npm - milens - Versions diffs - 0.6.6 → 0.6.7 - Mend

milens 0.6.6 → 0.6.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/.agents/skills/adapters/SKILL.md +14 -14
package/.agents/skills/analyzer/SKILL.md +26 -24
package/.agents/skills/apps/SKILL.md +10 -8
package/.agents/skills/docs/SKILL.md +13 -8
package/.agents/skills/milens/SKILL.md +164 -43
package/.agents/skills/milens-security-review/SKILL.md +224 -224
package/.agents/skills/orchestrator/SKILL.md +3 -1
package/.agents/skills/parser/SKILL.md +16 -15
package/.agents/skills/root/SKILL.md +20 -20
package/.agents/skills/security/SKILL.md +1 -0
package/.agents/skills/server/SKILL.md +8 -8
package/.agents/skills/store/SKILL.md +12 -12
package/.agents/skills/test/SKILL.md +57 -26
package/README.md +7 -8
package/dist/ui/progress.d.ts +28 -0
package/dist/ui/progress.d.ts.map +1 -0
package/dist/ui/progress.js +100 -0
package/dist/ui/progress.js.map +1 -0
package/package.json +1 -1

package/.agents/skills/milens-security-review/SKILL.md CHANGED Viewed

@@ -1,224 +1,224 @@
----
-name: milens-security-review
-description: Security Audit — scan for secrets, hidden unicode, dangerous patterns, data leaks, and produce a security report
----
-# milens-security-review — Security Audit
-Scan the codebase for security vulnerabilities: exposed secrets, hidden unicode (Trojan Source), dangerous code patterns, data leakage, and unexpected file changes.
-## Tools Required
-| Tool | Purpose |
-|---|---|
-| `mcp_milens_review_pr` | Initial risk assessment of changed files and symbols |
-| `mcp_milens_grep` | Pattern search for secrets, unicode, dangerous calls, data leaks |
-| `mcp_milens_review_symbol` | Deep-dive risk analysis on high-risk symbols |
-| `mcp_milens_detect_changes` | Verify only expected files changed |
-> **CRITICAL:** All milens MCP tool calls MUST include the `repo` parameter set to the **absolute path of the workspace root**.
-## Workflow
-### Step 1: Initial Risk Assessment
-Start with a PR-level overview to identify high-risk areas.
-```
-mcp_milens_review_pr({repo: "<workspaceRoot>"})
-```
-Focus on:
-- **New files** — highest risk for secrets or vulnerabilities
-- **Modified config files** — `.env`, `config.*`, settings files
-- **Auth/routing files** — middleware, guards, session handlers
-- **CRITICAL-rated symbols** — these get deep-dived in Step 6
-### Step 2: Secret Detection
-Search for hardcoded secrets and credentials.
-```
-mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "<workspaceRoot>"})
-```
-Key patterns to flag:
-- **Assignments to secrets** — `const apiKey = "sk-..."` (critical)
-- **Config values** — `password: "admin123"` (high)
-- **Variable names only** — `const apiKey = process.env.KEY` (low — already env-var'd)
-- **Test fixtures** — `const testPassword = "..."` (verify it's not a real password)
-### Step 3: Hidden Unicode Detection (Trojan Source)
-Search for invisible and bidirectional Unicode characters used in supply-chain attacks.
-```
-mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
-```
-These characters can:
-- Make code look like one thing but compile as another
-- Hide backdoors in copy-pasted code
-- Exploit bidirectional text in string literals and comments
-**Any match is a CRITICAL finding** — flag for immediate removal.
-### Step 4: Dangerous Code Patterns
-Search for patterns that enable code injection or arbitrary execution.
-```
-mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
-```
-Severity guidance:
-- `eval()` / `exec()` with user input — **CRITICAL**
-- `child_process.exec()` with dynamic arguments — **CRITICAL**
-- `new Function()` — **HIGH** (eval equivalent)
-- `child_process.spawn()` with fixed arguments — **LOW** (safer than exec)
-### Step 5: Data Leak Detection
-Find logging statements that may expose sensitive data.
-```
-mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
-```
-Flag any `console.log` that logs:
-- User data (emails, names, PII)
-- Tokens, passwords, keys
-- Request bodies or headers
-- Database query results with user data
-### Step 6: Deep-Dive on Critical Symbols
-For any symbol flagged as CRITICAL in Step 1, run a deep-dive.
-```
-mcp_milens_review_symbol({name: "<symbolName>", repo: "<workspaceRoot>"})
-```
-This provides:
-- **Role** — what the symbol does (auth, routing, data access)
-- **Heat** — how frequently it changes (volatile code = higher risk)
-- **Dependents** — blast radius if compromised
-- **Test status** — whether its behavior is verified
-### Step 7: Verify Change Scope
-Confirm that only expected files were modified.
-```
-mcp_milens_detect_changes({repo: "<workspaceRoot>"})
-```
-This catches:
-- Unintended file modifications (config drift)
-- Stray files included in the commit
-- Missing or extra changes vs. expectations
-### Step 8: Produce Security Audit Report
-Consolidate into a structured report:
-1. **Executive Summary** — overall risk level, critical findings count
-2. **Secret Scan Results** — each match with file, line, severity, and remediation
-3. **Unicode Scan Results** — each match (any match is critical)
-4. **Dangerous Patterns** — each `eval`/`exec`/`Function` usage with justification
-5. **Data Leak Findings** — each `console.log` that logs sensitive data
-6. **Symbol Risk Deep-Dives** — per CRITICAL symbol from Step 6
-7. **Change Scope Verification** — expected vs. actual changed files
-8. **Remediation Plan** — ordered by severity, with specific fix recommendations
-9. **Verdict** — PASSED / NEEDS REMEDIATION / BLOCKED
-## Example Session
-### Input
-```
-"run a security audit before the release"
-```
-### Tool Calls
-**Step 1 — PR overview:**
-```
-mcp_milens_review_pr({repo: "/home/user/project"})
-```
-**Output:** 8 changed files, 2 CRITICAL symbols (`authHandler`, `paymentProcessor`).
-**Step 2 — Secret detection:**
-```
-mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "/home/user/project"})
-```
-**Output:**
-```
-src/config.ts:12    apiKey: "sk-prod-abc123..."     ← CRITICAL: hardcoded API key
-src/auth/login.ts:34 const password = req.body.pass   ← LOW: variable assignment
-src/__tests__/helpers.ts:8  const testToken = "test"  ← OK: test fixture
-```
-**Step 3 — Unicode scan:**
-```
-mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "/home/user/project"})
-```
-**Output:** 0 matches. Clean.
-**Step 4 — Dangerous patterns:**
-```
-mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
-```
-**Output:**
-```
-src/scripts/migrate.ts:22  exec(`pg_dump ${dbName}`)  ← CRITICAL: dynamic args
-```
-**Step 5 — Data leak:**
-```
-mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
-```
-**Output:**
-```
-src/auth/login.ts:28  console.log("User login:", email)  ← HIGH: logs PII
-```
-**Step 6 — Deep-dive:**
-```
-mcp_milens_review_symbol({name: "authHandler", repo: "/home/user/project"})
-```
-**Output:** Core auth entry point, 23 dependents, 0 tests — very high risk.
-**Step 7 — Verify scope:**
-```
-mcp_milens_detect_changes({repo: "/home/user/project"})
-```
-**Output:** 8 files changed — matches expectations.
-**Step 8 — Report produced** (see report format above). Verdict: **NEEDS REMEDIATION** (1 critical secret, 1 critical dangerous pattern, 1 high data leak).
-## Best Practices
-1. **Don't assume variable names are safe.** `const password = process.env.DB_PASS` is fine; `const password = "admin123"` is not. Read the value, not just the name.
-2. **Unicode scan is non-negotiable.** Trojan Source attacks are invisible to human reviewers. Even a single zero-width character match is a blocking finding.
-3. **Test fixtures get a pass — but verify.** `const testApiKey = "test-key"` is acceptable, but `const testApiKey = "sk-live-..."` is a leaked production key.
-4. **Dynamic exec/Function is almost always wrong.** If `exec()` takes user-controlled input, it's remote code execution. The only acceptable pattern is fully-hardcoded command strings.
-5. **Detect changes verifies the boundary.** If `detect_changes` shows files you didn't touch, something went wrong — config drift, lockfile churn, or accidental staging.
-## Quality Gate
-| Criteria | Pass | Fail |
-|---|---|---|
-| Secret scan | No hardcoded secrets found outside test fixtures | Any production secret in code |
-| Unicode scan | Zero matches | Any hidden unicode character found |
-| Dangerous patterns | No `eval`/`exec` with dynamic input | Any dynamic `exec()` or `Function()` call |
-| Data leak | No PII/credentials in `console.log` | Sensitive data logged to console |
-| Change scope | `detect_changes` matches expectations | Unexpected files in the diff |
-| All scans completed | All 7 steps executed | Any tool call skipped or failed |
+---
+name: milens-security-review
+description: Security Audit — scan for secrets, hidden unicode, dangerous patterns, data leaks, and produce a security report
+---
+# milens-security-review — Security Audit
+Scan the codebase for security vulnerabilities: exposed secrets, hidden unicode (Trojan Source), dangerous code patterns, data leakage, and unexpected file changes.
+## Tools Required
+| Tool | Purpose |
+|---|---|
+| `mcp_milens_review_pr` | Initial risk assessment of changed files and symbols |
+| `mcp_milens_grep` | Pattern search for secrets, unicode, dangerous calls, data leaks |
+| `mcp_milens_review_symbol` | Deep-dive risk analysis on high-risk symbols |
+| `mcp_milens_detect_changes` | Verify only expected files changed |
+> **CRITICAL:** All milens MCP tool calls MUST include the `repo` parameter set to the **absolute path of the workspace root**.
+## Workflow
+### Step 1: Initial Risk Assessment
+Start with a PR-level overview to identify high-risk areas.
+```
+mcp_milens_review_pr({repo: "<workspaceRoot>"})
+```
+Focus on:
+- **New files** — highest risk for secrets or vulnerabilities
+- **Modified config files** — `.env`, `config.*`, settings files
+- **Auth/routing files** — middleware, guards, session handlers
+- **CRITICAL-rated symbols** — these get deep-dived in Step 6
+### Step 2: Secret Detection
+Search for hardcoded secrets and credentials.
+```
+mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "<workspaceRoot>"})
+```
+Key patterns to flag:
+- **Assignments to secrets** — `const apiKey = "sk-..."` (critical)
+- **Config values** — `password: "admin123"` (high)
+- **Variable names only** — `const apiKey = process.env.KEY` (low — already env-var'd)
+- **Test fixtures** — `const testPassword = "..."` (verify it's not a real password)
+### Step 3: Hidden Unicode Detection (Trojan Source)
+Search for invisible and bidirectional Unicode characters used in supply-chain attacks.
+```
+mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+These characters can:
+- Make code look like one thing but compile as another
+- Hide backdoors in copy-pasted code
+- Exploit bidirectional text in string literals and comments
+**Any match is a CRITICAL finding** — flag for immediate removal.
+### Step 4: Dangerous Code Patterns
+Search for patterns that enable code injection or arbitrary execution.
+```
+mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+Severity guidance:
+- `eval()` / `exec()` with user input — **CRITICAL**
+- `child_process.exec()` with dynamic arguments — **CRITICAL**
+- `new Function()` — **HIGH** (eval equivalent)
+- `child_process.spawn()` with fixed arguments — **LOW** (safer than exec)
+### Step 5: Data Leak Detection
+Find logging statements that may expose sensitive data.
+```
+mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "<workspaceRoot>"})
+```
+Flag any `console.log` that logs:
+- User data (emails, names, PII)
+- Tokens, passwords, keys
+- Request bodies or headers
+- Database query results with user data
+### Step 6: Deep-Dive on Critical Symbols
+For any symbol flagged as CRITICAL in Step 1, run a deep-dive.
+```
+mcp_milens_review_symbol({name: "<symbolName>", repo: "<workspaceRoot>"})
+```
+This provides:
+- **Role** — what the symbol does (auth, routing, data access)
+- **Heat** — how frequently it changes (volatile code = higher risk)
+- **Dependents** — blast radius if compromised
+- **Test status** — whether its behavior is verified
+### Step 7: Verify Change Scope
+Confirm that only expected files were modified.
+```
+mcp_milens_detect_changes({repo: "<workspaceRoot>"})
+```
+This catches:
+- Unintended file modifications (config drift)
+- Stray files included in the commit
+- Missing or extra changes vs. expectations
+### Step 8: Produce Security Audit Report
+Consolidate into a structured report:
+1. **Executive Summary** — overall risk level, critical findings count
+2. **Secret Scan Results** — each match with file, line, severity, and remediation
+3. **Unicode Scan Results** — each match (any match is critical)
+4. **Dangerous Patterns** — each `eval`/`exec`/`Function` usage with justification
+5. **Data Leak Findings** — each `console.log` that logs sensitive data
+6. **Symbol Risk Deep-Dives** — per CRITICAL symbol from Step 6
+7. **Change Scope Verification** — expected vs. actual changed files
+8. **Remediation Plan** — ordered by severity, with specific fix recommendations
+9. **Verdict** — PASSED / NEEDS REMEDIATION / BLOCKED
+## Example Session
+### Input
+```
+"run a security audit before the release"
+```
+### Tool Calls
+**Step 1 — PR overview:**
+```
+mcp_milens_review_pr({repo: "/home/user/project"})
+```
+**Output:** 8 changed files, 2 CRITICAL symbols (`authHandler`, `paymentProcessor`).
+**Step 2 — Secret detection:**
+```
+mcp_milens_grep({pattern: "password|secret|api_key|token|private_key|AUTH_TOKEN", scope: "code", repo: "/home/user/project"})
+```
+**Output:**
+```
+src/config.ts:12    apiKey: "sk-prod-abc123..."     ← CRITICAL: hardcoded API key
+src/auth/login.ts:34 const password = req.body.pass   ← LOW: variable assignment
+src/__tests__/helpers.ts:8  const testToken = "test"  ← OK: test fixture
+```
+**Step 3 — Unicode scan:**
+```
+mcp_milens_grep({pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u202A-\\u202E]", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+**Output:** 0 matches. Clean.
+**Step 4 — Dangerous patterns:**
+```
+mcp_milens_grep({pattern: "eval\\(|exec\\(|child_process|Function\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+**Output:**
+```
+src/scripts/migrate.ts:22  exec(`pg_dump ${dbName}`)  ← CRITICAL: dynamic args
+```
+**Step 5 — Data leak:**
+```
+mcp_milens_grep({pattern: "console\\.(log|debug|info)\\(", scope: "code", isRegex: true, repo: "/home/user/project"})
+```
+**Output:**
+```
+src/auth/login.ts:28  console.log("User login:", email)  ← HIGH: logs PII
+```
+**Step 6 — Deep-dive:**
+```
+mcp_milens_review_symbol({name: "authHandler", repo: "/home/user/project"})
+```
+**Output:** Core auth entry point, 23 dependents, 0 tests — very high risk.
+**Step 7 — Verify scope:**
+```
+mcp_milens_detect_changes({repo: "/home/user/project"})
+```
+**Output:** 8 files changed — matches expectations.
+**Step 8 — Report produced** (see report format above). Verdict: **NEEDS REMEDIATION** (1 critical secret, 1 critical dangerous pattern, 1 high data leak).
+## Best Practices
+1. **Don't assume variable names are safe.** `const password = process.env.DB_PASS` is fine; `const password = "admin123"` is not. Read the value, not just the name.
+2. **Unicode scan is non-negotiable.** Trojan Source attacks are invisible to human reviewers. Even a single zero-width character match is a blocking finding.
+3. **Test fixtures get a pass — but verify.** `const testApiKey = "test-key"` is acceptable, but `const testApiKey = "sk-live-..."` is a leaked production key.
+4. **Dynamic exec/Function is almost always wrong.** If `exec()` takes user-controlled input, it's remote code execution. The only acceptable pattern is fully-hardcoded command strings.
+5. **Detect changes verifies the boundary.** If `detect_changes` shows files you didn't touch, something went wrong — config drift, lockfile churn, or accidental staging.
+## Quality Gate
+| Criteria | Pass | Fail |
+|---|---|---|
+| Secret scan | No hardcoded secrets found outside test fixtures | Any production secret in code |
+| Unicode scan | Zero matches | Any hidden unicode character found |
+| Dangerous patterns | No `eval`/`exec` with dynamic input | Any dynamic `exec()` or `Function()` call |
+| Data leak | No PII/credentials in `console.log` | Sensitive data logged to console |
+| Change scope | `detect_changes` matches expectations | Unexpected files in the diff |
+| All scans completed | All 7 steps executed | Any tool call skipped or failed |

package/.agents/skills/orchestrator/SKILL.md CHANGED Viewed

@@ -39,20 +39,22 @@ Contains 22 symbols (7 exported) across 2 files.
 ## Entry Points
 - **`Orchestrator`** [class] — 6 incoming references
+- **`e`** [function] — 5 incoming references
 - **`OrchestratorReport`** [interface] — 5 incoming references
 - **`formatReport`** [function] — 4 incoming references
 - **`snapshot`** [method] — 3 incoming references
-- **`run`** [method] — 3 incoming references
 ## Dependencies
 - **store**: `Database`, `findSymbolByName`, `findUpstream`, `clear`, `getTestCoverageGaps`, `findDeadCode`, `close`
 - **analyzer**: `reviewPr`, `ReviewResult`, `SymbolRisk`
 - **root**: `CodeSymbol`, `has`
+- **test**: `add`
 ## Used By
 - **root**: `Orchestrator`, `subscribe`, `runAndFormat`
 - **server**: `Orchestrator`, `snapshot`, `compare`, `runAndFormat`
 - **test**: `Orchestrator`, `formatReport`, `OrchestratorReport`, `subscribe`, `run`, `snapshot`, `compare`, `cancel` (+3 more)
+- **apps**: `e`
 ## Files
 - src/orchestrator/orchestrator.ts

package/.agents/skills/parser/SKILL.md CHANGED Viewed

@@ -26,27 +26,27 @@ When working with code in **parser/**, follow these mandatory safety rules:
 | See file symbols | `mcp_milens_get_file_symbols` |
 ## Overview
-Contains 76 symbols (26 exported) across 15 files.
+Contains 83 symbols (31 exported) across 16 files.
 ## Key Symbols
-- **`LangSpec`** [interface] (src/parser/extract.ts:6) — 30 refs
+- **`LangSpec`** [interface] (src/parser/extract.ts:6) — 32 refs
 - **`loadLanguage`** [function] (src/parser/loader.ts:21) — 14 refs
 - **`getParser`** [function] (src/parser/loader.ts:32) — 13 refs
-- **`extractFromTree`** [function] (src/parser/extract.ts:250) — 8 refs
+- **`extractFromTree`** [function] (src/parser/extract.ts:256) — 8 refs
 - **`supportedExtensions`** [function] (src/parser/languages.ts:29) — 6 refs
-- **`extractHtmlScripts`** [function] (src/parser/lang-html.ts:33) — 5 refs
+- **`extractHtmlScripts`** [function] (src/parser/lang-html.ts:38) — 5 refs
 - **`extractMarkdown`** [function] (src/parser/lang-md.ts:34) — 5 refs
 - **`spec`** [variable] (src/parser/lang-ts.ts:5) — 5 refs
-- **`extractVueScript`** [function] (src/parser/lang-vue.ts:18) — 5 refs
+- **`extractVueScript`** [function] (src/parser/lang-vue.ts:19) — 5 refs
 - **`initTreeSitter`** [function] (src/parser/loader.ts:15) — 5 refs
-- **`clearQueryCache`** [function] (src/parser/extract.ts:67) — 4 refs
-- **`extractHtmlRefs`** [function] (src/parser/lang-html.ts:52) — 4 refs
-- **`extractVueTemplateRefs`** [function] (src/parser/lang-vue.ts:37) — 4 refs
-- **`langForFile`** [function] (src/parser/languages.ts:24) — 4 refs
-- **`spec`** [variable] (src/parser/lang-js.ts:5) — 3 refs
+- **`clearQueryCache`** [function] (src/parser/extract.ts:72) — 4 refs
+- **`extractHtmlRefs`** [function] (src/parser/lang-html.ts:57) — 4 refs
+- **`extractHtmlLinks`** [function] (src/parser/lang-html.ts:99) — 4 refs
+- **`extractVueTemplateRefs`** [function] (src/parser/lang-vue.ts:38) — 4 refs
+- **`extractVueTemplateAst`** [function] (src/parser/lang-vue.ts:90) — 4 refs
 ## Entry Points
-- **`LangSpec`** [interface] — 30 incoming references
+- **`LangSpec`** [interface] — 32 incoming references
 - **`loadLanguage`** [function] — 14 incoming references
 - **`getParser`** [function] — 13 incoming references
 - **`extractFromTree`** [function] — 8 incoming references
@@ -54,14 +54,14 @@ Contains 76 symbols (26 exported) across 15 files.
 ## Dependencies
 - **root**: `CodeSymbol`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding`, `RawAssignmentBinding`, `RawReturnType` (+4 more)
-- **test**: `lang`, `parser`
-- **analyzer**: `find`, `resolve`
+- **test**: `lang`, `add`, `parser`
+- **analyzer**: `resolve`
 - **store**: `load`
 ## Used By
-- **analyzer**: `langForFile`, `supportedExtensions`, `getParser`, `loadLanguage`, `extractFromTree`, `clearQueryCache`, `extractVueScript`, `extractVueTemplateRefs` (+6 more)
+- **analyzer**: `langForFile`, `supportedExtensions`, `getParser`, `loadLanguage`, `extractFromTree`, `clearQueryCache`, `extractVueScript`, `extractVueTemplateRefs` (+9 more)
 - **server**: `getParser`, `loadLanguage`, `ALL_LANGS`
-- **test**: `getParser`, `loadLanguage`, `extractFromTree`, `extractVueScript`, `extractVueTemplateRefs`, `spec`, `extractHtmlScripts`, `extractHtmlRefs` (+7 more)
+- **test**: `getParser`, `loadLanguage`, `extractFromTree`, `extractVueScript`, `extractVueTemplateRefs`, `extractVueCompositionApi`, `extractVueTemplateAst`, `spec` (+11 more)
 ## Files
 - src/parser/extract.ts
@@ -77,5 +77,6 @@ Contains 76 symbols (26 exported) across 15 files.
 - src/parser/lang-rust.ts
 - src/parser/lang-ts.ts
 - src/parser/lang-vue.ts
+- src/parser/language-provider.ts
 - src/parser/languages.ts
 - src/parser/loader.ts

package/.agents/skills/root/SKILL.md CHANGED Viewed

@@ -26,47 +26,47 @@ When working with code in **root/**, follow these mandatory safety rules:
 | See file symbols | `mcp_milens_get_file_symbols` |
 ## Overview
-Contains 204 symbols (153 exported) across 13 files.
+Contains 229 symbols (153 exported) across 13 files.
 ## Key Symbols
-- **`CodeSymbol`** [interface] (src/types.ts:8) — 41 refs
-- **`SymbolLink`** [interface] (src/types.ts:26) — 21 refs
-- **`isTestFile`** [function] (src/utils.ts:2) — 11 refs
-- **`RawCall`** [interface] (src/types.ts:44) — 7 refs
-- **`RawImport`** [interface] (src/types.ts:35) — 6 refs
+- **`CodeSymbol`** [interface] (src/types.ts:8) — 53 refs
+- **`SymbolLink`** [interface] (src/types.ts:26) — 24 refs
+- **`RawCall`** [interface] (src/types.ts:44) — 15 refs
+- **`isTestFile`** [function] (src/utils.ts:2) — 12 refs
+- **`RawImport`** [interface] (src/types.ts:35) — 9 refs
+- **`RawHeritage`** [interface] (src/types.ts:52) — 7 refs
 - **`ExtractionResult`** [interface] (src/types.ts:60) — 6 refs
+- **`RawTypeBinding`** [interface] (src/types.ts:80) — 6 refs
+- **`RawAssignmentBinding`** [interface] (src/types.ts:88) — 6 refs
+- **`RawReturnType`** [interface] (src/types.ts:96) — 5 refs
+- **`RawCallResultBinding`** [interface] (src/types.ts:104) — 5 refs
 - **`generateAgentsMd`** [function] (src/agents-md.ts:43) — 4 refs
 - **`computeMetrics`** [function] (src/metrics.ts:21) — 4 refs
 - **`formatMetricsReport`** [function] (src/metrics.ts:62) — 4 refs
 - **`MilensMetrics`** [interface] (src/metrics.ts:4) — 4 refs
-- **`generateSkills`** [function] (src/skills.ts:19) — 4 refs
-- **`RawHeritage`** [interface] (src/types.ts:52) — 4 refs
-- **`RawTypeBinding`** [interface] (src/types.ts:80) — 4 refs
-- **`RawAssignmentBinding`** [interface] (src/types.ts:88) — 4 refs
-- **`RawReturnType`** [interface] (src/types.ts:96) — 4 refs
 ## Entry Points
-- **`CodeSymbol`** [interface] — 41 incoming references
-- **`has`** [function] — 30 incoming references
-- **`SymbolLink`** [interface] — 21 incoming references
-- **`isTestFile`** [function] — 11 incoming references
-- **`RawCall`** [interface] — 7 incoming references
+- **`CodeSymbol`** [interface] — 53 incoming references
+- **`has`** [function] — 47 incoming references
+- **`SymbolLink`** [interface] — 24 incoming references
+- **`RawCall`** [interface] — 15 incoming references
+- **`isTestFile`** [function] — 12 incoming references
 ## Dependencies
-- **store**: `Database`, `RepoRegistry`, `AnnotationStore`, `runDecayPass`, `getIncomingLinks`, `getAllSymbols`, `getCodebaseSummary`, `register` (+25 more)
+- **store**: `Database`, `RepoRegistry`, `AnnotationStore`, `runDecayPass`, `getIncomingLinks`, `getAllSymbols`, `getCodebaseSummary`, `register` (+24 more)
 - **analyzer**: `loadAliases`, `analyze`, `resolve`, `clear`
 - **server**: `startHttp`, `startStdio`, `HookManager`, `get`, `enableHook`, `loadConfig`, `saveConfig`, `disableHook`
 - **security**: `loadRules`, `auditDependencies`
 - **orchestrator**: `Orchestrator`, `subscribe`, `runAndFormat`
+- **test**: `add`, `dbPath`
 - **scripts**: `outDir`
-- **test**: `dbPath`
 ## Used By
 - **analyzer**: `isTestFile`, `CodeSymbol`, `ExtractionResult`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding` (+8 more)
 - **orchestrator**: `CodeSymbol`, `has`
 - **parser**: `CodeSymbol`, `RawImport`, `RawCall`, `RawHeritage`, `RawReExport`, `RawTypeBinding`, `RawAssignmentBinding`, `RawReturnType` (+4 more)
 - **store**: `Annotation`, `AnnotationKey`, `Session`, `EvolutionEvent`, `CodeSymbol`, `SymbolLink`, `RepoEntry`, `has` (+1 more)
-- **test**: `generateAgentsMd`, `AnnotationKey`, `CodeSymbol`, `SymbolLink`, `computeMetrics`, `formatMetricsReport`, `MilensMetrics`, `RawImport` (+9 more)
+- **test**: `generateAgentsMd`, `AnnotationKey`, `CodeSymbol`, `SymbolLink`, `computeMetrics`, `formatMetricsReport`, `MilensMetrics`, `RawImport` (+17 more)
 - **security**: `has`
 - **server**: `has`
@@ -76,11 +76,11 @@ Contains 204 symbols (153 exported) across 13 files.
 - CONTRIBUTING.md
 - DEPLOY.md
 - README.md
-- milens-upgrade.md
 - src/agents-md.ts
 - src/cli.ts
 - src/metrics.ts
 - src/skills.ts
 - src/types.ts
+- src/uninstall.ts
 - src/utils.ts
 - vitest.config.ts

package/.agents/skills/security/SKILL.md CHANGED Viewed

@@ -53,6 +53,7 @@ Contains 35 symbols (15 exported) across 2 files.
 - **`parseDependencies`** [function] — 3 incoming references
 ## Dependencies
+- **test**: `add`
 - **root**: `has`
 ## Used By