mcp-coordinator 0.4.0 → 0.6.0

package/dist/src/git-cochange-builder.d.ts

@@ -0,0 +1,32 @@
+import { type Logger } from "./logger.js";
+import type { Metrics } from "./metrics.js";
+interface BuilderOpts {
+    repoRoot: string;
+    sinceDays?: number;
+    maxCount?: number;
+    timeoutMs?: number;
+    refreshMs?: number;
+    retryMs?: number;
+    logger?: Logger;
+    metrics?: Metrics;
+}
+export declare class GitCochangeBuilder {
+    private repoRoot;
+    private sinceDays;
+    private maxCount;
+    private timeoutMs;
+    private refreshMs;
+    private retryMs;
+    private log;
+    private metrics?;
+    private timer;
+    constructor(opts: BuilderOpts);
+    /** Build once. Resolves after persistence. */
+    build(): Promise<void>;
+    private runGitLog;
+    private parseLog;
+    /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
+    startScheduler(): void;
+    stopScheduler(): void;
+}
+export {};

package/dist/src/git-cochange-builder.js

@@ -0,0 +1,238 @@
+// src/git-cochange-builder.ts
+import { spawn } from "child_process";
+import { existsSync } from "fs";
+import path from "path";
+import { getDb } from "./database.js";
+import { silentLogger } from "./logger.js";
+const DEFAULT_DENYLIST = [
+    /package-lock\.json$/, /pnpm-lock\.yaml$/, /yarn\.lock$/, /\.lock$/,
+    /\/dist\//, /\/build\//, /\/\.next\//, /\/__snapshots__\//,
+    /\.min\.js$/, /\.map$/, /\/coverage\//, /\/node_modules\//, /\.snap$/,
+];
+export class GitCochangeBuilder {
+    repoRoot;
+    sinceDays;
+    maxCount;
+    timeoutMs;
+    refreshMs;
+    retryMs;
+    log;
+    metrics;
+    timer = null;
+    constructor(opts) {
+        this.repoRoot = opts.repoRoot;
+        this.sinceDays = opts.sinceDays ?? 7;
+        this.maxCount = opts.maxCount ?? 2000;
+        this.timeoutMs = opts.timeoutMs ?? 5000;
+        this.refreshMs = opts.refreshMs ?? 1800000;
+        this.retryMs = opts.retryMs ?? 300000;
+        this.log = opts.logger || silentLogger;
+        this.metrics = opts.metrics;
+    }
+    /** Build once. Resolves after persistence. */
+    async build() {
+        const db = getDb();
+        const setMeta = (k, v) => db.prepare("INSERT OR REPLACE INTO git_cochange_meta (k, v) VALUES (?, ?)").run(k, v);
+        if (!existsSync(path.join(this.repoRoot, ".git"))) {
+            this.log.info({}, "Layer 4 unavailable: no .git");
+            setMeta("available", "false");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "failed" });
+            return;
+        }
+        if (existsSync(path.join(this.repoRoot, ".git", "shallow"))) {
+            this.log.info({}, "Layer 4 unavailable: shallow clone");
+            setMeta("available", "false");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "shallow_skipped" });
+            return;
+        }
+        let stdout = null;
+        try {
+            stdout = await this.runGitLog();
+        }
+        catch (err) {
+            this.log.warn({ err }, "git log failed");
+            setMeta("available", "false");
+            setMeta("last_error", String(err.message));
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "failed" });
+            return;
+        }
+        if (stdout === "TIMEOUT") {
+            setMeta("available", "stale_partial");
+            this.log.warn({}, "git log timed out — Layer 4 stale_partial");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "timeout" });
+            return;
+        }
+        const { pairs, totalCommits } = this.parseLog(stdout);
+        // Dynamic predictor cap: any file appearing in > 40% of effective commits is
+        // excluded as a *predictor* (still allowed as a *target*). Prevents hotspot files
+        // like config or barrel index from saturating co-change with every other file.
+        const PREDICTOR_CAP_RATIO = 0.4;
+        const fileCommitCount = new Map();
+        for (const key of pairs.keys()) {
+            const [a, b] = key.split("|");
+            fileCommitCount.set(a, (fileCommitCount.get(a) ?? 0) + (pairs.get(key) ?? 0));
+            fileCommitCount.set(b, (fileCommitCount.get(b) ?? 0) + (pairs.get(key) ?? 0));
+        }
+        const promiscuous = new Set();
+        for (const [file, count] of fileCommitCount) {
+            // count is total times the file appeared in any pair; max possible is roughly
+            // (totalCommits) per file. Use raw count / totalCommits as an approximation
+            // of the file's commit frequency.
+            if (totalCommits > 0 && count / totalCommits > PREDICTOR_CAP_RATIO) {
+                promiscuous.add(file);
+            }
+        }
+        if (promiscuous.size > 0) {
+            this.log.info({ count: promiscuous.size, files: Array.from(promiscuous) }, "Layer 4 dynamic predictor cap excluded files");
+        }
+        db.exec("DELETE FROM git_cochange");
+        const stmt = db.prepare("INSERT INTO git_cochange (file_a, file_b, count, total_commits, computed_at) VALUES (?, ?, ?, ?, datetime('now'))");
+        const insertMany = db.transaction(() => {
+            for (const [key, count] of pairs.entries()) {
+                const [a, b] = key.split("|");
+                // Skip pairs where EITHER file is a promiscuous predictor (file is allowed
+                // as target only, but a pair where it's a predictor is dropped). For the
+                // index entry to be useful, both files must be non-promiscuous predictors.
+                if (promiscuous.has(a) || promiscuous.has(b))
+                    continue;
+                if (a < b)
+                    stmt.run(a, b, count, totalCommits);
+            }
+        });
+        insertMany();
+        setMeta("available", "true");
+        setMeta("last_built_at", new Date().toISOString());
+        this.metrics?.gitCochangeBuilds.inc({ outcome: "success" });
+        this.metrics?.gitCochangePairs.set(pairs.size);
+    }
+    runGitLog() {
+        return new Promise((resolve, reject) => {
+            const args = [
+                "log",
+                `--max-count=${this.maxCount}`,
+                "--diff-filter=AMRD",
+                `--since=${this.sinceDays} days ago`,
+                "--no-renames",
+                "--pretty=format:%H",
+                "--name-only",
+                "-z",
+            ];
+            const proc = spawn("git", args, { cwd: this.repoRoot });
+            let buf = "";
+            const timer = setTimeout(() => {
+                proc.kill();
+                resolve("TIMEOUT");
+            }, this.timeoutMs);
+            proc.stdout.on("data", (c) => (buf += c.toString("utf-8")));
+            proc.on("error", (err) => { clearTimeout(timer); reject(err); });
+            proc.on("close", (code) => {
+                clearTimeout(timer);
+                if (code === 0)
+                    resolve(buf);
+                else
+                    reject(new Error(`git log exit ${code}`));
+            });
+        });
+    }
+    parseLog(stdout) {
+        // git log -z --pretty=format:%H --name-only output format:
+        // Each commit entry: <SHA>\n<file1>\0<file2>\0...\0
+        // Between commits the NUL separator also acts as delimiter.
+        // We split on NUL first, then detect SHA boundaries within tokens.
+        const tokens = stdout.split("\0").filter(t => t.length > 0);
+        const pairs = new Map();
+        let totalCommits = 0;
+        let currentFiles = [];
+        const flush = () => {
+            if (currentFiles.length === 0)
+                return;
+            // Skip massive commits (likely sweeps)
+            if (currentFiles.length > 200) {
+                currentFiles = [];
+                return;
+            }
+            // Apply denylist
+            const eligible = currentFiles.filter(f => !DEFAULT_DENYLIST.some(re => re.test(f)));
+            for (let i = 0; i < eligible.length; i++) {
+                for (let j = i + 1; j < eligible.length; j++) {
+                    const [a, b] = eligible[i] < eligible[j] ? [eligible[i], eligible[j]] : [eligible[j], eligible[i]];
+                    const key = `${a}|${b}`;
+                    pairs.set(key, (pairs.get(key) ?? 0) + 1);
+                }
+            }
+            totalCommits++;
+            currentFiles = [];
+        };
+        // SHA pattern: 40 hex chars
+        const shaRe = /^([0-9a-f]{40})\n(.*)$/s;
+        for (const t of tokens) {
+            // Each token after splitting on \0 may look like:
+            // "\nSHA40\npath" (commit boundary with preceding newline)
+            // "SHA40\npath"  (commit boundary at start)
+            // "path"         (file path continuation)
+            // "\nSHA40"      (SHA only, no file on same token)
+            // Strip leading newlines to normalize
+            const stripped = t.replace(/^\n+/, "");
+            const shaMatch = stripped.match(shaRe);
+            if (shaMatch) {
+                // We found a SHA — flush the previous commit's files
+                flush();
+                const trailingPath = shaMatch[2].trim();
+                if (trailingPath)
+                    currentFiles.push(trailingPath);
+            }
+            else {
+                // Check if this token itself IS a SHA (no file attached, happens when
+                // --pretty=format:%H emits the SHA on its own NUL-terminated chunk)
+                const pureSha = stripped.match(/^[0-9a-f]{40}$/);
+                if (pureSha) {
+                    flush();
+                }
+                else {
+                    // It's a file path (or part of one); newlines indicate embedded commit
+                    // boundaries when a file is on the same NUL chunk as the next SHA.
+                    // Handle the case where "path\nSHA\npath" might appear.
+                    const parts = stripped.split("\n");
+                    for (let i = 0; i < parts.length; i++) {
+                        const part = parts[i].trim();
+                        if (!part)
+                            continue;
+                        if (/^[0-9a-f]{40}$/.test(part)) {
+                            flush();
+                        }
+                        else {
+                            currentFiles.push(part);
+                        }
+                    }
+                }
+            }
+        }
+        flush();
+        return { pairs, totalCommits };
+    }
+    /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
+    startScheduler() {
+        const tick = async () => {
+            try {
+                await this.build();
+                this.timer = setTimeout(tick, this.refreshMs);
+            }
+            catch (err) {
+                this.log.warn({ err }, "build failed, retrying");
+                this.timer = setTimeout(tick, this.retryMs);
+            }
+            if (this.timer && typeof this.timer.unref === "function")
+                this.timer.unref();
+        };
+        // First build after 5s grace
+        this.timer = setTimeout(tick, 5000);
+        if (this.timer && typeof this.timer.unref === "function")
+            this.timer.unref();
+    }
+    stopScheduler() {
+        if (this.timer) {
+            clearTimeout(this.timer);
+            this.timer = null;
+        }
+    }
+}

package/dist/src/http/handle-health.d.ts

@@ -13,7 +13,7 @@ export declare function handleLivez(_req: IncomingMessage, res: ServerResponse):
  * structured `{ok:false,error:"…"}` instead of a 500. The response shape is
  * identical between 200 and 503 so consumers can parse uniformly.
  */
-export declare function handleReadyz(_req: IncomingMessage, res: ServerResponse, services: Pick<CoordinatorServices, "mqttBridge">): void;
+export declare function handleReadyz(_req: IncomingMessage, res: ServerResponse, services: Pick<CoordinatorServices, "mqttBridge" | "treeSitter" | "gitCochange">): void;
 /**
  * Backwards-compatible alias. The original /health route returned a fixed
  * {status:"ok",version} payload with no dep checks; semantically that is a

package/dist/src/http/handle-health.js

@@ -47,6 +47,8 @@ export function handleReadyz(_req, res, services) {
     const checks = {
         db: { ok: false },
         mqtt: { ok: false },
+        tree_sitter: { ok: false, grammars_loaded: 0, total_grammars: 7, optional: true },
+        git_cochange: { available: false, status: "unavailable", optional: true },
     };
     try {
         // Cheapest possible round-trip that exercises the connection without
@@ -69,6 +71,30 @@ export function handleReadyz(_req, res, services) {
     catch (err) {
         checks.mqtt.error = err.message;
     }
+    // Optional: tree-sitter status (does NOT gate readiness — Layer 0.5 degrades gracefully)
+    try {
+        if (services.treeSitter) {
+            checks.tree_sitter = services.treeSitter.status();
+        }
+    }
+    catch {
+        // keep default { ok: false, grammars_loaded: 0, total_grammars: 7, optional: true }
+    }
+    // Optional: git_cochange availability (does NOT gate readiness — Layer 4 degrades gracefully)
+    try {
+        const row = getDb()
+            .prepare("SELECT v FROM git_cochange_meta WHERE k = ?")
+            .get("available");
+        checks.git_cochange = {
+            available: row?.v === "true",
+            status: row?.v ?? "unavailable",
+            optional: true,
+        };
+    }
+    catch {
+        // keep default { available: false, status: "unavailable", optional: true }
+    }
+    // Gating: only db + mqtt block readiness. tree_sitter and git_cochange are reported but optional.
     const allOk = checks.db.ok && checks.mqtt.ok;
     json(res, {
         status: allOk ? "ready" : "not_ready",

package/dist/src/http/handle-rest.js

@@ -1,3 +1,4 @@
+import { createHash } from "crypto";
 import { getDb } from "../database.js";
 import { runCommonAnnounceFlow } from "../announce-workflow.js";
 import { canResetDb } from "../reset-guard.js";
@@ -5,7 +6,15 @@ import { parseBody, json } from "./utils.js";
 export async function handleRest(req, res, ctx) {
     const { services, httpLog, authEnabled, getRunConfig, setRunConfig } = ctx;
     const url = req.url || "";
-    const body = await parseBody(req);
+    let body;
+    try {
+        body = await parseBody(req);
+    }
+    catch (err) {
+        const e = err;
+        json(res, { error: e.message || "Invalid request" }, e.statusCode || 400);
+        return;
+    }
     const agentId = body.agent_id;
     // Dashboard/work-stealing polls these endpoints every few seconds — demote to debug
     // to keep the info log focused on coordination events (announce, claim, resolve, etc).
@@ -61,7 +70,7 @@ export async function handleRest(req, res, ctx) {
         json(res, { ok: true });
     }
     else if (url === "/api/announce") {
-        const { agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to } = body;
+        const { agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to, target_symbols } = body;
         const thread = consultation.announceWork({ agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to });
         const agentInfo = registry.get(agent_id);
         // S2 fix: shared workflow (impact scoring, override respondents, auto-resolve,
@@ -69,6 +78,7 @@ export async function handleRest(req, res, ctx) {
         // function used by the MCP announce_work tool path.
         const { updated, categorized, respondents, planQuality } = runCommonAnnounceFlow(services, thread.id, {
             agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open,
+            target_symbols,
         });
         // REST-specific thread_opened SSE shape (different field set than MCP — kept
         // divergent because consumers may depend on this exact contract).
@@ -358,6 +368,92 @@ export async function handleRest(req, res, ctx) {
             json(res, { registered: true, status: agent.status, activity: activity.activity_status });
         }
     }
+    else if (url === "/api/file-activity" && req.method === "POST") {
+        if (typeof body.session_id !== "string" || typeof body.agent_id !== "string"
+            || typeof body.tool_name !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "missing required fields" }, 400);
+            return;
+        }
+        if (body.agent_name !== undefined && typeof body.agent_name !== "string") {
+            json(res, { error: "agent_name must be string when present" }, 400);
+            return;
+        }
+        const MAX_CONTENT = 262144;
+        let symbols = null;
+        let contentHash = null;
+        if (typeof body.content === "string") {
+            if (body.content.length > MAX_CONTENT) {
+                json(res, { error: "content exceeds 256 KB" }, 400);
+                return;
+            }
+            contentHash = createHash("sha256").update(body.content).digest("hex");
+            symbols = ctx.services.treeSitter.extract(body.file_path, body.content, null);
+        }
+        ctx.services.fileTracker.log({
+            session_id: body.session_id,
+            agent_id: body.agent_id,
+            agent_name: body.agent_name,
+            tool_name: body.tool_name,
+            file_path: body.file_path,
+            content_hash: contentHash,
+            symbols_touched: symbols,
+        });
+        json(res, { ok: true });
+    }
+    else if (url === "/api/working-files/start" && req.method === "POST") {
+        if (typeof body.agent_id !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "agent_id and file_path required" }, 400);
+            return;
+        }
+        const ttl = parseInt(process.env.COORDINATOR_WORKING_FILES_TTL_MIN || "30", 10);
+        services.workingFiles.start(body.agent_id, body.file_path, ttl);
+        json(res, { ok: true });
+    }
+    else if (url === "/api/working-files/stop" && req.method === "POST") {
+        if (typeof body.agent_id !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "agent_id and file_path required" }, 400);
+            return;
+        }
+        services.workingFiles.stop(body.agent_id, body.file_path);
+        json(res, { ok: true });
+    }
+    else if (url?.startsWith("/api/scoring-stats") && req.method === "GET") {
+        const u = new URL(url, "http://localhost");
+        const sinceParam = u.searchParams.get("since") || "24h";
+        const sinceMin = sinceParam.endsWith("h") ? parseInt(sinceParam) * 60
+            : sinceParam.endsWith("d") ? parseInt(sinceParam) * 60 * 24
+                : 60 * 24;
+        const db = getDb();
+        const rows = db.prepare(`SELECT
+         lf.layer,
+         COUNT(*) AS fire_count,
+         AVG(lf.score) AS avg_score,
+         SUM(CASE WHEN json_extract(e.payload, '$.resolution_type') = 'auto_resolved' THEN 1 ELSE 0 END) AS auto_resolved,
+         SUM(CASE WHEN json_extract(e.payload, '$.resolution_type') = 'consensus' THEN 1 ELSE 0 END) AS consensus,
+         SUM(CASE WHEN json_extract(e.payload, '$.resolution_type') = 'timeout' THEN 1 ELSE 0 END) AS timeout_count,
+         SUM(CASE WHEN json_extract(e.payload, '$.resolution_type') IN ('agent_departure','closed') THEN 1 ELSE 0 END) AS cancelled
+       FROM layer_firings lf
+       LEFT JOIN events e
+         ON e.type = 'thread_resolved'
+         AND json_extract(e.payload, '$.thread_id') = lf.thread_id
+       WHERE lf.fired_at > datetime('now', '-' || ? || ' minutes')
+       GROUP BY lf.layer
+       ORDER BY fire_count DESC`).all(sinceMin);
+        json(res, {
+            window: { since: sinceParam, now: new Date().toISOString() },
+            layers: rows.map(r => ({
+                layer: r.layer,
+                fire_count: r.fire_count,
+                avg_score: r.avg_score,
+                outcomes: {
+                    auto_resolved: r.auto_resolved,
+                    consensus: r.consensus,
+                    timeout: r.timeout_count,
+                    cancelled: r.cancelled,
+                },
+            })),
+        });
+    }
     else if (url === "/api/status") {
         const online = registry.listOnline();
         const openThreads = consultation.listThreads({ status: "open" });

package/dist/src/http/utils.d.ts

@@ -1,8 +1,4 @@
 import type { IncomingMessage, ServerResponse } from "http";
-/**
- * S1: shared HTTP helpers extracted from serve-http.ts.
- * parseBody, json, decodeJwtPayload, safeEqual.
- */
 export declare function parseBody(req: IncomingMessage): Promise<Record<string, unknown>>;
 export declare function json(res: ServerResponse, data: unknown, status?: number): void;
 /**

package/dist/src/http/utils.js

@@ -3,11 +3,25 @@ import { timingSafeEqual } from "crypto";
  * S1: shared HTTP helpers extracted from serve-http.ts.
  * parseBody, json, decodeJwtPayload, safeEqual.
  */
+const MAX_BODY_BYTES = parseInt(process.env.COORDINATOR_MAX_BODY_BYTES || "1048576", 10);
 export function parseBody(req) {
     return new Promise((resolve, reject) => {
-        let body = "";
-        req.on("data", (chunk) => (body += chunk.toString()));
+        let bytes = 0;
+        const chunks = [];
+        req.on("data", (chunk) => {
+            bytes += chunk.length;
+            if (bytes > MAX_BODY_BYTES) {
+                const err = new Error("Payload too large");
+                err.statusCode = 413;
+                // destroy() may not exist on every IncomingMessage-like input (test stub).
+                req.destroy?.(err);
+                reject(err);
+                return;
+            }
+            chunks.push(chunk);
+        });
         req.on("end", () => {
+            const body = Buffer.concat(chunks).toString("utf-8");
             try {
                 resolve(body ? JSON.parse(body) : {});
             }

package/dist/src/impact-scorer.d.ts

@@ -1,6 +1,7 @@
 import type { AgentRegistry } from "./agent-registry.js";
 import type { FileTracker } from "./file-tracker.js";
 import type { Consultation } from "./consultation.js";
+import type { WorkingFilesTracker } from "./working-files-tracker.js";
 export interface ImpactScore {
     agent_id: string;
     agent_name: string;
@@ -19,13 +20,16 @@ interface AnnounceParams {
     target_files: string[];
     depends_on_files?: string[];
     exports_affected?: string[];
+    target_symbols?: string[];
 }
 export declare class ImpactScorer {
     private registry;
     private fileTracker;
     private consultation?;
-    constructor(registry: AgentRegistry, fileTracker: FileTracker, consultation?: Consultation | undefined);
+    private workingFiles?;
+    constructor(registry: AgentRegistry, fileTracker: FileTracker, consultation?: Consultation | undefined, workingFiles?: WorkingFilesTracker | undefined);
     score(params: AnnounceParams): ImpactScore[];
     categorize(params: AnnounceParams): CategorizedImpact;
+    private getRecentSymbolsForFile;
 }
 export {};

package/dist/src/impact-scorer.js

@@ -1,3 +1,4 @@
+import { getDb } from "./database.js";
 // Layer 0 (announced-intent) recency window. Resolved threads older than this
 // are excluded — yesterday's resolved work shouldn't trigger today's scoring.
 // Aligned with file-tracker's default conflict window per the audit guidance.
@@ -11,10 +12,12 @@ export class ImpactScorer {
     registry;
     fileTracker;
     consultation;
-    constructor(registry, fileTracker, consultation) {
+    workingFiles;
+    constructor(registry, fileTracker, consultation, workingFiles) {
         this.registry = registry;
         this.fileTracker = fileTracker;
         this.consultation = consultation;
+        this.workingFiles = workingFiles;
     }
     score(params) {
         const onlineAgents = this.registry
@@ -42,6 +45,34 @@ export class ImpactScorer {
         const fileToAgents = filesToIndex.length > 0
             ? this.fileTracker.getFileToAgentsIndex(filesToIndex, params.agent_id, FILE_ACTIVITY_WINDOW_MINUTES)
             : new Map();
+        const inFlightToAgents = this.workingFiles
+            ? this.workingFiles.getIndex(filesToIndex, params.agent_id)
+            : new Map();
+        // Pre-load symbols_touched for the target_files × online_agents matrix once,
+        // keyed by (file_path, agent_id). Avoids N*M DB roundtrips inside the score loop.
+        let symbolsByFileAgent = null;
+        if (params.target_symbols && params.target_symbols.length > 0 && params.target_files.length > 0) {
+            const db = getDb();
+            const placeholders = params.target_files.map(() => "?").join(",");
+            const rows = db.prepare(`SELECT agent_id, file_path, symbols_touched
+         FROM file_activity
+         WHERE file_path IN (${placeholders})
+           AND symbols_touched IS NOT NULL
+           AND id IN (
+             SELECT MAX(id) FROM file_activity
+             WHERE file_path IN (${placeholders})
+               AND symbols_touched IS NOT NULL
+             GROUP BY agent_id, file_path
+           )`).all(...params.target_files, ...params.target_files);
+            symbolsByFileAgent = new Map();
+            for (const r of rows) {
+                try {
+                    const arr = JSON.parse(r.symbols_touched);
+                    symbolsByFileAgent.set(`${r.file_path}|${r.agent_id}`, arr);
+                }
+                catch { /* malformed JSON: ignore */ }
+            }
+        }
         // O2: bound the resolved-thread query to a recency window. Without this,
         // listThreads({status:'resolved'}) returns ALL historical resolved threads
         // (unbounded growth). The Layer 0 filter only keeps threads where the
@@ -102,12 +133,32 @@ export class ImpactScorer {
                     }
                 }
             }
-            // Layer 1: Same file recently modified (score 100) — uses pre-built index.
+            // Layer 1: Same file recently modified (file_activity) OR currently in flight (working_files).
             for (const targetFile of params.target_files) {
-                const agentsForFile = fileToAgents.get(targetFile);
-                if (agentsForFile && agentsForFile.has(agent.id)) {
+                const recentAgents = fileToAgents.get(targetFile);
+                const inFlightAgents = inFlightToAgents.get(targetFile);
+                if (recentAgents && recentAgents.has(agent.id)) {
                     maxScore = Math.max(maxScore, 100);
-                    reasons.push(`same file: ${targetFile}`);
+                    let annotated = false;
+                    if (params.target_symbols && params.target_symbols.length > 0) {
+                        const theirSymbols = symbolsByFileAgent?.get(`${targetFile}|${agent.id}`) || null;
+                        if (theirSymbols && theirSymbols.length > 0) {
+                            const mine = new Set(params.target_symbols);
+                            const theirs = new Set(theirSymbols);
+                            const overlap = [...mine].some(s => theirs.has(s));
+                            if (!overlap) {
+                                reasons.push(`same file: ${targetFile}; disjoint symbols: you=[${[...mine].join(",")}], them=[${[...theirs].join(",")}] — verify shared module state`);
+                                annotated = true;
+                            }
+                        }
+                    }
+                    if (!annotated) {
+                        reasons.push(`same file (recent): ${targetFile}`);
+                    }
+                }
+                if (inFlightAgents && inFlightAgents.has(agent.id)) {
+                    maxScore = Math.max(maxScore, 100);
+                    reasons.push(`same file (in flight): ${targetFile}`);
                 }
             }
             // Layer 2: Depends-on file recently modified (score 80)
@@ -126,9 +177,34 @@ export class ImpactScorer {
                 maxScore = Math.max(maxScore, 30);
                 reasons.push(`module overlap: ${overlapping.join(", ")}`);
             }
-            // Layer 4 (future): Git co-change analysis
-            // Score 60 for >50% co-change ratio, 40 for >20%
-            // Requires git history analysis — not implemented in v3 prototype
+            // Layer 4: git co-change. For each target_file F, find rows in git_cochange where
+            // (LEAST(F,partner), GREATEST(F,partner)) match. If the OTHER agent recently
+            // touched the partner file, apply the co-change score.
+            const db = getDb();
+            for (const targetFile of params.target_files) {
+                const rows = db.prepare(`SELECT file_a, file_b, count, total_commits FROM git_cochange
+           WHERE file_a = ? OR file_b = ?`).all(targetFile, targetFile);
+                for (const r of rows) {
+                    const partner = r.file_a === targetFile ? r.file_b : r.file_a;
+                    const ratio = r.count / Math.max(r.total_commits, 1);
+                    let layer4Score = 0;
+                    if (ratio > 0.5)
+                        layer4Score = 60;
+                    else if (ratio > 0.2)
+                        layer4Score = 40;
+                    if (layer4Score === 0)
+                        continue;
+                    // Did the OTHER agent touch the partner file recently?
+                    const partnerActivity = db.prepare(`SELECT 1 FROM file_activity
+             WHERE file_path = ? AND agent_id = ?
+               AND created_at > datetime('now', '-60 minutes')
+             LIMIT 1`).get(partner, agent.id);
+                    if (partnerActivity) {
+                        maxScore = Math.max(maxScore, layer4Score);
+                        reasons.push(`co-change: ${targetFile} ↔ ${partner} (ratio ${ratio.toFixed(2)})`);
+                    }
+                }
+            }
             return {
                 agent_id: agent.id,
                 agent_name: agent.name,
@@ -146,4 +222,18 @@ export class ImpactScorer {
             pass: scores.filter((s) => s.score < 30),
         };
     }
+    getRecentSymbolsForFile(filePath, agentId) {
+        const db = getDb();
+        const row = db.prepare(`SELECT symbols_touched FROM file_activity
+       WHERE agent_id = ? AND file_path = ? AND symbols_touched IS NOT NULL
+       ORDER BY id DESC LIMIT 1`).get(agentId, filePath);
+        if (!row || !row.symbols_touched)
+            return null;
+        try {
+            return JSON.parse(row.symbols_touched);
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/src/introspection.js

@@ -4,7 +4,7 @@ export class IntrospectionManager {
     create(params) {
         const db = getDb();
         const id = randomUUID();
-        db.prepare(`INSERT INTO introspections (id, thread_id, agent_id, score, reasons)
+        db.prepare(`INSERT INTO introspections (id, thread_id, agent_id, score, reasons)
        VALUES (?, ?, ?, ?, ?)`).run(id, params.thread_id, params.agent_id, params.score, JSON.stringify(params.reasons));
         return this.get(id);
     }