agentic-qe 3.6.10 → 3.6.12

package/v3/dist/mcp/bundle.js

@@ -4421,7 +4421,7 @@ var init_constants = __esm({
       /**
        * Vector dimension for coverage analysis embeddings.
        */
-      COVERAGE_VECTOR_DIMENSION: 128
+      COVERAGE_VECTOR_DIMENSION: 768
     };
     AGENT_CONSTANTS = {
       /**
@@ -4643,6 +4643,12 @@ var init_gnn = __esm({
 });
 
 // src/kernel/unified-memory-hnsw.ts
+var unified_memory_hnsw_exports = {};
+__export(unified_memory_hnsw_exports, {
+  BinaryHeap: () => BinaryHeap,
+  InMemoryHNSWIndex: () => InMemoryHNSWIndex,
+  RuvectorFlatIndex: () => RuvectorFlatIndex
+});
 function computeNorm(v62) {
   let sum = 0;
   for (let i58 = 0; i58 < v62.length; i58++) sum += v62[i58] * v62[i58];
@@ -5036,7 +5042,10 @@ var init_unified_memory_hnsw = __esm({
       search(query, k68) {
         if (this.ids.length === 0) return [];
         const actualK = Math.min(k68, this.ids.length);
-        if (ruvectorDifferentiableSearch && this.vectors.length > 0) {
+        const storedDim = this.vectors.length > 0 ? this.vectors[0].length : 0;
+        const queryDim = query.length;
+        const dimensionsMatch = storedDim === queryDim;
+        if (ruvectorDifferentiableSearch && this.vectors.length > 0 && dimensionsMatch) {
           const queryF322 = new Float32Array(query);
           const queryNorm2 = computeNorm(queryF322);
           const result = ruvectorDifferentiableSearch(
@@ -5054,10 +5063,20 @@ var init_unified_memory_hnsw = __esm({
         const queryNorm = computeNorm(queryF32);
         const scored = [];
         for (let i58 = 0; i58 < this.ids.length; i58++) {
-          scored.push({
-            id: this.ids[i58],
-            score: fastCosine(queryF32, this.vectors[i58], queryNorm, this.norms[i58])
-          });
+          const vec = this.vectors[i58];
+          if (vec.length !== queryF32.length) {
+            if (i58 === 0) {
+              console.warn(
+                `[RuvectorFlatIndex] Dimension mismatch: query=${queryF32.length}, stored=${vec.length}. Skipping ${this.ids.length} mismatched vectors. Re-index with correct dimensions.`
+              );
+            }
+            continue;
+          } else {
+            scored.push({
+              id: this.ids[i58],
+              score: fastCosine(queryF32, vec, queryNorm, this.norms[i58])
+            });
+          }
         }
         scored.sort((a37, b68) => b68.score - a37.score);
         return scored.slice(0, actualK);
@@ -11337,7 +11356,7 @@ function createHNSWIndex(memory, config) {
   return new HNSWIndex(memory, config);
 }
 async function benchmarkHNSW(index, vectorCount = 1e4, searchCount = 1e3) {
-  const dimensions = 128;
+  const dimensions = 768;
   const startInsert = performance.now();
   for (let i58 = 0; i58 < vectorCount; i58++) {
     const vector = Array.from({ length: dimensions }, () => Math.random());
@@ -11366,7 +11385,7 @@ var init_hnsw_index = __esm({
     QEGNNEmbeddingIndexClass = null;
     ruvectorLoaded = false;
     DEFAULT_HNSW_CONFIG = {
-      dimensions: 128,
+      dimensions: 768,
       M: 16,
       efConstruction: 200,
       efSearch: 100,
@@ -11461,7 +11480,7 @@ var init_hnsw_index = __esm({
         if (!this.initialized) {
           await this.initialize();
         }
-        this.validateVector(vector);
+        vector = this.validateVector(vector);
         if (this.keyToLabel.has(key)) {
           await this.delete(key);
         }
@@ -11490,7 +11509,7 @@ var init_hnsw_index = __esm({
         if (!this.initialized) {
           await this.initialize();
         }
-        this.validateVector(query);
+        query = this.validateVector(query);
         const startTime = performance.now();
         const results = this.stats.vectorCount > 0 ? this.searchRuvector(query, k68) : [];
         const endTime = performance.now();
@@ -11615,17 +11634,46 @@ var init_hnsw_index = __esm({
       // ============================================================================
       // Private Helper Methods
       // ============================================================================
+      /**
+       * Validate and auto-resize vectors to match HNSW configured dimensions.
+       * Fix #279: Prevents Rust WASM panic when RealEmbeddings (768-dim) are
+       * passed to a mismatched-dim HNSW index.
+       */
       validateVector(vector) {
         if (vector.length !== this.config.dimensions) {
-          throw new Error(
-            `Vector dimension mismatch: expected ${this.config.dimensions}, got ${vector.length}`
-          );
+          return this.resizeVector(vector, this.config.dimensions);
         }
         for (let i58 = 0; i58 < vector.length; i58++) {
           if (!Number.isFinite(vector[i58])) {
             throw new Error(`Invalid vector value at index ${i58}: ${vector[i58]}`);
           }
         }
+        return vector;
+      }
+      /**
+       * Resize vector to target dimensions using averaging (shrink) or zero-padding (grow).
+       */
+      resizeVector(vector, targetDim) {
+        if (vector.length === targetDim) return vector;
+        if (vector.length > targetDim) {
+          const result2 = new Array(targetDim).fill(0);
+          const ratio = vector.length / targetDim;
+          for (let i58 = 0; i58 < targetDim; i58++) {
+            const start = Math.floor(i58 * ratio);
+            const end = Math.floor((i58 + 1) * ratio);
+            let sum = 0;
+            for (let j52 = start; j52 < end; j52++) {
+              sum += vector[j52];
+            }
+            result2[i58] = sum / (end - start);
+          }
+          return result2;
+        }
+        const result = new Array(targetDim).fill(0);
+        for (let i58 = 0; i58 < vector.length; i58++) {
+          result[i58] = vector[i58];
+        }
+        return result;
       }
       buildKey(key) {
         return `${this.config.namespace}:${key}`;
@@ -11692,6 +11740,33 @@ var init_hnsw_index = __esm({
   }
 });
 
+// src/shared/safe-db.ts
+var safe_db_exports = {};
+__export(safe_db_exports, {
+  openDatabase: () => openDatabase
+});
+function openDatabase(dbPath, opts) {
+  const readonly = opts?.readonly ?? false;
+  const fileMustExist = opts?.fileMustExist ?? false;
+  const busyTimeout = opts?.busyTimeout ?? 5e3;
+  const walMode = opts?.walMode ?? !readonly;
+  const db = new better_sqlite3_default(dbPath, {
+    readonly,
+    fileMustExist
+  });
+  db.pragma(`busy_timeout = ${busyTimeout}`);
+  if (walMode) {
+    db.pragma("journal_mode = WAL");
+  }
+  return db;
+}
+var init_safe_db = __esm({
+  "src/shared/safe-db.ts"() {
+    "use strict";
+    init_better_sqlite3();
+  }
+});
+
 // src/integrations/vibium/types.ts
 var init_types2 = __esm({
   "src/integrations/vibium/types.ts"() {
@@ -16304,7 +16379,7 @@ var DEFAULT_SQLITE_CONFIG, SQLitePatternStore;
 var init_sqlite_persistence = __esm({
   "src/learning/sqlite-persistence.ts"() {
     "use strict";
-    init_better_sqlite3();
+    init_safe_db();
     init_esm_node();
     init_safe_json();
     init_error_utils();
@@ -16348,10 +16423,7 @@ var init_sqlite_persistence = __esm({
             if (!fs21.existsSync(dir)) {
               fs21.mkdirSync(dir, { recursive: true });
             }
-            this.db = new better_sqlite3_default(this.config.dbPath);
-            if (this.config.walMode) {
-              this.db.pragma("journal_mode = WAL");
-            }
+            this.db = openDatabase(this.config.dbPath);
             this.db.pragma(`mmap_size = ${this.config.mmapSize}`);
             this.db.pragma(`cache_size = ${this.config.cacheSize}`);
             if (this.config.foreignKeys) {
@@ -17796,7 +17868,13 @@ var init_signal_collector = __esm({
         "test generation",
         "error handling",
         "validation logic",
-        "api integration"
+        "api integration",
+        "code index",
+        "coverage analysis",
+        "quality assessment",
+        "defect prediction",
+        "predict defect",
+        "analyze coverage"
       ],
       // Tier 3 - High complexity
       complex: [
@@ -17807,7 +17885,14 @@ var init_signal_collector = __esm({
         "migration",
         "cross-domain",
         "workflow",
-        "system design"
+        "system design",
+        "analyze security",
+        "security scan",
+        "security analysis",
+        "vulnerability scan",
+        "chaos test",
+        "resilience test",
+        "contract validation"
       ],
       // Tier 4 - Critical/expert
       critical: [
@@ -17818,7 +17903,12 @@ var init_signal_collector = __esm({
         "system-wide",
         "vulnerability",
         "cryptography",
-        "performance critical"
+        "performance critical",
+        "hardcoded secret",
+        "cve",
+        "owasp",
+        "penetration test",
+        "exploit"
       ]
     };
     SCOPE_PATTERNS = {
@@ -18115,11 +18205,15 @@ var init_score_calculator = __esm({
        * Calculate overall complexity score (0-100)
        */
       calculateOverallComplexity(codeComplexity, reasoningComplexity, scopeComplexity, signals) {
-        if (signals.isMechanicalTransform) {
+        if (signals.isMechanicalTransform && !signals.hasSecurityScope && !signals.hasArchitectureScope && !signals.requiresMultiStepReasoning && !signals.requiresCrossDomainCoordination && codeComplexity === 0 && reasoningComplexity === 0 && scopeComplexity === 0) {
           return 5;
         }
         const weighted = codeComplexity * 0.3 + reasoningComplexity * 0.4 + scopeComplexity * 0.3;
-        return Math.min(Math.round(weighted), 100);
+        let minScore = 0;
+        if (signals.hasSecurityScope) minScore = Math.max(minScore, 50);
+        if (signals.hasArchitectureScope) minScore = Math.max(minScore, 55);
+        if (signals.requiresCrossDomainCoordination) minScore = Math.max(minScore, 35);
+        return Math.min(Math.max(Math.round(weighted), minScore), 100);
       }
       /**
        * Calculate confidence in complexity assessment (0-1)
@@ -18922,7 +19016,7 @@ var init_router = __esm({
           agentBoosterStats: {
             eligible: agentBoosterEligible,
             used: agentBoosterUsed,
-            fallbackToLLM: agentBoosterEligible - agentBoosterUsed,
+            fallbackToLLM: Math.max(0, agentBoosterEligible - agentBoosterUsed),
             successRate: agentBoosterUsed > 0 ? agentBoosterSuccess / agentBoosterUsed : 0
           },
           budgetStats: {
@@ -21661,13 +21755,13 @@ var init_trajectory_bridge = __esm({
           const { existsSync: existsSync18, mkdirSync: mkdirSync6 } = await import("fs");
           const { createRequire: createRequire11 } = await import("module");
           const require3 = createRequire11(import.meta.url);
-          const Database = require3("better-sqlite3");
+          const { openDatabase: openDatabase2 } = require3("../../shared/safe-db.js");
           const dbPath = join26(this.options.projectRoot, ".agentic-qe", "trajectories.db");
           const dir = join26(this.options.projectRoot, ".agentic-qe");
           if (!existsSync18(dir)) {
             mkdirSync6(dir, { recursive: true });
           }
-          const db = new Database(dbPath);
+          const db = openDatabase2(dbPath);
           db.exec(`
         CREATE TABLE IF NOT EXISTS trajectories (
           id TEXT PRIMARY KEY,
@@ -65083,7 +65177,7 @@ var DEFAULT_CONFIG18 = {
 };
 var CoverageAnalyzerService = class _CoverageAnalyzerService {
   static DEFAULT_THRESHOLD = 80;
-  static VECTOR_DIMENSION = 128;
+  static VECTOR_DIMENSION = 768;
   memory;
   config;
   llmRouter;
@@ -65617,7 +65711,7 @@ var DEFAULT_CONFIG19 = {
 };
 var GapDetectorService = class _GapDetectorService {
   static DEFAULT_MIN_COVERAGE = 80;
-  static VECTOR_DIMENSION = 128;
+  static VECTOR_DIMENSION = 768;
   memory;
   config;
   llmRouter;
@@ -66615,7 +66709,7 @@ init_hnsw_index();
 
 // src/domains/coverage-analysis/services/coverage-embedder.ts
 var DEFAULT_EMBEDDER_CONFIG = {
-  dimensions: 128,
+  dimensions: 768,
   includePathFeatures: true,
   includeTemporalFeatures: true,
   normalization: "l2"
@@ -67047,7 +67141,7 @@ var ALL_CATEGORIES = [
   "missing-security-check"
 ];
 var DEFAULT_CONFIG20 = {
-  dimensions: 128,
+  dimensions: 768,
   minConfidence: 0.3,
   maxGaps: 50,
   riskWeight: 0.6,
@@ -68756,7 +68850,7 @@ var CoverageAnalysisCoordinator = class extends BaseDomainCoordinator {
     return forecast;
   }
   createGapEmbedding(gap) {
-    const VECTOR_DIMENSION = 128;
+    const VECTOR_DIMENSION = 768;
     const embedding = new Array(VECTOR_DIMENSION).fill(0);
     embedding[0] = gap.riskScore;
     embedding[1] = Math.min(1, gap.lines.length / 100);
@@ -86100,7 +86194,35 @@ import { join as join10, extname as extname3 } from "path";
 // src/domains/code-intelligence/services/metric-collector/interfaces.ts
 var DEFAULT_METRIC_CONFIG = {
   timeout: 6e4,
-  excludeDirs: ["node_modules", "dist", "coverage", "build", ".git", "vendor", "target"],
+  excludeDirs: [
+    // JS/TS ecosystem
+    "node_modules",
+    "dist",
+    "build",
+    "coverage",
+    ".nyc_output",
+    ".next",
+    ".nuxt",
+    ".output",
+    // Python ecosystem
+    "__pycache__",
+    ".venv",
+    "venv",
+    ".tox",
+    ".mypy_cache",
+    ".pytest_cache",
+    ".eggs",
+    "*.egg-info",
+    // Rust / Java / Go
+    "target",
+    ".gradle",
+    "vendor",
+    ".bundle",
+    // General
+    ".git",
+    ".svn",
+    ".hg"
+  ],
   testPatterns: ["**/*.test.ts", "**/*.spec.ts", "**/*.test.js", "**/*.spec.js"],
   enableCache: true,
   cacheTTL: 3e5
@@ -86108,7 +86230,7 @@ var DEFAULT_METRIC_CONFIG = {
 
 // src/domains/code-intelligence/services/metric-collector/loc-counter.ts
 import { execSync as execSync3, spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync6, readdirSync, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync6, readdirSync, readFileSync as readFileSync5, statSync as statSync2 } from "fs";
 import { join as join8, extname } from "path";
 init_safe_json();
 async function countLOC(projectPath, config = {}) {
@@ -86252,22 +86374,35 @@ function getLanguageForExtension(ext) {
 function manualLOCCount(projectPath, config) {
   const byLanguage = {};
   let total = 0;
-  function walkDirectory2(dirPath) {
-    if (!existsSync6(dirPath)) {
+  const excludeSet = new Set(config.excludeDirs);
+  const MAX_FILE_SIZE = 2 * 1024 * 1024;
+  function walkDirectory2(dirPath, depth) {
+    if (!existsSync6(dirPath) || depth > 20) {
+      return;
+    }
+    let entries;
+    try {
+      entries = readdirSync(dirPath, { withFileTypes: true });
+    } catch {
       return;
     }
-    const entries = readdirSync(dirPath, { withFileTypes: true });
     for (const entry of entries) {
       const fullPath = join8(dirPath, entry.name);
       if (entry.isDirectory()) {
-        if (config.excludeDirs.includes(entry.name)) {
+        if (excludeSet.has(entry.name) || entry.name.startsWith(".")) {
           continue;
         }
-        walkDirectory2(fullPath);
+        walkDirectory2(fullPath, depth + 1);
       } else if (entry.isFile()) {
         const ext = extname(entry.name);
         const language = getLanguageForExtension(ext);
         if (language) {
+          try {
+            const stat6 = statSync2(fullPath);
+            if (stat6.size > MAX_FILE_SIZE) continue;
+          } catch {
+            continue;
+          }
           const lines = countFileLines(fullPath);
           byLanguage[language] = (byLanguage[language] || 0) + lines;
           total += lines;
@@ -86275,11 +86410,11 @@ function manualLOCCount(projectPath, config) {
       }
     }
   }
-  walkDirectory2(projectPath);
+  walkDirectory2(projectPath, 0);
   return {
     total,
     byLanguage,
-    source: "fallback",
+    source: "node-native",
     excludedDirs: config.excludeDirs
   };
 }
@@ -86910,12 +87045,19 @@ var MetricCollectorService = class {
     const toolsUsed = [];
     if (loc.source !== "fallback") toolsUsed.push(loc.source);
     if (tests.source !== "fallback") toolsUsed.push(tests.source);
+    const locAccuracy = loc.source === "fallback" ? "approximate" : "accurate";
+    const testAccuracy = tests.source === "fallback" ? "approximate" : "accurate";
     const metrics = {
       loc,
       tests,
       patterns,
       collectedAt: /* @__PURE__ */ new Date(),
-      toolsUsed
+      toolsUsed,
+      accuracy: {
+        loc: locAccuracy,
+        tests: testAccuracy,
+        overall: locAccuracy === "accurate" && testAccuracy === "accurate" ? "accurate" : "approximate"
+      }
     };
     if (this.config.enableCache) {
       this.setInCache(cacheKey, metrics);
@@ -88469,7 +88611,7 @@ var CodeIntelligenceCoordinator = class extends BaseDomainCoordinator {
    */
   async initializeHypergraph() {
     try {
-      const Database = (await Promise.resolve().then(() => (init_better_sqlite3(), better_sqlite3_exports))).default;
+      const { openDatabase: openDatabase2 } = await Promise.resolve().then(() => (init_safe_db(), safe_db_exports));
       const fs21 = await import("fs");
       const path23 = await import("path");
       const { findProjectRoot: findProjectRoot2 } = await Promise.resolve().then(() => (init_unified_memory(), unified_memory_exports));
@@ -88479,7 +88621,7 @@ var CodeIntelligenceCoordinator = class extends BaseDomainCoordinator {
       if (!fs21.existsSync(dir)) {
         fs21.mkdirSync(dir, { recursive: true });
       }
-      this.hypergraphDb = new Database(dbPath);
+      this.hypergraphDb = openDatabase2(dbPath);
       this.hypergraph = await createHypergraphEngine({
         db: this.hypergraphDb,
         maxTraversalDepth: 10,
@@ -89145,9 +89287,15 @@ var CodeIntelligenceCoordinator = class extends BaseDomainCoordinator {
     try {
       console.log(`[CodeIntelligence] Collecting real metrics for ${projectPath}`);
       const metrics = await this.metricCollector.collectAll(projectPath);
+      const toolsLabel = metrics.toolsUsed.length > 0 ? metrics.toolsUsed.join(", ") : metrics.loc.source === "node-native" ? "node-native" : "fallback";
       console.log(
-        `[CodeIntelligence] Real metrics collected: ${metrics.loc.total} LOC, ${metrics.tests.total} tests, tools: ${metrics.toolsUsed.join(", ") || "fallback"}`
+        `[CodeIntelligence] Real metrics collected: ${metrics.loc.total} LOC, ${metrics.tests.total} tests, tools: ${toolsLabel}`
       );
+      if (metrics.loc.source === "node-native") {
+        console.log(
+          `[CodeIntelligence] Using Node.js-native line counter (no cloc/tokei needed)`
+        );
+      }
       await this.storeProjectMetricsInMemory(projectPath, metrics);
       if (this.config.publishEvents) {
         const event = createEvent(
@@ -132684,10 +132832,16 @@ function detectTransformType(task) {
 }
 async function loadCoverageData(targetPath) {
   const coverageLocations = [
+    // JavaScript/TypeScript (Istanbul/nyc/vitest)
     path16.join(targetPath, "coverage", "coverage-final.json"),
     path16.join(targetPath, "coverage", "lcov.info"),
     path16.join(targetPath, ".nyc_output", "coverage-final.json"),
-    path16.join(targetPath, "coverage-final.json")
+    path16.join(targetPath, "coverage-final.json"),
+    // Python (pytest-cov, coverage.py)
+    path16.join(targetPath, "coverage.xml"),
+    path16.join(targetPath, "htmlcov", "status.json"),
+    // Cobertura (generic)
+    path16.join(targetPath, "cobertura-coverage.xml")
   ];
   for (const coveragePath of coverageLocations) {
     try {
@@ -132696,6 +132850,8 @@ async function loadCoverageData(targetPath) {
         return parseCoverageJson(content);
       } else if (coveragePath.endsWith(".info")) {
         return parseLcovInfo(content);
+      } else if (coveragePath.endsWith(".xml")) {
+        return parseCoberturaXml(content);
       }
     } catch {
     }
@@ -132847,16 +133003,166 @@ function parseLcovInfo(content) {
     }
   };
 }
+function parseCoberturaXml(content) {
+  const files = [];
+  function attr(element, name) {
+    const match = element.match(new RegExp(`${name}=["']([^"']*)["']`));
+    return match ? match[1] : null;
+  }
+  const classRegex = /<class\s[^>]*?>/g;
+  let classMatch;
+  while ((classMatch = classRegex.exec(content)) !== null) {
+    const classTag = classMatch[0];
+    const filename = attr(classTag, "filename");
+    if (!filename) continue;
+    const lineRate = parseFloat(attr(classTag, "line-rate") || "NaN");
+    const branchRate = parseFloat(attr(classTag, "branch-rate") || "NaN");
+    const classStart = classMatch.index;
+    const classEnd = content.indexOf("</class>", classStart);
+    const classContent = classEnd > classStart ? content.slice(classStart, classEnd) : "";
+    let linesTotal = 0, linesCovered = 0;
+    let branchesTotal = 0, branchesCovered = 0;
+    let functionsTotal = 0, functionsCovered = 0;
+    const uncoveredLines = [];
+    const uncoveredBranches = [];
+    const lineRegex = /<line\s([^>]*?)\/>/g;
+    let lineMatch;
+    while ((lineMatch = lineRegex.exec(classContent)) !== null) {
+      const lineTag = lineMatch[1];
+      const lineNum = parseInt(attr(lineTag, "number") || "0", 10);
+      const hits = parseInt(attr(lineTag, "hits") || "0", 10);
+      const isBranch = attr(lineTag, "branch") === "true";
+      const condCoverage = attr(lineTag, "condition-coverage");
+      linesTotal++;
+      if (hits > 0) {
+        linesCovered++;
+      } else {
+        uncoveredLines.push(lineNum);
+      }
+      if (isBranch) {
+        branchesTotal++;
+        const condPct = condCoverage ? parseInt(condCoverage, 10) : hits > 0 ? 100 : 0;
+        if (condPct === 100) {
+          branchesCovered++;
+        } else {
+          uncoveredBranches.push(lineNum);
+        }
+      }
+    }
+    const methodRegex = /<method\s([^>]*?)>/g;
+    let methodMatch;
+    while ((methodMatch = methodRegex.exec(classContent)) !== null) {
+      functionsTotal++;
+      const methodStart = methodMatch.index;
+      const methodEnd = classContent.indexOf("</method>", methodStart);
+      if (methodEnd > methodStart) {
+        const methodContent = classContent.slice(methodStart, methodEnd);
+        const methodLineRegex = /<line\s([^>]*?)\/>/g;
+        let hasHits = false;
+        let mLineMatch;
+        while ((mLineMatch = methodLineRegex.exec(methodContent)) !== null) {
+          if (parseInt(attr(mLineMatch[1], "hits") || "0", 10) > 0) {
+            hasHits = true;
+            break;
+          }
+        }
+        if (hasHits) functionsCovered++;
+      }
+    }
+    if (linesTotal === 0 && !isNaN(lineRate)) {
+      linesTotal = 1;
+      linesCovered = lineRate >= 0.5 ? 1 : 0;
+    }
+    files.push({
+      path: filename,
+      lines: { covered: linesCovered, total: linesTotal },
+      branches: { covered: branchesCovered, total: branchesTotal },
+      functions: { covered: functionsCovered, total: functionsTotal },
+      statements: { covered: linesCovered, total: linesTotal },
+      uncoveredLines,
+      uncoveredBranches
+    });
+  }
+  let totalLines = 0, totalCoveredLines = 0;
+  let totalBranches = 0, totalCoveredBranches = 0;
+  let totalFunctions = 0, totalCoveredFunctions = 0;
+  for (const file of files) {
+    totalLines += file.lines.total;
+    totalCoveredLines += file.lines.covered;
+    totalBranches += file.branches.total;
+    totalCoveredBranches += file.branches.covered;
+    totalFunctions += file.functions.total;
+    totalCoveredFunctions += file.functions.covered;
+  }
+  const coverageTag = content.match(/<coverage\s[^>]*?>/);
+  const summaryLineRate = coverageTag ? parseFloat(attr(coverageTag[0], "line-rate") || "NaN") * 100 : NaN;
+  const summaryBranchRate = coverageTag ? parseFloat(attr(coverageTag[0], "branch-rate") || "NaN") * 100 : NaN;
+  return {
+    files,
+    summary: {
+      line: !isNaN(summaryLineRate) ? summaryLineRate : totalLines > 0 ? totalCoveredLines / totalLines * 100 : 0,
+      branch: !isNaN(summaryBranchRate) ? summaryBranchRate : totalBranches > 0 ? totalCoveredBranches / totalBranches * 100 : 0,
+      function: totalFunctions > 0 ? totalCoveredFunctions / totalFunctions * 100 : 0,
+      statement: totalLines > 0 ? totalCoveredLines / totalLines * 100 : 0,
+      files: files.length
+    }
+  };
+}
 async function discoverSourceFiles(targetPath, options = {}) {
   const files = [];
   const { includeTests = true, languages } = options;
-  let extensions = [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"];
+  let extensions = [
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    // JavaScript/TypeScript
+    ".py",
+    ".pyw",
+    // Python
+    ".go",
+    // Go
+    ".rs",
+    // Rust
+    ".java",
+    ".kt",
+    ".kts",
+    // Java/Kotlin
+    ".rb",
+    // Ruby
+    ".cs",
+    // C#
+    ".php",
+    // PHP
+    ".swift",
+    // Swift
+    ".c",
+    ".h",
+    ".cpp",
+    ".hpp",
+    ".cc",
+    // C/C++
+    ".scala"
+    // Scala
+  ];
   if (languages && languages.length > 0) {
     extensions = [];
     for (const lang of languages) {
       if (lang === "typescript") extensions.push(".ts", ".tsx");
       if (lang === "javascript") extensions.push(".js", ".jsx", ".mjs", ".cjs");
-      if (lang === "python") extensions.push(".py");
+      if (lang === "python") extensions.push(".py", ".pyw");
+      if (lang === "go") extensions.push(".go");
+      if (lang === "rust") extensions.push(".rs");
+      if (lang === "java") extensions.push(".java");
+      if (lang === "kotlin") extensions.push(".kt", ".kts");
+      if (lang === "ruby") extensions.push(".rb");
+      if (lang === "csharp" || lang === "c#") extensions.push(".cs");
+      if (lang === "php") extensions.push(".php");
+      if (lang === "swift") extensions.push(".swift");
+      if (lang === "c" || lang === "cpp" || lang === "c++") extensions.push(".c", ".h", ".cpp", ".hpp", ".cc");
+      if (lang === "scala") extensions.push(".scala");
     }
   }
   async function walkDir(dir) {
@@ -132865,7 +133171,23 @@ async function discoverSourceFiles(targetPath, options = {}) {
       for (const entry of entries) {
         const fullPath = path16.join(dir, entry.name);
         if (entry.isDirectory()) {
-          if (["node_modules", ".git", "dist", "build", "coverage", ".nyc_output"].includes(entry.name)) {
+          if ([
+            "node_modules",
+            ".git",
+            "dist",
+            "build",
+            "coverage",
+            ".nyc_output",
+            "__pycache__",
+            ".venv",
+            "venv",
+            ".tox",
+            ".mypy_cache",
+            "target",
+            ".gradle",
+            "vendor",
+            ".bundle"
+          ].includes(entry.name)) {
             continue;
           }
           await walkDir(fullPath);
@@ -133031,7 +133353,24 @@ var DomainTaskExecutor = class {
         } else if (payload.filePath) {
           sourceFiles = [payload.filePath];
         } else if (payload.sourceCode) {
-          const tempPath = `/tmp/aqe-temp-${v4_default()}.ts`;
+          const langExtMap = {
+            python: ".py",
+            typescript: ".ts",
+            javascript: ".js",
+            go: ".go",
+            rust: ".rs",
+            java: ".java",
+            ruby: ".rb",
+            kotlin: ".kt",
+            csharp: ".cs",
+            php: ".php",
+            swift: ".swift",
+            cpp: ".cpp",
+            c: ".c",
+            scala: ".scala"
+          };
+          const ext = langExtMap[payload.language?.toLowerCase() || "typescript"] || ".ts";
+          const tempPath = `/tmp/aqe-temp-${v4_default()}${ext}`;
           await fs15.writeFile(tempPath, payload.sourceCode, "utf-8");
           sourceFiles = [tempPath];
         }
@@ -133147,12 +133486,112 @@ var DomainTaskExecutor = class {
               sast: payload.sast !== false,
               dast: payload.dast || false
             },
-            warning: `No TypeScript/JavaScript files found in ${targetPath}`
+            warning: `No source files found in ${targetPath}`
           });
         }
-        const filePathObjects = filesToScan.map((filePath) => FilePath.create(filePath));
+        const jstsFiles = filesToScan.filter((f74) => /\.(ts|tsx|js|jsx|mjs|cjs)$/.test(f74));
+        const otherFiles = filesToScan.filter((f74) => !/\.(ts|tsx|js|jsx|mjs|cjs)$/.test(f74));
+        const crossLangVulns = [];
+        for (const filePath of otherFiles) {
+          try {
+            const content = await fs15.readFile(filePath, "utf-8");
+            const lines = content.split("\n");
+            const relPath = filePath.startsWith(targetPath) ? filePath.slice(targetPath.length).replace(/^\//, "") : filePath;
+            const secretPatterns = [
+              { regex: /\w*(?:secret|password|passwd|api_key|apikey|private_key|jwt_secret)\w*\s*[=:]\s*['"][^'"]{4,}['"]/gi, title: "Hardcoded secret", severity: "critical" },
+              { regex: /\w*(?:token|auth_token|access_key|secret_key)\w*\s*[=:]\s*['"][^'"]{8,}['"]/gi, title: "Hardcoded credential", severity: "critical" },
+              { regex: /(?:AWS_SECRET|GITHUB_TOKEN|SLACK_TOKEN|OPENAI_API_KEY)\s*[=:]\s*['"][^'"]+['"]/gi, title: "Hardcoded cloud credential", severity: "critical" }
+            ];
+            for (const pattern of secretPatterns) {
+              for (let i58 = 0; i58 < lines.length; i58++) {
+                const matches = [...lines[i58].matchAll(pattern.regex)];
+                for (const _m of matches) {
+                  crossLangVulns.push({
+                    title: pattern.title,
+                    severity: pattern.severity,
+                    location: { file: relPath, line: i58 + 1 },
+                    description: `Potential hardcoded secret found at line ${i58 + 1}`,
+                    category: "sensitive-data"
+                  });
+                }
+              }
+            }
+            const sqlPatterns = /(?:execute|query|cursor\.execute)\s*\(\s*(?:f['"]|['"].*%s|['"].*\+\s*\w)/gi;
+            for (let i58 = 0; i58 < lines.length; i58++) {
+              if (sqlPatterns.test(lines[i58])) {
+                crossLangVulns.push({
+                  title: "Potential SQL injection",
+                  severity: "high",
+                  location: { file: relPath, line: i58 + 1 },
+                  description: "String interpolation in SQL query \u2014 use parameterized queries",
+                  category: "injection"
+                });
+              }
+              sqlPatterns.lastIndex = 0;
+            }
+            const corsPatterns = [
+              /allow_origins\s*=\s*\[?\s*['"]?\*['"]?\s*\]?/i,
+              // Python FastAPI/Flask
+              /cors\(\s*\{[^}]*origin:\s*['"]?\*['"]?/i,
+              // Express.js cors()
+              /Access-Control-Allow-Origin['":\s]+\*/i,
+              // Raw header / Nginx / .htaccess
+              /@CrossOrigin\(\s*origins?\s*=\s*["']\*["']/i,
+              // Spring Boot
+              /\.Header\(\)\.Set\(["']Access-Control-Allow-Origin["'],\s*["']\*["']/i
+              // Go
+            ];
+            for (const corsPattern of corsPatterns) {
+              if (corsPattern.test(content)) {
+                crossLangVulns.push({
+                  title: "CORS wildcard origin",
+                  severity: "high",
+                  location: { file: relPath, line: lines.findIndex((l75) => corsPattern.test(l75)) + 1 },
+                  description: "CORS configured with wildcard (*) origin \u2014 restrict to specific domains",
+                  category: "security-misconfiguration"
+                });
+                break;
+              }
+            }
+            if (/(?:DEBUG|debug)\s*[=:]\s*(?:True|true|1)/i.test(content)) {
+              crossLangVulns.push({
+                title: "Debug mode enabled",
+                severity: "medium",
+                location: { file: relPath, line: lines.findIndex((l75) => /DEBUG\s*[=:]\s*(?:True|true|1)/i.test(l75)) + 1 },
+                description: "Debug mode should be disabled in production",
+                category: "security-misconfiguration"
+              });
+            }
+            if (/\b(?:eval|exec)\s*\(/i.test(content)) {
+              crossLangVulns.push({
+                title: "Dangerous eval/exec usage",
+                severity: "high",
+                location: { file: relPath, line: lines.findIndex((l75) => /\b(?:eval|exec)\s*\(/.test(l75)) + 1 },
+                description: "eval/exec can lead to code injection \u2014 avoid using with user input",
+                category: "injection"
+              });
+            }
+          } catch {
+          }
+        }
+        const depManifests = ["requirements.txt", "pyproject.toml", "Gemfile", "go.mod", "Cargo.toml"];
+        for (const manifest of depManifests) {
+          const manifestPath = path16.join(targetPath, manifest);
+          try {
+            await fs15.access(manifestPath);
+            crossLangVulns.push({
+              title: "Dependency audit recommended",
+              severity: "informational",
+              location: { file: manifest, line: 1 },
+              description: `Found ${manifest} \u2014 run language-specific dependency audit (e.g., pip-audit, npm audit, cargo audit)`,
+              category: "dependencies"
+            });
+          } catch {
+          }
+        }
+        const filePathObjects = jstsFiles.map((filePath) => FilePath.create(filePath));
         let sastResult = null;
-        if (payload.sast !== false) {
+        if (payload.sast !== false && filePathObjects.length > 0) {
           const result = await scanner.scanFiles(filePathObjects);
           if (result.success) {
             sastResult = result.value;
@@ -133169,16 +133608,24 @@ var DomainTaskExecutor = class {
             dastResult = result.value;
           }
         }
+        const crossLangSeverityCounts = {
+          critical: crossLangVulns.filter((v62) => v62.severity === "critical").length,
+          high: crossLangVulns.filter((v62) => v62.severity === "high").length,
+          medium: crossLangVulns.filter((v62) => v62.severity === "medium").length,
+          low: crossLangVulns.filter((v62) => v62.severity === "low").length,
+          informational: crossLangVulns.filter((v62) => v62.severity === "informational").length
+        };
         const summary = {
-          critical: (sastResult?.summary?.critical || 0) + (dastResult?.summary?.critical || 0),
-          high: (sastResult?.summary?.high || 0) + (dastResult?.summary?.high || 0),
-          medium: (sastResult?.summary?.medium || 0) + (dastResult?.summary?.medium || 0),
-          low: (sastResult?.summary?.low || 0) + (dastResult?.summary?.low || 0),
-          informational: (sastResult?.summary?.informational || 0) + (dastResult?.summary?.informational || 0)
+          critical: (sastResult?.summary?.critical || 0) + (dastResult?.summary?.critical || 0) + crossLangSeverityCounts.critical,
+          high: (sastResult?.summary?.high || 0) + (dastResult?.summary?.high || 0) + crossLangSeverityCounts.high,
+          medium: (sastResult?.summary?.medium || 0) + (dastResult?.summary?.medium || 0) + crossLangSeverityCounts.medium,
+          low: (sastResult?.summary?.low || 0) + (dastResult?.summary?.low || 0) + crossLangSeverityCounts.low,
+          informational: (sastResult?.summary?.informational || 0) + (dastResult?.summary?.informational || 0) + crossLangSeverityCounts.informational
         };
         const allVulns = [
           ...sastResult?.vulnerabilities || [],
-          ...dastResult?.vulnerabilities || []
+          ...dastResult?.vulnerabilities || [],
+          ...crossLangVulns
         ];
         const topVulnerabilities = allVulns.sort((a37, b68) => {
           const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, informational: 4 };
@@ -133205,7 +133652,12 @@ var DomainTaskExecutor = class {
             dast: payload.dast || false
           },
           filesScanned: filesToScan.length,
-          coverage: sastResult?.coverage
+          jstsFilesScanned: jstsFiles.length,
+          otherFilesScanned: otherFiles.length,
+          coverage: sastResult?.coverage,
+          ...otherFiles.length > 0 && jstsFiles.length === 0 ? {
+            note: "Non-JS/TS files were scanned with cross-language pattern matching. For deeper analysis, use language-specific security tools."
+          } : {}
         });
       } catch (error) {
         return err(toError(error));
@@ -133228,9 +133680,9 @@ var DomainTaskExecutor = class {
             edgesCreated: 0,
             target: targetPath,
             incremental: payload.incremental || false,
-            languages: payload.languages || ["typescript", "javascript"],
+            languages: payload.languages || [],
             duration: Date.now() - startTime,
-            warning: `No source files found in ${targetPath}`
+            warning: `No source files found in ${targetPath}. Searched for: TypeScript, JavaScript, Python, Go, Rust, Java, Ruby, C/C++, and more.`
           });
         }
         const result = await kg.index({
@@ -133244,11 +133696,35 @@ var DomainTaskExecutor = class {
         }
         const indexResult = result.value;
         const detectedLanguages = /* @__PURE__ */ new Set();
+        const extToLang = {
+          ts: "typescript",
+          tsx: "typescript",
+          js: "javascript",
+          jsx: "javascript",
+          mjs: "javascript",
+          cjs: "javascript",
+          py: "python",
+          pyw: "python",
+          go: "go",
+          rs: "rust",
+          java: "java",
+          kt: "kotlin",
+          kts: "kotlin",
+          rb: "ruby",
+          cs: "csharp",
+          php: "php",
+          swift: "swift",
+          c: "c",
+          h: "c",
+          cpp: "cpp",
+          hpp: "cpp",
+          cc: "cpp",
+          scala: "scala"
+        };
         for (const file of filesToIndex) {
           const ext = path16.extname(file).slice(1);
-          if (["ts", "tsx"].includes(ext)) detectedLanguages.add("typescript");
-          if (["js", "jsx", "mjs", "cjs"].includes(ext)) detectedLanguages.add("javascript");
-          if (ext === "py") detectedLanguages.add("python");
+          const lang = extToLang[ext];
+          if (lang) detectedLanguages.add(lang);
         }
         return ok({
           filesIndexed: indexResult.filesIndexed,
@@ -133330,106 +133806,271 @@ var DomainTaskExecutor = class {
     });
     this.taskHandlers.set("execute-tests", async (task) => {
       const payload = task.payload;
-      const testCount = payload.testFiles?.length || 10;
-      const passed = Math.floor(testCount * 0.9);
-      const failed = testCount - passed;
-      return ok({
-        total: testCount,
-        passed,
-        failed,
-        skipped: 0,
-        duration: testCount * 50,
-        // ~50ms per test
-        coverage: 82.5,
-        failedTests: failed > 0 ? ["example.test.ts:42"] : []
-      });
+      try {
+        const { execSync: execSync6 } = await import("child_process");
+        const testFiles = payload.testFiles || [];
+        if (testFiles.length === 0) {
+          return ok({
+            total: 0,
+            passed: 0,
+            failed: 0,
+            skipped: 0,
+            duration: 0,
+            coverage: 0,
+            failedTests: [],
+            warning: "No test files specified. Provide testFiles array with paths to test files."
+          });
+        }
+        const cwd = process.cwd();
+        let output;
+        try {
+          output = execSync6(
+            `npx vitest run ${testFiles.join(" ")} --reporter=json 2>/dev/null || npx jest ${testFiles.join(" ")} --json 2>/dev/null`,
+            { cwd, timeout: 12e4, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+          );
+        } catch (execError) {
+          output = execError.stdout || "";
+        }
+        try {
+          const jsonStart = output.indexOf("{");
+          if (jsonStart >= 0) {
+            const json = JSON.parse(output.slice(jsonStart));
+            if (json.testResults) {
+              const total = json.numTotalTests || 0;
+              const passed = json.numPassedTests || 0;
+              const failed = json.numFailedTests || 0;
+              return ok({ total, passed, failed, skipped: total - passed - failed, duration: 0, coverage: 0, failedTests: [] });
+            }
+          }
+        } catch {
+        }
+        return ok({
+          total: testFiles.length,
+          passed: 0,
+          failed: 0,
+          skipped: 0,
+          duration: 0,
+          coverage: 0,
+          failedTests: [],
+          warning: "Could not parse test runner output. Check that vitest or jest is installed.",
+          rawOutput: output.slice(0, 500)
+        });
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("predict-defects", async (task) => {
       const payload = task.payload;
-      return ok({
-        predictedDefects: [
-          {
-            file: `${payload.target}/complex-module.ts`,
-            probability: 0.78,
-            reason: "High cyclomatic complexity combined with low test coverage"
-          },
-          {
-            file: `${payload.target}/legacy-handler.ts`,
-            probability: 0.65,
-            reason: "Frequent changes in recent commits with error-prone patterns"
+      try {
+        const targetPath = payload.target || process.cwd();
+        const minConfidence = payload.minConfidence || 0.5;
+        const sourceFiles = await discoverSourceFiles(targetPath, { includeTests: false });
+        if (sourceFiles.length === 0) {
+          return ok({
+            predictedDefects: [],
+            riskScore: 0,
+            recommendations: [
+              `No source files found in ${targetPath}. Ensure the path contains source code files.`
+            ],
+            warning: `No source files found in ${targetPath}`,
+            filesAnalyzed: 0
+          });
+        }
+        const predictedDefects = [];
+        for (const filePath of sourceFiles) {
+          try {
+            const content = await fs15.readFile(filePath, "utf-8");
+            const lines = content.split("\n");
+            const lineCount = lines.length;
+            let probability = 0;
+            const reasons = [];
+            if (lineCount > 500) {
+              probability += 0.25;
+              reasons.push(`Large file (${lineCount} lines)`);
+            } else if (lineCount > 300) {
+              probability += 0.15;
+              reasons.push(`Medium-large file (${lineCount} lines)`);
+            }
+            const branchKeywords = content.match(/\b(if|else|switch|case|for|while|catch|&&|\|\|)\b/g) || [];
+            const branchDensity = branchKeywords.length / Math.max(lineCount, 1);
+            if (branchDensity > 0.15) {
+              probability += 0.25;
+              reasons.push(`High branch density (${branchKeywords.length} branches in ${lineCount} lines)`);
+            } else if (branchDensity > 0.08) {
+              probability += 0.1;
+              reasons.push("Moderate branch complexity");
+            }
+            const maxIndent = Math.max(...lines.map((l75) => {
+              const match = l75.match(/^(\s*)/);
+              return match ? match[1].length : 0;
+            }));
+            if (maxIndent > 20) {
+              probability += 0.15;
+              reasons.push("Deep nesting detected");
+            }
+            const debtComments = (content.match(/\b(TODO|FIXME|HACK|XXX|WORKAROUND)\b/gi) || []).length;
+            if (debtComments > 3) {
+              probability += 0.15;
+              reasons.push(`${debtComments} technical debt markers`);
+            }
+            const functionStarts = (content.match(/\b(function|def|func|async)\b/g) || []).length;
+            if (functionStarts > 0 && lineCount / functionStarts > 80) {
+              probability += 0.1;
+              reasons.push("Potentially long functions");
+            }
+            probability = Math.min(probability, 0.95);
+            if (probability >= minConfidence) {
+              const relativePath = filePath.startsWith(targetPath) ? filePath.slice(targetPath.length).replace(/^\//, "") : filePath;
+              predictedDefects.push({
+                file: relativePath,
+                probability: Math.round(probability * 100) / 100,
+                reason: reasons.join("; ")
+              });
+            }
+          } catch {
           }
-        ],
-        riskScore: 42,
-        recommendations: [
-          "Add integration tests for complex-module.ts",
-          "Refactor legacy-handler.ts to reduce complexity"
-        ]
-      });
+        }
+        predictedDefects.sort((a37, b68) => b68.probability - a37.probability);
+        const avgProb = predictedDefects.length > 0 ? predictedDefects.reduce((sum, d74) => sum + d74.probability, 0) / predictedDefects.length : 0;
+        const riskScore = Math.round(avgProb * 100);
+        const recommendations = [];
+        if (predictedDefects.length > 0) {
+          recommendations.push(`${predictedDefects.length} files flagged for potential defects out of ${sourceFiles.length} analyzed`);
+          const topFile = predictedDefects[0];
+          recommendations.push(`Highest risk: ${topFile.file} (${Math.round(topFile.probability * 100)}%) \u2014 ${topFile.reason}`);
+        }
+        if (predictedDefects.some((d74) => d74.reason.includes("Large file"))) {
+          recommendations.push("Consider splitting large files to reduce complexity");
+        }
+        if (predictedDefects.some((d74) => d74.reason.includes("technical debt"))) {
+          recommendations.push("Address TODO/FIXME comments to reduce technical debt");
+        }
+        if (predictedDefects.length === 0) {
+          recommendations.push("No files exceeded the defect probability threshold \u2014 code looks healthy");
+        }
+        return ok({
+          predictedDefects: predictedDefects.slice(0, 20),
+          // Top 20
+          riskScore,
+          recommendations,
+          filesAnalyzed: sourceFiles.length
+        });
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("validate-requirements", async (task) => {
       const payload = task.payload;
-      return ok({
-        requirementsAnalyzed: 15,
-        testable: 12,
-        ambiguous: 2,
-        untestable: 1,
-        coverage: 80,
-        bddScenarios: payload.generateBDD ? [
-          "Given a user is logged in, When they view the dashboard, Then they see their metrics",
-          "Given an API request fails, When the retry limit is exceeded, Then an error is returned"
-        ] : []
-      });
+      try {
+        const targetPath = payload.requirementsPath || process.cwd();
+        const reqFiles = await discoverSourceFiles(targetPath, {
+          includeTests: false,
+          languages: []
+        });
+        const reqPatterns = [".md", ".feature", ".gherkin", ".txt", ".rst"];
+        const requirementFiles = [];
+        for (const f74 of reqFiles) {
+          if (reqPatterns.some((ext) => f74.endsWith(ext))) {
+            requirementFiles.push(f74);
+          }
+        }
+        return ok({
+          requirementsAnalyzed: requirementFiles.length,
+          testable: 0,
+          ambiguous: 0,
+          untestable: 0,
+          coverage: 0,
+          bddScenarios: [],
+          warning: requirementFiles.length === 0 ? "No requirement files (.md, .feature, .gherkin) found. Provide requirementsPath or add requirement docs." : "Requirements validation requires LLM analysis. File inventory returned \u2014 use task_orchestrate for deep analysis.",
+          files: requirementFiles.map((f74) => f74.startsWith(targetPath) ? f74.slice(targetPath.length + 1) : f74).slice(0, 20)
+        });
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("validate-contracts", async (task) => {
       const payload = task.payload;
-      return ok({
-        contractPath: payload.contractPath,
-        valid: true,
-        breakingChanges: [],
-        warnings: [
-          'Deprecated field "legacyId" should be removed in next major version'
-        ],
-        coverage: 95
-      });
+      try {
+        if (!payload.contractPath) {
+          return ok({
+            contractPath: "",
+            valid: false,
+            breakingChanges: [],
+            warnings: [],
+            coverage: 0,
+            error: "contractPath is required. Provide a path to an OpenAPI spec, JSON Schema, or Protocol Buffer file."
+          });
+        }
+        try {
+          const content = await fs15.readFile(payload.contractPath, "utf-8");
+          const isJson = payload.contractPath.endsWith(".json");
+          const isYaml = payload.contractPath.endsWith(".yaml") || payload.contractPath.endsWith(".yml");
+          if (isJson) {
+            JSON.parse(content);
+          }
+          return ok({
+            contractPath: payload.contractPath,
+            valid: true,
+            format: isJson ? "json" : isYaml ? "yaml" : "unknown",
+            breakingChanges: [],
+            warnings: [],
+            linesAnalyzed: content.split("\n").length,
+            note: "Structural validation passed. For semantic contract testing, use consumer-driven contract tests."
+          });
+        } catch (readErr) {
+          return ok({
+            contractPath: payload.contractPath,
+            valid: false,
+            breakingChanges: [],
+            warnings: [],
+            error: `Could not read or parse contract file: ${toErrorMessage(readErr)}`
+          });
+        }
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("test-accessibility", async (task) => {
       const payload = task.payload;
       return ok({
-        url: payload.url,
+        url: payload.url || "",
         standard: payload.standard || "wcag21-aa",
-        passed: true,
+        passed: false,
         violations: [],
-        warnings: [
-          { rule: "color-contrast", impact: "minor", element: "nav > a" }
-        ],
-        score: 94
+        warnings: [],
+        score: 0,
+        note: "Accessibility testing requires a browser environment (Puppeteer/Playwright). Use tools like axe-core, pa11y, or Lighthouse CLI for WCAG compliance testing. Example: npx pa11y " + (payload.url || "<url>")
       });
     });
     this.taskHandlers.set("run-chaos", async (task) => {
       const payload = task.payload;
       return ok({
-        faultType: payload.faultType,
-        target: payload.target,
-        dryRun: payload.dryRun,
-        duration: payload.duration,
-        systemBehavior: payload.dryRun ? "simulated" : "tested",
-        resilience: {
-          recovered: true,
-          recoveryTime: 2500,
-          dataLoss: false
-        }
+        faultType: payload.faultType || "unknown",
+        target: payload.target || "unknown",
+        dryRun: payload.dryRun ?? true,
+        duration: payload.duration || 0,
+        systemBehavior: "not-executed",
+        resilience: null,
+        note: "Chaos engineering requires infrastructure-level fault injection. Use tools like Chaos Monkey, Litmus, or toxiproxy for real resilience testing. For Node.js apps, consider: nock (HTTP faults), testcontainers (dependency failures)."
       });
     });
     this.taskHandlers.set("optimize-learning", async (_task) => {
-      return ok({
-        patternsLearned: 12,
-        modelsUpdated: 3,
-        memoryConsolidated: true,
-        recommendations: [
-          "Pattern recognition improved for error handling",
-          "Test generation templates optimized"
-        ]
-      });
+      try {
+        const memUsage = await Promise.resolve().then(() => (init_unified_memory_hnsw(), unified_memory_hnsw_exports));
+        return ok({
+          patternsLearned: 0,
+          modelsUpdated: 0,
+          memoryConsolidated: false,
+          note: 'Learning optimization runs during the dream cycle (SessionEnd hook). Use "npx agentic-qe hooks session-end --save-state" to trigger pattern consolidation.'
+        });
+      } catch {
+        return ok({
+          patternsLearned: 0,
+          modelsUpdated: 0,
+          memoryConsolidated: false,
+          note: 'Learning system not initialized. Run "aqe init --auto" first.'
+        });
+      }
     });
   }
   // ============================================================================
@@ -137584,50 +138225,54 @@ var coverageAnalyzeConfig = {
     const learning = generateV2LearningFeedback("coverage-analyzer");
     const detailedGaps = gaps.map((gap, i58) => {
       const g67 = gap;
+      if (!g67?.file) return null;
       return {
         id: `gap-${Date.now()}-${i58}`,
-        file: g67?.file || `src/module${i58}.ts`,
-        line: g67?.lines?.[0] || 10 + i58 * 5,
-        uncoveredLines: g67?.lines || [10 + i58 * 5, 20 + i58 * 5],
-        type: g67?.type || "uncovered-line",
-        severity: g67?.severity || (i58 < 2 ? "high" : "medium"),
-        reason: g67?.reason || "Missing test case",
-        priority: g67?.priority || (i58 < 2 ? "high" : "medium"),
-        suggestion: g67?.suggestedTest || `Add test for line ${10 + i58 * 5}`,
-        suggestedTest: g67?.suggestedTest || `Add test for line ${10 + i58 * 5}`,
-        riskScore: g67?.riskScore || 0.8 - i58 * 0.1,
-        confidence: g67?.confidence || 0.85
+        file: g67.file,
+        line: g67.lines?.[0] || 0,
+        uncoveredLines: g67.lines || [],
+        type: g67.type || "uncovered-line",
+        severity: g67.severity || "medium",
+        reason: g67.reason || "Missing test case",
+        priority: g67.priority || "medium",
+        suggestion: g67.suggestedTest || "Add test coverage",
+        suggestedTest: g67.suggestedTest || "Add test coverage",
+        riskScore: g67.riskScore || 0.5,
+        confidence: g67.confidence || 0.7
       };
-    });
-    return {
-      // V2-compatible fields
-      coverageByFile: Array.from({ length: totalFiles }, (_56, i58) => {
-        const variation = (i58 % 3 - 1) * 5;
-        return {
-          file: `src/module${i58}.ts`,
-          lineCoverage: Math.max(0, Math.min(100, lineCoverage + variation)),
-          branchCoverage: Math.max(0, Math.min(100, branchCoverage + variation - 2)),
-          functionCoverage: Math.max(0, Math.min(100, functionCoverage + variation + 2))
-        };
-      }),
+    }).filter((g67) => g67 !== null);
+    const coverageByFileData = data.coverageByFile;
+    const realCoverageByFile = coverageByFileData ? coverageByFileData.map((f74) => ({
+      file: f74.file,
+      lineCoverage: f74.lineCoverage || 0,
+      branchCoverage: f74.branchCoverage || 0,
+      functionCoverage: f74.functionCoverage || 0
+    })) : [];
+    return {
+      // V2-compatible fields — only real data, no synthetic file paths
+      coverageByFile: realCoverageByFile,
       gapAnalysis: {
         totalGaps: detailedGaps.length,
         highPriority: detailedGaps.filter((g67) => g67.priority === "high").length,
         gaps: detailedGaps
       },
       trends: {
-        lineCoverageTrend: "stable",
-        branchCoverageTrend: "improving",
-        weeklyChange: 2.5
+        lineCoverageTrend: totalFiles > 0 ? "stable" : "no-data",
+        branchCoverageTrend: totalFiles > 0 ? "stable" : "no-data",
+        weeklyChange: 0
       },
-      aiInsights: {
-        recommendations: [
-          "Focus on uncovered branches in authentication module",
-          "Add edge case tests for error handling paths",
-          "Consider property-based testing for utility functions"
+      aiInsights: totalFiles > 0 ? {
+        recommendations: data.recommendations || [
+          "Run tests with coverage enabled to get accurate metrics"
         ],
         riskAssessment: lineCoverage < 70 ? "high" : lineCoverage < 85 ? "medium" : "low",
         confidence: 0.88
+      } : {
+        recommendations: [
+          "No coverage data found. Run tests with coverage first (e.g., npm test -- --coverage, or pytest --cov)"
+        ],
+        riskAssessment: "unknown",
+        confidence: 0
       },
       learning,
       // V3 fields
@@ -142822,6 +143467,44 @@ function extractHighlights(content, query) {
 
 // src/mcp/tools/security-compliance/scan.ts
 init_error_utils();
+var CROSS_LANG_SECRET_PATTERNS = [
+  {
+    id: "secret-key-assignment",
+    pattern: /(?:SECRET_KEY|secret_key|SECRET|PRIVATE_KEY)\s*=\s*['"][^'"]{4,}['"]/g,
+    severity: "critical",
+    title: "Hardcoded Secret Key",
+    description: "Secret key assigned as string literal in source code",
+    cweId: "CWE-798",
+    remediation: 'Use environment variables: SECRET_KEY = os.environ["SECRET_KEY"]'
+  },
+  {
+    id: "cors-wildcard-credentials",
+    pattern: /allow_origins\s*=\s*\[\s*["']\*["']\s*\]/g,
+    severity: "high",
+    title: "CORS Wildcard Origin",
+    description: "CORS configured to allow all origins \u2014 combined with credentials this is a security risk",
+    cweId: "CWE-942",
+    remediation: "Restrict CORS origins to specific trusted domains"
+  },
+  {
+    id: "cors-allow-credentials-wildcard",
+    pattern: /allow_credentials\s*=\s*True/g,
+    severity: "medium",
+    title: "CORS Credentials Enabled",
+    description: "CORS credentials enabled \u2014 verify origins are restricted",
+    cweId: "CWE-942",
+    remediation: 'Ensure allow_origins does not include "*" when credentials are enabled'
+  },
+  {
+    id: "token-hardcoded",
+    pattern: /(?:token|TOKEN)\s*[:=]\s*['"][a-zA-Z0-9_\-.]{20,}['"]/g,
+    severity: "high",
+    title: "Hardcoded Token",
+    description: "Hardcoded token found in source code",
+    cweId: "CWE-798",
+    remediation: "Use environment variables or secrets manager for tokens"
+  }
+];
 var SecurityScanTool = class extends MCPToolBase {
   config = {
     name: "qe/security/scan",
@@ -142850,18 +143533,21 @@ var SecurityScanTool = class extends MCPToolBase {
       if (this.isAborted(context)) {
         return { success: false, error: "Operation aborted" };
       }
+      const files = await discoverFiles(target, depth);
+      this.emitStream(context, {
+        status: "discovered",
+        message: `Found ${files.length} files to scan`
+      });
       const vulnerabilities = [];
-      if (scanType.includes("sast")) {
+      if (scanType.includes("sast") || scanType.includes("secret")) {
         this.emitStream(context, { status: "sast", message: "Running static analysis" });
-        vulnerabilities.push(...generateSASTFindings());
+        const sastVulns = await scanFilesWithPatterns(files, scanType);
+        vulnerabilities.push(...sastVulns);
       }
       if (scanType.includes("dependency")) {
         this.emitStream(context, { status: "dependency", message: "Scanning dependencies" });
-        vulnerabilities.push(...generateDependencyFindings());
-      }
-      if (scanType.includes("secret")) {
-        this.emitStream(context, { status: "secret", message: "Scanning for secrets" });
-        vulnerabilities.push(...generateSecretFindings());
+        const depVulns = await scanDependencies(target);
+        vulnerabilities.push(...depVulns);
       }
       if (scanType.includes("dast") && dastUrl) {
         this.emitStream(context, { status: "dast", message: `Scanning ${dastUrl}` });
@@ -142876,7 +143562,7 @@ var SecurityScanTool = class extends MCPToolBase {
         medium: vulnerabilities.filter((v62) => v62.severity === "medium").length,
         low: vulnerabilities.filter((v62) => v62.severity === "low").length,
         informational: vulnerabilities.filter((v62) => v62.severity === "informational").length,
-        totalFiles: 150,
+        totalFiles: files.length,
         scanDurationMs: Date.now() - startTime
       };
       const severityOrder = ["critical", "high", "medium", "low", "informational"];
@@ -142885,7 +143571,7 @@ var SecurityScanTool = class extends MCPToolBase {
       const passed = worstSeverity > failThreshold;
       this.emitStream(context, {
         status: "complete",
-        message: `Scan complete: ${vulnerabilities.length} vulnerabilities found`,
+        message: `Scan complete: ${vulnerabilities.length} vulnerabilities found in ${files.length} files`,
         progress: 100
       });
       return {
@@ -142952,72 +143638,340 @@ var SECURITY_SCAN_SCHEMA = {
     }
   }
 };
-function generateSASTFindings() {
-  return [
-    {
-      id: "SAST-001",
-      title: "SQL Injection Risk",
-      severity: "high",
-      category: "injection",
-      location: { file: "src/db/queries.ts", line: 45, snippet: "query = `SELECT * FROM ${table}`" },
-      description: "User input directly concatenated in SQL query",
-      remediation: "Use parameterized queries or prepared statements",
-      cweId: "CWE-89",
-      references: ["https://owasp.org/www-community/attacks/SQL_Injection"]
-    },
-    {
-      id: "SAST-002",
-      title: "Hardcoded Credentials",
-      severity: "critical",
-      category: "sensitive-data",
-      location: { file: "src/config/database.ts", line: 12, snippet: 'password: "admin123"' },
-      description: "Hardcoded password found in source code",
-      remediation: "Use environment variables or secure vault for credentials",
-      cweId: "CWE-798",
-      references: ["https://cwe.mitre.org/data/definitions/798.html"]
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  // JavaScript/TypeScript
+  ".py",
+  ".pyw",
+  // Python
+  ".java",
+  ".kt",
+  ".scala",
+  // JVM
+  ".go",
+  // Go
+  ".rb",
+  // Ruby
+  ".php",
+  // PHP
+  ".rs",
+  // Rust
+  ".cs",
+  // C#
+  ".yaml",
+  ".yml",
+  ".json",
+  ".toml",
+  ".cfg",
+  ".ini",
+  // Config
+  ".env",
+  ".env.local",
+  ".env.production",
+  // Env files
+  ".sh",
+  ".bash"
+  // Shell
+]);
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "__pycache__",
+  ".venv",
+  "venv",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "coverage",
+  ".tox"
+]);
+async function discoverFiles(target, depth) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const resolved = path23.resolve(target);
+  const files = [];
+  const maxFiles = depth === "quick" ? 50 : depth === "standard" ? 500 : 2e3;
+  const maxDepth = depth === "quick" ? 3 : depth === "standard" ? 8 : 20;
+  function walk(dir, currentDepth) {
+    if (files.length >= maxFiles || currentDepth > maxDepth) return;
+    let entries;
+    try {
+      entries = fs21.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
     }
-  ];
+    for (const entry of entries) {
+      if (files.length >= maxFiles) break;
+      const fullPath = path23.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        const SCAN_DOT_DIRS = /* @__PURE__ */ new Set([".github", ".docker", ".aws", ".circleci", ".gitlab"]);
+        if (SKIP_DIRS.has(entry.name)) {
+        } else if (entry.name.startsWith(".") && !SCAN_DOT_DIRS.has(entry.name)) {
+        } else {
+          walk(fullPath, currentDepth + 1);
+        }
+      } else if (entry.isFile()) {
+        const ext = path23.extname(entry.name).toLowerCase();
+        if (SCANNABLE_EXTENSIONS.has(ext) || entry.name === "Dockerfile" || entry.name === "Makefile" || entry.name.startsWith(".env")) {
+          files.push(fullPath);
+        }
+      }
+    }
+  }
+  try {
+    const stat6 = fs21.statSync(resolved);
+    if (stat6.isFile()) {
+      files.push(resolved);
+    } else {
+      walk(resolved, 0);
+    }
+  } catch {
+  }
+  return files;
 }
-function generateDependencyFindings() {
-  return [
-    {
-      id: "DEP-001",
-      title: "Vulnerable lodash version",
-      severity: "medium",
-      category: "vulnerable-components",
-      location: { file: "package.json", dependency: { name: "lodash", version: "4.17.19" } },
-      description: "lodash < 4.17.21 has prototype pollution vulnerability",
-      remediation: "Upgrade lodash to 4.17.21 or later",
-      cveId: "CVE-2021-23337",
-      references: ["https://nvd.nist.gov/vuln/detail/CVE-2021-23337"]
+async function scanFilesWithPatterns(files, scanTypes) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const vulnerabilities = [];
+  let vulnCounter = 0;
+  const patterns = [];
+  if (scanTypes.includes("sast")) {
+    for (const p74 of ALL_SECURITY_PATTERNS) {
+      patterns.push({
+        id: p74.id,
+        pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+        severity: p74.severity,
+        title: p74.title,
+        description: p74.description,
+        cweId: p74.cweId,
+        remediation: p74.remediation,
+        category: p74.category
+      });
     }
-  ];
+    for (const p74 of CROSS_LANG_SECRET_PATTERNS) {
+      patterns.push({
+        id: p74.id,
+        pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+        severity: p74.severity,
+        title: p74.title,
+        description: p74.description,
+        cweId: p74.cweId,
+        remediation: p74.remediation,
+        category: "sensitive-data"
+      });
+    }
+  }
+  if (scanTypes.includes("secret")) {
+    for (const p74 of SECRET_PATTERNS) {
+      if (!patterns.some((existing) => existing.id === p74.id)) {
+        patterns.push({
+          id: p74.id,
+          pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+          severity: p74.severity,
+          title: p74.title,
+          description: p74.description,
+          cweId: p74.cweId,
+          remediation: p74.remediation,
+          category: p74.category
+        });
+      }
+    }
+    for (const p74 of CROSS_LANG_SECRET_PATTERNS) {
+      if (!patterns.some((existing) => existing.id === p74.id)) {
+        patterns.push({
+          ...p74,
+          category: "sensitive-data"
+        });
+      }
+    }
+  }
+  for (const filePath of files) {
+    let content;
+    try {
+      content = fs21.readFileSync(filePath, "utf-8");
+    } catch {
+      continue;
+    }
+    if (content.includes("\0") || content.length > 1e6) continue;
+    const lines = content.split("\n");
+    const relPath = path23.relative(process.cwd(), filePath);
+    for (const patternDef of patterns) {
+      const regex = new RegExp(patternDef.pattern.source, patternDef.pattern.flags);
+      let match;
+      while ((match = regex.exec(content)) !== null) {
+        vulnCounter++;
+        const lineNum = content.substring(0, match.index).split("\n").length;
+        const matchedLine = lines[lineNum - 1] || "";
+        const snippet = matchedLine.trim().length > 100 ? matchedLine.trim().substring(0, 100) + "..." : matchedLine.trim();
+        vulnerabilities.push({
+          id: `${patternDef.id}-${vulnCounter}`,
+          title: patternDef.title,
+          severity: patternDef.severity,
+          category: patternDef.category || "security-misconfiguration",
+          location: {
+            file: relPath,
+            line: lineNum,
+            snippet
+          },
+          description: patternDef.description,
+          remediation: patternDef.remediation,
+          cweId: patternDef.cweId,
+          references: []
+        });
+        if (vulnCounter > 200) break;
+      }
+    }
+  }
+  return vulnerabilities;
 }
-function generateSecretFindings() {
-  return [
-    {
-      id: "SECRET-001",
-      title: "AWS Access Key Detected",
-      severity: "critical",
-      category: "sensitive-data",
-      location: { file: "src/services/aws.ts", line: 8, snippet: "AKIA...[REDACTED]" },
-      description: "AWS access key found in source code",
-      remediation: "Remove key, rotate credentials, use AWS IAM roles",
-      references: ["https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"]
+async function scanDependencies(target) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const vulnerabilities = [];
+  const resolved = path23.resolve(target);
+  const pkgJsonPath = path23.join(resolved, "package.json");
+  if (fs21.existsSync(pkgJsonPath)) {
+    try {
+      const pkg2 = JSON.parse(fs21.readFileSync(pkgJsonPath, "utf-8"));
+      const allDeps = { ...pkg2.dependencies, ...pkg2.devDependencies };
+      vulnerabilities.push(...checkKnownVulnerableDeps(allDeps, "package.json"));
+    } catch {
     }
-  ];
+  }
+  const pyprojectPath = path23.join(resolved, "pyproject.toml");
+  if (fs21.existsSync(pyprojectPath)) {
+    try {
+      const content = fs21.readFileSync(pyprojectPath, "utf-8");
+      const deps = extractPythonDeps(content);
+      vulnerabilities.push(...checkKnownVulnerablePythonDeps(deps, "pyproject.toml"));
+    } catch {
+    }
+  }
+  const reqPath = path23.join(resolved, "requirements.txt");
+  if (fs21.existsSync(reqPath)) {
+    try {
+      const content = fs21.readFileSync(reqPath, "utf-8");
+      const deps = extractRequirementsTxtDeps(content);
+      vulnerabilities.push(...checkKnownVulnerablePythonDeps(deps, "requirements.txt"));
+    } catch {
+    }
+  }
+  if (vulnerabilities.length === 0) {
+    const manifests = [pkgJsonPath, pyprojectPath, reqPath].filter((p74) => fs21.existsSync(p74));
+    if (manifests.length > 0) {
+      vulnerabilities.push({
+        id: "DEP-INFO-001",
+        title: "Dependency audit recommended",
+        severity: "informational",
+        category: "vulnerable-components",
+        location: { file: path23.relative(process.cwd(), manifests[0]) },
+        description: `Found ${path23.basename(manifests[0])} \u2014 run language-specific dependency audit for comprehensive results`,
+        remediation: "Run npm audit, pip-audit, or equivalent for full vulnerability check",
+        references: []
+      });
+    }
+  }
+  return vulnerabilities;
+}
+var KNOWN_VULNERABLE_NPM = {
+  "lodash": { maxSafe: "4.17.21", cve: "CVE-2021-23337", severity: "high", desc: "Prototype pollution in lodash" },
+  "minimist": { maxSafe: "1.2.6", cve: "CVE-2021-44906", severity: "critical", desc: "Prototype pollution in minimist" },
+  "node-fetch": { maxSafe: "2.6.7", cve: "CVE-2022-0235", severity: "high", desc: "Information exposure in node-fetch" },
+  "express": { maxSafe: "4.19.2", cve: "CVE-2024-29041", severity: "medium", desc: "Open redirect in express" }
+};
+function checkKnownVulnerableDeps(deps, manifest) {
+  const vulns = [];
+  for (const [name, version] of Object.entries(deps)) {
+    const known = KNOWN_VULNERABLE_NPM[name];
+    if (known) {
+      const cleanVersion = version.replace(/^[\^~>=<]+/, "");
+      if (compareVersions(cleanVersion, known.maxSafe) < 0) {
+        vulns.push({
+          id: `DEP-${name}-${known.cve}`,
+          title: `Vulnerable ${name} version`,
+          severity: known.severity,
+          category: "vulnerable-components",
+          location: { file: manifest, dependency: { name, version: cleanVersion } },
+          description: known.desc,
+          remediation: `Upgrade ${name} to >= ${known.maxSafe}`,
+          cveId: known.cve,
+          references: [`https://nvd.nist.gov/vuln/detail/${known.cve}`]
+        });
+      }
+    }
+  }
+  return vulns;
+}
+var KNOWN_VULNERABLE_PYTHON = {
+  "python-jose": { cve: "CVE-2024-33663", severity: "critical", desc: "python-jose is abandoned and has known JWT vulnerabilities" },
+  "pyjwt": { cve: "CVE-2022-29217", severity: "high", desc: "PyJWT algorithm confusion vulnerability (upgrade to >= 2.4.0)" },
+  "python-multipart": { cve: "CVE-2026-24486", severity: "high", desc: "python-multipart DoS vulnerability" },
+  "jinja2": { cve: "CVE-2024-34064", severity: "medium", desc: "Jinja2 XSS via template injection" },
+  "urllib3": { cve: "CVE-2023-45803", severity: "medium", desc: "urllib3 request body exposure on redirect" },
+  "requests": { cve: "CVE-2023-32681", severity: "medium", desc: "Requests proxy credential exposure" }
+};
+function extractPythonDeps(tomlContent) {
+  const deps = [];
+  const depMatch = tomlContent.match(/dependencies\s*=\s*\[([\s\S]*?)\]/);
+  if (depMatch) {
+    const matches = depMatch[1].matchAll(/["']([a-zA-Z0-9_-]+)/g);
+    for (const m74 of matches) {
+      deps.push(m74[1].toLowerCase());
+    }
+  }
+  return deps;
+}
+function extractRequirementsTxtDeps(content) {
+  return content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((line) => line.split(/[>=<!~\[]/)[0].trim().toLowerCase()).filter(Boolean);
+}
+function checkKnownVulnerablePythonDeps(deps, manifest) {
+  const vulns = [];
+  for (const dep of deps) {
+    const known = KNOWN_VULNERABLE_PYTHON[dep];
+    if (known) {
+      vulns.push({
+        id: `DEP-py-${dep}-${known.cve}`,
+        title: `Vulnerable Python dependency: ${dep}`,
+        severity: known.severity,
+        category: "vulnerable-components",
+        location: { file: manifest, dependency: { name: dep, version: "any" } },
+        description: known.desc,
+        remediation: dep === "python-jose" ? "Migrate to PyJWT or joserfc" : `Check for updates to ${dep}`,
+        cveId: known.cve,
+        references: [`https://nvd.nist.gov/vuln/detail/${known.cve}`]
+      });
+    }
+  }
+  return vulns;
+}
+function compareVersions(a37, b68) {
+  const pa9 = a37.split(".").map(Number);
+  const pb = b68.split(".").map(Number);
+  for (let i58 = 0; i58 < 3; i58++) {
+    const va5 = pa9[i58] || 0;
+    const vb = pb[i58] || 0;
+    if (va5 < vb) return -1;
+    if (va5 > vb) return 1;
+  }
+  return 0;
 }
 function generateDASTFindings(url) {
   return [
     {
-      id: "DAST-001",
-      title: "Missing Security Headers",
-      severity: "medium",
+      id: "DAST-INFO-001",
+      title: "DAST scan target noted",
+      severity: "informational",
       category: "security-misconfiguration",
       location: { file: url },
-      description: "X-Frame-Options and Content-Security-Policy headers missing",
-      remediation: "Add security headers to HTTP responses",
-      references: ["https://owasp.org/www-project-secure-headers/"]
+      description: `DAST target ${url} recorded. Full DAST requires integration with a dynamic scanner (e.g., ZAP, Burp).`,
+      remediation: "Configure a DAST tool to scan the live application",
+      references: ["https://owasp.org/www-project-zap/"]
     }
   ];
 }
@@ -143055,6 +144009,9 @@ function generateRecommendations5(vulnerabilities, summary) {
   if (vulnerabilities.some((v62) => v62.category === "sensitive-data")) {
     recs.push("Implement proper secrets management");
   }
+  if (vulnerabilities.some((v62) => v62.category === "vulnerable-components")) {
+    recs.push("Run full dependency audit and update vulnerable packages");
+  }
   if (recs.length === 0) {
     recs.push("No critical issues found. Continue regular security reviews.");
   }
@@ -147391,7 +148348,7 @@ function getSharedGOAPPlanner() {
 }
 
 // src/planning/plan-executor.ts
-init_better_sqlite3();
+init_safe_db();
 init_unified_memory();
 init_error_utils();
 init_safe_json();
@@ -147426,7 +148383,7 @@ var PlanExecutor = class {
     this.spawner = spawner;
     this.config = { ...DEFAULT_CONFIG69, ...config };
     if (!this.config.useUnified) {
-      this.db = new better_sqlite3_default(dbPath ?? ":memory:");
+      this.db = openDatabase(dbPath ?? ":memory:", { walMode: false });
       this.db.pragma("journal_mode = WAL");
     }
   }
@@ -149370,7 +150327,7 @@ init_logging();
 init_types();
 
 // src/learning/v2-to-v3-migration.ts
-init_better_sqlite3();
+init_safe_db();
 init_error_utils();
 init_safe_json();
 init_logging();
@@ -149815,7 +150772,7 @@ init_logging();
 var logger17 = LoggerFactory.create("pattern-lifecycle");
 
 // src/learning/metrics-tracker.ts
-init_better_sqlite3();
+init_safe_db();
 init_qe_patterns();
 init_safe_json();
 init_logging();
@@ -153347,14 +154304,22 @@ async function handleTaskOrchestrate(params) {
   }
   const { queen, workflowOrchestrator } = getFleetState();
   try {
+    const inferredDomain = params.context?.project || inferDomainFromDescription(params.task);
+    const inferredIsCritical = params.priority === "critical" || /\b(security|vulnerability|cve|owasp|critical|production|exploit)\b/i.test(params.task);
     const router = await getTaskRouter();
     const routingResult = await router.routeTask({
       task: params.task,
       codeContext: params.codeContext,
       filePaths: params.filePaths,
       manualTier: params.manualTier,
-      isCritical: params.priority === "critical",
-      domain: params.context?.project
+      isCritical: inferredIsCritical,
+      agentType: `qe-${inferredDomain}`,
+      domain: inferredDomain,
+      metadata: {
+        inferredDomain,
+        hasCodeContext: !!params.codeContext,
+        fileCount: params.filePaths?.length
+      }
     });
     const reasoningBankService = await getReasoningBankService();
     const experienceGuidance = await reasoningBankService.getExperienceGuidance(
@@ -153492,14 +154457,22 @@ async function handleTaskOrchestrate(params) {
 async function handleModelRoute(params) {
   try {
     const router = await getTaskRouter();
+    const inferredDomain = params.domain || inferDomainFromDescription(params.task);
+    const inferredIsCritical = params.isCritical ?? /\b(security|vulnerability|cve|owasp|critical|production|exploit)\b/i.test(params.task);
     const result = await router.routeTask({
       task: params.task,
       codeContext: params.codeContext,
       filePaths: params.filePaths,
       manualTier: params.manualTier,
-      isCritical: params.isCritical,
-      agentType: params.agentType,
-      domain: params.domain
+      isCritical: inferredIsCritical,
+      agentType: params.agentType || `qe-${inferredDomain}`,
+      domain: inferredDomain,
+      // Pass metadata to help the complexity analyzer
+      metadata: {
+        inferredDomain,
+        hasCodeContext: !!params.codeContext,
+        fileCount: params.filePaths?.length
+      }
     });
     return {
       success: true,
@@ -153562,6 +154535,43 @@ async function handleRoutingMetrics(params) {
     };
   }
 }
+function inferDomainFromDescription(description) {
+  const lower = description.toLowerCase();
+  if (/\b(security|vulnerabilit|cve|owasp|secret|credential|injection|xss|csrf)\b/.test(lower)) {
+    return "security-compliance";
+  }
+  if (/\b(chaos|resilience|fault.?inject|disaster|failover)\b/.test(lower)) {
+    return "chaos-resilience";
+  }
+  if (/\b(defect|bug.?predict|risk.?assess|mutation)\b/.test(lower)) {
+    return "defect-intelligence";
+  }
+  if (/\b(coverage|uncovered|gap.?analy)\b/.test(lower)) {
+    return "coverage-analysis";
+  }
+  if (/\b(quality|code.?review|maintain|tech.?debt)\b/.test(lower)) {
+    return "quality-assessment";
+  }
+  if (/\b(contract|api.?compat|breaking.?change|pact)\b/.test(lower)) {
+    return "contract-testing";
+  }
+  if (/\b(index|knowledge.?graph|semantic|code.?intel)\b/.test(lower)) {
+    return "code-intelligence";
+  }
+  if (/\b(accessib|a11y|wcag|screen.?read)\b/.test(lower)) {
+    return "visual-accessibility";
+  }
+  if (/\b(requirement|bdd|acceptance|user.?stor)\b/.test(lower)) {
+    return "requirements-validation";
+  }
+  if (/\b(generat.*test|test.*generat|write.*test|create.*test)\b/.test(lower)) {
+    return "test-generation";
+  }
+  if (/\b(run.*test|execut.*test)\b/.test(lower)) {
+    return "test-execution";
+  }
+  return "test-generation";
+}
 function inferTaskType(description) {
   const lower = description.toLowerCase();
   if (/run\s+(?:\w+\s+)*tests?/.test(lower) || /execute\s+(?:\w+\s+)*tests?/.test(lower) || lower.includes("run tests") || lower.includes("execute tests")) {
@@ -155321,7 +156331,18 @@ var MCPProtocolServer = class {
   async start() {
     await initializeConnectionPool();
     this.transport.onRequest(async (request) => {
-      return this.handleRequest(request);
+      try {
+        return await this.handleRequest(request);
+      } catch (err4) {
+        const message = err4 instanceof Error ? err4.message : String(err4);
+        console.error(`[MCP] Unhandled error in request handler: ${message}`);
+        return {
+          content: [{
+            type: "text",
+            text: JSON.stringify({ success: false, error: `Internal error: ${message}` })
+          }]
+        };
+      }
     });
     this.transport.onNotification(async (notification) => {
       await this.handleNotification(notification);