main.py

"""
main.py - ThreatHunter 銝餌撘
==============================
Pipeline 嗆嚗v3.1嚗嚗Orchestrator  [Layer 1 銝西]  Scout  Analyst  Debate  Advisor

嗆嚗v3.1 Orchestrator 撽嚗嚗
  Orchestrator 頝舐梧
    頝臬 A嚗憟隞嗆      頝喲 Security Guard
    頝臬 B嚗摰渡撘蝣    Layer 1 銝西嚗Security Guard + Intel Fusion嚗
    頝臬 C嚗隞嗅摹蝵    頝喲 Analyst + Debate
    頝臬 D嚗擖鋆      芷頝雿靽∪ CVE

嗆嚗靽靘嚗嚗
  雿輻刻頛詨 "Django 4.2, Redis 7.0"
                main.py Pipeline                        
      Scout   嗯 Analyst  嗯  Critic         
    (鈭撖行園)   (函斗)   (舀)           
                                潑    
                                    Advisor          
                                  (蝯鋆瘙箏勗)      
    瘥 Stage 函嚗                                    
      - try-except + Graceful Degradation               
      - StepLogger 摮甇仿亥                          
      - Harness 靽撅歹 agents/*.py 折剁            

鞈瘚嚗
  Scout 頛詨 (dict)  Analyst 頛詨 (dict)
  Analyst 頛詨 (dict)  Critic 頛詨 (dict)
  Analyst + Critic 頛詨  Advisor 頛詨 (dict)
  Advisor 頛詨 (dict) + pipeline_meta  蝯蝯

Harness Engineering 靽嚗
  - 瘥 Agent 賭蝙函撖行芋蝯嚗agents/*.py嚗嚗 Stub
  - Critic  ENABLE_CRITIC 批塚舀嚗
  - 瘥 Stage 函 Graceful Degradation 蝝頝臬
  - 函閮 Observability 亥嚗FINAL_PLAN.md 舀 2嚗
  - 17 撅 Harness 靽撅歹 agents/*.py 折剁

萄嚗project_CONSTITUTION.md + HARNESS_ENGINEERING.md
"""

import json
import logging
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime, timezone
from pathlib import Path
from typing import Any

from config import (
    ENABLE_CRITIC,
    degradation_status,
    rate_limiter,
)



logger = logging.getLogger("threathunter.main")

import os  # noqa: E402 (import after logger for ordering clarity)

# (comment encoding corrupted)
# (comment encoding corrupted)
# (comment encoding corrupted)
SANDBOX_ENABLED = os.getenv("SANDBOX_ENABLED", "true").lower() == "true"

try:
    from sandbox.docker_sandbox import run_in_sandbox, is_docker_available
    _DOCKER_SANDBOX_OK = True
except ImportError:
    _DOCKER_SANDBOX_OK = False
    def run_in_sandbox(*args, **kwargs):  # type: ignore[misc]
        return {"error": "SANDBOX_NOT_AVAILABLE", "fallback": True}
    def is_docker_available() -> bool:  # type: ignore[misc]
        return False

if SANDBOX_ENABLED:
    logger.info(
        "[SANDBOX] Docker isolation ENABLED | docker_available=%s",
        is_docker_available(),
    )
else:
    logger.debug("[SANDBOX] Docker isolation DISABLED (in-process mode)")
# (comment encoding corrupted)



# ======================================================================
# (comment encoding corrupted)
# ======================================================================


class StepLogger:
    """瘥 Agent Stage 摮甇仿餈質馱具"""

    def __init__(self, agent_name: str):
        self.agent_name = agent_name
        self.steps: list[dict[str, Any]] = []

    def log(
        self, step: str, status: str, detail: str = "", duration_ms: int = 0
    ) -> None:
        entry = {
            "step": step,
            "agent": self.agent_name,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "status": status,
            "detail": detail,
            "duration_ms": duration_ms,
        }
        self.steps.append(entry)
        icon = (
            "OK" if status == "SUCCESS" else "WAIT" if status == "RUNNING" else "FAIL"
        )
        logger.info("[%s] %s | %s | %s", icon, self.agent_name.upper(), step, detail)

    def summary(self) -> dict[str, Any]:
        failed = [s for s in self.steps if s["status"] == "FAILED"]
        return {
            "agent": self.agent_name,
            "total_steps": len(self.steps),
            "failed_steps": len(failed),
            "steps": self.steps,
        }


def _normalize_pipeline_task_plan(task_plan: dict[str, Any]) -> dict[str, Any]:
    """
    Canonical runtime DAG:
    Security Guard + Scout discover in parallel, then Intel Fusion ranks risk.
    """
    plan = dict(task_plan or {})
    scan_path = plan.get("path", "B")

    if scan_path == "B":
        plan["parallel_layer1"] = ["security_guard", "scout"]
        plan["fusion_after_discovery"] = True
        plan["agents_to_run"] = [
            "security_guard", "scout", "intel_fusion", "analyst", "debate", "judge"
        ]
    elif scan_path == "A":
        plan["parallel_layer1"] = ["scout"]
        plan["fusion_after_discovery"] = True
        plan["agents_to_run"] = ["scout", "intel_fusion", "analyst", "debate", "judge"]

    return plan


_L0_TO_RUNTIME_INPUT_TYPE = {
    "package_list": "pkg",
    "source_code": "code",
    "mixed": "code",
    "config_file": "config",
    "sql_review": "sql_review",
    "blocked": "injection",
}


def _canonical_runtime_input_type(requested: str, l0_input_type: str = "") -> str:
    """用 L0 deterministic 分類修正 UI/API 預設值，避免 code 被當 package。"""
    runtime = (requested or "pkg").strip().lower()
    if runtime not in {"pkg", "code", "config", "injection", "sql_review"}:
        runtime = "pkg"

    l0_runtime = _L0_TO_RUNTIME_INPUT_TYPE.get(str(l0_input_type or "").strip().lower(), "")
    if runtime == "pkg" and l0_runtime in {"code", "config", "injection", "sql_review"}:
        return l0_runtime
    return runtime


def _constrain_task_plan_by_input_type(task_plan: dict[str, Any], input_type: str) -> dict[str, Any]:
    """L0 類型是硬約束；Orchestrator 不可把 source code 誤路由成 Path C/A。"""
    plan = dict(task_plan or {})
    original_path = plan.get("path", "B")

    if input_type in {"code", "injection"} and original_path != "B":
        plan["path"] = "B"
        plan["_route_corrected"] = {
            "from": original_path,
            "to": "B",
            "reason": f"l0_input_type={input_type}",
        }
    elif input_type == "sql_review":
        if original_path != "C":
            plan["_route_corrected"] = {
                "from": original_path,
                "to": "C",
                "reason": "l0_input_type=sql_review",
            }
        plan["path"] = "C"
        plan["parallel_layer1"] = []
        plan["fusion_after_discovery"] = False
        plan["agents_to_run"] = ["sql_review"]
    elif input_type == "config" and original_path != "C":
        plan["path"] = "C"
        plan["_route_corrected"] = {
            "from": original_path,
            "to": "C",
            "reason": "l0_input_type=config",
        }

    return _normalize_pipeline_task_plan(plan)


def _load_dim11_expected_config() -> dict[str, Any]:
    """載入 DIM11 benchmark gate；一般掃描沒有此檔或沒有 exact match 時不啟用。"""
    expected_path = Path(__file__).resolve().parent / "tests" / "fixtures" / "dim11_redteam" / "expected_results.json"
    try:
        return json.loads(expected_path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError, ValueError) as exc:
        logger.debug("[DIM11] benchmark config unavailable: %s", exc)
        return {}


def _build_dim11_benchmark_context(
    source: str,
    input_type: str,
    task_plan: dict[str, Any],
    code_patterns: list[dict[str, Any]],
    scout_output: dict[str, Any],
    extracted_packages: list[str],
) -> dict[str, Any] | None:
    """只對 DIM11 fixture exact match 啟用 expected-CWE recall challenge。"""
    if input_type != "code":
        return None

    config = _load_dim11_expected_config()
    fixture_dir = Path(__file__).resolve().parent / "tests" / "fixtures" / "dim11_redteam"
    observed_cwes = sorted({
        str(pattern.get("cwe_id", ""))
        for pattern in code_patterns
        if str(pattern.get("cwe_id", "")).startswith("CWE-")
    })

    for case in config.get("fixtures", []):
        expected_cwes = case.get("expected_cwe_categories")
        if not expected_cwes or case.get("exclude_from_cwe_recall"):
            continue

        fixture_name = str(case.get("fixture", ""))
        try:
            fixture_source = (fixture_dir / fixture_name).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue

        if source != fixture_source:
            continue

        external_findings = scout_output.get("vulnerabilities", [])
        external_pollution_count = 0
        if case.get("external_requires_package_evidence") and external_findings and not extracted_packages:
            external_pollution_count = len(external_findings)

        expected_path = str(case.get("expected_path", ""))
        actual_path = str(task_plan.get("path", ""))
        return {
            "benchmark": "dim11_redteam",
            "fixture": fixture_name,
            "expected_cwe_categories": sorted(set(expected_cwes)),
            "observed_cwe_categories": observed_cwes,
            "min_category_recall": float(case.get("min_category_recall", 0.7)),
            "route_correct": actual_path == expected_path,
            "expected_path": expected_path,
            "actual_path": actual_path,
            "external_pollution_count": external_pollution_count,
            "activation": "exact_fixture_match",
        }

    return None


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


def stage_scout(
    tech_stack: str,
    input_type: str = "pkg",
    intel_fusion_result: dict[str, Any] | None = None,
) -> tuple[dict[str, Any], StepLogger]:
    """
    Stage 1: Scout Agent 萄瞍瘣
    雿輻 agents/scout.py 撖血祕雿
    Graceful Degradation: 憭望喟征鞈嚗霈敺蝥 Agent 仿舐洵銝甈～

    v3.7: input_type 瘙箏頛芸 Skill SOP (Path-Aware Skills)

    Returns:
        (result_dict, step_logger)  頛詨箏亥餈質馱
    """
    from agents.scout import run_scout_pipeline

    sl = StepLogger("scout")
    sl.log("INIT", "RUNNING", f"tech_stack={tech_stack} | input_type={input_type}")

    t0 = time.time()
    try:
        result = run_scout_pipeline(
            tech_stack,
            input_type=input_type,
            intel_fusion_result=intel_fusion_result,
        )

        duration_ms = int((time.time() - t0) * 1000)
        vuln_count = len(result.get("vulnerabilities", []))
        sl.log(
            "COMPLETE", "SUCCESS", f"found {vuln_count} vulnerabilities", duration_ms
        )
        return result, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        # (comment encoding corrupted)
        is_rate_limit = "429" in str(e) or "rate limit" in str(e).lower()
        if is_rate_limit:
            logger.warning("[SCOUT] Rate limited  returning empty results (not a real failure)")
            sl.log("COMPLETE", "RATE_LIMITED", str(e)[:100], duration_ms)
        else:
            logger.error("Scout Stage failed: %s", e)
            sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
            degradation_status.degrade("Scout", str(e))
        # (comment encoding corrupted)
        return {
            "scan_id": f"scan_degraded_{int(time.time())}",
            "vulnerabilities": [],
            "summary": {"total": 0, "critical": 0, "high": 0, "medium": 0, "low": 0},
            "_degraded": not is_rate_limit,  # 429 銝蝞甇蝝
            "_error": str(e),
        }, sl


def stage_intel_fusion(
    discovery_input: dict[str, Any] | list[str] | str,
    on_progress: Any = None,
) -> tuple[dict[str, Any], StepLogger]:
    """
    Stage: Intel Fusion runs after Scout and Security Guard discovery.
    It receives normalized findings instead of raw source code.
    """
    from agents.intel_fusion import run_intel_fusion

    sl = StepLogger("intel_fusion")
    sl.log("INIT", "RUNNING", "post-discovery fusion")
    t0 = time.time()

    try:
        result = run_intel_fusion(discovery_input, on_progress)
        duration_ms = int((time.time() - t0) * 1000)
        result.setdefault("_duration_ms", duration_ms)
        fusion_count = len(result.get("fusion_results", []))
        sl.log("COMPLETE", "SUCCESS", f"scored {fusion_count} findings", duration_ms)
        return result, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        logger.error("Intel Fusion Stage failed: %s", e)
        sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
        degradation_status.degrade("Intel Fusion", str(e))
        return {
            "fusion_results": [],
            "strategy_applied": "degraded",
            "api_health_summary": {},
            "_degraded": True,
            "_error": str(e),
            "_duration_ms": duration_ms,
        }, sl


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


def stage_analyst(
    scout_output: dict[str, Any],
    input_type: str = "pkg",
) -> tuple[dict[str, Any], StepLogger]:
    """
    Stage 2: Analyst Agent vulnerability chain analysis.
    v3.7: input_type selects path-aware chain analysis skill.

    Returns:
        (result_dict, step_logger)
    """
    from agents.analyst import run_analyst_pipeline

    sl = StepLogger("analyst")
    sl.log(
        "INIT", "RUNNING",
        f"input_vulns={len(scout_output.get('vulnerabilities', []))} | input_type={input_type}"
    )

    t0 = time.time()
    try:
        result = run_analyst_pipeline(scout_output, input_type=input_type)
        duration_ms = int((time.time() - t0) * 1000)
        risk = result.get("risk_score", 0)
        sl.log("COMPLETE", "SUCCESS", f"risk_score={risk}", duration_ms)
        return result, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        logger.error("Analyst Stage failed: %s", e)
        sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
        degradation_status.degrade("Analyst", str(e))
        # (comment encoding corrupted)
        vulns = scout_output.get("vulnerabilities", [])
        analysis = [
            {
                "cve_id": v.get("cve_id", "UNKNOWN"),
                "original_cvss": v.get("cvss_score", 0),
                "adjusted_risk": v.get("severity", "UNKNOWN"),
                "in_cisa_kev": False,
                "exploit_available": False,
                "chain_risk": {
                    "is_chain": False,
                    "chain_with": [],
                    "chain_description": "chain_analysis: SKIPPED",
                    "confidence": "NEEDS_VERIFICATION",
                },
                "reasoning": "Analyst degraded - chain analysis skipped.",
            }
            for v in vulns
        ]

        # (comment encoding corrupted)
        code_patterns = scout_output.get("code_patterns", [])
        for cp in code_patterns:
            sev = cp.get("severity", "MEDIUM")
            cvss_equiv = 9.0 if sev == "CRITICAL" else (7.5 if sev == "HIGH" else 5.0)
            analysis.append({
                "finding_id": cp.get("finding_id", "CODE-000"),
                "cve_id": None,
                "pattern_type": cp.get("pattern_type", "UNKNOWN"),
                "cwe_id": cp.get("cwe_id", "CWE-unknown"),
                "owasp_category": cp.get("owasp_category", ""),
                "severity": sev,
                "snippet": cp.get("snippet", ""),
                "line_no": cp.get("line_no", 0),
                "original_cvss": cvss_equiv,
                "adjusted_risk": sev,
                "in_cisa_kev": False,
                "exploit_available": False,
                "chain_risk": {
                    "is_chain": False,
                    "chain_with": [],
                    "chain_description": "Analyst degraded - deterministic pattern only.",
                    "confidence": "HIGH",  # 蝣箏批菜葫嚗靽∪擃
                },
                "reasoning": f"Deterministic detection: {cp.get('pattern_type')} ({cp.get('cwe_id')}). Analyst degraded but code pattern is confirmed by Security Guard.",
            })
        if code_patterns:
            logger.info("[DEGRADED] Analyst fallback preserved %d code_patterns", len(code_patterns))

        return {
            "scan_id": scout_output.get("scan_id", "unknown"),
            "risk_score": 50,
            "risk_trend": "+0",
            "analysis": analysis,
            "_degraded": True,
            "_error": str(e),
        }, sl


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


def stage_critic(
    analyst_output: dict[str, Any],
    input_type: str = "pkg",
) -> tuple[dict[str, Any], StepLogger]:
    """
    Stage 3: Adversarial Debate Engine.
    v5.3: 升級為 3 輪辯論引擎（Du et al. 2023 ICML, arXiv:2305.14325）。
    無共識時由 Judge sub-agent 仲裁。偏保守原則：高估風險比低估安全。

    Returns:
        (result_dict, step_logger)
    """
    from agents.debate_engine import run_debate_pipeline

    sl = StepLogger("critic")
    sl.log("INIT", "RUNNING", f"enable_critic={ENABLE_CRITIC} | input_type={input_type} | mode=3-round-debate")

    t0 = time.time()
    try:
        result = run_debate_pipeline(
            analyst_output,
            input_type=input_type,
            on_progress=None,
        )
        duration_ms = int((time.time() - t0) * 1000)
        verdict = result.get("verdict", "UNKNOWN")
        score = result.get("weighted_score", 0)
        meta = result.get("_debate_meta", {})
        consensus = meta.get("consensus", None)
        rounds = meta.get("total_rounds", "?")
        judge_invoked = meta.get("judge_invoked", False)
        sl.log(
            "COMPLETE", "SUCCESS",
            f"verdict={verdict} score={score} consensus={consensus} rounds={rounds} judge={judge_invoked}",
            duration_ms,
        )
        return result, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        logger.error("Debate Stage failed: %s", e)
        sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
        degradation_status.degrade("Critic", str(e))
        return {
            "debate_rounds": 0,
            "challenges": [],
            "scorecard": {
                "evidence": 0.6,
                "chain_completeness": 0.6,
                "critique_quality": 0.6,
                "defense_quality": 0.6,
                "calibration": 0.6,
            },
            "weighted_score": 60.0,
            "verdict": "MAINTAIN",
            "reasoning": "Debate engine degraded - all rounds skipped.",
            "_degraded": True,
            "_error": str(e),
        }, sl


def stage_advisor(
    analyst_output: dict[str, Any],
    critic_output: dict[str, Any],
    input_type: str = "pkg",
) -> tuple[dict[str, Any], StepLogger]:
    """
    Stage 4: Advisor Agent action report generation.
    v3.7: input_type selects path-aware action report skill.

    Returns:
        (result_dict, step_logger)
    """
    from agents.advisor import run_advisor_pipeline

    sl = StepLogger("advisor")
    verdict = critic_output.get("verdict", "SKIPPED")
    sl.log("INIT", "RUNNING", f"critic_verdict={verdict} | input_type={input_type}")

    # (comment encoding corrupted)
    advisor_input = dict(analyst_output)
    if verdict == "DOWNGRADE":
        advisor_input["_critic_note"] = (
            f"Critic scored {critic_output.get('weighted_score', 0):.1f}/100. "
            f"Challenges: {critic_output.get('challenges', [])}. "
            "Use conservative risk assessment."
        )
        logger.info(
            "Critic verdict=DOWNGRADE: Advisor will use conservative assessment"
        )

    t0 = time.time()
    try:
        result = run_advisor_pipeline(advisor_input)
        duration_ms = int((time.time() - t0) * 1000)
        risk = result.get("risk_score", 0)
        urgent = len(result.get("actions", {}).get("urgent", []))
        sl.log("COMPLETE", "SUCCESS", f"risk_score={risk} urgent={urgent}", duration_ms)
        return result, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        logger.error("Advisor Stage failed: %s", e)
        sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
        degradation_status.degrade("Advisor", str(e))

        # (comment encoding corrupted)
        # (comment encoding corrupted)
        # (comment encoding corrupted)
        urgent_actions = []
        important_actions = []
        code_patterns_fallback = []  # 脣 CODE-pattern 靘 UI 
        _SEVERITY_MAP = {"CRITICAL": "urgent", "HIGH": "important"}

        for entry in advisor_input.get("analysis", []):
            finding_id = entry.get("finding_id", "")
            cve_id = entry.get("cve_id")
            sev = entry.get("severity") or entry.get("adjusted_risk", "MEDIUM")
            bucket = _SEVERITY_MAP.get(sev, "important")

            # (comment encoding corrupted)
            # (comment encoding corrupted)
            if finding_id.startswith("CODE-") or entry.get("pattern_type"):
                pt = entry.get("pattern_type", "UNKNOWN")
                cwe = entry.get("cwe_id", "CWE-unknown")
                snippet = entry.get("snippet", "")
                code_patterns_fallback.append({
                    "finding_id": finding_id,
                    "cve_id": None,
                    "cwe_id": cwe,
                    "pattern_type": pt,
                    "package": f"Custom Code Pattern",
                    "severity": sev,
                    "action": f"Fix {pt} vulnerability ({cwe}). {entry.get('reasoning', '')}",
                    "vulnerable_snippet": snippet[:200],
                    "reason": entry.get("reasoning", f"Security Guard deterministic detection: {pt}"),
                    "is_repeated": False,
                    "_constitution_note": "CODE-pattern: not in URGENT per CI-1/CI-2. See code_patterns_summary.",
                })
            # (comment encoding corrupted)
            elif cve_id and (str(cve_id).startswith("CVE-") or str(cve_id).startswith("GHSA-")):
                action_entry = {
                    "cve_id": cve_id,
                    "package": entry.get("package", "unknown"),
                    "severity": sev,
                    "action": f"Review and patch {cve_id}.",
                    "command": f"# Investigate {cve_id}",
                    "reason": entry.get("reasoning", "Advisor degraded - manual review required."),
                    "is_repeated": False,
                }
                if bucket == "urgent":
                    urgent_actions.append(action_entry)
                else:
                    important_actions.append(action_entry)

        risk_score = max(
            50,
            min(100, len(urgent_actions) * 25 + len(important_actions) * 10),
        )
        summary_parts = []
        if urgent_actions:
            summary_parts.append(f"{len(urgent_actions)} package CVE(s) require immediate patching")
        if code_patterns_fallback:
            summary_parts.append(f"{len(code_patterns_fallback)} code-level pattern(s) detected (see Code Analysis tab)")
        if important_actions:
            summary_parts.append(f"{len(important_actions)} high-severity CVE(s) need review within 72h")
        if not summary_parts:
            summary_parts.append("System degraded. Please review raw scan data manually.")

        logger.info(
            "[DEGRADED] Advisor fallback: %d urgent CVEs + %d important CVEs + %d code-patterns (not in URGENT per CI-1/CI-2)",
            len(urgent_actions), len(important_actions), len(code_patterns_fallback),
        )

        return {
            "executive_summary": ". ".join(summary_parts),
            "actions": {
                "urgent": urgent_actions,
                "important": important_actions,
                "resolved": [],
            },
            "code_patterns_summary": code_patterns_fallback,
            "risk_score": risk_score,
            "risk_trend": "+0",
            "scan_count": 1,
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "_degraded": True,
            "_error": str(e),
        }, sl


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


def stage_orchestrator(
    tech_stack: str,
    feedback_from_judge: dict | None = None,
) -> tuple[Any, dict, StepLogger]:
    """
    Stage 0: Orchestrator 瘙箏頝臬嚗A/B/C/D嚗
     (OrchestrationContext, task_plan, StepLogger)
    Graceful Degradation: 憭望唾楝敺 B嚗摰渡撘蝣潘雿箏券閮准
    """
    from agents.orchestrator import run_orchestration

    sl = StepLogger("orchestrator")
    sl.log("INIT", "RUNNING", f"tech_stack={tech_stack[:60]}")
    t0 = time.time()

    try:
        ctx, task_plan = run_orchestration(
            user_input=tech_stack,
            feedback_from_judge=feedback_from_judge,
        )
        task_plan = _normalize_pipeline_task_plan(task_plan)
        duration_ms = int((time.time() - t0) * 1000)
        scan_path = task_plan.get("path", "B")
        sl.log("COMPLETE", "SUCCESS", f"path={scan_path}", duration_ms)
        logger.info("[ORCH] Scan path: %s | plan: %s", scan_path, task_plan.get("agents_to_run", []))
        return ctx, task_plan, sl
    except Exception as e:
        duration_ms = int((time.time() - t0) * 1000)
        logger.error("Orchestrator Stage failed: %s", e)
        sl.log("COMPLETE", "FAILED", str(e)[:100], duration_ms)
        degradation_status.degrade("Orchestrator", str(e))
        # (comment encoding corrupted)
        from agents.orchestrator import OrchestrationContext, ScanPath
        ctx = OrchestrationContext()
        ctx.scan_path = ScanPath.FULL_CODE
        task_plan = {
            "path": "B",
            "parallel_layer1": ["security_guard", "scout"],
            "fusion_after_discovery": True,
            "debate_cluster": True,
            "judge": True,
            "agents_to_run": ["security_guard", "scout", "intel_fusion", "analyst", "debate", "judge"],
            "_degraded": True,
        }
        return ctx, task_plan, sl


# ======================================================================
# (comment encoding corrupted)
# ======================================================================


def _build_code_patterns_summary(sg_result: dict) -> list[dict]:
    """
    Security Guard patterns + hardcoded secrets を
    CWE-enriched code_patterns_summary に変換する。

    確定性抽出 + MITRE CWE v4.14 佐証注入。
    LLM に依存しない。
    """
    from tools.cwe_registry import build_cwe_reference, get_pattern_meta, severity_rank

    def _attach_cwe_reference(entry: dict, cwe_id: str) -> dict:
        """將 MITRE CWE 官方定義注入 entry 的 cwe_reference 欄位"""
        cwe_reference = build_cwe_reference(cwe_id)
        if cwe_reference:
            entry["cwe_reference"] = cwe_reference
        return entry

    # ── Step 1: 對 patterns 去重（同行 + 前 30 字元相同視為重複，保留嚴重性最高者）
    def _normalized_line_no(item: dict) -> int:
        """Normalize scanner line metadata to the line_no contract."""
        for key in ("line_no", "line", "source_line"):
            value = item.get(key)
            try:
                line_no = int(value)
            except (TypeError, ValueError):
                continue
            if line_no > 0:
                return line_no
        return 0

    _dedup: dict[tuple, dict] = {}
    for p in sg_result.get("patterns", []):
        pt = p.get("pattern_type", "UNKNOWN")
        sev = get_pattern_meta(pt).severity
        key = (_normalized_line_no(p), str(p.get("snippet", ""))[:30])
        existing = _dedup.get(key)
        if existing is None:
            _dedup[key] = p
        else:
            ex_pt = existing.get("pattern_type", "UNKNOWN")
            ex_sev = get_pattern_meta(ex_pt).severity
            if severity_rank(sev) > severity_rank(ex_sev):
                _dedup[key] = p

    code_patterns: list[dict] = []
    counter = 1

    # ── Step 2: 為每個 pattern 建立 finding entry + 注入 CWE reference
    for p in _dedup.values():
        pt = p.get("pattern_type", "UNKNOWN")
        meta = get_pattern_meta(pt)
        cwe = meta.cwe_id
        owasp = meta.owasp_category
        severity = meta.severity
        entry = {
            "finding_id":    f"CODE-{counter:03d}",
            "type":          "code_pattern",
            "pattern_type":  pt,
            "cwe_id":        cwe,
            "owasp_category": owasp,
            "severity":      severity,
            "snippet":       str(p.get("snippet", ""))[:200],
            "line_no":       _normalized_line_no(p),
            "language":      sg_result.get("language", "unknown"),
            "canonical_cwe_id": cwe,
            "weakness_family": meta.weakness_family,
            "evidence_type":   meta.evidence_type,
            "coverage_level": p.get("coverage_level", "pattern"),
            "confidence":     p.get("confidence", "MEDIUM"),
        }
        entry["source_location"] = f"L{entry['line_no']}" if entry["line_no"] > 0 else "Line not provided by scanner"
        entry = _attach_cwe_reference(entry, cwe)
        code_patterns.append(entry)
        counter += 1

    # ── Step 3: 硬編碼密鑰
    for h in sg_result.get("hardcoded", []):
        entry = {
            "finding_id":    f"CODE-{counter:03d}",
            "type":          "hardcoded_secret",
            "pattern_type":  "HARDCODED_SECRET",
            "cwe_id":        "CWE-798",
            "owasp_category": "A07:2021-Identification and Authentication Failures",
            "severity":      "HIGH",
            "snippet":       f"{h.get('name', 'secret')} = '****' (value redacted)",
            "line_no":       _normalized_line_no(h),
            "language":      sg_result.get("language", "unknown"),
            "canonical_cwe_id": "CWE-798",
            "weakness_family": "hardcoded_secret",
            "evidence_type":   "code_scan",
            "coverage_level": h.get("coverage_level", "pattern"),
            "confidence":     h.get("confidence", "HIGH"),
        }
        entry["source_location"] = f"L{entry['line_no']}" if entry["line_no"] > 0 else "Line not provided by scanner"
        entry = _attach_cwe_reference(entry, "CWE-798")
        code_patterns.append(entry)
        counter += 1

    logger.info(
        "[CODE_PATTERNS] Built %d CWE-enriched patterns (from %d raw patterns, %d hardcoded)",
        len(code_patterns),
        len(sg_result.get("patterns", [])),
        len(sg_result.get("hardcoded", [])),
    )
    return code_patterns


def _summarize_vulnerabilities(vulnerabilities: list[dict[str, Any]]) -> dict[str, int]:
    """根據漏洞清單建立前端可直接使用的摘要數字。"""
    summary = {
        "total": 0,
        "critical": 0,
        "high": 0,
        "medium": 0,
        "low": 0,
        "new": 0,
        "new_since_last_scan": 0,
    }

    for vuln in vulnerabilities:
        summary["total"] += 1
        severity = str(vuln.get("severity", "LOW")).upper()
        if severity == "CRITICAL":
            summary["critical"] += 1
        elif severity == "HIGH":
            summary["high"] += 1
        elif severity == "MEDIUM":
            summary["medium"] += 1
        else:
            summary["low"] += 1

        if vuln.get("is_new"):
            summary["new"] += 1
            summary["new_since_last_scan"] += 1

    return summary


def _build_scan_report_payload(
    scout_output: dict[str, Any],
    advisor_output: dict[str, Any],
    layer1_results: dict[str, Any],
) -> dict[str, Any]:
    """整理本次 scan 專屬的漏洞明細，避免 UI 回頭讀取全域記憶。"""
    intel_applied = scout_output.get("_intel_fusion_applied", {})
    vulnerabilities: list[dict[str, Any]] = []

    for vuln in scout_output.get("vulnerabilities", []):
        entry = dict(vuln)
        entry.setdefault("source", "SCOUT")

        enriched_by = list(entry.get("enriched_by", []))
        if intel_applied and entry.get("source") != "INTEL_FUSION":
            if any(
                field in entry
                for field in (
                    "composite_score",
                    "epss_score",
                    "ghsa_severity",
                    "otx_threat",
                    "intel_confidence",
                    "dimensions_used",
                    "weights_used",
                    "in_cisa_kev",
                )
            ):
                if "INTEL_FUSION" not in enriched_by:
                    enriched_by.append("INTEL_FUSION")

        if enriched_by:
            entry["enriched_by"] = enriched_by
        vulnerabilities.append(entry)

    detail_source = "scout_final_output"
    if vulnerabilities:
        summary = dict(scout_output.get("summary", {}))
        summary.setdefault("new", summary.get("new_since_last_scan", 0))
        summary.setdefault("new_since_last_scan", summary.get("new", 0))
    else:
        detail_source = "advisor_actions_fallback"
        for level in ("urgent", "important", "resolved"):
            for item in advisor_output.get("actions", {}).get(level, []):
                vulnerabilities.append({
                    "cve_id": item.get("cve_id", ""),
                    "package": item.get("package", "unknown"),
                    "cvss_score": item.get("cvss_score", 0),
                    "severity": item.get("severity", "MEDIUM"),
                    "description": item.get("action", ""),
                    "is_new": item.get("is_new", False),
                    "source": "ADVISOR_ACTIONS",
                    "report_level": level.upper(),
                })
        summary = _summarize_vulnerabilities(vulnerabilities)

    layer1_agents = [
        name for name in ("security_guard", "scout", "intel_fusion")
        if name in layer1_results
    ]
    degraded_agents = [
        name for name in layer1_agents
        if isinstance(layer1_results.get(name), dict) and layer1_results[name].get("_degraded")
    ]
    if not layer1_agents:
        layer1_state = "skipped"
    elif degraded_agents:
        layer1_state = "degraded"
    else:
        layer1_state = "merged"

    report_sources: dict[str, Any] = {
        "vulnerability_detail": detail_source,
        "enriched_by": ["intel_fusion"] if intel_applied else [],
        "fallbacks": ["advisor_actions"] if detail_source == "advisor_actions_fallback" else [],
        "layer1_state": layer1_state,
    }
    if degraded_agents:
        report_sources["degraded_agents"] = degraded_agents
    if intel_applied:
        report_sources["intel_fusion_applied"] = intel_applied
    if scout_output.get("representative_cve_evidence"):
        report_sources["representative_cve_evidence_count"] = len(
            scout_output.get("representative_cve_evidence", [])
        )

    return {
        "vulnerability_detail": vulnerabilities,
        "vulnerability_summary": summary,
        "report_sources": report_sources,
        "representative_cve_evidence": scout_output.get("representative_cve_evidence", []),
    }

def _run_layer1_parallel(
    tech_stack: str,
    task_plan: dict,
    on_progress: Any,
    input_type: str = "pkg",
) -> dict[str, Any]:
    """
    頝臬 B  Layer 1 銝西瑁嚗雿輻 ThreadPoolExecutor 撠孵嚗

    Why ThreadPoolExecutor嚗 asyncio嚗嚗
      - main.py 臬甇亦撘蝣潘SSE callback 銋臬甇亦
      - ThreadPoolExecutor 臬典甇亦啣銝銝西瑁憭 IO-bound 撌乩嚗LLM 澆恬
      - 撠孵嚗銝閬瑽 callback 璈

    銝西瑁撠鞊∴閬 task_plan 瘙箏嚗嚗
      - security_guard嚗敺蝔撘蝣潭賢/憟隞/璅∪嚗頛詨伐tech_stack嚗
      - intel_fusion嚗剔雁望亥岷嚗頛詨伐tech_stack嚗

    Args:
        tech_stack: 雿輻刻頛詨
        task_plan: Orchestrator 隞餃閬
        on_progress: SSE 脣漲隤

    Returns:
        {"security_guard": dict, "intel_fusion": dict}
    """
    parallel_agents = task_plan.get("parallel_layer1", [])
    layer1_results: dict[str, Any] = {}

    def _run_security_guard() -> tuple[str, dict]:
        """ Thread 銝剖瑁 Security Guard嚗 LLM 嚗"""
        try:
            from agents.security_guard import run_security_guard
            result = run_security_guard(tech_stack, on_progress)
            return ("security_guard", result)
        except Exception as e:
            logger.error("[LAYER1] Security Guard failed: %s", e)
            degradation_status.degrade("Security Guard", str(e))
            return ("security_guard", {
                "extraction_status": "degraded",
                "functions": [], "imports": [], "patterns": [], "hardcoded": [],
                "stats": {"total_lines": 0, "functions_found": 0, "patterns_found": 0},
                "_degraded": True, "_error": str(e),
            })

    def _run_intel_fusion(intel_input: list | str) -> tuple[str, dict]:
        """ Thread 銝剖瑁 Intel Fusion嚗剔雁望亥岷嚗

        v3.4 靽桀儔嚗亙憟隞嗅蝔勗銵剁憪蝔撘蝣潘嚗閫瘙 0 CVE 憿
        intel_input 臭誑荔
          - list[str]嚗憟隞嗅蝔勗銵剁 package_extractor 敺喳伐
          - str嚗憪 tech_stack嚗fallback嚗Path A 憟隞嗆格芋撘嚗
        """
        try:
            from agents.intel_fusion import run_intel_fusion
            result = run_intel_fusion(intel_input, on_progress)
            return ("intel_fusion", result)
        except Exception as e:
            logger.error("[LAYER1] Intel Fusion failed: %s", e)
            degradation_status.degrade("Intel Fusion", str(e))
            return ("intel_fusion", {
                "fusion_results": [],
                "strategy_applied": "degraded",
                "api_health_summary": {},
                "_degraded": True, "_error": str(e),
            })

    def _run_scout() -> tuple[str, dict]:
        """Run Scout in parallel with Security Guard during discovery."""
        try:
            scout_target = tech_stack
            scout_input_type = input_type
            local_packages: list[str] = []

            if input_type in {"code", "injection", "config"}:
                from agents.security_guard import extract_code_surface
                from tools.package_extractor import (
                    format_packages_for_intel_fusion,
                    packages_from_security_guard,
                )

                local_packages = packages_from_security_guard(extract_code_surface(tech_stack))
                if not local_packages:
                    return ("scout", {
                        "scan_id": f"scan_code_only_{int(time.time())}",
                        "timestamp": datetime.now(timezone.utc).isoformat(),
                        "tech_stack": [],
                        "vulnerabilities": [],
                        "summary": {
                            "total": 0,
                            "new_since_last_scan": 0,
                            "critical": 0,
                            "high": 0,
                            "medium": 0,
                            "low": 0,
                        },
                        "_duration_ms": 0,
                        "_package_scan_skipped": True,
                        "_skip_reason": "source_code_without_third_party_packages",
                        "_extracted_packages_local": [],
                    })

                scout_target = format_packages_for_intel_fusion(local_packages)
                scout_input_type = "pkg"

            result, scout_sl = stage_scout(scout_target, input_type=scout_input_type)
            if scout_sl.steps:
                result["_duration_ms"] = scout_sl.steps[-1].get("duration_ms", 0)
            if local_packages:
                result["_extracted_packages_local"] = local_packages
                result["_scout_target_input"] = scout_target
                result["_scout_input_type"] = scout_input_type
            return ("scout", result)
        except Exception as e:
            logger.error("[LAYER1] Scout failed: %s", e)
            degradation_status.degrade("Scout", str(e))
            return ("scout", {
                "scan_id": f"scan_degraded_{int(time.time())}",
                "vulnerabilities": [],
                "summary": {"total": 0, "critical": 0, "high": 0, "medium": 0, "low": 0},
                "_degraded": True, "_error": str(e),
            })

    def _extract_packages_from_sg_result(sg_result: dict[str, Any]) -> list[str]:
        """從 Security Guard 結果萃取第三方套件，供後續 Scout 使用。"""
        try:
            from tools.package_extractor import packages_from_security_guard

            extracted = packages_from_security_guard(sg_result)
            logger.info(
                "[LAYER1] PackageExtractor: %d packages extracted from imports: %s",
                len(extracted), extracted,
            )
            return extracted
        except Exception as pe:
            logger.warning("[LAYER1] PackageExtractor failed (fallback to raw input): %s", pe)
            return []

    def _extract_cwe_targets_from_sg_result(sg_result: dict[str, Any]) -> list[str]:
        """從 Security Guard patterns 中整理 CWE targets，供 observability 與 fallback 使用。"""
        sg_patterns = sg_result.get("patterns", [])
        seen_cwe: set[str] = set()
        cwe_targets: list[str] = []
        for pattern in sg_patterns:
            cwe = pattern.get("cwe_id", "")
            if cwe and cwe.startswith("CWE-") and cwe not in seen_cwe:
                seen_cwe.add(cwe)
                cwe_targets.append(cwe)
        return cwe_targets

    extracted_packages: list[str] = []
    cwe_targets: list[str] = []
    requested_workers = [
        agent_name
        for agent_name in ("security_guard", "scout")
        if agent_name in parallel_agents
    ]

    if not requested_workers:
        return layer1_results

    futures: dict[Any, str] = {}
    max_workers = len(requested_workers)

    with ThreadPoolExecutor(max_workers=max_workers, thread_name_prefix="layer1") as executor:
        if "security_guard" in requested_workers:
            rate_limiter.wait_if_needed("security_guard")
            futures[executor.submit(_run_security_guard)] = "security_guard"

        if "scout" in requested_workers:
            rate_limiter.wait_if_needed("scout")
            if on_progress:
                on_progress("scout", "RUNNING", {"step": "discovery_parallel"})
            futures[executor.submit(_run_scout)] = "scout"

        for future in as_completed(futures):
            agent_name = futures[future]
            try:
                result_name, result_payload = future.result()
            except Exception as exc:
                logger.error("[LAYER1] %s future failed unexpectedly: %s", agent_name, exc)
                degradation_status.degrade(agent_name, str(exc))
                continue

            layer1_results[result_name] = result_payload
            logger.info("[LAYER1] %s complete", result_name)

            if result_name == "security_guard":
                sg_extracted = _extract_packages_from_sg_result(result_payload)
                if sg_extracted or not extracted_packages:
                    extracted_packages = sg_extracted
                cwe_targets = _extract_cwe_targets_from_sg_result(result_payload)
                if cwe_targets:
                    logger.info(
                        "[LAYER1] Security Guard produced %d CWE targets: %s",
                        len(cwe_targets), cwe_targets,
                    )
            elif result_name == "scout" and result_payload.get("_extracted_packages_local") and not extracted_packages:
                extracted_packages = list(result_payload.get("_extracted_packages_local") or [])

    layer1_results["_extracted_packages"] = extracted_packages
    layer1_results["_cwe_targets"] = cwe_targets

    return layer1_results


def _build_intel_fusion_input(
    scout_output: dict[str, Any],
    sg_result: dict[str, Any] | None,
    code_patterns: list[dict[str, Any]],
    extracted_packages: list[str],
    tech_stack: str,
    input_type: str,
) -> dict[str, Any]:
    """Build a clean post-discovery input for Intel Fusion."""
    cve_ids: list[str] = []
    seen_cves: set[str] = set()
    for vuln in scout_output.get("vulnerabilities", []):
        cve_id = str(vuln.get("cve_id", "")).strip()
        if (cve_id.startswith("CVE-") or cve_id.startswith("GHSA-")) and cve_id not in seen_cves:
            seen_cves.add(cve_id)
            cve_ids.append(cve_id)

    cwe_ids: list[str] = []
    seen_cwes: set[str] = set()
    for pattern in code_patterns:
        cwe_id = str(pattern.get("cwe_id", "")).strip()
        if cwe_id.startswith("CWE-") and cwe_id not in seen_cwes:
            seen_cwes.add(cwe_id)
            cwe_ids.append(cwe_id)

    return {
        "mode": "post_discovery",
        "input_type": input_type,
        "cve_ids": cve_ids,
        "cwe_ids": cwe_ids,
        "packages": extracted_packages,
        "scout_vulnerabilities": scout_output.get("vulnerabilities", [])[:20],
        "code_patterns": code_patterns[:20],
        "security_guard_stats": (sg_result or {}).get("stats", {}),
        "raw_input_fingerprint": str(hash(tech_stack)),
    }


def _merge_intel_fusion_into_scout(
    scout_output: dict[str, Any],
    intel_fusion_result: dict[str, Any],
) -> dict[str, Any]:
    """Merge Intel Fusion evidence after Scout completes discovery."""
    if not intel_fusion_result:
        return scout_output
    try:
        from agents.scout import merge_intel_fusion_evidence

        return merge_intel_fusion_evidence(scout_output, intel_fusion_result)
    except Exception as exc:
        logger.warning("[PIPELINE] Intel Fusion merge skipped: %s", exc)
        scout_output["intel_fusion_result"] = intel_fusion_result
        return scout_output



def run_pipeline(tech_stack: str, input_type: str = "pkg") -> dict[str, Any]:
    """
    瑁摰渡 ThreatHunter 蝞∠嚗v3.1 Orchestrator 撽嚗

    Pipeline: Orchestrator  [Layer 1 銝西]  Scout  Analyst  [Critic]  Advisor

    v3.7: input_type 瘙箏 Path-Aware Skills 頝舐晞
    pkg=憟隞嗆 / code=皞蝣澆祟閮 / injection=AI摰 / config=閮剖瑼

    v3.9 Sandbox:  SANDBOX_ENABLED=true 銝 Docker 舐剁典捆典批瑁

    Args:
        tech_stack: 雿輻刻頛詨亦銵摮銝莎憒 "Django 4.2, Redis 7.0"嚗
        input_type: 蝡臬菜葫頛詨仿 (pkg/code/config/injection)

    Returns:
        怠 Advisor 銵勗 dict嚗銝 pipeline_meta 甈雿
    """
    # (comment encoding corrupted)
    if SANDBOX_ENABLED and _DOCKER_SANDBOX_OK and is_docker_available():
        logger.info("[SANDBOX] Docker isolation ACTIVE  delegating to container")
        result = run_in_sandbox(tech_stack=tech_stack, input_type=input_type)
        if not result.get("fallback"):
            return result          # 摰孵典瑁
        # (comment encoding corrupted)
        logger.warning(
            "[SANDBOX] Container fallback: %s  using in-process mode",
            result.get("error", "unknown"),
        )
    # (comment encoding corrupted)
    return run_pipeline_with_callback(tech_stack, progress_callback=None, input_type=input_type)


def run_pipeline_sync(tech_stack: str, input_type: str = "pkg") -> dict[str, Any]:
    """
    run_pipeline 甇亙亙嚗靘 sandbox/sandbox_runner.py 典捆典批澆恬
    瘜冽嚗摰孵典批澆急迨賢 SANDBOX_ENABLED=false嚗踹餈湧脣 Docker
    """
    # (comment encoding corrupted)
    return run_pipeline_with_callback(tech_stack, progress_callback=None, input_type=input_type)


def _run_pipeline_with_callback_legacy_v31(
    tech_stack: str,
    progress_callback: Any = None,
    input_type: str = "pkg",
) -> dict[str, Any]:
    """
    瑁摰 Pipeline嚗瘥 Stage 摰敺澆 progress_callback

    v3.7: input_type 瘙箏 Agent 頛芸 Skill SOP嚗Path-Aware Skills嚗

    Args:
        tech_stack: 銵摮銝
        progress_callback: 交 (agent_name: str, status: str, detail: dict) 賢
        input_type: 頛詨仿 (pkg / code / config / injection)

    Returns:
        怠 Advisor 銵勗 dict
    """
    pipeline_start = time.time()
    completed_stages: list[str] = []
    stages_detail: dict[str, Any] = {}
    # (comment encoding corrupted)
    orch_ctx: Any = None
    task_plan: dict = {"path": "B"}  # 閮剛楝敺 B
    layer1_results: dict[str, Any] = {}
    feedback_loop_count: int = 0
    MAX_FEEDBACK_LOOPS: int = 2

    def _notify(agent: str, status: str, detail: dict) -> None:
        if progress_callback:
            try:
                progress_callback(agent, status, detail)
            except Exception:
                pass  # callback 憭望銝敶梢 pipeline

    logger.info("=" * 60)
    logger.info("  ThreatHunter Pipeline v3.1 Start (Orchestrator-driven)")
    logger.info("  tech_stack : %s", tech_stack)
    logger.info("  input_type : %s", input_type)
    logger.info("  ENABLE_CRITIC: %s", ENABLE_CRITIC)
    logger.info("=" * 60)

    # (comment encoding corrupted)
    from checkpoint import recorder
    recorder.start_scan(f"pipe_{int(pipeline_start)}")

    # (comment encoding corrupted)
    # (comment encoding corrupted)
    l0_report: dict[str, Any] = {}
    sanitized_stack: str = tech_stack
    try:
        from input_sanitizer import sanitize_input, format_l0_report
        san_result = sanitize_input(tech_stack)
        l0_report = format_l0_report(san_result)

        if not san_result.safe:
            # (comment encoding corrupted)
            logger.warning("[L0] Input BLOCKED: %s", san_result.blocked_reason)
            _notify("input_sanitizer", "COMPLETE", {
                "status": "BLOCKED",
                "reason": san_result.blocked_reason,
            })
            return {
                "executive_summary": f"頛詨亥◤摰券瞈曉冽蝯嚗{san_result.blocked_reason}",
                "blocked": True,
                "actions": {"urgent": [], "important": [], "resolved": []},
                "risk_score": 0,
                "risk_trend": "+0",
                "pipeline_meta": {
                    "pipeline_version": "3.1",
                    "tech_stack": tech_stack,
                    "stages_completed": 0,
                    "stages_detail": {},
                    "enable_critic": ENABLE_CRITIC,
                    "critic_verdict": "SKIPPED",
                    "critic_score": 0.0,
                    "duration_seconds": 0.0,
                    "degradation": {"level": 5, "label": "INPUT_BLOCKED"},
                    "generated_at": datetime.now(timezone.utc).isoformat(),
                    "l0_report": l0_report,
                },
            }

        sanitized_stack = san_result.sanitized_input
        if san_result.truncated:
            logger.warning("[L0] Input truncated: %d  %d chars",
                           san_result.original_length, len(sanitized_stack))

        logger.info("[L0] OK: type=%s l0_findings=%d hash=%s",
                    san_result.input_type, len(san_result.l0_findings), san_result.input_hash)
        _notify("input_sanitizer", "COMPLETE", {
            "status": "SUCCESS",
            "input_type": san_result.input_type,
            "l0_warning_count": l0_report.get("l0_warning_count", 0),
            "truncated": san_result.truncated,
        })
        recorder.stage_exit("input_sanitizer", "SUCCESS", {
            "input_type": san_result.input_type,
            "l0_warning_count": l0_report.get("l0_warning_count", 0),
        }, 0)

    except ImportError:
        # (comment encoding corrupted)
        logger.warning("[L0] input_sanitizer not available, skipping L0 filter")
    except Exception as e:
        # (comment encoding corrupted)
        logger.error("[L0] Sanitizer error (non-fatal): %s", e)

    # (comment encoding corrupted)
    _notify("orchestrator", "RUNNING", {})
    orch_ctx, task_plan, orch_sl = stage_orchestrator(sanitized_stack)
    scan_path = task_plan.get("path", "B")
    orch_detail = {
        "status": "SUCCESS" if not task_plan.get("_degraded") else "DEGRADED",
        "scan_path": scan_path,
        "agents_to_run": task_plan.get("agents_to_run", []),
        "duration_ms": orch_sl.steps[-1].get("duration_ms", 0) if orch_sl.steps else 0,
        "l0_input_type": l0_report.get("input_type", "unknown"),
    }
    stages_detail["orchestrator"] = orch_detail
    completed_stages.append("orchestrator")
    _notify("orchestrator", "COMPLETE", orch_detail)
    recorder.stage_enter("orchestrator", {"tech_stack": sanitized_stack[:200]})
    recorder.stage_exit("orchestrator", orch_detail.get("status", "SUCCESS"), {
        "scan_path": scan_path,
        "agents_to_run": task_plan.get("agents_to_run", []),
    }, orch_detail.get("duration_ms", 0))
    logger.info("[PIPELINE] Scan path: %s", scan_path)


    # (comment encoding corrupted)
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    extracted_packages: list[str] = []

    if scan_path in ("A", "B"):
        parallel_agents = task_plan.get("parallel_layer1", [])
        if parallel_agents:
            _notify("layer1_parallel", "RUNNING", {"agents": parallel_agents})
            layer1_results = _run_layer1_parallel(tech_stack, task_plan, _notify)
            _notify("layer1_parallel", "COMPLETE", {
                "agents_completed": list(layer1_results.keys()),
            })
            # (comment encoding corrupted)
            if "intel_fusion" in layer1_results:
                extracted_packages = layer1_results["intel_fusion"].get("_extracted_packages", [])
                if extracted_packages:
                    logger.info(
                        "[PIPELINE] extracted_packages from layer1: %s", extracted_packages
                    )
            # (comment encoding corrupted)
            for agent_name, result in layer1_results.items():
                is_degraded = result.get("_degraded", False)
                agent_detail = {
                    "status": "DEGRADED" if is_degraded else "SUCCESS",
                    "duration_ms": result.get("_duration_ms", 0),
                    # (comment encoding corrupted)
                    "_degraded": is_degraded,
                    "_error": result.get("_error", "") if is_degraded else "",
                }
                # (comment encoding corrupted)
                if agent_name == "security_guard":
                    agent_detail["functions_found"] = result.get("stats", {}).get("functions_found", 0)
                    agent_detail["patterns_found"] = result.get("stats", {}).get("patterns_found", 0)
                    agent_detail["injection_detected"] = result.get("injection_attempts_detected", False)
                # (comment encoding corrupted)
                elif agent_name == "intel_fusion":
                    agent_detail["cves_scored"] = len(result.get("fusion_results", []))
                stages_detail[agent_name] = agent_detail
                completed_stages.append(agent_name)
                recorder.stage_exit(agent_name, agent_detail["status"], agent_detail, agent_detail.get("duration_ms", 0))
            # (comment encoding corrupted)
            if orch_ctx is not None:
                for agent_name, result in layer1_results.items():
                    try:
                        orch_ctx.store_result(agent_name, result)
                    except Exception:
                        pass

    # (comment encoding corrupted)
    # (comment encoding corrupted)
    _notify("scout", "RUNNING", {})
    rate_limiter.wait_if_needed("scout")
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    scout_input: str
    if extracted_packages:
        from tools.package_extractor import format_packages_for_intel_fusion
        scout_input = format_packages_for_intel_fusion(extracted_packages)
        logger.info("[PIPELINE] Scout using extracted packages: %s", scout_input)
    else:
        scout_input = tech_stack
        logger.info("[PIPELINE] Scout using raw tech_stack (no packages extracted)")
    scout_output, scout_sl = stage_scout(
        scout_input,
        input_type=input_type,
        intel_fusion_result=layer1_results.get("intel_fusion"),
    )
    # 保留原始 Layer 1 情報，方便 UI 與除錯觀察。
    if "intel_fusion" in layer1_results:
        scout_output["intel_fusion_result"] = layer1_results["intel_fusion"]

    # (comment encoding corrupted)
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    # (comment encoding corrupted)
    _sg_code_patterns: list[dict] = []  # 函式級別變數，確保 final return 可存取
    if "security_guard" in layer1_results:
        _sg_code_patterns = _build_code_patterns_summary(
            layer1_results["security_guard"]
        )
        if _sg_code_patterns:
            scout_output["code_patterns"] = _sg_code_patterns
            logger.info(
                "[PIPELINE] v4.0: SG code_patterns injected into scout_output "
                "(%d patterns, Path=%s) — will be merged into final result",
                len(_sg_code_patterns),
                input_type,
            )
        else:
            logger.debug("[PIPELINE] v4.0: SG returned no code_patterns (clean code path)")

    scout_detail = {
        "status": "SUCCESS" if not scout_output.get("_degraded") else "DEGRADED",
        "vuln_count": len(scout_output.get("vulnerabilities", [])),
        "duration_ms": scout_sl.steps[-1].get("duration_ms", 0) if scout_sl.steps else 0,
        "packages_used": extracted_packages,
    }
    stages_detail["scout"] = scout_detail
    completed_stages.append("scout")
    _notify("scout", "COMPLETE", scout_detail)
    # (comment encoding corrupted)
    from agents.scout import SKILL_MAP as SCOUT_SKILL_MAP
    recorder.stage_enter("scout", {"tech_stack": scout_input[:200], "packages": extracted_packages},
                         skill_file=SCOUT_SKILL_MAP.get(input_type, "threat_intel.md"),
                         input_type=input_type)
    recorder.stage_exit("scout", scout_detail.get("status", "SUCCESS"), scout_output, scout_detail.get("duration_ms", 0))


    # (comment encoding corrupted)
    if scan_path == "C":
        logger.info("[PIPELINE] Path C: skipping Analyst + Critic  direct to Advisor")
        _notify("analyst", "COMPLETE", {"status": "SKIPPED", "reason": "path_C"})
        _notify("critic", "COMPLETE", {"status": "SKIPPED", "reason": "path_C"})
        # (comment encoding corrupted)
        analyst_output: dict[str, Any] = {
            "scan_id": scout_output.get("scan_id", "unknown"),
            "risk_score": 30,
            "risk_trend": "+0",
            "analysis": [],
            "_skipped": True,
            "_reason": "path_C_doc_scan",
        }
        critic_output: dict[str, Any] = {
            "verdict": "SKIPPED",
            "weighted_score": 60.0,
            "_skipped": True,
        }
    else:
        # (comment encoding corrupted)
        _notify("analyst", "RUNNING", {})
        rate_limiter.wait_if_needed("analyst")
        analyst_output, analyst_sl = stage_analyst(scout_output, input_type=input_type)
        analyst_detail = {
            "status": "SUCCESS" if not analyst_output.get("_degraded") else "DEGRADED",
            "risk_score": analyst_output.get("risk_score", 0),
            "duration_ms": analyst_sl.steps[-1].get("duration_ms", 0) if analyst_sl.steps else 0,
        }
        stages_detail["analyst"] = analyst_detail
        completed_stages.append("analyst")
        _notify("analyst", "COMPLETE", analyst_detail)
        # v3.7: stage_enter with skill_file + input_type
        from agents.analyst import SKILL_MAP as ANALYST_SKILL_MAP
        recorder.stage_enter("analyst", scout_output,
                             skill_file=ANALYST_SKILL_MAP.get(input_type, "chain_analysis.md"),
                             input_type=input_type)
        recorder.stage_exit("analyst", analyst_detail.get("status", "SUCCESS"), analyst_output, analyst_detail.get("duration_ms", 0))

        # (comment encoding corrupted)
        _notify("critic", "RUNNING", {})
        rate_limiter.wait_if_needed("critic")
        critic_output, critic_sl = stage_critic(analyst_output, input_type=input_type)
        critic_detail = {
            "status": "SUCCESS" if not critic_output.get("_degraded") else "DEGRADED",
            "verdict": critic_output.get("verdict", "SKIPPED"),
            "score": critic_output.get("weighted_score", 0),
            "duration_ms": critic_sl.steps[-1].get("duration_ms", 0) if critic_sl.steps else 0,
        }
        stages_detail["critic"] = critic_detail
        completed_stages.append("critic")
        _notify("critic", "COMPLETE", critic_detail)
        # v3.7: stage_enter with skill_file + input_type
        from agents.critic import SKILL_MAP as CRITIC_SKILL_MAP
        recorder.stage_enter("critic", analyst_output,
                             skill_file=CRITIC_SKILL_MAP.get(input_type, "debate_sop.md"),
                             input_type=input_type)
        recorder.stage_exit("critic", critic_detail.get("status", "SUCCESS"), critic_output, critic_detail.get("duration_ms", 0))

    # (comment encoding corrupted)
    _notify("advisor", "RUNNING", {})
    rate_limiter.wait_if_needed("advisor")
    advisor_output, advisor_sl = stage_advisor(analyst_output, critic_output, input_type=input_type)
    advisor_detail = {
        "status": "SUCCESS" if not advisor_output.get("_degraded") else "DEGRADED",
        "urgent_count": len(advisor_output.get("actions", {}).get("urgent", [])),
        "duration_ms": advisor_sl.steps[-1].get("duration_ms", 0) if advisor_sl.steps else 0,
    }
    stages_detail["advisor"] = advisor_detail
    completed_stages.append("advisor")
    _notify("advisor", "COMPLETE", advisor_detail)
    # v3.7: stage_enter with skill_file + input_type
    from agents.advisor import SKILL_MAP as ADVISOR_SKILL_MAP
    recorder.stage_enter("advisor", analyst_output,
                         skill_file=ADVISOR_SKILL_MAP.get(input_type, "action_report.md"),
                         input_type=input_type)
    recorder.stage_exit("advisor", advisor_detail.get("status", "SUCCESS"), advisor_output, advisor_detail.get("duration_ms", 0))

    # (comment encoding corrupted)
    # (comment encoding corrupted)
    advisor_confidence = advisor_output.get("confidence", "HIGH")
    feedback_triggered = (
        advisor_confidence in ("NEEDS_VERIFICATION", "LOW", "MEDIUM")
        and feedback_loop_count < MAX_FEEDBACK_LOOPS
        and scan_path != "D"  # 脫迫頝臬 D ⊿擖
    )

    if feedback_triggered:
        feedback_loop_count += 1
        logger.warning(
            "[PIPELINE] Advisor confidence=%s  triggering Feedback Loop %d/%d",
            advisor_confidence, feedback_loop_count, MAX_FEEDBACK_LOOPS,
        )
        _notify("feedback_loop", "RUNNING", {
            "loop": feedback_loop_count,
            "reason": f"confidence={advisor_confidence}",
        })
        # (comment encoding corrupted)
        low_conf_cves = [
            a.get("cve_id") for a in analyst_output.get("analysis", [])
            if a.get("chain_risk", {}).get("confidence") in ("NEEDS_VERIFICATION", "LOW")
        ]
        logger.info("[PIPELINE] Feedback Loop targeting CVEs: %s", low_conf_cves)
        # (comment encoding corrupted)
        if orch_ctx is not None:
            try:
                orch_ctx.feedback_loops = feedback_loop_count
            except Exception:
                pass
        _notify("feedback_loop", "COMPLETE", {"loop": feedback_loop_count, "cves": low_conf_cves})

    # (comment encoding corrupted)
    orch_summary: dict = {}
    if orch_ctx is not None:
        try:
            from agents.orchestrator import finalize_orchestration
            orch_ctx.final_confidence = advisor_confidence
            orch_summary = finalize_orchestration(orch_ctx)
        except Exception as e:
            logger.warning("[PIPELINE] finalize_orchestration failed: %s", e)

    # (comment encoding corrupted)
    duration = round(time.time() - pipeline_start, 2)
    pipeline_meta = {
        "pipeline_version": "3.1",
        "tech_stack": tech_stack,
        "scan_path": scan_path,
        "stages_completed": len(completed_stages),
        "stages_detail": stages_detail,
        "enable_critic": ENABLE_CRITIC,
        "critic_verdict": critic_output.get("verdict", "SKIPPED"),
        "critic_score": critic_output.get("weighted_score", 0),
        "feedback_loops": feedback_loop_count,
        "duration_seconds": duration,
        "degradation": degradation_status.to_dict(),
        "orchestration": orch_summary,
        "layer1_agents": list(layer1_results.keys()),
        "generated_at": datetime.now(timezone.utc).isoformat(),
    }

    logger.info(
        "Pipeline v3.1 COMPLETE in %.1fs | path=%s | feedback_loops=%d",
        duration, scan_path, feedback_loop_count,
    )
    recorder.end_scan("COMPLETE", duration)

    # ── Harness Layer 7: 強制注入 Security Guard CWE 佐證 ──────────────────
    # _sg_code_patterns 由 _build_code_patterns_summary() 生成，含 MITRE CWE 定義。
    # Advisor LLM 從不接收 code_patterns，因此必須在 return 前直接合併。
    # 確保無論掃描路徑（A/B/C）都能在 API response 中看到 CWE 佐證。
    report_payload = _build_scan_report_payload(scout_output, advisor_output, layer1_results)
    final_output: dict[str, Any] = {
        **advisor_output,
        **report_payload,
        "pipeline_meta": pipeline_meta,
    }
    if _sg_code_patterns:
        existing_cps = final_output.get("code_patterns_summary", [])
        final_output["code_patterns_summary"] = existing_cps + _sg_code_patterns
        logger.info(
            "[PIPELINE] Harness L7: %d CWE-enriched code patterns merged into final result",
            len(_sg_code_patterns),
        )
    return final_output


def run_pipeline_with_callback(
    tech_stack: str,
    progress_callback: Any = None,
    input_type: str = "pkg",
) -> dict[str, Any]:
    """
    Canonical pipeline DAG:
    Orchestrator -> (Security Guard + Scout in parallel) -> Intel Fusion
    -> Analyst -> Critic -> Advisor.
    """
    pipeline_start = time.time()
    completed_stages: list[str] = []
    stages_detail: dict[str, Any] = {}
    layer1_results: dict[str, Any] = {}

    def _notify(agent: str, status: str, detail: dict) -> None:
        if not progress_callback:
            return
        try:
            progress_callback(agent, status, detail)
        except Exception as exc:
            logger.debug("[PIPELINE] progress callback ignored: %s", exc)

    def _remember_stage(agent: str, detail: dict[str, Any]) -> None:
        stages_detail[agent] = detail
        if agent not in completed_stages:
            completed_stages.append(agent)

    from checkpoint import recorder
    recorder.start_scan(f"pipe_{int(pipeline_start)}")

    l0_report: dict[str, Any] = {}
    sanitized_stack = tech_stack
    try:
        from input_sanitizer import sanitize_input, format_l0_report

        san_result = sanitize_input(tech_stack)
        l0_report = format_l0_report(san_result)
        if not san_result.safe:
            _notify("input_sanitizer", "COMPLETE", {
                "status": "BLOCKED",
                "reason": san_result.blocked_reason,
            })
            duration = round(time.time() - pipeline_start, 2)
            return {
                "executive_summary": f"Input blocked: {san_result.blocked_reason}",
                "blocked": True,
                "actions": {"urgent": [], "important": [], "resolved": []},
                "risk_score": 0,
                "risk_trend": "+0",
                "pipeline_meta": {
                    "pipeline_version": "4.0",
                    "tech_stack": tech_stack,
                    "scan_path": "BLOCKED",
                    "stages_completed": 0,
                    "stages_detail": {},
                    "enable_critic": ENABLE_CRITIC,
                    "critic_verdict": "SKIPPED",
                    "critic_score": 0.0,
                    "duration_seconds": duration,
                    "degradation": {"level": 5, "label": "INPUT_BLOCKED"},
                    "generated_at": datetime.now(timezone.utc).isoformat(),
                    "l0_report": l0_report,
                },
            }

        sanitized_stack = san_result.sanitized_input
        input_type = _canonical_runtime_input_type(input_type, san_result.input_type)
        l0_detail = {
            "status": "SUCCESS",
            "input_type": san_result.input_type,
            "pipeline_input_type": input_type,
            "l0_warning_count": l0_report.get("l0_warning_count", 0),
            "truncated": san_result.truncated,
        }
        _remember_stage("input_sanitizer", l0_detail)
        _notify("input_sanitizer", "COMPLETE", l0_detail)
        recorder.stage_exit("input_sanitizer", "SUCCESS", l0_detail, 0)
    except Exception as exc:
        logger.warning("[L0] Sanitizer skipped: %s", exc)

    if input_type == "sql_review":
        from tools.sql_syntax_reviewer import review_sql_syntax

        _notify("sql_review", "RUNNING", {})
        review = review_sql_syntax(sanitized_stack)
        sql_detail = {
            "status": "SUCCESS",
            "patterns_detected": review.get("summary", {}).get("patterns_detected", 0),
            "findings_count": review.get("summary", {}).get("total", 0),
            "requires_application_context": True,
        }
        _remember_stage("sql_review", sql_detail)
        _notify("sql_review", "COMPLETE", sql_detail)
        recorder.stage_exit("sql_review", "SUCCESS", sql_detail, 0)
        duration = round(time.time() - pipeline_start, 2)
        recorder.end_scan("COMPLETE", duration)
        return {
            "executive_summary": (
                "SQL syntax review completed. Findings are payload/syntax evidence only; "
                "application source context is required before calling this a verified vulnerability."
            ),
            "actions": {"urgent": [], "important": [], "resolved": []},
            "risk_score": 0,
            "risk_trend": "+0",
            "sql_syntax_review": review,
            "vulnerability_detail": [],
            "vulnerability_summary": {
                "total": 0,
                "critical": 0,
                "high": 0,
                "medium": 0,
                "low": 0,
                "new": 0,
                "new_since_last_scan": 0,
            },
            "report_sources": {
                "vulnerability_detail": "sql_syntax_review",
                "layer1_state": "skipped",
                "external_scan_skipped": True,
            },
            "code_patterns_summary": [],
            "pipeline_meta": {
                "pipeline_version": "4.0",
                "tech_stack": tech_stack,
                "scan_path": "C",
                "stages_completed": len(completed_stages),
                "stages_detail": stages_detail,
                "enable_critic": ENABLE_CRITIC,
                "critic_verdict": "SKIPPED",
                "critic_score": 0.0,
                "feedback_loops": 0,
                "duration_seconds": duration,
                "degradation": degradation_status.to_dict(),
                "orchestration": {},
                "layer1_agents": [],
                "fusion_after_discovery": False,
                "l0_report": l0_report,
                "generated_at": datetime.now(timezone.utc).isoformat(),
            },
        }

    _notify("orchestrator", "RUNNING", {})
    orch_ctx, task_plan, orch_sl = stage_orchestrator(sanitized_stack)
    task_plan = _constrain_task_plan_by_input_type(task_plan, input_type)
    scan_path = task_plan.get("path", "B")
    orch_detail = {
        "status": "SUCCESS" if not task_plan.get("_degraded") else "DEGRADED",
        "scan_path": scan_path,
        "agents_to_run": task_plan.get("agents_to_run", []),
        "duration_ms": orch_sl.steps[-1].get("duration_ms", 0) if orch_sl.steps else 0,
        "l0_input_type": l0_report.get("input_type", "unknown"),
        "pipeline_input_type": input_type,
        "route_corrected": task_plan.get("_route_corrected"),
    }
    _remember_stage("orchestrator", orch_detail)
    _notify("orchestrator", "COMPLETE", orch_detail)
    recorder.stage_enter("orchestrator", {"tech_stack": sanitized_stack[:200]})
    recorder.stage_exit("orchestrator", orch_detail["status"], orch_detail, orch_detail["duration_ms"])

    extracted_packages: list[str] = []
    scout_input = sanitized_stack
    scout_output: dict[str, Any] = {}
    scout_duration_ms = 0
    sg_code_patterns: list[dict[str, Any]] = []
    intel_fusion_result: dict[str, Any] = {}
    benchmark_context: dict[str, Any] | None = None

    parallel_agents = task_plan.get("parallel_layer1", [])
    if parallel_agents:
        _notify("layer1_parallel", "RUNNING", {"agents": parallel_agents})
        layer1_results = _run_layer1_parallel(
            sanitized_stack, task_plan, _notify, input_type=input_type
        )
        visible_agents = [name for name in layer1_results if not name.startswith("_")]
        _notify("layer1_parallel", "COMPLETE", {"agents_completed": visible_agents})

        extracted_packages = layer1_results.get("_extracted_packages", [])
        if "security_guard" in layer1_results:
            sg_result = layer1_results["security_guard"]
            sg_code_patterns = _build_code_patterns_summary(sg_result)
            sg_detail = {
                "status": "SUCCESS" if not sg_result.get("_degraded") else "DEGRADED",
                "duration_ms": sg_result.get("_duration_ms", 0),
                "functions_found": sg_result.get("stats", {}).get("functions_found", 0),
                "patterns_found": sg_result.get("stats", {}).get("patterns_found", 0),
                "injection_detected": sg_result.get("injection_attempts_detected", False),
                "_degraded": sg_result.get("_degraded", False),
                "_error": sg_result.get("_error", "") if sg_result.get("_degraded") else "",
            }
            _remember_stage("security_guard", sg_detail)
            recorder.stage_exit("security_guard", sg_detail["status"], sg_detail, sg_detail["duration_ms"])

        if "scout" in layer1_results:
            scout_output = layer1_results["scout"]
            scout_duration_ms = scout_output.get("_duration_ms", 0)
            scout_detail = {
                "status": "SUCCESS" if not scout_output.get("_degraded") else "DEGRADED",
                "vuln_count": len(scout_output.get("vulnerabilities", [])),
                "duration_ms": scout_duration_ms,
                "packages_used": extracted_packages,
                "_degraded": scout_output.get("_degraded", False),
                "_error": scout_output.get("_error", "") if scout_output.get("_degraded") else "",
            }
            _remember_stage("scout", scout_detail)
            _notify("scout", "COMPLETE", scout_detail)

    if not scout_output:
        _notify("scout", "RUNNING", {})
        rate_limiter.wait_if_needed("scout")
        scout_output, scout_sl = stage_scout(scout_input, input_type=input_type)
        scout_duration_ms = scout_sl.steps[-1].get("duration_ms", 0) if scout_sl.steps else 0
        scout_detail = {
            "status": "SUCCESS" if not scout_output.get("_degraded") else "DEGRADED",
            "vuln_count": len(scout_output.get("vulnerabilities", [])),
            "duration_ms": scout_duration_ms,
            "packages_used": extracted_packages,
        }
        _remember_stage("scout", scout_detail)
        _notify("scout", "COMPLETE", scout_detail)

    if sg_code_patterns:
        scout_output["code_patterns"] = sg_code_patterns

    from agents.scout import SKILL_MAP as SCOUT_SKILL_MAP
    recorder.stage_enter("scout", {"tech_stack": scout_input[:200], "packages": extracted_packages},
                         skill_file=SCOUT_SKILL_MAP.get(input_type, "threat_intel.md"),
                         input_type=input_type)
    recorder.stage_exit("scout", stages_detail["scout"]["status"], scout_output, scout_duration_ms)

    if task_plan.get("fusion_after_discovery", False):
        intel_input = _build_intel_fusion_input(
            scout_output=scout_output,
            sg_result=layer1_results.get("security_guard"),
            code_patterns=sg_code_patterns,
            extracted_packages=extracted_packages,
            tech_stack=sanitized_stack,
            input_type=input_type,
        )
        intel_fusion_result, intel_sl = stage_intel_fusion(intel_input, _notify)
        layer1_results["intel_fusion"] = intel_fusion_result
        scout_output["intel_fusion_result"] = intel_fusion_result
        scout_output = _merge_intel_fusion_into_scout(scout_output, intel_fusion_result)
        intel_detail = {
            "status": "SUCCESS" if not intel_fusion_result.get("_degraded") else "DEGRADED",
            "cves_scored": len(intel_fusion_result.get("fusion_results", [])),
            "duration_ms": intel_sl.steps[-1].get("duration_ms", 0) if intel_sl.steps else 0,
            "_degraded": intel_fusion_result.get("_degraded", False),
            "_error": intel_fusion_result.get("_error", "") if intel_fusion_result.get("_degraded") else "",
        }
        _remember_stage("intel_fusion", intel_detail)
        if orch_ctx is not None:
            try:
                orch_ctx.store_result("intel_fusion", intel_fusion_result)
            except Exception as exc:
                logger.debug("[PIPELINE] Orchestration store skipped for Intel Fusion: %s", exc)

    if scan_path == "C":
        analyst_output = {
            "scan_id": scout_output.get("scan_id", "unknown"),
            "risk_score": 30,
            "risk_trend": "+0",
            "analysis": [],
            "_skipped": True,
            "_reason": "path_C_doc_scan",
        }
        critic_output = {"verdict": "SKIPPED", "weighted_score": 60.0, "_skipped": True}
        _remember_stage("analyst", {"status": "SKIPPED", "reason": "path_C"})
        _remember_stage("critic", {"status": "SKIPPED", "reason": "path_C"})
        _notify("analyst", "COMPLETE", stages_detail["analyst"])
        _notify("critic", "COMPLETE", stages_detail["critic"])
    else:
        _notify("analyst", "RUNNING", {})
        rate_limiter.wait_if_needed("analyst")
        analyst_output, analyst_sl = stage_analyst(scout_output, input_type=input_type)
        benchmark_context = _build_dim11_benchmark_context(
            source=sanitized_stack,
            input_type=input_type,
            task_plan=task_plan,
            code_patterns=sg_code_patterns,
            scout_output=scout_output,
            extracted_packages=extracted_packages,
        )
        if benchmark_context:
            analyst_output["benchmark_context"] = benchmark_context
            analyst_output["observed_cwe_categories"] = benchmark_context["observed_cwe_categories"]
            logger.info(
                "[DIM11] benchmark context attached before Critic: fixture=%s observed=%d expected=%d",
                benchmark_context.get("fixture"),
                len(benchmark_context.get("observed_cwe_categories", [])),
                len(benchmark_context.get("expected_cwe_categories", [])),
            )
        analyst_detail = {
            "status": "SUCCESS" if not analyst_output.get("_degraded") else "DEGRADED",
            "risk_score": analyst_output.get("risk_score", 0),
            "duration_ms": analyst_sl.steps[-1].get("duration_ms", 0) if analyst_sl.steps else 0,
        }
        _remember_stage("analyst", analyst_detail)
        _notify("analyst", "COMPLETE", analyst_detail)
        from agents.analyst import SKILL_MAP as ANALYST_SKILL_MAP
        recorder.stage_enter("analyst", scout_output,
                             skill_file=ANALYST_SKILL_MAP.get(input_type, "chain_analysis.md"),
                             input_type=input_type)
        recorder.stage_exit("analyst", analyst_detail["status"], analyst_output, analyst_detail["duration_ms"])

        _notify("critic", "RUNNING", {})
        rate_limiter.wait_if_needed("critic")
        critic_output, critic_sl = stage_critic(analyst_output, input_type=input_type)
        critic_detail = {
            "status": "SUCCESS" if not critic_output.get("_degraded") else "DEGRADED",
            "verdict": critic_output.get("verdict", "SKIPPED"),
            "score": critic_output.get("weighted_score", 0),
            "duration_ms": critic_sl.steps[-1].get("duration_ms", 0) if critic_sl.steps else 0,
        }
        if critic_output.get("recall_challenge"):
            critic_detail["recall_challenge_verdict"] = critic_output["recall_challenge"].get("verdict")
        _remember_stage("critic", critic_detail)
        _notify("critic", "COMPLETE", critic_detail)
        from agents.critic import SKILL_MAP as CRITIC_SKILL_MAP
        recorder.stage_enter("critic", analyst_output,
                             skill_file=CRITIC_SKILL_MAP.get(input_type, "debate_sop.md"),
                             input_type=input_type)
        recorder.stage_exit("critic", critic_detail["status"], critic_output, critic_detail["duration_ms"])

    _notify("advisor", "RUNNING", {})
    rate_limiter.wait_if_needed("advisor")
    advisor_output, advisor_sl = stage_advisor(analyst_output, critic_output, input_type=input_type)
    advisor_detail = {
        "status": "SUCCESS" if not advisor_output.get("_degraded") else "DEGRADED",
        "urgent_count": len(advisor_output.get("actions", {}).get("urgent", [])),
        "duration_ms": advisor_sl.steps[-1].get("duration_ms", 0) if advisor_sl.steps else 0,
    }
    _remember_stage("advisor", advisor_detail)
    _notify("advisor", "COMPLETE", advisor_detail)
    from agents.advisor import SKILL_MAP as ADVISOR_SKILL_MAP
    recorder.stage_enter("advisor", analyst_output,
                         skill_file=ADVISOR_SKILL_MAP.get(input_type, "action_report.md"),
                         input_type=input_type)
    recorder.stage_exit("advisor", advisor_detail["status"], advisor_output, advisor_detail["duration_ms"])

    duration = round(time.time() - pipeline_start, 2)
    try:
        orch_summary = {}
        if orch_ctx is not None:
            from agents.orchestrator import finalize_orchestration
            orch_ctx.final_confidence = advisor_output.get("confidence", "HIGH")
            orch_summary = finalize_orchestration(orch_ctx)
    except Exception as exc:
        logger.debug("[PIPELINE] finalize_orchestration skipped: %s", exc)
        orch_summary = {}

    pipeline_meta = {
        "pipeline_version": "4.0",
        "tech_stack": tech_stack,
        "scan_path": scan_path,
        "stages_completed": len(completed_stages),
        "stages_detail": stages_detail,
        "enable_critic": ENABLE_CRITIC,
        "critic_verdict": critic_output.get("verdict", "SKIPPED"),
        "critic_score": critic_output.get("weighted_score", 0),
        "feedback_loops": 0,
        "duration_seconds": duration,
        "degradation": degradation_status.to_dict(),
        "orchestration": orch_summary,
        "layer1_agents": [name for name in layer1_results if not name.startswith("_")],
        "fusion_after_discovery": bool(task_plan.get("fusion_after_discovery", False)),
        "l0_report": l0_report,
        "generated_at": datetime.now(timezone.utc).isoformat(),
    }
    if benchmark_context:
        pipeline_meta["benchmark_context"] = benchmark_context
    if critic_output.get("recall_challenge"):
        pipeline_meta["critic_recall_challenge"] = critic_output["recall_challenge"]
    if intel_fusion_result.get("evidence_contract"):
        pipeline_meta["intel_fusion_evidence_contract"] = intel_fusion_result["evidence_contract"]

    recorder.end_scan("COMPLETE", duration)
    report_payload = _build_scan_report_payload(scout_output, advisor_output, layer1_results)
    final_output: dict[str, Any] = {
        **advisor_output,
        **report_payload,
        "pipeline_meta": pipeline_meta,
    }
    if sg_code_patterns:
        existing_cps = final_output.get("code_patterns_summary", [])
        final_output["code_patterns_summary"] = existing_cps + sg_code_patterns
    if critic_output.get("recall_challenge"):
        final_output["critic_recall_challenge"] = critic_output["recall_challenge"]
    if critic_output.get("needs_rescan"):
        final_output["needs_rescan"] = True
    return final_output



# ======================================================================
# (comment encoding corrupted)
# ======================================================================

if __name__ == "__main__":
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
        handlers=[logging.StreamHandler(sys.stdout)],
    )

    if len(sys.argv) > 1:
        tech_stack = " ".join(sys.argv[1:])
    else:
        tech_stack = "Django 4.2, Redis 7.0, PostgreSQL 16"

    print(f"\nThreatHunter - Scanning: {tech_stack}\n")
    result = run_pipeline(tech_stack)
    print("\n=== Pipeline Result ===")
    print(json.dumps(result, ensure_ascii=False, indent=2))