edsger 0.63.1 → 0.65.0

package/dist/commands/session-turn/index.d.ts

@@ -4,12 +4,30 @@
  * its own line and free of logger formatting so it parses cleanly.
  */
 export declare const SESSION_ID_MARKER = "__EDSGER_SESSION_ID__=";
+/**
+ * Marker emitted on stdout for each background `cli_*` run still in flight when
+ * the turn ends. The desktop main process parses these, watches each run to
+ * completion (the turn process itself exits immediately), and then re-engages
+ * the agent via `--run-finished` so it reports results without the user having
+ * to ask. The JSON payload is `{ run_id, pid, log_path, command }`.
+ */
+export declare const CLI_RUN_MARKER = "__EDSGER_CLI_RUN__=";
 export interface SessionTurnCliOptions {
     channelId: string;
     productId: string;
     repositoryIds?: string[];
     /** SDK session id from a previous turn, to resume the same conversation. */
     resumeSessionId?: string;
+    /**
+     * Follow-up turn triggered by the desktop watcher when a background `cli_*`
+     * run finishes. When set, the turn is driven by a synthetic prompt instead of
+     * the channel's pending human messages: the agent inspects what the run
+     * produced and reports it to the user.
+     */
+    runFinished?: {
+        runId: string;
+        command?: string;
+    };
     verbose?: boolean;
 }
 export declare function runSessionTurnCommand(options: SessionTurnCliOptions): Promise<void>;

package/dist/commands/session-turn/index.js

@@ -4,6 +4,14 @@
  * its own line and free of logger formatting so it parses cleanly.
  */
 export const SESSION_ID_MARKER = '__EDSGER_SESSION_ID__=';
+/**
+ * Marker emitted on stdout for each background `cli_*` run still in flight when
+ * the turn ends. The desktop main process parses these, watches each run to
+ * completion (the turn process itself exits immediately), and then re-engages
+ * the agent via `--run-finished` so it reports results without the user having
+ * to ask. The JSON payload is `{ run_id, pid, log_path, command }`.
+ */
+export const CLI_RUN_MARKER = '__EDSGER_CLI_RUN__=';
 /**
  * `edsger session-turn <channelId>` — run one conversational agent turn for a
  * chat session (an ai_assistant channel bound to a product).
@@ -17,106 +25,120 @@ export const SESSION_ID_MARKER = '__EDSGER_SESSION_ID__=';
  * there is no fixed pipeline.
  */
 import { query } from '@anthropic-ai/claude-agent-sdk';
-import { createSessionMcpServer } from 'edsger-tools';
+import { buildSessionAgentOptions, buildSessionSystemPrompt, buildSessionUserPrompt, createSessionMcpServer, listActiveCliRuns, loadExternalMcpServers, SESSION_MAX_TURNS, } from 'edsger-tools';
 import { callMcpEndpoint } from '../../api/mcp-client.js';
 import { DEFAULT_MODEL } from '../../constants.js';
 import { getToolDeps } from '../../tools/bootstrap.js';
-import { logError, logInfo, logSuccess } from '../../utils/logger.js';
-const MAX_TURNS = 40;
-function buildSystemPrompt(opts) {
-    const { channelId, productId, repositoryIds } = opts;
-    const repoLine = repositoryIds.length > 0
-        ? repositoryIds.join(', ')
-        : '(none provided — call list_session_repositories to discover them)';
-    return `You are an engineering agent working in a chat session with a user, like a pair-programming assistant.
-
-## This session
-- Session channel_id: ${channelId}
-- Product product_id: ${productId}
-- In-scope repository_ids: ${repoLine}
-
-## How you work
-You are an orchestrator, not a fixed pipeline. Do only what the user asked:
-- A question or status check → just answer (you can read code with Read/Grep/Glob).
-- "Write the test cases" / "add user stories" → use create_user_story / create_test_case / create_test_report. No code.
-- "Check quality" / "find bugs" → launch the matching cli_* tool (asynchronous: it returns a run handle, results appear later; report progress with get_cli_run).
-
-## Implementing code changes (you hand this off — you do NOT write code or open PRs yourself)
-When the user wants code changes:
-1. Optionally list_session_repositories to understand the codebase scope.
-2. create_issue with a clear, implementable description (the product may span multiple repos — say which).
-3. Mark it ready for AI with update_issue_status so the engineering pipeline picks it up, clones the repos, implements the change, and opens the pull request(s).
-4. Tell the user you filed the issue and that the pipeline will produce the PR(s); offer to check status later.
-Only create issues/tasks when the work warrants tracking — a pure question or quality check should not leave an issue behind.
-
-## Talking to the user
-- send_chat_message for explanations, summaries, clarifying questions (channel_id "${channelId}").
-- provide_options when there are 2-4 clear next steps.
-- Be concise; report what you did and what you need.`;
-}
-function buildUserPrompt(messages) {
-    const conversation = messages
-        .map((m) => {
-        const who = m.sender_agent_id
-            ? `[Agent: ${m.sender_name || 'Unknown'}]`
-            : `[${m.sender_name || 'User'}]`;
-        return `${who}: ${m.content}`;
-    })
-        .join('\n\n');
-    return `New message(s) in this session:\n\n${conversation}\n\nDecide what to do and act. Keep the user informed via send_chat_message.`;
+import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
+import { cloneSessionRepos, describeSessionRepos, } from '../../workspace/session-workspace.js';
+/**
+ * Clone (or refresh) the session product's repositories into a local session
+ * directory and produce the agent's cwd + a prompt note describing the layout.
+ *
+ * One session dir holds every repo as a subdirectory; clones are reused across
+ * turns. Best-effort: if nothing can be cloned (no GitHub config, private repo
+ * the token can't reach), the agent still runs — it can answer, file issues,
+ * etc. — just without a checked-out codebase.
+ */
+async function prepareSessionWorkspace(opts) {
+    let workspace = null;
+    try {
+        workspace = await cloneSessionRepos(opts);
+    }
+    catch (error) {
+        logWarning(`Could not prepare session repos: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    return {
+        sessionDir: workspace?.sessionDir,
+        repoScopeNote: workspace ? describeSessionRepos(workspace.repos) : '',
+    };
 }
 export async function runSessionTurnCommand(options) {
-    const { channelId, productId, repositoryIds = [], resumeSessionId, verbose = false, } = options;
+    const { channelId, productId, repositoryIds = [], resumeSessionId, runFinished, verbose = false, } = options;
     // Emit the SDK session id so the desktop can persist it for the next turn.
     const emitSessionId = (id) => {
         if (id) {
             process.stdout.write(`\n${SESSION_ID_MARKER}${id}\n`);
         }
     };
-    // 1. Load the pending human messages that triggered this turn.
-    const pendingResult = (await callMcpEndpoint('chat/messages/pending', {
-        channel_id: channelId,
-    }));
-    const messages = pendingResult.messages ?? [];
-    if (messages.length === 0) {
-        logInfo('No pending messages for this session — nothing to do.');
-        return;
+    // Emit a marker for every background cli_* run still in flight, so the
+    // desktop watcher can poll each to completion and re-engage the agent.
+    const emitActiveCliRuns = () => {
+        for (const run of listActiveCliRuns()) {
+            const payload = JSON.stringify({
+                run_id: run.run_id,
+                pid: run.pid,
+                log_path: run.log_path,
+                command: run.command,
+            });
+            process.stdout.write(`\n${CLI_RUN_MARKER}${payload}\n`);
+        }
+    };
+    // 1. Decide what drives this turn. A normal turn replays the channel's
+    //    pending human messages; a watcher-triggered follow-up replays a
+    //    synthetic prompt about the background run that just finished.
+    let messages = [];
+    if (runFinished) {
+        logInfo(`Reporting completion of background run ${runFinished.runId} for session ${channelId}`);
+    }
+    else {
+        const pendingResult = (await callMcpEndpoint('chat/messages/pending', {
+            channel_id: channelId,
+        }));
+        messages = pendingResult.messages ?? [];
+        if (messages.length === 0) {
+            logInfo('No pending messages for this session — nothing to do.');
+            return;
+        }
+        logInfo(`Processing ${messages.length} message(s) for session ${channelId}`);
     }
-    logInfo(`Processing ${messages.length} message(s) for session ${channelId}`);
-    // 2. Build the session toolbelt + prompts.
+    // 2. Clone the product's in-scope repositories into a local session
+    //    directory so the agent's Read/Grep/Glob can inspect the real code.
+    const { sessionDir, repoScopeNote } = await prepareSessionWorkspace({
+        channelId,
+        productId,
+        repositoryIds,
+        verbose,
+    });
+    // 3. Build the session toolbelt + prompts.
     const deps = getToolDeps({
         verbose,
         context: { productId, channelId, repositoryIds },
     });
     const sessionServer = createSessionMcpServer(deps);
-    const systemPrompt = buildSystemPrompt({
+    // User-configured external MCP servers (~/.edsger/mcp.json). Best-effort.
+    const external = loadExternalMcpServers({ warn: logWarning });
+    if (external.names.length > 0) {
+        logInfo(`External MCP servers: ${external.names.join(', ')}`);
+    }
+    const systemPrompt = buildSessionSystemPrompt({
         channelId,
         productId,
         repositoryIds,
+        repoScopeNote,
+        externalMcpNames: external.names,
     });
-    const userPrompt = buildUserPrompt(messages);
-    // 3. Run one SDK turn. Resume the prior SDK session when we have its id so
-    //    the conversation (and prompt cache) carries across turns.
+    const userPrompt = runFinished
+        ? buildRunFinishedPrompt(runFinished)
+        : buildSessionUserPrompt(messages);
+    // 4. Run one SDK turn. Resume the prior SDK session when we have its id so
+    //    the conversation (and prompt cache) carries across turns. Point the
+    //    agent's cwd at the session directory so its read-only file tools resolve
+    //    against the cloned repos. Prompt + tool/MCP wiring come from the shared
+    //    session core (edsger-tools) so CLI and worker can't drift apart.
     let finalResponse = '';
     let sdkSessionId = resumeSessionId ?? '';
     try {
         for await (const message of query({
             prompt: userPrompt,
             options: {
-                agent: 'session-agent',
-                agents: {
-                    'session-agent': {
-                        description: 'Conversational engineering agent for a session',
-                        prompt: systemPrompt,
-                        maxTurns: MAX_TURNS,
-                        mcpServers: ['edsger-session'],
-                        disallowedTools: ['Edit', 'Write', 'Bash', 'NotebookEdit', 'Agent'],
-                    },
-                },
-                mcpServers: { 'edsger-session': sessionServer },
-                tools: ['Read', 'Grep', 'Glob'],
-                permissionMode: 'bypassPermissions',
-                allowDangerouslySkipPermissions: true,
+                ...buildSessionAgentOptions(systemPrompt, {
+                    sessionServer,
+                    externalServers: external.servers,
+                    externalNames: external.names,
+                    sessionDir,
+                    maxTurns: SESSION_MAX_TURNS,
+                }),
                 model: DEFAULT_MODEL,
                 ...(resumeSessionId ? { resume: resumeSessionId } : {}),
             },
@@ -146,10 +168,11 @@ export async function runSessionTurnCommand(options) {
             metadata: {},
         }).catch(() => undefined);
         emitSessionId(sdkSessionId);
+        emitActiveCliRuns();
         await markProcessed(messages);
         return;
     }
-    // 4. Post the final reply (the agent may also have posted via
+    // 5. Post the final reply (the agent may also have posted via
     //    send_chat_message during the turn; this carries the closing summary).
     const reply = finalResponse.trim();
     if (reply) {
@@ -162,12 +185,27 @@ export async function runSessionTurnCommand(options) {
             logError(`Failed to post reply: ${e instanceof Error ? e.message : String(e)}`);
         });
     }
-    // 5. Mark the triggering messages processed so they aren't re-run.
+    // 6. Mark the triggering messages processed so they aren't re-run. (No-op for
+    //    a watcher follow-up, which has no triggering human messages.)
     await markProcessed(messages);
-    // 6. Emit the SDK session id so the desktop persists it for the next turn.
+    // 7. Emit the SDK session id so the desktop persists it for the next turn,
+    //    plus a marker for any background run launched this turn so the watcher
+    //    keeps following it to completion.
     emitSessionId(sdkSessionId);
+    emitActiveCliRuns();
     logSuccess('Session turn complete.');
 }
+/**
+ * The synthetic user prompt for a watcher-triggered follow-up turn. Steers the
+ * agent to inspect what the finished run produced and report it — explicitly
+ * NOT to ask the user whether it should check.
+ */
+function buildRunFinishedPrompt(runFinished) {
+    const which = runFinished.command
+        ? `the \`${runFinished.command}\` analysis (run ${runFinished.runId})`
+        : `a background analysis you launched earlier (run ${runFinished.runId})`;
+    return `${which} just finished. Inspect what it produced — call get_cli_run with run_id "${runFinished.runId}" for the log tail, then use the list_* / get_* tools (e.g. list_issues) to see the findings it filed. Summarize the results for the user via send_chat_message. Do not ask whether you should check — just report what you found. If nothing of note was produced, say so briefly.`;
+}
 async function markProcessed(messages) {
     for (const m of messages) {
         await callMcpEndpoint('chat/messages/mark_processed', {

package/dist/commands/sync-aws/index.js

@@ -11,7 +11,7 @@
 import { exec as execCb } from 'child_process';
 import { promisify } from 'util';
 import { callMcpEndpoint } from '../../api/mcp-client.js';
-import { logError, logInfo, logSuccess, logWarning } from '../../utils/logger.js';
+import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 const exec = promisify(execCb);
 async function runAwsCmd(args, region) {
     const regionFlag = region ? ` --region ${region}` : '';
@@ -37,7 +37,10 @@ async function checkAwsCli() {
 }
 export async function runSyncAws(teamId, options = {}) {
     const { verbose, noCost } = options;
-    const region = options.region ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION ?? 'us-east-1';
+    const region = options.region ??
+        process.env.AWS_REGION ??
+        process.env.AWS_DEFAULT_REGION ??
+        'us-east-1';
     logInfo(`Starting AWS sync for team ${teamId} (region: ${region})`);
     if (!(await checkAwsCli())) {
         logError('AWS CLI not found. Install it from https://aws.amazon.com/cli/ ' +
@@ -57,7 +60,7 @@ export async function runSyncAws(teamId, options = {}) {
     }
     // ── Phase 1: Resource discovery by Service tag ──
     logInfo('Phase 1: Discovering resources by Service tag...');
-    let resources = [];
+    const resources = [];
     try {
         let paginationToken;
         do {
@@ -79,10 +82,12 @@ export async function runSyncAws(teamId, options = {}) {
     const byService = new Map();
     for (const res of resources) {
         const serviceTag = res.Tags.find((t) => t.Key === 'Service')?.Value;
-        if (!serviceTag)
+        if (!serviceTag) {
             continue;
-        if (!byService.has(serviceTag))
+        }
+        if (!byService.has(serviceTag)) {
             byService.set(serviceTag, []);
+        }
         byService.get(serviceTag).push(res);
     }
     logInfo(`Mapped to ${byService.size} distinct services`);
@@ -92,10 +97,13 @@ export async function runSyncAws(teamId, options = {}) {
     for (const [serviceName, svcResources] of byService) {
         const teamTag = svcResources[0]?.Tags.find((t) => t.Key === 'Team')?.Value;
         // Tier signals
-        const hasMultiAz = svcResources.some((r) => r.ResourceARN.includes(':rds:') || r.ResourceARN.includes(':elasticache:'));
+        const hasMultiAz = svcResources.some((r) => r.ResourceARN.includes(':rds:') ||
+            r.ResourceARN.includes(':elasticache:'));
         const hasLambda = svcResources.some((r) => r.ResourceARN.includes(':lambda:'));
         const hasEcs = svcResources.some((r) => r.ResourceARN.includes(':ecs:'));
-        const tier = hasMultiAz || (hasEcs && svcResources.length > 3) ? 'critical' : 'standard';
+        const tier = hasMultiAz || (hasEcs && svcResources.length > 3)
+            ? 'critical'
+            : 'standard';
         const kind = hasLambda && !hasEcs ? 'job' : 'service';
         if (verbose) {
             logInfo(`  ${serviceName}: ${svcResources.length} resources, tier=${tier}`);
@@ -109,16 +117,36 @@ export async function runSyncAws(teamId, options = {}) {
                 source: 'aws',
                 source_ref: `aws:${region}:${serviceName}`,
                 field_sources: {
-                    name: { value: serviceName, confidence: 1.0, source: 'aws_tag', source_detail: 'Tag:Service' },
-                    tier: { value: tier, confidence: hasMultiAz ? 0.8 : 0.5, source: 'aws_resource_analysis' },
-                    ...(teamTag ? { owner: { value: teamTag, confidence: 0.8, source: 'aws_tag', source_detail: 'Tag:Team' } } : {}),
+                    name: {
+                        value: serviceName,
+                        confidence: 1.0,
+                        source: 'aws_tag',
+                        source_detail: 'Tag:Service',
+                    },
+                    tier: {
+                        value: tier,
+                        confidence: hasMultiAz ? 0.8 : 0.5,
+                        source: 'aws_resource_analysis',
+                    },
+                    ...(teamTag
+                        ? {
+                            owner: {
+                                value: teamTag,
+                                confidence: 0.8,
+                                source: 'aws_tag',
+                                source_detail: 'Tag:Team',
+                            },
+                        }
+                        : {}),
                 },
                 needs_review: false,
             }));
-            if (result.action === 'created')
+            if (result.action === 'created') {
                 created++;
-            else
+            }
+            else {
                 updated++;
+            }
             // Add resource components
             for (const res of svcResources) {
                 const arnParts = res.ResourceARN.split(':');
@@ -164,11 +192,13 @@ export async function runSyncAws(teamId, options = {}) {
             for (const period of parsed.ResultsByTime) {
                 for (const group of period.Groups) {
                     const tagValue = group.Keys[0]?.replace('Service$', '') ?? '';
-                    if (!tagValue || tagValue === '')
+                    if (!tagValue || tagValue === '') {
                         continue;
+                    }
                     const cost = parseFloat(group.Metrics.BlendedCost.Amount);
-                    if (cost <= 0)
+                    if (cost <= 0) {
                         continue;
+                    }
                     if (verbose) {
                         logInfo(`  ${tagValue}: $${cost.toFixed(2)}/month`);
                     }

package/dist/commands/sync-datadog/index.js

@@ -11,40 +11,54 @@
  *   3. Upsert via MCP endpoints (services.upsert_draft, services.add_component)
  */
 import { callMcpEndpoint } from '../../api/mcp-client.js';
-import { logError, logInfo, logSuccess, logWarning } from '../../utils/logger.js';
+import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 function readDatadogEnv() {
     const apiKey = process.env.DD_API_KEY ?? '';
     const appKey = process.env.DD_APP_KEY ?? '';
     const site = process.env.DD_SITE ?? 'datadoghq.com';
     const missing = [];
-    if (!apiKey)
+    if (!apiKey) {
         missing.push('DD_API_KEY');
-    if (!appKey)
+    }
+    if (!appKey) {
         missing.push('DD_APP_KEY');
-    if (missing.length > 0)
+    }
+    if (missing.length > 0) {
         return { ok: false, missing };
+    }
     return { ok: true, env: { apiKey, appKey, site } };
 }
 function mapTier(ddTier) {
-    if (!ddTier)
+    if (!ddTier) {
         return 'standard';
+    }
     const lower = ddTier.toLowerCase();
-    if (lower.includes('1') || lower.includes('critical') || lower.includes('high'))
+    if (lower.includes('1') ||
+        lower.includes('critical') ||
+        lower.includes('high')) {
         return 'critical';
-    if (lower.includes('3') || lower.includes('low') || lower.includes('experiment'))
+    }
+    if (lower.includes('3') ||
+        lower.includes('low') ||
+        lower.includes('experiment')) {
         return 'experimental';
+    }
     return 'standard';
 }
 function mapKind(ddType) {
-    if (!ddType)
+    if (!ddType) {
         return 'service';
+    }
     const lower = ddType.toLowerCase();
-    if (lower === 'web' || lower === 'website' || lower === 'frontend')
+    if (lower === 'web' || lower === 'website' || lower === 'frontend') {
         return 'website';
-    if (lower === 'library' || lower === 'lib')
+    }
+    if (lower === 'library' || lower === 'lib') {
         return 'library';
-    if (lower === 'job' || lower === 'worker' || lower === 'cron')
+    }
+    if (lower === 'job' || lower === 'worker' || lower === 'cron') {
         return 'job';
+    }
     return 'service';
 }
 export async function runSyncDatadog(teamId, options = {}) {
@@ -97,8 +111,9 @@ export async function runSyncDatadog(teamId, options = {}) {
             skipped++;
             continue;
         }
-        if (verbose)
+        if (verbose) {
             logInfo(`Processing: ${name}`);
+        }
         try {
             // Upsert service
             const result = (await callMcpEndpoint('services.upsert_draft', {
@@ -114,21 +129,40 @@ export async function runSyncDatadog(teamId, options = {}) {
                 source_ref: `datadog:${name}`,
                 field_sources: {
                     name: { value: name, confidence: 1.0, source: 'datadog' },
-                    tier: { value: mapTier(schema.tier), confidence: 0.9, source: 'datadog' },
-                    language: { value: schema.languages?.[0], confidence: 1.0, source: 'datadog' },
-                    ...(schema.team ? { owner: { value: schema.team, confidence: 0.9, source: 'datadog' } } : {}),
+                    tier: {
+                        value: mapTier(schema.tier),
+                        confidence: 0.9,
+                        source: 'datadog',
+                    },
+                    language: {
+                        value: schema.languages?.[0],
+                        confidence: 1.0,
+                        source: 'datadog',
+                    },
+                    ...(schema.team
+                        ? {
+                            owner: {
+                                value: schema.team,
+                                confidence: 0.9,
+                                source: 'datadog',
+                            },
+                        }
+                        : {}),
                 },
                 needs_review: false,
             }));
             const serviceId = result.service.id;
-            if (result.action === 'created')
+            if (result.action === 'created') {
                 created++;
-            else
+            }
+            else {
                 updated++;
+            }
             // Add repo components
             for (const repo of schema.repos ?? []) {
-                if (!repo.url)
+                if (!repo.url) {
                     continue;
+                }
                 const repoName = repo.url
                     .replace(/^https?:\/\/github\.com\//, '')
                     .replace(/\.git$/, '');
@@ -143,14 +177,16 @@ export async function runSyncDatadog(teamId, options = {}) {
                     componentCount++;
                 }
                 catch {
-                    if (verbose)
+                    if (verbose) {
                         logWarning(`  Failed to add repo: ${repo.url}`);
+                    }
                 }
             }
             // Add link components (dashboards, runbooks, etc.)
             for (const link of schema.links ?? []) {
-                if (!link.url)
+                if (!link.url) {
                     continue;
+                }
                 const kind = link.type === 'dashboard' || link.type === 'grafana'
                     ? 'dashboard'
                     : link.type === 'runbook' || link.type === 'doc'
@@ -169,8 +205,9 @@ export async function runSyncDatadog(teamId, options = {}) {
                     componentCount++;
                 }
                 catch {
-                    if (verbose)
+                    if (verbose) {
                         logWarning(`  Failed to add link: ${link.url}`);
+                    }
                 }
             }
             // Add Slack channel

package/dist/commands/sync-org-repos/index.js

@@ -4,8 +4,8 @@
  * Reads the team's configured github_org, fetches all repos from that org
  * via the local `gh` CLI, and upserts a repositories row for each repo.
  */
-import { getSupabase, hasSupabaseSession } from '../../supabase/client.js';
 import { syncOrgRepos } from '../../phases/sync-org-repos/index.js';
+import { getSupabase, hasSupabaseSession } from '../../supabase/client.js';
 import { logError, logInfo, logSuccess } from '../../utils/logger.js';
 const ORG_NAME_RE = /^[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
 export async function runSyncOrgRepos(teamId, options = {}) {

package/dist/commands/sync-terraform/index.js

@@ -10,11 +10,11 @@
  * about module structure, variable passing, resource tagging, etc.
  */
 import { execSync } from 'child_process';
-import { mkdtempSync, readFileSync, readdirSync, rmSync, statSync } from 'fs';
+import { mkdtempSync, readdirSync, readFileSync, rmSync, statSync } from 'fs';
 import { tmpdir } from 'os';
 import { join, relative } from 'path';
 import { callMcpEndpoint } from '../../api/mcp-client.js';
-import { logError, logInfo, logSuccess, logWarning } from '../../utils/logger.js';
+import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 export async function runSyncTerraform(teamId, options = {}) {
     const { verbose } = options;
     logInfo(`Starting Terraform sync for team ${teamId}`);
@@ -57,8 +57,9 @@ export async function runSyncTerraform(teamId, options = {}) {
     function walk(dir) {
         try {
             for (const entry of readdirSync(dir)) {
-                if (entry.startsWith('.') || entry === 'node_modules')
+                if (entry.startsWith('.') || entry === 'node_modules') {
                     continue;
+                }
                 const full = join(dir, entry);
                 try {
                     const stat = statSync(full);
@@ -100,8 +101,9 @@ export async function runSyncTerraform(teamId, options = {}) {
             moduleFiles.get(moduleDir).push({ path: relPath, content });
         }
         catch {
-            if (verbose)
+            if (verbose) {
                 logWarning(`Could not read ${relPath}`);
+            }
         }
     }
     logInfo(`Found ${moduleFiles.size} module directories`);
@@ -111,13 +113,14 @@ export async function runSyncTerraform(teamId, options = {}) {
     let components = 0;
     for (const [moduleDir, files] of moduleFiles) {
         // Skip root-level files that are just backend/provider config
-        if (moduleDir === '.' && files.every((f) => /^(backend|provider|versions|terraform)\b/.test(f.path))) {
+        if (moduleDir === '.' &&
+            files.every((f) => /^(backend|provider|versions|terraform)\b/.test(f.path))) {
             continue;
         }
         // Extract service name from module directory
         const moduleName = moduleDir === '.'
-            ? repoFullName?.split('/')[1] ?? 'root'
-            : moduleDir.split('/').pop() ?? moduleDir;
+            ? (repoFullName?.split('/')[1] ?? 'root')
+            : (moduleDir.split('/').pop() ?? moduleDir);
         // Extract resource ARNs and types from .tf content
         const resources = [];
         const tags = {};
@@ -137,18 +140,22 @@ export async function runSyncTerraform(teamId, options = {}) {
                 tags.Team = m[1];
             }
             // Tier signals
-            if (/multi_az\s*=\s*true/i.test(file.content))
+            if (/multi_az\s*=\s*true/i.test(file.content)) {
                 hasMultiAz = true;
-            if (/aws_appautoscaling|autoscaling_group/i.test(file.content))
+            }
+            if (/aws_appautoscaling|autoscaling_group/i.test(file.content)) {
                 hasAutoscaling = true;
+            }
             // Module references (dependencies)
             for (const m of file.content.matchAll(/module\.([a-zA-Z0-9_-]+)\./g)) {
-                if (!moduleRefs.includes(m[1]))
+                if (!moduleRefs.includes(m[1])) {
                     moduleRefs.push(m[1]);
+                }
             }
         }
-        if (resources.length === 0)
+        if (resources.length === 0) {
             continue;
+        }
         const serviceName = tags.Service ?? moduleName;
         const tier = hasMultiAz || hasAutoscaling ? 'critical' : 'standard';
         if (verbose) {
@@ -163,16 +170,35 @@ export async function runSyncTerraform(teamId, options = {}) {
                 source: 'terraform',
                 source_ref: `terraform:${repoFullName ?? localDir}:${moduleDir}`,
                 field_sources: {
-                    name: { value: serviceName, confidence: tags.Service ? 1.0 : 0.7, source: 'terraform', source_detail: moduleDir },
-                    tier: { value: tier, confidence: hasMultiAz ? 0.8 : 0.5, source: 'terraform' },
-                    ...(tags.Team ? { owner: { value: tags.Team, confidence: 0.8, source: 'terraform_tag' } } : {}),
+                    name: {
+                        value: serviceName,
+                        confidence: tags.Service ? 1.0 : 0.7,
+                        source: 'terraform',
+                        source_detail: moduleDir,
+                    },
+                    tier: {
+                        value: tier,
+                        confidence: hasMultiAz ? 0.8 : 0.5,
+                        source: 'terraform',
+                    },
+                    ...(tags.Team
+                        ? {
+                            owner: {
+                                value: tags.Team,
+                                confidence: 0.8,
+                                source: 'terraform_tag',
+                            },
+                        }
+                        : {}),
                 },
                 needs_review: !tags.Service,
             }));
-            if (result.action === 'created')
+            if (result.action === 'created') {
                 created++;
-            else
+            }
+            else {
                 updated++;
+            }
             // Add AWS resource components
             for (const res of resources) {
                 try {
@@ -181,7 +207,11 @@ export async function runSyncTerraform(teamId, options = {}) {
                         kind: 'aws_resource',
                         provider: 'terraform',
                         external_id: `${res.type}.${res.name}`,
-                        metadata: { resource_type: res.type, resource_name: res.name, module: moduleDir },
+                        metadata: {
+                            resource_type: res.type,
+                            resource_name: res.name,
+                            module: moduleDir,
+                        },
                     });
                     components++;
                 }

package/dist/index.js

@@ -441,6 +441,8 @@ program
     .requiredOption('--product <productId>', 'Product the session is bound to')
     .option('--repos <ids>', 'Comma-separated repository IDs the agent may touch', '')
     .option('--resume <sessionId>', 'SDK session id from a previous turn to resume the same conversation')
+    .option('--run-finished <runId>', 'Follow-up turn: report the results of a background cli_* run that finished')
+    .option('--run-command <command>', 'The command name of the finished run (used with --run-finished)')
     .option('-v, --verbose', 'Verbose output')
     .action(async (channelId, opts) => {
     try {
@@ -452,6 +454,9 @@ program
                 .map((s) => s.trim())
                 .filter(Boolean),
             resumeSessionId: opts.resume,
+            runFinished: opts.runFinished
+                ? { runId: opts.runFinished, command: opts.runCommand }
+                : undefined,
             verbose: opts.verbose,
         });
     }

package/dist/phases/chat-processor/product-prompts.d.ts

@@ -1,4 +1,4 @@
 /**
  * System prompts for the product chat AI processor.
  */
-export declare const PRODUCT_CHAT_RESPONSE_PROMPT = "You are an AI assistant embedded in Edsger, a software development platform. You are helping a team manage a product at the product level.\n\n## Your Capabilities\nYou can see the product's current state, all issues (with statuses), and team members. You have tools to:\n- List issues with status filtering\n- Create new issues for the product\n- Get detailed issue information (drill down into any issue)\n- Create tasks for team members (human) or AI\n- Look up product team members by name\n- Send follow-up messages and present options to the user\n\n## How to Respond\n1. **Understand the intent** \u2014 Is this a question about product state, a request to create something, or coordination work?\n2. **Take action if needed** \u2014 Use the appropriate tools to make changes\n3. **Respond concisely** \u2014 Summarize what you understood and what you did\n4. **Ask for clarification** \u2014 If the message is ambiguous, use provide_options to present choices\n\n## Communication Style\n- Respond in the same language the user writes in\n- Be concise but thorough \u2014 no filler text\n- Reference specific issues, statuses, and team members by name\n- When making changes, always explain what you changed and why\n\n## Product-Level Scope\nUnlike issue chat (which focuses on a single issue's lifecycle), you operate at the product level:\n- Answer cross-issue questions (e.g., \"which issues are blocked?\", \"what's our progress?\")\n- Help with product planning and prioritization\n- Create new issues when the user describes new work\n- Coordinate team work by creating and assigning tasks\n- Provide product-wide insights and summaries\n\n## Task Creation\nWhen the user asks to notify someone, assign a review, or request action from a team member:\n1. Use list_product_members to find the person by name\n2. Use create_task with executor=\"human\", the resolved user ID, and the correct action_url\n3. Confirm in chat what you created and who it's assigned to\n\nWhen the user describes work for AI to do:\n1. Use create_task with executor=\"ai\" \u2014 the task worker will pick it up automatically\n\n### Action URL Patterns\nAlways set action_url to link to the most relevant page:\n- Product page: `/products/{product_id}`\n- Issue details: `/products/{product_id}/issues/{issue_id}`\n- Issue tab: `/products/{product_id}/issues/{issue_id}?tab={tab}`\n\n## Important Rules\n- Never make destructive changes without confirmation\n- For ambiguous requests, present options rather than guessing\n- If you can't do something, explain why clearly\n- When creating tasks for people, always confirm the person's identity if the name is ambiguous\n";
+export declare const PRODUCT_CHAT_RESPONSE_PROMPT = "You are an AI assistant embedded in Edsger, a software development platform. You are helping a team manage a product at the product level.\n\n## Your Capabilities\nYou can see the product's current state, all issues (with statuses), and team members. You have tools to:\n- List issues with status filtering\n- Create new issues for the product\n- Get detailed issue information (drill down into any issue)\n- Create tasks for team members (human) or AI\n- Look up product team members by name\n- Send follow-up messages and present options to the user\n- Launch a code analysis of the product's repo (cli_find_bugs / cli_find_smells / cli_find_architecture / cli_find_features) and check a run's progress (get_cli_run)\n\n## Analyzing the code\nYou cannot read the source directly, but you can launch an audit that does. When the user asks about code quality, what to optimize / refactor / improve, bugs, dead code, performance, or architecture, do NOT just speculate from issue titles \u2014 launch the matching analysis:\n- \"what should we optimize / refactor / improve\", code smells, dead code, perf, type-safety \u2192 cli_find_smells\n- bugs / correctness audit \u2192 cli_find_bugs\n- architecture / coupling / layering / cycles \u2192 cli_find_architecture\n- feature opportunities from feedback + code \u2192 cli_find_features\n\nThese run in the background and FILE EACH FINDING AS AN ISSUE \u2014 they do not return results inline. So: launch the run, tell the user it's running and that findings will show up as new issues, and offer to check progress later with get_cli_run (or re-list issues). Don't claim to have analyzed the code yourself.\n\n## How to Respond\n1. **Understand the intent** \u2014 Is this a question about product state, a request to create something, or coordination work?\n2. **Take action if needed** \u2014 Use the appropriate tools to make changes\n3. **Respond concisely** \u2014 Summarize what you understood and what you did\n4. **Ask for clarification** \u2014 If the message is ambiguous, use provide_options to present choices\n\n## Communication Style\n- Respond in the same language the user writes in\n- Be concise but thorough \u2014 no filler text\n- Reference specific issues, statuses, and team members by name\n- When making changes, always explain what you changed and why\n\n## Product-Level Scope\nUnlike issue chat (which focuses on a single issue's lifecycle), you operate at the product level:\n- Answer cross-issue questions (e.g., \"which issues are blocked?\", \"what's our progress?\")\n- Help with product planning and prioritization\n- Create new issues when the user describes new work\n- Coordinate team work by creating and assigning tasks\n- Provide product-wide insights and summaries\n\n## Task Creation\nWhen the user asks to notify someone, assign a review, or request action from a team member:\n1. Use list_product_members to find the person by name\n2. Use create_task with executor=\"human\", the resolved user ID, and the correct action_url\n3. Confirm in chat what you created and who it's assigned to\n\nWhen the user describes work for AI to do:\n1. Use create_task with executor=\"ai\" \u2014 the task worker will pick it up automatically\n\n### Action URL Patterns\nAlways set action_url to link to the most relevant page:\n- Product page: `/products/{product_id}`\n- Issue details: `/products/{product_id}/issues/{issue_id}`\n- Issue tab: `/products/{product_id}/issues/{issue_id}?tab={tab}`\n\n## Important Rules\n- Never make destructive changes without confirmation\n- For ambiguous requests, present options rather than guessing\n- If you can't do something, explain why clearly\n- When creating tasks for people, always confirm the person's identity if the name is ambiguous\n";

package/dist/phases/chat-processor/product-prompts.js

@@ -11,6 +11,16 @@ You can see the product's current state, all issues (with statuses), and team me
 - Create tasks for team members (human) or AI
 - Look up product team members by name
 - Send follow-up messages and present options to the user
+- Launch a code analysis of the product's repo (cli_find_bugs / cli_find_smells / cli_find_architecture / cli_find_features) and check a run's progress (get_cli_run)
+
+## Analyzing the code
+You cannot read the source directly, but you can launch an audit that does. When the user asks about code quality, what to optimize / refactor / improve, bugs, dead code, performance, or architecture, do NOT just speculate from issue titles — launch the matching analysis:
+- "what should we optimize / refactor / improve", code smells, dead code, perf, type-safety → cli_find_smells
+- bugs / correctness audit → cli_find_bugs
+- architecture / coupling / layering / cycles → cli_find_architecture
+- feature opportunities from feedback + code → cli_find_features
+
+These run in the background and FILE EACH FINDING AS AN ISSUE — they do not return results inline. So: launch the run, tell the user it's running and that findings will show up as new issues, and offer to check progress later with get_cli_run (or re-list issues). Don't claim to have analyzed the code yourself.
 
 ## How to Respond
 1. **Understand the intent** — Is this a question about product state, a request to create something, or coordination work?

package/dist/phases/flow-shared/clone-repos.d.ts

@@ -31,6 +31,19 @@ export interface CloneFlowReposFailure {
     ok: false;
     message: string;
 }
+export declare function safeDirName(fullName: string): string;
+/**
+ * Resolve the repositories a flow targets (by id, preserving the stored
+ * order), falling back to the product's primary repo.
+ */
+export declare function resolveTargetRepos(productId: string, repositoryIds: string[], fallback: {
+    owner: string;
+    repo: string;
+}): Promise<{
+    fullName: string;
+    owner: string;
+    repo: string;
+}[]>;
 export declare function cloneFlowRepos(opts: {
     productId: string;
     repositoryIds: string[];

package/dist/phases/flow-shared/clone-repos.js

@@ -17,14 +17,14 @@ import { getGitHubConfigByProduct } from '../../api/github.js';
 import { getSupabase } from '../../supabase/client.js';
 import { logInfo, logWarning } from '../../utils/logger.js';
 import { cloneIssueRepo, ensureWorkspaceDir, getIssueRepoPath, } from '../../workspace/workspace-manager.js';
-function safeDirName(fullName) {
+export function safeDirName(fullName) {
     return fullName.replace(/[^a-zA-Z0-9._-]/g, '_');
 }
 /**
  * Resolve the repositories a flow targets (by id, preserving the stored
  * order), falling back to the product's primary repo.
  */
-async function resolveTargetRepos(productId, repositoryIds, fallback) {
+export async function resolveTargetRepos(productId, repositoryIds, fallback) {
     if (repositoryIds.length === 0) {
         return [
             {
@@ -39,10 +39,7 @@ async function resolveTargetRepos(productId, repositoryIds, fallback) {
         .from('repositories')
         .select('id, full_name')
         .in('id', repositoryIds);
-    const byId = new Map(((data) ?? []).map((r) => [
-        r.id,
-        r.full_name,
-    ]));
+    const byId = new Map((data ?? []).map((r) => [r.id, r.full_name]));
     // Preserve the caller's order (flows.repository_ids is ordered).
     const resolved = [];
     for (const id of repositoryIds) {
@@ -104,7 +101,10 @@ export async function cloneFlowRepos(opts) {
         }
     }
     if (repos.length === 0) {
-        return { ok: false, message: 'Failed to clone any of the selected repositories.' };
+        return {
+            ok: false,
+            message: 'Failed to clone any of the selected repositories.',
+        };
     }
     if (repos.length > 1) {
         logInfo(`Cloned ${repos.length} repos for ${workspaceKey}: ${repos.map((r) => r.fullName).join(', ')}`);

package/dist/phases/sync-org-repos/index.js

@@ -29,8 +29,9 @@ async function fetchOrgRepos(orgLogin, verbose) {
     }
     const repos = [];
     for (const line of stdout.trim().split('\n')) {
-        if (!line)
+        if (!line) {
             continue;
+        }
         try {
             repos.push(JSON.parse(line));
         }

package/dist/workspace/session-workspace.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Session workspace — clones a product's configured repositories into a single
+ * local "session directory", one subdirectory per repo.
+ *
+ * A chat session (an `ai_assistant` channel) is bound to a product, and a
+ * product can span several repositories. For the session agent's read-only
+ * tools (Read / Grep / Glob) to inspect the real code, we clone every in-scope
+ * repo into:
+ *
+ *   <workspace>/sessions/<channelId>/<owner>_<repo>/
+ *
+ * and point the agent's cwd at the per-session directory. The clones are reused
+ * (and fetched) across turns of the same session rather than re-cloned each
+ * time, so follow-up turns are fast and always see the latest code.
+ *
+ * Repo resolution and the secure-token clone are shared with flow generation
+ * (`phases/flow-shared/clone-repos.ts`).
+ */
+import { type ClonedRepo } from '../phases/flow-shared/clone-repos.js';
+export interface SessionWorkspace {
+    /** Directory holding every cloned repo as a subdirectory; the agent's cwd. */
+    sessionDir: string;
+    /** The repos that were successfully cloned/refreshed for this session. */
+    repos: ClonedRepo[];
+}
+/**
+ * Clone (or refresh) every repository the session's product is scoped to into a
+ * single local session directory. Returns the directory to use as the agent's
+ * cwd plus the cloned repos, or `null` when no repo could be made available
+ * (no GitHub config, or every clone failed) so the caller can still run the
+ * agent without a codebase.
+ */
+export declare function cloneSessionRepos(opts: {
+    channelId: string;
+    productId: string;
+    repositoryIds: string[];
+    verbose?: boolean;
+}): Promise<SessionWorkspace | null>;
+/**
+ * Build a note for the agent's system prompt describing where each repo is
+ * checked out, so it points Read / Grep / Glob at the right subdirectory.
+ */
+export declare function describeSessionRepos(repos: ClonedRepo[]): string;

package/dist/workspace/session-workspace.js

@@ -0,0 +1,90 @@
+/**
+ * Session workspace — clones a product's configured repositories into a single
+ * local "session directory", one subdirectory per repo.
+ *
+ * A chat session (an `ai_assistant` channel) is bound to a product, and a
+ * product can span several repositories. For the session agent's read-only
+ * tools (Read / Grep / Glob) to inspect the real code, we clone every in-scope
+ * repo into:
+ *
+ *   <workspace>/sessions/<channelId>/<owner>_<repo>/
+ *
+ * and point the agent's cwd at the per-session directory. The clones are reused
+ * (and fetched) across turns of the same session rather than re-cloned each
+ * time, so follow-up turns are fast and always see the latest code.
+ *
+ * Repo resolution and the secure-token clone are shared with flow generation
+ * (`phases/flow-shared/clone-repos.ts`).
+ */
+import { mkdirSync } from 'fs';
+import { getGitHubConfigByProduct } from '../api/github.js';
+import { resolveTargetRepos, safeDirName, } from '../phases/flow-shared/clone-repos.js';
+import { logInfo, logWarning } from '../utils/logger.js';
+import { cloneIssueRepo, ensureWorkspaceDir, getIssueRepoPath, } from './workspace-manager.js';
+const SESSIONS_DIR_NAME = 'sessions';
+/**
+ * Clone (or refresh) every repository the session's product is scoped to into a
+ * single local session directory. Returns the directory to use as the agent's
+ * cwd plus the cloned repos, or `null` when no repo could be made available
+ * (no GitHub config, or every clone failed) so the caller can still run the
+ * agent without a codebase.
+ */
+export async function cloneSessionRepos(opts) {
+    const { channelId, productId, repositoryIds, verbose } = opts;
+    const gh = await getGitHubConfigByProduct(productId, verbose);
+    if (!gh.configured || !gh.token || !gh.owner || !gh.repo) {
+        logWarning(gh.message ||
+            'No GitHub repository configured for this product; the session agent will run without a codebase.');
+        return null;
+    }
+    // Resolve the in-scope repos (ordered), falling back to the product's
+    // primary repo when none were explicitly selected.
+    const targets = await resolveTargetRepos(productId, repositoryIds, {
+        owner: gh.owner,
+        repo: gh.repo,
+    });
+    const workspaceRoot = ensureWorkspaceDir();
+    const sessionDir = getIssueRepoPath(workspaceRoot, `${SESSIONS_DIR_NAME}/${safeDirName(channelId)}`);
+    // Ensure the per-session parent exists before cloning into subdirectories.
+    mkdirSync(sessionDir, { recursive: true });
+    const repos = [];
+    for (const target of targets) {
+        try {
+            // The product-level token (installation or user PAT/OAuth) is reused for
+            // every repo; if it can't access one, that clone fails and we skip it
+            // rather than aborting the whole session.
+            const { repoPath } = cloneIssueRepo(sessionDir, safeDirName(target.fullName), target.owner, target.repo, gh.token);
+            repos.push({
+                fullName: target.fullName,
+                owner: target.owner,
+                repo: target.repo,
+                dir: repoPath,
+            });
+        }
+        catch (err) {
+            logWarning(`Skipping ${target.fullName}: clone failed (${err instanceof Error ? err.message : String(err)})`);
+        }
+    }
+    if (repos.length === 0) {
+        return null;
+    }
+    logInfo(`Session ${channelId}: ${repos.length} repo(s) ready in ${sessionDir}`);
+    return { sessionDir, repos };
+}
+/**
+ * Build a note for the agent's system prompt describing where each repo is
+ * checked out, so it points Read / Grep / Glob at the right subdirectory.
+ */
+export function describeSessionRepos(repos) {
+    if (repos.length === 0) {
+        return '';
+    }
+    const list = repos.map((r) => `- ${r.fullName} → subdirectory \`${safeDirName(r.fullName)}/\``);
+    return [
+        repos.length === 1
+            ? 'The product code is checked out in your working directory:'
+            : `This product spans ${repos.length} repositories, each checked out as a subdirectory of your working directory:`,
+        ...list,
+        'Use Read / Grep / Glob against these paths to inspect the actual code before answering.',
+    ].join('\n');
+}

package/eslint.config.mjs

@@ -5,6 +5,10 @@ import {
 } from '../edsger-lint/eslint/index.mjs'
 
 export default [
+  // Test-only infra (the node:test→vitest shim) lives outside the src TS
+  // project, so skip it for the type-checked lint.
+  { ignores: ['test/**'] },
+
   ...baseConfig,
 
   // Type-checked rules

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "edsger",
-  "version": "0.63.1",
+  "version": "0.65.0",
   "type": "module",
   "bin": {
     "edsger": "dist/index.js"
@@ -50,8 +50,8 @@
     "commander": "^12.0.0",
     "cosmiconfig": "^9.0.0",
     "dotenv": "^16.4.5",
-    "edsger-contract": "0.6.0",
-    "edsger-tools": "0.6.0",
+    "edsger-contract": "0.7.0",
+    "edsger-tools": "0.8.0",
     "gray-matter": "^4.0.3",
     "zod": "^4.0.0"
   },

package/vitest.config.ts

@@ -1,26 +1,19 @@
+import { fileURLToPath } from 'node:url'
+
 import { defineConfig } from 'vitest/config'
 
 export default defineConfig({
   test: {
-    // Most other __tests__ folders in this package use the node:test API
-    // (assert + node --test), not vitest. Scope vitest to the folders whose
-    // tests are written against `vitest`; migrating the rest can happen
-    // separately.
-    include: [
-      'src/phases/run-sheet/__tests__/**/*.test.ts',
-      'src/phases/code-refine-verification/__tests__/**/*.test.ts',
-      'src/phases/find-bugs/__tests__/**/*.test.ts',
-      'src/phases/find-features/__tests__/**/*.test.ts',
-      'src/phases/find-smells/__tests__/**/*.test.ts',
-      'src/phases/sync-github-issues/__tests__/**/*.test.ts',
-      'src/phases/sync-sentry-issues/__tests__/**/*.test.ts',
-      'src/phases/sync-shared/__tests__/**/*.test.ts',
-      'src/phases/screen-flow/__tests__/**/*.test.ts',
-      'src/phases/recipes/__tests__/**/*.test.ts',
-      'src/types/__tests__/**/*.test.ts',
-      'src/commands/find-smells/__tests__/**/*.test.ts',
-    ],
+    // Run every test under src, including the many files written against the
+    // node:test API — those used to be silently skipped. The `node:test` alias
+    // below lets them run under vitest unchanged.
+    include: ['src/**/__tests__/**/*.test.ts'],
     exclude: ['dist/**', 'node_modules/**'],
     environment: 'node',
+    alias: {
+      'node:test': fileURLToPath(
+        new URL('./test/node-test-shim.ts', import.meta.url)
+      ),
+    },
   },
 })