nexus-agents 2.29.1 → 2.29.2

package/dist/{chunk-2UUUKVNR.js → chunk-LKDHAJJB.js}

@@ -1,6 +1,6 @@
 import {
   createLogger
-} from "./chunk-ELIFTCYM.js";
+} from "./chunk-HSOPD265.js";
 
 // src/swe-bench/mcp-config.ts
 import { writeFile, mkdtemp, rm } from "fs/promises";
@@ -58,4 +58,4 @@ export {
   generateMcpConfig,
   getDefaultAllowedTools
 };
-//# sourceMappingURL=chunk-2UUUKVNR.js.map
+//# sourceMappingURL=chunk-LKDHAJJB.js.map

package/dist/{chunk-N5SY7V45.js → chunk-NKGTEJYU.js}

@@ -1,14 +1,14 @@
 import {
   resolveToken
-} from "./chunk-7SKAKA4I.js";
+} from "./chunk-VZ2YOQWU.js";
 import {
   GitHubProvider,
   ScmError
-} from "./chunk-4HA5PAL7.js";
+} from "./chunk-EPMBGZQX.js";
 import {
   err,
   ok
-} from "./chunk-ELIFTCYM.js";
+} from "./chunk-HSOPD265.js";
 
 // src/scm/factory.ts
 async function createScmProvider(config) {
@@ -41,4 +41,4 @@ export {
   createScmProvider,
   createGitHubProvider
 };
-//# sourceMappingURL=chunk-N5SY7V45.js.map
+//# sourceMappingURL=chunk-NKGTEJYU.js.map

package/dist/{chunk-YSTJEMQX.js → chunk-QGODFK36.js}

@@ -2,7 +2,7 @@ import {
   createLogger,
   getTimeProvider,
   isRateLimitText
-} from "./chunk-ELIFTCYM.js";
+} from "./chunk-HSOPD265.js";
 
 // src/pipeline/expert-bridge.ts
 var logger = createLogger({ component: "expert-bridge" });
@@ -12,7 +12,7 @@ var cachedMcpConfigPath = null;
 async function getMcpConfigPath() {
   if (cachedMcpConfigPath !== null) return cachedMcpConfigPath;
   try {
-    const { generateMcpConfig } = await import("./mcp-config-2OXIOMJ6.js");
+    const { generateMcpConfig } = await import("./mcp-config-ETY7GFGW.js");
     const config = await generateMcpConfig();
     cachedMcpConfigPath = config.configPath;
     return cachedMcpConfigPath;
@@ -23,13 +23,13 @@ async function getMcpConfigPath() {
 var cachedCircuitBreaker = null;
 async function getRouter() {
   if (cachedRouter !== null) return cachedRouter;
-  const { createAllAdapters } = await import("./factory-ELEDP2WD.js");
-  const { createCompositeRouter } = await import("./composite-router-FNW7ZWL7.js");
+  const { createAllAdapters } = await import("./factory-NHORX63J.js");
+  const { createCompositeRouter } = await import("./composite-router-JD7URTC2.js");
   const adapters = createAllAdapters();
   if (adapters.size === 0) return null;
   cachedRouter = createCompositeRouter(adapters);
   try {
-    const { createCliCircuitBreakerIntegration } = await import("./cli-circuit-breaker-5FAODXVY.js");
+    const { createCliCircuitBreakerIntegration } = await import("./cli-circuit-breaker-6EJO3PPU.js");
     cachedCircuitBreaker = createCliCircuitBreakerIntegration([...adapters.values()]);
   } catch {
   }
@@ -76,7 +76,7 @@ async function dispatchWithRateLimitRetry(router, task, expertType, start) {
 async function executeExpert(expertType, prompt) {
   const start = getTimeProvider().now();
   try {
-    const { BUILT_IN_EXPERTS } = await import("./expert-config-A5CHKUGI.js");
+    const { BUILT_IN_EXPERTS } = await import("./expert-config-MQ5OJE3U.js");
     const config = BUILT_IN_EXPERTS[expertType];
     const fullPrompt = `${config.systemPrompt}
 
@@ -119,4 +119,4 @@ ${prompt}`;
 export {
   executeExpert
 };
-//# sourceMappingURL=chunk-YSTJEMQX.js.map
+//# sourceMappingURL=chunk-QGODFK36.js.map

package/dist/{chunk-FZFZ77UJ.js → chunk-QSNAFOE6.js}

@@ -1,7 +1,7 @@
 import {
   getTokenEnvVars,
   resolveToken
-} from "./chunk-7SKAKA4I.js";
+} from "./chunk-VZ2YOQWU.js";
 import {
   ClaudeAdapter,
   DEFAULT_RELEVANCE_CONFIG,
@@ -25,7 +25,7 @@ import {
   toolSuccessStructured,
   withProgressHeartbeat,
   wrapToolWithTimeout
-} from "./chunk-CGWRJ4EM.js";
+} from "./chunk-J245RJGW.js";
 import {
   REGISTRY_PATH,
   getProjectRoot,
@@ -35,14 +35,14 @@ import {
   resolveInsideRoot,
   savePapersRegistry,
   synthesizeResearch
-} from "./chunk-MRU6L7YJ.js";
+} from "./chunk-GX436VRU.js";
 import {
   IssueTriage,
   sanitizeInput
-} from "./chunk-IECE6DBS.js";
+} from "./chunk-5COIDGQJ.js";
 import {
   generateSecurityPlan
-} from "./chunk-2UR7YN6T.js";
+} from "./chunk-TL2GJMJ5.js";
 import {
   analyzeGitHubRepo
 } from "./chunk-BC3M4VLP.js";
@@ -61,18 +61,18 @@ import {
   BuiltInExpertTypeSchema,
   ExpertConfigSchema,
   getSecurityKnowledgePrompt
-} from "./chunk-OOIPRRPX.js";
+} from "./chunk-LDIN2PLV.js";
 import {
   DEFAULT_TASK_TTL_MS,
   clampTaskTtl
-} from "./chunk-3EVVQ32X.js";
+} from "./chunk-WSYJN7BI.js";
 import {
   createSessionMemory
-} from "./chunk-SRECH7OQ.js";
+} from "./chunk-KQIDTE52.js";
 import {
   MemoryImportance,
   calculateTextJaccardSimilarity
-} from "./chunk-FYJVXQHX.js";
+} from "./chunk-DDQGAVQA.js";
 import {
   STOPWORDS,
   capitalize,
@@ -81,13 +81,13 @@ import {
 } from "./chunk-633WH2ML.js";
 import {
   generateMcpConfig
-} from "./chunk-2UUUKVNR.js";
+} from "./chunk-LKDHAJJB.js";
 import {
   getFallbackChainForCategory
-} from "./chunk-C2C5ONFR.js";
+} from "./chunk-66NNHMVB.js";
 import {
   executeExpert
-} from "./chunk-YSTJEMQX.js";
+} from "./chunk-QGODFK36.js";
 import {
   ClaudeCliAdapter,
   CliDetectionCache,
@@ -96,7 +96,7 @@ import {
   getAvailableClis,
   sleep,
   withTimeout
-} from "./chunk-4AGPR6XZ.js";
+} from "./chunk-CW2Z773T.js";
 import {
   AGENT_ROUTER_TIMEOUTS,
   API_TIMEOUTS,
@@ -164,7 +164,7 @@ import {
   modelSupportsAll,
   ok,
   toExpertTaskAnalysisResult
-} from "./chunk-ELIFTCYM.js";
+} from "./chunk-HSOPD265.js";
 import {
   isPersistenceEnabled
 } from "./chunk-CLYZ7FWP.js";
@@ -174,7 +174,8 @@ import { z } from "zod";
 var LoggingConfigSchema = z.object({
   level: z.enum(["debug", "info", "warn", "error"]).default("info"),
   format: z.enum(["json", "pretty"]).default("json"),
-  destination: z.enum(["stdout", "stderr", "file"]).default("stdout"),
+  // Default to stderr: MCP stdio transport reserves stdout for JSON-RPC frames.
+  destination: z.enum(["stdout", "stderr", "file"]).default("stderr"),
   filePath: z.string().optional()
 });
 var ProviderConfigSchema = z.object({
@@ -673,7 +674,9 @@ var defaultConfig = {
   logging: {
     level: "info",
     format: "json",
-    destination: "stdout"
+    // stderr is the safe default: MCP stdio transport reserves stdout for
+    // JSON-RPC frames. Any log written to stdout corrupts the transport.
+    destination: "stderr"
   },
   security: {
     allowedPaths: ["./"],
@@ -9977,6 +9980,19 @@ When reviewing web-facing code, check for presence and correctness of these head
 
 **Severity guidance:** Missing frame-ancestors/X-Frame-Options \u2192 medium. Missing SRI on external scripts \u2192 high. unsafe-eval without wasm-unsafe-eval justification \u2192 high. No CSP at all on public-facing app \u2192 high.
 
+### Reference Implementation
+- **Test-secrets canon**: \`packages/nexus-agents/src/testing/test-secrets.ts\` \u2014 FAKE_* constants (obviously fake by construction) that satisfy GitHub secret-scanning without false positives. Import these instead of inventing new fakes.
+- **Threat model + sandbox**: \`docs/architecture/SECURITY.md\` \u2014 canonical threat model, sandbox boundaries, CVE mitigations. Cite its sections when making recommendations.
+- **Untrusted-input policy**: \`docs/architecture/UNTRUSTED_INPUT_HARDENING.md\` \u2014 trust tiers, Rule of Two, typed actions, corroboration requirements. Use when evaluating new agent/MCP surfaces.
+- **Security rules summary**: \`.claude/rules/security.md\` \u2014 quick reference the agent operator sees first.
+
+### Anti-Pattern Prohibitions
+- No security-through-obscurity \u2014 don't recommend hiding endpoints or obfuscating code as a substitute for actual access control
+- No relaxing CSP for a library \u2014 pick a CSP-safe alternative instead; \`unsafe-eval\`/\`unsafe-inline\` need a documented threat-model justification
+- No suggesting encryption without first stating the threat model \u2014 encryption choice depends on the adversary; "encrypt it" without "from whom?" is theater
+- No string-concatenated SQL/shell/HTML \u2014 always use parameterized queries, \`execFile\` over \`exec\`, and templating engines that auto-escape
+- No client-side-only validation \u2014 every server-trusted decision must be re-validated server-side, regardless of frontend checks
+
 ### Failure Patterns to Avoid
 - Do not flag test files for containing fake secrets (they use FAKE_* constants by design)
 - Do not report generic OWASP findings without codebase-specific evidence
@@ -9994,6 +10010,10 @@ var TESTING_EXPERT_BASE_PROMPT = `You are a testing expert specializing in test-
 5. Include edge cases and error scenarios
 
 ## Output Format
+
+**Default: flexible output.** When generating tests, lead with the runnable test code in fenced code blocks (with the target test file path as block info, e.g. \`\`\`typescript src/foo.test.ts). Include brief inline rationale only where non-obvious. Use JSON structure only when the caller is a programmatic consumer requesting it (e.g., coverage dashboards, PR-bot integrations).
+
+**Structured JSON (optional, for programmatic consumers):**
 Respond with JSON matching this structure:
 {
   "content": "Summary of testing analysis",
@@ -10061,38 +10081,193 @@ Respond with JSON matching this structure:
 - For broad "add tests" requests, start with untested critical paths rather than attempting exhaustive coverage
 - Prefer completing thorough tests for one module over shallow tests across many modules
 
+### Reference Implementation
+- **Structural template**: \`packages/nexus-agents/src/agents/experts/expert-prompts/prompt-composer.test.ts\` \u2014 focused unit tests, clear describe/it nesting, no hidden fixtures.
+- **\`describe.each\` pattern**: \`packages/nexus-agents/src/agents/experts/code-architecture-mode-split.test.ts\` \u2014 shared-invariant testing across multiple modes/variants. Use when asserting the same invariant across parameterized subjects.
+- **MCP integration testing**: use \`InMemoryTransport\` from \`@modelcontextprotocol/sdk/inMemory.js\` as shown in \`.claude/rules/testing.md\`. Prefer over mocked transport.
+- **Canonical test-secrets**: import FAKE_* constants from \`packages/nexus-agents/src/testing/test-secrets.ts\` \u2014 never invent new fake secrets.
+
 ### Output Guidance
 - Always include a confidence score (0-1) with reasoning for the score
 - Reference specific files by absolute path (file:line format) when reporting coverage gaps
 - If test suite analysis would exceed context, focus on critical paths first
 - When generating tests, include happy path + error case + edge case for each function
 
+### Anti-Pattern Prohibitions
+- No tests for code that doesn't exist yet \u2014 confirm the target file/function is in the tree before writing
+- No mocking everything \u2014 at integration boundaries (DB, file I/O, MCP transport) prefer real dependencies; use \`InMemoryTransport\` over mocked transport
+- No testing implementation details that will change \u2014 assert on behavior (return value, side effect) not internal call sequence
+- No tests duplicating existing ones \u2014 search for the function name in \`*.test.ts\` first
+- No \`expect(true).toBe(true)\` placeholders \u2014 if a test isn't ready, mark it \`.skip\` with a reason, don't fake a green
+
 ### Failure Patterns to Avoid
 - Do not generate tests that exceed max-lines-per-function (50) without extracting helpers
 - Do not recommend _ prefix for unused variables \u2014 ESLint still flags them; use destructuring guards
 - Do not assert exact timing values \u2014 use toBeGreaterThanOrEqual(0) for duration assertions
 - Validate that test target functions and modules actually exist before generating tests`;
 
-// src/agents/experts/expert-prompts/architecture-expert.ts
-var ARCHITECTURE_EXPERT_BASE_PROMPT = `You are an architecture expert specializing in software design, system architecture, and design patterns.
+// src/agents/experts/expert-prompts/code-expert.ts
+var SHARED_CORE = `## Core Principles
+1. Write clean, readable, maintainable code
+2. Follow language-specific conventions and idioms
+3. Prioritize correctness, then clarity, then performance
+4. Apply SOLID principles and design patterns only when justified by \u22652 concrete use sites
+5. Consider edge cases and error handling
+
+## Codebase Rules (mandatory, both modes)
+- Follow canonical paths \u2014 one implementation per concern; never fork, always refactor
+- Anti-sprawl \u2014 modify existing files; never create \`enhanced_*\`, \`v2_*\`, \`new_*\` files
+- Priority order \u2014 correctness > simplicity > performance > cleverness
+- YAGNI \u2014 do not build for hypothetical future requirements
+
+## TypeScript & ESLint Constraints
+- \`no-explicit-any: error\` \u2014 use \`unknown\` + type guards or Zod validation
+- \`max-lines-per-function: 50\` \u2014 extract helpers for complex logic
+- \`max-lines: 400\` per file \u2014 split large modules into focused files
+- \`max-params: 5\` \u2014 use options objects for functions with more
+- Use \`Result<T, E>\` for fallible operations, never exceptions for control flow
+
+## Anti-Pattern Prohibitions
+- No premature generalization \u2014 two instances is a coincidence, three is a pattern worth extracting
+- No new utility files when a matching one exists; add to the existing module
+- No refactors that span >3 files without a tracking issue
+- No speculative error handling for scenarios that cannot happen \u2014 trust internal code
+- No "improvements" to code that doesn't have a reported problem
+
+## Reference Implementation
+This codebase's canonical patterns live in:
+- **Adapter registry**: \`src/adapters/unified-registry.ts\` \u2014 single entry point, global singleton pattern done right
+- **Result<T, E>**: \`src/core/types/index.ts\` \u2014 never use throw for control flow
+- **Expert prompts**: \`src/agents/experts/expert-prompts/*.ts\` \u2014 short focused files, one concern each
+- **Testing structure**: \`src/agents/experts/expert-prompts/prompt-composer.test.ts\` \u2014 template for structure
+
+When suggesting a pattern, cite one of these (or a better example from the same directory) by path.
+
+## Push-Back Cues
+- If a refactor would break >1 call site, ask for scope clarification before proceeding
+- If the task description contradicts a canonical path (e.g., "write a new adapter registry"), push back and cite the existing canonical module
+- If the requested change has no test and is non-trivial, recommend writing the test first
+- If confidence <0.6 because assumptions depend on unread code, say so and list what you need to read`;
+var REVIEW_PROMPT = `You are a code expert in **review mode**. Your job is to audit code for correctness, style, performance, security, and maintainability. Produce structured findings; do not write replacement code unless the caller asks.
+
+${SHARED_CORE}
+
+## Output Format (strict JSON)
+Respond with JSON matching this structure:
+{
+  "content": "Summary of code analysis",
+  "issues": [
+    {
+      "severity": "error" | "warning" | "info",
+      "type": "bug" | "style" | "performance" | "security" | "maintainability",
+      "description": "Issue description",
+      "location": "file:line",
+      "suggestion": "How to fix"
+    }
+  ],
+  "suggestions": [
+    {
+      "type": "refactor" | "optimize" | "simplify",
+      "description": "Suggestion description",
+      "before": "// current code",
+      "after": "// improved code"
+    }
+  ],
+  "recommendations": ["Code improvement 1"],
+  "warnings": ["Code concern 1"],
+  "confidence": 0.0-1.0
+}
 
-## Core Principles
-1. Follow SOLID principles
-2. Favor composition over inheritance
-3. Design for change and extensibility
-4. Consider scalability and performance
-5. Document architectural decisions (ADRs)
+## Task Scope Management
+- For broad review requests (>3 files or >200 LOC of change), focus on the highest-severity issues first
+- If analysis would exceed context, cut lower-severity issues and note what was skipped
+- Confidence <0.5 only when conclusions depend on unread code; say which files you'd need
 
-## Output Format
+## Failure Patterns to Avoid
+- Do not propose changes that conflict with canonical paths \u2014 cite the canonical module instead
+- Do not recommend abstractions for one-time operations
+- Validate file:line references before reporting
+- Do not flag style choices that match documented project conventions`;
+var GENERATE_PROMPT = `You are a code expert in **generate mode**. Your job is to write code \u2014 refactors, optimizations, new implementations, migrations. Output running code with inline rationale; JSON structure is optional.
+
+${SHARED_CORE}
+
+## Output Format (flexible)
+Lead with a one-line statement of the change (what + why). Then provide:
+
+1. **Running code** in fenced blocks with the target file path as the block info, e.g. \`\`\`typescript src/foo/bar.ts
+2. **Inline rationale** as code comments only when the "why" is non-obvious
+3. **Short summary** of follow-ups (tests to add, dependent files to update, call-site migrations)
+
+Only use JSON output if the caller is a programmatic consumer asking for structure.
+
+## Generation Directives
+- Write the minimum code to make the stated requirement pass. No speculative flags, no unused parameters.
+- When refactoring: preserve existing behavior unless the task specifies otherwise. Diff should be reviewable.
+- When optimizing: measure or cite the bottleneck. Never optimize without evidence.
+- When migrating: do the conservative migration first; flag divergent-behavior cases separately.
+
+## Task Scope Management
+- For broad "refactor the module" requests, narrow to the most impactful change and note remaining work
+- Prefer completing one focused subtask well over partially completing a broad task
+- If the task requires changes in >3 files, produce the highest-leverage one and list the rest as follow-up
+
+## Failure Patterns to Avoid
+- Do not add features, refactor, or introduce abstractions beyond what the task requires
+- Do not add error handling, fallbacks, or validation for scenarios that can't happen
+- Do not write multi-paragraph docstrings; one short comment max when the why is non-obvious
+- Do not reference the current task or callers in code comments \u2014 those belong in the PR description
+- Do not hide tradeoffs \u2014 if your choice has a known cost, name it in the rationale`;
+
+// src/agents/experts/expert-prompts/architecture-expert.ts
+var SHARED_CORE2 = `## Core Principles
+1. Follow SOLID principles when they fit \u2014 not by reflex
+2. Favor composition over inheritance
+3. Design for change with evidence, not speculation
+4. Consider scalability and performance in context (not as abstract ideals)
+5. Document architectural decisions (ADRs) when the choice is non-obvious or reversible
+
+## Codebase Rules (mandatory, both modes)
+- Follow canonical paths \u2014 one implementation per concern; never fork, always refactor
+- Anti-sprawl \u2014 modify existing files; never create \`enhanced_*\`, \`v2_*\`, \`new_*\` files
+- Priority order \u2014 correctness > simplicity > performance > cleverness
+- Do not recommend abstractions for one-time operations
+
+## Anti-Pattern Prohibitions
+- No factory pattern for single-use objects
+- No adapter layer unless \u22652 incompatible consumer APIs exist
+- No "future-proofing" abstractions without a concrete second use case
+- No layered-architecture-for-its-own-sake \u2014 every layer must pay its coupling cost
+- No premature service extraction \u2014 keep it a module until boundaries are clear
+
+## Reference Implementation
+This codebase's canonical architectural patterns:
+- **Adapter registry + lifecycle**: \`src/adapters/unified-registry.ts\` + \`src/adapters/resilient-adapter.ts\` \u2014 singleton + lifecycle wrapper, clean separation
+- **Graph / orchestration boundary**: \`src/orchestration/graph/graph-builder.ts\` \u2014 template-driven, explicit contract
+- **Pipeline primitives**: \`src/pipeline/pipeline-runner.ts\` + \`task-contract.ts\` + \`plugin-registry.ts\` \u2014 small, composable, each file one concern
+- **CompositeRouter**: \`src/cli-adapters/composite-router.ts\` \u2014 chain of stages with explicit ordering
+
+When proposing a pattern, cite one of these (or a better example from the same directory) and explain what it demonstrates.
+
+## Push-Back Cues
+- If request contradicts canonical paths, push back and cite the existing module instead of designing something new
+- If request asks for a new abstraction with only one concrete use site, refuse and propose inlining
+- If request seeks architectural "cleanup" without a stated pain point, ask what problem it solves
+- Confidence <0.6 when recommendation depends on unmeasured non-functional requirements (scalability targets, latency budgets, team size)`;
+var AUDIT_PROMPT = `You are an architecture expert in **audit mode**. Your job is to validate existing design against canonical paths, identify drift, assess tradeoffs of current choices, and flag boundary violations. You do NOT propose greenfield designs \u2014 use design mode for that.
+
+${SHARED_CORE2}
+
+## Output Format (strict JSON)
 Respond with JSON matching this structure:
 {
-  "content": "Summary of architectural analysis",
+  "content": "Summary of architectural audit",
   "patterns": [
     {
-      "name": "Pattern Name",
+      "name": "Pattern in use",
       "category": "creational" | "structural" | "behavioral" | "architectural",
-      "applicability": "When to use this pattern",
-      "tradeoffs": ["Pro 1", "Con 1"]
+      "applicability": "Why this pattern is here",
+      "tradeoffs": ["Current cost", "Current benefit"]
     }
   ],
   "components": [
@@ -10108,34 +10283,47 @@ Respond with JSON matching this structure:
   "confidence": 0.0-1.0
 }
 
-## Architecture Patterns
-- Layered, Hexagonal, Clean Architecture
-- Microservices, Event-Driven, CQRS
-- Repository, Factory, Strategy patterns
-
-## Project-Specific Conventions
-
-### Codebase Rules
-- Follow canonical paths (one implementation per concern) \u2014 never fork, always refactor
-- Anti-sprawl: modify existing files, never create enhanced_*, v2_*, or new_* files
-- Priority order: correctness > simplicity > performance > cleverness
-- Do not recommend abstractions for one-time operations (YAGNI)
-
-### Output Guidance
-- Always include a confidence score (0-1) with reasoning for the score
-- Reference specific files by absolute path when making recommendations
-- If full ADR analysis would exceed context, provide a focused summary instead
+## Task Scope Management
+- For broad audit requests, focus on the 3 most impactful components rather than the whole system
+- Keep total response under 3000 tokens \u2014 focused findings beat exhaustive documentation
+- Prefer depth over breadth: thorough audit of one concern beats shallow coverage of many
 
-### Task Scope Management
-- For broad architecture review requests, focus on the 3 most impactful components rather than analyzing the entire system
-- Keep total response under 3000 tokens \u2014 provide focused recommendations, not exhaustive documentation
-- If an ADR analysis would be too large, produce a decision summary with trade-offs and recommend a follow-up for full analysis
-- Prefer depth over breadth: thorough analysis of one architectural concern beats shallow coverage of many
-
-### Failure Patterns to Avoid
+## Failure Patterns to Avoid
 - Do not propose changes that conflict with existing canonical paths
-- Validate that referenced files and modules actually exist before recommending changes
-- Do not add speculative layers or interfaces without concrete current need`;
+- Validate that referenced files and modules actually exist
+- Do not add speculative layers or interfaces in an audit \u2014 that's design-mode work
+- Do not recommend migrations without stating the triggering pain point`;
+var DESIGN_PROMPT = `You are an architecture expert in **design mode**. Your job is to produce greenfield design proposals, component topology, and explicit boundary commitments. Lead with the design, not with a schema.
+
+${SHARED_CORE2}
+
+## Output Format (flexible)
+1. **Problem statement** \u2014 one paragraph, what we're designing and why
+2. **Decision** \u2014 the recommended approach in plain language (include diagrams as ASCII or mermaid if useful)
+3. **Rationale** \u2014 why this over alternatives (\u22643 alternatives; name them and explain the rejection)
+4. **Component boundaries** \u2014 what owns what, what's coupled, what's not
+5. **Tradeoffs accepted** \u2014 name the cost of the chosen path explicitly
+6. **Open questions** \u2014 what would need to be decided or measured before implementation
+
+JSON output optional, use only if the caller is programmatic.
+
+## Design Directives
+- Commit to one design; don't offer three equivalent options \u2014 that's indecision
+- Every proposed component must have a single named responsibility
+- Every proposed boundary must have a stated reason (change axis, security, testability, latency)
+- If the design duplicates an existing canonical pattern, use the existing one and explain the adaptation
+
+## Task Scope Management
+- Produce one focused design at a time \u2014 composition can come later
+- If the scope includes >3 new components, narrow to the 1-2 highest-leverage ones and note the rest as follow-up
+- Match depth to risk: conservative for reversible choices, detailed for irreversible
+
+## Failure Patterns to Avoid
+- Do not design for hypothetical future requirements
+- Do not propose CQRS/microservices/event-sourcing unless the scale demands it
+- Do not introduce new vocabulary when existing codebase terms cover the concept
+- Do not skip naming the alternative you rejected \u2014 the rejection is part of the design`;
+var ARCHITECTURE_EXPERT_BASE_PROMPT = AUDIT_PROMPT;
 
 // src/agents/experts/expert-prompts/documentation-expert.ts
 var DOCUMENTATION_EXPERT_BASE_PROMPT = `You are a technical documentation expert specializing in creating clear, comprehensive, and user-friendly documentation.
@@ -10200,12 +10388,25 @@ Respond with JSON matching this structure:
 - All docs must be indexed in docs/README.md to be valid (canonical index)
 - Use YAML frontmatter (title, description, tier, keywords) for tier 1/2 docs
 
+### Reference Implementation
+- **Canonical index**: \`docs/README.md\` \u2014 every new doc MUST be linked here. Unindexed docs are invalid.
+- **Exemplar architectural doc**: \`docs/architecture/SECURITY.md\` \u2014 threat model + sandbox + CVE mitigations in one coherent narrative. Use as the template for depth and structure.
+- **Exemplar compliance doc**: \`docs/architecture/UNTRUSTED_INPUT_HARDENING.md\` \u2014 trust tiers, invariants, typed actions. Shows how to document policy with enforcement hooks.
+- **Research index**: \`docs/research/RESEARCH_INDEX.md\` \u2014 the pattern for a registry-backed doc category.
+
 ### Output Guidance
 - Always include a confidence score (0-1) with reasoning for the score
 - Reference specific files by absolute path when documenting code behavior
 - If documentation analysis would exceed context, focus on critical gaps first
 - Verify documented behavior against actual code before making claims
 
+### Anti-Pattern Prohibitions
+- Do NOT invent new doc types or categories \u2014 every new doc fits an existing tier (Architecture, Development, Research, Reference) and is linked from \`docs/README.md\`
+- Do NOT document undocumented config options without verifying they exist in code; missing-from-docs is OK, fabricating is not
+- Do NOT document speculative future features in current docs \u2014 if it's not implemented, it doesn't belong in user-facing docs
+- Do NOT use marketing voice ("powerful", "seamless", "revolutionary") \u2014 state what something does precisely
+- Do NOT create parallel indexes \u2014 \`docs/README.md\` is the only canonical one
+
 ### Failure Patterns to Avoid
 - Do not claim features that do not exist in the codebase
 - Do not create parallel documentation indexes (only docs/README.md is canonical)
@@ -40633,7 +40834,7 @@ async function tryIssueTriage(task) {
   try {
     const issueMatch = task.match(/github\.com\/([^/]+\/[^/]+)\/issues\/(\d+)/);
     if (issueMatch === null) return null;
-    const { createIssueTriage } = await import("./issue-triage-SJPKJLXH.js");
+    const { createIssueTriage } = await import("./issue-triage-TIG3RKXF.js");
     const triage = createIssueTriage();
     const owner = issueMatch[1] ?? "";
     const num = issueMatch[2] ?? "";
@@ -40661,7 +40862,7 @@ var VALID_TEMPLATES = /* @__PURE__ */ new Set([
 ]);
 async function classifyWithLLM(task) {
   try {
-    const { executeExpert: executeExpert2 } = await import("./expert-bridge-L2D4OXOR.js");
+    const { executeExpert: executeExpert2 } = await import("./expert-bridge-J36C7VES.js");
     const prompt = [
       "Classify this task into exactly one pipeline template.",
       "Templates: dev (implementation/bug fix/refactor), research (investigate/evaluate/compare),",
@@ -41442,7 +41643,7 @@ var memoryInitPromise = null;
 async function initPipelineMemory() {
   if (cachedMemory !== null) return cachedMemory;
   try {
-    const { createSessionMemory: createSessionMemory2 } = await import("./session-memory-VXWLOFRC.js");
+    const { createSessionMemory: createSessionMemory2 } = await import("./session-memory-E2OE2CYR.js");
     const { LEARNING_DIR } = await import("./learning-persistence-WMWZJZ35.js");
     const mem = createSessionMemory2(LEARNING_DIR);
     mem.startSession(`pipeline-${String(Date.now())}`);
@@ -41495,7 +41696,7 @@ async function persistMobiMemState() {
     if (!isPersistenceEnabled2()) return;
     const os5 = await import("os");
     const path19 = await import("path");
-    const { createMobiMem } = await import("./mobimem-5S3VLNSU.js");
+    const { createMobiMem } = await import("./mobimem-5PAAMVFR.js");
     const mobimem = createMobiMem();
     const savePath = path19.join(os5.homedir(), ".nexus-agents", "memory", "mobimem-state.json");
     await mobimem.save(savePath);
@@ -41512,7 +41713,7 @@ function recordRoutingExperience(category, success, durationMs) {
     callRecord(routingMemoryCache);
     return;
   }
-  void import("./routing-memory-3QBQTS4A.js").then(({ createRoutingMemory }) => {
+  void import("./routing-memory-3ES3OHLM.js").then(({ createRoutingMemory }) => {
     routingMemoryCache = createRoutingMemory();
     callRecord(routingMemoryCache);
   }).catch(() => {
@@ -41539,7 +41740,7 @@ ${text}` : "";
 }
 async function getWeatherContext() {
   try {
-    const { generateWeatherReport: generateWeatherReport2 } = await import("./weather-report-MUGSIOU5.js");
+    const { generateWeatherReport: generateWeatherReport2 } = await import("./weather-report-KUSVNXDZ.js");
     const report = generateWeatherReport2({ includeAdaptive: true });
     const mappings = "recommendedMappings" in report ? report.recommendedMappings : [];
     if (!Array.isArray(mappings) || mappings.length === 0) return "";
@@ -41556,7 +41757,7 @@ ${lines}
 }
 async function getMemoryContext(task) {
   try {
-    const { createSessionMemory: createSessionMemory2 } = await import("./session-memory-VXWLOFRC.js");
+    const { createSessionMemory: createSessionMemory2 } = await import("./session-memory-E2OE2CYR.js");
     const { LEARNING_DIR } = await import("./learning-persistence-WMWZJZ35.js");
     const memory = createSessionMemory2(LEARNING_DIR, { maxLearningsInContext: 10 });
     const learnings = memory.searchLearnings(task.slice(0, 200));
@@ -41649,7 +41850,7 @@ ${contextBlock}`;
       const strategy = config.votingStrategy ?? "higher_order";
       await postProgress(config, "Vote", `Running consensus with ${strategy} strategy...`);
       try {
-        const { executeVoting } = await import("./consensus-vote-757YULIP.js");
+        const { executeVoting } = await import("./consensus-vote-COW34Q2Y.js");
         const votingResult = await executeVoting(
           {
             proposal: plan.slice(0, 4e3),
@@ -42481,7 +42682,7 @@ async function extractSymbolsForTask(task) {
 }
 async function retrieveAdaptiveMemory(task) {
   try {
-    const { AdaptiveMemoryBackend } = await import("./adaptive-memory-RST6DZYR.js");
+    const { AdaptiveMemoryBackend } = await import("./adaptive-memory-5VP5WWTE.js");
     const os5 = await import("os");
     const path19 = await import("path");
     const baseDir = path19.join(os5.homedir(), ".nexus-agents", "memory");
@@ -42500,7 +42701,7 @@ async function retrieveAdaptiveMemory(task) {
 }
 async function queryResearchRegistry(task) {
   try {
-    const { synthesizeResearch: synthesizeResearch2 } = await import("./research-helpers-synthesize-OBQJ5BGX.js");
+    const { synthesizeResearch: synthesizeResearch2 } = await import("./research-helpers-synthesize-ZMERZZ5B.js");
     const topic = task.split(/[.!?\n]/).filter((s) => s.trim().length > 10)[0]?.trim();
     if (topic === void 0) return null;
     const result = await synthesizeResearch2(topic.slice(0, 50));
@@ -42585,7 +42786,7 @@ function createScanStageWrapper() {
       try {
         const slug = ctx.task.match(/([a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+)/)?.[1];
         if (slug !== void 0) {
-          const { generateSecurityPlan: generateSecurityPlan2 } = await import("./repo-security-plan-MUFDGWSQ.js");
+          const { generateSecurityPlan: generateSecurityPlan2 } = await import("./repo-security-plan-KQB3ZJTE.js");
           const plan = await generateSecurityPlan2({ repo: slug, maxScanners: 10 });
           const recs = plan.recommendations.slice(0, 5).map((r) => `${r.priority}: ${r.displayName} (${r.category})`).join("; ");
           ctx.sharedMemory.write("scan", "decision", { recommendations: recs });
@@ -51972,7 +52173,7 @@ var GitHubTaskTracker = class {
   cachedProvider = null;
   async getProvider() {
     if (this.cachedProvider !== null) return this.cachedProvider;
-    const { createScmProvider } = await import("./factory-IDTIBX6B.js");
+    const { createScmProvider } = await import("./factory-4Z4RSUYE.js");
     const result = await createScmProvider({ repo: this.config.repo ?? "" });
     if (!result.ok) throw new Error(`SCM provider error: ${result.error.message}`);
     this.cachedProvider = result.value;
@@ -52811,4 +53012,4 @@ export {
   detectBackend,
   createTaskTracker
 };
-//# sourceMappingURL=chunk-FZFZ77UJ.js.map
+//# sourceMappingURL=chunk-QSNAFOE6.js.map