milens 0.6.2 → 0.6.4

package/dist/server/mcp.js

@@ -14,6 +14,10 @@ import { RepoRegistry } from '../store/registry.js';
 import { getParser, loadLanguage } from '../parser/loader.js';
 import { ALL_LANGS } from '../parser/languages.js';
 import { fileURLToPath } from 'node:url';
+import { generateTestPlan } from './test-plan.js';
+import { AnnotationStore } from '../store/annotations.js';
+import { registerAllPrompts } from './mcp-prompts.js';
+import { loadRules } from '../security/rules.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_VERSION = process.env.MILENS_VERSION ?? JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8')).version;
 // ── Lazy DB connection with idle eviction ──
@@ -310,42 +314,42 @@ function loadGrepIgnoreRules(rootPath) {
     return ig;
 }
 // ── Server instructions (sent to client via MCP protocol on initialize) ──
-const MILENS_INSTRUCTIONS = `milens — code intelligence engine. Indexes codebases into symbol graphs.
-
-## Tool selection
-- \`query\` — find symbol definitions (code identifiers only)
-- \`grep\` — text search ALL files. Use \`scope\` param: all (default), code (source only), imports, definitions
-- \`context\` — 360° view: incoming + outgoing for a symbol
-- \`impact\` — blast radius: what breaks if symbol changes
-- \`overview\` — combined context + impact + grep in one call (preferred for editing workflows)
-- \`edit_check\` — pre-edit safety: callers + export status + re-export chains + test coverage + ⚠ warnings (fastest for edits)
-- \`trace\` — execution flow: call chains from entrypoints to a symbol (or downstream from it)
-- \`routes\` — detect framework routes/endpoints (Express, FastAPI, NestJS, Flask, Go, PHP, Rails)
-- \`smart_context\` — intent-aware context: understand/edit/debug/test (returns only what matters for intent)
-- \`domains\` — show domain clusters: groups of files forming logical modules based on dependency graph
-- \`repos\` — list all indexed repositories with summary stats (multi-repo support)
-- \`detect_changes\` — git diff → affected symbols
-- \`explain_relationship\` — shortest path between two symbols
-- \`find_dead_code\` — unused exports
-- \`get_file_symbols\` — all symbols in a file
-- \`get_type_hierarchy\` — inheritance tree
-
-## Rules
-- Before editing a symbol: run \`edit_check\` or \`smart_context\` with intent=edit
-- For debugging: run \`smart_context\` with intent=debug or \`trace\` to=symbol
-- For writing tests: run \`smart_context\` with intent=test — shows deps to mock + callers to cover
-- \`impact\` only tracks code deps — always pair with \`grep\` for templates/configs
-- Use \`query\` for camelCase/PascalCase identifiers, \`grep\` for display text or multi-word strings
-- impact depth: 1=WILL BREAK, 2=LIKELY AFFECTED, 3=MAY NEED TESTING
-- ⚠ markers indicate unresolved INTERNAL references — external package imports/calls are tracked separately
-- ✓ test coverage shown on edit_check — symbols with no test coverage get a warning
-- ⏳ staleness: files not re-analyzed in 24h are flagged — consider re-running \`milens analyze\`
-
-## Resources (MCP Resources protocol)
-- \`milens://overview\` — index overview (stats, domains, coverage, staleness)
-- \`milens://symbol/{name}\` — symbol context by name
-- \`milens://file/{path}\` — all symbols in a file
-- \`milens://domain/{name}\` — domain cluster details
+const MILENS_INSTRUCTIONS = `milens — code intelligence engine. Indexes codebases into symbol graphs.
+
+## Tool selection
+- \`query\` — find symbol definitions (code identifiers only)
+- \`grep\` — text search ALL files. Use \`scope\` param: all (default), code (source only), imports, definitions
+- \`context\` — 360° view: incoming + outgoing for a symbol
+- \`impact\` — blast radius: what breaks if symbol changes
+- \`overview\` — combined context + impact + grep in one call (preferred for editing workflows)
+- \`edit_check\` — pre-edit safety: callers + export status + re-export chains + test coverage + ⚠ warnings (fastest for edits)
+- \`trace\` — execution flow: call chains from entrypoints to a symbol (or downstream from it)
+- \`routes\` — detect framework routes/endpoints (Express, FastAPI, NestJS, Flask, Go, PHP, Rails)
+- \`smart_context\` — intent-aware context: understand/edit/debug/test (returns only what matters for intent)
+- \`domains\` — show domain clusters: groups of files forming logical modules based on dependency graph
+- \`repos\` — list all indexed repositories with summary stats (multi-repo support)
+- \`detect_changes\` — git diff → affected symbols
+- \`explain_relationship\` — shortest path between two symbols
+- \`find_dead_code\` — unused exports
+- \`get_file_symbols\` — all symbols in a file
+- \`get_type_hierarchy\` — inheritance tree
+
+## Rules
+- Before editing a symbol: run \`edit_check\` or \`smart_context\` with intent=edit
+- For debugging: run \`smart_context\` with intent=debug or \`trace\` to=symbol
+- For writing tests: run \`smart_context\` with intent=test — shows deps to mock + callers to cover
+- \`impact\` only tracks code deps — always pair with \`grep\` for templates/configs
+- Use \`query\` for camelCase/PascalCase identifiers, \`grep\` for display text or multi-word strings
+- impact depth: 1=WILL BREAK, 2=LIKELY AFFECTED, 3=MAY NEED TESTING
+- ⚠ markers indicate unresolved INTERNAL references — external package imports/calls are tracked separately
+- ✓ test coverage shown on edit_check — symbols with no test coverage get a warning
+- ⏳ staleness: files not re-analyzed in 24h are flagged — consider re-running \`milens analyze\`
+
+## Resources (MCP Resources protocol)
+- \`milens://overview\` — index overview (stats, domains, coverage, staleness)
+- \`milens://symbol/{name}\` — symbol context by name
+- \`milens://file/{path}\` — all symbols in a file
+- \`milens://domain/{name}\` — domain cluster details
 `;
 // ── Server setup ──
 export function createMcpServer(rootPath) {
@@ -410,6 +414,29 @@ export function createMcpServer(rootPath) {
         }
         return origTool(...args);
     });
+    // ── Selective tool profiles (W4) ──
+    const profile = process.env.MILENS_PROFILE || undefined;
+    if (profile && profile !== 'full') {
+        const minimal = new Set(['query', 'grep', 'context', 'impact', 'status', 'codebase_summary', 'edit_check', 'detect_changes', 'get_file_symbols', 'overview']);
+        const standard = new Set([...minimal, 'domains', 'repos', 'explain_relationship', 'find_dead_code', 'get_type_hierarchy', 'trace', 'routes', 'smart_context', 'review_pr', 'review_symbol', 'test_coverage_gaps', 'test_plan', 'test_impact', 'session_start', 'recall']);
+        const allowed = profile === 'minimal' ? minimal : standard;
+        // Wrap server.tool again to gate by profile
+        const profileWrappedTool = server.tool.bind(server);
+        server.tool = ((...args) => {
+            const toolName = args[0];
+            if (!allowed.has(toolName)) {
+                // Return a no-op tool that explains it's disabled
+                const origLength = args.length;
+                const handler = args[origLength - 1];
+                if (typeof handler === 'function') {
+                    args[origLength - 1] = async () => ({
+                        content: [{ type: 'text', text: `Tool "${toolName}" disabled by profile "${profile}". Use --profile full to enable.` }],
+                    });
+                }
+            }
+            return profileWrappedTool(...args);
+        });
+    }
     // ── Tool: query ──
     server.tool('query', 'Search indexed symbol definitions by name/kind. For text in templates/configs/docs, use `grep`.', {
         query: z.string().describe('Symbol name, kind, or keyword to search'),
@@ -1308,6 +1335,284 @@ export function createMcpServer(rootPath) {
             return { content: [{ type: 'text', text: `Query error: ${err.message}` }] };
         }
     });
+    // ═══ codebase_summary ═══
+    server.tool('codebase_summary', 'Compact ~500 token codebase overview: domains, top hubs, test coverage, annotations count. Use at the start of every session.', { repo: z.string().optional() }, async ({ repo }) => {
+        const { db } = getDb(repo);
+        const summary = db.getCodebaseSummary();
+        const lines = [
+            'Milens Codebase Summary:',
+            `  Symbols: ${summary.symbols} | Links: ${summary.links} | Files: ${summary.files}`,
+        ];
+        if (summary.exportedSymbols > 0) {
+            lines.push(`  Test coverage: ${summary.coveragePct}% (${summary.testedSymbols}/${summary.exportedSymbols} exported symbols tested)`);
+        }
+        if (summary.domains.length > 0) {
+            const domainStr = summary.domains.map(d => `${d.domain}(${d.symbols}s)`).join(', ');
+            lines.push(`  Domains: ${domainStr}`);
+        }
+        if (summary.topHubs.length > 0) {
+            const hubStr = summary.topHubs.map(h => `${h.name}(${h.kind},heat:${h.heat})`).join(', ');
+            lines.push(`  Top hubs: ${hubStr}`);
+        }
+        try {
+            const annCount = db.getAnnotationCount();
+            lines.push(`  Total annotations: ${annCount}`);
+        }
+        catch {
+            lines.push('  Total annotations: 0');
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ review_pr ═══
+    server.tool('review_pr', 'PR risk assessment: git diff -> affected symbols with risk scores (LOW/MEDIUM/HIGH/CRITICAL).', { ref: z.string().optional().default('HEAD'), repo: z.string().optional() }, async ({ ref, repo }) => {
+        const { db, root } = getDb(repo);
+        let changedFiles = [];
+        try {
+            const { execSync } = await import('node:child_process');
+            const diff = execSync(`git diff --name-only ${ref}`, { cwd: root, encoding: 'utf-8' }).trim();
+            changedFiles = diff ? diff.split('\n').filter(Boolean) : [];
+        }
+        catch { }
+        if (changedFiles.length === 0) {
+            return { content: [{ type: 'text', text: 'No changed files detected.' }] };
+        }
+        const allAffected = [];
+        for (const file of changedFiles) {
+            const syms = db.getSymbolsByFile(file);
+            if (syms.length === 0)
+                continue;
+            for (const sym of syms) {
+                const incoming = db.getIncomingLinks(sym.id).filter(l => l.type !== 'contains');
+                const depsCount = incoming.length;
+                const heat = sym.heat ?? 0;
+                const hasTest = db.getSymbolTestCoverage(sym.id);
+                const score = Math.round((heat / 100) * 40 + Math.min(depsCount / 10, 1) * 35 + (hasTest ? 0 : 25));
+                let level = 'LOW';
+                if (score > 75)
+                    level = 'CRITICAL';
+                else if (score > 50)
+                    level = 'HIGH';
+                else if (score > 25)
+                    level = 'MEDIUM';
+                allAffected.push({ symbol: sym.name, kind: sym.kind, file: sym.filePath, heat, dependents: depsCount, hasTest, riskScore: score, riskLevel: level });
+            }
+        }
+        allAffected.sort((a, b) => b.riskScore - a.riskScore);
+        const summary = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+        for (const a of allAffected)
+            summary[a.riskLevel]++;
+        const lines = [`PR Risk Assessment (vs ${ref}):\n`];
+        lines.push(`${changedFiles.length} changed files, ${allAffected.length} affected symbols\n`);
+        for (const a of allAffected.slice(0, 30)) {
+            lines.push(`  ${a.symbol} [${a.kind}] ${a.file} — heat:${a.heat} deps:${a.dependents} test:${a.hasTest ? 'yes' : 'no'} → ${a.riskLevel}(${a.riskScore})`);
+        }
+        lines.push(`\nSummary: CRITICAL=${summary.CRITICAL} HIGH=${summary.HIGH} MEDIUM=${summary.MEDIUM} LOW=${summary.LOW}`);
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ review_symbol ═══
+    server.tool('review_symbol', 'Deep-dive single symbol risk: role, heat, dependents, test status, risk level.', { name: z.string(), repo: z.string().optional() }, async ({ name, repo }) => {
+        const { db, root } = getDb(repo);
+        const syms = db.findSymbolByName(name);
+        if (syms.length === 0)
+            return { content: [{ type: 'text', text: `"${name}" not found.` }] };
+        const lines = [];
+        for (const sym of syms) {
+            const incoming = db.getIncomingLinks(sym.id).filter(l => l.type !== 'contains');
+            const outgoing = db.getOutgoingLinks(sym.id).filter(l => l.type !== 'contains');
+            const depsCount = incoming.length;
+            const depsTop = incoming.slice(0, 5).map(l => { const s = db.findSymbolById(l.fromId); return s?.name ?? l.fromId; });
+            const outCount = outgoing.length;
+            const outTop = outgoing.slice(0, 5).map(l => { const s = db.findSymbolById(l.toId); return s?.name ?? l.toId; });
+            const hasTest = sym.exported ? db.getSymbolTestCoverage(sym.id) : false;
+            const heat = sym.heat ?? 0;
+            const score = Math.round((heat / 100) * 40 + Math.min(depsCount / 10, 1) * 35 + (hasTest ? 0 : 25));
+            let risk = 'LOW';
+            if (score > 75)
+                risk = 'CRITICAL';
+            else if (score > 50)
+                risk = 'HIGH';
+            else if (score > 25)
+                risk = 'MEDIUM';
+            lines.push(`${sym.name} [${sym.kind}] ${sym.filePath}:${sym.startLine}`);
+            lines.push(`  role: ${sym.role ?? 'unknown'} | heat: ${heat} | exported: ${sym.exported}`);
+            lines.push(`  dependents: ${depsCount} ${depsTop.length ? '(' + depsTop.join(', ') + ')' : ''}`);
+            lines.push(`  dependencies: ${outCount} ${outTop.length ? '(' + outTop.join(', ') + ')' : ''}`);
+            lines.push(`  test coverage: ${hasTest ? 'yes' : 'no'}`);
+            lines.push(`  risk: ${risk} (score: ${score})`);
+            if (risk === 'CRITICAL')
+                lines.push(`  recommendation: High risk — has ${depsCount} dependents with no test coverage. Write tests before modifying.`);
+            else if (risk === 'HIGH')
+                lines.push(`  recommendation: Review dependents carefully before modifying.`);
+            lines.push('');
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ test_coverage_gaps ═══
+    server.tool('test_coverage_gaps', 'Untested exported symbols sorted by risk. Prioritize writing tests for these.', { limit: z.number().optional().default(20), repo: z.string().optional() }, async ({ limit, repo }) => {
+        const { db } = getDb(repo);
+        const coverage = db.getTestCoverage();
+        const gaps = db.getTestCoverageGaps(limit);
+        const lines = [`Test Coverage: ${coverage.testedSymbols}/${coverage.exportedProductionSymbols} (${coverage.exportedProductionSymbols > 0 ? Math.round(coverage.testedSymbols / coverage.exportedProductionSymbols * 100) : 0}%) from ${coverage.testFiles} test files\n`];
+        if (gaps.length === 0) {
+            lines.push('All exported symbols have test coverage!');
+        }
+        else {
+            lines.push(`Top ${gaps.length} untested symbols:\n`);
+            for (const g of gaps) {
+                const incoming = db.getIncomingLinks(g.id).filter(l => l.type !== 'contains');
+                const risk = (g.heat ?? 0) > 80 ? 'CRITICAL' : (g.heat ?? 0) > 50 ? 'HIGH' : (g.heat ?? 0) > 30 ? 'MEDIUM' : 'LOW';
+                lines.push(`  ${g.name} [${g.kind}] ${g.filePath}:${g.startLine} — heat:${g.heat ?? 0} deps:${incoming.length} risk:${risk}`);
+            }
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ test_impact ═══
+    server.tool('test_impact', 'Map changed code -> which test files to run. Use after making changes.', { ref: z.string().optional().default('HEAD'), repo: z.string().optional() }, async ({ ref, repo }) => {
+        const { db, root } = getDb(repo);
+        let changedFiles = [];
+        try {
+            const { execSync } = await import('node:child_process');
+            const diff = execSync(`git diff --name-only ${ref}`, { cwd: root, encoding: 'utf-8' }).trim();
+            changedFiles = diff ? diff.split('\n').filter(Boolean) : [];
+        }
+        catch { }
+        if (changedFiles.length === 0)
+            return { content: [{ type: 'text', text: 'No changed files.' }] };
+        const changedIds = [];
+        const changedNames = [];
+        for (const file of changedFiles) {
+            for (const sym of db.getSymbolsByFile(file)) {
+                changedIds.push(sym.id);
+                changedNames.push(sym.name);
+            }
+        }
+        if (changedIds.length === 0)
+            return { content: [{ type: 'text', text: 'No symbols in changed files.' }] };
+        const impact = db.getTestImpact(changedIds);
+        const lines = [`Changed symbols (${changedNames.length}): ${changedNames.join(', ')}`];
+        lines.push(`\nAffected test files (${impact.testFiles.length}):`);
+        for (const f of impact.testFiles)
+            lines.push(`  ${f}`);
+        if (impact.testFiles.length > 0) {
+            lines.push(`\nSuggested command: npx vitest run ${impact.testFiles.join(' ')}`);
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ test_plan ═══
+    server.tool('test_plan', 'Generate a test strategy for a symbol: mock plan + >=3 test scenarios.', { name: z.string(), repo: z.string().optional() }, async ({ name, repo }) => {
+        const { db } = getDb(repo);
+        const plan = generateTestPlan(db, name);
+        if (!plan)
+            return { content: [{ type: 'text', text: `"${name}" not found.` }] };
+        return { content: [{ type: 'text', text: plan.planText }] };
+    });
+    // ═══ annotate ═══
+    server.tool('annotate', 'Record a note about a symbol for future sessions. Use after discovering bugs, patterns, or important caveats.', {
+        symbol: z.string(),
+        key: z.enum(['note', 'bug', 'security', 'architecture', 'workflow', 'test', 'dependency', 'refactor']),
+        value: z.string(),
+        agent: z.string().optional(),
+        session_id: z.string().optional(),
+        confidence: z.number().optional().default(0.5),
+    }, async ({ symbol, key, value, agent, session_id, confidence }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const ann = store.annotate(symbol, key, value, { agent, sessionId: session_id });
+        return { content: [{ type: 'text', text: `Annotation saved: ${ann.id}\n  symbol: ${ann.symbol}\n  key: ${ann.key}\n  confidence: ${ann.confidence}` }] };
+    });
+    // ═══ recall ═══
+    server.tool('recall', 'Retrieve annotations saved in previous sessions. Filter by symbol, key, or agent.', {
+        symbol: z.string().optional(), key: z.enum(['note', 'bug', 'security', 'architecture', 'workflow', 'test', 'dependency', 'refactor']).optional(),
+        agent: z.string().optional(), limit: z.number().optional().default(50),
+    }, async ({ symbol, key, agent, limit }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const results = store.recall({ symbol, key, agent, limit });
+        if (results.length === 0)
+            return { content: [{ type: 'text', text: 'No annotations found.' }] };
+        const lines = [`${results.length} annotation(s):\n`];
+        for (const a of results) {
+            lines.push(`[${a.key}] ${a.symbol} — ${a.value.slice(0, 120)}`);
+            lines.push(`  confidence: ${a.confidence.toFixed(1)} | agent: ${a.agent ?? '?'} | ${a.updatedAt}\n`);
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ session_start ═══
+    server.tool('session_start', 'Start a new session. Returns a session ID to use with annotate, session_end, and handoff.', { agent: z.string().describe('Agent name (e.g. vibe-coder, reviewer)') }, async ({ agent }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const sessionId = store.sessionStart(agent);
+        return { content: [{ type: 'text', text: `Session started: ${sessionId}\nAgent: ${agent}\nUse this ID with annotate() and session_end().` }] };
+    });
+    // ═══ session_context ═══
+    server.tool('session_context', 'Get metadata about a session: annotations, tool calls, duration.', { session_id: z.string() }, async ({ session_id }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const ctx = store.sessionContext(session_id);
+        if (!ctx.session)
+            return { content: [{ type: 'text', text: `Session "${session_id}" not found.` }] };
+        const s = ctx.session;
+        const lines = [
+            `Session: ${s.id}`,
+            `Agent: ${s.agent} | Status: ${s.status}`,
+            `Started: ${s.startedAt} | Ended: ${s.endedAt ?? 'in progress'}`,
+            `Tool calls: ${s.toolCallsCount} | Annotations: ${s.annotationsCount}`,
+        ];
+        if (s.context)
+            lines.push(`Context: ${s.context}`);
+        if (ctx.annotations.length > 0) {
+            lines.push(`\nAnnotations (${ctx.annotations.length}):`);
+            for (const a of ctx.annotations) {
+                lines.push(`  [${a.key}] ${a.symbol}: ${a.value.slice(0, 80)}`);
+            }
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
+    // ═══ session_end ═══
+    server.tool('session_end', 'End a session and record its stats. Use at the end of every session.', { session_id: z.string(), status: z.enum(['completed', 'failed']).optional().default('completed') }, async ({ session_id, status }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const summary = store.sessionEnd(session_id, status);
+        return { content: [{ type: 'text', text: `Session ended: ${session_id}\nStatus: ${status}\nAnnotations: ${summary.annotationCount}` }] };
+    });
+    // ═══ handoff ═══
+    server.tool('handoff', 'Transfer context from one agent session to another. Ends the source session and creates a new one for the target agent.', {
+        from_session: z.string(), to_agent: z.string(),
+        context: z.string().describe('Summary of what was done, key decisions, and caveats for the next agent'),
+    }, async ({ from_session, to_agent, context }) => {
+        const { db } = getDb();
+        const store = new AnnotationStore(db.connection);
+        const result = store.handoff(from_session, to_agent, context);
+        return { content: [{ type: 'text', text: `Handoff complete.\nNew session: ${result.newSessionId}\nAgent: ${to_agent}\nAnnotations copied: ${result.annotationsCopied}` }] };
+    });
+    // ═══ semantic_search ═══
+    server.tool('semantic_search', 'Search symbols by semantic meaning (falls back to FTS5 keyword search when embeddings unavailable).', { query: z.string(), limit: z.number().optional().default(10), repo: z.string().optional() }, async ({ query, limit, repo }) => {
+        const { db } = getDb(repo);
+        if (db.searchSymbols(query, limit).length > 0) {
+            const results = db.searchSymbols(query, limit);
+            const lines = [`Semantic search (FTS5 fallback — embeddings not available):\n`];
+            for (const s of results) {
+                lines.push(`${s.name} [${s.kind}] ${s.filePath}:${s.startLine}${s.exported ? ' (exported)' : ''}`);
+            }
+            return { content: [{ type: 'text', text: lines.join('\n') }] };
+        }
+        return { content: [{ type: 'text', text: `No results for "${query}". Embeddings not available. Run \`milens analyze --embeddings\` for semantic search.` }] };
+    });
+    // ═══ find_similar ═══
+    server.tool('find_similar', 'Find symbols topologically similar to a given symbol (shared callers/callees). Useful for finding patterns to copy or refactor together.', { name: z.string(), limit: z.number().optional().default(10), repo: z.string().optional() }, async ({ name, limit, repo }) => {
+        const { db } = getDb(repo);
+        const syms = db.findSymbolByName(name);
+        if (syms.length === 0)
+            return { content: [{ type: 'text', text: `"${name}" not found.` }] };
+        const results = db.findTopologicallySimilar(syms[0].id, limit);
+        if (results.length === 0)
+            return { content: [{ type: 'text', text: `No similar symbols found for "${name}".` }] };
+        const lines = [`Symbols similar to "${name}":\n`];
+        for (const r of results) {
+            lines.push(`  ${r.symbol.name} [${r.symbol.kind}] ${r.symbol.filePath}:${r.symbol.startLine} — similarity: ${r.similarity.toFixed(2)}`);
+        }
+        return { content: [{ type: 'text', text: lines.join('\n') }] };
+    });
     // ══════════════════════════════════════════════
     // ── MCP Resources ──
     // ══════════════════════════════════════════════
@@ -1462,6 +1767,185 @@ export function createMcpServer(rootPath) {
                 },
             }],
     }));
+    // ── Prompt: vibe-code-planner ──
+    server.prompt('vibe-code-planner', 'ECC-style Planner Agent workflow: analyze codebase, create implementation plan with blast radius awareness', { feature: z.string().describe('Feature or task name to plan') }, ({ feature }) => ({
+        messages: [{
+                role: 'user',
+                content: {
+                    type: 'text',
+                    text: `I am the Planner Agent. I need to create an implementation plan for "${feature}".\n\n` +
+                        `Follow this ECC Planner workflow:\n\n` +
+                        `PHASE 1 — CODEBASE INTELLIGENCE:\n` +
+                        `1. Run \`codebase_summary()\` to understand the project structure\n` +
+                        `2. Run \`domains()\` to see module clusters\n` +
+                        `3. Run \`routes()\` to find relevant API endpoints\n\n` +
+                        `PHASE 2 — TARGET ANALYSIS:\n` +
+                        `4. Run \`smart_context({name: "keySymbol", intent: "edit"})\` for each affected symbol\n` +
+                        `5. Run \`edit_check({name: "keySymbol"})\` for safety\n` +
+                        `6. Run \`trace({to: "keySymbol"})\` to understand execution flow\n\n` +
+                        `PHASE 3 — IMPACT PREDICTION:\n` +
+                        `7. Run \`impact({target: "keySymbol", depth: 3})\` to see blast radius\n` +
+                        `8. Run \`explain_relationship({from: "A", to: "B"})\` for distant dependencies\n\n` +
+                        `PHASE 4 — TEST STRATEGY:\n` +
+                        `9. Run \`test_plan({name: "keySymbol"})\` for mock strategy\n` +
+                        `10. Run \`test_coverage_gaps()\` to check existing coverage\n\n` +
+                        `PHASE 5 — FINAL PLAN:\n` +
+                        `Output a plan.md with: Overview, Architecture Changes, Implementation Steps (file+action+why+deps+risk), Testing Strategy, Risks & Mitigations, Success Criteria.\n\n` +
+                        `Use the ECC plan format with specific file paths, dependencies, and risk levels (LOW/MEDIUM/HIGH).`,
+                },
+            }],
+    }));
+    // ── Prompt: vibe-code-reviewer ──
+    server.prompt('vibe-code-reviewer', 'ECC-style Reviewer Agent workflow: PR risk assessment, dead code detection, security scan', { session_id: z.string().optional().describe('Optional session ID for annotation context') }, ({ session_id }) => ({
+        messages: [{
+                role: 'user',
+                content: {
+                    type: 'text',
+                    text: `I am the Reviewer Agent. Review the current changes thoroughly.${session_id ? ` Session: ${session_id}` : ''}\n\n` +
+                        `Follow this ECC Reviewer workflow:\n\n` +
+                        `1. Run \`review_pr()\` to get risk scores for all changed symbols\n` +
+                        `2. For each CRITICAL/HIGH symbol:\n` +
+                        `   a. Run \`review_symbol({name})\` for deep dive\n` +
+                        `   b. Run \`context({name})\` to see relationships\n` +
+                        `   c. Run \`grep({pattern: "symbolName"})\` for text references\n` +
+                        `3. Run \`find_dead_code()\` to detect orphaned symbols\n` +
+                        `4. Run \`grep({pattern: "password|secret|api_key|token", scope: "code"})\` for secrets\n` +
+                        `5. Run \`grep({pattern: "TODO|FIXME|HACK|console\\\\.log", scope: "code"})\` for tech debt\n` +
+                        `6. Run \`detect_changes()\` to verify expected files only\n` +
+                        `7. Create a review report: symbols OK to merge vs symbols needing fixes\n` +
+                        `8. Run \`annotate({symbol, key: "bug"|"security", value})\` for any critical findings`,
+                },
+            }],
+    }));
+    // ── Prompt: closed-loop-session ──
+    server.prompt('closed-loop-session', 'Complete 6-phase closed-loop session: Analyze → Plan → Code → Verify → Learn → Improve', { task: z.string().describe('Task description'), agent: z.string().optional().default('vibe-coder') }, ({ task, agent }) => ({
+        messages: [{
+                role: 'user',
+                content: {
+                    type: 'text',
+                    text: `Run a complete closed-loop development session for: "${task}"\n\n` +
+                        `PHASE 1 — ANALYZE (bootstrap):\n` +
+                        `  session_start({agent: "${agent}"}) → codebase_summary() → domains() → recall()\n\n` +
+                        `PHASE 2 — PLAN:\n` +
+                        `  smart_context({intent: "edit"}) → edit_check() → impact({depth: 3}) → test_plan()\n\n` +
+                        `PHASE 3 — CODE:\n` +
+                        `  Implement changes with guard: edit_check() before each edit, impact() mid-edit, context() for reference\n\n` +
+                        `PHASE 4 — VERIFY:\n` +
+                        `  detect_changes() → test_impact() → review_pr() → test_coverage_gaps() → grep(secrets)\n\n` +
+                        `PHASE 5 — LEARN:\n` +
+                        `  annotate() key observations → session_context() → handoff() if needed\n\n` +
+                        `PHASE 6 — IMPROVE:\n` +
+                        `  milens evolve (if patterns ready) → milens metrics (check health)\n\n` +
+                        `At the end: session_end({session_id}) to record stats.`,
+                },
+            }],
+    }));
+    // ── Register MCP Prompts (W1) ──
+    registerAllPrompts(server);
+    // ── Tool: security_scan (S2) ──
+    server.tool('security_scan', 'Scan codebase for security vulnerabilities using 50+ built-in rules. Replaces multiple manual grep() calls. Categories: secrets, injection, unicode, dangerous, config, data-leak, crypto, auth, file-access.', {
+        scope: z.enum(['all', 'secrets', 'injection', 'unicode', 'dangerous', 'config', 'data-leak', 'crypto', 'auth', 'file-access']).optional().default('all').describe('Scan scope'),
+        repo: z.string().optional().describe('Repository root path'),
+        severity: z.enum(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW']).optional().describe('Minimum severity filter'),
+        limit: z.number().optional().default(50).describe('Max findings'),
+    }, async ({ scope, repo, severity, limit }) => {
+        const { db, root } = getDb(repo);
+        const rules = loadRules();
+        // Filter rules by scope and severity
+        const filtered = rules.filter(r => {
+            if (scope !== 'all' && r.category !== scope)
+                return false;
+            if (severity) {
+                const sevOrder = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };
+                if ((sevOrder[r.severity] || 0) < (sevOrder[severity] || 0))
+                    return false;
+            }
+            return r.enabled;
+        });
+        // Get all source files from the DB
+        const symbols = db.getAllSymbols();
+        const fileSet = new Set();
+        for (const s of symbols) {
+            if (s.filePath && !s.filePath.includes('node_modules') && !s.filePath.includes('.git')) {
+                fileSet.add(s.filePath);
+            }
+        }
+        const files = [...fileSet].slice(0, 1000); // cap at 1000 files
+        const { readFileSync: rfs, existsSync: es } = await import('node:fs');
+        const { resolve: resolvePath } = await import('node:path');
+        const findings = [];
+        const byCategory = {};
+        const bySeverity = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+        for (const file of files) {
+            const fullPath = resolvePath(root, file);
+            if (!es(fullPath))
+                continue;
+            // Skip files that don't match rule fileGlobs (simple check)
+            const applicableRules = filtered.filter(r => {
+                if (!r.fileGlob)
+                    return true;
+                // Simple glob: just check extension
+                const ext = r.fileGlob.replace('**/*.', '').replace('**/*', '');
+                return file.endsWith(ext) || r.fileGlob === '**/*';
+            });
+            if (applicableRules.length === 0)
+                continue;
+            try {
+                const content = rfs(fullPath, 'utf-8');
+                const lines = content.split('\n');
+                for (const rule of applicableRules) {
+                    for (const pattern of rule.patterns) {
+                        let match;
+                        // Reset regex lastIndex for global patterns
+                        pattern.lastIndex = 0;
+                        while ((match = pattern.exec(content)) !== null) {
+                            const lineNum = content.substring(0, match.index).split('\n').length;
+                            const ctxStart = Math.max(0, lineNum - 3);
+                            const ctxEnd = Math.min(lines.length, lineNum + 2);
+                            const context = lines.slice(ctxStart, ctxEnd).join('\n');
+                            findings.push({
+                                ruleId: rule.id,
+                                category: rule.category,
+                                severity: rule.severity,
+                                owasp: rule.owasp,
+                                file,
+                                line: lineNum,
+                                match: match[0].length > 100 ? match[0].slice(0, 97) + '...' : match[0],
+                                context,
+                                fix: rule.fix,
+                            });
+                            byCategory[rule.category] = (byCategory[rule.category] || 0) + 1;
+                            bySeverity[rule.severity] = (bySeverity[rule.severity] || 0) + 1;
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip unreadable files
+            }
+        }
+        // Calculate security score (100 - deductions)
+        const deduction = findings.filter((f) => f.severity === 'CRITICAL').length * 5 +
+            findings.filter((f) => f.severity === 'HIGH').length * 2 +
+            findings.filter((f) => f.severity === 'MEDIUM').length * 0.5;
+        const score = Math.max(0, Math.round(100 - deduction));
+        const limited = findings.slice(0, limit);
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        summary: {
+                            totalScanned: files.length,
+                            findings: findings.length,
+                            byCategory,
+                            bySeverity,
+                            score,
+                        },
+                        findings: limited,
+                    }, null, 2),
+                }],
+        };
+    });
     return server;
 }
 // ── Transport: stdio ──