@planu/cli 4.1.2 → 4.1.4

package/CHANGELOG.md

@@ -1,3 +1,24 @@
+## [4.1.4] - 2026-05-21
+
+### Bug Fixes
+- Centralize Rust-first hot-path fallback behavior in `core-bridge` so callers use native acceleration when available and TypeScript fallbacks consistently when unavailable.
+- Keep crash scanning, broad validation reads, gaps log verification, HMAC signing, duplicate detection, and layer scanning resilient when native reads return partial results or test doubles expose older nullable bridge behavior.
+- Lock published native optional dependencies across macOS and Linux architectures in `pnpm` so release dependency checks remain cross-platform stable.
+
+### Tests
+- Re-run the full suite with 31,275 passing tests and 5 skipped tests.
+
+
+## [4.1.3] - 2026-05-21
+
+### Bug Fixes
+- Make the TypeScript file watcher fallback portable across operating systems by avoiding non-portable recursive `fs.watch` mode.
+- Keep the native-core fallback path non-fatal when a platform-specific binary is unavailable.
+
+### Tests
+- Add coverage to prevent reintroducing recursive watcher mode in the portable fallback.
+
+
 ## [4.1.2] - 2026-05-21
 
 ### Bug Fixes

package/dist/engine/code-scanner/layer-scanner.js

@@ -1,7 +1,7 @@
 // src/engine/code-scanner/layer-scanner.ts — Scans the 4 implementation layers (SPEC-441)
-import { readdir, readFile, stat } from 'node:fs/promises';
-import { join, relative, extname, basename } from 'node:path';
-import { isNativeActive, fastFindFilesByExt, fastFindPatterns } from '../core-bridge.js';
+import { readFile, stat } from 'node:fs/promises';
+import { join, relative, basename } from 'node:path';
+import { fastFindFilesByExt, fastReadFiles } from '../core-bridge.js';
 /**
  * Scan a project directory for evidence of spec implementation across 4 layers.
  */
@@ -11,29 +11,18 @@ export async function scanLayers(projectPath, keywords, symbolVariants) {
     const [srcExists, testsExists] = await Promise.all([dirExists(srcDir), dirExists(testsDir)]);
     let srcFiles = [];
     let testFiles = [];
-    if (isNativeActive()) {
-        if (srcExists) {
-            srcFiles = fastFindFilesByExt(srcDir, ['ts', 'js', 'tsx', 'jsx']) ?? [];
-            // Filter out .d.ts natively mapped
-            srcFiles = srcFiles.filter((f) => !f.endsWith('.d.ts'));
-        }
-        if (testsExists) {
-            testFiles = fastFindFilesByExt(testsDir, ['ts', 'js', 'tsx', 'jsx']) ?? [];
-            testFiles = testFiles.filter((f) => !f.endsWith('.d.ts'));
-        }
+    if (srcExists) {
+        srcFiles = fastFindFilesByExt(srcDir, ['ts', 'js', 'tsx', 'jsx']).filter((f) => !f.endsWith('.d.ts'));
     }
-    else {
-        [srcFiles, testFiles] = await Promise.all([
-            srcExists ? collectTsFiles(srcDir) : Promise.resolve([]),
-            testsExists ? collectTsFiles(testsDir) : Promise.resolve([]),
-        ]);
+    if (testsExists) {
+        testFiles = fastFindFilesByExt(testsDir, ['ts', 'js', 'tsx', 'jsx']).filter((f) => !f.endsWith('.d.ts'));
     }
     // Layer 1: files whose names match keywords
     const matchedFiles = srcFiles.filter((f) => keywords.some((kw) => basename(f).toLowerCase().includes(kw)));
     // Layer 2: exported symbols in matched files (and register/index files)
     const registerFiles = srcFiles.filter((f) => /register.*\.ts$|index\.ts$/.test(f));
     const filesToScanForSymbols = [...new Set([...matchedFiles, ...registerFiles])];
-    const symbols = await findSymbols(filesToScanForSymbols, symbolVariants, projectPath);
+    const symbols = findSymbols(filesToScanForSymbols, symbolVariants);
     // Layer 3: test files matching keywords
     const matchedTests = testFiles.filter((f) => keywords.some((kw) => basename(f).toLowerCase().includes(kw)));
     // Layer 4: registrations in license-plans.json and register-*.ts files
@@ -48,78 +37,22 @@ export async function scanLayers(projectPath, keywords, symbolVariants) {
 // ---------------------------------------------------------------------------
 // Internal helpers
 // ---------------------------------------------------------------------------
-async function collectTsFiles(dir) {
-    const results = [];
-    try {
-        await walkDir(dir, results);
-    }
-    catch {
-        // Directory not accessible — return empty
-    }
-    return results;
-}
-async function walkDir(dir, out) {
-    let entries;
-    try {
-        entries = await readdir(dir);
-    }
-    catch {
-        return;
-    }
-    await Promise.all(entries.map(async (entry) => {
-        const full = join(dir, entry);
-        try {
-            const s = await stat(full);
-            if (s.isDirectory()) {
-                await walkDir(full, out);
-            }
-            else if (extname(entry) === '.ts' && !entry.endsWith('.d.ts')) {
-                out.push(full);
-            }
-        }
-        catch {
-            // skip
-        }
-    }));
-}
-async function findSymbols(files, variants, projectPath) {
+function findSymbols(files, variants) {
     const found = new Set();
-    if (isNativeActive() && files.length > 0) {
-        const EXPORT_RE = '^export\\s+(?:async\\s+)?(?:function|class|const|type|interface)\\s+(\\w+)';
-        const matches = fastFindPatterns(projectPath, [EXPORT_RE], [], []);
-        if (matches) {
-            const allowedPaths = new Set(files);
-            for (const m of matches) {
-                if (allowedPaths.has(m.path)) {
-                    // Rust fastFindPatterns returns the whole matched string.
-                    // Extract the group 1 (symbol name)
-                    const execMatch = new RegExp(EXPORT_RE).exec(m.content);
-                    const name = execMatch?.[1] ?? '';
-                    if (variants.some((v) => name.toLowerCase().includes(v.toLowerCase()))) {
-                        found.add(name);
-                    }
+    if (files.length > 0) {
+        const EXPORT_RE = /^export\s+(?:async\s+)?(?:function|class|const|type|interface)\s+(\w+)/gm;
+        for (const file of fastReadFiles(files)) {
+            let match;
+            while ((match = EXPORT_RE.exec(file.content)) !== null) {
+                const name = match[1] ?? '';
+                if (variants.some((v) => name.toLowerCase().includes(v.toLowerCase()))) {
+                    found.add(name);
                 }
             }
-            return [...found];
+            EXPORT_RE.lastIndex = 0;
         }
+        return [...found];
     }
-    const EXPORT_RE_NODE = /^export\s+(?:async\s+)?(?:function|class|const|type|interface)\s+(\w+)/gm;
-    await Promise.all(files.map(async (f) => {
-        let content;
-        try {
-            content = await readFile(f, 'utf8');
-        }
-        catch {
-            return;
-        }
-        let match;
-        while ((match = EXPORT_RE_NODE.exec(content)) !== null) {
-            const name = match[1] ?? '';
-            if (variants.some((v) => name.toLowerCase().includes(v.toLowerCase()))) {
-                found.add(name);
-            }
-        }
-    }));
     return [...found];
 }
 async function findRegistrations(projectPath, srcFiles, keywords) {
@@ -141,40 +74,20 @@ async function findRegistrations(projectPath, srcFiles, keywords) {
     }
     // Check register-*.ts files for registerTool calls matching keywords
     const registerFiles = srcFiles.filter((f) => /register.*\.ts$/.test(f));
-    if (isNativeActive() && registerFiles.length > 0) {
-        const REGISTER_RE = 'registerTool\\s*\\(\\s*[\'"]([^\'"]+)[\'"]';
-        const matches = fastFindPatterns(projectPath, [REGISTER_RE], [], []);
-        if (matches) {
-            const allowedPaths = new Set(registerFiles);
-            for (const m of matches) {
-                if (allowedPaths.has(m.path)) {
-                    const execMatch = new RegExp(REGISTER_RE).exec(m.content);
-                    const toolName = execMatch?.[1] ?? '';
-                    if (keywords.some((kw) => toolName.includes(kw))) {
-                        found.add(`registered:${toolName}`);
-                    }
+    if (registerFiles.length > 0) {
+        const REGISTER_RE = /registerTool\s*\(\s*['"]([^'"]+)['"]/g;
+        for (const file of fastReadFiles(registerFiles)) {
+            let match;
+            while ((match = REGISTER_RE.exec(file.content)) !== null) {
+                const toolName = match[1] ?? '';
+                if (keywords.some((kw) => toolName.includes(kw))) {
+                    found.add(`registered:${toolName}`);
                 }
             }
-            return [...found];
+            REGISTER_RE.lastIndex = 0;
         }
+        return [...found];
     }
-    const REGISTER_RE_NODE = /registerTool\s*\(\s*['"]([^'"]+)['"]/g;
-    await Promise.all(registerFiles.map(async (f) => {
-        let content;
-        try {
-            content = await readFile(f, 'utf8');
-        }
-        catch {
-            return;
-        }
-        let match;
-        while ((match = REGISTER_RE_NODE.exec(content)) !== null) {
-            const toolName = match[1] ?? '';
-            if (keywords.some((kw) => toolName.includes(kw))) {
-                found.add(`registered:${toolName}`);
-            }
-        }
-    }));
     return [...found];
 }
 async function dirExists(p) {

package/dist/engine/core-bridge.d.ts

@@ -12,12 +12,12 @@ export declare function fastScanAndHashFiles(rootPath: string): FileHash[];
 export declare function fastScanProjectMetadata(rootPath: string): FileMetadata[];
 export declare function fastScanSpecAnnotations(rootPath: string): SpecAnnotation[];
 export declare function fastCheckAcCoverage(filePaths: string[], keywords: string[]): string[];
-export declare function fastDetectDriftParallel(rootPath: string, keywords: string[]): DriftResult | null;
-export declare function fastFindDuplicateBlocks(paths: string[], minLines: number): DuplicateRawBlockRs[] | null;
-export declare function fastFindPatterns(rootPath: string, patterns: string[], extensions?: string[], exclude?: string[]): FastGrepMatch[] | null;
-export declare function fastFindFilesByName(rootPath: string, names: string[]): string[] | null;
-export declare function fastFindFilesByExt(rootPath: string, extensions: string[]): string[] | null;
-export declare function fastReadFiles(paths: string[]): FileContent[] | null;
+export declare function fastDetectDriftParallel(rootPath: string, keywords: string[]): DriftResult;
+export declare function fastFindDuplicateBlocks(paths: string[], minLines: number): DuplicateRawBlockRs[];
+export declare function fastFindPatterns(rootPath: string, patterns: string[], extensions?: string[], exclude?: string[]): FastGrepMatch[];
+export declare function fastFindFilesByName(rootPath: string, names: string[]): string[];
+export declare function fastFindFilesByExt(rootPath: string, extensions: string[]): string[];
+export declare function fastReadFiles(paths: string[]): FileContent[];
 export declare function fastScanSpecs(rootPath: string): SpecBriefRs[] | null;
 export declare function fastVerifyGapsChain(filePath: string): GapsLogChainResultRs;
 export declare function fastAppendGapEntry(filePath: string, id: string, timestamp: string, specId: string, description: string, severity: string, affectedSpecs: string[]): string;

package/dist/engine/core-bridge.js

@@ -180,6 +180,7 @@ const getNative = () => process.env.DISABLE_NATIVE_CORE === '1' ? null : nativeM
 const PROJECT_ID_RE = /^[a-f0-9]{16,64}$/;
 const SPEC_ANNOTATION_RE = /@spec\s+(SPEC-\d+)(?:\s+AC:([\d,]+))?(?:\s+(.*))?/;
 const SCANNABLE_EXTS = new Set(['.ts', '.js', '.tsx', '.jsx', '.rs', '.py', '.go']);
+const MAX_TS_WATCHERS = 128;
 const IGNORED_DIRS = new Set([
     'node_modules',
     '.git',
@@ -671,11 +672,41 @@ export function startNativeWatcher(rootPath, callback) {
         n.startProjectWatcher(rootPath, callback);
         return;
     }
-    // TS fallback: chokidar would be heavy; use fs.watch lazily.
+    // TS fallback: watch each existing directory. Node's `recursive: true` is not
+    // portable across all OS/libc combinations, and unsupported platforms must not
+    // crash the MCP server when the native watcher is unavailable.
     const fs = nodeFs;
-    fs.watch(rootPath, { recursive: true }, (event, filename) => {
-        callback(null, `${event}:${filename ?? ''}`);
-    });
+    let watcherCount = 0;
+    const watchDir = (absDir, relDir) => {
+        if (watcherCount >= MAX_TS_WATCHERS) {
+            return;
+        }
+        const watcher = fs.watch(absDir, {}, (event, filename) => {
+            callback(null, `${event}:${join(relDir, filename?.toString() ?? '')}`);
+        });
+        watcherCount++;
+        watcher.on('error', (err) => {
+            callback(err, '');
+        });
+    };
+    const walkDirs = (absDir, relDir) => {
+        watchDir(absDir, relDir);
+        let entries;
+        try {
+            entries = readdirSync(absDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (!entry.isDirectory() || IGNORED_DIRS.has(entry.name)) {
+                continue;
+            }
+            const childRel = join(relDir, entry.name);
+            walkDirs(join(absDir, entry.name), childRel);
+        }
+    };
+    walkDirs(rootPath, '');
 }
 export const isNativeActive = () => nativeModule !== null && process.env.DISABLE_NATIVE_CORE !== '1';
 export const nativeLoadDiagnostic = () => loadDiagnostic;

package/dist/engine/crash-shield/index.js

@@ -7,7 +7,7 @@ import { goDetector } from './detectors/go-detector.js';
 import { rustDetector } from './detectors/rust-detector.js';
 import { javaDetector } from './detectors/java-detector.js';
 import { frameworkDetector } from './detectors/framework-detector.js';
-import { isNativeActive, fastReadFiles } from '../core-bridge.js';
+import { fastReadFiles } from '../core-bridge.js';
 export { fixCrashRisks } from './auto-fixer/index.js';
 const ALL_DETECTORS = [
     typescriptDetector,
@@ -17,7 +17,6 @@ const ALL_DETECTORS = [
     javaDetector,
     frameworkDetector,
 ];
-const FILE_SCAN_TIMEOUT_MS = 1000;
 /**
  * Scans a project for crash risks and returns a SafetyReport.
  * @param projectPath - absolute path to the project root
@@ -39,80 +38,44 @@ export async function scanCrashRisks(projectPath, stackHint) {
 }
 async function scanFiles(files, detectedStack) {
     const applicableDetectors = selectDetectors(detectedStack);
-    if (isNativeActive()) {
-        const fileContents = fastReadFiles(files);
-        if (fileContents) {
-            const results = fileContents.map(({ path, content }) => {
-                const fileDetectors = applicableDetectors.filter((d) => d.fileExtensions.some((ext) => path.endsWith(ext)));
-                const risks = [];
-                for (const detector of fileDetectors) {
-                    try {
-                        const found = detector.detect(path, content);
-                        risks.push(...found);
-                    }
-                    catch {
-                        // Detector error: skip silently
-                    }
-                }
-                return risks;
-            });
-            return results.flat();
+    const fileContents = fastReadFiles(files);
+    const seen = new Set(fileContents.map((file) => file.path));
+    const results = fileContents.map(({ path, content }) => detectRisksInContent(path, content, applicableDetectors));
+    const unreadByBridge = files.filter((file) => !seen.has(file));
+    const fallbackResults = await Promise.all(unreadByBridge.map(async (file) => {
+        try {
+            const content = await readFile(file, 'utf-8');
+            return detectRisksInContent(file, content, applicableDetectors);
         }
-    }
-    const results = await Promise.all(files.map((file) => scanSingleFile(file, applicableDetectors)));
-    return results.flat();
-}
-function selectDetectors(detectedStack) {
-    if (detectedStack.length === 0) {
-        return ALL_DETECTORS;
-    }
-    return ALL_DETECTORS.filter((detector) => {
-        if (detector.language === 'multi') {
-            return true;
+        catch {
+            return [];
         }
-        return detectedStack.includes(detector.language);
-    });
+    }));
+    return [...results, ...fallbackResults].flat();
 }
-async function scanSingleFile(file, detectors) {
-    const applicableDetectors = detectors.filter((d) => d.fileExtensions.some((ext) => file.endsWith(ext)));
-    if (applicableDetectors.length === 0) {
-        return [];
-    }
-    let content;
-    try {
-        content = await withTimeout(readFile(file, 'utf-8'), FILE_SCAN_TIMEOUT_MS, file);
-    }
-    catch {
-        return [];
-    }
+function detectRisksInContent(path, content, applicableDetectors) {
+    const fileDetectors = applicableDetectors.filter((d) => d.fileExtensions.some((ext) => path.endsWith(ext)));
     const risks = [];
-    for (const detector of applicableDetectors) {
+    for (const detector of fileDetectors) {
         try {
-            const found = detector.detect(file, content);
+            const found = detector.detect(path, content);
             risks.push(...found);
         }
         catch {
-            /* c8 ignore next */
             // Detector error: skip silently
         }
     }
     return risks;
 }
-async function withTimeout(promise, ms, file) {
-    return new Promise((resolve, reject) => {
-        /* c8 ignore next 3 */
-        const timer = setTimeout(() => {
-            reject(new Error(`Scan timeout for file: ${file}`));
-        }, ms);
-        promise.then((value) => {
-            clearTimeout(timer);
-            resolve(value);
-        }, 
-        /* c8 ignore next 4 */
-        (err) => {
-            clearTimeout(timer);
-            reject(err instanceof Error ? err : new Error(String(err)));
-        });
+function selectDetectors(detectedStack) {
+    if (detectedStack.length === 0) {
+        return ALL_DETECTORS;
+    }
+    return ALL_DETECTORS.filter((detector) => {
+        if (detector.language === 'multi') {
+            return true;
+        }
+        return detectedStack.includes(detector.language);
     });
 }
 //# sourceMappingURL=index.js.map

package/dist/engine/detect-duplication.js

@@ -10,24 +10,6 @@ const LANGUAGE_EXTENSIONS = {
     typescript: ['.ts', '.tsx'],
     javascript: ['.js', '.jsx', '.mjs', '.cjs'],
 };
-/**
- * Normalize a single line: remove inline comments, trim, lowercase.
- */
-function normalizeLine(line) {
-    let trimmed = line;
-    // Remove single-line comments (but not URLs like http://)
-    const commentIdx = trimmed.indexOf('//');
-    if (commentIdx >= 0) {
-        trimmed = trimmed.slice(0, commentIdx);
-    }
-    return trimmed.trim().toLowerCase();
-}
-/**
- * Remove multi-line comment blocks from source text.
- */
-function stripMultilineComments(text) {
-    return text.replace(/\/\*[\s\S]*?\*\//g, '');
-}
 /**
  * Build glob patterns for the requested languages.
  */
@@ -46,6 +28,24 @@ function buildIgnorePatterns(userExclude) {
     const user = userExclude ?? [];
     return [...DEFAULT_EXCLUDE, ...user];
 }
+/**
+ * Normalize a single line: remove inline comments, trim, lowercase.
+ */
+function normalizeLine(line) {
+    let trimmed = line;
+    // Remove single-line comments (but not URLs like http://)
+    const commentIdx = trimmed.indexOf('//');
+    if (commentIdx >= 0) {
+        trimmed = trimmed.slice(0, commentIdx);
+    }
+    return trimmed.trim().toLowerCase();
+}
+/**
+ * Remove multi-line comment blocks from source text.
+ */
+function stripMultilineComments(text) {
+    return text.replace(/\/\*[\s\S]*?\*\//g, '');
+}
 /**
  * Hash an array of normalized lines using SHA-256 (first 16 chars for speed).
  */
@@ -153,7 +153,47 @@ function buildSuggestion(cluster) {
     }
     return `Extract ${String(lineCount)} lines from ${first.path}:${String(first.startLine)} and ${second.path}:${String(second.startLine)} into shared utility`;
 }
-import { isNativeActive, fastFindDuplicateBlocks } from './core-bridge.js';
+import { fastFindDuplicateBlocks } from './core-bridge.js';
+async function detectDuplicateBlocksFallback(uniqueFiles, minLines) {
+    const hashMap = new Map();
+    for (const filePath of uniqueFiles) {
+        let content;
+        try {
+            content = await readFile(filePath, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        content = stripMultilineComments(content);
+        const rawLines = content.split('\n');
+        const blocks = extractBlocks(filePath, rawLines, minLines);
+        for (const block of blocks) {
+            const h = hashLines(block.lines);
+            const existing = hashMap.get(h) ?? [];
+            existing.push(block);
+            hashMap.set(h, existing);
+        }
+    }
+    const rawClusters = [];
+    for (const [h, locations] of hashMap.entries()) {
+        if (locations.length >= 2) {
+            rawClusters.push({ hash: h, locations });
+        }
+    }
+    return rawClusters;
+}
+function isDuplicateRawBlockArray(value) {
+    if (!Array.isArray(value)) {
+        return false;
+    }
+    return value.every((item) => {
+        if (typeof item !== 'object' || item === null) {
+            return false;
+        }
+        const candidate = item;
+        return typeof candidate.hash === 'string' && Array.isArray(candidate.locations);
+    });
+}
 /**
  * Detect code duplication across project files.
  */
@@ -173,40 +213,10 @@ export async function detectDuplication(input) {
     }
     // Deduplicate file list
     const uniqueFiles = [...new Set(allFiles)];
-    let rawClusters = [];
-    if (isNativeActive()) {
-        const nativeBlocks = fastFindDuplicateBlocks(uniqueFiles, minLines);
-        if (nativeBlocks) {
-            rawClusters = nativeBlocks;
-        }
-    }
-    else {
-        const hashMap = new Map();
-        for (const filePath of uniqueFiles) {
-            let content;
-            try {
-                content = await readFile(filePath, 'utf-8');
-            }
-            catch {
-                continue;
-            }
-            content = stripMultilineComments(content);
-            const rawLines = content.split('\n');
-            const blocks = extractBlocks(filePath, rawLines, minLines);
-            for (const block of blocks) {
-                const h = hashLines(block.lines);
-                const existing = hashMap.get(h) ?? [];
-                existing.push(block);
-                hashMap.set(h, existing);
-            }
-        }
-        // Find collisions (same hash, different files or different locations)
-        for (const [h, locations] of hashMap.entries()) {
-            if (locations.length >= 2) {
-                rawClusters.push({ hash: h, locations });
-            }
-        }
-    }
+    const bridgeResult = fastFindDuplicateBlocks(uniqueFiles, minLines);
+    const rawClusters = isDuplicateRawBlockArray(bridgeResult)
+        ? bridgeResult
+        : await detectDuplicateBlocksFallback(uniqueFiles, minLines);
     // Group locations into clusters, merging per-file overlaps
     const clusters = [];
     let clusterId = 0;

package/dist/engine/drift-monitor.js

@@ -281,7 +281,7 @@ async function computeAcCoverageScore(criteria, filePaths) {
         }
         const rootPath = path.dirname(firstFile); // Use first file's dir as heuristic
         const result = fastDetectDriftParallel(rootPath, [...allTerms]);
-        foundTerms = new Set(result?.foundKeywords ?? []);
+        foundTerms = new Set(result.foundKeywords);
     }
     else {
         // Fallback: Read all implementation files once

package/dist/engine/hooks/file-watcher.d.ts

@@ -18,9 +18,11 @@ export declare function matchesGlobPattern(filePath: string, pattern: string): b
 export declare function matchesPatterns(filePath: string, include?: string[], exclude?: string[]): boolean;
 export declare class FileWatcher extends EventEmitter {
     private watcher;
+    private readonly watchers;
     private readonly rootDir;
     private readonly include;
     private readonly exclude;
+    private readonly maxWatchers;
     /** Track known files to distinguish create vs modify */
     private readonly knownFiles;
     private closed;
@@ -42,6 +44,10 @@ export declare class FileWatcher extends EventEmitter {
      * Graceful shutdown: release all handles.
      */
     close(): void;
+    private startTypeScriptWatcher;
+    private watchDirectory;
+    private watchSubdirectories;
+    private emitWatcherError;
     private handleFsEvent;
     private determineEventType;
 }

package/dist/engine/hooks/file-watcher.js

@@ -1,6 +1,6 @@
 // engine/hooks/file-watcher.ts — File system watcher with normalized events (SPEC-129)
 import { EventEmitter } from 'node:events';
-import { watch } from 'node:fs';
+import { readdirSync, watch } from 'node:fs';
 import { stat } from 'node:fs/promises';
 import { normalize, join } from 'node:path';
 // ---------------------------------------------------------------------------
@@ -73,15 +73,22 @@ export function matchesPatterns(filePath, include, exclude) {
 // Default excludes
 // ---------------------------------------------------------------------------
 const DEFAULT_EXCLUDES = ['data/**', 'node_modules/**', '.git/**'];
+const DEFAULT_MAX_TS_WATCHERS = 128;
+function maxTypeScriptWatchers() {
+    const raw = Number(process.env.PLANU_MAX_TS_WATCHERS ?? DEFAULT_MAX_TS_WATCHERS);
+    return Number.isFinite(raw) && raw > 0 ? Math.floor(raw) : DEFAULT_MAX_TS_WATCHERS;
+}
 // ---------------------------------------------------------------------------
 // FileWatcher
 // ---------------------------------------------------------------------------
 import { isNativeActive, startNativeWatcher } from '../core-bridge.js';
 export class FileWatcher extends EventEmitter {
     watcher = null;
+    watchers = new Set();
     rootDir;
     include;
     exclude;
+    maxWatchers = maxTypeScriptWatchers();
     /** Track known files to distinguish create vs modify */
     knownFiles = new Set();
     closed = false;
@@ -112,21 +119,11 @@ export class FileWatcher extends EventEmitter {
                 });
             }
             else {
-                this.watcher = watch(this.rootDir, { recursive: true }, (_eventType, filename) => {
-                    if (!filename || this.closed) {
-                        return;
-                    }
-                    // Normalize path separator
-                    const relPath = filename.replace(/\\/g, '/');
-                    void this.handleFsEvent(relPath);
-                });
-                this.watcher.on('error', (err) => {
-                    this.emit('error', err);
-                });
+                this.startTypeScriptWatcher();
             }
         }
         catch (err) {
-            this.emit('error', err);
+            this.emitWatcherError(err);
         }
     }
     /**
@@ -148,15 +145,71 @@ export class FileWatcher extends EventEmitter {
      */
     close() {
         this.closed = true;
-        if (this.watcher) {
-            this.watcher.close();
-            this.watcher = null;
+        for (const watcher of this.watchers) {
+            watcher.close();
         }
+        this.watchers.clear();
+        this.watcher = null;
         this.removeAllListeners();
     }
     // ---------------------------------------------------------------------------
     // Private
     // ---------------------------------------------------------------------------
+    startTypeScriptWatcher() {
+        this.watchDirectory(this.rootDir, '');
+        this.watchSubdirectories(this.rootDir, '');
+    }
+    watchDirectory(absDir, relDir) {
+        const watcher = watch(absDir, {}, (_eventType, filename) => {
+            if (!filename || this.closed) {
+                return;
+            }
+            const relPath = join(relDir, filename).replace(/\\/g, '/');
+            void this.handleFsEvent(relPath);
+        });
+        watcher.on('error', (err) => {
+            this.emitWatcherError(err);
+        });
+        this.watchers.add(watcher);
+        this.watcher ??= watcher;
+    }
+    watchSubdirectories(absDir, relDir) {
+        if (this.watchers.size >= this.maxWatchers) {
+            return;
+        }
+        let entries;
+        try {
+            entries = readdirSync(absDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (!entry.isDirectory()) {
+                continue;
+            }
+            const childRel = join(relDir, entry.name).replace(/\\/g, '/');
+            if (this.exclude.some((p) => matchesGlobPattern(childRel, p))) {
+                continue;
+            }
+            const childAbs = join(absDir, entry.name);
+            try {
+                this.watchDirectory(childAbs, childRel);
+            }
+            catch {
+                continue;
+            }
+            if (this.watchers.size >= this.maxWatchers) {
+                return;
+            }
+            this.watchSubdirectories(childAbs, childRel);
+        }
+    }
+    emitWatcherError(err) {
+        if (this.listenerCount('error') > 0) {
+            this.emit('error', err);
+        }
+    }
     async handleFsEvent(relPath) {
         try {
             // Check exclude patterns first

package/dist/engine/reviewer-tokens/signer.js

@@ -1,8 +1,8 @@
 // engine/reviewer-tokens/signer.ts — HMAC-SHA256 sign/verify for reviewer tokens (SPEC-722)
-import { createHmac, randomBytes } from 'node:crypto';
+import { randomBytes } from 'node:crypto';
 import { readFile, writeFile, mkdir, appendFile } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
-import { isNativeActive, fastHmacSign, fastHmacVerify } from '../core-bridge.js';
+import { fastHmacSign, fastHmacVerify } from '../core-bridge.js';
 const SECRET_FILENAME = '.planu-secret';
 const GITIGNORE_ENTRY = '.planu-secret\n';
 let cachedSecret = null;
@@ -55,29 +55,11 @@ export function canonicalJson(obj) {
 }
 /** Compute HMAC-SHA256 over `data` using `secret`. Returns hex digest. */
 export function hmacSign(secret, data) {
-    if (isNativeActive()) {
-        const sig = fastHmacSign(secret, data);
-        if (sig) {
-            return sig;
-        }
-    }
-    return createHmac('sha256', secret).update(data).digest('hex');
+    return fastHmacSign(secret, data);
 }
 /** Verify a previously computed HMAC-SHA256 signature. Constant-time compare via crypto. */
 export function hmacVerify(secret, data, signature) {
-    if (isNativeActive()) {
-        return fastHmacVerify(secret, data, signature);
-    }
-    const expected = hmacSign(secret, data);
-    // Constant-time comparison to prevent timing attacks.
-    if (expected.length !== signature.length) {
-        return false;
-    }
-    let mismatch = 0;
-    for (let i = 0; i < expected.length; i++) {
-        mismatch |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
-    }
-    return mismatch === 0;
+    return fastHmacVerify(secret, data, signature);
 }
 /** Reset cached secret (test helper only — not exported from index). */
 export function _resetSecretCache() {

package/dist/engine/scan-project/module-discoverer.js

@@ -212,16 +212,14 @@ async function detectMonorepo(projectPath) {
     if (isNativeActive()) {
         // Rust: optimized directory resolution for monorepo patterns
         const pkgJsonPaths = fastFindFilesByName(projectPath, ['package.json']);
-        if (pkgJsonPaths) {
-            // Filter directories that match the workspace globs (simplified heuristic)
-            const dirs = pkgJsonPaths
-                .map((p) => dirname(p))
-                .map((p) => relative(projectPath, p))
-                .filter((rel) => rel !== '' && !isIgnored(rel.split('/')[0] ?? ''));
-            // In a real implementation we would match against workspaceGlobs exactly,
-            // but for speed we take all dirs with package.json that aren't ignored.
-            resolved.push(...dirs);
-        }
+        // Filter directories that match the workspace globs (simplified heuristic).
+        const dirs = pkgJsonPaths
+            .map((p) => dirname(p))
+            .map((p) => relative(projectPath, p))
+            .filter((rel) => rel !== '' && !isIgnored(rel.split('/')[0] ?? ''));
+        // In a real implementation we would match against workspaceGlobs exactly,
+        // but for speed we take all dirs with package.json that aren't ignored.
+        resolved.push(...dirs);
     }
     if (resolved.length === 0) {
         for (const pattern of workspaceGlobs) {
@@ -258,7 +256,7 @@ async function detectMonorepo(projectPath) {
 async function detectPackageBased(projectPath) {
     if (isNativeActive()) {
         const manifests = fastFindFilesByName(projectPath, PACKAGE_MANIFESTS);
-        if (manifests && manifests.length > 0) {
+        if (manifests.length > 0) {
             const modules = [];
             const seen = new Set();
             for (const m of manifests) {

package/dist/engine/validator/analyzer.js

@@ -7,7 +7,7 @@ import { glob } from 'glob';
 import { z } from 'zod';
 const BROAD_SCAN_IGNORE = ['node_modules/**', 'dist/**', 'build/**', '.git/**'];
 const BROAD_SCAN_MAX = 300;
-import { isNativeActive, fastReadFiles } from '../core-bridge.js';
+import { fastReadFiles } from '../core-bridge.js';
 /**
  * Build a file-contents cache for a broader search across the project.
  * Caps at BROAD_SCAN_MAX files to bound I/O on large repos.
@@ -21,18 +21,21 @@ async function buildBroadCache(projectPath) {
             ignore: BROAD_SCAN_IGNORE,
             maxDepth: 5,
         });
-        if (isNativeActive()) {
-            const results = fastReadFiles(files.map((f) => join(projectPath, f)));
-            if (results) {
-                for (const res of results) {
-                    cache.set(relative(projectPath, res.path), res.content);
-                }
-                return cache;
-            }
+        const cappedFiles = files.slice(0, BROAD_SCAN_MAX);
+        const absoluteFiles = cappedFiles.map((f) => join(projectPath, f));
+        const results = fastReadFiles(absoluteFiles);
+        const loaded = new Set();
+        for (const res of results) {
+            cache.set(relative(projectPath, res.path), res.content);
+            loaded.add(res.path);
         }
-        await Promise.all(files.slice(0, BROAD_SCAN_MAX).map(async (file) => {
+        await Promise.all(cappedFiles.map(async (file, index) => {
+            const absPath = absoluteFiles[index];
+            if (!absPath || loaded.has(absPath)) {
+                return;
+            }
             try {
-                const content = await readFile(join(projectPath, file), 'utf-8');
+                const content = await readFile(absPath, 'utf-8');
                 cache.set(file, content);
             }
             catch {

package/dist/engine/validator/deep-code-checker.js

@@ -115,12 +115,13 @@ async function resolveFiles(scopeGlob, projectPath, exclude) {
         return [];
     }
 }
+// ─── Checkers ─────────────────────────────────────────────────────────────────
+import { isNativeActive, fastFindPatterns } from '../core-bridge.js';
 function buildRegex(pattern) {
     try {
         return new RegExp(pattern, 'g');
     }
     catch {
-        // If pattern is not a valid regex, escape it
         try {
             const escaped = RegExp.escape(pattern);
             return new RegExp(escaped, 'g');
@@ -130,8 +131,6 @@ function buildRegex(pattern) {
         }
     }
 }
-// ─── Checkers ─────────────────────────────────────────────────────────────────
-import { isNativeActive, fastFindPatterns } from '../core-bridge.js';
 /**
  * Search for a regex pattern in files matching the scope glob.
  * For grep_absent: passed when matchCount === 0.
@@ -140,11 +139,8 @@ import { isNativeActive, fastFindPatterns } from '../core-bridge.js';
 export async function grepCheck(config, projectPath, checkType) {
     const evidence = [];
     if (isNativeActive()) {
-        // Rust: optimized parallel search
         const results = fastFindPatterns(projectPath, [config.pattern], [], config.exclude ? [config.exclude] : []);
-        if (results) {
-            evidence.push(...results.map((r) => `${relative(projectPath, r.path)}:${r.line}`));
-        }
+        evidence.push(...results.map((r) => `${relative(projectPath, r.path)}:${r.line}`));
     }
     else {
         const files = await resolveFiles(config.scope, projectPath, config.exclude);
@@ -159,7 +155,7 @@ export async function grepCheck(config, projectPath, checkType) {
                         const line = lines[i];
                         if (line !== undefined && regex.test(line)) {
                             evidence.push(`${file}:${i + 1}`);
-                            regex.lastIndex = 0; // reset for global flag
+                            regex.lastIndex = 0;
                         }
                     }
                 }

package/dist/storage/base-store.js

@@ -3,9 +3,8 @@
 import { readFile, mkdir } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
-import { createHash } from 'node:crypto';
 import { writeJsonSafe } from '../engine/safety/atomic-writer.js';
-import { fastHashProjectPath, isNativeActive } from '../engine/core-bridge.js';
+import { fastHashProjectPath } from '../engine/core-bridge.js';
 /**
  * Runtime-safe JSON.parse with typed fallback.
  *
@@ -37,10 +36,7 @@ export function safeJsonParse(raw, fallback) {
  * Hash a project path into a deterministic projectId using SHA-256.
  */
 export function hashProjectPath(projectPath) {
-    if (isNativeActive()) {
-        return fastHashProjectPath(projectPath);
-    }
-    return createHash('sha256').update(projectPath).digest('hex').slice(0, 16);
+    return fastHashProjectPath(projectPath).slice(0, 16);
 }
 /**
  * Ensure the parent directory for a file path exists.

package/dist/storage/gaps-log.js

@@ -7,7 +7,7 @@
 import { createHash, randomUUID } from 'node:crypto';
 import { appendFile, readFile, mkdir } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
-import { isNativeActive, fastAppendGapEntry, fastVerifyGapsChain } from '../engine/core-bridge.js';
+import { fastAppendGapEntry, fastVerifyGapsChain } from '../engine/core-bridge.js';
 import { projectDataDir } from './base-store.js';
 // ---------------------------------------------------------------------------
 // Path helper
@@ -53,26 +53,22 @@ async function doAppend(filePath, input) {
     const affectedSpecs = input.affectedSpecs && input.affectedSpecs.length > 0 ? input.affectedSpecs : [input.specId];
     const id = randomUUID();
     const timestamp = new Date().toISOString();
-    if (isNativeActive()) {
-        const sha = fastAppendGapEntry(filePath, id, timestamp, input.specId, input.description, severity, affectedSpecs);
-        if (sha) {
-            // We don't have the prevSha readily available here without re-reading,
-            // but the GapEntry returned is primarily for the tool response.
-            // If needed we can read the file tail in TS too.
-            return {
-                id,
-                timestamp,
-                specId: input.specId,
-                description: input.description,
-                severity,
-                affectedSpecs,
-                prevSha: '', // not needed for response
-                sha,
-            };
-        }
+    const bridgeSha = fastAppendGapEntry(filePath, id, timestamp, input.specId, input.description, severity, affectedSpecs);
+    if (typeof bridgeSha === 'string' && bridgeSha.length > 0) {
+        // The append path owns prevSha lookup internally. The response only needs
+        // the persisted entry identity and final sha.
+        return {
+            id,
+            timestamp,
+            specId: input.specId,
+            description: input.description,
+            severity,
+            affectedSpecs,
+            prevSha: '',
+            sha: bridgeSha,
+        };
     }
     await mkdir(dirname(filePath), { recursive: true });
-    // Read last entry's sha to chain
     const lines = await readJsonlLines(filePath);
     let prevSha = '';
     if (lines.length > 0) {
@@ -138,16 +134,22 @@ export async function readGapsLog(projectId) {
  * Verify the hash chain of the gaps log for a given project.
  * Returns validation result with the index of the first broken entry (if any).
  */
-export async function verifyGapsLogChain(projectId) {
+export function verifyGapsLogChain(projectId) {
     const filePath = gapsLogPath(projectId);
-    if (isNativeActive()) {
-        const res = fastVerifyGapsChain(filePath);
-        return {
-            valid: res.valid,
-            totalEntries: res.totalEntries,
-            brokenAt: res.brokenAt,
-        };
+    const bridgeResult = fastVerifyGapsChain(filePath);
+    if (isGapsLogChainResult(bridgeResult)) {
+        return Promise.resolve({
+            valid: bridgeResult.valid,
+            totalEntries: bridgeResult.totalEntries,
+            brokenAt: bridgeResult.brokenAt,
+        });
     }
+    return verifyGapsLogChainFallback(filePath);
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+async function verifyGapsLogChainFallback(filePath) {
     const lines = await readJsonlLines(filePath);
     if (lines.length === 0) {
         return { valid: true, totalEntries: 0, brokenAt: null };
@@ -165,11 +167,9 @@ export async function verifyGapsLogChain(projectId) {
         catch {
             return { valid: false, totalEntries: lines.length, brokenAt: i };
         }
-        // Check prevSha chain
         if (entry.prevSha !== prevSha) {
             return { valid: false, totalEntries: lines.length, brokenAt: i };
         }
-        // Verify sha
         const { sha, ...rest } = entry;
         const expectedSha = computeGapEntrySha(rest);
         if (sha !== expectedSha) {
@@ -179,9 +179,15 @@ export async function verifyGapsLogChain(projectId) {
     }
     return { valid: true, totalEntries: lines.length, brokenAt: null };
 }
-// ---------------------------------------------------------------------------
-// Internal helpers
-// ---------------------------------------------------------------------------
+function isGapsLogChainResult(value) {
+    if (typeof value !== 'object' || value === null) {
+        return false;
+    }
+    const candidate = value;
+    return (typeof candidate.valid === 'boolean' &&
+        typeof candidate.totalEntries === 'number' &&
+        (typeof candidate.brokenAt === 'number' || candidate.brokenAt === null));
+}
 async function readJsonlLines(filePath) {
     let raw;
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@planu/cli",
-  "version": "4.1.2",
+  "version": "4.1.4",
   "description": "Planu — MCP Server for Spec Driven Development with native Rust acceleration for hot paths. Cross-platform (Linux/macOS/Windows, x64/arm64, glibc/musl).",
   "type": "module",
   "main": "dist/index.js",
@@ -32,12 +32,12 @@
     "packageName": "@planu/core"
   },
   "optionalDependencies": {
-    "@planu/core-darwin-arm64": "4.1.2",
-    "@planu/core-darwin-x64": "4.1.2",
-    "@planu/core-linux-arm64-gnu": "4.1.2",
-    "@planu/core-linux-arm64-musl": "4.1.2",
-    "@planu/core-linux-x64-gnu": "4.1.2",
-    "@planu/core-linux-x64-musl": "4.1.2"
+    "@planu/core-darwin-arm64": "4.1.4",
+    "@planu/core-darwin-x64": "4.1.4",
+    "@planu/core-linux-arm64-gnu": "4.1.4",
+    "@planu/core-linux-arm64-musl": "4.1.4",
+    "@planu/core-linux-x64-gnu": "4.1.4",
+    "@planu/core-linux-x64-musl": "4.1.4"
   },
   "engines": {
     "node": ">=24.0.0"
@@ -143,6 +143,20 @@
       "hono": ">=4.12.14",
       "postcss": ">=8.5.10",
       "fast-uri": ">=3.1.2"
+    },
+    "supportedArchitectures": {
+      "os": [
+        "darwin",
+        "linux"
+      ],
+      "cpu": [
+        "arm64",
+        "x64"
+      ],
+      "libc": [
+        "glibc",
+        "musl"
+      ]
     }
   },
   "devDependencies": {