opencode-swarm 6.9.0 → 6.10.0

package/dist/index.js

@@ -29198,6 +29198,7 @@ var init_dist = __esm(() => {
 });
 
 // src/tools/lint.ts
+import * as path10 from "path";
 function validateArgs(args2) {
   if (typeof args2 !== "object" || args2 === null)
     return false;
@@ -29208,17 +29209,20 @@ function validateArgs(args2) {
 }
 function getLinterCommand(linter, mode) {
   const isWindows = process.platform === "win32";
+  const binDir = path10.join(process.cwd(), "node_modules", ".bin");
+  const biomeBin = isWindows ? path10.join(binDir, "biome.EXE") : path10.join(binDir, "biome");
+  const eslintBin = isWindows ? path10.join(binDir, "eslint.cmd") : path10.join(binDir, "eslint");
   switch (linter) {
     case "biome":
       if (mode === "fix") {
-        return isWindows ? ["npx", "biome", "check", "--write", "."] : ["npx", "biome", "check", "--write", "."];
+        return isWindows ? [biomeBin, "check", "--write", "."] : [biomeBin, "check", "--write", "."];
       }
-      return isWindows ? ["npx", "biome", "check", "."] : ["npx", "biome", "check", "."];
+      return isWindows ? [biomeBin, "check", "."] : [biomeBin, "check", "."];
     case "eslint":
       if (mode === "fix") {
-        return isWindows ? ["npx", "eslint", ".", "--fix"] : ["npx", "eslint", ".", "--fix"];
+        return isWindows ? [eslintBin, ".", "--fix"] : [eslintBin, ".", "--fix"];
       }
-      return isWindows ? ["npx", "eslint", "."] : ["npx", "eslint", "."];
+      return isWindows ? [eslintBin, "."] : [eslintBin, "."];
   }
 }
 async function detectAvailableLinter() {
@@ -29346,7 +29350,7 @@ var init_lint = __esm(() => {
 
 // src/tools/secretscan.ts
 import * as fs6 from "fs";
-import * as path10 from "path";
+import * as path11 from "path";
 function calculateShannonEntropy(str) {
   if (str.length === 0)
     return 0;
@@ -29373,7 +29377,7 @@ function isHighEntropyString(str) {
 function containsPathTraversal(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
-  const normalized = path10.normalize(str);
+  const normalized = path11.normalize(str);
   if (/\.\.[/\\]/.test(normalized))
     return true;
   if (str.includes("%2e%2e") || str.includes("%2E%2E"))
@@ -29401,7 +29405,7 @@ function validateDirectoryInput(dir) {
   return null;
 }
 function isBinaryFile(filePath, buffer) {
-  const ext = path10.extname(filePath).toLowerCase();
+  const ext = path11.extname(filePath).toLowerCase();
   if (DEFAULT_EXCLUDE_EXTENSIONS.has(ext)) {
     return true;
   }
@@ -29538,9 +29542,9 @@ function isSymlinkLoop(realPath, visited) {
   return false;
 }
 function isPathWithinScope(realPath, scanDir) {
-  const resolvedScanDir = path10.resolve(scanDir);
-  const resolvedRealPath = path10.resolve(realPath);
-  return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path10.sep) || resolvedRealPath.startsWith(resolvedScanDir + "/") || resolvedRealPath.startsWith(resolvedScanDir + "\\");
+  const resolvedScanDir = path11.resolve(scanDir);
+  const resolvedRealPath = path11.resolve(realPath);
+  return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path11.sep) || resolvedRealPath.startsWith(resolvedScanDir + "/") || resolvedRealPath.startsWith(resolvedScanDir + "\\");
 }
 function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
   skippedDirs: 0,
@@ -29570,7 +29574,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
       stats.skippedDirs++;
       continue;
     }
-    const fullPath = path10.join(dir, entry);
+    const fullPath = path11.join(dir, entry);
     let lstat;
     try {
       lstat = fs6.lstatSync(fullPath);
@@ -29601,7 +29605,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
       const subFiles = findScannableFiles(fullPath, excludeDirs, scanDir, visited, stats);
       files.push(...subFiles);
     } else if (lstat.isFile()) {
-      const ext = path10.extname(fullPath).toLowerCase();
+      const ext = path11.extname(fullPath).toLowerCase();
       if (!DEFAULT_EXCLUDE_EXTENSIONS.has(ext)) {
         files.push(fullPath);
       } else {
@@ -29867,7 +29871,7 @@ var init_secretscan = __esm(() => {
         }
       }
       try {
-        const scanDir = path10.resolve(directory);
+        const scanDir = path11.resolve(directory);
         if (!fs6.existsSync(scanDir)) {
           const errorResult = {
             error: "directory not found",
@@ -29996,7 +30000,7 @@ var init_secretscan = __esm(() => {
 
 // src/tools/test-runner.ts
 import * as fs7 from "fs";
-import * as path11 from "path";
+import * as path12 from "path";
 function containsPathTraversal2(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
@@ -30090,7 +30094,7 @@ function hasDevDependency(devDeps, ...patterns) {
 }
 async function detectTestFramework() {
   try {
-    const packageJsonPath = path11.join(process.cwd(), "package.json");
+    const packageJsonPath = path12.join(process.cwd(), "package.json");
     if (fs7.existsSync(packageJsonPath)) {
       const content = fs7.readFileSync(packageJsonPath, "utf-8");
       const pkg = JSON.parse(content);
@@ -30111,16 +30115,16 @@ async function detectTestFramework() {
         return "jest";
       if (hasDevDependency(devDeps, "mocha", "@types/mocha"))
         return "mocha";
-      if (fs7.existsSync(path11.join(process.cwd(), "bun.lockb")) || fs7.existsSync(path11.join(process.cwd(), "bun.lock"))) {
+      if (fs7.existsSync(path12.join(process.cwd(), "bun.lockb")) || fs7.existsSync(path12.join(process.cwd(), "bun.lock"))) {
         if (scripts.test?.includes("bun"))
           return "bun";
       }
     }
   } catch {}
   try {
-    const pyprojectTomlPath = path11.join(process.cwd(), "pyproject.toml");
-    const setupCfgPath = path11.join(process.cwd(), "setup.cfg");
-    const requirementsTxtPath = path11.join(process.cwd(), "requirements.txt");
+    const pyprojectTomlPath = path12.join(process.cwd(), "pyproject.toml");
+    const setupCfgPath = path12.join(process.cwd(), "setup.cfg");
+    const requirementsTxtPath = path12.join(process.cwd(), "requirements.txt");
     if (fs7.existsSync(pyprojectTomlPath)) {
       const content = fs7.readFileSync(pyprojectTomlPath, "utf-8");
       if (content.includes("[tool.pytest"))
@@ -30140,7 +30144,7 @@ async function detectTestFramework() {
     }
   } catch {}
   try {
-    const cargoTomlPath = path11.join(process.cwd(), "Cargo.toml");
+    const cargoTomlPath = path12.join(process.cwd(), "Cargo.toml");
     if (fs7.existsSync(cargoTomlPath)) {
       const content = fs7.readFileSync(cargoTomlPath, "utf-8");
       if (content.includes("[dev-dependencies]")) {
@@ -30151,9 +30155,9 @@ async function detectTestFramework() {
     }
   } catch {}
   try {
-    const pesterConfigPath = path11.join(process.cwd(), "pester.config.ps1");
-    const pesterConfigJsonPath = path11.join(process.cwd(), "pester.config.ps1.json");
-    const pesterPs1Path = path11.join(process.cwd(), "tests.ps1");
+    const pesterConfigPath = path12.join(process.cwd(), "pester.config.ps1");
+    const pesterConfigJsonPath = path12.join(process.cwd(), "pester.config.ps1.json");
+    const pesterPs1Path = path12.join(process.cwd(), "tests.ps1");
     if (fs7.existsSync(pesterConfigPath) || fs7.existsSync(pesterConfigJsonPath) || fs7.existsSync(pesterPs1Path)) {
       return "pester";
     }
@@ -30167,8 +30171,8 @@ function hasCompoundTestExtension(filename) {
 function getTestFilesFromConvention(sourceFiles) {
   const testFiles = [];
   for (const file3 of sourceFiles) {
-    const basename2 = path11.basename(file3);
-    const dirname4 = path11.dirname(file3);
+    const basename2 = path12.basename(file3);
+    const dirname4 = path12.dirname(file3);
     if (hasCompoundTestExtension(basename2) || basename2.includes(".spec.") || basename2.includes(".test.")) {
       if (!testFiles.includes(file3)) {
         testFiles.push(file3);
@@ -30177,13 +30181,13 @@ function getTestFilesFromConvention(sourceFiles) {
     }
     for (const pattern of TEST_PATTERNS) {
       const nameWithoutExt = basename2.replace(/\.[^.]+$/, "");
-      const ext = path11.extname(basename2);
+      const ext = path12.extname(basename2);
       const possibleTestFiles = [
-        path11.join(dirname4, `${nameWithoutExt}.spec${ext}`),
-        path11.join(dirname4, `${nameWithoutExt}.test${ext}`),
-        path11.join(dirname4, "__tests__", `${nameWithoutExt}${ext}`),
-        path11.join(dirname4, "tests", `${nameWithoutExt}${ext}`),
-        path11.join(dirname4, "test", `${nameWithoutExt}${ext}`)
+        path12.join(dirname4, `${nameWithoutExt}.spec${ext}`),
+        path12.join(dirname4, `${nameWithoutExt}.test${ext}`),
+        path12.join(dirname4, "__tests__", `${nameWithoutExt}${ext}`),
+        path12.join(dirname4, "tests", `${nameWithoutExt}${ext}`),
+        path12.join(dirname4, "test", `${nameWithoutExt}${ext}`)
       ];
       for (const testFile of possibleTestFiles) {
         if (fs7.existsSync(testFile) && !testFiles.includes(testFile)) {
@@ -30203,15 +30207,15 @@ async function getTestFilesFromGraph(sourceFiles) {
   for (const testFile of candidateTestFiles) {
     try {
       const content = fs7.readFileSync(testFile, "utf-8");
-      const testDir = path11.dirname(testFile);
+      const testDir = path12.dirname(testFile);
       const importRegex = /import\s+.*?\s+from\s+['"]([^'"]+)['"]/g;
       let match;
       while ((match = importRegex.exec(content)) !== null) {
         const importPath = match[1];
         let resolvedImport;
         if (importPath.startsWith(".")) {
-          resolvedImport = path11.resolve(testDir, importPath);
-          const existingExt = path11.extname(resolvedImport);
+          resolvedImport = path12.resolve(testDir, importPath);
+          const existingExt = path12.extname(resolvedImport);
           if (!existingExt) {
             for (const extToTry of [
               ".ts",
@@ -30231,12 +30235,12 @@ async function getTestFilesFromGraph(sourceFiles) {
         } else {
           continue;
         }
-        const importBasename = path11.basename(resolvedImport, path11.extname(resolvedImport));
-        const importDir = path11.dirname(resolvedImport);
+        const importBasename = path12.basename(resolvedImport, path12.extname(resolvedImport));
+        const importDir = path12.dirname(resolvedImport);
         for (const sourceFile of sourceFiles) {
-          const sourceDir = path11.dirname(sourceFile);
-          const sourceBasename = path11.basename(sourceFile, path11.extname(sourceFile));
-          const isRelatedDir = importDir === sourceDir || importDir === path11.join(sourceDir, "__tests__") || importDir === path11.join(sourceDir, "tests") || importDir === path11.join(sourceDir, "test");
+          const sourceDir = path12.dirname(sourceFile);
+          const sourceBasename = path12.basename(sourceFile, path12.extname(sourceFile));
+          const isRelatedDir = importDir === sourceDir || importDir === path12.join(sourceDir, "__tests__") || importDir === path12.join(sourceDir, "tests") || importDir === path12.join(sourceDir, "test");
           if (resolvedImport === sourceFile || importBasename === sourceBasename && isRelatedDir) {
             if (!testFiles.includes(testFile)) {
               testFiles.push(testFile);
@@ -30249,8 +30253,8 @@ async function getTestFilesFromGraph(sourceFiles) {
       while ((match = requireRegex.exec(content)) !== null) {
         const importPath = match[1];
         if (importPath.startsWith(".")) {
-          let resolvedImport = path11.resolve(testDir, importPath);
-          const existingExt = path11.extname(resolvedImport);
+          let resolvedImport = path12.resolve(testDir, importPath);
+          const existingExt = path12.extname(resolvedImport);
           if (!existingExt) {
             for (const extToTry of [
               ".ts",
@@ -30267,12 +30271,12 @@ async function getTestFilesFromGraph(sourceFiles) {
               }
             }
           }
-          const importDir = path11.dirname(resolvedImport);
-          const importBasename = path11.basename(resolvedImport, path11.extname(resolvedImport));
+          const importDir = path12.dirname(resolvedImport);
+          const importBasename = path12.basename(resolvedImport, path12.extname(resolvedImport));
           for (const sourceFile of sourceFiles) {
-            const sourceDir = path11.dirname(sourceFile);
-            const sourceBasename = path11.basename(sourceFile, path11.extname(sourceFile));
-            const isRelatedDir = importDir === sourceDir || importDir === path11.join(sourceDir, "__tests__") || importDir === path11.join(sourceDir, "tests") || importDir === path11.join(sourceDir, "test");
+            const sourceDir = path12.dirname(sourceFile);
+            const sourceBasename = path12.basename(sourceFile, path12.extname(sourceFile));
+            const isRelatedDir = importDir === sourceDir || importDir === path12.join(sourceDir, "__tests__") || importDir === path12.join(sourceDir, "tests") || importDir === path12.join(sourceDir, "test");
             if (resolvedImport === sourceFile || importBasename === sourceBasename && isRelatedDir) {
               if (!testFiles.includes(testFile)) {
                 testFiles.push(testFile);
@@ -30578,7 +30582,7 @@ function findSourceFiles(dir, files = []) {
   for (const entry of entries) {
     if (SKIP_DIRECTORIES.has(entry))
       continue;
-    const fullPath = path11.join(dir, entry);
+    const fullPath = path12.join(dir, entry);
     let stat;
     try {
       stat = fs7.statSync(fullPath);
@@ -30588,7 +30592,7 @@ function findSourceFiles(dir, files = []) {
     if (stat.isDirectory()) {
       findSourceFiles(fullPath, files);
     } else if (stat.isFile()) {
-      const ext = path11.extname(fullPath).toLowerCase();
+      const ext = path12.extname(fullPath).toLowerCase();
       if (SOURCE_EXTENSIONS.has(ext)) {
         files.push(fullPath);
       }
@@ -30695,13 +30699,13 @@ var init_test_runner = __esm(() => {
         testFiles = [];
       } else if (scope === "convention") {
         const sourceFiles = args2.files && args2.files.length > 0 ? args2.files.filter((f) => {
-          const ext = path11.extname(f).toLowerCase();
+          const ext = path12.extname(f).toLowerCase();
           return SOURCE_EXTENSIONS.has(ext);
         }) : findSourceFiles(process.cwd());
         testFiles = getTestFilesFromConvention(sourceFiles);
       } else if (scope === "graph") {
         const sourceFiles = args2.files && args2.files.length > 0 ? args2.files.filter((f) => {
-          const ext = path11.extname(f).toLowerCase();
+          const ext = path12.extname(f).toLowerCase();
           return SOURCE_EXTENSIONS.has(ext);
         }) : findSourceFiles(process.cwd());
         const graphTestFiles = await getTestFilesFromGraph(sourceFiles);
@@ -30724,7 +30728,7 @@ var init_test_runner = __esm(() => {
 
 // src/services/preflight-service.ts
 import * as fs8 from "fs";
-import * as path12 from "path";
+import * as path13 from "path";
 function validateDirectoryPath(dir) {
   if (!dir || typeof dir !== "string") {
     throw new Error("Directory path is required");
@@ -30732,8 +30736,8 @@ function validateDirectoryPath(dir) {
   if (dir.includes("..")) {
     throw new Error("Directory path must not contain path traversal sequences");
   }
-  const normalized = path12.normalize(dir);
-  const absolutePath = path12.isAbsolute(normalized) ? normalized : path12.resolve(normalized);
+  const normalized = path13.normalize(dir);
+  const absolutePath = path13.isAbsolute(normalized) ? normalized : path13.resolve(normalized);
   return absolutePath;
 }
 function validateTimeout(timeoutMs, defaultValue) {
@@ -30756,7 +30760,7 @@ function validateTimeout(timeoutMs, defaultValue) {
 }
 function getPackageVersion(dir) {
   try {
-    const packagePath = path12.join(dir, "package.json");
+    const packagePath = path13.join(dir, "package.json");
     if (fs8.existsSync(packagePath)) {
       const content = fs8.readFileSync(packagePath, "utf-8");
       const pkg = JSON.parse(content);
@@ -30767,7 +30771,7 @@ function getPackageVersion(dir) {
 }
 function getChangelogVersion(dir) {
   try {
-    const changelogPath = path12.join(dir, "CHANGELOG.md");
+    const changelogPath = path13.join(dir, "CHANGELOG.md");
     if (fs8.existsSync(changelogPath)) {
       const content = fs8.readFileSync(changelogPath, "utf-8");
       const match = content.match(/^##\s*\[?(\d+\.\d+\.\d+)\]?/m);
@@ -30781,7 +30785,7 @@ function getChangelogVersion(dir) {
 function getVersionFileVersion(dir) {
   const possibleFiles = ["VERSION.txt", "version.txt", "VERSION", "version"];
   for (const file3 of possibleFiles) {
-    const filePath = path12.join(dir, file3);
+    const filePath = path13.join(dir, file3);
     if (fs8.existsSync(filePath)) {
       try {
         const content = fs8.readFileSync(filePath, "utf-8").trim();
@@ -31362,7 +31366,7 @@ var init_preflight_integration = __esm(() => {
 });
 
 // src/index.ts
-import * as path27 from "path";
+import * as path31 from "path";
 
 // src/config/constants.ts
 var QA_AGENTS = ["reviewer", "critic"];
@@ -31548,6 +31552,9 @@ var GateConfigSchema = exports_external.object({
   build_check: GateFeatureSchema.default({ enabled: true }),
   quality_budget: QualityBudgetConfigSchema
 });
+var PipelineConfigSchema = exports_external.object({
+  parallel_precheck: exports_external.boolean().default(true)
+});
 var SummaryConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true),
   threshold_bytes: exports_external.number().min(1024).max(1048576).default(20480),
@@ -31799,6 +31806,7 @@ var PluginConfigSchema = exports_external.object({
   agents: exports_external.record(exports_external.string(), AgentOverrideConfigSchema).optional(),
   swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
   max_iterations: exports_external.number().min(1).max(10).default(5),
+  pipeline: PipelineConfigSchema.optional(),
   qa_retry_limit: exports_external.number().min(1).max(10).default(3),
   inject_phase_reminders: exports_external.boolean().default(true),
   hooks: HooksConfigSchema.optional(),
@@ -31961,12 +31969,21 @@ You THINK. Subagents DO. You have the largest context window and strongest reaso
    - If NEEDS_REVISION: Revise plan and re-submit to critic (max 2 cycles)
    - If REJECTED after 2 cycles: Escalate to user with explanation
    - ONLY AFTER critic approval: Proceed to implementation (Phase 3+)
-7. **MANDATORY QA GATE (Execute AFTER every coder task)** \u2014 sequence: coder \u2192 diff \u2192 syntax_check \u2192 placeholder_scan \u2192 imports \u2192 lint fix \u2192 lint check \u2192 secretscan \u2192 sast_scan \u2192 build_check \u2192 quality_budget \u2192 reviewer \u2192 security review \u2192 security-only review \u2192 verification tests \u2192 adversarial tests \u2192 coverage check \u2192 next task.
+7. **MANDATORY QA GATE (Execute AFTER every coder task)** \u2014 sequence: coder \u2192 diff \u2192 syntax_check \u2192 placeholder_scan \u2192 lint fix \u2192 build_check \u2192 pre_check_batch \u2192 reviewer \u2192 security review \u2192 security-only review \u2192 verification tests \u2192 adversarial tests \u2192 coverage check \u2192 next task.
       - After coder completes: run \`diff\` tool. If \`hasContractChanges\` is true \u2192 delegate {{AGENT_PREFIX}}explorer for integration impact analysis. BREAKING \u2192 return to coder. COMPATIBLE \u2192 proceed.
       - Run \`syntax_check\` tool. SYNTACTIC ERRORS \u2192 return to coder. NO ERRORS \u2192 proceed to placeholder_scan.
       - Run \`placeholder_scan\` tool. PLACEHOLDER FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to imports check.
-      - Run \`secretscan\` tool. FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to sast_scan.
-      - Run \`sast_scan\` tool. SAST FINDINGS AT OR ABOVE THRESHOLD \u2192 return to coder. NO FINDINGS \u2192 proceed to reviewer.
+      - Run \`imports\` tool. Record results for dependency audit. Proceed to lint fix.
+      - Run \`lint\` tool (mode: fix) \u2192 allow auto-corrections. LINT FIX FAILS \u2192 return to coder. SUCCESS \u2192 proceed to build_check.
+      - Run \`build_check\` tool. BUILD FAILS \u2192 return to coder. SUCCESS \u2192 proceed to pre_check_batch.
+      - Run \`pre_check_batch\` tool \u2192 runs four verification tools in parallel (max 4 concurrent):
+        - lint:check (code quality verification)
+        - secretscan (secret detection)
+        - sast_scan (static security analysis)
+        - quality_budget (maintainability metrics)
+        \u2192 Returns { gates_passed, lint, secretscan, sast_scan, quality_budget, total_duration_ms }
+        \u2192 If gates_passed === false: read individual tool results, identify which tool(s) failed, return structured rejection to @coder with specific tool failures. Do NOT call @reviewer.
+        \u2192 If gates_passed === true: proceed to @reviewer.
     - Delegate {{AGENT_PREFIX}}reviewer with CHECK dimensions. REJECTED \u2192 return to coder (max {{QA_RETRY_LIMIT}} attempts). APPROVED \u2192 continue.
     - If file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer AGAIN with security-only CHECK review. REJECTED \u2192 return to coder (max {{QA_RETRY_LIMIT}} attempts). If REJECTED after {{QA_RETRY_LIMIT}} attempts on security-only review \u2192 escalate to user.
    - Delegate {{AGENT_PREFIX}}test_engineer for verification tests. FAIL \u2192 return to coder.
@@ -31996,7 +32013,7 @@ SECURITY_KEYWORDS: password, secret, token, credential, auth, login, encryption,
 
 SMEs advise only. Reviewer and critic review only. None of them write code.
 
-Available Tools: symbols (code symbol search), checkpoint (state snapshots), diff (structured git diff with contract change detection), imports (dependency audit), lint (code quality), placeholder_scan (placeholder/todo detection), secretscan (secret detection), sast_scan (static analysis security scan), syntax_check (syntax validation), test_runner (auto-detect and run tests), pkg_audit (dependency vulnerability scan \u2014 npm/pip/cargo), complexity_hotspots (git churn \xD7 complexity risk map), schema_drift (OpenAPI spec vs route drift), todo_extract (structured TODO/FIXME extraction), evidence_check (verify task evidence completeness), sbom_generate (SBOM generation for dependency inventory), build_check (build verification), quality_budget (code quality budget check)
+Available Tools: symbols (code symbol search), checkpoint (state snapshots), diff (structured git diff with contract change detection), imports (dependency audit), lint (code quality), placeholder_scan (placeholder/todo detection), secretscan (secret detection), sast_scan (static analysis security scan), syntax_check (syntax validation), test_runner (auto-detect and run tests), pkg_audit (dependency vulnerability scan \u2014 npm/pip/cargo), complexity_hotspots (git churn \xD7 complexity risk map), schema_drift (OpenAPI spec vs route drift), todo_extract (structured TODO/FIXME extraction), evidence_check (verify task evidence completeness), sbom_generate (SBOM generation for dependency inventory), build_check (build verification), quality_budget (code quality budget check), pre_check_batch (parallel verification: lint:check + secretscan + sast_scan + quality_budget)
 
 ## DELEGATION FORMAT
 
@@ -32150,16 +32167,21 @@ For each task (respecting dependencies):
     5e. Run \`placeholder_scan\` tool. PLACEHOLDER FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to imports.
     5f. Run \`imports\` tool for dependency audit. ISSUES \u2192 return to coder.
     5g. Run \`lint\` tool with fix mode for auto-fixes. If issues remain \u2192 run \`lint\` tool with check mode. FAIL \u2192 return to coder.
-    5h. Run \`secretscan\` tool. FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to sast_scan.
-    5i. Run \`sast_scan\` tool. SAST FINDINGS AT OR ABOVE THRESHOLD \u2192 return to coder. NO FINDINGS \u2192 proceed to build_check.
-    5j. Run \`build_check\` tool. BUILD FAILURES \u2192 return to coder. SKIPPED (no toolchain) \u2192 proceed. PASSED \u2192 proceed to quality_budget.
-    5k. Run \`quality_budget\` tool. QUALITY VIOLATIONS \u2192 return to coder. WITHIN BUDGET \u2192 proceed to reviewer.
-    5l. {{AGENT_PREFIX}}reviewer - General review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate.
-    5m. Security gate: if file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer security-only review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate to user.
-    5n. {{AGENT_PREFIX}}test_engineer - Verification tests. FAIL \u2192 coder retry from 5g.
-    5o. {{AGENT_PREFIX}}test_engineer - Adversarial tests. FAIL \u2192 coder retry from 5g.
-    5p. COVERAGE CHECK: If test_engineer reports coverage < 70% \u2192 delegate {{AGENT_PREFIX}}test_engineer for an additional test pass targeting uncovered paths. This is a soft guideline; use judgment for trivial tasks.
-    5q. Update plan.md [x], proceed to next task.
+    5h. Run \`build_check\` tool. BUILD FAILS \u2192 return to coder. SUCCESS \u2192 proceed to pre_check_batch.
+    5i. Run \`pre_check_batch\` tool \u2192 runs four verification tools in parallel (max 4 concurrent):
+    - lint:check (code quality verification)
+    - secretscan (secret detection)
+    - sast_scan (static security analysis)
+    - quality_budget (maintainability metrics)
+    \u2192 Returns { gates_passed, lint, secretscan, sast_scan, quality_budget, total_duration_ms }
+    \u2192 If gates_passed === false: read individual tool results, identify which tool(s) failed, return structured rejection to @coder with specific tool failures. Do NOT call @reviewer.
+    \u2192 If gates_passed === true: proceed to @reviewer.
+    5j. {{AGENT_PREFIX}}reviewer - General review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate.
+    5k. Security gate: if file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer security-only review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate to user.
+    5l. {{AGENT_PREFIX}}test_engineer - Verification tests. FAIL \u2192 coder retry from 5g.
+    5m. {{AGENT_PREFIX}}test_engineer - Adversarial tests. FAIL \u2192 coder retry from 5g.
+    5n. COVERAGE CHECK: If test_engineer reports coverage < 70% \u2192 delegate {{AGENT_PREFIX}}test_engineer for an additional test pass targeting uncovered paths. This is a soft guideline; use judgment for trivial tasks.
+    5o. Update plan.md [x], proceed to next task.
 
 ### Phase 6: Phase Complete
 1. {{AGENT_PREFIX}}explorer - Rescan
@@ -35138,7 +35160,7 @@ async function handleResetCommand(directory, args2) {
 init_utils2();
 init_utils();
 import { mkdirSync as mkdirSync5, readdirSync as readdirSync4, renameSync as renameSync2, rmSync as rmSync3, statSync as statSync6 } from "fs";
-import * as path13 from "path";
+import * as path14 from "path";
 var SUMMARY_ID_REGEX = /^S\d+$/;
 function sanitizeSummaryId(id) {
   if (!id || id.length === 0) {
@@ -35166,9 +35188,9 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
   if (outputBytes > maxStoredBytes) {
     throw new Error(`Summary fullOutput size (${outputBytes} bytes) exceeds maximum (${maxStoredBytes} bytes)`);
   }
-  const relativePath = path13.join("summaries", `${sanitizedId}.json`);
+  const relativePath = path14.join("summaries", `${sanitizedId}.json`);
   const summaryPath = validateSwarmPath(directory, relativePath);
-  const summaryDir = path13.dirname(summaryPath);
+  const summaryDir = path14.dirname(summaryPath);
   const entry = {
     id: sanitizedId,
     summaryText,
@@ -35178,7 +35200,7 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
   };
   const entryJson = JSON.stringify(entry);
   mkdirSync5(summaryDir, { recursive: true });
-  const tempPath = path13.join(summaryDir, `${sanitizedId}.json.tmp.${Date.now()}.${process.pid}`);
+  const tempPath = path14.join(summaryDir, `${sanitizedId}.json.tmp.${Date.now()}.${process.pid}`);
   try {
     await Bun.write(tempPath, entryJson);
     renameSync2(tempPath, summaryPath);
@@ -35191,7 +35213,7 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
 }
 async function loadFullOutput(directory, id) {
   const sanitizedId = sanitizeSummaryId(id);
-  const relativePath = path13.join("summaries", `${sanitizedId}.json`);
+  const relativePath = path14.join("summaries", `${sanitizedId}.json`);
   validateSwarmPath(directory, relativePath);
   const content = await readSwarmFileAsync(directory, relativePath);
   if (content === null) {
@@ -35695,8 +35717,8 @@ async function doFlush(directory) {
     const activitySection = renderActivitySection();
     const updated = replaceOrAppendSection(existing, "## Agent Activity", activitySection);
     const flushedCount = swarmState.pendingEvents;
-    const path14 = `${directory}/.swarm/context.md`;
-    await Bun.write(path14, updated);
+    const path15 = `${directory}/.swarm/context.md`;
+    await Bun.write(path15, updated);
     swarmState.pendingEvents = Math.max(0, swarmState.pendingEvents - flushedCount);
   } catch (error93) {
     warn("Agent activity flush failed:", error93);
@@ -36252,14 +36274,14 @@ ${originalText}`;
 }
 // src/hooks/system-enhancer.ts
 import * as fs11 from "fs";
-import * as path15 from "path";
+import * as path16 from "path";
 init_manager2();
 
 // src/services/decision-drift-analyzer.ts
 init_utils2();
 init_manager2();
 import * as fs10 from "fs";
-import * as path14 from "path";
+import * as path15 from "path";
 var DEFAULT_DRIFT_CONFIG = {
   staleThresholdPhases: 1,
   detectContradictions: true,
@@ -36413,7 +36435,7 @@ async function analyzeDecisionDrift(directory, config3 = {}) {
         currentPhase = legacyPhase;
       }
     }
-    const contextPath = path14.join(directory, ".swarm", "context.md");
+    const contextPath = path15.join(directory, ".swarm", "context.md");
     let contextContent = "";
     try {
       if (fs10.existsSync(contextPath)) {
@@ -36674,18 +36696,28 @@ function createSystemEnhancerHook(config3, directory) {
           if (config3.secretscan?.enabled === false) {
             tryInject("[SWARM CONFIG] Secretscan gate is DISABLED. Skip secretscan in QA sequence.");
           }
+          const sessionId_preflight = _input.sessionID;
+          const activeAgent_preflight = swarmState.activeAgent.get(sessionId_preflight ?? "");
+          const isArchitectForPreflight = !activeAgent_preflight || stripKnownSwarmPrefix(activeAgent_preflight) === "architect";
+          if (isArchitectForPreflight) {
+            if (config3.pipeline?.parallel_precheck !== false) {
+              tryInject("[SWARM HINT] Parallel pre-check enabled: call pre_check_batch(files, directory) after lint --fix and build_check to run lint:check + secretscan + sast_scan + quality_budget concurrently (max 4 parallel). Check gates_passed before calling @reviewer.");
+            } else {
+              tryInject("[SWARM HINT] Parallel pre-check disabled: run lint:check \u2192 secretscan \u2192 sast_scan \u2192 quality_budget sequentially.");
+            }
+          }
           const sessionId_retro = _input.sessionID;
           const activeAgent_retro = swarmState.activeAgent.get(sessionId_retro ?? "");
           const isArchitect = !activeAgent_retro || stripKnownSwarmPrefix(activeAgent_retro) === "architect";
           if (isArchitect) {
             try {
-              const evidenceDir = path15.join(directory, ".swarm", "evidence");
+              const evidenceDir = path16.join(directory, ".swarm", "evidence");
               if (fs11.existsSync(evidenceDir)) {
                 const files = fs11.readdirSync(evidenceDir).filter((f) => f.endsWith(".json")).sort().reverse();
                 for (const file3 of files.slice(0, 5)) {
                   let content;
                   try {
-                    content = JSON.parse(fs11.readFileSync(path15.join(evidenceDir, file3), "utf-8"));
+                    content = JSON.parse(fs11.readFileSync(path16.join(evidenceDir, file3), "utf-8"));
                   } catch {
                     continue;
                   }
@@ -36900,18 +36932,32 @@ function createSystemEnhancerHook(config3, directory) {
             metadata: { contentType: "prose" }
           });
         }
+        const sessionId_preflight_b = _input.sessionID;
+        const activeAgent_preflight_b = swarmState.activeAgent.get(sessionId_preflight_b ?? "");
+        const isArchitectForPreflight_b = !activeAgent_preflight_b || stripKnownSwarmPrefix(activeAgent_preflight_b) === "architect";
+        if (isArchitectForPreflight_b) {
+          const hintText_b = config3.pipeline?.parallel_precheck !== false ? "[SWARM HINT] Parallel pre-check enabled: call pre_check_batch(files, directory) after lint --fix and build_check to run lint:check + secretscan + sast_scan + quality_budget concurrently (max 4 parallel). Check gates_passed before calling @reviewer." : "[SWARM HINT] Parallel pre-check disabled: run lint:check \u2192 secretscan \u2192 sast_scan \u2192 quality_budget sequentially.";
+          candidates.push({
+            id: `candidate-${idCounter++}`,
+            kind: "phase",
+            text: hintText_b,
+            tokens: estimateTokens(hintText_b),
+            priority: 1,
+            metadata: { contentType: "prose" }
+          });
+        }
         const sessionId_retro_b = _input.sessionID;
         const activeAgent_retro_b = swarmState.activeAgent.get(sessionId_retro_b ?? "");
         const isArchitect_b = !activeAgent_retro_b || stripKnownSwarmPrefix(activeAgent_retro_b) === "architect";
         if (isArchitect_b) {
           try {
-            const evidenceDir_b = path15.join(directory, ".swarm", "evidence");
+            const evidenceDir_b = path16.join(directory, ".swarm", "evidence");
             if (fs11.existsSync(evidenceDir_b)) {
               const files_b = fs11.readdirSync(evidenceDir_b).filter((f) => f.endsWith(".json")).sort().reverse();
               for (const file3 of files_b.slice(0, 5)) {
                 let content_b;
                 try {
-                  content_b = JSON.parse(fs11.readFileSync(path15.join(evidenceDir_b, file3), "utf-8"));
+                  content_b = JSON.parse(fs11.readFileSync(path16.join(evidenceDir_b, file3), "utf-8"));
                 } catch {
                   continue;
                 }
@@ -37207,7 +37253,7 @@ init_dist();
 // src/build/discovery.ts
 init_dist();
 import * as fs12 from "fs";
-import * as path16 from "path";
+import * as path17 from "path";
 var ECOSYSTEMS = [
   {
     ecosystem: "node",
@@ -37325,11 +37371,11 @@ function findBuildFiles(workingDir, patterns) {
           return regex.test(f);
         });
         if (matches.length > 0) {
-          return path16.join(dir, matches[0]);
+          return path17.join(dir, matches[0]);
         }
       } catch {}
     } else {
-      const filePath = path16.join(workingDir, pattern);
+      const filePath = path17.join(workingDir, pattern);
       if (fs12.existsSync(filePath)) {
         return filePath;
       }
@@ -37338,7 +37384,7 @@ function findBuildFiles(workingDir, patterns) {
   return null;
 }
 function getRepoDefinedScripts(workingDir, scripts) {
-  const packageJsonPath = path16.join(workingDir, "package.json");
+  const packageJsonPath = path17.join(workingDir, "package.json");
   if (!fs12.existsSync(packageJsonPath)) {
     return [];
   }
@@ -37379,7 +37425,7 @@ function findAllBuildFiles(workingDir) {
         const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
         findFilesRecursive(workingDir, regex, allBuildFiles);
       } else {
-        const filePath = path16.join(workingDir, pattern);
+        const filePath = path17.join(workingDir, pattern);
         if (fs12.existsSync(filePath)) {
           allBuildFiles.add(filePath);
         }
@@ -37392,7 +37438,7 @@ function findFilesRecursive(dir, regex, results) {
   try {
     const entries = fs12.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path16.join(dir, entry.name);
+      const fullPath = path17.join(dir, entry.name);
       if (entry.isDirectory() && !["node_modules", ".git", "dist", "build", "target"].includes(entry.name)) {
         findFilesRecursive(fullPath, regex, results);
       } else if (entry.isFile() && regex.test(entry.name)) {
@@ -37634,7 +37680,7 @@ var build_check = tool({
 init_tool();
 import { spawnSync } from "child_process";
 import * as fs13 from "fs";
-import * as path17 from "path";
+import * as path18 from "path";
 var CHECKPOINT_LOG_PATH = ".swarm/checkpoints.json";
 var MAX_LABEL_LENGTH = 100;
 var GIT_TIMEOUT_MS = 30000;
@@ -37685,7 +37731,7 @@ function validateLabel(label) {
   return null;
 }
 function getCheckpointLogPath() {
-  return path17.join(process.cwd(), CHECKPOINT_LOG_PATH);
+  return path18.join(process.cwd(), CHECKPOINT_LOG_PATH);
 }
 function readCheckpointLog() {
   const logPath = getCheckpointLogPath();
@@ -37703,7 +37749,7 @@ function readCheckpointLog() {
 }
 function writeCheckpointLog(log2) {
   const logPath = getCheckpointLogPath();
-  const dir = path17.dirname(logPath);
+  const dir = path18.dirname(logPath);
   if (!fs13.existsSync(dir)) {
     fs13.mkdirSync(dir, { recursive: true });
   }
@@ -37910,7 +37956,7 @@ var checkpoint = tool({
 // src/tools/complexity-hotspots.ts
 init_dist();
 import * as fs14 from "fs";
-import * as path18 from "path";
+import * as path19 from "path";
 var MAX_FILE_SIZE_BYTES2 = 256 * 1024;
 var DEFAULT_DAYS = 90;
 var DEFAULT_TOP_N = 20;
@@ -38053,7 +38099,7 @@ async function analyzeHotspots(days, topN, extensions) {
   const extSet = new Set(extensions.map((e) => e.startsWith(".") ? e : `.${e}`));
   const filteredChurn = new Map;
   for (const [file3, count] of churnMap) {
-    const ext = path18.extname(file3).toLowerCase();
+    const ext = path19.extname(file3).toLowerCase();
     if (extSet.has(ext)) {
       filteredChurn.set(file3, count);
     }
@@ -38064,7 +38110,7 @@ async function analyzeHotspots(days, topN, extensions) {
   for (const [file3, churnCount] of filteredChurn) {
     let fullPath = file3;
     if (!fs14.existsSync(fullPath)) {
-      fullPath = path18.join(cwd, file3);
+      fullPath = path19.join(cwd, file3);
     }
     const complexity = getComplexityForFile(fullPath);
     if (complexity !== null) {
@@ -38222,14 +38268,14 @@ function validateBase(base) {
 function validatePaths(paths) {
   if (!paths)
     return null;
-  for (const path19 of paths) {
-    if (!path19 || path19.length === 0) {
+  for (const path20 of paths) {
+    if (!path20 || path20.length === 0) {
       return "empty path not allowed";
     }
-    if (path19.length > MAX_PATH_LENGTH) {
+    if (path20.length > MAX_PATH_LENGTH) {
       return `path exceeds maximum length of ${MAX_PATH_LENGTH}`;
     }
-    if (SHELL_METACHARACTERS2.test(path19)) {
+    if (SHELL_METACHARACTERS2.test(path20)) {
       return "path contains shell metacharacters";
     }
   }
@@ -38292,8 +38338,8 @@ var diff = tool({
         if (parts2.length >= 3) {
           const additions = parseInt(parts2[0]) || 0;
           const deletions = parseInt(parts2[1]) || 0;
-          const path19 = parts2[2];
-          files.push({ path: path19, additions, deletions });
+          const path20 = parts2[2];
+          files.push({ path: path20, additions, deletions });
         }
       }
       const contractChanges = [];
@@ -38522,7 +38568,7 @@ Use these as DOMAIN values when delegating to @sme.`;
 // src/tools/evidence-check.ts
 init_dist();
 import * as fs15 from "fs";
-import * as path19 from "path";
+import * as path20 from "path";
 var MAX_FILE_SIZE_BYTES3 = 1024 * 1024;
 var MAX_EVIDENCE_FILES = 1000;
 var EVIDENCE_DIR = ".swarm/evidence";
@@ -38545,9 +38591,9 @@ function validateRequiredTypes(input) {
   return null;
 }
 function isPathWithinSwarm(filePath, cwd) {
-  const normalizedCwd = path19.resolve(cwd);
-  const swarmPath = path19.join(normalizedCwd, ".swarm");
-  const normalizedPath = path19.resolve(filePath);
+  const normalizedCwd = path20.resolve(cwd);
+  const swarmPath = path20.join(normalizedCwd, ".swarm");
+  const normalizedPath = path20.resolve(filePath);
   return normalizedPath.startsWith(swarmPath);
 }
 function parseCompletedTasks(planContent) {
@@ -38578,10 +38624,10 @@ function readEvidenceFiles(evidenceDir, cwd) {
     if (!VALID_EVIDENCE_FILENAME_REGEX.test(filename)) {
       continue;
     }
-    const filePath = path19.join(evidenceDir, filename);
+    const filePath = path20.join(evidenceDir, filename);
     try {
-      const resolvedPath = path19.resolve(filePath);
-      const evidenceDirResolved = path19.resolve(evidenceDir);
+      const resolvedPath = path20.resolve(filePath);
+      const evidenceDirResolved = path20.resolve(evidenceDir);
       if (!resolvedPath.startsWith(evidenceDirResolved)) {
         continue;
       }
@@ -38688,7 +38734,7 @@ var evidence_check = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const requiredTypes = requiredTypesValue.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
-    const planPath = path19.join(cwd, PLAN_FILE);
+    const planPath = path20.join(cwd, PLAN_FILE);
     if (!isPathWithinSwarm(planPath, cwd)) {
       const errorResult = {
         error: "plan file path validation failed",
@@ -38720,7 +38766,7 @@ var evidence_check = tool({
       };
       return JSON.stringify(result2, null, 2);
     }
-    const evidenceDir = path19.join(cwd, EVIDENCE_DIR);
+    const evidenceDir = path20.join(cwd, EVIDENCE_DIR);
     const evidence = readEvidenceFiles(evidenceDir, cwd);
     const { tasksWithFullEvidence, gaps } = analyzeGaps(completedTasks, evidence, requiredTypes);
     const completeness = completedTasks.length > 0 ? Math.round(tasksWithFullEvidence.length / completedTasks.length * 100) / 100 : 1;
@@ -38737,7 +38783,7 @@ var evidence_check = tool({
 // src/tools/file-extractor.ts
 init_tool();
 import * as fs16 from "fs";
-import * as path20 from "path";
+import * as path21 from "path";
 var EXT_MAP = {
   python: ".py",
   py: ".py",
@@ -38815,12 +38861,12 @@ var extract_code_blocks = tool({
       if (prefix) {
         filename = `${prefix}_${filename}`;
       }
-      let filepath = path20.join(targetDir, filename);
-      const base = path20.basename(filepath, path20.extname(filepath));
-      const ext = path20.extname(filepath);
+      let filepath = path21.join(targetDir, filename);
+      const base = path21.basename(filepath, path21.extname(filepath));
+      const ext = path21.extname(filepath);
       let counter = 1;
       while (fs16.existsSync(filepath)) {
-        filepath = path20.join(targetDir, `${base}_${counter}${ext}`);
+        filepath = path21.join(targetDir, `${base}_${counter}${ext}`);
         counter++;
       }
       try {
@@ -38933,7 +38979,7 @@ var gitingest = tool({
 // src/tools/imports.ts
 init_dist();
 import * as fs17 from "fs";
-import * as path21 from "path";
+import * as path22 from "path";
 var MAX_FILE_PATH_LENGTH2 = 500;
 var MAX_SYMBOL_LENGTH = 256;
 var MAX_FILE_SIZE_BYTES4 = 1024 * 1024;
@@ -38987,7 +39033,7 @@ function validateSymbolInput(symbol3) {
   return null;
 }
 function isBinaryFile2(filePath, buffer) {
-  const ext = path21.extname(filePath).toLowerCase();
+  const ext = path22.extname(filePath).toLowerCase();
   if (ext === ".json" || ext === ".md" || ext === ".txt") {
     return false;
   }
@@ -39011,15 +39057,15 @@ function parseImports(content, targetFile, targetSymbol) {
   const imports = [];
   let resolvedTarget;
   try {
-    resolvedTarget = path21.resolve(targetFile);
+    resolvedTarget = path22.resolve(targetFile);
   } catch {
     resolvedTarget = targetFile;
   }
-  const targetBasename = path21.basename(targetFile, path21.extname(targetFile));
+  const targetBasename = path22.basename(targetFile, path22.extname(targetFile));
   const targetWithExt = targetFile;
   const targetWithoutExt = targetFile.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/i, "");
-  const normalizedTargetWithExt = path21.normalize(targetWithExt).replace(/\\/g, "/");
-  const normalizedTargetWithoutExt = path21.normalize(targetWithoutExt).replace(/\\/g, "/");
+  const normalizedTargetWithExt = path22.normalize(targetWithExt).replace(/\\/g, "/");
+  const normalizedTargetWithoutExt = path22.normalize(targetWithoutExt).replace(/\\/g, "/");
   const importRegex = /import\s+(?:\{[\s\S]*?\}|(?:\*\s+as\s+\w+)|\w+)\s+from\s+['"`]([^'"`]+)['"`]|import\s+['"`]([^'"`]+)['"`]|require\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/g;
   let match;
   while ((match = importRegex.exec(content)) !== null) {
@@ -39043,9 +39089,9 @@ function parseImports(content, targetFile, targetSymbol) {
     }
     const normalizedModule = modulePath.replace(/^\.\//, "").replace(/^\.\.\\/, "../");
     let isMatch = false;
-    const targetDir = path21.dirname(targetFile);
-    const targetExt = path21.extname(targetFile);
-    const targetBasenameNoExt = path21.basename(targetFile, targetExt);
+    const targetDir = path22.dirname(targetFile);
+    const targetExt = path22.extname(targetFile);
+    const targetBasenameNoExt = path22.basename(targetFile, targetExt);
     const moduleNormalized = modulePath.replace(/\\/g, "/").replace(/^\.\//, "");
     const moduleName = modulePath.split(/[/\\]/).pop() || "";
     const moduleNameNoExt = moduleName.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/i, "");
@@ -39113,10 +39159,10 @@ function findSourceFiles2(dir, files = [], stats = { skippedDirs: [], skippedFil
   entries.sort((a, b) => a.toLowerCase().localeCompare(b.toLowerCase()));
   for (const entry of entries) {
     if (SKIP_DIRECTORIES2.has(entry)) {
-      stats.skippedDirs.push(path21.join(dir, entry));
+      stats.skippedDirs.push(path22.join(dir, entry));
       continue;
     }
-    const fullPath = path21.join(dir, entry);
+    const fullPath = path22.join(dir, entry);
     let stat;
     try {
       stat = fs17.statSync(fullPath);
@@ -39130,7 +39176,7 @@ function findSourceFiles2(dir, files = [], stats = { skippedDirs: [], skippedFil
     if (stat.isDirectory()) {
       findSourceFiles2(fullPath, files, stats);
     } else if (stat.isFile()) {
-      const ext = path21.extname(fullPath).toLowerCase();
+      const ext = path22.extname(fullPath).toLowerCase();
       if (SUPPORTED_EXTENSIONS.includes(ext)) {
         files.push(fullPath);
       }
@@ -39186,7 +39232,7 @@ var imports = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     try {
-      const targetFile = path21.resolve(file3);
+      const targetFile = path22.resolve(file3);
       if (!fs17.existsSync(targetFile)) {
         const errorResult = {
           error: `target file not found: ${file3}`,
@@ -39208,7 +39254,7 @@ var imports = tool({
         };
         return JSON.stringify(errorResult, null, 2);
       }
-      const baseDir = path21.dirname(targetFile);
+      const baseDir = path22.dirname(targetFile);
       const scanStats = {
         skippedDirs: [],
         skippedFiles: 0,
@@ -39298,7 +39344,7 @@ init_lint();
 // src/tools/pkg-audit.ts
 init_dist();
 import * as fs18 from "fs";
-import * as path22 from "path";
+import * as path23 from "path";
 var MAX_OUTPUT_BYTES5 = 52428800;
 var AUDIT_TIMEOUT_MS = 120000;
 function isValidEcosystem(value) {
@@ -39316,13 +39362,13 @@ function validateArgs3(args2) {
 function detectEcosystems() {
   const ecosystems = [];
   const cwd = process.cwd();
-  if (fs18.existsSync(path22.join(cwd, "package.json"))) {
+  if (fs18.existsSync(path23.join(cwd, "package.json"))) {
     ecosystems.push("npm");
   }
-  if (fs18.existsSync(path22.join(cwd, "pyproject.toml")) || fs18.existsSync(path22.join(cwd, "requirements.txt"))) {
+  if (fs18.existsSync(path23.join(cwd, "pyproject.toml")) || fs18.existsSync(path23.join(cwd, "requirements.txt"))) {
     ecosystems.push("pip");
   }
-  if (fs18.existsSync(path22.join(cwd, "Cargo.toml"))) {
+  if (fs18.existsSync(path23.join(cwd, "Cargo.toml"))) {
     ecosystems.push("cargo");
   }
   return ecosystems;
@@ -41230,11 +41276,11 @@ var Module2 = (() => {
       throw toThrow;
     }, "quit_");
     var scriptDirectory = "";
-    function locateFile(path23) {
+    function locateFile(path24) {
       if (Module["locateFile"]) {
-        return Module["locateFile"](path23, scriptDirectory);
+        return Module["locateFile"](path24, scriptDirectory);
       }
-      return scriptDirectory + path23;
+      return scriptDirectory + path24;
     }
     __name(locateFile, "locateFile");
     var readAsync, readBinary;
@@ -43023,6 +43069,9 @@ for (const definition of languageDefinitions) {
     extensionMap.set(extension, definition);
   }
 }
+function getLanguageForExtension(extension) {
+  return extensionMap.get(extension.toLowerCase());
+}
 
 // src/tools/placeholder-scan.ts
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -43043,63 +43092,808 @@ var SUPPORTED_PARSER_EXTENSIONS = new Set([
   ".php",
   ".rb"
 ]);
+// src/tools/pre-check-batch.ts
+init_dist();
+import * as path26 from "path";
+
+// node_modules/yocto-queue/index.js
+class Node2 {
+  value;
+  next;
+  constructor(value) {
+    this.value = value;
+  }
+}
+
+class Queue {
+  #head;
+  #tail;
+  #size;
+  constructor() {
+    this.clear();
+  }
+  enqueue(value) {
+    const node = new Node2(value);
+    if (this.#head) {
+      this.#tail.next = node;
+      this.#tail = node;
+    } else {
+      this.#head = node;
+      this.#tail = node;
+    }
+    this.#size++;
+  }
+  dequeue() {
+    const current = this.#head;
+    if (!current) {
+      return;
+    }
+    this.#head = this.#head.next;
+    this.#size--;
+    if (!this.#head) {
+      this.#tail = undefined;
+    }
+    return current.value;
+  }
+  peek() {
+    if (!this.#head) {
+      return;
+    }
+    return this.#head.value;
+  }
+  clear() {
+    this.#head = undefined;
+    this.#tail = undefined;
+    this.#size = 0;
+  }
+  get size() {
+    return this.#size;
+  }
+  *[Symbol.iterator]() {
+    let current = this.#head;
+    while (current) {
+      yield current.value;
+      current = current.next;
+    }
+  }
+  *drain() {
+    while (this.#head) {
+      yield this.dequeue();
+    }
+  }
+}
+
+// node_modules/p-limit/index.js
+function pLimit(concurrency) {
+  let rejectOnClear = false;
+  if (typeof concurrency === "object") {
+    ({ concurrency, rejectOnClear = false } = concurrency);
+  }
+  validateConcurrency(concurrency);
+  if (typeof rejectOnClear !== "boolean") {
+    throw new TypeError("Expected `rejectOnClear` to be a boolean");
+  }
+  const queue = new Queue;
+  let activeCount = 0;
+  const resumeNext = () => {
+    if (activeCount < concurrency && queue.size > 0) {
+      activeCount++;
+      queue.dequeue().run();
+    }
+  };
+  const next = () => {
+    activeCount--;
+    resumeNext();
+  };
+  const run2 = async (function_, resolve10, arguments_2) => {
+    const result = (async () => function_(...arguments_2))();
+    resolve10(result);
+    try {
+      await result;
+    } catch {}
+    next();
+  };
+  const enqueue = (function_, resolve10, reject, arguments_2) => {
+    const queueItem = { reject };
+    new Promise((internalResolve) => {
+      queueItem.run = internalResolve;
+      queue.enqueue(queueItem);
+    }).then(run2.bind(undefined, function_, resolve10, arguments_2));
+    if (activeCount < concurrency) {
+      resumeNext();
+    }
+  };
+  const generator = (function_, ...arguments_2) => new Promise((resolve10, reject) => {
+    enqueue(function_, resolve10, reject, arguments_2);
+  });
+  Object.defineProperties(generator, {
+    activeCount: {
+      get: () => activeCount
+    },
+    pendingCount: {
+      get: () => queue.size
+    },
+    clearQueue: {
+      value() {
+        if (!rejectOnClear) {
+          queue.clear();
+          return;
+        }
+        const abortError = AbortSignal.abort().reason;
+        while (queue.size > 0) {
+          queue.dequeue().reject(abortError);
+        }
+      }
+    },
+    concurrency: {
+      get: () => concurrency,
+      set(newConcurrency) {
+        validateConcurrency(newConcurrency);
+        concurrency = newConcurrency;
+        queueMicrotask(() => {
+          while (activeCount < concurrency && queue.size > 0) {
+            resumeNext();
+          }
+        });
+      }
+    },
+    map: {
+      async value(iterable, function_) {
+        const promises = Array.from(iterable, (value, index) => this(function_, value, index));
+        return Promise.all(promises);
+      }
+    }
+  });
+  return generator;
+}
+function validateConcurrency(concurrency) {
+  if (!((Number.isInteger(concurrency) || concurrency === Number.POSITIVE_INFINITY) && concurrency > 0)) {
+    throw new TypeError("Expected `concurrency` to be a number from 1 and up");
+  }
+}
+
+// src/tools/pre-check-batch.ts
+init_utils();
+init_lint();
+
 // src/tools/quality-budget.ts
 init_manager();
 
 // src/quality/metrics.ts
+import * as fs19 from "fs";
+import * as path24 from "path";
 var MAX_FILE_SIZE_BYTES5 = 256 * 1024;
-// src/tools/retrieve-summary.ts
-init_dist();
-var RETRIEVE_MAX_BYTES = 10 * 1024 * 1024;
-var retrieve_summary = tool({
-  description: "Retrieve the full content of a stored tool output summary by its ID (e.g. S1, S2). Use this when a prior tool output was summarized and you need the full content.",
-  args: {
-    id: tool.schema.string().describe("The summary ID to retrieve (e.g. S1, S2, S99). Must match pattern S followed by digits.")
-  },
-  async execute(args2, context) {
-    const directory = context.directory;
-    let sanitizedId;
-    try {
-      sanitizedId = sanitizeSummaryId(args2.id);
-    } catch {
-      return "Error: invalid summary ID format. Expected format: S followed by digits (e.g. S1, S2, S99).";
+var MIN_DUPLICATION_LINES = 10;
+function estimateCyclomaticComplexity(content) {
+  let processed = content.replace(/\/\*[\s\S]*?\*\//g, "");
+  processed = processed.replace(/\/\/.*/g, "");
+  processed = processed.replace(/#.*/g, "");
+  processed = processed.replace(/'[^']*'/g, "");
+  processed = processed.replace(/"[^"]*"/g, "");
+  processed = processed.replace(/`[^`]*`/g, "");
+  let complexity = 1;
+  const decisionPatterns = [
+    /\bif\b/g,
+    /\belse\s+if\b/g,
+    /\bfor\b/g,
+    /\bwhile\b/g,
+    /\bswitch\b/g,
+    /\bcase\b/g,
+    /\bcatch\b/g,
+    /\?\./g,
+    /\?\?/g,
+    /&&/g,
+    /\|\|/g
+  ];
+  for (const pattern of decisionPatterns) {
+    const matches = processed.match(pattern);
+    if (matches) {
+      complexity += matches.length;
+    }
+  }
+  const ternaryMatches = processed.match(/\?[^:]/g);
+  if (ternaryMatches) {
+    complexity += ternaryMatches.length;
+  }
+  return complexity;
+}
+function getComplexityForFile2(filePath) {
+  try {
+    const stat = fs19.statSync(filePath);
+    if (stat.size > MAX_FILE_SIZE_BYTES5) {
+      return null;
+    }
+    const content = fs19.readFileSync(filePath, "utf-8");
+    return estimateCyclomaticComplexity(content);
+  } catch {
+    return null;
+  }
+}
+async function computeComplexityDelta(files, workingDir) {
+  let totalComplexity = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
+    }
+    const complexity = getComplexityForFile2(fullPath);
+    if (complexity !== null) {
+      totalComplexity += complexity;
+      analyzedFiles.push(file3);
+    }
+  }
+  return { delta: totalComplexity, analyzedFiles };
+}
+function countExportsInFile(content) {
+  let count = 0;
+  const exportFunctionMatches = content.match(/export\s+function\s+\w+/g);
+  if (exportFunctionMatches)
+    count += exportFunctionMatches.length;
+  const exportClassMatches = content.match(/export\s+class\s+\w+/g);
+  if (exportClassMatches)
+    count += exportClassMatches.length;
+  const exportConstMatches = content.match(/export\s+const\s+\w+/g);
+  if (exportConstMatches)
+    count += exportConstMatches.length;
+  const exportLetMatches = content.match(/export\s+let\s+\w+/g);
+  if (exportLetMatches)
+    count += exportLetMatches.length;
+  const exportVarMatches = content.match(/export\s+var\s+\w+/g);
+  if (exportVarMatches)
+    count += exportVarMatches.length;
+  const exportNamedMatches = content.match(/export\s*\{[^}]+\}/g);
+  if (exportNamedMatches) {
+    for (const match of exportNamedMatches) {
+      const names = match.match(/\b[a-zA-Z_$][a-zA-Z0-9_$]*\b/g);
+      const filteredNames = names ? names.filter((n) => n !== "export") : [];
+      count += filteredNames.length;
+    }
+  }
+  const exportDefaultMatches = content.match(/export\s+default/g);
+  if (exportDefaultMatches)
+    count += exportDefaultMatches.length;
+  const exportTypeMatches = content.match(/export\s+(type|interface)\s+\w+/g);
+  if (exportTypeMatches)
+    count += exportTypeMatches.length;
+  const exportEnumMatches = content.match(/export\s+enum\s+\w+/g);
+  if (exportEnumMatches)
+    count += exportEnumMatches.length;
+  const exportEqualsMatches = content.match(/export\s+=/g);
+  if (exportEqualsMatches)
+    count += exportEqualsMatches.length;
+  return count;
+}
+function countPythonExports(content) {
+  let count = 0;
+  const noComments = content.replace(/#.*/g, "");
+  const noStrings = noComments.replace(/"[^"]*"/g, "").replace(/'[^']*'/g, "");
+  const functionMatches = noStrings.match(/^\s*def\s+\w+/gm);
+  if (functionMatches)
+    count += functionMatches.length;
+  const classMatches = noStrings.match(/^\s*class\s+\w+/gm);
+  if (classMatches)
+    count += classMatches.length;
+  const originalContent = content;
+  const allMatchOriginal = originalContent.match(/__all__\s*=\s*\[([^\]]+)\]/);
+  if (allMatchOriginal?.[1]) {
+    const names = allMatchOriginal[1].match(/['"]?(\w+)['"]?/g);
+    if (names) {
+      const cleanNames = names.map((n) => n.replace(/['"]/g, ""));
+      count += cleanNames.length;
+    }
+  }
+  return count;
+}
+function countRustExports(content) {
+  let count = 0;
+  let processed = content.replace(/\/\/.*/g, "");
+  processed = processed.replace(/\/\*[\s\S]*?\*\//g, "");
+  const pubFnMatches = processed.match(/pub\s+fn\s+\w+/g);
+  if (pubFnMatches)
+    count += pubFnMatches.length;
+  const pubStructMatches = processed.match(/pub\s+struct\s+\w+/g);
+  if (pubStructMatches)
+    count += pubStructMatches.length;
+  const pubEnumMatches = processed.match(/pub\s+enum\s+\w+/g);
+  if (pubEnumMatches)
+    count += pubEnumMatches.length;
+  const pubUseMatches = processed.match(/pub\s+use\s+/g);
+  if (pubUseMatches)
+    count += pubUseMatches.length;
+  const pubConstMatches = processed.match(/pub\s+const\s+\w+/g);
+  if (pubConstMatches)
+    count += pubConstMatches.length;
+  const pubModMatches = processed.match(/pub\s+mod\s+\w+/g);
+  if (pubModMatches)
+    count += pubModMatches.length;
+  const pubTypeMatches = processed.match(/pub\s+type\s+\w+/g);
+  if (pubTypeMatches)
+    count += pubTypeMatches.length;
+  return count;
+}
+function countGoExports(content) {
+  let count = 0;
+  let processed = content.replace(/\/\/.*/gm, "");
+  processed = processed.replace(/\/\*[\s\S]*?\*\//g, "");
+  const exportedFuncMatches = processed.match(/^\s*func\s+[A-Z]\w*/gm);
+  if (exportedFuncMatches)
+    count += exportedFuncMatches.length;
+  const exportedVarMatches = processed.match(/^\s*var\s+[A-Z]\w*/gm);
+  if (exportedVarMatches)
+    count += exportedVarMatches.length;
+  const exportedTypeMatches = processed.match(/^\s*type\s+[A-Z]\w*/gm);
+  if (exportedTypeMatches)
+    count += exportedTypeMatches.length;
+  const exportedConstMatches = processed.match(/^\s*const\s+[A-Z]\w*/gm);
+  if (exportedConstMatches)
+    count += exportedConstMatches.length;
+  const packageMatch = processed.match(/^\s*package\s+\w+/m);
+  if (packageMatch)
+    count += 1;
+  return count;
+}
+function getExportCountForFile(filePath) {
+  try {
+    const content = fs19.readFileSync(filePath, "utf-8");
+    const ext = path24.extname(filePath).toLowerCase();
+    switch (ext) {
+      case ".ts":
+      case ".tsx":
+      case ".js":
+      case ".jsx":
+      case ".mjs":
+      case ".cjs":
+        return countExportsInFile(content);
+      case ".py":
+        return countPythonExports(content);
+      case ".rs":
+        return countRustExports(content);
+      case ".go":
+        return countGoExports(content);
+      default:
+        return countExportsInFile(content);
+    }
+  } catch {
+    return 0;
+  }
+}
+async function computePublicApiDelta(files, workingDir) {
+  let totalExports = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
+    }
+    const exports = getExportCountForFile(fullPath);
+    totalExports += exports;
+    analyzedFiles.push(file3);
+  }
+  return { delta: totalExports, analyzedFiles };
+}
+function findDuplicateLines(content, minLines) {
+  const lines = content.split(`
+`).filter((line) => line.trim().length > 0);
+  if (lines.length < minLines) {
+    return 0;
+  }
+  const lineCounts = new Map;
+  for (const line of lines) {
+    const normalized = line.trim();
+    lineCounts.set(normalized, (lineCounts.get(normalized) || 0) + 1);
+  }
+  let duplicateCount = 0;
+  for (const [_line, count] of lineCounts) {
+    if (count > 1) {
+      duplicateCount += count - 1;
+    }
+  }
+  return duplicateCount;
+}
+async function computeDuplicationRatio(files, workingDir) {
+  let totalLines = 0;
+  let duplicateLines = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
     }
-    let fullOutput;
     try {
-      fullOutput = await loadFullOutput(directory, sanitizedId);
-    } catch {
-      return "Error: failed to retrieve summary.";
+      const stat = fs19.statSync(fullPath);
+      if (stat.size > MAX_FILE_SIZE_BYTES5) {
+        continue;
+      }
+      const content = fs19.readFileSync(fullPath, "utf-8");
+      const lines = content.split(`
+`).filter((line) => line.trim().length > 0);
+      if (lines.length < MIN_DUPLICATION_LINES) {
+        analyzedFiles.push(file3);
+        continue;
+      }
+      totalLines += lines.length;
+      duplicateLines += findDuplicateLines(content, MIN_DUPLICATION_LINES);
+      analyzedFiles.push(file3);
+    } catch {}
+  }
+  const ratio = totalLines > 0 ? duplicateLines / totalLines : 0;
+  return { ratio, analyzedFiles };
+}
+function countCodeLines(content) {
+  let processed = content.replace(/\/\*[\s\S]*?\*\//g, "");
+  processed = processed.replace(/\/\/.*/g, "");
+  processed = processed.replace(/#.*/g, "");
+  const lines = processed.split(`
+`).filter((line) => line.trim().length > 0);
+  return lines.length;
+}
+function isTestFile(filePath) {
+  const basename5 = path24.basename(filePath);
+  const _ext = path24.extname(filePath).toLowerCase();
+  const testPatterns = [
+    ".test.",
+    ".spec.",
+    ".tests.",
+    ".test.ts",
+    ".test.js",
+    ".spec.ts",
+    ".spec.js",
+    ".test.tsx",
+    ".test.jsx",
+    ".spec.tsx",
+    ".spec.jsx"
+  ];
+  for (const pattern of testPatterns) {
+    if (basename5.includes(pattern)) {
+      return true;
     }
-    if (fullOutput === null) {
-      return `Summary \`${sanitizedId}\` not found. Use a valid summary ID (e.g. S1, S2).`;
+  }
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  if (normalizedPath.includes("/tests/") || normalizedPath.includes("/test/")) {
+    return true;
+  }
+  if (normalizedPath.includes("/__tests__/")) {
+    return true;
+  }
+  return false;
+}
+function shouldExcludeFile(filePath, excludeGlobs) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  for (const glob of excludeGlobs) {
+    const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+    const regex = new RegExp(pattern);
+    if (regex.test(normalizedPath)) {
+      return true;
     }
-    if (fullOutput.length > RETRIEVE_MAX_BYTES) {
-      return `Error: summary content exceeds maximum size limit (10 MB).`;
+  }
+  return false;
+}
+async function computeTestToCodeRatio(workingDir, enforceGlobs, excludeGlobs) {
+  let testLines = 0;
+  let codeLines = 0;
+  const srcDir = path24.join(workingDir, "src");
+  if (fs19.existsSync(srcDir)) {
+    await scanDirectoryForLines(srcDir, enforceGlobs, excludeGlobs, false, (lines) => {
+      codeLines += lines;
+    });
+  }
+  const possibleSrcDirs = ["lib", "app", "source", "core"];
+  for (const dir of possibleSrcDirs) {
+    const dirPath = path24.join(workingDir, dir);
+    if (fs19.existsSync(dirPath)) {
+      await scanDirectoryForLines(dirPath, enforceGlobs, excludeGlobs, false, (lines) => {
+        codeLines += lines;
+      });
     }
-    return fullOutput;
   }
-});
-// src/tools/sast-scan.ts
-init_manager();
-
-// src/sast/rules/c.ts
-var cRules = [
-  {
-    id: "sast/c-buffer-overflow",
-    name: "Buffer overflow vulnerability",
-    severity: "critical",
-    languages: ["c", "cpp"],
-    description: "strcpy/strcat to fixed-size buffer without bounds checking",
-    remediation: "Use strncpy, snprintf, or safer alternatives that include size limits.",
-    pattern: /\b(?:strcpy|strcat)\s*\(\s*[a-zA-Z_]/
-  },
-  {
-    id: "sast/c-gets",
-    name: "Unsafe gets() usage",
-    severity: "critical",
-    languages: ["c", "cpp"],
-    description: "gets() does not check buffer bounds - removed from C11",
-    remediation: "Use fgets() with proper buffer size instead of gets().",
+  const testsDir = path24.join(workingDir, "tests");
+  if (fs19.existsSync(testsDir)) {
+    await scanDirectoryForLines(testsDir, ["**"], ["node_modules", "dist"], true, (lines) => {
+      testLines += lines;
+    });
+  }
+  const possibleTestDirs = ["test", "__tests__", "specs"];
+  for (const dir of possibleTestDirs) {
+    const dirPath = path24.join(workingDir, dir);
+    if (fs19.existsSync(dirPath) && dirPath !== testsDir) {
+      await scanDirectoryForLines(dirPath, ["**"], ["node_modules", "dist"], true, (lines) => {
+        testLines += lines;
+      });
+    }
+  }
+  const totalLines = testLines + codeLines;
+  const ratio = totalLines > 0 ? testLines / totalLines : 0;
+  return { ratio, testLines, codeLines };
+}
+async function scanDirectoryForLines(dirPath, includeGlobs, excludeGlobs, isTestScan, callback) {
+  try {
+    const entries = fs19.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path24.join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === "node_modules" || entry.name === "dist" || entry.name === "build" || entry.name === ".git") {
+          continue;
+        }
+        await scanDirectoryForLines(fullPath, includeGlobs, excludeGlobs, isTestScan, callback);
+      } else if (entry.isFile()) {
+        const relativePath = fullPath.replace(`${process.cwd()}/`, "");
+        const ext = path24.extname(entry.name).toLowerCase();
+        const validExts = [
+          ".ts",
+          ".tsx",
+          ".js",
+          ".jsx",
+          ".py",
+          ".rs",
+          ".go",
+          ".java",
+          ".cs"
+        ];
+        if (!validExts.includes(ext)) {
+          continue;
+        }
+        if (isTestScan && !isTestFile(fullPath)) {
+          continue;
+        }
+        if (!isTestScan && isTestFile(fullPath)) {
+          continue;
+        }
+        if (shouldExcludeFile(relativePath, excludeGlobs)) {
+          continue;
+        }
+        if (!isTestScan && includeGlobs.length > 0 && !includeGlobs.includes("**")) {
+          let matches = false;
+          for (const glob of includeGlobs) {
+            const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+            const regex = new RegExp(pattern);
+            if (regex.test(relativePath)) {
+              matches = true;
+              break;
+            }
+          }
+          if (!matches)
+            continue;
+        }
+        try {
+          const content = fs19.readFileSync(fullPath, "utf-8");
+          const lines = countCodeLines(content);
+          callback(lines);
+        } catch {}
+      }
+    }
+  } catch {}
+}
+function detectViolations(metrics, thresholds) {
+  const violations = [];
+  if (metrics.complexity_delta > thresholds.max_complexity_delta) {
+    violations.push({
+      type: "complexity",
+      message: `Complexity delta (${metrics.complexity_delta}) exceeds threshold (${thresholds.max_complexity_delta})`,
+      severity: metrics.complexity_delta > thresholds.max_complexity_delta * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.public_api_delta > thresholds.max_public_api_delta) {
+    violations.push({
+      type: "api",
+      message: `Public API delta (${metrics.public_api_delta}) exceeds threshold (${thresholds.max_public_api_delta})`,
+      severity: metrics.public_api_delta > thresholds.max_public_api_delta * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.duplication_ratio > thresholds.max_duplication_ratio) {
+    violations.push({
+      type: "duplication",
+      message: `Duplication ratio (${(metrics.duplication_ratio * 100).toFixed(1)}%) exceeds threshold (${(thresholds.max_duplication_ratio * 100).toFixed(1)}%)`,
+      severity: metrics.duplication_ratio > thresholds.max_duplication_ratio * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.files_analyzed.length > 0 && metrics.test_to_code_ratio < thresholds.min_test_to_code_ratio) {
+    violations.push({
+      type: "test_ratio",
+      message: `Test-to-code ratio (${(metrics.test_to_code_ratio * 100).toFixed(1)}%) below threshold (${(thresholds.min_test_to_code_ratio * 100).toFixed(1)}%)`,
+      severity: metrics.test_to_code_ratio < thresholds.min_test_to_code_ratio * 0.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  return violations;
+}
+async function computeQualityMetrics(changedFiles, thresholds, workingDir) {
+  const config3 = {
+    enabled: thresholds.enabled ?? true,
+    max_complexity_delta: thresholds.max_complexity_delta ?? 5,
+    max_public_api_delta: thresholds.max_public_api_delta ?? 10,
+    max_duplication_ratio: thresholds.max_duplication_ratio ?? 0.05,
+    min_test_to_code_ratio: thresholds.min_test_to_code_ratio ?? 0.3,
+    enforce_on_globs: thresholds.enforce_on_globs ?? ["src/**"],
+    exclude_globs: thresholds.exclude_globs ?? [
+      "docs/**",
+      "tests/**",
+      "**/*.test.*"
+    ]
+  };
+  const filteredFiles = changedFiles.filter((file3) => {
+    const normalizedPath = file3.replace(/\\/g, "/");
+    for (const glob of config3.enforce_on_globs) {
+      const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+      const regex = new RegExp(pattern);
+      if (regex.test(normalizedPath)) {
+        for (const exclude of config3.exclude_globs) {
+          const excludePattern = exclude.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+          const excludeRegex = new RegExp(excludePattern);
+          if (excludeRegex.test(normalizedPath)) {
+            return false;
+          }
+        }
+        return true;
+      }
+    }
+    return false;
+  });
+  const [complexityResult, apiResult, duplicationResult, testRatioResult] = await Promise.all([
+    computeComplexityDelta(filteredFiles, workingDir),
+    computePublicApiDelta(filteredFiles, workingDir),
+    computeDuplicationRatio(filteredFiles, workingDir),
+    computeTestToCodeRatio(workingDir, config3.enforce_on_globs, config3.exclude_globs)
+  ]);
+  const allAnalyzedFiles = [
+    ...new Set([
+      ...complexityResult.analyzedFiles,
+      ...apiResult.analyzedFiles,
+      ...duplicationResult.analyzedFiles
+    ])
+  ];
+  const violations = detectViolations({
+    complexity_delta: complexityResult.delta,
+    public_api_delta: apiResult.delta,
+    duplication_ratio: duplicationResult.ratio,
+    test_to_code_ratio: testRatioResult.ratio,
+    files_analyzed: allAnalyzedFiles,
+    thresholds: config3,
+    violations: []
+  }, config3);
+  return {
+    complexity_delta: complexityResult.delta,
+    public_api_delta: apiResult.delta,
+    duplication_ratio: duplicationResult.ratio,
+    test_to_code_ratio: testRatioResult.ratio,
+    files_analyzed: allAnalyzedFiles,
+    thresholds: config3,
+    violations
+  };
+}
+
+// src/tools/quality-budget.ts
+function validateInput(input) {
+  if (!input || typeof input !== "object") {
+    return { valid: false, error: "Input must be an object" };
+  }
+  const typedInput = input;
+  if (!Array.isArray(typedInput.changed_files)) {
+    return { valid: false, error: "changed_files must be an array" };
+  }
+  for (const file3 of typedInput.changed_files) {
+    if (typeof file3 !== "string") {
+      return { valid: false, error: "changed_files must contain strings" };
+    }
+  }
+  if (typedInput.config !== undefined) {
+    if (!typedInput.config || typeof typedInput.config !== "object") {
+      return { valid: false, error: "config must be an object if provided" };
+    }
+  }
+  return { valid: true };
+}
+async function qualityBudget(input, directory) {
+  const validation = validateInput(input);
+  if (!validation.valid) {
+    throw new Error(`Invalid input: ${validation.error}`);
+  }
+  const { changed_files: changedFiles, config: config3 } = input;
+  const thresholds = {
+    enabled: config3?.enabled ?? true,
+    max_complexity_delta: config3?.max_complexity_delta ?? 5,
+    max_public_api_delta: config3?.max_public_api_delta ?? 10,
+    max_duplication_ratio: config3?.max_duplication_ratio ?? 0.05,
+    min_test_to_code_ratio: config3?.min_test_to_code_ratio ?? 0.3,
+    enforce_on_globs: config3?.enforce_on_globs ?? ["src/**"],
+    exclude_globs: config3?.exclude_globs ?? [
+      "docs/**",
+      "tests/**",
+      "**/*.test.*"
+    ]
+  };
+  if (!thresholds.enabled) {
+    return {
+      verdict: "pass",
+      metrics: {
+        complexity_delta: 0,
+        public_api_delta: 0,
+        duplication_ratio: 0,
+        test_to_code_ratio: 0,
+        files_analyzed: [],
+        thresholds,
+        violations: []
+      },
+      violations: [],
+      summary: {
+        files_analyzed: 0,
+        violations_count: 0,
+        errors_count: 0,
+        warnings_count: 0
+      }
+    };
+  }
+  const metrics = await computeQualityMetrics(changedFiles, thresholds, directory);
+  const errorsCount = metrics.violations.filter((v) => v.severity === "error").length;
+  const warningsCount = metrics.violations.filter((v) => v.severity === "warning").length;
+  const verdict = errorsCount > 0 ? "fail" : "pass";
+  await saveEvidence(directory, "quality_budget", {
+    task_id: "quality_budget",
+    type: "quality_budget",
+    timestamp: new Date().toISOString(),
+    agent: "quality_budget",
+    verdict,
+    summary: `Quality budget check: ${metrics.files_analyzed.length} files analyzed, ${metrics.violations.length} violation(s) found (${errorsCount} errors, ${warningsCount} warnings)`,
+    metrics: {
+      complexity_delta: metrics.complexity_delta,
+      public_api_delta: metrics.public_api_delta,
+      duplication_ratio: metrics.duplication_ratio,
+      test_to_code_ratio: metrics.test_to_code_ratio
+    },
+    thresholds: {
+      max_complexity_delta: thresholds.max_complexity_delta,
+      max_public_api_delta: thresholds.max_public_api_delta,
+      max_duplication_ratio: thresholds.max_duplication_ratio,
+      min_test_to_code_ratio: thresholds.min_test_to_code_ratio
+    },
+    violations: metrics.violations.map((v) => ({
+      type: v.type,
+      message: v.message,
+      severity: v.severity,
+      files: v.files
+    })),
+    files_analyzed: metrics.files_analyzed
+  });
+  return {
+    verdict,
+    metrics,
+    violations: metrics.violations,
+    summary: {
+      files_analyzed: metrics.files_analyzed.length,
+      violations_count: metrics.violations.length,
+      errors_count: errorsCount,
+      warnings_count: warningsCount
+    }
+  };
+}
+
+// src/tools/sast-scan.ts
+init_manager();
+import * as fs20 from "fs";
+import * as path25 from "path";
+import { extname as extname7 } from "path";
+
+// src/sast/rules/c.ts
+var cRules = [
+  {
+    id: "sast/c-buffer-overflow",
+    name: "Buffer overflow vulnerability",
+    severity: "critical",
+    languages: ["c", "cpp"],
+    description: "strcpy/strcat to fixed-size buffer without bounds checking",
+    remediation: "Use strncpy, snprintf, or safer alternatives that include size limits.",
+    pattern: /\b(?:strcpy|strcat)\s*\(\s*[a-zA-Z_]/
+  },
+  {
+    id: "sast/c-gets",
+    name: "Unsafe gets() usage",
+    severity: "critical",
+    languages: ["c", "cpp"],
+    description: "gets() does not check buffer bounds - removed from C11",
+    remediation: "Use fgets() with proper buffer size instead of gets().",
     pattern: /\bgets\s*\(/
   },
   {
@@ -43697,20 +44491,768 @@ var allRules = [
   ...cRules,
   ...csharpRules
 ];
+function getRulesForLanguage(language) {
+  const normalized = language.toLowerCase();
+  return allRules.filter((rule) => rule.languages.some((lang) => lang.toLowerCase() === normalized));
+}
+function findPatternMatches(content, pattern) {
+  const matches = [];
+  const lines = content.split(`
+`);
+  for (let lineNum = 0;lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    const workPattern = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
+    let match;
+    while ((match = workPattern.exec(line)) !== null) {
+      matches.push({
+        text: match[0],
+        line: lineNum + 1,
+        column: match.index + 1
+      });
+      if (match[0].length === 0) {
+        workPattern.lastIndex++;
+      }
+    }
+  }
+  return matches;
+}
+function executeRulesSync(filePath, content, language) {
+  const findings = [];
+  const normalizedLang = language.toLowerCase();
+  const rules = getRulesForLanguage(normalizedLang);
+  for (const rule of rules) {
+    if (!rule.pattern)
+      continue;
+    const matches = findPatternMatches(content, rule.pattern);
+    for (const match of matches) {
+      if (rule.validate) {
+        const context = {
+          filePath,
+          content,
+          language: normalizedLang
+        };
+        if (!rule.validate(match, context)) {
+          continue;
+        }
+      }
+      const lines = content.split(`
+`);
+      const excerpt = lines[match.line - 1]?.trim() || "";
+      findings.push({
+        rule_id: rule.id,
+        severity: rule.severity,
+        message: rule.description,
+        location: {
+          file: filePath,
+          line: match.line,
+          column: match.column
+        },
+        remediation: rule.remediation,
+        excerpt
+      });
+    }
+  }
+  return findings;
+}
 
 // src/sast/semgrep.ts
 import { execFile, execFileSync, spawn } from "child_process";
 import { promisify } from "util";
 var execFileAsync = promisify(execFile);
+var semgrepAvailableCache = null;
+var DEFAULT_RULES_DIR = ".swarm/semgrep-rules";
+var DEFAULT_TIMEOUT_MS3 = 30000;
+function isSemgrepAvailable() {
+  if (semgrepAvailableCache !== null) {
+    return semgrepAvailableCache;
+  }
+  try {
+    execFileSync("semgrep", ["--version"], {
+      encoding: "utf-8",
+      stdio: "pipe"
+    });
+    semgrepAvailableCache = true;
+    return true;
+  } catch {
+    semgrepAvailableCache = false;
+    return false;
+  }
+}
+function parseSemgrepResults(semgrepOutput) {
+  const findings = [];
+  try {
+    const parsed = JSON.parse(semgrepOutput);
+    const results = parsed.results || parsed;
+    for (const result of results) {
+      const severity = mapSemgrepSeverity(result.extra?.severity || result.severity);
+      findings.push({
+        rule_id: result.check_id || result.rule_id || "unknown",
+        severity,
+        message: result.extra?.message || result.message || "Security issue detected",
+        location: {
+          file: result.path || result.start?.filename || result.file || "unknown",
+          line: result.start?.line || result.line || 1,
+          column: result.start?.col || result.column
+        },
+        remediation: result.extra?.fix,
+        excerpt: result.extra?.lines || result.lines || ""
+      });
+    }
+  } catch {
+    return [];
+  }
+  return findings;
+}
+function mapSemgrepSeverity(severity) {
+  const severityLower = (severity || "").toLowerCase();
+  switch (severityLower) {
+    case "error":
+    case "critical":
+      return "critical";
+    case "warning":
+    case "high":
+      return "high";
+    case "info":
+    case "low":
+      return "low";
+    default:
+      return "medium";
+  }
+}
+async function executeWithTimeout(command, args2, options) {
+  return new Promise((resolve10) => {
+    const child = spawn(command, args2, {
+      shell: false,
+      cwd: options.cwd
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => {
+      child.kill("SIGTERM");
+      resolve10({
+        stdout,
+        stderr: "Process timed out",
+        exitCode: 124
+      });
+    }, options.timeoutMs);
+    child.stdout?.on("data", (data) => {
+      stdout += data.toString();
+    });
+    child.stderr?.on("data", (data) => {
+      stderr += data.toString();
+    });
+    child.on("close", (code) => {
+      clearTimeout(timeout);
+      resolve10({
+        stdout,
+        stderr,
+        exitCode: code ?? 0
+      });
+    });
+    child.on("error", (err2) => {
+      clearTimeout(timeout);
+      resolve10({
+        stdout,
+        stderr: err2.message,
+        exitCode: 1
+      });
+    });
+  });
+}
+async function runSemgrep(options) {
+  const files = options.files || [];
+  const rulesDir = options.rulesDir || DEFAULT_RULES_DIR;
+  const timeoutMs = options.timeoutMs || DEFAULT_TIMEOUT_MS3;
+  if (files.length === 0) {
+    return {
+      available: isSemgrepAvailable(),
+      findings: [],
+      engine: "tier_a"
+    };
+  }
+  if (!isSemgrepAvailable()) {
+    return {
+      available: false,
+      findings: [],
+      error: "Semgrep is not installed or not available on PATH",
+      engine: "tier_a"
+    };
+  }
+  const args2 = [
+    "--config=./" + rulesDir,
+    "--json",
+    "--quiet",
+    ...files
+  ];
+  try {
+    const result = await executeWithTimeout("semgrep", args2, {
+      timeoutMs,
+      cwd: options.cwd
+    });
+    if (result.exitCode !== 0) {
+      if (result.exitCode === 1 && result.stdout) {
+        const findings2 = parseSemgrepResults(result.stdout);
+        return {
+          available: true,
+          findings: findings2,
+          engine: "tier_a+tier_b"
+        };
+      }
+      return {
+        available: true,
+        findings: [],
+        error: result.stderr || `Semgrep exited with code ${result.exitCode}`,
+        engine: "tier_a"
+      };
+    }
+    const findings = parseSemgrepResults(result.stdout);
+    return {
+      available: true,
+      findings,
+      engine: "tier_a+tier_b"
+    };
+  } catch (error93) {
+    const errorMessage = error93 instanceof Error ? error93.message : "Unknown error running Semgrep";
+    return {
+      available: true,
+      findings: [],
+      error: errorMessage,
+      engine: "tier_a"
+    };
+  }
+}
 
 // src/tools/sast-scan.ts
 init_utils();
 var MAX_FILE_SIZE_BYTES6 = 512 * 1024;
+var MAX_FILES_SCANNED2 = 1000;
+var MAX_FINDINGS2 = 100;
+var SEVERITY_ORDER = {
+  low: 0,
+  medium: 1,
+  high: 2,
+  critical: 3
+};
+function shouldSkipFile(filePath) {
+  try {
+    const stats = fs20.statSync(filePath);
+    if (stats.size > MAX_FILE_SIZE_BYTES6) {
+      return { skip: true, reason: "file too large" };
+    }
+    if (stats.size === 0) {
+      return { skip: true, reason: "empty file" };
+    }
+    const fd = fs20.openSync(filePath, "r");
+    const buffer = Buffer.alloc(8192);
+    const bytesRead = fs20.readSync(fd, buffer, 0, 8192, 0);
+    fs20.closeSync(fd);
+    if (bytesRead > 0) {
+      let nullCount = 0;
+      for (let i2 = 0;i2 < bytesRead; i2++) {
+        if (buffer[i2] === 0) {
+          nullCount++;
+        }
+      }
+      if (nullCount / bytesRead > 0.1) {
+        return { skip: true, reason: "binary file" };
+      }
+    }
+    return { skip: false };
+  } catch {
+    return { skip: true, reason: "cannot read file" };
+  }
+}
+function meetsThreshold(severity, threshold) {
+  const severityLevel = SEVERITY_ORDER[severity] ?? 0;
+  const thresholdLevel = SEVERITY_ORDER[threshold] ?? 1;
+  return severityLevel >= thresholdLevel;
+}
+function countBySeverity(findings) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const finding of findings) {
+    const severity = finding.severity.toLowerCase();
+    if (severity in counts) {
+      counts[severity]++;
+    }
+  }
+  return counts;
+}
+function scanFileWithTierA(filePath, language) {
+  try {
+    const content = fs20.readFileSync(filePath, "utf-8");
+    const findings = executeRulesSync(filePath, content, language);
+    return findings.map((f) => ({
+      rule_id: f.rule_id,
+      severity: f.severity,
+      message: f.message,
+      location: {
+        file: f.location.file,
+        line: f.location.line,
+        column: f.location.column
+      },
+      remediation: f.remediation
+    }));
+  } catch {
+    return [];
+  }
+}
+async function sastScan(input, directory, config3) {
+  const { changed_files, severity_threshold = "medium" } = input;
+  if (config3?.gates?.sast_scan?.enabled === false) {
+    return {
+      verdict: "pass",
+      findings: [],
+      summary: {
+        engine: "tier_a",
+        files_scanned: 0,
+        findings_count: 0,
+        findings_by_severity: {
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0
+        }
+      }
+    };
+  }
+  const allFindings = [];
+  let filesScanned = 0;
+  let filesSkipped = 0;
+  const semgrepAvailable = isSemgrepAvailable();
+  const engine = semgrepAvailable ? "tier_a+tier_b" : "tier_a";
+  const filesByLanguage = new Map;
+  for (const filePath of changed_files) {
+    const resolvedPath = path25.isAbsolute(filePath) ? filePath : path25.resolve(directory, filePath);
+    if (!fs20.existsSync(resolvedPath)) {
+      filesSkipped++;
+      continue;
+    }
+    const skipResult = shouldSkipFile(resolvedPath);
+    if (skipResult.skip) {
+      filesSkipped++;
+      continue;
+    }
+    const ext = extname7(resolvedPath).toLowerCase();
+    const langDef = getLanguageForExtension(ext);
+    if (!langDef) {
+      filesSkipped++;
+      continue;
+    }
+    const language = langDef.id;
+    const tierAFindings = scanFileWithTierA(resolvedPath, language);
+    allFindings.push(...tierAFindings);
+    if (semgrepAvailable) {
+      const existing = filesByLanguage.get(language) || [];
+      existing.push(resolvedPath);
+      filesByLanguage.set(language, existing);
+    }
+    filesScanned++;
+    if (filesScanned >= MAX_FILES_SCANNED2) {
+      warn(`SAST Scan: Reached maximum files limit (${MAX_FILES_SCANNED2}), stopping`);
+      break;
+    }
+  }
+  if (semgrepAvailable && filesByLanguage.size > 0) {
+    try {
+      const allFilesForSemgrep = Array.from(filesByLanguage.values()).flat();
+      if (allFilesForSemgrep.length > 0) {
+        const semgrepResult = await runSemgrep({
+          files: allFilesForSemgrep
+        });
+        if (semgrepResult.findings.length > 0) {
+          const semgrepFindings = semgrepResult.findings.map((f) => ({
+            rule_id: f.rule_id,
+            severity: f.severity,
+            message: f.message,
+            location: {
+              file: f.location.file,
+              line: f.location.line,
+              column: f.location.column
+            },
+            remediation: f.remediation
+          }));
+          const existingKeys = new Set(allFindings.map((f) => `${f.rule_id}:${f.location.file}:${f.location.line}`));
+          for (const finding of semgrepFindings) {
+            const key = `${finding.rule_id}:${finding.location.file}:${finding.location.line}`;
+            if (!existingKeys.has(key)) {
+              allFindings.push(finding);
+              existingKeys.add(key);
+            }
+          }
+        }
+      }
+    } catch (error93) {
+      warn(`SAST Scan: Semgrep failed, falling back to Tier A: ${error93}`);
+    }
+  }
+  let finalFindings = allFindings;
+  if (allFindings.length > MAX_FINDINGS2) {
+    finalFindings = allFindings.slice(0, MAX_FINDINGS2);
+    warn(`SAST Scan: Found ${allFindings.length} findings, limiting to ${MAX_FINDINGS2}`);
+  }
+  const findingsBySeverity = countBySeverity(finalFindings);
+  let verdict = "pass";
+  for (const finding of finalFindings) {
+    if (meetsThreshold(finding.severity, severity_threshold)) {
+      verdict = "fail";
+      break;
+    }
+  }
+  const summary = {
+    engine,
+    files_scanned: filesScanned,
+    findings_count: finalFindings.length,
+    findings_by_severity: findingsBySeverity
+  };
+  await saveEvidence(directory, "sast_scan", {
+    task_id: "sast_scan",
+    type: "sast",
+    timestamp: new Date().toISOString(),
+    agent: "sast_scan",
+    verdict,
+    summary: `Scanned ${filesScanned} files, found ${finalFindings.length} finding(s) using ${engine}`,
+    ...summary,
+    findings: finalFindings
+  });
+  return {
+    verdict,
+    findings: finalFindings,
+    summary
+  };
+}
+
+// src/tools/pre-check-batch.ts
+init_secretscan();
+var TOOL_TIMEOUT_MS = 60000;
+var MAX_COMBINED_BYTES = 500000;
+var MAX_CONCURRENT = 4;
+var MAX_FILES = 100;
+function validatePath(inputPath, baseDir) {
+  if (!inputPath || inputPath.length === 0) {
+    return "path is required";
+  }
+  const resolved = path26.resolve(baseDir, inputPath);
+  const baseResolved = path26.resolve(baseDir);
+  const relative2 = path26.relative(baseResolved, resolved);
+  if (relative2.startsWith("..") || path26.isAbsolute(relative2)) {
+    return "path traversal detected";
+  }
+  return null;
+}
+function validateDirectory(dir) {
+  if (!dir || dir.length === 0) {
+    return "directory is required";
+  }
+  if (dir.length > 500) {
+    return "directory path too long";
+  }
+  const traversalCheck = validatePath(dir, process.cwd());
+  if (traversalCheck) {
+    return traversalCheck;
+  }
+  return null;
+}
+async function runWithTimeout(promise3, timeoutMs) {
+  const timeoutPromise = new Promise((_, reject) => {
+    setTimeout(() => reject(new Error(`Timeout after ${timeoutMs}ms`)), timeoutMs);
+  });
+  return Promise.race([promise3, timeoutPromise]);
+}
+async function runLintWrapped(_config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const linter = await detectAvailableLinter();
+    if (!linter) {
+      return {
+        ran: false,
+        error: "No linter found (biome or eslint)",
+        duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+      };
+    }
+    const result = await runWithTimeout(runLint(linter, "check"), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runSecretscanWrapped(directory, _config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(runSecretscan(directory), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runSastScanWrapped(changedFiles, directory, severityThreshold, config3) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(sastScan({ changed_files: changedFiles, severity_threshold: severityThreshold }, directory, config3), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runQualityBudgetWrapped(changedFiles, directory, _config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(qualityBudget({ changed_files: changedFiles }, directory), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runPreCheckBatch(input) {
+  const { files, directory, sast_threshold = "medium", config: config3 } = input;
+  const dirError = validateDirectory(directory);
+  if (dirError) {
+    warn(`pre_check_batch: Invalid directory: ${dirError}`);
+    return {
+      gates_passed: false,
+      lint: { ran: false, error: dirError, duration_ms: 0 },
+      secretscan: { ran: false, error: dirError, duration_ms: 0 },
+      sast_scan: { ran: false, error: dirError, duration_ms: 0 },
+      quality_budget: { ran: false, error: dirError, duration_ms: 0 },
+      total_duration_ms: 0
+    };
+  }
+  let changedFiles = [];
+  if (files && files.length > 0) {
+    for (const file3 of files) {
+      const fileError = validatePath(file3, directory);
+      if (fileError) {
+        warn(`pre_check_batch: Invalid file path: ${file3}`);
+        continue;
+      }
+      changedFiles.push(path26.resolve(directory, file3));
+    }
+  } else {
+    changedFiles = [];
+  }
+  if (changedFiles.length === 0 && !files) {
+    warn("pre_check_batch: No files provided, skipping SAST and quality_budget");
+    return {
+      gates_passed: true,
+      lint: { ran: false, error: "No files provided", duration_ms: 0 },
+      secretscan: { ran: false, error: "No files provided", duration_ms: 0 },
+      sast_scan: { ran: false, error: "No files provided", duration_ms: 0 },
+      quality_budget: {
+        ran: false,
+        error: "No files provided",
+        duration_ms: 0
+      },
+      total_duration_ms: 0
+    };
+  }
+  if (changedFiles.length > MAX_FILES) {
+    throw new Error(`Input exceeds maximum file count: ${changedFiles.length} > ${MAX_FILES}`);
+  }
+  const limit = pLimit(MAX_CONCURRENT);
+  const [lintResult, secretscanResult, sastScanResult, qualityBudgetResult] = await Promise.all([
+    limit(() => runLintWrapped(config3)),
+    limit(() => runSecretscanWrapped(directory, config3)),
+    limit(() => runSastScanWrapped(changedFiles, directory, sast_threshold, config3)),
+    limit(() => runQualityBudgetWrapped(changedFiles, directory, config3))
+  ]);
+  const totalDuration = lintResult.duration_ms + secretscanResult.duration_ms + sastScanResult.duration_ms + qualityBudgetResult.duration_ms;
+  let gatesPassed = true;
+  if (lintResult.ran && lintResult.result) {
+    const lintRes = lintResult.result;
+    if ("success" in lintRes && lintRes.success === false) {
+      gatesPassed = false;
+      warn("pre_check_batch: Lint has errors - GATE FAILED");
+    }
+  } else if (lintResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: Lint error - GATE FAILED: ${lintResult.error}`);
+  }
+  if (secretscanResult.ran && secretscanResult.result) {
+    const scanResult = secretscanResult.result;
+    if ("findings" in scanResult && scanResult.findings.length > 0) {
+      gatesPassed = false;
+      warn("pre_check_batch: Secretscan found secrets - GATE FAILED");
+    }
+  } else if (secretscanResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: Secretscan error - GATE FAILED: ${secretscanResult.error}`);
+  }
+  if (sastScanResult.ran && sastScanResult.result) {
+    if (sastScanResult.result.verdict === "fail") {
+      gatesPassed = false;
+      warn("pre_check_batch: SAST scan found vulnerabilities - GATE FAILED");
+    }
+  } else if (sastScanResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: SAST scan error - GATE FAILED: ${sastScanResult.error}`);
+  }
+  const result = {
+    gates_passed: gatesPassed,
+    lint: lintResult,
+    secretscan: secretscanResult,
+    sast_scan: sastScanResult,
+    quality_budget: qualityBudgetResult,
+    total_duration_ms: Math.round(totalDuration)
+  };
+  const outputSize = JSON.stringify(result).length;
+  if (outputSize > MAX_COMBINED_BYTES) {
+    warn(`pre_check_batch: Large output (${outputSize} bytes)`);
+  }
+  return result;
+}
+var pre_check_batch = tool({
+  description: "Run multiple verification tools in parallel: lint, secretscan, SAST scan, and quality budget. Returns unified result with gates_passed status. Security tools (secretscan, sast_scan) are HARD GATES - failures block merging.",
+  args: {
+    files: tool.schema.array(tool.schema.string()).optional().describe("Specific files to check (optional, scans directory if not provided)"),
+    directory: tool.schema.string().describe('Directory to run checks in (e.g., "." or "./src")'),
+    sast_threshold: tool.schema.enum(["low", "medium", "high", "critical"]).optional().describe("Minimum severity for SAST findings to cause failure (default: medium)")
+  },
+  async execute(args2) {
+    if (!args2 || typeof args2 !== "object") {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        secretscan: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        sast_scan: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        quality_budget: {
+          ran: false,
+          error: "Invalid arguments",
+          duration_ms: 0
+        },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    const typedArgs = args2;
+    if (!typedArgs.directory) {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: "directory is required", duration_ms: 0 },
+        secretscan: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        sast_scan: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        quality_budget: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    const dirError = validateDirectory(typedArgs.directory);
+    if (dirError) {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: dirError, duration_ms: 0 },
+        secretscan: { ran: false, error: dirError, duration_ms: 0 },
+        sast_scan: { ran: false, error: dirError, duration_ms: 0 },
+        quality_budget: { ran: false, error: dirError, duration_ms: 0 },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    try {
+      const result = await runPreCheckBatch({
+        files: typedArgs.files,
+        directory: typedArgs.directory,
+        sast_threshold: typedArgs.sast_threshold,
+        config: typedArgs.config
+      });
+      return JSON.stringify(result, null, 2);
+    } catch (error93) {
+      const errorMessage = error93 instanceof Error ? error93.message : "Unknown error";
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: errorMessage, duration_ms: 0 },
+        secretscan: { ran: false, error: errorMessage, duration_ms: 0 },
+        sast_scan: { ran: false, error: errorMessage, duration_ms: 0 },
+        quality_budget: { ran: false, error: errorMessage, duration_ms: 0 },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+  }
+});
+// src/tools/retrieve-summary.ts
+init_dist();
+var RETRIEVE_MAX_BYTES = 10 * 1024 * 1024;
+var retrieve_summary = tool({
+  description: "Retrieve the full content of a stored tool output summary by its ID (e.g. S1, S2). Use this when a prior tool output was summarized and you need the full content.",
+  args: {
+    id: tool.schema.string().describe("The summary ID to retrieve (e.g. S1, S2, S99). Must match pattern S followed by digits.")
+  },
+  async execute(args2, context) {
+    const directory = context.directory;
+    let sanitizedId;
+    try {
+      sanitizedId = sanitizeSummaryId(args2.id);
+    } catch {
+      return "Error: invalid summary ID format. Expected format: S followed by digits (e.g. S1, S2, S99).";
+    }
+    let fullOutput;
+    try {
+      fullOutput = await loadFullOutput(directory, sanitizedId);
+    } catch {
+      return "Error: failed to retrieve summary.";
+    }
+    if (fullOutput === null) {
+      return `Summary \`${sanitizedId}\` not found. Use a valid summary ID (e.g. S1, S2).`;
+    }
+    if (fullOutput.length > RETRIEVE_MAX_BYTES) {
+      return `Error: summary content exceeds maximum size limit (10 MB).`;
+    }
+    return fullOutput;
+  }
+});
 // src/tools/sbom-generate.ts
 init_dist();
 init_manager();
-import * as fs19 from "fs";
-import * as path23 from "path";
+import * as fs21 from "fs";
+import * as path27 from "path";
 
 // src/sbom/detectors/dart.ts
 function parsePubspecLock(content) {
@@ -44555,9 +46097,9 @@ function findManifestFiles(rootDir) {
   const patterns = [...new Set(allDetectors.flatMap((d) => d.patterns))];
   function searchDir(dir) {
     try {
-      const entries = fs19.readdirSync(dir, { withFileTypes: true });
+      const entries = fs21.readdirSync(dir, { withFileTypes: true });
       for (const entry of entries) {
-        const fullPath = path23.join(dir, entry.name);
+        const fullPath = path27.join(dir, entry.name);
         if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist" || entry.name === "build" || entry.name === "target") {
           continue;
         }
@@ -44567,7 +46109,7 @@ function findManifestFiles(rootDir) {
           for (const pattern of patterns) {
             const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
             if (new RegExp(regex, "i").test(entry.name)) {
-              manifestFiles.push(path23.relative(cwd, fullPath));
+              manifestFiles.push(path27.relative(cwd, fullPath));
               break;
             }
           }
@@ -44584,14 +46126,14 @@ function findManifestFilesInDirs(directories, workingDir) {
   const patterns = [...new Set(allDetectors.flatMap((d) => d.patterns))];
   for (const dir of directories) {
     try {
-      const entries = fs19.readdirSync(dir, { withFileTypes: true });
+      const entries = fs21.readdirSync(dir, { withFileTypes: true });
       for (const entry of entries) {
-        const fullPath = path23.join(dir, entry.name);
+        const fullPath = path27.join(dir, entry.name);
         if (entry.isFile()) {
           for (const pattern of patterns) {
             const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
             if (new RegExp(regex, "i").test(entry.name)) {
-              found.push(path23.relative(workingDir, fullPath));
+              found.push(path27.relative(workingDir, fullPath));
               break;
             }
           }
@@ -44604,11 +46146,11 @@ function findManifestFilesInDirs(directories, workingDir) {
 function getDirectoriesFromChangedFiles(changedFiles, workingDir) {
   const dirs = new Set;
   for (const file3 of changedFiles) {
-    let currentDir = path23.dirname(file3);
+    let currentDir = path27.dirname(file3);
     while (true) {
-      if (currentDir && currentDir !== "." && currentDir !== path23.sep) {
-        dirs.add(path23.join(workingDir, currentDir));
-        const parent = path23.dirname(currentDir);
+      if (currentDir && currentDir !== "." && currentDir !== path27.sep) {
+        dirs.add(path27.join(workingDir, currentDir));
+        const parent = path27.dirname(currentDir);
         if (parent === currentDir)
           break;
         currentDir = parent;
@@ -44622,7 +46164,7 @@ function getDirectoriesFromChangedFiles(changedFiles, workingDir) {
 }
 function ensureOutputDir(outputDir) {
   try {
-    fs19.mkdirSync(outputDir, { recursive: true });
+    fs21.mkdirSync(outputDir, { recursive: true });
   } catch (error93) {
     if (!error93 || error93.code !== "EEXIST") {
       throw error93;
@@ -44715,11 +46257,11 @@ var sbom_generate = tool({
     const processedFiles = [];
     for (const manifestFile of manifestFiles) {
       try {
-        const fullPath = path23.isAbsolute(manifestFile) ? manifestFile : path23.join(workingDir, manifestFile);
-        if (!fs19.existsSync(fullPath)) {
+        const fullPath = path27.isAbsolute(manifestFile) ? manifestFile : path27.join(workingDir, manifestFile);
+        if (!fs21.existsSync(fullPath)) {
           continue;
         }
-        const content = fs19.readFileSync(fullPath, "utf-8");
+        const content = fs21.readFileSync(fullPath, "utf-8");
         const components = detectComponents(manifestFile, content);
         processedFiles.push(manifestFile);
         if (components.length > 0) {
@@ -44732,8 +46274,8 @@ var sbom_generate = tool({
     const bom = generateCycloneDX(allComponents);
     const bomJson = serializeCycloneDX(bom);
     const filename = generateSbomFilename();
-    const outputPath = path23.join(outputDir, filename);
-    fs19.writeFileSync(outputPath, bomJson, "utf-8");
+    const outputPath = path27.join(outputDir, filename);
+    fs21.writeFileSync(outputPath, bomJson, "utf-8");
     const verdict = processedFiles.length > 0 ? "pass" : "pass";
     try {
       const timestamp = new Date().toISOString();
@@ -44774,8 +46316,8 @@ var sbom_generate = tool({
 });
 // src/tools/schema-drift.ts
 init_dist();
-import * as fs20 from "fs";
-import * as path24 from "path";
+import * as fs22 from "fs";
+import * as path28 from "path";
 var SPEC_CANDIDATES = [
   "openapi.json",
   "openapi.yaml",
@@ -44807,28 +46349,28 @@ function normalizePath(p) {
 }
 function discoverSpecFile(cwd, specFileArg) {
   if (specFileArg) {
-    const resolvedPath = path24.resolve(cwd, specFileArg);
-    const normalizedCwd = cwd.endsWith(path24.sep) ? cwd : cwd + path24.sep;
+    const resolvedPath = path28.resolve(cwd, specFileArg);
+    const normalizedCwd = cwd.endsWith(path28.sep) ? cwd : cwd + path28.sep;
     if (!resolvedPath.startsWith(normalizedCwd) && resolvedPath !== cwd) {
       throw new Error("Invalid spec_file: path traversal detected");
     }
-    const ext = path24.extname(resolvedPath).toLowerCase();
+    const ext = path28.extname(resolvedPath).toLowerCase();
     if (!ALLOWED_EXTENSIONS.includes(ext)) {
       throw new Error(`Invalid spec_file: must end in .json, .yaml, or .yml, got ${ext}`);
     }
-    const stats = fs20.statSync(resolvedPath);
+    const stats = fs22.statSync(resolvedPath);
     if (stats.size > MAX_SPEC_SIZE) {
       throw new Error(`Invalid spec_file: file exceeds ${MAX_SPEC_SIZE / 1024 / 1024}MB limit`);
     }
-    if (!fs20.existsSync(resolvedPath)) {
+    if (!fs22.existsSync(resolvedPath)) {
       throw new Error(`Spec file not found: ${resolvedPath}`);
     }
     return resolvedPath;
   }
   for (const candidate of SPEC_CANDIDATES) {
-    const candidatePath = path24.resolve(cwd, candidate);
-    if (fs20.existsSync(candidatePath)) {
-      const stats = fs20.statSync(candidatePath);
+    const candidatePath = path28.resolve(cwd, candidate);
+    if (fs22.existsSync(candidatePath)) {
+      const stats = fs22.statSync(candidatePath);
       if (stats.size <= MAX_SPEC_SIZE) {
         return candidatePath;
       }
@@ -44837,8 +46379,8 @@ function discoverSpecFile(cwd, specFileArg) {
   return null;
 }
 function parseSpec(specFile) {
-  const content = fs20.readFileSync(specFile, "utf-8");
-  const ext = path24.extname(specFile).toLowerCase();
+  const content = fs22.readFileSync(specFile, "utf-8");
+  const ext = path28.extname(specFile).toLowerCase();
   if (ext === ".json") {
     return parseJsonSpec(content);
   }
@@ -44904,12 +46446,12 @@ function extractRoutes(cwd) {
   function walkDir(dir) {
     let entries;
     try {
-      entries = fs20.readdirSync(dir, { withFileTypes: true });
+      entries = fs22.readdirSync(dir, { withFileTypes: true });
     } catch {
       return;
     }
     for (const entry of entries) {
-      const fullPath = path24.join(dir, entry.name);
+      const fullPath = path28.join(dir, entry.name);
       if (entry.isSymbolicLink()) {
         continue;
       }
@@ -44919,7 +46461,7 @@ function extractRoutes(cwd) {
         }
         walkDir(fullPath);
       } else if (entry.isFile()) {
-        const ext = path24.extname(entry.name).toLowerCase();
+        const ext = path28.extname(entry.name).toLowerCase();
         const baseName = entry.name.toLowerCase();
         if (![".ts", ".js", ".mjs"].includes(ext)) {
           continue;
@@ -44937,7 +46479,7 @@ function extractRoutes(cwd) {
 }
 function extractRoutesFromFile(filePath) {
   const routes = [];
-  const content = fs20.readFileSync(filePath, "utf-8");
+  const content = fs22.readFileSync(filePath, "utf-8");
   const lines = content.split(/\r?\n/);
   const expressRegex = /(?:app|router|server|express)\.(get|post|put|patch|delete|options|head)\s*\(\s*['"`]([^'"`]+)['"`]/g;
   const flaskRegex = /@(?:app|blueprint|bp)\.route\s*\(\s*['"]([^'"]+)['"]/g;
@@ -45084,8 +46626,8 @@ init_secretscan();
 
 // src/tools/symbols.ts
 init_tool();
-import * as fs21 from "fs";
-import * as path25 from "path";
+import * as fs23 from "fs";
+import * as path29 from "path";
 var MAX_FILE_SIZE_BYTES7 = 1024 * 1024;
 var WINDOWS_RESERVED_NAMES = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|:|$)/i;
 function containsControlCharacters(str) {
@@ -45114,11 +46656,11 @@ function containsWindowsAttacks(str) {
 }
 function isPathInWorkspace(filePath, workspace) {
   try {
-    const resolvedPath = path25.resolve(workspace, filePath);
-    const realWorkspace = fs21.realpathSync(workspace);
-    const realResolvedPath = fs21.realpathSync(resolvedPath);
-    const relativePath = path25.relative(realWorkspace, realResolvedPath);
-    if (relativePath.startsWith("..") || path25.isAbsolute(relativePath)) {
+    const resolvedPath = path29.resolve(workspace, filePath);
+    const realWorkspace = fs23.realpathSync(workspace);
+    const realResolvedPath = fs23.realpathSync(resolvedPath);
+    const relativePath = path29.relative(realWorkspace, realResolvedPath);
+    if (relativePath.startsWith("..") || path29.isAbsolute(relativePath)) {
       return false;
     }
     return true;
@@ -45130,17 +46672,17 @@ function validatePathForRead(filePath, workspace) {
   return isPathInWorkspace(filePath, workspace);
 }
 function extractTSSymbols(filePath, cwd) {
-  const fullPath = path25.join(cwd, filePath);
+  const fullPath = path29.join(cwd, filePath);
   if (!validatePathForRead(fullPath, cwd)) {
     return [];
   }
   let content;
   try {
-    const stats = fs21.statSync(fullPath);
+    const stats = fs23.statSync(fullPath);
     if (stats.size > MAX_FILE_SIZE_BYTES7) {
       throw new Error(`File too large: ${stats.size} bytes (max: ${MAX_FILE_SIZE_BYTES7})`);
     }
-    content = fs21.readFileSync(fullPath, "utf-8");
+    content = fs23.readFileSync(fullPath, "utf-8");
   } catch {
     return [];
   }
@@ -45282,17 +46824,17 @@ function extractTSSymbols(filePath, cwd) {
   });
 }
 function extractPythonSymbols(filePath, cwd) {
-  const fullPath = path25.join(cwd, filePath);
+  const fullPath = path29.join(cwd, filePath);
   if (!validatePathForRead(fullPath, cwd)) {
     return [];
   }
   let content;
   try {
-    const stats = fs21.statSync(fullPath);
+    const stats = fs23.statSync(fullPath);
     if (stats.size > MAX_FILE_SIZE_BYTES7) {
       throw new Error(`File too large: ${stats.size} bytes (max: ${MAX_FILE_SIZE_BYTES7})`);
     }
-    content = fs21.readFileSync(fullPath, "utf-8");
+    content = fs23.readFileSync(fullPath, "utf-8");
   } catch {
     return [];
   }
@@ -45364,7 +46906,7 @@ var symbols = tool({
       }, null, 2);
     }
     const cwd = process.cwd();
-    const ext = path25.extname(file3);
+    const ext = path29.extname(file3);
     if (containsControlCharacters(file3)) {
       return JSON.stringify({
         file: file3,
@@ -45432,8 +46974,8 @@ init_test_runner();
 
 // src/tools/todo-extract.ts
 init_dist();
-import * as fs22 from "fs";
-import * as path26 from "path";
+import * as fs24 from "fs";
+import * as path30 from "path";
 var MAX_TEXT_LENGTH = 200;
 var MAX_FILE_SIZE_BYTES8 = 1024 * 1024;
 var SUPPORTED_EXTENSIONS2 = new Set([
@@ -45504,9 +47046,9 @@ function validatePathsInput(paths, cwd) {
     return { error: "paths contains path traversal", resolvedPath: null };
   }
   try {
-    const resolvedPath = path26.resolve(paths);
-    const normalizedCwd = path26.resolve(cwd);
-    const normalizedResolved = path26.resolve(resolvedPath);
+    const resolvedPath = path30.resolve(paths);
+    const normalizedCwd = path30.resolve(cwd);
+    const normalizedResolved = path30.resolve(resolvedPath);
     if (!normalizedResolved.startsWith(normalizedCwd)) {
       return {
         error: "paths must be within the current working directory",
@@ -45522,13 +47064,13 @@ function validatePathsInput(paths, cwd) {
   }
 }
 function isSupportedExtension(filePath) {
-  const ext = path26.extname(filePath).toLowerCase();
+  const ext = path30.extname(filePath).toLowerCase();
   return SUPPORTED_EXTENSIONS2.has(ext);
 }
 function findSourceFiles3(dir, files = []) {
   let entries;
   try {
-    entries = fs22.readdirSync(dir);
+    entries = fs24.readdirSync(dir);
   } catch {
     return files;
   }
@@ -45537,10 +47079,10 @@ function findSourceFiles3(dir, files = []) {
     if (SKIP_DIRECTORIES3.has(entry)) {
       continue;
     }
-    const fullPath = path26.join(dir, entry);
+    const fullPath = path30.join(dir, entry);
     let stat;
     try {
-      stat = fs22.statSync(fullPath);
+      stat = fs24.statSync(fullPath);
     } catch {
       continue;
     }
@@ -45633,7 +47175,7 @@ var todo_extract = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const scanPath = resolvedPath;
-    if (!fs22.existsSync(scanPath)) {
+    if (!fs24.existsSync(scanPath)) {
       const errorResult = {
         error: `path not found: ${pathsInput}`,
         total: 0,
@@ -45643,13 +47185,13 @@ var todo_extract = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const filesToScan = [];
-    const stat = fs22.statSync(scanPath);
+    const stat = fs24.statSync(scanPath);
     if (stat.isFile()) {
       if (isSupportedExtension(scanPath)) {
         filesToScan.push(scanPath);
       } else {
         const errorResult = {
-          error: `unsupported file extension: ${path26.extname(scanPath)}`,
+          error: `unsupported file extension: ${path30.extname(scanPath)}`,
           total: 0,
           byPriority: { high: 0, medium: 0, low: 0 },
           entries: []
@@ -45662,11 +47204,11 @@ var todo_extract = tool({
     const allEntries = [];
     for (const filePath of filesToScan) {
       try {
-        const fileStat = fs22.statSync(filePath);
+        const fileStat = fs24.statSync(filePath);
         if (fileStat.size > MAX_FILE_SIZE_BYTES8) {
           continue;
         }
-        const content = fs22.readFileSync(filePath, "utf-8");
+        const content = fs24.readFileSync(filePath, "utf-8");
         const entries = parseTodoComments(content, filePath, tagsSet);
         allEntries.push(...entries);
       } catch {}
@@ -45737,7 +47279,7 @@ var OpenCodeSwarm = async (ctx) => {
     const { PreflightTriggerManager: PTM } = await Promise.resolve().then(() => (init_trigger(), exports_trigger));
     preflightTriggerManager = new PTM(automationConfig);
     const { AutomationStatusArtifact: ASA } = await Promise.resolve().then(() => (init_status_artifact(), exports_status_artifact));
-    const swarmDir = path27.resolve(ctx.directory, ".swarm");
+    const swarmDir = path31.resolve(ctx.directory, ".swarm");
     statusArtifact = new ASA(swarmDir);
     statusArtifact.updateConfig(automationConfig.mode, automationConfig.capabilities);
     if (automationConfig.capabilities?.evidence_auto_summaries === true) {
@@ -45840,6 +47382,7 @@ var OpenCodeSwarm = async (ctx) => {
       lint,
       diff,
       pkg_audit,
+      pre_check_batch,
       retrieve_summary,
       schema_drift,
       secretscan,