nexus-agents 2.29.0 → 2.29.1

package/dist/chunk-2UR7YN6T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/mcp/tools/scanner-registry-fetcher.ts","../src/mcp/tools/repo-security-plan-fallback.ts","../src/mcp/tools/repo-security-plan.ts"],"sourcesContent":["/**\n * nexus-agents/mcp - Scanner Registry Fetcher\n *\n * Fetches the scanner-registry.json manifest from the\n * vulnerability-scanner-registry GitHub Releases at runtime.\n * Uses a TTL cache and falls back to embedded data on failure.\n *\n * @module mcp/tools/scanner-registry-fetcher\n * (Source: Consensus vote — externalize scanner registry, 6-0 unanimous)\n */\n\nimport { z } from 'zod';\nimport { createLogger } from '../../core/index.js';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A scanner entry from the registry manifest. */\nexport interface RegistryScanner {\n  readonly name: string;\n  readonly displayName: string;\n  readonly categories: readonly string[];\n  readonly license: string;\n  readonly pricingModel: string;\n  readonly relationships?: readonly RegistryRelationship[] | undefined;\n}\n\n/** A relationship edge between scanners. */\nexport interface RegistryRelationship {\n  readonly target: string;\n  readonly type: 'uses' | 'supersedes' | 'bundles' | 'competes-with';\n}\n\n/** Language matrix: category → scanner names. */\nexport interface LanguageMatrixEntry {\n  readonly sast?: readonly string[] | undefined;\n  readonly sca?: readonly string[] | undefined;\n  readonly secrets?: readonly string[] | undefined;\n  readonly container?: readonly string[] | undefined;\n  readonly iac?: readonly string[] | undefined;\n  readonly dast?: readonly string[] | undefined;\n}\n\n/** The full registry manifest shape. */\nexport interface ScannerRegistryManifest {\n  readonly version: string;\n  readonly generatedAt: string;\n  readonly scanners: readonly RegistryScanner[];\n  readonly languageMatrix: Readonly<Record<string, LanguageMatrixEntry>>;\n}\n\n// ============================================================================\n// Zod Schema for Validation\n// ============================================================================\n\nconst RelationshipSchema = z.object({\n  target: z.string().min(1),\n  type: z.enum(['uses', 'supersedes', 'bundles', 'competes-with']),\n});\n\nconst ScannerSchema = z.object({\n  name: z.string().min(1),\n  displayName: z.string().min(1),\n  categories: z.array(z.string().min(1)),\n  license: z.string().min(1),\n  pricingModel: z.string().min(1),\n  relationships: z.array(RelationshipSchema).optional(),\n});\n\nconst LanguageMatrixEntrySchema = z\n  .object({\n    sast: z.array(z.string()).optional(),\n    sca: z.array(z.string()).optional(),\n    secrets: z.array(z.string()).optional(),\n    container: z.array(z.string()).optional(),\n    iac: z.array(z.string()).optional(),\n    dast: z.array(z.string()).optional(),\n  })\n  .loose();\n\nconst ManifestSchema = z.object({\n  version: z.string().min(1),\n  generatedAt: z.string().min(1),\n  scanners: z.array(ScannerSchema),\n  languageMatrix: z.record(z.string().max(50), LanguageMatrixEntrySchema),\n});\n\n// ============================================================================\n// Cache\n// ============================================================================\n\ninterface CacheEntry {\n  manifest: ScannerRegistryManifest;\n  fetchedAt: number;\n  releaseTag: string;\n}\n\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\nlet cachedEntry: CacheEntry | null = null;\n\n/** Inflight fetch promise for probe coalescing (#1448). */\nlet inflightFetch: Promise<ScannerRegistryManifest | null> | undefined;\n\n/** Clear the cache and inflight state (for testing). */\nexport function clearRegistryCache(): void {\n  cachedEntry = null;\n  inflightFetch = undefined;\n}\n\n// ============================================================================\n// Fetcher\n// ============================================================================\n\nconst REGISTRY_REPO = 'williamzujkowski/vulnerability-scanner-registry';\nconst FETCH_TIMEOUT_MS = 10_000;\n\n/** Promisified execFile signature used by fetcher helpers. */\ntype ExecFileAsync = (\n  file: string,\n  args: readonly string[],\n  options: { timeout?: number; maxBuffer?: number }\n) => Promise<{ stdout: string; stderr: string }>;\n\nconst logger = createLogger({ component: 'scanner-registry-fetcher' });\n\n/** Get the latest release tag name (lightweight check, no download). */\nasync function getLatestReleaseTag(execFileAsync: ExecFileAsync): Promise<string | null> {\n  const { stdout } = await execFileAsync(\n    'gh',\n    ['release', 'view', '--repo', REGISTRY_REPO, '--json', 'tagName', '--jq', '.tagName'],\n    { timeout: FETCH_TIMEOUT_MS }\n  );\n  return stdout.trim() || null;\n}\n\n/** Download and parse the full manifest. */\nasync function downloadManifest(\n  execFileAsync: ExecFileAsync\n): Promise<ScannerRegistryManifest | null> {\n  const { stdout } = await execFileAsync(\n    'gh',\n    [\n      'release',\n      'download',\n      '--repo',\n      REGISTRY_REPO,\n      '--pattern',\n      'scanner-registry.json',\n      '--output',\n      '-',\n    ],\n    { timeout: FETCH_TIMEOUT_MS, maxBuffer: 1024 * 1024 }\n  );\n\n  let jsonData: unknown;\n  try {\n    jsonData = JSON.parse(stdout);\n  } catch {\n    logger.warn('Registry manifest is not valid JSON', {\n      stdoutLength: stdout.length,\n      preview: stdout.slice(0, 100),\n    });\n    return null;\n  }\n\n  const parsed = ManifestSchema.safeParse(jsonData);\n  if (!parsed.success) {\n    logger.warn('Registry manifest failed schema validation', {\n      errors: parsed.error.issues.slice(0, 3),\n    });\n    return null;\n  }\n\n  logger.info('Fetched scanner registry manifest', {\n    version: parsed.data.version,\n    scanners: parsed.data.scanners.length,\n    languages: Object.keys(parsed.data.languageMatrix).length,\n  });\n  return parsed.data;\n}\n\n/**\n * Fetch the scanner registry manifest from GitHub Releases.\n * If we have a cached version and the release tag hasn't changed,\n * just refreshes the cache timer (no download).\n */\nasync function fetchManifestFromGitHub(): Promise<ScannerRegistryManifest | null> {\n  try {\n    const { execFile } = await import('node:child_process');\n    const { promisify } = await import('node:util');\n    const execFileAsync = promisify(execFile);\n\n    const tag = await getLatestReleaseTag(execFileAsync);\n    if (tag === null) {\n      logger.warn('No releases found in scanner registry');\n      return null;\n    }\n\n    // If cached version matches the latest tag, refresh timer only\n    if (cachedEntry !== null && cachedEntry.releaseTag === tag) {\n      logger.debug('Scanner registry unchanged, refreshing cache timer', { tag });\n      cachedEntry = { ...cachedEntry, fetchedAt: Date.now() };\n      return cachedEntry.manifest;\n    }\n\n    // New release — download full manifest\n    const manifest = await downloadManifest(execFileAsync);\n    if (manifest !== null) {\n      cachedEntry = { manifest, fetchedAt: Date.now(), releaseTag: tag };\n    }\n    return manifest;\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    logger.debug('Failed to fetch scanner registry', { error: msg });\n    return null;\n  }\n}\n\n/**\n * Get the scanner registry, fetching from GitHub if cache is stale.\n * Returns null if no cached data and fetch fails.\n */\nexport async function getRegistryManifest(): Promise<ScannerRegistryManifest | null> {\n  // Check cache\n  if (cachedEntry !== null) {\n    const age = Date.now() - cachedEntry.fetchedAt;\n    if (age < CACHE_TTL_MS) {\n      return cachedEntry.manifest;\n    }\n  }\n\n  // Coalesce concurrent fetches — only one inflight request at a time (#1448)\n  inflightFetch ??= fetchManifestFromGitHub().finally(() => {\n    inflightFetch = undefined;\n  });\n  const manifest = await inflightFetch;\n  if (manifest !== null) {\n    return manifest;\n  }\n\n  // Return stale cache if available\n  if (cachedEntry !== null) {\n    logger.warn('Using stale cached registry manifest');\n    return cachedEntry.manifest;\n  }\n\n  return null;\n}\n\n/**\n * Extract scanners from manifest into the format expected by plan builder.\n */\nexport function extractScannerEntries(\n  manifest: ScannerRegistryManifest\n): readonly RegistryScanner[] {\n  return manifest.scanners;\n}\n\n/**\n * Extract language matrix, normalizing to consistent category keys.\n */\nexport function extractLanguageMatrix(\n  manifest: ScannerRegistryManifest\n): Readonly<Record<string, LanguageMatrixEntry>> {\n  return manifest.languageMatrix;\n}\n","/**\n * nexus-agents/mcp - Fallback Scanner Data\n *\n * Embedded snapshot of the vulnerability-scanner-registry manifest.\n * Used when the live registry fetch fails (network issues, gh CLI\n * unavailable, etc.). Updated periodically from the canonical\n * registry at github.com/williamzujkowski/vulnerability-scanner-registry.\n *\n * @module mcp/tools/repo-security-plan-fallback\n * (Source: Consensus vote — externalize scanner registry, 6-0 unanimous)\n */\n\nimport type { ScannerData } from './repo-security-plan.js';\n\n// ============================================================================\n// Fallback Scanner Entries (27 scanners)\n// ============================================================================\n\nconst FALLBACK_SCANNERS: ScannerData['scanners'] = [\n  {\n    name: 'semgrep',\n    displayName: 'Semgrep',\n    categories: ['sast', 'secrets'],\n    license: 'LGPL-2.1',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'codeql',\n    displayName: 'CodeQL',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'bandit',\n    displayName: 'Bandit',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'gosec',\n    displayName: 'Gosec',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'brakeman',\n    displayName: 'Brakeman',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'phpstan',\n    displayName: 'PHPStan',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'shellcheck',\n    displayName: 'ShellCheck',\n    categories: ['sast'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'cppcheck',\n    displayName: 'Cppcheck',\n    categories: ['sast'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'detekt',\n    displayName: 'detekt',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'spotbugs',\n    displayName: 'SpotBugs',\n    categories: ['sast'],\n    license: 'LGPL-2.1',\n    pricingModel: 'free',\n  },\n  {\n    name: 'eslint-security',\n    displayName: 'eslint-plugin-security',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'sonarqube',\n    displayName: 'SonarQube',\n    categories: ['sast', 'sca'],\n    license: 'LGPL-3.0',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'osv-scanner',\n    displayName: 'OSV-Scanner',\n    categories: ['sca', 'container', 'iac', 'sbom'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'grype',\n    displayName: 'Grype',\n    categories: ['sca', 'container'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'snyk',\n    displayName: 'Snyk',\n    categories: ['sca', 'sast', 'container'],\n    license: 'Proprietary',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'npm-audit',\n    displayName: 'npm audit',\n    categories: ['sca'],\n    license: 'Artistic-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'pip-audit',\n    displayName: 'pip-audit',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'cargo-audit',\n    displayName: 'cargo-audit',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'bundler-audit',\n    displayName: 'bundler-audit',\n    categories: ['sca'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'govulncheck',\n    displayName: 'govulncheck',\n    categories: ['sca'],\n    license: 'BSD-3-Clause',\n    pricingModel: 'free',\n  },\n  {\n    name: 'owasp-dependency-check',\n    displayName: 'OWASP Dependency-Check',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'gitleaks',\n    displayName: 'Gitleaks',\n    categories: ['secrets'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'trufflehog',\n    displayName: 'TruffleHog',\n    categories: ['secrets'],\n    license: 'AGPL-3.0',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'checkov',\n    displayName: 'Checkov',\n    categories: ['iac', 'sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'tfsec',\n    displayName: 'tfsec',\n    categories: ['iac'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'owasp-zap',\n    displayName: 'OWASP ZAP',\n    categories: ['dast', 'api'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'syft',\n    displayName: 'Syft',\n    categories: ['sbom'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'grype-image',\n    displayName: 'Grype (image scan)',\n    categories: ['image-currency', 'container'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n];\n\n// ============================================================================\n// Fallback Language Map (16 languages)\n// ============================================================================\n\nconst FALLBACK_LANGUAGE_MAP: ScannerData['languageMap'] = {\n  TypeScript: {\n    sast: ['semgrep', 'eslint-security', 'codeql'],\n    sca: ['npm-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  JavaScript: {\n    sast: ['semgrep', 'eslint-security', 'codeql'],\n    sca: ['npm-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Python: {\n    sast: ['bandit', 'semgrep', 'codeql'],\n    sca: ['pip-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Java: {\n    sast: ['codeql', 'semgrep', 'spotbugs'],\n    sca: ['owasp-dependency-check', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Go: {\n    sast: ['gosec', 'semgrep', 'codeql'],\n    sca: ['govulncheck', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Ruby: {\n    sast: ['brakeman', 'semgrep', 'codeql'],\n    sca: ['bundler-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  PHP: {\n    sast: ['phpstan', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  'C#': {\n    sast: ['codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  C: {\n    sast: ['cppcheck', 'codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  'C++': {\n    sast: ['cppcheck', 'codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Rust: {\n    sast: ['semgrep'],\n    sca: ['cargo-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Kotlin: {\n    sast: ['detekt', 'semgrep', 'codeql'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Swift: {\n    sast: ['codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Scala: {\n    sast: ['semgrep', 'spotbugs'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Shell: {\n    sast: ['shellcheck', 'semgrep'],\n    sca: [],\n    secrets: ['gitleaks'],\n  },\n  HCL: {\n    sast: ['checkov', 'tfsec'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n};\n\n// ============================================================================\n// Exported Fallback\n// ============================================================================\n\n/** Embedded scanner data snapshot used when live registry is unavailable. */\nexport const FALLBACK_SCANNER_DATA: ScannerData = {\n  scanners: FALLBACK_SCANNERS,\n  languageMap: FALLBACK_LANGUAGE_MAP,\n  source: 'fallback',\n};\n","/**\n * nexus-agents/mcp - Repository Security Plan Logic\n *\n * Generates a language-aware security scanning pipeline recommendation\n * by composing repo_analyze output with scanner registry data.\n * Fetches fresh data from vulnerability-scanner-registry GitHub Releases;\n * falls back to embedded snapshot if fetch fails.\n *\n * @module mcp/tools/repo-security-plan\n * (Source: Issue #1079, externalization vote 6-0 unanimous)\n */\n\nimport type { RepoAnalysis } from './repo-analyze-types.js';\nimport type {\n  RepoSecurityPlanInput,\n  RepoSecurityPlan,\n  ScannerRecommendation,\n  ConflictWarning,\n  CoverageAnalysis,\n} from './repo-security-plan-types.js';\nimport { analyzeGitHubRepo } from './repo-analyze.js';\nimport { getRegistryManifest } from './scanner-registry-fetcher.js';\nimport type { RegistryScanner, LanguageMatrixEntry } from './scanner-registry-fetcher.js';\nimport { FALLBACK_SCANNER_DATA } from './repo-security-plan-fallback.js';\nimport { createLogger } from '../../core/index.js';\n\nconst logger = createLogger({ component: 'repo-security-plan' });\n\n// ============================================================================\n// Scanner Data Interface (common shape for fetched + fallback)\n// ============================================================================\n\n/** Internal scanner entry used by plan builder. */\nexport interface ScannerEntry {\n  readonly name: string;\n  readonly displayName: string;\n  readonly categories: readonly string[];\n  readonly license: string;\n  readonly pricingModel: string;\n  readonly supersedes?: readonly string[];\n}\n\n/** Language mapping: category → scanner names. */\ninterface LanguageMapping {\n  readonly sast: readonly string[];\n  readonly sca: readonly string[];\n  readonly secrets: readonly string[];\n}\n\n/** Resolved scanner data for plan building. */\nexport interface ScannerData {\n  readonly scanners: readonly ScannerEntry[];\n  readonly languageMap: Readonly<Record<string, LanguageMapping>>;\n  readonly source: 'registry' | 'fallback';\n}\n\n// Re-export for consumers\nexport { FALLBACK_SCANNER_DATA } from './repo-security-plan-fallback.js';\n\n// ============================================================================\n// Registry → ScannerData Conversion\n// ============================================================================\n\nfunction convertRegistryScanner(s: RegistryScanner): ScannerEntry {\n  const supersedes = s.relationships?.filter((r) => r.type === 'supersedes').map((r) => r.target);\n  return {\n    name: s.name,\n    displayName: s.displayName,\n    categories: s.categories,\n    license: s.license,\n    pricingModel: s.pricingModel,\n    ...(supersedes !== undefined && supersedes.length > 0 ? { supersedes } : {}),\n  };\n}\n\n/** Known PascalCase language names from GitHub API. Handles registry keys like \"typescript\" → \"TypeScript\". */\nconst LANGUAGE_PASCAL_MAP: Readonly<Record<string, string>> = {\n  typescript: 'TypeScript',\n  javascript: 'JavaScript',\n  python: 'Python',\n  java: 'Java',\n  csharp: 'C#',\n  'c#': 'C#',\n  cpp: 'C++',\n  'c++': 'C++',\n  go: 'Go',\n  rust: 'Rust',\n  ruby: 'Ruby',\n  php: 'PHP',\n  swift: 'Swift',\n  kotlin: 'Kotlin',\n  scala: 'Scala',\n  hcl: 'HCL',\n  shell: 'Shell',\n  dockerfile: 'Dockerfile',\n};\n\nfunction normalizeLangName(lang: string): string {\n  const lower = lang.toLowerCase();\n  return LANGUAGE_PASCAL_MAP[lower] ?? lang.charAt(0).toUpperCase() + lang.slice(1);\n}\n\nfunction convertLanguageMatrix(\n  matrix: Readonly<Record<string, LanguageMatrixEntry>>\n): Record<string, LanguageMapping> {\n  const result: Record<string, LanguageMapping> = {};\n  for (const [lang, entry] of Object.entries(matrix)) {\n    // Normalize language name to PascalCase (GitHub API returns PascalCase like \"TypeScript\")\n    const normalized = normalizeLangName(lang);\n    result[normalized] = {\n      sast: entry.sast ?? [],\n      sca: entry.sca ?? [],\n      secrets: entry.secrets ?? [],\n    };\n  }\n  return result;\n}\n\n/** Resolve scanner data: fetch from registry, fall back to embedded. */\nexport async function resolveScannerData(): Promise<ScannerData> {\n  const manifest = await getRegistryManifest();\n  if (manifest !== null) {\n    logger.info('Using live scanner registry', {\n      version: manifest.version,\n      scanners: manifest.scanners.length,\n    });\n    return {\n      scanners: manifest.scanners.map(convertRegistryScanner),\n      languageMap: convertLanguageMatrix(manifest.languageMatrix),\n      source: 'registry',\n    };\n  }\n\n  logger.info('Using fallback scanner data');\n  return FALLBACK_SCANNER_DATA;\n}\n\n// ============================================================================\n// CI Snippet Generation (GitHub Actions only for v1)\n// ============================================================================\n\nconst CI_SNIPPETS: Readonly<Record<string, string>> = {\n  semgrep: '- uses: semgrep/semgrep-action@v1\\n  with:\\n    config: auto',\n  codeql: '- uses: github/codeql-action/analyze@v3',\n  grype: '- uses: anchore/scan-action@v4\\n  with:\\n    path: .',\n  'grype-image':\n    '- uses: anchore/scan-action@v4\\n  with:\\n    image: ${{ env.IMAGE_TAG }}\\n    severity: CRITICAL,HIGH\\n    exit-code: 1',\n  gitleaks: '- uses: gitleaks/gitleaks-action@v2',\n  bandit: '- run: pip install bandit && bandit -r . -f json',\n  gosec: '- uses: securego/gosec@master\\n  with:\\n    args: ./...',\n  checkov: '- uses: bridgecrewio/checkov-action@master',\n  'osv-scanner': '- uses: google/osv-scanner-action@v1',\n  snyk: '- uses: snyk/actions/node@master # adjust for language',\n  shellcheck: '- uses: ludeeus/action-shellcheck@master',\n};\n\nfunction generateCiSnippet(name: string, ci: string | null): string | null {\n  if (ci !== 'github-actions') return null;\n  return CI_SNIPPETS[name] ?? null;\n}\n\n// ============================================================================\n// Helper Functions\n// ============================================================================\n\nfunction findScanner(name: string, scanners: readonly ScannerEntry[]): ScannerEntry | undefined {\n  return scanners.find((s) => s.name === name);\n}\n\nfunction isAlreadyUsed(name: string, existing: readonly string[]): boolean {\n  return existing.some((t) => t.toLowerCase().includes(name.toLowerCase()));\n}\n\n/** Context passed to recommendation collectors. */\ninterface RecContext {\n  readonly existing: readonly string[];\n  readonly ciProvider: string | null;\n  readonly language: string | null;\n  readonly categoryFilter: ReadonlySet<string> | null;\n  readonly maxScanners: number;\n  readonly scanners: readonly ScannerEntry[];\n}\n\n/** Options for collecting recommendations in a single category. */\ninterface CategoryRecOptions {\n  readonly names: readonly string[];\n  readonly category: string;\n  readonly rationale: (entry: ScannerEntry) => string;\n  readonly priority: 'critical' | 'recommended';\n  readonly ctx: RecContext;\n}\n\n/** Collect recommendations for a single category. */\nfunction collectCategoryRecs(recs: ScannerRecommendation[], opts: CategoryRecOptions): void {\n  for (const name of opts.names) {\n    if (recs.length >= opts.ctx.maxScanners) break;\n    if (isAlreadyUsed(name, opts.ctx.existing)) continue;\n    const entry = findScanner(name, opts.ctx.scanners);\n    if (!entry) continue;\n    if (opts.ctx.categoryFilter && !opts.ctx.categoryFilter.has(opts.category)) continue;\n    const isFirst = opts.category === 'sast' && recs.length === 0;\n    recs.push({\n      name,\n      displayName: entry.displayName,\n      category: opts.category,\n      license: entry.license,\n      pricingModel: entry.pricingModel,\n      rationale: opts.rationale(entry),\n      priority: isFirst ? 'critical' : opts.priority,\n      ciSnippet: generateCiSnippet(name, opts.ctx.ciProvider),\n    });\n  }\n}\n\n/** Collect language-specific recommendations (SAST + SCA + secrets). */\nfunction collectLanguageRecs(\n  langMap: LanguageMapping,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  const lang = ctx.language ?? 'unknown';\n  collectCategoryRecs(recs, {\n    names: langMap.sast,\n    category: 'sast',\n    rationale: (e) => `${e.displayName} provides SAST for ${lang}`,\n    priority: 'recommended',\n    ctx,\n  });\n  collectCategoryRecs(recs, {\n    names: langMap.sca,\n    category: 'sca',\n    rationale: (e) => `${e.displayName} provides SCA for ${lang} dependencies`,\n    priority: 'critical',\n    ctx,\n  });\n  collectCategoryRecs(recs, {\n    names: langMap.secrets,\n    category: 'secrets',\n    rationale: () => 'Detects leaked credentials and API keys in source code',\n    priority: 'critical',\n    ctx,\n  });\n}\n\n/** Try to add a single scanner if not already present. */\nfunction tryAddScanner(\n  scannerName: string,\n  category: string,\n  rationale: string,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  if (recs.length >= ctx.maxScanners) return;\n  if (ctx.categoryFilter && !ctx.categoryFilter.has(category)) return;\n  if (isAlreadyUsed(scannerName, ctx.existing)) return;\n  if (recs.some((r) => r.name === scannerName)) return;\n  const entry = findScanner(scannerName, ctx.scanners);\n  if (!entry) return;\n  recs.push({\n    name: scannerName,\n    displayName: entry.displayName,\n    category,\n    license: entry.license,\n    pricingModel: entry.pricingModel,\n    rationale,\n    priority: 'recommended',\n    ciSnippet: generateCiSnippet(scannerName, ctx.ciProvider),\n  });\n}\n\n// ============================================================================\n// Conflict Detection\n// ============================================================================\n\nfunction detectConflicts(\n  recs: readonly ScannerRecommendation[],\n  scanners: readonly ScannerEntry[]\n): readonly ConflictWarning[] {\n  const warnings: ConflictWarning[] = [];\n  const names = new Set(recs.map((r) => r.name));\n  detectSuperseded(names, scanners, warnings);\n  detectRedundant(recs, warnings);\n  return warnings;\n}\n\nfunction detectSuperseded(\n  names: ReadonlySet<string>,\n  scanners: readonly ScannerEntry[],\n  warnings: ConflictWarning[]\n): void {\n  for (const scanner of scanners) {\n    if (!names.has(scanner.name)) continue;\n    if (!scanner.supersedes) continue;\n    for (const old of scanner.supersedes) {\n      if (names.has(old)) {\n        warnings.push({\n          scanners: [old, scanner.name],\n          type: 'superseded',\n          recommendation: `${scanner.displayName} supersedes ${old}. Remove ${old}.`,\n        });\n      }\n    }\n  }\n}\n\nfunction detectRedundant(\n  recs: readonly ScannerRecommendation[],\n  warnings: ConflictWarning[]\n): void {\n  const catMap = new Map<string, string[]>();\n  for (const rec of recs) {\n    const arr = catMap.get(rec.category) ?? [];\n    arr.push(rec.name);\n    catMap.set(rec.category, arr);\n  }\n  for (const [cat, scanners] of catMap) {\n    if (scanners.length > 2) {\n      const count = String(scanners.length);\n      warnings.push({\n        scanners,\n        type: 'redundant',\n        recommendation: `${count} scanners for ${cat}. Consider keeping top 2.`,\n      });\n    }\n  }\n}\n\n// ============================================================================\n// Coverage Analysis\n// ============================================================================\n\nconst ALL_CATEGORIES = ['sast', 'dast', 'sca', 'secrets', 'container', 'iac', 'image-currency'];\n\nfunction buildCoverage(\n  recs: readonly ScannerRecommendation[],\n  existing: readonly string[],\n  scanners: readonly ScannerEntry[]\n): readonly CoverageAnalysis[] {\n  return ALL_CATEGORIES.map((cat) => {\n    const found = recs.filter((r) => r.category === cat).map((r) => r.name);\n    const existingMatch = existing.some((t) =>\n      scanners.some((s) => s.categories.includes(cat) && t.toLowerCase().includes(s.name))\n    );\n    return { category: cat, covered: found.length > 0 || existingMatch, scanners: found };\n  });\n}\n\n// ============================================================================\n// Plan Assembly\n// ============================================================================\n\n/** Options for buildPlanFromAnalysis (allows optional fields for testability). */\ninterface BuildPlanOptions {\n  readonly repo: string;\n  readonly categories?: readonly string[] | undefined;\n  readonly maxScanners?: number | undefined;\n}\n\n/** Generate a security scanning plan for a repository (fetches live data). */\nexport async function generateSecurityPlan(\n  input: RepoSecurityPlanInput\n): Promise<RepoSecurityPlan> {\n  const [analysis, data] = await Promise.all([\n    analyzeGitHubRepo({ repo: input.repo, depth: 'deep' }),\n    resolveScannerData(),\n  ]);\n  return buildPlanFromAnalysis(analysis, input, data);\n}\n\n/** Collect infrastructure-specific scanner recommendations. */\nfunction collectInfraRecs(\n  analysis: RepoAnalysis,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  if (analysis.hasDockerfile) {\n    tryAddScanner(\n      'grype',\n      'container',\n      'Dockerfile detected — scan container images for vulnerabilities',\n      recs,\n      ctx\n    );\n    tryAddScanner('grype-image', 'image-currency', buildImageCurrencyRationale(), recs, ctx);\n  }\n  if (analysis.hasHelmCharts) {\n    tryAddScanner(\n      'checkov',\n      'iac',\n      'Helm charts detected — scan IaC for misconfigurations',\n      recs,\n      ctx\n    );\n  }\n}\n\n/**\n * Build the rationale string for periodic container base image CVE scanning.\n * Extracted to keep collectInfraRecs within the 50-line function limit.\n */\nfunction buildImageCurrencyRationale(): string {\n  return (\n    'Dockerfile detected — periodically scan built images with ' +\n    '`grype image --severity CRITICAL,HIGH` to detect CVEs introduced by stale base images. ' +\n    'Pin base images to specific version tags (e.g., node:22.4.0-alpine3.20) rather than ' +\n    ':latest to get reproducible scans and predictable CVE surface area. ' +\n    'Alpine-based images typically have a smaller CVE surface than Debian/Ubuntu equivalents ' +\n    'due to musl libc and a minimal package set, but verify with grype before assuming.'\n  );\n}\n\n/** Pure function: build plan from analysis + scanner data (testable). */\nexport function buildPlanFromAnalysis(\n  analysis: RepoAnalysis,\n  input: BuildPlanOptions,\n  data?: ScannerData\n): RepoSecurityPlan {\n  const resolved = data ?? FALLBACK_SCANNER_DATA;\n  const ctx: RecContext = {\n    existing: analysis.securityTooling,\n    ciProvider: analysis.ciProvider,\n    language: analysis.language,\n    categoryFilter: input.categories ? new Set(input.categories) : null,\n    maxScanners: input.maxScanners ?? 10,\n    scanners: resolved.scanners,\n  };\n\n  const recs: ScannerRecommendation[] = [];\n  const normalizedLang = analysis.language !== null ? normalizeLangName(analysis.language) : null;\n  const langMap = normalizedLang !== null ? resolved.languageMap[normalizedLang] : undefined;\n  if (langMap) collectLanguageRecs(langMap, recs, ctx);\n  collectInfraRecs(analysis, recs, ctx);\n\n  const conflicts = detectConflicts(recs, resolved.scanners);\n  const coverage = buildCoverage(recs, analysis.securityTooling, resolved.scanners);\n  const uncovered = coverage.filter((c) => !c.covered).map((c) => c.category);\n\n  return {\n    repo: analysis.name,\n    language: analysis.language,\n    framework: analysis.framework,\n    ciProvider: analysis.ciProvider,\n    existingTooling: analysis.securityTooling,\n    recommendations: recs,\n    conflicts,\n    coverage,\n    gapsSummary: [\n      ...analysis.gaps,\n      ...(uncovered.length > 0 ? [`Uncovered categories: ${uncovered.join(', ')}`] : []),\n    ],\n  };\n}\n"],"mappings":";;;;;;;;AAWA,SAAS,SAAS;AA6ClB,IAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACxB,MAAM,EAAE,KAAK,CAAC,QAAQ,cAAc,WAAW,eAAe,CAAC;AACjE,CAAC;AAED,IAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACzB,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC9B,eAAe,EAAE,MAAM,kBAAkB,EAAE,SAAS;AACtD,CAAC;AAED,IAAM,4BAA4B,EAC/B,OAAO;AAAA,EACN,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACnC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAClC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACtC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACxC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAClC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACrC,CAAC,EACA,MAAM;AAET,IAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACzB,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,UAAU,EAAE,MAAM,aAAa;AAAA,EAC/B,gBAAgB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,yBAAyB;AACxE,CAAC;AAYD,IAAM,eAAe,KAAK,KAAK;AAC/B,IAAI,cAAiC;AAGrC,IAAI;AAGG,SAAS,qBAA2B;AACzC,gBAAc;AACd,kBAAgB;AAClB;AAMA,IAAM,gBAAgB;AACtB,IAAM,mBAAmB;AASzB,IAAM,SAAS,aAAa,EAAE,WAAW,2BAA2B,CAAC;AAGrE,eAAe,oBAAoB,eAAsD;AACvF,QAAM,EAAE,OAAO,IAAI,MAAM;AAAA,IACvB;AAAA,IACA,CAAC,WAAW,QAAQ,UAAU,eAAe,UAAU,WAAW,QAAQ,UAAU;AAAA,IACpF,EAAE,SAAS,iBAAiB;AAAA,EAC9B;AACA,SAAO,OAAO,KAAK,KAAK;AAC1B;AAGA,eAAe,iBACb,eACyC;AACzC,QAAM,EAAE,OAAO,IAAI,MAAM;AAAA,IACvB;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,EAAE,SAAS,kBAAkB,WAAW,OAAO,KAAK;AAAA,EACtD;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,KAAK,MAAM,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO,KAAK,uCAAuC;AAAA,MACjD,cAAc,OAAO;AAAA,MACrB,SAAS,OAAO,MAAM,GAAG,GAAG;AAAA,IAC9B,CAAC;AACD,WAAO;AAAA,EACT;AAEA,QAAM,SAAS,eAAe,UAAU,QAAQ;AAChD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,KAAK,8CAA8C;AAAA,MACxD,QAAQ,OAAO,MAAM,OAAO,MAAM,GAAG,CAAC;AAAA,IACxC,CAAC;AACD,WAAO;AAAA,EACT;AAEA,SAAO,KAAK,qCAAqC;AAAA,IAC/C,SAAS,OAAO,KAAK;AAAA,IACrB,UAAU,OAAO,KAAK,SAAS;AAAA,IAC/B,WAAW,OAAO,KAAK,OAAO,KAAK,cAAc,EAAE;AAAA,EACrD,CAAC;AACD,SAAO,OAAO;AAChB;AAOA,eAAe,0BAAmE;AAChF,MAAI;AACF,UAAM,EAAE,SAAS,IAAI,MAAM,OAAO,eAAoB;AACtD,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAW;AAC9C,UAAM,gBAAgB,UAAU,QAAQ;AAExC,UAAM,MAAM,MAAM,oBAAoB,aAAa;AACnD,QAAI,QAAQ,MAAM;AAChB,aAAO,KAAK,uCAAuC;AACnD,aAAO;AAAA,IACT;AAGA,QAAI,gBAAgB,QAAQ,YAAY,eAAe,KAAK;AAC1D,aAAO,MAAM,sDAAsD,EAAE,IAAI,CAAC;AAC1E,oBAAc,EAAE,GAAG,aAAa,WAAW,KAAK,IAAI,EAAE;AACtD,aAAO,YAAY;AAAA,IACrB;AAGA,UAAM,WAAW,MAAM,iBAAiB,aAAa;AACrD,QAAI,aAAa,MAAM;AACrB,oBAAc,EAAE,UAAU,WAAW,KAAK,IAAI,GAAG,YAAY,IAAI;AAAA,IACnE;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,WAAO,MAAM,oCAAoC,EAAE,OAAO,IAAI,CAAC;AAC/D,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,sBAA+D;AAEnF,MAAI,gBAAgB,MAAM;AACxB,UAAM,MAAM,KAAK,IAAI,IAAI,YAAY;AACrC,QAAI,MAAM,cAAc;AACtB,aAAO,YAAY;AAAA,IACrB;AAAA,EACF;AAGA,oBAAkB,wBAAwB,EAAE,QAAQ,MAAM;AACxD,oBAAgB;AAAA,EAClB,CAAC;AACD,QAAM,WAAW,MAAM;AACvB,MAAI,aAAa,MAAM;AACrB,WAAO;AAAA,EACT;AAGA,MAAI,gBAAgB,MAAM;AACxB,WAAO,KAAK,sCAAsC;AAClD,WAAO,YAAY;AAAA,EACrB;AAEA,SAAO;AACT;;;ACtOA,IAAM,oBAA6C;AAAA,EACjD;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,SAAS;AAAA,IAC9B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,aAAa,OAAO,MAAM;AAAA,IAC9C,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,WAAW;AAAA,IAC/B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,QAAQ,WAAW;AAAA,IACvC,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,SAAS;AAAA,IACtB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,SAAS;AAAA,IACtB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,KAAK;AAAA,IACzB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,kBAAkB,WAAW;AAAA,IAC1C,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AACF;AAMA,IAAM,wBAAoD;AAAA,EACxD,YAAY;AAAA,IACV,MAAM,CAAC,WAAW,mBAAmB,QAAQ;AAAA,IAC7C,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,YAAY;AAAA,IACV,MAAM,CAAC,WAAW,mBAAmB,QAAQ;AAAA,IAC7C,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,UAAU,WAAW,QAAQ;AAAA,IACpC,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,UAAU,WAAW,UAAU;AAAA,IACtC,KAAK,CAAC,0BAA0B,aAAa;AAAA,IAC7C,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,IAAI;AAAA,IACF,MAAM,CAAC,SAAS,WAAW,QAAQ;AAAA,IACnC,KAAK,CAAC,eAAe,aAAa;AAAA,IAClC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,YAAY,WAAW,QAAQ;AAAA,IACtC,KAAK,CAAC,iBAAiB,aAAa;AAAA,IACpC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,WAAW,SAAS;AAAA,IAC3B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,UAAU,SAAS;AAAA,IAC1B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,GAAG;AAAA,IACD,MAAM,CAAC,YAAY,UAAU,SAAS;AAAA,IACtC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,YAAY,UAAU,SAAS;AAAA,IACtC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,SAAS;AAAA,IAChB,KAAK,CAAC,eAAe,aAAa;AAAA,IAClC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,UAAU,WAAW,QAAQ;AAAA,IACpC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,UAAU,SAAS;AAAA,IAC1B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,WAAW,UAAU;AAAA,IAC5B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,cAAc,SAAS;AAAA,IAC9B,KAAK,CAAC;AAAA,IACN,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,WAAW,OAAO;AAAA,IACzB,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AACF;AAOO,IAAM,wBAAqC;AAAA,EAChD,UAAU;AAAA,EACV,aAAa;AAAA,EACb,QAAQ;AACV;;;AC/RA,IAAMA,UAAS,aAAa,EAAE,WAAW,qBAAqB,CAAC;AAqC/D,SAAS,uBAAuB,GAAkC;AAChE,QAAM,aAAa,EAAE,eAAe,OAAO,CAAC,MAAM,EAAE,SAAS,YAAY,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM;AAC9F,SAAO;AAAA,IACL,MAAM,EAAE;AAAA,IACR,aAAa,EAAE;AAAA,IACf,YAAY,EAAE;AAAA,IACd,SAAS,EAAE;AAAA,IACX,cAAc,EAAE;AAAA,IAChB,GAAI,eAAe,UAAa,WAAW,SAAS,IAAI,EAAE,WAAW,IAAI,CAAC;AAAA,EAC5E;AACF;AAGA,IAAM,sBAAwD;AAAA,EAC5D,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO;AAAA,EACP,IAAI;AAAA,EACJ,MAAM;AAAA,EACN,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,KAAK;AAAA,EACL,OAAO;AAAA,EACP,YAAY;AACd;AAEA,SAAS,kBAAkB,MAAsB;AAC/C,QAAM,QAAQ,KAAK,YAAY;AAC/B,SAAO,oBAAoB,KAAK,KAAK,KAAK,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,MAAM,CAAC;AAClF;AAEA,SAAS,sBACP,QACiC;AACjC,QAAM,SAA0C,CAAC;AACjD,aAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AAElD,UAAM,aAAa,kBAAkB,IAAI;AACzC,WAAO,UAAU,IAAI;AAAA,MACnB,MAAM,MAAM,QAAQ,CAAC;AAAA,MACrB,KAAK,MAAM,OAAO,CAAC;AAAA,MACnB,SAAS,MAAM,WAAW,CAAC;AAAA,IAC7B;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,qBAA2C;AAC/D,QAAM,WAAW,MAAM,oBAAoB;AAC3C,MAAI,aAAa,MAAM;AACrB,IAAAA,QAAO,KAAK,+BAA+B;AAAA,MACzC,SAAS,SAAS;AAAA,MAClB,UAAU,SAAS,SAAS;AAAA,IAC9B,CAAC;AACD,WAAO;AAAA,MACL,UAAU,SAAS,SAAS,IAAI,sBAAsB;AAAA,MACtD,aAAa,sBAAsB,SAAS,cAAc;AAAA,MAC1D,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,EAAAA,QAAO,KAAK,6BAA6B;AACzC,SAAO;AACT;AAMA,IAAM,cAAgD;AAAA,EACpD,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,eACE;AAAA,EACF,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,SAAS;AAAA,EACT,eAAe;AAAA,EACf,MAAM;AAAA,EACN,YAAY;AACd;AAEA,SAAS,kBAAkB,MAAc,IAAkC;AACzE,MAAI,OAAO,iBAAkB,QAAO;AACpC,SAAO,YAAY,IAAI,KAAK;AAC9B;AAMA,SAAS,YAAY,MAAc,UAA6D;AAC9F,SAAO,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AAC7C;AAEA,SAAS,cAAc,MAAc,UAAsC;AACzE,SAAO,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,KAAK,YAAY,CAAC,CAAC;AAC1E;AAsBA,SAAS,oBAAoB,MAA+B,MAAgC;AAC1F,aAAW,QAAQ,KAAK,OAAO;AAC7B,QAAI,KAAK,UAAU,KAAK,IAAI,YAAa;AACzC,QAAI,cAAc,MAAM,KAAK,IAAI,QAAQ,EAAG;AAC5C,UAAM,QAAQ,YAAY,MAAM,KAAK,IAAI,QAAQ;AACjD,QAAI,CAAC,MAAO;AACZ,QAAI,KAAK,IAAI,kBAAkB,CAAC,KAAK,IAAI,eAAe,IAAI,KAAK,QAAQ,EAAG;AAC5E,UAAM,UAAU,KAAK,aAAa,UAAU,KAAK,WAAW;AAC5D,SAAK,KAAK;AAAA,MACR;AAAA,MACA,aAAa,MAAM;AAAA,MACnB,UAAU,KAAK;AAAA,MACf,SAAS,MAAM;AAAA,MACf,cAAc,MAAM;AAAA,MACpB,WAAW,KAAK,UAAU,KAAK;AAAA,MAC/B,UAAU,UAAU,aAAa,KAAK;AAAA,MACtC,WAAW,kBAAkB,MAAM,KAAK,IAAI,UAAU;AAAA,IACxD,CAAC;AAAA,EACH;AACF;AAGA,SAAS,oBACP,SACA,MACA,KACM;AACN,QAAM,OAAO,IAAI,YAAY;AAC7B,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,CAAC,MAAM,GAAG,EAAE,WAAW,sBAAsB,IAAI;AAAA,IAC5D,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACD,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,CAAC,MAAM,GAAG,EAAE,WAAW,qBAAqB,IAAI;AAAA,IAC3D,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACD,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,MAAM;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACH;AAGA,SAAS,cACP,aACA,UACA,WACA,MACA,KACM;AACN,MAAI,KAAK,UAAU,IAAI,YAAa;AACpC,MAAI,IAAI,kBAAkB,CAAC,IAAI,eAAe,IAAI,QAAQ,EAAG;AAC7D,MAAI,cAAc,aAAa,IAAI,QAAQ,EAAG;AAC9C,MAAI,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,WAAW,EAAG;AAC9C,QAAM,QAAQ,YAAY,aAAa,IAAI,QAAQ;AACnD,MAAI,CAAC,MAAO;AACZ,OAAK,KAAK;AAAA,IACR,MAAM;AAAA,IACN,aAAa,MAAM;AAAA,IACnB;AAAA,IACA,SAAS,MAAM;AAAA,IACf,cAAc,MAAM;AAAA,IACpB;AAAA,IACA,UAAU;AAAA,IACV,WAAW,kBAAkB,aAAa,IAAI,UAAU;AAAA,EAC1D,CAAC;AACH;AAMA,SAAS,gBACP,MACA,UAC4B;AAC5B,QAAM,WAA8B,CAAC;AACrC,QAAM,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;AAC7C,mBAAiB,OAAO,UAAU,QAAQ;AAC1C,kBAAgB,MAAM,QAAQ;AAC9B,SAAO;AACT;AAEA,SAAS,iBACP,OACA,UACA,UACM;AACN,aAAW,WAAW,UAAU;AAC9B,QAAI,CAAC,MAAM,IAAI,QAAQ,IAAI,EAAG;AAC9B,QAAI,CAAC,QAAQ,WAAY;AACzB,eAAW,OAAO,QAAQ,YAAY;AACpC,UAAI,MAAM,IAAI,GAAG,GAAG;AAClB,iBAAS,KAAK;AAAA,UACZ,UAAU,CAAC,KAAK,QAAQ,IAAI;AAAA,UAC5B,MAAM;AAAA,UACN,gBAAgB,GAAG,QAAQ,WAAW,eAAe,GAAG,YAAY,GAAG;AAAA,QACzE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,gBACP,MACA,UACM;AACN,QAAM,SAAS,oBAAI,IAAsB;AACzC,aAAW,OAAO,MAAM;AACtB,UAAM,MAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,CAAC;AACzC,QAAI,KAAK,IAAI,IAAI;AACjB,WAAO,IAAI,IAAI,UAAU,GAAG;AAAA,EAC9B;AACA,aAAW,CAAC,KAAK,QAAQ,KAAK,QAAQ;AACpC,QAAI,SAAS,SAAS,GAAG;AACvB,YAAM,QAAQ,OAAO,SAAS,MAAM;AACpC,eAAS,KAAK;AAAA,QACZ;AAAA,QACA,MAAM;AAAA,QACN,gBAAgB,GAAG,KAAK,iBAAiB,GAAG;AAAA,MAC9C,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAMA,IAAM,iBAAiB,CAAC,QAAQ,QAAQ,OAAO,WAAW,aAAa,OAAO,gBAAgB;AAE9F,SAAS,cACP,MACA,UACA,UAC6B;AAC7B,SAAO,eAAe,IAAI,CAAC,QAAQ;AACjC,UAAM,QAAQ,KAAK,OAAO,CAAC,MAAM,EAAE,aAAa,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI;AACtE,UAAM,gBAAgB,SAAS;AAAA,MAAK,CAAC,MACnC,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,SAAS,GAAG,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC;AAAA,IACrF;AACA,WAAO,EAAE,UAAU,KAAK,SAAS,MAAM,SAAS,KAAK,eAAe,UAAU,MAAM;AAAA,EACtF,CAAC;AACH;AAcA,eAAsB,qBACpB,OAC2B;AAC3B,QAAM,CAAC,UAAU,IAAI,IAAI,MAAM,QAAQ,IAAI;AAAA,IACzC,kBAAkB,EAAE,MAAM,MAAM,MAAM,OAAO,OAAO,CAAC;AAAA,IACrD,mBAAmB;AAAA,EACrB,CAAC;AACD,SAAO,sBAAsB,UAAU,OAAO,IAAI;AACpD;AAGA,SAAS,iBACP,UACA,MACA,KACM;AACN,MAAI,SAAS,eAAe;AAC1B;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,kBAAc,eAAe,kBAAkB,4BAA4B,GAAG,MAAM,GAAG;AAAA,EACzF;AACA,MAAI,SAAS,eAAe;AAC1B;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAMA,SAAS,8BAAsC;AAC7C,SACE;AAOJ;AAGO,SAAS,sBACd,UACA,OACA,MACkB;AAClB,QAAM,WAAW,QAAQ;AACzB,QAAM,MAAkB;AAAA,IACtB,UAAU,SAAS;AAAA,IACnB,YAAY,SAAS;AAAA,IACrB,UAAU,SAAS;AAAA,IACnB,gBAAgB,MAAM,aAAa,IAAI,IAAI,MAAM,UAAU,IAAI;AAAA,IAC/D,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,SAAS;AAAA,EACrB;AAEA,QAAM,OAAgC,CAAC;AACvC,QAAM,iBAAiB,SAAS,aAAa,OAAO,kBAAkB,SAAS,QAAQ,IAAI;AAC3F,QAAM,UAAU,mBAAmB,OAAO,SAAS,YAAY,cAAc,IAAI;AACjF,MAAI,QAAS,qBAAoB,SAAS,MAAM,GAAG;AACnD,mBAAiB,UAAU,MAAM,GAAG;AAEpC,QAAM,YAAY,gBAAgB,MAAM,SAAS,QAAQ;AACzD,QAAM,WAAW,cAAc,MAAM,SAAS,iBAAiB,SAAS,QAAQ;AAChF,QAAM,YAAY,SAAS,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ;AAE1E,SAAO;AAAA,IACL,MAAM,SAAS;AAAA,IACf,UAAU,SAAS;AAAA,IACnB,WAAW,SAAS;AAAA,IACpB,YAAY,SAAS;AAAA,IACrB,iBAAiB,SAAS;AAAA,IAC1B,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,IACA,aAAa;AAAA,MACX,GAAG,SAAS;AAAA,MACZ,GAAI,UAAU,SAAS,IAAI,CAAC,yBAAyB,UAAU,KAAK,IAAI,CAAC,EAAE,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AACF;","names":["logger"]}

package/dist/{chunk-KGDG6PWZ.js → chunk-2UUUKVNR.js}

@@ -1,6 +1,6 @@
 import {
   createLogger
-} from "./chunk-IMWYKX4H.js";
+} from "./chunk-ELIFTCYM.js";
 
 // src/swe-bench/mcp-config.ts
 import { writeFile, mkdtemp, rm } from "fs/promises";
@@ -58,4 +58,4 @@ export {
   generateMcpConfig,
   getDefaultAllowedTools
 };
-//# sourceMappingURL=chunk-KGDG6PWZ.js.map
+//# sourceMappingURL=chunk-2UUUKVNR.js.map

package/dist/{chunk-5VZLXMO7.js → chunk-3EVVQ32X.js}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-633WH2ML.js";
 import {
   createAllAdapters
-} from "./chunk-ZBZJHXRT.js";
+} from "./chunk-4AGPR6XZ.js";
 import {
   DEFAULT_CAPABILITIES,
   DEFAULT_MODEL_CAPABILITIES,
@@ -15,7 +15,7 @@ import {
   ok,
   symbols,
   writeLine
-} from "./chunk-IMWYKX4H.js";
+} from "./chunk-ELIFTCYM.js";
 import {
   LEARNING_DIR,
   OUTCOMES_FILE,
@@ -24,7 +24,7 @@ import {
 } from "./chunk-CLYZ7FWP.js";
 
 // src/version.ts
-var VERSION = true ? "2.29.0" : "dev";
+var VERSION = true ? "2.29.1" : "dev";
 
 // src/cli/setup-data-dir.ts
 import { mkdirSync, existsSync as existsSync2 } from "fs";
@@ -757,7 +757,7 @@ async function runDoctorFix(result) {
   writeLine2("\u2500".repeat(40));
   let fixCount = 0;
   if (!result.dataDirectory.rootExists || result.dataDirectory.subdirectories.some((d) => !d.exists || !d.writable)) {
-    const { runSetup } = await import("./setup-command-IQ4MD3FT.js");
+    const { runSetup } = await import("./setup-command-E6MXO5RZ.js");
     const setupResult = runSetup({
       skipMcp: true,
       skipRules: true,
@@ -771,7 +771,7 @@ async function runDoctorFix(result) {
     }
   }
   if (!result.configFile.found) {
-    const { runConfigInitSync } = await import("./setup-config-5YUPLDXF.js");
+    const { runConfigInitSync } = await import("./setup-config-O5F3AZBL.js");
     const configResult = runConfigInitSync(process.cwd(), false, false);
     if (configResult.success && configResult.created) {
       writeLine2(`\u2713 Generated config: ${configResult.path}`);
@@ -835,4 +835,4 @@ export {
   startStdioServer,
   closeServer
 };
-//# sourceMappingURL=chunk-5VZLXMO7.js.map
+//# sourceMappingURL=chunk-3EVVQ32X.js.map

package/dist/{chunk-WSK4VSXP.js → chunk-3GXDN4AX.js}

@@ -1,6 +1,6 @@
 import {
   getErrorMessage
-} from "./chunk-IMWYKX4H.js";
+} from "./chunk-ELIFTCYM.js";
 
 // src/cli/setup-config.ts
 import { existsSync, writeFileSync } from "fs";
@@ -59,4 +59,4 @@ function runConfigInitSync(projectRoot, force, dryRun) {
 export {
   runConfigInitSync
 };
-//# sourceMappingURL=chunk-WSK4VSXP.js.map
+//# sourceMappingURL=chunk-3GXDN4AX.js.map

package/dist/{chunk-ZBZJHXRT.js → chunk-4AGPR6XZ.js}

@@ -1,3 +1,7 @@
+import {
+  CliCircuitBreaker,
+  DEFAULT_CIRCUIT_BREAKER_CONFIG
+} from "./chunk-LLGUX44Z.js";
 import {
   CLI_SUBPROCESS_TIMEOUTS,
   CLI_TIMEOUTS,
@@ -6,8 +10,6 @@ import {
   DEFAULT_CAPABILITIES,
   DEFAULT_MODEL_CAPABILITIES,
   DEFAULT_MODEL_PER_CLI,
-  ErrorCode,
-  NexusError,
   buildModelInfo,
   clampPercent,
   createLogger,
@@ -22,7 +24,7 @@ import {
   getTimeProvider,
   isRateLimitText,
   ok
-} from "./chunk-IMWYKX4H.js";
+} from "./chunk-ELIFTCYM.js";
 
 // src/cli-adapters/subprocess-adapter.ts
 import { spawn } from "child_process";
@@ -51,7 +53,19 @@ function estimateTaskComplexity(taskDescription) {
   if (complexIndicators.some((indicator) => lower.includes(indicator))) {
     return "complex";
   }
-  const simpleIndicators = ["single", "quick", "one function", "simple", "small", "brief", "short"];
+  const simpleIndicators = [
+    "single",
+    "quick",
+    "one function",
+    "simple",
+    "small",
+    "brief",
+    "short",
+    "run tests",
+    "test suite",
+    "exploration",
+    "explore"
+  ];
   if (simpleIndicators.some((indicator) => lower.includes(indicator))) {
     return "simple";
   }
@@ -1375,345 +1389,6 @@ var ResilientGeminiParser = class {
   }
 };
 
-// src/cli-adapters/circuit-breaker-types.ts
-var CircuitErrorCode = {
-  CIRCUIT_OPEN: "CIRCUIT_OPEN",
-  CIRCUIT_HALF_OPEN_REJECTED: "CIRCUIT_HALF_OPEN_REJECTED",
-  EXECUTION_FAILED: "EXECUTION_FAILED"
-};
-var CircuitError = class extends NexusError {
-  circuitErrorCode;
-  cliName;
-  circuitState;
-  failureCategory;
-  constructor(message, options) {
-    const baseOptions = {
-      code: ErrorCode.INTERNAL_ERROR,
-      context: {
-        circuitErrorCode: options.circuitErrorCode,
-        cliName: options.cliName,
-        circuitState: options.circuitState
-      }
-    };
-    if (options.cause !== void 0) {
-      baseOptions.cause = options.cause;
-    }
-    if (options.failureCategory !== void 0) {
-      baseOptions.context["failureCategory"] = options.failureCategory;
-    }
-    super(message, baseOptions);
-    this.name = "CircuitError";
-    this.circuitErrorCode = options.circuitErrorCode;
-    this.cliName = options.cliName;
-    this.circuitState = options.circuitState;
-    if (options.failureCategory !== void 0) {
-      this.failureCategory = options.failureCategory;
-    }
-  }
-};
-var DEFAULT_CIRCUIT_BREAKER_CONFIG = {
-  failureThreshold: 5,
-  resetTimeoutMs: 3e4,
-  halfOpenSuccessThreshold: 2,
-  countTimeoutsAsFailures: true,
-  countAuthFailuresAsFailures: false,
-  countRateLimitsAsFailures: true,
-  halfOpenMaxRequests: 3
-};
-var TIMEOUT_PATTERNS = ["timeout", "timed out"];
-var AUTH_PATTERNS = ["auth", "unauthorized", "forbidden", "oauth"];
-var RATE_LIMIT_PATTERNS = ["rate limit", "too many requests", "429"];
-var CONNECTION_PATTERNS = [
-  "connection",
-  "econnrefused",
-  "enotfound",
-  "mcp",
-  "eaddrinuse",
-  "address already in use"
-];
-var CRASH_PATTERNS = ["crash", "exited", "killed", "sigterm", "sigkill"];
-function matchesPatterns(text, patterns) {
-  return patterns.some((pattern) => text.includes(pattern));
-}
-function categorizeError2(error) {
-  if (!(error instanceof Error)) {
-    return "unknown";
-  }
-  const message = error.message.toLowerCase();
-  const name = error.name.toLowerCase();
-  const combined = `${message} ${name}`;
-  if (matchesPatterns(combined, TIMEOUT_PATTERNS)) return "timeout";
-  if (matchesPatterns(combined, AUTH_PATTERNS)) return "authentication";
-  if (matchesPatterns(combined, RATE_LIMIT_PATTERNS)) return "rate_limit";
-  if (matchesPatterns(combined, CONNECTION_PATTERNS)) return "connection";
-  if (matchesPatterns(combined, CRASH_PATTERNS)) return "crash";
-  return "unknown";
-}
-
-// src/cli-adapters/circuit-breaker.ts
-var CliCircuitBreaker = class {
-  constructor(cliName, config = DEFAULT_CIRCUIT_BREAKER_CONFIG) {
-    this.cliName = cliName;
-    this.config = config;
-    this.lastStateChange = getTimeProvider().now();
-  }
-  state = "closed";
-  failureCount = 0;
-  successCount = 0;
-  lastFailureTime = null;
-  lastStateChange;
-  halfOpenRequests = 0;
-  listeners = /* @__PURE__ */ new Set();
-  /**
-   * Executes a function with circuit breaker protection.
-   */
-  async execute(fn) {
-    const canExecute = this.canExecute();
-    if (!canExecute.ok) {
-      return canExecute;
-    }
-    try {
-      const result = await fn();
-      this.onSuccess();
-      return ok(result);
-    } catch (error) {
-      const category = categorizeError2(error);
-      if (this.shouldCountFailure(category)) {
-        this.onFailure(category);
-      }
-      return err(this.createExecutionError(error, category));
-    }
-  }
-  getState() {
-    this.checkStateTransition();
-    return this.state;
-  }
-  getSnapshot() {
-    this.checkStateTransition();
-    return {
-      state: this.state,
-      failureCount: this.failureCount,
-      successCount: this.successCount,
-      lastFailureTime: this.lastFailureTime,
-      lastStateChange: this.lastStateChange,
-      halfOpenRequests: this.halfOpenRequests,
-      config: this.config
-    };
-  }
-  reset() {
-    const previousState = this.state;
-    this.state = "closed";
-    this.failureCount = 0;
-    this.successCount = 0;
-    this.lastFailureTime = null;
-    this.halfOpenRequests = 0;
-    this.lastStateChange = getTimeProvider().now();
-    if (previousState !== "closed") {
-      this.emitStateChange(previousState, "closed", "Manual reset");
-    }
-  }
-  recordFailure(category) {
-    if (this.shouldCountFailure(category)) {
-      this.onFailure(category);
-    }
-  }
-  recordSuccess() {
-    this.onSuccess();
-  }
-  addStateChangeListener(listener) {
-    this.listeners.add(listener);
-  }
-  removeStateChangeListener(listener) {
-    this.listeners.delete(listener);
-  }
-  // -------------------------------------------------------------------------
-  // Private Methods
-  // -------------------------------------------------------------------------
-  canExecute() {
-    this.checkStateTransition();
-    if (this.state === "closed") {
-      return ok(true);
-    }
-    if (this.state === "open") {
-      return err(
-        new CircuitError(`Circuit is open for CLI: ${this.cliName}`, {
-          circuitErrorCode: CircuitErrorCode.CIRCUIT_OPEN,
-          cliName: this.cliName,
-          circuitState: this.state
-        })
-      );
-    }
-    if (this.halfOpenRequests >= this.config.halfOpenMaxRequests) {
-      return err(
-        new CircuitError(`Circuit half-open request limit reached for CLI: ${this.cliName}`, {
-          circuitErrorCode: CircuitErrorCode.CIRCUIT_HALF_OPEN_REJECTED,
-          cliName: this.cliName,
-          circuitState: this.state
-        })
-      );
-    }
-    this.halfOpenRequests++;
-    return ok(true);
-  }
-  checkStateTransition() {
-    if (this.state === "open" && this.lastFailureTime !== null) {
-      const elapsed = getTimeProvider().now() - this.lastFailureTime;
-      if (elapsed >= this.config.resetTimeoutMs) {
-        this.transitionTo("half-open", "Reset timeout elapsed");
-      }
-    }
-  }
-  onSuccess() {
-    if (this.state === "closed") {
-      this.failureCount = 0;
-    } else if (this.state === "half-open") {
-      this.successCount++;
-      if (this.successCount >= this.config.halfOpenSuccessThreshold) {
-        const reason = `${String(this.successCount)} consecutive successes in half-open state`;
-        this.transitionTo("closed", reason);
-      }
-    }
-  }
-  onFailure(category) {
-    this.failureCount++;
-    this.lastFailureTime = getTimeProvider().now();
-    if (this.state === "closed" && this.failureCount >= this.config.failureThreshold) {
-      const reason = `Failure threshold (${String(this.config.failureThreshold)}) exceeded`;
-      this.transitionTo("open", reason);
-    } else if (this.state === "half-open") {
-      this.transitionTo("open", `Failure during half-open recovery (category: ${category})`);
-    }
-  }
-  transitionTo(newState, reason) {
-    const previousState = this.state;
-    this.state = newState;
-    this.lastStateChange = getTimeProvider().now();
-    if (newState === "closed") {
-      this.failureCount = 0;
-      this.successCount = 0;
-      this.halfOpenRequests = 0;
-    } else if (newState === "half-open") {
-      this.successCount = 0;
-      this.halfOpenRequests = 0;
-    }
-    this.emitStateChange(previousState, newState, reason);
-  }
-  emitStateChange(previousState, newState, reason) {
-    const event = {
-      cliName: this.cliName,
-      previousState,
-      newState,
-      timestamp: this.lastStateChange,
-      failureCount: this.failureCount,
-      reason
-    };
-    for (const listener of this.listeners) {
-      try {
-        listener(event);
-      } catch {
-      }
-    }
-  }
-  shouldCountFailure(category) {
-    if (category === "timeout") return this.config.countTimeoutsAsFailures;
-    if (category === "authentication") return this.config.countAuthFailuresAsFailures;
-    if (category === "rate_limit") return this.config.countRateLimitsAsFailures;
-    return true;
-  }
-  createExecutionError(error, category) {
-    const message = getErrorMessage(error);
-    const cause = error instanceof Error ? error : new Error(String(error));
-    return new CircuitError(`CLI execution failed: ${message}`, {
-      circuitErrorCode: CircuitErrorCode.EXECUTION_FAILED,
-      cliName: this.cliName,
-      circuitState: this.state,
-      failureCategory: category,
-      cause
-    });
-  }
-};
-var CircuitBreakerRegistry = class {
-  constructor(defaultConfig = {}) {
-    this.defaultConfig = defaultConfig;
-  }
-  breakers = /* @__PURE__ */ new Map();
-  globalListeners = /* @__PURE__ */ new Set();
-  getBreaker(cliName, config) {
-    let breaker = this.breakers.get(cliName);
-    if (!breaker) {
-      const mergedConfig = {
-        ...DEFAULT_CIRCUIT_BREAKER_CONFIG,
-        ...this.defaultConfig,
-        ...config
-      };
-      breaker = new CliCircuitBreaker(cliName, mergedConfig);
-      for (const listener of this.globalListeners) {
-        breaker.addStateChangeListener(listener);
-      }
-      this.breakers.set(cliName, breaker);
-    }
-    return breaker;
-  }
-  isOpen(cliName) {
-    return this.breakers.get(cliName)?.getState() === "open";
-  }
-  getAllSnapshots() {
-    const snapshots = /* @__PURE__ */ new Map();
-    for (const [name, breaker] of this.breakers) {
-      snapshots.set(name, breaker.getSnapshot());
-    }
-    return snapshots;
-  }
-  resetAll() {
-    for (const breaker of this.breakers.values()) {
-      breaker.reset();
-    }
-  }
-  reset(cliName) {
-    this.breakers.get(cliName)?.reset();
-  }
-  addGlobalStateChangeListener(listener) {
-    this.globalListeners.add(listener);
-    for (const breaker of this.breakers.values()) {
-      breaker.addStateChangeListener(listener);
-    }
-  }
-  removeGlobalStateChangeListener(listener) {
-    this.globalListeners.delete(listener);
-    for (const breaker of this.breakers.values()) {
-      breaker.removeStateChangeListener(listener);
-    }
-  }
-  getHealthyClis() {
-    const healthy = [];
-    for (const [name, breaker] of this.breakers) {
-      if (breaker.getState() === "closed") {
-        healthy.push(name);
-      }
-    }
-    return healthy;
-  }
-  getUnhealthyClis() {
-    const unhealthy = [];
-    for (const [name, breaker] of this.breakers) {
-      const state = breaker.getState();
-      if (state === "open" || state === "half-open") {
-        unhealthy.push(name);
-      }
-    }
-    return unhealthy;
-  }
-};
-function mapCliErrorToCategory(errorCode) {
-  const mapping = {
-    TIMEOUT: "timeout",
-    NOT_AUTHENTICATED: "authentication",
-    RATE_LIMITED: "rate_limit",
-    CONNECTION_ERROR: "connection"
-  };
-  return mapping[errorCode] ?? "unknown";
-}
-
 // src/cli-adapters/adapters/gemini-adapter-helpers.ts
 var GEMINI_LEGACY_DEFAULTS = {
   displayNames: {},
@@ -2986,9 +2661,6 @@ export {
   extractNumberField,
   ClaudeResponseParser,
   ClaudeCliAdapter,
-  CircuitError,
-  CircuitBreakerRegistry,
-  mapCliErrorToCategory,
   GeminiCliAdapter,
   CodexResponseParser,
   CodexCliAdapter,
@@ -3003,4 +2675,4 @@ export {
   isCliAvailable,
   getAvailableClis
 };
-//# sourceMappingURL=chunk-ZBZJHXRT.js.map
+//# sourceMappingURL=chunk-4AGPR6XZ.js.map