shipwright-cli 2.4.0 → 3.0.0

package/scripts/lib/helpers.sh

@@ -64,7 +64,7 @@ emit_event() {
     shift
 
     # Try SQLite first (via sw-db.sh's db_add_event)
-    if type db_add_event &>/dev/null; then
+    if type db_add_event >/dev/null 2>&1; then
         db_add_event "$event_type" "$@" 2>/dev/null || true
     fi
 
@@ -76,7 +76,10 @@ emit_event() {
         if [[ "$val" =~ ^-?[0-9]+\.?[0-9]*$ ]]; then
             json_fields="${json_fields},\"${key}\":${val}"
         else
-            val="${val//\"/\\\"}"
+            val="${val//\\/\\\\}"       # escape backslashes first
+            val="${val//\"/\\\"}"       # then quotes
+            val="${val//$'\n'/\\n}"     # then newlines
+            val="${val//$'\t'/\\t}"     # then tabs
             json_fields="${json_fields},\"${key}\":\"${val}\""
         fi
     done
@@ -85,11 +88,20 @@ emit_event() {
     # Use flock to prevent concurrent write corruption
     local _lock_file="${EVENTS_FILE}.lock"
     (
-        if command -v flock &>/dev/null; then
+        if command -v flock >/dev/null 2>&1; then
             flock -w 2 200 2>/dev/null || true
         fi
         echo "$_event_line" >> "$EVENTS_FILE"
     ) 200>"$_lock_file"
+
+    # Optional schema validation (dev mode only)
+    if [[ -n "${SHIPWRIGHT_DEV:-}" && -n "${_CONFIG_REPO_DIR:-}" && -f "${_CONFIG_REPO_DIR}/config/event-schema.json" ]]; then
+        local known_types
+        known_types=$(jq -r '.event_types | keys[]' "${_CONFIG_REPO_DIR}/config/event-schema.json" 2>/dev/null || true)
+        if [[ -n "$known_types" ]] && ! echo "$known_types" | grep -qx "$event_type"; then
+            echo "WARN: Unknown event type '$event_type'" >&2
+        fi
+    fi
 }
 
 # Rotate a JSONL file to keep it within max_lines.
@@ -103,9 +115,7 @@ with_retry() {
     local attempt=1
     local delay=1
     while [[ "$attempt" -le "$max_attempts" ]]; do
-        if "$@"; then
-            return 0
-        fi
+        "$@" && return 0
         local exit_code=$?
         if [[ "$attempt" -lt "$max_attempts" ]]; then
             warn "Attempt $attempt/$max_attempts failed (exit $exit_code), retrying in ${delay}s..."
@@ -187,3 +197,17 @@ _sw_github_url() {
     repo="$(_sw_github_repo)"
     echo "https://github.com/${repo}"
 }
+
+# ─── Network Safe Wrappers (config-aware timeouts) ─────────────────────────────
+# Use SHIPWRIGHT_* env vars if set; otherwise _config_get_int when config.sh is loaded
+# Usage: _curl_safe [curl args...]  |  _gh_safe [gh args...]
+_curl_safe() {
+    local ct="${SHIPWRIGHT_CONNECT_TIMEOUT:-$(_config_get_int "network.connect_timeout" 10 2>/dev/null || echo 10)}"
+    local mt="${SHIPWRIGHT_MAX_TIME:-$(_config_get_int "network.max_time" 60 2>/dev/null || echo 60)}"
+    curl --connect-timeout "$ct" --max-time "$mt" "$@"
+}
+
+_gh_safe() {
+    local gh_timeout="${SHIPWRIGHT_GH_TIMEOUT:-$(_config_get_int "network.gh_timeout" 30 2>/dev/null || echo 30)}"
+    GH_HTTP_TIMEOUT="$gh_timeout" _timeout "$gh_timeout" gh "$@"
+}

package/scripts/lib/pipeline-detection.sh

@@ -101,7 +101,7 @@ detect_project_lang() {
     fi
 
     # Intelligence: holistic analysis for polyglot/monorepo detection
-    if [[ "$detected" == "unknown" ]] && type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null; then
+    if [[ "$detected" == "unknown" ]] && type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local config_files
         config_files=$(ls "$root" 2>/dev/null | grep -E '\.(json|toml|yaml|yml|xml|gradle|lock|mod)$' | head -15)
         if [[ -n "$config_files" ]]; then
@@ -221,7 +221,7 @@ detect_task_type() {
     local goal="$1"
 
     # Intelligence: Claude classification with confidence score
-    if type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local ai_result
         ai_result=$(claude --print --output-format text -p "Classify this task into exactly ONE category. Reply in format: CATEGORY|CONFIDENCE (0-100)
 

package/scripts/lib/pipeline-github.sh

@@ -9,14 +9,14 @@ gh_init() {
         return
     fi
 
-    if ! command -v gh &>/dev/null; then
+    if ! command -v gh >/dev/null 2>&1; then
         GH_AVAILABLE=false
         warn "gh CLI not found — GitHub integration disabled"
         return
     fi
 
     # Check if authenticated
-    if ! gh auth status &>/dev/null 2>&1; then
+    if ! gh auth status >/dev/null 2>&1; then
         GH_AVAILABLE=false
         warn "gh not authenticated — GitHub integration disabled"
         return
@@ -46,7 +46,7 @@ gh_init() {
 gh_comment_issue() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" body="$2"
-    gh issue comment "$issue_num" --body "$body" 2>/dev/null || true
+    _timeout 30 gh issue comment "$issue_num" --body "$body" 2>/dev/null || true
 }
 
 # Post a progress-tracking comment and save its ID for later updates
@@ -56,7 +56,7 @@ gh_post_progress() {
     local issue_num="$1" body="$2"
     local result
     result=$(gh api "repos/${REPO_OWNER}/${REPO_NAME}/issues/${issue_num}/comments" \
-        -f body="$body" --jq '.id' 2>/dev/null) || true
+        -f body="$body" --jq '.id' --timeout 30 2>/dev/null) || true
     if [[ -n "$result" && "$result" != "null" ]]; then
         PROGRESS_COMMENT_ID="$result"
     fi
@@ -68,7 +68,7 @@ gh_update_progress() {
     [[ "$GH_AVAILABLE" != "true" || -z "$PROGRESS_COMMENT_ID" ]] && return 0
     local body="$1"
     gh api "repos/${REPO_OWNER}/${REPO_NAME}/issues/comments/${PROGRESS_COMMENT_ID}" \
-        -X PATCH -f body="$body" 2>/dev/null || true
+        -X PATCH -f body="$body" --timeout 30 2>/dev/null || true
 }
 
 # Add labels to an issue or PR
@@ -77,7 +77,7 @@ gh_add_labels() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" labels="$2"
     [[ -z "$labels" ]] && return 0
-    gh issue edit "$issue_num" --add-label "$labels" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --add-label "$labels" 2>/dev/null || true
 }
 
 # Remove a label from an issue
@@ -85,7 +85,7 @@ gh_add_labels() {
 gh_remove_label() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" label="$2"
-    gh issue edit "$issue_num" --remove-label "$label" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --remove-label "$label" 2>/dev/null || true
 }
 
 # Self-assign an issue
@@ -93,7 +93,7 @@ gh_remove_label() {
 gh_assign_self() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1"
-    gh issue edit "$issue_num" --add-assignee "@me" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --add-assignee "@me" 2>/dev/null || true
 }
 
 # Get full issue metadata as JSON
@@ -101,7 +101,7 @@ gh_assign_self() {
 gh_get_issue_meta() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1"
-    gh issue view "$issue_num" --json title,body,labels,milestone,assignees,comments,number,state 2>/dev/null || true
+    _timeout 30 gh issue view "$issue_num" --json title,body,labels,milestone,assignees,comments,number,state 2>/dev/null || true
 }
 
 # Build a progress table for GitHub comment

package/scripts/lib/pipeline-intelligence.sh

@@ -106,8 +106,45 @@ pipeline_should_skip_stage() {
 # Returns JSON with classified findings and routing recommendations.
 # ──────────────────────────────────────────────────────────────────────────────
 classify_quality_findings() {
-    local findings_dir="$ARTIFACTS_DIR"
-    local result_file="$ARTIFACTS_DIR/classified-findings.json"
+    local findings_dir="${1:-$ARTIFACTS_DIR}"
+    local result_file="$findings_dir/classified-findings.json"
+
+    # Build combined content for semantic classification
+    local content=""
+    if [[ -f "$findings_dir/adversarial-review.md" ]]; then
+        content="${content}
+--- adversarial-review.md ---
+$(head -500 "$findings_dir/adversarial-review.md" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/negative-review.md" ]]; then
+        content="${content}
+--- negative-review.md ---
+$(head -300 "$findings_dir/negative-review.md" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/security-audit.log" ]]; then
+        content="${content}
+--- security-audit.log ---
+$(cat "$findings_dir/security-audit.log" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/compound-architecture-validation.json" ]]; then
+        content="${content}
+--- compound-architecture-validation.json ---
+$(jq -r '.[] | "\(.severity): \(.message // .description // .)"' "$findings_dir/compound-architecture-validation.json" 2>/dev/null | head -50)"
+    fi
+
+    # Try semantic classification first when Claude is available
+    local route=""
+    if command -v claude &>/dev/null && [[ "${INTELLIGENCE_ENABLED:-false}" != "false" ]] && [[ -n "$content" ]]; then
+        local prompt="Classify these code review findings into exactly ONE primary category. Return ONLY a single word: security, architecture, correctness, performance, testing, documentation, style.
+
+Findings:
+$content"
+        local category
+        category=$(echo "$prompt" | timeout 30 claude -p --model sonnet 2>/dev/null | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
+        if [[ "$category" =~ ^(security|architecture|correctness|performance|testing|documentation|style)$ ]]; then
+            route="$category"
+        fi
+    fi
 
     # Initialize counters
     local arch_count=0 security_count=0 correctness_count=0 performance_count=0 testing_count=0 style_count=0
@@ -173,40 +210,53 @@ classify_quality_findings() {
     fi
 
     # ── Determine routing ──
-    # Priority order: security > architecture > correctness > performance > testing > style
-    local route="correctness"  # default
+    # Use semantic classification when available; else fall back to grep-derived priority
     local needs_backtrack=false
     local priority_findings=""
 
-    if [[ "$security_count" -gt 0 ]]; then
-        route="security"
-        priority_findings="security:${security_count}"
-    fi
+    if [[ -z "$route" ]]; then
+        # Fallback: grep-based priority order: security > architecture > correctness > performance > testing > style
+        route="correctness"
 
-    if [[ "$arch_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" ]]; then
-            route="architecture"
-            needs_backtrack=true
+        if [[ "$security_count" -gt 0 ]]; then
+            route="security"
+            priority_findings="security:${security_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}architecture:${arch_count}"
-    fi
 
-    if [[ "$correctness_count" -gt 0 ]]; then
-        priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
-    fi
+        if [[ "$arch_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" ]]; then
+                route="architecture"
+                needs_backtrack=true
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}architecture:${arch_count}"
+        fi
 
-    if [[ "$performance_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" && "$correctness_count" -eq 0 ]]; then
-            route="performance"
+        if [[ "$correctness_count" -gt 0 ]]; then
+            priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
-    fi
 
-    if [[ "$testing_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" && "$correctness_count" -eq 0 && "$performance_count" -eq 0 ]]; then
-            route="testing"
+        if [[ "$performance_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" && "$correctness_count" -eq 0 ]]; then
+                route="performance"
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
+
+        if [[ "$testing_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" && "$correctness_count" -eq 0 && "$performance_count" -eq 0 ]]; then
+                route="testing"
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
+        fi
+    else
+        # Semantic route: build priority_findings from counts, set needs_backtrack for architecture
+        [[ "$route" == "architecture" ]] && needs_backtrack=true
+        [[ "$arch_count" -gt 0 ]] && priority_findings="architecture:${arch_count}"
+        [[ "$security_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}security:${security_count}"
+        [[ "$correctness_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
+        [[ "$performance_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
+        [[ "$testing_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
+        [[ -z "$priority_findings" ]] && priority_findings="${route}:1"
     fi
 
     # Style findings don't affect routing or count toward failure threshold
@@ -749,7 +799,7 @@ pipeline_record_quality_score() {
     rm -f "$tmp_score"
 
     # Rotate quality scores file to prevent unbounded growth
-    type rotate_jsonl &>/dev/null 2>&1 && rotate_jsonl "$scores_file" 5000
+    type rotate_jsonl >/dev/null 2>&1 && rotate_jsonl "$scores_file" 5000
 
     emit_event "pipeline.quality_score_recorded" \
         "issue=${ISSUE_NUMBER:-0}" \
@@ -1117,7 +1167,7 @@ stage_compound_quality() {
 
     # Intelligent audit selection
     local audit_plan='{"adversarial":"targeted","architecture":"targeted","simulation":"targeted","security":"targeted","dod":"targeted"}'
-    if type pipeline_select_audits &>/dev/null 2>&1; then
+    if type pipeline_select_audits >/dev/null 2>&1; then
         local _selected
         _selected=$(pipeline_select_audits 2>/dev/null) || true
         if [[ -n "$_selected" && "$_selected" != "null" ]]; then
@@ -1205,9 +1255,9 @@ stage_compound_quality() {
 
     # Vitals-driven adaptive cycle limit (preferred)
     local base_max_cycles="$max_cycles"
-    if type pipeline_adaptive_limit &>/dev/null 2>&1; then
+    if type pipeline_adaptive_limit >/dev/null 2>&1; then
         local _cq_vitals=""
-        if type pipeline_compute_vitals &>/dev/null 2>&1; then
+        if type pipeline_compute_vitals >/dev/null 2>&1; then
             _cq_vitals=$(pipeline_compute_vitals "$STATE_FILE" "$ARTIFACTS_DIR" "${ISSUE_NUMBER:-}" 2>/dev/null) || true
         fi
         local vitals_cq_limit
@@ -1270,7 +1320,7 @@ stage_compound_quality() {
         fi
 
         # 3. Developer Simulation (intelligence module)
-        if type simulation_review &>/dev/null 2>&1; then
+        if type simulation_review >/dev/null 2>&1; then
             local sim_enabled
             sim_enabled=$(jq -r '.intelligence.simulation_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
             local daemon_cfg="${PROJECT_ROOT}/.claude/daemon-config.json"
@@ -1310,7 +1360,7 @@ stage_compound_quality() {
         fi
 
         # 4. Architecture Enforcer (intelligence module)
-        if type architecture_validate_changes &>/dev/null 2>&1; then
+        if type architecture_validate_changes >/dev/null 2>&1; then
             local arch_enabled
             arch_enabled=$(jq -r '.intelligence.architecture_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
             local daemon_cfg="${PROJECT_ROOT}/.claude/daemon-config.json"
@@ -1474,7 +1524,7 @@ All quality checks clean:
 
             # DoD verification on successful pass
             local _dod_pass_rate=100
-            if type pipeline_verify_dod &>/dev/null 2>&1; then
+            if type pipeline_verify_dod >/dev/null 2>&1; then
                 pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
                 if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
                     _dod_pass_rate=$(jq -r '.pass_rate // 100' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "100")
@@ -1496,7 +1546,7 @@ All quality checks clean:
 
             # DoD verification on successful pass
             local _dod_pass_rate=100
-            if type pipeline_verify_dod &>/dev/null 2>&1; then
+            if type pipeline_verify_dod >/dev/null 2>&1; then
                 pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
                 if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
                     _dod_pass_rate=$(jq -r '.pass_rate // 100' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "100")
@@ -1590,7 +1640,7 @@ All quality checks clean:
 
     # DoD verification
     local _dod_pass_rate=0
-    if type pipeline_verify_dod &>/dev/null 2>&1; then
+    if type pipeline_verify_dod >/dev/null 2>&1; then
         pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
         if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
             _dod_pass_rate=$(jq -r '.pass_rate // 0' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "0")

package/scripts/lib/pipeline-quality-checks.sh

@@ -10,15 +10,15 @@ quality_check_security() {
     local tool_found=false
 
     # Try npm audit
-    if [[ -f "package.json" ]] && command -v npm &>/dev/null; then
+    if [[ -f "package.json" ]] && command -v npm >/dev/null 2>&1; then
         tool_found=true
         npm audit --production 2>&1 | tee "$audit_log" || audit_exit=$?
     # Try pip-audit
-    elif [[ -f "requirements.txt" || -f "pyproject.toml" ]] && command -v pip-audit &>/dev/null; then
+    elif [[ -f "requirements.txt" || -f "pyproject.toml" ]] && command -v pip-audit >/dev/null 2>&1; then
         tool_found=true
         pip-audit 2>&1 | tee "$audit_log" || audit_exit=$?
     # Try cargo audit
-    elif [[ -f "Cargo.toml" ]] && command -v cargo-audit &>/dev/null; then
+    elif [[ -f "Cargo.toml" ]] && command -v cargo-audit >/dev/null 2>&1; then
         tool_found=true
         cargo audit 2>&1 | tee "$audit_log" || audit_exit=$?
     fi
@@ -170,7 +170,7 @@ quality_check_bundle_size() {
     mv "$tmp_bundle_hist" "$bundle_history_file" 2>/dev/null || true
 
     # Intelligence: identify top dependency bloaters
-    if type intelligence_search_memory &>/dev/null 2>&1 && [[ -f "package.json" ]] && command -v jq &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && [[ -f "package.json" ]] && command -v jq >/dev/null 2>&1; then
         local dep_sizes=""
         local deps
         deps=$(jq -r '.dependencies // {} | keys[]' package.json 2>/dev/null || true)
@@ -237,7 +237,7 @@ quality_check_perf_regression() {
         if [[ -f "$daemon_cfg" ]]; then
             intel_enabled=$(jq -r '.intelligence.enabled // false' "$daemon_cfg" 2>/dev/null || echo "false")
         fi
-        if [[ "$intel_enabled" == "true" ]] && command -v claude &>/dev/null; then
+        if [[ "$intel_enabled" == "true" ]] && command -v claude >/dev/null 2>&1; then
             local tail_output
             tail_output=$(tail -30 "$test_log" 2>/dev/null || true)
             if [[ -n "$tail_output" ]]; then
@@ -378,7 +378,7 @@ quality_check_api_compat() {
 
     # Check for breaking changes: removed endpoints, changed methods
     local removed_endpoints=""
-    if command -v jq &>/dev/null && [[ "$spec_file" == *.json ]]; then
+    if command -v jq >/dev/null 2>&1 && [[ "$spec_file" == *.json ]]; then
         local old_paths new_paths
         old_paths=$(echo "$old_spec" | jq -r '.paths | keys[]' 2>/dev/null | sort || true)
         new_paths=$(jq -r '.paths | keys[]' "$spec_file" 2>/dev/null | sort || true)
@@ -387,7 +387,7 @@ quality_check_api_compat() {
 
     # Enhanced schema diff: parameter changes, response schema, auth changes
     local param_changes="" schema_changes=""
-    if command -v jq &>/dev/null && [[ "$spec_file" == *.json ]]; then
+    if command -v jq >/dev/null 2>&1 && [[ "$spec_file" == *.json ]]; then
         # Detect parameter changes on existing endpoints
         local common_paths
         common_paths=$(comm -12 <(echo "$old_spec" | jq -r '.paths | keys[]' 2>/dev/null | sort) <(jq -r '.paths | keys[]' "$spec_file" 2>/dev/null | sort) 2>/dev/null || true)
@@ -407,7 +407,7 @@ quality_check_api_compat() {
 
     # Intelligence: semantic API diff for complex changes
     local semantic_diff=""
-    if type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local spec_git_diff
         spec_git_diff=$(git diff "${BASE_BRANCH}...HEAD" -- "$spec_file" 2>/dev/null | head -200 || true)
         if [[ -n "$spec_git_diff" ]]; then
@@ -441,7 +441,7 @@ ${spec_git_diff}" --model haiku < /dev/null 2>/dev/null || true)
     if [[ -n "$removed_endpoints" || -n "$param_changes" ]]; then
         local issue_count=0
         [[ -n "$removed_endpoints" ]] && issue_count=$((issue_count + $(echo "$removed_endpoints" | wc -l | xargs)))
-        [[ -n "$param_changes" ]] && issue_count=$((issue_count + $(echo "$param_changes" | grep -c '.' || true)))
+        [[ -n "$param_changes" ]] && issue_count=$((issue_count + $(echo "$param_changes" | grep -c '.' 2>/dev/null || echo "0")))
         warn "API breaking changes: ${issue_count} issue(s) found"
         return 1
     fi
@@ -470,7 +470,7 @@ quality_check_coverage() {
         if [[ -f "$daemon_cfg_cov" ]]; then
             intel_enabled_cov=$(jq -r '.intelligence.enabled // false' "$daemon_cfg_cov" 2>/dev/null || echo "false")
         fi
-        if [[ "$intel_enabled_cov" == "true" ]] && command -v claude &>/dev/null; then
+        if [[ "$intel_enabled_cov" == "true" ]] && command -v claude >/dev/null 2>&1; then
             local tail_cov_output
             tail_cov_output=$(tail -40 "$test_log" 2>/dev/null || true)
             if [[ -n "$tail_cov_output" ]]; then
@@ -559,7 +559,7 @@ run_adversarial_review() {
     fi
 
     # Delegate to sw-adversarial.sh module when available (uses intelligence cache)
-    if type adversarial_review &>/dev/null 2>&1; then
+    if type adversarial_review >/dev/null 2>&1; then
         info "Using intelligence-backed adversarial review..."
         local json_result
         json_result=$(adversarial_review "$diff_content" "${GOAL:-}" 2>/dev/null || echo "[]")
@@ -605,7 +605,7 @@ run_adversarial_review() {
 
     # Inject previous adversarial findings from memory
     local adv_memory=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         adv_memory=$(intelligence_search_memory "adversarial review security findings for: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
     fi
 
@@ -676,7 +676,7 @@ $(head -200 "$file" 2>/dev/null || true)
 
     # Inject previous negative prompting findings from memory
     local neg_memory=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         neg_memory=$(intelligence_search_memory "negative prompting findings common concerns for: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
     fi
 
@@ -853,9 +853,9 @@ run_bash_compat_check() {
     while IFS= read -r filepath; do
         [[ -z "$filepath" ]] && continue
 
-        # declare -A (associative arrays)
+        # declare -A (associative arrays; declare -a is bash 3.2 compatible)
         local declare_a_count
-        declare_a_count=$(grep -c 'declare[[:space:]]*-[aA]' "$filepath" 2>/dev/null || true)
+        declare_a_count=$(grep -c 'declare[[:space:]]*-A' "$filepath" 2>/dev/null || true)
         if [[ "$declare_a_count" -gt 0 ]]; then
             violations=$((violations + declare_a_count))
             violation_details="${violation_details}${filepath}: declare -A (${declare_a_count} occurrences)
@@ -990,7 +990,7 @@ run_atomic_write_check() {
 
         # Check for direct redirection writes (> file) in state/config paths
         local bad_writes
-        bad_writes=$(git show "HEAD:$filepath" 2>/dev/null | grep -c 'echo.*>' "$filepath" 2>/dev/null || true)
+        bad_writes=$(git show "HEAD:$filepath" 2>/dev/null | grep -c 'echo.*>' 2>/dev/null || echo "0")
 
         if [[ "$bad_writes" -gt 0 ]]; then
             violations=$((violations + bad_writes))

package/scripts/lib/pipeline-quality.sh

@@ -5,7 +5,7 @@ _PIPELINE_QUALITY_LOADED=1
 
 # Policy overrides when config/policy.json exists
 [[ -f "${SCRIPT_DIR:-}/lib/policy.sh" ]] && source "${SCRIPT_DIR:-}/lib/policy.sh"
-if type policy_get &>/dev/null 2>&1; then
+if type policy_get >/dev/null 2>&1; then
     PIPELINE_COVERAGE_THRESHOLD=$(policy_get ".pipeline.coverage_threshold_percent" "60")
     PIPELINE_QUALITY_GATE_THRESHOLD=$(policy_get ".pipeline.quality_gate_score_threshold" "70")
     QUALITY_COVERAGE_THRESHOLD=$(policy_get ".quality.coverage_threshold" "70")