iosm-cli 0.1.3 → 0.2.0

package/CHANGELOG.md

@@ -9,6 +9,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 _No unreleased changes._
 
+## [0.2.0] - 2026-03-11
+
+### Added
+
+- **Interactive engineering contract manager (`/contract`)** — field-by-field contract editing with immediate save-on-enter and automatic JSON generation for project scope
+- **Layered contract model** — explicit `project`, `session`, and `effective` contract layers with copy/delete flows and merged runtime enforcement
+- **Singular feasibility mode (`/singular`)** — command-first feasibility analysis that combines repository baseline scan with a standard agent pass and returns exactly three implementation options
+- **Option-driven execution handoff** — `/singular` now produces concrete file targets, step plans, trade-offs, and decision guidance before implementation starts
+- **Regression coverage for large paste UX** — multiline unbracketed paste now covered by dedicated tests to ensure one submission flow and compact marker rendering
+
+### Changed
+
+- **Feasibility workflow naming** — `/blast` replaced by `/singular` for feature feasibility decisions
+- **Profile cleanup** — `/shadow` workflow removed to avoid duplication with plan-oriented analysis
+- **Contract interaction model** — removed extra save step in field editor; entering value immediately persists to selected scope
+
+### Fixed
+
+- **TUI width safety** — startup resources block now truncates long lines to terminal width, preventing render crashes on narrow terminals
+- **Paste queue behavior** — large pasted multiline input is treated as a single paste event instead of fragmented queued submissions
+
+### Documentation
+
+- Expanded README with dedicated decision workflow section (`/contract` vs `/singular`), command migration notes, and clearer contract layer distinctions
+- Extended interactive mode docs with explicit `effective/session/project` explanations and migration guidance from removed commands
+- Updated CLI reference with interactive feasibility/contract command behavior and migration notes
+
 ## [0.1.3] - 2026-03-10
 
 ### Added

package/README.md

@@ -1,4 +1,4 @@
-<h1 align="center">IOSM CLI v0.1.3</h1>
+<h1 align="center">IOSM CLI v0.2.0</h1>
 
 <p align="center">
   <strong>AI Engineering Runtime for Professional Developers</strong>
@@ -141,7 +141,7 @@ Core commands to unlock full runtime value:
 
 ```console
 $ iosm
-IOSM CLI v0.1.3 [full]
+IOSM CLI v0.2.0 [full]
 
 you> Refactor authentication module with parallel agents, then finalize in IOSM mode
 iosm> /orchestrate --parallel --agents 4 \
@@ -260,11 +260,42 @@ Track and resume delegated execution with `/subagent-runs`, `/subagent-resume`,
 | Track delegated runs | `/subagent-runs`, `/subagent-resume`, `/team-runs`, `/team-status` | Monitor and resume orchestration pipelines |
 | Manage MCP servers | `/mcp` | Inspect/add/enable external tool servers interactively |
 | Manage semantic search | `/semantic` | Configure provider with auto model discovery (OpenRouter/Ollama), index codebase, query by intent/meaning |
+| Define engineering contract | `/contract` | Field-by-field interactive contract editor with auto-save and automatic JSON generation |
+| Analyze feasibility variants | `/singular <feature request>` | Runs baseline + standard agent pass, then returns 3 implementation options and recommendation |
 | Manage memory | `/memory` | Add/edit/remove persistent project facts and constraints |
 | Save/restore state | `/checkpoint` / `/rollback` | Safe experimentation with fast rollback |
 | Diagnose runtime | `/doctor` | Verify model/auth/MCP/resources when behavior is inconsistent |
 | Manage settings | `/settings` | Tune runtime defaults and operational preferences |
 
+## Decision Workflow: `/contract` + `/singular`
+
+### `/contract` (interactive contract manager)
+
+- No manual JSON editing in terminal.
+- You edit fields directly (`goal`, `scope_include`, `scope_exclude`, `constraints`, `quality_gates`, `definition_of_done`, `risks`, and additional planning fields).
+- Press `Enter` on a field value and it is saved immediately.
+- Contract JSON is built automatically.
+
+Key manager actions:
+- `Open effective contract` = read merged runtime contract (`project + session`).
+- `Edit session contract` = temporary overlay for current session only.
+- `Edit project contract` = persistent baseline in `.iosm/contract.json`.
+
+### `/singular <request>` (feature feasibility analyzer)
+
+- Command-first flow: write request, run analysis, receive decision options.
+- Uses standard agent-style repository run (not static form output), then merges with baseline repository scan.
+- Produces exactly 3 options:
+  - `Option 1`: practical implementation path (usually recommended).
+  - `Option 2`: alternative strategy with different trade-offs.
+  - `Option 3`: defer/do-not-implement-now path.
+- Each option includes affected files, step-by-step plan, risks, and when-to-choose guidance.
+- User selects `1/2/3` (or exits) before coding starts.
+
+Legacy note:
+- `/blast` and `/shadow` are removed from active workflow.
+- Use `/singular` for feasibility decisions and `/contract` for engineering constraints.
+
 ## IOSM In One Line
 
 **IOSM** gives you a repeatable loop for improving codebases with explicit quality gates, metrics, and artifact history instead of one-off AI edits.

package/dist/core/blast.d.ts

@@ -0,0 +1,62 @@
+import type { EngineeringContract } from "./contract.js";
+export type BlastProfile = "quick" | "full";
+export type BlastSeverity = "low" | "medium" | "high";
+export interface BlastFinding {
+    id: string;
+    title: string;
+    severity: BlastSeverity;
+    category: string;
+    detail: string;
+    path?: string;
+    line?: number;
+    recommendation?: string;
+}
+export interface BlastRunOptions {
+    profile: BlastProfile;
+    autosave?: boolean;
+    contract?: EngineeringContract;
+}
+export interface BlastRunResult {
+    runId: string;
+    profile: BlastProfile;
+    startedAt: string;
+    completedAt: string;
+    durationMs: number;
+    scannedFiles: number;
+    scannedLines: number;
+    findings: BlastFinding[];
+    summary: string;
+    nextSteps: string[];
+    reportMarkdown: string;
+    contract: EngineeringContract;
+    autosaved: boolean;
+    reportPath?: string;
+    findingsPath?: string;
+}
+export interface BlastLastRun {
+    runId: string;
+    reportPath: string;
+    findingsPath: string;
+    metaPath?: string;
+    summary?: string;
+    profile?: BlastProfile;
+    completedAt?: string;
+    findings?: number;
+}
+export interface BlastServiceOptions {
+    cwd: string;
+}
+export declare class BlastService {
+    private readonly cwd;
+    constructor(options: BlastServiceOptions);
+    getAuditsRoot(): string;
+    getLastRun(): BlastLastRun | undefined;
+    run(options: BlastRunOptions): Promise<BlastRunResult>;
+    private saveRunArtifacts;
+    private scanRepository;
+    private walkFiles;
+    private buildSummary;
+    private buildNextSteps;
+    private buildReportMarkdown;
+}
+//# sourceMappingURL=blast.d.ts.map

package/dist/core/blast.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blast.d.ts","sourceRoot":"","sources":["../../src/core/blast.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEzD,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAC5C,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,YAAY;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,aAAa,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,mBAAmB,CAAC;CAC/B;AAED,MAAM,WAAW,cAAc;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB;AAkFD,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED,qBAAa,YAAY;IACxB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;gBAEjB,OAAO,EAAE,mBAAmB;IAIxC,aAAa,IAAI,MAAM;IAIvB,UAAU,IAAI,YAAY,GAAG,SAAS;IA+ChC,GAAG,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;IAqD5D,OAAO,CAAC,gBAAgB;IAiCxB,OAAO,CAAC,cAAc;IAgKtB,OAAO,CAAC,SAAS;IAiCjB,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,cAAc;IAoBtB,OAAO,CAAC,mBAAmB;CAoE3B"}

package/dist/core/blast.js

@@ -0,0 +1,448 @@
+import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
+import { join, relative, sep } from "node:path";
+const SCAN_TEXT_EXTENSIONS = new Set([
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".py",
+    ".go",
+    ".rs",
+    ".java",
+    ".json",
+    ".yaml",
+    ".yml",
+    ".toml",
+    ".md",
+    ".sh",
+    ".env",
+    ".sql",
+    ".html",
+    ".css",
+]);
+const EXCLUDED_DIR_NAMES = new Set([".git", "node_modules", "dist", "build", ".iosm", ".next", "coverage"]);
+function toPosixPath(value) {
+    return value.split(sep).join("/");
+}
+function getExtension(filePath) {
+    const normalized = filePath.toLowerCase();
+    const index = normalized.lastIndexOf(".");
+    return index >= 0 ? normalized.slice(index) : "";
+}
+function containsAny(text, terms) {
+    const normalized = text.toLowerCase();
+    return terms.some((term) => normalized.includes(term.toLowerCase()));
+}
+function countSeverity(findings, severity) {
+    return findings.filter((item) => item.severity === severity).length;
+}
+function clampFindings(findings, max) {
+    if (findings.length <= max)
+        return findings;
+    return findings.slice(0, max);
+}
+function serializeFinding(finding) {
+    const location = finding.path ? ` (${finding.path}${finding.line ? `:${finding.line}` : ""})` : "";
+    return `- [${finding.severity.toUpperCase()}] ${finding.title}${location}\n  ${finding.detail}${finding.recommendation ? `\n  fix: ${finding.recommendation}` : ""}`;
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+function buildRunId(date = new Date()) {
+    const year = date.getUTCFullYear();
+    const month = String(date.getUTCMonth() + 1).padStart(2, "0");
+    const day = String(date.getUTCDate()).padStart(2, "0");
+    const hours = String(date.getUTCHours()).padStart(2, "0");
+    const minutes = String(date.getUTCMinutes()).padStart(2, "0");
+    const seconds = String(date.getUTCSeconds()).padStart(2, "0");
+    return `${year}-${month}-${day}-${hours}${minutes}${seconds}`;
+}
+export class BlastService {
+    constructor(options) {
+        this.cwd = options.cwd;
+    }
+    getAuditsRoot() {
+        return join(this.cwd, ".iosm", "audits");
+    }
+    getLastRun() {
+        const root = this.getAuditsRoot();
+        if (!existsSync(root))
+            return undefined;
+        const candidates = readdirSync(root, { withFileTypes: true })
+            .filter((entry) => entry.isDirectory())
+            .map((entry) => entry.name)
+            .sort((a, b) => a.localeCompare(b));
+        const runId = candidates[candidates.length - 1];
+        if (!runId)
+            return undefined;
+        const runDir = join(root, runId);
+        const reportPath = join(runDir, "report.md");
+        const findingsPath = join(runDir, "findings.json");
+        if (!existsSync(reportPath) || !existsSync(findingsPath)) {
+            return undefined;
+        }
+        const metaPath = join(runDir, "meta.json");
+        let summary;
+        let profile;
+        let completedAt;
+        let findingsCount;
+        if (existsSync(metaPath)) {
+            try {
+                const parsed = JSON.parse(readFileSync(metaPath, "utf8"));
+                summary = typeof parsed.summary === "string" ? parsed.summary : undefined;
+                profile =
+                    parsed.profile === "quick" || parsed.profile === "full" ? parsed.profile : undefined;
+                completedAt = typeof parsed.completedAt === "string" ? parsed.completedAt : undefined;
+                findingsCount = typeof parsed.findings === "number" ? parsed.findings : undefined;
+            }
+            catch {
+                // Keep metadata optional.
+            }
+        }
+        return {
+            runId,
+            reportPath,
+            findingsPath,
+            metaPath: existsSync(metaPath) ? metaPath : undefined,
+            summary,
+            profile,
+            completedAt,
+            findings: findingsCount,
+        };
+    }
+    async run(options) {
+        const startedAt = nowIso();
+        const started = Date.now();
+        const profile = options.profile;
+        const runId = buildRunId(new Date());
+        const autosave = options.autosave !== false;
+        const contract = options.contract ? { ...options.contract } : {};
+        const { files, findings, counters } = this.scanRepository(profile, contract);
+        const findingsLimited = clampFindings(findings, profile === "full" ? 150 : 80);
+        const summary = this.buildSummary(counters, findingsLimited);
+        const nextSteps = this.buildNextSteps(findingsLimited, contract);
+        const completedAt = nowIso();
+        const durationMs = Date.now() - started;
+        const reportMarkdown = this.buildReportMarkdown({
+            runId,
+            profile,
+            startedAt,
+            completedAt,
+            durationMs,
+            counters,
+            findings: findingsLimited,
+            summary,
+            nextSteps,
+            contract,
+        });
+        const result = {
+            runId,
+            profile,
+            startedAt,
+            completedAt,
+            durationMs,
+            scannedFiles: counters.files,
+            scannedLines: counters.lines,
+            findings: findingsLimited,
+            summary,
+            nextSteps,
+            reportMarkdown,
+            contract,
+            autosaved: false,
+        };
+        if (autosave) {
+            const saved = this.saveRunArtifacts(result);
+            result.autosaved = true;
+            result.reportPath = saved.reportPath;
+            result.findingsPath = saved.findingsPath;
+        }
+        return result;
+    }
+    saveRunArtifacts(result) {
+        const runDir = join(this.getAuditsRoot(), result.runId);
+        mkdirSync(runDir, { recursive: true });
+        const reportPath = join(runDir, "report.md");
+        const findingsPath = join(runDir, "findings.json");
+        const metaPath = join(runDir, "meta.json");
+        writeFileSync(reportPath, `${result.reportMarkdown}\n`, "utf8");
+        writeFileSync(findingsPath, `${JSON.stringify(result.findings, null, 2)}\n`, "utf8");
+        writeFileSync(metaPath, `${JSON.stringify({
+            runId: result.runId,
+            profile: result.profile,
+            summary: result.summary,
+            startedAt: result.startedAt,
+            completedAt: result.completedAt,
+            durationMs: result.durationMs,
+            files: result.scannedFiles,
+            lines: result.scannedLines,
+            findings: result.findings.length,
+        }, null, 2)}\n`, "utf8");
+        return { reportPath, findingsPath };
+    }
+    scanRepository(profile, contract) {
+        const counters = {
+            files: 0,
+            lines: 0,
+            todoCount: 0,
+            debugCount: 0,
+            unsafeEvalCount: 0,
+            anyTypeCount: 0,
+            tsIgnoreCount: 0,
+            testFiles: 0,
+            largeFiles: 0,
+        };
+        const findings = [];
+        const files = this.walkFiles(profile);
+        const maxFileBytes = profile === "full" ? 512_000 : 256_000;
+        for (const absolutePath of files) {
+            const relativePath = toPosixPath(relative(this.cwd, absolutePath));
+            const stat = statSync(absolutePath);
+            if (stat.size > maxFileBytes) {
+                counters.largeFiles += 1;
+                findings.push({
+                    id: `large-file:${relativePath}`,
+                    title: "Large file in scan scope",
+                    severity: "medium",
+                    category: "maintainability",
+                    detail: `File size ${stat.size} bytes exceeds ${maxFileBytes} bytes threshold for ${profile} profile.`,
+                    path: relativePath,
+                    recommendation: "Split file into smaller modules or exclude it from scope if generated.",
+                });
+                continue;
+            }
+            let content;
+            try {
+                content = readFileSync(absolutePath, "utf8");
+            }
+            catch {
+                continue;
+            }
+            if (content.includes("\u0000"))
+                continue;
+            const lines = content.split(/\r?\n/);
+            counters.files += 1;
+            counters.lines += lines.length;
+            if (/(^|\/)(test|tests|__tests__)\//i.test(relativePath) || /\.test\./i.test(relativePath)) {
+                counters.testFiles += 1;
+            }
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i] ?? "";
+                const lineNumber = i + 1;
+                if (/(TODO|FIXME|HACK)\b/i.test(line)) {
+                    counters.todoCount += 1;
+                    if (findings.length < 220) {
+                        findings.push({
+                            id: `todo:${relativePath}:${lineNumber}`,
+                            title: "Outstanding TODO/FIXME marker",
+                            severity: "low",
+                            category: "maintainability",
+                            detail: line.trim(),
+                            path: relativePath,
+                            line: lineNumber,
+                            recommendation: "Convert to tracked issue or resolve before release.",
+                        });
+                    }
+                }
+                if (/\bconsole\.log\(|\bdebugger\b/.test(line)) {
+                    counters.debugCount += 1;
+                    if (findings.length < 220) {
+                        findings.push({
+                            id: `debug:${relativePath}:${lineNumber}`,
+                            title: "Debug artifact in code path",
+                            severity: "medium",
+                            category: "quality",
+                            detail: line.trim(),
+                            path: relativePath,
+                            line: lineNumber,
+                            recommendation: "Remove debug call or guard behind explicit debug flag.",
+                        });
+                    }
+                }
+                if (/\beval\s*\(|\bnew Function\s*\(|child_process\.(exec|execSync)\s*\(/.test(line)) {
+                    counters.unsafeEvalCount += 1;
+                    if (findings.length < 220) {
+                        findings.push({
+                            id: `unsafe:${relativePath}:${lineNumber}`,
+                            title: "Potentially unsafe dynamic execution",
+                            severity: "high",
+                            category: "security",
+                            detail: line.trim(),
+                            path: relativePath,
+                            line: lineNumber,
+                            recommendation: "Replace with safer static alternatives or strictly sanitize inputs.",
+                        });
+                    }
+                }
+                if (/:\s*any\b|<any>/.test(line)) {
+                    counters.anyTypeCount += 1;
+                }
+                if (/@ts-ignore\b/.test(line)) {
+                    counters.tsIgnoreCount += 1;
+                }
+            }
+        }
+        if (counters.anyTypeCount > 15) {
+            findings.push({
+                id: "types:any-overuse",
+                title: "High usage of `any` type",
+                severity: "medium",
+                category: "type-safety",
+                detail: `Detected ${counters.anyTypeCount} occurrences of explicit any type usage.`,
+                recommendation: "Replace broad any usage with domain types or unknown + narrowing.",
+            });
+        }
+        if (counters.tsIgnoreCount > 5) {
+            findings.push({
+                id: "types:ts-ignore-overuse",
+                title: "Excessive @ts-ignore usage",
+                severity: "medium",
+                category: "type-safety",
+                detail: `Detected ${counters.tsIgnoreCount} @ts-ignore directives.`,
+                recommendation: "Audit and remove ignored type errors; keep only documented exceptions.",
+            });
+        }
+        const gates = contract.quality_gates ?? [];
+        if (containsAny(gates.join(" "), ["test", "coverage"]) && counters.testFiles === 0) {
+            findings.push({
+                id: "contract:tests-missing",
+                title: "Contract gate mismatch: tests expected",
+                severity: "high",
+                category: "contract",
+                detail: "Quality gates mention tests/coverage but no test files were detected in scan scope.",
+                recommendation: "Add coverage-aligned tests or adjust contract gates before implementation.",
+            });
+        }
+        if (containsAny(gates.join(" "), ["no todo", "todo=0", "todo:0"]) && counters.todoCount > 0) {
+            findings.push({
+                id: "contract:todo-mismatch",
+                title: "Contract gate mismatch: TODO markers present",
+                severity: "medium",
+                category: "contract",
+                detail: `Contract requires TODO cleanup but ${counters.todoCount} markers were found.`,
+                recommendation: "Resolve TODO/FIXME markers or relax gate for current cycle.",
+            });
+        }
+        return { files, findings, counters };
+    }
+    walkFiles(profile) {
+        const maxFiles = profile === "full" ? 18_000 : 6_000;
+        const stack = [this.cwd];
+        const files = [];
+        while (stack.length > 0 && files.length < maxFiles) {
+            const dir = stack.pop();
+            if (!dir)
+                break;
+            let entries;
+            try {
+                entries = readdirSync(dir, { withFileTypes: true });
+            }
+            catch {
+                continue;
+            }
+            for (const entry of entries) {
+                const absolutePath = join(dir, entry.name);
+                if (entry.isDirectory()) {
+                    if (EXCLUDED_DIR_NAMES.has(entry.name))
+                        continue;
+                    stack.push(absolutePath);
+                    continue;
+                }
+                if (!entry.isFile())
+                    continue;
+                if (!SCAN_TEXT_EXTENSIONS.has(getExtension(entry.name)))
+                    continue;
+                files.push(absolutePath);
+                if (files.length >= maxFiles)
+                    break;
+            }
+        }
+        return files.sort((a, b) => a.localeCompare(b));
+    }
+    buildSummary(counters, findings) {
+        const high = countSeverity(findings, "high");
+        const medium = countSeverity(findings, "medium");
+        const low = countSeverity(findings, "low");
+        const highestRisk = findings.find((item) => item.severity === "high") ?? findings[0];
+        const highestLine = highestRisk
+            ? ` Highest risk: ${highestRisk.title}${highestRisk.path ? ` (${highestRisk.path})` : ""}.`
+            : "";
+        return `Scanned ${counters.files} files (${counters.lines} lines). Findings: ${high} high, ${medium} medium, ${low} low.${highestLine}`;
+    }
+    buildNextSteps(findings, contract) {
+        const steps = [];
+        const high = findings.filter((item) => item.severity === "high");
+        const medium = findings.filter((item) => item.severity === "medium");
+        if (high.length > 0) {
+            steps.push("Address all HIGH findings first and add regression checks before refactors.");
+        }
+        if (medium.length > 0) {
+            steps.push("Batch MEDIUM findings by module and apply low-blast-radius fixes incrementally.");
+        }
+        if ((contract.quality_gates ?? []).length > 0) {
+            steps.push("Re-run /blast after changes to verify contract quality gates.");
+        }
+        if (steps.length === 0) {
+            steps.push("No major risks detected; proceed with planned changes and keep /blast as pre-merge audit.");
+        }
+        return steps.slice(0, 3);
+    }
+    buildReportMarkdown(payload) {
+        const high = countSeverity(payload.findings, "high");
+        const medium = countSeverity(payload.findings, "medium");
+        const low = countSeverity(payload.findings, "low");
+        const topFindings = payload.findings
+            .sort((a, b) => {
+            const score = (severity) => (severity === "high" ? 3 : severity === "medium" ? 2 : 1);
+            return score(b.severity) - score(a.severity);
+        })
+            .slice(0, 20);
+        const contractLines = [];
+        if (payload.contract.goal)
+            contractLines.push(`- goal: ${payload.contract.goal}`);
+        if (payload.contract.quality_gates && payload.contract.quality_gates.length > 0) {
+            contractLines.push(`- quality_gates: ${payload.contract.quality_gates.join("; ")}`);
+        }
+        if (payload.contract.constraints && payload.contract.constraints.length > 0) {
+            contractLines.push(`- constraints: ${payload.contract.constraints.join("; ")}`);
+        }
+        const contractSection = contractLines.length > 0 ? contractLines.join("\n") : "- none";
+        return [
+            `# Blast Audit Report`,
+            ``,
+            `- run_id: ${payload.runId}`,
+            `- profile: ${payload.profile}`,
+            `- started_at: ${payload.startedAt}`,
+            `- completed_at: ${payload.completedAt}`,
+            `- duration_ms: ${payload.durationMs}`,
+            ``,
+            `## Executive Summary`,
+            `${payload.summary}`,
+            ``,
+            `## Scan Metrics`,
+            `- files_scanned: ${payload.counters.files}`,
+            `- lines_scanned: ${payload.counters.lines}`,
+            `- test_files: ${payload.counters.testFiles}`,
+            `- TODO/FIXME markers: ${payload.counters.todoCount}`,
+            `- debug artifacts: ${payload.counters.debugCount}`,
+            `- unsafe dynamic execution markers: ${payload.counters.unsafeEvalCount}`,
+            `- large files skipped: ${payload.counters.largeFiles}`,
+            ``,
+            `## Findings Overview`,
+            `- high: ${high}`,
+            `- medium: ${medium}`,
+            `- low: ${low}`,
+            ``,
+            `## Contract Context`,
+            `${contractSection}`,
+            ``,
+            `## Top Findings`,
+            topFindings.length > 0 ? topFindings.map(serializeFinding).join("\n") : "- none",
+            ``,
+            `## Recommended Next Steps`,
+            payload.nextSteps.map((step, index) => `${index + 1}. ${step}`).join("\n"),
+        ].join("\n");
+    }
+}
+//# sourceMappingURL=blast.js.map