@phren/cli 0.0.10 → 0.0.12

package/mcp/dist/skill-files.js

@@ -5,6 +5,7 @@ import { findProjectDir } from "./project-locator.js";
 import { buildSkillManifest } from "./skill-registry.js";
 import { setSkillEnabled } from "./skill-state.js";
 import { errorMessage } from "./utils.js";
+import { isManagedSymlink } from "./link-skills.js";
 function normalizeSkillRemovalTarget(skillPath) {
     if (!skillPath)
         return skillPath;
@@ -19,10 +20,9 @@ function symlinkManagedSkill(src, dest, managedRoot) {
         if (stat.isSymbolicLink()) {
             const currentTarget = fs.readlinkSync(dest);
             const resolvedTarget = path.resolve(path.dirname(dest), currentTarget);
-            const managedPrefix = path.resolve(managedRoot) + path.sep;
             if (resolvedTarget === path.resolve(src))
                 return;
-            if (!resolvedTarget.startsWith(managedPrefix))
+            if (!isManagedSymlink(dest, managedRoot))
                 return;
             fs.unlinkSync(dest);
         }
@@ -39,18 +39,12 @@ function symlinkManagedSkill(src, dest, managedRoot) {
 }
 function removeManagedSkillLink(dest, managedRoot) {
     try {
-        const stat = fs.lstatSync(dest);
-        if (!stat.isSymbolicLink())
-            return;
-        const currentTarget = fs.readlinkSync(dest);
-        const resolvedTarget = path.resolve(path.dirname(dest), currentTarget);
-        const managedPrefix = path.resolve(managedRoot) + path.sep;
-        if (!resolvedTarget.startsWith(managedPrefix))
+        if (!isManagedSymlink(dest, managedRoot))
             return;
         fs.unlinkSync(dest);
     }
     catch (err) {
-        if (err.code !== "ENOENT" && (process.env.PHREN_DEBUG || process.env.PHREN_DEBUG)) {
+        if (err.code !== "ENOENT" && (process.env.PHREN_DEBUG)) {
             process.stderr.write(`[phren] removeManagedSkillLink: ${errorMessage(err)}\n`);
         }
     }

package/mcp/dist/skill-registry.js

@@ -64,6 +64,9 @@ function getProjectLocalSkills(phrenPath, project) {
     return collectSkills(phrenPath, path.join(projectDir, "skills"), project, "project", "canonical", seen);
 }
 function skillPriority(skill) {
+    // "user" scope (priority 500) reserved for skills the user marks as untouchable —
+    // not yet wired to a scopeType value, but the priority slot is established here
+    // so the ordering is stable when we add it.
     if (skill.scopeType === "project" && skill.sourceKind === "canonical")
         return 400;
     if (skill.scopeType === "global" && skill.sourceKind === "canonical")

package/mcp/dist/status.js

@@ -3,12 +3,14 @@ import * as path from "path";
 import { fileURLToPath } from "url";
 import { findPhrenPath, getProjectDirs, EXEC_TIMEOUT_QUICK_MS, debugLog, isRecord, hookConfigPath, homeDir, readRootManifest, } from "./shared.js";
 import { buildIndex, detectProject, findFtsCacheForPath, listIndexedDocumentPaths, queryRows } from "./shared-index.js";
+import { mergeConfig, getWorkflowPolicy } from "./shared-governance.js";
 import { getMcpEnabledPreference, getHooksEnabledPreference } from "./init.js";
 import { getTelemetrySummary } from "./telemetry.js";
-import { runGit as runGitShared } from "./utils.js";
+import { runGit as runGitShared, errorMessage } from "./utils.js";
 import { readRuntimeHealth, resolveTaskFilePath } from "./data-access.js";
 import { resolveRuntimeProfile } from "./runtime-profile.js";
 import { renderPhrenArt } from "./phren-art.js";
+import { RESET, BOLD, DIM, GREEN, YELLOW, RED, CYAN } from "./shell-render.js";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 function readPackageVersion() {
     try {
@@ -17,18 +19,11 @@ function readPackageVersion() {
         return typeof pkg.version === "string" ? pkg.version : "unknown";
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] readPackageVersion: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] readPackageVersion: ${errorMessage(err)}\n`);
         return "unknown";
     }
 }
-const RESET = "\x1b[0m";
-const BOLD = "\x1b[1m";
-const DIM = "\x1b[2m";
-const GREEN = "\x1b[32m";
-const YELLOW = "\x1b[33m";
-const RED = "\x1b[31m";
-const CYAN = "\x1b[36m";
 function check(ok) {
     return ok ? `${GREEN}ok${RESET}` : `${RED}missing${RESET}`;
 }
@@ -71,6 +66,33 @@ export async function runStatus() {
     // Active project
     if (activeProject) {
         console.log(`  ${DIM}project${RESET}  ${activeProject}`);
+        // Effective config for this project
+        try {
+            const resolved = mergeConfig(phrenPath, activeProject);
+            const globalWorkflow = getWorkflowPolicy(phrenPath);
+            const projectSensitivity = resolved.findingSensitivity !== globalWorkflow.findingSensitivity
+                ? `${resolved.findingSensitivity} ${DIM}(project override)${RESET}`
+                : resolved.findingSensitivity;
+            const projectTaskMode = resolved.taskMode !== globalWorkflow.taskMode
+                ? `${resolved.taskMode} ${DIM}(project override)${RESET}`
+                : resolved.taskMode;
+            console.log(`  ${DIM}sensitivity${RESET}  ${projectSensitivity}`);
+            console.log(`  ${DIM}task mode${RESET}    ${projectTaskMode}`);
+            if (resolved.proactivity.base || resolved.proactivity.findings || resolved.proactivity.tasks) {
+                const parts = [];
+                if (resolved.proactivity.base)
+                    parts.push(`base:${resolved.proactivity.base}`);
+                if (resolved.proactivity.findings)
+                    parts.push(`findings:${resolved.proactivity.findings}`);
+                if (resolved.proactivity.tasks)
+                    parts.push(`tasks:${resolved.proactivity.tasks}`);
+                console.log(`  ${DIM}proactivity${RESET}  ${parts.join(" ")} ${DIM}(project override)${RESET}`);
+            }
+        }
+        catch (err) {
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] statusConfig: ${errorMessage(err)}\n`);
+        }
     }
     // Phren path and config
     console.log(`  ${DIM}path${RESET}     ${phrenPath}`);
@@ -102,8 +124,8 @@ export async function runStatus() {
                 mcpConfigured = Boolean(servers?.phren || servers?.phren);
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                    process.stderr.write(`[phren] statusWorkspaceMcp parse: ${err instanceof Error ? err.message : String(err)}\n`);
+                if ((process.env.PHREN_DEBUG))
+                    process.stderr.write(`[phren] statusWorkspaceMcp parse: ${errorMessage(err)}\n`);
             }
         }
     }
@@ -120,8 +142,8 @@ export async function runStatus() {
                 hooksInstalled = hookEvents.every((event) => hasCommandHook(hooks?.[event]));
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                    process.stderr.write(`[phren] statusHooks settingsParse: ${err instanceof Error ? err.message : String(err)}\n`);
+                if ((process.env.PHREN_DEBUG))
+                    process.stderr.write(`[phren] statusHooks settingsParse: ${errorMessage(err)}\n`);
             }
         }
     }
@@ -151,8 +173,8 @@ export async function runStatus() {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] statusFtsIndex: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] statusFtsIndex: ${errorMessage(err)}\n`);
     }
     const ftsLabel = ftsIndexOk
         ? `${GREEN}ok${RESET} ${DIM}(${ftsIndexSize > 0 ? `${(ftsIndexSize / 1024).toFixed(0)} KB` : `${ftsDocCount ?? 0} docs`})${RESET}`
@@ -186,8 +208,8 @@ export async function runStatus() {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] statusSemantic: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] statusSemantic: ${errorMessage(err)}\n`);
     }
     // Agent integration status
     function hasPhrenEntry(filePath) {
@@ -198,8 +220,8 @@ export async function runStatus() {
             return raw.includes('"phren"') || raw.includes("'phren'") || raw.includes('"phren"') || raw.includes("'phren'");
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                process.stderr.write(`[phren] hasPhrenEntry: ${err instanceof Error ? err.message : String(err)}\n`);
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] hasPhrenEntry: ${errorMessage(err)}\n`);
             return false;
         }
     }
@@ -274,7 +296,7 @@ export async function runStatus() {
             totalTask += countBullets(taskPath);
         totalQueue += countQueueItems(phrenPath, projName);
     }
-    console.log(`\n  ${DIM}phren holds${RESET}  ${projectDirs.length} projects, ${totalFindings} fragments, ${totalTask} tasks, ${totalQueue} queued`);
+    console.log(`\n  ${DIM}phren holds${RESET}  ${projectDirs.length} projects, ${totalFindings} findings, ${totalTask} tasks, ${totalQueue} queued`);
     const gitTarget = manifest?.installMode === "project-local" && manifest.workspaceRoot ? manifest.workspaceRoot : phrenPath;
     const isGitRepo = runGit(gitTarget, ["rev-parse", "--is-inside-work-tree"]) === "true";
     const hasOriginRemote = isGitRepo && Boolean(runGit(gitTarget, ["remote", "get-url", "origin"]));

package/mcp/dist/task-hygiene.js

@@ -141,7 +141,7 @@ function collectCorpus(root) {
                 texts.push(fs.readFileSync(fullPath, "utf8").slice(0, MAX_TEXT_BYTES).toLowerCase());
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] task hygiene read ${fullPath}: ${errorMessage(err)}\n`);
             }
             if (filesSeen >= MAX_FILES_PER_ROOT)

package/mcp/dist/telemetry.js

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import { runtimeDir } from "./shared.js";
+import { errorMessage } from "./utils.js";
 // In-memory buffers keyed by phrenPath to batch disk writes
 // Keeping per-path buffers avoids silently losing events when the active path changes.
 const buffers = new Map();
@@ -25,8 +26,8 @@ function loadFromDisk(phrenPath) {
         };
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] telemetry loadFromDisk: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] telemetry loadFromDisk: ${errorMessage(err)}\n`);
         return defaults;
     }
 }
@@ -57,8 +58,8 @@ function flushTelemetryForPath(phrenPath) {
         fs.writeFileSync(file, JSON.stringify(data, null, 2) + "\n");
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] telemetry flush: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] telemetry flush: ${errorMessage(err)}\n`);
     }
     pendingCounts.set(phrenPath, 0);
 }

package/mcp/dist/update.js

@@ -63,7 +63,7 @@ export async function runPhrenUpdate(opts = {}) {
                 }
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] runPhrenUpdate gitStatus: ${errorMessage(err)}\n`);
             }
             const pull = run("git", ["pull", "--rebase", "--autostash"], root);

package/mcp/dist/utils.js

@@ -12,7 +12,7 @@ function loadSynonymsJson(fileName) {
         return JSON.parse(fs.readFileSync(filePath, "utf8"));
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] ${fileName} load failed: ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }
@@ -241,7 +241,7 @@ export function sanitizeFts5Query(raw) {
     if (raw.length > 500)
         raw = raw.slice(0, 500);
     // Whitelist approach: only allow alphanumeric, spaces, hyphens, apostrophes, double quotes, asterisks
-    let q = raw.replace(/[^a-zA-Z0-9 \-'"*]/g, " ");
+    let q = raw.replace(/[^a-zA-Z0-9 \-"*]/g, " ");
     q = q.replace(/\s+/g, " ");
     q = q.trim();
     // Q83: FTS5 only accepts * as a prefix operator directly attached to a token
@@ -276,7 +276,7 @@ function parseSynonymsYaml(filePath) {
         return loaded;
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] synonyms.yaml parse failed (${filePath}): ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }
@@ -315,7 +315,7 @@ function parseLearnedSynonymsJson(filePath) {
         return loaded;
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] learned-synonyms parse failed (${filePath}): ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@phren/cli",
-  "version": "0.0.10",
-  "description": "Knowledge layer for AI agents. Claude remembers you. Phren remembers your work.",
+  "version": "0.0.12",
+  "description": "Knowledge layer for AI agents. Phren learns and recalls.",
   "type": "module",
   "bin": {
     "phren": "mcp/dist/index.js"
@@ -18,7 +18,6 @@
     "glob": "^13.0.6",
     "inquirer": "^12.10.0",
     "js-yaml": "^4.1.1",
-    "sharp": "^0.34.5",
     "sql.js-fts5": "^1.4.0",
     "zod": "^4.3.6"
   },

package/skills/docs.md

@@ -74,10 +74,10 @@ These numbers appear in multiple files and must all agree:
 
 | Item | Where to verify |
 |------|----------------|
-| MCP tool count | `mcp/src/index.ts` — count `server.tool(` calls |
-| CLI subcommand count | `mcp/src/cli.ts` — count `program.command(` calls |
+| MCP tool count | `mcp/src/index.ts`: count `server.tool(` calls |
+| CLI subcommand count | `mcp/src/cli.ts`: count `program.command(` calls |
 | Version | `package.json` → `version` field |
-| Hook events | `mcp/src/init.ts` — look for hook registration |
+| Hook events | `mcp/src/init.ts`: look for hook registration |
 
 Run `/parity` if it is installed to automate numeric cross-checking across surfaces.
 
@@ -95,7 +95,7 @@ Sections to verify and update:
 - **Tool count** in any summary sentence (e.g. "65 MCP tools")
 
 When updating the HTML:
-- Keep existing structure and CSS classes — do not restructure the page
+- Keep existing structure and CSS classes. Do not restructure the page
 - Update text content only; do not rewrite layout
 - Preserve the `<details>` blocks for env var categories if they exist
 
@@ -103,12 +103,12 @@ When updating the HTML:
 
 These files are consumed by LLMs directly. Keep them plain text with no HTML.
 
-`llms.txt` — short summary (under 60 lines):
+`llms.txt`, short summary (under 60 lines):
 - Tool count
 - Install command
 - One-line description of what phren does
 
-`llms-full.txt` — comprehensive reference:
+`llms-full.txt`, comprehensive reference:
 - All MCP tool signatures with descriptions
 - All CLI commands
 - All environment variables
@@ -122,7 +122,7 @@ The CLI commands block must list every top-level command. Add or remove lines to
 
 ### 7. Sync version references
 
-`CHANGELOG.md`: the top entry's version must match `package.json`. If a new version was bumped but the changelog has no entry yet, note it — do not fabricate one.
+`CHANGELOG.md`: the top entry's version must match `package.json`. If a new version was bumped but the changelog has no entry yet, note it. Do not fabricate one.
 
 `README.md` and `docs/index.html`: update any hardcoded version strings (badges, `npm install @phren/cli@X.Y.Z`, etc.).
 
@@ -150,18 +150,18 @@ No changes needed:
   - mcp/README.md: tool count correct
 
 Warnings:
-  - docs/faq.md: references `phren init` — command was renamed to `phren link` in v0.0.7
+  - docs/faq.md: references `phren init`, command was renamed to `phren link` in v0.0.7
 ```
 
 List every file checked. Be specific about what changed and what line/section.
 
 ## What not to do
 
-- Do not restructure or reformat documentation for style — only fix accuracy
+- Do not restructure or reformat documentation for style. Only fix accuracy
 - Do not add new sections or features to the docs without user direction
 - Do not fabricate changelog entries for unreleased versions
-- Do not silently skip a surface because it looks "probably fine" — check all of them
-- Do not guess tool counts — always derive from `grep` on the source file
+- Do not silently skip a surface because it looks "probably fine". Check all of them
+- Do not guess tool counts. Always derive from `grep` on the source file
 
 ## Related skills
 

package/starter/README.md

@@ -1,6 +1,6 @@
 # My Phren
 
-Your personal project store for [phren](https://github.com/alaarab/phren). Phren is your project's memory keeper — he holds what your agents learn and surfaces it when it matters, across sessions and machines.
+Your personal project store for [phren](https://github.com/alaarab/phren). Phren is your project's memory keeper. He holds what your agents learn and surfaces it when it matters, across sessions and machines.
 
 ## Structure
 

package/starter/global/CLAUDE.md

@@ -56,7 +56,7 @@ Run `/phren-sync` to pull everything down or push changes back.
 
 ## MCP tools
 
-The phren MCP server is running. Phren already knows a lot — ask him before asking the user to repeat themselves.
+The phren MCP server is running. Phren already knows a lot. Ask him before asking the user to repeat themselves.
 
 - **At session start:** ask phren what's active: `list_projects()`, then `get_project_summary(name)` for the relevant project
 - **When the user mentions a project, codebase, or task:** ask phren first: `search_knowledge(query)` before asking questions
@@ -86,4 +86,4 @@ Read `~/.phren-context.md` at the start of every session for machine-specific co
 
 ## Without MCP server
 
-If the MCP server isn't available, phren still helps. Claude reads `~/.phren-context.md` and per-project memory files from `~/.claude/projects/` for context, then fetches details directly from `~/.phren/project-name/` as needed. No MCP required — phren just works a bit more quietly.
+If the MCP server isn't available, phren still helps. Claude reads `~/.phren-context.md` and per-project memory files from `~/.claude/projects/` for context, then fetches details directly from `~/.phren/project-name/` as needed. No MCP required, phren just works a bit more quietly.

package/starter/global/skills/audit.md

@@ -0,0 +1,106 @@
+---
+name: audit
+description: Full codebase audit. Dead code, security, dependencies, performance, optimization. Not a diff review, scans everything.
+---
+# /audit - Full Codebase Audit
+
+Unlike `/simplify` (which reviews your last diff), this scans the entire codebase. Run it when you want to clean house.
+
+## What It Does
+
+Launch 5 parallel agents. Each one scans the full codebase for a different class of problem. When they're done, aggregate findings and fix what's fixable.
+
+## Phase 1: Discover the Codebase
+
+Before launching agents, understand the project:
+
+```
+1. Read package.json (or pyproject.toml, Cargo.toml, go.mod, whatever applies)
+2. Find the source directories (src/, lib/, app/, etc.)
+3. Count files by extension to understand the stack
+4. Check for existing lint/test configs
+```
+
+Pass this context to every agent so they know where to look.
+
+## Phase 2: Launch 5 Agents in Parallel
+
+Use the Agent tool to launch all five concurrently in a single message. Give each agent the project context from Phase 1.
+
+### Agent 1: Dead Code & Unused Exports
+
+Find code that exists but isn't used:
+
+1. **Unused exports.** For every `export` in the codebase, check if it's imported anywhere. Flag exports that are only used in their own file or not used at all. Exclude entry points and public API surfaces.
+2. **Unused dependencies.** Cross-reference `package.json` dependencies against actual imports in source files. Flag packages that are installed but never imported. Check devDependencies too. Are test utilities actually used in tests?
+3. **Dead functions.** Functions defined but never called. Methods on classes that nothing invokes. Event handlers registered but for events that are never emitted.
+4. **Orphan files.** Files that nothing imports. Test files for source files that no longer exist. Config files for tools that aren't in the project.
+5. **Feature flags that resolved.** Environment variable checks where one branch is clearly dead. TODO/FIXME/HACK comments older than 6 months.
+6. **Stale type definitions.** Interfaces or types that nothing references. Generic type parameters that are always the same concrete type.
+
+### Agent 2: Security Scan
+
+Look for vulnerabilities in the actual code (not just `npm audit`):
+
+1. **Injection vectors.** Shell commands built from user input without sanitization. SQL queries with string concatenation. HTML built from unescaped variables. Regex built from user input (ReDoS).
+2. **Path traversal.** Any file operation where the path comes from user input or external data without validation. Check for `../` normalization and symlink following.
+3. **Secret exposure.** Hardcoded API keys, tokens, passwords. Environment variables logged or included in error messages. Secrets in URLs or query parameters.
+4. **Insecure defaults.** TLS verification disabled. CORS set to `*`. Cookies without secure/httponly/samesite flags. Debug modes that shouldn't ship.
+5. **Dependency vulnerabilities.** Run `npm audit` (or equivalent). Check for known CVEs. Flag dependencies that haven't been updated in 12+ months.
+6. **Auth and access control.** Endpoints or functions that should check permissions but don't. Token validation that's incomplete. Rate limiting gaps.
+7. **SSRF and network.** Outbound requests where the URL comes from user input. Webhook/callback URLs that aren't validated against internal networks.
+
+### Agent 3: Performance & Efficiency
+
+Find code that wastes time or resources:
+
+1. **Startup cost.** What runs at import/require time? Top-level await, synchronous file reads, heavy initialization that could be lazy.
+2. **N+1 patterns.** Loops that make a network/disk/DB call per iteration instead of batching.
+3. **Redundant computation.** The same value computed multiple times in a hot path. Missing memoization where inputs rarely change. Expensive operations inside loops that could be hoisted.
+4. **Blocking operations.** Synchronous file I/O on async paths. `JSON.parse` on large payloads without streaming. CPU-heavy work on the event loop.
+5. **Unbounded growth.** Caches without eviction. Arrays that grow without limits. Event listeners that are added but never removed. Intervals that are set but never cleared.
+6. **Over-fetching.** Loading entire files when you need one field. Importing a whole library for one function. Reading all records when filtering for a subset.
+7. **Missed parallelism.** Sequential `await` calls that are independent and could use `Promise.all`. File operations that could be batched.
+
+### Agent 4: Code Quality & Simplification
+
+Find code that's more complicated than it needs to be:
+
+1. **Abstraction debt.** Functions over 80 lines. Files over 500 lines. Classes that do too many things. Deeply nested conditionals (3+ levels).
+2. **Copy-paste code.** Near-duplicate blocks across files. Similar switch/case statements that should share logic. Functions that differ by one parameter.
+3. **Unnecessary indirection.** Wrapper functions that add nothing. Abstract classes with one implementation. Factory patterns for objects that are only created once.
+4. **Type complexity.** Union types with 5+ members. Generic types nested 3+ levels deep. Type assertions (`as`) that could be avoided with better typing.
+5. **Error handling.** Empty catch blocks. Catch-and-rethrow without adding context. Inconsistent error types across similar operations.
+6. **Naming.** Boolean variables that don't read as questions. Functions whose names don't describe what they return. Abbreviations that only the author understands.
+7. **Stale patterns.** Callbacks where promises/async would be cleaner. Manual iteration where array methods would work. Hand-rolled utilities where the language or a dependency provides it.
+
+### Agent 5: Dependency Health
+
+Audit the dependency tree:
+
+1. **Outdated packages.** Run `npm outdated` (or equivalent). Flag major version bumps that are available. Note any breaking changes.
+2. **Heavy dependencies.** Check bundle/install size. Flag packages over 1MB that could be replaced with lighter alternatives or native APIs.
+3. **Duplicate functionality.** Multiple packages that do the same thing (e.g., both `lodash` and `underscore`, or `axios` and `node-fetch`).
+4. **License issues.** Check for GPL or other copyleft licenses in a non-GPL project. Flag any "unknown" licenses.
+5. **Abandoned packages.** Dependencies with no commits in 2+ years, or archived repos.
+6. **Phantom dependencies.** Imports that resolve only because a parent dependency installs them (not in your own package.json).
+
+## Phase 3: Triage and Fix
+
+Wait for all agents. Then:
+
+1. **Deduplicate.** Multiple agents may flag the same issue from different angles. Merge them.
+2. **Prioritize.** Security issues first. Then dead code (easy wins). Then performance. Then quality.
+3. **Fix directly.** Don't just report. Fix what you can. For things that need the user's input (like removing a dependency that might be used in a way you can't see), ask.
+4. **Summarize.** Report what was found, what was fixed, and what needs the user's decision.
+
+## Options
+
+The user can scope the audit:
+
+- `/audit`: full audit, all 5 agents
+- `/audit security`: just the security agent
+- `/audit dead-code`: just dead code detection
+- `/audit performance`: just performance
+- `/audit deps`: just dependency health
+- `/audit quality`: just code quality

package/mcp/dist/cli-hooks-retrieval.js

@@ -1,2 +0,0 @@
-// cli-hooks-retrieval.ts — re-export surface for the shared retrieval core.
-export * from "./shared-retrieval.js";

package/mcp/dist/impact-scoring.js

@@ -1,22 +0,0 @@
-// Backward-compatible wrapper around finding-impact.
-import { findingIdFromLine, extractFindingIdsFromSnippet, logImpact, getHighImpactFindings, markImpactEntriesCompletedForSession, } from "./finding-impact.js";
-export function impactEntryKey(project, findingId) {
-    return `${project}\u0000${findingId}`;
-}
-export { findingIdFromLine, extractFindingIdsFromSnippet, markImpactEntriesCompletedForSession, };
-export function appendImpactEntries(phrenPath, entries) {
-    const pending = entries.filter((entry) => !entry.taskCompleted);
-    if (pending.length === 0)
-        return;
-    logImpact(phrenPath, pending.map((entry) => ({
-        findingId: entry.findingId,
-        project: entry.project,
-        sessionId: entry.sessionId,
-    })));
-}
-export function getHighImpactFindingKeys(phrenPath, minSuccessCount = 3) {
-    const findingIds = getHighImpactFindings(phrenPath, minSuccessCount);
-    // Legacy API encoded project+findingId; new API tracks finding ID globally.
-    // Return IDs as-is to preserve compatibility where only membership checks are used.
-    return findingIds;
-}

package/mcp/dist/shared-paths.js

@@ -1 +0,0 @@
-export * from "./phren-paths.js";