tend-cli 0.6.0 → 0.7.0

package/dist/bin.js

@@ -1,8 +1,9 @@
 #!/usr/bin/env node
-import { ClaudeSession, EFFORT_LEVELS, EventBus, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, assertGitRepo, buildDiff, buildProgram, changedVsHead, createGit, detectBuildCommand, detectPackageManager, filesUnder, filterToChanged, formatClock, gateUnitChanges, loadConfig, makeDeterministicFixUnit, makeTheme, orchestrate, planRepair, planWorkFromRepairs, reasonLabel, renderSummary, resolveRetryTarget, restoreSnapshot, retryCommand, runEslintSonarjs, runScanner, scannerStatus, showCommand, snapshotUnitFiles, snapshotUnitNow, toRepoRelative, unitChanged, zeroUsage } from "./config-tbp_HMuZ.js";
+import { ClaudeSession, EFFORT_LEVELS, EventBus, ReportBuilder, ReportSchema, Snapshot, addUsage, applyCliOverrides, assertGitRepo, buildDiff, buildProgram, changedVsHead, createGit, detectBuildCommand, detectPackageManager, filesUnder, filterToChanged, formatClock, gateUnitChanges, loadConfig, makeDeterministicFixUnit, makeTheme, orchestrate, planRepair, planWorkFromRepairs, reasonLabel, renderSummary, resolveRetryTarget, restoreSnapshot, retryCommand, runEslintSonarjs, runScanner, scannerStatus, showCommand, snapshotUnitFiles, snapshotUnitNow, toRepoRelative, unitChanged, zeroUsage } from "./config-DPlVYfKX.js";
 import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
 import { execa } from "execa";
+import PQueue from "p-queue";
 import { fileURLToPath } from "node:url";
 import { tmpdir } from "node:os";
 import { createRequire } from "node:module";
@@ -390,13 +391,51 @@ async function runScanners(deps, files, loop) {
 		files,
 		loop
 	};
-	const spawned = await Promise.all(SPAWN_SCANNERS.map((scanner) => runScanner(scanner, ctx, {
-		which: deps.which,
-		spawn: deps.spawn,
-		timeout: deps.timeoutMs
-	})));
-	const eslint = await runEslintSonarjs(ctx);
-	const results = [...spawned, eslint];
+	const requested = deps.tools ? new Set(deps.tools) : void 0;
+	const shouldRun = (tool) => requested === void 0 || requested.has(tool);
+	const runWithEvents = async (scanner) => {
+		deps.bus?.emit({
+			type: "scanner-start",
+			loop,
+			tool: scanner.tool
+		});
+		const result = await runScanner(scanner, ctx, {
+			which: deps.which,
+			spawn: deps.spawn,
+			timeout: deps.timeoutMs
+		});
+		const status = scannerStatus(result);
+		deps.bus?.emit({
+			type: "scanner-result",
+			loop,
+			tool: scanner.tool,
+			status: status.status,
+			findings: result.findings.length,
+			reason: status.reason
+		});
+		return result;
+	};
+	const spawnedPromise = Promise.all(SPAWN_SCANNERS.filter((scanner) => shouldRun(scanner.tool)).map(runWithEvents));
+	const eslintPromise = shouldRun("sonarjs") ? (async () => {
+		deps.bus?.emit({
+			type: "scanner-start",
+			loop,
+			tool: "sonarjs"
+		});
+		const result = await runEslintSonarjs(ctx);
+		const status = scannerStatus(result);
+		deps.bus?.emit({
+			type: "scanner-result",
+			loop,
+			tool: "sonarjs",
+			status: status.status,
+			findings: result.findings.length,
+			reason: status.reason
+		});
+		return result;
+	})() : Promise.resolve(void 0);
+	const [spawned, eslint] = await Promise.all([spawnedPromise, eslintPromise]);
+	const results = eslint ? [...spawned, eslint] : spawned;
 	return {
 		results,
 		scannerStatuses: results.map(scannerStatus)
@@ -729,8 +768,8 @@ function renderPrompt(unit) {
 	});
 }
 function firstRelevantLines(output, max = 20) {
-	const lines = output.split("\n").map((line) => line.trimEnd()).filter((line) => line.trim().length > 0);
-	return lines.slice(0, max).join("\n") || "(none)";
+	const lines$1 = output.split("\n").map((line) => line.trimEnd()).filter((line) => line.trim().length > 0);
+	return lines$1.slice(0, max).join("\n") || "(none)";
 }
 function renderFindingsJson(findings) {
 	const data = findings.map((f) => ({
@@ -789,12 +828,21 @@ function classFromOutcome(reason, fallback) {
 * session error reverts the files to the snapshot. Nothing changed → not a fix.
 */
 function makeFixUnit(deps) {
-	return async (unit) => {
+	return async (unit, loop = 0) => {
+		const progress = (stage, detail) => {
+			deps.onProgress?.({
+				loop,
+				file: unit.file,
+				stage,
+				detail
+			});
+		};
 		const snapshotFiles = unit.strategy === "generated-source-repair" ? [...new Set([...unit.files, ...unit.verificationTargets ?? []])] : unit.files;
 		const before = snapshotUnitFiles(deps.cwd, snapshotFiles);
 		const restore = () => restoreSnapshot(deps.cwd, before);
 		const changedOnDisk = () => unitChanged(deps.cwd, unit.files, before);
 		let usage = zeroUsage();
+		progress("ai-edit");
 		const res = await deps.session.run({
 			file: unit.file,
 			findings: unit.findings,
@@ -812,6 +860,7 @@ function makeFixUnit(deps) {
 			};
 		}
 		if (!changedOnDisk()) {
+			progress("ai-no-edit-retry");
 			const retry = await deps.session.run({
 				file: unit.file,
 				findings: unit.findings,
@@ -837,14 +886,17 @@ function makeFixUnit(deps) {
 			};
 		}
 		async function scanNewFindings() {
+			progress("rescan");
 			const verificationTargets = unit.verificationTargets ?? unit.files;
-			const afterFindings = await deps.scanFindings(verificationTargets);
+			const scannerTools = [...new Set(unit.findings.map((finding) => finding.tool))];
+			const afterFindings = await deps.scanFindings(verificationTargets, scannerTools);
 			const originalIds = new Set(unit.findings.map((f) => f.id));
 			return afterFindings.filter((f) => !originalIds.has(f.id));
 		}
 		async function runRegressionRepair(outcome$1) {
 			if (outcome$1.reason !== "regression" && outcome$1.reason !== "typecheck") return false;
 			const after = snapshotUnitNow(deps.cwd, snapshotFiles);
+			progress("regression-repair");
 			const repair = await deps.session.run({
 				file: unit.file,
 				findings: unit.findings,
@@ -867,6 +919,7 @@ function makeFixUnit(deps) {
 		async function gateCurrent() {
 			return gateUnitChanges(unit, before, deps, {
 				usage,
+				onProgress: progress,
 				repair: async (_attempt, regressed) => {
 					const after = snapshotUnitNow(deps.cwd, snapshotFiles);
 					const repair = await deps.session.run({
@@ -904,6 +957,244 @@ function makeFixUnit(deps) {
 	};
 }
 
+//#endregion
+//#region src/fixing/worker-sandbox.ts
+var SandboxSetupError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "SandboxSetupError";
+	}
+};
+const cleanExcludes = [
+	"node_modules",
+	"node_modules/**",
+	"**/node_modules",
+	"**/node_modules/**"
+];
+function normalizeRel(path) {
+	return path.replaceAll("\\", "/").replace(/^\.?\//, "");
+}
+function lines(raw) {
+	return raw.split("\n").map((line) => normalizeRel(line.trim())).filter(Boolean);
+}
+function unique(values) {
+	return [...new Set(values.map(normalizeRel))];
+}
+function isGeneratedRepair(unit) {
+	return unit.strategy === "generated-source-repair" || unit.strategies?.includes("generated-source-repair") === true;
+}
+function allowedPatchFiles(unit) {
+	return unique([...unit.files, ...isGeneratedRepair(unit) ? unit.verificationTargets ?? [] : []]);
+}
+function installArgs(pm) {
+	switch (pm) {
+		case "pnpm": return [
+			"install",
+			"--frozen-lockfile",
+			"--prefer-offline"
+		];
+		case "yarn": return [
+			"install",
+			"--frozen-lockfile",
+			"--prefer-offline"
+		];
+		case "bun": return ["install", "--frozen-lockfile"];
+		case "npm": return ["ci", "--prefer-offline"];
+	}
+}
+var GitWorkerSandbox = class {
+	prepared = false;
+	constructor(cwd$1, deps) {
+		this.cwd = cwd$1;
+		this.deps = deps;
+	}
+	async reset() {
+		const git = createGit(this.cwd);
+		await git.raw([
+			"reset",
+			"--hard",
+			this.deps.snapshotSha
+		]);
+		await git.raw([
+			"clean",
+			"-ffdx",
+			...cleanExcludes.flatMap((pattern) => ["-e", pattern])
+		]);
+	}
+	async prepare() {
+		if (this.prepared || this.deps.prepareDependencies === false) return;
+		const args = installArgs(this.deps.packageManager);
+		const result = await this.deps.exec(this.deps.packageManager, args, {
+			cwd: this.cwd,
+			reject: false,
+			timeout: 10 * 6e4
+		});
+		if ((result.exitCode ?? 1) !== 0) throw new SandboxSetupError(`sandbox dependency install failed: ${result.stderr || result.stdout || `exit ${result.exitCode ?? 1}`}`);
+		this.prepared = true;
+	}
+	async collectPatch(unit) {
+		const git = createGit(this.cwd);
+		const tracked = lines(await git.raw([
+			"diff",
+			"--name-only",
+			this.deps.snapshotSha
+		]));
+		const untracked = lines(await git.raw([
+			"ls-files",
+			"--others",
+			"--exclude-standard"
+		]));
+		const changedFiles = unique([...tracked, ...untracked]).sort();
+		const allowed = new Set(allowedPatchFiles(unit));
+		const unowned = changedFiles.filter((file) => !allowed.has(file));
+		if (unowned.length > 0) return {
+			ok: false,
+			reason: "unowned-patch",
+			detail: `Worker modified unowned files: ${unowned.join(", ")}`,
+			changedFiles
+		};
+		const allowedFiles = [...allowed].sort();
+		if (allowedFiles.length === 0 || changedFiles.length === 0) return {
+			ok: true,
+			patch: "",
+			changedFiles
+		};
+		if (untracked.length > 0) await git.raw([
+			"add",
+			"-N",
+			"--",
+			...untracked.filter((file) => allowed.has(file))
+		]);
+		const patch = await git.raw([
+			"diff",
+			"--binary",
+			this.deps.snapshotSha,
+			"--",
+			...allowedFiles
+		]);
+		return {
+			ok: true,
+			patch,
+			changedFiles
+		};
+	}
+	async dispose() {
+		const git = createGit(this.deps.mainRoot);
+		try {
+			await git.raw([
+				"worktree",
+				"remove",
+				"--force",
+				this.cwd
+			]);
+		} finally {
+			rmSync(this.cwd, {
+				recursive: true,
+				force: true
+			});
+		}
+	}
+};
+var WorkerSandboxPool = class {
+	queue;
+	applyQueue = new PQueue({ concurrency: 1 });
+	idle = [];
+	sandboxes = new Set();
+	counter = 0;
+	disposed = false;
+	exec;
+	constructor(deps) {
+		this.deps = deps;
+		this.queue = new PQueue({ concurrency: deps.maxSandboxes });
+		this.exec = deps.exec ?? execa;
+	}
+	async withSandbox(run) {
+		return this.queue.add(async () => {
+			let sandbox;
+			try {
+				sandbox = await this.acquire();
+			} catch (error) {
+				throw new SandboxSetupError(error instanceof Error ? error.message : String(error));
+			}
+			try {
+				await sandbox.reset();
+				await sandbox.prepare();
+			} catch (error) {
+				this.idle.push(sandbox);
+				throw error instanceof SandboxSetupError ? error : new SandboxSetupError(error instanceof Error ? error.message : String(error));
+			}
+			try {
+				return await run(sandbox);
+			} finally {
+				this.idle.push(sandbox);
+			}
+		});
+	}
+	async applyPatchToMain(patch) {
+		return this.applyQueue.add(async () => {
+			if (patch.trim() === "") return { ok: true };
+			const check = await this.exec("git", [
+				"apply",
+				"--check",
+				"--3way"
+			], {
+				cwd: this.deps.mainRoot,
+				input: patch,
+				reject: false
+			});
+			if ((check.exitCode ?? 1) !== 0) return {
+				ok: false,
+				reason: "patch-conflict",
+				detail: check.stderr || check.stdout || "git apply --check --3way failed"
+			};
+			const applied = await this.exec("git", ["apply", "--3way"], {
+				cwd: this.deps.mainRoot,
+				input: patch,
+				reject: false
+			});
+			if ((applied.exitCode ?? 1) !== 0) return {
+				ok: false,
+				reason: "patch-conflict",
+				detail: applied.stderr || applied.stdout || "git apply --3way failed"
+			};
+			return { ok: true };
+		});
+	}
+	async dispose() {
+		if (this.disposed) return;
+		this.disposed = true;
+		await this.queue.onIdle();
+		await Promise.all([...this.sandboxes].map((sandbox) => sandbox.dispose()));
+		this.idle.length = 0;
+		this.sandboxes.clear();
+	}
+	async acquire() {
+		const existing = this.idle.pop();
+		if (existing) return existing;
+		const parent = this.deps.tempRoot ?? tmpdir();
+		mkdirSync(parent, { recursive: true });
+		const path = `${parent}/tend-worker-${process.pid}-${this.counter++}`;
+		const mainGit = createGit(this.deps.mainRoot);
+		await mainGit.raw([
+			"worktree",
+			"add",
+			"--detach",
+			path,
+			this.deps.snapshotSha
+		]);
+		const sandbox = new GitWorkerSandbox(path, {
+			...this.deps,
+			exec: this.exec
+		});
+		this.sandboxes.add(sandbox);
+		return sandbox;
+	}
+};
+function mapOwnerRoot(mainRoot, mainOwnerRoot, sandboxRoot) {
+	const rel = normalizeRel(relative(mainRoot, mainOwnerRoot));
+	return rel === "" ? sandboxRoot : `${sandboxRoot}/${rel}`;
+}
+
 //#endregion
 //#region src/output/env.ts
 /** Truthy in the env-var sense: present and not an explicit off value. */
@@ -939,6 +1230,28 @@ function detectOutputEnv(input = {}) {
 	};
 }
 
+//#endregion
+//#region src/fixing/progress.ts
+const LABELS = {
+	"ai-edit": "AI edit",
+	"ai-no-edit-retry": "AI retry",
+	"anti-suppression": "suppression check",
+	typecheck: "typecheck",
+	build: "build",
+	"related-tests": "related tests",
+	"test-repair": "test repair",
+	rescan: "rescan",
+	"regression-check": "regression check",
+	"regression-repair": "regression repair",
+	"patch-apply": "patch apply",
+	"patch-conflict": "patch conflict",
+	"sandbox-setup": "sandbox setup",
+	"final-integration": "final integration"
+};
+function fixStageLabel(stage) {
+	return LABELS[stage];
+}
+
 //#endregion
 //#region src/output/base-reporter.ts
 var BaseReporter = class {
@@ -987,6 +1300,7 @@ var LiveReporter = class extends BaseReporter {
 	audits = new Channel();
 	phases = new Channel();
 	fixTicks = new Channel();
+	loopCompletions = new Channel();
 	closed = false;
 	resolveClosed;
 	closedSignal = new Promise((resolve$1) => {
@@ -1002,7 +1316,11 @@ var LiveReporter = class extends BaseReporter {
 	currentFile;
 	currentConcurrency;
 	rules = new Map();
+	stages = new Map();
+	scannerStates = new Map();
+	currentScanLoop;
 	header;
+	scanHeader;
 	labelWidth = 0;
 	constructor(deps) {
 		super(deps);
@@ -1018,6 +1336,26 @@ var LiveReporter = class extends BaseReporter {
 					scanned: event.scanned
 				});
 				break;
+			case "scan-start":
+				this.currentScanLoop = event.loop;
+				this.scannerStates.clear();
+				this.scanStarts.push(event.loop);
+				this.refreshScanHeader();
+				break;
+			case "scanner-start":
+				if (event.loop !== this.currentScanLoop) break;
+				this.scannerStates.set(event.tool, { status: "running" });
+				this.refreshScanHeader();
+				break;
+			case "scanner-result":
+				if (event.loop !== this.currentScanLoop) break;
+				this.scannerStates.set(event.tool, {
+					status: event.status,
+					findings: event.findings,
+					reason: event.reason
+				});
+				this.refreshScanHeader();
+				break;
 			case "loop-start":
 				this.currentLoop = event.loop;
 				this.fixTotal = event.files.length;
@@ -1029,6 +1367,7 @@ var LiveReporter = class extends BaseReporter {
 				this.currentFile = void 0;
 				this.currentConcurrency = event.concurrency;
 				this.rules.clear();
+				this.stages.clear();
 				this.labelWidth = Math.max(0, ...event.files.map((f) => basename(f).length));
 				this.phases.push({
 					kind: "fix",
@@ -1041,12 +1380,19 @@ var LiveReporter = class extends BaseReporter {
 				break;
 			case "file-start":
 				this.started += 1;
+				this.fixTotal = Math.max(this.fixTotal, this.started);
 				this.currentFile = event.file;
 				if (event.rule) this.rules.set(event.file, event.rule);
 				this.refreshHeader();
 				break;
+			case "file-stage":
+				this.currentFile = event.file;
+				this.stages.set(event.file, event.stage);
+				this.refreshHeader();
+				break;
 			case "file-result":
 				this.finished += 1;
+				this.fixTotal = Math.max(this.fixTotal, this.started, this.finished);
 				if (event.outcome === "fixed") this.fixed += 1;
 				else if (event.outcome === "reverted") this.reverted += 1;
 				else this.notAttempted += 1;
@@ -1054,15 +1400,15 @@ var LiveReporter = class extends BaseReporter {
 				this.refreshHeader();
 				this.fixTicks.push();
 				break;
+			case "loop-complete":
+				this.loopCompletions.push(event.loop);
+				this.refreshHeader();
+				break;
 			case "done":
 				this.phases.push({ kind: "done" });
 				break;
-			case "scan-start":
-				this.scanStarts.push(event.loop);
-				break;
 			case "snapshot":
-			case "detected":
-			case "loop-complete": break;
+			case "detected": break;
 		}
 	}
 	close() {
@@ -1090,6 +1436,7 @@ var LiveReporter = class extends BaseReporter {
 		const list = new Listr([{
 			title: this.theme.dim("scanning…"),
 			task: async (_ctx, task) => {
+				this.scanHeader = task;
 				const loop = await this.race(this.scanStarts.take());
 				if (loop === CLOSED) {
 					live = false;
@@ -1102,6 +1449,7 @@ var LiveReporter = class extends BaseReporter {
 					return;
 				}
 				task.title = this.scannedTitle(audit);
+				this.scanHeader = void 0;
 			}
 		}], this.listrOptions());
 		await list.run();
@@ -1116,10 +1464,11 @@ var LiveReporter = class extends BaseReporter {
 				this.currentLoop = info.loop;
 				this.currentConcurrency = info.concurrency;
 				task.title = this.headerTitle();
-				while (this.finished < this.fixTotal) {
-					const tick = await this.race(this.fixTicks.take());
-					if (tick === CLOSED) return;
+				while (true) {
+					const tickOrComplete = await this.race(Promise.race([this.fixTicks.take().then(() => "tick"), this.loopCompletions.take().then(() => "complete")]));
+					if (tickOrComplete === CLOSED) return;
 					task.title = this.headerTitle();
+					if (tickOrComplete === "complete") break;
 				}
 			}
 		}], this.listrOptions());
@@ -1158,7 +1507,17 @@ var LiveReporter = class extends BaseReporter {
 		return meta;
 	}
 	scanTitle(loop) {
-		return this.theme.dim(loop === 1 ? "initial audit: scanning…" : `re-audit after fix pass ${loop - 1}: scanning…`);
+		const detail = this.scannerDetail();
+		return this.theme.dim(loop === 1 ? `initial audit: scanning…${detail}` : `re-audit after fix pass ${loop - 1}: scanning…${detail}`);
+	}
+	scannerDetail() {
+		const entries = [...this.scannerStates.entries()];
+		if (entries.length === 0) return "";
+		const running = entries.filter(([, info]) => info.status === "running");
+		const done = entries.length - running.length;
+		if (running.length === 0) return ` ${this.theme.glyph.bullet} scanners ${done}/${entries.length} done`;
+		const runningTools = running.map(([tool]) => tool).join(", ");
+		return ` ${this.theme.glyph.bullet} running ${runningTools} ${this.theme.glyph.bullet} ${done}/${entries.length} done`;
 	}
 	headerTitle() {
 		const running = Math.max(0, this.started - this.finished);
@@ -1173,12 +1532,17 @@ var LiveReporter = class extends BaseReporter {
 	refreshHeader() {
 		if (this.header) this.header.title = this.headerTitle();
 	}
+	refreshScanHeader() {
+		if (this.scanHeader && this.currentScanLoop !== void 0) this.scanHeader.title = this.scanTitle(this.currentScanLoop);
+	}
 	fileLabel(file) {
 		return basename(file).padEnd(this.labelWidth);
 	}
 	fileTitle(file) {
 		const rule = this.rules.get(file);
-		const suffix = rule ? `  ${this.theme.dim(rule)}` : "";
+		const stage = this.stages.get(file);
+		const detail = [rule, stage ? fixStageLabel(stage) : void 0].filter(Boolean).join(" · ");
+		const suffix = detail ? `  ${this.theme.dim(detail)}` : "";
 		return `${this.fileLabel(file)}${suffix}`;
 	}
 };
@@ -1200,6 +1564,15 @@ var PlainReporter = class extends BaseReporter {
 			case "scan-start":
 				this.write(event.loop === 1 ? "initial audit: scanning…" : `re-audit after fix pass ${event.loop - 1}: scanning…`);
 				break;
+			case "scanner-start":
+				this.write(`scanner ${event.tool}: running`);
+				break;
+			case "scanner-result": {
+				const count = event.status === "ran" ? ` ${event.findings} findings` : "";
+				const reason = event.reason ? ` — ${event.reason}` : "";
+				this.write(`scanner ${event.tool}: ${event.status}${count}${reason}`);
+				break;
+			}
 			case "audit": {
 				const scope = event.scanned != null ? `${event.scanned} files eligible for fixes` : "whole repo";
 				const phase = event.loop === 1 ? "initial audit" : `re-audit after fix pass ${event.loop - 1}`;
@@ -1214,6 +1587,9 @@ var PlainReporter = class extends BaseReporter {
 				else if (event.outcome === "reverted") this.write(`${glyph.reverted} reverted ${event.file} — ${reasonLabel(event.reason)}`);
 				else this.write(`${glyph.left} not attempted ${event.file}`);
 				break;
+			case "file-stage":
+				this.write(`progress ${event.file}: ${fixStageLabel(event.stage)}${event.detail ? ` (${event.detail})` : ""}`);
+				break;
 			case "snapshot":
 			case "detected":
 			case "file-start":
@@ -1264,8 +1640,8 @@ function loadReport() {
 * executes in). Files are re-based onto `root` so `vitest related` / `jest
 * --findRelatedTests` resolve them inside the owning package, not the repo root.
 */
-async function runTests(runner, files, root) {
-	const targets = toOwnerRelative(files, cwd, root);
+async function runTests(runner, files, root, repoRoot = cwd) {
+	const targets = toOwnerRelative(files, repoRoot, root);
 	const args = runner === "vitest" ? [
 		"vitest",
 		"related",
@@ -1295,79 +1671,181 @@ async function runTests(runner, files, root) {
 		return [];
 	}
 }
-async function makeProductionFixUnit(config, baselineTargets, ownerRoot = cwd) {
-	const typescript = detectTypeScript(ownerRoot);
-	const runner = detectTestRunner(ownerRoot) ?? null;
+async function makeProductionFixUnit(config, baselineTargets, ownerRoot = cwd, bus, detected, sandboxPool) {
+	const typescript = detected?.typescript ?? detectTypeScript(ownerRoot);
+	const runner = detected?.runner ?? detectTestRunner(ownerRoot) ?? null;
 	const buildArgs = detectBuildCommand(ownerRoot);
 	const pm = detectPackageManager(ownerRoot);
-	const baseline = new Set(runner && baselineTargets.length > 0 ? (await runTests(runner, baselineTargets, ownerRoot)).filter((t) => t.status === "pass").map((t) => t.name) : []);
-	const session = new ClaudeSession({ spawn: async (req) => {
-		const r = await execa("claude", [
-			"-p",
-			req.prompt,
-			"--model",
-			config.model,
-			...config.effort ? ["--effort", config.effort] : [],
-			"--output-format",
-			"stream-json",
-			"--verbose",
-			"--allowedTools",
-			"Read,Write,Edit"
-		], {
-			cwd,
-			reject: false,
-			timeout: CLAUDE_TIMEOUT_MS
-		});
-		const exitCode = r.exitCode ?? (r.timedOut ? 143 : r.failed ? 1 : 0);
-		return {
-			stdout: typeof r.stdout === "string" ? r.stdout : "",
-			exitCode
-		};
-	} });
-	const gateDeps = {
-		cwd,
-		typescript,
-		runTsc: async () => {
-			const r = await execa("npx", ["tsc", "--noEmit"], {
-				cwd: ownerRoot,
+	const baseline = new Set(runner && baselineTargets.length > 0 ? (await runTests(runner, baselineTargets, ownerRoot, cwd)).filter((t) => t.status === "pass").map((t) => t.name) : []);
+	const makeGateDeps = (sandbox) => {
+		const repoRoot = sandbox?.cwd ?? cwd;
+		const gateOwnerRoot = sandbox ? mapOwnerRoot(cwd, ownerRoot, sandbox.cwd) : ownerRoot;
+		const session = new ClaudeSession({ spawn: async (req) => {
+			const r = await execa("claude", [
+				"-p",
+				req.prompt,
+				"--model",
+				config.model,
+				...config.effort ? ["--effort", config.effort] : [],
+				"--output-format",
+				"stream-json",
+				"--verbose",
+				"--allowedTools",
+				"Read,Write,Edit"
+			], {
+				cwd: repoRoot,
 				reject: false,
-				timeout: TSC_TIMEOUT_MS
+				timeout: CLAUDE_TIMEOUT_MS
 			});
+			const exitCode = r.exitCode ?? (r.timedOut ? 143 : r.failed ? 1 : 0);
 			return {
-				exitCode: r.exitCode ?? 1,
-				output: `${r.stdout}\n${r.stderr}`
+				stdout: typeof r.stdout === "string" ? r.stdout : "",
+				exitCode
 			};
-		},
-		runBuild: buildArgs ? async () => {
-			const r = await execa(pm, buildArgs, {
-				cwd: ownerRoot,
-				reject: false,
-				timeout: BUILD_TIMEOUT_MS
+		} });
+		return {
+			cwd: repoRoot,
+			typescript,
+			runTsc: async () => {
+				const r = await execa("npx", ["tsc", "--noEmit"], {
+					cwd: gateOwnerRoot,
+					reject: false,
+					timeout: TSC_TIMEOUT_MS
+				});
+				return {
+					exitCode: r.exitCode ?? 1,
+					output: `${r.stdout}\n${r.stderr}`
+				};
+			},
+			runBuild: buildArgs ? async () => {
+				const r = await execa(pm, buildArgs, {
+					cwd: gateOwnerRoot,
+					reject: false,
+					timeout: BUILD_TIMEOUT_MS
+				});
+				return {
+					exitCode: r.exitCode ?? 1,
+					output: `${r.stdout}\n${r.stderr}`
+				};
+			} : void 0,
+			hasTestRunner: Boolean(runner),
+			runRelated: (files) => runner ? runTests(runner, files, gateOwnerRoot, repoRoot) : Promise.resolve([]),
+			scanFindings: async (files, tools) => (await scanFiles({
+				cwd: repoRoot,
+				which: realWhich,
+				spawn: realSpawn,
+				timeoutMs: 12e4,
+				tools
+			}, files, 0)).findings,
+			baseline,
+			session
+		};
+	};
+	const mainGateDeps = makeGateDeps();
+	const acceptedFiles = new Set();
+	const acceptedTools = new Set();
+	const buildFixUnit = (sandbox) => makeFixUnit({
+		...makeGateDeps(sandbox),
+		maxRepairs: 3,
+		onProgress: (event) => bus?.emit({
+			type: "file-stage",
+			...event
+		})
+	});
+	const fixUnit = async (unit, loop) => {
+		if (!sandboxPool) return buildFixUnit()(unit, loop);
+		try {
+			return await sandboxPool.withSandbox(async (sandbox) => {
+				const outcome = await buildFixUnit(sandbox)(unit, loop);
+				if (!outcome.kept) return outcome;
+				bus?.emit({
+					type: "file-stage",
+					loop,
+					file: unit.file,
+					stage: "patch-apply"
+				});
+				const patch = await sandbox.collectPatch(unit);
+				if (!patch.ok) return {
+					kept: false,
+					reason: "unowned-patch",
+					detail: patch.detail,
+					failureClass: "unowned-patch",
+					usage: outcome.usage
+				};
+				const applied = await sandboxPool.applyPatchToMain(patch.patch);
+				if (!applied.ok) {
+					bus?.emit({
+						type: "file-stage",
+						loop,
+						file: unit.file,
+						stage: "patch-conflict"
+					});
+					return {
+						kept: false,
+						reason: "patch-conflict",
+						detail: applied.detail,
+						failureClass: "patch-conflict",
+						usage: outcome.usage
+					};
+				}
+				for (const file of patch.changedFiles) acceptedFiles.add(file);
+				for (const finding of unit.findings) acceptedTools.add(finding.tool);
+				return outcome;
 			});
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			const setupFailed = error instanceof SandboxSetupError;
 			return {
-				exitCode: r.exitCode ?? 1,
-				output: `${r.stdout}\n${r.stderr}`
+				kept: false,
+				reason: setupFailed ? "sandbox-setup-failed" : "session-error",
+				detail,
+				failureClass: setupFailed ? "sandbox-setup-failed" : "model-tool-failure",
+				usage: zeroUsage()
 			};
-		} : void 0,
-		hasTestRunner: Boolean(runner),
-		runRelated: (files) => runner ? runTests(runner, files, ownerRoot) : Promise.resolve([]),
-		scanFindings: async (files) => (await scanFiles({
-			cwd,
-			which: realWhich,
-			spawn: realSpawn,
-			timeoutMs: 12e4
-		}, files, 0)).findings,
-		baseline
+		}
 	};
 	return {
 		typescript,
 		runner,
-		fixUnit: makeFixUnit({
-			...gateDeps,
-			session,
-			maxRepairs: 3
-		}),
-		deterministicFixUnit: makeDeterministicFixUnit(gateDeps)
+		fixUnit,
+		deterministicFixUnit: makeDeterministicFixUnit(mainGateDeps),
+		finalIntegration: async () => {
+			const files = [...acceptedFiles].sort();
+			if (files.length === 0) return {
+				ok: true,
+				files
+			};
+			if (typescript) {
+				const tc = await mainGateDeps.runTsc();
+				if (tc.exitCode !== 0) return {
+					ok: false,
+					files,
+					detail: `final integration typecheck failed: ${tc.output}`
+				};
+			}
+			if (runner) {
+				const tests = await mainGateDeps.runRelated(files);
+				const failed = tests.filter((test) => test.status === "fail");
+				if (failed.length > 0) return {
+					ok: false,
+					files,
+					detail: `final integration related tests failed: ${failed.map((test) => test.name).join(", ")}`
+				};
+			}
+			const tools = [...acceptedTools];
+			if (tools.length > 0) {
+				const findings = await mainGateDeps.scanFindings(files, tools);
+				if (findings.length > 0) return {
+					ok: false,
+					files,
+					detail: `final integration scanner rescan found ${findings.length} finding${findings.length === 1 ? "" : "s"}`
+				};
+			}
+			return {
+				ok: true,
+				files
+			};
+		}
 	};
 }
 function describeScopeNote(all, paths, scope) {
@@ -1389,6 +1867,8 @@ async function runRun(opts) {
 		write: out
 	});
 	reporter.start();
+	const bus = new EventBus();
+	bus.on((e) => reporter.onEvent(e));
 	const git = createGit(cwd);
 	await assertGitRepo(git);
 	if (opts.effort && !EFFORT_LEVELS.includes(opts.effort)) {
@@ -1427,16 +1907,27 @@ async function runRun(opts) {
 	} else scope = await changedVsHead(git);
 	const baselineTargets = scope ?? ["."];
 	const ownerRoot = scope ? resolveOwnerRoot(cwd, scope) : cwd;
-	const { fixUnit, deterministicFixUnit, runner, typescript } = await makeProductionFixUnit(config, baselineTargets, ownerRoot);
+	const typescript = detectTypeScript(ownerRoot);
+	const runner = detectTestRunner(ownerRoot) ?? null;
 	const pm = detectPackageManager(cwd);
 	reporter.note(`${pm} · ${typescript ? "TypeScript" : "JavaScript"} · ${runner ?? "no test runner"} · ${modelLabel}`);
 	const scopeNote = describeScopeNote(opts.all, paths, scope);
 	reporter.note(`${scopeNote} · ${plural(available.length, "scanner")}`);
-	const bus = new EventBus();
-	bus.on((e) => reporter.onEvent(e));
+	if (runner && baselineTargets.length > 0) reporter.note(`baseline: ${runner} related ${describeScopeNote(opts.all, paths, scope)} (one-time)`);
+	const sandboxPool = new WorkerSandboxPool({
+		mainRoot: snapshot.repoRoot(),
+		snapshotSha: snapshot.commitSha(),
+		maxSandboxes: config.maxSessions,
+		packageManager: pm
+	});
+	const { fixUnit, deterministicFixUnit, finalIntegration } = await makeProductionFixUnit(config, baselineTargets, ownerRoot, bus, {
+		typescript,
+		runner
+	}, sandboxPool);
 	const start = Date.now();
 	const drawing = reporter.run();
 	let result;
+	let finalIntegrationResult;
 	try {
 		result = await orchestrate({
 			cwd,
@@ -1445,7 +1936,8 @@ async function runRun(opts) {
 				which: realWhich,
 				spawn: realSpawn,
 				scope,
-				timeoutMs: 12e4
+				timeoutMs: 12e4,
+				bus
 			}),
 			fixUnit,
 			deterministicFixUnit,
@@ -1453,7 +1945,10 @@ async function runRun(opts) {
 			inScope: scope ? (fs) => filterToChanged(fs, scope) : void 0,
 			bus
 		});
+		finalIntegrationResult = await finalIntegration();
+		if (!finalIntegrationResult.ok) result.exitStatus = 1;
 	} finally {
+		await sandboxPool.dispose();
 		reporter.close();
 	}
 	await drawing;
@@ -1473,7 +1968,8 @@ async function runRun(opts) {
 			exclude: config.fix.exclude,
 			includeGenerated: config.fix.includeGenerated,
 			includeFixtures: config.fix.includeFixtures
-		}
+		},
+		finalIntegration: finalIntegrationResult
 	});
 	persist(REPORT_PATH, report);
 	out("");
@@ -1496,6 +1992,7 @@ async function runRetry(id) {
 	}
 	const config = await loadConfig(cwd);
 	let snapshotSaved = false;
+	let retrySandboxPool;
 	const result = await retryCommand(id, {
 		report,
 		baseBudget: config.perIssueBudget,
@@ -1517,12 +2014,20 @@ async function runRetry(id) {
 			if (!snapshotSaved) {
 				const snapshot = await Snapshot.capture(git, cwd);
 				persist(SNAPSHOT_PATH, snapshot.toJSON());
+				retrySandboxPool = new WorkerSandboxPool({
+					mainRoot: snapshot.repoRoot(),
+					snapshotSha: snapshot.commitSha(),
+					maxSandboxes: config.maxSessions,
+					packageManager: detectPackageManager(cwd)
+				});
 				snapshotSaved = true;
 			}
 			const ownerRoot = resolveOwnerRoot(cwd, unit.files);
-			const { fixUnit } = await makeProductionFixUnit(config, unit.files, ownerRoot);
+			const { fixUnit } = await makeProductionFixUnit(config, unit.files, ownerRoot, void 0, void 0, retrySandboxPool);
 			return fixUnit(unit, 1);
 		}
+	}).finally(async () => {
+		await retrySandboxPool?.dispose();
 	});
 	if ("error" in result) {
 		err(`✖ ${result.error}`);