shipwright-cli 3.1.0 → 3.3.0

package/scripts/sw-incident.sh

@@ -6,7 +6,8 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
@@ -41,6 +42,7 @@ format_duration() {
 }
 
 # ─── Structured Event Log ──────────────────────────────────────────────────
+# shellcheck disable=SC2034
 EVENTS_FILE="${HOME}/.shipwright/events.jsonl"
 
 # ─── State Directories ──────────────────────────────────────────────────────
@@ -53,6 +55,7 @@ ensure_incident_dir() {
     [[ -f "$INCIDENT_CONFIG" ]] || cat > "$INCIDENT_CONFIG" << 'EOF'
 {
   "auto_response_enabled": true,
+  "auto_remediate_enabled": false,
   "p0_auto_hotfix": true,
   "p1_auto_hotfix": false,
   "auto_rollback_enabled": false,
@@ -63,6 +66,12 @@ ensure_incident_dir() {
     "p1_test_regression_count": 5,
     "p1_pipeline_failure_rate": 0.3
   },
+  "escalation": {
+    "p0": ["create_issue", "trigger_hotfix_pipeline", "emit_urgent_event"],
+    "p1": ["create_issue", "trigger_pipeline"],
+    "p2": ["create_issue"],
+    "p3": ["memory_only"]
+  },
   "root_cause_patterns": {
     "timeout_keywords": ["timeout", "deadline", "too slow"],
     "memory_keywords": ["out of memory", "OOM", "heap"],
@@ -130,13 +139,18 @@ classify_severity() {
 
 analyze_root_cause() {
     local failure_log="$1"
+    # shellcheck disable=SC2034
     local config="$2"
 
     local timeout_hits error_hits memory_hits dependency_hits
-    timeout_hits=$(echo "$failure_log" | grep -ic "timeout\|deadline\|too slow" || echo "0")
-    memory_hits=$(echo "$failure_log" | grep -ic "out of memory\|OOM\|heap" || echo "0")
-    dependency_hits=$(echo "$failure_log" | grep -ic "dependency\|import\|require\|not found" || echo "0")
-    error_hits=$(echo "$failure_log" | grep -c . || echo "0")
+    timeout_hits=$(echo "$failure_log" | grep -ic "timeout\|deadline\|too slow" || true)
+    timeout_hits="${timeout_hits:-0}"
+    memory_hits=$(echo "$failure_log" | grep -ic "out of memory\|OOM\|heap" || true)
+    memory_hits="${memory_hits:-0}"
+    dependency_hits=$(echo "$failure_log" | grep -ic "dependency\|import\|require\|not found" || true)
+    dependency_hits="${dependency_hits:-0}"
+    error_hits=$(echo "$failure_log" | grep -c . || true)
+    error_hits="${error_hits:-0}"
 
     if [[ "$timeout_hits" -gt 0 ]]; then
         echo "Performance degradation: Timeout detected (${timeout_hits} occurrences)"
@@ -247,6 +261,258 @@ trigger_rollback_for_incident() {
     emit_event "incident.rollback_triggered" "incident_id=$incident_id" "reason=$reason"
 }
 
+# ─── Incident Timeline ─────────────────────────────────────────────────
+
+incident_timeline_update() {
+    local incident_id="$1"
+    local action="$2"
+    local details="${3:-}"
+    local actor="${4:-agent}"
+
+    local incident_file="${INCIDENTS_DIR}/${incident_id}.json"
+    [[ ! -f "$incident_file" ]] && return 1
+
+    local timestamp
+    timestamp=$(now_iso)
+
+    local timeline_entry
+    timeline_entry=$(jq -n \
+        --arg ts "$timestamp" \
+        --arg action "$action" \
+        --arg details "$details" \
+        --arg actor "$actor" \
+        '{timestamp: $ts, action: $action, details: $details, actor: $actor}')
+
+    jq --argjson entry "$timeline_entry" '.timeline += [$entry]' "$incident_file" > "${incident_file}.tmp" && \
+        mv "${incident_file}.tmp" "$incident_file"
+
+    emit_event "incident.timeline_updated" "incident_id=$incident_id" "action=$action" "actor=$actor"
+}
+
+# ─── Intelligent Root Cause Analysis ─────────────────────────────────
+
+incident_deep_analysis() {
+    local incident_id="$1"
+    local failure_log="$2"
+
+    local incident_file="${INCIDENTS_DIR}/${incident_id}.json"
+    [[ ! -f "$incident_file" ]] && return 1
+
+    local probable_cause="Unknown cause"
+    local confidence="low"
+    local affected_components="unknown"
+    local suggested_fix="Review logs and recent commits"
+
+    # Fallback to keyword-based analysis
+    probable_cause=$(analyze_root_cause "$failure_log" "$INCIDENT_CONFIG")
+
+    local deep_analysis
+    deep_analysis=$(jq -n \
+        --arg cause "$probable_cause" \
+        --arg conf "$confidence" \
+        --arg comps "$affected_components" \
+        --arg fix "$suggested_fix" \
+        '{probable_cause: $cause, confidence: $conf, affected_components: $comps, suggested_fix: $fix}')
+
+    jq --argjson analysis "$deep_analysis" '.deep_analysis = $analysis' "$incident_file" > "${incident_file}.tmp" && \
+        mv "${incident_file}.tmp" "$incident_file"
+
+    echo "$deep_analysis"
+    emit_event "incident.deep_analysis_complete" "incident_id=$incident_id" "confidence=$confidence"
+}
+
+# ─── Incident Correlation Engine ────────────────────────────────────
+
+incident_correlate() {
+    local time_window_secs="${1:-300}"
+
+    local current_epoch
+    current_epoch=$(now_epoch)
+    local window_start=$((current_epoch - time_window_secs))
+
+    local grouped="{}"
+
+    local incident_files
+    incident_files=$(find "$INCIDENTS_DIR" -name 'inc-*.json' -type f 2>/dev/null || true)
+
+    while IFS= read -r incident_file; do
+        [[ -z "$incident_file" ]] && continue
+
+        local id created_at signature
+        id=$(jq -r '.id' "$incident_file" 2>/dev/null || echo "")
+        created_at=$(jq -r '.created_at' "$incident_file" 2>/dev/null || echo "")
+        local created_epoch
+        created_epoch=$(date -d "$created_at" +%s 2>/dev/null || echo "0")
+
+        if [[ "$created_epoch" -lt "$window_start" ]]; then
+            continue
+        fi
+
+        signature=$(jq -r '.root_cause // "" | .[0:30]' "$incident_file" 2>/dev/null || echo "unknown")
+
+        if echo "$grouped" | jq -e ".\"$signature\"" >/dev/null 2>&1; then
+            grouped=$(echo "$grouped" | jq --arg sig "$signature" --arg id "$id" '.[$sig] += [$id]')
+        else
+            grouped=$(echo "$grouped" | jq --arg sig "$signature" --arg id "$id" '.[$sig] = [$id]')
+        fi
+    done <<< "$incident_files"
+
+    local correlation_groups
+    correlation_groups=$(echo "$grouped" | jq -c 'to_entries | map(select(.value | length > 1) | {signature: .key, incidents: .value, count: (.value | length)})')
+
+    echo "$correlation_groups"
+    emit_event "incident.correlation_complete" "groups=$(echo "$correlation_groups" | jq 'length' 2>/dev/null || echo 0)"
+}
+
+# ─── Rollback Verification ──────────────────────────────────────────────
+
+incident_verify_rollback() {
+    local incident_id="$1"
+
+    local incident_file="${INCIDENTS_DIR}/${incident_id}.json"
+    [[ ! -f "$incident_file" ]] && return 1
+
+    info "Verifying rollback for incident $incident_id"
+
+    local failures_after_rollback
+    failures_after_rollback=$(get_recent_failures 60)
+    local failure_count
+    failure_count=$(echo "$failures_after_rollback" | jq 'length' 2>/dev/null || echo "0")
+
+    local verified="false"
+    if [[ "$failure_count" -eq 0 ]]; then
+        verified="true"
+        success "Rollback verified — no failures detected in last 60s"
+    else
+        warn "Failures still detected after rollback ($failure_count failure(s))"
+    fi
+
+    incident_timeline_update "$incident_id" "rollback_verified" "Verified: $verified" "agent"
+
+    jq --arg verified "$verified" '.remediation.rollback_verified = ($verified == "true")' "$incident_file" > "${incident_file}.tmp" && \
+        mv "${incident_file}.tmp" "$incident_file"
+
+    [[ "$verified" == "true" ]]
+}
+
+# ─── Escalation Chains ──────────────────────────────────────────────
+
+incident_escalate() {
+    local incident_id="$1"
+    local severity="${2:-P3}"
+
+    local incident_file="${INCIDENTS_DIR}/${incident_id}.json"
+    [[ ! -f "$incident_file" ]] && return 1
+
+    local root_cause
+    root_cause=$(jq -r '.root_cause // "Unknown"' "$incident_file" 2>/dev/null || echo "Unknown")
+
+    case "$severity" in
+        P0)
+            info "P0 Incident — escalating with hotfix pipeline and urgent notification"
+            incident_timeline_update "$incident_id" "escalation_p0" "Creating hotfix issue" "agent"
+
+            local issue_num
+            issue_num=$(create_hotfix_issue "$incident_id" "$severity" "$root_cause")
+
+            if [[ -n "$issue_num" ]]; then
+                trigger_pipeline_for_incident "$issue_num" "$incident_id"
+                emit_event "incident.escalated_p0" "incident_id=$incident_id" "issue=$issue_num" "severity=P0"
+            fi
+            ;;
+        P1)
+            info "P1 Incident — escalating with pipeline"
+            incident_timeline_update "$incident_id" "escalation_p1" "Creating issue" "agent"
+
+            local issue_num
+            issue_num=$(create_hotfix_issue "$incident_id" "$severity" "$root_cause")
+
+            if [[ -n "$issue_num" ]]; then
+                trigger_pipeline_for_incident "$issue_num" "$incident_id"
+                emit_event "incident.escalated_p1" "incident_id=$incident_id" "issue=$issue_num" "severity=P1"
+            fi
+            ;;
+        P2)
+            info "P2 Incident — creating issue"
+            incident_timeline_update "$incident_id" "escalation_p2" "Creating issue" "agent"
+
+            local issue_num
+            issue_num=$(create_hotfix_issue "$incident_id" "$severity" "$root_cause")
+            if [[ -n "$issue_num" ]]; then
+                emit_event "incident.escalated_p2" "incident_id=$incident_id" "issue=$issue_num" "severity=P2"
+            fi
+            ;;
+        P3)
+            info "P3 Incident — recording in memory"
+            incident_timeline_update "$incident_id" "escalation_p3" "Low severity — memory only" "agent"
+            emit_event "incident.escalated_p3" "incident_id=$incident_id" "severity=P3"
+            ;;
+    esac
+}
+
+# ─── Auto-Remediation Orchestration ─────────────────────────────────
+
+incident_auto_remediate() {
+    local incident_id="$1"
+
+    local incident_file="${INCIDENTS_DIR}/${incident_id}.json"
+    [[ ! -f "$incident_file" ]] && { error "Incident not found: $incident_id"; return 1; }
+
+    info "Starting auto-remediation for incident $incident_id"
+    incident_timeline_update "$incident_id" "auto_remediation_started" "Full loop orchestration" "agent"
+
+    info "Step 1: Correlating with recent incidents"
+    local correlations
+    correlations=$(incident_correlate 300)
+    incident_timeline_update "$incident_id" "correlation_check" "Correlated failures: $(echo "$correlations" | jq 'length' 2>/dev/null || echo "0")" "agent"
+
+    info "Step 2: Running deep analysis"
+    local failure_log
+    failure_log=$(jq -r '.failure_events | @json' "$incident_file" 2>/dev/null || echo "{}")
+    local deep_analysis
+    deep_analysis=$(incident_deep_analysis "$incident_id" "$failure_log")
+
+    info "Step 3: Escalating incident"
+    local severity
+    severity=$(jq -r '.severity // "P3"' "$incident_file" 2>/dev/null || echo "P3")
+    incident_escalate "$incident_id" "$severity"
+
+    if [[ "$severity" == "P0" ]] || [[ "$severity" == "P1" ]]; then
+        info "Step 4: Waiting for pipeline fix attempt (60s timeout)"
+        incident_timeline_update "$incident_id" "pipeline_wait" "Waiting for fix" "agent"
+
+        sleep 5
+
+        info "Step 5: Verifying fix"
+        if incident_verify_rollback "$incident_id"; then
+            incident_timeline_update "$incident_id" "resolution" "Incident resolved" "agent"
+            jq '.status = "resolved" | .resolved_at = (now | todate)' "$incident_file" > "${incident_file}.tmp" && \
+                mv "${incident_file}.tmp" "$incident_file"
+            success "Incident $incident_id auto-remediated and resolved"
+        else
+            warn "Automated fix failed — escalating severity"
+            local new_severity
+            case "$severity" in
+                P1) new_severity="P0" ;;
+                P2) new_severity="P1" ;;
+                *) new_severity="P0" ;;
+            esac
+
+            incident_timeline_update "$incident_id" "escalation_due_to_failure" "Automated fix failed, escalating to $new_severity" "agent"
+            jq --arg sev "$new_severity" '.severity = $sev' "$incident_file" > "${incident_file}.tmp" && \
+                mv "${incident_file}.tmp" "$incident_file"
+
+            incident_escalate "$incident_id" "$new_severity"
+            emit_event "incident.auto_remediation_failed" "incident_id=$incident_id" "escalated_to=$new_severity"
+        fi
+    else
+        incident_timeline_update "$incident_id" "resolution" "P2/P3 — tracked for human review" "agent"
+    fi
+
+    success "Auto-remediation orchestration complete for incident $incident_id"
+    emit_event "incident.auto_remediation_complete" "incident_id=$incident_id"
+}
+
 # ─── Watch Command ─────────────────────────────────────────────────────────
 
 cmd_watch() {
@@ -445,12 +711,14 @@ EOF
 cmd_stats() {
     local format="${1:-table}"
 
+    # shellcheck disable=SC2010
     if [[ ! -d "$INCIDENTS_DIR" ]] || [[ -z "$(ls -1 "$INCIDENTS_DIR"/*.json 2>/dev/null | grep -v postmortem)" ]]; then
         info "No incident data available"
         return 0
     fi
 
     local total_incidents
+    # shellcheck disable=SC2010
     total_incidents=$(ls -1 "$INCIDENTS_DIR"/*.json 2>/dev/null | grep -v postmortem | wc -l)
 
     local incident_files

package/scripts/sw-init.sh

@@ -8,7 +8,8 @@
 # ║                                                                          ║
 # ║  --deploy  Detect platform and generate deployed.json template          ║
 # ╚═══════════════════════════════════════════════════════════════════════════╝
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 trap 'rm -f "${tmp:-}"' EXIT
@@ -343,6 +344,7 @@ if ! echo "$PATH" | tr ':' '\n' | grep -qxF "$BIN_DIR"; then
     fi
     export PATH="$BIN_DIR:$PATH"
 else
+    # shellcheck disable=SC2088
     success "~/.local/bin already in PATH"
 fi
 
@@ -509,6 +511,11 @@ elif [[ -f "$SETTINGS_TEMPLATE" ]]; then
     success "Installed ~/.claude/settings.json (with agent teams enabled)"
 else
     # Create minimal settings.json with agent teams
+    # Use restrictive umask for sensitive files (owner-only: 600)
+    local _old_umask_settings
+    _old_umask_settings=$(umask)
+    umask 0077
+
     cat > "$SETTINGS_FILE" << 'SETTINGS_EOF'
 {
   "hooks": {},
@@ -516,10 +523,16 @@ else
     "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1",
     "CLAUDE_CODE_MAX_TOOL_USE_CONCURRENCY": "5",
     "CLAUDE_CODE_AUTOCOMPACT_PCT_OVERRIDE": "70",
-    "CLAUDE_CODE_SUBAGENT_MODEL": "haiku"
+    "CLAUDE_CODE_SUBAGENT_MODEL": "haiku",
+    "ENABLE_TOOL_SEARCH": "auto",
+    "MAX_MCP_OUTPUT_TOKENS": "50000"
   }
 }
 SETTINGS_EOF
+
+    umask "$_old_umask_settings"
+    chmod 600 "$SETTINGS_FILE"
+
     success "Created ~/.claude/settings.json with agent teams enabled"
 fi
 
@@ -607,6 +620,7 @@ GLOBAL_CLAUDE_MD="$CLAUDE_DIR/CLAUDE.md"
 if [[ "$SKIP_CLAUDE_MD" == "false" && -f "$CLAUDE_MD_SRC" ]]; then
     if [[ -f "$GLOBAL_CLAUDE_MD" ]]; then
         if grep -q "Shipwright" "$GLOBAL_CLAUDE_MD" 2>/dev/null; then
+            # shellcheck disable=SC2088
             info "~/.claude/CLAUDE.md already contains Shipwright instructions"
         else
             { echo ""; echo "---"; echo ""; cat "$CLAUDE_MD_SRC"; } >> "$GLOBAL_CLAUDE_MD"
@@ -722,6 +736,7 @@ detect_deploy_platform() {
     for adapter_file in "$ADAPTERS_DIR"/*-deploy.sh; do
         [[ -f "$adapter_file" ]] || continue
         # Source the adapter in a subshell to get detection
+        # shellcheck disable=SC1090
         if ( source "$adapter_file" && detect_platform ); then
             local name
             name=$(basename "$adapter_file" | sed 's/-deploy\.sh$//')
@@ -788,6 +803,7 @@ fi
 
 # Source the adapter to get command values
 ADAPTER_FILE="$ADAPTERS_DIR/${DEPLOY_PLATFORM}-deploy.sh"
+# shellcheck disable=SC1090
 source "$ADAPTER_FILE"
 
 staging_cmd=$(get_staging_cmd)

package/scripts/sw-instrument.sh

@@ -6,8 +6,9 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck disable=SC2034
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────
@@ -29,7 +30,8 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
-    local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
+    local payload
+    payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
   }
@@ -190,6 +192,7 @@ cmd_start() {
     local run_file="${INSTRUMENT_ACTIVE}/${run_id}.json"
     local tmp_file
     tmp_file="$(mktemp "${INSTRUMENT_ACTIVE}/.tmp.XXXXXX")"
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
 
     # Get repo info if not provided
@@ -257,6 +260,7 @@ cmd_record() {
 
     local tmp_file
     tmp_file="$(mktemp "${INSTRUMENT_ACTIVE}/.tmp.XXXXXX")"
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
 
     # Parse value as number if it's numeric
@@ -320,6 +324,7 @@ cmd_stage_start() {
 
     local tmp_file
     tmp_file="$(mktemp "${INSTRUMENT_ACTIVE}/.tmp.XXXXXX")"
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
 
     jq \
@@ -366,6 +371,7 @@ cmd_stage_end() {
 
     local tmp_file
     tmp_file="$(mktemp "${INSTRUMENT_ACTIVE}/.tmp.XXXXXX")"
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
 
     jq \
@@ -416,6 +422,7 @@ cmd_finish() {
 
     local tmp_file
     tmp_file="$(mktemp "${INSTRUMENT_ACTIVE}/.tmp.XXXXXX")"
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
 
     # Update run record with finish data
@@ -476,6 +483,7 @@ cmd_summary() {
         tmp_file="$(mktemp)"
         grep "\"run_id\":\"${run_id}\"" "$INSTRUMENT_COMPLETED" | head -1 > "$tmp_file"
         run_file="$tmp_file"
+    # shellcheck disable=SC2064
         trap "rm -f '$tmp_file'" RETURN
     fi
 

package/scripts/sw-intelligence.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="${REPO_DIR:-$(cd "$SCRIPT_DIR/.." && pwd)}"
 
@@ -31,6 +31,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -159,6 +160,7 @@ _intelligence_track_cache_access() {
 
     local tmp_file
     tmp_file=$(mktemp "${TMPDIR:-/tmp}/sw-cache-stats.XXXXXX")
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
     if [[ "$hit_or_miss" == "hit" ]]; then
         jq '.hits += 1 | .total += 1' "$CACHE_STATS_FILE" > "$tmp_file" && mv "$tmp_file" "$CACHE_STATS_FILE" || rm -f "$tmp_file"
@@ -179,6 +181,7 @@ _intelligence_adjust_cache_ttl() {
     [[ -f "$CACHE_STATS_FILE" ]] || return 0
 
     local hits misses total
+    # shellcheck disable=SC2034
     hits=$(jq '.hits // 0' "$CACHE_STATS_FILE" 2>/dev/null || echo "0")
     misses=$(jq '.misses // 0' "$CACHE_STATS_FILE" 2>/dev/null || echo "0")
     total=$(jq '.total // 0' "$CACHE_STATS_FILE" 2>/dev/null || echo "0")
@@ -203,6 +206,7 @@ _intelligence_adjust_cache_ttl() {
     if [[ "$new_ttl" != "$current_ttl" ]]; then
         local tmp_file
         tmp_file=$(mktemp "${TMPDIR:-/tmp}/sw-cache-ttl.XXXXXX")
+        # shellcheck disable=SC2064
         trap "rm -f '$tmp_file'" RETURN
         jq -n \
             --argjson ttl "$new_ttl" \
@@ -220,6 +224,7 @@ _intelligence_adjust_cache_ttl() {
     # Reset stats for next window
     local tmp_reset
     tmp_reset=$(mktemp "${TMPDIR:-/tmp}/sw-cache-reset.XXXXXX")
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_reset'" RETURN
     echo '{"hits":0,"misses":0,"total":0}' > "$tmp_reset" && mv "$tmp_reset" "$CACHE_STATS_FILE" || rm -f "$tmp_reset"
 }
@@ -306,6 +311,7 @@ _intelligence_cache_set() {
 
     local tmp_file
     tmp_file=$(mktemp "${TMPDIR:-/tmp}/sw-intel-cache.XXXXXX")
+    # shellcheck disable=SC2064
     trap "rm -f '$tmp_file'" RETURN
     jq --arg h "$hash" \
        --argjson result "$result" \
@@ -321,6 +327,7 @@ _intelligence_call_claude() {
     local prompt="$1"
     local cache_key="${2:-}"
     local ttl="${3:-$DEFAULT_CACHE_TTL}"
+    local model="${4:-${INTELLIGENCE_MODEL:-haiku}}"
 
     # Check cache first
     local cached
@@ -346,8 +353,13 @@ _intelligence_call_claude() {
     elif command -v timeout >/dev/null 2>&1; then _timeout_cmd="timeout $_claude_timeout"
     fi
 
+    local _model_flag=""
+    [[ -n "$model" ]] && _model_flag="--model $model"
+
+    type daemon_log &>/dev/null && daemon_log INFO "Intelligence: calling Claude (model=${model:-default}, timeout=${_claude_timeout}s)"
+
     local response
-    if ! response=$($_timeout_cmd claude -p "$prompt" 2>/dev/null); then
+    if ! response=$($_timeout_cmd claude -p "$prompt" $_model_flag 2>/dev/null); then
         error "Claude call failed or timed out"
         echo '{"error":"claude_call_failed"}'
         return 1
@@ -395,7 +407,8 @@ _intelligence_fallback_analyze() {
     local outcomes_file="$HOME/.shipwright/optimization/outcomes.jsonl"
     if [[ -f "$outcomes_file" ]] && command -v jq &>/dev/null; then
         local sample_count
-        sample_count=$(wc -l < "$outcomes_file" 2>/dev/null || echo "0")
+        sample_count=$(wc -l < "$outcomes_file" 2>/dev/null || true)
+        sample_count="${sample_count:-0}"
 
         if [[ "$sample_count" -gt 5 ]]; then
             # Compute average complexity from past outcomes
@@ -410,6 +423,28 @@ _intelligence_fallback_analyze() {
         fi
     fi
 
+    # Issue type classification from labels
+    local issue_type="backend"
+    if echo "$labels" | grep -qiE 'ui|frontend|css|design' 2>/dev/null; then
+        issue_type="frontend"
+    elif echo "$labels" | grep -qiE 'api|endpoint|rest|graphql' 2>/dev/null; then
+        issue_type="api"
+    elif echo "$labels" | grep -qiE 'db|migration|schema|database' 2>/dev/null; then
+        issue_type="database"
+    elif echo "$labels" | grep -qiE 'security|auth|cve' 2>/dev/null; then
+        issue_type="security"
+    elif echo "$labels" | grep -qiE 'perf|slow|latency|performance' 2>/dev/null; then
+        issue_type="performance"
+    elif echo "$labels" | grep -qiE 'test|coverage' 2>/dev/null; then
+        issue_type="testing"
+    elif echo "$labels" | grep -qiE 'docs|readme|documentation' 2>/dev/null; then
+        issue_type="documentation"
+    elif echo "$labels" | grep -qiE 'infra|ci|deploy|infrastructure' 2>/dev/null; then
+        issue_type="infrastructure"
+    elif echo "$labels" | grep -qiE 'refactor|cleanup' 2>/dev/null; then
+        issue_type="refactor"
+    fi
+
     # Label-based heuristics (better than nothing)
     if echo "$labels" | grep -qiE 'bug|fix|hotfix' 2>/dev/null; then
         complexity=$((complexity > 3 ? complexity - 2 : complexity))
@@ -435,7 +470,7 @@ _intelligence_fallback_analyze() {
         complexity=$((complexity + 2 > 10 ? 10 : complexity + 2))
     fi
 
-    echo "{\"complexity\":$complexity,\"risk_level\":\"$risk\",\"success_probability\":$probability,\"recommended_template\":\"$template\"}"
+    echo "{\"complexity\":$complexity,\"risk_level\":\"$risk\",\"success_probability\":$probability,\"recommended_template\":\"$template\",\"issue_type\":\"$issue_type\"}"
 }
 
 _intelligence_fallback_cost() {
@@ -487,7 +522,7 @@ intelligence_analyze_issue() {
         if [[ -n "${merged:-}" ]]; then
             echo "$merged"
         else
-            echo '{"error":"intelligence_disabled","complexity":5,"risk_level":"medium","success_probability":50,"recommended_template":"standard","key_risks":[],"implementation_hints":[]}'
+            echo '{"error":"intelligence_disabled","complexity":5,"risk_level":"medium","success_probability":50,"recommended_template":"standard","issue_type":"backend","key_risks":[],"implementation_hints":[]}'
         fi
         return 0
     fi
@@ -505,6 +540,7 @@ Return JSON with exactly these fields:
   \"risk_level\": \"<low|medium|high|critical>\",
   \"success_probability\": <number 0-100>,
   \"recommended_template\": \"<fast|standard|full|hotfix|autonomous|enterprise|cost-aware>\",
+  \"issue_type\": \"<frontend|backend|api|database|infrastructure|documentation|security|performance|refactor|testing>\",
   \"key_risks\": [\"risk1\", \"risk2\"],
   \"implementation_hints\": [\"hint1\", \"hint2\"]
 }"
@@ -527,7 +563,8 @@ Return JSON with exactly these fields:
             "complexity=$(echo "$result" | jq -r '.complexity')" \
             "risk_level=$(echo "$result" | jq -r '.risk_level')" \
             "success_probability=$(echo "$result" | jq -r '.success_probability')" \
-            "recommended_template=$(echo "$result" | jq -r '.recommended_template')"
+            "recommended_template=$(echo "$result" | jq -r '.recommended_template')" \
+            "issue_type=$(echo "$result" | jq -r '.issue_type // "backend"')"
 
         # Enrich with GitHub data if available
         result=$(intelligence_github_enrich "$result")
@@ -537,7 +574,7 @@ Return JSON with exactly these fields:
     else
         local fallback
         fallback=$(_intelligence_fallback_analyze "$title" "$body" "$labels")
-        echo "$fallback" | jq -c '. + {error: "analysis_failed", key_risks: ["analysis_failed"], implementation_hints: []}' 2>/dev/null || echo '{"error":"analysis_failed","complexity":5,"risk_level":"medium","success_probability":50,"recommended_template":"standard","key_risks":["analysis_failed"],"implementation_hints":[]}'
+        echo "$fallback" | jq -c '. + {error: "analysis_failed", key_risks: ["analysis_failed"], implementation_hints: []}' 2>/dev/null || echo '{"error":"analysis_failed","complexity":5,"risk_level":"medium","success_probability":50,"recommended_template":"standard","issue_type":"backend","key_risks":["analysis_failed"],"implementation_hints":[]}'
         return 0
     fi
 }

package/scripts/sw-jira.sh

@@ -6,8 +6,10 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.1.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck disable=SC2034
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────
@@ -30,6 +32,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -206,6 +209,7 @@ cmd_sync() {
             synced=$((synced + 1))
         else
             # Create GitHub issue
+            # shellcheck disable=SC2155
             local labels="$(_config_get "labels.ready_to_build" "ready-to-build")"
             if [[ -n "$priority_label" ]]; then
                 labels="${labels},${priority_label}"