@cybedefend/vibedefend 1.1.1 → 1.2.0

package/dist/hooks/install.js

@@ -17,6 +17,7 @@
 import { copyFileSync, existsSync, rmSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { detectInstallMode, resolveScriptPath, GLOBAL_MODES, } from '../self-update.js';
 import { ensureDirFor, home, log, writeJson } from '../utils.js';
 /** Top-level directory we own. */
 export const VIBEDEFEND_DIR = home('.cybedefend');
@@ -48,6 +49,23 @@ function locateBundledRunner() {
     }
     return null;
 }
+/**
+ * Resolve the bundled `shim.js` shipped alongside `hook-runner.js`.
+ * Same search strategy as `locateBundledRunner`. Returns null if absent.
+ */
+function locateBundledShim() {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+        join(here, 'shim.js'),
+        join(here, '..', 'dist', 'shim.js'),
+        join(here, '..', '..', 'dist', 'shim.js'),
+    ];
+    for (const c of candidates) {
+        if (existsSync(c))
+            return c;
+    }
+    return null;
+}
 /**
  * Drop any legacy `~/.cybedefend/hooks/` directory (V1 bash scripts).
  * Idempotent — silent no-op if the directory doesn't exist.
@@ -68,21 +86,36 @@ function removeLegacyHooks() {
  *
  * Steps:
  *   1. Sweep legacy `~/.cybedefend/hooks/` if present.
- *   2. Copy `dist/hook-runner.js` → `~/.cybedefend/hook-runner.js`.
+ *   2. For global installs: copy `dist/shim.js` → `~/.cybedefend/hook-runner.js`
+ *      and stamp `runnerSource` in the config so updates are live immediately.
+ *      For non-global installs: copy the full runner (legacy behaviour) and
+ *      force `autoUpdate: false`.
  *   3. Write `~/.cybedefend/runtime-config.json` with the user's
  *      region + hook settings.
  *
  * Returns the destination paths so the caller can `log.hint(...)` them.
  */
-export function installHookRuntime(opts) {
+export function installHookRuntime(opts, deps = {}) {
     removeLegacyHooks();
-    const source = locateBundledRunner();
-    if (source === null) {
+    const installMode = deps.installMode ?? detectInstallMode(resolveScriptPath());
+    const locateRunner = deps.locateRunner ?? locateBundledRunner;
+    const locateShim = deps.locateShim ?? locateBundledShim;
+    const runnerSource = locateRunner();
+    if (runnerSource === null) {
         throw new Error('Could not locate the bundled hook-runner.js. Did `pnpm run build` finish? ' +
             'Expected to find it under <package>/dist/.');
     }
-    ensureDirFor(HOOK_RUNNER_PATH);
-    copyFileSync(source, HOOK_RUNNER_PATH);
+    const dir = deps.cybeDir ?? VIBEDEFEND_DIR;
+    const hookRunnerDest = join(dir, 'hook-runner.js');
+    const configDest = join(dir, 'runtime-config.json');
+    // Global installs get the stable shim + a stamped runnerSource so a later
+    // `npm i -g` is immediately live with no recopy. Non-global installs have
+    // no stable package path, so we keep the legacy full-copy behaviour and
+    // disable background auto-update.
+    const shimPath = locateShim();
+    const useShim = GLOBAL_MODES.has(installMode) && shimPath !== null;
+    ensureDirFor(hookRunnerDest);
+    copyFileSync(useShim ? shimPath : runnerSource, hookRunnerDest);
     const runtimeConfig = {
         region: {
             id: opts.region.id,
@@ -95,11 +128,23 @@ export function installHookRuntime(opts) {
             enableSessionReview: opts.hooks.enableSessionReview,
             reviewThreshold: opts.hooks.reviewThreshold,
             autoProposeMode: opts.hooks.autoProposeMode,
+            autoUpdate: useShim ? opts.hooks.autoUpdate : false,
         },
         installedVersion: opts.installedVersion,
+        ...(useShim ? { runnerSource } : {}),
     };
-    writeJson(RUNTIME_CONFIG_PATH, runtimeConfig);
-    return { runnerPath: HOOK_RUNNER_PATH, configPath: RUNTIME_CONFIG_PATH };
+    writeJson(configDest, runtimeConfig);
+    return { runnerPath: hookRunnerDest, configPath: configDest };
+}
+/**
+ * Quote a path for embedding in a hook `command` string, but ONLY when it
+ * contains whitespace. Both POSIX `sh` and Windows `cmd.exe` (which run the
+ * hook command) accept a double-quoted path, so a home directory with a
+ * space (e.g. `C:\\Users\\First Last\\...`) no longer splits mid-argument.
+ * Space-free paths are left untouched so the common command is unchanged.
+ */
+export function quoteCommandPath(p) {
+    return /\s/.test(p) ? `"${p}"` : p;
 }
 /**
  * Compose the `command` field for a settings.json hook entry, targeting
@@ -107,7 +152,7 @@ export function installHookRuntime(opts) {
  * touching the filesystem.
  */
 export function hookCommand(subcommand) {
-    return `node ${HOOK_RUNNER_PATH} ${subcommand}`;
+    return `node ${quoteCommandPath(HOOK_RUNNER_PATH)} ${subcommand}`;
 }
 /**
  * Marker used by every adapter's `dropOurs` to identify legacy AND new

package/dist/hooks/install.js.map

@@ -1 +1 @@
-{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/hooks/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAIzC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGjE,kCAAkC;AAClC,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;AAElD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;AAEtE,iEAAiE;AACjE,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CACrC,aAAa,EACb,qBAAqB,CACtB,CAAC;AAEF,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AAEtD;;;;;;;GAOG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iEAAiE;IACjE,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;KACjD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB;IACxB,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,IAAI,CAAC,kCAAkC,gBAAgB,EAAE,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,kCAAkC;QACpC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAIlC;IACC,iBAAiB,EAAE,CAAC;IAEpB,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,4CAA4C,CAC/C,CAAC;IACJ,CAAC;IAED,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAC/B,YAAY,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAEvC,MAAM,aAAa,GAAkB;QACnC,MAAM,EAAE;YACN,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;YAClB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B;QACD,KAAK,EAAE;YACL,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,mBAAmB;YACnD,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;YAC3C,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;SAC5C;QACD,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;KACxC,CAAC;IACF,SAAS,CAAC,mBAAmB,EAAE,aAAa,CAAC,CAAC;IAE9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,UAAU,EAAE,mBAAmB,EAAE,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,UAMiB;IAEjB,OAAO,QAAQ,gBAAgB,IAAI,UAAU,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,cAAc,CAAC;AAErD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,yBAAyB;CAC1B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,4BAA4B,CAAC,OAAe;IAC1D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,mBAAmB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/hooks/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAIzC,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GAEb,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGjE,kCAAkC;AAClC,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;AAElD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;AAEtE,iEAAiE;AACjE,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CACrC,aAAa,EACb,qBAAqB,CACtB,CAAC;AAEF,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AAEtD;;;;;;;GAOG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iEAAiE;IACjE,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC;KACjD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;QACrB,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC;KAC1C,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB;IACxB,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,IAAI,CAAC,kCAAkC,gBAAgB,EAAE,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,kCAAkC;QACpC,CAAC;IACH,CAAC;AACH,CAAC;AAaD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAIC,EACD,OAA+B,EAAE;IAEjC,iBAAiB,EAAE,CAAC;IAEpB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,iBAAiB,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,mBAAmB,CAAC;IAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAExD,MAAM,YAAY,GAAG,YAAY,EAAE,CAAC;IACpC,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,4CAA4C,CAC/C,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,IAAI,cAAc,CAAC;IAC3C,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;IAEpD,0EAA0E;IAC1E,0EAA0E;IAC1E,wEAAwE;IACxE,kCAAkC;IAClC,MAAM,QAAQ,GAAG,UAAU,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC;IAEnE,YAAY,CAAC,cAAc,CAAC,CAAC;IAC7B,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,QAAS,CAAC,CAAC,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;IAEjE,MAAM,aAAa,GAAkB;QACnC,MAAM,EAAE;YACN,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;YAClB,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B;QACD,KAAK,EAAE;YACL,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,mBAAmB;YACnD,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;YAC3C,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,eAAe;YAC3C,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK;SACpD;QACD,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACrC,CAAC;IACF,SAAS,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAErC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AAChE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,CAAS;IACxC,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,UAMiB;IAEjB,OAAO,QAAQ,gBAAgB,CAAC,gBAAgB,CAAC,IAAI,UAAU,EAAE,CAAC;AACpE,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,cAAc,CAAC;AAErD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,yBAAyB;CAC1B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,4BAA4B,CAAC,OAAe;IAC1D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,mBAAmB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/hooks/runtime/guard-violations-buffer.js

@@ -3,8 +3,7 @@
  *
  * Violations (deny/warn outcomes) are appended as JSON lines to a local
  * buffer file (`~/.cybedefend/guards-violations-buffer.jsonl`) and flushed
- * to the gateway on demand (typically on hook process exit via
- * `process.on('beforeExit')`).
+ * to the gateway on demand by the hook before it returns.
  *
  * Why JSONL + append semantics?
  *  - Append to a file is atomic at the OS level for small writes.
@@ -13,6 +12,17 @@
  *  - The hook NEVER blocks on the audit write — `bufferViolation` is
  *    synchronous (sync appendFileSync with minimal data).
  *
+ * Per-project semantics:
+ *  - Each buffered record carries its own `projectId`. When the buffer is
+ *    flushed, records are grouped by `projectId` and each group is POSTed
+ *    to its own project's endpoint. This is required because a developer
+ *    may switch projects between hook invocations, and the user's Logto
+ *    token (same across all their projects) can authorise calls to any
+ *    project the Permify policy allows.
+ *  - On partial failure (e.g. permission denied for one project, success
+ *    for another) only the failed groups are kept in the buffer; the
+ *    successful ones are purged.
+ *
  * Violation semantics:
  *  - `deny`  → outcome = 'denied'
  *  - `warn`  → outcome = 'warned'
@@ -53,7 +63,7 @@ export function makeViolationsBuffer(opts = {}) {
             content = readFileSync(bufferFile, 'utf8').trim();
         }
         catch {
-            return; // can't read — skip
+            return;
         }
         if (!content)
             return;
@@ -63,30 +73,70 @@ export function makeViolationsBuffer(opts = {}) {
             if (!trimmed)
                 continue;
             try {
-                records.push(JSON.parse(trimmed));
+                const parsed = JSON.parse(trimmed);
+                // Drop records that pre-date the projectId field or are malformed
+                // beyond recovery — keeping them would block the flush forever
+                // since they cannot be addressed to a project.
+                if (typeof parsed.projectId === 'string' && parsed.projectId) {
+                    records.push(parsed);
+                }
             }
             catch {
-                // Corrupt line — skip it
+                // Corrupt line — drop it
             }
         }
-        if (records.length === 0)
+        if (records.length === 0) {
+            // Nothing salvageable — clear the file so corrupt content doesn't
+            // grow unboundedly.
+            try {
+                writeFileSync(bufferFile, '', 'utf8');
+            }
+            catch {
+                // Best-effort
+            }
             return;
+        }
+        // Group by projectId, preserving original insertion order within each group.
+        const groups = new Map();
+        for (const r of records) {
+            const arr = groups.get(r.projectId);
+            if (arr)
+                arr.push(r);
+            else
+                groups.set(r.projectId, [r]);
+        }
         const BATCH_SIZE = 100;
-        try {
-            for (let i = 0; i < records.length; i += BATCH_SIZE) {
-                const batch = records.slice(i, i + BATCH_SIZE);
-                await postFn(ctx, batch);
+        const failed = [];
+        for (const [projectId, group] of groups) {
+            let groupFailed = false;
+            for (let i = 0; i < group.length; i += BATCH_SIZE) {
+                const batch = group.slice(i, i + BATCH_SIZE);
+                try {
+                    await postFn(ctx, projectId, batch);
+                }
+                catch {
+                    groupFailed = true;
+                    break;
+                }
             }
-            // Truncate on success
-            try {
+            if (groupFailed) {
+                failed.push(...group);
+            }
+        }
+        // Rewrite the file with only the failed groups (or wipe it on full success).
+        try {
+            if (failed.length === 0) {
                 writeFileSync(bufferFile, '', 'utf8');
             }
-            catch {
-                // Best-effort truncate
+            else {
+                const serialised = failed.map((r) => JSON.stringify(r)).join('\n') + '\n';
+                writeFileSync(bufferFile, serialised, 'utf8');
             }
         }
         catch {
-            // POST failed — preserve buffer for next flush attempt
+            // Best-effort — if we can't rewrite, the worst case is that successful
+            // groups are re-flushed on the next attempt (the API push is idempotent
+            // at the (project_id, rule_id, target_hash, session_id) level).
         }
     }
     return { bufferViolation, flushViolations };

package/dist/hooks/runtime/guard-violations-buffer.js.map

@@ -1 +1 @@
-{"version":3,"file":"guard-violations-buffer.js","sourceRoot":"","sources":["../../../src/hooks/runtime/guard-violations-buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EACL,cAAc,EACd,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CACrC,OAAO,EAAE,EACT,aAAa,EACb,gCAAgC,CACjC,CAAC;AA2CF;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAgC,EAAE;IAElC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAE1D,SAAS,eAAe,CAAC,GAAe,EAAE,CAAY;QACpD,MAAM,MAAM,GAAoB;YAC9B,GAAG,CAAC;YACJ,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QACF,IAAI,CAAC;YACH,YAAY,CAAC,UAAU,CAAC,CAAC;YACzB,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,GAAa,EACb,MAAwB;QAExB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO;QAEpC,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,oBAAoB;QAC9B,CAAC;QAED,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEjC,MAAM,UAAU,GAAG,GAAG,CAAC;QACvB,IAAI,CAAC;YACH,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;gBACpD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;gBAC/C,MAAM,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC3B,CAAC;YACD,sBAAsB;YACtB,IAAI,CAAC;gBACH,aAAa,CAAC,UAAU,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,uBAAuB;YACzB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uDAAuD;QACzD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC;AAC9C,CAAC;AAED,oDAAoD;AACpD,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,cAAc,GAAG,oBAAoB,EAAE,CAAC;AAE9C,MAAM,CAAC,MAAM,eAAe,GAC1B,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AAEtD,MAAM,CAAC,MAAM,eAAe,GAC1B,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC"}
+{"version":3,"file":"guard-violations-buffer.js","sourceRoot":"","sources":["../../../src/hooks/runtime/guard-violations-buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,EACL,cAAc,EACd,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CACrC,OAAO,EAAE,EACT,aAAa,EACb,gCAAgC,CACjC,CAAC;AAgDF;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAgC,EAAE;IAElC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAE1D,SAAS,eAAe,CAAC,GAAe,EAAE,CAAY;QACpD,MAAM,MAAM,GAAoB;YAC9B,GAAG,CAAC;YACJ,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QACF,IAAI,CAAC;YACH,YAAY,CAAC,UAAU,CAAC,CAAC;YACzB,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,GAAa,EACb,MAAwB;QAExB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO;QAEpC,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA6B,CAAC;gBAC/D,kEAAkE;gBAClE,+DAA+D;gBAC/D,+CAA+C;gBAC/C,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;oBAC7D,OAAO,CAAC,IAAI,CAAC,MAAyB,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,kEAAkE;YAClE,oBAAoB;YACpB,IAAI,CAAC;gBACH,aAAa,CAAC,UAAU,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,cAAc;YAChB,CAAC;YACD,OAAO;QACT,CAAC;QAED,6EAA6E;QAC7E,MAAM,MAAM,GAAG,IAAI,GAAG,EAA6B,CAAC;QACpD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YACpC,IAAI,GAAG;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;gBAChB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,UAAU,GAAG,GAAG,CAAC;QACvB,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;YACxC,IAAI,WAAW,GAAG,KAAK,CAAC;YACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;gBAClD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;gBAC7C,IAAI,CAAC;oBACH,MAAM,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;gBACtC,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM;gBACR,CAAC;YACH,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,aAAa,CAAC,UAAU,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,MAAM,UAAU,GACd,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;gBACzD,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,wEAAwE;YACxE,gEAAgE;QAClE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC;AAC9C,CAAC;AAED,oDAAoD;AACpD,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,cAAc,GAAG,oBAAoB,EAAE,CAAC;AAE9C,MAAM,CAAC,MAAM,eAAe,GAC1B,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AAEtD,MAAM,CAAC,MAAM,eAAe,GAC1B,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC"}

package/dist/hooks/runtime/self-update-check.js

@@ -0,0 +1,196 @@
+/**
+ * Throttled, opt-out background self-update check. Runs once per session
+ * from the SessionStart hook. RETURNS a one-line notice to fold into the
+ * bootstrap body (or null) — it never writes to stdout itself (the caller
+ * emits once, so Codex's JSON envelope stays intact). Side effects: writes
+ * the throttle stamp and, when an update is due + enabled for a global
+ * install, spawns a DETACHED wrapper that runs the package-manager update
+ * and records the outcome to last-update.log.
+ *
+ * Source of truth: the npm registry (`/<pkg>/latest`). No gateway call.
+ */
+import { spawn } from 'node:child_process';
+import { existsSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { ensureDirFor } from '../../utils.js';
+import { isNewer } from './semver.js';
+import { detectInstallMode, resolveScriptPath, GLOBAL_MODES, } from '../../self-update.js';
+const PACKAGE_NAME = '@cybedefend/vibedefend';
+const REGISTRY_URL = `https://registry.npmjs.org/${PACKAGE_NAME}/latest`;
+const THROTTLE_MS = 24 * 60 * 60 * 1000;
+const FETCH_TIMEOUT_MS = 3000;
+export async function selfUpdateCheck(deps) {
+    const now = deps.now ?? (() => Date.now());
+    const dir = deps.cybeDir ?? join(process.env.CYBEDEFEND_HOME ?? homedir(), '.cybedefend');
+    const throttlePath = join(dir, 'update-check.json');
+    const logPath = join(dir, 'last-update.log');
+    // Derive the install mode from the stable global runner path
+    // (`runnerSource`) when available — NOT from `resolveScriptPath()`, which at
+    // runtime returns the shim (`~/.cybedefend/hook-runner.js` → `'unknown'`,
+    // never a global mode, so the background update would never spawn).
+    const installMode = deps.installMode ??
+        (deps.runnerSource
+            ? detectInstallMode(deps.runnerSource)
+            : detectInstallMode(resolveScriptPath()));
+    // Read + consume last-update.log (a prior background update's outcome),
+    // regardless of throttle — surface a failure as soon as possible.
+    const priorFailure = takeUpdateLogNotice(logPath);
+    const throttle = readThrottle(throttlePath);
+    if (throttle && now() - throttle.lastCheckedAt < THROTTLE_MS) {
+        return priorFailure;
+    }
+    const fetchLatest = deps.fetchLatest ?? defaultFetchLatest;
+    const latest = await fetchLatest();
+    // Stamp the check time regardless of fetch outcome so a flaky registry
+    // doesn't make every session hammer npm.
+    writeThrottle(throttlePath, { lastCheckedAt: now() });
+    if (!latest || !isNewer(latest, deps.installedVersion)) {
+        return priorFailure;
+    }
+    const updateNotice = applyOrNotify(deps, installMode, latest, logPath);
+    // Surface BOTH signals when present: a prior failure (its log was already
+    // consumed on read) AND the new pending update. They're independent.
+    return [priorFailure, updateNotice].filter(Boolean).join('\n') || null;
+}
+function applyOrNotify(deps, installMode, latest, logPath) {
+    const from = deps.installedVersion;
+    if (!deps.autoUpdate || !GLOBAL_MODES.has(installMode)) {
+        return `\u{1F6E1}️ vibedefend ${from} → ${latest} available — run \`vibedefend update --self\` to upgrade.`;
+    }
+    const spawnUpdate = deps.spawnUpdate ?? defaultSpawnUpdate;
+    spawnUpdate({
+        mode: installMode,
+        spec: `${PACKAGE_NAME}@${latest}`,
+        logPath,
+        from,
+        to: latest,
+    });
+    return `\u{1F6E1}️ vibedefend: updating in background ${from} → ${latest} (active next session).`;
+}
+function readThrottle(path) {
+    try {
+        if (!existsSync(path))
+            return null;
+        const data = JSON.parse(readFileSync(path, 'utf8'));
+        if (typeof data.lastCheckedAt !== 'number')
+            return null;
+        return { lastCheckedAt: data.lastCheckedAt };
+    }
+    catch {
+        return null;
+    }
+}
+function writeThrottle(path, throttle) {
+    try {
+        ensureDirFor(path);
+        writeFileSync(path, JSON.stringify(throttle) + '\n');
+    }
+    catch {
+        /* best-effort */
+    }
+}
+/**
+ * Read and CONSUME last-update.log (the prior background update's outcome).
+ * The log is always deleted on read — a failure is surfaced once, a stale
+ * success (or garbage) is simply dropped so it can't accumulate or re-nag.
+ * Returns a one-line notice only when the prior update failed.
+ */
+function takeUpdateLogNotice(logPath) {
+    try {
+        if (!existsSync(logPath))
+            return null;
+        let parsed = {};
+        try {
+            parsed = JSON.parse(readFileSync(logPath, 'utf8'));
+        }
+        catch {
+            parsed = {};
+        }
+        rmSync(logPath, { force: true }); // consume once, whatever the content
+        if (typeof parsed.exitCode === 'number' && parsed.exitCode !== 0) {
+            return `⚠ vibedefend: last auto-update to ${parsed.to ?? 'latest'} failed (exit ${parsed.exitCode}) — run \`vibedefend update --self\`.`;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+async function defaultFetchLatest() {
+    try {
+        const res = await fetch(REGISTRY_URL, {
+            signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+        });
+        if (!res.ok)
+            return null;
+        const body = (await res.json());
+        return typeof body.version === 'string' ? body.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Build the `node -e` wrapper script that runs the package-manager update and
+ * records the outcome (`{ from, to, exitCode, finishedAt }`) to last-update.log.
+ * Exported for tests. `shell: process.platform === 'win32'` so the
+ * `npm`/`pnpm`/`yarn` `.cmd` shims resolve on Windows; POSIX resolves the
+ * binaries directly (no shell layer). `node -e` runs as CommonJS, so `require`
+ * is available.
+ */
+export function buildUpdateWrapperScript(args) {
+    return `
+const { spawnSync } = require('node:child_process');
+const { writeFileSync } = require('node:fs');
+const r = spawnSync(${JSON.stringify(args.pm)}, ${JSON.stringify(args.pmArgs)}, {
+  stdio: 'ignore',
+  shell: process.platform === 'win32',
+});
+try {
+  writeFileSync(${JSON.stringify(args.logPath)}, JSON.stringify({
+    from: ${JSON.stringify(args.from)},
+    to: ${JSON.stringify(args.to)},
+    exitCode: r.status == null ? 1 : r.status,
+    finishedAt: Date.now(),
+  }) + "\\n");
+} catch {}
+`;
+}
+/**
+ * Spawn a DETACHED, unref'd wrapper that runs the package-manager update and
+ * records its outcome. `windowsHide` prevents a console window flashing on
+ * Windows.
+ */
+function defaultSpawnUpdate(args) {
+    const { pm, pmArgs } = pmCommand(args.mode, args.spec);
+    const script = buildUpdateWrapperScript({
+        pm,
+        pmArgs,
+        logPath: args.logPath,
+        from: args.from,
+        to: args.to,
+    });
+    try {
+        const child = spawn(process.execPath, ['-e', script], {
+            detached: true,
+            stdio: 'ignore',
+            windowsHide: true,
+        });
+        child.unref();
+    }
+    catch {
+        /* best-effort — failure is invisible; the 24h retry covers it */
+    }
+}
+function pmCommand(mode, spec) {
+    switch (mode) {
+        case 'pnpm-global':
+            return { pm: 'pnpm', pmArgs: ['add', '-g', spec] };
+        case 'yarn-global':
+            return { pm: 'yarn', pmArgs: ['global', 'add', spec] };
+        default:
+            return { pm: 'npm', pmArgs: ['install', '-g', spec] };
+    }
+}
+//# sourceMappingURL=self-update-check.js.map

package/dist/hooks/runtime/self-update-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"self-update-check.js","sourceRoot":"","sources":["../../../src/hooks/runtime/self-update-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GAEb,MAAM,sBAAsB,CAAC;AAE9B,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAC9C,MAAM,YAAY,GAAG,8BAA8B,YAAY,SAAS,CAAC;AACzE,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACxC,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAqC9B,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAyB;IAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3C,MAAM,GAAG,GACP,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;IAChF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;IAC7C,6DAA6D;IAC7D,6EAA6E;IAC7E,0EAA0E;IAC1E,oEAAoE;IACpE,MAAM,WAAW,GACf,IAAI,CAAC,WAAW;QAChB,CAAC,IAAI,CAAC,YAAY;YAChB,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC;YACtC,CAAC,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAE9C,wEAAwE;IACxE,kEAAkE;IAClE,MAAM,YAAY,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAC5C,IAAI,QAAQ,IAAI,GAAG,EAAE,GAAG,QAAQ,CAAC,aAAa,GAAG,WAAW,EAAE,CAAC;QAC7D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC;IAC3D,MAAM,MAAM,GAAG,MAAM,WAAW,EAAE,CAAC;IAEnC,uEAAuE;IACvE,yCAAyC;IACzC,aAAa,CAAC,YAAY,EAAE,EAAE,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAEtD,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACvD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACvE,0EAA0E;IAC1E,qEAAqE;IACrE,OAAO,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACzE,CAAC;AAED,SAAS,aAAa,CACpB,IAAyB,EACzB,WAAwB,EACxB,MAAc,EACd,OAAe;IAEf,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC;IACnC,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,yBAAyB,IAAI,MAAM,MAAM,2DAA2D,CAAC;IAC9G,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC;IAC3D,WAAW,CAAC;QACV,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,GAAG,YAAY,IAAI,MAAM,EAAE;QACjC,OAAO;QACP,IAAI;QACJ,EAAE,EAAE,MAAM;KACX,CAAC,CAAC;IACH,OAAO,iDAAiD,IAAI,MAAM,MAAM,yBAAyB,CAAC;AACpG,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAsB,CAAC;QACzE,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,QAAkB;IACrD,IAAI,CAAC;QACH,YAAY,CAAC,IAAI,CAAC,CAAC;QACnB,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,IAAI,MAAM,GAAuC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,EAAE,CAAC;QACd,CAAC;QACD,MAAM,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,qCAAqC;QACvE,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YACjE,OAAO,qCAAqC,MAAM,CAAC,EAAE,IAAI,QAAQ,iBAAiB,MAAM,CAAC,QAAQ,uCAAuC,CAAC;QAC3I,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0B,CAAC;QACzD,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAMxC;IACC,OAAO;;;sBAGa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;;;;;kBAK3D,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;YAClC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;UAC3B,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;;;;;CAKhC,CAAC;AACF,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,IAM3B;IACC,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,wBAAwB,CAAC;QACtC,EAAE;QACF,MAAM;QACN,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,EAAE,EAAE,IAAI,CAAC,EAAE;KACZ,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE;YACpD,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;IACnE,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAChB,IAAiB,EACjB,IAAY;IAEZ,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACrD,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;QACzD;YACE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;IAC1D,CAAC;AACH,CAAC"}

package/dist/hooks/runtime/semver.js

@@ -0,0 +1,34 @@
+/**
+ * Minimal semver comparison for `x.y.z` version strings — no dependency,
+ * the CLI ships only what it needs. Tolerant: a leading `v` is stripped,
+ * prerelease/build suffixes are ignored, and any missing or non-numeric
+ * segment counts as 0, so a malformed input never throws (it simply
+ * compares as a low version).
+ */
+export function parseVersion(input) {
+    const cleaned = input.trim().replace(/^v/i, '');
+    const core = cleaned.split('-')[0].split('+')[0];
+    const parts = core.split('.');
+    const seg = (i) => {
+        const v = Number.parseInt(parts[i] ?? '0', 10);
+        return Number.isFinite(v) && v >= 0 ? v : 0;
+    };
+    return [seg(0), seg(1), seg(2)];
+}
+/** -1 if a<b, 0 if equal, 1 if a>b — by major, then minor, then patch. */
+export function compareVersions(a, b) {
+    const pa = parseVersion(a);
+    const pb = parseVersion(b);
+    for (let i = 0; i < 3; i++) {
+        if (pa[i] < pb[i])
+            return -1;
+        if (pa[i] > pb[i])
+            return 1;
+    }
+    return 0;
+}
+/** True iff `latest` is strictly newer than `current`. */
+export function isNewer(latest, current) {
+    return compareVersions(latest, current) > 0;
+}
+//# sourceMappingURL=semver.js.map

package/dist/hooks/runtime/semver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.js","sourceRoot":"","sources":["../../../src/hooks/runtime/semver.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC,CAAC;QAC7B,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,OAAO,CAAC,MAAc,EAAE,OAAe;IACrD,OAAO,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;AAC9C,CAAC"}