npm - @danielblomma/cortex-mcp - Versions diffs - 1.7.2 → 2.0.3 - Mend

@danielblomma/cortex-mcp 1.7.2 → 2.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/README.md +4 -24
package/bin/cortex.mjs +679 -32
package/bin/style.mjs +349 -0
package/package.json +4 -3
package/scaffold/mcp/src/cli/enterprise-setup.ts +124 -0
package/scaffold/mcp/src/cli/govern.ts +987 -0
package/scaffold/mcp/src/cli/run.ts +306 -0
package/scaffold/mcp/src/cli/telemetry-test.ts +158 -0
package/scaffold/mcp/src/cli/ungoverned-detector.ts +168 -0
package/scaffold/mcp/src/core/audit/query.ts +81 -0
package/scaffold/mcp/src/core/audit/writer.ts +68 -0
package/scaffold/mcp/src/core/config.ts +329 -0
package/scaffold/mcp/src/core/index.ts +34 -0
package/scaffold/mcp/src/core/license.ts +202 -0
package/scaffold/mcp/src/core/policy/enforce.ts +98 -0
package/scaffold/mcp/src/core/policy/injection.ts +229 -0
package/scaffold/mcp/src/core/policy/store.ts +197 -0
package/scaffold/mcp/src/core/rbac/check.ts +40 -0
package/scaffold/mcp/src/core/telemetry/collector.ts +408 -0
package/scaffold/mcp/src/core/validators/builtins.ts +711 -0
package/scaffold/mcp/src/core/validators/config.ts +47 -0
package/scaffold/mcp/src/core/validators/engine.ts +199 -0
package/scaffold/mcp/src/core/validators/evaluators/code_comments.ts +294 -0
package/scaffold/mcp/src/core/validators/evaluators/regex.ts +144 -0
package/scaffold/mcp/src/daemon/client.ts +155 -0
package/scaffold/mcp/src/daemon/egress-proxy.ts +331 -0
package/scaffold/mcp/src/daemon/heartbeat-pusher.ts +147 -0
package/scaffold/mcp/src/daemon/heartbeat-tracker.ts +223 -0
package/scaffold/mcp/src/daemon/host-events-pusher.ts +285 -0
package/scaffold/mcp/src/daemon/main.ts +435 -0
package/scaffold/mcp/src/daemon/paths.ts +41 -0
package/scaffold/mcp/src/daemon/protocol.ts +101 -0
package/scaffold/mcp/src/daemon/server.ts +227 -0
package/scaffold/mcp/src/daemon/sync-checker.ts +213 -0
package/scaffold/mcp/src/daemon/ungoverned-scanner.ts +149 -0
package/scaffold/mcp/src/enterprise/audit/push.ts +84 -0
package/scaffold/mcp/src/enterprise/index.ts +386 -0
package/scaffold/mcp/src/enterprise/model/deploy.ts +33 -0
package/scaffold/mcp/src/enterprise/policy/sync.ts +146 -0
package/scaffold/mcp/src/enterprise/privacy/boundary.ts +214 -0
package/scaffold/mcp/src/enterprise/reviews/push.ts +79 -0
package/scaffold/mcp/src/enterprise/telemetry/sync.ts +73 -0
package/scaffold/mcp/src/enterprise/tools/enterprise.ts +1031 -0
package/scaffold/mcp/src/enterprise/tools/walk.ts +79 -0
package/scaffold/mcp/src/enterprise/violations/push.ts +102 -0
package/scaffold/mcp/src/enterprise/workflow/push.ts +60 -0
package/scaffold/mcp/src/enterprise/workflow/state.ts +535 -0
package/scaffold/mcp/src/hooks/pre-compact.ts +54 -0
package/scaffold/mcp/src/hooks/pre-tool-use.ts +96 -0
package/scaffold/mcp/src/hooks/session-end.ts +73 -0
package/scaffold/mcp/src/hooks/session-start.ts +78 -0
package/scaffold/mcp/src/hooks/shared.ts +134 -0
package/scaffold/mcp/src/hooks/stop.ts +60 -0
package/scaffold/mcp/src/hooks/user-prompt-submit.ts +64 -0
package/scaffold/mcp/src/loadGraph.ts +2 -0
package/scaffold/mcp/src/plugin.ts +150 -0
package/scaffold/mcp/src/server.ts +218 -7
package/scaffold/mcp/tests/copilot-shim.test.mjs +146 -0
package/scaffold/mcp/tests/daemon-client.test.mjs +32 -0
package/scaffold/mcp/tests/egress-proxy.test.mjs +239 -0
package/scaffold/mcp/tests/enterprise-config.test.mjs +154 -0
package/scaffold/mcp/tests/govern-install.test.mjs +320 -0
package/scaffold/mcp/tests/govern-repair.test.mjs +157 -0
package/scaffold/mcp/tests/govern-status.test.mjs +538 -0
package/scaffold/mcp/tests/govern.test.mjs +74 -0
package/scaffold/mcp/tests/heartbeat-pusher.test.mjs +154 -0
package/scaffold/mcp/tests/heartbeat-tracker.test.mjs +237 -0
package/scaffold/mcp/tests/host-events-pusher.test.mjs +347 -0
package/scaffold/mcp/tests/policy-check.test.mjs +220 -0
package/scaffold/mcp/tests/repo-name.test.mjs +134 -0
package/scaffold/mcp/tests/run.test.mjs +109 -0
package/scaffold/mcp/tests/sync-checker.test.mjs +188 -0
package/scaffold/mcp/tests/telemetry-collector.test.mjs +30 -0
package/scaffold/mcp/tests/ungoverned-detector.test.mjs +191 -0
package/scaffold/mcp/tests/ungoverned-scanner.test.mjs +198 -0
package/scaffold/scripts/bootstrap.sh +0 -11
package/scaffold/scripts/doctor.sh +24 -4
package/types.js +5 -0
package/docs/MCP_MARKETPLACE.md +0 -160

package/scaffold/mcp/src/daemon/server.ts ADDED Viewed

@@ -0,0 +1,227 @@
+import { createServer, type Server, type Socket } from "node:net";
+import { writeFileSync, unlinkSync, existsSync } from "node:fs";
+import { socketPath, pidFilePath } from "./paths.js";
+import type {
+  Request,
+  Response,
+  PolicyCheckPayload,
+  PolicyCheckResult,
+  TelemetryFlushPayload,
+  TelemetryFlushResult,
+  AuditLogPayload,
+  AuditLogResult,
+  HeartbeatPayload,
+  HeartbeatResult,
+} from "./protocol.js";
+/**
+ * The cortex daemon serves hooks (PreToolUse, Stop, etc.) over a Unix socket.
+ * Long-lived per-user process. Hooks are thin shims; the daemon holds warm
+ * state (graph, embeddings, license cache).
+ *
+ * v2.0.0 MVP: ping + policy.check + telemetry.flush + shutdown.
+ * Future: full MCP-tool routing through the daemon (today MCP still runs
+ * its own per-session stdio process — see plan Fas 3.6).
+ */
+const IDLE_SHUTDOWN_MS = 30 * 60 * 1000; // 30 min idle → shutdown
+type DaemonOptions = {
+  onPolicyCheck?: (payload: PolicyCheckPayload) => Promise<PolicyCheckResult>;
+  onTelemetryFlush?: (
+    payload: TelemetryFlushPayload,
+  ) => Promise<TelemetryFlushResult>;
+  onAuditLog?: (payload: AuditLogPayload) => Promise<AuditLogResult>;
+  onHeartbeat?: (payload: HeartbeatPayload) => Promise<HeartbeatResult>;
+};
+export class CortexDaemon {
+  private server: Server | null = null;
+  private idleTimer: NodeJS.Timeout | null = null;
+  private readonly opts: DaemonOptions;
+  constructor(opts: DaemonOptions = {}) {
+    this.opts = opts;
+  }
+  async start(): Promise<void> {
+    const sockPath = socketPath();
+    // Clean up stale socket from a prior crash.
+    if (existsSync(sockPath)) {
+      try {
+        unlinkSync(sockPath);
+      } catch {
+        // ignore — listen() will surface the real error
+      }
+    }
+    const server = createServer((socket) => this.handleConnection(socket));
+    this.server = server;
+    await new Promise<void>((resolve, reject) => {
+      server.once("error", reject);
+      server.listen(sockPath, () => {
+        server.off("error", reject);
+        resolve();
+      });
+    });
+    // Persist PID so cortex CLI can detect a running daemon.
+    try {
+      writeFileSync(pidFilePath(), String(process.pid), "utf8");
+    } catch {
+      // Non-fatal — clients can still connect via socket existence.
+    }
+    this.armIdleTimer();
+    process.stderr.write(
+      `[cortex-daemon] listening on ${sockPath} pid=${process.pid}\n`,
+    );
+    // Best-effort cleanup on shutdown signals.
+    const cleanup = () => {
+      this.stop().finally(() => process.exit(0));
+    };
+    process.on("SIGINT", cleanup);
+    process.on("SIGTERM", cleanup);
+  }
+  async stop(): Promise<void> {
+    if (this.idleTimer) {
+      clearTimeout(this.idleTimer);
+      this.idleTimer = null;
+    }
+    if (this.server) {
+      const srv = this.server;
+      this.server = null;
+      await new Promise<void>((resolve) => srv.close(() => resolve()));
+    }
+    try {
+      unlinkSync(pidFilePath());
+    } catch {
+      // ignore
+    }
+    try {
+      unlinkSync(socketPath());
+    } catch {
+      // ignore
+    }
+  }
+  private armIdleTimer(): void {
+    if (this.idleTimer) clearTimeout(this.idleTimer);
+    this.idleTimer = setTimeout(() => {
+      process.stderr.write("[cortex-daemon] idle shutdown\n");
+      this.stop().finally(() => process.exit(0));
+    }, IDLE_SHUTDOWN_MS);
+    this.idleTimer.unref();
+  }
+  private handleConnection(socket: Socket): void {
+    this.armIdleTimer();
+    let buffer = "";
+    socket.on("data", (chunk) => {
+      buffer += chunk.toString("utf8");
+      let nlIndex: number;
+      while ((nlIndex = buffer.indexOf("\n")) !== -1) {
+        const line = buffer.slice(0, nlIndex);
+        buffer = buffer.slice(nlIndex + 1);
+        if (!line.trim()) continue;
+        void this.handleLine(socket, line);
+      }
+    });
+    socket.on("error", () => {
+      // Suppress — clients dropping mid-write must not crash the daemon.
+    });
+  }
+  private async handleLine(socket: Socket, line: string): Promise<void> {
+    let req: Request;
+    try {
+      req = JSON.parse(line) as Request;
+    } catch {
+      this.sendError(socket, "<unknown>", "invalid_json");
+      return;
+    }
+    try {
+      switch (req.type) {
+        case "ping":
+          this.sendOk(socket, req.id, { pong: true, pid: process.pid });
+          return;
+        case "policy.check": {
+          if (!this.opts.onPolicyCheck) {
+            this.sendOk(socket, req.id, { allow: true } as PolicyCheckResult);
+            return;
+          }
+          const result = await this.opts.onPolicyCheck(
+            req.payload as PolicyCheckPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "telemetry.flush": {
+          if (!this.opts.onTelemetryFlush) {
+            this.sendOk(socket, req.id, {
+              flushed: false,
+              events_pushed: 0,
+            } as TelemetryFlushResult);
+            return;
+          }
+          const result = await this.opts.onTelemetryFlush(
+            req.payload as TelemetryFlushPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "audit.log": {
+          if (!this.opts.onAuditLog) {
+            this.sendOk(socket, req.id, { written: false } as AuditLogResult);
+            return;
+          }
+          const result = await this.opts.onAuditLog(
+            req.payload as AuditLogPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "heartbeat": {
+          if (!this.opts.onHeartbeat) {
+            this.sendOk(socket, req.id, { recorded: false } as HeartbeatResult);
+            return;
+          }
+          const result = await this.opts.onHeartbeat(
+            req.payload as HeartbeatPayload,
+          );
+          this.sendOk(socket, req.id, result);
+          return;
+        }
+        case "shutdown":
+          this.sendOk(socket, req.id, { ok: true });
+          setTimeout(() => this.stop().finally(() => process.exit(0)), 50);
+          return;
+        default:
+          this.sendError(socket, req.id, `unknown_type: ${req.type}`);
+      }
+    } catch (err) {
+      this.sendError(
+        socket,
+        req.id,
+        err instanceof Error ? err.message : "unknown_error",
+      );
+    }
+  }
+  private sendOk(socket: Socket, id: string, result: unknown): void {
+    const payload: Response = { id, ok: true, result };
+    socket.write(`${JSON.stringify(payload)}\n`);
+  }
+  private sendError(socket: Socket, id: string, error: string): void {
+    const payload: Response = { id, ok: false, error };
+    socket.write(`${JSON.stringify(payload)}\n`);
+  }
+}

package/scaffold/mcp/src/daemon/sync-checker.ts ADDED Viewed

@@ -0,0 +1,213 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { hostname } from "node:os";
+import { join } from "node:path";
+import { loadEnterpriseConfig } from "../core/config.js";
+import { writeHostAuditEvent } from "./ungoverned-scanner.js";
+/**
+ * Phase 7 sync flow — daemon side.
+ *
+ * The daemon periodically pings cortex-web /api/v1/govern/config to learn
+ * whether a new config version is available. It does NOT re-apply (that
+ * would require root, which the daemon explicitly doesn't have post-Fas-3
+ * privilege drop). Instead it emits an audit event and writes a
+ * notification file that 'cortex enterprise status' surfaces. The
+ * operator must then run 'sudo cortex enterprise sync' to actually
+ * re-fetch + write managed-settings.
+ *
+ * Three audit outcomes per tick:
+ *  - govern_config_unchanged  (304 / same version) — heartbeat that
+ *                              cortex-web is reachable and we're current.
+ *  - govern_config_available  (200 with new version) — operator action needed.
+ *  - govern_config_sync_failed (network / auth error) — also written so
+ *                              admin sees blackouts in audit timeline.
+ */
+const NOTIFICATION_FILENAME = ".govern-update-available.json";
+export type SyncCheckOptions = {
+  cwd: string;
+  cli: "claude" | "codex" | "copilot";
+  now?: () => Date;
+};
+export type SyncCheckOutcome =
+  | { kind: "unchanged"; version: string }
+  | { kind: "available"; latest_version: string; current_version: string | null }
+  | { kind: "failed"; error: string };
+type LocalGovernState = {
+  installs?: Record<
+    string,
+    {
+      version?: string;
+      mode?: string;
+      frameworks?: Array<{ id: string; version: string }>;
+    }
+  >;
+};
+function readLocalGovernState(cwd: string): LocalGovernState {
+  const path = join(cwd, ".context", "govern.local.json");
+  if (!existsSync(path)) return {};
+  try {
+    return JSON.parse(readFileSync(path, "utf8")) as LocalGovernState;
+  } catch {
+    return {};
+  }
+}
+function activeFrameworks(cwd: string): string[] {
+  const state = readLocalGovernState(cwd);
+  for (const inst of Object.values(state.installs ?? {})) {
+    if (inst.frameworks?.length) {
+      return inst.frameworks.map((f) => f.id);
+    }
+  }
+  // Fall back to enterprise.yml's compliance.frameworks
+  const config = loadEnterpriseConfig(join(cwd, ".context"));
+  return config.compliance.frameworks;
+}
+function currentVersion(cwd: string, cli: string): string | null {
+  const state = readLocalGovernState(cwd);
+  return state.installs?.[cli]?.version ?? null;
+}
+export async function checkSyncForCli(
+  options: SyncCheckOptions,
+): Promise<SyncCheckOutcome> {
+  const cwd = options.cwd;
+  const config = loadEnterpriseConfig(join(cwd, ".context"));
+  const apiKey = config.enterprise.api_key.trim();
+  const baseUrl = (config.enterprise.base_url || config.enterprise.endpoint).trim();
+  if (!apiKey || !baseUrl) {
+    return { kind: "failed", error: "enterprise not configured" };
+  }
+  const frameworks = activeFrameworks(cwd);
+  if (frameworks.length === 0) {
+    return { kind: "failed", error: "no active frameworks" };
+  }
+  const url = new URL(baseUrl.replace(/\/$/, "") + "/api/v1/govern/config");
+  url.searchParams.set("cli", options.cli);
+  url.searchParams.set("frameworks", frameworks.join(","));
+  const installedVersion = currentVersion(cwd, options.cli);
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${apiKey}`,
+  };
+  if (installedVersion) headers["If-None-Match"] = `"${installedVersion}"`;
+  let res: Response;
+  try {
+    res = await fetch(url, { headers });
+  } catch (err) {
+    return { kind: "failed", error: err instanceof Error ? err.message : String(err) };
+  }
+  if (res.status === 304) {
+    return { kind: "unchanged", version: installedVersion ?? "unknown" };
+  }
+  if (!res.ok) {
+    return { kind: "failed", error: `HTTP ${res.status} ${res.statusText}` };
+  }
+  const etag = (res.headers.get("etag") ?? "").replace(/"/g, "");
+  if (etag && etag === installedVersion) {
+    return { kind: "unchanged", version: etag };
+  }
+  return {
+    kind: "available",
+    latest_version: etag || "unknown",
+    current_version: installedVersion,
+  };
+}
+function writeUpdateNotification(
+  cwd: string,
+  data: { latest_version: string; current_version: string | null; cli: string; detected_at: string },
+): void {
+  const dir = join(cwd, ".context");
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(
+    join(dir, NOTIFICATION_FILENAME),
+    JSON.stringify(data, null, 2) + "\n",
+    "utf8",
+  );
+}
+export async function runSyncCheckOnce(
+  cwd: string,
+  clis: Array<"claude" | "codex" | "copilot">,
+): Promise<SyncCheckOutcome[]> {
+  const outcomes: SyncCheckOutcome[] = [];
+  const now = new Date().toISOString();
+  for (const cli of clis) {
+    const outcome = await checkSyncForCli({ cwd, cli });
+    outcomes.push(outcome);
+    const eventBase = {
+      timestamp: now,
+      host_id: hostname(),
+      cli,
+    };
+    if (outcome.kind === "unchanged") {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_unchanged",
+        version: outcome.version,
+      }).catch(() => undefined);
+    } else if (outcome.kind === "available") {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_available",
+        latest_version: outcome.latest_version,
+        current_version: outcome.current_version,
+      }).catch(() => undefined);
+      writeUpdateNotification(cwd, {
+        latest_version: outcome.latest_version,
+        current_version: outcome.current_version,
+        cli,
+        detected_at: now,
+      });
+    } else {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_sync_failed",
+        error: outcome.error,
+      }).catch(() => undefined);
+    }
+  }
+  return outcomes;
+}
+export type SyncTimerHandle = {
+  stop(): void;
+};
+export function startSyncTimer(
+  cwd: string,
+  intervalMs: number,
+): SyncTimerHandle {
+  const tick = () => {
+    const state = readLocalGovernState(cwd);
+    const clis = Object.keys(state.installs ?? {}) as Array<
+      "claude" | "codex" | "copilot"
+    >;
+    if (clis.length === 0) return;
+    void runSyncCheckOnce(cwd, clis).catch((err) => {
+      process.stderr.write(
+        `[cortex-daemon] sync check failed: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    });
+  };
+  void Promise.resolve().then(tick);
+  const handle = setInterval(tick, intervalMs);
+  if (typeof handle.unref === "function") handle.unref();
+  return {
+    stop() {
+      clearInterval(handle);
+    },
+  };
+}

package/scaffold/mcp/src/daemon/ungoverned-scanner.ts ADDED Viewed

@@ -0,0 +1,149 @@
+import { appendFile, mkdir } from "node:fs/promises";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { userInfo } from "node:os";
+import {
+  detectUngoverned,
+  enforceFinding,
+  type DetectorOptions,
+  type EnforcementMode,
+  type UngovernedFinding,
+} from "../cli/ungoverned-detector.js";
+export type ScannerOptions = {
+  cwd: string;
+  intervalMs?: number;
+  mode?: EnforcementMode;
+  detectorOptions?: DetectorOptions;
+  onFinding?: (finding: UngovernedFinding & { action: string }) => void;
+};
+const DEFAULT_INTERVAL_MS = 60_000;
+const TIER1_CLIS = new Set(["claude", "codex"]);
+function readMode(cwd: string): EnforcementMode {
+  const stateFile = join(cwd, ".context", "govern.local.json");
+  if (!existsSync(stateFile)) return "advisory";
+  try {
+    const raw = readFileSync(stateFile, "utf8");
+    const parsed = JSON.parse(raw) as {
+      installs?: Record<string, { mode?: EnforcementMode }>;
+    };
+    for (const inst of Object.values(parsed.installs ?? {})) {
+      if (inst.mode === "enforced") return "enforced";
+    }
+    return "advisory";
+  } catch {
+    return "advisory";
+  }
+}
+function readManagedTier1Clis(cwd: string): Set<string> {
+  const stateFile = join(cwd, ".context", "govern.local.json");
+  const managed = new Set<string>();
+  if (!existsSync(stateFile)) return managed;
+  try {
+    const raw = readFileSync(stateFile, "utf8");
+    const parsed = JSON.parse(raw) as {
+      installs?: Record<string, { path?: string }>;
+    };
+    for (const [cli, inst] of Object.entries(parsed.installs ?? {})) {
+      if (!TIER1_CLIS.has(cli)) continue;
+      if (!inst?.path || !existsSync(inst.path)) continue;
+      managed.add(cli);
+    }
+  } catch {
+    return managed;
+  }
+  return managed;
+}
+function filterManagedTier1Findings(
+  findings: UngovernedFinding[],
+  managedTier1Clis: Set<string>,
+): UngovernedFinding[] {
+  if (managedTier1Clis.size === 0) return findings;
+  return findings.filter((finding) => !managedTier1Clis.has(finding.cli));
+}
+export async function writeHostAuditEvent(
+  cwd: string,
+  event: Record<string, unknown>,
+): Promise<void> {
+  const auditDir = join(cwd, ".context", "audit");
+  await mkdir(auditDir, { recursive: true });
+  const date = new Date().toISOString().slice(0, 10);
+  const file = join(auditDir, `host-events-${date}.jsonl`);
+  await appendFile(file, JSON.stringify(event) + "\n");
+}
+export async function runScanOnce(options: ScannerOptions): Promise<UngovernedFinding[]> {
+  const mode = options.mode ?? readMode(options.cwd);
+  const managedTier1Clis = readManagedTier1Clis(options.cwd);
+  const findings = filterManagedTier1Findings(
+    detectUngoverned(options.detectorOptions),
+    managedTier1Clis,
+  );
+  const me = userInfo().username;
+  for (const finding of findings) {
+    const action = enforceFinding(finding, { mode, currentUser: me });
+    const event = {
+      event_type: "ungoverned_ai_session_detected",
+      timestamp: finding.detected_at,
+      host_id: finding.host_id,
+      cli: finding.cli,
+      binary: finding.binary,
+      pid: finding.pid,
+      ppid: finding.ppid,
+      user: finding.user,
+      args: finding.args,
+      parent_chain: finding.parent_chain,
+      mode,
+      action,
+    };
+    try {
+      await writeHostAuditEvent(options.cwd, event);
+    } catch (err) {
+      process.stderr.write(
+        `[cortex-daemon] failed to write ungoverned audit: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    }
+    options.onFinding?.({ ...finding, action });
+  }
+  return findings;
+}
+export type ScannerHandle = {
+  stop(): void;
+  isRunning(): boolean;
+};
+export function startUngovernedScanner(options: ScannerOptions): ScannerHandle {
+  const interval = options.intervalMs ?? DEFAULT_INTERVAL_MS;
+  let running = true;
+  const tick = async () => {
+    if (!running) return;
+    try {
+      await runScanOnce(options);
+    } catch (err) {
+      process.stderr.write(
+        `[cortex-daemon] ungoverned scan failed: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    }
+  };
+  void tick();
+  const handle = setInterval(() => void tick(), interval);
+  if (typeof handle.unref === "function") handle.unref();
+  return {
+    stop() {
+      running = false;
+      clearInterval(handle);
+    },
+    isRunning() {
+      return running;
+    },
+  };
+}

package/scaffold/mcp/src/enterprise/audit/push.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import type { AuditEntry } from "../../core/audit/writer.js";
+import { sanitizeAuditEntryForPush } from "../privacy/boundary.js";
+export type AuditPushContext = {
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+};
+export type AuditPushResult = {
+  success: boolean;
+  count: number;
+  error?: string;
+};
+const pending: AuditEntry[] = [];
+let activeContext: AuditPushContext = {};
+export function setAuditPushContext(context: AuditPushContext): void {
+  activeContext = { ...context };
+}
+export function queueAuditEvent(entry: AuditEntry): void {
+  pending.push(sanitizeAuditEntryForPush({
+    ...entry,
+    repo: entry.repo ?? activeContext.repo,
+    instance_id: entry.instance_id ?? activeContext.instance_id,
+    session_id: entry.session_id ?? activeContext.session_id,
+  }));
+}
+export function pendingCount(): number {
+  return pending.length;
+}
+export async function pushAuditEvents(
+  baseUrl: string,
+  apiKey: string,
+): Promise<AuditPushResult> {
+  if (pending.length === 0) {
+    return { success: true, count: 0 };
+  }
+  const auditUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/audit/push`;
+  let pushedCount = 0;
+  while (pending.length > 0) {
+    const batch = pending.splice(0, 100);
+    try {
+      const response = await fetch(auditUrl, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          "Content-Type": "application/json",
+          Accept: "application/json",
+        },
+        body: JSON.stringify({
+          repo: activeContext.repo,
+          instance_id: activeContext.instance_id,
+          session_id: activeContext.session_id,
+          events: batch,
+        }),
+        signal: AbortSignal.timeout(10_000),
+      });
+      if (!response.ok) {
+        pending.unshift(...batch);
+        return { success: false, count: pushedCount, error: `HTTP ${response.status}` };
+      }
+      pushedCount += batch.length;
+    } catch (err) {
+      pending.unshift(...batch);
+      return {
+        success: false,
+        count: pushedCount,
+        error: err instanceof Error ? err.message : "unknown error",
+      };
+    }
+  }
+  return { success: true, count: pushedCount };
+}