codesift-mcp 0.4.0 → 0.5.0

package/dist/register-tools.js

@@ -9,7 +9,7 @@ import { searchSymbols, searchText, semanticSearch } from "./tools/search-tools.
 import { getFileTree, getFileOutline, getRepoOutline, suggestQueries } from "./tools/outline-tools.js";
 import { getSymbol, getSymbols, findAndShow, findReferences, findReferencesBatch, findDeadCode, getContextBundle, formatRefsCompact, formatSymbolCompact, formatSymbolsCompact, formatBundleCompact } from "./tools/symbol-tools.js";
 import { traceCallChain } from "./tools/graph-tools.js";
-import { traceComponentTree, analyzeHooks, analyzeRenders, buildContextGraph, auditCompilerReadiness } from "./tools/react-tools.js";
+import { traceComponentTree, analyzeHooks, analyzeRenders, buildContextGraph, auditCompilerReadiness, reactQuickstart } from "./tools/react-tools.js";
 import { impactAnalysis } from "./tools/impact-tools.js";
 import { traceRoute } from "./tools/route-tools.js";
 import { detectCommunities } from "./tools/community-tools.js";
@@ -27,7 +27,7 @@ import { getUsageStats, formatUsageReport } from "./storage/usage-stats.js";
 import { goToDefinition, getTypeInfo, renameSymbol, getCallHierarchy } from "./lsp/lsp-tools.js";
 import { indexConversations, searchConversations, searchAllConversations, findConversationsForSymbol } from "./tools/conversation-tools.js";
 import { scanSecrets } from "./tools/secret-tools.js";
-import { resolvePhpNamespace, analyzeActiveRecord, tracePhpEvent, findPhpViews, resolvePhpService, phpSecurityScan, phpProjectAudit, findPhpNPlusOne, findPhpGodModel, } from "./tools/php-tools.js";
+import { resolvePhpNamespace, tracePhpEvent, findPhpViews, resolvePhpService, phpSecurityScan, phpProjectAudit, } from "./tools/php-tools.js";
 import { consolidateMemories, readMemory } from "./tools/memory-tools.js";
 import { createAnalysisPlan, writeScratchpad, readScratchpad, listScratchpad, updateStepStatus, getPlan, listPlans } from "./tools/coordinator-tools.js";
 import { frequencyAnalysis } from "./tools/frequency-tools.js";
@@ -38,29 +38,30 @@ import { traceRoomSchema } from "./tools/room-tools.js";
 import { extractKotlinSerializationContract } from "./tools/serialization-tools.js";
 import { astroAnalyzeIslands, astroHydrationAudit } from "./tools/astro-islands.js";
 import { astroRouteMap } from "./tools/astro-routes.js";
-import { analyzeNextjsComponents } from "./tools/nextjs-component-tools.js";
+import { astroActionsAudit } from "./tools/astro-actions.js";
+import { astroAudit } from "./tools/astro-audit.js";
 import { nextjsRouteMap } from "./tools/nextjs-route-tools.js";
 import { nextjsMetadataAudit } from "./tools/nextjs-metadata-tools.js";
-import { nextjsAuditServerActions } from "./tools/nextjs-security-tools.js";
-import { nextjsApiContract } from "./tools/nextjs-api-contract-tools.js";
-import { nextjsBoundaryAnalyzer } from "./tools/nextjs-boundary-tools.js";
-import { nextjsLinkIntegrity } from "./tools/nextjs-link-tools.js";
-import { nextjsDataFlow } from "./tools/nextjs-data-flow-tools.js";
-import { nextjsMiddlewareCoverage } from "./tools/nextjs-middleware-coverage-tools.js";
 import { frameworkAudit } from "./tools/nextjs-framework-audit-tools.js";
 import { astroConfigAnalyze } from "./tools/astro-config.js";
+import { astroContentCollections } from "./tools/astro-content-collections.js";
 import { analyzeProject, getExtractorVersions } from "./tools/project-tools.js";
 import { getModelGraph } from "./tools/model-tools.js";
 import { getTestFixtures } from "./tools/pytest-tools.js";
 import { findFrameworkWiring } from "./tools/wiring-tools.js";
 import { runRuff } from "./tools/ruff-tools.js";
 import { parsePyproject } from "./tools/pyproject-tools.js";
+import { resolveConstantValue } from "./tools/python-constants-tools.js";
+import { effectiveDjangoViewSecurity } from "./tools/django-view-security-tools.js";
 import { findPythonCallers } from "./tools/python-callers.js";
+import { taintTrace } from "./tools/taint-tools.js";
 import { analyzeDjangoSettings } from "./tools/django-settings.js";
-import { traceCeleryChain } from "./tools/celery-tools.js";
 import { runMypy, runPyright } from "./tools/typecheck-tools.js";
 import { analyzePythonDeps } from "./tools/python-deps-analyzer.js";
-import { findPythonCircularImports } from "./tools/python-circular-imports.js";
+import { pythonAudit } from "./tools/python-audit.js";
+import { traceFastAPIDepends } from "./tools/fastapi-depends.js";
+import { analyzeAsyncCorrectness } from "./tools/async-correctness.js";
+import { getPydanticModels } from "./tools/pydantic-models.js";
 import { reviewDiff } from "./tools/review-diff-tools.js";
 import { auditScan } from "./tools/audit-tools.js";
 import { indexStatus } from "./tools/status-tools.js";
@@ -68,17 +69,18 @@ import { auditAgentConfig } from "./tools/agent-config-tools.js";
 import { testImpactAnalysis } from "./tools/test-impact-tools.js";
 import { dependencyAudit } from "./tools/dependency-audit-tools.js";
 import { migrationLint } from "./tools/migration-lint-tools.js";
+import { planTurn, formatPlanTurnResult } from "./tools/plan-turn-tools.js";
+import { astroMigrationCheck } from "./tools/astro-migration.js";
 import { analyzePrismaSchema } from "./tools/prisma-schema-tools.js";
 import { findPerfHotspots } from "./tools/perf-tools.js";
 import { fanInFanOut, coChangeAnalysis } from "./tools/coupling-tools.js";
 import { architectureSummary } from "./tools/architecture-tools.js";
-import { nestLifecycleMap, nestModuleGraph, nestDIGraph, nestGuardChain, nestRouteInventory, nestAudit } from "./tools/nest-tools.js";
-import { nestGraphQLMap, nestWebSocketMap, nestScheduleMap, nestTypeOrmMap, nestMicroserviceMap } from "./tools/nest-ext-tools.js";
+import { nestAudit } from "./tools/nest-tools.js";
 import { explainQuery } from "./tools/query-tools.js";
 import { formatSnapshot, getContext, getSessionState } from "./storage/session-state.js";
 import { formatComplexityCompact, formatComplexityCounts, formatClonesCompact, formatClonesCounts, formatHotspotsCompact, formatHotspotsCounts, formatTraceRouteCompact, formatTraceRouteCounts } from "./formatters-shortening.js";
-import { formatSearchSymbols, formatFileTree, formatFileOutline, formatSearchPatterns, formatDeadCode, formatComplexity, formatClones, formatHotspots, formatRepoOutline, formatSuggestQueries, formatSecrets, formatConversations, formatRoles, formatAssembleContext, formatCommunities, formatCallTree, formatTraceRoute, formatKnowledgeMap, formatImpactAnalysis, formatDiffOutline, formatChangedSymbols, formatReviewDiff, formatPerfHotspots, formatFanInFanOut, formatCoChange, formatArchitectureSummary, formatNextjsComponents, formatNextjsRouteMap, formatNextjsMetadataAudit, formatNextjsAuditServerActions, formatNextjsApiContract, formatNextjsBoundaryAnalyzer, formatNextjsLinkIntegrity, formatNextjsDataFlow, formatNextjsMiddlewareCoverage, formatFrameworkAudit } from "./formatters.js";
-import { formatNextjsRouteMapCompact, formatNextjsRouteMapCounts, formatNextjsMetadataAuditCompact, formatNextjsMetadataAuditCounts, formatFrameworkAuditCompact, formatFrameworkAuditCounts, formatServerActionsAuditCompact, formatServerActionsAuditCounts, formatApiContractCompact, formatApiContractCounts, formatBoundaryAnalyzerCompact, formatBoundaryAnalyzerCounts } from "./formatters-shortening.js";
+import { formatSearchSymbols, formatFileTree, formatFileOutline, formatSearchPatterns, formatDeadCode, formatComplexity, formatClones, formatHotspots, formatRepoOutline, formatSuggestQueries, formatSecrets, formatConversations, formatRoles, formatAssembleContext, formatCommunities, formatCallTree, formatTraceRoute, formatKnowledgeMap, formatImpactAnalysis, formatDiffOutline, formatChangedSymbols, formatReviewDiff, formatPerfHotspots, formatFanInFanOut, formatCoChange, formatArchitectureSummary, formatNextjsRouteMap, formatNextjsMetadataAudit, formatFrameworkAudit } from "./formatters.js";
+import { formatNextjsRouteMapCompact, formatNextjsRouteMapCounts, formatNextjsMetadataAuditCompact, formatNextjsMetadataAuditCounts, formatFrameworkAuditCompact, formatFrameworkAuditCounts } from "./formatters-shortening.js";
 const zFiniteNumber = z.number().finite();
 /** Coerce string→number for numeric params while rejecting NaN/empty strings. */
 export const zNum = () => z.union([
@@ -167,19 +169,7 @@ export function getToolHandle(name) {
 /** Framework-specific tool bundles — auto-enabled when the framework is detected in an indexed repo */
 const FRAMEWORK_TOOL_BUNDLES = {
     nestjs: [
-        // Wave 1
-        "nest_lifecycle_map",
-        "nest_module_graph",
-        "nest_di_graph",
-        "nest_guard_chain",
-        "nest_route_inventory",
-        // Wave 2
-        "nest_graphql_map",
-        "nest_websocket_map",
-        "nest_schedule_map",
-        "nest_typeorm_map",
-        "nest_microservice_map",
-        // nest_audit is already core — always visible
+    // All NestJS sub-tools absorbed into nest_audit
     ],
 };
 /** Track which framework bundles have been auto-enabled this session (avoid repeat work) */
@@ -217,14 +207,12 @@ const FRAMEWORK_TOOL_GROUPS = {
     // PHP / Yii2 / Laravel — detected by composer.json
     "composer.json": [
         "resolve_php_namespace",
-        "analyze_activerecord",
+        // analyze_activerecord, find_php_n_plus_one, find_php_god_model absorbed into php_project_audit
         "trace_php_event",
         "find_php_views",
         "resolve_php_service",
         "php_security_scan",
         "php_project_audit",
-        "find_php_n_plus_one",
-        "find_php_god_model",
     ],
     // Kotlin / Android / Gradle — detected by build.gradle.kts or settings.gradle.kts
     "build.gradle.kts": [
@@ -277,6 +265,7 @@ const REACT_TOOLS = [
     "analyze_renders",
     "analyze_context_graph",
     "audit_compiler_readiness",
+    "react_quickstart",
 ];
 /**
  * Hono-specific tools — auto-enabled when a Hono project is detected.
@@ -287,20 +276,6 @@ const REACT_TOOLS = [
  * Detection: package.json with "hono" OR "@hono/zod-openapi" dep.
  * Content-based (not filename), so lives outside FRAMEWORK_TOOL_GROUPS.
  */
-/**
- * Next.js Tier-1 tools — auto-enabled when 'next' is in package.json deps.
- * These are the 7 hidden tools; the 3 core tools (nextjs_route_map,
- * nextjs_metadata_audit, framework_audit) are always visible.
- */
-const NEXTJS_TOOLS = [
-    "analyze_nextjs_components",
-    "nextjs_audit_server_actions",
-    "nextjs_api_contract",
-    "nextjs_boundary_analyzer",
-    "nextjs_link_integrity",
-    "nextjs_data_flow",
-    "nextjs_middleware_coverage",
-];
 const HONO_TOOLS = [
     "trace_context_flow",
     "extract_api_contract",
@@ -308,10 +283,8 @@ const HONO_TOOLS = [
     "audit_hono_security",
     "visualize_hono_routes",
     // Phase 2 additions — closes blog-API demo gaps + GitHub issues #3587/#4121/#4270
-    "trace_conditional_middleware",
     "analyze_inline_handler",
     "extract_response_types",
-    "detect_middleware_env_regression",
     "detect_hono_modules",
     "find_dead_hono_routes",
 ];
@@ -351,11 +324,6 @@ export async function detectAutoLoadTools(cwd) {
             if (hasHono) {
                 toEnable.push(...HONO_TOOLS);
             }
-            // Next.js: auto-enable hidden tools when next dep is present
-            const hasNext = !!allDeps["next"];
-            if (hasNext) {
-                toEnable.push(...NEXTJS_TOOLS);
-            }
         }
         catch { /* malformed package.json */ }
     }
@@ -504,15 +472,20 @@ export const CORE_TOOL_NAMES = new Set([
     "index_folder", // repo onboarding
     "discover_tools", // meta: discovers remaining hidden tools
     "describe_tools", // meta: full schema for hidden tools
+    "plan_turn", // meta: route query to best tools/symbols/files
     "get_session_snapshot", // session: compaction survival
     "analyze_project", // project profile
     "get_extractor_versions", // cache invalidation
     "index_status", // meta: check if repo is indexed
-    // --- Astro tools ---
+    // --- Astro tools (7 core) ---
     "astro_analyze_islands",
-    "astro_hydration_audit",
+    // astro_hydration_audit: discoverable — use astro_audit for full check or call directly
     "astro_route_map",
     "astro_config_analyze",
+    "astro_actions_audit",
+    "astro_migration_check",
+    "astro_content_collections",
+    "astro_audit",
     // --- Hono tools (Task 23) ---
     "trace_middleware_chain", // core: top Hono pain point (Discussion #4255)
     "analyze_hono_app", // core: meta-tool, first call for any Hono project
@@ -605,12 +578,13 @@ const TOOL_DEFINITIONS = [
         category: "search",
         searchHint: "search find symbols functions classes types methods by name signature",
         outputSchema: OutputSchemas.searchResults,
-        description: "Search symbols by name/signature. detail_level: compact (~15 tok), standard (default), full.",
+        description: "Search symbols by name/signature. Supports kind, file, and decorator filters. detail_level: compact (~15 tok), standard (default), full.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
             query: z.string().describe("Search query string"),
             kind: z.string().optional().describe("Filter by symbol kind (function, class, etc.)"),
             file_pattern: z.string().optional().describe("Glob pattern to filter files"),
+            decorator: z.string().optional().describe("Filter by decorator metadata, e.g. login_required, @dataclass, router.get"),
             include_source: zBool().describe("Include full source code of each symbol"),
             top_k: zNum().describe("Maximum number of results to return (default 50)"),
             source_chars: zNum().describe("Truncate each symbol's source to N characters (reduces output size)"),
@@ -622,6 +596,7 @@ const TOOL_DEFINITIONS = [
             const results = await searchSymbols(args.repo, args.query, {
                 kind: args.kind,
                 file_pattern: args.file_pattern,
+                decorator: args.decorator,
                 include_source: args.include_source,
                 top_k: args.top_k,
                 source_chars: args.source_chars,
@@ -1039,6 +1014,19 @@ const TOOL_DEFINITIONS = [
             return JSON.stringify(result, null, 2);
         },
     },
+    {
+        name: "react_quickstart",
+        category: "analysis",
+        searchHint: "react onboarding day-1 overview stack inventory components hooks critical issues",
+        description: "Day-1 onboarding composite for React projects. Single call returns: component/hook inventory, stack detection (state mgmt, routing, UI lib, form lib, build tool), critical pattern scan (XSS, Rule of Hooks, memory leaks), top hook usage, and suggested next queries. Replaces 5-6 manual tool calls. First tool to run on an unfamiliar React codebase.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+        },
+        handler: async (args) => {
+            const result = await reactQuickstart(args.repo);
+            return JSON.stringify(result, null, 2);
+        },
+    },
     {
         name: "trace_route",
         category: "graph",
@@ -1886,6 +1874,87 @@ const TOOL_DEFINITIONS = [
         schema: { repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)") },
         handler: async (args) => { return await parsePyproject(args.repo); },
     },
+    {
+        name: "resolve_constant_value",
+        category: "analysis",
+        searchHint: "python typescript nestjs resolve constant value literal alias import default parameter propagation",
+        description: "Resolve Python or TypeScript constants and function default values through simple aliases and import chains. Returns literals or explicit unresolved reasons.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            symbol_name: z.string().describe("Constant, function, or method name to resolve"),
+            file_pattern: z.string().optional().describe("Filter candidate symbols by file path substring"),
+            language: z.enum(["python", "typescript"]).optional().describe("Force resolver language instead of auto-inference"),
+            max_depth: zFiniteNumber.optional().describe("Maximum alias/import resolution depth (default: 8)"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.file_pattern != null)
+                opts.file_pattern = args.file_pattern;
+            if (args.language != null)
+                opts.language = args.language;
+            if (args.max_depth != null)
+                opts.max_depth = args.max_depth;
+            return await resolveConstantValue(args.repo, args.symbol_name, opts);
+        },
+    },
+    {
+        name: "effective_django_view_security",
+        category: "security",
+        requiresLanguage: "python",
+        searchHint: "python django view auth csrf login_required middleware mixin route security posture",
+        description: "Assess effective Django view security from decorators, mixins, settings middleware, and optional route resolution.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            path: z.string().optional().describe("Django route path to resolve first, e.g. /settings/"),
+            symbol_name: z.string().optional().describe("View function/class/method name when you already know the symbol"),
+            file_pattern: z.string().optional().describe("Filter candidate symbols by file path substring"),
+            settings_file: z.string().optional().describe("Explicit Django settings file path (auto-detects if omitted)"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.path != null)
+                opts.path = args.path;
+            if (args.symbol_name != null)
+                opts.symbol_name = args.symbol_name;
+            if (args.file_pattern != null)
+                opts.file_pattern = args.file_pattern;
+            if (args.settings_file != null)
+                opts.settings_file = args.settings_file;
+            return await effectiveDjangoViewSecurity(args.repo, opts);
+        },
+    },
+    {
+        name: "taint_trace",
+        category: "security",
+        requiresLanguage: "python",
+        searchHint: "python django taint data flow source sink request get post redirect mark_safe cursor execute subprocess session trace",
+        description: "Trace Python/Django user-controlled data from request sources to security sinks like redirect, mark_safe, cursor.execute, subprocess, requests/httpx, open, or session writes.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            framework: z.enum(["python-django"]).optional().describe("Currently only python-django is implemented"),
+            file_pattern: z.string().optional().describe("Restrict analysis to matching Python files"),
+            source_patterns: z.array(z.string()).optional().describe("Optional source pattern allowlist (defaults to request.* presets)"),
+            sink_patterns: z.array(z.string()).optional().describe("Optional sink pattern allowlist (defaults to built-in security sinks)"),
+            max_depth: zFiniteNumber.optional().describe("Maximum interprocedural helper depth (default: 4)"),
+            max_traces: zFiniteNumber.optional().describe("Maximum traces to return before truncation (default: 50)"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.framework != null)
+                opts.framework = args.framework;
+            if (args.file_pattern != null)
+                opts.file_pattern = args.file_pattern;
+            if (args.source_patterns != null)
+                opts.source_patterns = args.source_patterns;
+            if (args.sink_patterns != null)
+                opts.sink_patterns = args.sink_patterns;
+            if (args.max_depth != null)
+                opts.max_depth = args.max_depth;
+            if (args.max_traces != null)
+                opts.max_traces = args.max_traces;
+            return await taintTrace(args.repo, opts);
+        },
+    },
     {
         name: "find_python_callers",
         category: "analysis",
@@ -1927,26 +1996,6 @@ const TOOL_DEFINITIONS = [
             return await analyzeDjangoSettings(args.repo, opts);
         },
     },
-    {
-        name: "trace_celery_chain",
-        category: "analysis",
-        requiresLanguage: "python",
-        searchHint: "python celery task shared_task delay apply_async chain group chord canvas retry orphan queue",
-        description: "Celery task tracing: tasks with policies (bind, retries, queue), .delay() call sites, canvas operators (chain/group/chord), orphan tasks.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            file_pattern: z.string().optional().describe("Filter by file path substring"),
-            task_name: z.string().optional().describe("Focus on a specific task by name"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            if (args.task_name != null)
-                opts.task_name = args.task_name;
-            return await traceCeleryChain(args.repo, opts);
-        },
-    },
     {
         name: "run_mypy",
         category: "analysis",
@@ -2014,58 +2063,104 @@ const TOOL_DEFINITIONS = [
         },
     },
     {
-        name: "find_python_circular_imports",
+        name: "trace_fastapi_depends",
         category: "analysis",
         requiresLanguage: "python",
-        searchHint: "python circular import cycle ImportError TYPE_CHECKING DFS dependency",
-        description: "Detect Python circular imports via DFS on the import graph. Skips TYPE_CHECKING-only imports. Reports cycle paths with severity.",
+        searchHint: "python fastapi depends dependency injection security scopes oauth2 authentication auth endpoint",
+        description: "Trace FastAPI Depends()/Security() dependency injection chains recursively from route handlers. Detects yield deps (resource cleanup), Security() with scopes, shared deps across endpoints, endpoints without auth.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
             file_pattern: z.string().optional().describe("Filter by file path substring"),
-            max_cycles: zFiniteNumber.optional().describe("Max cycles to report (default: 50)"),
+            endpoint: z.string().optional().describe("Focus on a specific endpoint function name"),
+            max_depth: zFiniteNumber.optional().describe("Max dependency tree depth (default: 5)"),
         },
         handler: async (args) => {
             const opts = {};
             if (args.file_pattern != null)
                 opts.file_pattern = args.file_pattern;
-            if (args.max_cycles != null)
-                opts.max_cycles = args.max_cycles;
-            return await findPythonCircularImports(args.repo, opts);
+            if (args.endpoint != null)
+                opts.endpoint = args.endpoint;
+            if (args.max_depth != null)
+                opts.max_depth = args.max_depth;
+            return await traceFastAPIDepends(args.repo, opts);
         },
     },
-    // --- PHP / Yii2 tools (all discoverable via discover_tools(query="php")) ---
     {
-        name: "resolve_php_namespace",
+        name: "analyze_async_correctness",
         category: "analysis",
-        requiresLanguage: "php",
-        searchHint: "php namespace resolve PSR-4 autoload composer class file path yii2 laravel symfony",
-        description: "Resolve a PHP FQCN to file path via composer.json PSR-4 autoload mapping.",
+        requiresLanguage: "python",
+        searchHint: "python async await asyncio blocking sync requests sleep subprocess django sqlalchemy ORM coroutine fastapi",
+        description: "Detect 8 asyncio pitfalls in async def: blocking requests/sleep/IO/subprocess, sync SQLAlchemy/Django ORM in async views, async without await, asyncio.create_task without ref storage.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            class_name: z.string().describe("Fully-qualified class name, e.g. 'App\\\\Models\\\\User'"),
+            file_pattern: z.string().optional().describe("Filter by file path substring"),
+            rules: z.array(z.string()).optional().describe("Subset of rules to run"),
+            max_results: zFiniteNumber.optional().describe("Max findings (default: 200)"),
         },
         handler: async (args) => {
-            return await resolvePhpNamespace(args.repo, args.class_name);
+            const opts = {};
+            if (args.file_pattern != null)
+                opts.file_pattern = args.file_pattern;
+            if (args.rules != null)
+                opts.rules = args.rules;
+            if (args.max_results != null)
+                opts.max_results = args.max_results;
+            return await analyzeAsyncCorrectness(args.repo, opts);
         },
     },
     {
-        name: "analyze_activerecord",
+        name: "get_pydantic_models",
         category: "analysis",
-        requiresLanguage: "php",
-        searchHint: "php activerecord eloquent model schema relations rules behaviors table yii2 laravel orm",
-        description: "Extract PHP ActiveRecord/Eloquent model schema: table name, relations, validation rules, behaviors.",
+        requiresLanguage: "python",
+        searchHint: "python pydantic basemodel fastapi schema request response contract validator field constraint type classdiagram",
+        description: "Extract Pydantic models: fields with types, validators, Field() constraints, model_config, cross-model references (list[X], Optional[Y]), inheritance. JSON or mermaid classDiagram.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            model_name: z.string().optional().describe("Filter by specific model class name"),
             file_pattern: z.string().optional().describe("Filter by file path substring"),
+            output_format: z.enum(["json", "mermaid"]).optional().describe("Output as structured JSON or mermaid classDiagram"),
         },
         handler: async (args) => {
             const opts = {};
-            if (typeof args.model_name === "string")
-                opts.model_name = args.model_name;
-            if (typeof args.file_pattern === "string")
+            if (args.file_pattern != null)
                 opts.file_pattern = args.file_pattern;
-            return await analyzeActiveRecord(args.repo, opts);
+            if (args.output_format != null)
+                opts.output_format = args.output_format;
+            return await getPydanticModels(args.repo, opts);
+        },
+    },
+    {
+        name: "python_audit",
+        category: "analysis",
+        requiresLanguage: "python",
+        searchHint: "python audit health score compound project review django security circular patterns celery dependencies dead code task shared_task delay apply_async chain group chord canvas retry orphan queue import cycle ImportError TYPE_CHECKING DFS",
+        description: "Compound Python project health audit: circular imports + Django settings + anti-patterns (17) + framework wiring + Celery orphans + pytest fixtures + deps + dead code. Runs in parallel, returns unified health score (0-100) + severity counts + prioritized top_risks list.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            file_pattern: z.string().optional().describe("Filter by file path substring"),
+            checks: z.array(z.string()).optional().describe("Subset of checks: circular_imports, django_settings, anti_patterns, framework_wiring, celery, pytest_fixtures, dependencies, dead_code"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.file_pattern != null)
+                opts.file_pattern = args.file_pattern;
+            if (args.checks != null)
+                opts.checks = args.checks;
+            return await pythonAudit(args.repo, opts);
+        },
+    },
+    // --- PHP / Yii2 tools (all discoverable via discover_tools(query="php")) ---
+    {
+        name: "resolve_php_namespace",
+        category: "analysis",
+        requiresLanguage: "php",
+        searchHint: "php namespace resolve PSR-4 autoload composer class file path yii2 laravel symfony",
+        description: "Resolve a PHP FQCN to file path via composer.json PSR-4 autoload mapping.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            class_name: z.string().describe("Fully-qualified class name, e.g. 'App\\\\Models\\\\User'"),
+        },
+        handler: async (args) => {
+            return await resolvePhpNamespace(args.repo, args.class_name);
         },
     },
     {
@@ -2143,62 +2238,23 @@ const TOOL_DEFINITIONS = [
         name: "php_project_audit",
         category: "analysis",
         requiresLanguage: "php",
-        searchHint: "php project audit health quality technical debt code review comprehensive yii2 laravel",
-        description: "Compound PHP project audit: security scan + ActiveRecord analysis + health score. Runs checks in parallel.",
+        searchHint: "php project audit health quality technical debt code review comprehensive yii2 laravel activerecord eloquent model schema relations rules behaviors table orm n+1 query foreach eager loading relation god class anti-pattern too many methods oversized",
+        description: "Compound PHP project audit: security scan + ActiveRecord analysis + N+1 detection + god model detection + health score. Runs checks in parallel.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
             file_pattern: z.string().optional().describe("Glob pattern to filter analyzed files"),
+            checks: z.string().optional().describe("Comma-separated checks: n_plus_one, god_model, activerecord, security, events, views, services, namespace. Default: all"),
         },
         handler: async (args) => {
             const opts = {};
             if (typeof args.file_pattern === "string")
                 opts.file_pattern = args.file_pattern;
+            if (typeof args.checks === "string" && args.checks.trim()) {
+                opts.checks = args.checks.split(",").map((c) => c.trim()).filter(Boolean);
+            }
             return await phpProjectAudit(args.repo, opts);
         },
     },
-    {
-        name: "find_php_n_plus_one",
-        category: "analysis",
-        requiresLanguage: "php",
-        searchHint: "php n+1 query foreach activerecord with eager loading yii2 eloquent relation",
-        description: "Detect N+1 query patterns in PHP: foreach loops accessing ActiveRecord relations without eager loading via ->with(). Yii2/Laravel aware.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            limit: z.number().optional().describe("Max findings to return (default: 100)"),
-            file_pattern: z.string().optional().describe("Substring filter on file paths (e.g. 'controllers/')"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (typeof args.limit === "number")
-                opts.limit = args.limit;
-            if (typeof args.file_pattern === "string")
-                opts.file_pattern = args.file_pattern;
-            return await findPhpNPlusOne(args.repo, opts);
-        },
-    },
-    {
-        name: "find_php_god_model",
-        category: "analysis",
-        requiresLanguage: "php",
-        searchHint: "php god model god class anti-pattern too many methods relations oversized yii2 activerecord",
-        description: "Find oversized ActiveRecord models (god classes) with configurable thresholds for method, relation, and line counts. Reports reasons per model.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            min_methods: z.number().optional().describe("Method count threshold (default: 50)"),
-            min_relations: z.number().optional().describe("Relation count threshold (default: 15)"),
-            min_lines: z.number().optional().describe("Line count threshold (default: 500)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (typeof args.min_methods === "number")
-                opts.min_methods = args.min_methods;
-            if (typeof args.min_relations === "number")
-                opts.min_relations = args.min_relations;
-            if (typeof args.min_lines === "number")
-                opts.min_lines = args.min_lines;
-            return await findPhpGodModel(args.repo, opts);
-        },
-    },
     // --- Memory consolidation ---
     {
         name: "consolidate_memories",
@@ -2635,66 +2691,11 @@ const TOOL_DEFINITIONS = [
             return parts.join("\n");
         },
     },
-    // --- NestJS analysis tools ---
-    {
-        name: "nest_lifecycle_map",
-        category: "nestjs",
-        searchHint: "nestjs lifecycle hook onModuleInit onApplicationBootstrap shutdown",
-        description: "Map NestJS lifecycle hooks across the codebase — onModuleInit, onModuleDestroy, etc.",
-        schema: { repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)") },
-        handler: async (args) => nestLifecycleMap(args.repo ?? ""),
-    },
-    {
-        name: "nest_module_graph",
-        category: "nestjs",
-        searchHint: "nestjs module dependency graph circular import boundary",
-        description: "Build NestJS module dependency graph with circular dependency detection and boundary analysis.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_modules: z.number().optional().describe("Max modules to process (default: 200)"),
-            output_format: z.enum(["json", "mermaid"]).optional().describe("Output format: json (default) or mermaid"),
-        },
-        handler: async (args) => nestModuleGraph(args.repo ?? "", args),
-    },
-    {
-        name: "nest_di_graph",
-        category: "nestjs",
-        searchHint: "nestjs dependency injection provider constructor inject graph cycle",
-        description: "Build NestJS provider DI graph with constructor injection tracking and cycle detection.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_nodes: z.number().optional().describe("Max provider nodes (default: 200)"),
-            focus: z.string().optional().describe("Path substring to filter files"),
-        },
-        handler: async (args) => nestDIGraph(args.repo ?? "", args),
-    },
-    {
-        name: "nest_guard_chain",
-        category: "nestjs",
-        searchHint: "nestjs guard interceptor pipe filter middleware chain route security",
-        description: "Show guard/interceptor/pipe/filter execution chain per NestJS route (global → controller → method).",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            path: z.string().optional().describe("Filter to specific route path"),
-            max_routes: z.number().optional().describe("Max routes (default: 300)"),
-        },
-        handler: async (args) => nestGuardChain(args.repo ?? "", args),
-    },
-    {
-        name: "nest_route_inventory",
-        category: "nestjs",
-        searchHint: "nestjs route endpoint api map inventory list all guards params",
-        description: "Full NestJS route map with guards, params, and protected/unprotected stats.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_routes: z.number().optional().describe("Max routes (default: 500)"),
-        },
-        handler: async (args) => nestRouteInventory(args.repo ?? "", args),
-    },
+    // --- NestJS analysis tools (sub-tools absorbed into nest_audit) ---
     {
         name: "nest_audit",
         category: "nestjs",
-        searchHint: "nestjs audit analysis comprehensive module di guard route lifecycle pattern graphql websocket schedule typeorm microservice",
+        searchHint: "nestjs audit analysis comprehensive module di guard route lifecycle pattern graphql websocket schedule typeorm microservice hook onModuleInit onApplicationBootstrap shutdown dependency graph circular import boundary injection provider constructor inject cycle interceptor pipe filter middleware chain security endpoint api map inventory list all params resolver query mutation subscription apollo gateway subscribemessage socketio realtime event cron interval timeout scheduled job task onevent listener entity relation onetomany manytoone database schema messagepattern eventpattern kafka rabbitmq nats transport request pipeline handler execution flow visualization bull bullmq queue processor process background worker scope transient singleton performance escalation swagger openapi documentation apiproperty apioperation apiresponse contract extract",
         description: "One-call NestJS architecture audit: modules, DI, guards, routes, lifecycle, patterns, GraphQL, WebSocket, schedule, TypeORM, microservices.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
@@ -2705,63 +2706,6 @@ const TOOL_DEFINITIONS = [
             return nestAudit(args.repo ?? "", checks ? { checks } : undefined);
         },
     },
-    // --- Wave 2 NestJS tools (nest-ext-tools.ts) ---
-    {
-        name: "nest_graphql_map",
-        category: "nestjs",
-        searchHint: "nestjs graphql resolver query mutation subscription apollo",
-        description: "Map NestJS GraphQL resolvers — Query, Mutation, Subscription handlers with return types.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_entries: z.number().optional().describe("Max resolver entries (default: 300)"),
-        },
-        handler: async (args) => nestGraphQLMap(args.repo ?? "", args),
-    },
-    {
-        name: "nest_websocket_map",
-        category: "nestjs",
-        searchHint: "nestjs websocket gateway subscribemessage socketio realtime event",
-        description: "Map NestJS WebSocket gateways with port, namespace, and subscribed events.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_gateways: z.number().optional().describe("Max gateways (default: 100)"),
-        },
-        handler: async (args) => nestWebSocketMap(args.repo ?? "", args),
-    },
-    {
-        name: "nest_schedule_map",
-        category: "nestjs",
-        searchHint: "nestjs cron interval timeout scheduled job task onevent event listener",
-        description: "Map NestJS scheduled tasks (@Cron/@Interval/@Timeout) and event listeners (@OnEvent).",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_schedules: z.number().optional().describe("Max schedule entries (default: 300)"),
-            max_files_scanned: z.number().optional().describe("Max files to scan (default: 2000)"),
-        },
-        handler: async (args) => nestScheduleMap(args.repo ?? "", args),
-    },
-    {
-        name: "nest_typeorm_map",
-        category: "nestjs",
-        searchHint: "nestjs typeorm entity relation onetomany manytoone database schema",
-        description: "Build TypeORM entity relation graph with OneToMany/ManyToOne edges and cycle detection.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_entities: z.number().optional().describe("Max entities (default: 200)"),
-        },
-        handler: async (args) => nestTypeOrmMap(args.repo ?? "", args),
-    },
-    {
-        name: "nest_microservice_map",
-        category: "nestjs",
-        searchHint: "nestjs microservice messagepattern eventpattern kafka rabbitmq nats transport",
-        description: "Map NestJS microservice @MessagePattern and @EventPattern handlers.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            max_patterns: z.number().optional().describe("Max patterns (default: 300)"),
-        },
-        handler: async (args) => nestMicroserviceMap(args.repo ?? "", args),
-    },
     // --- Agent config audit ---
     {
         name: "audit_agent_config",
@@ -3007,6 +2951,7 @@ const TOOL_DEFINITIONS = [
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
             severity: z.enum(["all", "warnings", "errors"]).default("all").describe("Filter issues by severity (default: all)"),
             path_prefix: z.string().optional().describe("Only scan files under this path prefix"),
+            fail_on: z.enum(["error", "warning", "info"]).optional().describe("Set exit_code gate: 'error' exits 1 on any errors; 'warning' exits 2 on warnings; 'info' exits 2 on info or warnings"),
         },
         handler: async (args) => {
             const opts = {};
@@ -3016,6 +2961,8 @@ const TOOL_DEFINITIONS = [
                 opts.severity = args.severity;
             if (args.path_prefix != null)
                 opts.path_prefix = args.path_prefix;
+            if (args.fail_on != null)
+                opts.fail_on = args.fail_on;
             return await astroHydrationAudit(opts);
         },
     },
@@ -3055,20 +3002,82 @@ const TOOL_DEFINITIONS = [
             return await astroConfigAnalyze({ project_root: index.root });
         },
     },
+    {
+        name: "astro_actions_audit",
+        category: "analysis",
+        searchHint: "astro actions defineAction zod refine passthrough multipart file enctype audit",
+        description: "Audit Astro Actions (src/actions/index.ts) for 6 known anti-patterns (AA01-AA06): missing handler return, top-level .refine() (Astro issue #11641), .passthrough() usage (issue #11693), File schema without multipart form, server-side invocation via actions.xxx(), and client calls to unknown actions. Returns issues grouped by severity with an A/B/C/D score.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            severity: z.enum(["all", "warnings", "errors"]).default("all").describe("Filter issues by severity (default: all)"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.repo != null)
+                opts.repo = args.repo;
+            if (args.severity != null)
+                opts.severity = args.severity;
+            return await astroActionsAudit(opts);
+        },
+    },
+    {
+        name: "astro_content_collections",
+        category: "analysis",
+        searchHint: "astro content collections defineCollection zod schema reference glob loader frontmatter",
+        description: "Parse an Astro content collections config (src/content.config.ts or legacy src/content/config.ts), extract each collection's loader + Zod schema fields, build a reference() graph, and optionally validate entry frontmatter against required fields.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            validate_entries: z.boolean().default(true).describe("Validate entry frontmatter against required schema fields (default: true)"),
+        },
+        handler: async (args) => {
+            const index = await getCodeIndex(args.repo ?? "");
+            if (!index)
+                throw new Error("Repository not found — run index_folder first");
+            const opts = { project_root: index.root };
+            if (args.validate_entries != null)
+                opts.validate_entries = args.validate_entries;
+            return await astroContentCollections(opts);
+        },
+    },
+    {
+        name: "astro_audit",
+        category: "analysis",
+        searchHint: "astro meta audit full health check score gates recommendations islands hydration routes config actions content migration patterns",
+        description: "One-call Astro project health check: runs all 7 Astro tools + 13 Astro patterns in parallel, returns unified {score, gates, sections, recommendations}. Mirrors react_quickstart pattern.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            skip: z.array(z.string()).optional().describe("Sections to skip: config, hydration, routes, actions, content, migration, patterns"),
+        },
+        handler: async (args) => {
+            const opts = {};
+            if (args.repo != null)
+                opts.repo = args.repo;
+            if (args.skip != null)
+                opts.skip = args.skip;
+            return await astroAudit(opts);
+        },
+    },
     // --- Hono framework tools (Task 23) ---
     {
         name: "trace_middleware_chain",
         category: "graph",
-        searchHint: "hono middleware chain trace order scope auth use",
-        description: "Trace the ordered middleware chain for a Hono route. Returns full middleware stack in registration order for a given path+method.",
+        searchHint: "hono middleware chain trace order scope auth use conditional applied_when if method header path basicAuth gated",
+        description: "Hono middleware introspection. Three query modes: (1) route mode — pass path (+optional method) to get the chain effective for that route; (2) scope mode — pass scope literal (e.g. '/posts/*') to get that specific app.use chain; (3) app-wide mode — omit path and scope to get every chain flattened. Any mode supports only_conditional=true to filter to entries with applied_when populated, so the blog-API pattern (basicAuth wrapped in `if (method !== 'GET')`) is surfaced as gated rather than missed. Absorbs the former trace_conditional_middleware tool.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            path: z.string().describe("URL path to trace (e.g. '/api/users/:id')"),
-            method: z.string().optional().describe("HTTP method filter (GET, POST, etc.)"),
+            path: z.string().optional().describe("Route path to look up (e.g. '/api/users/:id'). Omit for scope or app-wide query."),
+            method: z.string().optional().describe("HTTP method filter (GET, POST, etc.). Only used in route mode."),
+            scope: z.string().optional().describe("Exact middleware scope literal (e.g. '/posts/*'). Mutually exclusive with path."),
+            only_conditional: z.boolean().optional().describe("Filter entries to those whose applied_when field is populated (conditional middleware)."),
         },
         handler: async (args) => {
             const { traceMiddlewareChain } = await import("./tools/hono-middleware-chain.js");
-            return await traceMiddlewareChain(args.repo, args.path, args.method);
+            const opts = {};
+            if (args.scope !== undefined)
+                opts.scope = args.scope;
+            if (args.only_conditional !== undefined)
+                opts.only_conditional = args.only_conditional;
+            return await traceMiddlewareChain(args.repo, args.path, args.method, Object.keys(opts).length > 0 ? opts : undefined);
         },
     },
     {
@@ -3131,8 +3140,8 @@ const TOOL_DEFINITIONS = [
     {
         name: "audit_hono_security",
         category: "security",
-        searchHint: "hono security audit rate limit secure headers auth order csrf",
-        description: "Security audit of a Hono app: missing rate limiting on mutation routes, missing secure-headers middleware globally, auth middleware ordering violations. Returns prioritized findings.",
+        searchHint: "hono security audit rate limit secure headers auth order csrf env regression createMiddleware BlankEnv Issue 3587",
+        description: "Security + type-safety audit of a Hono app. Rules: missing-secure-headers (global), missing-rate-limit + missing-auth (mutation routes, conditional-middleware aware via applied_when), auth-ordering (auth after non-auth in chain), env-regression (plain createMiddleware in 3+ chains — Hono Issue #3587, absorbed from the former detect_middleware_env_regression tool). Returns prioritized findings plus heuristic disclaimers via `notes` field for best-effort rules.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
         },
@@ -3156,20 +3165,6 @@ const TOOL_DEFINITIONS = [
         },
     },
     // --- Hono Phase 2 tools (T13) ---
-    {
-        name: "trace_conditional_middleware",
-        category: "analysis",
-        searchHint: "hono conditional middleware applied_when if method header path basicAuth auth gated",
-        description: "List Hono middleware entries that are applied under a runtime condition (e.g., basicAuth only for non-GET methods). Each entry carries condition_type (method|header|path|custom) + condition_text. Closes blog-API false positive where audit_hono_security flagged inline-arrow conditional auth as missing.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            scope: z.string().optional().describe("Filter to a specific middleware scope (e.g. '/posts/*')"),
-        },
-        handler: async (args) => {
-            const { traceConditionalMiddleware } = await import("./tools/hono-conditional-middleware.js");
-            return await traceConditionalMiddleware(args.repo, args.scope);
-        },
-    },
     {
         name: "analyze_inline_handler",
         category: "analysis",
@@ -3198,19 +3193,6 @@ const TOOL_DEFINITIONS = [
             return await extractResponseTypes(args.repo);
         },
     },
-    {
-        name: "detect_middleware_env_regression",
-        category: "analysis",
-        searchHint: "hono middleware env regression createMiddleware generic BlankEnv type Issue 3587",
-        description: "Heuristic static check for Hono Issue #3587: flags middleware chains of 3+ entries where an intermediate member is declared with plain createMiddleware(...) (no Env generic), which resets the accumulated Env type to BlankEnv for downstream middleware. Reports chain_scope + chain_length + middleware_name + definition file:line. Includes a heuristic disclaimer in the result note.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-        },
-        handler: async (args) => {
-            const { detectMiddlewareEnvRegression } = await import("./tools/hono-env-regression.js");
-            return await detectMiddlewareEnvRegression(args.repo);
-        },
-    },
     {
         name: "detect_hono_modules",
         category: "analysis",
@@ -3238,29 +3220,6 @@ const TOOL_DEFINITIONS = [
         },
     },
     // --- Next.js framework tools ---
-    {
-        name: "analyze_nextjs_components",
-        category: "analysis",
-        searchHint: "nextjs next.js component server client classifier use client use server hooks",
-        description: "Classify Next.js files as Server or Client components via AST analysis. Detects 'use client'/'use server' directives (with 512-byte window + comment stripping), hooks, JSX event handlers, browser globals, and next/dynamic({ ssr:false }). Flags unnecessary 'use client' and async client components. Supports monorepo workspace auto-detection.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            file_pattern: z.string().optional().describe("Glob to scope the scan, e.g. 'app/products/**'"),
-            max_files: z.number().int().positive().optional().describe("Max files to scan (default 2000)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            if (args.max_files != null)
-                opts.max_files = args.max_files;
-            const result = await analyzeNextjsComponents(args.repo ?? "", opts);
-            return formatNextjsComponents(result);
-        },
-    },
     {
         name: "nextjs_route_map",
         category: "analysis",
@@ -3307,135 +3266,17 @@ const TOOL_DEFINITIONS = [
             return formatNextjsMetadataAudit(result);
         },
     },
-    {
-        name: "nextjs_audit_server_actions",
-        category: "security",
-        searchHint: "nextjs server actions security audit auth validation rate limit zod use server",
-        description: "Audit Next.js Server Actions for security weaknesses across four checks: authorization guards, input validation (Zod-aware), rate limiting, and structured error handling. Per-action weighted scoring (auth 40, validation 30, rate 20, errors 10) with grade buckets.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            max_files: z.number().int().positive().optional().describe("Max files to scan (default 2000)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.max_files != null)
-                opts.max_files = args.max_files;
-            const result = await nextjsAuditServerActions(args.repo ?? "", opts);
-            return formatNextjsAuditServerActions(result);
-        },
-    },
-    {
-        name: "nextjs_api_contract",
-        category: "analysis",
-        searchHint: "nextjs api contract route handler openapi method body schema response zod",
-        description: "Extract API handler contracts from Next.js route handlers (App Router app/api/**/route.ts and Pages Router pages/api/**/*.ts). Captures HTTP methods, query params, request body schemas (Zod-aware), response shapes, and inferred status codes per handler.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            max_files: z.number().int().positive().optional().describe("Max files to scan (default 1000)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.max_files != null)
-                opts.max_files = args.max_files;
-            const result = await nextjsApiContract(args.repo ?? "", opts);
-            return formatNextjsApiContract(result);
-        },
-    },
-    {
-        name: "nextjs_boundary_analyzer",
-        category: "analysis",
-        searchHint: "nextjs client boundary use client component bundle imports loc score",
-        description: "Analyze Next.js client component boundaries — walks `app/**/*.{tsx,jsx}` files marked `\"use client\"`, computes a deterministic ranking score from cheap signals (LOC, import counts, dynamic imports, third-party imports), and returns a top-N list of largest offenders. Score is signal-based, not actual bundle bytes.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            top_n: z.number().int().positive().optional().describe("Number of top entries to return (default 20)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.top_n != null)
-                opts.top_n = args.top_n;
-            const result = await nextjsBoundaryAnalyzer(args.repo ?? "", opts);
-            return formatNextjsBoundaryAnalyzer(result);
-        },
-    },
-    {
-        name: "nextjs_link_integrity",
-        category: "analysis",
-        searchHint: "nextjs link integrity broken navigation Link href router push 404",
-        description: "Cross-reference Next.js navigation refs (<Link href>, router.push/.replace) against the route map to flag broken links. Template-literal hrefs are bucketed as 'unresolved' rather than guessed.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            max_files: z.number().int().positive().optional().describe("Max files to scan (default 2000)"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.max_files != null)
-                opts.max_files = args.max_files;
-            const result = await nextjsLinkIntegrity(args.repo ?? "", opts);
-            return formatNextjsLinkIntegrity(result);
-        },
-    },
-    {
-        name: "nextjs_data_flow",
-        category: "analysis",
-        searchHint: "nextjs data flow fetch waterfall cache cookies headers ssr revalidate",
-        description: "Analyze data fetching patterns in Next.js pages: detect fetch waterfalls (sequential awaits in same scope), classify cache strategies (no-cache, cached, ISR), and aggregate per-page data flow with totals.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            url_path: z.string().optional().describe("Filter to a single URL path"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.url_path != null)
-                opts.url_path = args.url_path;
-            const result = await nextjsDataFlow(args.repo ?? "", opts);
-            return formatNextjsDataFlow(result);
-        },
-    },
-    {
-        name: "nextjs_middleware_coverage",
-        category: "security",
-        searchHint: "nextjs middleware coverage protected admin auth route matcher security",
-        description: "Cross-reference Next.js routes with middleware matcher config to compute coverage. Flags admin/dashboard routes without middleware protection as high-severity warnings.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
-            flag_admin_prefix: z.union([z.string(), z.array(z.string())]).optional().describe("Admin path prefix(es) to flag (default: ['/admin', '/dashboard'])"),
-        },
-        handler: async (args) => {
-            const opts = {};
-            if (args.workspace != null)
-                opts.workspace = args.workspace;
-            if (args.flag_admin_prefix != null)
-                opts.flag_admin_prefix = args.flag_admin_prefix;
-            const result = await nextjsMiddlewareCoverage(args.repo ?? "", opts);
-            return formatNextjsMiddlewareCoverage(result);
-        },
-    },
     {
         name: "framework_audit",
         category: "analysis",
-        searchHint: "nextjs framework audit meta-tool overall score security metadata routes components",
+        searchHint: "nextjs next.js framework audit meta-tool overall score security metadata routes components classifier use client use server hooks server actions auth validation rate limit zod api contract route handler openapi method body schema response client boundary bundle imports loc link integrity broken navigation href router push 404 data flow fetch waterfall cache cookies headers ssr revalidate middleware coverage protected admin matcher",
         description: "Run all Next.js sub-audits (components, routes, metadata, security, api_contract, boundary, links, data_flow, middleware_coverage) and aggregate into a unified weighted overall score with grade. Use as a single first-call for any Next.js project.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
             workspace: z.string().optional().describe("Monorepo workspace path, e.g. 'apps/web'"),
             tools: z.array(z.string()).optional().describe("Subset of tools to run (default: all 9). Names: components, routes, metadata, security, api_contract, boundary, links, data_flow, middleware_coverage"),
+            mode: z.enum(["full", "priority"]).optional().describe("Output mode: 'full' returns per-tool results + aggregated summary; 'priority' returns a single unified top-N actionable findings list sorted by severity × cross-tool occurrences"),
+            priority_limit: z.number().int().positive().optional().describe("Max findings in priority mode (default: 20)"),
         },
         handler: async (args) => {
             const opts = {};
@@ -3443,6 +3284,10 @@ const TOOL_DEFINITIONS = [
                 opts.workspace = args.workspace;
             if (args.tools != null)
                 opts.tools = args.tools;
+            if (args.mode != null)
+                opts.mode = args.mode;
+            if (args.priority_limit != null)
+                opts.priority_limit = args.priority_limit;
             const result = await frameworkAudit(args.repo ?? "", opts);
             return formatFrameworkAudit(result);
         },
@@ -3543,94 +3388,40 @@ const TOOL_DEFINITIONS = [
         },
     },
     {
-        name: "analyze_schema_complexity",
-        category: "analysis",
-        searchHint: "schema complexity god table column count FK index score refactor",
-        description: "Per-table complexity score based on column count, FK relationships, and indexes. Identifies god tables needing refactoring. Sorted by score descending.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            file_pattern: z.string().optional().describe("Scope to files matching pattern"),
-            top_n: zNum().describe("Return top N most complex tables (default: 50)"),
-        },
-        handler: async (args) => {
-            const { analyzeSchemaComplexity } = await import("./tools/sql-tools.js");
-            const opts = {};
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            if (args.top_n != null)
-                opts.top_n = args.top_n;
-            const result = await analyzeSchemaComplexity(args.repo, opts);
-            const parts = [];
-            parts.push(`Schema complexity: ${result.tables.length} tables`);
-            parts.push(`${"Table".padEnd(30)} ${"Cols".padStart(5)} ${"FKs".padStart(4)} ${"Idx".padStart(4)} ${"Score".padStart(7)}`);
-            for (const t of result.tables) {
-                parts.push(`  ${t.name.padEnd(28)} ${String(t.column_count).padStart(5)} ${String(t.fk_count).padStart(4)} ${String(t.index_count).padStart(4)} ${t.score.toFixed(1).padStart(7)}`);
-            }
-            return parts.join("\n");
-        },
-    },
-    {
-        name: "scan_dml_safety",
+        name: "sql_audit",
         category: "analysis",
-        searchHint: "DML safety SQL DELETE UPDATE SELECT star WHERE clause unbounded dangerous query",
-        description: "Scan codebase for unsafe SQL DML patterns: DELETE/UPDATE without WHERE (data loss risk), SELECT * (unbounded reads). Cross-language — finds SQL in .ts, .py, .go, .php files.",
+        searchHint: "SQL audit composite drift orphan lint DML safety complexity god table schema diagnostic",
+        description: "Composite SQL audit — runs 5 diagnostic gates (drift, orphan, lint, dml, complexity) in one call. Use this instead of calling the individual gate functions separately.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            checks: z.array(z.enum(["drift", "orphan", "lint", "dml", "complexity"])).optional().describe("Subset of gates to run (default: all 5)"),
             file_pattern: z.string().optional().describe("Scope to files matching pattern"),
-            max_results: zNum().describe("Max findings per pattern (default: 200)"),
+            max_results: zNum().describe("Max DML findings per pattern (default: 200)"),
         },
         handler: async (args) => {
-            const { scanDmlSafety } = await import("./tools/sql-tools.js");
+            const { sqlAudit } = await import("./tools/sql-tools.js");
             const opts = {};
+            if (args.checks != null)
+                opts.checks = args.checks;
             if (args.file_pattern != null)
                 opts.file_pattern = args.file_pattern;
             if (args.max_results != null)
                 opts.max_results = args.max_results;
-            const result = await scanDmlSafety(args.repo, opts);
+            const result = await sqlAudit(args.repo, opts);
             const parts = [];
-            parts.push(`DML safety: ${result.summary.total} findings across ${result.summary.files_scanned} files`);
-            for (const [rule, count] of Object.entries(result.summary.by_rule)) {
-                parts.push(`  ${rule}: ${count}`);
-            }
-            const high = result.findings.filter((f) => f.severity === "high");
-            if (high.length > 0) {
-                parts.push("\n⚠ HIGH RISK:");
-                for (const f of high.slice(0, 20)) {
-                    parts.push(`  [${f.rule}] ${f.file}:${f.line}  ${f.context ?? ""}`);
-                }
-            }
-            return parts.join("\n");
-        },
-    },
-    {
-        name: "lint_schema",
-        category: "analysis",
-        searchHint: "lint SQL schema anti-pattern primary key wide table duplicate index design",
-        description: "Lint SQL schema for anti-patterns: missing primary key, wide tables (>20 cols), duplicate index names. Conservative ruleset with near-zero false positives.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            file_pattern: z.string().optional().describe("Scope to files matching pattern"),
-        },
-        handler: async (args) => {
-            const { lintSchema } = await import("./tools/sql-tools.js");
-            const opts = {};
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            const result = await lintSchema(args.repo, opts);
-            const parts = [];
-            parts.push(`Schema lint: ${result.summary.total} finding${result.summary.total === 1 ? "" : "s"}`);
-            for (const [rule, count] of Object.entries(result.summary.by_rule)) {
-                parts.push(`  ${rule}: ${count}`);
+            parts.push(`SQL audit: ${result.summary.gates_run} gates run, ${result.summary.gates_passed} passed, ${result.summary.gates_failed} failed`);
+            parts.push(`  Total findings:    ${result.summary.total_findings}`);
+            parts.push(`  Critical findings: ${result.summary.critical_findings}`);
+            parts.push("");
+            for (const g of result.gates) {
+                const icon = g.pass ? "✓" : (g.critical ? "✗ CRITICAL" : "⚠");
+                parts.push(`${icon} ${g.check}: ${g.summary}`);
             }
             if (result.warnings.length > 0) {
-                for (const w of result.warnings)
-                    parts.push(`⚠ ${w}`);
-            }
-            if (result.findings.length > 0) {
                 parts.push("");
-                for (const f of result.findings.slice(0, 30)) {
-                    parts.push(`  [${f.severity.toUpperCase()}] ${f.rule}: ${f.detail}  (${f.file}:${f.line})`);
-                }
+                parts.push("─── Warnings ───");
+                for (const w of result.warnings)
+                    parts.push(`  ⚠ ${w}`);
             }
             return parts.join("\n");
         },
@@ -3670,35 +3461,6 @@ const TOOL_DEFINITIONS = [
             return parts.join("\n");
         },
     },
-    {
-        name: "find_orphan_tables",
-        category: "analysis",
-        searchHint: "orphan table SQL unused dead unreferenced no query no model drop candidate",
-        description: "Find SQL tables with zero references in the codebase — no DML queries, no ORM models, no FK references. Candidates for DROP TABLE.",
-        schema: {
-            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            file_pattern: z.string().optional().describe("Scope to SQL files matching pattern"),
-        },
-        handler: async (args) => {
-            const { findOrphanTables } = await import("./tools/sql-tools.js");
-            const opts = {};
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            const result = await findOrphanTables(args.repo, opts);
-            const parts = [];
-            parts.push(`Tables: ${result.total_tables} | Orphans: ${result.orphan_count}`);
-            if (result.orphans.length > 0) {
-                parts.push("");
-                for (const o of result.orphans) {
-                    parts.push(`  ${o.name.padEnd(30)} ${o.column_count} cols  ${o.file}:${o.line}`);
-                }
-            }
-            else {
-                parts.push("No orphan tables found — all tables have at least one reference.");
-            }
-            return parts.join("\n");
-        },
-    },
     {
         name: "search_columns",
         category: "search",
@@ -3734,45 +3496,69 @@ const TOOL_DEFINITIONS = [
             return parts.join("\n");
         },
     },
+    // --- Astro v6 migration check ---
     {
-        name: "analyze_schema_drift",
+        name: "astro_migration_check",
         category: "analysis",
-        searchHint: "schema drift ORM Prisma Drizzle SQL mismatch migration type field comparison database",
-        description: "Detect schema drift between ORM models (Prisma) and SQL schema. Flags fields in ORM not in SQL, SQL columns not in ORM, and type mismatches. Catches 'forgot to run migration' bugs before production.",
+        searchHint: "astro v6 migration upgrade breaking changes compatibility check AM01 AM10 content collections ViewTransitions",
+        description: "Scan an Astro project for v5→v6 breaking changes. Detects 10 issues (AM01–AM10): removed APIs (Astro.glob, emitESMImage), component renames (ViewTransitions→ClientRouter), content collection config changes, Node.js version requirements, Zod 4 deprecations, hybrid output mode, and removed integrations (@astrojs/lit). Returns a migration report with per-issue effort estimates.",
         schema: {
             repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
-            file_pattern: z.string().optional().describe("Scope analysis to files matching pattern"),
+            target_version: z.enum(["6"]).optional().describe("Target Astro version (default: '6')"),
         },
         handler: async (args) => {
-            const { analyzeSchemaDrift } = await import("./tools/sql-tools.js");
-            const opts = {};
-            if (args.file_pattern != null)
-                opts.file_pattern = args.file_pattern;
-            const result = await analyzeSchemaDrift(args.repo, opts);
-            const parts = [];
-            parts.push(`Schema drift: ${result.summary.total} issue${result.summary.total === 1 ? "" : "s"}`);
-            parts.push(`  extra in ORM:     ${result.summary.extra_in_orm}`);
-            parts.push(`  extra in SQL:     ${result.summary.extra_in_sql}`);
-            parts.push(`  type mismatches:  ${result.summary.type_mismatches}`);
-            parts.push(`  ORMs detected:    ${result.orms_detected.join(", ") || "(none)"}`);
-            if (result.warnings.length > 0) {
-                parts.push("");
-                for (const w of result.warnings)
-                    parts.push(`⚠ ${w}`);
+            const mcArgs = {};
+            if (args.repo != null)
+                mcArgs.repo = args.repo;
+            if (args.target_version != null)
+                mcArgs.target_version = args.target_version;
+            const result = await astroMigrationCheck(mcArgs);
+            const lines = [];
+            lines.push(`ASTRO MIGRATION CHECK: v${result.current_version ?? "unknown"} → v${result.target_version}`);
+            lines.push(`Issues: ${result.summary.total_issues} | Estimated: ${result.summary.estimated_migration_hours}`);
+            if (Object.keys(result.summary.by_effort).length > 0) {
+                const effortStr = Object.entries(result.summary.by_effort)
+                    .map(([k, v]) => `${v}×${k}`)
+                    .join(", ");
+                lines.push(`Effort: ${effortStr}`);
             }
-            if (result.drifts.length > 0) {
-                parts.push("");
-                parts.push("─── Drifts ───");
-                for (const d of result.drifts.slice(0, 50)) {
-                    const loc = d.orm_file ? `${d.orm_file}:${d.orm_line}` : (d.sql_file ? `${d.sql_file}:${d.sql_line}` : "");
-                    parts.push(`  [${d.kind}] ${loc}`);
-                    parts.push(`    ${d.detail}`);
-                }
-                if (result.drifts.length > 50) {
-                    parts.push(`  ... and ${result.drifts.length - 50} more`);
+            if (result.breaking_changes.length === 0) {
+                lines.push("\n✓ No v6 breaking changes detected.");
+            }
+            else {
+                lines.push("");
+                for (const issue of result.breaking_changes) {
+                    const sev = issue.severity === "error" ? "✗" : issue.severity === "warning" ? "⚠" : "ℹ";
+                    lines.push(`${sev} ${issue.code} [${issue.category}] — ${issue.message}`);
+                    lines.push(`  effort: ${issue.effort} | files: ${issue.files.slice(0, 3).join(", ")}${issue.files.length > 3 ? ` +${issue.files.length - 3} more` : ""}`);
+                    if (issue.migration_guide)
+                        lines.push(`  guide: ${issue.migration_guide}`);
                 }
             }
-            return parts.join("\n");
+            return lines.join("\n");
+        },
+    },
+    // --- Discovery / concierge ---
+    {
+        name: "plan_turn",
+        category: "discovery",
+        searchHint: "plan turn routing recommend tools symbols files gap analysis session aware concierge",
+        description: "Routes a natural-language query to the most relevant CodeSift tools, symbols, and files. Uses hybrid BM25+semantic ranking with session-aware dedup. Call at the start of a task to get a prioritized action list.",
+        schema: {
+            repo: z.string().optional().describe("Repository identifier (default: auto-detected from CWD)"),
+            query: z.string().describe("Natural-language description of what you want to do"),
+            max_results: z.number().optional().describe("Max tools to return (default 10)"),
+            skip_session: z.boolean().optional().describe("Skip session state checks (default false)"),
+        },
+        handler: async (args) => {
+            const { query, max_results, skip_session } = args;
+            const opts = {};
+            if (max_results !== undefined)
+                opts.max_results = max_results;
+            if (skip_session !== undefined)
+                opts.skip_session = skip_session;
+            const result = await planTurn(args.repo, query, opts);
+            return formatPlanTurnResult(result);
         },
     },
 ];
@@ -3971,9 +3757,6 @@ export function registerTools(server, options) {
     registerShortener("nextjs_route_map", { compact: formatNextjsRouteMapCompact, counts: formatNextjsRouteMapCounts });
     registerShortener("nextjs_metadata_audit", { compact: formatNextjsMetadataAuditCompact, counts: formatNextjsMetadataAuditCounts });
     registerShortener("framework_audit", { compact: formatFrameworkAuditCompact, counts: formatFrameworkAuditCounts });
-    registerShortener("nextjs_audit_server_actions", { compact: formatServerActionsAuditCompact, counts: formatServerActionsAuditCounts });
-    registerShortener("nextjs_api_contract", { compact: formatApiContractCompact, counts: formatApiContractCounts });
-    registerShortener("nextjs_boundary_analyzer", { compact: formatBoundaryAnalyzerCompact, counts: formatBoundaryAnalyzerCounts });
     registerShortener("get_session_context", {
         compact: (raw) => {
             const text = typeof raw === "string" ? raw : JSON.stringify(raw);