@cognisos/liminal 2.3.0 → 2.4.1

package/dist/bin.js

@@ -1,7 +1,84 @@
 #!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/rsc/pipeline.ts
+var pipeline_exports = {};
+__export(pipeline_exports, {
+  RSCPipelineWrapper: () => RSCPipelineWrapper
+});
+import {
+  CompressionPipeline,
+  RSCTransport,
+  RSCEventEmitter,
+  Session,
+  CircuitBreaker
+} from "@cognisos/rsc-sdk";
+var RSCPipelineWrapper;
+var init_pipeline = __esm({
+  "src/rsc/pipeline.ts"() {
+    "use strict";
+    RSCPipelineWrapper = class {
+      pipeline;
+      session;
+      events;
+      transport;
+      circuitBreaker;
+      constructor(config) {
+        this.circuitBreaker = new CircuitBreaker(5, 5 * 60 * 1e3);
+        this.transport = new RSCTransport({
+          baseUrl: config.rscBaseUrl,
+          apiKey: config.rscApiKey,
+          timeout: 3e4,
+          maxRetries: 3,
+          circuitBreaker: this.circuitBreaker
+        });
+        this.events = new RSCEventEmitter();
+        this.session = new Session(config.sessionId);
+        this.pipeline = new CompressionPipeline(
+          this.transport,
+          {
+            threshold: config.compressionThreshold,
+            learnFromResponses: config.learnFromResponses,
+            latencyBudgetMs: config.latencyBudgetMs,
+            sessionId: this.session.sessionId
+          },
+          this.events
+        );
+      }
+      async healthCheck() {
+        try {
+          await this.transport.get("/health");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      getSessionSummary() {
+        return this.session.getSummary();
+      }
+      getCircuitState() {
+        return this.circuitBreaker.getState();
+      }
+      isCircuitOpen() {
+        return this.circuitBreaker.getState() === "open";
+      }
+      resetCircuitBreaker() {
+        this.circuitBreaker.reset();
+      }
+    };
+  }
+});
 
 // src/version.ts
-var VERSION = true ? "2.3.0" : "0.2.1";
+var VERSION = true ? "2.4.1" : "0.2.1";
 var BANNER_LINES = [
   " ___       ___  _____ ______   ___  ________   ________  ___",
   "|\\  \\     |\\  \\|\\   _ \\  _   \\|\\  \\|\\   ___  \\|\\   __  \\|\\  \\",
@@ -21,15 +98,8 @@ function printBanner() {
   console.log();
 }
 
-// src/commands/init.ts
-import { createInterface as createInterface2 } from "readline/promises";
-import { stdin as stdin2, stdout as stdout2 } from "process";
-import { existsSync as existsSync2, readFileSync as readFileSync2, appendFileSync } from "fs";
-import { join as join2 } from "path";
-import { homedir as homedir2 } from "os";
-
 // src/config/loader.ts
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from "fs";
 import { dirname } from "path";
 
 // src/config/paths.ts
@@ -43,16 +113,26 @@ var LOG_FILE = join(LOG_DIR, "liminal.log");
 
 // src/config/schema.ts
 var DEFAULTS = {
-  apiBaseUrl: "https://rsc-platform-production.up.railway.app",
+  apiBaseUrl: "https://api.cognisos.ai",
   upstreamBaseUrl: "https://api.openai.com",
   anthropicUpstreamUrl: "https://api.anthropic.com",
   port: 3141,
   compressionThreshold: 100,
-  compressRoles: ["user"],
+  aggregateThreshold: 500,
+  hotFraction: 0.3,
+  coldFraction: 0.3,
+  compressRoles: ["user", "assistant"],
+  compressToolResults: true,
   learnFromResponses: true,
   latencyBudgetMs: 5e3,
   enabled: true,
-  tools: []
+  tools: [],
+  concurrencyLimit: 6,
+  concurrencyTimeoutMs: 15e3,
+  maxSessions: 10,
+  sessionTtlMs: 18e5,
+  latencyWarningMs: 4e3,
+  latencyCriticalMs: 8e3
 };
 var CONFIGURABLE_KEYS = /* @__PURE__ */ new Set([
   "apiBaseUrl",
@@ -60,11 +140,21 @@ var CONFIGURABLE_KEYS = /* @__PURE__ */ new Set([
   "anthropicUpstreamUrl",
   "port",
   "compressionThreshold",
+  "aggregateThreshold",
+  "hotFraction",
+  "coldFraction",
   "compressRoles",
+  "compressToolResults",
   "learnFromResponses",
   "latencyBudgetMs",
   "enabled",
-  "tools"
+  "tools",
+  "concurrencyLimit",
+  "concurrencyTimeoutMs",
+  "maxSessions",
+  "sessionTtlMs",
+  "latencyWarningMs",
+  "latencyCriticalMs"
 ]);
 
 // src/config/loader.ts
@@ -84,11 +174,21 @@ function loadConfig() {
     anthropicUpstreamUrl: DEFAULTS.anthropicUpstreamUrl,
     port: DEFAULTS.port,
     compressionThreshold: DEFAULTS.compressionThreshold,
+    aggregateThreshold: DEFAULTS.aggregateThreshold,
+    hotFraction: DEFAULTS.hotFraction,
+    coldFraction: DEFAULTS.coldFraction,
     compressRoles: DEFAULTS.compressRoles,
+    compressToolResults: DEFAULTS.compressToolResults,
     learnFromResponses: DEFAULTS.learnFromResponses,
     latencyBudgetMs: DEFAULTS.latencyBudgetMs,
     enabled: DEFAULTS.enabled,
     tools: DEFAULTS.tools,
+    concurrencyLimit: DEFAULTS.concurrencyLimit,
+    concurrencyTimeoutMs: DEFAULTS.concurrencyTimeoutMs,
+    maxSessions: DEFAULTS.maxSessions,
+    sessionTtlMs: DEFAULTS.sessionTtlMs,
+    latencyWarningMs: DEFAULTS.latencyWarningMs,
+    latencyCriticalMs: DEFAULTS.latencyCriticalMs,
     ...fileConfig
   };
   if (process.env.LIMINAL_API_KEY) merged.apiKey = process.env.LIMINAL_API_KEY;
@@ -111,11 +211,15 @@ function saveConfig(config) {
     }
   }
   const merged = { ...existing, ...config };
-  writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + "\n", "utf-8");
+  writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  try {
+    chmodSync(CONFIG_FILE, 384);
+  } catch {
+  }
 }
 function ensureDirectories() {
-  if (!existsSync(LIMINAL_DIR)) mkdirSync(LIMINAL_DIR, { recursive: true });
-  if (!existsSync(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true });
+  if (!existsSync(LIMINAL_DIR)) mkdirSync(LIMINAL_DIR, { recursive: true, mode: 448 });
+  if (!existsSync(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true, mode: 448 });
   const configDir = dirname(CONFIG_FILE);
   if (!existsSync(configDir)) mkdirSync(configDir, { recursive: true });
 }
@@ -132,6 +236,99 @@ function maskApiKey(key) {
   return key.slice(0, 8) + "..." + key.slice(-4);
 }
 
+// src/config/shell.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, appendFileSync } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+var LIMINAL_BLOCK_HEADER = "# Liminal \u2014 route AI tools through compression proxy";
+function detectShellProfile() {
+  const shell = process.env.SHELL || "";
+  const home = homedir2();
+  if (shell.endsWith("/zsh")) {
+    return { name: "~/.zshrc", path: join2(home, ".zshrc") };
+  }
+  if (shell.endsWith("/bash")) {
+    const bashProfile = join2(home, ".bash_profile");
+    if (existsSync2(bashProfile)) {
+      return { name: "~/.bash_profile", path: bashProfile };
+    }
+    return { name: "~/.bashrc", path: join2(home, ".bashrc") };
+  }
+  const candidates = [
+    { name: "~/.zshrc", path: join2(home, ".zshrc") },
+    { name: "~/.bashrc", path: join2(home, ".bashrc") },
+    { name: "~/.profile", path: join2(home, ".profile") }
+  ];
+  for (const c of candidates) {
+    if (existsSync2(c.path)) return c;
+  }
+  return null;
+}
+function lineExistsInFile(filePath, line) {
+  if (!existsSync2(filePath)) return false;
+  try {
+    const content = readFileSync2(filePath, "utf-8");
+    return content.includes(line);
+  } catch {
+    return false;
+  }
+}
+function appendToShellProfile(profile, lines) {
+  const newLines = lines.filter((line) => !lineExistsInFile(profile.path, line));
+  if (newLines.length === 0) return [];
+  const block = [
+    "",
+    LIMINAL_BLOCK_HEADER,
+    ...newLines
+  ].join("\n") + "\n";
+  appendFileSync(profile.path, block, "utf-8");
+  return newLines;
+}
+function removeLiminalFromShellProfile(profile) {
+  if (!existsSync2(profile.path)) return [];
+  let content;
+  try {
+    content = readFileSync2(profile.path, "utf-8");
+  } catch {
+    return [];
+  }
+  const lines = content.split("\n");
+  const removed = [];
+  const kept = [];
+  for (const line of lines) {
+    if (line.trim() === LIMINAL_BLOCK_HEADER) {
+      removed.push(line);
+      continue;
+    }
+    if (isLiminalExportLine(line)) {
+      removed.push(line);
+      continue;
+    }
+    kept.push(line);
+  }
+  if (removed.length > 0) {
+    const cleaned = kept.join("\n").replace(/\n{3,}/g, "\n\n");
+    writeFileSync2(profile.path, cleaned, "utf-8");
+  }
+  return removed;
+}
+function isLiminalExportLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed.startsWith("export ")) return false;
+  if (trimmed.includes("ANTHROPIC_BASE_URL=http://127.0.0.1:")) return true;
+  if (trimmed.includes("OPENAI_BASE_URL=http://127.0.0.1:")) return true;
+  return false;
+}
+function findLiminalExportsInProfile(profile) {
+  if (!existsSync2(profile.path)) return [];
+  try {
+    const content = readFileSync2(profile.path, "utf-8");
+    return content.split("\n").filter(isLiminalExportLine);
+  } catch {
+    return [];
+  }
+}
+
 // src/ui/prompts.ts
 var ANSI = {
   HIDE_CURSOR: "\x1B[?25l",
@@ -190,23 +387,23 @@ function renderMultiSelect(options, cursorIndex, selected, message) {
     lines.push(`  ${pointer} ${box} ${label}${desc}`);
   }
   lines.push("");
-  lines.push(`  ${ANSI.DIM}Space to toggle, Enter to confirm${ANSI.RESET}`);
+  lines.push(`  ${ANSI.DIM}\u2191/\u2193 Navigate  ${ANSI.RESET}${ANSI.CYAN}Space${ANSI.RESET}${ANSI.DIM} Select  ${ANSI.RESET}${ANSI.CYAN}Enter${ANSI.RESET}${ANSI.DIM} Confirm${ANSI.RESET}`);
   lines.push("");
   return { text: lines.join("\n"), lineCount: lines.length };
 }
 function withRawMode(streams, handler) {
-  const { stdin: stdin3, stdout: stdout3 } = streams;
+  const { stdin: stdin2, stdout: stdout2 } = streams;
   return new Promise((resolve, reject) => {
     let cleaned = false;
     function cleanup() {
       if (cleaned) return;
       cleaned = true;
-      stdin3.removeListener("data", onData);
-      if (stdin3.setRawMode) stdin3.setRawMode(false);
-      if ("pause" in stdin3 && typeof stdin3.pause === "function") {
-        stdin3.pause();
+      stdin2.removeListener("data", onData);
+      if (stdin2.setRawMode) stdin2.setRawMode(false);
+      if ("pause" in stdin2 && typeof stdin2.pause === "function") {
+        stdin2.pause();
       }
-      stdout3.write(ANSI.SHOW_CURSOR);
+      stdout2.write(ANSI.SHOW_CURSOR);
       process.removeListener("exit", cleanup);
     }
     function onData(data) {
@@ -223,11 +420,11 @@ function withRawMode(streams, handler) {
     });
     process.on("exit", cleanup);
     try {
-      if (stdin3.setRawMode) stdin3.setRawMode(true);
-      stdout3.write(ANSI.HIDE_CURSOR);
-      stdin3.on("data", onData);
-      if ("resume" in stdin3 && typeof stdin3.resume === "function") {
-        stdin3.resume();
+      if (stdin2.setRawMode) stdin2.setRawMode(true);
+      stdout2.write(ANSI.HIDE_CURSOR);
+      stdin2.on("data", onData);
+      if ("resume" in stdin2 && typeof stdin2.resume === "function") {
+        stdin2.resume();
       }
     } catch (err) {
       cleanup();
@@ -395,7 +592,7 @@ import { createInterface } from "readline/promises";
 import { stdin, stdout } from "process";
 
 // src/auth/supabase.ts
-import { randomBytes } from "crypto";
+import { randomBytes, createHash } from "crypto";
 var SUPABASE_URL = "https://nzcneiyymvgxvttbenhp.supabase.co";
 var SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im56Y25laXl5bXZneHZ0dGJlbmhwIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTQwNjQ0MjcsImV4cCI6MjA2OTY0MDQyN30.x3E-zGRadbPMmxRqT_PB_KOi00htKpgeb8GiQa4g2z0";
 function supabaseHeaders(accessToken) {
@@ -452,25 +649,13 @@ async function signUp(email, password, name) {
     email: body.user?.email ?? email
   };
 }
-async function fetchApiKey(accessToken, userId) {
-  const params = new URLSearchParams({
-    user_id: `eq.${userId}`,
-    is_active: "eq.true",
-    select: "api_key",
-    limit: "1"
-  });
-  const res = await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys?${params}`, {
+async function createApiKey(accessToken, userId) {
+  await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys?user_id=eq.${userId}`, {
+    method: "DELETE",
     headers: supabaseHeaders(accessToken)
   });
-  if (!res.ok) return null;
-  const rows = await res.json();
-  if (Array.isArray(rows) && rows.length > 0 && rows[0].api_key) {
-    return rows[0].api_key;
-  }
-  return null;
-}
-async function createApiKey(accessToken, userId) {
-  const apiKey = `fmcp_${randomBytes(32).toString("hex")}`;
+  const apiKey = `lim_${randomBytes(32).toString("hex")}`;
+  const keyHash = createHash("sha256").update(apiKey).digest("hex");
   const res = await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys`, {
     method: "POST",
     headers: {
@@ -480,7 +665,7 @@ async function createApiKey(accessToken, userId) {
     body: JSON.stringify({
       user_id: userId,
       key_name: "Liminal CLI",
-      api_key: apiKey,
+      key_hash: keyHash,
       is_active: true
     })
   });
@@ -492,8 +677,6 @@ async function createApiKey(accessToken, userId) {
   return apiKey;
 }
 async function authenticateAndGetKey(auth) {
-  const existingKey = await fetchApiKey(auth.accessToken, auth.userId);
-  if (existingKey) return existingKey;
   return createApiKey(auth.accessToken, auth.userId);
 }
 
@@ -502,7 +685,7 @@ async function loginCommand() {
   printBanner();
   try {
     const config = loadConfig();
-    if (config.apiKey && config.apiKey.startsWith("fmcp_")) {
+    if (config.apiKey && (config.apiKey.startsWith("lim_") || config.apiKey.startsWith("fmcp_"))) {
       console.log("  Already logged in.");
       console.log("  Run \x1B[1mliminal logout\x1B[0m first to switch accounts.");
       return;
@@ -575,59 +758,327 @@ async function runAuthFlow() {
   }
 }
 
-// src/commands/init.ts
-function detectShellProfile() {
-  const shell = process.env.SHELL || "";
-  const home = homedir2();
-  if (shell.endsWith("/zsh")) {
-    const zshrc = join2(home, ".zshrc");
-    return { name: "~/.zshrc", path: zshrc };
+// src/connectors/claude-code.ts
+import { execSync } from "child_process";
+var ENV_VAR = "ANTHROPIC_BASE_URL";
+var INFO = {
+  id: "claude-code",
+  label: "Claude Code",
+  description: "Anthropic CLI for coding with Claude",
+  protocol: "anthropic-messages",
+  automatable: true
+};
+function isClaudeInstalled() {
+  try {
+    execSync("which claude", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
   }
-  if (shell.endsWith("/bash")) {
-    const bashProfile = join2(home, ".bash_profile");
-    if (existsSync2(bashProfile)) {
-      return { name: "~/.bash_profile", path: bashProfile };
+}
+function getCurrentBaseUrl() {
+  return process.env[ENV_VAR] || void 0;
+}
+var claudeCodeConnector = {
+  info: INFO,
+  async detect() {
+    const installed = isClaudeInstalled();
+    const currentUrl = getCurrentBaseUrl();
+    const configured = currentUrl?.includes("127.0.0.1") ?? false;
+    if (!installed) {
+      return { installed, configured: false, detail: "Claude Code not found in PATH" };
     }
-    return { name: "~/.bashrc", path: join2(home, ".bashrc") };
+    if (configured) {
+      return { installed, configured, detail: `Routing through ${currentUrl}` };
+    }
+    return { installed, configured, detail: "Installed but not routing through Liminal" };
+  },
+  getShellExports(port) {
+    return [`export ${ENV_VAR}=http://127.0.0.1:${port}`];
+  },
+  async setup(port) {
+    const exports = this.getShellExports(port);
+    return {
+      success: true,
+      shellExports: exports,
+      postSetupInstructions: [
+        "Claude Code will automatically route through Liminal.",
+        "Make sure to source your shell profile or restart your terminal."
+      ]
+    };
+  },
+  async teardown() {
+    return {
+      success: true,
+      manualSteps: [
+        `Remove the line \`export ${ENV_VAR}=...\` from your shell profile (~/.zshrc or ~/.bashrc).`,
+        "Restart your terminal or run: unset ANTHROPIC_BASE_URL"
+      ]
+    };
   }
-  const candidates = [
-    { name: "~/.zshrc", path: join2(home, ".zshrc") },
-    { name: "~/.bashrc", path: join2(home, ".bashrc") },
-    { name: "~/.profile", path: join2(home, ".profile") }
-  ];
-  for (const c of candidates) {
-    if (existsSync2(c.path)) return c;
+};
+
+// src/connectors/codex.ts
+import { execSync as execSync2 } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+var ENV_VAR2 = "OPENAI_BASE_URL";
+var CODEX_CONFIG_DIR = join3(homedir3(), ".codex");
+var CODEX_CONFIG_FILE = join3(CODEX_CONFIG_DIR, "config.toml");
+var INFO2 = {
+  id: "codex",
+  label: "Codex CLI",
+  description: "OpenAI CLI agent for coding (Responses API)",
+  protocol: "openai-responses",
+  automatable: true
+};
+function isCodexInstalled() {
+  try {
+    execSync2("which codex", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
   }
-  return null;
 }
-function getExportLines(tools, port) {
-  const base = `http://127.0.0.1:${port}`;
-  const lines = [];
-  if (tools.includes("claude-code")) {
-    lines.push(`export ANTHROPIC_BASE_URL=${base}`);
-  }
-  if (tools.includes("codex") || tools.includes("openai-compatible")) {
-    lines.push(`export OPENAI_BASE_URL=${base}/v1`);
-  }
-  return lines;
+function getCurrentBaseUrl2() {
+  return process.env[ENV_VAR2] || void 0;
 }
-function lineExistsInFile(filePath, line) {
-  if (!existsSync2(filePath)) return false;
+function hasCodexConfig() {
+  return existsSync3(CODEX_CONFIG_FILE);
+}
+function codexConfigMentionsLiminal() {
+  if (!hasCodexConfig()) return false;
   try {
-    const content = readFileSync2(filePath, "utf-8");
-    return content.includes(line);
+    const content = readFileSync3(CODEX_CONFIG_FILE, "utf-8");
+    return content.includes("127.0.0.1") || content.includes("liminal");
   } catch {
     return false;
   }
 }
-function appendToShellProfile(profile, lines) {
-  const block = [
-    "",
-    "# Liminal \u2014 route AI tools through compression proxy",
-    ...lines
-  ].join("\n") + "\n";
-  appendFileSync(profile.path, block, "utf-8");
+var codexConnector = {
+  info: INFO2,
+  async detect() {
+    const installed = isCodexInstalled();
+    const currentUrl = getCurrentBaseUrl2();
+    const envConfigured = currentUrl?.includes("127.0.0.1") ?? false;
+    const tomlConfigured = codexConfigMentionsLiminal();
+    const configured = envConfigured || tomlConfigured;
+    if (!installed) {
+      return { installed, configured: false, detail: "Codex CLI not found in PATH" };
+    }
+    if (configured) {
+      const via = envConfigured ? ENV_VAR2 : "config.toml";
+      return { installed, configured, detail: `Routing through Liminal (via ${via})` };
+    }
+    return { installed, configured, detail: "Installed but not routing through Liminal" };
+  },
+  getShellExports(port) {
+    return [`export ${ENV_VAR2}=http://127.0.0.1:${port}/v1`];
+  },
+  async setup(port) {
+    const exports = this.getShellExports(port);
+    const instructions = [
+      "Codex CLI will automatically route through Liminal.",
+      "Make sure to source your shell profile or restart your terminal."
+    ];
+    instructions.push(
+      "Codex uses the OpenAI Responses API (/v1/responses) by default."
+    );
+    return {
+      success: true,
+      shellExports: exports,
+      postSetupInstructions: instructions
+    };
+  },
+  async teardown() {
+    const steps = [
+      `Remove the line \`export ${ENV_VAR2}=...\` from your shell profile (~/.zshrc or ~/.bashrc).`,
+      "Restart your terminal or run: unset OPENAI_BASE_URL"
+    ];
+    if (codexConfigMentionsLiminal()) {
+      steps.push(
+        `Remove the Liminal provider block from ${CODEX_CONFIG_FILE}.`
+      );
+    }
+    return { success: true, manualSteps: steps };
+  }
+};
+
+// src/connectors/cursor.ts
+import { existsSync as existsSync4 } from "fs";
+import { join as join4 } from "path";
+import { homedir as homedir4 } from "os";
+var INFO3 = {
+  id: "cursor",
+  label: "Cursor",
+  description: "AI-first code editor (GUI config required)",
+  protocol: "openai-chat",
+  automatable: false
+};
+function getCursorPaths() {
+  const platform = process.platform;
+  const home = homedir4();
+  if (platform === "darwin") {
+    return {
+      app: "/Applications/Cursor.app",
+      data: join4(home, "Library", "Application Support", "Cursor")
+    };
+  }
+  if (platform === "win32") {
+    const appData = process.env.APPDATA || join4(home, "AppData", "Roaming");
+    const localAppData = process.env.LOCALAPPDATA || join4(home, "AppData", "Local");
+    return {
+      app: join4(localAppData, "Programs", "Cursor", "Cursor.exe"),
+      data: join4(appData, "Cursor")
+    };
+  }
+  return {
+    app: "/usr/bin/cursor",
+    data: join4(home, ".config", "Cursor")
+  };
+}
+function isCursorInstalled() {
+  const { app, data } = getCursorPaths();
+  return existsSync4(app) || existsSync4(data);
+}
+function getSettingsDbPath() {
+  const { data } = getCursorPaths();
+  return join4(data, "User", "globalStorage", "state.vscdb");
+}
+var cursorConnector = {
+  info: INFO3,
+  async detect() {
+    const installed = isCursorInstalled();
+    const dbExists = existsSync4(getSettingsDbPath());
+    if (!installed) {
+      return { installed, configured: false, detail: "Cursor not found on this system" };
+    }
+    return {
+      installed,
+      configured: false,
+      detail: dbExists ? "Installed \u2014 configuration requires Cursor Settings GUI" : "Installed but settings database not found"
+    };
+  },
+  getShellExports(_port) {
+    return [];
+  },
+  async setup(port) {
+    return {
+      success: true,
+      shellExports: [],
+      // No env vars — GUI only
+      postSetupInstructions: [
+        "Cursor routes API calls through its cloud servers, so localhost",
+        "URLs are blocked. You need a tunnel to expose the proxy:",
+        "",
+        `  npx cloudflared tunnel --url http://localhost:${port}`,
+        "",
+        "Then configure Cursor with the tunnel URL:",
+        "",
+        "  1. Open Cursor Settings (not VS Code settings)",
+        "  2. Go to Models",
+        '  3. Enable "Override OpenAI Base URL (when using key)"',
+        "  4. Set the base URL to your tunnel URL + /v1",
+        "     (e.g., https://abc123.trycloudflare.com/v1)",
+        "  5. Enter your real OpenAI/Anthropic API key",
+        "  6. Restart Cursor",
+        "",
+        "Cursor uses OpenAI format for all models, including Claude.",
+        "Both Chat Completions and Agent mode (Responses API) are supported."
+      ]
+    };
+  },
+  async teardown() {
+    return {
+      success: true,
+      manualSteps: [
+        "In Cursor Settings > Models:",
+        '  1. Disable "Override OpenAI Base URL (when using key)"',
+        "  2. Clear the base URL field",
+        "  3. Restart Cursor"
+      ]
+    };
+  }
+};
+
+// src/connectors/openai-compatible.ts
+var ENV_VAR3 = "OPENAI_BASE_URL";
+var INFO4 = {
+  id: "openai-compatible",
+  label: "Other / OpenAI-compatible",
+  description: "Any tool that reads OPENAI_BASE_URL",
+  protocol: "openai-chat",
+  automatable: true
+};
+function getCurrentBaseUrl3() {
+  return process.env[ENV_VAR3] || void 0;
+}
+var openaiCompatibleConnector = {
+  info: INFO4,
+  async detect() {
+    const currentUrl = getCurrentBaseUrl3();
+    const configured = currentUrl?.includes("127.0.0.1") ?? false;
+    return {
+      installed: true,
+      // Generic — always "available"
+      configured,
+      detail: configured ? `OPENAI_BASE_URL \u2192 ${currentUrl}` : "OPENAI_BASE_URL not set to Liminal"
+    };
+  },
+  getShellExports(port) {
+    return [`export ${ENV_VAR3}=http://127.0.0.1:${port}/v1`];
+  },
+  async setup(port) {
+    const exports = this.getShellExports(port);
+    return {
+      success: true,
+      shellExports: exports,
+      postSetupInstructions: [
+        "Any tool that reads OPENAI_BASE_URL will route through Liminal.",
+        "Make sure to source your shell profile or restart your terminal.",
+        "",
+        "If your tool uses a different env var (e.g., OPENAI_API_BASE),",
+        `set it to: http://127.0.0.1:${port}/v1`
+      ]
+    };
+  },
+  async teardown() {
+    return {
+      success: true,
+      manualSteps: [
+        `Remove the line \`export ${ENV_VAR3}=...\` from your shell profile (~/.zshrc or ~/.bashrc).`,
+        "Restart your terminal or run: unset OPENAI_BASE_URL"
+      ]
+    };
+  }
+};
+
+// src/connectors/index.ts
+var CONNECTORS = [
+  claudeCodeConnector,
+  codexConnector,
+  cursorConnector,
+  openaiCompatibleConnector
+];
+function getConnector(id) {
+  const connector = CONNECTORS.find((c) => c.info.id === id);
+  if (!connector) {
+    throw new Error(`Unknown connector: ${id}`);
+  }
+  return connector;
 }
+function getConnectors(ids) {
+  return ids.map(getConnector);
+}
+
+// src/commands/init.ts
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+var CYAN = "\x1B[36m";
+var GREEN = "\x1B[32m";
+var YELLOW = "\x1B[33m";
+var RESET = "\x1B[0m";
 async function initCommand() {
   printBanner();
   console.log("  Welcome to Liminal -- Your Transparency & Context Partner");
@@ -636,29 +1087,38 @@ async function initCommand() {
   console.log();
   const apiKey = await runAuthFlow();
   console.log();
-  const rl = createInterface2({ input: stdin2, output: stdout2 });
-  let port;
-  try {
-    const portInput = await rl.question(`  Proxy port [${DEFAULTS.port}]: `);
-    port = portInput.trim() ? parseInt(portInput.trim(), 10) : DEFAULTS.port;
-    if (isNaN(port) || port < 1 || port > 65535) {
-      console.error("\n  Error: Invalid port number.");
-      process.exit(1);
-    }
-  } finally {
-    rl.close();
+  const port = DEFAULTS.port;
+  console.log(`  ${BOLD}Detecting installed tools...${RESET}`);
+  console.log();
+  const detectionResults = await Promise.all(
+    CONNECTORS.map(async (c) => {
+      const status = await c.detect();
+      return { connector: c, status };
+    })
+  );
+  for (const { connector, status } of detectionResults) {
+    const icon = status.installed ? `${GREEN}\u2713${RESET}` : `${DIM}\xB7${RESET}`;
+    console.log(`    ${icon} ${connector.info.label}  ${DIM}${status.detail}${RESET}`);
   }
   console.log();
+  const toolOptions = CONNECTORS.map((c) => {
+    const detected = detectionResults.find((r) => r.connector.info.id === c.info.id);
+    const installed = detected?.status.installed ?? false;
+    let description = c.info.description;
+    if (!installed) description += ` ${DIM}(not detected)${RESET}`;
+    if (!c.info.automatable) description += ` ${DIM}(manual setup)${RESET}`;
+    return {
+      label: c.info.label,
+      value: c.info.id,
+      description,
+      default: c.info.id === "claude-code" && installed
+    };
+  });
   const toolsResult = await multiSelectPrompt({
     message: "Which AI tools will you use with Liminal?",
-    options: [
-      { label: "Claude Code", value: "claude-code", default: true },
-      { label: "Codex", value: "codex" },
-      { label: "Cursor", value: "cursor" },
-      { label: "Other / OpenAI", value: "openai-compatible" }
-    ]
+    options: toolOptions
   });
-  const tools = toolsResult ?? ["claude-code"];
+  const selectedIds = toolsResult ?? ["claude-code"];
   console.log();
   const learnResult = await selectPrompt({
     message: "Learn from LLM responses?",
@@ -670,78 +1130,100 @@ async function initCommand() {
   });
   const learnFromResponses = learnResult ?? true;
   console.log();
-  const apiBaseUrl = DEFAULTS.apiBaseUrl;
   ensureDirectories();
   saveConfig({
     apiKey,
-    apiBaseUrl,
+    apiBaseUrl: DEFAULTS.apiBaseUrl,
     upstreamBaseUrl: DEFAULTS.upstreamBaseUrl,
     anthropicUpstreamUrl: DEFAULTS.anthropicUpstreamUrl,
     port,
     learnFromResponses,
-    tools,
+    tools: selectedIds,
     compressionThreshold: DEFAULTS.compressionThreshold,
     compressRoles: DEFAULTS.compressRoles,
     latencyBudgetMs: DEFAULTS.latencyBudgetMs,
     enabled: DEFAULTS.enabled
   });
+  console.log(`  ${GREEN}\u2713${RESET} Configuration saved to ${DIM}${CONFIG_FILE}${RESET}`);
   console.log();
-  console.log(`  Configuration saved to ${CONFIG_FILE}`);
-  console.log();
-  const exportLines = getExportLines(tools, port);
-  const hasCursor = tools.includes("cursor");
-  if (exportLines.length > 0) {
-    const profile = detectShellProfile();
-    if (profile) {
-      const allExist = exportLines.every((line) => lineExistsInFile(profile.path, line));
-      if (allExist) {
-        console.log(`  Shell already configured in ${profile.name}`);
+  const connectors = getConnectors(selectedIds);
+  const allShellExports = [];
+  const profile = detectShellProfile();
+  console.log(`  ${BOLD}Configuring ${connectors.length} tool${connectors.length > 1 ? "s" : ""}...${RESET}`);
+  for (const connector of connectors) {
+    const result = await connector.setup(port);
+    const protocol = connector.info.protocol === "anthropic-messages" ? "Anthropic Messages API" : connector.info.protocol === "openai-responses" ? "Responses API" : "Chat Completions API";
+    console.log();
+    console.log(`  ${CYAN}\u2500\u2500 ${connector.info.label} ${RESET}${DIM}(${protocol})${RESET}`);
+    if (connector.info.automatable && result.shellExports.length > 0) {
+      for (const line of result.shellExports) {
+        console.log(`     ${GREEN}\u2713${RESET} ${line}`);
+      }
+      allShellExports.push(...result.shellExports);
+    }
+    for (const line of result.postSetupInstructions) {
+      if (line === "") {
+        console.log();
       } else {
-        const autoResult = await selectPrompt({
-          message: "Configure shell automatically?",
-          options: [
-            { label: "Yes", value: true, description: `Add to ${profile.name}` },
-            { label: "No", value: false, description: "I'll set it up manually" }
-          ],
-          defaultIndex: 0
-        });
-        if (autoResult === true) {
-          const newLines = exportLines.filter((line) => !lineExistsInFile(profile.path, line));
-          if (newLines.length > 0) {
-            appendToShellProfile(profile, newLines);
-          }
-          console.log();
-          console.log(`  Added to ${profile.name}:`);
-          for (const line of exportLines) {
-            console.log(`    ${line}`);
-          }
-          console.log();
-          console.log(`  Run \x1B[1msource ${profile.name}\x1B[0m or restart your terminal to apply.`);
+        if (line.includes("source your shell profile") || line.includes("restart your terminal")) continue;
+        if (line.includes("will automatically route through Liminal")) {
+          console.log(`     ${DIM}${line}${RESET}`);
+        } else if (line.startsWith("  ")) {
+          console.log(`   ${line}`);
         } else {
-          console.log();
-          console.log("  Add these to your shell profile:");
-          console.log();
-          for (const line of exportLines) {
-            console.log(`    ${line}`);
-          }
+          console.log(`     ${line}`);
         }
       }
+    }
+    if (!connector.info.automatable) {
+      console.log(`     ${YELLOW}\u26A0 Requires manual configuration (see steps above)${RESET}`);
+    }
+  }
+  const uniqueExports = [...new Set(allShellExports)];
+  if (uniqueExports.length > 0 && profile) {
+    const allExist = uniqueExports.every((line) => lineExistsInFile(profile.path, line));
+    console.log();
+    if (allExist) {
+      console.log(`  ${GREEN}\u2713${RESET} Shell already configured in ${profile.name}`);
     } else {
-      console.log("  Add these to your shell profile:");
-      console.log();
-      for (const line of exportLines) {
-        console.log(`    ${line}`);
+      const autoResult = await selectPrompt({
+        message: `Add proxy exports to ${profile.name}?`,
+        options: [
+          { label: "Yes", value: true, description: "Automatic shell configuration" },
+          { label: "No", value: false, description: "I'll set it up manually" }
+        ],
+        defaultIndex: 0
+      });
+      if (autoResult === true) {
+        const added = appendToShellProfile(profile, uniqueExports);
+        if (added.length > 0) {
+          console.log();
+          console.log(`  ${GREEN}\u2713${RESET} Added to ${profile.name}`);
+          console.log();
+          console.log(`  Run ${BOLD}source ${profile.name}${RESET} or restart your terminal.`);
+        }
+      } else {
+        console.log();
+        console.log("  Add these to your shell profile:");
+        console.log();
+        for (const line of uniqueExports) {
+          console.log(`    ${CYAN}${line}${RESET}`);
+        }
       }
     }
-  }
-  if (hasCursor) {
+  } else if (uniqueExports.length > 0) {
+    console.log();
+    console.log("  Add these to your shell profile:");
     console.log();
-    console.log("  Cursor setup (manual):");
-    console.log(`    Settings > Models > OpenAI API Base URL: http://127.0.0.1:${port}/v1`);
+    for (const line of uniqueExports) {
+      console.log(`    ${CYAN}${line}${RESET}`);
+    }
   }
   console.log();
+  console.log(`  ${BOLD}Setup complete!${RESET}`);
+  console.log();
   console.log("  Next step:");
-  console.log("    liminal start");
+  console.log(`    ${BOLD}liminal start${RESET}`);
   console.log();
 }
 
@@ -756,64 +1238,6 @@ async function logoutCommand() {
   console.log("  Run \x1B[1mliminal login\x1B[0m to reconnect.");
 }
 
-// src/rsc/pipeline.ts
-import {
-  CompressionPipeline,
-  RSCTransport,
-  RSCEventEmitter,
-  Session,
-  CircuitBreaker
-} from "@cognisos/rsc-sdk";
-var RSCPipelineWrapper = class {
-  pipeline;
-  session;
-  events;
-  transport;
-  circuitBreaker;
-  constructor(config) {
-    this.circuitBreaker = new CircuitBreaker(5, 5 * 60 * 1e3);
-    this.transport = new RSCTransport({
-      baseUrl: config.rscBaseUrl,
-      apiKey: config.rscApiKey,
-      timeout: 3e4,
-      maxRetries: 3,
-      circuitBreaker: this.circuitBreaker
-    });
-    this.events = new RSCEventEmitter();
-    this.session = new Session(config.sessionId);
-    this.pipeline = new CompressionPipeline(
-      this.transport,
-      {
-        threshold: config.compressionThreshold,
-        learnFromResponses: config.learnFromResponses,
-        latencyBudgetMs: config.latencyBudgetMs,
-        sessionId: this.session.sessionId
-      },
-      this.events
-    );
-  }
-  async healthCheck() {
-    try {
-      await this.transport.get("/health");
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  getSessionSummary() {
-    return this.session.getSummary();
-  }
-  getCircuitState() {
-    return this.circuitBreaker.getState();
-  }
-  isCircuitOpen() {
-    return this.circuitBreaker.getState() === "open";
-  }
-  resetCircuitBreaker() {
-    this.circuitBreaker.reset();
-  }
-};
-
 // src/proxy/completions.ts
 import { RSCCircuitOpenError as RSCCircuitOpenError2 } from "@cognisos/rsc-sdk";
 
@@ -919,66 +1343,115 @@ function isIndentedCodeLine(line) {
 }
 
 // src/rsc/message-compressor.ts
+var PASSTHROUGH_BLOCK_TYPES = /* @__PURE__ */ new Set(["thinking", "tool_use", "image"]);
+function sanitizeCompressedText(text) {
+  return text.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+}
 async function compressMessages(messages, pipeline, session, compressRoles) {
   let anyCompressed = false;
   let totalTokensSaved = 0;
   const compressed = await Promise.all(
     messages.map(async (msg) => {
       if (!compressRoles.has(msg.role)) return msg;
-      if (typeof msg.content === "string") {
-        return compressStringContent(msg, pipeline, session, (c, saved) => {
-          anyCompressed = anyCompressed || c;
-          totalTokensSaved += saved;
-        });
+      return compressMessage(msg, pipeline, session, (c, saved) => {
+        anyCompressed = anyCompressed || c;
+        totalTokensSaved += saved;
+      });
+    })
+  );
+  return { messages: compressed, anyCompressed, totalTokensSaved };
+}
+async function compressConversation(pipeline, session, plan, options = { compressToolResults: true }) {
+  if (!plan.shouldCompress) {
+    return {
+      messages: plan.messages.map((tm) => tm.message),
+      anyCompressed: false,
+      totalTokensSaved: 0
+    };
+  }
+  let anyCompressed = false;
+  let totalTokensSaved = 0;
+  const record = (c, saved) => {
+    anyCompressed = anyCompressed || c;
+    totalTokensSaved += saved;
+  };
+  const log = options.logFn;
+  const compressed = await Promise.all(
+    plan.messages.map(async (tm) => {
+      const role = tm.message.role;
+      const blockTypes = Array.isArray(tm.message.content) ? tm.message.content.map((b) => b.type).join(",") : "string";
+      if (tm.tier === "hot") {
+        log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 HOT (verbatim)`);
+        return tm.message;
       }
-      if (Array.isArray(msg.content)) {
-        return compressArrayContent(msg, pipeline, session, (c, saved) => {
-          anyCompressed = anyCompressed || c;
-          totalTokensSaved += saved;
-        });
+      if (tm.eligibleTokens === 0) {
+        log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 ${tm.tier.toUpperCase()} (0 eligible tok, skip)`);
+        return tm.message;
       }
-      return msg;
+      log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 ${tm.tier.toUpperCase()} (${tm.eligibleTokens} eligible tok, batch compressing)`);
+      return batchCompressMessage(tm.message, pipeline, session, record, options);
     })
   );
   return { messages: compressed, anyCompressed, totalTokensSaved };
 }
-async function compressStringContent(msg, pipeline, session, record) {
-  const text = msg.content;
-  const segments = segmentContent(text);
-  const hasCode = segments.some((s) => s.type === "code");
-  if (!hasCode) {
-    try {
-      const result = await pipeline.compressForLLM(text);
-      session.recordCompression(result.metrics);
-      record(!result.metrics.skipped, result.metrics.tokensSaved);
-      return { ...msg, content: result.text };
-    } catch (err) {
-      if (err instanceof RSCCircuitOpenError) {
-        session.recordFailure();
-        throw err;
+function extractToolResultText(part) {
+  if (typeof part.content === "string" && part.content.trim()) {
+    return part.content;
+  }
+  if (Array.isArray(part.content)) {
+    const texts = part.content.filter((inner) => inner.type === "text" && typeof inner.text === "string" && inner.text.trim()).map((inner) => inner.text);
+    return texts.length > 0 ? texts.join("\n") : null;
+  }
+  return null;
+}
+async function batchCompressMessage(msg, pipeline, session, record, options = { compressToolResults: true }) {
+  if (typeof msg.content === "string") {
+    return compressStringContent(msg, pipeline, session, record, options.semaphore, options.semaphoreTimeoutMs);
+  }
+  if (!Array.isArray(msg.content)) return msg;
+  const parts = msg.content;
+  const textSegments = [];
+  const batchedIndices = /* @__PURE__ */ new Set();
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (PASSTHROUGH_BLOCK_TYPES.has(part.type)) continue;
+    if (part.type === "text" && typeof part.text === "string" && part.text.trim()) {
+      textSegments.push(part.text);
+      batchedIndices.add(i);
+    }
+    if (part.type === "tool_result" && options.compressToolResults) {
+      const extracted = extractToolResultText(part);
+      if (extracted) {
+        textSegments.push(extracted);
+        batchedIndices.add(i);
       }
-      session.recordFailure();
-      return msg;
     }
   }
+  if (textSegments.length === 0) return msg;
+  const batchText = textSegments.join("\n\n");
   try {
-    const parts = await Promise.all(
-      segments.map(async (seg) => {
-        if (seg.type === "code") return seg.text;
-        if (seg.text.trim().length === 0) return seg.text;
-        try {
-          const result = await pipeline.compressForLLM(seg.text);
-          session.recordCompression(result.metrics);
-          record(!result.metrics.skipped, result.metrics.tokensSaved);
-          return result.text;
-        } catch (err) {
-          if (err instanceof RSCCircuitOpenError) throw err;
-          session.recordFailure();
-          return seg.text;
+    const compressed = await compressTextWithSegmentation(batchText, pipeline, session, record, options.semaphore, options.semaphoreTimeoutMs);
+    const newParts = [];
+    let isFirstEligible = true;
+    for (let i = 0; i < parts.length; i++) {
+      if (!batchedIndices.has(i)) {
+        newParts.push(parts[i]);
+        continue;
+      }
+      if (isFirstEligible) {
+        if (parts[i].type === "text") {
+          newParts.push({ ...parts[i], text: compressed });
+        } else if (parts[i].type === "tool_result") {
+          newParts.push({ ...parts[i], content: compressed });
         }
-      })
-    );
-    return { ...msg, content: parts.join("") };
+        isFirstEligible = false;
+      } else {
+        if (parts[i].type === "tool_result") {
+          newParts.push({ ...parts[i], content: "" });
+        }
+      }
+    }
+    return { ...msg, content: newParts };
   } catch (err) {
     if (err instanceof RSCCircuitOpenError) {
       session.recordFailure();
@@ -988,37 +1461,34 @@ async function compressStringContent(msg, pipeline, session, record) {
     return msg;
   }
 }
-async function compressTextWithSegmentation(text, pipeline, session, record) {
-  const segments = segmentContent(text);
-  const hasCode = segments.some((s) => s.type === "code");
-  if (!hasCode) {
-    const result = await pipeline.compressForLLM(text);
-    session.recordCompression(result.metrics);
-    record(!result.metrics.skipped, result.metrics.tokensSaved);
-    return result.text;
+async function compressMessage(msg, pipeline, session, record, options = { compressToolResults: true }) {
+  if (typeof msg.content === "string") {
+    return compressStringContent(msg, pipeline, session, record);
+  }
+  if (Array.isArray(msg.content)) {
+    return compressArrayContent(msg, pipeline, session, record, options);
+  }
+  return msg;
+}
+async function compressStringContent(msg, pipeline, session, record, semaphore, semaphoreTimeoutMs) {
+  const text = msg.content;
+  try {
+    const compressed = await compressTextWithSegmentation(text, pipeline, session, record, semaphore, semaphoreTimeoutMs);
+    return { ...msg, content: compressed };
+  } catch (err) {
+    if (err instanceof RSCCircuitOpenError) {
+      session.recordFailure();
+      throw err;
+    }
+    session.recordFailure();
+    return msg;
   }
-  const parts = await Promise.all(
-    segments.map(async (seg) => {
-      if (seg.type === "code") return seg.text;
-      if (seg.text.trim().length === 0) return seg.text;
-      try {
-        const result = await pipeline.compressForLLM(seg.text);
-        session.recordCompression(result.metrics);
-        record(!result.metrics.skipped, result.metrics.tokensSaved);
-        return result.text;
-      } catch (err) {
-        if (err instanceof RSCCircuitOpenError) throw err;
-        session.recordFailure();
-        return seg.text;
-      }
-    })
-  );
-  return parts.join("");
 }
-async function compressArrayContent(msg, pipeline, session, record) {
+async function compressArrayContent(msg, pipeline, session, record, options = { compressToolResults: true }) {
   const parts = msg.content;
   const compressedParts = await Promise.all(
     parts.map(async (part) => {
+      if (PASSTHROUGH_BLOCK_TYPES.has(part.type)) return part;
       if (part.type === "text" && typeof part.text === "string") {
         try {
           const compressed = await compressTextWithSegmentation(part.text, pipeline, session, record);
@@ -1032,11 +1502,183 @@ async function compressArrayContent(msg, pipeline, session, record) {
           return part;
         }
       }
+      if (part.type === "tool_result" && options.compressToolResults) {
+        return compressToolResult(part, pipeline, session, record);
+      }
       return part;
     })
   );
   return { ...msg, content: compressedParts };
 }
+async function compressToolResult(part, pipeline, session, record) {
+  const content = part.content;
+  if (typeof content === "string") {
+    try {
+      const compressed = await compressTextWithSegmentation(content, pipeline, session, record);
+      return { ...part, content: compressed };
+    } catch (err) {
+      if (err instanceof RSCCircuitOpenError) {
+        session.recordFailure();
+        throw err;
+      }
+      session.recordFailure();
+      return part;
+    }
+  }
+  if (Array.isArray(content)) {
+    try {
+      const compressedInner = await Promise.all(
+        content.map(async (inner) => {
+          if (inner.type === "text" && typeof inner.text === "string") {
+            try {
+              const compressed = await compressTextWithSegmentation(inner.text, pipeline, session, record);
+              return { ...inner, text: compressed };
+            } catch (err) {
+              if (err instanceof RSCCircuitOpenError) throw err;
+              session.recordFailure();
+              return inner;
+            }
+          }
+          return inner;
+        })
+      );
+      return { ...part, content: compressedInner };
+    } catch (err) {
+      if (err instanceof RSCCircuitOpenError) {
+        session.recordFailure();
+        throw err;
+      }
+      session.recordFailure();
+      return part;
+    }
+  }
+  return part;
+}
+async function compressTextWithSegmentation(text, pipeline, session, record, semaphore, semaphoreTimeoutMs) {
+  const segments = segmentContent(text);
+  const hasCode = segments.some((s) => s.type === "code");
+  if (!hasCode) {
+    if (semaphore) await semaphore.acquire(semaphoreTimeoutMs);
+    try {
+      const result = await pipeline.compressForLLM(text);
+      session.recordCompression(result.metrics);
+      const saved = Math.max(0, result.metrics.tokensSaved);
+      record(!result.metrics.skipped, saved);
+      return sanitizeCompressedText(result.text);
+    } finally {
+      if (semaphore) semaphore.release();
+    }
+  }
+  const parts = await Promise.all(
+    segments.map(async (seg) => {
+      if (seg.type === "code") return seg.text;
+      if (seg.text.trim().length === 0) return seg.text;
+      if (semaphore) await semaphore.acquire(semaphoreTimeoutMs);
+      try {
+        const result = await pipeline.compressForLLM(seg.text);
+        session.recordCompression(result.metrics);
+        const saved = Math.max(0, result.metrics.tokensSaved);
+        record(!result.metrics.skipped, saved);
+        return sanitizeCompressedText(result.text);
+      } catch (err) {
+        if (err instanceof RSCCircuitOpenError) throw err;
+        session.recordFailure();
+        return seg.text;
+      } finally {
+        if (semaphore) semaphore.release();
+      }
+    })
+  );
+  return parts.join("");
+}
+
+// src/rsc/conversation-analyzer.ts
+var SKIP_BLOCK_TYPES = /* @__PURE__ */ new Set(["thinking", "tool_use", "image"]);
+function estimateTokens(text) {
+  return Math.ceil(text.length / 4);
+}
+function estimateBlockTokens(block, compressToolResults) {
+  if (SKIP_BLOCK_TYPES.has(block.type)) return 0;
+  if (block.type === "text" && typeof block.text === "string") {
+    return estimateTokens(block.text);
+  }
+  if (block.type === "tool_result" && compressToolResults) {
+    if (typeof block.content === "string") {
+      return estimateTokens(block.content);
+    }
+    if (Array.isArray(block.content)) {
+      return block.content.reduce(
+        (sum, inner) => sum + estimateBlockTokens(inner, compressToolResults),
+        0
+      );
+    }
+  }
+  return 0;
+}
+function estimateMessageTokens(msg, config) {
+  if (!config.compressRoles.has(msg.role)) return 0;
+  if (typeof msg.content === "string") {
+    return estimateTokens(msg.content);
+  }
+  if (Array.isArray(msg.content)) {
+    return msg.content.reduce(
+      (sum, part) => sum + estimateBlockTokens(part, config.compressToolResults),
+      0
+    );
+  }
+  return 0;
+}
+function analyzeConversation(messages, config) {
+  const n = messages.length;
+  if (n < 5) {
+    const tiered2 = messages.map((msg, i) => ({
+      index: i,
+      message: msg,
+      tier: "hot",
+      eligibleTokens: estimateMessageTokens(msg, config)
+    }));
+    return {
+      messages: tiered2,
+      totalEligibleTokens: 0,
+      shouldCompress: false,
+      hotCount: n,
+      warmCount: 0,
+      coldCount: 0
+    };
+  }
+  const coldEnd = Math.floor(n * config.coldFraction);
+  const hotStart = n - Math.floor(n * config.hotFraction);
+  let totalEligibleTokens = 0;
+  let hotCount = 0;
+  let warmCount = 0;
+  let coldCount = 0;
+  const tiered = messages.map((msg, i) => {
+    let tier;
+    if (i >= hotStart) {
+      tier = "hot";
+      hotCount++;
+    } else if (i < coldEnd) {
+      tier = "cold";
+      coldCount++;
+    } else {
+      tier = "warm";
+      warmCount++;
+    }
+    const eligibleTokens = estimateMessageTokens(msg, config);
+    if (tier !== "hot") {
+      totalEligibleTokens += eligibleTokens;
+    }
+    return { index: i, message: msg, tier, eligibleTokens };
+  });
+  return {
+    messages: tiered,
+    totalEligibleTokens,
+    shouldCompress: totalEligibleTokens >= config.aggregateThreshold,
+    hotCount,
+    warmCount,
+    coldCount
+  };
+}
 
 // src/rsc/learning.ts
 function createStreamLearningBuffer(pipeline) {
@@ -1061,7 +1703,7 @@ function createStreamLearningBuffer(pipeline) {
 }
 
 // src/proxy/streaming.ts
-async function pipeSSEResponse(upstreamResponse, clientRes, onContentDelta, onComplete) {
+async function pipeSSEResponse(upstreamResponse, clientRes, onContentDelta, onComplete, totalTokensSaved = 0) {
   clientRes.writeHead(200, {
     "Content-Type": "text/event-stream",
     "Cache-Control": "no-cache",
@@ -1071,27 +1713,67 @@ async function pipeSSEResponse(upstreamResponse, clientRes, onContentDelta, onCo
   const reader = upstreamResponse.body.getReader();
   const decoder = new TextDecoder();
   let lineBuf = "";
+  const needsAdjustment = totalTokensSaved > 0;
   try {
     while (true) {
       const { done, value } = await reader.read();
       if (done) break;
       const chunk = decoder.decode(value, { stream: true });
-      clientRes.write(chunk);
+      if (!needsAdjustment) {
+        clientRes.write(chunk);
+        lineBuf += chunk;
+        const lines2 = lineBuf.split("\n");
+        lineBuf = lines2.pop() || "";
+        for (const line of lines2) {
+          if (line.startsWith("data: ") && line !== "data: [DONE]") {
+            try {
+              const json = JSON.parse(line.slice(6));
+              const content = json?.choices?.[0]?.delta?.content;
+              if (typeof content === "string") {
+                onContentDelta(content);
+              }
+            } catch {
+            }
+          }
+        }
+        continue;
+      }
       lineBuf += chunk;
       const lines = lineBuf.split("\n");
       lineBuf = lines.pop() || "";
+      let adjusted = false;
+      const outputLines = [];
       for (const line of lines) {
         if (line.startsWith("data: ") && line !== "data: [DONE]") {
           try {
             const json = JSON.parse(line.slice(6));
+            if (json?.usage?.prompt_tokens != null) {
+              json.usage.prompt_tokens += totalTokensSaved;
+              if (json.usage.total_tokens != null) {
+                json.usage.total_tokens += totalTokensSaved;
+              }
+              outputLines.push(`data: ${JSON.stringify(json)}`);
+              adjusted = true;
+            } else {
+              outputLines.push(line);
+            }
             const content = json?.choices?.[0]?.delta?.content;
             if (typeof content === "string") {
               onContentDelta(content);
             }
           } catch {
+            outputLines.push(line);
           }
+        } else {
+          outputLines.push(line);
         }
       }
+      if (adjusted) {
+        const reconstructed = outputLines.join("\n") + "\n";
+        clientRes.write(reconstructed);
+      } else {
+        clientRes.write(chunk);
+      }
     }
   } finally {
     clientRes.end();
@@ -1099,6 +1781,25 @@ async function pipeSSEResponse(upstreamResponse, clientRes, onContentDelta, onCo
   }
 }
 
+// src/terminology.ts
+var TIER_LABELS = {
+  HOT: "Active",
+  WARM: "Recent",
+  COLD: "Archived"
+};
+function formatTiersLog(hot, warm, cold, eligibleTokens) {
+  return `[MEMORY] ${TIER_LABELS.HOT}:${hot} ${TIER_LABELS.WARM}:${warm} ${TIER_LABELS.COLD}:${cold} \xB7 ${eligibleTokens} tokens eligible`;
+}
+function formatSavedLog(tokensSaved, latencyMs) {
+  return `[SAVED] ${tokensSaved} tokens (${latencyMs}ms)`;
+}
+function formatDegradeLog() {
+  return "[STATUS] Connection degraded \u2014 passing through directly";
+}
+function formatResponseLog(model, tokensSaved, streaming = false) {
+  return `[RESPONSE] ${streaming ? "Streaming " : ""}${model} response \u2192 client (saved:${tokensSaved}tok)`;
+}
+
 // src/proxy/completions.ts
 function setCORSHeaders(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
@@ -1115,7 +1816,7 @@ function extractBearerToken(req) {
   if (!auth || !auth.startsWith("Bearer ")) return null;
   return auth.slice(7);
 }
-async function handleChatCompletions(req, res, body, pipeline, config, logger) {
+async function handleChatCompletions(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
   const request = body;
   if (!request.messages || !Array.isArray(request.messages)) {
     sendJSON(res, 400, {
@@ -1132,23 +1833,46 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
   }
   let messages = request.messages;
   let anyCompressed = false;
+  let totalTokensSaved = 0;
   if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
     try {
       const compressRoles = new Set(config.compressRoles);
-      const result = await compressMessages(
-        request.messages,
+      const plan = analyzeConversation(request.messages, {
+        hotFraction: config.hotFraction,
+        coldFraction: config.coldFraction,
+        aggregateThreshold: config.aggregateThreshold,
+        compressRoles,
+        compressToolResults: config.compressToolResults
+      });
+      if (plan.shouldCompress) {
+        logger.log(formatTiersLog(plan.hotCount, plan.warmCount, plan.coldCount, plan.totalEligibleTokens));
+      }
+      const result = await compressConversation(
         pipeline.pipeline,
         pipeline.session,
-        compressRoles
+        plan,
+        {
+          compressToolResults: config.compressToolResults,
+          logFn: (msg) => logger.log(msg),
+          semaphore,
+          semaphoreTimeoutMs: config.concurrencyTimeoutMs
+        }
       );
       messages = result.messages;
       anyCompressed = result.anyCompressed;
+      totalTokensSaved = result.totalTokensSaved;
+      const latencyMs = Date.now() - compressStart;
+      const alert = latencyMonitor.record(sessionKey, latencyMs);
+      if (alert) {
+        logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+      }
       if (result.totalTokensSaved > 0) {
-        logger.log(`[COMPRESS] Saved ${result.totalTokensSaved} tokens`);
+        logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
       }
     } catch (err) {
       if (err instanceof RSCCircuitOpenError2) {
-        logger.log("[DEGRADE] Circuit breaker open \u2014 passing through directly");
+        logger.log(formatDegradeLog());
       } else {
         logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
       }
@@ -1181,18 +1905,36 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
     }
     if (request.stream && upstreamResponse.body) {
       const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
       await pipeSSEResponse(
         upstreamResponse,
         res,
         (text) => learningBuffer?.append(text),
-        () => learningBuffer?.flush()
+        () => learningBuffer?.flush(),
+        totalTokensSaved
       );
       return;
     }
     const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
+    let finalBody = responseBody;
+    if (totalTokensSaved > 0) {
+      try {
+        const parsed = JSON.parse(responseBody);
+        if (parsed?.usage?.prompt_tokens != null) {
+          parsed.usage.prompt_tokens += totalTokensSaved;
+          if (parsed.usage.total_tokens != null) {
+            parsed.usage.total_tokens += totalTokensSaved;
+          }
+          finalBody = JSON.stringify(parsed);
+          logger.log(`[TOKENS] Adjusted prompt_tokens by +${totalTokensSaved}`);
+        }
+      } catch {
+      }
+    }
     setCORSHeaders(res);
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(responseBody);
+    res.end(finalBody);
     if (anyCompressed) {
       try {
         const parsed = JSON.parse(responseBody);
@@ -1218,7 +1960,18 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
 import { RSCCircuitOpenError as RSCCircuitOpenError3 } from "@cognisos/rsc-sdk";
 
 // src/proxy/anthropic-streaming.ts
-async function pipeAnthropicSSEResponse(upstreamResponse, clientRes, onContentDelta, onComplete) {
+function adjustMessageStartLine(dataLine, tokensSaved) {
+  try {
+    const json = JSON.parse(dataLine.slice(6));
+    if (json?.message?.usage?.input_tokens != null) {
+      json.message.usage.input_tokens += tokensSaved;
+      return `data: ${JSON.stringify(json)}`;
+    }
+  } catch {
+  }
+  return null;
+}
+async function pipeAnthropicSSEResponse(upstreamResponse, clientRes, onContentDelta, onComplete, totalTokensSaved = 0) {
   clientRes.writeHead(200, {
     "Content-Type": "text/event-stream",
     "Cache-Control": "no-cache",
@@ -1229,28 +1982,70 @@ async function pipeAnthropicSSEResponse(upstreamResponse, clientRes, onContentDe
   const decoder = new TextDecoder();
   let lineBuf = "";
   let currentEvent = "";
+  let usageAdjusted = false;
+  const needsAdjustment = totalTokensSaved > 0;
   try {
     while (true) {
       const { done, value } = await reader.read();
       if (done) break;
       const chunk = decoder.decode(value, { stream: true });
-      clientRes.write(chunk);
+      if (!needsAdjustment || usageAdjusted) {
+        clientRes.write(chunk);
+        lineBuf += chunk;
+        const lines2 = lineBuf.split("\n");
+        lineBuf = lines2.pop() || "";
+        for (const line of lines2) {
+          if (line.startsWith("event: ")) {
+            currentEvent = line.slice(7).trim();
+          } else if (line.startsWith("data: ") && currentEvent === "content_block_delta") {
+            try {
+              const json = JSON.parse(line.slice(6));
+              if (json?.delta?.type === "text_delta" && typeof json.delta.text === "string") {
+                onContentDelta(json.delta.text);
+              }
+            } catch {
+            }
+          }
+        }
+        continue;
+      }
       lineBuf += chunk;
       const lines = lineBuf.split("\n");
       lineBuf = lines.pop() || "";
+      let adjusted = false;
+      const outputLines = [];
       for (const line of lines) {
         if (line.startsWith("event: ")) {
           currentEvent = line.slice(7).trim();
-        } else if (line.startsWith("data: ") && currentEvent === "content_block_delta") {
-          try {
-            const json = JSON.parse(line.slice(6));
-            if (json?.delta?.type === "text_delta" && typeof json.delta.text === "string") {
-              onContentDelta(json.delta.text);
+          outputLines.push(line);
+        } else if (line.startsWith("data: ") && currentEvent === "message_start" && !usageAdjusted) {
+          const adjustedLine = adjustMessageStartLine(line, totalTokensSaved);
+          if (adjustedLine) {
+            outputLines.push(adjustedLine);
+            usageAdjusted = true;
+            adjusted = true;
+          } else {
+            outputLines.push(line);
+          }
+        } else {
+          outputLines.push(line);
+          if (line.startsWith("data: ") && currentEvent === "content_block_delta") {
+            try {
+              const json = JSON.parse(line.slice(6));
+              if (json?.delta?.type === "text_delta" && typeof json.delta.text === "string") {
+                onContentDelta(json.delta.text);
+              }
+            } catch {
             }
-          } catch {
           }
         }
       }
+      if (adjusted) {
+        const reconstructed = outputLines.join("\n") + "\n" + (lineBuf ? "" : "");
+        clientRes.write(reconstructed);
+      } else {
+        clientRes.write(chunk);
+      }
     }
   } finally {
     clientRes.end();
@@ -1262,7 +2057,7 @@ async function pipeAnthropicSSEResponse(upstreamResponse, clientRes, onContentDe
 function setCORSHeaders2(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, x-liminal-session");
 }
 function sendAnthropicError(res, status, type, message) {
   setCORSHeaders2(res);
@@ -1293,7 +2088,7 @@ function convertCompressedToAnthropic(messages) {
     content: msg.content
   }));
 }
-async function handleAnthropicMessages(req, res, body, pipeline, config, logger) {
+async function handleAnthropicMessages(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
   const request = body;
   if (!request.messages || !Array.isArray(request.messages)) {
     sendAnthropicError(res, 400, "invalid_request_error", "messages is required and must be an array");
@@ -1310,24 +2105,47 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
   }
   let messages = request.messages;
   let anyCompressed = false;
+  let totalTokensSaved = 0;
   if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
     try {
       const compressRoles = new Set(config.compressRoles);
       const compressible = convertAnthropicToCompressible(request.messages);
-      const result = await compressMessages(
-        compressible,
+      const plan = analyzeConversation(compressible, {
+        hotFraction: config.hotFraction,
+        coldFraction: config.coldFraction,
+        aggregateThreshold: config.aggregateThreshold,
+        compressRoles,
+        compressToolResults: config.compressToolResults
+      });
+      if (plan.shouldCompress) {
+        logger.log(formatTiersLog(plan.hotCount, plan.warmCount, plan.coldCount, plan.totalEligibleTokens));
+      }
+      const result = await compressConversation(
         pipeline.pipeline,
         pipeline.session,
-        compressRoles
+        plan,
+        {
+          compressToolResults: config.compressToolResults,
+          logFn: (msg) => logger.log(msg),
+          semaphore,
+          semaphoreTimeoutMs: config.concurrencyTimeoutMs
+        }
       );
       messages = convertCompressedToAnthropic(result.messages);
       anyCompressed = result.anyCompressed;
+      totalTokensSaved = result.totalTokensSaved;
+      const latencyMs = Date.now() - compressStart;
+      const alert = latencyMonitor.record(sessionKey, latencyMs);
+      if (alert) {
+        logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+      }
       if (result.totalTokensSaved > 0) {
-        logger.log(`[COMPRESS] Saved ${result.totalTokensSaved} tokens`);
+        logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
       }
     } catch (err) {
       if (err instanceof RSCCircuitOpenError3) {
-        logger.log("[DEGRADE] Circuit breaker open -- passing through directly");
+        logger.log(formatDegradeLog());
       } else {
         logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
       }
@@ -1365,18 +2183,33 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
     }
     if (request.stream && upstreamResponse.body) {
       const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
       await pipeAnthropicSSEResponse(
         upstreamResponse,
         res,
         (text) => learningBuffer?.append(text),
-        () => learningBuffer?.flush()
+        () => learningBuffer?.flush(),
+        totalTokensSaved
       );
       return;
     }
     const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
+    let finalBody = responseBody;
+    if (totalTokensSaved > 0) {
+      try {
+        const parsed = JSON.parse(responseBody);
+        if (parsed?.usage?.input_tokens != null) {
+          parsed.usage.input_tokens += totalTokensSaved;
+          finalBody = JSON.stringify(parsed);
+          logger.log(`[TOKENS] Adjusted input_tokens by +${totalTokensSaved}`);
+        }
+      } catch {
+      }
+    }
     setCORSHeaders2(res);
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(responseBody);
+    res.end(finalBody);
     if (anyCompressed) {
       try {
         const parsed = JSON.parse(responseBody);
@@ -1399,61 +2232,478 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
   }
 }
 
-// src/proxy/handler.ts
+// src/proxy/responses.ts
+import { RSCCircuitOpenError as RSCCircuitOpenError4 } from "@cognisos/rsc-sdk";
+
+// src/proxy/responses-streaming.ts
+async function pipeResponsesSSE(upstreamResponse, clientRes, onContentDelta, onComplete, totalTokensSaved = 0) {
+  clientRes.writeHead(200, {
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache",
+    "Connection": "keep-alive",
+    "Access-Control-Allow-Origin": "*"
+  });
+  const reader = upstreamResponse.body.getReader();
+  const decoder = new TextDecoder();
+  let lineBuf = "";
+  let currentEvent = "";
+  let usageAdjusted = false;
+  const needsAdjustment = totalTokensSaved > 0;
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      const chunk = decoder.decode(value, { stream: true });
+      if (!needsAdjustment || usageAdjusted) {
+        clientRes.write(chunk);
+        lineBuf += chunk;
+        const lines2 = lineBuf.split("\n");
+        lineBuf = lines2.pop() || "";
+        for (const line of lines2) {
+          if (line.startsWith("event: ")) {
+            currentEvent = line.slice(7).trim();
+          } else if (line.startsWith("data: ") && currentEvent === "response.output_text.delta") {
+            try {
+              const json = JSON.parse(line.slice(6));
+              if (typeof json?.delta === "string") {
+                onContentDelta(json.delta);
+              }
+            } catch {
+            }
+          }
+        }
+        continue;
+      }
+      lineBuf += chunk;
+      const lines = lineBuf.split("\n");
+      lineBuf = lines.pop() || "";
+      let adjusted = false;
+      const outputLines = [];
+      for (const line of lines) {
+        if (line.startsWith("event: ")) {
+          currentEvent = line.slice(7).trim();
+          outputLines.push(line);
+        } else if (line.startsWith("data: ") && currentEvent === "response.completed" && !usageAdjusted) {
+          try {
+            const json = JSON.parse(line.slice(6));
+            if (json?.response?.usage?.input_tokens != null) {
+              json.response.usage.input_tokens += totalTokensSaved;
+              if (json.response.usage.total_tokens != null) {
+                json.response.usage.total_tokens += totalTokensSaved;
+              }
+              outputLines.push(`data: ${JSON.stringify(json)}`);
+              usageAdjusted = true;
+              adjusted = true;
+            } else {
+              outputLines.push(line);
+            }
+          } catch {
+            outputLines.push(line);
+          }
+        } else {
+          outputLines.push(line);
+          if (line.startsWith("data: ") && currentEvent === "response.output_text.delta") {
+            try {
+              const json = JSON.parse(line.slice(6));
+              if (typeof json?.delta === "string") {
+                onContentDelta(json.delta);
+              }
+            } catch {
+            }
+          }
+        }
+      }
+      if (adjusted) {
+        const reconstructed = outputLines.join("\n") + "\n";
+        clientRes.write(reconstructed);
+      } else {
+        clientRes.write(chunk);
+      }
+    }
+  } finally {
+    clientRes.end();
+    onComplete();
+  }
+}
+
+// src/proxy/responses.ts
 function setCORSHeaders3(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta");
-  res.setHeader("Access-Control-Max-Age", "86400");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
 }
 function sendJSON2(res, status, body) {
   setCORSHeaders3(res);
   res.writeHead(status, { "Content-Type": "application/json" });
   res.end(JSON.stringify(body));
 }
-function readBody(req) {
-  return new Promise((resolve, reject) => {
-    const chunks = [];
-    req.on("data", (chunk) => chunks.push(chunk));
-    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
-    req.on("error", reject);
-  });
+function extractBearerToken2(req) {
+  const auth = req.headers.authorization;
+  if (!auth || !auth.startsWith("Bearer ")) return null;
+  return auth.slice(7);
 }
-async function passthroughAnthropic(req, res, fullUrl, config, logger) {
-  const upstreamUrl = `${config.anthropicUpstreamUrl}${fullUrl}`;
-  const headers = {
-    "Content-Type": "application/json"
-  };
-  const xApiKey = req.headers["x-api-key"];
-  if (typeof xApiKey === "string") headers["x-api-key"] = xApiKey;
-  const auth = req.headers["authorization"];
-  if (typeof auth === "string") headers["Authorization"] = auth;
-  const version = req.headers["anthropic-version"];
-  if (typeof version === "string") headers["anthropic-version"] = version;
-  const beta = req.headers["anthropic-beta"];
-  if (typeof beta === "string") headers["anthropic-beta"] = beta;
-  try {
-    const body = await readBody(req);
-    const upstreamRes = await fetch(upstreamUrl, {
-      method: "POST",
-      headers,
-      body
-    });
-    const responseBody = await upstreamRes.text();
-    setCORSHeaders3(res);
-    res.writeHead(upstreamRes.status, {
-      "Content-Type": upstreamRes.headers.get("Content-Type") || "application/json"
-    });
-    res.end(responseBody);
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    logger.log(`[ERROR] Passthrough failed: ${message}`);
-    setCORSHeaders3(res);
-    res.writeHead(502, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ type: "error", error: { type: "api_error", message: `Failed to reach upstream: ${message}` } }));
+function isMessageItem(item) {
+  return item.type === "message";
+}
+function inputToCompressibleMessages(input) {
+  if (typeof input === "string") {
+    return [{ role: "user", content: input }];
+  }
+  const messages = [];
+  for (const item of input) {
+    if (!isMessageItem(item)) continue;
+    if (typeof item.content === "string") {
+      const role = item.role === "developer" ? "system" : item.role;
+      messages.push({ role, content: item.content });
+    } else if (Array.isArray(item.content)) {
+      const role = item.role === "developer" ? "system" : item.role;
+      const parts = item.content.map((c) => {
+        if (c.type === "input_text") {
+          return { type: "text", text: c.text };
+        }
+        return c;
+      });
+      messages.push({ role, content: parts });
+    }
+  }
+  return messages;
+}
+function applyCompressedToInput(originalInput, compressedMessages) {
+  if (typeof originalInput === "string") {
+    const first = compressedMessages[0];
+    if (first && typeof first.content === "string") {
+      return first.content;
+    }
+    return originalInput;
+  }
+  let msgIdx = 0;
+  const result = [];
+  for (const item of originalInput) {
+    if (!isMessageItem(item)) {
+      result.push(item);
+      continue;
+    }
+    const compressed = compressedMessages[msgIdx];
+    msgIdx++;
+    if (!compressed) {
+      result.push(item);
+      continue;
+    }
+    if (typeof compressed.content === "string") {
+      result.push({
+        ...item,
+        content: compressed.content
+      });
+    } else if (Array.isArray(compressed.content)) {
+      const content = compressed.content.map((part) => {
+        if (part.type === "text" && "text" in part) {
+          return { type: "input_text", text: part.text };
+        }
+        return part;
+      });
+      result.push({
+        ...item,
+        content
+      });
+    } else {
+      result.push(item);
+    }
+  }
+  return result;
+}
+function extractOutputText(output) {
+  const texts = [];
+  for (const item of output) {
+    if (item.type === "message") {
+      const msg = item;
+      for (const block of msg.content) {
+        if (block.type === "output_text" && typeof block.text === "string") {
+          texts.push(block.text);
+        }
+      }
+    }
   }
+  return texts.join("");
 }
-function createRequestHandler(pipeline, config, logger) {
+async function handleResponses(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
+  const request = body;
+  if (request.input === void 0 || request.input === null) {
+    sendJSON2(res, 400, {
+      error: { message: "input is required", type: "invalid_request_error" }
+    });
+    return;
+  }
+  const llmApiKey = extractBearerToken2(req);
+  if (!llmApiKey) {
+    sendJSON2(res, 401, {
+      error: { message: "Authorization header with Bearer token is required", type: "authentication_error" }
+    });
+    return;
+  }
+  let compressedInput = request.input;
+  let anyCompressed = false;
+  let totalTokensSaved = 0;
+  if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
+    try {
+      const compressRoles = new Set(config.compressRoles);
+      const compressible = inputToCompressibleMessages(request.input);
+      if (compressible.length > 0) {
+        const result = await compressMessages(
+          compressible,
+          pipeline.pipeline,
+          pipeline.session,
+          compressRoles
+        );
+        compressedInput = applyCompressedToInput(request.input, result.messages);
+        anyCompressed = result.anyCompressed;
+        totalTokensSaved = result.totalTokensSaved;
+        const latencyMs = Date.now() - compressStart;
+        const alert = latencyMonitor.record(sessionKey, latencyMs);
+        if (alert) {
+          logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+        }
+        if (result.totalTokensSaved > 0) {
+          logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
+        }
+      }
+    } catch (err) {
+      if (err instanceof RSCCircuitOpenError4) {
+        logger.log(formatDegradeLog());
+      } else {
+        logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
+      }
+      compressedInput = request.input;
+    }
+  }
+  const upstreamUrl = `${config.upstreamBaseUrl}/v1/responses`;
+  const upstreamBody = { ...request, input: compressedInput };
+  const upstreamHeaders = {
+    "Authorization": `Bearer ${llmApiKey}`,
+    "Content-Type": "application/json"
+  };
+  if (request.stream) {
+    upstreamHeaders["Accept"] = "text/event-stream";
+  }
+  logger.log(`[RESPONSES] ${request.model} \u2192 ${upstreamUrl}`);
+  try {
+    const upstreamResponse = await fetch(upstreamUrl, {
+      method: "POST",
+      headers: upstreamHeaders,
+      body: JSON.stringify(upstreamBody)
+    });
+    if (!upstreamResponse.ok) {
+      const errorBody = await upstreamResponse.text();
+      logger.log(`[RESPONSES] Upstream error ${upstreamResponse.status}: ${errorBody.slice(0, 500)}`);
+      setCORSHeaders3(res);
+      res.writeHead(upstreamResponse.status, {
+        "Content-Type": upstreamResponse.headers.get("Content-Type") || "application/json"
+      });
+      res.end(errorBody);
+      return;
+    }
+    if (request.stream && upstreamResponse.body) {
+      const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
+      await pipeResponsesSSE(
+        upstreamResponse,
+        res,
+        (text) => learningBuffer?.append(text),
+        () => learningBuffer?.flush(),
+        totalTokensSaved
+      );
+      return;
+    }
+    const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
+    let finalBody = responseBody;
+    if (totalTokensSaved > 0) {
+      try {
+        const parsed = JSON.parse(responseBody);
+        if (parsed?.usage?.input_tokens != null) {
+          parsed.usage.input_tokens += totalTokensSaved;
+          if (parsed.usage.total_tokens != null) {
+            parsed.usage.total_tokens += totalTokensSaved;
+          }
+          finalBody = JSON.stringify(parsed);
+          logger.log(`[TOKENS] Adjusted input_tokens by +${totalTokensSaved}`);
+        }
+      } catch {
+      }
+    }
+    setCORSHeaders3(res);
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(finalBody);
+    if (anyCompressed) {
+      try {
+        const parsed = JSON.parse(responseBody);
+        if (parsed?.output) {
+          const text = extractOutputText(parsed.output);
+          if (text.length > 0) {
+            pipeline.pipeline.triggerLearning(text);
+          }
+        }
+      } catch {
+      }
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    logger.log(`[ERROR] Upstream request failed: ${message}`);
+    if (!res.headersSent) {
+      sendJSON2(res, 502, {
+        error: { message: `Failed to reach upstream LLM: ${message}`, type: "server_error" }
+      });
+    }
+  }
+}
+
+// src/proxy/session-identity.ts
+import * as crypto from "crypto";
+function identifySession(req, pathname) {
+  const connector = detectConnector(req, pathname);
+  const windowHash = deriveWindowHash(req);
+  return { connector, windowHash, raw: `${connector}:${windowHash}` };
+}
+function detectConnector(req, pathname) {
+  if (req.headers["x-api-key"] || req.headers["anthropic-version"]) {
+    return "claude-code";
+  }
+  if (pathname.startsWith("/v1/responses") || pathname.startsWith("/responses")) {
+    return "codex";
+  }
+  const ua = req.headers["user-agent"] ?? "";
+  if (/cursor/i.test(ua)) {
+    return "cursor";
+  }
+  return "openai-compatible";
+}
+function deriveWindowHash(req) {
+  const liminalSession = req.headers["x-liminal-session"];
+  if (typeof liminalSession === "string" && liminalSession.length > 0) {
+    return liminalSession;
+  }
+  const credential = extractCredential(req);
+  if (!credential) return "anonymous";
+  return crypto.createHash("sha256").update(credential).digest("hex").slice(0, 8);
+}
+function extractCredential(req) {
+  const apiKey = req.headers["x-api-key"];
+  if (typeof apiKey === "string" && apiKey.length > 0) return apiKey;
+  const auth = req.headers["authorization"];
+  if (typeof auth === "string") {
+    const match = auth.match(/^Bearer\s+(.+)$/i);
+    if (match) return match[1];
+  }
+  return null;
+}
+
+// src/proxy/handler.ts
+function setCORSHeaders4(res) {
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, PATCH");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, anthropic-dangerous-direct-browser-access, x-liminal-session");
+  res.setHeader("Access-Control-Max-Age", "86400");
+}
+function sendJSON3(res, status, body) {
+  setCORSHeaders4(res);
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(JSON.stringify(body));
+}
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve(Buffer.concat(chunks)));
+    req.on("error", reject);
+  });
+}
+function detectUpstream(req, url) {
+  if (req.headers["x-api-key"]) return "anthropic";
+  if (req.headers["anthropic-version"]) return "anthropic";
+  if (url.startsWith("/v1/messages") || url.startsWith("/messages")) return "anthropic";
+  return "anthropic";
+}
+function getUpstreamBaseUrl(target, config) {
+  return target === "anthropic" ? config.anthropicUpstreamUrl : config.upstreamBaseUrl;
+}
+var HOP_BY_HOP = /* @__PURE__ */ new Set([
+  "host",
+  "connection",
+  "keep-alive",
+  "transfer-encoding",
+  "te",
+  "trailer",
+  "upgrade",
+  "proxy-authorization",
+  "proxy-authenticate"
+]);
+function buildUpstreamHeaders(req) {
+  const headers = {};
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (HOP_BY_HOP.has(key)) continue;
+    if (value === void 0) continue;
+    headers[key] = Array.isArray(value) ? value.join(", ") : value;
+  }
+  return headers;
+}
+async function passthroughToUpstream(req, res, fullUrl, config, logger) {
+  const target = detectUpstream(req, fullUrl);
+  const upstreamBase = getUpstreamBaseUrl(target, config);
+  const upstreamUrl = `${upstreamBase}${fullUrl}`;
+  const method = req.method?.toUpperCase() ?? "GET";
+  logger.log(`[PASSTHROUGH] ${method} ${fullUrl} \u2192 ${target} (${upstreamUrl})`);
+  const headers = buildUpstreamHeaders(req);
+  try {
+    const hasBody = method !== "GET" && method !== "HEAD";
+    const body = hasBody ? await readBody(req) : void 0;
+    const upstreamRes = await fetch(upstreamUrl, {
+      method,
+      headers,
+      body
+    });
+    const contentType = upstreamRes.headers.get("Content-Type") || "application/json";
+    const isStreaming = contentType.includes("text/event-stream");
+    if (isStreaming && upstreamRes.body) {
+      setCORSHeaders4(res);
+      res.writeHead(upstreamRes.status, {
+        "Content-Type": contentType,
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive"
+      });
+      const reader = upstreamRes.body.getReader();
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          res.write(value);
+        }
+      } finally {
+        res.end();
+      }
+    } else {
+      const responseBody = await upstreamRes.arrayBuffer();
+      setCORSHeaders4(res);
+      const responseHeaders = { "Content-Type": contentType };
+      const reqId = upstreamRes.headers.get("request-id");
+      if (reqId) responseHeaders["request-id"] = reqId;
+      res.writeHead(upstreamRes.status, responseHeaders);
+      res.end(Buffer.from(responseBody));
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    logger.log(`[ERROR] Passthrough to ${target} failed: ${message}`);
+    if (!res.headersSent) {
+      setCORSHeaders4(res);
+      res.writeHead(502, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        type: "error",
+        error: { type: "api_error", message: `Liminal proxy: failed to reach ${target} upstream: ${message}` }
+      }));
+    }
+  }
+}
+function createRequestHandler(deps) {
+  const { sessions, semaphore, latencyMonitor, config, logger } = deps;
   const startTime = Date.now();
   return async (req, res) => {
     try {
@@ -1463,100 +2713,92 @@ function createRequestHandler(pipeline, config, logger) {
       const authType = req.headers["x-api-key"] ? "x-api-key" : req.headers["authorization"] ? "bearer" : "none";
       logger.log(`[REQUEST] ${method} ${fullUrl} (auth: ${authType})`);
       if (method === "OPTIONS") {
-        setCORSHeaders3(res);
+        setCORSHeaders4(res);
         res.writeHead(204);
         res.end();
         return;
       }
       if (method === "GET" && (url === "/health" || url === "/")) {
-        const summary = pipeline.getSessionSummary();
-        sendJSON2(res, 200, {
+        const sessionSummaries = sessions.getAllSummaries();
+        sendJSON3(res, 200, {
           status: "ok",
           version: config.rscApiKey ? "connected" : "no-api-key",
-          rsc_connected: !pipeline.isCircuitOpen(),
-          circuit_state: pipeline.getCircuitState(),
-          session_id: summary.sessionId,
           uptime_ms: Date.now() - startTime,
-          session: {
-            tokens_processed: summary.tokensProcessed,
-            tokens_saved: summary.tokensSaved,
-            calls_total: summary.totalCalls,
-            calls_compressed: summary.compressedCalls,
-            calls_skipped: summary.skippedCalls,
-            calls_failed: summary.failedCalls,
-            patterns_learned: summary.patternsLearned,
-            estimated_cost_saved_usd: summary.estimatedCostSaved
-          }
+          concurrency: {
+            active_sessions: sessions.activeCount,
+            semaphore_available: semaphore.available,
+            semaphore_waiting: semaphore.waiting,
+            max_concurrent_rsc_calls: config.concurrencyLimit
+          },
+          latency: {
+            global_p95_ms: latencyMonitor.getGlobalP95()
+          },
+          sessions: sessionSummaries.map((s) => ({
+            session_key: s.key,
+            connector: s.connector,
+            circuit_state: s.circuitState,
+            tokens_processed: s.tokensProcessed,
+            tokens_saved: s.tokensSaved,
+            calls_total: s.totalCalls,
+            calls_compressed: s.compressedCalls,
+            calls_failed: s.failedCalls,
+            p95_latency_ms: latencyMonitor.getSessionP95(s.key),
+            last_active_ago_ms: Date.now() - s.lastAccessedAt
+          }))
         });
         return;
       }
-      if (method === "GET" && (url === "/v1/models" || url === "/models")) {
-        const llmApiKey = req.headers.authorization?.slice(7);
-        if (!llmApiKey) {
-          sendJSON2(res, 401, {
-            error: { message: "Authorization header with Bearer token is required", type: "authentication_error" }
-          });
-          return;
-        }
+      const sessionKey = identifySession(req, url);
+      const pipeline = sessions.getOrCreate(sessionKey);
+      if (method === "POST" && (url === "/v1/chat/completions" || url === "/chat/completions")) {
+        const body = await readBody(req);
+        let parsed;
         try {
-          const upstreamRes = await fetch(`${config.upstreamBaseUrl}/v1/models`, {
-            headers: { "Authorization": `Bearer ${llmApiKey}` }
-          });
-          const body = await upstreamRes.text();
-          setCORSHeaders3(res);
-          res.writeHead(upstreamRes.status, {
-            "Content-Type": upstreamRes.headers.get("Content-Type") || "application/json"
-          });
-          res.end(body);
-        } catch (err) {
-          const message = err instanceof Error ? err.message : String(err);
-          sendJSON2(res, 502, {
-            error: { message: `Failed to reach upstream: ${message}`, type: "server_error" }
+          parsed = JSON.parse(body.toString("utf-8"));
+        } catch {
+          sendJSON3(res, 400, {
+            error: { message: "Invalid JSON body", type: "invalid_request_error" }
           });
+          return;
         }
+        await handleChatCompletions(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
-      if (method === "POST" && (url === "/v1/chat/completions" || url === "/chat/completions")) {
+      if (method === "POST" && (url === "/v1/responses" || url === "/responses")) {
         const body = await readBody(req);
         let parsed;
         try {
-          parsed = JSON.parse(body);
+          parsed = JSON.parse(body.toString("utf-8"));
         } catch {
-          sendJSON2(res, 400, {
+          sendJSON3(res, 400, {
             error: { message: "Invalid JSON body", type: "invalid_request_error" }
           });
           return;
         }
-        await handleChatCompletions(req, res, parsed, pipeline, config, logger);
+        await handleResponses(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
       if (method === "POST" && (url === "/v1/messages" || url === "/messages")) {
         const body = await readBody(req);
         let parsed;
         try {
-          parsed = JSON.parse(body);
+          parsed = JSON.parse(body.toString("utf-8"));
         } catch {
-          sendJSON2(res, 400, {
+          sendJSON3(res, 400, {
             type: "error",
             error: { type: "invalid_request_error", message: "Invalid JSON body" }
           });
           return;
         }
-        await handleAnthropicMessages(req, res, parsed, pipeline, config, logger);
-        return;
-      }
-      if (method === "POST" && url.startsWith("/v1/messages/")) {
-        await passthroughAnthropic(req, res, fullUrl, config, logger);
+        await handleAnthropicMessages(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
-      sendJSON2(res, 404, {
-        error: { message: `Not found: ${method} ${url}`, type: "invalid_request_error" }
-      });
+      await passthroughToUpstream(req, res, fullUrl, config, logger);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       logger.log(`[ERROR] Proxy handler error: ${message}`);
       if (!res.headersSent) {
-        sendJSON2(res, 500, {
+        sendJSON3(res, 500, {
           error: { message: "Internal proxy error", type: "server_error" }
         });
       }
@@ -1564,123 +2806,783 @@ function createRequestHandler(pipeline, config, logger) {
   };
 }
 
-// src/proxy/server.ts
-import * as http from "http";
-var MAX_PORT_RETRIES = 5;
-var ProxyServer = class {
-  server = null;
-  activePort = null;
-  requestedPort;
-  handler;
-  constructor(port, handler) {
-    this.requestedPort = port;
-    this.handler = handler;
+// src/proxy/server.ts
+import * as http from "http";
+var MAX_PORT_RETRIES = 5;
+var ProxyServer = class {
+  server = null;
+  activePort = null;
+  requestedPort;
+  handler;
+  connectHandler;
+  constructor(port, handler, connectHandler) {
+    this.requestedPort = port;
+    this.handler = handler;
+    this.connectHandler = connectHandler ?? null;
+  }
+  async start() {
+    let lastError = null;
+    for (let attempt = 0; attempt < MAX_PORT_RETRIES; attempt++) {
+      const port = this.requestedPort + attempt;
+      try {
+        await this.listen(port);
+        this.activePort = port;
+        return port;
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (err.code !== "EADDRINUSE") {
+          throw lastError;
+        }
+      }
+    }
+    throw lastError ?? new Error(`All ports ${this.requestedPort}-${this.requestedPort + MAX_PORT_RETRIES - 1} in use`);
+  }
+  listen(port) {
+    return new Promise((resolve, reject) => {
+      const server = http.createServer(this.handler);
+      if (this.connectHandler) {
+        server.on("connect", this.connectHandler);
+      }
+      server.on("error", reject);
+      server.listen(port, "127.0.0.1", () => {
+        server.removeListener("error", reject);
+        this.server = server;
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    if (!this.server) return;
+    return new Promise((resolve) => {
+      this.server.close(() => {
+        this.server = null;
+        this.activePort = null;
+        resolve();
+      });
+    });
+  }
+  isRunning() {
+    return this.server !== null && this.server.listening;
+  }
+  getPort() {
+    return this.activePort;
+  }
+  /** Expose internal HTTP server for MITM bridge socket injection */
+  getHttpServer() {
+    return this.server;
+  }
+};
+
+// src/daemon/logger.ts
+import { appendFileSync as appendFileSync2, statSync, renameSync, mkdirSync as mkdirSync2, existsSync as existsSync5 } from "fs";
+import { dirname as dirname2 } from "path";
+var MAX_LOG_SIZE = 10 * 1024 * 1024;
+var MAX_BACKUPS = 2;
+var FileLogger = class {
+  logFile;
+  mirrorStdout;
+  constructor(options) {
+    this.logFile = options?.logFile ?? LOG_FILE;
+    this.mirrorStdout = options?.mirrorStdout ?? false;
+    const logDir = dirname2(this.logFile);
+    if (!existsSync5(logDir)) {
+      mkdirSync2(logDir, { recursive: true });
+    }
+  }
+  log(message) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
+    const line = `[${timestamp}] ${message}
+`;
+    try {
+      appendFileSync2(this.logFile, line);
+    } catch {
+      process.stderr.write(`[LOG-WRITE-FAILED] ${line}`);
+    }
+    if (this.mirrorStdout) {
+      process.stdout.write(line);
+    }
+    this.rotateIfNeeded();
+  }
+  rotateIfNeeded() {
+    try {
+      const stats = statSync(this.logFile);
+      if (stats.size <= MAX_LOG_SIZE) return;
+      for (let i = MAX_BACKUPS - 1; i >= 1; i--) {
+        const from = `${this.logFile}.${i}`;
+        const to = `${this.logFile}.${i + 1}`;
+        if (existsSync5(from)) renameSync(from, to);
+      }
+      renameSync(this.logFile, `${this.logFile}.1`);
+    } catch {
+    }
+  }
+  getLogFile() {
+    return this.logFile;
+  }
+};
+
+// src/rsc/session-manager.ts
+init_pipeline();
+var DEFAULT_MAX_SESSIONS = 10;
+var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
+var EVICTION_INTERVAL_MS = 6e4;
+var SessionManager = class {
+  sessions = /* @__PURE__ */ new Map();
+  config;
+  evictionTimer = null;
+  constructor(config) {
+    this.config = {
+      ...config,
+      maxSessions: config.maxSessions ?? DEFAULT_MAX_SESSIONS,
+      sessionTtlMs: config.sessionTtlMs ?? DEFAULT_SESSION_TTL_MS
+    };
+    this.evictionTimer = setInterval(() => this.evictStale(), EVICTION_INTERVAL_MS);
+    if (this.evictionTimer.unref) {
+      this.evictionTimer.unref();
+    }
+  }
+  // ── Public API ──────────────────────────────────────────────────────
+  getOrCreate(key) {
+    const existing = this.sessions.get(key.raw);
+    if (existing) {
+      existing.lastAccessedAt = Date.now();
+      existing.requestCount++;
+      return existing.pipeline;
+    }
+    if (this.sessions.size >= this.config.maxSessions) {
+      this.evictLRU();
+    }
+    const pipeline = new RSCPipelineWrapper({
+      ...this.config.pipelineConfig,
+      sessionId: key.raw
+    });
+    this.sessions.set(key.raw, {
+      pipeline,
+      lastAccessedAt: Date.now(),
+      requestCount: 1,
+      connector: key.connector
+    });
+    this.config.onSessionCreated?.(key.raw, pipeline);
+    return pipeline;
+  }
+  getAllSummaries() {
+    const entries = [];
+    for (const [key, managed] of this.sessions) {
+      entries.push(this.buildHealthEntry(key, managed));
+    }
+    return entries;
+  }
+  getSessionSummary(key) {
+    const managed = this.sessions.get(key);
+    if (!managed) return null;
+    return this.buildHealthEntry(key, managed);
+  }
+  get activeCount() {
+    return this.sessions.size;
+  }
+  shutdown() {
+    if (this.evictionTimer !== null) {
+      clearInterval(this.evictionTimer);
+      this.evictionTimer = null;
+    }
+    this.sessions.clear();
+  }
+  // ── Internals ───────────────────────────────────────────────────────
+  buildHealthEntry(key, managed) {
+    const summary = managed.pipeline.getSessionSummary();
+    return {
+      key,
+      connector: managed.connector,
+      circuitState: managed.pipeline.getCircuitState(),
+      tokensProcessed: summary.tokensProcessed,
+      tokensSaved: summary.tokensSaved,
+      totalCalls: summary.totalCalls,
+      compressedCalls: summary.compressedCalls,
+      failedCalls: summary.failedCalls,
+      lastAccessedAt: managed.lastAccessedAt
+    };
+  }
+  evictStale() {
+    const now = Date.now();
+    const cutoff = now - this.config.sessionTtlMs;
+    for (const [key, managed] of this.sessions) {
+      if (managed.lastAccessedAt < cutoff) {
+        this.sessions.delete(key);
+        this.config.onSessionEvicted?.(key);
+      }
+    }
+  }
+  evictLRU() {
+    let oldestKey = null;
+    let oldestTime = Infinity;
+    for (const [key, managed] of this.sessions) {
+      if (managed.lastAccessedAt < oldestTime) {
+        oldestTime = managed.lastAccessedAt;
+        oldestKey = key;
+      }
+    }
+    if (oldestKey !== null) {
+      this.sessions.delete(oldestKey);
+      this.config.onSessionEvicted?.(oldestKey);
+    }
+  }
+};
+
+// src/rsc/semaphore.ts
+var SemaphoreTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Semaphore acquire timed out after ${timeoutMs}ms`);
+    this.name = "SemaphoreTimeoutError";
+  }
+};
+var Semaphore = class {
+  permits;
+  queue = [];
+  constructor(maxPermits) {
+    if (maxPermits < 1) throw new RangeError("maxPermits must be >= 1");
+    this.permits = maxPermits;
+  }
+  get available() {
+    return this.permits;
+  }
+  get waiting() {
+    return this.queue.length;
+  }
+  acquire(timeoutMs) {
+    if (this.permits > 0) {
+      this.permits--;
+      return Promise.resolve();
+    }
+    return new Promise((resolve, reject) => {
+      const waiter = { resolve, reject };
+      this.queue.push(waiter);
+      if (timeoutMs !== void 0 && timeoutMs >= 0) {
+        const timer = setTimeout(() => {
+          const idx = this.queue.indexOf(waiter);
+          if (idx !== -1) {
+            this.queue.splice(idx, 1);
+            reject(new SemaphoreTimeoutError(timeoutMs));
+          }
+        }, timeoutMs);
+        const originalResolve = waiter.resolve;
+        waiter.resolve = () => {
+          clearTimeout(timer);
+          originalResolve();
+        };
+      }
+    });
+  }
+  release() {
+    const next = this.queue.shift();
+    if (next) {
+      next.resolve();
+    } else {
+      this.permits++;
+    }
+  }
+};
+
+// src/rsc/latency-monitor.ts
+var DEFAULT_CONFIG = {
+  warningThresholdMs: 4e3,
+  criticalThresholdMs: 8e3,
+  windowSize: 50
+};
+var CircularBuffer = class {
+  buffer;
+  index = 0;
+  count = 0;
+  capacity;
+  constructor(capacity) {
+    this.capacity = capacity;
+    this.buffer = new Array(capacity);
+  }
+  push(value) {
+    this.buffer[this.index] = value;
+    this.index = (this.index + 1) % this.capacity;
+    if (this.count < this.capacity) {
+      this.count++;
+    }
+  }
+  getValues() {
+    if (this.count < this.capacity) {
+      return this.buffer.slice(0, this.count);
+    }
+    return [...this.buffer.slice(this.index), ...this.buffer.slice(0, this.index)];
+  }
+  get size() {
+    return this.count;
+  }
+};
+function calculateP95(values) {
+  if (values.length === 0) return null;
+  const sorted = [...values].sort((a, b) => a - b);
+  const idx = Math.floor(sorted.length * 0.95);
+  return sorted[Math.min(idx, sorted.length - 1)];
+}
+var LatencyMonitor = class {
+  config;
+  sessionWindows = /* @__PURE__ */ new Map();
+  globalWindow;
+  callbacks = [];
+  constructor(config) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+    this.globalWindow = new CircularBuffer(this.config.windowSize * 4);
+  }
+  record(sessionKey, latencyMs) {
+    let sessionBuf = this.sessionWindows.get(sessionKey);
+    if (!sessionBuf) {
+      sessionBuf = new CircularBuffer(this.config.windowSize);
+      this.sessionWindows.set(sessionKey, sessionBuf);
+    }
+    sessionBuf.push(latencyMs);
+    this.globalWindow.push(latencyMs);
+    const globalP95 = calculateP95(this.globalWindow.getValues());
+    if (globalP95 === null) return null;
+    let alert = null;
+    if (globalP95 >= this.config.criticalThresholdMs) {
+      alert = {
+        type: "critical",
+        message: `Global p95 latency ${globalP95.toFixed(0)}ms exceeds critical threshold ${this.config.criticalThresholdMs}ms`,
+        sessionKey,
+        p95Ms: globalP95,
+        thresholdMs: this.config.criticalThresholdMs,
+        activeSessions: this.sessionWindows.size,
+        suggestion: "Reduce active sessions or increase latency budget"
+      };
+    } else if (globalP95 >= this.config.warningThresholdMs) {
+      alert = {
+        type: "warning",
+        message: `Global p95 latency ${globalP95.toFixed(0)}ms exceeds warning threshold ${this.config.warningThresholdMs}ms`,
+        sessionKey,
+        p95Ms: globalP95,
+        thresholdMs: this.config.warningThresholdMs,
+        activeSessions: this.sessionWindows.size,
+        suggestion: "Consider reducing active sessions"
+      };
+    }
+    if (alert) {
+      for (const cb of this.callbacks) {
+        cb(alert);
+      }
+    }
+    return alert;
+  }
+  getSessionP95(sessionKey) {
+    const buf = this.sessionWindows.get(sessionKey);
+    if (!buf) return null;
+    return calculateP95(buf.getValues());
+  }
+  getGlobalP95() {
+    return calculateP95(this.globalWindow.getValues());
+  }
+  onAlert(cb) {
+    this.callbacks.push(cb);
+  }
+  get sessionCount() {
+    return this.sessionWindows.size;
+  }
+};
+
+// src/tls/connect-handler.ts
+import * as net from "net";
+
+// src/tls/allowlist.ts
+var MITM_HOSTS = /* @__PURE__ */ new Set([
+  "api.openai.com",
+  "api.anthropic.com",
+  "generativelanguage.googleapis.com"
+]);
+function shouldIntercept(hostname) {
+  return MITM_HOSTS.has(hostname);
+}
+
+// src/tls/connect-handler.ts
+function createConnectHandler(options) {
+  const { logger, onIntercept } = options;
+  return (req, clientSocket, head) => {
+    const target = req.url ?? "";
+    const [hostname, portStr] = parseConnectTarget(target);
+    const port = parseInt(portStr, 10) || 443;
+    if (!hostname) {
+      logger.log(`[CONNECT] Invalid target: ${target}`);
+      clientSocket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+      clientSocket.destroy();
+      return;
+    }
+    if (shouldIntercept(hostname) && onIntercept) {
+      logger.log(`[CONNECT] ${hostname}:${port} \u2192 intercept`);
+      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+      if (head.length > 0) {
+        clientSocket.unshift(head);
+      }
+      onIntercept(clientSocket, hostname, port);
+    } else {
+      logger.log(`[TUNNEL] ${hostname}:${port} \u2192 passthrough`);
+      const upstreamSocket = net.connect(port, hostname, () => {
+        clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+        if (head.length > 0) {
+          upstreamSocket.write(head);
+        }
+        clientSocket.pipe(upstreamSocket);
+        upstreamSocket.pipe(clientSocket);
+      });
+      upstreamSocket.on("error", (err) => {
+        logger.log(`[TUNNEL] ${hostname}:${port} upstream error: ${err.message}`);
+        clientSocket.write("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+        clientSocket.destroy();
+      });
+      clientSocket.on("error", (err) => {
+        logger.log(`[TUNNEL] ${hostname}:${port} client error: ${err.message}`);
+        upstreamSocket.destroy();
+      });
+      clientSocket.on("close", () => upstreamSocket.destroy());
+      upstreamSocket.on("close", () => clientSocket.destroy());
+    }
+  };
+}
+function parseConnectTarget(target) {
+  const colonIdx = target.lastIndexOf(":");
+  if (colonIdx === -1) return [target, "443"];
+  return [target.slice(0, colonIdx), target.slice(colonIdx + 1)];
+}
+
+// src/tls/ca.ts
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, unlinkSync } from "fs";
+import { join as join5 } from "path";
+import forge from "node-forge";
+var CA_CERT_PATH = join5(LIMINAL_DIR, "ca.pem");
+var CA_KEY_PATH = join5(LIMINAL_DIR, "ca-key.pem");
+function generateCA() {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = generateSerialNumber();
+  cert.validity.notBefore = /* @__PURE__ */ new Date();
+  cert.validity.notAfter = /* @__PURE__ */ new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 5);
+  const attrs = [
+    { name: "commonName", value: "Liminal Proxy CA" },
+    { name: "organizationName", value: "Liminal (Cognisos)" },
+    { shortName: "OU", value: "Local Development" }
+  ];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    { name: "basicConstraints", cA: true, critical: true },
+    { name: "keyUsage", keyCertSign: true, cRLSign: true, critical: true },
+    {
+      name: "subjectKeyIdentifier"
+    }
+  ]);
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+  return {
+    certPem: forge.pki.certificateToPem(cert),
+    keyPem: forge.pki.privateKeyToPem(keys.privateKey)
+  };
+}
+function generateAndSaveCA() {
+  if (!existsSync6(LIMINAL_DIR)) {
+    mkdirSync3(LIMINAL_DIR, { recursive: true, mode: 448 });
+  }
+  const { certPem, keyPem } = generateCA();
+  writeFileSync3(CA_CERT_PATH, certPem, { encoding: "utf-8", mode: 420 });
+  writeFileSync3(CA_KEY_PATH, keyPem, { encoding: "utf-8", mode: 384 });
+  return { certPem, keyPem };
+}
+function loadCA() {
+  if (!existsSync6(CA_CERT_PATH) || !existsSync6(CA_KEY_PATH)) {
+    return null;
+  }
+  return {
+    certPem: readFileSync4(CA_CERT_PATH, "utf-8"),
+    keyPem: readFileSync4(CA_KEY_PATH, "utf-8")
+  };
+}
+function ensureCA() {
+  const existing = loadCA();
+  if (existing) return existing;
+  return generateAndSaveCA();
+}
+function hasCA() {
+  return existsSync6(CA_CERT_PATH) && existsSync6(CA_KEY_PATH);
+}
+function removeCA() {
+  if (existsSync6(CA_CERT_PATH)) unlinkSync(CA_CERT_PATH);
+  if (existsSync6(CA_KEY_PATH)) unlinkSync(CA_KEY_PATH);
+}
+function getCAInfo() {
+  const ca = loadCA();
+  if (!ca) return null;
+  const cert = forge.pki.certificateFromPem(ca.certPem);
+  const cn = cert.subject.getField("CN");
+  const der = forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes();
+  const md = forge.md.sha256.create();
+  md.update(der);
+  const fingerprint = md.digest().toHex().match(/.{2}/g).join(":").toUpperCase();
+  return {
+    commonName: cn ? cn.value : "Unknown",
+    validFrom: cert.validity.notBefore,
+    validTo: cert.validity.notAfter,
+    fingerprint
+  };
+}
+function generateSerialNumber() {
+  const bytes = forge.random.getBytesSync(16);
+  return forge.util.bytesToHex(bytes);
+}
+
+// src/tls/trust.ts
+import { execSync as execSync3 } from "child_process";
+import { existsSync as existsSync7, copyFileSync, unlinkSync as unlinkSync2 } from "fs";
+function installCA() {
+  if (!existsSync7(CA_CERT_PATH)) {
+    return { success: false, message: 'CA certificate not found. Run "liminal init" first.', requiresSudo: false };
   }
-  async start() {
-    let lastError = null;
-    for (let attempt = 0; attempt < MAX_PORT_RETRIES; attempt++) {
-      const port = this.requestedPort + attempt;
-      try {
-        await this.listen(port);
-        this.activePort = port;
-        return port;
-      } catch (err) {
-        lastError = err instanceof Error ? err : new Error(String(err));
-        if (err.code !== "EADDRINUSE") {
-          throw lastError;
-        }
-      }
+  const platform = process.platform;
+  if (platform === "darwin") return installMacOS();
+  if (platform === "linux") return installLinux();
+  if (platform === "win32") return installWindows();
+  return { success: false, message: `Unsupported platform: ${platform}`, requiresSudo: false };
+}
+function removeCA2() {
+  const platform = process.platform;
+  if (platform === "darwin") return removeMacOS();
+  if (platform === "linux") return removeLinux();
+  if (platform === "win32") return removeWindows();
+  return { success: false, message: `Unsupported platform: ${platform}`, requiresSudo: false };
+}
+function isCATrusted() {
+  const platform = process.platform;
+  if (platform === "darwin") return isTrustedMacOS();
+  if (platform === "linux") return isTrustedLinux();
+  if (platform === "win32") return isTrustedWindows();
+  return false;
+}
+var MACOS_LABEL = "Liminal Proxy CA";
+function installMacOS() {
+  try {
+    execSync3(
+      `security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db "${CA_CERT_PATH}"`,
+      { stdio: "pipe" }
+    );
+    return { success: true, message: "CA installed in login keychain (trusted for SSL)", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("authorization") || msg.includes("permission")) {
+      return {
+        success: false,
+        message: "Keychain access denied. You may need to unlock your keychain or run with sudo.",
+        requiresSudo: true
+      };
     }
-    throw lastError ?? new Error(`All ports ${this.requestedPort}-${this.requestedPort + MAX_PORT_RETRIES - 1} in use`);
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: false };
   }
-  listen(port) {
-    return new Promise((resolve, reject) => {
-      const server = http.createServer(this.handler);
-      server.on("error", reject);
-      server.listen(port, "127.0.0.1", () => {
-        server.removeListener("error", reject);
-        this.server = server;
-        resolve();
-      });
-    });
+}
+function removeMacOS() {
+  try {
+    execSync3(
+      `security delete-certificate -c "${MACOS_LABEL}" ~/Library/Keychains/login.keychain-db`,
+      { stdio: "pipe" }
+    );
+    return { success: true, message: "CA removed from login keychain", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("could not be found")) {
+      return { success: true, message: "CA was not in keychain (already removed)", requiresSudo: false };
+    }
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: false };
   }
-  async stop() {
-    if (!this.server) return;
-    return new Promise((resolve) => {
-      this.server.close(() => {
-        this.server = null;
-        this.activePort = null;
-        resolve();
-      });
-    });
+}
+function isTrustedMacOS() {
+  try {
+    const out = execSync3(
+      `security find-certificate -c "${MACOS_LABEL}" ~/Library/Keychains/login.keychain-db`,
+      { stdio: "pipe", encoding: "utf-8" }
+    );
+    return out.includes(MACOS_LABEL);
+  } catch {
+    return false;
   }
-  isRunning() {
-    return this.server !== null && this.server.listening;
+}
+var LINUX_CERT_PATH = "/usr/local/share/ca-certificates/liminal-proxy-ca.crt";
+function installLinux() {
+  try {
+    copyFileSync(CA_CERT_PATH, LINUX_CERT_PATH);
+    execSync3("update-ca-certificates", { stdio: "pipe" });
+    return { success: true, message: "CA installed in system trust store", requiresSudo: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("EACCES") || msg.includes("permission")) {
+      return {
+        success: false,
+        message: `Permission denied. Run with sudo:
+  sudo liminal trust-ca`,
+        requiresSudo: true
+      };
+    }
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: true };
   }
-  getPort() {
-    return this.activePort;
+}
+function removeLinux() {
+  try {
+    if (existsSync7(LINUX_CERT_PATH)) {
+      unlinkSync2(LINUX_CERT_PATH);
+      execSync3("update-ca-certificates --fresh", { stdio: "pipe" });
+    }
+    return { success: true, message: "CA removed from system trust store", requiresSudo: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: true };
   }
-};
+}
+function isTrustedLinux() {
+  return existsSync7(LINUX_CERT_PATH);
+}
+function installWindows() {
+  try {
+    execSync3(`certutil -addstore -user -f "ROOT" "${CA_CERT_PATH}"`, { stdio: "pipe" });
+    return { success: true, message: "CA installed in user certificate store", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: false };
+  }
+}
+function removeWindows() {
+  try {
+    execSync3(`certutil -delstore -user "ROOT" "${MACOS_LABEL}"`, { stdio: "pipe" });
+    return { success: true, message: "CA removed from user certificate store", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: false };
+  }
+}
+function isTrustedWindows() {
+  try {
+    const out = execSync3(`certutil -verifystore -user "ROOT" "${MACOS_LABEL}"`, {
+      stdio: "pipe",
+      encoding: "utf-8"
+    });
+    return out.includes("Liminal");
+  } catch {
+    return false;
+  }
+}
 
-// src/daemon/logger.ts
-import { appendFileSync as appendFileSync2, statSync, renameSync, mkdirSync as mkdirSync2, existsSync as existsSync3 } from "fs";
-import { dirname as dirname2 } from "path";
-var MAX_LOG_SIZE = 10 * 1024 * 1024;
-var MAX_BACKUPS = 2;
-var FileLogger = class {
-  logFile;
-  mirrorStdout;
-  constructor(options) {
-    this.logFile = options?.logFile ?? LOG_FILE;
-    this.mirrorStdout = options?.mirrorStdout ?? false;
-    const logDir = dirname2(this.logFile);
-    if (!existsSync3(logDir)) {
-      mkdirSync2(logDir, { recursive: true });
-    }
+// src/tls/mitm-bridge.ts
+import * as tls from "tls";
+
+// src/tls/cert-generator.ts
+import forge2 from "node-forge";
+var CERT_TTL_MS = 24 * 60 * 60 * 1e3;
+var MAX_CACHE_SIZE = 50;
+var CertGenerator = class {
+  caCert;
+  caKey;
+  cache = /* @__PURE__ */ new Map();
+  constructor(caCertPem, caKeyPem) {
+    this.caCert = forge2.pki.certificateFromPem(caCertPem);
+    this.caKey = forge2.pki.privateKeyFromPem(caKeyPem);
   }
-  log(message) {
-    const timestamp = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
-    const line = `[${timestamp}] ${message}
-`;
-    try {
-      appendFileSync2(this.logFile, line);
-    } catch {
-      process.stderr.write(`[LOG-WRITE-FAILED] ${line}`);
+  /**
+   * Get or generate a TLS certificate for the given hostname.
+   * Certificates are cached for 24 hours.
+   */
+  getCert(hostname) {
+    const now = Date.now();
+    const cached = this.cache.get(hostname);
+    if (cached && cached.expiresAt > now) {
+      return cached.cert;
     }
-    if (this.mirrorStdout) {
-      process.stdout.write(line);
+    const cert = this.generate(hostname);
+    if (this.cache.size >= MAX_CACHE_SIZE) {
+      const oldest = this.cache.keys().next().value;
+      if (oldest) this.cache.delete(oldest);
     }
-    this.rotateIfNeeded();
+    this.cache.set(hostname, { cert, expiresAt: now + CERT_TTL_MS });
+    return cert;
   }
-  rotateIfNeeded() {
-    try {
-      const stats = statSync(this.logFile);
-      if (stats.size <= MAX_LOG_SIZE) return;
-      for (let i = MAX_BACKUPS - 1; i >= 1; i--) {
-        const from = `${this.logFile}.${i}`;
-        const to = `${this.logFile}.${i + 1}`;
-        if (existsSync3(from)) renameSync(from, to);
-      }
-      renameSync(this.logFile, `${this.logFile}.1`);
-    } catch {
-    }
+  get cacheSize() {
+    return this.cache.size;
   }
-  getLogFile() {
-    return this.logFile;
+  generate(hostname) {
+    const keys = forge2.pki.rsa.generateKeyPair(2048);
+    const cert = forge2.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = randomSerial();
+    cert.validity.notBefore = new Date(Date.now() - 24 * 60 * 60 * 1e3);
+    cert.validity.notAfter = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    cert.setSubject([
+      { name: "commonName", value: hostname },
+      { name: "organizationName", value: "Liminal Proxy (local)" }
+    ]);
+    cert.setIssuer(this.caCert.subject.attributes);
+    cert.setExtensions([
+      { name: "basicConstraints", cA: false },
+      {
+        name: "keyUsage",
+        digitalSignature: true,
+        keyEncipherment: true,
+        critical: true
+      },
+      {
+        name: "extKeyUsage",
+        serverAuth: true
+      },
+      {
+        name: "subjectAltName",
+        altNames: [{ type: 2, value: hostname }]
+        // DNS name
+      }
+    ]);
+    cert.sign(this.caKey, forge2.md.sha256.create());
+    return {
+      certPem: forge2.pki.certificateToPem(cert),
+      keyPem: forge2.pki.privateKeyToPem(keys.privateKey)
+    };
   }
 };
+function randomSerial() {
+  return forge2.util.bytesToHex(forge2.random.getBytesSync(16));
+}
+
+// src/tls/mitm-bridge.ts
+function createMitmBridge(options) {
+  const { httpServer, caCertPem, caKeyPem, logger } = options;
+  const certGen = new CertGenerator(caCertPem, caKeyPem);
+  return (clientSocket, hostname, _port) => {
+    try {
+      const { certPem, keyPem } = certGen.getCert(hostname);
+      const tlsSocket = new tls.TLSSocket(clientSocket, {
+        isServer: true,
+        key: keyPem,
+        cert: certPem
+      });
+      tlsSocket.on("error", (err) => {
+        logger.log(`[MITM] TLS error for ${hostname}: ${err.message}`);
+        tlsSocket.destroy();
+      });
+      httpServer.emit("connection", tlsSocket);
+      logger.log(`[MITM] TLS bridge established for ${hostname} (cert cache: ${certGen.cacheSize})`);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.log(`[MITM] Failed to establish bridge for ${hostname}: ${message}`);
+      clientSocket.destroy();
+    }
+  };
+}
 
 // src/daemon/lifecycle.ts
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, unlinkSync, existsSync as existsSync4 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, unlinkSync as unlinkSync3, existsSync as existsSync8 } from "fs";
 import { fork } from "child_process";
 import { fileURLToPath } from "url";
 function writePidFile(pid) {
-  writeFileSync2(PID_FILE, String(pid), "utf-8");
+  writeFileSync4(PID_FILE, String(pid), "utf-8");
 }
 function readPidFile() {
-  if (!existsSync4(PID_FILE)) return null;
+  if (!existsSync8(PID_FILE)) return null;
   try {
-    const content = readFileSync3(PID_FILE, "utf-8").trim();
+    const content = readFileSync5(PID_FILE, "utf-8").trim();
     const pid = parseInt(content, 10);
     return isNaN(pid) ? null : pid;
   } catch {
@@ -1689,7 +3591,7 @@ function readPidFile() {
 }
 function removePidFile() {
   try {
-    if (existsSync4(PID_FILE)) unlinkSync(PID_FILE);
+    if (existsSync8(PID_FILE)) unlinkSync3(PID_FILE);
   } catch {
   }
 }
@@ -1791,37 +3693,81 @@ async function startCommand(flags) {
     rscBaseUrl: config.apiBaseUrl,
     proxyPort: config.port,
     compressionThreshold: config.compressionThreshold,
+    aggregateThreshold: config.aggregateThreshold,
+    hotFraction: config.hotFraction,
+    coldFraction: config.coldFraction,
     compressRoles: config.compressRoles,
+    compressToolResults: config.compressToolResults,
     learnFromResponses: config.learnFromResponses,
     latencyBudgetMs: config.latencyBudgetMs || void 0,
     upstreamBaseUrl: config.upstreamBaseUrl,
     anthropicUpstreamUrl: config.anthropicUpstreamUrl,
     enabled: config.enabled,
-    tools: config.tools
+    tools: config.tools,
+    concurrencyLimit: config.concurrencyLimit,
+    concurrencyTimeoutMs: config.concurrencyTimeoutMs,
+    maxSessions: config.maxSessions,
+    sessionTtlMs: config.sessionTtlMs,
+    latencyWarningMs: config.latencyWarningMs,
+    latencyCriticalMs: config.latencyCriticalMs
   };
-  const pipeline = new RSCPipelineWrapper({
-    rscApiKey: config.apiKey,
-    rscBaseUrl: config.apiBaseUrl,
-    compressionThreshold: config.compressionThreshold,
-    learnFromResponses: config.learnFromResponses,
-    latencyBudgetMs: config.latencyBudgetMs || void 0
+  const semaphore = new Semaphore(resolvedConfig.concurrencyLimit);
+  const latencyMonitor = new LatencyMonitor({
+    warningThresholdMs: resolvedConfig.latencyWarningMs,
+    criticalThresholdMs: resolvedConfig.latencyCriticalMs
   });
-  pipeline.events.on("compression", (event) => {
-    if (event.tokensSaved > 0) {
-      logger.log(`[LIMINAL] Compressed: ${event.tokensSaved} tokens saved (${event.ratio.toFixed(3)} ratio)`);
+  function wireSessionEvents(key, pipeline) {
+    pipeline.events.on("compression", (event) => {
+      if (event.tokensSaved > 0) {
+        logger.log(`[LIMINAL] [${key}] Compressed: ${event.tokensSaved} tokens saved (${event.ratio.toFixed(3)} ratio)`);
+      }
+    });
+    pipeline.events.on("compression_skipped", (event) => {
+      const detail = event.reason === "latency_budget" ? `${event.reason} (${event.estimatedTokens}tok, budget:${event.budgetMs}ms, elapsed:${event.elapsedMs}ms)` : event.reason === "below_threshold" ? `${event.reason} (${event.estimatedTokens}tok < ${config.compressionThreshold}tok threshold)` : `${event.reason} (${event.estimatedTokens}tok)`;
+      logger.log(`[LIMINAL] [${key}] Skipped: ${detail}`);
+    });
+    pipeline.events.on("error", (event) => {
+      logger.log(`[LIMINAL] [${key}] Error: ${event.error.message}`);
+    });
+    pipeline.events.on("degradation", (event) => {
+      logger.log(`[LIMINAL] [${key}] Circuit ${event.circuitState}: ${event.reason}`);
+    });
+  }
+  const sessions = new SessionManager({
+    pipelineConfig: {
+      rscApiKey: config.apiKey,
+      rscBaseUrl: config.apiBaseUrl,
+      compressionThreshold: config.compressionThreshold,
+      learnFromResponses: config.learnFromResponses,
+      latencyBudgetMs: config.latencyBudgetMs || void 0
+    },
+    maxSessions: resolvedConfig.maxSessions,
+    sessionTtlMs: resolvedConfig.sessionTtlMs,
+    onSessionCreated: (key, pipeline) => {
+      logger.log(`[SESSION] Created: ${key}`);
+      wireSessionEvents(key, pipeline);
+    },
+    onSessionEvicted: (key) => {
+      logger.log(`[SESSION] Evicted: ${key} (idle)`);
     }
   });
-  pipeline.events.on("compression_skipped", (event) => {
-    logger.log(`[LIMINAL] Skipped: ${event.reason}`);
-  });
-  pipeline.events.on("error", (event) => {
-    logger.log(`[LIMINAL] Error: ${event.error.message}`);
+  latencyMonitor.onAlert((alert) => {
+    logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message} (${alert.activeSessions} sessions) \u2014 ${alert.suggestion}`);
   });
-  pipeline.events.on("degradation", (event) => {
-    logger.log(`[LIMINAL] Circuit ${event.circuitState}: ${event.reason}`);
+  const deps = { sessions, semaphore, latencyMonitor, config: resolvedConfig, logger };
+  const handler = createRequestHandler(deps);
+  let mitmHandler;
+  const connectHandler = createConnectHandler({
+    logger,
+    onIntercept: (socket, hostname, port) => {
+      if (mitmHandler) {
+        mitmHandler(socket, hostname, port);
+      } else {
+        logger.log(`[MITM] No bridge available for ${hostname} \u2014 falling back to passthrough`);
+      }
+    }
   });
-  const handler = createRequestHandler(pipeline, resolvedConfig, logger);
-  const server = new ProxyServer(config.port, handler);
+  const server = new ProxyServer(config.port, handler, connectHandler);
   setupSignalHandlers(server, logger);
   try {
     const actualPort = await server.start();
@@ -1831,15 +3777,42 @@ async function startCommand(flags) {
     logger.log(`[DAEMON] Upstream (Anthropic): ${config.anthropicUpstreamUrl}`);
     logger.log(`[DAEMON] Liminal API: ${config.apiBaseUrl}`);
     logger.log(`[DAEMON] PID: ${process.pid}`);
+    logger.log(`[DAEMON] Max sessions: ${resolvedConfig.maxSessions}, Concurrency limit: ${resolvedConfig.concurrencyLimit}`);
+    const caReady = hasCA() && isCATrusted();
+    if (caReady) {
+      const httpServer = server.getHttpServer();
+      const ca = loadCA();
+      if (httpServer && ca) {
+        mitmHandler = createMitmBridge({
+          httpServer,
+          caCertPem: ca.certPem,
+          caKeyPem: ca.keyPem,
+          logger
+        });
+        logger.log("[MITM] TLS bridge active \u2014 intercepting LLM API calls");
+      }
+    }
+    logger.log(`[DAEMON] CONNECT handler: active | MITM: ${caReady ? "ready (CA trusted)" : "passthrough only (run liminal trust-ca)"}`);
     if (isForeground && !isForked) {
       printBanner();
       console.log(`  Liminal proxy running on http://127.0.0.1:${actualPort}/v1`);
       console.log(`  Upstream: ${config.upstreamBaseUrl}`);
+      console.log(`  Max sessions: ${resolvedConfig.maxSessions} | Concurrency: ${resolvedConfig.concurrencyLimit}`);
+      if (caReady) {
+        console.log("  MITM:     active (Cursor interception ready)");
+      }
       console.log();
       console.log("  Point your AI tool's base URL here. Press Ctrl+C to stop.");
       console.log();
     }
-    const healthy = await pipeline.healthCheck();
+    const { RSCPipelineWrapper: RSCPipelineWrapper2 } = await Promise.resolve().then(() => (init_pipeline(), pipeline_exports));
+    const probe = new RSCPipelineWrapper2({
+      rscApiKey: config.apiKey,
+      rscBaseUrl: config.apiBaseUrl,
+      compressionThreshold: config.compressionThreshold,
+      learnFromResponses: false
+    });
+    const healthy = await probe.healthCheck();
     if (healthy) {
       logger.log("[DAEMON] Liminal API health check: OK");
     } else {
@@ -1906,19 +3879,39 @@ async function statusCommand() {
     const data = await res.json();
     const uptime = formatUptime(data.uptime_ms);
     console.log(`Liminal Daemon: running (PID ${state.pid}, port ${port})`);
-    console.log(`Circuit:    ${data.circuit_state}`);
-    console.log(`Session:    ${data.session_id}`);
+    console.log(`Status:     ${data.status} (${data.version})`);
     console.log(`Uptime:     ${uptime}`);
-    if (data.session) {
-      const s = data.session;
-      const savingsPercent = s.tokens_processed > 0 ? (s.tokens_saved / s.tokens_processed * 100).toFixed(1) : "0.0";
+    console.log();
+    const c = data.concurrency;
+    console.log(`Sessions:   ${c.active_sessions} active (max ${config.maxSessions})`);
+    console.log(`Semaphore:  ${c.semaphore_available}/${c.max_concurrent_rsc_calls} available` + (c.semaphore_waiting > 0 ? ` (${c.semaphore_waiting} waiting)` : ""));
+    const globalP95 = data.latency.global_p95_ms;
+    if (globalP95 !== null) {
+      const latencyFlag = globalP95 >= config.latencyCriticalMs ? " CRITICAL" : globalP95 >= config.latencyWarningMs ? " WARNING" : "";
+      console.log(`Latency:    p95 ${globalP95.toFixed(0)}ms${latencyFlag}`);
+    }
+    if (data.sessions.length > 0) {
+      console.log();
+      console.log("\u2500\u2500\u2500 Sessions \u2500\u2500\u2500");
+      for (const s of data.sessions) {
+        const savingsPercent = s.tokens_processed > 0 ? (s.tokens_saved / s.tokens_processed * 100).toFixed(1) : "0.0";
+        const activeAgo = formatUptime(s.last_active_ago_ms);
+        const p95 = s.p95_latency_ms !== null ? `${s.p95_latency_ms.toFixed(0)}ms` : "-";
+        console.log();
+        console.log(`  ${s.connector} [${s.session_key}]`);
+        console.log(`    Circuit:  ${s.circuit_state}`);
+        console.log(`    Tokens:   ${s.tokens_processed.toLocaleString()} processed, ${s.tokens_saved.toLocaleString()} saved (${savingsPercent}%)`);
+        console.log(`    Calls:    ${s.calls_total} total (${s.calls_compressed} compressed, ${s.calls_failed} failed)`);
+        console.log(`    Latency:  p95 ${p95}`);
+        console.log(`    Active:   ${activeAgo} ago`);
+      }
+    } else {
       console.log();
-      console.log(`Tokens:     ${s.tokens_processed.toLocaleString()} processed, ${s.tokens_saved.toLocaleString()} saved (${savingsPercent}%)`);
-      console.log(`Calls:      ${s.calls_total} total (${s.calls_compressed} compressed, ${s.calls_skipped} skipped, ${s.calls_failed} failed)`);
+      console.log("No active sessions.");
     }
   } catch {
     console.log(`Liminal Daemon: running (PID ${state.pid}, port ${port})`);
-    console.log("Circuit:    unknown (could not reach /health)");
+    console.log("Status:     unknown (could not reach /health)");
   }
 }
 function formatUptime(ms) {
@@ -2070,17 +4063,17 @@ async function configCommand(flags) {
 }
 
 // src/commands/logs.ts
-import { readFileSync as readFileSync4, existsSync as existsSync5, statSync as statSync2, createReadStream } from "fs";
+import { readFileSync as readFileSync6, existsSync as existsSync9, statSync as statSync2, createReadStream } from "fs";
 import { watchFile, unwatchFile } from "fs";
 async function logsCommand(flags) {
   const follow = flags.has("follow") || flags.has("f");
   const linesFlag = flags.get("lines") ?? flags.get("n");
   const lines = typeof linesFlag === "string" ? parseInt(linesFlag, 10) : 50;
-  if (!existsSync5(LOG_FILE)) {
+  if (!existsSync9(LOG_FILE)) {
     console.log('No log file found. Start the daemon with "liminal start" to generate logs.');
     return;
   }
-  const content = readFileSync4(LOG_FILE, "utf-8");
+  const content = readFileSync6(LOG_FILE, "utf-8");
   const allLines = content.split("\n");
   const tail = allLines.slice(-lines - 1);
   process.stdout.write(tail.join("\n"));
@@ -2105,6 +4098,219 @@ async function logsCommand(flags) {
   });
 }
 
+// src/commands/uninstall.ts
+import { existsSync as existsSync10, rmSync, readFileSync as readFileSync7 } from "fs";
+var BOLD2 = "\x1B[1m";
+var DIM2 = "\x1B[2m";
+var GREEN2 = "\x1B[32m";
+var YELLOW2 = "\x1B[33m";
+var RESET2 = "\x1B[0m";
+function loadConfiguredTools() {
+  if (!existsSync10(CONFIG_FILE)) return [];
+  try {
+    const raw = readFileSync7(CONFIG_FILE, "utf-8");
+    const config = JSON.parse(raw);
+    if (Array.isArray(config.tools)) return config.tools;
+  } catch {
+  }
+  return [];
+}
+async function uninstallCommand() {
+  console.log();
+  console.log(`  ${BOLD2}Liminal Uninstall${RESET2}`);
+  console.log();
+  const confirm = await selectPrompt({
+    message: "Remove Liminal configuration and restore tool settings?",
+    options: [
+      { label: "Yes", value: true, description: "Undo all Liminal setup" },
+      { label: "No", value: false, description: "Cancel" }
+    ],
+    defaultIndex: 1
+    // Default to No for safety
+  });
+  if (confirm !== true) {
+    console.log();
+    console.log("  Cancelled.");
+    console.log();
+    return;
+  }
+  console.log();
+  const state = isDaemonRunning();
+  if (state.running && state.pid) {
+    console.log(`  Stopping Liminal daemon (PID ${state.pid})...`);
+    try {
+      process.kill(state.pid, "SIGTERM");
+      for (let i = 0; i < 15; i++) {
+        await sleep(200);
+        if (!isProcessAlive(state.pid)) break;
+      }
+      if (isProcessAlive(state.pid)) {
+        process.kill(state.pid, "SIGKILL");
+      }
+    } catch {
+    }
+    removePidFile();
+    console.log(`  ${GREEN2}\u2713${RESET2} Daemon stopped`);
+  } else {
+    console.log(`  ${DIM2}\xB7${RESET2} Daemon not running`);
+  }
+  const profile = detectShellProfile();
+  if (profile) {
+    const existing = findLiminalExportsInProfile(profile);
+    if (existing.length > 0) {
+      const removed = removeLiminalFromShellProfile(profile);
+      if (removed.length > 0) {
+        console.log(`  ${GREEN2}\u2713${RESET2} Removed ${removed.length} line${removed.length > 1 ? "s" : ""} from ${profile.name}:`);
+        for (const line of removed) {
+          const trimmed = line.trim();
+          if (trimmed && trimmed !== "# Liminal \u2014 route AI tools through compression proxy") {
+            console.log(`    ${DIM2}${trimmed}${RESET2}`);
+          }
+        }
+      }
+    } else {
+      console.log(`  ${DIM2}\xB7${RESET2} No Liminal exports found in ${profile.name}`);
+    }
+  }
+  const configuredTools = loadConfiguredTools();
+  const allTools = configuredTools.length > 0 ? configuredTools : CONNECTORS.map((c) => c.info.id);
+  const connectors = getConnectors(allTools);
+  const manualSteps = [];
+  for (const connector of connectors) {
+    const result = await connector.teardown();
+    if (result.manualSteps.length > 0 && !connector.info.automatable) {
+      manualSteps.push({
+        label: connector.info.label,
+        steps: result.manualSteps
+      });
+    }
+  }
+  if (manualSteps.length > 0) {
+    console.log();
+    console.log(`  ${YELLOW2}Manual steps needed:${RESET2}`);
+    for (const { label, steps } of manualSteps) {
+      console.log();
+      console.log(`  ${BOLD2}${label}:${RESET2}`);
+      for (const step of steps) {
+        console.log(`    ${step}`);
+      }
+    }
+  }
+  if (existsSync10(LIMINAL_DIR)) {
+    console.log();
+    const removeData = await selectPrompt({
+      message: "Remove ~/.liminal/ directory? (config, logs, PID file)",
+      options: [
+        { label: "Yes", value: true, description: "Delete all Liminal data" },
+        { label: "No", value: false, description: "Keep config and logs" }
+      ],
+      defaultIndex: 1
+      // Default to keep
+    });
+    if (removeData === true) {
+      rmSync(LIMINAL_DIR, { recursive: true, force: true });
+      console.log(`  ${GREEN2}\u2713${RESET2} Removed ~/.liminal/`);
+    } else {
+      console.log(`  ${DIM2}\xB7${RESET2} Kept ~/.liminal/`);
+    }
+  }
+  console.log();
+  console.log(`  ${GREEN2}Liminal has been uninstalled.${RESET2}`);
+  console.log();
+  console.log(`  ${DIM2}Your AI tools will connect directly to their APIs.${RESET2}`);
+  console.log(`  ${DIM2}Restart your terminal for shell changes to take effect.${RESET2}`);
+  if (manualSteps.length > 0) {
+    console.log(`  ${YELLOW2}Don't forget the manual steps above for ${manualSteps.map((s) => s.label).join(", ")}.${RESET2}`);
+  }
+  console.log();
+  console.log(`  ${DIM2}To reinstall: npx @cognisos/liminal init${RESET2}`);
+  console.log();
+}
+
+// src/commands/trust-ca.ts
+async function trustCACommand() {
+  printBanner();
+  if (isCATrusted()) {
+    console.log("  Liminal CA is already trusted.");
+    const info = getCAInfo();
+    if (info) {
+      console.log(`  Fingerprint: ${info.fingerprint}`);
+      console.log(`  Valid until:  ${info.validTo.toLocaleDateString()}`);
+    }
+    return;
+  }
+  if (!hasCA()) {
+    console.log("  Generating CA certificate...");
+    ensureCA();
+    console.log("  Created ~/.liminal/ca.pem");
+    console.log();
+  }
+  console.log("  Installing Liminal CA certificate");
+  console.log();
+  console.log("  This allows Liminal to transparently compress LLM API");
+  console.log("  traffic from Cursor and other Electron-based editors.");
+  console.log();
+  console.log("  The certificate is scoped to your user account and only");
+  console.log("  used by the local Liminal proxy on 127.0.0.1.");
+  console.log();
+  console.log(`  Certificate: ${CA_CERT_PATH}`);
+  console.log();
+  const result = installCA();
+  if (result.success) {
+    console.log(`  ${result.message}`);
+    console.log();
+    const info = getCAInfo();
+    if (info) {
+      console.log(`  Fingerprint: ${info.fingerprint}`);
+      console.log(`  Valid until:  ${info.validTo.toLocaleDateString()}`);
+    }
+    console.log();
+    console.log("  You can now use Liminal with Cursor:");
+    console.log("    liminal start");
+    console.log("    cursor --proxy-server=http://127.0.0.1:3141 --disable-http2");
+  } else {
+    console.error(`  Failed: ${result.message}`);
+    if (result.requiresSudo) {
+      console.log();
+      console.log("  Try running with elevated permissions:");
+      console.log("    sudo liminal trust-ca");
+    }
+    process.exit(1);
+  }
+}
+
+// src/commands/untrust-ca.ts
+async function untrustCACommand() {
+  printBanner();
+  if (!hasCA() && !isCATrusted()) {
+    console.log("  No Liminal CA found (nothing to remove).");
+    return;
+  }
+  if (isCATrusted()) {
+    console.log("  Removing CA from system trust store...");
+    const result = removeCA2();
+    if (result.success) {
+      console.log(`  ${result.message}`);
+    } else {
+      console.error(`  ${result.message}`);
+      if (result.requiresSudo) {
+        console.log();
+        console.log("  Try running with elevated permissions:");
+        console.log("    sudo liminal untrust-ca");
+      }
+      process.exit(1);
+    }
+  }
+  if (hasCA()) {
+    console.log("  Removing CA certificate files...");
+    removeCA();
+    console.log("  Removed ~/.liminal/ca.pem and ca-key.pem");
+  }
+  console.log();
+  console.log("  Liminal CA fully removed.");
+  console.log("  Cursor MITM interception is no longer available.");
+}
+
 // src/bin.ts
 var USAGE = `
   liminal v${VERSION} \u2014 Transparent LLM context compression proxy
@@ -2119,6 +4325,9 @@ var USAGE = `
     liminal summary                       Detailed session metrics
     liminal config [--set k=v] [--get k]  View or edit configuration
     liminal logs [--follow] [--lines N]   View proxy logs
+    liminal trust-ca                      Install CA cert (for Cursor MITM)
+    liminal untrust-ca                    Remove CA cert
+    liminal uninstall                     Remove Liminal configuration
 
   Options:
     -h, --help       Show this help message
@@ -2130,7 +4339,7 @@ var USAGE = `
     3. Connect your AI tools:
        Claude Code:   export ANTHROPIC_BASE_URL=http://localhost:3141
        Codex:         export OPENAI_BASE_URL=http://localhost:3141/v1
-       Cursor:        Settings > Models > Base URL > http://localhost:3141/v1
+       Cursor:        liminal trust-ca && cursor --proxy-server=http://localhost:3141
 `;
 function parseArgs(argv) {
   const command = argv[2] ?? "";
@@ -2196,6 +4405,15 @@ async function main() {
       case "logs":
         await logsCommand(flags);
         break;
+      case "trust-ca":
+        await trustCACommand();
+        break;
+      case "untrust-ca":
+        await untrustCACommand();
+        break;
+      case "uninstall":
+        await uninstallCommand();
+        break;
       case "":
         console.log(USAGE);
         process.exit(0);