agentic-qe 3.8.12 → 3.8.14

package/.claude/skills/qe-code-intelligence/SKILL.md

@@ -26,16 +26,19 @@ Guide the use of v3's code intelligence capabilities including knowledge graph c
 
 ```bash
 # Index codebase into knowledge graph
-aqe kg index --source src/ --incremental
+aqe code index src/ --incremental
 
 # Semantic code search
-aqe kg search "authentication middleware" --limit 10
+aqe code search "authentication middleware"
 
-# Query dependencies
-aqe kg deps --file src/services/UserService.ts --depth 3
+# Analyze change impact
+aqe code impact src/services/UserService.ts --depth 3
 
-# Get intelligent context
-aqe kg context --query "how does payment processing work"
+# Map dependencies
+aqe code deps src/
+
+# Analyze complexity and find hotspots
+aqe code complexity src/
 ```
 
 ## Agent Workflow
@@ -49,7 +52,7 @@ Task("Index codebase", `
   - Map relationships (imports, calls, inheritance)
   - Generate embeddings for semantic search
   Store in AgentDB vector database.
-`, "qe-knowledge-graph")
+`, "qe-kg-builder")
 
 // Semantic search
 Task("Find relevant code", `
@@ -58,7 +61,7 @@ Task("Find relevant code", `
   - Include related functions and types
   - Rank by relevance score
   - Return with minimal context (80% token reduction)
-`, "qe-semantic-searcher")
+`, "qe-code-intelligence")
 ```
 
 ## Knowledge Graph Operations
@@ -192,19 +195,25 @@ interface SearchResult {
 
 ```bash
 # Full reindex
-aqe kg index --source src/ --force
+aqe code index src/
+
+# Incremental index (changed files only)
+aqe code index src/ --incremental
 
-# Search with filters
-aqe kg search "database connection" --type function --file "*.service.ts"
+# Index only files changed since a git ref
+aqe code index . --git-since HEAD~5
+
+# Semantic code search
+aqe code search "database connection"
 
-# Show entity details
-aqe kg show --entity UserService --relations
+# Change impact analysis
+aqe code impact src/services/UserService.ts
 
-# Export graph
-aqe kg export --format dot --output codebase.dot
+# Dependency mapping
+aqe code deps src/ --depth 5
 
-# Statistics
-aqe kg stats
+# Complexity metrics and hotspots
+aqe code complexity src/ --format json
 ```
 
 ## Gotchas
@@ -213,10 +222,10 @@ aqe kg stats
 - Knowledge graph construction fails on repos >50K LOC — scope to specific modules
 - Semantic search returns irrelevant results without domain-specific embeddings — always verify search results manually
 - Agent claims "80% token reduction" but may skip critical context — verify key files are included in results
-- Fleet must be initialized before using: run `npx ruflo doctor --fix` if you get initialization errors
+- Fleet must be initialized before using: run `aqe health` to diagnose, or `aqe init` to re-initialize if you get initialization errors
 
 ## Coordination
 
-**Primary Agents**: qe-knowledge-graph, qe-semantic-searcher, qe-dependency-mapper
-**Coordinator**: qe-code-intelligence-coordinator
+**Primary Agents**: qe-kg-builder, qe-dependency-mapper, qe-impact-analyzer, qe-code-complexity
+**Coordinator**: qe-code-intelligence
 **Related Skills**: qe-test-generation, qe-defect-intelligence

package/.claude/skills/qe-code-intelligence/evals/qe-code-intelligence.yaml

@@ -50,8 +50,8 @@ mcp_integration:
   target_agents:
     - qe-learning-coordinator
     - qe-queen-coordinator
-    - qe-knowledge-graph
-    - qe-semantic-searcher
+    - qe-code-intelligence
+    - qe-kg-builder
 
 # =============================================================================
 # ReasoningBank Learning Configuration
@@ -449,7 +449,7 @@ success_criteria:
 # =============================================================================
 
 metadata:
-  author: "qe-knowledge-graph"
+  author: "qe-code-intelligence"
   created: "2026-02-02"
   last_updated: "2026-02-02"
   coverage_target: >

package/.claude/skills/qe-quality-assessment/SKILL.md

@@ -236,7 +236,7 @@ Read `run-history.json` before each run — alert if quality gate failed 3 of la
 - Completion theater: agent hardcoded version '3.0.0' instead of reading from package.json — verify actual values in output
 - Fix issues in priority waves (P0 → P1 → P2) with verification between each wave — don't fix everything in parallel
 - quality-assessment domain has 53.7% success rate — expect failures and have fallback
-- If HybridMemoryBackend initialization fails, run `npx ruflo doctor --fix` first
+- If HybridMemoryBackend initialization fails, run `aqe health` to diagnose, or `aqe init` to re-initialize
 
 ## Coordination
 

package/.claude/skills/qe-test-generation/SKILL.md

@@ -151,7 +151,7 @@ quality_checks:
 - Components that pass unit tests individually may have zero integration wiring — always generate at least one integration test per module boundary
 - When generating tests for a new codebase, check which framework is installed (jest vs vitest vs mocha) — they have different mock APIs and Claude will use the wrong one
 - Completion theater: agent may claim "comprehensive tests generated" but leave stubs or hardcoded values — always run the generated tests before accepting
-- Fleet must be initialized before using QE agents: run `npx ruflo doctor --fix` if you get "Fleet not initialized"
+- Fleet must be initialized before using QE agents: run `aqe health` to diagnose, or `aqe init` to re-initialize if you get "Fleet not initialized"
 
 ## Coordination
 

package/.claude/skills/skills-manifest.json

@@ -932,7 +932,7 @@
   },
   "metadata": {
     "generatedBy": "Agentic QE Fleet",
-    "fleetVersion": "3.8.12",
+    "fleetVersion": "3.8.14",
     "manifestVersion": "1.3.0",
     "lastUpdated": "2026-02-04T00:00:00.000Z",
     "contributors": [

package/CHANGELOG.md

@@ -5,6 +5,47 @@ All notable changes to the Agentic QE project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.8.14] - 2026-03-31
+
+### Fixed
+
+- **Security: SQL injection in witness-chain LIMIT/OFFSET** — Parameterized LIMIT and OFFSET values in `getEntries()` query instead of string interpolation. Also handles offset-without-limit correctly via SQLite `LIMIT -1` idiom, and `limit=0` now properly returns zero rows.
+- **Removed `@faker-js/faker` from 7 production generator files** — Replaced with lightweight `test-value-helpers.ts` using only `node:crypto`. Eliminates ~6 MB runtime dependency for npm consumers. Generators now work without devDependencies installed.
+- **`aqe init` hook paths break from subfolders** — Adopted `CLAUDE_PROJECT_DIR` pattern so hook commands resolve correctly regardless of working directory.
+- **Removed ruflo permissions from `aqe init`** — Only AQE-specific entries are injected into user settings; third-party tool permissions no longer leak in.
+- **Dead MCP `server.ts` removed (911 lines)** — Eliminated unused dual-server divergence risk; production uses `MCPProtocolServer` via `entry.ts`.
+- **CI publishes without test gate** — Added mandatory unit test pass gate to `npm-publish.yml`. Removed `continue-on-error` from `optimized-ci.yml` test steps.
+- **ESLint broken in ESM project** — Renamed `.eslintrc.js` to `.eslintrc.cjs` for CommonJS compatibility.
+- **Hardcoded version `3.0.0` in MCP servers** — `protocol-server.ts` and `http-server.ts` now read version dynamically from `package.json`.
+- **Vitest process hang on native modules** — Added worker-level `afterAll` force-exit and global teardown safety net for `better-sqlite3` / `hnswlib-node` handles.
+
+### Added
+
+- **`test-value-helpers.ts`** — Zero-dependency test data generator for test-generation domain using `node:crypto` built-ins with range guards for edge cases.
+- **Pagination edge case tests** — `limit=0`, offset-without-limit, and offset-beyond-total coverage in witness-chain tests.
+- **17 unit tests for test-value-helpers** — Covers all value generators including boundary inputs and inverted ranges.
+
+## [3.8.13] - 2026-03-30
+
+### Added
+
+- **Code intelligence CLI commands** — New `aqe code complexity` action with cyclomatic, cognitive, and Halstead metrics, hotspot detection, and JSON output. New `--incremental` and `--git-since <ref>` flags for `aqe code index` enabling git-aware incremental indexing.
+- **Code intelligence section in README** — CLI Reference now documents all 7 `aqe code` commands with usage examples.
+
+### Fixed
+
+- **Security: command injection in `--git-since`** — Replaced `execSync` with `execFileSync` to prevent shell injection via user-supplied git refs (CWE-78).
+- **Control flow bug in complexity action** — Added missing `return` after `cleanupAndExit()` calls that could cause null-pointer crashes.
+- **Stale CLI references across 20 files** — Replaced non-existent `aqe kg` commands with correct `aqe code` syntax in all skill files, eval configs, docs, and catalogs. Fixed phantom agent names (`qe-knowledge-graph`, `qe-semantic-searcher`) with actual agents (`qe-kg-builder`, `qe-code-intelligence`, `qe-impact-analyzer`, `qe-code-complexity`). Replaced `ruflo doctor --fix` with `aqe health` / `aqe init` across CLAUDE.md, skills, and docs.
+- **`aqe init` MCP server setup** — Restored MCP server initialization as default behavior during `aqe init --auto`.
+- **Tool-scoping tests** — Added `hypergraph_query` to all 5 scoped agent roles to match source of truth. Fixed queen-dependency test expectations for agents without inline MCP references.
+- **`--depth` validation** — Now validates the `--depth` flag is a positive integer instead of silently passing `NaN`.
+
+### Changed
+
+- **Batched complexity analysis** — File analysis uses `Promise.all` with batch size of 8 instead of sequential processing.
+- **Shared source extensions** — Exported `SOURCE_EXTENSIONS` from `file-discovery.ts` to prevent divergence between full scan and `--git-since` paths.
+
 ## [3.8.12] - 2026-03-29
 
 ### Added

package/README.md

@@ -244,6 +244,15 @@ aqe learning dream             # Trigger dream cycle
 aqe brain export/import        # Portable intelligence
 aqe platform list/setup/verify # Manage coding agent platforms
 aqe health                     # System health check
+
+# Code intelligence
+aqe code index src/                  # Index codebase into knowledge graph
+aqe code index src/ --incremental    # Incremental index (changed files only)
+aqe code index . --git-since HEAD~5  # Index files changed in last 5 commits
+aqe code search "authentication"     # Semantic code search
+aqe code impact src/                 # Change impact analysis
+aqe code deps src/                   # Dependency mapping
+aqe code complexity src/             # Complexity metrics and hotspots
 ```
 
 ---

package/assets/skills/qe-code-intelligence/SKILL.md

@@ -26,16 +26,19 @@ Guide the use of v3's code intelligence capabilities including knowledge graph c
 
 ```bash
 # Index codebase into knowledge graph
-aqe kg index --source src/ --incremental
+aqe code index src/ --incremental
 
 # Semantic code search
-aqe kg search "authentication middleware" --limit 10
+aqe code search "authentication middleware"
 
-# Query dependencies
-aqe kg deps --file src/services/UserService.ts --depth 3
+# Analyze change impact
+aqe code impact src/services/UserService.ts --depth 3
 
-# Get intelligent context
-aqe kg context --query "how does payment processing work"
+# Map dependencies
+aqe code deps src/
+
+# Analyze complexity and find hotspots
+aqe code complexity src/
 ```
 
 ## Agent Workflow
@@ -49,7 +52,7 @@ Task("Index codebase", `
   - Map relationships (imports, calls, inheritance)
   - Generate embeddings for semantic search
   Store in AgentDB vector database.
-`, "qe-knowledge-graph")
+`, "qe-kg-builder")
 
 // Semantic search
 Task("Find relevant code", `
@@ -58,7 +61,7 @@ Task("Find relevant code", `
   - Include related functions and types
   - Rank by relevance score
   - Return with minimal context (80% token reduction)
-`, "qe-semantic-searcher")
+`, "qe-code-intelligence")
 ```
 
 ## Knowledge Graph Operations
@@ -192,19 +195,25 @@ interface SearchResult {
 
 ```bash
 # Full reindex
-aqe kg index --source src/ --force
+aqe code index src/
+
+# Incremental index (changed files only)
+aqe code index src/ --incremental
 
-# Search with filters
-aqe kg search "database connection" --type function --file "*.service.ts"
+# Index only files changed since a git ref
+aqe code index . --git-since HEAD~5
+
+# Semantic code search
+aqe code search "database connection"
 
-# Show entity details
-aqe kg show --entity UserService --relations
+# Change impact analysis
+aqe code impact src/services/UserService.ts
 
-# Export graph
-aqe kg export --format dot --output codebase.dot
+# Dependency mapping
+aqe code deps src/ --depth 5
 
-# Statistics
-aqe kg stats
+# Complexity metrics and hotspots
+aqe code complexity src/ --format json
 ```
 
 ## Gotchas
@@ -213,10 +222,10 @@ aqe kg stats
 - Knowledge graph construction fails on repos >50K LOC — scope to specific modules
 - Semantic search returns irrelevant results without domain-specific embeddings — always verify search results manually
 - Agent claims "80% token reduction" but may skip critical context — verify key files are included in results
-- Fleet must be initialized before using: run `npx ruflo doctor --fix` if you get initialization errors
+- Fleet must be initialized before using: run `aqe health` to diagnose, or `aqe init` to re-initialize if you get initialization errors
 
 ## Coordination
 
-**Primary Agents**: qe-knowledge-graph, qe-semantic-searcher, qe-dependency-mapper
-**Coordinator**: qe-code-intelligence-coordinator
+**Primary Agents**: qe-kg-builder, qe-dependency-mapper, qe-impact-analyzer, qe-code-complexity
+**Coordinator**: qe-code-intelligence
 **Related Skills**: qe-test-generation, qe-defect-intelligence

package/assets/skills/qe-code-intelligence/evals/qe-code-intelligence.yaml

@@ -50,8 +50,8 @@ mcp_integration:
   target_agents:
     - qe-learning-coordinator
     - qe-queen-coordinator
-    - qe-knowledge-graph
-    - qe-semantic-searcher
+    - qe-code-intelligence
+    - qe-kg-builder
 
 # =============================================================================
 # ReasoningBank Learning Configuration
@@ -449,7 +449,7 @@ success_criteria:
 # =============================================================================
 
 metadata:
-  author: "qe-knowledge-graph"
+  author: "qe-code-intelligence"
   created: "2026-02-02"
   last_updated: "2026-02-02"
   coverage_target: >

package/assets/skills/qe-quality-assessment/SKILL.md

@@ -236,7 +236,7 @@ Read `run-history.json` before each run — alert if quality gate failed 3 of la
 - Completion theater: agent hardcoded version '3.0.0' instead of reading from package.json — verify actual values in output
 - Fix issues in priority waves (P0 → P1 → P2) with verification between each wave — don't fix everything in parallel
 - quality-assessment domain has 53.7% success rate — expect failures and have fallback
-- If HybridMemoryBackend initialization fails, run `npx ruflo doctor --fix` first
+- If HybridMemoryBackend initialization fails, run `aqe health` to diagnose, or `aqe init` to re-initialize
 
 ## Coordination
 

package/assets/skills/qe-test-generation/SKILL.md

@@ -151,7 +151,7 @@ quality_checks:
 - Components that pass unit tests individually may have zero integration wiring — always generate at least one integration test per module boundary
 - When generating tests for a new codebase, check which framework is installed (jest vs vitest vs mocha) — they have different mock APIs and Claude will use the wrong one
 - Completion theater: agent may claim "comprehensive tests generated" but leave stubs or hardcoded values — always run the generated tests before accepting
-- Fleet must be initialized before using QE agents: run `npx ruflo doctor --fix` if you get "Fleet not initialized"
+- Fleet must be initialized before using QE agents: run `aqe health` to diagnose, or `aqe init` to re-initialize if you get "Fleet not initialized"
 
 ## Coordination
 

package/dist/audit/witness-chain.js

@@ -190,9 +190,21 @@ export class WitnessChain {
             params.push(filter.actor);
         }
         const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
-        const limit = filter?.limit ? `LIMIT ${filter.limit}` : '';
-        const offset = filter?.offset ? `OFFSET ${filter.offset}` : '';
-        return this.db.prepare(`SELECT * FROM witness_chain ${where} ORDER BY id ASC ${limit} ${offset}`).all(...params);
+        const hasLimit = filter?.limit != null;
+        const hasOffset = filter?.offset != null;
+        // SQLite requires LIMIT before OFFSET; use LIMIT -1 ("all rows") when only offset is given
+        const limitClause = hasLimit ? 'LIMIT ?' : (hasOffset ? 'LIMIT ?' : '');
+        const offsetClause = hasOffset ? 'OFFSET ?' : '';
+        if (hasLimit) {
+            params.push(filter.limit);
+        }
+        else if (hasOffset) {
+            params.push(-1);
+        }
+        if (hasOffset) {
+            params.push(filter.offset);
+        }
+        return this.db.prepare(`SELECT * FROM witness_chain ${where} ORDER BY id ASC ${limitClause} ${offsetClause}`).all(...params);
     }
     /** Get all witness entries for a pattern by ID (checks both patternId and pattern_id keys). */
     getPatternLineage(patternId) {