npm - @saulwade/swl-ses - Versions diffs - 1.4.1 → 1.5.0 - Mend

@saulwade/swl-ses 1.4.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/CLAUDE.md +3 -3
package/README.md +561 -560
package/agentes/nemesis-auditor-swl.md +161 -161
package/bin/swl-mcp-server.js +49 -22
package/bin/swl-ses.js +74 -0
package/comandos/swl/.evolved.json +22 -22
package/comandos/swl/contribuir.md +233 -233
package/comandos/swl/ejecutar-fase.md +33 -4
package/comandos/swl/metricas.md +72 -0
package/comandos/swl/nemesis.md +122 -122
package/gateway/lib/event-channel.js +191 -191
package/habilidades/backend-production-resilience/SKILL.md +288 -288
package/habilidades/benchmark-memoria/SKILL.md +186 -186
package/habilidades/diagrama-arquitectura/assets/template.html +276 -276
package/habilidades/discutir-fase/SKILL.md +50 -2
package/habilidades/doubt-driven-review/SKILL.md +171 -171
package/habilidades/doubt-driven-review/recursos/EXAMPLES.md +130 -130
package/habilidades/ejecutar-task-iterativo/SKILL.md +278 -0
package/habilidades/eval-framework/SKILL.md +212 -212
package/habilidades/feynman-auditor-swl/SKILL.md +123 -123
package/habilidades/feynman-auditor-swl/recursos/preguntas-language-agnostic.md +108 -108
package/habilidades/harness-claude-code/SKILL.md +299 -299
package/habilidades/infra-github-actions/SKILL.md +166 -166
package/habilidades/legacy-code-rescue/SKILL.md +267 -267
package/habilidades/manejo-errores/.evolved.json +8 -8
package/habilidades/meta-skills-estandar/recursos/convencion-examples.md +93 -93
package/habilidades/meta-skills-estandar/recursos/skills-as-agents.md +163 -163
package/habilidades/patrones-python/SKILL.md +229 -229
package/habilidades/patrones-python/recursos/patrones-avanzados.md +469 -469
package/habilidades/planear-fase/SKILL.md +319 -319
package/habilidades/protocolo-revision-swl/SKILL.md +276 -0
package/habilidades/release-semver/.evolved.json +8 -8
package/habilidades/state-inconsistency-auditor-swl/SKILL.md +166 -166
package/habilidades/state-inconsistency-auditor-swl/recursos/coupled-state-patterns.md +147 -147
package/habilidades/testing-python/SKILL.md +340 -340
package/habilidades/verificar-trabajo/SKILL.md +49 -5
package/habilidades/web-fetcher-routing/SKILL.md +75 -75
package/hooks/claudemd-bloat-detector.js +161 -161
package/hooks/lib/agent-routing.js +107 -107
package/hooks/lib/auto-consolidator.js +335 -335
package/hooks/lib/error-classifier.js +308 -308
package/hooks/lib/merkle-audit.js +96 -96
package/hooks/lib/provenance-tracker.js +191 -191
package/hooks/lib/rate-limit-tracker.js +253 -253
package/hooks/lib/resource-quota.js +122 -122
package/hooks/lib/retry-jitter.js +165 -165
package/hooks/lib/security-net.js +201 -201
package/hooks/lib/skill-auditor.js +588 -588
package/hooks/lib/sync-status.js +228 -228
package/hooks/lib/taint-tracker.js +107 -107
package/hooks/lib/text-similarity.js +241 -241
package/hooks/lib/toon-compressor.js +245 -245
package/hooks/registro-turnos.js +209 -209
package/hooks/sugerir-regenerar-inventario.js +170 -170
package/hooks/validar-formato-post-subagente.js +140 -140
package/hooks/validar-memoria-hook.js +218 -218
package/instintos/prompt-appendices.yaml +57 -57
package/manifiestos/agent-output-schemas.json +57 -57
package/manifiestos/modulos.json +1321 -1262
package/manifiestos/perfiles.json +2 -1
package/manifiestos/skills-lock.json +1114 -1114
package/package.json +3 -3
package/plantillas/auditor-veto-template.md +105 -105
package/plantillas/github-workflows/README.md +47 -47
package/plantillas/github-workflows/release-please.yml +44 -44
package/plantillas/github-workflows/swl-ci.yml +107 -107
package/plantillas/github-workflows/swl-security.yml +51 -51
package/plugin.json +351 -343
package/reglas/analisis-previo-tareas-grandes.md +172 -172
package/reglas/arreglar-al-detectar.md +147 -147
package/reglas/fragmentos-compartidos.md +152 -152
package/reglas/harness-claude-code.md +213 -213
package/reglas/usar-context7.md +226 -226
package/schemas/diary-entry.schema.json +80 -80
package/scripts/audit-tools/audit-history.js +330 -330
package/scripts/audit-tools/bundle-tracker.js +290 -290
package/scripts/audit-tools/canary-monitor.js +352 -352
package/scripts/audit-tools/code-profiler.js +605 -605
package/scripts/audit-tools/dep-doctor.js +320 -320
package/scripts/audit-tools/env-validator.js +206 -206
package/scripts/audit-tools/lib/fs-walk.js +48 -48
package/scripts/audit-tools/lib/output.js +23 -23
package/scripts/audit-tools/migration-checker.js +392 -392
package/scripts/audit-tools/pentest-scanner.js +1436 -1436
package/scripts/benchmark-memoria.js +167 -167
package/scripts/configurar-branch-protection.js +418 -418
package/scripts/derivar-feature-list.js +489 -0
package/scripts/detectar-aprendizajes-duplicados.js +151 -151
package/scripts/doctor.js +31 -4
package/scripts/field-report.js +199 -199
package/scripts/generar-checklists-consolidados.js +273 -273
package/scripts/generar-inventario.js +420 -420
package/scripts/generar-matriz-lenguajes.js +271 -271
package/scripts/instalador.js +56 -5
package/scripts/lib/artefactos-python.js +43 -43
package/scripts/lib/benchmark-metrics.js +160 -160
package/scripts/lib/budget-enforcer.js +252 -252
package/scripts/lib/configurar-ci.js +380 -380
package/scripts/lib/contadores-inventario.js +217 -217
package/scripts/lib/detectar-runtime.js +75 -9
package/scripts/lib/detectar-stack-detallado.js +307 -307
package/scripts/lib/diary-entry.js +234 -234
package/scripts/lib/estado.js +13 -1
package/scripts/lib/eval-metrics-store.js +218 -218
package/scripts/lib/eval-quality.js +171 -171
package/scripts/lib/eval-schemas.js +144 -144
package/scripts/lib/eval-self-correct.js +106 -106
package/scripts/lib/eval-validator.js +185 -185
package/scripts/lib/expandir-targets.js +71 -0
package/scripts/lib/jaccard-similarity.js +98 -98
package/scripts/lib/longmemeval-runner.js +125 -125
package/scripts/lib/manifiestos.js +42 -1
package/scripts/lib/npm-version.js +261 -261
package/scripts/lib/paquetes-conocidos.js +50 -50
package/scripts/lib/parsear-opciones.js +3 -0
package/scripts/lib/prompt-builder.js +264 -264
package/scripts/lib/rrf-fusion.js +175 -175
package/scripts/lib/scoring-instintos.js +277 -277
package/scripts/lib/semantic-search.js +252 -252
package/scripts/lib/toml-merge.js +204 -0
package/scripts/lib/transformadores/base.js +43 -9
package/scripts/lib/transformadores/codex.js +375 -115
package/scripts/lib/transformadores/cursor.js +359 -0
package/scripts/lib/transformadores/index.js +2 -0
package/scripts/limpiar-artefactos-python.js +131 -131
package/scripts/mcp-server/README.md +122 -80
package/scripts/mcp-server/auth.js +105 -0
package/scripts/mcp-server/cache.js +106 -0
package/scripts/mcp-server/handlers.js +386 -206
package/scripts/mcp-server/telemetry.js +78 -0
package/scripts/migrar-csv-a-array.js +168 -168
package/scripts/migrar-fase-dominio.js +201 -201
package/scripts/publicar.js +511 -511
package/scripts/run-eval.js +141 -141
package/scripts/validar-manifest.js +231 -195
package/scripts/validar-userland-vacio.js +110 -110

package/scripts/audit-tools/dep-doctor.js CHANGED Viewed

@@ -1,320 +1,320 @@
-// Adaptado de temp/ultraship-main/tools/dep-doctor.mjs bajo MIT License
-// Fuente: Houseofmvps/ultraship (https://github.com/Houseofmvps/ultraship)
-'use strict';
-const { readFileSync, existsSync, readdirSync, statSync } = require('fs');
-const { join, relative, extname } = require('path');
-const { outputJSON, outputError } = require('./lib/output');
-const SKIP_DIRS = new Set([
-  'node_modules', '.git', 'dist', 'build', '.next', 'coverage',
-  '__pycache__', '.cache', 'venv', '.venv', 'target', 'vendor',
-  '.tox', 'eggs', '.eggs', 'htmlcov', '.mypy_cache', '.pytest_cache',
-]);
-const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.json', '.vue', '.svelte']);
-/**
- * Recorre un directorio buscando archivos de código.
- * @param {string} dir
- * @returns {string[]}
- */
-function findCodeFiles(dir) {
-  const files = [];
-  function walk(d) {
-    try {
-      for (const entry of readdirSync(d)) {
-        if (entry.startsWith('.') || SKIP_DIRS.has(entry)) continue;
-        const p = join(d, entry);
-        try {
-          const s = statSync(p);
-          if (s.isDirectory()) walk(p);
-          else if (CODE_EXTS.has(extname(entry).toLowerCase())) files.push(p);
-        } catch { /* skip */ }
-      }
-    } catch { /* skip */ }
-  }
-  walk(dir);
-  return files;
-}
-// Dependencias usadas implícitamente (herramientas de build, definiciones de tipos)
-const IMPLICIT_DEPS = new Set([
-  'typescript', '@types/node', '@types/react', '@types/react-dom',
-  'eslint', 'prettier', 'vitest', 'jest', 'mocha',
-  'tailwindcss', 'autoprefixer', 'postcss',
-  'drizzle-kit', 'prisma',
-  '@vitejs/plugin-react', 'vite',
-  'tsx', 'ts-node', 'nodemon',
-  'husky', 'lint-staged', 'commitlint',
-  'dotenv', 'cross-env',
-]);
-// Paquetes cuyo nombre de import difiere del nombre en package.json
-const IMPORT_ALIASES = {
-  'next': ['next', 'next/'],
-  '@hono/node-server': ['@hono/node-server'],
-  'drizzle-orm': ['drizzle-orm'],
-  '@neondatabase/serverless': ['@neondatabase/serverless'],
-  'better-auth': ['better-auth'],
-  '@anthropic-ai/sdk': ['@anthropic-ai/sdk', 'anthropic'],
-  '@clerk/nextjs': ['@clerk/nextjs'],
-};
-/**
- * Detecta dependencias no utilizadas en el directorio dado.
- * @param {string} dir
- * @returns {{ unused: object[], total_deps: number, total_dev_deps: number, error?: string }}
- */
-function detectUnusedDeps(dir) {
-  const pkgPath = join(dir, 'package.json');
-  if (!existsSync(pkgPath)) return { unused: [], error: 'No se encontró package.json', total_deps: 0, total_dev_deps: 0 };
-  let pkg;
-  try {
-    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
-  } catch (e) {
-    return { unused: [], error: `package.json inválido: ${e.message}`, total_deps: 0, total_dev_deps: 0 };
-  }
-  const prodDeps = Object.keys(pkg.dependencies || {});
-  const devDeps = Object.keys(pkg.devDependencies || {});
-  const codeFiles = findCodeFiles(dir);
-  const fileContents = new Map();
-  let allCode = '';
-  for (const file of codeFiles) {
-    try {
-      const code = readFileSync(file, 'utf8');
-      fileContents.set(file, code);
-      allCode += code + '\n';
-    } catch { /* skip */ }
-  }
-  // Incluir archivos de configuración en la raíz
-  const configFiles = [
-    'vite.config.ts', 'vite.config.js', 'next.config.js', 'next.config.mjs',
-    'tailwind.config.js', 'tailwind.config.ts', 'postcss.config.js', 'postcss.config.cjs',
-    'drizzle.config.ts', 'drizzle.config.js', '.eslintrc.js', '.eslintrc.json',
-    'tsconfig.json', 'jest.config.js', 'vitest.config.ts',
-  ];
-  for (const cf of configFiles) {
-    const p = join(dir, cf);
-    if (existsSync(p)) {
-      try {
-        const code = readFileSync(p, 'utf8');
-        fileContents.set(p, code);
-        allCode += code + '\n';
-      } catch { /* skip */ }
-    }
-  }
-  // Construir grafo de imports: objetivos de import locales normalizados
-  const allImportTargets = new Set();
-  for (const [, code] of fileContents) {
-    const importRegex = /(?:from\s+|require\s*\(\s*)['"]([^'"]+)['"]/g;
-    let m;
-    while ((m = importRegex.exec(code)) !== null) {
-      const target = m[1];
-      if (target.startsWith('.') || target.startsWith('@/') || target.startsWith('~/')) {
-        const clean = target.replace(/^(?:\.\/|@\/|~\/)/, '').replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/, '');
-        allImportTargets.add(clean);
-        allImportTargets.add(clean.replace(/\/index$/, ''));
-      }
-    }
-  }
-  function isFileReachable(filePath) {
-    const rel = relative(dir, filePath).replace(/\\/g, '/');
-    const noExt = rel.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/, '');
-    const noIndex = noExt.replace(/\/index$/, '');
-    const basename = filePath.split(/[/\\]/).pop();
-    if (['page.tsx', 'page.ts', 'page.jsx', 'layout.tsx', 'layout.ts',
-      'main.tsx', 'main.ts', 'App.tsx', 'App.ts', 'index.tsx', 'index.ts',
-      'index.js', 'main.js'].includes(basename)) return true;
-    if (rel.includes('/routes/') || rel.includes('/api/') || rel.includes('/pages/')) return true;
-    if (rel.includes('config')) return true;
-    for (const target of allImportTargets) {
-      if (target === noExt || target === noIndex ||
-        target === `src/${noExt}` || target === `src/${noIndex}` ||
-        noExt.endsWith(`/${target}`) || noIndex.endsWith(`/${target}`)) return true;
-    }
-    return false;
-  }
-  function findDepImportFiles(dep) {
-    const aliases = IMPORT_ALIASES[dep] || [dep];
-    const files = [];
-    for (const [filePath, code] of fileContents) {
-      for (const alias of aliases) {
-        if (code.includes(`'${alias}'`) || code.includes(`"${alias}"`) ||
-          code.includes(`'${alias}/`) || code.includes(`"${alias}/`)) {
-          files.push(filePath);
-          break;
-        }
-      }
-      if (dep.startsWith('@') && !files.includes(filePath)) {
-        if (code.includes(`'${dep}'`) || code.includes(`"${dep}"`) ||
-          code.includes(`'${dep}/`) || code.includes(`"${dep}/`)) {
-          files.push(filePath);
-        }
-      }
-    }
-    return files;
-  }
-  const unused = [];
-  function isUsed(dep) {
-    if (IMPLICIT_DEPS.has(dep)) return true;
-    if (dep.startsWith('@types/')) return true;
-    const aliases = IMPORT_ALIASES[dep] || [dep];
-    for (const alias of aliases) {
-      if (allCode.includes(`'${alias}'`) || allCode.includes(`"${alias}"`)) return true;
-      if (allCode.includes(`'${alias}/`) || allCode.includes(`"${alias}/`)) return true;
-      if (allCode.includes(`require('${alias}')`) || allCode.includes(`require("${alias}")`)) return true;
-    }
-    if (dep.startsWith('@')) {
-      if (allCode.includes(`'${dep}'`) || allCode.includes(`"${dep}"`)) return true;
-      if (allCode.includes(`'${dep}/`) || allCode.includes(`"${dep}/`)) return true;
-    }
-    return false;
-  }
-  function isDeadCode(dep) {
-    const importFiles = findDepImportFiles(dep);
-    if (importFiles.length === 0) return true;
-    return importFiles.every(f => !isFileReachable(f));
-  }
-  for (const dep of prodDeps) {
-    if (!isUsed(dep)) {
-      unused.push({ name: dep, type: 'production', severity: 'high', message: `"${dep}" está en dependencies pero no se importa en ningún lugar — eliminar para reducir el tamaño de instalación` });
-    } else if (isDeadCode(dep)) {
-      unused.push({ name: dep, type: 'production', severity: 'medium', message: `"${dep}" solo se importa en archivos no alcanzables — eliminar si esos componentes no se necesitan` });
-    }
-  }
-  for (const dep of devDeps) {
-    if (!isUsed(dep)) {
-      unused.push({ name: dep, type: 'devDependency', severity: 'low', message: `"${dep}" está en devDependencies pero no se referencia — puede eliminarse` });
-    }
-  }
-  return { unused, total_deps: prodDeps.length, total_dev_deps: devDeps.length };
-}
-/**
- * Detecta dependencias posiblemente desactualizadas.
- * @param {string} dir
- * @returns {{ outdated: object[] }}
- */
-function detectOutdated(dir) {
-  const pkgPath = join(dir, 'package.json');
-  if (!existsSync(pkgPath)) return { outdated: [] };
-  let pkg;
-  try {
-    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
-  } catch {
-    return { outdated: [] };
-  }
-  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-  const findings = [];
-  for (const [name, version] of Object.entries(allDeps)) {
-    if (typeof version !== 'string') continue;
-    const v = version.trim();
-    if (v.startsWith('file:') || v.startsWith('link:') || v.startsWith('workspace:') || v === '*' || v === 'latest') continue;
-    // Versión anclada exacta (sin ^ ni ~)
-    if (/^\d/.test(v)) {
-      findings.push({
-        name,
-        version: v,
-        severity: 'low',
-        issue: 'anclada',
-        message: `"${name}@${v}" está anclado a versión exacta — usar ^${v} para recibir actualizaciones de parches`,
-      });
-    }
-    // Versiones mayores muy antiguas de paquetes conocidos
-    const majorMatch = v.match(/\d+/);
-    if (majorMatch) {
-      const major = parseInt(majorMatch[0], 10);
-      const knownOld = {
-        'react': 18, 'next': 14, 'vue': 3, 'express': 4, 'hono': 4,
-        'typescript': 5, 'vite': 5, 'tailwindcss': 3, 'eslint': 9,
-        'drizzle-orm': 0, 'prisma': 5, 'zod': 3,
-      };
-      if (knownOld[name] !== undefined && major < knownOld[name] - 1) {
-        findings.push({
-          name,
-          version: v,
-          severity: 'medium',
-          issue: 'mayor_desactualizado',
-          message: `"${name}@${v}" tiene ${knownOld[name] - major}+ versiones mayores de retraso — considerar actualización`,
-        });
-      }
-    }
-  }
-  return { outdated: findings };
-}
-function main() {
-  const dir = process.argv[2];
-  if (!dir) {
-    outputError('Uso: node dep-doctor.js <directorio-proyecto>');
-    process.exit(0);
-  }
-  if (!existsSync(dir)) {
-    outputError(`Ruta no encontrada: ${dir}`);
-    process.exit(0);
-  }
-  const unusedResult = detectUnusedDeps(dir);
-  const outdatedResult = detectOutdated(dir);
-  outputJSON({
-    success: true,
-    packages_scanned: 1,
-    total_production_deps: unusedResult.total_deps || 0,
-    total_dev_deps: unusedResult.total_dev_deps || 0,
-    unused_count: unusedResult.unused.length,
-    outdated_count: outdatedResult.outdated.length,
-    total_findings: unusedResult.unused.length + outdatedResult.outdated.length,
-    unused: unusedResult.unused,
-    outdated: outdatedResult.outdated,
-  });
-}
-main();
-module.exports = { detectUnusedDeps, detectOutdated, findCodeFiles, IMPLICIT_DEPS };
-/**
- * @complemento Skill("dependencias-auditoria")
- *
- * dep-doctor.js realiza **análisis estático** de dependencias:
- *   - Detecta dependencias declaradas pero nunca importadas en el código fuente.
- *   - Detecta versiones ancladas sin `^`/`~` y versiones mayores muy desactualizadas.
- *   - Sin ejecución de shell, sin red. Seguro para usar en cualquier entorno.
- *   - Rápido (solo lectura de archivos locales).
- *
- * Skill("dependencias-auditoria") realiza **auditoría de seguridad profunda**:
- *   - Consulta bases de datos CVE reales (pip-audit, npm audit, trivy, grype).
- *   - Detecta licencias incompatibles (pip-licenses, license-checker).
- *   - Identifica dependencias abandonadas con fecha de último commit.
- *   - Requiere: red (acceso a advisories), shell (pip-audit, npm, trivy instalados).
- *   - Más lento pero definitivo en vulnerabilidades conocidas.
- *
- * Flujo recomendado:
- *   1. Ejecutar `dep-doctor.js` primero (rápido, sin dependencias externas).
- *      → Eliminar dependencias no usadas reduce la superficie de ataque.
- *   2. Luego invocar `Skill("dependencias-auditoria")` para CVEs y licencias.
- *      → Asegura que las dependencias restantes no tienen vulnerabilidades conocidas.
- */
+// Adaptado de temp/ultraship-main/tools/dep-doctor.mjs bajo MIT License
+// Fuente: Houseofmvps/ultraship (https://github.com/Houseofmvps/ultraship)
+'use strict';
+const { readFileSync, existsSync, readdirSync, statSync } = require('fs');
+const { join, relative, extname } = require('path');
+const { outputJSON, outputError } = require('./lib/output');
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', 'dist', 'build', '.next', 'coverage',
+  '__pycache__', '.cache', 'venv', '.venv', 'target', 'vendor',
+  '.tox', 'eggs', '.eggs', 'htmlcov', '.mypy_cache', '.pytest_cache',
+]);
+const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.json', '.vue', '.svelte']);
+/**
+ * Recorre un directorio buscando archivos de código.
+ * @param {string} dir
+ * @returns {string[]}
+ */
+function findCodeFiles(dir) {
+  const files = [];
+  function walk(d) {
+    try {
+      for (const entry of readdirSync(d)) {
+        if (entry.startsWith('.') || SKIP_DIRS.has(entry)) continue;
+        const p = join(d, entry);
+        try {
+          const s = statSync(p);
+          if (s.isDirectory()) walk(p);
+          else if (CODE_EXTS.has(extname(entry).toLowerCase())) files.push(p);
+        } catch { /* skip */ }
+      }
+    } catch { /* skip */ }
+  }
+  walk(dir);
+  return files;
+}
+// Dependencias usadas implícitamente (herramientas de build, definiciones de tipos)
+const IMPLICIT_DEPS = new Set([
+  'typescript', '@types/node', '@types/react', '@types/react-dom',
+  'eslint', 'prettier', 'vitest', 'jest', 'mocha',
+  'tailwindcss', 'autoprefixer', 'postcss',
+  'drizzle-kit', 'prisma',
+  '@vitejs/plugin-react', 'vite',
+  'tsx', 'ts-node', 'nodemon',
+  'husky', 'lint-staged', 'commitlint',
+  'dotenv', 'cross-env',
+]);
+// Paquetes cuyo nombre de import difiere del nombre en package.json
+const IMPORT_ALIASES = {
+  'next': ['next', 'next/'],
+  '@hono/node-server': ['@hono/node-server'],
+  'drizzle-orm': ['drizzle-orm'],
+  '@neondatabase/serverless': ['@neondatabase/serverless'],
+  'better-auth': ['better-auth'],
+  '@anthropic-ai/sdk': ['@anthropic-ai/sdk', 'anthropic'],
+  '@clerk/nextjs': ['@clerk/nextjs'],
+};
+/**
+ * Detecta dependencias no utilizadas en el directorio dado.
+ * @param {string} dir
+ * @returns {{ unused: object[], total_deps: number, total_dev_deps: number, error?: string }}
+ */
+function detectUnusedDeps(dir) {
+  const pkgPath = join(dir, 'package.json');
+  if (!existsSync(pkgPath)) return { unused: [], error: 'No se encontró package.json', total_deps: 0, total_dev_deps: 0 };
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  } catch (e) {
+    return { unused: [], error: `package.json inválido: ${e.message}`, total_deps: 0, total_dev_deps: 0 };
+  }
+  const prodDeps = Object.keys(pkg.dependencies || {});
+  const devDeps = Object.keys(pkg.devDependencies || {});
+  const codeFiles = findCodeFiles(dir);
+  const fileContents = new Map();
+  let allCode = '';
+  for (const file of codeFiles) {
+    try {
+      const code = readFileSync(file, 'utf8');
+      fileContents.set(file, code);
+      allCode += code + '\n';
+    } catch { /* skip */ }
+  }
+  // Incluir archivos de configuración en la raíz
+  const configFiles = [
+    'vite.config.ts', 'vite.config.js', 'next.config.js', 'next.config.mjs',
+    'tailwind.config.js', 'tailwind.config.ts', 'postcss.config.js', 'postcss.config.cjs',
+    'drizzle.config.ts', 'drizzle.config.js', '.eslintrc.js', '.eslintrc.json',
+    'tsconfig.json', 'jest.config.js', 'vitest.config.ts',
+  ];
+  for (const cf of configFiles) {
+    const p = join(dir, cf);
+    if (existsSync(p)) {
+      try {
+        const code = readFileSync(p, 'utf8');
+        fileContents.set(p, code);
+        allCode += code + '\n';
+      } catch { /* skip */ }
+    }
+  }
+  // Construir grafo de imports: objetivos de import locales normalizados
+  const allImportTargets = new Set();
+  for (const [, code] of fileContents) {
+    const importRegex = /(?:from\s+|require\s*\(\s*)['"]([^'"]+)['"]/g;
+    let m;
+    while ((m = importRegex.exec(code)) !== null) {
+      const target = m[1];
+      if (target.startsWith('.') || target.startsWith('@/') || target.startsWith('~/')) {
+        const clean = target.replace(/^(?:\.\/|@\/|~\/)/, '').replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/, '');
+        allImportTargets.add(clean);
+        allImportTargets.add(clean.replace(/\/index$/, ''));
+      }
+    }
+  }
+  function isFileReachable(filePath) {
+    const rel = relative(dir, filePath).replace(/\\/g, '/');
+    const noExt = rel.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/, '');
+    const noIndex = noExt.replace(/\/index$/, '');
+    const basename = filePath.split(/[/\\]/).pop();
+    if (['page.tsx', 'page.ts', 'page.jsx', 'layout.tsx', 'layout.ts',
+      'main.tsx', 'main.ts', 'App.tsx', 'App.ts', 'index.tsx', 'index.ts',
+      'index.js', 'main.js'].includes(basename)) return true;
+    if (rel.includes('/routes/') || rel.includes('/api/') || rel.includes('/pages/')) return true;
+    if (rel.includes('config')) return true;
+    for (const target of allImportTargets) {
+      if (target === noExt || target === noIndex ||
+        target === `src/${noExt}` || target === `src/${noIndex}` ||
+        noExt.endsWith(`/${target}`) || noIndex.endsWith(`/${target}`)) return true;
+    }
+    return false;
+  }
+  function findDepImportFiles(dep) {
+    const aliases = IMPORT_ALIASES[dep] || [dep];
+    const files = [];
+    for (const [filePath, code] of fileContents) {
+      for (const alias of aliases) {
+        if (code.includes(`'${alias}'`) || code.includes(`"${alias}"`) ||
+          code.includes(`'${alias}/`) || code.includes(`"${alias}/`)) {
+          files.push(filePath);
+          break;
+        }
+      }
+      if (dep.startsWith('@') && !files.includes(filePath)) {
+        if (code.includes(`'${dep}'`) || code.includes(`"${dep}"`) ||
+          code.includes(`'${dep}/`) || code.includes(`"${dep}/`)) {
+          files.push(filePath);
+        }
+      }
+    }
+    return files;
+  }
+  const unused = [];
+  function isUsed(dep) {
+    if (IMPLICIT_DEPS.has(dep)) return true;
+    if (dep.startsWith('@types/')) return true;
+    const aliases = IMPORT_ALIASES[dep] || [dep];
+    for (const alias of aliases) {
+      if (allCode.includes(`'${alias}'`) || allCode.includes(`"${alias}"`)) return true;
+      if (allCode.includes(`'${alias}/`) || allCode.includes(`"${alias}/`)) return true;
+      if (allCode.includes(`require('${alias}')`) || allCode.includes(`require("${alias}")`)) return true;
+    }
+    if (dep.startsWith('@')) {
+      if (allCode.includes(`'${dep}'`) || allCode.includes(`"${dep}"`)) return true;
+      if (allCode.includes(`'${dep}/`) || allCode.includes(`"${dep}/`)) return true;
+    }
+    return false;
+  }
+  function isDeadCode(dep) {
+    const importFiles = findDepImportFiles(dep);
+    if (importFiles.length === 0) return true;
+    return importFiles.every(f => !isFileReachable(f));
+  }
+  for (const dep of prodDeps) {
+    if (!isUsed(dep)) {
+      unused.push({ name: dep, type: 'production', severity: 'high', message: `"${dep}" está en dependencies pero no se importa en ningún lugar — eliminar para reducir el tamaño de instalación` });
+    } else if (isDeadCode(dep)) {
+      unused.push({ name: dep, type: 'production', severity: 'medium', message: `"${dep}" solo se importa en archivos no alcanzables — eliminar si esos componentes no se necesitan` });
+    }
+  }
+  for (const dep of devDeps) {
+    if (!isUsed(dep)) {
+      unused.push({ name: dep, type: 'devDependency', severity: 'low', message: `"${dep}" está en devDependencies pero no se referencia — puede eliminarse` });
+    }
+  }
+  return { unused, total_deps: prodDeps.length, total_dev_deps: devDeps.length };
+}
+/**
+ * Detecta dependencias posiblemente desactualizadas.
+ * @param {string} dir
+ * @returns {{ outdated: object[] }}
+ */
+function detectOutdated(dir) {
+  const pkgPath = join(dir, 'package.json');
+  if (!existsSync(pkgPath)) return { outdated: [] };
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  } catch {
+    return { outdated: [] };
+  }
+  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+  const findings = [];
+  for (const [name, version] of Object.entries(allDeps)) {
+    if (typeof version !== 'string') continue;
+    const v = version.trim();
+    if (v.startsWith('file:') || v.startsWith('link:') || v.startsWith('workspace:') || v === '*' || v === 'latest') continue;
+    // Versión anclada exacta (sin ^ ni ~)
+    if (/^\d/.test(v)) {
+      findings.push({
+        name,
+        version: v,
+        severity: 'low',
+        issue: 'anclada',
+        message: `"${name}@${v}" está anclado a versión exacta — usar ^${v} para recibir actualizaciones de parches`,
+      });
+    }
+    // Versiones mayores muy antiguas de paquetes conocidos
+    const majorMatch = v.match(/\d+/);
+    if (majorMatch) {
+      const major = parseInt(majorMatch[0], 10);
+      const knownOld = {
+        'react': 18, 'next': 14, 'vue': 3, 'express': 4, 'hono': 4,
+        'typescript': 5, 'vite': 5, 'tailwindcss': 3, 'eslint': 9,
+        'drizzle-orm': 0, 'prisma': 5, 'zod': 3,
+      };
+      if (knownOld[name] !== undefined && major < knownOld[name] - 1) {
+        findings.push({
+          name,
+          version: v,
+          severity: 'medium',
+          issue: 'mayor_desactualizado',
+          message: `"${name}@${v}" tiene ${knownOld[name] - major}+ versiones mayores de retraso — considerar actualización`,
+        });
+      }
+    }
+  }
+  return { outdated: findings };
+}
+function main() {
+  const dir = process.argv[2];
+  if (!dir) {
+    outputError('Uso: node dep-doctor.js <directorio-proyecto>');
+    process.exit(0);
+  }
+  if (!existsSync(dir)) {
+    outputError(`Ruta no encontrada: ${dir}`);
+    process.exit(0);
+  }
+  const unusedResult = detectUnusedDeps(dir);
+  const outdatedResult = detectOutdated(dir);
+  outputJSON({
+    success: true,
+    packages_scanned: 1,
+    total_production_deps: unusedResult.total_deps || 0,
+    total_dev_deps: unusedResult.total_dev_deps || 0,
+    unused_count: unusedResult.unused.length,
+    outdated_count: outdatedResult.outdated.length,
+    total_findings: unusedResult.unused.length + outdatedResult.outdated.length,
+    unused: unusedResult.unused,
+    outdated: outdatedResult.outdated,
+  });
+}
+main();
+module.exports = { detectUnusedDeps, detectOutdated, findCodeFiles, IMPLICIT_DEPS };
+/**
+ * @complemento Skill("dependencias-auditoria")
+ *
+ * dep-doctor.js realiza **análisis estático** de dependencias:
+ *   - Detecta dependencias declaradas pero nunca importadas en el código fuente.
+ *   - Detecta versiones ancladas sin `^`/`~` y versiones mayores muy desactualizadas.
+ *   - Sin ejecución de shell, sin red. Seguro para usar en cualquier entorno.
+ *   - Rápido (solo lectura de archivos locales).
+ *
+ * Skill("dependencias-auditoria") realiza **auditoría de seguridad profunda**:
+ *   - Consulta bases de datos CVE reales (pip-audit, npm audit, trivy, grype).
+ *   - Detecta licencias incompatibles (pip-licenses, license-checker).
+ *   - Identifica dependencias abandonadas con fecha de último commit.
+ *   - Requiere: red (acceso a advisories), shell (pip-audit, npm, trivy instalados).
+ *   - Más lento pero definitivo en vulnerabilidades conocidas.
+ *
+ * Flujo recomendado:
+ *   1. Ejecutar `dep-doctor.js` primero (rápido, sin dependencias externas).
+ *      → Eliminar dependencias no usadas reduce la superficie de ataque.
+ *   2. Luego invocar `Skill("dependencias-auditoria")` para CVEs y licencias.
+ *      → Asegura que las dependencias restantes no tienen vulnerabilidades conocidas.
+ */