aislop 0.8.3 → 0.9.1

package/dist/mcp.js

@@ -1,19 +1,20 @@
 #!/usr/bin/env node
 import { n as runSubprocess, t as isToolInstalled } from "./subprocess-CCnnN_oQ.js";
 import { createRequire, isBuiltin } from "node:module";
+import { performance } from "node:perf_hooks";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import path from "node:path";
 import { spawn, spawnSync } from "node:child_process";
+import path from "node:path";
 import { z } from "zod";
 import fs from "node:fs";
 import YAML from "yaml";
 import { z as z$1 } from "zod/v4";
-import { performance } from "node:perf_hooks";
 import micromatch from "micromatch";
 import { fileURLToPath } from "node:url";
 import os from "node:os";
 import "typescript";
+import { randomUUID } from "node:crypto";
 
 //#region src/config/defaults.ts
 const DEFAULT_CONFIG = {
@@ -25,6 +26,7 @@ const DEFAULT_CONFIG = {
 		"build",
 		"coverage"
 	],
+	include: [],
 	engines: {
 		format: true,
 		lint: true,
@@ -60,7 +62,7 @@ const DEFAULT_CONFIG = {
 		smoothing: 20
 	},
 	ci: {
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	},
 	telemetry: { enabled: true }
@@ -150,7 +152,7 @@ const ScoringSchema = z$1.object({
 	smoothing: z$1.number().nonnegative().default(20)
 });
 const CiSchema = z$1.object({
-	failBelow: z$1.number().default(0),
+	failBelow: z$1.number().default(70),
 	format: z$1.enum(["json"]).default("json")
 });
 const TelemetrySchema = z$1.object({ enabled: z$1.boolean().default(true) });
@@ -184,7 +186,7 @@ const AislopConfigSchema = z$1.object({
 		smoothing: 20
 	})),
 	ci: CiSchema.default(() => ({
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	})),
 	telemetry: TelemetrySchema.default(() => ({ enabled: true })),
@@ -194,7 +196,8 @@ const AislopConfigSchema = z$1.object({
 		"dist",
 		"build",
 		"coverage"
-	])
+	]),
+	include: z$1.array(z$1.string()).default(() => [])
 });
 const defaults = AislopConfigSchema.parse({});
 /**
@@ -274,31 +277,68 @@ const EXCLUDED_DIRS = [
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	"tests",
 	"test",
 	"__tests__",
 	"__test__",
 	"spec",
 	"__mocks__",
-	"fixtures",
 	"test_data",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
 const FIND_PRUNE_DIRS = [
 	"node_modules",
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
+const BUILD_CACHE_FILE_PATTERNS = [/\.timestamp-\d+-[a-z0-9]+\.[mc]?js$/i];
+const isBuildCacheFile = (filePath) => BUILD_CACHE_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const TEST_FILE_PATTERNS = [
 	/(?:^|\/).*\.test\.[^/]+$/i,
 	/(?:^|\/).*\.spec\.[^/]+$/i,
@@ -323,6 +363,7 @@ const hasAllowedExtension = (filePath, extraExtensions) => {
 	return SOURCE_EXTENSIONS.has(extension) || extraExtensions.has(extension);
 };
 const isExcludedPath = (filePath) => EXCLUDED_DIRS.some((dir) => filePath === dir || filePath.startsWith(`${dir}/`) || filePath.includes(`/${dir}/`));
+const isExcludedFromScan = (relativePath) => isExcludedPath(relativePath) || isBuildCacheFile(relativePath);
 const isTestFile$2 = (filePath) => TEST_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const getIgnoredPaths = (rootDirectory, files) => {
 	if (files.length === 0) return /* @__PURE__ */ new Set();
@@ -381,7 +422,7 @@ const normalizeExcludePatterns = (patterns) => {
 		return [p];
 	});
 };
-const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = []) => {
+const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = [], include = []) => {
 	const extraSet = new Set(extraExtensions);
 	const normalizedFiles = files.map((file) => {
 		const absolutePath = path.isAbsolute(file) ? file : path.resolve(rootDirectory, file);
@@ -396,8 +437,16 @@ const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude
 		if (!normalizedExcludePatterns.length) return false;
 		return micromatch.isMatch(relativePath, normalizedExcludePatterns, { dot: true });
 	};
+	const hasIncludePatterns = include.length > 0;
+	const isUserIncluded = (relativePath) => {
+		if (!hasIncludePatterns) return true;
+		return micromatch.isMatch(relativePath, include, { dot: true });
+	};
 	return normalizedFiles.filter(({ absolutePath, relativePath }) => {
-		return hasAllowedExtension(relativePath, extraSet) && !isExcludedPath(relativePath) && !isTestFile$2(relativePath) && !ignoredPaths.has(relativePath) && !isUserExcluded(relativePath) && fs.existsSync(absolutePath);
+		if (!fs.existsSync(absolutePath) || !isWithinProject(relativePath) || isExcludedPath(relativePath) || isTestFile$2(relativePath) || ignoredPaths.has(relativePath)) return false;
+		if (!isUserIncluded(relativePath)) return false;
+		if (isUserExcluded(relativePath)) return false;
+		return hasAllowedExtension(relativePath, extraSet);
 	}).map(({ absolutePath }) => absolutePath);
 };
 const filterExplicitFiles = (rootDirectory, files, extraExtensions = []) => {
@@ -1127,6 +1176,86 @@ const PYTHON_IMPORT_TO_PIP = {
 	redis: "redis"
 };
 
+//#endregion
+//#region src/engines/ai-slop/python-manifest.ts
+const addPyDep = (pyDeps, name) => {
+	const normalized = name.toLowerCase().replace(/_/g, "-");
+	pyDeps.add(normalized);
+};
+const collectFromRequirementsTxt = (rootDir, pyDeps) => {
+	const reqPath = path.join(rootDir, "requirements.txt");
+	if (!fs.existsSync(reqPath)) return false;
+	try {
+		const content = fs.readFileSync(reqPath, "utf-8");
+		for (const line of content.split("\n")) {
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
+			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
+			if (match) addPyDep(pyDeps, match[1]);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPyproject = (rootDir, pyDeps) => {
+	const pyprojPath = path.join(rootDir, "pyproject.toml");
+	if (!fs.existsSync(pyprojPath)) return false;
+	try {
+		const content = fs.readFileSync(pyprojPath, "utf-8");
+		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
+		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
+		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
+		if (pep621) for (const line of pep621[1].split("\n")) {
+			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
+			if (m) addPyDep(pyDeps, m[1]);
+		}
+		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = poetryRe.exec(content);
+		while (match !== null) {
+			for (const line of match[1].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
+			}
+			match = poetryRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPipfile = (rootDir, pyDeps) => {
+	const pipfilePath = path.join(rootDir, "Pipfile");
+	if (!fs.existsSync(pipfilePath)) return false;
+	try {
+		const content = fs.readFileSync(pipfilePath, "utf-8");
+		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = sectionRe.exec(content);
+		while (match !== null) {
+			for (const line of match[2].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m) addPyDep(pyDeps, m[1]);
+			}
+			match = sectionRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectPythonDeps = (rootDir) => {
+	const pyDeps = /* @__PURE__ */ new Set();
+	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
+	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
+	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	return {
+		pyDeps,
+		hasPyManifest: hasReq || hasPyproject || hasPipfile
+	};
+};
+
 //#endregion
 //#region src/engines/ai-slop/hallucinated-imports.ts
 const JS_EXTENSIONS$1 = new Set([
@@ -1263,10 +1392,26 @@ const buildAliasMatcher = (key) => {
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
 	const opts = readJson(configPath)?.compilerOptions;
-	if (!opts || typeof opts !== "object") return;
+	if (!opts) return;
 	const paths = opts.paths;
-	if (!paths || typeof paths !== "object") return;
-	for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	if (paths && typeof paths === "object") for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	const baseUrl = opts.baseUrl;
+	if (typeof baseUrl === "string") {
+		const baseUrlDir = path.resolve(path.dirname(configPath), baseUrl);
+		let entries;
+		try {
+			entries = fs.readdirSync(baseUrlDir);
+		} catch {
+			return;
+		}
+		const baseSpecifiers = /* @__PURE__ */ new Set();
+		for (const entry of entries) {
+			if (entry.startsWith(".") || entry === "node_modules") continue;
+			const base = entry.replace(/\.(?:[jt]sx?|mjs|cjs|d\.ts)$/i, "");
+			if (base.length > 0) baseSpecifiers.add(base);
+		}
+		for (const name of baseSpecifiers) matchers.push((spec) => spec === name || spec.startsWith(`${name}/`));
+	}
 };
 const collectTsPathAliases = (rootDir) => {
 	const matchers = [];
@@ -1274,97 +1419,35 @@ const collectTsPathAliases = (rootDir) => {
 	for (const dir of dirs) for (const fname of TS_CONFIG_FILES) collectAliasMatchersFromConfig(path.join(dir, fname), matchers);
 	return matchers;
 };
-const addPyDep = (pyDeps, name) => {
-	const normalized = name.toLowerCase().replace(/_/g, "-");
-	pyDeps.add(normalized);
-};
-const collectFromRequirementsTxt = (rootDir, pyDeps) => {
-	const reqPath = path.join(rootDir, "requirements.txt");
-	if (!fs.existsSync(reqPath)) return false;
-	try {
-		const content = fs.readFileSync(reqPath, "utf-8");
-		for (const line of content.split("\n")) {
-			const trimmed = line.trim();
-			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
-			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
-			if (match) addPyDep(pyDeps, match[1]);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPyproject = (rootDir, pyDeps) => {
-	const pyprojPath = path.join(rootDir, "pyproject.toml");
-	if (!fs.existsSync(pyprojPath)) return false;
-	try {
-		const content = fs.readFileSync(pyprojPath, "utf-8");
-		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
-		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
-		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
-		if (pep621) for (const line of pep621[1].split("\n")) {
-			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
-			if (m) addPyDep(pyDeps, m[1]);
-		}
-		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = poetryRe.exec(content);
-		while (match !== null) {
-			for (const line of match[1].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
-			}
-			match = poetryRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPipfile = (rootDir, pyDeps) => {
-	const pipfilePath = path.join(rootDir, "Pipfile");
-	if (!fs.existsSync(pipfilePath)) return false;
-	try {
-		const content = fs.readFileSync(pipfilePath, "utf-8");
-		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = sectionRe.exec(content);
-		while (match !== null) {
-			for (const line of match[2].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m) addPyDep(pyDeps, m[1]);
-			}
-			match = sectionRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
 const loadManifest = (rootDir) => {
 	const jsDeps = /* @__PURE__ */ new Set();
-	const pyDeps = /* @__PURE__ */ new Set();
 	const hasJsManifest = collectJsDeps(rootDir, jsDeps);
-	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
-	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
-	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	const { pyDeps, hasPyManifest } = collectPythonDeps(rootDir);
 	return {
 		jsDeps,
 		pyDeps,
 		hasJsManifest,
-		hasPyManifest: hasReq || hasPyproject || hasPipfile
+		hasPyManifest
 	};
 };
 const isJsRelativeOrAbsolute = (spec) => spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("~/");
+const RUNTIME_BUILTINS = new Set(["bun"]);
 const isJsBuiltin = (spec) => {
+	if (RUNTIME_BUILTINS.has(spec)) return true;
 	return isBuiltin(spec.startsWith("node:") ? spec.slice(5) : spec) || isBuiltin(spec);
 };
 const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
-	"bun:"
+	"bun:",
+	"~icons/"
 ];
 const isJsVirtualModule = (spec) => VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p));
+const stripImportQuery = (spec) => {
+	const idx = spec.indexOf("?");
+	return idx === -1 ? spec : spec.slice(0, idx);
+};
+const VIRTUAL_ASSET_FILES = { "unfonts.css": "unplugin-fonts" };
 const TEMPLATE_PLACEHOLDER_RE = /\$\{/;
 const isLikelyRealImportSpec = (spec) => {
 	if (spec.length === 0) return false;
@@ -1431,10 +1514,14 @@ const extractPyImports = (content) => {
 	}
 	return results;
 };
-const checkJsImport = (spec, manifest, tsAliasMatchers) => {
+const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
+	const spec = stripImportQuery(rawSpec);
+	if (spec.length === 0) return null;
 	if (isJsRelativeOrAbsolute(spec)) return null;
 	if (isJsBuiltin(spec)) return null;
 	if (isJsVirtualModule(spec)) return null;
+	const virtualOwner = VIRTUAL_ASSET_FILES[spec];
+	if (virtualOwner && manifest.jsDeps.has(virtualOwner)) return null;
 	if (tsAliasMatchers.some((m) => m(spec))) return null;
 	const pkg = packageNameFromImport(spec);
 	if (manifest.jsDeps.has(pkg)) return null;
@@ -2789,64 +2876,88 @@ const analyzeFunctions = (content, ext) => {
 	}
 	return functions;
 };
-const JSX_FILE_LOC_MULTIPLIER = 1.5;
+const FILE_LOC_MULTIPLIERS = {
+	".tsx": 1.5,
+	".jsx": 1.5,
+	".rs": 2.5,
+	".go": 1.5
+};
+const DECLARATION_FILE_RE = /\.d\.ts$/i;
+const fileLocBudget = (ext, relativePath, base) => {
+	if (DECLARATION_FILE_RE.test(relativePath)) return Number.POSITIVE_INFINITY;
+	const multiplier = FILE_LOC_MULTIPLIERS[ext] ?? 1;
+	return Math.ceil(base * multiplier);
+};
 const checkFileDiagnostics = (relativePath, content, limits) => {
 	const results = [];
 	const lineCount = content.split("\n").length;
 	const ext = path.extname(relativePath).toLowerCase();
 	if (isDataFile(content)) return results;
-	const configuredMax = ext === ".jsx" || ext === ".tsx" ? Math.ceil(limits.maxFileLoc * JSX_FILE_LOC_MULTIPLIER) : limits.maxFileLoc;
+	const configuredMax = fileLocBudget(ext, relativePath, limits.maxFileLoc);
+	if (!Number.isFinite(configuredMax)) return results;
 	if (lineCount > Math.ceil(configuredMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/file-too-large",
 		severity: "warning",
-		message: `File has ${lineCount} lines (max: ${configuredMax})`,
+		message: `File too large (max: ${configuredMax})`,
 		help: "Consider splitting this file into smaller modules",
 		line: 0,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${lineCount} lines`
 	});
 	return results;
 };
-const checkFunctionDiagnostics = (relativePath, fn, limits) => {
+const JSX_EXTENSIONS = new Set([".tsx", ".jsx"]);
+const isComponentFunction = (name, ext) => JSX_EXTENSIONS.has(ext) && /^[A-Z]/.test(name);
+const functionLocBudget = (fn, ext, base) => {
+	if (isComponentFunction(fn.name, ext)) return Math.ceil(base * 2);
+	if (ext === ".rs") return Math.ceil(base * 1.5);
+	return base;
+};
+const checkFunctionDiagnostics = (relativePath, fn, limits, ext) => {
 	const results = [];
-	if (fn.lineCount - fn.templateLines > Math.ceil(limits.maxFunctionLoc * 1.1)) results.push({
+	const fnMax = functionLocBudget(fn, ext, limits.maxFunctionLoc);
+	if (fn.lineCount - fn.templateLines > Math.ceil(fnMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/function-too-long",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.lineCount} lines (max: ${limits.maxFunctionLoc})`,
+		message: `Function too long (max: ${fnMax})`,
 		help: "Consider breaking this function into smaller pieces",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.lineCount} lines`
 	});
 	if (fn.maxNesting > limits.maxNesting) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/deep-nesting",
 		severity: "warning",
-		message: `Function '${fn.name}' has nesting depth ${fn.maxNesting} (max: ${limits.maxNesting})`,
+		message: `Function nested too deeply (max: ${limits.maxNesting})`,
 		help: "Consider using early returns or extracting nested logic",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · depth ${fn.maxNesting}`
 	});
 	if (fn.paramCount > limits.maxParams) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/too-many-params",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.paramCount} parameters (max: ${limits.maxParams})`,
+		message: `Function has too many parameters (max: ${limits.maxParams})`,
 		help: "Consider using an options object parameter",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.paramCount} params`
 	});
 	return results;
 };
@@ -2861,7 +2972,7 @@ const checkFileComplexity = (filePath, rootDirectory, limits) => {
 	}
 	const ext = path.extname(filePath).toLowerCase();
 	const diagnostics = checkFileDiagnostics(relativePath, content, limits);
-	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits));
+	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits, ext));
 	return diagnostics;
 };
 const checkComplexity = async (context) => {
@@ -2966,17 +3077,19 @@ const findDuplicateBlocks = (content, relativePath) => {
 		});
 	}
 	return reports.map((r) => {
+		const span = r.currentEnd - r.currentStart + 1;
 		return {
 			filePath: relativePath,
 			engine: "code-quality",
 			rule: "code-quality/duplicate-block",
 			severity: "warning",
-			message: `${r.currentEnd - r.currentStart + 1}-line block at line ${r.currentStart} duplicates a block starting at line ${r.priorStart}. Extract a shared helper.`,
+			message: "Duplicate code block — extract a shared helper",
 			help: `Pull the shared logic into a function both sites can call. Keeps one version of the truth and makes future changes one-shot instead of N-shot.`,
 			line: r.currentStart,
 			column: 0,
 			category: "Complexity",
-			fixable: false
+			fixable: false,
+			detail: `${span} lines duplicate block at L${r.priorStart}`
 		};
 	});
 };
@@ -3518,16 +3631,34 @@ const isToolAvailable = async (toolName) => {
 	return isToolInstalled(toolName);
 };
 
+//#endregion
+//#region src/engines/python-targets.ts
+const PYTHON_EXTENSIONS = new Set([".py", ".pyi"]);
+const normalizeProjectPath = (filePath) => filePath.split(path.sep).join("/");
+const getPythonTargets = (context) => {
+	const targets = (context.files ?? getSourceFiles(context)).filter((filePath) => PYTHON_EXTENSIONS.has(path.extname(filePath).toLowerCase())).map((filePath) => {
+		const absolutePath = path.isAbsolute(filePath) ? filePath : path.resolve(context.rootDirectory, filePath);
+		return normalizeProjectPath(path.relative(context.rootDirectory, absolutePath));
+	}).filter((filePath) => filePath.length > 0 && !filePath.startsWith(".."));
+	return [...new Set(targets)];
+};
+const getRuffDiagnosticPath = (rootDirectory, filePath) => {
+	const normalizedPath = filePath.replace(/^a\//, "");
+	return normalizeProjectPath(path.isAbsolute(normalizedPath) ? path.relative(rootDirectory, normalizedPath) : normalizedPath);
+};
+
 //#endregion
 //#region src/engines/format/ruff-format.ts
 const runRuffFormat = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const result = await runSubprocess(ruffBinary, [
 			"format",
 			"--check",
 			"--diff",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
@@ -3543,9 +3674,9 @@ const parseRuffFormatOutput = (output, rootDir) => {
 	const filePattern = /^--- (.+)$/gm;
 	let match;
 	while ((match = filePattern.exec(output)) !== null) {
-		const filePath = match[1].replace(/^a\//, "");
+		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
-			filePath: path.relative(rootDir, filePath),
+			filePath,
 			engine: "format",
 			rule: "python-formatting",
 			severity: "warning",
@@ -3815,6 +3946,95 @@ const resolveOxlintBinary = () => {
 		return "oxlint";
 	}
 };
+const VITE_QUERY_RE = /["'][^"']*\?(worker|sharedworker|worker-url|url|raw|inline|init)\b/;
+const isViteVirtualImportFalsePositive = (rule, message) => rule.startsWith("import/") && VITE_QUERY_RE.test(message);
+const AMBIENT_GLOBAL_DEPS = [
+	"unplugin-icons",
+	"@types/bun",
+	"bun-types"
+];
+const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
+const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
+const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const detectAmbientSources = (rootDir) => {
+	const found = /* @__PURE__ */ new Set();
+	const skipDirs = new Set([
+		"node_modules",
+		".git",
+		"dist",
+		"build",
+		"out",
+		"target",
+		"coverage",
+		".next",
+		".turbo"
+	]);
+	const walk = (dir, depth) => {
+		if (depth > 4 || found.size === AMBIENT_GLOBAL_DEPS.length) return;
+		let entries;
+		try {
+			entries = fs.readdirSync(dir, { withFileTypes: true });
+		} catch {
+			return;
+		}
+		for (const entry of entries) {
+			if (found.size === AMBIENT_GLOBAL_DEPS.length) return;
+			if (entry.name.startsWith(".") && entry.name !== ".github") continue;
+			if (skipDirs.has(entry.name)) continue;
+			const full = path.join(dir, entry.name);
+			if (entry.isDirectory()) walk(full, depth + 1);
+			else if (entry.name === "package.json") try {
+				const pkg = JSON.parse(fs.readFileSync(full, "utf-8"));
+				const allDeps = {
+					...pkg.dependencies ?? {},
+					...pkg.devDependencies ?? {},
+					...pkg.peerDependencies ?? {}
+				};
+				for (const dep of AMBIENT_GLOBAL_DEPS) if (dep in allDeps) found.add(dep);
+			} catch {}
+		}
+	};
+	walk(rootDir, 0);
+	return found;
+};
+const extractNoUndefIdentifier = (message) => {
+	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
+};
+const isAmbientFalsePositive = (rule, message, sources) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	if (sources.has("unplugin-icons") && ICON_AUTOIMPORT_RE.test(ident)) return true;
+	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
+	return false;
+};
+const sstReferencedFiles = /* @__PURE__ */ new Map();
+const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
+	const cached = sstReferencedFiles.get(relativeFilePath);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	let referenced = false;
+	try {
+		const fd = fs.openSync(absolute, "r");
+		try {
+			const buf = Buffer.alloc(512);
+			const bytesRead = fs.readSync(fd, buf, 0, 512, 0);
+			referenced = SST_PLATFORM_REF_RE.test(buf.toString("utf-8", 0, bytesRead));
+		} finally {
+			fs.closeSync(fd);
+		}
+	} catch {
+		referenced = false;
+	}
+	sstReferencedFiles.set(relativeFilePath, referenced);
+	return referenced;
+};
+const UNUSED_VAR_IDENT_RE = /(?:Variable|Parameter|Catch parameter) '([^']+)' (?:is declared but never used|is caught but never used)/;
+const isUnderscoreUnusedVar = (rule, message) => {
+	if (rule !== "eslint/no-unused-vars") return false;
+	const match = UNUSED_VAR_IDENT_RE.exec(message);
+	return match ? match[1].startsWith("_") : false;
+};
 const parseRuleCode = (code) => {
 	if (!code) return {
 		plugin: "eslint",
@@ -3853,6 +4073,8 @@ const runOxlint = async (context) => {
 		framework: context.frameworks.find((f) => f !== "none"),
 		testFramework: detectTestFramework(context.rootDirectory)
 	});
+	const ambientSources = detectAmbientSources(context.rootDirectory);
+	sstReferencedFiles.clear();
 	try {
 		fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
 		const args = [
@@ -3892,6 +4114,11 @@ const runOxlint = async (context) => {
 				fixable: false
 			};
 		}).filter((d) => {
+			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
+			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
 			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
 			if (seen.has(key)) return false;
 			seen.add(key);
@@ -3906,18 +4133,20 @@ const runOxlint = async (context) => {
 //#region src/engines/lint/ruff.ts
 const runRuffLint = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const output = (await runSubprocess(ruffBinary, [
 			"check",
 			"--output-format=json",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
 		})).stdout;
 		if (!output) return [];
 		return JSON.parse(output).map((d) => ({
-			filePath: path.relative(context.rootDirectory, d.filename),
+			filePath: getRuffDiagnosticPath(context.rootDirectory, d.filename),
 			engine: "lint",
 			rule: `ruff/${d.code}`,
 			severity: d.code.startsWith("E") || d.code.startsWith("F") ? "error" : "warning",
@@ -4012,56 +4241,94 @@ const runPnpmAuditWithFallback = async (rootDir, timeout) => {
 		return [];
 	}
 };
+const SEVERITY_RANK = {
+	critical: 4,
+	high: 3,
+	moderate: 2,
+	low: 1
+};
 const toSeverity = (value) => value === "critical" || value === "high" ? "error" : "warning";
-const defaultAuditFixCommand = (source) => source === "pnpm audit" ? "pnpm audit --fix" : "npm audit fix";
+const upsertVuln = (bucket, packageName, severity, recommendation) => {
+	const existing = bucket.get(packageName);
+	if (existing) {
+		existing.advisories++;
+		if ((SEVERITY_RANK[severity] ?? 0) > (SEVERITY_RANK[existing.worstSeverity] ?? 0)) existing.worstSeverity = severity;
+		if (recommendation) existing.recommendations.add(recommendation);
+	} else bucket.set(packageName, {
+		packageName,
+		worstSeverity: severity,
+		advisories: 1,
+		recommendations: recommendation ? new Set([recommendation]) : /* @__PURE__ */ new Set()
+	});
+};
+const SEMVER_RE = /(\d+)\.(\d+)\.(\d+)/;
+const cmpSemver = (a, b) => {
+	const [, a1, a2, a3] = SEMVER_RE.exec(a) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	const [, b1, b2, b3] = SEMVER_RE.exec(b) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	if (Number(a1) !== Number(b1)) return Number(a1) - Number(b1);
+	if (Number(a2) !== Number(b2)) return Number(a2) - Number(b2);
+	return Number(a3) - Number(b3);
+};
+const pickBestRecommendation = (recs) => {
+	if (recs.length <= 1) return recs[0] ?? "";
+	const versioned = recs.filter((r) => SEMVER_RE.test(r));
+	if (versioned.length === 0) return recs[0];
+	return versioned.reduce((best, r) => cmpSemver(r, best) > 0 ? r : best);
+};
+const cleanRecommendation = (raw) => {
+	const t = raw.trim();
+	if (!t || t.toLowerCase() === "none") return "no fix available";
+	return t;
+};
+const aggregateToDiagnostic = (agg, source) => {
+	const best = cleanRecommendation(pickBestRecommendation([...agg.recommendations]));
+	const countLabel = agg.advisories > 1 ? ` (${agg.advisories} advisories)` : "";
+	const recLabel = best ? ` — ${best}` : "";
+	return {
+		filePath: "package.json",
+		engine: "security",
+		rule: "security/vulnerable-dependency",
+		severity: toSeverity(agg.worstSeverity),
+		message: `${agg.packageName} (${agg.worstSeverity})${recLabel}${countLabel}`,
+		help: "",
+		line: 0,
+		column: 0,
+		category: "Security",
+		fixable: false,
+		detail: source === "npm audit" ? "npm" : "pnpm"
+	};
+};
 const parseLegacyAdvisories = (advisories, source) => {
-	const diagnostics = [];
-	for (const [key, advisory] of Object.entries(advisories)) {
-		const packageName = advisory.module_name ?? advisory.name ?? advisory.package ?? key;
-		const severity = (advisory.severity ?? "moderate").toLowerCase();
-		const recommendation = advisory.recommendation ?? advisory.title ?? `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
-	}
-	return diagnostics;
+	const bucket = /* @__PURE__ */ new Map();
+	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseModernVulnerabilities = (vulnerabilities, source) => {
-	const diagnostics = [];
+	const bucket = /* @__PURE__ */ new Map();
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
-		let recommendation = `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		if (fixAvailable === false) recommendation = isDirect ? "No automatic fix — check for a newer major version" : "Transitive with no fix — add an override or upgrade the parent";
-		else if (!isDirect && fixAvailable === true) recommendation = "Transitive dep — may need an override or parent upgrade";
+		let recommendation = "";
+		if (fixAvailable === false) recommendation = isDirect ? "no automatic fix" : "transitive — needs override or parent upgrade";
+		else if (!isDirect && fixAvailable === true) recommendation = "transitive — may need override or parent upgrade";
 		else if (fixAvailable && typeof fixAvailable === "object" && "name" in fixAvailable && "version" in fixAvailable) {
 			const target = fixAvailable;
-			if (target.name && target.version) recommendation = `Upgrade to ${target.name}@${target.version}.`;
+			if (target.name && target.version) recommendation = `upgrade to ${target.name}@${target.version}`;
 		}
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
+		upsertVuln(bucket, packageName, severity, recommendation);
 	}
-	return diagnostics;
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseJsAudit = (output, source) => {
 	if (!output) return [];
@@ -4977,10 +5244,17 @@ const runScan = async (cwd) => {
 	const config = loadConfig(cwd);
 	const diagnostics = (await runEngines(buildEngineContext(project.rootDirectory, project, config), enabledEnginesFromConfig(config))).flatMap((r) => r.diagnostics);
 	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing);
+	const errorCount = diagnostics.filter((d) => d.severity === "error").length;
+	const failBelow = config.ci.failBelow;
 	return {
 		project,
 		diagnostics,
-		score
+		score,
+		qualityGate: {
+			failBelow,
+			passed: errorCount === 0 && score >= failBelow,
+			errorCount
+		}
 	};
 };
 const aislopScanInputSchema = z.object({ path: z.string().optional().describe("Project directory to scan. Defaults to the MCP server's cwd.") });
@@ -4990,10 +5264,11 @@ const aislopScanTool = {
 	inputSchema: aislopScanInputSchema
 };
 const handleAislopScan = async (input) => {
-	const { project, diagnostics, score } = await runScan(resolveCwd(input.path));
+	const { project, diagnostics, score, qualityGate } = await runScan(resolveCwd(input.path));
 	const summary = summariseDiagnostics(diagnostics, project.rootDirectory);
 	return {
 		score,
+		qualityGate,
 		fileCount: project.sourceFileCount,
 		languages: project.languages,
 		frameworks: project.frameworks,
@@ -5094,7 +5369,225 @@ const handleAislopBaseline = (input) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.8.3";
+const APP_VERSION = "0.9.1";
+
+//#endregion
+//#region src/telemetry/env.ts
+const detectPackageManager = (env = process.env) => {
+	const execPath = env.npm_execpath ?? "";
+	if (execPath.includes("npx")) return "npx";
+	const userAgent = env.npm_config_user_agent ?? "";
+	if (userAgent.startsWith("pnpm/")) return "pnpm";
+	if (userAgent.startsWith("yarn/")) return "yarn";
+	if (userAgent.startsWith("bun/")) return "bun";
+	if (userAgent.startsWith("npm/")) return "npm";
+	if (execPath.includes("pnpm")) return "pnpm";
+	if (execPath.includes("yarn")) return "yarn";
+	if (execPath.includes("bun")) return "bun";
+	if (execPath.includes("npm")) return "npm";
+	return "unknown";
+};
+const CI_ENV_KEYS = [
+	"CI",
+	"GITHUB_ACTIONS",
+	"GITLAB_CI",
+	"CIRCLECI",
+	"TRAVIS",
+	"BUILDKITE",
+	"DRONE",
+	"TEAMCITY_VERSION",
+	"TF_BUILD"
+];
+const isCiEnv = (env = process.env) => CI_ENV_KEYS.some((k) => {
+	const v = env[k];
+	return v === "true" || v === "1" || v != null && v.length > 0 && k !== "CI";
+}) || env.CI === "true" || env.CI === "1";
+
+//#endregion
+//#region src/telemetry/identity.ts
+const FILE_BASENAME = "install_id";
+const resolveInstallIdPath = (homedir = os.homedir(), env = process.env) => {
+	if (process.platform === "linux" && env.XDG_STATE_HOME) return path.join(env.XDG_STATE_HOME, "aislop", FILE_BASENAME);
+	return path.join(homedir, ".aislop", FILE_BASENAME);
+};
+const ensureInstallId = (idPath = resolveInstallIdPath()) => {
+	if (fs.existsSync(idPath)) {
+		const existing = fs.readFileSync(idPath, "utf-8").trim();
+		if (existing.length > 0) return {
+			installId: existing,
+			created: false
+		};
+	}
+	const dir = path.dirname(idPath);
+	fs.mkdirSync(dir, { recursive: true });
+	const installId = randomUUID();
+	const tmpPath = `${idPath}.${process.pid}.tmp`;
+	fs.writeFileSync(tmpPath, `${installId}\n`, { mode: 384 });
+	try {
+		fs.renameSync(tmpPath, idPath);
+		return {
+			installId,
+			created: true
+		};
+	} catch {
+		fs.rmSync(tmpPath, { force: true });
+		return {
+			installId: fs.readFileSync(idPath, "utf-8").trim(),
+			created: false
+		};
+	}
+};
+
+//#endregion
+//#region src/telemetry/redaction.ts
+const SAFE_PROPERTY_NAMES = new Set([
+	"aislop_version",
+	"node_version",
+	"os",
+	"arch",
+	"schema_version",
+	"anonymous_install_id",
+	"package_manager",
+	"is_ci",
+	"command",
+	"language_summary",
+	"lang_typescript",
+	"lang_javascript",
+	"lang_python",
+	"lang_java",
+	"file_count_bucket",
+	"exit_code",
+	"duration_ms",
+	"error_kind",
+	"score",
+	"score_bucket",
+	"finding_count",
+	"error_count",
+	"warning_count",
+	"fixable_count",
+	"fix_steps",
+	"fix_resolved",
+	"fix_score_delta",
+	"engine_format_issues",
+	"engine_format_ms",
+	"engine_lint_issues",
+	"engine_lint_ms",
+	"engine_code_quality_issues",
+	"engine_code_quality_ms",
+	"engine_ai_slop_issues",
+	"engine_ai_slop_ms",
+	"engine_architecture_issues",
+	"engine_architecture_ms",
+	"engine_security_issues",
+	"engine_security_ms",
+	"tool",
+	"ok",
+	"agent",
+	"score_delta"
+]);
+const redactProperties = (props) => {
+	const clean = {};
+	const dropped = [];
+	for (const [key, value] of Object.entries(props)) {
+		if (value === void 0) continue;
+		if (SAFE_PROPERTY_NAMES.has(key)) clean[key] = value;
+		else dropped.push(key);
+	}
+	return {
+		clean,
+		dropped
+	};
+};
+
+//#endregion
+//#region src/telemetry/client.ts
+const POSTHOG_HOST = "https://eu.i.posthog.com";
+const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
+const SCHEMA_VERSION = "v2";
+const REQUEST_TIMEOUT_MS = 3e3;
+const isTelemetryDisabled = (config) => {
+	const env = process.env;
+	if (env.AISLOP_NO_TELEMETRY === "1" || env.DO_NOT_TRACK === "1") return true;
+	if (config?.enabled === false) return true;
+	if (config?.enabled === true) return false;
+	if (env.CI === "true" || env.CI === "1") return true;
+	return false;
+};
+const isDebug = () => process.env.AISLOP_TELEMETRY_DEBUG === "1";
+const pendingRequests = /* @__PURE__ */ new Set();
+let cachedInstallId = null;
+let installCreated = false;
+const baseProperties = (installId) => ({
+	aislop_version: APP_VERSION,
+	node_version: process.version,
+	os: os.platform(),
+	arch: os.arch(),
+	schema_version: SCHEMA_VERSION,
+	anonymous_install_id: installId,
+	package_manager: detectPackageManager(),
+	is_ci: isCiEnv()
+});
+const track = (input) => {
+	if (isTelemetryDisabled(input.config)) return { installCreated: false };
+	if (cachedInstallId == null) {
+		const ensured = ensureInstallId(resolveInstallIdPath());
+		cachedInstallId = ensured.installId;
+		installCreated = ensured.created;
+	}
+	const { clean, dropped } = redactProperties({
+		...baseProperties(cachedInstallId),
+		...input.properties
+	});
+	if (isDebug()) {
+		const compact = JSON.stringify({
+			event: input.event,
+			properties: clean
+		});
+		process.stderr.write(`[telemetry] ${compact}\n`);
+		if (dropped.length > 0) for (const key of dropped) process.stderr.write(`[telemetry] dropped non-allowlisted property: ${key}\n`);
+	}
+	if (process.env.AISLOP_TELEMETRY_DRY_RUN === "1") return { installCreated };
+	const payload = {
+		api_key: POSTHOG_KEY,
+		event: input.event,
+		distinct_id: cachedInstallId,
+		properties: clean,
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const request = fetch(`${POSTHOG_HOST}/capture/`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+	}).then(() => {}).catch(() => {}).finally(() => {
+		pendingRequests.delete(request);
+	});
+	pendingRequests.add(request);
+	return { installCreated };
+};
+const flushTelemetry = async () => {
+	if (pendingRequests.size === 0) return;
+	await Promise.all(pendingRequests);
+};
+
+//#endregion
+//#region src/telemetry/events.ts
+const buildMcpToolCalledProps = (input) => {
+	const props = {
+		tool: input.tool,
+		duration_ms: Math.round(input.durationMs),
+		ok: input.ok
+	};
+	if (input.errorKind) props.error_kind = input.errorKind;
+	return props;
+};
+const errorKindFromException = (error) => {
+	const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+	if (message.includes("timeout") || message.includes("timed out")) return "timeout";
+	if (message.includes("invalid config") || message.includes("config_invalid")) return "config_invalid";
+	if (message.includes("engine") && message.includes("crash")) return "engine_crash";
+	return "unknown";
+};
 
 //#endregion
 //#region src/mcp.ts
@@ -5109,10 +5602,29 @@ const err = (message) => ({
 	}],
 	isError: true
 });
-const tryHandle = async (fn) => {
+const instrument = async (tool, fn) => {
+	const startedAt = performance.now();
 	try {
-		return ok(await fn());
+		const value = await fn();
+		track({
+			event: "mcp_tool_called",
+			properties: buildMcpToolCalledProps({
+				tool,
+				durationMs: performance.now() - startedAt,
+				ok: true
+			})
+		});
+		return ok(value);
 	} catch (e) {
+		track({
+			event: "mcp_tool_called",
+			properties: buildMcpToolCalledProps({
+				tool,
+				durationMs: performance.now() - startedAt,
+				ok: false,
+				errorKind: errorKindFromException(e)
+			})
+		});
 		return err(e instanceof Error ? e.message : String(e));
 	}
 };
@@ -5124,25 +5636,27 @@ const buildServer = () => {
 	server.registerTool(aislopScanTool.name, {
 		description: aislopScanTool.description,
 		inputSchema: aislopScanInputSchema.shape
-	}, (input) => tryHandle(() => handleAislopScan(input)));
+	}, (input) => instrument("aislop_scan", () => handleAislopScan(input)));
 	server.registerTool(aislopFixTool.name, {
 		description: aislopFixTool.description,
 		inputSchema: aislopFixInputSchema.shape
-	}, (input) => tryHandle(() => handleAislopFix(input)));
+	}, (input) => instrument("aislop_fix", () => handleAislopFix(input)));
 	server.registerTool(aislopWhyTool.name, {
 		description: aislopWhyTool.description,
 		inputSchema: aislopWhyInputSchema.shape
-	}, (input) => tryHandle(() => handleAislopWhy(input)));
+	}, (input) => instrument("aislop_why", () => handleAislopWhy(input)));
 	server.registerTool(aislopBaselineTool.name, {
 		description: aislopBaselineTool.description,
 		inputSchema: aislopBaselineInputSchema.shape
-	}, (input) => tryHandle(() => handleAislopBaseline(input)));
+	}, (input) => instrument("aislop_baseline", () => handleAislopBaseline(input)));
 	return server;
 };
 const main = async () => {
 	const server = buildServer();
 	const transport = new StdioServerTransport();
 	await server.connect(transport);
+	track({ event: "mcp_server_started" });
+	await flushTelemetry();
 };
 main().catch((e) => {
 	process.stderr.write(`aislop-mcp failed to start: ${e instanceof Error ? e.message : String(e)}\n`);