mstro-app 0.4.4 → 0.4.11

package/server/services/plan/parser-core.ts

@@ -208,6 +208,13 @@ function optionalNumber(val: unknown): number | null {
   return val != null ? Number(val) : null;
 }
 
+function clampParallelAgents(val: unknown): number {
+  if (val == null) return 3;
+  const n = Number(val);
+  if (!Number.isFinite(n) || n < 1) return 3;
+  return Math.min(Math.round(n), 10);
+}
+
 export function parseProjectConfig(content: string): ProjectConfig {
   const { frontMatter, body } = parseFrontMatter(content);
   const sections = extractSections(body);
@@ -389,6 +396,7 @@ export function parseBoard(content: string, filePath: string): Board {
     completedAt: optionalString(fm.completed_at),
     goal: String(fm.goal || sections.get('Goal') || ''),
     executionSummary,
+    maxParallelAgents: clampParallelAgents(fm.max_parallel_agents),
     path: filePath,
   };
 }

package/server/services/plan/types.ts

@@ -119,6 +119,8 @@ export interface Board {
   completedAt: string | null;
   goal: string;
   executionSummary: BoardExecutionSummary | null;
+  /** Max parallel headless Claude Code instances per execution wave (default: 3) */
+  maxParallelAgents: number;
   path: string;
 }
 

package/server/services/platform.ts

@@ -72,6 +72,7 @@ export class PlatformConnection {
   private tokenRefreshInterval: ReturnType<typeof setInterval> | null = null
   private heartbeatInterval: ReturnType<typeof setInterval> | null = null
   private missedPongs = 0
+  private everConnected = false
   private readonly startedAt: string
 
   constructor(
@@ -228,13 +229,6 @@ export class PlatformConnection {
       }
     }
 
-    let everConnected = false
-    const originalOnConnected = this.callbacks.onConnected
-    this.callbacks.onConnected = (connectionId) => {
-      everConnected = true
-      originalOnConnected?.(connectionId)
-    }
-
     this.ws.onclose = (event) => {
       this.stopHeartbeat()
       this.isConnected = false
@@ -242,7 +236,7 @@ export class PlatformConnection {
       if (!this.isIntentionallyClosed) {
         const isAuthFailure = event.code === 4001 ||
           event.reason?.includes('Unauthorized') ||
-          (event.code === 1006 && !everConnected)
+          (event.code === 1006 && !this.everConnected)
 
         if (isAuthFailure) {
           console.error('\n❌ Authentication failed. Your device token may be invalid or expired.')
@@ -267,6 +261,7 @@ export class PlatformConnection {
     switch (message.type) {
       case 'paired':
         this.isConnected = true
+        this.everConnected = true
         this.connectionId = message.connectionId as string
         this.startHeartbeat()
         this.callbacks.onConnected?.(message.connectionId as string)

package/server/services/websocket/file-explorer-handlers.ts

@@ -93,9 +93,13 @@ export function handleFileExplorerMessage(ctx: HandlerContext, ws: WSContext, ms
       handleDeleteFile(ctx, ws, msg, tabId, workingDir);
     },
     renameFile: () => {
-      if (isSandboxed && msg.data?.filePath) {
-        const validation = validatePathWithinWorkingDir(msg.data.filePath, workingDir);
-        if (!validation.valid) { ctx.send(ws, { type: 'fileError', tabId, data: { operation: 'renameFile', path: msg.data.filePath, error: 'Sandboxed: path outside project directory' } }); return; }
+      if (isSandboxed) {
+        const oldValidation = msg.data?.oldPath ? validatePathWithinWorkingDir(msg.data.oldPath, workingDir) : { valid: false };
+        const newValidation = msg.data?.newPath ? validatePathWithinWorkingDir(msg.data.newPath, workingDir) : { valid: false };
+        if (!oldValidation.valid || !newValidation.valid) {
+          ctx.send(ws, { type: 'fileError', tabId, data: { operation: 'renameFile', path: msg.data?.oldPath || '', error: 'Sandboxed: path outside project directory' } });
+          return;
+        }
       }
       handleRenameFile(ctx, ws, msg, tabId, workingDir);
     },

package/server/services/websocket/git-handlers.ts

@@ -31,7 +31,7 @@ export async function handleGitMessage(ctx: HandlerContext, ws: WSContext, msg:
   const gitDir = ctx.gitDirectories.get(tabId) || workingDir;
 
   if (GIT_PR_TYPES.has(msg.type)) {
-    handleGitPRMessage(ctx, ws, msg, tabId, gitDir, workingDir);
+    await handleGitPRMessage(ctx, ws, msg, tabId, gitDir, workingDir);
     return;
   }
   if (GIT_WORKTREE_TYPES.has(msg.type)) {
@@ -39,7 +39,7 @@ export async function handleGitMessage(ctx: HandlerContext, ws: WSContext, msg:
     return;
   }
 
-  const handlers: Record<string, () => void> = {
+  const handlers: Record<string, () => Promise<void>> = {
     gitStatus: () => handleGitStatus(ctx, ws, tabId, gitDir),
     gitStage: () => handleGitStage(ctx, ws, msg, tabId, gitDir),
     gitUnstage: () => handleGitUnstage(ctx, ws, msg, tabId, gitDir),
@@ -61,7 +61,7 @@ export async function handleGitMessage(ctx: HandlerContext, ws: WSContext, msg:
     gitCreateTag: () => handleGitCreateTag(ctx, ws, msg, tabId, gitDir),
     gitPushTag: () => handleGitPushTag(ctx, ws, msg, tabId, gitDir),
   };
-  handlers[msg.type]?.();
+  await handlers[msg.type]?.();
 }
 
 export async function handleGitStatus(ctx: HandlerContext, ws: WSContext, tabId: string, workingDir: string): Promise<void> {

package/server/services/websocket/git-pr-handlers.ts

@@ -6,13 +6,13 @@ import { detectGitProvider, executeGitCommand, spawnCheck, spawnHaikuWithPrompt,
 import type { HandlerContext } from './handler-context.js';
 import type { WebSocketMessage, WSContext } from './types.js';
 
-export function handleGitPRMessage(ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage, tabId: string, gitDir: string, _workingDir: string): void {
-  const handlers: Record<string, () => void> = {
+export async function handleGitPRMessage(ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage, tabId: string, gitDir: string, _workingDir: string): Promise<void> {
+  const handlers: Record<string, () => Promise<void>> = {
     gitGetRemoteInfo: () => handleGitGetRemoteInfo(ctx, ws, tabId, gitDir),
     gitCreatePR: () => handleGitCreatePR(ctx, ws, msg, tabId, gitDir),
     gitGeneratePRDescription: () => handleGitGeneratePRDescription(ctx, ws, msg, tabId, gitDir),
   };
-  handlers[msg.type]?.();
+  await handlers[msg.type]?.();
 }
 
 async function handleGitGetRemoteInfo(ctx: HandlerContext, ws: WSContext, tabId: string, workingDir: string): Promise<void> {

package/server/services/websocket/handler.ts

@@ -215,6 +215,18 @@ export class WebSocketImproviseHandler implements HandlerContext {
   }
 
   handleClose(ws: WSContext): void {
+    // Destroy sessions owned by this connection to free interval timers
+    const tabMap = this.connections.get(ws);
+    if (tabMap) {
+      const sessionIds = new Set(tabMap.values());
+      for (const sessionId of sessionIds) {
+        const session = this.sessions.get(sessionId);
+        if (session) {
+          session.destroy();
+          this.sessions.delete(sessionId);
+        }
+      }
+    }
     this.connections.delete(ws);
     this.allConnections.delete(ws);
     cleanupTerminalSubscribers(this, ws);

package/server/services/websocket/quality-complexity.ts

@@ -1,8 +1,7 @@
 // Copyright (c) 2025-present Mstro, Inc. All rights reserved.
 // Licensed under the MIT License. See LICENSE file for details.
 
-import { existsSync } from 'node:fs';
-import { extname, join, relative } from 'node:path';
+import { extname, relative } from 'node:path';
 import { runCommand, type SourceFile } from './quality-tools.js';
 import { biomeDiagToFinding, type Ecosystem, FUNCTION_LENGTH_THRESHOLD, isBiomeComplexityDiagnostic, isEslintComplexityRule, type QualityFinding } from './quality-types.js';
 
@@ -162,9 +161,6 @@ function computeComplexityScore(findings: QualityFinding[]): number {
 }
 
 async function complexityFromBiome(dirPath: string): Promise<QualityFinding[] | null> {
-  const hasBiomeConfig = existsSync(join(dirPath, 'biome.json')) || existsSync(join(dirPath, 'biome.jsonc'));
-  if (!hasBiomeConfig) return null;
-
   const result = await runCommand('npx', ['@biomejs/biome', 'lint', '--reporter=json', '.'], dirPath);
   if (result.exitCode > 1) return null;
 
@@ -245,8 +241,10 @@ async function analyzeNodeComplexity(
   const hasCapableTool = !installed || installed.has('biome') || installed.has('eslint');
   if (!hasCapableTool) return null;
 
-  const hasBiomeConfig = existsSync(join(dirPath, 'biome.json')) || existsSync(join(dirPath, 'biome.jsonc'));
-  if (hasBiomeConfig) {
+  // Use installed tools list instead of config file presence.
+  // This fixes monorepo scenarios where biome.json is in a subdirectory.
+  const hasBiome = !installed || installed.has('biome');
+  if (hasBiome) {
     const findings = await complexityFromBiome(dirPath);
     if (findings) return findings;
   }

package/server/services/websocket/quality-linting.ts

@@ -1,8 +1,7 @@
 // Copyright (c) 2025-present Mstro, Inc. All rights reserved.
 // Licensed under the MIT License. See LICENSE file for details.
 
-import { existsSync } from 'node:fs';
-import { join, relative } from 'node:path';
+import { relative } from 'node:path';
 import { runCommand, type SourceFile } from './quality-tools.js';
 import { biomeDiagToFinding, type Ecosystem, isBiomeComplexityDiagnostic, isEslintComplexityRule, type QualityFinding } from './quality-types.js';
 
@@ -57,7 +56,7 @@ function processEslintMessage(
   else acc.warnings++;
   acc.findings.push({
     severity: msg.severity === 2 ? 'high' : 'medium',
-    category: 'linting',
+    category: 'lint',
     file: relative(dirPath, filePath),
     line: (msg.line as number) ?? null,
     title: (msg.ruleId as string) || 'Lint issue',
@@ -81,11 +80,17 @@ async function lintWithEslint(dirPath: string, acc: LintAccumulator): Promise<vo
   }
 }
 
-async function lintNode(dirPath: string, acc: LintAccumulator): Promise<void> {
-  const biomeConfig = existsSync(join(dirPath, 'biome.json')) || existsSync(join(dirPath, 'biome.jsonc'));
-  if (biomeConfig) {
+async function lintNode(dirPath: string, acc: LintAccumulator, installed: Set<string> | null): Promise<void> {
+  // Use installed tools list to decide which linter to run, not config file presence.
+  // This fixes monorepo scenarios where the config is in a subdirectory.
+  const hasBiome = !installed || installed.has('biome');
+  const hasEslint = !installed || installed.has('eslint');
+
+  if (hasBiome) {
     await lintWithBiome(dirPath, acc);
-  } else {
+    if (acc.ran) return;
+  }
+  if (hasEslint) {
     await lintWithEslint(dirPath, acc);
   }
 }
@@ -103,7 +108,7 @@ async function lintPython(dirPath: string, acc: LintAccumulator): Promise<void>
       else acc.warnings++;
       acc.findings.push({
         severity: sev,
-        category: 'linting',
+        category: 'lint',
         file: item.filename ? relative(dirPath, item.filename) : '',
         line: item.location?.row ?? null,
         title: item.code || 'Lint issue',
@@ -124,7 +129,7 @@ function processClippyMessage(msg: Record<string, unknown>, acc: LintAccumulator
   const code = message.code as Record<string, unknown> | undefined;
   acc.findings.push({
     severity: level === 'error' ? 'high' : 'medium',
-    category: 'linting',
+    category: 'lint',
     file: (span?.file_name as string) || '',
     line: (span?.line_start as number) ?? null,
     title: (code?.code as string) || 'Clippy',
@@ -164,10 +169,12 @@ export async function analyzeLinting(
   dirPath: string,
   ecosystems: Ecosystem[],
   files: SourceFile[],
+  installedToolNames?: string[],
 ): Promise<{ score: number; findings: QualityFinding[]; available: boolean; issueCount: number }> {
   const acc = newLintAccumulator();
+  const installed = installedToolNames ? new Set(installedToolNames) : null;
 
-  if (ecosystems.includes('node')) await lintNode(dirPath, acc);
+  if (ecosystems.includes('node')) await lintNode(dirPath, acc, installed);
   if (ecosystems.includes('python')) await lintPython(dirPath, acc);
   if (ecosystems.includes('rust')) await lintRust(dirPath, acc);
 

package/server/services/websocket/quality-review-agent.ts

@@ -29,28 +29,62 @@ export interface CodeReviewFinding {
 
 // ── Prompt ────────────────────────────────────────────────────
 
-export function buildCodeReviewPrompt(dirPath: string): string {
-  return `You are an expert code review agent. Your task is to perform a comprehensive, language-agnostic code review of the project in the current working directory.
+export function buildCodeReviewPrompt(dirPath: string, cliFindings?: Array<{ severity: string; category: string; file: string; line: number | null; title: string; description: string }>): string {
+  const cliFindingsSection = cliFindings && cliFindings.length > 0
+    ? `\n## CLI Tool Findings (already detected)\n\nThe following issues were found by automated CLI tools (linters, formatters, complexity analyzers). Review these for context — they are already included in the final report. Focus your analysis on DEEPER issues these tools cannot detect.\n\n${cliFindings.slice(0, 50).map((f, i) => `${i + 1}. [${f.severity.toUpperCase()}] ${f.category} — ${f.file}${f.line ? `:${f.line}` : ''} — ${f.title}: ${f.description}`).join('\n')}\n${cliFindings.length > 50 ? `\n...and ${cliFindings.length - 50} more issues from CLI tools.\n` : ''}`
+    : '';
 
-IMPORTANT: Your current working directory is "${dirPath}". Only review files within this directory. Do NOT traverse parent directories or review files outside this path.
+  return `You are a senior staff engineer performing a rigorous, honest code review. Your job is to surface the most impactful quality bottlenecks — the issues a principal engineer would flag in a code review. Be critical and objective. Do NOT inflate scores.
 
+IMPORTANT: Your current working directory is "${dirPath}". Only review files within this directory.
+${cliFindingsSection}
 ## Review Process
 
-1. **Discover**: Use Glob to find source files (e.g. "**/*.{ts,tsx,js,py,rs,go,java,rb,php}"). Understand the project structure. Only search within the current directory.
+1. **Discover**: Use Glob to find source files (e.g. "**/*.{ts,tsx,js,py,rs,go,java,rb,php}"). Understand the project structure.
 2. **Read**: Read the most important files — entry points, core modules, handlers, services. Prioritize files with recent git changes (\`git diff --name-only HEAD~5\` via Bash if available).
-3. **Analyze**: Look for real, actionable issues across these categories:
-   - **security**: Injection vulnerabilities (SQL, XSS, command), hardcoded secrets/credentials, auth bypasses, insecure crypto, path traversal, SSRF, unsafe deserialization
-   - **bugs**: Null/undefined errors, race conditions, logic errors, unhandled edge cases, off-by-one errors, resource leaks, incorrect error handling
-   - **performance**: N+1 queries, unnecessary re-renders, missing memoization, blocking I/O in hot paths, unbounded data structures, missing pagination
-   - **maintainability**: God functions (>100 lines), deep nesting (>4 levels), duplicated logic, missing error handling at system boundaries, tight coupling
+3. **Analyze**: Look for real, actionable issues across ALL of these categories:
+
+   ### Architecture
+   - What is the current architecture (monolith, microservices, layered, etc.)?
+   - Are there architectural violations? (e.g., presentation layer directly accessing data layer, circular dependencies between modules)
+   - Is there proper separation of concerns?
+   - Are there god objects or god modules that do too much?
+
+   ### SOLID / OOP Principles
+   - **SRP**: Classes/modules with multiple unrelated responsibilities
+   - **OCP**: Code that requires modification instead of extension for new features
+   - **LSP**: Subtypes that don't properly substitute for their base types
+   - **ISP**: Interfaces/contracts that force implementations to depend on methods they don't use
+   - **DIP**: High-level modules directly depending on low-level modules instead of abstractions
+
+   ### Security
+   - Injection vulnerabilities (SQL, XSS, command), hardcoded secrets/credentials, auth bypasses, insecure crypto, path traversal, SSRF, unsafe deserialization
+
+   ### Bugs & Logic
+   - Null/undefined errors, race conditions, logic errors, unhandled edge cases, off-by-one errors, resource leaks, incorrect error handling, incorrect algorithms
+
+   ### Performance
+   - N+1 queries, unnecessary re-renders, missing memoization, blocking I/O in hot paths, unbounded data structures, missing pagination
 
 ## Rules
 
 - Only report findings you are >80% confident about. No speculative or low-confidence issues.
-- Focus on bugs and security over style. Skip formatting, naming preferences, and minor nits.
+- Focus on architecture, SOLID violations, bugs, and security over style nits.
 - Each finding MUST reference a specific file and line number. Do not report vague or file-level issues.
-- Limit to the 20 most important findings, ranked by severity.
+- Limit to the 25 most important findings, ranked by severity.
 - Do NOT modify any files. This is a read-only review.
+- Be HONEST about the overall quality. A codebase with serious issues should score low.
+
+## Scoring Guidelines
+
+After your analysis, provide an honest overall quality score (0-100) and letter grade:
+- **A (90-100)**: Excellent — clean architecture, minimal issues, well-tested, follows best practices
+- **B (80-89)**: Good — solid code with minor issues, mostly well-structured
+- **C (70-79)**: Adequate — functional but has notable quality issues that should be addressed
+- **D (60-69)**: Below average — significant issues in architecture, testing, or code quality
+- **F (0-59)**: Poor — serious problems: security vulnerabilities, broken architecture, major bugs, or unmaintainable code
+
+Consider ALL findings (both CLI tool findings and your own) when determining the score. The score should reflect the overall state of the codebase honestly. A project with 50+ linting errors, formatting issues, complex functions, AND architectural problems should NOT score above 70.
 
 ## Output
 
@@ -58,10 +92,13 @@ After your analysis, output EXACTLY one JSON code block with your findings. No o
 
 \`\`\`json
 {
+  "score": 72,
+  "grade": "C",
+  "scoreRationale": "Brief explanation of why this score was given, referencing key issues",
   "findings": [
     {
       "severity": "critical|high|medium|low",
-      "category": "security|bugs|performance|maintainability",
+      "category": "architecture|oop|security|bugs|performance|logic",
       "file": "relative/path/to/file.ts",
       "line": 42,
       "title": "Short title describing the issue",
@@ -77,7 +114,7 @@ After your analysis, output EXACTLY one JSON code block with your findings. No o
 // ── Response parsing ──────────────────────────────────────────
 
 const VALID_SEVERITIES = new Set(['critical', 'high', 'medium', 'low']);
-const VALID_CATEGORIES = new Set(['security', 'bugs', 'performance', 'maintainability']);
+const VALID_CATEGORIES = new Set(['architecture', 'oop', 'security', 'bugs', 'performance', 'logic', 'maintainability']);
 
 function normalizeFinding(f: Record<string, unknown>): CodeReviewFinding | null {
   if (typeof f.file !== 'string' || typeof f.title !== 'string') return null;
@@ -105,7 +142,15 @@ function extractJson(response: string): string {
   return response.trim();
 }
 
-export function parseCodeReviewResponse(response: string): { findings: CodeReviewFinding[]; summary: string } {
+export interface CodeReviewResult {
+  findings: CodeReviewFinding[];
+  summary: string;
+  score: number | null;
+  grade: string | null;
+  scoreRationale: string | null;
+}
+
+export function parseCodeReviewResponse(response: string): CodeReviewResult {
   const jsonStr = extractJson(response);
 
   try {
@@ -113,9 +158,12 @@ export function parseCodeReviewResponse(response: string): { findings: CodeRevie
     const rawFindings: Record<string, unknown>[] = Array.isArray(parsed.findings) ? parsed.findings : [];
     const findings = rawFindings.map(normalizeFinding).filter((f): f is CodeReviewFinding => f !== null);
     const summary = typeof parsed.summary === 'string' ? parsed.summary : `Found ${findings.length} issue(s).`;
-    return { findings, summary };
+    const score = typeof parsed.score === 'number' ? Math.max(0, Math.min(100, Math.round(parsed.score))) : null;
+    const grade = typeof parsed.grade === 'string' ? parsed.grade : null;
+    const scoreRationale = typeof parsed.scoreRationale === 'string' ? parsed.scoreRationale : null;
+    return { findings, summary, score, grade, scoreRationale };
   } catch {
-    return { findings: [], summary: 'Failed to parse code review results.' };
+    return { findings: [], summary: 'Failed to parse code review results.', score: null, grade: null, scoreRationale: null };
   }
 }
 
@@ -180,9 +228,21 @@ export async function handleCodeReview(
       data: { path: reportPath, message: 'Starting AI code review...' },
     });
 
+    // Load CLI findings from the existing report to pass to the AI reviewer
+    let cliFindings: Array<{ severity: string; category: string; file: string; line: number | null; title: string; description: string }> | undefined;
+    try {
+      const persistence = getPersistence(workingDir);
+      const existingReport = persistence.loadReport(reportPath);
+      if (existingReport?.findings) {
+        cliFindings = existingReport.findings;
+      }
+    } catch {
+      // Continue without CLI findings if persistence fails
+    }
+
     const runner = new HeadlessRunner({
       workingDir: dirPath,
-      directPrompt: buildCodeReviewPrompt(dirPath),
+      directPrompt: buildCodeReviewPrompt(dirPath, cliFindings),
       stallWarningMs: 120_000,
       stallKillMs: 600_000,
       stallHardCapMs: 900_000,
@@ -213,27 +273,39 @@ export async function handleCodeReview(
     });
 
     const responseText = result.assistantResponse || '';
-    const { findings, summary } = parseCodeReviewResponse(responseText);
+    const reviewResult = parseCodeReviewResponse(responseText);
 
-    // Recompute overall score with AI review findings included
+    // Use AI-determined score if available, otherwise fall back to recomputation
     let updatedResults: import('./quality-service.js').QualityResults | null = null;
     try {
       const persistence = getPersistence(workingDir);
       const existingReport = persistence.loadReport(reportPath);
       if (existingReport) {
-        updatedResults = recomputeWithAiReview(existingReport, findings);
-        updatedResults = { ...updatedResults, codeReview: findings as unknown as typeof updatedResults.codeReview };
+        if (reviewResult.score !== null && reviewResult.grade !== null) {
+          // Use the AI-determined score and grade directly
+          updatedResults = {
+            ...existingReport,
+            overall: reviewResult.score,
+            grade: reviewResult.grade,
+            codeReview: reviewResult.findings as unknown as typeof existingReport.codeReview,
+            scoreRationale: reviewResult.scoreRationale ?? undefined,
+          };
+        } else {
+          // Fallback: recompute with weighted formula
+          updatedResults = recomputeWithAiReview(existingReport, reviewResult.findings);
+          updatedResults = { ...updatedResults, codeReview: reviewResult.findings as unknown as typeof updatedResults.codeReview };
+        }
         persistence.saveReport(reportPath, updatedResults);
         persistence.appendHistory(updatedResults, reportPath);
       }
-      persistence.saveCodeReview(reportPath, findings as unknown as Record<string, unknown>[], summary);
+      persistence.saveCodeReview(reportPath, reviewResult.findings as unknown as Record<string, unknown>[], reviewResult.summary);
     } catch {
       // Persistence failure should not break the review flow
     }
 
     ctx.send(ws, {
       type: 'qualityCodeReview',
-      data: { path: reportPath, findings, summary, results: updatedResults },
+      data: { path: reportPath, findings: reviewResult.findings, summary: reviewResult.summary, results: updatedResults },
     });
   } catch (error) {
     ctx.send(ws, {

package/server/services/websocket/quality-service.ts

@@ -15,51 +15,81 @@ export type { CategoryScore, QualityFinding, QualityResults, QualityTool, ScanPr
 // Formatting Analysis
 // ============================================================================
 
-async function analyzeFormatting(
-  dirPath: string,
-  ecosystems: Ecosystem[],
-  files: SourceFile[],
-): Promise<{ score: number; available: boolean; issueCount: number }> {
-  let totalFiles = 0;
-  let passingFiles = 0;
-  let ran = false;
-
-  if (ecosystems.includes('node')) {
-    const result = await runCommand('npx', ['prettier', '--check', '.'], dirPath);
-    ran = true;
-    const unformatted = result.stdout.split('\n').filter((l) => l.trim() && !l.startsWith('Checking'));
-    const nodeFiles = files.filter((f) => ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'].includes(extname(f.path)));
-    totalFiles += nodeFiles.length;
-    passingFiles += Math.max(0, nodeFiles.length - unformatted.length);
+interface FmtAccumulator {
+  totalFiles: number;
+  passingFiles: number;
+  ran: boolean;
+  findings: QualityFinding[];
+}
+
+function newFmtAccumulator(): FmtAccumulator {
+  return { totalFiles: 0, passingFiles: 0, ran: false, findings: [] };
+}
+
+async function fmtNode(dirPath: string, files: SourceFile[], acc: FmtAccumulator): Promise<void> {
+  const result = await runCommand('npx', ['prettier', '--check', '.'], dirPath);
+  acc.ran = true;
+  const unformatted = result.stdout.split('\n').filter((l) => l.trim() && !l.startsWith('Checking'));
+  const nodeFiles = files.filter((f) => ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'].includes(extname(f.path)));
+  acc.totalFiles += nodeFiles.length;
+  acc.passingFiles += Math.max(0, nodeFiles.length - unformatted.length);
+  for (const filePath of unformatted) {
+    if (!filePath.trim()) continue;
+    const rel = filePath.startsWith('/') ? filePath.replace(`${dirPath}/`, '') : filePath;
+    acc.findings.push({ severity: 'low', category: 'format', file: rel, line: null, title: 'File not formatted', description: 'Does not match Prettier formatting rules.' });
   }
+}
 
-  if (ecosystems.includes('python')) {
-    const result = await runCommand('black', ['--check', '--quiet', '.'], dirPath);
-    ran = true;
-    const pyFiles = files.filter((f) => ['.py', '.pyi'].includes(extname(f.path)));
-    totalFiles += pyFiles.length;
-    if (result.exitCode === 0) {
-      passingFiles += pyFiles.length;
-    } else {
-      const wouldReformat = (result.stderr.match(/would reformat/gi) || []).length;
-      passingFiles += Math.max(0, pyFiles.length - wouldReformat);
-    }
+async function fmtPython(dirPath: string, files: SourceFile[], acc: FmtAccumulator): Promise<void> {
+  const result = await runCommand('black', ['--check', '--quiet', '.'], dirPath);
+  acc.ran = true;
+  const pyFiles = files.filter((f) => ['.py', '.pyi'].includes(extname(f.path)));
+  acc.totalFiles += pyFiles.length;
+  if (result.exitCode === 0) {
+    acc.passingFiles += pyFiles.length;
+    return;
   }
+  const reformatLines = result.stderr.split('\n').filter((l) => l.includes('would reformat'));
+  acc.passingFiles += Math.max(0, pyFiles.length - reformatLines.length);
+  for (const line of reformatLines) {
+    const match = line.match(/would reformat (.+)/);
+    if (match) acc.findings.push({ severity: 'low', category: 'format', file: match[1].trim(), line: null, title: 'File not formatted', description: 'Does not match Black formatting rules.' });
+  }
+}
 
-  if (ecosystems.includes('rust')) {
-    const result = await runCommand('cargo', ['fmt', '--check'], dirPath);
-    ran = true;
-    const rsFiles = files.filter((f) => extname(f.path) === '.rs');
-    totalFiles += rsFiles.length;
-    if (result.exitCode === 0) passingFiles += rsFiles.length;
+async function fmtRust(dirPath: string, files: SourceFile[], acc: FmtAccumulator): Promise<void> {
+  const result = await runCommand('cargo', ['fmt', '--check'], dirPath);
+  acc.ran = true;
+  const rsFiles = files.filter((f) => extname(f.path) === '.rs');
+  acc.totalFiles += rsFiles.length;
+  if (result.exitCode === 0) {
+    acc.passingFiles += rsFiles.length;
+    return;
+  }
+  const diffLines = result.stdout.split('\n').filter((l) => l.startsWith('Diff in'));
+  for (const line of diffLines) {
+    const match = line.match(/Diff in (.+?) at/);
+    if (match) acc.findings.push({ severity: 'low', category: 'format', file: match[1].trim(), line: null, title: 'File not formatted', description: 'Does not match rustfmt formatting rules.' });
   }
+}
+
+async function analyzeFormatting(
+  dirPath: string,
+  ecosystems: Ecosystem[],
+  files: SourceFile[],
+): Promise<{ score: number; available: boolean; issueCount: number; findings: QualityFinding[] }> {
+  const acc = newFmtAccumulator();
+
+  if (ecosystems.includes('node')) await fmtNode(dirPath, files, acc);
+  if (ecosystems.includes('python')) await fmtPython(dirPath, files, acc);
+  if (ecosystems.includes('rust')) await fmtRust(dirPath, files, acc);
 
-  if (!ran || totalFiles === 0) {
-    return { score: 0, available: false, issueCount: 0 };
+  if (!acc.ran || acc.totalFiles === 0) {
+    return { score: 0, available: false, issueCount: 0, findings: [] };
   }
 
-  const score = Math.round((passingFiles / totalFiles) * 100);
-  return { score, available: true, issueCount: totalFiles - passingFiles };
+  const score = Math.round((acc.passingFiles / acc.totalFiles) * 100);
+  return { score, available: true, issueCount: acc.totalFiles - acc.passingFiles, findings: acc.findings.slice(0, 50) };
 }
 
 // ============================================================================
@@ -195,7 +225,7 @@ export async function runQualityScan(
   progress('Running linters', 2);
   const hasLinter = !installedSet || hasInstalledToolInCategory(installedSet, ecosystems, 'linter');
   const lintResult = hasLinter
-    ? await analyzeLinting(dirPath, ecosystems, files)
+    ? await analyzeLinting(dirPath, ecosystems, files, installedToolNames)
     : { score: 0, findings: [], available: false, issueCount: 0 };
 
   // Step 3: Check formatting (only if a formatter is installed)
@@ -203,7 +233,7 @@ export async function runQualityScan(
   const hasFormatter = !installedSet || hasInstalledToolInCategory(installedSet, ecosystems, 'formatter');
   const fmtResult = hasFormatter
     ? await analyzeFormatting(dirPath, ecosystems, files)
-    : { score: 0, available: false, issueCount: 0 };
+    : { score: 0, available: false, issueCount: 0, findings: [] as QualityFinding[] };
 
   // Step 4: Analyze complexity (using real tools: Biome, ESLint, radon)
   progress('Analyzing complexity', 4);
@@ -274,6 +304,7 @@ export async function runQualityScan(
   const overall = computeOverallScore(categories);
   const allFindings = [
     ...lintResult.findings,
+    ...fmtResult.findings,
     ...complexityResult.findings,
     ...fileLengthResult.findings,
     ...funcLengthResult.findings,

package/server/services/websocket/quality-types.ts

@@ -42,6 +42,8 @@ export interface QualityResults {
   totalLines: number;
   timestamp: string;
   ecosystem: string[];
+  /** AI-generated rationale for the score */
+  scoreRationale?: string;
 }
 
 export interface ScanProgress {

package/server/services/websocket/session-handlers.ts

@@ -201,7 +201,10 @@ export function handleSessionMessage(ctx: HandlerContext, ws: WSContext, msg: We
     }
     case 'new': {
       const oldSession = requireSession(ctx, ws, tabId);
+      const oldSessionId = oldSession.getSessionInfo().sessionId;
       const newSession = oldSession.startNewSession({ model: getModel() });
+      oldSession.destroy();
+      ctx.sessions.delete(oldSessionId);
       setupSessionListeners(ctx, newSession, ws, tabId);
       const newSessionId = newSession.getSessionInfo().sessionId;
       ctx.sessions.set(newSessionId, newSession);