@askexenow/exe-os 0.9.286 → 0.9.288

package/dist/chunk-MUMBWV57.js

@@ -0,0 +1,379 @@
+import {
+  EXE_AI_DIR
+} from "./chunk-CEKZ77KA.js";
+
+// src/lib/license.ts
+import { readFileSync, writeFileSync, existsSync, mkdirSync, statSync } from "fs";
+import { randomUUID } from "crypto";
+import path from "path";
+import { jwtVerify, importSPKI } from "jose";
+var LICENSE_PATH = path.join(EXE_AI_DIR, "license.key");
+var CACHE_PATH = path.join(EXE_AI_DIR, "license-cache.json");
+var DEVICE_ID_PATH = path.join(EXE_AI_DIR, "device-id");
+var API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://api.askexe.com";
+var RETRY_DELAY_MS = 500;
+async function fetchRetry(url, init) {
+  try {
+    return await fetch(url, init);
+  } catch {
+    await new Promise((r) => setTimeout(r, RETRY_DELAY_MS));
+    return fetch(url, { ...init, signal: AbortSignal.timeout(1e4) });
+  }
+}
+var LICENSE_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeHztAMOpR/ZMh+rWuOASjEZ54CGY
+4uj+UqeKCcvtgNHKmOK278HJaJcANe9xAeji8AFYu27q3WtzCi04pHudow==
+-----END PUBLIC KEY-----`;
+var LICENSE_PUBLIC_KEY_PEM_PREV = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVlMxzSQraFaXp+qRyRwDNg25R4qH
+sV3p1+vXy1GH/9W2VQyq3pUvOlAeeDMMT+hbL5kbtwCl7daoaZZ8Tv8acw==
+-----END PUBLIC KEY-----`;
+var LICENSE_PUBLIC_KEY_PEM_2026_06_17 = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYdtXo668/3uHX+8DY9MOgm0HzVrP
+oR8NJBuiITKaerulCXiSiJMX1HP0+h5dHBVfCWQfIVk5BMdsheAMaP806w==
+-----END PUBLIC KEY-----`;
+var LICENSE_PUBLIC_KEYS = [LICENSE_PUBLIC_KEY_PEM_2026_06_17, LICENSE_PUBLIC_KEY_PEM, LICENSE_PUBLIC_KEY_PEM_PREV];
+var LICENSE_JWT_ALG = "ES256";
+var PLAN_LIMITS = {
+  free: { devices: 1, employees: 1, memories: 5e3 },
+  pro: { devices: 3, employees: 5, memories: 1e5 },
+  team: { devices: 10, employees: 20, memories: 1e6 },
+  agency: { devices: 50, employees: 100, memories: 1e7 },
+  enterprise: { devices: -1, employees: -1, memories: -1 }
+};
+var FREE_LICENSE = {
+  valid: true,
+  plan: "free",
+  email: "",
+  expiresAt: null,
+  deviceLimit: 1,
+  employeeLimit: 1,
+  memoryLimit: 5e3
+};
+function loadDeviceId() {
+  const deviceJsonPath = path.join(EXE_AI_DIR, "device.json");
+  try {
+    if (existsSync(deviceJsonPath)) {
+      const data = JSON.parse(readFileSync(deviceJsonPath, "utf8"));
+      if (data.deviceId) return data.deviceId;
+    }
+  } catch {
+  }
+  try {
+    if (existsSync(DEVICE_ID_PATH)) {
+      const id2 = readFileSync(DEVICE_ID_PATH, "utf8").trim();
+      if (id2) return id2;
+    }
+  } catch {
+  }
+  const id = randomUUID();
+  mkdirSync(EXE_AI_DIR, { recursive: true });
+  writeFileSync(DEVICE_ID_PATH, id, "utf8");
+  return id;
+}
+function loadLicense() {
+  try {
+    if (!existsSync(LICENSE_PATH)) return null;
+    return readFileSync(LICENSE_PATH, "utf8").trim();
+  } catch {
+    return null;
+  }
+}
+function saveLicense(apiKey) {
+  mkdirSync(EXE_AI_DIR, { recursive: true });
+  writeFileSync(LICENSE_PATH, apiKey.trim(), { encoding: "utf8", mode: 384 });
+}
+async function verifyLicenseJwt(token) {
+  for (const pem of LICENSE_PUBLIC_KEYS) {
+    try {
+      const key = await importSPKI(pem, LICENSE_JWT_ALG);
+      const { payload } = await jwtVerify(token, key, {
+        algorithms: [LICENSE_JWT_ALG]
+      });
+      const plan = payload.plan ?? "free";
+      const email = payload.sub ?? "";
+      const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+      return {
+        valid: true,
+        plan,
+        email,
+        expiresAt: payload.exp ? new Date(payload.exp * 1e3).toISOString() : null,
+        deviceLimit: limits.devices,
+        employeeLimit: limits.employees,
+        memoryLimit: limits.memories
+      };
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+async function getCachedLicense() {
+  try {
+    if (!existsSync(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync(CACHE_PATH, "utf8"));
+    if (!raw.token || typeof raw.token !== "string") return null;
+    return await verifyLicenseJwt(raw.token);
+  } catch {
+    return null;
+  }
+}
+async function getGraceVerifiedLicense(graceDays = 7) {
+  try {
+    const token = readCachedLicenseToken();
+    if (!token) return null;
+    const payloadB64 = token.split(".")[1];
+    if (!payloadB64) return null;
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    const expMs = (payload.exp ?? 0) * 1e3;
+    if (Date.now() >= expMs + graceDays * 24 * 60 * 60 * 1e3) return null;
+    let verified = null;
+    for (const pem of LICENSE_PUBLIC_KEYS) {
+      try {
+        const key = await importSPKI(pem, LICENSE_JWT_ALG);
+        const result = await jwtVerify(token, key, {
+          algorithms: [LICENSE_JWT_ALG],
+          clockTolerance: graceDays * 24 * 60 * 60
+        });
+        verified = result.payload;
+        break;
+      } catch {
+        continue;
+      }
+    }
+    if (!verified) return null;
+    const plan = verified.plan ?? "free";
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    process.stderr.write(
+      `[license] Offline grace: verified cached plan "${plan}" (expired, within ${graceDays}d grace).
+`
+    );
+    return {
+      valid: true,
+      plan,
+      email: verified.sub ?? "",
+      expiresAt: verified.exp ? new Date(verified.exp * 1e3).toISOString() : null,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+function readCachedLicenseToken() {
+  try {
+    if (!existsSync(CACHE_PATH)) return null;
+    const raw = JSON.parse(readFileSync(CACHE_PATH, "utf8"));
+    return typeof raw.token === "string" ? raw.token : null;
+  } catch {
+    return null;
+  }
+}
+function cacheResponse(token) {
+  try {
+    writeFileSync(CACHE_PATH, JSON.stringify({ token }), "utf8");
+  } catch {
+  }
+}
+async function validateViaCFWorker(apiKey, deviceId) {
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (data.error === "device_limit_exceeded") return null;
+    if (!data.valid) return null;
+    if (data.token) {
+      cacheResponse(data.token);
+      const verified = await verifyLicenseJwt(data.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[data.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: data.valid,
+      plan: data.plan,
+      email: data.email,
+      expiresAt: data.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  } catch {
+    return null;
+  }
+}
+async function validateLicense(apiKey, deviceId) {
+  const did = deviceId ?? loadDeviceId();
+  const cfResult = await validateViaCFWorker(apiKey, did);
+  if (cfResult) return cfResult;
+  const cached = await getCachedLicense();
+  if (cached) return cached;
+  const graced = await getGraceVerifiedLicense();
+  if (graced) return graced;
+  return { ...FREE_LICENSE, valid: false };
+}
+var CACHE_MAX_AGE_MS = 36e5;
+function getCacheAgeMs() {
+  try {
+    const s = statSync(CACHE_PATH);
+    return Date.now() - s.mtimeMs;
+  } catch {
+    return Infinity;
+  }
+}
+async function checkLicense() {
+  let key = loadLicense();
+  if (!key) {
+    try {
+      const configPath = path.join(EXE_AI_DIR, "config.json");
+      if (existsSync(configPath)) {
+        const raw = JSON.parse(readFileSync(configPath, "utf8"));
+        const cloud = raw.cloud;
+        if (cloud?.apiKey) {
+          key = cloud.apiKey;
+          saveLicense(key);
+        }
+      }
+    } catch {
+    }
+  }
+  if (!key) return FREE_LICENSE;
+  const cached = await getCachedLicense();
+  if (cached && getCacheAgeMs() < CACHE_MAX_AGE_MS) return cached;
+  const deviceId = loadDeviceId();
+  return validateLicense(key, deviceId);
+}
+function isFeatureAllowed(license, feature) {
+  switch (feature) {
+    case "cloud_sync":
+    case "external_agents":
+    case "wiki":
+      return license.plan !== "free";
+    case "unlimited_employees":
+      return license.plan === "team" || license.plan === "agency" || license.plan === "enterprise";
+  }
+}
+function mirrorLicenseKey(apiKey) {
+  const trimmed = apiKey.trim();
+  if (!trimmed) return;
+  saveLicense(trimmed);
+}
+async function assertVpsLicense(opts) {
+  const env = opts?.env ?? process.env;
+  const inProduction = env.NODE_ENV === "production";
+  if (!opts?.force && !inProduction) {
+    return { ...FREE_LICENSE, plan: "free" };
+  }
+  const envKey = env.EXE_LICENSE_KEY?.trim();
+  if (envKey) {
+    saveLicense(envKey);
+  }
+  const apiKey = envKey ?? loadLicense();
+  if (!apiKey) {
+    throw new Error(
+      "License required: set EXE_LICENSE_KEY env var with your exe_sk_* key. Purchase at https://askexe.com. This VPS image refuses to boot without a valid license."
+    );
+  }
+  const deviceId = loadDeviceId();
+  let backendResponse = null;
+  let explicitRejection = false;
+  let transientFailure = false;
+  try {
+    const res = await fetchRetry(`${API_BASE}/auth/activate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ apiKey, deviceId }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      backendResponse = await res.json();
+      if (!backendResponse.valid) explicitRejection = true;
+    } else if (res.status === 401 || res.status === 403) {
+      explicitRejection = true;
+    } else {
+      transientFailure = true;
+    }
+  } catch {
+    transientFailure = true;
+  }
+  if (backendResponse?.valid) {
+    if (backendResponse.token) {
+      cacheResponse(backendResponse.token);
+      const verified = await verifyLicenseJwt(backendResponse.token);
+      if (verified) return verified;
+    }
+    const limits = PLAN_LIMITS[backendResponse.plan] ?? PLAN_LIMITS.free;
+    return {
+      valid: true,
+      plan: backendResponse.plan,
+      email: backendResponse.email,
+      expiresAt: backendResponse.expiresAt,
+      deviceLimit: limits.devices,
+      employeeLimit: limits.employees,
+      memoryLimit: limits.memories
+    };
+  }
+  if (explicitRejection) {
+    throw new Error(
+      `License invalid or expired. Renew at https://askexe.com, then restart. Backend rejected key ending in ...${apiKey.slice(-4)}.`
+    );
+  }
+  if (!transientFailure) {
+    throw new Error(
+      "License validation failed: unknown backend state. Restore network connectivity to https://api.askexe.com and retry."
+    );
+  }
+  const fresh = await getCachedLicense();
+  if (fresh && fresh.valid) return fresh;
+  const graceDays = opts?.offlineGraceDays ?? 7;
+  const graced = await getGraceVerifiedLicense(graceDays);
+  if (graced) return graced;
+  throw new Error(
+    `License validation unreachable for more than ${graceDays} days. Restore network connectivity to https://api.askexe.com and retry. This VPS image refuses to boot after the offline grace window.`
+  );
+}
+var _revalTimer = null;
+function startLicenseRevalidation(intervalMs = 36e5) {
+  if (_revalTimer) return;
+  _revalTimer = setInterval(async () => {
+    try {
+      const license = await checkLicense();
+      if (!license.valid) {
+        process.stderr.write("[exe-os] License expired or invalid \u2014 features may be restricted\n");
+      }
+    } catch {
+    }
+  }, intervalMs);
+  if (_revalTimer && typeof _revalTimer === "object" && "unref" in _revalTimer) {
+    _revalTimer.unref();
+  }
+}
+function stopLicenseRevalidation() {
+  if (_revalTimer) {
+    clearInterval(_revalTimer);
+    _revalTimer = null;
+  }
+}
+
+export {
+  LICENSE_PUBLIC_KEY_PEM,
+  PLAN_LIMITS,
+  loadDeviceId,
+  loadLicense,
+  saveLicense,
+  getCachedLicense,
+  getGraceVerifiedLicense,
+  readCachedLicenseToken,
+  validateLicense,
+  checkLicense,
+  isFeatureAllowed,
+  mirrorLicenseKey,
+  assertVpsLicense,
+  startLicenseRevalidation,
+  stopLicenseRevalidation
+};

package/dist/chunk-NAQLGLOG.js

@@ -0,0 +1,176 @@
+import {
+  loadConfigSync
+} from "./chunk-CEKZ77KA.js";
+
+// src/lib/push-notifications.ts
+import { execSync } from "child_process";
+import nodemailer from "nodemailer";
+var TELEGRAM_TIMEOUT_MS = 1e4;
+var SMTP_TIMEOUT_MS = 15e3;
+var DESKTOP_TIMEOUT_MS = 3e3;
+var _cachedConfig = null;
+var _notifyOn = null;
+function loadPushConfig() {
+  if (_cachedConfig && _notifyOn) return { config: _cachedConfig, notifyOn: _notifyOn };
+  try {
+    const cfg = loadConfigSync();
+    _cachedConfig = cfg.notifications ?? {};
+    const events = cfg.notify_on;
+    _notifyOn = new Set(events ?? ["task_complete", "task_blocked", "context_full", "error_spike", "daemon_crash", "review_ready"]);
+  } catch {
+    _cachedConfig = {};
+    _notifyOn = /* @__PURE__ */ new Set(["task_complete", "task_blocked", "context_full", "error_spike", "daemon_crash", "review_ready"]);
+  }
+  return { config: _cachedConfig, notifyOn: _notifyOn };
+}
+function _resetPushConfig() {
+  _cachedConfig = null;
+  _notifyOn = null;
+}
+function sendDesktopNotification(title, body, sessionScope) {
+  try {
+    const safeTitle = title.replace(/["\\\n]/g, " ").slice(0, 100);
+    const safeBody = body.replace(/["\\\n]/g, " ").slice(0, 200);
+    try {
+      const osc9 = `\x1B]9;${safeTitle}: ${safeBody}\x07`;
+      let coordinatorSession;
+      if (sessionScope) {
+        coordinatorSession = sessionScope;
+      } else {
+        const sessions = execSync("tmux list-sessions -F '#{session_name}' 2>/dev/null", { encoding: "utf8", timeout: 2e3 }).trim().split("\n");
+        coordinatorSession = sessions.find((s) => /^exe\d*$/.test(s));
+      }
+      if (coordinatorSession) {
+        execSync(`printf '${osc9.replace(/'/g, "'\\''")}' > /dev/tty 2>/dev/null || tmux display-message -p -t ${coordinatorSession} '' 2>/dev/null`, { timeout: 2e3, stdio: "ignore" });
+        return true;
+      }
+    } catch {
+    }
+    if (process.platform === "linux") {
+      execSync(`notify-send "${safeTitle}" "${safeBody}"`, {
+        timeout: DESKTOP_TIMEOUT_MS,
+        stdio: "ignore"
+      });
+      return true;
+    }
+    return false;
+  } catch (err) {
+    process.stderr.write(`[push-notify] Desktop notification failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return false;
+  }
+}
+async function sendTelegram(botToken, chatId, message) {
+  try {
+    const url = `https://api.telegram.org/bot${botToken}/sendMessage`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        chat_id: chatId,
+        text: message,
+        parse_mode: "Markdown",
+        disable_web_page_preview: true
+      }),
+      signal: AbortSignal.timeout(TELEGRAM_TIMEOUT_MS)
+    });
+    return res.ok;
+  } catch (err) {
+    process.stderr.write(`[push-notify] Telegram send failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return false;
+  }
+}
+async function sendEmail(smtpUrl, from, to, subject, body) {
+  if (smtpUrl.startsWith("http")) {
+    try {
+      const res = await fetch(smtpUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ from, to, subject, text: body }),
+        signal: AbortSignal.timeout(SMTP_TIMEOUT_MS)
+      });
+      return res.ok;
+    } catch (err) {
+      process.stderr.write(`[push-notify] Email send failed: ${err instanceof Error ? err.message : String(err)}
+`);
+      return false;
+    }
+  }
+  if (!smtpUrl.startsWith("smtp://") && !smtpUrl.startsWith("smtps://")) {
+    process.stderr.write(
+      `[push-notify] Unsupported email.smtp_url scheme "${smtpUrl}". Use an smtp:// / smtps:// connection URL or an https:// API endpoint.
+`
+    );
+    return false;
+  }
+  try {
+    const transporter = nodemailer.createTransport(smtpUrl);
+    await transporter.sendMail({ from, to, subject, text: body });
+    return true;
+  } catch (err) {
+    process.stderr.write(
+      `[push-notify] SMTP send failed: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return false;
+  }
+}
+function formatMessage(msg) {
+  const emoji = msg.priority === "urgent" ? "\u{1F534}" : msg.priority === "low" ? "\u26AA" : "\u{1F535}";
+  const lines = [
+    `${emoji} *${msg.title}*`,
+    msg.body
+  ];
+  if (msg.agent) lines.push(`Agent: ${msg.agent}`);
+  if (msg.project) lines.push(`Project: ${msg.project}`);
+  return lines.join("\n");
+}
+async function pushNotify(msg) {
+  const { config, notifyOn } = loadPushConfig();
+  const result = { desktop: false, telegram: false, email: false };
+  if (!notifyOn.has(msg.event)) return result;
+  const formatted = formatMessage(msg);
+  if (config.desktop !== false) {
+    result.desktop = sendDesktopNotification(msg.title, msg.body, msg.sessionScope);
+  }
+  if (config.telegram?.bot_token && config.telegram?.chat_id) {
+    result.telegram = await sendTelegram(
+      config.telegram.bot_token,
+      config.telegram.chat_id,
+      formatted
+    );
+  }
+  if (config.email?.smtp_url && config.email?.from && config.email?.to) {
+    const url = config.email.smtp_url;
+    const recognized = url.startsWith("smtp://") || url.startsWith("smtps://") || url.startsWith("http");
+    if (!recognized) {
+      process.stderr.write(
+        `[push-notify] WARNING: email.smtp_url "${url}" has an unrecognized scheme. Use an smtp:// / smtps:// connection URL or an https:// email API endpoint.
+`
+      );
+    } else {
+      result.email = await sendEmail(
+        url,
+        config.email.from,
+        config.email.to,
+        `[exe-os] ${msg.title}`,
+        msg.body
+      );
+    }
+  }
+  return result;
+}
+function pushNotifyAsync(msg) {
+  pushNotify(msg).catch((err) => {
+    process.stderr.write(`[push-notify] async send failed: ${err instanceof Error ? err.message : String(err)}
+`);
+  });
+}
+
+export {
+  loadPushConfig,
+  _resetPushConfig,
+  pushNotify,
+  pushNotifyAsync
+};

package/dist/chunk-NIBCUAEI.js

@@ -0,0 +1,123 @@
+import {
+  getClient
+} from "./chunk-WLDBPKRL.js";
+
+// src/lib/session-kill-telemetry.ts
+import crypto from "crypto";
+import { appendFileSync } from "fs";
+import path from "path";
+import os from "os";
+var KILL_FILE_LOG = path.join(os.homedir(), ".exe-os", "logs", "session-kills.jsonl");
+var TOKENS_PER_IDLE_MINUTE = 50;
+async function recordSessionKill(input) {
+  const killedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const id = crypto.randomUUID();
+  try {
+    const logEntry = JSON.stringify({
+      id,
+      timestamp: killedAt,
+      session: input.sessionName,
+      agent: input.agentId,
+      reason: input.reason,
+      ticksIdle: input.ticksIdle ?? null,
+      tokensSaved: input.estimatedTokensSaved ?? null
+    });
+    appendFileSync(KILL_FILE_LOG, logEntry + "\n");
+  } catch {
+    process.stderr.write(
+      `[session-kill-telemetry] file log write failed for ${input.sessionName}
+`
+    );
+  }
+  try {
+    const client = getClient();
+    await client.execute({
+      sql: `INSERT INTO session_kills
+              (id, session_name, agent_id, killed_at, reason,
+               ticks_idle, estimated_tokens_saved)
+            VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      args: [
+        id,
+        input.sessionName,
+        input.agentId,
+        killedAt,
+        input.reason,
+        input.ticksIdle ?? null,
+        input.estimatedTokensSaved ?? null
+      ]
+    });
+  } catch (err) {
+    process.stderr.write(
+      `[session-kill-telemetry] DB write failed: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  }
+}
+async function countKillsSince(sinceISO) {
+  try {
+    const client = getClient();
+    const result = await client.execute({
+      sql: `SELECT COUNT(*) AS n FROM session_kills WHERE killed_at >= ?`,
+      args: [sinceISO]
+    });
+    const row = result.rows[0];
+    return row ? Number(row.n) : 0;
+  } catch {
+    return 0;
+  }
+}
+var IDLE_KILL_STREAK_META_KEY = "idle_kill_suspect_streak";
+var IDLE_KILL_SUSPECT_DAY_THRESHOLD = 3;
+var IDLE_KILL_MIN_LIVE_SESSIONS = 5;
+function parseStreakState(raw) {
+  if (!raw) return { lastDate: null, streak: 0 };
+  try {
+    const parsed = JSON.parse(raw);
+    return {
+      lastDate: typeof parsed.lastDate === "string" ? parsed.lastDate : null,
+      streak: typeof parsed.streak === "number" ? parsed.streak : 0
+    };
+  } catch {
+    return { lastDate: null, streak: 0 };
+  }
+}
+function nextStreakState(prev, qualifiesToday, todayDate) {
+  if (!qualifiesToday) return { lastDate: todayDate, streak: 0 };
+  if (prev.lastDate === todayDate) return prev;
+  return { lastDate: todayDate, streak: prev.streak + 1 };
+}
+function computeIdleKillSuspectStreak(prev, killsToday, liveSessions, todayDate) {
+  const qualifies = killsToday === 0 && liveSessions >= IDLE_KILL_MIN_LIVE_SESSIONS;
+  const state = nextStreakState(prev, qualifies, todayDate);
+  return {
+    state,
+    suspect: state.streak >= IDLE_KILL_SUSPECT_DAY_THRESHOLD
+  };
+}
+async function sumTokensSavedSince(sinceISO) {
+  try {
+    const client = getClient();
+    const result = await client.execute({
+      sql: `SELECT COALESCE(SUM(estimated_tokens_saved), 0) AS total
+            FROM session_kills
+            WHERE killed_at >= ?`,
+      args: [sinceISO]
+    });
+    const row = result.rows[0];
+    return row ? Number(row.total) : 0;
+  } catch {
+    return 0;
+  }
+}
+
+export {
+  TOKENS_PER_IDLE_MINUTE,
+  recordSessionKill,
+  countKillsSince,
+  IDLE_KILL_STREAK_META_KEY,
+  IDLE_KILL_SUSPECT_DAY_THRESHOLD,
+  IDLE_KILL_MIN_LIVE_SESSIONS,
+  parseStreakState,
+  computeIdleKillSuspectStreak,
+  sumTokensSavedSince
+};