edsger 0.76.0 → 0.77.0

package/dist/phases/api-docs/types.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Shapes the api-docs MCP tool accepts. The Zod schema lives in mcp-server.ts;
+ * these plain TS types are what the orchestrator / persistence helpers consume.
+ *
+ * Defensive caps mirror the DB CHECK constraints from
+ * 20260605000000_create_api_doc_runs.sql so the MCP tool can reject oversized
+ * output with an actionable message instead of a Postgres constraint violation.
+ */
+/** A spec-compliant OpenAPI document. Kept loose — the agent owns the shape. */
+export type OpenApiSpec = Record<string, unknown>;
+export interface ApiDocsArtifact {
+    /** Parsed OpenAPI document, or null when the repo exposes no HTTP API. */
+    openapi: OpenApiSpec | null;
+    /** Human-readable Markdown API reference (always produced). */
+    markdown: string;
+    /** One-paragraph overview for the tab header. */
+    summary: string;
+    /** Number of documented endpoints/operations (0 for non-HTTP surfaces). */
+    endpointCount: number;
+}
+export declare const API_DOCS_MARKDOWN_MAX = 200000;
+export declare const API_DOCS_SUMMARY_MAX = 1000;

package/dist/phases/api-docs/types.js

@@ -0,0 +1,10 @@
+/**
+ * Shapes the api-docs MCP tool accepts. The Zod schema lives in mcp-server.ts;
+ * these plain TS types are what the orchestrator / persistence helpers consume.
+ *
+ * Defensive caps mirror the DB CHECK constraints from
+ * 20260605000000_create_api_doc_runs.sql so the MCP tool can reject oversized
+ * output with an actionable message instead of a Postgres constraint violation.
+ */
+export const API_DOCS_MARKDOWN_MAX = 200_000;
+export const API_DOCS_SUMMARY_MAX = 1000;

package/dist/phases/find-architecture/index.js

@@ -12,8 +12,11 @@ import { query } from '@anthropic-ai/claude-agent-sdk';
 import { DEFAULT_MODEL } from '../../constants.js';
 import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 import { cleanupIssueRepo, cloneIssueRepo, ensureWorkspaceDir, syncRepoToRef, } from '../../workspace/workspace-manager.js';
+import { resolveScanBase } from '../find-shared/baseline.js';
+import { resolveCustomRules } from '../find-shared/custom-rules.js';
 import { detectDefaultBranch, gitRevParse, isAncestor, listChangedPaths, } from '../find-shared/git.js';
 import { createIssue, fetchOpenIssues, fetchOpenIssuesByRepo, fetchProductBasics, fetchRepositoryBasics, } from '../find-shared/mcp.js';
+import { resolveStackRulePacks } from '../find-shared/rule-config.js';
 import { createPromptGenerator, extractTextFromContent, tryExtractResult, } from '../pr-shared/agent-utils.js';
 import { createFindArchitectureSystemPrompt, createFindArchitectureUserPrompt, } from './prompts.js';
 import { acquireFindArchitectureLock, loadFindArchitectureState, updateFindArchitectureState, } from './state.js';
@@ -33,13 +36,11 @@ const MAX_TURNS = 200;
  */
 // eslint-disable-next-line complexity
 export async function scanForArchitecture(options) {
-    const { productId, repoId, githubToken, owner, repo, full, maxFiles, verbose } = options;
+    const { productId, repoId, githubToken, owner, repo, full, maxFiles, verbose, } = options;
     // State/lock/workspace are keyed by an opaque scope id so product and repo
     // scans never collide; repo keys are prefixed to namespace them clearly.
     const scopeId = productId ?? `repo-${repoId}`;
-    const scopeLabel = productId
-        ? `product ${productId}`
-        : `repository ${repoId}`;
+    const scopeLabel = productId ? `product ${productId}` : `repository ${repoId}`;
     logInfo(`Starting architecture scan for ${scopeLabel} (${owner}/${repo})`);
     const lock = acquireFindArchitectureLock(scopeId);
     if (!lock) {
@@ -63,7 +64,7 @@ export async function scanForArchitecture(options) {
         syncRepoToRef(repoPath, { branch }, githubToken);
         const headSha = gitRevParse(repoPath, 'HEAD');
         const state = loadFindArchitectureState(scopeId);
-        const baseSha = full ? undefined : state.lastScannedCommitSha;
+        const baseSha = await resolveScanBase({ productId, repoId }, { full, lastScannedSha: state.lastScannedCommitSha });
         let scope = 'full';
         let changedPaths;
         if (baseSha && baseSha !== headSha) {
@@ -115,7 +116,12 @@ export async function scanForArchitecture(options) {
             ? await fetchOpenIssues(productId)
             : await fetchOpenIssuesByRepo(repoId);
         logInfo(`Loaded ${existingIssues.length} existing issues for dedup context`);
-        const systemPrompt = createFindArchitectureSystemPrompt();
+        const rulePacks = await resolveStackRulePacks(repoPath, {
+            productId,
+            repoId,
+        });
+        const customRules = await resolveCustomRules({ productId, repoId }, 'architecture');
+        const systemPrompt = createFindArchitectureSystemPrompt(rulePacks, customRules);
         const userPrompt = createFindArchitectureUserPrompt({
             productName: product.name,
             productDescription: product.description,
@@ -241,6 +247,7 @@ async function createIssueForFinding(scope, finding) {
         repoId: scope.repoId,
         title: finding.title,
         description: formatIssueDescription(finding),
+        source: 'quality',
     });
 }
 function formatIssueDescription(finding) {

package/dist/phases/find-architecture/prompts.d.ts

@@ -12,7 +12,8 @@
  *     multiple files: module boundaries, layering, coupling, cycles, missing
  *     or duplicated abstractions, responsibility creep, cross-cutting concerns.
  */
-export declare function createFindArchitectureSystemPrompt(): string;
+import { type RulePack } from '../find-shared/rule-packs.js';
+export declare function createFindArchitectureSystemPrompt(packs?: RulePack[], customRules?: string): string;
 export interface FindArchitectureUserPromptParams {
     productName: string;
     productDescription?: string;

package/dist/phases/find-architecture/prompts.js

@@ -12,7 +12,8 @@
  *     multiple files: module boundaries, layering, coupling, cycles, missing
  *     or duplicated abstractions, responsibility creep, cross-cutting concerns.
  */
-export function createFindArchitectureSystemPrompt() {
+import { renderRulePacks } from '../find-shared/rule-packs.js';
+export function createFindArchitectureSystemPrompt(packs = [], customRules = '') {
     return `You are a senior staff engineer auditing a codebase for **architectural problems and improvement opportunities**. You have read-only access via Read/Grep/Glob and may run shallow Bash queries (e.g. \`git log\`, \`wc -l\`, \`grep\`) to navigate.
 
 **What counts as an architectural finding worth filing**:
@@ -26,7 +27,7 @@ export function createFindArchitectureSystemPrompt() {
 8. **Responsibility creep**: a service / component that started focused and now does five things
 9. **Cross-cutting concerns**: logging, auth, retries, error handling implemented inconsistently across modules
 10. **Inconsistency**: same problem solved different ways in different parts of the codebase, drifting conventions
-11. **Scalability shape**: data-flow / control-flow patterns that won't survive the next obvious axis of growth
+11. **Scalability shape**: data-flow / control-flow patterns that won't survive the next obvious axis of growth${renderRulePacks(packs, 'architecture')}${customRules}
 
 **What does NOT count** (skip these — wrong tool):
 - Real bugs (security holes, logic errors, races, data corruption) — those belong in \`edsger find-bugs\`. **Don't drop them silently — list them in \`deferred_to_bugs\`.**

package/dist/phases/find-bugs/index.js

@@ -7,6 +7,7 @@ import { query } from '@anthropic-ai/claude-agent-sdk';
 import { DEFAULT_MODEL } from '../../constants.js';
 import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 import { cleanupIssueRepo, cloneIssueRepo, ensureWorkspaceDir, syncRepoToRef, } from '../../workspace/workspace-manager.js';
+import { resolveScanBase } from '../find-shared/baseline.js';
 import { detectDefaultBranch, gitRevParse, isAncestor, listChangedPaths, } from '../find-shared/git.js';
 import { createIssue, fetchOpenIssues, fetchOpenIssuesByRepo, fetchProductBasics, fetchRepositoryBasics, } from '../find-shared/mcp.js';
 import { createPromptGenerator, extractTextFromContent, tryExtractResult, } from '../pr-shared/agent-utils.js';
@@ -65,7 +66,7 @@ export async function scanForBugs(options) {
         syncRepoToRef(repoPath, { branch }, githubToken);
         const headSha = gitRevParse(repoPath, 'HEAD');
         const state = loadFindBugsState(scopeId);
-        const baseSha = full ? undefined : state.lastScannedCommitSha;
+        const baseSha = await resolveScanBase({ productId, repoId }, { full, lastScannedSha: state.lastScannedCommitSha });
         let scope = 'full';
         let changedPaths;
         if (baseSha && baseSha !== headSha) {
@@ -218,6 +219,7 @@ async function createIssueForBug(scope, bug) {
         repoId: scope.repoId,
         title: bug.title,
         description: formatIssueDescription(bug),
+        source: 'quality',
     });
 }
 function formatIssueDescription(bug) {

package/dist/phases/find-shared/baseline.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Server-side scan baseline, shared across the find-* phases.
+ *
+ * A baseline pins a commit as the "everything before here is acknowledged"
+ * floor for a scope. On a fresh scan (no machine-local scan-state cursor) the
+ * find-* scanners use it as the diff base so only findings in code changed
+ * since the baseline are reported — the "only new" view DCM-style baselines
+ * provide — instead of re-filing the entire pre-existing backlog.
+ *
+ * Read here via the user's supabase session; written from the desktop app
+ * (services/db/quality-baselines.ts). Stored in `quality_scan_baselines`.
+ */
+export interface ScanScope {
+    productId?: string;
+    repoId?: string;
+}
+/**
+ * Resolve the diff base for a scan, given the explicit `--full` flag, the
+ * machine-local last-scanned cursor, and the server baseline. Pure + exported
+ * for testing.
+ *
+ * - `--full` always wins → undefined (scan everything, ignore baseline).
+ * - otherwise prefer the local cursor (normal incremental), falling back to
+ *   the baseline so a fresh checkout still suppresses the pre-existing backlog.
+ */
+export declare function resolveScanBaseSha(opts: {
+    full?: boolean;
+    lastScannedSha?: string;
+    baselineSha?: string | null;
+}): string | undefined;
+/**
+ * Fetch the pinned baseline commit for a scope, or null if none is set / no
+ * session is available. Never throws — a baseline read failure must not abort
+ * a scan (it just degrades to a full scan).
+ */
+export declare function getScanBaseline(scope: ScanScope): Promise<string | null>;
+/**
+ * Fetch the baseline and resolve the scan's diff base in one call, logging when
+ * the baseline floor is applied on a fresh checkout. Shared by every find-*
+ * phase so the baseline wiring lives in one place.
+ */
+export declare function resolveScanBase(scope: ScanScope, opts: {
+    full?: boolean;
+    lastScannedSha?: string;
+}): Promise<string | undefined>;

package/dist/phases/find-shared/baseline.js

@@ -0,0 +1,56 @@
+/**
+ * Server-side scan baseline, shared across the find-* phases.
+ *
+ * A baseline pins a commit as the "everything before here is acknowledged"
+ * floor for a scope. On a fresh scan (no machine-local scan-state cursor) the
+ * find-* scanners use it as the diff base so only findings in code changed
+ * since the baseline are reported — the "only new" view DCM-style baselines
+ * provide — instead of re-filing the entire pre-existing backlog.
+ *
+ * Read here via the user's supabase session; written from the desktop app
+ * (services/db/quality-baselines.ts). Stored in `quality_scan_baselines`.
+ */
+import { logInfo } from '../../utils/logger.js';
+import { readScopedRow } from './scoped-read.js';
+/**
+ * Resolve the diff base for a scan, given the explicit `--full` flag, the
+ * machine-local last-scanned cursor, and the server baseline. Pure + exported
+ * for testing.
+ *
+ * - `--full` always wins → undefined (scan everything, ignore baseline).
+ * - otherwise prefer the local cursor (normal incremental), falling back to
+ *   the baseline so a fresh checkout still suppresses the pre-existing backlog.
+ */
+export function resolveScanBaseSha(opts) {
+    if (opts.full) {
+        return undefined;
+    }
+    // `||` (not `??`) so an empty-string cursor falls through to the baseline.
+    return opts.lastScannedSha || opts.baselineSha || undefined;
+}
+/**
+ * Fetch the pinned baseline commit for a scope, or null if none is set / no
+ * session is available. Never throws — a baseline read failure must not abort
+ * a scan (it just degrades to a full scan).
+ */
+export async function getScanBaseline(scope) {
+    const row = await readScopedRow('quality_scan_baselines', 'baseline_commit_sha', scope);
+    return row?.baseline_commit_sha ?? null;
+}
+/**
+ * Fetch the baseline and resolve the scan's diff base in one call, logging when
+ * the baseline floor is applied on a fresh checkout. Shared by every find-*
+ * phase so the baseline wiring lives in one place.
+ */
+export async function resolveScanBase(scope, opts) {
+    const baselineSha = await getScanBaseline(scope);
+    const baseSha = resolveScanBaseSha({
+        full: opts.full,
+        lastScannedSha: opts.lastScannedSha,
+        baselineSha,
+    });
+    if (!opts.full && !opts.lastScannedSha && baselineSha) {
+        logInfo(`No local scan history; using server baseline ${baselineSha.slice(0, 8)} — reporting only findings new since the baseline.`);
+    }
+    return baseSha;
+}

package/dist/phases/find-shared/custom-rules.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Per-scope user-authored custom rules, shared across the find-* phases.
+ *
+ * Where the built-in rule packs (rule-packs.ts) ship stack-specific guidance,
+ * custom rules let a team write their *own* checks in natural language — the
+ * configurable-rules / CQLinq capability NDepend-style tools expose, without
+ * the query language. Each enabled rule's guidance is appended to the relevant
+ * scanner's system prompt so the agent flags violations like any other finding.
+ *
+ * Read here from the user's supabase session; authored from the desktop app
+ * (services/db/quality-custom-rules.ts). Stored in `quality_custom_rules`.
+ */
+import type { ScanScope } from './baseline.js';
+import type { FindPhaseKind } from './rule-packs.js';
+/** Phases that consume injected custom-rule guidance today. */
+export type CustomRulePhase = Extract<FindPhaseKind, 'smells' | 'architecture'>;
+export interface CustomRule {
+    label: string;
+    guidance: string;
+}
+/**
+ * Fetch the enabled custom rules for a scope + phase, oldest first. Never
+ * throws — a read failure (or no session) must not abort a scan; it just means
+ * no custom rules are injected.
+ */
+export declare function getCustomRules(scope: ScanScope, phase: CustomRulePhase): Promise<CustomRule[]>;
+/**
+ * Render custom rules into a markdown block for appending to a find-* system
+ * prompt. Returns '' when there are none, so callers can concatenate
+ * unconditionally (same contract as renderRulePacks). Pure + exported for
+ * testing.
+ */
+export declare function renderCustomRules(rules: CustomRule[]): string;
+/**
+ * Fetch + render the scope's custom rules for a phase in one call, logging how
+ * many were applied. Shared by the rule-consuming phases so the wiring lives in
+ * one place. Returns the markdown block ('' when none apply).
+ */
+export declare function resolveCustomRules(scope: ScanScope, phase: CustomRulePhase): Promise<string>;

package/dist/phases/find-shared/custom-rules.js

@@ -0,0 +1,75 @@
+/**
+ * Per-scope user-authored custom rules, shared across the find-* phases.
+ *
+ * Where the built-in rule packs (rule-packs.ts) ship stack-specific guidance,
+ * custom rules let a team write their *own* checks in natural language — the
+ * configurable-rules / CQLinq capability NDepend-style tools expose, without
+ * the query language. Each enabled rule's guidance is appended to the relevant
+ * scanner's system prompt so the agent flags violations like any other finding.
+ *
+ * Read here from the user's supabase session; authored from the desktop app
+ * (services/db/quality-custom-rules.ts). Stored in `quality_custom_rules`.
+ */
+import { getSupabase, hasSupabaseSession } from '../../supabase/client.js';
+import { logInfo, logWarning } from '../../utils/logger.js';
+/**
+ * Fetch the enabled custom rules for a scope + phase, oldest first. Never
+ * throws — a read failure (or no session) must not abort a scan; it just means
+ * no custom rules are injected.
+ */
+export async function getCustomRules(scope, phase) {
+    if (!hasSupabaseSession()) {
+        return [];
+    }
+    try {
+        const query = getSupabase()
+            .from('quality_custom_rules')
+            .select('label, guidance')
+            .eq('phase', phase)
+            .eq('enabled', true);
+        const scoped = scope.productId
+            ? query.eq('product_id', scope.productId)
+            : query.eq('repository_id', scope.repoId);
+        const { data, error } = await scoped.order('created_at', {
+            ascending: true,
+        });
+        if (error) {
+            logWarning(`Could not read quality_custom_rules: ${error.message}`);
+            return [];
+        }
+        return data ?? [];
+    }
+    catch (err) {
+        logWarning(`Could not read quality_custom_rules: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+}
+/**
+ * Render custom rules into a markdown block for appending to a find-* system
+ * prompt. Returns '' when there are none, so callers can concatenate
+ * unconditionally (same contract as renderRulePacks). Pure + exported for
+ * testing.
+ */
+export function renderCustomRules(rules) {
+    if (rules.length === 0) {
+        return '';
+    }
+    const sections = rules
+        .map((r) => `### ${r.label}\n${r.guidance}`)
+        .join('\n\n');
+    return `\n\n**Custom rules** — this team has defined the following project-specific checks. Treat each as an additional category, applying the same severity rubric and output format as the generic categories above:\n\n${sections}`;
+}
+/**
+ * Fetch + render the scope's custom rules for a phase in one call, logging how
+ * many were applied. Shared by the rule-consuming phases so the wiring lives in
+ * one place. Returns the markdown block ('' when none apply).
+ */
+export async function resolveCustomRules(scope, phase) {
+    const rules = await getCustomRules(scope, phase);
+    if (rules.length > 0) {
+        logInfo(`Applying ${rules.length} custom ${phase} rule(s): ${rules
+            .map((r) => r.label)
+            .join(', ')}`);
+    }
+    return renderCustomRules(rules);
+}

package/dist/phases/find-shared/detect-context.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Deterministic project-context detection, shared across the find-* phases.
+ *
+ * The find-* auditors are LLM-driven and already language-agnostic for the
+ * generic smell/bug/architecture categories — the agent reads whatever source
+ * is in the repo. This module adds the missing piece needed for *targeted*,
+ * stack-specific rules: a cheap, no-LLM detection of which languages and
+ * frameworks a repository actually contains, so the right rule packs (see
+ * `rule-packs.ts`) can be selected and injected into the system prompt.
+ *
+ * It mirrors the role that Phase 1 detection plays for `quality-benchmark`,
+ * but stays deterministic (manifest-file inspection only) so a scan never pays
+ * an extra model round-trip just to figure out the stack.
+ *
+ * Polyglot repos are first-class: a monorepo with `apps/mobile/pubspec.yaml`
+ * and `services/api/go.mod` resolves to `{ languages: ['dart','go'],
+ * frameworks: ['flutter'] }`, and every matching rule pack is selected.
+ *
+ * Detection is best-effort and must never throw — a malformed manifest simply
+ * contributes nothing.
+ */
+/**
+ * Detected stack for a repository. Values are lowercased so callers can do
+ * case-insensitive set membership without re-normalising — same convention as
+ * `selectToolsForContext` in the quality-benchmark tool catalog.
+ */
+export interface ProjectContext {
+    /** Languages present, e.g. ['dart', 'go', 'ts']. */
+    languages: string[];
+    /** Frameworks present, e.g. ['flutter', 'react']. */
+    frameworks: string[];
+    /** Marker filenames that were found, e.g. ['pubspec.yaml', 'package.json']. */
+    files_present: string[];
+}
+/**
+ * Detect the languages and frameworks present in a repository checkout.
+ *
+ * @param repoRoot absolute path to the repo checkout (cwd of the auditor).
+ */
+export declare function detectProjectContext(repoRoot: string): ProjectContext;

package/dist/phases/find-shared/detect-context.js

@@ -0,0 +1,247 @@
+/**
+ * Deterministic project-context detection, shared across the find-* phases.
+ *
+ * The find-* auditors are LLM-driven and already language-agnostic for the
+ * generic smell/bug/architecture categories — the agent reads whatever source
+ * is in the repo. This module adds the missing piece needed for *targeted*,
+ * stack-specific rules: a cheap, no-LLM detection of which languages and
+ * frameworks a repository actually contains, so the right rule packs (see
+ * `rule-packs.ts`) can be selected and injected into the system prompt.
+ *
+ * It mirrors the role that Phase 1 detection plays for `quality-benchmark`,
+ * but stays deterministic (manifest-file inspection only) so a scan never pays
+ * an extra model round-trip just to figure out the stack.
+ *
+ * Polyglot repos are first-class: a monorepo with `apps/mobile/pubspec.yaml`
+ * and `services/api/go.mod` resolves to `{ languages: ['dart','go'],
+ * frameworks: ['flutter'] }`, and every matching rule pack is selected.
+ *
+ * Detection is best-effort and must never throw — a malformed manifest simply
+ * contributes nothing.
+ */
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+/** Directories never worth walking — vendored, generated, or VCS metadata. */
+const SKIP_DIRS = new Set([
+    'node_modules',
+    '.git',
+    'dist',
+    'build',
+    'out',
+    '.next',
+    '.dart_tool',
+    'target',
+    'vendor',
+    'Pods',
+    '.gradle',
+    '__pycache__',
+    '.venv',
+    'venv',
+]);
+/**
+ * How deep to walk looking for manifest files. Root + a couple of levels
+ * catches the common monorepo layouts (`apps/<x>/`, `packages/<x>/`,
+ * `services/<x>/`) without descending into the whole tree.
+ */
+const MAX_DEPTH = 3;
+/**
+ * Walk the repo (bounded depth, skipping vendored dirs) and collect the
+ * absolute paths of every manifest file we know how to read. Defensive: any
+ * unreadable directory is skipped silently.
+ */
+function collectManifests(repoRoot) {
+    // marker filename → list of absolute paths where it was found
+    const found = new Map();
+    const record = (marker, absPath) => {
+        const list = found.get(marker) ?? [];
+        list.push(absPath);
+        found.set(marker, list);
+    };
+    const walk = (dir, depth) => {
+        if (depth > MAX_DEPTH) {
+            return;
+        }
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const abs = join(dir, entry);
+            let isDir = false;
+            try {
+                isDir = statSync(abs).isDirectory();
+            }
+            catch {
+                continue;
+            }
+            if (isDir) {
+                if (!SKIP_DIRS.has(entry) && !entry.startsWith('.')) {
+                    walk(abs, depth + 1);
+                }
+                continue;
+            }
+            // File: record exact-name and extension-based markers.
+            if (MARKER_FILES.has(entry)) {
+                record(entry, abs);
+            }
+            else if (entry.endsWith('.csproj')) {
+                record('*.csproj', abs);
+            }
+            else if (entry.endsWith('.gemspec')) {
+                record('*.gemspec', abs);
+            }
+        }
+    };
+    walk(repoRoot, 0);
+    return found;
+}
+/** Exact-name manifest files we look for. */
+const MARKER_FILES = new Set([
+    'pubspec.yaml',
+    'package.json',
+    'tsconfig.json',
+    'go.mod',
+    'Cargo.toml',
+    'pyproject.toml',
+    'requirements.txt',
+    'setup.py',
+    'Pipfile',
+    'Gemfile',
+    'pom.xml',
+    'build.gradle',
+    'build.gradle.kts',
+]);
+function safeRead(paths) {
+    if (!paths || paths.length === 0) {
+        return '';
+    }
+    let out = '';
+    for (const p of paths) {
+        try {
+            out += `\n${readFileSync(p, 'utf-8')}`;
+        }
+        catch {
+            // unreadable manifest contributes nothing
+        }
+    }
+    return out;
+}
+/** Add every framework whose marker regex matches `haystack`. */
+function addFrameworks(frameworks, haystack, markers) {
+    for (const [re, name] of markers) {
+        if (re.test(haystack)) {
+            frameworks.add(name);
+        }
+    }
+}
+function detectDart({ manifests, languages, frameworks }) {
+    if (!manifests.has('pubspec.yaml')) {
+        return;
+    }
+    languages.add('dart');
+    const pubspec = safeRead(manifests.get('pubspec.yaml'));
+    // Flutter projects declare `flutter:` as a dependency / SDK constraint.
+    if (/\bflutter\s*:/.test(pubspec) || /sdk:\s*flutter/.test(pubspec)) {
+        frameworks.add('flutter');
+    }
+}
+const JS_FRAMEWORK_MARKERS = [
+    [/"react-native"\s*:/, 'react-native'],
+    [/"react"\s*:/, 'react'],
+    [/"next"\s*:/, 'next'],
+    [/"vue"\s*:/, 'vue'],
+    [/"@angular\/core"\s*:/, 'angular'],
+    [/"svelte"\s*:/, 'svelte'],
+    [/"express"\s*:/, 'express'],
+    [/"@nestjs\/core"\s*:/, 'nest'],
+];
+function detectJsTs({ manifests, languages, frameworks }) {
+    if (!manifests.has('package.json')) {
+        return;
+    }
+    languages.add('js');
+    const pkg = safeRead(manifests.get('package.json'));
+    if (manifests.has('tsconfig.json') || /"typescript"\s*:/.test(pkg)) {
+        languages.add('ts');
+    }
+    addFrameworks(frameworks, pkg, JS_FRAMEWORK_MARKERS);
+}
+const PY_FRAMEWORK_MARKERS = [
+    [/\bdjango\b/i, 'django'],
+    [/\bfastapi\b/i, 'fastapi'],
+    [/\bflask\b/i, 'flask'],
+];
+function detectPython({ manifests, languages, frameworks }) {
+    const hasPy = manifests.has('pyproject.toml') ||
+        manifests.has('requirements.txt') ||
+        manifests.has('setup.py') ||
+        manifests.has('Pipfile');
+    if (!hasPy) {
+        return;
+    }
+    languages.add('py');
+    const py = safeRead(manifests.get('pyproject.toml')) +
+        safeRead(manifests.get('requirements.txt')) +
+        safeRead(manifests.get('Pipfile'));
+    addFrameworks(frameworks, py, PY_FRAMEWORK_MARKERS);
+}
+function detectRuby({ manifests, languages, frameworks }) {
+    if (!manifests.has('Gemfile') && !manifests.has('*.gemspec')) {
+        return;
+    }
+    languages.add('ruby');
+    if (/\brails\b/i.test(safeRead(manifests.get('Gemfile')))) {
+        frameworks.add('rails');
+    }
+}
+function detectJvm({ manifests, languages }) {
+    const hasJvm = manifests.has('pom.xml') ||
+        manifests.has('build.gradle') ||
+        manifests.has('build.gradle.kts');
+    if (!hasJvm) {
+        return;
+    }
+    languages.add('java');
+    const gradle = safeRead(manifests.get('build.gradle')) +
+        safeRead(manifests.get('build.gradle.kts'));
+    if (manifests.has('build.gradle.kts') || /\bkotlin\b/i.test(gradle)) {
+        languages.add('kotlin');
+    }
+}
+/** Single-marker languages with no framework inference. */
+const SIMPLE_LANGUAGES = [
+    ['go.mod', 'go'],
+    ['Cargo.toml', 'rust'],
+    ['*.csproj', 'cs'],
+];
+/**
+ * Detect the languages and frameworks present in a repository checkout.
+ *
+ * @param repoRoot absolute path to the repo checkout (cwd of the auditor).
+ */
+export function detectProjectContext(repoRoot) {
+    const manifests = collectManifests(repoRoot);
+    const acc = {
+        manifests,
+        languages: new Set(),
+        frameworks: new Set(),
+    };
+    for (const [marker, lang] of SIMPLE_LANGUAGES) {
+        if (manifests.has(marker)) {
+            acc.languages.add(lang);
+        }
+    }
+    detectDart(acc);
+    detectJsTs(acc);
+    detectPython(acc);
+    detectRuby(acc);
+    detectJvm(acc);
+    return {
+        languages: [...acc.languages],
+        frameworks: [...acc.frameworks],
+        files_present: [...manifests.keys()],
+    };
+}

package/dist/phases/find-shared/mcp.d.ts

@@ -38,6 +38,12 @@ export interface CreateIssueInput {
     title: string;
     /** Already-formatted markdown body. The caller decides the layout. */
     description: string;
+    /**
+     * Origin tag written to `issues.source`. Omit to accept the DB default
+     * ('manual'). The find-* scanners pass 'quality' so automated findings can be
+     * told apart from hand-written and externally-synced issues.
+     */
+    source?: string;
 }
 /**
  * File a new issue via MCP. The issue is scoped to a product OR a single