zeitzeuge 0.8.2 → 0.9.0

package/dist/cli.js

@@ -125,6 +125,7 @@ class TodoProgressRenderer {
   totalTodos = 0;
   completedTodos = 0;
   subagentTodos = new Map;
+  pendingAutoTasks = new Set;
   canAnimate;
   constructor(spinner, { animate = true } = {}) {
     this.spinner = spinner;
@@ -234,11 +235,13 @@ class TodoProgressRenderer {
     }
     const toolCalls = extractToolCallsFromStreamChunk(chunk);
     if (toolCalls && toolCalls.length > 0) {
+      const newlyDispatched = [];
       for (const tc of toolCalls) {
         if (!isSubagent && tc.name === "task") {
           const subagentType = tc.args.subagent_type;
           if (typeof subagentType === "string" && !this.dispatchedSubagents.includes(subagentType)) {
             this.dispatchedSubagents.push(subagentType);
+            newlyDispatched.push(subagentType);
           }
         }
         if (tc.name === "write_todos") {
@@ -247,6 +250,11 @@ class TodoProgressRenderer {
             if (Array.isArray(todos2)) {
               const displayName = this.resolveSubagentName(nsKey, meta?.namespace);
               this.handleSubagentTodos(todos2, nsKey, displayName);
+              const autoNsKey = `auto:${displayName}`;
+              if (this.subagentTodos.has(autoNsKey)) {
+                this.subagentTodos.delete(autoNsKey);
+                this.pendingAutoTasks.delete(displayName);
+              }
             }
           }
           continue;
@@ -276,6 +284,21 @@ class TodoProgressRenderer {
           this.persistLine(" ", pc.dim(label));
         }
       }
+      for (const name of newlyDispatched) {
+        const autoNsKey = `auto:${name}`;
+        this.handleSubagentTodos([{ content: "analyzing", status: "in_progress" }], autoNsKey, name);
+        this.pendingAutoTasks.add(name);
+      }
+      if (!isSubagent && this.pendingAutoTasks.size > 0) {
+        const hasNonTaskCalls = toolCalls.some((tc) => tc.name !== "task" && tc.name !== "write_todos");
+        if (hasNonTaskCalls) {
+          for (const name of this.pendingAutoTasks) {
+            const autoNsKey = `auto:${name}`;
+            this.handleSubagentTodos([{ content: "analyzing", status: "completed" }], autoNsKey, name);
+          }
+          this.pendingAutoTasks.clear();
+        }
+      }
     }
     if (isSubagent)
       return;
@@ -497,6 +520,49 @@ async function invokeWithTodoStreaming(agent, userMessage, spinner, { animatePro
   }
   return lastValues;
 }
+// ../utils/src/analysis/merge-findings.ts
+var FINDINGS_DIR = "/findings";
+var MERGED_FILENAME = "merged.json";
+function toAbsoluteFindingsPath(entryPath) {
+  const lastSlash = entryPath.lastIndexOf("/");
+  const filename = lastSlash >= 0 ? entryPath.slice(lastSlash + 1) : entryPath;
+  return `${FINDINGS_DIR}/${filename}`;
+}
+async function mergeFindings(backend) {
+  let entries;
+  try {
+    entries = await backend.lsInfo(FINDINGS_DIR);
+  } catch {
+    return [];
+  }
+  const jsonFiles = entries.filter((e) => e.path.endsWith(".json") && !e.path.endsWith(MERGED_FILENAME));
+  if (jsonFiles.length === 0) {
+    return [];
+  }
+  const allFindings = [];
+  for (const entry of jsonFiles) {
+    const filePath = toAbsoluteFindingsPath(entry.path);
+    try {
+      const fileData = await backend.readRaw(filePath);
+      const raw = fileData.content.join(`
+`);
+      const parsed = JSON.parse(raw);
+      const validated = FindingsSchema.safeParse(parsed);
+      if (validated.success) {
+        allFindings.push(...validated.data.findings);
+      } else {
+        console.warn(`[merge-findings] Skipping ${filePath}: schema validation failed`);
+      }
+    } catch (err) {
+      console.warn(`[merge-findings] Skipping ${filePath}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  try {
+    const mergedContent = JSON.stringify({ findings: allFindings }, null, 2);
+    await backend.write(`${FINDINGS_DIR}/${MERGED_FILENAME}`, mergedContent);
+  } catch {}
+  return allFindings;
+}
 // ../utils/src/analysis/deduplication.ts
 function extractFunctionName(finding) {
   if (finding.hotFunction?.name) {
@@ -655,21 +721,47 @@ Each finding MUST use one of these EXACT category values — do NOT invent new c
 
 Prefer more specific categories (algorithm, serialization, allocation, event-handling,
 blocking-io, listener-leak, gc-pressure) over generic ones (hot-function, other).`;
-var FULL_RESPONSE_REQUIREMENT = `## CRITICAL — Your response MUST contain ALL findings in full
+var PARALLEL_TOOL_CALLS = `## CRITICAL: Tool call strategy — scripts for data, read_file for source
+
+Your FIRST turn MUST:
+1. Run analysis scripts (execute_command) to query the JSON data files.
+   Use pre-built helper scripts in skills/ or write your own using the
+   data-scripting skill.
+2. Call read_file for ALL application source files listed above.
+
+Batch everything into ONE turn. Do NOT read data files one-at-a-time.
 
-Your final response is the ONLY thing the orchestrator sees. If you write a short summary
-like "All N findings have been reported", the orchestrator CANNOT see your findings and
-they will be LOST.
+For data files: run a helper script or write a custom one. This is faster
+and uses fewer tokens than reading raw JSON.
+
+For source files: use read_file since you need to see the exact code for
+beforeCode/afterCode suggestions.
+
+FORBIDDEN actions:
+- ls — NEVER call ls. File paths are already listed above.
+- glob — NEVER call glob. File paths are already listed above.
+- Reading JSON data files with read_file — use scripts instead.`;
+var WRITE_FINDINGS_REQUIREMENT = `## CRITICAL — Persist your findings to a file
 
-You MUST include the COMPLETE analysis in your response text. For EVERY finding, write out:
-- Title, category, severity, sourceFile, lineNumber
-- Full description of the issue
-- Complete beforeCode (verbatim from the source file)
-- Complete afterCode (working drop-in replacement)
+When your analysis is complete, you MUST write ALL findings to a JSON file using write_file.
 
-Do NOT abbreviate. Do NOT say "findings have been reported" without listing them.
-The orchestrator will extract findings from your response text — if a finding is not
-in your text, it does not exist.`;
+1. Call write_file with path: \`/findings/<YOUR_AGENT_NAME>.json\`
+   Use your agent name as the filename (e.g. memory-heap, page-load, runtime-blocking,
+   code-pattern, cpu-hotspot, listener-leak, memory-closure).
+
+2. The file content MUST be a JSON object with this exact structure:
+   { "findings": [ { "severity": "...", "title": "...", ... }, ... ] }
+   Each finding must include ALL required fields: severity, title, description,
+   category, sourceFile, lineNumber, suggestedFix, beforeCode, afterCode,
+   confidence, impactMs, estimatedSavingsMs.
+
+3. Write ALL findings in a SINGLE write_file call. Do NOT write findings one at a time.
+
+4. After writing the file, respond with ONLY a brief summary like:
+   "Found 4 issues: 2 critical, 1 warning, 1 info. Written to /findings/memory-heap.json"
+
+The orchestrator reads findings from the file directly — your text response is only for
+progress display. If a finding is not in the JSON file, it does not exist.`;
 var STRUCTURED_OUTPUT_FIELDS = `## Structured output fields — REQUIRED for every finding
 
 Every finding MUST include ALL of these fields:
@@ -1906,6 +1998,504 @@ var BROWSER_ANALYSIS_SKILL_FILES = {
   "skills/browser-analysis/helpers/analyze-heap.js": ANALYZE_HEAP_JS,
   "skills/browser-analysis/helpers/find-patterns.js": FIND_PATTERNS_JS
 };
+// ../utils/src/profiling/profile-parser.ts
+var META_FUNCTIONS = new Set(["(root)", "(idle)", "(program)"]);
+// ../utils/src/profiling/agent.ts
+import { createDeepAgent } from "deepagents";
+
+// ../utils/src/profiling/prompts/test-shared.ts
+var SEVERITY_RULES = `## Severity classification
+
+Assign severity based on the nature and measured impact of the issue:
+
+- **critical** — Any of:
+  - Synchronous blocking of the event loop (CPU-bound loops, sync crypto, sync I/O)
+  - Functions that CALL blocking functions (compound blockers)
+  - Listener exceedances (count exceeding maxListeners threshold)
+  - GC overhead >10% of total profile duration
+  - A single function consuming >15% of APPLICATION code self-time
+- **warning** — Any of:
+  - Listener add/remove imbalance (addCount > 2× removeCount) without exceedance
+  - O(n²) or worse algorithms on collections
+  - Unnecessary serialization (JSON.parse/JSON.stringify) on hot paths
+  - Closure-based memory leaks or unbounded data structures
+  - A function consuming 5–15% of application self-time
+- **info** — Minor inefficiencies, small optimisation opportunities, per-call
+  object allocation (TextEncoder, RegExp, DateTimeFormat), or patterns that only
+  matter at scale
+
+IMPORTANT: Blocking/event-loop-blocking operations are ALWAYS critical, regardless
+of measured self-time percentage. Even a short blocking call prevents the event loop
+from processing other work and is a correctness issue, not just a performance issue.`;
+
+// ../utils/src/profiling/prompts/cpu-hotspot.ts
+var CPU_HOTSPOT_PROMPT = `You are a specialist in detecting CPU-blocking operations and excessive object instantiation in JavaScript/TypeScript code.
+
+You have access to a workspace with V8 CPU profiling data from a Vitest test run.
+
+## Your focus areas
+
+### 1. Blocking / Event-Loop-Blocking Operations (HIGHEST PRIORITY)
+
+Look for functions that block the event loop with synchronous CPU-intensive work:
+- Synchronous crypto operations (hashing, encryption) that should use async APIs
+- CPU-bound loops (e.g., manual hashing with many iterations, busy-waits)
+- Functions that CALL other blocking functions (compound blocking). Report the
+  CALLER as a separate finding.
+- Synchronous file I/O in hot paths (readFileSync, writeFileSync, etc.)
+- Heavy computation without yielding (e.g., large matrix operations, parsing)
+
+**How to detect:** Read hot-functions/application.json for functions with high selfTime.
+For each one with >= 1% selfPercent, read the source code and check for:
+- Loops with many iterations doing CPU work
+- Calls to other blocking functions (trace the call chain — read the callee's source!)
+- Missing async/await for operations that have async alternatives (e.g., crypto.pbkdf2 vs crypto.pbkdf2Sync)
+
+**IMPORTANT — Compound blockers are SEPARATE findings:**
+If function A calls function B and B is blocking, you MUST report TWO findings:
+1. Function B: the primary blocking operation
+2. Function A: a "compound blocker" that calls B, inheriting and compounding B's cost
+Do NOT just report B and skip A. The developer needs to know both call sites.
+
+### 2. Excessive Object Instantiation (SECONDARY)
+
+Look for functions creating stateless objects on every call that should be
+module-level singletons or hoisted out of loops:
+- \`new TextEncoder()\` / \`new TextDecoder()\` — stateless, should be module-level
+- \`new Intl.DateTimeFormat()\` / \`new Intl.NumberFormat()\` — locale-dependent but cacheable
+- \`new Map()\` / \`new Set()\` — if used as temporary lookup then discarded each call
+- \`new RegExp()\` — if the pattern is constant, compile once at module level
+- \`new Date()\` inside sort comparators — called O(n log n) times
+- Any constructor call inside a hot loop that produces a stateless, reusable object
+
+**How to detect:** Read source files for hot functions and look for object
+construction inside function bodies that could be hoisted to module scope.
+
+**IMPORTANT:** If a function has BOTH a blocking issue AND an instantiation issue,
+report them as TWO separate findings with different categories (blocking-io vs allocation).
+Do NOT skip the instantiation finding just because you already reported a blocking finding
+for the same function.
+
+## Your scope — categories YOU own
+
+You are one of four parallel subagents. Use ONLY these categories:
+- **blocking-io** — for event-loop-blocking operations (sync crypto, CPU loops, sync I/O)
+- **allocation** — for per-call object instantiation (new TextEncoder, new Intl.DateTimeFormat, new Map per call)
+
+Do NOT report findings with categories: algorithm, serialization, gc-pressure,
+listener-leak, event-handling, unnecessary-computation. Other subagents handle those.
+Do NOT report findings about test files (tests/*.ts) — only about src/ files.
+
+## Your workflow
+
+1. In your FIRST turn, do ALL of these in ONE batch:
+   a. Run the workspace overview script:
+      execute_command: node skills/profile-analysis/helpers/analyze-workspace.js
+   b. Run the detailed hot functions script:
+      execute_command: node skills/profile-analysis/helpers/analyze-hotfunctions.js
+   c. Call read_file for EVERY src/ file listed in "FILES IN THIS WORKSPACE" above.
+   Do NOT use ls or glob. Batch everything into ONE turn.
+2. From the script outputs, identify hot functions (>= 1% selfPercent) and match
+   them to the source code you read.
+3. For EACH hot function, analyze its source for blocking patterns or unnecessary instantiation.
+4. Check EVERY source file top-to-bottom, not just the hot ones.
+5. For compound blockers, trace the call chain using the callerChain data from the script output.
+
+${PARALLEL_TOOL_CALLS}
+${VERIFICATION_RULES}
+${SEVERITY_RULES}
+${FINDING_CATEGORIES}
+${OUTPUT_FORMAT}
+${STRUCTURED_OUTPUT_FIELDS}
+${WRITE_FINDINGS_REQUIREMENT}`;
+// ../utils/src/profiling/prompts/listener-leak.ts
+var LISTENER_LEAK_PROMPT = `You are a specialist in detecting event listener leaks and event handling imbalances in JavaScript/TypeScript code.
+
+You have access to a workspace with V8 CPU profiling data and event listener tracking from a Vitest test run.
+
+## Your SOLE focus: Event Listener Leaks
+
+You look for ONE thing: code that registers event listeners without proper cleanup,
+causing listener accumulation, memory growth, and MaxListenersExceededWarning.
+
+### Pattern A — Listener accumulation per call
+
+A function that adds a new listener EVERY TIME it is called, but never removes
+old ones. After N calls, there are N active listeners.
+
+\`\`\`typescript
+// BAD: adds a new listener on every call
+function getData() {
+  emitter.on('update', handler); // accumulates!
+}
+\`\`\`
+
+**Correct fix pattern — use a guard flag + named handler:**
+
+\`\`\`typescript
+// GOOD: register once, named handler, proper cleanup
+let registered = false;
+const onUpdate = () => { cache = null; };
+
+function getData() {
+  if (!registered) {
+    emitter.on('update', onUpdate);
+    registered = true;
+  }
+  // ... rest of function
+}
+
+function reset() {
+  if (registered) {
+    emitter.off('update', onUpdate);  // surgical removal
+    registered = false;
+  }
+}
+\`\`\`
+
+CRITICAL for afterCode: always use a NAMED handler (const onUpdate = ...) so
+it can be removed with .off(). NEVER use anonymous functions with .on().
+If the file has an existing cleanup/reset function, update it to call
+.off(event, handler) and reset the guard flag.
+
+### Pattern B — Missing unsubscribe mechanism
+
+A subscribe-style function that adds listeners but returns no way to remove them.
+
+\`\`\`typescript
+// BAD: no way to unsubscribe
+function subscribe(channel) {
+  emitter.on(channel, handler); // no return value, no cleanup
+}
+\`\`\`
+
+**Correct fix pattern — return an unsubscribe function:**
+
+\`\`\`typescript
+// GOOD: returns cleanup function
+function subscribe(channel, handler) {
+  emitter.on(channel, handler);
+  return () => { emitter.off(channel, handler); };
+}
+\`\`\`
+
+### Pattern C — MaxListeners exceeded (MUST report as a SEPARATE finding)
+
+When listener counts exceed the default maxListeners threshold (10), this
+triggers a MaxListenersExceededWarning at runtime. Check listener-tracking.json
+for the "exceedances" array — each entry shows an event type where the listener
+count exceeded the threshold.
+
+**This is a SEPARATE finding from Pattern A/B**, even if the same function causes
+both the accumulation AND the exceedance. You MUST report:
+1. Pattern A or B finding: the code that adds listeners without cleanup
+2. Pattern C finding: the maxListeners threshold being exceeded, with the
+   specific count, threshold, and event name from the exceedance data
+
+The Pattern C finding MUST have:
+- category: **"event-handling"** (do NOT use "listener-leak" — use a DIFFERENT
+  category from Pattern A/B so both findings survive deduplication)
+- severity: "critical" (exceedances are always critical)
+- title: focus on the event name and threshold, e.g. "maxListeners threshold
+  exceeded for task:changed event (11 listeners, threshold 10)"
+- description: MUST mention ALL of these terms: "maxListeners", "threshold",
+  "exceeded", the event name (e.g. "task:changed"), and the numeric count
+  (e.g. "11") and threshold (e.g. "10") from the tracking data
+
+## Your scope — categories YOU own
+
+You are one of four parallel subagents. Use ONLY these categories:
+- **listener-leak** — for Pattern A (accumulation) and Pattern B (missing unsubscribe)
+- **event-handling** — for Pattern C (maxListeners exceeded)
+
+Do NOT report findings with categories: blocking-io, allocation, algorithm,
+serialization, gc-pressure, unnecessary-computation. Other subagents handle those.
+Do NOT report findings about test files (tests/*.ts) — only about src/ files.
+
+## Your workflow (follow this EXACTLY)
+
+1. In your FIRST turn, do ALL of these in ONE batch:
+   a. Run the workspace overview script:
+      execute_command: node skills/profile-analysis/helpers/analyze-workspace.js
+   b. Run the detailed listener analysis script:
+      execute_command: node skills/profile-analysis/helpers/analyze-listeners.js
+   c. Call read_file for EVERY src/ file listed in "FILES IN THIS WORKSPACE" above.
+   Do NOT use ls or glob. Batch everything into ONE turn.
+2. From the script outputs, identify:
+   - exceedances (listenerCount > maxListeners threshold)
+   - add/remove imbalances (addCount with zero removeCount = leak candidates)
+3. In the source files you already read, find the .on() / .addEventListener() calls
+   and check if corresponding removal exists.
+4. For each issue found, provide before/after code.
+
+## Important: Report EACH pattern as a SEPARATE finding
+
+- If a function adds a listener without removal → one finding about accumulation
+- If a subscribe function has no unsubscribe mechanism → a separate finding
+- If maxListeners is exceeded → a SEPARATE finding (cross-reference with the causal
+  pattern above). This must be its own finding even if you already reported the
+  listener accumulation that caused it. The developer needs to know BOTH that
+  listeners accumulate AND that the threshold is exceeded.
+
+### Minimum expected findings
+
+For a typical codebase with listener leaks, expect at least:
+1. One finding per function that adds listeners without cleanup (Pattern A)
+2. One finding per subscribe function without unsubscribe (Pattern B)
+3. One finding per maxListeners exceedance from tracking data (Pattern C)
+
+${PARALLEL_TOOL_CALLS}
+${VERIFICATION_RULES}
+${SEVERITY_RULES}
+${FINDING_CATEGORIES}
+${OUTPUT_FORMAT}
+${STRUCTURED_OUTPUT_FIELDS}
+${WRITE_FINDINGS_REQUIREMENT}`;
+// ../utils/src/profiling/prompts/memory-closure.ts
+var MEMORY_CLOSURE_PROMPT = `You are a specialist in detecting memory leaks caused by closures, unbounded data structures, and missing cleanup/eviction in JavaScript/TypeScript code.
+
+You have access to a workspace with V8 CPU profiling data from a Vitest test run.
+
+## Your SOLE focus: Closure & Memory Leak Patterns
+
+You look for code where objects, closures, or data structures retain references
+longer than necessary, preventing garbage collection and causing continuous
+memory growth.
+
+### Pattern A — Closures capturing outer-scope data
+
+Closures stored in long-lived data structures that capture variables from
+the enclosing scope — even after the captured data is conceptually stale.
+
+\`\`\`typescript
+// BAD: closure captures 'value' and 'ctx' from enclosing scope
+set(key, value, ctx) {
+  this.cache.set(key, {
+    data: value,
+    refresher: () => {
+      // This closure captures 'value' and 'ctx' — they can
+      // never be garbage collected while the cache entry exists
+      return fetchFresh(key, ctx);
+    }
+  });
+}
+\`\`\`
+
+### Pattern B — Unbounded data structures (no eviction)
+
+Arrays, Maps, or Sets that only grow — elements are added but never removed,
+cleared, or evicted. Over time, memory grows monotonically.
+
+\`\`\`typescript
+// BAD: log grows without bound
+process(item) {
+  this.log.push({
+    item,
+    timestamp: Date.now(),
+    context: this.currentContext  // retains reference forever
+  });
+}
+\`\`\`
+
+### Pattern C — Closures capturing request/response or transient objects
+
+Code that stores closures capturing objects meant to be short-lived (e.g.
+request bodies, response objects, connection handles), preventing them from
+being freed after their lifecycle ends.
+
+\`\`\`typescript
+// BAD: closure captures the full transient object forever
+record(obj) {
+  this.entries.push({
+    id: obj.id,
+    timestamp: Date.now(),
+    getDetails: () => ({
+      payload: obj.payload,   // captures obj.payload forever
+      metadata: obj.metadata  // captures obj.metadata forever
+    })
+  });
+}
+\`\`\`
+
+## Your scope — categories YOU own
+
+You are one of four parallel subagents. Use ONLY this category:
+- **gc-pressure** — for closures capturing outer-scope data, unbounded data
+  structures (Maps, arrays) without eviction, and closures retaining transient objects
+
+Do NOT report findings with categories: blocking-io, allocation, algorithm,
+serialization, listener-leak, event-handling, unnecessary-computation. Other
+subagents handle those. Specifically:
+- Do NOT report event listener leaks (the listener-leak agent handles those)
+- Do NOT report blocking I/O or CPU loops (the cpu-hotspot agent handles those)
+- Do NOT report algorithmic inefficiencies (the code-pattern agent handles those)
+Do NOT report findings about test files (tests/*.ts) — only about src/ files.
+
+## Your workflow (follow this EXACTLY)
+
+1. In your FIRST turn, do ALL of these in ONE batch:
+   a. Run the workspace overview script:
+      execute_command: node skills/profile-analysis/helpers/analyze-workspace.js
+   b. Run the leak finder script:
+      execute_command: node skills/profile-analysis/helpers/find-leaks.js
+   c. Call read_file for EVERY src/ file listed in "FILES IN THIS WORKSPACE" above.
+   Do NOT use ls or glob. Batch everything into ONE turn.
+2. From the script outputs, identify potential leak patterns and allocation hotspots.
+3. For each source file you read, look for:
+   - Module-level or class-level Maps, Sets, Arrays used as stores
+   - Whether a corresponding removal mechanism exists
+   - Closures stored as values that capture outer-scope variables
+4. For each issue found, provide before/after code with proper cleanup.
+
+### CRITICAL: Report EVERY distinct issue, even in the same class
+
+A single class or module can have multiple closure/memory issues. Report
+each as a SEPARATE finding. For example, a CacheService class might have:
+1. A \`set()\` method with a closure that captures outer-scope data
+2. An unbounded access log in \`get()\` that grows without eviction
+3. A Map that stores entries without any TTL or maxSize
+These are THREE separate findings, not one.
+
+${PARALLEL_TOOL_CALLS}
+${VERIFICATION_RULES}
+${SEVERITY_RULES}
+${FINDING_CATEGORIES}
+${OUTPUT_FORMAT}
+${STRUCTURED_OUTPUT_FIELDS}
+${WRITE_FINDINGS_REQUIREMENT}`;
+// ../utils/src/profiling/prompts/code-pattern.ts
+var CODE_PATTERN_PROMPT = `You are a specialist in detecting algorithmic inefficiencies, unnecessary computation, and serialization overhead in JavaScript/TypeScript code.
+
+You have access to a workspace with V8 CPU profiling data from a Vitest test run.
+
+## Your focus areas
+
+### 1. Quadratic or Worse Algorithms (HIGHEST PRIORITY)
+
+Look for O(n²) or worse complexity patterns:
+
+**Pattern A — Nested iteration over same collection:**
+\`\`\`typescript
+// BAD: O(n²) — filter inside a loop
+for (const item of items) {
+  const dupes = items.filter(other => other.id === item.id);
+}
+\`\`\`
+
+**Pattern B — Pairwise comparison:**
+\`\`\`typescript
+// BAD: O(n²) or worse — nested loops over the same or related collections
+for (const a of items) {
+  for (const b of items) {
+    // comparison or accumulation logic
+  }
+}
+\`\`\`
+
+**Pattern C — O(n²) duplicate detection:**
+\`\`\`typescript
+// BAD: filter().length for each element = O(n²)
+items.forEach(item => {
+  if (items.filter(x => x === item).length > 1) { /* duplicate */ }
+});
+// FIX: Use a Set or Map for O(n)
+\`\`\`
+
+### 2. Unnecessary Serialization (SECONDARY)
+
+\`\`\`typescript
+// BAD: deep clone via JSON roundtrip on every call
+return JSON.parse(JSON.stringify(data));
+// FIX: structuredClone(data) or spread operator for shallow copies
+\`\`\`
+
+### 3. Regex Recompilation
+
+\`\`\`typescript
+// BAD: compiles regex on every call
+function validate(input) {
+  const pattern = new RegExp('^[a-z]+$');  // recompiled every call!
+  return pattern.test(input);
+}
+// FIX: const PATTERN = /^[a-z]+$/; at module level
+\`\`\`
+
+### 4. Expensive Sort Comparators
+
+\`\`\`typescript
+// BAD: creates objects inside sort comparator (called O(n log n) times)
+items.sort((a, b) => {
+  const dateA = new Date(a.createdAt);  // new object per comparison!
+  return dateA.getTime() - new Date(b.createdAt).getTime();
+});
+// FIX: pre-compute timestamps before sorting
+\`\`\`
+
+Also check for **functions called FROM sort comparators**. If \`items.sort((a, b) => computeWeight(a) - computeWeight(b))\` calls a function that does expensive work (Date parsing, string operations, object creation), that function runs O(n log n) times per sort — report it as a separate finding.
+
+### 5. Pairwise Correlation / Tag Comparison (O(n² × m²))
+
+Look for functions that compare every pair of items AND every pair of their sub-elements:
+\`\`\`typescript
+// BAD: O(n²×m²) — for each pair of tasks, compare all pairs of their tags
+for (const taskA of tasks) {
+  for (const taskB of tasks) {
+    for (const tagA of taskA.tags) {
+      for (const tagB of taskB.tags) { /* ... */ }
+    }
+  }
+}
+\`\`\`
+Functions named like \`computeCorrelations\`, \`computeTagCorrelations\`, \`findPairs\`, etc. are prime suspects. Also look for \`.sort()\` and \`.join()\` inside inner loops.
+
+## How to detect
+
+1. Read hot-functions/application.json to identify which functions are CPU-hot
+2. Read EVERY application source file — not just the hot ones
+3. Go through EVERY FUNCTION in every file and check for the patterns above
+4. Pay special attention to:
+   - Functions that operate on arrays or collections
+   - Any function containing nested loops or chained .filter/.map/.reduce calls
+   - Functions that call JSON.parse, JSON.stringify, or new RegExp inside a loop or on every invocation
+   - Sort comparators that create objects (new Date(), etc.) — the comparator runs O(n log n) times
+   - Functions called from sort comparators (they inherit O(n log n) invocations)
+   - Functions that do pairwise comparison of collection elements (O(n²) or O(n²×m²))
+   - Duplicate detection using .filter() instead of Set (O(n²) vs O(n))
+
+## Your scope — categories YOU own
+
+You are one of four parallel subagents. Use ONLY these categories:
+- **algorithm** — for O(n²) loops, brute-force, pairwise comparison, expensive sort comparators
+- **serialization** — for unnecessary JSON.parse/JSON.stringify roundtrips
+- **unnecessary-computation** — for regex recompilation with constant patterns
+
+Do NOT report findings with categories: blocking-io, allocation, gc-pressure,
+listener-leak, event-handling. Other subagents handle those. Specifically:
+- Do NOT report per-call object instantiation (new TextEncoder, etc.) — the cpu-hotspot agent handles those
+- Do NOT report event listener leaks — the listener-leak agent handles those
+- Do NOT report closure/memory leaks — the memory-closure agent handles those
+Do NOT report findings about test files (tests/*.ts) — only about src/ files.
+
+## Your workflow
+
+1. In your FIRST turn, do ALL of these in ONE batch:
+   a. Run the workspace overview script:
+      execute_command: node skills/profile-analysis/helpers/analyze-workspace.js
+   b. Call read_file for ALL of these in ONE batch:
+      - scripts/application.json
+      - EVERY src/ file listed in "FILES IN THIS WORKSPACE" above
+   Do NOT use ls or glob.
+2. From the script output, identify which functions are CPU-hot.
+3. For EVERY function in EVERY source file, check for the patterns above.
+4. Report each distinct pattern as a separate finding.
+
+${PARALLEL_TOOL_CALLS}
+${VERIFICATION_RULES}
+${SEVERITY_RULES}
+${FINDING_CATEGORIES}
+${OUTPUT_FORMAT}
+${STRUCTURED_OUTPUT_FIELDS}
+${WRITE_FINDINGS_REQUIREMENT}`;
 // ../utils/src/output/terminal.ts
 import pc2 from "picocolors";
 import ora from "ora";
@@ -2230,8 +2820,7 @@ function generateMarkdown(options) {
 `);
 }
 // src/analysis/agent.ts
-import { createDeepAgent } from "deepagents";
-import { toolStrategy } from "langchain";
+import { createDeepAgent as createDeepAgent2 } from "deepagents";
 
 // src/analysis/prompts/shared.ts
 var BROWSER_TOOL_CALL_STRATEGY = `## CRITICAL: Tool call strategy — scripts first, source selectively
@@ -2274,7 +2863,7 @@ When source code is minified/compiled:
 Only provide \`afterCode\` when the source is clearly human-authored (readable
 variable names, formatting, comments) — e.g. inline scripts in HTML or
 un-minified CSS.`;
-var SEVERITY_RULES = `## Severity classification
+var SEVERITY_RULES2 = `## Severity classification
 
 Assign severity based on measured impact — do NOT guess:
 
@@ -2429,14 +3018,14 @@ These are THREE separate findings, not one.
 
 ${BROWSER_TOOL_CALL_STRATEGY}
 ${VERIFICATION_RULES}
-${SEVERITY_RULES}
+${SEVERITY_RULES2}
 ${FINDING_CATEGORIES}
 ${OUTPUT_FORMAT}
 ${STRUCTURED_OUTPUT_FIELDS}
 ${MINIFIED_SOURCE_HANDLING}
 ${CROSS_REFERENCING}
 ${IMPACT_ESTIMATION}
-${FULL_RESPONSE_REQUIREMENT}`;
+${WRITE_FINDINGS_REQUIREMENT}`;
 // src/analysis/prompts/page-load.ts
 var PAGE_LOAD_PROMPT = `You are a specialist in analyzing page load performance, render-blocking resources, and network waterfall patterns.
 
@@ -2530,13 +3119,13 @@ Assets served without compression or with missing cache headers.
 
 ${BROWSER_TOOL_CALL_STRATEGY}
 ${VERIFICATION_RULES}
-${SEVERITY_RULES}
+${SEVERITY_RULES2}
 ${FINDING_CATEGORIES}
 ${OUTPUT_FORMAT}
 ${STRUCTURED_OUTPUT_FIELDS}
 ${MINIFIED_SOURCE_HANDLING}
 ${IMPACT_ESTIMATION}
-${FULL_RESPONSE_REQUIREMENT}`;
+${WRITE_FINDINGS_REQUIREMENT}`;
 // src/analysis/prompts/runtime-blocking.ts
 var RUNTIME_BLOCKING_PROMPT = `You are a specialist in analyzing Chrome runtime traces to find main-thread blocking operations, event listener leaks, and layout performance issues.
 
@@ -2704,16 +3293,16 @@ window.addEventListener('scroll', () => {
 
 ${BROWSER_TOOL_CALL_STRATEGY}
 ${VERIFICATION_RULES}
-${SEVERITY_RULES}
+${SEVERITY_RULES2}
 ${FINDING_CATEGORIES}
 ${OUTPUT_FORMAT}
 ${STRUCTURED_OUTPUT_FIELDS}
 ${MINIFIED_SOURCE_HANDLING}
 ${CROSS_REFERENCING}
 ${IMPACT_ESTIMATION}
-${FULL_RESPONSE_REQUIREMENT}`;
+${WRITE_FINDINGS_REQUIREMENT}`;
 // src/analysis/prompts/code-pattern.ts
-var CODE_PATTERN_PROMPT = `You are a specialist in detecting frontend performance anti-patterns in JavaScript, CSS, and HTML source code.
+var CODE_PATTERN_PROMPT2 = `You are a specialist in detecting frontend performance anti-patterns in JavaScript, CSS, and HTML source code.
 
 You have access to a workspace with actual source files captured from a real page load.
 
@@ -2865,13 +3454,13 @@ point to as potentially problematic. A typical page has 3-8 issues.
 
 ${BROWSER_TOOL_CALL_STRATEGY}
 ${VERIFICATION_RULES}
-${SEVERITY_RULES}
+${SEVERITY_RULES2}
 ${FINDING_CATEGORIES}
 ${OUTPUT_FORMAT}
 ${STRUCTURED_OUTPUT_FIELDS}
 ${MINIFIED_SOURCE_HANDLING}
 ${IMPACT_ESTIMATION}
-${FULL_RESPONSE_REQUIREMENT}`;
+${WRITE_FINDINGS_REQUIREMENT}`;
 
 // src/analysis/prompts.ts
 var BROWSER_ORCHESTRATOR_PROMPT = `You are a performance analysis orchestrator.
@@ -2883,22 +3472,15 @@ var BROWSER_ORCHESTRATOR_PROMPT = `You are a performance analysis orchestrator.
    For each, set subagent_type and description EXACTLY as written in the
    user message. Copy the FULL multi-line description verbatim, including
    every file path listed.
-3. After all 4 subagents return, consolidate ALL findings into your
-   structured response.
-
-## Consolidation rules — CRITICAL
-
-- Include EVERY finding from EVERY subagent in your structured response.
-- Do NOT filter, drop, or summarize findings. Each distinct finding from each
-  subagent must appear as a separate entry.
-- If a subagent reports 6 findings, your output must contain all 6.
-- Preserve the exact sourceFile, category, severity, beforeCode, and afterCode
-  from each subagent finding. Do NOT rewrite or abbreviate them.
-- If two subagents report findings for the same script but with DIFFERENT
-  categories (e.g., render-blocking vs frame-blocking-function), include BOTH
-  as separate findings.
-- Do NOT add your own findings — only include what subagents reported.
-- Do NOT call read_file, grep, ls, or glob. All analysis is done by subagents.`;
+3. After all 4 subagents return, respond with: "All subagents complete."
+
+## CRITICAL rules
+
+- Do NOT consolidate, re-read, or re-serialize findings. Subagents write
+  their findings to /findings/*.json files directly.
+- Do NOT add your own findings — all analysis is done by subagents.
+- Do NOT call read_file, grep, ls, or glob.
+- Your response should be SHORT — just confirm completion.`;
 
 // src/analysis/agent.ts
 function categoriseWorkspaceFiles(workspaceFiles) {
@@ -3030,7 +3612,7 @@ function buildSubagents(ctx) {
     {
       name: "code-pattern",
       description: "Detects frontend code anti-patterns: inline scripts, DOM manipulation in loops, missing event delegation, non-passive listeners.",
-      prompt: CODE_PATTERN_PROMPT
+      prompt: CODE_PATTERN_PROMPT2
     }
   ];
   return agentDefs.map(({ name, description, prompt }) => {
@@ -3045,13 +3627,12 @@ function buildSubagents(ctx) {
 }
 async function analyze(model, backend, spinner, context, { animateProgress = true } = {}) {
   const subagents = buildSubagents(context);
-  const agent = createDeepAgent({
+  const agent = createDeepAgent2({
     model,
     systemPrompt: BROWSER_ORCHESTRATOR_PROMPT,
     backend,
     subagents,
-    skills: ["skills/"],
-    responseFormat: toolStrategy(FindingsSchema)
+    skills: ["skills/"]
   });
   const userMessage = context ? buildBrowserUserMessage(context) : [
     "Analyze the frontend performance data in this workspace.",
@@ -3060,10 +3641,10 @@ async function analyze(model, backend, spinner, context, { animateProgress = tru
     "to understand the overall picture, then explore source files to verify root causes."
   ].join(`
 `);
-  const result = await invokeWithTodoStreaming(agent, userMessage, spinner, { animateProgress });
-  const findings = result.structuredResponse?.findings;
-  if (!Array.isArray(findings)) {
-    throw new Error(`Agent did not return structured findings: ${result.messages.at(-1)?.text}`);
+  await invokeWithTodoStreaming(agent, userMessage, spinner, { animateProgress });
+  const findings = await mergeFindings(backend);
+  if (findings.length === 0) {
+    throw new Error("Subagents did not write any findings to /findings/*.json");
   }
   const deduped = deduplicateFindings(findings);
   return rankFindings(deduped);
@@ -3982,7 +4563,11 @@ var argv = yargs(hideBin(process.argv)).scriptName("zeitzeuge").usage("Usage: $0
   alias: "o",
   type: "string",
   default: "zeitzeuge-report.md",
-  describe: "Output path for the Markdown report"
+  describe: "Output path for the report (use .json extension for JSON output)"
+}).option("format", {
+  type: "string",
+  choices: ["markdown", "json"],
+  describe: "Output format (auto-detected from --output extension if omitted)"
 }).help("help", "Show help").alias("h", "help").version(VERSION).strict().parseSync();
 function validateUrl(url) {
   try {
@@ -4074,24 +4659,52 @@ async function main() {
       agentSpinner.succeed(`Analysis complete — ${findings.length} findings`);
     } catch (err) {
       agentSpinner.fail(`Analysis failed: ${err instanceof Error ? err.message : "Unknown error"}`);
+      console.error(err);
       throw new Error(`LLM analysis failed. Check your API key and network connection.
 ` + (err instanceof Error ? `  Details: ${err.message}` : ""));
     } finally {
       workspace.cleanup();
     }
-    printFindings(findings);
-    printCaptureInfo(heapSummary, captureResult.trace);
     const outputPath = argv.output;
-    const reportPath = writeReport(resolve(outputPath), {
-      url,
-      version: VERSION,
-      findings,
-      heapSummary,
-      trace: captureResult.trace
-    });
-    console.log(`
+    const explicitFormat = argv.format;
+    const outputFormat = explicitFormat ?? (outputPath.endsWith(".json") ? "json" : "markdown");
+    if (outputFormat === "json") {
+      const jsonReport = {
+        url,
+        version: VERSION,
+        analyzedAt: new Date().toISOString(),
+        findings,
+        metrics: {
+          loadComplete: captureResult.trace.metrics.loadComplete,
+          firstContentfulPaint: captureResult.trace.metrics.firstContentfulPaint,
+          largestContentfulPaint: captureResult.trace.metrics.largestContentfulPaint,
+          totalBlockingTime: captureResult.trace.metrics.totalBlockingTime,
+          heapTotalSize: heapSummary.metadata.totalSize,
+          heapNodeCount: heapSummary.metadata.nodeCount,
+          detachedDomNodes: heapSummary.detachedNodes.count,
+          networkRequests: captureResult.trace.networkRequests.length,
+          totalTransferSize: captureResult.trace.networkRequests.reduce((s, r) => s + r.encodedSize, 0)
+        }
+      };
+      const { writeFileSync: writeFileSync2 } = await import("node:fs");
+      writeFileSync2(resolve(outputPath), JSON.stringify(jsonReport, null, 2), "utf-8");
+      console.log(`
+\uD83D\uDCC4 JSON report written to ${resolve(outputPath)}
+`);
+    } else {
+      printFindings(findings);
+      printCaptureInfo(heapSummary, captureResult.trace);
+      const reportPath = writeReport(resolve(outputPath), {
+        url,
+        version: VERSION,
+        findings,
+        heapSummary,
+        trace: captureResult.trace
+      });
+      console.log(`
 \uD83D\uDCC4 Report written to ${reportPath}
 `);
+    }
   } catch (err) {
     printError(err);
     process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zeitzeuge",
-  "version": "0.8.2",
+  "version": "0.9.0",
   "description": "A deepagent to witnessing slowdowns in your test runs.",
   "keywords": [
     "analysis",
@@ -38,15 +38,16 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@langchain/anthropic": "^1.3.18",
-    "@langchain/core": "^1.1.25",
+    "@langchain/anthropic": "^1.3.20",
+    "@langchain/core": "^1.1.27",
     "@langchain/node-vfs": "^0.1.2",
-    "@langchain/openai": "^1.2.8",
+    "@langchain/openai": "^1.2.9",
+    "chalk": "^5.6.2",
     "deepagents": "^1.8.0",
-    "langchain": "^1.2.23",
+    "langchain": "^1.2.26",
     "ora": "^9.3.0",
     "picocolors": "^1.1.1",
-    "puppeteer-core": "^24.37.2",
+    "puppeteer-core": "^24.37.5",
     "webdriverio": "^9.24.0",
     "yargs": "^18.0.0",
     "zod": "^4.3.6"
@@ -56,8 +57,8 @@
     "@types/yargs": "^17",
     "@zeitzeuge/utils": "workspace:*",
     "lint-staged": "^16.2.7",
-    "oxfmt": "^0.32.0",
-    "oxlint": "^1.47.0",
+    "oxfmt": "^0.35.0",
+    "oxlint": "^1.50.0",
     "simple-git-hooks": "^2.13.1",
     "typescript": "^5"
   },