@frostbridge/imdl 0.1.13 → 0.1.14

package/dist/index.js

@@ -1376,6 +1376,7 @@ async function initCommand(options) {
     }
   }
   installDaemon();
+  setupGateway(detectedAgents);
   let apiConnected = false;
   try {
     const healthRes = await fetch(`${config.apiUrl}/health`, { signal: AbortSignal.timeout(3e3) });
@@ -1401,9 +1402,10 @@ async function initCommand(options) {
   console.log("");
   console.log(pc2.bold("  Useful commands:"));
   console.log(pc2.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(`  ${pc2.cyan("imdl status")}    Show connection, agents, and policy summary`);
-  console.log(`  ${pc2.cyan("imdl scan")}      Scan MCP servers for supply chain risks`);
-  console.log(`  ${pc2.cyan("imdl login")}     Authenticate to access your team dashboard`);
+  console.log(`  ${pc2.cyan("imdl status")}         Show connection, agents, and policy summary`);
+  console.log(`  ${pc2.cyan("imdl sync-history")}   Import past sessions and detect historical violations`);
+  console.log(`  ${pc2.cyan("imdl scan")}           Scan MCP servers for supply chain risks`);
+  console.log(`  ${pc2.cyan("imdl login")}          Authenticate to access your team dashboard`);
   console.log("");
   if (!options.teamToken && config.teamId === "default") {
     console.log(pc2.dim("  Tip: Got an invite token? Run: imdl init --token <token>"));
@@ -1594,6 +1596,126 @@ function installMCPProxy(mcpConfigPath, agentName) {
   writeFileSync4(mcpConfigPath, JSON.stringify(existing, null, 2));
   console.log(pc2.green(`  \u2713 MCP proxy registered for ${agentName}`));
 }
+function setupGateway(detectedAgents) {
+  console.log("");
+  console.log(pc2.bold("  [8/9] AI Gateway (token optimization + cost tracking)"));
+  const IMDL_DIR4 = join6(homedir4(), ".imdl");
+  const gatewayConfig = join6(IMDL_DIR4, "gateway.toml");
+  if (!existsSync7(gatewayConfig)) {
+    if (!existsSync7(IMDL_DIR4)) mkdirSync2(IMDL_DIR4, { recursive: true });
+    writeFileSync4(gatewayConfig, `listen_host = "127.0.0.1"
+listen_port = 9443
+
+[secret_scanning]
+enabled = true
+mode = "audit"
+
+[dlp]
+enabled = true
+mode = "audit"
+
+[injection_detection]
+enabled = true
+mode = "block"
+
+[routing]
+enabled = true
+
+[budget]
+enabled = false
+
+[shadow_ai]
+enabled = true
+
+[upstream]
+anthropic_url = "https://api.anthropic.com"
+openai_url = "https://api.openai.com"
+
+[context_optimization]
+enabled = true
+
+[optimization]
+enabled = true
+effort_modulation = true
+prompt_caching = true
+
+[audit]
+enabled = true
+
+[reporter]
+enabled = true
+api_url = "https://imdl-api-1028078600113.us-central1.run.app"
+flush_interval_secs = 30
+`, { mode: 384 });
+    console.log(pc2.green("  \u2713 Gateway config created"));
+  } else {
+    console.log(pc2.dim("  \u2713 Gateway config exists"));
+  }
+  const claudeSettings = join6(homedir4(), ".claude", "settings.json");
+  const hasClaudeCode = detectedAgents.some((a) => a.name === "claude-code");
+  const hasCodex = detectedAgents.some((a) => a.name === "codex");
+  if (hasClaudeCode && existsSync7(claudeSettings)) {
+    try {
+      const settings = JSON.parse(readFileSync4(claudeSettings, "utf-8"));
+      if (!settings.env) settings.env = {};
+      if (!settings.env.ANTHROPIC_BEDROCK_BASE_URL) {
+        settings.env.ANTHROPIC_BEDROCK_BASE_URL = "http://127.0.0.1:9443";
+        writeFileSync4(claudeSettings, JSON.stringify(settings, null, 2) + "\n");
+        console.log(pc2.green("  \u2713 Claude Code \u2192 gateway (ANTHROPIC_BEDROCK_BASE_URL)"));
+      } else {
+        console.log(pc2.dim("  \u2713 Claude Code already routed through gateway"));
+      }
+    } catch {
+    }
+  }
+  const vsCodeSettings = join6(homedir4(), "Library", "Application Support", "Code", "User", "settings.json");
+  if (existsSync7(vsCodeSettings)) {
+    try {
+      let content = readFileSync4(vsCodeSettings, "utf-8");
+      if (!content.includes('"http.proxy"')) {
+        const insertion = `  "http.proxy": "http://127.0.0.1:9443",
+  "http.proxyStrictSSL": false,
+`;
+        const lastBrace = content.lastIndexOf("}");
+        if (lastBrace > 0) {
+          content = content.slice(0, lastBrace) + insertion + content.slice(lastBrace);
+          writeFileSync4(vsCodeSettings, content);
+          console.log(pc2.green("  \u2713 VS Code http.proxy \u2192 gateway (Copilot optimization)"));
+        }
+      } else {
+        console.log(pc2.dim("  \u2713 VS Code proxy already configured"));
+      }
+    } catch {
+    }
+  }
+  const gatewayCandidates = [
+    join6(IMDL_DIR4, "bin", "imdl-gateway"),
+    join6(process.cwd(), "packages", "ai-gateway", "target", "release", "imdl-gateway")
+  ];
+  const gatewayBin = gatewayCandidates.find((p) => existsSync7(p));
+  if (gatewayBin) {
+    try {
+      const net = __require("net");
+      const sock = new net.Socket();
+      sock.setTimeout(1e3);
+      sock.on("connect", () => {
+        sock.destroy();
+      });
+      sock.on("error", () => {
+        const { spawn: spawn2 } = __require("child_process");
+        const child = spawn2(gatewayBin, [], { detached: true, stdio: "ignore", env: { ...process.env, RUST_LOG: "imdl_ai_gateway=info" } });
+        child.unref();
+        console.log(pc2.green(`  \u2713 Gateway started (PID ${child.pid})`));
+      });
+      sock.connect(9443, "127.0.0.1");
+    } catch {
+      console.log(pc2.dim("  \u26A0 Gateway binary found but could not start"));
+    }
+  } else {
+    console.log(pc2.dim("  \u26A0 Gateway binary not found \u2014 run separately: imdl gateway start"));
+  }
+  console.log(pc2.dim("  Dashboard: http://127.0.0.1:9443/dashboard"));
+}
 
 // src/commands/login.ts
 import pc3 from "picocolors";
@@ -2587,12 +2709,12 @@ function detectAgents() {
   const home = homedir11();
   const claudeDir = join13(home, ".claude");
   if (existsSync14(claudeDir)) {
-    const hooksPath = join13(claudeDir, "hooks.json");
     let hooked = false;
-    if (existsSync14(hooksPath)) {
+    const settingsPath = join13(claudeDir, "settings.json");
+    if (existsSync14(settingsPath)) {
       try {
-        const hooks = JSON.parse(readFileSync10(hooksPath, "utf-8"));
-        hooked = JSON.stringify(hooks).includes("imdl hook");
+        const settings = JSON.parse(readFileSync10(settingsPath, "utf-8"));
+        hooked = JSON.stringify(settings).includes("imdl hook");
       } catch {
       }
     }
@@ -2708,8 +2830,8 @@ function resumeCommand() {
 import pc6 from "picocolors";
 
 // src/adapters/index.ts
-import { existsSync as existsSync19, readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
-import { join as join18 } from "path";
+import { existsSync as existsSync19, readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
+import { join as join19 } from "path";
 
 // src/transport/buffer.ts
 import { appendFileSync, readFileSync as readFileSync11, writeFileSync as writeFileSync5, existsSync as existsSync15, statSync as statSync7, unlinkSync as unlinkSync2 } from "fs";
@@ -2787,29 +2909,75 @@ function releaseLock() {
 }
 
 // src/transport/sender.ts
+import { writeFileSync as writeFileSync6 } from "fs";
+import { join as join15 } from "path";
+import { homedir as homedir12 } from "os";
 var FLUSH_TIMEOUT = 1e4;
-var BATCH_SIZE = 50;
+var BATCH_SIZE = 25;
+var DEBUG_LOG = join15(homedir12(), ".imdl", "flush-debug.log");
+function debugLog(msg) {
+  try {
+    writeFileSync6(DEBUG_LOG, `${(/* @__PURE__ */ new Date()).toISOString()} ${msg}
+`, { flag: "a" });
+  } catch {
+  }
+}
 async function tryFlush() {
   if (!acquireLock()) return;
   try {
     const events = readBuffer();
     if (events.length === 0) return;
     const config = loadConfig();
+    if (!config.apiUrl) {
+      debugLog("No apiUrl configured, skipping flush");
+      return;
+    }
     const grouped = groupBySession(events);
-    let allSuccess = true;
+    const failedEvents = [];
+    debugLog(`Flushing ${events.length} events across ${grouped.size} sessions`);
     for (const [sessionId, sessionEvents] of grouped) {
-      for (let i = 0; i < sessionEvents.length; i += BATCH_SIZE) {
-        const batch = sessionEvents.slice(i, i + BATCH_SIZE);
+      if (!sessionId || sessionId === "unknown" || sessionId === "?") {
+        debugLog(`Skipping invalid session: ${sessionId}`);
+        continue;
+      }
+      const validTypes = /* @__PURE__ */ new Set(["user_prompt", "pre_tool_use", "post_tool_use", "response", "notification", "tool_call", "tool_result", "prompt", "violation", "error", "system"]);
+      const apiEvents = [];
+      for (const e of sessionEvents) {
+        if (e.type === "usage") continue;
+        const copy = { ...e };
+        if (copy.type === "assistant_response") copy.type = "response";
+        if (copy.toolOutput && typeof copy.toolOutput !== "string") {
+          copy.toolOutput = JSON.stringify(copy.toolOutput);
+        }
+        if (copy.toolOutput && copy.toolOutput.length > 5e4) {
+          copy.toolOutput = copy.toolOutput.slice(0, 5e4) + "\u2026[truncated]";
+        }
+        if (copy.prompt && copy.prompt.length > 5e4) {
+          copy.prompt = copy.prompt.slice(0, 5e4) + "\u2026[truncated]";
+        }
+        if (!validTypes.has(copy.type)) continue;
+        apiEvents.push(copy);
+      }
+      let sessionFailed = false;
+      for (let i = 0; i < apiEvents.length; i += BATCH_SIZE) {
+        const batch = apiEvents.slice(i, i + BATCH_SIZE);
         const success = await sendBatch(config.apiUrl, sessionId, batch, config.developerId);
         if (!success) {
-          allSuccess = false;
+          failedEvents.push(...sessionEvents.slice(i));
+          sessionFailed = true;
           break;
         }
       }
-      if (!allSuccess) break;
+      if (sessionFailed) continue;
     }
-    if (allSuccess) {
-      clearBuffer();
+    clearBuffer();
+    if (failedEvents.length > 0) {
+      debugLog(`Re-queuing ${failedEvents.length} failed events`);
+      for (const event of failedEvents) {
+        appendEvent(event);
+      }
+    } else {
+      debugLog("All events flushed successfully");
     }
   } finally {
     releaseLock();
@@ -2829,8 +2997,13 @@ async function sendBatch(apiUrl, sessionId, events, developerId) {
       body: JSON.stringify({ events, developerId, ...agentType && { agentType } }),
       signal: AbortSignal.timeout(FLUSH_TIMEOUT)
     });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      debugLog(`sendBatch FAILED for ${sessionId}: ${res.status} ${body.slice(0, 200)}`);
+    }
     return res.ok;
-  } catch {
+  } catch (e) {
+    debugLog(`sendBatch ERROR for ${sessionId}: ${e.message}`);
     return false;
   }
 }
@@ -2962,20 +3135,85 @@ function redactObject(obj) {
 
 // src/hooks/prompt-scanner.ts
 var KNOWN_PREFIX_PATTERNS = [
+  // ─── Cloud Providers ───
   { pattern: /AKIA[0-9A-Z]{16}/g, label: "AWS Access Key", severity: "critical" },
+  { pattern: /(?:ASIA|ABIA|ACCA)[0-9A-Z]{16}/g, label: "AWS Temporary Key", severity: "critical" },
+  { pattern: /aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?/gi, label: "AWS Secret Key", severity: "critical" },
+  { pattern: /AIzaSy[A-Za-z0-9_\-]{30,36}/g, label: "Google API Key", severity: "critical" },
+  { pattern: /[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com/g, label: "Google OAuth Client ID", severity: "high" },
+  { pattern: /ya29\.[A-Za-z0-9_\-]{50,}/g, label: "Google OAuth Token", severity: "critical" },
+  { pattern: /GOCSPX-[A-Za-z0-9_\-]{28}/g, label: "Google OAuth Secret", severity: "critical" },
+  // ─── AI/LLM Providers ───
+  { pattern: /sk-ant-[A-Za-z0-9\-_]{20,}/g, label: "Anthropic Key", severity: "critical" },
+  { pattern: /sk-(?:proj-)?[A-Za-z0-9\-_]{20,}/g, label: "OpenAI Key", severity: "critical" },
+  { pattern: /sess-[A-Za-z0-9]{40,}/g, label: "OpenAI Session Token", severity: "critical" },
+  { pattern: /r8_[A-Za-z0-9]{20,}/g, label: "Replicate Token", severity: "critical" },
+  { pattern: /hf_[A-Za-z0-9]{20,}/g, label: "Hugging Face Token", severity: "critical" },
+  { pattern: /key-[A-Za-z0-9]{32,}/g, label: "Cohere API Key", severity: "critical" },
+  // ─── Code Platforms ───
   { pattern: /gh[pousr]_[A-Za-z0-9_]{36,255}/g, label: "GitHub Token", severity: "critical" },
   { pattern: /github_pat_[A-Za-z0-9_]{22,255}/g, label: "GitHub PAT", severity: "critical" },
+  { pattern: /ghu_[A-Za-z0-9]{36,}/g, label: "GitHub User Token", severity: "critical" },
+  { pattern: /glpat-[A-Za-z0-9\-_]{20,}/g, label: "GitLab PAT", severity: "critical" },
+  { pattern: /glrt-[A-Za-z0-9\-_]{20,}/g, label: "GitLab Runner Token", severity: "critical" },
+  { pattern: /ATATT[A-Za-z0-9\-_+/=]{30,}/g, label: "Atlassian/Bitbucket Token", severity: "critical" },
   { pattern: /npm_[A-Za-z0-9]{36,}/g, label: "NPM Token", severity: "critical" },
+  { pattern: /pypi-[A-Za-z0-9\-_]{100,}/g, label: "PyPI API Token", severity: "critical" },
+  { pattern: /nuget\.org\/v3\/[A-Za-z0-9\-]{30,}/g, label: "NuGet API Key", severity: "critical" },
+  { pattern: /rubygems_[A-Za-z0-9]{48}/g, label: "RubyGems Token", severity: "critical" },
+  // ─── Communication ───
   { pattern: /xox[baprs]-[A-Za-z0-9\-]{10,}/g, label: "Slack Token", severity: "critical" },
+  { pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g, label: "Slack Webhook", severity: "high" },
+  { pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[A-Za-z0-9_\-]+/g, label: "Discord Webhook", severity: "high" },
+  { pattern: /[0-9]{8,}:[A-Za-z0-9_\-]{35}/g, label: "Telegram Bot Token", severity: "critical" },
+  { pattern: /EAA[A-Za-z0-9]{100,}/g, label: "Facebook Access Token", severity: "critical" },
+  // ─── Payment/Financial ───
   { pattern: /[spr]k_(?:live|test)_[A-Za-z0-9]{24,}/g, label: "Stripe Key", severity: "critical" },
+  { pattern: /whsec_[A-Za-z0-9]{32,}/g, label: "Stripe Webhook Secret", severity: "critical" },
+  { pattern: /sq0[a-z]{3}-[A-Za-z0-9\-_]{22,}/g, label: "Square Token", severity: "critical" },
+  { pattern: /access_token\$(?:sandbox|production)\$[a-z0-9]{16}\$[a-f0-9]{32}/g, label: "PayPal Token", severity: "critical" },
+  // ─── Messaging/Email ───
   { pattern: /SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{22,}/g, label: "SendGrid Key", severity: "critical" },
-  { pattern: /sk-ant-[A-Za-z0-9\-_]{20,}/g, label: "Anthropic Key", severity: "critical" },
-  { pattern: /sk-(?:proj-)?[A-Za-z0-9\-_]{20,}/g, label: "OpenAI Key", severity: "critical" },
-  { pattern: /AIzaSy[A-Za-z0-9_\-]{30,36}/g, label: "Google API Key", severity: "critical" },
+  { pattern: /key-[a-f0-9]{32}/g, label: "Mailgun Key", severity: "critical" },
+  { pattern: /re_[A-Za-z0-9]{20,}/g, label: "Resend API Key", severity: "critical" },
+  { pattern: /[a-f0-9]{32}-us[0-9]{1,2}/g, label: "Mailchimp Key", severity: "high" },
+  // ─── Infrastructure ───
+  { pattern: /SK[0-9a-fA-F]{32}/g, label: "Twilio Key", severity: "critical" },
+  { pattern: /AC[a-f0-9]{32}/g, label: "Twilio Account SID", severity: "high" },
+  { pattern: /dop_v1_[a-f0-9]{64}/g, label: "DigitalOcean Token", severity: "critical" },
+  { pattern: /do[po]_v1_[a-f0-9]{64}/g, label: "DigitalOcean PAT", severity: "critical" },
+  { pattern: /FLWSECK_TEST-[a-f0-9]{32}/g, label: "Flutterwave Secret", severity: "critical" },
+  { pattern: /vault:[a-z0-9_\-\/]+#[A-Za-z0-9_\-]{8,}/g, label: "Vault Path", severity: "high" },
+  { pattern: /AgEAAr[A-Za-z0-9+/=]{40,}/g, label: "Doppler Token", severity: "critical" },
+  // ─── CI/CD ───
+  { pattern: /v1\.[a-f0-9]{40}/g, label: "CircleCI Token", severity: "critical" },
+  { pattern: /tfp_[A-Za-z0-9]{40,}/g, label: "Terraform Cloud Token", severity: "critical" },
+  { pattern: /AstraCS:[A-Za-z0-9+/=]{40,}/g, label: "DataStax Token", severity: "critical" },
+  { pattern: /snyk[_-][a-f0-9\-]{36,}/gi, label: "Snyk Token", severity: "critical" },
+  // ─── Observability ───
+  { pattern: /https?:\/\/[a-f0-9]{32}@[^\s"']+\.sentry\.io/g, label: "Sentry DSN", severity: "high" },
+  { pattern: /dd[apt]_[A-Za-z0-9]{32,40}/g, label: "Datadog API Key", severity: "critical" },
+  { pattern: /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}:x-]?[a-f0-9]{8}/g, label: "New Relic Key", severity: "high" },
+  // ─── Database ───
+  { pattern: /(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp|mssql|cockroachdb):\/\/[^:]+:[^@\s]+@/gi, label: "Database Connection String", severity: "critical" },
+  { pattern: /redis:\/\/default:[^\s@]+@/gi, label: "Redis Password URL", severity: "critical" },
+  // ─── Crypto/Keys ───
   { pattern: /-----BEGIN (?:RSA |EC |DSA |ED25519 |OPENSSH )?PRIVATE KEY-----/g, label: "Private Key", severity: "critical" },
+  { pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/g, label: "PGP Private Key", severity: "critical" },
+  { pattern: /age1[a-z0-9]{58}/g, label: "Age Encryption Key", severity: "critical" },
+  // ─── Auth/Session ───
   { pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_\-+/=]{10,}/g, label: "JWT Token", severity: "high" },
-  { pattern: /(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp):\/\/[^:]+:[^@\s]+@/gi, label: "Database Connection String", severity: "critical" },
-  { pattern: /Bearer\s+[A-Za-z0-9_\-./+=]{20,}/g, label: "Bearer Token", severity: "high" }
+  { pattern: /Bearer\s+[A-Za-z0-9_\-./+=]{20,}/g, label: "Bearer Token", severity: "high" },
+  { pattern: /Basic\s+[A-Za-z0-9+/=]{20,}/g, label: "Basic Auth Credential", severity: "high" },
+  { pattern: /SAML[A-Za-z0-9+/=]{50,}/g, label: "SAML Token", severity: "high" },
+  // ─── Cloud-specific secrets ───
+  { pattern: /AccountKey=[A-Za-z0-9+/=]{86}==/g, label: "Azure Storage Key", severity: "critical" },
+  { pattern: /SharedAccessSignature=sv=[^&\s]{50,}/g, label: "Azure SAS Token", severity: "critical" },
+  { pattern: /DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[^;]+/g, label: "Azure Connection String", severity: "critical" },
+  { pattern: /AKCp[A-Za-z0-9]{50,}/g, label: "Artifactory Token", severity: "critical" },
+  // ─── Clerk (our own auth!) ───
+  { pattern: /sk_(?:live|test)_[A-Za-z0-9]{20,}/g, label: "Clerk Secret Key", severity: "critical" },
+  { pattern: /pk_(?:live|test)_[A-Za-z0-9]{20,}/g, label: "Clerk Publishable Key", severity: "medium" }
 ];
 function shannonEntropy(str) {
   if (str.length === 0) return 0;
@@ -3103,12 +3341,75 @@ function createPromptViolation(findings) {
     reason
   };
 }
+var LLM_SCAN_PROMPT = `You are a security scanner. Determine if the text below contains a secret, credential, API key, or sensitive token that should NOT be shared.
+
+Respond ONLY with JSON: {"isSecret": true/false, "confidence": 0.0-1.0, "label": "type if found"}
+
+Text to analyze:
+`;
+async function llmScanAmbiguous(text, config) {
+  if (!config.enabled || !config.apiUrl) {
+    return { isSecret: false, confidence: 0 };
+  }
+  const maxChars = config.maxInputChars || 500;
+  const truncated = text.length > maxChars ? text.slice(0, maxChars) : text;
+  try {
+    const res = await fetch(config.apiUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        model: config.model || "claude-haiku-4-5-20251001",
+        max_tokens: 80,
+        messages: [{ role: "user", content: LLM_SCAN_PROMPT + truncated }]
+      }),
+      signal: AbortSignal.timeout(3e3)
+    });
+    if (!res.ok) return { isSecret: false, confidence: 0 };
+    const data = await res.json();
+    const content = data.content?.[0]?.text || data.choices?.[0]?.message?.content || "";
+    const jsonMatch = content.match(/\{[^}]+\}/);
+    if (!jsonMatch) return { isSecret: false, confidence: 0 };
+    const parsed = JSON.parse(jsonMatch[0]);
+    return {
+      isSecret: parsed.isSecret === true,
+      confidence: typeof parsed.confidence === "number" ? parsed.confidence : 0,
+      label: parsed.label,
+      reasoning: parsed.reasoning
+    };
+  } catch {
+    return { isSecret: false, confidence: 0 };
+  }
+}
+async function scanWithLlmFallback(prompt, llmConfig) {
+  const regexResult = scanPromptForSecrets(prompt);
+  if (regexResult.hasSecrets || !llmConfig.enabled) {
+    return regexResult;
+  }
+  const hasAssignments = ENV_ASSIGNMENT.test(prompt);
+  ENV_ASSIGNMENT.lastIndex = 0;
+  const hasLongStrings = /[A-Za-z0-9_\-]{30,}/.test(prompt);
+  if (!hasAssignments && !hasLongStrings) {
+    return regexResult;
+  }
+  const llmResult = await llmScanAmbiguous(prompt, llmConfig);
+  if (llmResult.isSecret && llmResult.confidence >= 0.7) {
+    return {
+      hasSecrets: true,
+      findings: [{
+        label: llmResult.label || "LLM-detected secret",
+        severity: llmResult.confidence >= 0.9 ? "critical" : "high",
+        snippet: prompt.slice(0, 20) + "..."
+      }]
+    };
+  }
+  return regexResult;
+}
 
 // src/adapters/claude-code.ts
 import { createReadStream, existsSync as existsSync16, statSync as statSync8, readdirSync as readdirSync3 } from "fs";
 import { createInterface } from "readline";
-import { join as join15 } from "path";
-import { homedir as homedir12 } from "os";
+import { join as join16 } from "path";
+import { homedir as homedir13 } from "os";
 var ClaudeCodeAdapter = class {
   agentType = "claude-code";
   async extractEvents(source) {
@@ -3196,7 +3497,7 @@ var ClaudeCodeAdapter = class {
     const events = [];
     const files = readdirSync3(dirPath).filter((f) => f.endsWith(".jsonl"));
     for (const file of files) {
-      const filePath = join15(dirPath, file);
+      const filePath = join16(dirPath, file);
       if (since) {
         const stat = statSync8(filePath);
         if (stat.mtimeMs < since.getTime()) continue;
@@ -3221,20 +3522,20 @@ var ClaudeCodeAdapter = class {
   }
   static getProjectLogDir(projectPath) {
     const encoded = projectPath.replace(/\//g, "-");
-    const logDir = join15(homedir12(), ".claude", "projects", encoded);
+    const logDir = join16(homedir13(), ".claude", "projects", encoded);
     return existsSync16(logDir) ? logDir : null;
   }
   static getAllProjectDirs() {
-    const base = join15(homedir12(), ".claude", "projects");
+    const base = join16(homedir13(), ".claude", "projects");
     if (!existsSync16(base)) return [];
-    return readdirSync3(base).map((d) => join15(base, d)).filter((p) => statSync8(p).isDirectory());
+    return readdirSync3(base).map((d) => join16(base, d)).filter((p) => statSync8(p).isDirectory());
   }
 };
 
 // src/adapters/cursor.ts
 import { existsSync as existsSync17, readdirSync as readdirSync4, readFileSync as readFileSync12, statSync as statSync9 } from "fs";
-import { join as join16 } from "path";
-import { homedir as homedir13 } from "os";
+import { join as join17 } from "path";
+import { homedir as homedir14 } from "os";
 import { createRequire } from "module";
 var esmRequire = createRequire(import.meta.url);
 function loadSqlite() {
@@ -3287,7 +3588,7 @@ var CursorAdapter = class _CursorAdapter {
    */
   findVscdbFiles(baseDir) {
     const files = [];
-    const directDb = join16(baseDir, "state.vscdb");
+    const directDb = join17(baseDir, "state.vscdb");
     if (existsSync17(directDb)) {
       files.push(directDb);
       return files;
@@ -3295,11 +3596,11 @@ var CursorAdapter = class _CursorAdapter {
     try {
       const entries = readdirSync4(baseDir);
       for (const entry of entries) {
-        const entryPath = join16(baseDir, entry);
+        const entryPath = join17(baseDir, entry);
         try {
           const stat = statSync9(entryPath);
           if (stat.isDirectory()) {
-            const dbPath = join16(entryPath, "state.vscdb");
+            const dbPath = join17(entryPath, "state.vscdb");
             if (existsSync17(dbPath)) {
               files.push(dbPath);
             }
@@ -3620,14 +3921,14 @@ var CursorAdapter = class _CursorAdapter {
    * Uses offsets to only read new lines since last scan.
    */
   extractFromTranscripts(since, offsets) {
-    const projectsDir = join16(homedir13(), ".cursor", "projects");
+    const projectsDir = join17(homedir14(), ".cursor", "projects");
     if (!existsSync17(projectsDir)) return { events: [], newOffsets: offsets };
     const events = [];
     const newOffsets = { ...offsets };
     try {
       const projects = readdirSync4(projectsDir);
       for (const proj of projects) {
-        const transcriptsDir = join16(projectsDir, proj, "agent-transcripts");
+        const transcriptsDir = join17(projectsDir, proj, "agent-transcripts");
         if (!existsSync17(transcriptsDir)) continue;
         let sessionDirs;
         try {
@@ -3636,7 +3937,7 @@ var CursorAdapter = class _CursorAdapter {
           continue;
         }
         for (const sessionDir of sessionDirs) {
-          const jsonlPath = join16(transcriptsDir, sessionDir, `${sessionDir}.jsonl`);
+          const jsonlPath = join17(transcriptsDir, sessionDir, `${sessionDir}.jsonl`);
           if (!existsSync17(jsonlPath)) continue;
           if (since) {
             try {
@@ -3727,8 +4028,8 @@ var CursorAdapter = class _CursorAdapter {
    */
   static getLogPath() {
     const paths = [
-      join16(homedir13(), ".cursor", "User", "workspaceStorage"),
-      join16(homedir13(), "Library", "Application Support", "Cursor", "User", "workspaceStorage")
+      join17(homedir14(), ".cursor", "User", "workspaceStorage"),
+      join17(homedir14(), "Library", "Application Support", "Cursor", "User", "workspaceStorage")
     ];
     for (const p of paths) {
       if (existsSync17(p)) return p;
@@ -3742,7 +4043,7 @@ var CursorAdapter = class _CursorAdapter {
     const base = _CursorAdapter.getLogPath();
     if (!base) return [];
     try {
-      return readdirSync4(base).map((d) => join16(base, d)).filter((p) => {
+      return readdirSync4(base).map((d) => join17(base, d)).filter((p) => {
         try {
           return statSync9(p).isDirectory();
         } catch {
@@ -3757,16 +4058,17 @@ var CursorAdapter = class _CursorAdapter {
    * Returns the Cursor projects directory for transcript scanning.
    */
   static getProjectsDir() {
-    const dir = join16(homedir13(), ".cursor", "projects");
+    const dir = join17(homedir14(), ".cursor", "projects");
     return existsSync17(dir) ? dir : null;
   }
 };
 
 // src/adapters/codex.ts
 import { existsSync as existsSync18, readdirSync as readdirSync5, readFileSync as readFileSync13, statSync as statSync10 } from "fs";
-import { join as join17 } from "path";
-import { homedir as homedir14 } from "os";
-var CodexAdapter = class {
+import { join as join18 } from "path";
+import { homedir as homedir15 } from "os";
+var MAX_FILE_SIZE = 50 * 1024 * 1024;
+var CodexAdapter = class _CodexAdapter {
   agentType = "codex";
   async extractEvents(source) {
     if (source.kind === "directory") {
@@ -3774,6 +4076,22 @@ var CodexAdapter = class {
     }
     return [];
   }
+  extractWithOffsets(since, offsets = {}) {
+    const basePath = _CodexAdapter.getSessionsDir();
+    if (!basePath) return { events: [], newOffsets: offsets };
+    const events = [];
+    const newOffsets = { ...offsets };
+    const files = this.findSessionFiles(basePath);
+    for (const filePath of files) {
+      const prevOffset = offsets[filePath] || 0;
+      const { events: fileEvents, newOffset } = this.readSessionFileWithOffset(filePath, prevOffset, since);
+      events.push(...fileEvents);
+      if (newOffset > prevOffset) {
+        newOffsets[filePath] = newOffset;
+      }
+    }
+    return { events, newOffsets };
+  }
   readSessionsDir(basePath, since) {
     if (!existsSync18(basePath)) return [];
     const events = [];
@@ -3784,20 +4102,19 @@ var CodexAdapter = class {
     }
     return events;
   }
-  findSessionFiles(basePath, since) {
+  findSessionFiles(basePath, _since) {
     const files = [];
     const walk = (dir) => {
       try {
         for (const entry of readdirSync5(dir)) {
-          const full = join17(dir, entry);
+          const full = join18(dir, entry);
           try {
             const stat = statSync10(full);
             if (stat.isDirectory()) {
               walk(full);
             } else if (entry.endsWith(".jsonl")) {
-              if (!since || stat.mtimeMs >= since.getTime()) {
-                files.push(full);
-              }
+              if (stat.size > MAX_FILE_SIZE) continue;
+              files.push(full);
             }
           } catch {
           }
@@ -3808,6 +4125,120 @@ var CodexAdapter = class {
     walk(basePath);
     return files;
   }
+  readSessionFileWithOffset(filePath, lineOffset, since) {
+    const events = [];
+    let content;
+    try {
+      content = readFileSync13(filePath, "utf-8");
+    } catch {
+      return { events, newOffset: lineOffset };
+    }
+    const lines = content.split("\n").filter((l) => l.trim());
+    const sessionId = this.sessionIdFromPath(filePath);
+    let cwd;
+    for (let i = 0; i < lines.length; i++) {
+      let entry;
+      try {
+        entry = JSON.parse(lines[i]);
+      } catch {
+        continue;
+      }
+      if (entry.type === "turn_context" && entry.payload?.cwd) {
+        cwd = entry.payload.cwd;
+      }
+      if (i < lineOffset) continue;
+      if (since && entry.timestamp) {
+        const entryTime = new Date(entry.timestamp).getTime();
+        if (entryTime <= since.getTime()) continue;
+      }
+      const ptype = entry.payload?.type;
+      if (ptype === "user_message" && entry.payload.message) {
+        const msg = entry.payload.message.trim();
+        if (msg.length > 0) {
+          events.push({
+            sessionId,
+            type: "user_prompt",
+            prompt: msg.slice(0, 1e4),
+            timestamp: entry.timestamp,
+            cwd,
+            agentType: "codex"
+          });
+        }
+      }
+      if (ptype === "function_call" && entry.payload.name) {
+        let toolInput;
+        if (entry.payload.arguments) {
+          try {
+            toolInput = JSON.parse(entry.payload.arguments);
+          } catch {
+            toolInput = { raw: entry.payload.arguments };
+          }
+        }
+        events.push({
+          sessionId,
+          type: "pre_tool_use",
+          toolName: entry.payload.name,
+          toolInput,
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "function_call_output" && entry.payload.output) {
+        events.push({
+          sessionId,
+          type: "post_tool_use",
+          toolName: entry.payload.call_id || "unknown",
+          toolOutput: entry.payload.output.slice(0, 1e4),
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "web_search_end" || ptype === "web_search_call") {
+        const action = entry.payload.action;
+        events.push({
+          sessionId,
+          type: "pre_tool_use",
+          toolName: "web_search",
+          toolInput: action ? { query: action.query, type: action.type } : void 0,
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "agent_message" && entry.payload.message) {
+        events.push({
+          sessionId,
+          type: "response",
+          toolOutput: entry.payload.message.slice(0, 1e4),
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "token_count") {
+        const p = entry.payload;
+        if (p.input_tokens || p.output_tokens) {
+          events.push({
+            sessionId,
+            type: "usage",
+            timestamp: entry.timestamp,
+            cwd,
+            agentType: "codex",
+            usage: {
+              model: p.model || "unknown",
+              inputTokens: p.input_tokens || 0,
+              outputTokens: p.output_tokens || 0,
+              cacheReadTokens: p.cache_read_tokens || 0,
+              cacheWriteTokens: p.cache_write_tokens || 0
+            }
+          });
+        }
+      }
+    }
+    return { events, newOffset: lines.length };
+  }
   readSessionFile(filePath, since) {
     const events = [];
     let content;
@@ -3831,7 +4262,7 @@ var CodexAdapter = class {
         if (entryTime <= since.getTime()) continue;
       }
       const ptype = entry.payload?.type;
-      if (ptype === "turn_context" && entry.payload.cwd) {
+      if (entry.type === "turn_context" && entry.payload?.cwd) {
         cwd = entry.payload.cwd;
       }
       if (ptype === "user_message" && entry.payload.message) {
@@ -3877,6 +4308,47 @@ var CodexAdapter = class {
           agentType: "codex"
         });
       }
+      if (ptype === "web_search_end" || ptype === "web_search_call") {
+        const action = entry.payload.action;
+        events.push({
+          sessionId,
+          type: "pre_tool_use",
+          toolName: "web_search",
+          toolInput: action ? { query: action.query, type: action.type } : void 0,
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "agent_message" && entry.payload.message) {
+        events.push({
+          sessionId,
+          type: "response",
+          toolOutput: entry.payload.message.slice(0, 1e4),
+          timestamp: entry.timestamp,
+          cwd,
+          agentType: "codex"
+        });
+      }
+      if (ptype === "token_count") {
+        const p = entry.payload;
+        if (p.input_tokens || p.output_tokens) {
+          events.push({
+            sessionId,
+            type: "usage",
+            timestamp: entry.timestamp,
+            cwd,
+            agentType: "codex",
+            usage: {
+              model: p.model || "unknown",
+              inputTokens: p.input_tokens || 0,
+              outputTokens: p.output_tokens || 0,
+              cacheReadTokens: p.cache_read_tokens || 0,
+              cacheWriteTokens: p.cache_write_tokens || 0
+            }
+          });
+        }
+      }
     }
     return events;
   }
@@ -3886,13 +4358,13 @@ var CodexAdapter = class {
     return match ? `codex-${match[1].slice(0, 8)}` : `codex-${filename.replace(".jsonl", "").slice(-8)}`;
   }
   static getSessionsDir() {
-    const dir = join17(homedir14(), ".codex", "sessions");
+    const dir = join18(homedir15(), ".codex", "sessions");
     return existsSync18(dir) ? dir : null;
   }
 };
 
 // src/adapters/index.ts
-var STATE_FILE = join18(getImdlDir(), "adapter-state.json");
+var STATE_FILE = join19(getImdlDir(), "adapter-state.json");
 function loadState() {
   try {
     if (existsSync19(STATE_FILE)) {
@@ -3904,7 +4376,7 @@ function loadState() {
 }
 function saveState(state) {
   ensureImdlDir();
-  writeFileSync6(STATE_FILE, JSON.stringify(state, null, 2), { mode: 384 });
+  writeFileSync7(STATE_FILE, JSON.stringify(state, null, 2), { mode: 384 });
 }
 var adapters = [
   new ClaudeCodeAdapter(),
@@ -3934,16 +4406,18 @@ async function collectPrompts() {
       path: dir,
       since: new Date(state.lastRun)
     });
-    const usageBySession = /* @__PURE__ */ new Map();
+    const usageBySessionDay = /* @__PURE__ */ new Map();
     for (const event of events) {
       if (event.usage) {
-        const existing = usageBySession.get(event.sessionId) || { model: event.usage.model, input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
+        const date = event.timestamp ? event.timestamp.slice(0, 10) : (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+        const key = `${event.sessionId}|${date}`;
+        const existing = usageBySessionDay.get(key) || { model: event.usage.model, input: 0, output: 0, cacheRead: 0, cacheWrite: 0, date };
         existing.model = event.usage.model;
         existing.input += event.usage.inputTokens;
         existing.output += event.usage.outputTokens;
         existing.cacheRead += event.usage.cacheReadTokens;
         existing.cacheWrite += event.usage.cacheWriteTokens;
-        usageBySession.set(event.sessionId, existing);
+        usageBySessionDay.set(key, existing);
         continue;
       }
       let violation;
@@ -3966,7 +4440,8 @@ async function collectPrompts() {
       appendEvent(buffered);
       collected++;
     }
-    for (const [sessionId, usage] of usageBySession) {
+    for (const [key, usage] of usageBySessionDay) {
+      const sessionId = key.split("|")[0];
       try {
         await fetch(`${config.apiUrl}/api/sessions/${sessionId}/usage`, {
           method: "POST",
@@ -3979,20 +4454,22 @@ async function collectPrompts() {
     }
   }
   const cursorAdapter = new CursorAdapter();
-  const cursorUsageBySession = /* @__PURE__ */ new Map();
+  const cursorUsageBySessionDay = /* @__PURE__ */ new Map();
   if (CursorAdapter.getProjectsDir()) {
     try {
       const { events: transcriptEvents, newOffsets } = cursorAdapter.extractFromTranscripts(new Date(state.lastRun), state.offsets);
       state.offsets = newOffsets;
       for (const event of transcriptEvents) {
         if (event.usage) {
-          const existing = cursorUsageBySession.get(event.sessionId) || { model: event.usage.model, input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
+          const date = event.timestamp ? event.timestamp.slice(0, 10) : (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+          const key = `${event.sessionId}|${date}`;
+          const existing = cursorUsageBySessionDay.get(key) || { model: event.usage.model, input: 0, output: 0, cacheRead: 0, cacheWrite: 0, date };
           existing.model = event.usage.model;
           existing.input += event.usage.inputTokens;
           existing.output += event.usage.outputTokens;
           existing.cacheRead += event.usage.cacheReadTokens;
           existing.cacheWrite += event.usage.cacheWriteTokens;
-          cursorUsageBySession.set(event.sessionId, existing);
+          cursorUsageBySessionDay.set(key, existing);
           continue;
         }
         let violation;
@@ -4054,7 +4531,8 @@ async function collectPrompts() {
       }
     }
   }
-  for (const [sessionId, usage] of cursorUsageBySession) {
+  for (const [key, usage] of cursorUsageBySessionDay) {
+    const sessionId = key.split("|")[0];
     try {
       await fetch(`${config.apiUrl}/api/sessions/${sessionId}/usage`, {
         method: "POST",
@@ -4069,11 +4547,13 @@ async function collectPrompts() {
   if (codexSessionsDir) {
     try {
       const codexAdapter = new CodexAdapter();
-      const codexEvents = await codexAdapter.extractEvents({
-        kind: "directory",
-        path: codexSessionsDir,
-        since: new Date(state.lastRun)
-      });
+      const { events: codexEvents, newOffsets: codexOffsets } = codexAdapter.extractWithOffsets(
+        new Date(state.lastRun),
+        state.offsets
+      );
+      for (const [k, v] of Object.entries(codexOffsets)) {
+        state.offsets[k] = v;
+      }
       for (const event of codexEvents) {
         let violation;
         if (event.prompt) {
@@ -4087,7 +4567,7 @@ async function collectPrompts() {
           type: event.type,
           toolName: event.toolName,
           toolInput: event.toolInput ? redactObject(event.toolInput) : void 0,
-          toolOutput: event.toolOutput ? redactObject(event.toolOutput) : void 0,
+          toolOutput: event.toolOutput ? String(typeof event.toolOutput === "string" ? redactObject(event.toolOutput) : JSON.stringify(redactObject(event.toolOutput))) : void 0,
           prompt: event.prompt ? redactObject(event.prompt) : void 0,
           timestamp: event.timestamp,
           cwd: event.cwd,
@@ -4124,8 +4604,8 @@ async function collectCommand() {
 
 // src/commands/daemon.ts
 import pc7 from "picocolors";
-import { existsSync as existsSync20, readFileSync as readFileSync15, writeFileSync as writeFileSync7 } from "fs";
-import { join as join19 } from "path";
+import { existsSync as existsSync20, readFileSync as readFileSync15, writeFileSync as writeFileSync8 } from "fs";
+import { join as join20 } from "path";
 var INTERVAL_MS = 3e4;
 async function daemonCommand() {
   console.log(pc7.cyan("imdl daemon started \u2014 collecting every 30s"));
@@ -4148,7 +4628,7 @@ async function daemonCommand() {
   setInterval(tick, INTERVAL_MS);
 }
 async function ingestAgentEvents() {
-  const agentLog = join19(getBufferDir(), "agent-events.ndjson");
+  const agentLog = join20(getBufferDir(), "agent-events.ndjson");
   if (!existsSync20(agentLog)) return 0;
   const content = readFileSync15(agentLog, "utf-8").trim();
   if (!content) return 0;
@@ -4198,12 +4678,12 @@ async function ingestAgentEvents() {
     }
   }
   if (sent === apiEvents.length) {
-    writeFileSync7(agentLog, "", { mode: 384 });
+    writeFileSync8(agentLog, "", { mode: 384 });
   }
   return sent;
 }
 async function ingestShellEvents() {
-  const shellLog = join19(getBufferDir(), "shell-events.ndjson");
+  const shellLog = join20(getBufferDir(), "shell-events.ndjson");
   if (!existsSync20(shellLog)) return 0;
   const content = readFileSync15(shellLog, "utf-8").trim();
   if (!content) return 0;
@@ -4242,7 +4722,7 @@ async function ingestShellEvents() {
     }
   }
   if (sent === apiEvents.length) {
-    writeFileSync7(shellLog, "", { mode: 384 });
+    writeFileSync8(shellLog, "", { mode: 384 });
   }
   return sent;
 }
@@ -4310,8 +4790,8 @@ async function requestCommand(options) {
 // src/commands/lock.ts
 import pc9 from "picocolors";
 import { createHash as createHash2 } from "crypto";
-import { readFileSync as readFileSync16, writeFileSync as writeFileSync8, existsSync as existsSync21 } from "fs";
-import { join as join20, resolve as resolve3 } from "path";
+import { readFileSync as readFileSync16, writeFileSync as writeFileSync9, existsSync as existsSync21 } from "fs";
+import { join as join21, resolve as resolve3 } from "path";
 var LOCKFILE_NAME = "mcp-lock.json";
 function computeIntegrity(server, identity) {
   const payload = JSON.stringify({
@@ -4326,7 +4806,7 @@ function computeIntegrity(server, identity) {
 }
 function getLockfilePath(customPath) {
   if (customPath) return resolve3(customPath);
-  return join20(process.cwd(), LOCKFILE_NAME);
+  return join21(process.cwd(), LOCKFILE_NAME);
 }
 async function lockCommand(options) {
   const detection = await detectMCPConfigs(options.path);
@@ -4373,7 +4853,7 @@ async function lockCommand(options) {
     servers: entries
   };
   const lockPath = getLockfilePath(options.output);
-  writeFileSync8(lockPath, JSON.stringify(lockfile, null, 2), { mode: 420 });
+  writeFileSync9(lockPath, JSON.stringify(lockfile, null, 2), { mode: 420 });
   if (options.json) {
     console.log(JSON.stringify(lockfile, null, 2));
   } else {
@@ -4817,12 +5297,12 @@ async function checkCompliance(developerId) {
 }
 
 // src/permissions/fixer.ts
-import { existsSync as existsSync22, readFileSync as readFileSync17, writeFileSync as writeFileSync9 } from "fs";
-import { join as join21 } from "path";
-import { homedir as homedir15 } from "os";
+import { existsSync as existsSync22, readFileSync as readFileSync17, writeFileSync as writeFileSync10 } from "fs";
+import { join as join22 } from "path";
+import { homedir as homedir16 } from "os";
 function buildFixesFromChanges(changes) {
   const fixes = [];
-  const home = homedir15();
+  const home = homedir16();
   for (const change of changes) {
     const fix = buildFixForAgent(change, home);
     if (fix) fixes.push(fix);
@@ -4832,7 +5312,7 @@ function buildFixesFromChanges(changes) {
 function buildFixForAgent(change, home) {
   const { agentType, category, action, targetGrant } = change;
   if (agentType === "claude-code") {
-    const configPath = join21(home, ".claude", "settings.json");
+    const configPath = join22(home, ".claude", "settings.json");
     if (!existsSync22(configPath)) return null;
     try {
       const settings = JSON.parse(readFileSync17(configPath, "utf-8"));
@@ -4863,7 +5343,7 @@ function buildFixForAgent(change, home) {
     }
   }
   if (agentType === "cursor") {
-    const configPath = join21(home, ".cursor", "settings.json");
+    const configPath = join22(home, ".cursor", "settings.json");
     if (!existsSync22(configPath)) return null;
     try {
       const settings = JSON.parse(readFileSync17(configPath, "utf-8"));
@@ -4875,7 +5355,7 @@ function buildFixForAgent(change, home) {
     }
   }
   if (agentType === "codex") {
-    const configPath = join21(home, ".codex", "config.json");
+    const configPath = join22(home, ".codex", "config.json");
     if (!existsSync22(configPath)) return null;
     try {
       const config = JSON.parse(readFileSync17(configPath, "utf-8"));
@@ -4887,7 +5367,7 @@ function buildFixForAgent(change, home) {
     }
   }
   if (agentType === "copilot") {
-    const configPath = join21(home, "Library", "Application Support", "Code", "User", "settings.json");
+    const configPath = join22(home, "Library", "Application Support", "Code", "User", "settings.json");
     if (!existsSync22(configPath)) return null;
     try {
       const settings = JSON.parse(readFileSync17(configPath, "utf-8"));
@@ -4900,7 +5380,7 @@ function buildFixForAgent(change, home) {
   }
   if (agentType === "windsurf") {
     if (category === "mcp_tools") {
-      const configPath = join21(home, ".windsurf", "mcp.json");
+      const configPath = join22(home, ".windsurf", "mcp.json");
       if (!existsSync22(configPath)) return null;
       try {
         const config = JSON.parse(readFileSync17(configPath, "utf-8"));
@@ -4970,7 +5450,7 @@ function applyFix(fix) {
       }
     }
     if (modified) {
-      writeFileSync9(fix.configPath, JSON.stringify(config, null, 2) + "\n");
+      writeFileSync10(fix.configPath, JSON.stringify(config, null, 2) + "\n");
       return { fix, applied: true };
     }
     return { fix, applied: false, error: "No changes needed" };
@@ -5207,13 +5687,13 @@ function grantLevel(grant) {
 
 // src/commands/gateway.ts
 import pc12 from "picocolors";
-import { existsSync as existsSync23, readFileSync as readFileSync18, writeFileSync as writeFileSync10, mkdirSync as mkdirSync3 } from "fs";
-import { join as join22 } from "path";
-import { homedir as homedir16 } from "os";
+import { existsSync as existsSync23, readFileSync as readFileSync18, writeFileSync as writeFileSync11, mkdirSync as mkdirSync3 } from "fs";
+import { join as join23 } from "path";
+import { homedir as homedir17 } from "os";
 import { execSync as execSync2, spawn } from "child_process";
-var IMDL_DIR3 = join22(homedir16(), ".imdl");
-var GATEWAY_CONFIG = join22(IMDL_DIR3, "gateway.toml");
-var GATEWAY_PID_FILE = join22(IMDL_DIR3, "gateway.pid");
+var IMDL_DIR3 = join23(homedir17(), ".imdl");
+var GATEWAY_CONFIG = join23(IMDL_DIR3, "gateway.toml");
+var GATEWAY_PID_FILE = join23(IMDL_DIR3, "gateway.pid");
 var DEFAULT_PORT = 9443;
 async function gatewayCommand(opts) {
   const status = await getGatewayStatus();
@@ -5289,7 +5769,7 @@ async function gatewayStartCommand(opts) {
     child.unref();
     if (child.pid) {
       if (!existsSync23(IMDL_DIR3)) mkdirSync3(IMDL_DIR3, { recursive: true });
-      writeFileSync10(GATEWAY_PID_FILE, String(child.pid));
+      writeFileSync11(GATEWAY_PID_FILE, String(child.pid));
       console.log(pc12.green(`Gateway started (PID ${child.pid}, port ${port})`));
       console.log(pc12.dim(`  Config: ${GATEWAY_CONFIG}`));
       console.log(pc12.dim(`  Set ANTHROPIC_BASE_URL=http://127.0.0.1:${port} to intercept traffic`));
@@ -5348,7 +5828,7 @@ async function gatewayDisableCommand(opts) {
   console.log(pc12.dim("Restart gateway for changes to take effect."));
 }
 async function gatewayAlertsCommand(opts) {
-  const logPath = join22(IMDL_DIR3, "gateway-alerts.jsonl");
+  const logPath = join23(IMDL_DIR3, "gateway-alerts.jsonl");
   if (!existsSync23(logPath)) {
     console.log(pc12.dim("No alerts logged yet."));
     return;
@@ -5387,9 +5867,26 @@ async function gatewayAlertsCommand(opts) {
     }
   }
 }
-async function gatewayCostCommand(opts) {
+async function gatewayDashboardCommand() {
   const port = getConfiguredPort();
-  let data;
+  const url = `http://127.0.0.1:${port}/dashboard`;
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 2e3);
+    const res = await fetch(`http://127.0.0.1:${port}/health`, { signal: controller.signal });
+    clearTimeout(timeout);
+    if (!res.ok) throw new Error();
+  } catch {
+    console.log(pc12.red("Gateway is not running. Start it first: `imdl gateway start`"));
+    return;
+  }
+  console.log(pc12.green(`Opening dashboard: ${url}`));
+  const { exec } = await import("child_process");
+  exec(`open "${url}"`);
+}
+async function gatewayCostCommand(opts) {
+  const port = getConfiguredPort();
+  let data;
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 2e3);
@@ -5483,9 +5980,9 @@ function getConfiguredPort() {
 }
 function findGatewayBinary() {
   const candidates = [
-    join22(process.cwd(), "target", "release", "imdl-gateway"),
-    join22(process.cwd(), "..", "ai-gateway", "target", "release", "imdl-gateway"),
-    join22(homedir16(), ".imdl", "bin", "imdl-gateway")
+    join23(process.cwd(), "target", "release", "imdl-gateway"),
+    join23(process.cwd(), "..", "ai-gateway", "target", "release", "imdl-gateway"),
+    join23(homedir17(), ".imdl", "bin", "imdl-gateway")
   ];
   for (const path of candidates) {
     if (existsSync23(path)) return path;
@@ -5526,7 +6023,7 @@ openai_url = "https://api.openai.com"
 [audit]
 enabled = true
 `;
-  writeFileSync10(GATEWAY_CONFIG, defaultToml, { mode: 384 });
+  writeFileSync11(GATEWAY_CONFIG, defaultToml, { mode: 384 });
 }
 function normalizeModule(input) {
   const map = {
@@ -5549,7 +6046,7 @@ function loadGatewayToml() {
   return readFileSync18(GATEWAY_CONFIG, "utf-8");
 }
 function saveGatewayToml(content) {
-  writeFileSync10(GATEWAY_CONFIG, content, { mode: 384 });
+  writeFileSync11(GATEWAY_CONFIG, content, { mode: 384 });
 }
 function setModuleEnabled(content, module, enabled) {
   const sectionRegex = new RegExp(`(\\[${module}\\][^\\[]*?)enabled\\s*=\\s*(true|false)`, "s");
@@ -5563,6 +6060,153 @@ function printModule(name, enabled, mode) {
   const modeStr = mode ? pc12.dim(` (${mode})`) : "";
   console.log(`    ${icon} ${name}${modeStr}`);
 }
+async function gatewayActivateCommand(opts = {}) {
+  const port = getConfiguredPort();
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 3e3);
+    const res = await fetch(`http://127.0.0.1:${port}/health`, { signal: controller.signal });
+    clearTimeout(timeout);
+    if (!res.ok) {
+      console.log(pc12.red("Gateway is not responding. Start it first: `imdl gateway start`"));
+      return;
+    }
+  } catch {
+    console.log(pc12.red(`Cannot reach gateway on port ${port}. Start it first: \`imdl gateway start\``));
+    return;
+  }
+  if (opts.copilot) {
+    activateCopilot(port);
+    return;
+  }
+  const claudeSettings = getClaudeSettingsPath();
+  if (!claudeSettings) {
+    console.log(pc12.red("Claude Code settings not found at ~/.claude/settings.json"));
+    return;
+  }
+  let settings;
+  try {
+    settings = JSON.parse(readFileSync18(claudeSettings, "utf-8"));
+  } catch {
+    console.log(pc12.red("Could not parse Claude Code settings."));
+    return;
+  }
+  if (!settings.env) settings.env = {};
+  settings.env.ANTHROPIC_BEDROCK_BASE_URL = `http://127.0.0.1:${port}`;
+  if (opts.codex) {
+    settings.env.OPENAI_BASE_URL = `http://127.0.0.1:${port}`;
+    updateCodexConfig(port, true);
+  }
+  writeFileSync11(claudeSettings, JSON.stringify(settings, null, 2) + "\n");
+  console.log(pc12.green("Gateway activated for Claude Code"));
+  console.log(pc12.dim(`  ANTHROPIC_BEDROCK_BASE_URL \u2192 http://127.0.0.1:${port}`));
+  if (opts.codex) {
+    console.log(pc12.dim(`  OPENAI_BASE_URL \u2192 http://127.0.0.1:${port}`));
+    console.log(pc12.dim("  Codex WebSocket traffic will also route through the gateway."));
+  }
+  console.log(pc12.dim("  New Claude Code sessions will route through the gateway."));
+  console.log(pc12.dim("  Run `imdl gateway deactivate` to revert immediately."));
+  console.log("");
+  console.log(pc12.yellow("  \u26A0 Current session is unaffected. Only NEW sessions use the gateway."));
+  console.log(pc12.yellow("  \u26A0 If gateway goes down, run `imdl gateway deactivate` to restore direct access."));
+}
+function activateCopilot(port) {
+  const caCertPath = join23(homedir17(), ".imdl", "gateway-ca.pem");
+  if (!existsSync23(caCertPath)) {
+    console.log(pc12.red("CA certificate not found at " + caCertPath));
+    console.log(pc12.dim("The gateway generates this automatically on startup."));
+    console.log(pc12.dim("Start the gateway first: `imdl gateway start`"));
+    return;
+  }
+  console.log("");
+  console.log(pc12.bold(pc12.cyan("Copilot Gateway Activation")));
+  console.log(pc12.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log("");
+  console.log(pc12.green("CA certificate: ") + caCertPath);
+  console.log("");
+  console.log(pc12.bold("  VS Code Settings (settings.json):"));
+  console.log("");
+  console.log(pc12.cyan("  {"));
+  console.log(pc12.cyan(`    "http.proxy": "http://127.0.0.1:${port}",`));
+  console.log(pc12.cyan('    "http.proxyStrictSSL": false'));
+  console.log(pc12.cyan("  }"));
+  console.log("");
+  console.log(pc12.bold("  OR use NODE_EXTRA_CA_CERTS (strict TLS):"));
+  console.log("");
+  console.log(pc12.cyan(`  export NODE_EXTRA_CA_CERTS="${caCertPath}"`));
+  console.log("");
+  console.log(pc12.dim("  Then set the proxy in VS Code settings:"));
+  console.log(pc12.cyan(`    "http.proxy": "http://127.0.0.1:${port}"`));
+  console.log("");
+  console.log(pc12.bold("  What happens:"));
+  console.log(pc12.dim("  - Copilot traffic (api.githubcopilot.com) is intercepted"));
+  console.log(pc12.dim("  - Context optimization reduces token usage"));
+  console.log(pc12.dim("  - Cost tracking reports Copilot spend"));
+  console.log(pc12.dim("  - All other HTTPS traffic tunnels through transparently"));
+  console.log("");
+}
+async function gatewayDeactivateCommand() {
+  const claudeSettings = getClaudeSettingsPath();
+  if (!claudeSettings) {
+    console.log(pc12.red("Claude Code settings not found at ~/.claude/settings.json"));
+    return;
+  }
+  let settings;
+  try {
+    settings = JSON.parse(readFileSync18(claudeSettings, "utf-8"));
+  } catch {
+    console.log(pc12.red("Could not parse Claude Code settings."));
+    return;
+  }
+  if (settings.env) {
+    delete settings.env.ANTHROPIC_BEDROCK_BASE_URL;
+    delete settings.env.ANTHROPIC_BASE_URL;
+    delete settings.env.OPENAI_BASE_URL;
+  }
+  writeFileSync11(claudeSettings, JSON.stringify(settings, null, 2) + "\n");
+  updateCodexConfig(0, false);
+  console.log(pc12.green("Gateway deactivated"));
+  console.log(pc12.dim("  Claude Code will connect directly to Bedrock/Anthropic (no gateway)."));
+  console.log(pc12.dim("  Codex will connect directly to OpenAI (no gateway)."));
+  console.log(pc12.dim("  Existing sessions are unaffected \u2014 only new sessions pick up this change."));
+}
+function getClaudeSettingsPath() {
+  const candidates = [
+    join23(homedir17(), ".claude", "settings.json")
+  ];
+  for (const p of candidates) {
+    if (existsSync23(p)) return p;
+  }
+  return null;
+}
+function updateCodexConfig(port, enable) {
+  const codexConfig = join23(homedir17(), ".codex", "config.toml");
+  if (!existsSync23(codexConfig)) return;
+  try {
+    let content = readFileSync18(codexConfig, "utf-8");
+    if (enable) {
+      if (content.includes("# openai_base_url")) {
+        content = content.replace(/# *openai_base_url *= *"[^"]*"/, `openai_base_url = "http://127.0.0.1:${port}"`);
+      } else if (content.includes("openai_base_url")) {
+        content = content.replace(/openai_base_url *= *"[^"]*"/, `openai_base_url = "http://127.0.0.1:${port}"`);
+      } else {
+        if (content.includes("[model_providers]")) {
+          content = content.replace("[model_providers]", `openai_base_url = "http://127.0.0.1:${port}"
+
+[model_providers]`);
+        } else {
+          content += `
+openai_base_url = "http://127.0.0.1:${port}"
+`;
+        }
+      }
+    } else {
+      content = content.replace(/^(openai_base_url *= *"[^"]*")/m, "# $1");
+    }
+    writeFileSync11(codexConfig, content);
+  } catch {
+  }
+}
 function formatUptime(seconds) {
   if (seconds < 60) return `${seconds}s`;
   if (seconds < 3600) return `${Math.floor(seconds / 60)}m ${seconds % 60}s`;
@@ -5571,24 +6215,712 @@ function formatUptime(seconds) {
   return `${h}h ${m}m`;
 }
 
+// src/commands/sync-history.ts
+import { createReadStream as createReadStream2, existsSync as existsSync24, readdirSync as readdirSync6, statSync as statSync11 } from "fs";
+import { createInterface as createInterface2 } from "readline";
+import { join as join24 } from "path";
+import { homedir as homedir18 } from "os";
+import pc13 from "picocolors";
+var BATCH_SIZE2 = 50;
+var SEND_TIMEOUT = 15e3;
+async function syncHistoryCommand(opts) {
+  const config = loadConfig();
+  if (!config.apiUrl || !config.developerId) {
+    console.log(pc13.red("Not configured. Run `imdl init` first."));
+    return;
+  }
+  const days = parseInt(opts.days || "30", 10);
+  const since = new Date(Date.now() - days * 864e5);
+  const agentFilter = opts.agent?.toLowerCase();
+  console.log(pc13.bold("Syncing historical session data"));
+  console.log(pc13.dim(`  Period: last ${days} days (since ${since.toISOString().split("T")[0]})`));
+  console.log(pc13.dim(`  Agent filter: ${agentFilter || "all"}`));
+  if (opts.dryRun) console.log(pc13.yellow("  DRY RUN \u2014 no data will be sent"));
+  console.log("");
+  const stats = {
+    filesScanned: 0,
+    filesSkipped: 0,
+    eventsProcessed: 0,
+    eventsSent: 0,
+    violationsFound: 0,
+    secretsFound: 0,
+    errors: 0,
+    bytesProcessed: 0
+  };
+  const sessionFiles = [];
+  if (!agentFilter || agentFilter === "claude-code" || agentFilter === "claude") {
+    const claudeDirs = ClaudeCodeAdapter.getAllProjectDirs();
+    for (const dir of claudeDirs) {
+      const sessionsDir = join24(dir, "sessions");
+      if (!existsSync24(sessionsDir)) continue;
+      for (const file of safeReaddir(sessionsDir)) {
+        if (!file.endsWith(".jsonl")) continue;
+        const full = join24(sessionsDir, file);
+        const stat = safeStat(full);
+        if (!stat) continue;
+        if (stat.mtimeMs < since.getTime()) continue;
+        sessionFiles.push({ path: full, agent: "claude-code", size: stat.size });
+      }
+    }
+  }
+  if (!agentFilter || agentFilter === "codex") {
+    const codexDir = join24(homedir18(), ".codex", "sessions");
+    if (existsSync24(codexDir)) {
+      const files = findJsonlFiles(codexDir, since);
+      for (const f of files) {
+        const stat = safeStat(f);
+        if (stat) sessionFiles.push({ path: f, agent: "codex", size: stat.size });
+      }
+    }
+  }
+  if (!agentFilter || agentFilter === "cursor") {
+    const cursorProjects = join24(homedir18(), ".cursor", "projects");
+    if (existsSync24(cursorProjects)) {
+      const files = findJsonlFiles(cursorProjects, since);
+      for (const f of files) {
+        const stat = safeStat(f);
+        if (stat) sessionFiles.push({ path: f, agent: "cursor", size: stat.size });
+      }
+    }
+  }
+  const totalSize = sessionFiles.reduce((sum, f) => sum + f.size, 0);
+  console.log(pc13.dim(`Found ${sessionFiles.length} session files (${formatBytes2(totalSize)})`));
+  console.log("");
+  if (sessionFiles.length === 0) {
+    console.log(pc13.dim("No session files found for the specified period."));
+    return;
+  }
+  for (let i = 0; i < sessionFiles.length; i++) {
+    const { path: filePath, agent, size } = sessionFiles[i];
+    const shortPath = filePath.replace(homedir18(), "~");
+    const progress = `[${i + 1}/${sessionFiles.length}]`;
+    process.stdout.write(`${pc13.dim(progress)} ${shortPath} (${formatBytes2(size)})...`);
+    try {
+      const result = await processFile(filePath, agent, since, config, opts.dryRun || false);
+      stats.filesScanned++;
+      stats.eventsProcessed += result.events;
+      stats.eventsSent += result.sent;
+      stats.violationsFound += result.violations;
+      stats.secretsFound += result.secrets;
+      stats.bytesProcessed += size;
+      const parts = [];
+      if (result.events > 0) parts.push(`${result.events} events`);
+      if (result.violations > 0) parts.push(pc13.yellow(`${result.violations} violations`));
+      if (result.secrets > 0) parts.push(pc13.red(`${result.secrets} secrets`));
+      if (parts.length > 0) {
+        console.log(` ${parts.join(", ")}`);
+      } else {
+        console.log(pc13.dim(" (no new events)"));
+      }
+    } catch {
+      stats.errors++;
+      stats.filesSkipped++;
+      console.log(pc13.red(" error"));
+    }
+  }
+  console.log("");
+  console.log(pc13.bold("\u2500\u2500\u2500 Sync Complete \u2500\u2500\u2500"));
+  console.log(`  Files processed: ${stats.filesScanned} (${formatBytes2(stats.bytesProcessed)})`);
+  if (stats.filesSkipped > 0) console.log(`  Files skipped: ${pc13.yellow(String(stats.filesSkipped))}`);
+  console.log(`  Events found: ${stats.eventsProcessed}`);
+  if (!opts.dryRun) console.log(`  Events synced: ${pc13.green(String(stats.eventsSent))}`);
+  if (stats.violationsFound > 0) {
+    console.log(`  ${pc13.yellow("\u26A0")} Historical violations: ${pc13.yellow(String(stats.violationsFound))}`);
+    console.log(pc13.dim("    These violations occurred before IMDL was monitoring."));
+    console.log(pc13.dim("    They are tagged as historical in the dashboard."));
+  }
+  if (stats.secretsFound > 0) {
+    console.log(`  ${pc13.red("\u26A0")} Secrets detected: ${pc13.red(String(stats.secretsFound))}`);
+    console.log(pc13.dim("    Secrets were found in historical prompts/tool calls."));
+    console.log(pc13.dim("    Review in Dashboard \u2192 Violations (filter: historical)."));
+  }
+  if (stats.errors > 0) console.log(`  Errors: ${pc13.red(String(stats.errors))}`);
+}
+async function processFile(filePath, agent, since, config, dryRun) {
+  const result = { events: 0, sent: 0, violations: 0, secrets: 0 };
+  const batch = [];
+  const sessionId = deriveSessionId(filePath, agent);
+  let cwd;
+  const rl = createInterface2({
+    input: createReadStream2(filePath, { encoding: "utf-8" }),
+    crlfDelay: Infinity
+  });
+  for await (const line of rl) {
+    if (!line.trim()) continue;
+    let entry;
+    try {
+      entry = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    const ts = entry.timestamp || entry.ts;
+    if (ts) {
+      const entryTime = new Date(ts).getTime();
+      if (entryTime < since.getTime()) continue;
+    }
+    const event = parseEntry(entry, agent, sessionId, cwd);
+    if (!event && entry.type === "turn_context" && entry.payload?.cwd) {
+      cwd = entry.payload.cwd;
+      continue;
+    }
+    if (!event) continue;
+    if (event.cwd) cwd = event.cwd;
+    let violation;
+    if (event.prompt) {
+      const scan = scanPromptForSecrets(event.prompt);
+      if (scan.hasSecrets) {
+        violation = createPromptViolation(scan.findings);
+        if (violation) violation.action = "logged";
+        result.violations++;
+        result.secrets += scan.findings.length;
+      }
+    }
+    if (event.toolInput) {
+      const inputStr = JSON.stringify(event.toolInput);
+      const scan = scanPromptForSecrets(inputStr);
+      if (scan.hasSecrets && !violation) {
+        violation = {
+          policyId: "builtin:prompt-secrets",
+          ruleId: "tool-input-secret-scan",
+          action: "logged",
+          reason: `Secret in tool input (historical): ${scan.findings.map((f) => f.label).join(", ")}`
+        };
+        result.violations++;
+        result.secrets += scan.findings.length;
+      }
+    }
+    const buffered = {
+      sessionId: event.sessionId,
+      type: event.type,
+      toolName: event.toolName,
+      toolInput: event.toolInput ? redactObject(event.toolInput) : void 0,
+      toolOutput: event.toolOutput ? redactObject(event.toolOutput) : void 0,
+      prompt: event.prompt ? redactObject(event.prompt) : void 0,
+      timestamp: event.timestamp,
+      cwd: event.cwd || cwd,
+      agentType: agent,
+      violation
+    };
+    batch.push(buffered);
+    result.events++;
+    if (batch.length >= BATCH_SIZE2) {
+      if (!dryRun) {
+        const sent = await sendBatch2(config, sessionId, batch.splice(0, BATCH_SIZE2), agent);
+        if (sent) result.sent += BATCH_SIZE2;
+      } else {
+        batch.splice(0, BATCH_SIZE2);
+      }
+    }
+  }
+  if (batch.length > 0 && !dryRun) {
+    const sent = await sendBatch2(config, sessionId, batch, agent);
+    if (sent) result.sent += batch.length;
+  } else if (batch.length > 0) {
+  }
+  return result;
+}
+function parseEntry(entry, agent, sessionId, cwd) {
+  const ts = entry.timestamp || entry.ts || (/* @__PURE__ */ new Date()).toISOString();
+  if (agent === "codex") {
+    const ptype = entry.payload?.type;
+    if (ptype === "user_message" && entry.payload.message?.trim()) {
+      return { sessionId, type: "user_prompt", prompt: entry.payload.message.trim().slice(0, 1e4), timestamp: ts, cwd };
+    }
+    if (ptype === "function_call" && entry.payload.name) {
+      let toolInput;
+      if (entry.payload.arguments) {
+        try {
+          toolInput = JSON.parse(entry.payload.arguments);
+        } catch {
+          toolInput = { raw: entry.payload.arguments };
+        }
+      }
+      return { sessionId, type: "pre_tool_use", toolName: entry.payload.name, toolInput, timestamp: ts, cwd };
+    }
+    if (ptype === "function_call_output" && entry.payload.output) {
+      return { sessionId, type: "post_tool_use", toolName: entry.payload.call_id || "unknown", toolOutput: entry.payload.output.slice(0, 1e4), timestamp: ts, cwd };
+    }
+    return null;
+  }
+  if (agent === "claude-code") {
+    if (entry.type === "human" && entry.message?.content) {
+      const text = Array.isArray(entry.message.content) ? entry.message.content.filter((b) => b.type === "text").map((b) => b.text).join("\n") : typeof entry.message.content === "string" ? entry.message.content : "";
+      if (text.trim()) {
+        return { sessionId, type: "user_prompt", prompt: text.trim().slice(0, 1e4), timestamp: ts, cwd: entry.cwd || cwd };
+      }
+    }
+    if (entry.type === "assistant" && entry.message?.content) {
+      const blocks = Array.isArray(entry.message.content) ? entry.message.content : [];
+      for (const block of blocks) {
+        if (block.type === "tool_use") {
+          return { sessionId, type: "pre_tool_use", toolName: block.name, toolInput: block.input, timestamp: ts, cwd: entry.cwd || cwd };
+        }
+      }
+    }
+    if (entry.type === "tool_result" || entry.type === "result") {
+      const output = typeof entry.content === "string" ? entry.content : JSON.stringify(entry.content || "").slice(0, 1e4);
+      return { sessionId, type: "post_tool_use", toolName: entry.tool_use_id || "unknown", toolOutput: output, timestamp: ts, cwd: entry.cwd || cwd };
+    }
+    return null;
+  }
+  if (agent === "cursor") {
+    if (entry.role === "user" && entry.content) {
+      const text = typeof entry.content === "string" ? entry.content : "";
+      if (text.trim()) {
+        return { sessionId, type: "user_prompt", prompt: text.trim().slice(0, 1e4), timestamp: ts, cwd };
+      }
+    }
+    if (entry.role === "assistant" && entry.tool_calls) {
+      for (const tc of entry.tool_calls) {
+        if (tc.function?.name) {
+          let toolInput;
+          if (tc.function.arguments) {
+            try {
+              toolInput = JSON.parse(tc.function.arguments);
+            } catch {
+              toolInput = { raw: tc.function.arguments };
+            }
+          }
+          return { sessionId, type: "pre_tool_use", toolName: tc.function.name, toolInput, timestamp: ts, cwd };
+        }
+      }
+    }
+    return null;
+  }
+  return null;
+}
+async function sendBatch2(config, sessionId, events, agentType) {
+  const headers = { "Content-Type": "application/json" };
+  if (config.authToken) headers["X-IMDL-Key"] = config.authToken;
+  try {
+    const res = await fetch(`${config.apiUrl}/api/sessions/${sessionId}/events`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        events,
+        developerId: config.developerId,
+        agentType,
+        historical: true
+      }),
+      signal: AbortSignal.timeout(SEND_TIMEOUT)
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+function deriveSessionId(filePath, agent) {
+  const filename = filePath.split("/").pop() || "";
+  if (agent === "codex") {
+    const match = filename.match(/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/);
+    return match ? `codex-${match[1].slice(0, 8)}` : `codex-${filename.replace(".jsonl", "").slice(-8)}`;
+  }
+  if (agent === "claude-code") {
+    const parts = filePath.split("/");
+    const sessionsIdx = parts.indexOf("sessions");
+    if (sessionsIdx >= 0 && parts[sessionsIdx + 1]) {
+      return parts[sessionsIdx + 1];
+    }
+    return `cc-${filename.replace(".jsonl", "").slice(-8)}`;
+  }
+  if (agent === "cursor") {
+    const match = filename.match(/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/);
+    return match ? `cursor-${match[1].slice(0, 8)}` : `cursor-${filename.replace(".jsonl", "").slice(-8)}`;
+  }
+  return `unknown-${filename.slice(-8)}`;
+}
+function findJsonlFiles(basePath, since) {
+  const files = [];
+  const walk = (dir) => {
+    try {
+      for (const entry of readdirSync6(dir)) {
+        const full = join24(dir, entry);
+        try {
+          const stat = statSync11(full);
+          if (stat.isDirectory()) walk(full);
+          else if (entry.endsWith(".jsonl") && stat.mtimeMs >= since.getTime()) {
+            files.push(full);
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+  };
+  walk(basePath);
+  return files;
+}
+function safeReaddir(dir) {
+  try {
+    return readdirSync6(dir);
+  } catch {
+    return [];
+  }
+}
+function safeStat(path) {
+  try {
+    return statSync11(path);
+  } catch {
+    return null;
+  }
+}
+function formatBytes2(bytes) {
+  if (bytes < 1024) return `${bytes}B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(1)}GB`;
+}
+
+// src/commands/optimize.ts
+import pc14 from "picocolors";
+import { existsSync as existsSync25, readFileSync as readFileSync19 } from "fs";
+import { join as join25 } from "path";
+import { homedir as homedir19 } from "os";
+var FEATURES = [
+  { id: "prompt_cache", name: "Prompt Semantic Cache", category: "optimization" },
+  { id: "tool_call_cache", name: "Tool Call Cache", category: "optimization" },
+  { id: "model_routing", name: "Smart Model Routing", category: "optimization" },
+  { id: "idle_alerts", name: "Idle Session Alerts", category: "optimization" },
+  { id: "session_resume", name: "Session Resume Hints", category: "optimization" },
+  { id: "context_optimization", name: "Context Window Optimizer", category: "optimization" },
+  { id: "budget_enforcement", name: "Budget Enforcement", category: "governance" },
+  { id: "model_governance", name: "Model Governance", category: "governance" }
+];
+async function optimizeCommand(opts) {
+  const config = loadConfig();
+  if (opts.enable) {
+    await toggleFeature(config, opts.enable, true);
+    return;
+  }
+  if (opts.disable) {
+    await toggleFeature(config, opts.disable, false);
+    return;
+  }
+  if (opts.check) {
+    await checkCompliance2(config, opts.json);
+    return;
+  }
+  if (opts.report) {
+    await sendReport(config);
+    return;
+  }
+  await showSummary(config, opts);
+}
+async function showSummary(config, opts) {
+  console.log("");
+  console.log(pc14.bold("Token Usage & Optimization"));
+  console.log(pc14.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log("");
+  const claudeUsage = readClaudeCodeUsage();
+  const codexUsage = await readCodexUsage();
+  if (claudeUsage) {
+    const models = Object.entries(claudeUsage.modelUsage || {});
+    console.log(pc14.bold("  Claude Code") + pc14.dim(` (${claudeUsage.configuredModel || "default"})`));
+    let totalCost = 0;
+    for (const [model, usage] of models) {
+      const u = usage;
+      const cost = u.costUSD || estimateCost(model, u.inputTokens || 0, u.outputTokens || 0);
+      totalCost += cost;
+      console.log(`    ${pc14.dim("\u25CF")} ${shortenModel(model)}`);
+      console.log(`      Input: ${formatTokens(u.inputTokens || 0)} ${pc14.dim(`($${((u.inputTokens || 0) * inputRate(model) / 1e6).toFixed(2)})`)}`);
+      console.log(`      Output: ${formatTokens(u.outputTokens || 0)} ${pc14.dim(`($${((u.outputTokens || 0) * outputRate(model) / 1e6).toFixed(2)})`)}`);
+      if (u.cacheReadInputTokens) {
+        console.log(`      Cache: ${formatTokens(u.cacheReadInputTokens)} reads`);
+      }
+    }
+    console.log(`    ${pc14.bold("Total")}: $${totalCost.toFixed(2)}`);
+    if (claudeUsage.totalSessions) console.log(`    Sessions: ${claudeUsage.totalSessions} | Messages: ${claudeUsage.totalMessages || 0}`);
+    console.log("");
+  }
+  if (codexUsage) {
+    console.log(pc14.bold("  Codex") + pc14.dim(` (${codexUsage.model || "default"})`));
+    console.log(`    Tokens: ${formatTokens(codexUsage.totalTokens)}`);
+    console.log(`    Sessions: ${codexUsage.sessionCount}`);
+    if (codexUsage.estimatedCost > 0) {
+      console.log(`    Est. cost: $${codexUsage.estimatedCost.toFixed(2)}`);
+    }
+    console.log("");
+  }
+  if (!claudeUsage && !codexUsage) {
+    console.log(pc14.dim("  No local usage data found."));
+    console.log(pc14.dim("  Usage is tracked per-session and visible in the dashboard."));
+    console.log("");
+  }
+  console.log(pc14.bold("  Optimization Features"));
+  console.log(pc14.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  let features = null;
+  if (config.apiUrl && config.authToken) {
+    try {
+      const headers = { "Content-Type": "application/json" };
+      if (config.authToken) headers["X-IMDL-Key"] = config.authToken;
+      const res = await fetch(`${config.apiUrl}/api/optimize/my-features`, {
+        headers,
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (res.ok) {
+        const data = await res.json();
+        features = data.features;
+      }
+    } catch {
+    }
+  }
+  if (features) {
+    for (const f of features) {
+      const icon = f.enabled ? pc14.green("\u25CF") : pc14.dim("\u25CB");
+      const locked = f.lockedByAdmin ? pc14.yellow(" (admin)") : "";
+      console.log(`  ${icon} ${f.name}${locked}`);
+    }
+  } else {
+    for (const f of FEATURES) {
+      console.log(`  ${pc14.dim("\u25CB")} ${f.name} ${pc14.dim("(connect to API for status)")}`);
+    }
+  }
+  console.log("");
+  console.log(pc14.dim("  Toggle: imdl optimize --enable <feature> | --disable <feature>"));
+  console.log(pc14.dim("  Features: prompt_cache, tool_call_cache, model_routing,"));
+  console.log(pc14.dim("            idle_alerts, session_resume, context_optimization"));
+  console.log("");
+  if (opts.json) {
+    const output = {
+      claude_code: claudeUsage,
+      codex: codexUsage,
+      features: features || FEATURES.map((f) => ({ ...f, enabled: false }))
+    };
+    console.log(JSON.stringify(output, null, 2));
+  }
+}
+async function toggleFeature(config, feature, enabled) {
+  const valid = FEATURES.find((f) => f.id === feature);
+  if (!valid) {
+    console.log(pc14.red(`Unknown feature: ${feature}`));
+    console.log(pc14.dim(`Available: ${FEATURES.map((f) => f.id).join(", ")}`));
+    return;
+  }
+  if (!config.apiUrl || !config.authToken) {
+    console.log(pc14.red("Not connected to API. Run `imdl init` first."));
+    return;
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (config.authToken) headers["X-IMDL-Key"] = config.authToken;
+  try {
+    const res = await fetch(`${config.apiUrl}/api/optimize/my-features`, {
+      method: "PUT",
+      headers,
+      body: JSON.stringify({ feature, enabled }),
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (res.ok) {
+      const icon = enabled ? pc14.green("\u25CF") : pc14.dim("\u25CB");
+      console.log(`${icon} ${valid.name}: ${enabled ? pc14.green("enabled") : pc14.dim("disabled")}`);
+    } else {
+      const data = await res.json().catch(() => ({}));
+      if (data.error?.includes("locked")) {
+        console.log(pc14.yellow(`Cannot toggle "${valid.name}" \u2014 locked by your admin.`));
+      } else {
+        console.log(pc14.red(`Failed: ${data.error || res.statusText}`));
+      }
+    }
+  } catch {
+    console.log(pc14.red("Failed to reach API."));
+  }
+}
+async function checkCompliance2(config, json) {
+  if (!config.apiUrl || !config.authToken) {
+    console.log(pc14.red("Not connected to API. Run `imdl init` first."));
+    return;
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (config.authToken) headers["X-IMDL-Key"] = config.authToken;
+  try {
+    const res = await fetch(`${config.apiUrl}/api/optimize/check`, {
+      headers,
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!res.ok) {
+      console.log(pc14.dim("No cost policies configured for your team."));
+      return;
+    }
+    const data = await res.json();
+    if (json) {
+      console.log(JSON.stringify(data, null, 2));
+      return;
+    }
+    if (!data.violations || data.violations.length === 0) {
+      console.log(pc14.green("\u2713 All cost policies satisfied."));
+      return;
+    }
+    console.log(pc14.yellow(`\u26A0 ${data.violations.length} cost policy violation(s):`));
+    for (const v of data.violations) {
+      console.log(`  ${pc14.yellow("\u25CF")} ${v.detail}`);
+      if (v.costImpact) console.log(pc14.dim(`    Excess cost: $${v.costImpact.toFixed(2)}`));
+    }
+  } catch {
+    console.log(pc14.red("Failed to reach API."));
+  }
+}
+async function sendReport(config) {
+  if (!config.apiUrl || !config.authToken) {
+    console.log(pc14.red("Not connected to API. Run `imdl init` first."));
+    return;
+  }
+  const claudeUsage = readClaudeCodeUsage();
+  const codexUsage = await readCodexUsage();
+  const report = {
+    developerId: config.developerId,
+    reportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    agents: []
+  };
+  if (claudeUsage) {
+    report.agents.push({
+      agentType: "claude-code",
+      configuredModel: claudeUsage.configuredModel,
+      aggregate: Object.entries(claudeUsage.modelUsage || {}).map(([model, u]) => ({
+        model,
+        provider: "anthropic",
+        inputTokens: u.inputTokens || 0,
+        outputTokens: u.outputTokens || 0,
+        cacheReadTokens: u.cacheReadInputTokens || 0,
+        cacheWriteTokens: u.cacheCreationInputTokens || 0,
+        estimatedCostUSD: u.costUSD || estimateCost(model, u.inputTokens || 0, u.outputTokens || 0)
+      }))
+    });
+  }
+  if (codexUsage) {
+    report.agents.push({
+      agentType: "codex",
+      configuredModel: codexUsage.model,
+      aggregate: [{
+        model: codexUsage.model || "gpt-5",
+        provider: "openai",
+        inputTokens: codexUsage.totalTokens,
+        outputTokens: 0,
+        estimatedCostUSD: codexUsage.estimatedCost
+      }]
+    });
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (config.authToken) headers["X-IMDL-Key"] = config.authToken;
+  try {
+    const res = await fetch(`${config.apiUrl}/api/optimize/report`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(report),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.ok) {
+      console.log(pc14.green("\u2713 Usage report sent to dashboard."));
+    } else {
+      console.log(pc14.red("Failed to send report."));
+    }
+  } catch {
+    console.log(pc14.red("Failed to reach API."));
+  }
+}
+function readClaudeCodeUsage() {
+  const baseDir = join25(homedir19(), ".claude");
+  const statsPath = join25(baseDir, "stats-cache.json");
+  const settingsPath = join25(baseDir, "settings.json");
+  if (!existsSync25(statsPath)) return null;
+  try {
+    const stats = JSON.parse(readFileSync19(statsPath, "utf-8"));
+    let configuredModel = "unknown";
+    if (existsSync25(settingsPath)) {
+      try {
+        const settings = JSON.parse(readFileSync19(settingsPath, "utf-8"));
+        configuredModel = settings.model || "default";
+      } catch {
+      }
+    }
+    return {
+      configuredModel,
+      modelUsage: stats.modelUsage || {},
+      totalSessions: stats.totalSessions || 0,
+      totalMessages: stats.totalMessages || 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function readCodexUsage() {
+  const baseDir = join25(homedir19(), ".codex");
+  const configPath = join25(baseDir, "config.toml");
+  const dbPath = join25(baseDir, "state_5.sqlite");
+  if (!existsSync25(dbPath)) return null;
+  let model = "unknown";
+  if (existsSync25(configPath)) {
+    try {
+      const content = readFileSync19(configPath, "utf-8");
+      const modelMatch = content.match(/^model\s*=\s*"([^"]+)"/m);
+      if (modelMatch) model = modelMatch[1];
+    } catch {
+    }
+  }
+  try {
+    const Database = (await import("better-sqlite3")).default;
+    const db = new Database(dbPath, { readonly: true });
+    const row = db.prepare("SELECT SUM(tokens_used) as total, COUNT(*) as cnt FROM threads WHERE tokens_used > 0").get();
+    db.close();
+    const totalTokens = row?.total || 0;
+    const sessionCount = row?.cnt || 0;
+    const estimatedCost = estimateCost(model, totalTokens * 0.6, totalTokens * 0.4);
+    return { model, totalTokens, sessionCount, estimatedCost };
+  } catch {
+    return null;
+  }
+}
+function estimateCost(model, inputTokens, outputTokens) {
+  return inputTokens / 1e6 * inputRate(model) + outputTokens / 1e6 * outputRate(model);
+}
+function inputRate(model) {
+  if (model.includes("opus")) return 15;
+  if (model.includes("sonnet")) return 3;
+  if (model.includes("haiku")) return 0.8;
+  if (model.includes("gpt-5")) return 10;
+  if (model.includes("gpt-4o") || model.includes("gpt-4.1")) return 2;
+  return 3;
+}
+function outputRate(model) {
+  if (model.includes("opus")) return 75;
+  if (model.includes("sonnet")) return 15;
+  if (model.includes("haiku")) return 4;
+  if (model.includes("gpt-5")) return 30;
+  if (model.includes("gpt-4o") || model.includes("gpt-4.1")) return 8;
+  return 15;
+}
+function formatTokens(n) {
+  if (n >= 1e9) return `${(n / 1e9).toFixed(1)}B`;
+  if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
+  if (n >= 1e3) return `${(n / 1e3).toFixed(1)}K`;
+  return String(n);
+}
+function shortenModel(model) {
+  if (model.includes("opus")) return "Claude Opus";
+  if (model.includes("sonnet")) return "Claude Sonnet";
+  if (model.includes("haiku")) return "Claude Haiku";
+  if (model.includes("gpt-5")) return "GPT-5";
+  if (model.includes("gpt-4")) return "GPT-4";
+  if (model.length > 25) return model.slice(0, 22) + "...";
+  return model;
+}
+
 // src/commands/uninstall.ts
 import { Command } from "commander";
-import { existsSync as existsSync24, readFileSync as readFileSync19, rmSync, unlinkSync as unlinkSync3 } from "fs";
-import { homedir as homedir17 } from "os";
-import { join as join23 } from "path";
-import pc13 from "picocolors";
+import { existsSync as existsSync26, readFileSync as readFileSync20, rmSync, unlinkSync as unlinkSync3 } from "fs";
+import { homedir as homedir20 } from "os";
+import { join as join26 } from "path";
+import pc15 from "picocolors";
 var uninstall = new Command("uninstall").description("Remove all IMDL components, hooks, and configuration").option("--keep-config", "Keep ~/.imdl config directory").option("--force", "Skip confirmation prompt").action(async (opts) => {
-  const home = homedir17();
-  const imdlDir = join23(home, ".imdl");
+  const home = homedir20();
+  const imdlDir = join26(home, ".imdl");
   console.log("");
-  console.log(pc13.bold("  Frostbridge IMDL \u2014 Uninstaller"));
+  console.log(pc15.bold("  Frostbridge IMDL \u2014 Uninstaller"));
   console.log("");
   const removed = [];
   const skipped = [];
-  const claudeSettings = join23(home, ".claude", "settings.json");
-  if (existsSync24(claudeSettings)) {
+  const claudeSettings = join26(home, ".claude", "settings.json");
+  if (existsSync26(claudeSettings)) {
     try {
-      const raw = readFileSync19(claudeSettings, "utf8");
+      const raw = readFileSync20(claudeSettings, "utf8");
       const settings = JSON.parse(raw);
       let modified = false;
       for (const hookType of ["PreToolUse", "PostToolUse", "UserPromptSubmit"]) {
@@ -5603,18 +6935,18 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
       }
       if (settings.hooks && Object.keys(settings.hooks).length === 0) delete settings.hooks;
       if (modified) {
-        const { writeFileSync: writeFileSync12 } = await import("fs");
-        writeFileSync12(claudeSettings, JSON.stringify(settings, null, 2));
+        const { writeFileSync: writeFileSync13 } = await import("fs");
+        writeFileSync13(claudeSettings, JSON.stringify(settings, null, 2));
         removed.push("Claude Code hooks");
       }
     } catch {
       skipped.push("Claude Code hooks (could not parse settings.json)");
     }
   }
-  const cursorSettings = join23(home, ".cursor", "settings.json");
-  if (existsSync24(cursorSettings)) {
+  const cursorSettings = join26(home, ".cursor", "settings.json");
+  if (existsSync26(cursorSettings)) {
     try {
-      const raw = readFileSync19(cursorSettings, "utf8");
+      const raw = readFileSync20(cursorSettings, "utf8");
       const settings = JSON.parse(raw);
       let modified = false;
       if (settings.hooks) {
@@ -5629,8 +6961,8 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
         }
       }
       if (modified) {
-        const { writeFileSync: writeFileSync12 } = await import("fs");
-        writeFileSync12(cursorSettings, JSON.stringify(settings, null, 2));
+        const { writeFileSync: writeFileSync13 } = await import("fs");
+        writeFileSync13(cursorSettings, JSON.stringify(settings, null, 2));
         removed.push("Cursor hooks");
       }
     } catch {
@@ -5638,18 +6970,18 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
     }
   }
   for (const rc of [".bashrc", ".zshrc", ".profile"]) {
-    const rcPath = join23(home, rc);
-    if (existsSync24(rcPath)) {
+    const rcPath = join26(home, rc);
+    if (existsSync26(rcPath)) {
       try {
-        const content = readFileSync19(rcPath, "utf8");
+        const content = readFileSync20(rcPath, "utf8");
         if (content.includes("imdl") || content.includes("frostbridge")) {
           const lines = content.split("\n");
           const filtered = lines.filter(
             (l) => !l.includes("imdl") && !l.includes("frostbridge") && !l.includes("# Added by Frostbridge")
           );
           if (filtered.length < lines.length) {
-            const { writeFileSync: writeFileSync12 } = await import("fs");
-            writeFileSync12(rcPath, filtered.join("\n"));
+            const { writeFileSync: writeFileSync13 } = await import("fs");
+            writeFileSync13(rcPath, filtered.join("\n"));
             removed.push(`Shell rc entries (${rc})`);
           }
         }
@@ -5658,9 +6990,9 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
     }
   }
   try {
-    const pidFile = join23(imdlDir, "daemon.pid");
-    if (existsSync24(pidFile)) {
-      const pid = parseInt(readFileSync19(pidFile, "utf8").trim());
+    const pidFile = join26(imdlDir, "daemon.pid");
+    if (existsSync26(pidFile)) {
+      const pid = parseInt(readFileSync20(pidFile, "utf8").trim());
       if (pid > 0) {
         try {
           process.kill(pid, "SIGTERM");
@@ -5672,18 +7004,18 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
     }
   } catch {
   }
-  if (!opts.keepConfig && existsSync24(imdlDir)) {
+  if (!opts.keepConfig && existsSync26(imdlDir)) {
     rmSync(imdlDir, { recursive: true, force: true });
     removed.push("~/.imdl config directory");
   } else if (opts.keepConfig) {
     skipped.push("~/.imdl (--keep-config)");
   }
-  const bufferDir = join23(home, ".imdl", "buffer");
-  if (existsSync24(bufferDir)) {
+  const bufferDir = join26(home, ".imdl", "buffer");
+  if (existsSync26(bufferDir)) {
     rmSync(bufferDir, { recursive: true, force: true });
     removed.push("Event buffer");
   }
-  console.log(pc13.dim("  Uninstalling npm packages..."));
+  console.log(pc15.dim("  Uninstalling npm packages..."));
   const { execSync: execSync3 } = await import("child_process");
   const packages = ["@frostbridge/imdl", "@frostbridge/imdl-shell-wrapper", "@frostbridge/imdl-mcp-proxy"];
   for (const pkg of packages) {
@@ -5695,19 +7027,19 @@ var uninstall = new Command("uninstall").description("Remove all IMDL components
   }
   console.log("");
   if (removed.length > 0) {
-    console.log(pc13.green(pc13.bold("  Removed:")));
+    console.log(pc15.green(pc15.bold("  Removed:")));
     for (const item of removed) {
-      console.log(pc13.green(`    \u2713 ${item}`));
+      console.log(pc15.green(`    \u2713 ${item}`));
     }
   }
   if (skipped.length > 0) {
-    console.log(pc13.yellow(pc13.bold("  Skipped:")));
+    console.log(pc15.yellow(pc15.bold("  Skipped:")));
     for (const item of skipped) {
-      console.log(pc13.yellow(`    \u25CB ${item}`));
+      console.log(pc15.yellow(`    \u25CB ${item}`));
     }
   }
   console.log("");
-  console.log(pc13.dim("  IMDL has been completely removed from this machine."));
+  console.log(pc15.dim("  IMDL has been completely removed from this machine."));
   console.log("");
 });
 
@@ -6019,18 +7351,18 @@ function ruleTypeToCategory(type) {
 }
 
 // src/transport/sync.ts
-import { readFileSync as readFileSync20, writeFileSync as writeFileSync11, existsSync as existsSync25 } from "fs";
-import { join as join24 } from "path";
+import { readFileSync as readFileSync21, writeFileSync as writeFileSync12, existsSync as existsSync27 } from "fs";
+import { join as join27 } from "path";
 var SYNC_INTERVAL = 6e4;
 var SYNC_TIMEOUT = 3e3;
 function getSyncStateFile() {
-  return join24(getImdlDir(), "last_sync.json");
+  return join27(getImdlDir(), "last_sync.json");
 }
 function getLastSyncTime() {
   try {
     const file = getSyncStateFile();
-    if (existsSync25(file)) {
-      const data = JSON.parse(readFileSync20(file, "utf-8"));
+    if (existsSync27(file)) {
+      const data = JSON.parse(readFileSync21(file, "utf-8"));
       return data.lastSync || 0;
     }
   } catch {
@@ -6039,7 +7371,7 @@ function getLastSyncTime() {
 }
 function setLastSyncTime() {
   try {
-    writeFileSync11(getSyncStateFile(), JSON.stringify({ lastSync: Date.now() }), { mode: 384 });
+    writeFileSync12(getSyncStateFile(), JSON.stringify({ lastSync: Date.now() }), { mode: 384 });
   } catch {
   }
 }
@@ -6351,7 +7683,19 @@ async function handleHook(type) {
       };
     }
   } else if (hookType === "user_prompt" && event.prompt) {
-    const scan = scanPromptForSecrets(event.prompt);
+    const config = loadConfig();
+    const llmConfig = {
+      enabled: config.features?.prompt_llm_scan === true,
+      apiUrl: config.llmScanUrl || (config.apiUrl ? `${config.apiUrl}/api/gateway/scan` : void 0),
+      model: config.llmScanModel || "claude-haiku-4-5-20251001",
+      maxInputChars: 500
+    };
+    let scan;
+    if (llmConfig.enabled) {
+      scan = await scanWithLlmFallback(event.prompt, llmConfig);
+    } else {
+      scan = scanPromptForSecrets(event.prompt);
+    }
     if (scan.hasSecrets) {
       violationData = createPromptViolation(scan.findings);
     }
@@ -6378,13 +7722,14 @@ async function handleHook(type) {
       behaviorRiskScore = computeRiskScore(signals);
     }
   }
+  const toolOutput = event.tool_output || event.tool_response;
   const sessionId = event.session_id || getLastSessionId();
   const buffered = {
     sessionId,
     type: hookType,
     toolName: event.tool_name,
     toolInput: redactObject(event.tool_input),
-    toolOutput: event.tool_output ? redactObject(event.tool_output) : void 0,
+    toolOutput: toolOutput ? String(typeof toolOutput === "string" ? redactObject(toolOutput) : JSON.stringify(redactObject(toolOutput))) : void 0,
     prompt: event.prompt ? redactObject(event.prompt) : void 0,
     timestamp: event.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
     violation: violationData,
@@ -6442,7 +7787,7 @@ function getSafeAlternative(toolName, toolInput) {
 
 // src/index.ts
 var program = new Command2();
-program.name("imdl").description("IMDL \u2014 Intelligent Mediation & Detection Layer. AI agent security.").version("0.1.0");
+program.name("imdl").description("IMDL \u2014 Intelligent Mediation & Detection Layer. AI agent security.").version("0.1.13");
 program.command("scan").description("Scan MCP server configs for security risks").option("-p, --path <path>", "Path to MCP config file").option("-u, --url <url>", "GitHub URL or org/repo to scan").option("--json", "Output as JSON").option("--no-color", "Disable colored output").option("-q, --quiet", "Only show warnings and errors").option("-d, --deep", "Deep scan: static code analysis + GitHub issue scanning").action(scanCommand);
 program.command("init").description("Detect AI agents and install monitoring hooks").option("-t, --token <token>", "Invite token to join a team").option("--team-token <token>", "Alias for --token").option("--api <url>", "API URL to connect to").option("--non-interactive", "Skip all prompts and use defaults").action((opts) => initCommand({ teamToken: opts.token || opts.teamToken, apiUrl: opts.api, nonInteractive: opts.nonInteractive }));
 program.command("login").description("Authenticate to your IMDL team").action(loginCommand);
@@ -6468,6 +7813,12 @@ gwCmd.command("enable <module>").description("Enable a gateway module (secrets,
 gwCmd.command("disable <module>").description("Disable a gateway module").action((module) => gatewayDisableCommand({ module }));
 gwCmd.command("alerts").description("Show recent gateway security alerts").option("-n, --limit <count>", "Number of alerts to show", "20").option("--json", "Output as JSON").action(gatewayAlertsCommand);
 gwCmd.command("cost").description("Show AI spend and usage breakdown").option("--json", "Output as JSON").action(gatewayCostCommand);
+gwCmd.command("dashboard").description("Open the local gateway dashboard in your browser").action(gatewayDashboardCommand);
+gwCmd.command("activate").description("Route Claude Code through the gateway (adds env to settings.json)").option("--codex", "Also route Codex (OpenAI) WebSocket traffic through the gateway").option("--copilot", "Show setup instructions for routing GitHub Copilot through the gateway").action(gatewayActivateCommand);
+gwCmd.command("deactivate").description("Stop routing Claude Code through gateway (direct to Bedrock/Anthropic)").action(gatewayDeactivateCommand);
+program.command("sync-history").description("Sync historical session data and retroactively detect violations").option("-d, --days <days>", "Number of days to look back (default: 30)", "30").option("-a, --agent <agent>", "Only sync a specific agent (claude-code, codex, cursor)").option("--dry-run", "Scan and report without sending data to the API").action(syncHistoryCommand);
+program.command("optimize").description("Token usage, cost policies, and optimization features").option("--enable <feature>", "Enable an optimization feature").option("--disable <feature>", "Disable an optimization feature").option("--report", "Send local usage data to your team dashboard").option("--check", "Check compliance against org cost policies").option("--json", "Output as JSON").action(optimizeCommand);
 program.addCommand(uninstall);
+program.command("dashboard").description("Open the IMDL control panel in your browser").action(gatewayDashboardCommand);
 program.command("hook <type>").description("Handle hook events from AI agents (internal)").action(handleHook);
 program.parse();