projscan 4.8.0 → 4.9.2

package/dist/utils/fileWalker.js

@@ -33,7 +33,12 @@ const DEFAULT_IGNORE = [
 export async function walkFiles(rootPath, options) {
     const ignore = options?.ignore ?? DEFAULT_IGNORE;
     let pattern = '**/*';
-    if (options?.extensions?.length) {
+    if (options?.paths) {
+        if (options.paths.length === 0)
+            return [];
+        pattern = options.paths.map((filePath) => fg.escapePath(filePath));
+    }
+    else if (options?.extensions?.length) {
         const exts = options.extensions.map((e) => e.replace(/^\./, ''));
         pattern = exts.length === 1 ? `**/*.${exts[0]}` : `**/*.{${exts.join(',')}}`;
     }

package/dist/utils/fileWalker.js.map

@@ -1 +1 @@
-{"version":3,"file":"fileWalker.js","sourceRoot":"","sources":["../../src/utils/fileWalker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,WAAW,CAAC;AAC3B,OAAO,IAAI,MAAM,WAAW,CAAC;AAQ7B,MAAM,cAAc,GAAG;IACrB,oBAAoB;IACpB,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,cAAc;IACd,uBAAuB;IACvB,wBAAwB;IACxB,cAAc;IACd,eAAe;IACf,cAAc;IACd,cAAc;IACd,kEAAkE;IAClE,oEAAoE;IACpE,mCAAmC;IACnC,YAAY;IACZ,aAAa;IACb,WAAW;IACX,cAAc;IACd,mBAAmB;IACnB,YAAY;IACZ,qBAAqB;IACrB,mBAAmB;IACnB,mBAAmB;IACnB,aAAa;IACb,kBAAkB;CACnB,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,OAAqB;IACrE,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,cAAc,CAAC;IAEjD,IAAI,OAAO,GAAG,MAAM,CAAC;IACrB,IAAI,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACjE,OAAO,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAC/E,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,EAAE;QAChC,GAAG,EAAE,QAAQ;QACb,QAAQ,EAAE,KAAK;QACf,GAAG,EAAE,IAAI;QACT,MAAM;QACN,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,IAAI;QACf,mBAAmB,EAAE,KAAK;KAC3B,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,MAAM,YAAY,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;QACpE,MAAM,KAAK,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;QAElE,OAAO;YACL,YAAY;YACZ,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC;YAClD,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;YACnD,SAAS,EAAE,KAAK,EAAE,IAAI,IAAI,CAAC;YAC3B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;SACtC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,OAAO,CAAC,GAAG,cAAc,CAAC,CAAC;AAC7B,CAAC"}
+{"version":3,"file":"fileWalker.js","sourceRoot":"","sources":["../../src/utils/fileWalker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,WAAW,CAAC;AAC3B,OAAO,IAAI,MAAM,WAAW,CAAC;AAS7B,MAAM,cAAc,GAAG;IACrB,oBAAoB;IACpB,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,cAAc;IACd,uBAAuB;IACvB,wBAAwB;IACxB,cAAc;IACd,eAAe;IACf,cAAc;IACd,cAAc;IACd,kEAAkE;IAClE,oEAAoE;IACpE,mCAAmC;IACnC,YAAY;IACZ,aAAa;IACb,WAAW;IACX,cAAc;IACd,mBAAmB;IACnB,YAAY;IACZ,qBAAqB;IACrB,mBAAmB;IACnB,mBAAmB;IACnB,aAAa;IACb,kBAAkB;CACnB,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,OAAqB;IACrE,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,cAAc,CAAC;IAEjD,IAAI,OAAO,GAAsB,MAAM,CAAC;IACxC,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAC1C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrE,CAAC;SAAM,IAAI,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACjE,OAAO,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAC/E,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,EAAE;QAChC,GAAG,EAAE,QAAQ;QACb,QAAQ,EAAE,KAAK;QACf,GAAG,EAAE,IAAI;QACT,MAAM;QACN,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,IAAI;QACf,mBAAmB,EAAE,KAAK;KAC3B,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,MAAM,YAAY,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;QACpE,MAAM,KAAK,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;QAElE,OAAO;YACL,YAAY;YACZ,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC;YAClD,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;YACnD,SAAS,EAAE,KAAK,EAAE,IAAI,IAAI,CAAC;YAC3B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;SACtC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,OAAO,CAAC,GAAG,cAAc,CAAC,CAAC;AAC7B,CAAC"}

package/dist/utils/formatSupport.d.ts

@@ -29,6 +29,7 @@ export declare const COMMAND_FORMAT_SUPPORT: {
     readonly feedback: readonly ["console", "json"];
     readonly 'feedback init': readonly ["console", "json"];
     readonly 'feedback add': readonly ["console", "json"];
+    readonly 'feedback intake': readonly ["console", "json"];
     readonly 'feedback summary': readonly ["console", "json"];
     readonly explain: readonly ["console", "json", "markdown"];
     readonly 'explain-issue': readonly ["console", "json", "markdown"];

package/dist/utils/formatSupport.js

@@ -34,6 +34,7 @@ export const COMMAND_FORMAT_SUPPORT = {
     feedback: ['console', 'json'],
     'feedback init': ['console', 'json'],
     'feedback add': ['console', 'json'],
+    'feedback intake': ['console', 'json'],
     'feedback summary': ['console', 'json'],
     explain: ['console', 'json', 'markdown'],
     'explain-issue': ['console', 'json', 'markdown'],

package/dist/utils/formatSupport.js.map

@@ -1 +1 @@
-{"version":3,"file":"formatSupport.js","sourceRoot":"","sources":["../../src/utils/formatSupport.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;CACoC,CAAC;AAE7C,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACzD,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC/C,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC5C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC7C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC7B,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACxD,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC7B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACnC,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC9C,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,oBAAoB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACzC,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,cAAc,EAAE,CAAC,SAAS,CAAC;IAC3B,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAClD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACnC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAClD,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACvC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC1C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,kBAAkB,EAAE,CAAC,SAAS,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC3C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;CAC6B,CAAC;AAI7D,MAAM,UAAU,UAAU,CAAC,UAAmC,cAAc;IAC1E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,OAAQ,sBAAkE,CAAC,WAAW,CAAC,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,iBAAiB;IAI/B,OAAO,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,EAAE,OAA4B;QACrC,OAAO;KACR,CAAC,CAAC,CAAC;AACN,CAAC"}
+{"version":3,"file":"formatSupport.js","sourceRoot":"","sources":["../../src/utils/formatSupport.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;CACoC,CAAC;AAE7C,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACzD,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC/C,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC5C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC7C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC7B,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACxD,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC7B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACnC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC9C,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,oBAAoB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACzC,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,cAAc,EAAE,CAAC,SAAS,CAAC;IAC3B,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACjC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAClD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACnC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAClD,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACvC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC1C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,kBAAkB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACvC,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,kBAAkB,EAAE,CAAC,SAAS,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC3C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;CAC6B,CAAC;AAI7D,MAAM,UAAU,UAAU,CAAC,UAAmC,cAAc;IAC1E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,OAAQ,sBAAkE,CAAC,WAAW,CAAC,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,iBAAiB;IAI/B,OAAO,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,EAAE,OAA4B;QACrC,OAAO;KACR,CAAC,CAAC,CAAC;AACN,CAAC"}

package/docs/GUIDE.md

@@ -1,8 +1,8 @@
 # ProjScan - Full Guide
 
-A deep dive into everything ProjScan can do. For a quick overview, see the [README](../README.md).
+This guide starts with demonstrated workflows before the command reference. For a quick overview, see the [README](../README.md).
 
-**ProjScan is agent-first**: the MCP server is the primary interface, and the CLI is a consumer of the same primitives. This guide covers both, but if you're integrating with Claude Code / Cursor / Windsurf / Codex, start with [MCP Server for AI Agents](#mcp-server-for-ai-agents).
+**ProjScan is agent-first where agents need local repo evidence**: the MCP server and CLI share the same primitives. This guide covers both, but if you're integrating with Claude Code / Cursor / Windsurf / Codex, start with [MCP Server for AI Agents](#mcp-server-for-ai-agents).
 
 ---
 
@@ -104,6 +104,44 @@ This runs the default `analyze` command. Within a second or two you'll see a ful
 4. **Dependency summary** - production vs. dev count, package manager, lock file status
 5. **Issues found** - grouped by severity (error, warning, info)
 
+## Daily workflows engineers can trust
+
+Use these before the command reference when you want the product's most proven
+paths.
+
+### Before editing a feature
+
+```bash
+projscan start --intent "what files do I need to change for auth?"
+projscan understand --view change --intent "add auth token refresh" --format json
+projscan preflight --mode before_edit --format json
+```
+
+Success criteria: the agent starts with cited files, change-readiness evidence,
+and a before-edit gate instead of a free-form plan.
+
+### Before handoff or commit
+
+```bash
+projscan bug-hunt --format json
+projscan preflight --mode before_commit --format json
+projscan evidence-pack --pr-comment
+```
+
+Success criteria: concrete fix targets, manual review gates, and proof commands
+are separated before a reviewer sees the work.
+
+### Before release-candidate review
+
+```bash
+projscan release-train --format json
+projscan preflight --mode before_merge --format json
+projscan evidence-pack --pr-comment
+```
+
+Success criteria: release-train stays read-only, `caution` names the next
+action, and no version, publish, tag, or deploy step is implied.
+
 ---
 
 ## The agent journey
@@ -167,7 +205,7 @@ When the agent first opens a repo, or before starting a refactor, the question i
   For risky-file, complexity, refactor-priority, and codebase-performance questions, such as `projscan start --intent "what files are risky to touch?"`, `projscan start --intent "which files are too complex?"`, `projscan start --intent "what file should I refactor first?"`, `projscan start --intent "find performance bottlenecks"`, or `projscan start --intent "where are the slow files?"`, it routes to `projscan_hotspots` so the developer sees the highest-risk files before editing. For exact-file risk questions, such as `projscan start --intent "why is src/core/start.ts risky?"`, it routes to `projscan_file` so the file's hotspot, ownership, issue, import, and export context explains the risk. For cleanup questions, such as `projscan start --intent "find dead code"`, `projscan start --intent "find dead code and unused exports I can delete"`, `projscan start --intent "what can I safely delete?"`, or `projscan start --intent "what can I remove safely?"`, it routes to `projscan_doctor` so dead code, unused exports, and adjacent health issues are reviewed before files are removed.
   For tech-debt and simplification questions, such as `projscan start --intent "what tech debt should I pay down?"` or `projscan start --intent "what code should I simplify?"`, it routes to `projscan_hotspots` instead of incident handling for the word `down`.
   For reviewer-proof requests, such as `projscan start --intent "write a PR comment for reviewers"`, `projscan start --intent "write a PR description"`, `projscan start --intent "what should my PR say?"`, `projscan start --intent "make a PR checklist"`, `projscan start --intent "summarize my changes for reviewers"`, or `projscan start --intent "what should I tell my team about this change?"`, it routes to `projscan_evidence_pack` with `pr_comment: true` so the developer gets a paste-ready verdict, top risks, owner routing, and next commands.
-  For shareable scoped-evidence requests, such as `projscan start --intent "share redacted evidence for src/api with a partner"`, it routes to `projscan_analyze` and returns ready analyze, doctor, and CI commands with `--report-scope` and `--redact-paths` so security reviewers and partners can receive path-safe artifacts without a full repo map.
+  For shareable scoped-evidence requests, such as `projscan start --intent "share redacted evidence for src/api with a partner"` or `projscan start --intent "share redacted evidence for src/api and packages/backend with a partner"`, it routes to `projscan_analyze` and returns ready analyze, doctor, and CI commands with `--report-scope` and `--redact-paths` so security reviewers and partners can receive path-safe artifacts without a full repo map.
   For reviewer-routing questions, such as `projscan start --intent "who should review this PR?"`, it routes to `projscan_evidence_pack` so likely owners and reviewer-facing context are prepared before a full review.
   For PR-readiness questions, such as `projscan start --intent "am I ready to open a PR?"`, it routes to `projscan_evidence_pack` so preflight, owner routing, top risks, and reviewer-facing proof are prepared before review starts.
   For changed-file owner questions, such as `projscan start --intent "who owns the changed files?"`, it routes to `projscan_evidence_pack` so changed-file owner routing is prepared without confusing it with single-file ownership inspection.
@@ -193,7 +231,7 @@ When the agent first opens a repo, or before starting a refactor, the question i
   For file-claim requests, such as `projscan start --intent "claim src/core/start.ts for me"`, it routes to `projscan_claim`, lists active claims first, then adds the requested target only after a real agent name replaces `Needs Input`.
   For architecture-coupling questions, such as `projscan start --intent "show circular dependencies"` or `projscan start --intent "find dependency cycles"`, it routes to `projscan_coupling` with `direction: "cycles_only"` / `projscan coupling --cycles-only --format json`; broader wording such as `projscan start --intent "what modules are tightly coupled"` routes to the full fan-in, fan-out, instability, cross-package-edge, and cycle report.
 - **`projscan_workplan` / `projscan workplan`** — agent mission control. Composes preflight, review, session, hotspot, plugin-policy, and supply-chain evidence into prioritized tasks with suggested tools, exact verification commands, and short handoff text. Modes: `before_edit`, `before_commit`, `before_merge`, `refactor`, `release`, `bug_hunt`, and `hardening`.
-- **`projscan_bug_hunt` / `projscan bug-hunt`** — bug-hunt action queue. Combines doctor issues, preflight, hotspots, and session coordination into ranked actions with verification commands; release-scale findings can be manual sign-off actions, while pure hotspot churn stays as watchlist/top-suspect evidence when health and gates are clean.
+- **`projscan_bug_hunt` / `projscan bug-hunt`** — bug-hunt action queue. Combines doctor issues, preflight, hotspots, and session coordination into ranked actions with verification commands; release-scale-only findings print as manual review/sign-off work while preserving JSON verdict compatibility, and pure hotspot churn stays as watchlist/top-suspect evidence when health and gates are clean.
 - **`projscan_agent_brief` / `projscan agent-brief`** — compact next-agent context packet with focus items, repo context, coordination hints, guardrails, and suggested next actions.
 - **`projscan_quality_scorecard` / `projscan quality-scorecard`** — dimensioned quality view across health, security, tests, maintainability, coordination, top risks, and verification commands.
 - **`projscan_understand` / `projscan understand`** — cited repo-comprehension surface. Returns repo maps, runtime flow maps, contract maps, change-readiness guidance, verification tiers, unknowns, read-first files, and exact next commands.
@@ -205,11 +243,11 @@ When the agent first opens a repo, or before starting a refactor, the question i
 - **`projscan_preflight` / `projscan preflight`** — agent safety gate. Returns `proceed`, `caution`, or `block` with health, changed-file, review, remembered session, hotspot, plugin-policy, supply-chain, and release-scale evidence. `evidence.riskSources.currentWorktree` is current Git/worktree evidence; `evidence.riskSources.sessionMemory` is remembered handoff context. Use `--mode before_edit` at the start of work and `--mode before_commit` / `--mode before_merge` before handing off or merging; scale-only commit blocks are cautions, while merge gates still require manual release sign-off.
 - **`projscan_hotspots` / `projscan hotspots`** — files ranked by `git churn × AST cyclomatic complexity × open issues × ownership × coverage`. Pass `view: "functions"` for top-N risky individual functions across the repo (0.13+).
 - **`projscan_semantic_graph` / `projscan semantic-graph`** — stable v3 graph contract with file, function, package, and symbol nodes plus imports, exports, definitions, and calls edges. Use it when an agent needs one normalized graph shape instead of several targeted queries.
-- **`projscan_dataflow` / `projscan dataflow`** — direct, propagated, and bridge source-to-sink dataflow risks, including framework-aware Next.js, Remix, SvelteKit, Hono, Express, Fastify, and Koa request sources. Use it for a focused safety pass before touching command execution, raw SQL, filesystem writes, or DOM sinks.
+- **`projscan_dataflow` / `projscan dataflow`** — direct, propagated, and bridge source-to-sink dataflow risks, including framework-aware Next.js, Remix, SvelteKit, Astro, Hono, Express, Fastify, and Koa request sources. Use it for a focused safety pass before touching command execution, raw SQL, filesystem writes, or DOM sinks.
 - **`projscan_coupling` / `projscan coupling`** — per-file fan-in / fan-out / instability plus circular-import cycles (Tarjan SCC). Use `direction: cycles_only` or `projscan coupling --cycles-only` to surface architectural debt directly.
 - **`projscan_analyze` / `projscan analyze`** — the everything report; useful at session start but verbose.
 
-**Typical agent flow:** start with `projscan privacy-check`, then `projscan_start` with an optional plain-language intent. If no explicit mode is supplied, start infers the workflow mode from the intent, such as `before_commit` for commit-safety checks; read `modeSource` and `modeReason` to see whether the mode was explicit, inferred, or defaulted. `modeReason` distinguishes workflow-mode defaulting from action routing, so an impact intent can still route through Mission Control while the workflow stays `before_edit`. The `firstTenMinutes` path and current-worktree coordination hint follow that resolved mode, so a commit-safety start does not send the developer back through a before-edit gate. Follow `missionControl.actionPlan`, call `missionControl.readyActions` immediately, use `missionControl.executionPlan.currentPhase` as the cursor-aligned phase pointer, and use `missionControl.executionPlan.cursor.tool` / `args` when the cursor is directly MCP-callable. Use routed-intent weighted `confidence`, `score`, and `matchedKeywords` to judge weak or ambiguous matches, and read the same confidence line in console output when working manually. Fill any `missionControl.unresolvedInputs` before running placeholder follow-ups, inspect `missionControl.alternatives` when the intent mixes goals, stop only when `missionControl.successCriteria` is satisfied, and hand off with `missionControl.handoff`, `missionControl.runbook`, or the concise `missionControl.handoffPrompt`. Use `missionControl.reviewGate` as the autonomous-work stop boundary: finish the current checklist and proof, capture `git status --short` and `git diff --stat`, then wait for approval before another slice, release, publish, or deploy. Read `missionControl.reviewGate.worktree` for current worktree availability, changed-file count, base ref, and visible changed files. Use `missionControl.reviewGate.proof` when the reviewer needs the remaining proof queue without reading the full resume object. Read `missionControl.reviewGate.doneWhen` for the success criteria the reviewer must confirm before approving more work. Read `missionControl.reviewGate.policy` before continuing from a review handoff; it lists the actions blocked until explicit reviewer approval: another slice, release, publish, deploy, push, merge, and version bump. Use `projscan start --review-gate-json --intent "<goal>"` or saved `review-gate.json` when a script needs proof, worktree evidence, done criteria, decisions, and policy in one review object. Use `projscan start --review-policy --intent "<goal>"` or saved `review-policy.json` when a script only needs that approval boundary. Use `missionControl.reviewGate.decisions` as the approval menu in review gates, task cards, and runbooks; each decision includes copyable reviewer reply text so agents do not infer permission to continue, release, or publish. The default console review gate, saved mission bundle README, concise handoff prompt, `--review-replies`, and saved `review-replies.txt` show those replies for first-open review. `missionControl.handoff.reviewGate`, `--handoff-json`, and saved `handoff.json` carry that same gate for transfer-only flows. The handoff prompt starts with `missionControl.resume.prompt`, so it carries the current cursor, runnable command or blocked input instruction, labeled unlocks or blockers, done criteria, ready proof, review stop condition, and reviewer replies in one copyable sentence; the normal console prints that same value as `Handoff Prompt` without requiring JSON or `--include-handoff`, `projscan start --handoff-prompt --intent "<goal>"` prints only that prompt for piping or copy/paste, and the Markdown runbook renders it as `## Handoff Prompt` so copied runbooks carry the same next-agent prompt. When a human just needs the runnable shell step, `projscan start --next-command --intent "<goal>"` prints only the current cursor command; when an MCP agent needs the callable equivalent, `projscan start --next-tool-call --intent "<goal>"` prints the current cursor tool call as compact JSON. Cite `missionControl.proofSummary` plus the runnable-only `missionControl.proofCommands` in broad handoff notes, and use `missionControl.handoff.readyProof.items` when resuming because it is the complete ordered remaining-proof queue; each item carries its CLI command and an optional MCP `toolCall`. `missionControl.handoff.readyProof.commands` and `toolCalls` remain convenient command-only and MCP-callable views. If the repo has `AGENTLOOP.md` or `agentloop.config.json`, start adds `npm exec agentloop -- status` to the coordination/proof queue; if `.agentflight/config.json` exists, it adds `npm exec agentflight -- verify`. These harness commands are emitted for agents, scripts, saved mission bundles, and `--proof-commands`; start reports them but does not execute them. MCP agents should use `missionControl.resume.toolCall` when present, use `missionControl.resume.inputBindings` to map unlocked placeholders to input steps, then call `missionControl.resume.followUps` as the next template calls; when they need one ordered sequence, follow `missionControl.resume.checklist`, whose `run_proof` rows include `tool` and `args` for MCP-callable proof steps. The normal console `Resume Checklist` and Markdown runbook checklist print callable rows inline as `(MCP: ...)` and mark unmapped proof rows as `(CLI only)`, so a copied runbook or default terminal run remains self-contained even outside the JSON payload. After the current action, prefer `missionControl.resume.remainingProofItems` for complete proof, using `remainingProofToolCalls` for the callable MCP subset without rerunning the current command. Humans can run the matching `command`; the normal console `Ready Proof` command list, normal console `Proof Queue`, and runbook `Proof queue` all use remaining proof so the current cursor command is not repeated, and each queued item shows either its MCP call or `CLI only`. Use `projscan_understand` and `projscan_preflight` when you need broader context or a safety gate. Use `projscan_workplan` when you need an ordered execution plan, `projscan_agent_brief` for a compact handoff, and `projscan_evidence_pack --pr-comment` when you need reviewer-facing proof. Deeper tools such as `doctor`, `hotspots`, `dataflow`, `review`, `bug-hunt`, `quality-scorecard`, `dogfood`, and `trial` are follow-up tools.
+**Typical agent flow:** start with `projscan privacy-check`, then `projscan_start` with an optional plain-language intent. Start JSON also includes `dailyWorkflows`: the three repeated command paths for before-edit, before-handoff/commit, and release-candidate review. If no explicit mode is supplied, start infers the workflow mode from the intent, such as `before_commit` for commit-safety checks; read `modeSource` and `modeReason` to see whether the mode was explicit, inferred, or defaulted. `modeReason` distinguishes workflow-mode defaulting from action routing, so an impact intent can still route through Mission Control while the workflow stays `before_edit`. The `firstTenMinutes` path and current-worktree coordination hint follow that resolved mode, so a commit-safety start does not send the developer back through a before-edit gate. The normal console keeps linear missions focused on Daily Workflows, Mission Control, Resume Checklist, Ready Proof, first-ten commands, Adoption Follow-Up, and a Watch List when healthy p2-only evidence is visible. Follow `missionControl.actionPlan`, call `missionControl.readyActions` immediately, use `missionControl.executionPlan.currentPhase` as the cursor-aligned phase pointer, and use `missionControl.executionPlan.cursor.tool` / `args` when the cursor is directly MCP-callable. Use routed-intent weighted `confidence`, `score`, and `matchedKeywords` to judge weak or ambiguous matches, and read the same confidence line in console output when working manually. Fill any `missionControl.unresolvedInputs` before running placeholder follow-ups, inspect `missionControl.alternatives` when the intent mixes goals, stop only when `missionControl.successCriteria` is satisfied, and hand off with `missionControl.handoff`, `missionControl.runbook`, or the concise `missionControl.handoffPrompt`. Use `missionControl.reviewGate` as the autonomous-work stop boundary: finish the current checklist and proof, capture `git status --short` and `git diff --stat`, then wait for approval before another slice, release, publish, or deploy. Read `missionControl.reviewGate.worktree` for current worktree availability, changed-file count, base ref, and visible changed files. Use `missionControl.reviewGate.proof` when the reviewer needs the remaining proof queue without reading the full resume object. Read `missionControl.reviewGate.doneWhen` for the success criteria the reviewer must confirm before approving more work. Read `missionControl.reviewGate.policy` before continuing from a review handoff; it lists the actions blocked until explicit reviewer approval: another slice, release, publish, deploy, push, merge, and version bump. Use `projscan start --review-gate-json --intent "<goal>"` or saved `review-gate.json` when a script needs proof, worktree evidence, done criteria, decisions, and policy in one review object. Use `projscan start --review-policy --intent "<goal>"` or saved `review-policy.json` when a script only needs that approval boundary. Use `missionControl.reviewGate.decisions` as the approval menu in review gates, task cards, and runbooks; each decision includes copyable reviewer reply text so agents do not infer permission to continue, release, or publish. Saved mission bundle README, concise handoff prompt, `--review-replies`, and saved `review-replies.txt` show those replies for review handoffs. Inline `Handoff Prompt` and `Review Gate` sections appear when the mission has unresolved inputs or the caller explicitly requests handoff output. Use `--handoff-prompt`, `--review-gate`, `--review-replies`, `--handoff-json`, the Markdown runbook, or saved mission bundles when detailed handoff/review policy text is needed. `missionControl.handoff.reviewGate`, `--handoff-json`, and saved `handoff.json` carry that same gate for transfer-only flows. The handoff prompt starts with `missionControl.resume.prompt`, so it carries the current cursor, runnable command or blocked input instruction, labeled unlocks or blockers, done criteria, ready proof, review stop condition, and reviewer replies in one copyable sentence; `projscan start --handoff-prompt --intent "<goal>"` prints only that prompt for piping or copy/paste, and the Markdown runbook renders it as `## Handoff Prompt` so copied runbooks carry the same next-agent prompt. When a human just needs the runnable shell step, `projscan start --next-command --intent "<goal>"` prints only the current cursor command; when an MCP agent needs the callable equivalent, `projscan start --next-tool-call --intent "<goal>"` prints the current cursor tool call as compact JSON. Cite `missionControl.proofSummary` plus the runnable-only `missionControl.proofCommands` in broad handoff notes, and use `missionControl.handoff.readyProof.items` when resuming because it is the complete ordered remaining-proof queue; each item carries its CLI command and an optional MCP `toolCall`. `missionControl.handoff.readyProof.commands` and `toolCalls` remain convenient command-only and MCP-callable views. If the repo has `AGENTLOOP.md` or `agentloop.config.json`, start adds `npm exec agentloop -- status` to the coordination/proof queue; if `.agentflight/config.json` exists, it adds `npm exec agentflight -- verify`. These harness commands are emitted for agents, scripts, saved mission bundles, and `--proof-commands`; start reports them but does not execute them. MCP agents should use `missionControl.resume.toolCall` when present, use `missionControl.resume.inputBindings` to map unlocked placeholders to input steps, then call `missionControl.resume.followUps` as the next template calls; when they need one ordered sequence, follow `missionControl.resume.checklist`, whose `run_proof` rows include `tool` and `args` for MCP-callable proof steps. The normal console `Resume Checklist` and Markdown runbook checklist print callable rows inline as `(MCP: ...)` and mark unmapped proof rows as `(CLI only)`, so a copied runbook or default terminal run remains self-contained even outside the JSON payload. After the current action, prefer `missionControl.resume.remainingProofItems` for complete proof, using `remainingProofToolCalls` for the callable MCP subset without rerunning the current command. Humans can run the matching `command`; the normal console `Ready Proof` command list, normal console `Proof Queue`, and runbook `Proof queue` all use remaining proof so the current cursor command is not repeated, and each queued item shows either its MCP call or `CLI only`. Use `projscan_understand` and `projscan_preflight` when you need broader context or a safety gate. Use `projscan_workplan` when you need an ordered execution plan, `projscan_agent_brief` for a compact handoff, and `projscan_evidence_pack --pr-comment` when you need reviewer-facing proof. Deeper tools such as `doctor`, `hotspots`, `dataflow`, `review`, `bug-hunt`, `quality-scorecard`, `dogfood`, and `trial` are follow-up tools.
 
 For shortcut discovery, `projscan start --shortcuts --intent "<goal>"` prints the copyable command menu for the current mission, and `projscan start --shortcuts-json --intent "<goal>"` prints the same menu as JSON for agents and scripts. For shell copy/paste, `projscan start --mission-script --intent "<goal>"` prints a POSIX script that runs the current cursor command, then the remaining proof queue, then prints the review evidence commands. For MCP queue copy/paste, `projscan start --ready-tool-calls --intent "<goal>"` prints the current cursor call followed by remaining MCP-callable proof as compact JSON. For structured resume handoff, `projscan start --resume-json --intent "<goal>"` prints only `missionControl.resume`. For the complete transfer object, `projscan start --handoff-json --intent "<goal>"` prints only `missionControl.handoff`. For a file bundle, `projscan start --save-mission .projscan/mission --intent "<goal>"` writes `README.md`, `next-command.txt`, `next-tool-call.json`, `handoff-prompt.txt`, `resume-prompt.txt`, `task-card.md`, `review-gate.md`, `review-gate.json`, `review-policy.json`, `review-replies.txt`, the runbook, handoff JSON, resume JSON, `ready-tool-calls.json`, `shortcuts.json`, `mission.sh`, `status.sh`, `proof-logs/README.md`, `proof-logs/status.jsonl`, `proof-logs/run-report.md`, `proof-logs/summary.json`, proof commands, and manifest. Saved `mission.sh` writes current-command and proof-command output under `proof-logs/`, appends exit-code rows to `status.jsonl`, refreshes `run-report.md`, and writes `summary.json`, so reviewers and wrappers can scan pass/fail proof before opening raw logs. Bundle `status.sh` reads `summary.json` and uses exit codes `0`, `1`, and `2` for passed, failed, and not-ready states. For verification-only copy/paste, `projscan start --proof-commands --intent "<goal>"` prints the remaining ready proof commands one per line without the rest of the start report. For an ordered checklist without the full report, `projscan start --checklist --intent "<goal>"` prints only the resume checklist rows. For paste-ready PR, issue, or handoff notes, `projscan start --task-card --intent "<goal>"` prints the Markdown task card. MCP agents can read `missionControl.taskCard.markdown` when they need the same checklist without rendering it from `resume.checklist`. For stop-and-review notes, `projscan start --review-gate --intent "<goal>"` prints only `missionControl.reviewGate.markdown`, `projscan start --review-gate-json --intent "<goal>"` prints only the review gate JSON, `projscan start --review-policy --intent "<goal>"` prints only the review policy JSON, and `projscan start --review-replies --intent "<goal>"` prints only the copyable reviewer replies. For a full Markdown artifact, `projscan start --runbook --intent "<goal>"` prints the mission runbook. For post-run proof, `projscan mission-proof --mission .projscan/mission --format markdown` prints a paste-ready evidence report, while `--format json` keeps the same data machine-readable. Add `--list` to show saved mission bundles, status, update time, totals, and copyable resume/proof commands before choosing a target; add `--needs-attention` or `--mission-status failed` to focus that list. Add `--latest` to select the saved mission bundle with the newest `proof-logs/summary.json`. Add `--all` to include `.projscan/mission` and direct child bundles under `.projscan/missions/`. Add `--summary` when logs need one pass/fail line. Add `--require-passed` when a local script should fail unless every selected bundle passed. Add `--write reports/mission-proof.md` or `--write reports/mission-proof.json` when a reviewer, CI job, or next agent needs a saved local artifact. Run `projscan mission-proof --init-baseline manual-runs.json` before manual comparison if the team has not created the baseline file yet; use `--add-baseline-run manual-runs.json --id manual-1 --status passed --minutes-spent 25` to append measured manual runs without editing JSON. Run `--check-baseline manual-runs.json` before comparison when you want to validate the file without scanning mission bundles. Add `--format json` to baseline init, append, or check commands when a wrapper needs the written path, run count, added run, or totals. Baseline run IDs must be non-empty and unique; statuses must be `passed`, `failed`, `running`, `not_run`, or `unknown`; metric fields must be non-negative numbers.
 
@@ -436,11 +474,11 @@ and a sink wrapper is surfaced even when legacy taint reachability cannot see a
 downstream call path from source to sink. By default, dataflow suppresses test-file paths,
 broad readFile/writeFile-style noise, and JavaScript RegExp.exec false positives.
 Framework request-source detection covers narrow tested patterns for Next.js, Remix,
-SvelteKit, Hono, Express, Fastify, and Koa handlers, including SvelteKit
-`RequestEvent` request/body/url/params/cookies evidence, Hono validator output,
-Express/Fastify/Koa request IP metadata, Fastify host/hostname and raw
-URL/header evidence, and Express/Koa header accessors plus Express
-`req.param(...)` and `req.originalUrl`, while
+SvelteKit, Astro, Hono, Express, Fastify, and Koa handlers, including SvelteKit
+`RequestEvent` request/body/url/params/cookies evidence, Astro endpoint
+request/params evidence, Hono validator output, Express/Fastify/Koa request IP
+metadata, Fastify host/hostname and raw URL/header evidence, and Express/Koa
+header accessors plus Express `req.param(...)` and `req.originalUrl`, while
 keeping lookalike helpers quiet.
 
 For release hardening, `npm run check:graph-corpus` compares bundled fixture metrics against `docs/graph-corpus-baseline.json`. The gate fails only when graph coverage drops below the baseline or dataflow risks rise above it.
@@ -894,6 +932,7 @@ Machine-readable output. Useful for piping into other tools, storing results, or
 projscan analyze --format json | jq '.issues[] | select(.severity == "error")'
 projscan analyze --format json > analysis.json
 projscan analyze --report-scope src/api --redact-paths --format json > scoped-analysis.json
+projscan analyze --report-scope "src/api,packages/backend" --redact-paths --format json > scoped-analysis.json
 projscan analyze --report-policy apiEvidence --format json > scoped-analysis.json
 ```
 

package/docs/ROADMAP.md

@@ -1,14 +1,16 @@
 # ProjScan Roadmap
 
-Last reviewed 2026-06-17.
+Last reviewed 2026-06-18.
 
 ---
 
 ## Vision
 
-**The shared code-intelligence substrate that AI coding agents stand on.**
+**Local code evidence for repeatable engineering workflows.**
 
-Every agent — Claude Code, Cursor, Codex, Continue, custom orchestrations — needs the same things from the codebase it's editing: structural awareness, change-impact analysis, health signals, fix guidance. None of them want to build that themselves. projscan is the open, offline, agent-native MCP server that gives every agent the same accurate view, so they can spend their context and inference budget on the actual reasoning, not on grepping the repo.
+projscan is useful when engineers can repeat three daily workflows with local proof: before editing, before handoff or commit, and before release-candidate review.
+
+The CLI and MCP server support those workflows with cited repo context, change-impact analysis, health signals, coordination evidence, and reviewer-facing proof commands. Broader capabilities only matter when they make one of those workflows quieter, more accurate, or easier to review.
 
 ## Stable since 1.0
 
@@ -16,15 +18,15 @@ projscan 1.0 shipped 2026-05-04. The stability contract is in force: MCP tool na
 
 ## Strategic context
 
-Three forces define the next 12 months for projscan:
+Three practical forces define the next 12 months for projscan:
 
-1. **MCP is the de-facto standard.** The ecosystem has 10,000+ public servers; Claude Code, Cursor, Continue, Windsurf, and Codex all consume MCP. The protocol war is over; the value migrates to the _quality_ of individual servers. Code-intelligence is one of the highest-value categories.
-2. **Multi-agent orchestration is the dominant 2026 pattern.** Claude Agent Teams, swarms, sub-agents. The new pain point is _coordination_: agents have separate context windows and need a shared source-of-truth about the codebase. projscan's graph + cache + budget-aware tools are uniquely positioned to be that shared substrate.
-3. **Context-window cost compounds.** Token spend per turn is no longer the bottleneck — it's the _accumulated_ cost of carrying tool results, AST excerpts, and prior turns through every inference call. Agents that retrieve narrowly and budget aggressively win. projscan's `max_tokens`-aware response shaping, cursor pagination, and per-function chunking are exactly the primitives this trend rewards.
+1. **MCP adoption raises the quality bar.** Agents and editors can call local tools, but teams still trust outputs only when commands are specific, repeatable, and easy to verify.
+2. **Parallel agent work creates coordination risk.** Separate worktrees and context windows need local evidence for collisions, claims, merge order, and handoff boundaries before integration.
+3. **Context still has a cost.** Agents that retrieve narrow, cited code evidence leave more room for reasoning. `max_tokens` response shaping, cursor pagination, and per-function chunking are valuable only when they reduce review noise.
 
 ## The competitive picture
 
-| Tool                       | Position                                 | What they do well                                                         | What we beat them on                                                                                                                                                   |
+| Tool                       | Position                                 | What they do well                                                         | Current projscan edge to validate                                                                                                                                      |
 | -------------------------- | ---------------------------------------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **Code Pathfinder**        | Direct competitor (MCP code-intel)       | Deep static analysis: AST + CFG + DFG, dataflow tracking, security focus. | Language coverage (9 vs 1: Python). Composed agent tools (review / fix-suggest / impact / watch). Health signals (churn × CC, hotspots). Monorepo workspace awareness. |
 | **Sourcegraph Cody / Amp** | Enterprise paid tier                     | Cross-repo indexing at org scale. Polished editor integrations.           | Fully offline. Open source. No SaaS dependency. Free for everyone.                                                                                                     |
@@ -34,15 +36,15 @@ Three forces define the next 12 months for projscan:
 
 **Where we're vulnerable:** Code Pathfinder has deeper analysis (CFG, DFG) and a security-finding focus. If they ship a JavaScript or TypeScript adapter, our breadth lead narrows.
 
-**Where we lead:** breadth (11 languages), agent-native composition (one-call review, fix-suggest, impact), monorepo support, the 1.0 stability contract, and a cleaner agent-journey product story (diagnose → review → fix → reach → live).
+**Where projscan appears useful today:** breadth (11 languages), agent-native composition (one-call review, fix-suggest, impact), monorepo support, the 1.0 stability contract, and the three daily workflows this roadmap now treats as the proof path.
 
 ## Strategy
 
 Four plays, in order:
 
-1. **Defend the lead** — close the obvious gaps so users picking an MCP server for code intel have one less reason to go elsewhere. ✅ Largely complete (1.1–1.3).
-2. **Lean into multi-agent** — make projscan the _shared substrate_ for agent swarms. This is where the market is moving and where our context-budget design pays off. ✅ Largely shipped (1.4 Session, 1.5 Budgeted by default + Project Memory).
-3. **Become the operator, not the advisor** — stop suggesting and start acting (cross-repo, apply, security gate). ✅ Shipped in the 1.6 arc.
+1. **Defend the useful basics** — close the obvious gaps so the first local run gives cited context, not setup friction. ✅ Largely complete (1.1-1.3).
+2. **Make multi-agent work reviewable** — keep collisions, claims, merge order, and handoffs visible when several agents touch one repo. ✅ Largely shipped (1.4 Session, 1.5 Budgeted by default + Project Memory).
+3. **Turn advice into bounded local actions** — keep automated fixes, cross-repo reads, and security gates explicit, reversible, and reviewable. ✅ Shipped in the 1.6 arc.
 4. **Expand the moat** — depth where it matters (CFG / dataflow on hot paths, more languages, sub-file embeddings, cost analytics, live PR review, plugin extensibility). Not everywhere; we're not trying to be Cody. ✅ The 1.7 → 2.0 arc turns this into a platform contract.
 5. **Coordinate the swarm** — collision detection, claims/leases, merge-risk preflight, intent routing, one-call coordination, and live coordinate watch shipped across the 3.6 through 3.7 arc, with the 4.0 tool-surface consolidation now complete. The next work is evidence: prove which commands agents reach for in real multi-worktree sessions, then deepen only the paths that prevent integration failures.
 6. **Make agent proof release-ready** — 4.1 through 4.6 turned Mission Control into a goal → mission → proof → review harness and packaged the post-4.4 implementation train: current planning surfaces, adoption examples, precise framework dataflow, scoped/redacted evidence exports, Python upgrade previews, coordination evidence, public graph types, and hotspot maintainability cleanup.
@@ -56,21 +58,44 @@ We are _not_ trying to be:
 
 ## Now / Next / Later
 
-### Now — Post-4.6 Validation
+### Now — Post-4.8 Validation
+
+4.8.0 "Agent Research And Release Hardening" packages the latest post-4.7 validation train. The next work is validation and selective hardening from real use, not another broad feature push or another release push.
 
-4.6.0 "Agent Coordination And Routing Hardening" packages the latest post-4.4 implementation train. The next work is validation and selective hardening from real use, not another broad feature push or another release push.
+The next work is validation from real PRs and multi-agent sessions, not broader positioning.
 
 The active validation lines are:
 
 - **Swarm coordination evidence.** Validate how real agents use `collisions`, `claim`, `merge-risk`, `coordinate`, and `coordinate --watch`; deepen only the coordination paths that prevent integration failures.
 - **Evidence export adoption.** Prove scoped/redacted report controls work for partner, security, and release-review handoffs without leaking unnecessary repo structure.
 - **Python upgrade coverage.** Extend lockfile support only after Poetry and pinned-requirement evidence prove useful in real repos.
-- **Framework dataflow precision.** Add more framework patterns only when each has a narrow request source, sink, and false-positive fixture; current validation includes Remix route data and SvelteKit `RequestEvent` coverage.
+- **Framework dataflow precision.** Add more framework patterns only when each has a narrow request source, sink, and false-positive fixture; current validation includes Remix route data, SvelteKit `RequestEvent` coverage, and Astro endpoint request/params evidence.
 - **Hotspot maintainability.** Continue extracting and covering high-churn start/review/type surfaces when they show concrete review or defect risk.
 
 Strictly **local-first** throughout: same-repo / same-machine evidence, no daemon, no cloud, no hidden network calls, no new telemetry, and no secret-value reads.
 
-Success signals: teams copy the adoption examples into real reviews, scoped/redacted artifacts are accepted by reviewers, Python upgrade previews identify useful local evidence, coordination evidence explains multi-agent decisions, dataflow additions stay quiet on lookalikes, and release bug-hunts remain free of concrete defects.
+Success signals: teams copy the adoption examples into real reviews, scoped/redacted artifacts are accepted by reviewers, Python upgrade previews identify useful local evidence, coordination evidence explains multi-agent decisions, dataflow additions stay quiet on lookalikes, no-release continuation prompts stay in bounded workplans, and release bug-hunts remain free of concrete defects.
+
+### Recently Completed — 4.8.0 (2026)
+
+**4.8.0 "Agent Research And Release Hardening"** turned the post-4.7 agent-research loop into release-ready hardening:
+
+- SvelteKit `RequestEvent` handlers, server `load`, and hooks are covered by framework-gated request-source fixtures.
+- No-release continuation prompts route to bounded workplans while release, publish, deploy, push, merge, and version-bump actions stay blocked.
+- Scoped evidence prompts infer useful directory scopes such as `tests` and produce local analyze/doctor/CI commands.
+- Agent briefs carry clearer merge-order hints and preflight coordination proof paths for parallel-agent handoffs.
+- Python upgrade evidence handles numeric-looking package names, Poetry source lines, nested requirements, and nested constraints more reliably.
+- Mission Control route criteria, public start types, plugin loading, telemetry helpers, preflight/report assembly, code graph indexing, and HTML reporters were split into focused modules.
+
+### Recently Completed — 4.7.0 (2026)
+
+**4.7.0 "Roadmap Validation And Release Readiness"** deepened the validation train after 4.6:
+
+- Remix route request-source coverage detects `request` body readers, headers, URL, signal, and params with framework-gated false-positive fixtures.
+- Python requirements include traversal follows local `-r` requirement files and `-c` constraint files for offline upgrade previews.
+- Release-train roadmap routing and read-only roadmap preview evidence support build-next product-planning prompts.
+- Dataflow traversal, plugin manifest validation, file inspection, fix-suggest previews, search indexing, release evidence, and bug-hunt helpers moved into smaller modules.
+- Python lockfile, framework dataflow, intent router, preflight, MCP, and start tests were split into focused suites with architecture guards.
 
 ### Recently Completed — 4.6.0 (2026)
 

package/docs/demos/projscan-4-1-demo.html

@@ -427,7 +427,7 @@
         <div class="intro">
           <div>
             <p class="eyebrow">Mission Outcome Loop</p>
-            <h1>Resume from real proof.</h1>
+            <h1>Resume from saved proof.</h1>
             <p class="lead">
               projscan routes a developer goal, saves the mission, reads the proof state, and tells
               the next agent what changed, what remains, and whether the work is ready for version
@@ -548,7 +548,7 @@
         <div class="proof-header">
           <div>
             <p class="eyebrow">Proof, review, and adoption evidence</p>
-            <h2>Close the loop.</h2>
+            <h2>Check proof before release.</h2>
           </div>
           <p>
             Developers and agents can resume from a saved mission bundle, summarize pass/fail
@@ -577,9 +577,9 @@
               <span class="line term-heading">{"passed":1,"failed":0,</span>
               <span class="line success">&nbsp;"reruns":0,"reviewerApprovals":1}</span>
               <span class="line">&nbsp;</span>
-              <span class="line term-heading">Risk avoided</span>
+              <span class="line term-heading">Review signal</span>
               <span class="line success">- proof gate passed before release</span>
-              <span class="line success">- version review is safe to request</span>
+              <span class="line success">- request version review next</span>
               <span class="line notice">Next: projscan start --mission .projscan/mission</span>
             </div>
           </section>

package/docs/examples/adoption-workflows.md

@@ -5,6 +5,46 @@ habit. They are written around the personas in `docs/PERSONAS.md`: skeptical
 senior reviewer, platform lead, product engineer, release owner, and security
 reviewer.
 
+## Daily workflows engineers can trust
+
+Start with the workflows below before adding team policy, plugin, or rollout
+machinery.
+
+### Before editing a feature
+
+```bash
+projscan start --intent "what files do I need to change for auth?"
+projscan understand --view change --intent "add auth token refresh" --format json
+projscan preflight --mode before_edit --format json
+```
+
+Success criteria: the product engineer and agent agree on likely touched files,
+read-first context, and before-edit risk before code changes begin.
+
+### Before handoff or commit
+
+```bash
+projscan bug-hunt --format json
+projscan preflight --mode before_commit --format json
+projscan evidence-pack --pr-comment
+```
+
+Success criteria: the senior reviewer sees concrete defects, manual review
+gates, owner routing, and proof commands without reading the whole agent
+transcript.
+
+### Before release-candidate review
+
+```bash
+projscan release-train --format json
+projscan preflight --mode before_merge --format json
+projscan evidence-pack --pr-comment
+```
+
+Success criteria: the release owner gets read-only readiness evidence and a
+specific next action for `caution`, including manual sign-off when the signal is
+release scale rather than a concrete defect.
+
 ## 1. Agent Orchestration
 
 Use this when a team is standardizing how agents start work, prove changes, and
@@ -104,8 +144,16 @@ projscan start --intent "share redacted evidence for src/api with a partner" --f
 The routed start output returns the three artifact commands below as ready
 actions, using the requested scope when one is present in the intent.
 
+For a partner review that spans more than one area, name both scopes in the
+intent:
+
+```bash
+projscan start --intent "share redacted evidence for src/api and packages/backend with a partner" --format json
+```
+
 ```bash
 projscan analyze --report-scope src/api --redact-paths --format json > reports/api-analysis.json
+projscan analyze --report-scope "src/api,packages/backend" --redact-paths --format json > reports/api-backend-analysis.json
 projscan doctor --report-scope src/api --redact-paths --format markdown > reports/api-health.md
 projscan ci --report-scope src/api --redact-paths --format sarif > reports/api.sarif
 ```

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "4.8.0",
-  "description": "Agent-first code intelligence. MCP server (2025-03-26) with 11 AST adapters covering 12 named languages: JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; repo understanding maps (projscan_understand), stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), first-60-seconds workflow orientation (projscan_start), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
+  "version": "4.9.2",
+  "description": "Local code intelligence for agent-assisted engineering. Focused daily workflows for repo orientation before edits, proof before handoff or commit, and release-candidate review, with AST-backed evidence through an MCP server and CLI. Runs locally by default.",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "bin": {
-    "projscan": "./dist/cli/index.js"
+    "projscan": "dist/cli/index.js"
   },
   "files": [
     "dist",
@@ -60,7 +60,7 @@
     "release:check": "node scripts/release-check.mjs",
     "security:release-gate": "node scripts/release-gate.mjs",
     "sbom:generate": "node scripts/generate-sbom.mjs",
-    "prepare": "npm run build",
+    "prepack": "npm run build",
     "check:graph-corpus": "node scripts/check-graph-corpus.mjs",
     "test:trust-smoke": "vitest run --exclude '.worktrees/**' tests/cli/privacyCheck.test.ts tests/cli/start.test.ts tests/cli/preflight.test.ts tests/mcp/start.test.ts tests/mcp/preflight.test.ts tests/mcp/fileChangedNotifications.test.ts tests/core/repositoryScanner.gitignore.test.ts tests/core/issueEngine.trustConfig.test.ts tests/utils/changedFiles.test.ts tests/core/auditRunner.offline.test.ts tests/core/upgradePreview.checkRegistry.test.ts tests/core/telemetry.test.ts tests/analyzers/securityCheck.test.ts --test-timeout 60000 --hook-timeout 60000"
   },
@@ -85,7 +85,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/abhiyoheswaran1/projscan.git"
+    "url": "git+https://github.com/abhiyoheswaran1/projscan.git"
   },
   "homepage": "https://github.com/abhiyoheswaran1/projscan#readme",
   "bugs": {
@@ -101,13 +101,6 @@
     "commander": "^12.1.0",
     "fast-glob": "^3.3.2",
     "ora": "^8.1.0",
-    "tree-sitter-c-sharp": "^0.23.5",
-    "tree-sitter-go": "^0.25.0",
-    "tree-sitter-java": "^0.23.5",
-    "tree-sitter-php": "^0.23.12",
-    "tree-sitter-python": "^0.25.0",
-    "tree-sitter-ruby": "^0.23.1",
-    "tree-sitter-rust": "^0.23.3",
     "web-tree-sitter": "^0.26.8"
   },
   "peerDependencies": {
@@ -127,8 +120,15 @@
     "eslint": "^10.0.3",
     "prettier": "^3.8.4",
     "tree-sitter-cli": "^0.26.8",
+    "tree-sitter-c-sharp": "^0.23.5",
     "tree-sitter-cpp": "^0.23.4",
+    "tree-sitter-go": "^0.25.0",
+    "tree-sitter-java": "^0.23.5",
     "tree-sitter-kotlin": "^0.3.8",
+    "tree-sitter-php": "^0.23.12",
+    "tree-sitter-python": "^0.25.0",
+    "tree-sitter-ruby": "^0.23.1",
+    "tree-sitter-rust": "^0.23.3",
     "tree-sitter-swift": "^0.7.1",
     "typescript": "^5.6.0",
     "typescript-eslint": "^8.57.0",