agentic-qe 3.7.20 → 3.7.22

package/dist/cli/commands/hooks.js

@@ -358,7 +358,24 @@ async function consolidateExperiencesToPatterns() {
         await um.initialize();
     }
     const db = um.getDatabase();
-    // Aggregate unprocessed experiences by domain+agent with quality thresholds
+    // Ensure consolidation columns exist (may be missing on older DBs)
+    const existingCols = new Set(db.prepare('PRAGMA table_info(captured_experiences)').all().map(c => c.name));
+    const migrations = [
+        ['consolidated_into', 'TEXT DEFAULT NULL'],
+        ['consolidation_count', 'INTEGER DEFAULT 1'],
+        ['quality_updated_at', 'TEXT DEFAULT NULL'],
+        ['reuse_success_count', 'INTEGER DEFAULT 0'],
+        ['reuse_failure_count', 'INTEGER DEFAULT 0'],
+    ];
+    for (const [col, def] of migrations) {
+        if (!existingCols.has(col)) {
+            db.exec(`ALTER TABLE captured_experiences ADD COLUMN ${col} ${def}`);
+        }
+    }
+    // Aggregate unprocessed experiences by domain+agent with quality thresholds.
+    // Exclude 'cli-hook' agent — these are low-quality hook telemetry events
+    // (quality ~0.40, success_rate ~0.24) that flood the pipeline and block
+    // real pattern creation. See issue #348.
     const aggregates = db.prepare(`
     SELECT
       domain,
@@ -371,6 +388,7 @@ async function consolidateExperiencesToPatterns() {
       GROUP_CONCAT(DISTINCT source) as sources
     FROM captured_experiences
     WHERE application_count = 0
+      AND agent != 'cli-hook'
     GROUP BY domain, agent
     HAVING cnt >= 3 AND avg_quality >= 0.5 AND success_rate >= 0.6
     ORDER BY avg_quality DESC
@@ -382,20 +400,25 @@ async function consolidateExperiencesToPatterns() {
     let created = 0;
     for (const agg of aggregates) {
         try {
-            // Check for existing pattern with same domain+agent to avoid duplicates
+            // Use date-bucketed names so new patterns emerge as usage evolves,
+            // instead of silently reinforcing one static pattern forever.
+            const dateBucket = new Date().toISOString().slice(0, 7); // YYYY-MM
+            const patternName = `${agg.agent}-${agg.domain}-${dateBucket}`;
+            // Check for existing pattern with same name this month
             const existing = db.prepare(`
         SELECT id FROM qe_patterns
         WHERE qe_domain = ? AND name = ?
         LIMIT 1
-      `).get(agg.domain, `${agg.agent}-session-pattern`);
+      `).get(agg.domain, patternName);
             if (existing) {
-                // Reinforce existing pattern instead of creating duplicate
+                // Reinforce existing monthly pattern
                 db.prepare(`
           UPDATE qe_patterns
           SET usage_count = usage_count + ?,
               successful_uses = successful_uses + ?,
               confidence = MIN(0.99, confidence + 0.01),
-              quality_score = MIN(0.99, quality_score + 0.005)
+              quality_score = MIN(0.99, quality_score + 0.005),
+              updated_at = datetime('now')
           WHERE id = ?
         `).run(agg.cnt, agg.successes, existing.id);
             }
@@ -409,7 +432,7 @@ async function consolidateExperiencesToPatterns() {
             confidence, usage_count, success_rate, quality_score, tier,
             template_json, context_json, created_at, successful_uses
           ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), ?)
-        `).run(patternId, 'workflow', agg.domain, agg.domain, `${agg.agent}-session-pattern`, `Auto-consolidated from ${agg.cnt} experiences. Agent: ${agg.agent}, success rate: ${(agg.success_rate * 100).toFixed(0)}%`, confidence, agg.cnt, agg.success_rate, qualityScore, 'short-term', JSON.stringify({ type: 'workflow', content: `${agg.agent} pattern for ${agg.domain}`, variables: [] }), JSON.stringify({ tags: (agg.sources || '').split(','), sourceType: 'session-consolidation', extractedAt: new Date().toISOString() }), agg.successes);
+        `).run(patternId, 'workflow', agg.domain, agg.domain, patternName, `Auto-consolidated from ${agg.cnt} experiences. Agent: ${agg.agent}, success rate: ${(agg.success_rate * 100).toFixed(0)}%`, confidence, agg.cnt, agg.success_rate, qualityScore, 'short-term', JSON.stringify({ type: 'workflow', content: `${agg.agent} pattern for ${agg.domain}`, variables: [] }), JSON.stringify({ tags: (agg.sources || '').split(','), sourceType: 'session-consolidation', extractedAt: new Date().toISOString() }), agg.successes);
                 created++;
             }
             // Mark experiences as processed

package/dist/cli/commands/init.js

@@ -28,7 +28,6 @@ export function createInitCommand() {
         .description('Initialize Agentic QE v3 in your project')
         .option('-a, --auto', 'Auto-configure without prompts')
         .option('-u, --upgrade', 'Upgrade existing installation (overwrites skills, agents, validation)')
-        .option('--auto-migrate', 'Automatically migrate from v2 if detected')
         .option('--minimal', 'Minimal installation (no skills, patterns, or workers)')
         .option('--skip-patterns', 'Skip pattern loading')
         .option('--with-n8n', 'Include n8n workflow testing platform')
@@ -57,14 +56,6 @@ export function createInitCommand() {
         .action(async () => {
         await checkStatus();
     });
-    initCmd
-        .command('migrate')
-        .description('Migrate from v2 to v3')
-        .option('--dry-run', 'Show what would be migrated without making changes')
-        .option('--force', 'Force migration even if v3 already exists')
-        .action(async (migrateOptions) => {
-        await runMigration(migrateOptions);
-    });
     initCmd
         .command('reset')
         .description('Reset AQE configuration (keeps data)')
@@ -87,11 +78,10 @@ async function runInit(options) {
     // Check if already initialized
     const aqeDir = path.join(projectRoot, '.agentic-qe');
     const isExisting = existsSync(aqeDir);
-    if (isExisting && !options.auto && !options.autoMigrate && !options.upgrade) {
+    if (isExisting && !options.auto && !options.upgrade) {
         console.log(chalk.yellow('  ⚠ AQE directory already exists at:'), aqeDir);
         console.log(chalk.gray('    Use --auto to update configuration (keeps existing skills)'));
         console.log(chalk.gray('    Use --upgrade to update all skills, agents, and validation'));
-        console.log(chalk.gray('    Use --auto-migrate to migrate from v2'));
         console.log('');
     }
     // Expand --with-all-platforms into individual flags
@@ -110,7 +100,6 @@ async function runInit(options) {
         projectRoot,
         autoMode: options.auto,
         upgrade: options.upgrade,
-        autoMigrate: options.autoMigrate,
         minimal: options.minimal,
         skipPatterns: options.skipPatterns,
         withN8n: options.withN8n,
@@ -223,67 +212,6 @@ async function checkStatus() {
     }
     console.log('');
 }
-/**
- * Run v2 to v3 migration
- */
-async function runMigration(options) {
-    const projectRoot = process.cwd();
-    const aqeDir = path.join(projectRoot, '.agentic-qe');
-    console.log('');
-    console.log(chalk.bold.blue('  AQE v2 to v3 Migration'));
-    console.log(chalk.gray('  ──────────────────────────'));
-    console.log('');
-    // Import migration modules
-    const { createV2Detector, createV2DataMigrator, createV2ConfigMigrator } = await import('../../init/migration/index.js');
-    // Detect v2
-    const detector = createV2Detector(projectRoot);
-    const v2Info = await detector.detect();
-    if (!v2Info.detected) {
-        console.log(chalk.yellow('  ⚠ No v2 installation detected'));
-        console.log(chalk.gray('    Run "aqe init" to create a new installation'));
-        console.log('');
-        return;
-    }
-    console.log(chalk.green('  ✓ Found v2 installation'));
-    console.log(chalk.gray(`    Database: ${v2Info.paths.memoryDb || 'not found'}`));
-    console.log(chalk.gray(`    Config: ${v2Info.paths.configDir || 'not found'}`));
-    console.log(chalk.gray(`    Version: ${v2Info.version || 'unknown'}`));
-    console.log('');
-    if (options.dryRun) {
-        console.log(chalk.yellow('  Dry run - no changes will be made'));
-        console.log('');
-        return;
-    }
-    // Run migration
-    console.log(chalk.blue('  Migrating data...'));
-    if (v2Info.paths.memoryDb) {
-        const dataMigrator = createV2DataMigrator({
-            v2DbPath: v2Info.paths.memoryDb,
-            v3PatternsDbPath: path.join(aqeDir, 'patterns.db'),
-            onProgress: (p) => console.log(chalk.gray(`    ${p.message}`)),
-        });
-        const dataResult = await dataMigrator.migrate();
-        if (dataResult.success) {
-            console.log(chalk.green(`  ✓ Migrated ${dataResult.counts.patterns || 0} patterns`));
-            console.log(chalk.green(`  ✓ Migrated ${dataResult.counts.experiences || 0} experiences`));
-        }
-        else {
-            console.log(chalk.red(`  ✗ Data migration failed: ${dataResult.errors.join(', ')}`));
-        }
-    }
-    const configMigrator = createV2ConfigMigrator(projectRoot);
-    const configResult = await configMigrator.migrate();
-    if (configResult.success) {
-        console.log(chalk.green('  ✓ Config migrated'));
-    }
-    else {
-        console.log(chalk.yellow('  ⚠ Config migration skipped (no v2 config found)'));
-    }
-    console.log('');
-    console.log(chalk.green('  Migration complete!'));
-    console.log(chalk.gray('    Run "aqe init" to complete setup'));
-    console.log('');
-}
 /**
  * Reset AQE configuration
  */

package/dist/cli/commands/learning.js

@@ -13,7 +13,7 @@ import { Command } from 'commander';
 import chalk from 'chalk';
 import path from 'node:path';
 import { findProjectRoot } from '../../kernel/unified-memory.js';
-import { existsSync, writeFileSync, readFileSync, mkdirSync, copyFileSync } from 'node:fs';
+import { existsSync, writeFileSync, readFileSync, mkdirSync, copyFileSync, renameSync } from 'node:fs';
 import { safeJsonParse } from '../../shared/safe-json.js';
 import { stat, unlink } from 'node:fs/promises';
 import { QE_DOMAIN_LIST } from '../../learning/qe-patterns.js';
@@ -62,6 +62,7 @@ Examples:
     registerExportFullCommand(learning);
     registerImportMergeCommand(learning);
     registerDreamCommand(learning);
+    registerRepairCommand(learning);
     return learning;
 }
 // ============================================================================
@@ -372,15 +373,19 @@ function registerExtractCommand(learning) {
             console.log(`  Min occurrences: ${minCount}\n`);
             const db = openDatabase(dbPath, { readonly: true });
             const experiences = db.prepare(`
-          SELECT task_type, COUNT(*) as count, AVG(reward) as avg_reward, MAX(reward) as max_reward,
-                 MIN(reward) as min_reward, GROUP_CONCAT(DISTINCT action) as actions
-          FROM learning_experiences WHERE reward >= ? GROUP BY task_type HAVING COUNT(*) >= ? ORDER BY avg_reward DESC
+          SELECT domain as task_type, COUNT(*) as count, AVG(quality) as avg_reward, MAX(quality) as max_reward,
+                 MIN(quality) as min_reward, GROUP_CONCAT(DISTINCT agent) as actions
+          FROM captured_experiences WHERE quality >= ? AND agent != 'cli-hook' GROUP BY domain HAVING COUNT(*) >= ? ORDER BY avg_reward DESC
         `).all(minReward, minCount);
-            const memoryPatterns = db.prepare(`
-          SELECT substr(key, 1, 40) as key_prefix, COUNT(*) as count
-          FROM memory_entries WHERE key LIKE 'phase2/learning/%'
-          GROUP BY substr(key, 1, 40) HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC LIMIT 20
-        `).all(minCount);
+            let memoryPatterns = [];
+            try {
+                memoryPatterns = db.prepare(`
+            SELECT substr(key, 1, 40) as key_prefix, COUNT(*) as count
+            FROM memory_entries WHERE key LIKE 'phase2/learning/%'
+            GROUP BY substr(key, 1, 40) HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC LIMIT 20
+          `).all(minCount);
+            }
+            catch { /* memory_entries table may not exist */ }
             db.close();
             const extractedPatterns = [];
             for (const exp of experiences) {
@@ -689,7 +694,7 @@ function registerVerifyCommand(learning) {
             let tableCounts = {};
             try {
                 const db = openDatabase(dbPath, { readonly: true });
-                for (const table of ['qe_patterns', 'qe_trajectories', 'learning_experiences', 'kv_store', 'vectors']) {
+                for (const table of ['qe_patterns', 'qe_trajectories', 'captured_experiences', 'kv_store', 'vectors']) {
                     try {
                         const r = db.prepare(`SELECT COUNT(*) as count FROM ${table}`).get();
                         tableCounts[table] = r.count;
@@ -770,9 +775,9 @@ function registerExportFullCommand(learning) {
             if (options.includeExperiences) {
                 try {
                     const db = openDatabase(dbPath, { readonly: true });
-                    const experiences = db.prepare(`SELECT task_type, action, AVG(reward) as avg_reward, COUNT(*) as count FROM learning_experiences GROUP BY task_type, action ORDER BY count DESC LIMIT 500`).all();
+                    const experiences = db.prepare(`SELECT domain as task_type, agent as action, AVG(quality) as avg_reward, COUNT(*) as count FROM captured_experiences WHERE agent != 'cli-hook' GROUP BY domain, agent ORDER BY count DESC LIMIT 500`).all();
                     exportData.experiences = experiences.map(e => ({ taskType: e.task_type, action: e.action, reward: e.avg_reward, count: e.count }));
-                    const metaRow = db.prepare(`SELECT COUNT(*) as total, AVG(reward) as avg_reward FROM learning_experiences`).get();
+                    const metaRow = db.prepare(`SELECT COUNT(*) as total, AVG(quality) as avg_reward FROM captured_experiences WHERE agent != 'cli-hook'`).get();
                     exportData.metadata = { totalExperiences: metaRow.total, avgReward: metaRow.avg_reward };
                     db.close();
                 }
@@ -1136,6 +1141,153 @@ function registerDreamCommand(learning) {
     });
 }
 // ============================================================================
+// Subcommand: repair
+// ============================================================================
+function registerRepairCommand(learning) {
+    learning
+        .command('repair')
+        .description('Repair a corrupted learning database (dump + reimport to rebuild indexes)')
+        .option('-f, --file <path>', 'Database file to repair (defaults to current project)')
+        .option('--dry-run', 'Show what would be done without modifying files')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        try {
+            const dbPath = options.file ? path.resolve(options.file) : getDbPath();
+            if (!existsSync(dbPath))
+                throw new Error(`Database file not found: ${dbPath}`);
+            // Step 1: Check integrity first
+            const integrityResult = await verifyDatabaseIntegrity(dbPath);
+            if (integrityResult.valid) {
+                if (options.json) {
+                    printJson({ status: 'healthy', message: 'Database is already healthy, no repair needed', path: dbPath });
+                }
+                else {
+                    printSuccess('Database integrity check passed — no repair needed.');
+                }
+                process.exit(0);
+            }
+            printInfo(`Corruption detected: ${integrityResult.message}`);
+            // Step 2: Count rows before repair
+            let rowCountsBefore = {};
+            try {
+                const db = openDatabase(dbPath, { readonly: true });
+                const tables = db.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").all();
+                for (const t of tables) {
+                    try {
+                        const r = db.prepare(`SELECT COUNT(*) as count FROM "${t.name}"`).get();
+                        rowCountsBefore[t.name] = r.count;
+                    }
+                    catch { /* corrupted table, count what we can */ }
+                }
+                db.close();
+            }
+            catch { /* ignore count failures */ }
+            const totalBefore = Object.values(rowCountsBefore).reduce((a, b) => a + b, 0);
+            printInfo(`Found ${Object.keys(rowCountsBefore).length} tables, ~${totalBefore} total rows`);
+            if (options.dryRun) {
+                if (options.json) {
+                    printJson({ status: 'dry-run', corruptionDetected: true, message: integrityResult.message, tables: rowCountsBefore, totalRows: totalBefore });
+                }
+                else {
+                    console.log(chalk.bold('\nDry run — would perform these steps:'));
+                    console.log('  1. Backup corrupted DB');
+                    console.log('  2. Dump all data via .dump');
+                    console.log('  3. Reimport into fresh DB (rebuilds all indexes)');
+                    console.log('  4. Verify integrity of repaired DB');
+                    console.log('  5. Verify row counts match');
+                    console.log('  6. Swap repaired DB into place');
+                    console.log('');
+                }
+                process.exit(0);
+            }
+            // Step 3: Backup
+            const backupPath = `${dbPath}.bak-${Date.now()}`;
+            copyFileSync(dbPath, backupPath);
+            printInfo(`Backup created: ${backupPath}`);
+            // Step 4: Remove stale WAL/SHM
+            for (const suffix of ['-wal', '-shm']) {
+                const walFile = dbPath + suffix;
+                if (existsSync(walFile)) {
+                    await unlink(walFile);
+                }
+            }
+            // Step 5: Dump and reimport using sqlite3 CLI
+            const { execSync } = await import('node:child_process');
+            const repairedPath = `${dbPath}.repaired`;
+            const dumpPath = `${dbPath}.dump.sql`;
+            try {
+                // Dump all data
+                execSync(`sqlite3 "${dbPath}" ".dump" > "${dumpPath}"`, { stdio: 'pipe', timeout: 120000 });
+                // Reimport into fresh DB
+                execSync(`sqlite3 "${repairedPath}" < "${dumpPath}"`, { stdio: 'pipe', timeout: 120000 });
+                // Enable WAL on repaired DB
+                execSync(`sqlite3 "${repairedPath}" "PRAGMA journal_mode=WAL;"`, { stdio: 'pipe' });
+            }
+            catch (dumpError) {
+                // Clean up partial files
+                if (existsSync(repairedPath))
+                    await unlink(repairedPath);
+                if (existsSync(dumpPath))
+                    await unlink(dumpPath);
+                throw new Error(`sqlite3 dump/reimport failed: ${dumpError instanceof Error ? dumpError.message : 'unknown'}. Is sqlite3 installed?`);
+            }
+            // Step 6: Verify repaired DB
+            const repairedIntegrity = await verifyDatabaseIntegrity(repairedPath);
+            if (!repairedIntegrity.valid) {
+                if (existsSync(dumpPath))
+                    await unlink(dumpPath);
+                throw new Error(`Repaired DB still has integrity issues: ${repairedIntegrity.message}. Backup preserved at ${backupPath}`);
+            }
+            // Step 7: Verify row counts
+            let rowCountsAfter = {};
+            const repairedDb = openDatabase(repairedPath, { readonly: true });
+            const repairedTables = repairedDb.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").all();
+            for (const t of repairedTables) {
+                try {
+                    const r = repairedDb.prepare(`SELECT COUNT(*) as count FROM "${t.name}"`).get();
+                    rowCountsAfter[t.name] = r.count;
+                }
+                catch { /* skip */ }
+            }
+            repairedDb.close();
+            const totalAfter = Object.values(rowCountsAfter).reduce((a, b) => a + b, 0);
+            // Step 8: Swap
+            renameSync(dbPath, `${dbPath}.pre-repair`);
+            renameSync(repairedPath, dbPath);
+            // Clean up dump file
+            if (existsSync(dumpPath))
+                await unlink(dumpPath);
+            if (options.json) {
+                printJson({
+                    status: 'repaired',
+                    backupPath,
+                    rowsBefore: totalBefore,
+                    rowsAfter: totalAfter,
+                    tablesRepaired: Object.keys(rowCountsAfter).length,
+                    rowCounts: rowCountsAfter,
+                });
+            }
+            else {
+                printSuccess('Database repaired successfully!');
+                console.log(`  Backup:       ${backupPath}`);
+                console.log(`  Rows before:  ${totalBefore}`);
+                console.log(`  Rows after:   ${totalAfter}`);
+                if (totalAfter < totalBefore) {
+                    console.log(chalk.yellow(`  Warning: ${totalBefore - totalAfter} rows may have been lost due to data page corruption`));
+                }
+                console.log(`  Tables:       ${Object.keys(rowCountsAfter).length}`);
+                console.log(`  Integrity:    ${chalk.green('OK')}`);
+                console.log('');
+            }
+            process.exit(0);
+        }
+        catch (error) {
+            printError(`repair failed: ${error instanceof Error ? error.message : 'unknown'}`);
+            process.exit(1);
+        }
+    });
+}
+// ============================================================================
 // Exports
 // ============================================================================
 export { initializeLearningSystem } from './learning-helpers.js';

package/dist/cli/handlers/init-handler.d.ts

@@ -40,7 +40,6 @@ interface InitOptions {
     withWindsurf?: boolean;
     withContinuedev?: boolean;
     withAllPlatforms?: boolean;
-    autoMigrate?: boolean;
     withClaudeFlow?: boolean;
     skipClaudeFlow?: boolean;
     noGovernance?: boolean;

package/dist/cli/handlers/init-handler.js

@@ -72,10 +72,6 @@ export class InitHandler {
                 options.withWindsurf = true;
                 options.withContinuedev = true;
             }
-            // --auto-migrate implies --auto (must use orchestrator for migration)
-            if (options.autoMigrate && !options.auto && !options.wizard) {
-                options.auto = true;
-            }
             // --upgrade implies --auto (must use modular orchestrator to overwrite files)
             if (options.upgrade && !options.auto && !options.wizard) {
                 options.auto = true;
@@ -118,7 +114,6 @@ export class InitHandler {
             withCodex: options.withCodex,
             withWindsurf: options.withWindsurf,
             withContinueDev: options.withContinuedev,
-            autoMigrate: options.autoMigrate,
             noGovernance: options.noGovernance,
         });
         console.log(chalk.white('  Analyzing project...\n'));
@@ -192,7 +187,6 @@ export class InitHandler {
             minimal: options.minimal,
             skipPatterns: options.skipPatterns,
             withN8n: options.withN8n,
-            autoMigrate: options.autoMigrate,
         };
         const orchestrator = new InitOrchestrator(orchestratorOptions);
         if (options.wizard) {

package/dist/cli/index.js

@@ -790,7 +790,6 @@ import { createCoverageCommand } from './commands/coverage.js';
 import { createQualityCommand } from './commands/quality.js';
 import { createSecurityCommand } from './commands/security.js';
 import { createCodeCommand } from './commands/code.js';
-import { createMigrateCommand } from './commands/migrate.js';
 import { createCompletionsCommand } from './commands/completions.js';
 import { createFleetCommand } from './commands/fleet.js';
 import { createValidateSwarmCommand } from './commands/validate-swarm.js';
@@ -803,7 +802,6 @@ program.addCommand(createCoverageCommand(context, cleanupAndExit, ensureInitiali
 program.addCommand(createQualityCommand(context, cleanupAndExit, ensureInitialized));
 program.addCommand(createSecurityCommand(context, cleanupAndExit, ensureInitialized));
 program.addCommand(createCodeCommand(context, cleanupAndExit, ensureInitialized));
-program.addCommand(createMigrateCommand(context, cleanupAndExit, ensureInitialized));
 program.addCommand(createCompletionsCommand(cleanupAndExit));
 program.addCommand(createFleetCommand(context, cleanupAndExit, ensureInitialized, registerDomainWorkflowActions));
 program.addCommand(createValidateSwarmCommand(context, cleanupAndExit, ensureInitialized));

package/dist/context/sources/defect-source.js

@@ -19,8 +19,8 @@ export class DefectContextSource {
             if (!existsSync(dbPath)) {
                 return [];
             }
-            const Database = (await import('better-sqlite3')).default;
-            const db = new Database(dbPath, { readonly: true });
+            const { openDatabase } = await import('../../shared/safe-db.js');
+            const db = openDatabase(dbPath, { readonly: true });
             try {
                 // Check if patterns table exists
                 const tableCheck = db.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='qe_patterns'").get();

package/dist/context/sources/memory-source.js

@@ -20,8 +20,8 @@ export class MemoryContextSource {
                 return this.fallbackGather(request);
             }
             // Dynamic import to avoid hard dependency
-            const Database = (await import('better-sqlite3')).default;
-            const db = new Database(dbPath, { readonly: true });
+            const { openDatabase } = await import('../../shared/safe-db.js');
+            const db = openDatabase(dbPath, { readonly: true });
             try {
                 // Query patterns relevant to the task domain
                 const domainKeywords = this.extractDomainKeywords(request.taskDescription);

package/dist/context/sources/requirements-source.js

@@ -18,8 +18,8 @@ export class RequirementsContextSource {
             if (!existsSync(dbPath)) {
                 return this.fallbackGather(request);
             }
-            const Database = (await import('better-sqlite3')).default;
-            const db = new Database(dbPath, { readonly: true });
+            const { openDatabase } = await import('../../shared/safe-db.js');
+            const db = openDatabase(dbPath, { readonly: true });
             try {
                 // Check if requirements table exists
                 const tableCheck = db.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='qe_patterns'").get();

package/dist/coordination/protocols/security-audit.d.ts

@@ -169,14 +169,11 @@ export declare class SecurityAuditProtocol {
      */
     execute(trigger: SecurityAuditTrigger): Promise<Result<SecurityAuditResult>>;
     /**
-     * Scan for vulnerabilities using SAST
-     * Delegates to real SecurityScannerService with semgrep integration when available
+     * Scan for vulnerabilities using SAST.
+     * SASTScanner now integrates semgrep internally (runs alongside pattern scanning
+     * when semgrep is installed), so no separate fallback is needed here.
      */
     scanVulnerabilities(options: SecurityAuditOptions): Promise<Result<SASTResult>>;
-    /**
-     * Map semgrep OWASP category to VulnerabilityCategory
-     */
-    private mapSemgrepCategory;
     /**
      * Scan dependencies for vulnerabilities
      * Delegates to real SecurityScannerService which uses OSV API for real vulnerability data

package/dist/coordination/protocols/security-audit.js

@@ -10,6 +10,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { ok, err, } from '../../shared/types/index.js';
 import { FilePath, RiskScore } from '../../shared/value-objects/index.js';
 import { createEvent, } from '../../shared/events/domain-events.js';
+// Semgrep is now integrated directly into SASTScanner (no coordination-layer fallback needed)
 import { toError } from '../../shared/error-utils.js';
 // CQ-005: Use DomainServiceRegistry instead of dynamic imports from domains/
 import { DomainServiceRegistry, ServiceKeys } from '../../shared/domain-service-registry.js';
@@ -22,18 +23,6 @@ function resolveSecurityScannerService(memory) {
     const factory = DomainServiceRegistry.resolve(ServiceKeys.SecurityScannerService);
     return factory(memory);
 }
-function resolveIsSemgrepAvailable() {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.isSemgrepAvailable);
-    return fn();
-}
-function resolveRunSemgrepWithRules(targetPath, ruleSetIds) {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.runSemgrepWithRules);
-    return fn(targetPath, ruleSetIds);
-}
-function resolveConvertSemgrepFindings(findings) {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.convertSemgrepFindings);
-    return fn(findings);
-}
 // ============================================================================
 // Protocol Events
 // ============================================================================
@@ -208,8 +197,9 @@ export class SecurityAuditProtocol {
     // Scanning Methods
     // ==========================================================================
     /**
-     * Scan for vulnerabilities using SAST
-     * Delegates to real SecurityScannerService with semgrep integration when available
+     * Scan for vulnerabilities using SAST.
+     * SASTScanner now integrates semgrep internally (runs alongside pattern scanning
+     * when semgrep is installed), so no separate fallback is needed here.
      */
     async scanVulnerabilities(options) {
         try {
@@ -219,96 +209,26 @@ export class SecurityAuditProtocol {
                 return err(agentId.error);
             }
             const files = this.config.scanPaths.map(path => FilePath.create(path));
-            // Try real SecurityScannerService first
             try {
                 const scanner = this.getSecurityScanner();
                 const ruleSetIds = options.ruleSetIds || ['owasp-top-10', 'cwe-sans-25'];
+                // SASTScanner.scanWithRules now runs pattern scanning + semgrep in parallel
                 const scanResult = await scanner.scanWithRules(files, ruleSetIds);
                 if (scanResult.success) {
                     return ok(scanResult.value);
                 }
-                // If scanner fails, continue to fallback
+                return err(scanResult.error);
             }
             catch (scannerError) {
-                // Scanner unavailable - log and continue to fallback
                 await this.memory.set('security-audit:scanner-error', { error: String(scannerError), timestamp: new Date().toISOString() }, { namespace: 'security-compliance', ttl: 3600 });
+                return err(new Error(`SAST scanning failed: ${String(scannerError)}. ` +
+                    'Ensure SecurityScannerService is properly configured.'));
             }
-            // Try semgrep if available as secondary option
-            const semgrepAvailable = await resolveIsSemgrepAvailable();
-            if (semgrepAvailable) {
-                try {
-                    const semgrepResult = await resolveRunSemgrepWithRules(this.config.scanPaths[0] || '.', options.ruleSetIds || ['owasp-top-10']);
-                    if (semgrepResult.success && semgrepResult.findings.length > 0) {
-                        const convertedFindings = resolveConvertSemgrepFindings(semgrepResult.findings);
-                        const vulnerabilities = convertedFindings.map(f => ({
-                            id: uuidv4(),
-                            cveId: undefined,
-                            title: f.title,
-                            description: f.description,
-                            severity: f.severity,
-                            category: this.mapSemgrepCategory(f.owaspCategory || 'injection'),
-                            location: {
-                                file: f.file,
-                                line: f.line,
-                                column: f.column,
-                                snippet: f.snippet,
-                            },
-                            remediation: {
-                                description: f.remediation,
-                                estimatedEffort: 'moderate',
-                                automatable: false,
-                            },
-                            references: f.references,
-                        }));
-                        const summary = this.calculateSummary(vulnerabilities);
-                        return ok({
-                            scanId: uuidv4(),
-                            vulnerabilities,
-                            summary,
-                            coverage: {
-                                filesScanned: files.length,
-                                linesScanned: vulnerabilities.length * 50,
-                                rulesApplied: 45,
-                            },
-                        });
-                    }
-                }
-                catch (semgrepError) {
-                    // Semgrep failed - log error
-                    await this.memory.set('security-audit:semgrep-error', { error: String(semgrepError), timestamp: new Date().toISOString() }, { namespace: 'security-compliance', ttl: 3600 });
-                }
-            }
-            // NO FALLBACK - Security scans must either succeed or fail explicitly
-            // An empty vulnerability list would falsely indicate "scan succeeded, nothing found"
-            // when in reality we couldn't scan at all
-            return err(new Error('SAST scanning unavailable: neither SecurityScannerService nor semgrep could execute. ' +
-                'Install semgrep (pip install semgrep) or ensure SecurityScannerService is properly configured.'));
         }
         catch (error) {
             return err(toError(error));
         }
     }
-    /**
-     * Map semgrep OWASP category to VulnerabilityCategory
-     */
-    mapSemgrepCategory(owaspCategory) {
-        const categoryMap = {
-            'A01': 'access-control',
-            'A02': 'sensitive-data',
-            'A03': 'injection',
-            'A04': 'insecure-deserialization',
-            'A05': 'security-misconfiguration',
-            'A06': 'vulnerable-components',
-            'A07': 'broken-auth',
-            'A08': 'insecure-deserialization',
-            'A09': 'insufficient-logging',
-            'A10': 'xxe',
-            'injection': 'injection',
-            'xss': 'xss',
-            'broken-auth': 'broken-auth',
-        };
-        return categoryMap[owaspCategory] || 'security-misconfiguration';
-    }
     /**
      * Scan dependencies for vulnerabilities
      * Delegates to real SecurityScannerService which uses OSV API for real vulnerability data