@aurora-foundation/obsidian-next 0.4.7 → 0.4.9

package/dist/chunk-K4CHTTCJ.js

@@ -0,0 +1,942 @@
+import {
+  context
+} from "./chunk-DPNIQWKZ.js";
+import {
+  config
+} from "./chunk-G3CZKGYA.js";
+import {
+  settings
+} from "./chunk-HRKJ3R2U.js";
+import {
+  bus
+} from "./chunk-WQM6FFSD.js";
+import {
+  db
+} from "./chunk-R6P2E2ZQ.js";
+
+// src/core/scheduler.ts
+import cronParser from "cron-parser";
+
+// src/core/auditLog.ts
+import fs from "fs/promises";
+import path from "path";
+import os from "os";
+
+// src/core/redactor.ts
+var BUILTIN_RULES = [
+  // Email addresses
+  {
+    name: "email",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    replacement: "[REDACTED:email]",
+    enabled: true,
+    description: "Email addresses"
+  },
+  // Phone numbers (various formats) - must have separators to avoid false positives
+  {
+    name: "phone",
+    pattern: /(\+?1[-.\s])?\(?\d{3}\)?[-.\s]\d{3,4}[-.\s]\d{4}\b/g,
+    replacement: "[REDACTED:phone]",
+    enabled: true,
+    description: "Phone numbers (US format with separators)"
+  },
+  // Social Security Numbers
+  {
+    name: "ssn",
+    pattern: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g,
+    replacement: "[REDACTED:ssn]",
+    enabled: true,
+    description: "Social Security Numbers"
+  },
+  // Credit card numbers (basic patterns)
+  {
+    name: "credit-card",
+    pattern: /\b(?:4\d{3}|5[1-5]\d{2}|6(?:011|5\d{2})|3[47]\d{2})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g,
+    replacement: "[REDACTED:credit-card]",
+    enabled: true,
+    description: "Credit card numbers"
+  },
+  // AWS Access Keys
+  {
+    name: "aws-access-key",
+    pattern: /\b(AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}\b/g,
+    replacement: "[REDACTED:aws-key]",
+    enabled: true,
+    description: "AWS access key IDs"
+  },
+  // AWS Secret Keys (40 char base64-like)
+  {
+    name: "aws-secret-key",
+    pattern: /\b[A-Za-z0-9/+=]{40}\b/g,
+    replacement: (match) => {
+      if (/[A-Z]/.test(match) && /[a-z]/.test(match) && /[/+=]/.test(match)) {
+        return "[REDACTED:aws-secret]";
+      }
+      return match;
+    },
+    enabled: true,
+    description: "AWS secret access keys"
+  },
+  // Anthropic API Keys
+  {
+    name: "anthropic-key",
+    pattern: /\bsk-ant-[a-zA-Z0-9-_]{20,}/g,
+    replacement: "[REDACTED:anthropic-key]",
+    enabled: true,
+    description: "Anthropic API keys"
+  },
+  // OpenAI API Keys (start with sk- but not sk-ant-, may contain hyphens)
+  {
+    name: "openai-key",
+    pattern: /sk-(?!ant)[a-zA-Z0-9-]{20,}/g,
+    replacement: "[REDACTED:openai-key]",
+    enabled: true,
+    description: "OpenAI API keys"
+  },
+  // Generic API keys (common patterns)
+  {
+    name: "api-key-generic",
+    pattern: /\b(api[_-]?key|apikey|api[_-]?secret|api[_-]?token)\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+    replacement: (match) => {
+      const keyName = match.split(/[=:]/)[0].trim();
+      return `${keyName}=[REDACTED:api-key]`;
+    },
+    enabled: true,
+    description: "Generic API keys in config"
+  },
+  // Passwords in config files (various naming conventions)
+  {
+    name: "password-config",
+    pattern: /\b([A-Z_]*(?:PASSWORD|PASSWD|PWD|SECRET)[A-Z_]*)\s*[=:]\s*['"]?([^'"\s\n]{4,})['"]?/gi,
+    replacement: (match) => {
+      const keyName = match.split(/[=:]/)[0].trim();
+      return `${keyName}=[REDACTED:password]`;
+    },
+    enabled: true,
+    description: "Passwords in configuration"
+  },
+  // Private keys (PEM format)
+  {
+    name: "private-key",
+    pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(RSA\s+)?PRIVATE\s+KEY-----/g,
+    replacement: "[REDACTED:private-key]",
+    enabled: true,
+    description: "PEM private keys"
+  },
+  // JWT tokens
+  {
+    name: "jwt",
+    pattern: /\beyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+    replacement: "[REDACTED:jwt]",
+    enabled: true,
+    description: "JWT tokens"
+  },
+  // GitHub tokens (various prefixes)
+  {
+    name: "github-token",
+    pattern: /(ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{20,}/g,
+    replacement: "[REDACTED:github-token]",
+    enabled: true,
+    description: "GitHub tokens"
+  },
+  // Stripe keys
+  {
+    name: "stripe-key",
+    pattern: /\b(sk|pk)_(test|live)_[a-zA-Z0-9]{24,}/g,
+    replacement: "[REDACTED:stripe-key]",
+    enabled: true,
+    description: "Stripe API keys"
+  },
+  // IP addresses (private networks only by default)
+  {
+    name: "private-ip",
+    pattern: /\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/g,
+    replacement: "[REDACTED:private-ip]",
+    enabled: false,
+    // Disabled by default - may cause issues with code
+    description: "Private IP addresses"
+  },
+  // GitHub Fine-grained Personal Access Tokens (newer format)
+  {
+    name: "github-fine-grained-pat",
+    pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g,
+    replacement: "[REDACTED:github-pat]",
+    enabled: true,
+    description: "GitHub fine-grained personal access tokens"
+  },
+  // Slack tokens (various types)
+  {
+    name: "slack-token",
+    pattern: /xox[baprs]-[a-zA-Z0-9-]{10,}/g,
+    replacement: "[REDACTED:slack-token]",
+    enabled: true,
+    description: "Slack API tokens"
+  },
+  // Discord tokens
+  {
+    name: "discord-token",
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g,
+    replacement: "[REDACTED:discord-token]",
+    enabled: true,
+    description: "Discord bot tokens"
+  },
+  // Google API keys
+  {
+    name: "google-api-key",
+    pattern: /AIza[0-9A-Za-z\\-_]{35}/g,
+    replacement: "[REDACTED:google-api-key]",
+    enabled: true,
+    description: "Google API keys"
+  },
+  // Twilio keys
+  {
+    name: "twilio-key",
+    pattern: /SK[a-f0-9]{32}/g,
+    replacement: "[REDACTED:twilio-key]",
+    enabled: true,
+    description: "Twilio API keys"
+  },
+  // SendGrid keys
+  {
+    name: "sendgrid-key",
+    pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+    replacement: "[REDACTED:sendgrid-key]",
+    enabled: true,
+    description: "SendGrid API keys"
+  },
+  // NPM tokens
+  {
+    name: "npm-token",
+    pattern: /npm_[a-zA-Z0-9]{36}/g,
+    replacement: "[REDACTED:npm-token]",
+    enabled: true,
+    description: "NPM access tokens"
+  },
+  // PyPI tokens
+  {
+    name: "pypi-token",
+    pattern: /pypi-[a-zA-Z0-9_-]{100,}/g,
+    replacement: "[REDACTED:pypi-token]",
+    enabled: true,
+    description: "PyPI API tokens"
+  },
+  // Database connection strings
+  {
+    name: "db-connection-string",
+    pattern: /(mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^\s'"]+/gi,
+    replacement: "[REDACTED:db-connection-string]",
+    enabled: true,
+    description: "Database connection strings"
+  },
+  // Bearer tokens in headers
+  {
+    name: "bearer-token",
+    pattern: /Bearer\s+[a-zA-Z0-9_-]{20,}/gi,
+    replacement: "Bearer [REDACTED:bearer-token]",
+    enabled: true,
+    description: "Bearer authentication tokens"
+  },
+  // Basic auth in URLs
+  {
+    name: "basic-auth-url",
+    pattern: /:\/\/[^:]+:[^@]+@/g,
+    replacement: "://[REDACTED:credentials]@",
+    enabled: true,
+    description: "Basic auth credentials in URLs"
+  }
+];
+var Redactor = class {
+  rules = [...BUILTIN_RULES];
+  enabled = true;
+  allowlist = /* @__PURE__ */ new Set();
+  /**
+   * Enable or disable redaction globally
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Check if redaction is enabled
+   */
+  isEnabled() {
+    return this.enabled;
+  }
+  /**
+   * Enable or disable a specific rule
+   */
+  setRuleEnabled(ruleName, enabled) {
+    const rule = this.rules.find((r) => r.name === ruleName);
+    if (rule) {
+      rule.enabled = enabled;
+    }
+  }
+  /**
+   * Add a pattern to the allowlist (won't be redacted)
+   */
+  addToAllowlist(pattern) {
+    this.allowlist.add(pattern);
+  }
+  /**
+   * Remove a pattern from the allowlist
+   */
+  removeFromAllowlist(pattern) {
+    this.allowlist.delete(pattern);
+  }
+  /**
+   * Add a custom redaction rule
+   */
+  addRule(rule) {
+    this.rules.push(rule);
+  }
+  /**
+   * Get all available rules
+   */
+  getRules() {
+    return this.rules;
+  }
+  /**
+   * Redact sensitive information from text
+   */
+  redact(text) {
+    if (!this.enabled || !text) {
+      return { text, redactionCount: 0, redactedTypes: [] };
+    }
+    let result = text;
+    let totalRedactions = 0;
+    const redactedTypes = /* @__PURE__ */ new Set();
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      const matches = text.match(rule.pattern);
+      if (matches) {
+        for (const match of matches) {
+          if (this.allowlist.has(match)) continue;
+          const replacement = typeof rule.replacement === "function" ? rule.replacement(match) : rule.replacement;
+          if (replacement !== match) {
+            result = result.replace(match, replacement);
+            totalRedactions++;
+            redactedTypes.add(rule.name);
+          }
+        }
+      }
+    }
+    return {
+      text: result,
+      redactionCount: totalRedactions,
+      redactedTypes: Array.from(redactedTypes)
+    };
+  }
+  /**
+   * Redact tool output specifically (used before sending to LLM)
+   */
+  redactToolOutput(toolName, output) {
+    return this.redact(output);
+  }
+  /**
+   * Check if text contains any sensitive patterns
+   */
+  containsSensitiveData(text) {
+    if (!text) {
+      return { hasSensitive: false, types: [] };
+    }
+    const types = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      if (rule.pattern.test(text)) {
+        types.push(rule.name);
+      }
+    }
+    return { hasSensitive: types.length > 0, types };
+  }
+  /**
+   * Get statistics about what would be redacted
+   */
+  analyze(text) {
+    const stats = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      rule.pattern.lastIndex = 0;
+      const matches = text.match(rule.pattern) || [];
+      if (matches.length > 0) {
+        stats.push({
+          ruleName: rule.name,
+          count: matches.length,
+          // Only show first 3 examples, partially masked
+          examples: matches.slice(0, 3).map(
+            (m) => m.length > 10 ? m.slice(0, 5) + "..." + m.slice(-3) : "***"
+          )
+        });
+      }
+    }
+    return stats;
+  }
+};
+var redactor = new Redactor();
+
+// src/core/auditLog.ts
+var LOG_DIR = ".obsidian-next";
+var LOG_FILE = "audit.log";
+var MAX_LOG_SIZE = 10 * 1024 * 1024;
+var AuditLogger = class {
+  logPath;
+  sessionId;
+  enabled = true;
+  writeQueue = [];
+  isWriting = false;
+  constructor() {
+    this.logPath = path.join(os.homedir(), LOG_DIR, LOG_FILE);
+    this.sessionId = `sess_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+  }
+  /**
+   * Initialize the audit logger
+   */
+  async init() {
+    const s = await settings.load();
+    this.enabled = s.security?.auditLogging ?? true;
+    if (!this.enabled) return;
+    const dir = path.dirname(this.logPath);
+    await fs.mkdir(dir, { recursive: true });
+    await this.rotateIfNeeded();
+    const cfg = await config.load();
+    await this.log({
+      eventType: "session_start",
+      success: true,
+      metadata: {
+        cwd: cfg.workspaceRoot,
+        pid: process.pid,
+        nodeVersion: process.version
+      }
+    });
+  }
+  /**
+   * Set the session ID (called from agent)
+   */
+  setSessionId(sessionId) {
+    this.sessionId = sessionId;
+  }
+  /**
+   * Enable or disable logging
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Log a command execution
+   */
+  async logCommand(command, success, reason) {
+    await this.log({
+      eventType: success ? "command_executed" : "command_blocked",
+      tool: "bash",
+      command: redactor.redact(command).text,
+      success,
+      reason
+    });
+  }
+  /**
+   * Log a file operation
+   */
+  async logFileOperation(operation, filePath, success, reason) {
+    const eventMap = {
+      read: "file_read",
+      write: "file_write",
+      edit: "file_edit",
+      delete: "file_delete"
+    };
+    await this.log({
+      eventType: eventMap[operation],
+      filePath,
+      success,
+      reason
+    });
+  }
+  /**
+   * Log an approval decision
+   */
+  async logApproval(status, command, reason) {
+    const eventMap = {
+      requested: "approval_requested",
+      granted: "approval_granted",
+      denied: "approval_denied",
+      timeout: "approval_timeout"
+    };
+    await this.log({
+      eventType: eventMap[status],
+      command,
+      success: status === "granted",
+      reason
+    });
+  }
+  /**
+   * Log a security violation
+   */
+  async logSecurityViolation(command, reason) {
+    await this.log({
+      eventType: "security_violation",
+      command,
+      success: false,
+      reason
+    });
+  }
+  /**
+   * Log a system event
+   */
+  async logSystemEvent(event, metadata) {
+    await this.log({
+      eventType: "security_violation",
+      // Mapping generic system events to generic log type for now, or add new type
+      command: event,
+      success: false,
+      // Usually error events
+      reason: JSON.stringify(metadata)
+    });
+  }
+  /**
+   * Log PII redaction
+   */
+  async logRedaction(count, types) {
+    await this.log({
+      eventType: "pii_redacted",
+      success: true,
+      metadata: { count, types }
+    });
+  }
+  /**
+   * Core logging function
+   */
+  async log(entry) {
+    if (!this.enabled) return;
+    const fullEntry = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId: this.sessionId,
+      ...entry
+    };
+    this.writeQueue.push(fullEntry);
+    if (!this.isWriting) {
+      await this.processQueue();
+    }
+  }
+  /**
+   * Process the write queue
+   */
+  async processQueue() {
+    if (this.isWriting || this.writeQueue.length === 0) return;
+    this.isWriting = true;
+    try {
+      const entries = [...this.writeQueue];
+      this.writeQueue = [];
+      const lines = entries.map((e) => JSON.stringify(e)).join("\n") + "\n";
+      await fs.appendFile(this.logPath, lines, {
+        encoding: "utf-8",
+        mode: 384
+      });
+    } catch (error) {
+    } finally {
+      this.isWriting = false;
+      if (this.writeQueue.length > 0) {
+        setImmediate(() => this.processQueue());
+      }
+    }
+  }
+  /**
+   * Rotate log file if too large
+   */
+  async rotateIfNeeded() {
+    try {
+      const stats = await fs.stat(this.logPath);
+      if (stats.size >= MAX_LOG_SIZE) {
+        const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+        const rotatedPath = this.logPath.replace(".log", `.${timestamp}.log`);
+        await fs.rename(this.logPath, rotatedPath);
+        await this.cleanupOldLogs();
+      }
+    } catch {
+    }
+  }
+  /**
+   * Clean up old rotated log files
+   */
+  async cleanupOldLogs() {
+    try {
+      const dir = path.dirname(this.logPath);
+      const files = await fs.readdir(dir);
+      const auditLogs = files.filter(
+        (f) => f.startsWith("audit.") && f.endsWith(".log") && f !== "audit.log"
+      ).sort().reverse();
+      for (const file of auditLogs.slice(5)) {
+        await fs.unlink(path.join(dir, file));
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get recent audit entries formatted for display
+   */
+  async getRecentActivities(count = 50) {
+    const entries = await this.getRecentEntries(count);
+    return entries.map((entry) => {
+      let content = "";
+      let color = "white";
+      switch (entry.eventType) {
+        case "command_executed":
+          content = `CMD: ${entry.command || "unknown command"}`;
+          color = "blue";
+          break;
+        case "command_blocked":
+        case "command_denied":
+        case "security_violation":
+          content = `SECURITY: ${entry.reason || entry.command || "security event"}`;
+          color = "red";
+          break;
+        case "approval_requested":
+          content = `APPROVAL: Requested for "${entry.command || "action"}"`;
+          color = "yellow";
+          break;
+        case "approval_granted":
+          content = `APPROVAL: Granted for "${entry.command || "action"}"`;
+          color = "green";
+          break;
+        case "approval_denied":
+          content = `APPROVAL: Denied for "${entry.command || "action"}"`;
+          color = "red";
+          break;
+        case "file_read":
+          content = `FILE: Read ${entry.filePath}`;
+          color = "cyan";
+          break;
+        case "file_write":
+          content = `FILE: Wrote ${entry.filePath}`;
+          color = "magenta";
+          break;
+        case "file_edit":
+          content = `FILE: Edited ${entry.filePath}`;
+          color = "magentaBright";
+          break;
+        case "file_delete":
+          content = `FILE: Deleted ${entry.filePath}`;
+          color = "redBright";
+          break;
+        case "session_start":
+          content = `SESSION: Started`;
+          color = "green";
+          break;
+        case "session_end":
+          content = `SESSION: Ended`;
+          color = "gray";
+          break;
+        case "pii_redacted":
+          content = `SECURITY: PII Redacted (${entry.metadata?.count || 0} items)`;
+          color = "yellow";
+          break;
+        default:
+          content = `EVENT: ${entry.eventType}`;
+          break;
+      }
+      if (entry.filePath && entry.filePath.length > 50) {
+        content = content.replace(
+          entry.filePath,
+          `...${entry.filePath.slice(-47)}`
+        );
+      }
+      return {
+        timestamp: new Date(entry.timestamp).toLocaleTimeString(),
+        content,
+        color
+      };
+    }).reverse();
+  }
+  /**
+   * Get recent audit entries
+   */
+  async getRecentEntries(count = 100) {
+    try {
+      const content = await fs.readFile(this.logPath, "utf-8");
+      const lines = content.trim().split("\n").filter((l) => l);
+      const entries = lines.slice(-count).map((line) => {
+        try {
+          return JSON.parse(line);
+        } catch {
+          return null;
+        }
+      }).filter((e) => e !== null);
+      return entries;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Search audit log by event type or command
+   */
+  async search(query) {
+    const entries = await this.getRecentEntries(1e3);
+    return entries.filter((e) => {
+      if (query.eventType && e.eventType !== query.eventType) return false;
+      if (query.command && (!e.command || !e.command.includes(query.command)))
+        return false;
+      if (query.since && new Date(e.timestamp) < query.since) return false;
+      return true;
+    });
+  }
+  /**
+   * Log session end (call on shutdown)
+   */
+  async close() {
+    if (!this.enabled) return;
+    await this.log({
+      eventType: "session_end",
+      success: true
+    });
+    await this.processQueue();
+  }
+};
+var auditLog = new AuditLogger();
+
+// src/core/scheduler.ts
+var parseExpression = cronParser.parseExpression || cronParser.default?.parseExpression || cronParser.parse || cronParser.default?.parse;
+var MAX_CONSECUTIVE_FAILURES = 3;
+var Scheduler = class _Scheduler {
+  static instance;
+  abilities = /* @__PURE__ */ new Map();
+  timer = null;
+  isRunning = false;
+  failureCounts = /* @__PURE__ */ new Map();
+  constructor() {
+  }
+  static getInstance() {
+    if (!_Scheduler.instance) {
+      _Scheduler.instance = new _Scheduler();
+    }
+    return _Scheduler.instance;
+  }
+  /**
+   * Initialize the scheduler loop
+   */
+  start() {
+    if (this.isRunning) return;
+    this.isRunning = true;
+    this.tick().catch(
+      (err) => bus.emitAgent({
+        type: "error",
+        message: `[Scheduler] Initial tick failed: ${err instanceof Error ? err.message : String(err)}`
+      })
+    );
+    this.timer = setInterval(() => this.tick(), 1e4);
+    bus.emitAgent({
+      type: "thought",
+      content: "[Obsidian] Started background task monitor [Active Heartbeat]"
+    });
+  }
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+    this.isRunning = false;
+  }
+  /**
+   * Register a new ability that can be scheduled
+   */
+  registerAbility(name, func) {
+    this.abilities.set(name, func);
+  }
+  /**
+   * Get list of registered abilities
+   */
+  getAbilities() {
+    return Array.from(this.abilities.keys());
+  }
+  /**
+   * Schedule a new task
+   */
+  async scheduleTask(cronExpression, abilityName, params = {}) {
+    try {
+      parseExpression(cronExpression);
+    } catch (err) {
+      throw new Error(`Invalid cron expression: ${cronExpression}`);
+    }
+    if (!this.abilities.has(abilityName)) {
+      throw new Error(`Unknown ability: ${abilityName}`);
+    }
+    const id = `task_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`;
+    const sessionId = context.get().session_id;
+    const task = {
+      id,
+      session_id: sessionId,
+      cron_expression: cronExpression,
+      command: abilityName,
+      params: JSON.stringify(params),
+      last_run_at: Date.now(),
+      active: 1
+    };
+    db.getDb().prepare(
+      `
+            INSERT INTO scheduled_tasks (id, session_id, cron_expression, command, params, last_run_at, active)
+            VALUES (?, ?, ?, ?, ?, ?, ?)
+        `
+    ).run(
+      task.id,
+      task.session_id,
+      task.cron_expression,
+      task.command,
+      task.params,
+      task.last_run_at,
+      task.active
+    );
+    bus.emitAgent({
+      type: "thought",
+      content: `[Scheduler] Scheduled ${abilityName} (${cronExpression})`
+    });
+    return task;
+  }
+  /**
+   * List all active tasks
+   */
+  listTasks() {
+    const tasks = db.getDb().prepare(
+      `
+            SELECT * FROM scheduled_tasks WHERE active = 1
+        `
+    ).all();
+    return tasks.map((t) => {
+      try {
+        const interval = parseExpression(t.cron_expression);
+        t.next_run_at = interval.next().getTime();
+      } catch {
+        t.next_run_at = 0;
+      }
+      return t;
+    });
+  }
+  /**
+   * Main execution loop
+   */
+  async tick() {
+    const tasks = this.listTasks();
+    const now = Date.now();
+    for (const task of tasks) {
+      try {
+        const baseline = task.last_run_at || now - 61e3;
+        let taskParams = {};
+        try {
+          taskParams = task.params ? JSON.parse(task.params) : {};
+        } catch {
+        }
+        if (taskParams.__once && taskParams.__target) {
+          if (now >= taskParams.__target) {
+            await this.executeTask(task);
+          }
+          continue;
+        }
+        const interval = parseExpression(task.cron_expression, {
+          currentDate: baseline
+        });
+        const nextRun = interval.next().getTime();
+        if (nextRun <= now) {
+          await this.executeTask(task);
+        }
+      } catch (error) {
+        bus.emitAgent({
+          type: "error",
+          message: `[Scheduler] Error checking task ${task.id}: ${error instanceof Error ? error.message : String(error)}`
+        });
+      }
+    }
+  }
+  async executeTask(task) {
+    const ability = this.abilities.get(task.command);
+    if (!ability) {
+      bus.emitAgent({
+        type: "error",
+        message: `[Scheduler] Ability "${task.command}" not found. Disabling task ${task.id}.`
+      });
+      db.getDb().prepare("UPDATE scheduled_tasks SET active = 0 WHERE id = ?").run(task.id);
+      return;
+    }
+    bus.emitAgent({
+      type: "scheduler_task_started",
+      taskId: task.id,
+      command: task.command
+    });
+    try {
+      let params = {};
+      if (task.params) {
+        try {
+          params = JSON.parse(task.params);
+        } catch {
+        }
+      }
+      await ability(params);
+      bus.emitAgent({
+        type: "scheduler_task_completed",
+        taskId: task.id,
+        command: task.command
+      });
+      this.failureCounts.delete(task.id);
+      if (params.__once) {
+        db.getDb().prepare(`UPDATE scheduled_tasks SET active = 0 WHERE id = ?`).run(task.id);
+        bus.emitAgent({
+          type: "thought",
+          content: `[Scheduler] One-time task ${task.id} completed and deactivated.`
+        });
+      }
+    } catch (error) {
+      await auditLog.logSystemEvent("scheduler_error", {
+        taskId: task.id,
+        error: error.message
+      });
+      bus.emitAgent({
+        type: "scheduler_task_failed",
+        taskId: task.id,
+        command: task.command,
+        error: error.message
+      });
+      const failures = (this.failureCounts.get(task.id) || 0) + 1;
+      this.failureCounts.set(task.id, failures);
+      if (failures >= MAX_CONSECUTIVE_FAILURES) {
+        db.getDb().prepare("UPDATE scheduled_tasks SET active = 0 WHERE id = ?").run(task.id);
+        this.failureCounts.delete(task.id);
+        bus.emitAgent({
+          type: "error",
+          message: `[Scheduler] Task ${task.id} (${task.command}) disabled after ${MAX_CONSECUTIVE_FAILURES} consecutive failures.`
+        });
+      } else {
+        bus.emitAgent({
+          type: "error",
+          message: `[Scheduler] Task ${task.id} (${task.command}) failed: ${error.message} (${failures}/${MAX_CONSECUTIVE_FAILURES} before auto-disable)`
+        });
+      }
+    } finally {
+      db.getDb().prepare(
+        `
+                UPDATE scheduled_tasks SET last_run_at = ? WHERE id = ?
+            `
+      ).run(Date.now(), task.id);
+    }
+  }
+  /**
+   * Remove (deactivate) a scheduled task
+   */
+  async removeTask(taskId) {
+    const result = db.getDb().prepare(
+      `
+            UPDATE scheduled_tasks SET active = 0 WHERE id = ?
+        `
+    ).run(taskId);
+    if (result.changes && result.changes > 0) {
+      bus.emitAgent({
+        type: "thought",
+        content: `[Scheduler] Deactivated task: ${taskId}`
+      });
+      return true;
+    }
+    return false;
+  }
+};
+var scheduler = Scheduler.getInstance();
+
+export {
+  redactor,
+  auditLog,
+  Scheduler,
+  scheduler
+};