@cognisos/liminal 2.4.0 → 2.4.1

package/dist/bin.js

@@ -1,7 +1,84 @@
 #!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/rsc/pipeline.ts
+var pipeline_exports = {};
+__export(pipeline_exports, {
+  RSCPipelineWrapper: () => RSCPipelineWrapper
+});
+import {
+  CompressionPipeline,
+  RSCTransport,
+  RSCEventEmitter,
+  Session,
+  CircuitBreaker
+} from "@cognisos/rsc-sdk";
+var RSCPipelineWrapper;
+var init_pipeline = __esm({
+  "src/rsc/pipeline.ts"() {
+    "use strict";
+    RSCPipelineWrapper = class {
+      pipeline;
+      session;
+      events;
+      transport;
+      circuitBreaker;
+      constructor(config) {
+        this.circuitBreaker = new CircuitBreaker(5, 5 * 60 * 1e3);
+        this.transport = new RSCTransport({
+          baseUrl: config.rscBaseUrl,
+          apiKey: config.rscApiKey,
+          timeout: 3e4,
+          maxRetries: 3,
+          circuitBreaker: this.circuitBreaker
+        });
+        this.events = new RSCEventEmitter();
+        this.session = new Session(config.sessionId);
+        this.pipeline = new CompressionPipeline(
+          this.transport,
+          {
+            threshold: config.compressionThreshold,
+            learnFromResponses: config.learnFromResponses,
+            latencyBudgetMs: config.latencyBudgetMs,
+            sessionId: this.session.sessionId
+          },
+          this.events
+        );
+      }
+      async healthCheck() {
+        try {
+          await this.transport.get("/health");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      getSessionSummary() {
+        return this.session.getSummary();
+      }
+      getCircuitState() {
+        return this.circuitBreaker.getState();
+      }
+      isCircuitOpen() {
+        return this.circuitBreaker.getState() === "open";
+      }
+      resetCircuitBreaker() {
+        this.circuitBreaker.reset();
+      }
+    };
+  }
+});
 
 // src/version.ts
-var VERSION = true ? "2.4.0" : "0.2.1";
+var VERSION = true ? "2.4.1" : "0.2.1";
 var BANNER_LINES = [
   " ___       ___  _____ ______   ___  ________   ________  ___",
   "|\\  \\     |\\  \\|\\   _ \\  _   \\|\\  \\|\\   ___  \\|\\   __  \\|\\  \\",
@@ -41,11 +118,21 @@ var DEFAULTS = {
   anthropicUpstreamUrl: "https://api.anthropic.com",
   port: 3141,
   compressionThreshold: 100,
-  compressRoles: ["user"],
+  aggregateThreshold: 500,
+  hotFraction: 0.3,
+  coldFraction: 0.3,
+  compressRoles: ["user", "assistant"],
+  compressToolResults: true,
   learnFromResponses: true,
   latencyBudgetMs: 5e3,
   enabled: true,
-  tools: []
+  tools: [],
+  concurrencyLimit: 6,
+  concurrencyTimeoutMs: 15e3,
+  maxSessions: 10,
+  sessionTtlMs: 18e5,
+  latencyWarningMs: 4e3,
+  latencyCriticalMs: 8e3
 };
 var CONFIGURABLE_KEYS = /* @__PURE__ */ new Set([
   "apiBaseUrl",
@@ -53,11 +140,21 @@ var CONFIGURABLE_KEYS = /* @__PURE__ */ new Set([
   "anthropicUpstreamUrl",
   "port",
   "compressionThreshold",
+  "aggregateThreshold",
+  "hotFraction",
+  "coldFraction",
   "compressRoles",
+  "compressToolResults",
   "learnFromResponses",
   "latencyBudgetMs",
   "enabled",
-  "tools"
+  "tools",
+  "concurrencyLimit",
+  "concurrencyTimeoutMs",
+  "maxSessions",
+  "sessionTtlMs",
+  "latencyWarningMs",
+  "latencyCriticalMs"
 ]);
 
 // src/config/loader.ts
@@ -77,11 +174,21 @@ function loadConfig() {
     anthropicUpstreamUrl: DEFAULTS.anthropicUpstreamUrl,
     port: DEFAULTS.port,
     compressionThreshold: DEFAULTS.compressionThreshold,
+    aggregateThreshold: DEFAULTS.aggregateThreshold,
+    hotFraction: DEFAULTS.hotFraction,
+    coldFraction: DEFAULTS.coldFraction,
     compressRoles: DEFAULTS.compressRoles,
+    compressToolResults: DEFAULTS.compressToolResults,
     learnFromResponses: DEFAULTS.learnFromResponses,
     latencyBudgetMs: DEFAULTS.latencyBudgetMs,
     enabled: DEFAULTS.enabled,
     tools: DEFAULTS.tools,
+    concurrencyLimit: DEFAULTS.concurrencyLimit,
+    concurrencyTimeoutMs: DEFAULTS.concurrencyTimeoutMs,
+    maxSessions: DEFAULTS.maxSessions,
+    sessionTtlMs: DEFAULTS.sessionTtlMs,
+    latencyWarningMs: DEFAULTS.latencyWarningMs,
+    latencyCriticalMs: DEFAULTS.latencyCriticalMs,
     ...fileConfig
   };
   if (process.env.LIMINAL_API_KEY) merged.apiKey = process.env.LIMINAL_API_KEY;
@@ -485,7 +592,7 @@ import { createInterface } from "readline/promises";
 import { stdin, stdout } from "process";
 
 // src/auth/supabase.ts
-import { randomBytes } from "crypto";
+import { randomBytes, createHash } from "crypto";
 var SUPABASE_URL = "https://nzcneiyymvgxvttbenhp.supabase.co";
 var SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im56Y25laXl5bXZneHZ0dGJlbmhwIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTQwNjQ0MjcsImV4cCI6MjA2OTY0MDQyN30.x3E-zGRadbPMmxRqT_PB_KOi00htKpgeb8GiQa4g2z0";
 function supabaseHeaders(accessToken) {
@@ -542,25 +649,13 @@ async function signUp(email, password, name) {
     email: body.user?.email ?? email
   };
 }
-async function fetchApiKey(accessToken, userId) {
-  const params = new URLSearchParams({
-    user_id: `eq.${userId}`,
-    is_active: "eq.true",
-    select: "api_key",
-    limit: "1"
-  });
-  const res = await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys?${params}`, {
+async function createApiKey(accessToken, userId) {
+  await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys?user_id=eq.${userId}`, {
+    method: "DELETE",
     headers: supabaseHeaders(accessToken)
   });
-  if (!res.ok) return null;
-  const rows = await res.json();
-  if (Array.isArray(rows) && rows.length > 0 && rows[0].api_key) {
-    return rows[0].api_key;
-  }
-  return null;
-}
-async function createApiKey(accessToken, userId) {
-  const apiKey = `fmcp_${randomBytes(32).toString("hex")}`;
+  const apiKey = `lim_${randomBytes(32).toString("hex")}`;
+  const keyHash = createHash("sha256").update(apiKey).digest("hex");
   const res = await fetch(`${SUPABASE_URL}/rest/v1/user_api_keys`, {
     method: "POST",
     headers: {
@@ -570,7 +665,7 @@ async function createApiKey(accessToken, userId) {
     body: JSON.stringify({
       user_id: userId,
       key_name: "Liminal CLI",
-      api_key: apiKey,
+      key_hash: keyHash,
       is_active: true
     })
   });
@@ -582,8 +677,6 @@ async function createApiKey(accessToken, userId) {
   return apiKey;
 }
 async function authenticateAndGetKey(auth) {
-  const existingKey = await fetchApiKey(auth.accessToken, auth.userId);
-  if (existingKey) return existingKey;
   return createApiKey(auth.accessToken, auth.userId);
 }
 
@@ -592,7 +685,7 @@ async function loginCommand() {
   printBanner();
   try {
     const config = loadConfig();
-    if (config.apiKey && config.apiKey.startsWith("fmcp_")) {
+    if (config.apiKey && (config.apiKey.startsWith("lim_") || config.apiKey.startsWith("fmcp_"))) {
       console.log("  Already logged in.");
       console.log("  Run \x1B[1mliminal logout\x1B[0m first to switch accounts.");
       return;
@@ -871,19 +964,24 @@ var cursorConnector = {
     return [];
   },
   async setup(port) {
-    const baseUrl = `http://127.0.0.1:${port}/v1`;
     return {
       success: true,
       shellExports: [],
       // No env vars — GUI only
       postSetupInstructions: [
-        "Cursor requires manual configuration:",
+        "Cursor routes API calls through its cloud servers, so localhost",
+        "URLs are blocked. You need a tunnel to expose the proxy:",
+        "",
+        `  npx cloudflared tunnel --url http://localhost:${port}`,
+        "",
+        "Then configure Cursor with the tunnel URL:",
         "",
         "  1. Open Cursor Settings (not VS Code settings)",
         "  2. Go to Models",
         '  3. Enable "Override OpenAI Base URL (when using key)"',
-        `  4. Set the base URL to: ${baseUrl}`,
-        '  5. Enter any string as the API key (e.g., "liminal")',
+        "  4. Set the base URL to your tunnel URL + /v1",
+        "     (e.g., https://abc123.trycloudflare.com/v1)",
+        "  5. Enter your real OpenAI/Anthropic API key",
         "  6. Restart Cursor",
         "",
         "Cursor uses OpenAI format for all models, including Claude.",
@@ -1140,64 +1238,6 @@ async function logoutCommand() {
   console.log("  Run \x1B[1mliminal login\x1B[0m to reconnect.");
 }
 
-// src/rsc/pipeline.ts
-import {
-  CompressionPipeline,
-  RSCTransport,
-  RSCEventEmitter,
-  Session,
-  CircuitBreaker
-} from "@cognisos/rsc-sdk";
-var RSCPipelineWrapper = class {
-  pipeline;
-  session;
-  events;
-  transport;
-  circuitBreaker;
-  constructor(config) {
-    this.circuitBreaker = new CircuitBreaker(5, 5 * 60 * 1e3);
-    this.transport = new RSCTransport({
-      baseUrl: config.rscBaseUrl,
-      apiKey: config.rscApiKey,
-      timeout: 3e4,
-      maxRetries: 3,
-      circuitBreaker: this.circuitBreaker
-    });
-    this.events = new RSCEventEmitter();
-    this.session = new Session(config.sessionId);
-    this.pipeline = new CompressionPipeline(
-      this.transport,
-      {
-        threshold: config.compressionThreshold,
-        learnFromResponses: config.learnFromResponses,
-        latencyBudgetMs: config.latencyBudgetMs,
-        sessionId: this.session.sessionId
-      },
-      this.events
-    );
-  }
-  async healthCheck() {
-    try {
-      await this.transport.get("/health");
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  getSessionSummary() {
-    return this.session.getSummary();
-  }
-  getCircuitState() {
-    return this.circuitBreaker.getState();
-  }
-  isCircuitOpen() {
-    return this.circuitBreaker.getState() === "open";
-  }
-  resetCircuitBreaker() {
-    this.circuitBreaker.reset();
-  }
-};
-
 // src/proxy/completions.ts
 import { RSCCircuitOpenError as RSCCircuitOpenError2 } from "@cognisos/rsc-sdk";
 
@@ -1303,66 +1343,115 @@ function isIndentedCodeLine(line) {
 }
 
 // src/rsc/message-compressor.ts
+var PASSTHROUGH_BLOCK_TYPES = /* @__PURE__ */ new Set(["thinking", "tool_use", "image"]);
+function sanitizeCompressedText(text) {
+  return text.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+}
 async function compressMessages(messages, pipeline, session, compressRoles) {
   let anyCompressed = false;
   let totalTokensSaved = 0;
   const compressed = await Promise.all(
     messages.map(async (msg) => {
       if (!compressRoles.has(msg.role)) return msg;
-      if (typeof msg.content === "string") {
-        return compressStringContent(msg, pipeline, session, (c, saved) => {
-          anyCompressed = anyCompressed || c;
-          totalTokensSaved += saved;
-        });
+      return compressMessage(msg, pipeline, session, (c, saved) => {
+        anyCompressed = anyCompressed || c;
+        totalTokensSaved += saved;
+      });
+    })
+  );
+  return { messages: compressed, anyCompressed, totalTokensSaved };
+}
+async function compressConversation(pipeline, session, plan, options = { compressToolResults: true }) {
+  if (!plan.shouldCompress) {
+    return {
+      messages: plan.messages.map((tm) => tm.message),
+      anyCompressed: false,
+      totalTokensSaved: 0
+    };
+  }
+  let anyCompressed = false;
+  let totalTokensSaved = 0;
+  const record = (c, saved) => {
+    anyCompressed = anyCompressed || c;
+    totalTokensSaved += saved;
+  };
+  const log = options.logFn;
+  const compressed = await Promise.all(
+    plan.messages.map(async (tm) => {
+      const role = tm.message.role;
+      const blockTypes = Array.isArray(tm.message.content) ? tm.message.content.map((b) => b.type).join(",") : "string";
+      if (tm.tier === "hot") {
+        log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 HOT (verbatim)`);
+        return tm.message;
       }
-      if (Array.isArray(msg.content)) {
-        return compressArrayContent(msg, pipeline, session, (c, saved) => {
-          anyCompressed = anyCompressed || c;
-          totalTokensSaved += saved;
-        });
+      if (tm.eligibleTokens === 0) {
+        log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 ${tm.tier.toUpperCase()} (0 eligible tok, skip)`);
+        return tm.message;
       }
-      return msg;
+      log?.(`[BLOCK] #${tm.index} ${role} [${blockTypes}] \u2192 ${tm.tier.toUpperCase()} (${tm.eligibleTokens} eligible tok, batch compressing)`);
+      return batchCompressMessage(tm.message, pipeline, session, record, options);
     })
   );
   return { messages: compressed, anyCompressed, totalTokensSaved };
 }
-async function compressStringContent(msg, pipeline, session, record) {
-  const text = msg.content;
-  const segments = segmentContent(text);
-  const hasCode = segments.some((s) => s.type === "code");
-  if (!hasCode) {
-    try {
-      const result = await pipeline.compressForLLM(text);
-      session.recordCompression(result.metrics);
-      record(!result.metrics.skipped, result.metrics.tokensSaved);
-      return { ...msg, content: result.text };
-    } catch (err) {
-      if (err instanceof RSCCircuitOpenError) {
-        session.recordFailure();
-        throw err;
+function extractToolResultText(part) {
+  if (typeof part.content === "string" && part.content.trim()) {
+    return part.content;
+  }
+  if (Array.isArray(part.content)) {
+    const texts = part.content.filter((inner) => inner.type === "text" && typeof inner.text === "string" && inner.text.trim()).map((inner) => inner.text);
+    return texts.length > 0 ? texts.join("\n") : null;
+  }
+  return null;
+}
+async function batchCompressMessage(msg, pipeline, session, record, options = { compressToolResults: true }) {
+  if (typeof msg.content === "string") {
+    return compressStringContent(msg, pipeline, session, record, options.semaphore, options.semaphoreTimeoutMs);
+  }
+  if (!Array.isArray(msg.content)) return msg;
+  const parts = msg.content;
+  const textSegments = [];
+  const batchedIndices = /* @__PURE__ */ new Set();
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (PASSTHROUGH_BLOCK_TYPES.has(part.type)) continue;
+    if (part.type === "text" && typeof part.text === "string" && part.text.trim()) {
+      textSegments.push(part.text);
+      batchedIndices.add(i);
+    }
+    if (part.type === "tool_result" && options.compressToolResults) {
+      const extracted = extractToolResultText(part);
+      if (extracted) {
+        textSegments.push(extracted);
+        batchedIndices.add(i);
       }
-      session.recordFailure();
-      return msg;
     }
   }
+  if (textSegments.length === 0) return msg;
+  const batchText = textSegments.join("\n\n");
   try {
-    const parts = await Promise.all(
-      segments.map(async (seg) => {
-        if (seg.type === "code") return seg.text;
-        if (seg.text.trim().length === 0) return seg.text;
-        try {
-          const result = await pipeline.compressForLLM(seg.text);
-          session.recordCompression(result.metrics);
-          record(!result.metrics.skipped, result.metrics.tokensSaved);
-          return result.text;
-        } catch (err) {
-          if (err instanceof RSCCircuitOpenError) throw err;
-          session.recordFailure();
-          return seg.text;
+    const compressed = await compressTextWithSegmentation(batchText, pipeline, session, record, options.semaphore, options.semaphoreTimeoutMs);
+    const newParts = [];
+    let isFirstEligible = true;
+    for (let i = 0; i < parts.length; i++) {
+      if (!batchedIndices.has(i)) {
+        newParts.push(parts[i]);
+        continue;
+      }
+      if (isFirstEligible) {
+        if (parts[i].type === "text") {
+          newParts.push({ ...parts[i], text: compressed });
+        } else if (parts[i].type === "tool_result") {
+          newParts.push({ ...parts[i], content: compressed });
         }
-      })
-    );
-    return { ...msg, content: parts.join("") };
+        isFirstEligible = false;
+      } else {
+        if (parts[i].type === "tool_result") {
+          newParts.push({ ...parts[i], content: "" });
+        }
+      }
+    }
+    return { ...msg, content: newParts };
   } catch (err) {
     if (err instanceof RSCCircuitOpenError) {
       session.recordFailure();
@@ -1372,37 +1461,34 @@ async function compressStringContent(msg, pipeline, session, record) {
     return msg;
   }
 }
-async function compressTextWithSegmentation(text, pipeline, session, record) {
-  const segments = segmentContent(text);
-  const hasCode = segments.some((s) => s.type === "code");
-  if (!hasCode) {
-    const result = await pipeline.compressForLLM(text);
-    session.recordCompression(result.metrics);
-    record(!result.metrics.skipped, result.metrics.tokensSaved);
-    return result.text;
+async function compressMessage(msg, pipeline, session, record, options = { compressToolResults: true }) {
+  if (typeof msg.content === "string") {
+    return compressStringContent(msg, pipeline, session, record);
   }
-  const parts = await Promise.all(
-    segments.map(async (seg) => {
-      if (seg.type === "code") return seg.text;
-      if (seg.text.trim().length === 0) return seg.text;
-      try {
-        const result = await pipeline.compressForLLM(seg.text);
-        session.recordCompression(result.metrics);
-        record(!result.metrics.skipped, result.metrics.tokensSaved);
-        return result.text;
-      } catch (err) {
-        if (err instanceof RSCCircuitOpenError) throw err;
-        session.recordFailure();
-        return seg.text;
-      }
-    })
-  );
-  return parts.join("");
+  if (Array.isArray(msg.content)) {
+    return compressArrayContent(msg, pipeline, session, record, options);
+  }
+  return msg;
 }
-async function compressArrayContent(msg, pipeline, session, record) {
+async function compressStringContent(msg, pipeline, session, record, semaphore, semaphoreTimeoutMs) {
+  const text = msg.content;
+  try {
+    const compressed = await compressTextWithSegmentation(text, pipeline, session, record, semaphore, semaphoreTimeoutMs);
+    return { ...msg, content: compressed };
+  } catch (err) {
+    if (err instanceof RSCCircuitOpenError) {
+      session.recordFailure();
+      throw err;
+    }
+    session.recordFailure();
+    return msg;
+  }
+}
+async function compressArrayContent(msg, pipeline, session, record, options = { compressToolResults: true }) {
   const parts = msg.content;
   const compressedParts = await Promise.all(
     parts.map(async (part) => {
+      if (PASSTHROUGH_BLOCK_TYPES.has(part.type)) return part;
       if (part.type === "text" && typeof part.text === "string") {
         try {
           const compressed = await compressTextWithSegmentation(part.text, pipeline, session, record);
@@ -1416,11 +1502,183 @@ async function compressArrayContent(msg, pipeline, session, record) {
           return part;
         }
       }
+      if (part.type === "tool_result" && options.compressToolResults) {
+        return compressToolResult(part, pipeline, session, record);
+      }
       return part;
     })
   );
   return { ...msg, content: compressedParts };
 }
+async function compressToolResult(part, pipeline, session, record) {
+  const content = part.content;
+  if (typeof content === "string") {
+    try {
+      const compressed = await compressTextWithSegmentation(content, pipeline, session, record);
+      return { ...part, content: compressed };
+    } catch (err) {
+      if (err instanceof RSCCircuitOpenError) {
+        session.recordFailure();
+        throw err;
+      }
+      session.recordFailure();
+      return part;
+    }
+  }
+  if (Array.isArray(content)) {
+    try {
+      const compressedInner = await Promise.all(
+        content.map(async (inner) => {
+          if (inner.type === "text" && typeof inner.text === "string") {
+            try {
+              const compressed = await compressTextWithSegmentation(inner.text, pipeline, session, record);
+              return { ...inner, text: compressed };
+            } catch (err) {
+              if (err instanceof RSCCircuitOpenError) throw err;
+              session.recordFailure();
+              return inner;
+            }
+          }
+          return inner;
+        })
+      );
+      return { ...part, content: compressedInner };
+    } catch (err) {
+      if (err instanceof RSCCircuitOpenError) {
+        session.recordFailure();
+        throw err;
+      }
+      session.recordFailure();
+      return part;
+    }
+  }
+  return part;
+}
+async function compressTextWithSegmentation(text, pipeline, session, record, semaphore, semaphoreTimeoutMs) {
+  const segments = segmentContent(text);
+  const hasCode = segments.some((s) => s.type === "code");
+  if (!hasCode) {
+    if (semaphore) await semaphore.acquire(semaphoreTimeoutMs);
+    try {
+      const result = await pipeline.compressForLLM(text);
+      session.recordCompression(result.metrics);
+      const saved = Math.max(0, result.metrics.tokensSaved);
+      record(!result.metrics.skipped, saved);
+      return sanitizeCompressedText(result.text);
+    } finally {
+      if (semaphore) semaphore.release();
+    }
+  }
+  const parts = await Promise.all(
+    segments.map(async (seg) => {
+      if (seg.type === "code") return seg.text;
+      if (seg.text.trim().length === 0) return seg.text;
+      if (semaphore) await semaphore.acquire(semaphoreTimeoutMs);
+      try {
+        const result = await pipeline.compressForLLM(seg.text);
+        session.recordCompression(result.metrics);
+        const saved = Math.max(0, result.metrics.tokensSaved);
+        record(!result.metrics.skipped, saved);
+        return sanitizeCompressedText(result.text);
+      } catch (err) {
+        if (err instanceof RSCCircuitOpenError) throw err;
+        session.recordFailure();
+        return seg.text;
+      } finally {
+        if (semaphore) semaphore.release();
+      }
+    })
+  );
+  return parts.join("");
+}
+
+// src/rsc/conversation-analyzer.ts
+var SKIP_BLOCK_TYPES = /* @__PURE__ */ new Set(["thinking", "tool_use", "image"]);
+function estimateTokens(text) {
+  return Math.ceil(text.length / 4);
+}
+function estimateBlockTokens(block, compressToolResults) {
+  if (SKIP_BLOCK_TYPES.has(block.type)) return 0;
+  if (block.type === "text" && typeof block.text === "string") {
+    return estimateTokens(block.text);
+  }
+  if (block.type === "tool_result" && compressToolResults) {
+    if (typeof block.content === "string") {
+      return estimateTokens(block.content);
+    }
+    if (Array.isArray(block.content)) {
+      return block.content.reduce(
+        (sum, inner) => sum + estimateBlockTokens(inner, compressToolResults),
+        0
+      );
+    }
+  }
+  return 0;
+}
+function estimateMessageTokens(msg, config) {
+  if (!config.compressRoles.has(msg.role)) return 0;
+  if (typeof msg.content === "string") {
+    return estimateTokens(msg.content);
+  }
+  if (Array.isArray(msg.content)) {
+    return msg.content.reduce(
+      (sum, part) => sum + estimateBlockTokens(part, config.compressToolResults),
+      0
+    );
+  }
+  return 0;
+}
+function analyzeConversation(messages, config) {
+  const n = messages.length;
+  if (n < 5) {
+    const tiered2 = messages.map((msg, i) => ({
+      index: i,
+      message: msg,
+      tier: "hot",
+      eligibleTokens: estimateMessageTokens(msg, config)
+    }));
+    return {
+      messages: tiered2,
+      totalEligibleTokens: 0,
+      shouldCompress: false,
+      hotCount: n,
+      warmCount: 0,
+      coldCount: 0
+    };
+  }
+  const coldEnd = Math.floor(n * config.coldFraction);
+  const hotStart = n - Math.floor(n * config.hotFraction);
+  let totalEligibleTokens = 0;
+  let hotCount = 0;
+  let warmCount = 0;
+  let coldCount = 0;
+  const tiered = messages.map((msg, i) => {
+    let tier;
+    if (i >= hotStart) {
+      tier = "hot";
+      hotCount++;
+    } else if (i < coldEnd) {
+      tier = "cold";
+      coldCount++;
+    } else {
+      tier = "warm";
+      warmCount++;
+    }
+    const eligibleTokens = estimateMessageTokens(msg, config);
+    if (tier !== "hot") {
+      totalEligibleTokens += eligibleTokens;
+    }
+    return { index: i, message: msg, tier, eligibleTokens };
+  });
+  return {
+    messages: tiered,
+    totalEligibleTokens,
+    shouldCompress: totalEligibleTokens >= config.aggregateThreshold,
+    hotCount,
+    warmCount,
+    coldCount
+  };
+}
 
 // src/rsc/learning.ts
 function createStreamLearningBuffer(pipeline) {
@@ -1523,6 +1781,25 @@ async function pipeSSEResponse(upstreamResponse, clientRes, onContentDelta, onCo
   }
 }
 
+// src/terminology.ts
+var TIER_LABELS = {
+  HOT: "Active",
+  WARM: "Recent",
+  COLD: "Archived"
+};
+function formatTiersLog(hot, warm, cold, eligibleTokens) {
+  return `[MEMORY] ${TIER_LABELS.HOT}:${hot} ${TIER_LABELS.WARM}:${warm} ${TIER_LABELS.COLD}:${cold} \xB7 ${eligibleTokens} tokens eligible`;
+}
+function formatSavedLog(tokensSaved, latencyMs) {
+  return `[SAVED] ${tokensSaved} tokens (${latencyMs}ms)`;
+}
+function formatDegradeLog() {
+  return "[STATUS] Connection degraded \u2014 passing through directly";
+}
+function formatResponseLog(model, tokensSaved, streaming = false) {
+  return `[RESPONSE] ${streaming ? "Streaming " : ""}${model} response \u2192 client (saved:${tokensSaved}tok)`;
+}
+
 // src/proxy/completions.ts
 function setCORSHeaders(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
@@ -1539,7 +1816,7 @@ function extractBearerToken(req) {
   if (!auth || !auth.startsWith("Bearer ")) return null;
   return auth.slice(7);
 }
-async function handleChatCompletions(req, res, body, pipeline, config, logger) {
+async function handleChatCompletions(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
   const request = body;
   if (!request.messages || !Array.isArray(request.messages)) {
     sendJSON(res, 400, {
@@ -1558,23 +1835,44 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
   let anyCompressed = false;
   let totalTokensSaved = 0;
   if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
     try {
       const compressRoles = new Set(config.compressRoles);
-      const result = await compressMessages(
-        request.messages,
+      const plan = analyzeConversation(request.messages, {
+        hotFraction: config.hotFraction,
+        coldFraction: config.coldFraction,
+        aggregateThreshold: config.aggregateThreshold,
+        compressRoles,
+        compressToolResults: config.compressToolResults
+      });
+      if (plan.shouldCompress) {
+        logger.log(formatTiersLog(plan.hotCount, plan.warmCount, plan.coldCount, plan.totalEligibleTokens));
+      }
+      const result = await compressConversation(
         pipeline.pipeline,
         pipeline.session,
-        compressRoles
+        plan,
+        {
+          compressToolResults: config.compressToolResults,
+          logFn: (msg) => logger.log(msg),
+          semaphore,
+          semaphoreTimeoutMs: config.concurrencyTimeoutMs
+        }
       );
       messages = result.messages;
       anyCompressed = result.anyCompressed;
       totalTokensSaved = result.totalTokensSaved;
+      const latencyMs = Date.now() - compressStart;
+      const alert = latencyMonitor.record(sessionKey, latencyMs);
+      if (alert) {
+        logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+      }
       if (result.totalTokensSaved > 0) {
-        logger.log(`[COMPRESS] Saved ${result.totalTokensSaved} tokens`);
+        logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
       }
     } catch (err) {
       if (err instanceof RSCCircuitOpenError2) {
-        logger.log("[DEGRADE] Circuit breaker open \u2014 passing through directly");
+        logger.log(formatDegradeLog());
       } else {
         logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
       }
@@ -1607,6 +1905,7 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
     }
     if (request.stream && upstreamResponse.body) {
       const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
       await pipeSSEResponse(
         upstreamResponse,
         res,
@@ -1617,6 +1916,7 @@ async function handleChatCompletions(req, res, body, pipeline, config, logger) {
       return;
     }
     const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
     let finalBody = responseBody;
     if (totalTokensSaved > 0) {
       try {
@@ -1757,7 +2057,7 @@ async function pipeAnthropicSSEResponse(upstreamResponse, clientRes, onContentDe
 function setCORSHeaders2(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, x-liminal-session");
 }
 function sendAnthropicError(res, status, type, message) {
   setCORSHeaders2(res);
@@ -1788,7 +2088,7 @@ function convertCompressedToAnthropic(messages) {
     content: msg.content
   }));
 }
-async function handleAnthropicMessages(req, res, body, pipeline, config, logger) {
+async function handleAnthropicMessages(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
   const request = body;
   if (!request.messages || !Array.isArray(request.messages)) {
     sendAnthropicError(res, 400, "invalid_request_error", "messages is required and must be an array");
@@ -1807,24 +2107,45 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
   let anyCompressed = false;
   let totalTokensSaved = 0;
   if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
     try {
       const compressRoles = new Set(config.compressRoles);
       const compressible = convertAnthropicToCompressible(request.messages);
-      const result = await compressMessages(
-        compressible,
+      const plan = analyzeConversation(compressible, {
+        hotFraction: config.hotFraction,
+        coldFraction: config.coldFraction,
+        aggregateThreshold: config.aggregateThreshold,
+        compressRoles,
+        compressToolResults: config.compressToolResults
+      });
+      if (plan.shouldCompress) {
+        logger.log(formatTiersLog(plan.hotCount, plan.warmCount, plan.coldCount, plan.totalEligibleTokens));
+      }
+      const result = await compressConversation(
         pipeline.pipeline,
         pipeline.session,
-        compressRoles
+        plan,
+        {
+          compressToolResults: config.compressToolResults,
+          logFn: (msg) => logger.log(msg),
+          semaphore,
+          semaphoreTimeoutMs: config.concurrencyTimeoutMs
+        }
       );
       messages = convertCompressedToAnthropic(result.messages);
       anyCompressed = result.anyCompressed;
       totalTokensSaved = result.totalTokensSaved;
+      const latencyMs = Date.now() - compressStart;
+      const alert = latencyMonitor.record(sessionKey, latencyMs);
+      if (alert) {
+        logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+      }
       if (result.totalTokensSaved > 0) {
-        logger.log(`[COMPRESS] Saved ${result.totalTokensSaved} tokens`);
+        logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
       }
     } catch (err) {
       if (err instanceof RSCCircuitOpenError3) {
-        logger.log("[DEGRADE] Circuit breaker open -- passing through directly");
+        logger.log(formatDegradeLog());
       } else {
         logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
       }
@@ -1862,6 +2183,7 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
     }
     if (request.stream && upstreamResponse.body) {
       const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
       await pipeAnthropicSSEResponse(
         upstreamResponse,
         res,
@@ -1872,6 +2194,7 @@ async function handleAnthropicMessages(req, res, body, pipeline, config, logger)
       return;
     }
     const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
     let finalBody = responseBody;
     if (totalTokensSaved > 0) {
       try {
@@ -2102,7 +2425,7 @@ function extractOutputText(output) {
   }
   return texts.join("");
 }
-async function handleResponses(req, res, body, pipeline, config, logger) {
+async function handleResponses(req, res, body, pipeline, config, logger, semaphore, latencyMonitor, sessionKey) {
   const request = body;
   if (request.input === void 0 || request.input === null) {
     sendJSON2(res, 400, {
@@ -2121,6 +2444,7 @@ async function handleResponses(req, res, body, pipeline, config, logger) {
   let anyCompressed = false;
   let totalTokensSaved = 0;
   if (config.enabled && !pipeline.isCircuitOpen()) {
+    const compressStart = Date.now();
     try {
       const compressRoles = new Set(config.compressRoles);
       const compressible = inputToCompressibleMessages(request.input);
@@ -2134,13 +2458,18 @@ async function handleResponses(req, res, body, pipeline, config, logger) {
         compressedInput = applyCompressedToInput(request.input, result.messages);
         anyCompressed = result.anyCompressed;
         totalTokensSaved = result.totalTokensSaved;
+        const latencyMs = Date.now() - compressStart;
+        const alert = latencyMonitor.record(sessionKey, latencyMs);
+        if (alert) {
+          logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message}`);
+        }
         if (result.totalTokensSaved > 0) {
-          logger.log(`[COMPRESS] Responses API: saved ${result.totalTokensSaved} tokens`);
+          logger.log(formatSavedLog(result.totalTokensSaved, latencyMs));
         }
       }
     } catch (err) {
       if (err instanceof RSCCircuitOpenError4) {
-        logger.log("[DEGRADE] Circuit breaker open \u2014 passing through directly");
+        logger.log(formatDegradeLog());
       } else {
         logger.log(`[ERROR] Compression failed: ${err instanceof Error ? err.message : String(err)}`);
       }
@@ -2175,6 +2504,7 @@ async function handleResponses(req, res, body, pipeline, config, logger) {
     }
     if (request.stream && upstreamResponse.body) {
       const learningBuffer = anyCompressed ? createStreamLearningBuffer(pipeline.pipeline) : null;
+      logger.log(formatResponseLog(request.model, totalTokensSaved, true));
       await pipeResponsesSSE(
         upstreamResponse,
         res,
@@ -2185,6 +2515,7 @@ async function handleResponses(req, res, body, pipeline, config, logger) {
       return;
     }
     const responseBody = await upstreamResponse.text();
+    logger.log(formatResponseLog(request.model, totalTokensSaved));
     let finalBody = responseBody;
     if (totalTokensSaved > 0) {
       try {
@@ -2226,11 +2557,51 @@ async function handleResponses(req, res, body, pipeline, config, logger) {
   }
 }
 
+// src/proxy/session-identity.ts
+import * as crypto from "crypto";
+function identifySession(req, pathname) {
+  const connector = detectConnector(req, pathname);
+  const windowHash = deriveWindowHash(req);
+  return { connector, windowHash, raw: `${connector}:${windowHash}` };
+}
+function detectConnector(req, pathname) {
+  if (req.headers["x-api-key"] || req.headers["anthropic-version"]) {
+    return "claude-code";
+  }
+  if (pathname.startsWith("/v1/responses") || pathname.startsWith("/responses")) {
+    return "codex";
+  }
+  const ua = req.headers["user-agent"] ?? "";
+  if (/cursor/i.test(ua)) {
+    return "cursor";
+  }
+  return "openai-compatible";
+}
+function deriveWindowHash(req) {
+  const liminalSession = req.headers["x-liminal-session"];
+  if (typeof liminalSession === "string" && liminalSession.length > 0) {
+    return liminalSession;
+  }
+  const credential = extractCredential(req);
+  if (!credential) return "anonymous";
+  return crypto.createHash("sha256").update(credential).digest("hex").slice(0, 8);
+}
+function extractCredential(req) {
+  const apiKey = req.headers["x-api-key"];
+  if (typeof apiKey === "string" && apiKey.length > 0) return apiKey;
+  const auth = req.headers["authorization"];
+  if (typeof auth === "string") {
+    const match = auth.match(/^Bearer\s+(.+)$/i);
+    if (match) return match[1];
+  }
+  return null;
+}
+
 // src/proxy/handler.ts
 function setCORSHeaders4(res) {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, PATCH");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, anthropic-dangerous-direct-browser-access");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, anthropic-dangerous-direct-browser-access, x-liminal-session");
   res.setHeader("Access-Control-Max-Age", "86400");
 }
 function sendJSON3(res, status, body) {
@@ -2331,7 +2702,8 @@ async function passthroughToUpstream(req, res, fullUrl, config, logger) {
     }
   }
 }
-function createRequestHandler(pipeline, config, logger) {
+function createRequestHandler(deps) {
+  const { sessions, semaphore, latencyMonitor, config, logger } = deps;
   const startTime = Date.now();
   return async (req, res) => {
     try {
@@ -2347,27 +2719,37 @@ function createRequestHandler(pipeline, config, logger) {
         return;
       }
       if (method === "GET" && (url === "/health" || url === "/")) {
-        const summary = pipeline.getSessionSummary();
+        const sessionSummaries = sessions.getAllSummaries();
         sendJSON3(res, 200, {
           status: "ok",
           version: config.rscApiKey ? "connected" : "no-api-key",
-          rsc_connected: !pipeline.isCircuitOpen(),
-          circuit_state: pipeline.getCircuitState(),
-          session_id: summary.sessionId,
           uptime_ms: Date.now() - startTime,
-          session: {
-            tokens_processed: summary.tokensProcessed,
-            tokens_saved: summary.tokensSaved,
-            calls_total: summary.totalCalls,
-            calls_compressed: summary.compressedCalls,
-            calls_skipped: summary.skippedCalls,
-            calls_failed: summary.failedCalls,
-            patterns_learned: summary.patternsLearned,
-            estimated_cost_saved_usd: summary.estimatedCostSaved
-          }
+          concurrency: {
+            active_sessions: sessions.activeCount,
+            semaphore_available: semaphore.available,
+            semaphore_waiting: semaphore.waiting,
+            max_concurrent_rsc_calls: config.concurrencyLimit
+          },
+          latency: {
+            global_p95_ms: latencyMonitor.getGlobalP95()
+          },
+          sessions: sessionSummaries.map((s) => ({
+            session_key: s.key,
+            connector: s.connector,
+            circuit_state: s.circuitState,
+            tokens_processed: s.tokensProcessed,
+            tokens_saved: s.tokensSaved,
+            calls_total: s.totalCalls,
+            calls_compressed: s.compressedCalls,
+            calls_failed: s.failedCalls,
+            p95_latency_ms: latencyMonitor.getSessionP95(s.key),
+            last_active_ago_ms: Date.now() - s.lastAccessedAt
+          }))
         });
         return;
       }
+      const sessionKey = identifySession(req, url);
+      const pipeline = sessions.getOrCreate(sessionKey);
       if (method === "POST" && (url === "/v1/chat/completions" || url === "/chat/completions")) {
         const body = await readBody(req);
         let parsed;
@@ -2379,7 +2761,7 @@ function createRequestHandler(pipeline, config, logger) {
           });
           return;
         }
-        await handleChatCompletions(req, res, parsed, pipeline, config, logger);
+        await handleChatCompletions(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
       if (method === "POST" && (url === "/v1/responses" || url === "/responses")) {
@@ -2393,7 +2775,7 @@ function createRequestHandler(pipeline, config, logger) {
           });
           return;
         }
-        await handleResponses(req, res, parsed, pipeline, config, logger);
+        await handleResponses(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
       if (method === "POST" && (url === "/v1/messages" || url === "/messages")) {
@@ -2408,7 +2790,7 @@ function createRequestHandler(pipeline, config, logger) {
           });
           return;
         }
-        await handleAnthropicMessages(req, res, parsed, pipeline, config, logger);
+        await handleAnthropicMessages(req, res, parsed, pipeline, config, logger, semaphore, latencyMonitor, sessionKey.raw);
         return;
       }
       await passthroughToUpstream(req, res, fullUrl, config, logger);
@@ -2432,9 +2814,11 @@ var ProxyServer = class {
   activePort = null;
   requestedPort;
   handler;
-  constructor(port, handler) {
+  connectHandler;
+  constructor(port, handler, connectHandler) {
     this.requestedPort = port;
     this.handler = handler;
+    this.connectHandler = connectHandler ?? null;
   }
   async start() {
     let lastError = null;
@@ -2456,6 +2840,9 @@ var ProxyServer = class {
   listen(port) {
     return new Promise((resolve, reject) => {
       const server = http.createServer(this.handler);
+      if (this.connectHandler) {
+        server.on("connect", this.connectHandler);
+      }
       server.on("error", reject);
       server.listen(port, "127.0.0.1", () => {
         server.removeListener("error", reject);
@@ -2480,6 +2867,10 @@ var ProxyServer = class {
   getPort() {
     return this.activePort;
   }
+  /** Expose internal HTTP server for MITM bridge socket injection */
+  getHttpServer() {
+    return this.server;
+  }
 };
 
 // src/daemon/logger.ts
@@ -2530,17 +2921,668 @@ var FileLogger = class {
   }
 };
 
+// src/rsc/session-manager.ts
+init_pipeline();
+var DEFAULT_MAX_SESSIONS = 10;
+var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
+var EVICTION_INTERVAL_MS = 6e4;
+var SessionManager = class {
+  sessions = /* @__PURE__ */ new Map();
+  config;
+  evictionTimer = null;
+  constructor(config) {
+    this.config = {
+      ...config,
+      maxSessions: config.maxSessions ?? DEFAULT_MAX_SESSIONS,
+      sessionTtlMs: config.sessionTtlMs ?? DEFAULT_SESSION_TTL_MS
+    };
+    this.evictionTimer = setInterval(() => this.evictStale(), EVICTION_INTERVAL_MS);
+    if (this.evictionTimer.unref) {
+      this.evictionTimer.unref();
+    }
+  }
+  // ── Public API ──────────────────────────────────────────────────────
+  getOrCreate(key) {
+    const existing = this.sessions.get(key.raw);
+    if (existing) {
+      existing.lastAccessedAt = Date.now();
+      existing.requestCount++;
+      return existing.pipeline;
+    }
+    if (this.sessions.size >= this.config.maxSessions) {
+      this.evictLRU();
+    }
+    const pipeline = new RSCPipelineWrapper({
+      ...this.config.pipelineConfig,
+      sessionId: key.raw
+    });
+    this.sessions.set(key.raw, {
+      pipeline,
+      lastAccessedAt: Date.now(),
+      requestCount: 1,
+      connector: key.connector
+    });
+    this.config.onSessionCreated?.(key.raw, pipeline);
+    return pipeline;
+  }
+  getAllSummaries() {
+    const entries = [];
+    for (const [key, managed] of this.sessions) {
+      entries.push(this.buildHealthEntry(key, managed));
+    }
+    return entries;
+  }
+  getSessionSummary(key) {
+    const managed = this.sessions.get(key);
+    if (!managed) return null;
+    return this.buildHealthEntry(key, managed);
+  }
+  get activeCount() {
+    return this.sessions.size;
+  }
+  shutdown() {
+    if (this.evictionTimer !== null) {
+      clearInterval(this.evictionTimer);
+      this.evictionTimer = null;
+    }
+    this.sessions.clear();
+  }
+  // ── Internals ───────────────────────────────────────────────────────
+  buildHealthEntry(key, managed) {
+    const summary = managed.pipeline.getSessionSummary();
+    return {
+      key,
+      connector: managed.connector,
+      circuitState: managed.pipeline.getCircuitState(),
+      tokensProcessed: summary.tokensProcessed,
+      tokensSaved: summary.tokensSaved,
+      totalCalls: summary.totalCalls,
+      compressedCalls: summary.compressedCalls,
+      failedCalls: summary.failedCalls,
+      lastAccessedAt: managed.lastAccessedAt
+    };
+  }
+  evictStale() {
+    const now = Date.now();
+    const cutoff = now - this.config.sessionTtlMs;
+    for (const [key, managed] of this.sessions) {
+      if (managed.lastAccessedAt < cutoff) {
+        this.sessions.delete(key);
+        this.config.onSessionEvicted?.(key);
+      }
+    }
+  }
+  evictLRU() {
+    let oldestKey = null;
+    let oldestTime = Infinity;
+    for (const [key, managed] of this.sessions) {
+      if (managed.lastAccessedAt < oldestTime) {
+        oldestTime = managed.lastAccessedAt;
+        oldestKey = key;
+      }
+    }
+    if (oldestKey !== null) {
+      this.sessions.delete(oldestKey);
+      this.config.onSessionEvicted?.(oldestKey);
+    }
+  }
+};
+
+// src/rsc/semaphore.ts
+var SemaphoreTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Semaphore acquire timed out after ${timeoutMs}ms`);
+    this.name = "SemaphoreTimeoutError";
+  }
+};
+var Semaphore = class {
+  permits;
+  queue = [];
+  constructor(maxPermits) {
+    if (maxPermits < 1) throw new RangeError("maxPermits must be >= 1");
+    this.permits = maxPermits;
+  }
+  get available() {
+    return this.permits;
+  }
+  get waiting() {
+    return this.queue.length;
+  }
+  acquire(timeoutMs) {
+    if (this.permits > 0) {
+      this.permits--;
+      return Promise.resolve();
+    }
+    return new Promise((resolve, reject) => {
+      const waiter = { resolve, reject };
+      this.queue.push(waiter);
+      if (timeoutMs !== void 0 && timeoutMs >= 0) {
+        const timer = setTimeout(() => {
+          const idx = this.queue.indexOf(waiter);
+          if (idx !== -1) {
+            this.queue.splice(idx, 1);
+            reject(new SemaphoreTimeoutError(timeoutMs));
+          }
+        }, timeoutMs);
+        const originalResolve = waiter.resolve;
+        waiter.resolve = () => {
+          clearTimeout(timer);
+          originalResolve();
+        };
+      }
+    });
+  }
+  release() {
+    const next = this.queue.shift();
+    if (next) {
+      next.resolve();
+    } else {
+      this.permits++;
+    }
+  }
+};
+
+// src/rsc/latency-monitor.ts
+var DEFAULT_CONFIG = {
+  warningThresholdMs: 4e3,
+  criticalThresholdMs: 8e3,
+  windowSize: 50
+};
+var CircularBuffer = class {
+  buffer;
+  index = 0;
+  count = 0;
+  capacity;
+  constructor(capacity) {
+    this.capacity = capacity;
+    this.buffer = new Array(capacity);
+  }
+  push(value) {
+    this.buffer[this.index] = value;
+    this.index = (this.index + 1) % this.capacity;
+    if (this.count < this.capacity) {
+      this.count++;
+    }
+  }
+  getValues() {
+    if (this.count < this.capacity) {
+      return this.buffer.slice(0, this.count);
+    }
+    return [...this.buffer.slice(this.index), ...this.buffer.slice(0, this.index)];
+  }
+  get size() {
+    return this.count;
+  }
+};
+function calculateP95(values) {
+  if (values.length === 0) return null;
+  const sorted = [...values].sort((a, b) => a - b);
+  const idx = Math.floor(sorted.length * 0.95);
+  return sorted[Math.min(idx, sorted.length - 1)];
+}
+var LatencyMonitor = class {
+  config;
+  sessionWindows = /* @__PURE__ */ new Map();
+  globalWindow;
+  callbacks = [];
+  constructor(config) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+    this.globalWindow = new CircularBuffer(this.config.windowSize * 4);
+  }
+  record(sessionKey, latencyMs) {
+    let sessionBuf = this.sessionWindows.get(sessionKey);
+    if (!sessionBuf) {
+      sessionBuf = new CircularBuffer(this.config.windowSize);
+      this.sessionWindows.set(sessionKey, sessionBuf);
+    }
+    sessionBuf.push(latencyMs);
+    this.globalWindow.push(latencyMs);
+    const globalP95 = calculateP95(this.globalWindow.getValues());
+    if (globalP95 === null) return null;
+    let alert = null;
+    if (globalP95 >= this.config.criticalThresholdMs) {
+      alert = {
+        type: "critical",
+        message: `Global p95 latency ${globalP95.toFixed(0)}ms exceeds critical threshold ${this.config.criticalThresholdMs}ms`,
+        sessionKey,
+        p95Ms: globalP95,
+        thresholdMs: this.config.criticalThresholdMs,
+        activeSessions: this.sessionWindows.size,
+        suggestion: "Reduce active sessions or increase latency budget"
+      };
+    } else if (globalP95 >= this.config.warningThresholdMs) {
+      alert = {
+        type: "warning",
+        message: `Global p95 latency ${globalP95.toFixed(0)}ms exceeds warning threshold ${this.config.warningThresholdMs}ms`,
+        sessionKey,
+        p95Ms: globalP95,
+        thresholdMs: this.config.warningThresholdMs,
+        activeSessions: this.sessionWindows.size,
+        suggestion: "Consider reducing active sessions"
+      };
+    }
+    if (alert) {
+      for (const cb of this.callbacks) {
+        cb(alert);
+      }
+    }
+    return alert;
+  }
+  getSessionP95(sessionKey) {
+    const buf = this.sessionWindows.get(sessionKey);
+    if (!buf) return null;
+    return calculateP95(buf.getValues());
+  }
+  getGlobalP95() {
+    return calculateP95(this.globalWindow.getValues());
+  }
+  onAlert(cb) {
+    this.callbacks.push(cb);
+  }
+  get sessionCount() {
+    return this.sessionWindows.size;
+  }
+};
+
+// src/tls/connect-handler.ts
+import * as net from "net";
+
+// src/tls/allowlist.ts
+var MITM_HOSTS = /* @__PURE__ */ new Set([
+  "api.openai.com",
+  "api.anthropic.com",
+  "generativelanguage.googleapis.com"
+]);
+function shouldIntercept(hostname) {
+  return MITM_HOSTS.has(hostname);
+}
+
+// src/tls/connect-handler.ts
+function createConnectHandler(options) {
+  const { logger, onIntercept } = options;
+  return (req, clientSocket, head) => {
+    const target = req.url ?? "";
+    const [hostname, portStr] = parseConnectTarget(target);
+    const port = parseInt(portStr, 10) || 443;
+    if (!hostname) {
+      logger.log(`[CONNECT] Invalid target: ${target}`);
+      clientSocket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+      clientSocket.destroy();
+      return;
+    }
+    if (shouldIntercept(hostname) && onIntercept) {
+      logger.log(`[CONNECT] ${hostname}:${port} \u2192 intercept`);
+      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+      if (head.length > 0) {
+        clientSocket.unshift(head);
+      }
+      onIntercept(clientSocket, hostname, port);
+    } else {
+      logger.log(`[TUNNEL] ${hostname}:${port} \u2192 passthrough`);
+      const upstreamSocket = net.connect(port, hostname, () => {
+        clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+        if (head.length > 0) {
+          upstreamSocket.write(head);
+        }
+        clientSocket.pipe(upstreamSocket);
+        upstreamSocket.pipe(clientSocket);
+      });
+      upstreamSocket.on("error", (err) => {
+        logger.log(`[TUNNEL] ${hostname}:${port} upstream error: ${err.message}`);
+        clientSocket.write("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+        clientSocket.destroy();
+      });
+      clientSocket.on("error", (err) => {
+        logger.log(`[TUNNEL] ${hostname}:${port} client error: ${err.message}`);
+        upstreamSocket.destroy();
+      });
+      clientSocket.on("close", () => upstreamSocket.destroy());
+      upstreamSocket.on("close", () => clientSocket.destroy());
+    }
+  };
+}
+function parseConnectTarget(target) {
+  const colonIdx = target.lastIndexOf(":");
+  if (colonIdx === -1) return [target, "443"];
+  return [target.slice(0, colonIdx), target.slice(colonIdx + 1)];
+}
+
+// src/tls/ca.ts
+import { existsSync as existsSync6, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, unlinkSync } from "fs";
+import { join as join5 } from "path";
+import forge from "node-forge";
+var CA_CERT_PATH = join5(LIMINAL_DIR, "ca.pem");
+var CA_KEY_PATH = join5(LIMINAL_DIR, "ca-key.pem");
+function generateCA() {
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = generateSerialNumber();
+  cert.validity.notBefore = /* @__PURE__ */ new Date();
+  cert.validity.notAfter = /* @__PURE__ */ new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 5);
+  const attrs = [
+    { name: "commonName", value: "Liminal Proxy CA" },
+    { name: "organizationName", value: "Liminal (Cognisos)" },
+    { shortName: "OU", value: "Local Development" }
+  ];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    { name: "basicConstraints", cA: true, critical: true },
+    { name: "keyUsage", keyCertSign: true, cRLSign: true, critical: true },
+    {
+      name: "subjectKeyIdentifier"
+    }
+  ]);
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+  return {
+    certPem: forge.pki.certificateToPem(cert),
+    keyPem: forge.pki.privateKeyToPem(keys.privateKey)
+  };
+}
+function generateAndSaveCA() {
+  if (!existsSync6(LIMINAL_DIR)) {
+    mkdirSync3(LIMINAL_DIR, { recursive: true, mode: 448 });
+  }
+  const { certPem, keyPem } = generateCA();
+  writeFileSync3(CA_CERT_PATH, certPem, { encoding: "utf-8", mode: 420 });
+  writeFileSync3(CA_KEY_PATH, keyPem, { encoding: "utf-8", mode: 384 });
+  return { certPem, keyPem };
+}
+function loadCA() {
+  if (!existsSync6(CA_CERT_PATH) || !existsSync6(CA_KEY_PATH)) {
+    return null;
+  }
+  return {
+    certPem: readFileSync4(CA_CERT_PATH, "utf-8"),
+    keyPem: readFileSync4(CA_KEY_PATH, "utf-8")
+  };
+}
+function ensureCA() {
+  const existing = loadCA();
+  if (existing) return existing;
+  return generateAndSaveCA();
+}
+function hasCA() {
+  return existsSync6(CA_CERT_PATH) && existsSync6(CA_KEY_PATH);
+}
+function removeCA() {
+  if (existsSync6(CA_CERT_PATH)) unlinkSync(CA_CERT_PATH);
+  if (existsSync6(CA_KEY_PATH)) unlinkSync(CA_KEY_PATH);
+}
+function getCAInfo() {
+  const ca = loadCA();
+  if (!ca) return null;
+  const cert = forge.pki.certificateFromPem(ca.certPem);
+  const cn = cert.subject.getField("CN");
+  const der = forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes();
+  const md = forge.md.sha256.create();
+  md.update(der);
+  const fingerprint = md.digest().toHex().match(/.{2}/g).join(":").toUpperCase();
+  return {
+    commonName: cn ? cn.value : "Unknown",
+    validFrom: cert.validity.notBefore,
+    validTo: cert.validity.notAfter,
+    fingerprint
+  };
+}
+function generateSerialNumber() {
+  const bytes = forge.random.getBytesSync(16);
+  return forge.util.bytesToHex(bytes);
+}
+
+// src/tls/trust.ts
+import { execSync as execSync3 } from "child_process";
+import { existsSync as existsSync7, copyFileSync, unlinkSync as unlinkSync2 } from "fs";
+function installCA() {
+  if (!existsSync7(CA_CERT_PATH)) {
+    return { success: false, message: 'CA certificate not found. Run "liminal init" first.', requiresSudo: false };
+  }
+  const platform = process.platform;
+  if (platform === "darwin") return installMacOS();
+  if (platform === "linux") return installLinux();
+  if (platform === "win32") return installWindows();
+  return { success: false, message: `Unsupported platform: ${platform}`, requiresSudo: false };
+}
+function removeCA2() {
+  const platform = process.platform;
+  if (platform === "darwin") return removeMacOS();
+  if (platform === "linux") return removeLinux();
+  if (platform === "win32") return removeWindows();
+  return { success: false, message: `Unsupported platform: ${platform}`, requiresSudo: false };
+}
+function isCATrusted() {
+  const platform = process.platform;
+  if (platform === "darwin") return isTrustedMacOS();
+  if (platform === "linux") return isTrustedLinux();
+  if (platform === "win32") return isTrustedWindows();
+  return false;
+}
+var MACOS_LABEL = "Liminal Proxy CA";
+function installMacOS() {
+  try {
+    execSync3(
+      `security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db "${CA_CERT_PATH}"`,
+      { stdio: "pipe" }
+    );
+    return { success: true, message: "CA installed in login keychain (trusted for SSL)", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("authorization") || msg.includes("permission")) {
+      return {
+        success: false,
+        message: "Keychain access denied. You may need to unlock your keychain or run with sudo.",
+        requiresSudo: true
+      };
+    }
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: false };
+  }
+}
+function removeMacOS() {
+  try {
+    execSync3(
+      `security delete-certificate -c "${MACOS_LABEL}" ~/Library/Keychains/login.keychain-db`,
+      { stdio: "pipe" }
+    );
+    return { success: true, message: "CA removed from login keychain", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("could not be found")) {
+      return { success: true, message: "CA was not in keychain (already removed)", requiresSudo: false };
+    }
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: false };
+  }
+}
+function isTrustedMacOS() {
+  try {
+    const out = execSync3(
+      `security find-certificate -c "${MACOS_LABEL}" ~/Library/Keychains/login.keychain-db`,
+      { stdio: "pipe", encoding: "utf-8" }
+    );
+    return out.includes(MACOS_LABEL);
+  } catch {
+    return false;
+  }
+}
+var LINUX_CERT_PATH = "/usr/local/share/ca-certificates/liminal-proxy-ca.crt";
+function installLinux() {
+  try {
+    copyFileSync(CA_CERT_PATH, LINUX_CERT_PATH);
+    execSync3("update-ca-certificates", { stdio: "pipe" });
+    return { success: true, message: "CA installed in system trust store", requiresSudo: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("EACCES") || msg.includes("permission")) {
+      return {
+        success: false,
+        message: `Permission denied. Run with sudo:
+  sudo liminal trust-ca`,
+        requiresSudo: true
+      };
+    }
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: true };
+  }
+}
+function removeLinux() {
+  try {
+    if (existsSync7(LINUX_CERT_PATH)) {
+      unlinkSync2(LINUX_CERT_PATH);
+      execSync3("update-ca-certificates --fresh", { stdio: "pipe" });
+    }
+    return { success: true, message: "CA removed from system trust store", requiresSudo: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: true };
+  }
+}
+function isTrustedLinux() {
+  return existsSync7(LINUX_CERT_PATH);
+}
+function installWindows() {
+  try {
+    execSync3(`certutil -addstore -user -f "ROOT" "${CA_CERT_PATH}"`, { stdio: "pipe" });
+    return { success: true, message: "CA installed in user certificate store", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: false };
+  }
+}
+function removeWindows() {
+  try {
+    execSync3(`certutil -delstore -user "ROOT" "${MACOS_LABEL}"`, { stdio: "pipe" });
+    return { success: true, message: "CA removed from user certificate store", requiresSudo: false };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Failed to remove CA: ${msg}`, requiresSudo: false };
+  }
+}
+function isTrustedWindows() {
+  try {
+    const out = execSync3(`certutil -verifystore -user "ROOT" "${MACOS_LABEL}"`, {
+      stdio: "pipe",
+      encoding: "utf-8"
+    });
+    return out.includes("Liminal");
+  } catch {
+    return false;
+  }
+}
+
+// src/tls/mitm-bridge.ts
+import * as tls from "tls";
+
+// src/tls/cert-generator.ts
+import forge2 from "node-forge";
+var CERT_TTL_MS = 24 * 60 * 60 * 1e3;
+var MAX_CACHE_SIZE = 50;
+var CertGenerator = class {
+  caCert;
+  caKey;
+  cache = /* @__PURE__ */ new Map();
+  constructor(caCertPem, caKeyPem) {
+    this.caCert = forge2.pki.certificateFromPem(caCertPem);
+    this.caKey = forge2.pki.privateKeyFromPem(caKeyPem);
+  }
+  /**
+   * Get or generate a TLS certificate for the given hostname.
+   * Certificates are cached for 24 hours.
+   */
+  getCert(hostname) {
+    const now = Date.now();
+    const cached = this.cache.get(hostname);
+    if (cached && cached.expiresAt > now) {
+      return cached.cert;
+    }
+    const cert = this.generate(hostname);
+    if (this.cache.size >= MAX_CACHE_SIZE) {
+      const oldest = this.cache.keys().next().value;
+      if (oldest) this.cache.delete(oldest);
+    }
+    this.cache.set(hostname, { cert, expiresAt: now + CERT_TTL_MS });
+    return cert;
+  }
+  get cacheSize() {
+    return this.cache.size;
+  }
+  generate(hostname) {
+    const keys = forge2.pki.rsa.generateKeyPair(2048);
+    const cert = forge2.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = randomSerial();
+    cert.validity.notBefore = new Date(Date.now() - 24 * 60 * 60 * 1e3);
+    cert.validity.notAfter = new Date(Date.now() + 24 * 60 * 60 * 1e3);
+    cert.setSubject([
+      { name: "commonName", value: hostname },
+      { name: "organizationName", value: "Liminal Proxy (local)" }
+    ]);
+    cert.setIssuer(this.caCert.subject.attributes);
+    cert.setExtensions([
+      { name: "basicConstraints", cA: false },
+      {
+        name: "keyUsage",
+        digitalSignature: true,
+        keyEncipherment: true,
+        critical: true
+      },
+      {
+        name: "extKeyUsage",
+        serverAuth: true
+      },
+      {
+        name: "subjectAltName",
+        altNames: [{ type: 2, value: hostname }]
+        // DNS name
+      }
+    ]);
+    cert.sign(this.caKey, forge2.md.sha256.create());
+    return {
+      certPem: forge2.pki.certificateToPem(cert),
+      keyPem: forge2.pki.privateKeyToPem(keys.privateKey)
+    };
+  }
+};
+function randomSerial() {
+  return forge2.util.bytesToHex(forge2.random.getBytesSync(16));
+}
+
+// src/tls/mitm-bridge.ts
+function createMitmBridge(options) {
+  const { httpServer, caCertPem, caKeyPem, logger } = options;
+  const certGen = new CertGenerator(caCertPem, caKeyPem);
+  return (clientSocket, hostname, _port) => {
+    try {
+      const { certPem, keyPem } = certGen.getCert(hostname);
+      const tlsSocket = new tls.TLSSocket(clientSocket, {
+        isServer: true,
+        key: keyPem,
+        cert: certPem
+      });
+      tlsSocket.on("error", (err) => {
+        logger.log(`[MITM] TLS error for ${hostname}: ${err.message}`);
+        tlsSocket.destroy();
+      });
+      httpServer.emit("connection", tlsSocket);
+      logger.log(`[MITM] TLS bridge established for ${hostname} (cert cache: ${certGen.cacheSize})`);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.log(`[MITM] Failed to establish bridge for ${hostname}: ${message}`);
+      clientSocket.destroy();
+    }
+  };
+}
+
 // src/daemon/lifecycle.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, unlinkSync, existsSync as existsSync6 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, unlinkSync as unlinkSync3, existsSync as existsSync8 } from "fs";
 import { fork } from "child_process";
 import { fileURLToPath } from "url";
 function writePidFile(pid) {
-  writeFileSync3(PID_FILE, String(pid), "utf-8");
+  writeFileSync4(PID_FILE, String(pid), "utf-8");
 }
 function readPidFile() {
-  if (!existsSync6(PID_FILE)) return null;
+  if (!existsSync8(PID_FILE)) return null;
   try {
-    const content = readFileSync4(PID_FILE, "utf-8").trim();
+    const content = readFileSync5(PID_FILE, "utf-8").trim();
     const pid = parseInt(content, 10);
     return isNaN(pid) ? null : pid;
   } catch {
@@ -2549,7 +3591,7 @@ function readPidFile() {
 }
 function removePidFile() {
   try {
-    if (existsSync6(PID_FILE)) unlinkSync(PID_FILE);
+    if (existsSync8(PID_FILE)) unlinkSync3(PID_FILE);
   } catch {
   }
 }
@@ -2651,37 +3693,81 @@ async function startCommand(flags) {
     rscBaseUrl: config.apiBaseUrl,
     proxyPort: config.port,
     compressionThreshold: config.compressionThreshold,
+    aggregateThreshold: config.aggregateThreshold,
+    hotFraction: config.hotFraction,
+    coldFraction: config.coldFraction,
     compressRoles: config.compressRoles,
+    compressToolResults: config.compressToolResults,
     learnFromResponses: config.learnFromResponses,
     latencyBudgetMs: config.latencyBudgetMs || void 0,
     upstreamBaseUrl: config.upstreamBaseUrl,
     anthropicUpstreamUrl: config.anthropicUpstreamUrl,
     enabled: config.enabled,
-    tools: config.tools
+    tools: config.tools,
+    concurrencyLimit: config.concurrencyLimit,
+    concurrencyTimeoutMs: config.concurrencyTimeoutMs,
+    maxSessions: config.maxSessions,
+    sessionTtlMs: config.sessionTtlMs,
+    latencyWarningMs: config.latencyWarningMs,
+    latencyCriticalMs: config.latencyCriticalMs
   };
-  const pipeline = new RSCPipelineWrapper({
-    rscApiKey: config.apiKey,
-    rscBaseUrl: config.apiBaseUrl,
-    compressionThreshold: config.compressionThreshold,
-    learnFromResponses: config.learnFromResponses,
-    latencyBudgetMs: config.latencyBudgetMs || void 0
+  const semaphore = new Semaphore(resolvedConfig.concurrencyLimit);
+  const latencyMonitor = new LatencyMonitor({
+    warningThresholdMs: resolvedConfig.latencyWarningMs,
+    criticalThresholdMs: resolvedConfig.latencyCriticalMs
   });
-  pipeline.events.on("compression", (event) => {
-    if (event.tokensSaved > 0) {
-      logger.log(`[LIMINAL] Compressed: ${event.tokensSaved} tokens saved (${event.ratio.toFixed(3)} ratio)`);
+  function wireSessionEvents(key, pipeline) {
+    pipeline.events.on("compression", (event) => {
+      if (event.tokensSaved > 0) {
+        logger.log(`[LIMINAL] [${key}] Compressed: ${event.tokensSaved} tokens saved (${event.ratio.toFixed(3)} ratio)`);
+      }
+    });
+    pipeline.events.on("compression_skipped", (event) => {
+      const detail = event.reason === "latency_budget" ? `${event.reason} (${event.estimatedTokens}tok, budget:${event.budgetMs}ms, elapsed:${event.elapsedMs}ms)` : event.reason === "below_threshold" ? `${event.reason} (${event.estimatedTokens}tok < ${config.compressionThreshold}tok threshold)` : `${event.reason} (${event.estimatedTokens}tok)`;
+      logger.log(`[LIMINAL] [${key}] Skipped: ${detail}`);
+    });
+    pipeline.events.on("error", (event) => {
+      logger.log(`[LIMINAL] [${key}] Error: ${event.error.message}`);
+    });
+    pipeline.events.on("degradation", (event) => {
+      logger.log(`[LIMINAL] [${key}] Circuit ${event.circuitState}: ${event.reason}`);
+    });
+  }
+  const sessions = new SessionManager({
+    pipelineConfig: {
+      rscApiKey: config.apiKey,
+      rscBaseUrl: config.apiBaseUrl,
+      compressionThreshold: config.compressionThreshold,
+      learnFromResponses: config.learnFromResponses,
+      latencyBudgetMs: config.latencyBudgetMs || void 0
+    },
+    maxSessions: resolvedConfig.maxSessions,
+    sessionTtlMs: resolvedConfig.sessionTtlMs,
+    onSessionCreated: (key, pipeline) => {
+      logger.log(`[SESSION] Created: ${key}`);
+      wireSessionEvents(key, pipeline);
+    },
+    onSessionEvicted: (key) => {
+      logger.log(`[SESSION] Evicted: ${key} (idle)`);
     }
   });
-  pipeline.events.on("compression_skipped", (event) => {
-    logger.log(`[LIMINAL] Skipped: ${event.reason}`);
-  });
-  pipeline.events.on("error", (event) => {
-    logger.log(`[LIMINAL] Error: ${event.error.message}`);
+  latencyMonitor.onAlert((alert) => {
+    logger.log(`[LATENCY] ${alert.type.toUpperCase()}: ${alert.message} (${alert.activeSessions} sessions) \u2014 ${alert.suggestion}`);
   });
-  pipeline.events.on("degradation", (event) => {
-    logger.log(`[LIMINAL] Circuit ${event.circuitState}: ${event.reason}`);
+  const deps = { sessions, semaphore, latencyMonitor, config: resolvedConfig, logger };
+  const handler = createRequestHandler(deps);
+  let mitmHandler;
+  const connectHandler = createConnectHandler({
+    logger,
+    onIntercept: (socket, hostname, port) => {
+      if (mitmHandler) {
+        mitmHandler(socket, hostname, port);
+      } else {
+        logger.log(`[MITM] No bridge available for ${hostname} \u2014 falling back to passthrough`);
+      }
+    }
   });
-  const handler = createRequestHandler(pipeline, resolvedConfig, logger);
-  const server = new ProxyServer(config.port, handler);
+  const server = new ProxyServer(config.port, handler, connectHandler);
   setupSignalHandlers(server, logger);
   try {
     const actualPort = await server.start();
@@ -2691,15 +3777,42 @@ async function startCommand(flags) {
     logger.log(`[DAEMON] Upstream (Anthropic): ${config.anthropicUpstreamUrl}`);
     logger.log(`[DAEMON] Liminal API: ${config.apiBaseUrl}`);
     logger.log(`[DAEMON] PID: ${process.pid}`);
+    logger.log(`[DAEMON] Max sessions: ${resolvedConfig.maxSessions}, Concurrency limit: ${resolvedConfig.concurrencyLimit}`);
+    const caReady = hasCA() && isCATrusted();
+    if (caReady) {
+      const httpServer = server.getHttpServer();
+      const ca = loadCA();
+      if (httpServer && ca) {
+        mitmHandler = createMitmBridge({
+          httpServer,
+          caCertPem: ca.certPem,
+          caKeyPem: ca.keyPem,
+          logger
+        });
+        logger.log("[MITM] TLS bridge active \u2014 intercepting LLM API calls");
+      }
+    }
+    logger.log(`[DAEMON] CONNECT handler: active | MITM: ${caReady ? "ready (CA trusted)" : "passthrough only (run liminal trust-ca)"}`);
     if (isForeground && !isForked) {
       printBanner();
       console.log(`  Liminal proxy running on http://127.0.0.1:${actualPort}/v1`);
       console.log(`  Upstream: ${config.upstreamBaseUrl}`);
+      console.log(`  Max sessions: ${resolvedConfig.maxSessions} | Concurrency: ${resolvedConfig.concurrencyLimit}`);
+      if (caReady) {
+        console.log("  MITM:     active (Cursor interception ready)");
+      }
       console.log();
       console.log("  Point your AI tool's base URL here. Press Ctrl+C to stop.");
       console.log();
     }
-    const healthy = await pipeline.healthCheck();
+    const { RSCPipelineWrapper: RSCPipelineWrapper2 } = await Promise.resolve().then(() => (init_pipeline(), pipeline_exports));
+    const probe = new RSCPipelineWrapper2({
+      rscApiKey: config.apiKey,
+      rscBaseUrl: config.apiBaseUrl,
+      compressionThreshold: config.compressionThreshold,
+      learnFromResponses: false
+    });
+    const healthy = await probe.healthCheck();
     if (healthy) {
       logger.log("[DAEMON] Liminal API health check: OK");
     } else {
@@ -2766,19 +3879,39 @@ async function statusCommand() {
     const data = await res.json();
     const uptime = formatUptime(data.uptime_ms);
     console.log(`Liminal Daemon: running (PID ${state.pid}, port ${port})`);
-    console.log(`Circuit:    ${data.circuit_state}`);
-    console.log(`Session:    ${data.session_id}`);
+    console.log(`Status:     ${data.status} (${data.version})`);
     console.log(`Uptime:     ${uptime}`);
-    if (data.session) {
-      const s = data.session;
-      const savingsPercent = s.tokens_processed > 0 ? (s.tokens_saved / s.tokens_processed * 100).toFixed(1) : "0.0";
+    console.log();
+    const c = data.concurrency;
+    console.log(`Sessions:   ${c.active_sessions} active (max ${config.maxSessions})`);
+    console.log(`Semaphore:  ${c.semaphore_available}/${c.max_concurrent_rsc_calls} available` + (c.semaphore_waiting > 0 ? ` (${c.semaphore_waiting} waiting)` : ""));
+    const globalP95 = data.latency.global_p95_ms;
+    if (globalP95 !== null) {
+      const latencyFlag = globalP95 >= config.latencyCriticalMs ? " CRITICAL" : globalP95 >= config.latencyWarningMs ? " WARNING" : "";
+      console.log(`Latency:    p95 ${globalP95.toFixed(0)}ms${latencyFlag}`);
+    }
+    if (data.sessions.length > 0) {
+      console.log();
+      console.log("\u2500\u2500\u2500 Sessions \u2500\u2500\u2500");
+      for (const s of data.sessions) {
+        const savingsPercent = s.tokens_processed > 0 ? (s.tokens_saved / s.tokens_processed * 100).toFixed(1) : "0.0";
+        const activeAgo = formatUptime(s.last_active_ago_ms);
+        const p95 = s.p95_latency_ms !== null ? `${s.p95_latency_ms.toFixed(0)}ms` : "-";
+        console.log();
+        console.log(`  ${s.connector} [${s.session_key}]`);
+        console.log(`    Circuit:  ${s.circuit_state}`);
+        console.log(`    Tokens:   ${s.tokens_processed.toLocaleString()} processed, ${s.tokens_saved.toLocaleString()} saved (${savingsPercent}%)`);
+        console.log(`    Calls:    ${s.calls_total} total (${s.calls_compressed} compressed, ${s.calls_failed} failed)`);
+        console.log(`    Latency:  p95 ${p95}`);
+        console.log(`    Active:   ${activeAgo} ago`);
+      }
+    } else {
       console.log();
-      console.log(`Tokens:     ${s.tokens_processed.toLocaleString()} processed, ${s.tokens_saved.toLocaleString()} saved (${savingsPercent}%)`);
-      console.log(`Calls:      ${s.calls_total} total (${s.calls_compressed} compressed, ${s.calls_skipped} skipped, ${s.calls_failed} failed)`);
+      console.log("No active sessions.");
     }
   } catch {
     console.log(`Liminal Daemon: running (PID ${state.pid}, port ${port})`);
-    console.log("Circuit:    unknown (could not reach /health)");
+    console.log("Status:     unknown (could not reach /health)");
   }
 }
 function formatUptime(ms) {
@@ -2930,17 +4063,17 @@ async function configCommand(flags) {
 }
 
 // src/commands/logs.ts
-import { readFileSync as readFileSync5, existsSync as existsSync7, statSync as statSync2, createReadStream } from "fs";
+import { readFileSync as readFileSync6, existsSync as existsSync9, statSync as statSync2, createReadStream } from "fs";
 import { watchFile, unwatchFile } from "fs";
 async function logsCommand(flags) {
   const follow = flags.has("follow") || flags.has("f");
   const linesFlag = flags.get("lines") ?? flags.get("n");
   const lines = typeof linesFlag === "string" ? parseInt(linesFlag, 10) : 50;
-  if (!existsSync7(LOG_FILE)) {
+  if (!existsSync9(LOG_FILE)) {
     console.log('No log file found. Start the daemon with "liminal start" to generate logs.');
     return;
   }
-  const content = readFileSync5(LOG_FILE, "utf-8");
+  const content = readFileSync6(LOG_FILE, "utf-8");
   const allLines = content.split("\n");
   const tail = allLines.slice(-lines - 1);
   process.stdout.write(tail.join("\n"));
@@ -2966,16 +4099,16 @@ async function logsCommand(flags) {
 }
 
 // src/commands/uninstall.ts
-import { existsSync as existsSync8, rmSync, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync10, rmSync, readFileSync as readFileSync7 } from "fs";
 var BOLD2 = "\x1B[1m";
 var DIM2 = "\x1B[2m";
 var GREEN2 = "\x1B[32m";
 var YELLOW2 = "\x1B[33m";
 var RESET2 = "\x1B[0m";
 function loadConfiguredTools() {
-  if (!existsSync8(CONFIG_FILE)) return [];
+  if (!existsSync10(CONFIG_FILE)) return [];
   try {
-    const raw = readFileSync6(CONFIG_FILE, "utf-8");
+    const raw = readFileSync7(CONFIG_FILE, "utf-8");
     const config = JSON.parse(raw);
     if (Array.isArray(config.tools)) return config.tools;
   } catch {
@@ -3063,7 +4196,7 @@ async function uninstallCommand() {
       }
     }
   }
-  if (existsSync8(LIMINAL_DIR)) {
+  if (existsSync10(LIMINAL_DIR)) {
     console.log();
     const removeData = await selectPrompt({
       message: "Remove ~/.liminal/ directory? (config, logs, PID file)",
@@ -3094,6 +4227,90 @@ async function uninstallCommand() {
   console.log();
 }
 
+// src/commands/trust-ca.ts
+async function trustCACommand() {
+  printBanner();
+  if (isCATrusted()) {
+    console.log("  Liminal CA is already trusted.");
+    const info = getCAInfo();
+    if (info) {
+      console.log(`  Fingerprint: ${info.fingerprint}`);
+      console.log(`  Valid until:  ${info.validTo.toLocaleDateString()}`);
+    }
+    return;
+  }
+  if (!hasCA()) {
+    console.log("  Generating CA certificate...");
+    ensureCA();
+    console.log("  Created ~/.liminal/ca.pem");
+    console.log();
+  }
+  console.log("  Installing Liminal CA certificate");
+  console.log();
+  console.log("  This allows Liminal to transparently compress LLM API");
+  console.log("  traffic from Cursor and other Electron-based editors.");
+  console.log();
+  console.log("  The certificate is scoped to your user account and only");
+  console.log("  used by the local Liminal proxy on 127.0.0.1.");
+  console.log();
+  console.log(`  Certificate: ${CA_CERT_PATH}`);
+  console.log();
+  const result = installCA();
+  if (result.success) {
+    console.log(`  ${result.message}`);
+    console.log();
+    const info = getCAInfo();
+    if (info) {
+      console.log(`  Fingerprint: ${info.fingerprint}`);
+      console.log(`  Valid until:  ${info.validTo.toLocaleDateString()}`);
+    }
+    console.log();
+    console.log("  You can now use Liminal with Cursor:");
+    console.log("    liminal start");
+    console.log("    cursor --proxy-server=http://127.0.0.1:3141 --disable-http2");
+  } else {
+    console.error(`  Failed: ${result.message}`);
+    if (result.requiresSudo) {
+      console.log();
+      console.log("  Try running with elevated permissions:");
+      console.log("    sudo liminal trust-ca");
+    }
+    process.exit(1);
+  }
+}
+
+// src/commands/untrust-ca.ts
+async function untrustCACommand() {
+  printBanner();
+  if (!hasCA() && !isCATrusted()) {
+    console.log("  No Liminal CA found (nothing to remove).");
+    return;
+  }
+  if (isCATrusted()) {
+    console.log("  Removing CA from system trust store...");
+    const result = removeCA2();
+    if (result.success) {
+      console.log(`  ${result.message}`);
+    } else {
+      console.error(`  ${result.message}`);
+      if (result.requiresSudo) {
+        console.log();
+        console.log("  Try running with elevated permissions:");
+        console.log("    sudo liminal untrust-ca");
+      }
+      process.exit(1);
+    }
+  }
+  if (hasCA()) {
+    console.log("  Removing CA certificate files...");
+    removeCA();
+    console.log("  Removed ~/.liminal/ca.pem and ca-key.pem");
+  }
+  console.log();
+  console.log("  Liminal CA fully removed.");
+  console.log("  Cursor MITM interception is no longer available.");
+}
+
 // src/bin.ts
 var USAGE = `
   liminal v${VERSION} \u2014 Transparent LLM context compression proxy
@@ -3108,6 +4325,8 @@ var USAGE = `
     liminal summary                       Detailed session metrics
     liminal config [--set k=v] [--get k]  View or edit configuration
     liminal logs [--follow] [--lines N]   View proxy logs
+    liminal trust-ca                      Install CA cert (for Cursor MITM)
+    liminal untrust-ca                    Remove CA cert
     liminal uninstall                     Remove Liminal configuration
 
   Options:
@@ -3120,7 +4339,7 @@ var USAGE = `
     3. Connect your AI tools:
        Claude Code:   export ANTHROPIC_BASE_URL=http://localhost:3141
        Codex:         export OPENAI_BASE_URL=http://localhost:3141/v1
-       Cursor:        Settings > Models > Base URL > http://localhost:3141/v1
+       Cursor:        liminal trust-ca && cursor --proxy-server=http://localhost:3141
 `;
 function parseArgs(argv) {
   const command = argv[2] ?? "";
@@ -3186,6 +4405,12 @@ async function main() {
       case "logs":
         await logsCommand(flags);
         break;
+      case "trust-ca":
+        await trustCACommand();
+        break;
+      case "untrust-ca":
+        await untrustCACommand();
+        break;
       case "uninstall":
         await uninstallCommand();
         break;