sentinelayer-cli 0.1.1 → 0.3.0

package/bin/create-sentinelayer.js

@@ -1,5 +1,5 @@
-#!/usr/bin/env node
-
-import { runCli } from "../src/cli.js";
-
-await runCli();
+#!/usr/bin/env node
+
+import { runCli } from "../src/cli.js";
+
+await runCli();

package/bin/sentinelayer-cli.js

@@ -1,5 +1,5 @@
-#!/usr/bin/env node
-
-import { runCli } from "../src/cli.js";
-
+#!/usr/bin/env node
+
+import { runCli } from "../src/cli.js";
+
 await runCli();

package/bin/sl.js

@@ -1,5 +1,5 @@
-#!/usr/bin/env node
-
-import { runCli } from "../src/cli.js";
-
-await runCli();
+#!/usr/bin/env node
+
+import { runCli } from "../src/cli.js";
+
+await runCli();

package/package.json

@@ -1,54 +1,62 @@
-{
-  "name": "sentinelayer-cli",
-  "version": "0.1.1",
-  "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
-  "type": "module",
-  "scripts": {
-    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js",
-    "test": "npm run test:unit && npm run test:e2e",
-    "test:unit": "node --test tests/unit*.test.mjs",
-    "test:e2e": "node --test tests/e2e.test.mjs",
-    "test:coverage": "c8 node --test tests/unit*.test.mjs",
-    "verify": "npm run check && npm run test:e2e && npm run test:coverage && npm pack --dry-run"
-  },
-  "bin": {
-    "sentinelayer-cli": "bin/sentinelayer-cli.js",
-    "create-sentinelayer": "bin/create-sentinelayer.js",
-    "sentinel": "bin/create-sentinelayer.js",
-    "sl": "bin/sl.js"
-  },
-  "files": [
-    "bin",
-    "src",
-    "README.md"
-  ],
-  "engines": {
-    "node": ">=18.17.0"
-  },
-  "keywords": [
-    "sentinelayer",
-    "sentinelayer-cli",
-    "omar-gate",
-    "security",
-    "scaffold",
-    "cli"
-  ],
-  "license": "MIT",
-  "dependencies": {
-    "@babel/parser": "7.29.2",
-    "cli-highlight": "2.1.11",
-    "commander": "14.0.1",
-    "ignore": "7.0.5",
-    "open": "10.1.2",
-    "picocolors": "1.1.1",
-    "prompts": "2.4.2",
-    "yaml": "2.8.3",
-    "zod": "4.1.12"
-  },
-  "optionalDependencies": {
-    "keytar": "7.9.0"
-  },
-  "devDependencies": {
-    "c8": "10.1.3"
-  }
-}
+{
+  "name": "sentinelayer-cli",
+  "version": "0.3.0",
+  "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
+  "type": "module",
+  "scripts": {
+    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js && node --check src/telemetry/sync.js && node --check src/telemetry/session-tracker.js && node --check src/interactive/workspace.js && node --check src/interactive/auto-ingest.js && node --check src/interactive/action-menu.js && node --check src/interactive/index.js && node --check src/daemon/ingest-refresh.js",
+    "test": "npm run test:unit && npm run test:e2e",
+    "test:unit": "node --test tests/unit*.test.mjs",
+    "test:e2e": "node --test tests/e2e.test.mjs",
+    "test:coverage": "c8 node --test tests/unit*.test.mjs",
+    "verify": "npm run check && npm run test:e2e && npm run test:coverage && npm pack --dry-run"
+  },
+  "bin": {
+    "sentinelayer-cli": "bin/sentinelayer-cli.js",
+    "create-sentinelayer": "bin/create-sentinelayer.js",
+    "sentinel": "bin/create-sentinelayer.js",
+    "sl": "bin/sl.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18.17.0"
+  },
+  "keywords": [
+    "sentinelayer",
+    "sentinelayer-cli",
+    "omar-gate",
+    "security",
+    "scaffold",
+    "cli"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mrrCarter/create-sentinelayer"
+  },
+  "homepage": "https://github.com/mrrCarter/create-sentinelayer#readme",
+  "bugs": {
+    "url": "https://github.com/mrrCarter/create-sentinelayer/issues"
+  },
+  "dependencies": {
+    "@babel/parser": "7.29.2",
+    "cli-highlight": "2.1.11",
+    "commander": "14.0.1",
+    "ignore": "7.0.5",
+    "open": "10.1.2",
+    "picocolors": "1.1.1",
+    "prompts": "2.4.2",
+    "yaml": "2.8.3",
+    "zod": "4.1.12"
+  },
+  "optionalDependencies": {
+    "keytar": "7.9.0"
+  },
+  "devDependencies": {
+    "c8": "10.1.3"
+  }
+}

package/src/agents/jules/config/definition.js

@@ -1,209 +1,209 @@
-/**
- * Jules Tanaka — Agent Definition
- *
- * Declarative configuration for the Jules Tanaka frontend audit persona.
- * Used by the audit orchestrator and standalone invocation to configure
- * tools, budget, scope, persona identity, and visual styling.
- */
-
-export const JULES_DEFINITION = Object.freeze({
-  id: "frontend",
-  persona: "Jules Tanaka",
-  fullTitle: "SentinelLayer Frontend Specialist",
-  domain: "frontend_runtime",
-  signature: "— Jules Tanaka, SentinelLayer Frontend Specialist",
-
-  // Visual identity
-  color: "cyan",
-  avatar: "\u{1F3AF}", // 🎯
-  shortName: "Jules",
-
-  // Execution constraints
-  permissionMode: "plan", // read-only for audit
-  fixPermissionMode: "worktree", // worktree isolation for fix mode
-  maxTurns: 25,
-  maxSubAgents: 4,
-
-  // Budget
-  budget: {
-    maxCostUsd: 5.0,
-    maxOutputTokens: 12000,
-    maxRuntimeMs: 300000, // 5 minutes
-    maxToolCalls: 150,
-    warningThresholdPercent: 70,
-  },
-
-  // Tool access (audit mode)
-  auditTools: ["FileRead", "Grep", "Glob", "FrontendAnalyze", "RuntimeAudit", "AuthAudit"],
-
-  // Tool access (fix mode — adds write capabilities in worktree)
-  fixTools: ["FileRead", "Grep", "Glob", "FrontendAnalyze", "FileEdit", "Shell"],
-
-  // Tools never allowed
-  disallowedTools: [],
-
-  // Scope patterns (used when no explicit scope map provided)
-  defaultScope: {
-    primaryPatterns: [
-      "src/app/**", "src/pages/**", "src/components/**",
-      "src/hooks/**", "src/contexts/**", "src/providers/**",
-      "app/**", "pages/**", "components/**",
-    ],
-    secondaryPatterns: [
-      "src/lib/**", "src/utils/**", "src/styles/**",
-      "src/middleware.*", "next.config.*", "vite.config.*",
-      "tailwind.config.*", "webpack.config.*",
-    ],
-    tertiaryPatterns: [
-      "tests/**", "**/*.test.*", "**/*.spec.*",
-      "**/*.stories.*", "cypress/**", "playwright/**",
-    ],
-  },
-
-  // Evidence requirements
-  evidenceRequirements: [
-    "file_path_and_line",
-    "reproduction_steps",
-    "user_impact_statement",
-  ],
-  confidenceFloor: 0.75,
-
-  // Escalation
-  escalationTargets: ["security", "testing", "performance"],
-
-  // Agent modes
-  modes: {
-    primary: "maximize recall over the reachable frontend runtime graph",
-    secondary: "attack blind spots: SSR/CSR seams, middleware, caching, headers, providers, tests, CI, mobile",
-    tertiary: "adversarial verifier: falsify weak findings, detect contamination, collapse noise",
-  },
-
-  // Swarm configuration (for large codebases)
-  swarm: {
-    spawnThresholds: {
-      minFiles: 15,
-      minRouteGroups: 3,
-      minLoc: 5000,
-    },
-    maxFilesPerScanner: 12,
-    maxConcurrent: 4,
-    hunterTypes: ["xss", "state", "hydration", "a11y", "perf", "security"],
-  },
-
-  // Performance thresholds (SWE Excellence Framework defaults)
-  thresholds: {
-    LCP_good_ms: 2500,
-    LCP_poor_ms: 4000,
-    INP_good_ms: 200,
-    INP_poor_ms: 500,
-    CLS_good: 0.1,
-    CLS_poor: 0.25,
-    initial_js_target_kb: 200,
-    initial_js_critical_kb: 500,
-    initial_css_target_kb: 50,
-    per_route_chunk_target_kb: 100,
-    per_route_chunk_critical_kb: 200,
-    useState_normal: 5,
-    useState_scrutiny: 10,
-    useState_refactor: 15,
-    useState_god: 16,
-    component_loc_hotspot: 300,
-    component_loc_god: 700,
-  },
-
-  // Severity model
-  severityExamples: {
-    P0: [
-      "white screen or hydration crash on critical route",
-      "clearly poor mobile LCP on key journey",
-      "broken keyboard-only critical flow",
-      "unsafe HTML injection on untrusted content",
-      "core journey impossible to complete on mobile",
-    ],
-    P1: [
-      "severe bundle bloat on hot route",
-      "repeated stale-closure / cleanup bugs in critical UI",
-      "major accessibility failures on core flow",
-      "broken cache/data refresh behavior",
-      "strong evidence of jank on frequent interaction",
-    ],
-    P2: [
-      "localized but real performance regressions",
-      "medium-sized god components",
-      "weak error/loading states",
-      "missing mobile fallback in important but non-core surfaces",
-      "weak regression coverage for risky touched code",
-    ],
-  },
-
-  // Automation safety classification
-  automationSafety: {
-    green: "auto-safe, no user-flow change",
-    yellow: "draft + human approval + QA signoff",
-    red: "escalate, no autonomous change",
-    alwaysYellowOrRed: [
-      "auth flow", "payment UI", "data collection",
-      "trust-critical UX", "cookie/session handling",
-      "third-party script loading",
-    ],
-  },
-});
-
-/**
- * All 13 SentinelLayer personas — visual identity, domain specialty, and bias.
- * Jules Tanaka was the first onboarded, but every persona follows the same
- * tool-equipped, budget-governed, isolated-context architecture.
- */
-export const PERSONA_VISUALS = Object.freeze({
-  frontend:        { color: "cyan",    avatar: "\u{1F3AF}", shortName: "Jules",  fullName: "Jules Tanaka",     domain: "frontend_runtime",      specialty: "React/Next.js/Vue production specialist — hydration safety, render cost, accessibility, bundle weight, mobile responsiveness", bias: "user-perceived performance over vanity optimization" },
-  security:        { color: "red",     avatar: "\u{1F6E1}\uFE0F", shortName: "Nina",   fullName: "Nina Patel",       domain: "security_overlay",      specialty: "AuthZ breaks, secret exposure, injection paths, policy bypass, externally reachable abuse conditions", bias: "assume hostile inputs until proven safe" },
-  backend:         { color: "blue",    avatar: "\u2699\uFE0F",    shortName: "Maya",   fullName: "Maya Volkov",      domain: "backend_runtime",       specialty: "Unsafe request handling, runtime crashes, unbounded work, validation gaps, server-side trust boundary failures", bias: "every request is potentially adversarial" },
-  testing:         { color: "green",   avatar: "\u{1F9EA}",       shortName: "Priya",  fullName: "Priya Raman",      domain: "testing_correctness",   specialty: "Missing regression coverage, false confidence from shallow tests, broken invariants with no executable proof", bias: "tests that pass but miss real bugs are worse than no tests" },
-  release:         { color: "yellow",  avatar: "\u{1F680}",       shortName: "Omar",   fullName: "Omar Singh",       domain: "release_engineering",   specialty: "CI/CD integrity, workflow trust, artifact provenance, bypassable gates, unsafe deployment automation", bias: "every deployment is a security boundary" },
-  "code-quality":  { color: "purple",  avatar: "\u{1F48E}",       shortName: "Ethan",  fullName: "Ethan Park",       domain: "code_quality",          specialty: "Complexity hotspots, unsafe shortcuts, brittle structure, maintenance risks that hide future defects", bias: "simplicity is a security feature" },
-  infrastructure:  { color: "orange",  avatar: "\u{1F3D7}\uFE0F", shortName: "Kat",    fullName: "Kat Hughes",       domain: "infrastructure",        specialty: "IAM blast radius, public exposure, network posture, secrets placement, infrastructure policy drift", bias: "least privilege by default, explicit escalation required" },
-  data:            { color: "pink",    avatar: "\u{1F5C4}\uFE0F", shortName: "Linh",   fullName: "Linh Tran",        domain: "data_layer",            specialty: "Query safety, migration drift, integrity failures, tenancy leaks, schema/application mismatches", bias: "data integrity is non-negotiable" },
-  observability:   { color: "magenta", avatar: "\u{1F4CA}",       shortName: "Sofia",  fullName: "Sofia Alvarez",    domain: "observability",         specialty: "Missing telemetry, broken alerting, weak auditability, blind spots that hide failures or attacks", bias: "if you can't observe it, you can't secure it" },
-  reliability:     { color: "white",   avatar: "\u{1F504}",       shortName: "Noah",   fullName: "Noah Ben-David",   domain: "reliability_sre",       specialty: "Timeout safety, retry storms, backlog growth, partial failure handling, operational blast radius", bias: "graceful degradation over silent failure" },
-  documentation:   { color: "gray",    avatar: "\u{1F4DD}",       shortName: "Samir",  fullName: "Samir Okafor",     domain: "docs_knowledge",        specialty: "Operational drift between docs and code, missing runbook steps, misleading instructions that break operators", bias: "documentation is a contract, not decoration" },
-  "supply-chain":  { color: "brown",   avatar: "\u{1F4E6}",       shortName: "Nora",   fullName: "Nora Kline",       domain: "supply_chain",          specialty: "Dependency risk, provenance gaps, pinning drift, artifact trust, compromised build inputs", bias: "every dependency is a trust decision" },
-  "ai-governance": { color: "violet",  avatar: "\u{1F916}",       shortName: "Amina",  fullName: "Amina Chen",       domain: "ai_pipeline",           specialty: "Prompt injection, tool abuse, eval regressions, unsafe model routing, guardrail bypass, policy drift in agentic flows", bias: "AI autonomy requires proportional governance" },
-});
-
-/**
- * Resolve persona visual identity by agent ID or persona name.
- */
-export function resolvePersonaVisual(idOrName) {
-  if (!idOrName) return null;
-  const lower = String(idOrName).toLowerCase();
-
-  // Direct ID match
-  if (PERSONA_VISUALS[lower]) return { id: lower, ...PERSONA_VISUALS[lower] };
-
-  // Name match (first name or full name)
-  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
-    if (visual.shortName.toLowerCase() === lower || visual.fullName.toLowerCase() === lower) {
-      return { id, ...visual };
-    }
-  }
-
-  return null;
-}
-
-/**
- * List all persona IDs for autocomplete.
- */
-export function listPersonaIds() {
-  return Object.keys(PERSONA_VISUALS);
-}
-
-/**
- * List all persona names (short + full) for autocomplete.
- */
-export function listPersonaNames() {
-  const names = [];
-  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
-    names.push(id, visual.shortName.toLowerCase(), visual.fullName.toLowerCase());
-  }
-  return names;
-}
+/**
+ * Jules Tanaka — Agent Definition
+ *
+ * Declarative configuration for the Jules Tanaka frontend audit persona.
+ * Used by the audit orchestrator and standalone invocation to configure
+ * tools, budget, scope, persona identity, and visual styling.
+ */
+
+export const JULES_DEFINITION = Object.freeze({
+  id: "frontend",
+  persona: "Jules Tanaka",
+  fullTitle: "SentinelLayer Frontend Specialist",
+  domain: "frontend_runtime",
+  signature: "— Jules Tanaka, SentinelLayer Frontend Specialist",
+
+  // Visual identity
+  color: "cyan",
+  avatar: "\u{1F3AF}", // 🎯
+  shortName: "Jules",
+
+  // Execution constraints
+  permissionMode: "plan", // read-only for audit
+  fixPermissionMode: "worktree", // worktree isolation for fix mode
+  maxTurns: 25,
+  maxSubAgents: 4,
+
+  // Budget
+  budget: {
+    maxCostUsd: 5.0,
+    maxOutputTokens: 12000,
+    maxRuntimeMs: 300000, // 5 minutes
+    maxToolCalls: 150,
+    warningThresholdPercent: 70,
+  },
+
+  // Tool access (audit mode)
+  auditTools: ["FileRead", "Grep", "Glob", "FrontendAnalyze", "RuntimeAudit", "AuthAudit"],
+
+  // Tool access (fix mode — adds write capabilities in worktree)
+  fixTools: ["FileRead", "Grep", "Glob", "FrontendAnalyze", "FileEdit", "Shell"],
+
+  // Tools never allowed
+  disallowedTools: [],
+
+  // Scope patterns (used when no explicit scope map provided)
+  defaultScope: {
+    primaryPatterns: [
+      "src/app/**", "src/pages/**", "src/components/**",
+      "src/hooks/**", "src/contexts/**", "src/providers/**",
+      "app/**", "pages/**", "components/**",
+    ],
+    secondaryPatterns: [
+      "src/lib/**", "src/utils/**", "src/styles/**",
+      "src/middleware.*", "next.config.*", "vite.config.*",
+      "tailwind.config.*", "webpack.config.*",
+    ],
+    tertiaryPatterns: [
+      "tests/**", "**/*.test.*", "**/*.spec.*",
+      "**/*.stories.*", "cypress/**", "playwright/**",
+    ],
+  },
+
+  // Evidence requirements
+  evidenceRequirements: [
+    "file_path_and_line",
+    "reproduction_steps",
+    "user_impact_statement",
+  ],
+  confidenceFloor: 0.75,
+
+  // Escalation
+  escalationTargets: ["security", "testing", "performance"],
+
+  // Agent modes
+  modes: {
+    primary: "maximize recall over the reachable frontend runtime graph",
+    secondary: "attack blind spots: SSR/CSR seams, middleware, caching, headers, providers, tests, CI, mobile",
+    tertiary: "adversarial verifier: falsify weak findings, detect contamination, collapse noise",
+  },
+
+  // Swarm configuration (for large codebases)
+  swarm: {
+    spawnThresholds: {
+      minFiles: 15,
+      minRouteGroups: 3,
+      minLoc: 5000,
+    },
+    maxFilesPerScanner: 12,
+    maxConcurrent: 4,
+    hunterTypes: ["xss", "state", "hydration", "a11y", "perf", "security"],
+  },
+
+  // Performance thresholds (SWE Excellence Framework defaults)
+  thresholds: {
+    LCP_good_ms: 2500,
+    LCP_poor_ms: 4000,
+    INP_good_ms: 200,
+    INP_poor_ms: 500,
+    CLS_good: 0.1,
+    CLS_poor: 0.25,
+    initial_js_target_kb: 200,
+    initial_js_critical_kb: 500,
+    initial_css_target_kb: 50,
+    per_route_chunk_target_kb: 100,
+    per_route_chunk_critical_kb: 200,
+    useState_normal: 5,
+    useState_scrutiny: 10,
+    useState_refactor: 15,
+    useState_god: 16,
+    component_loc_hotspot: 300,
+    component_loc_god: 700,
+  },
+
+  // Severity model
+  severityExamples: {
+    P0: [
+      "white screen or hydration crash on critical route",
+      "clearly poor mobile LCP on key journey",
+      "broken keyboard-only critical flow",
+      "unsafe HTML injection on untrusted content",
+      "core journey impossible to complete on mobile",
+    ],
+    P1: [
+      "severe bundle bloat on hot route",
+      "repeated stale-closure / cleanup bugs in critical UI",
+      "major accessibility failures on core flow",
+      "broken cache/data refresh behavior",
+      "strong evidence of jank on frequent interaction",
+    ],
+    P2: [
+      "localized but real performance regressions",
+      "medium-sized god components",
+      "weak error/loading states",
+      "missing mobile fallback in important but non-core surfaces",
+      "weak regression coverage for risky touched code",
+    ],
+  },
+
+  // Automation safety classification
+  automationSafety: {
+    green: "auto-safe, no user-flow change",
+    yellow: "draft + human approval + QA signoff",
+    red: "escalate, no autonomous change",
+    alwaysYellowOrRed: [
+      "auth flow", "payment UI", "data collection",
+      "trust-critical UX", "cookie/session handling",
+      "third-party script loading",
+    ],
+  },
+});
+
+/**
+ * All 13 SentinelLayer personas — visual identity, domain specialty, and bias.
+ * Jules Tanaka was the first onboarded, but every persona follows the same
+ * tool-equipped, budget-governed, isolated-context architecture.
+ */
+export const PERSONA_VISUALS = Object.freeze({
+  frontend:        { color: "cyan",    avatar: "\u{1F3AF}", shortName: "Jules",  fullName: "Jules Tanaka",     domain: "frontend_runtime",      specialty: "React/Next.js/Vue production specialist — hydration safety, render cost, accessibility, bundle weight, mobile responsiveness", bias: "user-perceived performance over vanity optimization" },
+  security:        { color: "red",     avatar: "\u{1F6E1}\uFE0F", shortName: "Nina",   fullName: "Nina Patel",       domain: "security_overlay",      specialty: "AuthZ breaks, secret exposure, injection paths, policy bypass, externally reachable abuse conditions", bias: "assume hostile inputs until proven safe" },
+  backend:         { color: "blue",    avatar: "\u2699\uFE0F",    shortName: "Maya",   fullName: "Maya Volkov",      domain: "backend_runtime",       specialty: "Unsafe request handling, runtime crashes, unbounded work, validation gaps, server-side trust boundary failures", bias: "every request is potentially adversarial" },
+  testing:         { color: "green",   avatar: "\u{1F9EA}",       shortName: "Priya",  fullName: "Priya Raman",      domain: "testing_correctness",   specialty: "Missing regression coverage, false confidence from shallow tests, broken invariants with no executable proof", bias: "tests that pass but miss real bugs are worse than no tests" },
+  release:         { color: "yellow",  avatar: "\u{1F680}",       shortName: "Omar",   fullName: "Omar Singh",       domain: "release_engineering",   specialty: "CI/CD integrity, workflow trust, artifact provenance, bypassable gates, unsafe deployment automation", bias: "every deployment is a security boundary" },
+  "code-quality":  { color: "purple",  avatar: "\u{1F48E}",       shortName: "Ethan",  fullName: "Ethan Park",       domain: "code_quality",          specialty: "Complexity hotspots, unsafe shortcuts, brittle structure, maintenance risks that hide future defects", bias: "simplicity is a security feature" },
+  infrastructure:  { color: "orange",  avatar: "\u{1F3D7}\uFE0F", shortName: "Kat",    fullName: "Kat Hughes",       domain: "infrastructure",        specialty: "IAM blast radius, public exposure, network posture, secrets placement, infrastructure policy drift", bias: "least privilege by default, explicit escalation required" },
+  data:            { color: "pink",    avatar: "\u{1F5C4}\uFE0F", shortName: "Linh",   fullName: "Linh Tran",        domain: "data_layer",            specialty: "Query safety, migration drift, integrity failures, tenancy leaks, schema/application mismatches", bias: "data integrity is non-negotiable" },
+  observability:   { color: "magenta", avatar: "\u{1F4CA}",       shortName: "Sofia",  fullName: "Sofia Alvarez",    domain: "observability",         specialty: "Missing telemetry, broken alerting, weak auditability, blind spots that hide failures or attacks", bias: "if you can't observe it, you can't secure it" },
+  reliability:     { color: "white",   avatar: "\u{1F504}",       shortName: "Noah",   fullName: "Noah Ben-David",   domain: "reliability_sre",       specialty: "Timeout safety, retry storms, backlog growth, partial failure handling, operational blast radius", bias: "graceful degradation over silent failure" },
+  documentation:   { color: "gray",    avatar: "\u{1F4DD}",       shortName: "Samir",  fullName: "Samir Okafor",     domain: "docs_knowledge",        specialty: "Operational drift between docs and code, missing runbook steps, misleading instructions that break operators", bias: "documentation is a contract, not decoration" },
+  "supply-chain":  { color: "brown",   avatar: "\u{1F4E6}",       shortName: "Nora",   fullName: "Nora Kline",       domain: "supply_chain",          specialty: "Dependency risk, provenance gaps, pinning drift, artifact trust, compromised build inputs", bias: "every dependency is a trust decision" },
+  "ai-governance": { color: "violet",  avatar: "\u{1F916}",       shortName: "Amina",  fullName: "Amina Chen",       domain: "ai_pipeline",           specialty: "Prompt injection, tool abuse, eval regressions, unsafe model routing, guardrail bypass, policy drift in agentic flows", bias: "AI autonomy requires proportional governance" },
+});
+
+/**
+ * Resolve persona visual identity by agent ID or persona name.
+ */
+export function resolvePersonaVisual(idOrName) {
+  if (!idOrName) return null;
+  const lower = String(idOrName).toLowerCase();
+
+  // Direct ID match
+  if (PERSONA_VISUALS[lower]) return { id: lower, ...PERSONA_VISUALS[lower] };
+
+  // Name match (first name or full name)
+  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
+    if (visual.shortName.toLowerCase() === lower || visual.fullName.toLowerCase() === lower) {
+      return { id, ...visual };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * List all persona IDs for autocomplete.
+ */
+export function listPersonaIds() {
+  return Object.keys(PERSONA_VISUALS);
+}
+
+/**
+ * List all persona names (short + full) for autocomplete.
+ */
+export function listPersonaNames() {
+  const names = [];
+  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
+    names.push(id, visual.shortName.toLowerCase(), visual.fullName.toLowerCase());
+  }
+  return names;
+}