tend-cli 0.5.0 → 0.6.1

package/dist/config-Dz4byqjU.js

@@ -0,0 +1,3594 @@
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { dirname, isAbsolute, join, relative, resolve } from "node:path";
+import { Command } from "commander";
+import { ESLint } from "eslint";
+import sonarjs from "eslint-plugin-sonarjs";
+import { createHash } from "node:crypto";
+import { z } from "zod";
+import PQueue from "p-queue";
+import { fileURLToPath } from "node:url";
+import { tmpdir } from "node:os";
+import { simpleGit } from "simple-git";
+import ts from "typescript";
+import { customAlphabet } from "nanoid";
+import Table from "cli-table3";
+import { Chalk, supportsColor } from "chalk";
+import gradient from "gradient-string";
+import { cosmiconfig } from "cosmiconfig";
+
+//#region src/cli.ts
+const COMMAND_NAMES = new Set([
+	"diff",
+	"help",
+	"retry",
+	"run",
+	"show",
+	"undo"
+]);
+const RUN_OPTION_NAMES = new Set([
+	"--all",
+	"--effort",
+	"--include-tests",
+	"--max-loops",
+	"--max-sessions",
+	"--model",
+	"--no-color",
+	"--plain",
+	"--verbose"
+]);
+function addRunOptions(command) {
+	return command.option("--all", "fix the entire backlog, not just changed files").option("--max-loops <n>", "cap on fix loops", (v) => parseInt(v, 10)).option("--max-sessions <n>", "concurrent AI sessions", (v) => parseInt(v, 10)).option("--model <model>", "model for fixes: sonnet (default), opus, haiku, or a full model id").option("--effort <level>", "reasoning effort for fixes: low | medium | high | xhigh | max").option("--include-tests", "also fix findings in test files (excluded by default)").option("--plain", "plain one-line-per-event output for pipes/CI (no color, no spinners)").option("--no-color", "disable color output").option("--verbose", "show the full per-tool / per-finding breakdown in the summary");
+}
+function looksLikePath(value) {
+	return value.includes("/") || value.includes("\\") || value.startsWith(".") || existsSync(value);
+}
+function isRunOption(value) {
+	const name = value.split("=")[0] ?? value;
+	return RUN_OPTION_NAMES.has(name);
+}
+function shouldInsertRun(args) {
+	const first = args[0];
+	if (!first) return true;
+	if (first === "--help" || first === "-h" || COMMAND_NAMES.has(first)) return false;
+	return isRunOption(first) || looksLikePath(first);
+}
+function withDefaultRun(argv, from) {
+	const prefixLength = from === "user" ? 0 : 2;
+	const prefix = argv.slice(0, prefixLength);
+	const args = argv.slice(prefixLength);
+	return shouldInsertRun(args) ? [
+		...prefix,
+		"run",
+		...args
+	] : [...argv];
+}
+function enableDefaultRun(program) {
+	const parse = program.parse.bind(program);
+	const parseAsync = program.parseAsync.bind(program);
+	program.parse = (argv, options) => parse(withDefaultRun(argv ?? process.argv, options?.from), options);
+	program.parseAsync = (argv, options) => parseAsync(withDefaultRun(argv ?? process.argv, options?.from), options);
+}
+/** Build the commander program wiring each subcommand to a handler. */
+function buildProgram(handlers) {
+	const program = new Command();
+	program.name("tend").description("Audit a JS/TS repo and fix findings with AI in a safe loop.");
+	program.exitOverride();
+	program.addHelpCommand(true);
+	const run = program.command("run").description("snapshot → audit → fix loop → report (changed files)").argument("[paths...]", "fix only findings under these files/dirs (committed or not)");
+	addRunOptions(run).action((paths, opts) => handlers.run({
+		...opts,
+		paths
+	}));
+	program.command("diff").description("show only the tool's edits").action(() => handlers.diff());
+	program.command("undo").description("restore the pre-run snapshot").action(() => handlers.undo());
+	program.command("show <id>").description("full detail on one finding").action((id) => handlers.show(id));
+	program.command("retry <id>").description("re-attempt a stubborn finding with a larger budget").action((id) => handlers.retry(id));
+	enableDefaultRun(program);
+	return program;
+}
+
+//#endregion
+//#region src/scanners/scope.ts
+/**
+* Files changed vs `HEAD` (tracked modifications/additions/renames plus untracked),
+* scoped and re-based to `git`'s working directory — see `changedVsHead` in git/repo.ts
+* for why this matters when tend runs from a subdirectory of the repo.
+*/
+async function changedFiles(git) {
+	const prefix = (await git.revparse(["--show-prefix"])).trim();
+	const status = await git.status();
+	const files = new Set();
+	for (const file of status.files) {
+		const path = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
+		if (!prefix) files.add(path);
+		else if (path.startsWith(prefix)) files.add(path.slice(prefix.length));
+	}
+	return [...files];
+}
+/** Keep only findings whose file is in the changed set. */
+function filterToChanged(findings, changed) {
+	const set = new Set(changed);
+	return findings.filter((f) => {
+		if (set.has(f.file)) return true;
+		if (f.category === "duplication") return (f.flowPath ?? []).some((p) => set.has(p.file));
+		return false;
+	});
+}
+/** Apply the fix scope: `--all` fixes everything, otherwise only changed files. */
+function scopeFindings(findings, opts) {
+	return opts.all ? findings : filterToChanged(findings, opts.changed);
+}
+
+//#endregion
+//#region src/scanners/scope-policy.ts
+const OUT_OF_SCOPE_SEGMENTS = new Set(["node_modules", ".git"]);
+const GENERATED_SEGMENTS = new Set([
+	".tend",
+	".turbo",
+	".next",
+	".vercel",
+	"coverage",
+	"dist",
+	"build",
+	"out",
+	"generated",
+	"__generated__"
+]);
+const TEST_FILE_RE$1 = /(^|[/\\])[^/\\]+\.(test|spec)\.[cm]?[jt]sx?$/;
+function normalizePath$1(path) {
+	return path.replaceAll("\\", "/").replace(/^\.\//, "");
+}
+function pathSegments$1(path) {
+	return normalizePath$1(path).split("/").filter(Boolean);
+}
+function hasGlob(pattern) {
+	return /[*?[\]{}]/.test(pattern);
+}
+function escapeRegex(char) {
+	return char.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}
+function globToRegex(pattern) {
+	const normalized = normalizePath$1(pattern);
+	let source = "^";
+	for (let i = 0; i < normalized.length; i++) {
+		const char = normalized[i];
+		const next = normalized[i + 1];
+		if (char === "*") if (next === "*") {
+			const after = normalized[i + 2];
+			if (after === "/") {
+				source += "(?:.*/)?";
+				i += 2;
+			} else {
+				source += ".*";
+				i += 1;
+			}
+		} else source += "[^/]*";
+		else if (char === "?") source += "[^/]";
+		else source += escapeRegex(char);
+	}
+	source += "$";
+	return new RegExp(source);
+}
+function matchesPattern(path, pattern) {
+	const normalizedPath = normalizePath$1(path);
+	const normalizedPattern = normalizePath$1(pattern);
+	if (!hasGlob(normalizedPattern)) return normalizedPath === normalizedPattern || normalizedPath.startsWith(`${normalizedPattern}/`);
+	return globToRegex(normalizedPattern).test(normalizedPath);
+}
+function matchesAnyPath(paths, patterns) {
+	if (!patterns || patterns.length === 0) return false;
+	return paths.some((path) => patterns.some((pattern) => matchesPattern(path, pattern)));
+}
+function isFixturePath(path) {
+	const segments = pathSegments$1(path);
+	if (segments.includes("__fixtures__")) return true;
+	return segments.some((segment, index) => (segment === "test" || segment === "tests") && segments[index + 1] === "fixtures");
+}
+function isGeneratedPath(path) {
+	const segments = pathSegments$1(path);
+	if (segments.some((segment) => GENERATED_SEGMENTS.has(segment))) return true;
+	return /\.(d\.ts|d\.ts\.map)$/.test(normalizePath$1(path)) && segments.some((segment) => segment === "generated" || segment === "build");
+}
+function isOutOfScopePath(path) {
+	return pathSegments$1(path).some((segment) => OUT_OF_SCOPE_SEGMENTS.has(segment));
+}
+function isTestPath(path) {
+	return TEST_FILE_RE$1.test(normalizePath$1(path));
+}
+function findingPaths(finding) {
+	return [finding.file, ...(finding.flowPath ?? []).map((step) => step.file)].map(normalizePath$1);
+}
+function defaultExclusionReason(paths) {
+	if (paths.some(isOutOfScopePath)) return "out-of-scope";
+	if (paths.some(isFixturePath)) return "fixtures";
+	if (paths.some(isGeneratedPath)) return "generated";
+	if (paths.some(isTestPath)) return "tests";
+	return void 0;
+}
+/** Decide report/fix scope for a finding without mutating it. */
+function classifyScope(finding, options = {}) {
+	const paths = findingPaths(finding);
+	if (options.inChangedScope === false) return {
+		inReportScope: true,
+		inFixScope: false,
+		scopeExclusionReason: "out-of-scope"
+	};
+	if (matchesAnyPath(paths, options.exclude)) return {
+		inReportScope: true,
+		inFixScope: false,
+		scopeExclusionReason: "out-of-scope"
+	};
+	if (matchesAnyPath(paths, options.include)) return {
+		inReportScope: true,
+		inFixScope: true
+	};
+	const reason = defaultExclusionReason(paths);
+	if (reason === "generated" && options.includeGenerated) return {
+		inReportScope: true,
+		inFixScope: true
+	};
+	if (reason === "fixtures" && options.includeFixtures) return {
+		inReportScope: true,
+		inFixScope: true
+	};
+	if (reason === "tests" && options.includeTests) return {
+		inReportScope: true,
+		inFixScope: true
+	};
+	if (reason) return {
+		inReportScope: true,
+		inFixScope: false,
+		scopeExclusionReason: reason
+	};
+	return {
+		inReportScope: true,
+		inFixScope: true
+	};
+}
+/** Apply scope metadata in place so store/report state stays marked consistently. */
+function markScope(finding, options = {}) {
+	const decision = classifyScope(finding, options);
+	finding.inReportScope = decision.inReportScope;
+	finding.inFixScope = decision.inFixScope;
+	if (decision.scopeExclusionReason) finding.scopeExclusionReason = decision.scopeExclusionReason;
+	else delete finding.scopeExclusionReason;
+	return finding;
+}
+
+//#endregion
+//#region src/fixing/dispatch.ts
+const TEST_FILE_RE = /^(.*)\.(test|spec)\.([cm]?[jt]sx?)$/;
+/** Whether a repo-relative path is a test file (`*.test.*` / `*.spec.*`). */
+const isTestFile = (file) => TEST_FILE_RE.test(file);
+/** A test file's owning code file (so both go to the same worker); else the file itself. */
+function ownerOf(file) {
+	const m = file.match(TEST_FILE_RE);
+	return m ? `${m[1]}.${m[3]}` : file;
+}
+/**
+* Group findings into work units so each worker owns a disjoint set of files
+* (a code file plus its sibling test). No two sessions ever touch the same file.
+*/
+function planWork(findings) {
+	const byOwner = new Map();
+	for (const finding of findings) {
+		const owner = ownerOf(finding.file);
+		let unit = byOwner.get(owner);
+		if (!unit) {
+			unit = {
+				file: owner,
+				files: [],
+				findings: []
+			};
+			byOwner.set(owner, unit);
+		}
+		unit.findings.push(finding);
+		if (!unit.files.includes(finding.file)) unit.files.push(finding.file);
+		if (!unit.files.includes(owner)) unit.files.push(owner);
+	}
+	return [...byOwner.values()];
+}
+function strategyPriority(strategy) {
+	switch (strategy) {
+		case "multi-file-duplicate-refactor": return 6;
+		case "generated-source-repair": return 5;
+		case "test-file-repair": return 4;
+		case "dead-code-cleanup":
+		case "single-file-ai-edit": return 3;
+		case "deterministic-package-json-cleanup":
+		case "deterministic-ts-organize-imports":
+		case "deterministic-eslint-fix": return 2;
+		default: return 0;
+	}
+}
+function addUnique(target, values) {
+	for (const value of values) if (!target.includes(value)) target.push(value);
+}
+function ownerFiles(plan) {
+	const files = plan.editableFiles.length > 0 ? plan.editableFiles : [plan.finding.file];
+	if (plan.strategy === "multi-file-duplicate-refactor" || plan.strategy === "generated-source-repair") return files;
+	return uniqueValues(files.flatMap((file) => [file, ownerOf(file)]));
+}
+function uniqueValues(files) {
+	return [...new Set(files)];
+}
+function unitForPlan(plan) {
+	const files = ownerFiles(plan);
+	return {
+		file: plan.strategy === "test-file-repair" ? ownerOf(plan.finding.file) : files[0] ?? plan.finding.file,
+		files,
+		findings: [plan.finding],
+		strategy: plan.strategy,
+		strategies: [plan.strategy],
+		verificationTargets: uniqueValues(plan.verificationTargets)
+	};
+}
+function overlaps(a, b) {
+	const files = new Set(a.files);
+	return b.files.some((file) => files.has(file));
+}
+function mergeUnits(a, b) {
+	const strategies = uniqueValues([...a.strategies ?? (a.strategy ? [a.strategy] : []), ...b.strategies ?? (b.strategy ? [b.strategy] : [])]);
+	addUnique(a.files, b.files);
+	addUnique(a.findings, b.findings);
+	addUnique(a.verificationTargets ?? (a.verificationTargets = []), b.verificationTargets ?? []);
+	a.strategy = strategies.sort((left, right) => strategyPriority(right) - strategyPriority(left))[0];
+	a.strategies = strategies;
+	if (!a.files.includes(a.file)) a.file = a.files[0] ?? a.file;
+	return a;
+}
+/**
+* Group planned repairs into disjoint work units. Unlike `planWork`, this honors
+* planner-selected editable files, so cross-file duplicate plans reserve both clone sites.
+*/
+function planWorkFromRepairs(plans) {
+	const units = [];
+	for (const plan of plans) {
+		let next = unitForPlan(plan);
+		for (let index = 0; index < units.length; index++) {
+			if (!overlaps(units[index], next)) continue;
+			next = mergeUnits(units[index], next);
+			units.splice(index, 1);
+			index = -1;
+		}
+		units.push(next);
+	}
+	return units;
+}
+/** Run each work unit through `runUnit`, capped at `concurrency` concurrent sessions. */
+async function dispatch(units, runUnit, opts) {
+	const queue = new PQueue({ concurrency: opts.concurrency });
+	return Promise.all(units.map((unit) => queue.add(() => runUnit(unit))));
+}
+
+//#endregion
+//#region src/fixing/generated-source.ts
+const GENERATED_OUTPUT_SEGMENTS = new Set([
+	"dist",
+	"build",
+	"out"
+]);
+const SOURCE_EXTENSIONS = [
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mts",
+	".cts",
+	".mjs",
+	".cjs"
+];
+const GENERATED_EXTENSIONS = [
+	".d.ts.map",
+	".d.ts",
+	".js.map",
+	".mjs.map",
+	".cjs.map",
+	".js",
+	".mjs",
+	".cjs"
+];
+function normalizePath(path) {
+	return path.replaceAll("\\", "/").replace(/^\.\//, "");
+}
+function toRepoRelative$1(cwd, file) {
+	const rel = isAbsolute(file) ? relative(cwd, file) : file;
+	return normalizePath(rel);
+}
+function absolutePath(cwd, file) {
+	return isAbsolute(file) ? file : join(cwd, file);
+}
+function pathSegments(file) {
+	return normalizePath(file).split("/").filter(Boolean);
+}
+function isGeneratedOutputPath(file) {
+	return pathSegments(file).some((segment) => GENERATED_OUTPUT_SEGMENTS.has(segment));
+}
+function isDeclarationArtifact(file) {
+	return /\.d\.ts(?:\.map)?$/.test(normalizePath(file));
+}
+function stripGeneratedExtension(file) {
+	const normalized = normalizePath(file);
+	const extension = GENERATED_EXTENSIONS.find((ext) => normalized.endsWith(ext));
+	return extension ? normalized.slice(0, -extension.length) : normalized.replace(/\.[^/.]+$/, "");
+}
+function sourceMappingUrl(contents) {
+	const match = contents.match(/[#@]\s*sourceMappingURL=([^\s]+)/);
+	if (!match?.[1] || match[1].startsWith("data:")) return void 0;
+	return decodeURIComponent(match[1]);
+}
+function readJson(path) {
+	try {
+		return JSON.parse(readFileSync(path, "utf8"));
+	} catch {
+		return void 0;
+	}
+}
+function existingRelative(cwd, abs) {
+	if (!existsSync(abs)) return void 0;
+	const rel = toRepoRelative$1(cwd, abs);
+	if (rel.startsWith("../")) return void 0;
+	return rel;
+}
+function sourceMapPathFor(cwd, file) {
+	const abs = absolutePath(cwd, file);
+	if (normalizePath(file).endsWith(".map") && existsSync(abs)) return abs;
+	if (existsSync(abs)) {
+		const url = sourceMappingUrl(readFileSync(abs, "utf8"));
+		if (url) {
+			const resolved = resolve(dirname(abs), url);
+			if (existsSync(resolved)) return resolved;
+		}
+	}
+	const sibling = `${abs}.map`;
+	if (existsSync(sibling)) return sibling;
+	return void 0;
+}
+function sourceOwnerFromMap(cwd, mapPath) {
+	const map = readJson(mapPath);
+	if (!map || !Array.isArray(map.sources)) return void 0;
+	for (const source of map.sources) {
+		if (typeof source !== "string" || source.startsWith("webpack://")) continue;
+		const candidates = [resolve(dirname(mapPath), map.sourceRoot ?? "", source), resolve(cwd, map.sourceRoot ?? "", source)];
+		const rel = candidates.map((candidate) => existingRelative(cwd, candidate)).find(Boolean);
+		if (rel && !isGeneratedOutputPath(rel)) return {
+			generatedFile: "",
+			sourceOwner: rel,
+			sourceMap: toRepoRelative$1(cwd, mapPath)
+		};
+	}
+	return {
+		generatedFile: "",
+		sourceMap: toRepoRelative$1(cwd, mapPath)
+	};
+}
+function packageJson(cwd) {
+	return readJson(join(cwd, "package.json"));
+}
+function tsdownEntries(cwd) {
+	const configPath = join(cwd, "tsdown.config.ts");
+	if (!existsSync(configPath)) return [];
+	const contents = readFileSync(configPath, "utf8");
+	const entries = new Set();
+	const arrayMatch = contents.match(/entry\s*:\s*\[([^\]]+)\]/s);
+	if (arrayMatch?.[1]) {
+		for (const match of arrayMatch[1].matchAll(/["']([^"']+)["']/g)) if (match[1]) entries.add(normalizePath(match[1]));
+	}
+	const stringMatch = contents.match(/entry\s*:\s*["']([^"']+)["']/);
+	if (stringMatch?.[1]) entries.add(normalizePath(stringMatch[1]));
+	return [...entries];
+}
+function collectExportTargets(value, out) {
+	if (typeof value === "string") {
+		out.push(value);
+		return;
+	}
+	if (Array.isArray(value)) {
+		for (const item of value) collectExportTargets(item, out);
+		return;
+	}
+	if (value && typeof value === "object") for (const item of Object.values(value)) collectExportTargets(item, out);
+}
+function packageTargets(pkg) {
+	if (!pkg) return [];
+	const targets = [];
+	if (pkg.main) targets.push(pkg.main);
+	if (pkg.module) targets.push(pkg.module);
+	if (pkg.types) targets.push(pkg.types);
+	if (pkg.typings) targets.push(pkg.typings);
+	if (typeof pkg.bin === "string") targets.push(pkg.bin);
+	else if (pkg.bin) targets.push(...Object.values(pkg.bin));
+	collectExportTargets(pkg.exports, targets);
+	return targets.map(normalizePath);
+}
+function sourceBasename(file) {
+	const base = stripGeneratedExtension(file).split("/").pop() ?? "";
+	return base === "index" ? "index" : base;
+}
+function sourceOwnerFromBuildConfig(cwd, file) {
+	const normalized = normalizePath(file);
+	const targets = new Set(packageTargets(packageJson(cwd)));
+	const entries = tsdownEntries(cwd);
+	for (const entry of entries) {
+		const entryBase = sourceBasename(entry);
+		const matchesPackageTarget = targets.has(normalized);
+		if ((matchesPackageTarget || sourceBasename(normalized) === entryBase) && existsSync(join(cwd, entry))) return entry;
+	}
+	return void 0;
+}
+function candidateSourcesForGenerated(file) {
+	const normalized = normalizePath(file);
+	const parts = pathSegments(stripGeneratedExtension(normalized));
+	const generatedIndex = parts.findIndex((part) => GENERATED_OUTPUT_SEGMENTS.has(part));
+	if (generatedIndex < 0) return [];
+	const suffix = parts.slice(generatedIndex + 1).join("/");
+	if (!suffix) return [];
+	return SOURCE_EXTENSIONS.map((ext) => `src/${suffix}${ext}`);
+}
+function sourceOwnerFromPathShape(cwd, file) {
+	return candidateSourcesForGenerated(file).find((candidate) => existsSync(join(cwd, candidate)));
+}
+function isGeneratedArtifact(cwd, file) {
+	const normalized = toRepoRelative$1(cwd, file);
+	if (isGeneratedOutputPath(normalized)) return true;
+	if (isDeclarationArtifact(normalized) && isGeneratedOutputPath(normalized)) return true;
+	return sourceMapPathFor(cwd, normalized) !== void 0;
+}
+function resolveGeneratedSourceOwner(cwd, file) {
+	const generatedFile = toRepoRelative$1(cwd, file);
+	if (!isGeneratedArtifact(cwd, generatedFile)) return void 0;
+	const mapPath = sourceMapPathFor(cwd, generatedFile);
+	let sourceMap;
+	if (mapPath) {
+		const fromMap = sourceOwnerFromMap(cwd, mapPath);
+		if (fromMap?.sourceOwner) return {
+			generatedFile,
+			sourceOwner: fromMap.sourceOwner,
+			sourceMap: fromMap.sourceMap
+		};
+		sourceMap = fromMap?.sourceMap ?? toRepoRelative$1(cwd, mapPath);
+	}
+	const sourceOwner = sourceOwnerFromBuildConfig(cwd, generatedFile) ?? sourceOwnerFromPathShape(cwd, generatedFile);
+	return sourceOwner ? {
+		generatedFile,
+		sourceOwner,
+		sourceMap
+	} : {
+		generatedFile,
+		sourceMap
+	};
+}
+function detectBuildCommand(cwd) {
+	const pkg = packageJson(cwd);
+	if (!pkg?.scripts?.build) return void 0;
+	return ["run", "build"];
+}
+
+//#endregion
+//#region src/fixing/repair-strategy.ts
+const REPAIR_STRATEGIES = [
+	"deterministic-eslint-fix",
+	"deterministic-ts-organize-imports",
+	"deterministic-package-json-cleanup",
+	"single-file-ai-edit",
+	"multi-file-duplicate-refactor",
+	"generated-source-repair",
+	"test-file-repair",
+	"dead-code-cleanup",
+	"unsupported"
+];
+const AUTO_FIX_RE = /\b(auto-?fix(?:able)?|eslint\s+--fix|fixable)\b/i;
+const UNUSED_IMPORT_RE = /(^|[/@])no-unused-imports?$|unused[- ]imports?/i;
+function unique(files) {
+	return [...new Set(files)];
+}
+function flowFiles(input) {
+	return unique([input.file ?? input.finding.file, ...(input.flowPath ?? input.finding.flowPath ?? []).map((step) => step.file)]);
+}
+function defaultPathReason(file) {
+	return classifyScope({ file }).scopeExclusionReason;
+}
+function configuredPathReason(file, config) {
+	return classifyScope({ file }, config).scopeExclusionReason;
+}
+function unsupported(input, reason) {
+	return {
+		finding: input.finding,
+		strategy: "unsupported",
+		editableFiles: [],
+		verificationTargets: flowFiles(input),
+		reason
+	};
+}
+function isGeneratedFile(file) {
+	return defaultPathReason(file) === "generated";
+}
+function sourceOwnerForGenerated(input) {
+	const generatedFile = input.file ?? input.finding.file;
+	if (input.cwd) {
+		const resolved = resolveGeneratedSourceOwner(input.cwd, generatedFile);
+		if (resolved?.sourceOwner) return resolved.sourceOwner;
+	}
+	return flowFiles(input).find((file) => file !== generatedFile && !isGeneratedFile(file));
+}
+function isGeneratedFinding(input) {
+	const file = input.file ?? input.finding.file;
+	if (input.cwd && isGeneratedArtifact(input.cwd, file)) return true;
+	return isGeneratedFile(file) || input.scope?.scopeExclusionReason === "generated";
+}
+function isJscpdDuplicate(input) {
+	return (input.tool ?? input.finding.tool) === "jscpd" && (input.rule ?? input.finding.rule) === "duplicate-code";
+}
+function isCrossFileDuplicate(input) {
+	return isJscpdDuplicate(input) && flowFiles(input).length > 1;
+}
+function isPackageJsonUnusedDependency(input) {
+	const file = input.file ?? input.finding.file;
+	const rule = input.rule ?? input.finding.rule;
+	const message = input.finding.message;
+	return /(^|\/)package\.json$/.test(file) && (rule === "unused-dependency" || /unused .*dependency/i.test(message));
+}
+function isUnusedImport(input) {
+	const rule = input.rule ?? input.finding.rule;
+	return UNUSED_IMPORT_RE.test(rule) || UNUSED_IMPORT_RE.test(input.finding.message);
+}
+function isEslintAutofixable(input) {
+	const tool = input.tool ?? input.finding.tool;
+	const rule = input.rule ?? input.finding.rule;
+	return tool === "sonarjs" && (input.finding.autofixable === true || input.config?.eslintAutofixableRules?.includes(rule) === true || AUTO_FIX_RE.test(input.finding.message) || AUTO_FIX_RE.test(input.finding.remediation ?? ""));
+}
+function firstExcludedReason(files, config) {
+	for (const file of files) {
+		const reason = configuredPathReason(file, config);
+		if (reason) return reason;
+	}
+	return void 0;
+}
+function planRepair(input) {
+	const file = input.file ?? input.finding.file;
+	const category = input.category ?? input.finding.category;
+	const scope = input.scope ?? input.finding;
+	const files = flowFiles(input);
+	if (category === "secret" || input.finding.track === "report-only") return unsupported(input, "report-only");
+	if (isCrossFileDuplicate(input)) {
+		if (scope.inScope === false) return unsupported(input, "out-of-scope");
+		const excluded = firstExcludedReason(files, input.config);
+		if (excluded) return unsupported(input, excluded);
+		if (scope.inFixScope === false) return unsupported(input, scope.scopeExclusionReason ?? "out-of-scope");
+		return {
+			finding: input.finding,
+			strategy: "multi-file-duplicate-refactor",
+			editableFiles: files,
+			verificationTargets: files
+		};
+	}
+	if (isGeneratedFinding(input)) {
+		const owner = sourceOwnerForGenerated(input);
+		if (!owner) return unsupported(input, "generated-source-not-found");
+		return {
+			finding: input.finding,
+			strategy: "generated-source-repair",
+			editableFiles: [owner],
+			verificationTargets: unique([file, owner])
+		};
+	}
+	if (isTestFile(file) && input.config?.includeTests && (scope.scopeExclusionReason === void 0 || scope.scopeExclusionReason === "tests")) return {
+		finding: input.finding,
+		strategy: "test-file-repair",
+		editableFiles: [file],
+		verificationTargets: [file]
+	};
+	if (scope.inFixScope === false) return unsupported(input, scope.scopeExclusionReason ?? "out-of-scope");
+	if (isPackageJsonUnusedDependency(input)) return {
+		finding: input.finding,
+		strategy: "deterministic-package-json-cleanup",
+		editableFiles: [file],
+		verificationTargets: [file],
+		reason: "deterministic-not-dispatched"
+	};
+	if (isUnusedImport(input)) return {
+		finding: input.finding,
+		strategy: "deterministic-ts-organize-imports",
+		editableFiles: [file],
+		verificationTargets: [file],
+		reason: "deterministic-not-dispatched"
+	};
+	if (isEslintAutofixable(input)) return {
+		finding: input.finding,
+		strategy: "deterministic-eslint-fix",
+		editableFiles: [file],
+		verificationTargets: [file],
+		reason: "deterministic-not-dispatched"
+	};
+	if (category === "dead-code") return {
+		finding: input.finding,
+		strategy: "dead-code-cleanup",
+		editableFiles: [file],
+		verificationTargets: [file]
+	};
+	return {
+		finding: input.finding,
+		strategy: "single-file-ai-edit",
+		editableFiles: [file],
+		verificationTargets: [file]
+	};
+}
+function applyRepairPlanToFinding(plan) {
+	plan.finding.repairStrategy = plan.strategy;
+	if (plan.reason) plan.finding.repairStrategyReason = plan.reason;
+	else delete plan.finding.repairStrategyReason;
+	return plan.finding;
+}
+function isAiDispatchStrategy(strategy) {
+	return strategy === "single-file-ai-edit" || strategy === "multi-file-duplicate-refactor" || strategy === "generated-source-repair" || strategy === "test-file-repair" || strategy === "dead-code-cleanup";
+}
+
+//#endregion
+//#region src/findings/finding.ts
+const TOOLS = [
+	"sonarjs",
+	"knip",
+	"jscpd",
+	"semgrep",
+	"osv",
+	"gitleaks"
+];
+const SCOPE_EXCLUSION_REASONS = [
+	"generated",
+	"fixtures",
+	"tests",
+	"out-of-scope"
+];
+const FAILURE_CLASSES = [
+	"tool-timeout",
+	"rate-limit",
+	"model-tool-failure",
+	"no-edit",
+	"no-op",
+	"regression",
+	"typecheck",
+	"broke-test",
+	"suppression",
+	"needs-lockfile-update"
+];
+const RangeSchema = z.object({
+	startLine: z.number(),
+	startCol: z.number(),
+	endLine: z.number(),
+	endCol: z.number()
+});
+const FindingSchema = z.object({
+	id: z.string(),
+	retryId: z.string().optional(),
+	tool: z.enum(TOOLS),
+	rule: z.string(),
+	category: z.enum([
+		"bug",
+		"smell",
+		"dead-code",
+		"duplication",
+		"security",
+		"secret",
+		"vuln-dep"
+	]),
+	severity: z.enum([
+		"error",
+		"warning",
+		"info"
+	]),
+	file: z.string(),
+	range: RangeSchema,
+	message: z.string(),
+	helpUri: z.string().optional(),
+	flowPath: z.array(z.object({
+		file: z.string(),
+		line: z.number(),
+		range: RangeSchema.optional()
+	})).optional(),
+	remediation: z.string().optional(),
+	autofixable: z.boolean().optional(),
+	repairStrategy: z.enum(REPAIR_STRATEGIES).optional(),
+	repairStrategyReason: z.string().optional(),
+	track: z.enum([
+		"ai-fix",
+		"deterministic",
+		"report-only"
+	]),
+	status: z.enum([
+		"pending",
+		"fixing",
+		"fixed",
+		"reverted",
+		"unfixable",
+		"skipped"
+	]),
+	attempts: z.number(),
+	revertReason: z.enum([
+		"broke-test",
+		"suppression",
+		"regression",
+		"typecheck",
+		"session-error",
+		"needs-lockfile-update"
+	]).optional(),
+	revertDetail: z.string().optional(),
+	finalFailureClass: z.enum(FAILURE_CLASSES).optional(),
+	firstSeenLoop: z.number(),
+	lastSeenLoop: z.number(),
+	inScope: z.boolean().optional(),
+	inReportScope: z.boolean().default(true),
+	inFixScope: z.boolean().default(true),
+	scopeExclusionReason: z.enum(SCOPE_EXCLUSION_REASONS).optional()
+});
+/**
+* Stable identity for a finding: hash(tool | rule | file | line | message).
+* Same components → same fingerprint, across loops and runs.
+*/
+function fingerprint(input) {
+	const key = [
+		input.tool,
+		input.rule,
+		input.file,
+		input.line,
+		input.message
+	].join("|");
+	return createHash("sha256").update(key).digest("hex");
+}
+
+//#endregion
+//#region src/findings/normalize.ts
+const TRACK_BY_TOOL = {
+	sonarjs: "ai-fix",
+	knip: "ai-fix",
+	jscpd: "ai-fix",
+	semgrep: "ai-fix",
+	osv: "deterministic",
+	gitleaks: "report-only"
+};
+/** Which track a tool's findings flow into. */
+function trackForTool(tool) {
+	return TRACK_BY_TOOL[tool];
+}
+/** Turn a raw scanner record into a tracked `Finding` for the given loop. */
+function normalize(raw, loop) {
+	const id = fingerprint({
+		tool: raw.tool,
+		rule: raw.rule,
+		file: raw.file,
+		line: raw.range.startLine,
+		message: raw.message
+	});
+	const finding = {
+		id,
+		tool: raw.tool,
+		rule: raw.rule,
+		category: raw.category,
+		severity: raw.severity,
+		file: raw.file,
+		range: raw.range,
+		message: raw.message,
+		track: trackForTool(raw.tool),
+		status: "pending",
+		attempts: 0,
+		firstSeenLoop: loop,
+		lastSeenLoop: loop,
+		inReportScope: true,
+		inFixScope: true
+	};
+	if (raw.helpUri !== void 0) finding.helpUri = raw.helpUri;
+	if (raw.flowPath !== void 0) finding.flowPath = raw.flowPath;
+	if (raw.remediation !== void 0) finding.remediation = raw.remediation;
+	if (raw.autofixable !== void 0) finding.autofixable = raw.autofixable;
+	return finding;
+}
+
+//#endregion
+//#region src/scanners/eslint-default-config.ts
+/** Walk up from this module to tend's own package root (dir of its package.json named tend-cli). */
+function tendPackageRoot() {
+	let dir = dirname(fileURLToPath(import.meta.url));
+	for (let i = 0; i < 8; i++) {
+		const pkgJson = join(dir, "package.json");
+		if (existsSync(pkgJson)) try {
+			if (JSON.parse(readFileSync(pkgJson, "utf8")).name === "tend-cli") return dir;
+		} catch {}
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return dirname(dirname(fileURLToPath(import.meta.url)));
+}
+/** Absolute path to tend's bundled default config (eslint recommended + sonarjs). */
+function defaultEslintConfigPath() {
+	return join(tendPackageRoot(), "configs", "default.eslint.config.mjs");
+}
+const ESLINT_CONFIG_FILES = [
+	"eslint.config.js",
+	"eslint.config.mjs",
+	"eslint.config.cjs",
+	"eslint.config.ts",
+	"eslint.config.mts",
+	"eslint.config.cts",
+	".eslintrc.js",
+	".eslintrc.cjs",
+	".eslintrc.yaml",
+	".eslintrc.yml",
+	".eslintrc.json",
+	".eslintrc"
+];
+function readPackageJson(cwd) {
+	const p = join(cwd, "package.json");
+	if (!existsSync(p)) return null;
+	try {
+		return JSON.parse(readFileSync(p, "utf8"));
+	} catch {
+		return null;
+	}
+}
+/** Does the project have any eslint config (a config file, or an `eslintConfig` key in package.json)? */
+function projectHasEslintConfig(cwd) {
+	if (ESLINT_CONFIG_FILES.some((name) => existsSync(join(cwd, name)))) return true;
+	return Boolean(readPackageJson(cwd)?.["eslintConfig"]);
+}
+/**
+* Nearest directory at or above `startDir`, up to and including `boundaryDir`, that holds an
+* eslint config — or null if none. Lets tend resolve each scoped file's governing config by
+* walking upward from the file, so a monorepo package keeps its own config even when tend is
+* invoked from the repo root (where there may be no config at all).
+*/
+function findEslintConfigDir(startDir, boundaryDir) {
+	const boundary = resolve(boundaryDir);
+	let dir = resolve(startDir);
+	for (;;) {
+		if (projectHasEslintConfig(dir)) return dir;
+		if (dir === boundary) return null;
+		const parent = dirname(dir);
+		if (parent === dir) return null;
+		dir = parent;
+	}
+}
+function dependsOnSonarjs(cwd) {
+	const pkg = readPackageJson(cwd);
+	if (!pkg) return false;
+	for (const field of [
+		"dependencies",
+		"devDependencies",
+		"peerDependencies",
+		"optionalDependencies"
+	]) {
+		const deps = pkg[field];
+		if (deps?.["eslint-plugin-sonarjs"]) return true;
+	}
+	return false;
+}
+function configMentionsSonarjs(cwd) {
+	for (const name of ESLINT_CONFIG_FILES) {
+		const p = join(cwd, name);
+		if (existsSync(p)) try {
+			if (readFileSync(p, "utf8").includes("sonarjs")) return true;
+		} catch {}
+	}
+	const eslintConfig = readPackageJson(cwd)?.["eslintConfig"];
+	return eslintConfig ? JSON.stringify(eslintConfig).includes("sonarjs") : false;
+}
+/** Project configures sonarjs = plugin is a dependency AND a config references it. */
+function projectConfiguresSonarjs(cwd) {
+	return dependsOnSonarjs(cwd) && configMentionsSonarjs(cwd);
+}
+/**
+* How tend should run eslint+sonarjs for a project:
+*  - `default` — no project eslint config → use tend's config (eslint recommended + sonarjs)
+*  - `layer`   — project eslint config without sonarjs → use theirs + sonarjs layered on top
+*  - `defer`   — project eslint config already includes sonarjs → use theirs untouched
+*/
+function eslintMode(cwd) {
+	if (!projectHasEslintConfig(cwd)) return "default";
+	return projectConfiguresSonarjs(cwd) ? "defer" : "layer";
+}
+
+//#endregion
+//#region src/scanners/paths.ts
+/** Make a scanner-reported path repo-relative (POSIX separators); pass relatives through. */
+function toRepoRelative(cwd, file) {
+	const rel = isAbsolute(file) ? relative(cwd, file) : file;
+	return rel.split("\\").join("/");
+}
+
+//#endregion
+//#region src/scanners/eslint-sonarjs.ts
+/** Map ESLint results (CLI JSON or Node-API LintResult[]) into tend's RawFindings. */
+function mapEslintResults(results, ctx) {
+	const findings = [];
+	for (const result$1 of results) {
+		const file = toRepoRelative(ctx.cwd, result$1.filePath);
+		for (const msg of result$1.messages) {
+			if (msg.ruleId === null) continue;
+			findings.push({
+				tool: "sonarjs",
+				rule: msg.ruleId,
+				category: "smell",
+				severity: msg.severity === 2 ? "error" : "warning",
+				file,
+				range: {
+					startLine: msg.line,
+					startCol: msg.column,
+					endLine: msg.endLine ?? msg.line,
+					endCol: msg.endColumn ?? msg.column
+				},
+				message: msg.message,
+				autofixable: msg.fix !== void 0
+			});
+		}
+	}
+	return findings;
+}
+function relativeLintTarget(from, to) {
+	return relative(from, to) || ".";
+}
+/**
+* Group scoped files by their governing eslint config. Each file's config is resolved by walking
+* up from the file's directory (bounded by ctx.cwd) — NOT from ctx.cwd alone — so files in a
+* monorepo package use that package's config even when tend runs from the repo root.
+*/
+function groupByConfig(ctx) {
+	const boundary = resolve(ctx.cwd);
+	const byDir = new Map();
+	for (const file of ctx.files) {
+		const abs = resolve(ctx.cwd, file);
+		const configDir = findEslintConfigDir(dirname(abs), boundary);
+		const key = configDir ?? "";
+		(byDir.get(key) ?? byDir.set(key, []).get(key)).push(abs);
+	}
+	return [...byDir.entries()].map(([key, absFiles]) => {
+		if (key === "") return {
+			configDir: null,
+			mode: "default",
+			cwd: ctx.cwd,
+			targets: absFiles.map((f) => relativeLintTarget(ctx.cwd, f))
+		};
+		return {
+			configDir: key,
+			mode: projectConfiguresSonarjs(key) ? "defer" : "layer",
+			cwd: key,
+			targets: absFiles.map((f) => relativeLintTarget(key, f))
+		};
+	});
+}
+/** Lint one group through the Node API; ESLint returns absolute filePaths regardless of cwd. */
+function eslintOptionsForGroup(group) {
+	const options = {
+		cwd: group.cwd,
+		errorOnUnmatchedPattern: false
+	};
+	if (group.mode === "default") options.overrideConfigFile = defaultEslintConfigPath();
+	else if (group.mode === "layer") options.overrideConfig = [sonarjs.configs.recommended];
+	return options;
+}
+async function lintGroup(group) {
+	const eslint = new ESLint(eslintOptionsForGroup(group));
+	return await eslint.lintFiles(group.targets);
+}
+function messageMatchesFinding(message, finding) {
+	return message.ruleId === finding.rule && message.line === finding.range.startLine;
+}
+async function fixGroup(group, findings) {
+	const options = {
+		...eslintOptionsForGroup(group),
+		fix: (message) => findings.some((finding) => messageMatchesFinding(message, finding)),
+		fixTypes: [
+			"problem",
+			"suggestion",
+			"layout"
+		]
+	};
+	const eslint = new ESLint(options);
+	return await eslint.lintFiles(group.targets);
+}
+/**
+* Apply ESLint's own autofixes for the exact findings Tend has assigned to the current unit.
+* Each file is linted separately so the fix predicate's rule/line match is scoped to that file.
+*/
+async function applyEslintFixesForFindings(ctx, findings) {
+	const files = [...new Set(findings.map((finding) => finding.file))];
+	if (files.length === 0) return { changed: false };
+	try {
+		const results = [];
+		for (const file of files) {
+			const fileFindings = findings.filter((finding) => finding.file === file);
+			for (const group of groupByConfig({
+				...ctx,
+				files: [file]
+			})) results.push(...await fixGroup(group, fileFindings));
+		}
+		await ESLint.outputFixes(results);
+		return { changed: results.some((result$1) => "output" in result$1) };
+	} catch (err) {
+		return {
+			changed: false,
+			error: err instanceof Error ? err.message : String(err)
+		};
+	}
+}
+/**
+* Run eslint+sonarjs via the Node API (eslint is bundled). Resolves the applicable config PER
+* FILE and runs one pass per config group, so monorepo packages are linted under their own
+* config. Three modes per group:
+*  default → tend's config · layer → project config + sonarjs · defer → project config.
+* Output paths stay relative to the original ctx.cwd so finding IDs/filtering are unaffected.
+*/
+async function runEslintSonarjs(ctx) {
+	const groups = ctx.files.length === 0 || ctx.files.includes(".") ? [{
+		configDir: null,
+		mode: eslintMode(ctx.cwd),
+		cwd: ctx.cwd,
+		targets: ["."]
+	}] : groupByConfig(ctx);
+	try {
+		const results = [];
+		for (const group of groups) results.push(...await lintGroup(group));
+		const findings = mapEslintResults(results, ctx).map((r) => normalize(r, ctx.loop));
+		return {
+			tool: "sonarjs",
+			findings,
+			skipped: false
+		};
+	} catch (err) {
+		return {
+			tool: "sonarjs",
+			findings: [],
+			skipped: false,
+			error: err instanceof Error ? err.message : String(err)
+		};
+	}
+}
+
+//#endregion
+//#region src/scanners/scanner.ts
+/** Collapse a ScanResult to its reportable status: skipped → ran → failed (error present). */
+function scannerStatus(result$1) {
+	if (result$1.skipped) return {
+		tool: result$1.tool,
+		status: "skipped"
+	};
+	if (result$1.error !== void 0) return {
+		tool: result$1.tool,
+		status: "failed",
+		reason: result$1.error
+	};
+	return {
+		tool: result$1.tool,
+		status: "ran"
+	};
+}
+async function isAvailable(scanner, which) {
+	return which(scanner.binary);
+}
+/**
+* Shared run sequence for every scanner:
+*   availability → args → spawn → parse → normalize.
+* Missing binary → skipped (not fatal). Timeout/spawn error or malformed output → error result.
+*/
+async function runScanner(scanner, ctx, deps) {
+	if (!await isAvailable(scanner, deps.which)) return {
+		tool: scanner.tool,
+		findings: [],
+		skipped: true
+	};
+	const args = scanner.buildArgs(ctx);
+	let raw;
+	try {
+		raw = await deps.spawn(scanner.binary, args, {
+			cwd: ctx.cwd,
+			timeout: deps.timeout
+		});
+	} catch (err) {
+		return {
+			tool: scanner.tool,
+			findings: [],
+			skipped: false,
+			error: errorMessage(err)
+		};
+	}
+	try {
+		const findings = scanner.parse(raw, ctx).map((r) => normalize(r, ctx.loop));
+		return {
+			tool: scanner.tool,
+			findings,
+			skipped: false
+		};
+	} catch (err) {
+		const reason = raw.exitCode !== 0 ? raw.stderr.trim() || errorMessage(err) : errorMessage(err);
+		return {
+			tool: scanner.tool,
+			findings: [],
+			skipped: false,
+			error: reason
+		};
+	}
+}
+function errorMessage(err) {
+	return err instanceof Error ? err.message : String(err);
+}
+
+//#endregion
+//#region src/git/repo.ts
+/** Refuse to run outside a git repo — the snapshot/restore safety net needs it. */
+async function assertGitRepo(git) {
+	if (!await git.checkIsRepo()) throw new Error("not a git repository — run tend inside a git repo");
+}
+/**
+* `git status` reports paths relative to the repo root and for the whole repo, even
+* when run from a subdirectory. Scanners run from `git`'s working dir and report paths
+* relative to it, so we scope changed files to that subtree and re-base them onto it
+* using git's own cwd→root prefix (empty when run from the repo root).
+*/
+function scopeToCwd(repoPath, prefix) {
+	if (!prefix) return repoPath;
+	if (!repoPath.startsWith(prefix)) return null;
+	return repoPath.slice(prefix.length);
+}
+/**
+* Files changed vs `HEAD`: tracked modifications/additions/renames plus untracked files,
+* scoped and re-based to `git`'s working directory (so a run from `apps/foo` only sees
+* `apps/foo`'s changes, pathed as the scanners path them).
+*/
+async function changedVsHead(git) {
+	const prefix = (await git.revparse(["--show-prefix"])).trim();
+	const status = await git.status();
+	const files = new Set();
+	for (const file of status.files) {
+		const repoPath = file.path.includes(" -> ") ? file.path.split(" -> ")[1] : file.path;
+		const rel = scopeToCwd(repoPath, prefix);
+		if (rel !== null) files.add(rel);
+	}
+	return [...files];
+}
+/**
+* Concrete files under the given path(s) — tracked plus untracked (so newly-added files
+* are scoped too, mirroring `changedVsHead`). `git ls-files` reports paths relative to
+* `git`'s working directory and interprets the pathspecs the same way, so the result is
+* already in the coordinate system the scanners and `filterToChanged` expect. Expanding to
+* concrete files (not bare directories) matters: `filterToChanged` matches exact paths.
+*/
+async function filesUnder(git, paths) {
+	if (paths.length === 0) return [];
+	const list = async (args) => (await git.raw([
+		"ls-files",
+		...args,
+		"--",
+		...paths
+	])).split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
+	const files = new Set([...await list([]), ...await list(["-o", "--exclude-standard"])]);
+	return [...files];
+}
+/** Revert a single file to its snapshot state. */
+function revertFile(snapshot, file) {
+	return snapshot.restoreFile(file);
+}
+
+//#endregion
+//#region src/git/client.ts
+const UNSAFE_GIT_ENV_KEYS = [
+	"EDITOR",
+	"VISUAL",
+	"GIT_EDITOR",
+	"GIT_SEQUENCE_EDITOR",
+	"GIT_PAGER",
+	"PAGER"
+];
+function gitEnv(extra = {}) {
+	const env = {
+		...process.env,
+		...extra
+	};
+	for (const key of UNSAFE_GIT_ENV_KEYS) delete env[key];
+	return env;
+}
+function createGit(root, extraEnv = {}) {
+	return simpleGit(root).env(gitEnv(extraEnv));
+}
+
+//#endregion
+//#region src/git/snapshot.ts
+const SNAP_MSG = "tend snapshot";
+/** A private ref pins the snapshot commit so `git gc` can't prune it (it's on no branch). */
+const SNAP_REF = "refs/tend/snapshot";
+let indexCounter = 0;
+/**
+* Write the entire current working tree (tracked + untracked, honoring .gitignore) into a git
+* tree object, using a throwaway index so the user's real staging area is never touched.
+* Returns the tree's object id. Git stores only new blobs and reuses the rest — near-instant,
+* a few KB, not a full copy of every file.
+*/
+async function writeWorkingTree(root) {
+	const idxPath = join(tmpdir(), `tend-index-${process.pid}-${indexCounter++}`);
+	try {
+		const g = createGit(root, { GIT_INDEX_FILE: idxPath });
+		await g.raw(["add", "-A"]);
+		return (await g.raw(["write-tree"])).trim();
+	} finally {
+		rmSync(idxPath, { force: true });
+	}
+}
+/** Keep tend's own `.tend/` artifacts out of snapshots and the user's `git status`. */
+function ensureTendIgnored(gitDir) {
+	const excludePath = join(gitDir, "info", "exclude");
+	const line = ".tend/";
+	let current = "";
+	try {
+		current = readFileSync(excludePath, "utf8");
+	} catch {}
+	if (current.split("\n").some((l) => l.trim() === line)) return;
+	mkdirSync(dirname(excludePath), { recursive: true });
+	const sep$1 = current === "" || current.endsWith("\n") ? "" : "\n";
+	writeFileSync(excludePath, `${current}${sep$1}${line}\n`);
+}
+const lines = (raw) => raw.split("\n").map((l) => l.trim()).filter(Boolean);
+/** Files currently in the repo: tracked + untracked (non-ignored), repo-root-relative. */
+async function currentFiles(root) {
+	const g = createGit(root);
+	const tracked = await g.raw(["ls-files"]);
+	const untracked = await g.raw([
+		"ls-files",
+		"--others",
+		"--exclude-standard"
+	]);
+	return [...new Set([...lines(tracked), ...lines(untracked)])];
+}
+/**
+* A silent restore point for the working tree, stored as a git commit object pinned by a private
+* ref (`refs/tend/snapshot`) — nothing committed to any branch, the editor sees no change. Backs
+* `tend undo` (exact restore) and `tend diff` (only the tool's edits). Reuses git's content store,
+* so the on-disk record is a 40-char id rather than a copy of every file.
+*/
+var Snapshot = class Snapshot {
+	constructor(cwd, root, sha) {
+		this.cwd = cwd;
+		this.root = root;
+		this.sha = sha;
+	}
+	static async capture(_git, cwd) {
+		const git = createGit(cwd);
+		const root = (await git.revparse(["--show-toplevel"])).trim();
+		const gitDir = (await git.revparse(["--absolute-git-dir"])).trim();
+		ensureTendIgnored(gitDir);
+		const rg = createGit(root);
+		const tree = await writeWorkingTree(root);
+		let parent = null;
+		try {
+			parent = (await rg.revparse(["HEAD"])).trim();
+		} catch {
+			parent = null;
+		}
+		const commitArgs = parent ? [
+			"commit-tree",
+			tree,
+			"-p",
+			parent,
+			"-m",
+			SNAP_MSG
+		] : [
+			"commit-tree",
+			tree,
+			"-m",
+			SNAP_MSG
+		];
+		const sha = (await rg.raw(commitArgs)).trim();
+		await rg.raw([
+			"update-ref",
+			SNAP_REF,
+			sha
+		]);
+		return new Snapshot(cwd, root, sha);
+	}
+	/** Serialize to a tiny object for `.tend/snapshot.json` (powers `undo` across invocations). */
+	toJSON() {
+		return {
+			cwd: this.cwd,
+			root: this.root,
+			sha: this.sha
+		};
+	}
+	static fromJSON(data) {
+		return new Snapshot(data.cwd, data.root, data.sha);
+	}
+	/** Files whose contents differ from the snapshot, or that are new/deleted since it (sorted). */
+	async changedSince(_git) {
+		const currentTree = await writeWorkingTree(this.root);
+		const diff = await createGit(this.root).raw([
+			"diff",
+			"--name-only",
+			this.sha,
+			currentTree
+		]);
+		return lines(diff).sort();
+	}
+	/** Restore a single file to its captured contents (worktree only — the user's index is untouched). */
+	async restoreFile(rel) {
+		await createGit(this.root).raw([
+			"restore",
+			"--source",
+			this.sha,
+			"--worktree",
+			"--",
+			rel
+		]);
+	}
+	/** Restore the working tree exactly to the captured state (incl. deleting files created since). */
+	async restore(_git) {
+		const rg = createGit(this.root);
+		await rg.raw([
+			"restore",
+			"--source",
+			this.sha,
+			"--worktree",
+			"--",
+			":/"
+		]);
+		const inSnapshot = new Set(lines(await rg.raw([
+			"ls-tree",
+			"-r",
+			"--name-only",
+			this.sha
+		])));
+		for (const rel of await currentFiles(this.root)) if (!inSnapshot.has(rel)) rmSync(join(this.root, rel), { force: true });
+	}
+};
+
+//#endregion
+//#region src/detect/package-manager.ts
+const LOCKFILES$1 = [
+	{
+		file: "pnpm-lock.yaml",
+		pm: "pnpm"
+	},
+	{
+		file: "yarn.lock",
+		pm: "yarn"
+	},
+	{
+		file: "bun.lockb",
+		pm: "bun"
+	},
+	{
+		file: "bun.lock",
+		pm: "bun"
+	},
+	{
+		file: "package-lock.json",
+		pm: "npm"
+	}
+];
+/** Detect the package manager from the lockfile present; defaults to npm. */
+function detectPackageManager(cwd) {
+	for (const { file, pm } of LOCKFILES$1) if (existsSync(join(cwd, file))) return pm;
+	return "npm";
+}
+
+//#endregion
+//#region src/session/types.ts
+/** A usage record with everything zeroed. */
+const zeroUsage = () => ({
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+});
+/** Sum two usage records field-by-field (used to roll usage up through the run). */
+function addUsage(a, b) {
+	return {
+		estimatedCostUsd: a.estimatedCostUsd + b.estimatedCostUsd,
+		inputTokens: a.inputTokens + b.inputTokens,
+		outputTokens: a.outputTokens + b.outputTokens,
+		cacheCreationInputTokens: a.cacheCreationInputTokens + b.cacheCreationInputTokens,
+		cacheReadInputTokens: a.cacheReadInputTokens + b.cacheReadInputTokens,
+		sessions: a.sessions + b.sessions
+	};
+}
+
+//#endregion
+//#region src/gate/check.ts
+const pass = () => ({ ok: true });
+const reject = (reason, detail) => ({
+	ok: false,
+	reason,
+	detail
+});
+
+//#endregion
+//#region src/gate/checks/anti-regression.ts
+/**
+* Reject if the fix introduced any finding that wasn't present before — no lateral
+* moves. A fix must strictly reduce findings; trading one issue for another is what
+* would let the loop oscillate instead of converge.
+*/
+function antiRegression(before, after, opts = {}) {
+	const knownIds = new Set(before.map((f) => f.id));
+	if (opts.requireResolved) {
+		const unresolved = after.filter((f) => knownIds.has(f.id));
+		if (unresolved.length > 0) {
+			const detail = unresolved.map((f) => `${f.file}:${f.range.startLine} ${f.rule}`).join(", ");
+			return reject("regression", `Fix did not clear target finding(s): ${detail}`);
+		}
+	}
+	const introduced = after.filter((f) => !knownIds.has(f.id));
+	if (introduced.length > 0) {
+		const detail = introduced.map((f) => `${f.file}:${f.range.startLine} ${f.rule}`).join(", ");
+		return reject("regression", `Fix introduced new finding(s): ${detail}`);
+	}
+	return pass();
+}
+
+//#endregion
+//#region src/gate/checks/anti-suppression.ts
+const SUPPRESSION_PATTERNS = [
+	{
+		re: /eslint-disable/,
+		what: "eslint-disable"
+	},
+	{
+		re: /@ts-ignore/,
+		what: "@ts-ignore"
+	},
+	{
+		re: /@ts-nocheck/,
+		what: "@ts-nocheck"
+	},
+	{
+		re: /\bas\s+any\b/,
+		what: "cast to any"
+	},
+	{
+		re: /:\s*any\b/,
+		what: "any type annotation"
+	},
+	{
+		re: /<any>/,
+		what: "cast to any"
+	}
+];
+function splitDiff(diff) {
+	const added = [];
+	const removed = [];
+	for (const line of diff.split("\n")) {
+		if (line.startsWith("+++") || line.startsWith("---")) continue;
+		if (line.startsWith("+")) added.push(line.slice(1));
+		else if (line.startsWith("-")) removed.push(line.slice(1));
+	}
+	return {
+		added,
+		removed
+	};
+}
+const nonBlank = (lines$1) => lines$1.filter((l) => l.trim().length > 0);
+/**
+* Reject a change-set that cheats the scanner rather than fixing the code:
+* newly-added suppression comments / any-casts, or code deleted instead of fixed.
+* Only NEW (added) lines are inspected — pre-existing suppressions in context are ignored.
+*/
+function antiSuppression(diff, options = {}) {
+	const { added, removed } = splitDiff(diff);
+	for (const line of added) for (const { re, what } of SUPPRESSION_PATTERNS) if (re.test(line)) return reject("suppression", `Fix added ${what}`);
+	if (!options.allowDeleteOnly && nonBlank(removed).length > 0 && nonBlank(added).length === 0) return reject("suppression", "Code was deleted instead of fixed");
+	return pass();
+}
+
+//#endregion
+//#region src/gate/checks/typecheck.ts
+/** Reject a fix that breaks `tsc --noEmit`. Skipped (pass) when there's no tsconfig. */
+async function typecheck(deps) {
+	if (!await deps.hasTsconfig()) return pass();
+	const { exitCode, output } = await deps.runTsc();
+	if (exitCode === 0) return pass();
+	return reject("typecheck", output.trim() || "tsc --noEmit failed");
+}
+
+//#endregion
+//#region src/gate/checks/tests.ts
+/** Baseline-green tests that are red now. */
+function regressions(baseline, outcomes) {
+	return outcomes.filter((o) => o.status === "fail" && baseline.has(o.name));
+}
+/**
+* Apply→test→repair flow. A red previously-green test opens a bounded repair window
+* rather than an instant revert; exhausting it without going green is a reject.
+*/
+async function runTestPhase(deps) {
+	if (deps.hasTestRunner === false) return {
+		ok: true,
+		warning: "No test suite detected — behavior can't be verified"
+	};
+	let regressed = regressions(deps.baseline, await deps.runRelated());
+	if (regressed.length === 0) return pass();
+	for (let attempt = 1; attempt <= deps.maxRepairs; attempt++) {
+		await deps.repair(attempt, regressed);
+		regressed = regressions(deps.baseline, await deps.runRelated());
+		if (regressed.length === 0) return pass();
+	}
+	const names = regressed.map((o) => o.name).join(", ");
+	return reject("broke-test", `Fix left previously-green test(s) red: ${names}`);
+}
+
+//#endregion
+//#region src/fixing/unit-gate.ts
+/** A file's current contents, or null if it doesn't exist. */
+const snapshotFile = (abs) => existsSync(abs) ? readFileSync(abs, "utf8") : null;
+function snapshotUnitFiles(cwd, files) {
+	return new Map(files.map((f) => [f, snapshotFile(join(cwd, f))]));
+}
+function restoreSnapshot(cwd, before) {
+	for (const [f, original] of before) {
+		const p = join(cwd, f);
+		if (original === null) {
+			if (existsSync(p)) rmSync(p, { force: true });
+		} else writeFileSync(p, original);
+	}
+}
+function snapshotUnitNow(cwd, files) {
+	return snapshotUnitFiles(cwd, files);
+}
+function unitChanged(cwd, files, before) {
+	return files.some((f) => snapshotFile(join(cwd, f)) !== before.get(f));
+}
+/** Build a minimal unified diff from captured before/after contents. */
+function buildDiff(before, after) {
+	const out = [];
+	for (const [path, afterContent] of after) {
+		const beforeLines = (before.get(path) ?? "").split("\n");
+		const afterLines = (afterContent ?? "").split("\n");
+		for (const l of beforeLines) if (!afterLines.includes(l)) out.push(`-${l}`);
+		for (const l of afterLines) if (!beforeLines.includes(l)) out.push(`+${l}`);
+	}
+	return out.join("\n");
+}
+function isDeadCodeFinding(finding) {
+	return finding.category === "dead-code" || finding.tool === "knip" && finding.rule.startsWith("unused-");
+}
+function allowsDeleteOnly(unit) {
+	return unit.findings.length > 0 && unit.findings.every(isDeadCodeFinding);
+}
+async function gateUnitChanges(unit, before, deps, opts = {}) {
+	const usage = opts.usage ?? zeroUsage();
+	const after = snapshotUnitNow(deps.cwd, unit.files);
+	const supp = antiSuppression(buildDiff(before, after), { allowDeleteOnly: allowsDeleteOnly(unit) });
+	if (!supp.ok) return {
+		kept: false,
+		reason: supp.reason,
+		detail: supp.detail,
+		usage
+	};
+	const tc = await typecheck({
+		hasTsconfig: () => deps.typescript,
+		runTsc: deps.runTsc
+	});
+	if (!tc.ok) return {
+		kept: false,
+		reason: tc.reason,
+		detail: tc.detail,
+		usage
+	};
+	if (unit.strategy === "generated-source-repair" && deps.runBuild) {
+		const build = await deps.runBuild();
+		if (build.exitCode !== 0) return {
+			kept: false,
+			reason: "typecheck",
+			detail: `Build failed while regenerating generated artifact.\n${build.output}`.trim(),
+			usage
+		};
+	}
+	const phase = await runTestPhase({
+		baseline: deps.baseline,
+		runRelated: () => deps.runRelated(unit.files),
+		repair: opts.repair ?? (async () => {}),
+		maxRepairs: opts.maxRepairs ?? 0,
+		hasTestRunner: deps.hasTestRunner
+	});
+	if (!phase.ok) return {
+		kept: false,
+		reason: phase.reason,
+		detail: opts.repairFailureDetail?.() ?? phase.detail,
+		usage
+	};
+	const verificationTargets = unit.verificationTargets ?? unit.files;
+	const afterFindings = await deps.scanFindings(verificationTargets);
+	const regression = antiRegression(unit.findings, afterFindings, { requireResolved: opts.requireResolved || unit.strategy === "multi-file-duplicate-refactor" });
+	if (!regression.ok) return {
+		kept: false,
+		reason: regression.reason,
+		detail: regression.detail,
+		usage
+	};
+	return {
+		kept: true,
+		usage
+	};
+}
+
+//#endregion
+//#region src/fixing/deterministic.ts
+const ZERO_AI_USAGE$2 = zeroUsage();
+const LOCKFILES = [
+	"pnpm-lock.yaml",
+	"package-lock.json",
+	"yarn.lock",
+	"bun.lockb"
+];
+function strategiesFor(unit) {
+	return (unit.strategies ?? (unit.strategy ? [unit.strategy] : [])).filter((strategy) => strategy.startsWith("deterministic-"));
+}
+function packageNameFromFindingMessage(message) {
+	const match = message.match(/:\s*(@?[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)?)(?:\s|$)/);
+	return match?.[1];
+}
+function hasLockfile(cwd) {
+	return LOCKFILES.some((file) => existsSync(join(cwd, file)));
+}
+function applyPackageJsonCleanup(cwd, unit) {
+	const packageFiles = [...new Set(unit.findings.map((finding) => finding.file).filter((file) => /(^|\/)package\.json$/.test(file)))];
+	for (const file of packageFiles) {
+		const abs = join(cwd, file);
+		const json = JSON.parse(readFileSync(abs, "utf8"));
+		let removed = false;
+		for (const finding of unit.findings.filter((f) => f.file === file)) {
+			const name = packageNameFromFindingMessage(finding.message);
+			if (!name) return {
+				ok: false,
+				reason: "session-error",
+				detail: `Could not parse unused dependency name from finding: ${finding.message}`
+			};
+			if (json.dependencies?.[name] !== void 0) {
+				delete json.dependencies[name];
+				removed = true;
+			} else if (json.devDependencies?.[name] !== void 0) {
+				delete json.devDependencies[name];
+				removed = true;
+			} else return {
+				ok: false,
+				reason: "session-error",
+				detail: `Dependency "${name}" was not found in dependencies or devDependencies`
+			};
+			if (json.dependencies && Object.keys(json.dependencies).length === 0) delete json.dependencies;
+			if (json.devDependencies && Object.keys(json.devDependencies).length === 0) delete json.devDependencies;
+		}
+		if (removed) writeFileSync(abs, `${JSON.stringify(json, null, 2)}\n`);
+	}
+	if (hasLockfile(cwd)) return {
+		ok: false,
+		reason: "needs-lockfile-update",
+		detail: "package.json dependency cleanup requires a lockfile update, which is not implemented yet"
+	};
+	return { ok: true };
+}
+function applyTextChanges(fileName, changes) {
+	let text = readFileSync(fileName, "utf8");
+	for (const change of [...changes].sort((a, b) => b.span.start - a.span.start)) text = `${text.slice(0, change.span.start)}${change.newText}${text.slice(change.span.start + change.span.length)}`;
+	writeFileSync(fileName, text);
+}
+function organizeImports(cwd, files) {
+	const fileNames = [...new Set(files)].filter((file) => /\.[cm]?[jt]sx?$/.test(file)).map((file) => resolve(cwd, file)).filter(existsSync);
+	if (fileNames.length === 0) return { ok: true };
+	const compilerOptions = {
+		allowJs: true,
+		checkJs: false,
+		jsx: ts.JsxEmit.ReactJSX,
+		module: ts.ModuleKind.NodeNext,
+		moduleResolution: ts.ModuleResolutionKind.NodeNext,
+		target: ts.ScriptTarget.ES2022
+	};
+	const host = {
+		getCompilationSettings: () => compilerOptions,
+		getScriptFileNames: () => fileNames,
+		getScriptVersion: () => "0",
+		getScriptSnapshot: (fileName) => {
+			if (!existsSync(fileName)) return void 0;
+			return ts.ScriptSnapshot.fromString(readFileSync(fileName, "utf8"));
+		},
+		getCurrentDirectory: () => cwd,
+		getDefaultLibFileName: (options) => ts.getDefaultLibFilePath(options),
+		fileExists: ts.sys.fileExists,
+		readFile: ts.sys.readFile,
+		readDirectory: ts.sys.readDirectory,
+		directoryExists: ts.sys.directoryExists,
+		getDirectories: ts.sys.getDirectories
+	};
+	const service = ts.createLanguageService(host);
+	try {
+		for (const fileName of fileNames) {
+			const changes = service.organizeImports({
+				type: "file",
+				fileName
+			}, {}, {});
+			for (const fileChanges of changes) applyTextChanges(fileChanges.fileName, fileChanges.textChanges);
+		}
+		return { ok: true };
+	} finally {
+		service.dispose();
+	}
+}
+async function applyEslint(cwd, unit) {
+	const result$1 = await applyEslintFixesForFindings({
+		cwd,
+		files: unit.findings.map((finding) => finding.file),
+		loop: 0
+	}, unit.findings.filter((finding) => finding.tool === "sonarjs"));
+	if (!result$1.error) return { ok: true };
+	return {
+		ok: false,
+		reason: "session-error",
+		detail: result$1.error
+	};
+}
+async function applyStrategy(strategy, cwd, unit) {
+	switch (strategy) {
+		case "deterministic-package-json-cleanup": return applyPackageJsonCleanup(cwd, unit);
+		case "deterministic-ts-organize-imports": return organizeImports(cwd, unit.findings.map((finding) => finding.file));
+		case "deterministic-eslint-fix": return applyEslint(cwd, unit);
+	}
+}
+function makeDeterministicFixer(deps) {
+	return { async fix(unit) {
+		const strategies = strategiesFor(unit);
+		if (strategies.length === 0) return {
+			kept: false,
+			reason: "session-error",
+			detail: "No deterministic strategy was planned for this unit",
+			usage: ZERO_AI_USAGE$2
+		};
+		const before = snapshotUnitFiles(deps.cwd, unit.files);
+		for (const strategy of strategies) {
+			const applied = await applyStrategy(strategy, deps.cwd, unit);
+			if (!applied.ok) {
+				restoreSnapshot(deps.cwd, before);
+				return {
+					kept: false,
+					reason: applied.reason,
+					detail: applied.detail,
+					usage: ZERO_AI_USAGE$2
+				};
+			}
+		}
+		if (!unitChanged(deps.cwd, unit.files, before)) return {
+			kept: false,
+			reason: "session-error",
+			detail: "Deterministic fixer completed without changing owned files",
+			usage: ZERO_AI_USAGE$2
+		};
+		const outcome = await gateUnitChanges(unit, before, deps, {
+			usage: ZERO_AI_USAGE$2,
+			requireResolved: true
+		});
+		if (!outcome.kept) {
+			restoreSnapshot(deps.cwd, before);
+			return {
+				...outcome,
+				usage: ZERO_AI_USAGE$2
+			};
+		}
+		return {
+			kept: true,
+			usage: ZERO_AI_USAGE$2
+		};
+	} };
+}
+const makeDeterministicFixUnit = (deps) => makeDeterministicFixer(deps).fix;
+
+//#endregion
+//#region src/session/stream-json.ts
+const RATE_LIMIT_RE = /rate.?limit|overloaded|\b429\b/i;
+/** A finite, non-negative number, or 0 for anything else (missing/NaN/negative). */
+function num(v) {
+	return typeof v === "number" && Number.isFinite(v) && v >= 0 ? v : 0;
+}
+const zeroCost = () => ({
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0
+});
+function parseEvent(line) {
+	const trimmed = line.trim();
+	if (!trimmed) return null;
+	try {
+		return JSON.parse(trimmed);
+	} catch {
+		return null;
+	}
+}
+function extractUsage(event) {
+	const rawCost = event.total_cost_usd ?? event.cost_usd ?? event.costUSD;
+	const u = event.usage;
+	if (rawCost == null && u == null) return null;
+	return {
+		estimatedCostUsd: num(rawCost),
+		inputTokens: num(u?.input_tokens),
+		outputTokens: num(u?.output_tokens),
+		cacheCreationInputTokens: num(u?.cache_creation_input_tokens),
+		cacheReadInputTokens: num(u?.cache_read_input_tokens)
+	};
+}
+function extractEdits(event) {
+	const edits = [];
+	for (const block of event.message?.content ?? []) if (block.type === "tool_use" && block.name === "Write") {
+		const path = block.input?.["file_path"];
+		const contents = block.input?.["content"];
+		if (typeof path === "string" && typeof contents === "string") edits.push({
+			path,
+			contents
+		});
+	}
+	return edits;
+}
+/**
+* Parse Claude Code `--output-format stream-json` (newline-delimited JSON) into the
+* file edits it produced. `Write` tool uses carry full file contents. Malformed lines
+* are skipped. Rate-limit / error signals are surfaced for backoff.
+*/
+function parseStreamJson(raw) {
+	const edits = [];
+	let rateLimited = false;
+	let errored = false;
+	let usage = null;
+	for (const line of raw.split("\n")) {
+		const event = parseEvent(line);
+		if (!event) continue;
+		if (event.is_error) {
+			errored = true;
+			if (event.error && RATE_LIMIT_RE.test(event.error)) rateLimited = true;
+		}
+		if (event.type === "result") {
+			const u = extractUsage(event);
+			if (u) usage = u;
+		}
+		edits.push(...extractEdits(event));
+	}
+	return {
+		edits,
+		rateLimited,
+		errored,
+		usage: usage ?? zeroCost()
+	};
+}
+
+//#endregion
+//#region src/session/claude.ts
+/** Drives a real `claude -p` session and parses its stream-json into edits. */
+var ClaudeSession = class {
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async run(request) {
+		let stdout;
+		let exitCode;
+		try {
+			({stdout, exitCode} = await this.deps.spawn(request));
+		} catch (err) {
+			const error = err instanceof Error ? err.message : String(err);
+			return {
+				ok: false,
+				error,
+				rateLimited: false,
+				failureClass: classifySessionFailure(error),
+				usage: zeroUsage()
+			};
+		}
+		const parsed = parseStreamJson(stdout);
+		const usage = {
+			...parsed.usage,
+			sessions: 1
+		};
+		if (parsed.rateLimited) return {
+			ok: false,
+			error: "Claude session rate-limited",
+			rateLimited: true,
+			failureClass: "rate-limit",
+			usage
+		};
+		if (exitCode !== 0 || parsed.errored) {
+			const error = `Claude session failed (exit ${exitCode})`;
+			return {
+				ok: false,
+				error,
+				rateLimited: false,
+				failureClass: classifySessionFailure(error, exitCode),
+				usage
+			};
+		}
+		return {
+			ok: true,
+			edits: parsed.edits,
+			usage
+		};
+	}
+};
+const TIMEOUT_OR_KILLED_RE = /\b(timed?\s*out|timeout|killed|terminated|sigterm|sigkill|exit\s+143)\b/i;
+function classifySessionFailure(error, exitCode) {
+	if (/rate.?limit|overloaded|\b429\b/i.test(error)) return "rate-limit";
+	if (exitCode === 143 || exitCode === 124 || TIMEOUT_OR_KILLED_RE.test(error)) return "tool-timeout";
+	return "model-tool-failure";
+}
+
+//#endregion
+//#region src/findings/revert-detail.ts
+const MAX_REVERT_DETAIL_LENGTH = 500;
+/** Keep persisted diagnostics readable and bounded for report.json. */
+function normalizeRevertDetail(detail) {
+	const trimmed = detail?.replace(/\r\n?/g, "\n").split("\n").map((line) => line.replace(/[ \t\f\v]+/g, " ").trim()).join("\n").trim();
+	if (!trimmed) return void 0;
+	if (trimmed.length <= MAX_REVERT_DETAIL_LENGTH) return trimmed;
+	return `${trimmed.slice(0, MAX_REVERT_DETAIL_LENGTH - 3)}...`;
+}
+
+//#endregion
+//#region src/findings/store.ts
+const StoreSchema = z.array(FindingSchema);
+/** Holds Finding records keyed by fingerprint and tracks their state across loops. */
+var FindingStore = class FindingStore {
+	findings = new Map();
+	add(finding) {
+		this.findings.set(finding.id, finding);
+	}
+	get(id) {
+		return this.findings.get(id);
+	}
+	all() {
+		return [...this.findings.values()];
+	}
+	/**
+	* Diff a fresh audit against what the store knows, by fingerprint:
+	*   - known but absent now  → marked `fixed`
+	*   - present both loops     → stays as-is, carries attempts/history, bumps lastSeenLoop
+	*   - new fingerprint         → added `pending`, firstSeenLoop = loop
+	*/
+	reconcile(fresh, loop) {
+		const freshIds = new Set(fresh.map((f) => f.id));
+		for (const known of this.findings.values()) if (!freshIds.has(known.id)) {
+			known.status = "fixed";
+			delete known.revertReason;
+			delete known.revertDetail;
+			delete known.finalFailureClass;
+		}
+		for (const incoming of fresh) {
+			const known = this.findings.get(incoming.id);
+			if (known) {
+				known.lastSeenLoop = loop;
+				if (known.status === "fixed" || known.status === "reverted") known.status = "pending";
+			} else this.findings.set(incoming.id, {
+				...incoming,
+				firstSeenLoop: loop,
+				lastSeenLoop: loop
+			});
+		}
+	}
+	/** Findings matching every provided filter (track / status / file). */
+	query(filter) {
+		return this.all().filter((f) => (filter.track === void 0 || f.track === filter.track) && (filter.status === void 0 || f.status === filter.status) && (filter.file === void 0 || f.file === filter.file));
+	}
+	/** Record a failed fix attempt against a finding's fingerprint. */
+	recordFailedAttempt(id, reason, detail, failureClass) {
+		const finding = this.findings.get(id);
+		if (!finding) return;
+		finding.attempts += 1;
+		finding.revertReason = reason;
+		if (failureClass) finding.finalFailureClass = failureClass;
+		const normalizedDetail = normalizeRevertDetail(detail);
+		if (normalizedDetail) finding.revertDetail = normalizedDetail;
+		else delete finding.revertDetail;
+	}
+	recordFailureWithoutAttempt(id, reason, detail, failureClass) {
+		const finding = this.findings.get(id);
+		if (!finding) return;
+		finding.revertReason = reason;
+		finding.finalFailureClass = failureClass;
+		const normalizedDetail = normalizeRevertDetail(detail);
+		if (normalizedDetail) finding.revertDetail = normalizedDetail;
+		else delete finding.revertDetail;
+	}
+	/** A finding's per-issue budget is exhausted once it has used `budget` attempts. */
+	isBudgetExhausted(id, budget) {
+		const finding = this.findings.get(id);
+		if (!finding) return false;
+		return finding.attempts >= budget;
+	}
+	/** Serialize to a plain array — `report.json`'s findings section. */
+	toJSON() {
+		return this.all();
+	}
+	/** Rebuild a store from serialized findings, validating each against the schema. */
+	static fromJSON(data) {
+		const findings = StoreSchema.parse(data);
+		const store = new FindingStore();
+		for (const finding of findings) store.add(finding);
+		return store;
+	}
+};
+
+//#endregion
+//#region src/findings/router.ts
+function isKnownTool(tool) {
+	return TOOLS.includes(tool);
+}
+/** Split findings into their assigned fix tracks; unknown tools are skipped with a warning. */
+function route(findings, opts = {}) {
+	const result$1 = {
+		aiFix: [],
+		deterministic: [],
+		reportOnly: [],
+		skipped: []
+	};
+	for (const finding of findings) {
+		if (!isKnownTool(finding.tool)) {
+			opts.warn?.(`Skipping finding from unknown tool "${finding.tool}"`);
+			result$1.skipped.push(finding);
+			continue;
+		}
+		switch (finding.track) {
+			case "ai-fix":
+				result$1.aiFix.push(finding);
+				break;
+			case "deterministic":
+				result$1.deterministic.push(finding);
+				break;
+			case "report-only":
+				result$1.reportOnly.push(finding);
+				break;
+		}
+	}
+	return result$1;
+}
+
+//#endregion
+//#region src/output/events.ts
+/** Minimal synchronous event bus. With no listener, emit is a no-op (silent mode). */
+var EventBus = class {
+	listeners = [];
+	on(listener) {
+		this.listeners.push(listener);
+		return () => {
+			const i = this.listeners.indexOf(listener);
+			if (i >= 0) this.listeners.splice(i, 1);
+		};
+	}
+	emit(event) {
+		for (const listener of this.listeners) listener(event);
+	}
+};
+
+//#endregion
+//#region src/report/retry-id.ts
+const RETRY_ID_LENGTH = 6;
+const RETRY_ID_ALPHABET = "23456789abcdefghijkmnpqrstuvwxyz";
+const makeRetryId = customAlphabet(RETRY_ID_ALPHABET, RETRY_ID_LENGTH);
+function hasUsableRetryId(finding) {
+	return typeof finding.retryId === "string" && finding.retryId.length > 0;
+}
+function nextUniqueRetryId(used, generate) {
+	for (let attempt = 0; attempt < 100; attempt++) {
+		const retryId = generate();
+		if (!used.has(retryId)) return retryId;
+	}
+	throw new Error("Could not generate a unique retry id");
+}
+/** Ensure every finding in a persisted report has a human-facing id unique to that report. */
+function assignRetryIds(findings, generate = makeRetryId) {
+	const counts = new Map();
+	for (const finding of findings) {
+		if (!hasUsableRetryId(finding)) continue;
+		counts.set(finding.retryId, (counts.get(finding.retryId) ?? 0) + 1);
+	}
+	const used = new Set();
+	return findings.map((finding) => {
+		if (hasUsableRetryId(finding) && counts.get(finding.retryId) === 1) {
+			used.add(finding.retryId);
+			return finding;
+		}
+		const retryId = nextUniqueRetryId(used, generate);
+		used.add(retryId);
+		return {
+			...finding,
+			retryId
+		};
+	});
+}
+
+//#endregion
+//#region src/report/schema.ts
+const DepBumpSchema = z.object({
+	findingId: z.string(),
+	remediation: z.string()
+});
+/** Per-scanner outcome for a run: did it run clean, get skipped, or fail (with a reason). */
+const ScannerStatusSchema = z.object({
+	tool: z.enum(TOOLS),
+	status: z.enum([
+		"ran",
+		"skipped",
+		"failed"
+	]),
+	reason: z.string().optional()
+});
+const BehaviorChangeSchema = z.object({
+	findingId: z.string(),
+	file: z.string(),
+	note: z.string()
+});
+/**
+* Estimated AI cost/usage for a run. `estimatedCostUsd` is Claude's client-side
+* `total_cost_usd` estimate — never authoritative billing.
+*/
+const AiUsageSchema = z.object({
+	estimatedCostUsd: z.number().nonnegative(),
+	inputTokens: z.number().nonnegative(),
+	outputTokens: z.number().nonnegative(),
+	cacheCreationInputTokens: z.number().nonnegative(),
+	cacheReadInputTokens: z.number().nonnegative(),
+	sessions: z.number().int().nonnegative()
+});
+const RunScopeSchema = z.object({
+	type: z.enum(["all", "scoped"]),
+	fileCount: z.number().int().nonnegative().optional()
+}).default({ type: "scoped" });
+const FixPolicySchema = z.object({
+	includeTests: z.boolean().default(false),
+	include: z.array(z.string()).default([]),
+	exclude: z.array(z.string()).default([]),
+	includeGenerated: z.boolean().default(false),
+	includeFixtures: z.boolean().default(false)
+}).default({
+	includeTests: false,
+	include: [],
+	exclude: [],
+	includeGenerated: false,
+	includeFixtures: false
+});
+const FailureSummarySchema = z.object({
+	blockingSecrets: z.number().int().nonnegative(),
+	unresolvedEligible: z.number().int().nonnegative(),
+	toolFailures: z.number().int().nonnegative(),
+	failedDeterministic: z.number().int().nonnegative(),
+	sessionErrors: z.number().int().nonnegative(),
+	regressions: z.number().int().nonnegative(),
+	typecheckFailures: z.number().int().nonnegative(),
+	testFailures: z.number().int().nonnegative()
+});
+const ZERO_AI_USAGE$1 = {
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+};
+const ZERO_FAILURE_SUMMARY = {
+	blockingSecrets: 0,
+	unresolvedEligible: 0,
+	toolFailures: 0,
+	failedDeterministic: 0,
+	sessionErrors: 0,
+	regressions: 0,
+	typecheckFailures: 0,
+	testFailures: 0
+};
+const ReportSchema = z.object({
+	findings: z.array(FindingSchema),
+	secrets: z.array(FindingSchema),
+	reportOnly: z.array(FindingSchema).default([]),
+	depBumps: z.array(DepBumpSchema),
+	flaggedBehaviorChanges: z.array(BehaviorChangeSchema),
+	scannerStatuses: z.array(ScannerStatusSchema).default([]),
+	runScope: RunScopeSchema,
+	fixPolicy: FixPolicySchema,
+	aiUsage: AiUsageSchema.default(ZERO_AI_USAGE$1),
+	failureSummary: FailureSummarySchema.default(ZERO_FAILURE_SUMMARY),
+	unresolvedEligibleCount: z.number().int().nonnegative().default(0),
+	loops: z.number().int().nonnegative(),
+	durationMs: z.number().nonnegative(),
+	exitStatus: z.number().int()
+});
+
+//#endregion
+//#region src/report/builder.ts
+const ZERO_AI_USAGE = {
+	estimatedCostUsd: 0,
+	inputTokens: 0,
+	outputTokens: 0,
+	cacheCreationInputTokens: 0,
+	cacheReadInputTokens: 0,
+	sessions: 0
+};
+const DEFAULT_FIX_POLICY = {
+	includeTests: false,
+	include: [],
+	exclude: [],
+	includeGenerated: false,
+	includeFixtures: false
+};
+function isUnresolvedEligibleFinding(finding, fixPolicy = DEFAULT_FIX_POLICY) {
+	return finding.category !== "secret" && finding.track === "ai-fix" && finding.status !== "fixed" && finding.inScope !== false && finding.inReportScope !== false && finding.inFixScope !== false && (fixPolicy.includeTests || !isTestFile(finding.file));
+}
+function deriveReportFields(findings, scannerStatuses, fixPolicy = DEFAULT_FIX_POLICY) {
+	const unresolvedEligible = findings.filter((f) => isUnresolvedEligibleFinding(f, fixPolicy));
+	const blockingUnresolved = unresolvedEligible.filter((f) => f.status === "reverted" || f.status === "unfixable");
+	const pendingUnresolved = unresolvedEligible.filter((f) => f.status !== "reverted" && f.status !== "unfixable");
+	const failureSummary = {
+		blockingSecrets: findings.filter((f) => f.category === "secret" && f.status !== "fixed").length,
+		unresolvedEligible: pendingUnresolved.length,
+		toolFailures: scannerStatuses.filter((s) => s.status === "failed").length,
+		failedDeterministic: findings.filter((f) => f.track === "deterministic" && f.status !== "fixed").length,
+		sessionErrors: blockingUnresolved.filter((f) => f.revertReason === "session-error").length,
+		regressions: blockingUnresolved.filter((f) => f.revertReason === "regression").length,
+		typecheckFailures: blockingUnresolved.filter((f) => f.revertReason === "typecheck").length,
+		testFailures: blockingUnresolved.filter((f) => f.revertReason === "broke-test").length
+	};
+	return {
+		secrets: findings.filter((f) => f.category === "secret"),
+		reportOnly: findings.filter((f) => f.track === "report-only" && f.category !== "secret"),
+		depBumps: findings.filter((f) => f.track === "deterministic" && f.remediation !== void 0).map((f) => ({
+			findingId: f.id,
+			remediation: f.remediation
+		})),
+		failureSummary,
+		unresolvedEligibleCount: pendingUnresolved.length
+	};
+}
+/** Accumulates per-finding outcomes and run metadata into a validated report.json. */
+var ReportBuilder = class {
+	outcomes = new Map();
+	flagged = [];
+	scannerStatuses = [];
+	constructor(generateRetryId) {
+		this.generateRetryId = generateRetryId;
+	}
+	/** Record (or update) a finding's final outcome by fingerprint. */
+	recordOutcome(finding) {
+		const normalized = normalizeRevertDetail(finding.revertDetail);
+		const outcome = { ...finding };
+		if (normalized) outcome.revertDetail = normalized;
+		else delete outcome.revertDetail;
+		this.outcomes.set(finding.id, outcome);
+	}
+	recordOutcomes(findings) {
+		for (const f of findings) this.recordOutcome(f);
+	}
+	/** Flag a semantic test change for human review. */
+	flagBehaviorChange(entry) {
+		this.flagged.push(entry);
+	}
+	/** Record per-scanner run outcomes (ran / skipped / failed) for the scanner-status line. */
+	recordScannerStatuses(statuses) {
+		this.scannerStatuses = statuses;
+	}
+	build(meta) {
+		const findings = assignRetryIds([...this.outcomes.values()], this.generateRetryId);
+		const fixPolicy = meta.fixPolicy ?? DEFAULT_FIX_POLICY;
+		const derived = deriveReportFields(findings, this.scannerStatuses, fixPolicy);
+		const report = {
+			findings,
+			secrets: derived.secrets,
+			reportOnly: derived.reportOnly,
+			depBumps: derived.depBumps,
+			flaggedBehaviorChanges: this.flagged,
+			scannerStatuses: this.scannerStatuses,
+			runScope: meta.runScope ?? { type: "scoped" },
+			fixPolicy,
+			aiUsage: meta.aiUsage ?? ZERO_AI_USAGE,
+			failureSummary: derived.failureSummary,
+			unresolvedEligibleCount: derived.unresolvedEligibleCount,
+			loops: meta.loops,
+			durationMs: meta.durationMs,
+			exitStatus: meta.exitStatus
+		};
+		return ReportSchema.parse(report);
+	}
+};
+
+//#endregion
+//#region src/orchestrator.ts
+/** AI-fixable findings still pending and under their retry budget. */
+function pendingUnderBudget(store, budget) {
+	return store.query({
+		track: "ai-fix",
+		status: "pending"
+	}).filter((f) => f.attempts < budget);
+}
+function repairConfig(config) {
+	return {
+		...config.fix,
+		includeTests: config.includeTests
+	};
+}
+function plannedRepairs(findings, config, cwd) {
+	return findings.map((finding) => planRepair({
+		finding,
+		cwd,
+		scope: finding,
+		config: repairConfig(config),
+		flowPath: finding.flowPath,
+		file: finding.file,
+		category: finding.category,
+		rule: finding.rule,
+		tool: finding.tool
+	}));
+}
+function repairFiles(finding) {
+	return [...new Set([finding.file, ...(finding.flowPath ?? []).map((step) => step.file)])];
+}
+function needsAllRepairFilesInScope(finding) {
+	return finding.tool === "jscpd" && finding.rule === "duplicate-code" && repairFiles(finding).length > 1;
+}
+function allRepairFilesInScope(finding, inScope) {
+	return repairFiles(finding).every((file) => inScope([{
+		...finding,
+		file,
+		flowPath: void 0
+	}]).length > 0);
+}
+function dispatchableUnits(plans) {
+	return planWorkFromRepairs(plans).filter((unit) => unit.strategy !== void 0 && isAiDispatchStrategy(unit.strategy));
+}
+function isDeterministicStrategy(strategy) {
+	return strategy?.startsWith("deterministic-") === true;
+}
+function deterministicUnits(plans) {
+	return planWorkFromRepairs(plans.filter((plan) => isDeterministicStrategy(plan.strategy)));
+}
+function statusAttemptSnapshot(store) {
+	return store.all().map((f) => `${f.id}:${f.status}:${f.attempts}`).sort().join("|");
+}
+function classFromOutcome(outcome) {
+	if (outcome.failureClass) return outcome.failureClass;
+	switch (outcome.reason) {
+		case "regression": return "regression";
+		case "typecheck": return "typecheck";
+		case "broke-test": return "broke-test";
+		case "suppression": return "suppression";
+		case "needs-lockfile-update": return "needs-lockfile-update";
+		case "session-error": return "model-tool-failure";
+		default: return void 0;
+	}
+}
+function isTerminalNoBurnFailure(outcome) {
+	return outcome.failureClass === "tool-timeout" || outcome.failureClass === "no-op";
+}
+function applyOutcome(store, unit, outcome, budget) {
+	for (const finding of unit.findings) if (outcome.kept) {
+		finding.status = "fixed";
+		delete finding.revertReason;
+		delete finding.revertDetail;
+		delete finding.finalFailureClass;
+	} else {
+		const reason = outcome.reason ?? "session-error";
+		const failureClass = classFromOutcome(outcome);
+		if (failureClass === "rate-limit") store.recordFailureWithoutAttempt(finding.id, reason, outcome.detail, failureClass);
+		else if (isTerminalNoBurnFailure(outcome)) {
+			store.recordFailureWithoutAttempt(finding.id, reason, outcome.detail, failureClass);
+			finding.status = "unfixable";
+		} else {
+			store.recordFailedAttempt(finding.id, reason, outcome.detail, failureClass);
+			if (store.isBudgetExhausted(finding.id, budget)) finding.status = "unfixable";
+		}
+	}
+}
+function splitUnit(unit) {
+	if (unit.findings.length <= 1) return [];
+	return unit.findings.map((finding) => ({
+		...unit,
+		findings: [finding],
+		files: [...unit.files],
+		verificationTargets: unit.verificationTargets ? [...unit.verificationTargets] : void 0,
+		strategies: unit.strategies ? [...unit.strategies] : void 0
+	}));
+}
+function shouldSplitAfterFailure(unit, outcome) {
+	return unit.findings.length > 1 && (outcome.failureClass === "tool-timeout" || outcome.failureClass === "regression");
+}
+/**
+* The scan → fix → re-audit loop. Terminates on the first of: converged (0 fixable),
+* no-progress (no dispatchable units or an attempted loop changed no attempt/status
+* state), per-issue budget exhaustion (mark unfixable, keep going), or max-loops.
+*/
+async function orchestrate(deps) {
+	const { config } = deps;
+	const inScope = deps.inScope ?? ((f) => f);
+	const bus = deps.bus ?? new EventBus();
+	const store = new FindingStore();
+	const secrets = new Map();
+	const reportOnly = new Map();
+	const deterministic = new Map();
+	let loop = 0;
+	let fixingLoops = 0;
+	let termination = "converged";
+	let scannerStatuses = [];
+	let runScope = { type: "scoped" };
+	let usage = zeroUsage();
+	while (true) {
+		loop++;
+		bus.emit({
+			type: "scan-start",
+			loop
+		});
+		const audited = await deps.audit(loop);
+		scannerStatuses = audited.scannerStatuses ?? scannerStatuses;
+		if (loop === 1) runScope = audited.scanned == null ? { type: "all" } : {
+			type: "scoped",
+			fileCount: audited.scanned
+		};
+		if (loop === 1 && audited.allScannersMissing) {
+			bus.emit({
+				type: "done",
+				exitStatus: 1
+			});
+			return result("no-scanners", fixingLoops, 1, store, secrets, reportOnly, deterministic, scannerStatuses, runScope, usage);
+		}
+		store.reconcile(audited.findings, loop);
+		const scopedIds = new Set(inScope(store.all()).map((f) => f.id));
+		for (const f of store.all()) {
+			f.inScope = scopedIds.has(f.id);
+			markScope(f, {
+				...config.fix,
+				includeTests: config.includeTests,
+				inChangedScope: f.inScope === true && (!needsAllRepairFilesInScope(f) || allRepairFilesInScope(f, inScope))
+			});
+		}
+		for (const plan of plannedRepairs(store.all(), config, deps.cwd)) applyRepairPlanToFinding(plan);
+		const scopedFindings = inScope(audited.findings);
+		const routed = route(audited.findings);
+		for (const finding of routed.reportOnly) if (finding.category === "secret") secrets.set(finding.id, finding);
+		else reportOnly.set(finding.id, finding);
+		for (const finding of routed.deterministic) deterministic.set(finding.id, finding);
+		bus.emit({
+			type: "audit",
+			loop,
+			findings: scopedFindings.length,
+			files: new Set(scopedFindings.map((f) => f.file)).size,
+			scanned: audited.scanned
+		});
+		if (loop === 1 && audited.findings.length === 0) {
+			termination = "converged";
+			break;
+		}
+		const pending = pendingUnderBudget(store, config.perIssueBudget);
+		if (pending.length === 0) {
+			termination = "converged";
+			break;
+		}
+		const firstPlans = plannedRepairs(pending, config, deps.cwd);
+		const deterministicWork = deterministicUnits(firstPlans);
+		const aiWork = dispatchableUnits(firstPlans);
+		if (deterministicWork.length === 0 && aiWork.length === 0) {
+			termination = "no-progress";
+			break;
+		}
+		if (fixingLoops >= config.maxLoops) {
+			termination = "max-loops";
+			break;
+		}
+		fixingLoops++;
+		const beforeAttemptState = statusAttemptSnapshot(store);
+		if (deterministicWork.length > 0) {
+			bus.emit({
+				type: "loop-start",
+				loop,
+				files: deterministicWork.map((u) => u.file),
+				concurrency: 1
+			});
+			const deterministicFixUnit = deps.deterministicFixUnit ?? (async () => ({
+				kept: false,
+				reason: "session-error",
+				detail: "No deterministic fixer configured",
+				usage: zeroUsage()
+			}));
+			const outcomes$1 = [];
+			for (const unit of deterministicWork) {
+				bus.emit({
+					type: "file-start",
+					loop,
+					file: unit.file,
+					rule: unit.findings[0]?.rule
+				});
+				const outcome = await deterministicFixUnit(unit, loop);
+				bus.emit({
+					type: "file-result",
+					loop,
+					file: unit.file,
+					outcome: outcome.kept ? "fixed" : "reverted",
+					reason: outcome.reason
+				});
+				outcomes$1.push({
+					unit,
+					outcome
+				});
+			}
+			for (const { unit, outcome } of outcomes$1) {
+				applyOutcome(store, unit, outcome, config.perIssueBudget);
+				if (outcome.usage) usage = addUsage(usage, outcome.usage);
+			}
+			bus.emit({
+				type: "loop-complete",
+				loop,
+				fixed: outcomes$1.filter((o) => o.outcome.kept).length
+			});
+		}
+		const units = dispatchableUnits(plannedRepairs(pendingUnderBudget(store, config.perIssueBudget), config, deps.cwd));
+		if (units.length === 0) {
+			if (statusAttemptSnapshot(store) === beforeAttemptState) {
+				termination = "no-progress";
+				break;
+			}
+			continue;
+		}
+		bus.emit({
+			type: "loop-start",
+			loop,
+			files: units.map((u) => u.file),
+			concurrency: config.maxSessions
+		});
+		const outcomesNested = await dispatch(units, async (unit) => {
+			bus.emit({
+				type: "file-start",
+				loop,
+				file: unit.file,
+				rule: unit.findings[0]?.rule
+			});
+			const outcome = await deps.fixUnit(unit, loop);
+			bus.emit({
+				type: "file-result",
+				loop,
+				file: unit.file,
+				outcome: outcome.kept ? "fixed" : "reverted",
+				reason: outcome.reason
+			});
+			const smaller = shouldSplitAfterFailure(unit, outcome) ? splitUnit(unit) : [];
+			if (smaller.length === 0) return [{
+				unit,
+				outcome,
+				apply: true
+			}];
+			const splitOutcomes = [{
+				unit,
+				outcome,
+				apply: false
+			}];
+			for (const split of smaller) {
+				bus.emit({
+					type: "file-start",
+					loop,
+					file: split.file,
+					rule: split.findings[0]?.rule
+				});
+				const splitOutcome = await deps.fixUnit(split, loop);
+				bus.emit({
+					type: "file-result",
+					loop,
+					file: split.file,
+					outcome: splitOutcome.kept ? "fixed" : "reverted",
+					reason: splitOutcome.reason
+				});
+				splitOutcomes.push({
+					unit: split,
+					outcome: splitOutcome,
+					apply: true
+				});
+				if (splitOutcome.failureClass === "rate-limit") break;
+			}
+			return splitOutcomes;
+		}, { concurrency: config.maxSessions });
+		const outcomes = outcomesNested.flat();
+		for (const { unit, outcome, apply } of outcomes) {
+			if (apply) applyOutcome(store, unit, outcome, config.perIssueBudget);
+			if (outcome.usage) usage = addUsage(usage, outcome.usage);
+		}
+		bus.emit({
+			type: "loop-complete",
+			loop,
+			fixed: outcomes.filter((o) => o.apply && o.outcome.kept).length
+		});
+		if (outcomes.some((o) => o.outcome.failureClass === "rate-limit")) {
+			termination = "retryable-infrastructure";
+			break;
+		}
+		if (statusAttemptSnapshot(store) === beforeAttemptState) {
+			termination = "no-progress";
+			break;
+		}
+	}
+	const derived = deriveReportFields(store.all(), scannerStatuses, {
+		includeTests: Boolean(config.includeTests),
+		include: config.fix?.include ?? [],
+		exclude: config.fix?.exclude ?? [],
+		includeGenerated: Boolean(config.fix?.includeGenerated),
+		includeFixtures: Boolean(config.fix?.includeFixtures)
+	});
+	const hasBlockingFailure = derived.failureSummary.blockingSecrets > 0 || derived.failureSummary.unresolvedEligible > 0 || derived.failureSummary.toolFailures > 0 || derived.failureSummary.failedDeterministic > 0 || derived.failureSummary.sessionErrors > 0 || derived.failureSummary.regressions > 0 || derived.failureSummary.typecheckFailures > 0 || derived.failureSummary.testFailures > 0;
+	const exitStatus = termination === "retryable-infrastructure" ? 75 : hasBlockingFailure ? 1 : 0;
+	bus.emit({
+		type: "done",
+		exitStatus
+	});
+	return result(termination, fixingLoops, exitStatus, store, secrets, reportOnly, deterministic, scannerStatuses, runScope, usage);
+}
+function result(termination, loops, exitStatus, store, secrets, reportOnly, deterministic, scannerStatuses, runScope, usage) {
+	return {
+		termination,
+		loops,
+		exitStatus: termination === "no-scanners" ? 1 : exitStatus,
+		findings: store.all(),
+		secrets: [...secrets.values()],
+		reportOnly: [...reportOnly.values()],
+		deterministic: [...deterministic.values()],
+		depBumps: [...deterministic.values()],
+		scannerStatuses,
+		runScope,
+		usage
+	};
+}
+
+//#endregion
+//#region src/output/format.ts
+/**
+* Human duration for the summary: sub-minute reads as "2.4s", longer as "3m 12s".
+* Deterministic — no locale, no rounding surprises.
+*/
+function formatDuration(ms) {
+	const totalSeconds = ms / 1e3;
+	if (totalSeconds < 60) return `${totalSeconds.toFixed(1)}s`;
+	const minutes = Math.floor(totalSeconds / 60);
+	const seconds = Math.round(totalSeconds % 60);
+	if (seconds === 60) return `${minutes + 1}m 0s`;
+	return `${minutes}m ${seconds}s`;
+}
+/** Stopwatch form for the live per-file timer: "0:42", "1:05". */
+function formatClock(ms) {
+	const totalSeconds = Math.floor(ms / 1e3);
+	const minutes = Math.floor(totalSeconds / 60);
+	const seconds = totalSeconds % 60;
+	return `${minutes}:${String(seconds).padStart(2, "0")}`;
+}
+/** Plain-language reason a fix was reverted — the most useful thing for a human. */
+function reasonLabel(reason) {
+	switch (reason) {
+		case "broke-test": return "broke tests";
+		case "typecheck": return "broke typecheck";
+		case "suppression": return "added a suppression";
+		case "regression": return "introduced a new issue";
+		case "session-error": return "the fix session failed";
+		case "needs-lockfile-update": return "needs lockfile update";
+		default: return "couldn't fix";
+	}
+}
+
+//#endregion
+//#region src/output/theme.ts
+const PALETTE = {
+	accent: "#7AA2F7",
+	accentTo: "#9D7CD8",
+	green: "#9ECE6A",
+	amber: "#E0AF68",
+	red: "#E88388"
+};
+const UNICODE_GLYPHS = {
+	fixed: "✔",
+	reverted: "↩",
+	left: "–",
+	scanned: "✔",
+	bullet: "·",
+	rule: "─",
+	arrow: "→",
+	spinner: [
+		"⠋",
+		"⠙",
+		"⠹",
+		"⠸",
+		"⠼",
+		"⠴",
+		"⠦",
+		"⠧",
+		"⠇",
+		"⠏"
+	]
+};
+const ASCII_GLYPHS = {
+	fixed: "+",
+	reverted: "<",
+	left: "-",
+	scanned: "+",
+	bullet: "·",
+	rule: "-",
+	arrow: ">",
+	spinner: [
+		"-",
+		"\\",
+		"|",
+		"/"
+	]
+};
+/** Resolve the chalk color level: 0 (off) when color is disabled, else the terminal's. */
+function chalkLevel(env) {
+	if (!env.color) return 0;
+	const detected = supportsColor ? supportsColor.level : 0;
+	return detected > 0 ? detected : 1;
+}
+function makeTheme(env) {
+	const c = new Chalk({ level: chalkLevel(env) });
+	const glyph = env.unicode ? UNICODE_GLYPHS : ASCII_GLYPHS;
+	const accent = (s) => c.hex(PALETTE.accent)(s);
+	const wordmark = () => {
+		if (!env.color) return "tend";
+		if (c.level >= 3) return gradient([PALETTE.accent, PALETTE.accentTo])("tend");
+		return accent("tend");
+	};
+	return {
+		accent,
+		fixed: (s) => c.hex(PALETTE.green)(s),
+		reverted: (s) => c.hex(PALETTE.amber)(s),
+		error: (s) => c.hex(PALETTE.red)(s),
+		dim: (s) => c.dim(s),
+		bold: (s) => c.bold(s),
+		plain: (s) => s,
+		wordmark,
+		glyph
+	};
+}
+
+//#endregion
+//#region src/output/summary.ts
+const RULE_WIDTH = 49;
+const PLAIN_THEME = makeTheme({
+	color: false,
+	interactive: false,
+	unicode: true
+});
+/** A finding the developer can't read as part of their changes (scanned wide, out of scope). */
+function isOutOfScope(f) {
+	return f.inScope === false && f.category !== "secret";
+}
+function bucket(report) {
+	const fixed = [];
+	const skippedTests = [];
+	const generated = [];
+	const fixtures = [];
+	const outOfScope = [];
+	const reportOnly = [];
+	const timedOutSessionError = [];
+	const regressed = [];
+	const typecheckFailed = [];
+	const testFailed = [];
+	const retryExhausted = [];
+	const unresolvedEligible = [];
+	const secrets = [];
+	for (const f of report.findings) if (f.category === "secret") secrets.push(f);
+	else if (isOutOfScope(f)) outOfScope.push(f);
+	else if (f.inReportScope === false) continue;
+	else if (f.status === "fixed") fixed.push(f);
+	else if (f.status === "reverted" || f.status === "unfixable") if (f.revertReason === "session-error" || f.finalFailureClass === "tool-timeout") timedOutSessionError.push(f);
+	else if (f.revertReason === "regression") regressed.push(f);
+	else if (f.revertReason === "typecheck") typecheckFailed.push(f);
+	else if (f.revertReason === "broke-test") testFailed.push(f);
+	else retryExhausted.push(f);
+	else {
+		const pending = classifyPending(f, report);
+		if (pending === "skippedTests") skippedTests.push(f);
+		else if (pending === "generated") generated.push(f);
+		else if (pending === "fixtures") fixtures.push(f);
+		else if (pending === "outOfScope") outOfScope.push(f);
+		else if (pending === "reportOnly") reportOnly.push(f);
+		else unresolvedEligible.push(f);
+	}
+	return {
+		fixed,
+		skippedTests,
+		generated,
+		fixtures,
+		outOfScope,
+		reportOnly,
+		timedOutSessionError,
+		regressed,
+		typecheckFailed,
+		testFailed,
+		retryExhausted,
+		unresolvedEligible,
+		secrets
+	};
+}
+function classifyPending(f, report) {
+	if (f.inFixScope === false) {
+		if (f.scopeExclusionReason === "generated") return "generated";
+		if (f.scopeExclusionReason === "fixtures") return "fixtures";
+		if (f.scopeExclusionReason === "tests") return "skippedTests";
+		return "outOfScope";
+	}
+	if (f.track === "report-only") return "reportOnly";
+	if (f.track === "ai-fix" && !report.fixPolicy.includeTests && isTestFile(f.file)) return "skippedTests";
+	return "left";
+}
+function couldntFixFindings(b) {
+	return [
+		...b.timedOutSessionError,
+		...b.regressed,
+		...b.typecheckFailed,
+		...b.testFailed,
+		...b.retryExhausted
+	];
+}
+/**
+* The final summary: a real headline (fixed / couldn't-fix / left / secrets + elapsed),
+* grouped by what the user must do, with revert reasons surfaced per file, and ending in
+* next-step affordances. Brief by default; `--verbose` adds the full per-finding listing.
+*/
+function renderSummary(report, opts = {}) {
+	const theme = opts.theme ?? PLAIN_THEME;
+	const { glyph } = theme;
+	const b = bucket(report);
+	if (opts.plain) return renderPlainSummary(report, b, theme, Boolean(opts.verbose));
+	const lines$1 = [];
+	lines$1.push(theme.dim(glyph.rule.repeat(RULE_WIDTH)));
+	lines$1.push(`done ${theme.dim(`${glyph.bullet} ${report.loops} fix passes ${glyph.bullet} ${formatDuration(report.durationMs)}`)}`);
+	lines$1.push("");
+	lines$1.push(theme.bold("run summary"));
+	lines$1.push(renderOverallTable(report, b, theme));
+	lines$1.push("");
+	lines$1.push(theme.bold("scanner breakdown"));
+	lines$1.push(renderScannerBreakdownTable(report, theme));
+	const couldntFix = couldntFixFindings(b);
+	if (couldntFix.length > 0) {
+		lines$1.push("");
+		lines$1.push(theme.bold("couldn't fix"));
+		lines$1.push(renderCouldntFixSummaryTable(couldntFix));
+		if (opts.verbose) {
+			lines$1.push("");
+			lines$1.push(theme.bold("couldn't fix retry details"));
+			lines$1.push(renderCouldntFixDetailTable(couldntFix, theme));
+		}
+	}
+	if (b.secrets.length > 0) {
+		lines$1.push("");
+		lines$1.push(theme.bold("secrets"));
+		lines$1.push(renderSecretsTable(b.secrets, theme));
+	}
+	if (opts.verbose) lines$1.push("", renderVerbose(report, theme));
+	lines$1.push("");
+	lines$1.push(theme.bold("next commands"));
+	lines$1.push(renderNextCommandsTable());
+	return lines$1.join("\n");
+}
+function renderPlainSummary(report, b, theme, verbose) {
+	const lines$1 = [
+		`done ${theme.glyph.bullet} ${report.loops} fix passes ${theme.glyph.bullet} ${formatDuration(report.durationMs)}`,
+		[
+			"summary",
+			`fixed=${b.fixed.length}`,
+			`couldntFix=${couldntFixFindings(b).length}`,
+			`skippedTests=${b.skippedTests.length}`,
+			`reportOnly=${b.reportOnly.length}`,
+			`left=${b.unresolvedEligible.length}`,
+			`secrets=${b.secrets.length}`,
+			`generated=${b.generated.length}`,
+			`fixtures=${b.fixtures.length}`,
+			`outOfScope=${b.outOfScope.length}`,
+			`unresolvedEligible=${b.unresolvedEligible.length}`,
+			`timedOutSessionError=${b.timedOutSessionError.length}`,
+			`regressed=${b.regressed.length}`,
+			`typecheckFailed=${b.typecheckFailed.length}`,
+			`testFailed=${b.testFailed.length}`
+		].join(" "),
+		[
+			"aiUsage",
+			`estimatedCostUsd=${report.aiUsage.estimatedCostUsd.toFixed(2)}`,
+			`sessions=${report.aiUsage.sessions}`,
+			`inputTokens=${report.aiUsage.inputTokens}`,
+			`outputTokens=${report.aiUsage.outputTokens}`,
+			`cacheReadInputTokens=${report.aiUsage.cacheReadInputTokens}`,
+			`cacheCreationInputTokens=${report.aiUsage.cacheCreationInputTokens}`
+		].join(" ")
+	];
+	const strategyCounts = repairStrategyCounts(report);
+	if (strategyCounts.size > 0) lines$1.push(["repairStrategies", ...[...strategyCounts.entries()].map(([strategy, count]) => `${strategy}=${count}`)].join(" "));
+	if (report.exitStatus !== 0 || hasFailureSummary(report)) lines$1.push([
+		"failureSummary",
+		`blockingSecrets=${report.failureSummary.blockingSecrets}`,
+		`unresolvedEligible=${report.failureSummary.unresolvedEligible}`,
+		`toolFailures=${report.failureSummary.toolFailures}`,
+		`failedDeterministic=${report.failureSummary.failedDeterministic}`,
+		`sessionErrors=${report.failureSummary.sessionErrors}`,
+		`regressions=${report.failureSummary.regressions}`,
+		`typecheckFailures=${report.failureSummary.typecheckFailures}`,
+		`testFailures=${report.failureSummary.testFailures}`
+	].join(" "));
+	const counts = inScopeByTool(report);
+	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
+	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
+	for (const tool of tools) {
+		const status = statusByTool.get(tool);
+		const c = counts.get(tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			skippedTests: 0,
+			reportOnly: 0,
+			left: 0,
+			generated: 0,
+			fixtures: 0,
+			outOfScope: 0
+		};
+		const reason = status?.status === "failed" && status.reason ? ` reason=${JSON.stringify(firstLine(status.reason))}` : status?.status === "skipped" ? " reason=not-installed" : "";
+		lines$1.push(`scanner tool=${tool} status=${status?.status ?? "not-recorded"} scope=${plainScopeLabel(report)} total=${c.total} fixed=${c.fixed} couldntFix=${c.couldntFix} skippedTests=${c.skippedTests} reportOnly=${c.reportOnly} left=${c.left} unresolvedEligible=${c.left} generated=${c.generated} fixtures=${c.fixtures} outOfScope=${c.outOfScope}${reason}`);
+	}
+	for (const f of couldntFixFindings(b)) {
+		const id = retryTarget(f);
+		lines$1.push(`couldnt-fix retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(findingReason(f))} detail=${JSON.stringify(firstLine(f.revertDetail ?? ""))} command=${JSON.stringify(`tend retry ${id}`)}`);
+	}
+	for (const f of b.secrets) lines$1.push(`secret retryId=${f.retryId ?? "(none)"} file=${JSON.stringify(f.file)} rule=${JSON.stringify(f.rule)} action=${JSON.stringify("rotate + scrub history")}`);
+	if (b.skippedTests.length > 0) lines$1.push(`skipped-tests count=${b.skippedTests.length} reason="test files are excluded by default" command="tend run --include-tests <path...>"`);
+	if (b.generated.length > 0) lines$1.push(`generated count=${b.generated.length} reason="generated/cache/build output is excluded from fixes by default"`);
+	if (b.fixtures.length > 0) lines$1.push(`fixtures count=${b.fixtures.length} reason="fixture files are excluded from fixes by default"`);
+	if (b.outOfScope.length > 0) lines$1.push(`out-of-scope count=${b.outOfScope.length} reason="outside the current fix scope or explicitly excluded"`);
+	if (b.reportOnly.length > 0) lines$1.push(`report-only count=${b.reportOnly.length} reason="unsupported or report-only findings"`);
+	if (verbose) for (const f of report.findings) lines$1.push(`finding retryId=${f.retryId ?? ""} status=${f.status} strategy=${f.repairStrategy ?? ""} tool=${f.tool} location=${JSON.stringify(`${f.file}:${f.range.startLine}`)} rule=${JSON.stringify(f.rule)} reason=${JSON.stringify(f.status === "fixed" ? "" : findingReason(f))}`);
+	lines$1.push("next command=\"tend diff\" command=\"git add -p\" command=\"tend undo\"");
+	return lines$1.join("\n");
+}
+function repairStrategyCounts(report) {
+	const counts = new Map();
+	for (const finding of report.findings) {
+		if (!finding.repairStrategy) continue;
+		counts.set(finding.repairStrategy, (counts.get(finding.repairStrategy) ?? 0) + 1);
+	}
+	return counts;
+}
+function renderTable(head, rows) {
+	const table = new Table({
+		head,
+		wordWrap: true,
+		style: {
+			head: [],
+			border: []
+		}
+	});
+	table.push(...rows);
+	return table.toString();
+}
+function renderOverallTable(report, b, theme) {
+	const couldntFix = couldntFixFindings(b);
+	const clean = b.fixed.length === 0 && couldntFix.length === 0 && b.skippedTests.length === 0 && b.generated.length === 0 && b.fixtures.length === 0 && b.outOfScope.length === 0 && b.reportOnly.length === 0 && b.unresolvedEligible.length === 0 && b.secrets.length === 0 && !hasFailureSummary(report);
+	const status = report.exitStatus === 0 ? clean ? theme.fixed("success (nothing to fix)") : theme.fixed("success") : theme.error(`needs attention (exit ${report.exitStatus})`);
+	const rows = [
+		["status", status],
+		["fix passes", String(report.loops)],
+		["elapsed", formatDuration(report.durationMs)],
+		["fixed", `${theme.fixed(theme.glyph.fixed)} ${b.fixed.length}`],
+		["timed out/session error", `${theme.reverted(theme.glyph.reverted)} ${b.timedOutSessionError.length}`],
+		["regressed", `${theme.reverted(theme.glyph.reverted)} ${b.regressed.length}`],
+		["typecheck failed", `${theme.reverted(theme.glyph.reverted)} ${b.typecheckFailed.length}`],
+		["test failed", `${theme.reverted(theme.glyph.reverted)} ${b.testFailed.length}`],
+		["retries exhausted", `${theme.reverted(theme.glyph.reverted)} ${b.retryExhausted.length}`],
+		["skipped tests", `${theme.dim(theme.glyph.left)} ${b.skippedTests.length} (pass --include-tests)`],
+		["skipped generated", `${theme.dim(theme.glyph.left)} ${b.generated.length}`],
+		["skipped fixtures", `${theme.dim(theme.glyph.left)} ${b.fixtures.length}`],
+		["out of scope", `${theme.dim(theme.glyph.left)} ${b.outOfScope.length}`],
+		["report only", `${theme.dim(theme.glyph.left)} ${b.reportOnly.length}`],
+		["unresolved eligible", `${theme.dim(theme.glyph.left)} ${b.unresolvedEligible.length}`],
+		["secrets", b.secrets.length > 0 ? theme.error(String(b.secrets.length)) : "0"],
+		["tool failures", report.failureSummary.toolFailures > 0 ? theme.error(String(report.failureSummary.toolFailures)) : "0"],
+		["failed deterministic fixes", report.failureSummary.failedDeterministic > 0 ? theme.error(String(report.failureSummary.failedDeterministic)) : "0"],
+		["estimated AI cost", formatCost(report.aiUsage.estimatedCostUsd)],
+		["AI sessions", String(report.aiUsage.sessions)],
+		["tokens", formatTokens(report.aiUsage)]
+	];
+	if (report.exitStatus !== 0 && !hasFailureSummary(report) && couldntFix.length === 0) rows.splice(1, 0, ["failure reason", theme.error("exit status set without recorded blocking findings")]);
+	return renderTable(["metric", "value"], rows);
+}
+function hasFailureSummary(report) {
+	const summary = report.failureSummary;
+	return summary.blockingSecrets > 0 || summary.unresolvedEligible > 0 || summary.toolFailures > 0 || summary.failedDeterministic > 0 || summary.sessionErrors > 0 || summary.regressions > 0 || summary.typecheckFailures > 0 || summary.testFailures > 0;
+}
+/** Estimated AI cost as `$X.XX` — always two decimals, never called a "bill". */
+function formatCost(usd) {
+	return `$${usd.toFixed(2)}`;
+}
+/** `<input> in · <output> out · <cache read> cache read · <cache write> cache write`. */
+function formatTokens(u) {
+	return [
+		`${u.inputTokens} in`,
+		`${u.outputTokens} out`,
+		`${u.cacheReadInputTokens} cache read`,
+		`${u.cacheCreationInputTokens} cache write`
+	].join(" · ");
+}
+/** Per-tool tally over the in-scope findings only. */
+function inScopeByTool(report) {
+	const counts = new Map();
+	for (const f of report.findings) {
+		if (f.inScope === false) continue;
+		const row = counts.get(f.tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			skippedTests: 0,
+			reportOnly: 0,
+			left: 0,
+			generated: 0,
+			fixtures: 0,
+			outOfScope: 0
+		};
+		row.total += 1;
+		if (f.status === "fixed") row.fixed += 1;
+		else if (f.status === "reverted" || f.status === "unfixable") row.couldntFix += 1;
+		else {
+			const pending = classifyPending(f, report);
+			if (pending === "skippedTests") row.skippedTests += 1;
+			else if (pending === "generated") row.generated += 1;
+			else if (pending === "fixtures") row.fixtures += 1;
+			else if (pending === "outOfScope") row.outOfScope += 1;
+			else if (pending === "reportOnly") row.reportOnly += 1;
+			else row.left += 1;
+		}
+		counts.set(f.tool, row);
+	}
+	return counts;
+}
+function renderScannerBreakdownTable(report, theme) {
+	const counts = inScopeByTool(report);
+	const statusByTool = new Map(report.scannerStatuses.map((s) => [s.tool, s]));
+	const tools = TOOLS.filter((t) => statusByTool.has(t) || counts.has(t));
+	if (tools.length === 0) return renderTable(scannerBreakdownHeaders(), [[
+		"(none)",
+		"not recorded",
+		scopeLabel(report),
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		"0",
+		""
+	]]);
+	const rows = tools.map((tool) => {
+		const status = statusByTool.get(tool);
+		const c = counts.get(tool) ?? {
+			total: 0,
+			fixed: 0,
+			couldntFix: 0,
+			skippedTests: 0,
+			reportOnly: 0,
+			left: 0,
+			generated: 0,
+			fixtures: 0,
+			outOfScope: 0
+		};
+		const label = scannerLabel(tool);
+		const statusText = status?.status === "ran" ? `${theme.fixed(theme.glyph.fixed)} ran` : status?.status === "failed" ? `${theme.error("!")} failed` : status?.status === "skipped" ? "skipped" : "not recorded";
+		const reason = status?.status === "failed" && status.reason ? firstLine(status.reason) : status?.status === "skipped" ? "not installed" : "";
+		return [
+			label,
+			statusText,
+			scopeLabel(report),
+			String(c.total),
+			String(c.fixed),
+			String(c.couldntFix),
+			String(c.skippedTests),
+			String(c.reportOnly),
+			String(c.left),
+			String(c.generated),
+			String(c.fixtures),
+			String(c.outOfScope),
+			reason
+		];
+	});
+	return renderTable(scannerBreakdownHeaders(), rows);
+}
+function scannerBreakdownHeaders() {
+	return [
+		"scanner",
+		"status",
+		"scope",
+		"total",
+		"fixed",
+		"couldn't fix",
+		"skipped tests",
+		"report only",
+		"unresolved eligible",
+		"generated",
+		"fixtures",
+		"out of scope",
+		"reason"
+	];
+}
+function scopeLabel(report) {
+	if (report.runScope.type === "all") return "whole repo";
+	if (report.runScope.fileCount !== void 0) return `${report.runScope.fileCount} scoped ${report.runScope.fileCount === 1 ? "file" : "files"}`;
+	return "in your changes";
+}
+function plainScopeLabel(report) {
+	return scopeLabel(report).replaceAll(" ", "-");
+}
+function findingReason(f) {
+	if (f.finalFailureClass === "tool-timeout") return "timeout/session error";
+	if (f.finalFailureClass === "rate-limit") return "rate limited";
+	if (f.finalFailureClass === "no-op") return "no-op";
+	switch (f.revertReason) {
+		case "session-error": return "timeout/session error";
+		case "regression": return "regression introduced";
+		case "typecheck": return "typecheck failed";
+		case "broke-test": return "tests failed";
+		case "suppression": return "added a suppression";
+		default: return "retries exhausted";
+	}
+}
+function retryTarget(f) {
+	return f.retryId ?? f.id;
+}
+const COULDNT_FIX_REASON_ORDER = [
+	"session error",
+	"regression",
+	"typecheck failed",
+	"test failed",
+	"retries exhausted",
+	"unsupported / report-only"
+];
+function couldntFixReason(f) {
+	if (f.track === "report-only") return "unsupported / report-only";
+	if (f.revertReason === "session-error" || f.finalFailureClass === "tool-timeout" || f.finalFailureClass === "rate-limit" || f.finalFailureClass === "model-tool-failure" || f.finalFailureClass === "no-edit") return "session error";
+	if (f.revertReason === "regression" || f.finalFailureClass === "regression") return "regression";
+	if (f.revertReason === "typecheck" || f.finalFailureClass === "typecheck") return "typecheck failed";
+	if (f.revertReason === "broke-test" || f.finalFailureClass === "broke-test") return "test failed";
+	return "retries exhausted";
+}
+function groupCouldntFixByReason(findings) {
+	const groups = new Map();
+	for (const finding of findings) {
+		const reason = couldntFixReason(finding);
+		const group = groups.get(reason) ?? [];
+		group.push(finding);
+		groups.set(reason, group);
+	}
+	return COULDNT_FIX_REASON_ORDER.flatMap((reason) => {
+		const group = groups.get(reason);
+		return group && group.length > 0 ? [{
+			reason,
+			findings: group
+		}] : [];
+	});
+}
+function truncateCell(value, maxLength = 64) {
+	const normalized = value.replace(/\s+/g, " ").trim();
+	if (normalized.length <= maxLength) return normalized;
+	return `${normalized.slice(0, Math.max(0, maxLength - 3))}...`;
+}
+function uniqueExampleFiles(findings, maxFiles = 3) {
+	const files = [];
+	const seen = new Set();
+	for (const finding of findings) {
+		if (seen.has(finding.file)) continue;
+		seen.add(finding.file);
+		files.push(finding.file);
+		if (files.length >= maxFiles) break;
+	}
+	return files;
+}
+function nextActionForCouldntFixGroup(findings) {
+	if (findings.length === 1) return `tend retry ${retryTarget(findings[0])}`;
+	return "run with --verbose";
+}
+function renderCouldntFixSummaryTable(findings) {
+	const rows = groupCouldntFixByReason(findings).map((group) => [
+		group.reason,
+		String(group.findings.length),
+		uniqueExampleFiles(group.findings).map((file) => truncateCell(file, 56)).join(", "),
+		nextActionForCouldntFixGroup(group.findings)
+	]);
+	return renderTable([
+		"reason",
+		"count",
+		"examples",
+		"next action"
+	], rows);
+}
+function renderCouldntFixDetailTable(findings, theme) {
+	const rows = findings.map((f) => [
+		f.retryId ?? "(none)",
+		f.file,
+		String(f.range.startLine),
+		f.rule,
+		findingReason(f),
+		firstLine(f.revertDetail ?? ""),
+		`${theme.glyph.arrow} tend retry ${retryTarget(f)}`
+	]);
+	return renderTable([
+		"retryId",
+		"file",
+		"line",
+		"rule",
+		"reason",
+		"detail",
+		"command"
+	], rows);
+}
+function renderSecretsTable(findings, theme) {
+	const rows = findings.map((f) => [
+		f.retryId ?? "(none)",
+		f.file,
+		f.rule,
+		theme.error("rotate + scrub history")
+	]);
+	return renderTable([
+		"retryId",
+		"file",
+		"rule",
+		"action"
+	], rows);
+}
+function renderNextCommandsTable() {
+	return renderTable(["action", "command"], [
+		["review edits", "tend diff"],
+		["stage deliberately", "git add -p"],
+		["undo run", "tend undo"]
+	]);
+}
+/** First line of a (possibly multi-line) scanner error reason, trimmed. */
+function firstLine(s) {
+	return s.split("\n")[0].trim();
+}
+function scannerLabel(tool) {
+	return tool === "sonarjs" ? "sonarjs (bundled)" : tool;
+}
+function perToolCounts(findings) {
+	const counts = new Map();
+	for (const f of findings) {
+		const row = counts.get(f.tool) ?? {
+			fixed: 0,
+			reverted: 0,
+			left: 0
+		};
+		if (f.status === "fixed") row.fixed += 1;
+		else if (f.status === "reverted") row.reverted += 1;
+		else row.left += 1;
+		counts.set(f.tool, row);
+	}
+	return counts;
+}
+/** The exhaustive view behind `--verbose`: per-tool breakdown + every finding. */
+function renderVerbose(report, theme) {
+	const table = new Table({
+		head: [
+			"tool",
+			"fixed",
+			"reverted",
+			"left"
+		],
+		style: {
+			head: [],
+			border: []
+		}
+	});
+	for (const [tool, c] of perToolCounts(report.findings)) table.push([
+		tool,
+		String(c.fixed),
+		String(c.reverted),
+		String(c.left)
+	]);
+	const findingRows = report.findings.map((f) => [
+		f.retryId ?? "",
+		f.status,
+		f.repairStrategy ?? "",
+		f.tool,
+		`${f.file}:${f.range.startLine}`,
+		f.rule,
+		f.status === "fixed" ? "" : findingReason(f)
+	]);
+	return [
+		theme.bold("verbose totals"),
+		table.toString(),
+		theme.bold("verbose findings"),
+		renderTable([
+			"retryId",
+			"status",
+			"strategy",
+			"tool",
+			"location",
+			"rule",
+			"reason"
+		], findingRows)
+	].join("\n");
+}
+/**
+* Group the issues that still need a human, ordered by urgency:
+* secrets → security → couldn't-fix → needs-review. Empty groups are omitted.
+*/
+function groupRemaining(report) {
+	const unfixed = report.findings.filter((f) => f.status !== "fixed");
+	const secrets = unfixed.filter((f) => f.category === "secret");
+	const security = unfixed.filter((f) => f.category === "security");
+	const couldntFix = unfixed.filter((f) => f.status === "unfixable" && f.category !== "secret" && f.category !== "security");
+	const groups = [
+		{
+			key: "secrets",
+			title: "SECRETS — rotate now (never auto-fixed)",
+			count: secrets.length
+		},
+		{
+			key: "security",
+			title: "SECURITY",
+			count: security.length
+		},
+		{
+			key: "couldnt-fix",
+			title: "COULDN'T FIX",
+			count: couldntFix.length
+		},
+		{
+			key: "review",
+			title: "NEEDS YOUR REVIEW — behavior changed",
+			count: report.flaggedBehaviorChanges.length
+		}
+	];
+	return groups.filter((g) => g.count > 0);
+}
+
+//#endregion
+//#region src/commands/resolve-finding.ts
+function displayId(finding) {
+	return finding.retryId ?? finding.id;
+}
+function resolveFindingId(id, findings) {
+	const retryMatch = findings.find((f) => f.retryId === id);
+	if (retryMatch) return retryMatch;
+	const exact = findings.find((f) => f.id === id);
+	if (exact) return exact;
+	const prefixMatches = findings.filter((f) => f.id.startsWith(id));
+	if (prefixMatches.length === 0) return { error: `No finding with id "${id}"` };
+	if (prefixMatches.length > 1) {
+		const matches = prefixMatches.map(displayId).join(", ");
+		return { error: `Finding id "${id}" is ambiguous; matches ${matches}. Use the retry id or full fingerprint.` };
+	}
+	return prefixMatches[0];
+}
+
+//#endregion
+//#region src/commands/show.ts
+/** `tend show <id>` — full detail on one finding: attempts, revert reason, taint flow path. */
+function showCommand(id, findings) {
+	const resolved = resolveFindingId(id, findings);
+	if ("error" in resolved) return resolved.error;
+	const finding = resolved;
+	const lines$1 = [
+		`${finding.tool}  ${finding.rule}  [${finding.status}]`,
+		`retry id: ${finding.retryId ?? "(none)"}`,
+		`fingerprint: ${finding.id}`,
+		`${finding.file}:${finding.range.startLine}`,
+		finding.message,
+		`attempts: ${finding.attempts}`
+	];
+	if (finding.revertReason) lines$1.push(`last revert reason: ${finding.revertReason}`);
+	if (finding.revertDetail) lines$1.push(`last revert detail: ${finding.revertDetail}`);
+	if (finding.flowPath?.length) {
+		lines$1.push("flow path:");
+		for (const step of finding.flowPath) lines$1.push(`  → ${step.file}:${step.line}`);
+	}
+	if (finding.helpUri) lines$1.push(`docs: ${finding.helpUri}`);
+	return lines$1.join("\n");
+}
+
+//#endregion
+//#region src/commands/retry.ts
+function findingsOf(deps) {
+	return deps.report?.findings ?? deps.findings ?? [];
+}
+function syncDerivedReportFields(report) {
+	const derived = deriveReportFields(report.findings, report.scannerStatuses, report.fixPolicy);
+	report.secrets = derived.secrets;
+	report.reportOnly = derived.reportOnly;
+	report.depBumps = derived.depBumps;
+	report.failureSummary = derived.failureSummary;
+	report.unresolvedEligibleCount = derived.unresolvedEligibleCount;
+	const hasBlockingFailure = derived.failureSummary.blockingSecrets > 0 || derived.failureSummary.unresolvedEligible > 0 || derived.failureSummary.toolFailures > 0 || derived.failureSummary.failedDeterministic > 0 || derived.failureSummary.sessionErrors > 0 || derived.failureSummary.regressions > 0 || derived.failureSummary.typecheckFailures > 0 || derived.failureSummary.testFailures > 0;
+	report.exitStatus = hasBlockingFailure ? 1 : 0;
+}
+function resolveRetryTarget(id, findings) {
+	const resolved = resolveFindingId(id, findings);
+	if ("error" in resolved) return resolved;
+	if (resolved.status === "fixed") return { error: `Finding ${resolved.id} is already fixed` };
+	if (resolved.track !== "ai-fix") return { error: `Finding ${resolved.id} is not AI-fixable` };
+	return resolved;
+}
+/** `tend retry <id>` — re-attempt a stubborn finding with a larger attempt budget. */
+async function retryCommand(id, deps) {
+	const resolved = resolveRetryTarget(id, findingsOf(deps));
+	if ("error" in resolved) return resolved;
+	const finding = resolved;
+	const largerBudget = Math.max(deps.baseBudget * 2, finding.attempts + 1);
+	finding.status = "fixing";
+	const outcome = await deps.runFix(finding, largerBudget);
+	if (outcome.kept) {
+		finding.status = "fixed";
+		delete finding.revertReason;
+		delete finding.revertDetail;
+		delete finding.finalFailureClass;
+		if (deps.report) syncDerivedReportFields(deps.report);
+		return {
+			outcome: "fixed",
+			finding,
+			budget: largerBudget
+		};
+	}
+	const reason = outcome.reason ?? "session-error";
+	finding.attempts += 1;
+	finding.revertReason = reason;
+	finding.finalFailureClass = outcome.failureClass;
+	const detail = normalizeRevertDetail(outcome.detail);
+	if (detail) finding.revertDetail = detail;
+	else delete finding.revertDetail;
+	finding.status = finding.attempts >= largerBudget ? "unfixable" : "reverted";
+	if (deps.report) syncDerivedReportFields(deps.report);
+	return {
+		outcome: "reverted",
+		finding,
+		budget: largerBudget,
+		reason
+	};
+}
+
+//#endregion
+//#region src/config/config.ts
+const EFFORT_LEVELS = [
+	"low",
+	"medium",
+	"high",
+	"xhigh",
+	"max"
+];
+const ToolConfigSchema = z.object({
+	enabled: z.boolean().default(true),
+	configPath: z.string().optional()
+});
+const FixScopeConfigSchema = z.object({
+	include: z.array(z.string()).default([]),
+	exclude: z.array(z.string()).default([]),
+	includeGenerated: z.boolean().default(false),
+	includeFixtures: z.boolean().default(false)
+}).default({
+	include: [],
+	exclude: [],
+	includeGenerated: false,
+	includeFixtures: false
+});
+const ConfigSchema = z.object({
+	maxSessions: z.number().int().positive().default(4),
+	maxLoops: z.number().int().positive().default(5),
+	perIssueBudget: z.number().int().positive().default(3),
+	test: z.string().optional(),
+	teethCheck: z.boolean().default(true),
+	includeTests: z.boolean().default(false),
+	model: z.string().default("sonnet"),
+	effort: z.enum(EFFORT_LEVELS).optional(),
+	fix: FixScopeConfigSchema,
+	tools: z.record(z.string(), ToolConfigSchema).default({})
+});
+/**
+* Load config via cosmiconfig (searching from `cwd`), validate with zod, and apply
+* zero-config defaults when no file is found. Invalid config throws a clear message.
+*/
+async function loadConfig(cwd) {
+	const explorer = cosmiconfig("tend", { stopDir: cwd });
+	const found = await explorer.search(cwd);
+	const raw = found?.config ?? {};
+	const parsed = ConfigSchema.safeParse(raw);
+	if (!parsed.success) {
+		const issues = parsed.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`);
+		throw new Error(`Invalid tend config:\n  ${issues.join("\n  ")}`);
+	}
+	return parsed.data;
+}
+/** Overlay CLI flags onto a loaded config (flags win). */
+function applyCliOverrides(config, overrides) {
+	const result$1 = { ...config };
+	for (const [key, value] of Object.entries(overrides)) if (value !== void 0) result$1[key] = value;
+	return result$1;
+}
+
+//#endregion
+export { ClaudeSession, ConfigSchema, EFFORT_LEVELS, EventBus, FindingSchema, FindingStore, REPAIR_STRATEGIES, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, applyRepairPlanToFinding, assertGitRepo, buildDiff, buildProgram, changedFiles, changedVsHead, createGit, detectBuildCommand, detectPackageManager, dispatch, filesUnder, filterToChanged, fingerprint, formatClock, gateUnitChanges, groupRemaining, isAiDispatchStrategy, isAvailable, loadConfig, makeDeterministicFixUnit, makeDeterministicFixer, makeTheme, normalize, orchestrate, planRepair, planWork, planWorkFromRepairs, reasonLabel, renderSummary, resolveRetryTarget, restoreSnapshot, retryCommand, revertFile, route, runEslintSonarjs, runScanner, scannerStatus, scopeFindings, showCommand, snapshotUnitFiles, snapshotUnitNow, toRepoRelative, trackForTool, unitChanged, zeroUsage };