projscan 4.6.0 → 4.8.0

package/docs/ROADMAP.md

@@ -1,6 +1,6 @@
 # ProjScan Roadmap
 
-Last reviewed 2026-06-16.
+Last reviewed 2026-06-17.
 
 ---
 
@@ -45,7 +45,7 @@ Four plays, in order:
 3. **Become the operator, not the advisor** — stop suggesting and start acting (cross-repo, apply, security gate). ✅ Shipped in the 1.6 arc.
 4. **Expand the moat** — depth where it matters (CFG / dataflow on hot paths, more languages, sub-file embeddings, cost analytics, live PR review, plugin extensibility). Not everywhere; we're not trying to be Cody. ✅ The 1.7 → 2.0 arc turns this into a platform contract.
 5. **Coordinate the swarm** — collision detection, claims/leases, merge-risk preflight, intent routing, one-call coordination, and live coordinate watch shipped across the 3.6 through 3.7 arc, with the 4.0 tool-surface consolidation now complete. The next work is evidence: prove which commands agents reach for in real multi-worktree sessions, then deepen only the paths that prevent integration failures.
-6. **Make agent proof release-ready** — 4.1 through 4.5 turned Mission Control into a goal → mission → proof → review harness and packaged the post-4.4 implementation train: current planning surfaces, adoption examples, precise framework dataflow, scoped/redacted evidence exports, Python upgrade previews, and hotspot maintainability cleanup.
+6. **Make agent proof release-ready** — 4.1 through 4.6 turned Mission Control into a goal → mission → proof → review harness and packaged the post-4.4 implementation train: current planning surfaces, adoption examples, precise framework dataflow, scoped/redacted evidence exports, Python upgrade previews, coordination evidence, public graph types, and hotspot maintainability cleanup.
 
 We are _not_ trying to be:
 
@@ -56,21 +56,32 @@ We are _not_ trying to be:
 
 ## Now / Next / Later
 
-### Now — Post-4.5 Validation
+### Now — Post-4.6 Validation
 
-4.5.0 "Review-Ready Intelligence Train" packages the post-4.4 implementation train. The next work is validation and selective hardening from real use, not another broad feature push.
+4.6.0 "Agent Coordination And Routing Hardening" packages the latest post-4.4 implementation train. The next work is validation and selective hardening from real use, not another broad feature push or another release push.
 
 The active validation lines are:
 
 - **Swarm coordination evidence.** Validate how real agents use `collisions`, `claim`, `merge-risk`, `coordinate`, and `coordinate --watch`; deepen only the coordination paths that prevent integration failures.
 - **Evidence export adoption.** Prove scoped/redacted report controls work for partner, security, and release-review handoffs without leaking unnecessary repo structure.
 - **Python upgrade coverage.** Extend lockfile support only after Poetry and pinned-requirement evidence prove useful in real repos.
-- **Framework dataflow precision.** Add more framework patterns only when each has a narrow request source, sink, and false-positive fixture.
+- **Framework dataflow precision.** Add more framework patterns only when each has a narrow request source, sink, and false-positive fixture; current validation includes Remix route data and SvelteKit `RequestEvent` coverage.
 - **Hotspot maintainability.** Continue extracting and covering high-churn start/review/type surfaces when they show concrete review or defect risk.
 
 Strictly **local-first** throughout: same-repo / same-machine evidence, no daemon, no cloud, no hidden network calls, no new telemetry, and no secret-value reads.
 
-Success signals: teams copy the adoption examples into real reviews, scoped/redacted artifacts are accepted by reviewers, Python upgrade previews identify useful local evidence, dataflow additions stay quiet on lookalikes, and release bug-hunts remain free of concrete defects.
+Success signals: teams copy the adoption examples into real reviews, scoped/redacted artifacts are accepted by reviewers, Python upgrade previews identify useful local evidence, coordination evidence explains multi-agent decisions, dataflow additions stay quiet on lookalikes, and release bug-hunts remain free of concrete defects.
+
+### Recently Completed — 4.6.0 (2026)
+
+**4.6.0 "Agent Coordination And Routing Hardening"** shipped the next hardening pass after the review-ready train:
+
+- Framework-gated request-source coverage now includes Next `nextUrl`, Hono URL reads, Express URL reads, Koa URL reads, and Fastify URL reads.
+- Agent hints include concrete local coordination evidence for multi-agent collision, handoff, and coordination decisions.
+- Public consumers can import code graph result types.
+- Mission Control start, intent router, review, CLI, and MCP test surfaces were split into focused suites while preserving public behavior.
+- Intent routing, code graph parsing/indexing, release evidence, upgrade preview, CLI reporting, and MCP transport helpers moved into smaller modules.
+- MCP watch IDs, request notifications, no-release continuation routing, agent harness proof routing, Python upgrade evidence, scoped dependency redaction, path-safe file links, unresolved review refs, and inspector purpose detection were tightened.
 
 ### Recently Completed — 4.5.0 (2026)
 
@@ -79,7 +90,7 @@ Success signals: teams copy the adoption examples into real reviews, scoped/reda
 - Roadmap and release-train planning now default to the current post-4.4 product lines instead of stale shipped work.
 - Adoption examples cover agent orchestration, package ownership, custom policy plugins, swarm coordination, and scoped evidence exports.
 - `analyze`, `doctor`, and `ci` can scope and redact shareable evidence with direct flags or named `reportPolicies` presets.
-- `projscan upgrade` and MCP `projscan_upgrade` support offline Python previews from manifests, Poetry/Pipfile/uv/PDM/Conda lockfiles, pinned requirements/constraints, and Python importers.
+- `projscan upgrade` and MCP `projscan_upgrade` support offline Python previews from manifests, Poetry/Pipfile/uv/PDM/Conda lockfiles, root and recognized nested requirements/constraints, and Python importers.
 - Dataflow detects narrow Fastify and Koa request-source patterns, including Fastify raw URL/header and Koa IP evidence, while suppressing lookalike helpers and Koa response-body writes.
 - Start next-action assembly and taint function identity were tightened during release readiness cleanup.
 

package/docs/examples/adoption-workflows.md

@@ -50,7 +50,9 @@ projscan agent-brief --intent "handoff package ownership for fastapi" --format j
 For Node packages, `upgrade` reads local `package.json`, `node_modules`, local
 CHANGELOG files, and importer evidence. For Python packages, it reads
 `pyproject.toml`, `setup.cfg`, `setup.py`, root `requirements*.txt` files,
-Poetry/Pipfile/uv/PDM/Conda lockfiles, and pinned root requirements/constraints, then
+common `requirements/*.txt` / `requirements/*.in` manifests,
+Poetry/Pipfile/uv/PDM/Conda lockfiles, and pinned root or recognized nested
+requirements/constraints, then
 returns declared scope, current-version source, drift, and Python importers.
 
 Decision loop:
@@ -93,6 +95,15 @@ Decision loop:
 Use this when a team wants to share a health or CI artifact without exposing
 repo layout or sensitive paths.
 
+Start from Mission Control when the reviewer asks in plain language:
+
+```bash
+projscan start --intent "share redacted evidence for src/api with a partner" --format json
+```
+
+The routed start output returns the three artifact commands below as ready
+actions, using the requested scope when one is present in the intent.
+
 ```bash
 projscan analyze --report-scope src/api --redact-paths --format json > reports/api-analysis.json
 projscan doctor --report-scope src/api --redact-paths --format markdown > reports/api-health.md

package/docs/examples/swarm-coordination.md

@@ -56,11 +56,20 @@ with the active command path, current worktree state, local-only source signals,
 the validation workflow above, and a reminder that session memory is separate
 from current Git/worktree evidence. The default `coordinate` console view prints
 the same session-boundary reminder inside its `Evidence` section.
+Read `currentWorktree.changedFileCount` as the branch/base delta used for
+collision detection, including local commits and any dirty files. Read
+`currentWorktree.uncommittedChangedFileCount` as the current dirty worktree
+count from `git status`. A clean worktree can therefore show changed files
+against `origin/main` while still reporting `0` uncommitted files.
 When multiple worktrees are present, `agent-brief` also carries a
 `context.coordinationHints` entry even for a clear swarm, so the next agent knows
 to validate locally with `projscan coordinate --format json`,
 `projscan coordinate --watch --interval 5 --format json`, and
 `projscan agent-brief --format json` before continuing parallel edits.
+`preflight` also carries this proof path under `evidence.coordination`: it keeps
+the compact readiness counts and adds the local-only command path, current
+worktree summary, validation workflow, and session-boundary reminder used by
+`coordinate`.
 
 For MCP clients that support long-running notifications, use the watch tool:
 
@@ -116,5 +125,5 @@ These are the next hardening targets for real swarm usage:
 - transitive collision recall: prove dependent-file conflicts are caught, not
   only same-file conflicts
 - live watch adoption: prove agents notice and act on coordination changes
-- preflight and agent-brief integration: prove the same coordination facts show
-  up where agents already look before editing or handing off
+- preflight and handoff adoption: prove agents consistently cite the shared
+  coordination proof path before editing, committing, and handing off

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "4.6.0",
+  "version": "4.8.0",
   "description": "Agent-first code intelligence. MCP server (2025-03-26) with 11 AST adapters covering 12 named languages: JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; repo understanding maps (projscan_understand), stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), first-60-seconds workflow orientation (projscan_start), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
   "type": "module",
   "main": "./dist/index.js",