projscan 4.11.1 → 4.12.0

package/dist/mcp/tools/assess.js

@@ -18,6 +18,10 @@ export const assessTool = {
                 type: 'number',
                 description: 'Maximum Proof Cards to return. Default: 5, max: 25.',
             },
+            feedback_path: {
+                type: 'string',
+                description: 'Optional local feedback artifact path to apply as trust memory.',
+            },
             max_tokens: {
                 type: 'number',
                 description: 'Cap the response to roughly this many tokens.',
@@ -31,6 +35,7 @@ export const assessTool = {
             maxCards: typeof args.max_cards === 'number' && Number.isFinite(args.max_cards)
                 ? args.max_cards
                 : undefined,
+            feedbackPath: typeof args.feedback_path === 'string' ? args.feedback_path : undefined,
         }),
     }),
 };

package/dist/mcp/tools/assess.js.map

@@ -1 +1 @@
-{"version":3,"file":"assess.js","sourceRoot":"","sources":["../../../src/mcp/tools/assess.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAIrD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAa,CAAC,UAAU,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAEtF,MAAM,CAAC,MAAM,UAAU,GAAY;IACjC,IAAI,EAAE,iBAAiB;IACvB,WAAW,EACT,uKAAuK;IACzK,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,0EAA0E;aACxF;YACD,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uGAAuG;aAC1G;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,qDAAqD;aACnE;YACD,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QAClC,MAAM,EAAE,MAAM,aAAa,CAAC,QAAQ,EAAE;YACpC,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YAC3D,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1B,QAAQ,EACN,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACnE,CAAC,CAAC,IAAI,CAAC,SAAS;gBAChB,CAAC,CAAC,SAAS;SAChB,CAAC;KACH,CAAC;CACH,CAAC;AAEF,SAAS,SAAS,CAAC,KAAc;IAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAmB,CAAC;QACvE,CAAC,CAAE,KAAoB;QACvB,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC"}
+{"version":3,"file":"assess.js","sourceRoot":"","sources":["../../../src/mcp/tools/assess.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAIrD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAa,CAAC,UAAU,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAEtF,MAAM,CAAC,MAAM,UAAU,GAAY;IACjC,IAAI,EAAE,iBAAiB;IACvB,WAAW,EACT,uKAAuK;IACzK,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,0EAA0E;aACxF;YACD,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,uGAAuG;aAC1G;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,qDAAqD;aACnE;YACD,aAAa,EAAE;gBACb,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,iEAAiE;aAC/E;YACD,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QAClC,MAAM,EAAE,MAAM,aAAa,CAAC,QAAQ,EAAE;YACpC,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YAC3D,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1B,QAAQ,EACN,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACnE,CAAC,CAAC,IAAI,CAAC,SAAS;gBAChB,CAAC,CAAC,SAAS;YACf,YAAY,EAAE,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;SACtF,CAAC;KACH,CAAC;CACH,CAAC;AAEF,SAAS,SAAS,CAAC,KAAc;IAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAmB,CAAC;QACvE,CAAC,CAAE,KAAoB;QACvB,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC"}

package/dist/projscan-sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ac1a1fd3-2c78-4830-8579-508d0b0ff5e9",
+  "serialNumber": "urn:uuid:ca5d65db-a8a8-4950-9238-f24ca99d602b",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-22T06:58:43.839Z",
+    "timestamp": "2026-06-22T20:54:55.115Z",
     "tools": [
       {
         "vendor": "projscan",
         "name": "projscan-sbom-generator",
-        "version": "4.11.1"
+        "version": "4.12.0"
       }
     ],
     "component": {
       "type": "application",
-      "bom-ref": "pkg:npm/projscan@4.11.1",
+      "bom-ref": "pkg:npm/projscan@4.12.0",
       "name": "projscan",
-      "version": "4.11.1",
-      "purl": "pkg:npm/projscan@4.11.1"
+      "version": "4.12.0",
+      "purl": "pkg:npm/projscan@4.12.0"
     }
   },
   "components": [

package/dist/tool-manifest.json

@@ -1,8 +1,8 @@
 {
   "name": "projscan",
-  "version": "4.11.1",
+  "version": "4.12.0",
   "mcpProtocolVersion": null,
-  "generatedAt": "2026-06-22T06:58:50.868Z",
+  "generatedAt": "2026-06-22T20:55:02.250Z",
   "toolCount": 47,
   "tools": [
     {
@@ -1019,6 +1019,10 @@
             "type": "number",
             "description": "Maximum Proof Cards to return. Default: 5, max: 25."
           },
+          "feedback_path": {
+            "type": "string",
+            "description": "Optional local feedback artifact path to apply as trust memory."
+          },
           "max_tokens": {
             "type": "number",
             "description": "Cap the response to roughly this many tokens."

package/dist/types/assess.d.ts

@@ -45,6 +45,35 @@ export interface AssessSuppression {
 export interface AssessFeedback {
     command: string;
 }
+export type AssessEvidenceStrengthLevel = 'strong' | 'moderate' | 'thin';
+export type AssessTrustMemoryStatus = 'none' | 'helpful' | 'noisy' | 'suppressed' | 'mixed';
+export interface AssessEvidenceStrength {
+    level: AssessEvidenceStrengthLevel;
+    score: number;
+    sources: string[];
+    reasons: string[];
+}
+export interface AssessRanking {
+    rank: number;
+    score: number;
+    reasons: string[];
+}
+export interface AssessTrustMemory {
+    status: AssessTrustMemoryStatus;
+    summary: string;
+    signals: string[];
+    feedbackCommand: string;
+}
+export interface AssessAgentHandoff {
+    title: string;
+    problem: string;
+    scope: string[];
+    files: string[];
+    constraints: string[];
+    verificationCommands: string[];
+    doneCriteria: string[];
+    rollback: string;
+}
 export interface AssessProofCard {
     id: string;
     priority: WorkplanPriority;
@@ -57,6 +86,12 @@ export interface AssessProofCard {
     recommendedFix: AssessRecommendedFix;
     verification: AssessVerification;
     confidence: AssessConfidence;
+    confidenceReason: string;
+    evidenceStrength: AssessEvidenceStrength;
+    evidenceGaps: string[];
+    ranking: AssessRanking;
+    trustMemory: AssessTrustMemory;
+    agentHandoff: AssessAgentHandoff;
     suppression: AssessSuppression;
     feedback: AssessFeedback;
     riskDelta: RiskDeltaSnapshot;

package/dist/types/simulate.d.ts

@@ -24,6 +24,18 @@ export interface SimulateRolloutStep {
     detail: string;
     commands: string[];
 }
+export type SimulateAlternativeId = 'bounded-extraction' | 'test-first' | 'leave-unchanged';
+export interface SimulateAlternative {
+    id: SimulateAlternativeId;
+    title: string;
+    summary: string;
+    riskDelta: number;
+    blastRadius: number;
+    confidence: SimulateConfidence;
+    proofCommands: string[];
+    reason: string;
+    tradeoffs: string[];
+}
 export interface SimulateReport {
     schemaVersion: 1;
     plan: string;
@@ -37,5 +49,7 @@ export interface SimulateReport {
     rolloutPlan: SimulateRolloutStep[];
     proofCommands: string[];
     evidence: SimulateEvidence[];
+    alternatives: SimulateAlternative[];
+    recommendedAlternative: SimulateAlternative;
     warnings: string[];
 }

package/docs/GUIDE.md

@@ -123,12 +123,10 @@ and a before-edit gate instead of a free-form plan.
 ### Before handoff or commit
 
 ```bash
-projscan bug-hunt --format json
+projscan start --intent "is this safe to commit?"
+projscan assess --mode fix-first --format markdown
 projscan preflight --mode before_commit --format json
 projscan evidence-pack --pr-comment
-projscan assess --goal "make this repo safer to ship this week"
-projscan assess --mode fix-first --format markdown
-projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"
 ```
 
 Success criteria: concrete fix targets, manual review gates, and proof commands
@@ -137,13 +135,26 @@ are separated before a reviewer sees the work.
 `projscan assess` turns those same signals into Proof Cards with evidence,
 impact, a safe change shape, verification commands, feedback or suppression
 guidance, and a risk delta. Add `--baseline previous-assess.json` to compare
-the current risk delta against a prior run. It does not release, tag, publish,
-or deploy.
+the current risk delta against a prior run. Add `--feedback
+.projscan-feedback.json` when accepted recommendations, noisy findings, false
+positives, or suppressions should affect future ranking. The Markdown output
+shows evidence strength, confidence reason, ranking reasons, trust memory,
+evidence gaps, and an AgentLoopKit handoff packet. It does not release, tag,
+publish, or deploy.
 
 `projscan simulate --plan "<change plan>"` is the next step when the safest
 fix shape is a refactor, extraction, or module split. It predicts likely files,
 affected tests, contract surfaces, rollout steps, proof commands, and projected
-risk delta from local evidence. It is read-only and does not execute the plan.
+risk delta from local evidence. It compares bounded extraction, test-first, and
+leave-unchanged alternatives, then names the recommended option. It is read-only
+and does not execute the plan.
+
+Weekly or before a larger refactor, run the broader assessment and simulator:
+
+```bash
+projscan assess --goal "make this repo safer to ship this week"
+projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"
+```
 
 ### Before release-candidate review
 
@@ -248,8 +259,8 @@ When the agent first opens a repo, or before starting a refactor, the question i
 - **`projscan_bug_hunt` / `projscan bug-hunt`** — bug-hunt action queue. Combines doctor issues, preflight, hotspots, and session coordination into ranked actions with verification commands; release-scale-only findings print as manual review/sign-off work while preserving JSON verdict compatibility, and pure hotspot churn stays as watchlist/top-suspect evidence when health and gates are clean.
 - **`projscan_agent_brief` / `projscan agent-brief`** — compact next-agent context packet with focus items, repo context, coordination hints, guardrails, and suggested next actions.
 - **`projscan_quality_scorecard` / `projscan quality-scorecard`** — dimensioned quality view across health, security, tests, maintainability, coordination, top risks, and verification commands.
-- **`projscan_assess` / `projscan assess`** — proof-first assessment. Composes quality-scorecard, bug-hunt, and preflight into Proof Cards with local evidence, impact, a safe fix shape, verification commands, feedback or suppression guidance, and risk delta. Use `projscan assess --goal "make this repo safer to ship this week"` for a broad weekly pass, `projscan assess --mode fix-first --format markdown` when you want one or two next actions instead of a long list, or `--baseline previous-assess.json` to compare against a prior assessment. The command is read-only and does not release, tag, publish, or deploy.
-- **`projscan_simulate` / `projscan simulate`** — risk delta simulator. Evaluates a proposed change plan before editing and returns likely touched files, affected tests, contract surfaces, rollout steps, proof commands, confidence, and projected before/after risk. Use `projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"` before doing a refactor. The command is read-only and does not execute the plan.
+- **`projscan_assess` / `projscan assess`** — proof-first assessment. Composes quality-scorecard, bug-hunt, and preflight into Proof Cards with local evidence, impact, a safe fix shape, verification commands, feedback or suppression guidance, and risk delta. Proof Cards include evidence strength, confidence reason, ranking reasons, trust memory, evidence gaps, and an AgentLoopKit handoff packet. Use `projscan assess --goal "make this repo safer to ship this week"` for a broad weekly pass, `projscan assess --mode fix-first --format markdown` when you want one or two next actions instead of a long list, `--feedback .projscan-feedback.json` when local reviewer memory should affect ranking, or `--baseline previous-assess.json` to compare against a prior assessment. The command is read-only and does not release, tag, publish, or deploy.
+- **`projscan_simulate` / `projscan simulate`** — risk delta simulator. Evaluates a proposed change plan before editing and returns likely touched files, affected tests, contract surfaces, rollout steps, proof commands, confidence, projected before/after risk, alternatives, and a recommended option. Use `projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"` before doing a refactor. The command is read-only and does not execute the plan.
 - **`projscan_understand` / `projscan understand`** — cited repo-comprehension surface. Returns repo maps, runtime flow maps, contract maps, change-readiness guidance, verification tiers, unknowns, read-first files, and exact next commands.
 - **`projscan_adoption` / `projscan init team` / `projscan init mcp` / `projscan mcp doctor` / `projscan init policy` / `projscan init github-action` / `projscan recipes` / `projscan first-run` / `projscan telemetry` / `projscan dogfood`** — adoption layer. Returns MCP client config snippets, setup verification, policy starters, PR workflow scaffolding with validated PR comments and block-only enforcement, baseline memory, ownership routing, first-PR onboarding steps, repeatable team-bootstrap and PR-automation recipes, multi-repo dogfood evidence, measured reviewer feedback, default-off telemetry controls, adoption trial reports, and setup diagnostics.
 - **`projscan_release_train` / `projscan release-train`** — product-line readiness planner. Plans upcoming product lines with version, scope, readiness, and next-action evidence.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "4.11.1",
+  "version": "4.12.0",
   "description": "Local code intelligence for agent-assisted engineering. Focused daily workflows for repo orientation before edits, proof before handoff or commit, and release-candidate review, with AST-backed evidence through an MCP server and CLI. Runs locally by default.",
   "type": "module",
   "main": "./dist/index.js",