npm - @danielblomma/cortex-mcp - Versions diffs - 1.7.1 → 2.0.2 - Mend

@danielblomma/cortex-mcp 1.7.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/bin/cortex.mjs +679 -32
package/bin/style.mjs +349 -0
package/package.json +4 -3
package/scaffold/mcp/package-lock.json +834 -671
package/scaffold/mcp/package.json +1 -1
package/scaffold/mcp/src/cli/enterprise-setup.ts +124 -0
package/scaffold/mcp/src/cli/govern.ts +987 -0
package/scaffold/mcp/src/cli/run.ts +306 -0
package/scaffold/mcp/src/cli/telemetry-test.ts +158 -0
package/scaffold/mcp/src/cli/ungoverned-detector.ts +168 -0
package/scaffold/mcp/src/core/audit/query.ts +81 -0
package/scaffold/mcp/src/core/audit/writer.ts +68 -0
package/scaffold/mcp/src/core/config.ts +329 -0
package/scaffold/mcp/src/core/index.ts +34 -0
package/scaffold/mcp/src/core/license.ts +202 -0
package/scaffold/mcp/src/core/policy/enforce.ts +98 -0
package/scaffold/mcp/src/core/policy/injection.ts +229 -0
package/scaffold/mcp/src/core/policy/store.ts +197 -0
package/scaffold/mcp/src/core/rbac/check.ts +40 -0
package/scaffold/mcp/src/core/telemetry/collector.ts +234 -0
package/scaffold/mcp/src/core/validators/builtins.ts +711 -0
package/scaffold/mcp/src/core/validators/config.ts +47 -0
package/scaffold/mcp/src/core/validators/engine.ts +199 -0
package/scaffold/mcp/src/core/validators/evaluators/code_comments.ts +294 -0
package/scaffold/mcp/src/core/validators/evaluators/regex.ts +144 -0
package/scaffold/mcp/src/daemon/client.ts +155 -0
package/scaffold/mcp/src/daemon/egress-proxy.ts +331 -0
package/scaffold/mcp/src/daemon/heartbeat-pusher.ts +147 -0
package/scaffold/mcp/src/daemon/heartbeat-tracker.ts +223 -0
package/scaffold/mcp/src/daemon/host-events-pusher.ts +285 -0
package/scaffold/mcp/src/daemon/main.ts +300 -0
package/scaffold/mcp/src/daemon/paths.ts +41 -0
package/scaffold/mcp/src/daemon/protocol.ts +101 -0
package/scaffold/mcp/src/daemon/server.ts +227 -0
package/scaffold/mcp/src/daemon/sync-checker.ts +213 -0
package/scaffold/mcp/src/daemon/ungoverned-scanner.ts +149 -0
package/scaffold/mcp/src/embed.ts +1 -1
package/scaffold/mcp/src/embeddings.ts +1 -1
package/scaffold/mcp/src/enterprise/audit/push.ts +84 -0
package/scaffold/mcp/src/enterprise/index.ts +415 -0
package/scaffold/mcp/src/enterprise/model/deploy.ts +33 -0
package/scaffold/mcp/src/enterprise/policy/sync.ts +146 -0
package/scaffold/mcp/src/enterprise/privacy/boundary.ts +212 -0
package/scaffold/mcp/src/enterprise/reviews/push.ts +79 -0
package/scaffold/mcp/src/enterprise/telemetry/sync.ts +72 -0
package/scaffold/mcp/src/enterprise/tools/enterprise.ts +1031 -0
package/scaffold/mcp/src/enterprise/tools/walk.ts +79 -0
package/scaffold/mcp/src/enterprise/violations/push.ts +102 -0
package/scaffold/mcp/src/enterprise/workflow/push.ts +60 -0
package/scaffold/mcp/src/enterprise/workflow/state.ts +535 -0
package/scaffold/mcp/src/hooks/pre-compact.ts +54 -0
package/scaffold/mcp/src/hooks/pre-tool-use.ts +96 -0
package/scaffold/mcp/src/hooks/session-end.ts +73 -0
package/scaffold/mcp/src/hooks/session-start.ts +78 -0
package/scaffold/mcp/src/hooks/shared.ts +134 -0
package/scaffold/mcp/src/hooks/stop.ts +60 -0
package/scaffold/mcp/src/hooks/user-prompt-submit.ts +64 -0
package/scaffold/mcp/src/plugin.ts +150 -0
package/scaffold/mcp/src/server.ts +218 -7
package/scaffold/mcp/tests/copilot-shim.test.mjs +146 -0
package/scaffold/mcp/tests/daemon-client.test.mjs +32 -0
package/scaffold/mcp/tests/egress-proxy.test.mjs +239 -0
package/scaffold/mcp/tests/enterprise-config.test.mjs +154 -0
package/scaffold/mcp/tests/govern-install.test.mjs +320 -0
package/scaffold/mcp/tests/govern-repair.test.mjs +157 -0
package/scaffold/mcp/tests/govern-status.test.mjs +538 -0
package/scaffold/mcp/tests/govern.test.mjs +74 -0
package/scaffold/mcp/tests/heartbeat-pusher.test.mjs +154 -0
package/scaffold/mcp/tests/heartbeat-tracker.test.mjs +237 -0
package/scaffold/mcp/tests/host-events-pusher.test.mjs +347 -0
package/scaffold/mcp/tests/policy-check.test.mjs +220 -0
package/scaffold/mcp/tests/repo-name.test.mjs +134 -0
package/scaffold/mcp/tests/run.test.mjs +109 -0
package/scaffold/mcp/tests/sync-checker.test.mjs +188 -0
package/scaffold/mcp/tests/ungoverned-detector.test.mjs +191 -0
package/scaffold/mcp/tests/ungoverned-scanner.test.mjs +198 -0
package/scaffold/scripts/bootstrap.sh +0 -11
package/scaffold/scripts/doctor.sh +24 -4
package/types.js +5 -0

package/scaffold/mcp/src/daemon/main.ts ADDED Viewed

@@ -0,0 +1,300 @@
+import { readFileSync, existsSync } from "node:fs";
+import { basename, join } from "node:path";
+import { CortexDaemon } from "./server.js";
+import type {
+  PolicyCheckPayload,
+  PolicyCheckResult,
+  TelemetryFlushPayload,
+  TelemetryFlushResult,
+  AuditLogPayload,
+  AuditLogResult,
+} from "./protocol.js";
+import { loadEnterpriseConfig, resolveEnterpriseActivation } from "../core/config.js";
+import { pushMetrics } from "../enterprise/telemetry/sync.js";
+import type { TelemetryMetrics } from "../core/telemetry/collector.js";
+import { AuditWriter, type AuditEntry } from "../core/audit/writer.js";
+import { PolicyStore } from "../core/policy/store.js";
+import {
+  enforceInjectionPolicy,
+  isInjectionDefenseActive,
+} from "../core/policy/enforce.js";
+import { syncFromCloud } from "../enterprise/policy/sync.js";
+import { startUngovernedScanner } from "./ungoverned-scanner.js";
+import {
+  HeartbeatTracker,
+  writeTamperLock,
+  emitTamperAudit,
+} from "./heartbeat-tracker.js";
+import { startSyncTimer } from "./sync-checker.js";
+import { startHostEventsPusher } from "./host-events-pusher.js";
+import { startEgressProxy } from "./egress-proxy.js";
+import { startHeartbeatPusher } from "./heartbeat-pusher.js";
+import type { HeartbeatPayload, HeartbeatResult } from "./protocol.js";
+/**
+ * Daemon entry point. Run by `cortex daemon start` (or auto-spawned by
+ * the first hook that needs it).
+ *
+ * v2.0.0: policy.check is currently a stub allowing all calls (real policy
+ * evaluation in subsequent commit). telemetry.flush is fully wired — the
+ * Stop hook now reliably pushes metrics.json even if MCP died abruptly.
+ */
+function extractStringFields(value: unknown, out: string[] = []): string[] {
+  if (typeof value === "string") {
+    out.push(value);
+  } else if (Array.isArray(value)) {
+    for (const v of value) extractStringFields(v, out);
+  } else if (value && typeof value === "object") {
+    for (const v of Object.values(value as Record<string, unknown>)) {
+      extractStringFields(v, out);
+    }
+  }
+  return out;
+}
+async function policyCheck(
+  payload: PolicyCheckPayload,
+): Promise<PolicyCheckResult> {
+  if (!payload.cwd) return { allow: true };
+  const contextDir = join(payload.cwd, ".context");
+  if (!existsSync(contextDir)) return { allow: true };
+  const store = new PolicyStore(contextDir);
+  const policies = store.getMergedPolicies();
+  if (!isInjectionDefenseActive(policies)) {
+    return { allow: true };
+  }
+  const haystack = extractStringFields(payload.input).join("\n");
+  if (!haystack) return { allow: true };
+  const result = enforceInjectionPolicy(haystack, policies);
+  if (result.allowed) return { allow: true };
+  const topMatch = result.scan.matches[0];
+  const reason = topMatch
+    ? `prompt-injection-defense: ${topMatch.category} (${topMatch.matched.slice(0, 80)})`
+    : "prompt-injection-defense: flagged";
+  return { allow: false, reason };
+}
+function readMetrics(contextDir: string): TelemetryMetrics | null {
+  const path = join(contextDir, "telemetry", "metrics.json");
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(readFileSync(path, "utf8")) as TelemetryMetrics;
+  } catch {
+    return null;
+  }
+}
+async function telemetryFlush(
+  payload: TelemetryFlushPayload,
+): Promise<TelemetryFlushResult> {
+  const cwd = payload.cwd ?? process.cwd();
+  const contextDir = join(cwd, ".context");
+  if (!existsSync(contextDir)) {
+    return { flushed: false, events_pushed: 0 };
+  }
+  const config = loadEnterpriseConfig(contextDir);
+  const activation = resolveEnterpriseActivation(config);
+  if (!activation.active || !config.telemetry.enabled) {
+    // Community mode or telemetry disabled → nothing to push.
+    return { flushed: false, events_pushed: 0 };
+  }
+  if (!config.telemetry.endpoint || !config.telemetry.api_key) {
+    return { flushed: false, events_pushed: 0 };
+  }
+  const metrics = readMetrics(contextDir);
+  if (!metrics) {
+    // No metrics on disk yet — MCP probably hasn't flushed once. Nothing
+    // to push from disk. (MCP's interval flush + session-end push handle
+    // the in-memory case.)
+    return { flushed: false, events_pushed: 0 };
+  }
+  const result = await pushMetrics(
+    metrics,
+    config.telemetry.endpoint,
+    config.telemetry.api_key,
+    {
+      repo: basename(cwd),
+      session_id: payload.session_id,
+    },
+  );
+  if (!result.success) {
+    process.stderr.write(
+      `[cortex-daemon] telemetry push failed: ${result.error ?? "unknown"}\n`,
+    );
+    return { flushed: false, events_pushed: 0 };
+  }
+  return {
+    flushed: true,
+    events_pushed: metrics.total_tool_calls,
+  };
+}
+// Per-cwd AuditWriter cache. Daemon serves multiple projects so we don't
+// want to instantiate (and lose buffered state) on every audit.log call.
+const auditWriters = new Map<string, AuditWriter>();
+function getAuditWriter(cwd: string): AuditWriter {
+  const contextDir = join(cwd, ".context");
+  let writer = auditWriters.get(contextDir);
+  if (!writer) {
+    writer = new AuditWriter(contextDir);
+    auditWriters.set(contextDir, writer);
+  }
+  return writer;
+}
+async function auditLog(payload: AuditLogPayload): Promise<AuditLogResult> {
+  if (!payload.cwd || !payload.entry) {
+    return { written: false };
+  }
+  const contextDir = join(payload.cwd, ".context");
+  if (!existsSync(contextDir)) {
+    return { written: false };
+  }
+  const writer = getAuditWriter(payload.cwd);
+  const entry: AuditEntry = {
+    timestamp: payload.entry.timestamp,
+    tool: payload.entry.tool,
+    input: payload.entry.input,
+    result_count: payload.entry.result_count ?? 0,
+    entities_returned: [],
+    rules_applied: [],
+    duration_ms: payload.entry.duration_ms ?? 0,
+    status: payload.entry.status,
+    event_type: payload.entry.event_type as AuditEntry["event_type"],
+    evidence_level: payload.entry.evidence_level,
+    resource_type: payload.entry.resource_type,
+    session_id: payload.entry.session_id,
+    metadata: payload.entry.metadata,
+  };
+  writer.log(entry);
+  return { written: true };
+}
+async function main(): Promise<void> {
+  // Phase 6: hook heartbeat tracker (per-session activity record + tamper detect).
+  const tracker = new HeartbeatTracker();
+  async function heartbeat(payload: HeartbeatPayload): Promise<HeartbeatResult> {
+    return tracker.recordHeartbeat(payload);
+  }
+  const daemon = new CortexDaemon({
+    onPolicyCheck: policyCheck,
+    onTelemetryFlush: telemetryFlush,
+    onAuditLog: auditLog,
+    onHeartbeat: heartbeat,
+  });
+  await daemon.start();
+  // Phase 5: Tier 3 ungoverned-session detection. Periodic process scan, audit
+  // emit per finding, optional SIGTERM in enforced mode (same-user only).
+  const scanInterval = parseInt(process.env.CORTEX_UNGOVERNED_SCAN_MS ?? "", 10);
+  const intervalMs = Number.isFinite(scanInterval) && scanInterval > 0 ? scanInterval : 60_000;
+  if (process.env.CORTEX_DISABLE_UNGOVERNED_SCAN !== "1") {
+    startUngovernedScanner({ cwd: process.cwd(), intervalMs });
+  }
+  // Phase 6: periodic tamper-checker. For each active session that had at
+  // least one tool-fired hook then went silent past missing_threshold_seconds,
+  // write .cortex-tamper.lock + audit event. The next SessionStart in
+  // enforced mode will refuse to register tools until 'cortex enterprise
+  // repair' clears the lock.
+  const tamperThreshold = parseInt(process.env.CORTEX_TAMPER_MISSING_THRESHOLD_S ?? "", 10);
+  const missingThresholdSeconds =
+    Number.isFinite(tamperThreshold) && tamperThreshold > 0 ? tamperThreshold : 300;
+  const tamperCheckInterval = parseInt(process.env.CORTEX_TAMPER_CHECK_MS ?? "", 10);
+  const tamperCheckMs =
+    Number.isFinite(tamperCheckInterval) && tamperCheckInterval > 0 ? tamperCheckInterval : 60_000;
+  // Phase 7: periodic sync-version-check + host-events push to cortex-web.
+  // Daemon runs as the user post-Fas-3 privilege drop, so sync only checks
+  // version availability (writes a notification + audit). Re-applying
+  // managed-settings still requires 'sudo cortex enterprise sync'.
+  const syncIntervalRaw = parseInt(process.env.CORTEX_SYNC_CHECK_MS ?? "", 10);
+  const syncIntervalMs =
+    Number.isFinite(syncIntervalRaw) && syncIntervalRaw > 0 ? syncIntervalRaw : 60 * 60 * 1000;
+  const pushIntervalRaw = parseInt(process.env.CORTEX_HOST_EVENTS_PUSH_MS ?? "", 10);
+  const pushIntervalMs =
+    Number.isFinite(pushIntervalRaw) && pushIntervalRaw > 0 ? pushIntervalRaw : 5 * 60 * 1000;
+  if (process.env.CORTEX_DISABLE_SYNC_CHECK !== "1") {
+    startSyncTimer(process.cwd(), syncIntervalMs);
+  }
+  if (process.env.CORTEX_DISABLE_HOST_EVENTS_PUSH !== "1") {
+    startHostEventsPusher(process.cwd(), pushIntervalMs);
+  }
+  // Govern host heartbeat — fills host_enrollment on cortex-web so the
+  // dashboard at /dashboard/govern actually shows this host.
+  const heartbeatRaw = parseInt(process.env.CORTEX_HEARTBEAT_PUSH_MS ?? "", 10);
+  const heartbeatMs =
+    Number.isFinite(heartbeatRaw) && heartbeatRaw > 0 ? heartbeatRaw : 5 * 60 * 1000;
+  if (process.env.CORTEX_DISABLE_HEARTBEAT_PUSH !== "1") {
+    startHeartbeatPusher(process.cwd(), heartbeatMs);
+  }
+  // Phase 4 task 19: cortex egress proxy. Logs SNI + destination per
+  // outbound connection (no TLS termination). cortex run sets
+  // HTTPS_PROXY/HTTP_PROXY for the Copilot wrap; other AI CLIs respect
+  // these env vars too if a developer wires them in.
+  const proxyPortRaw = parseInt(process.env.CORTEX_EGRESS_PROXY_PORT ?? "", 10);
+  const proxyPort = Number.isFinite(proxyPortRaw) && proxyPortRaw > 0 ? proxyPortRaw : 18888;
+  if (process.env.CORTEX_DISABLE_EGRESS_PROXY !== "1") {
+    startEgressProxy({ cwd: process.cwd(), port: proxyPort })
+      .then((handle) => {
+        process.stderr.write(
+          `[cortex-daemon] egress proxy listening on 127.0.0.1:${handle.port}\n`,
+        );
+      })
+      .catch((err) => {
+        process.stderr.write(
+          `[cortex-daemon] egress proxy failed to start: ${err instanceof Error ? err.message : String(err)}\n`,
+        );
+      });
+  }
+  if (process.env.CORTEX_DISABLE_TAMPER_CHECK !== "1") {
+    const checkTimer = setInterval(() => {
+      const detected = tracker.detectTamper({
+        cwds: [process.cwd()],
+        missingThresholdSeconds,
+      });
+      for (const entry of detected) {
+        try {
+          writeTamperLock(entry.cwd, entry);
+        } catch (err) {
+          process.stderr.write(
+            `[cortex-daemon] failed to write tamper lock: ${err instanceof Error ? err.message : String(err)}\n`,
+          );
+        }
+        void emitTamperAudit(entry.cwd, entry).catch((err) => {
+          process.stderr.write(
+            `[cortex-daemon] failed to emit tamper audit: ${err instanceof Error ? err.message : String(err)}\n`,
+          );
+        });
+      }
+    }, tamperCheckMs);
+    if (typeof checkTimer.unref === "function") checkTimer.unref();
+  }
+}
+main().catch((err) => {
+  process.stderr.write(
+    `[cortex-daemon] fatal: ${err instanceof Error ? err.message : String(err)}\n`,
+  );
+  process.exit(1);
+});

package/scaffold/mcp/src/daemon/paths.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import { join } from "node:path";
+import { homedir, tmpdir, userInfo } from "node:os";
+import { mkdirSync } from "node:fs";
+/**
+ * Resolves filesystem locations the daemon and hooks share.
+ * Per-user, not per-project — one daemon serves all projects so warm graph
+ * + embeddings stay loaded across switches.
+ */
+function safeUid(): string {
+  try {
+    const info = userInfo();
+    if (typeof info.uid === "number" && info.uid >= 0) {
+      return String(info.uid);
+    }
+    return info.username || "anon";
+  } catch {
+    return "anon";
+  }
+}
+export function daemonDir(): string {
+  const dir = join(homedir(), ".cortex");
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+export function pidFilePath(): string {
+  return join(daemonDir(), "daemon.pid");
+}
+export function logFilePath(): string {
+  return join(daemonDir(), "daemon.log");
+}
+export function socketPath(): string {
+  // Keep socket in tmpdir per-user — Linux has 108-char path limit on
+  // sockaddr_un.sun_path so we avoid putting it under $HOME.
+  return join(tmpdir(), `cortex-${safeUid()}.sock`);
+}

package/scaffold/mcp/src/daemon/protocol.ts ADDED Viewed

@@ -0,0 +1,101 @@
+/**
+ * Wire protocol between cortex hooks and the cortex daemon.
+ * Newline-delimited JSON over a Unix socket.
+ *
+ * Each request: { id, type, payload }
+ * Each response: { id, ok, result?, error? }
+ */
+export type RequestType =
+  | "ping"
+  | "policy.check"
+  | "telemetry.flush"
+  | "audit.log"
+  | "heartbeat"
+  | "shutdown";
+export type Request<T extends RequestType = RequestType> = {
+  id: string;
+  type: T;
+  payload: unknown;
+};
+export type Response = {
+  id: string;
+  ok: boolean;
+  result?: unknown;
+  error?: string;
+};
+export type PolicyCheckPayload = {
+  tool: string;
+  cwd: string;
+  // Tool-specific input — Claude Code sends this verbatim from PreToolUse
+  input: Record<string, unknown>;
+};
+export type PolicyCheckResult = {
+  allow: boolean;
+  reason?: string;
+  // Optional context to inject when allowing (rules, ADRs)
+  inject?: string[];
+};
+export type TelemetryFlushPayload = {
+  reason: "stop" | "session_end" | "interval";
+  session_id?: string;
+  // Working directory of the project whose telemetry should flush.
+  // Hook scripts pass Claude Code's cwd through here.
+  cwd?: string;
+};
+export type TelemetryFlushResult = {
+  flushed: boolean;
+  events_pushed: number;
+};
+export type AuditLogPayload = {
+  cwd: string;
+  // Subset of AuditEntry — daemon fills in date-based file routing.
+  // Caller passes only the event-shaped fields; daemon writes them
+  // as-is to the per-day audit log.
+  entry: {
+    timestamp: string;
+    tool: string;
+    input: Record<string, unknown>;
+    result_count?: number;
+    duration_ms?: number;
+    status?: "success" | "error";
+    event_type?: string;
+    evidence_level?: "required" | "diagnostic";
+    resource_type?: string;
+    session_id?: string;
+    metadata?: Record<string, unknown>;
+  };
+};
+export type AuditLogResult = {
+  written: boolean;
+};
+export type HeartbeatPayload = {
+  cli: "claude" | "codex" | "copilot";
+  hook:
+    | "PreToolUse"
+    | "UserPromptSubmit"
+    | "SessionStart"
+    | "SessionEnd"
+    | "Stop"
+    | "PreCompact";
+  session_id: string;
+  instance_id?: string;
+  cwd: string;
+  ts: string;
+};
+export type HeartbeatResult = {
+  recorded: boolean;
+  tamper_lock_active?: boolean;
+};
+export const DEFAULT_REQUEST_TIMEOUT_MS = 5000;

package/scaffold/mcp/src/daemon/server.ts ADDED Viewed

@@ -0,0 +1,227 @@
+import { createServer, type Server, type Socket } from "node:net";
+import { writeFileSync, unlinkSync, existsSync } from "node:fs";
+import { socketPath, pidFilePath } from "./paths.js";
+import type {
+  Request,
+  Response,
+  PolicyCheckPayload,
+  PolicyCheckResult,
+  TelemetryFlushPayload,
+  TelemetryFlushResult,
+  AuditLogPayload,
+  AuditLogResult,
+  HeartbeatPayload,
+  HeartbeatResult,
+} from "./protocol.js";
+/**
+ * The cortex daemon serves hooks (PreToolUse, Stop, etc.) over a Unix socket.
+ * Long-lived per-user process. Hooks are thin shims; the daemon holds warm
+ * state (graph, embeddings, license cache).
+ *
+ * v2.0.0 MVP: ping + policy.check + telemetry.flush + shutdown.
+ * Future: full MCP-tool routing through the daemon (today MCP still runs
+ * its own per-session stdio process — see plan Fas 3.6).
+ */
+const IDLE_SHUTDOWN_MS = 30 * 60 * 1000; // 30 min idle → shutdown
+type DaemonOptions = {
+  onPolicyCheck?: (payload: PolicyCheckPayload) => Promise<PolicyCheckResult>;
+  onTelemetryFlush?: (
+    payload: TelemetryFlushPayload,
+  ) => Promise<TelemetryFlushResult>;
+  onAuditLog?: (payload: AuditLogPayload) => Promise<AuditLogResult>;
+  onHeartbeat?: (payload: HeartbeatPayload) => Promise<HeartbeatResult>;
+};
+export class CortexDaemon {
+  private server: Server | null = null;
+  private idleTimer: NodeJS.Timeout | null = null;
+  private readonly opts: DaemonOptions;
+  constructor(opts: DaemonOptions = {}) {
+    this.opts = opts;
+  }
+  async start(): Promise<void> {
+    const sockPath = socketPath();
+    // Clean up stale socket from a prior crash.
+    if (existsSync(sockPath)) {
+      try {
+        unlinkSync(sockPath);
+      } catch {
+        // ignore — listen() will surface the real error
+      }
+    }
+    const server = createServer((socket) => this.handleConnection(socket));
+    this.server = server;
+    await new Promise<void>((resolve, reject) => {
+      server.once("error", reject);
+      server.listen(sockPath, () => {
+        server.off("error", reject);
+        resolve();
+      });
+    });
+    // Persist PID so cortex CLI can detect a running daemon.
+    try {
+      writeFileSync(pidFilePath(), String(process.pid), "utf8");
+    } catch {
+      // Non-fatal — clients can still connect via socket existence.
+    }
+    this.armIdleTimer();
+    process.stderr.write(
+      `[cortex-daemon] listening on ${sockPath} pid=${process.pid}\n`,
+    );
+    // Best-effort cleanup on shutdown signals.
+    const cleanup = () => {
+      this.stop().finally(() => process.exit(0));
+    };
+    process.on("SIGINT", cleanup);
+    process.on("SIGTERM", cleanup);
+  }
+  async stop(): Promise<void> {
+    if (this.idleTimer) {
+      clearTimeout(this.idleTimer);
+      this.idleTimer = null;
+    }
+    if (this.server) {
+      const srv = this.server;
+      this.server = null;
+      await new Promise<void>((resolve) => srv.close(() => resolve()));
+    }
+    try {
+      unlinkSync(pidFilePath());
+    } catch {
+      // ignore
+    }
+    try {
+      unlinkSync(socketPath());
+    } catch {
+      // ignore
+    }
+  }
+  private armIdleTimer(): void {
+    if (this.idleTimer) clearTimeout(this.idleTimer);
+    this.idleTimer = setTimeout(() => {
+      process.stderr.write("[cortex-daemon] idle shutdown\n");
+      this.stop().finally(() => process.exit(0));
+    }, IDLE_SHUTDOWN_MS);
+    this.idleTimer.unref();
+  }
+  private handleConnection(socket: Socket): void {
+    this.armIdleTimer();
+    let buffer = "";
+    socket.on("data", (chunk) => {
+      buffer += chunk.toString("utf8");
+      let nlIndex: number;
+      while ((nlIndex = buffer.indexOf("\n")) !== -1) {
+        const line = buffer.slice(0, nlIndex);
+        buffer = buffer.slice(nlIndex + 1);
+        if (!line.trim()) continue;
+        void this.handleLine(socket, line);
+      }
+    });
+    socket.on("error", () => {
+      // Suppress — clients dropping mid-write must not crash the daemon.
+    });
+  }
+  private async handleLine(socket: Socket, line: string): Promise<void> {
+    let req: Request;
+    try {
+      req = JSON.parse(line) as Request;
+    } catch {
+      this.sendError(socket, "<unknown>", "invalid_json");
+      return;
+    }
+    try {
+      switch (req.type) {
+        case "ping":
+          this.sendOk(socket, req.id, { pong: true, pid: process.pid });
+          return;
+        case "policy.check": {
+          if (!this.opts.onPolicyCheck) {
+            this.sendOk(socket, req.id, { allow: true } as PolicyCheckResult);
+            return;
+          }
+          const result = await this.opts.onPolicyCheck(
+            req.payload as PolicyCheckPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "telemetry.flush": {
+          if (!this.opts.onTelemetryFlush) {
+            this.sendOk(socket, req.id, {
+              flushed: false,
+              events_pushed: 0,
+            } as TelemetryFlushResult);
+            return;
+          }
+          const result = await this.opts.onTelemetryFlush(
+            req.payload as TelemetryFlushPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "audit.log": {
+          if (!this.opts.onAuditLog) {
+            this.sendOk(socket, req.id, { written: false } as AuditLogResult);
+            return;
+          }
+          const result = await this.opts.onAuditLog(
+            req.payload as AuditLogPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "heartbeat": {
+          if (!this.opts.onHeartbeat) {
+            this.sendOk(socket, req.id, { recorded: false } as HeartbeatResult);
+            return;
+          }
+          const result = await this.opts.onHeartbeat(
+            req.payload as HeartbeatPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "shutdown":
+          this.sendOk(socket, req.id, { ok: true });
+          setTimeout(() => this.stop().finally(() => process.exit(0)), 50);
+          return;
+        default:
+          this.sendError(socket, req.id, `unknown_type: ${req.type}`);
+      }
+    } catch (err) {
+      this.sendError(
+        socket,
+        req.id,
+        err instanceof Error ? err.message : "unknown_error",
+      );
+    }
+  }
+  private sendOk(socket: Socket, id: string, result: unknown): void {
+    const payload: Response = { id, ok: true, result };
+    socket.write(`${JSON.stringify(payload)}\n`);
+  }
+  private sendError(socket: Socket, id: string, error: string): void {
+    const payload: Response = { id, ok: false, error };
+    socket.write(`${JSON.stringify(payload)}\n`);
+  }
+}