tend-cli 0.1.0

package/dist/config-B5rO-fvz.js

@@ -0,0 +1,1745 @@
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { Command } from "commander";
+import { createHash } from "node:crypto";
+import { z } from "zod";
+import { tmpdir } from "node:os";
+import { simpleGit } from "simple-git";
+import PQueue from "p-queue";
+import { customAlphabet } from "nanoid";
+import Table from "cli-table3";
+import { Chalk, supportsColor } from "chalk";
+import gradient from "gradient-string";
+import { cosmiconfig } from "cosmiconfig";
+
+//#region src/cli.ts
+/** Build the commander program wiring each subcommand to a handler. */
+function buildProgram(handlers) {
+	const program = new Command();
+	program.name("tend").description("Audit a JS/TS repo and fix findings with AI in a safe loop.");
+	program.exitOverride();
+	program.command("run").description("snapshot → audit → fix loop → report (changed files)").argument("[paths...]", "fix only findings under these files/dirs (committed or not)").option("--all", "fix the entire backlog, not just changed files").option("--max-loops <n>", "cap on fix loops", (v) => parseInt(v, 10)).option("--max-sessions <n>", "concurrent AI sessions", (v) => parseInt(v, 10)).option("--model <model>", "model for fixes: sonnet (default), opus, haiku, or a full model id").option("--effort <level>", "reasoning effort for fixes: low | medium | high | xhigh | max").option("--include-tests", "also fix findings in test files (excluded by default)").option("--plain", "plain one-line-per-event output for pipes/CI (no color, no spinners)").option("--no-color", "disable color output").option("--verbose", "show the full per-tool / per-finding breakdown in the summary").action((paths, opts) => handlers.run({
+		...opts,
+		paths
+	}));
+	program.command("diff").description("show only the tool's edits").action(() => handlers.diff());
+	program.command("undo").description("restore the pre-run snapshot").action(() => handlers.undo());
+	program.command("show <id>").description("full detail on one finding").action((id) => handlers.show(id));
+	program.command("retry <id>").description("re-attempt a stubborn finding with a larger budget").action((id) => handlers.retry(id));
+	return program;
+}
+
+//#endregion
+//#region src/scanners/scope.ts
+/**
+* Files changed vs `HEAD` (tracked modifications/additions/renames plus untracked),
+* scoped and re-based to `git`'s working directory — see `changedVsHead` in git/repo.ts
+* for why this matters when tend runs from a subdirectory of the repo.
+*/
+async function changedFiles(git) {
+	const prefix = (await git.revparse(["--show-prefix"])).trim();
+	const status = await git.status();
+	const files = new Set();
+	for (const file of status.files) {
+		const path = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
+		if (!prefix) files.add(path);
+		else if (path.startsWith(prefix)) files.add(path.slice(prefix.length));
+	}
+	return [...files];
+}
+/** Keep only findings whose file is in the changed set. */
+function filterToChanged(findings, changed) {
+	const set = new Set(changed);
+	return findings.filter((f) => {
+		if (set.has(f.file)) return true;
+		if (f.category === "duplication") return (f.flowPath ?? []).some((p) => set.has(p.file));
+		return false;
+	});
+}
+/** Apply the fix scope: `--all` fixes everything, otherwise only changed files. */
+function scopeFindings(findings, opts) {
+	return opts.all ? findings : filterToChanged(findings, opts.changed);
+}
+
+//#endregion
+//#region src/findings/finding.ts
+const TOOLS = [
+	"sonarjs",
+	"knip",
+	"jscpd",
+	"semgrep",
+	"osv",
+	"gitleaks"
+];
+const RangeSchema = z.object({
+	startLine: z.number(),
+	startCol: z.number(),
+	endLine: z.number(),
+	endCol: z.number()
+});
+const FindingSchema = z.object({
+	id: z.string(),
+	retryId: z.string().optional(),
+	tool: z.enum(TOOLS),
+	rule: z.string(),
+	category: z.enum([
+		"bug",
+		"smell",
+		"dead-code",
+		"duplication",
+		"security",
+		"secret",
+		"vuln-dep"
+	]),
+	severity: z.enum([
+		"error",
+		"warning",
+		"info"
+	]),
+	file: z.string(),
+	range: RangeSchema,
+	message: z.string(),
+	helpUri: z.string().optional(),
+	flowPath: z.array(z.object({
+		file: z.string(),
+		line: z.number()
+	})).optional(),
+	remediation: z.string().optional(),
+	track: z.enum([
+		"ai-fix",
+		"deterministic",
+		"report-only"
+	]),
+	status: z.enum([
+		"pending",
+		"fixing",
+		"fixed",
+		"reverted",
+		"unfixable",
+		"skipped"
+	]),
+	attempts: z.number(),
+	revertReason: z.enum([
+		"broke-test",
+		"suppression",
+		"regression",
+		"typecheck",
+		"session-error"
+	]).optional(),
+	firstSeenLoop: z.number(),
+	lastSeenLoop: z.number(),
+	inScope: z.boolean().optional()
+});
+/**
+* Stable identity for a finding: hash(tool | rule | file | line | message).
+* Same components → same fingerprint, across loops and runs.
+*/
+function fingerprint(input) {
+	const key = [
+		input.tool,
+		input.rule,
+		input.file,
+		input.line,
+		input.message
+	].join("|");
+	return createHash("sha256").update(key).digest("hex");
+}
+
+//#endregion
+//#region src/findings/normalize.ts
+const TRACK_BY_TOOL = {
+	sonarjs: "ai-fix",
+	knip: "ai-fix",
+	jscpd: "ai-fix",
+	semgrep: "ai-fix",
+	osv: "deterministic",
+	gitleaks: "report-only"
+};
+const CROSS_FILE_JSCPD_REMEDIATION = "Requires a multi-file refactor across the duplicated clone sites; Tend does not run multi-file AI fixers for jscpd duplicates yet.";
+/** Which track a tool's findings flow into. */
+function trackForTool(tool) {
+	return TRACK_BY_TOOL[tool];
+}
+function isCrossFileJscpdDuplicate(raw) {
+	if (raw.tool !== "jscpd" || raw.rule !== "duplicate-code") return false;
+	return new Set((raw.flowPath ?? []).map((step) => step.file)).size > 1;
+}
+/** Which track a scanner finding flows into after rule-specific routing. */
+function trackForRawFinding(raw) {
+	if (isCrossFileJscpdDuplicate(raw)) return "report-only";
+	return trackForTool(raw.tool);
+}
+/** Turn a raw scanner record into a tracked `Finding` for the given loop. */
+function normalize(raw, loop) {
+	const id = fingerprint({
+		tool: raw.tool,
+		rule: raw.rule,
+		file: raw.file,
+		line: raw.range.startLine,
+		message: raw.message
+	});
+	const finding = {
+		id,
+		tool: raw.tool,
+		rule: raw.rule,
+		category: raw.category,
+		severity: raw.severity,
+		file: raw.file,
+		range: raw.range,
+		message: raw.message,
+		track: trackForRawFinding(raw),
+		status: "pending",
+		attempts: 0,
+		firstSeenLoop: loop,
+		lastSeenLoop: loop
+	};
+	if (raw.helpUri !== void 0) finding.helpUri = raw.helpUri;
+	if (raw.flowPath !== void 0) finding.flowPath = raw.flowPath;
+	if (raw.remediation !== void 0) finding.remediation = raw.remediation;
+	else if (isCrossFileJscpdDuplicate(raw)) finding.remediation = CROSS_FILE_JSCPD_REMEDIATION;
+	return finding;
+}
+
+//#endregion
+//#region src/scanners/scanner.ts
+/** Collapse a ScanResult to its reportable status: skipped → ran → failed (error present). */
+function scannerStatus(result$1) {
+	if (result$1.skipped) return {
+		tool: result$1.tool,
+		status: "skipped"
+	};
+	if (result$1.error !== void 0) return {
+		tool: result$1.tool,
+		status: "failed",
+		reason: result$1.error
+	};
+	return {
+		tool: result$1.tool,
+		status: "ran"
+	};
+}
+async function isAvailable(scanner, which) {
+	return which(scanner.binary);
+}
+/**
+* Shared run sequence for every scanner:
+*   availability → args → spawn → parse → normalize.
+* Missing binary → skipped (not fatal). Timeout/spawn error or malformed output → error result.
+*/
+async function runScanner(scanner, ctx, deps) {
+	if (!await isAvailable(scanner, deps.which)) return {
+		tool: scanner.tool,
+		findings: [],
+		skipped: true
+	};
+	const args = scanner.buildArgs(ctx);
+	let raw;
+	try {
+		raw = await deps.spawn(scanner.binary, args, {
+			cwd: ctx.cwd,
+			timeout: deps.timeout
+		});
+	} catch (err) {
+		return {
+			tool: scanner.tool,
+			findings: [],
+			skipped: false,
+			error: errorMessage(err)
+		};
+	}
+	try {
+		const findings = scanner.parse(raw, ctx).map((r) => normalize(r, ctx.loop));
+		return {
+			tool: scanner.tool,
+			findings,
+			skipped: false
+		};
+	} catch (err) {
+		const reason = raw.exitCode !== 0 ? raw.stderr.trim() || errorMessage(err) : errorMessage(err);
+		return {
+			tool: scanner.tool,
+			findings: [],
+			skipped: false,
+			error: reason
+		};
+	}
+}
+function errorMessage(err) {
+	return err instanceof Error ? err.message : String(err);
+}
+
+//#endregion
+//#region src/git/repo.ts
+/** Refuse to run outside a git repo — the snapshot/restore safety net needs it. */
+async function assertGitRepo(git) {
+	if (!await git.checkIsRepo()) throw new Error("not a git repository — run tend inside a git repo");
+}
+/**
+* `git status` reports paths relative to the repo root and for the whole repo, even
+* when run from a subdirectory. Scanners run from `git`'s working dir and report paths
+* relative to it, so we scope changed files to that subtree and re-base them onto it
+* using git's own cwd→root prefix (empty when run from the repo root).
+*/
+function scopeToCwd(repoPath, prefix) {
+	if (!prefix) return repoPath;
+	if (!repoPath.startsWith(prefix)) return null;
+	return repoPath.slice(prefix.length);
+}
+/**
+* Files changed vs `HEAD`: tracked modifications/additions/renames plus untracked files,
+* scoped and re-based to `git`'s working directory (so a run from `apps/foo` only sees
+* `apps/foo`'s changes, pathed as the scanners path them).
+*/
+async function changedVsHead(git) {
+	const prefix = (await git.revparse(["--show-prefix"])).trim();
+	const status = await git.status();
+	const files = new Set();
+	for (const file of status.files) {
+		const repoPath = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
+		const rel = scopeToCwd(repoPath, prefix);
+		if (rel !== null) files.add(rel);
+	}
+	return [...files];
+}
+/**
+* Concrete files under the given path(s) — tracked plus untracked (so newly-added files
+* are scoped too, mirroring `changedVsHead`). `git ls-files` reports paths relative to
+* `git`'s working directory and interprets the pathspecs the same way, so the result is
+* already in the coordinate system the scanners and `filterToChanged` expect. Expanding to
+* concrete files (not bare directories) matters: `filterToChanged` matches exact paths.
+*/
+async function filesUnder(git, paths) {
+	if (paths.length === 0) return [];
+	const list = async (args) => (await git.raw([
+		"ls-files",
+		...args,
+		"--",
+		...paths
+	])).split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
+	const files = new Set([...await list([]), ...await list(["-o", "--exclude-standard"])]);
+	return [...files];
+}
+/** Revert a single file to its snapshot state. */
+function revertFile(snapshot, file) {
+	return snapshot.restoreFile(file);
+}
+
+//#endregion
+//#region src/git/client.ts
+const UNSAFE_GIT_ENV_KEYS = [
+	"GIT_EDITOR",
+	"GIT_PAGER",
+	"GIT_SEQUENCE_EDITOR",
+	"PAGER"
+];
+function gitEnv(extra = {}) {
+	const env = {
+		...process.env,
+		...extra
+	};
+	for (const key of UNSAFE_GIT_ENV_KEYS) delete env[key];
+	return env;
+}
+function createGit(root) {
+	return simpleGit(root).env(gitEnv());
+}
+
+//#endregion
+//#region src/git/snapshot.ts
+const SNAP_MSG = "tend snapshot";
+/** A private ref pins the snapshot commit so `git gc` can't prune it (it's on no branch). */
+const SNAP_REF = "refs/tend/snapshot";
+let indexCounter = 0;
+/**
+* Write the entire current working tree (tracked + untracked, honoring .gitignore) into a git
+* tree object, using a throwaway index so the user's real staging area is never touched.
+* Returns the tree's object id. Git stores only new blobs and reuses the rest — near-instant,
+* a few KB, not a full copy of every file.
+*/
+async function writeWorkingTree(root) {
+	const idxPath = join(tmpdir(), `tend-index-${process.pid}-${indexCounter++}`);
+	try {
+		const g = createGit(root).env(gitEnv({ GIT_INDEX_FILE: idxPath }));
+		await g.raw(["add", "-A"]);
+		return (await g.raw(["write-tree"])).trim();
+	} finally {
+		rmSync(idxPath, { force: true });
+	}
+}
+/** Keep tend's own `.tend/` artifacts out of snapshots and the user's `git status`. */
+function ensureTendIgnored(gitDir) {
+	const excludePath = join(gitDir, "info", "exclude");
+	const line = ".tend/";
+	let current = "";
+	try {
+		current = readFileSync(excludePath, "utf8");
+	} catch {}
+	if (current.split("\n").some((l) => l.trim() === line)) return;
+	mkdirSync(dirname(excludePath), { recursive: true });
+	const sep$1 = current === "" || current.endsWith("\n") ? "" : "\n";
+	writeFileSync(excludePath, `${current}${sep$1}${line}\n`);
+}
+const lines = (raw) => raw.split("\n").map((l) => l.trim()).filter(Boolean);
+/** Files currently in the repo: tracked + untracked (non-ignored), repo-root-relative. */
+async function currentFiles(root) {
+	const g = createGit(root);
+	const tracked = await g.raw(["ls-files"]);
+	const untracked = await g.raw([
+		"ls-files",
+		"--others",
+		"--exclude-standard"
+	]);
+	return [...new Set([...lines(tracked), ...lines(untracked)])];
+}
+/**
+* A silent restore point for the working tree, stored as a git commit object pinned by a private
+* ref (`refs/tend/snapshot`) — nothing committed to any branch, the editor sees no change. Backs
+* `tend undo` (exact restore) and `tend diff` (only the tool's edits). Reuses git's content store,
+* so the on-disk record is a 40-char id rather than a copy of every file.
+*/
+var Snapshot = class Snapshot {
+	constructor(cwd, root, sha) {
+		this.cwd = cwd;
+		this.root = root;
+		this.sha = sha;
+	}
+	static async capture(git, cwd) {
+		const root = (await git.revparse(["--show-toplevel"])).trim();
+		const gitDir = (await git.revparse(["--absolute-git-dir"])).trim();
+		ensureTendIgnored(gitDir);
+		const rg = createGit(root);
+		const tree = await writeWorkingTree(root);
+		let parent = null;
+		try {
+			parent = (await rg.revparse(["HEAD"])).trim();
+		} catch {
+			parent = null;
+		}
+		const commitArgs = parent ? [
+			"commit-tree",
+			tree,
+			"-p",
+			parent,
+			"-m",
+			SNAP_MSG
+		] : [
+			"commit-tree",
+			tree,
+			"-m",
+			SNAP_MSG
+		];
+		const sha = (await rg.raw(commitArgs)).trim();
+		await rg.raw([
+			"update-ref",
+			SNAP_REF,
+			sha
+		]);
+		return new Snapshot(cwd, root, sha);
+	}
+	/** Serialize to a tiny object for `.tend/snapshot.json` (powers `undo` across invocations). */
+	toJSON() {
+		return {
+			cwd: this.cwd,
+			root: this.root,
+			sha: this.sha
+		};
+	}
+	static fromJSON(data) {
+		return new Snapshot(data.cwd, data.root, data.sha);
+	}
+	/** Files whose contents differ from the snapshot, or that are new/deleted since it (sorted). */
+	async changedSince(_git) {
+		const currentTree = await writeWorkingTree(this.root);
+		const diff = await createGit(this.root).raw([
+			"diff",
+			"--name-only",
+			this.sha,
+			currentTree
+		]);
+		return lines(diff).sort();
+	}
+	/** Restore a single file to its captured contents (worktree only — the user's index is untouched). */
+	async restoreFile(rel) {
+		await createGit(this.root).raw([
+			"restore",
+			"--source",
+			this.sha,
+			"--worktree",
+			"--",
+			rel
+		]);
+	}
+	/** Restore the working tree exactly to the captured state (incl. deleting files created since). */
+	async restore(_git) {
+		const rg = createGit(this.root);
+		await rg.raw([
+			"restore",
+			"--source",
+			this.sha,
+			"--worktree",
+			"--",
+			":/"
+		]);
+		const inSnapshot = new Set(lines(await rg.raw([
+			"ls-tree",
+			"-r",
+			"--name-only",
+			this.sha
+		])));
+		for (const rel of await currentFiles(this.root)) if (!inSnapshot.has(rel)) rmSync(join(this.root, rel), { force: true });
+	}
+};
+
+//#endregion
+//#region src/detect/package-manager.ts
+const LOCKFILES = [
+	{
+		file: "pnpm-lock.yaml",
+		pm: "pnpm"
+	},
+	{
+		file: "yarn.lock",
+		pm: "yarn"
+	},
+	{
+		file: "bun.lockb",
+		pm: "bun"
+	},
+	{
+		file: "bun.lock",
+		pm: "bun"
+	},
+	{
+		file: "package-lock.json",
+		pm: "npm"
+	}
+];
+/** Detect the package manager from the lockfile present; defaults to npm. */
+function detectPackageManager(cwd) {
+	for (const { file, pm } of LOCKFILES) if (existsSync(join(cwd, file))) return pm;
+	return "npm";
+}
+
+//#endregion
+//#region src/session/types.ts
+/** A usage record with everything zeroed. */
+const zeroUsage = () => ({
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+});
+/** Sum two usage records field-by-field (used to roll usage up through the run). */
+function addUsage(a, b) {
+	return {
+		estimatedCostUsd: a.estimatedCostUsd + b.estimatedCostUsd,
+		inputTokens: a.inputTokens + b.inputTokens,
+		outputTokens: a.outputTokens + b.outputTokens,
+		cacheCreationInputTokens: a.cacheCreationInputTokens + b.cacheCreationInputTokens,
+		cacheReadInputTokens: a.cacheReadInputTokens + b.cacheReadInputTokens,
+		sessions: a.sessions + b.sessions
+	};
+}
+
+//#endregion
+//#region src/fixing/dispatch.ts
+const TEST_FILE_RE = /^(.*)\.(test|spec)\.([cm]?[jt]sx?)$/;
+/** Whether a repo-relative path is a test file (`*.test.*` / `*.spec.*`). */
+const isTestFile = (file) => TEST_FILE_RE.test(file);
+/** A test file's owning code file (so both go to the same worker); else the file itself. */
+function ownerOf(file) {
+	const m = file.match(TEST_FILE_RE);
+	return m ? `${m[1]}.${m[3]}` : file;
+}
+/**
+* Group findings into work units so each worker owns a disjoint set of files
+* (a code file plus its sibling test). No two sessions ever touch the same file.
+*/
+function planWork(findings) {
+	const byOwner = new Map();
+	for (const finding of findings) {
+		const owner = ownerOf(finding.file);
+		let unit = byOwner.get(owner);
+		if (!unit) {
+			unit = {
+				file: owner,
+				files: [],
+				findings: []
+			};
+			byOwner.set(owner, unit);
+		}
+		unit.findings.push(finding);
+		if (!unit.files.includes(finding.file)) unit.files.push(finding.file);
+		if (!unit.files.includes(owner)) unit.files.push(owner);
+	}
+	return [...byOwner.values()];
+}
+/** Run each work unit through `runUnit`, capped at `concurrency` concurrent sessions. */
+async function dispatch(units, runUnit, opts) {
+	const queue = new PQueue({ concurrency: opts.concurrency });
+	return Promise.all(units.map((unit) => queue.add(() => runUnit(unit))));
+}
+
+//#endregion
+//#region src/session/stream-json.ts
+const RATE_LIMIT_RE = /rate.?limit|overloaded|\b429\b/i;
+/** A finite, non-negative number, or 0 for anything else (missing/NaN/negative). */
+function num(v) {
+	return typeof v === "number" && Number.isFinite(v) && v >= 0 ? v : 0;
+}
+const zeroCost = () => ({
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0
+});
+function parseEvent(line) {
+	const trimmed = line.trim();
+	if (!trimmed) return null;
+	try {
+		return JSON.parse(trimmed);
+	} catch {
+		return null;
+	}
+}
+function extractUsage(event) {
+	const rawCost = event.total_cost_usd ?? event.cost_usd ?? event.costUSD;
+	const u = event.usage;
+	if (rawCost == null && u == null) return null;
+	return {
+		estimatedCostUsd: num(rawCost),
+		inputTokens: num(u?.input_tokens),
+		outputTokens: num(u?.output_tokens),
+		cacheCreationInputTokens: num(u?.cache_creation_input_tokens),
+		cacheReadInputTokens: num(u?.cache_read_input_tokens)
+	};
+}
+function extractEdits(event) {
+	const edits = [];
+	for (const block of event.message?.content ?? []) if (block.type === "tool_use" && block.name === "Write") {
+		const path = block.input?.["file_path"];
+		const contents = block.input?.["content"];
+		if (typeof path === "string" && typeof contents === "string") edits.push({
+			path,
+			contents
+		});
+	}
+	return edits;
+}
+/**
+* Parse Claude Code `--output-format stream-json` (newline-delimited JSON) into the
+* file edits it produced. `Write` tool uses carry full file contents. Malformed lines
+* are skipped. Rate-limit / error signals are surfaced for backoff.
+*/
+function parseStreamJson(raw) {
+	const edits = [];
+	let rateLimited = false;
+	let errored = false;
+	let usage = null;
+	for (const line of raw.split("\n")) {
+		const event = parseEvent(line);
+		if (!event) continue;
+		if (event.is_error) {
+			errored = true;
+			if (event.error && RATE_LIMIT_RE.test(event.error)) rateLimited = true;
+		}
+		if (event.type === "result") {
+			const u = extractUsage(event);
+			if (u) usage = u;
+		}
+		edits.push(...extractEdits(event));
+	}
+	return {
+		edits,
+		rateLimited,
+		errored,
+		usage: usage ?? zeroCost()
+	};
+}
+
+//#endregion
+//#region src/session/claude.ts
+/** Drives a real `claude -p` session and parses its stream-json into edits. */
+var ClaudeSession = class {
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async run(request) {
+		let stdout;
+		let exitCode;
+		try {
+			({stdout, exitCode} = await this.deps.spawn(request));
+		} catch (err) {
+			return {
+				ok: false,
+				error: err instanceof Error ? err.message : String(err),
+				rateLimited: false,
+				usage: zeroUsage()
+			};
+		}
+		const parsed = parseStreamJson(stdout);
+		const usage = {
+			...parsed.usage,
+			sessions: 1
+		};
+		if (parsed.rateLimited) return {
+			ok: false,
+			error: "Claude session rate-limited",
+			rateLimited: true,
+			usage
+		};
+		if (exitCode !== 0 || parsed.errored) return {
+			ok: false,
+			error: `Claude session failed (exit ${exitCode})`,
+			rateLimited: false,
+			usage
+		};
+		return {
+			ok: true,
+			edits: parsed.edits,
+			usage
+		};
+	}
+};
+
+//#endregion
+//#region src/findings/store.ts
+const StoreSchema = z.array(FindingSchema);
+/** Holds Finding records keyed by fingerprint and tracks their state across loops. */
+var FindingStore = class FindingStore {
+	findings = new Map();
+	add(finding) {
+		this.findings.set(finding.id, finding);
+	}
+	get(id) {
+		return this.findings.get(id);
+	}
+	all() {
+		return [...this.findings.values()];
+	}
+	/**
+	* Diff a fresh audit against what the store knows, by fingerprint:
+	*   - known but absent now  → marked `fixed`
+	*   - present both loops     → stays as-is, carries attempts/history, bumps lastSeenLoop
+	*   - new fingerprint         → added `pending`, firstSeenLoop = loop
+	*/
+	reconcile(fresh, loop) {
+		const freshIds = new Set(fresh.map((f) => f.id));
+		for (const known of this.findings.values()) if (!freshIds.has(known.id)) known.status = "fixed";
+		for (const incoming of fresh) {
+			const known = this.findings.get(incoming.id);
+			if (known) {
+				known.lastSeenLoop = loop;
+				if (known.status === "fixed" || known.status === "reverted") known.status = "pending";
+			} else this.findings.set(incoming.id, {
+				...incoming,
+				firstSeenLoop: loop,
+				lastSeenLoop: loop
+			});
+		}
+	}
+	/** Findings matching every provided filter (track / status / file). */
+	query(filter) {
+		return this.all().filter((f) => (filter.track === void 0 || f.track === filter.track) && (filter.status === void 0 || f.status === filter.status) && (filter.file === void 0 || f.file === filter.file));
+	}
+	/** Record a failed fix attempt against a finding's fingerprint. */
+	recordFailedAttempt(id, reason) {
+		const finding = this.findings.get(id);
+		if (!finding) return;
+		finding.attempts += 1;
+		finding.revertReason = reason;
+	}
+	/** A finding's per-issue budget is exhausted once it has used `budget` attempts. */
+	isBudgetExhausted(id, budget) {
+		const finding = this.findings.get(id);
+		if (!finding) return false;
+		return finding.attempts >= budget;
+	}
+	/** Serialize to a plain array — `report.json`'s findings section. */
+	toJSON() {
+		return this.all();
+	}
+	/** Rebuild a store from serialized findings, validating each against the schema. */
+	static fromJSON(data) {
+		const findings = StoreSchema.parse(data);
+		const store = new FindingStore();
+		for (const finding of findings) store.add(finding);
+		return store;
+	}
+};
+
+//#endregion
+//#region src/findings/router.ts
+function isKnownTool(tool) {
+	return TOOLS.includes(tool);
+}
+/** Split findings into their assigned fix tracks; unknown tools are skipped with a warning. */
+function route(findings, opts = {}) {
+	const result$1 = {
+		aiFix: [],
+		deterministic: [],
+		reportOnly: [],
+		skipped: []
+	};
+	for (const finding of findings) {
+		if (!isKnownTool(finding.tool)) {
+			opts.warn?.(`Skipping finding from unknown tool "${finding.tool}"`);
+			result$1.skipped.push(finding);
+			continue;
+		}
+		switch (finding.track) {
+			case "ai-fix":
+				result$1.aiFix.push(finding);
+				break;
+			case "deterministic":
+				result$1.deterministic.push(finding);
+				break;
+			case "report-only":
+				result$1.reportOnly.push(finding);
+				break;
+		}
+	}
+	return result$1;
+}
+
+//#endregion
+//#region src/output/events.ts
+/** Minimal synchronous event bus. With no listener, emit is a no-op (silent mode). */
+var EventBus = class {
+	listeners = [];
+	on(listener) {
+		this.listeners.push(listener);
+		return () => {
+			const i = this.listeners.indexOf(listener);
+			if (i >= 0) this.listeners.splice(i, 1);
+		};
+	}
+	emit(event) {
+		for (const listener of this.listeners) listener(event);
+	}
+};
+
+//#endregion
+//#region src/orchestrator.ts
+/** AI-fixable findings still pending and under their retry budget. */
+function pendingUnderBudget(store, budget) {
+	return store.query({
+		track: "ai-fix",
+		status: "pending"
+	}).filter((f) => f.attempts < budget);
+}
+function dispatchableUnits(findings, includeTests) {
+	return planWork(findings).filter((u) => includeTests || u.findings.some((f) => !isTestFile(f.file)));
+}
+function statusAttemptSnapshot(store) {
+	return store.all().map((f) => `${f.id}:${f.status}:${f.attempts}`).sort().join("|");
+}
+function applyOutcome(store, unit, outcome, budget) {
+	for (const finding of unit.findings) if (outcome.kept) finding.status = "fixed";
+	else {
+		store.recordFailedAttempt(finding.id, outcome.reason ?? "session-error");
+		if (store.isBudgetExhausted(finding.id, budget)) finding.status = "unfixable";
+	}
+}
+/**
+* The scan → fix → re-audit loop. Terminates on the first of: converged (0 fixable),
+* no-progress (no dispatchable units or an attempted loop changed no attempt/status
+* state), per-issue budget exhaustion (mark unfixable, keep going), or max-loops.
+*/
+async function orchestrate(deps) {
+	const { config } = deps;
+	const inScope = deps.inScope ?? ((f) => f);
+	const bus = deps.bus ?? new EventBus();
+	const store = new FindingStore();
+	const secrets = new Map();
+	const depBumps = new Map();
+	let loop = 0;
+	let fixingLoops = 0;
+	let termination = "converged";
+	let scannerStatuses = [];
+	let usage = zeroUsage();
+	while (true) {
+		loop++;
+		bus.emit({
+			type: "scan-start",
+			loop
+		});
+		const audited = await deps.audit(loop);
+		scannerStatuses = audited.scannerStatuses ?? scannerStatuses;
+		if (loop === 1 && audited.allScannersMissing) {
+			bus.emit({
+				type: "done",
+				exitStatus: 1
+			});
+			return result("no-scanners", fixingLoops, 1, store, secrets, depBumps, scannerStatuses, usage);
+		}
+		store.reconcile(audited.findings, loop);
+		const scopedIds = new Set(inScope(store.all()).map((f) => f.id));
+		for (const f of store.all()) f.inScope = scopedIds.has(f.id);
+		const scopedFindings = inScope(audited.findings);
+		const routed = route(audited.findings);
+		for (const s of routed.reportOnly) secrets.set(s.id, s);
+		for (const d of routed.deterministic) depBumps.set(d.id, d);
+		bus.emit({
+			type: "audit",
+			loop,
+			findings: scopedFindings.length,
+			files: new Set(scopedFindings.map((f) => f.file)).size,
+			scanned: audited.scanned
+		});
+		if (loop === 1 && audited.findings.length === 0) {
+			termination = "converged";
+			break;
+		}
+		const pending = pendingUnderBudget(store, config.perIssueBudget);
+		const fixable = inScope(pending);
+		if (pending.length === 0) {
+			termination = "converged";
+			break;
+		}
+		const units = dispatchableUnits(fixable, config.includeTests);
+		if (units.length === 0) {
+			termination = "no-progress";
+			break;
+		}
+		if (fixingLoops >= config.maxLoops) {
+			termination = "max-loops";
+			break;
+		}
+		fixingLoops++;
+		const beforeAttemptState = statusAttemptSnapshot(store);
+		bus.emit({
+			type: "loop-start",
+			loop,
+			files: units.map((u) => u.file),
+			concurrency: config.maxSessions
+		});
+		const outcomes = await dispatch(units, async (unit) => {
+			bus.emit({
+				type: "file-start",
+				loop,
+				file: unit.file,
+				rule: unit.findings[0]?.rule
+			});
+			const outcome = await deps.fixUnit(unit, loop);
+			bus.emit({
+				type: "file-result",
+				loop,
+				file: unit.file,
+				outcome: outcome.kept ? "fixed" : "reverted",
+				reason: outcome.reason
+			});
+			return {
+				unit,
+				outcome
+			};
+		}, { concurrency: config.maxSessions });
+		for (const { unit, outcome } of outcomes) {
+			applyOutcome(store, unit, outcome, config.perIssueBudget);
+			if (outcome.usage) usage = addUsage(usage, outcome.usage);
+		}
+		bus.emit({
+			type: "loop-complete",
+			loop,
+			fixed: outcomes.filter((o) => o.outcome.kept).length
+		});
+		if (statusAttemptSnapshot(store) === beforeAttemptState) {
+			termination = "no-progress";
+			break;
+		}
+	}
+	const exitStatus = secrets.size > 0 ? 1 : 0;
+	bus.emit({
+		type: "done",
+		exitStatus
+	});
+	return result(termination, fixingLoops, exitStatus, store, secrets, depBumps, scannerStatuses, usage);
+}
+function result(termination, loops, exitStatus, store, secrets, depBumps, scannerStatuses, usage) {
+	return {
+		termination,
+		loops,
+		exitStatus: termination === "no-scanners" ? 1 : exitStatus,
+		findings: store.all(),
+		secrets: [...secrets.values()],
+		depBumps: [...depBumps.values()],
+		scannerStatuses,
+		usage
+	};
+}
+
+//#endregion
+//#region src/report/retry-id.ts
+const RETRY_ID_LENGTH = 6;
+const RETRY_ID_ALPHABET = "23456789abcdefghijkmnpqrstuvwxyz";
+const makeRetryId = customAlphabet(RETRY_ID_ALPHABET, RETRY_ID_LENGTH);
+function hasUsableRetryId(finding) {
+	return typeof finding.retryId === "string" && finding.retryId.length > 0;
+}
+function nextUniqueRetryId(used, generate) {
+	for (let attempt = 0; attempt < 100; attempt++) {
+		const retryId = generate();
+		if (!used.has(retryId)) return retryId;
+	}
+	throw new Error("Could not generate a unique retry id");
+}
+/** Ensure every finding in a persisted report has a human-facing id unique to that report. */
+function assignRetryIds(findings, generate = makeRetryId) {
+	const counts = new Map();
+	for (const finding of findings) {
+		if (!hasUsableRetryId(finding)) continue;
+		counts.set(finding.retryId, (counts.get(finding.retryId) ?? 0) + 1);
+	}
+	const used = new Set();
+	return findings.map((finding) => {
+		if (hasUsableRetryId(finding) && counts.get(finding.retryId) === 1) {
+			used.add(finding.retryId);
+			return finding;
+		}
+		const retryId = nextUniqueRetryId(used, generate);
+		used.add(retryId);
+		return {
+			...finding,
+			retryId
+		};
+	});
+}
+
+//#endregion
+//#region src/report/schema.ts
+const DepBumpSchema = z.object({
+	findingId: z.string(),
+	remediation: z.string()
+});
+/** Per-scanner outcome for a run: did it run clean, get skipped, or fail (with a reason). */
+const ScannerStatusSchema = z.object({
+	tool: z.enum(TOOLS),
+	status: z.enum([
+		"ran",
+		"skipped",
+		"failed"
+	]),
+	reason: z.string().optional()
+});
+const BehaviorChangeSchema = z.object({
+	findingId: z.string(),
+	file: z.string(),
+	note: z.string()
+});
+/**
+* Estimated AI cost/usage for a run. `estimatedCostUsd` is Claude's client-side
+* `total_cost_usd` estimate — never authoritative billing.
+*/
+const AiUsageSchema = z.object({
+	estimatedCostUsd: z.number().nonnegative(),
+	inputTokens: z.number().nonnegative(),
+	outputTokens: z.number().nonnegative(),
+	cacheCreationInputTokens: z.number().nonnegative(),
+	cacheReadInputTokens: z.number().nonnegative(),
+	sessions: z.number().int().nonnegative()
+});
+const ZERO_AI_USAGE$1 = {
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+};
+const ReportSchema = z.object({
+	findings: z.array(FindingSchema),
+	secrets: z.array(FindingSchema),
+	depBumps: z.array(DepBumpSchema),
+	flaggedBehaviorChanges: z.array(BehaviorChangeSchema),
+	scannerStatuses: z.array(ScannerStatusSchema).default([]),
+	aiUsage: AiUsageSchema.default(ZERO_AI_USAGE$1),
+	loops: z.number().int().nonnegative(),
+	durationMs: z.number().nonnegative(),
+	exitStatus: z.number().int()
+});
+
+//#endregion
+//#region src/report/builder.ts
+const ZERO_AI_USAGE = {
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+};
+/** Accumulates per-finding outcomes and run metadata into a validated report.json. */
+var ReportBuilder = class {
+	outcomes = new Map();
+	flagged = [];
+	scannerStatuses = [];
+	constructor(generateRetryId) {
+		this.generateRetryId = generateRetryId;
+	}
+	/** Record (or update) a finding's final outcome by fingerprint. */
+	recordOutcome(finding) {
+		this.outcomes.set(finding.id, finding);
+	}
+	recordOutcomes(findings) {
+		for (const f of findings) this.recordOutcome(f);
+	}
+	/** Flag a semantic test change for human review. */
+	flagBehaviorChange(entry) {
+		this.flagged.push(entry);
+	}
+	/** Record per-scanner run outcomes (ran / skipped / failed) for the scanner-status line. */
+	recordScannerStatuses(statuses) {
+		this.scannerStatuses = statuses;
+	}
+	build(meta) {
+		const findings = assignRetryIds([...this.outcomes.values()], this.generateRetryId);
+		const report = {
+			findings,
+			secrets: findings.filter((f) => f.category === "secret"),
+			depBumps: findings.filter((f) => f.remediation !== void 0).map((f) => ({
+				findingId: f.id,
+				remediation: f.remediation
+			})),
+			flaggedBehaviorChanges: this.flagged,
+			scannerStatuses: this.scannerStatuses,
+			aiUsage: meta.aiUsage ?? ZERO_AI_USAGE,
+			loops: meta.loops,
+			durationMs: meta.durationMs,
+			exitStatus: meta.exitStatus
+		};
+		return ReportSchema.parse(report);
+	}
+};
+
+//#endregion
+//#region src/output/format.ts
+/**
+* Human duration for the summary: sub-minute reads as "2.4s", longer as "3m 12s".
+* Deterministic — no locale, no rounding surprises.
+*/
+function formatDuration(ms) {
+	const totalSeconds = ms / 1e3;
+	if (totalSeconds < 60) return `${totalSeconds.toFixed(1)}s`;
+	const minutes = Math.floor(totalSeconds / 60);
+	const seconds = Math.round(totalSeconds % 60);
+	if (seconds === 60) return `${minutes + 1}m 0s`;
+	return `${minutes}m ${seconds}s`;
+}
+/** Stopwatch form for the live per-file timer: "0:42", "1:05". */
+function formatClock(ms) {
+	const totalSeconds = Math.floor(ms / 1e3);
+	const minutes = Math.floor(totalSeconds / 60);
+	const seconds = totalSeconds % 60;
+	return `${minutes}:${String(seconds).padStart(2, "0")}`;
+}
+/** Plain-language reason a fix was reverted — the most useful thing for a human. */
+function reasonLabel(reason) {
+	switch (reason) {
+		case "broke-test": return "broke tests";
+		case "typecheck": return "broke typecheck";
+		case "suppression": return "added a suppression";
+		case "regression": return "introduced a new issue";
+		case "session-error": return "the fix session failed";
+		default: return "couldn't fix";
+	}
+}
+
+//#endregion
+//#region src/output/theme.ts
+const PALETTE = {
+	accent: "#7AA2F7",
+	accentTo: "#9D7CD8",
+	green: "#9ECE6A",
+	amber: "#E0AF68",
+	red: "#E88388"
+};
+const UNICODE_GLYPHS = {
+	fixed: "✔",
+	reverted: "↩",
+	left: "–",
+	scanned: "✔",
+	bullet: "·",
+	rule: "─",
+	arrow: "→",
+	spinner: [
+		"⠋",
+		"⠙",
+		"⠹",
+		"⠸",
+		"⠼",
+		"⠴",
+		"⠦",
+		"⠧",
+		"⠇",
+		"⠏"
+	]
+};
+const ASCII_GLYPHS = {
+	fixed: "+",
+	reverted: "<",
+	left: "-",
+	scanned: "+",
+	bullet: "·",
+	rule: "-",
+	arrow: ">",
+	spinner: [
+		"-",
+		"\\",
+		"|",
+		"/"
+	]
+};
+/** Resolve the chalk color level: 0 (off) when color is disabled, else the terminal's. */
+function chalkLevel(env) {
+	if (!env.color) return 0;
+	const detected = supportsColor ? supportsColor.level : 0;
+	return detected > 0 ? detected : 1;
+}
+function makeTheme(env) {
+	const c = new Chalk({ level: chalkLevel(env) });
+	const glyph = env.unicode ? UNICODE_GLYPHS : ASCII_GLYPHS;
+	const accent = (s) => c.hex(PALETTE.accent)(s);
+	const wordmark = () => {
+		if (!env.color) return "tend";
+		if (c.level >= 3) return gradient([PALETTE.accent, PALETTE.accentTo])("tend");
+		return accent("tend");
+	};
+	return {
+		accent,
+		fixed: (s) => c.hex(PALETTE.green)(s),
+		reverted: (s) => c.hex(PALETTE.amber)(s),
+		error: (s) => c.hex(PALETTE.red)(s),
+		dim: (s) => c.dim(s),
+		bold: (s) => c.bold(s),
+		plain: (s) => s,
+		wordmark,
+		glyph
+	};
+}
+
+//#endregion
+//#region src/output/summary.ts
+const RULE_WIDTH = 49;
+const PLAIN_THEME = makeTheme({
+	color: false,
+	interactive: false,
+	unicode: true
+});
+/** A finding the developer can't read as part of their changes (scanned wide, out of scope). */
+function isOutOfScope(f) {
+	return f.inScope === false && f.category !== "secret";
+}
+function bucket(findings) {
+	const fixed = [];
+	const couldntFix = [];
+	const skippedTests = [];
+	const left = [];
+	const secrets = [];
+	for (const f of findings) if (f.category === "secret") secrets.push(f);
+	else if (isOutOfScope(f)) continue;
+	else if (f.status === "fixed") fixed.push(f);
+	else if (f.status === "reverted" || f.status === "unfixable") couldntFix.push(f);
+	else if (isTestFile(f.file)) skippedTests.push(f);
+	else left.push(f);
+	return {
+		fixed,
+		couldntFix,
+		skippedTests,
+		left,
+		secrets
+	};
+}
+/**
+* The final summary: a real headline (fixed / couldn't-fix / left / secrets + elapsed),
+* grouped by what the user must do, with revert reasons surfaced per file, and ending in
+* next-step affordances. Brief by default; `--verbose` adds the full per-finding listing.
+*/
+function renderSummary(report, opts = {}) {
+	const theme = opts.theme ?? PLAIN_THEME;
+	const { glyph } = theme;
+	const b = bucket(report.findings);
+	if (opts.plain) return renderPlainSummary(report, b, theme, Boolean(opts.verbose));
+	const lines$1 = [];
+	lines$1.push(theme.dim(glyph.rule.repeat(RULE_WIDTH)));
+	lines$1.push(`done ${theme.dim(`${glyph.bullet} ${report.loops} fix passes ${glyph.bullet} ${formatDuration(report.durationMs)}`)}`);
+	lines$1.push("");
+	lines$1.push(theme.bold("run summary"));
+	lines$1.push(renderOverallTable(report, b, theme));
+	lines$1.push("");
+	lines$1.push(theme.bold("scanner breakdown"));
+	lines$1.push(renderScannerBreakdownTable(report, theme));
+	if (b.couldntFix.length > 0) {
+		lines$1.push("");
+		lines$1.push(theme.bold("couldn't fix"));
+		lines$1.push(renderCouldntFixTable(b.couldntFix, theme));
+	}
+	if (b.secrets.length > 0) {
+		lines$1.push("");
+		lines$1.push(theme.bold("secrets"));
+		lines$1.push(renderSecretsTable(b.secrets, theme));
+	}
+	if (opts.verbose) lines$1.push("", renderVerbose(report, theme));
+	lines$1.push("");
+	lines$1.push(theme.bold("next commands"));
+	lines$1.push(renderNextCommandsTable());
+	return lines$1.join("\n");
+}
+function renderPlainSummary(report, b, theme, verbose) {
+	const lines$1 = [
+		`done ${theme.glyph.bullet} ${report.loops} fix passes ${theme.glyph.bullet} ${formatDuration(report.durationMs)}`,
+		[
+			"summary",
+			`fixed=${b.fixed.length}`,
+			`couldntFix=${b.couldntFix.length}`,
+			`skippedTests=${b.skippedTests.length}`,
+			`left=${b.left.length}`,
+			`secrets=${b.secrets.length}`
+		].join(" "),
+		[
+			"aiUsage",
+			`estimatedCostUsd=${report.aiUsage.estimatedCostUsd.toFixed(2)}`,
+			`sessions=${report.aiUsage.sessions}`,
+			`inputTokens=${report.aiUsage.inputTokens}`,
+			`outputTokens=${report.aiUsage.outputTokens}`,
+			`cacheReadInputTokens=${report.aiUsage.cacheReadInputTokens}`,
+			`cacheCreationInputTokens=${report.aiUsage.cacheCreationInputTokens}`
+		].join(" ")
+	];
+	const counts = inScopeByTool(report.findings);
+	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
+	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
+	for (const tool of tools) {
+		const status = statusByTool.get(tool);
+		const c = counts.get(tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			left: 0
+		};
+		const reason = status?.status === "failed" && status.reason ? ` reason=${JSON.stringify(firstLine(status.reason))}` : status?.status === "skipped" ? " reason=not-installed" : "";
+		lines$1.push(`scanner tool=${tool} status=${status?.status ?? "not-recorded"} scope=in-your-changes total=${c.total} fixed=${c.fixed} couldntFix=${c.couldntFix} left=${c.left}${reason}`);
+	}
+	for (const f of b.couldntFix) {
+		const id = retryTarget(f);
+		lines$1.push(`couldnt-fix retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(findingReason(f))} command=${JSON.stringify(`tend retry ${id}`)}`);
+	}
+	for (const f of b.secrets) lines$1.push(`secret retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} action=${JSON.stringify("rotate + scrub history")}`);
+	if (b.skippedTests.length > 0) lines$1.push(`skipped-tests count=${b.skippedTests.length} reason="test files are excluded by default" command="tend run --include-tests <path...>"`);
+	if (verbose) for (const f of report.findings) lines$1.push(`finding retryId=${f.retryId ?? ""} status=${f.status} tool=${f.tool} location=${JSON.stringify(`${f.file}:${f.range.startLine}`)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(f.status === "fixed" ? "" : findingReason(f))}`);
+	lines$1.push("next command=\"tend diff\" command=\"git add -p\" command=\"tend undo\"");
+	return lines$1.join("\n");
+}
+function renderTable(head, rows) {
+	const table = new Table({
+		head,
+		wordWrap: true,
+		style: {
+			head: [],
+			border: []
+		}
+	});
+	table.push(...rows);
+	return table.toString();
+}
+function renderOverallTable(report, b, theme) {
+	const clean = b.fixed.length === 0 && b.couldntFix.length === 0 && b.skippedTests.length === 0 && b.left.length === 0 && b.secrets.length === 0;
+	const rows = [
+		["status", clean ? theme.fixed("nothing to fix") : "completed"],
+		["fix passes", String(report.loops)],
+		["elapsed", formatDuration(report.durationMs)],
+		["fixed", `${theme.fixed(theme.glyph.fixed)} ${b.fixed.length}`],
+		["couldn't fix", `${theme.reverted(theme.glyph.reverted)} ${b.couldntFix.length}`],
+		["skipped tests", `${theme.dim(theme.glyph.left)} ${b.skippedTests.length} (pass --include-tests)`],
+		["left", `${theme.dim(theme.glyph.left)} ${b.left.length}`],
+		["secrets", b.secrets.length > 0 ? theme.error(String(b.secrets.length)) : "0"],
+		["estimated AI cost", formatCost(report.aiUsage.estimatedCostUsd)],
+		["AI sessions", String(report.aiUsage.sessions)],
+		["tokens", formatTokens(report.aiUsage)]
+	];
+	return renderTable(["metric", "value"], rows);
+}
+/** Estimated AI cost as `$X.XX` — always two decimals, never called a "bill". */
+function formatCost(usd) {
+	return `$${usd.toFixed(2)}`;
+}
+/** `<input> in · <output> out · <cache read> cache read · <cache write> cache write`. */
+function formatTokens(u) {
+	return [
+		`${u.inputTokens} in`,
+		`${u.outputTokens} out`,
+		`${u.cacheReadInputTokens} cache read`,
+		`${u.cacheCreationInputTokens} cache write`
+	].join(" · ");
+}
+/** Per-tool tally over the in-scope (your-changes) findings only. */
+function inScopeByTool(findings) {
+	const counts = new Map();
+	for (const f of findings) {
+		if (f.inScope === false) continue;
+		const row = counts.get(f.tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			skippedTests: 0,
+			left: 0
+		};
+		row.total += 1;
+		if (f.status === "fixed") row.fixed += 1;
+		else if (f.status === "reverted" || f.status === "unfixable") row.couldntFix += 1;
+		else if (isTestFile(f.file)) row.skippedTests += 1;
+		else row.left += 1;
+		counts.set(f.tool, row);
+	}
+	return counts;
+}
+function renderScannerBreakdownTable(report, theme) {
+	const counts = inScopeByTool(report.findings);
+	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
+	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
+	if (tools.length === 0) return renderTable([
+		"scanner",
+		"status",
+		"scope",
+		"total",
+		"fixed",
+		"couldn't fix",
+		"skipped tests",
+		"left",
+		"reason"
+	], [[
+		"(none)",
+		"not recorded",
+		"in your changes",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		""
+	]]);
+	const rows = tools.map((tool) => {
+		const status = statusByTool.get(tool);
+		const c = counts.get(tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			skippedTests: 0,
+			left: 0
+		};
+		const label = scannerLabel(tool);
+		const statusText = status?.status === "ran" ? `${theme.fixed(theme.glyph.fixed)} ran` : status?.status === "failed" ? `${theme.error("!")} failed` : status?.status === "skipped" ? "skipped" : "not recorded";
+		const reason = status?.status === "failed" && status.reason ? firstLine(status.reason) : status?.status === "skipped" ? "not installed" : "";
+		return [
+			label,
+			statusText,
+			"in your changes",
+			String(c.total),
+			String(c.fixed),
+			String(c.couldntFix),
+			String(c.skippedTests),
+			String(c.left),
+			reason
+		];
+	});
+	return renderTable([
+		"scanner",
+		"status",
+		"scope",
+		"total",
+		"fixed",
+		"couldn't fix",
+		"skipped tests",
+		"left",
+		"reason"
+	], rows);
+}
+function findingReason(f) {
+	return f.status === "reverted" ? reasonLabel(f.revertReason) : "exhausted retries";
+}
+function retryTarget(f) {
+	return f.retryId ?? f.id;
+}
+function renderCouldntFixTable(findings, theme) {
+	const rows = findings.map((f) => [
+		f.retryId ?? "(none)",
+		f.file,
+		String(f.range.startLine),
+		f.rule,
+		f.message,
+		findingReason(f),
+		`${theme.glyph.arrow} tend retry ${retryTarget(f)}`
+	]);
+	return renderTable([
+		"retryId",
+		"file",
+		"line",
+		"rule",
+		"message",
+		"reason",
+		"command"
+	], rows);
+}
+function renderSecretsTable(findings, theme) {
+	const rows = findings.map((f) => [
+		f.retryId ?? "(none)",
+		f.file,
+		f.rule,
+		theme.error("rotate + scrub history")
+	]);
+	return renderTable([
+		"retryId",
+		"file",
+		"rule",
+		"action"
+	], rows);
+}
+function renderNextCommandsTable() {
+	return renderTable(["action", "command"], [
+		["review edits", "tend diff"],
+		["stage deliberately", "git add -p"],
+		["undo run", "tend undo"]
+	]);
+}
+/** First line of a (possibly multi-line) scanner error reason, trimmed. */
+function firstLine(s) {
+	return s.split("\n")[0].trim();
+}
+function scannerLabel(tool) {
+	return tool === "sonarjs" ? "sonarjs (bundled)" : tool;
+}
+function perToolCounts(findings) {
+	const counts = new Map();
+	for (const f of findings) {
+		const row = counts.get(f.tool) ?? {
+			fixed: 0,
+			reverted: 0,
+			left: 0
+		};
+		if (f.status === "fixed") row.fixed += 1;
+		else if (f.status === "reverted") row.reverted += 1;
+		else row.left += 1;
+		counts.set(f.tool, row);
+	}
+	return counts;
+}
+/** The exhaustive view behind `--verbose`: per-tool breakdown + every finding. */
+function renderVerbose(report, theme) {
+	const table = new Table({
+		head: [
+			"tool",
+			"fixed",
+			"reverted",
+			"left"
+		],
+		style: {
+			head: [],
+			border: []
+		}
+	});
+	for (const [tool, c] of perToolCounts(report.findings)) table.push([
+		tool,
+		String(c.fixed),
+		String(c.reverted),
+		String(c.left)
+	]);
+	const findingRows = report.findings.map((f) => [
+		f.retryId ?? "",
+		f.status,
+		f.tool,
+		`${f.file}:${f.range.startLine}`,
+		f.rule,
+		f.status === "fixed" ? "" : findingReason(f)
+	]);
+	return [
+		theme.bold("verbose totals"),
+		table.toString(),
+		theme.bold("verbose findings"),
+		renderTable([
+			"retryId",
+			"status",
+			"tool",
+			"location",
+			"rule",
+			"reason"
+		], findingRows)
+	].join("\n");
+}
+/**
+* Group the issues that still need a human, ordered by urgency:
+* secrets → security → couldn't-fix → needs-review. Empty groups are omitted.
+*/
+function groupRemaining(report) {
+	const unfixed = report.findings.filter((f) => f.status !== "fixed");
+	const secrets = unfixed.filter((f) => f.category === "secret");
+	const security = unfixed.filter((f) => f.category === "security");
+	const couldntFix = unfixed.filter((f) => f.status === "unfixable" && f.category !== "secret" && f.category !== "security");
+	const groups = [
+		{
+			key: "secrets",
+			title: "SECRETS — rotate now (never auto-fixed)",
+			count: secrets.length
+		},
+		{
+			key: "security",
+			title: "SECURITY",
+			count: security.length
+		},
+		{
+			key: "couldnt-fix",
+			title: "COULDN'T FIX",
+			count: couldntFix.length
+		},
+		{
+			key: "review",
+			title: "NEEDS YOUR REVIEW — behavior changed",
+			count: report.flaggedBehaviorChanges.length
+		}
+	];
+	return groups.filter((g) => g.count > 0);
+}
+
+//#endregion
+//#region src/commands/resolve-finding.ts
+function displayId(finding) {
+	return finding.retryId ?? finding.id;
+}
+function resolveFindingId(id, findings) {
+	const retryMatch = findings.find((f) => f.retryId === id);
+	if (retryMatch) return retryMatch;
+	const exact = findings.find((f) => f.id === id);
+	if (exact) return exact;
+	const prefixMatches = findings.filter((f) => f.id.startsWith(id));
+	if (prefixMatches.length === 0) return { error: `No finding with id "${id}"` };
+	if (prefixMatches.length > 1) {
+		const matches = prefixMatches.map(displayId).join(", ");
+		return { error: `Finding id "${id}" is ambiguous; matches ${matches}. Use the retry id or full fingerprint.` };
+	}
+	return prefixMatches[0];
+}
+
+//#endregion
+//#region src/commands/show.ts
+/** `tend show <id>` — full detail on one finding: attempts, revert reason, taint flow path. */
+function showCommand(id, findings) {
+	const resolved = resolveFindingId(id, findings);
+	if ("error" in resolved) return resolved.error;
+	const finding = resolved;
+	const lines$1 = [
+		`${finding.tool}  ${finding.rule}  [${finding.status}]`,
+		`retry id: ${finding.retryId ?? "(none)"}`,
+		`fingerprint: ${finding.id}`,
+		`${finding.file}:${finding.range.startLine}`,
+		finding.message,
+		`attempts: ${finding.attempts}`
+	];
+	if (finding.revertReason) lines$1.push(`last revert reason: ${finding.revertReason}`);
+	if (finding.flowPath?.length) {
+		lines$1.push("flow path:");
+		for (const step of finding.flowPath) lines$1.push(`  → ${step.file}:${step.line}`);
+	}
+	if (finding.helpUri) lines$1.push(`docs: ${finding.helpUri}`);
+	return lines$1.join("\n");
+}
+
+//#endregion
+//#region src/commands/retry.ts
+function findingsOf(deps) {
+	return deps.report?.findings ?? deps.findings ?? [];
+}
+function syncDerivedReportFields(report) {
+	report.secrets = report.findings.filter((f) => f.category === "secret");
+	report.depBumps = report.findings.filter((f) => f.remediation !== void 0).map((f) => ({
+		findingId: f.id,
+		remediation: f.remediation
+	}));
+	report.exitStatus = report.secrets.length > 0 ? 1 : 0;
+}
+function resolveRetryTarget(id, findings) {
+	const resolved = resolveFindingId(id, findings);
+	if ("error" in resolved) return resolved;
+	if (resolved.status === "fixed") return { error: `Finding ${resolved.id} is already fixed` };
+	if (resolved.track !== "ai-fix") return { error: `Finding ${resolved.id} is not AI-fixable` };
+	return resolved;
+}
+/** `tend retry <id>` — re-attempt a stubborn finding with a larger attempt budget. */
+async function retryCommand(id, deps) {
+	const resolved = resolveRetryTarget(id, findingsOf(deps));
+	if ("error" in resolved) return resolved;
+	const finding = resolved;
+	const largerBudget = Math.max(deps.baseBudget * 2, finding.attempts + 1);
+	finding.status = "fixing";
+	const outcome = await deps.runFix(finding, largerBudget);
+	if (outcome.kept) {
+		finding.status = "fixed";
+		delete finding.revertReason;
+		if (deps.report) syncDerivedReportFields(deps.report);
+		return {
+			outcome: "fixed",
+			finding,
+			budget: largerBudget
+		};
+	}
+	const reason = outcome.reason ?? "session-error";
+	finding.attempts += 1;
+	finding.revertReason = reason;
+	finding.status = finding.attempts >= largerBudget ? "unfixable" : "reverted";
+	if (deps.report) syncDerivedReportFields(deps.report);
+	return {
+		outcome: "reverted",
+		finding,
+		budget: largerBudget,
+		reason
+	};
+}
+
+//#endregion
+//#region src/config/config.ts
+const EFFORT_LEVELS = [
+	"low",
+	"medium",
+	"high",
+	"xhigh",
+	"max"
+];
+const ToolConfigSchema = z.object({
+	enabled: z.boolean().default(true),
+	configPath: z.string().optional()
+});
+const ConfigSchema = z.object({
+	maxSessions: z.number().int().positive().default(4),
+	maxLoops: z.number().int().positive().default(5),
+	perIssueBudget: z.number().int().positive().default(3),
+	test: z.string().optional(),
+	teethCheck: z.boolean().default(true),
+	includeTests: z.boolean().default(false),
+	model: z.string().default("sonnet"),
+	effort: z.enum(EFFORT_LEVELS).optional(),
+	tools: z.record(z.string(), ToolConfigSchema).default({})
+});
+/**
+* Load config via cosmiconfig (searching from `cwd`), validate with zod, and apply
+* zero-config defaults when no file is found. Invalid config throws a clear message.
+*/
+async function loadConfig(cwd) {
+	const explorer = cosmiconfig("tend", { stopDir: cwd });
+	const found = await explorer.search(cwd);
+	const raw = found?.config ?? {};
+	const parsed = ConfigSchema.safeParse(raw);
+	if (!parsed.success) {
+		const issues = parsed.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`);
+		throw new Error(`Invalid tend config:\n  ${issues.join("\n  ")}`);
+	}
+	return parsed.data;
+}
+/** Overlay CLI flags onto a loaded config (flags win). */
+function applyCliOverrides(config, overrides) {
+	const result$1 = { ...config };
+	for (const [key, value] of Object.entries(overrides)) if (value !== void 0) result$1[key] = value;
+	return result$1;
+}
+
+//#endregion
+export { ClaudeSession, ConfigSchema, EFFORT_LEVELS, EventBus, FindingSchema, FindingStore, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, assertGitRepo, buildProgram, changedFiles, changedVsHead, createGit, detectPackageManager, dispatch, filesUnder, filterToChanged, fingerprint, formatClock, groupRemaining, isAvailable, loadConfig, makeTheme, normalize, orchestrate, planWork, reasonLabel, renderSummary, resolveRetryTarget, retryCommand, revertFile, route, runScanner, scannerStatus, scopeFindings, showCommand, trackForTool, zeroUsage };