tend-cli 0.5.0 → 0.6.0

package/dist/config-LHbm_R36.js

@@ -1,1875 +0,0 @@
-import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { Command } from "commander";
-import { createHash } from "node:crypto";
-import { z } from "zod";
-import { tmpdir } from "node:os";
-import { simpleGit } from "simple-git";
-import PQueue from "p-queue";
-import { customAlphabet } from "nanoid";
-import Table from "cli-table3";
-import { Chalk, supportsColor } from "chalk";
-import gradient from "gradient-string";
-import { cosmiconfig } from "cosmiconfig";
-
-//#region src/cli.ts
-const COMMAND_NAMES = new Set([
-	"diff",
-	"help",
-	"retry",
-	"run",
-	"show",
-	"undo"
-]);
-const RUN_OPTION_NAMES = new Set([
-	"--all",
-	"--effort",
-	"--include-tests",
-	"--max-loops",
-	"--max-sessions",
-	"--model",
-	"--no-color",
-	"--plain",
-	"--verbose"
-]);
-function addRunOptions(command) {
-	return command.option("--all", "fix the entire backlog, not just changed files").option("--max-loops <n>", "cap on fix loops", (v) => parseInt(v, 10)).option("--max-sessions <n>", "concurrent AI sessions", (v) => parseInt(v, 10)).option("--model <model>", "model for fixes: sonnet (default), opus, haiku, or a full model id").option("--effort <level>", "reasoning effort for fixes: low | medium | high | xhigh | max").option("--include-tests", "also fix findings in test files (excluded by default)").option("--plain", "plain one-line-per-event output for pipes/CI (no color, no spinners)").option("--no-color", "disable color output").option("--verbose", "show the full per-tool / per-finding breakdown in the summary");
-}
-function looksLikePath(value) {
-	return value.includes("/") || value.includes("\\") || value.startsWith(".") || existsSync(value);
-}
-function isRunOption(value) {
-	const name = value.split("=")[0] ?? value;
-	return RUN_OPTION_NAMES.has(name);
-}
-function shouldInsertRun(args) {
-	const first = args[0];
-	if (!first) return true;
-	if (first === "--help" || first === "-h" || COMMAND_NAMES.has(first)) return false;
-	return isRunOption(first) || looksLikePath(first);
-}
-function withDefaultRun(argv, from) {
-	const prefixLength = from === "user" ? 0 : 2;
-	const prefix = argv.slice(0, prefixLength);
-	const args = argv.slice(prefixLength);
-	return shouldInsertRun(args) ? [
-		...prefix,
-		"run",
-		...args
-	] : [...argv];
-}
-function enableDefaultRun(program) {
-	const parse = program.parse.bind(program);
-	const parseAsync = program.parseAsync.bind(program);
-	program.parse = (argv, options) => parse(withDefaultRun(argv ?? process.argv, options?.from), options);
-	program.parseAsync = (argv, options) => parseAsync(withDefaultRun(argv ?? process.argv, options?.from), options);
-}
-/** Build the commander program wiring each subcommand to a handler. */
-function buildProgram(handlers) {
-	const program = new Command();
-	program.name("tend").description("Audit a JS/TS repo and fix findings with AI in a safe loop.");
-	program.exitOverride();
-	program.addHelpCommand(true);
-	const run = program.command("run").description("snapshot → audit → fix loop → report (changed files)").argument("[paths...]", "fix only findings under these files/dirs (committed or not)");
-	addRunOptions(run).action((paths, opts) => handlers.run({
-		...opts,
-		paths
-	}));
-	program.command("diff").description("show only the tool's edits").action(() => handlers.diff());
-	program.command("undo").description("restore the pre-run snapshot").action(() => handlers.undo());
-	program.command("show <id>").description("full detail on one finding").action((id) => handlers.show(id));
-	program.command("retry <id>").description("re-attempt a stubborn finding with a larger budget").action((id) => handlers.retry(id));
-	enableDefaultRun(program);
-	return program;
-}
-
-//#endregion
-//#region src/scanners/scope.ts
-/**
-* Files changed vs `HEAD` (tracked modifications/additions/renames plus untracked),
-* scoped and re-based to `git`'s working directory — see `changedVsHead` in git/repo.ts
-* for why this matters when tend runs from a subdirectory of the repo.
-*/
-async function changedFiles(git) {
-	const prefix = (await git.revparse(["--show-prefix"])).trim();
-	const status = await git.status();
-	const files = new Set();
-	for (const file of status.files) {
-		const path = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
-		if (!prefix) files.add(path);
-		else if (path.startsWith(prefix)) files.add(path.slice(prefix.length));
-	}
-	return [...files];
-}
-/** Keep only findings whose file is in the changed set. */
-function filterToChanged(findings, changed) {
-	const set = new Set(changed);
-	return findings.filter((f) => {
-		if (set.has(f.file)) return true;
-		if (f.category === "duplication") return (f.flowPath ?? []).some((p) => set.has(p.file));
-		return false;
-	});
-}
-/** Apply the fix scope: `--all` fixes everything, otherwise only changed files. */
-function scopeFindings(findings, opts) {
-	return opts.all ? findings : filterToChanged(findings, opts.changed);
-}
-
-//#endregion
-//#region src/findings/finding.ts
-const TOOLS = [
-	"sonarjs",
-	"knip",
-	"jscpd",
-	"semgrep",
-	"osv",
-	"gitleaks"
-];
-const RangeSchema = z.object({
-	startLine: z.number(),
-	startCol: z.number(),
-	endLine: z.number(),
-	endCol: z.number()
-});
-const FindingSchema = z.object({
-	id: z.string(),
-	retryId: z.string().optional(),
-	tool: z.enum(TOOLS),
-	rule: z.string(),
-	category: z.enum([
-		"bug",
-		"smell",
-		"dead-code",
-		"duplication",
-		"security",
-		"secret",
-		"vuln-dep"
-	]),
-	severity: z.enum([
-		"error",
-		"warning",
-		"info"
-	]),
-	file: z.string(),
-	range: RangeSchema,
-	message: z.string(),
-	helpUri: z.string().optional(),
-	flowPath: z.array(z.object({
-		file: z.string(),
-		line: z.number()
-	})).optional(),
-	remediation: z.string().optional(),
-	track: z.enum([
-		"ai-fix",
-		"deterministic",
-		"report-only"
-	]),
-	status: z.enum([
-		"pending",
-		"fixing",
-		"fixed",
-		"reverted",
-		"unfixable",
-		"skipped"
-	]),
-	attempts: z.number(),
-	revertReason: z.enum([
-		"broke-test",
-		"suppression",
-		"regression",
-		"typecheck",
-		"session-error"
-	]).optional(),
-	revertDetail: z.string().optional(),
-	firstSeenLoop: z.number(),
-	lastSeenLoop: z.number(),
-	inScope: z.boolean().optional()
-});
-/**
-* Stable identity for a finding: hash(tool | rule | file | line | message).
-* Same components → same fingerprint, across loops and runs.
-*/
-function fingerprint(input) {
-	const key = [
-		input.tool,
-		input.rule,
-		input.file,
-		input.line,
-		input.message
-	].join("|");
-	return createHash("sha256").update(key).digest("hex");
-}
-
-//#endregion
-//#region src/findings/normalize.ts
-const TRACK_BY_TOOL = {
-	sonarjs: "ai-fix",
-	knip: "ai-fix",
-	jscpd: "ai-fix",
-	semgrep: "ai-fix",
-	osv: "deterministic",
-	gitleaks: "report-only"
-};
-const CROSS_FILE_JSCPD_REMEDIATION = "Requires a multi-file refactor across the duplicated clone sites; Tend does not run multi-file AI fixers for jscpd duplicates yet.";
-/** Which track a tool's findings flow into. */
-function trackForTool(tool) {
-	return TRACK_BY_TOOL[tool];
-}
-function isCrossFileJscpdDuplicate(raw) {
-	if (raw.tool !== "jscpd" || raw.rule !== "duplicate-code") return false;
-	return new Set((raw.flowPath ?? []).map((step) => step.file)).size > 1;
-}
-/** Which track a scanner finding flows into after rule-specific routing. */
-function trackForRawFinding(raw) {
-	if (isCrossFileJscpdDuplicate(raw)) return "report-only";
-	return trackForTool(raw.tool);
-}
-/** Turn a raw scanner record into a tracked `Finding` for the given loop. */
-function normalize(raw, loop) {
-	const id = fingerprint({
-		tool: raw.tool,
-		rule: raw.rule,
-		file: raw.file,
-		line: raw.range.startLine,
-		message: raw.message
-	});
-	const finding = {
-		id,
-		tool: raw.tool,
-		rule: raw.rule,
-		category: raw.category,
-		severity: raw.severity,
-		file: raw.file,
-		range: raw.range,
-		message: raw.message,
-		track: trackForRawFinding(raw),
-		status: "pending",
-		attempts: 0,
-		firstSeenLoop: loop,
-		lastSeenLoop: loop
-	};
-	if (raw.helpUri !== void 0) finding.helpUri = raw.helpUri;
-	if (raw.flowPath !== void 0) finding.flowPath = raw.flowPath;
-	if (raw.remediation !== void 0) finding.remediation = raw.remediation;
-	else if (isCrossFileJscpdDuplicate(raw)) finding.remediation = CROSS_FILE_JSCPD_REMEDIATION;
-	return finding;
-}
-
-//#endregion
-//#region src/scanners/scanner.ts
-/** Collapse a ScanResult to its reportable status: skipped → ran → failed (error present). */
-function scannerStatus(result$1) {
-	if (result$1.skipped) return {
-		tool: result$1.tool,
-		status: "skipped"
-	};
-	if (result$1.error !== void 0) return {
-		tool: result$1.tool,
-		status: "failed",
-		reason: result$1.error
-	};
-	return {
-		tool: result$1.tool,
-		status: "ran"
-	};
-}
-async function isAvailable(scanner, which) {
-	return which(scanner.binary);
-}
-/**
-* Shared run sequence for every scanner:
-*   availability → args → spawn → parse → normalize.
-* Missing binary → skipped (not fatal). Timeout/spawn error or malformed output → error result.
-*/
-async function runScanner(scanner, ctx, deps) {
-	if (!await isAvailable(scanner, deps.which)) return {
-		tool: scanner.tool,
-		findings: [],
-		skipped: true
-	};
-	const args = scanner.buildArgs(ctx);
-	let raw;
-	try {
-		raw = await deps.spawn(scanner.binary, args, {
-			cwd: ctx.cwd,
-			timeout: deps.timeout
-		});
-	} catch (err) {
-		return {
-			tool: scanner.tool,
-			findings: [],
-			skipped: false,
-			error: errorMessage(err)
-		};
-	}
-	try {
-		const findings = scanner.parse(raw, ctx).map((r) => normalize(r, ctx.loop));
-		return {
-			tool: scanner.tool,
-			findings,
-			skipped: false
-		};
-	} catch (err) {
-		const reason = raw.exitCode !== 0 ? raw.stderr.trim() || errorMessage(err) : errorMessage(err);
-		return {
-			tool: scanner.tool,
-			findings: [],
-			skipped: false,
-			error: reason
-		};
-	}
-}
-function errorMessage(err) {
-	return err instanceof Error ? err.message : String(err);
-}
-
-//#endregion
-//#region src/git/repo.ts
-/** Refuse to run outside a git repo — the snapshot/restore safety net needs it. */
-async function assertGitRepo(git) {
-	if (!await git.checkIsRepo()) throw new Error("not a git repository — run tend inside a git repo");
-}
-/**
-* `git status` reports paths relative to the repo root and for the whole repo, even
-* when run from a subdirectory. Scanners run from `git`'s working dir and report paths
-* relative to it, so we scope changed files to that subtree and re-base them onto it
-* using git's own cwd→root prefix (empty when run from the repo root).
-*/
-function scopeToCwd(repoPath, prefix) {
-	if (!prefix) return repoPath;
-	if (!repoPath.startsWith(prefix)) return null;
-	return repoPath.slice(prefix.length);
-}
-/**
-* Files changed vs `HEAD`: tracked modifications/additions/renames plus untracked files,
-* scoped and re-based to `git`'s working directory (so a run from `apps/foo` only sees
-* `apps/foo`'s changes, pathed as the scanners path them).
-*/
-async function changedVsHead(git) {
-	const prefix = (await git.revparse(["--show-prefix"])).trim();
-	const status = await git.status();
-	const files = new Set();
-	for (const file of status.files) {
-		const repoPath = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
-		const rel = scopeToCwd(repoPath, prefix);
-		if (rel !== null) files.add(rel);
-	}
-	return [...files];
-}
-/**
-* Concrete files under the given path(s) — tracked plus untracked (so newly-added files
-* are scoped too, mirroring `changedVsHead`). `git ls-files` reports paths relative to
-* `git`'s working directory and interprets the pathspecs the same way, so the result is
-* already in the coordinate system the scanners and `filterToChanged` expect. Expanding to
-* concrete files (not bare directories) matters: `filterToChanged` matches exact paths.
-*/
-async function filesUnder(git, paths) {
-	if (paths.length === 0) return [];
-	const list = async (args) => (await git.raw([
-		"ls-files",
-		...args,
-		"--",
-		...paths
-	])).split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
-	const files = new Set([...await list([]), ...await list(["-o", "--exclude-standard"])]);
-	return [...files];
-}
-/** Revert a single file to its snapshot state. */
-function revertFile(snapshot, file) {
-	return snapshot.restoreFile(file);
-}
-
-//#endregion
-//#region src/git/client.ts
-const UNSAFE_GIT_ENV_KEYS = [
-	"EDITOR",
-	"VISUAL",
-	"GIT_EDITOR",
-	"GIT_SEQUENCE_EDITOR",
-	"GIT_PAGER",
-	"PAGER"
-];
-function gitEnv(extra = {}) {
-	const env = {
-		...process.env,
-		...extra
-	};
-	for (const key of UNSAFE_GIT_ENV_KEYS) delete env[key];
-	return env;
-}
-function createGit(root, extraEnv = {}) {
-	return simpleGit(root).env(gitEnv(extraEnv));
-}
-
-//#endregion
-//#region src/git/snapshot.ts
-const SNAP_MSG = "tend snapshot";
-/** A private ref pins the snapshot commit so `git gc` can't prune it (it's on no branch). */
-const SNAP_REF = "refs/tend/snapshot";
-let indexCounter = 0;
-/**
-* Write the entire current working tree (tracked + untracked, honoring .gitignore) into a git
-* tree object, using a throwaway index so the user's real staging area is never touched.
-* Returns the tree's object id. Git stores only new blobs and reuses the rest — near-instant,
-* a few KB, not a full copy of every file.
-*/
-async function writeWorkingTree(root) {
-	const idxPath = join(tmpdir(), `tend-index-${process.pid}-${indexCounter++}`);
-	try {
-		const g = createGit(root, { GIT_INDEX_FILE: idxPath });
-		await g.raw(["add", "-A"]);
-		return (await g.raw(["write-tree"])).trim();
-	} finally {
-		rmSync(idxPath, { force: true });
-	}
-}
-/** Keep tend's own `.tend/` artifacts out of snapshots and the user's `git status`. */
-function ensureTendIgnored(gitDir) {
-	const excludePath = join(gitDir, "info", "exclude");
-	const line = ".tend/";
-	let current = "";
-	try {
-		current = readFileSync(excludePath, "utf8");
-	} catch {}
-	if (current.split("\n").some((l) => l.trim() === line)) return;
-	mkdirSync(dirname(excludePath), { recursive: true });
-	const sep$1 = current === "" || current.endsWith("\n") ? "" : "\n";
-	writeFileSync(excludePath, `${current}${sep$1}${line}\n`);
-}
-const lines = (raw) => raw.split("\n").map((l) => l.trim()).filter(Boolean);
-/** Files currently in the repo: tracked + untracked (non-ignored), repo-root-relative. */
-async function currentFiles(root) {
-	const g = createGit(root);
-	const tracked = await g.raw(["ls-files"]);
-	const untracked = await g.raw([
-		"ls-files",
-		"--others",
-		"--exclude-standard"
-	]);
-	return [...new Set([...lines(tracked), ...lines(untracked)])];
-}
-/**
-* A silent restore point for the working tree, stored as a git commit object pinned by a private
-* ref (`refs/tend/snapshot`) — nothing committed to any branch, the editor sees no change. Backs
-* `tend undo` (exact restore) and `tend diff` (only the tool's edits). Reuses git's content store,
-* so the on-disk record is a 40-char id rather than a copy of every file.
-*/
-var Snapshot = class Snapshot {
-	constructor(cwd, root, sha) {
-		this.cwd = cwd;
-		this.root = root;
-		this.sha = sha;
-	}
-	static async capture(_git, cwd) {
-		const git = createGit(cwd);
-		const root = (await git.revparse(["--show-toplevel"])).trim();
-		const gitDir = (await git.revparse(["--absolute-git-dir"])).trim();
-		ensureTendIgnored(gitDir);
-		const rg = createGit(root);
-		const tree = await writeWorkingTree(root);
-		let parent = null;
-		try {
-			parent = (await rg.revparse(["HEAD"])).trim();
-		} catch {
-			parent = null;
-		}
-		const commitArgs = parent ? [
-			"commit-tree",
-			tree,
-			"-p",
-			parent,
-			"-m",
-			SNAP_MSG
-		] : [
-			"commit-tree",
-			tree,
-			"-m",
-			SNAP_MSG
-		];
-		const sha = (await rg.raw(commitArgs)).trim();
-		await rg.raw([
-			"update-ref",
-			SNAP_REF,
-			sha
-		]);
-		return new Snapshot(cwd, root, sha);
-	}
-	/** Serialize to a tiny object for `.tend/snapshot.json` (powers `undo` across invocations). */
-	toJSON() {
-		return {
-			cwd: this.cwd,
-			root: this.root,
-			sha: this.sha
-		};
-	}
-	static fromJSON(data) {
-		return new Snapshot(data.cwd, data.root, data.sha);
-	}
-	/** Files whose contents differ from the snapshot, or that are new/deleted since it (sorted). */
-	async changedSince(_git) {
-		const currentTree = await writeWorkingTree(this.root);
-		const diff = await createGit(this.root).raw([
-			"diff",
-			"--name-only",
-			this.sha,
-			currentTree
-		]);
-		return lines(diff).sort();
-	}
-	/** Restore a single file to its captured contents (worktree only — the user's index is untouched). */
-	async restoreFile(rel) {
-		await createGit(this.root).raw([
-			"restore",
-			"--source",
-			this.sha,
-			"--worktree",
-			"--",
-			rel
-		]);
-	}
-	/** Restore the working tree exactly to the captured state (incl. deleting files created since). */
-	async restore(_git) {
-		const rg = createGit(this.root);
-		await rg.raw([
-			"restore",
-			"--source",
-			this.sha,
-			"--worktree",
-			"--",
-			":/"
-		]);
-		const inSnapshot = new Set(lines(await rg.raw([
-			"ls-tree",
-			"-r",
-			"--name-only",
-			this.sha
-		])));
-		for (const rel of await currentFiles(this.root)) if (!inSnapshot.has(rel)) rmSync(join(this.root, rel), { force: true });
-	}
-};
-
-//#endregion
-//#region src/detect/package-manager.ts
-const LOCKFILES = [
-	{
-		file: "pnpm-lock.yaml",
-		pm: "pnpm"
-	},
-	{
-		file: "yarn.lock",
-		pm: "yarn"
-	},
-	{
-		file: "bun.lockb",
-		pm: "bun"
-	},
-	{
-		file: "bun.lock",
-		pm: "bun"
-	},
-	{
-		file: "package-lock.json",
-		pm: "npm"
-	}
-];
-/** Detect the package manager from the lockfile present; defaults to npm. */
-function detectPackageManager(cwd) {
-	for (const { file, pm } of LOCKFILES) if (existsSync(join(cwd, file))) return pm;
-	return "npm";
-}
-
-//#endregion
-//#region src/session/types.ts
-/** A usage record with everything zeroed. */
-const zeroUsage = () => ({
-	estimatedCostUsd: 0,
-	inputTokens: 0,
-	outputTokens: 0,
-	cacheCreationInputTokens: 0,
-	cacheReadInputTokens: 0,
-	sessions: 0
-});
-/** Sum two usage records field-by-field (used to roll usage up through the run). */
-function addUsage(a, b) {
-	return {
-		estimatedCostUsd: a.estimatedCostUsd + b.estimatedCostUsd,
-		inputTokens: a.inputTokens + b.inputTokens,
-		outputTokens: a.outputTokens + b.outputTokens,
-		cacheCreationInputTokens: a.cacheCreationInputTokens + b.cacheCreationInputTokens,
-		cacheReadInputTokens: a.cacheReadInputTokens + b.cacheReadInputTokens,
-		sessions: a.sessions + b.sessions
-	};
-}
-
-//#endregion
-//#region src/fixing/dispatch.ts
-const TEST_FILE_RE = /^(.*)\.(test|spec)\.([cm]?[jt]sx?)$/;
-/** Whether a repo-relative path is a test file (`*.test.*` / `*.spec.*`). */
-const isTestFile = (file) => TEST_FILE_RE.test(file);
-/** A test file's owning code file (so both go to the same worker); else the file itself. */
-function ownerOf(file) {
-	const m = file.match(TEST_FILE_RE);
-	return m ? `${m[1]}.${m[3]}` : file;
-}
-/**
-* Group findings into work units so each worker owns a disjoint set of files
-* (a code file plus its sibling test). No two sessions ever touch the same file.
-*/
-function planWork(findings) {
-	const byOwner = new Map();
-	for (const finding of findings) {
-		const owner = ownerOf(finding.file);
-		let unit = byOwner.get(owner);
-		if (!unit) {
-			unit = {
-				file: owner,
-				files: [],
-				findings: []
-			};
-			byOwner.set(owner, unit);
-		}
-		unit.findings.push(finding);
-		if (!unit.files.includes(finding.file)) unit.files.push(finding.file);
-		if (!unit.files.includes(owner)) unit.files.push(owner);
-	}
-	return [...byOwner.values()];
-}
-/** Run each work unit through `runUnit`, capped at `concurrency` concurrent sessions. */
-async function dispatch(units, runUnit, opts) {
-	const queue = new PQueue({ concurrency: opts.concurrency });
-	return Promise.all(units.map((unit) => queue.add(() => runUnit(unit))));
-}
-
-//#endregion
-//#region src/session/stream-json.ts
-const RATE_LIMIT_RE = /rate.?limit|overloaded|\b429\b/i;
-/** A finite, non-negative number, or 0 for anything else (missing/NaN/negative). */
-function num(v) {
-	return typeof v === "number" && Number.isFinite(v) && v >= 0 ? v : 0;
-}
-const zeroCost = () => ({
-	estimatedCostUsd: 0,
-	inputTokens: 0,
-	outputTokens: 0,
-	cacheCreationInputTokens: 0,
-	cacheReadInputTokens: 0
-});
-function parseEvent(line) {
-	const trimmed = line.trim();
-	if (!trimmed) return null;
-	try {
-		return JSON.parse(trimmed);
-	} catch {
-		return null;
-	}
-}
-function extractUsage(event) {
-	const rawCost = event.total_cost_usd ?? event.cost_usd ?? event.costUSD;
-	const u = event.usage;
-	if (rawCost == null && u == null) return null;
-	return {
-		estimatedCostUsd: num(rawCost),
-		inputTokens: num(u?.input_tokens),
-		outputTokens: num(u?.output_tokens),
-		cacheCreationInputTokens: num(u?.cache_creation_input_tokens),
-		cacheReadInputTokens: num(u?.cache_read_input_tokens)
-	};
-}
-function extractEdits(event) {
-	const edits = [];
-	for (const block of event.message?.content ?? []) if (block.type === "tool_use" && block.name === "Write") {
-		const path = block.input?.["file_path"];
-		const contents = block.input?.["content"];
-		if (typeof path === "string" && typeof contents === "string") edits.push({
-			path,
-			contents
-		});
-	}
-	return edits;
-}
-/**
-* Parse Claude Code `--output-format stream-json` (newline-delimited JSON) into the
-* file edits it produced. `Write` tool uses carry full file contents. Malformed lines
-* are skipped. Rate-limit / error signals are surfaced for backoff.
-*/
-function parseStreamJson(raw) {
-	const edits = [];
-	let rateLimited = false;
-	let errored = false;
-	let usage = null;
-	for (const line of raw.split("\n")) {
-		const event = parseEvent(line);
-		if (!event) continue;
-		if (event.is_error) {
-			errored = true;
-			if (event.error && RATE_LIMIT_RE.test(event.error)) rateLimited = true;
-		}
-		if (event.type === "result") {
-			const u = extractUsage(event);
-			if (u) usage = u;
-		}
-		edits.push(...extractEdits(event));
-	}
-	return {
-		edits,
-		rateLimited,
-		errored,
-		usage: usage ?? zeroCost()
-	};
-}
-
-//#endregion
-//#region src/session/claude.ts
-/** Drives a real `claude -p` session and parses its stream-json into edits. */
-var ClaudeSession = class {
-	constructor(deps) {
-		this.deps = deps;
-	}
-	async run(request) {
-		let stdout;
-		let exitCode;
-		try {
-			({stdout, exitCode} = await this.deps.spawn(request));
-		} catch (err) {
-			return {
-				ok: false,
-				error: err instanceof Error ? err.message : String(err),
-				rateLimited: false,
-				usage: zeroUsage()
-			};
-		}
-		const parsed = parseStreamJson(stdout);
-		const usage = {
-			...parsed.usage,
-			sessions: 1
-		};
-		if (parsed.rateLimited) return {
-			ok: false,
-			error: "Claude session rate-limited",
-			rateLimited: true,
-			usage
-		};
-		if (exitCode !== 0 || parsed.errored) return {
-			ok: false,
-			error: `Claude session failed (exit ${exitCode})`,
-			rateLimited: false,
-			usage
-		};
-		return {
-			ok: true,
-			edits: parsed.edits,
-			usage
-		};
-	}
-};
-
-//#endregion
-//#region src/findings/revert-detail.ts
-const MAX_REVERT_DETAIL_LENGTH = 500;
-/** Keep persisted diagnostics readable and bounded for report.json. */
-function normalizeRevertDetail(detail) {
-	const trimmed = detail?.replace(/\s+/g, " ").trim();
-	if (!trimmed) return void 0;
-	if (trimmed.length <= MAX_REVERT_DETAIL_LENGTH) return trimmed;
-	return `${trimmed.slice(0, MAX_REVERT_DETAIL_LENGTH - 3)}...`;
-}
-
-//#endregion
-//#region src/findings/store.ts
-const StoreSchema = z.array(FindingSchema);
-/** Holds Finding records keyed by fingerprint and tracks their state across loops. */
-var FindingStore = class FindingStore {
-	findings = new Map();
-	add(finding) {
-		this.findings.set(finding.id, finding);
-	}
-	get(id) {
-		return this.findings.get(id);
-	}
-	all() {
-		return [...this.findings.values()];
-	}
-	/**
-	* Diff a fresh audit against what the store knows, by fingerprint:
-	*   - known but absent now  → marked `fixed`
-	*   - present both loops     → stays as-is, carries attempts/history, bumps lastSeenLoop
-	*   - new fingerprint         → added `pending`, firstSeenLoop = loop
-	*/
-	reconcile(fresh, loop) {
-		const freshIds = new Set(fresh.map((f) => f.id));
-		for (const known of this.findings.values()) if (!freshIds.has(known.id)) {
-			known.status = "fixed";
-			delete known.revertReason;
-			delete known.revertDetail;
-		}
-		for (const incoming of fresh) {
-			const known = this.findings.get(incoming.id);
-			if (known) {
-				known.lastSeenLoop = loop;
-				if (known.status === "fixed" || known.status === "reverted") known.status = "pending";
-			} else this.findings.set(incoming.id, {
-				...incoming,
-				firstSeenLoop: loop,
-				lastSeenLoop: loop
-			});
-		}
-	}
-	/** Findings matching every provided filter (track / status / file). */
-	query(filter) {
-		return this.all().filter((f) => (filter.track === void 0 || f.track === filter.track) && (filter.status === void 0 || f.status === filter.status) && (filter.file === void 0 || f.file === filter.file));
-	}
-	/** Record a failed fix attempt against a finding's fingerprint. */
-	recordFailedAttempt(id, reason, detail) {
-		const finding = this.findings.get(id);
-		if (!finding) return;
-		finding.attempts += 1;
-		finding.revertReason = reason;
-		const normalizedDetail = normalizeRevertDetail(detail);
-		if (normalizedDetail) finding.revertDetail = normalizedDetail;
-		else delete finding.revertDetail;
-	}
-	/** A finding's per-issue budget is exhausted once it has used `budget` attempts. */
-	isBudgetExhausted(id, budget) {
-		const finding = this.findings.get(id);
-		if (!finding) return false;
-		return finding.attempts >= budget;
-	}
-	/** Serialize to a plain array — `report.json`'s findings section. */
-	toJSON() {
-		return this.all();
-	}
-	/** Rebuild a store from serialized findings, validating each against the schema. */
-	static fromJSON(data) {
-		const findings = StoreSchema.parse(data);
-		const store = new FindingStore();
-		for (const finding of findings) store.add(finding);
-		return store;
-	}
-};
-
-//#endregion
-//#region src/findings/router.ts
-function isKnownTool(tool) {
-	return TOOLS.includes(tool);
-}
-/** Split findings into their assigned fix tracks; unknown tools are skipped with a warning. */
-function route(findings, opts = {}) {
-	const result$1 = {
-		aiFix: [],
-		deterministic: [],
-		reportOnly: [],
-		skipped: []
-	};
-	for (const finding of findings) {
-		if (!isKnownTool(finding.tool)) {
-			opts.warn?.(`Skipping finding from unknown tool "${finding.tool}"`);
-			result$1.skipped.push(finding);
-			continue;
-		}
-		switch (finding.track) {
-			case "ai-fix":
-				result$1.aiFix.push(finding);
-				break;
-			case "deterministic":
-				result$1.deterministic.push(finding);
-				break;
-			case "report-only":
-				result$1.reportOnly.push(finding);
-				break;
-		}
-	}
-	return result$1;
-}
-
-//#endregion
-//#region src/output/events.ts
-/** Minimal synchronous event bus. With no listener, emit is a no-op (silent mode). */
-var EventBus = class {
-	listeners = [];
-	on(listener) {
-		this.listeners.push(listener);
-		return () => {
-			const i = this.listeners.indexOf(listener);
-			if (i >= 0) this.listeners.splice(i, 1);
-		};
-	}
-	emit(event) {
-		for (const listener of this.listeners) listener(event);
-	}
-};
-
-//#endregion
-//#region src/orchestrator.ts
-/** AI-fixable findings still pending and under their retry budget. */
-function pendingUnderBudget(store, budget) {
-	return store.query({
-		track: "ai-fix",
-		status: "pending"
-	}).filter((f) => f.attempts < budget);
-}
-function dispatchableUnits(findings, includeTests) {
-	return planWork(findings).filter((u) => includeTests || u.findings.some((f) => !isTestFile(f.file)));
-}
-function statusAttemptSnapshot(store) {
-	return store.all().map((f) => `${f.id}:${f.status}:${f.attempts}`).sort().join("|");
-}
-function applyOutcome(store, unit, outcome, budget) {
-	for (const finding of unit.findings) if (outcome.kept) {
-		finding.status = "fixed";
-		delete finding.revertReason;
-		delete finding.revertDetail;
-	} else {
-		store.recordFailedAttempt(finding.id, outcome.reason ?? "session-error", outcome.detail);
-		if (store.isBudgetExhausted(finding.id, budget)) finding.status = "unfixable";
-	}
-}
-/**
-* The scan → fix → re-audit loop. Terminates on the first of: converged (0 fixable),
-* no-progress (no dispatchable units or an attempted loop changed no attempt/status
-* state), per-issue budget exhaustion (mark unfixable, keep going), or max-loops.
-*/
-async function orchestrate(deps) {
-	const { config } = deps;
-	const inScope = deps.inScope ?? ((f) => f);
-	const bus = deps.bus ?? new EventBus();
-	const store = new FindingStore();
-	const secrets = new Map();
-	const depBumps = new Map();
-	let loop = 0;
-	let fixingLoops = 0;
-	let termination = "converged";
-	let scannerStatuses = [];
-	let runScope = { type: "scoped" };
-	let usage = zeroUsage();
-	while (true) {
-		loop++;
-		bus.emit({
-			type: "scan-start",
-			loop
-		});
-		const audited = await deps.audit(loop);
-		scannerStatuses = audited.scannerStatuses ?? scannerStatuses;
-		if (loop === 1) runScope = audited.scanned == null ? { type: "all" } : {
-			type: "scoped",
-			fileCount: audited.scanned
-		};
-		if (loop === 1 && audited.allScannersMissing) {
-			bus.emit({
-				type: "done",
-				exitStatus: 1
-			});
-			return result("no-scanners", fixingLoops, 1, store, secrets, depBumps, scannerStatuses, runScope, usage);
-		}
-		store.reconcile(audited.findings, loop);
-		const scopedIds = new Set(inScope(store.all()).map((f) => f.id));
-		for (const f of store.all()) f.inScope = scopedIds.has(f.id);
-		const scopedFindings = inScope(audited.findings);
-		const routed = route(audited.findings);
-		for (const s of routed.reportOnly) secrets.set(s.id, s);
-		for (const d of routed.deterministic) depBumps.set(d.id, d);
-		bus.emit({
-			type: "audit",
-			loop,
-			findings: scopedFindings.length,
-			files: new Set(scopedFindings.map((f) => f.file)).size,
-			scanned: audited.scanned
-		});
-		if (loop === 1 && audited.findings.length === 0) {
-			termination = "converged";
-			break;
-		}
-		const pending = pendingUnderBudget(store, config.perIssueBudget);
-		const fixable = inScope(pending);
-		if (pending.length === 0) {
-			termination = "converged";
-			break;
-		}
-		const units = dispatchableUnits(fixable, config.includeTests);
-		if (units.length === 0) {
-			termination = "no-progress";
-			break;
-		}
-		if (fixingLoops >= config.maxLoops) {
-			termination = "max-loops";
-			break;
-		}
-		fixingLoops++;
-		const beforeAttemptState = statusAttemptSnapshot(store);
-		bus.emit({
-			type: "loop-start",
-			loop,
-			files: units.map((u) => u.file),
-			concurrency: config.maxSessions
-		});
-		const outcomes = await dispatch(units, async (unit) => {
-			bus.emit({
-				type: "file-start",
-				loop,
-				file: unit.file,
-				rule: unit.findings[0]?.rule
-			});
-			const outcome = await deps.fixUnit(unit, loop);
-			bus.emit({
-				type: "file-result",
-				loop,
-				file: unit.file,
-				outcome: outcome.kept ? "fixed" : "reverted",
-				reason: outcome.reason
-			});
-			return {
-				unit,
-				outcome
-			};
-		}, { concurrency: config.maxSessions });
-		for (const { unit, outcome } of outcomes) {
-			applyOutcome(store, unit, outcome, config.perIssueBudget);
-			if (outcome.usage) usage = addUsage(usage, outcome.usage);
-		}
-		bus.emit({
-			type: "loop-complete",
-			loop,
-			fixed: outcomes.filter((o) => o.outcome.kept).length
-		});
-		if (statusAttemptSnapshot(store) === beforeAttemptState) {
-			termination = "no-progress";
-			break;
-		}
-	}
-	const exitStatus = secrets.size > 0 ? 1 : 0;
-	bus.emit({
-		type: "done",
-		exitStatus
-	});
-	return result(termination, fixingLoops, exitStatus, store, secrets, depBumps, scannerStatuses, runScope, usage);
-}
-function result(termination, loops, exitStatus, store, secrets, depBumps, scannerStatuses, runScope, usage) {
-	return {
-		termination,
-		loops,
-		exitStatus: termination === "no-scanners" ? 1 : exitStatus,
-		findings: store.all(),
-		secrets: [...secrets.values()],
-		depBumps: [...depBumps.values()],
-		scannerStatuses,
-		runScope,
-		usage
-	};
-}
-
-//#endregion
-//#region src/report/retry-id.ts
-const RETRY_ID_LENGTH = 6;
-const RETRY_ID_ALPHABET = "23456789abcdefghijkmnpqrstuvwxyz";
-const makeRetryId = customAlphabet(RETRY_ID_ALPHABET, RETRY_ID_LENGTH);
-function hasUsableRetryId(finding) {
-	return typeof finding.retryId === "string" && finding.retryId.length > 0;
-}
-function nextUniqueRetryId(used, generate) {
-	for (let attempt = 0; attempt < 100; attempt++) {
-		const retryId = generate();
-		if (!used.has(retryId)) return retryId;
-	}
-	throw new Error("Could not generate a unique retry id");
-}
-/** Ensure every finding in a persisted report has a human-facing id unique to that report. */
-function assignRetryIds(findings, generate = makeRetryId) {
-	const counts = new Map();
-	for (const finding of findings) {
-		if (!hasUsableRetryId(finding)) continue;
-		counts.set(finding.retryId, (counts.get(finding.retryId) ?? 0) + 1);
-	}
-	const used = new Set();
-	return findings.map((finding) => {
-		if (hasUsableRetryId(finding) && counts.get(finding.retryId) === 1) {
-			used.add(finding.retryId);
-			return finding;
-		}
-		const retryId = nextUniqueRetryId(used, generate);
-		used.add(retryId);
-		return {
-			...finding,
-			retryId
-		};
-	});
-}
-
-//#endregion
-//#region src/report/schema.ts
-const DepBumpSchema = z.object({
-	findingId: z.string(),
-	remediation: z.string()
-});
-/** Per-scanner outcome for a run: did it run clean, get skipped, or fail (with a reason). */
-const ScannerStatusSchema = z.object({
-	tool: z.enum(TOOLS),
-	status: z.enum([
-		"ran",
-		"skipped",
-		"failed"
-	]),
-	reason: z.string().optional()
-});
-const BehaviorChangeSchema = z.object({
-	findingId: z.string(),
-	file: z.string(),
-	note: z.string()
-});
-/**
-* Estimated AI cost/usage for a run. `estimatedCostUsd` is Claude's client-side
-* `total_cost_usd` estimate — never authoritative billing.
-*/
-const AiUsageSchema = z.object({
-	estimatedCostUsd: z.number().nonnegative(),
-	inputTokens: z.number().nonnegative(),
-	outputTokens: z.number().nonnegative(),
-	cacheCreationInputTokens: z.number().nonnegative(),
-	cacheReadInputTokens: z.number().nonnegative(),
-	sessions: z.number().int().nonnegative()
-});
-const RunScopeSchema = z.object({
-	type: z.enum(["all", "scoped"]),
-	fileCount: z.number().int().nonnegative().optional()
-}).default({ type: "scoped" });
-const FixPolicySchema = z.object({ includeTests: z.boolean().default(false) }).default({ includeTests: false });
-const ZERO_AI_USAGE$1 = {
-	estimatedCostUsd: 0,
-	inputTokens: 0,
-	outputTokens: 0,
-	cacheCreationInputTokens: 0,
-	cacheReadInputTokens: 0,
-	sessions: 0
-};
-const ReportSchema = z.object({
-	findings: z.array(FindingSchema),
-	secrets: z.array(FindingSchema),
-	depBumps: z.array(DepBumpSchema),
-	flaggedBehaviorChanges: z.array(BehaviorChangeSchema),
-	scannerStatuses: z.array(ScannerStatusSchema).default([]),
-	runScope: RunScopeSchema,
-	fixPolicy: FixPolicySchema,
-	aiUsage: AiUsageSchema.default(ZERO_AI_USAGE$1),
-	loops: z.number().int().nonnegative(),
-	durationMs: z.number().nonnegative(),
-	exitStatus: z.number().int()
-});
-
-//#endregion
-//#region src/report/builder.ts
-const ZERO_AI_USAGE = {
-	estimatedCostUsd: 0,
-	inputTokens: 0,
-	outputTokens: 0,
-	cacheCreationInputTokens: 0,
-	cacheReadInputTokens: 0,
-	sessions: 0
-};
-/** Accumulates per-finding outcomes and run metadata into a validated report.json. */
-var ReportBuilder = class {
-	outcomes = new Map();
-	flagged = [];
-	scannerStatuses = [];
-	constructor(generateRetryId) {
-		this.generateRetryId = generateRetryId;
-	}
-	/** Record (or update) a finding's final outcome by fingerprint. */
-	recordOutcome(finding) {
-		const normalized = normalizeRevertDetail(finding.revertDetail);
-		const outcome = { ...finding };
-		if (normalized) outcome.revertDetail = normalized;
-		else delete outcome.revertDetail;
-		this.outcomes.set(finding.id, outcome);
-	}
-	recordOutcomes(findings) {
-		for (const f of findings) this.recordOutcome(f);
-	}
-	/** Flag a semantic test change for human review. */
-	flagBehaviorChange(entry) {
-		this.flagged.push(entry);
-	}
-	/** Record per-scanner run outcomes (ran / skipped / failed) for the scanner-status line. */
-	recordScannerStatuses(statuses) {
-		this.scannerStatuses = statuses;
-	}
-	build(meta) {
-		const findings = assignRetryIds([...this.outcomes.values()], this.generateRetryId);
-		const report = {
-			findings,
-			secrets: findings.filter((f) => f.category === "secret"),
-			depBumps: findings.filter((f) => f.remediation !== void 0).map((f) => ({
-				findingId: f.id,
-				remediation: f.remediation
-			})),
-			flaggedBehaviorChanges: this.flagged,
-			scannerStatuses: this.scannerStatuses,
-			runScope: meta.runScope ?? { type: "scoped" },
-			fixPolicy: meta.fixPolicy ?? { includeTests: false },
-			aiUsage: meta.aiUsage ?? ZERO_AI_USAGE,
-			loops: meta.loops,
-			durationMs: meta.durationMs,
-			exitStatus: meta.exitStatus
-		};
-		return ReportSchema.parse(report);
-	}
-};
-
-//#endregion
-//#region src/output/format.ts
-/**
-* Human duration for the summary: sub-minute reads as "2.4s", longer as "3m 12s".
-* Deterministic — no locale, no rounding surprises.
-*/
-function formatDuration(ms) {
-	const totalSeconds = ms / 1e3;
-	if (totalSeconds < 60) return `${totalSeconds.toFixed(1)}s`;
-	const minutes = Math.floor(totalSeconds / 60);
-	const seconds = Math.round(totalSeconds % 60);
-	if (seconds === 60) return `${minutes + 1}m 0s`;
-	return `${minutes}m ${seconds}s`;
-}
-/** Stopwatch form for the live per-file timer: "0:42", "1:05". */
-function formatClock(ms) {
-	const totalSeconds = Math.floor(ms / 1e3);
-	const minutes = Math.floor(totalSeconds / 60);
-	const seconds = totalSeconds % 60;
-	return `${minutes}:${String(seconds).padStart(2, "0")}`;
-}
-/** Plain-language reason a fix was reverted — the most useful thing for a human. */
-function reasonLabel(reason) {
-	switch (reason) {
-		case "broke-test": return "broke tests";
-		case "typecheck": return "broke typecheck";
-		case "suppression": return "added a suppression";
-		case "regression": return "introduced a new issue";
-		case "session-error": return "the fix session failed";
-		default: return "couldn't fix";
-	}
-}
-
-//#endregion
-//#region src/output/theme.ts
-const PALETTE = {
-	accent: "#7AA2F7",
-	accentTo: "#9D7CD8",
-	green: "#9ECE6A",
-	amber: "#E0AF68",
-	red: "#E88388"
-};
-const UNICODE_GLYPHS = {
-	fixed: "✔",
-	reverted: "↩",
-	left: "–",
-	scanned: "✔",
-	bullet: "·",
-	rule: "─",
-	arrow: "→",
-	spinner: [
-		"⠋",
-		"⠙",
-		"⠹",
-		"⠸",
-		"⠼",
-		"⠴",
-		"⠦",
-		"⠧",
-		"⠇",
-		"⠏"
-	]
-};
-const ASCII_GLYPHS = {
-	fixed: "+",
-	reverted: "<",
-	left: "-",
-	scanned: "+",
-	bullet: "·",
-	rule: "-",
-	arrow: ">",
-	spinner: [
-		"-",
-		"\\",
-		"|",
-		"/"
-	]
-};
-/** Resolve the chalk color level: 0 (off) when color is disabled, else the terminal's. */
-function chalkLevel(env) {
-	if (!env.color) return 0;
-	const detected = supportsColor ? supportsColor.level : 0;
-	return detected > 0 ? detected : 1;
-}
-function makeTheme(env) {
-	const c = new Chalk({ level: chalkLevel(env) });
-	const glyph = env.unicode ? UNICODE_GLYPHS : ASCII_GLYPHS;
-	const accent = (s) => c.hex(PALETTE.accent)(s);
-	const wordmark = () => {
-		if (!env.color) return "tend";
-		if (c.level >= 3) return gradient([PALETTE.accent, PALETTE.accentTo])("tend");
-		return accent("tend");
-	};
-	return {
-		accent,
-		fixed: (s) => c.hex(PALETTE.green)(s),
-		reverted: (s) => c.hex(PALETTE.amber)(s),
-		error: (s) => c.hex(PALETTE.red)(s),
-		dim: (s) => c.dim(s),
-		bold: (s) => c.bold(s),
-		plain: (s) => s,
-		wordmark,
-		glyph
-	};
-}
-
-//#endregion
-//#region src/output/summary.ts
-const RULE_WIDTH = 49;
-const PLAIN_THEME = makeTheme({
-	color: false,
-	interactive: false,
-	unicode: true
-});
-/** A finding the developer can't read as part of their changes (scanned wide, out of scope). */
-function isOutOfScope(f) {
-	return f.inScope === false && f.category !== "secret";
-}
-function bucket(report) {
-	const fixed = [];
-	const couldntFix = [];
-	const skippedTests = [];
-	const reportOnly = [];
-	const left = [];
-	const secrets = [];
-	for (const f of report.findings) if (f.category === "secret") secrets.push(f);
-	else if (isOutOfScope(f)) continue;
-	else if (f.status === "fixed") fixed.push(f);
-	else if (f.status === "reverted" || f.status === "unfixable") couldntFix.push(f);
-	else {
-		const pending = classifyPending(f, report);
-		if (pending === "skippedTests") skippedTests.push(f);
-		else if (pending === "reportOnly") reportOnly.push(f);
-		else left.push(f);
-	}
-	return {
-		fixed,
-		couldntFix,
-		skippedTests,
-		reportOnly,
-		left,
-		secrets
-	};
-}
-function classifyPending(f, report) {
-	if (f.track === "report-only") return "reportOnly";
-	if (f.track === "ai-fix" && !report.fixPolicy.includeTests && isTestFile(f.file)) return "skippedTests";
-	return "left";
-}
-/**
-* The final summary: a real headline (fixed / couldn't-fix / left / secrets + elapsed),
-* grouped by what the user must do, with revert reasons surfaced per file, and ending in
-* next-step affordances. Brief by default; `--verbose` adds the full per-finding listing.
-*/
-function renderSummary(report, opts = {}) {
-	const theme = opts.theme ?? PLAIN_THEME;
-	const { glyph } = theme;
-	const b = bucket(report);
-	if (opts.plain) return renderPlainSummary(report, b, theme, Boolean(opts.verbose));
-	const lines$1 = [];
-	lines$1.push(theme.dim(glyph.rule.repeat(RULE_WIDTH)));
-	lines$1.push(`done ${theme.dim(`${glyph.bullet} ${report.loops} fix passes ${glyph.bullet} ${formatDuration(report.durationMs)}`)}`);
-	lines$1.push("");
-	lines$1.push(theme.bold("run summary"));
-	lines$1.push(renderOverallTable(report, b, theme));
-	lines$1.push("");
-	lines$1.push(theme.bold("scanner breakdown"));
-	lines$1.push(renderScannerBreakdownTable(report, theme));
-	if (b.couldntFix.length > 0) {
-		lines$1.push("");
-		lines$1.push(theme.bold("couldn't fix"));
-		lines$1.push(renderCouldntFixTable(b.couldntFix, theme));
-	}
-	if (b.secrets.length > 0) {
-		lines$1.push("");
-		lines$1.push(theme.bold("secrets"));
-		lines$1.push(renderSecretsTable(b.secrets, theme));
-	}
-	if (opts.verbose) lines$1.push("", renderVerbose(report, theme));
-	lines$1.push("");
-	lines$1.push(theme.bold("next commands"));
-	lines$1.push(renderNextCommandsTable());
-	return lines$1.join("\n");
-}
-function renderPlainSummary(report, b, theme, verbose) {
-	const lines$1 = [
-		`done ${theme.glyph.bullet} ${report.loops} fix passes ${theme.glyph.bullet} ${formatDuration(report.durationMs)}`,
-		[
-			"summary",
-			`fixed=${b.fixed.length}`,
-			`couldntFix=${b.couldntFix.length}`,
-			`skippedTests=${b.skippedTests.length}`,
-			`reportOnly=${b.reportOnly.length}`,
-			`left=${b.left.length}`,
-			`secrets=${b.secrets.length}`
-		].join(" "),
-		[
-			"aiUsage",
-			`estimatedCostUsd=${report.aiUsage.estimatedCostUsd.toFixed(2)}`,
-			`sessions=${report.aiUsage.sessions}`,
-			`inputTokens=${report.aiUsage.inputTokens}`,
-			`outputTokens=${report.aiUsage.outputTokens}`,
-			`cacheReadInputTokens=${report.aiUsage.cacheReadInputTokens}`,
-			`cacheCreationInputTokens=${report.aiUsage.cacheCreationInputTokens}`
-		].join(" ")
-	];
-	const counts = inScopeByTool(report);
-	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
-	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
-	for (const tool of tools) {
-		const status = statusByTool.get(tool);
-		const c = counts.get(tool) ?? {
-			total: 0,
-			fixed: 0,
-			couldntFix: 0,
-			skippedTests: 0,
-			reportOnly: 0,
-			left: 0
-		};
-		const reason = status?.status === "failed" && status.reason ? ` reason=${JSON.stringify(firstLine(status.reason))}` : status?.status === "skipped" ? " reason=not-installed" : "";
-		lines$1.push(`scanner tool=${tool} status=${status?.status ?? "not-recorded"} scope=${plainScopeLabel(report)} total=${c.total} fixed=${c.fixed} couldntFix=${c.couldntFix} skippedTests=${c.skippedTests} reportOnly=${c.reportOnly} left=${c.left}${reason}`);
-	}
-	for (const f of b.couldntFix) {
-		const id = retryTarget(f);
-		lines$1.push(`couldnt-fix retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(findingReason(f))} command=${JSON.stringify(`tend retry ${id}`)}`);
-	}
-	for (const f of b.secrets) lines$1.push(`secret retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} action=${JSON.stringify("rotate + scrub history")}`);
-	if (b.skippedTests.length > 0) lines$1.push(`skipped-tests count=${b.skippedTests.length} reason="test files are excluded by default" command="tend run --include-tests <path...>"`);
-	if (b.reportOnly.length > 0) lines$1.push(`report-only count=${b.reportOnly.length} reason="unsupported or report-only findings"`);
-	if (verbose) for (const f of report.findings) lines$1.push(`finding retryId=${f.retryId ?? ""} status=${f.status} tool=${f.tool} location=${JSON.stringify(`${f.file}:${f.range.startLine}`)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(f.status === "fixed" ? "" : findingReason(f))}`);
-	lines$1.push("next command=\"tend diff\" command=\"git add -p\" command=\"tend undo\"");
-	return lines$1.join("\n");
-}
-function renderTable(head, rows) {
-	const table = new Table({
-		head,
-		wordWrap: true,
-		style: {
-			head: [],
-			border: []
-		}
-	});
-	table.push(...rows);
-	return table.toString();
-}
-function renderOverallTable(report, b, theme) {
-	const clean = b.fixed.length === 0 && b.couldntFix.length === 0 && b.skippedTests.length === 0 && b.reportOnly.length === 0 && b.left.length === 0 && b.secrets.length === 0;
-	const status = report.exitStatus === 0 ? clean ? theme.fixed("success (nothing to fix)") : theme.fixed("success") : theme.error(`needs attention (exit ${report.exitStatus})`);
-	const rows = [
-		["status", status],
-		["fix passes", String(report.loops)],
-		["elapsed", formatDuration(report.durationMs)],
-		["fixed", `${theme.fixed(theme.glyph.fixed)} ${b.fixed.length}`],
-		["couldn't fix", `${theme.reverted(theme.glyph.reverted)} ${b.couldntFix.length}`],
-		["skipped tests", `${theme.dim(theme.glyph.left)} ${b.skippedTests.length} (pass --include-tests)`],
-		["report only", `${theme.dim(theme.glyph.left)} ${b.reportOnly.length}`],
-		["left", `${theme.dim(theme.glyph.left)} ${b.left.length}`],
-		["secrets", b.secrets.length > 0 ? theme.error(String(b.secrets.length)) : "0"],
-		["estimated AI cost", formatCost(report.aiUsage.estimatedCostUsd)],
-		["AI sessions", String(report.aiUsage.sessions)],
-		["tokens", formatTokens(report.aiUsage)]
-	];
-	return renderTable(["metric", "value"], rows);
-}
-/** Estimated AI cost as `$X.XX` — always two decimals, never called a "bill". */
-function formatCost(usd) {
-	return `$${usd.toFixed(2)}`;
-}
-/** `<input> in · <output> out · <cache read> cache read · <cache write> cache write`. */
-function formatTokens(u) {
-	return [
-		`${u.inputTokens} in`,
-		`${u.outputTokens} out`,
-		`${u.cacheReadInputTokens} cache read`,
-		`${u.cacheCreationInputTokens} cache write`
-	].join(" · ");
-}
-/** Per-tool tally over the in-scope findings only. */
-function inScopeByTool(report) {
-	const counts = new Map();
-	for (const f of report.findings) {
-		if (f.inScope === false) continue;
-		const row = counts.get(f.tool) ?? {
-			total: 0,
-			fixed: 0,
-			couldntFix: 0,
-			skippedTests: 0,
-			reportOnly: 0,
-			left: 0
-		};
-		row.total += 1;
-		if (f.status === "fixed") row.fixed += 1;
-		else if (f.status === "reverted" || f.status === "unfixable") row.couldntFix += 1;
-		else {
-			const pending = classifyPending(f, report);
-			if (pending === "skippedTests") row.skippedTests += 1;
-			else if (pending === "reportOnly") row.reportOnly += 1;
-			else row.left += 1;
-		}
-		counts.set(f.tool, row);
-	}
-	return counts;
-}
-function renderScannerBreakdownTable(report, theme) {
-	const counts = inScopeByTool(report);
-	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
-	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
-	if (tools.length === 0) return renderTable(scannerBreakdownHeaders(), [[
-		"(none)",
-		"not recorded",
-		scopeLabel(report),
-		"0",
-		"0",
-		"0",
-		"0",
-		"0",
-		"0",
-		""
-	]]);
-	const rows = tools.map((tool) => {
-		const status = statusByTool.get(tool);
-		const c = counts.get(tool) ?? {
-			total: 0,
-			fixed: 0,
-			couldntFix: 0,
-			skippedTests: 0,
-			reportOnly: 0,
-			left: 0
-		};
-		const label = scannerLabel(tool);
-		const statusText = status?.status === "ran" ? `${theme.fixed(theme.glyph.fixed)} ran` : status?.status === "failed" ? `${theme.error("!")} failed` : status?.status === "skipped" ? "skipped" : "not recorded";
-		const reason = status?.status === "failed" && status.reason ? firstLine(status.reason) : status?.status === "skipped" ? "not installed" : "";
-		return [
-			label,
-			statusText,
-			scopeLabel(report),
-			String(c.total),
-			String(c.fixed),
-			String(c.couldntFix),
-			String(c.skippedTests),
-			String(c.reportOnly),
-			String(c.left),
-			reason
-		];
-	});
-	return renderTable(scannerBreakdownHeaders(), rows);
-}
-function scannerBreakdownHeaders() {
-	return [
-		"scanner",
-		"status",
-		"scope",
-		"total",
-		"fixed",
-		"couldn't fix",
-		"skipped tests",
-		"report only",
-		"left",
-		"reason"
-	];
-}
-function scopeLabel(report) {
-	if (report.runScope.type === "all") return "whole repo";
-	if (report.runScope.fileCount !== void 0) return `${report.runScope.fileCount} scoped ${report.runScope.fileCount === 1 ? "file" : "files"}`;
-	return "in your changes";
-}
-function plainScopeLabel(report) {
-	return scopeLabel(report).replaceAll(" ", "-");
-}
-function findingReason(f) {
-	return f.status === "reverted" ? reasonLabel(f.revertReason) : "exhausted retries";
-}
-function retryTarget(f) {
-	return f.retryId ?? f.id;
-}
-function renderCouldntFixTable(findings, theme) {
-	const rows = findings.map((f) => [
-		f.retryId ?? "(none)",
-		f.file,
-		String(f.range.startLine),
-		f.rule,
-		f.message,
-		findingReason(f),
-		`${theme.glyph.arrow} tend retry ${retryTarget(f)}`
-	]);
-	return renderTable([
-		"retryId",
-		"file",
-		"line",
-		"rule",
-		"message",
-		"reason",
-		"command"
-	], rows);
-}
-function renderSecretsTable(findings, theme) {
-	const rows = findings.map((f) => [
-		f.retryId ?? "(none)",
-		f.file,
-		f.rule,
-		theme.error("rotate + scrub history")
-	]);
-	return renderTable([
-		"retryId",
-		"file",
-		"rule",
-		"action"
-	], rows);
-}
-function renderNextCommandsTable() {
-	return renderTable(["action", "command"], [
-		["review edits", "tend diff"],
-		["stage deliberately", "git add -p"],
-		["undo run", "tend undo"]
-	]);
-}
-/** First line of a (possibly multi-line) scanner error reason, trimmed. */
-function firstLine(s) {
-	return s.split("\n")[0].trim();
-}
-function scannerLabel(tool) {
-	return tool === "sonarjs" ? "sonarjs (bundled)" : tool;
-}
-function perToolCounts(findings) {
-	const counts = new Map();
-	for (const f of findings) {
-		const row = counts.get(f.tool) ?? {
-			fixed: 0,
-			reverted: 0,
-			left: 0
-		};
-		if (f.status === "fixed") row.fixed += 1;
-		else if (f.status === "reverted") row.reverted += 1;
-		else row.left += 1;
-		counts.set(f.tool, row);
-	}
-	return counts;
-}
-/** The exhaustive view behind `--verbose`: per-tool breakdown + every finding. */
-function renderVerbose(report, theme) {
-	const table = new Table({
-		head: [
-			"tool",
-			"fixed",
-			"reverted",
-			"left"
-		],
-		style: {
-			head: [],
-			border: []
-		}
-	});
-	for (const [tool, c] of perToolCounts(report.findings)) table.push([
-		tool,
-		String(c.fixed),
-		String(c.reverted),
-		String(c.left)
-	]);
-	const findingRows = report.findings.map((f) => [
-		f.retryId ?? "",
-		f.status,
-		f.tool,
-		`${f.file}:${f.range.startLine}`,
-		f.rule,
-		f.status === "fixed" ? "" : findingReason(f)
-	]);
-	return [
-		theme.bold("verbose totals"),
-		table.toString(),
-		theme.bold("verbose findings"),
-		renderTable([
-			"retryId",
-			"status",
-			"tool",
-			"location",
-			"rule",
-			"reason"
-		], findingRows)
-	].join("\n");
-}
-/**
-* Group the issues that still need a human, ordered by urgency:
-* secrets → security → couldn't-fix → needs-review. Empty groups are omitted.
-*/
-function groupRemaining(report) {
-	const unfixed = report.findings.filter((f) => f.status !== "fixed");
-	const secrets = unfixed.filter((f) => f.category === "secret");
-	const security = unfixed.filter((f) => f.category === "security");
-	const couldntFix = unfixed.filter((f) => f.status === "unfixable" && f.category !== "secret" && f.category !== "security");
-	const groups = [
-		{
-			key: "secrets",
-			title: "SECRETS — rotate now (never auto-fixed)",
-			count: secrets.length
-		},
-		{
-			key: "security",
-			title: "SECURITY",
-			count: security.length
-		},
-		{
-			key: "couldnt-fix",
-			title: "COULDN'T FIX",
-			count: couldntFix.length
-		},
-		{
-			key: "review",
-			title: "NEEDS YOUR REVIEW — behavior changed",
-			count: report.flaggedBehaviorChanges.length
-		}
-	];
-	return groups.filter((g) => g.count > 0);
-}
-
-//#endregion
-//#region src/commands/resolve-finding.ts
-function displayId(finding) {
-	return finding.retryId ?? finding.id;
-}
-function resolveFindingId(id, findings) {
-	const retryMatch = findings.find((f) => f.retryId === id);
-	if (retryMatch) return retryMatch;
-	const exact = findings.find((f) => f.id === id);
-	if (exact) return exact;
-	const prefixMatches = findings.filter((f) => f.id.startsWith(id));
-	if (prefixMatches.length === 0) return { error: `No finding with id "${id}"` };
-	if (prefixMatches.length > 1) {
-		const matches = prefixMatches.map(displayId).join(", ");
-		return { error: `Finding id "${id}" is ambiguous; matches ${matches}. Use the retry id or full fingerprint.` };
-	}
-	return prefixMatches[0];
-}
-
-//#endregion
-//#region src/commands/show.ts
-/** `tend show <id>` — full detail on one finding: attempts, revert reason, taint flow path. */
-function showCommand(id, findings) {
-	const resolved = resolveFindingId(id, findings);
-	if ("error" in resolved) return resolved.error;
-	const finding = resolved;
-	const lines$1 = [
-		`${finding.tool}  ${finding.rule}  [${finding.status}]`,
-		`retry id: ${finding.retryId ?? "(none)"}`,
-		`fingerprint: ${finding.id}`,
-		`${finding.file}:${finding.range.startLine}`,
-		finding.message,
-		`attempts: ${finding.attempts}`
-	];
-	if (finding.revertReason) lines$1.push(`last revert reason: ${finding.revertReason}`);
-	if (finding.revertDetail) lines$1.push(`last revert detail: ${finding.revertDetail}`);
-	if (finding.flowPath?.length) {
-		lines$1.push("flow path:");
-		for (const step of finding.flowPath) lines$1.push(`  → ${step.file}:${step.line}`);
-	}
-	if (finding.helpUri) lines$1.push(`docs: ${finding.helpUri}`);
-	return lines$1.join("\n");
-}
-
-//#endregion
-//#region src/commands/retry.ts
-function findingsOf(deps) {
-	return deps.report?.findings ?? deps.findings ?? [];
-}
-function syncDerivedReportFields(report) {
-	report.secrets = report.findings.filter((f) => f.category === "secret");
-	report.depBumps = report.findings.filter((f) => f.remediation !== void 0).map((f) => ({
-		findingId: f.id,
-		remediation: f.remediation
-	}));
-	report.exitStatus = report.secrets.length > 0 ? 1 : 0;
-}
-function resolveRetryTarget(id, findings) {
-	const resolved = resolveFindingId(id, findings);
-	if ("error" in resolved) return resolved;
-	if (resolved.status === "fixed") return { error: `Finding ${resolved.id} is already fixed` };
-	if (resolved.track !== "ai-fix") return { error: `Finding ${resolved.id} is not AI-fixable` };
-	return resolved;
-}
-/** `tend retry <id>` — re-attempt a stubborn finding with a larger attempt budget. */
-async function retryCommand(id, deps) {
-	const resolved = resolveRetryTarget(id, findingsOf(deps));
-	if ("error" in resolved) return resolved;
-	const finding = resolved;
-	const largerBudget = Math.max(deps.baseBudget * 2, finding.attempts + 1);
-	finding.status = "fixing";
-	const outcome = await deps.runFix(finding, largerBudget);
-	if (outcome.kept) {
-		finding.status = "fixed";
-		delete finding.revertReason;
-		delete finding.revertDetail;
-		if (deps.report) syncDerivedReportFields(deps.report);
-		return {
-			outcome: "fixed",
-			finding,
-			budget: largerBudget
-		};
-	}
-	const reason = outcome.reason ?? "session-error";
-	finding.attempts += 1;
-	finding.revertReason = reason;
-	const detail = normalizeRevertDetail(outcome.detail);
-	if (detail) finding.revertDetail = detail;
-	else delete finding.revertDetail;
-	finding.status = finding.attempts >= largerBudget ? "unfixable" : "reverted";
-	if (deps.report) syncDerivedReportFields(deps.report);
-	return {
-		outcome: "reverted",
-		finding,
-		budget: largerBudget,
-		reason
-	};
-}
-
-//#endregion
-//#region src/config/config.ts
-const EFFORT_LEVELS = [
-	"low",
-	"medium",
-	"high",
-	"xhigh",
-	"max"
-];
-const ToolConfigSchema = z.object({
-	enabled: z.boolean().default(true),
-	configPath: z.string().optional()
-});
-const ConfigSchema = z.object({
-	maxSessions: z.number().int().positive().default(4),
-	maxLoops: z.number().int().positive().default(5),
-	perIssueBudget: z.number().int().positive().default(3),
-	test: z.string().optional(),
-	teethCheck: z.boolean().default(true),
-	includeTests: z.boolean().default(false),
-	model: z.string().default("sonnet"),
-	effort: z.enum(EFFORT_LEVELS).optional(),
-	tools: z.record(z.string(), ToolConfigSchema).default({})
-});
-/**
-* Load config via cosmiconfig (searching from `cwd`), validate with zod, and apply
-* zero-config defaults when no file is found. Invalid config throws a clear message.
-*/
-async function loadConfig(cwd) {
-	const explorer = cosmiconfig("tend", { stopDir: cwd });
-	const found = await explorer.search(cwd);
-	const raw = found?.config ?? {};
-	const parsed = ConfigSchema.safeParse(raw);
-	if (!parsed.success) {
-		const issues = parsed.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`);
-		throw new Error(`Invalid tend config:\n  ${issues.join("\n  ")}`);
-	}
-	return parsed.data;
-}
-/** Overlay CLI flags onto a loaded config (flags win). */
-function applyCliOverrides(config, overrides) {
-	const result$1 = { ...config };
-	for (const [key, value] of Object.entries(overrides)) if (value !== void 0) result$1[key] = value;
-	return result$1;
-}
-
-//#endregion
-export { ClaudeSession, ConfigSchema, EFFORT_LEVELS, EventBus, FindingSchema, FindingStore, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, assertGitRepo, buildProgram, changedFiles, changedVsHead, createGit, detectPackageManager, dispatch, filesUnder, filterToChanged, fingerprint, formatClock, groupRemaining, isAvailable, loadConfig, makeTheme, normalize, orchestrate, planWork, reasonLabel, renderSummary, resolveRetryTarget, retryCommand, revertFile, route, runScanner, scannerStatus, scopeFindings, showCommand, trackForTool, zeroUsage };