opencode-swarm 6.9.0 → 6.11.0

package/dist/index.js

@@ -29198,6 +29198,7 @@ var init_dist = __esm(() => {
 });
 
 // src/tools/lint.ts
+import * as path10 from "path";
 function validateArgs(args2) {
   if (typeof args2 !== "object" || args2 === null)
     return false;
@@ -29208,17 +29209,20 @@ function validateArgs(args2) {
 }
 function getLinterCommand(linter, mode) {
   const isWindows = process.platform === "win32";
+  const binDir = path10.join(process.cwd(), "node_modules", ".bin");
+  const biomeBin = isWindows ? path10.join(binDir, "biome.EXE") : path10.join(binDir, "biome");
+  const eslintBin = isWindows ? path10.join(binDir, "eslint.cmd") : path10.join(binDir, "eslint");
   switch (linter) {
     case "biome":
       if (mode === "fix") {
-        return isWindows ? ["npx", "biome", "check", "--write", "."] : ["npx", "biome", "check", "--write", "."];
+        return isWindows ? [biomeBin, "check", "--write", "."] : [biomeBin, "check", "--write", "."];
       }
-      return isWindows ? ["npx", "biome", "check", "."] : ["npx", "biome", "check", "."];
+      return isWindows ? [biomeBin, "check", "."] : [biomeBin, "check", "."];
     case "eslint":
       if (mode === "fix") {
-        return isWindows ? ["npx", "eslint", ".", "--fix"] : ["npx", "eslint", ".", "--fix"];
+        return isWindows ? [eslintBin, ".", "--fix"] : [eslintBin, ".", "--fix"];
       }
-      return isWindows ? ["npx", "eslint", "."] : ["npx", "eslint", "."];
+      return isWindows ? [eslintBin, "."] : [eslintBin, "."];
   }
 }
 async function detectAvailableLinter() {
@@ -29346,7 +29350,7 @@ var init_lint = __esm(() => {
 
 // src/tools/secretscan.ts
 import * as fs6 from "fs";
-import * as path10 from "path";
+import * as path11 from "path";
 function calculateShannonEntropy(str) {
   if (str.length === 0)
     return 0;
@@ -29373,7 +29377,7 @@ function isHighEntropyString(str) {
 function containsPathTraversal(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
-  const normalized = path10.normalize(str);
+  const normalized = path11.normalize(str);
   if (/\.\.[/\\]/.test(normalized))
     return true;
   if (str.includes("%2e%2e") || str.includes("%2E%2E"))
@@ -29401,7 +29405,7 @@ function validateDirectoryInput(dir) {
   return null;
 }
 function isBinaryFile(filePath, buffer) {
-  const ext = path10.extname(filePath).toLowerCase();
+  const ext = path11.extname(filePath).toLowerCase();
   if (DEFAULT_EXCLUDE_EXTENSIONS.has(ext)) {
     return true;
   }
@@ -29538,9 +29542,9 @@ function isSymlinkLoop(realPath, visited) {
   return false;
 }
 function isPathWithinScope(realPath, scanDir) {
-  const resolvedScanDir = path10.resolve(scanDir);
-  const resolvedRealPath = path10.resolve(realPath);
-  return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path10.sep) || resolvedRealPath.startsWith(resolvedScanDir + "/") || resolvedRealPath.startsWith(resolvedScanDir + "\\");
+  const resolvedScanDir = path11.resolve(scanDir);
+  const resolvedRealPath = path11.resolve(realPath);
+  return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path11.sep) || resolvedRealPath.startsWith(resolvedScanDir + "/") || resolvedRealPath.startsWith(resolvedScanDir + "\\");
 }
 function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
   skippedDirs: 0,
@@ -29570,7 +29574,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
       stats.skippedDirs++;
       continue;
     }
-    const fullPath = path10.join(dir, entry);
+    const fullPath = path11.join(dir, entry);
     let lstat;
     try {
       lstat = fs6.lstatSync(fullPath);
@@ -29601,7 +29605,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
       const subFiles = findScannableFiles(fullPath, excludeDirs, scanDir, visited, stats);
       files.push(...subFiles);
     } else if (lstat.isFile()) {
-      const ext = path10.extname(fullPath).toLowerCase();
+      const ext = path11.extname(fullPath).toLowerCase();
       if (!DEFAULT_EXCLUDE_EXTENSIONS.has(ext)) {
         files.push(fullPath);
       } else {
@@ -29867,7 +29871,7 @@ var init_secretscan = __esm(() => {
         }
       }
       try {
-        const scanDir = path10.resolve(directory);
+        const scanDir = path11.resolve(directory);
         if (!fs6.existsSync(scanDir)) {
           const errorResult = {
             error: "directory not found",
@@ -29996,7 +30000,7 @@ var init_secretscan = __esm(() => {
 
 // src/tools/test-runner.ts
 import * as fs7 from "fs";
-import * as path11 from "path";
+import * as path12 from "path";
 function containsPathTraversal2(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
@@ -30090,7 +30094,7 @@ function hasDevDependency(devDeps, ...patterns) {
 }
 async function detectTestFramework() {
   try {
-    const packageJsonPath = path11.join(process.cwd(), "package.json");
+    const packageJsonPath = path12.join(process.cwd(), "package.json");
     if (fs7.existsSync(packageJsonPath)) {
       const content = fs7.readFileSync(packageJsonPath, "utf-8");
       const pkg = JSON.parse(content);
@@ -30111,16 +30115,16 @@ async function detectTestFramework() {
         return "jest";
       if (hasDevDependency(devDeps, "mocha", "@types/mocha"))
         return "mocha";
-      if (fs7.existsSync(path11.join(process.cwd(), "bun.lockb")) || fs7.existsSync(path11.join(process.cwd(), "bun.lock"))) {
+      if (fs7.existsSync(path12.join(process.cwd(), "bun.lockb")) || fs7.existsSync(path12.join(process.cwd(), "bun.lock"))) {
         if (scripts.test?.includes("bun"))
           return "bun";
       }
     }
   } catch {}
   try {
-    const pyprojectTomlPath = path11.join(process.cwd(), "pyproject.toml");
-    const setupCfgPath = path11.join(process.cwd(), "setup.cfg");
-    const requirementsTxtPath = path11.join(process.cwd(), "requirements.txt");
+    const pyprojectTomlPath = path12.join(process.cwd(), "pyproject.toml");
+    const setupCfgPath = path12.join(process.cwd(), "setup.cfg");
+    const requirementsTxtPath = path12.join(process.cwd(), "requirements.txt");
     if (fs7.existsSync(pyprojectTomlPath)) {
       const content = fs7.readFileSync(pyprojectTomlPath, "utf-8");
       if (content.includes("[tool.pytest"))
@@ -30140,7 +30144,7 @@ async function detectTestFramework() {
     }
   } catch {}
   try {
-    const cargoTomlPath = path11.join(process.cwd(), "Cargo.toml");
+    const cargoTomlPath = path12.join(process.cwd(), "Cargo.toml");
     if (fs7.existsSync(cargoTomlPath)) {
       const content = fs7.readFileSync(cargoTomlPath, "utf-8");
       if (content.includes("[dev-dependencies]")) {
@@ -30151,9 +30155,9 @@ async function detectTestFramework() {
     }
   } catch {}
   try {
-    const pesterConfigPath = path11.join(process.cwd(), "pester.config.ps1");
-    const pesterConfigJsonPath = path11.join(process.cwd(), "pester.config.ps1.json");
-    const pesterPs1Path = path11.join(process.cwd(), "tests.ps1");
+    const pesterConfigPath = path12.join(process.cwd(), "pester.config.ps1");
+    const pesterConfigJsonPath = path12.join(process.cwd(), "pester.config.ps1.json");
+    const pesterPs1Path = path12.join(process.cwd(), "tests.ps1");
     if (fs7.existsSync(pesterConfigPath) || fs7.existsSync(pesterConfigJsonPath) || fs7.existsSync(pesterPs1Path)) {
       return "pester";
     }
@@ -30167,8 +30171,8 @@ function hasCompoundTestExtension(filename) {
 function getTestFilesFromConvention(sourceFiles) {
   const testFiles = [];
   for (const file3 of sourceFiles) {
-    const basename2 = path11.basename(file3);
-    const dirname4 = path11.dirname(file3);
+    const basename2 = path12.basename(file3);
+    const dirname4 = path12.dirname(file3);
     if (hasCompoundTestExtension(basename2) || basename2.includes(".spec.") || basename2.includes(".test.")) {
       if (!testFiles.includes(file3)) {
         testFiles.push(file3);
@@ -30177,13 +30181,13 @@ function getTestFilesFromConvention(sourceFiles) {
     }
     for (const pattern of TEST_PATTERNS) {
       const nameWithoutExt = basename2.replace(/\.[^.]+$/, "");
-      const ext = path11.extname(basename2);
+      const ext = path12.extname(basename2);
       const possibleTestFiles = [
-        path11.join(dirname4, `${nameWithoutExt}.spec${ext}`),
-        path11.join(dirname4, `${nameWithoutExt}.test${ext}`),
-        path11.join(dirname4, "__tests__", `${nameWithoutExt}${ext}`),
-        path11.join(dirname4, "tests", `${nameWithoutExt}${ext}`),
-        path11.join(dirname4, "test", `${nameWithoutExt}${ext}`)
+        path12.join(dirname4, `${nameWithoutExt}.spec${ext}`),
+        path12.join(dirname4, `${nameWithoutExt}.test${ext}`),
+        path12.join(dirname4, "__tests__", `${nameWithoutExt}${ext}`),
+        path12.join(dirname4, "tests", `${nameWithoutExt}${ext}`),
+        path12.join(dirname4, "test", `${nameWithoutExt}${ext}`)
       ];
       for (const testFile of possibleTestFiles) {
         if (fs7.existsSync(testFile) && !testFiles.includes(testFile)) {
@@ -30203,15 +30207,15 @@ async function getTestFilesFromGraph(sourceFiles) {
   for (const testFile of candidateTestFiles) {
     try {
       const content = fs7.readFileSync(testFile, "utf-8");
-      const testDir = path11.dirname(testFile);
+      const testDir = path12.dirname(testFile);
       const importRegex = /import\s+.*?\s+from\s+['"]([^'"]+)['"]/g;
       let match;
       while ((match = importRegex.exec(content)) !== null) {
         const importPath = match[1];
         let resolvedImport;
         if (importPath.startsWith(".")) {
-          resolvedImport = path11.resolve(testDir, importPath);
-          const existingExt = path11.extname(resolvedImport);
+          resolvedImport = path12.resolve(testDir, importPath);
+          const existingExt = path12.extname(resolvedImport);
           if (!existingExt) {
             for (const extToTry of [
               ".ts",
@@ -30231,12 +30235,12 @@ async function getTestFilesFromGraph(sourceFiles) {
         } else {
           continue;
         }
-        const importBasename = path11.basename(resolvedImport, path11.extname(resolvedImport));
-        const importDir = path11.dirname(resolvedImport);
+        const importBasename = path12.basename(resolvedImport, path12.extname(resolvedImport));
+        const importDir = path12.dirname(resolvedImport);
         for (const sourceFile of sourceFiles) {
-          const sourceDir = path11.dirname(sourceFile);
-          const sourceBasename = path11.basename(sourceFile, path11.extname(sourceFile));
-          const isRelatedDir = importDir === sourceDir || importDir === path11.join(sourceDir, "__tests__") || importDir === path11.join(sourceDir, "tests") || importDir === path11.join(sourceDir, "test");
+          const sourceDir = path12.dirname(sourceFile);
+          const sourceBasename = path12.basename(sourceFile, path12.extname(sourceFile));
+          const isRelatedDir = importDir === sourceDir || importDir === path12.join(sourceDir, "__tests__") || importDir === path12.join(sourceDir, "tests") || importDir === path12.join(sourceDir, "test");
           if (resolvedImport === sourceFile || importBasename === sourceBasename && isRelatedDir) {
             if (!testFiles.includes(testFile)) {
               testFiles.push(testFile);
@@ -30249,8 +30253,8 @@ async function getTestFilesFromGraph(sourceFiles) {
       while ((match = requireRegex.exec(content)) !== null) {
         const importPath = match[1];
         if (importPath.startsWith(".")) {
-          let resolvedImport = path11.resolve(testDir, importPath);
-          const existingExt = path11.extname(resolvedImport);
+          let resolvedImport = path12.resolve(testDir, importPath);
+          const existingExt = path12.extname(resolvedImport);
           if (!existingExt) {
             for (const extToTry of [
               ".ts",
@@ -30267,12 +30271,12 @@ async function getTestFilesFromGraph(sourceFiles) {
               }
             }
           }
-          const importDir = path11.dirname(resolvedImport);
-          const importBasename = path11.basename(resolvedImport, path11.extname(resolvedImport));
+          const importDir = path12.dirname(resolvedImport);
+          const importBasename = path12.basename(resolvedImport, path12.extname(resolvedImport));
           for (const sourceFile of sourceFiles) {
-            const sourceDir = path11.dirname(sourceFile);
-            const sourceBasename = path11.basename(sourceFile, path11.extname(sourceFile));
-            const isRelatedDir = importDir === sourceDir || importDir === path11.join(sourceDir, "__tests__") || importDir === path11.join(sourceDir, "tests") || importDir === path11.join(sourceDir, "test");
+            const sourceDir = path12.dirname(sourceFile);
+            const sourceBasename = path12.basename(sourceFile, path12.extname(sourceFile));
+            const isRelatedDir = importDir === sourceDir || importDir === path12.join(sourceDir, "__tests__") || importDir === path12.join(sourceDir, "tests") || importDir === path12.join(sourceDir, "test");
             if (resolvedImport === sourceFile || importBasename === sourceBasename && isRelatedDir) {
               if (!testFiles.includes(testFile)) {
                 testFiles.push(testFile);
@@ -30578,7 +30582,7 @@ function findSourceFiles(dir, files = []) {
   for (const entry of entries) {
     if (SKIP_DIRECTORIES.has(entry))
       continue;
-    const fullPath = path11.join(dir, entry);
+    const fullPath = path12.join(dir, entry);
     let stat;
     try {
       stat = fs7.statSync(fullPath);
@@ -30588,7 +30592,7 @@ function findSourceFiles(dir, files = []) {
     if (stat.isDirectory()) {
       findSourceFiles(fullPath, files);
     } else if (stat.isFile()) {
-      const ext = path11.extname(fullPath).toLowerCase();
+      const ext = path12.extname(fullPath).toLowerCase();
       if (SOURCE_EXTENSIONS.has(ext)) {
         files.push(fullPath);
       }
@@ -30695,13 +30699,13 @@ var init_test_runner = __esm(() => {
         testFiles = [];
       } else if (scope === "convention") {
         const sourceFiles = args2.files && args2.files.length > 0 ? args2.files.filter((f) => {
-          const ext = path11.extname(f).toLowerCase();
+          const ext = path12.extname(f).toLowerCase();
           return SOURCE_EXTENSIONS.has(ext);
         }) : findSourceFiles(process.cwd());
         testFiles = getTestFilesFromConvention(sourceFiles);
       } else if (scope === "graph") {
         const sourceFiles = args2.files && args2.files.length > 0 ? args2.files.filter((f) => {
-          const ext = path11.extname(f).toLowerCase();
+          const ext = path12.extname(f).toLowerCase();
           return SOURCE_EXTENSIONS.has(ext);
         }) : findSourceFiles(process.cwd());
         const graphTestFiles = await getTestFilesFromGraph(sourceFiles);
@@ -30724,7 +30728,7 @@ var init_test_runner = __esm(() => {
 
 // src/services/preflight-service.ts
 import * as fs8 from "fs";
-import * as path12 from "path";
+import * as path13 from "path";
 function validateDirectoryPath(dir) {
   if (!dir || typeof dir !== "string") {
     throw new Error("Directory path is required");
@@ -30732,8 +30736,8 @@ function validateDirectoryPath(dir) {
   if (dir.includes("..")) {
     throw new Error("Directory path must not contain path traversal sequences");
   }
-  const normalized = path12.normalize(dir);
-  const absolutePath = path12.isAbsolute(normalized) ? normalized : path12.resolve(normalized);
+  const normalized = path13.normalize(dir);
+  const absolutePath = path13.isAbsolute(normalized) ? normalized : path13.resolve(normalized);
   return absolutePath;
 }
 function validateTimeout(timeoutMs, defaultValue) {
@@ -30756,7 +30760,7 @@ function validateTimeout(timeoutMs, defaultValue) {
 }
 function getPackageVersion(dir) {
   try {
-    const packagePath = path12.join(dir, "package.json");
+    const packagePath = path13.join(dir, "package.json");
     if (fs8.existsSync(packagePath)) {
       const content = fs8.readFileSync(packagePath, "utf-8");
       const pkg = JSON.parse(content);
@@ -30767,7 +30771,7 @@ function getPackageVersion(dir) {
 }
 function getChangelogVersion(dir) {
   try {
-    const changelogPath = path12.join(dir, "CHANGELOG.md");
+    const changelogPath = path13.join(dir, "CHANGELOG.md");
     if (fs8.existsSync(changelogPath)) {
       const content = fs8.readFileSync(changelogPath, "utf-8");
       const match = content.match(/^##\s*\[?(\d+\.\d+\.\d+)\]?/m);
@@ -30781,7 +30785,7 @@ function getChangelogVersion(dir) {
 function getVersionFileVersion(dir) {
   const possibleFiles = ["VERSION.txt", "version.txt", "VERSION", "version"];
   for (const file3 of possibleFiles) {
-    const filePath = path12.join(dir, file3);
+    const filePath = path13.join(dir, file3);
     if (fs8.existsSync(filePath)) {
       try {
         const content = fs8.readFileSync(filePath, "utf-8").trim();
@@ -31362,7 +31366,7 @@ var init_preflight_integration = __esm(() => {
 });
 
 // src/index.ts
-import * as path27 from "path";
+import * as path31 from "path";
 
 // src/config/constants.ts
 var QA_AGENTS = ["reviewer", "critic"];
@@ -31548,6 +31552,9 @@ var GateConfigSchema = exports_external.object({
   build_check: GateFeatureSchema.default({ enabled: true }),
   quality_budget: QualityBudgetConfigSchema
 });
+var PipelineConfigSchema = exports_external.object({
+  parallel_precheck: exports_external.boolean().default(true)
+});
 var SummaryConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true),
   threshold_bytes: exports_external.number().min(1024).max(1048576).default(20480),
@@ -31799,6 +31806,7 @@ var PluginConfigSchema = exports_external.object({
   agents: exports_external.record(exports_external.string(), AgentOverrideConfigSchema).optional(),
   swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
   max_iterations: exports_external.number().min(1).max(10).default(5),
+  pipeline: PipelineConfigSchema.optional(),
   qa_retry_limit: exports_external.number().min(1).max(10).default(3),
   inject_phase_reminders: exports_external.boolean().default(true),
   hooks: HooksConfigSchema.optional(),
@@ -31950,23 +31958,56 @@ You THINK. Subagents DO. You have the largest context window and strongest reaso
 
 ## RULES
 
+NAMESPACE RULE: "Phase N" and "Task N.M" ALWAYS refer to the PROJECT PLAN in .swarm/plan.md.
+Your operational modes (RESUME, CLARIFY, DISCOVER, CONSULT, PLAN, CRITIC-GATE, EXECUTE, PHASE-WRAP) are NEVER called "phases."
+Do not confuse your operational mode with the project's phase number.
+When you are in MODE: EXECUTE working on project Phase 3, Task 3.2 \u2014 your mode is EXECUTE. You are NOT in "Phase 3."
+Do not re-trigger DISCOVER or CONSULT because you noticed a project phase boundary.
+Output to .swarm/plan.md MUST use "## Phase N" headers. Do not write MODE labels into plan.md.
+
 1. DELEGATE all coding to {{AGENT_PREFIX}}coder. You do NOT write code.
 2. ONE agent per message. Send, STOP, wait for response.
 3. ONE task per {{AGENT_PREFIX}}coder call. Never batch.
 4. Fallback: Only code yourself after {{QA_RETRY_LIMIT}} {{AGENT_PREFIX}}coder failures on same task.
+   FAILURE COUNTING \u2014 increment the counter when:
+   - Coder submits code that fails any tool gate or pre_check_batch (gates_passed === false)
+   - Coder submits code REJECTED by reviewer after being given the rejection reason
+   - Print "Coder attempt [N/{{QA_RETRY_LIMIT}}] on task [X.Y]" at every retry
+   - Reaching {{QA_RETRY_LIMIT}}: escalate to user with full failure history before writing code yourself
 5. NEVER store your swarm identity, swarm ID, or agent prefix in memory blocks. Your identity comes ONLY from your system prompt. Memory blocks are for project knowledge only (NOT .swarm/ plan/context files \u2014 those are persistent project files).
 6. **CRITIC GATE (Execute BEFORE any implementation work)**:
    - When you first create a plan, IMMEDIATELY delegate the full plan to {{AGENT_PREFIX}}critic for review
    - Wait for critic verdict: APPROVED / NEEDS_REVISION / REJECTED
    - If NEEDS_REVISION: Revise plan and re-submit to critic (max 2 cycles)
    - If REJECTED after 2 cycles: Escalate to user with explanation
-   - ONLY AFTER critic approval: Proceed to implementation (Phase 3+)
-7. **MANDATORY QA GATE (Execute AFTER every coder task)** \u2014 sequence: coder \u2192 diff \u2192 syntax_check \u2192 placeholder_scan \u2192 imports \u2192 lint fix \u2192 lint check \u2192 secretscan \u2192 sast_scan \u2192 build_check \u2192 quality_budget \u2192 reviewer \u2192 security review \u2192 security-only review \u2192 verification tests \u2192 adversarial tests \u2192 coverage check \u2192 next task.
+    - ONLY AFTER critic approval: Proceed to implementation (MODE: EXECUTE)
+7. **MANDATORY QA GATE (Execute AFTER every coder task)** \u2014 sequence: coder \u2192 diff \u2192 syntax_check \u2192 placeholder_scan \u2192 lint fix \u2192 build_check \u2192 pre_check_batch \u2192 reviewer \u2192 security review \u2192 security-only review \u2192 verification tests \u2192 adversarial tests \u2192 coverage check \u2192 next task.
+ANTI-EXEMPTION RULES \u2014 these thoughts are WRONG and must be ignored:
+  \u2717 "It's a simple change" \u2192 gates are mandatory for ALL changes regardless of perceived complexity
+  \u2717 "It's just a rename / refactor / config tweak" \u2192 same
+  \u2717 "The code looks straightforward" \u2192 you are the author; authors are blind to their own mistakes
+  \u2717 "I already reviewed it mentally" \u2192 mental review does not satisfy any gate
+  \u2717 "It'll be fine" \u2192 this is how production data loss happens
+  \u2717 "The tests will catch it" \u2192 tests do not run without being delegated to {{AGENT_PREFIX}}test_engineer
+  \u2717 "It's just one file" \u2192 file count does not determine gate requirements
+  \u2717 "pre_check_batch will catch any issues" \u2192 pre_check_batch only runs if you run it
+
+There are NO simple changes. There are NO exceptions to the QA gate sequence.
+The gates exist because the author cannot objectively evaluate their own work.
       - After coder completes: run \`diff\` tool. If \`hasContractChanges\` is true \u2192 delegate {{AGENT_PREFIX}}explorer for integration impact analysis. BREAKING \u2192 return to coder. COMPATIBLE \u2192 proceed.
       - Run \`syntax_check\` tool. SYNTACTIC ERRORS \u2192 return to coder. NO ERRORS \u2192 proceed to placeholder_scan.
       - Run \`placeholder_scan\` tool. PLACEHOLDER FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to imports check.
-      - Run \`secretscan\` tool. FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to sast_scan.
-      - Run \`sast_scan\` tool. SAST FINDINGS AT OR ABOVE THRESHOLD \u2192 return to coder. NO FINDINGS \u2192 proceed to reviewer.
+      - Run \`imports\` tool. Record results for dependency audit. Proceed to lint fix.
+      - Run \`lint\` tool (mode: fix) \u2192 allow auto-corrections. LINT FIX FAILS \u2192 return to coder. SUCCESS \u2192 proceed to build_check.
+      - Run \`build_check\` tool. BUILD FAILS \u2192 return to coder. SUCCESS \u2192 proceed to pre_check_batch.
+      - Run \`pre_check_batch\` tool \u2192 runs four verification tools in parallel (max 4 concurrent):
+        - lint:check (code quality verification)
+        - secretscan (secret detection)
+        - sast_scan (static security analysis)
+        - quality_budget (maintainability metrics)
+        \u2192 Returns { gates_passed, lint, secretscan, sast_scan, quality_budget, total_duration_ms }
+        \u2192 If gates_passed === false: read individual tool results, identify which tool(s) failed, return structured rejection to @coder with specific tool failures. Do NOT call @reviewer.
+        \u2192 If gates_passed === true: proceed to @reviewer.
     - Delegate {{AGENT_PREFIX}}reviewer with CHECK dimensions. REJECTED \u2192 return to coder (max {{QA_RETRY_LIMIT}} attempts). APPROVED \u2192 continue.
     - If file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer AGAIN with security-only CHECK review. REJECTED \u2192 return to coder (max {{QA_RETRY_LIMIT}} attempts). If REJECTED after {{QA_RETRY_LIMIT}} attempts on security-only review \u2192 escalate to user.
    - Delegate {{AGENT_PREFIX}}test_engineer for verification tests. FAIL \u2192 return to coder.
@@ -31996,7 +32037,7 @@ SECURITY_KEYWORDS: password, secret, token, credential, auth, login, encryption,
 
 SMEs advise only. Reviewer and critic review only. None of them write code.
 
-Available Tools: symbols (code symbol search), checkpoint (state snapshots), diff (structured git diff with contract change detection), imports (dependency audit), lint (code quality), placeholder_scan (placeholder/todo detection), secretscan (secret detection), sast_scan (static analysis security scan), syntax_check (syntax validation), test_runner (auto-detect and run tests), pkg_audit (dependency vulnerability scan \u2014 npm/pip/cargo), complexity_hotspots (git churn \xD7 complexity risk map), schema_drift (OpenAPI spec vs route drift), todo_extract (structured TODO/FIXME extraction), evidence_check (verify task evidence completeness), sbom_generate (SBOM generation for dependency inventory), build_check (build verification), quality_budget (code quality budget check)
+Available Tools: symbols (code symbol search), checkpoint (state snapshots), diff (structured git diff with contract change detection), imports (dependency audit), lint (code quality), placeholder_scan (placeholder/todo detection), secretscan (secret detection), sast_scan (static analysis security scan), syntax_check (syntax validation), test_runner (auto-detect and run tests), pkg_audit (dependency vulnerability scan \u2014 npm/pip/cargo), complexity_hotspots (git churn \xD7 complexity risk map), schema_drift (OpenAPI spec vs route drift), todo_extract (structured TODO/FIXME extraction), evidence_check (verify task evidence completeness), sbom_generate (SBOM generation for dependency inventory), build_check (build verification), quality_budget (code quality budget check), pre_check_batch (parallel verification: lint:check + secretscan + sast_scan + quality_budget)
 
 ## DELEGATION FORMAT
 
@@ -32090,7 +32131,7 @@ OUTPUT: Code scaffold for src/pages/Settings.tsx with component tree, typed prop
 
 ## WORKFLOW
 
-### Phase 0: Resume Check
+### MODE: RESUME
 If .swarm/plan.md exists:
   1. Read plan.md header for "Swarm:" field
   2. If Swarm field missing or matches "{{SWARM_ID}}" \u2192 Resume at current task
@@ -32101,14 +32142,14 @@ If .swarm/plan.md exists:
      - Update context.md Swarm field to "{{SWARM_ID}}"
      - Inform user: "Resuming project from [other] swarm. Cleared stale context. Ready to continue."
      - Resume at current task
-If .swarm/plan.md does not exist \u2192 New project, proceed to Phase 1
+If .swarm/plan.md does not exist \u2192 New project, proceed to MODE: CLARIFY
 If new project: Run \`complexity_hotspots\` tool (90 days) to generate a risk map. Note modules with recommendation "security_review" or "full_gates" in context.md for stricter QA gates during Phase 5. Optionally run \`todo_extract\` to capture existing technical debt for plan consideration. After initial discovery, run \`sbom_generate\` with scope='all' to capture baseline dependency inventory (saved to .swarm/evidence/sbom/).
 
-### Phase 1: Clarify
+### MODE: CLARIFY
 Ambiguous request \u2192 Ask up to 3 questions, wait for answers
-Clear request \u2192 Phase 2
+Clear request \u2192 MODE: DISCOVER
 
-### Phase 2: Discover
+### MODE: DISCOVER
 Delegate to {{AGENT_PREFIX}}explorer. Wait for response.
 For complex tasks, make a second explorer call focused on risk/gap analysis:
 - Hidden requirements, unstated assumptions, scope risks
@@ -32117,51 +32158,123 @@ After explorer returns:
 - Run \`symbols\` tool on key files identified by explorer to understand public API surfaces
 - Run \`complexity_hotspots\` if not already run in Phase 0 (check context.md for existing analysis). Note modules with recommendation "security_review" or "full_gates" in context.md.
 
-### Phase 3: Consult SMEs
+### MODE: CONSULT
 Check .swarm/context.md for cached guidance first.
 Identify 1-3 relevant domains from the task requirements.
 Call {{AGENT_PREFIX}}sme once per domain, serially. Max 3 SME calls per project phase.
 Re-consult if a new domain emerges or if significant changes require fresh evaluation.
 Cache guidance in context.md.
 
-### Phase 4: Plan
-Create .swarm/plan.md:
+### MODE: PLAN
+
+Create .swarm/plan.md
 - Phases with discrete tasks
 - Dependencies (depends: X.Y)
 - Acceptance criteria per task
 
-Create .swarm/context.md:
+TASK GRANULARITY RULES:
+- SMALL task: 1 file, 1 function/class/component, 1 logical concern. Delegate as-is.
+- MEDIUM task: If it touches >1 file, SPLIT into sequential file-scoped subtasks before writing to plan.
+- LARGE task: MUST be decomposed before writing to plan. A LARGE task in the plan is a planning error.
+- Litmus test: If you cannot write TASK + FILE + constraint in 3 bullet points, the task is too large. Split it.
+- NEVER write a task with compound verbs: "implement X and add Y and update Z" = 3 tasks, not 1. Split before writing to plan.
+- Coder receives ONE task. You make ALL scope decisions in the plan. Coder makes zero scope decisions.
+
+Create .swarm/context.md
 - Decisions, patterns, SME cache, file map
 
-### Phase 4.5: Critic Gate
+### MODE: CRITIC-GATE
 Delegate plan to {{AGENT_PREFIX}}critic for review BEFORE any implementation begins.
 - Send the full plan.md content and codebase context summary
-- **APPROVED** \u2192 Proceed to Phase 5
-- **NEEDS_REVISION** \u2192 Revise the plan based on critic feedback, then resubmit (max 2 revision cycles)
+- **APPROVED** \u2192 Proceed to MODE: EXECUTE
+- **NEEDS_REVISION** \u2192 Revise the plan based on critic feedback, then resubmit (max 2 cycles)
 - **REJECTED** \u2192 Inform the user of fundamental issues and ask for guidance before proceeding
 
-### Phase 5: Execute
+\u26D4 HARD STOP \u2014 Print this checklist before advancing to MODE: EXECUTE:
+  [ ] {{AGENT_PREFIX}}critic returned a verdict
+  [ ] APPROVED \u2192 proceed to MODE: EXECUTE
+  [ ] NEEDS_REVISION \u2192 revised and resubmitted (attempt N of max 2)
+  [ ] REJECTED (any cycle) \u2192 informed user. STOP.
+
+You MUST NOT proceed to MODE: EXECUTE without printing this checklist with filled values.
+
+CRITIC-GATE TRIGGER: Run ONCE when you first write the complete .swarm/plan.md.
+Do NOT re-run CRITIC-GATE before every project phase.
+If resuming a project with an existing approved plan, CRITIC-GATE is already satisfied.
+
+### MODE: EXECUTE
 For each task (respecting dependencies):
 
+RETRY PROTOCOL \u2014 when returning to coder after any gate failure:
+1. Provide structured rejection: "GATE FAILED: [gate name] | REASON: [details] | REQUIRED FIX: [specific action required]"
+2. Re-enter at step 5b ({{AGENT_PREFIX}}coder) with full failure context
+3. Resume execution at the failed step (do not restart from 5a)
+   Exception: if coder modified files outside the original task scope, restart from step 5c
+4. Gates already PASSED may be skipped on retry if their input files are unchanged
+5. Print "Resuming at step [5X] after coder retry [N/{{QA_RETRY_LIMIT}}]" before re-executing
+
 5a. **UI DESIGN GATE** (conditional \u2014 Rule 9): If task matches UI trigger \u2192 {{AGENT_PREFIX}}designer produces scaffold \u2192 pass scaffold to coder as INPUT. If no match \u2192 skip.
 5b. {{AGENT_PREFIX}}coder - Implement (if designer scaffold produced, include it as INPUT).
 5c. Run \`diff\` tool. If \`hasContractChanges\` \u2192 {{AGENT_PREFIX}}explorer integration analysis. BREAKING \u2192 coder retry.
+    \u2192 REQUIRED: Print "diff: [PASS | CONTRACT CHANGE \u2014 details]"
     5d. Run \`syntax_check\` tool. SYNTACTIC ERRORS \u2192 return to coder. NO ERRORS \u2192 proceed to placeholder_scan.
+    \u2192 REQUIRED: Print "syntaxcheck: [PASS | FAIL \u2014 N errors]"
     5e. Run \`placeholder_scan\` tool. PLACEHOLDER FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to imports.
+    \u2192 REQUIRED: Print "placeholderscan: [PASS | FAIL \u2014 N findings]"
     5f. Run \`imports\` tool for dependency audit. ISSUES \u2192 return to coder.
+    \u2192 REQUIRED: Print "imports: [PASS | ISSUES \u2014 details]"
     5g. Run \`lint\` tool with fix mode for auto-fixes. If issues remain \u2192 run \`lint\` tool with check mode. FAIL \u2192 return to coder.
-    5h. Run \`secretscan\` tool. FINDINGS \u2192 return to coder. NO FINDINGS \u2192 proceed to sast_scan.
-    5i. Run \`sast_scan\` tool. SAST FINDINGS AT OR ABOVE THRESHOLD \u2192 return to coder. NO FINDINGS \u2192 proceed to build_check.
-    5j. Run \`build_check\` tool. BUILD FAILURES \u2192 return to coder. SKIPPED (no toolchain) \u2192 proceed. PASSED \u2192 proceed to quality_budget.
-    5k. Run \`quality_budget\` tool. QUALITY VIOLATIONS \u2192 return to coder. WITHIN BUDGET \u2192 proceed to reviewer.
-    5l. {{AGENT_PREFIX}}reviewer - General review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate.
-    5m. Security gate: if file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer security-only review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate to user.
-    5n. {{AGENT_PREFIX}}test_engineer - Verification tests. FAIL \u2192 coder retry from 5g.
-    5o. {{AGENT_PREFIX}}test_engineer - Adversarial tests. FAIL \u2192 coder retry from 5g.
-    5p. COVERAGE CHECK: If test_engineer reports coverage < 70% \u2192 delegate {{AGENT_PREFIX}}test_engineer for an additional test pass targeting uncovered paths. This is a soft guideline; use judgment for trivial tasks.
-    5q. Update plan.md [x], proceed to next task.
-
-### Phase 6: Phase Complete
+    \u2192 REQUIRED: Print "lint: [PASS | FAIL \u2014 details]"
+    5h. Run \`build_check\` tool. BUILD FAILS \u2192 return to coder. SUCCESS \u2192 proceed to pre_check_batch.
+    \u2192 REQUIRED: Print "buildcheck: [PASS | FAIL | SKIPPED \u2014 no toolchain]"
+    5i. Run \`pre_check_batch\` tool \u2192 runs four verification tools in parallel (max 4 concurrent):
+    - lint:check (code quality verification)
+    - secretscan (secret detection)
+    - sast_scan (static security analysis)
+    - quality_budget (maintainability metrics)
+    \u2192 Returns { gates_passed, lint, secretscan, sast_scan, quality_budget, total_duration_ms }
+    \u2192 If gates_passed === false: read individual tool results, identify which tool(s) failed, return structured rejection to @coder with specific tool failures. Do NOT call @reviewer.
+    \u2192 If gates_passed === true: proceed to @reviewer.
+    \u2192 REQUIRED: Print "pre_check_batch: [PASS \u2014 all gates passed | FAIL \u2014 [gate]: [details]]"
+    5j. {{AGENT_PREFIX}}reviewer - General review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate.
+    \u2192 REQUIRED: Print "reviewer: [APPROVED | REJECTED \u2014 reason]"
+    5k. Security gate: if file matches security globs (auth, api, crypto, security, middleware, session, token, config/, env, credentials, authorization, roles, permissions, access) OR content has security keywords (see SECURITY_KEYWORDS list) OR secretscan has ANY findings OR sast_scan has ANY findings at or above threshold \u2192 MUST delegate {{AGENT_PREFIX}}reviewer security-only review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate to user.
+    \u2192 REQUIRED: Print "security-reviewer: [TRIGGERED | NOT TRIGGERED \u2014 reason]"
+    \u2192 If TRIGGERED: Print "security-reviewer: [APPROVED | REJECTED \u2014 reason]"
+    5l. {{AGENT_PREFIX}}test_engineer - Verification tests. FAIL \u2192 coder retry from 5g.
+    \u2192 REQUIRED: Print "testengineer-verification: [PASS N/N | FAIL \u2014 details]"
+    5m. {{AGENT_PREFIX}}test_engineer - Adversarial tests. FAIL \u2192 coder retry from 5g.
+    \u2192 REQUIRED: Print "testengineer-adversarial: [PASS | FAIL \u2014 details]"
+    5n. COVERAGE CHECK: If test_engineer reports coverage < 70% \u2192 delegate {{AGENT_PREFIX}}test_engineer for an additional test pass targeting uncovered paths. This is a soft guideline; use judgment for trivial tasks.
+
+PRE-COMMIT RULE \u2014 Before ANY commit or push:
+  You MUST answer YES to ALL of the following:
+  [ ] Did {{AGENT_PREFIX}}reviewer run and return APPROVED? (not "I reviewed it" \u2014 the agent must have run)
+  [ ] Did {{AGENT_PREFIX}}test_engineer run and return PASS? (not "the code looks correct" \u2014 the agent must have run)
+  [ ] Did pre_check_batch run with gates_passed true?
+  [ ] Did the diff step run?
+
+  If ANY box is unchecked: DO NOT COMMIT. Return to step 5b.
+  There is no override. A commit without a completed QA gate is a workflow violation.
+
+TASK COMPLETION CHECKLIST \u2014 emit before marking \u2713 in plan.md:
+  [TOOL] diff: PASS / SKIP
+  [TOOL] syntaxcheck: PASS
+  [tool] placeholderscan: PASS
+  [tool] imports: PASS
+  [tool] lint: PASS
+  [tool] buildcheck: PASS / SKIPPED (no toolchain)
+  [tool] pre_check_batch: PASS (lint:check \u2713 secretscan \u2713 sast_scan \u2713 quality_budget \u2713)
+  [gate] reviewer: APPROVED
+  [gate] security-reviewer: SKIPPED (no security trigger)
+  [gate] testengineer-verification: PASS
+  [gate] testengineer-adversarial: PASS
+  [gate] coverage: PASS or soft-skip (trivial task)
+  All fields filled \u2192 update plan.md \u2713, proceed to next task.
+
+    5o. Update plan.md [x], proceed to next task.
+
+### MODE: PHASE-WRAP
 1. {{AGENT_PREFIX}}explorer - Rescan
 2. {{AGENT_PREFIX}}docs - Update documentation for all changes in this phase. Provide:
    - Complete list of files changed during this phase
@@ -32254,7 +32367,14 @@ RULES:
 
 OUTPUT FORMAT:
 DONE: [one-line summary]
-CHANGED: [file]: [what changed]`;
+CHANGED: [file]: [what changed]
+
+AUTHOR BLINDNESS WARNING:
+Your output is NOT reviewed, tested, or approved until the Architect runs the full QA gate.
+Do NOT add commentary like "this looks good," "should be fine," or "ready for production."
+You wrote the code. You cannot objectively evaluate it. That is what the gates are for.
+Output only: DONE [one-line summary] / CHANGED [file] [what changed]
+`;
 function createCoderAgent(model, customPrompt, customAppendPrompt) {
   let prompt = CODER_PROMPT;
   if (customPrompt) {
@@ -32293,10 +32413,11 @@ CONTEXT: [codebase summary, constraints]
 REVIEW CHECKLIST:
 - Completeness: Are all requirements addressed? Missing edge cases?
 - Feasibility: Can each task actually be implemented as described? Are file paths real?
-- Scope: Is the plan doing too much or too little? Feature creep detection.
+- Scope: Is the plan doing too much or too little? Feature creep detection?
 - Dependencies: Are task dependencies correct? Will ordering work?
 - Risk: Are high-risk changes identified? Is there a rollback path?
 - AI-Slop Detection: Does the plan contain vague filler ("robust", "comprehensive", "leverage") without concrete specifics?
+- Task Atomicity: Does any single task touch 2+ files or contain compound verbs ("implement X and add Y and update Z")? Flag as MAJOR \u2014 oversized tasks blow coder's context and cause downstream gate failures. Suggested fix: Split into sequential single-file tasks before proceeding.
 
 OUTPUT FORMAT:
 VERDICT: APPROVED | NEEDS_REVISION | REJECTED
@@ -35138,7 +35259,7 @@ async function handleResetCommand(directory, args2) {
 init_utils2();
 init_utils();
 import { mkdirSync as mkdirSync5, readdirSync as readdirSync4, renameSync as renameSync2, rmSync as rmSync3, statSync as statSync6 } from "fs";
-import * as path13 from "path";
+import * as path14 from "path";
 var SUMMARY_ID_REGEX = /^S\d+$/;
 function sanitizeSummaryId(id) {
   if (!id || id.length === 0) {
@@ -35166,9 +35287,9 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
   if (outputBytes > maxStoredBytes) {
     throw new Error(`Summary fullOutput size (${outputBytes} bytes) exceeds maximum (${maxStoredBytes} bytes)`);
   }
-  const relativePath = path13.join("summaries", `${sanitizedId}.json`);
+  const relativePath = path14.join("summaries", `${sanitizedId}.json`);
   const summaryPath = validateSwarmPath(directory, relativePath);
-  const summaryDir = path13.dirname(summaryPath);
+  const summaryDir = path14.dirname(summaryPath);
   const entry = {
     id: sanitizedId,
     summaryText,
@@ -35178,7 +35299,7 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
   };
   const entryJson = JSON.stringify(entry);
   mkdirSync5(summaryDir, { recursive: true });
-  const tempPath = path13.join(summaryDir, `${sanitizedId}.json.tmp.${Date.now()}.${process.pid}`);
+  const tempPath = path14.join(summaryDir, `${sanitizedId}.json.tmp.${Date.now()}.${process.pid}`);
   try {
     await Bun.write(tempPath, entryJson);
     renameSync2(tempPath, summaryPath);
@@ -35191,7 +35312,7 @@ async function storeSummary(directory, id, fullOutput, summaryText, maxStoredByt
 }
 async function loadFullOutput(directory, id) {
   const sanitizedId = sanitizeSummaryId(id);
-  const relativePath = path13.join("summaries", `${sanitizedId}.json`);
+  const relativePath = path14.join("summaries", `${sanitizedId}.json`);
   validateSwarmPath(directory, relativePath);
   const content = await readSwarmFileAsync(directory, relativePath);
   if (content === null) {
@@ -35695,8 +35816,8 @@ async function doFlush(directory) {
     const activitySection = renderActivitySection();
     const updated = replaceOrAppendSection(existing, "## Agent Activity", activitySection);
     const flushedCount = swarmState.pendingEvents;
-    const path14 = `${directory}/.swarm/context.md`;
-    await Bun.write(path14, updated);
+    const path15 = `${directory}/.swarm/context.md`;
+    await Bun.write(path15, updated);
     swarmState.pendingEvents = Math.max(0, swarmState.pendingEvents - flushedCount);
   } catch (error93) {
     warn("Agent activity flush failed:", error93);
@@ -36252,14 +36373,14 @@ ${originalText}`;
 }
 // src/hooks/system-enhancer.ts
 import * as fs11 from "fs";
-import * as path15 from "path";
+import * as path16 from "path";
 init_manager2();
 
 // src/services/decision-drift-analyzer.ts
 init_utils2();
 init_manager2();
 import * as fs10 from "fs";
-import * as path14 from "path";
+import * as path15 from "path";
 var DEFAULT_DRIFT_CONFIG = {
   staleThresholdPhases: 1,
   detectContradictions: true,
@@ -36413,7 +36534,7 @@ async function analyzeDecisionDrift(directory, config3 = {}) {
         currentPhase = legacyPhase;
       }
     }
-    const contextPath = path14.join(directory, ".swarm", "context.md");
+    const contextPath = path15.join(directory, ".swarm", "context.md");
     let contextContent = "";
     try {
       if (fs10.existsSync(contextPath)) {
@@ -36674,18 +36795,28 @@ function createSystemEnhancerHook(config3, directory) {
           if (config3.secretscan?.enabled === false) {
             tryInject("[SWARM CONFIG] Secretscan gate is DISABLED. Skip secretscan in QA sequence.");
           }
+          const sessionId_preflight = _input.sessionID;
+          const activeAgent_preflight = swarmState.activeAgent.get(sessionId_preflight ?? "");
+          const isArchitectForPreflight = !activeAgent_preflight || stripKnownSwarmPrefix(activeAgent_preflight) === "architect";
+          if (isArchitectForPreflight) {
+            if (config3.pipeline?.parallel_precheck !== false) {
+              tryInject("[SWARM HINT] Parallel pre-check enabled: call pre_check_batch(files, directory) after lint --fix and build_check to run lint:check + secretscan + sast_scan + quality_budget concurrently (max 4 parallel). Check gates_passed before calling @reviewer.");
+            } else {
+              tryInject("[SWARM HINT] Parallel pre-check disabled: run lint:check \u2192 secretscan \u2192 sast_scan \u2192 quality_budget sequentially.");
+            }
+          }
           const sessionId_retro = _input.sessionID;
           const activeAgent_retro = swarmState.activeAgent.get(sessionId_retro ?? "");
           const isArchitect = !activeAgent_retro || stripKnownSwarmPrefix(activeAgent_retro) === "architect";
           if (isArchitect) {
             try {
-              const evidenceDir = path15.join(directory, ".swarm", "evidence");
+              const evidenceDir = path16.join(directory, ".swarm", "evidence");
               if (fs11.existsSync(evidenceDir)) {
                 const files = fs11.readdirSync(evidenceDir).filter((f) => f.endsWith(".json")).sort().reverse();
                 for (const file3 of files.slice(0, 5)) {
                   let content;
                   try {
-                    content = JSON.parse(fs11.readFileSync(path15.join(evidenceDir, file3), "utf-8"));
+                    content = JSON.parse(fs11.readFileSync(path16.join(evidenceDir, file3), "utf-8"));
                   } catch {
                     continue;
                   }
@@ -36900,18 +37031,32 @@ function createSystemEnhancerHook(config3, directory) {
             metadata: { contentType: "prose" }
           });
         }
+        const sessionId_preflight_b = _input.sessionID;
+        const activeAgent_preflight_b = swarmState.activeAgent.get(sessionId_preflight_b ?? "");
+        const isArchitectForPreflight_b = !activeAgent_preflight_b || stripKnownSwarmPrefix(activeAgent_preflight_b) === "architect";
+        if (isArchitectForPreflight_b) {
+          const hintText_b = config3.pipeline?.parallel_precheck !== false ? "[SWARM HINT] Parallel pre-check enabled: call pre_check_batch(files, directory) after lint --fix and build_check to run lint:check + secretscan + sast_scan + quality_budget concurrently (max 4 parallel). Check gates_passed before calling @reviewer." : "[SWARM HINT] Parallel pre-check disabled: run lint:check \u2192 secretscan \u2192 sast_scan \u2192 quality_budget sequentially.";
+          candidates.push({
+            id: `candidate-${idCounter++}`,
+            kind: "phase",
+            text: hintText_b,
+            tokens: estimateTokens(hintText_b),
+            priority: 1,
+            metadata: { contentType: "prose" }
+          });
+        }
         const sessionId_retro_b = _input.sessionID;
         const activeAgent_retro_b = swarmState.activeAgent.get(sessionId_retro_b ?? "");
         const isArchitect_b = !activeAgent_retro_b || stripKnownSwarmPrefix(activeAgent_retro_b) === "architect";
         if (isArchitect_b) {
           try {
-            const evidenceDir_b = path15.join(directory, ".swarm", "evidence");
+            const evidenceDir_b = path16.join(directory, ".swarm", "evidence");
             if (fs11.existsSync(evidenceDir_b)) {
               const files_b = fs11.readdirSync(evidenceDir_b).filter((f) => f.endsWith(".json")).sort().reverse();
               for (const file3 of files_b.slice(0, 5)) {
                 let content_b;
                 try {
-                  content_b = JSON.parse(fs11.readFileSync(path15.join(evidenceDir_b, file3), "utf-8"));
+                  content_b = JSON.parse(fs11.readFileSync(path16.join(evidenceDir_b, file3), "utf-8"));
                 } catch {
                   continue;
                 }
@@ -37207,7 +37352,7 @@ init_dist();
 // src/build/discovery.ts
 init_dist();
 import * as fs12 from "fs";
-import * as path16 from "path";
+import * as path17 from "path";
 var ECOSYSTEMS = [
   {
     ecosystem: "node",
@@ -37325,11 +37470,11 @@ function findBuildFiles(workingDir, patterns) {
           return regex.test(f);
         });
         if (matches.length > 0) {
-          return path16.join(dir, matches[0]);
+          return path17.join(dir, matches[0]);
         }
       } catch {}
     } else {
-      const filePath = path16.join(workingDir, pattern);
+      const filePath = path17.join(workingDir, pattern);
       if (fs12.existsSync(filePath)) {
         return filePath;
       }
@@ -37338,7 +37483,7 @@ function findBuildFiles(workingDir, patterns) {
   return null;
 }
 function getRepoDefinedScripts(workingDir, scripts) {
-  const packageJsonPath = path16.join(workingDir, "package.json");
+  const packageJsonPath = path17.join(workingDir, "package.json");
   if (!fs12.existsSync(packageJsonPath)) {
     return [];
   }
@@ -37379,7 +37524,7 @@ function findAllBuildFiles(workingDir) {
         const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
         findFilesRecursive(workingDir, regex, allBuildFiles);
       } else {
-        const filePath = path16.join(workingDir, pattern);
+        const filePath = path17.join(workingDir, pattern);
         if (fs12.existsSync(filePath)) {
           allBuildFiles.add(filePath);
         }
@@ -37392,7 +37537,7 @@ function findFilesRecursive(dir, regex, results) {
   try {
     const entries = fs12.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path16.join(dir, entry.name);
+      const fullPath = path17.join(dir, entry.name);
       if (entry.isDirectory() && !["node_modules", ".git", "dist", "build", "target"].includes(entry.name)) {
         findFilesRecursive(fullPath, regex, results);
       } else if (entry.isFile() && regex.test(entry.name)) {
@@ -37634,7 +37779,7 @@ var build_check = tool({
 init_tool();
 import { spawnSync } from "child_process";
 import * as fs13 from "fs";
-import * as path17 from "path";
+import * as path18 from "path";
 var CHECKPOINT_LOG_PATH = ".swarm/checkpoints.json";
 var MAX_LABEL_LENGTH = 100;
 var GIT_TIMEOUT_MS = 30000;
@@ -37685,7 +37830,7 @@ function validateLabel(label) {
   return null;
 }
 function getCheckpointLogPath() {
-  return path17.join(process.cwd(), CHECKPOINT_LOG_PATH);
+  return path18.join(process.cwd(), CHECKPOINT_LOG_PATH);
 }
 function readCheckpointLog() {
   const logPath = getCheckpointLogPath();
@@ -37703,7 +37848,7 @@ function readCheckpointLog() {
 }
 function writeCheckpointLog(log2) {
   const logPath = getCheckpointLogPath();
-  const dir = path17.dirname(logPath);
+  const dir = path18.dirname(logPath);
   if (!fs13.existsSync(dir)) {
     fs13.mkdirSync(dir, { recursive: true });
   }
@@ -37910,7 +38055,7 @@ var checkpoint = tool({
 // src/tools/complexity-hotspots.ts
 init_dist();
 import * as fs14 from "fs";
-import * as path18 from "path";
+import * as path19 from "path";
 var MAX_FILE_SIZE_BYTES2 = 256 * 1024;
 var DEFAULT_DAYS = 90;
 var DEFAULT_TOP_N = 20;
@@ -38053,7 +38198,7 @@ async function analyzeHotspots(days, topN, extensions) {
   const extSet = new Set(extensions.map((e) => e.startsWith(".") ? e : `.${e}`));
   const filteredChurn = new Map;
   for (const [file3, count] of churnMap) {
-    const ext = path18.extname(file3).toLowerCase();
+    const ext = path19.extname(file3).toLowerCase();
     if (extSet.has(ext)) {
       filteredChurn.set(file3, count);
     }
@@ -38064,7 +38209,7 @@ async function analyzeHotspots(days, topN, extensions) {
   for (const [file3, churnCount] of filteredChurn) {
     let fullPath = file3;
     if (!fs14.existsSync(fullPath)) {
-      fullPath = path18.join(cwd, file3);
+      fullPath = path19.join(cwd, file3);
     }
     const complexity = getComplexityForFile(fullPath);
     if (complexity !== null) {
@@ -38222,14 +38367,14 @@ function validateBase(base) {
 function validatePaths(paths) {
   if (!paths)
     return null;
-  for (const path19 of paths) {
-    if (!path19 || path19.length === 0) {
+  for (const path20 of paths) {
+    if (!path20 || path20.length === 0) {
       return "empty path not allowed";
     }
-    if (path19.length > MAX_PATH_LENGTH) {
+    if (path20.length > MAX_PATH_LENGTH) {
       return `path exceeds maximum length of ${MAX_PATH_LENGTH}`;
     }
-    if (SHELL_METACHARACTERS2.test(path19)) {
+    if (SHELL_METACHARACTERS2.test(path20)) {
       return "path contains shell metacharacters";
     }
   }
@@ -38292,8 +38437,8 @@ var diff = tool({
         if (parts2.length >= 3) {
           const additions = parseInt(parts2[0]) || 0;
           const deletions = parseInt(parts2[1]) || 0;
-          const path19 = parts2[2];
-          files.push({ path: path19, additions, deletions });
+          const path20 = parts2[2];
+          files.push({ path: path20, additions, deletions });
         }
       }
       const contractChanges = [];
@@ -38522,7 +38667,7 @@ Use these as DOMAIN values when delegating to @sme.`;
 // src/tools/evidence-check.ts
 init_dist();
 import * as fs15 from "fs";
-import * as path19 from "path";
+import * as path20 from "path";
 var MAX_FILE_SIZE_BYTES3 = 1024 * 1024;
 var MAX_EVIDENCE_FILES = 1000;
 var EVIDENCE_DIR = ".swarm/evidence";
@@ -38545,9 +38690,9 @@ function validateRequiredTypes(input) {
   return null;
 }
 function isPathWithinSwarm(filePath, cwd) {
-  const normalizedCwd = path19.resolve(cwd);
-  const swarmPath = path19.join(normalizedCwd, ".swarm");
-  const normalizedPath = path19.resolve(filePath);
+  const normalizedCwd = path20.resolve(cwd);
+  const swarmPath = path20.join(normalizedCwd, ".swarm");
+  const normalizedPath = path20.resolve(filePath);
   return normalizedPath.startsWith(swarmPath);
 }
 function parseCompletedTasks(planContent) {
@@ -38578,10 +38723,10 @@ function readEvidenceFiles(evidenceDir, cwd) {
     if (!VALID_EVIDENCE_FILENAME_REGEX.test(filename)) {
       continue;
     }
-    const filePath = path19.join(evidenceDir, filename);
+    const filePath = path20.join(evidenceDir, filename);
     try {
-      const resolvedPath = path19.resolve(filePath);
-      const evidenceDirResolved = path19.resolve(evidenceDir);
+      const resolvedPath = path20.resolve(filePath);
+      const evidenceDirResolved = path20.resolve(evidenceDir);
       if (!resolvedPath.startsWith(evidenceDirResolved)) {
         continue;
       }
@@ -38688,7 +38833,7 @@ var evidence_check = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const requiredTypes = requiredTypesValue.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
-    const planPath = path19.join(cwd, PLAN_FILE);
+    const planPath = path20.join(cwd, PLAN_FILE);
     if (!isPathWithinSwarm(planPath, cwd)) {
       const errorResult = {
         error: "plan file path validation failed",
@@ -38720,7 +38865,7 @@ var evidence_check = tool({
       };
       return JSON.stringify(result2, null, 2);
     }
-    const evidenceDir = path19.join(cwd, EVIDENCE_DIR);
+    const evidenceDir = path20.join(cwd, EVIDENCE_DIR);
     const evidence = readEvidenceFiles(evidenceDir, cwd);
     const { tasksWithFullEvidence, gaps } = analyzeGaps(completedTasks, evidence, requiredTypes);
     const completeness = completedTasks.length > 0 ? Math.round(tasksWithFullEvidence.length / completedTasks.length * 100) / 100 : 1;
@@ -38737,7 +38882,7 @@ var evidence_check = tool({
 // src/tools/file-extractor.ts
 init_tool();
 import * as fs16 from "fs";
-import * as path20 from "path";
+import * as path21 from "path";
 var EXT_MAP = {
   python: ".py",
   py: ".py",
@@ -38815,12 +38960,12 @@ var extract_code_blocks = tool({
       if (prefix) {
         filename = `${prefix}_${filename}`;
       }
-      let filepath = path20.join(targetDir, filename);
-      const base = path20.basename(filepath, path20.extname(filepath));
-      const ext = path20.extname(filepath);
+      let filepath = path21.join(targetDir, filename);
+      const base = path21.basename(filepath, path21.extname(filepath));
+      const ext = path21.extname(filepath);
       let counter = 1;
       while (fs16.existsSync(filepath)) {
-        filepath = path20.join(targetDir, `${base}_${counter}${ext}`);
+        filepath = path21.join(targetDir, `${base}_${counter}${ext}`);
         counter++;
       }
       try {
@@ -38933,7 +39078,7 @@ var gitingest = tool({
 // src/tools/imports.ts
 init_dist();
 import * as fs17 from "fs";
-import * as path21 from "path";
+import * as path22 from "path";
 var MAX_FILE_PATH_LENGTH2 = 500;
 var MAX_SYMBOL_LENGTH = 256;
 var MAX_FILE_SIZE_BYTES4 = 1024 * 1024;
@@ -38987,7 +39132,7 @@ function validateSymbolInput(symbol3) {
   return null;
 }
 function isBinaryFile2(filePath, buffer) {
-  const ext = path21.extname(filePath).toLowerCase();
+  const ext = path22.extname(filePath).toLowerCase();
   if (ext === ".json" || ext === ".md" || ext === ".txt") {
     return false;
   }
@@ -39011,15 +39156,15 @@ function parseImports(content, targetFile, targetSymbol) {
   const imports = [];
   let resolvedTarget;
   try {
-    resolvedTarget = path21.resolve(targetFile);
+    resolvedTarget = path22.resolve(targetFile);
   } catch {
     resolvedTarget = targetFile;
   }
-  const targetBasename = path21.basename(targetFile, path21.extname(targetFile));
+  const targetBasename = path22.basename(targetFile, path22.extname(targetFile));
   const targetWithExt = targetFile;
   const targetWithoutExt = targetFile.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/i, "");
-  const normalizedTargetWithExt = path21.normalize(targetWithExt).replace(/\\/g, "/");
-  const normalizedTargetWithoutExt = path21.normalize(targetWithoutExt).replace(/\\/g, "/");
+  const normalizedTargetWithExt = path22.normalize(targetWithExt).replace(/\\/g, "/");
+  const normalizedTargetWithoutExt = path22.normalize(targetWithoutExt).replace(/\\/g, "/");
   const importRegex = /import\s+(?:\{[\s\S]*?\}|(?:\*\s+as\s+\w+)|\w+)\s+from\s+['"`]([^'"`]+)['"`]|import\s+['"`]([^'"`]+)['"`]|require\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/g;
   let match;
   while ((match = importRegex.exec(content)) !== null) {
@@ -39043,9 +39188,9 @@ function parseImports(content, targetFile, targetSymbol) {
     }
     const normalizedModule = modulePath.replace(/^\.\//, "").replace(/^\.\.\\/, "../");
     let isMatch = false;
-    const targetDir = path21.dirname(targetFile);
-    const targetExt = path21.extname(targetFile);
-    const targetBasenameNoExt = path21.basename(targetFile, targetExt);
+    const targetDir = path22.dirname(targetFile);
+    const targetExt = path22.extname(targetFile);
+    const targetBasenameNoExt = path22.basename(targetFile, targetExt);
     const moduleNormalized = modulePath.replace(/\\/g, "/").replace(/^\.\//, "");
     const moduleName = modulePath.split(/[/\\]/).pop() || "";
     const moduleNameNoExt = moduleName.replace(/\.(ts|tsx|js|jsx|mjs|cjs)$/i, "");
@@ -39113,10 +39258,10 @@ function findSourceFiles2(dir, files = [], stats = { skippedDirs: [], skippedFil
   entries.sort((a, b) => a.toLowerCase().localeCompare(b.toLowerCase()));
   for (const entry of entries) {
     if (SKIP_DIRECTORIES2.has(entry)) {
-      stats.skippedDirs.push(path21.join(dir, entry));
+      stats.skippedDirs.push(path22.join(dir, entry));
       continue;
     }
-    const fullPath = path21.join(dir, entry);
+    const fullPath = path22.join(dir, entry);
     let stat;
     try {
       stat = fs17.statSync(fullPath);
@@ -39130,7 +39275,7 @@ function findSourceFiles2(dir, files = [], stats = { skippedDirs: [], skippedFil
     if (stat.isDirectory()) {
       findSourceFiles2(fullPath, files, stats);
     } else if (stat.isFile()) {
-      const ext = path21.extname(fullPath).toLowerCase();
+      const ext = path22.extname(fullPath).toLowerCase();
       if (SUPPORTED_EXTENSIONS.includes(ext)) {
         files.push(fullPath);
       }
@@ -39186,7 +39331,7 @@ var imports = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     try {
-      const targetFile = path21.resolve(file3);
+      const targetFile = path22.resolve(file3);
       if (!fs17.existsSync(targetFile)) {
         const errorResult = {
           error: `target file not found: ${file3}`,
@@ -39208,7 +39353,7 @@ var imports = tool({
         };
         return JSON.stringify(errorResult, null, 2);
       }
-      const baseDir = path21.dirname(targetFile);
+      const baseDir = path22.dirname(targetFile);
       const scanStats = {
         skippedDirs: [],
         skippedFiles: 0,
@@ -39298,7 +39443,7 @@ init_lint();
 // src/tools/pkg-audit.ts
 init_dist();
 import * as fs18 from "fs";
-import * as path22 from "path";
+import * as path23 from "path";
 var MAX_OUTPUT_BYTES5 = 52428800;
 var AUDIT_TIMEOUT_MS = 120000;
 function isValidEcosystem(value) {
@@ -39316,13 +39461,13 @@ function validateArgs3(args2) {
 function detectEcosystems() {
   const ecosystems = [];
   const cwd = process.cwd();
-  if (fs18.existsSync(path22.join(cwd, "package.json"))) {
+  if (fs18.existsSync(path23.join(cwd, "package.json"))) {
     ecosystems.push("npm");
   }
-  if (fs18.existsSync(path22.join(cwd, "pyproject.toml")) || fs18.existsSync(path22.join(cwd, "requirements.txt"))) {
+  if (fs18.existsSync(path23.join(cwd, "pyproject.toml")) || fs18.existsSync(path23.join(cwd, "requirements.txt"))) {
     ecosystems.push("pip");
   }
-  if (fs18.existsSync(path22.join(cwd, "Cargo.toml"))) {
+  if (fs18.existsSync(path23.join(cwd, "Cargo.toml"))) {
     ecosystems.push("cargo");
   }
   return ecosystems;
@@ -41230,11 +41375,11 @@ var Module2 = (() => {
       throw toThrow;
     }, "quit_");
     var scriptDirectory = "";
-    function locateFile(path23) {
+    function locateFile(path24) {
       if (Module["locateFile"]) {
-        return Module["locateFile"](path23, scriptDirectory);
+        return Module["locateFile"](path24, scriptDirectory);
       }
-      return scriptDirectory + path23;
+      return scriptDirectory + path24;
     }
     __name(locateFile, "locateFile");
     var readAsync, readBinary;
@@ -43023,6 +43168,9 @@ for (const definition of languageDefinitions) {
     extensionMap.set(extension, definition);
   }
 }
+function getLanguageForExtension(extension) {
+  return extensionMap.get(extension.toLowerCase());
+}
 
 // src/tools/placeholder-scan.ts
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -43043,54 +43191,799 @@ var SUPPORTED_PARSER_EXTENSIONS = new Set([
   ".php",
   ".rb"
 ]);
+// src/tools/pre-check-batch.ts
+init_dist();
+import * as path26 from "path";
+
+// node_modules/yocto-queue/index.js
+class Node2 {
+  value;
+  next;
+  constructor(value) {
+    this.value = value;
+  }
+}
+
+class Queue {
+  #head;
+  #tail;
+  #size;
+  constructor() {
+    this.clear();
+  }
+  enqueue(value) {
+    const node = new Node2(value);
+    if (this.#head) {
+      this.#tail.next = node;
+      this.#tail = node;
+    } else {
+      this.#head = node;
+      this.#tail = node;
+    }
+    this.#size++;
+  }
+  dequeue() {
+    const current = this.#head;
+    if (!current) {
+      return;
+    }
+    this.#head = this.#head.next;
+    this.#size--;
+    if (!this.#head) {
+      this.#tail = undefined;
+    }
+    return current.value;
+  }
+  peek() {
+    if (!this.#head) {
+      return;
+    }
+    return this.#head.value;
+  }
+  clear() {
+    this.#head = undefined;
+    this.#tail = undefined;
+    this.#size = 0;
+  }
+  get size() {
+    return this.#size;
+  }
+  *[Symbol.iterator]() {
+    let current = this.#head;
+    while (current) {
+      yield current.value;
+      current = current.next;
+    }
+  }
+  *drain() {
+    while (this.#head) {
+      yield this.dequeue();
+    }
+  }
+}
+
+// node_modules/p-limit/index.js
+function pLimit(concurrency) {
+  let rejectOnClear = false;
+  if (typeof concurrency === "object") {
+    ({ concurrency, rejectOnClear = false } = concurrency);
+  }
+  validateConcurrency(concurrency);
+  if (typeof rejectOnClear !== "boolean") {
+    throw new TypeError("Expected `rejectOnClear` to be a boolean");
+  }
+  const queue = new Queue;
+  let activeCount = 0;
+  const resumeNext = () => {
+    if (activeCount < concurrency && queue.size > 0) {
+      activeCount++;
+      queue.dequeue().run();
+    }
+  };
+  const next = () => {
+    activeCount--;
+    resumeNext();
+  };
+  const run2 = async (function_, resolve10, arguments_2) => {
+    const result = (async () => function_(...arguments_2))();
+    resolve10(result);
+    try {
+      await result;
+    } catch {}
+    next();
+  };
+  const enqueue = (function_, resolve10, reject, arguments_2) => {
+    const queueItem = { reject };
+    new Promise((internalResolve) => {
+      queueItem.run = internalResolve;
+      queue.enqueue(queueItem);
+    }).then(run2.bind(undefined, function_, resolve10, arguments_2));
+    if (activeCount < concurrency) {
+      resumeNext();
+    }
+  };
+  const generator = (function_, ...arguments_2) => new Promise((resolve10, reject) => {
+    enqueue(function_, resolve10, reject, arguments_2);
+  });
+  Object.defineProperties(generator, {
+    activeCount: {
+      get: () => activeCount
+    },
+    pendingCount: {
+      get: () => queue.size
+    },
+    clearQueue: {
+      value() {
+        if (!rejectOnClear) {
+          queue.clear();
+          return;
+        }
+        const abortError = AbortSignal.abort().reason;
+        while (queue.size > 0) {
+          queue.dequeue().reject(abortError);
+        }
+      }
+    },
+    concurrency: {
+      get: () => concurrency,
+      set(newConcurrency) {
+        validateConcurrency(newConcurrency);
+        concurrency = newConcurrency;
+        queueMicrotask(() => {
+          while (activeCount < concurrency && queue.size > 0) {
+            resumeNext();
+          }
+        });
+      }
+    },
+    map: {
+      async value(iterable, function_) {
+        const promises = Array.from(iterable, (value, index) => this(function_, value, index));
+        return Promise.all(promises);
+      }
+    }
+  });
+  return generator;
+}
+function validateConcurrency(concurrency) {
+  if (!((Number.isInteger(concurrency) || concurrency === Number.POSITIVE_INFINITY) && concurrency > 0)) {
+    throw new TypeError("Expected `concurrency` to be a number from 1 and up");
+  }
+}
+
+// src/tools/pre-check-batch.ts
+init_utils();
+init_lint();
+
 // src/tools/quality-budget.ts
 init_manager();
 
 // src/quality/metrics.ts
+import * as fs19 from "fs";
+import * as path24 from "path";
 var MAX_FILE_SIZE_BYTES5 = 256 * 1024;
-// src/tools/retrieve-summary.ts
-init_dist();
-var RETRIEVE_MAX_BYTES = 10 * 1024 * 1024;
-var retrieve_summary = tool({
-  description: "Retrieve the full content of a stored tool output summary by its ID (e.g. S1, S2). Use this when a prior tool output was summarized and you need the full content.",
-  args: {
-    id: tool.schema.string().describe("The summary ID to retrieve (e.g. S1, S2, S99). Must match pattern S followed by digits.")
-  },
-  async execute(args2, context) {
-    const directory = context.directory;
-    let sanitizedId;
-    try {
-      sanitizedId = sanitizeSummaryId(args2.id);
-    } catch {
-      return "Error: invalid summary ID format. Expected format: S followed by digits (e.g. S1, S2, S99).";
+var MIN_DUPLICATION_LINES = 10;
+function estimateCyclomaticComplexity(content) {
+  let processed = content.replace(/\/\*[\s\S]*?\*\//g, "");
+  processed = processed.replace(/\/\/.*/g, "");
+  processed = processed.replace(/#.*/g, "");
+  processed = processed.replace(/'[^']*'/g, "");
+  processed = processed.replace(/"[^"]*"/g, "");
+  processed = processed.replace(/`[^`]*`/g, "");
+  let complexity = 1;
+  const decisionPatterns = [
+    /\bif\b/g,
+    /\belse\s+if\b/g,
+    /\bfor\b/g,
+    /\bwhile\b/g,
+    /\bswitch\b/g,
+    /\bcase\b/g,
+    /\bcatch\b/g,
+    /\?\./g,
+    /\?\?/g,
+    /&&/g,
+    /\|\|/g
+  ];
+  for (const pattern of decisionPatterns) {
+    const matches = processed.match(pattern);
+    if (matches) {
+      complexity += matches.length;
+    }
+  }
+  const ternaryMatches = processed.match(/\?[^:]/g);
+  if (ternaryMatches) {
+    complexity += ternaryMatches.length;
+  }
+  return complexity;
+}
+function getComplexityForFile2(filePath) {
+  try {
+    const stat = fs19.statSync(filePath);
+    if (stat.size > MAX_FILE_SIZE_BYTES5) {
+      return null;
+    }
+    const content = fs19.readFileSync(filePath, "utf-8");
+    return estimateCyclomaticComplexity(content);
+  } catch {
+    return null;
+  }
+}
+async function computeComplexityDelta(files, workingDir) {
+  let totalComplexity = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
+    }
+    const complexity = getComplexityForFile2(fullPath);
+    if (complexity !== null) {
+      totalComplexity += complexity;
+      analyzedFiles.push(file3);
+    }
+  }
+  return { delta: totalComplexity, analyzedFiles };
+}
+function countExportsInFile(content) {
+  let count = 0;
+  const exportFunctionMatches = content.match(/export\s+function\s+\w+/g);
+  if (exportFunctionMatches)
+    count += exportFunctionMatches.length;
+  const exportClassMatches = content.match(/export\s+class\s+\w+/g);
+  if (exportClassMatches)
+    count += exportClassMatches.length;
+  const exportConstMatches = content.match(/export\s+const\s+\w+/g);
+  if (exportConstMatches)
+    count += exportConstMatches.length;
+  const exportLetMatches = content.match(/export\s+let\s+\w+/g);
+  if (exportLetMatches)
+    count += exportLetMatches.length;
+  const exportVarMatches = content.match(/export\s+var\s+\w+/g);
+  if (exportVarMatches)
+    count += exportVarMatches.length;
+  const exportNamedMatches = content.match(/export\s*\{[^}]+\}/g);
+  if (exportNamedMatches) {
+    for (const match of exportNamedMatches) {
+      const names = match.match(/\b[a-zA-Z_$][a-zA-Z0-9_$]*\b/g);
+      const filteredNames = names ? names.filter((n) => n !== "export") : [];
+      count += filteredNames.length;
+    }
+  }
+  const exportDefaultMatches = content.match(/export\s+default/g);
+  if (exportDefaultMatches)
+    count += exportDefaultMatches.length;
+  const exportTypeMatches = content.match(/export\s+(type|interface)\s+\w+/g);
+  if (exportTypeMatches)
+    count += exportTypeMatches.length;
+  const exportEnumMatches = content.match(/export\s+enum\s+\w+/g);
+  if (exportEnumMatches)
+    count += exportEnumMatches.length;
+  const exportEqualsMatches = content.match(/export\s+=/g);
+  if (exportEqualsMatches)
+    count += exportEqualsMatches.length;
+  return count;
+}
+function countPythonExports(content) {
+  let count = 0;
+  const noComments = content.replace(/#.*/g, "");
+  const noStrings = noComments.replace(/"[^"]*"/g, "").replace(/'[^']*'/g, "");
+  const functionMatches = noStrings.match(/^\s*def\s+\w+/gm);
+  if (functionMatches)
+    count += functionMatches.length;
+  const classMatches = noStrings.match(/^\s*class\s+\w+/gm);
+  if (classMatches)
+    count += classMatches.length;
+  const originalContent = content;
+  const allMatchOriginal = originalContent.match(/__all__\s*=\s*\[([^\]]+)\]/);
+  if (allMatchOriginal?.[1]) {
+    const names = allMatchOriginal[1].match(/['"]?(\w+)['"]?/g);
+    if (names) {
+      const cleanNames = names.map((n) => n.replace(/['"]/g, ""));
+      count += cleanNames.length;
+    }
+  }
+  return count;
+}
+function countRustExports(content) {
+  let count = 0;
+  let processed = content.replace(/\/\/.*/g, "");
+  processed = processed.replace(/\/\*[\s\S]*?\*\//g, "");
+  const pubFnMatches = processed.match(/pub\s+fn\s+\w+/g);
+  if (pubFnMatches)
+    count += pubFnMatches.length;
+  const pubStructMatches = processed.match(/pub\s+struct\s+\w+/g);
+  if (pubStructMatches)
+    count += pubStructMatches.length;
+  const pubEnumMatches = processed.match(/pub\s+enum\s+\w+/g);
+  if (pubEnumMatches)
+    count += pubEnumMatches.length;
+  const pubUseMatches = processed.match(/pub\s+use\s+/g);
+  if (pubUseMatches)
+    count += pubUseMatches.length;
+  const pubConstMatches = processed.match(/pub\s+const\s+\w+/g);
+  if (pubConstMatches)
+    count += pubConstMatches.length;
+  const pubModMatches = processed.match(/pub\s+mod\s+\w+/g);
+  if (pubModMatches)
+    count += pubModMatches.length;
+  const pubTypeMatches = processed.match(/pub\s+type\s+\w+/g);
+  if (pubTypeMatches)
+    count += pubTypeMatches.length;
+  return count;
+}
+function countGoExports(content) {
+  let count = 0;
+  let processed = content.replace(/\/\/.*/gm, "");
+  processed = processed.replace(/\/\*[\s\S]*?\*\//g, "");
+  const exportedFuncMatches = processed.match(/^\s*func\s+[A-Z]\w*/gm);
+  if (exportedFuncMatches)
+    count += exportedFuncMatches.length;
+  const exportedVarMatches = processed.match(/^\s*var\s+[A-Z]\w*/gm);
+  if (exportedVarMatches)
+    count += exportedVarMatches.length;
+  const exportedTypeMatches = processed.match(/^\s*type\s+[A-Z]\w*/gm);
+  if (exportedTypeMatches)
+    count += exportedTypeMatches.length;
+  const exportedConstMatches = processed.match(/^\s*const\s+[A-Z]\w*/gm);
+  if (exportedConstMatches)
+    count += exportedConstMatches.length;
+  const packageMatch = processed.match(/^\s*package\s+\w+/m);
+  if (packageMatch)
+    count += 1;
+  return count;
+}
+function getExportCountForFile(filePath) {
+  try {
+    const content = fs19.readFileSync(filePath, "utf-8");
+    const ext = path24.extname(filePath).toLowerCase();
+    switch (ext) {
+      case ".ts":
+      case ".tsx":
+      case ".js":
+      case ".jsx":
+      case ".mjs":
+      case ".cjs":
+        return countExportsInFile(content);
+      case ".py":
+        return countPythonExports(content);
+      case ".rs":
+        return countRustExports(content);
+      case ".go":
+        return countGoExports(content);
+      default:
+        return countExportsInFile(content);
+    }
+  } catch {
+    return 0;
+  }
+}
+async function computePublicApiDelta(files, workingDir) {
+  let totalExports = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
+    }
+    const exports = getExportCountForFile(fullPath);
+    totalExports += exports;
+    analyzedFiles.push(file3);
+  }
+  return { delta: totalExports, analyzedFiles };
+}
+function findDuplicateLines(content, minLines) {
+  const lines = content.split(`
+`).filter((line) => line.trim().length > 0);
+  if (lines.length < minLines) {
+    return 0;
+  }
+  const lineCounts = new Map;
+  for (const line of lines) {
+    const normalized = line.trim();
+    lineCounts.set(normalized, (lineCounts.get(normalized) || 0) + 1);
+  }
+  let duplicateCount = 0;
+  for (const [_line, count] of lineCounts) {
+    if (count > 1) {
+      duplicateCount += count - 1;
+    }
+  }
+  return duplicateCount;
+}
+async function computeDuplicationRatio(files, workingDir) {
+  let totalLines = 0;
+  let duplicateLines = 0;
+  const analyzedFiles = [];
+  for (const file3 of files) {
+    const fullPath = path24.isAbsolute(file3) ? file3 : path24.join(workingDir, file3);
+    if (!fs19.existsSync(fullPath)) {
+      continue;
     }
-    let fullOutput;
     try {
-      fullOutput = await loadFullOutput(directory, sanitizedId);
-    } catch {
-      return "Error: failed to retrieve summary.";
+      const stat = fs19.statSync(fullPath);
+      if (stat.size > MAX_FILE_SIZE_BYTES5) {
+        continue;
+      }
+      const content = fs19.readFileSync(fullPath, "utf-8");
+      const lines = content.split(`
+`).filter((line) => line.trim().length > 0);
+      if (lines.length < MIN_DUPLICATION_LINES) {
+        analyzedFiles.push(file3);
+        continue;
+      }
+      totalLines += lines.length;
+      duplicateLines += findDuplicateLines(content, MIN_DUPLICATION_LINES);
+      analyzedFiles.push(file3);
+    } catch {}
+  }
+  const ratio = totalLines > 0 ? duplicateLines / totalLines : 0;
+  return { ratio, analyzedFiles };
+}
+function countCodeLines(content) {
+  let processed = content.replace(/\/\*[\s\S]*?\*\//g, "");
+  processed = processed.replace(/\/\/.*/g, "");
+  processed = processed.replace(/#.*/g, "");
+  const lines = processed.split(`
+`).filter((line) => line.trim().length > 0);
+  return lines.length;
+}
+function isTestFile(filePath) {
+  const basename5 = path24.basename(filePath);
+  const _ext = path24.extname(filePath).toLowerCase();
+  const testPatterns = [
+    ".test.",
+    ".spec.",
+    ".tests.",
+    ".test.ts",
+    ".test.js",
+    ".spec.ts",
+    ".spec.js",
+    ".test.tsx",
+    ".test.jsx",
+    ".spec.tsx",
+    ".spec.jsx"
+  ];
+  for (const pattern of testPatterns) {
+    if (basename5.includes(pattern)) {
+      return true;
     }
-    if (fullOutput === null) {
-      return `Summary \`${sanitizedId}\` not found. Use a valid summary ID (e.g. S1, S2).`;
+  }
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  if (normalizedPath.includes("/tests/") || normalizedPath.includes("/test/")) {
+    return true;
+  }
+  if (normalizedPath.includes("/__tests__/")) {
+    return true;
+  }
+  return false;
+}
+function shouldExcludeFile(filePath, excludeGlobs) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  for (const glob of excludeGlobs) {
+    const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+    const regex = new RegExp(pattern);
+    if (regex.test(normalizedPath)) {
+      return true;
     }
-    if (fullOutput.length > RETRIEVE_MAX_BYTES) {
-      return `Error: summary content exceeds maximum size limit (10 MB).`;
+  }
+  return false;
+}
+async function computeTestToCodeRatio(workingDir, enforceGlobs, excludeGlobs) {
+  let testLines = 0;
+  let codeLines = 0;
+  const srcDir = path24.join(workingDir, "src");
+  if (fs19.existsSync(srcDir)) {
+    await scanDirectoryForLines(srcDir, enforceGlobs, excludeGlobs, false, (lines) => {
+      codeLines += lines;
+    });
+  }
+  const possibleSrcDirs = ["lib", "app", "source", "core"];
+  for (const dir of possibleSrcDirs) {
+    const dirPath = path24.join(workingDir, dir);
+    if (fs19.existsSync(dirPath)) {
+      await scanDirectoryForLines(dirPath, enforceGlobs, excludeGlobs, false, (lines) => {
+        codeLines += lines;
+      });
     }
-    return fullOutput;
   }
-});
-// src/tools/sast-scan.ts
-init_manager();
-
-// src/sast/rules/c.ts
-var cRules = [
-  {
-    id: "sast/c-buffer-overflow",
-    name: "Buffer overflow vulnerability",
-    severity: "critical",
-    languages: ["c", "cpp"],
-    description: "strcpy/strcat to fixed-size buffer without bounds checking",
-    remediation: "Use strncpy, snprintf, or safer alternatives that include size limits.",
+  const testsDir = path24.join(workingDir, "tests");
+  if (fs19.existsSync(testsDir)) {
+    await scanDirectoryForLines(testsDir, ["**"], ["node_modules", "dist"], true, (lines) => {
+      testLines += lines;
+    });
+  }
+  const possibleTestDirs = ["test", "__tests__", "specs"];
+  for (const dir of possibleTestDirs) {
+    const dirPath = path24.join(workingDir, dir);
+    if (fs19.existsSync(dirPath) && dirPath !== testsDir) {
+      await scanDirectoryForLines(dirPath, ["**"], ["node_modules", "dist"], true, (lines) => {
+        testLines += lines;
+      });
+    }
+  }
+  const totalLines = testLines + codeLines;
+  const ratio = totalLines > 0 ? testLines / totalLines : 0;
+  return { ratio, testLines, codeLines };
+}
+async function scanDirectoryForLines(dirPath, includeGlobs, excludeGlobs, isTestScan, callback) {
+  try {
+    const entries = fs19.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path24.join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === "node_modules" || entry.name === "dist" || entry.name === "build" || entry.name === ".git") {
+          continue;
+        }
+        await scanDirectoryForLines(fullPath, includeGlobs, excludeGlobs, isTestScan, callback);
+      } else if (entry.isFile()) {
+        const relativePath = fullPath.replace(`${process.cwd()}/`, "");
+        const ext = path24.extname(entry.name).toLowerCase();
+        const validExts = [
+          ".ts",
+          ".tsx",
+          ".js",
+          ".jsx",
+          ".py",
+          ".rs",
+          ".go",
+          ".java",
+          ".cs"
+        ];
+        if (!validExts.includes(ext)) {
+          continue;
+        }
+        if (isTestScan && !isTestFile(fullPath)) {
+          continue;
+        }
+        if (!isTestScan && isTestFile(fullPath)) {
+          continue;
+        }
+        if (shouldExcludeFile(relativePath, excludeGlobs)) {
+          continue;
+        }
+        if (!isTestScan && includeGlobs.length > 0 && !includeGlobs.includes("**")) {
+          let matches = false;
+          for (const glob of includeGlobs) {
+            const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+            const regex = new RegExp(pattern);
+            if (regex.test(relativePath)) {
+              matches = true;
+              break;
+            }
+          }
+          if (!matches)
+            continue;
+        }
+        try {
+          const content = fs19.readFileSync(fullPath, "utf-8");
+          const lines = countCodeLines(content);
+          callback(lines);
+        } catch {}
+      }
+    }
+  } catch {}
+}
+function detectViolations(metrics, thresholds) {
+  const violations = [];
+  if (metrics.complexity_delta > thresholds.max_complexity_delta) {
+    violations.push({
+      type: "complexity",
+      message: `Complexity delta (${metrics.complexity_delta}) exceeds threshold (${thresholds.max_complexity_delta})`,
+      severity: metrics.complexity_delta > thresholds.max_complexity_delta * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.public_api_delta > thresholds.max_public_api_delta) {
+    violations.push({
+      type: "api",
+      message: `Public API delta (${metrics.public_api_delta}) exceeds threshold (${thresholds.max_public_api_delta})`,
+      severity: metrics.public_api_delta > thresholds.max_public_api_delta * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.duplication_ratio > thresholds.max_duplication_ratio) {
+    violations.push({
+      type: "duplication",
+      message: `Duplication ratio (${(metrics.duplication_ratio * 100).toFixed(1)}%) exceeds threshold (${(thresholds.max_duplication_ratio * 100).toFixed(1)}%)`,
+      severity: metrics.duplication_ratio > thresholds.max_duplication_ratio * 1.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  if (metrics.files_analyzed.length > 0 && metrics.test_to_code_ratio < thresholds.min_test_to_code_ratio) {
+    violations.push({
+      type: "test_ratio",
+      message: `Test-to-code ratio (${(metrics.test_to_code_ratio * 100).toFixed(1)}%) below threshold (${(thresholds.min_test_to_code_ratio * 100).toFixed(1)}%)`,
+      severity: metrics.test_to_code_ratio < thresholds.min_test_to_code_ratio * 0.5 ? "error" : "warning",
+      files: metrics.files_analyzed
+    });
+  }
+  return violations;
+}
+async function computeQualityMetrics(changedFiles, thresholds, workingDir) {
+  const config3 = {
+    enabled: thresholds.enabled ?? true,
+    max_complexity_delta: thresholds.max_complexity_delta ?? 5,
+    max_public_api_delta: thresholds.max_public_api_delta ?? 10,
+    max_duplication_ratio: thresholds.max_duplication_ratio ?? 0.05,
+    min_test_to_code_ratio: thresholds.min_test_to_code_ratio ?? 0.3,
+    enforce_on_globs: thresholds.enforce_on_globs ?? ["src/**"],
+    exclude_globs: thresholds.exclude_globs ?? [
+      "docs/**",
+      "tests/**",
+      "**/*.test.*"
+    ]
+  };
+  const filteredFiles = changedFiles.filter((file3) => {
+    const normalizedPath = file3.replace(/\\/g, "/");
+    for (const glob of config3.enforce_on_globs) {
+      const pattern = glob.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+      const regex = new RegExp(pattern);
+      if (regex.test(normalizedPath)) {
+        for (const exclude of config3.exclude_globs) {
+          const excludePattern = exclude.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*");
+          const excludeRegex = new RegExp(excludePattern);
+          if (excludeRegex.test(normalizedPath)) {
+            return false;
+          }
+        }
+        return true;
+      }
+    }
+    return false;
+  });
+  const [complexityResult, apiResult, duplicationResult, testRatioResult] = await Promise.all([
+    computeComplexityDelta(filteredFiles, workingDir),
+    computePublicApiDelta(filteredFiles, workingDir),
+    computeDuplicationRatio(filteredFiles, workingDir),
+    computeTestToCodeRatio(workingDir, config3.enforce_on_globs, config3.exclude_globs)
+  ]);
+  const allAnalyzedFiles = [
+    ...new Set([
+      ...complexityResult.analyzedFiles,
+      ...apiResult.analyzedFiles,
+      ...duplicationResult.analyzedFiles
+    ])
+  ];
+  const violations = detectViolations({
+    complexity_delta: complexityResult.delta,
+    public_api_delta: apiResult.delta,
+    duplication_ratio: duplicationResult.ratio,
+    test_to_code_ratio: testRatioResult.ratio,
+    files_analyzed: allAnalyzedFiles,
+    thresholds: config3,
+    violations: []
+  }, config3);
+  return {
+    complexity_delta: complexityResult.delta,
+    public_api_delta: apiResult.delta,
+    duplication_ratio: duplicationResult.ratio,
+    test_to_code_ratio: testRatioResult.ratio,
+    files_analyzed: allAnalyzedFiles,
+    thresholds: config3,
+    violations
+  };
+}
+
+// src/tools/quality-budget.ts
+function validateInput(input) {
+  if (!input || typeof input !== "object") {
+    return { valid: false, error: "Input must be an object" };
+  }
+  const typedInput = input;
+  if (!Array.isArray(typedInput.changed_files)) {
+    return { valid: false, error: "changed_files must be an array" };
+  }
+  for (const file3 of typedInput.changed_files) {
+    if (typeof file3 !== "string") {
+      return { valid: false, error: "changed_files must contain strings" };
+    }
+  }
+  if (typedInput.config !== undefined) {
+    if (!typedInput.config || typeof typedInput.config !== "object") {
+      return { valid: false, error: "config must be an object if provided" };
+    }
+  }
+  return { valid: true };
+}
+async function qualityBudget(input, directory) {
+  const validation = validateInput(input);
+  if (!validation.valid) {
+    throw new Error(`Invalid input: ${validation.error}`);
+  }
+  const { changed_files: changedFiles, config: config3 } = input;
+  const thresholds = {
+    enabled: config3?.enabled ?? true,
+    max_complexity_delta: config3?.max_complexity_delta ?? 5,
+    max_public_api_delta: config3?.max_public_api_delta ?? 10,
+    max_duplication_ratio: config3?.max_duplication_ratio ?? 0.05,
+    min_test_to_code_ratio: config3?.min_test_to_code_ratio ?? 0.3,
+    enforce_on_globs: config3?.enforce_on_globs ?? ["src/**"],
+    exclude_globs: config3?.exclude_globs ?? [
+      "docs/**",
+      "tests/**",
+      "**/*.test.*"
+    ]
+  };
+  if (!thresholds.enabled) {
+    return {
+      verdict: "pass",
+      metrics: {
+        complexity_delta: 0,
+        public_api_delta: 0,
+        duplication_ratio: 0,
+        test_to_code_ratio: 0,
+        files_analyzed: [],
+        thresholds,
+        violations: []
+      },
+      violations: [],
+      summary: {
+        files_analyzed: 0,
+        violations_count: 0,
+        errors_count: 0,
+        warnings_count: 0
+      }
+    };
+  }
+  const metrics = await computeQualityMetrics(changedFiles, thresholds, directory);
+  const errorsCount = metrics.violations.filter((v) => v.severity === "error").length;
+  const warningsCount = metrics.violations.filter((v) => v.severity === "warning").length;
+  const verdict = errorsCount > 0 ? "fail" : "pass";
+  await saveEvidence(directory, "quality_budget", {
+    task_id: "quality_budget",
+    type: "quality_budget",
+    timestamp: new Date().toISOString(),
+    agent: "quality_budget",
+    verdict,
+    summary: `Quality budget check: ${metrics.files_analyzed.length} files analyzed, ${metrics.violations.length} violation(s) found (${errorsCount} errors, ${warningsCount} warnings)`,
+    metrics: {
+      complexity_delta: metrics.complexity_delta,
+      public_api_delta: metrics.public_api_delta,
+      duplication_ratio: metrics.duplication_ratio,
+      test_to_code_ratio: metrics.test_to_code_ratio
+    },
+    thresholds: {
+      max_complexity_delta: thresholds.max_complexity_delta,
+      max_public_api_delta: thresholds.max_public_api_delta,
+      max_duplication_ratio: thresholds.max_duplication_ratio,
+      min_test_to_code_ratio: thresholds.min_test_to_code_ratio
+    },
+    violations: metrics.violations.map((v) => ({
+      type: v.type,
+      message: v.message,
+      severity: v.severity,
+      files: v.files
+    })),
+    files_analyzed: metrics.files_analyzed
+  });
+  return {
+    verdict,
+    metrics,
+    violations: metrics.violations,
+    summary: {
+      files_analyzed: metrics.files_analyzed.length,
+      violations_count: metrics.violations.length,
+      errors_count: errorsCount,
+      warnings_count: warningsCount
+    }
+  };
+}
+
+// src/tools/sast-scan.ts
+init_manager();
+import * as fs20 from "fs";
+import * as path25 from "path";
+import { extname as extname7 } from "path";
+
+// src/sast/rules/c.ts
+var cRules = [
+  {
+    id: "sast/c-buffer-overflow",
+    name: "Buffer overflow vulnerability",
+    severity: "critical",
+    languages: ["c", "cpp"],
+    description: "strcpy/strcat to fixed-size buffer without bounds checking",
+    remediation: "Use strncpy, snprintf, or safer alternatives that include size limits.",
     pattern: /\b(?:strcpy|strcat)\s*\(\s*[a-zA-Z_]/
   },
   {
@@ -43697,20 +44590,768 @@ var allRules = [
   ...cRules,
   ...csharpRules
 ];
+function getRulesForLanguage(language) {
+  const normalized = language.toLowerCase();
+  return allRules.filter((rule) => rule.languages.some((lang) => lang.toLowerCase() === normalized));
+}
+function findPatternMatches(content, pattern) {
+  const matches = [];
+  const lines = content.split(`
+`);
+  for (let lineNum = 0;lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    const workPattern = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
+    let match;
+    while ((match = workPattern.exec(line)) !== null) {
+      matches.push({
+        text: match[0],
+        line: lineNum + 1,
+        column: match.index + 1
+      });
+      if (match[0].length === 0) {
+        workPattern.lastIndex++;
+      }
+    }
+  }
+  return matches;
+}
+function executeRulesSync(filePath, content, language) {
+  const findings = [];
+  const normalizedLang = language.toLowerCase();
+  const rules = getRulesForLanguage(normalizedLang);
+  for (const rule of rules) {
+    if (!rule.pattern)
+      continue;
+    const matches = findPatternMatches(content, rule.pattern);
+    for (const match of matches) {
+      if (rule.validate) {
+        const context = {
+          filePath,
+          content,
+          language: normalizedLang
+        };
+        if (!rule.validate(match, context)) {
+          continue;
+        }
+      }
+      const lines = content.split(`
+`);
+      const excerpt = lines[match.line - 1]?.trim() || "";
+      findings.push({
+        rule_id: rule.id,
+        severity: rule.severity,
+        message: rule.description,
+        location: {
+          file: filePath,
+          line: match.line,
+          column: match.column
+        },
+        remediation: rule.remediation,
+        excerpt
+      });
+    }
+  }
+  return findings;
+}
 
 // src/sast/semgrep.ts
 import { execFile, execFileSync, spawn } from "child_process";
 import { promisify } from "util";
 var execFileAsync = promisify(execFile);
+var semgrepAvailableCache = null;
+var DEFAULT_RULES_DIR = ".swarm/semgrep-rules";
+var DEFAULT_TIMEOUT_MS3 = 30000;
+function isSemgrepAvailable() {
+  if (semgrepAvailableCache !== null) {
+    return semgrepAvailableCache;
+  }
+  try {
+    execFileSync("semgrep", ["--version"], {
+      encoding: "utf-8",
+      stdio: "pipe"
+    });
+    semgrepAvailableCache = true;
+    return true;
+  } catch {
+    semgrepAvailableCache = false;
+    return false;
+  }
+}
+function parseSemgrepResults(semgrepOutput) {
+  const findings = [];
+  try {
+    const parsed = JSON.parse(semgrepOutput);
+    const results = parsed.results || parsed;
+    for (const result of results) {
+      const severity = mapSemgrepSeverity(result.extra?.severity || result.severity);
+      findings.push({
+        rule_id: result.check_id || result.rule_id || "unknown",
+        severity,
+        message: result.extra?.message || result.message || "Security issue detected",
+        location: {
+          file: result.path || result.start?.filename || result.file || "unknown",
+          line: result.start?.line || result.line || 1,
+          column: result.start?.col || result.column
+        },
+        remediation: result.extra?.fix,
+        excerpt: result.extra?.lines || result.lines || ""
+      });
+    }
+  } catch {
+    return [];
+  }
+  return findings;
+}
+function mapSemgrepSeverity(severity) {
+  const severityLower = (severity || "").toLowerCase();
+  switch (severityLower) {
+    case "error":
+    case "critical":
+      return "critical";
+    case "warning":
+    case "high":
+      return "high";
+    case "info":
+    case "low":
+      return "low";
+    default:
+      return "medium";
+  }
+}
+async function executeWithTimeout(command, args2, options) {
+  return new Promise((resolve10) => {
+    const child = spawn(command, args2, {
+      shell: false,
+      cwd: options.cwd
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => {
+      child.kill("SIGTERM");
+      resolve10({
+        stdout,
+        stderr: "Process timed out",
+        exitCode: 124
+      });
+    }, options.timeoutMs);
+    child.stdout?.on("data", (data) => {
+      stdout += data.toString();
+    });
+    child.stderr?.on("data", (data) => {
+      stderr += data.toString();
+    });
+    child.on("close", (code) => {
+      clearTimeout(timeout);
+      resolve10({
+        stdout,
+        stderr,
+        exitCode: code ?? 0
+      });
+    });
+    child.on("error", (err2) => {
+      clearTimeout(timeout);
+      resolve10({
+        stdout,
+        stderr: err2.message,
+        exitCode: 1
+      });
+    });
+  });
+}
+async function runSemgrep(options) {
+  const files = options.files || [];
+  const rulesDir = options.rulesDir || DEFAULT_RULES_DIR;
+  const timeoutMs = options.timeoutMs || DEFAULT_TIMEOUT_MS3;
+  if (files.length === 0) {
+    return {
+      available: isSemgrepAvailable(),
+      findings: [],
+      engine: "tier_a"
+    };
+  }
+  if (!isSemgrepAvailable()) {
+    return {
+      available: false,
+      findings: [],
+      error: "Semgrep is not installed or not available on PATH",
+      engine: "tier_a"
+    };
+  }
+  const args2 = [
+    "--config=./" + rulesDir,
+    "--json",
+    "--quiet",
+    ...files
+  ];
+  try {
+    const result = await executeWithTimeout("semgrep", args2, {
+      timeoutMs,
+      cwd: options.cwd
+    });
+    if (result.exitCode !== 0) {
+      if (result.exitCode === 1 && result.stdout) {
+        const findings2 = parseSemgrepResults(result.stdout);
+        return {
+          available: true,
+          findings: findings2,
+          engine: "tier_a+tier_b"
+        };
+      }
+      return {
+        available: true,
+        findings: [],
+        error: result.stderr || `Semgrep exited with code ${result.exitCode}`,
+        engine: "tier_a"
+      };
+    }
+    const findings = parseSemgrepResults(result.stdout);
+    return {
+      available: true,
+      findings,
+      engine: "tier_a+tier_b"
+    };
+  } catch (error93) {
+    const errorMessage = error93 instanceof Error ? error93.message : "Unknown error running Semgrep";
+    return {
+      available: true,
+      findings: [],
+      error: errorMessage,
+      engine: "tier_a"
+    };
+  }
+}
 
 // src/tools/sast-scan.ts
 init_utils();
 var MAX_FILE_SIZE_BYTES6 = 512 * 1024;
+var MAX_FILES_SCANNED2 = 1000;
+var MAX_FINDINGS2 = 100;
+var SEVERITY_ORDER = {
+  low: 0,
+  medium: 1,
+  high: 2,
+  critical: 3
+};
+function shouldSkipFile(filePath) {
+  try {
+    const stats = fs20.statSync(filePath);
+    if (stats.size > MAX_FILE_SIZE_BYTES6) {
+      return { skip: true, reason: "file too large" };
+    }
+    if (stats.size === 0) {
+      return { skip: true, reason: "empty file" };
+    }
+    const fd = fs20.openSync(filePath, "r");
+    const buffer = Buffer.alloc(8192);
+    const bytesRead = fs20.readSync(fd, buffer, 0, 8192, 0);
+    fs20.closeSync(fd);
+    if (bytesRead > 0) {
+      let nullCount = 0;
+      for (let i2 = 0;i2 < bytesRead; i2++) {
+        if (buffer[i2] === 0) {
+          nullCount++;
+        }
+      }
+      if (nullCount / bytesRead > 0.1) {
+        return { skip: true, reason: "binary file" };
+      }
+    }
+    return { skip: false };
+  } catch {
+    return { skip: true, reason: "cannot read file" };
+  }
+}
+function meetsThreshold(severity, threshold) {
+  const severityLevel = SEVERITY_ORDER[severity] ?? 0;
+  const thresholdLevel = SEVERITY_ORDER[threshold] ?? 1;
+  return severityLevel >= thresholdLevel;
+}
+function countBySeverity(findings) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const finding of findings) {
+    const severity = finding.severity.toLowerCase();
+    if (severity in counts) {
+      counts[severity]++;
+    }
+  }
+  return counts;
+}
+function scanFileWithTierA(filePath, language) {
+  try {
+    const content = fs20.readFileSync(filePath, "utf-8");
+    const findings = executeRulesSync(filePath, content, language);
+    return findings.map((f) => ({
+      rule_id: f.rule_id,
+      severity: f.severity,
+      message: f.message,
+      location: {
+        file: f.location.file,
+        line: f.location.line,
+        column: f.location.column
+      },
+      remediation: f.remediation
+    }));
+  } catch {
+    return [];
+  }
+}
+async function sastScan(input, directory, config3) {
+  const { changed_files, severity_threshold = "medium" } = input;
+  if (config3?.gates?.sast_scan?.enabled === false) {
+    return {
+      verdict: "pass",
+      findings: [],
+      summary: {
+        engine: "tier_a",
+        files_scanned: 0,
+        findings_count: 0,
+        findings_by_severity: {
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0
+        }
+      }
+    };
+  }
+  const allFindings = [];
+  let filesScanned = 0;
+  let filesSkipped = 0;
+  const semgrepAvailable = isSemgrepAvailable();
+  const engine = semgrepAvailable ? "tier_a+tier_b" : "tier_a";
+  const filesByLanguage = new Map;
+  for (const filePath of changed_files) {
+    const resolvedPath = path25.isAbsolute(filePath) ? filePath : path25.resolve(directory, filePath);
+    if (!fs20.existsSync(resolvedPath)) {
+      filesSkipped++;
+      continue;
+    }
+    const skipResult = shouldSkipFile(resolvedPath);
+    if (skipResult.skip) {
+      filesSkipped++;
+      continue;
+    }
+    const ext = extname7(resolvedPath).toLowerCase();
+    const langDef = getLanguageForExtension(ext);
+    if (!langDef) {
+      filesSkipped++;
+      continue;
+    }
+    const language = langDef.id;
+    const tierAFindings = scanFileWithTierA(resolvedPath, language);
+    allFindings.push(...tierAFindings);
+    if (semgrepAvailable) {
+      const existing = filesByLanguage.get(language) || [];
+      existing.push(resolvedPath);
+      filesByLanguage.set(language, existing);
+    }
+    filesScanned++;
+    if (filesScanned >= MAX_FILES_SCANNED2) {
+      warn(`SAST Scan: Reached maximum files limit (${MAX_FILES_SCANNED2}), stopping`);
+      break;
+    }
+  }
+  if (semgrepAvailable && filesByLanguage.size > 0) {
+    try {
+      const allFilesForSemgrep = Array.from(filesByLanguage.values()).flat();
+      if (allFilesForSemgrep.length > 0) {
+        const semgrepResult = await runSemgrep({
+          files: allFilesForSemgrep
+        });
+        if (semgrepResult.findings.length > 0) {
+          const semgrepFindings = semgrepResult.findings.map((f) => ({
+            rule_id: f.rule_id,
+            severity: f.severity,
+            message: f.message,
+            location: {
+              file: f.location.file,
+              line: f.location.line,
+              column: f.location.column
+            },
+            remediation: f.remediation
+          }));
+          const existingKeys = new Set(allFindings.map((f) => `${f.rule_id}:${f.location.file}:${f.location.line}`));
+          for (const finding of semgrepFindings) {
+            const key = `${finding.rule_id}:${finding.location.file}:${finding.location.line}`;
+            if (!existingKeys.has(key)) {
+              allFindings.push(finding);
+              existingKeys.add(key);
+            }
+          }
+        }
+      }
+    } catch (error93) {
+      warn(`SAST Scan: Semgrep failed, falling back to Tier A: ${error93}`);
+    }
+  }
+  let finalFindings = allFindings;
+  if (allFindings.length > MAX_FINDINGS2) {
+    finalFindings = allFindings.slice(0, MAX_FINDINGS2);
+    warn(`SAST Scan: Found ${allFindings.length} findings, limiting to ${MAX_FINDINGS2}`);
+  }
+  const findingsBySeverity = countBySeverity(finalFindings);
+  let verdict = "pass";
+  for (const finding of finalFindings) {
+    if (meetsThreshold(finding.severity, severity_threshold)) {
+      verdict = "fail";
+      break;
+    }
+  }
+  const summary = {
+    engine,
+    files_scanned: filesScanned,
+    findings_count: finalFindings.length,
+    findings_by_severity: findingsBySeverity
+  };
+  await saveEvidence(directory, "sast_scan", {
+    task_id: "sast_scan",
+    type: "sast",
+    timestamp: new Date().toISOString(),
+    agent: "sast_scan",
+    verdict,
+    summary: `Scanned ${filesScanned} files, found ${finalFindings.length} finding(s) using ${engine}`,
+    ...summary,
+    findings: finalFindings
+  });
+  return {
+    verdict,
+    findings: finalFindings,
+    summary
+  };
+}
+
+// src/tools/pre-check-batch.ts
+init_secretscan();
+var TOOL_TIMEOUT_MS = 60000;
+var MAX_COMBINED_BYTES = 500000;
+var MAX_CONCURRENT = 4;
+var MAX_FILES = 100;
+function validatePath(inputPath, baseDir) {
+  if (!inputPath || inputPath.length === 0) {
+    return "path is required";
+  }
+  const resolved = path26.resolve(baseDir, inputPath);
+  const baseResolved = path26.resolve(baseDir);
+  const relative2 = path26.relative(baseResolved, resolved);
+  if (relative2.startsWith("..") || path26.isAbsolute(relative2)) {
+    return "path traversal detected";
+  }
+  return null;
+}
+function validateDirectory(dir) {
+  if (!dir || dir.length === 0) {
+    return "directory is required";
+  }
+  if (dir.length > 500) {
+    return "directory path too long";
+  }
+  const traversalCheck = validatePath(dir, process.cwd());
+  if (traversalCheck) {
+    return traversalCheck;
+  }
+  return null;
+}
+async function runWithTimeout(promise3, timeoutMs) {
+  const timeoutPromise = new Promise((_, reject) => {
+    setTimeout(() => reject(new Error(`Timeout after ${timeoutMs}ms`)), timeoutMs);
+  });
+  return Promise.race([promise3, timeoutPromise]);
+}
+async function runLintWrapped(_config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const linter = await detectAvailableLinter();
+    if (!linter) {
+      return {
+        ran: false,
+        error: "No linter found (biome or eslint)",
+        duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+      };
+    }
+    const result = await runWithTimeout(runLint(linter, "check"), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runSecretscanWrapped(directory, _config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(runSecretscan(directory), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runSastScanWrapped(changedFiles, directory, severityThreshold, config3) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(sastScan({ changed_files: changedFiles, severity_threshold: severityThreshold }, directory, config3), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runQualityBudgetWrapped(changedFiles, directory, _config) {
+  const start2 = process.hrtime.bigint();
+  try {
+    const result = await runWithTimeout(qualityBudget({ changed_files: changedFiles }, directory), TOOL_TIMEOUT_MS);
+    return {
+      ran: true,
+      result,
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  } catch (error93) {
+    return {
+      ran: true,
+      error: error93 instanceof Error ? error93.message : "Unknown error",
+      duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
+    };
+  }
+}
+async function runPreCheckBatch(input) {
+  const { files, directory, sast_threshold = "medium", config: config3 } = input;
+  const dirError = validateDirectory(directory);
+  if (dirError) {
+    warn(`pre_check_batch: Invalid directory: ${dirError}`);
+    return {
+      gates_passed: false,
+      lint: { ran: false, error: dirError, duration_ms: 0 },
+      secretscan: { ran: false, error: dirError, duration_ms: 0 },
+      sast_scan: { ran: false, error: dirError, duration_ms: 0 },
+      quality_budget: { ran: false, error: dirError, duration_ms: 0 },
+      total_duration_ms: 0
+    };
+  }
+  let changedFiles = [];
+  if (files && files.length > 0) {
+    for (const file3 of files) {
+      const fileError = validatePath(file3, directory);
+      if (fileError) {
+        warn(`pre_check_batch: Invalid file path: ${file3}`);
+        continue;
+      }
+      changedFiles.push(path26.resolve(directory, file3));
+    }
+  } else {
+    changedFiles = [];
+  }
+  if (changedFiles.length === 0 && !files) {
+    warn("pre_check_batch: No files provided, skipping SAST and quality_budget");
+    return {
+      gates_passed: true,
+      lint: { ran: false, error: "No files provided", duration_ms: 0 },
+      secretscan: { ran: false, error: "No files provided", duration_ms: 0 },
+      sast_scan: { ran: false, error: "No files provided", duration_ms: 0 },
+      quality_budget: {
+        ran: false,
+        error: "No files provided",
+        duration_ms: 0
+      },
+      total_duration_ms: 0
+    };
+  }
+  if (changedFiles.length > MAX_FILES) {
+    throw new Error(`Input exceeds maximum file count: ${changedFiles.length} > ${MAX_FILES}`);
+  }
+  const limit = pLimit(MAX_CONCURRENT);
+  const [lintResult, secretscanResult, sastScanResult, qualityBudgetResult] = await Promise.all([
+    limit(() => runLintWrapped(config3)),
+    limit(() => runSecretscanWrapped(directory, config3)),
+    limit(() => runSastScanWrapped(changedFiles, directory, sast_threshold, config3)),
+    limit(() => runQualityBudgetWrapped(changedFiles, directory, config3))
+  ]);
+  const totalDuration = lintResult.duration_ms + secretscanResult.duration_ms + sastScanResult.duration_ms + qualityBudgetResult.duration_ms;
+  let gatesPassed = true;
+  if (lintResult.ran && lintResult.result) {
+    const lintRes = lintResult.result;
+    if ("success" in lintRes && lintRes.success === false) {
+      gatesPassed = false;
+      warn("pre_check_batch: Lint has errors - GATE FAILED");
+    }
+  } else if (lintResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: Lint error - GATE FAILED: ${lintResult.error}`);
+  }
+  if (secretscanResult.ran && secretscanResult.result) {
+    const scanResult = secretscanResult.result;
+    if ("findings" in scanResult && scanResult.findings.length > 0) {
+      gatesPassed = false;
+      warn("pre_check_batch: Secretscan found secrets - GATE FAILED");
+    }
+  } else if (secretscanResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: Secretscan error - GATE FAILED: ${secretscanResult.error}`);
+  }
+  if (sastScanResult.ran && sastScanResult.result) {
+    if (sastScanResult.result.verdict === "fail") {
+      gatesPassed = false;
+      warn("pre_check_batch: SAST scan found vulnerabilities - GATE FAILED");
+    }
+  } else if (sastScanResult.error) {
+    gatesPassed = false;
+    warn(`pre_check_batch: SAST scan error - GATE FAILED: ${sastScanResult.error}`);
+  }
+  const result = {
+    gates_passed: gatesPassed,
+    lint: lintResult,
+    secretscan: secretscanResult,
+    sast_scan: sastScanResult,
+    quality_budget: qualityBudgetResult,
+    total_duration_ms: Math.round(totalDuration)
+  };
+  const outputSize = JSON.stringify(result).length;
+  if (outputSize > MAX_COMBINED_BYTES) {
+    warn(`pre_check_batch: Large output (${outputSize} bytes)`);
+  }
+  return result;
+}
+var pre_check_batch = tool({
+  description: "Run multiple verification tools in parallel: lint, secretscan, SAST scan, and quality budget. Returns unified result with gates_passed status. Security tools (secretscan, sast_scan) are HARD GATES - failures block merging.",
+  args: {
+    files: tool.schema.array(tool.schema.string()).optional().describe("Specific files to check (optional, scans directory if not provided)"),
+    directory: tool.schema.string().describe('Directory to run checks in (e.g., "." or "./src")'),
+    sast_threshold: tool.schema.enum(["low", "medium", "high", "critical"]).optional().describe("Minimum severity for SAST findings to cause failure (default: medium)")
+  },
+  async execute(args2) {
+    if (!args2 || typeof args2 !== "object") {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        secretscan: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        sast_scan: { ran: false, error: "Invalid arguments", duration_ms: 0 },
+        quality_budget: {
+          ran: false,
+          error: "Invalid arguments",
+          duration_ms: 0
+        },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    const typedArgs = args2;
+    if (!typedArgs.directory) {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: "directory is required", duration_ms: 0 },
+        secretscan: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        sast_scan: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        quality_budget: {
+          ran: false,
+          error: "directory is required",
+          duration_ms: 0
+        },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    const dirError = validateDirectory(typedArgs.directory);
+    if (dirError) {
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: dirError, duration_ms: 0 },
+        secretscan: { ran: false, error: dirError, duration_ms: 0 },
+        sast_scan: { ran: false, error: dirError, duration_ms: 0 },
+        quality_budget: { ran: false, error: dirError, duration_ms: 0 },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+    try {
+      const result = await runPreCheckBatch({
+        files: typedArgs.files,
+        directory: typedArgs.directory,
+        sast_threshold: typedArgs.sast_threshold,
+        config: typedArgs.config
+      });
+      return JSON.stringify(result, null, 2);
+    } catch (error93) {
+      const errorMessage = error93 instanceof Error ? error93.message : "Unknown error";
+      const errorResult = {
+        gates_passed: false,
+        lint: { ran: false, error: errorMessage, duration_ms: 0 },
+        secretscan: { ran: false, error: errorMessage, duration_ms: 0 },
+        sast_scan: { ran: false, error: errorMessage, duration_ms: 0 },
+        quality_budget: { ran: false, error: errorMessage, duration_ms: 0 },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+  }
+});
+// src/tools/retrieve-summary.ts
+init_dist();
+var RETRIEVE_MAX_BYTES = 10 * 1024 * 1024;
+var retrieve_summary = tool({
+  description: "Retrieve the full content of a stored tool output summary by its ID (e.g. S1, S2). Use this when a prior tool output was summarized and you need the full content.",
+  args: {
+    id: tool.schema.string().describe("The summary ID to retrieve (e.g. S1, S2, S99). Must match pattern S followed by digits.")
+  },
+  async execute(args2, context) {
+    const directory = context.directory;
+    let sanitizedId;
+    try {
+      sanitizedId = sanitizeSummaryId(args2.id);
+    } catch {
+      return "Error: invalid summary ID format. Expected format: S followed by digits (e.g. S1, S2, S99).";
+    }
+    let fullOutput;
+    try {
+      fullOutput = await loadFullOutput(directory, sanitizedId);
+    } catch {
+      return "Error: failed to retrieve summary.";
+    }
+    if (fullOutput === null) {
+      return `Summary \`${sanitizedId}\` not found. Use a valid summary ID (e.g. S1, S2).`;
+    }
+    if (fullOutput.length > RETRIEVE_MAX_BYTES) {
+      return `Error: summary content exceeds maximum size limit (10 MB).`;
+    }
+    return fullOutput;
+  }
+});
 // src/tools/sbom-generate.ts
 init_dist();
 init_manager();
-import * as fs19 from "fs";
-import * as path23 from "path";
+import * as fs21 from "fs";
+import * as path27 from "path";
 
 // src/sbom/detectors/dart.ts
 function parsePubspecLock(content) {
@@ -44555,9 +46196,9 @@ function findManifestFiles(rootDir) {
   const patterns = [...new Set(allDetectors.flatMap((d) => d.patterns))];
   function searchDir(dir) {
     try {
-      const entries = fs19.readdirSync(dir, { withFileTypes: true });
+      const entries = fs21.readdirSync(dir, { withFileTypes: true });
       for (const entry of entries) {
-        const fullPath = path23.join(dir, entry.name);
+        const fullPath = path27.join(dir, entry.name);
         if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist" || entry.name === "build" || entry.name === "target") {
           continue;
         }
@@ -44567,7 +46208,7 @@ function findManifestFiles(rootDir) {
           for (const pattern of patterns) {
             const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
             if (new RegExp(regex, "i").test(entry.name)) {
-              manifestFiles.push(path23.relative(cwd, fullPath));
+              manifestFiles.push(path27.relative(cwd, fullPath));
               break;
             }
           }
@@ -44584,14 +46225,14 @@ function findManifestFilesInDirs(directories, workingDir) {
   const patterns = [...new Set(allDetectors.flatMap((d) => d.patterns))];
   for (const dir of directories) {
     try {
-      const entries = fs19.readdirSync(dir, { withFileTypes: true });
+      const entries = fs21.readdirSync(dir, { withFileTypes: true });
       for (const entry of entries) {
-        const fullPath = path23.join(dir, entry.name);
+        const fullPath = path27.join(dir, entry.name);
         if (entry.isFile()) {
           for (const pattern of patterns) {
             const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
             if (new RegExp(regex, "i").test(entry.name)) {
-              found.push(path23.relative(workingDir, fullPath));
+              found.push(path27.relative(workingDir, fullPath));
               break;
             }
           }
@@ -44604,11 +46245,11 @@ function findManifestFilesInDirs(directories, workingDir) {
 function getDirectoriesFromChangedFiles(changedFiles, workingDir) {
   const dirs = new Set;
   for (const file3 of changedFiles) {
-    let currentDir = path23.dirname(file3);
+    let currentDir = path27.dirname(file3);
     while (true) {
-      if (currentDir && currentDir !== "." && currentDir !== path23.sep) {
-        dirs.add(path23.join(workingDir, currentDir));
-        const parent = path23.dirname(currentDir);
+      if (currentDir && currentDir !== "." && currentDir !== path27.sep) {
+        dirs.add(path27.join(workingDir, currentDir));
+        const parent = path27.dirname(currentDir);
         if (parent === currentDir)
           break;
         currentDir = parent;
@@ -44622,7 +46263,7 @@ function getDirectoriesFromChangedFiles(changedFiles, workingDir) {
 }
 function ensureOutputDir(outputDir) {
   try {
-    fs19.mkdirSync(outputDir, { recursive: true });
+    fs21.mkdirSync(outputDir, { recursive: true });
   } catch (error93) {
     if (!error93 || error93.code !== "EEXIST") {
       throw error93;
@@ -44715,11 +46356,11 @@ var sbom_generate = tool({
     const processedFiles = [];
     for (const manifestFile of manifestFiles) {
       try {
-        const fullPath = path23.isAbsolute(manifestFile) ? manifestFile : path23.join(workingDir, manifestFile);
-        if (!fs19.existsSync(fullPath)) {
+        const fullPath = path27.isAbsolute(manifestFile) ? manifestFile : path27.join(workingDir, manifestFile);
+        if (!fs21.existsSync(fullPath)) {
           continue;
         }
-        const content = fs19.readFileSync(fullPath, "utf-8");
+        const content = fs21.readFileSync(fullPath, "utf-8");
         const components = detectComponents(manifestFile, content);
         processedFiles.push(manifestFile);
         if (components.length > 0) {
@@ -44732,8 +46373,8 @@ var sbom_generate = tool({
     const bom = generateCycloneDX(allComponents);
     const bomJson = serializeCycloneDX(bom);
     const filename = generateSbomFilename();
-    const outputPath = path23.join(outputDir, filename);
-    fs19.writeFileSync(outputPath, bomJson, "utf-8");
+    const outputPath = path27.join(outputDir, filename);
+    fs21.writeFileSync(outputPath, bomJson, "utf-8");
     const verdict = processedFiles.length > 0 ? "pass" : "pass";
     try {
       const timestamp = new Date().toISOString();
@@ -44774,8 +46415,8 @@ var sbom_generate = tool({
 });
 // src/tools/schema-drift.ts
 init_dist();
-import * as fs20 from "fs";
-import * as path24 from "path";
+import * as fs22 from "fs";
+import * as path28 from "path";
 var SPEC_CANDIDATES = [
   "openapi.json",
   "openapi.yaml",
@@ -44807,28 +46448,28 @@ function normalizePath(p) {
 }
 function discoverSpecFile(cwd, specFileArg) {
   if (specFileArg) {
-    const resolvedPath = path24.resolve(cwd, specFileArg);
-    const normalizedCwd = cwd.endsWith(path24.sep) ? cwd : cwd + path24.sep;
+    const resolvedPath = path28.resolve(cwd, specFileArg);
+    const normalizedCwd = cwd.endsWith(path28.sep) ? cwd : cwd + path28.sep;
     if (!resolvedPath.startsWith(normalizedCwd) && resolvedPath !== cwd) {
       throw new Error("Invalid spec_file: path traversal detected");
     }
-    const ext = path24.extname(resolvedPath).toLowerCase();
+    const ext = path28.extname(resolvedPath).toLowerCase();
     if (!ALLOWED_EXTENSIONS.includes(ext)) {
       throw new Error(`Invalid spec_file: must end in .json, .yaml, or .yml, got ${ext}`);
     }
-    const stats = fs20.statSync(resolvedPath);
+    const stats = fs22.statSync(resolvedPath);
     if (stats.size > MAX_SPEC_SIZE) {
       throw new Error(`Invalid spec_file: file exceeds ${MAX_SPEC_SIZE / 1024 / 1024}MB limit`);
     }
-    if (!fs20.existsSync(resolvedPath)) {
+    if (!fs22.existsSync(resolvedPath)) {
       throw new Error(`Spec file not found: ${resolvedPath}`);
     }
     return resolvedPath;
   }
   for (const candidate of SPEC_CANDIDATES) {
-    const candidatePath = path24.resolve(cwd, candidate);
-    if (fs20.existsSync(candidatePath)) {
-      const stats = fs20.statSync(candidatePath);
+    const candidatePath = path28.resolve(cwd, candidate);
+    if (fs22.existsSync(candidatePath)) {
+      const stats = fs22.statSync(candidatePath);
       if (stats.size <= MAX_SPEC_SIZE) {
         return candidatePath;
       }
@@ -44837,8 +46478,8 @@ function discoverSpecFile(cwd, specFileArg) {
   return null;
 }
 function parseSpec(specFile) {
-  const content = fs20.readFileSync(specFile, "utf-8");
-  const ext = path24.extname(specFile).toLowerCase();
+  const content = fs22.readFileSync(specFile, "utf-8");
+  const ext = path28.extname(specFile).toLowerCase();
   if (ext === ".json") {
     return parseJsonSpec(content);
   }
@@ -44904,12 +46545,12 @@ function extractRoutes(cwd) {
   function walkDir(dir) {
     let entries;
     try {
-      entries = fs20.readdirSync(dir, { withFileTypes: true });
+      entries = fs22.readdirSync(dir, { withFileTypes: true });
     } catch {
       return;
     }
     for (const entry of entries) {
-      const fullPath = path24.join(dir, entry.name);
+      const fullPath = path28.join(dir, entry.name);
       if (entry.isSymbolicLink()) {
         continue;
       }
@@ -44919,7 +46560,7 @@ function extractRoutes(cwd) {
         }
         walkDir(fullPath);
       } else if (entry.isFile()) {
-        const ext = path24.extname(entry.name).toLowerCase();
+        const ext = path28.extname(entry.name).toLowerCase();
         const baseName = entry.name.toLowerCase();
         if (![".ts", ".js", ".mjs"].includes(ext)) {
           continue;
@@ -44937,7 +46578,7 @@ function extractRoutes(cwd) {
 }
 function extractRoutesFromFile(filePath) {
   const routes = [];
-  const content = fs20.readFileSync(filePath, "utf-8");
+  const content = fs22.readFileSync(filePath, "utf-8");
   const lines = content.split(/\r?\n/);
   const expressRegex = /(?:app|router|server|express)\.(get|post|put|patch|delete|options|head)\s*\(\s*['"`]([^'"`]+)['"`]/g;
   const flaskRegex = /@(?:app|blueprint|bp)\.route\s*\(\s*['"]([^'"]+)['"]/g;
@@ -45084,8 +46725,8 @@ init_secretscan();
 
 // src/tools/symbols.ts
 init_tool();
-import * as fs21 from "fs";
-import * as path25 from "path";
+import * as fs23 from "fs";
+import * as path29 from "path";
 var MAX_FILE_SIZE_BYTES7 = 1024 * 1024;
 var WINDOWS_RESERVED_NAMES = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|:|$)/i;
 function containsControlCharacters(str) {
@@ -45114,11 +46755,11 @@ function containsWindowsAttacks(str) {
 }
 function isPathInWorkspace(filePath, workspace) {
   try {
-    const resolvedPath = path25.resolve(workspace, filePath);
-    const realWorkspace = fs21.realpathSync(workspace);
-    const realResolvedPath = fs21.realpathSync(resolvedPath);
-    const relativePath = path25.relative(realWorkspace, realResolvedPath);
-    if (relativePath.startsWith("..") || path25.isAbsolute(relativePath)) {
+    const resolvedPath = path29.resolve(workspace, filePath);
+    const realWorkspace = fs23.realpathSync(workspace);
+    const realResolvedPath = fs23.realpathSync(resolvedPath);
+    const relativePath = path29.relative(realWorkspace, realResolvedPath);
+    if (relativePath.startsWith("..") || path29.isAbsolute(relativePath)) {
       return false;
     }
     return true;
@@ -45130,17 +46771,17 @@ function validatePathForRead(filePath, workspace) {
   return isPathInWorkspace(filePath, workspace);
 }
 function extractTSSymbols(filePath, cwd) {
-  const fullPath = path25.join(cwd, filePath);
+  const fullPath = path29.join(cwd, filePath);
   if (!validatePathForRead(fullPath, cwd)) {
     return [];
   }
   let content;
   try {
-    const stats = fs21.statSync(fullPath);
+    const stats = fs23.statSync(fullPath);
     if (stats.size > MAX_FILE_SIZE_BYTES7) {
       throw new Error(`File too large: ${stats.size} bytes (max: ${MAX_FILE_SIZE_BYTES7})`);
     }
-    content = fs21.readFileSync(fullPath, "utf-8");
+    content = fs23.readFileSync(fullPath, "utf-8");
   } catch {
     return [];
   }
@@ -45282,17 +46923,17 @@ function extractTSSymbols(filePath, cwd) {
   });
 }
 function extractPythonSymbols(filePath, cwd) {
-  const fullPath = path25.join(cwd, filePath);
+  const fullPath = path29.join(cwd, filePath);
   if (!validatePathForRead(fullPath, cwd)) {
     return [];
   }
   let content;
   try {
-    const stats = fs21.statSync(fullPath);
+    const stats = fs23.statSync(fullPath);
     if (stats.size > MAX_FILE_SIZE_BYTES7) {
       throw new Error(`File too large: ${stats.size} bytes (max: ${MAX_FILE_SIZE_BYTES7})`);
     }
-    content = fs21.readFileSync(fullPath, "utf-8");
+    content = fs23.readFileSync(fullPath, "utf-8");
   } catch {
     return [];
   }
@@ -45364,7 +47005,7 @@ var symbols = tool({
       }, null, 2);
     }
     const cwd = process.cwd();
-    const ext = path25.extname(file3);
+    const ext = path29.extname(file3);
     if (containsControlCharacters(file3)) {
       return JSON.stringify({
         file: file3,
@@ -45432,8 +47073,8 @@ init_test_runner();
 
 // src/tools/todo-extract.ts
 init_dist();
-import * as fs22 from "fs";
-import * as path26 from "path";
+import * as fs24 from "fs";
+import * as path30 from "path";
 var MAX_TEXT_LENGTH = 200;
 var MAX_FILE_SIZE_BYTES8 = 1024 * 1024;
 var SUPPORTED_EXTENSIONS2 = new Set([
@@ -45504,9 +47145,9 @@ function validatePathsInput(paths, cwd) {
     return { error: "paths contains path traversal", resolvedPath: null };
   }
   try {
-    const resolvedPath = path26.resolve(paths);
-    const normalizedCwd = path26.resolve(cwd);
-    const normalizedResolved = path26.resolve(resolvedPath);
+    const resolvedPath = path30.resolve(paths);
+    const normalizedCwd = path30.resolve(cwd);
+    const normalizedResolved = path30.resolve(resolvedPath);
     if (!normalizedResolved.startsWith(normalizedCwd)) {
       return {
         error: "paths must be within the current working directory",
@@ -45522,13 +47163,13 @@ function validatePathsInput(paths, cwd) {
   }
 }
 function isSupportedExtension(filePath) {
-  const ext = path26.extname(filePath).toLowerCase();
+  const ext = path30.extname(filePath).toLowerCase();
   return SUPPORTED_EXTENSIONS2.has(ext);
 }
 function findSourceFiles3(dir, files = []) {
   let entries;
   try {
-    entries = fs22.readdirSync(dir);
+    entries = fs24.readdirSync(dir);
   } catch {
     return files;
   }
@@ -45537,10 +47178,10 @@ function findSourceFiles3(dir, files = []) {
     if (SKIP_DIRECTORIES3.has(entry)) {
       continue;
     }
-    const fullPath = path26.join(dir, entry);
+    const fullPath = path30.join(dir, entry);
     let stat;
     try {
-      stat = fs22.statSync(fullPath);
+      stat = fs24.statSync(fullPath);
     } catch {
       continue;
     }
@@ -45633,7 +47274,7 @@ var todo_extract = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const scanPath = resolvedPath;
-    if (!fs22.existsSync(scanPath)) {
+    if (!fs24.existsSync(scanPath)) {
       const errorResult = {
         error: `path not found: ${pathsInput}`,
         total: 0,
@@ -45643,13 +47284,13 @@ var todo_extract = tool({
       return JSON.stringify(errorResult, null, 2);
     }
     const filesToScan = [];
-    const stat = fs22.statSync(scanPath);
+    const stat = fs24.statSync(scanPath);
     if (stat.isFile()) {
       if (isSupportedExtension(scanPath)) {
         filesToScan.push(scanPath);
       } else {
         const errorResult = {
-          error: `unsupported file extension: ${path26.extname(scanPath)}`,
+          error: `unsupported file extension: ${path30.extname(scanPath)}`,
           total: 0,
           byPriority: { high: 0, medium: 0, low: 0 },
           entries: []
@@ -45662,11 +47303,11 @@ var todo_extract = tool({
     const allEntries = [];
     for (const filePath of filesToScan) {
       try {
-        const fileStat = fs22.statSync(filePath);
+        const fileStat = fs24.statSync(filePath);
         if (fileStat.size > MAX_FILE_SIZE_BYTES8) {
           continue;
         }
-        const content = fs22.readFileSync(filePath, "utf-8");
+        const content = fs24.readFileSync(filePath, "utf-8");
         const entries = parseTodoComments(content, filePath, tagsSet);
         allEntries.push(...entries);
       } catch {}
@@ -45737,7 +47378,7 @@ var OpenCodeSwarm = async (ctx) => {
     const { PreflightTriggerManager: PTM } = await Promise.resolve().then(() => (init_trigger(), exports_trigger));
     preflightTriggerManager = new PTM(automationConfig);
     const { AutomationStatusArtifact: ASA } = await Promise.resolve().then(() => (init_status_artifact(), exports_status_artifact));
-    const swarmDir = path27.resolve(ctx.directory, ".swarm");
+    const swarmDir = path31.resolve(ctx.directory, ".swarm");
     statusArtifact = new ASA(swarmDir);
     statusArtifact.updateConfig(automationConfig.mode, automationConfig.capabilities);
     if (automationConfig.capabilities?.evidence_auto_summaries === true) {
@@ -45840,6 +47481,7 @@ var OpenCodeSwarm = async (ctx) => {
       lint,
       diff,
       pkg_audit,
+      pre_check_batch,
       retrieve_summary,
       schema_drift,
       secretscan,