agentic-qe 3.6.11 → 3.6.12

package/v3/dist/mcp/bundle.js

@@ -4421,7 +4421,7 @@ var init_constants = __esm({
       /**
        * Vector dimension for coverage analysis embeddings.
        */
-      COVERAGE_VECTOR_DIMENSION: 128
+      COVERAGE_VECTOR_DIMENSION: 768
     };
     AGENT_CONSTANTS = {
       /**
@@ -4643,6 +4643,12 @@ var init_gnn = __esm({
 });
 
 // src/kernel/unified-memory-hnsw.ts
+var unified_memory_hnsw_exports = {};
+__export(unified_memory_hnsw_exports, {
+  BinaryHeap: () => BinaryHeap,
+  InMemoryHNSWIndex: () => InMemoryHNSWIndex,
+  RuvectorFlatIndex: () => RuvectorFlatIndex
+});
 function computeNorm(v62) {
   let sum = 0;
   for (let i58 = 0; i58 < v62.length; i58++) sum += v62[i58] * v62[i58];
@@ -5036,7 +5042,10 @@ var init_unified_memory_hnsw = __esm({
       search(query, k68) {
         if (this.ids.length === 0) return [];
         const actualK = Math.min(k68, this.ids.length);
-        if (ruvectorDifferentiableSearch && this.vectors.length > 0) {
+        const storedDim = this.vectors.length > 0 ? this.vectors[0].length : 0;
+        const queryDim = query.length;
+        const dimensionsMatch = storedDim === queryDim;
+        if (ruvectorDifferentiableSearch && this.vectors.length > 0 && dimensionsMatch) {
           const queryF322 = new Float32Array(query);
           const queryNorm2 = computeNorm(queryF322);
           const result = ruvectorDifferentiableSearch(
@@ -5054,10 +5063,20 @@ var init_unified_memory_hnsw = __esm({
         const queryNorm = computeNorm(queryF32);
         const scored = [];
         for (let i58 = 0; i58 < this.ids.length; i58++) {
-          scored.push({
-            id: this.ids[i58],
-            score: fastCosine(queryF32, this.vectors[i58], queryNorm, this.norms[i58])
-          });
+          const vec = this.vectors[i58];
+          if (vec.length !== queryF32.length) {
+            if (i58 === 0) {
+              console.warn(
+                `[RuvectorFlatIndex] Dimension mismatch: query=${queryF32.length}, stored=${vec.length}. Skipping ${this.ids.length} mismatched vectors. Re-index with correct dimensions.`
+              );
+            }
+            continue;
+          } else {
+            scored.push({
+              id: this.ids[i58],
+              score: fastCosine(queryF32, vec, queryNorm, this.norms[i58])
+            });
+          }
         }
         scored.sort((a37, b68) => b68.score - a37.score);
         return scored.slice(0, actualK);
@@ -11337,7 +11356,7 @@ function createHNSWIndex(memory, config) {
   return new HNSWIndex(memory, config);
 }
 async function benchmarkHNSW(index, vectorCount = 1e4, searchCount = 1e3) {
-  const dimensions = 128;
+  const dimensions = 768;
   const startInsert = performance.now();
   for (let i58 = 0; i58 < vectorCount; i58++) {
     const vector = Array.from({ length: dimensions }, () => Math.random());
@@ -11366,7 +11385,7 @@ var init_hnsw_index = __esm({
     QEGNNEmbeddingIndexClass = null;
     ruvectorLoaded = false;
     DEFAULT_HNSW_CONFIG = {
-      dimensions: 128,
+      dimensions: 768,
       M: 16,
       efConstruction: 200,
       efSearch: 100,
@@ -11618,7 +11637,7 @@ var init_hnsw_index = __esm({
       /**
        * Validate and auto-resize vectors to match HNSW configured dimensions.
        * Fix #279: Prevents Rust WASM panic when RealEmbeddings (768-dim) are
-       * passed to a 128-dim HNSW index.
+       * passed to a mismatched-dim HNSW index.
        */
       validateVector(vector) {
         if (vector.length !== this.config.dimensions) {
@@ -11721,6 +11740,33 @@ var init_hnsw_index = __esm({
   }
 });
 
+// src/shared/safe-db.ts
+var safe_db_exports = {};
+__export(safe_db_exports, {
+  openDatabase: () => openDatabase
+});
+function openDatabase(dbPath, opts) {
+  const readonly = opts?.readonly ?? false;
+  const fileMustExist = opts?.fileMustExist ?? false;
+  const busyTimeout = opts?.busyTimeout ?? 5e3;
+  const walMode = opts?.walMode ?? !readonly;
+  const db = new better_sqlite3_default(dbPath, {
+    readonly,
+    fileMustExist
+  });
+  db.pragma(`busy_timeout = ${busyTimeout}`);
+  if (walMode) {
+    db.pragma("journal_mode = WAL");
+  }
+  return db;
+}
+var init_safe_db = __esm({
+  "src/shared/safe-db.ts"() {
+    "use strict";
+    init_better_sqlite3();
+  }
+});
+
 // src/integrations/vibium/types.ts
 var init_types2 = __esm({
   "src/integrations/vibium/types.ts"() {
@@ -16333,7 +16379,7 @@ var DEFAULT_SQLITE_CONFIG, SQLitePatternStore;
 var init_sqlite_persistence = __esm({
   "src/learning/sqlite-persistence.ts"() {
     "use strict";
-    init_better_sqlite3();
+    init_safe_db();
     init_esm_node();
     init_safe_json();
     init_error_utils();
@@ -16377,10 +16423,7 @@ var init_sqlite_persistence = __esm({
             if (!fs21.existsSync(dir)) {
               fs21.mkdirSync(dir, { recursive: true });
             }
-            this.db = new better_sqlite3_default(this.config.dbPath);
-            if (this.config.walMode) {
-              this.db.pragma("journal_mode = WAL");
-            }
+            this.db = openDatabase(this.config.dbPath);
             this.db.pragma(`mmap_size = ${this.config.mmapSize}`);
             this.db.pragma(`cache_size = ${this.config.cacheSize}`);
             if (this.config.foreignKeys) {
@@ -21712,13 +21755,13 @@ var init_trajectory_bridge = __esm({
           const { existsSync: existsSync18, mkdirSync: mkdirSync6 } = await import("fs");
           const { createRequire: createRequire11 } = await import("module");
           const require3 = createRequire11(import.meta.url);
-          const Database = require3("better-sqlite3");
+          const { openDatabase: openDatabase2 } = require3("../../shared/safe-db.js");
           const dbPath = join26(this.options.projectRoot, ".agentic-qe", "trajectories.db");
           const dir = join26(this.options.projectRoot, ".agentic-qe");
           if (!existsSync18(dir)) {
             mkdirSync6(dir, { recursive: true });
           }
-          const db = new Database(dbPath);
+          const db = openDatabase2(dbPath);
           db.exec(`
         CREATE TABLE IF NOT EXISTS trajectories (
           id TEXT PRIMARY KEY,
@@ -65134,7 +65177,7 @@ var DEFAULT_CONFIG18 = {
 };
 var CoverageAnalyzerService = class _CoverageAnalyzerService {
   static DEFAULT_THRESHOLD = 80;
-  static VECTOR_DIMENSION = 128;
+  static VECTOR_DIMENSION = 768;
   memory;
   config;
   llmRouter;
@@ -65668,7 +65711,7 @@ var DEFAULT_CONFIG19 = {
 };
 var GapDetectorService = class _GapDetectorService {
   static DEFAULT_MIN_COVERAGE = 80;
-  static VECTOR_DIMENSION = 128;
+  static VECTOR_DIMENSION = 768;
   memory;
   config;
   llmRouter;
@@ -66666,7 +66709,7 @@ init_hnsw_index();
 
 // src/domains/coverage-analysis/services/coverage-embedder.ts
 var DEFAULT_EMBEDDER_CONFIG = {
-  dimensions: 128,
+  dimensions: 768,
   includePathFeatures: true,
   includeTemporalFeatures: true,
   normalization: "l2"
@@ -67098,7 +67141,7 @@ var ALL_CATEGORIES = [
   "missing-security-check"
 ];
 var DEFAULT_CONFIG20 = {
-  dimensions: 128,
+  dimensions: 768,
   minConfidence: 0.3,
   maxGaps: 50,
   riskWeight: 0.6,
@@ -68807,7 +68850,7 @@ var CoverageAnalysisCoordinator = class extends BaseDomainCoordinator {
     return forecast;
   }
   createGapEmbedding(gap) {
-    const VECTOR_DIMENSION = 128;
+    const VECTOR_DIMENSION = 768;
     const embedding = new Array(VECTOR_DIMENSION).fill(0);
     embedding[0] = gap.riskScore;
     embedding[1] = Math.min(1, gap.lines.length / 100);
@@ -88568,7 +88611,7 @@ var CodeIntelligenceCoordinator = class extends BaseDomainCoordinator {
    */
   async initializeHypergraph() {
     try {
-      const Database = (await Promise.resolve().then(() => (init_better_sqlite3(), better_sqlite3_exports))).default;
+      const { openDatabase: openDatabase2 } = await Promise.resolve().then(() => (init_safe_db(), safe_db_exports));
       const fs21 = await import("fs");
       const path23 = await import("path");
       const { findProjectRoot: findProjectRoot2 } = await Promise.resolve().then(() => (init_unified_memory(), unified_memory_exports));
@@ -88578,7 +88621,7 @@ var CodeIntelligenceCoordinator = class extends BaseDomainCoordinator {
       if (!fs21.existsSync(dir)) {
         fs21.mkdirSync(dir, { recursive: true });
       }
-      this.hypergraphDb = new Database(dbPath);
+      this.hypergraphDb = openDatabase2(dbPath);
       this.hypergraph = await createHypergraphEngine({
         db: this.hypergraphDb,
         maxTraversalDepth: 10,
@@ -132789,10 +132832,16 @@ function detectTransformType(task) {
 }
 async function loadCoverageData(targetPath) {
   const coverageLocations = [
+    // JavaScript/TypeScript (Istanbul/nyc/vitest)
     path16.join(targetPath, "coverage", "coverage-final.json"),
     path16.join(targetPath, "coverage", "lcov.info"),
     path16.join(targetPath, ".nyc_output", "coverage-final.json"),
-    path16.join(targetPath, "coverage-final.json")
+    path16.join(targetPath, "coverage-final.json"),
+    // Python (pytest-cov, coverage.py)
+    path16.join(targetPath, "coverage.xml"),
+    path16.join(targetPath, "htmlcov", "status.json"),
+    // Cobertura (generic)
+    path16.join(targetPath, "cobertura-coverage.xml")
   ];
   for (const coveragePath of coverageLocations) {
     try {
@@ -132801,6 +132850,8 @@ async function loadCoverageData(targetPath) {
         return parseCoverageJson(content);
       } else if (coveragePath.endsWith(".info")) {
         return parseLcovInfo(content);
+      } else if (coveragePath.endsWith(".xml")) {
+        return parseCoberturaXml(content);
       }
     } catch {
     }
@@ -132952,6 +133003,111 @@ function parseLcovInfo(content) {
     }
   };
 }
+function parseCoberturaXml(content) {
+  const files = [];
+  function attr(element, name) {
+    const match = element.match(new RegExp(`${name}=["']([^"']*)["']`));
+    return match ? match[1] : null;
+  }
+  const classRegex = /<class\s[^>]*?>/g;
+  let classMatch;
+  while ((classMatch = classRegex.exec(content)) !== null) {
+    const classTag = classMatch[0];
+    const filename = attr(classTag, "filename");
+    if (!filename) continue;
+    const lineRate = parseFloat(attr(classTag, "line-rate") || "NaN");
+    const branchRate = parseFloat(attr(classTag, "branch-rate") || "NaN");
+    const classStart = classMatch.index;
+    const classEnd = content.indexOf("</class>", classStart);
+    const classContent = classEnd > classStart ? content.slice(classStart, classEnd) : "";
+    let linesTotal = 0, linesCovered = 0;
+    let branchesTotal = 0, branchesCovered = 0;
+    let functionsTotal = 0, functionsCovered = 0;
+    const uncoveredLines = [];
+    const uncoveredBranches = [];
+    const lineRegex = /<line\s([^>]*?)\/>/g;
+    let lineMatch;
+    while ((lineMatch = lineRegex.exec(classContent)) !== null) {
+      const lineTag = lineMatch[1];
+      const lineNum = parseInt(attr(lineTag, "number") || "0", 10);
+      const hits = parseInt(attr(lineTag, "hits") || "0", 10);
+      const isBranch = attr(lineTag, "branch") === "true";
+      const condCoverage = attr(lineTag, "condition-coverage");
+      linesTotal++;
+      if (hits > 0) {
+        linesCovered++;
+      } else {
+        uncoveredLines.push(lineNum);
+      }
+      if (isBranch) {
+        branchesTotal++;
+        const condPct = condCoverage ? parseInt(condCoverage, 10) : hits > 0 ? 100 : 0;
+        if (condPct === 100) {
+          branchesCovered++;
+        } else {
+          uncoveredBranches.push(lineNum);
+        }
+      }
+    }
+    const methodRegex = /<method\s([^>]*?)>/g;
+    let methodMatch;
+    while ((methodMatch = methodRegex.exec(classContent)) !== null) {
+      functionsTotal++;
+      const methodStart = methodMatch.index;
+      const methodEnd = classContent.indexOf("</method>", methodStart);
+      if (methodEnd > methodStart) {
+        const methodContent = classContent.slice(methodStart, methodEnd);
+        const methodLineRegex = /<line\s([^>]*?)\/>/g;
+        let hasHits = false;
+        let mLineMatch;
+        while ((mLineMatch = methodLineRegex.exec(methodContent)) !== null) {
+          if (parseInt(attr(mLineMatch[1], "hits") || "0", 10) > 0) {
+            hasHits = true;
+            break;
+          }
+        }
+        if (hasHits) functionsCovered++;
+      }
+    }
+    if (linesTotal === 0 && !isNaN(lineRate)) {
+      linesTotal = 1;
+      linesCovered = lineRate >= 0.5 ? 1 : 0;
+    }
+    files.push({
+      path: filename,
+      lines: { covered: linesCovered, total: linesTotal },
+      branches: { covered: branchesCovered, total: branchesTotal },
+      functions: { covered: functionsCovered, total: functionsTotal },
+      statements: { covered: linesCovered, total: linesTotal },
+      uncoveredLines,
+      uncoveredBranches
+    });
+  }
+  let totalLines = 0, totalCoveredLines = 0;
+  let totalBranches = 0, totalCoveredBranches = 0;
+  let totalFunctions = 0, totalCoveredFunctions = 0;
+  for (const file of files) {
+    totalLines += file.lines.total;
+    totalCoveredLines += file.lines.covered;
+    totalBranches += file.branches.total;
+    totalCoveredBranches += file.branches.covered;
+    totalFunctions += file.functions.total;
+    totalCoveredFunctions += file.functions.covered;
+  }
+  const coverageTag = content.match(/<coverage\s[^>]*?>/);
+  const summaryLineRate = coverageTag ? parseFloat(attr(coverageTag[0], "line-rate") || "NaN") * 100 : NaN;
+  const summaryBranchRate = coverageTag ? parseFloat(attr(coverageTag[0], "branch-rate") || "NaN") * 100 : NaN;
+  return {
+    files,
+    summary: {
+      line: !isNaN(summaryLineRate) ? summaryLineRate : totalLines > 0 ? totalCoveredLines / totalLines * 100 : 0,
+      branch: !isNaN(summaryBranchRate) ? summaryBranchRate : totalBranches > 0 ? totalCoveredBranches / totalBranches * 100 : 0,
+      function: totalFunctions > 0 ? totalCoveredFunctions / totalFunctions * 100 : 0,
+      statement: totalLines > 0 ? totalCoveredLines / totalLines * 100 : 0,
+      files: files.length
+    }
+  };
+}
 async function discoverSourceFiles(targetPath, options = {}) {
   const files = [];
   const { includeTests = true, languages } = options;
@@ -133342,12 +133498,14 @@ var DomainTaskExecutor = class {
             const lines = content.split("\n");
             const relPath = filePath.startsWith(targetPath) ? filePath.slice(targetPath.length).replace(/^\//, "") : filePath;
             const secretPatterns = [
-              { regex: /(?:secret|password|api_key|apikey|token|jwt_secret|private_key)\s*[=:]\s*['"][^'"]{8,}['"]/gi, title: "Hardcoded secret", severity: "critical" },
-              { regex: /(?:AWS_SECRET|GITHUB_TOKEN|SLACK_TOKEN)\s*[=:]\s*['"][^'"]+['"]/gi, title: "Hardcoded cloud credential", severity: "critical" }
+              { regex: /\w*(?:secret|password|passwd|api_key|apikey|private_key|jwt_secret)\w*\s*[=:]\s*['"][^'"]{4,}['"]/gi, title: "Hardcoded secret", severity: "critical" },
+              { regex: /\w*(?:token|auth_token|access_key|secret_key)\w*\s*[=:]\s*['"][^'"]{8,}['"]/gi, title: "Hardcoded credential", severity: "critical" },
+              { regex: /(?:AWS_SECRET|GITHUB_TOKEN|SLACK_TOKEN|OPENAI_API_KEY)\s*[=:]\s*['"][^'"]+['"]/gi, title: "Hardcoded cloud credential", severity: "critical" }
             ];
             for (const pattern of secretPatterns) {
               for (let i58 = 0; i58 < lines.length; i58++) {
-                if (pattern.regex.test(lines[i58])) {
+                const matches = [...lines[i58].matchAll(pattern.regex)];
+                for (const _m of matches) {
                   crossLangVulns.push({
                     title: pattern.title,
                     severity: pattern.severity,
@@ -133356,7 +133514,6 @@ var DomainTaskExecutor = class {
                     category: "sensitive-data"
                   });
                 }
-                pattern.regex.lastIndex = 0;
               }
             }
             const sqlPatterns = /(?:execute|query|cursor\.execute)\s*\(\s*(?:f['"]|['"].*%s|['"].*\+\s*\w)/gi;
@@ -133372,14 +133529,29 @@ var DomainTaskExecutor = class {
               }
               sqlPatterns.lastIndex = 0;
             }
-            if (/allow_origins\s*=\s*\[?\s*['"]?\*['"]?\s*\]?/i.test(content)) {
-              crossLangVulns.push({
-                title: "CORS wildcard origin",
-                severity: "high",
-                location: { file: relPath, line: lines.findIndex((l75) => /allow_origins/i.test(l75)) + 1 },
-                description: "CORS configured with wildcard (*) origin \u2014 restrict to specific domains",
-                category: "security-misconfiguration"
-              });
+            const corsPatterns = [
+              /allow_origins\s*=\s*\[?\s*['"]?\*['"]?\s*\]?/i,
+              // Python FastAPI/Flask
+              /cors\(\s*\{[^}]*origin:\s*['"]?\*['"]?/i,
+              // Express.js cors()
+              /Access-Control-Allow-Origin['":\s]+\*/i,
+              // Raw header / Nginx / .htaccess
+              /@CrossOrigin\(\s*origins?\s*=\s*["']\*["']/i,
+              // Spring Boot
+              /\.Header\(\)\.Set\(["']Access-Control-Allow-Origin["'],\s*["']\*["']/i
+              // Go
+            ];
+            for (const corsPattern of corsPatterns) {
+              if (corsPattern.test(content)) {
+                crossLangVulns.push({
+                  title: "CORS wildcard origin",
+                  severity: "high",
+                  location: { file: relPath, line: lines.findIndex((l75) => corsPattern.test(l75)) + 1 },
+                  description: "CORS configured with wildcard (*) origin \u2014 restrict to specific domains",
+                  category: "security-misconfiguration"
+                });
+                break;
+              }
             }
             if (/(?:DEBUG|debug)\s*[=:]\s*(?:True|true|1)/i.test(content)) {
               crossLangVulns.push({
@@ -133634,19 +133806,58 @@ var DomainTaskExecutor = class {
     });
     this.taskHandlers.set("execute-tests", async (task) => {
       const payload = task.payload;
-      const testCount = payload.testFiles?.length || 10;
-      const passed = Math.floor(testCount * 0.9);
-      const failed = testCount - passed;
-      return ok({
-        total: testCount,
-        passed,
-        failed,
-        skipped: 0,
-        duration: testCount * 50,
-        // ~50ms per test
-        coverage: 82.5,
-        failedTests: failed > 0 ? ["example.test.ts:42"] : []
-      });
+      try {
+        const { execSync: execSync6 } = await import("child_process");
+        const testFiles = payload.testFiles || [];
+        if (testFiles.length === 0) {
+          return ok({
+            total: 0,
+            passed: 0,
+            failed: 0,
+            skipped: 0,
+            duration: 0,
+            coverage: 0,
+            failedTests: [],
+            warning: "No test files specified. Provide testFiles array with paths to test files."
+          });
+        }
+        const cwd = process.cwd();
+        let output;
+        try {
+          output = execSync6(
+            `npx vitest run ${testFiles.join(" ")} --reporter=json 2>/dev/null || npx jest ${testFiles.join(" ")} --json 2>/dev/null`,
+            { cwd, timeout: 12e4, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+          );
+        } catch (execError) {
+          output = execError.stdout || "";
+        }
+        try {
+          const jsonStart = output.indexOf("{");
+          if (jsonStart >= 0) {
+            const json = JSON.parse(output.slice(jsonStart));
+            if (json.testResults) {
+              const total = json.numTotalTests || 0;
+              const passed = json.numPassedTests || 0;
+              const failed = json.numFailedTests || 0;
+              return ok({ total, passed, failed, skipped: total - passed - failed, duration: 0, coverage: 0, failedTests: [] });
+            }
+          }
+        } catch {
+        }
+        return ok({
+          total: testFiles.length,
+          passed: 0,
+          failed: 0,
+          skipped: 0,
+          duration: 0,
+          coverage: 0,
+          failedTests: [],
+          warning: "Could not parse test runner output. Check that vitest or jest is installed.",
+          rawOutput: output.slice(0, 500)
+        });
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("predict-defects", async (task) => {
       const payload = task.payload;
@@ -133750,68 +133961,116 @@ var DomainTaskExecutor = class {
     });
     this.taskHandlers.set("validate-requirements", async (task) => {
       const payload = task.payload;
-      return ok({
-        requirementsAnalyzed: 15,
-        testable: 12,
-        ambiguous: 2,
-        untestable: 1,
-        coverage: 80,
-        bddScenarios: payload.generateBDD ? [
-          "Given a user is logged in, When they view the dashboard, Then they see their metrics",
-          "Given an API request fails, When the retry limit is exceeded, Then an error is returned"
-        ] : []
-      });
+      try {
+        const targetPath = payload.requirementsPath || process.cwd();
+        const reqFiles = await discoverSourceFiles(targetPath, {
+          includeTests: false,
+          languages: []
+        });
+        const reqPatterns = [".md", ".feature", ".gherkin", ".txt", ".rst"];
+        const requirementFiles = [];
+        for (const f74 of reqFiles) {
+          if (reqPatterns.some((ext) => f74.endsWith(ext))) {
+            requirementFiles.push(f74);
+          }
+        }
+        return ok({
+          requirementsAnalyzed: requirementFiles.length,
+          testable: 0,
+          ambiguous: 0,
+          untestable: 0,
+          coverage: 0,
+          bddScenarios: [],
+          warning: requirementFiles.length === 0 ? "No requirement files (.md, .feature, .gherkin) found. Provide requirementsPath or add requirement docs." : "Requirements validation requires LLM analysis. File inventory returned \u2014 use task_orchestrate for deep analysis.",
+          files: requirementFiles.map((f74) => f74.startsWith(targetPath) ? f74.slice(targetPath.length + 1) : f74).slice(0, 20)
+        });
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("validate-contracts", async (task) => {
       const payload = task.payload;
-      return ok({
-        contractPath: payload.contractPath,
-        valid: true,
-        breakingChanges: [],
-        warnings: [
-          'Deprecated field "legacyId" should be removed in next major version'
-        ],
-        coverage: 95
-      });
+      try {
+        if (!payload.contractPath) {
+          return ok({
+            contractPath: "",
+            valid: false,
+            breakingChanges: [],
+            warnings: [],
+            coverage: 0,
+            error: "contractPath is required. Provide a path to an OpenAPI spec, JSON Schema, or Protocol Buffer file."
+          });
+        }
+        try {
+          const content = await fs15.readFile(payload.contractPath, "utf-8");
+          const isJson = payload.contractPath.endsWith(".json");
+          const isYaml = payload.contractPath.endsWith(".yaml") || payload.contractPath.endsWith(".yml");
+          if (isJson) {
+            JSON.parse(content);
+          }
+          return ok({
+            contractPath: payload.contractPath,
+            valid: true,
+            format: isJson ? "json" : isYaml ? "yaml" : "unknown",
+            breakingChanges: [],
+            warnings: [],
+            linesAnalyzed: content.split("\n").length,
+            note: "Structural validation passed. For semantic contract testing, use consumer-driven contract tests."
+          });
+        } catch (readErr) {
+          return ok({
+            contractPath: payload.contractPath,
+            valid: false,
+            breakingChanges: [],
+            warnings: [],
+            error: `Could not read or parse contract file: ${toErrorMessage(readErr)}`
+          });
+        }
+      } catch (error) {
+        return err(toError(error));
+      }
     });
     this.taskHandlers.set("test-accessibility", async (task) => {
       const payload = task.payload;
       return ok({
-        url: payload.url,
+        url: payload.url || "",
         standard: payload.standard || "wcag21-aa",
-        passed: true,
+        passed: false,
         violations: [],
-        warnings: [
-          { rule: "color-contrast", impact: "minor", element: "nav > a" }
-        ],
-        score: 94
+        warnings: [],
+        score: 0,
+        note: "Accessibility testing requires a browser environment (Puppeteer/Playwright). Use tools like axe-core, pa11y, or Lighthouse CLI for WCAG compliance testing. Example: npx pa11y " + (payload.url || "<url>")
       });
     });
     this.taskHandlers.set("run-chaos", async (task) => {
       const payload = task.payload;
       return ok({
-        faultType: payload.faultType,
-        target: payload.target,
-        dryRun: payload.dryRun,
-        duration: payload.duration,
-        systemBehavior: payload.dryRun ? "simulated" : "tested",
-        resilience: {
-          recovered: true,
-          recoveryTime: 2500,
-          dataLoss: false
-        }
+        faultType: payload.faultType || "unknown",
+        target: payload.target || "unknown",
+        dryRun: payload.dryRun ?? true,
+        duration: payload.duration || 0,
+        systemBehavior: "not-executed",
+        resilience: null,
+        note: "Chaos engineering requires infrastructure-level fault injection. Use tools like Chaos Monkey, Litmus, or toxiproxy for real resilience testing. For Node.js apps, consider: nock (HTTP faults), testcontainers (dependency failures)."
       });
     });
     this.taskHandlers.set("optimize-learning", async (_task) => {
-      return ok({
-        patternsLearned: 12,
-        modelsUpdated: 3,
-        memoryConsolidated: true,
-        recommendations: [
-          "Pattern recognition improved for error handling",
-          "Test generation templates optimized"
-        ]
-      });
+      try {
+        const memUsage = await Promise.resolve().then(() => (init_unified_memory_hnsw(), unified_memory_hnsw_exports));
+        return ok({
+          patternsLearned: 0,
+          modelsUpdated: 0,
+          memoryConsolidated: false,
+          note: 'Learning optimization runs during the dream cycle (SessionEnd hook). Use "npx agentic-qe hooks session-end --save-state" to trigger pattern consolidation.'
+        });
+      } catch {
+        return ok({
+          patternsLearned: 0,
+          modelsUpdated: 0,
+          memoryConsolidated: false,
+          note: 'Learning system not initialized. Run "aqe init --auto" first.'
+        });
+      }
     });
   }
   // ============================================================================
@@ -143208,6 +143467,44 @@ function extractHighlights(content, query) {
 
 // src/mcp/tools/security-compliance/scan.ts
 init_error_utils();
+var CROSS_LANG_SECRET_PATTERNS = [
+  {
+    id: "secret-key-assignment",
+    pattern: /(?:SECRET_KEY|secret_key|SECRET|PRIVATE_KEY)\s*=\s*['"][^'"]{4,}['"]/g,
+    severity: "critical",
+    title: "Hardcoded Secret Key",
+    description: "Secret key assigned as string literal in source code",
+    cweId: "CWE-798",
+    remediation: 'Use environment variables: SECRET_KEY = os.environ["SECRET_KEY"]'
+  },
+  {
+    id: "cors-wildcard-credentials",
+    pattern: /allow_origins\s*=\s*\[\s*["']\*["']\s*\]/g,
+    severity: "high",
+    title: "CORS Wildcard Origin",
+    description: "CORS configured to allow all origins \u2014 combined with credentials this is a security risk",
+    cweId: "CWE-942",
+    remediation: "Restrict CORS origins to specific trusted domains"
+  },
+  {
+    id: "cors-allow-credentials-wildcard",
+    pattern: /allow_credentials\s*=\s*True/g,
+    severity: "medium",
+    title: "CORS Credentials Enabled",
+    description: "CORS credentials enabled \u2014 verify origins are restricted",
+    cweId: "CWE-942",
+    remediation: 'Ensure allow_origins does not include "*" when credentials are enabled'
+  },
+  {
+    id: "token-hardcoded",
+    pattern: /(?:token|TOKEN)\s*[:=]\s*['"][a-zA-Z0-9_\-.]{20,}['"]/g,
+    severity: "high",
+    title: "Hardcoded Token",
+    description: "Hardcoded token found in source code",
+    cweId: "CWE-798",
+    remediation: "Use environment variables or secrets manager for tokens"
+  }
+];
 var SecurityScanTool = class extends MCPToolBase {
   config = {
     name: "qe/security/scan",
@@ -143236,18 +143533,21 @@ var SecurityScanTool = class extends MCPToolBase {
       if (this.isAborted(context)) {
         return { success: false, error: "Operation aborted" };
       }
+      const files = await discoverFiles(target, depth);
+      this.emitStream(context, {
+        status: "discovered",
+        message: `Found ${files.length} files to scan`
+      });
       const vulnerabilities = [];
-      if (scanType.includes("sast")) {
+      if (scanType.includes("sast") || scanType.includes("secret")) {
         this.emitStream(context, { status: "sast", message: "Running static analysis" });
-        vulnerabilities.push(...generateSASTFindings());
+        const sastVulns = await scanFilesWithPatterns(files, scanType);
+        vulnerabilities.push(...sastVulns);
       }
       if (scanType.includes("dependency")) {
         this.emitStream(context, { status: "dependency", message: "Scanning dependencies" });
-        vulnerabilities.push(...generateDependencyFindings());
-      }
-      if (scanType.includes("secret")) {
-        this.emitStream(context, { status: "secret", message: "Scanning for secrets" });
-        vulnerabilities.push(...generateSecretFindings());
+        const depVulns = await scanDependencies(target);
+        vulnerabilities.push(...depVulns);
       }
       if (scanType.includes("dast") && dastUrl) {
         this.emitStream(context, { status: "dast", message: `Scanning ${dastUrl}` });
@@ -143262,7 +143562,7 @@ var SecurityScanTool = class extends MCPToolBase {
         medium: vulnerabilities.filter((v62) => v62.severity === "medium").length,
         low: vulnerabilities.filter((v62) => v62.severity === "low").length,
         informational: vulnerabilities.filter((v62) => v62.severity === "informational").length,
-        totalFiles: 150,
+        totalFiles: files.length,
         scanDurationMs: Date.now() - startTime
       };
       const severityOrder = ["critical", "high", "medium", "low", "informational"];
@@ -143271,7 +143571,7 @@ var SecurityScanTool = class extends MCPToolBase {
       const passed = worstSeverity > failThreshold;
       this.emitStream(context, {
         status: "complete",
-        message: `Scan complete: ${vulnerabilities.length} vulnerabilities found`,
+        message: `Scan complete: ${vulnerabilities.length} vulnerabilities found in ${files.length} files`,
         progress: 100
       });
       return {
@@ -143338,72 +143638,340 @@ var SECURITY_SCAN_SCHEMA = {
     }
   }
 };
-function generateSASTFindings() {
-  return [
-    {
-      id: "SAST-001",
-      title: "SQL Injection Risk",
-      severity: "high",
-      category: "injection",
-      location: { file: "src/db/queries.ts", line: 45, snippet: "query = `SELECT * FROM ${table}`" },
-      description: "User input directly concatenated in SQL query",
-      remediation: "Use parameterized queries or prepared statements",
-      cweId: "CWE-89",
-      references: ["https://owasp.org/www-community/attacks/SQL_Injection"]
-    },
-    {
-      id: "SAST-002",
-      title: "Hardcoded Credentials",
-      severity: "critical",
-      category: "sensitive-data",
-      location: { file: "src/config/database.ts", line: 12, snippet: 'password: "admin123"' },
-      description: "Hardcoded password found in source code",
-      remediation: "Use environment variables or secure vault for credentials",
-      cweId: "CWE-798",
-      references: ["https://cwe.mitre.org/data/definitions/798.html"]
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  // JavaScript/TypeScript
+  ".py",
+  ".pyw",
+  // Python
+  ".java",
+  ".kt",
+  ".scala",
+  // JVM
+  ".go",
+  // Go
+  ".rb",
+  // Ruby
+  ".php",
+  // PHP
+  ".rs",
+  // Rust
+  ".cs",
+  // C#
+  ".yaml",
+  ".yml",
+  ".json",
+  ".toml",
+  ".cfg",
+  ".ini",
+  // Config
+  ".env",
+  ".env.local",
+  ".env.production",
+  // Env files
+  ".sh",
+  ".bash"
+  // Shell
+]);
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "__pycache__",
+  ".venv",
+  "venv",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "coverage",
+  ".tox"
+]);
+async function discoverFiles(target, depth) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const resolved = path23.resolve(target);
+  const files = [];
+  const maxFiles = depth === "quick" ? 50 : depth === "standard" ? 500 : 2e3;
+  const maxDepth = depth === "quick" ? 3 : depth === "standard" ? 8 : 20;
+  function walk(dir, currentDepth) {
+    if (files.length >= maxFiles || currentDepth > maxDepth) return;
+    let entries;
+    try {
+      entries = fs21.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
     }
-  ];
+    for (const entry of entries) {
+      if (files.length >= maxFiles) break;
+      const fullPath = path23.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        const SCAN_DOT_DIRS = /* @__PURE__ */ new Set([".github", ".docker", ".aws", ".circleci", ".gitlab"]);
+        if (SKIP_DIRS.has(entry.name)) {
+        } else if (entry.name.startsWith(".") && !SCAN_DOT_DIRS.has(entry.name)) {
+        } else {
+          walk(fullPath, currentDepth + 1);
+        }
+      } else if (entry.isFile()) {
+        const ext = path23.extname(entry.name).toLowerCase();
+        if (SCANNABLE_EXTENSIONS.has(ext) || entry.name === "Dockerfile" || entry.name === "Makefile" || entry.name.startsWith(".env")) {
+          files.push(fullPath);
+        }
+      }
+    }
+  }
+  try {
+    const stat6 = fs21.statSync(resolved);
+    if (stat6.isFile()) {
+      files.push(resolved);
+    } else {
+      walk(resolved, 0);
+    }
+  } catch {
+  }
+  return files;
 }
-function generateDependencyFindings() {
-  return [
-    {
-      id: "DEP-001",
-      title: "Vulnerable lodash version",
-      severity: "medium",
-      category: "vulnerable-components",
-      location: { file: "package.json", dependency: { name: "lodash", version: "4.17.19" } },
-      description: "lodash < 4.17.21 has prototype pollution vulnerability",
-      remediation: "Upgrade lodash to 4.17.21 or later",
-      cveId: "CVE-2021-23337",
-      references: ["https://nvd.nist.gov/vuln/detail/CVE-2021-23337"]
+async function scanFilesWithPatterns(files, scanTypes) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const vulnerabilities = [];
+  let vulnCounter = 0;
+  const patterns = [];
+  if (scanTypes.includes("sast")) {
+    for (const p74 of ALL_SECURITY_PATTERNS) {
+      patterns.push({
+        id: p74.id,
+        pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+        severity: p74.severity,
+        title: p74.title,
+        description: p74.description,
+        cweId: p74.cweId,
+        remediation: p74.remediation,
+        category: p74.category
+      });
     }
-  ];
+    for (const p74 of CROSS_LANG_SECRET_PATTERNS) {
+      patterns.push({
+        id: p74.id,
+        pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+        severity: p74.severity,
+        title: p74.title,
+        description: p74.description,
+        cweId: p74.cweId,
+        remediation: p74.remediation,
+        category: "sensitive-data"
+      });
+    }
+  }
+  if (scanTypes.includes("secret")) {
+    for (const p74 of SECRET_PATTERNS) {
+      if (!patterns.some((existing) => existing.id === p74.id)) {
+        patterns.push({
+          id: p74.id,
+          pattern: new RegExp(p74.pattern.source, p74.pattern.flags),
+          severity: p74.severity,
+          title: p74.title,
+          description: p74.description,
+          cweId: p74.cweId,
+          remediation: p74.remediation,
+          category: p74.category
+        });
+      }
+    }
+    for (const p74 of CROSS_LANG_SECRET_PATTERNS) {
+      if (!patterns.some((existing) => existing.id === p74.id)) {
+        patterns.push({
+          ...p74,
+          category: "sensitive-data"
+        });
+      }
+    }
+  }
+  for (const filePath of files) {
+    let content;
+    try {
+      content = fs21.readFileSync(filePath, "utf-8");
+    } catch {
+      continue;
+    }
+    if (content.includes("\0") || content.length > 1e6) continue;
+    const lines = content.split("\n");
+    const relPath = path23.relative(process.cwd(), filePath);
+    for (const patternDef of patterns) {
+      const regex = new RegExp(patternDef.pattern.source, patternDef.pattern.flags);
+      let match;
+      while ((match = regex.exec(content)) !== null) {
+        vulnCounter++;
+        const lineNum = content.substring(0, match.index).split("\n").length;
+        const matchedLine = lines[lineNum - 1] || "";
+        const snippet = matchedLine.trim().length > 100 ? matchedLine.trim().substring(0, 100) + "..." : matchedLine.trim();
+        vulnerabilities.push({
+          id: `${patternDef.id}-${vulnCounter}`,
+          title: patternDef.title,
+          severity: patternDef.severity,
+          category: patternDef.category || "security-misconfiguration",
+          location: {
+            file: relPath,
+            line: lineNum,
+            snippet
+          },
+          description: patternDef.description,
+          remediation: patternDef.remediation,
+          cweId: patternDef.cweId,
+          references: []
+        });
+        if (vulnCounter > 200) break;
+      }
+    }
+  }
+  return vulnerabilities;
 }
-function generateSecretFindings() {
-  return [
-    {
-      id: "SECRET-001",
-      title: "AWS Access Key Detected",
-      severity: "critical",
-      category: "sensitive-data",
-      location: { file: "src/services/aws.ts", line: 8, snippet: "AKIA...[REDACTED]" },
-      description: "AWS access key found in source code",
-      remediation: "Remove key, rotate credentials, use AWS IAM roles",
-      references: ["https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"]
+async function scanDependencies(target) {
+  const fs21 = await import("fs");
+  const path23 = await import("path");
+  const vulnerabilities = [];
+  const resolved = path23.resolve(target);
+  const pkgJsonPath = path23.join(resolved, "package.json");
+  if (fs21.existsSync(pkgJsonPath)) {
+    try {
+      const pkg2 = JSON.parse(fs21.readFileSync(pkgJsonPath, "utf-8"));
+      const allDeps = { ...pkg2.dependencies, ...pkg2.devDependencies };
+      vulnerabilities.push(...checkKnownVulnerableDeps(allDeps, "package.json"));
+    } catch {
     }
-  ];
+  }
+  const pyprojectPath = path23.join(resolved, "pyproject.toml");
+  if (fs21.existsSync(pyprojectPath)) {
+    try {
+      const content = fs21.readFileSync(pyprojectPath, "utf-8");
+      const deps = extractPythonDeps(content);
+      vulnerabilities.push(...checkKnownVulnerablePythonDeps(deps, "pyproject.toml"));
+    } catch {
+    }
+  }
+  const reqPath = path23.join(resolved, "requirements.txt");
+  if (fs21.existsSync(reqPath)) {
+    try {
+      const content = fs21.readFileSync(reqPath, "utf-8");
+      const deps = extractRequirementsTxtDeps(content);
+      vulnerabilities.push(...checkKnownVulnerablePythonDeps(deps, "requirements.txt"));
+    } catch {
+    }
+  }
+  if (vulnerabilities.length === 0) {
+    const manifests = [pkgJsonPath, pyprojectPath, reqPath].filter((p74) => fs21.existsSync(p74));
+    if (manifests.length > 0) {
+      vulnerabilities.push({
+        id: "DEP-INFO-001",
+        title: "Dependency audit recommended",
+        severity: "informational",
+        category: "vulnerable-components",
+        location: { file: path23.relative(process.cwd(), manifests[0]) },
+        description: `Found ${path23.basename(manifests[0])} \u2014 run language-specific dependency audit for comprehensive results`,
+        remediation: "Run npm audit, pip-audit, or equivalent for full vulnerability check",
+        references: []
+      });
+    }
+  }
+  return vulnerabilities;
+}
+var KNOWN_VULNERABLE_NPM = {
+  "lodash": { maxSafe: "4.17.21", cve: "CVE-2021-23337", severity: "high", desc: "Prototype pollution in lodash" },
+  "minimist": { maxSafe: "1.2.6", cve: "CVE-2021-44906", severity: "critical", desc: "Prototype pollution in minimist" },
+  "node-fetch": { maxSafe: "2.6.7", cve: "CVE-2022-0235", severity: "high", desc: "Information exposure in node-fetch" },
+  "express": { maxSafe: "4.19.2", cve: "CVE-2024-29041", severity: "medium", desc: "Open redirect in express" }
+};
+function checkKnownVulnerableDeps(deps, manifest) {
+  const vulns = [];
+  for (const [name, version] of Object.entries(deps)) {
+    const known = KNOWN_VULNERABLE_NPM[name];
+    if (known) {
+      const cleanVersion = version.replace(/^[\^~>=<]+/, "");
+      if (compareVersions(cleanVersion, known.maxSafe) < 0) {
+        vulns.push({
+          id: `DEP-${name}-${known.cve}`,
+          title: `Vulnerable ${name} version`,
+          severity: known.severity,
+          category: "vulnerable-components",
+          location: { file: manifest, dependency: { name, version: cleanVersion } },
+          description: known.desc,
+          remediation: `Upgrade ${name} to >= ${known.maxSafe}`,
+          cveId: known.cve,
+          references: [`https://nvd.nist.gov/vuln/detail/${known.cve}`]
+        });
+      }
+    }
+  }
+  return vulns;
+}
+var KNOWN_VULNERABLE_PYTHON = {
+  "python-jose": { cve: "CVE-2024-33663", severity: "critical", desc: "python-jose is abandoned and has known JWT vulnerabilities" },
+  "pyjwt": { cve: "CVE-2022-29217", severity: "high", desc: "PyJWT algorithm confusion vulnerability (upgrade to >= 2.4.0)" },
+  "python-multipart": { cve: "CVE-2026-24486", severity: "high", desc: "python-multipart DoS vulnerability" },
+  "jinja2": { cve: "CVE-2024-34064", severity: "medium", desc: "Jinja2 XSS via template injection" },
+  "urllib3": { cve: "CVE-2023-45803", severity: "medium", desc: "urllib3 request body exposure on redirect" },
+  "requests": { cve: "CVE-2023-32681", severity: "medium", desc: "Requests proxy credential exposure" }
+};
+function extractPythonDeps(tomlContent) {
+  const deps = [];
+  const depMatch = tomlContent.match(/dependencies\s*=\s*\[([\s\S]*?)\]/);
+  if (depMatch) {
+    const matches = depMatch[1].matchAll(/["']([a-zA-Z0-9_-]+)/g);
+    for (const m74 of matches) {
+      deps.push(m74[1].toLowerCase());
+    }
+  }
+  return deps;
+}
+function extractRequirementsTxtDeps(content) {
+  return content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((line) => line.split(/[>=<!~\[]/)[0].trim().toLowerCase()).filter(Boolean);
+}
+function checkKnownVulnerablePythonDeps(deps, manifest) {
+  const vulns = [];
+  for (const dep of deps) {
+    const known = KNOWN_VULNERABLE_PYTHON[dep];
+    if (known) {
+      vulns.push({
+        id: `DEP-py-${dep}-${known.cve}`,
+        title: `Vulnerable Python dependency: ${dep}`,
+        severity: known.severity,
+        category: "vulnerable-components",
+        location: { file: manifest, dependency: { name: dep, version: "any" } },
+        description: known.desc,
+        remediation: dep === "python-jose" ? "Migrate to PyJWT or joserfc" : `Check for updates to ${dep}`,
+        cveId: known.cve,
+        references: [`https://nvd.nist.gov/vuln/detail/${known.cve}`]
+      });
+    }
+  }
+  return vulns;
+}
+function compareVersions(a37, b68) {
+  const pa9 = a37.split(".").map(Number);
+  const pb = b68.split(".").map(Number);
+  for (let i58 = 0; i58 < 3; i58++) {
+    const va5 = pa9[i58] || 0;
+    const vb = pb[i58] || 0;
+    if (va5 < vb) return -1;
+    if (va5 > vb) return 1;
+  }
+  return 0;
 }
 function generateDASTFindings(url) {
   return [
     {
-      id: "DAST-001",
-      title: "Missing Security Headers",
-      severity: "medium",
+      id: "DAST-INFO-001",
+      title: "DAST scan target noted",
+      severity: "informational",
       category: "security-misconfiguration",
       location: { file: url },
-      description: "X-Frame-Options and Content-Security-Policy headers missing",
-      remediation: "Add security headers to HTTP responses",
-      references: ["https://owasp.org/www-project-secure-headers/"]
+      description: `DAST target ${url} recorded. Full DAST requires integration with a dynamic scanner (e.g., ZAP, Burp).`,
+      remediation: "Configure a DAST tool to scan the live application",
+      references: ["https://owasp.org/www-project-zap/"]
     }
   ];
 }
@@ -143441,6 +144009,9 @@ function generateRecommendations5(vulnerabilities, summary) {
   if (vulnerabilities.some((v62) => v62.category === "sensitive-data")) {
     recs.push("Implement proper secrets management");
   }
+  if (vulnerabilities.some((v62) => v62.category === "vulnerable-components")) {
+    recs.push("Run full dependency audit and update vulnerable packages");
+  }
   if (recs.length === 0) {
     recs.push("No critical issues found. Continue regular security reviews.");
   }
@@ -147777,7 +148348,7 @@ function getSharedGOAPPlanner() {
 }
 
 // src/planning/plan-executor.ts
-init_better_sqlite3();
+init_safe_db();
 init_unified_memory();
 init_error_utils();
 init_safe_json();
@@ -147812,7 +148383,7 @@ var PlanExecutor = class {
     this.spawner = spawner;
     this.config = { ...DEFAULT_CONFIG69, ...config };
     if (!this.config.useUnified) {
-      this.db = new better_sqlite3_default(dbPath ?? ":memory:");
+      this.db = openDatabase(dbPath ?? ":memory:", { walMode: false });
       this.db.pragma("journal_mode = WAL");
     }
   }
@@ -149756,7 +150327,7 @@ init_logging();
 init_types();
 
 // src/learning/v2-to-v3-migration.ts
-init_better_sqlite3();
+init_safe_db();
 init_error_utils();
 init_safe_json();
 init_logging();
@@ -150201,7 +150772,7 @@ init_logging();
 var logger17 = LoggerFactory.create("pattern-lifecycle");
 
 // src/learning/metrics-tracker.ts
-init_better_sqlite3();
+init_safe_db();
 init_qe_patterns();
 init_safe_json();
 init_logging();