npm - @wrongstack/core - Versions diffs - 0.1.8 → 0.1.9 - Mend

@wrongstack/core 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/defaults/index.d.ts +104 -1
package/dist/defaults/index.js +239 -3
package/dist/defaults/index.js.map +1 -1
package/dist/index.d.ts +5 -4
package/dist/index.js +240 -4
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/skills/audit-log/SKILL.md +67 -0
package/skills/bug-hunter/SKILL.md +87 -0
package/skills/refactor-planner/SKILL.md +94 -0
package/skills/security-scanner/SKILL.md +117 -0

package/dist/defaults/index.d.ts CHANGED Viewed

@@ -1062,6 +1062,55 @@ interface DirectorOptions {
      * `DEFAULT_SUBAGENT_BASELINE`). Pass an empty string to suppress.
      */
     subagentBaseline?: string;
+    /**
+     * Absolute path to a directory the fleet can use as a shared scratchpad
+     * (read + write by every subagent). When set, the director creates it on
+     * construction and `subagentSystemPrompt()` automatically injects a
+     * "Shared notes" block telling subagents where to drop their findings.
+     * This is the cheap fleet-coordination channel — agents don't need each
+     * other's transcripts, just each other's conclusions.
+     *
+     * Convention: under a fleet run rooted at `<sessionsRoot>/<runId>/`,
+     * pass `<sessionsRoot>/<runId>/shared/` here.
+     */
+    sharedScratchpadPath?: string;
+    /**
+     * Maximum number of spawns this director can perform across its
+     * lifetime. Default: unlimited. Acts as a hard fleet-wide cost cap —
+     * a runaway leader that keeps spawning workers gets cut off cleanly
+     * instead of burning provider tokens until the user kills the
+     * process. The N+1-th spawn call rejects with a `DirectorBudgetError`.
+     */
+    maxSpawns?: number;
+    /**
+     * Maximum nesting depth for spawns. The director constructed by the
+     * user is at depth `spawnDepth` (default 0); any subagent that itself
+     * acts as a director would construct its own `Director` with
+     * `spawnDepth: parent.spawnDepth + 1`. When `spawnDepth >= maxSpawnDepth`,
+     * `spawn()` rejects. Default: 2 (root director can spawn workers; a
+     * worker that becomes a sub-director cannot itself spawn further).
+     * This stops infinite recursive director chains from a hostile or
+     * confused prompt.
+     */
+    maxSpawnDepth?: number;
+    /**
+     * Current spawn-chain depth for this director instance. Defaults to 0.
+     * A nested director should pass `parent.spawnDepth + 1`. Together with
+     * `maxSpawnDepth` this bounds the chain.
+     */
+    spawnDepth?: number;
+}
+/**
+ * Thrown by `Director.spawn()` when a configured spawn cap (`maxSpawns`,
+ * `maxSpawnDepth`) is hit. Distinct error class so callers — including
+ * the `spawn_subagent` tool surface — can recognize the budget case and
+ * report it cleanly instead of treating it like an unexpected failure.
+ */
+declare class DirectorBudgetError extends Error {
+    readonly kind: 'max_spawns' | 'max_spawn_depth';
+    readonly limit: number;
+    readonly observed: number;
+    constructor(kind: 'max_spawns' | 'max_spawn_depth', limit: number, observed: number);
 }
 declare class Director {
     readonly id: string;
@@ -1097,6 +1146,19 @@ declare class Director {
     private readonly roster?;
     private readonly directorPreamble;
     private readonly subagentBaseline;
+    /** Absolute path to the fleet's shared scratchpad directory, or null
+     *  when none was configured. Exposed as a readonly getter for callers
+     *  that need to surface the path to the user (e.g. the CLI logging
+     *  the location after `--director` boots). */
+    readonly sharedScratchpadPath: string | null;
+    /** Spawn cap (lifetime total). Infinity means unlimited. */
+    readonly maxSpawns: number;
+    /** Nesting cap. The N-th director in a chain has `spawnDepth = N-1`. */
+    readonly maxSpawnDepth: number;
+    /** This director's position in a director chain. Root director = 0. */
+    readonly spawnDepth: number;
+    /** Live spawn counter for `maxSpawns` enforcement. */
+    private spawnCount;
     constructor(opts: DirectorOptions);
     /**
      * Spawn a subagent. Identical to the coordinator's `spawn()` but
@@ -1360,6 +1422,16 @@ interface SubagentPromptParts {
      *  but exposed here in case the factory wants it duplicated in the
      *  system prompt for reinforcement. */
     task?: string;
+    /**
+     * Absolute path to a shared scratchpad directory the whole fleet can
+     * read/write. When set, the composer adds a "Shared notes" block that
+     * tells the subagent where to drop findings and where to look for
+     * sibling output. This is the cheap fleet-coordination channel —
+     * agents don't need each other's transcripts, just each other's
+     * conclusions. Falls between `task` and `override` so the override
+     * can still narrow or replace it.
+     */
+    sharedScratchpad?: string;
     /** Final per-spawn override from `SubagentConfig.systemPromptOverride`.
      *  Added last so it wins on conflict — that's by design: the spawn site
      *  knows the most about what this specific subagent should do. */
@@ -1398,6 +1470,37 @@ declare function rosterSummaryFromConfigs(roster: Record<string, {
     role?: string;
 }>): string;
+/**
+ * Pre-built subagent role configurations for the WrongStack fleet.
+ * These can be passed to `MultiAgentHost.spawn()` or used as templates
+ * for the director's roster.
+ */
+/**
+ * Audit Log Agent — analyzes session logs, event streams, and traces.
+ * Use for: post-mortems, trend analysis, operational insights.
+ */
+declare const AUDIT_LOG_AGENT: SubagentConfig;
+/**
+ * Bug Hunter Agent — systematic bug and code smell detection.
+ * Use for: pre-refactoring health checks, code review, regression prevention.
+ */
+declare const BUG_HUNTER_AGENT: SubagentConfig;
+/**
+ * Refactor Planner Agent — structured refactoring planning.
+ * Use for: large rewrites, technical debt reduction, architecture improvements.
+ */
+declare const REFACTOR_PLANNER_AGENT: SubagentConfig;
+/**
+ * Security Scanner Agent — vulnerability and secret detection.
+ * Use for: CI checks, pre-release audits, dependency vulnerability scanning.
+ */
+declare const SECURITY_SCANNER_AGENT: SubagentConfig;
+/** All pre-built agents in a map for easy lookup by role. */
+declare const FLEET_ROSTER: Record<string, SubagentConfig>;
+/** Quick-access list for spawning all at once. */
+declare const ALL_FLEET_AGENTS: SubagentConfig[];
 type AutonomousResult = RunResult & {
     toolCalls: number;
     reason?: string;
@@ -2203,4 +2306,4 @@ declare const sentinelServer: () => MCPServerConfig;
 /** Everything bundled — full set of built-in servers. Useful for `wstack mcp add --all`. */
 declare const allServers: () => Record<string, MCPServerConfig>;
-export { type AbandonedSession, type AgentFactory, type AgentFactoryResult, type AgentRunnerOptions, type AttachmentStoreOptions, AutoCompactionMiddleware, AutonomousRunner, type AutonomousRunnerOptions, type CompactorOptions, type ConfigLoaderOptions, type ConfigMigration, ConfigMigrationError, type ConfigSource, type ContextManagerAction, type ContextManagerInput, type ContextManagerResult, type ContextManagerToolOptions, DEFAULT_CONFIG_MIGRATIONS, DEFAULT_DIRECTOR_PREAMBLE, DEFAULT_SUBAGENT_BASELINE, DefaultAttachmentStore, DefaultConfigLoader, DefaultConfigStore, DefaultErrorHandler, DefaultHealthRegistry, DefaultLogger, type DefaultLoggerOptions, DefaultMemoryStore, DefaultModeStore, DefaultModelsRegistry, type DefaultModelsRegistryOptions, DefaultMultiAgentCoordinator, DefaultPathResolver, DefaultPermissionPolicy, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultSessionStore, DefaultSkillLoader, DefaultTaskStore, DefaultTokenCounter, Director, type DirectorPromptParts, type DirectorSessionFactory, type DirectorSessionFactoryOptions, type DoneCheckResult, DoneConditionChecker, FleetBus, type FleetEvent, type FleetHandler, type FleetUsage, FleetUsageAggregator, type GeneratedTask, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, InMemoryMetricsSink, IntelligentCompactor, type IntelligentCompactorOptions, LLMSelector, type LLMSelectorOptions, type MemoryStoreOptions, type MetricsServerHandle, type MetricsServerOptions, type MigrationContext, type MigrationResult, type ModeLoaderOptions, type MultiAgentCoordinatorOptions, NoopMetricsSink, NoopTracer, OTelTracer, type OtlpMetricsExporterHandle, type OtlpMetricsExporterOptions, type OtlpTraceExporterHandle, type OtlpTraceExporterOptions, PROMETHEUS_CONTENT_TYPE, type PermissionPolicyOptions, type PersistedQueueItem, QueueStore, RecoveryLock, type RecoveryLockOptions, type SecretVaultOptions, SelectiveCompactor, type SelectiveCompactorOptions, type SessionStoreOptions, type SkillLoaderOptions, SpecDrivenDev, type SpecDrivenDevOptions, SpecParser, type SubagentPromptParts, type SubagentUsageSnapshot, TaskFlow, type TaskFlowEventMap, type TaskFlowEventName, type TaskFlowExecutionContext, type TaskFlowOptions, type TaskFlowPhase, TaskGenerator, type TaskGeneratorOptions, type TaskStore, TaskTracker, type TaskTrackerOptions, type TaskTransition, ToolExecutor, allServers, awsServer, blockServer, braveSearchServer, buildOtlpMetricsRequest, buildOtlpTracesRequest, classifyFamily, composeDirectorPrompt, composeSubagentPrompt, context7Server, contextManagerTool, createContextManagerTool, createMessage, decryptConfigSecrets, encryptConfigSecrets, everArtServer, filesystemServer, githubServer, googleMapsServer, loadProjectModes, loadUserModes, makeAgentSubagentRunner, makeDirectorSessionFactory, migratePlaintextSecrets, renderPrometheus, rewriteConfigEncrypted, rosterSummaryFromConfigs, runConfigMigrations, sentinelServer, slackServer, startMetricsServer, startOtlpMetricsExporter, startOtlpTraceExporter, wireMetricsToEvents };
+export { ALL_FLEET_AGENTS, AUDIT_LOG_AGENT, type AbandonedSession, type AgentFactory, type AgentFactoryResult, type AgentRunnerOptions, type AttachmentStoreOptions, AutoCompactionMiddleware, AutonomousRunner, type AutonomousRunnerOptions, BUG_HUNTER_AGENT, type CompactorOptions, type ConfigLoaderOptions, type ConfigMigration, ConfigMigrationError, type ConfigSource, type ContextManagerAction, type ContextManagerInput, type ContextManagerResult, type ContextManagerToolOptions, DEFAULT_CONFIG_MIGRATIONS, DEFAULT_DIRECTOR_PREAMBLE, DEFAULT_SUBAGENT_BASELINE, DefaultAttachmentStore, DefaultConfigLoader, DefaultConfigStore, DefaultErrorHandler, DefaultHealthRegistry, DefaultLogger, type DefaultLoggerOptions, DefaultMemoryStore, DefaultModeStore, DefaultModelsRegistry, type DefaultModelsRegistryOptions, DefaultMultiAgentCoordinator, DefaultPathResolver, DefaultPermissionPolicy, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultSessionStore, DefaultSkillLoader, DefaultTaskStore, DefaultTokenCounter, Director, DirectorBudgetError, type DirectorPromptParts, type DirectorSessionFactory, type DirectorSessionFactoryOptions, type DoneCheckResult, DoneConditionChecker, FLEET_ROSTER, FleetBus, type FleetEvent, type FleetHandler, type FleetUsage, FleetUsageAggregator, type GeneratedTask, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, InMemoryMetricsSink, IntelligentCompactor, type IntelligentCompactorOptions, LLMSelector, type LLMSelectorOptions, type MemoryStoreOptions, type MetricsServerHandle, type MetricsServerOptions, type MigrationContext, type MigrationResult, type ModeLoaderOptions, type MultiAgentCoordinatorOptions, NoopMetricsSink, NoopTracer, OTelTracer, type OtlpMetricsExporterHandle, type OtlpMetricsExporterOptions, type OtlpTraceExporterHandle, type OtlpTraceExporterOptions, PROMETHEUS_CONTENT_TYPE, type PermissionPolicyOptions, type PersistedQueueItem, QueueStore, REFACTOR_PLANNER_AGENT, RecoveryLock, type RecoveryLockOptions, SECURITY_SCANNER_AGENT, type SecretVaultOptions, SelectiveCompactor, type SelectiveCompactorOptions, type SessionStoreOptions, type SkillLoaderOptions, SpecDrivenDev, type SpecDrivenDevOptions, SpecParser, type SubagentPromptParts, type SubagentUsageSnapshot, TaskFlow, type TaskFlowEventMap, type TaskFlowEventName, type TaskFlowExecutionContext, type TaskFlowOptions, type TaskFlowPhase, TaskGenerator, type TaskGeneratorOptions, type TaskStore, TaskTracker, type TaskTrackerOptions, type TaskTransition, ToolExecutor, allServers, awsServer, blockServer, braveSearchServer, buildOtlpMetricsRequest, buildOtlpTracesRequest, classifyFamily, composeDirectorPrompt, composeSubagentPrompt, context7Server, contextManagerTool, createContextManagerTool, createMessage, decryptConfigSecrets, encryptConfigSecrets, everArtServer, filesystemServer, githubServer, googleMapsServer, loadProjectModes, loadUserModes, makeAgentSubagentRunner, makeDirectorSessionFactory, migratePlaintextSecrets, renderPrometheus, rewriteConfigEncrypted, rosterSummaryFromConfigs, runConfigMigrations, sentinelServer, slackServer, startMetricsServer, startOtlpMetricsExporter, startOtlpTraceExporter, wireMetricsToEvents };

package/dist/defaults/index.js CHANGED Viewed

@@ -4083,6 +4083,15 @@ ${parts.role.trim()}`);
     sections.push(`Task:
 ${parts.task.trim()}`);
   }
+  if (parts.sharedScratchpad && parts.sharedScratchpad.trim().length > 0) {
+    sections.push(
+      `Shared notes:
+A scratchpad shared with the rest of the fleet is mounted at \`${parts.sharedScratchpad.trim()}\`.
+- Write your final findings as markdown files there (e.g. \`findings.md\`, \`security.md\`).
+- Before starting, list the directory and read any sibling files relevant to your task \u2014 they may already contain context you can build on.
+- Use stable filenames (one file per concern); overwrite instead of appending so the Director sees the latest state.`
+    );
+  }
   if (parts.override && parts.override.trim().length > 0) {
     sections.push(parts.override.trim());
   }
@@ -4100,6 +4109,20 @@ function rosterSummaryFromConfigs(roster) {
 }
 // src/defaults/director.ts
+var DirectorBudgetError = class extends Error {
+  kind;
+  limit;
+  observed;
+  constructor(kind, limit, observed) {
+    super(
+      kind === "max_spawns" ? `Director spawn budget exceeded: tried to spawn #${observed} but maxSpawns is ${limit}` : `Director spawn depth budget exceeded: this director is at depth ${observed} and maxSpawnDepth is ${limit}`
+    );
+    this.name = "DirectorBudgetError";
+    this.kind = kind;
+    this.limit = limit;
+    this.observed = observed;
+  }
+};
 var Director = class {
   id;
   fleet;
@@ -4134,12 +4157,32 @@ var Director = class {
   roster;
   directorPreamble;
   subagentBaseline;
+  /** Absolute path to the fleet's shared scratchpad directory, or null
+   *  when none was configured. Exposed as a readonly getter for callers
+   *  that need to surface the path to the user (e.g. the CLI logging
+   *  the location after `--director` boots). */
+  sharedScratchpadPath;
+  /** Spawn cap (lifetime total). Infinity means unlimited. */
+  maxSpawns;
+  /** Nesting cap. The N-th director in a chain has `spawnDepth = N-1`. */
+  maxSpawnDepth;
+  /** This director's position in a director chain. Root director = 0. */
+  spawnDepth;
+  /** Live spawn counter for `maxSpawns` enforcement. */
+  spawnCount = 0;
   constructor(opts) {
     this.id = opts.config.coordinatorId || randomUUID();
     this.manifestPath = opts.manifestPath;
     this.roster = opts.roster;
     this.directorPreamble = opts.directorPreamble ?? DEFAULT_DIRECTOR_PREAMBLE;
     this.subagentBaseline = opts.subagentBaseline ?? DEFAULT_SUBAGENT_BASELINE;
+    this.sharedScratchpadPath = opts.sharedScratchpadPath ?? null;
+    this.maxSpawns = opts.maxSpawns ?? Infinity;
+    this.maxSpawnDepth = opts.maxSpawnDepth ?? 2;
+    this.spawnDepth = opts.spawnDepth ?? 0;
+    if (this.sharedScratchpadPath) {
+      void fsp.mkdir(this.sharedScratchpadPath, { recursive: true }).catch(() => void 0);
+    }
     this.transport = new InMemoryBridgeTransport();
     this.bridge = new InMemoryAgentBridge(
       { agentId: this.id, coordinatorId: this.id },
@@ -4175,6 +4218,13 @@ var Director = class {
    * it the `cost` column in `usage.snapshot()` stays at 0.
    */
   async spawn(config, priceLookup) {
+    if (this.spawnDepth >= this.maxSpawnDepth) {
+      throw new DirectorBudgetError("max_spawn_depth", this.maxSpawnDepth, this.spawnDepth);
+    }
+    if (this.spawnCount >= this.maxSpawns) {
+      throw new DirectorBudgetError("max_spawns", this.maxSpawns, this.spawnCount + 1);
+    }
+    this.spawnCount += 1;
     const result = await this.coordinator.spawn(config);
     this.subagentMeta.set(result.subagentId, {
       provider: config.provider,
@@ -4427,6 +4477,7 @@ var Director = class {
       baseline: this.subagentBaseline,
       role: config.prompt,
       task: taskBrief,
+      sharedScratchpad: this.sharedScratchpadPath ?? void 0,
       override: config.systemPromptOverride
     });
   }
@@ -4496,8 +4547,15 @@ function makeSpawnTool(director, roster) {
       if (typeof i.maxIterations === "number") cfg.maxIterations = i.maxIterations;
       if (typeof i.maxToolCalls === "number") cfg.maxToolCalls = i.maxToolCalls;
       if (typeof i.maxCostUsd === "number") cfg.maxCostUsd = i.maxCostUsd;
-      const subagentId = await director.spawn(cfg);
-      return { subagentId, provider: cfg.provider, model: cfg.model, name: cfg.name };
+      try {
+        const subagentId = await director.spawn(cfg);
+        return { subagentId, provider: cfg.provider, model: cfg.model, name: cfg.name };
+      } catch (err) {
+        if (err instanceof DirectorBudgetError) {
+          return { error: err.message, kind: err.kind, limit: err.limit, observed: err.observed };
+        }
+        return { error: err instanceof Error ? err.message : String(err) };
+      }
     }
   };
 }
@@ -4688,6 +4746,184 @@ function makeDirectorSessionFactory(opts) {
   };
 }
+// src/defaults/agents/fleet.ts
+var AUDIT_LOG_AGENT = {
+  id: "audit-log",
+  name: "Audit Log",
+  role: "audit-log",
+  prompt: `You are the Audit Log agent. Your job is to analyze structured JSONL
+session logs and produce actionable markdown reports.
+Scope:
+- Parse session logs (iteration counts, tool calls, errors, usage)
+- Detect repeated failure patterns across multiple runs
+- Identify tool usage anomalies (over-use, failures, unexpected chains)
+- Track token consumption trends
+- Generate structured audit reports with severity ratings
+Input format you accept:
+{ "task": "analyze | report | trends", "sessionPath": "<path>", "focus": "errors | tools | usage | all" }
+Output: Markdown audit report with sections:
+- ## Summary (totals, error rate)
+- ## Top Errors (count + context)
+- ## Tool Usage (table with calls, failures, avg duration)
+- ## Anomalies (pattern \u2192 severity)
+Working rules:
+- Never fabricate numbers \u2014 read the actual logs first
+- Always include file:line references for errors
+- If sessionPath is missing, ask the director to provide it
+- Report confidence level: high (>90% accuracy), medium, low`,
+  maxIterations: 50,
+  maxToolCalls: 200,
+  timeoutMs: 12e4
+};
+var BUG_HUNTER_AGENT = {
+  id: "bug-hunter",
+  name: "Bug Hunter",
+  role: "bug-hunter",
+  prompt: `You are the Bug Hunter agent. Your job is to systematically scan
+source code for bugs, anti-patterns, and code smells using pattern matching
+and heuristics. Output a prioritized hit list with file:line references.
+Scope:
+- Detect common bug patterns (uncaught errors, resource leaks, race conditions)
+- Identify anti-patterns (callback hell, God objects, circular deps)
+- Find TypeScript-specific issues (unsafe any, missing null checks, branded types)
+- Flag security-sensitive constructs (eval, innerHTML, hardcoded secrets)
+- Rank findings: critical > high > medium > low
+Input format you accept:
+{ "task": "scan | hunt | check", "paths": ["src/**/*.ts"], "focus": "bugs | patterns | security | all", "severityThreshold": "medium" }
+Output: Markdown bug hunt report:
+- ## Critical (must fix first)
+- ## High (should fix)
+- ## Medium
+- ## Low (consider)
+Each entry: **[TYPE]** \`file:line\` \u2014 description + suggested fix
+Bug pattern reference you know:
+| Pattern | Regex hint | Severity |
+|---------|------------|----------|
+| Uncaught promise | /.then\\(.*\\)/ without catch | high |
+| Event leak | on\\( without off/removeListener | high |
+| Hardcoded secret | [a-zA-Z0-9/_-]{20,} in config files | critical |
+| unsafe any | : any\\b or <any> | medium |
+| innerHTML | innerHTML\\s*= | high |
+Working rules:
+- Never scan node_modules \u2014 it's noise
+- Always include file:line for every finding
+- If >30% of findings are false positives, note the confidence level
+- Ask director for clarification if paths are ambiguous`,
+  maxIterations: 80,
+  maxToolCalls: 300,
+  timeoutMs: 18e4
+};
+var REFACTOR_PLANNER_AGENT = {
+  id: "refactor-planner",
+  name: "Refactor Planner",
+  role: "refactor-planner",
+  prompt: `You are the Refactor Planner agent. Your job is to analyze code
+structure and produce a concrete, phased refactoring plan with risk
+assessment, dependency ordering, and rollback strategy.
+Scope:
+- Map module-level dependencies (import graph)
+- Identify coupling hotspots (high fan-in/out modules)
+- Assess refactoring risk by complexity and test coverage
+- Generate phased plans with checkpoint milestones
+- Produce diff-friendly task lists (one task = one concern)
+Input format you accept:
+{ "task": "plan | assess | roadmap", "target": "src/core", "constraint": "no-breaking-changes | minimal-downtime | full-rewrite", "focus": "architecture | performance | maintainability" }
+Output: Markdown refactor plan:
+- ## Phase 1: Low Risk / High Payoff (do first)
+  Table: | # | Task | Module | Risk | Est. Time |
+- ## Phase 2: Medium Risk
+- ## Phase 3: High Risk (requires full regression)
+- ## Dependency Graph (abbreviated ASCII)
+- ## Rollback Strategy
+- ## Exit Criteria (checkbox list)
+Risk scoring criteria:
+| Factor | Low | Medium | High |
+|--------|-----|--------|------|
+| Cyclomatic complexity | <10 | 10-20 | >20 |
+| Test coverage | >80% | 50-80% | <50% |
+| Fan-out (imports) | <5 | 5-15 | >15 |
+Working rules:
+- Always include rollback strategy \u2014 every refactor can fail
+- Merge tasks that take <1h into a single phase
+- Respect team constraints (reviewer availability, parallelization)
+- Never plan without analyzing the actual code first`,
+  maxIterations: 60,
+  maxToolCalls: 250,
+  timeoutMs: 15e4
+};
+var SECURITY_SCANNER_AGENT = {
+  id: "security-scanner",
+  name: "Security Scanner",
+  role: "security-scanner",
+  prompt: `You are the Security Scanner agent. Your job is to scan code,
+configs, and dependencies for security issues from hardcoded secrets to
+supply chain risks.
+Scope:
+- Detect hardcoded secrets: API keys, tokens, passwords, private keys
+- Find injection vectors: eval, innerHTML, SQL concat, shell injection
+- Identify insecure patterns: weak crypto, hardcoded IVs, disabled TLS
+- Scan dependencies for known CVEs (via npm/pnpm audit)
+- Flag supply chain risks: postinstall hooks, unverified scripts, .npmrc
+Input format you accept:
+{ "task": "scan | audit | secrets | dependencies", "paths": ["src", "config"], "depth": "quick | normal | deep" }
+Output: Markdown security report:
+- ## CRITICAL: Secrets Found (with code snippets)
+- ## HIGH: Injection Vectors
+- ## MEDIUM: Insecure Patterns
+- ## Dependency Issues (CVE list)
+- ## Summary table (severity \u2192 count)
+- ## Remediation Checklist (with checkboxes)
+Secret patterns you detect:
+| Pattern | Example | Severity |
+|---------|---------|----------|
+| AWS Access Key | AKIAIOSFODNN7EXAMPLE | critical |
+| AWS Secret Key | [a-zA-Z0-9/+=]{40} base64 | critical |
+| GitHub Token | ghp_[a-zA-Z0-9]{36} | critical |
+| Private Key PEM | -----BEGIN.*PRIVATE KEY----- | critical |
+| JWT | eyJ[a-zA-Z0-9_-]+ | high |
+Injection patterns:
+| Construct | Safe alternative |
+|-----------|-----------------|
+| eval(str) | new Function() or parse |
+| innerHTML = x | textContent or sanitize |
+| exec(\`cmd \${x}\`) | execFile with args array |
+Working rules:
+- Never scan node_modules \u2014 use npm audit instead
+- Always provide remediation steps, not just findings
+- Verify regex-based secrets before flagging (false positive risk)
+- When in doubt, flag as medium rather than ignoring potential issues`,
+  maxIterations: 70,
+  maxToolCalls: 280,
+  timeoutMs: 16e4
+};
+var FLEET_ROSTER = {
+  "audit-log": AUDIT_LOG_AGENT,
+  "bug-hunter": BUG_HUNTER_AGENT,
+  "refactor-planner": REFACTOR_PLANNER_AGENT,
+  "security-scanner": SECURITY_SCANNER_AGENT
+};
+var ALL_FLEET_AGENTS = Object.values(FLEET_ROSTER);
 // src/defaults/autonomous-runner.ts
 var DoneConditionChecker = class {
   constructor(condition) {
@@ -7253,6 +7489,6 @@ var allServers = () => ({
   sentinel: { ...sentinelServer(), enabled: false }
 });
-export { AutoCompactionMiddleware, AutonomousRunner, BudgetExceededError, ConfigMigrationError, DEFAULT_CONFIG_MIGRATIONS, DEFAULT_DIRECTOR_PREAMBLE, DEFAULT_SUBAGENT_BASELINE, DefaultAttachmentStore, DefaultConfigLoader, DefaultConfigStore, DefaultErrorHandler, DefaultHealthRegistry, DefaultLogger, DefaultMemoryStore, DefaultModeStore, DefaultModelsRegistry, DefaultMultiAgentCoordinator, DefaultPathResolver, DefaultPermissionPolicy, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultSessionStore, DefaultSkillLoader, DefaultTaskStore, DefaultTokenCounter, Director, DoneConditionChecker, FleetBus, FleetUsageAggregator, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, InMemoryMetricsSink, IntelligentCompactor, LLMSelector, NoopMetricsSink, NoopTracer, OTelTracer, PROMETHEUS_CONTENT_TYPE, QueueStore, RecoveryLock, SelectiveCompactor, SpecDrivenDev, SpecParser, SubagentBudget, TaskFlow, TaskGenerator, TaskTracker, ToolExecutor, allServers, awsServer, blockServer, braveSearchServer, buildOtlpMetricsRequest, buildOtlpTracesRequest, classifyFamily, composeDirectorPrompt, composeSubagentPrompt, context7Server, contextManagerTool, createContextManagerTool, createMessage, decryptConfigSecrets, encryptConfigSecrets, everArtServer, filesystemServer, githubServer, googleMapsServer, loadProjectModes, loadUserModes, makeAgentSubagentRunner, makeDirectorSessionFactory, migratePlaintextSecrets, renderPrometheus, rewriteConfigEncrypted, rosterSummaryFromConfigs, runConfigMigrations, sentinelServer, slackServer, startMetricsServer, startOtlpMetricsExporter, startOtlpTraceExporter, wireMetricsToEvents };
+export { ALL_FLEET_AGENTS, AUDIT_LOG_AGENT, AutoCompactionMiddleware, AutonomousRunner, BUG_HUNTER_AGENT, BudgetExceededError, ConfigMigrationError, DEFAULT_CONFIG_MIGRATIONS, DEFAULT_DIRECTOR_PREAMBLE, DEFAULT_SUBAGENT_BASELINE, DefaultAttachmentStore, DefaultConfigLoader, DefaultConfigStore, DefaultErrorHandler, DefaultHealthRegistry, DefaultLogger, DefaultMemoryStore, DefaultModeStore, DefaultModelsRegistry, DefaultMultiAgentCoordinator, DefaultPathResolver, DefaultPermissionPolicy, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultSessionStore, DefaultSkillLoader, DefaultTaskStore, DefaultTokenCounter, Director, DirectorBudgetError, DoneConditionChecker, FLEET_ROSTER, FleetBus, FleetUsageAggregator, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, InMemoryMetricsSink, IntelligentCompactor, LLMSelector, NoopMetricsSink, NoopTracer, OTelTracer, PROMETHEUS_CONTENT_TYPE, QueueStore, REFACTOR_PLANNER_AGENT, RecoveryLock, SECURITY_SCANNER_AGENT, SelectiveCompactor, SpecDrivenDev, SpecParser, SubagentBudget, TaskFlow, TaskGenerator, TaskTracker, ToolExecutor, allServers, awsServer, blockServer, braveSearchServer, buildOtlpMetricsRequest, buildOtlpTracesRequest, classifyFamily, composeDirectorPrompt, composeSubagentPrompt, context7Server, contextManagerTool, createContextManagerTool, createMessage, decryptConfigSecrets, encryptConfigSecrets, everArtServer, filesystemServer, githubServer, googleMapsServer, loadProjectModes, loadUserModes, makeAgentSubagentRunner, makeDirectorSessionFactory, migratePlaintextSecrets, renderPrometheus, rewriteConfigEncrypted, rosterSummaryFromConfigs, runConfigMigrations, sentinelServer, slackServer, startMetricsServer, startOtlpMetricsExporter, startOtlpTraceExporter, wireMetricsToEvents };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map