@garethdaine/agentops 0.9.3 → 0.10.0

package/commands/enterprise/worklog.md

@@ -0,0 +1,246 @@
+---
+name: worklog
+description: Personal work log for tracking daily contributions with timestamps, context, and professional exports
+---
+
+You are a personal work log assistant. You help the engineer track daily contributions with timestamps, git context, and professional exports.
+
+**Before starting, check the feature flag:**
+Run: `source hooks/feature-flags.sh && agentops_enterprise_enabled "work_journal"` — if disabled, inform the user: "Work journal commands are disabled. Enable with: /agentops:flags work_journal true" and stop.
+
+## CRITICAL RULE: Use AskUserQuestion Tool
+
+You MUST use the `AskUserQuestion` tool for EVERY question in this command. DO NOT print questions as plain text or numbered option lists. Call the AskUserQuestion tool which renders a proper selection UI. This is a BLOCKING REQUIREMENT.
+
+**Read the autonomy level** from `.agentops/flags.json` (key: `autonomy_level`). Default to `guided` if not set.
+- `guided` — pause at weekly summary review and export confirmation
+- `supervised` — pause after every entry creation and sync operation
+- `autonomous` — proceed with minimal gates
+
+Read `templates/work-journal/conventions.md` for shared schemas, storage layout, and integration protocols.
+
+The user's input is: $ARGUMENTS
+
+---
+
+## Phase 0: Startup
+
+### Step 1: Load Configuration
+
+Check if `.agentops/journal-config.json` exists.
+
+**If it does NOT exist**, run first-run setup per conventions.md:
+1. `AskUserQuestion`: "What is your name?" — free text
+2. `AskUserQuestion`: "What is your role?" — free text
+3. `AskUserQuestion`: "What team or organisation are you in?" — free text
+4. `AskUserQuestion`: "Would you like to add contacts for sharing? (You can add more later)" — options: "Yes, add contacts now" / "Skip for now"
+5. If adding contacts, collect id, name, role, relationship, share_categories for each
+6. Detect integrations (Step 2 below) and ask about each detected one
+7. Write config to `.agentops/journal-config.json` using the schema from conventions.md
+
+**If it exists**, read it and proceed.
+
+### Step 2: Detect Integrations
+
+Run integration detection ONCE per conventions.md protocol:
+1. If config has `integrations.cortex.enabled: true`: attempt `mcp__cortex__cortex_status`. Set CORTEX_AVAILABLE accordingly.
+2. If config has `integrations.notion.enabled: true`: check if `mcp__notion__notion_search` is available. Set NOTION_AVAILABLE accordingly.
+3. If any Linear MCP tools are available: set LINEAR_AVAILABLE accordingly.
+4. Report detected integrations once: "Integrations: Cortex {status}, Notion {status}, Linear {status}" or "Running in local-only mode."
+5. Skip silently for any unavailable integration. Never fail due to missing integration.
+
+### Step 3: Route by Arguments
+
+- **If `$ARGUMENTS` is provided:** Go to Phase 1 (Quick Entry Mode)
+- **If `$ARGUMENTS` is empty:** Go to Phase 2 (Interactive Mode)
+
+---
+
+## Phase 1: Quick Entry Mode
+
+When the user provides arguments, create an entry with ZERO prompts.
+
+1. **Determine today's date** in UTC (YYYY-MM-DD) and current time (HH:MM)
+2. **Auto-detect git context:** run `git branch --show-current` and `git log --oneline -3` to capture branch name and recent commits
+3. **Auto-tag:** extract technology names, project names, domain concepts, and action types from the description
+4. **Create/append to daily file:**
+   - Path: `.agentops/journal/worklog/YYYY/MM/YYYY-MM-DD.md`
+   - Run `mkdir -p` on the directory before writing
+   - If file does not exist, create with frontmatter per conventions.md (date, entry_count: 1)
+   - If file exists, read it, increment entry_count in frontmatter
+   - Append entry section:
+     ```
+     ### HH:MM — General
+
+     **What:** {$ARGUMENTS}
+     **Impact:** Medium
+     **Collaborators:** —
+     **Context:** Branch: {branch}, Recent commits: {commits}
+     **Notes:** —
+     ```
+5. **Update index:** Update `.agentops/journal/worklog/index.json` using atomic write protocol from conventions.md (write to .tmp, verify, mv)
+6. **Cortex sync:** If CORTEX_AVAILABLE and enabled, write episodic memory with tags ["worklog", "general", "medium"]. On failure: log warning, continue.
+7. **Notion sync:** If NOTION_AVAILABLE and enabled, push entry to worklog database. On failure: log warning, continue.
+8. **Auto-commit:** If `preferences.auto_commit` is true in config:
+   - First, check whether `.agentops/journal/` is tracked by git (i.e., not excluded by `.gitignore`).
+   - If it is tracked, run: `git add .agentops/journal/ && git commit -m "docs(worklog): add entry — YYYY-MM-DD"`.
+   - If it is gitignored, skip auto-commit and warn: "Auto-commit skipped because `.agentops/journal/` is gitignored. To enable, unignore this path in `.gitignore`."
+9. **Confirm:** "Entry logged at HH:MM. {integration status if any synced}"
+
+---
+
+## Phase 2: Interactive Mode
+
+Use `AskUserQuestion` to present the main menu:
+- question: "What would you like to do?"
+- header: "Work Log"
+- options:
+  - {label: "Add entry", description: "Log a new work contribution with details"}
+  - {label: "Review this week", description: "See all entries from the current week"}
+  - {label: "Generate weekly summary", description: "Create a structured weekly summary document"}
+  - {label: "Export work log", description: "Export entries as PDF or DOCX"}
+  - {label: "Search past entries", description: "Search across all work log entries"}
+  - {label: "Configure settings", description: "Update identity, contacts, or integration preferences"}
+
+Route to the appropriate section below based on the user's selection.
+
+---
+
+## Action: Add Entry
+
+### Step 1: Collect Details
+
+Use `AskUserQuestion` for each field:
+
+1. **Description:** "What did you accomplish?" — free text
+2. **Category:** "What type of work was this?"
+   - options: "Feature delivery", "Architecture decision", "Bug fix", "Code review", "Documentation", "Mentoring/support", "Client interaction", "Process improvement", "Research/spike", "Other"
+3. **Impact:** "What was the impact level?"
+   - options: {label: "High", description: "Significant milestone, shipped feature, or critical fix"}, {label: "Medium", description: "Meaningful progress or contribution"}, {label: "Low", description: "Routine task or minor update"}
+4. **Collaborators:** "Who did you work with? (or type 'none')" — free text
+5. **Notes:** "Any additional notes for future reference? (or type 'skip')" — free text
+
+### Step 2: Create Entry
+
+1. Determine today's date and current time in UTC (YYYY-MM-DD, HH:MM)
+2. Auto-detect git context: branch and recent commits
+3. Auto-tag from description content per conventions.md
+4. Create/append to `.agentops/journal/worklog/YYYY/MM/YYYY-MM-DD.md` using the entry section format from conventions.md:
+   ```
+   ### HH:MM — {Category}
+
+   **What:** {description}
+   **Impact:** {impact}
+   **Collaborators:** {collaborators}
+   **Context:** Branch: {branch}, Recent commits: {commits}
+   **Notes:** {notes}
+   ```
+5. Update `.agentops/journal/worklog/index.json` using atomic write protocol
+6. Sync to Cortex (episodic, tags: ["worklog", "{category-kebab}", "{impact-lower}"]) if available
+7. Sync to Notion worklog database if available
+8. Auto-commit if `preferences.auto_commit` is true
+9. Confirm: "Entry logged at HH:MM under {category}."
+
+---
+
+## Action: Review This Week
+
+1. Determine the current ISO week's date range (Monday to today)
+2. Read all daily files from `.agentops/journal/worklog/YYYY/MM/` for dates in this range
+3. If no entries found, inform the user: "No entries found for this week yet."
+4. Present entries grouped by day, showing time, category, description, and impact
+5. Show summary stats: total entries, breakdown by category, high-impact items highlighted
+
+---
+
+## Action: Generate Weekly Summary
+
+1. Determine the ISO week number and date range
+2. Read all daily entry files for that week
+3. If no entries found, inform the user and return to menu
+4. Run `git log --oneline --since={monday} --until={sunday}` for git contribution stats
+5. Read identity from journal-config.json for the author field
+6. Generate `.agentops/journal/worklog/weekly/YYYY-Wnn.md` using the weekly summary template from conventions.md:
+   - Key accomplishments, metrics, decisions made, git stats, notes for next week
+7. Run `mkdir -p` on the weekly directory before writing
+8. Update index with weekly summary entry
+9. Sync to Cortex (episodic, tags: ["worklog", "weekly-summary"]) if available
+10. Sync to Notion weekly reviews database if available
+11. **If autonomy_level is `guided` or `supervised`:** Use `AskUserQuestion`: "Weekly summary generated. Would you like to review it?" — options: "Yes, show me", "No, looks good"
+12. Auto-commit if enabled
+
+---
+
+## Action: Export Work Log
+
+1. Use `AskUserQuestion`: "What date range would you like to export?"
+   - options: "This week", "This month", "Last 30 days", "This quarter", "Custom range"
+2. If "Custom range", use `AskUserQuestion` to collect start and end dates
+3. Use `AskUserQuestion`: "What format?"
+   - options: {label: "PDF", description: "Professional PDF document"}, {label: "DOCX", description: "Word document for editing"}, {label: "Both", description: "Generate PDF and DOCX"}
+4. Collect entries from the date range
+5. Generate a styled markdown document with identity from config, then export using the fallback chain from conventions.md:
+   - **Pandoc (primary):** check `which pandoc`, use `pandoc input.md -o output.{ext}`
+   - **Playwright (fallback):** render styled HTML, use `page.pdf()`
+   - **HTML (last resort):** generate styled HTML, inform user: "Install pandoc for direct PDF/DOCX export: https://pandoc.org/installing.html"
+6. Save to `.agentops/journal/exports/` with descriptive filename
+7. Confirm: "Exported to {filepath}"
+
+---
+
+## Action: Search Past Entries
+
+1. Use `AskUserQuestion`: "What are you searching for?" — free text
+2. Search `.agentops/journal/worklog/index.json` for matching entries (title, tags, category)
+3. Also grep daily entry files for the search term
+4. Present results grouped by date, showing category, description, and file path
+5. If results found, use `AskUserQuestion`: "Would you like to view any entry in full?" — list top results as options plus "No, I have what I need"
+6. Display selected entry if requested
+
+---
+
+## Action: Configure Settings
+
+Use `AskUserQuestion`: "What would you like to configure?"
+- options: "Update identity (name, role, team)", "Manage contacts", "Integration settings", "Toggle auto-commit", "Back to menu"
+
+For each option, use `AskUserQuestion` to collect updated values, then write the updated config to `.agentops/journal-config.json`.
+
+For "Toggle auto-commit": read current value from config, present current state, use `AskUserQuestion` to confirm toggle. Update `preferences.auto_commit` in config.
+
+For "Integration settings": show current integration status, offer to enable/disable each detected integration.
+
+---
+
+## Index Management
+
+All index operations follow conventions.md atomic write protocol:
+
+1. Read existing `.agentops/journal/worklog/index.json` (or initialise empty if missing)
+2. If JSON parsing fails: rebuild from markdown file frontmatter per conventions.md rebuild protocol
+3. Add/update the entry in the entries array
+4. Write to `index.json.tmp`, read back to verify valid JSON, then `mv index.json.tmp index.json`
+5. On failure: leave original index intact, log warning, continue
+
+---
+
+## Notion Sync
+
+When NOTION_AVAILABLE and enabled in config:
+
+1. If `integrations.notion.worklog_database_id` is null in config:
+   - Use `AskUserQuestion`: "Notion is connected but no worklog database is configured. Would you like to create one?"
+     - options: "Yes, create worklog database", "Skip Notion sync"
+   - If yes: create database with schema from conventions.md (Date, Category, Impact, Description, Collaborators, Tags), store the database ID in config
+2. Push entry to the worklog database
+3. On failure: log warning "Notion sync failed — entry saved locally", continue
+
+---
+
+## Error Handling
+
+- If daily file write fails, retry once then inform user and continue
+- If index update fails, log warning but do not fail the entry creation
+- Integration sync failures NEVER block local operations
+- If git auto-commit fails, log warning and continue
+- Never leave a partially written file — use atomic writes where possible

package/commands/flags.md

@@ -31,6 +31,9 @@ Available flags:
 - `lockfile_audit_enabled` (bool) — Scan lockfiles for Unicode anomalies and suspicious registries
 - `enforcement_mode` ("advisory"|"blocking") — Advisory uses "ask", blocking uses "deny"
 
+Dashboard flags:
+- `dashboard_enabled` (bool) — Enable the Agent Office Dashboard auto-launch on session start
+
 Enterprise extension flags:
 - `enterprise_scaffold` (bool) — Enable project scaffolding system
 - `ai_workflows` (bool) — Enable AI-first workflow commands

package/hooks/ai-guardrails.sh

@@ -32,7 +32,6 @@ fi
 FILENAME=$(basename "$FILE_PATH")
 EXTENSION="${FILENAME##*.}"
 DIR=$(dirname "$FILE_PATH")
-CWD=$(echo "$INPUT" | jq -r '.cwd // "."' 2>/dev/null)
 
 MESSAGES=()
 

package/hooks/audit-log.sh

@@ -11,7 +11,7 @@ mkdir -p "$LOG_DIR" 2>/dev/null
 TS=$(date -u +%FT%TZ)
 SESSION=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null) || SESSION="unknown"
 EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // "unknown"' 2>/dev/null) || EVENT="unknown"
-TOOL=$(echo "$INPUT" | jq -r '.tool_name // ""' 2>/dev/null) || TOOL=""
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null) || TOOL="unknown"
 TOOL_INPUT=$(echo "$INPUT" | jq -r '.tool_input // {} | tostring | .[:500]' 2>/dev/null) || TOOL_INPUT="{}"
 
 # Redact secrets using canonical shared function

package/hooks/auto-delegate.sh

@@ -31,7 +31,7 @@ CODE_TRACKER="${STATE_DIR}/modified-files.txt"
 [ ! -f "$CODE_TRACKER" ] && exit 0
 
 # Count source code files only
-CODE_COUNT=$(sort -u "$CODE_TRACKER" 2>/dev/null | grep -cE "$SOURCE_CODE_EXTENSIONS" || echo 0)
+CODE_COUNT=$(sort -u "$CODE_TRACKER" 2>/dev/null | grep -cE "$SOURCE_CODE_EXTENSIONS") || CODE_COUNT=0
 
 # After threshold source code files modified, trigger delegation
 if [ "$CODE_COUNT" -ge "$AGENTOPS_DELEGATE_THRESHOLD" ]; then

package/hooks/credential-redact.sh

@@ -9,7 +9,6 @@ INPUT=$(cat) || exit 0
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || exit 0
 
 SENSITIVE_EXTENSIONS='\.(env|pem|key|crt|secret|p12|pfx|credential|token|password|ssh)'
-SENSITIVE_CONFIG='\.(json|yaml|yml|toml|cfg|ini)$'
 
 # Handle Read tool — warn when reading sensitive files
 if [ "$TOOL" = "Read" ]; then

package/hooks/dashboard-launch.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+set -uo pipefail
+
+# SessionStart hook: register session and auto-launch Agent Office Dashboard.
+# Reads JSON on stdin: {"session_id":"...","hook_event_name":"SessionStart","cwd":"..."}
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/flag-utils.sh"
+
+INPUT=$(cat) || exit 0
+CWD=$(echo "$INPUT" | jq -r '.cwd // "."' 2>/dev/null) || CWD="."
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // ""' 2>/dev/null) || SESSION_ID=""
+export CLAUDE_PROJECT_DIR="$CWD"
+
+# Check dashboard_enabled flag — exit silently if disabled
+agentops_dashboard_enabled || exit 0
+
+# ── Session Registry ─────────────────────────────────────────────────────────
+SAFE_HOME="${HOME:-$(cd ~ 2>/dev/null && pwd)}"
+if [ -z "$SAFE_HOME" ]; then
+  exit 0
+fi
+REGISTRY_DIR="${SAFE_HOME}/.agentops"
+REGISTRY_FILE="$REGISTRY_DIR/active-sessions.jsonl"
+mkdir -p "$REGISTRY_DIR" 2>/dev/null
+
+# Skip registry write if session_id is empty
+[ -z "$SESSION_ID" ] && exit 0
+
+# Append session metadata
+jq -nc \
+  --arg sid "$SESSION_ID" \
+  --arg dir "$CWD" \
+  --arg ts "$(date -u +%FT%TZ)" \
+  --arg pid "$$" \
+  '{session_id:$sid, project_dir:$dir, started_at:$ts, pid:($pid|tonumber)}' \
+  >> "$REGISTRY_FILE" 2>/dev/null
+
+# ── Dashboard Launch ─────────────────────────────────────────────────────────
+STATE_DIR="$CWD/.agentops"
+PID_FILE="$STATE_DIR/dashboard.pid"
+PLUGIN_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+mkdir -p "$STATE_DIR" 2>/dev/null
+
+# Ports used by the dashboard
+RELAY_PORT=3099
+NEXT_PORT=3100
+
+# Quick check: if dashboard is already running with valid PID file and both ports LISTENING, exit
+if [ -f "$PID_FILE" ] && lsof -iTCP:"$NEXT_PORT" -sTCP:LISTEN >/dev/null 2>&1 && lsof -iTCP:"$RELAY_PORT" -sTCP:LISTEN >/dev/null 2>&1; then
+  exit 0
+fi
+
+# Detach the full cleanup + launch sequence so the hook returns immediately.
+# This avoids the hook timeout (5s) killing the launch mid-flight.
+(
+  # Kill stale server processes on dashboard ports (only LISTEN sockets, not browser clients)
+  stale=false
+  for port in $RELAY_PORT $NEXT_PORT; do
+    pids=$(lsof -tiTCP:"$port" -sTCP:LISTEN 2>/dev/null) || true
+    if [ -n "$pids" ]; then
+      stale=true
+      echo "$pids" | xargs kill 2>/dev/null || true
+    fi
+  done
+
+  if [ "$stale" = true ]; then
+    rm -f "$PID_FILE"
+    # Wait for ports to actually be released (up to 5 seconds)
+    attempts=0
+    while [ $attempts -lt 10 ]; do
+      if ! lsof -tiTCP:"$RELAY_PORT" -sTCP:LISTEN >/dev/null 2>&1 && ! lsof -tiTCP:"$NEXT_PORT" -sTCP:LISTEN >/dev/null 2>&1; then
+        break
+      fi
+      sleep 0.5
+      attempts=$((attempts + 1))
+    done
+    # Force-kill if still hanging after graceful attempt
+    if [ $attempts -ge 10 ]; then
+      for port in $RELAY_PORT $NEXT_PORT; do
+        pids=$(lsof -tiTCP:"$port" -sTCP:LISTEN 2>/dev/null) || true
+        [ -n "$pids" ] && echo "$pids" | xargs kill -9 2>/dev/null || true
+      done
+      sleep 1
+    fi
+  fi
+
+  # Ensure both ports are free before launching (handles TIME_WAIT / slow teardown)
+  for port in $RELAY_PORT $NEXT_PORT; do
+    attempts=0
+    while lsof -tiTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1 && [ $attempts -lt 10 ]; do
+      sleep 0.5
+      attempts=$((attempts + 1))
+    done
+  done
+
+  # Launch relay + Next.js in background
+  DASHBOARD_BIN="$PLUGIN_ROOT/dashboard/node_modules/.bin"
+  LOG_DIR="$STATE_DIR"
+  DASHBOARD_DIR="$PLUGIN_ROOT/dashboard"
+
+  # Relay — must cd to CWD so relay.ts process.cwd() resolves .agentops/ correctly
+  nohup bash -c "cd '$CWD' && exec '$DASHBOARD_BIN/tsx' '$DASHBOARD_DIR/server/relay.ts'" > "$LOG_DIR/relay.log" 2>&1 &
+  RELAY_PID=$!
+
+  # Next.js — must run from dashboard dir for Turbopack to find src/app/
+  nohup bash -c "cd '$DASHBOARD_DIR' && exec '$DASHBOARD_BIN/next' dev --port $NEXT_PORT" > "$LOG_DIR/next.log" 2>&1 &
+  NEXT_PID=$!
+
+  echo "$RELAY_PID $NEXT_PID" > "$PID_FILE"
+
+  # Verify processes started — clean up if either died immediately
+  sleep 1
+  if ! kill -0 "$RELAY_PID" 2>/dev/null; then
+    kill "$NEXT_PID" 2>/dev/null || true
+    rm -f "$PID_FILE"
+    exit 0
+  fi
+  if ! kill -0 "$NEXT_PID" 2>/dev/null; then
+    kill "$RELAY_PID" 2>/dev/null || true
+    rm -f "$PID_FILE"
+    exit 0
+  fi
+
+  # Wait for the server to be ready, then open browser if no client is already connected
+  for _i in $(seq 1 30); do
+    if curl -s -o /dev/null "http://localhost:$NEXT_PORT" 2>/dev/null; then
+      # Query relay for connected client count — skip browser open if a tab is already open
+      CLIENT_COUNT=$(curl -s "http://localhost:$RELAY_PORT/api/clients" 2>/dev/null | jq -r '.count // 0' 2>/dev/null) || CLIENT_COUNT=0
+      if [ "$CLIENT_COUNT" -gt 0 ] 2>/dev/null; then
+        break
+      fi
+      if command -v open >/dev/null 2>&1; then
+        open "http://localhost:$NEXT_PORT"
+      elif command -v xdg-open >/dev/null 2>&1; then
+        xdg-open "http://localhost:$NEXT_PORT"
+      fi
+      break
+    fi
+    sleep 0.5
+  done
+) </dev/null >/dev/null 2>&1 &
+disown 2>/dev/null || true
+
+exit 0

package/hooks/enforcement-lib.sh

@@ -29,7 +29,8 @@ agentops_enforcement_action() {
     echo "allow"
     return
   fi
-  local MODE=$(agentops_mode)
+  local MODE
+  MODE=$(agentops_mode)
   if [ "$MODE" = "blocking" ]; then
     echo "deny"
   else
@@ -51,7 +52,8 @@ agentops_fail_closed() {
 
 # Returns "block" in blocking mode, "approve" in advisory mode (for Stop hooks).
 agentops_stop_action() {
-  local MODE=$(agentops_mode)
+  local MODE
+  MODE=$(agentops_mode)
   if [ "$MODE" = "blocking" ]; then
     echo "block"
   else

package/hooks/feature-flags.sh

@@ -32,6 +32,10 @@ source "${_AGENTOPS_LIB_DIR}/evolve-lib.sh"
 #                                 Unicode anomalies, suspicious registries, and
 #                                 malformed integrity hashes.
 
+# ── Dashboard Flags ────────────────────────────────────────────────────────
+# dashboard_enabled             Controls auto-launch of Agent Office Dashboard
+#                               on session start.  Default: true.
+
 # ── Enterprise Extension Flags ──────────────────────────────────────────────
 # These flags gate the enterprise delivery framework capabilities.
 # All default to "true" via agentops_flag's default mechanism.

package/hooks/flag-utils.sh

@@ -45,3 +45,9 @@ agentops_enterprise_enabled() {
   local FLAG="$1"
   [ "$(agentops_flag "$FLAG" "true")" = "true" ]
 }
+
+# Dashboard flag — controls auto-launch of Agent Office Dashboard.
+# Usage: agentops_dashboard_enabled && launch_dashboard
+agentops_dashboard_enabled() {
+  [ "$(agentops_flag "dashboard_enabled" "true")" = "true" ]
+}

package/hooks/hooks.json

@@ -11,7 +11,8 @@
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/budget-check.sh", "timeout": 10 },
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/unicode-scan-session.sh", "timeout": 30 },
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/integrity-verify.sh", "timeout": 15 },
-          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/lockfile-audit.sh", "timeout": 15 }
+          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/lockfile-audit.sh", "timeout": 15 },
+          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/dashboard-launch.sh", "timeout": 5 }
         ]
       }
     ],
@@ -54,6 +55,12 @@
         "hooks": [
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/unicode-firewall.sh", "timeout": 5 }
         ]
+      },
+      {
+        "matcher": "Bash|Read|Write|Edit|Glob|Grep|WebFetch|WebSearch|mcp__.*",
+        "hooks": [
+          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/telemetry.sh", "timeout": 10, "async": true }
+        ]
       }
     ],
     "PostToolUse": [

package/hooks/integrity-verify.sh

@@ -27,7 +27,7 @@ if [ "$EVENT" = "PostToolUse" ]; then
       [ -z "$HASH" ] && exit 0
 
       # Make path relative to project for portability
-      REL_PATH="${FILE_PATH#$PROJECT_DIR/}"
+      REL_PATH="${FILE_PATH#"$PROJECT_DIR"/}"
 
       SESSION=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null)
       TS=$(date -u +%FT%TZ)
@@ -69,7 +69,7 @@ if [ "$EVENT" = "SessionStart" ]; then
 
     if [ "$ACTUAL" != "$EXPECTED" ]; then
       MISMATCH_COUNT=$((MISMATCH_COUNT + 1))
-      REL="${ABS#$PROJECT_DIR/}"
+      REL="${ABS#"$PROJECT_DIR"/}"
       MISMATCHES="${MISMATCHES}\n  - ${REL} (expected: ${EXPECTED:0:12}... got: ${ACTUAL:0:12}...)"
     fi
   done

package/hooks/lockfile-audit.sh

@@ -46,7 +46,7 @@ done
 
 # ── Check 1: Unicode anomalies in lockfiles ─────────────────────────────────
 for LF in "${LOCKFILES[@]}"; do
-  REL="${LF#$PROJECT_DIR/}"
+  REL="${LF#"$PROJECT_DIR"/}"
 
   # Invisible Unicode check
   if unicode_detect_file "$LF"; then

package/hooks/patterns-lib.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 # Shared patterns, thresholds, and protected path constants.
 # Sourced by: feature-flags.sh (facade)
+# shellcheck disable=SC2034  # Shared constants file; variables may be used by sourcing scripts
 
 # ── Shared thresholds ────────────────────────────────────────────────────────
 # Number of modified files before plan/test/compliance gates trigger.

package/hooks/session-cleanup.sh

@@ -3,10 +3,33 @@ set -uo pipefail
 
 INPUT=$(cat) || exit 0
 CWD=$(echo "$INPUT" | jq -r '.cwd // "."' 2>/dev/null) || CWD="."
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // ""' 2>/dev/null) || SESSION_ID=""
 STATE_DIR="${CWD}/.agentops"
 
 mkdir -p "$STATE_DIR" 2>/dev/null
 
+# ── Session Registry Cleanup ─────────────────────────────────────────────────
+# Remove previous session entry from the global active-sessions registry.
+SAFE_HOME="${HOME:-$(cd ~ 2>/dev/null && pwd)}"
+REGISTRY_FILE="${SAFE_HOME}/.agentops/active-sessions.jsonl"
+if [ -n "$SESSION_ID" ] && [ -f "$REGISTRY_FILE" ]; then
+  LOCK_FILE="${REGISTRY_FILE}.lock"
+  TMP_REG=$(mktemp)
+  trap 'rm -f "$TMP_REG" "$LOCK_FILE"' EXIT
+  # Advisory lock to prevent concurrent read-modify-write races
+  (
+    if command -v flock >/dev/null 2>&1; then
+      flock -w 5 200
+    fi
+    # Use jq for exact field matching (not regex) to avoid injection via session_id
+    while IFS= read -r line; do
+      sid=$(echo "$line" | jq -r '.session_id // ""' 2>/dev/null) || sid=""
+      [ "$sid" != "$SESSION_ID" ] && echo "$line"
+    done < "$REGISTRY_FILE" > "$TMP_REG" 2>/dev/null || true
+    mv "$TMP_REG" "$REGISTRY_FILE" 2>/dev/null || true
+  ) 200>"$LOCK_FILE"
+fi
+
 # Mark session start time for staleness checks
 date -u +%FT%TZ > "${STATE_DIR}/session-start" 2>/dev/null
 

package/hooks/telemetry.sh

@@ -10,11 +10,12 @@ TS=$(date -u +%FT%TZ)
 EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // "unknown"' 2>/dev/null) || EVENT="unknown"
 SESSION=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null) || SESSION="unknown"
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // ""' 2>/dev/null) || TOOL=""
+CWD=$(echo "$INPUT" | jq -r '.cwd // ""' 2>/dev/null) || CWD=""
 
 jq -nc \
   --arg ts "$TS" --arg event "$EVENT" --arg session "$SESSION" \
-  --arg tool "$TOOL" \
-  '{ts:$ts, event:$event, session:$session, tool:$tool}' >> "$LOG_FILE" 2>/dev/null || true
+  --arg tool "$TOOL" --arg cwd "$CWD" \
+  '{ts:$ts, event:$event, session:$session, tool:$tool, cwd:$cwd}' >> "$LOG_FILE" 2>/dev/null || true
 
 # Forward to OTLP if configured — validate endpoint with hostname allowlist
 if [ -n "${OTLP_ENDPOINT:-}" ]; then
@@ -52,14 +53,14 @@ if [ -n "${OTLP_ENDPOINT:-}" ]; then
 
   PAYLOAD=$(tail -1 "$LOG_FILE" 2>/dev/null) || true
   if [ -n "$PAYLOAD" ]; then
-    AUTH_HEADER=""
+    CURL_ARGS=(
+      -sf --max-time 10 --connect-timeout 5 --no-location
+      -X POST "$OTLP_ENDPOINT/v1/logs"
+      -H "Content-Type: application/json"
+    )
     if [ -n "${OTLP_AUTH_TOKEN:-}" ]; then
-      AUTH_HEADER="-H \"Authorization: Bearer ${OTLP_AUTH_TOKEN}\""
+      CURL_ARGS+=(-H "Authorization: Bearer ${OTLP_AUTH_TOKEN}")
     fi
-    eval curl -sf --max-time 10 --connect-timeout 5 --no-location \
-      -X POST "$OTLP_ENDPOINT/v1/logs" \
-      -H "Content-Type: application/json" \
-      $AUTH_HEADER \
-      -d "'$PAYLOAD'" '&>/dev/null &'
+    printf '%s' "$PAYLOAD" | curl "${CURL_ARGS[@]}" --data-binary @- &>/dev/null &
   fi
 fi

package/hooks/unicode-lib.sh

@@ -15,9 +15,9 @@ UNICODE_PATTERN='[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}\x{202A}-\x{202E}\x{
 #        unicode_detect "filepath"
 unicode_detect() {
   if [ $# -gt 0 ]; then
-    perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" "$1" 2>/dev/null
+    perl -CSD -ne "BEGIN{\$r=1} if (/$UNICODE_PATTERN/) {\$r=0;last} END{exit \$r}" "$1" 2>/dev/null
   else
-    perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" 2>/dev/null
+    perl -CSD -ne "BEGIN{\$r=1} if (/$UNICODE_PATTERN/) {\$r=0;last} END{exit \$r}" 2>/dev/null
   fi
 }
 
@@ -25,7 +25,6 @@ unicode_detect() {
 # Usage: unicode_classify < file    OR    echo "$text" | unicode_classify
 #        unicode_classify "filepath"
 unicode_classify() {
-  local _ARGS=("$@")
   perl -CSD -ne '
     BEGIN { %c = () }
     $c{"zero-width chars"}++            if /[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/;
@@ -34,7 +33,7 @@ unicode_classify() {
     $c{"tag characters"}++              if /[\x{E0001}-\x{E007F}]/;
     $c{"variation sel. supplement"}++   if /[\x{E0100}-\x{E01EF}]/;
     END { print join(", ", sort keys %c) if %c }
-  ' "${_ARGS[@]}" 2>/dev/null
+  ' "$@" 2>/dev/null
 }
 
 # Count affected lines.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@garethdaine/agentops",
-  "version": "0.9.3",
+  "version": "0.10.0",
   "description": "Enterprise guardrails, delivery lifecycle, and self-evolution for Claude Code CLI",
   "author": {
     "name": "Gareth Daine",