shipwright-cli 3.1.0 → 3.3.0

package/.claude/agents/code-reviewer.md

@@ -2,6 +2,8 @@
 
 You are a code review specialist for the Shipwright project. Your job is to review shell scripts, GitHub Actions workflows, and configuration files for correctness, security, and adherence to project conventions.
 
+**Model Guidance**: Use Opus 4.6 for thorough architectural reviews. Set `maxTurns: 2` to prevent context bloat during iterative reviews. Use `worktree: true` for parallel code review runs.
+
 ## Review Checklist
 
 ### Bash 3.2 Compatibility (Blockers)

package/.claude/agents/devops-engineer.md

@@ -2,6 +2,8 @@
 
 You are a DevOps and CI/CD specialist for the Shipwright project. You work on GitHub Actions workflows, deployment pipelines, infrastructure automation, and operational tooling.
 
+**Model Guidance**: Use Opus 4.6 for complex infrastructure changes. Use `worktree: true` to isolate concurrent infrastructure updates. Set `maxTurns: 2` for exploratory work.
+
 ## GitHub Actions Workflows
 
 Workflows live in `.github/workflows/` with the `shipwright-*.yml` naming prefix:

package/.claude/agents/doc-fleet-agent.md

@@ -2,6 +2,8 @@
 
 You are a specialized agent in the Shipwright documentation fleet. The fleet orchestrates multiple agents, each with a focused documentation role. Your specific role is assigned at spawn time.
 
+**Model Guidance**: Use Sonnet 4.6 for documentation work. Use `background: true` for parallel doc fleet agents (audit, refactor, enhance). Set `maxTurns: 2` per role to focus on specialized tasks.
+
 ## Fleet Roles
 
 ### 1. Doc Architect (leader)

package/.claude/agents/pipeline-agent.md

@@ -2,6 +2,8 @@
 
 You are an autonomous agent running inside the Shipwright delivery pipeline's build stage. You were spawned by `shipwright loop`, which was called by `shipwright pipeline` during the build stage.
 
+**Model Guidance**: Use Opus 4.6 for complex builds, Sonnet 4.6 for standard features, and Haiku for simple bug fixes. For background tasks (long-running test suites), set `background: true` and allow pre-approved tool permissions.
+
 ## Your Context
 
 Your goal comes from the **enriched goal** assembled by the pipeline, which includes:

package/.claude/agents/shell-script-specialist.md

@@ -2,6 +2,8 @@
 
 You are a shell script development specialist for the Shipwright project — an autonomous delivery platform built entirely in Bash (37+ scripts, 25,000+ lines).
 
+**Model Guidance**: Use Sonnet 4.6 for script development. For long-running test harnesses, use `background: true` with pre-approved permissions.
+
 ## Bash 3.2 Compatibility (CRITICAL)
 
 Shipwright must run on macOS default Bash 3.2. The following are **forbidden**:

package/.claude/agents/test-specialist.md

@@ -2,6 +2,8 @@
 
 You are a test development specialist for the Shipwright project. The project has 90+ test suites (see `package.json` scripts.test and the AUTO:test-suites table in `.claude/CLAUDE.md`), all written in Bash following a consistent harness pattern.
 
+**Model Guidance**: Use Sonnet 4.6 for test development. Use `background: true` and `maxTurns: 3` for long test runs to prevent context bloat.
+
 ## Test Harness Conventions
 
 ### File Structure

package/.claude/hooks/agent-crash-capture.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Hook: Capture diagnostics when a Skipper agent crashes
+# Trigger: Post-tool-use on Bash failures that look like agent crashes
+
+set -euo pipefail
+
+# Read stdin for tool result context
+INPUT="$(cat)"
+
+# Check if this looks like an agent crash
+if echo "$INPUT" | grep -qi "panic\|segfault\|killed\|oom\|fatal\|crash"; then
+    TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+    CRASH_DIR="${HOME}/.shipwright/crash-reports"
+    mkdir -p "$CRASH_DIR"
+
+    REPORT_FILE="${CRASH_DIR}/crash_${TIMESTAMP}.json"
+
+    # Capture diagnostics
+    cat > "$REPORT_FILE" << EOF
+{
+    "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+    "working_directory": "$(pwd)",
+    "git_branch": "$(git branch --show-current 2>/dev/null || echo 'unknown')",
+    "git_commit": "$(git rev-parse HEAD 2>/dev/null || echo 'unknown')",
+    "error_context": $(echo "$INPUT" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()[:2000]))" 2>/dev/null || echo '"capture_failed"'),
+    "pipeline_state": "$(cat .claude/pipeline-state.md 2>/dev/null | head -20 | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" 2>/dev/null || echo '"none"')",
+    "recent_commits": "$(git log --oneline -5 2>/dev/null | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" 2>/dev/null || echo '"none"')"
+}
+EOF
+
+    echo "Crash report saved to $REPORT_FILE" >&2
+fi

package/.claude/hooks/post-tool-use.sh

@@ -19,8 +19,9 @@ if [[ "$tool_name" == "Bash" ]] && [[ "${exit_code:-0}" != "0" ]]; then
     # Classify error type
     error_type="unknown"
     case "$error_snippet" in
-        *"test"*|*"FAIL"*|*"assert"*|*"expect"*)        error_type="test" ;;
-        *"syntax"*|*"unexpected"*|*"parse error"*)       error_type="syntax" ;;
+        *"syntax"*|*"parse error"*)                       error_type="syntax" ;;
+        *"unexpected token"*|*"unexpected end"*)          error_type="syntax" ;;
+        *"test"*|*"FAIL"*|*"assert"*|*"expect"*)         error_type="test" ;;
         *"not found"*|*"No such"*|*"ENOENT"*)            error_type="missing" ;;
         *"permission"*|*"denied"*|*"EACCES"*)            error_type="permission" ;;
         *"timeout"*|*"timed out"*|*"ETIMEDOUT"*)         error_type="timeout" ;;

package/.claude/hooks/pre-tool-use.sh

@@ -1,14 +1,46 @@
 #!/usr/bin/env bash
-# Hook: PreToolUse — Context injection for .sh file editing
+# Hook: PreToolUse — Security checks and context injection
 # Triggered before Write/Edit tools
 
 # Read tool input from stdin (JSON)
 input=$(cat)
 
-# Extract file path from tool input
+# Extract tool name and file path
+tool_name=$(echo "$input" | jq -r '.tool_name // empty' 2>/dev/null)
 file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+new_string=$(echo "$input" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+tool_input=$(echo "$input" | jq -r '.tool_input // empty' 2>/dev/null)
 
-# Only trigger for shell script files
+# Security check: Block git push --no-verify (bypasses pre-commit hooks)
+if echo "$tool_input" | grep -qE 'git\s+push.*--no-verify'; then
+    echo '{"message":"Blocked: git push --no-verify bypasses safety checks. Remove --no-verify flag."}'
+    exit 2
+fi
+
+# Security check: Detect secrets being written to non-secret files
+if [[ "$tool_name" == "Edit" || "$tool_name" == "Write" ]]; then
+    # Sensitive files that should not be added to version control
+    if [[ ! "$file_path" =~ (\.env|\.secret|secret|credential|key|token|private) ]]; then
+        # Check for common secret patterns
+        secret_patterns="sk-ant-|ANTHROPIC_API_KEY|GITHUB_TOKEN|OPENAI_API_KEY|AWS_SECRET|DATABASE_URL|PRIVATE_KEY|api_key|BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY"
+
+        if echo "$new_string" | grep -qE "$secret_patterns"; then
+            cat << "SECURITY_WARNING"
+⚠️  SECURITY WARNING: Secret pattern detected in non-secret file
+
+The content being written to this file contains a potential secret.
+File: $file_path
+
+Sensitive data should NEVER be committed to version control.
+
+If this is intentional (e.g., example code), please review carefully.
+SECURITY_WARNING
+            exit 2
+        fi
+    fi
+fi
+
+# Shell script context injection
 if [[ "$file_path" == *.sh ]]; then
     cat << 'REMINDER'
 SHIPWRIGHT SHELL RULES:

package/README.md

@@ -13,9 +13,9 @@
   <a href="https://github.com/sethdford/shipwright/actions/workflows/test.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/test.yml/badge.svg" alt="Tests"></a>
   <a href="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml/badge.svg" alt="Pipeline"></a>
   <img src="https://img.shields.io/badge/tests-141_suites_passing-4ade80?style=flat-square" alt="141 suites">
-  <img src="https://img.shields.io/badge/version-3.1.0-00d4ff?style=flat-square" alt="v3.1.0">
+  <img src="https://img.shields.io/badge/version-3.3.0-00d4ff?style=flat-square" alt="v3.3.0">
   <img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="MIT License">
-  <img src="https://img.shields.io/badge/bash-3.2%2B-7c3aed?style=flat-square" alt="Bash 3.2+">
+  <img src="https://img.shields.io/badge/bash-3.2%2B-555a66?style=flat-square" alt="Bash 3.2+">
 </p>
 
 ---
@@ -24,7 +24,7 @@
 
 - [Shipwright Builds Itself](#shipwright-builds-itself)
 - [Code Factory Pattern](#code-factory-pattern)
-- [What's New in v3.1.0](#whats-new-in-v310)
+- [What's New in v3.3.0](#whats-new-in-v330)
 - [How It Works](#how-it-works)
 - [Install](#install)
 - [Quick Start](#quick-start)
@@ -77,7 +77,8 @@ Shipwright extends the Code Factory pattern with capabilities most implementatio
 - **12-stage pipeline** with self-healing builds, adversarial review, and compound quality gates
 - **Predictive risk scoring** using GitHub signals (security alerts, contributor expertise, file churn)
 - **Persistent memory** — failure patterns, fix effectiveness, and prediction accuracy compound over time
-- **Auto-learning** — self-optimize runs automatically after every pipeline completion
+- **Auto-learning** — self-optimize runs automatically after every pipeline completion, including context efficiency tuning
+- **Decision engine** — tiered autonomous decisions with outcome learning and deduplication
 - **Unified model routing** — single source of truth for model selection across all components
 - **Evidence-gated merges** — SHA discipline ensures all evidence validated against current PR head
 - **Semantic quality audits** — Claude-powered audits with grep fallback when Claude unavailable
@@ -108,7 +109,7 @@ shipwright incident gap sla
 
 ---
 
-## What's New in v3.1.0
+## What's New in v3.3.0
 
 **Code Factory pattern** — deterministic, risk-aware agent delivery with machine-verifiable evidence:
 
@@ -282,7 +283,7 @@ Each stage is configurable with quality gates that auto-proceed or pause for app
 
 ### Intelligence Layer
 
-7 modules that make the pipeline smarter over time. **Auto mode**: intelligence is enabled when Claude CLI is available; set `intelligence.enabled=false` to disable. All modules degrade gracefully.
+7 modules that make the pipeline smarter over time. **Enabled by default**: intelligence is on when Claude CLI is available, with optimization and prediction active out of the box. Set `intelligence.enabled=false` to disable. All modules degrade gracefully.
 
 | Module                       | What It Does                                                                                                          |
 | ---------------------------- | --------------------------------------------------------------------------------------------------------------------- |
@@ -290,7 +291,7 @@ Each stage is configurable with quality gates that auto-proceed or pause for app
 | **Pipeline Composer**        | Generates custom pipeline configs from codebase analysis (file churn, test coverage, dependencies)                    |
 | **Predictive Risk**          | Scores issues for risk using GitHub signals (security alerts, similar past issues, contributor expertise)             |
 | **Adversarial Review**       | Red-team code review — finds security flaws, edge cases, failure modes. Cross-checks against CodeQL/Dependabot alerts |
-| **Self-Optimization**        | Reads DORA metrics and auto-tunes daemon config. Proportional template weighting, adaptive memory timescales          |
+| **Self-Optimization**        | Reads DORA metrics and auto-tunes daemon config. Includes context efficiency closed loop for token budget tuning      |
 | **Developer Simulation**     | 3-persona review (security, performance, maintainability) before PR creation                                          |
 | **Architecture Enforcement** | Living architectural model with violation detection and dependency direction rules                                    |
 
@@ -309,6 +310,19 @@ Native GitHub API integration enriches every intelligence module:
 | **Contributors**      | CODEOWNERS-based reviewer routing, top-contributor fallback, auto-approve as last resort |
 | **Branch Protection** | Checks required reviews and status checks before attempting auto-merge                   |
 
+### Decision Engine
+
+The autonomous decision engine (`config/policy.json` → `decision` section) handles routine operational decisions with outcome learning. Decisions are tiered by risk, with low-risk actions auto-approved and higher tiers escalated. The engine learns from outcomes to improve future decisions.
+
+### Context Engineering
+
+Intelligent context window management for pipeline agents:
+
+- **Budget-aware trimming** — Configurable character budgets for prompt composition (`context_budget_chars`)
+- **Section-level trimming** — Independent limits for memory, git history, hotspot files, and test output
+- **Context efficiency metrics** — Tracks budget utilization and trim ratios per iteration
+- **Self-tuning** — The self-optimization loop analyzes context efficiency events and recommends budget adjustments
+
 ### Autonomous Daemon
 
 ```bash
@@ -354,7 +368,7 @@ Per-pipeline cost tracking with model pricing, budget enforcement, and ROI analy
 shipwright dashboard start
 ```
 
-Web dashboard with live pipeline progress, GitHub context (security alerts, contributors, deployments), DORA metrics, and cost tracking. WebSocket-powered, updates in real-time.
+Web dashboard with live pipeline progress, GitHub context (security alerts, contributors, deployments), DORA metrics, cost tracking, and context efficiency metrics. WebSocket-powered, updates in real-time.
 
 ### Webhook Receiver
 

package/claude-code/hooks/config-change.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Hook: ConfigChange — notify daemon of config updates
+set -euo pipefail
+
+input=$(cat)
+
+# Log config change event
+mkdir -p "$HOME/.shipwright" 2>/dev/null || true
+echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"config.changed\",\"detail\":$(echo "$input" | jq -c '.' 2>/dev/null || echo '{}')}" >> "$HOME/.shipwright/events.jsonl" 2>/dev/null || true
+
+# Signal running daemon to reload config (if PID file exists)
+pid_file="$HOME/.shipwright/daemon.pid"
+if [[ -f "$pid_file" ]]; then
+    daemon_pid=$(cat "$pid_file" 2>/dev/null || true)
+    if [[ -n "$daemon_pid" ]] && kill -0 "$daemon_pid" 2>/dev/null; then
+        kill -USR1 "$daemon_pid" 2>/dev/null || true
+    fi
+fi

package/claude-code/hooks/instructions-reloaded.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Hook: InstructionsLoaded (matcher: "compact")
+# After auto-compaction, log reload event for observability
+set -euo pipefail
+
+mkdir -p "$HOME/.shipwright" 2>/dev/null || true
+echo "{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"instructions.reloaded\",\"trigger\":\"compaction\"}" >> "$HOME/.shipwright/events.jsonl" 2>/dev/null || true

package/claude-code/hooks/worktree-create.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Hook: WorktreeCreate — auto-setup worktree for pipeline agents
+# Copies essential config into new worktrees so agents inherit settings
+set -euo pipefail
+
+# Read hook input from stdin (JSON with worktree details)
+input=$(cat)
+worktree_path=$(echo "$input" | jq -r '.worktree_path // empty' 2>/dev/null || true)
+
+[[ -z "$worktree_path" ]] && exit 0
+
+# Copy daemon config if it exists
+src_root=$(git rev-parse --show-toplevel 2>/dev/null || true)
+if [[ -n "$src_root" ]]; then
+    src_config="$src_root/.claude/daemon-config.json"
+    if [[ -f "$src_config" ]]; then
+        mkdir -p "$worktree_path/.claude" 2>/dev/null || true
+        cp "$src_config" "$worktree_path/.claude/daemon-config.json" 2>/dev/null || true
+    fi
+
+    # Copy pipeline artifacts directory structure
+    if [[ -d "$src_root/.claude/pipeline-artifacts" ]]; then
+        mkdir -p "$worktree_path/.claude/pipeline-artifacts" 2>/dev/null || true
+    fi
+fi

package/claude-code/hooks/worktree-remove.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Hook: WorktreeRemove — clean up state for removed worktree agents
+set -euo pipefail
+
+input=$(cat)
+worktree_path=$(echo "$input" | jq -r '.worktree_path // empty' 2>/dev/null || true)
+
+[[ -z "$worktree_path" ]] && exit 0
+
+# Clean up heartbeat files associated with this worktree
+heartbeat_dir="$HOME/.shipwright/heartbeats"
+if [[ -d "$heartbeat_dir" ]]; then
+    for hb in "$heartbeat_dir"/*.json; do
+        [[ -f "$hb" ]] || continue
+        hb_path=$(jq -r '.worktree // empty' "$hb" 2>/dev/null || true)
+        if [[ "$hb_path" == "$worktree_path" ]]; then
+            rm -f "$hb"
+        fi
+    done
+fi

package/config/code-constitution.json

@@ -0,0 +1,130 @@
+{
+  "version": "1.0",
+  "description": "Constitutional principles for autonomous code self-critique",
+  "principles": {
+    "security": [
+      {
+        "id": "SEC-001",
+        "rule": "No hardcoded secrets, API keys, or passwords",
+        "severity": "critical",
+        "check": "grep -nE '(password|api_key|secret_key|api_secret|auth_token)\\s*=\\s*[\"'\"'\"']' {file}"
+      },
+      {
+        "id": "SEC-002",
+        "rule": "All user inputs must be validated before use",
+        "severity": "critical"
+      },
+      {
+        "id": "SEC-003",
+        "rule": "No eval() or exec() with dynamic content",
+        "severity": "critical",
+        "check": "grep -nE '\\beval\\b.*\\$|\\bexec\\b.*\\$' {file}"
+      },
+      {
+        "id": "SEC-004",
+        "rule": "No SQL string concatenation — use parameterized queries",
+        "severity": "high"
+      },
+      {
+        "id": "SEC-005",
+        "rule": "No shell injection via unquoted variables in commands",
+        "severity": "critical",
+        "check": "grep -nE '\\$\\{?[A-Za-z_]+\\}?[^\"'\"'\"']' {file}"
+      }
+    ],
+    "error_handling": [
+      {
+        "id": "ERR-001",
+        "rule": "No empty catch blocks — all errors must be handled or re-thrown",
+        "severity": "high",
+        "check": "grep -nE 'catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}' {file}"
+      },
+      {
+        "id": "ERR-002",
+        "rule": "Error messages must be descriptive — no generic 'Error occurred'",
+        "severity": "medium",
+        "check": "grep -niE '(error occurred|something went wrong|an error happened)' {file}"
+      },
+      {
+        "id": "ERR-003",
+        "rule": "Return values from commands must be checked",
+        "severity": "high"
+      },
+      {
+        "id": "ERR-004",
+        "rule": "No silent failures — failed operations must log or propagate errors",
+        "severity": "medium"
+      }
+    ],
+    "quality": [
+      {
+        "id": "QUA-001",
+        "rule": "Functions should be under 100 lines",
+        "severity": "medium"
+      },
+      {
+        "id": "QUA-002",
+        "rule": "No TODO/FIXME/HACK comments in production code",
+        "severity": "low",
+        "check": "grep -nE '(TODO|FIXME|HACK|XXX)' {file}"
+      },
+      {
+        "id": "QUA-003",
+        "rule": "No magic numbers — use named constants",
+        "severity": "low"
+      },
+      {
+        "id": "QUA-004",
+        "rule": "No duplicate code blocks over 10 lines",
+        "severity": "medium"
+      },
+      {
+        "id": "QUA-005",
+        "rule": "No console.log or print statements left in production code",
+        "severity": "low",
+        "check": "grep -nE '\\bconsole\\.log\\b|\\bprint\\(' {file}"
+      }
+    ],
+    "testing": [
+      {
+        "id": "TST-001",
+        "rule": "New functions must have corresponding tests",
+        "severity": "high"
+      },
+      {
+        "id": "TST-002",
+        "rule": "Tests must cover error and edge cases, not just happy path",
+        "severity": "medium"
+      },
+      {
+        "id": "TST-003",
+        "rule": "No test-only code in production files",
+        "severity": "medium",
+        "check": "grep -nE '(if.*TEST|ifdef.*TEST|IS_TEST)' {file}"
+      },
+      {
+        "id": "TST-004",
+        "rule": "Test assertions must be specific — no assertTrue(result) without message",
+        "severity": "low"
+      }
+    ],
+    "performance": [
+      {
+        "id": "PRF-001",
+        "rule": "All database queries must have .limit() or LIMIT clause",
+        "severity": "high"
+      },
+      {
+        "id": "PRF-002",
+        "rule": "No unbounded loops over external data",
+        "severity": "medium"
+      },
+      {
+        "id": "PRF-003",
+        "rule": "Avoid synchronous file I/O in hot paths",
+        "severity": "medium",
+        "check": "grep -nE 'readFileSync|writeFileSync' {file}"
+      }
+    ]
+  }
+}

package/config/defaults.json

@@ -25,6 +25,7 @@
     "build_test_retries": 3,
     "claude_timeout": 1800,
     "heartbeat_interval": 30,
+    "composed_cache_ttl": 3600,
     "branch_pattern": "shipwright/issue-{issue}",
     "stage_order": [
       "intake",
@@ -47,7 +48,12 @@
     "max_restarts": 0,
     "fast_test_interval": 5,
     "convergence_threshold": 3,
-    "multi_agent_sleep": 5
+    "multi_agent_sleep": 5,
+    "context_budget_chars": 180000,
+    "context_trim_memory_chars": 20000,
+    "context_trim_git_entries": 10,
+    "context_trim_hotspot_files": 5,
+    "context_trim_test_lines": 50
   },
   "dashboard": {
     "port": 8767,
@@ -77,12 +83,29 @@
     "ab_test_ratio": 0.2,
     "claude_timeout": 60
   },
+  "predictive": {
+    "default_risk_score": 50,
+    "keyword_risk_score": 70
+  },
+  "api_optimization": {
+    "programmatic_tool_calling": true,
+    "tool_search_enabled": true,
+    "tool_search_type": "bm25",
+    "defer_unused_tools": true,
+    "web_search_version": "web_search_20260209",
+    "web_fetch_version": "web_fetch_20260209",
+    "dynamic_filtering": true,
+    "code_execution_sandbox": true,
+    "beta_header": "code-execution-web-tools-2026-02-09"
+  },
   "quality": {
     "gate_score_threshold": 70,
     "secret_threshold": 3,
     "min_file_count": 10,
     "score_weight_per_file": 25,
-    "pass_rate_threshold": 5.0
+    "pass_rate_threshold": 5.0,
+    "bundle_growth_legacy_pct": 20,
+    "perf_regression_legacy_pct": 30
   },
   "cleanup": {
     "artifact_age_days": 7,

package/config/policy.json

@@ -224,7 +224,7 @@
     "promote_threshold_success_rate": 85
   },
   "decision": {
-    "enabled": false,
+    "enabled": true,
     "cycle_interval_seconds": 1800,
     "tiers_file": "config/decision-tiers.json",
     "outcome_learning_enabled": true,

package/dashboard/middleware/auth.ts

@@ -0,0 +1,134 @@
+import { join, extname } from "path";
+import { readFileSync, existsSync, writeFileSync, mkdirSync, renameSync } from "fs";
+import type { Session, AuthMode } from "../types/index.js";
+import { SESSION_TTL_MS } from "./constants.js";
+
+// Auth Config
+const GITHUB_CLIENT_ID = process.env.GITHUB_CLIENT_ID || "";
+const GITHUB_CLIENT_SECRET = process.env.GITHUB_CLIENT_SECRET || "";
+const GITHUB_PAT = process.env.GITHUB_PAT || "";
+const DASHBOARD_REPO = process.env.DASHBOARD_REPO || "";
+const SESSION_SECRET = process.env.SESSION_SECRET || crypto.randomUUID();
+
+const HOME = process.env.HOME || "";
+const SESSIONS_FILE = join(HOME, ".shipwright", "sessions.json");
+
+export const sessions = new Map<string, Session>();
+
+export function createSession(data: Omit<Session, "expiresAt">): string {
+  const sessionId = crypto.randomUUID();
+  sessions.set(sessionId, {
+    ...data,
+    expiresAt: Date.now() + SESSION_TTL_MS,
+  });
+  saveSessions();
+  return sessionId;
+}
+
+export function getSession(req: Request): Session | null {
+  const cookie = req.headers.get("cookie");
+  if (!cookie) return null;
+
+  const match = cookie.match(/fleet_session=([^;]+)/);
+  if (!match) return null;
+
+  const sessionId = match[1];
+  const session = sessions.get(sessionId);
+  if (!session) return null;
+
+  if (Date.now() > session.expiresAt) {
+    sessions.delete(sessionId);
+    saveSessions();
+    return null;
+  }
+
+  return session;
+}
+
+export function getSessionFromCookie(cookie: string | null): Session | null {
+  if (!cookie) return null;
+  const match = cookie.match(/fleet_session=([^;]+)/);
+  if (!match) return null;
+  const session = sessions.get(match[1]);
+  if (!session || Date.now() > session.expiresAt) return null;
+  return session;
+}
+
+export function sessionCookie(sessionId: string): string {
+  return `fleet_session=${sessionId}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${Math.floor(SESSION_TTL_MS / 1000)}`;
+}
+
+export function isLocalConnection(req: Request): boolean {
+  const host = req.headers.get("host") || "";
+  return (
+    host.startsWith("localhost:") ||
+    host.startsWith("127.0.0.1:") ||
+    host.startsWith("[::1]:")
+  );
+}
+
+export function clearSessionCookie(): string {
+  return "fleet_session=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0";
+}
+
+export function loadSessions(): void {
+  try {
+    if (existsSync(SESSIONS_FILE)) {
+      const data = JSON.parse(readFileSync(SESSIONS_FILE, "utf-8"));
+      const now = Date.now();
+      if (data && typeof data === "object") {
+        for (const [id, sess] of Object.entries(data)) {
+          const s = sess as Session;
+          if (s.expiresAt > now) {
+            sessions.set(id, s);
+          }
+        }
+      }
+    }
+  } catch {
+    /* start fresh */
+  }
+}
+
+export function saveSessions(): void {
+  const dir = join(HOME, ".shipwright");
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const obj: Record<string, Session> = {};
+  for (const [id, sess] of sessions) {
+    obj[id] = sess;
+  }
+  const tmp = SESSIONS_FILE + ".tmp";
+  writeFileSync(tmp, JSON.stringify(obj, null, 2));
+  renameSync(tmp, SESSIONS_FILE);
+}
+
+export function getAuthMode(): AuthMode {
+  if (GITHUB_CLIENT_ID && GITHUB_CLIENT_SECRET && DASHBOARD_REPO)
+    return "oauth";
+  if (GITHUB_PAT && DASHBOARD_REPO) return "pat";
+  return "none";
+}
+
+export function isAuthEnabled(): boolean {
+  return getAuthMode() !== "none";
+}
+
+export function isPublicRoute(pathname: string): boolean {
+  return (
+    pathname === "/login" ||
+    pathname.startsWith("/auth/") ||
+    pathname === "/api/health" ||
+    pathname === "/api/ws-status" ||
+    pathname.startsWith("/api/join/") ||
+    pathname.startsWith("/api/connect/") ||
+    pathname === "/api/team" ||
+    pathname === "/api/team/activity" ||
+    pathname === "/api/team/invite" ||
+    pathname.startsWith("/api/team/invite/") ||
+    pathname === "/api/claim" ||
+    pathname === "/api/claim/release" ||
+    pathname === "/api/webhook/ci"
+  );
+}
+
+export { SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GITHUB_PAT, DASHBOARD_REPO };