glassbox 0.1.3 → 0.2.0

package/dist/cli.js

@@ -1,19 +1,47 @@
 #!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 
 // src/db/connection.ts
+var connection_exports = {};
+__export(connection_exports, {
+  getDb: () => getDb
+});
 import { PGlite } from "@electric-sql/pglite";
-import { mkdirSync } from "fs";
+import { mkdirSync, rmSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
-var dataDir = join(homedir(), ".glassbox", "data");
-mkdirSync(dataDir, { recursive: true });
-var db = null;
 async function getDb() {
   if (db) return db;
-  db = new PGlite(join(dataDir, "reviews"));
-  await db.waitReady;
-  await initSchema(db);
-  return db;
+  try {
+    db = new PGlite(dbPath);
+    await db.waitReady;
+    await initSchema(db);
+    return db;
+  } catch (err) {
+    db = null;
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("Aborted") || message.includes("RuntimeError")) {
+      console.error("Database appears to be corrupt. Recreating...");
+      console.error("(Previous review data will be lost.)");
+      try {
+        rmSync(dbPath, { recursive: true, force: true });
+      } catch {
+      }
+      db = new PGlite(dbPath);
+      await db.waitReady;
+      await initSchema(db);
+      return db;
+    }
+    throw err;
+  }
 }
 async function initSchema(db2) {
   await db2.exec(`
@@ -55,21 +83,99 @@ async function initSchema(db2) {
 
     CREATE INDEX IF NOT EXISTS idx_annotations_file ON annotations(review_file_id);
   `);
-  try {
-    await db2.exec("ALTER TABLE reviews ADD COLUMN head_commit TEXT");
-  } catch {
-  }
-  try {
-    await db2.exec("ALTER TABLE annotations ADD COLUMN is_stale BOOLEAN NOT NULL DEFAULT FALSE");
-  } catch {
-  }
-  try {
-    await db2.exec("ALTER TABLE annotations ADD COLUMN original_content TEXT");
-  } catch {
+  await db2.exec(`
+    CREATE TABLE IF NOT EXISTS ai_analyses (
+      id TEXT PRIMARY KEY,
+      review_id TEXT NOT NULL REFERENCES reviews(id) ON DELETE CASCADE,
+      analysis_type TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'pending',
+      error_message TEXT,
+      created_at TIMESTAMP NOT NULL DEFAULT NOW(),
+      updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_ai_analyses_review ON ai_analyses(review_id);
+
+    CREATE TABLE IF NOT EXISTS ai_file_scores (
+      id TEXT PRIMARY KEY,
+      analysis_id TEXT NOT NULL REFERENCES ai_analyses(id) ON DELETE CASCADE,
+      review_file_id TEXT NOT NULL,
+      file_path TEXT NOT NULL,
+      sort_order INTEGER NOT NULL DEFAULT 0,
+      aggregate_score REAL,
+      rationale TEXT,
+      dimension_scores TEXT,
+      notes TEXT,
+      created_at TIMESTAMP NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_ai_file_scores_analysis ON ai_file_scores(analysis_id);
+
+    CREATE TABLE IF NOT EXISTS user_preferences (
+      id TEXT PRIMARY KEY DEFAULT 'singleton',
+      sort_mode TEXT NOT NULL DEFAULT 'folder',
+      risk_sort_dimension TEXT NOT NULL DEFAULT 'aggregate',
+      show_risk_scores BOOLEAN NOT NULL DEFAULT FALSE
+    );
+  `);
+  await addColumnIfMissing(db2, "reviews", "head_commit", "TEXT");
+  await addColumnIfMissing(db2, "annotations", "is_stale", "BOOLEAN NOT NULL DEFAULT FALSE");
+  await addColumnIfMissing(db2, "annotations", "original_content", "TEXT");
+  await addColumnIfMissing(db2, "ai_file_scores", "notes", "TEXT");
+  await addColumnIfMissing(db2, "ai_analyses", "progress_completed", "INTEGER NOT NULL DEFAULT 0");
+  await addColumnIfMissing(db2, "ai_analyses", "progress_total", "INTEGER NOT NULL DEFAULT 0");
+  await db2.exec(
+    `UPDATE ai_analyses SET status = 'failed', error_message = 'Interrupted (server restarted)' WHERE status = 'running'`
+  );
+}
+async function addColumnIfMissing(db2, table, column, definition) {
+  const result = await db2.query(
+    `SELECT column_name FROM information_schema.columns WHERE table_name = $1 AND column_name = $2`,
+    [table, column]
+  );
+  if (result.rows.length === 0) {
+    await db2.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${definition}`);
   }
 }
+var dataDir, dbPath, db;
+var init_connection = __esm({
+  "src/db/connection.ts"() {
+    "use strict";
+    dataDir = join(homedir(), ".glassbox", "data");
+    mkdirSync(dataDir, { recursive: true });
+    dbPath = join(dataDir, "reviews");
+    db = null;
+  }
+});
 
 // src/db/queries.ts
+var queries_exports = {};
+__export(queries_exports, {
+  addAnnotation: () => addAnnotation,
+  addReviewFile: () => addReviewFile,
+  createReview: () => createReview,
+  deleteAnnotation: () => deleteAnnotation,
+  deleteReview: () => deleteReview,
+  deleteReviewFile: () => deleteReviewFile,
+  deleteStaleAnnotations: () => deleteStaleAnnotations,
+  getAnnotationsForFile: () => getAnnotationsForFile,
+  getAnnotationsForReview: () => getAnnotationsForReview,
+  getLatestInProgressReview: () => getLatestInProgressReview,
+  getReview: () => getReview,
+  getReviewFile: () => getReviewFile,
+  getReviewFiles: () => getReviewFiles,
+  getStaleCountsForReview: () => getStaleCountsForReview,
+  keepAllStaleAnnotations: () => keepAllStaleAnnotations,
+  listReviews: () => listReviews,
+  markAnnotationCurrent: () => markAnnotationCurrent,
+  markAnnotationStale: () => markAnnotationStale,
+  moveAnnotation: () => moveAnnotation,
+  updateAnnotation: () => updateAnnotation,
+  updateFileDiff: () => updateFileDiff,
+  updateFileStatus: () => updateFileStatus,
+  updateReviewHead: () => updateReviewHead,
+  updateReviewStatus: () => updateReviewStatus
+});
 function generateId() {
   return Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
 }
@@ -254,14 +360,913 @@ async function getStaleCountsForReview(reviewId) {
   }
   return counts;
 }
+var init_queries = __esm({
+  "src/db/queries.ts"() {
+    "use strict";
+    init_connection();
+  }
+});
 
-// src/git/diff.ts
+// src/cli.ts
+init_queries();
+
+// src/debug.ts
+var debugEnabled = false;
+var aiServiceTestEnabled = false;
+var demoMode = null;
+function setDebug(enabled) {
+  debugEnabled = enabled;
+}
+function isDebug() {
+  return debugEnabled;
+}
+function setAIServiceTest(enabled) {
+  aiServiceTestEnabled = enabled;
+}
+function isAIServiceTest() {
+  return aiServiceTestEnabled;
+}
+function setDemoMode(scenario) {
+  demoMode = scenario;
+}
+function getDemoMode() {
+  return demoMode;
+}
+function debugLog(...args) {
+  if (debugEnabled) {
+    console.log("[debug]", ...args);
+  }
+}
+
+// src/ai/config.ts
 import { execSync } from "child_process";
-import { readFileSync } from "fs";
+import { chmodSync, existsSync, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+
+// src/ai/models.ts
+var PLATFORMS = {
+  anthropic: "Anthropic",
+  openai: "OpenAI",
+  google: "Google"
+};
+var MODELS = {
+  anthropic: [
+    { id: "claude-sonnet-4-20250514", name: "Claude Sonnet 4", contextWindow: 2e5, isDefault: true },
+    { id: "claude-haiku-4-20250514", name: "Claude Haiku 4", contextWindow: 2e5, isDefault: false }
+  ],
+  openai: [
+    { id: "gpt-4o", name: "GPT-4o", contextWindow: 128e3, isDefault: true },
+    { id: "gpt-4o-mini", name: "GPT-4o Mini", contextWindow: 128e3, isDefault: false }
+  ],
+  google: [
+    { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash", contextWindow: 1e6, isDefault: true },
+    { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro", contextWindow: 1e6, isDefault: false }
+  ]
+};
+var ENV_KEY_NAMES = {
+  anthropic: "ANTHROPIC_API_KEY",
+  openai: "OPENAI_API_KEY",
+  google: "GEMINI_API_KEY"
+};
+function getDefaultModel(platform) {
+  const models = MODELS[platform];
+  const def = models.find((m) => m.isDefault);
+  return def ? def.id : models[0].id;
+}
+function getModelContextWindow(platform, modelId) {
+  const model = MODELS[platform].find((m) => m.id === modelId);
+  return model ? model.contextWindow : 128e3;
+}
+
+// src/ai/config.ts
+var CONFIG_DIR = join2(homedir2(), ".glassbox");
+var CONFIG_PATH = join2(CONFIG_DIR, "config.json");
+function readConfigFile() {
+  try {
+    if (existsSync(CONFIG_PATH)) {
+      return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+    }
+  } catch {
+  }
+  return {};
+}
+function writeConfigFile(config) {
+  mkdirSync2(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+  try {
+    chmodSync(CONFIG_PATH, 384);
+  } catch {
+  }
+}
+function getKeyFromEnv(platform) {
+  const envName = ENV_KEY_NAMES[platform];
+  return process.env[envName] ?? null;
+}
+var WIN_CRED_READ_PS = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredHelper {
+    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)]
+    static extern bool CredRead(string t, int type, int f, out IntPtr p);
+    [DllImport("advapi32")]
+    static extern void CredFree(IntPtr p);
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    struct CRED {
+        public int Flags; public int Type; public string TargetName; public string Comment;
+        public long LastWritten; public int CredentialBlobSize; public IntPtr CredentialBlob;
+        public int Persist; public int AttributeCount; public IntPtr Attributes;
+        public string TargetAlias; public string UserName;
+    }
+    public static string Read(string target) {
+        IntPtr ptr;
+        if (!CredRead(target, 1, 0, out ptr)) return "";
+        CRED c = (CRED)Marshal.PtrToStructure(ptr, typeof(CRED));
+        string r = Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);
+        CredFree(ptr);
+        return r;
+    }
+}
+'@
+`;
+function winCredTarget(platform) {
+  return `glassbox-${platform}-api-key`;
+}
+function getKeyFromKeychain(platform) {
+  const os = process.platform;
+  const account = `${platform}-api-key`;
+  try {
+    if (os === "darwin") {
+      const result = execSync(
+        `security find-generic-password -s glassbox -a "${account}" -w 2>/dev/null`,
+        { encoding: "utf-8" }
+      ).trim();
+      return result !== "" ? result : null;
+    }
+    if (os === "linux") {
+      const result = execSync(
+        `secret-tool lookup service glassbox account "${account}" 2>/dev/null`,
+        { encoding: "utf-8" }
+      ).trim();
+      return result !== "" ? result : null;
+    }
+    if (os === "win32") {
+      const target = winCredTarget(platform);
+      const script = WIN_CRED_READ_PS + `Write-Output ([CredHelper]::Read('${target}'))`;
+      const result = execSync("powershell -NoProfile -Command -", {
+        input: script,
+        encoding: "utf-8"
+      }).trim();
+      return result !== "" ? result : null;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
+function getKeyFromConfig(platform) {
+  const config = readConfigFile();
+  const encoded = config.ai?.keys?.[platform];
+  if (encoded === void 0 || encoded === "") return null;
+  try {
+    return Buffer.from(encoded, "base64").toString("utf-8");
+  } catch {
+    return null;
+  }
+}
+function resolveAPIKey(platform) {
+  const envKey = getKeyFromEnv(platform);
+  if (envKey !== null) return { key: envKey, source: "env" };
+  const keychainKey = getKeyFromKeychain(platform);
+  if (keychainKey !== null) return { key: keychainKey, source: "keychain" };
+  const configKey = getKeyFromConfig(platform);
+  if (configKey !== null) return { key: configKey, source: "config" };
+  return { key: null, source: null };
+}
+function loadAIConfig() {
+  const config = readConfigFile();
+  const platform = config.ai?.platform ?? "anthropic";
+  const model = config.ai?.model ?? getDefaultModel(platform);
+  const { key, source } = resolveAPIKey(platform);
+  return { platform, model, apiKey: key, keySource: source };
+}
+function saveAIConfigPreferences(platform, model) {
+  const config = readConfigFile();
+  if (config.ai === void 0) config.ai = {};
+  config.ai.platform = platform;
+  config.ai.model = model;
+  writeConfigFile(config);
+}
+function saveAPIKey(platform, key, storage) {
+  if (storage === "keychain") {
+    saveKeyToKeychain(platform, key);
+  } else {
+    const config = readConfigFile();
+    if (config.ai === void 0) config.ai = {};
+    if (config.ai.keys === void 0) config.ai.keys = {};
+    config.ai.keys[platform] = Buffer.from(key).toString("base64");
+    writeConfigFile(config);
+  }
+}
+function saveKeyToKeychain(platform, key) {
+  const os = process.platform;
+  const account = `${platform}-api-key`;
+  if (os === "darwin") {
+    try {
+      execSync(`security delete-generic-password -s glassbox -a "${account}" 2>/dev/null`);
+    } catch {
+    }
+    execSync(
+      `security add-generic-password -s glassbox -a "${account}" -w "${key.replace(/"/g, '\\"')}"`
+    );
+    return;
+  }
+  if (os === "linux") {
+    execSync(
+      `secret-tool store --label='Glassbox API Key' service glassbox account "${account}"`,
+      { input: key, encoding: "utf-8" }
+    );
+    return;
+  }
+  if (os === "win32") {
+    const target = winCredTarget(platform);
+    const escapedKey = key.replace(/'/g, "''");
+    const script = `cmdkey /generic:'${target}' /user:'glassbox' /pass:'${escapedKey}'`;
+    execSync("powershell -NoProfile -Command -", {
+      input: script,
+      encoding: "utf-8"
+    });
+  }
+}
+function deleteAPIKey(platform) {
+  const os = process.platform;
+  const account = `${platform}-api-key`;
+  try {
+    if (os === "darwin") {
+      execSync(`security delete-generic-password -s glassbox -a "${account}" 2>/dev/null`);
+    } else if (os === "linux") {
+      execSync(`secret-tool clear service glassbox account "${account}" 2>/dev/null`);
+    } else if (os === "win32") {
+      const target = winCredTarget(platform);
+      execSync("powershell -NoProfile -Command -", {
+        input: `cmdkey /delete:'${target}'`,
+        encoding: "utf-8"
+      });
+    }
+  } catch {
+  }
+  const config = readConfigFile();
+  if (config.ai?.keys !== void 0) {
+    config.ai.keys[platform] = "";
+    writeConfigFile(config);
+  }
+}
+function detectAvailablePlatforms() {
+  const results = [];
+  for (const platform of ["anthropic", "openai", "google"]) {
+    const { source } = resolveAPIKey(platform);
+    if (source !== null) {
+      results.push({ platform, source });
+    }
+  }
+  return results;
+}
+function isKeychainAvailable() {
+  const os = process.platform;
+  if (os === "darwin" || os === "win32") return true;
+  if (os === "linux") {
+    try {
+      execSync("which secret-tool 2>/dev/null", { encoding: "utf-8" });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function getKeychainLabel() {
+  const os = process.platform;
+  if (os === "darwin") return "Keychain";
+  if (os === "linux") return "System Keyring";
+  if (os === "win32") return "Credential Manager";
+  return "System Keychain";
+}
+function loadGuidedReviewConfig() {
+  const config = readConfigFile();
+  return {
+    enabled: config.guidedReview?.enabled ?? false,
+    topics: config.guidedReview?.topics ?? []
+  };
+}
+function saveGuidedReviewConfig(settings) {
+  const config = readConfigFile();
+  config.guidedReview = { enabled: settings.enabled, topics: settings.topics };
+  writeConfigFile(config);
+}
+
+// src/db/ai-queries.ts
+init_connection();
+function generateId2() {
+  return Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
+}
+async function createAnalysis(reviewId, analysisType) {
+  const db2 = await getDb();
+  const id = generateId2();
+  const result = await db2.query(
+    `INSERT INTO ai_analyses (id, review_id, analysis_type, status)
+     VALUES ($1, $2, $3, 'running') RETURNING *`,
+    [id, reviewId, analysisType]
+  );
+  return result.rows[0];
+}
+async function updateAnalysisStatus(id, status, errorMessage) {
+  const db2 = await getDb();
+  await db2.query(
+    "UPDATE ai_analyses SET status = $1, error_message = $2, updated_at = NOW() WHERE id = $3",
+    [status, errorMessage ?? null, id]
+  );
+}
+async function updateAnalysisProgress(id, completed, total) {
+  const db2 = await getDb();
+  await db2.query(
+    "UPDATE ai_analyses SET progress_completed = $1, progress_total = $2, updated_at = NOW() WHERE id = $3",
+    [completed, total, id]
+  );
+}
+async function getLatestAnalysis(reviewId, analysisType) {
+  const db2 = await getDb();
+  const result = await db2.query(
+    `SELECT * FROM ai_analyses
+     WHERE review_id = $1 AND analysis_type = $2
+     ORDER BY created_at DESC LIMIT 1`,
+    [reviewId, analysisType]
+  );
+  return result.rows[0];
+}
+async function appendFileScores(analysisId, scores) {
+  const db2 = await getDb();
+  const existing = await db2.query(
+    "SELECT file_path FROM ai_file_scores WHERE analysis_id = $1",
+    [analysisId]
+  );
+  const existingPaths = new Set(existing.rows.map((r) => r.file_path));
+  for (const score of scores) {
+    if (existingPaths.has(score.filePath)) continue;
+    const id = generateId2();
+    await db2.query(
+      `INSERT INTO ai_file_scores (id, analysis_id, review_file_id, file_path, sort_order, aggregate_score, rationale, dimension_scores, notes)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
+      [
+        id,
+        analysisId,
+        score.reviewFileId,
+        score.filePath,
+        score.sortOrder,
+        score.aggregateScore,
+        score.rationale,
+        score.dimensionScores !== null ? JSON.stringify(score.dimensionScores) : null,
+        score.notes !== null ? JSON.stringify(score.notes) : null
+      ]
+    );
+  }
+}
+async function getFileScoresForReview(reviewId, analysisType) {
+  const db2 = await getDb();
+  const result = await db2.query(
+    `SELECT s.* FROM ai_file_scores s
+     JOIN ai_analyses a ON s.analysis_id = a.id
+     WHERE a.review_id = $1 AND a.analysis_type = $2 AND a.status IN ('completed', 'running')
+     ORDER BY a.created_at DESC, s.sort_order
+     LIMIT 1000`,
+    [reviewId, analysisType]
+  );
+  if (result.rows.length === 0) return [];
+  const latestAnalysisId = result.rows[0].analysis_id;
+  const rows = result.rows.filter((r) => r.analysis_id === latestAnalysisId);
+  const seen = /* @__PURE__ */ new Set();
+  return rows.filter((r) => {
+    if (seen.has(r.file_path)) return false;
+    seen.add(r.file_path);
+    return true;
+  });
+}
+async function getPreviousScores(reviewId, analysisType, excludeAnalysisId) {
+  const db2 = await getDb();
+  for (const status of ["completed", "failed"]) {
+    const result = await db2.query(
+      `SELECT s.* FROM ai_file_scores s
+       JOIN ai_analyses a ON s.analysis_id = a.id
+       WHERE a.review_id = $1 AND a.analysis_type = $2 AND a.status = $3
+         AND a.id != $4
+       ORDER BY a.created_at DESC, s.sort_order
+       LIMIT 1000`,
+      [reviewId, analysisType, status, excludeAnalysisId]
+    );
+    if (result.rows.length > 0) {
+      const latestAnalysisId = result.rows[0].analysis_id;
+      return result.rows.filter((r) => r.analysis_id === latestAnalysisId);
+    }
+  }
+  return [];
+}
+async function getUserPreferences() {
+  const db2 = await getDb();
+  const result = await db2.query(
+    "SELECT * FROM user_preferences WHERE id = $1",
+    ["singleton"]
+  );
+  if (result.rows.length === 0) {
+    return { sort_mode: "folder", risk_sort_dimension: "aggregate", show_risk_scores: false };
+  }
+  return result.rows[0];
+}
+async function saveUserPreferences(prefs) {
+  const db2 = await getDb();
+  const current = await getUserPreferences();
+  const merged = { ...current, ...prefs };
+  await db2.query(
+    `INSERT INTO user_preferences (id, sort_mode, risk_sort_dimension, show_risk_scores)
+     VALUES ($1, $2, $3, $4)
+     ON CONFLICT (id) DO UPDATE SET
+       sort_mode = EXCLUDED.sort_mode,
+       risk_sort_dimension = EXCLUDED.risk_sort_dimension,
+       show_risk_scores = EXCLUDED.show_risk_scores`,
+    ["singleton", merged.sort_mode, merged.risk_sort_dimension, merged.show_risk_scores]
+  );
+}
+
+// src/demo.ts
+init_queries();
+var DEMO_SCENARIOS = [
+  { id: 1, label: "Main UI with guided review notes" },
+  { id: 2, label: "Risk mode with inline risk notes" },
+  { id: 3, label: "Narrative mode with walkthrough notes" },
+  { id: 4, label: "Annotations with different categories" },
+  { id: 5, label: "Settings dialog with guided review" }
+];
+var DEMO_FILES = [
+  {
+    path: "src/auth/session.ts",
+    status: "modified",
+    hunks: [{
+      oldStart: 1,
+      oldCount: 18,
+      newStart: 1,
+      newCount: 28,
+      lines: [
+        { type: "context", oldNum: 1, newNum: 1, content: "import { randomBytes } from 'crypto';" },
+        { type: "context", oldNum: 2, newNum: 2, content: "import type { Request, Response } from 'express';" },
+        { type: "add", oldNum: null, newNum: 3, content: "import { redis } from '../db/redis.js';" },
+        { type: "context", oldNum: 3, newNum: 4, content: "" },
+        { type: "context", oldNum: 4, newNum: 5, content: "export interface Session {" },
+        { type: "context", oldNum: 5, newNum: 6, content: "  id: string;" },
+        { type: "context", oldNum: 6, newNum: 7, content: "  userId: string;" },
+        { type: "remove", oldNum: 7, newNum: null, content: "  expiresAt: number;" },
+        { type: "add", oldNum: null, newNum: 8, content: "  expiresAt: Date;" },
+        { type: "add", oldNum: null, newNum: 9, content: "  refreshToken: string;" },
+        { type: "context", oldNum: 8, newNum: 10, content: "}" },
+        { type: "context", oldNum: 9, newNum: 11, content: "" },
+        { type: "remove", oldNum: 10, newNum: null, content: "const sessions = new Map<string, Session>();" },
+        { type: "add", oldNum: null, newNum: 12, content: "const SESSION_TTL = 60 * 60 * 24; // 24 hours" },
+        { type: "context", oldNum: 11, newNum: 13, content: "" },
+        { type: "remove", oldNum: 12, newNum: null, content: "export function createSession(userId: string): Session {" },
+        { type: "remove", oldNum: 13, newNum: null, content: "  const session: Session = {" },
+        { type: "remove", oldNum: 14, newNum: null, content: "    id: randomBytes(32).toString('hex')," },
+        { type: "remove", oldNum: 15, newNum: null, content: "    userId," },
+        { type: "remove", oldNum: 16, newNum: null, content: "    expiresAt: Date.now() + 86400000," },
+        { type: "remove", oldNum: 17, newNum: null, content: "  };" },
+        { type: "remove", oldNum: 18, newNum: null, content: "  sessions.set(session.id, session);" },
+        { type: "add", oldNum: null, newNum: 14, content: "export async function createSession(userId: string): Promise<Session> {" },
+        { type: "add", oldNum: null, newNum: 15, content: "  const id = randomBytes(32).toString('hex');" },
+        { type: "add", oldNum: null, newNum: 16, content: "  const refreshToken = randomBytes(48).toString('hex');" },
+        { type: "add", oldNum: null, newNum: 17, content: "  const session: Session = {" },
+        { type: "add", oldNum: null, newNum: 18, content: "    id," },
+        { type: "add", oldNum: null, newNum: 19, content: "    userId," },
+        { type: "add", oldNum: null, newNum: 20, content: "    expiresAt: new Date(Date.now() + SESSION_TTL * 1000)," },
+        { type: "add", oldNum: null, newNum: 21, content: "    refreshToken," },
+        { type: "add", oldNum: null, newNum: 22, content: "  };" },
+        { type: "add", oldNum: null, newNum: 23, content: "  await redis.set(`session:${id}`, JSON.stringify(session), 'EX', SESSION_TTL);" },
+        { type: "context", oldNum: 19, newNum: 24, content: "  return session;" },
+        { type: "context", oldNum: 20, newNum: 25, content: "}" },
+        { type: "context", oldNum: 21, newNum: 26, content: "" },
+        { type: "add", oldNum: null, newNum: 27, content: "export async function validateSession(id: string): Promise<Session | null> {" },
+        { type: "add", oldNum: null, newNum: 28, content: "  const raw = await redis.get(`session:${id}`);" },
+        { type: "add", oldNum: null, newNum: 29, content: "  if (raw === null) return null;" },
+        { type: "add", oldNum: null, newNum: 30, content: "  const session = JSON.parse(raw) as Session;" },
+        { type: "add", oldNum: null, newNum: 31, content: "  if (new Date(session.expiresAt) < new Date()) return null;" },
+        { type: "add", oldNum: null, newNum: 32, content: "  return session;" },
+        { type: "add", oldNum: null, newNum: 33, content: "}" }
+      ]
+    }]
+  },
+  {
+    path: "src/api/routes/users.ts",
+    status: "modified",
+    hunks: [{
+      oldStart: 12,
+      oldCount: 10,
+      newStart: 12,
+      newCount: 16,
+      lines: [
+        { type: "context", oldNum: 12, newNum: 12, content: "router.post('/login', async (req, res) => {" },
+        { type: "context", oldNum: 13, newNum: 13, content: "  const { email, password } = req.body;" },
+        { type: "add", oldNum: null, newNum: 14, content: "" },
+        { type: "add", oldNum: null, newNum: 15, content: "  if (!email || !password) {" },
+        { type: "add", oldNum: null, newNum: 16, content: "    return res.status(400).json({ error: 'Missing credentials' });" },
+        { type: "add", oldNum: null, newNum: 17, content: "  }" },
+        { type: "context", oldNum: 14, newNum: 18, content: "" },
+        { type: "context", oldNum: 15, newNum: 19, content: "  const user = await findUserByEmail(email);" },
+        { type: "remove", oldNum: 16, newNum: null, content: "  if (!user || user.password !== password) {" },
+        { type: "add", oldNum: null, newNum: 20, content: "  if (!user || !(await verifyPassword(password, user.passwordHash))) {" },
+        { type: "context", oldNum: 17, newNum: 21, content: "    return res.status(401).json({ error: 'Invalid credentials' });" },
+        { type: "context", oldNum: 18, newNum: 22, content: "  }" },
+        { type: "context", oldNum: 19, newNum: 23, content: "" },
+        { type: "remove", oldNum: 20, newNum: null, content: "  const session = createSession(user.id);" },
+        { type: "add", oldNum: null, newNum: 24, content: "  const session = await createSession(user.id);" },
+        { type: "add", oldNum: null, newNum: 25, content: "  res.cookie('sid', session.id, { httpOnly: true, secure: true, sameSite: 'strict' });" },
+        { type: "context", oldNum: 21, newNum: 26, content: "  res.json({ ok: true });" },
+        { type: "context", oldNum: 22, newNum: 27, content: "});" }
+      ]
+    }]
+  },
+  {
+    path: "src/db/redis.ts",
+    status: "added",
+    hunks: [{
+      oldStart: 0,
+      oldCount: 0,
+      newStart: 1,
+      newCount: 12,
+      lines: [
+        { type: "add", oldNum: null, newNum: 1, content: "import Redis from 'ioredis';" },
+        { type: "add", oldNum: null, newNum: 2, content: "" },
+        { type: "add", oldNum: null, newNum: 3, content: "const REDIS_URL = process.env.REDIS_URL ?? 'redis://localhost:6379';" },
+        { type: "add", oldNum: null, newNum: 4, content: "" },
+        { type: "add", oldNum: null, newNum: 5, content: "export const redis = new Redis(REDIS_URL, {" },
+        { type: "add", oldNum: null, newNum: 6, content: "  maxRetriesPerRequest: 3," },
+        { type: "add", oldNum: null, newNum: 7, content: "  retryStrategy(times) {" },
+        { type: "add", oldNum: null, newNum: 8, content: "    return Math.min(times * 200, 5000);" },
+        { type: "add", oldNum: null, newNum: 9, content: "  }," },
+        { type: "add", oldNum: null, newNum: 10, content: "});" },
+        { type: "add", oldNum: null, newNum: 11, content: "" },
+        { type: "add", oldNum: null, newNum: 12, content: "redis.on('error', (err) => console.error('Redis error:', err));" }
+      ]
+    }]
+  },
+  {
+    path: "src/middleware/auth.ts",
+    status: "modified",
+    hunks: [{
+      oldStart: 1,
+      oldCount: 8,
+      newStart: 1,
+      newCount: 14,
+      lines: [
+        { type: "context", oldNum: 1, newNum: 1, content: "import type { NextFunction, Request, Response } from 'express';" },
+        { type: "remove", oldNum: 2, newNum: null, content: "import { getSession } from '../auth/session.js';" },
+        { type: "add", oldNum: null, newNum: 2, content: "import { validateSession } from '../auth/session.js';" },
+        { type: "context", oldNum: 3, newNum: 3, content: "" },
+        { type: "remove", oldNum: 4, newNum: null, content: "export function requireAuth(req: Request, res: Response, next: NextFunction) {" },
+        { type: "remove", oldNum: 5, newNum: null, content: "  const session = getSession(req.cookies.sid);" },
+        { type: "remove", oldNum: 6, newNum: null, content: "  if (!session) return res.status(401).end();" },
+        { type: "add", oldNum: null, newNum: 4, content: "export async function requireAuth(req: Request, res: Response, next: NextFunction) {" },
+        { type: "add", oldNum: null, newNum: 5, content: "  const sid = req.cookies.sid ?? req.headers.authorization?.replace(/^Bearer /, '');" },
+        { type: "add", oldNum: null, newNum: 6, content: "  if (!sid) return res.status(401).json({ error: 'Not authenticated' });" },
+        { type: "add", oldNum: null, newNum: 7, content: "" },
+        { type: "add", oldNum: null, newNum: 8, content: "  const session = await validateSession(sid);" },
+        { type: "add", oldNum: null, newNum: 9, content: "  if (!session) return res.status(401).json({ error: 'Session expired' });" },
+        { type: "context", oldNum: 7, newNum: 10, content: "" },
+        { type: "context", oldNum: 8, newNum: 11, content: "  req.userId = session.userId;" },
+        { type: "add", oldNum: null, newNum: 12, content: "  req.sessionId = session.id;" },
+        { type: "context", oldNum: 9, newNum: 13, content: "  next();" },
+        { type: "context", oldNum: 10, newNum: 14, content: "}" }
+      ]
+    }]
+  },
+  {
+    path: "src/utils/password.ts",
+    status: "added",
+    hunks: [{
+      oldStart: 0,
+      oldCount: 0,
+      newStart: 1,
+      newCount: 11,
+      lines: [
+        { type: "add", oldNum: null, newNum: 1, content: "import bcrypt from 'bcrypt';" },
+        { type: "add", oldNum: null, newNum: 2, content: "" },
+        { type: "add", oldNum: null, newNum: 3, content: "const SALT_ROUNDS = 12;" },
+        { type: "add", oldNum: null, newNum: 4, content: "" },
+        { type: "add", oldNum: null, newNum: 5, content: "export async function hashPassword(password: string): Promise<string> {" },
+        { type: "add", oldNum: null, newNum: 6, content: "  return bcrypt.hash(password, SALT_ROUNDS);" },
+        { type: "add", oldNum: null, newNum: 7, content: "}" },
+        { type: "add", oldNum: null, newNum: 8, content: "" },
+        { type: "add", oldNum: null, newNum: 9, content: "export async function verifyPassword(password: string, hash: string): Promise<boolean> {" },
+        { type: "add", oldNum: null, newNum: 10, content: "  return bcrypt.compare(password, hash);" },
+        { type: "add", oldNum: null, newNum: 11, content: "}" }
+      ]
+    }]
+  },
+  {
+    path: "tests/auth.test.ts",
+    status: "added",
+    hunks: [{
+      oldStart: 0,
+      oldCount: 0,
+      newStart: 1,
+      newCount: 15,
+      lines: [
+        { type: "add", oldNum: null, newNum: 1, content: "import { describe, expect, it } from 'vitest';" },
+        { type: "add", oldNum: null, newNum: 2, content: "import { createSession, validateSession } from '../src/auth/session.js';" },
+        { type: "add", oldNum: null, newNum: 3, content: "" },
+        { type: "add", oldNum: null, newNum: 4, content: "describe('Session management', () => {" },
+        { type: "add", oldNum: null, newNum: 5, content: "  it('creates and validates a session', async () => {" },
+        { type: "add", oldNum: null, newNum: 6, content: "    const session = await createSession('user-1');" },
+        { type: "add", oldNum: null, newNum: 7, content: "    expect(session.id).toBeDefined();" },
+        { type: "add", oldNum: null, newNum: 8, content: "    expect(session.userId).toBe('user-1');" },
+        { type: "add", oldNum: null, newNum: 9, content: "" },
+        { type: "add", oldNum: null, newNum: 10, content: "    const valid = await validateSession(session.id);" },
+        { type: "add", oldNum: null, newNum: 11, content: "    expect(valid).not.toBeNull();" },
+        { type: "add", oldNum: null, newNum: 12, content: "  });" },
+        { type: "add", oldNum: null, newNum: 13, content: "" },
+        { type: "add", oldNum: null, newNum: 14, content: "  it('rejects expired sessions', async () => {" },
+        { type: "add", oldNum: null, newNum: 15, content: "    const result = await validateSession('nonexistent');" },
+        { type: "add", oldNum: null, newNum: 16, content: "    expect(result).toBeNull();" },
+        { type: "add", oldNum: null, newNum: 17, content: "  });" },
+        { type: "add", oldNum: null, newNum: 18, content: "});" }
+      ]
+    }]
+  },
+  {
+    path: "package.json",
+    status: "modified",
+    hunks: [{
+      oldStart: 10,
+      oldCount: 3,
+      newStart: 10,
+      newCount: 5,
+      lines: [
+        { type: "context", oldNum: 10, newNum: 10, content: '  "dependencies": {' },
+        { type: "context", oldNum: 11, newNum: 11, content: '    "express": "^4.18.2",' },
+        { type: "add", oldNum: null, newNum: 12, content: '    "bcrypt": "^5.1.1",' },
+        { type: "add", oldNum: null, newNum: 13, content: '    "ioredis": "^5.3.2",' },
+        { type: "context", oldNum: 12, newNum: 14, content: '    "typescript": "^5.3.0"' }
+      ]
+    }]
+  }
+];
+var GUIDED_NOTES = {
+  "src/auth/session.ts": {
+    overview: "This file manages user sessions \u2014 the mechanism that keeps you logged in across requests. The change migrates from in-memory storage (a Map) to Redis, which persists sessions across server restarts and works in multi-server deployments.",
+    lines: [
+      { line: 3, content: "Redis is an in-memory data store that runs as a separate process. Unlike a JavaScript Map, data in Redis survives server restarts and can be shared across multiple server instances." },
+      { line: 8, content: "Changed from a number (Unix timestamp) to a Date object. Date objects are more readable and less error-prone than raw milliseconds \u2014 compare 'new Date() > expiresAt' vs 'Date.now() > expiresAt'." },
+      { line: 9, content: "A refresh token allows the client to get a new session without re-entering credentials. This is a security best practice \u2014 short-lived sessions with refresh tokens limit the damage if a session ID is stolen." },
+      { line: 12, content: "Defining the TTL as a named constant makes the code self-documenting. The '60 * 60 * 24' expression is clearer than a magic number like 86400." },
+      { line: 23, content: "Template literals (backtick strings) let you embed expressions with ${...}. The 'EX' flag tells Redis to automatically delete this key after SESSION_TTL seconds \u2014 no need for manual cleanup." },
+      { line: 30, content: "JSON.parse returns 'unknown' in strict TypeScript. The 'as Session' is a type assertion telling the compiler to trust that the stored JSON matches the Session shape." }
+    ]
+  },
+  "src/api/routes/users.ts": {
+    overview: "The login route now validates input, uses proper password hashing instead of plaintext comparison, and sets a secure HTTP cookie. These are fundamental security improvements.",
+    lines: [
+      { line: 15, content: "Input validation is a key security practice. Always verify that required fields exist before using them \u2014 this prevents crashes from undefined values and makes error messages more helpful." },
+      { line: 20, content: "verifyPassword uses bcrypt to compare the plaintext password against a stored hash. The old code compared passwords directly, which means passwords were stored in plaintext \u2014 a critical security vulnerability." },
+      { line: 25, content: "httpOnly prevents JavaScript from reading the cookie (mitigates XSS attacks). 'secure' ensures it's only sent over HTTPS. 'sameSite: strict' prevents the cookie from being sent in cross-site requests (mitigates CSRF attacks)." }
+    ]
+  },
+  "src/db/redis.ts": {
+    overview: "A new module that initializes the Redis connection. It reads the connection URL from an environment variable with a sensible local default, and includes retry logic for resilience.",
+    lines: [
+      { line: 3, content: "The nullish coalescing operator (??) returns the right side only if the left is null or undefined. This gives you a fallback: use the env variable if set, otherwise default to localhost." },
+      { line: 7, content: "A retry strategy controls what happens when Redis is temporarily unreachable. This implements exponential backoff \u2014 waiting longer between each retry, capped at 5 seconds \u2014 to avoid overwhelming a recovering server." },
+      { line: 12, content: "Listening for 'error' events prevents unhandled exceptions from crashing the process. In Node.js, an EventEmitter that emits 'error' with no listener will throw." }
+    ]
+  },
+  "src/middleware/auth.ts": {
+    overview: "The auth middleware now supports both cookie-based and Bearer token authentication, and returns proper JSON error responses instead of empty 401s.",
+    lines: [
+      { line: 5, content: "Optional chaining (?.) safely accesses properties that might not exist. This line checks for a session ID in cookies first, then falls back to an Authorization header \u2014 supporting both browser and API clients." },
+      { line: 12, content: "Attaching the session ID to the request object makes it available to downstream route handlers. This is a common Express pattern called 'request augmentation'." }
+    ]
+  },
+  "src/utils/password.ts": {
+    overview: "A utility module for securely hashing and verifying passwords using bcrypt. Bcrypt is an industry-standard algorithm specifically designed for password hashing.",
+    lines: [
+      { line: 3, content: "Salt rounds control how computationally expensive the hash is. 12 rounds means 2^12 (4,096) iterations. Higher is more secure but slower \u2014 12 is a good balance for most applications." },
+      { line: 6, content: "bcrypt.hash automatically generates a random salt and embeds it in the output. You never need to store the salt separately \u2014 it's included in the hash string itself." },
+      { line: 10, content: "bcrypt.compare is timing-safe, meaning it takes the same amount of time regardless of where the mismatch occurs. This prevents timing attacks where an attacker measures response times to guess the hash character by character." }
+    ]
+  }
+};
+var RISK_SCORES = [
+  {
+    path: "src/auth/session.ts",
+    aggregate: 0.65,
+    scores: { security: 0.65, correctness: 0.4, "error-handling": 0.5, maintainability: 0.2, architecture: 0.3, performance: 0.15 },
+    rationale: "Session data is JSON-serialized without schema validation. Redis key construction uses string interpolation which could be exploited if session IDs contain special characters.",
+    notes: {
+      overview: "Moderate security risk from unvalidated deserialization and potential Redis key injection.",
+      lines: [
+        { line: 23, content: "Template literal in Redis key \u2014 if 'id' ever contains colons or special Redis characters, this could cause key collisions or unexpected behavior." },
+        { line: 30, content: "JSON.parse without validation \u2014 a corrupted Redis entry would cause a runtime crash. Consider wrapping in try/catch or using a schema validator like zod." }
+      ]
+    }
+  },
+  {
+    path: "src/api/routes/users.ts",
+    aggregate: 0.45,
+    scores: { security: 0.45, correctness: 0.3, "error-handling": 0.35, maintainability: 0.2, architecture: 0.15, performance: 0.1 },
+    rationale: "Login route has good input validation and secure cookie settings, but lacks rate limiting which makes it vulnerable to brute-force attacks.",
+    notes: {
+      overview: "Solid authentication improvements, but missing rate limiting on the login endpoint.",
+      lines: [
+        { line: 12, content: "No rate limiting on login attempts. Consider adding express-rate-limit to prevent brute-force attacks." }
+      ]
+    }
+  },
+  {
+    path: "src/db/redis.ts",
+    aggregate: 0.35,
+    scores: { security: 0.35, correctness: 0.2, "error-handling": 0.3, maintainability: 0.1, architecture: 0.15, performance: 0.1 },
+    rationale: "Redis connection is established at module load time. If Redis is down, the import itself will start retrying, which could delay application startup.",
+    notes: {
+      overview: "Minor risk from eager connection initialization. Connection errors are handled but could delay startup.",
+      lines: [
+        { line: 5, content: "Connection is created at import time. Consider lazy initialization to avoid blocking app startup if Redis is temporarily unavailable." }
+      ]
+    }
+  },
+  {
+    path: "src/middleware/auth.ts",
+    aggregate: 0.3,
+    scores: { security: 0.3, correctness: 0.2, "error-handling": 0.15, maintainability: 0.1, architecture: 0.1, performance: 0.1 },
+    rationale: "Auth middleware correctly validates sessions but the Bearer token extraction could be tighter.",
+    notes: {
+      overview: "Low risk. Bearer token parsing is functional but could be more strict with format validation.",
+      lines: [
+        { line: 5, content: "The regex replace is loose \u2014 it only strips 'Bearer ' prefix but doesn't validate the token format. A malformed Authorization header would pass through." }
+      ]
+    }
+  },
+  {
+    path: "src/utils/password.ts",
+    aggregate: 0.1,
+    scores: { security: 0.1, correctness: 0.05, "error-handling": 0.1, maintainability: 0.05, architecture: 0.05, performance: 0.1 },
+    rationale: "Well-implemented password hashing with appropriate salt rounds. No significant concerns.",
+    notes: {
+      overview: "Clean, secure implementation. Salt rounds are appropriate for production use.",
+      lines: []
+    }
+  },
+  {
+    path: "tests/auth.test.ts",
+    aggregate: 0.05,
+    scores: { security: 0, correctness: 0.05, "error-handling": 0, maintainability: 0.05, architecture: 0, performance: 0 },
+    rationale: "Test file with basic coverage. Consider adding tests for edge cases like expired sessions and concurrent access.",
+    notes: {
+      overview: "Basic test coverage. No security or correctness risks in test code itself.",
+      lines: []
+    }
+  },
+  {
+    path: "package.json",
+    aggregate: 0.15,
+    scores: { security: 0.15, correctness: 0, "error-handling": 0, maintainability: 0.05, architecture: 0, performance: 0 },
+    rationale: "New dependencies are well-known and maintained. Bcrypt 5.x uses N-API bindings which are stable.",
+    notes: {
+      overview: "Low risk. Dependencies are well-maintained and widely used.",
+      lines: []
+    }
+  }
+];
+var NARRATIVE_ORDER = [
+  { path: "src/utils/password.ts", position: 1, rationale: "Start with this utility \u2014 it introduces the bcrypt dependency used by the login route.", notes: { overview: "Read first: this new utility module is a building block used by the authentication changes that follow.", lines: [{ line: 3, content: "This salt rounds constant is referenced conceptually in the login route changes." }] } },
+  { path: "src/db/redis.ts", position: 2, rationale: "Redis client setup \u2014 needed to understand the session storage migration.", notes: { overview: "Read second: the Redis client created here replaces the in-memory Map used for sessions.", lines: [{ line: 5, content: "This exported redis instance is imported by the session module next." }] } },
+  { path: "src/auth/session.ts", position: 3, rationale: "Core session changes \u2014 depends on Redis client, used by auth middleware.", notes: { overview: "The main change: sessions move from an in-memory Map to Redis. The interface gains a refresh token and the functions become async.", lines: [{ line: 14, content: "Note this is now async \u2014 all callers need to be updated to await the result." }, { line: 27, content: "New function that replaces the old synchronous getSession." }] } },
+  { path: "src/middleware/auth.ts", position: 4, rationale: "Auth middleware \u2014 consumes the new async session API.", notes: { overview: "Updated to use the new async validateSession. Also adds Bearer token support for API clients.", lines: [{ line: 4, content: "Changed to async to accommodate the Redis-backed session lookup." }] } },
+  { path: "src/api/routes/users.ts", position: 5, rationale: "Login route \u2014 integrates password hashing and new session creation.", notes: { overview: "The login endpoint ties together the password utility and session changes.", lines: [{ line: 20, content: "This is where verifyPassword (from step 1) gets used in practice." }, { line: 24, content: "The await here is new \u2014 createSession is now async because of the Redis migration." }] } },
+  { path: "package.json", position: 6, rationale: "Dependencies \u2014 confirms bcrypt and ioredis were added.", notes: { overview: "Quick check: the two new dependencies (bcrypt, ioredis) that the code changes require.", lines: [] } },
+  { path: "tests/auth.test.ts", position: 7, rationale: "Tests \u2014 read last to verify the changes work correctly.", notes: { overview: "Tests for the session management changes. Read these last to confirm the new async API works as expected.", lines: [] } }
+];
+var ANNOTATIONS = [
+  { filePath: "src/auth/session.ts", line: 23, side: "new", category: "bug", content: "Redis key should be sanitized \u2014 if a session ID contains a colon, it will conflict with the key namespace." },
+  { filePath: "src/auth/session.ts", line: 30, side: "new", category: "fix", content: "Wrap JSON.parse in try/catch to handle corrupted Redis data gracefully instead of crashing." },
+  { filePath: "src/auth/session.ts", line: 12, side: "new", category: "pattern-follow", content: "Good use of a named constant instead of a magic number. This makes the TTL self-documenting." },
+  { filePath: "src/api/routes/users.ts", line: 15, side: "new", category: "pattern-follow", content: "Good input validation pattern \u2014 checking required fields early and returning a descriptive error." },
+  { filePath: "src/api/routes/users.ts", line: 25, side: "new", category: "style", content: "Consider extracting cookie options into a shared constant so they're consistent across all cookie-setting code." },
+  { filePath: "src/api/routes/users.ts", line: 12, side: "new", category: "fix", content: "Add rate limiting to prevent brute-force login attempts. Use express-rate-limit with a window of 15 minutes and max 5 attempts." },
+  { filePath: "src/db/redis.ts", line: 5, side: "new", category: "note", content: "Consider using lazy initialization so the app can start even if Redis is temporarily down." },
+  { filePath: "src/middleware/auth.ts", line: 5, side: "new", category: "fix", content: "Validate the token format after extracting it. A regex like /^[a-f0-9]{64}$/ would reject malformed tokens early." },
+  { filePath: "src/utils/password.ts", line: 3, side: "new", category: "remember", content: "Always use bcrypt or argon2 for password hashing. Never use SHA/MD5 for passwords." }
+];
+async function setupDemoReview(scenario) {
+  const repoRoot = process.cwd();
+  const review = await createReview(repoRoot, "demo-project", "demo", `scenario-${String(scenario)}`);
+  const fileIdMap = /* @__PURE__ */ new Map();
+  for (const file of DEMO_FILES) {
+    const diff = {
+      filePath: file.path,
+      oldPath: null,
+      status: file.status,
+      hunks: file.hunks,
+      isBinary: false
+    };
+    const rf = await addReviewFile(review.id, file.path, JSON.stringify(diff));
+    fileIdMap.set(file.path, rf.id);
+  }
+  const { updateFileStatus: updateFileStatus2 } = await Promise.resolve().then(() => (init_queries(), queries_exports));
+  const reviewedPaths = ["src/utils/password.ts", "src/db/redis.ts", "package.json"];
+  for (const p of reviewedPaths) {
+    const fid = fileIdMap.get(p);
+    if (fid !== void 0) await updateFileStatus2(fid, "reviewed");
+  }
+  switch (scenario) {
+    case 1:
+      await setupGuidedNotes(review.id, fileIdMap);
+      saveGuidedReviewConfig({ enabled: true, topics: ["codebase", "typescript"] });
+      await saveUserPreferences({ sort_mode: "folder" });
+      break;
+    case 2:
+      await setupRiskScores(review.id, fileIdMap);
+      await saveUserPreferences({ sort_mode: "risk", show_risk_scores: true });
+      break;
+    case 3:
+      await setupNarrativeOrder(review.id, fileIdMap);
+      await saveUserPreferences({ sort_mode: "narrative" });
+      break;
+    case 4:
+      await setupAnnotations(fileIdMap);
+      await saveUserPreferences({ sort_mode: "folder" });
+      break;
+    case 5:
+      saveGuidedReviewConfig({ enabled: true, topics: ["programming", "codebase", "typescript", "javascript"] });
+      await saveUserPreferences({ sort_mode: "folder" });
+      break;
+    default:
+      break;
+  }
+  return { reviewId: review.id };
+}
+async function setupGuidedNotes(reviewId, fileIdMap) {
+  const analysis = await createAnalysis(reviewId, "guided");
+  const scores = Object.entries(GUIDED_NOTES).map(([path, notes], idx) => ({
+    reviewFileId: fileIdMap.get(path) ?? "",
+    filePath: path,
+    sortOrder: idx,
+    aggregateScore: null,
+    rationale: null,
+    dimensionScores: null,
+    notes
+  }));
+  await appendFileScores(analysis.id, scores);
+  await updateAnalysisStatus(analysis.id, "completed");
+}
+async function setupRiskScores(reviewId, fileIdMap) {
+  const analysis = await createAnalysis(reviewId, "risk");
+  const sorted = RISK_SCORES.slice().sort((a, b) => b.aggregate - a.aggregate);
+  const scores = sorted.map((r, idx) => ({
+    reviewFileId: fileIdMap.get(r.path) ?? "",
+    filePath: r.path,
+    sortOrder: idx,
+    aggregateScore: r.aggregate,
+    rationale: r.rationale,
+    dimensionScores: r.scores,
+    notes: r.notes
+  }));
+  await appendFileScores(analysis.id, scores);
+  await updateAnalysisStatus(analysis.id, "completed");
+}
+async function setupNarrativeOrder(reviewId, fileIdMap) {
+  const analysis = await createAnalysis(reviewId, "narrative");
+  const scores = NARRATIVE_ORDER.map((r) => ({
+    reviewFileId: fileIdMap.get(r.path) ?? "",
+    filePath: r.path,
+    sortOrder: r.position,
+    aggregateScore: null,
+    rationale: r.rationale,
+    dimensionScores: null,
+    notes: r.notes
+  }));
+  await appendFileScores(analysis.id, scores);
+  await updateAnalysisStatus(analysis.id, "completed");
+}
+async function setupAnnotations(fileIdMap) {
+  for (const ann of ANNOTATIONS) {
+    const fileId = fileIdMap.get(ann.filePath);
+    if (fileId !== void 0) {
+      await addAnnotation(fileId, ann.line, ann.side, ann.category, ann.content);
+    }
+  }
+}
+
+// src/git/diff.ts
+import { execSync as execSync2 } from "child_process";
+import { readFileSync as readFileSync2 } from "fs";
 import { resolve } from "path";
 function git(args, cwd) {
   try {
-    return execSync(`git ${args}`, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
+    return execSync2(`git ${args}`, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
   } catch (e) {
     const err = e;
     if (err.stdout !== void 0 && err.stdout !== "") return err.stdout;
@@ -336,7 +1341,7 @@ function getAllFiles(repoRoot) {
 function createNewFileDiff(filePath, repoRoot) {
   let content;
   try {
-    const buf = readFileSync(resolve(repoRoot, filePath));
+    const buf = readFileSync2(resolve(repoRoot, filePath));
     const checkLen = Math.min(buf.length, 8192);
     for (let i = 0; i < checkLen; i++) {
       if (buf[i] === 0) {
@@ -377,13 +1382,13 @@ function parseDiff(raw2) {
     if (headerEnd === -1 && !header.includes("Binary")) {
       const pathMatch2 = chunk.match(/^a\/(.+?) b\/(.+)/m);
       if (pathMatch2) {
-        const isBinary2 = header.includes("Binary");
+        const isBinary3 = header.includes("Binary");
         files.push({
           filePath: pathMatch2[2],
           oldPath: pathMatch2[1] !== pathMatch2[2] ? pathMatch2[1] : null,
           status: header.includes("new file") ? "added" : header.includes("deleted file") ? "deleted" : "modified",
           hunks: [],
-          isBinary: isBinary2
+          isBinary: isBinary3
         });
       }
       continue;
@@ -396,8 +1401,8 @@ function parseDiff(raw2) {
     if (header.includes("new file mode")) status = "added";
     else if (header.includes("deleted file mode")) status = "deleted";
     else if (oldPath !== null) status = "renamed";
-    const isBinary = header.includes("Binary file");
-    if (isBinary) {
+    const isBinary2 = header.includes("Binary file");
+    if (isBinary2) {
       files.push({ filePath, oldPath, status, hunks: [], isBinary: true });
       continue;
     }
@@ -457,7 +1462,7 @@ function getFileContent(filePath, ref, cwd) {
   const repoRoot = getRepoRoot(cwd);
   try {
     if (ref === "working") {
-      return execSync(`cat "${resolve(repoRoot, filePath)}"`, { encoding: "utf-8", maxBuffer: 10 * 1024 * 1024 });
+      return execSync2(`cat "${resolve(repoRoot, filePath)}"`, { encoding: "utf-8", maxBuffer: 10 * 1024 * 1024 });
     }
     return git(`show ${ref}:${filePath}`, repoRoot);
   } catch {
@@ -465,7 +1470,7 @@ function getFileContent(filePath, ref, cwd) {
   }
 }
 function getHeadCommit(cwd) {
-  return execSync("git rev-parse HEAD", { cwd, encoding: "utf-8" }).trim();
+  return execSync2("git rev-parse HEAD", { cwd, encoding: "utf-8" }).trim();
 }
 function getModeString(mode) {
   switch (mode.type) {
@@ -504,143 +1509,1359 @@ function getModeArgs(mode) {
       return void 0;
   }
 }
-
-// src/review-update.ts
-function findLineContent(diff, lineNumber, side) {
-  for (const hunk of diff.hunks) {
-    for (const line of hunk.lines) {
-      if (side === "old" && line.oldNum === lineNumber) return line.content;
-      if (side === "new" && line.newNum === lineNumber) return line.content;
-    }
+
+// src/review-update.ts
+init_queries();
+function findLineContent(diff, lineNumber, side) {
+  for (const hunk of diff.hunks) {
+    for (const line of hunk.lines) {
+      if (side === "old" && line.oldNum === lineNumber) return line.content;
+      if (side === "new" && line.newNum === lineNumber) return line.content;
+    }
+  }
+  return null;
+}
+function findMatchingLine(diff, content, origLineNum, side, radius = 10) {
+  let bestMatch = null;
+  let bestDistance = Infinity;
+  for (const hunk of diff.hunks) {
+    for (const line of hunk.lines) {
+      if (line.content !== content) continue;
+      const lineNum = side === "old" ? line.oldNum : line.newNum;
+      if (lineNum == null) continue;
+      const distance = Math.abs(lineNum - origLineNum);
+      if (distance <= radius && distance < bestDistance) {
+        bestDistance = distance;
+        bestMatch = { lineNumber: lineNum, side };
+      }
+    }
+  }
+  return bestMatch;
+}
+async function migrateAnnotations(annotations, oldDiff, newDiff) {
+  let staleCount = 0;
+  for (const annotation of annotations) {
+    const oldContent = findLineContent(oldDiff, annotation.line_number, annotation.side);
+    if (oldContent === null) {
+      if (!annotation.is_stale) {
+        await markAnnotationStale(annotation.id, null);
+        staleCount++;
+      }
+      continue;
+    }
+    const match = findMatchingLine(newDiff, oldContent, annotation.line_number, annotation.side);
+    if (match) {
+      if (match.lineNumber !== annotation.line_number || match.side !== annotation.side) {
+        await moveAnnotation(annotation.id, match.lineNumber, match.side);
+      } else if (annotation.is_stale) {
+        await markAnnotationCurrent(annotation.id);
+      }
+    } else {
+      if (!annotation.is_stale) {
+        await markAnnotationStale(annotation.id, oldContent);
+        staleCount++;
+      }
+    }
+  }
+  return staleCount;
+}
+async function updateReviewDiffs(reviewId, newDiffs, headCommit) {
+  const existingFiles = await getReviewFiles(reviewId);
+  const existingByPath = /* @__PURE__ */ new Map();
+  for (const f of existingFiles) {
+    existingByPath.set(f.file_path, f);
+  }
+  const newDiffsByPath = /* @__PURE__ */ new Map();
+  for (const d of newDiffs) {
+    newDiffsByPath.set(d.filePath, d);
+  }
+  let updated = 0;
+  let added = 0;
+  let stale = 0;
+  for (const [path, existingFile] of existingByPath) {
+    const newDiff = newDiffsByPath.get(path);
+    if (newDiff) {
+      const oldDiff = JSON.parse(existingFile.diff_data ?? "{}");
+      const annotations = await getAnnotationsForFile(existingFile.id);
+      if (annotations.length > 0) {
+        stale += await migrateAnnotations(annotations, oldDiff, newDiff);
+      }
+      await updateFileDiff(existingFile.id, JSON.stringify(newDiff));
+      updated++;
+    } else {
+      const annotations = await getAnnotationsForFile(existingFile.id);
+      if (annotations.length === 0) {
+        await deleteReviewFile(existingFile.id);
+      } else {
+        const oldDiff = JSON.parse(existingFile.diff_data ?? "{}");
+        for (const a of annotations) {
+          if (!a.is_stale) {
+            const content = findLineContent(oldDiff, a.line_number, a.side);
+            await markAnnotationStale(a.id, content);
+            stale++;
+          }
+        }
+      }
+    }
+  }
+  for (const [path, diff] of newDiffsByPath) {
+    if (!existingByPath.has(path)) {
+      await addReviewFile(reviewId, path, JSON.stringify(diff));
+      added++;
+    }
+  }
+  await updateReviewHead(reviewId, headCommit);
+  return { updated, added, stale };
+}
+
+// src/server.ts
+import { serve } from "@hono/node-server";
+import { exec } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync4 } from "fs";
+import { Hono as Hono4 } from "hono";
+import { dirname, join as join4 } from "path";
+import { fileURLToPath } from "url";
+
+// src/routes/ai-api.ts
+import { Hono } from "hono";
+
+// src/ai/client.ts
+async function sendAIRequest(config, systemPrompt, messages) {
+  if (config.apiKey === null) {
+    throw new Error(`No API key configured for ${config.platform}`);
+  }
+  const totalChars = messages.reduce((sum, m) => sum + m.content.length, 0) + systemPrompt.length;
+  debugLog(`AI request \u2192 ${config.platform}/${config.model} | ${String(messages.length)} message(s) | ~${String(Math.ceil(totalChars / 3))} estimated tokens`);
+  const start = Date.now();
+  let response;
+  switch (config.platform) {
+    case "anthropic":
+      response = await sendAnthropicRequest(config.apiKey, config.model, systemPrompt, messages);
+      break;
+    case "openai":
+      response = await sendOpenAIRequest(config.apiKey, config.model, systemPrompt, messages);
+      break;
+    case "google":
+      response = await sendGoogleRequest(config.apiKey, config.model, systemPrompt, messages);
+      break;
+  }
+  const elapsed = ((Date.now() - start) / 1e3).toFixed(1);
+  debugLog(`AI response \u2190 ${elapsed}s | ${String(response.inputTokens)} in / ${String(response.outputTokens)} out tokens`);
+  return response;
+}
+async function sendAnthropicRequest(apiKey, model, systemPrompt, messages) {
+  const response = await fetch("https://api.anthropic.com/v1/messages", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": apiKey,
+      "anthropic-version": "2023-06-01"
+    },
+    body: JSON.stringify({
+      model,
+      max_tokens: 8192,
+      system: systemPrompt,
+      messages: messages.map((m) => ({
+        role: m.role,
+        content: m.content
+      }))
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Anthropic API error (${String(response.status)}): ${errorText}`);
+  }
+  const data = await response.json();
+  const text = data.content.filter((c) => c.type === "text").map((c) => c.text).join("");
+  return {
+    content: text,
+    inputTokens: data.usage.input_tokens,
+    outputTokens: data.usage.output_tokens
+  };
+}
+async function sendOpenAIRequest(apiKey, model, systemPrompt, messages) {
+  const oaiMessages = [
+    { role: "system", content: systemPrompt },
+    ...messages.map((m) => ({ role: m.role, content: m.content }))
+  ];
+  const response = await fetch("https://api.openai.com/v1/chat/completions", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${apiKey}`
+    },
+    body: JSON.stringify({
+      model,
+      messages: oaiMessages,
+      max_tokens: 8192
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`OpenAI API error (${String(response.status)}): ${errorText}`);
+  }
+  const data = await response.json();
+  return {
+    content: data.choices[0].message.content,
+    inputTokens: data.usage.prompt_tokens,
+    outputTokens: data.usage.completion_tokens
+  };
+}
+async function sendGoogleRequest(apiKey, model, systemPrompt, messages) {
+  const contents = messages.map((m) => ({
+    role: m.role === "assistant" ? "model" : "user",
+    parts: [{ text: m.content }]
+  }));
+  const response = await fetch(
+    `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent?key=${apiKey}`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        system_instruction: { parts: [{ text: systemPrompt }] },
+        contents,
+        generationConfig: {
+          maxOutputTokens: 8192,
+          responseMimeType: "application/json"
+        }
+      })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Google AI API error (${String(response.status)}): ${errorText}`);
+  }
+  const data = await response.json();
+  const text = data.candidates[0].content.parts.map((p) => p.text).join("");
+  return {
+    content: text,
+    inputTokens: data.usageMetadata?.promptTokenCount ?? 0,
+    outputTokens: data.usageMetadata?.candidatesTokenCount ?? 0
+  };
+}
+
+// src/ai/context-builder.ts
+function summarizeHunk(hunk, maxLines) {
+  const lines = [];
+  lines.push(`@@ -${String(hunk.oldStart)},${String(hunk.oldCount)} +${String(hunk.newStart)},${String(hunk.newCount)} @@`);
+  const hunkLines = hunk.lines;
+  if (hunkLines.length <= maxLines) {
+    for (const line of hunkLines) {
+      const prefix = line.type === "add" ? "+" : line.type === "remove" ? "-" : " ";
+      lines.push(prefix + line.content);
+    }
+  } else {
+    const half = Math.floor(maxLines / 2);
+    for (let i = 0; i < half; i++) {
+      const line = hunkLines[i];
+      const prefix = line.type === "add" ? "+" : line.type === "remove" ? "-" : " ";
+      lines.push(prefix + line.content);
+    }
+    lines.push(`... (${String(hunkLines.length - maxLines)} lines omitted) ...`);
+    for (let i = hunkLines.length - half; i < hunkLines.length; i++) {
+      const line = hunkLines[i];
+      const prefix = line.type === "add" ? "+" : line.type === "remove" ? "-" : " ";
+      lines.push(prefix + line.content);
+    }
+  }
+  return lines.join("\n");
+}
+function buildDiffText(diff, charBudget) {
+  if (diff.isBinary) return "[Binary file]";
+  if (diff.hunks.length === 0) return "[No changes]";
+  const fullLines = [];
+  for (const hunk of diff.hunks) {
+    fullLines.push(`@@ -${String(hunk.oldStart)},${String(hunk.oldCount)} +${String(hunk.newStart)},${String(hunk.newCount)} @@`);
+    for (const line of hunk.lines) {
+      const prefix = line.type === "add" ? "+" : line.type === "remove" ? "-" : " ";
+      fullLines.push(prefix + line.content);
+    }
+  }
+  const fullText = fullLines.join("\n");
+  if (fullText.length <= charBudget) return fullText;
+  const maxLinesPerHunk = Math.max(10, Math.floor(charBudget / (diff.hunks.length * 80)));
+  return diff.hunks.map((h) => summarizeHunk(h, maxLinesPerHunk)).join("\n\n");
+}
+function buildFileContexts(files, charBudget) {
+  const contexts = [];
+  const perFileBudget = Math.floor(charBudget / Math.max(files.length, 1));
+  for (const file of files) {
+    const diff = JSON.parse(file.diff_data !== null && file.diff_data !== "" ? file.diff_data : "{}");
+    let added = 0;
+    let removed = 0;
+    const hunks = diff.hunks;
+    for (const hunk of hunks ?? []) {
+      for (const line of hunk.lines) {
+        if (line.type === "add") added++;
+        if (line.type === "remove") removed++;
+      }
+    }
+    contexts.push({
+      fileId: file.id,
+      filePath: file.file_path,
+      status: diff.status ?? file.status,
+      linesAdded: added,
+      linesRemoved: removed,
+      diffText: buildDiffText(diff, perFileBudget)
+    });
+  }
+  return contexts;
+}
+function formatContextsForPrompt(contexts) {
+  const sections = contexts.map((ctx) => {
+    return [
+      `=== ${ctx.filePath} (${ctx.status}, +${String(ctx.linesAdded)} -${String(ctx.linesRemoved)}) ===`,
+      ctx.diffText
+    ].join("\n");
+  });
+  return sections.join("\n\n");
+}
+function formatAdditionalContext(files) {
+  return files.map((f) => {
+    return `=== Full content: ${f.path} ===
+${f.content}`;
+  }).join("\n\n");
+}
+
+// src/ai/shared.ts
+function isNeedContext(parsed) {
+  return typeof parsed === "object" && parsed !== null && "needContext" in parsed && Array.isArray(parsed.needContext);
+}
+function extractJSON(text) {
+  const stripped = text.trim().replace(/^```json?\n?/, "").replace(/\n?```$/, "");
+  try {
+    return JSON.parse(stripped);
+  } catch {
+  }
+  const arrayMatch = text.match(/\[[\s\S]*\]/);
+  if (arrayMatch !== null) {
+    try {
+      return JSON.parse(arrayMatch[0]);
+    } catch {
+    }
+  }
+  const objMatch = text.match(/\{[\s\S]*\}/);
+  if (objMatch !== null) {
+    try {
+      return JSON.parse(objMatch[0]);
+    } catch {
+    }
+  }
+  throw new Error(`Could not extract JSON from AI response: ${text.slice(0, 300)}`);
+}
+
+// src/ai/analyze-guided.ts
+var TOPIC_DISPLAY = {
+  programming: "programming in general",
+  codebase: "this codebase",
+  javascript: "JavaScript",
+  python: "Python",
+  typescript: "TypeScript",
+  java: "Java",
+  csharp: "C#",
+  cpp: "C++",
+  go: "Go",
+  rust: "Rust",
+  php: "PHP",
+  swift: "Swift",
+  ruby: "Ruby",
+  kotlin: "Kotlin",
+  scala: "Scala",
+  c: "C",
+  objectivec: "Objective-C",
+  r: "R",
+  lua: "Lua",
+  perl: "Perl",
+  bash: "Shell scripting",
+  dart: "Dart",
+  elixir: "Elixir",
+  erlang: "Erlang",
+  haskell: "Haskell",
+  clojure: "Clojure",
+  ocaml: "OCaml",
+  zig: "Zig",
+  nim: "Nim",
+  groovy: "Groovy"
+};
+function buildSystemPrompt(config) {
+  const topicNames = config.topics.map((t) => TOPIC_DISPLAY[t] ?? t);
+  const topicList = topicNames.join(", ");
+  const hasLang = config.topics.some((t) => t !== "programming" && t !== "codebase");
+  const newToProgramming = config.topics.includes("programming");
+  const newToCodebase = config.topics.includes("codebase");
+  let focusInstructions = "";
+  if (newToProgramming) {
+    focusInstructions += `
+- Explain basic programming concepts (variables, functions, control flow, types) when they appear
+- Define technical terms the first time you use them
+- Explain WHY code is structured a certain way, not just what it does`;
+  }
+  if (newToCodebase) {
+    focusInstructions += `
+- Explain how each file fits into the broader system architecture
+- Describe the purpose of the module/component and its relationships with other parts
+- Highlight conventions and patterns specific to this codebase`;
+  }
+  if (hasLang) {
+    focusInstructions += `
+- Explain language-specific idioms, syntax, and features that may be unfamiliar
+- Point out language best practices and common pitfalls
+- When a pattern is language-specific, explain the underlying concept and alternatives`;
+  }
+  return `You are a JSON-only API. You output raw JSON with no other text, no markdown fences, no explanation.
+
+TASK: Provide educational walkthrough notes for a code reviewer who is new to: ${topicList}.
+
+Your goal is to help this reviewer understand the code changes by explaining concepts, patterns, and decisions they may not be familiar with. Focus on teaching \u2014 not evaluating risk or ordering files.
+
+For each file, provide:
+- "overview": A clear, educational explanation of what this file does, what changed, and why it matters. Tailor the depth to the reviewer's experience level.
+- "lines": An array of specific line-level educational notes referencing NEW-side line numbers from the diff. Each entry has "line" (number) and "content" (educational explanation). Focus on the most instructive lines \u2014 not every line.
+
+Focus areas:${focusInstructions}
+
+General guidelines:
+- Explain WHY something matters, not just WHAT it is
+- Use concrete, accessible language \u2014 avoid jargon unless you define it
+- When a change introduces a pattern, explain the pattern and its benefits
+- Keep notes practical and specific to the actual code shown
+
+OUTPUT FORMAT \u2014 you MUST output ONLY this JSON array, nothing else:
+[{"filePath":"src/example.ts","notes":{"overview":"Educational summary of this file and its changes","lines":[{"line":42,"content":"This uses a closure to capture the variable \u2014 closures are functions that remember variables from their outer scope"}]}}]
+
+If you need full file content to explain accurately, output ONLY: {"needContext":["path/to/file.ts"]}
+
+CRITICAL: Your entire response must be parseable by JSON.parse(). No prose, no markdown, no explanation.`;
+}
+async function runGuidedAnalysisBatch(files, config, repoRoot, guidedReview) {
+  const contextWindow = getModelContextWindow(config.platform, config.model);
+  const charBudget = Math.floor(contextWindow * 0.7 * 3);
+  const systemPrompt = buildSystemPrompt(guidedReview);
+  const contexts = buildFileContexts(files, charBudget);
+  const validPaths = new Set(files.map((f) => f.file_path));
+  const initialPrompt = [
+    `Provide educational walkthrough notes for these ${String(files.length)} changed files:`,
+    "",
+    formatContextsForPrompt(contexts)
+  ].join("\n");
+  const messages = [{ role: "user", content: initialPrompt }];
+  for (let round = 0; round < 3; round++) {
+    const response = await sendAIRequest(config, systemPrompt, messages);
+    const parsed = extractJSON(response.content);
+    if (isNeedContext(parsed)) {
+      const safePaths = parsed.needContext.filter((p) => validPaths.has(p));
+      if (safePaths.length === 0) {
+        throw new Error("AI requested context for files not in the review");
+      }
+      const fileContents = safePaths.map((path) => ({
+        path,
+        content: getFileContent(path, "working", repoRoot)
+      }));
+      messages.push({ role: "assistant", content: response.content });
+      messages.push({
+        role: "user",
+        content: `Here is the full content of the requested files:
+
+${formatAdditionalContext(fileContents)}`
+      });
+      continue;
+    }
+    if (!Array.isArray(parsed)) {
+      throw new Error("Expected an array of guided review notes from AI");
+    }
+    return parsed;
+  }
+  throw new Error("Guided analysis did not converge after 3 context rounds");
+}
+
+// src/ai/guided-review.ts
+var TOPIC_DISPLAY2 = {
+  programming: "programming in general",
+  codebase: "this codebase",
+  javascript: "JavaScript",
+  python: "Python",
+  typescript: "TypeScript",
+  java: "Java",
+  csharp: "C#",
+  cpp: "C++",
+  go: "Go",
+  rust: "Rust",
+  php: "PHP",
+  swift: "Swift",
+  ruby: "Ruby",
+  kotlin: "Kotlin",
+  scala: "Scala",
+  c: "C",
+  objectivec: "Objective-C",
+  r: "R",
+  lua: "Lua",
+  perl: "Perl",
+  bash: "Shell scripting",
+  dart: "Dart",
+  elixir: "Elixir",
+  erlang: "Erlang",
+  haskell: "Haskell",
+  clojure: "Clojure",
+  ocaml: "OCaml",
+  zig: "Zig",
+  nim: "Nim",
+  groovy: "Groovy"
+};
+function buildGuidedReviewSuffix(config, analysisType) {
+  if (!config.enabled || config.topics.length === 0) return "";
+  const topicNames = config.topics.map((t) => TOPIC_DISPLAY2[t] ?? t);
+  const topicList = topicNames.join(", ");
+  let suffix = `
+
+GUIDED REVIEW MODE \u2014 The reviewer is new to: ${topicList}.
+
+Adjust your output for this experience level:
+- Write more detailed, educational explanations that help the reviewer learn
+- Explain WHY something matters, not just WHAT it is
+- When a concept relates to something the reviewer is learning, explain the underlying principle
+- Include actionable suggestions for improvement, not just observations`;
+  if (analysisType === "risk") {
+    suffix += `
+- In rationale, provide context about why each risk dimension matters for this file
+- In line-level notes, explain language idioms, design patterns, and security concepts the reviewer may not know
+- Suggest specific fixes with brief code examples where helpful
+- Be more verbose and explanatory than you would for an expert reviewer`;
+  } else {
+    suffix += `
+- In overview notes, explain what the file does and its role in the broader system
+- In line-level notes, explain patterns, conventions, and design decisions
+- Help build understanding progressively through the reading order
+- When relevant, explain how files relate to each other and why the ordering matters`;
+  }
+  return suffix;
+}
+
+// src/ai/analyze-narrative.ts
+var SYSTEM_PROMPT = `You are a JSON-only API. You output raw JSON with no other text, no markdown fences, no explanation.
+
+TASK: Determine the best reading order for a human reviewing these code changes, and provide walkthrough notes for each file.
+
+PRINCIPLES for ordering:
+1. Types/interfaces/data models first (foundations)
+2. Utility functions and shared helpers next
+3. Core business logic, ordered by dependency
+4. Integration code (routes, controllers, event handlers)
+5. Configuration and build files
+6. Tests last
+
+For each file, provide walkthrough notes to guide the reviewer:
+- "overview": A 1-2 sentence summary explaining what changed in this file and why it matters in the reading order
+- "lines": An array of specific line-level walkthrough notes referencing NEW-side line numbers from the diff. Highlight key changes, important patterns, and connections to other files. Each entry has "line" (number) and "content" (brief note).
+
+OUTPUT FORMAT \u2014 you MUST output ONLY this JSON array, nothing else:
+[{"filePath":"src/types.ts","position":1,"rationale":"Defines core interfaces","notes":{"overview":"Start here: these new types are used throughout the rest of the changes","lines":[{"line":10,"content":"This interface is the foundation for the new feature in routes.ts"}]}}]
+
+Every file in the diff must appear exactly once.
+
+If you need full file content to determine dependencies, output ONLY: {"needContext":["path/to/file.ts"]}
+
+CRITICAL: Your entire response must be parseable by JSON.parse(). No prose, no markdown, no explanation.`;
+async function runNarrativeAnalysisBatch(files, config, repoRoot, guidedReview) {
+  const contextWindow = getModelContextWindow(config.platform, config.model);
+  const charBudget = Math.floor(contextWindow * 0.7 * 3);
+  const systemPrompt = SYSTEM_PROMPT + (guidedReview !== void 0 ? buildGuidedReviewSuffix(guidedReview, "narrative") : "");
+  const contexts = buildFileContexts(files, charBudget);
+  const validPaths = new Set(files.map((f) => f.file_path));
+  const initialPrompt = [
+    `Determine the best reading order for reviewing these ${String(files.length)} changed files:`,
+    "",
+    formatContextsForPrompt(contexts)
+  ].join("\n");
+  const messages = [{ role: "user", content: initialPrompt }];
+  for (let round = 0; round < 3; round++) {
+    const response = await sendAIRequest(config, systemPrompt, messages);
+    const parsed = extractJSON(response.content);
+    if (isNeedContext(parsed)) {
+      const safePaths = parsed.needContext.filter((p) => validPaths.has(p));
+      if (safePaths.length === 0) {
+        throw new Error("AI requested context for files not in the review");
+      }
+      const fileContents = safePaths.map((path) => ({
+        path,
+        content: getFileContent(path, "working", repoRoot)
+      }));
+      messages.push({ role: "assistant", content: response.content });
+      messages.push({
+        role: "user",
+        content: `Here is the full content of the requested files:
+
+${formatAdditionalContext(fileContents)}`
+      });
+      continue;
+    }
+    if (!Array.isArray(parsed)) {
+      throw new Error("Expected an array of narrative ordering from AI");
+    }
+    return parsed;
+  }
+  throw new Error("Narrative analysis did not converge after 3 context rounds");
+}
+function mergeNarrativeOrders(batchResults, batchCount) {
+  if (batchCount <= 1) {
+    return new Map(batchResults.map((r) => [r.filePath, r.position]));
+  }
+  const batches = [];
+  let currentBatch = [];
+  let lastPos = 0;
+  const sorted = batchResults.slice();
+  for (const r of sorted) {
+    if (r.position <= lastPos && currentBatch.length > 0) {
+      batches.push(currentBatch.slice().sort((a, b) => a.position - b.position));
+      currentBatch = [];
+    }
+    currentBatch.push(r);
+    lastPos = r.position;
+  }
+  if (currentBatch.length > 0) {
+    batches.push(currentBatch.slice().sort((a, b) => a.position - b.position));
+  }
+  const merged = [];
+  const maxLen = Math.max(...batches.map((b) => b.length));
+  for (let i = 0; i < maxLen; i++) {
+    for (const batch of batches) {
+      if (i < batch.length) {
+        merged.push(batch[i].filePath);
+      }
+    }
+  }
+  const positions = /* @__PURE__ */ new Map();
+  for (let i = 0; i < merged.length; i++) {
+    positions.set(merged[i], i + 1);
+  }
+  return positions;
+}
+
+// src/ai/analyze-risk.ts
+var SYSTEM_PROMPT2 = `You are a JSON-only API. You output raw JSON with no other text, no markdown fences, no explanation.
+
+TASK: Evaluate each changed file across these risk dimensions on a 0.0 to 1.0 scale (0.0 = no concern, 1.0 = critical):
+
+1. security - Injection vulnerabilities, auth gaps, data exposure, insecure crypto, path traversal
+2. correctness - Logic errors, off-by-one, null handling, type safety, race conditions
+3. error-handling - Missing catches, unvalidated input, silent failures
+4. maintainability - Complexity, coupling, unclear naming, magic numbers
+5. architecture - Separation of concerns, dependency direction, scalability, API design
+6. performance - Algorithmic complexity, memory management, unnecessary allocation
+
+For each file, also provide detailed notes:
+- "overview": A 1-2 sentence summary of the key risk concerns for this file
+- "lines": An array of specific line-level observations referencing NEW-side line numbers from the diff. Focus on the most important risks, not every line. Each entry has "line" (number) and "content" (brief note).
+
+OUTPUT FORMAT \u2014 you MUST output ONLY this JSON array, nothing else:
+[{"filePath":"src/example.ts","scores":{"security":0.2,"correctness":0.5,"error-handling":0.3,"maintainability":0.4,"architecture":0.1,"performance":0.2},"aggregate":0.35,"rationale":"Brief concern","notes":{"overview":"Key risk summary for this file","lines":[{"line":42,"content":"SQL injection: user input not parameterized"}]}}]
+
+The aggregate should be the MAX of all individual dimension scores (if a file has one critical issue, the aggregate should reflect that).
+
+If you need full file content to assess accurately, output ONLY: {"needContext":["path/to/file.ts"]}
+
+CRITICAL: Your entire response must be parseable by JSON.parse(). No prose, no markdown, no explanation.`;
+async function runRiskAnalysisBatch(files, config, repoRoot, guidedReview) {
+  const contextWindow = getModelContextWindow(config.platform, config.model);
+  const charBudget = Math.floor(contextWindow * 0.7 * 3);
+  const systemPrompt = SYSTEM_PROMPT2 + (guidedReview !== void 0 ? buildGuidedReviewSuffix(guidedReview, "risk") : "");
+  const contexts = buildFileContexts(files, charBudget);
+  const validPaths = new Set(files.map((f) => f.file_path));
+  const initialPrompt = [
+    `Analyze the following ${String(files.length)} file diffs for risk:`,
+    "",
+    formatContextsForPrompt(contexts)
+  ].join("\n");
+  const messages = [{ role: "user", content: initialPrompt }];
+  for (let round = 0; round < 3; round++) {
+    const response = await sendAIRequest(config, systemPrompt, messages);
+    const parsed = extractJSON(response.content);
+    if (isNeedContext(parsed)) {
+      const safePaths = parsed.needContext.filter((p) => validPaths.has(p));
+      if (safePaths.length === 0) {
+        throw new Error("AI requested context for files not in the review");
+      }
+      const fileContents = safePaths.map((path) => ({
+        path,
+        content: getFileContent(path, "working", repoRoot)
+      }));
+      messages.push({ role: "assistant", content: response.content });
+      messages.push({
+        role: "user",
+        content: `Here is the full content of the requested files:
+
+${formatAdditionalContext(fileContents)}`
+      });
+      continue;
+    }
+    if (!Array.isArray(parsed)) {
+      throw new Error("Expected an array of risk assessments from AI");
+    }
+    return parsed;
+  }
+  throw new Error("Risk analysis did not converge after 3 context rounds");
+}
+
+// src/ai/batch-planner.ts
+function parseDiff2(file) {
+  return JSON.parse(
+    file.diff_data !== null && file.diff_data !== "" ? file.diff_data : "{}"
+  );
+}
+function isBinary(file) {
+  const diff = parseDiff2(file);
+  return diff.isBinary;
+}
+function estimateFileTokens(file) {
+  const diff = parseDiff2(file);
+  if (diff.isBinary) return 0;
+  const hunks = diff.hunks;
+  if (!hunks) return 0;
+  let charCount = 0;
+  for (const hunk of hunks) {
+    charCount += 40;
+    for (const line of hunk.lines) {
+      charCount += line.content.length + 2;
+    }
+  }
+  charCount += file.file_path.length + 80;
+  return Math.ceil(charCount / 3);
+}
+var DEFAULT_BATCH_TOKEN_LIMIT = 2e4;
+function planBatches(files, contextWindowTokens) {
+  const binaryFiles = [];
+  const analyzableFiles = [];
+  for (const file of files) {
+    if (isBinary(file)) {
+      binaryFiles.push(file);
+    } else {
+      analyzableFiles.push({ file, tokens: estimateFileTokens(file) });
+    }
+  }
+  if (analyzableFiles.length === 0) {
+    return { batches: [], binaryFiles };
+  }
+  const contextCap = Math.floor(contextWindowTokens * 0.7 * 0.85);
+  const batchTokenLimit = Math.min(DEFAULT_BATCH_TOKEN_LIMIT, contextCap);
+  analyzableFiles.sort((a, b) => b.tokens - a.tokens);
+  const batches = [];
+  const placed = /* @__PURE__ */ new Set();
+  for (let i = 0; i < analyzableFiles.length; i++) {
+    if (placed.has(i)) continue;
+    const entry = analyzableFiles[i];
+    const batchFiles = [entry.file];
+    let batchTokens = entry.tokens;
+    placed.add(i);
+    for (let j = i + 1; j < analyzableFiles.length; j++) {
+      if (placed.has(j)) continue;
+      const candidate = analyzableFiles[j];
+      if (batchTokens + candidate.tokens <= batchTokenLimit) {
+        batchFiles.push(candidate.file);
+        batchTokens += candidate.tokens;
+        placed.add(j);
+      }
+    }
+    batches.push({ files: batchFiles, estimatedTokens: batchTokens });
+  }
+  debugLog(`Batch plan: ${String(analyzableFiles.length)} analyzable files, ${String(binaryFiles.length)} binary files \u2192 ${String(batches.length)} batch(es), limit ${String(batchTokenLimit)} tokens/batch`);
+  for (let i = 0; i < batches.length; i++) {
+    debugLog(`  Batch ${String(i)}: ${String(batches[i].files.length)} files, ~${String(batches[i].estimatedTokens)} tokens`);
+  }
+  return { batches, binaryFiles };
+}
+
+// src/ai/batch-runner.ts
+async function runBatches(batches, totalFiles, processBatch, onBatchComplete, onProgress, concurrency = 1, shouldCancel, label = "") {
+  const tag = label !== "" ? `[${label}] ` : "";
+  const allResults = [];
+  let completedBatches = 0;
+  let completedFiles = 0;
+  const progress = () => ({
+    totalBatches: batches.length,
+    completedBatches,
+    totalFiles,
+    completedFiles
+  });
+  async function runOne(batch, index) {
+    debugLog(`${tag}Batch ${String(index)} starting: ${String(batch.files.length)} files, ~${String(batch.estimatedTokens)} tokens`);
+    let results;
+    try {
+      results = await processBatch(batch, index);
+    } catch (err) {
+      if (isRetriable(err)) {
+        const msg = err instanceof Error ? err.message : String(err);
+        debugLog(`${tag}Batch ${String(index)} hit retriable error, waiting 30-60s: ${msg.slice(0, 120)}`);
+        const delay = 3e4 + Math.random() * 3e4;
+        await sleep(delay);
+        debugLog(`${tag}Batch ${String(index)} retrying...`);
+        results = await processBatch(batch, index);
+      } else {
+        throw err;
+      }
+    }
+    debugLog(`${tag}Batch ${String(index)} completed: ${String(results.length)} results`);
+    allResults.push(...results);
+    completedBatches++;
+    completedFiles += batch.files.length;
+    await onBatchComplete(index, results);
+    await onProgress(progress());
+  }
+  let nextIndex = 0;
+  const running = /* @__PURE__ */ new Set();
+  while (nextIndex < batches.length || running.size > 0) {
+    while (nextIndex < batches.length && running.size < concurrency) {
+      if (shouldCancel !== void 0 && shouldCancel()) {
+        debugLog(`${tag}Batch runner cancelled \u2014 skipping batch ${String(nextIndex)} and ${String(batches.length - nextIndex - 1)} remaining`);
+        nextIndex = batches.length;
+        break;
+      }
+      const idx = nextIndex++;
+      const batch = batches[idx];
+      const p = runOne(batch, idx).catch((err) => {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`${tag}Batch ${String(idx)} failed: ${msg}`);
+        completedBatches++;
+        void onProgress(progress());
+      });
+      running.add(p);
+      void p.then(() => {
+        running.delete(p);
+      });
+    }
+    if (running.size > 0) {
+      await Promise.race(running);
+    }
+  }
+  return allResults;
+}
+function isRetriable(err) {
+  if (!(err instanceof Error)) return false;
+  const msg = err.message;
+  return msg.includes("429") || msg.includes("500") || msg.includes("502") || msg.includes("503") || msg.includes("504") || msg.includes("rate_limit");
+}
+function sleep(ms) {
+  return new Promise((resolve2) => {
+    setTimeout(resolve2, ms);
+  });
+}
+
+// src/ai/mock.ts
+var LOREM = [
+  "Lorem ipsum dolor sit amet, consectetur adipiscing elit.",
+  "Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
+  "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris.",
+  "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum.",
+  "Excepteur sint occaecat cupidatat non proident, sunt in culpa.",
+  "Nulla facilisi morbi tempus iaculis urna id volutpat lacus.",
+  "Viverra accumsan in nisl nisi scelerisque eu ultrices vitae.",
+  "Amet consectetur adipiscing elit pellentesque habitant morbi tristique."
+];
+var LINE_NOTES = [
+  "Consider extracting this into a helper function.",
+  "This variable could use a more descriptive name.",
+  "Potential null reference if upstream data is missing.",
+  "Good use of early return pattern here.",
+  "Magic number \u2014 consider defining as a named constant.",
+  "This logic duplicates what exists in the utility module.",
+  "Edge case: what happens when the input array is empty?",
+  "Type assertion here bypasses compile-time safety checks."
+];
+function pick(arr) {
+  return arr[Math.floor(Math.random() * arr.length)];
+}
+function randomScore() {
+  return Math.round(Math.random() * 10) / 10;
+}
+function randomLines(count) {
+  const lines = [];
+  const numLines = 1 + Math.floor(Math.random() * Math.min(count, 3));
+  const usedLines = /* @__PURE__ */ new Set();
+  for (let i = 0; i < numLines; i++) {
+    let line = 1 + Math.floor(Math.random() * Math.max(count, 20));
+    while (usedLines.has(line)) line++;
+    usedLines.add(line);
+    lines.push({ line, content: pick(LINE_NOTES) });
   }
-  return null;
+  return lines.sort((a, b) => a.line - b.line);
 }
-function findMatchingLine(diff, content, origLineNum, side, radius = 10) {
-  let bestMatch = null;
-  let bestDistance = Infinity;
-  for (const hunk of diff.hunks) {
-    for (const line of hunk.lines) {
-      if (line.content !== content) continue;
-      const lineNum = side === "old" ? line.oldNum : line.newNum;
-      if (lineNum == null) continue;
-      const distance = Math.abs(lineNum - origLineNum);
-      if (distance <= radius && distance < bestDistance) {
-        bestDistance = distance;
-        bestMatch = { lineNumber: lineNum, side };
+function sleep2(ms) {
+  return new Promise((resolve2) => {
+    setTimeout(resolve2, ms);
+  });
+}
+async function mockRiskAnalysisBatch(files) {
+  const delay = 2e3 + Math.random() * 2e3;
+  debugLog(`[mock] Risk batch: ${String(files.length)} files, waiting ${String(Math.round(delay / 1e3))}s`);
+  await sleep2(delay);
+  return files.map((f) => {
+    const scores = {
+      security: randomScore(),
+      correctness: randomScore(),
+      "error-handling": randomScore(),
+      maintainability: randomScore(),
+      architecture: randomScore(),
+      performance: randomScore()
+    };
+    const aggregate = Math.max(...Object.values(scores));
+    return {
+      filePath: f.file_path,
+      scores,
+      aggregate,
+      rationale: pick(LOREM),
+      notes: {
+        overview: pick(LOREM),
+        lines: randomLines(50)
       }
+    };
+  });
+}
+async function mockNarrativeAnalysisBatch(files) {
+  const delay = 2e3 + Math.random() * 2e3;
+  debugLog(`[mock] Narrative batch: ${String(files.length)} files, waiting ${String(Math.round(delay / 1e3))}s`);
+  await sleep2(delay);
+  const shuffled = files.slice().sort(() => Math.random() - 0.5);
+  return shuffled.map((f, idx) => ({
+    filePath: f.file_path,
+    position: idx + 1,
+    rationale: pick(LOREM),
+    notes: {
+      overview: pick(LOREM),
+      lines: randomLines(50)
     }
-  }
-  return bestMatch;
+  }));
 }
-async function migrateAnnotations(annotations, oldDiff, newDiff) {
-  let staleCount = 0;
-  for (const annotation of annotations) {
-    const oldContent = findLineContent(oldDiff, annotation.line_number, annotation.side);
-    if (oldContent === null) {
-      if (!annotation.is_stale) {
-        await markAnnotationStale(annotation.id, null);
-        staleCount++;
-      }
-      continue;
+var GUIDED_NOTES2 = [
+  "This is a closure \u2014 it captures variables from the surrounding scope so they can be used later.",
+  "The async/await pattern makes asynchronous code read like synchronous code.",
+  "This uses destructuring to extract specific properties from an object.",
+  "A Set is used here because it automatically prevents duplicate entries.",
+  "Template literals (backtick strings) allow embedding expressions with ${...} syntax.",
+  "The optional chaining operator (?.) safely accesses nested properties that might be null.",
+  "This arrow function uses an implicit return \u2014 no braces means the expression is returned directly.",
+  "The spread operator (...) creates a shallow copy of the array to avoid mutating the original."
+];
+async function mockGuidedAnalysisBatch(files) {
+  const delay = 2e3 + Math.random() * 2e3;
+  debugLog(`[mock] Guided batch: ${String(files.length)} files, waiting ${String(Math.round(delay / 1e3))}s`);
+  await sleep2(delay);
+  return files.map((f) => ({
+    filePath: f.file_path,
+    notes: {
+      overview: pick(LOREM),
+      lines: randomLines(50).map((l) => ({ ...l, content: pick(GUIDED_NOTES2) }))
     }
-    const match = findMatchingLine(newDiff, oldContent, annotation.line_number, annotation.side);
-    if (match) {
-      if (match.lineNumber !== annotation.line_number || match.side !== annotation.side) {
-        await moveAnnotation(annotation.id, match.lineNumber, match.side);
-      } else if (annotation.is_stale) {
-        await markAnnotationCurrent(annotation.id);
-      }
-    } else {
-      if (!annotation.is_stale) {
-        await markAnnotationStale(annotation.id, oldContent);
-        staleCount++;
+  }));
+}
+
+// src/routes/ai-api.ts
+init_queries();
+var aiApiRoutes = new Hono();
+var cancelledAnalyses = /* @__PURE__ */ new Set();
+aiApiRoutes.get("/config", (c) => {
+  const config = loadAIConfig();
+  return c.json({
+    platform: config.platform,
+    model: config.model,
+    keyConfigured: config.apiKey !== null || isAIServiceTest() || getDemoMode() !== null,
+    keySource: config.keySource,
+    guidedReview: loadGuidedReviewConfig()
+  });
+});
+aiApiRoutes.post("/config", async (c) => {
+  const body = await c.req.json();
+  saveAIConfigPreferences(body.platform, body.model);
+  if (body.guidedReview !== void 0) {
+    saveGuidedReviewConfig(body.guidedReview);
+  }
+  return c.json({ ok: true });
+});
+aiApiRoutes.get("/models", (c) => {
+  return c.json({
+    platforms: PLATFORMS,
+    models: MODELS
+  });
+});
+aiApiRoutes.get("/key-status", (c) => {
+  const platforms = ["anthropic", "openai", "google"];
+  const status = {};
+  for (const platform of platforms) {
+    const { source } = resolveAPIKey(platform);
+    status[platform] = { configured: source !== null, source };
+  }
+  return c.json({
+    status,
+    keychainAvailable: isKeychainAvailable(),
+    keychainLabel: getKeychainLabel(),
+    availablePlatforms: detectAvailablePlatforms()
+  });
+});
+aiApiRoutes.post("/key", async (c) => {
+  const body = await c.req.json();
+  saveAPIKey(
+    body.platform,
+    body.key,
+    body.storage
+  );
+  return c.json({ ok: true });
+});
+aiApiRoutes.delete("/key", (c) => {
+  const platform = c.req.query("platform") ?? "anthropic";
+  deleteAPIKey(platform);
+  return c.json({ ok: true });
+});
+aiApiRoutes.post("/analyze", async (c) => {
+  const reviewId = c.req.query("reviewId") ?? "";
+  const repoRoot = c.get("repoRoot");
+  const body = await c.req.json();
+  const analysisType = body.type;
+  const invalidateCache = body.invalidateCache === true;
+  debugLog(`POST /analyze: type=${analysisType}, reviewId=${reviewId}`);
+  if (analysisType !== "risk" && analysisType !== "narrative" && analysisType !== "guided") {
+    return c.json({ error: "Invalid analysis type" }, 400);
+  }
+  const testMode = isAIServiceTest();
+  const config = loadAIConfig();
+  if (config.apiKey === null && !testMode) {
+    debugLog("POST /analyze: no API key configured");
+    return c.json({ error: "No API key configured" }, 400);
+  }
+  debugLog(`POST /analyze: platform=${config.platform}, model=${config.model}${testMode ? " (TEST MODE)" : ""}`);
+  const files = await getReviewFiles(reviewId);
+  debugLog(`POST /analyze: ${String(files.length)} files in review`);
+  if (files.length === 0) {
+    return c.json({ error: "No files in review" }, 400);
+  }
+  if (invalidateCache) {
+    debugLog("POST /analyze: invalidateCache=true, cancelling all running analyses");
+    for (const type of ["risk", "narrative", "guided"]) {
+      const running = await getLatestAnalysis(reviewId, type);
+      if (running !== void 0 && running.status === "running") {
+        debugLog(`POST /analyze: cancelling ${type} analysis id=${running.id}`);
+        cancelledAnalyses.add(running.id);
+        await updateAnalysisStatus(running.id, "failed", "Cancelled");
       }
     }
+  } else if (analysisType === "risk" || analysisType === "narrative") {
+    const otherType = analysisType === "risk" ? "narrative" : "risk";
+    const otherRunning = await getLatestAnalysis(reviewId, otherType);
+    if (otherRunning !== void 0 && otherRunning.status === "running") {
+      debugLog(`POST /analyze: cancelling ${otherType} analysis id=${otherRunning.id} (switching to ${analysisType})`);
+      cancelledAnalyses.add(otherRunning.id);
+    }
   }
-  return staleCount;
-}
-async function updateReviewDiffs(reviewId, newDiffs, headCommit) {
-  const existingFiles = await getReviewFiles(reviewId);
-  const existingByPath = /* @__PURE__ */ new Map();
-  for (const f of existingFiles) {
-    existingByPath.set(f.file_path, f);
-  }
-  const newDiffsByPath = /* @__PURE__ */ new Map();
-  for (const d of newDiffs) {
-    newDiffsByPath.set(d.filePath, d);
+  if (!invalidateCache) {
+    const existing = await getLatestAnalysis(reviewId, analysisType);
+    if (existing !== void 0) {
+      debugLog(`POST /analyze: found existing ${analysisType} analysis id=${existing.id}, status=${existing.status}, created=${existing.created_at}, updated=${existing.updated_at}`);
+    }
+    if (existing !== void 0 && existing.status === "running") {
+      const ageMs = Date.now() - (/* @__PURE__ */ new Date(existing.updated_at + "Z")).getTime();
+      debugLog(`POST /analyze: existing analysis age=${String(Math.round(ageMs / 1e3))}s`);
+      if (ageMs < 15 * 60 * 1e3) {
+        debugLog("POST /analyze: reusing existing running analysis");
+        return c.json({ analysisId: existing.id, status: "running" });
+      }
+      debugLog("POST /analyze: marking stale analysis as timed out");
+      await updateAnalysisStatus(existing.id, "failed", "Analysis timed out");
+    }
   }
-  let updated = 0;
-  let added = 0;
-  let stale = 0;
-  for (const [path, existingFile] of existingByPath) {
-    const newDiff = newDiffsByPath.get(path);
-    if (newDiff) {
-      const oldDiff = JSON.parse(existingFile.diff_data ?? "{}");
-      const annotations = await getAnnotationsForFile(existingFile.id);
-      if (annotations.length > 0) {
-        stale += await migrateAnnotations(annotations, oldDiff, newDiff);
+  const analysis = await createAnalysis(reviewId, analysisType);
+  debugLog(`POST /analyze: created new analysis id=${analysis.id}`);
+  const guidedReview = loadGuidedReviewConfig();
+  void (async () => {
+    try {
+      debugLog("Background analysis starting...");
+      const contextWindow = getModelContextWindow(config.platform, config.model);
+      debugLog(`Context window: ${String(contextWindow)} tokens`);
+      const { batches, binaryFiles } = planBatches(files, contextWindow);
+      const fileIdMap = new Map(files.map((f) => [f.file_path, f.id]));
+      const totalAnalyzable = batches.reduce((sum, b) => sum + b.files.length, 0);
+      debugLog(`Analysis plan: ${String(totalAnalyzable)} analyzable + ${String(binaryFiles.length)} binary = ${String(totalAnalyzable + binaryFiles.length)} total files in ${String(batches.length)} batch(es)`);
+      const prevScores = invalidateCache ? [] : await getPreviousScores(reviewId, analysisType, analysis.id);
+      const binaryPathSet = new Set(binaryFiles.map((f) => f.file_path));
+      const unchangedPaths = /* @__PURE__ */ new Set();
+      const cachedScores = prevScores.filter((s) => {
+        if (fileIdMap.has(s.file_path) && !binaryPathSet.has(s.file_path)) {
+          unchangedPaths.add(s.file_path);
+          return true;
+        }
+        return false;
+      });
+      debugLog(`Cache: ${String(cachedScores.length)} scores from previous analysis, ${String(totalAnalyzable - cachedScores.length)} files need processing`);
+      if (cachedScores.length > 0) {
+        const cachedForInsert = cachedScores.map((s) => ({
+          reviewFileId: fileIdMap.get(s.file_path) ?? s.review_file_id,
+          filePath: s.file_path,
+          sortOrder: s.sort_order,
+          aggregateScore: s.aggregate_score,
+          rationale: s.rationale,
+          dimensionScores: s.dimension_scores !== null ? JSON.parse(s.dimension_scores) : null,
+          notes: s.notes !== null ? JSON.parse(s.notes) : null
+        }));
+        await appendFileScores(analysis.id, cachedForInsert);
       }
-      await updateFileDiff(existingFile.id, JSON.stringify(newDiff));
-      updated++;
-    } else {
-      const annotations = await getAnnotationsForFile(existingFile.id);
-      if (annotations.length === 0) {
-        await deleteReviewFile(existingFile.id);
+      const filteredBatches = batches.map((batch) => {
+        const remaining = batch.files.filter((f) => !unchangedPaths.has(f.file_path));
+        return { files: remaining, estimatedTokens: batch.estimatedTokens };
+      }).filter((batch) => batch.files.length > 0);
+      const filteredAnalyzable = filteredBatches.reduce((sum, b) => sum + b.files.length, 0);
+      const totalForProgress = filteredAnalyzable + binaryFiles.length + cachedScores.length;
+      debugLog(`After cache: ${String(filteredAnalyzable)} files to analyze in ${String(filteredBatches.length)} batch(es)`);
+      await updateAnalysisProgress(analysis.id, cachedScores.length, totalForProgress);
+      if (binaryFiles.length > 0) {
+        debugLog(`Saving ${String(binaryFiles.length)} binary files with score 0`);
+        const binaryScoreEntries = binaryFiles.map((f, idx) => ({
+          reviewFileId: fileIdMap.get(f.file_path) ?? "",
+          filePath: f.file_path,
+          sortOrder: 99999 + idx,
+          // Will be re-sorted later
+          aggregateScore: analysisType === "risk" ? 0 : null,
+          rationale: "Binary file \u2014 not analyzed",
+          dimensionScores: analysisType === "risk" ? { security: 0, correctness: 0, "error-handling": 0, maintainability: 0, architecture: 0, performance: 0 } : null,
+          notes: null
+        }));
+        await appendFileScores(analysis.id, binaryScoreEntries);
+        await updateAnalysisProgress(analysis.id, cachedScores.length + binaryFiles.length, totalForProgress);
+      }
+      if (filteredBatches.length === 0) {
+        debugLog("No batches to process (all files cached or binary), marking completed");
+        await updateAnalysisStatus(analysis.id, "completed");
+        return;
+      }
+      const shouldCancel = () => cancelledAnalyses.has(analysis.id);
+      const progressOffset = cachedScores.length + binaryFiles.length;
+      if (analysisType === "risk") {
+        await runBatchedRiskAnalysis(analysis.id, filteredBatches, files, config, repoRoot, fileIdMap, totalForProgress, progressOffset, shouldCancel, guidedReview);
+      } else if (analysisType === "narrative") {
+        await runBatchedNarrativeAnalysis(analysis.id, filteredBatches, files, config, repoRoot, fileIdMap, totalForProgress, progressOffset, shouldCancel, guidedReview);
       } else {
-        const oldDiff = JSON.parse(existingFile.diff_data ?? "{}");
-        for (const a of annotations) {
-          if (!a.is_stale) {
-            const content = findLineContent(oldDiff, a.line_number, a.side);
-            await markAnnotationStale(a.id, content);
-            stale++;
-          }
-        }
+        await runBatchedGuidedAnalysis(analysis.id, filteredBatches, files, config, repoRoot, fileIdMap, totalForProgress, progressOffset, shouldCancel, guidedReview);
       }
+      if (cancelledAnalyses.has(analysis.id)) {
+        cancelledAnalyses.delete(analysis.id);
+        debugLog(`Analysis ${analysis.id} was cancelled (user switched modes)`);
+        await updateAnalysisStatus(analysis.id, "failed", "Cancelled");
+        return;
+      }
+      cancelledAnalyses.delete(analysis.id);
+      debugLog(`Analysis ${analysis.id} completed successfully`);
+      await updateAnalysisStatus(analysis.id, "completed");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      console.error(`Analysis failed: ${message}`);
+      debugLog(`Analysis ${analysis.id} failed: ${message}`);
+      await updateAnalysisStatus(analysis.id, "failed", message);
     }
+  })();
+  return c.json({ analysisId: analysis.id, status: "running" });
+});
+async function runBatchedRiskAnalysis(analysisId, batches, allFiles, config, repoRoot, fileIdMap, progressTotal, progressOffset, shouldCancel, guidedReview) {
+  const allResults = await runBatches(
+    batches,
+    allFiles.length,
+    async (batch) => isAIServiceTest() ? mockRiskAnalysisBatch(batch.files) : runRiskAnalysisBatch(batch.files, config, repoRoot, guidedReview),
+    async (_batchIndex, results) => {
+      for (const r of results) {
+        const maxDimension = Math.max(...Object.values(r.scores));
+        r.aggregate = Math.max(r.aggregate, maxDimension);
+      }
+      const scores = results.map((r) => ({
+        reviewFileId: fileIdMap.get(r.filePath) ?? "",
+        filePath: r.filePath,
+        sortOrder: 0,
+        // Placeholder — final sort happens after all batches
+        aggregateScore: r.aggregate,
+        rationale: r.rationale,
+        dimensionScores: r.scores,
+        notes: r.notes ?? null
+      }));
+      await appendFileScores(analysisId, scores);
+    },
+    async (progress) => {
+      await updateAnalysisProgress(analysisId, progressOffset + progress.completedFiles, progressTotal);
+    },
+    1,
+    shouldCancel,
+    "risk"
+  );
+  const sorted = allResults.slice().sort((a, b) => b.aggregate - a.aggregate);
+  const sortMap = new Map(sorted.map((r, idx) => [r.filePath, idx]));
+  const { getDb: getDb2 } = await Promise.resolve().then(() => (init_connection(), connection_exports));
+  const db2 = await getDb2();
+  for (const [filePath, sortOrder] of sortMap) {
+    await db2.query(
+      "UPDATE ai_file_scores SET sort_order = $1 WHERE analysis_id = $2 AND file_path = $3",
+      [sortOrder, analysisId, filePath]
+    );
   }
-  for (const [path, diff] of newDiffsByPath) {
-    if (!existingByPath.has(path)) {
-      await addReviewFile(reviewId, path, JSON.stringify(diff));
-      added++;
+}
+async function runBatchedNarrativeAnalysis(analysisId, batches, allFiles, config, repoRoot, fileIdMap, progressTotal, progressOffset, shouldCancel, guidedReview) {
+  const allResults = await runBatches(
+    batches,
+    allFiles.length,
+    async (batch) => isAIServiceTest() ? mockNarrativeAnalysisBatch(batch.files) : runNarrativeAnalysisBatch(batch.files, config, repoRoot, guidedReview),
+    async (_batchIndex, results) => {
+      const scores = results.map((r) => ({
+        reviewFileId: fileIdMap.get(r.filePath) ?? "",
+        filePath: r.filePath,
+        sortOrder: r.position,
+        // Batch-local position — will be re-sorted after merge
+        aggregateScore: null,
+        rationale: r.rationale,
+        dimensionScores: null,
+        notes: r.notes ?? null
+      }));
+      await appendFileScores(analysisId, scores);
+    },
+    async (progress) => {
+      await updateAnalysisProgress(analysisId, progressOffset + progress.completedFiles, progressTotal);
+    },
+    1,
+    shouldCancel,
+    "narrative"
+  );
+  if (allResults.length > 0) {
+    const mergedPositions = mergeNarrativeOrders(allResults, batches.length);
+    const { getDb: getDb2 } = await Promise.resolve().then(() => (init_connection(), connection_exports));
+    const db2 = await getDb2();
+    for (const [filePath, position] of mergedPositions) {
+      await db2.query(
+        "UPDATE ai_file_scores SET sort_order = $1 WHERE analysis_id = $2 AND file_path = $3",
+        [position, analysisId, filePath]
+      );
     }
   }
-  await updateReviewHead(reviewId, headCommit);
-  return { updated, added, stale };
 }
-
-// src/server.ts
-import { serve } from "@hono/node-server";
-import { exec } from "child_process";
-import { existsSync as existsSync2, readFileSync as readFileSync3 } from "fs";
-import { Hono as Hono3 } from "hono";
-import { dirname, join as join3 } from "path";
-import { fileURLToPath } from "url";
+async function runBatchedGuidedAnalysis(analysisId, batches, allFiles, config, repoRoot, fileIdMap, progressTotal, progressOffset, shouldCancel, guidedReview) {
+  await runBatches(
+    batches,
+    allFiles.length,
+    async (batch) => {
+      if (isAIServiceTest()) return mockGuidedAnalysisBatch(batch.files);
+      if (guidedReview === void 0) throw new Error("Guided review config required");
+      return runGuidedAnalysisBatch(batch.files, config, repoRoot, guidedReview);
+    },
+    async (_batchIndex, results) => {
+      const scores = results.map((r, idx) => ({
+        reviewFileId: fileIdMap.get(r.filePath) ?? "",
+        filePath: r.filePath,
+        sortOrder: idx,
+        aggregateScore: null,
+        rationale: null,
+        dimensionScores: null,
+        notes: r.notes
+      }));
+      await appendFileScores(analysisId, scores);
+    },
+    async (progress) => {
+      await updateAnalysisProgress(analysisId, progressOffset + progress.completedFiles, progressTotal);
+    },
+    1,
+    shouldCancel,
+    "guided"
+  );
+}
+aiApiRoutes.get("/analysis/:type", async (c) => {
+  const reviewId = c.req.query("reviewId") ?? "";
+  const analysisType = c.req.param("type");
+  const analysis = await getLatestAnalysis(reviewId, analysisType);
+  if (analysis === void 0) {
+    debugLog(`GET /analysis/${analysisType}: no analysis found`);
+    return c.json({ status: "none", scores: [] });
+  }
+  debugLog(`GET /analysis/${analysisType}: id=${analysis.id}, status=${analysis.status}, error=${analysis.error_message ?? "none"}`);
+  if (analysis.status === "failed") {
+    return c.json({
+      status: analysis.status,
+      error: analysis.error_message,
+      scores: []
+    });
+  }
+  const scores = await getFileScoresForReview(reviewId, analysisType);
+  return c.json({
+    status: analysis.status,
+    progressCompleted: analysis.progress_completed,
+    progressTotal: analysis.progress_total,
+    scores: scores.map((s) => ({
+      reviewFileId: s.review_file_id,
+      filePath: s.file_path,
+      sortOrder: s.sort_order,
+      aggregateScore: s.aggregate_score,
+      rationale: s.rationale,
+      dimensionScores: s.dimension_scores !== null ? JSON.parse(s.dimension_scores) : null,
+      notes: s.notes !== null ? JSON.parse(s.notes) : null
+    }))
+  });
+});
+aiApiRoutes.get("/analysis/:type/status", async (c) => {
+  const reviewId = c.req.query("reviewId") ?? "";
+  const analysisType = c.req.param("type");
+  const analysis = await getLatestAnalysis(reviewId, analysisType);
+  if (analysis === void 0) {
+    debugLog(`GET /analysis/${analysisType}/status: no analysis found`);
+    return c.json({ status: "none" });
+  }
+  debugLog(`GET /analysis/${analysisType}/status: id=${analysis.id}, status=${analysis.status}, progress=${String(analysis.progress_completed)}/${String(analysis.progress_total)}, updated=${analysis.updated_at}`);
+  if (analysis.status === "running") {
+    const ageMs = Date.now() - (/* @__PURE__ */ new Date(analysis.updated_at + "Z")).getTime();
+    if (ageMs > 15 * 60 * 1e3) {
+      debugLog(`GET /analysis/${analysisType}/status: timing out stale analysis (age=${String(Math.round(ageMs / 1e3))}s)`);
+      await updateAnalysisStatus(analysis.id, "failed", "Analysis timed out");
+      return c.json({ status: "failed", error: "Analysis timed out" });
+    }
+  }
+  return c.json({
+    status: analysis.status,
+    error: analysis.error_message,
+    progressCompleted: analysis.progress_completed,
+    progressTotal: analysis.progress_total
+  });
+});
+aiApiRoutes.get("/debug-status", (c) => {
+  return c.json({ enabled: isDebug() });
+});
+aiApiRoutes.post("/debug-log", async (c) => {
+  if (!isDebug()) return c.json({ ok: true });
+  const body = await c.req.json();
+  debugLog(`[client] ${body.message}`);
+  return c.json({ ok: true });
+});
+aiApiRoutes.get("/preferences", async (c) => {
+  const prefs = await getUserPreferences();
+  return c.json(prefs);
+});
+aiApiRoutes.post("/preferences", async (c) => {
+  const body = await c.req.json();
+  await saveUserPreferences(body);
+  return c.json({ ok: true });
+});
 
 // src/routes/api.ts
-import { Hono } from "hono";
+init_queries();
+import { Hono as Hono2 } from "hono";
 
 // src/export/generate.ts
-import { execSync as execSync2 } from "child_process";
-import { appendFileSync, existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, unlinkSync, writeFileSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
-var DISMISS_FILE = join2(homedir2(), ".glassbox", "gitignore-dismissed.json");
+init_queries();
+import { execSync as execSync3 } from "child_process";
+import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync3, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
+var DISMISS_FILE = join3(homedir3(), ".glassbox", "gitignore-dismissed.json");
 var DISMISS_DAYS = 30;
 function loadDismissals() {
   try {
-    return JSON.parse(readFileSync2(DISMISS_FILE, "utf-8"));
+    return JSON.parse(readFileSync3(DISMISS_FILE, "utf-8"));
   } catch {
     return {};
   }
 }
 function saveDismissals(data) {
-  const dir = join2(homedir2(), ".glassbox");
-  mkdirSync2(dir, { recursive: true });
-  writeFileSync(DISMISS_FILE, JSON.stringify(data), "utf-8");
+  const dir = join3(homedir3(), ".glassbox");
+  mkdirSync3(dir, { recursive: true });
+  writeFileSync2(DISMISS_FILE, JSON.stringify(data), "utf-8");
 }
 function isGlassboxGitignored(repoRoot) {
   try {
-    execSync2("git check-ignore -q .glassbox", { cwd: repoRoot, stdio: "pipe" });
+    execSync3("git check-ignore -q .glassbox", { cwd: repoRoot, stdio: "pipe" });
     return true;
   } catch {
     return false;
@@ -657,16 +2878,16 @@ function shouldPromptGitignore(repoRoot) {
   return true;
 }
 function addGlassboxToGitignore(repoRoot) {
-  const gitignorePath = join2(repoRoot, ".gitignore");
-  if (existsSync(gitignorePath)) {
-    const content = readFileSync2(gitignorePath, "utf-8");
+  const gitignorePath = join3(repoRoot, ".gitignore");
+  if (existsSync2(gitignorePath)) {
+    const content = readFileSync3(gitignorePath, "utf-8");
     if (!content.endsWith("\n")) {
       appendFileSync(gitignorePath, "\n.glassbox/\n", "utf-8");
     } else {
       appendFileSync(gitignorePath, ".glassbox/\n", "utf-8");
     }
   } else {
-    writeFileSync(gitignorePath, ".glassbox/\n", "utf-8");
+    writeFileSync2(gitignorePath, ".glassbox/\n", "utf-8");
   }
 }
 function dismissGitignorePrompt(repoRoot) {
@@ -675,17 +2896,17 @@ function dismissGitignorePrompt(repoRoot) {
   saveDismissals(dismissals);
 }
 function deleteReviewExport(reviewId, repoRoot) {
-  const exportDir = join2(repoRoot, ".glassbox");
-  const archivePath = join2(exportDir, `review-${reviewId}.md`);
-  if (existsSync(archivePath)) unlinkSync(archivePath);
+  const exportDir = join3(repoRoot, ".glassbox");
+  const archivePath = join3(exportDir, `review-${reviewId}.md`);
+  if (existsSync2(archivePath)) unlinkSync(archivePath);
 }
 async function generateReviewExport(reviewId, repoRoot, isCurrent) {
   const review = await getReview(reviewId);
   if (!review) throw new Error("Review not found");
   const files = await getReviewFiles(reviewId);
   const annotations = await getAnnotationsForReview(reviewId);
-  const exportDir = join2(repoRoot, ".glassbox");
-  mkdirSync2(exportDir, { recursive: true });
+  const exportDir = join3(repoRoot, ".glassbox");
+  mkdirSync3(exportDir, { recursive: true });
   const byFile = {};
   for (const a of annotations) {
     if (!(a.file_path in byFile)) byFile[a.file_path] = [];
@@ -750,11 +2971,11 @@ async function generateReviewExport(reviewId, repoRoot, isCurrent) {
   lines.push("6. **note** annotations are informational context. Consider them but they may not require code changes.");
   lines.push("");
   const content = lines.join("\n");
-  const archivePath = join2(exportDir, `review-${review.id}.md`);
-  writeFileSync(archivePath, content, "utf-8");
+  const archivePath = join3(exportDir, `review-${review.id}.md`);
+  writeFileSync2(archivePath, content, "utf-8");
   if (isCurrent) {
-    const latestPath = join2(exportDir, "latest-review.md");
-    writeFileSync(latestPath, content, "utf-8");
+    const latestPath = join3(exportDir, "latest-review.md");
+    writeFileSync2(latestPath, content, "utf-8");
     return latestPath;
   }
   return archivePath;
@@ -1079,7 +3300,7 @@ function pushIndentSymbol(root, stack, sym, indent, lines, lineIdx) {
 }
 
 // src/routes/api.ts
-var apiRoutes = new Hono();
+var apiRoutes = new Hono2();
 function resolveReviewId(c) {
   return c.req.query("reviewId") ?? c.get("reviewId");
 }
@@ -1254,7 +3475,7 @@ apiRoutes.get("/context/:fileId", async (c) => {
 });
 
 // src/routes/pages.tsx
-import { Hono as Hono2 } from "hono";
+import { Hono as Hono3 } from "hono";
 
 // src/utils/escapeHtml.ts
 function escapeHtml(str) {
@@ -1342,67 +3563,73 @@ function DiffView({ file, diff, annotations, mode }) {
   ] });
 }
 function SplitDiff({ hunks, annotationsByLine }) {
-  return /* @__PURE__ */ jsx("div", { className: "diff-table-split", children: hunks.map((hunk, hunkIdx) => {
-    const pairs = pairLines(hunk.lines);
-    return /* @__PURE__ */ jsx("div", { className: "hunk-block", children: [
-      /* @__PURE__ */ jsx(
-        "div",
-        {
-          className: "hunk-separator",
-          "data-hunk-idx": hunkIdx,
-          "data-old-start": hunk.oldStart,
-          "data-old-count": hunk.oldCount,
-          "data-new-start": hunk.newStart,
-          "data-new-count": hunk.newCount,
-          children: [
-            "@@ -",
-            hunk.oldStart,
-            ",",
-            hunk.oldCount,
-            " +",
-            hunk.newStart,
-            ",",
-            hunk.newCount,
-            " @@"
-          ]
-        }
-      ),
-      pairs.map((pair) => {
-        const leftAnns = pair.left ? annotationsByLine[`${pair.left.oldNum}:old`] ?? [] : [];
-        const rightAnns = pair.right ? annotationsByLine[`${pair.right.newNum}:new`] ?? [] : [];
-        const allAnns = [...leftAnns, ...rightAnns];
-        return /* @__PURE__ */ jsx("div", { children: [
-          /* @__PURE__ */ jsx("div", { className: "split-row", children: [
-            /* @__PURE__ */ jsx(
-              "div",
-              {
-                className: `diff-line split-left ${pair.left?.type || "empty"}`,
-                "data-line": pair.left?.oldNum ?? "",
-                "data-side": "old",
-                children: [
-                  /* @__PURE__ */ jsx("span", { className: "gutter", children: pair.left?.oldNum ?? "" }),
-                  /* @__PURE__ */ jsx("span", { className: "code", children: pair.left ? raw(escapeHtml(pair.left.content)) : "" })
-                ]
-              }
-            ),
-            /* @__PURE__ */ jsx(
-              "div",
-              {
-                className: `diff-line split-right ${pair.right?.type || "empty"}`,
-                "data-line": pair.right?.newNum ?? "",
-                "data-side": "new",
-                children: [
-                  /* @__PURE__ */ jsx("span", { className: "gutter", children: pair.right?.newNum ?? "" }),
-                  /* @__PURE__ */ jsx("span", { className: "code", children: pair.right ? raw(escapeHtml(pair.right.content)) : "" })
-                ]
-              }
-            )
-          ] }),
-          allAnns.length > 0 ? /* @__PURE__ */ jsx(AnnotationRows, { annotations: allAnns }) : null
-        ] });
-      })
-    ] });
-  }) });
+  const lastHunk = hunks[hunks.length - 1];
+  const tailStart = lastHunk ? lastHunk.newStart + lastHunk.newCount : 1;
+  return /* @__PURE__ */ jsx("div", { className: "diff-table-split", children: [
+    hunks.map((hunk, hunkIdx) => {
+      const pairs = pairLines(hunk.lines);
+      return /* @__PURE__ */ jsx("div", { className: "hunk-block", children: [
+        /* @__PURE__ */ jsx(
+          "div",
+          {
+            className: "hunk-separator",
+            "data-hunk-idx": hunkIdx,
+            "data-old-start": hunk.oldStart,
+            "data-old-count": hunk.oldCount,
+            "data-new-start": hunk.newStart,
+            "data-new-count": hunk.newCount,
+            children: [
+              "@@ -",
+              hunk.oldStart,
+              ",",
+              hunk.oldCount,
+              " +",
+              hunk.newStart,
+              ",",
+              hunk.newCount,
+              " @@"
+            ]
+          }
+        ),
+        pairs.map((pair) => {
+          const leftAnns = pair.left ? annotationsByLine[`${pair.left.oldNum}:old`] ?? [] : [];
+          const rightAnns = pair.right ? annotationsByLine[`${pair.right.newNum}:new`] ?? [] : [];
+          const allAnns = [...leftAnns, ...rightAnns];
+          return /* @__PURE__ */ jsx("div", { children: [
+            /* @__PURE__ */ jsx("div", { className: "split-row", children: [
+              /* @__PURE__ */ jsx(
+                "div",
+                {
+                  className: `diff-line split-left ${pair.left?.type || "empty"}`,
+                  "data-line": pair.left?.oldNum ?? "",
+                  "data-side": "old",
+                  "data-new-line": pair.left?.newNum ?? pair.right?.newNum ?? "",
+                  children: [
+                    /* @__PURE__ */ jsx("span", { className: "gutter", children: pair.left?.oldNum ?? "" }),
+                    /* @__PURE__ */ jsx("span", { className: "code", children: pair.left ? raw(escapeHtml(pair.left.content)) : "" })
+                  ]
+                }
+              ),
+              /* @__PURE__ */ jsx(
+                "div",
+                {
+                  className: `diff-line split-right ${pair.right?.type || "empty"}`,
+                  "data-line": pair.right?.newNum ?? "",
+                  "data-side": "new",
+                  children: [
+                    /* @__PURE__ */ jsx("span", { className: "gutter", children: pair.right?.newNum ?? "" }),
+                    /* @__PURE__ */ jsx("span", { className: "code", children: pair.right ? raw(escapeHtml(pair.right.content)) : "" })
+                  ]
+                }
+              )
+            ] }),
+            allAnns.length > 0 ? /* @__PURE__ */ jsx(AnnotationRows, { annotations: allAnns }) : null
+          ] });
+        })
+      ] });
+    }),
+    /* @__PURE__ */ jsx("div", { className: "hunk-separator hunk-expander-tail", "data-start": tailStart, children: "\u2195 Show remaining lines" })
+  ] });
 }
 function pairLines(lines) {
   const pairs = [];
@@ -1438,51 +3665,56 @@ function pairLines(lines) {
   return pairs;
 }
 function UnifiedDiff({ hunks, annotationsByLine }) {
-  return /* @__PURE__ */ jsx("div", { className: "diff-table-unified", children: hunks.map((hunk, hunkIdx) => /* @__PURE__ */ jsx("div", { className: "hunk-block", children: [
-    /* @__PURE__ */ jsx(
-      "div",
-      {
-        className: "hunk-separator",
-        "data-hunk-idx": hunkIdx,
-        "data-old-start": hunk.oldStart,
-        "data-old-count": hunk.oldCount,
-        "data-new-start": hunk.newStart,
-        "data-new-count": hunk.newCount,
-        children: [
-          "@@ -",
-          hunk.oldStart,
-          ",",
-          hunk.oldCount,
-          " +",
-          hunk.newStart,
-          ",",
-          hunk.newCount,
-          " @@"
-        ]
-      }
-    ),
-    hunk.lines.map((line) => {
-      const lineNum = line.type === "remove" ? line.oldNum : line.newNum;
-      const side = line.type === "remove" ? "old" : "new";
-      const anns = annotationsByLine[`${lineNum}:${side}`] ?? [];
-      return /* @__PURE__ */ jsx("div", { children: [
-        /* @__PURE__ */ jsx(
-          "div",
-          {
-            className: `diff-line ${line.type}${anns.length ? " has-annotation" : ""}`,
-            "data-line": lineNum,
-            "data-side": side,
-            children: [
-              /* @__PURE__ */ jsx("span", { className: "gutter-old", children: line.oldNum ?? "" }),
-              /* @__PURE__ */ jsx("span", { className: "gutter-new", children: line.newNum ?? "" }),
-              /* @__PURE__ */ jsx("span", { className: "code", children: raw(escapeHtml(line.content)) })
-            ]
-          }
-        ),
-        anns.length > 0 ? /* @__PURE__ */ jsx(AnnotationRows, { annotations: anns }) : null
-      ] });
-    })
-  ] })) });
+  const lastHunk = hunks[hunks.length - 1];
+  const tailStart = lastHunk ? lastHunk.newStart + lastHunk.newCount : 1;
+  return /* @__PURE__ */ jsx("div", { className: "diff-table-unified", children: [
+    hunks.map((hunk, hunkIdx) => /* @__PURE__ */ jsx("div", { className: "hunk-block", children: [
+      /* @__PURE__ */ jsx(
+        "div",
+        {
+          className: "hunk-separator",
+          "data-hunk-idx": hunkIdx,
+          "data-old-start": hunk.oldStart,
+          "data-old-count": hunk.oldCount,
+          "data-new-start": hunk.newStart,
+          "data-new-count": hunk.newCount,
+          children: [
+            "@@ -",
+            hunk.oldStart,
+            ",",
+            hunk.oldCount,
+            " +",
+            hunk.newStart,
+            ",",
+            hunk.newCount,
+            " @@"
+          ]
+        }
+      ),
+      hunk.lines.map((line) => {
+        const lineNum = line.type === "remove" ? line.oldNum : line.newNum;
+        const side = line.type === "remove" ? "old" : "new";
+        const anns = annotationsByLine[`${lineNum}:${side}`] ?? [];
+        return /* @__PURE__ */ jsx("div", { children: [
+          /* @__PURE__ */ jsx(
+            "div",
+            {
+              className: `diff-line ${line.type}${anns.length ? " has-annotation" : ""}`,
+              "data-line": lineNum,
+              "data-side": side,
+              children: [
+                /* @__PURE__ */ jsx("span", { className: "gutter-old", children: line.oldNum ?? "" }),
+                /* @__PURE__ */ jsx("span", { className: "gutter-new", children: line.newNum ?? "" }),
+                /* @__PURE__ */ jsx("span", { className: "code", children: raw(escapeHtml(line.content)) })
+              ]
+            }
+          ),
+          anns.length > 0 ? /* @__PURE__ */ jsx(AnnotationRows, { annotations: anns }) : null
+        ] });
+      })
+    ] })),
+    /* @__PURE__ */ jsx("div", { className: "hunk-separator hunk-expander-tail", "data-start": tailStart, children: "\u2195 Show remaining lines" })
+  ] });
 }
 function AnnotationRows({ annotations }) {
   return /* @__PURE__ */ jsx("div", { className: "annotation-row", children: annotations.map((a) => /* @__PURE__ */ jsx(
@@ -1748,7 +3980,8 @@ function getHistoryScript() {
 }
 
 // src/routes/pages.tsx
-var pageRoutes = new Hono2();
+init_queries();
+var pageRoutes = new Hono3();
 pageRoutes.get("/", async (c) => {
   const reviewId = c.get("reviewId");
   const review = await getReview(reviewId);
@@ -1875,9 +4108,9 @@ pageRoutes.get("/history", async (c) => {
 });
 
 // src/server.ts
-function tryServe(fetch, port) {
+function tryServe(fetch2, port) {
   return new Promise((resolve2, reject) => {
-    const server = serve({ fetch, port });
+    const server = serve({ fetch: fetch2, port });
     server.on("listening", () => {
       resolve2(port);
     });
@@ -1891,7 +4124,7 @@ function tryServe(fetch, port) {
   });
 }
 async function startServer(port, reviewId, repoRoot) {
-  const app = new Hono3();
+  const app = new Hono4();
   app.use("*", async (c, next) => {
     c.set("reviewId", reviewId);
     c.set("currentReviewId", reviewId);
@@ -1899,16 +4132,17 @@ async function startServer(port, reviewId, repoRoot) {
     await next();
   });
   const selfDir = dirname(fileURLToPath(import.meta.url));
-  const distDir = existsSync2(join3(selfDir, "client", "styles.css")) ? join3(selfDir, "client") : join3(selfDir, "..", "dist", "client");
+  const distDir = existsSync3(join4(selfDir, "client", "styles.css")) ? join4(selfDir, "client") : join4(selfDir, "..", "dist", "client");
   app.get("/static/styles.css", (c) => {
-    const css = readFileSync3(join3(distDir, "styles.css"), "utf-8");
+    const css = readFileSync4(join4(distDir, "styles.css"), "utf-8");
     return c.text(css, 200, { "Content-Type": "text/css", "Cache-Control": "no-cache" });
   });
   app.get("/static/app.js", (c) => {
-    const js = readFileSync3(join3(distDir, "app.global.js"), "utf-8");
+    const js = readFileSync4(join4(distDir, "app.global.js"), "utf-8");
     return c.text(js, 200, { "Content-Type": "application/javascript", "Cache-Control": "no-cache" });
   });
   app.route("/api", apiRoutes);
+  app.route("/api/ai", aiApiRoutes);
   app.route("/", pageRoutes);
   let actualPort = port;
   for (let attempt = 0; attempt < 20; attempt++) {
@@ -1934,18 +4168,18 @@ async function startServer(port, reviewId, repoRoot) {
 }
 
 // src/update-check.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
 import { get } from "https";
-import { homedir as homedir3 } from "os";
-import { dirname as dirname2, join as join4 } from "path";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname2, join as join5 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-var DATA_DIR = join4(homedir3(), ".glassbox");
-var CHECK_FILE = join4(DATA_DIR, "last-update-check");
+var DATA_DIR = join5(homedir4(), ".glassbox");
+var CHECK_FILE = join5(DATA_DIR, "last-update-check");
 var PACKAGE_NAME = "glassbox";
 function getCurrentVersion() {
   try {
     const dir = dirname2(fileURLToPath2(import.meta.url));
-    const pkg = JSON.parse(readFileSync4(join4(dir, "..", "package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync5(join5(dir, "..", "package.json"), "utf-8"));
     return pkg.version;
   } catch {
     return "0.0.0";
@@ -1953,16 +4187,16 @@ function getCurrentVersion() {
 }
 function getLastCheckDate() {
   try {
-    if (existsSync3(CHECK_FILE)) {
-      return readFileSync4(CHECK_FILE, "utf-8").trim();
+    if (existsSync4(CHECK_FILE)) {
+      return readFileSync5(CHECK_FILE, "utf-8").trim();
     }
   } catch {
   }
   return null;
 }
 function saveCheckDate() {
-  mkdirSync3(DATA_DIR, { recursive: true });
-  writeFileSync2(CHECK_FILE, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "utf-8");
+  mkdirSync4(DATA_DIR, { recursive: true });
+  writeFileSync3(CHECK_FILE, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "utf-8");
 }
 function isFirstUseToday() {
   const last = getLastCheckDate();
@@ -2066,6 +4300,7 @@ Options:
   --port <number>     Port to run on (default: 4173)
   --resume            Resume the latest in-progress review for this mode
   --check-for-updates Check for a newer version on npm
+  --ai-service-test   Use mock AI responses (no API calls, no tokens used)
   --help              Show this help message
 
 Examples:
@@ -2083,6 +4318,8 @@ function parseArgs(argv) {
   let resume = false;
   let forceUpdateCheck = false;
   let debug = false;
+  let aiServiceTest = false;
+  let demo = null;
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     switch (arg) {
@@ -2129,7 +4366,18 @@ function parseArgs(argv) {
       case "--debug":
         debug = true;
         break;
+      case "--ai-service-test":
+        aiServiceTest = true;
+        break;
       default:
+        if (arg.startsWith("--demo:")) {
+          demo = parseInt(arg.slice(7), 10);
+          if (isNaN(demo) || demo < 1) {
+            console.error(`Invalid demo scenario: ${arg}`);
+            process.exit(1);
+          }
+          break;
+        }
         console.error(`Unknown option: ${arg}`);
         printUsage();
         process.exit(1);
@@ -2138,7 +4386,7 @@ function parseArgs(argv) {
   if (!mode) {
     mode = { type: "uncommitted" };
   }
-  return { mode, port, resume, forceUpdateCheck, debug };
+  return { mode, port, resume, forceUpdateCheck, debug, aiServiceTest, demo };
 }
 async function main() {
   const parsed = parseArgs(process.argv);
@@ -2146,9 +4394,32 @@ async function main() {
     printUsage();
     process.exit(1);
   }
-  const { mode, port, resume, forceUpdateCheck, debug } = parsed;
+  const { mode, port, resume, forceUpdateCheck, debug, aiServiceTest, demo } = parsed;
+  setDebug(debug);
+  setAIServiceTest(aiServiceTest);
+  if (aiServiceTest) {
+    console.log("AI service test mode enabled \u2014 using mock AI responses");
+  }
   if (debug) {
-    console.log(`Build timestamp: ${"2026-03-06T05:23:12.429Z"}`);
+    console.log(`[debug] Build timestamp: ${"2026-03-10T06:39:37.519Z"}`);
+  }
+  if (demo !== null) {
+    const scenario = DEMO_SCENARIOS.find((s) => s.id === demo);
+    if (scenario === void 0) {
+      console.error(`Unknown demo scenario: ${String(demo)}`);
+      console.error("Available scenarios:");
+      for (const s of DEMO_SCENARIOS) {
+        console.error(`  --demo:${String(s.id)}  ${s.label}`);
+      }
+      process.exit(1);
+    }
+    setDemoMode(demo);
+    console.log(`
+  DEMO MODE: ${scenario.label}
+`);
+    const { reviewId } = await setupDemoReview(demo);
+    await startServer(port, reviewId, process.cwd());
+    return;
   }
   await checkForUpdates(forceUpdateCheck);
   const cwd = process.cwd();