Introduce small/medium/large model tiers so agents use the appropriate
model for their task complexity. Pre-recon uses Opus (large) for deep
source code analysis, most agents use Sonnet (medium), and report uses
Haiku (small) for summarization.
- Add src/ai/models.ts with ModelTier type and resolveModel()
- Add modelTier field to AgentDefinition
- Refactor claude-executor env var passthrough into loop
- Add Bedrock credential validation in preflight and CLI
- Pass through Bedrock and model env vars in docker-compose
- Add `pipeline` config section with `retry_preset` and `max_concurrent_pipelines` options
- Add `subscription` retry preset with extended 6h max interval for Anthropic rate limit windows
- Replace Promise.allSettled with concurrency-limited runner for vuln/exploit pipelines
- Wire pipeline config through client, shared types, and workflow activity proxy selection
ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN were not forwarded to the
SDK subprocess environment, causing router mode to fail with
"Authentication failed: Invalid API key" as the subprocess hit
Anthropic directly with the placeholder key.
Replaces validateApiKey and validateOAuthToken (direct fetch calls) with
a single SDK-based query using claude-haiku-4-5-20251001. Uses
SDKAssistantMessageError types for structured error classification and
returns human-readable error messages for each failure case.
- Remove empty section markers (// === ... ===, // --- ... ---) that duplicate JSDoc or function names
- Remove "what" comments that restate the next line of code (e.g. // Save to disk, // Check for retryable patterns)
- Remove file-level descriptions that restate the filename (e.g. // Pure functions for formatting console output)
- Fix "Added by client" comment referencing implementation history → "Used for audit correlation"
- Preserve all WHY comments: error classification groups, billing/session limit explanations, ESM interop, exactOptionalPropertyTypes, mutex reasoning
- Move error-handling, git-manager, prompt-manager, queue-validation, and reporting into src/services/
- Delete src/constants.ts — relocate AGENT_VALIDATORS and MCP_AGENT_MAPPING into session-manager.ts alongside agent definitions
- Delete src/utils/output-formatter.ts — absorb filterJsonToolCalls and getAgentPrefix into ai/output-formatters.ts
- Extract ActivityLogger interface into src/types/activity-logger.ts to break temporal/ → services circular dependency
- Consolidate VulnType, ExploitationDecision into types/agents.ts and SessionMetadata into types/audit.ts
- Remove dead timingResults/costResults globals from utils/metrics.ts and all consumers
