feat: implement 30 improvements across features, performance, testing, security, and architecture

FEATURES:
- Programmatic API (src/api.ts) with curated exports
- Config file support (.bootcamprc / bootcamp.config.ts) via cosmiconfig
- Separated CLI from core library (src/cli.ts + src/lib.ts)
- Dependency injection for LLM agent (LLMClient/LLMSession interfaces)
- npm exports field with ESM/CJS subpath exports

PERFORMANCE:
- Streaming LLM output to terminal
- Phase-level caching (deps/security/impact cached individually)
- Token budget awareness (model-aware prompt sizing)
- fast-glob for concurrent file tree walking

DX:
- Added format, format:check, typecheck, dev:web scripts
- Added lint-staged config for pre-commit hooks

TESTING:
- Snapshot tests for formatter output
- Coverage thresholds (lines: 80, branches: 70)
- Supertest migration for web route testing
- Error boundary hardening across async paths

CI/CD:
- Node 24 added to test matrix
- dependency-review-action for PR scanning
- SBOM generation
- Separated lint and typecheck CI steps

SECURITY:
- Input sanitization for repo URLs
- Granular per-endpoint rate limits (5/15min for analysis)

DOCUMENTATION:
- Architecture Decision Records (docs/adr/)
- Web dashboard screenshot in README
- npm provenance badge

ECOSYSTEM:
- GitHub issue templates (bug.yml, feature.yml)
- PR template
- Plugin system with staged pipeline (src/plugin-api.ts)
- Monorepo support (Lerna, Nx, Turborepo, pnpm workspaces)
- GitLab/Bitbucket URL parsing

Author: Ubuntu

.copex/memory.md

@@ -5,3 +5,53 @@
 - [2026-03-02T20:27:31+00:00] [preference] [cli] Always include a 'lead' role with phase 1
 - [2026-03-02T20:27:31+00:00] [decision] [cli] You understand the full architecture: CLI commands (commander), Copilot SDK agent with tool-calling, repository ingestion/analysis pipeline, web dashboard (Express), security analysis, dependency graphing, and the plugin/schema system.
 - [2026-03-02T20:27:31+00:00] [decision] [cli] Keep code modular and consistent with the existing architecture.",
+- [2026-03-02T20:46:04+00:00] [preference] [sdk] LINT: src/agent.ts — buildRepoHeader, buildCommandList, buildPromptFooter, buildJsonSchema are defined but never used.
+- [2026-03-02T20:46:04+00:00] [pattern] [sdk] Follow existing project pattern for causal error wrapping (`new Error(msg, { cause: error })`) seen in `src/diff.ts`, `src/ingest.ts`, `src/repo-resolver.ts`
+- [2026-03-02T20:46:04+00:00] [decision] [sdk] **Decision:** whether fast-mode should now include `Has Docker` if `buildRepoHeader` is reused directly (recommended: accept for dedup consistency unless strict prompt parity is required)
+- [2026-03-02T20:46:04+00:00] [pattern] [sdk] Error-handling convention prefers preserving original exceptions via `cause`
+- [2026-03-02T20:48:33+00:00] [preference] [sdk] Keep message text unchanged to avoid test expectation drift
+- [2026-03-02T20:48:33+00:00] [preference] [sdk] **Decision:** whether fast-mode should now include `Has Docker` if `buildRepoHeader` is reused directly (recommended: accept for dedup consistency unless strict prompt parity is required)
+- [2026-03-02T20:48:33+00:00] [preference] [sdk] Prefer minimal source edits + dependency additions over broader refactors to keep CI fix low-risk and surgical
+- [2026-03-02T20:48:56+00:00] [pattern] [sdk] Error-handling convention prefers preserving original exceptions via `new Error(message, { cause })`.
+- [2026-03-02T20:49:24+00:00] [pattern] [sdk] The project prefers causal error wrapping (`new Error(message, { cause })`) for rethrows in async flows.
+- [2026-03-02T21:45:20+00:00] [preference] [sdk] DEPENDENCY INJECTION FOR AGENT (5b) — Refactor src/agent.ts to inject the LLM client instead of directly importing CopilotClient.
+- [2026-03-02T21:45:39+00:00] [preference] [sdk] STREAMING LLM OUTPUT (2a) — Update src/agent.ts to stream agent responses to terminal instead of waiting for full completion.
+- [2026-03-02T21:45:39+00:00] [preference] [sdk] CACHE WARMING / PARTIAL CACHE (2c) — Refactor src/cache.ts to cache individual analysis phases (deps, security, impact) separately instead of the whole RepoFacts blob.
+- [2026-03-02T21:45:39+00:00] [pattern] [sdk] Add format and format:check scripts to package.json using prettier.
+- [2026-03-02T21:45:39+00:00] [decision] [sdk] Replace fixed `MAX_KEY_FILE_CHARS` usage with model-adjusted value; keep fast-mode schema block text intact (per squad decision).
+- [2026-03-02T21:45:39+00:00] [pattern] [sdk] `format`: `prettier --write .`
+- [2026-03-02T21:45:39+00:00] [pattern] [sdk] `format:check`: `prettier --check .`
+- [2026-03-02T21:45:40+00:00] [preference] [sdk] Analysis endpoints should be 5/15min, other API endpoints 100/15min.
+- [2026-03-02T21:45:40+00:00] [decision] [sdk] ARCHITECTURE DECISION RECORDS — Create docs/adr/ directory with ADRs for key decisions (why Copilot SDK, why Express, cache design, etc).
+- [2026-03-02T21:45:40+00:00] [decision] [sdk] PLUGIN SYSTEM (5a) — Generalize src/plugins.ts into a plugin architecture with a defined API (src/plugin-api.ts) that allows custom analyzers, formatters, and output targets.
+- [2026-03-02T21:45:40+00:00] [decision] [sdk] **Build:** Create `docs/adr/` with ADR template + initial records (Copilot SDK, Express web stack, cache strategy, plugin architecture); keep screenshot reference (already present in `README.md`), add npm provenance badge near npm badges.
+- [2026-03-02T21:45:40+00:00] [pattern] [sdk] **Build:** Add structured GitHub issue forms (`bug.yml`, `feature.yml`) and PR template with reproduction/use-case/testing/checklist sections aligned with `CONTRIBUTING.md`.
+- [2026-03-02T21:45:40+00:00] [decision] [sdk] Plugin architecture generalization (5a)
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] Implement ALL of these testing and CI/CD improvements:
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] SNAPSHOT TESTING FOR FORMATTER (4b) — Add snapshot tests in test/formatter.test.ts for markdown/HTML output from src/formatter.ts (347 lines).
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] WEB SERVER SUPERTEST (4c) — Ensure test/web.test.ts uses supertest for full HTTP-level testing of all routes including error paths, rate limiting, CSP headers.
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] ERROR HANDLING STRATEGY (5d) — Audit all async paths across source files.
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] ensure async request paths return controlled JSON errors instead of uncaught exceptions.
+- [2026-03-02T21:47:38+00:00] [pattern] [sdk] **Error convention:** existing code frequently wraps failures with `new Error(message, { cause })`; continue this pattern (do not swallow errors).
+- [2026-03-02T21:51:12+00:00] [preference] [sdk] This repo has many behavior/assertion tests (especially `test/agent.test.ts` + `test/index.test.ts`), so we should preserve externally visible behavior while refactoring structure.
+- [2026-03-02T21:51:12+00:00] [preference] [sdk] Keep API intentional/curated (avoid exporting internal command orchestration unless needed).
+- [2026-03-02T21:51:12+00:00] [preference] [sdk] `createSessionWithFallback` should depend on interface, not `CopilotClient` concrete type.
+- [2026-03-02T21:51:12+00:00] [preference] [sdk] `analyzeRepo` should accept optional injected client/deps, defaulting to `new CopilotClient()` when not provided.
+- [2026-03-02T21:51:12+00:00] [preference] [sdk] **Config precedence edge case:** if user explicitly passes CLI value equal to built-in default, we still must treat it as explicit CLI input; avoid hidden overrides.
+- [2026-03-02T21:58:13+00:00] [preference] [sdk] ensure async request paths return controlled JSON errors instead of uncaught exceptions.
+- [2026-03-02T21:58:13+00:00] [preference] [sdk] split lint and typecheck into clearly distinct checks/jobs (typecheck should be explicit, not hidden in build semantics).
+- [2026-03-02T22:00:26+00:00] [preference] [sdk] Error conventions: wrap with `cause` when rethrowing; avoid broad silent fallbacks.
+- [2026-03-02T22:01:42+00:00] [preference] [sdk] **Adopt real dual ESM/CJS packaging** (extra build complexity) to satisfy `exports` requirements correctly instead of fragile `require` fallbacks.
+- [2026-03-02T22:02:01+00:00] [preference] [sdk] **Prompt/test sensitivity:** `src/agent.ts` is heavily test-coupled; many tests assert prompt substrings and schema wording, so error-boundary edits must stay out of prompt composition blocks.
+- [2026-03-02T22:03:31+00:00] [pattern] [sdk] **Error handling pattern:** preserve wrapped errors with `cause` where context is added (`new Error(msg, { cause })`).
+- [2026-03-02T22:03:57+00:00] [preference] [sdk] Prompt-generation text is test-sensitive, so docs should describe behavior-level changes without renaming prompt section concepts.
+- [2026-03-02T22:09:56+00:00] [preference] [sdk] Prefer **surgical edits** to preserve current behavior and avoid prompt-test regressions.
+- [2026-03-02T22:09:56+00:00] [decision] [sdk] Treat coverage threshold rollout as the primary trade-off: strict immediate enforcement vs staged ratcheting.
+- [2026-03-02T22:09:56+00:00] [preference] [sdk] Prefer helper-based extensions in `agent.ts` over prompt refactors to minimize regression risk.
+- [2026-03-02T22:09:56+00:00] [preference] [sdk] Fast mode is intentionally stricter and schema-explicit, and should stay separate from shared schema helpers.
+- [2026-03-02T22:11:26+00:00] [preference] [sdk] `agent.ts` is highly test-sensitive and prompt/event behavior is heavily asserted, so DI changes must preserve flow and output shape.
+- [2026-03-02T22:11:26+00:00] [preference] [sdk] I hit unexpected concurrent workspace drift (many unrelated tracked files changed, including `src/plugins.ts`, `src/agent.ts`, `package.json`, and tests), so I paused to avoid overwriting someone else’s in-flight work.
+- [2026-03-02T22:13:27+00:00] [preference] [sdk] Prompt-related changes in `src/agent.ts` are highly test-sensitive, so error-boundary logic should stay isolated from prompt text blocks.
+- [2026-03-02T22:13:27+00:00] [preference] [sdk] Prompt and session behavior in `src/agent.ts` is highly test-coupled, so DI changes must preserve flow exactly.
+- [2026-03-02T22:14:31+00:00] [pattern] [sdk] Keep-a-Changelog format is actively used and best for release-facing QA/CI notes.
+- [2026-03-02T22:14:31+00:00] [pattern] [sdk] CI quality gates now include matrix testing, dependency scanning, SBOM artifacts, and explicit lint/typecheck separation.

.copex/repo_map.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generated_at": "2026-03-02T20:27:31.807939+00:00",
+  "generated_at": "2026-03-02T21:42:02.403806+00:00",
   "root": "/tmp/repo-bootcamp",
   "files": {
     "eslint.config.js": {
@@ -37,6 +37,10 @@
       "classes": [],
       "functions": [
         "analyzeRepo",
+        "buildCommandList",
+        "buildJsonSchema",
+        "buildPromptFooter",
+        "buildRepoHeader",
         "buildSystemPrompt",
         "createAnalysisPrompt",
         "createFastAnalysisPrompt",
@@ -51,8 +55,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596968027074,
-      "size": 30114
+      "mtime_ns": 1772484415139121944,
+      "size": 30536
     },
     "src/analysis.ts": {
       "path": "src/analysis.ts",
@@ -103,8 +107,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596969027101,
-      "size": 5104
+      "mtime_ns": 1772483815772669328,
+      "size": 5516
     },
     "src/commands/ask-command.ts": {
       "path": "src/commands/ask-command.ts",
@@ -486,8 +490,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596970027128,
-      "size": 17085
+      "mtime_ns": 1772483877437671177,
+      "size": 18020
     },
     "src/interactive.ts": {
       "path": "src/interactive.ts",
@@ -792,8 +796,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596971027156,
-      "size": 11696
+      "mtime_ns": 1772483573838510474,
+      "size": 12038
     },
     "src/types.ts": {
       "path": "src/types.ts",
@@ -806,8 +810,8 @@
       "functions": [],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596971027156,
-      "size": 5323
+      "mtime_ns": 1772483925320473206,
+      "size": 6607
     },
     "src/utils.ts": {
       "path": "src/utils.ts",
@@ -850,24 +854,22 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596971027156,
-      "size": 6108
+      "mtime_ns": 1772484418780182828,
+      "size": 6532
     },
     "src/web/routes.ts": {
       "path": "src/web/routes.ts",
       "language": "typescript",
       "parser": "regex",
       "imports": [
-        "../agent.js",
-        "../analysis.js",
-        "../cache.js",
-        "../deps.js",
         "../formatter.js",
-        "../impact.js",
         "../ingest.js",
-        "../plugins.js",
-        "../radar.js",
+        "../progress.js",
         "../security.js",
+        "../services/analysis-orchestration.js",
+        "../services/clone-service.js",
+        "../services/config-resolution.js",
+        "../services/output-writer.js",
         "../types.js",
         "events",
         "express",
@@ -876,17 +878,20 @@
       ],
       "classes": [],
       "functions": [
+        "buildWebOptions",
         "emit",
         "generateJobId",
         "onProgress",
-        "outputFormat",
+        "pruneExpiredJobs",
         "registerRoutes",
-        "runAnalysis"
+        "runAnalysis",
+        "startJobPruner",
+        "stopJobPruner"
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596972027183,
-      "size": 13391
+      "mtime_ns": 1772483853132261529,
+      "size": 11472
     },
     "src/web/server.ts": {
       "path": "src/web/server.ts",
@@ -896,7 +901,9 @@
         "./routes.js",
         "./templates.js",
         "chalk",
-        "express"
+        "express",
+        "express-rate-limit",
+        "helmet"
       ],
       "classes": [],
       "functions": [
@@ -905,8 +912,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596972027183,
-      "size": 1830
+      "mtime_ns": 1772483695730633771,
+      "size": 2529
     },
     "src/web/templates.ts": {
       "path": "src/web/templates.ts",
@@ -915,10 +922,11 @@
       "imports": [],
       "classes": [],
       "functions": [
+        "addGeneratedFile",
         "addProgressItem",
+        "addStatCard",
         "analyze",
         "closeModal",
-        "escapeHtml",
         "getFileKey",
         "getIndexHtml",
         "resetButton",
@@ -928,8 +936,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596972027183,
-      "size": 10225
+      "mtime_ns": 1772483562746320471,
+      "size": 10690
     },
     "test/agent.test.ts": {
       "path": "test/agent.test.ts",
@@ -1408,8 +1416,8 @@
       ],
       "methods": [],
       "calls": {},
-      "mtime_ns": 1772481596974027238,
-      "size": 26397
+      "mtime_ns": 1772483596250909913,
+      "size": 26452
     },
     "test/types.test.ts": {
       "path": "test/types.test.ts",

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,79 @@
+name: Bug report
+description: Report a reproducible bug or regression
+title: "[Bug]: "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug report. Please provide enough detail to reproduce the issue.
+
+  - type: input
+    id: summary
+    attributes:
+      label: Summary
+      description: Short description of the bug
+      placeholder: What is broken?
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: List exact steps, including command(s) and inputs
+      placeholder: |
+        1. Run ...
+        2. Use ...
+        3. Observe ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      placeholder: What should have happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      placeholder: What actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs and output
+      description: Paste relevant logs, stack traces, or screenshots
+      render: shell
+
+  - type: input
+    id: node-version
+    attributes:
+      label: Node.js version
+      placeholder: e.g. v20.18.0
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: e.g. Ubuntu 24.04 / macOS 15 / Windows 11
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-submission checks
+      options:
+        - label: I searched existing issues and did not find a duplicate
+          required: true
+        - label: I can reproduce this on the latest version
+          required: true

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,49 @@
+name: Feature request
+description: Propose a new capability or enhancement
+title: "[Feature]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Share the problem first, then the proposed solution.
+
+  - type: input
+    id: problem
+    attributes:
+      label: Problem statement
+      description: What user problem are you trying to solve?
+      placeholder: As a user, I need ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe behavior, UX, and API shape if applicable
+      placeholder: The tool should ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any workarounds or other designs evaluated
+
+  - type: textarea
+    id: scope
+    attributes:
+      label: Scope and impact
+      description: In/out of scope, trade-offs, compatibility notes
+
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-submission checks
+      options:
+        - label: I checked existing issues/discussions for similar requests
+          required: true
+        - label: This request aligns with Repo Bootcamp's onboarding/documentation goals
+          required: true