milens 0.6.2 → 0.6.4

package/.agents/skills/milens-security-review/SKILL.md

@@ -0,0 +1,224 @@
+---
+name: milens-security-review
+description: Security Audit — scan for secrets, hidden unicode, dangerous patterns, data leaks, and produce a security report
+---
+
+# milens-security-review — Security Audit
+
+Scan the codebase for security vulnerabilities: exposed secrets, hidden unicode (Trojan Source), dangerous code patterns, data leakage, and unexpected file changes.
+
+## Tools Required
+
+| Tool | Purpose |
+|---|---|
+| `mcp_milens_review_pr` | Initial risk assessment of changed files and symbols |
+| `mcp_milens_grep` | Pattern search for secrets, unicode, dangerous calls, data leaks |
+| `mcp_milens_review_symbol` | Deep-dive risk analysis on high-risk symbols |
+| `mcp_milens_detect_changes` | Verify only expected files changed |
+
+> **CRITICAL:** All milens MCP tool calls MUST include the `repo` parameter set to the **absolute path of the workspace root**.
+
+## Workflow
+
+### Step 1: Initial Risk Assessment
+
+Start with a PR-level overview to identify high-risk areas.
+
+```
+mcp_milens_review_pr({repo: "<workspaceRoot>"})
+```
+
+Focus on:
+- **New files** — highest risk for secrets or vulnerabilities
+- **Modified config files** — `.env`, `config.*`, settings files
+- **Auth/routing files** — middleware, guards, session handlers
+- **CRITICAL-rated symbols** — these get deep-dived in Step 6
+
+### Step 2: Secret Detection
+
+Search for hardcoded secrets and credentials.
+
+```
+mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "<workspaceRoot>"})
+```
+
+Key patterns to flag:
+- **Assignments to secrets** — `const apiKey = "sk-..."` (critical)
+- **Config values** — `password: "admin123"` (high)
+- **Variable names only** — `const apiKey = process.env.KEY` (low — already env-var'd)
+- **Test fixtures** — `const testPassword = "..."` (verify it's not a real password)
+
+### Step 3: Hidden Unicode Detection (Trojan Source)
+
+Search for invisible and bidirectional Unicode characters used in supply-chain attacks.
+
+```
+mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+
+These characters can:
+- Make code look like one thing but compile as another
+- Hide backdoors in copy-pasted code
+- Exploit bidirectional text in string literals and comments
+
+**Any match is a CRITICAL finding** — flag for immediate removal.
+
+### Step 4: Dangerous Code Patterns
+
+Search for patterns that enable code injection or arbitrary execution.
+
+```
+mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+
+Severity guidance:
+- `eval()` / `exec()` with user input — **CRITICAL**
+- `child_process.exec()` with dynamic arguments — **CRITICAL**
+- `new Function()` — **HIGH** (eval equivalent)
+- `child_process.spawn()` with fixed arguments — **LOW** (safer than exec)
+
+### Step 5: Data Leak Detection
+
+Find logging statements that may expose sensitive data.
+
+```
+mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+
+Flag any `console.log` that logs:
+- User data (emails, names, PII)
+- Tokens, passwords, keys
+- Request bodies or headers
+- Database query results with user data
+
+### Step 6: Deep-Dive on Critical Symbols
+
+For any symbol flagged as CRITICAL in Step 1, run a deep-dive.
+
+```
+mcp_milens_review_symbol({name: "<symbolName>", repo: "<workspaceRoot>"})
+```
+
+This provides:
+- **Role** — what the symbol does (auth, routing, data access)
+- **Heat** — how frequently it changes (volatile code = higher risk)
+- **Dependents** — blast radius if compromised
+- **Test status** — whether its behavior is verified
+
+### Step 7: Verify Change Scope
+
+Confirm that only expected files were modified.
+
+```
+mcp_milens_detect_changes({repo: "<workspaceRoot>"})
+```
+
+This catches:
+- Unintended file modifications (config drift)
+- Stray files included in the commit
+- Missing or extra changes vs. expectations
+
+### Step 8: Produce Security Audit Report
+
+Consolidate into a structured report:
+
+1. **Executive Summary** — overall risk level, critical findings count
+2. **Secret Scan Results** — each match with file, line, severity, and remediation
+3. **Unicode Scan Results** — each match (any match is critical)
+4. **Dangerous Patterns** — each `eval`/`exec`/`Function` usage with justification
+5. **Data Leak Findings** — each `console.log` that logs sensitive data
+6. **Symbol Risk Deep-Dives** — per CRITICAL symbol from Step 6
+7. **Change Scope Verification** — expected vs. actual changed files
+8. **Remediation Plan** — ordered by severity, with specific fix recommendations
+9. **Verdict** — PASSED / NEEDS REMEDIATION / BLOCKED
+
+## Example Session
+
+### Input
+
+```
+"run a security audit before the release"
+```
+
+### Tool Calls
+
+**Step 1 — PR overview:**
+```
+mcp_milens_review_pr({repo: "/home/user/project"})
+```
+
+**Output:** 8 changed files, 2 CRITICAL symbols (`authHandler`, `paymentProcessor`).
+
+**Step 2 — Secret detection:**
+```
+mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "/home/user/project"})
+```
+
+**Output:**
+```
+src/config.ts:12    apiKey: "sk-prod-abc123..."     ← CRITICAL: hardcoded API key
+src/auth/login.ts:34 const password = req.body.pass   ← LOW: variable assignment
+src/__tests__/helpers.ts:8  const testToken = "test"  ← OK: test fixture
+```
+
+**Step 3 — Unicode scan:**
+```
+mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+
+**Output:** 0 matches. Clean.
+
+**Step 4 — Dangerous patterns:**
+```
+mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+
+**Output:**
+```
+src/scripts/migrate.ts:22  exec(`pg_dump ${dbName}`)  ← CRITICAL: dynamic args
+```
+
+**Step 5 — Data leak:**
+```
+mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+
+**Output:**
+```
+src/auth/login.ts:28  console.log("User login:", email)  ← HIGH: logs PII
+```
+
+**Step 6 — Deep-dive:**
+```
+mcp_milens_review_symbol({name: "authHandler", repo: "/home/user/project"})
+```
+
+**Output:** Core auth entry point, 23 dependents, 0 tests — very high risk.
+
+**Step 7 — Verify scope:**
+```
+mcp_milens_detect_changes({repo: "/home/user/project"})
+```
+
+**Output:** 8 files changed — matches expectations.
+
+**Step 8 — Report produced** (see report format above). Verdict: **NEEDS REMEDIATION** (1 critical secret, 1 critical dangerous pattern, 1 high data leak).
+
+## Best Practices
+
+1. **Don't assume variable names are safe.** `const password = process.env.DB_PASS` is fine; `const password = "admin123"` is not. Read the value, not just the name.
+2. **Unicode scan is non-negotiable.** Trojan Source attacks are invisible to human reviewers. Even a single zero-width character match is a blocking finding.
+3. **Test fixtures get a pass — but verify.** `const testApiKey = "test-key"` is acceptable, but `const testApiKey = "sk-live-..."` is a leaked production key.
+4. **Dynamic exec/Function is almost always wrong.** If `exec()` takes user-controlled input, it's remote code execution. The only acceptable pattern is fully-hardcoded command strings.
+5. **Detect changes verifies the boundary.** If `detect_changes` shows files you didn't touch, something went wrong — config drift, lockfile churn, or accidental staging.
+
+## Quality Gate
+
+| Criteria | Pass | Fail |
+|---|---|---|
+| Secret scan | No hardcoded secrets found outside test fixtures | Any production secret in code |
+| Unicode scan | Zero matches | Any hidden unicode character found |
+| Dangerous patterns | No `eval`/`exec` with dynamic input | Any dynamic `exec()` or `Function()` call |
+| Data leak | No PII/credentials in `console.log` | Sensitive data logged to console |
+| Change scope | `detect_changes` matches expectations | Unexpected files in the diff |
+| All scans completed | All 7 steps executed | Any tool call skipped or failed |

package/.agents/skills/milens-tdd/SKILL.md

@@ -0,0 +1,156 @@
+---
+name: milens-tdd
+description: Test-Driven Development with Code Intelligence — find gaps, generate test plans, implement, and verify
+---
+
+# milens-tdd — Test-Driven Development with Code Intelligence
+
+Identify untested symbols ranked by risk, generate targeted test strategies, implement tests, and verify coverage.
+
+## Tools Required
+
+| Tool | Purpose |
+|---|---|
+| `mcp_milens_test_coverage_gaps` | Find untested symbols sorted by risk |
+| `mcp_milens_test_plan` | Generate mock strategy and test scenarios for a symbol |
+| `mcp_milens_test_impact` | Identify affected test files after changes |
+| `mcp_milens_review_pr` | Post-change quality check for CRITICAL issues |
+
+> **CRITICAL:** All milens MCP tool calls MUST include the `repo` parameter set to the **absolute path of the workspace root**.
+
+## Workflow
+
+### Step 1: Identify Untested Symbols
+
+Start by finding symbols with no test coverage, sorted by risk (hotspots first).
+
+```
+mcp_milens_test_coverage_gaps({repo: "<workspaceRoot>", limit: 10})
+```
+
+Review the output:
+- **HIGH risk symbols** — complex logic, high fan-in, many dependents. Prioritize these.
+- **MEDIUM risk symbols** — moderate complexity, some dependents.
+- **LOW risk symbols** — simple getters, one-liners. Lowest priority.
+
+### Step 2: Generate Test Plans
+
+For each high-risk symbol identified in Step 1, request a test plan.
+
+```
+mcp_milens_test_plan({name: "<symbolName>", repo: "<workspaceRoot>"})
+```
+
+The test plan provides:
+- **Mock strategy** — what to stub, what to isolate
+- **3+ test scenarios** — happy path, edge cases, error states
+- **Setup requirements** — dependencies to initialize
+- **Expected assertions** — what each test should verify
+
+### Step 3: Implement Tests
+
+Write test files based on the test plan output:
+
+1. Check if test files already exist for the module
+2. Follow existing test patterns in the codebase (frameworks, conventions, helper utilities)
+3. Implement each test scenario from the plan
+4. Keep tests focused — one behavior per test
+
+### Step 4: Verify Test Impact
+
+After writing tests, confirm which test files changed and should run.
+
+```
+mcp_milens_test_impact({repo: "<workspaceRoot>"})
+```
+
+This lists all test files affected by the current changes. Run those tests to validate.
+
+### Step 5: Quality Check
+
+Run the PR review to catch any CRITICAL issues before committing.
+
+```
+mcp_milens_review_pr({repo: "<workspaceRoot>"})
+```
+
+Address any CRITICAL or HIGH findings before completing the cycle.
+
+## Example Session
+
+### Input
+
+```
+"add tests for the resolveLinks function"
+```
+
+### Tool Calls
+
+**Step 1 — Find gaps:**
+```
+mcp_milens_test_coverage_gaps({repo: "/home/user/project", limit: 10})
+```
+
+**Output:**
+```
+Coverage Gaps (untested exported symbols):
+1. resolveLinks [function] — HIGH risk (12 dependents, 8 callers)
+2. parseConfig [function] — MEDIUM risk (5 dependents)
+3. formatOutput [function] — LOW risk (1 dependent)
+...
+```
+
+**Step 2 — Test plan for high-risk:**
+```
+mcp_milens_test_plan({name: "resolveLinks", repo: "/home/user/project"})
+```
+
+**Output:**
+```
+Test Plan for resolveLinks:
+  Mock strategy: stub loadAliases, stub database queries
+  Tests:
+    1. resolves direct links between two symbols
+    2. handles circular dependency chain gracefully
+    3. returns empty array when no links found
+    4. throws on malformed symbol data
+  Setup: import SymbolLink from '@/types', mock store layer
+```
+
+**Step 3 — Implement tests** in `src/__tests__/resolver.test.ts`
+
+**Step 4 — Verify:**
+```
+mcp_milens_test_impact({repo: "/home/user/project"})
+```
+
+**Output:**
+```
+Affected test files:
+  src/__tests__/resolver.test.ts (new)
+  src/__tests__/analyzer.test.ts (modified, re-export impact)
+```
+
+**Step 5 — Quality:**
+```
+mcp_milens_review_pr({repo: "/home/user/project"})
+```
+
+**Output:** No CRITICAL issues. 2 LOW suggestions.
+
+## Best Practices
+
+1. **Prioritize by risk, not alphabetically.** A HIGH-risk utility with 50 callers matters more than a LOW-risk getter nobody uses.
+2. **Don't test implementation details.** Follow the test plan's mock strategy — stub at module boundaries, not internal functions.
+3. **One behavior per test.** Each test should verify a single scenario (happy path, edge case, error) with a descriptive name.
+4. **Verify before commit.** Always run Step 4 (`test_impact`) and Step 5 (`review_pr`) before merging. Don't skip the quality gate.
+5. **Re-check gaps after large refactors.** A refactor can move symbols from "tested" back to "untested."
+
+## Quality Gate
+
+| Criteria | Pass | Fail |
+|---|---|---|
+| Test coverage gaps | HIGH-risk symbols have tests | HIGH-risk symbols still uncovered after session |
+| Test plan adherence | ≥3 scenarios implemented per symbol | Tests don't match plan scenarios |
+| Test impact verification | All affected test files pass | Any test file fails |
+| PR review | No CRITICAL issues | Unresolved CRITICAL issues remain |

package/.agents/skills/parser/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: milens-parser
+description: Code intelligence for the parser area — symbols, dependencies, and entry points
+---
+
+# Parser
+
+## Overview
+Contains 76 symbols (26 exported) across 15 files.
+
+## Key Symbols
+- **`LangSpec`** [interface] (src/parser/extract.ts:6) — 30 refs
+- **`loadLanguage`** [function] (src/parser/loader.ts:21) — 10 refs
+- **`getParser`** [function] (src/parser/loader.ts:32) — 9 refs
+- **`extractFromTree`** [function] (src/parser/extract.ts:250) — 6 refs
+- **`extractHtmlScripts`** [function] (src/parser/lang-html.ts:33) — 5 refs
+- **`extractMarkdown`** [function] (src/parser/lang-md.ts:34) — 5 refs
+- **`extractVueScript`** [function] (src/parser/lang-vue.ts:18) — 5 refs
+- **`extractHtmlRefs`** [function] (src/parser/lang-html.ts:52) — 4 refs
+- **`extractVueTemplateRefs`** [function] (src/parser/lang-vue.ts:37) — 4 refs
+- **`spec`** [variable] (src/parser/lang-js.ts:5) — 3 refs
+- **`spec`** [variable] (src/parser/lang-ts.ts:5) — 3 refs
+- **`clearQueryCache`** [function] (src/parser/extract.ts:67) — 2 refs
+- **`spec`** [variable] (src/parser/lang-css.ts:5) — 2 refs
+- **`spec`** [variable] (src/parser/lang-go.ts:5) — 2 refs
+- **`spec`** [variable] (src/parser/lang-py.ts:5) — 2 refs
+
+## Entry Points
+- **`LangSpec`** [interface] — 30 incoming references
+- **`loadLanguage`** [function] — 10 incoming references
+- **`getParser`** [function] — 9 incoming references
+- **`extractFromTree`** [function] — 6 incoming references
+- **`extractHtmlScripts`** [function] — 5 incoming references
+
+## Dependencies
+- **root**: `CodeSymbol`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding`, `RawAssignmentBinding`, `RawReturnType` (+4 more)
+- **analyzer**: `find`, `resolve`
+- **store**: `load`
+
+## Used By
+- **analyzer**: `langForFile`, `getParser`, `loadLanguage`, `extractFromTree`, `clearQueryCache`, `extractVueScript`, `extractVueTemplateRefs`, `extractHtmlScripts` (+6 more)
+- **server**: `getParser`, `loadLanguage`, `ALL_LANGS`
+- **test**: `getParser`, `loadLanguage`, `extractFromTree`, `extractVueScript`, `extractVueTemplateRefs`, `spec`, `extractHtmlScripts`, `extractHtmlRefs` (+2 more)
+
+## Files
+- src/parser/extract.ts
+- src/parser/lang-css.ts
+- src/parser/lang-go.ts
+- src/parser/lang-html.ts
+- src/parser/lang-java.ts
+- src/parser/lang-js.ts
+- src/parser/lang-md.ts
+- src/parser/lang-php.ts
+- src/parser/lang-py.ts
+- src/parser/lang-ruby.ts
+- src/parser/lang-rust.ts
+- src/parser/lang-ts.ts
+- src/parser/lang-vue.ts
+- src/parser/languages.ts
+- src/parser/loader.ts

package/.agents/skills/root/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: milens-root
+description: Code intelligence for the root area — symbols, dependencies, and entry points
+---
+
+# Root
+
+## Overview
+Contains 257 symbols (206 exported) across 14 files.
+
+## Key Symbols
+- **`CodeSymbol`** [interface] (src/types.ts:8) — 30 refs
+- **`SymbolLink`** [interface] (src/types.ts:26) — 13 refs
+- **`isTestFile`** [function] (src/utils.ts:2) — 9 refs
+- **`RawCall`** [interface] (src/types.ts:44) — 7 refs
+- **`RawImport`** [interface] (src/types.ts:35) — 6 refs
+- **`ExtractionResult`** [interface] (src/types.ts:60) — 6 refs
+- **`RawHeritage`** [interface] (src/types.ts:52) — 4 refs
+- **`RawTypeBinding`** [interface] (src/types.ts:80) — 4 refs
+- **`RawAssignmentBinding`** [interface] (src/types.ts:88) — 4 refs
+- **`RawReturnType`** [interface] (src/types.ts:96) — 4 refs
+- **`RawCallResultBinding`** [interface] (src/types.ts:104) — 4 refs
+- **`RawReExport`** [interface] (src/types.ts:73) — 3 refs
+- **`Annotation`** [interface] (src/types.ts:138) — 3 refs
+- **`generateAgentsMd`** [function] (src/agents-md.ts:43) — 2 refs
+- **`computeMetrics`** [function] (src/metrics.ts:21) — 2 refs
+
+## Entry Points
+- **`CodeSymbol`** [interface] — 30 incoming references
+- **`has`** [function] — 26 incoming references
+- **`SymbolLink`** [interface] — 13 incoming references
+- **`isTestFile`** [function] — 9 incoming references
+- **`RawCall`** [interface] — 7 incoming references
+
+## Dependencies
+- **store**: `Database`, `RepoRegistry`, `AnnotationStore`, `runDecayPass`, `getIncomingLinks`, `getAllSymbols`, `getCodebaseSummary`, `register` (+23 more)
+- **analyzer**: `loadAliases`, `analyze`, `resolve`, `clear`
+- **server**: `startHttp`, `startStdio`, `HookManager`, `get`, `enableHook`, `loadConfig`, `saveConfig`, `disableHook`
+- **security**: `loadRules`, `auditDependencies`
+- **scripts**: `outDir`
+
+## Used By
+- **analyzer**: `isTestFile`, `CodeSymbol`, `ExtractionResult`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding` (+8 more)
+- **parser**: `CodeSymbol`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding`, `RawAssignmentBinding`, `RawReturnType` (+4 more)
+- **store**: `Annotation`, `AnnotationKey`, `Session`, `EvolutionEvent`, `CodeSymbol`, `SymbolLink`, `RepoEntry`, `has` (+1 more)
+- **test**: `CodeSymbol`, `SymbolLink`, `RawImport`, `RawCall`, `RawHeritage`, `RawTypeBinding`, `RawAssignmentBinding`, `RawReturnType` (+2 more)
+- **security**: `has`
+- **server**: `has`
+
+## Files
+- AGENTS.md
+- CLAUDE.md
+- CONTRIBUTING.md
+- DEPLOY.md
+- README.md
+- TODO.md
+- TODO2.md
+- src/agents-md.ts
+- src/cli.ts
+- src/metrics.ts
+- src/skills.ts
+- src/types.ts
+- src/utils.ts
+- vitest.config.ts

package/.agents/skills/scripts/SKILL.md

@@ -0,0 +1,27 @@
+---
+name: milens-scripts
+description: Code intelligence for the scripts area — symbols, dependencies, and entry points
+---
+
+# Scripts
+
+## Overview
+Contains 29 symbols (0 exported) across 1 files.
+
+## Entry Points
+- **`run`** [function] — 22 incoming references
+- **`ROOT`** [variable] — 2 incoming references
+- **`outDir`** [variable] — 2 incoming references
+- **`resolveTargets`** [function] — 1 incoming references
+- **`__dirname`** [variable] — 1 incoming references
+
+## Dependencies
+- **analyzer**: `resolve`
+
+## Used By
+- **root**: `outDir`
+- **store**: `run`
+- **test**: `run`
+
+## Files
+- scripts/build-standalone.mjs

package/.agents/skills/security/SKILL.md

@@ -0,0 +1,44 @@
+---
+name: milens-security
+description: Code intelligence for the security area — symbols, dependencies, and entry points
+---
+
+# Security
+
+## Overview
+Contains 35 symbols (15 exported) across 2 files.
+
+## Key Symbols
+- **`loadRules`** [function] (src/security/rules.ts:1044) — 4 refs
+- **`Ecosystem`** [type] (src/security/deps.ts:8) — 3 refs
+- **`auditDependencies`** [function] (src/security/deps.ts:732) — 2 refs
+- **`VulnerabilityReport`** [interface] (src/security/deps.ts:26) — 2 refs
+- **`detectEcosystem`** [function] (src/security/deps.ts:512) — 1 refs
+- **`parseDependencies`** [function] (src/security/deps.ts:524) — 1 refs
+- **`checkVulnerabilities`** [function] (src/security/deps.ts:687) — 1 refs
+- **`SecurityCategory`** [type] (src/security/rules.ts:3) — 1 refs
+- **`Dependency`** [interface] (src/security/deps.ts:10) — 0 refs
+- **`Vulnerability`** [interface] (src/security/deps.ts:16) — 0 refs
+- **`getRulesByCategory`** [function] (src/security/rules.ts:1048) — 0 refs
+- **`getRulesBySeverity`** [function] (src/security/rules.ts:1052) — 0 refs
+- **`SecurityRule`** [interface] (src/security/rules.ts:14) — 0 refs
+- **`SecurityMatch`** [interface] (src/security/rules.ts:29) — 0 refs
+- **`SecurityReport`** [interface] (src/security/rules.ts:41) — 0 refs
+
+## Entry Points
+- **`readManifest`** [function] — 6 incoming references
+- **`loadRules`** [function] — 4 incoming references
+- **`Ecosystem`** [type] — 3 incoming references
+- **`manifestExists`** [function] — 2 incoming references
+- **`parseSemver`** [function] — 2 incoming references
+
+## Dependencies
+- **root**: `has`
+
+## Used By
+- **root**: `loadRules`, `auditDependencies`
+- **server**: `loadRules`
+
+## Files
+- src/security/deps.ts
+- src/security/rules.ts

package/.agents/skills/server/SKILL.md

@@ -0,0 +1,46 @@
+---
+name: milens-server
+description: Code intelligence for the server area — symbols, dependencies, and entry points
+---
+
+# Server
+
+## Overview
+Contains 74 symbols (12 exported) across 4 files.
+
+## Key Symbols
+- **`HookConfig`** [interface] (src/server/hooks.ts:5) — 3 refs
+- **`HookManager`** [class] (src/server/hooks.ts:43) — 2 refs
+- **`SessionContext`** [interface] (src/server/hooks.ts:15) — 2 refs
+- **`registerAllPrompts`** [function] (src/server/mcp-prompts.ts:637) — 2 refs
+- **`createMcpServer`** [function] (src/server/mcp.ts:367) — 2 refs
+- **`startStdio`** [function] (src/server/mcp.ts:2289) — 2 refs
+- **`startHttp`** [function] (src/server/mcp.ts:2297) — 2 refs
+- **`generateTestPlan`** [function] (src/server/test-plan.ts:14) — 2 refs
+- **`defaultOnSessionStart`** [function] (src/server/hooks.ts:100) — 0 refs
+- **`defaultOnSessionEnd`** [function] (src/server/hooks.ts:164) — 0 refs
+- **`defaultOnPreCommit`** [function] (src/server/hooks.ts:227) — 0 refs
+- **`TestPlan`** [interface] (src/server/test-plan.ts:3) — 0 refs
+
+## Entry Points
+- **`get`** [method] — 8 incoming references
+- **`loadConfig`** [method] — 3 incoming references
+- **`saveConfig`** [method] — 3 incoming references
+- **`HookConfig`** [interface] — 3 incoming references
+- **`HookManager`** [class] — 2 incoming references
+
+## Dependencies
+- **store**: `Database`, `AnnotationStore`, `RepoRegistry`, `getCodebaseSummary`, `recall`, `close`, `getStats`, `getTestCoverage` (+33 more)
+- **analyzer**: `reviewPr`, `resolve`, `find`
+- **parser**: `getParser`, `loadLanguage`, `ALL_LANGS`
+- **security**: `loadRules`
+- **root**: `has`
+
+## Used By
+- **root**: `startHttp`, `startStdio`, `HookManager`, `get`, `enableHook`, `loadConfig`, `saveConfig`, `disableHook`
+
+## Files
+- src/server/hooks.ts
+- src/server/mcp-prompts.ts
+- src/server/mcp.ts
+- src/server/test-plan.ts

package/.agents/skills/store/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: milens-store
+description: Code intelligence for the store area — symbols, dependencies, and entry points
+---
+
+# Store
+
+## Overview
+Contains 128 symbols (14 exported) across 5 files.
+
+## Key Symbols
+- **`Database`** [class] (src/store/db.ts:10) — 42 refs
+- **`AnnotationStore`** [class] (src/store/annotations.ts:10) — 14 refs
+- **`RepoRegistry`** [class] (src/store/registry.ts:18) — 6 refs
+- **`buildEmbeddingText`** [function] (src/store/vectors.ts:250) — 4 refs
+- **`TfIdfProvider`** [class] (src/store/vectors.ts:44) — 4 refs
+- **`EmbeddingStore`** [class] (src/store/vectors.ts:170) — 4 refs
+- **`runDecayPass`** [function] (src/store/confidence.ts:84) — 2 refs
+- **`EmbeddingProvider`** [interface] (src/store/vectors.ts:15) — 2 refs
+- **`decayConfidence`** [function] (src/store/confidence.ts:21) — 1 refs
+- **`boostConfidence`** [function] (src/store/confidence.ts:4) — 0 refs
+- **`getStaleAnnotations`** [function] (src/store/confidence.ts:37) — 0 refs
+- **`promoteSecurityAnnotations`** [function] (src/store/confidence.ts:47) — 0 refs
+- **`NeuralProvider`** [class] (src/store/vectors.ts:122) — 0 refs
+- **`SimilarResult`** [interface] (src/store/vectors.ts:23) — 0 refs
+
+## Entry Points
+- **`Database`** [class] — 42 incoming references
+- **`get`** [method] — 21 incoming references
+- **`close`** [method] — 16 incoming references
+- **`AnnotationStore`** [class] — 14 incoming references
+- **`rowToSymbol`** [function] — 13 incoming references
+
+## Dependencies
+- **root**: `Annotation`, `AnnotationKey`, `Session`, `EvolutionEvent`, `CodeSymbol`, `SymbolLink`, `RepoEntry`, `has` (+1 more)
+- **scripts**: `run`
+- **analyzer**: `find`, `resolve`
+
+## Used By
+- **root**: `Database`, `RepoRegistry`, `AnnotationStore`, `runDecayPass`, `getIncomingLinks`, `getAllSymbols`, `getCodebaseSummary`, `register` (+23 more)
+- **analyzer**: `Database`, `TfIdfProvider`, `EmbeddingStore`, `buildEmbeddingText`, `get`, `clear`, `isFileUpToDate`, `upsertFileHash` (+22 more)
+- **server**: `Database`, `AnnotationStore`, `RepoRegistry`, `getCodebaseSummary`, `recall`, `close`, `getStats`, `getTestCoverage` (+33 more)
+- **test**: `Database`, `RepoRegistry`, `TfIdfProvider`, `EmbeddingStore`, `buildEmbeddingText`, `close`, `insertSymbol`, `findSymbolByName` (+44 more)
+- **apps**: `remove`, `Database`, `getCodebaseSummary`, `close`
+- **docs**: `remove`
+- **parser**: `load`
+
+## Files
+- src/store/annotations.ts
+- src/store/confidence.ts
+- src/store/db.ts
+- src/store/registry.ts
+- src/store/vectors.ts