@hasna/accounts 0.1.7 → 0.1.9

package/dist/cli.js

@@ -992,7 +992,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          } else {}
+          }
         };
       }
       return this;
@@ -4307,7 +4307,7 @@ var require_config = __commonJS((exports) => {
   };
   var filePromises = {};
   var fileIntercept = {};
-  var readFile = (path, options) => {
+  var readFile2 = (path, options) => {
     if (fileIntercept[path] !== undefined) {
       return fileIntercept[path];
     }
@@ -4330,10 +4330,10 @@ var require_config = __commonJS((exports) => {
       resolvedConfigFilepath = node_path.join(homeDir, configFilepath.slice(2));
     }
     const parsedFiles = await Promise.all([
-      readFile(resolvedConfigFilepath, {
+      readFile2(resolvedConfigFilepath, {
         ignoreCache: init.ignoreCache
       }).then(parseIni).then(getConfigData).catch(swallowError$1),
-      readFile(resolvedFilepath, {
+      readFile2(resolvedFilepath, {
         ignoreCache: init.ignoreCache
       }).then(parseIni).catch(swallowError$1)
     ]);
@@ -4344,7 +4344,7 @@ var require_config = __commonJS((exports) => {
   };
   var getSsoSessionData = (data) => Object.entries(data).filter(([key]) => key.startsWith(types2.IniSectionType.SSO_SESSION + CONFIG_PREFIX_SEPARATOR)).reduce((acc, [key, value]) => ({ ...acc, [key.substring(key.indexOf(CONFIG_PREFIX_SEPARATOR) + 1)]: value }), {});
   var swallowError = () => ({});
-  var loadSsoSessionData = async (init = {}) => readFile(init.configFilepath ?? getConfigFilepath()).then(parseIni).then(getSsoSessionData).catch(swallowError);
+  var loadSsoSessionData = async (init = {}) => readFile2(init.configFilepath ?? getConfigFilepath()).then(parseIni).then(getSsoSessionData).catch(swallowError);
   var mergeConfigFiles = (...files) => {
     const merged = {};
     for (const file of files) {
@@ -4711,7 +4711,7 @@ var require_config = __commonJS((exports) => {
   exports.nodeFipsConfigSelectors = nodeFipsConfigSelectors;
   exports.numberSelector = numberSelector;
   exports.parseKnownFiles = parseKnownFiles;
-  exports.readFile = readFile;
+  exports.readFile = readFile2;
   exports.resolveCustomEndpointsConfig = resolveCustomEndpointsConfig;
   exports.resolveDefaultsModeConfig = resolveDefaultsModeConfig;
   exports.resolveEndpointsConfig = resolveEndpointsConfig;
@@ -5760,19 +5760,19 @@ var require_serde = __commonJS((exports) => {
   };
   var strictParseDouble = (value) => {
     if (typeof value == "string") {
-      return expectNumber(parseNumber(value));
+      return expectNumber(parseNumber2(value));
     }
     return expectNumber(value);
   };
   var strictParseFloat = strictParseDouble;
   var strictParseFloat32 = (value) => {
     if (typeof value == "string") {
-      return expectFloat32(parseNumber(value));
+      return expectFloat32(parseNumber2(value));
     }
     return expectFloat32(value);
   };
   var NUMBER_REGEX = /(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)|(-?Infinity)|(NaN)/g;
-  var parseNumber = (value) => {
+  var parseNumber2 = (value) => {
     const matches = value.match(NUMBER_REGEX);
     if (matches === null || matches[0].length !== value.length) {
       throw new TypeError(`Expected real number, got implicit NaN`);
@@ -5807,26 +5807,26 @@ var require_serde = __commonJS((exports) => {
   };
   var strictParseLong = (value) => {
     if (typeof value === "string") {
-      return expectLong(parseNumber(value));
+      return expectLong(parseNumber2(value));
     }
     return expectLong(value);
   };
   var strictParseInt = strictParseLong;
   var strictParseInt32 = (value) => {
     if (typeof value === "string") {
-      return expectInt32(parseNumber(value));
+      return expectInt32(parseNumber2(value));
     }
     return expectInt32(value);
   };
   var strictParseShort = (value) => {
     if (typeof value === "string") {
-      return expectShort(parseNumber(value));
+      return expectShort(parseNumber2(value));
     }
     return expectShort(value);
   };
   var strictParseByte = (value) => {
     if (typeof value === "string") {
-      return expectByte(parseNumber(value));
+      return expectByte(parseNumber2(value));
     }
     return expectByte(value);
   };
@@ -12259,7 +12259,7 @@ var require_es5 = __commonJS((exports, module) => {
 
 // node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.js
 var require_client2 = __commonJS((exports) => {
-  var __dirname = "/home/hasna/workspace/hasna/opensource/open-accounts/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
+  var __dirname = "/tmp/open-accounts-events-release-384975/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
   var retry = require_retry();
   var protocols = require_protocols();
   var lambdaInvokeStore = require_invoke_store();
@@ -14153,8 +14153,8 @@ ${serde.toHex(hashedRequest)}`;
         throw new Error("Resolved credential object is not valid");
       }
     }
-    formatDate(now) {
-      const longDate = iso8601(now).replace(/[\-:]/g, "");
+    formatDate(now2) {
+      const longDate = iso8601(now2).replace(/[\-:]/g, "");
       return {
         longDate,
         shortDate: longDate.slice(0, 8)
@@ -19955,8 +19955,8 @@ var require_s3 = __commonJS((exports) => {
       delete this.data[key];
     }
     async purgeExpired() {
-      const now = Date.now();
-      if (this.lastPurgeTime + S3ExpressIdentityCache.EXPIRED_CREDENTIAL_PURGE_INTERVAL_MS > now) {
+      const now2 = Date.now();
+      if (this.lastPurgeTime + S3ExpressIdentityCache.EXPIRED_CREDENTIAL_PURGE_INTERVAL_MS > now2) {
         return;
       }
       for (const key in this.data) {
@@ -19964,7 +19964,7 @@ var require_s3 = __commonJS((exports) => {
         if (!entry.isRefreshing) {
           const credential = await entry.identity;
           if (credential.expiration) {
-            if (credential.expiration.getTime() < now) {
+            if (credential.expiration.getTime() < now2) {
               delete this.data[key];
             }
           }
@@ -30963,11 +30963,11 @@ var require_dist_cjs15 = __commonJS((exports) => {
       throw new config.TokenProviderError(`Value not present for '${key}' in SSO Token${forRefresh ? ". Cannot refresh" : ""}. ${REFRESH_MESSAGE}`, false);
     }
   };
-  var { writeFile } = node_fs.promises;
+  var { writeFile: writeFile2 } = node_fs.promises;
   var writeSSOTokenToFile = (id, ssoToken) => {
     const tokenFilepath = config.getSSOTokenFilepath(id);
     const tokenString = JSON.stringify(ssoToken, null, 2);
-    return writeFile(tokenFilepath, tokenString);
+    return writeFile2(tokenFilepath, tokenString);
   };
   var lastRefreshAttemptTime = new Date(0);
   var fromSso = (init = {}) => async ({ callerClientConfig } = {}) => {
@@ -32364,9 +32364,9 @@ var require_dist_cjs17 = __commonJS((exports) => {
         throw new config.CredentialsProviderError(`Failed to load a token for session ${this.loginSession}, please re-authenticate using aws login`, { tryNextLink: false, logger: this.logger });
       }
       const accessToken = token.accessToken;
-      const now = Date.now();
+      const now2 = Date.now();
       const expiryTime = new Date(accessToken.expiresAt).getTime();
-      const timeUntilExpiry = expiryTime - now;
+      const timeUntilExpiry = expiryTime - now2;
       if (timeUntilExpiry <= LoginCredentialsFetcher.REFRESH_THRESHOLD) {
         return this.refresh(token);
       }
@@ -36797,9 +36797,9 @@ var require_dist_cjs22 = __commonJS((exports) => {
 
 // src/cli.ts
 import { spawnSync as spawnSync2 } from "node:child_process";
-import { existsSync as existsSync10, readFileSync as readFileSync6 } from "node:fs";
-import { homedir as homedir5 } from "node:os";
-import { dirname as dirname5, join as join11 } from "node:path";
+import { existsSync as existsSync12, readFileSync as readFileSync7 } from "node:fs";
+import { homedir as homedir6 } from "node:os";
+import { dirname as dirname5, join as join12 } from "node:path";
 import { fileURLToPath } from "node:url";
 
 // node_modules/commander/esm.mjs
@@ -36818,6 +36818,684 @@ var {
   Help
 } = import__.default;
 
+// node_modules/@hasna/events/dist/commander.js
+import { chmod, mkdir, readFile, rename, writeFile } from "fs/promises";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { createHmac, timingSafeEqual } from "crypto";
+import { randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { randomUUID as randomUUID2 } from "crypto";
+function getPathValue(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return;
+  }, input);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`);
+}
+function matchString(value, matcher) {
+  if (matcher === undefined)
+    return true;
+  if (value === undefined)
+    return false;
+  const matchers = Array.isArray(matcher) ? matcher : [matcher];
+  return matchers.some((item) => wildcardToRegExp(item).test(value));
+}
+function matchRecord(input, matcher) {
+  if (!matcher)
+    return true;
+  return Object.entries(matcher).every(([path, expected]) => {
+    const actual = getPathValue(input, path);
+    if (typeof expected === "string" || Array.isArray(expected)) {
+      return matchString(actual === undefined ? undefined : String(actual), expected);
+    }
+    return actual === expected;
+  });
+}
+function eventMatchesFilter(event, filter) {
+  return matchString(event.source, filter.source) && matchString(event.type, filter.type) && matchString(event.subject, filter.subject) && matchString(event.severity, filter.severity) && matchRecord(event.data, filter.data) && matchRecord(event.metadata, filter.metadata);
+}
+function channelMatchesEvent(channel, event) {
+  if (!channel.enabled)
+    return false;
+  if (!channel.filters || channel.filters.length === 0)
+    return true;
+  return channel.filters.some((filter) => eventMatchesFilter(event, filter));
+}
+var HASNA_EVENTS_DIR_ENV = "HASNA_EVENTS_DIR";
+var HASNA_EVENTS_HOME_ENV = "HASNA_EVENTS_HOME";
+function getEventsDataDir(override) {
+  return override || process.env[HASNA_EVENTS_DIR_ENV] || process.env[HASNA_EVENTS_HOME_ENV] || join(homedir(), ".hasna", "events");
+}
+
+class JsonEventsStore {
+  dataDir;
+  channelsPath;
+  eventsPath;
+  deliveriesPath;
+  constructor(dataDir = getEventsDataDir()) {
+    this.dataDir = dataDir;
+    this.channelsPath = join(dataDir, "channels.json");
+    this.eventsPath = join(dataDir, "events.json");
+    this.deliveriesPath = join(dataDir, "deliveries.json");
+  }
+  async init() {
+    await mkdir(this.dataDir, { recursive: true, mode: 448 });
+    await chmod(this.dataDir, 448).catch(() => {
+      return;
+    });
+    await this.ensureArrayFile(this.channelsPath);
+    await this.ensureArrayFile(this.eventsPath);
+    await this.ensureArrayFile(this.deliveriesPath);
+  }
+  async addChannel(channel) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const index = channels.findIndex((item) => item.id === channel.id);
+    if (index >= 0) {
+      channels[index] = { ...channel, createdAt: channels[index].createdAt, updatedAt: new Date().toISOString() };
+    } else {
+      channels.push(channel);
+    }
+    await this.writeJson(this.channelsPath, channels);
+    return index >= 0 ? channels[index] : channel;
+  }
+  async listChannels() {
+    await this.init();
+    return this.readJson(this.channelsPath, []);
+  }
+  async getChannel(id) {
+    const channels = await this.listChannels();
+    return channels.find((channel) => channel.id === id);
+  }
+  async removeChannel(id) {
+    await this.init();
+    const channels = await this.readJson(this.channelsPath, []);
+    const next = channels.filter((channel) => channel.id !== id);
+    await this.writeJson(this.channelsPath, next);
+    return next.length !== channels.length;
+  }
+  async appendEvent(event) {
+    await this.init();
+    const events = await this.readJson(this.eventsPath, []);
+    events.push(event);
+    await this.writeJson(this.eventsPath, events);
+    return event;
+  }
+  async listEvents() {
+    await this.init();
+    return this.readJson(this.eventsPath, []);
+  }
+  async findEventByIdentity(identity) {
+    const events = await this.listEvents();
+    return events.find((event) => identity.id !== undefined && event.id === identity.id || identity.dedupeKey !== undefined && event.dedupeKey === identity.dedupeKey);
+  }
+  async appendDelivery(result) {
+    await this.init();
+    const deliveries = await this.readJson(this.deliveriesPath, []);
+    deliveries.push(result);
+    await this.writeJson(this.deliveriesPath, deliveries);
+    return result;
+  }
+  async listDeliveries() {
+    await this.init();
+    return this.readJson(this.deliveriesPath, []);
+  }
+  async exportData() {
+    return {
+      channels: await this.listChannels(),
+      events: await this.listEvents(),
+      deliveries: await this.listDeliveries()
+    };
+  }
+  async ensureArrayFile(path) {
+    if (!existsSync(path)) {
+      await writeFile(path, `[]
+`, { encoding: "utf-8", mode: 384 });
+    }
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+  async readJson(path, fallback) {
+    try {
+      const raw = await readFile(path, "utf-8");
+      if (!raw.trim())
+        return fallback;
+      return JSON.parse(raw);
+    } catch (error) {
+      if (error.code === "ENOENT")
+        return fallback;
+      throw error;
+    }
+  }
+  async writeJson(path, value) {
+    const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile(tempPath, `${JSON.stringify(value, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+    await rename(tempPath, path);
+    await chmod(path, 384).catch(() => {
+      return;
+    });
+  }
+}
+var DEFAULT_SIGNATURE_TOLERANCE_MS = 5 * 60 * 1000;
+function buildSignatureBase(timestamp, body) {
+  return `${timestamp}.${body}`;
+}
+function signPayload(secret, timestamp, body) {
+  const digest = createHmac("sha256", secret).update(buildSignatureBase(timestamp, body)).digest("hex");
+  return `sha256=${digest}`;
+}
+function now() {
+  return new Date().toISOString();
+}
+function truncate(value, max = 4096) {
+  return value.length > max ? `${value.slice(0, max)}...` : value;
+}
+function buildWebhookRequest(event, channel) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const body = JSON.stringify(event);
+  const timestamp = event.time;
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "@hasna/events",
+    "X-Hasna-Event-Id": event.id,
+    "X-Hasna-Event-Type": event.type,
+    "X-Hasna-Timestamp": timestamp,
+    ...channel.webhook.headers
+  };
+  if (channel.webhook.secret) {
+    headers["X-Hasna-Signature"] = signPayload(channel.webhook.secret, timestamp, body);
+  }
+  return { body, headers };
+}
+async function dispatchWebhook(event, channel, options = {}) {
+  if (!channel.webhook)
+    throw new Error(`Channel ${channel.id} has no webhook config`);
+  const startedAt = now();
+  const { body, headers } = buildWebhookRequest(event, channel);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), channel.webhook.timeoutMs ?? 15000);
+  try {
+    const response = await (options.fetchImpl ?? fetch)(channel.webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: controller.signal
+    });
+    const responseBody = truncate(await response.text());
+    return {
+      attempt: 1,
+      status: response.ok ? "success" : "failed",
+      startedAt,
+      completedAt: now(),
+      responseStatus: response.status,
+      responseBody,
+      error: response.ok ? undefined : `Webhook returned HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      attempt: 1,
+      status: "failed",
+      startedAt,
+      completedAt: now(),
+      error: error instanceof Error ? error.message : String(error)
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function dispatchCommand(event, channel) {
+  if (!channel.command)
+    throw new Error(`Channel ${channel.id} has no command config`);
+  const startedAt = now();
+  const eventJson = JSON.stringify(event);
+  const env = {
+    ...process.env,
+    ...channel.command.env,
+    HASNA_CHANNEL_ID: channel.id,
+    HASNA_EVENT_ID: event.id,
+    HASNA_EVENT_TYPE: event.type,
+    HASNA_EVENT_SOURCE: event.source,
+    HASNA_EVENT_SUBJECT: event.subject ?? "",
+    HASNA_EVENT_SEVERITY: event.severity,
+    HASNA_EVENT_TIME: event.time,
+    HASNA_EVENT_DEDUPE_KEY: event.dedupeKey ?? "",
+    HASNA_EVENT_SCHEMA_VERSION: event.schemaVersion,
+    HASNA_EVENT_JSON: eventJson
+  };
+  return new Promise((resolve) => {
+    const child = spawn(channel.command.command, channel.command.args ?? [], {
+      cwd: channel.command.cwd,
+      env,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    const timeout = setTimeout(() => child.kill("SIGTERM"), channel.command.timeoutMs ?? 15000);
+    child.stdin.end(eventJson);
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      resolve({
+        attempt: 1,
+        status: "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: error.message
+      });
+    });
+    child.on("close", (code, signal) => {
+      clearTimeout(timeout);
+      const success = code === 0;
+      resolve({
+        attempt: 1,
+        status: success ? "success" : "failed",
+        startedAt,
+        completedAt: now(),
+        stdout: truncate(stdout),
+        stderr: truncate(stderr),
+        error: success ? undefined : `Command exited with ${signal ? `signal ${signal}` : `code ${code}`}`
+      });
+    });
+  });
+}
+async function dispatchChannel(event, channel, options = {}) {
+  if (channel.transport === "webhook")
+    return dispatchWebhook(event, channel, options);
+  if (channel.transport === "command")
+    return dispatchCommand(event, channel);
+  return {
+    attempt: 1,
+    status: "skipped",
+    startedAt: now(),
+    completedAt: now(),
+    error: `Unsupported transport: ${channel.transport}`
+  };
+}
+function createDeliveryResult(event, channel, attempts) {
+  const status = attempts.some((attempt) => attempt.status === "success") ? "success" : attempts.every((attempt) => attempt.status === "skipped") ? "skipped" : "failed";
+  return {
+    id: randomUUID(),
+    eventId: event.id,
+    channelId: channel.id,
+    transport: channel.transport,
+    status,
+    attempts,
+    createdAt: attempts[0]?.startedAt ?? now(),
+    completedAt: attempts.at(-1)?.completedAt ?? now()
+  };
+}
+function createEvent(input) {
+  return {
+    id: input.id ?? randomUUID2(),
+    source: input.source,
+    type: input.type,
+    time: normalizeTime(input.time),
+    subject: input.subject,
+    severity: input.severity ?? "info",
+    data: input.data ?? {},
+    message: input.message,
+    dedupeKey: input.dedupeKey,
+    schemaVersion: input.schemaVersion ?? "1.0",
+    metadata: input.metadata ?? {}
+  };
+}
+
+class EventsClient {
+  store;
+  redactors;
+  transportOptions;
+  constructor(options = {}) {
+    this.store = options.store ?? new JsonEventsStore(options.dataDir);
+    this.redactors = options.redactors ?? [];
+    this.transportOptions = { fetchImpl: options.fetchImpl };
+  }
+  async addChannel(input) {
+    const timestamp = new Date().toISOString();
+    return this.store.addChannel({
+      ...input,
+      createdAt: input.createdAt ?? timestamp,
+      updatedAt: input.updatedAt ?? timestamp
+    });
+  }
+  async listChannels() {
+    return this.store.listChannels();
+  }
+  async removeChannel(id) {
+    return this.store.removeChannel(id);
+  }
+  async emit(input, options = {}) {
+    const event = options.redactSensitiveData === false ? createEvent(input) : redactSensitiveKeys(createEvent(input));
+    if (options.dedupe !== false) {
+      const existing = await this.store.findEventByIdentity({ id: input.id, dedupeKey: event.dedupeKey });
+      if (existing) {
+        return { event: existing, deliveries: [], deduped: true };
+      }
+    }
+    await this.store.appendEvent(event);
+    const deliveries = options.deliver === false ? [] : await this.deliver(event);
+    return { event, deliveries, deduped: false };
+  }
+  async listEvents() {
+    return this.store.listEvents();
+  }
+  async listDeliveries() {
+    return this.store.listDeliveries();
+  }
+  async deliver(event) {
+    const channels = await this.store.listChannels();
+    const selected = channels.filter((channel) => channelMatchesEvent(channel, event));
+    const deliveries = [];
+    for (const channel of selected) {
+      const eventForChannel = await this.applyRedaction(event, channel);
+      const result = await this.deliverWithRetry(eventForChannel, channel);
+      await this.store.appendDelivery(result);
+      deliveries.push(result);
+    }
+    return deliveries;
+  }
+  async testChannel(id, input = {}) {
+    const channel = await this.store.getChannel(id);
+    if (!channel)
+      throw new Error(`Channel not found: ${id}`);
+    const event = createEvent({
+      source: input.source ?? "hasna.events",
+      type: input.type ?? "events.test",
+      subject: input.subject ?? id,
+      severity: input.severity ?? "info",
+      data: input.data ?? { test: true },
+      message: input.message ?? "Hasna events test delivery",
+      dedupeKey: input.dedupeKey,
+      schemaVersion: input.schemaVersion,
+      metadata: input.metadata,
+      time: input.time,
+      id: input.id
+    });
+    const eventForChannel = await this.applyRedaction(event, channel);
+    const result = await this.deliverWithRetry(eventForChannel, channel);
+    await this.store.appendDelivery(result);
+    return result;
+  }
+  async replay(options = {}) {
+    const events = (await this.store.listEvents()).filter((event) => {
+      if (options.eventId && event.id !== options.eventId)
+        return false;
+      if (options.source && event.source !== options.source)
+        return false;
+      if (options.type && event.type !== options.type)
+        return false;
+      return true;
+    });
+    if (options.dryRun)
+      return { events, deliveries: [] };
+    const deliveries = [];
+    for (const event of events) {
+      deliveries.push(...await this.deliver(event));
+    }
+    return { events, deliveries };
+  }
+  async applyRedaction(event, channel) {
+    let next = redactPaths(event, channel.redact?.paths ?? [], channel.redact?.replacement ?? "[REDACTED]");
+    for (const redactor of this.redactors) {
+      next = await redactor(next, channel);
+    }
+    return next;
+  }
+  async deliverWithRetry(event, channel) {
+    const policy = normalizeRetryPolicy(channel.retry);
+    const attempts = [];
+    for (let index = 0;index < policy.maxAttempts; index += 1) {
+      const attempt = await dispatchChannel(event, channel, this.transportOptions);
+      attempt.attempt = index + 1;
+      if (attempt.status === "failed" && index + 1 < policy.maxAttempts) {
+        attempt.nextBackoffMs = Math.round(policy.backoffMs * policy.multiplier ** index);
+      }
+      attempts.push(attempt);
+      if (attempt.status !== "failed")
+        break;
+      if (attempt.nextBackoffMs)
+        await Bun.sleep(attempt.nextBackoffMs);
+    }
+    return createDeliveryResult(event, channel, attempts);
+  }
+}
+function redactPaths(event, paths, replacement = "[REDACTED]") {
+  if (paths.length === 0)
+    return event;
+  const copy = structuredClone(event);
+  for (const path of paths) {
+    setPath(copy, path, replacement);
+  }
+  return copy;
+}
+function sanitizeChannelForOutput(channel) {
+  const copy = structuredClone(channel);
+  if (copy.webhook?.secret)
+    copy.webhook.secret = "[REDACTED]";
+  if (copy.command?.env) {
+    copy.command.env = Object.fromEntries(Object.entries(copy.command.env).map(([key, value]) => [key, shouldRedactKey(key) ? "[REDACTED]" : value]));
+  }
+  return copy;
+}
+function sanitizeChannelsForOutput(channels) {
+  return channels.map(sanitizeChannelForOutput);
+}
+function redactSensitiveKeys(event, replacement = "[REDACTED]") {
+  return redactValue(event, replacement);
+}
+function shouldRedactKey(key) {
+  return /secret|token|password|api[_-]?key|authorization/i.test(key);
+}
+function redactValue(value, replacement) {
+  if (Array.isArray(value))
+    return value.map((item) => redactValue(item, replacement));
+  if (!value || typeof value !== "object")
+    return value;
+  return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+    key,
+    shouldRedactKey(key) ? replacement : redactValue(item, replacement)
+  ]));
+}
+function setPath(input, path, replacement) {
+  const parts = path.split(".");
+  let cursor = input;
+  for (const part of parts.slice(0, -1)) {
+    const next = cursor[part];
+    if (!next || typeof next !== "object")
+      return;
+    cursor = next;
+  }
+  const last = parts.at(-1);
+  if (last && last in cursor)
+    cursor[last] = replacement;
+}
+function normalizeTime(value) {
+  if (!value)
+    return new Date().toISOString();
+  return value instanceof Date ? value.toISOString() : value;
+}
+function normalizeRetryPolicy(policy) {
+  return {
+    maxAttempts: Math.max(1, policy?.maxAttempts ?? 1),
+    backoffMs: Math.max(0, policy?.backoffMs ?? 250),
+    multiplier: Math.max(1, policy?.multiplier ?? 2)
+  };
+}
+function parseJsonObject(value, fallback) {
+  if (!value)
+    return fallback;
+  const parsed = JSON.parse(value);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("Expected a JSON object");
+  }
+  return parsed;
+}
+function parseHeaders(values) {
+  if (!values?.length)
+    return;
+  const headers = {};
+  for (const value of values) {
+    const separator = value.indexOf("=");
+    if (separator === -1)
+      throw new Error(`Invalid header, expected name=value: ${value}`);
+    headers[value.slice(0, separator)] = value.slice(separator + 1);
+  }
+  return headers;
+}
+function parseFilter(options) {
+  const filter2 = {};
+  if (options.source)
+    filter2.source = options.source;
+  if (options.type)
+    filter2.type = options.type;
+  if (options.subject)
+    filter2.subject = options.subject;
+  if (options.severity)
+    filter2.severity = options.severity;
+  return Object.keys(filter2).length > 0 ? [filter2] : undefined;
+}
+function createClient(options) {
+  if (options.createClient)
+    return options.createClient();
+  return new EventsClient({ store: new JsonEventsStore(options.dataDir) });
+}
+function print(value, json, text) {
+  if (json)
+    console.log(JSON.stringify(value, null, 2));
+  else
+    console.log(text);
+}
+function registerWebhookCommands(program2, options) {
+  const webhooks = program2.command(options.webhooksCommandName ?? "webhooks").description("Manage Hasna event webhook subscriptions");
+  webhooks.command("add").description("Add or replace a webhook or command subscription").argument("<target>", "Webhook URL or command binary").requiredOption("--id <id>", "Subscription/channel identifier").option("--transport <kind>", "Transport kind: webhook or command", "webhook").option("--name <name>", "Display name").option("--type <pattern>", "Event type filter, e.g. todos.task.*").option("--source <pattern>", "Event source filter").option("--subject <pattern>", "Event subject filter").option("--severity <pattern>", "Event severity filter").option("--secret <secret>", "Webhook HMAC secret").option("--header <name=value...>", "Webhook header", collectValues, []).option("--arg <arg...>", "Command argument", collectValues, []).option("--timeout-ms <ms>", "Transport timeout in milliseconds", parseNumber).option("--retry-attempts <n>", "Maximum delivery attempts", parseNumber).option("--retry-backoff-ms <ms>", "Initial retry backoff in milliseconds", parseNumber).option("--redact <path...>", "Event field path to redact before delivery", collectValues, []).option("--disabled", "Create channel disabled", false).option("-j, --json", "Print JSON output", false).action(async (target, actionOptions) => {
+    const timestamp = new Date().toISOString();
+    const channel = {
+      id: actionOptions.id,
+      name: actionOptions.name,
+      enabled: !actionOptions.disabled,
+      transport: actionOptions.transport,
+      filters: parseFilter(actionOptions),
+      retry: actionOptions.retryAttempts || actionOptions.retryBackoffMs ? { maxAttempts: actionOptions.retryAttempts, backoffMs: actionOptions.retryBackoffMs } : undefined,
+      redact: actionOptions.redact?.length ? { paths: actionOptions.redact } : undefined,
+      createdAt: timestamp,
+      updatedAt: timestamp
+    };
+    if (actionOptions.transport === "webhook") {
+      channel.webhook = { url: target, secret: actionOptions.secret, headers: parseHeaders(actionOptions.header), timeoutMs: actionOptions.timeoutMs };
+    } else if (actionOptions.transport === "command") {
+      channel.command = { command: target, args: actionOptions.arg ?? [], timeoutMs: actionOptions.timeoutMs };
+    } else {
+      throw new Error(`Transport ${actionOptions.transport} is reserved for future use and cannot be added yet`);
+    }
+    const saved = await createClient(options).addChannel(channel);
+    print(sanitizeChannelForOutput(saved), Boolean(actionOptions.json), `Added ${saved.transport} channel ${saved.id}`);
+  });
+  webhooks.command("list").description("List configured subscriptions").option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    const channels = await createClient(options).listChannels();
+    if (actionOptions.json) {
+      console.log(JSON.stringify(sanitizeChannelsForOutput(channels), null, 2));
+      return;
+    }
+    if (!channels.length) {
+      console.log("No channels configured.");
+      return;
+    }
+    for (const channel of channels) {
+      console.log(`${channel.id}	${channel.enabled ? "enabled" : "disabled"}	${channel.transport}	${channel.webhook?.url ?? channel.command?.command ?? channel.transport}`);
+    }
+  });
+  webhooks.command("remove").description("Remove a subscription").argument("<id>", "Subscription/channel identifier").option("-j, --json", "Print JSON output", false).action(async (id, actionOptions) => {
+    const removed = await createClient(options).removeChannel(id);
+    print({ removed }, Boolean(actionOptions.json), removed ? `Removed ${id}` : `Channel not found: ${id}`);
+  });
+  webhooks.command("test").description("Send a test event to one subscription").argument("<id>", "Subscription/channel identifier").option("--type <type>", "Event type", "events.test").option("--subject <subject>", "Event subject").option("--message <message>", "Event message", "Hasna events test delivery").option("--data <json>", "Event data JSON object").option("-j, --json", "Print JSON output", false).action(async (id, actionOptions) => {
+    const result = await createClient(options).testChannel(id, {
+      source: options.source,
+      type: actionOptions.type,
+      subject: actionOptions.subject ?? id,
+      message: actionOptions.message,
+      data: parseJsonObject(actionOptions.data, { test: true })
+    });
+    print(result, Boolean(actionOptions.json), `${result.status}: ${result.channelId}`);
+  });
+  return webhooks;
+}
+function registerEventCommands(program2, options) {
+  const events = program2.command(options.eventsCommandName ?? "events").description("Emit, list, and replay Hasna events");
+  events.command("emit").description("Emit an event from this app").argument("<type>", "Event type").option("--source <source>", "Event source override").option("--subject <subject>", "Event subject").option("--severity <severity>", "Event severity", "info").option("--message <message>", "Event message").option("--dedupe-key <key>", "Dedupe key").option("--data <json>", "Event data JSON object").option("--metadata <json>", "Event metadata JSON object").option("--no-deliver", "Record without delivering").option("--no-dedupe", "Allow duplicate id/dedupeKey events").option("-j, --json", "Print JSON output", false).action(async (type, actionOptions) => {
+    const result = await createClient(options).emit({
+      source: actionOptions.source ?? options.source,
+      type,
+      subject: actionOptions.subject,
+      severity: actionOptions.severity,
+      message: actionOptions.message,
+      dedupeKey: actionOptions.dedupeKey,
+      data: parseJsonObject(actionOptions.data, {}),
+      metadata: parseJsonObject(actionOptions.metadata, {})
+    }, { deliver: actionOptions.deliver, dedupe: actionOptions.dedupe });
+    print(result, Boolean(actionOptions.json), `${result.deduped ? "Deduped" : "Emitted"} ${result.event.id} to ${result.deliveries.length} channel(s)`);
+  });
+  events.command("list").description("List recorded events").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--limit <n>", "Limit results", parseNumber).option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    let rows = await createClient(options).listEvents();
+    if (actionOptions.source)
+      rows = rows.filter((event) => event.source === actionOptions.source);
+    if (actionOptions.type)
+      rows = rows.filter((event) => event.type === actionOptions.type);
+    if (actionOptions.limit)
+      rows = rows.slice(-actionOptions.limit);
+    if (actionOptions.json) {
+      console.log(JSON.stringify(rows, null, 2));
+      return;
+    }
+    if (!rows.length) {
+      console.log("No events recorded.");
+      return;
+    }
+    for (const event of rows)
+      console.log(`${event.time}	${event.id}	${event.source}	${event.type}	${event.severity}`);
+  });
+  events.command("replay").description("Replay recorded events").option("--id <id>", "Replay one event id").option("--source <source>", "Filter by source").option("--type <type>", "Filter by type").option("--dry-run", "Preview without delivery", false).option("-j, --json", "Print JSON output", false).action(async (actionOptions) => {
+    const result = await createClient(options).replay({
+      eventId: actionOptions.id,
+      source: actionOptions.source,
+      type: actionOptions.type,
+      dryRun: actionOptions.dryRun
+    });
+    print(result, Boolean(actionOptions.json), `Replayed ${result.events.length} event(s), ${result.deliveries.length} delivery result(s)`);
+  });
+  return events;
+}
+function registerEventsCommands(program2, options) {
+  registerWebhookCommands(program2, options);
+  registerEventCommands(program2, options);
+}
+function parseNumber(value) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed))
+    throw new Error(`Expected a number, got ${value}`);
+  return parsed;
+}
+function collectValues(value, previous) {
+  previous.push(value);
+  return previous;
+}
+
 // node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
 var wrapAnsi16 = (offset = 0) => (code) => `\x1B[${code + offset}m`;
@@ -41321,20 +41999,20 @@ class AccountsError extends Error {
 }
 
 // src/lib/tools.ts
-import { homedir as homedir2 } from "node:os";
-import { join as join2 } from "node:path";
+import { homedir as homedir3 } from "node:os";
+import { join as join3 } from "node:path";
 
 // src/storage.ts
-import { homedir } from "node:os";
+import { homedir as homedir2 } from "node:os";
 import { hostname } from "node:os";
-import { join } from "node:path";
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "node:fs";
+import { join as join2 } from "node:path";
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "node:fs";
 
 // src/lib/safe-path.ts
-import { existsSync, lstatSync, mkdirSync, realpathSync } from "node:fs";
+import { existsSync as existsSync2, lstatSync, mkdirSync, realpathSync } from "node:fs";
 import { dirname, resolve } from "node:path";
 function throwIfSymlink(path, label) {
-  if (existsSync(path) && lstatSync(path).isSymbolicLink()) {
+  if (existsSync2(path) && lstatSync(path).isSymbolicLink()) {
     throw new AccountsError(`${label}: ${path}`);
   }
 }
@@ -41370,11 +42048,11 @@ function assertDirChainSafe(targetFile, mustStayUnder) {
 function assertSafeWritePath(filePath, opts) {
   const absFile = resolve(filePath);
   const parent = dirname(absFile);
-  if (!existsSync(parent))
+  if (!existsSync2(parent))
     mkdirSync(parent, { recursive: true });
   throwIfSymlink(absFile, "refusing to write through symlink");
   assertDirChainSafe(absFile, opts?.mustStayUnder);
-  const resolved = realpathSync(existsSync(absFile) ? absFile : parent);
+  const resolved = realpathSync(existsSync2(absFile) ? absFile : parent);
   if (opts?.mustStayUnder) {
     const base = realpathSync(resolve(opts.mustStayUnder));
     if (resolved !== base && !resolved.startsWith(base + "/")) {
@@ -41416,21 +42094,21 @@ function accountsHome() {
   const override = process.env.ACCOUNTS_HOME;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_HOME");
-  return join(homedir(), ".hasna", "accounts");
+  return join2(homedir2(), ".hasna", "accounts");
 }
 function storePath() {
   const override = process.env.ACCOUNTS_STORE_PATH;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_STORE_PATH");
-  return join(accountsHome(), "accounts.json");
+  return join2(accountsHome(), "accounts.json");
 }
 function profilesDir() {
-  return join(accountsHome(), "profiles");
+  return join2(accountsHome(), "profiles");
 }
 var EMPTY_STORE = { version: 1, current: {}, applied: {}, profiles: [], tools: [] };
 function loadStore() {
   const path = storePath();
-  if (!existsSync2(path))
+  if (!existsSync3(path))
     return structuredClone(EMPTY_STORE);
   let raw;
   try {
@@ -41468,7 +42146,7 @@ function loadStore() {
 function saveStore(store) {
   const path = storePath();
   assertSafeWritePath(path, { mustStayUnder: accountsHome() });
-  mkdirSync2(join(path, ".."), { recursive: true });
+  mkdirSync2(join2(path, ".."), { recursive: true });
   writeFileSync(path, JSON.stringify(store, null, 2) + `
 `, { mode: 384 });
 }
@@ -41616,7 +42294,7 @@ var BUILTIN_TOOLS = [
     id: "claude",
     label: "Claude Code",
     envVar: "CLAUDE_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".claude"),
+    defaultDir: join3(homedir3(), ".claude"),
     bin: "claude",
     loginHint: "run /login inside Claude, then /exit when done",
     resumeArgs: ["--continue"],
@@ -41627,7 +42305,7 @@ var BUILTIN_TOOLS = [
     id: "codex",
     label: "Codex CLI",
     envVar: "CODEX_HOME",
-    defaultDir: join2(homedir2(), ".codex"),
+    defaultDir: join3(homedir3(), ".codex"),
     bin: "codex",
     loginArgs: ["login"],
     loginHint: "complete the Codex login flow for this CODEX_HOME",
@@ -41637,7 +42315,7 @@ var BUILTIN_TOOLS = [
     id: "takumi",
     label: "Takumi",
     envVar: "TAKUMI_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".takumi"),
+    defaultDir: join3(homedir3(), ".takumi"),
     bin: "takumi",
     loginHint: "complete Takumi auth in this TAKUMI_CONFIG_DIR",
     resumeArgs: ["--continue"],
@@ -41648,7 +42326,7 @@ var BUILTIN_TOOLS = [
     id: "gemini",
     label: "Gemini CLI",
     envVar: "GEMINI_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".gemini"),
+    defaultDir: join3(homedir3(), ".gemini"),
     bin: "gemini",
     loginHint: "complete Gemini auth in this GEMINI_CONFIG_DIR"
   },
@@ -41660,7 +42338,7 @@ var BUILTIN_TOOLS = [
       XDG_CONFIG_HOME: "{profileDir}/xdg-config",
       XDG_DATA_HOME: "{profileDir}/xdg-data"
     },
-    defaultDir: join2(homedir2(), ".config", "opencode"),
+    defaultDir: join3(homedir3(), ".config", "opencode"),
     bin: "opencode",
     loginArgs: ["auth", "login"],
     loginHint: "complete opencode auth login for this isolated config/data root",
@@ -41670,7 +42348,7 @@ var BUILTIN_TOOLS = [
     id: "cursor",
     label: "Cursor Agent",
     envVar: "CURSOR_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".cursor"),
+    defaultDir: join3(homedir3(), ".cursor"),
     bin: "cursor-agent",
     loginArgs: ["login"],
     loginHint: "complete cursor-agent login for this CURSOR_CONFIG_DIR"
@@ -41679,7 +42357,7 @@ var BUILTIN_TOOLS = [
     id: "pi",
     label: "Pi Coding Agent",
     envVar: "PI_CODING_AGENT_HOME",
-    defaultDir: join2(homedir2(), ".pi"),
+    defaultDir: join3(homedir3(), ".pi"),
     bin: "pi",
     loginHint: "complete Pi coding agent auth in this PI_CODING_AGENT_HOME"
   },
@@ -41687,7 +42365,7 @@ var BUILTIN_TOOLS = [
     id: "hermes",
     label: "Hermes",
     envVar: "HERMES_HOME",
-    defaultDir: join2(homedir2(), ".hermes"),
+    defaultDir: join3(homedir3(), ".hermes"),
     bin: "hermes",
     loginHint: "complete Hermes auth in this HERMES_HOME"
   },
@@ -41695,7 +42373,7 @@ var BUILTIN_TOOLS = [
     id: "kimi",
     label: "Kimi Code",
     envVar: "KIMI_CODE_HOME",
-    defaultDir: join2(homedir2(), ".kimi-code"),
+    defaultDir: join3(homedir3(), ".kimi-code"),
     bin: "kimi",
     loginArgs: ["login"],
     loginHint: "complete kimi login for this KIMI_CODE_HOME"
@@ -41704,7 +42382,7 @@ var BUILTIN_TOOLS = [
     id: "grok",
     label: "Grok Build",
     envVar: "HOME",
-    defaultDir: join2(homedir2(), ".grok"),
+    defaultDir: join3(homedir3(), ".grok"),
     bin: "grok",
     loginArgs: ["login"],
     loginHint: "complete grok login in this process-scoped HOME; prefer launch/shell over exporting HOME globally"
@@ -41765,19 +42443,19 @@ function removeCustomTool(id) {
 }
 
 // src/lib/profiles.ts
-import { homedir as homedir3 } from "node:os";
-import { isAbsolute, join as join4, resolve as resolve2 } from "node:path";
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, rmSync } from "node:fs";
+import { homedir as homedir4 } from "node:os";
+import { isAbsolute, join as join5, resolve as resolve2 } from "node:path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync3, rmSync } from "node:fs";
 
 // src/lib/detect.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
-import { dirname as dirname2, join as join3 } from "node:path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
+import { dirname as dirname2, join as join4 } from "node:path";
 function detectEmail(dir, tool) {
   if (!tool.accountFile || !tool.emailPath)
     return;
-  const candidates = [join3(dir, tool.accountFile)];
+  const candidates = [join4(dir, tool.accountFile)];
   if (dir === tool.defaultDir)
-    candidates.push(join3(dirname2(dir), tool.accountFile));
+    candidates.push(join4(dirname2(dir), tool.accountFile));
   for (const file of candidates) {
     const email = readEmail(file, tool.emailPath);
     if (email)
@@ -41786,7 +42464,7 @@ function detectEmail(dir, tool) {
   return;
 }
 function readEmail(file, path) {
-  if (!existsSync3(file))
+  if (!existsSync4(file))
     return;
   let cursor;
   try {
@@ -41811,9 +42489,9 @@ function nowIso() {
 function expandPath(p) {
   let out = p;
   if (out === "~")
-    out = homedir3();
+    out = homedir4();
   else if (out.startsWith("~/"))
-    out = join4(homedir3(), out.slice(2));
+    out = join5(homedir4(), out.slice(2));
   return isAbsolute(out) ? out : resolve2(process.cwd(), out);
 }
 function listProfiles(toolId) {
@@ -41847,7 +42525,7 @@ function addProfile(opts) {
   if (store.profiles.some((p) => p.name === name && p.tool === toolId)) {
     throw new AccountsError(`a ${toolId} profile named "${name}" already exists`);
   }
-  const dir = opts.dir ? expandPath(opts.dir) : join4(profilesDir(), toolId, name);
+  const dir = opts.dir ? expandPath(opts.dir) : join5(profilesDir(), toolId, name);
   if (store.profiles.some((p) => p.dir === dir)) {
     throw new AccountsError(`a profile already uses config dir ${dir}`);
   }
@@ -41889,7 +42567,7 @@ function removeProfile(name, opts = {}) {
   if (options.purge) {
     const managed = profile.dir.startsWith(profilesDir());
     const isDefault = profile.dir === getTool(profile.tool).defaultDir;
-    if (managed && !isDefault && existsSync4(profile.dir)) {
+    if (managed && !isDefault && existsSync5(profile.dir)) {
       rmSync(profile.dir, { recursive: true, force: true });
       purged = true;
     } else {
@@ -41988,12 +42666,12 @@ function currentProfile(toolId) {
 }
 
 // src/lib/claude-auth.ts
-import { copyFileSync, existsSync as existsSync5, lstatSync as lstatSync2, mkdirSync as mkdirSync4, readFileSync as readFileSync3, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname4, join as join6 } from "node:path";
+import { copyFileSync, existsSync as existsSync6, lstatSync as lstatSync2, mkdirSync as mkdirSync4, readFileSync as readFileSync3, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
+import { dirname as dirname4, join as join7 } from "node:path";
 
 // src/lib/claude-layout.ts
-import { homedir as homedir4 } from "node:os";
-import { dirname as dirname3, join as join5 } from "node:path";
+import { homedir as homedir5 } from "node:os";
+import { dirname as dirname3, join as join6 } from "node:path";
 var CLAUDE_KEYCHAIN_SERVICE = "Claude Code-credentials";
 var ACCOUNTS_AUTH_DIR = ".accounts-auth";
 var OAUTH_SNAPSHOT = "oauth-account.json";
@@ -42001,36 +42679,36 @@ var CREDENTIALS_SNAPSHOT = "credentials.json";
 var KEYCHAIN_SNAPSHOT = "keychain.json";
 function liveClaudeBase() {
   const testBase = process.env.ACCOUNTS_TEST_LIVE_DIR;
-  return testBase && testBase.trim() ? testBase : homedir4();
+  return testBase && testBase.trim() ? testBase : homedir5();
 }
 function liveClaudePaths() {
   const base = liveClaudeBase();
-  const configDir = join5(base, ".claude");
+  const configDir = join6(base, ".claude");
   return {
     configDir,
-    homeJson: join5(base, ".claude.json"),
-    credentialsFile: join5(configDir, ".credentials.json")
+    homeJson: join6(base, ".claude.json"),
+    credentialsFile: join6(configDir, ".credentials.json")
   };
 }
 function profileAccountJsonPaths(profileDir, tool) {
   if (!tool.accountFile)
     return [];
-  const paths = [join5(profileDir, tool.accountFile)];
+  const paths = [join6(profileDir, tool.accountFile)];
   if (profileDir === tool.defaultDir)
-    paths.push(join5(dirname3(profileDir), tool.accountFile));
+    paths.push(join6(dirname3(profileDir), tool.accountFile));
   return paths;
 }
 function profileAuthDir(profileDir) {
-  return join5(profileDir, ACCOUNTS_AUTH_DIR);
+  return join6(profileDir, ACCOUNTS_AUTH_DIR);
 }
 function profileOAuthSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
+  return join6(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
 }
 function profileCredentialsSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
+  return join6(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
 }
 function profileKeychainSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
+  return join6(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
 }
 
 // src/lib/keychain.ts
@@ -42095,7 +42773,7 @@ function writeClaudeKeychain(cred) {
 
 // src/lib/claude-auth.ts
 function readJsonFile(path) {
-  if (!existsSync5(path))
+  if (!existsSync6(path))
     return;
   try {
     return JSON.parse(readFileSync3(path, "utf8"));
@@ -42122,7 +42800,7 @@ function findOAuthSource(paths) {
   return;
 }
 function snapshotIsStale(sourcePath, snapshotPath) {
-  if (!existsSync5(snapshotPath))
+  if (!existsSync6(snapshotPath))
     return true;
   try {
     return statSync(sourcePath).mtimeMs > statSync(snapshotPath).mtimeMs;
@@ -42161,13 +42839,13 @@ function liveOAuthEmail() {
 }
 function snapshotLiveAuthToProfile(profileDir, _tool) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join6(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join7(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync4(authDir, { recursive: true });
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
   if (oauth)
     writeJsonFile(profileOAuthSnapshot(profileDir), { oauthAccount: oauth }, profileDir);
-  if (existsSync5(live.credentialsFile)) {
+  if (existsSync6(live.credentialsFile)) {
     const dest = profileCredentialsSnapshot(profileDir);
     assertSafeWritePath(dest, { mustStayUnder: profileDir });
     copyFileSync(live.credentialsFile, dest);
@@ -42180,16 +42858,16 @@ function snapshotLiveAuthToProfile(profileDir, _tool) {
 }
 function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join6(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join7(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync4(authDir, { recursive: true });
   const oauthSource = findOAuthSource(profileAccountJsonPaths(profileDir, tool));
   const oauthSnap = profileOAuthSnapshot(profileDir);
   if (oauthSource && (opts.overwrite || snapshotIsStale(oauthSource.path, oauthSnap))) {
     writeJsonFile(oauthSnap, { oauthAccount: oauthSource.oauth }, profileDir);
   }
-  const credFile = join6(profileDir, ".credentials.json");
+  const credFile = join7(profileDir, ".credentials.json");
   const credSnap = profileCredentialsSnapshot(profileDir);
-  if (existsSync5(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
+  if (existsSync6(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credFile, credSnap);
   }
@@ -42214,12 +42892,12 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   assertSafeWritePath(live.homeJson, { mustStayUnder: liveRoot });
   mergeOAuthInto([live.homeJson], oauth, false, liveRoot);
   const credSnap = profileCredentialsSnapshot(profileDir);
-  if (existsSync5(credSnap)) {
+  if (existsSync6(credSnap)) {
     assertSafeWritePath(live.credentialsFile, { mustStayUnder: liveRoot });
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credSnap, live.credentialsFile);
     writeFileSync2(live.credentialsFile, readFileSync3(live.credentialsFile), { mode: 384 });
-  } else if (existsSync5(live.credentialsFile)) {
+  } else if (existsSync6(live.credentialsFile)) {
     if (!lstatSync2(live.credentialsFile).isSymbolicLink())
       unlinkSync(live.credentialsFile);
   }
@@ -42241,14 +42919,14 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   }
 }
 function hasAuthSnapshot(profileDir) {
-  return existsSync5(profileOAuthSnapshot(profileDir)) || existsSync5(profileCredentialsSnapshot(profileDir)) || existsSync5(profileKeychainSnapshot(profileDir));
+  return existsSync6(profileOAuthSnapshot(profileDir)) || existsSync6(profileCredentialsSnapshot(profileDir)) || existsSync6(profileKeychainSnapshot(profileDir));
 }
 
 // src/lib/apply-lock.ts
-import { closeSync, existsSync as existsSync6, mkdirSync as mkdirSync5, openSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join7 } from "node:path";
+import { closeSync, existsSync as existsSync7, mkdirSync as mkdirSync5, openSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3 } from "node:fs";
+import { join as join8 } from "node:path";
 function lockPath() {
-  return join7(accountsHome(), ".apply.lock");
+  return join8(accountsHome(), ".apply.lock");
 }
 function withApplyLock(fn) {
   const home = accountsHome();
@@ -42273,7 +42951,7 @@ function withApplyLock(fn) {
     if (fd !== undefined) {
       closeSync(fd);
       try {
-        if (existsSync6(path))
+        if (existsSync7(path))
           unlinkSync2(path);
       } catch {}
     }
@@ -42319,6 +42997,7 @@ function applyProfileUnlocked(name, toolId) {
 
 // src/lib/agents.ts
 import { spawnSync } from "node:child_process";
+import { existsSync as existsSync8, readFileSync as readFileSync4 } from "node:fs";
 import { platform as platform2 } from "node:os";
 function extractJsonArray(raw) {
   const text = raw.replace(/\r/g, "");
@@ -42378,11 +43057,79 @@ function runClaudeAgentsJson(profile, timeoutMs = 20000) {
   }
   return { ok: true, raw: res.stdout ?? "" };
 }
+function isToolSessionCommand(command, bin) {
+  const argv = command.trim().split(/\s+/);
+  if (argv.length === 0)
+    return false;
+  const base = (p) => p.split("/").pop() ?? p;
+  let head = argv[0] ?? "";
+  let rest = argv.slice(1);
+  if ((base(head) === "node" || base(head) === "bun") && rest[0]) {
+    head = rest[0];
+    rest = rest.slice(1);
+  }
+  const isVersionedBuild = head.includes(`/${bin}/versions/`);
+  if (base(head) !== bin && !isVersionedBuild)
+    return false;
+  if (rest[0] === "agents")
+    return false;
+  const joined = rest.join(" ");
+  if (/--bg-pty-host|--bg-spare/.test(joined))
+    return false;
+  if (rest[0] === "daemon")
+    return false;
+  return true;
+}
+function scanToolProcesses(toolId = "claude") {
+  const tool = getTool(toolId);
+  const bin = tool.bin ?? toolId;
+  const res = spawnSync("ps", ["-axo", "pid=,ppid=,args="], {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "ignore"]
+  });
+  if (res.status !== 0 || !res.stdout)
+    return [];
+  const out = [];
+  for (const line of res.stdout.split(`
+`)) {
+    const m = line.match(/^\s*(\d+)\s+(\d+)\s+(.+)$/);
+    if (!m)
+      continue;
+    const pid = Number(m[1]);
+    const ppid = Number(m[2]);
+    const command = m[3].trim();
+    if (pid === process.pid)
+      continue;
+    if (!isToolSessionCommand(command, bin))
+      continue;
+    const configDir = readProcessEnvVar(pid, tool.envVar);
+    out.push({ pid, ppid, command, ...configDir ? { configDir } : {} });
+  }
+  return out;
+}
+function readProcessEnvVar(pid, envVar) {
+  try {
+    const environ = readFileSync4(`/proc/${pid}/environ`, "utf8");
+    for (const kv of environ.split("\x00")) {
+      if (kv.startsWith(`${envVar}=`))
+        return kv.slice(envVar.length + 1) || undefined;
+    }
+  } catch {}
+  return;
+}
 function listAgentsAcrossProfiles(opts = {}) {
   const toolId = opts.tool ?? "claude";
   const runner = opts.runner ?? runClaudeAgentsJson;
-  const profiles = listProfiles(toolId).filter((p) => !opts.profile || p.name === opts.profile);
-  return profiles.map((profile) => {
+  const tool = getTool(toolId);
+  const registered = listProfiles(toolId);
+  const entries = [...registered];
+  const defaultDir = opts.defaultDir ?? tool.defaultDir;
+  if (defaultDir && !registered.some((p) => p.dir === defaultDir) && existsSync8(defaultDir)) {
+    entries.unshift({ name: "(default)", tool: toolId, dir: defaultDir });
+  }
+  const wanted = entries.filter((p) => !opts.profile || p.name === opts.profile || opts.profile === "default" && p.name === "(default)");
+  const reported = new Set;
+  const results = wanted.map((profile) => {
     const base = {
       profile: profile.name,
       tool: profile.tool,
@@ -42396,25 +43143,50 @@ function listAgentsAcrossProfiles(opts = {}) {
     const parsed = extractJsonArray(result.raw);
     if (!parsed)
       return { ...base, error: "could not parse agents output" };
+    for (const a of parsed) {
+      if (typeof a.pid === "number")
+        reported.add(a.pid);
+    }
     const agents = parsed.filter((a) => !opts.backgroundOnly || a.kind === "background");
     return { ...base, agents };
   });
+  if (!opts.profile) {
+    const scanner = opts.processScanner ?? scanToolProcesses;
+    const scanned = scanner();
+    if (scanned.length > 0) {
+      const untracked = scanned.filter((p) => !reported.has(p.pid) && !reported.has(p.ppid) && !scanned.some((q) => q.ppid === p.pid && reported.has(q.pid)));
+      if (untracked.length > 0) {
+        results.push({
+          profile: "(untracked)",
+          tool: toolId,
+          dir: "",
+          agents: untracked.map((p) => ({
+            kind: "process",
+            pid: p.pid,
+            command: p.command,
+            ...p.configDir ? { configDir: p.configDir } : {}
+          }))
+        });
+      }
+    }
+  }
+  return results;
 }
 
 // src/lib/import-profile.ts
-import { cpSync, existsSync as existsSync7 } from "node:fs";
-import { join as join8 } from "node:path";
+import { cpSync, existsSync as existsSync9 } from "node:fs";
+import { join as join9 } from "node:path";
 function importProfile(opts) {
   const toolId = opts.tool ?? DEFAULT_TOOL;
   const tool = getTool(toolId);
   const name = opts.name ?? "main";
   const sourceDir = opts.dir ? expandPath(opts.dir) : tool.defaultDir;
-  if (!existsSync7(sourceDir)) {
+  if (!existsSync9(sourceDir)) {
     throw new AccountsError(`config dir does not exist: ${sourceDir}`);
   }
   if (opts.copy) {
-    const targetDir = join8(profilesDir(), toolId, name);
-    if (existsSync7(targetDir)) {
+    const targetDir = join9(profilesDir(), toolId, name);
+    if (existsSync9(targetDir)) {
       throw new AccountsError(`managed copy target already exists: ${targetDir}`);
     }
     cpSync(sourceDir, targetDir, { recursive: true });
@@ -42498,8 +43270,8 @@ async function pickProfile(opts = {}) {
 }
 
 // src/lib/hook.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync4, unlinkSync as unlinkSync3, writeFileSync as writeFileSync4 } from "node:fs";
-import { join as join9 } from "node:path";
+import { existsSync as existsSync10, mkdirSync as mkdirSync6, readFileSync as readFileSync5, unlinkSync as unlinkSync3, writeFileSync as writeFileSync4 } from "node:fs";
+import { join as join10 } from "node:path";
 var HOOK_FILE = "claude-hook.sh";
 var MARKER = "# accounts-claude-hook";
 var NAME_PATTERN = "^[a-z0-9][a-z0-9-]*$";
@@ -42507,7 +43279,7 @@ function shellQuotePath(path) {
   return `'${path.replace(/'/g, `'\\''`)}'`;
 }
 function hookPath() {
-  return join9(accountsHome(), HOOK_FILE);
+  return join10(accountsHome(), HOOK_FILE);
 }
 function hookScript() {
   const quotedHook = shellQuotePath(hookPath());
@@ -42538,15 +43310,15 @@ claude() {
 function installHook() {
   const path = hookPath();
   mkdirSync6(accountsHome(), { recursive: true });
-  const created = !existsSync8(path);
+  const created = !existsSync10(path);
   writeFileSync4(path, hookScript(), { mode: 493 });
   return { path, created };
 }
 function uninstallHook() {
   const path = hookPath();
-  if (!existsSync8(path))
+  if (!existsSync10(path))
     return false;
-  const content = readFileSync4(path, "utf8");
+  const content = readFileSync5(path, "utf8");
   if (!content.includes(MARKER))
     return false;
   unlinkSync3(path);
@@ -42636,24 +43408,24 @@ function switchProfile(name, opts = {}) {
 }
 
 // src/lib/supervisor.ts
-import { spawn } from "node:child_process";
+import { spawn as spawn2 } from "node:child_process";
 import { createHash } from "node:crypto";
-import { existsSync as existsSync9, mkdirSync as mkdirSync7, readFileSync as readFileSync5, readdirSync, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
+import { existsSync as existsSync11, mkdirSync as mkdirSync7, readFileSync as readFileSync6, readdirSync, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
 import { createConnection, createServer } from "node:net";
-import { basename, join as join10 } from "node:path";
+import { basename, join as join11 } from "node:path";
 var STATE_SUFFIX = ".json";
 function supervisorDir() {
-  return join10(accountsHome(), "supervisors");
+  return join11(accountsHome(), "supervisors");
 }
 function supervisorStatePath(toolId) {
-  return join10(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
+  return join11(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
 }
 function supervisorSocketPath(toolId) {
   if (process.platform === "win32") {
     const hash = createHash("sha1").update(accountsHome()).digest("hex").slice(0, 12);
     return `\\\\.\\pipe\\hasna-accounts-${hash}-${toolId}`;
   }
-  return join10(supervisorDir(), `${toolId}.sock`);
+  return join11(supervisorDir(), `${toolId}.sock`);
 }
 function nowIso2() {
   return new Date().toISOString();
@@ -42667,17 +43439,17 @@ function parseState(raw) {
 }
 function readSupervisorState(toolId) {
   const path = supervisorStatePath(toolId);
-  if (!existsSync9(path))
+  if (!existsSync11(path))
     return;
   try {
-    return parseState(readFileSync5(path, "utf8"));
+    return parseState(readFileSync6(path, "utf8"));
   } catch {
     return;
   }
 }
 function listSupervisorStates() {
   const dir = supervisorDir();
-  if (!existsSync9(dir))
+  if (!existsSync11(dir))
     return [];
   return readdirSync(dir).filter((name) => name.endsWith(STATE_SUFFIX)).map((name) => basename(name, STATE_SUFFIX)).map((toolId) => readSupervisorState(toolId)).filter((state) => state !== undefined);
 }
@@ -42900,7 +43672,7 @@ async function runSupervisedTool(initialProfile, tool, initialArgs = [], opts =
     useProfile(profile.name, tool.id);
     const env2 = profileEnv(profile, tool);
     log(`accounts supervisor: starting ${tool.bin} for ${profile.name}`);
-    const proc = spawn(tool.bin, childArgs, {
+    const proc = spawn2(tool.bin, childArgs, {
       stdio: opts.stdio ?? "inherit",
       env: { ...process.env, ...env2, ACCOUNTS_SUPERVISOR: "1", ACCOUNTS_ACTIVE: profile.name },
       detached: process.platform !== "win32"
@@ -43084,7 +43856,7 @@ program2.command("show").argument("<name>", "profile name").description("show fu
   console.log(`  tool:       ${p.tool} (${getTool(p.tool).label})`);
   console.log(`  active:     ${active ? source_default.green("yes") : source_default.dim("no")}`);
   console.log(`  applied:    ${isApplied ? source_default.magenta("yes") : source_default.dim("no")}`);
-  console.log(`  config dir: ${p.dir}${existsSync10(p.dir) ? "" : source_default.red("  [missing]")}`);
+  console.log(`  config dir: ${p.dir}${existsSync12(p.dir) ? "" : source_default.red("  [missing]")}`);
   console.log(`  email:      ${p.email ?? source_default.dim("(none)")}`);
   console.log(`  created:    ${p.createdAt}`);
   if (p.lastUsedAt)
@@ -43222,7 +43994,7 @@ program2.command("switch").argument("<name>", "profile name").argument("[args...
   }
 }));
 var hook = program2.command("hook").description("install a shell wrapper for claude");
-hook.command("install").description(`write ${join11(accountsHome(), "claude-hook.sh")}`).action(action(() => {
+hook.command("install").description(`write ${join12(accountsHome(), "claude-hook.sh")}`).action(action(() => {
   const { path, created } = installHook();
   console.log(source_default.green(created ? `✓ installed hook at ${path}` : `✓ updated hook at ${path}`));
   console.log(source_default.dim(`  add to ~/.zshrc:  ${shellSnippet()}`));
@@ -43366,6 +44138,12 @@ program2.command("agents").description("list Claude Code agent sessions (interac
       continue;
     }
     for (const a of r.agents) {
+      if (a.kind === "process") {
+        const cfg = typeof a.configDir === "string" ? source_default.dim(`  cfg=${a.configDir}`) : "";
+        const cmd = typeof a.command === "string" ? source_default.dim(`  ${a.command.slice(0, 100)}`) : "";
+        console.log(`  ${source_default.yellow("process    ")} pid ${a.pid}${cfg}${cmd}`);
+        continue;
+      }
       const kind = a.kind === "background" ? source_default.magenta("background ") : source_default.dim("interactive");
       const state = String(a.state ?? a.status ?? "");
       const stateFmt = state === "working" || state === "busy" ? source_default.green(state) : source_default.dim(state);
@@ -43441,7 +44219,7 @@ tools.command("add").argument("<id>", "tool id, e.g. cursor").description("regis
     label: opts.label,
     envVar: opts.envVar,
     bin: opts.bin,
-    defaultDir: opts.defaultDir ? expandPath(opts.defaultDir) : join11(homedir5(), `.${id}`),
+    defaultDir: opts.defaultDir ? expandPath(opts.defaultDir) : join12(homedir6(), `.${id}`),
     ...Object.keys(extraEnv).length > 0 ? { extraEnv } : {},
     ...opts.loginArg ? { loginArgs: opts.loginArg } : {},
     ...opts.resumeArg ? { resumeArgs: opts.resumeArg } : {},
@@ -43462,7 +44240,7 @@ program2.command("doctor").description("check the store and profile dirs for pro
   const profiles = listProfiles();
   let problems = 0;
   for (const p of profiles) {
-    const missing = !existsSync10(p.dir);
+    const missing = !existsSync12(p.dir);
     const noEmail = !p.email;
     if (missing) {
       console.log(source_default.red(`  ✗ ${p.name}: config dir missing (${p.dir})`));
@@ -43506,13 +44284,14 @@ ${problems} problem(s) found.`));
   console.log(source_default.green(`
 healthy.`));
 }));
+registerEventsCommands(program2, { source: "accounts" });
 program2.parseAsync(process.argv);
 function getVersion() {
   try {
     const here = dirname5(fileURLToPath(import.meta.url));
-    for (const candidate of [join11(here, "..", "package.json"), join11(here, "package.json")]) {
-      if (existsSync10(candidate)) {
-        const pkg = JSON.parse(readFileSync6(candidate, "utf8"));
+    for (const candidate of [join12(here, "..", "package.json"), join12(here, "package.json")]) {
+      if (existsSync12(candidate)) {
+        const pkg = JSON.parse(readFileSync7(candidate, "utf8"));
         if (pkg.version)
           return pkg.version;
       }