wogiflow 2.29.1 → 2.29.3

package/scripts/flow-long-input-pending.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+
+'use strict';
+
+/**
+ * Wogi Flow — long-input-pending CLI
+ *
+ * Subcommands:
+ *   status                       — show whether the marker is set + payload
+ *   dismiss [--reason="<text>"]  — clear the marker after the AI / user has
+ *                                  decided this prompt does NOT create work
+ *                                  (escape hatch for the P11.6 gate)
+ *
+ * The marker file is written by user-prompt-submit when a long-form prompt
+ * arrives without a source-link. The PreToolUse `checkLongInputPendingGate`
+ * (long-input-enforcement.js) consults it and blocks Edit/Write/Bash/Skill
+ * (with a small allow-list) until either /wogi-extract-review runs or this
+ * dispatcher's `dismiss` command clears it.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { PATHS } = require('./flow-utils');
+const {
+  isLongInputPending,
+  readLongInputPending,
+  clearLongInputPending,
+  PENDING_PATH
+} = require('./hooks/core/long-input-enforcement');
+
+const DISMISS_LOG = path.join(PATHS.state, 'long-input-pending-dismiss.log');
+
+function showStatus() {
+  if (!isLongInputPending()) {
+    process.stdout.write('long-input-pending: not set\n');
+    return 0;
+  }
+  const payload = readLongInputPending() || {};
+  process.stdout.write('long-input-pending: SET\n');
+  process.stdout.write(`  marker:  ${PENDING_PATH}\n`);
+  process.stdout.write(`  level:   ${payload.level || 'unknown'}\n`);
+  process.stdout.write(`  reason:  ${payload.reason || 'unknown'}\n`);
+  process.stdout.write(`  marked:  ${payload.markedAt || 'unknown'}\n`);
+  return 0;
+}
+
+function dismiss(args) {
+  if (!isLongInputPending()) {
+    process.stdout.write('long-input-pending: nothing to dismiss (marker not set)\n');
+    return 0;
+  }
+  const reasonArg = args.find(a => a.startsWith('--reason='));
+  const reason = reasonArg ? reasonArg.slice('--reason='.length).replace(/^['"]|['"]$/g, '').trim() : '';
+  if (!reason) {
+    process.stderr.write([
+      'Usage: flow long-input-pending dismiss --reason="<concrete reason>"',
+      '',
+      'A reason is required so the dismissal is auditable. Examples:',
+      '  --reason="log dump, no work created"',
+      '  --reason="verbatim error trace, already linked to wf-12345678"',
+      '  --reason="conversational question, not work-creating"'
+    ].join('\n') + '\n');
+    return 1;
+  }
+  const payload = readLongInputPending() || {};
+  clearLongInputPending();
+  try {
+    fs.mkdirSync(path.dirname(DISMISS_LOG), { recursive: true });
+    fs.appendFileSync(DISMISS_LOG, JSON.stringify({
+      dismissedAt: new Date().toISOString(),
+      reason,
+      markerPayload: payload
+    }) + '\n');
+  } catch (_err) { /* best-effort log */ }
+  process.stdout.write('long-input-pending: dismissed\n');
+  process.stdout.write(`  reason:  ${reason}\n`);
+  process.stdout.write(`  logged:  ${DISMISS_LOG}\n`);
+  return 0;
+}
+
+function showHelp() {
+  process.stdout.write([
+    'Usage: flow long-input-pending <subcommand> [options]',
+    '',
+    'Subcommands:',
+    '  status                       Show whether the P11.6 long-input-pending marker is set',
+    '  dismiss --reason="<text>"    Clear the marker after deciding the prompt does',
+    '                               NOT create work. A reason is required and is',
+    '                               appended to .workflow/state/long-input-pending-dismiss.log',
+    '                               for telemetry/learning.',
+    '  help                         Show this help',
+    ''
+  ].join('\n'));
+  return 0;
+}
+
+const [, , sub, ...rest] = process.argv;
+let exitCode = 0;
+switch (sub) {
+  case 'status': exitCode = showStatus(); break;
+  case 'dismiss': exitCode = dismiss(rest); break;
+  case 'help':
+  case '--help':
+  case '-h':
+  case undefined: exitCode = showHelp(); break;
+  default:
+    process.stderr.write(`Unknown subcommand: ${sub}\nRun 'flow long-input-pending help' for usage.\n`);
+    exitCode = 2;
+}
+process.exit(exitCode);

package/scripts/flow-long-input-stories.js

@@ -2099,6 +2099,14 @@ async function finalizeDigestion(options = {}) {
     cleanupResult = cleanupTempFiles(activeDigest.session.digest_id);
   }
 
+  // 7. Clear the P11.6 long-input-pending marker — extraction is the
+  // documented "way out" of the gate, so finalize-success means the
+  // forcing reason is now resolved. Best-effort: a missing marker is
+  // expected when finalize was triggered without the gate firing.
+  try {
+    require('./hooks/core/long-input-enforcement').clearLongInputPending();
+  } catch (_err) { /* best-effort */ }
+
   return {
     success: true,
     approved_count: exportResult.summary.total_approved,

package/scripts/flow-orchestrate-corrections.js

@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+
+/**
+ * Wogi Flow — Auto-Correction Helpers (Story 14 / wf-d0937c83)
+ *
+ * Splits flow-orchestrate's autoCorrectCode into focused helpers:
+ *
+ *   - fixForbiddenImports       (section 1: doNotImport, default/combined/namespace forms)
+ *   - fixComponentPaths         (section 2: shadcn @/components/ui/X mapping)
+ *   - fixFeatureTypePaths       (section 3: ../types in /features/ files)
+ *   - fixNoExternalUtils        (section 4: @/lib/utils removal + formatCurrency inline + cn() unwrap)
+ *   - normalizeQuotes           (section 5: double-quote → single-quote when single dominates)
+ *   - cleanupEmptyImports       (section 6: empty `import {} from "..."` cleanup)
+ *   - collapseBlankLines        (section 7: 3+ blanks → 2)
+ *
+ * Each helper takes a `(code, ...args)` shape and returns
+ * `{ corrected, corrections }`. The orchestrator (flow-orchestrate.js
+ * `autoCorrectCode`) chains them in section order.
+ *
+ * Behavior is preserved verbatim from the pre-extraction implementation;
+ * pinned by characterization tests in
+ * `tests/flow-orchestrate-corrections.test.js` (Tier-3 integration test
+ * per the Cross-Story Integration Tier-3 Rule — feeds real input through
+ * the public `autoCorrectCode` API and asserts the output).
+ *
+ * Programmatic:
+ *   const c = require('./flow-orchestrate-corrections');
+ *   const { corrected, corrections } = c.fixForbiddenImports(code, ['React']);
+ */
+
+'use strict';
+
+function fixForbiddenImports(code, doNotImport) {
+  let corrected = code;
+  const corrections = [];
+  const list = Array.isArray(doNotImport) && doNotImport.length ? doNotImport : ['React'];
+  for (const forbidden of list) {
+    const defaultImportRegex = new RegExp(`^import ${forbidden} from ['"][^'"]+['"];?\\s*\\n?`, 'gm');
+    if (defaultImportRegex.test(corrected)) {
+      corrected = corrected.replace(defaultImportRegex, '');
+      corrections.push(`Removed forbidden import: ${forbidden}`);
+    }
+
+    const combinedImportRegex = new RegExp(`^import ${forbidden},\\s*(\\{[^}]+\\})\\s+from\\s+(['"][^'"]+['"])`, 'gm');
+    if (combinedImportRegex.test(corrected)) {
+      corrected = corrected.replace(combinedImportRegex, 'import $1 from $2');
+      corrections.push(`Removed ${forbidden} from combined import`);
+    }
+
+    const namespaceImportRegex = new RegExp(`^import \\* as ${forbidden} from ['"][^'"]+['"];?\\s*\\n?`, 'gm');
+    if (namespaceImportRegex.test(corrected)) {
+      corrected = corrected.replace(namespaceImportRegex, '');
+      corrections.push(`Removed namespace import: ${forbidden}`);
+    }
+  }
+  return { corrected, corrections };
+}
+
+function fixComponentPaths(code, componentPaths) {
+  let corrected = code;
+  const corrections = [];
+  const map = (componentPaths && typeof componentPaths === 'object') ? componentPaths : {};
+  const shadcnPattern = /@\/components\/ui\/(\w+)/g;
+  corrected = corrected.replace(shadcnPattern, (match, component) => {
+    const capitalName = component.charAt(0).toUpperCase() + component.slice(1);
+    const configPath = map[capitalName];
+    if (configPath) {
+      corrections.push(`Fixed import: ${match} → ${configPath}`);
+      return configPath;
+    }
+    return match;
+  });
+  return { corrected, corrections };
+}
+
+function fixFeatureTypePaths(code, filePath, typePaths) {
+  let corrected = code;
+  const corrections = [];
+  const paths = (typePaths && typeof typePaths === 'object') ? typePaths : { features: '../api/types' };
+  if (filePath && filePath.includes('/features/') && paths.features) {
+    const wrongPaths = ["'../types'", '"../types"', "'./types'", '"./types"'];
+    for (const wrong of wrongPaths) {
+      if (corrected.includes(wrong)) {
+        corrected = corrected.replace(new RegExp(wrong.replace(/['"]/g, '[\'"]'), 'g'), `'${paths.features}'`);
+        corrections.push('Fixed type import path');
+      }
+    }
+  }
+  return { corrected, corrections };
+}
+
+function fixNoExternalUtils(code, ctx) {
+  let corrected = code;
+  const corrections = [];
+  if (!(ctx && ctx.noExternalUtils && corrected.includes('@/lib/utils'))) {
+    return { corrected, corrections };
+  }
+
+  const hadFormatCurrency = corrected.includes('formatCurrency');
+  const hadCn = corrected.includes(' cn(') || corrected.includes(' cn`');
+
+  corrected = corrected.replace(/^import.*from ['"]@\/lib\/utils['"];?\s*\n?/gm, '');
+  corrections.push('Removed @/lib/utils import');
+
+  if (hadFormatCurrency) {
+    const formatCurrencyFn = `\nconst formatCurrency = (amount: number) =>\n  new Intl.NumberFormat('en-US', { style: 'currency', currency: 'USD' }).format(amount);\n`;
+    const lastImportMatch = corrected.match(/^import[^;]+;?\s*\n/gm);
+    if (lastImportMatch) {
+      const lastImport = lastImportMatch[lastImportMatch.length - 1];
+      const insertPos = corrected.lastIndexOf(lastImport) + lastImport.length;
+      corrected = corrected.slice(0, insertPos) + formatCurrencyFn + corrected.slice(insertPos);
+    }
+    corrections.push('Inlined formatCurrency');
+  }
+
+  if (hadCn) {
+    corrected = corrected.replace(/cn\((['"`][^'"`]+['"`])\)/g, '$1');
+    corrections.push('Removed cn() wrapper');
+  }
+
+  return { corrected, corrections };
+}
+
+function normalizeQuotes(code) {
+  let corrected = code;
+  const corrections = [];
+  const singleQuoteCount = (corrected.match(/from '/g) || []).length;
+  const doubleQuoteCount = (corrected.match(/from "/g) || []).length;
+  if (singleQuoteCount > doubleQuoteCount && doubleQuoteCount > 0) {
+    corrected = corrected.replace(/from "([^"]+)"/g, "from '$1'");
+    corrections.push('Normalized import quotes to single quotes');
+  }
+  return { corrected, corrections };
+}
+
+function cleanupEmptyImports(code) {
+  return {
+    corrected: code.replace(/^import\s*\{\s*\}\s*from\s*['"][^'"]+['"];?\s*\n?/gm, ''),
+    corrections: []
+  };
+}
+
+function collapseBlankLines(code) {
+  return {
+    corrected: code.replace(/\n{3,}/g, '\n\n'),
+    corrections: []
+  };
+}
+
+module.exports = {
+  fixForbiddenImports,
+  fixComponentPaths,
+  fixFeatureTypePaths,
+  fixNoExternalUtils,
+  normalizeQuotes,
+  cleanupEmptyImports,
+  collapseBlankLines
+};

package/scripts/flow-orchestrate.js

@@ -307,109 +307,34 @@ function autoCorrectCode(code, filePath, projectConfig = null) {
     return { corrected: code, corrections: [] };
   }
 
-  // Load project context from config if not provided
   const ctx = projectConfig?.projectContext ?? getProjectContext();
-
-  let corrected = code;
   const corrections = [];
 
-  // 1. Remove forbidden imports (from config, defaults to ['React'])
-  const doNotImport = ctx.doNotImport || ['React'];
-  for (const forbidden of doNotImport) {
-    // Case A: Default import - "import X from '...'"
-    const defaultImportRegex = new RegExp(`^import ${forbidden} from ['"][^'"]+['"];?\\s*\\n?`, 'gm');
-    if (defaultImportRegex.test(corrected)) {
-      corrected = corrected.replace(defaultImportRegex, '');
-      corrections.push(`Removed forbidden import: ${forbidden}`);
-    }
-
-    // Case B: Combined with named imports - "import X, { y, z } from '...'"
-    const combinedImportRegex = new RegExp(`^import ${forbidden},\\s*(\\{[^}]+\\})\\s+from\\s+(['"][^'"]+['"])`, 'gm');
-    if (combinedImportRegex.test(corrected)) {
-      corrected = corrected.replace(combinedImportRegex, 'import $1 from $2');
-      corrections.push(`Removed ${forbidden} from combined import`);
-    }
-
-    // Case C: Namespace import - "import * as X from '...'"
-    const namespaceImportRegex = new RegExp(`^import \\* as ${forbidden} from ['"][^'"]+['"];?\\s*\\n?`, 'gm');
-    if (namespaceImportRegex.test(corrected)) {
-      corrected = corrected.replace(namespaceImportRegex, '');
-      corrections.push(`Removed namespace import: ${forbidden}`);
-    }
-  }
-
-  // 2. Fix component paths based on config mappings
-  const componentPaths = ctx.componentPaths ?? {};
-
-  // Build reverse mapping from shadcn-style to project paths
-  // @/components/ui/button → project's Button path
-  const shadcnPattern = /@\/components\/ui\/(\w+)/g;
-  corrected = corrected.replace(shadcnPattern, (match, component) => {
-    const capitalName = component.charAt(0).toUpperCase() + component.slice(1);
-    const configPath = componentPaths[capitalName];
-    if (configPath) {
-      corrections.push(`Fixed import: ${match} → ${configPath}`);
-      return configPath;
-    }
-    return match; // Leave as-is if no mapping
-  });
-
-  // 3. Fix type paths for features (from config)
-  const typePaths = ctx.typePaths || { features: '../api/types' };
-  if (filePath && filePath.includes('/features/') && typePaths.features) {
-    const wrongPaths = ["'../types'", '"../types"', "'./types'", '"./types"'];
-    for (const wrong of wrongPaths) {
-      if (corrected.includes(wrong)) {
-        corrected = corrected.replace(new RegExp(wrong.replace(/['"]/g, '[\'"]'), 'g'), `'${typePaths.features}'`);
-        corrections.push('Fixed type import path');
-      }
-    }
-  }
-
-  // 4. Remove external utils if configured (noExternalUtils: true)
-  if (ctx.noExternalUtils && corrected.includes('@/lib/utils')) {
-    const hadFormatCurrency = corrected.includes('formatCurrency');
-    const hadCn = corrected.includes(' cn(') || corrected.includes(' cn`');
-
-    // Remove the import
-    corrected = corrected.replace(/^import.*from ['"]@\/lib\/utils['"];?\s*\n?/gm, '');
-    corrections.push('Removed @/lib/utils import');
-
-    // Inline formatCurrency if it was used
-    if (hadFormatCurrency) {
-      const formatCurrencyFn = `\nconst formatCurrency = (amount: number) =>\n  new Intl.NumberFormat('en-US', { style: 'currency', currency: 'USD' }).format(amount);\n`;
-      // Insert after imports
-      const lastImportMatch = corrected.match(/^import[^;]+;?\s*\n/gm);
-      if (lastImportMatch) {
-        const lastImport = lastImportMatch[lastImportMatch.length - 1];
-        const insertPos = corrected.lastIndexOf(lastImport) + lastImport.length;
-        corrected = corrected.slice(0, insertPos) + formatCurrencyFn + corrected.slice(insertPos);
-      }
-      corrections.push('Inlined formatCurrency');
-    }
+  // Lazy-load the helpers — avoids module-load-order issues with the
+  // legacy CLI bootstrap at the bottom of this file.
+  const c = require('./flow-orchestrate-corrections');
 
-    // Remove cn() usage - just use template literals or className directly
-    if (hadCn) {
-      corrected = corrected.replace(/cn\((['"`][^'"`]+['"`])\)/g, '$1');
-      corrections.push('Removed cn() wrapper');
-    }
-  }
-
-  // 5. Fix double-quoted imports to single quotes (style consistency)
-  const singleQuoteCount = (corrected.match(/from '/g) || []).length;
-  const doubleQuoteCount = (corrected.match(/from "/g) || []).length;
-  if (singleQuoteCount > doubleQuoteCount && doubleQuoteCount > 0) {
-    corrected = corrected.replace(/from "([^"]+)"/g, "from '$1'");
-    corrections.push('Normalized import quotes to single quotes');
+  // CL-007 fix (2026-04-26): non-closure data-driven form. The previous
+  // array-of-closure form worked correctly under sequential iteration but
+  // would silently break under any future parallel/lazy execution because
+  // each closure captured `corrected` by reference. Using a plain
+  // step-name + args list is equally readable and closure-trap-free.
+  let corrected = code;
+  const steps = [
+    ['fixForbiddenImports', [ctx.doNotImport]],
+    ['fixComponentPaths', [ctx.componentPaths]],
+    ['fixFeatureTypePaths', [filePath, ctx.typePaths]],
+    ['fixNoExternalUtils', [ctx]],
+    ['normalizeQuotes', []],
+    ['cleanupEmptyImports', []],
+    ['collapseBlankLines', []]
+  ];
+  for (const [fn, args] of steps) {
+    const r = c[fn](corrected, ...args);
+    corrected = r.corrected;
+    if (r.corrections.length) corrections.push(...r.corrections);
   }
 
-  // 6. Remove empty import statements (artifact of removing imports)
-  corrected = corrected.replace(/^import\s*\{\s*\}\s*from\s*['"][^'"]+['"];?\s*\n?/gm, '');
-
-  // 7. Fix multiple consecutive blank lines (cleanup)
-  corrected = corrected.replace(/\n{3,}/g, '\n\n');
-
-  // Log corrections if any
   if (corrections.length > 0 && typeof log === 'function') {
     log('dim', `   🔧 Auto-corrected: ${corrections.join(', ')}`);
   }

package/scripts/flow-question-queue.js

@@ -26,10 +26,17 @@
 const path = require('node:path');
 const fs = require('node:fs');
 const { PATHS } = require('./flow-paths');
-const { readJson, writeJson } = require('./flow-io');
+const { readJson, writeJson, withLock } = require('./flow-io');
 
 const QUEUE_PATH = path.join(PATHS.state, 'question-queue.json');
 
+// SEC-004 caps (2026-04-26): bound disk consumption for buggy classifier
+// over-flag and prompt-injection that intentionally generates many questions.
+// Overflow rotates the current queue to an archive file, never silently drops.
+const MAX_QUESTIONS_PER_FILE = 100;
+const MAX_QUESTION_TEXT_BYTES = 4 * 1024;          // 4 KB per question text
+const MAX_QUEUE_FILE_BYTES = 1 * 1024 * 1024;      // 1 MB total queue file
+
 function emptyQueue() {
   return { questions: [], skippedTasks: [] };
 }
@@ -52,6 +59,29 @@ function saveQueue(data) {
   return data;
 }
 
+/**
+ * Rotate the current queue to a timestamped archive file, then return an
+ * empty queue. Used when overflow caps are hit (SEC-004).
+ */
+function rotateQueue() {
+  try {
+    if (!fs.existsSync(QUEUE_PATH)) return emptyQueue();
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    const archivePath = path.join(PATHS.state, `question-queue-archive-${ts}.json`);
+    fs.renameSync(QUEUE_PATH, archivePath);
+  } catch (_err) { /* best-effort archive */ }
+  return emptyQueue();
+}
+
+function truncateText(text) {
+  if (typeof text !== 'string') return '';
+  const buf = Buffer.from(text, 'utf-8');
+  if (buf.byteLength <= MAX_QUESTION_TEXT_BYTES) return text;
+  // Truncate by bytes, then drop last char to avoid mid-codepoint cuts.
+  const truncated = buf.slice(0, MAX_QUESTION_TEXT_BYTES - 1).toString('utf-8');
+  return truncated.replace(/.$/, '') + '… [truncated]';
+}
+
 function clearQueue() {
   try {
     if (fs.existsSync(QUEUE_PATH)) fs.unlinkSync(QUEUE_PATH);
@@ -74,10 +104,18 @@ function shortId() {
  */
 function addQuestion(q) {
   if (!q || !q.text) throw new Error('addQuestion: text is required');
-  const queue = loadQueue();
+  // SEC-004: cap text size, count, file size with archive rotation on overflow
+  const text = truncateText(String(q.text));
+  let queue = loadQueue();
+
+  // Count cap — rotate before append if at limit
+  if (queue.questions.length >= MAX_QUESTIONS_PER_FILE) {
+    queue = rotateQueue();
+  }
+
   const entry = {
     id: `q-${shortId()}`,
-    text: q.text,
+    text,
     classifiedBucket: q.classifiedBucket || null,
     taskContext: q.taskContext || null,
     dependencies: Array.isArray(q.dependencies) ? q.dependencies : [],
@@ -86,10 +124,27 @@ function addQuestion(q) {
     answered: false
   };
   queue.questions.push(entry);
+
+  // File-size cap (defense-in-depth — covers degenerate per-question payloads).
+  const candidate = JSON.stringify(queue);
+  if (Buffer.byteLength(candidate, 'utf-8') > MAX_QUEUE_FILE_BYTES) {
+    queue = rotateQueue();
+    queue.questions.push(entry);
+  }
+
   saveQueue(queue);
   return entry;
 }
 
+/**
+ * Async variant of addQuestion that holds an inter-process lock around the
+ * read-modify-write cycle (CL-002 fix). Prefer this in concurrent contexts
+ * (autonomous worker + manager dispatch handler running in parallel).
+ */
+async function addQuestionAsync(q) {
+  return withLock(QUEUE_PATH, async () => addQuestion(q));
+}
+
 /**
  * Mark a task as skipped, recording the reason and (optionally) the question
  * blocking it.
@@ -113,12 +168,17 @@ function skipTask({ taskId, reason, blockingQuestionId } = {}) {
   return record;
 }
 
+async function skipTaskAsync(args) {
+  return withLock(QUEUE_PATH, async () => skipTask(args));
+}
+
 /**
  * Conservative dependency classifier — text-match only.
- * AI classifier (Haiku) fallback is intentionally NOT inlined here; callers
- * that have access to Haiku invoke `classifyDependenciesWithAi()` and merge
- * results with `unionDependencies()`. This keeps the hot path classifier-free
- * for tests and for environments without Anthropic credentials.
+ * AI classifier integration is handled by `classifyDependenciesSafe(text,
+ * tasks, aiClassifier)` below — callers pass an injected classifier
+ * function. This keeps the hot path classifier-free for tests and for
+ * environments without Anthropic credentials. (CL-008 fix 2026-04-26 —
+ * removed misleading reference to a non-existent classifyDependenciesWithAi.)
  *
  * Rules:
  * 1. Exact task ID match (wf-XXXXXXXX) → flag dependency.
@@ -216,12 +276,18 @@ function listSkippedTasks() {
 
 module.exports = {
   QUEUE_PATH,
+  MAX_QUESTIONS_PER_FILE,
+  MAX_QUESTION_TEXT_BYTES,
+  MAX_QUEUE_FILE_BYTES,
   emptyQueue,
   loadQueue,
   saveQueue,
+  rotateQueue,
   clearQueue,
   addQuestion,
+  addQuestionAsync,
   skipTask,
+  skipTaskAsync,
   classifyDependencies,
   classifyDependenciesSafe,
   unionDependencies,

package/scripts/flow-scanner-base.js

@@ -387,9 +387,63 @@ class BaseScanner {
         }
       });
 
-      // Pass 2: Collect all exported names
+      // Pass 2: Collect all exported names (handles BOTH ESM `export` and
+      // CommonJS `module.exports`/`exports` patterns).
+      // arch-005 fix (2026-04-26): the original Babel scanner only handled
+      // ESM. wogi-flow's source is CommonJS, so all exports were invisible
+      // and function-map.md was empty after every scan.
       const exported = new Map();
 
+      // CJS helper: handle `module.exports = { ... }` and
+      // `module.exports.x = ...` and `exports.x = ...`.
+      const handleCjsExportAssignment = (assignNode) => {
+        const left = assignNode.left;
+        const right = assignNode.right;
+        if (!left || !right) return;
+
+        // Pattern: module.exports = { foo, bar, baz }
+        // or:      exports        = { foo, bar, baz }  (rare)
+        const isModuleExports =
+          left.type === 'MemberExpression' &&
+          left.object?.name === 'module' &&
+          left.property?.name === 'exports' &&
+          !left.computed;
+        const isBareExports =
+          left.type === 'Identifier' && left.name === 'exports';
+
+        if ((isModuleExports || isBareExports) && right.type === 'ObjectExpression') {
+          for (const prop of right.properties) {
+            if (prop.type === 'ObjectProperty' || prop.type === 'Property') {
+              // Shorthand: { foo }  → key = foo (identifier), value = foo
+              // Long form: { foo: bar }  → key = foo, value = bar (identifier)
+              const keyName = prop.key?.name || prop.key?.value;
+              if (typeof keyName === 'string' && keyName) {
+                exported.set(keyName, { isDefault: false });
+              }
+            }
+          }
+          return;
+        }
+
+        // Pattern: module.exports.foo = bar
+        //          exports.foo        = bar
+        // (left is MemberExpression where the property is the export name)
+        const isModuleExportsDotX =
+          left.type === 'MemberExpression' &&
+          left.object?.type === 'MemberExpression' &&
+          left.object.object?.name === 'module' &&
+          left.object.property?.name === 'exports';
+        const isExportsDotX =
+          left.type === 'MemberExpression' &&
+          left.object?.name === 'exports';
+        if (isModuleExportsDotX || isExportsDotX) {
+          const name = left.property?.name;
+          if (typeof name === 'string' && name) {
+            exported.set(name, { isDefault: false });
+          }
+        }
+      };
+
       this.traverse(ast, {
         ExportNamedDeclaration: (nodePath) => {
           const decl = nodePath.node.declaration;
@@ -415,6 +469,10 @@ class BaseScanner {
           } else if (decl.type === 'Identifier') {
             exported.set(decl.name, { isDefault: true });
           }
+        },
+        // CommonJS exports — `module.exports = { ... }`, `exports.x = ...`
+        AssignmentExpression: (nodePath) => {
+          handleCjsExportAssignment(nodePath.node);
         }
       });
 
@@ -456,6 +514,24 @@ class BaseScanner {
       }
     }
 
+    // CommonJS: module.exports = { foo, bar, baz }
+    // arch-005 fix (2026-04-26): regex fallback was ESM-only, missing all
+    // CJS exports. Same gap as the Babel scanner had.
+    const cjsObjectExportRegex = /module\.exports\s*=\s*\{([^}]+)\}/g;
+    while ((match = cjsObjectExportRegex.exec(content)) !== null) {
+      const specifiers = match[1].split(',');
+      for (const spec of specifiers) {
+        const name = spec.trim().split(/[:\s]/)[0].trim();
+        if (name && /^[a-zA-Z_$][\w$]*$/.test(name)) exported.add(name);
+      }
+    }
+
+    // CommonJS: module.exports.foo = ... or exports.foo = ...
+    const cjsDotExportRegex = /(?:module\.exports|^exports)\s*\.\s*([a-zA-Z_$][\w$]*)\s*=/gm;
+    while ((match = cjsDotExportRegex.exec(content)) !== null) {
+      exported.add(match[1]);
+    }
+
     return exported;
   }