nexus-agents 2.77.1 → 2.77.3

package/dist/{chunk-BC3M4VLP.js → chunk-BMOPMCFZ.js}

@@ -190,7 +190,10 @@ function analyzeRepo(metadata, topLevelEntries, workflowEntries) {
     packageManager: detectPackageManager(topLevelEntries),
     ciProvider,
     securityTooling: secTooling,
-    hasDockerfile: topLevelEntries.includes("Dockerfile") || topLevelEntries.includes("docker-compose.yml") || topLevelEntries.includes("docker-compose.yaml"),
+    // Match `Dockerfile`, `Dockerfile.<purpose>` (e.g. `Dockerfile.sandbox`),
+    // and docker-compose variants. Pre-#2730 the check was exact-match only,
+    // so a repo with three legitimate `Dockerfile.*` files reported false.
+    hasDockerfile: topLevelEntries.some((e) => e === "Dockerfile" || e.startsWith("Dockerfile.")) || topLevelEntries.includes("docker-compose.yml") || topLevelEntries.includes("docker-compose.yaml"),
     hasHelmCharts: topLevelEntries.includes("Chart.yaml") || topLevelEntries.includes("charts") || topLevelEntries.includes("helm"),
     hasMakefile: topLevelEntries.includes("Makefile"),
     hasTests,
@@ -356,4 +359,4 @@ export {
   analyzeRepo,
   analyzeGitHubRepo
 };
-//# sourceMappingURL=chunk-BC3M4VLP.js.map
+//# sourceMappingURL=chunk-BMOPMCFZ.js.map

package/dist/chunk-BMOPMCFZ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/mcp/tools/repo-analyze.ts"],"sourcesContent":["/* eslint-disable max-lines -- cohesive module, governance allows 400-600 */\n/**\n * nexus-agents/mcp - Repository Analyze Logic\n *\n * Inspects a GitHub repository and returns structured analysis\n * including language, tooling, CI, security, and gap identification.\n *\n * @module mcp/tools/repo-analyze\n * (Source: Issue #1074)\n */\n\nimport type { RepoAnalyzeInput, RepoAnalysis } from './repo-analyze-types.js';\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\n/** Normalize \"owner/repo\" from either \"owner/repo\" or full GitHub URL. */\nexport function normalizeRepoId(input: string): string {\n  const urlMatch = /github\\.com\\/([^/]+\\/[^/]+?)(?:\\.git)?(?:\\/|$)/.exec(input);\n  const matched = urlMatch?.[1] ?? '';\n  if (matched.length > 0) return matched;\n  if (/^[^/]+\\/[^/]+$/.test(input)) return input;\n  throw new Error(`Invalid repo format: \"${input}\". Use \"owner/name\" or a GitHub URL.`);\n}\n\n/** Package manager detection rules: [files, manager]. First match wins. */\nconst PACKAGE_MANAGER_RULES: ReadonlyArray<readonly [readonly string[], string]> = [\n  [['pnpm-lock.yaml'], 'pnpm'],\n  [['yarn.lock'], 'yarn'],\n  [['package-lock.json', 'package.json'], 'npm'],\n  [['Cargo.toml'], 'cargo'],\n  [['go.mod'], 'go'],\n  [['requirements.txt', 'pyproject.toml'], 'pip'],\n  [['Gemfile'], 'bundler'],\n  [['pom.xml'], 'maven'],\n  [['build.gradle', 'build.gradle.kts'], 'gradle'],\n];\n\n/** Detect package manager from top-level files. */\nexport function detectPackageManager(entries: readonly string[]): string | null {\n  for (const [files, manager] of PACKAGE_MANAGER_RULES) {\n    if (files.some((f) => entries.includes(f))) return manager;\n  }\n  return null;\n}\n\n/** Detect CI provider from directory structure. */\nexport function detectCiProvider(entries: readonly string[]): string | null {\n  if (entries.includes('.github')) return 'github-actions';\n  if (entries.includes('.gitlab-ci.yml')) return 'gitlab-ci';\n  if (entries.includes('Jenkinsfile')) return 'jenkins';\n  if (entries.includes('.circleci')) return 'circleci';\n  if (entries.includes('.travis.yml')) return 'travis';\n  if (entries.includes('azure-pipelines.yml')) return 'azure-devops';\n  if (entries.includes('concourse')) return 'concourse';\n  return null;\n}\n\n/** Tool names detectable from CI workflow filenames (#1674). */\nconst WORKFLOW_SECURITY_PATTERNS: ReadonlyArray<readonly [string, string]> = [\n  ['semgrep', 'semgrep'],\n  ['codeql', 'codeql'],\n  ['grype', 'grype'],\n  ['snyk', 'snyk'],\n];\n\n/** Detect security tools from .github/workflows/ filenames. */\nfunction detectWorkflowSecurity(\n  workflowEntries: readonly string[],\n  existing: readonly string[]\n): readonly string[] {\n  const wfLower = workflowEntries.map((w) => w.toLowerCase());\n  const found: string[] = [];\n  for (const [pattern, tool] of WORKFLOW_SECURITY_PATTERNS) {\n    if (!existing.includes(tool) && wfLower.some((w) => w.includes(pattern))) {\n      found.push(tool);\n    }\n  }\n  return found;\n}\n\n/** Detect security tooling from root files and CI workflow filenames (#1674). */\nexport function detectSecurityTooling(\n  entries: readonly string[],\n  workflowEntries?: readonly string[]\n): readonly string[] {\n  const tools: string[] = [];\n  if (entries.includes('.semgrep.yml') || entries.includes('.semgrep')) tools.push('semgrep');\n  if (entries.includes('.snyk')) tools.push('snyk');\n  if (entries.includes('SECURITY.md')) tools.push('security-policy');\n  if (entries.includes('.grype.yaml')) tools.push('grype');\n  if (entries.includes('CODEOWNERS')) tools.push('codeowners');\n  if (workflowEntries !== undefined) {\n    tools.push(...detectWorkflowSecurity(workflowEntries, tools));\n  }\n  return tools;\n}\n\n/** Detect framework from package manager config. */\nexport function detectFramework(entries: readonly string[]): string | null {\n  if (entries.includes('helmfile.yaml') || entries.includes('helmfile.yaml.gotmpl'))\n    return 'helmfile';\n  if (entries.includes('next.config.js') || entries.includes('next.config.ts')) return 'nextjs';\n  if (entries.includes('angular.json')) return 'angular';\n  if (entries.includes('vite.config.ts') || entries.includes('vite.config.js')) return 'vite';\n  if (entries.includes('tsconfig.json') && entries.includes('package.json')) return 'typescript';\n  return null;\n}\n\n/** Gap detection rules: [files-any-present, gap message]. */\nconst GAP_RULES: ReadonlyArray<readonly [readonly string[], string]> = [\n  [['SECURITY.md'], 'No SECURITY.md policy'],\n  [['CODEOWNERS'], 'No CODEOWNERS file'],\n  [['LICENSE', 'LICENSE.md'], 'No LICENSE file'],\n  [\n    ['.semgrep.yml', '.semgrep', '.grype.yaml', '.snyk'],\n    'No SAST/SCA security scanning configured',\n  ],\n  // Test detection handled separately via detectTestInfra (supports monorepo + co-located patterns)\n  [['.gitignore'], 'No .gitignore file'],\n];\n\n/** Scanner recommendation per language. Canonical source: secure-language-stacks. */\ninterface LanguageScanners {\n  readonly sast: readonly string[];\n  readonly sca: readonly string[];\n}\n\nconst LANGUAGE_SCANNER_MATRIX: Readonly<Record<string, LanguageScanners>> = {\n  TypeScript: {\n    sast: ['semgrep (p/typescript, p/nodejs)', 'eslint-plugin-security'],\n    sca: ['osv-scanner', 'npm audit'],\n  },\n  JavaScript: {\n    sast: ['semgrep (p/javascript, p/nodejs)', 'eslint-plugin-security'],\n    sca: ['osv-scanner', 'npm audit'],\n  },\n  Python: {\n    sast: ['semgrep (p/python)', 'bandit'],\n    sca: ['osv-scanner', 'pip-audit'],\n  },\n  Java: {\n    sast: ['semgrep (p/java)', 'spotbugs + find-sec-bugs'],\n    sca: ['osv-scanner', 'OWASP dependency-check'],\n  },\n  Go: {\n    sast: ['semgrep (p/golang)', 'gosec'],\n    sca: ['osv-scanner', 'govulncheck'],\n  },\n  Rust: {\n    sast: ['semgrep (p/rust)'],\n    sca: ['osv-scanner', 'cargo-audit'],\n  },\n  'C++': {\n    sast: ['semgrep (p/c)', 'cppcheck'],\n    sca: ['osv-scanner'],\n  },\n  C: {\n    sast: ['semgrep (p/c)', 'cppcheck'],\n    sca: ['osv-scanner'],\n  },\n  Kotlin: {\n    sast: ['semgrep (p/kotlin)', 'detekt'],\n    sca: ['osv-scanner', 'OWASP dependency-check'],\n  },\n  Swift: {\n    sast: ['semgrep (p/swift)'],\n    sca: ['osv-scanner'],\n  },\n  Ruby: {\n    sast: ['semgrep (p/ruby)', 'brakeman'],\n    sca: ['osv-scanner', 'bundler-audit'],\n  },\n  PHP: {\n    sast: ['semgrep (p/php)', 'phpstan'],\n    sca: ['osv-scanner', 'composer audit'],\n  },\n  Shell: {\n    sast: ['semgrep (p/bash)', 'shellcheck'],\n    sca: [],\n  },\n  HCL: {\n    sast: ['semgrep (p/terraform)', 'tfsec'],\n    sca: ['osv-scanner'],\n  },\n};\n\n/** Generate language-specific scanner recommendations when SAST/SCA is missing. */\nexport function getLanguageRecommendations(\n  language: string | null,\n  securityTooling: readonly string[]\n): readonly string[] {\n  if (language === null) return [];\n  const scanners = LANGUAGE_SCANNER_MATRIX[language];\n  if (scanners === undefined) return [];\n\n  const hasSast = securityTooling.includes('semgrep') || securityTooling.includes('snyk');\n  const hasSca =\n    securityTooling.includes('osv-scanner') ||\n    securityTooling.includes('grype') ||\n    securityTooling.includes('snyk');\n\n  const recs: string[] = [];\n  if (!hasSast && scanners.sast.length > 0) {\n    const tools = scanners.sast.join(', ');\n    recs.push(`${language} project missing SAST: ${tools}`);\n  }\n  if (!hasSca && scanners.sca.length > 0) {\n    const tools = scanners.sca.join(', ');\n    recs.push(`${language} project missing SCA: ${tools}`);\n  }\n  return recs;\n}\n\n/** SAST tool names that suppress the generic gap message. */\nconst SAST_TOOLS = new Set(['semgrep', 'codeql', 'snyk']);\nconst SAST_GAP_MSG = 'No SAST/SCA security scanning configured';\n\n/** Remove the SAST/SCA gap if any SAST tool was detected (#1674). */\nfunction removeSastGapIfToolDetected(gaps: string[], secTools: readonly string[]): void {\n  if (secTools.some((t) => SAST_TOOLS.has(t))) {\n    const idx = gaps.indexOf(SAST_GAP_MSG);\n    if (idx !== -1) gaps.splice(idx, 1);\n  }\n}\n\n/** Identify gaps in repository best practices. */\nexport function identifyGaps(\n  entries: readonly string[],\n  ciProvider: string | null,\n  language?: string | null,\n  securityTooling?: readonly string[]\n): readonly string[] {\n  const gaps: string[] = [];\n  if (ciProvider === null) gaps.push('No CI/CD configuration detected');\n  for (const [files, message] of GAP_RULES) {\n    if (!files.some((f) => entries.includes(f))) gaps.push(message);\n  }\n  // Test detection: uses detectTestInfra for monorepo + co-located pattern support (#1130)\n  if (!detectTestInfra(entries)) gaps.push('No test directory detected');\n\n  // Remove SAST/SCA gap if workflow-level security was detected (#1674)\n  removeSastGapIfToolDetected(gaps, securityTooling ?? []);\n\n  // Language-specific recommendations when generic SAST/SCA gap detected\n  const hasGenericSecGap = gaps.includes('No SAST/SCA security scanning configured');\n  if (\n    hasGenericSecGap &&\n    language !== null &&\n    language !== undefined &&\n    securityTooling !== undefined\n  ) {\n    const langRecs = getLanguageRecommendations(language, securityTooling);\n    gaps.push(...langRecs);\n  }\n\n  return gaps;\n}\n\n// ============================================================================\n// Core\n// ============================================================================\n\n/** GitHub repo metadata from the API. */\nexport interface GhRepoMetadata {\n  readonly name: string;\n  readonly full_name: string;\n  readonly description: string | null;\n  readonly language: string | null;\n  readonly default_branch: string;\n  readonly stargazers_count: number;\n  readonly license: { readonly spdx_id: string } | null;\n}\n\n/** Analyze a GitHub repository given its metadata and file tree. */\nexport function analyzeRepo(\n  metadata: GhRepoMetadata,\n  topLevelEntries: readonly string[],\n  workflowEntries?: readonly string[]\n): RepoAnalysis {\n  const ciProvider = detectCiProvider(topLevelEntries);\n  const secTooling = detectSecurityTooling(topLevelEntries, workflowEntries);\n  const hasTests = detectTestInfra(topLevelEntries);\n\n  return {\n    name: metadata.full_name,\n    language: metadata.language,\n    framework: detectFramework(topLevelEntries),\n    packageManager: detectPackageManager(topLevelEntries),\n    ciProvider,\n    securityTooling: secTooling,\n    // Match `Dockerfile`, `Dockerfile.<purpose>` (e.g. `Dockerfile.sandbox`),\n    // and docker-compose variants. Pre-#2730 the check was exact-match only,\n    // so a repo with three legitimate `Dockerfile.*` files reported false.\n    hasDockerfile:\n      topLevelEntries.some((e) => e === 'Dockerfile' || e.startsWith('Dockerfile.')) ||\n      topLevelEntries.includes('docker-compose.yml') ||\n      topLevelEntries.includes('docker-compose.yaml'),\n    hasHelmCharts:\n      topLevelEntries.includes('Chart.yaml') ||\n      topLevelEntries.includes('charts') ||\n      topLevelEntries.includes('helm'),\n    hasMakefile: topLevelEntries.includes('Makefile'),\n    hasTests,\n    license: metadata.license?.spdx_id ?? null,\n    description: metadata.description,\n    defaultBranch: metadata.default_branch,\n    stars: metadata.stargazers_count,\n    topLevelEntries: [...topLevelEntries],\n    gaps: identifyGaps(topLevelEntries, ciProvider, metadata.language, secTooling),\n  };\n}\n\n/** Non-code languages to exclude when detecting primary language. */\nconst MARKUP_LANGUAGES = new Set([\n  'HTML',\n  'CSS',\n  'SCSS',\n  'Less',\n  'Markdown',\n  'Roff',\n  'SVG',\n  'XML',\n  'XSLT',\n  'Mustache',\n  'Handlebars',\n  'EJS',\n]);\n\n/** Detect primary language from GitHub languages API (byte counts). */\nfunction detectPrimaryLanguage(\n  languages: Record<string, number>,\n  fallback: string | null\n): string | null {\n  const sorted = Object.entries(languages)\n    .filter(([lang]) => !MARKUP_LANGUAGES.has(lang))\n    .sort((a, b) => b[1] - a[1]);\n  const top = sorted[0];\n  return top !== undefined ? top[0] : fallback;\n}\n\n/** Check for test infrastructure beyond top-level directories. */\nfunction detectTestInfra(entries: readonly string[]): boolean {\n  const testDirs = ['tests', 'test', '__tests__', 'spec'];\n  if (testDirs.some((d) => entries.includes(d))) return true;\n  // Check for test config files (co-located test pattern, monorepos)\n  const testConfigs = [\n    'vitest.config.ts',\n    'vitest.config.js',\n    'vitest.config.mts',\n    'vitest.workspace.ts',\n    'vitest.workspace.js',\n    'jest.config.ts',\n    'jest.config.js',\n    'jest.config.mjs',\n    'cypress.config.ts',\n    'cypress.config.js',\n    'playwright.config.ts',\n    '.mocharc.yml',\n    '.mocharc.json',\n  ];\n  if (testConfigs.some((c) => entries.includes(c))) return true;\n  // Monorepo: packages/ dir + package.json implies co-located tests\n  return entries.includes('packages') && entries.includes('package.json');\n}\n\n/** Infer code language from project files when GitHub reports markup. */\nfunction inferLanguageFromEntries(\n  entries: readonly string[],\n  fallback: string | null\n): string | null {\n  if (entries.includes('tsconfig.json')) return 'TypeScript';\n  if (entries.includes('Cargo.toml')) return 'Rust';\n  if (entries.includes('go.mod')) return 'Go';\n  if (entries.includes('pyproject.toml') || entries.includes('setup.py')) return 'Python';\n  if (entries.includes('pom.xml') || entries.includes('build.gradle')) return 'Java';\n  if (entries.includes('Gemfile')) return 'Ruby';\n  if (entries.includes('package.json')) return 'JavaScript';\n  return fallback;\n}\n\ntype ExecFileFn = (\n  cmd: string,\n  args: string[],\n  options?: { timeout?: number }\n) => Promise<{ stdout: string }>;\n\n/** Lazy-load promisified execFile. */\nasync function getExecFile(): Promise<ExecFileFn> {\n  const { execFile } = await import('node:child_process');\n  const { promisify } = await import('node:util');\n  return promisify(execFile);\n}\n\n/** Fetch repo metadata and languages via GitHub API. */\nasync function fetchRepoData(\n  repoId: string,\n  exec: ExecFileFn\n): Promise<{ metadata: GhRepoMetadata; entries: string[] }> {\n  const { stdout: metaJson } = await exec(\n    'gh',\n    [\n      'api',\n      `repos/${repoId}`,\n      '--jq',\n      '{name: .name, full_name: .full_name, description: .description, language: .language, default_branch: .default_branch, stargazers_count: .stargazers_count, license: .license}',\n    ],\n    { timeout: 30_000 }\n  );\n  let metadata: GhRepoMetadata;\n  try {\n    metadata = JSON.parse(metaJson.trim()) as GhRepoMetadata;\n  } catch {\n    throw new Error(`Failed to parse repo metadata for ${repoId}: ${metaJson.slice(0, 200)}`);\n  }\n  const { stdout: contentsJson } = await exec(\n    'gh',\n    ['api', `repos/${repoId}/contents`, '--jq', '[.[].name]'],\n    { timeout: 30_000 }\n  );\n  let entries: string[];\n  try {\n    const parsed: unknown = JSON.parse(contentsJson.trim());\n    entries = Array.isArray(parsed) ? parsed.filter((e): e is string => typeof e === 'string') : [];\n  } catch {\n    throw new Error(`Failed to parse repo contents for ${repoId}: ${contentsJson.slice(0, 200)}`);\n  }\n  return { metadata, entries };\n}\n\n/** Resolve NOASSERTION license via the GitHub license API. */\nasync function resolveLicense(repoId: string, exec: ExecFileFn): Promise<string | null> {\n  try {\n    const { stdout } = await exec(\n      'gh',\n      ['api', `repos/${repoId}/license`, '--jq', '.license.spdx_id'],\n      { timeout: 15_000 }\n    );\n    const spdxId = stdout.trim();\n    if (spdxId !== '' && spdxId !== 'null' && spdxId !== 'NOASSERTION') {\n      return spdxId;\n    }\n  } catch {\n    // Keep NOASSERTION if license API also fails\n  }\n  return null;\n}\n\n/** Resolve primary language, falling back to entry inference for markup repos. */\nasync function resolveLanguage(\n  repoId: string,\n  entries: readonly string[],\n  metadata: GhRepoMetadata,\n  exec: ExecFileFn\n): Promise<string | null> {\n  let languages: Record<string, number> = {};\n  try {\n    const { stdout } = await exec('gh', ['api', `repos/${repoId}/languages`], { timeout: 15_000 });\n    languages = JSON.parse(stdout.trim()) as Record<string, number>;\n  } catch {\n    /* fall back to metadata.language */\n  }\n  const primary = detectPrimaryLanguage(languages, metadata.language);\n  if (primary === null || MARKUP_LANGUAGES.has(primary)) {\n    return inferLanguageFromEntries(entries, primary);\n  }\n  return primary;\n}\n\n/** Fetch workflow filenames from .github/workflows/ (#1674). Best-effort. */\nasync function fetchWorkflowEntries(repoId: string, exec: ExecFileFn): Promise<readonly string[]> {\n  try {\n    const { stdout } = await exec(\n      'gh',\n      ['api', `repos/${repoId}/contents/.github/workflows`, '--jq', '[.[].name]'],\n      { timeout: 15_000 }\n    );\n    const parsed: unknown = JSON.parse(stdout.trim());\n    return Array.isArray(parsed) ? parsed.filter((e): e is string => typeof e === 'string') : [];\n  } catch {\n    return []; // No workflows directory or API error — graceful fallback\n  }\n}\n\n/** Fetch repo data from GitHub and produce analysis. */\nexport async function analyzeGitHubRepo(input: RepoAnalyzeInput): Promise<RepoAnalysis> {\n  const repoId = normalizeRepoId(input.repo);\n  const exec = await getExecFile();\n  const { metadata, entries } = await fetchRepoData(repoId, exec);\n\n  const primaryLang = await resolveLanguage(repoId, entries, metadata, exec);\n  const enhanced = { ...metadata, language: primaryLang };\n\n  // Resolve null or NOASSERTION license when LICENSE file exists\n  const hasLicenseFile = entries.includes('LICENSE') || entries.includes('LICENSE.md');\n  const licenseUnresolved = enhanced.license === null || enhanced.license.spdx_id === 'NOASSERTION';\n  if (licenseUnresolved && hasLicenseFile) {\n    const resolved = await resolveLicense(repoId, exec);\n    if (resolved !== null) enhanced.license = { spdx_id: resolved };\n  }\n\n  // Fetch workflow filenames for CI-level security detection (#1674)\n  const workflowEntries = entries.includes('.github')\n    ? await fetchWorkflowEntries(repoId, exec)\n    : [];\n\n  return analyzeRepo(enhanced, entries, workflowEntries);\n}\n"],"mappings":";AAkBO,SAAS,gBAAgB,OAAuB;AACrD,QAAM,WAAW,iDAAiD,KAAK,KAAK;AAC5E,QAAM,UAAU,WAAW,CAAC,KAAK;AACjC,MAAI,QAAQ,SAAS,EAAG,QAAO;AAC/B,MAAI,iBAAiB,KAAK,KAAK,EAAG,QAAO;AACzC,QAAM,IAAI,MAAM,yBAAyB,KAAK,sCAAsC;AACtF;AAGA,IAAM,wBAA6E;AAAA,EACjF,CAAC,CAAC,gBAAgB,GAAG,MAAM;AAAA,EAC3B,CAAC,CAAC,WAAW,GAAG,MAAM;AAAA,EACtB,CAAC,CAAC,qBAAqB,cAAc,GAAG,KAAK;AAAA,EAC7C,CAAC,CAAC,YAAY,GAAG,OAAO;AAAA,EACxB,CAAC,CAAC,QAAQ,GAAG,IAAI;AAAA,EACjB,CAAC,CAAC,oBAAoB,gBAAgB,GAAG,KAAK;AAAA,EAC9C,CAAC,CAAC,SAAS,GAAG,SAAS;AAAA,EACvB,CAAC,CAAC,SAAS,GAAG,OAAO;AAAA,EACrB,CAAC,CAAC,gBAAgB,kBAAkB,GAAG,QAAQ;AACjD;AAGO,SAAS,qBAAqB,SAA2C;AAC9E,aAAW,CAAC,OAAO,OAAO,KAAK,uBAAuB;AACpD,QAAI,MAAM,KAAK,CAAC,MAAM,QAAQ,SAAS,CAAC,CAAC,EAAG,QAAO;AAAA,EACrD;AACA,SAAO;AACT;AAGO,SAAS,iBAAiB,SAA2C;AAC1E,MAAI,QAAQ,SAAS,SAAS,EAAG,QAAO;AACxC,MAAI,QAAQ,SAAS,gBAAgB,EAAG,QAAO;AAC/C,MAAI,QAAQ,SAAS,aAAa,EAAG,QAAO;AAC5C,MAAI,QAAQ,SAAS,WAAW,EAAG,QAAO;AAC1C,MAAI,QAAQ,SAAS,aAAa,EAAG,QAAO;AAC5C,MAAI,QAAQ,SAAS,qBAAqB,EAAG,QAAO;AACpD,MAAI,QAAQ,SAAS,WAAW,EAAG,QAAO;AAC1C,SAAO;AACT;AAGA,IAAM,6BAAuE;AAAA,EAC3E,CAAC,WAAW,SAAS;AAAA,EACrB,CAAC,UAAU,QAAQ;AAAA,EACnB,CAAC,SAAS,OAAO;AAAA,EACjB,CAAC,QAAQ,MAAM;AACjB;AAGA,SAAS,uBACP,iBACA,UACmB;AACnB,QAAM,UAAU,gBAAgB,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AAC1D,QAAM,QAAkB,CAAC;AACzB,aAAW,CAAC,SAAS,IAAI,KAAK,4BAA4B;AACxD,QAAI,CAAC,SAAS,SAAS,IAAI,KAAK,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,OAAO,CAAC,GAAG;AACxE,YAAM,KAAK,IAAI;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,sBACd,SACA,iBACmB;AACnB,QAAM,QAAkB,CAAC;AACzB,MAAI,QAAQ,SAAS,cAAc,KAAK,QAAQ,SAAS,UAAU,EAAG,OAAM,KAAK,SAAS;AAC1F,MAAI,QAAQ,SAAS,OAAO,EAAG,OAAM,KAAK,MAAM;AAChD,MAAI,QAAQ,SAAS,aAAa,EAAG,OAAM,KAAK,iBAAiB;AACjE,MAAI,QAAQ,SAAS,aAAa,EAAG,OAAM,KAAK,OAAO;AACvD,MAAI,QAAQ,SAAS,YAAY,EAAG,OAAM,KAAK,YAAY;AAC3D,MAAI,oBAAoB,QAAW;AACjC,UAAM,KAAK,GAAG,uBAAuB,iBAAiB,KAAK,CAAC;AAAA,EAC9D;AACA,SAAO;AACT;AAGO,SAAS,gBAAgB,SAA2C;AACzE,MAAI,QAAQ,SAAS,eAAe,KAAK,QAAQ,SAAS,sBAAsB;AAC9E,WAAO;AACT,MAAI,QAAQ,SAAS,gBAAgB,KAAK,QAAQ,SAAS,gBAAgB,EAAG,QAAO;AACrF,MAAI,QAAQ,SAAS,cAAc,EAAG,QAAO;AAC7C,MAAI,QAAQ,SAAS,gBAAgB,KAAK,QAAQ,SAAS,gBAAgB,EAAG,QAAO;AACrF,MAAI,QAAQ,SAAS,eAAe,KAAK,QAAQ,SAAS,cAAc,EAAG,QAAO;AAClF,SAAO;AACT;AAGA,IAAM,YAAiE;AAAA,EACrE,CAAC,CAAC,aAAa,GAAG,uBAAuB;AAAA,EACzC,CAAC,CAAC,YAAY,GAAG,oBAAoB;AAAA,EACrC,CAAC,CAAC,WAAW,YAAY,GAAG,iBAAiB;AAAA,EAC7C;AAAA,IACE,CAAC,gBAAgB,YAAY,eAAe,OAAO;AAAA,IACnD;AAAA,EACF;AAAA;AAAA,EAEA,CAAC,CAAC,YAAY,GAAG,oBAAoB;AACvC;AAQA,IAAM,0BAAsE;AAAA,EAC1E,YAAY;AAAA,IACV,MAAM,CAAC,oCAAoC,wBAAwB;AAAA,IACnE,KAAK,CAAC,eAAe,WAAW;AAAA,EAClC;AAAA,EACA,YAAY;AAAA,IACV,MAAM,CAAC,oCAAoC,wBAAwB;AAAA,IACnE,KAAK,CAAC,eAAe,WAAW;AAAA,EAClC;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,sBAAsB,QAAQ;AAAA,IACrC,KAAK,CAAC,eAAe,WAAW;AAAA,EAClC;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,oBAAoB,0BAA0B;AAAA,IACrD,KAAK,CAAC,eAAe,wBAAwB;AAAA,EAC/C;AAAA,EACA,IAAI;AAAA,IACF,MAAM,CAAC,sBAAsB,OAAO;AAAA,IACpC,KAAK,CAAC,eAAe,aAAa;AAAA,EACpC;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,kBAAkB;AAAA,IACzB,KAAK,CAAC,eAAe,aAAa;AAAA,EACpC;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,iBAAiB,UAAU;AAAA,IAClC,KAAK,CAAC,aAAa;AAAA,EACrB;AAAA,EACA,GAAG;AAAA,IACD,MAAM,CAAC,iBAAiB,UAAU;AAAA,IAClC,KAAK,CAAC,aAAa;AAAA,EACrB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,sBAAsB,QAAQ;AAAA,IACrC,KAAK,CAAC,eAAe,wBAAwB;AAAA,EAC/C;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,mBAAmB;AAAA,IAC1B,KAAK,CAAC,aAAa;AAAA,EACrB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,oBAAoB,UAAU;AAAA,IACrC,KAAK,CAAC,eAAe,eAAe;AAAA,EACtC;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,mBAAmB,SAAS;AAAA,IACnC,KAAK,CAAC,eAAe,gBAAgB;AAAA,EACvC;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,oBAAoB,YAAY;AAAA,IACvC,KAAK,CAAC;AAAA,EACR;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,yBAAyB,OAAO;AAAA,IACvC,KAAK,CAAC,aAAa;AAAA,EACrB;AACF;AAGO,SAAS,2BACd,UACA,iBACmB;AACnB,MAAI,aAAa,KAAM,QAAO,CAAC;AAC/B,QAAM,WAAW,wBAAwB,QAAQ;AACjD,MAAI,aAAa,OAAW,QAAO,CAAC;AAEpC,QAAM,UAAU,gBAAgB,SAAS,SAAS,KAAK,gBAAgB,SAAS,MAAM;AACtF,QAAM,SACJ,gBAAgB,SAAS,aAAa,KACtC,gBAAgB,SAAS,OAAO,KAChC,gBAAgB,SAAS,MAAM;AAEjC,QAAM,OAAiB,CAAC;AACxB,MAAI,CAAC,WAAW,SAAS,KAAK,SAAS,GAAG;AACxC,UAAM,QAAQ,SAAS,KAAK,KAAK,IAAI;AACrC,SAAK,KAAK,GAAG,QAAQ,0BAA0B,KAAK,EAAE;AAAA,EACxD;AACA,MAAI,CAAC,UAAU,SAAS,IAAI,SAAS,GAAG;AACtC,UAAM,QAAQ,SAAS,IAAI,KAAK,IAAI;AACpC,SAAK,KAAK,GAAG,QAAQ,yBAAyB,KAAK,EAAE;AAAA,EACvD;AACA,SAAO;AACT;AAGA,IAAM,aAAa,oBAAI,IAAI,CAAC,WAAW,UAAU,MAAM,CAAC;AACxD,IAAM,eAAe;AAGrB,SAAS,4BAA4B,MAAgB,UAAmC;AACtF,MAAI,SAAS,KAAK,CAAC,MAAM,WAAW,IAAI,CAAC,CAAC,GAAG;AAC3C,UAAM,MAAM,KAAK,QAAQ,YAAY;AACrC,QAAI,QAAQ,GAAI,MAAK,OAAO,KAAK,CAAC;AAAA,EACpC;AACF;AAGO,SAAS,aACd,SACA,YACA,UACA,iBACmB;AACnB,QAAM,OAAiB,CAAC;AACxB,MAAI,eAAe,KAAM,MAAK,KAAK,iCAAiC;AACpE,aAAW,CAAC,OAAO,OAAO,KAAK,WAAW;AACxC,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,QAAQ,SAAS,CAAC,CAAC,EAAG,MAAK,KAAK,OAAO;AAAA,EAChE;AAEA,MAAI,CAAC,gBAAgB,OAAO,EAAG,MAAK,KAAK,4BAA4B;AAGrE,8BAA4B,MAAM,mBAAmB,CAAC,CAAC;AAGvD,QAAM,mBAAmB,KAAK,SAAS,0CAA0C;AACjF,MACE,oBACA,aAAa,QACb,aAAa,UACb,oBAAoB,QACpB;AACA,UAAM,WAAW,2BAA2B,UAAU,eAAe;AACrE,SAAK,KAAK,GAAG,QAAQ;AAAA,EACvB;AAEA,SAAO;AACT;AAkBO,SAAS,YACd,UACA,iBACA,iBACc;AACd,QAAM,aAAa,iBAAiB,eAAe;AACnD,QAAM,aAAa,sBAAsB,iBAAiB,eAAe;AACzE,QAAM,WAAW,gBAAgB,eAAe;AAEhD,SAAO;AAAA,IACL,MAAM,SAAS;AAAA,IACf,UAAU,SAAS;AAAA,IACnB,WAAW,gBAAgB,eAAe;AAAA,IAC1C,gBAAgB,qBAAqB,eAAe;AAAA,IACpD;AAAA,IACA,iBAAiB;AAAA;AAAA;AAAA;AAAA,IAIjB,eACE,gBAAgB,KAAK,CAAC,MAAM,MAAM,gBAAgB,EAAE,WAAW,aAAa,CAAC,KAC7E,gBAAgB,SAAS,oBAAoB,KAC7C,gBAAgB,SAAS,qBAAqB;AAAA,IAChD,eACE,gBAAgB,SAAS,YAAY,KACrC,gBAAgB,SAAS,QAAQ,KACjC,gBAAgB,SAAS,MAAM;AAAA,IACjC,aAAa,gBAAgB,SAAS,UAAU;AAAA,IAChD;AAAA,IACA,SAAS,SAAS,SAAS,WAAW;AAAA,IACtC,aAAa,SAAS;AAAA,IACtB,eAAe,SAAS;AAAA,IACxB,OAAO,SAAS;AAAA,IAChB,iBAAiB,CAAC,GAAG,eAAe;AAAA,IACpC,MAAM,aAAa,iBAAiB,YAAY,SAAS,UAAU,UAAU;AAAA,EAC/E;AACF;AAGA,IAAM,mBAAmB,oBAAI,IAAI;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGD,SAAS,sBACP,WACA,UACe;AACf,QAAM,SAAS,OAAO,QAAQ,SAAS,EACpC,OAAO,CAAC,CAAC,IAAI,MAAM,CAAC,iBAAiB,IAAI,IAAI,CAAC,EAC9C,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;AAC7B,QAAM,MAAM,OAAO,CAAC;AACpB,SAAO,QAAQ,SAAY,IAAI,CAAC,IAAI;AACtC;AAGA,SAAS,gBAAgB,SAAqC;AAC5D,QAAM,WAAW,CAAC,SAAS,QAAQ,aAAa,MAAM;AACtD,MAAI,SAAS,KAAK,CAAC,MAAM,QAAQ,SAAS,CAAC,CAAC,EAAG,QAAO;AAEtD,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,YAAY,KAAK,CAAC,MAAM,QAAQ,SAAS,CAAC,CAAC,EAAG,QAAO;AAEzD,SAAO,QAAQ,SAAS,UAAU,KAAK,QAAQ,SAAS,cAAc;AACxE;AAGA,SAAS,yBACP,SACA,UACe;AACf,MAAI,QAAQ,SAAS,eAAe,EAAG,QAAO;AAC9C,MAAI,QAAQ,SAAS,YAAY,EAAG,QAAO;AAC3C,MAAI,QAAQ,SAAS,QAAQ,EAAG,QAAO;AACvC,MAAI,QAAQ,SAAS,gBAAgB,KAAK,QAAQ,SAAS,UAAU,EAAG,QAAO;AAC/E,MAAI,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,cAAc,EAAG,QAAO;AAC5E,MAAI,QAAQ,SAAS,SAAS,EAAG,QAAO;AACxC,MAAI,QAAQ,SAAS,cAAc,EAAG,QAAO;AAC7C,SAAO;AACT;AASA,eAAe,cAAmC;AAChD,QAAM,EAAE,SAAS,IAAI,MAAM,OAAO,eAAoB;AACtD,QAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAW;AAC9C,SAAO,UAAU,QAAQ;AAC3B;AAGA,eAAe,cACb,QACA,MAC0D;AAC1D,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM;AAAA,IACjC;AAAA,IACA;AAAA,MACE;AAAA,MACA,SAAS,MAAM;AAAA,MACf;AAAA,MACA;AAAA,IACF;AAAA,IACA,EAAE,SAAS,IAAO;AAAA,EACpB;AACA,MAAI;AACJ,MAAI;AACF,eAAW,KAAK,MAAM,SAAS,KAAK,CAAC;AAAA,EACvC,QAAQ;AACN,UAAM,IAAI,MAAM,qCAAqC,MAAM,KAAK,SAAS,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,EAC1F;AACA,QAAM,EAAE,QAAQ,aAAa,IAAI,MAAM;AAAA,IACrC;AAAA,IACA,CAAC,OAAO,SAAS,MAAM,aAAa,QAAQ,YAAY;AAAA,IACxD,EAAE,SAAS,IAAO;AAAA,EACpB;AACA,MAAI;AACJ,MAAI;AACF,UAAM,SAAkB,KAAK,MAAM,aAAa,KAAK,CAAC;AACtD,cAAU,MAAM,QAAQ,MAAM,IAAI,OAAO,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ,IAAI,CAAC;AAAA,EAChG,QAAQ;AACN,UAAM,IAAI,MAAM,qCAAqC,MAAM,KAAK,aAAa,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,EAC9F;AACA,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAGA,eAAe,eAAe,QAAgB,MAA0C;AACtF,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,MAAM;AAAA,MACvB;AAAA,MACA,CAAC,OAAO,SAAS,MAAM,YAAY,QAAQ,kBAAkB;AAAA,MAC7D,EAAE,SAAS,KAAO;AAAA,IACpB;AACA,UAAM,SAAS,OAAO,KAAK;AAC3B,QAAI,WAAW,MAAM,WAAW,UAAU,WAAW,eAAe;AAClE,aAAO;AAAA,IACT;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAGA,eAAe,gBACb,QACA,SACA,UACA,MACwB;AACxB,MAAI,YAAoC,CAAC;AACzC,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,MAAM,CAAC,OAAO,SAAS,MAAM,YAAY,GAAG,EAAE,SAAS,KAAO,CAAC;AAC7F,gBAAY,KAAK,MAAM,OAAO,KAAK,CAAC;AAAA,EACtC,QAAQ;AAAA,EAER;AACA,QAAM,UAAU,sBAAsB,WAAW,SAAS,QAAQ;AAClE,MAAI,YAAY,QAAQ,iBAAiB,IAAI,OAAO,GAAG;AACrD,WAAO,yBAAyB,SAAS,OAAO;AAAA,EAClD;AACA,SAAO;AACT;AAGA,eAAe,qBAAqB,QAAgB,MAA8C;AAChG,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,MAAM;AAAA,MACvB;AAAA,MACA,CAAC,OAAO,SAAS,MAAM,+BAA+B,QAAQ,YAAY;AAAA,MAC1E,EAAE,SAAS,KAAO;AAAA,IACpB;AACA,UAAM,SAAkB,KAAK,MAAM,OAAO,KAAK,CAAC;AAChD,WAAO,MAAM,QAAQ,MAAM,IAAI,OAAO,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ,IAAI,CAAC;AAAA,EAC7F,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAGA,eAAsB,kBAAkB,OAAgD;AACtF,QAAM,SAAS,gBAAgB,MAAM,IAAI;AACzC,QAAM,OAAO,MAAM,YAAY;AAC/B,QAAM,EAAE,UAAU,QAAQ,IAAI,MAAM,cAAc,QAAQ,IAAI;AAE9D,QAAM,cAAc,MAAM,gBAAgB,QAAQ,SAAS,UAAU,IAAI;AACzE,QAAM,WAAW,EAAE,GAAG,UAAU,UAAU,YAAY;AAGtD,QAAM,iBAAiB,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,YAAY;AACnF,QAAM,oBAAoB,SAAS,YAAY,QAAQ,SAAS,QAAQ,YAAY;AACpF,MAAI,qBAAqB,gBAAgB;AACvC,UAAM,WAAW,MAAM,eAAe,QAAQ,IAAI;AAClD,QAAI,aAAa,KAAM,UAAS,UAAU,EAAE,SAAS,SAAS;AAAA,EAChE;AAGA,QAAM,kBAAkB,QAAQ,SAAS,SAAS,IAC9C,MAAM,qBAAqB,QAAQ,IAAI,IACvC,CAAC;AAEL,SAAO,YAAY,UAAU,SAAS,eAAe;AACvD;","names":[]}

package/dist/{chunk-FGQOGLHQ.js → chunk-K446R3BC.js}

@@ -53,10 +53,10 @@ import {
 } from "./chunk-ERWXGXV2.js";
 import {
   generateSecurityPlan
-} from "./chunk-ZKOBXAPK.js";
+} from "./chunk-WXVN4K3D.js";
 import {
   analyzeGitHubRepo
-} from "./chunk-BC3M4VLP.js";
+} from "./chunk-BMOPMCFZ.js";
 import {
   CodebaseIndex
 } from "./chunk-AP2FD37C.js";
@@ -70,7 +70,7 @@ import {
   clampTaskTtl,
   getAvailabilityCache,
   resolveFallback
-} from "./chunk-EVI46ZGG.js";
+} from "./chunk-LTUUW3FN.js";
 import {
   DEFAULTS
 } from "./chunk-YQMQSJQK.js";
@@ -1521,6 +1521,10 @@ var BaseAgentOptionsSchema = z4.object({
     "pm_expert",
     "ux_expert",
     "infrastructure_expert",
+    "qa_expert",
+    // #2715 — was missing from this Zod copy; canonical AgentRole has it
+    "data_visualization_expert",
+    // #2715 — same
     "thinker",
     "worker",
     "verifier",
@@ -10603,17 +10607,7 @@ function createManyExperts(configs, options) {
   return ok(experts);
 }
 function createAllBuiltInExperts(options) {
-  const types = [
-    "code",
-    "architecture",
-    "security",
-    "documentation",
-    "testing",
-    "devops",
-    "research",
-    "pm",
-    "ux"
-  ];
+  const types = Object.keys(BUILT_IN_EXPERTS);
   const experts = [];
   for (const type of types) {
     const result = createBuiltInExpert(type, options);
@@ -28397,9 +28391,6 @@ function delegateInputToTaskContract(input) {
   if (input.billing_mode !== void 0) {
     metadata["billingMode"] = input.billing_mode;
   }
-  if (input.estimate_tokens === true) {
-    metadata["estimateTokens"] = true;
-  }
   return buildBaseTaskContract({
     idPrefix: "delegate",
     task: input.task,
@@ -33599,7 +33590,12 @@ var DelegateInputSchema = z56.object({
   task: z56.string().min(1).max(5e4).describe("Task to execute or analyze"),
   preferred_capability: z56.enum(["reasoning", "context", "speed", "code"]).optional().describe("Preferred capability for routing: reasoning, context, speed, or code"),
   model_hint: z56.string().max(100).optional().describe("Explicit model preference (e.g., claude-opus, gemini-pro)"),
-  estimate_tokens: z56.boolean().optional().default(false).describe("If true, return token estimate only without execution"),
+  // estimate_tokens flag removed (#2723). The field was declared in two schemas
+  // (here and in TOOL_SCHEMA below) but never read by any consumer — calling
+  // `delegate_to_model { estimate_tokens: true }` returned the full routing
+  // decision identical to omitting the flag. The output already carries
+  // `estimated_tokens` so the use case the flag advertised is satisfied
+  // without the flag.
   billing_mode: z56.enum(["plan", "api"]).optional().describe("Billing mode: plan (monthly subscription, ignore cost) or api (pay-per-token)")
 });
 var DelegateOutputSchema = z56.object({
@@ -33696,7 +33692,7 @@ var TOOL_SCHEMA = {
   task: z56.string().min(1).max(5e4).describe("Task to execute or analyze"),
   preferred_capability: z56.enum(["reasoning", "context", "speed", "code"]).optional().describe("Preferred capability for routing"),
   model_hint: z56.string().max(100).optional().describe("Explicit model preference"),
-  estimate_tokens: z56.boolean().optional().describe("Return token estimate only"),
+  // estimate_tokens removed (#2723) — see comment above on DelegateInputSchema.
   billing_mode: z56.enum(["plan", "api"]).optional().describe("Billing mode for cost handling")
 };
 
@@ -40556,11 +40552,18 @@ function classifyTraceError(err2) {
   }
   return "unknown";
 }
-function sanitizeErrorMessage(err2) {
-  if (err2 instanceof Error) {
-    return err2.message.replace(/\/[^\s:]+/g, "<path>");
+function userFacingTraceError(err2, runId) {
+  const category = classifyTraceError(err2);
+  switch (category) {
+    case "not_found":
+      return `No trace file for runId '${runId}'`;
+    case "permission_error":
+      return `Permission denied reading trace for runId '${runId}'`;
+    case "parse_error":
+      return `Trace file for runId '${runId}' is malformed (invalid JSONL)`;
+    default:
+      return "Failed to read trace";
   }
-  return "An unexpected error occurred";
 }
 function parseJsonlLines(content) {
   return content.trim().split("\n").filter(Boolean).flatMap((line) => {
@@ -40605,7 +40608,7 @@ async function queryTraceFromDisk(input, runsDir) {
     };
   } catch (err2) {
     const category = classifyTraceError(err2);
-    const message = sanitizeErrorMessage(err2);
+    const message = userFacingTraceError(err2, input.runId);
     if (category === "not_found") {
       traceLogger.debug("Trace file not found", { runId: input.runId });
     } else {
@@ -43749,7 +43752,7 @@ function createAnalyzeStageWrapper() {
             true
           );
         }
-        const { analyzeGitHubRepo: analyzeGitHubRepo2 } = await import("./repo-analyze-HWMXSK5C.js");
+        const { analyzeGitHubRepo: analyzeGitHubRepo2 } = await import("./repo-analyze-QGLXEFVJ.js");
         const analysis = await analyzeGitHubRepo2({ repo: slug, depth: "deep" });
         const summary = `Language: ${String(analysis.language)}, Framework: ${String(analysis.framework)}, CI: ${String(analysis.ciProvider)}, Security: ${analysis.securityTooling.join(", ") || "none"}`;
         ctx.sharedMemory.write("analyze", "discovery", { slug, analysis: summary });
@@ -43769,7 +43772,7 @@ function createScanStageWrapper() {
       try {
         const slug = ctx.task.match(/([a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+)/)?.[1];
         if (slug !== void 0) {
-          const { generateSecurityPlan: generateSecurityPlan2 } = await import("./repo-security-plan-EIL2BV3S.js");
+          const { generateSecurityPlan: generateSecurityPlan2 } = await import("./repo-security-plan-X5CRZ2YY.js");
           const plan = await generateSecurityPlan2({ repo: slug, maxScanners: 10 });
           const recs = plan.recommendations.slice(0, 5).map((r) => `${r.priority}: ${r.displayName} (${r.category})`).join("; ");
           ctx.sharedMemory.write("scan", "decision", { recommendations: recs });
@@ -45668,7 +45671,7 @@ var PipelineInputSchema = z97.object({
   task: z97.string().min(5).max(1e4).describe("Task description \u2014 pipeline template auto-selected based on content"),
   /** Path to a spec file (.md, .yaml) to use as task input. */
   specFile: z97.string().max(500).optional().describe("Path to a spec file \u2014 content prepended to task for greenfield projects"),
-  /** Override template (dev, research, audit, greenfield). Auto-detected if omitted. */
+  /** Override template — see `listTemplateIds()` for the canonical list (#2728). Auto-detected if omitted. */
   template: z97.string().max(50).optional().describe(`Pipeline template override. Available: ${listTemplateIds().join(", ")}`),
   /** Voting strategy for consensus stages. */
   votingStrategy: z97.enum([
@@ -45734,7 +45737,7 @@ function selectStageRegistry(template, task, agentStages) {
   }
   return createDevStageRegistry(agentStages);
 }
-var RUN_PIPELINE_DESCRIPTION = "Single unified entry point for all pipeline templates (dev/research/audit/greenfield). Auto-detects template from task content or accepts an explicit override.";
+var RUN_PIPELINE_DESCRIPTION = `Single unified entry point for all pipeline templates (${listTemplateIds().join("/")}). Auto-detects template from task content or accepts an explicit override.`;
 function registerPipelineTool(server, _deps) {
   server.registerTool(
     "run_pipeline",
@@ -50007,4 +50010,4 @@ export {
   detectBackend,
   createTaskTracker
 };
-//# sourceMappingURL=chunk-FGQOGLHQ.js.map
+//# sourceMappingURL=chunk-K446R3BC.js.map