@cybedefend/vibedefend 1.1.1 → 1.2.0

package/dist/hook-runner.js

@@ -3654,10 +3654,10 @@ var require_re2 = __commonJS({
     } });
     var calledRun;
     dependenciesFulfilled = function runCaller() {
-      if (!calledRun) run();
+      if (!calledRun) run3();
       if (!calledRun) dependenciesFulfilled = runCaller;
     };
-    function run(args) {
+    function run3(args) {
       args = args || arguments_;
       if (runDependencies > 0) {
         return;
@@ -3690,7 +3690,7 @@ var require_re2 = __commonJS({
       }
       checkStackCookie();
     }
-    Module["run"] = run;
+    Module["run"] = run3;
     if (Module["preInit"]) {
       if (typeof Module["preInit"] == "function") Module["preInit"] = [Module["preInit"]];
       while (Module["preInit"].length > 0) {
@@ -3698,7 +3698,7 @@ var require_re2 = __commonJS({
       }
     }
     noExitRuntime = true;
-    run();
+    run3();
   }
 });
 
@@ -5135,6 +5135,323 @@ function composeSecurityBody(markdown, total, filePath) {
   ].join("\n");
 }
 
+// src/hooks/runtime/self-update-check.ts
+import { spawn } from "node:child_process";
+import { existsSync as existsSync6, readFileSync as readFileSync5, rmSync, writeFileSync as writeFileSync3 } from "node:fs";
+import { homedir as homedir3 } from "node:os";
+import { join as join4 } from "node:path";
+
+// src/utils.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "node:fs";
+import { dirname, join as join3 } from "node:path";
+
+// node_modules/.pnpm/kleur@4.1.5/node_modules/kleur/index.mjs
+var FORCE_COLOR;
+var NODE_DISABLE_COLORS;
+var NO_COLOR;
+var TERM;
+var isTTY = true;
+if (typeof process !== "undefined") {
+  ({ FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM } = process.env || {});
+  isTTY = process.stdout && process.stdout.isTTY;
+}
+var $ = {
+  enabled: !NODE_DISABLE_COLORS && NO_COLOR == null && TERM !== "dumb" && (FORCE_COLOR != null && FORCE_COLOR !== "0" || isTTY),
+  // modifiers
+  reset: init(0, 0),
+  bold: init(1, 22),
+  dim: init(2, 22),
+  italic: init(3, 23),
+  underline: init(4, 24),
+  inverse: init(7, 27),
+  hidden: init(8, 28),
+  strikethrough: init(9, 29),
+  // colors
+  black: init(30, 39),
+  red: init(31, 39),
+  green: init(32, 39),
+  yellow: init(33, 39),
+  blue: init(34, 39),
+  magenta: init(35, 39),
+  cyan: init(36, 39),
+  white: init(37, 39),
+  gray: init(90, 39),
+  grey: init(90, 39),
+  // background colors
+  bgBlack: init(40, 49),
+  bgRed: init(41, 49),
+  bgGreen: init(42, 49),
+  bgYellow: init(43, 49),
+  bgBlue: init(44, 49),
+  bgMagenta: init(45, 49),
+  bgCyan: init(46, 49),
+  bgWhite: init(47, 49)
+};
+function run(arr, str) {
+  let i = 0, tmp, beg = "", end = "";
+  for (; i < arr.length; i++) {
+    tmp = arr[i];
+    beg += tmp.open;
+    end += tmp.close;
+    if (!!~str.indexOf(tmp.close)) {
+      str = str.replace(tmp.rgx, tmp.close + tmp.open);
+    }
+  }
+  return beg + str + end;
+}
+function chain(has, keys) {
+  let ctx = { has, keys };
+  ctx.reset = $.reset.bind(ctx);
+  ctx.bold = $.bold.bind(ctx);
+  ctx.dim = $.dim.bind(ctx);
+  ctx.italic = $.italic.bind(ctx);
+  ctx.underline = $.underline.bind(ctx);
+  ctx.inverse = $.inverse.bind(ctx);
+  ctx.hidden = $.hidden.bind(ctx);
+  ctx.strikethrough = $.strikethrough.bind(ctx);
+  ctx.black = $.black.bind(ctx);
+  ctx.red = $.red.bind(ctx);
+  ctx.green = $.green.bind(ctx);
+  ctx.yellow = $.yellow.bind(ctx);
+  ctx.blue = $.blue.bind(ctx);
+  ctx.magenta = $.magenta.bind(ctx);
+  ctx.cyan = $.cyan.bind(ctx);
+  ctx.white = $.white.bind(ctx);
+  ctx.gray = $.gray.bind(ctx);
+  ctx.grey = $.grey.bind(ctx);
+  ctx.bgBlack = $.bgBlack.bind(ctx);
+  ctx.bgRed = $.bgRed.bind(ctx);
+  ctx.bgGreen = $.bgGreen.bind(ctx);
+  ctx.bgYellow = $.bgYellow.bind(ctx);
+  ctx.bgBlue = $.bgBlue.bind(ctx);
+  ctx.bgMagenta = $.bgMagenta.bind(ctx);
+  ctx.bgCyan = $.bgCyan.bind(ctx);
+  ctx.bgWhite = $.bgWhite.bind(ctx);
+  return ctx;
+}
+function init(open, close) {
+  let blk = {
+    open: `\x1B[${open}m`,
+    close: `\x1B[${close}m`,
+    rgx: new RegExp(`\\x1b\\[${close}m`, "g")
+  };
+  return function(txt) {
+    if (this !== void 0 && this.has !== void 0) {
+      !!~this.has.indexOf(open) || (this.has.push(open), this.keys.push(blk));
+      return txt === void 0 ? this : $.enabled ? run(this.keys, txt + "") : txt + "";
+    }
+    return txt === void 0 ? chain([open], [blk]) : $.enabled ? run([blk], txt + "") : txt + "";
+  };
+}
+
+// src/utils.ts
+function ensureDirFor(filePath) {
+  const dir = dirname(filePath);
+  if (!existsSync4(dir)) mkdirSync2(dir, { recursive: true });
+}
+
+// src/hooks/runtime/semver.ts
+function parseVersion(input) {
+  const cleaned = input.trim().replace(/^v/i, "");
+  const core = cleaned.split("-")[0].split("+")[0];
+  const parts = core.split(".");
+  const seg = (i) => {
+    const v = Number.parseInt(parts[i] ?? "0", 10);
+    return Number.isFinite(v) && v >= 0 ? v : 0;
+  };
+  return [seg(0), seg(1), seg(2)];
+}
+function compareVersions(a, b) {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  for (let i = 0; i < 3; i++) {
+    if (pa[i] < pb[i]) return -1;
+    if (pa[i] > pb[i]) return 1;
+  }
+  return 0;
+}
+function isNewer(latest, current) {
+  return compareVersions(latest, current) > 0;
+}
+
+// src/self-update.ts
+import { fileURLToPath } from "node:url";
+import { existsSync as existsSync5 } from "node:fs";
+var GLOBAL_MODES = /* @__PURE__ */ new Set([
+  "npm-global",
+  "pnpm-global",
+  "yarn-global"
+]);
+function detectInstallMode(scriptPath) {
+  if (/[\\/]_npx[\\/]/i.test(scriptPath)) return "npx-cache";
+  if (/[\\/]pnpm(?:[\\/]global|[\\/]nodejs|[\\/]node_modules)/i.test(scriptPath)) {
+    return "pnpm-global";
+  }
+  if (/[\\/]\.pnpm-global[\\/]/i.test(scriptPath)) return "pnpm-global";
+  if (/[\\/]yarn[\\/](?:[^\\/]+[\\/])?global[\\/]/i.test(scriptPath)) {
+    return "yarn-global";
+  }
+  if (/[\\/]lib[\\/]node_modules[\\/]/i.test(scriptPath)) return "npm-global";
+  if (/[\\/](?:npm|nodejs)[\\/]node_modules[\\/]/i.test(scriptPath)) {
+    return "npm-global";
+  }
+  if (/[\\/]nvm[\\/][^\\/]+[\\/]node_modules[\\/]/i.test(scriptPath)) {
+    return "npm-global";
+  }
+  if (/[\\/]node_modules[\\/]/i.test(scriptPath)) return "project-local";
+  return "unknown";
+}
+function resolveScriptPath() {
+  const fromArgv = process.argv[1];
+  if (fromArgv && existsSync5(fromArgv)) return fromArgv;
+  return fileURLToPath(import.meta.url);
+}
+
+// src/hooks/runtime/self-update-check.ts
+var PACKAGE_NAME = "@cybedefend/vibedefend";
+var REGISTRY_URL = `https://registry.npmjs.org/${PACKAGE_NAME}/latest`;
+var THROTTLE_MS = 24 * 60 * 60 * 1e3;
+var FETCH_TIMEOUT_MS = 3e3;
+async function selfUpdateCheck(deps) {
+  const now = deps.now ?? (() => Date.now());
+  const dir = deps.cybeDir ?? join4(process.env.CYBEDEFEND_HOME ?? homedir3(), ".cybedefend");
+  const throttlePath = join4(dir, "update-check.json");
+  const logPath = join4(dir, "last-update.log");
+  const installMode = deps.installMode ?? (deps.runnerSource ? detectInstallMode(deps.runnerSource) : detectInstallMode(resolveScriptPath()));
+  const priorFailure = takeUpdateLogNotice(logPath);
+  const throttle = readThrottle(throttlePath);
+  if (throttle && now() - throttle.lastCheckedAt < THROTTLE_MS) {
+    return priorFailure;
+  }
+  const fetchLatest = deps.fetchLatest ?? defaultFetchLatest;
+  const latest = await fetchLatest();
+  writeThrottle(throttlePath, { lastCheckedAt: now() });
+  if (!latest || !isNewer(latest, deps.installedVersion)) {
+    return priorFailure;
+  }
+  const updateNotice = applyOrNotify(deps, installMode, latest, logPath);
+  return [priorFailure, updateNotice].filter(Boolean).join("\n") || null;
+}
+function applyOrNotify(deps, installMode, latest, logPath) {
+  const from = deps.installedVersion;
+  if (!deps.autoUpdate || !GLOBAL_MODES.has(installMode)) {
+    return `\u{1F6E1}\uFE0F vibedefend ${from} \u2192 ${latest} available \u2014 run \`vibedefend update --self\` to upgrade.`;
+  }
+  const spawnUpdate = deps.spawnUpdate ?? defaultSpawnUpdate;
+  spawnUpdate({
+    mode: installMode,
+    spec: `${PACKAGE_NAME}@${latest}`,
+    logPath,
+    from,
+    to: latest
+  });
+  return `\u{1F6E1}\uFE0F vibedefend: updating in background ${from} \u2192 ${latest} (active next session).`;
+}
+function readThrottle(path) {
+  try {
+    if (!existsSync6(path)) return null;
+    const data = JSON.parse(readFileSync5(path, "utf8"));
+    if (typeof data.lastCheckedAt !== "number") return null;
+    return { lastCheckedAt: data.lastCheckedAt };
+  } catch {
+    return null;
+  }
+}
+function writeThrottle(path, throttle) {
+  try {
+    ensureDirFor(path);
+    writeFileSync3(path, JSON.stringify(throttle) + "\n");
+  } catch {
+  }
+}
+function takeUpdateLogNotice(logPath) {
+  try {
+    if (!existsSync6(logPath)) return null;
+    let parsed = {};
+    try {
+      parsed = JSON.parse(readFileSync5(logPath, "utf8"));
+    } catch {
+      parsed = {};
+    }
+    rmSync(logPath, { force: true });
+    if (typeof parsed.exitCode === "number" && parsed.exitCode !== 0) {
+      return `\u26A0 vibedefend: last auto-update to ${parsed.to ?? "latest"} failed (exit ${parsed.exitCode}) \u2014 run \`vibedefend update --self\`.`;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function defaultFetchLatest() {
+  try {
+    const res = await fetch(REGISTRY_URL, {
+      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    return typeof body.version === "string" ? body.version : null;
+  } catch {
+    return null;
+  }
+}
+function buildUpdateWrapperScript(args) {
+  return `
+const { spawnSync } = require('node:child_process');
+const { writeFileSync } = require('node:fs');
+const r = spawnSync(${JSON.stringify(args.pm)}, ${JSON.stringify(args.pmArgs)}, {
+  stdio: 'ignore',
+  shell: process.platform === 'win32',
+});
+try {
+  writeFileSync(${JSON.stringify(args.logPath)}, JSON.stringify({
+    from: ${JSON.stringify(args.from)},
+    to: ${JSON.stringify(args.to)},
+    exitCode: r.status == null ? 1 : r.status,
+    finishedAt: Date.now(),
+  }) + "\\n");
+} catch {}
+`;
+}
+function defaultSpawnUpdate(args) {
+  const { pm, pmArgs } = pmCommand(args.mode, args.spec);
+  const script = buildUpdateWrapperScript({
+    pm,
+    pmArgs,
+    logPath: args.logPath,
+    from: args.from,
+    to: args.to
+  });
+  try {
+    const child = spawn(process.execPath, ["-e", script], {
+      detached: true,
+      stdio: "ignore",
+      windowsHide: true
+    });
+    child.unref();
+  } catch {
+  }
+}
+function pmCommand(mode, spec) {
+  switch (mode) {
+    case "pnpm-global":
+      return { pm: "pnpm", pmArgs: ["add", "-g", spec] };
+    case "yarn-global":
+      return { pm: "yarn", pmArgs: ["global", "add", spec] };
+    default:
+      return { pm: "npm", pmArgs: ["install", "-g", spec] };
+  }
+}
+
+// src/version.ts
+import { readFileSync as readFileSync6 } from "node:fs";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import { dirname as dirname2, join as join5 } from "node:path";
+var here = dirname2(fileURLToPath2(import.meta.url));
+var pkgPath = join5(here, "..", "package.json");
+var pkg = JSON.parse(
+  readFileSync6(pkgPath, "utf8")
+);
+
 // src/hooks/runtime/session-start.ts
 async function sessionStartHook(deps = {}) {
   const readStdin = deps.readStdin ?? readStdinJson;
@@ -5142,6 +5459,7 @@ async function sessionStartHook(deps = {}) {
   const resolveProject = deps.resolveProject ?? resolveProjectId;
   const resolveTok = deps.resolveTokenFn ?? resolveToken;
   const fetchProposals = deps.fetchProposalsFn ?? fetchProposalsCount;
+  const selfUpdateCheckFn = deps.selfUpdateCheckFn ?? selfUpdateCheck;
   const emitFn = deps.emitFn ?? emitContext;
   const stdin = await readStdin();
   const event = sniff(stdin);
@@ -5213,11 +5531,27 @@ async function sessionStartHook(deps = {}) {
       "  and respect a deny verdict."
     );
   }
+  try {
+    const notice = await selfUpdateCheckFn({
+      // The version actually loaded right now — NOT config.installedVersion,
+      // which is the install-time stamp and goes stale after a background
+      // update (causing perpetual re-spawn / re-notify). pkg.version tracks
+      // the running bundle, so a completed update self-resolves to a no-op.
+      installedVersion: pkg.version,
+      autoUpdate: config.hooks.autoUpdate,
+      // Stable global package path so the check derives the REAL install mode
+      // (the runtime script path is the shim → 'unknown'). Undefined on
+      // non-global installs (which fall back to notify-only).
+      runnerSource: config.runnerSource
+    });
+    if (notice) lines.push("", notice);
+  } catch {
+  }
   emitFn(lines.join("\n") + "\n", event.client);
 }
 
 // src/hooks/runtime/session-review.ts
-import { existsSync as existsSync4, readFileSync as readFileSync4 } from "node:fs";
+import { existsSync as existsSync7, readFileSync as readFileSync7 } from "node:fs";
 var COUNTED_TOOLS = /* @__PURE__ */ new Set([
   "Edit",
   "Write",
@@ -5278,42 +5612,87 @@ function loadTranscript(stdin, readFile) {
   return out;
 }
 function defaultReadTranscript(path) {
-  if (!existsSync4(path)) return null;
+  if (!existsSync7(path)) return null;
   try {
-    return readFileSync4(path, "utf8");
+    return readFileSync7(path, "utf8");
   } catch {
     return null;
   }
 }
+function toolNameOf(obj) {
+  return typeof obj.name === "string" && obj.name || typeof obj.tool_name === "string" && obj.tool_name || typeof obj.toolName === "string" && obj.toolName || "";
+}
+function countToolUsesDeep(node, depth) {
+  if (depth > 8 || node === null || typeof node !== "object") return 0;
+  if (Array.isArray(node)) {
+    let n2 = 0;
+    for (const item of node) n2 += countToolUsesDeep(item, depth + 1);
+    return n2;
+  }
+  const obj = node;
+  if (COUNTED_TOOLS.has(toolNameOf(obj))) return 1;
+  let n = 0;
+  for (const value of Object.values(obj)) {
+    if (value && typeof value === "object") {
+      n += countToolUsesDeep(value, depth + 1);
+    }
+  }
+  return n;
+}
 function countEdits(transcript) {
   let n = 0;
   for (const event of transcript) {
-    if (!event || typeof event !== "object") continue;
-    const rec = event;
-    const candidates = [];
-    for (const key of ["tool_uses", "toolCalls", "tools", "message"]) {
-      const v = rec[key];
-      if (Array.isArray(v)) candidates.push(...v);
-      else if (v && typeof v === "object") candidates.push(v);
-    }
-    candidates.push(rec);
-    for (const c of candidates) {
-      if (!c || typeof c !== "object") continue;
-      const obj = c;
-      const name = typeof obj.name === "string" && obj.name || typeof obj.tool_name === "string" && obj.tool_name || typeof obj.toolName === "string" && obj.toolName || "";
-      if (COUNTED_TOOLS.has(name)) n += 1;
-    }
+    n += countToolUsesDeep(event, 0);
   }
   return n;
 }
+var COMMAND_WRAPPER_PREFIXES = [
+  "<local-command-",
+  "<command-name>",
+  "<command-message>",
+  "<command-args>",
+  "<command-stdout>",
+  "<bash-input>",
+  "<bash-stdout>",
+  "<bash-stderr>"
+];
+function isCommandWrapper(text) {
+  const t = text.trimStart();
+  return COMMAND_WRAPPER_PREFIXES.some((p) => t.startsWith(p));
+}
+function userText(rec) {
+  if (typeof rec.content === "string" && rec.content) return rec.content;
+  if (typeof rec.text === "string" && rec.text) return rec.text;
+  if (typeof rec.message === "string" && rec.message) return rec.message;
+  const msg = rec.message;
+  if (msg && typeof msg === "object") {
+    const content = msg.content;
+    if (typeof content === "string" && content) return content;
+    if (Array.isArray(content)) {
+      const parts = [];
+      for (const block of content) {
+        if (!block || typeof block !== "object") continue;
+        const b = block;
+        if (typeof b.text === "string" && (b.type === "text" || b.type === void 0)) {
+          parts.push(b.text);
+        }
+      }
+      const joined = parts.join("\n").trim();
+      if (joined) return joined;
+    }
+  }
+  return "";
+}
 function extractFirstUserPrompt(transcript) {
   for (const event of transcript) {
     if (!event || typeof event !== "object") continue;
     const rec = event;
+    if (rec.isSidechain === true || rec.isMeta === true) continue;
     const isUser = rec.role === "user" || rec.type === "user" || rec.from === "user";
     if (!isUser) continue;
-    const text = typeof rec.content === "string" && rec.content || typeof rec.text === "string" && rec.text || typeof rec.message === "string" && rec.message || "";
-    if (text) return text.slice(0, 600);
+    const text = userText(rec);
+    if (!text || isCommandWrapper(text)) continue;
+    return text.slice(0, 600);
   }
   return "";
 }
@@ -5323,8 +5702,8 @@ function composeReviewBody(editCount, client, userPrompt, autoPropose) {
     "   **Auto-propose mode is ON** (configured at install). Without asking the user,",
     "   call `cybe_rules_report_missing(projectId, { rule_text, evidence_files,",
     '   rationale: "<quote user prompt>", confirmed_by_user: true })` for each',
-    "   uncovered concern. The user will validate them at the next session start",
-    "   via the Accept/Reject picker."
+    "   selected concern (1\u20132 max). The user will validate them at the next",
+    "   session start via the Accept/Reject picker."
   ].join("\n") : [
     "   Ask the user via AskUserQuestion:",
     '   > "Your prompt mentioned <concern>, but no business rule covers it.',
@@ -5345,9 +5724,13 @@ function composeReviewBody(editCount, client, userPrompt, autoPropose) {
     "### Required next-turn action",
     "1. Extract security/business concerns the prompt mentions.",
     "2. List CybeDefend rules returned during the session.",
-    "3. For each concern WITHOUT a matching rule:",
+    "3. Identify concerns WITHOUT a matching rule, then select **AT MOST the",
+    "   1\u20132 most important** (prefer security-critical / data-handling). Ignore",
+    "   the rest \u2014 over-proposing causes proposal fatigue and users end up",
+    "   rejecting everything. Propose nothing if no gap is worth a standing rule.",
+    "4. For each selected concern (1\u20132 max):",
     proposalLine,
-    "4. If every concern is covered, say so:",
+    "5. If every concern is covered (or none warrants a rule), say so:",
     '   "\u{1F6E1}\uFE0F CybeDefend gap analysis: every concern in your request was covered',
     '    by an existing rule. No new proposals."',
     ""
@@ -5387,19 +5770,19 @@ async function preCompactHook(deps = {}) {
 }
 
 // src/hooks/runtime/user-prompt-submit.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "node:fs";
-import { homedir as homedir3 } from "node:os";
-import { join as join3 } from "node:path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync8, writeFileSync as writeFileSync4 } from "node:fs";
+import { homedir as homedir4 } from "node:os";
+import { join as join6 } from "node:path";
 var SESSIONS_CAP = 100;
 function defaultSessionsFile() {
-  const dir = process.env.CYBEDEFEND_BASELINE_DIR ?? join3(homedir3(), ".cybedefend");
-  return join3(dir, "user-prompt-seen-sessions.json");
+  const dir = process.env.CYBEDEFEND_BASELINE_DIR ?? join6(homedir4(), ".cybedefend");
+  return join6(dir, "user-prompt-seen-sessions.json");
 }
 function defaultSessionTracker(file = defaultSessionsFile()) {
   function load() {
-    if (!existsSync5(file)) return [];
+    if (!existsSync8(file)) return [];
     try {
-      const raw = readFileSync5(file, "utf8");
+      const raw = readFileSync8(file, "utf8");
       const data = JSON.parse(raw);
       if (!Array.isArray(data.sessions)) return [];
       return data.sessions.filter((s) => typeof s === "string");
@@ -5416,8 +5799,8 @@ function defaultSessionTracker(file = defaultSessionsFile()) {
       if (existing.includes(sessionId)) return;
       const next = [...existing, sessionId].slice(-SESSIONS_CAP);
       try {
-        mkdirSync2(join3(file, ".."), { recursive: true });
-        writeFileSync2(file, JSON.stringify({ sessions: next }), "utf8");
+        mkdirSync3(join6(file, ".."), { recursive: true });
+        writeFileSync4(file, JSON.stringify({ sessions: next }), "utf8");
       } catch {
       }
     }
@@ -6037,12 +6420,12 @@ function hashTarget(text) {
 }
 
 // src/hooks/runtime/guard-rules-cache.ts
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync3, existsSync as existsSync6, mkdirSync as mkdirSync3 } from "node:fs";
-import { dirname } from "node:path";
-import { homedir as homedir4 } from "node:os";
-import { join as join4 } from "node:path";
-var DEFAULT_CACHE_FILE = join4(
-  homedir4(),
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync5, existsSync as existsSync9, mkdirSync as mkdirSync4 } from "node:fs";
+import { dirname as dirname3 } from "node:path";
+import { homedir as homedir5 } from "node:os";
+import { join as join7 } from "node:path";
+var DEFAULT_CACHE_FILE = join7(
+  homedir5(),
   ".cybedefend",
   "guards-cache.json"
 );
@@ -6139,9 +6522,9 @@ function makeGuardRulesCache(opts) {
     }
   }
   function readCache(projectId) {
-    if (!existsSync6(cacheFile)) return null;
+    if (!existsSync9(cacheFile)) return null;
     try {
-      const raw = readFileSync6(cacheFile, "utf8");
+      const raw = readFileSync9(cacheFile, "utf8");
       const data = JSON.parse(raw);
       if (data.projectId !== projectId) return null;
       return data;
@@ -6151,17 +6534,17 @@ function makeGuardRulesCache(opts) {
   }
   function writeCache(entry) {
     try {
-      ensureDirFor(cacheFile);
-      writeFileSync3(cacheFile, JSON.stringify(entry), "utf8");
+      ensureDirFor2(cacheFile);
+      writeFileSync5(cacheFile, JSON.stringify(entry), "utf8");
     } catch {
     }
   }
   return { refreshIfStale };
 }
-function ensureDirFor(filePath) {
-  const dir = dirname(filePath);
-  if (!existsSync6(dir)) {
-    mkdirSync3(dir, { recursive: true });
+function ensureDirFor2(filePath) {
+  const dir = dirname3(filePath);
+  if (!existsSync9(dir)) {
+    mkdirSync4(dir, { recursive: true });
   }
 }
 var DEFAULT_TIMEOUT_MS2 = 8e3;
@@ -6196,16 +6579,16 @@ async function fetchEffectiveRulesFromGateway(ctx, opts = {}) {
 // src/hooks/runtime/guard-violations-buffer.ts
 import {
   appendFileSync,
-  existsSync as existsSync7,
-  readFileSync as readFileSync7,
-  writeFileSync as writeFileSync4,
-  mkdirSync as mkdirSync4
+  existsSync as existsSync10,
+  readFileSync as readFileSync10,
+  writeFileSync as writeFileSync6,
+  mkdirSync as mkdirSync5
 } from "node:fs";
-import { dirname as dirname2 } from "node:path";
-import { homedir as homedir5 } from "node:os";
-import { join as join5 } from "node:path";
-var DEFAULT_BUFFER_FILE = join5(
-  homedir5(),
+import { dirname as dirname4 } from "node:path";
+import { homedir as homedir6 } from "node:os";
+import { join as join8 } from "node:path";
+var DEFAULT_BUFFER_FILE = join8(
+  homedir6(),
   ".cybedefend",
   "guards-violations-buffer.jsonl"
 );
@@ -6218,16 +6601,16 @@ function makeViolationsBuffer(opts = {}) {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     };
     try {
-      ensureDirFor2(bufferFile);
+      ensureDirFor3(bufferFile);
       appendFileSync(bufferFile, JSON.stringify(record) + "\n", "utf8");
     } catch {
     }
   }
   async function flushViolations2(ctx, postFn) {
-    if (!existsSync7(bufferFile)) return;
+    if (!existsSync10(bufferFile)) return;
     let content;
     try {
-      content = readFileSync7(bufferFile, "utf8").trim();
+      content = readFileSync10(bufferFile, "utf8").trim();
     } catch {
       return;
     }
@@ -6237,30 +6620,59 @@ function makeViolationsBuffer(opts = {}) {
       const trimmed = line.trim();
       if (!trimmed) continue;
       try {
-        records.push(JSON.parse(trimmed));
+        const parsed = JSON.parse(trimmed);
+        if (typeof parsed.projectId === "string" && parsed.projectId) {
+          records.push(parsed);
+        }
       } catch {
       }
     }
-    if (records.length === 0) return;
-    const BATCH_SIZE = 100;
-    try {
-      for (let i = 0; i < records.length; i += BATCH_SIZE) {
-        const batch = records.slice(i, i + BATCH_SIZE);
-        await postFn(ctx, batch);
-      }
+    if (records.length === 0) {
       try {
-        writeFileSync4(bufferFile, "", "utf8");
+        writeFileSync6(bufferFile, "", "utf8");
       } catch {
       }
+      return;
+    }
+    const groups = /* @__PURE__ */ new Map();
+    for (const r of records) {
+      const arr = groups.get(r.projectId);
+      if (arr) arr.push(r);
+      else groups.set(r.projectId, [r]);
+    }
+    const BATCH_SIZE = 100;
+    const failed = [];
+    for (const [projectId, group] of groups) {
+      let groupFailed = false;
+      for (let i = 0; i < group.length; i += BATCH_SIZE) {
+        const batch = group.slice(i, i + BATCH_SIZE);
+        try {
+          await postFn(ctx, projectId, batch);
+        } catch {
+          groupFailed = true;
+          break;
+        }
+      }
+      if (groupFailed) {
+        failed.push(...group);
+      }
+    }
+    try {
+      if (failed.length === 0) {
+        writeFileSync6(bufferFile, "", "utf8");
+      } else {
+        const serialised = failed.map((r) => JSON.stringify(r)).join("\n") + "\n";
+        writeFileSync6(bufferFile, serialised, "utf8");
+      }
     } catch {
     }
   }
   return { bufferViolation: bufferViolation2, flushViolations: flushViolations2 };
 }
-function ensureDirFor2(filePath) {
-  const dir = dirname2(filePath);
-  if (!existsSync7(dir)) {
-    mkdirSync4(dir, { recursive: true });
+function ensureDirFor3(filePath) {
+  const dir = dirname4(filePath);
+  if (!existsSync10(dir)) {
+    mkdirSync5(dir, { recursive: true });
   }
 }
 var _defaultBuffer = makeViolationsBuffer();
@@ -6286,11 +6698,11 @@ function appendDebugLog(entry) {
   try {
     const homeDir = process.env.HOME ?? process.env.USERPROFILE ?? "";
     if (!homeDir) return;
-    const { mkdirSync: mkdirSync5, appendFileSync: appendFileSync2 } = __require("node:fs");
-    const { join: join6 } = __require("node:path");
-    const dir = join6(homeDir, ".cybedefend");
-    mkdirSync5(dir, { recursive: true });
-    appendFileSync2(join6(dir, "hook-debug.log"), entry + "\n", "utf8");
+    const { mkdirSync: mkdirSync6, appendFileSync: appendFileSync2 } = __require("node:fs");
+    const { join: join9 } = __require("node:path");
+    const dir = join9(homeDir, ".cybedefend");
+    mkdirSync6(dir, { recursive: true });
+    appendFileSync2(join9(dir, "hook-debug.log"), entry + "\n", "utf8");
   } catch {
   }
 }
@@ -6598,36 +7010,60 @@ async function runPreToolUseGuard() {
       apiBaseResolved
     });
     const buffer = makeViolationsBuffer();
-    process.once("beforeExit", () => {
-      buffer.flushViolations(
-        { projectId, token, apiBaseResolved },
-        async (ctx, batch) => {
-          const f = globalThis.fetch;
-          const url = `${ctx.apiBaseResolved}/project/${encodeURIComponent(ctx.projectId)}/action-guards/violations`;
-          await f(url, {
-            method: "POST",
-            headers: {
-              Authorization: `Bearer ${ctx.token}`,
-              "Content-Type": "application/json"
-            },
-            body: JSON.stringify({ violations: batch }),
-            signal: AbortSignal.timeout(5e3)
-          });
-        }
-      ).catch(() => {
-      });
-    });
-    return await runPreToolUseGuardWith({
+    const exitCode = await runPreToolUseGuardWith({
       stdinEnvelope: envelope,
       projectContext,
       rulesOutcome,
       evaluateFn: evaluate,
       bufferViolationFn: buffer.bufferViolation.bind(buffer)
     });
+    try {
+      await buffer.flushViolations(
+        { token, apiBaseResolved },
+        makeGuardViolationsPostFn()
+      );
+    } catch {
+    }
+    return exitCode;
   } catch {
     return 0;
   }
 }
+function makeGuardViolationsPostFn() {
+  return async (ctx, projectId, batch) => {
+    const url = `${ctx.apiBaseResolved}/project/${encodeURIComponent(projectId)}/action-guards/violations`;
+    const resp = await globalThis.fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${ctx.token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ violations: batch.map(toApiViolation) }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    if (!resp.ok) {
+      throw new Error(
+        `POST /action-guards/violations rejected by gateway: ${resp.status}`
+      );
+    }
+  };
+}
+function toApiViolation(r) {
+  const out = {
+    rule_id: r.ruleId,
+    agent: r.agent,
+    tool: r.tool,
+    outcome: r.outcome,
+    // Backend enforces max_length=256 on target_summary — clamp here so a
+    // verbose redactor output never costs us the whole batch.
+    target_summary: (r.targetSummary ?? "").slice(0, 256),
+    target_hash: r.targetHash
+  };
+  if (r.sessionId) {
+    out.session_id = r.sessionId;
+  }
+  return out;
+}
 
 // src/hooks/runtime/index.ts
 async function main() {