tend-cli 0.1.0

package/dist/bin.js

@@ -0,0 +1,1754 @@
+#!/usr/bin/env node
+import { ClaudeSession, EFFORT_LEVELS, EventBus, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, assertGitRepo, buildProgram, changedVsHead, createGit, detectPackageManager, filesUnder, filterToChanged, formatClock, loadConfig, makeTheme, normalize, orchestrate, planWork, reasonLabel, renderSummary, resolveRetryTarget, retryCommand, runScanner, scannerStatus, showCommand, zeroUsage } from "./config-B5rO-fvz.js";
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { execa } from "execa";
+import { ESLint } from "eslint";
+import sonarjs from "eslint-plugin-sonarjs";
+import { fileURLToPath } from "node:url";
+import { tmpdir } from "node:os";
+import { createRequire } from "node:module";
+import { Listr, ListrDefaultRendererLogLevels } from "listr2";
+
+//#region src/scanners/eslint-default-config.ts
+/** Walk up from this module to tend's own package root (dir of its package.json named tend-cli). */
+function tendPackageRoot() {
+	let dir = dirname(fileURLToPath(import.meta.url));
+	for (let i = 0; i < 8; i++) {
+		const pkgJson = join(dir, "package.json");
+		if (existsSync(pkgJson)) try {
+			if (JSON.parse(readFileSync(pkgJson, "utf8")).name === "tend-cli") return dir;
+		} catch {}
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return dirname(dirname(fileURLToPath(import.meta.url)));
+}
+/** Absolute path to tend's bundled default config (eslint recommended + sonarjs). */
+function defaultEslintConfigPath() {
+	return join(tendPackageRoot(), "configs", "default.eslint.config.mjs");
+}
+const ESLINT_CONFIG_FILES = [
+	"eslint.config.js",
+	"eslint.config.mjs",
+	"eslint.config.cjs",
+	"eslint.config.ts",
+	"eslint.config.mts",
+	"eslint.config.cts",
+	".eslintrc.js",
+	".eslintrc.cjs",
+	".eslintrc.yaml",
+	".eslintrc.yml",
+	".eslintrc.json",
+	".eslintrc"
+];
+function readPackageJson(cwd$1) {
+	const p = join(cwd$1, "package.json");
+	if (!existsSync(p)) return null;
+	try {
+		return JSON.parse(readFileSync(p, "utf8"));
+	} catch {
+		return null;
+	}
+}
+/** Does the project have any eslint config (a config file, or an `eslintConfig` key in package.json)? */
+function projectHasEslintConfig(cwd$1) {
+	if (ESLINT_CONFIG_FILES.some((name) => existsSync(join(cwd$1, name)))) return true;
+	return Boolean(readPackageJson(cwd$1)?.["eslintConfig"]);
+}
+/**
+* Nearest directory at or above `startDir`, up to and including `boundaryDir`, that holds an
+* eslint config — or null if none. Lets tend resolve each scoped file's governing config by
+* walking upward from the file, so a monorepo package keeps its own config even when tend is
+* invoked from the repo root (where there may be no config at all).
+*/
+function findEslintConfigDir(startDir, boundaryDir) {
+	const boundary = resolve(boundaryDir);
+	let dir = resolve(startDir);
+	for (;;) {
+		if (projectHasEslintConfig(dir)) return dir;
+		if (dir === boundary) return null;
+		const parent = dirname(dir);
+		if (parent === dir) return null;
+		dir = parent;
+	}
+}
+function dependsOnSonarjs(cwd$1) {
+	const pkg = readPackageJson(cwd$1);
+	if (!pkg) return false;
+	for (const field of [
+		"dependencies",
+		"devDependencies",
+		"peerDependencies",
+		"optionalDependencies"
+	]) {
+		const deps = pkg[field];
+		if (deps?.["eslint-plugin-sonarjs"]) return true;
+	}
+	return false;
+}
+function configMentionsSonarjs(cwd$1) {
+	for (const name of ESLINT_CONFIG_FILES) {
+		const p = join(cwd$1, name);
+		if (existsSync(p)) try {
+			if (readFileSync(p, "utf8").includes("sonarjs")) return true;
+		} catch {}
+	}
+	const eslintConfig = readPackageJson(cwd$1)?.["eslintConfig"];
+	return eslintConfig ? JSON.stringify(eslintConfig).includes("sonarjs") : false;
+}
+/** Project configures sonarjs = plugin is a dependency AND a config references it. */
+function projectConfiguresSonarjs(cwd$1) {
+	return dependsOnSonarjs(cwd$1) && configMentionsSonarjs(cwd$1);
+}
+/**
+* How tend should run eslint+sonarjs for a project:
+*  - `default` — no project eslint config → use tend's config (eslint recommended + sonarjs)
+*  - `layer`   — project eslint config without sonarjs → use theirs + sonarjs layered on top
+*  - `defer`   — project eslint config already includes sonarjs → use theirs untouched
+*/
+function eslintMode(cwd$1) {
+	if (!projectHasEslintConfig(cwd$1)) return "default";
+	return projectConfiguresSonarjs(cwd$1) ? "defer" : "layer";
+}
+
+//#endregion
+//#region src/scanners/paths.ts
+/** Make a scanner-reported path repo-relative (POSIX separators); pass relatives through. */
+function toRepoRelative(cwd$1, file) {
+	const rel = isAbsolute(file) ? relative(cwd$1, file) : file;
+	return rel.split("\\").join("/");
+}
+
+//#endregion
+//#region src/scanners/eslint-sonarjs.ts
+/** Map ESLint results (CLI JSON or Node-API LintResult[]) into tend's RawFindings. */
+function mapEslintResults(results, ctx) {
+	const findings = [];
+	for (const result of results) {
+		const file = toRepoRelative(ctx.cwd, result.filePath);
+		for (const msg of result.messages) {
+			if (msg.ruleId === null) continue;
+			findings.push({
+				tool: "sonarjs",
+				rule: msg.ruleId,
+				category: "smell",
+				severity: msg.severity === 2 ? "error" : "warning",
+				file,
+				range: {
+					startLine: msg.line,
+					startCol: msg.column,
+					endLine: msg.endLine ?? msg.line,
+					endCol: msg.endColumn ?? msg.column
+				},
+				message: msg.message
+			});
+		}
+	}
+	return findings;
+}
+/**
+* Group scoped files by their governing eslint config. Each file's config is resolved by walking
+* up from the file's directory (bounded by ctx.cwd) — NOT from ctx.cwd alone — so files in a
+* monorepo package use that package's config even when tend runs from the repo root.
+*/
+function groupByConfig(ctx) {
+	const boundary = resolve(ctx.cwd);
+	const byDir = new Map();
+	for (const file of ctx.files) {
+		const abs = resolve(ctx.cwd, file);
+		const configDir = findEslintConfigDir(dirname(abs), boundary);
+		const key = configDir ?? "";
+		(byDir.get(key) ?? byDir.set(key, []).get(key)).push(abs);
+	}
+	return [...byDir.entries()].map(([key, absFiles]) => {
+		if (key === "") return {
+			configDir: null,
+			mode: "default",
+			cwd: ctx.cwd,
+			targets: absFiles.map((f) => relative(ctx.cwd, f))
+		};
+		return {
+			configDir: key,
+			mode: projectConfiguresSonarjs(key) ? "defer" : "layer",
+			cwd: key,
+			targets: absFiles.map((f) => relative(key, f))
+		};
+	});
+}
+/** Lint one group through the Node API; ESLint returns absolute filePaths regardless of cwd. */
+async function lintGroup(group) {
+	const options = {
+		cwd: group.cwd,
+		errorOnUnmatchedPattern: false
+	};
+	if (group.mode === "default") options.overrideConfigFile = defaultEslintConfigPath();
+	else if (group.mode === "layer") options.overrideConfig = [sonarjs.configs.recommended];
+	const eslint = new ESLint(options);
+	return await eslint.lintFiles(group.targets);
+}
+/**
+* Run eslint+sonarjs via the Node API (eslint is bundled). Resolves the applicable config PER
+* FILE and runs one pass per config group, so monorepo packages are linted under their own
+* config. Three modes per group:
+*  default → tend's config · layer → project config + sonarjs · defer → project config.
+* Output paths stay relative to the original ctx.cwd so finding IDs/filtering are unaffected.
+*/
+async function runEslintSonarjs(ctx) {
+	const groups = ctx.files.length === 0 ? [{
+		configDir: null,
+		mode: eslintMode(ctx.cwd),
+		cwd: ctx.cwd,
+		targets: ["."]
+	}] : groupByConfig(ctx);
+	try {
+		const results = [];
+		for (const group of groups) results.push(...await lintGroup(group));
+		const findings = mapEslintResults(results, ctx).map((r) => normalize(r, ctx.loop));
+		return {
+			tool: "sonarjs",
+			findings,
+			skipped: false
+		};
+	} catch (err$1) {
+		return {
+			tool: "sonarjs",
+			findings: [],
+			skipped: false,
+			error: err$1 instanceof Error ? err$1.message : String(err$1)
+		};
+	}
+}
+
+//#endregion
+//#region src/scanners/gitleaks.ts
+const gitleaksScanner = {
+	tool: "gitleaks",
+	binary: "gitleaks",
+	buildArgs() {
+		return [
+			"git",
+			"--report-format",
+			"json",
+			"--report-path",
+			"/dev/stdout",
+			"--no-banner"
+		];
+	},
+	parse(raw, ctx) {
+		const report = JSON.parse(raw.stdout);
+		return report.map((f) => ({
+			tool: "gitleaks",
+			rule: f.RuleID,
+			category: "secret",
+			severity: "error",
+			file: toRepoRelative(ctx.cwd, f.File),
+			range: {
+				startLine: f.StartLine,
+				startCol: f.StartColumn,
+				endLine: f.EndLine,
+				endCol: f.EndColumn
+			},
+			message: f.Description
+		}));
+	}
+};
+
+//#endregion
+//#region src/scanners/jscpd.ts
+const DEFAULT_JSCPD_IGNORE_PATTERNS = [
+	"**/node_modules/**",
+	"**/.git/**",
+	"**/.next/**",
+	"**/.turbo/**",
+	"**/.vercel/**",
+	"**/coverage/**",
+	"**/dist/**",
+	"**/build/**",
+	"**/out/**",
+	"**/report/**"
+];
+/**
+* Where jscpd's JSON report lives for this loop: a throwaway dir OUTSIDE the repo, so the
+* `--reporters json` file never dirties the user's working tree. Deterministic in (pid, loop)
+* so `buildArgs` (which creates it) and `parse` (which reads it) agree without shared state.
+*/
+function jscpdReportPath(ctx) {
+	const dir = join(tmpdir(), `tend-jscpd-${process.pid}-loop${ctx.loop}`);
+	return {
+		dir,
+		file: join(dir, "jscpd-report.json")
+	};
+}
+/** Turn a parsed jscpd report into duplication findings. Pure — no IO. */
+function mapJscpdReport(report, ctx) {
+	return (report.duplicates ?? []).map((dup) => {
+		const first = dup.firstFile;
+		const second = dup.secondFile;
+		const file = toRepoRelative(ctx.cwd, first.name);
+		const cloneFile = toRepoRelative(ctx.cwd, second.name);
+		return {
+			tool: "jscpd",
+			rule: "duplicate-code",
+			category: "duplication",
+			severity: "warning",
+			file,
+			range: {
+				startLine: first.start,
+				startCol: first.startLoc?.column ?? 0,
+				endLine: first.end,
+				endCol: second.endLoc?.column ?? 0
+			},
+			message: `Duplicated ${dup.lines} lines, also at ${cloneFile}:${second.start}-${second.end}`,
+			flowPath: [{
+				file,
+				line: first.start
+			}, {
+				file: cloneFile,
+				line: second.start
+			}]
+		};
+	});
+}
+const jscpdScanner = {
+	tool: "jscpd",
+	binary: "jscpd",
+	buildArgs(ctx) {
+		const { dir } = jscpdReportPath(ctx);
+		mkdirSync(dir, { recursive: true });
+		return [
+			"--absolute",
+			"--reporters",
+			"json",
+			"--silent",
+			"--output",
+			dir,
+			"--ignore",
+			DEFAULT_JSCPD_IGNORE_PATTERNS.join(","),
+			ctx.cwd
+		];
+	},
+	parse(_raw, ctx) {
+		const { dir, file } = jscpdReportPath(ctx);
+		let json;
+		try {
+			json = readFileSync(file, "utf8");
+		} catch {
+			return [];
+		} finally {
+			rmSync(dir, {
+				recursive: true,
+				force: true
+			});
+		}
+		return mapJscpdReport(JSON.parse(json), ctx);
+	}
+};
+
+//#endregion
+//#region src/scanners/knip.ts
+/** Each knip issue type → (rule name, human label). */
+const ISSUE_TYPES = [
+	{
+		key: "files",
+		rule: "unused-file",
+		label: "Unused file"
+	},
+	{
+		key: "exports",
+		rule: "unused-export",
+		label: "Unused export"
+	},
+	{
+		key: "types",
+		rule: "unused-type",
+		label: "Unused exported type"
+	},
+	{
+		key: "enumMembers",
+		rule: "unused-enum-member",
+		label: "Unused enum member"
+	},
+	{
+		key: "dependencies",
+		rule: "unused-dependency",
+		label: "Unused dependency"
+	},
+	{
+		key: "devDependencies",
+		rule: "unused-dependency",
+		label: "Unused devDependency"
+	},
+	{
+		key: "optionalPeerDependencies",
+		rule: "unused-dependency",
+		label: "Unused optional peer dependency"
+	},
+	{
+		key: "unlisted",
+		rule: "unlisted-dependency",
+		label: "Unlisted dependency"
+	},
+	{
+		key: "unresolved",
+		rule: "unresolved-import",
+		label: "Unresolved import"
+	}
+];
+const knipScanner = {
+	tool: "knip",
+	binary: "knip",
+	buildArgs() {
+		return [
+			"--reporter",
+			"json",
+			"--no-progress"
+		];
+	},
+	parse(raw, ctx) {
+		const report = JSON.parse(raw.stdout);
+		const findings = [];
+		for (const path of report.files ?? []) findings.push({
+			tool: "knip",
+			rule: "unused-file",
+			category: "dead-code",
+			severity: "warning",
+			file: toRepoRelative(ctx.cwd, path),
+			range: {
+				startLine: 0,
+				startCol: 0,
+				endLine: 0,
+				endCol: 0
+			},
+			message: `Unused file: ${path}`
+		});
+		for (const entry of report.issues ?? []) {
+			const file = toRepoRelative(ctx.cwd, entry.file);
+			for (const { key, rule, label } of ISSUE_TYPES) {
+				const items = entry[key];
+				if (!Array.isArray(items)) continue;
+				for (const item of items) {
+					const line = item.line ?? 0;
+					findings.push({
+						tool: "knip",
+						rule,
+						category: "dead-code",
+						severity: "warning",
+						file,
+						range: {
+							startLine: line,
+							startCol: item.col ?? 0,
+							endLine: line,
+							endCol: item.col ?? 0
+						},
+						message: `${label}: ${item.name}`
+					});
+				}
+			}
+		}
+		return findings;
+	}
+};
+
+//#endregion
+//#region src/scanners/osv.ts
+/** First `fixed` version across a vulnerability's affected ranges, if any. */
+function fixedVersion(vuln) {
+	for (const affected of vuln.affected ?? []) for (const range of affected.ranges ?? []) for (const event of range.events ?? []) if (event.fixed) return event.fixed;
+	return void 0;
+}
+const osvScanner = {
+	tool: "osv",
+	binary: "osv-scanner",
+	buildArgs(ctx) {
+		return [
+			"--format",
+			"json",
+			"--recursive",
+			ctx.cwd
+		];
+	},
+	parse(raw, ctx) {
+		const report = JSON.parse(raw.stdout);
+		const findings = [];
+		for (const result of report.results ?? []) {
+			const file = toRepoRelative(ctx.cwd, result.source.path);
+			for (const pkg of result.packages ?? []) {
+				const { name, version } = pkg.package;
+				for (const vuln of pkg.vulnerabilities ?? []) {
+					const fixed = fixedVersion(vuln);
+					const finding = {
+						tool: "osv",
+						rule: vuln.id,
+						category: "vuln-dep",
+						severity: "error",
+						file,
+						range: {
+							startLine: 0,
+							startCol: 0,
+							endLine: 0,
+							endCol: 0
+						},
+						message: vuln.summary ?? `${name}@${version} is vulnerable (${vuln.id})`
+					};
+					if (fixed) finding.remediation = `Bump ${name} from ${version} to ${fixed}`;
+					const ref = vuln.references?.[0]?.url;
+					if (ref) finding.helpUri = ref;
+					findings.push(finding);
+				}
+			}
+		}
+		return findings;
+	}
+};
+
+//#endregion
+//#region src/scanners/semgrep.ts
+const SEVERITY = {
+	ERROR: "error",
+	WARNING: "warning",
+	INFO: "info"
+};
+/** Pull the anchored location out of a taint_source/taint_sink tagged tuple. */
+function locOf(trace) {
+	if (!Array.isArray(trace)) return void 0;
+	const [tag, payload] = trace;
+	if (tag === "CliLoc") return payload[0];
+	if (tag === "CliCall") return payload[0][0];
+	return void 0;
+}
+const semgrepScanner = {
+	tool: "semgrep",
+	binary: "semgrep",
+	buildArgs(ctx) {
+		return [
+			"--json",
+			"--quiet",
+			...ctx.files
+		];
+	},
+	parse(raw, ctx) {
+		const report = JSON.parse(raw.stdout);
+		const rel = (p) => toRepoRelative(ctx.cwd, p);
+		return (report.results ?? []).map((r) => {
+			const finding = {
+				tool: "semgrep",
+				rule: r.check_id,
+				category: "security",
+				severity: SEVERITY[r.extra.severity] ?? "warning",
+				file: rel(r.path),
+				range: {
+					startLine: r.start.line,
+					startCol: r.start.col,
+					endLine: r.end.line,
+					endCol: r.end.col
+				},
+				message: r.extra.message
+			};
+			const ref = r.extra.metadata?.references?.[0];
+			if (ref) finding.helpUri = ref;
+			const trace = r.extra.dataflow_trace;
+			if (trace) {
+				const steps = [];
+				const source = locOf(trace.taint_source);
+				if (source) steps.push({
+					file: rel(source.path),
+					line: source.start.line
+				});
+				for (const v of trace.intermediate_vars ?? []) steps.push({
+					file: rel(v.location.path),
+					line: v.location.start.line
+				});
+				const sink = locOf(trace.taint_sink);
+				if (sink) steps.push({
+					file: rel(sink.path),
+					line: sink.start.line
+				});
+				if (steps.length > 0) finding.flowPath = steps;
+			}
+			return finding;
+		});
+	}
+};
+
+//#endregion
+//#region src/scanners/all.ts
+/** Spawn-based scanners. eslint+sonarjs runs separately via the Node API (see runEslintSonarjs). */
+const SPAWN_SCANNERS = [
+	knipScanner,
+	jscpdScanner,
+	semgrepScanner,
+	osvScanner,
+	gitleaksScanner
+];
+/** Bundled scanners that do not require an external binary on PATH. */
+const BUNDLED_SCANNERS = ["sonarjs"];
+/** External scanner binary names, for the preflight availability hint. */
+const EXTERNAL_SCANNER_BINARIES = SPAWN_SCANNERS.map((scanner) => scanner.binary);
+async function runScanners(deps, files, loop) {
+	const ctx = {
+		cwd: deps.cwd,
+		files,
+		loop
+	};
+	const spawned = await Promise.all(SPAWN_SCANNERS.map((scanner) => runScanner(scanner, ctx, {
+		which: deps.which,
+		spawn: deps.spawn,
+		timeout: deps.timeoutMs
+	})));
+	const eslint = await runEslintSonarjs(ctx);
+	const results = [...spawned, eslint];
+	return {
+		results,
+		scannerStatuses: results.map(scannerStatus)
+	};
+}
+/** Re-scan an explicit file scope and discard findings outside that affected scope. */
+async function scanFiles(deps, files, loop) {
+	const { results, scannerStatuses } = await runScanners(deps, files, loop);
+	const findings = results.flatMap((r) => r.findings);
+	const scoped = files.includes(".") ? findings : filterToChanged(findings, files);
+	const attempted = results.filter((r) => !r.skipped);
+	return {
+		findings: scoped,
+		allScannersMissing: attempted.length === 0,
+		scanned: files.includes(".") ? void 0 : files.length,
+		scannerStatuses
+	};
+}
+/** Assemble the six scanners into an audit function for the orchestrator. */
+function buildAudit(deps) {
+	return async (loop) => {
+		const files = deps.scope ?? ["."];
+		const { results, scannerStatuses } = await runScanners(deps, files, loop);
+		const attempted = results.filter((r) => !r.skipped);
+		const findings = results.flatMap((r) => r.findings);
+		const scanned = deps.scope ? deps.scope.length : void 0;
+		return {
+			findings,
+			allScannersMissing: attempted.length === 0,
+			scanned,
+			scannerStatuses
+		};
+	};
+}
+/** Tools available vs missing, for the preflight install hint. Bundled sonarjs is always available. */
+async function scannerAvailability(which) {
+	const available = [...BUNDLED_SCANNERS];
+	const missing = [];
+	for (const binary of EXTERNAL_SCANNER_BINARIES) if (await which(binary)) available.push(binary);
+	else missing.push(binary);
+	return {
+		available,
+		missing
+	};
+}
+
+//#endregion
+//#region src/scanners/exec.ts
+/** Scanner binary name → the npm package tend bundles for it. */
+const BUNDLED_PACKAGE = {
+	eslint: "eslint",
+	knip: "knip",
+	jscpd: "jscpd"
+};
+/**
+* Resolve a bin script from a package.json at `pkgDir`.
+* When `expectedName` is supplied, skips the directory if the package name does not match —
+* used by resolveBinFrom when walking up from an entry-point to find the owning package root.
+*/
+function binScriptIn(pkgDir, binary, expectedName) {
+	const pkgJson = join(pkgDir, "package.json");
+	if (!existsSync(pkgJson)) return null;
+	try {
+		const json = JSON.parse(readFileSync(pkgJson, "utf8"));
+		if (expectedName && json.name !== expectedName) return null;
+		const rel = typeof json.bin === "string" ? json.bin : json.bin?.[binary];
+		if (!rel) return null;
+		const script = join(pkgDir, rel);
+		return existsSync(script) ? script : null;
+	} catch {
+		return null;
+	}
+}
+/** Find a package's bin script via a given resolver base, robust to `exports` hiding package.json. */
+function resolveBinFrom(base, pkg, binary) {
+	try {
+		const req = createRequire(base);
+		let dir = dirname(req.resolve(pkg));
+		for (let i = 0; i < 8; i++) {
+			const found = binScriptIn(dir, binary, pkg);
+			if (found) return found;
+			const parent = dirname(dir);
+			if (parent === dir) break;
+			dir = parent;
+		}
+	} catch {}
+	return null;
+}
+/** A scanner's bin resolved from tend's own dependencies (always present for bundled tools). */
+function resolveBundledScanner(binary) {
+	const pkg = BUNDLED_PACKAGE[binary];
+	return pkg ? resolveBinFrom(import.meta.url, pkg, binary) : null;
+}
+/**
+* A scanner's bin resolved strictly from the TARGET PROJECT's node_modules (walking up
+* workspace roots), if it ships its own copy. No fallback to cwd/global — so an unrelated
+* install never leaks in. Returns null when the project doesn't have its own copy.
+*/
+function resolveProjectScanner(binary, cwd$1) {
+	const pkg = BUNDLED_PACKAGE[binary];
+	if (!pkg) return null;
+	let dir = cwd$1;
+	for (let i = 0; i < 12; i++) {
+		const found = binScriptIn(join(dir, "node_modules", pkg), binary);
+		if (found) return found;
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return null;
+}
+async function onPath(binary) {
+	const finder = process.platform === "win32" ? "where" : "which";
+	const result = await execa(finder, [binary], { reject: false });
+	return result.exitCode === 0;
+}
+/** Available if tend bundles it, or it's on PATH. */
+const realWhich = async (binary) => {
+	if (resolveBundledScanner(binary)) return true;
+	return onPath(binary);
+};
+/**
+* Run a scanner. For the npm-based tools, prefer the PROJECT's own installed version (respects
+* their pinned version + config), falling back to tend's bundled copy; run either via node.
+* Native tools fall back to the PATH binary. Never rejects on non-zero exit.
+*/
+const realSpawn = async (binary, args, opts) => {
+	const resolved = resolveProjectScanner(binary, opts.cwd) ?? resolveBundledScanner(binary);
+	const [cmd, cmdArgs] = resolved ? [process.execPath, [resolved, ...args]] : [binary, args];
+	const result = await execa(cmd, cmdArgs, {
+		cwd: opts.cwd,
+		timeout: opts.timeout,
+		reject: false,
+		all: false
+	});
+	if (result.timedOut) throw new Error(`${binary} timed out after ${opts.timeout}ms`);
+	return {
+		stdout: typeof result.stdout === "string" ? result.stdout : "",
+		stderr: typeof result.stderr === "string" ? result.stderr : "",
+		exitCode: result.exitCode ?? 0
+	};
+};
+
+//#endregion
+//#region src/detect/test-runner.ts
+const CONFIG_GLOBS = {
+	vitest: [
+		"vitest.config.ts",
+		"vitest.config.js",
+		"vitest.config.mjs",
+		"vitest.config.mts"
+	],
+	jest: [
+		"jest.config.ts",
+		"jest.config.js",
+		"jest.config.mjs",
+		"jest.config.cjs",
+		"jest.config.json"
+	]
+};
+function dependsOn(cwd$1, pkg) {
+	const pkgJsonPath = join(cwd$1, "package.json");
+	if (!existsSync(pkgJsonPath)) return false;
+	try {
+		const json = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
+		return Boolean(json.dependencies?.[pkg] ?? json.devDependencies?.[pkg]);
+	} catch {
+		return false;
+	}
+}
+const hasConfig = (cwd$1, runner) => CONFIG_GLOBS[runner].some((f) => existsSync(join(cwd$1, f)));
+/** cwd and each ancestor directory up to (and including) the filesystem root. */
+function ancestors(cwd$1) {
+	const dirs = [];
+	for (let dir = cwd$1;; dir = dirname(dir)) {
+		dirs.push(dir);
+		if (dirname(dir) === dir) return dirs;
+	}
+}
+/**
+* Detect the test runner from config files + package.json deps; `undefined` if none.
+* Walks up the directory tree so it still resolves when run from a nested directory
+* inside a workspace (the config/deps usually live at the package root, not the cwd).
+*/
+function detectTestRunner(cwd$1) {
+	for (const dir of ancestors(cwd$1)) for (const runner of ["vitest", "jest"]) if (hasConfig(dir, runner) || dependsOn(dir, runner)) return runner;
+	return void 0;
+}
+
+//#endregion
+//#region src/detect/typescript.ts
+/** TS mode when a tsconfig is present; otherwise JS mode. */
+function detectTypeScript(cwd$1) {
+	return existsSync(join(cwd$1, "tsconfig.json"));
+}
+
+//#endregion
+//#region src/detect/project-root.ts
+const PACKAGE_JSON = "package.json";
+const PROJECT_ROOT_MARKERS = [
+	"tsconfig.json",
+	"vitest.config.ts",
+	"vitest.config.js",
+	"vitest.config.mjs",
+	"vitest.config.mts",
+	"jest.config.ts",
+	"jest.config.js",
+	"jest.config.mjs",
+	"jest.config.cjs",
+	"jest.config.json",
+	"eslint.config.js",
+	"eslint.config.mjs",
+	"eslint.config.cjs",
+	"eslint.config.ts",
+	"eslint.config.mts",
+	"eslint.config.cts"
+];
+/**
+* Nearest directory at or above `from` (bounded by `stopAt`, inclusive) that holds any of
+* `markers`. Returns `null` when none is found before reaching `stopAt` or the filesystem
+* root — never walks above `stopAt` (the repo root we were invoked from).
+*/
+function nearestWithMarker(from, stopAt, markers) {
+	for (let dir = from;; dir = dirname(dir)) {
+		if (markers.some((m) => existsSync(join(dir, m)))) return dir;
+		if (dir === stopAt) return null;
+		const parent = dirname(dir);
+		if (parent === dir) return null;
+	}
+}
+/**
+* The package/project root owning `from`: the nearest ancestor with a package.json, or —
+* only when none exists up to `stopAt` — the nearest ancestor carrying a tsconfig/test/lint
+* config. `null` when neither is found.
+*/
+function nearestOwnerRoot(from, stopAt) {
+	return nearestWithMarker(from, stopAt, [PACKAGE_JSON]) ?? nearestWithMarker(from, stopAt, PROJECT_ROOT_MARKERS);
+}
+/** Deepest directory that is an ancestor of every path in `absDirs` (all absolute). */
+function commonAncestorDir(absDirs) {
+	let parts = absDirs[0].split(sep);
+	for (const dir of absDirs.slice(1)) {
+		const other = dir.split(sep);
+		let i = 0;
+		while (i < parts.length && i < other.length && parts[i] === other[i]) i++;
+		parts = parts.slice(0, i);
+	}
+	return parts.join(sep) || sep;
+}
+/**
+* Resolve the package root that owns the scoped files, for stack detection and gate
+* execution. Takes the common ancestor directory of the scoped files and walks up from
+* there to the nearest package/project root (a package.json, or failing that a
+* tsconfig/test/lint config), bounded by `cwd` (the repo root tend was invoked from).
+*
+* Using the common ancestor — rather than resolving each file independently — means
+* nested packages *below* the scope (e.g. test fixtures with their own package.json under
+* `packages/tend/test/fixtures/`) don't fragment the result: a `tend run packages/tend`
+* still resolves to `packages/tend`. A scope that genuinely straddles sibling packages
+* has a common ancestor above any one package, so it falls back to `cwd` — the
+* conservative repo-root behavior. Empty scope also falls back to `cwd`.
+*
+* `files` must be concrete repo-relative paths (not `.`); callers pass `cwd` directly
+* for whole-repo runs rather than routing through here.
+*/
+function resolveOwnerRoot(cwd$1, files) {
+	if (files.length === 0) return cwd$1;
+	const dirs = files.map((file) => dirname(resolve(cwd$1, file)));
+	return nearestOwnerRoot(commonAncestorDir(dirs), cwd$1) ?? cwd$1;
+}
+/**
+* Re-base repo-relative file paths onto `ownerRoot` so a test runner invoked with its
+* cwd set to the owning package receives paths it can resolve. Identity when the owner
+* root is the repo root (`cwd`), so whole-repo and single-package-at-root runs are
+* unchanged.
+*/
+function toOwnerRelative(files, cwd$1, ownerRoot) {
+	if (ownerRoot === cwd$1) return files;
+	return files.map((file) => relative(ownerRoot, resolve(cwd$1, file)) || ".");
+}
+
+//#endregion
+//#region src/gate/check.ts
+const pass = () => ({ ok: true });
+const reject = (reason, detail) => ({
+	ok: false,
+	reason,
+	detail
+});
+
+//#endregion
+//#region src/gate/checks/anti-regression.ts
+/**
+* Reject if the fix introduced any finding that wasn't present before — no lateral
+* moves. A fix must strictly reduce findings; trading one issue for another is what
+* would let the loop oscillate instead of converge.
+*/
+function antiRegression(before, after) {
+	const knownIds = new Set(before.map((f) => f.id));
+	const introduced = after.filter((f) => !knownIds.has(f.id));
+	if (introduced.length > 0) {
+		const detail = introduced.map((f) => `${f.file}:${f.range.startLine} ${f.rule}`).join(", ");
+		return reject("regression", `Fix introduced new finding(s): ${detail}`);
+	}
+	return pass();
+}
+
+//#endregion
+//#region src/gate/checks/anti-suppression.ts
+const SUPPRESSION_PATTERNS = [
+	{
+		re: /eslint-disable/,
+		what: "eslint-disable"
+	},
+	{
+		re: /@ts-ignore/,
+		what: "@ts-ignore"
+	},
+	{
+		re: /@ts-nocheck/,
+		what: "@ts-nocheck"
+	},
+	{
+		re: /\bas\s+any\b/,
+		what: "cast to any"
+	},
+	{
+		re: /:\s*any\b/,
+		what: "any type annotation"
+	},
+	{
+		re: /<any>/,
+		what: "cast to any"
+	}
+];
+function splitDiff(diff) {
+	const added = [];
+	const removed = [];
+	for (const line of diff.split("\n")) {
+		if (line.startsWith("+++") || line.startsWith("---")) continue;
+		if (line.startsWith("+")) added.push(line.slice(1));
+		else if (line.startsWith("-")) removed.push(line.slice(1));
+	}
+	return {
+		added,
+		removed
+	};
+}
+const nonBlank = (lines) => lines.filter((l) => l.trim().length > 0);
+/**
+* Reject a change-set that cheats the scanner rather than fixing the code:
+* newly-added suppression comments / any-casts, or code deleted instead of fixed.
+* Only NEW (added) lines are inspected — pre-existing suppressions in context are ignored.
+*/
+function antiSuppression(diff) {
+	const { added, removed } = splitDiff(diff);
+	for (const line of added) for (const { re, what } of SUPPRESSION_PATTERNS) if (re.test(line)) return reject("suppression", `Fix added ${what}`);
+	if (nonBlank(removed).length > 0 && nonBlank(added).length === 0) return reject("suppression", "Code was deleted instead of fixed");
+	return pass();
+}
+
+//#endregion
+//#region src/gate/checks/typecheck.ts
+/** Reject a fix that breaks `tsc --noEmit`. Skipped (pass) when there's no tsconfig. */
+async function typecheck(deps) {
+	if (!await deps.hasTsconfig()) return pass();
+	const { exitCode, output } = await deps.runTsc();
+	if (exitCode === 0) return pass();
+	return reject("typecheck", output.trim() || "tsc --noEmit failed");
+}
+
+//#endregion
+//#region src/gate/checks/tests.ts
+/** Baseline-green tests that are red now. */
+function regressions(baseline, outcomes) {
+	return outcomes.filter((o) => o.status === "fail" && baseline.has(o.name));
+}
+/**
+* Apply→test→repair flow. A red previously-green test opens a bounded repair window
+* rather than an instant revert; exhausting it without going green is a reject.
+*/
+async function runTestPhase(deps) {
+	if (deps.hasTestRunner === false) return {
+		ok: true,
+		warning: "No test suite detected — behavior can't be verified"
+	};
+	let regressed = regressions(deps.baseline, await deps.runRelated());
+	if (regressed.length === 0) return pass();
+	for (let attempt = 1; attempt <= deps.maxRepairs; attempt++) {
+		await deps.repair(attempt);
+		regressed = regressions(deps.baseline, await deps.runRelated());
+		if (regressed.length === 0) return pass();
+	}
+	const names = regressed.map((o) => o.name).join(", ");
+	return reject("broke-test", `Fix left previously-green test(s) red: ${names}`);
+}
+
+//#endregion
+//#region src/fixing/fix-unit.ts
+/** Render the fix prompt for a unit's findings. */
+function renderPrompt(unit) {
+	const lines = unit.findings.map((f) => `- ${f.file}:${f.range.startLine} [${f.tool}/${f.rule}] ${f.message}`);
+	return [
+		`Fix the following findings in ${unit.file} (and its sibling test only).`,
+		"Fix the underlying issue — never suppress, cast to any, or delete code to silence a scanner.",
+		"Emit the full corrected file contents with the Write tool.",
+		"",
+		"Findings:",
+		...lines
+	].join("\n");
+}
+/** Build a minimal unified diff from captured before/after contents. */
+function buildDiff(before, after) {
+	const out$1 = [];
+	for (const [path, afterContent] of after) {
+		const beforeLines = (before.get(path) ?? "").split("\n");
+		const afterLines = (afterContent ?? "").split("\n");
+		for (const l of beforeLines) if (!afterLines.includes(l)) out$1.push(`-${l}`);
+		for (const l of afterLines) if (!beforeLines.includes(l)) out$1.push(`+${l}`);
+	}
+	return out$1.join("\n");
+}
+/** A file's current contents, or null if it doesn't exist. */
+const snapshotFile = (abs) => existsSync(abs) ? readFileSync(abs, "utf8") : null;
+/**
+* Production fix worker. The session edits files directly on disk (`claude -p
+* --allowedTools Read,Write,Edit`), so the **disk is the source of truth** — we
+* snapshot the unit's files before the session and judge by what actually changed,
+* never by the session's stream-json (which can under-report or read as errored even
+* when a file was written). What changed runs the gate (anti-suppression · typecheck ·
+* tests with a bounded repair window · anti-regression re-scan); any gate failure or
+* session error reverts the files to the snapshot. Nothing changed → not a fix.
+*/
+function makeFixUnit(deps) {
+	return async (unit) => {
+		const abs = (f) => join(deps.cwd, f);
+		const before = new Map(unit.files.map((f) => [f, snapshotFile(abs(f))]));
+		const restore = () => {
+			for (const [f, original] of before) {
+				const p = abs(f);
+				if (original === null) {
+					if (existsSync(p)) rmSync(p, { force: true });
+				} else writeFileSync(p, original);
+			}
+		};
+		const diskNow = () => new Map(unit.files.map((f) => [f, snapshotFile(abs(f))]));
+		const changedOnDisk = () => unit.files.some((f) => snapshotFile(abs(f)) !== before.get(f));
+		let usage = zeroUsage();
+		const res = await deps.session.run({
+			file: unit.file,
+			findings: unit.findings,
+			prompt: renderPrompt(unit)
+		});
+		if (res.usage) usage = addUsage(usage, res.usage);
+		if (!changedOnDisk()) return {
+			kept: false,
+			reason: "session-error",
+			usage
+		};
+		if (!res.ok) {
+			restore();
+			return {
+				kept: false,
+				reason: "session-error",
+				usage
+			};
+		}
+		const supp = antiSuppression(buildDiff(before, diskNow()));
+		if (!supp.ok) {
+			restore();
+			return {
+				kept: false,
+				reason: supp.reason,
+				usage
+			};
+		}
+		const tc = await typecheck({
+			hasTsconfig: () => deps.typescript,
+			runTsc: deps.runTsc
+		});
+		if (!tc.ok) {
+			restore();
+			return {
+				kept: false,
+				reason: tc.reason,
+				usage
+			};
+		}
+		const phase = await runTestPhase({
+			baseline: deps.baseline,
+			runRelated: () => deps.runRelated(unit.files),
+			repair: async () => {
+				const repair = await deps.session.run({
+					file: unit.file,
+					findings: unit.findings,
+					prompt: `${renderPrompt(unit)}\n\nThe previous edit left a test red — diagnose and fix.`
+				});
+				if (repair.usage) usage = addUsage(usage, repair.usage);
+			},
+			maxRepairs: deps.maxRepairs,
+			hasTestRunner: deps.hasTestRunner
+		});
+		if (!phase.ok) {
+			restore();
+			return {
+				kept: false,
+				reason: phase.reason,
+				usage
+			};
+		}
+		const afterFindings = await deps.scanFindings(unit.files);
+		const regression = antiRegression(unit.findings, afterFindings);
+		if (!regression.ok) {
+			restore();
+			return {
+				kept: false,
+				reason: regression.reason,
+				usage
+			};
+		}
+		return {
+			kept: true,
+			usage
+		};
+	};
+}
+
+//#endregion
+//#region src/output/env.ts
+/** Truthy in the env-var sense: present and not an explicit off value. */
+function flagOn(value) {
+	return value !== void 0 && value !== "" && value !== "0" && value !== "false";
+}
+function isCI(env) {
+	return flagOn(env.CI) || flagOn(env.CONTINUOUS_INTEGRATION) || env.GITHUB_ACTIONS !== void 0;
+}
+function unicodeSupported(env, platform) {
+	if (platform !== "win32") return true;
+	return Boolean(env.WT_SESSION) || env.TERM_PROGRAM === "vscode" || env.TERM === "xterm-256color";
+}
+/**
+* Resolve color + interactivity from the environment and flags.
+*
+* Color is disabled when stdout is not a TTY, NO_COLOR is set, TERM=dumb, --no-color,
+* TEND_NO_COLOR, or --plain. FORCE_COLOR re-enables it for a non-TTY (but never overrides
+* an explicit opt-out). Interactivity additionally requires not being in CI.
+*/
+function detectOutputEnv(input = {}) {
+	const env = input.env ?? {};
+	const platform = input.platform ?? "linux";
+	const isTTY = Boolean(input.stream?.isTTY);
+	const explicitlyOff = input.noColor === true || input.plain === true || "NO_COLOR" in env || flagOn(env.TEND_NO_COLOR) || env.TERM === "dumb";
+	const forced = !explicitlyOff && flagOn(env.FORCE_COLOR);
+	const color = !explicitlyOff && (isTTY || forced);
+	const interactive = isTTY && !input.plain && env.TERM !== "dumb" && !isCI(env);
+	return {
+		color,
+		interactive,
+		unicode: unicodeSupported(env, platform)
+	};
+}
+
+//#endregion
+//#region src/output/base-reporter.ts
+var BaseReporter = class {
+	theme;
+	write;
+	constructor(deps) {
+		this.theme = deps.theme;
+		this.write = deps.write;
+	}
+	start() {
+		this.write(this.theme.wordmark());
+	}
+	note(line) {
+		this.write(this.theme.dim(line));
+	}
+};
+
+//#endregion
+//#region src/output/live-reporter.ts
+/** A one-shot value channel: take() resolves now if buffered, else when the next push lands. */
+var Channel = class {
+	buffer = [];
+	waiters = [];
+	push(value) {
+		const waiter = this.waiters.shift();
+		if (waiter) waiter(value);
+		else this.buffer.push(value);
+	}
+	take() {
+		if (this.buffer.length > 0) return Promise.resolve(this.buffer.shift());
+		return new Promise((resolve$1) => this.waiters.push(resolve$1));
+	}
+};
+const CLOSED = Symbol("closed");
+/**
+* The live TTY view. Scanning shows a spinner with elapsed time; fixing shows one compact
+* redrawing listr2 progress row with X-of-Y · running · queued · outcome counts.
+*
+* Events arrive synchronously on the bus while the orchestrator runs; this reporter buffers
+* them into channels and drives a sequence of listr instances (scan → fix → scan → …) from
+* `run()`, which the caller awaits concurrently with the orchestration.
+*/
+var LiveReporter = class extends BaseReporter {
+	env;
+	scanStarts = new Channel();
+	audits = new Channel();
+	phases = new Channel();
+	fixTicks = new Channel();
+	closed = false;
+	resolveClosed;
+	closedSignal = new Promise((resolve$1) => {
+		this.resolveClosed = () => resolve$1(CLOSED);
+	});
+	fixTotal = 0;
+	started = 0;
+	finished = 0;
+	fixed = 0;
+	reverted = 0;
+	left = 0;
+	currentLoop = 0;
+	currentFile;
+	currentConcurrency;
+	rules = new Map();
+	header;
+	labelWidth = 0;
+	constructor(deps) {
+		super(deps);
+		this.env = deps.env;
+	}
+	onEvent(event) {
+		switch (event.type) {
+			case "audit":
+				this.audits.push({
+					loop: event.loop,
+					findings: event.findings,
+					files: event.files,
+					scanned: event.scanned
+				});
+				break;
+			case "loop-start":
+				this.currentLoop = event.loop;
+				this.fixTotal = event.files.length;
+				this.started = 0;
+				this.finished = 0;
+				this.fixed = 0;
+				this.reverted = 0;
+				this.left = 0;
+				this.currentFile = void 0;
+				this.currentConcurrency = event.concurrency;
+				this.rules.clear();
+				this.labelWidth = Math.max(0, ...event.files.map((f) => basename(f).length));
+				this.phases.push({
+					kind: "fix",
+					info: {
+						loop: event.loop,
+						files: event.files,
+						concurrency: event.concurrency
+					}
+				});
+				break;
+			case "file-start":
+				this.started += 1;
+				this.currentFile = event.file;
+				if (event.rule) this.rules.set(event.file, event.rule);
+				this.refreshHeader();
+				break;
+			case "file-result":
+				this.finished += 1;
+				if (event.outcome === "fixed") this.fixed += 1;
+				else if (event.outcome === "reverted") this.reverted += 1;
+				else this.left += 1;
+				this.currentFile = void 0;
+				this.refreshHeader();
+				this.fixTicks.push();
+				break;
+			case "done":
+				this.phases.push({ kind: "done" });
+				break;
+			case "scan-start":
+				this.scanStarts.push(event.loop);
+				break;
+			case "snapshot":
+			case "detected":
+			case "loop-complete": break;
+		}
+	}
+	close() {
+		if (this.closed) return;
+		this.closed = true;
+		this.phases.push({ kind: "done" });
+		this.resolveClosed();
+	}
+	async run() {
+		while (!this.closed) {
+			const stillRunning = await this.scanPhase();
+			if (!stillRunning) break;
+			const phase = await this.race(this.phases.take());
+			if (phase === CLOSED || phase.kind === "done") break;
+			await this.fixPhase(phase.info);
+		}
+	}
+	/** Race a promise against close() so the view can wind down even mid-wait. */
+	race(promise) {
+		return Promise.race([promise, this.closedSignal]);
+	}
+	/** Spinner + elapsed until the next audit lands. Returns false if we were closed first. */
+	async scanPhase() {
+		let live = true;
+		const list = new Listr([{
+			title: this.theme.dim("scanning…"),
+			task: async (_ctx, task) => {
+				const loop = await this.race(this.scanStarts.take());
+				if (loop === CLOSED) {
+					live = false;
+					return;
+				}
+				task.title = this.scanTitle(loop);
+				const audit = await this.race(this.audits.take());
+				if (audit === CLOSED) {
+					live = false;
+					return;
+				}
+				task.title = this.scannedTitle(audit);
+			}
+		}], this.listrOptions());
+		await list.run();
+		return live;
+	}
+	/** The redrawing progress row for one fix loop. Counters are reset by loop-start. */
+	async fixPhase(info) {
+		const list = new Listr([{
+			title: this.headerTitle(),
+			task: async (_ctx, task) => {
+				this.header = task;
+				this.currentLoop = info.loop;
+				this.currentConcurrency = info.concurrency;
+				task.title = this.headerTitle();
+				while (this.finished < this.fixTotal) {
+					const tick = await this.race(this.fixTicks.take());
+					if (tick === CLOSED) return;
+					task.title = this.headerTitle();
+				}
+			}
+		}], this.listrOptions());
+		await list.run();
+		this.header = void 0;
+	}
+	listrOptions() {
+		const accent = this.theme.accent;
+		const icon = {
+			[ListrDefaultRendererLogLevels.COMPLETED]: this.theme.fixed(this.theme.glyph.fixed),
+			[ListrDefaultRendererLogLevels.FAILED]: this.theme.reverted(this.theme.glyph.reverted)
+		};
+		const color = { [ListrDefaultRendererLogLevels.PENDING]: (message) => accent(message ?? "") };
+		const timer = {
+			field: (duration) => formatClock(duration),
+			format: () => (message) => this.theme.dim(message ?? "")
+		};
+		return {
+			concurrent: false,
+			exitOnError: false,
+			registerSignalListeners: false,
+			rendererOptions: {
+				collapseSubtasks: true,
+				lazy: !this.env.interactive,
+				showErrorMessage: false,
+				timer,
+				icon,
+				color
+			}
+		};
+	}
+	scannedTitle(a) {
+		const scope = a.scanned != null ? `${a.scanned} files eligible for fixes` : "whole repo";
+		const label = a.loop === 1 ? "initial audit" : `re-audit after fix pass ${a.loop - 1}`;
+		const meta = this.theme.dim(`${label}: fix scope ${scope} ${this.theme.glyph.bullet} in-scope findings ${a.findings} across ${a.files} files`);
+		return meta;
+	}
+	scanTitle(loop) {
+		return this.theme.dim(loop === 1 ? "initial audit: scanning…" : `re-audit after fix pass ${loop - 1}: scanning…`);
+	}
+	headerTitle() {
+		const running = Math.max(0, this.started - this.finished);
+		const queued = Math.max(0, this.fixTotal - this.started);
+		const bullet = this.theme.glyph.bullet;
+		const outcomes = `${this.fixed} fixed ${bullet} ${this.reverted} reverted ${bullet} ${this.left} left`;
+		const parallel = this.currentConcurrency ? `${bullet} ${this.currentConcurrency} concurrent ` : "";
+		const current = this.currentFile ? `${bullet} ${this.fileTitle(this.currentFile)}` : "";
+		const detail = `${bullet} ${running} running ${bullet} ${queued} queued ${bullet} ${outcomes} ${parallel}${current}`;
+		return `fix pass ${this.currentLoop} ${this.finished}/${this.fixTotal} ${this.theme.dim(detail)}`;
+	}
+	refreshHeader() {
+		if (this.header) this.header.title = this.headerTitle();
+	}
+	fileLabel(file) {
+		return basename(file).padEnd(this.labelWidth);
+	}
+	fileTitle(file) {
+		const rule = this.rules.get(file);
+		const suffix = rule ? `  ${this.theme.dim(rule)}` : "";
+		return `${this.fileLabel(file)}${suffix}`;
+	}
+};
+
+//#endregion
+//#region src/output/plain-reporter.ts
+/**
+* The non-TTY / CI / piped / `--plain` view: one line per meaningful event, no spinners, no
+* redraw, no color (the theme is already colorless in this mode). Deterministic and easy to
+* grep or pipe into another tool. The final summary is rendered separately by the caller.
+*/
+var PlainReporter = class extends BaseReporter {
+	constructor(deps) {
+		super(deps);
+	}
+	onEvent(event) {
+		const { glyph } = this.theme;
+		switch (event.type) {
+			case "scan-start":
+				this.write(event.loop === 1 ? "initial audit: scanning…" : `re-audit after fix pass ${event.loop - 1}: scanning…`);
+				break;
+			case "audit": {
+				const scope = event.scanned != null ? `${event.scanned} files eligible for fixes` : "whole repo";
+				const phase = event.loop === 1 ? "initial audit" : `re-audit after fix pass ${event.loop - 1}`;
+				this.write(`${glyph.scanned} ${phase}: fix scope ${scope} ${glyph.bullet} in-scope findings ${event.findings} across ${event.files} files`);
+				break;
+			}
+			case "loop-start":
+				this.write(`fix pass ${event.loop} ${glyph.bullet} ${event.files.length} files ${glyph.bullet} ${event.concurrency} concurrent`);
+				break;
+			case "file-result":
+				if (event.outcome === "fixed") this.write(`${glyph.fixed} fixed ${event.file}`);
+				else if (event.outcome === "reverted") this.write(`${glyph.reverted} reverted ${event.file} — ${reasonLabel(event.reason)}`);
+				else this.write(`${glyph.left} left ${event.file}`);
+				break;
+			case "snapshot":
+			case "detected":
+			case "file-start":
+			case "loop-complete":
+			case "done": break;
+		}
+	}
+	run() {
+		return Promise.resolve();
+	}
+	close() {}
+};
+
+//#endregion
+//#region src/output/reporter.ts
+/** Pick the reporter that fits the environment. */
+function createReporter(deps) {
+	return deps.env.interactive ? new LiveReporter(deps) : new PlainReporter(deps);
+}
+
+//#endregion
+//#region src/bin.ts
+const cwd = process.cwd();
+const TEND_DIR = join(cwd, ".tend");
+const SNAPSHOT_PATH = join(TEND_DIR, "snapshot.json");
+const REPORT_PATH = join(TEND_DIR, "report.json");
+const CLAUDE_TIMEOUT_MS = 10 * 6e4;
+const TSC_TIMEOUT_MS = 5 * 6e4;
+const TEST_TIMEOUT_MS = 5 * 6e4;
+const out = (s) => process.stdout.write(`${s}\n`);
+const err = (s) => process.stderr.write(`${s}\n`);
+const plural = (n, one) => `${n} ${n === 1 ? one : one + "s"}`;
+function persist(path, value) {
+	mkdirSync(TEND_DIR, { recursive: true });
+	writeFileSync(path, JSON.stringify(value, null, 2));
+}
+function loadJson(path) {
+	return JSON.parse(readFileSync(path, "utf8"));
+}
+function loadReport() {
+	if (!existsSync(REPORT_PATH)) throw new Error("No .tend/report.json found. Run `tend run` first.");
+	return ReportSchema.parse(loadJson(REPORT_PATH));
+}
+/**
+* Run the detected test runner over the given files and parse pass/fail per test.
+* `files` are repo-relative; `root` is the package that owns them (the cwd the runner
+* executes in). Files are re-based onto `root` so `vitest related` / `jest
+* --findRelatedTests` resolve them inside the owning package, not the repo root.
+*/
+async function runTests(runner, files, root) {
+	const targets = toOwnerRelative(files, cwd, root);
+	const args = runner === "vitest" ? [
+		"vitest",
+		"related",
+		...targets,
+		"--run",
+		"--reporter=json"
+	] : [
+		"jest",
+		"--findRelatedTests",
+		...targets,
+		"--json"
+	];
+	const res = await execa("npx", args, {
+		cwd: root,
+		reject: false,
+		timeout: TEST_TIMEOUT_MS
+	});
+	try {
+		const json = JSON.parse(res.stdout);
+		const outcomes = [];
+		for (const file of json.testResults ?? []) for (const a of file.assertionResults ?? []) outcomes.push({
+			name: a.fullName ?? a.title ?? "",
+			status: a.status === "passed" ? "pass" : "fail"
+		});
+		return outcomes;
+	} catch {
+		return [];
+	}
+}
+async function makeProductionFixUnit(config, baselineTargets, ownerRoot = cwd) {
+	const typescript = detectTypeScript(ownerRoot);
+	const runner = detectTestRunner(ownerRoot) ?? null;
+	const baseline = new Set(runner && baselineTargets.length > 0 ? (await runTests(runner, baselineTargets, ownerRoot)).filter((t) => t.status === "pass").map((t) => t.name) : []);
+	const session = new ClaudeSession({ spawn: async (req) => {
+		const r = await execa("claude", [
+			"-p",
+			req.prompt,
+			"--model",
+			config.model,
+			...config.effort ? ["--effort", config.effort] : [],
+			"--output-format",
+			"stream-json",
+			"--verbose",
+			"--allowedTools",
+			"Read,Write,Edit"
+		], {
+			cwd,
+			reject: false,
+			timeout: CLAUDE_TIMEOUT_MS
+		});
+		const exitCode = r.exitCode ?? (r.failed ? 1 : 0);
+		return {
+			stdout: typeof r.stdout === "string" ? r.stdout : "",
+			exitCode
+		};
+	} });
+	return {
+		typescript,
+		runner,
+		fixUnit: makeFixUnit({
+			cwd,
+			session,
+			typescript,
+			runTsc: async () => {
+				const r = await execa("npx", ["tsc", "--noEmit"], {
+					cwd: ownerRoot,
+					reject: false,
+					timeout: TSC_TIMEOUT_MS
+				});
+				return {
+					exitCode: r.exitCode ?? 1,
+					output: `${r.stdout}\n${r.stderr}`
+				};
+			},
+			hasTestRunner: Boolean(runner),
+			runRelated: (files) => runner ? runTests(runner, files, ownerRoot) : Promise.resolve([]),
+			scanFindings: async (files) => (await scanFiles({
+				cwd,
+				which: realWhich,
+				spawn: realSpawn,
+				timeoutMs: 12e4
+			}, files, 0)).findings,
+			baseline,
+			maxRepairs: 3
+		})
+	};
+}
+function describeScopeNote(all, paths, scope) {
+	if (all) return "whole repo";
+	if (paths.length > 0) return `${plural(scope?.length ?? 0, "file")} under ${paths.join(", ")}`;
+	return `${plural(scope?.length ?? 0, "changed file")}`;
+}
+async function runRun(opts) {
+	const env = detectOutputEnv({
+		stream: process.stdout,
+		env: process.env,
+		plain: opts.plain,
+		noColor: opts.color === false
+	});
+	const theme = makeTheme(env);
+	const reporter = createReporter({
+		env,
+		theme,
+		write: out
+	});
+	reporter.start();
+	const git = createGit(cwd);
+	await assertGitRepo(git);
+	if (opts.effort && !EFFORT_LEVELS.includes(opts.effort)) {
+		err(`✖ invalid --effort "${opts.effort}" (expected: ${EFFORT_LEVELS.join(" | ")})`);
+		process.exitCode = 1;
+		return;
+	}
+	const config = applyCliOverrides(await loadConfig(cwd), {
+		maxLoops: opts.maxLoops,
+		maxSessions: opts.maxSessions,
+		model: opts.model,
+		effort: opts.effort,
+		includeTests: opts.includeTests
+	});
+	const snapshot = await Snapshot.capture(git, cwd);
+	persist(SNAPSHOT_PATH, snapshot.toJSON());
+	reporter.note("snapshot saved · undo: tend undo");
+	const modelLabel = config.effort ? `${config.model} (effort ${config.effort})` : config.model;
+	const { available, missing } = await scannerAvailability(realWhich);
+	if (available.length === 0) {
+		err(`No scanners found. Install at least one of: ${missing.join(", ")}`);
+		process.exitCode = 1;
+		return;
+	}
+	if (missing.length > 0) reporter.note(`skipping missing external scanners: ${missing.join(", ")}`);
+	const paths = opts.paths ?? [];
+	let scope;
+	if (opts.all) scope = null;
+	else if (paths.length > 0) {
+		scope = await filesUnder(git, paths);
+		if (scope.length === 0) {
+			err(`✖ no files under ${paths.join(", ")}`);
+			process.exitCode = 1;
+			return;
+		}
+	} else scope = await changedVsHead(git);
+	const baselineTargets = scope ?? ["."];
+	const ownerRoot = scope ? resolveOwnerRoot(cwd, scope) : cwd;
+	const { fixUnit, runner, typescript } = await makeProductionFixUnit(config, baselineTargets, ownerRoot);
+	const pm = detectPackageManager(cwd);
+	reporter.note(`${pm} · ${typescript ? "TypeScript" : "JavaScript"} · ${runner ?? "no test runner"} · ${modelLabel}`);
+	const scopeNote = describeScopeNote(opts.all, paths, scope);
+	reporter.note(`${scopeNote} · ${plural(available.length, "scanner")}`);
+	const bus = new EventBus();
+	bus.on((e) => reporter.onEvent(e));
+	const start = Date.now();
+	const drawing = reporter.run();
+	let result;
+	try {
+		result = await orchestrate({
+			audit: buildAudit({
+				cwd,
+				which: realWhich,
+				spawn: realSpawn,
+				scope,
+				timeoutMs: 12e4
+			}),
+			fixUnit,
+			config,
+			inScope: scope ? (fs) => filterToChanged(fs, scope) : void 0,
+			bus
+		});
+	} finally {
+		reporter.close();
+	}
+	await drawing;
+	const durationMs = Date.now() - start;
+	const builder = new ReportBuilder();
+	builder.recordOutcomes(result.findings);
+	builder.recordScannerStatuses(result.scannerStatuses);
+	const report = builder.build({
+		loops: result.loops,
+		durationMs,
+		exitStatus: result.exitStatus,
+		aiUsage: result.usage
+	});
+	persist(REPORT_PATH, report);
+	out("");
+	out(renderSummary(report, {
+		theme,
+		verbose: opts.verbose,
+		plain: Boolean(opts.plain) || !env.interactive
+	}));
+	process.exitCode = result.exitStatus;
+}
+async function runRetry(id) {
+	const git = createGit(cwd);
+	await assertGitRepo(git);
+	const report = loadReport();
+	const target = resolveRetryTarget(id, report.findings);
+	if ("error" in target) {
+		err(`✖ ${target.error}`);
+		process.exitCode = 1;
+		return;
+	}
+	const config = await loadConfig(cwd);
+	let snapshotSaved = false;
+	const result = await retryCommand(id, {
+		report,
+		baseBudget: config.perIssueBudget,
+		runFix: async (finding) => {
+			const unit = planWork([finding])[0];
+			if (!unit) return {
+				kept: false,
+				reason: "session-error"
+			};
+			if (!snapshotSaved) {
+				const snapshot = await Snapshot.capture(git, cwd);
+				persist(SNAPSHOT_PATH, snapshot.toJSON());
+				snapshotSaved = true;
+			}
+			const ownerRoot = resolveOwnerRoot(cwd, unit.files);
+			const { fixUnit } = await makeProductionFixUnit(config, unit.files, ownerRoot);
+			return fixUnit(unit, 1);
+		}
+	});
+	if ("error" in result) {
+		err(`✖ ${result.error}`);
+		process.exitCode = 1;
+		return;
+	}
+	persist(REPORT_PATH, report);
+	if (result.outcome === "fixed") {
+		out(`✔ fixed ${result.finding.file} (retry budget ${result.budget})`);
+		process.exitCode = 0;
+		return;
+	}
+	out(`↩ reverted ${result.finding.file} — ${reasonLabel(result.reason)} (retry budget ${result.budget})`);
+	process.exitCode = 1;
+}
+const program = buildProgram({
+	run: (opts) => runRun(opts),
+	diff: async () => {
+		const snapshot = Snapshot.fromJSON(loadJson(SNAPSHOT_PATH));
+		const changed = await snapshot.changedSince(createGit(cwd));
+		out(changed.length ? changed.join("\n") : "No tool edits.");
+	},
+	undo: async () => {
+		const snapshot = Snapshot.fromJSON(loadJson(SNAPSHOT_PATH));
+		await snapshot.restore(createGit(cwd));
+		out("✔ Restored pre-run snapshot.");
+	},
+	show: (id) => {
+		const report = loadReport();
+		out(showCommand(id, report.findings));
+	},
+	retry: (id) => runRetry(id)
+});
+const argv = process.argv.slice(2).length === 0 ? [...process.argv, "run"] : process.argv;
+program.parseAsync(argv).catch((e) => {
+	if (e instanceof Error && e.name === "CommanderError") {
+		process.exitCode = e.exitCode ?? 1;
+		return;
+	}
+	err(e instanceof Error ? e.message : String(e));
+	process.exitCode = 1;
+});
+
+//#endregion