shipwright-cli 2.4.0 → 3.1.0

package/scripts/lib/compat.sh

@@ -9,11 +9,14 @@
 #
 # Provides:
 #   - NO_COLOR / dumb terminal / non-tty detection (auto-blanks color vars)
+#   - _to_lower() / _to_upper() — bash 3.2 compat (${var,,}/${var^^} require bash 4+)
+#   - file_mtime() — cross-platform file modification time (epoch)
 #   - sed_i()    — cross-platform sed in-place editing
 #   - open_url() — cross-platform browser open
 #   - tmp_dir()  — returns best temp directory for platform
 #   - is_wsl()   — detect WSL environment
 #   - is_macos() / is_linux() — platform checks
+#   - _timeout() — run command with timeout (timeout/gtimeout or no-op on macOS)
 
 # ─── NO_COLOR support (https://no-color.org/) ─────────────────────────────
 # Blanks standard color variables when:
@@ -30,6 +33,11 @@ _COMPAT_UNAME="${_COMPAT_UNAME:-$(uname -s 2>/dev/null || echo "Unknown")}"
 
 is_macos() { [[ "$_COMPAT_UNAME" == "Darwin" ]]; }
 is_linux() { [[ "$_COMPAT_UNAME" == "Linux" ]]; }
+
+# ─── Bash 3.2 compat (macOS ships bash 3.2) ───────────────────────────────
+# Case conversion: ${var,,} and ${var^^} require bash 4+. Use these instead:
+_to_lower() { echo "$1" | tr '[:upper:]' '[:lower:]'; }
+_to_upper() { echo "$1" | tr '[:lower:]' '[:upper:]'; }
 is_wsl()   { is_linux && [[ -n "${WSL_DISTRO_NAME:-}" || -f /proc/version ]] && grep -qi microsoft /proc/version 2>/dev/null; }
 
 # ─── sed -i (macOS vs GNU) ────────────────────────────────────────────────
@@ -49,14 +57,14 @@ open_url() {
         open "$url"
     elif is_wsl; then
         # WSL: use wslview (from wslu) or powershell
-        if command -v wslview &>/dev/null; then
+        if command -v wslview >/dev/null 2>&1; then
             wslview "$url"
-        elif command -v powershell.exe &>/dev/null; then
+        elif command -v powershell.exe >/dev/null 2>&1; then
             powershell.exe -Command "Start-Process '$url'" 2>/dev/null
         else
             return 1
         fi
-    elif command -v xdg-open &>/dev/null; then
+    elif command -v xdg-open >/dev/null 2>&1; then
         xdg-open "$url"
     else
         return 1
@@ -83,7 +91,7 @@ sw_valid_error_category() {
     local category="${1:-}"
     local custom_file="$HOME/.shipwright/optimization/error-taxonomy.json"
     # Check custom taxonomy first
-    if [[ -f "$custom_file" ]] && command -v jq &>/dev/null; then
+    if [[ -f "$custom_file" ]] && command -v jq >/dev/null 2>&1; then
         local custom_cats
         custom_cats=$(jq -r '.categories[]? // empty' "$custom_file" 2>/dev/null || true)
         if [[ -n "$custom_cats" ]]; then
@@ -113,7 +121,7 @@ complexity_bucket() {
     local config_file="$HOME/.shipwright/optimization/complexity-clusters.json"
     local low_boundary=3
     local high_boundary=6
-    if [[ -f "$config_file" ]] && command -v jq &>/dev/null; then
+    if [[ -f "$config_file" ]] && command -v jq >/dev/null 2>&1; then
         local lb hb
         lb=$(jq -r '.low_boundary // 3' "$config_file" 2>/dev/null || echo "3")
         hb=$(jq -r '.high_boundary // 6' "$config_file" 2>/dev/null || echo "6")
@@ -156,7 +164,7 @@ detect_primary_language() {
 
 detect_test_framework() {
     local dir="${1:-.}"
-    if [[ -f "$dir/package.json" ]] && command -v jq &>/dev/null; then
+    if [[ -f "$dir/package.json" ]] && command -v jq >/dev/null 2>&1; then
         local runner
         runner=$(jq -r '
             if .devDependencies.vitest then "vitest"
@@ -184,6 +192,81 @@ detect_test_framework() {
     fi
 }
 
+# ─── Cross-platform file modification time (epoch) ────────────────────────
+# macOS/BSD: stat -f %m; Linux: stat -c '%Y'
+file_mtime() {
+    local file="$1"
+    stat -f %m "$file" 2>/dev/null || stat -c '%Y' "$file" 2>/dev/null || echo "0"
+}
+
+# ─── Timeout command (macOS may lack timeout; gtimeout from coreutils) ─────
+# Usage: _timeout <seconds> <command> [args...]
+_timeout() {
+    local secs="$1"
+    shift
+    if command -v timeout >/dev/null 2>&1; then
+        timeout "$secs" "$@"
+    elif command -v gtimeout >/dev/null 2>&1; then
+        gtimeout "$secs" "$@"
+    else
+        # Fallback: run without timeout (e.g. on older macOS)
+        "$@"
+    fi
+}
+
+# ─── Cross-platform date helpers (GNU date -d vs BSD date -j/-v) ──────────
+# date_to_epoch: convert date string to Unix epoch
+# date_days_ago: YYYY-MM-DD for N days ago
+# date_add_days: YYYY-MM-DD for base_date + N days
+# epoch_to_iso: convert epoch to ISO 8601
+date_to_epoch() {
+    local datestr="$1"
+    local fmt=""
+    if [[ "$datestr" == *"T"* ]]; then
+        fmt="%Y-%m-%dT%H:%M:%SZ"
+    else
+        fmt="%Y-%m-%d"
+    fi
+    if date -u -d "$datestr" +%s 2>/dev/null; then
+        return
+    fi
+    # BSD date: -j = don't set date, -f = format
+    date -u -j -f "$fmt" "$datestr" +%s 2>/dev/null || echo "0"
+}
+
+date_days_ago() {
+    local days="$1"
+    if date -u -d "$days days ago" +%Y-%m-%d 2>/dev/null; then
+        return
+    fi
+    date -u -v-${days}d +%Y-%m-%d 2>/dev/null || echo "1970-01-01"
+}
+
+date_add_days() {
+    local base_date="$1"
+    local days="$2"
+    if date -u -d "${base_date} + ${days} days" +%Y-%m-%d 2>/dev/null; then
+        return
+    fi
+    # BSD: compute via epoch arithmetic
+    local base_epoch
+    base_epoch=$(date_to_epoch "$base_date")
+    if [[ -n "$base_epoch" && "$base_epoch" != "0" ]]; then
+        local result_epoch=$((base_epoch + (days * 86400)))
+        date -u -r "$result_epoch" +%Y-%m-%d 2>/dev/null || date -u -d "@$result_epoch" +%Y-%m-%d 2>/dev/null || echo "1970-01-01"
+    else
+        echo "1970-01-01"
+    fi
+}
+
+epoch_to_iso() {
+    local epoch="$1"
+    date -u -r "$epoch" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
+    date -u -d "@$epoch" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
+    python3 -c "import datetime; print(datetime.datetime.utcfromtimestamp($epoch).strftime('%Y-%m-%dT%H:%M:%SZ'))" 2>/dev/null || \
+    echo "1970-01-01T00:00:00Z"
+}
+
 # ─── Cross-platform MD5 ──────────────────────────────────────────────────
 # Usage:
 #   compute_md5 --string "some text"   → md5 hash of string

package/scripts/lib/config.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# config.sh — Centralized configuration reader for Shipwright
+# Precedence: SHIPWRIGHT_* env var > daemon-config.json > policy.json > defaults.json
+# Usage: source "$SCRIPT_DIR/lib/config.sh"
+#        val=$(_config_get "daemon.poll_interval")
+[[ -n "${_SW_CONFIG_LOADED:-}" ]] && return 0
+_SW_CONFIG_LOADED=1
+
+_CONFIG_SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+_CONFIG_REPO_DIR="$(cd "$_CONFIG_SCRIPT_DIR/../.." 2>/dev/null && pwd || echo "")"
+
+_DEFAULTS_FILE="${_CONFIG_REPO_DIR}/config/defaults.json"
+_POLICY_FILE="${_CONFIG_REPO_DIR}/config/policy.json"
+_DAEMON_CONFIG_FILE=".claude/daemon-config.json"
+
+# Resolve daemon config relative to git root or cwd
+if [[ ! -f "$_DAEMON_CONFIG_FILE" ]]; then
+    local_root="$(git rev-parse --show-toplevel 2>/dev/null || echo ".")"
+    _DAEMON_CONFIG_FILE="${local_root}/.claude/daemon-config.json"
+fi
+
+# _config_get "section.key" [default]
+# Reads config with full precedence chain
+_config_get() {
+    local dotpath="$1"
+    local fallback="${2:-}"
+
+    # 1. Check env var: daemon.poll_interval -> SHIPWRIGHT_DAEMON_POLL_INTERVAL
+    local env_name="SHIPWRIGHT_$(echo "$dotpath" | tr '[:lower:].' '[:upper:]_')"
+    local env_val="${!env_name:-}"
+    if [[ -n "$env_val" ]]; then
+        echo "$env_val"
+        return 0
+    fi
+
+    # Convert dotpath to jq path: "daemon.poll_interval" -> ".daemon.poll_interval"
+    local jq_path=".${dotpath}"
+
+    # 2. Check daemon-config.json
+    if [[ -f "$_DAEMON_CONFIG_FILE" ]]; then
+        local val
+        val=$(jq -r "${jq_path} // \"\"" "$_DAEMON_CONFIG_FILE" 2>/dev/null || echo "")
+        if [[ -n "$val" && "$val" != "null" ]]; then
+            echo "$val"
+            return 0
+        fi
+    fi
+
+    # 3. Check policy.json
+    if [[ -f "$_POLICY_FILE" ]]; then
+        local val
+        val=$(jq -r "${jq_path} // \"\"" "$_POLICY_FILE" 2>/dev/null || echo "")
+        if [[ -n "$val" && "$val" != "null" ]]; then
+            echo "$val"
+            return 0
+        fi
+    fi
+
+    # 4. Check defaults.json
+    if [[ -f "$_DEFAULTS_FILE" ]]; then
+        local val
+        val=$(jq -r "${jq_path} // \"\"" "$_DEFAULTS_FILE" 2>/dev/null || echo "")
+        if [[ -n "$val" && "$val" != "null" ]]; then
+            echo "$val"
+            return 0
+        fi
+    fi
+
+    # 5. Return fallback
+    echo "$fallback"
+}
+
+# _config_get_int "section.key" [default]
+# Same as _config_get but ensures integer output
+_config_get_int() {
+    local val
+    val=$(_config_get "$1" "${2:-0}")
+    # Strip non-numeric
+    echo "${val//[!0-9-]/}"
+}
+
+# _config_get_bool "section.key" [default]
+# Returns 0 (true) or 1 (false) for use in conditionals
+_config_get_bool() {
+    local val
+    val=$(_config_get "$1" "${2:-false}")
+    case "$val" in
+        true|1|yes|on) return 0 ;;
+        *) return 1 ;;
+    esac
+}

package/scripts/lib/daemon-adaptive.sh

@@ -85,9 +85,9 @@ get_adaptive_heartbeat_timeout() {
 
     # Stage-specific defaults (daemon-health.sh when sourced, else policy_get, else literal)
     local default_timeout="${HEALTH_HEARTBEAT_TIMEOUT:-120}"
-    if type daemon_health_timeout_for_stage &>/dev/null 2>&1; then
+    if type daemon_health_timeout_for_stage >/dev/null 2>&1; then
         default_timeout=$(daemon_health_timeout_for_stage "$stage" "$default_timeout")
-    elif type policy_get &>/dev/null 2>&1; then
+    elif type policy_get >/dev/null 2>&1; then
         local policy_stage
         policy_stage=$(policy_get ".daemon.stage_timeouts.$stage" "")
         [[ -n "$policy_stage" && "$policy_stage" =~ ^[0-9]+$ ]] && default_timeout="$policy_stage"
@@ -385,7 +385,7 @@ daemon_assess_progress() {
         ' "$progress_file" > "$tmp_progress" 2>/dev/null && mv "$tmp_progress" "$progress_file"
 
     # ── Vitals-based verdict (preferred over static thresholds) ──
-    if type pipeline_compute_vitals &>/dev/null 2>&1 && type pipeline_health_verdict &>/dev/null 2>&1; then
+    if type pipeline_compute_vitals >/dev/null 2>&1 && type pipeline_health_verdict >/dev/null 2>&1; then
         # Compute vitals using the worktree's pipeline state if available
         local _worktree_state=""
         local _worktree_artifacts=""

package/scripts/lib/daemon-dispatch.sh

@@ -37,6 +37,22 @@ daemon_spawn_pipeline() {
 
     daemon_log INFO "Spawning pipeline for issue #${issue_num}: ${issue_title}"
 
+    # ── Budget gate: hard-stop if daily budget exhausted ──
+    if [[ -x "${SCRIPT_DIR}/sw-cost.sh" ]]; then
+        local remaining
+        remaining=$("${SCRIPT_DIR}/sw-cost.sh" remaining-budget 2>/dev/null || echo "")
+        if [[ -n "$remaining" && "$remaining" != "unlimited" ]]; then
+            if awk -v r="$remaining" 'BEGIN { exit !(r <= 0) }' 2>/dev/null; then
+                daemon_log WARN "Budget exhausted (remaining: \$${remaining}) — skipping issue #${issue_num}"
+                emit_event "daemon.budget_exhausted" "remaining=$remaining" "issue=$issue_num"
+                return 1
+            fi
+            if awk -v r="$remaining" 'BEGIN { exit !(r < 1.0) }' 2>/dev/null; then
+                daemon_log WARN "Budget low: \$${remaining} remaining"
+            fi
+        fi
+    fi
+
     # ── Issue decomposition (if decomposer available) ──
     local decompose_script="${SCRIPT_DIR}/sw-decompose.sh"
     if [[ -x "$decompose_script" && "$NO_GITHUB" != "true" ]]; then
@@ -45,7 +61,7 @@ daemon_spawn_pipeline() {
         if [[ "$decompose_result" == *"decomposed"* ]]; then
             daemon_log INFO "Issue #${issue_num} decomposed into subtasks — skipping pipeline"
             # Remove the shipwright label so decomposed parent doesn't re-queue
-            gh issue edit "$issue_num" --remove-label "shipwright" 2>/dev/null || true
+            _timeout 30 gh issue edit "$issue_num" --remove-label "shipwright" 2>/dev/null || true
             return 0
         fi
     fi
@@ -54,14 +70,14 @@ daemon_spawn_pipeline() {
     local issue_goal="$issue_title"
     if [[ "$NO_GITHUB" != "true" ]]; then
         local issue_body_first
-        issue_body_first=$(gh issue view "$issue_num" --json body --jq '.body' 2>/dev/null | head -3 | tr '\n' ' ' | cut -c1-200 || true)
+        issue_body_first=$(_timeout 30 gh issue view "$issue_num" --json body --jq '.body' 2>/dev/null | head -3 | tr '\n' ' ' | cut -c1-200 || true)
         if [[ -n "$issue_body_first" ]]; then
             issue_goal="${issue_title}: ${issue_body_first}"
         fi
     fi
 
     # ── Predictive risk assessment (if enabled) ──
-    if [[ "${PREDICTION_ENABLED:-false}" == "true" ]] && type predict_pipeline_risk &>/dev/null 2>&1; then
+    if [[ "${PREDICTION_ENABLED:-false}" == "true" ]] && type predict_pipeline_risk >/dev/null 2>&1; then
         local issue_json_for_pred=""
         if [[ "$NO_GITHUB" != "true" ]]; then
             issue_json_for_pred=$(gh issue view "$issue_num" --json number,title,body,labels 2>/dev/null || echo "")
@@ -214,7 +230,7 @@ daemon_track_job() {
     local issue_num="$1" pid="$2" worktree="$3" title="${4:-}" repo="${5:-}" goal="${6:-}"
 
     # Write to SQLite (non-blocking, best-effort)
-    if type db_save_job &>/dev/null; then
+    if type db_save_job >/dev/null 2>&1; then
         local job_id="daemon-${issue_num}-$(now_epoch)"
         db_save_job "$job_id" "$issue_num" "$title" "$pid" "$worktree" "" "${PIPELINE_TEMPLATE:-autonomous}" "$goal" 2>/dev/null || true
     fi
@@ -266,7 +282,30 @@ daemon_reap_completed() {
 
         # Check if process is still running
         if kill -0 "$pid" 2>/dev/null; then
-            continue
+            # Guard against PID reuse: if job has been running > 6 hours and
+            # the process tree doesn't contain sw-pipeline/sw-loop, it's stale
+            local _started_at _start_e _age_s
+            _started_at=$(echo "$job" | jq -r '.started_at // empty')
+            if [[ -n "$_started_at" ]]; then
+                _start_e=$(TZ=UTC date -j -f "%Y-%m-%dT%H:%M:%SZ" "$_started_at" +%s 2>/dev/null || date -d "$_started_at" +%s 2>/dev/null || echo "0")
+                _age_s=$(( $(now_epoch) - ${_start_e:-0} ))
+                if [[ "$_age_s" -gt 21600 ]]; then  # 6 hours
+                    # Verify this PID is actually our pipeline (not a reused PID)
+                    local _proc_cmd
+                    _proc_cmd=$(ps -p "$pid" -o command= 2>/dev/null || true)
+                    if [[ -z "$_proc_cmd" ]] || ! echo "$_proc_cmd" | grep -qE 'sw-pipeline|sw-loop|claude' 2>/dev/null; then
+                        daemon_log WARN "Stale job #${issue_num}: PID $pid running ${_age_s}s but not a pipeline process — force-reaping"
+                        emit_event "daemon.stale_dead" "issue=$issue_num" "pid=$pid" "elapsed_s=$_age_s"
+                        # Fall through to reap logic
+                    else
+                        continue
+                    fi
+                else
+                    continue
+                fi
+            else
+                continue
+            fi
         fi
 
         # Process is dead — determine exit code
@@ -309,7 +348,7 @@ daemon_reap_completed() {
         emit_event "daemon.reap" "issue=$issue_num" "result=$result_str" "duration_s=$dur_s"
 
         # Update SQLite (mark job complete/failed)
-        if type db_complete_job &>/dev/null && type db_fail_job &>/dev/null; then
+        if type db_complete_job >/dev/null 2>&1 && type db_fail_job >/dev/null 2>&1; then
             local _db_job_id="daemon-${issue_num}-${start_epoch}"
             if [[ "$exit_code" -eq 0 ]]; then
                 db_complete_job "$_db_job_id" "$result_str" 2>/dev/null || true
@@ -343,7 +382,7 @@ daemon_reap_completed() {
                                     --method PATCH \
                                     --field status=completed \
                                     --field conclusion=cancelled \
-                                    --silent 2>/dev/null || true
+                                    --silent --timeout 30 2>/dev/null || true
                             fi
                         fi
                     done < <(jq -r 'keys[]' "$check_ids_file" 2>/dev/null || true)
@@ -352,13 +391,18 @@ daemon_reap_completed() {
         fi
 
         # Finalize memory (capture failure patterns for future runs)
-        if type memory_finalize_pipeline &>/dev/null 2>&1; then
+        if type memory_finalize_pipeline >/dev/null 2>&1; then
             local _job_state _job_artifacts
             _job_state="${worktree:-.}/.claude/pipeline-state.md"
             _job_artifacts="${worktree:-.}/.claude/pipeline-artifacts"
             memory_finalize_pipeline "$_job_state" "$_job_artifacts" 2>/dev/null || true
         fi
 
+        # Trigger learning after pipeline reap
+        if type optimize_full_analysis &>/dev/null; then
+            optimize_full_analysis &>/dev/null &
+        fi
+
         # Clean up progress tracking for this job
         daemon_clear_progress "$issue_num"
 
@@ -400,13 +444,15 @@ daemon_reap_completed() {
         local current_active
         current_active=$(locked_get_active_count)
         if [[ "$current_active" -lt "$MAX_PARALLEL" ]]; then
-            local next_issue
-            next_issue=$(dequeue_next)
-            if [[ -n "$next_issue" ]]; then
+            local next_issue_key
+            next_issue_key=$(dequeue_next)
+            if [[ -n "$next_issue_key" ]]; then
+                local next_issue_num="$next_issue_key" next_repo=""
+                [[ "$next_issue_key" == *:* ]] && next_repo="${next_issue_key%%:*}" && next_issue_num="${next_issue_key##*:}"
                 local next_title
-                next_title=$(jq -r --arg n "$next_issue" '.titles[$n] // ""' "$STATE_FILE" 2>/dev/null || true)
-                daemon_log INFO "Dequeuing issue #${next_issue}: ${next_title}"
-                daemon_spawn_pipeline "$next_issue" "$next_title"
+                next_title=$(jq -r --arg n "$next_issue_key" '.titles[$n] // ""' "$STATE_FILE" 2>/dev/null || true)
+                daemon_log INFO "Dequeuing issue #${next_issue_num}${next_repo:+, repo=${next_repo}}: ${next_title}"
+                daemon_spawn_pipeline "$next_issue_num" "$next_title" "$next_repo"
             fi
         fi
     done <<< "$jobs"
@@ -453,12 +499,12 @@ daemon_on_success() {
 
     if [[ "$NO_GITHUB" != "true" ]]; then
         # Remove watch label, add success label
-        gh issue edit "$issue_num" \
+        _timeout 30 gh issue edit "$issue_num" \
             --remove-label "$ON_SUCCESS_REMOVE_LABEL" \
             --add-label "$ON_SUCCESS_ADD_LABEL" 2>/dev/null || true
 
         # Comment on issue
-        gh issue comment "$issue_num" --body "## ✅ Pipeline Complete
+        _timeout 30 gh issue comment "$issue_num" --body "## ✅ Pipeline Complete
 
 The autonomous pipeline finished successfully.
 
@@ -471,7 +517,7 @@ Check the associated PR for the implementation." 2>/dev/null || true
 
         # Optionally close the issue
         if [[ "$ON_SUCCESS_CLOSE_ISSUE" == "true" ]]; then
-            gh issue close "$issue_num" 2>/dev/null || true
+            _timeout 30 gh issue close "$issue_num" 2>/dev/null || true
         fi
     fi
 

package/scripts/lib/daemon-health.sh

@@ -11,7 +11,7 @@ _DAEMON_HEALTH_LOADED=1
 daemon_health_timeout_for_stage() {
     local stage="${1:-unknown}"
     local fallback="${2:-120}"
-    if type policy_get &>/dev/null 2>&1; then
+    if type policy_get >/dev/null 2>&1; then
         local policy_val
         policy_val=$(policy_get ".daemon.stage_timeouts.$stage" "")
         if [[ -n "$policy_val" && "$policy_val" =~ ^[0-9]+$ ]]; then

package/scripts/lib/daemon-patrol.sh

@@ -3,6 +3,28 @@
 [[ -n "${_DAEMON_PATROL_LOADED:-}" ]] && return 0
 _DAEMON_PATROL_LOADED=1
 
+# ─── Decision Engine Signal Mode ─────────────────────────────────────────────
+# When DECISION_ENGINE_ENABLED=true, patrol writes candidates to the pending
+# signals file instead of creating GitHub issues directly. The decision engine
+# collects, scores, and acts on these signals with tiered autonomy.
+SIGNALS_PENDING_FILE="${HOME}/.shipwright/signals/pending.jsonl"
+
+_patrol_emit_signal() {
+    local id="$1" signal="$2" category="$3" title="$4" description="$5"
+    local risk="${6:-50}" confidence="${7:-0.80}" dedup_key="$8"
+    mkdir -p "$(dirname "$SIGNALS_PENDING_FILE")"
+    local ts
+    ts=$(now_iso)
+    local candidate
+    candidate=$(jq -n \
+        --arg id "$id" --arg signal "$signal" --arg category "$category" \
+        --arg title "$title" --arg desc "$description" \
+        --argjson risk "$risk" --arg conf "$confidence" \
+        --arg dedup "$dedup_key" --arg ts "$ts" \
+        '{id:$id, signal:$signal, category:$category, title:$title, description:$desc, evidence:{}, risk_score:$risk, confidence:$conf, dedup_key:$dedup, collected_at:$ts}')
+    echo "$candidate" >> "$SIGNALS_PENDING_FILE"
+}
+
 patrol_build_labels() {
     local check_label="$1"
     local labels="${PATROL_LABEL},${check_label}"
@@ -45,10 +67,22 @@ daemon_patrol() {
         local findings=0
 
         # npm audit
-        if [[ -f "package.json" ]] && command -v npm &>/dev/null; then
+        if [[ -f "package.json" ]] && command -v npm >/dev/null 2>&1; then
             local audit_json
-            audit_json=$(npm audit --json 2>/dev/null || true)
-            if [[ -n "$audit_json" ]]; then
+            audit_json=$(npm audit --json 2>/dev/null || echo '{}')
+            local audit_version
+            audit_version=$(echo "$audit_json" | jq -r '.auditReportVersion // 1')
+
+            local vuln_list
+            if [[ "$audit_version" == "2" ]]; then
+                # npm 7+ format: .vulnerabilities is an object keyed by package name
+                vuln_list=$(echo "$audit_json" | jq -c '[.vulnerabilities | to_entries[] | .value | {name: .name, severity: .severity, url: (.via[0].url // "N/A"), title: (.via[0].title // .name)}]' 2>/dev/null || echo '[]')
+            else
+                # npm 6 format: .advisories is an object keyed by advisory ID
+                vuln_list=$(echo "$audit_json" | jq -c '[.advisories | to_entries[] | .value | {name: .module_name, severity: .severity, url: .url, title: .title}]' 2>/dev/null || echo '[]')
+            fi
+
+            if [[ -n "$vuln_list" && "$vuln_list" != "[]" ]]; then
                 while IFS= read -r vuln; do
                     local severity name advisory_url title
                     severity=$(echo "$vuln" | jq -r '.severity // "unknown"')
@@ -64,8 +98,16 @@ daemon_patrol() {
                     findings=$((findings + 1))
                     emit_event "patrol.finding" "check=security" "severity=$severity" "package=$name"
 
-                    # Check if issue already exists
-                    if [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
+                    # Route to decision engine or create issue directly
+                    if [[ "${DECISION_ENGINE_ENABLED:-false}" == "true" ]]; then
+                        local _cat="security_patch"
+                        [[ "$severity" == "critical" ]] && _cat="security_critical"
+                        _patrol_emit_signal "sec-${name}" "security" "$_cat" \
+                            "Security: ${title} in ${name}" \
+                            "Fix ${severity} vulnerability in ${name}" \
+                            "$([[ "$severity" == "critical" ]] && echo 80 || echo 50)" \
+                            "0.95" "security:${name}:${title}"
+                    elif [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
                         local existing
                         existing=$(gh issue list --label "$PATROL_LABEL" --label "security" \
                             --search "Security: $name" --json number -q 'length' 2>/dev/null || echo "0")
@@ -90,12 +132,12 @@ Auto-detected by \`shipwright daemon patrol\`." \
                     else
                         echo -e "    ${RED}●${RESET} ${BOLD}${severity}${RESET}: ${title} in ${CYAN}${name}${RESET}"
                     fi
-                done < <(echo "$audit_json" | jq -c '.vulnerabilities | to_entries[] | .value' 2>/dev/null)
+                done < <(echo "$vuln_list" | jq -c '.[]' 2>/dev/null)
             fi
         fi
 
         # pip-audit
-        if [[ -f "requirements.txt" ]] && command -v pip-audit &>/dev/null; then
+        if [[ -f "requirements.txt" ]] && command -v pip-audit >/dev/null 2>&1; then
             local pip_json
             pip_json=$(pip-audit --format=json 2>/dev/null || true)
             if [[ -n "$pip_json" ]]; then
@@ -106,7 +148,7 @@ Auto-detected by \`shipwright daemon patrol\`." \
         fi
 
         # cargo audit
-        if [[ -f "Cargo.toml" ]] && command -v cargo-audit &>/dev/null; then
+        if [[ -f "Cargo.toml" ]] && command -v cargo-audit >/dev/null 2>&1; then
             local cargo_json
             cargo_json=$(cargo audit --json 2>/dev/null || true)
             if [[ -n "$cargo_json" ]]; then
@@ -117,8 +159,8 @@ Auto-detected by \`shipwright daemon patrol\`." \
         fi
 
         # Enrich with GitHub security alerts
-        if type gh_security_alerts &>/dev/null 2>&1 && [[ "${NO_GITHUB:-false}" != "true" ]]; then
-            if type _gh_detect_repo &>/dev/null 2>&1; then
+        if type gh_security_alerts >/dev/null 2>&1 && [[ "${NO_GITHUB:-false}" != "true" ]]; then
+            if type _gh_detect_repo >/dev/null 2>&1; then
                 _gh_detect_repo 2>/dev/null || true
             fi
             local gh_owner="${GH_OWNER:-}" gh_repo="${GH_REPO:-}"
@@ -135,7 +177,7 @@ Auto-detected by \`shipwright daemon patrol\`." \
         fi
 
         # Enrich with GitHub Dependabot alerts
-        if type gh_dependabot_alerts &>/dev/null 2>&1 && [[ "${NO_GITHUB:-false}" != "true" ]]; then
+        if type gh_dependabot_alerts >/dev/null 2>&1 && [[ "${NO_GITHUB:-false}" != "true" ]]; then
             local gh_owner="${GH_OWNER:-}" gh_repo="${GH_REPO:-}"
             if [[ -n "$gh_owner" && -n "$gh_repo" ]]; then
                 local dep_alerts
@@ -162,7 +204,7 @@ Auto-detected by \`shipwright daemon patrol\`." \
         daemon_log INFO "Patrol: checking for stale dependencies"
         local findings=0
 
-        if [[ -f "package.json" ]] && command -v npm &>/dev/null; then
+        if [[ -f "package.json" ]] && command -v npm >/dev/null 2>&1; then
             local outdated_json
             outdated_json=$(npm outdated --json 2>/dev/null || true)
             if [[ -n "$outdated_json" ]] && [[ "$outdated_json" != "{}" ]]; then
@@ -190,8 +232,13 @@ Auto-detected by \`shipwright daemon patrol\`." \
                     fi
                 done < <(echo "$outdated_json" | jq -c 'to_entries[]' 2>/dev/null)
 
-                # Create a single issue for all stale deps
-                if [[ "$findings" -gt 0 ]] && [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
+                # Route to decision engine or create issue
+                if [[ "$findings" -gt 0 ]] && [[ "${DECISION_ENGINE_ENABLED:-false}" == "true" ]]; then
+                    _patrol_emit_signal "deps-stale-${findings}" "deps" "deps_major" \
+                        "Update ${findings} stale dependencies" \
+                        "Packages 2+ major versions behind" \
+                        45 "0.90" "deps:stale:${findings}"
+                elif [[ "$findings" -gt 0 ]] && [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
                     local existing
                     existing=$(gh issue list --label "$PATROL_LABEL" --label "dependencies" \
                         --search "Stale dependencies" --json number -q 'length' 2>/dev/null || echo "0")
@@ -534,7 +581,7 @@ Auto-detected by \`shipwright daemon patrol\` on $(now_iso)." \
         failures_json=$(
             (
                 source "$memory_script" > /dev/null 2>&1 || true
-                if command -v memory_get_actionable_failures &>/dev/null; then
+                if command -v memory_get_actionable_failures >/dev/null 2>&1; then
                     memory_get_actionable_failures "$PATROL_FAILURES_THRESHOLD"
                 else
                     echo "[]"
@@ -802,7 +849,7 @@ Auto-detected by \`shipwright daemon patrol\` on $(now_iso)." \
             if [[ ! -f "$scripts_dir/sw-${name}-test.sh" ]]; then
                 # Count usage across other scripts
                 local usage_count
-                usage_count=$(grep -rl "sw-${name}" "$scripts_dir"/sw-*.sh 2>/dev/null | grep -cv "$basename" 2>/dev/null || echo "0")
+                usage_count=$(grep -rl "sw-${name}" "$scripts_dir"/sw-*.sh 2>/dev/null | grep -cv "$basename" 2>/dev/null || true)
                 usage_count=${usage_count:-0}
 
                 local line_count
@@ -1046,7 +1093,7 @@ Auto-detected by \`shipwright daemon patrol\` on $(now_iso)." \
     echo ""
 
     # ── Stage 2: AI-Powered Confirmation (if enabled) ──
-    if [[ "${PREDICTION_ENABLED:-false}" == "true" ]] && type patrol_ai_analyze &>/dev/null 2>&1; then
+    if [[ "${PREDICTION_ENABLED:-false}" == "true" ]] && type patrol_ai_analyze >/dev/null 2>&1; then
         daemon_log INFO "Intelligence: using AI patrol analysis (prediction enabled)"
         echo -e "  ${BOLD}AI Deep Analysis${RESET}"
         # Sample recent source files for AI analysis