grepmax 0.13.6 → 0.14.0

package/README.md

@@ -135,6 +135,9 @@ Plugins auto-update when you run `npm install -g grepmax@latest` — no need to
 | `impact_analysis` | Dependents + affected tests for a symbol or file. |
 | `find_similar` | Vector similarity search. |
 | `build_context` | Token-budgeted topic summary. |
+| `investigate` | Agentic codebase Q&A using local LLM + gmax tools. |
+| `review_commit` | Review a git commit for bugs, security issues, and breaking changes. |
+| `review_report` | Get accumulated code review findings for the current project. |
 
 ## Search Options
 
@@ -174,6 +177,61 @@ gmax status                   # See all projects + watcher status
 
 The daemon auto-starts when you run `gmax add`, `gmax index`, `gmax remove`, or `gmax summarize`. It shuts down after 30 minutes of inactivity.
 
+## Local LLM (optional)
+
+gmax can use a local LLM (via llama-server) for agentic codebase investigation. This is entirely opt-in and disabled by default — gmax works fine without it.
+
+```bash
+gmax llm on                   # Enable LLM features (persists to config)
+gmax llm start                # Start llama-server (auto-starts daemon too)
+gmax llm status               # Check server status
+gmax llm stop                 # Stop llama-server
+gmax llm off                  # Disable LLM + stop server
+```
+
+### Investigate
+
+Ask questions about your codebase — the LLM autonomously uses gmax tools (search, trace, peek, impact, related) to gather evidence and synthesize an answer.
+
+```bash
+gmax investigate "how does authentication work?"
+gmax investigate "what would break if I changed VectorDB?" -v
+gmax investigate "where are API routes defined?" --root ~/project
+```
+
+### Review
+
+Automatic code review on git commits. Extracts the diff, gathers codebase context (callers, dependents, related files), and prompts the LLM for structured findings.
+
+```bash
+gmax review                           # Review HEAD
+gmax review --commit abc1234          # Review specific commit
+gmax review --commit HEAD~3 -v        # Verbose — shows context gathering + LLM progress
+gmax review report                    # Show accumulated findings
+gmax review report --json             # Raw JSON output
+gmax review clear                     # Clear report
+```
+
+#### Post-commit hook
+
+Install a git hook that automatically reviews every commit in the background via the daemon:
+
+```bash
+gmax review install                   # Install in current repo
+gmax review install ~/other-repo      # Install in another repo
+```
+
+The hook sends an IPC message to the daemon and returns instantly — it never blocks `git commit`. Findings accumulate in the report.
+
+### LLM Configuration
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `GMAX_LLM_MODEL` | Path to GGUF model file | (none) |
+| `GMAX_LLM_BINARY` | llama-server binary | `llama-server` |
+| `GMAX_LLM_PORT` | Server port | `8079` |
+| `GMAX_LLM_IDLE_TIMEOUT` | Minutes before auto-stop | `30` |
+
 ## Architecture
 
 All data lives in `~/.gmax/`:

package/dist/commands/mcp.js

@@ -305,6 +305,28 @@ const TOOLS = [
             required: ["question"],
         },
     },
+    {
+        name: "review_commit",
+        description: "Review a git commit for bugs, breaking changes, and security issues using local LLM + codebase context. Returns structured findings. Requires LLM to be enabled (gmax llm on).",
+        inputSchema: {
+            type: "object",
+            properties: {
+                commit: { type: "string", description: "Git ref to review (default: HEAD)" },
+            },
+            required: [],
+        },
+    },
+    {
+        name: "review_report",
+        description: "Get the accumulated code review report for the current project. Returns findings from all reviewed commits.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                json: { type: "boolean", description: "Return raw JSON instead of text (default: false)" },
+            },
+            required: [],
+        },
+    },
 ];
 // ---------------------------------------------------------------------------
 // Helpers
@@ -1833,7 +1855,7 @@ exports.mcp = new commander_1.Command("mcp")
         return { tools: TOOLS };
     }));
     server.setRequestHandler(types_js_1.CallToolRequestSchema, (request) => __awaiter(void 0, void 0, void 0, function* () {
-        var _a, _b, _c, _d, _e, _f;
+        var _a, _b, _c, _d, _e, _f, _g;
         const { name, arguments: args } = request.params;
         const toolArgs = (args !== null && args !== void 0 ? args : {});
         const startMs = Date.now();
@@ -1919,26 +1941,77 @@ exports.mcp = new commander_1.Command("mcp")
                 }
                 break;
             }
+            case "review_commit": {
+                const commitRef = String(toolArgs.commit || "HEAD");
+                try {
+                    const { isDaemonRunning, sendDaemonCommand } = yield Promise.resolve().then(() => __importStar(require("../lib/utils/daemon-client")));
+                    if (yield isDaemonRunning()) {
+                        const llmResp = yield sendDaemonCommand({ cmd: "llm-start" }, { timeoutMs: 90000 });
+                        if (!llmResp.ok) {
+                            result = err(`LLM server not available: ${llmResp.error}. Run \`gmax llm on && gmax llm start\`.`);
+                            break;
+                        }
+                    }
+                    else {
+                        result = err("LLM server not available. Run `gmax llm on && gmax llm start`.");
+                        break;
+                    }
+                    const { reviewCommit } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/review")));
+                    const rev = yield reviewCommit({ commitRef, projectRoot });
+                    if (rev.clean) {
+                        result = ok(`Clean commit (${rev.commit}) — no issues found in ${rev.duration}s.`);
+                    }
+                    else {
+                        const { readReport } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/report")));
+                        const report = readReport(projectRoot);
+                        const entry = report === null || report === void 0 ? void 0 : report.reviews.find((r) => r.commit === rev.commit);
+                        result = ok(JSON.stringify({ commit: rev.commit, findings: (_a = entry === null || entry === void 0 ? void 0 : entry.findings) !== null && _a !== void 0 ? _a : [], duration: rev.duration }, null, 2));
+                    }
+                }
+                catch (e) {
+                    result = err(`Review failed: ${e instanceof Error ? e.message : String(e)}`);
+                }
+                break;
+            }
+            case "review_report": {
+                try {
+                    const { readReport, formatReportText } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/report")));
+                    const report = readReport(projectRoot);
+                    if (!report || report.reviews.length === 0) {
+                        result = ok("No review findings yet.");
+                    }
+                    else if (toolArgs.json) {
+                        result = ok(JSON.stringify(report, null, 2));
+                    }
+                    else {
+                        result = ok(formatReportText(report));
+                    }
+                }
+                catch (e) {
+                    result = err(`Report failed: ${e instanceof Error ? e.message : String(e)}`);
+                }
+                break;
+            }
             default:
                 return err(`Unknown tool: ${name}`);
         }
         // Best-effort query logging
         try {
             const { logQuery } = yield Promise.resolve().then(() => __importStar(require("../lib/utils/query-log")));
-            const text = (_c = (_b = (_a = result.content) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.text) !== null && _c !== void 0 ? _c : "";
+            const text = (_d = (_c = (_b = result.content) === null || _b === void 0 ? void 0 : _b[0]) === null || _c === void 0 ? void 0 : _c.text) !== null && _d !== void 0 ? _d : "";
             const resultLines = text.split("\n").filter((l) => l.trim()).length;
             logQuery({
                 ts: new Date().toISOString(),
                 source: "mcp",
                 tool: name,
-                query: String((_f = (_e = (_d = toolArgs.query) !== null && _d !== void 0 ? _d : toolArgs.symbol) !== null && _e !== void 0 ? _e : toolArgs.target) !== null && _f !== void 0 ? _f : ""),
+                query: String((_g = (_f = (_e = toolArgs.query) !== null && _e !== void 0 ? _e : toolArgs.symbol) !== null && _f !== void 0 ? _f : toolArgs.target) !== null && _g !== void 0 ? _g : ""),
                 project: projectRoot,
                 results: resultLines,
                 ms: Date.now() - startMs,
                 error: result.isError ? text.slice(0, 200) : undefined,
             });
         }
-        catch (_g) { }
+        catch (_h) { }
         return result;
     }));
     yield server.connect(transport);

package/dist/commands/review.js

@@ -0,0 +1,237 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.review = void 0;
+const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const commander_1 = require("commander");
+const exit_1 = require("../lib/utils/exit");
+const project_root_1 = require("../lib/utils/project-root");
+exports.review = new commander_1.Command("review")
+    .description("Review code changes using local LLM + codebase context")
+    .option("--commit <ref>", "Commit to review", "HEAD")
+    .option("--root <dir>", "Project root directory")
+    .option("--background", "Run review asynchronously via daemon", false)
+    .option("-v, --verbose", "Print progress to stderr", false)
+    .addHelpText("after", `
+Examples:
+  gmax review                           Review HEAD
+  gmax review --commit abc1234          Review specific commit
+  gmax review --background              Run async via daemon
+
+Subcommands:
+  gmax review report [--json]           Show accumulated findings
+  gmax review clear                     Clear report
+  gmax review install [DIR]             Install post-commit hook
+`)
+    .action((opts) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    try {
+        const root = opts.root ? path.resolve(opts.root) : process.cwd();
+        const projectRoot = (_a = (0, project_root_1.findProjectRoot)(root)) !== null && _a !== void 0 ? _a : root;
+        const commitRef = opts.commit;
+        if (opts.background) {
+            // Fire-and-forget via daemon
+            const { ensureDaemonRunning, sendDaemonCommand } = yield Promise.resolve().then(() => __importStar(require("../lib/utils/daemon-client")));
+            if (!(yield ensureDaemonRunning())) {
+                console.error("Failed to start daemon");
+                process.exitCode = 1;
+                return;
+            }
+            const resp = yield sendDaemonCommand({ cmd: "review", root: projectRoot, commitRef }, { timeoutMs: 5000 });
+            if (!resp.ok) {
+                console.error(`Review failed: ${resp.error}`);
+                process.exitCode = 1;
+                return;
+            }
+            console.log(`Review queued for ${commitRef}`);
+            return;
+        }
+        // Foreground: ensure LLM server is running
+        const { ensureDaemonRunning, sendDaemonCommand } = yield Promise.resolve().then(() => __importStar(require("../lib/utils/daemon-client")));
+        if (!(yield ensureDaemonRunning())) {
+            console.error("Failed to start daemon");
+            process.exitCode = 1;
+            return;
+        }
+        const llmResp = yield sendDaemonCommand({ cmd: "llm-start" }, { timeoutMs: 90000 });
+        if (!llmResp.ok) {
+            console.error(`LLM server error: ${llmResp.error}`);
+            console.error("Run `gmax llm on` to enable the LLM server.");
+            process.exitCode = 1;
+            return;
+        }
+        const { reviewCommit } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/review")));
+        const result = yield reviewCommit({
+            commitRef,
+            projectRoot,
+            verbose: opts.verbose,
+        });
+        if (result.clean) {
+            console.log(`${result.commit} — clean (${result.duration}s)`);
+        }
+        else {
+            console.log(`${result.commit} — ${result.findingCount} finding(s) (${result.duration}s)`);
+            console.log("Run `gmax review report` to see details.");
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Review failed: ${msg}`);
+        process.exitCode = 1;
+    }
+    finally {
+        yield (0, exit_1.gracefulExit)();
+    }
+}));
+// --- Subcommands ---
+exports.review
+    .command("report")
+    .description("Show accumulated review findings")
+    .option("--json", "Output raw JSON", false)
+    .option("--root <dir>", "Project root directory")
+    .action((opts) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    try {
+        const root = opts.root ? path.resolve(opts.root) : process.cwd();
+        const projectRoot = (_a = (0, project_root_1.findProjectRoot)(root)) !== null && _a !== void 0 ? _a : root;
+        const { readReport, formatReportText } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/report")));
+        const report = readReport(projectRoot);
+        if (!report || report.reviews.length === 0) {
+            console.log("No review findings yet.");
+            return;
+        }
+        if (opts.json) {
+            console.log(JSON.stringify(report, null, 2));
+        }
+        else {
+            console.log(formatReportText(report));
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Report failed: ${msg}`);
+        process.exitCode = 1;
+    }
+    finally {
+        yield (0, exit_1.gracefulExit)();
+    }
+}));
+exports.review
+    .command("clear")
+    .description("Clear the review report")
+    .option("--root <dir>", "Project root directory")
+    .action((opts) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    try {
+        const root = opts.root ? path.resolve(opts.root) : process.cwd();
+        const projectRoot = (_a = (0, project_root_1.findProjectRoot)(root)) !== null && _a !== void 0 ? _a : root;
+        const { clearReport } = yield Promise.resolve().then(() => __importStar(require("../lib/llm/report")));
+        clearReport(projectRoot);
+        console.log("Report cleared.");
+    }
+    finally {
+        yield (0, exit_1.gracefulExit)();
+    }
+}));
+exports.review
+    .command("install [dir]")
+    .description("Install post-commit hook for automatic review")
+    .action((dir) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        let targetDir;
+        if (dir) {
+            targetDir = path.resolve(dir);
+        }
+        else {
+            try {
+                targetDir = (0, node_child_process_1.execFileSync)("git", ["rev-parse", "--show-toplevel"], {
+                    encoding: "utf-8",
+                }).trim();
+            }
+            catch (_a) {
+                console.error("Not in a git repo and no directory specified.");
+                process.exitCode = 1;
+                return;
+            }
+        }
+        const hooksDir = path.join(targetDir, ".git", "hooks");
+        if (!fs.existsSync(hooksDir)) {
+            console.error(`Not a git repo: ${targetDir}`);
+            process.exitCode = 1;
+            return;
+        }
+        const hookFile = path.join(hooksDir, "post-commit");
+        // Backup existing hook if it doesn't mention gmax
+        if (fs.existsSync(hookFile)) {
+            const existing = fs.readFileSync(hookFile, "utf-8");
+            if (!existing.includes("gmax review")) {
+                fs.copyFileSync(hookFile, `${hookFile}.gmax-backup`);
+                console.log("Backed up existing post-commit hook.");
+            }
+        }
+        // Resolve gmax binary path
+        let gmaxBin = "gmax";
+        try {
+            gmaxBin = (0, node_child_process_1.execFileSync)("which", ["gmax"], { encoding: "utf-8" }).trim();
+        }
+        catch (_b) { }
+        const hookContent = `#!/usr/bin/env bash
+# gmax review — async code review on commit
+# Always exits 0 to never block git
+"${gmaxBin}" review --commit HEAD --background --root "${targetDir}" || true
+`;
+        fs.writeFileSync(hookFile, hookContent, { mode: 0o755 });
+        console.log(`Installed post-commit hook in ${targetDir}`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Install failed: ${msg}`);
+        process.exitCode = 1;
+    }
+    finally {
+        yield (0, exit_1.gracefulExit)();
+    }
+}));

package/dist/index.js

@@ -57,6 +57,7 @@ const peek_1 = require("./commands/peek");
 const project_1 = require("./commands/project");
 const recent_1 = require("./commands/recent");
 const related_1 = require("./commands/related");
+const review_1 = require("./commands/review");
 const opencode_1 = require("./commands/opencode");
 const plugin_1 = require("./commands/plugin");
 const remove_1 = require("./commands/remove");
@@ -114,6 +115,7 @@ commander_1.program.addCommand(mcp_1.mcp);
 commander_1.program.addCommand(summarize_1.summarize);
 commander_1.program.addCommand(llm_1.llm);
 commander_1.program.addCommand(investigate_1.investigateCmd);
+commander_1.program.addCommand(review_1.review);
 // Setup & diagnostics
 commander_1.program.addCommand(setup_1.setup);
 commander_1.program.addCommand(config_1.config);

package/dist/lib/daemon/daemon.js

@@ -41,6 +41,13 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __asyncValues = (this && this.__asyncValues) || function (o) {
+    if (!Symbol.asyncIterator) throw new TypeError("Symbol.asyncIterator is not defined.");
+    var m = o[Symbol.asyncIterator], i;
+    return m ? m.call(o) : (o = typeof __values === "function" ? __values(o) : o[Symbol.iterator](), i = {}, verb("next"), verb("throw"), verb("return"), i[Symbol.asyncIterator] = function () { return this; }, i);
+    function verb(n) { i[n] = o[n] && function (v) { return new Promise(function (resolve, reject) { v = o[n](v), settle(resolve, reject, v.done, v.value); }); }; }
+    function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -131,8 +138,9 @@ class Daemon {
             // 7. Register daemon (only after resources are open)
             (0, watcher_store_1.registerDaemon)(process.pid);
             // 7. Subscribe to all registered projects (skip missing directories)
-            const projects = (0, project_registry_1.listProjects)().filter((p) => p.status === "indexed");
-            for (const p of projects) {
+            const allProjects = (0, project_registry_1.listProjects)();
+            const indexed = allProjects.filter((p) => p.status === "indexed");
+            for (const p of indexed) {
                 if (!fs.existsSync(p.root)) {
                     console.log(`[daemon] Skipping ${path.basename(p.root)} — directory not found`);
                     continue;
@@ -144,6 +152,13 @@ class Daemon {
                     console.error(`[daemon] Failed to watch ${path.basename(p.root)}:`, err);
                 }
             }
+            // 7b. Index pending projects in the background
+            const pending = allProjects.filter((p) => p.status === "pending" && fs.existsSync(p.root));
+            for (const p of pending) {
+                this.indexPendingProject(p.root).catch((err) => {
+                    console.error(`[daemon] Failed to index pending ${path.basename(p.root)}:`, err);
+                });
+            }
             // 8. Heartbeat
             this.heartbeatInterval = setInterval(() => {
                 (0, watcher_store_1.heartbeat)(process.pid);
@@ -265,10 +280,88 @@ class Daemon {
                 status: "watching",
                 lastHeartbeat: Date.now(),
             });
+            // Catchup scan — find files changed while daemon was offline
+            this.catchupScan(root, processor).catch((err) => {
+                console.error(`[daemon:${path.basename(root)}] Catchup scan failed:`, err);
+            });
             this.pendingOps.delete(root);
             console.log(`[daemon] Watching ${root}`);
         });
     }
+    catchupScan(root, processor) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, e_1, _b, _c;
+            const { walk } = yield Promise.resolve().then(() => __importStar(require("../index/walker")));
+            const { INDEXABLE_EXTENSIONS } = yield Promise.resolve().then(() => __importStar(require("../../config")));
+            const { isFileCached } = yield Promise.resolve().then(() => __importStar(require("../utils/cache-check")));
+            let queued = 0;
+            try {
+                for (var _d = true, _e = __asyncValues(walk(root, {
+                    additionalPatterns: ["**/.git/**", "**/.gmax/**", "**/.osgrep/**"],
+                })), _f; _f = yield _e.next(), _a = _f.done, !_a; _d = true) {
+                    _c = _f.value;
+                    _d = false;
+                    const relPath = _c;
+                    const absPath = path.join(root, relPath);
+                    const ext = path.extname(absPath).toLowerCase();
+                    const bn = path.basename(absPath).toLowerCase();
+                    if (!INDEXABLE_EXTENSIONS.has(ext) && !INDEXABLE_EXTENSIONS.has(bn))
+                        continue;
+                    try {
+                        const stats = yield fs.promises.stat(absPath);
+                        const cached = this.metaCache.get(absPath);
+                        if (!isFileCached(cached, stats)) {
+                            processor.handleFileEvent("change", absPath);
+                            queued++;
+                        }
+                    }
+                    catch (_g) { }
+                }
+            }
+            catch (e_1_1) { e_1 = { error: e_1_1 }; }
+            finally {
+                try {
+                    if (!_d && !_a && (_b = _e.return)) yield _b.call(_e);
+                }
+                finally { if (e_1) throw e_1.error; }
+            }
+            if (queued > 0) {
+                console.log(`[daemon:${path.basename(root)}] Catchup: ${queued} file(s) changed while offline`);
+            }
+        });
+    }
+    indexPendingProject(root) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.withProjectLock(root, () => __awaiter(this, void 0, void 0, function* () {
+                var _a;
+                if (!this.vectorDb || !this.metaCache)
+                    return;
+                console.log(`[daemon] Indexing pending project: ${path.basename(root)}`);
+                this.vectorDb.pauseMaintenanceLoop();
+                try {
+                    const result = yield (0, syncer_1.initialSync)({
+                        projectRoot: root,
+                        vectorDb: this.vectorDb,
+                        metaCache: this.metaCache,
+                        onProgress: () => { this.resetActivity(); },
+                    });
+                    const proj = (0, project_registry_1.getProject)(root);
+                    if (proj) {
+                        (0, project_registry_1.registerProject)(Object.assign(Object.assign({}, proj), { lastIndexed: new Date().toISOString(), chunkCount: result.indexed, status: "indexed" }));
+                    }
+                    yield this.watchProject(root);
+                    console.log(`[daemon] Indexed ${path.basename(root)} (${result.total} files, ${result.indexed} chunks)`);
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    console.error(`[daemon] indexPendingProject failed for ${path.basename(root)}: ${msg}`);
+                }
+                finally {
+                    (_a = this.vectorDb) === null || _a === void 0 ? void 0 : _a.resumeMaintenanceLoop();
+                }
+            }));
+        });
+    }
     unwatchProject(root) {
         return __awaiter(this, void 0, void 0, function* () {
             const processor = this.processors.get(root);
@@ -539,6 +632,24 @@ class Daemon {
         var _a;
         (_a = this.llmServer) === null || _a === void 0 ? void 0 : _a.touchIdle();
     }
+    reviewCommit(root, commitRef) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.resetActivity();
+            try {
+                if (!this.llmServer) {
+                    console.log("[review] daemon not initialized, skipping");
+                    return;
+                }
+                yield this.llmServer.ensure();
+                const { reviewCommit } = yield Promise.resolve().then(() => __importStar(require("../llm/review")));
+                const result = yield reviewCommit({ commitRef, projectRoot: root });
+                console.log(`[review] ${result.commit} — ${result.findingCount} finding(s) in ${result.duration}s`);
+            }
+            catch (err) {
+                console.error(`[review] failed: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        });
+    }
     shutdown() {
         return __awaiter(this, void 0, void 0, function* () {
             var _a, _b, _c, _d;

package/dist/lib/daemon/ipc-handler.js

@@ -102,6 +102,14 @@ function handleCommand(daemon, cmd, conn) {
                     return null;
                 }
                 // --- LLM server management ---
+                case "review": {
+                    const root = String(cmd.root || "");
+                    const commitRef = String(cmd.commitRef || "HEAD");
+                    if (!root)
+                        return { ok: false, error: "missing root" };
+                    setImmediate(() => daemon.reviewCommit(root, commitRef));
+                    return { ok: true };
+                }
                 case "llm-start":
                     return yield daemon.llmStart();
                 case "llm-stop":

package/dist/lib/llm/diff.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SYMBOL_MAX = exports.DIFF_MAX_LINES = void 0;
+exports.extractDiff = extractDiff;
+exports.readCommitInfo = readCommitInfo;
+exports.extractChangedFiles = extractChangedFiles;
+exports.extractSymbols = extractSymbols;
+exports.detectLanguages = detectLanguages;
+const node_child_process_1 = require("node:child_process");
+exports.DIFF_MAX_LINES = 500;
+exports.SYMBOL_MAX = 10;
+const KEYWORD_SKIP = new Set([
+    "public", "private", "internal", "protected", "open", "final", "static",
+    "override", "class", "struct", "enum", "func", "function", "def", "const",
+    "let", "var", "export", "async", "await", "import", "return", "if", "else",
+    "for", "while", "switch", "case", "guard", "interface", "abstract", "sealed",
+    "data", "suspend", "inline", "typealias", "extension", "protocol", "throws",
+    "mutating", "nonmutating", "convenience", "required", "weak", "unowned",
+    "lazy", "dynamic", "optional", "objc", "nonisolated", "isolated",
+    "consuming", "borrowing",
+]);
+const DECL_RE = /(?:function|class|struct|enum|interface|func|def)\s+([a-zA-Z_][a-zA-Z0-9_]*)/g;
+const IDENT_RE = /[a-zA-Z_][a-zA-Z0-9_]*/g;
+const LANG_MAP = [
+    [/\.(ts|tsx|js|jsx)$/, "typescript"],
+    [/\.swift$/, "swift"],
+    [/\.(kt|kts)$/, "kotlin"],
+    [/\.py$/, "python"],
+    [/\.go$/, "go"],
+    [/\.rs$/, "rust"],
+];
+function git(args, root) {
+    return (0, node_child_process_1.execFileSync)("git", args, {
+        cwd: root,
+        encoding: "utf-8",
+        timeout: 10000,
+        stdio: ["pipe", "pipe", "pipe"],
+    });
+}
+/**
+ * Extract unified diff from a commit. Returns null for empty diffs (merges, amends).
+ * Truncates to DIFF_MAX_LINES if needed.
+ */
+function extractDiff(ref, root) {
+    let raw;
+    try {
+        raw = git(["diff-tree", "-p", "--no-commit-id", ref], root);
+    }
+    catch (_a) {
+        return null;
+    }
+    if (!raw.trim())
+        return null;
+    const lines = raw.split("\n");
+    if (lines.length <= exports.DIFF_MAX_LINES)
+        return raw;
+    const truncated = lines.slice(0, exports.DIFF_MAX_LINES);
+    truncated.push("", `... [truncated — ${lines.length} total lines, showing first ${exports.DIFF_MAX_LINES}]`);
+    return truncated.join("\n");
+}
+/**
+ * Read commit metadata. Throws if ref is invalid.
+ */
+function readCommitInfo(ref, root) {
+    const raw = git(["log", "-1", "--format=%H|%h|%s|%an|%ai", ref], root).trim();
+    const parts = raw.split("|");
+    return {
+        hash: parts[0],
+        short: parts[1],
+        message: parts.slice(2, -2).join("|"), // message may contain |
+        author: parts[parts.length - 2],
+        date: parts[parts.length - 1],
+    };
+}
+/**
+ * List files changed in a commit.
+ */
+function extractChangedFiles(ref, root) {
+    try {
+        const raw = git(["diff-tree", "--no-commit-id", "--name-only", "-r", ref], root);
+        return raw.trim().split("\n").filter(Boolean);
+    }
+    catch (_a) {
+        return [];
+    }
+}
+/**
+ * Extract symbol names from a unified diff.
+ * Pass 1: hunk headers (git auto-detects enclosing function/class).
+ * Pass 2: added-line declaration patterns.
+ */
+function extractSymbols(diff) {
+    const symbols = new Set();
+    for (const line of diff.split("\n")) {
+        // Pass 1: hunk headers
+        if (line.startsWith("@@")) {
+            const ctx = line.replace(/^@@[^@]*@@\s*/, "");
+            if (!ctx)
+                continue;
+            const idents = [];
+            let m;
+            IDENT_RE.lastIndex = 0;
+            while ((m = IDENT_RE.exec(ctx)) !== null) {
+                if (!KEYWORD_SKIP.has(m[0]))
+                    idents.push(m[0]);
+            }
+            if (idents.length > 0)
+                symbols.add(idents[idents.length - 1]);
+            continue;
+        }
+        // Pass 2: added lines with declarations
+        if (line.startsWith("+") && !line.startsWith("+++")) {
+            DECL_RE.lastIndex = 0;
+            let m;
+            while ((m = DECL_RE.exec(line)) !== null) {
+                symbols.add(m[1]);
+            }
+        }
+    }
+    // Filter short identifiers and cap
+    return [...symbols]
+        .filter((s) => s.length >= 2)
+        .slice(0, exports.SYMBOL_MAX);
+}
+/**
+ * Detect languages from file extensions.
+ */
+function detectLanguages(files) {
+    const langs = new Set();
+    for (const file of files) {
+        for (const [re, lang] of LANG_MAP) {
+            if (re.test(file)) {
+                langs.add(lang);
+                break;
+            }
+        }
+    }
+    return [...langs];
+}

package/dist/lib/llm/report.js

@@ -0,0 +1,141 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getReportPath = getReportPath;
+exports.readReport = readReport;
+exports.appendReview = appendReview;
+exports.clearReport = clearReport;
+exports.formatReportText = formatReportText;
+const node_crypto_1 = require("node:crypto");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const config_1 = require("../../config");
+function getReportPath(projectRoot) {
+    const hash = (0, node_crypto_1.createHash)("sha256")
+        .update(projectRoot)
+        .digest("hex")
+        .slice(0, 16);
+    return path.join(config_1.PATHS.cacheDir, `review-${hash}.json`);
+}
+function emptyReport() {
+    return {
+        session_start: new Date().toISOString(),
+        reviews: [],
+        summary: { commits_reviewed: 0, total_findings: 0, errors: 0, warnings: 0 },
+    };
+}
+function readReport(projectRoot) {
+    const p = getReportPath(projectRoot);
+    try {
+        const raw = fs.readFileSync(p, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch (_a) {
+        return null;
+    }
+}
+function appendReview(projectRoot, entry) {
+    var _a;
+    const p = getReportPath(projectRoot);
+    const tmp = `${p}.tmp`;
+    try {
+        fs.mkdirSync(path.dirname(p), { recursive: true });
+        const report = (_a = readReport(projectRoot)) !== null && _a !== void 0 ? _a : emptyReport();
+        report.reviews.push(entry);
+        // Recompute summary
+        let errors = 0;
+        let warnings = 0;
+        let total = 0;
+        for (const r of report.reviews) {
+            for (const f of r.findings) {
+                total++;
+                if (f.severity === "error")
+                    errors++;
+                else
+                    warnings++;
+            }
+        }
+        report.summary = {
+            commits_reviewed: report.reviews.length,
+            total_findings: total,
+            errors,
+            warnings,
+        };
+        fs.writeFileSync(tmp, JSON.stringify(report, null, 2));
+        fs.renameSync(tmp, p);
+    }
+    catch (err) {
+        // Clean up tmp on failure
+        try {
+            fs.unlinkSync(tmp);
+        }
+        catch (_b) { }
+        console.error(`[review] failed to write report: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+function clearReport(projectRoot) {
+    try {
+        fs.unlinkSync(getReportPath(projectRoot));
+    }
+    catch (_a) { }
+}
+function formatReportText(report) {
+    const { summary } = report;
+    const lines = [];
+    lines.push("=== Review Report ===");
+    lines.push(`${summary.commits_reviewed} commit(s) reviewed — ${summary.total_findings} finding(s) (${summary.errors} error, ${summary.warnings} warning)`);
+    lines.push("");
+    for (const rev of report.reviews) {
+        lines.push(`--- ${rev.commit} — ${rev.message} (${rev.duration_seconds}s) ---`);
+        if (rev.findings.length === 0) {
+            lines.push("  clean");
+        }
+        else {
+            for (const f of rev.findings) {
+                const tag = f.severity === "error" ? "ERROR" : "WARN ";
+                lines.push(`  ${tag}  ${f.file}:${f.line} [${f.category}]`);
+                lines.push(`         ${f.message}`);
+                for (const e of f.evidence) {
+                    lines.push(`         > ${e}`);
+                }
+                if (f.suggestion) {
+                    lines.push(`         fix: ${f.suggestion}`);
+                }
+            }
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}

package/dist/lib/llm/review.js

@@ -0,0 +1,403 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reviewCommit = reviewCommit;
+const path = __importStar(require("node:path"));
+const openai_1 = __importDefault(require("openai"));
+const graph_builder_1 = require("../graph/graph-builder");
+const searcher_1 = require("../search/searcher");
+const vector_db_1 = require("../store/vector-db");
+const project_root_1 = require("../utils/project-root");
+const config_1 = require("./config");
+const diff_1 = require("./diff");
+const report_1 = require("./report");
+const tools_1 = require("./tools");
+function reviewCommit(opts) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
+        const { commitRef, projectRoot, verbose = false } = opts;
+        const wallStart = Date.now();
+        // 1. Extract diff
+        const diff = (0, diff_1.extractDiff)(commitRef, projectRoot);
+        if (!diff) {
+            if (verbose)
+                process.stderr.write("[review] empty diff, skipping\n");
+            return { commit: commitRef, findingCount: 0, duration: 0, clean: true };
+        }
+        // 2. Commit metadata
+        const info = (0, diff_1.readCommitInfo)(commitRef, projectRoot);
+        if (verbose)
+            process.stderr.write(`[review] ${info.short} — ${info.message}\n`);
+        // 3. Changed files & symbols
+        const changedFiles = (0, diff_1.extractChangedFiles)(commitRef, projectRoot);
+        const symbols = (0, diff_1.extractSymbols)(diff);
+        const languages = (0, diff_1.detectLanguages)(changedFiles);
+        if (verbose) {
+            process.stderr.write(`[review] files: ${changedFiles.length}, symbols: ${symbols.length}, langs: ${languages.join(", ")}\n`);
+        }
+        // 4. Gather context via gmax internal APIs
+        let contextStr = "";
+        const paths = (0, project_root_1.ensureProjectPaths)(projectRoot);
+        const vectorDb = new vector_db_1.VectorDB(paths.lancedbDir);
+        try {
+            const searcher = new searcher_1.Searcher(vectorDb);
+            const graphBuilder = new graph_builder_1.GraphBuilder(vectorDb, projectRoot);
+            const ctx = { vectorDb, searcher, graphBuilder, projectRoot };
+            contextStr = yield gatherContext(symbols, changedFiles, ctx, verbose);
+        }
+        catch (err) {
+            if (verbose) {
+                process.stderr.write(`[review] context gathering failed: ${err instanceof Error ? err.message : String(err)}\n`);
+            }
+        }
+        finally {
+            yield vectorDb.close();
+        }
+        // 5. Build prompts
+        const systemPrompt = buildSystemPrompt(languages);
+        const userPrompt = buildUserPrompt(info, diff, symbols, contextStr);
+        // 6. Call LLM (single shot)
+        const config = (0, config_1.getLlmConfig)();
+        const modelName = path.basename(config.model, path.extname(config.model));
+        const client = new openai_1.default({
+            baseURL: `http://${config.host}:${config.port}/v1`,
+            apiKey: "local",
+        });
+        let content;
+        try {
+            if (verbose)
+                process.stderr.write("[review] calling LLM...\n");
+            const response = yield client.chat.completions.create({
+                model: modelName,
+                messages: [
+                    { role: "system", content: systemPrompt },
+                    { role: "user", content: userPrompt },
+                ],
+                max_tokens: config.maxTokens,
+                temperature: 0,
+            });
+            content = (_d = (_c = (_b = (_a = response.choices) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.message) === null || _c === void 0 ? void 0 : _c.content) !== null && _d !== void 0 ? _d : "";
+            if (!content) {
+                if (verbose)
+                    process.stderr.write("[review] empty LLM response\n");
+                content = "";
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (verbose)
+                process.stderr.write(`[review] LLM call failed: ${msg}\n`);
+            const duration = Math.round((Date.now() - wallStart) / 1000);
+            return { commit: info.short, findingCount: 0, duration, clean: true };
+        }
+        // 7. Parse response
+        const { findings, summary } = parseFindings(content);
+        const duration = Math.round((Date.now() - wallStart) / 1000);
+        if (verbose) {
+            process.stderr.write(`[review] ${findings.length} finding(s) in ${duration}s\n`);
+        }
+        // 8. Append to report
+        const entry = {
+            commit: info.short,
+            message: info.message,
+            timestamp: new Date().toISOString(),
+            duration_seconds: duration,
+            findings,
+            summary,
+            clean: findings.length === 0,
+        };
+        (0, report_1.appendReview)(projectRoot, entry);
+        return {
+            commit: info.short,
+            findingCount: findings.length,
+            duration,
+            clean: findings.length === 0,
+        };
+    });
+}
+// ---------------------------------------------------------------------------
+// Context gathering
+// ---------------------------------------------------------------------------
+const CONTEXT_CHAR_BUDGET = 12000;
+const CONTEXT_TIMEOUT_MS = 15000;
+function gatherContext(symbols, changedFiles, ctx, verbose) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // Launch all tool calls in parallel
+        const peekPromises = symbols.map((s) => (0, tools_1.executeTool)("peek", { symbol: s }, ctx));
+        const impactPromises = symbols.map((s) => (0, tools_1.executeTool)("impact", { target: s, depth: 2 }, ctx));
+        const relatedPromises = changedFiles.map((f) => (0, tools_1.executeTool)("related", { file: f }, ctx));
+        const allPromises = [
+            ...peekPromises.map((p) => p.then((r) => ({ type: "peek", result: r }))),
+            ...impactPromises.map((p) => p.then((r) => ({ type: "impact", result: r }))),
+            ...relatedPromises.map((p) => p.then((r) => ({ type: "related", result: r }))),
+        ];
+        // Race against timeout
+        const timeout = new Promise((resolve) => setTimeout(() => resolve("timeout"), CONTEXT_TIMEOUT_MS));
+        const settled = yield Promise.race([
+            Promise.allSettled(allPromises),
+            timeout.then(() => "timeout"),
+        ]);
+        const peekResults = [];
+        const impactResults = [];
+        const relatedResults = [];
+        if (settled !== "timeout") {
+            for (const s of settled) {
+                if (s.status !== "fulfilled")
+                    continue;
+                const { type, result } = s.value;
+                if (result.startsWith("(") && (result.includes("not found") || result.includes("error") || result.includes("not indexed") || result.includes("none")))
+                    continue;
+                if (type === "peek")
+                    peekResults.push(result);
+                else if (type === "impact")
+                    impactResults.push(result);
+                else
+                    relatedResults.push(result);
+            }
+        }
+        else if (verbose) {
+            process.stderr.write("[review] context gathering timed out\n");
+        }
+        // Assemble with char budget
+        let chars = 0;
+        const sections = [];
+        if (peekResults.length > 0) {
+            const section = `### Callers & Dependents\n${peekResults.join("\n")}\n`;
+            sections.push(section);
+            chars += section.length;
+        }
+        if (impactResults.length > 0 && chars < CONTEXT_CHAR_BUDGET) {
+            const section = `### Impact Analysis\n${impactResults.join("\n")}\n`;
+            sections.push(section);
+            chars += section.length;
+        }
+        if (relatedResults.length > 0 && chars < CONTEXT_CHAR_BUDGET) {
+            const section = `### Related Files\n${relatedResults.join("\n")}\n`;
+            sections.push(section);
+        }
+        if (verbose) {
+            process.stderr.write(`[review] context: ${peekResults.length} peek, ${impactResults.length} impact, ${relatedResults.length} related\n`);
+        }
+        return sections.join("\n");
+    });
+}
+// ---------------------------------------------------------------------------
+// Prompt construction (ported from sentinel/src/lib/prompt.sh)
+// ---------------------------------------------------------------------------
+function buildSystemPrompt(languages) {
+    let prompt = `You are Sentinel, a senior code reviewer analyzing git commits. You review diffs alongside codebase context (call graphs, dependents, related files) provided by a semantic search tool.
+
+Your job is to find issues that could cause bugs, crashes, security vulnerabilities, or breaking changes at runtime. You are not a linter — ignore style, formatting, naming conventions, and minor nitpicks.
+
+Focus on:
+- Changes that break callers or dependents (evidence provided)
+- Logic errors, off-by-one, incorrect conditions
+- Missing error handling that could crash at runtime
+- Security issues: injection, auth bypass, secrets, unsafe input
+- State mutations with unprotected concurrent access
+- Resource leaks: unclosed connections, missing cleanup
+- API contract violations: return type changes, removed fields, changed semantics
+
+Do not flag:
+- Style or formatting
+- Missing comments or documentation
+- Test coverage
+- Performance unless it's a clear regression (N+1, unbounded loop)
+- Things the compiler/type system already catches`;
+    if (languages.includes("typescript")) {
+        prompt += `
+
+## TypeScript Checks
+- Missing \`await\` on async calls
+- \`any\` type hiding real type errors
+- Non-exhaustive switch on discriminated unions
+- Promise fire-and-forget without error handling
+- Optional chaining masking bugs where value should never be null`;
+    }
+    if (languages.includes("swift")) {
+        prompt += `
+
+## Swift Checks
+- Force unwraps (\`!\`) outside test files
+- Missing \`[weak self]\` in escaping closures
+- Missing \`@MainActor\` on UI state mutations
+- \`try!\` or \`try?\` silently swallowing errors
+- Sendable violations in concurrent code`;
+    }
+    if (languages.includes("kotlin")) {
+        prompt += `
+
+## Kotlin Checks
+- Coroutine scope leaks (GlobalScope, unstructured)
+- Missing null checks on Java interop boundaries
+- Fragment lifecycle violations
+- Hardcoded strings that should be resources`;
+    }
+    prompt += `
+
+## Thinking
+
+Before issuing your verdict, reason through:
+1. What changed in this diff?
+2. What is the blast radius? (use the provided caller/dependent evidence)
+3. Could this break something at runtime that the compiler won't catch?
+4. Is there a security implication?
+
+## Output Format
+
+Respond with ONLY valid JSON. No markdown, no explanation outside the JSON.
+
+If no issues found:
+{"findings": [], "summary": "Clean commit — no runtime risks identified."}
+
+If issues found:
+{
+  "findings": [
+    {
+      "file": "path/to/file.ts",
+      "line": 42,
+      "severity": "error|warning",
+      "category": "breaking_change|logic_error|security|resource_leak|concurrency|missing_error_handling",
+      "symbol": "functionName",
+      "message": "Brief description of the issue",
+      "evidence": ["CallerA.swift:34 still expects Optional<User>"],
+      "suggestion": "One-line fix suggestion"
+    }
+  ],
+  "summary": "Brief summary of all findings."
+}
+
+Severity guide:
+- error: will break at runtime, security vulnerability, data loss
+- warning: could break under certain conditions, smells risky
+
+Be concise. One sentence per message. Evidence from the codebase context, not speculation.`;
+    return prompt;
+}
+function buildUserPrompt(info, diff, symbols, context) {
+    let prompt = `## Commit
+${info.short} — ${info.message}
+
+## Diff
+${diff}
+
+## Codebase Context
+`;
+    if (symbols.length > 0) {
+        prompt += `### Changed Symbols\n${symbols.join("\n")}\n\n`;
+    }
+    if (context) {
+        prompt += context;
+    }
+    prompt += `\nReview this commit. Think through the blast radius using the provided context, then output your findings as JSON.`;
+    return prompt;
+}
+// ---------------------------------------------------------------------------
+// Response parsing
+// ---------------------------------------------------------------------------
+function stripThinkTags(text) {
+    return text
+        .replace(/<think(?:ing)?>[\s\S]*?<\/think(?:ing)?>/g, "")
+        .trim();
+}
+function parseFindings(content) {
+    const empty = { findings: [], summary: "Parse error — could not extract findings from model output." };
+    if (!content)
+        return empty;
+    // Strip think tags and markdown fences
+    let cleaned = stripThinkTags(content);
+    cleaned = cleaned.replace(/^```json\s*\n?/, "").replace(/\n?```\s*$/, "");
+    // Try direct parse
+    try {
+        const parsed = JSON.parse(cleaned);
+        if (Array.isArray(parsed.findings)) {
+            return {
+                findings: validateFindings(parsed.findings),
+                summary: String(parsed.summary || "No summary."),
+            };
+        }
+    }
+    catch (_a) { }
+    // Fallback: extract JSON between first { and last }
+    const firstBrace = cleaned.indexOf("{");
+    const lastBrace = cleaned.lastIndexOf("}");
+    if (firstBrace >= 0 && lastBrace > firstBrace) {
+        try {
+            const extracted = cleaned.slice(firstBrace, lastBrace + 1);
+            const parsed = JSON.parse(extracted);
+            if (Array.isArray(parsed.findings)) {
+                return {
+                    findings: validateFindings(parsed.findings),
+                    summary: String(parsed.summary || "No summary."),
+                };
+            }
+        }
+        catch (_b) { }
+    }
+    return empty;
+}
+function validateFindings(raw) {
+    const findings = [];
+    for (const item of raw) {
+        if (!item || typeof item !== "object")
+            continue;
+        const f = item;
+        if (!f.file || !f.message)
+            continue;
+        findings.push({
+            file: String(f.file),
+            line: Number(f.line) || 0,
+            severity: f.severity === "error" ? "error" : "warning",
+            category: String(f.category || "logic_error"),
+            symbol: String(f.symbol || ""),
+            message: String(f.message),
+            evidence: Array.isArray(f.evidence) ? f.evidence.map(String) : [],
+            suggestion: String(f.suggestion || ""),
+        });
+    }
+    return findings;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "grepmax",
-  "version": "0.13.6",
+  "version": "0.14.0",
   "author": "Robert Owens <78518764+reowens@users.noreply.github.com>",
   "homepage": "https://github.com/reowens/grepmax",
   "bugs": {

package/plugins/grepmax/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "grepmax",
-  "version": "0.13.6",
+  "version": "0.14.0",
   "description": "Semantic code search for Claude Code. Automatically indexes your project and provides intelligent search capabilities.",
   "author": {
     "name": "Robert Owens",

package/plugins/grepmax/skills/grepmax/SKILL.md

@@ -175,6 +175,14 @@ gmax context "payment flow" --budget 8000
 gmax context src/lib/auth/ --budget 3000
 ```
 
+### Investigate — `gmax investigate "question"` (requires LLM)
+```
+gmax investigate "how does authentication work?"
+gmax investigate "what would break if I changed VectorDB?" -v
+gmax investigate "where are API routes defined?" --root ~/project --rounds 5
+```
+Agentic Q&A: a local LLM autonomously uses gmax tools (search, trace, peek, impact, related) to gather evidence and answer. Requires `gmax llm on && gmax llm start`. Use `-v` to see tool calls and reasoning.
+
 ### Other
 ```
 gmax status                                # show all indexed projects
@@ -185,6 +193,7 @@ gmax project --agent                       # compact: key\tvalue pairs
 gmax index                                 # reindex current directory
 gmax config                                # view/change settings
 gmax doctor                                # health check
+gmax llm on/off/start/stop/status          # manage local LLM server
 ```
 
 ## Workflow