@renseiai/agentfactory 0.8.17 → 0.8.19

package/dist/src/orchestrator/orchestrator.js

@@ -5,7 +5,7 @@
  */
 import { randomUUID } from 'crypto';
 import { execSync } from 'child_process';
-import { existsSync, lstatSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, symlinkSync, unlinkSync, writeFileSync } from 'fs';
+import { copyFileSync, existsSync, lstatSync, mkdirSync, readFileSync, readdirSync, readlinkSync, rmSync, statSync, symlinkSync, unlinkSync, writeFileSync } from 'fs';
 import { resolve, dirname, basename } from 'path';
 import { parse as parseDotenv } from 'dotenv';
 import { createProvider, resolveProviderName, resolveProviderWithSource, } from '../providers/index.js';
@@ -16,6 +16,7 @@ import { createSessionLogger } from './session-logger.js';
 import { ContextManager } from './context-manager.js';
 import { isSessionLoggingEnabled, getLogAnalysisConfig } from './log-config.js';
 import { parseWorkResult } from './parse-work-result.js';
+import { parseSecurityScanOutput } from './security-scan-event.js';
 import { runBackstop, formatBackstopComment } from './session-backstop.js';
 import { createActivityEmitter } from './activity-emitter.js';
 import { createApiActivityEmitter } from './api-activity-emitter.js';
@@ -26,6 +27,12 @@ import { ToolRegistry } from '../tools/index.js';
 import { createMergeQueueAdapter } from '../merge-queue/index.js';
 // Default inactivity timeout: 5 minutes
 const DEFAULT_INACTIVITY_TIMEOUT_MS = 300000;
+// Coordination inactivity timeout: 30 minutes.
+// Coordinators spawn foreground sub-agents via the Agent tool. During sub-agent
+// execution the parent event stream is silent (no tool_progress events), so the
+// standard 5-minute inactivity timeout kills coordinators prematurely. 30 minutes
+// gives sub-agents ample time to complete complex work.
+const COORDINATION_INACTIVITY_TIMEOUT_MS = 1800000;
 // Default max session timeout: unlimited (undefined)
 const DEFAULT_MAX_SESSION_TIMEOUT_MS = undefined;
 // Env vars that Claude Code interprets for authentication/routing. If these
@@ -746,6 +753,27 @@ Attempt rebase onto latest main.
 Resolve conflicts using mergiraf-enhanced git merge if available.
 Push updated branch and trigger merge via configured merge queue provider.${LINEAR_CLI_INSTRUCTION}`;
             break;
+        case 'security':
+            basePrompt = `Security scan ${identifier}.
+Run security scanning tools (SAST, dependency audit) against the codebase and output structured results.
+
+WORKFLOW:
+1. Identify the project type (Node.js, Python, etc.) by inspecting package.json, requirements.txt, etc.
+2. Run appropriate scanners (semgrep for SAST, npm-audit/pip-audit for dependencies)
+3. Parse scanner outputs and produce structured JSON summaries
+4. Output results in fenced code blocks tagged \`security-scan-result\`
+
+IMPORTANT CONSTRAINTS:
+- This is READ-ONLY scanning — do NOT make code changes, git commits, or fix vulnerabilities yourself.
+- If critical or high severity issues found, emit <!-- WORK_RESULT:failed -->.
+- If only medium/low or no issues found, emit <!-- WORK_RESULT:passed -->.
+- If a scanner is not available, skip it and note this in your output.
+
+STRUCTURED RESULT MARKER (REQUIRED):
+You MUST include a structured result marker in your final output message.
+- On pass: Include <!-- WORK_RESULT:passed --> in your final message
+- On fail: Include <!-- WORK_RESULT:failed --> in your final message${LINEAR_CLI_INSTRUCTION}`;
+            break;
     }
     // Inject workflow failure context for retries
     if (options?.failureContext) {
@@ -774,6 +802,7 @@ const WORK_TYPE_SUFFIX = {
     'qa-coordination': 'QA-COORD',
     'acceptance-coordination': 'AC-COORD',
     merge: 'MRG',
+    security: 'SEC',
 };
 /**
  * Generate a worktree identifier that includes the work type suffix
@@ -1041,6 +1070,20 @@ export class AgentOrchestrator {
                 maxSessionTimeoutMs: override?.maxSessionTimeoutMs ?? baseConfig.maxSessionTimeoutMs,
             };
         }
+        // Coordination work types spawn foreground sub-agents via the Agent tool.
+        // During sub-agent execution the parent event stream is silent (no
+        // tool_progress events flow from Agent tool execution), so the standard
+        // inactivity timeout would kill coordinators prematurely. Use a longer
+        // default unless the user has configured a per-work-type override above.
+        const isCoordination = workType === 'coordination' || workType === 'inflight-coordination'
+            || workType === 'qa-coordination' || workType === 'acceptance-coordination'
+            || workType === 'refinement-coordination';
+        if (isCoordination) {
+            return {
+                inactivityTimeoutMs: Math.max(baseConfig.inactivityTimeoutMs, COORDINATION_INACTIVITY_TIMEOUT_MS),
+                maxSessionTimeoutMs: baseConfig.maxSessionTimeoutMs,
+            };
+        }
         return baseConfig;
     }
     /**
@@ -1777,18 +1820,139 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                     this.linkNodeModulesContents(src, dest, identifier);
                 }
             }
+            // Fix 5: Also scan worktree for workspaces that exist on the branch
+            // but not in the main repo's directory listing (e.g., newly added workspaces)
+            for (const subdir of ['apps', 'packages']) {
+                const wtSubdir = resolve(worktreePath, subdir);
+                if (!existsSync(wtSubdir))
+                    continue;
+                for (const entry of readdirSync(wtSubdir)) {
+                    const src = resolve(repoRoot, subdir, entry, 'node_modules');
+                    const dest = resolve(wtSubdir, entry, 'node_modules');
+                    if (!existsSync(src))
+                        continue; // No source deps to link
+                    if (existsSync(dest))
+                        continue; // Already linked above
+                    this.linkNodeModulesContents(src, dest, identifier);
+                }
+            }
             if (skipped > 0) {
                 console.log(`[${identifier}] Dependencies linked successfully (${skipped} workspace(s) skipped — not on this branch)`);
             }
             else {
                 console.log(`[${identifier}] Dependencies linked successfully`);
             }
+            // Verify critical symlinks are intact; if not, remove and retry once
+            if (!this.verifyDependencyLinks(worktreePath, identifier)) {
+                console.warn(`[${identifier}] Dependency verification failed — removing and re-linking`);
+                this.removeWorktreeNodeModules(worktreePath);
+                const retryDest = resolve(worktreePath, 'node_modules');
+                this.linkNodeModulesContents(mainNodeModules, retryDest, identifier);
+                if (!this.verifyDependencyLinks(worktreePath, identifier)) {
+                    console.warn(`[${identifier}] Verification failed after retry — falling back to install`);
+                    this.installDependencies(worktreePath, identifier);
+                }
+            }
         }
         catch (error) {
             console.warn(`[${identifier}] Symlink failed, falling back to install:`, error instanceof Error ? error.message : String(error));
             this.installDependencies(worktreePath, identifier);
         }
     }
+    /**
+     * Verify that critical dependency symlinks are intact and resolvable.
+     * Returns true if verification passes, false if re-linking is needed.
+     */
+    verifyDependencyLinks(worktreePath, identifier) {
+        const destRoot = resolve(worktreePath, 'node_modules');
+        if (!existsSync(destRoot))
+            return false;
+        // Sentinel packages that should always be present in a Node.js project
+        const sentinels = ['typescript'];
+        // Also check for .modules.yaml (pnpm store metadata) if it exists in main
+        const repoRoot = findRepoRoot(worktreePath);
+        if (repoRoot) {
+            const pnpmMeta = resolve(repoRoot, 'node_modules', '.modules.yaml');
+            if (existsSync(pnpmMeta)) {
+                sentinels.push('.modules.yaml');
+            }
+        }
+        for (const pkg of sentinels) {
+            const pkgPath = resolve(destRoot, pkg);
+            if (!existsSync(pkgPath)) {
+                console.warn(`[${identifier}] Verification: missing ${pkg}`);
+                return false;
+            }
+            // Follow the symlink — throws if target was deleted from main repo
+            try {
+                statSync(pkgPath);
+            }
+            catch {
+                console.warn(`[${identifier}] Verification: broken symlink for ${pkg}`);
+                return false;
+            }
+        }
+        return true;
+    }
+    /**
+     * Remove all node_modules directories from a worktree (root + per-workspace).
+     */
+    removeWorktreeNodeModules(worktreePath) {
+        const destRoot = resolve(worktreePath, 'node_modules');
+        try {
+            if (existsSync(destRoot)) {
+                rmSync(destRoot, { recursive: true, force: true });
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        for (const subdir of ['apps', 'packages']) {
+            const subPath = resolve(worktreePath, subdir);
+            if (!existsSync(subPath))
+                continue;
+            try {
+                for (const entry of readdirSync(subPath)) {
+                    const nm = resolve(subPath, entry, 'node_modules');
+                    if (existsSync(nm)) {
+                        rmSync(nm, { recursive: true, force: true });
+                    }
+                }
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+        }
+    }
+    /**
+     * Create or update a symlink atomically, handling EEXIST races.
+     *
+     * If the destination already exists and points to the correct target, this is a no-op.
+     * If it points elsewhere or isn't a symlink, it's replaced.
+     */
+    safeSymlink(src, dest) {
+        try {
+            symlinkSync(src, dest);
+        }
+        catch (error) {
+            if (error.code === 'EEXIST') {
+                // Verify existing symlink points to correct target
+                try {
+                    const existing = readlinkSync(dest);
+                    if (resolve(existing) === resolve(src))
+                        return; // Already correct
+                }
+                catch {
+                    // Not a symlink or can't read — remove and retry
+                }
+                unlinkSync(dest);
+                symlinkSync(src, dest);
+            }
+            else {
+                throw error;
+            }
+        }
+    }
     /**
      * Create a real node_modules directory and symlink each entry from the source.
      *
@@ -1796,10 +1960,11 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
      * resolve through the symlink and corrupt the original), we create a real
      * directory and symlink each entry individually. If pnpm "recreates" this
      * directory, it only destroys the worktree's symlinks — not the originals.
+     *
+     * Supports incremental sync: if the destination already exists, only missing
+     * or stale entries are updated (safe for concurrent agents and phase reuse).
      */
     linkNodeModulesContents(srcNodeModules, destNodeModules, identifier) {
-        if (existsSync(destNodeModules))
-            return;
         mkdirSync(destNodeModules, { recursive: true });
         for (const entry of readdirSync(srcNodeModules)) {
             const srcEntry = resolve(srcNodeModules, entry);
@@ -1812,16 +1977,12 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                     for (const scopedEntry of readdirSync(srcEntry)) {
                         const srcScoped = resolve(srcEntry, scopedEntry);
                         const destScoped = resolve(destEntry, scopedEntry);
-                        if (!existsSync(destScoped)) {
-                            symlinkSync(srcScoped, destScoped);
-                        }
+                        this.safeSymlink(srcScoped, destScoped);
                     }
                     continue;
                 }
             }
-            if (!existsSync(destEntry)) {
-                symlinkSync(srcEntry, destEntry);
-            }
+            this.safeSymlink(srcEntry, destEntry);
         }
     }
     /**
@@ -1830,36 +1991,8 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
      */
     installDependencies(worktreePath, identifier) {
         console.log(`[${identifier}] Installing dependencies via pnpm...`);
-        // Remove any node_modules from a partial linkDependencies attempt.
-        // Handles both old format (directory-level symlink) and new format
-        // (real directory with symlinked contents).
-        const destRoot = resolve(worktreePath, 'node_modules');
-        try {
-            if (existsSync(destRoot)) {
-                rmSync(destRoot, { recursive: true, force: true });
-                console.log(`[${identifier}] Removed partial node_modules before install`);
-            }
-        }
-        catch {
-            // Ignore cleanup errors — pnpm install may still work
-        }
-        // Also remove any per-workspace node_modules that were partially created
-        for (const subdir of ['apps', 'packages']) {
-            const subPath = resolve(worktreePath, subdir);
-            if (!existsSync(subPath))
-                continue;
-            try {
-                for (const entry of readdirSync(subPath)) {
-                    const nm = resolve(subPath, entry, 'node_modules');
-                    if (existsSync(nm)) {
-                        rmSync(nm, { recursive: true, force: true });
-                    }
-                }
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-        }
+        // Remove any node_modules from a partial linkDependencies attempt
+        this.removeWorktreeNodeModules(worktreePath);
         // Set ORCHESTRATOR_INSTALL=1 to bypass the preinstall guard script
         // that blocks pnpm install in worktrees (to prevent symlink corruption).
         const installEnv = { ...process.env, ORCHESTRATOR_INSTALL: '1' };
@@ -1889,6 +2022,82 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
             }
         }
     }
+    /**
+     * Sync dependencies between worktree and main repo before linking.
+     *
+     * When a development agent adds new packages on a branch, the lockfile in the
+     * worktree diverges from the main repo. This method detects lockfile drift,
+     * updates the main repo's node_modules, then re-links into the worktree.
+     */
+    syncDependencies(worktreePath, identifier) {
+        const repoRoot = findRepoRoot(worktreePath);
+        if (!repoRoot) {
+            this.linkDependencies(worktreePath, identifier);
+            return;
+        }
+        const worktreeLock = resolve(worktreePath, 'pnpm-lock.yaml');
+        const mainLock = resolve(repoRoot, 'pnpm-lock.yaml');
+        // Detect lockfile drift: if the worktree has a lockfile that differs from main,
+        // a dev agent added/changed dependencies on the branch
+        let lockfileDrifted = false;
+        if (existsSync(worktreeLock) && existsSync(mainLock)) {
+            try {
+                const wtContent = readFileSync(worktreeLock, 'utf-8');
+                const mainContent = readFileSync(mainLock, 'utf-8');
+                lockfileDrifted = wtContent !== mainContent;
+            }
+            catch {
+                // If we can't read either file, proceed without sync
+            }
+        }
+        if (lockfileDrifted) {
+            console.log(`[${identifier}] Lockfile drift detected — syncing main repo dependencies`);
+            try {
+                // Copy the worktree's lockfile to the main repo so install picks up new deps
+                copyFileSync(worktreeLock, mainLock);
+                // Also copy any changed package.json files from worktree workspaces to main
+                for (const subdir of ['', 'apps', 'packages']) {
+                    const wtDir = subdir ? resolve(worktreePath, subdir) : worktreePath;
+                    const mainDir = subdir ? resolve(repoRoot, subdir) : repoRoot;
+                    if (subdir && !existsSync(wtDir))
+                        continue;
+                    const entries = subdir ? readdirSync(wtDir) : [''];
+                    for (const entry of entries) {
+                        const wtPkg = resolve(wtDir, entry, 'package.json');
+                        const mainPkg = resolve(mainDir, entry, 'package.json');
+                        if (!existsSync(wtPkg))
+                            continue;
+                        try {
+                            const wtPkgContent = readFileSync(wtPkg, 'utf-8');
+                            const mainPkgContent = existsSync(mainPkg) ? readFileSync(mainPkg, 'utf-8') : '';
+                            if (wtPkgContent !== mainPkgContent) {
+                                copyFileSync(wtPkg, mainPkg);
+                            }
+                        }
+                        catch {
+                            // Skip files we can't read
+                        }
+                    }
+                }
+                // Install in the main repo (not the worktree) to update node_modules
+                const installEnv = { ...process.env, ORCHESTRATOR_INSTALL: '1' };
+                execSync('pnpm install --frozen-lockfile 2>&1', {
+                    cwd: repoRoot,
+                    stdio: 'pipe',
+                    encoding: 'utf-8',
+                    timeout: 120_000,
+                    env: installEnv,
+                });
+                console.log(`[${identifier}] Main repo dependencies synced`);
+                // Remove stale worktree node_modules so linkDependencies creates fresh symlinks
+                this.removeWorktreeNodeModules(worktreePath);
+            }
+            catch (error) {
+                console.warn(`[${identifier}] Dependency sync failed, proceeding with existing state:`, error instanceof Error ? error.message : String(error));
+            }
+        }
+        this.linkDependencies(worktreePath, identifier);
+    }
     /**
      * @deprecated Use linkDependencies() instead. This now delegates to linkDependencies.
      */
@@ -2201,6 +2410,25 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                     // Ignore state update errors
                 }
             }
+            // Emit structured security scan events for security work type agents
+            if (emitter && agent.status === 'completed' && agent.workType === 'security') {
+                const fullOutput = assistantTextChunks.join('\n');
+                const scanEvents = parseSecurityScanOutput(fullOutput);
+                for (const scanEvent of scanEvents) {
+                    try {
+                        await emitter.emitSecurityScan(scanEvent);
+                        log?.info('Security scan event emitted', {
+                            scanner: scanEvent.scanner,
+                            findings: scanEvent.totalFindings,
+                        });
+                    }
+                    catch (scanError) {
+                        log?.warn('Failed to emit security scan event', {
+                            error: scanError instanceof Error ? scanError.message : String(scanError),
+                        });
+                    }
+                }
+            }
             // Emit a final response activity to close the Linear agent session.
             // Linear auto-transitions sessions to "complete" when a response activity is emitted.
             if (emitter && (agent.status === 'completed' || agent.status === 'failed')) {
@@ -2298,56 +2526,64 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                 }
             }
             // Update Linear status based on work type if auto-transition is enabled
-            if (agent.status === 'completed' && this.config.autoTransition) {
+            if ((agent.status === 'completed' || agent.status === 'failed') && this.config.autoTransition) {
                 const workType = agent.workType ?? 'development';
                 const isResultSensitive = workType === 'qa' || workType === 'acceptance' || workType === 'coordination' || workType === 'qa-coordination' || workType === 'acceptance-coordination';
                 let targetStatus = null;
                 if (isResultSensitive) {
-                    // For QA/acceptance: parse result to decide promote vs reject.
-                    // Try the final result message first, then fall back to scanning
-                    // all accumulated assistant text (the marker may be in an earlier turn).
-                    let workResult = parseWorkResult(agent.resultMessage, workType);
-                    if (workResult === 'unknown' && assistantTextChunks.length > 0) {
-                        const fullText = assistantTextChunks.join('\n');
-                        workResult = parseWorkResult(fullText, workType);
-                        if (workResult !== 'unknown') {
-                            log?.info('Work result found in accumulated text (not in final message)', { workResult });
-                        }
-                    }
-                    agent.workResult = workResult;
-                    if (workResult === 'passed') {
-                        targetStatus = this.statusMappings.workTypeCompleteStatus[workType];
-                        log?.info('Work result: passed, promoting', { workType, targetStatus });
-                    }
-                    else if (workResult === 'failed') {
+                    if (agent.status === 'failed') {
+                        // Agent crashed/errored — treat as QA/acceptance failure
+                        agent.workResult = 'failed';
                         targetStatus = this.statusMappings.workTypeFailStatus[workType];
-                        log?.info('Work result: failed, transitioning to fail status', { workType, targetStatus });
+                        log?.info('Agent failed (crash/error), transitioning to fail status', { workType, targetStatus });
                     }
                     else {
-                        // unknown — safe default: don't transition
-                        log?.warn('Work result: unknown, skipping auto-transition', {
-                            workType,
-                            hasResultMessage: !!agent.resultMessage,
-                        });
-                        // Post a diagnostic comment so the issue doesn't silently stall
-                        try {
-                            await this.client.createComment(issueId, `⚠️ Agent completed but no structured result marker was detected in the output.\n\n` +
-                                `**Issue status was NOT updated automatically.**\n\n` +
-                                `The orchestrator expected one of:\n` +
-                                `- \`<!-- WORK_RESULT:passed -->\` to promote the issue\n` +
-                                `- \`<!-- WORK_RESULT:failed -->\` to record a failure\n\n` +
-                                `This usually means the agent exited early (timeout, error, or missing logic). ` +
-                                `Check the agent logs for details, then manually update the issue status or re-trigger the agent.`);
-                            log?.info('Posted diagnostic comment for unknown work result');
+                        // For QA/acceptance: parse result to decide promote vs reject.
+                        // Try the final result message first, then fall back to scanning
+                        // all accumulated assistant text (the marker may be in an earlier turn).
+                        let workResult = parseWorkResult(agent.resultMessage, workType);
+                        if (workResult === 'unknown' && assistantTextChunks.length > 0) {
+                            const fullText = assistantTextChunks.join('\n');
+                            workResult = parseWorkResult(fullText, workType);
+                            if (workResult !== 'unknown') {
+                                log?.info('Work result found in accumulated text (not in final message)', { workResult });
+                            }
                         }
-                        catch (error) {
-                            log?.warn('Failed to post diagnostic comment for unknown work result', {
-                                error: error instanceof Error ? error.message : String(error),
+                        agent.workResult = workResult;
+                        if (workResult === 'passed') {
+                            targetStatus = this.statusMappings.workTypeCompleteStatus[workType];
+                            log?.info('Work result: passed, promoting', { workType, targetStatus });
+                        }
+                        else if (workResult === 'failed') {
+                            targetStatus = this.statusMappings.workTypeFailStatus[workType];
+                            log?.info('Work result: failed, transitioning to fail status', { workType, targetStatus });
+                        }
+                        else {
+                            // unknown — safe default: don't transition
+                            log?.warn('Work result: unknown, skipping auto-transition', {
+                                workType,
+                                hasResultMessage: !!agent.resultMessage,
                             });
+                            // Post a diagnostic comment so the issue doesn't silently stall
+                            try {
+                                await this.client.createComment(issueId, `⚠️ Agent completed but no structured result marker was detected in the output.\n\n` +
+                                    `**Issue status was NOT updated automatically.**\n\n` +
+                                    `The orchestrator expected one of:\n` +
+                                    `- \`<!-- WORK_RESULT:passed -->\` to promote the issue\n` +
+                                    `- \`<!-- WORK_RESULT:failed -->\` to record a failure\n\n` +
+                                    `This usually means the agent exited early (timeout, error, or missing logic). ` +
+                                    `Check the agent logs for details, then manually update the issue status or re-trigger the agent.`);
+                                log?.info('Posted diagnostic comment for unknown work result');
+                            }
+                            catch (error) {
+                                log?.warn('Failed to post diagnostic comment for unknown work result', {
+                                    error: error instanceof Error ? error.message : String(error),
+                                });
+                            }
                         }
                     }
                 }
-                else {
+                else if (agent.status === 'completed') {
                     // Non-QA/acceptance: promote on completion, but validate code-producing work types first
                     const isCodeProducing = workType === 'development' || workType === 'inflight';
                     if (isCodeProducing && agent.worktreePath && !agent.pullRequestUrl) {
@@ -2662,7 +2898,9 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                 agent.providerSessionId = event.sessionId;
                 this.updateLastActivity(issueId, 'init');
                 // Update state with provider session ID (only for worktree-based agents)
-                if (agent.worktreePath) {
+                // Skip if agent already failed — a late init event after an error would
+                // re-persist a stale session ID, preventing fresh recovery on next attempt
+                if (agent.worktreePath && agent.status !== 'failed') {
                     try {
                         updateState(agent.worktreePath, {
                             providerSessionId: event.sessionId,
@@ -2840,10 +3078,17 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                         : `Agent error: ${event.errorSubtype}`;
                     if (agent.worktreePath) {
                         try {
+                            // If the error is a stale session (resume failed), clear providerSessionId
+                            // so the next recovery attempt starts fresh instead of hitting the same error
+                            const isStaleSession = errorMessage.includes('No conversation found with session ID');
                             updateState(agent.worktreePath, {
                                 status: 'failed',
                                 errorMessage,
+                                ...(isStaleSession && { providerSessionId: null }),
                             });
+                            if (isStaleSession) {
+                                log?.info('Cleared stale providerSessionId from state — next recovery will start fresh');
+                            }
                         }
                         catch {
                             // Ignore state update errors
@@ -3145,8 +3390,8 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                 const workType = await this.detectWorkType(issue.id, 'Backlog');
                 // Create worktree with work type suffix
                 const { worktreePath, worktreeIdentifier } = this.createWorktree(issue.identifier, workType);
-                // Link dependencies from main repo into worktree
-                this.linkDependencies(worktreePath, issue.identifier);
+                // Sync and link dependencies from main repo into worktree
+                this.syncDependencies(worktreePath, issue.identifier);
                 const startStatus = this.statusMappings.workTypeStartStatus[workType];
                 // Update issue status based on work type if auto-transition is enabled
                 if (this.config.autoTransition && startStatus) {
@@ -3263,8 +3508,8 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
             const wt = this.createWorktree(identifier, effectiveWorkType);
             worktreePath = wt.worktreePath;
             worktreeIdentifier = wt.worktreeIdentifier;
-            // Link dependencies from main repo into worktree
-            this.linkDependencies(worktreePath, identifier);
+            // Sync and link dependencies from main repo into worktree
+            this.syncDependencies(worktreePath, identifier);
             // Check for existing state and potential recovery
             const recoveryCheck = checkRecovery(worktreePath, {
                 heartbeatTimeoutMs: getHeartbeatTimeoutFromEnv(),
@@ -3517,8 +3762,8 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                     const result = this.createWorktree(identifier, workType);
                     worktreePath = result.worktreePath;
                     worktreeIdentifier = result.worktreeIdentifier;
-                    // Link dependencies from main repo into worktree
-                    this.linkDependencies(worktreePath, identifier);
+                    // Sync and link dependencies from main repo into worktree
+                    this.syncDependencies(worktreePath, identifier);
                 }
             }
             catch (error) {
@@ -3537,8 +3782,8 @@ ORCHESTRATOR_INSTALL=1 exec pnpm add "$@"
                 const result = this.createWorktree(identifier, effectiveWorkType);
                 worktreePath = result.worktreePath;
                 worktreeIdentifier = result.worktreeIdentifier;
-                // Link dependencies from main repo into worktree
-                this.linkDependencies(worktreePath, identifier);
+                // Sync and link dependencies from main repo into worktree
+                this.syncDependencies(worktreePath, identifier);
             }
             catch (error) {
                 return {

package/dist/src/orchestrator/security-scan-event.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Security Scan Event
+ *
+ * Defines the `SecurityScanEvent` type and parsers for extracting structured
+ * vulnerability data from security scanner output (semgrep JSON, npm-audit JSON, etc.).
+ *
+ * The security station template instructs agents to output structured JSON in
+ * fenced code blocks tagged `security-scan-result`. This module parses that output.
+ */
+import { z } from 'zod';
+export interface SecurityScanEvent {
+    type: 'agent.security-scan';
+    scanner: string;
+    severityCounts: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    totalFindings: number;
+    target: string;
+    scanDurationMs: number;
+    timestamp: string;
+}
+export declare const SecurityScanEventSchema: z.ZodObject<{
+    type: z.ZodLiteral<"agent.security-scan">;
+    scanner: z.ZodString;
+    severityCounts: z.ZodObject<{
+        critical: z.ZodNumber;
+        high: z.ZodNumber;
+        medium: z.ZodNumber;
+        low: z.ZodNumber;
+    }, z.core.$strip>;
+    totalFindings: z.ZodNumber;
+    target: z.ZodString;
+    scanDurationMs: z.ZodNumber;
+    timestamp: z.ZodString;
+}, z.core.$strip>;
+/**
+ * Parse structured security scan results from agent output.
+ *
+ * Looks for fenced code blocks tagged `security-scan-result` and parses
+ * the JSON inside each block. Returns one `SecurityScanEvent` per block.
+ *
+ * Gracefully handles malformed output — returns partial data with zero counts
+ * rather than throwing.
+ */
+export declare function parseSecurityScanOutput(rawOutput: string): SecurityScanEvent[];
+/**
+ * Parse semgrep --json output into a SecurityScanEvent.
+ */
+export declare function parseSemgrepOutput(rawJson: string, target: string, durationMs: number): SecurityScanEvent;
+/**
+ * Parse npm audit --json output into a SecurityScanEvent.
+ */
+export declare function parseNpmAuditOutput(rawJson: string, target: string, durationMs: number): SecurityScanEvent;
+//# sourceMappingURL=security-scan-event.d.ts.map

package/dist/src/orchestrator/security-scan-event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-scan-event.d.ts","sourceRoot":"","sources":["../../../src/orchestrator/security-scan-event.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,qBAAqB,CAAA;IAC3B,OAAO,EAAE,MAAM,CAAA;IACf,cAAc,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;IAC/E,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;CAClB;AAMD,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;iBAalC,CAAA;AAYF;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAkB9E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,iBAAiB,CA2BzG;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,iBAAiB,CAoD1G"}