@jigyasudham/veto 0.8.0

package/dist/agents/memory/project-mapper.js

@@ -0,0 +1,114 @@
+function detectCategory(task) {
+    const t = task.toLowerCase();
+    if (t.includes('initial') || t.includes('first time') || t.includes('new project') || t.includes('onboard') || t.includes('create map'))
+        return 'initial-map';
+    if (t.includes('update') || t.includes('refresh') || t.includes('new file') || t.includes('delete') || t.includes('rename') || t.includes('move'))
+        return 'update';
+    if (t.includes('find') || t.includes('where') || t.includes('locate') || t.includes('search') || t.includes('query'))
+        return 'query';
+    return 'general';
+}
+const categoryApproach = {
+    'initial-map': 'Build the first project map by scanning the directory tree (excluding node_modules, .git, dist). Identify the tech stack from package.json / pyproject.toml / Cargo.toml. Identify key modules: entry points, router, config, schema, main service files. Store via veto_project_map_update.',
+    'update': 'Incrementally update the project map after file changes. Add new files to the structure, remove deleted files, update module roles if they changed. Call veto_project_map_update after every session that modifies files. Do not re-scan the full tree — apply a diff.',
+    'query': 'Query the project map via veto_project_map_get to answer "where is X" questions without reading the filesystem. Use the key_modules list for entry points, then follow imports. Fall back to a targeted filesystem search only if the map is stale.',
+    'general': 'Check if a project map exists (veto_project_map_get). Create one if absent. Update if the last updated_at timestamp is more than one session old. Use the map to navigate the codebase before touching the filesystem.',
+};
+const categorySteps = {
+    'initial-map': [
+        'Read package.json (or equivalent) to identify language, framework, and key dependencies',
+        'Scan the top-level src/ directory structure — list all directories and their purpose',
+        'Identify entry points: main.ts / index.ts / app.ts / server.ts / cli.ts',
+        'Identify router or routing config (routes.ts, app.ts, next.config.js, etc.)',
+        'Identify database layer: schema files, migration files, ORM config',
+        'Identify config files: .env, config/, settings files',
+        'Identify test directories and test runner config',
+        'Build the structure JSON: { "src/": { "agents/": [...], "router/": [...] } }',
+        'Identify key_modules: list of the 10–20 most important files with their role',
+        'Call veto_project_map_update with project_dir, structure, key_modules, tech_stack',
+        'Verify the map with veto_project_map_get and confirm all key files are present',
+    ],
+    'update': [
+        'Identify which files were added, removed, or renamed in this session',
+        'Load the current map via veto_project_map_get',
+        'Apply adds: add new file paths to the appropriate structure branch',
+        'Apply removes: remove deleted file paths from the structure',
+        'Update key_modules if a new important file was added or an important file was removed',
+        'Update tech_stack if a new dependency was added (e.g. a new framework)',
+        'Call veto_project_map_update with the modified structure',
+        'Confirm the updated map reflects the current filesystem state',
+    ],
+    'query': [
+        'Call veto_project_map_get to load the current map',
+        'Check updated_at — if older than the current session, consider triggering a refresh',
+        'Search key_modules for the file or module being queried',
+        'If not in key_modules, traverse the structure JSON for the relevant directory',
+        'Return the file path and module role without hitting the filesystem',
+        'If the map query is inconclusive, fall back to a targeted Glob search',
+        'If a Glob search finds a file missing from the map, trigger a map update',
+    ],
+    'general': [
+        'Call veto_project_map_get to check if a map exists',
+        'If no map: run the initial-map flow',
+        'If map exists: check updated_at — update if stale',
+        'Use the map to answer navigation questions before scanning the filesystem',
+        'After each session that modifies files, call veto_project_map_update',
+    ],
+};
+const categoryChecklist = {
+    'initial-map': [
+        '[ ] Tech stack identified: language, framework, key libraries',
+        '[ ] All src/ directories listed with role description',
+        '[ ] Entry points identified and listed in key_modules',
+        '[ ] Database / schema layer identified',
+        '[ ] Test directory and runner identified',
+        '[ ] Structure JSON stored via veto_project_map_update',
+        '[ ] Map verified via veto_project_map_get',
+    ],
+    'update': [
+        '[ ] All added files included in structure',
+        '[ ] All deleted files removed from structure',
+        '[ ] key_modules updated if important file changed',
+        '[ ] veto_project_map_update called with new structure',
+        '[ ] Map verified post-update',
+    ],
+    'query': [
+        '[ ] veto_project_map_get called before any filesystem scan',
+        '[ ] key_modules checked first for fast lookup',
+        '[ ] Structure JSON traversed if not in key_modules',
+        '[ ] Filesystem fallback used only if map is inconclusive',
+        '[ ] Map updated if filesystem revealed a gap',
+    ],
+    'general': [
+        '[ ] Map existence checked at session start',
+        '[ ] Map updated at session end if files were modified',
+        '[ ] Map used as primary navigation source, not the filesystem',
+    ],
+};
+export function plan(task, context) {
+    const category = detectCategory(task + ' ' + (context ?? ''));
+    return {
+        agent: 'project-mapper',
+        task,
+        tier: 1,
+        approach: categoryApproach[category],
+        steps: categorySteps[category],
+        checklist: categoryChecklist[category],
+        pitfalls: [
+            'Scanning the full project tree including node_modules — causes massive, useless maps',
+            'Only building the map once and never updating — the map becomes stale after file changes',
+            'Storing file contents in the map instead of just paths and roles — balloons storage',
+            'Not listing key_modules — forces a full structure search for common lookups',
+            'Building the map from memory instead of actually scanning — silently incorrect paths',
+            'Forgetting to update the map after a refactor that moves or renames many files',
+        ],
+        patterns: [
+            'Incremental update: diff-based map updates after file changes, not full re-scans',
+            'Key modules first: maintain a flat list of the most important files for O(1) lookup',
+            'Role annotation: each entry in key_modules includes the file\'s role (entry-point, router, schema, etc.)',
+            'Lazy refresh: check updated_at and only refresh when the map is stale',
+        ],
+        duration_estimate: '5-10 minutes',
+    };
+}
+//# sourceMappingURL=project-mapper.js.map

package/dist/agents/quality/accessibility.js

@@ -0,0 +1,89 @@
+export function plan(task, context) {
+    return {
+        agent: 'accessibility',
+        task,
+        tier: 2,
+        approach: 'Audit against WCAG 2.1 AA — the legal minimum for most jurisdictions. Work through four principles: Perceivable (can users perceive all content?), Operable (can users navigate with keyboard and assistive tech?), Understandable (is the UI predictable and error-recovery clear?), Robust (does it work with screen readers and future tech?). Flag failures by WCAG criterion number.',
+        steps: [
+            'Check colour contrast: text must meet 4.5:1 (normal) or 3:1 (large text) against background — WCAG 1.4.3',
+            'Check all images have alt text — decorative images use alt="" — WCAG 1.1.1',
+            'Check all form inputs have associated <label> elements — WCAG 1.3.1',
+            'Check the entire UI is keyboard-navigable: Tab order is logical, no keyboard traps — WCAG 2.1.1',
+            'Check focus indicator is visible on all interactive elements — WCAG 2.4.7',
+            'Check no content flashes more than 3 times per second — WCAG 2.3.1',
+            'Check page has a descriptive <title> — WCAG 2.4.2',
+            'Check heading hierarchy: h1→h2→h3, no levels skipped — WCAG 1.3.1',
+            'Check error messages identify the field and explain how to fix — WCAG 3.3.1',
+            'Check interactive elements have accessible names (aria-label where needed) — WCAG 4.1.2',
+            'Test with a screen reader (NVDA/VoiceOver) on the critical path',
+        ],
+        checklist: [
+            '[ ] Colour contrast ≥ 4.5:1 for normal text, 3:1 for large text',
+            '[ ] All images have meaningful alt text',
+            '[ ] All form inputs have visible labels',
+            '[ ] Full keyboard navigation — no mouse required',
+            '[ ] Visible focus indicator on all interactive elements',
+            '[ ] No flashing content > 3 Hz',
+            '[ ] Logical heading hierarchy',
+            '[ ] Error messages identify field + explain fix',
+            '[ ] Screen reader tested on critical path',
+        ],
+        pitfalls: [
+            'Using colour alone to convey information — 8% of men have colour vision deficiency',
+            'Placeholder text as a label substitute — placeholder disappears when typing',
+            'Custom interactive components without ARIA roles — screen readers see a div, not a button',
+            'Positive contrast ratio on a design tool that does not account for anti-aliasing',
+            'Fixing accessibility at end of development — 10× more expensive than building it in',
+        ],
+        patterns: [
+            'POUR framework: Perceivable → Operable → Understandable → Robust',
+            'Keyboard-first development: if it works with keyboard only, it usually works with everything',
+            'Semantic HTML over ARIA: a <button> is better than a <div role="button">',
+            'Error recovery: every error must name the field and tell the user exactly how to fix it',
+        ],
+        duration_estimate: '2-6 hours',
+    };
+}
+export function analyze(code, context) {
+    const findings = [];
+    if (/<img(?![^>]*\balt=)/i.test(code)) {
+        findings.push({ severity: 'high', category: 'WCAG-1.1.1', description: 'Image(s) missing alt attribute', fix: 'Add alt="description" to all <img> tags. Use alt="" for decorative images.' });
+    }
+    if (/<input(?![^>]*\btype="hidden")[^>]*>(?![\s\S]*?<label)/i.test(code) && !/<label/i.test(code)) {
+        findings.push({ severity: 'high', category: 'WCAG-1.3.1', description: 'Form input(s) may lack associated label', fix: 'Add <label for="inputId"> or wrap input in <label>.' });
+    }
+    if (/onClick|onclick/.test(code) && !/<button|role="button"/i.test(code)) {
+        findings.push({ severity: 'medium', category: 'WCAG-2.1.1', description: 'Click handler on non-interactive element — may not be keyboard accessible', fix: 'Use <button> for click interactions, or add role="button" tabIndex={0} and onKeyDown handler.' });
+    }
+    if (/:focus\s*\{[^}]*outline\s*:\s*none/i.test(code) || /:focus\s*\{[^}]*outline\s*:\s*0/i.test(code)) {
+        findings.push({ severity: 'high', category: 'WCAG-2.4.7', description: 'Focus outline suppressed — keyboard users lose navigation indicator', fix: 'Remove outline:none from :focus. Use outline:none on :focus-visible only with a custom focus style.' });
+    }
+    if (/<h[1-6]/i.test(code)) {
+        const headings = (code.match(/<h([1-6])/gi) ?? []).map(h => parseInt(h[2]));
+        for (let i = 1; i < headings.length; i++) {
+            if (headings[i] - headings[i - 1] > 1) {
+                findings.push({ severity: 'medium', category: 'WCAG-1.3.1', description: `Heading level skipped: h${headings[i - 1]} → h${headings[i]}`, fix: 'Heading levels must be sequential. Do not skip levels.' });
+                break;
+            }
+        }
+    }
+    if (/aria-label|aria-labelledby|role=/i.test(code)) {
+        if (/role="presentation"|role="none"/i.test(code) && /<img/i.test(code)) {
+            findings.push({ severity: 'low', category: 'WCAG-1.1.1', description: 'Image with role="presentation" — verify this is truly decorative', fix: 'If decorative, use alt="". If informative, remove role="presentation" and add meaningful alt.' });
+        }
+    }
+    const critCount = findings.filter(f => f.severity === 'critical').length;
+    const highCount = findings.filter(f => f.severity === 'high').length;
+    const score = Math.max(0, 100 - critCount * 30 - highCount * 20 - findings.filter(f => f.severity === 'medium').length * 10);
+    return {
+        agent: 'accessibility',
+        subject: context ?? 'UI code',
+        findings,
+        score,
+        verdict: score >= 85 ? 'approved' : score >= 65 ? 'approved_with_warnings' : score >= 40 ? 'needs_revision' : 'rejected',
+        summary: findings.length === 0 ? 'No accessibility issues detected in static analysis. Manual screen reader test still recommended.' : `${findings.length} accessibility issue(s). Top: ${findings[0].description}`,
+        critical_count: critCount,
+        high_count: highCount,
+    };
+}
+//# sourceMappingURL=accessibility.js.map

package/dist/agents/quality/code-quality.js

@@ -0,0 +1,109 @@
+export function plan(task, context) {
+    const t = (task + ' ' + (context ?? '')).toLowerCase();
+    const isRefactor = t.includes('refactor') || t.includes('clean') || t.includes('improve');
+    const isReview = t.includes('review') || t.includes('audit') || t.includes('check');
+    return {
+        agent: 'code-quality',
+        task,
+        tier: 2,
+        approach: isRefactor
+            ? 'Refactor for quality by applying the three passes: first remove dead code and unused imports, then extract duplicated logic into shared utilities, then rename for clarity. Never change behaviour. Run tests after each pass.'
+            : isReview
+                ? 'Audit code quality across five dimensions: complexity (cyclomatic), duplication, naming clarity, function length, and comment quality. Score each 1–5 and produce a prioritised fix list ordered by impact.'
+                : 'Assess code quality holistically. Identify the highest-impact improvement: the one change that most improves readability, maintainability, or testability. Deliver that change, verify nothing regressed.',
+        steps: [
+            'Measure cyclomatic complexity — flag any function above 10',
+            'Identify duplicate blocks (3+ lines appearing 2+ times) — extract to a shared utility',
+            'Check function length — flag functions over 40 lines for extraction',
+            'Check naming: are variable, function, and class names self-documenting?',
+            'Check nesting depth — flag logic nested 4+ levels deep',
+            'Identify magic numbers and strings — replace with named constants',
+            'Check for dead code: unused variables, unreachable branches, exported symbols with no consumers',
+            'Check comment quality: comments should explain WHY, not WHAT',
+            'Verify no TODO comments without a linked issue number',
+            'Run the linter — fix all warnings, not just errors',
+        ],
+        checklist: [
+            '[ ] No function above cyclomatic complexity 10',
+            '[ ] No duplicate blocks of 3+ lines',
+            '[ ] No function longer than 40 lines',
+            '[ ] All names are self-documenting',
+            '[ ] Nesting depth ≤ 3 levels',
+            '[ ] No magic numbers or strings',
+            '[ ] No dead code',
+            '[ ] Linter passes with zero warnings',
+            '[ ] No TODO without issue number',
+        ],
+        pitfalls: [
+            'Renaming for style without improving clarity — churn with no gain',
+            'Extracting functions so small they obscure the calling site',
+            'Removing comments that explain non-obvious WHY reasons',
+            'Refactoring without a test suite — introduces regressions silently',
+        ],
+        patterns: [
+            'Three-pass refactor: dead code → duplication → naming',
+            'Complexity budget: cyclomatic ≤ 10, nesting ≤ 3, length ≤ 40 lines',
+            'Magic constant extraction: all literals that carry domain meaning become named constants',
+        ],
+        duration_estimate: '1-3 hours',
+    };
+}
+export function analyze(code, context) {
+    const findings = [];
+    const lines = code.split('\n');
+    // Complexity: count decision points
+    const decisionKeywords = /\b(if|else|for|while|case|catch|\?\?|&&|\|\|)\b/g;
+    const decisions = (code.match(decisionKeywords) ?? []).length;
+    if (decisions > 15) {
+        findings.push({ severity: 'high', category: 'complexity', description: `High cyclomatic complexity: ~${decisions} decision points detected`, fix: 'Extract branches into well-named helper functions. Target < 10 per function.' });
+    }
+    else if (decisions > 8) {
+        findings.push({ severity: 'medium', category: 'complexity', description: `Moderate complexity: ~${decisions} decision points`, fix: 'Consider extracting the most complex branches into helpers.' });
+    }
+    // Long functions
+    const funcMatches = code.match(/(?:function\s+\w+|=>\s*\{|\w+\s*\([^)]*\)\s*\{)/g) ?? [];
+    if (lines.length > 50 && funcMatches.length <= 2) {
+        findings.push({ severity: 'medium', category: 'length', description: `File/function is ${lines.length} lines with few sub-functions`, fix: 'Extract logical sections into smaller, named functions.' });
+    }
+    // Magic numbers
+    const magicNumbers = code.match(/[^.]\b([2-9]\d{1,3}|1[0-9]{2,3})\b(?!\s*[,\]])/g) ?? [];
+    if (magicNumbers.length > 3) {
+        findings.push({ severity: 'low', category: 'magic-values', description: `${magicNumbers.length} potential magic numbers detected`, fix: 'Extract numeric literals into named constants with descriptive names.' });
+    }
+    // Deep nesting
+    let maxDepth = 0, currentDepth = 0;
+    for (const ch of code) {
+        if (ch === '{') {
+            currentDepth++;
+            maxDepth = Math.max(maxDepth, currentDepth);
+        }
+        else if (ch === '}')
+            currentDepth--;
+    }
+    if (maxDepth > 5) {
+        findings.push({ severity: 'medium', category: 'nesting', description: `Deep nesting detected: ${maxDepth} levels`, fix: 'Use early returns and guard clauses to reduce nesting depth to ≤ 3.' });
+    }
+    // Empty catch
+    if (/catch\s*\([^)]*\)\s*\{\s*\}/.test(code)) {
+        findings.push({ severity: 'high', category: 'error-handling', description: 'Empty catch block — exception silently swallowed', fix: 'Log the error or rethrow. Never silently swallow exceptions.' });
+    }
+    // TODO without issue
+    const todos = (code.match(/\/\/\s*TODO(?!.*#\d)/gi) ?? []).length;
+    if (todos > 0) {
+        findings.push({ severity: 'low', category: 'maintainability', description: `${todos} TODO comment(s) without linked issue number`, fix: 'Add issue number (e.g. // TODO #123) or resolve the TODO.' });
+    }
+    const critCount = findings.filter(f => f.severity === 'critical').length;
+    const highCount = findings.filter(f => f.severity === 'high').length;
+    const score = Math.max(0, 100 - critCount * 25 - highCount * 15 - findings.filter(f => f.severity === 'medium').length * 8 - findings.filter(f => f.severity === 'low').length * 3);
+    return {
+        agent: 'code-quality',
+        subject: context ?? 'code',
+        findings,
+        score,
+        verdict: score >= 85 ? 'approved' : score >= 65 ? 'approved_with_warnings' : score >= 40 ? 'needs_revision' : 'rejected',
+        summary: findings.length === 0 ? 'Code quality looks good.' : `${findings.length} quality issue(s) found. Top concern: ${findings[0].description}`,
+        critical_count: critCount,
+        high_count: highCount,
+    };
+}
+//# sourceMappingURL=code-quality.js.map

package/dist/agents/quality/compatibility.js

@@ -0,0 +1,55 @@
+export function plan(task, context) {
+    const t = (task + ' ' + (context ?? '')).toLowerCase();
+    const isBrowser = t.includes('browser') || t.includes('safari') || t.includes('firefox') || t.includes('frontend') || t.includes('css');
+    const isNode = t.includes('node') || t.includes('runtime') || t.includes('version') || t.includes('backend');
+    const isMobile = t.includes('mobile') || t.includes('ios') || t.includes('android') || t.includes('responsive');
+    const approach = isBrowser
+        ? 'Check browser compatibility for every CSS property, JS API, and Web API used. Target: Chrome 100+, Firefox 100+, Safari 15+, Edge 100+. Use caniuse.com for CSS and MDN compatibility tables for JS. Flag anything below 90% global usage without a polyfill.'
+        : isNode
+            ? 'Verify compatibility with the stated Node.js version range. Check: built-in modules (crypto, fs, sqlite), ES module vs CommonJS assumptions, and any native addons. Test on the minimum supported version, not just the latest.'
+            : isMobile
+                ? 'Test responsive behaviour at 320px (small phone), 375px (standard phone), 768px (tablet), 1024px (small desktop), 1440px (standard desktop). Verify touch targets are ≥ 44×44px. Verify no horizontal scroll at any breakpoint.'
+                : 'Audit compatibility across the three dimensions relevant to this project: runtime version, browser support, and mobile breakpoints. Identify any usage of APIs not available in the minimum supported environment.';
+    return {
+        agent: 'compatibility',
+        task,
+        tier: 2,
+        approach,
+        steps: [
+            'Identify the minimum supported environment: Node version, browser versions, mobile screen sizes',
+            'List all external APIs, Web APIs, and language features used',
+            'Cross-reference each against the minimum environment\'s support tables (caniuse, MDN, Node.js docs)',
+            'Flag anything requiring a polyfill or transpile target adjustment',
+            'Check package.json engines field — does it accurately reflect the minimum Node version?',
+            'Check tsconfig.json target and lib — do they match the actual deployment environment?',
+            'Check CSS: use @supports for progressive enhancement, not as a workaround',
+            'Test responsive layout at 320px minimum width — the most common failure point',
+            'Verify touch targets ≥ 44×44px on all interactive elements',
+            'Check for deprecated APIs with removal dates within the support window',
+        ],
+        checklist: [
+            '[ ] Minimum Node.js version documented in package.json engines field',
+            '[ ] tsconfig target and lib match deployment environment',
+            '[ ] No JS/CSS APIs used below 90% browser support without polyfill',
+            '[ ] Responsive layout tested at 320px minimum width',
+            '[ ] Touch targets ≥ 44×44px on mobile',
+            '[ ] No deprecated APIs scheduled for removal within support window',
+            '[ ] No native addons that break cross-platform (Windows/Mac/Linux)',
+        ],
+        pitfalls: [
+            'Testing only on the latest browser — Safari consistently lags on Web APIs',
+            'Assuming Node 22 features are available when minimum is Node 18',
+            'Using CSS grid subgrid without checking Safari 15 support',
+            'Touch targets that pass on desktop but fail on 320px mobile',
+            'Native addons that compile on Mac but not on Windows (different MSVC requirements)',
+        ],
+        patterns: [
+            'Progressive enhancement: build for the minimum, enhance for modern — not the reverse',
+            'Engines field as contract: package.json engines is a promise to users about compatibility',
+            'caniuse-first: check support tables before using any new browser API',
+            '320px rule: if it works at 320px, it works on every phone',
+        ],
+        duration_estimate: '1-3 hours',
+    };
+}
+//# sourceMappingURL=compatibility.js.map

package/dist/agents/quality/documentation.js

@@ -0,0 +1,95 @@
+export function plan(task, context) {
+    const t = (task + ' ' + (context ?? '')).toLowerCase();
+    const isApi = t.includes('api') || t.includes('endpoint') || t.includes('openapi');
+    const isReadme = t.includes('readme') || t.includes('getting started') || t.includes('onboard');
+    return {
+        agent: 'documentation',
+        task,
+        tier: 1,
+        approach: isApi
+            ? 'Document the API using OpenAPI 3.0. Every endpoint needs: method, path, summary, request body schema, response schemas (200, 400, 401, 404, 500), and at least one request example. Generated docs should be accurate enough that a client can integrate without reading the source code.'
+            : isReadme
+                ? 'Write a README that answers the four questions every new user asks: what is this, how do I install it, how do I use it, and how do I contribute. Lead with a one-sentence description, then a quick-start that works in under 5 minutes.'
+                : 'Document the public API surface. Every exported function, class, and type gets a JSDoc block with: one-line description, @param for each parameter, @returns, @throws for known errors, and one @example. Internal functions do not need JSDoc.',
+        steps: [
+            'List all exported symbols that lack documentation',
+            'For each exported function: write a one-line description that explains what it does (not how)',
+            'Document every parameter: name, type, description, whether optional, default value',
+            'Document the return value: type and what it represents',
+            'Document known thrown errors with @throws',
+            'Write at least one @example per exported function',
+            'For APIs: document request/response shape with types or OpenAPI schema',
+            'For README: include quick-start that works in under 5 minutes',
+            'Remove outdated documentation that no longer matches the code',
+            'Verify all code examples actually run correctly',
+        ],
+        checklist: [
+            '[ ] Every exported symbol has a JSDoc block',
+            '[ ] Every @param has a description (not just a type)',
+            '[ ] @returns documents what is returned, not just the type',
+            '[ ] @throws present for all known error paths',
+            '[ ] At least one @example per exported function',
+            '[ ] No documentation that contradicts the current code',
+            '[ ] README quick-start tested end-to-end',
+        ],
+        pitfalls: [
+            'Documenting HOW instead of WHY — "increments counter by 1" is not documentation',
+            'Copying type signatures into prose — JSDoc @param already has the type',
+            'Writing examples that do not actually run',
+            'Documenting internal functions that are not part of the public API',
+            'Leaving stale documentation that contradicts the current implementation',
+        ],
+        patterns: [
+            'API-first documentation: write the docs before the implementation to clarify the contract',
+            'Example-driven: code examples are the most useful documentation format',
+            'Quick-start rule: a new developer should have something running in under 5 minutes',
+        ],
+        duration_estimate: '1-4 hours',
+    };
+}
+export function analyze(code, context) {
+    const findings = [];
+    const lines = code.split('\n');
+    // Count exported symbols
+    const exports = (code.match(/^export\s+(function|class|const|type|interface|async)/gm) ?? []).length;
+    // Count JSDoc blocks before exports
+    const jsdocs = (code.match(/\/\*\*[\s\S]*?\*\/\s*\nexport/g) ?? []).length;
+    const undocumented = exports - jsdocs;
+    if (undocumented > 0) {
+        findings.push({
+            severity: undocumented > 3 ? 'high' : 'medium',
+            category: 'missing-docs',
+            description: `${undocumented} of ${exports} exported symbol(s) lack JSDoc documentation`,
+            fix: 'Add /** description */ block before each exported function, class, or type.',
+        });
+    }
+    // Check for param docs
+    const params = (code.match(/@param/g) ?? []).length;
+    const funcParams = (code.match(/\([^)]{5,}\)/g) ?? []).length;
+    if (exports > 0 && params === 0 && funcParams > 2) {
+        findings.push({ severity: 'medium', category: 'missing-params', description: 'No @param documentation found', fix: 'Add @param {type} name — description for each parameter.' });
+    }
+    // Check for examples
+    if (exports > 0 && !code.includes('@example')) {
+        findings.push({ severity: 'low', category: 'missing-examples', description: 'No @example blocks found', fix: 'Add at least one @example showing typical usage for each exported function.' });
+    }
+    // Check for stale "TODO: document"
+    const todoDoc = (code.match(/\/\/\s*TODO.*doc/gi) ?? []).length;
+    if (todoDoc > 0) {
+        findings.push({ severity: 'low', category: 'stale-todo', description: `${todoDoc} TODO documentation reminder(s) found`, fix: 'Write the documentation and remove the TODO.' });
+    }
+    const score = Math.max(0, 100 - findings.filter(f => f.severity === 'high').length * 20
+        - findings.filter(f => f.severity === 'medium').length * 10
+        - findings.filter(f => f.severity === 'low').length * 5);
+    return {
+        agent: 'documentation',
+        subject: context ?? 'code',
+        findings,
+        score,
+        verdict: score >= 85 ? 'approved' : score >= 65 ? 'approved_with_warnings' : score >= 40 ? 'needs_revision' : 'rejected',
+        summary: findings.length === 0 ? 'Documentation looks complete.' : `${findings.length} documentation gap(s). Top: ${findings[0].description}`,
+        critical_count: 0,
+        high_count: findings.filter(f => f.severity === 'high').length,
+    };
+}
+//# sourceMappingURL=documentation.js.map

package/dist/agents/quality/error-handling.js

@@ -0,0 +1,87 @@
+export function plan(task, context) {
+    return {
+        agent: 'error-handling',
+        task,
+        tier: 2,
+        approach: 'Audit error handling for the three failure classes: expected failures (validation, not found, auth), unexpected failures (bugs, network failures, DB errors), and catastrophic failures (process crash, OOM). Each class needs a different treatment. Expected failures return structured error responses. Unexpected failures are logged with context and surfaced as generic errors to users. Catastrophic failures are captured by a top-level handler and alert.',
+        steps: [
+            'Identify all async operations: DB calls, HTTP requests, file I/O, external APIs',
+            'Verify every async call has a try/catch or .catch() — no floating promises',
+            'Check that catch blocks do not silently swallow errors — log OR rethrow, never neither',
+            'Verify error messages to users do not leak stack traces or internal details in production',
+            'Check that typed errors are used — no throw new Error("raw string") for domain errors',
+            'Verify HTTP error codes are semantically correct: 400 vs 422, 401 vs 403, 404 vs 410',
+            'Check that errors include enough context to diagnose: which record, which operation, what input',
+            'Verify the top-level process error handler is in place: uncaughtException, unhandledRejection',
+            'Check that external API timeouts are configured — no indefinite hangs',
+            'Test each error path: does the system recover gracefully or leave state corrupted?',
+        ],
+        checklist: [
+            '[ ] No floating promises — every async call awaited or .catch() chained',
+            '[ ] No empty or silent catch blocks',
+            '[ ] Stack traces never exposed to users in production',
+            '[ ] Typed domain errors — not raw Error strings',
+            '[ ] HTTP status codes semantically correct',
+            '[ ] Error log includes context (what failed, on what input)',
+            '[ ] process.on("uncaughtException") and ("unhandledRejection") registered',
+            '[ ] All external HTTP calls have a timeout configured',
+            '[ ] Error paths tested — system recovers without corrupting state',
+        ],
+        pitfalls: [
+            'Catch-and-log without rethrowing — the caller assumes success when the operation failed',
+            'Using the same error type for expected and unexpected failures — callers cannot distinguish',
+            'Not including the original error in a re-thrown wrapper — stack trace lost',
+            'Logging only the error message without the input that caused it — impossible to reproduce',
+            'Catching Error but not checking error.name — all errors look the same',
+        ],
+        patterns: [
+            'Error taxonomy: expected (return structured error) | unexpected (log + generic response) | catastrophic (alert)',
+            'Context-rich errors: every thrown error includes the operation, input, and correlation ID',
+            'Fail-fast on programming errors: throw immediately on invalid arguments — do not try to recover',
+            'Structured error types: one class per error category with a code field for programmatic handling',
+        ],
+        duration_estimate: '2-4 hours',
+    };
+}
+export function analyze(code, context) {
+    const findings = [];
+    // Empty catch blocks
+    const emptyCatch = (code.match(/catch\s*\([^)]*\)\s*\{\s*\}/g) ?? []).length;
+    if (emptyCatch > 0) {
+        findings.push({ severity: 'critical', category: 'silent-failure', description: `${emptyCatch} empty catch block(s) — exceptions silently swallowed`, fix: 'Log the error and/or rethrow. Never swallow exceptions silently.' });
+    }
+    // Catch with only console.log (no rethrow)
+    const logOnlyCatch = (code.match(/catch\s*\([^)]*\)\s*\{[^}]*console\.[a-z]+[^}]*\}/g) ?? [])
+        .filter(block => !block.includes('throw')).length;
+    if (logOnlyCatch > 0) {
+        findings.push({ severity: 'high', category: 'swallowed-error', description: `${logOnlyCatch} catch block(s) log but do not rethrow — caller assumes success`, fix: 'After logging, either rethrow the error or return a typed error result to the caller.' });
+    }
+    // Floating promises
+    const floatingPromise = (code.match(/(?<!\bawait\s)(?<!\breturn\s)\b\w+\([^)]*\)\.then\(/g) ?? []).length;
+    if (floatingPromise > 1) {
+        findings.push({ severity: 'high', category: 'floating-promise', description: `Potential floating promise(s) detected`, fix: 'Ensure all Promise chains are awaited or have a .catch() handler.' });
+    }
+    // Raw Error strings
+    const rawThrows = (code.match(/throw new Error\(['"`][^'"`]{1,50}['"`]\)/g) ?? []).length;
+    if (rawThrows > 2) {
+        findings.push({ severity: 'medium', category: 'untyped-errors', description: `${rawThrows} raw Error string throws — callers cannot distinguish error types`, fix: 'Create typed error classes (class NotFoundError extends Error) for each distinct error category.' });
+    }
+    // No timeout on fetch/axios
+    if (/fetch\(|axios\.|got\(|request\(/.test(code) && !/timeout/.test(code)) {
+        findings.push({ severity: 'medium', category: 'missing-timeout', description: 'External HTTP call detected without apparent timeout configuration', fix: 'Add a timeout to all external HTTP calls. Unconfigured calls hang indefinitely on network issues.' });
+    }
+    const critCount = findings.filter(f => f.severity === 'critical').length;
+    const highCount = findings.filter(f => f.severity === 'high').length;
+    const score = Math.max(0, 100 - critCount * 30 - highCount * 20 - findings.filter(f => f.severity === 'medium').length * 10);
+    return {
+        agent: 'error-handling',
+        subject: context ?? 'code',
+        findings,
+        score,
+        verdict: score >= 85 ? 'approved' : score >= 65 ? 'approved_with_warnings' : score >= 40 ? 'needs_revision' : 'rejected',
+        summary: findings.length === 0 ? 'Error handling looks solid.' : `${findings.length} error handling issue(s). Top: ${findings[0].description}`,
+        critical_count: critCount,
+        high_count: highCount,
+    };
+}
+//# sourceMappingURL=error-handling.js.map

package/dist/agents/research/competitor-analyzer.js

@@ -0,0 +1,44 @@
+export function plan(task, context) {
+    return {
+        agent: 'competitor-analyzer',
+        task,
+        tier: 2,
+        approach: 'Analyse competitors on three dimensions: feature gap (what they have that you don\'t), differentiation gap (what you have that they don\'t), and positioning gap (where they own user perception). The goal is not to copy — it is to identify where building a feature would be table-stakes vs. where it would be genuinely differentiating.',
+        steps: [
+            'List the top 3–5 direct competitors and 2–3 indirect alternatives',
+            'For each competitor: document their core value proposition in one sentence',
+            'Build a feature matrix: rows = features, columns = products, cells = yes/no/partial',
+            'Identify table-stakes features: present in all competitors (building these is hygiene, not differentiation)',
+            'Identify differentiating features: present in 0–1 competitors (building these creates moat)',
+            'Identify features your product has that no competitor has — this is your current moat',
+            'Research competitor pricing to understand the value they signal for each tier',
+            'Read user reviews of competitors to find the most common complaints (these are opportunities)',
+            'Identify the positioning gaps: what perception do users have of each competitor?',
+            'Recommend the top 3 features by differentiation potential × build cost',
+            'Store analysis in veto_memory_store (type="reference", tags=["competitive", "strategy"])',
+        ],
+        checklist: [
+            '[ ] Top 5 direct competitors identified',
+            '[ ] Feature matrix built with table-stakes vs. differentiating features separated',
+            '[ ] Current moat (unique features) identified',
+            '[ ] User review analysis for top 2 complaints per competitor',
+            '[ ] Differentiation opportunities ranked by potential × cost',
+            '[ ] Analysis stored in veto_memory_store',
+        ],
+        pitfalls: [
+            'Copying competitor features without understanding why they built them — builds technical debt, not differentiation',
+            'Ignoring indirect alternatives — users often switch to a different category entirely, not a direct competitor',
+            'Treating all feature gaps as problems — some are intentional product decisions',
+            'Not reading user reviews — documentation says what a product does; reviews say what it fails to do',
+            'Analysing features in isolation from pricing — a feature only matters if the target segment can afford it',
+        ],
+        patterns: [
+            'Table-stakes separation: hygiene features vs. moat features require different prioritisation logic',
+            'Complaint mining: competitor weaknesses in reviews are your clearest product opportunities',
+            'Moat-first thinking: understand your current differentiation before adding more features',
+            'Indirect competitor awareness: the biggest threat is often a product in a different category',
+        ],
+        duration_estimate: '2-4 hours',
+    };
+}
+//# sourceMappingURL=competitor-analyzer.js.map