@northbridge-security/secureai 0.1.13

package/tasks/bun.yml

@@ -0,0 +1,738 @@
+# https://taskfile.dev
+
+version: "3"
+
+tasks:
+  core:info:
+    silent: true
+    cmds:
+      - |
+        # Color codes
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        BLUE='\033[0;34m'
+        BOLD='\033[1m'
+        NC='\033[0m' # No Color
+
+        echo -e "${BOLD}Development:${NC}"
+        echo -e "  ${GREEN}task install${NC}                     ${YELLOW}i${NC}         Clean install (frozen lockfile, no scripts)"
+        echo -e "  ${GREEN}task install:quick${NC}               ${YELLOW}iq${NC}        Quick install (allows lockfile updates)"
+        echo -e "  ${GREEN}task build${NC}                       ${YELLOW}b${NC}         Build the project"
+        echo -e "  ${GREEN}task test${NC}                        ${YELLOW}t${NC}         Run unit tests"
+        echo -e "  ${GREEN}task test:integration${NC}            ${YELLOW}ti${NC}        Run integration tests"
+        echo -e "  ${GREEN}task test:coverage${NC}               ${YELLOW}cov${NC}       Run tests with coverage                  FILES=\"...\" or DIFF=true"
+        echo -e "  ${GREEN}task test:coverage:report${NC}        ${YELLOW}covr${NC}      Show coverage report with low files      THRESHOLD=80 (default)"
+        echo -e "  ${GREEN}task lint${NC}                        ${YELLOW}l${NC}         Run linter                               FILES=\"...\""
+        echo -e "  ${GREEN}task lint:fix${NC}                    ${YELLOW}lf${NC}        Run linter with auto-fix                 FILES=\"...\""
+        echo -e "  ${GREEN}task dev${NC}                         ${YELLOW}d${NC}         Run in development mode"
+        echo ""
+
+  install:
+    desc: Clean install dependencies (removes caches, uses frozen lockfile, ignores scripts)
+    aliases: [i]
+    silent: true
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        # Clean local caches first for reproducible builds
+        # See: https://www.lekman.com/blog/2025/11/securing-your-javascript-dependencies-what-every-organisation-needs-to-know/
+
+        # Remove node_modules
+        if [ -d "node_modules" ]; then
+          rm -rf node_modules
+          echo -e "${GREEN}✓${NC} Removed node_modules/"
+        fi
+
+        # Remove bun's local cache
+        if [ -d ".bun" ]; then
+          rm -rf .bun
+          echo -e "${GREEN}✓${NC} Removed .bun/"
+        fi
+
+        # Remove SST cache (serverless framework)
+        if [ -d ".sst" ]; then
+          rm -rf .sst
+          echo -e "${GREEN}✓${NC} Removed .sst/"
+        fi
+
+        # Remove SST output directory
+        if [ -d ".open-next" ]; then
+          rm -rf .open-next
+          echo -e "${GREEN}✓${NC} Removed .open-next/"
+        fi
+
+        # Secure install with frozen lockfile and no lifecycle scripts
+        # --frozen-lockfile: Ensures exact versions from bun.lockb (fails if lockfile needs update)
+        # --ignore-scripts: Prevents execution of potentially malicious postinstall scripts
+        echo -e "${GREEN}▶${NC} Installing dependencies (frozen lockfile, no scripts)..."
+        bun install --frozen-lockfile --ignore-scripts
+
+        echo -e "${GREEN}✓${NC} Dependencies installed securely"
+
+  install:quick:
+    desc: Quick install (no clean, updates lockfile if needed)
+    aliases: [iq]
+    silent: true
+    cmds:
+      - bun install
+
+  build:
+    desc: Build the project
+    aliases: [b]
+    silent: true
+    cmds:
+      - bun turbo build
+    sources:
+      - src/**/*.ts
+    generates:
+      - dist/**/*.js
+
+  rebuild:
+    aliases: [rb]
+    desc: First cleans project build artifacts, logs, and temporary files, then rebuilds the project
+    silent: true
+    cmds:
+      - task clean
+      - task install
+      - task build
+
+  clean:
+    desc: Clean build artifacts, logs, and temporary files (use venv=true to also delete venv)
+    aliases: [c]
+    silent: true
+    vars:
+      DELETE_VENV: '{{.venv | default "false"}}'
+    cmds:
+      - |
+        # Color codes
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        # Get repository root
+        REPO_ROOT=$(task git:repo:root)
+
+        # Clean build artifacts and dependency caches
+        rm -rf dist
+        rm -rf node_modules
+        rm -rf .bun
+        rm -rf .sst
+        rm -rf .open-next
+        echo -e "${GREEN}✓${NC} Removed dist/, node_modules/, .bun/, .sst/, .open-next/"
+
+        # Clean .logs contents (keep the directory)
+        if [ -d .logs ]; then
+          find .logs -mindepth 1 -delete
+          echo -e "${GREEN}✓${NC} Cleaned .logs/ contents"
+        fi
+
+        # Delete *.local.md files in root folder only (not subfolders)
+        # EXCEPT: .bugs.local.md and *.report.local.md
+        LOCAL_MD_COUNT=$(find . -maxdepth 1 -name "*.local.md" -type f ! -name ".bugs.local.md" ! -name "*.report.local.md" | wc -l | tr -d ' ')
+        if [ "$LOCAL_MD_COUNT" -gt 0 ]; then
+          find . -maxdepth 1 -name "*.local.md" -type f ! -name ".bugs.local.md" ! -name "*.report.local.md" -delete
+          echo -e "${GREEN}✓${NC} Deleted $LOCAL_MD_COUNT *.local.md file(s) from root (preserved .bugs.local.md and *.report.local.md)"
+        fi
+
+        # Delete *.txt files in root folder only (not subfolders)
+        TXT_COUNT=$(find . -maxdepth 1 -name "*.txt" -type f | wc -l | tr -d ' ')
+        if [ "$TXT_COUNT" -gt 0 ]; then
+          find . -maxdepth 1 -name "*.txt" -type f -delete
+          echo -e "${GREEN}✓${NC} Deleted $TXT_COUNT *.txt file(s) from root"
+        fi
+
+        # Delete *.log files in root folder only (not subfolders)
+        LOG_COUNT=$(find . -maxdepth 1 -name "*.log" -type f | wc -l | tr -d ' ')
+        if [ "$LOG_COUNT" -gt 0 ]; then
+          find . -maxdepth 1 -name "*.log" -type f -delete
+          echo -e "${GREEN}✓${NC} Deleted $LOG_COUNT *.log file(s) from root"
+        fi
+
+        # Delete TypeScript build cache files (recursive)
+        TSBUILDINFO_COUNT=$(find . -name "*.tsbuildinfo" -type f | wc -l | tr -d ' ')
+        if [ "$TSBUILDINFO_COUNT" -gt 0 ]; then
+          find . -name "*.tsbuildinfo" -type f -delete
+          echo -e "${GREEN}✓${NC} Deleted $TSBUILDINFO_COUNT *.tsbuildinfo file(s)"
+        fi
+
+        # Delete .DS_Store files (macOS metadata, recursive)
+        DS_STORE_COUNT=$(find . -name ".DS_Store" -type f | wc -l | tr -d ' ')
+        if [ "$DS_STORE_COUNT" -gt 0 ]; then
+          find . -name ".DS_Store" -type f -delete
+          echo -e "${GREEN}✓${NC} Deleted $DS_STORE_COUNT .DS_Store file(s)"
+        fi
+
+        # Optionally delete venv
+        {{if eq .DELETE_VENV "true"}}
+        if [ -d venv ]; then
+          rm -rf venv
+          echo -e "${GREEN}✓${NC} Deleted venv/"
+        fi
+        {{end}}
+
+        # Delete all git worktrees (except main worktree)
+        WORKTREE_COUNT=$(git worktree list --porcelain | grep -c "^worktree " || echo 0)
+        # Subtract 1 for the main worktree
+        if [ "$WORKTREE_COUNT" -gt 1 ]; then
+          REMOVED_COUNT=0
+          git worktree list --porcelain | grep "^worktree " | cut -d' ' -f2 | while read -r worktree_path; do
+            # Skip main worktree (current directory)
+            if [ "$worktree_path" != "$REPO_ROOT" ] && [ "$worktree_path" != "." ]; then
+              git worktree remove "$worktree_path" --force 2>/dev/null || true
+              REMOVED_COUNT=$((REMOVED_COUNT + 1))
+            fi
+          done
+
+          # Prune stale worktree administrative files
+          git worktree prune 2>/dev/null || true
+
+          ACTUAL_COUNT=$((WORKTREE_COUNT - 1))
+          echo -e "${GREEN}✓${NC} Removed $ACTUAL_COUNT git worktree(s)"
+        fi
+
+  dev:
+    desc: Run in development mode
+    aliases: [d]
+    silent: true
+    cmds:
+      - bun run dev
+
+  lint:
+    desc: Run linter
+    aliases: [l]
+    silent: true
+    vars:
+      FILE_PATTERN: '{{.FILES | default "."}}'
+    deps:
+      - task: yaml:lint
+        vars: { FILES: "{{.FILES}}" }
+      - task: markdown:lint
+        vars: { FILES: "{{.FILES}}" }
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        RED='\033[0;31m'
+        NC='\033[0m'
+
+        # Run typecheck only if FILES not specified (needs full project)
+        {{if not .FILES}}
+        task typecheck
+        {{end}}
+
+        # Detect ESLint
+        HAS_ESLINT=false
+        if [ -f "eslint.config.js" ] || [ -f "eslint.config.mjs" ] || [ -f "eslint.config.cjs" ] || \
+           [ -f ".eslintrc.js" ] || [ -f ".eslintrc.cjs" ] || [ -f ".eslintrc.json" ] || [ -f ".eslintrc" ] || \
+           grep -q '"eslintConfig"' package.json 2>/dev/null; then
+          HAS_ESLINT=true
+        fi
+
+        # Detect Biome
+        HAS_BIOME=false
+        if [ -f "biome.json" ] || [ -f "biome.jsonc" ]; then
+          HAS_BIOME=true
+        fi
+
+        # Track overall exit code
+        FINAL_EXIT=0
+
+        # Run ESLint - exits 0 for warnings, 1 for errors
+        if [ "$HAS_ESLINT" = true ]; then
+          echo -e "${GREEN}▶${NC} Running ESLint..."
+          bunx eslint {{.FILE_PATTERN}} || FINAL_EXIT=$?
+        fi
+
+        # Run Biome lint
+        if [ "$HAS_BIOME" = true ]; then
+          echo -e "${GREEN}▶${NC} Running Biome lint..."
+          bunx biome lint {{.FILE_PATTERN}} || FINAL_EXIT=$?
+        fi
+
+        if [ "$HAS_ESLINT" = false ] && [ "$HAS_BIOME" = false ]; then
+          echo -e "${YELLOW}⚠${NC} No linter configuration found (ESLint or Biome)"
+        fi
+
+        exit $FINAL_EXIT
+
+  lint:fix:
+    desc: Run linter with auto-fix
+    aliases: [lf]
+    silent: true
+    vars:
+      FILE_PATTERN: '{{.FILES | default "."}}'
+    deps:
+      - task: yaml:lint:fix
+        vars: { FILES: "{{.FILES}}" }
+      - task: markdown:lint:fix
+        vars: { FILES: "{{.FILES}}" }
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        # Detect ESLint
+        HAS_ESLINT=false
+        if [ -f "eslint.config.js" ] || [ -f "eslint.config.mjs" ] || [ -f "eslint.config.cjs" ] || \
+           [ -f ".eslintrc.js" ] || [ -f ".eslintrc.cjs" ] || [ -f ".eslintrc.json" ] || [ -f ".eslintrc" ] || \
+           grep -q '"eslintConfig"' package.json 2>/dev/null; then
+          HAS_ESLINT=true
+        fi
+
+        # Detect Biome
+        HAS_BIOME=false
+        if [ -f "biome.json" ] || [ -f "biome.jsonc" ]; then
+          HAS_BIOME=true
+        fi
+
+        # Detect Prettier
+        HAS_PRETTIER=false
+        if [ -f ".prettierrc" ] || [ -f ".prettierrc.json" ] || [ -f ".prettierrc.js" ] || \
+           [ -f ".prettierrc.cjs" ] || [ -f ".prettierrc.mjs" ] || [ -f "prettier.config.js" ] || \
+           [ -f "prettier.config.cjs" ] || [ -f "prettier.config.mjs" ] || \
+           grep -q '"prettier"' package.json 2>/dev/null; then
+          HAS_PRETTIER=true
+        fi
+
+        # Run linters and formatters
+        if [ "$HAS_ESLINT" = true ]; then
+          echo -e "${GREEN}▶${NC} Running ESLint with auto-fix..."
+          bunx eslint --fix {{.FILE_PATTERN}}
+        fi
+
+        if [ "$HAS_BIOME" = true ]; then
+          echo -e "${GREEN}▶${NC} Running Biome lint with auto-fix..."
+          bunx biome lint --write {{.FILE_PATTERN}}
+        fi
+
+        if [ "$HAS_PRETTIER" = true ]; then
+          echo -e "${GREEN}▶${NC} Running Prettier..."
+          bunx prettier --write --log-level=warn {{.FILE_PATTERN}}
+        fi
+
+        if [ "$HAS_ESLINT" = false ] && [ "$HAS_BIOME" = false ] && [ "$HAS_PRETTIER" = false ]; then
+          echo -e "${YELLOW}⚠${NC} No linter/formatter configuration found (ESLint, Biome, or Prettier)"
+        fi
+
+  format:
+    desc: Format code
+    aliases: [f]
+    silent: true
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        # Detect Biome
+        HAS_BIOME=false
+        if [ -f "biome.json" ] || [ -f "biome.jsonc" ]; then
+          HAS_BIOME=true
+        fi
+
+        # Detect Prettier
+        HAS_PRETTIER=false
+        if [ -f ".prettierrc" ] || [ -f ".prettierrc.json" ] || [ -f ".prettierrc.js" ] || \
+           [ -f ".prettierrc.cjs" ] || [ -f ".prettierrc.mjs" ] || [ -f "prettier.config.js" ] || \
+           [ -f "prettier.config.cjs" ] || [ -f "prettier.config.mjs" ] || \
+           grep -q '"prettier"' package.json 2>/dev/null; then
+          HAS_PRETTIER=true
+        fi
+
+        # Run formatters (Biome first if both exist, as it's faster)
+        if [ "$HAS_BIOME" = true ]; then
+          echo -e "${GREEN}▶${NC} Running Biome format..."
+          bunx biome format --write .
+        fi
+
+        if [ "$HAS_PRETTIER" = true ]; then
+          echo -e "${GREEN}▶${NC} Running Prettier..."
+          bunx prettier --write --log-level=warn .
+        fi
+
+        if [ "$HAS_BIOME" = false ] && [ "$HAS_PRETTIER" = false ]; then
+          echo -e "${YELLOW}⚠${NC} No formatter configuration found (Biome or Prettier)"
+        fi
+
+  typecheck:
+    desc: Type check TypeScript
+    aliases: [tc]
+    silent: true
+    cmds:
+      - bun turbo typecheck
+
+  test:setup-dirs:
+    desc: Create test output directories in root and all packages
+    internal: true
+    silent: true
+    cmds:
+      - |
+        # Create .logs directories in root and each package (turbo runs in package dirs)
+        mkdir -p .logs/test-results .logs/coverage
+        for pkg in packages/*/; do
+          mkdir -p "$pkg/.logs/test-results" "$pkg/coverage"
+        done
+
+  test:
+    desc: Run unit tests (excludes integration tests)
+    aliases: [t]
+    silent: true
+    deps: [test:setup-dirs]
+    cmds:
+      - |
+        source "$(task op:export)"
+        bun turbo test
+
+  test:integration:
+    desc: Run integration tests (tests that interact with real external systems)
+    aliases: [ti]
+    silent: true
+    deps: [test:setup-dirs]
+    cmds:
+      - |
+        source "$(task op:export)"
+        bun turbo test:integration
+
+  test:coverage:
+    desc: Run tests with coverage (use FILES="pattern" or DIFF=true for staged files)
+    aliases: [cov]
+    silent: true
+    deps: [test:setup-dirs]
+    vars:
+      FILE_PATTERN: '{{.FILES | default ""}}'
+      DIFF_MODE: '{{.DIFF | default "false"}}'
+    cmds:
+      - |
+        # Export 1Password secrets
+        source "$(task op:export)"
+
+        EXIT_CODE=0
+
+        if [ "{{.DIFF_MODE}}" = "true" ]; then
+          FILE_LIST=$(git diff --staged --name-only --diff-filter=d '*.ts' '*.tsx' | tr '\n' ' ')
+          if [ -z "$FILE_LIST" ]; then
+            echo "No TypeScript files staged"
+            exit 0
+          fi
+          export FILES="$FILE_LIST"
+          bun run test:coverage || EXIT_CODE=$?
+        elif [ -n "{{.FILE_PATTERN}}" ]; then
+          export FILES="{{.FILE_PATTERN}}"
+          bun run test:coverage || EXIT_CODE=$?
+        else
+          # Use turbo for full coverage run (caching, parallelism)
+          bunx turbo test:coverage || EXIT_CODE=$?
+        fi
+
+        # Always show report, then exit with original exit code
+        task test:coverage:report
+        exit $EXIT_CODE
+
+  test:coverage:report:
+    desc: Display coverage report summary from existing test results
+    aliases: [covr]
+    silent: true
+    vars:
+      THRESHOLD: '{{.THRESHOLD | default "80"}}'
+    cmds:
+      - |
+        # Color codes
+        RED='\033[0;31m'
+        YELLOW='\033[0;33m'
+        GREEN='\033[0;32m'
+        CYAN='\033[0;36m'
+        BOLD='\033[1m'
+        NC='\033[0m'
+
+        # Ensure .tmp directory exists for temp files
+        mkdir -p .tmp
+
+        # Find all lcov files in packages (monorepo) or root
+        # Excludes .logs/ directory (old debug runs)
+        LCOV_FILES=$(find . -path "./packages/*/coverage/lcov.info" -o -path "./coverage/lcov.info" 2>/dev/null | grep -v node_modules | grep -v "\.logs/")
+
+        echo ""
+        echo -e "${BOLD}Coverage Report${NC}"
+        echo ""
+
+        if [ -n "$LCOV_FILES" ]; then
+          # Aggregate coverage from all lcov files
+          TOTAL_HIT=0
+          TOTAL_FOUND=0
+
+          for LCOV_FILE in $LCOV_FILES; do
+            HIT=$(grep "^LH:" "$LCOV_FILE" 2>/dev/null | awk -F: '{sum+=$2} END {print sum+0}')
+            FOUND=$(grep "^LF:" "$LCOV_FILE" 2>/dev/null | awk -F: '{sum+=$2} END {print sum+0}')
+            TOTAL_HIT=$((TOTAL_HIT + HIT))
+            TOTAL_FOUND=$((TOTAL_FOUND + FOUND))
+
+            # Extract package name from path (handle root ./coverage/lcov.info)
+            # Check for root patterns first, before removing suffixes
+            PKG_NAME=$(echo "$LCOV_FILE" | sed -e 's|^\./coverage/lcov\.info$|root|' -e 's|^\./\.logs/coverage/lcov\.info$|root|' -e 's|^\./packages/||' -e 's|/coverage/lcov\.info$||')
+            if [ "$FOUND" -gt 0 ]; then
+              PKG_PCT=$(awk "BEGIN {printf \"%.1f\", ($HIT/$FOUND)*100}")
+              # Color code: green >= 80%, yellow >= 50%, red < 50%
+              if awk "BEGIN {exit !($PKG_PCT >= 80)}"; then
+                PKG_COLOR="$GREEN"
+              elif awk "BEGIN {exit !($PKG_PCT >= 50)}"; then
+                PKG_COLOR="$YELLOW"
+              else
+                PKG_COLOR="$RED"
+              fi
+              echo -e "  ${CYAN}${PKG_NAME}:${NC} ${HIT}/${FOUND} (${PKG_COLOR}${PKG_PCT}%${NC})"
+            fi
+          done
+
+          if [ "$TOTAL_FOUND" -gt 0 ]; then
+            COVERAGE_PCT=$(awk "BEGIN {printf \"%.1f\", ($TOTAL_HIT/$TOTAL_FOUND)*100}")
+            # Color code total
+            if awk "BEGIN {exit !($COVERAGE_PCT >= 80)}"; then
+              TOTAL_COLOR="$GREEN"
+            elif awk "BEGIN {exit !($COVERAGE_PCT >= 50)}"; then
+              TOTAL_COLOR="$YELLOW"
+            else
+              TOTAL_COLOR="$RED"
+            fi
+            echo ""
+            echo -e "  ${BOLD}Total:${NC} ${TOTAL_HIT}/${TOTAL_FOUND} (${TOTAL_COLOR}${COVERAGE_PCT}%${NC})"
+          fi
+
+          # Parse all lcov files to find files below threshold
+          # Process each lcov file separately to preserve package context
+          > .tmp/low_coverage_raw.txt
+          for LCOV_FILE in $LCOV_FILES; do
+            # Extract package prefix from lcov path (e.g., packages/secureai-core/)
+            PKG_PREFIX=$(echo "$LCOV_FILE" | sed -n 's|\./\(packages/[^/]*/\)coverage/lcov.info|\1|p')
+
+            awk -v threshold="{{.THRESHOLD}}" -v pkg_prefix="$PKG_PREFIX" '
+              /^SF:/ {
+                file = substr($0, 4)
+                # Skip cross-package references (files starting with ../)
+                if (file ~ /^\.\.\//) {
+                  skip = 1
+                  next
+                }
+                # Prepend package prefix to relative paths (src/... or tests/...)
+                if (pkg_prefix != "" && file ~ /^src\//) {
+                  file = pkg_prefix file
+                } else if (pkg_prefix != "" && file ~ /^tests\//) {
+                  file = pkg_prefix file
+                }
+                # Check exclusion patterns (matching bunfig.toml)
+                skip = 0
+                if (file ~ /\.system\.ts$/) skip = 1
+                if (file ~ /systems\.ts$/) skip = 1
+                if (file ~ /\.cli\.ts$/) skip = 1
+                if (file ~ /\/index\.ts$/) skip = 1
+                if (file ~ /\/interfaces\.ts$/) skip = 1
+                if (file ~ /\/mock\.ts$/) skip = 1
+                if (file ~ /\/mocks\.ts$/) skip = 1
+                if (file ~ /\/mocks\//) skip = 1
+                if (file ~ /test-doubles\.ts$/) skip = 1
+                if (file ~ /^tests\//) skip = 1
+                if (file ~ /\.test\.ts$/) skip = 1
+                if (file ~ /\/setup\.ts$/) skip = 1
+                if (file ~ /\/tools\/plan-/) skip = 1
+                if (file ~ /\/tools\/pii-/) skip = 1
+                if (file ~ /\/tools\/secret-/) skip = 1
+                if (file ~ /in-memory/) skip = 1
+                if (file ~ /\.system\.js$/) skip = 1
+              }
+              /^LF:/ { lines_found = substr($0, 4) }
+              /^LH:/ { lines_hit = substr($0, 4) }
+              /^end_of_record/ {
+                if (lines_found > 0 && skip == 0) {
+                  coverage = (lines_hit / lines_found) * 100
+                  if (coverage < threshold) {
+                    printf "%s|%.1f\n", file, coverage
+                  }
+                }
+                file = ""; lines_found = 0; lines_hit = 0; skip = 0
+              }
+            ' "$LCOV_FILE" >> .tmp/low_coverage_raw.txt
+          done
+
+          # Deduplicate by file (keep first occurrence - lowest will be sorted first)
+          sort -t'|' -k2 -n .tmp/low_coverage_raw.txt 2>/dev/null | \
+            awk -F'|' '!seen[$1]++ { print $1 "|" $2 }' | \
+            sort -t'|' -k2 -n > .tmp/low_coverage_files.txt
+          rm -f .tmp/low_coverage_raw.txt
+
+          echo ""
+          if [ -s .tmp/low_coverage_files.txt ]; then
+            FILE_COUNT=$(wc -l < .tmp/low_coverage_files.txt | tr -d ' ')
+            echo -e "${BOLD}Files Below {{.THRESHOLD}}%${NC} (${FILE_COUNT} files)"
+            echo ""
+            echo -e "  ${CYAN}Coverage   File${NC}"
+            echo -e "  ${CYAN}─────────  ────────────────────────────────────────────────────${NC}"
+            awk -F'|' -v red="$RED" -v yellow="$YELLOW" -v nc="$NC" '{
+              color = ($2 < 50) ? red : yellow
+              printf "  %s%7.1f%%  %s%s\n", color, $2, nc, $1
+            }' .tmp/low_coverage_files.txt
+            echo ""
+            echo -e "  ${RED}$FILE_COUNT file(s) below threshold${NC}"
+          else
+            echo -e "  ${GREEN}✓ All files meet {{.THRESHOLD}}% coverage${NC}"
+          fi
+          rm -f .tmp/low_coverage_files.txt
+        else
+          echo -e "  ${YELLOW}No coverage files found${NC}"
+          echo -e "  ${CYAN}Run:${NC} task test:coverage"
+        fi
+
+        # Find all junit files in packages (monorepo) or root
+        JUNIT_FILES=$(find . -path "./packages/*/.logs/test-results/junit.xml" -o -path "./.logs/test-results/junit.xml" 2>/dev/null | grep -v node_modules)
+
+        echo ""
+        echo -e "${BOLD}Test Results${NC}"
+        echo ""
+
+        if [ -n "$JUNIT_FILES" ]; then
+          TOTAL_TESTS=0
+          TOTAL_FAILURES=0
+
+          for JUNIT_FILE in $JUNIT_FILES; do
+            TESTS=$(grep -o 'tests="[0-9]*"' "$JUNIT_FILE" 2>/dev/null | head -1 | grep -o '[0-9]*' || echo "0")
+            FAILURES=$(grep -o 'failures="[0-9]*"' "$JUNIT_FILE" 2>/dev/null | head -1 | grep -o '[0-9]*' || echo "0")
+            TOTAL_TESTS=$((TOTAL_TESTS + TESTS))
+            TOTAL_FAILURES=$((TOTAL_FAILURES + FAILURES))
+
+            # Extract package name from path
+            PKG_NAME=$(echo "$JUNIT_FILE" | sed 's|^\./packages/||' | sed 's|/\.logs/test-results/junit.xml||' | sed 's|^\./\.logs/test-results/junit.xml|root|')
+            if [ "$FAILURES" = "0" ]; then
+              echo -e "  ${GREEN}✓${NC} ${PKG_NAME}: ${TESTS} tests"
+            else
+              echo -e "  ${RED}✗${NC} ${PKG_NAME}: ${FAILURES}/${TESTS} failed"
+            fi
+          done
+
+          echo ""
+          if [ "$TOTAL_FAILURES" = "0" ]; then
+            echo -e "  ${GREEN}✓ ${TOTAL_TESTS} tests passed${NC}"
+          else
+            echo -e "  ${RED}✗ ${TOTAL_FAILURES} failures${NC} out of ${TOTAL_TESTS} tests"
+          fi
+        else
+          echo -e "  ${YELLOW}No test result files found${NC}"
+          echo -e "  ${CYAN}Run:${NC} task test:coverage"
+        fi
+        echo ""
+
+  test:clear:
+    desc: Clear test caches, coverage reports, and result files
+    aliases: [tcl]
+    silent: true
+    cmds:
+      - bun run packages/secureai-cli/src/cli.ts test-clear {{.CLI_ARGS}}
+
+  ci:
+    desc: Run CI checks (lint, typecheck, test, build)
+    silent: true
+    deps:
+      - lint
+      - typecheck
+      - test
+      - build
+
+  # Settings shortcuts (flattened from claude namespace for convenience)
+  so:
+    desc: Open Claude settings.json in detected IDE
+    silent: true
+    cmds:
+      - task claude:settings:open
+
+  ss:
+    desc: Show current Claude settings
+    silent: true
+    cmds:
+      - task claude:settings:show
+
+  sp:
+    desc: Print Claude settings file path
+    silent: true
+    cmds:
+      - task claude:settings:path
+
+  # Cross-platform IDE file opener utility
+  # Opens file in the IDE that invoked the task (detects from environment/process)
+  ide:open:
+    desc: Open file in current IDE (detects invoking IDE from environment)
+    aliases: [io]
+    silent: true
+    vars:
+      FILE_PATH: '{{.FILE | default ""}}'
+    cmds:
+      - |
+        FILE_PATH="{{.FILE_PATH}}"
+        if [ -z "$FILE_PATH" ]; then
+          echo "Usage: task ide:open FILE=\"path/to/file\""
+          exit 1
+        fi
+
+        # Expand ~ to home directory
+        FILE_PATH="${FILE_PATH/#\~/$HOME}"
+
+        # Detect which IDE invoked us by checking environment variables
+        # VSCODE_CODE_CACHE_PATH contains the IDE name in the path
+        IDE_CMD=""
+
+        if [ -n "$VSCODE_CODE_CACHE_PATH" ]; then
+          if [[ "$VSCODE_CODE_CACHE_PATH" == *"Cursor"* ]]; then
+            IDE_CMD="cursor"
+          elif [[ "$VSCODE_CODE_CACHE_PATH" == *"Code - Insiders"* ]]; then
+            IDE_CMD="code-insiders"
+          elif [[ "$VSCODE_CODE_CACHE_PATH" == *"Code"* ]]; then
+            IDE_CMD="code"
+          fi
+        fi
+
+        # Fallback: check __CFBundleIdentifier on macOS
+        if [ -z "$IDE_CMD" ] && [ -n "$__CFBundleIdentifier" ]; then
+          case "$__CFBundleIdentifier" in
+            com.todesktop.230313mzl4w4u92)
+              IDE_CMD="cursor"
+              ;;
+            com.microsoft.VSCodeInsiders)
+              IDE_CMD="code-insiders"
+              ;;
+            com.microsoft.VSCode)
+              IDE_CMD="code"
+              ;;
+          esac
+        fi
+
+        # External terminal fallback: code > code-insiders > cursor
+        if [ -z "$IDE_CMD" ]; then
+          if command -v code &> /dev/null; then
+            IDE_CMD="code"
+          elif command -v code-insiders &> /dev/null; then
+            IDE_CMD="code-insiders"
+          elif command -v cursor &> /dev/null; then
+            IDE_CMD="cursor"
+          fi
+        fi
+
+        if [ -z "$IDE_CMD" ]; then
+          # Fallback: try platform-specific open
+          case "$(uname -s)" in
+            Darwin)
+              open "$FILE_PATH"
+              ;;
+            Linux)
+              xdg-open "$FILE_PATH" 2>/dev/null || echo "No IDE found"
+              ;;
+            MINGW*|MSYS*|CYGWIN*)
+              start "" "$FILE_PATH"
+              ;;
+            *)
+              echo "No IDE found. Install cursor, code, or code-insiders"
+              exit 1
+              ;;
+          esac
+        else
+          "$IDE_CMD" "$FILE_PATH"
+        fi