pi-crew 0.5.5 → 0.5.6

package/src/ui/overlays/mailbox-detail-overlay.ts

@@ -20,6 +20,8 @@ export class MailboxDetailOverlay {
 	private side: "inbox" | "outbox" = "inbox";
 	private selected = 0;
 	private expanded = false;
+	private lastRefreshedTaskCount = 0;
+	private needsRefresh = true;
 
 	constructor(opts: { runId: string; cwd: string; done: (action: MailboxAction | undefined) => void; theme?: unknown }) {
 		this.runId = opts.runId;
@@ -32,6 +34,12 @@ export class MailboxDetailOverlay {
 	private refresh(): void {
 		const loaded = loadRunManifestById(this.cwd, this.runId);
 		if (!loaded) return;
+		// Track task count changes to trigger re-render
+		const taskCount = loaded.tasks.length;
+		if (taskCount !== this.lastRefreshedTaskCount) {
+			this.lastRefreshedTaskCount = taskCount;
+			this.needsRefresh = true;
+		}
 		const delivery = readDeliveryState(loaded.manifest).messages;
 		const applyDelivery = (message: MailboxMessage): MailboxMessage => ({ ...message, status: delivery[message.id] ?? message.status });
 		const taskIds = loaded.tasks.map((task) => task.id);
@@ -49,11 +57,14 @@ export class MailboxDetailOverlay {
 	}
 
 	invalidate(): void {
-		this.refresh();
+		this.needsRefresh = true;
 	}
 
 	render(width: number): string[] {
-		this.refresh();
+		if (this.needsRefresh) {
+			this.refresh();
+			this.needsRefresh = false;
+		}
 		const inner = Math.max(40, width - 4);
 		const col = Math.max(18, Math.floor((inner - 3) / 2));
 		const lines = [

package/src/ui/powerbar-publisher.ts

@@ -294,6 +294,7 @@ export function requestPowerbarUpdate(
 
 /** Dispose the powerbar coalescer. Call during extension cleanup. */
 export function disposePowerbarCoalescer(): void {
+	powerbarCoalescer.flush();
 	powerbarCoalescer.dispose();
 }
 

package/src/ui/transcript-cache.ts

@@ -19,6 +19,7 @@ export interface TranscriptReadOptions {
 
 const TRANSCRIPT_CACHE_TTL_MS = 500;
 const DEFAULT_TAIL_BYTES = 256 * 1024;
+const MAX_CACHE_SIZE = 100;
 const transcriptCache = new Map<string, TranscriptCacheEntry>();
 
 function cacheKey(path: string, options: Required<Pick<TranscriptReadOptions, "full">> & { maxTailBytes: number }): string {
@@ -85,6 +86,18 @@ export function readTranscriptLinesCached(path: string, parse: (text: string) =>
 			truncated: read.truncated,
 		};
 		transcriptCache.set(key, entry);
+		// Evict oldest entry if cache exceeds max size
+		if (transcriptCache.size > MAX_CACHE_SIZE) {
+			let oldestKey: string | null = null;
+			let oldestParsedAt = Infinity;
+			for (const [k, v] of transcriptCache.entries()) {
+				if (v.parsedAt < oldestParsedAt) {
+					oldestParsedAt = v.parsedAt;
+					oldestKey = k;
+				}
+			}
+			if (oldestKey) transcriptCache.delete(oldestKey);
+		}
 		return lines;
 	} catch {
 		return previous?.lines ?? [];

package/src/utils/bm25-search.ts

@@ -46,17 +46,17 @@ export class BM25Search<T extends SearchDocument> {
   }
 
   /**
-   * Compute document frequency for a query term using substring matching,
-   * consistent with the regex-based tf computation in search().
+   * Compute document frequency for a query term using indexOf for better performance.
+   * Uses linear-time substring matching instead of regex to avoid ReDoS.
    */
   private df(term: string): number {
-    const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const re = new RegExp(escaped, "g");
+    const termLower = term.toLowerCase();
     let count = 0;
     for (const doc of this.documents) {
       for (const field of Object.keys(this.fieldWeights)) {
         const text = (doc.fields[field] ?? "").toLowerCase();
-        if (re.test(text)) {
+        // Use indexOf for linear-time substring search
+        if (text.includes(termLower)) {
           count++;
           break;
         }
@@ -81,11 +81,19 @@ export class BM25Search<T extends SearchDocument> {
         let fieldScore = 0;
 
         for (const term of queryTerms) {
-          const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-          const tf = (textLower.match(new RegExp(escaped, "g")) ?? []).length;
+          // Use indexOf for linear-time substring counting instead of regex
+          const termLower = term.toLowerCase();
+          let tf = 0;
+          let pos = 0;
+          while ((pos = textLower.indexOf(termLower, pos)) !== -1) {
+            tf++;
+            pos += termLower.length;
+            // Cap tf to prevent runaway on repeated patterns
+            if (tf > 100) break;
+          }
           if (tf === 0) continue;
 
-          const df = this.df(term);
+          const df = this.df(termLower);
           if (df === 0) continue;
 
           const idf = Math.log((this.N - df + 0.5) / (df + 0.5) + 1);

package/src/utils/env-filter.ts

@@ -1,4 +1,4 @@
-import { SECRET_KEY_PATTERN } from "./redaction.ts";
+import { isSecretKey } from "./redaction.ts";
 
 export interface SanitizeEnvOptions {
 	/** Allow-list of env var names to preserve. Supports trailing glob, e.g. `"PI_*"`. */
@@ -8,14 +8,17 @@ export interface SanitizeEnvOptions {
 /**
  * Strip env vars whose keys look like secrets before passing to child processes.
  *
- * Default mode (no allowList): deny-list using SECRET_KEY_PATTERN.
+ * Default mode (no allowList): deny-list using isSecretKey.
  * When allowList is provided, only keys matching the allow-list are preserved.
  */
 export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnvOptions): Record<string, string> {
 	const filtered: Record<string, string> = {};
 	if (options?.allowList && options.allowList.length > 0) {
 		const matchers = options.allowList.map((p) => {
-			if (p.endsWith("*")) return (k: string) => k.startsWith(p.slice(0, -1));
+			if (p.endsWith("*")) {
+				const prefix = p.slice(0, -1);
+				return (k: string) => k.startsWith(prefix) && k.length > prefix.length;
+			}
 			return (k: string) => k === p;
 		});
 		for (const [key, value] of Object.entries(env)) {
@@ -24,7 +27,7 @@ export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnv
 		return filtered;
 	}
 	for (const [key, value] of Object.entries(env)) {
-		if (value !== undefined && !SECRET_KEY_PATTERN.test(key)) filtered[key] = value;
+		if (value !== undefined && !isSecretKey(key)) filtered[key] = value;
 	}
 	return filtered;
-}
+}

package/src/utils/redaction.ts

@@ -1,26 +1,180 @@
-export const SECRET_KEY_PATTERN = /(?:^|[_.-])(token|api[-_]?key|password|passwd|secret|credential|authorization|private[-_]?key)(?:$|[_.-])/i;
-const INLINE_SECRET_PATTERN = /(^|[\s,{])(([A-Za-z0-9_.-]*(?:api[-_]?key|token|password|passwd|secret|credential|authorization|private[-_]?key)[A-Za-z0-9_.-]*)\s*[=:]\s*)([^\s,;"'}]+)/gi;
-const AUTH_HEADER_PATTERN = /\b(Authorization\s*:\s*(?:Bearer|Basic|Token)?\s*)([^\r\n]+)/gi;
-const BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/g;
-const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]{0,65536}?-----END [A-Z ]*PRIVATE KEY-----/g;
+/**
+ * ReDoS-resistant pattern matching for secret detection.
+ * Uses linear-time scan instead of complex regex to prevent catastrophic backtracking.
+ */
+
+// Pattern for PEM private keys (possessive quantifier prevents backtracking)
+export const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----/g;
+
+// Linear-time secret key detection
+export function isSecretKey(keyName: string): boolean {
+	// Fast path: common secret key names
+	const lower = keyName.toLowerCase();
+	if (/^(token|apikey|api_key|password|secret|credential|authorization|privatekey|private_key)$/.test(lower)) {
+		return true;
+	}
+	// Linear scan for prefix characters followed by keywords
+	const prefixes = "_.-";
+	const keywords = ["token", "api", "key", "password", "passwd", "secret", "credential", "authorization", "private"];
+	
+	for (let i = 0; i < keyName.length; i++) {
+		if (prefixes.includes(keyName[i])) {
+			const remaining = keyName.substring(i + 1).toLowerCase();
+			for (const kw of keywords) {
+				if (remaining.startsWith(kw)) {
+					const afterKw = remaining.substring(kw.length);
+					if (afterKw === "" || prefixes.includes(afterKw[0]) || /[a-zA-Z0-9]/.test(afterKw[0])) {
+						return true;
+					}
+				}
+			}
+		}
+	}
+	return false;
+}
+
+// Linear-time Authorization header redaction
+export function redactAuthHeader(line: string): string {
+	const lower = line.toLowerCase();
+	const authIdx = lower.indexOf("authorization:");
+	if (authIdx === -1) return line;
+	
+	// Verify word boundary - must be at start of line or preceded by whitespace/comma/brace
+	if (authIdx > 0) {
+		const before = line[authIdx - 1];
+		if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+			return line; // Not a word boundary
+		}
+	}
+	
+	// Check if this is followed by Bearer token (don't redact Bearer tokens separately)
+	// Look for "Bearer" after "authorization:"
+	const afterAuth = lower.substring(authIdx + 14).trimStart();
+	if (!afterAuth.startsWith('bearer ')) {
+		// No Bearer token, this is a regular Authorization header - redact it
+		let end = authIdx + 14;
+		while (end < line.length && line[end] !== "\r" && line[end] !== "\n") {
+			end++;
+		}
+		return line.substring(0, end) + " ***" + (end < line.length ? line.substring(end) : "");
+	}
+	
+	// It's a Bearer token format - don't redact here, let redactBearerTokens handle it
+	return line;
+}
+
+// Linear-time Bearer token redaction
+export function redactBearerTokens(line: string): string {
+	const upper = line.toUpperCase();
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < line.length) {
+		if (upper.startsWith("BEARER ", i)) {
+			// Check word boundary: preceded by start, space, comma, brace, or newline
+			if (i > 0) {
+				const before = line[i - 1];
+				if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+					result.push(line[i]);
+					i++;
+					continue;
+				}
+			}
+			
+			// Found "Bearer " - now find the token
+			const bearerPrefix = line.substring(i, i + 7); // "Bearer "
+			let j = i + 7;
+			let tokenLen = 0;
+			while (j < line.length && tokenLen < 200 && /[A-Za-z0-9._~+/-]/.test(line[j])) {
+				j++;
+				tokenLen++;
+			}
+			
+			if (tokenLen >= 8) {
+				// Replace with Bearer + *** (redact the token)
+				result.push(bearerPrefix + "***");
+				i = j;
+				continue;
+			}
+		}
+		result.push(line[i]);
+		i++;
+	}
+	
+	return result.join("");
+}
 
 function isRecord(value: unknown): value is Record<string, unknown> {
 	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
-	// Exclude built-in types whose Object.entries() would produce empty arrays.
 	if (value instanceof Date || value instanceof RegExp || value instanceof Error || value instanceof Map || value instanceof Set) return false;
 	return true;
 }
 
-function isSecretKey(keyName: string): boolean {
-	return SECRET_KEY_PATTERN.test(keyName) || /^(token|apiKey|api_key|password|secret|credential|authorization|privateKey|private_key)$/i.test(keyName);
+export function redactSecretString(value: string): string {
+	let result = value;
+	
+	// Replace PEM private keys
+	result = result.replace(PEM_PRIVATE_KEY_PATTERN, "***");
+	
+	// Replace Authorization headers (non-Bearer format)
+	result = redactAuthHeader(result);
+	
+	// Replace Bearer tokens
+	result = redactBearerTokens(result);
+	
+	// Replace inline secrets: key=value or key:value patterns
+	result = redactInlineSecrets(result);
+	
+	return result;
 }
 
-export function redactSecretString(value: string): string {
-	return value
-		.replace(PEM_PRIVATE_KEY_PATTERN, "***")
-		.replace(AUTH_HEADER_PATTERN, "$1***")
-		.replace(BEARER_PATTERN, "$1***")
-		.replace(INLINE_SECRET_PATTERN, "$1$2***");
+// Linear-time inline secret redaction: token=xxx, api_key=xxx, etc.
+function redactInlineSecrets(value: string): string {
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < value.length) {
+		// Look for pattern: word_chars + = or : + non-whitespace_value
+		// Check for secret key followed by = or :
+		let j = i;
+		let keyLen = 0;
+		
+		// Collect key characters (alphanumeric, underscore, hyphen)
+		while (j < value.length && /[a-zA-Z0-9_-]/.test(value[j])) {
+			j++;
+			keyLen++;
+		}
+		
+		if (keyLen > 0 && j < value.length && (value[j] === '=' || value[j] === ':')) {
+			const key = value.substring(i, i + keyLen);
+			
+			// Check if this is a secret key
+			if (isSecretKey(key)) {
+				// Find the value (everything after = or : until space, comma, or end)
+				const sep = value[j];
+				let k = j + 1;
+				let valLen = 0;
+				while (k < value.length && valLen < 500 && value[k] !== ' ' && value[k] !== ',' && value[k] !== ';' && value[k] !== '"' && value[k] !== '"' && value[k] !== '\r' && value[k] !== '\n') {
+					k++;
+					valLen++;
+				}
+				
+				// Only redact if there's actual content
+				if (valLen > 0) {
+					result.push(key);
+					result.push(sep);
+					result.push("***");
+					i = k;
+					continue;
+				}
+			}
+		}
+		
+		result.push(value[i]);
+		i++;
+	}
+	
+	return result.join("");
 }
 
 export function redactSecrets(value: unknown, keyName = ""): unknown {
@@ -41,4 +195,4 @@ export function redactJsonLine(line: string): string {
 	} catch {
 		return redactSecretString(line);
 	}
-}
+}

package/src/utils/sse-parser.ts

@@ -8,6 +8,9 @@ export interface ServerSentEvent {
 /** L1: Maximum number of raw lines before discarding an oversized event. */
 const MAX_EVENT_LINES = 1000;
 
+/** L2: Maximum data size per line to prevent unbounded memory usage. */
+const MAX_DATA_SIZE = 100000; // 100KB per line
+
 /** Read newline-delimited lines from a text ReadableStream, buffering partial chunks. */
 async function* readLines(
 	stream: ReadableStream<string>,
@@ -97,13 +100,19 @@ export async function* readSseEvents(
 
 		currentRaw.push(line);
 
-		// L1: Guard against unbounded memory growth
+		// L1: Guard against unbounded memory growth (line count)
 		if (currentRaw.length > MAX_EVENT_LINES) {
 			const evt = flush();
 			if (evt) yield evt;
 			continue;
 		}
 
+		// L2: Guard against unbounded memory growth (data size per line)
+		if (value.length > MAX_DATA_SIZE) {
+			// Truncate oversized data to prevent memory issues
+			value = value.slice(0, MAX_DATA_SIZE);
+		}
+
 		if (field === "event") {
 			currentEvent = value;
 		} else if (field === "data") {

package/src/worktree/cleanup.ts

@@ -59,7 +59,12 @@ export function cleanupRunWorktrees(manifest: TeamRunManifest, options: { force?
 			// Commit changes to a branch instead of just preserving the worktree
 			try {
 				execFileSync("git", ["add", "-A"], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
-				const safeDesc = entry.name.slice(0, 200);
+				let safeDesc = entry.name.slice(0, 200);
+				// SECURITY: Strip any newlines that could be injected via a malicious worktree name
+				// to prevent newline injection in git commit messages
+				if (safeDesc.includes("\n")) {
+					safeDesc = safeDesc.replace(/[\r\n]+/g, " ");
+				}
 				execFileSync("git", ["commit", "-m", `pi-crew: ${safeDesc}`], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
 				// Create branch in the main repo pointing to this worktree's HEAD
 				try {

package/workflows/chain.workflow.md

@@ -0,0 +1,252 @@
+# Chain Workflow - Sequential execution with context passing
+
+**Source:** `docs/pi-boomerang-integration-plan.md`  
+**Syntax:** `step1 -> step2 -> step3`  
+**Version:** 1.0.0
+
+---
+
+## Overview
+
+The Chain workflow enables sequential execution of multiple teams with automatic context passing between steps. Each step receives a handoff summary from the previous step, enabling informed execution without repeating context.
+
+## Usage
+
+```bash
+# Simple team chain
+pi team run --chain "@research -> @implement -> @review"
+
+# With model override
+pi team run --chain "@research -> @implement --model claude-opus-3 -> @review"
+
+# With inline goals
+pi team run --chain '"Research AI trends" -> "Analyze findings" -> "Write report"'
+
+# Global model override
+pi team run --chain "@step1 -> @step2 -> @step3" --global-model claude-sonnet-4
+
+# With timeout
+pi team run --chain "@step1 --timeout 60 -> @step2"
+
+# Continue on error
+pi team run --chain "@step1 -> @step2" --continue-on-error
+```
+
+## Chain Syntax
+
+### Step References
+
+| Syntax | Type | Example |
+|--------|------|---------|
+| `@teamName` | Team reference | `@research` |
+| `workflow:name` | Workflow reference | `workflow:build` |
+| `template:name` | Template reference | `template:planning` |
+| `"goal text"` | Inline goal | `"Research AI trends"` |
+
+### Per-Step Overrides
+
+| Flag | Description | Example |
+|------|-------------|---------|
+| `--model <model>` | Override model | `--model claude-opus-3` |
+| `--skill <skill>` | Override skill | `--skill coding` |
+| `--thinking <mode>` | Thinking mode | `--thinking deep` |
+| `--timeout <seconds>` | Step timeout | `--timeout 60` |
+| `--continue-on-error` | Continue chain on failure | `--continue-on-error` |
+
+### Global Overrides
+
+| Flag | Description | Example |
+|------|-------------|---------|
+| `--global-model <model>` | Apply to all steps | `--global-model sonnet` |
+| `--global-skill <skill>` | Apply to all steps | `--global-skill writing` |
+| `--global-thinking <mode>` | Apply to all steps | `--global-thinking fast` |
+| `--continue-on-error` | Continue on any step failure | `--continue-on-error` |
+
+## Workflow Definition
+
+```yaml
+name: chain
+description: Sequential execution with context passing
+syntax: "step1 -> step2 -> step3"
+
+steps:
+  - id: chain_executor
+    role: chain-executor
+    task: |
+      Execute the chain: {chain}
+      
+      Each step receives context from previous steps.
+      Generate handoff summary after each step.
+
+configuration:
+  # Chain parser settings
+  parser:
+    stepSeparator: "->"
+    trimWhitespace: true
+    validateReferences: true
+  
+  # Handoff settings
+  handoff:
+    generateBetweenSteps: true
+    accumulateContext: true
+    maxHandoffHistory: 10
+  
+  # Execution settings
+  execution:
+    sequential: true
+    stopOnFailure: true
+    timeoutPerStep: 300000  # 5 minutes
+```
+
+## Context Passing
+
+When running a chain:
+
+1. **Initial context** is passed to the first step
+2. **Handoff summary** is generated after each step completes
+3. **Chain history** is appended to context for subsequent steps
+
+### Handoff Summary Structure
+
+```typescript
+interface HandoffSummary {
+  taskId: string;
+  runId: string;
+  timestamp: number;
+  
+  task: string;
+  outcome: "success" | "failure" | "partial";
+  
+  filesCreated: string[];
+  filesModified: string[];
+  filesDeleted: string[];
+  
+  decisions: Decision[];
+  
+  blockers: string[];
+  nextSteps: string[];
+  
+  metrics: {
+    tokensUsed: number;
+    duration: number;
+    iterations: number;
+    toolsUsed: string[];
+  };
+  
+  contextSnapshot: string;
+}
+```
+
+### Chain History Format
+
+```typescript
+interface ChainHistoryEntry {
+  step: string;
+  outcome: string;
+  filesCreated: string[];
+  filesModified: string[];
+  decisions: string[];
+  nextSteps: string[];
+}
+```
+
+## Examples
+
+### Research → Implement → Review
+
+```bash
+pi team run \
+  --team implementation \
+  --workflow chain \
+  --chain "@research:gather -> @implement:build -> @review:verify" \
+  --goal "Build feature X with research, implementation, and review"
+```
+
+### Multi-Model Pipeline
+
+```bash
+pi team run \
+  --chain "@fast-research --model haiku -> @deep-analysis --model opus -> @summary --model sonnet" \
+  --goal "Analyze codebase and produce documentation"
+```
+
+### Error-Tolerant Pipeline
+
+```bash
+pi team run \
+  --chain "@step1 -> @step2 -> @step3" \
+  --continue-on-error \
+  --goal "Run data pipeline with graceful degradation"
+```
+
+## Integration Points
+
+### Retry Support
+
+Chains can be combined with retry configuration:
+
+```typescript
+interface ChainRetryConfig {
+  maxAttempts: number;
+  summaryBetweenAttempts: boolean;
+  stopOnSuccess: boolean;
+  backoffMs?: number;
+}
+
+// Example: Retry each step up to 2 times
+const config: ChainRetryConfig = {
+  maxAttempts: 2,
+  summaryBetweenAttempts: true,
+  stopOnSuccess: true,
+  backoffMs: 1000,
+};
+```
+
+### Budget Tracking
+
+Chain execution supports budget tracking per step:
+
+```bash
+pi team run \
+  --chain "@step1 -> @step2" \
+  --budget-total 100000 \
+  --budget-warning 80000
+```
+
+## Event Types
+
+| Event | Description |
+|-------|-------------|
+| `chain.started` | Chain execution began |
+| `chain.step_completed` | Step completed successfully |
+| `chain.step_failed` | Step failed |
+| `chain.completed` | All steps completed |
+| `chain.failed` | Chain failed |
+
+## Error Handling
+
+### Default Behavior
+
+- Chain stops on first failure
+- Handoff from failed step includes error details
+- Final result includes all attempted steps
+
+### Continue on Error
+
+```bash
+pi team run --chain "@step1 -> @step2" --continue-on-error
+```
+
+- All steps execute regardless of failures
+- Each step receives context from previous (even failed) steps
+- Final result indicates overall success/failure
+
+## Related Features
+
+- **HandoffManager** (`src/runtime/handoff-manager.ts`) - Generates structured summaries
+- **RetryRunner** (`src/runtime/retry-runner.ts`) - Retry with accumulated context
+- **BudgetTracker** - Token budget tracking across steps
+
+---
+
+*Generated from pi-boomerang integration plan. See `docs/pi-boomerang-integration-plan.md` for full specification.*

package/workflows/pipeline.workflow.md

@@ -0,0 +1,27 @@
+---
+name: pipeline
+description: Multi-stage pipeline with automatic fan-out for array inputs
+---
+
+## Stage 1: Research
+role: explorer
+
+Perform initial research on: {goal}. Gather relevant information, identify key concepts, and provide a structured summary.
+
+## Stage 2: Analysis
+role: analyst
+dependsOn: Stage 1
+
+Analyze the research findings from Stage 1. Identify patterns, relationships, and insights. Provide structured analysis with supporting evidence.
+
+## Stage 3: Synthesis
+role: analyst
+dependsOn: Stage 2
+
+Synthesize the analysis into actionable recommendations. Prioritize findings and provide clear next steps.
+
+## Stage 4: Documentation
+role: writer
+dependsOn: Synthesis
+
+Document the complete findings in a clear, well-structured format. Include executive summary, detailed findings, and recommendations.