sentinelayer-cli 0.4.5 → 0.8.0

package/src/prompt/generator.js

@@ -34,6 +34,12 @@ const TARGET_GUIDANCE = Object.freeze({
   ],
 });
 
+const SESSION_COORDINATION_GUIDANCE = Object.freeze([
+  "Multi-agent coordination: use `sl session` commands to communicate with other agents.",
+  "Always update the session chat room with your current activity so joining agents have context.",
+  "Never break your autonomous loop on unexpected file changes; ask in the session first.",
+]);
+
 function normalizeTarget(target) {
   const normalized = String(target || "generic").trim().toLowerCase();
   if (!SUPPORTED_PROMPT_TARGETS.includes(normalized)) {
@@ -55,6 +61,14 @@ function buildAgentHeader(target) {
   return headers[target] || headers.generic;
 }
 
+function shouldAppendSessionGuidance(specMarkdown) {
+  const normalized = String(specMarkdown || "").toLowerCase();
+  if (!normalized) {
+    return false;
+  }
+  return normalized.includes("coordination protocol") || normalized.includes("session");
+}
+
 export function resolvePromptTarget(target) {
   return normalizeTarget(target);
 }
@@ -81,7 +95,11 @@ export function generateExecutionPrompt({
     throw new Error("Spec content is empty. Generate or provide a spec before creating a prompt.");
   }
 
-  const guidanceMarkdown = guidance.map((item, index) => `${index + 1}. ${item}`).join("\n");
+  const operatingRules = [...guidance];
+  if (shouldAppendSessionGuidance(specText)) {
+    operatingRules.push(...SESSION_COORDINATION_GUIDANCE);
+  }
+  const guidanceMarkdown = operatingRules.map((item, index) => `${index + 1}. ${item}`).join("\n");
 
   const hasAidenId = specText.toLowerCase().includes("aidenid");
   const aidenidGuidance = hasAidenId

package/src/review/ai-review.js

@@ -413,11 +413,21 @@ export async function runAiReviewLayer({
   const normalizedRunId = normalizeString(runId) || "review-ai";
 
   const config = await loadConfig({ cwd: normalizedTargetPath, env });
-  const resolvedProvider = resolveProvider({
+  let resolvedProvider = resolveProvider({
     provider,
     configProvider: config.resolved.defaultModelProvider,
     env,
   });
+  // If no explicit provider and default fell through to openai,
+  // check for stored sentinelayer session (async fallback)
+  if (resolvedProvider === "openai" && !provider && !config.resolved.defaultModelProvider) {
+    try {
+      const { resolveProviderAsync } = await import("../ai/client.js");
+      resolvedProvider = await resolveProviderAsync({ env });
+    } catch {
+      // keep sync result
+    }
+  }
   const resolvedModel = resolveModel({
     provider: resolvedProvider,
     model,

package/src/review/local-review.js

@@ -14,8 +14,34 @@ const IGNORED_DIRS = new Set([
   ".next",
   "dist",
   "build",
+  "out",
+  "coverage",
+  "__pycache__",
+  ".turbo",
+  ".cache",
+  ".parcel-cache",
+  ".svelte-kit",
+  ".nuxt",
+  ".output",
+  ".vercel",
   ".sentinelayer",
+  // v0.7 (2026-04-16): exclude generated demo/e2e folders that create massive
+  // self-scan noise. These are fixtures produced by the CLI itself and
+  // contain intentionally-naive demo code that pollutes reviewer signal.
+  "demo-e2e-cli-todo",
+  "demo-playground",
+  "e2e-demo-2026-04-10",
+  ".worktree-runtime",
 ]);
+
+// Paths that are always "test-like" — rules with high false-positive rates
+// in tests (hardcoded localhost, HTTP literals, example credentials) should
+// suppress or demote findings here. Keep narrow; do not suppress P0/P1.
+const TEST_LIKE_PATH_PATTERN = /(?:^|[\\/])(?:tests?|__tests__|fixtures?|e2e|demo|demo-[^\\/]*|examples?|samples?|docs?[\\/]examples?)(?:[\\/]|$)/i;
+
+function isTestLikePath(relPath) {
+  return TEST_LIKE_PATH_PATTERN.test(String(relPath || ""));
+}
 const MAX_FILE_SIZE_BYTES = 512 * 1024;
 const MAX_FINDINGS = 250;
 const STATIC_CHECK_TIMEOUT_MS = 120_000;
@@ -184,8 +210,12 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     severity: "P2",
     message: "Plain HTTP endpoint literal found.",
     suggestedFix: "Prefer HTTPS endpoints in production paths.",
-    regex: /\bhttp:\/\/[^\s'"]+/i,
+    // Skip localhost/127.0.0.1/0.0.0.0 and common local-dev host patterns —
+    // those are dev-time fixtures and do not warrant P2. Plain http://example.com,
+    // cdn URLs, and external hosts still fire.
+    regex: /\bhttp:\/\/(?!(?:localhost|127\.0\.0\.1|0\.0\.0\.0|::1|\[::1\]))[^\s'"]+/i,
     sourceOnly: true,
+    excludePathPattern: TEST_LIKE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-014",
@@ -203,6 +233,7 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     suggestedFix: "Replace eval with explicit parser or safe handlers.",
     regex: /\beval\s*\(/,
     sourceOnly: true,
+    excludePathPattern: TEST_LIKE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-016",
@@ -219,6 +250,9 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     suggestedFix: "Use parameterized queries and prepared statements.",
     regex: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;\n]{0,140}\+/i,
     sourceOnly: true,
+    // Self-scan dampener: the local-review source itself contains SQL-like
+    // regex literals and must not flag itself.
+    excludePathPattern: LOCAL_REVIEW_SOURCE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-018",
@@ -241,8 +275,12 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     severity: "P2",
     message: "Potentially sensitive value logged directly.",
     suggestedFix: "Redact secrets/tokens before logging.",
-    regex: /console\.(?:log|debug|info)\([^)]*(token|secret|password|api[_-]?key)/i,
+    // Tighter regex: require the secret-like identifier to be a variable
+    // reference, not just appear inside any string/template. Excludes
+    // error-message text like "invalid token" and doc examples.
+    regex: /console\.(?:log|debug|info)\(\s*(?:[`"'][^`"']*\$\{)?\s*[A-Za-z_$][A-Za-z0-9_$]*\.?(token|secret|password|api[_-]?key)/i,
     sourceOnly: true,
+    excludePathPattern: TEST_LIKE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-021",
@@ -260,6 +298,7 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     suggestedFix: "Externalize callback URLs to environment config.",
     regex: /https?:\/\/localhost:\d{2,5}\//i,
     sourceOnly: true,
+    excludePathPattern: TEST_LIKE_PATH_PATTERN,
   },
 ]);
 
@@ -651,21 +690,33 @@ async function runPatternChecks({ rootPath, filePaths, maxFindings = MAX_FINDING
         continue;
       }
 
-      if (/dangerouslySetInnerHTML/.test(line) || /innerHTML\s*=/.test(line)) {
-        tryPushFinding(
-          findings,
-          createFinding({
-            severity: "P1",
-            file: relativePath,
-            line: index + 1,
-            message: "Direct HTML sink detected; validate/sanitize untrusted content.",
-            excerpt: sanitizeLineForExcerpt(line),
-            ruleId: "SL-PAT-002",
-            suggestedFix: "Apply strict sanitization and avoid raw HTML sinks.",
-            layer: "pattern",
-          }),
-          maxFindings
-        );
+      // Require actual JSX attribute usage OR DOM property assignment, not
+      // bare mentions in strings/docstrings (common in prompt templates and
+      // detector files that search for the pattern as a label).
+      const realJsxUsage = /dangerouslySetInnerHTML\s*=\s*\{\s*\{/.test(line);
+      const realDomAssign = /(?:^|[.\s])innerHTML\s*=\s*(?!=)/.test(line);
+      if (realJsxUsage || realDomAssign) {
+        const isPromptOrConfig =
+          /(?:^|[\\/])(?:config|prompts?|templates?|system-prompt|swarm|agents)[\\/]/i.test(relativePath) ||
+          /-prompts?\.(?:m?js|tsx?)$/i.test(relativePath) ||
+          /system-prompt\.(?:m?js|tsx?)$/i.test(relativePath) ||
+          /(?:file-scanner|pattern-hunter|-scanner|-hunter)\.(?:m?js|tsx?)$/i.test(relativePath);
+        if (!isTestLikePath(relativePath) && !isPromptOrConfig) {
+          tryPushFinding(
+            findings,
+            createFinding({
+              severity: "P1",
+              file: relativePath,
+              line: index + 1,
+              message: "Direct HTML sink detected; validate/sanitize untrusted content.",
+              excerpt: sanitizeLineForExcerpt(line),
+              ruleId: "SL-PAT-002",
+              suggestedFix: "Apply strict sanitization and avoid raw HTML sinks.",
+              layer: "pattern",
+            }),
+            maxFindings
+          );
+        }
       }
 
       if (/useEffect\s*\(/.test(line)) {
@@ -690,7 +741,7 @@ async function runPatternChecks({ rootPath, filePaths, maxFindings = MAX_FINDING
 
       if (/(for|while)\s*\([^)]*\)/.test(line)) {
         const window = lines.slice(index, Math.min(lines.length, index + 10)).join("\n");
-        if (/findMany\(|query\(|SELECT\b|fetch\(/i.test(window)) {
+        if (/findMany\(|query\(|SELECT\b|fetch\(/i.test(window) && !isTestLikePath(relativePath)) {
           tryPushFinding(
             findings,
             createFinding({
@@ -710,7 +761,12 @@ async function runPatternChecks({ rootPath, filePaths, maxFindings = MAX_FINDING
     }
 
     const sqlConcat = /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^\n]{0,160}\+/i.exec(text);
-    if (sqlConcat && findings.length < maxFindings) {
+    if (
+      sqlConcat &&
+      findings.length < maxFindings &&
+      !isTestLikePath(relativePath) &&
+      !LOCAL_REVIEW_SOURCE_PATH_PATTERN.test(relativePath)
+    ) {
       const lineNumber = resolveLineNumberFromIndex(text, sqlConcat.index);
       tryPushFinding(
         findings,

package/src/review/omargate-interactive.js

@@ -0,0 +1,68 @@
+/**
+ * Interactive post-scan menu for Omar Gate deep-dive.
+ *
+ * After the scan completes, prompts the user to select a domain agent
+ * for full agentic loop analysis (multi-turn, tool-using).
+ */
+
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import pc from "picocolors";
+
+import { PERSONA_IDS } from "./persona-prompts.js";
+
+/**
+ * Show interactive persona selection after Omar Gate scan.
+ *
+ * @param {object} options
+ * @param {object} options.scanResult - Result from runOmarGateOrchestrator
+ * @returns {Promise<string|null>} Selected persona ID, "all", or null (skip)
+ */
+export async function promptPersonaDeepDive({ scanResult } = {}) {
+  const summary = scanResult?.summary || {};
+  const personas = scanResult?.personas || [];
+
+  console.log("");
+  console.log(pc.bold("Omar Gate scan complete."));
+  console.log(
+    `Findings: P0=${summary.P0 || 0} P1=${summary.P1 || 0} P2=${summary.P2 || 0} P3=${summary.P3 || 0} | ` +
+      `Cost: $${(scanResult?.totalCostUsd || 0).toFixed(4)} | ` +
+      `Duration: ${((scanResult?.totalDurationMs || 0) / 1000).toFixed(1)}s`
+  );
+  console.log("");
+
+  // Show persona results
+  for (const p of personas) {
+    const icon = p.status === "ok" ? pc.green("✓") : p.status === "skipped" ? pc.gray("○") : pc.red("✗");
+    const count = p.findings || 0;
+    console.log(`  ${icon} ${p.id} — ${count} finding${count === 1 ? "" : "s"}`);
+  }
+
+  console.log("");
+  console.log(pc.gray("Deep-dive runs a full agentic loop (multi-turn, tool-using) for deeper analysis."));
+  console.log(pc.gray(`Available: ${PERSONA_IDS.join(", ")}, all, none`));
+  console.log("");
+
+  const rl = createInterface({ input, output });
+  try {
+    const answer = await rl.question(pc.cyan("Deep-dive into which agent? [none] "));
+    const normalized = String(answer || "").trim().toLowerCase();
+
+    if (!normalized || normalized === "none" || normalized === "n" || normalized === "skip") {
+      return null;
+    }
+
+    if (normalized === "all") {
+      return "all";
+    }
+
+    if (PERSONA_IDS.includes(normalized)) {
+      return normalized;
+    }
+
+    console.log(pc.yellow(`Unknown agent '${normalized}'. Skipping deep-dive.`));
+    return null;
+  } finally {
+    rl.close();
+  }
+}

package/src/review/omargate-orchestrator.js

@@ -0,0 +1,404 @@
+/**
+ * Omar Gate multi-persona orchestrator.
+ *
+ * Runs N persona-scoped AI review calls in parallel (bounded concurrency),
+ * merges findings into a blackboard, deduplicates, and produces a unified report.
+ */
+
+import { randomUUID } from "node:crypto";
+
+import { runAiReviewLayer } from "./ai-review.js";
+import { buildPersonaReviewPrompt, PERSONA_IDS } from "./persona-prompts.js";
+import { resolveScanMode } from "./scan-modes.js";
+import { reconcileReviewFindings } from "./report.js";
+import { resolvePersonaVisual } from "../agents/persona-visuals.js";
+import { syncRunToDashboard } from "../telemetry/sync.js";
+import { createAgentEvent } from "../events/schema.js";
+
+const OMAR_ORCHESTRATOR_AGENT = Object.freeze({
+  id: "omar-orchestrator",
+  persona: "Omar Gate Orchestrator",
+});
+
+/**
+ * Run bounded-concurrency parallel execution.
+ * @param {Array} items
+ * @param {number} maxConcurrent
+ * @param {Function} fn
+ * @returns {Promise<Array>}
+ */
+async function runWithConcurrency(items, maxConcurrent, fn) {
+  const results = [];
+  const executing = new Set();
+
+  for (const item of items) {
+    const p = fn(item).then((result) => {
+      executing.delete(p);
+      return result;
+    });
+    executing.add(p);
+    results.push(p);
+
+    if (executing.size >= maxConcurrent) {
+      await Promise.race(executing);
+    }
+  }
+
+  return Promise.allSettled(results);
+}
+
+/**
+ * Annotate persona result with visual identity so stream consumers
+ * and downstream reports never see faceless persona IDs.
+ */
+function decoratePersonaResult(personaId, baseResult) {
+  const visual = resolvePersonaVisual(personaId) || {};
+  return {
+    ...baseResult,
+    personaId,
+    persona: {
+      id: personaId,
+      shortName: visual.shortName || personaId,
+      fullName: visual.fullName || personaId,
+      avatar: visual.avatar || "",
+      color: visual.color || "gray",
+      domain: visual.domain || personaId,
+    },
+  };
+}
+
+/**
+ * Run the Omar Gate multi-persona orchestrator.
+ *
+ * @param {object} options
+ * @param {string} options.targetPath - Repository path
+ * @param {string} [options.scanMode] - "baseline", "deep", or "full-depth"
+ * @param {number} [options.maxParallel] - Max concurrent persona calls (default 4)
+ * @param {string} [options.provider] - LLM provider override
+ * @param {string} [options.model] - LLM model override
+ * @param {number} [options.maxCostUsd] - Global cost ceiling (default 5.0)
+ * @param {boolean} [options.dryRun] - Dry-run mode (no LLM calls)
+ * @param {string} [options.outputDir] - Output directory override
+ * @param {object} [options.deterministic] - Deterministic scan results
+ * @param {Function} [options.onEvent] - Event callback for streaming
+ * @returns {Promise<object>} Orchestrated results
+ */
+export async function runOmarGateOrchestrator({
+  targetPath,
+  scanMode = "deep",
+  maxParallel = 4,
+  provider = "",
+  model = "",
+  maxCostUsd = 5.0,
+  dryRun = false,
+  outputDir = "",
+  deterministic = null,
+  onEvent = null,
+} = {}) {
+  const runId = `omargate-${Date.now()}-${randomUUID().slice(0, 8)}`;
+  const startTime = Date.now();
+
+  const { mode, personas } = resolveScanMode(scanMode);
+
+  const roster = personas.map((personaId) => {
+    const visual = resolvePersonaVisual(personaId) || {};
+    return {
+      id: personaId,
+      shortName: visual.shortName || personaId,
+      fullName: visual.fullName || personaId,
+      avatar: visual.avatar || "",
+      color: visual.color || "gray",
+      domain: visual.domain || personaId,
+    };
+  });
+
+  if (onEvent) {
+    onEvent(createAgentEvent({
+      event: "omargate_start",
+      agent: OMAR_ORCHESTRATOR_AGENT,
+      payload: { runId, mode, personas, roster, maxParallel, maxCostUsd, dryRun },
+      runId,
+    }));
+  }
+
+  const detSummary = deterministic?.summary || { P0: 0, P1: 0, P2: 0, P3: 0 };
+  const detFindings = deterministic?.findings || [];
+
+  // Per-persona cost budget = global / persona count (with minimum floor)
+  const perPersonaCost = Math.max(0.25, maxCostUsd / personas.length);
+  let runningCostUsd = 0;
+
+  const personaResults = await runWithConcurrency(personas, maxParallel, async (personaId) => {
+    const visual = resolvePersonaVisual(personaId) || {};
+    const identity = {
+      id: personaId,
+      shortName: visual.shortName || personaId,
+      fullName: visual.fullName || personaId,
+      avatar: visual.avatar || "",
+      color: visual.color || "gray",
+      domain: visual.domain || personaId,
+    };
+
+    // Global budget check — skip remaining personas if exhausted
+    if (runningCostUsd >= maxCostUsd) {
+      if (onEvent) {
+        onEvent(createAgentEvent({
+          event: "persona_skipped",
+          agent: {
+            id: identity.id,
+            persona: identity.fullName,
+            shortName: identity.shortName,
+            color: identity.color,
+            avatar: identity.avatar,
+            domain: identity.domain,
+          },
+          payload: { personaId, identity, reason: "global_budget_exhausted", runningCostUsd, maxCostUsd },
+          runId,
+        }));
+      }
+      return {
+        personaId,
+        status: "skipped",
+        findings: [],
+        summary: { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: 0,
+        durationMs: 0,
+        reason: "global_budget_exhausted",
+      };
+    }
+
+    const personaStart = Date.now();
+
+    if (onEvent) {
+      onEvent(createAgentEvent({
+        event: "persona_start",
+        agent: {
+          id: identity.id,
+          persona: identity.fullName,
+          shortName: identity.shortName,
+          color: identity.color,
+          avatar: identity.avatar,
+          domain: identity.domain,
+        },
+        payload: { personaId, identity, mode, runId },
+        runId,
+      }));
+    }
+
+    try {
+      const systemPrompt = buildPersonaReviewPrompt({
+        personaId,
+        targetPath,
+        deterministicSummary: detSummary,
+      });
+
+      const result = await runAiReviewLayer({
+        targetPath,
+        mode: "full",
+        runId: `${runId}-${personaId}`,
+        runDirectory: targetPath,
+        deterministic: {
+          summary: detSummary,
+          findings: detFindings,
+          metadata: deterministic?.metadata || {},
+        },
+        outputDir,
+        provider: provider || undefined,
+        model: model || undefined,
+        maxCostUsd: perPersonaCost,
+        dryRun,
+        env: process.env,
+      });
+
+      const findings = (result?.findings || []).map((f) => ({
+        ...f,
+        persona: personaId,
+        layer: personaId,
+      }));
+
+      if (onEvent) {
+        for (const finding of findings) {
+          onEvent(createAgentEvent({
+            event: "persona_finding",
+            agent: {
+              id: identity.id,
+              persona: identity.fullName,
+              shortName: identity.shortName,
+              color: identity.color,
+              avatar: identity.avatar,
+              domain: identity.domain,
+            },
+            payload: { personaId, identity, ...finding },
+            runId,
+          }));
+        }
+        onEvent(createAgentEvent({
+          event: "persona_complete",
+          agent: {
+            id: identity.id,
+            persona: identity.fullName,
+            shortName: identity.shortName,
+            color: identity.color,
+            avatar: identity.avatar,
+            domain: identity.domain,
+          },
+          payload: {
+            personaId,
+            identity,
+            findings: findings.length,
+            summary: result?.summary || {},
+            costUsd: result?.costUsd || 0,
+            durationMs: Date.now() - personaStart,
+          },
+          runId,
+        }));
+      }
+
+      const personaCost = result?.costUsd || 0;
+      runningCostUsd += personaCost;
+
+      return {
+        personaId,
+        status: "ok",
+        findings,
+        summary: result?.summary || { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: personaCost,
+        model: result?.model || model || null,
+        durationMs: Date.now() - personaStart,
+      };
+    } catch (err) {
+      if (onEvent) {
+        onEvent(createAgentEvent({
+          event: "persona_error",
+          agent: {
+            id: identity.id,
+            persona: identity.fullName,
+            shortName: identity.shortName,
+            color: identity.color,
+            avatar: identity.avatar,
+            domain: identity.domain,
+          },
+          payload: { personaId, identity, error: err.message },
+          runId,
+        }));
+      }
+      return {
+        personaId,
+        status: "error",
+        findings: [],
+        summary: { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: 0,
+        error: err.message,
+        durationMs: Date.now() - personaStart,
+      };
+    }
+  });
+
+  // Collect results (handle settled promises)
+  const settled = personaResults.map((r) =>
+    r.status === "fulfilled"
+      ? decoratePersonaResult(r.value.personaId, r.value)
+      : decoratePersonaResult("unknown", {
+          status: "error",
+          findings: [],
+          summary: { P0: 0, P1: 0, P2: 0, P3: 0 },
+          costUsd: 0,
+          error: r.reason?.message || "unknown",
+          durationMs: 0,
+        })
+  );
+
+  // Reconcile AI findings with deterministic findings — canonical single list.
+  // Confidence boost when multiple layers agree; deterministic findings get
+  // confidence 1.0; AI findings keep their self-reported confidence.
+  const allAiFindings = settled.flatMap((r) => r.findings);
+  const reconciled = reconcileReviewFindings({
+    deterministicFindings: detFindings,
+    aiFindings: allAiFindings,
+  });
+  const reconciledFindings = reconciled.findings;
+  const reconciledSummary = reconciled.summary;
+
+  const totalCost = settled.reduce((sum, r) => sum + (r.costUsd || 0), 0);
+  const totalDuration = Date.now() - startTime;
+
+  const result = {
+    runId,
+    mode,
+    roster,
+    personas: settled.map((r) => ({
+      id: r.personaId,
+      identity: r.persona,
+      status: r.status,
+      findings: (r.findings || []).length,
+      summary: r.summary || { P0: 0, P1: 0, P2: 0, P3: 0 },
+      costUsd: r.costUsd,
+      durationMs: r.durationMs,
+      model: r.model || null,
+      error: r.error || null,
+    })),
+    findings: reconciledFindings,
+    findingsBySource: {
+      deterministic: detFindings.length,
+      ai: allAiFindings.length,
+      reconciled: reconciledFindings.length,
+    },
+    summary: reconciledSummary,
+    totalCostUsd: totalCost,
+    totalDurationMs: totalDuration,
+    reconciliation: {
+      deterministicFindings: detFindings.length,
+      aiFindings: allAiFindings.length,
+      reconciledFindings: reconciledFindings.length,
+      dedupedCount: detFindings.length + allAiFindings.length - reconciledFindings.length,
+      multiSourceFindings: reconciledFindings.filter(
+        (f) => Array.isArray(f.sources) && f.sources.length > 1
+      ).length,
+    },
+    dryRun,
+  };
+
+  if (onEvent) {
+    onEvent(createAgentEvent({
+      event: "omargate_complete",
+      agent: OMAR_ORCHESTRATOR_AGENT,
+      payload: {
+        runId,
+        mode,
+        personaCount: settled.length,
+        findings: reconciledFindings.length,
+        summary: result.summary,
+        reconciliation: result.reconciliation,
+        totalCostUsd: totalCost,
+        totalDurationMs: totalDuration,
+      },
+      runId,
+    }));
+  }
+
+  // Fire-and-forget telemetry sync to dashboard
+  syncRunToDashboard({
+    command: `omargate deep --scan-mode ${mode}`,
+    persona: "omar-orchestrator",
+    usage: {
+      inputTokens: 0,
+      outputTokens: 0,
+      costUsd: totalCost,
+      durationMs: totalDuration,
+      toolCalls: personas.length,
+    },
+    summary: result.summary,
+    reconciliation: result.reconciliation,
+    stopReason: result.summary.blocking ? "blocked" : "passed",
+    personaBreakdown: settled.map((r) => ({
+      personaId: r.personaId,
+      fullName: r.persona?.fullName || r.personaId,
+      findings: r.findings?.length || 0,
+      costUsd: r.costUsd || 0,
+      durationMs: r.durationMs || 0,
+      status: r.status,
+    })),
+  }).catch(() => {});
+
+  return result;
+}