@toolbaux/guardian 0.1.23 → 0.2.0

package/README.md

@@ -85,16 +85,18 @@ The block between markers is replaced on every save (VSCode extension) and every
 
 Guardian includes an MCP server that Claude Code and Cursor connect to automatically. The VSCode extension sets this up on first activation — no manual config needed.
 
-**6 compact tools available to AI:**
+**8 compact tools available to AI:**
 
 | Tool | Tokens | Purpose |
 |------|--------|---------|
 | `guardian_orient` | ~100 | Project summary at session start |
 | `guardian_context` | ~50-80 | File or endpoint dependencies before editing |
 | `guardian_impact` | ~30 | What breaks if you change a file |
-| `guardian_search` | ~70 | Find endpoints, models, modules by keyword |
+| `guardian_search` | ~70 | Find endpoints, models, modules, and functions by keyword |
 | `guardian_model` | ~90 | Full field details (only when needed) |
 | `guardian_metrics` | ~50 | Session usage stats |
+| `guardian_grep` | ~40 | Semantic grep — search symbols and literals across the codebase |
+| `guardian_glob` | ~30 | Semantic file discovery — find files by pattern with module context |
 
 All responses are compact JSON — no pretty-printing, no verbose keys. Repeated calls are cached (30s TTL). Usage metrics tracked per session.
 
@@ -229,8 +231,8 @@ npm install && npm run build && npm link
 
 ```bash
 guardian init                          # config, .specs dir, pre-commit hook, CLAUDE.md
-guardian extract                       # full architecture + UX snapshots + docs
-guardian extract --backend sqlite      # same + builds guardian.db with FTS index
+guardian extract                       # full architecture + UX snapshots + guardian.db (default: sqlite)
+guardian extract --backend file        # file-only mode, skips guardian.db
 guardian generate --ai-context         # compact ~3K token AI context only
 ```
 

package/dist/cli.js

@@ -62,7 +62,7 @@ program
     .option("--no-file-graph", "Exclude file-level dependency graph")
     .option("--config <path>", "Path to guardian.config.json")
     .option("--docs-mode <mode>", "Docs mode (lean|full)")
-    .option("--backend <backend>", "Storage backend: 'file' (default) or 'sqlite' (also builds guardian.db + FTS index)")
+    .option("--backend <backend>", "Storage backend: 'sqlite' (default, builds guardian.db + FTS index) or 'file'")
     .action(async (projectRoot, options) => {
     await runExtract({
         projectRoot,

package/dist/commands/context.js

@@ -5,21 +5,90 @@ import { loadArchitectureDiff, loadHeatmap } from "../extract/compress.js";
 import { renderContextBlock } from "../extract/context-block.js";
 import { resolveMachineInputDir } from "../output-layout.js";
 import { DEFAULT_SPECS_DIR } from "../config.js";
+import { SqliteSpecsStore, DB_FILENAME } from "../db/sqlite-specs-store.js";
+/** Open a SqliteSpecsStore if guardian.db exists, return null otherwise. */
+async function tryOpenStore(specsDir) {
+    const dbPath = path.join(specsDir, DB_FILENAME);
+    try {
+        await fs.stat(dbPath);
+        const store = new SqliteSpecsStore(specsDir);
+        await store.init();
+        return store;
+    }
+    catch {
+        return null;
+    }
+}
+/** Reconstruct the SI report shape renderContextBlock needs from module_metrics rows. */
+function siFromMetrics(rows) {
+    return rows.map(r => ({
+        feature: r.module,
+        structure: { nodes: r.nodes, edges: r.edges },
+        metrics: { depth: 0, fanout_avg: 0, fanout_max: 0, density: 0, has_cycles: false },
+        scores: { depth_score: 0, fanout_score: 0, density_score: 0, cycle_score: 0, query_score: 0 },
+        confidence: { value: r.confidence, level: r.confidence_level },
+        ambiguity: { level: "LOW" },
+        classification: {
+            depth_level: r.depth_level,
+            propagation: r.propagation,
+            compressible: r.compressible,
+        },
+        recommendation: {
+            primary: { pattern: r.pattern, confidence: r.confidence },
+            fallback: { pattern: "", condition: "" },
+            avoid: [],
+        },
+        guardrails: { enforce_if_confidence_above: 0.7 },
+        override: { allowed: true, requires_reason: true },
+    }));
+}
 export async function runContext(options) {
     const inputDir = await resolveMachineInputDir(options.input || DEFAULT_SPECS_DIR);
-    const { architecture, ux } = await loadSnapshots(inputDir);
+    // inputDir resolves to .specs/machine/; DB lives one level up at .specs/guardian.db
+    const specsDir = path.dirname(inputDir);
+    const store = await tryOpenStore(specsDir);
+    let architecture;
+    let ux;
+    let si;
+    try {
+        // ── Load snapshots: DB first, file fallback ─────────────────────────────
+        if (store) {
+            const archEntry = await store.readSpec("architecture.snapshot");
+            const uxEntry = await store.readSpec("ux.snapshot");
+            if (archEntry && uxEntry) {
+                architecture = yaml.load(archEntry.content);
+                ux = yaml.load(uxEntry.content);
+            }
+            else {
+                ({ architecture, ux } = await loadSnapshotsFromFiles(inputDir));
+            }
+        }
+        else {
+            ({ architecture, ux } = await loadSnapshotsFromFiles(inputDir));
+        }
+        // ── Load SI reports: module_metrics table first, file fallback ──────────
+        if (store) {
+            const rows = store.readModuleMetrics();
+            if (rows.length > 0) {
+                si = siFromMetrics(rows);
+            }
+        }
+        if (!si) {
+            try {
+                const siRaw = await fs.readFile(path.join(inputDir, "structural-intelligence.json"), "utf8");
+                si = JSON.parse(siRaw);
+            }
+            catch { /* not available */ }
+        }
+    }
+    finally {
+        if (store)
+            await store.close();
+    }
     const [diff, heatmap] = await Promise.all([
         loadArchitectureDiff(inputDir),
         loadHeatmap(inputDir)
     ]);
-    // Load structural intelligence if available
-    let si;
-    try {
-        const siPath = path.join(inputDir, "structural-intelligence.json");
-        const siRaw = await fs.readFile(siPath, "utf8");
-        si = JSON.parse(siRaw);
-    }
-    catch { /* not available */ }
     const content = renderContextBlock(architecture, ux, {
         focusQuery: options.focus,
         maxLines: normalizeMaxLines(options.maxLines),
@@ -38,16 +107,18 @@ export async function runContext(options) {
     await fs.writeFile(outputPath, next, "utf8");
     console.log(`Wrote ${outputPath}`);
 }
-async function loadSnapshots(inputDir) {
+async function loadSnapshotsFromFiles(inputDir) {
     const architecturePath = path.join(inputDir, "architecture.snapshot.yaml");
     const uxPath = path.join(inputDir, "ux.snapshot.yaml");
-    let architectureRaw;
-    let uxRaw;
     try {
-        [architectureRaw, uxRaw] = await Promise.all([
+        const [architectureRaw, uxRaw] = await Promise.all([
             fs.readFile(architecturePath, "utf8"),
             fs.readFile(uxPath, "utf8")
         ]);
+        return {
+            architecture: yaml.load(architectureRaw),
+            ux: yaml.load(uxRaw)
+        };
     }
     catch (error) {
         if (error.code === "ENOENT") {
@@ -55,10 +126,6 @@ async function loadSnapshots(inputDir) {
         }
         throw error;
     }
-    return {
-        architecture: yaml.load(architectureRaw),
-        ux: yaml.load(uxRaw)
-    };
 }
 async function readIfExists(filePath) {
     try {
@@ -75,37 +142,28 @@ function stripExistingSpecGuardBlocks(content) {
         .replace(/<!-- guardian:auto-context -->[\s\S]*?<!-- \/guardian:auto-context -->/g, "<!-- guardian:auto-context -->\n<!-- /guardian:auto-context -->")
         .replace(/\n{3,}/g, "\n\n");
 }
-/**
- * Inject context into a file that has <!-- guardian:auto-context --> markers.
- * Replaces content between the markers instead of appending.
- */
 function injectIntoAutoContext(existing, contextBlock) {
     const marker = "<!-- guardian:auto-context -->";
     const endMarker = "<!-- /guardian:auto-context -->";
     if (!existing.includes(marker)) {
-        // No auto-context markers — fall back to append behavior
         const cleaned = stripExistingSpecGuardBlocks(existing).trim();
         return cleaned.length > 0 ? `${cleaned}\n\n${contextBlock}\n` : `${contextBlock}\n`;
     }
-    // Replace content between markers
     const startIdx = existing.indexOf(marker);
     const endIdx = existing.indexOf(endMarker);
-    if (startIdx === -1 || endIdx === -1) {
+    if (startIdx === -1 || endIdx === -1)
         return existing;
-    }
     const before = existing.slice(0, startIdx + marker.length);
     const after = existing.slice(endIdx);
     return `${before}\n${contextBlock}\n${after}`;
 }
 function normalizeMaxLines(value) {
-    if (typeof value === "number" && Number.isFinite(value)) {
+    if (typeof value === "number" && Number.isFinite(value))
         return value;
-    }
     if (typeof value === "string" && value.trim().length > 0) {
         const parsed = Number.parseInt(value, 10);
-        if (Number.isFinite(parsed) && parsed > 0) {
+        if (Number.isFinite(parsed) && parsed > 0)
             return parsed;
-        }
     }
     return undefined;
 }

package/dist/commands/extract.js

@@ -5,13 +5,16 @@ import { runIntel } from "./intel.js";
 import { runGenerate } from "./generate.js";
 import { runContext } from "./context.js";
 export async function runExtract(options) {
+    // Default to sqlite so every extract builds guardian.db automatically.
+    // Pass --backend file to opt out (e.g. CI environments that don't need search).
+    const backend = options.backend ?? "sqlite";
     const { architecturePath, uxPath } = await extractProject(options);
     console.log(`Wrote ${architecturePath}`);
     console.log(`Wrote ${uxPath}`);
     // Auto-build codebase intelligence after every extract
     const specsDir = path.resolve(options.output);
     try {
-        await runIntel({ specs: specsDir, backend: options.backend });
+        await runIntel({ specs: specsDir, backend });
     }
     catch {
         // Non-fatal — intel build failure should not break extract

package/dist/commands/generate.js

@@ -1,26 +1,99 @@
 import fs from "node:fs/promises";
 import path from "node:path";
+import yaml from "js-yaml";
 import { buildSnapshots } from "../extract/index.js";
 import { renderContextBlock } from "../extract/context-block.js";
 import { getOutputLayout } from "../output-layout.js";
 import { DEFAULT_SPECS_DIR } from "../config.js";
 import { analyzeDepth } from "../extract/analyzers/depth.js";
+import { SqliteSpecsStore, DB_FILENAME } from "../db/sqlite-specs-store.js";
 export async function runGenerate(options) {
     if (!options.aiContext) {
         throw new Error("`guardian generate` currently supports `--ai-context` only.");
     }
     const outputRoot = path.resolve(options.output ?? DEFAULT_SPECS_DIR);
     const layout = getOutputLayout(outputRoot);
-    const { architecture, ux } = await buildSnapshots({
-        projectRoot: options.projectRoot,
-        backendRoot: options.backendRoot,
-        frontendRoot: options.frontendRoot,
-        output: outputRoot,
-        includeFileGraph: true,
-        configPath: options.configPath
-    });
-    // Load persisted Structural Intelligence reports emitted by `guardian extract`
-    const siReports = await loadStructuralIntelligenceReports(layout.machineDir);
+    // ── Load snapshots: DB first, full re-extraction as fallback ──────────────
+    // When guardian.db exists (built by extract), load snapshots from the specs
+    // table instead of re-analysing the whole codebase. This is ~10× faster.
+    let architecture;
+    let ux;
+    let siReports;
+    const dbPath = path.join(outputRoot, DB_FILENAME);
+    let store = null;
+    try {
+        await fs.stat(dbPath);
+        store = new SqliteSpecsStore(outputRoot);
+        await store.init();
+    }
+    catch {
+        store = null;
+    }
+    try {
+        if (store) {
+            const archEntry = await store.readSpec("architecture.snapshot");
+            const uxEntry = await store.readSpec("ux.snapshot");
+            if (archEntry && uxEntry) {
+                console.log("[guardian] Loading snapshots from guardian.db");
+                architecture = yaml.load(archEntry.content);
+                ux = yaml.load(uxEntry.content);
+            }
+            else {
+                console.log("[guardian] Snapshots not in DB — extracting from codebase");
+                ({ architecture, ux } = await buildSnapshots({
+                    projectRoot: options.projectRoot,
+                    backendRoot: options.backendRoot,
+                    frontendRoot: options.frontendRoot,
+                    output: outputRoot,
+                    includeFileGraph: true,
+                    configPath: options.configPath
+                }));
+            }
+            // SI from module_metrics, fall back to file
+            const metricRows = store.readModuleMetrics();
+            if (metricRows.length > 0) {
+                siReports = metricRows.map(r => ({
+                    feature: r.module,
+                    structure: { nodes: r.nodes, edges: r.edges },
+                    metrics: { depth: 0, fanout_avg: 0, fanout_max: 0, density: 0, has_cycles: false },
+                    scores: { depth_score: 0, fanout_score: 0, density_score: 0, cycle_score: 0, query_score: 0 },
+                    confidence: { value: r.confidence, level: r.confidence_level },
+                    ambiguity: { level: "LOW" },
+                    classification: {
+                        depth_level: r.depth_level,
+                        propagation: r.propagation,
+                        compressible: r.compressible,
+                    },
+                    recommendation: {
+                        primary: { pattern: r.pattern, confidence: r.confidence },
+                        fallback: { pattern: "", condition: "" },
+                        avoid: [],
+                    },
+                    guardrails: { enforce_if_confidence_above: 0.7 },
+                    override: { allowed: true, requires_reason: true },
+                }));
+            }
+            else {
+                siReports = await loadStructuralIntelligenceReports(layout.machineDir);
+            }
+        }
+        else {
+            console.log("[guardian] No guardian.db found — extracting from codebase");
+            ({ architecture, ux } = await buildSnapshots({
+                projectRoot: options.projectRoot,
+                backendRoot: options.backendRoot,
+                frontendRoot: options.frontendRoot,
+                output: outputRoot,
+                includeFileGraph: true,
+                configPath: options.configPath
+            }));
+            siReports = await loadStructuralIntelligenceReports(layout.machineDir);
+        }
+    }
+    finally {
+        if (store)
+            await store.close();
+    }
     // If a --focus query is provided, prepend a real-time SI report for that query
     if (options.focus) {
         try {

package/dist/commands/init.js

@@ -13,32 +13,62 @@
  */
 import fs from "node:fs/promises";
 import path from "node:path";
+import { randomUUID } from "node:crypto";
 import { DEFAULT_SPECS_DIR } from "../config.js";
 const DEFAULT_CONFIG = {
     docs: {
         mode: "full",
     },
 };
+/**
+ * Hook script written to .claude/hooks/mcp-first.sh
+ *
+ * Blocks Read/Glob/Grep until a guardian MCP tool has been called in the
+ * current session. Session state lives in /tmp/guardian-used-<SESSION_ID>
+ * and is set by the PostToolUse hook (guardian-used.sh) below.
+ */
 const CLAUDE_CODE_HOOK_SCRIPT = `#!/bin/bash
-# Guardian MCP-first hook — ensures AI tools use Guardian MCP before reading source files.
-# Installed by: guardian init
+# Guardian MCP-first hook — blocks Read/Glob/Grep until guardian tools are used.
+# Installed by: guardian init  (v3 — session-scoped flag, no time drift)
 
 INPUT=$(cat)
-TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // "default"')
+FLAG="/tmp/guardian-used-\${SESSION_ID}"
 
-cat >&2 <<BLOCK
-BLOCKED: Use Guardian MCP tools before reading source files.
+# If guardian was called in this session, allow all file operations.
+if [ -f "$FLAG" ]; then
+  exit 0
+fi
+
+cat >&2 <<'BLOCK'
+BLOCKED: Use Guardian MCP tools before exploring source files.
 
-Use these MCP tools first:
-  - guardian_orient  — get codebase overview
-  - guardian_search  — find features by keyword
-  - guardian_context — deep dive into a specific area
+Call one of these first:
+  guardian_search("your query")  — find files/symbols/endpoints by keyword
+  guardian_grep("pattern")       — semantic grep (replaces Grep tool)
+  guardian_glob("src/auth/**")   — semantic file discovery (replaces Glob tool)
+  guardian_orient()              — get codebase overview
 
-Then you can read individual files as needed.
+File reads are unblocked automatically for the rest of this session.
 BLOCK
 
 exit 2
 `;
+/**
+ * Hook script written to .claude/hooks/guardian-used.sh
+ *
+ * Called by PostToolUse after any guardian_* tool. Sets the session flag
+ * that mcp-first.sh checks, unblocking subsequent Read/Glob/Grep calls.
+ */
+const GUARDIAN_USED_SCRIPT = `#!/bin/bash
+# Guardian PostToolUse hook — marks guardian as used for this session.
+# Installed by: guardian init
+
+INPUT=$(cat)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // "default"')
+touch "/tmp/guardian-used-\${SESSION_ID}"
+exit 0
+`;
 const HOOK_SCRIPT = `#!/bin/sh
 # guardian pre-commit hook — keeps architecture context fresh
 # Installed by: guardian init
@@ -80,6 +110,22 @@ export async function runInit(options) {
     else {
         console.log("  · guardian.config.json already exists");
     }
+    // 2b. Ensure project_id is present in guardian.config.json
+    try {
+        const raw = await fs.readFile(configPath, "utf8");
+        const cfg = JSON.parse(raw);
+        if (!cfg.project_id) {
+            cfg.project_id = randomUUID();
+            await fs.writeFile(configPath, JSON.stringify(cfg, null, 2) + "\n", "utf8");
+            console.log("  ✓ Added project_id to guardian.config.json");
+        }
+        else {
+            console.log("  · guardian.config.json already has project_id");
+        }
+    }
+    catch {
+        // Non-fatal — config may not be valid JSON yet
+    }
     // 3. Install pre-commit hook
     if (!options.skipHook) {
         const gitDir = path.join(root, ".git");
@@ -213,18 +259,13 @@ async function setupClaudeCodeHooks(root, specsDir) {
             try {
                 mcpConfig = JSON.parse(await fs.readFile(mcpJsonPath, "utf8"));
             }
-            catch {
-                // Corrupted — overwrite
-            }
+            catch { /* corrupted — overwrite */ }
         }
         if (!mcpConfig.mcpServers)
             mcpConfig.mcpServers = {};
         const servers = mcpConfig.mcpServers;
         if (!servers.guardian) {
-            servers.guardian = {
-                command: "guardian",
-                args: ["mcp-serve", "--specs", specsDir],
-            };
+            servers.guardian = { command: "guardian", args: ["mcp-serve", "--specs", specsDir] };
             await fs.writeFile(mcpJsonPath, JSON.stringify(mcpConfig, null, 2) + "\n", "utf8");
             console.log("  ✓ Created .mcp.json (MCP server config)");
         }
@@ -238,58 +279,49 @@ async function setupClaudeCodeHooks(root, specsDir) {
     const claudeDir = path.join(root, ".claude");
     const hooksDir = path.join(claudeDir, "hooks");
     const settingsPath = path.join(claudeDir, "settings.json");
-    const hookScriptPath = path.join(hooksDir, "mcp-first.sh");
+    const mcpFirstPath = path.join(hooksDir, "mcp-first.sh");
+    const guardianUsedPath = path.join(hooksDir, "guardian-used.sh");
     await fs.mkdir(hooksDir, { recursive: true });
-    // Write the hook script
-    if (!(await fileExists(hookScriptPath))) {
-        await fs.writeFile(hookScriptPath, CLAUDE_CODE_HOOK_SCRIPT, "utf8");
-        await fs.chmod(hookScriptPath, 0o755);
-        console.log("  ✓ Created Claude Code MCP-first hook (.claude/hooks/mcp-first.sh)");
-    }
-    else {
-        console.log("  · Claude Code hook already exists");
-    }
+    // Always overwrite hook scripts so they stay in sync with this version of guardian.
+    await fs.writeFile(mcpFirstPath, CLAUDE_CODE_HOOK_SCRIPT, "utf8");
+    await fs.chmod(mcpFirstPath, 0o755);
+    console.log("  ✓ Wrote .claude/hooks/mcp-first.sh (PreToolUse — blocks until guardian called)");
+    await fs.writeFile(guardianUsedPath, GUARDIAN_USED_SCRIPT, "utf8");
+    await fs.chmod(guardianUsedPath, 0o755);
+    console.log("  ✓ Wrote .claude/hooks/guardian-used.sh (PostToolUse — sets session flag)");
     // Write or merge .claude/settings.json
     let settings = {};
     if (await fileExists(settingsPath)) {
         try {
             settings = JSON.parse(await fs.readFile(settingsPath, "utf8"));
         }
-        catch {
-            // Corrupted file — overwrite
-        }
+        catch { /* corrupted — overwrite */ }
     }
-    // Add MCP server config
+    // MCP server registration
     if (!settings.mcpServers)
         settings.mcpServers = {};
-    const mcpServers = settings.mcpServers;
-    if (!mcpServers.guardian) {
-        mcpServers.guardian = {
-            command: "guardian",
-            args: ["mcp-serve", "--specs", specsDir],
-        };
-    }
-    // Add PreToolUse hook
-    const hookEntry = {
-        matcher: "Read|Glob|Grep",
-        hooks: [
+    settings.mcpServers.guardian = {
+        command: "guardian",
+        args: ["mcp-serve", "--specs", specsDir],
+    };
+    // Hooks — always overwrite to keep in sync with installed scripts.
+    settings.hooks = {
+        // PreToolUse: block Read/Glob/Grep until a guardian tool has been called.
+        // The script itself handles the session-flag check — no "if" filter needed here.
+        PreToolUse: [
+            {
+                matcher: "Read|Glob|Grep",
+                hooks: [{ type: "command", command: ".claude/hooks/mcp-first.sh" }],
+            },
+        ],
+        // PostToolUse: set the session flag after any guardian MCP tool call.
+        PostToolUse: [
             {
-                type: "command",
-                if: "Read(//*/src/*)|Glob(*src*)|Grep(*src*)",
-                command: '"$CLAUDE_PROJECT_DIR"/.claude/hooks/mcp-first.sh',
+                matcher: "mcp__guardian__guardian_search|mcp__guardian__guardian_orient|mcp__guardian__guardian_context|mcp__guardian__guardian_impact|mcp__guardian__guardian_grep|mcp__guardian__guardian_glob",
+                hooks: [{ type: "command", command: ".claude/hooks/guardian-used.sh" }],
             },
         ],
     };
-    if (!settings.hooks)
-        settings.hooks = {};
-    const hooks = settings.hooks;
-    if (!hooks.PreToolUse) {
-        hooks.PreToolUse = [hookEntry];
-        console.log("  ✓ Configured Claude Code PreToolUse hook in .claude/settings.json");
-    }
-    else {
-        console.log("  · Claude Code PreToolUse hook already configured");
-    }
     await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf8");
-    console.log("  ✓ Updated .claude/settings.json (MCP server + hooks)");
+    console.log("  ✓ Updated .claude/settings.json (MCP server + PreToolUse + PostToolUse hooks)");
 }

package/dist/commands/intel.js

@@ -13,6 +13,7 @@ import { writeCodebaseIntelligenceViaStore } from "../extract/codebase-intel.js"
 import { getOutputLayout } from "../output-layout.js";
 import { SqliteSpecsStore } from "../db/sqlite-specs-store.js";
 import { populateFTSIndex } from "../db/fts-builder.js";
+import { embedFunctions } from "../db/embeddings.js";
 export async function runIntel(options) {
     const specsDir = path.resolve(options.specs);
     const layout = getOutputLayout(specsDir);
@@ -49,6 +50,28 @@ export async function runIntel(options) {
                 catch { /* not generated yet — skip */ }
                 populateFTSIndex(store, intel, arch, funcIntel);
                 console.log(`Built FTS5 search index (${Object.keys(intel.api_registry ?? {}).length} endpoints indexed)`);
+                // Populate module_metrics from structural-intelligence.json (if present).
+                try {
+                    const siRaw = await (await import("node:fs/promises")).readFile((await import("node:path")).join(machineDir, "structural-intelligence.json"), "utf8");
+                    const siReports = JSON.parse(siRaw);
+                    if (Array.isArray(siReports) && siReports.length > 0) {
+                        store.rebuildModuleMetrics(siReports);
+                        console.log(`Indexed ${siReports.length} module metrics`);
+                    }
+                }
+                catch { /* structural-intelligence.json not generated yet — skip */ }
+                // Embed functions for semantic (vector) search.
+                // Uses local on-device model by default (no API key needed).
+                // If OPENAI_API_KEY is set, uses OpenAI text-embedding-3-small (better quality).
+                if (funcIntel?.functions?.length) {
+                    console.log(`[guardian embed] embedding ${funcIntel.functions.length} functions…`);
+                    try {
+                        await embedFunctions(store, funcIntel.functions, process.env.OPENAI_API_KEY);
+                    }
+                    catch (err) {
+                        console.warn(`[guardian embed] skipped: ${err.message}`);
+                    }
+                }
             }
             console.log(`Wrote guardian.db → ${layout.rootDir}`);
         }