@highflame/overwatch-v2 2.0.0-internal.1

package/dist/daemon.js

@@ -0,0 +1,3578 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/utils/logger.ts
+var fs, path, os, LOG_FILE, Logger, logger;
+var init_logger = __esm({
+  "src/utils/logger.ts"() {
+    "use strict";
+    fs = __toESM(require("fs"));
+    path = __toESM(require("path"));
+    os = __toESM(require("os"));
+    LOG_FILE = path.join(os.homedir(), ".overwatch", "guardian.log");
+    Logger = class {
+      constructor(level = 1 /* INFO */) {
+        this.fileEnabled = true;
+        this.level = level;
+        this.ensureLogDir();
+      }
+      ensureLogDir() {
+        try {
+          const dir = path.dirname(LOG_FILE);
+          if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+          }
+        } catch {
+          this.fileEnabled = false;
+        }
+      }
+      setLevel(level) {
+        this.level = level;
+      }
+      getCallerFile(offset) {
+        const err = new Error();
+        const stack = err.stack?.split("\n");
+        if (stack && stack.length > offset) {
+          const callerLine = stack[offset] || "";
+          const match = callerLine.match(/at\s+(?:.*\s+\()?(.+?):\d+:\d+\)?$/);
+          if (match && match[1]) {
+            return path.basename(match[1]);
+          }
+        }
+        return "unknown";
+      }
+      formatArgs(args) {
+        if (args.length === 0)
+          return "";
+        return args.map((arg) => {
+          if (typeof arg === "object" && arg !== null) {
+            try {
+              return JSON.stringify(arg).replace(/^{|}$/g, "").replace(/"([^"]+)":/g, "$1=");
+            } catch {
+              return String(arg);
+            }
+          }
+          return String(arg);
+        }).join(" ");
+      }
+      writeToFile(level, message, args) {
+        if (!this.fileEnabled)
+          return;
+        try {
+          const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+          const callerFile = this.getCallerFile(4);
+          const formattedArgs = this.formatArgs(args);
+          const argsStr = formattedArgs ? " " + formattedArgs : "";
+          const line = `${timestamp} [${level.padEnd(5)}] [${callerFile}] ${message}${argsStr}
+`;
+          fs.appendFileSync(LOG_FILE, line);
+        } catch {
+        }
+      }
+      debug(message, ...args) {
+        if (this.level <= 0 /* DEBUG */) {
+          const callerFile = this.getCallerFile(3);
+          console.debug(`[DEBUG] [${callerFile}] ${message}`, ...args);
+          this.writeToFile("DEBUG", message, args);
+        }
+      }
+      info(message, ...args) {
+        if (this.level <= 1 /* INFO */) {
+          const callerFile = this.getCallerFile(3);
+          console.info(`[INFO ] [${callerFile}] ${message}`, ...args);
+          this.writeToFile("INFO", message, args);
+        }
+      }
+      warn(message, ...args) {
+        if (this.level <= 2 /* WARN */) {
+          const callerFile = this.getCallerFile(3);
+          console.warn(`[WARN ] [${callerFile}] ${message}`, ...args);
+          this.writeToFile("WARN", message, args);
+        }
+      }
+      error(message, ...args) {
+        if (this.level <= 3 /* ERROR */) {
+          const callerFile = this.getCallerFile(3);
+          console.error(`[ERROR] [${callerFile}] ${message}`, ...args);
+          this.writeToFile("ERROR", message, args);
+        }
+      }
+    };
+    logger = new Logger();
+  }
+});
+
+// src/utils/performance.ts
+var init_performance = __esm({
+  "src/utils/performance.ts"() {
+    "use strict";
+  }
+});
+
+// src/utils/index.ts
+var init_utils = __esm({
+  "src/utils/index.ts"() {
+    "use strict";
+    init_logger();
+    init_performance();
+  }
+});
+
+// src/auth/pkce.ts
+function base64URLEncode(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function generateCodeVerifier() {
+  const buffer = crypto.randomBytes(32);
+  return base64URLEncode(buffer);
+}
+function generateCodeChallenge(verifier) {
+  const hash = crypto.createHash("sha256").update(verifier).digest();
+  return base64URLEncode(hash);
+}
+function generateState() {
+  return crypto.randomBytes(16).toString("hex");
+}
+var crypto;
+var init_pkce = __esm({
+  "src/auth/pkce.ts"() {
+    "use strict";
+    crypto = __toESM(require("crypto"));
+  }
+});
+
+// src/version.ts
+var VERSION, HIGHFLAME_API_URL, HIGHFLAME_OAUTH_URL, HIGHFLAME_CERBERUS_URL;
+var init_version = __esm({
+  "src/version.ts"() {
+    "use strict";
+    VERSION = true ? "2.0.0-internal.1" : "0.0.0-dev";
+    HIGHFLAME_API_URL = "https://api.highflame.ai";
+    HIGHFLAME_OAUTH_URL = "https://studio.highflame.ai";
+    HIGHFLAME_CERBERUS_URL = "https://cerberus.highflame.ai";
+  }
+});
+
+// src/types/config.ts
+var DEFAULT_OVERWATCH_CONFIG;
+var init_config = __esm({
+  "src/types/config.ts"() {
+    "use strict";
+    init_version();
+    DEFAULT_OVERWATCH_CONFIG = {
+      version: VERSION,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      highflame: {
+        baseUrl: HIGHFLAME_API_URL,
+        oauthUrl: HIGHFLAME_OAUTH_URL,
+        cerberusUrl: HIGHFLAME_CERBERUS_URL
+      },
+      engines: {
+        javelin: {
+          enabled: true
+        }
+      },
+      daemon: {
+        autoStart: true,
+        logLevel: "info"
+      },
+      enabled: true
+    };
+  }
+});
+
+// src/types/events.ts
+var init_events = __esm({
+  "src/types/events.ts"() {
+    "use strict";
+  }
+});
+
+// src/types/remote-policy.ts
+var init_remote_policy = __esm({
+  "src/types/remote-policy.ts"() {
+    "use strict";
+  }
+});
+
+// src/types/index.ts
+var init_types = __esm({
+  "src/types/index.ts"() {
+    "use strict";
+    init_config();
+    init_events();
+    init_remote_policy();
+  }
+});
+
+// src/auth/token-store.ts
+function loadSession() {
+  try {
+    if (fs2.existsSync(SESSION_PATH)) {
+      const data = fs2.readFileSync(SESSION_PATH, "utf-8");
+      return JSON.parse(data);
+    }
+  } catch (e) {
+    logger.debug("Failed to load session file", {
+      error: e instanceof Error ? e.message : String(e),
+      path: SESSION_PATH
+    });
+  }
+  return null;
+}
+function writeSession(session) {
+  if (!fs2.existsSync(CONFIG_DIR)) {
+    fs2.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+  const data = JSON.stringify(session, null, 2);
+  fs2.writeFileSync(SESSION_PATH, data, { mode: SESSION_FILE_MODE });
+  try {
+    fs2.chmodSync(SESSION_PATH, SESSION_FILE_MODE);
+  } catch (e) {
+    logger.debug("Failed to set session file permissions", {
+      error: e instanceof Error ? e.message : String(e)
+    });
+  }
+}
+function saveTokens(tokens, userInfo2) {
+  const expiresAt = tokens.expires_at ?? Date.now() + TOKEN_EXPIRY_SECONDS * 1e3;
+  const auth = {
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token || "",
+    expires_at: expiresAt,
+    token_type: tokens.token_type,
+    user: userInfo2 ? {
+      email: userInfo2.email
+    } : void 0,
+    authenticated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeSession(auth);
+}
+function loadTokens() {
+  return loadSession();
+}
+async function getValidAccessToken() {
+  const auth = loadTokens();
+  if (!auth)
+    return null;
+  if (isTokenExpired(auth.expires_at)) {
+    if (auth.refresh_token) {
+      const { refreshAccessToken: refreshAccessToken2 } = await Promise.resolve().then(() => (init_oauth(), oauth_exports));
+      const refreshed = await refreshAccessToken2(auth.refresh_token);
+      if (refreshed) {
+        saveTokens(refreshed);
+        return refreshed.access_token;
+      }
+    }
+    return null;
+  }
+  return auth.access_token;
+}
+function getAuthStatus() {
+  const auth = loadTokens();
+  if (!auth) {
+    return { authenticated: false };
+  }
+  return {
+    authenticated: true,
+    email: auth.user?.email,
+    name: auth.user?.name,
+    orgName: auth.user?.org_name,
+    expiresAt: auth.expires_at,
+    expired: isTokenExpired(auth.expires_at),
+    expiringSoon: isTokenExpiringSoon(auth.expires_at)
+  };
+}
+var fs2, path2, os2, CONFIG_DIR, SESSION_PATH, SESSION_FILE_MODE;
+var init_token_store = __esm({
+  "src/auth/token-store.ts"() {
+    "use strict";
+    fs2 = __toESM(require("fs"));
+    path2 = __toESM(require("path"));
+    os2 = __toESM(require("os"));
+    init_oauth();
+    init_utils();
+    CONFIG_DIR = path2.join(os2.homedir(), ".overwatch");
+    SESSION_PATH = path2.join(CONFIG_DIR, "session.json");
+    SESSION_FILE_MODE = 384;
+  }
+});
+
+// src/config/manager.ts
+function loadConfig() {
+  try {
+    if (fs3.existsSync(CONFIG_PATH)) {
+      const data = fs3.readFileSync(CONFIG_PATH, "utf-8");
+      return JSON.parse(data);
+    }
+  } catch (e) {
+    console.error("Failed to load config:", e);
+  }
+  return null;
+}
+function getBaseUrl() {
+  const config = loadConfig();
+  return config?.highflame?.baseUrl || process.env.HIGHFLAME_BASE_URL || HIGHFLAME_API_URL;
+}
+function getOAuthUrl() {
+  const config = loadConfig();
+  return config?.highflame?.oauthUrl || HIGHFLAME_OAUTH_URL;
+}
+function getCerberusUrl() {
+  const config = loadConfig();
+  return config?.highflame?.cerberusUrl || process.env.CERBERUS_BASE_URL || HIGHFLAME_CERBERUS_URL;
+}
+function getLLMConfig() {
+  const config = loadConfig();
+  const envKey = process.env.LLM_API_KEY || process.env.OPENAI_API_KEY;
+  if (envKey) {
+    return {
+      apiKey: envKey,
+      provider: config?.llm?.provider || "openai"
+    };
+  }
+  return config?.llm || null;
+}
+var fs3, path3, os3, CONFIG_DIR2, CONFIG_PATH;
+var init_manager = __esm({
+  "src/config/manager.ts"() {
+    "use strict";
+    fs3 = __toESM(require("fs"));
+    path3 = __toESM(require("path"));
+    os3 = __toESM(require("os"));
+    init_types();
+    init_token_store();
+    init_version();
+    CONFIG_DIR2 = path3.join(os3.homedir(), ".overwatch");
+    CONFIG_PATH = path3.join(CONFIG_DIR2, "config.json");
+  }
+});
+
+// src/config/index.ts
+var init_config2 = __esm({
+  "src/config/index.ts"() {
+    "use strict";
+    init_manager();
+  }
+});
+
+// src/auth/oauth.ts
+var oauth_exports = {};
+__export(oauth_exports, {
+  DEFAULT_EXPIRY_BUFFER_SECONDS: () => DEFAULT_EXPIRY_BUFFER_SECONDS,
+  EXPIRY_WARN_THRESHOLD_SECONDS: () => EXPIRY_WARN_THRESHOLD_SECONDS,
+  OAUTH_CONFIG: () => OAUTH_CONFIG,
+  TOKEN_EXPIRY_SECONDS: () => TOKEN_EXPIRY_SECONDS,
+  buildAuthorizationUrl: () => buildAuthorizationUrl,
+  createOAuthState: () => createOAuthState,
+  exchangeCodeForTokens: () => exchangeCodeForTokens,
+  isTokenExpired: () => isTokenExpired,
+  isTokenExpiringSoon: () => isTokenExpiringSoon,
+  refreshAccessToken: () => refreshAccessToken
+});
+function buildAuthorizationUrl(state, codeChallenge, redirectUri) {
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OAUTH_CONFIG.clientId,
+    redirect_uri: redirectUri,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state,
+    scope: OAUTH_CONFIG.scopes.join(" ")
+  });
+  return `${OAUTH_CONFIG.authUrl}?${params.toString()}`;
+}
+async function exchangeCodeForTokens(code, codeVerifier, redirectUri) {
+  logger.debug("[OAuth] Exchanging code for tokens", {
+    tokenUrl: OAUTH_CONFIG.tokenUrl
+  });
+  const response = await fetch(OAUTH_CONFIG.tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      client_id: OAUTH_CONFIG.clientId,
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier
+    }),
+    signal: AbortSignal.timeout(3e4)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    logger.error("[OAuth] Token exchange failed", {
+      status: response.status,
+      body: errorText.substring(0, 500)
+    });
+    throw new Error(`Token exchange failed: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  logger.debug("[OAuth] Token exchange successful");
+  const expiresInSeconds = data.expires_in || TOKEN_EXPIRY_SECONDS;
+  data.expires_at = Date.now() + expiresInSeconds * 1e3;
+  const userInfo2 = {
+    id: data.user?.id || "",
+    email: data.user?.email || ""
+  };
+  return { tokens: data, userInfo: userInfo2 };
+}
+async function refreshAccessToken(_refreshToken) {
+  return null;
+}
+function isTokenExpired(expiresAt, bufferSeconds = DEFAULT_EXPIRY_BUFFER_SECONDS) {
+  return Date.now() >= expiresAt - bufferSeconds * 1e3;
+}
+function isTokenExpiringSoon(expiresAt, thresholdSeconds = EXPIRY_WARN_THRESHOLD_SECONDS) {
+  if (isTokenExpired(expiresAt))
+    return false;
+  return Date.now() >= expiresAt - thresholdSeconds * 1e3;
+}
+function createOAuthState(guardianPort) {
+  const state = generateState();
+  const codeVerifier = generateCodeVerifier();
+  const redirectUri = `http://127.0.0.1:${guardianPort}/oauth/callback`;
+  return {
+    state,
+    codeVerifier,
+    redirectUri,
+    createdAt: Date.now(),
+    status: "pending"
+  };
+}
+var OAUTH_CONFIG, TOKEN_EXPIRY_SECONDS, DEFAULT_EXPIRY_BUFFER_SECONDS, EXPIRY_WARN_THRESHOLD_SECONDS;
+var init_oauth = __esm({
+  "src/auth/oauth.ts"() {
+    "use strict";
+    init_pkce();
+    init_config2();
+    init_utils();
+    OAUTH_CONFIG = {
+      get authUrl() {
+        return `${getOAuthUrl()}/cli-auth`;
+      },
+      get tokenUrl() {
+        return `${getOAuthUrl()}/api/cli-auth/token`;
+      },
+      clientId: "overwatch-cli",
+      scopes: ["account:read", "gateway:read"]
+    };
+    TOKEN_EXPIRY_SECONDS = 90 * 24 * 60 * 60;
+    DEFAULT_EXPIRY_BUFFER_SECONDS = 5 * 60;
+    EXPIRY_WARN_THRESHOLD_SECONDS = 7 * 24 * 60 * 60;
+  }
+});
+
+// lib/platform-loader.js
+var require_platform_loader = __commonJS({
+  "lib/platform-loader.js"(exports2, module2) {
+    "use strict";
+    var path14 = require("path");
+    var fs15 = require("fs");
+    var os14 = require("os");
+    var PLATFORM_MAP = {
+      "darwin-arm64": {
+        package: "@highflame/overwatch-v2-darwin-arm64",
+        rustTarget: "aarch64-apple-darwin",
+        binaryName: "ramparts-aarch64-apple-darwin"
+      },
+      "darwin-x64": {
+        package: "@highflame/overwatch-v2-darwin-x64",
+        rustTarget: "x86_64-apple-darwin",
+        binaryName: "ramparts-x86_64-apple-darwin"
+      },
+      "linux-x64": {
+        package: "@highflame/overwatch-v2-linux-x64",
+        rustTarget: "x86_64-unknown-linux-gnu",
+        binaryName: "ramparts-x86_64-unknown-linux-gnu"
+      },
+      "linux-arm64": {
+        package: "@highflame/overwatch-v2-linux-arm64",
+        rustTarget: "aarch64-unknown-linux-gnu",
+        binaryName: "ramparts-aarch64-unknown-linux-gnu"
+      },
+      "win32-x64": {
+        package: "@highflame/overwatch-v2-win32-x64",
+        rustTarget: "x86_64-pc-windows-msvc",
+        binaryName: "ramparts-x86_64-pc-windows-msvc.exe"
+      },
+      "win32-arm64": {
+        package: "@highflame/overwatch-v2-win32-arm64",
+        rustTarget: "aarch64-pc-windows-msvc",
+        binaryName: "ramparts-aarch64-pc-windows-msvc.exe"
+      }
+    };
+    function getPlatformKey() {
+      return `${process.platform}-${process.arch}`;
+    }
+    function getPlatformConfig() {
+      const key = getPlatformKey();
+      return PLATFORM_MAP[key] || null;
+    }
+    function loadPlatformPackage() {
+      const config = getPlatformConfig();
+      if (!config) {
+        return null;
+      }
+      try {
+        const dynamicRequire = typeof __non_webpack_require__ !== "undefined" ? __non_webpack_require__ : require;
+        return dynamicRequire(config.package);
+      } catch (error) {
+        return null;
+      }
+    }
+    function getPackageRoot() {
+      let currentDir = __dirname;
+      const baseName = path14.basename(currentDir);
+      if (baseName === "lib" || baseName === "dist") {
+        return path14.resolve(currentDir, "..");
+      }
+      return path14.resolve(currentDir, "..");
+    }
+    function getRampartsBinaryPath() {
+      const config = getPlatformConfig();
+      const platformPkg = loadPlatformPackage();
+      if (platformPkg && typeof platformPkg.getRampartsBinaryPath === "function") {
+        const binaryPath = platformPkg.getRampartsBinaryPath();
+        if (binaryPath && fs15.existsSync(binaryPath)) {
+          return binaryPath;
+        }
+      }
+      const packageRoot = getPackageRoot();
+      const localPaths = [];
+      const isWindows = process.platform === "win32";
+      const genericBinaryName = isWindows ? "ramparts.exe" : "ramparts";
+      if (config) {
+        localPaths.push(path14.join(packageRoot, "bin", config.binaryName));
+      }
+      localPaths.push(
+        path14.join(packageRoot, "bin", genericBinaryName),
+        path14.join(packageRoot, "dist", "bin", genericBinaryName)
+      );
+      for (const p of localPaths) {
+        if (fs15.existsSync(p)) {
+          return p;
+        }
+      }
+      const overwatchPaths = [];
+      if (config) {
+        overwatchPaths.push(
+          path14.join(os14.homedir(), ".overwatch", "bin", config.binaryName)
+        );
+      }
+      overwatchPaths.push(
+        path14.join(os14.homedir(), ".overwatch", "bin", genericBinaryName)
+      );
+      for (const p of overwatchPaths) {
+        if (fs15.existsSync(p)) {
+          return p;
+        }
+      }
+      try {
+        const { execSync } = require("child_process");
+        const findCmd = isWindows ? `where ${genericBinaryName}` : `which ${genericBinaryName}`;
+        const result = execSync(findCmd, { encoding: "utf-8" }).trim();
+        const foundPath = result.split(/\r?\n/)[0];
+        if (foundPath && fs15.existsSync(foundPath)) {
+          return foundPath;
+        }
+      } catch {
+      }
+      return null;
+    }
+    function isPlatformSupported() {
+      return getPlatformConfig() !== null;
+    }
+    function getPlatformNotFoundMessage() {
+      const key = getPlatformKey();
+      const config = getPlatformConfig();
+      if (!config) {
+        return `Unsupported platform: ${key}. Supported platforms: ${Object.keys(PLATFORM_MAP).join(", ")}`;
+      }
+      return `Platform binaries not found for ${key}.
+
+To fix this, either:
+  1. Install the platform package: npm install ${config.package}
+  2. Run the native deps build: ./scripts/build-native-deps.sh
+  3. Place binaries in ~/.overwatch/bin/
+`;
+    }
+    module2.exports = {
+      getPlatformKey,
+      getPlatformConfig,
+      loadPlatformPackage,
+      getRampartsBinaryPath,
+      isPlatformSupported,
+      getPlatformNotFoundMessage,
+      PLATFORM_MAP
+    };
+  }
+});
+
+// src/daemon.ts
+var fs14 = __toESM(require("fs"));
+var path13 = __toESM(require("path"));
+var os13 = __toESM(require("os"));
+
+// src/http/server.ts
+var http = __toESM(require("http"));
+init_utils();
+var GuardianHttpServer = class {
+  constructor(port) {
+    this.requestListeners = /* @__PURE__ */ new Map();
+    this.requestCount = 0;
+    this.port = port;
+    logger.debug("Creating server instance", {
+      requestedPort: port,
+      isEphemeral: port === 0
+    });
+    this.server = http.createServer(this.handleRequest.bind(this));
+  }
+  /**
+   * Start the server
+   */
+  start() {
+    logger.info("Starting server...");
+    return new Promise((resolve, reject) => {
+      this.server.listen(this.port, "127.0.0.1", () => {
+        const address = this.server.address();
+        const originalPort = this.port;
+        if (address && typeof address === "object") {
+          this.port = address.port;
+        }
+        logger.info("Server started successfully", {
+          requestedPort: originalPort,
+          assignedPort: this.port,
+          host: "127.0.0.1",
+          registeredPaths: Array.from(this.requestListeners.keys())
+        });
+        resolve();
+      });
+      this.server.on("error", (error) => {
+        logger.error("Server startup error:", {
+          code: error.code,
+          message: error.message,
+          port: this.port
+        });
+        reject(error);
+      });
+      this.server.on("close", () => {
+        logger.debug("Server closed");
+      });
+      this.server.on("connection", (socket) => {
+        logger.debug("New connection", {
+          remoteAddress: socket.remoteAddress,
+          remotePort: socket.remotePort
+        });
+      });
+    });
+  }
+  /**
+   * Stop the server
+   */
+  stop() {
+    logger.info("Stopping server...");
+    return new Promise((resolve) => {
+      if (this.server.listening) {
+        this.server.close(() => {
+          logger.info("Server stopped", {
+            totalRequestsServed: this.requestCount
+          });
+          resolve();
+        });
+      } else {
+        logger.debug("Server was not listening");
+        resolve();
+      }
+    });
+  }
+  /**
+   * Register a request handler for a specific path
+   */
+  on(path14, listener) {
+    this.requestListeners.set(path14, listener);
+    logger.debug("Registered handler", {
+      path: path14,
+      totalHandlers: this.requestListeners.size
+    });
+  }
+  /**
+   * Handle incoming requests
+   */
+  handleRequest(req, res) {
+    const startTime = Date.now();
+    const url = new URL(req.url || "", `http://${req.headers.host}`);
+    logger.debug("Incoming request", {
+      method: req.method,
+      path: url.pathname,
+      query: url.search || "(none)",
+      userAgent: req.headers["user-agent"],
+      contentLength: req.headers["content-length"]
+    });
+    let listener = this.requestListeners.get(url.pathname);
+    let matchedPath = url.pathname;
+    if (!listener) {
+      for (const [path14, handler] of this.requestListeners.entries()) {
+        if (url.pathname.startsWith(path14 + "/") || url.pathname === path14) {
+          listener = handler;
+          matchedPath = path14;
+          break;
+        }
+      }
+    }
+    if (listener) {
+      logger.debug(`Handler found for ${matchedPath}`);
+      const originalEnd = res.end.bind(res);
+      res.end = (...args) => {
+        const duration = Date.now() - startTime;
+        logger.debug("Response sent", {
+          statusCode: res.statusCode,
+          duration
+        });
+        return originalEnd(...args);
+      };
+      listener(req, res);
+    } else {
+      const duration = Date.now() - startTime;
+      logger.warn(`No handler for path: ${url.pathname}`, {
+        availablePaths: Array.from(this.requestListeners.keys()),
+        duration
+      });
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not Found", path: url.pathname }));
+    }
+  }
+  /**
+   * Get the port the server is listening on
+   */
+  getPort() {
+    return this.port;
+  }
+  /**
+   * Check if server is currently listening
+   */
+  isListening() {
+    return this.server.listening;
+  }
+};
+
+// src/javelin/config-reader.ts
+var fs4 = __toESM(require("fs"));
+var path4 = __toESM(require("path"));
+var os4 = __toESM(require("os"));
+init_utils();
+
+// src/auth/index.ts
+init_pkce();
+init_oauth();
+
+// src/auth/cli-oauth.ts
+init_pkce();
+init_oauth();
+init_token_store();
+
+// src/auth/html-utils.ts
+function escapeHtml(unsafe) {
+  return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+var COMMON_STYLES = `
+  * {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+  }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif;
+    -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+    background: #ffffff;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    padding: 16px;
+  }
+  .container {
+    background: white;
+    border-radius: 12px;
+    box-shadow: 0 1px 3px 0 rgba(0, 0, 0, 0.1), 0 1px 2px 0 rgba(0, 0, 0, 0.06);
+    width: 100%;
+    max-width: 448px;
+    padding: 0;
+    overflow: hidden;
+  }
+  .card-header {
+    text-align: center;
+    padding: 32px 24px 24px;
+  }
+  .icon-container {
+    margin: 0 auto 16px;
+    width: 64px;
+    height: 64px;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    border-radius: 50%;
+  }
+  .success .icon-container {
+    background: #dcfce7;
+  }
+  .error .icon-container {
+    background: #fee2e2;
+  }
+  .icon {
+    width: 32px;
+    height: 32px;
+  }
+  .success .icon {
+    color: #16a34a;
+  }
+  .error .icon {
+    color: #dc2626;
+  }
+  h1 {
+    font-size: 24px;
+    font-weight: 600;
+    line-height: 1.2;
+    margin-bottom: 8px;
+  }
+  .success h1 {
+    color: #16a34a;
+  }
+  .error h1 {
+    color: #dc2626;
+  }
+  .description {
+    color: #6b7280;
+    font-size: 14px;
+    line-height: 1.5;
+    margin-top: 8px;
+  }
+  .email {
+    font-weight: 500;
+    color: #111827;
+  }
+  .error-message {
+    color: #dc2626;
+    font-family: 'Monaco', 'Menlo', 'Ubuntu Mono', monospace;
+    font-size: 13px;
+    background: #fef2f2;
+    padding: 12px;
+    border-radius: 6px;
+    margin: 16px 24px;
+    border: 1px solid #fecaca;
+    word-break: break-word;
+  }
+`;
+function generateSuccessHtml(message, email) {
+  const safeMessage = escapeHtml(message);
+  const safeEmail = email ? escapeHtml(email) : "user";
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authorization Successful</title>
+  <style>${COMMON_STYLES}</style>
+</head>
+<body>
+  <div class="container success">
+    <div class="card-header">
+      <div class="icon-container">
+        <svg class="icon" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+          <path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7" />
+        </svg>
+      </div>
+      <h1>Authorization Successful!</h1>
+      <p class="description">
+        ${email ? `Welcome, <span class="email">${safeEmail}</span>!` : ""}
+        ${safeMessage}
+      </p>
+    </div>
+  </div>
+</body>
+</html>`;
+}
+function generateErrorHtml(error) {
+  const safeError = escapeHtml(error);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authorization Failed</title>
+  <style>${COMMON_STYLES}</style>
+</head>
+<body>
+  <div class="container error">
+    <div class="card-header">
+      <div class="icon-container">
+        <svg class="icon" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+          <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+        </svg>
+      </div>
+      <h1>Authorization Failed</h1>
+      <p class="description">Please try again from the terminal.</p>
+    </div>
+    <div class="error-message">${safeError}</div>
+  </div>
+</body>
+</html>`;
+}
+
+// src/auth/cli-oauth.ts
+var OAUTH_TIMEOUT_MS = 5 * 60 * 1e3;
+
+// src/auth/index.ts
+init_token_store();
+
+// src/javelin/config-reader.ts
+init_config2();
+var ConfigReader = class {
+  constructor(configPath) {
+    this.rawConfig = null;
+    this.configPath = configPath || path4.join(os4.homedir(), ".overwatch", "config.json");
+    logger.debug("Initialized", { configPath: this.configPath });
+  }
+  /**
+   * Get Highflame API configuration
+   */
+  getHighflameConfig() {
+    const envBaseUrl = process.env.HIGHFLAME_BASE_URL;
+    return {
+      baseUrl: envBaseUrl || getBaseUrl(),
+      enabled: this.rawConfig?.engines?.javelin?.enabled !== false
+    };
+  }
+  /**
+   * Get a fresh, validated JWT token for API authentication.
+   * Re-reads session.json each time, checks expiry, and refreshes if needed.
+   */
+  async getJwtToken() {
+    const envToken = process.env.HIGHFLAME_TOKEN;
+    if (envToken) {
+      return envToken;
+    }
+    const token = await getValidAccessToken();
+    if (!token) {
+      logger.warn(
+        "No valid authentication token. Admin API calls will be skipped. Run `overwatch login` to authenticate."
+      );
+    }
+    return token;
+  }
+  /**
+   * Get the full overwatch config
+   */
+  getOverwatchConfig() {
+    return this.rawConfig;
+  }
+  /**
+   * Load raw config from file
+   */
+  async loadRawConfig() {
+    if (!fs4.existsSync(this.configPath)) {
+      logger.warn(`Config file not found: ${this.configPath}`);
+      this.rawConfig = null;
+      return;
+    }
+    try {
+      const configData = await fs4.promises.readFile(this.configPath, "utf-8");
+      this.rawConfig = JSON.parse(configData);
+      logger.info("Config loaded:", {
+        version: this.rawConfig.version,
+        hasHighflame: !!this.rawConfig.highflame
+      });
+    } catch (error) {
+      logger.error("Failed to load config:", {
+        error: String(error)
+      });
+      this.rawConfig = null;
+    }
+  }
+  /**
+   * Get admin API configuration (derived from Highflame config)
+   */
+  getAdminConfig() {
+    const highflameConfig = this.getHighflameConfig();
+    return {
+      enabled: highflameConfig.enabled,
+      baseUrl: highflameConfig.baseUrl || null
+    };
+  }
+  /**
+   * Get admin token for API authentication
+   */
+  async getAdminToken() {
+    return await this.getJwtToken();
+  }
+};
+
+// src/javelin/admin-client.ts
+init_utils();
+var DEFAULT_TIMEOUT = 5e3;
+var AdminClient = class {
+  constructor(baseUrl, tokenGetter, timeout = DEFAULT_TIMEOUT) {
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+    this.tokenGetter = typeof tokenGetter === "string" ? () => Promise.resolve(tokenGetter) : tokenGetter;
+    this.timeout = timeout;
+    logger.debug("Initialized", {
+      baseUrl: this.baseUrl,
+      timeout: this.timeout
+    });
+  }
+  async getToken() {
+    return this.tokenGetter();
+  }
+  /**
+   * Record installation event
+   * Called on first event from a new user/IDE combination
+   */
+  async recordInstallation(event) {
+    const url = `${this.baseUrl}/v1/admin/guardian/installations`;
+    const token = await this.getToken();
+    if (!token) {
+      logger.warn("No valid auth token, skipping installation recording");
+      return false;
+    }
+    logger.info("Recording installation", {
+      ide_type: event.ide_type,
+      user_email: event.user_email
+    });
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify(event),
+        signal: AbortSignal.timeout(this.timeout)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        logger.error("Failed to record installation", {
+          status: response.status,
+          error: errorText
+        });
+        return false;
+      }
+      logger.info("Installation recorded successfully");
+      return true;
+    } catch (error) {
+      logger.error("Error recording installation", {
+        error: String(error)
+      });
+      return false;
+    }
+  }
+  /**
+   * Report coverage metrics to admin API.
+   * Called periodically by GuardianModule (default cadence: every 10
+   * minutes; see COVERAGE_INTERVAL_MS in module.ts) to report agent
+   * detection coverage.
+   */
+  async reportCoverageMetrics(report) {
+    const url = `${this.baseUrl}/v1/admin/guardian/coverage`;
+    const token = await this.getToken();
+    if (!token) {
+      logger.warn("No valid auth token, skipping coverage reporting");
+      return false;
+    }
+    logger.info("Reporting coverage metrics", {
+      installed_count: report.installed_count,
+      monitored_count: report.monitored_count,
+      coverage_percentage: report.coverage_percentage,
+      platform: report.platform
+    });
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify(report),
+        signal: AbortSignal.timeout(this.timeout)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        logger.error("Failed to report coverage metrics", {
+          status: response.status,
+          error: errorText
+        });
+        return false;
+      }
+      logger.info("Coverage metrics reported successfully");
+      return true;
+    } catch (error) {
+      logger.error("Error reporting coverage metrics", {
+        error: String(error)
+      });
+      return false;
+    }
+  }
+  /**
+   * Health check - verify connection to admin API
+   */
+  async healthCheck() {
+    const token = await this.getToken();
+    if (!token)
+      return false;
+    try {
+      const response = await fetch(
+        `${this.baseUrl}/v1/admin/applications?type=code_agent&limit=1`,
+        {
+          method: "GET",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${token}`
+          },
+          signal: AbortSignal.timeout(5e3)
+        }
+      );
+      const healthy = response.ok;
+      logger.debug(`Health check: ${healthy ? "OK" : "FAILED"}`);
+      return healthy;
+    } catch (error) {
+      logger.debug("Health check failed", {
+        error: String(error)
+      });
+      return false;
+    }
+  }
+};
+
+// src/module.ts
+init_utils();
+
+// src/scanner.ts
+var import_child_process = require("child_process");
+var fs5 = __toESM(require("fs"));
+init_utils();
+init_config2();
+var platformLoader = require_platform_loader();
+var MCPScanner = class {
+  constructor() {
+    this.rampartsPath = null;
+    this.rampartsPath = this.findRampartsBinary();
+  }
+  /**
+   * Find the ramparts binary based on platform
+   * Uses platform-loader for cross-platform discovery.
+   *
+   * Search order:
+   * 1. Platform package (npm optionalDependency)
+   * 2. Local bin/ directory (dev mode)
+   * 3. ~/.overwatch/bin/
+   * 4. System PATH
+   */
+  findRampartsBinary() {
+    if (!platformLoader.isPlatformSupported()) {
+      const key = platformLoader.getPlatformKey();
+      logger.warn(`Unsupported platform: ${key}`);
+      return null;
+    }
+    const binaryPath = platformLoader.getRampartsBinaryPath();
+    if (binaryPath) {
+      logger.info(`Found ramparts at: ${binaryPath}`);
+      return binaryPath;
+    }
+    logger.warn("ramparts binary not found");
+    logger.warn(platformLoader.getPlatformNotFoundMessage());
+    return null;
+  }
+  /**
+   * Check if scanner is available
+   */
+  isAvailable() {
+    return this.rampartsPath !== null;
+  }
+  /**
+   * Get the path to ramparts binary
+   */
+  getBinaryPath() {
+    return this.rampartsPath;
+  }
+  /**
+   * Run MCP config scan
+   * @param rulesDir Optional custom YARA rules directory
+   */
+  async runScan(rulesDir) {
+    if (!this.rampartsPath) {
+      throw new Error("ramparts binary not found");
+    }
+    const args = ["scan-config", "--format", "json"];
+    const env = {
+      ...process.env,
+      JAVELIN_BYPASS: "true"
+      // Skip Javelin checks during scan
+    };
+    if (rulesDir && fs5.existsSync(rulesDir)) {
+      env.RAMPARTS_RULES_DIR = rulesDir;
+      logger.debug(`Using rules from: ${rulesDir}`);
+    }
+    const llmConfig = getLLMConfig();
+    if (llmConfig?.apiKey) {
+      env.LLM_API_KEY = llmConfig.apiKey;
+      if (llmConfig.provider === "openai") {
+        env.OPENAI_API_KEY = llmConfig.apiKey;
+      } else if (llmConfig.provider === "anthropic") {
+        env.ANTHROPIC_API_KEY = llmConfig.apiKey;
+      }
+      logger.debug(
+        `LLM API key configured for ramparts (${llmConfig.provider || "openai"})`
+      );
+    }
+    logger.info(`Running: ${this.rampartsPath} ${args.join(" ")}`);
+    return new Promise((resolve, reject) => {
+      const proc = (0, import_child_process.spawn)(this.rampartsPath, args, {
+        env,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+      let stdout = "";
+      let stderr = "";
+      proc.stdout?.on("data", (data) => {
+        stdout += data.toString();
+      });
+      proc.stderr?.on("data", (data) => {
+        stderr += data.toString();
+      });
+      proc.on("close", (code) => {
+        if (code !== 0) {
+          logger.warn(`ramparts exited with code ${code}`);
+          if (stderr) {
+            logger.debug(`stderr: ${stderr}`);
+          }
+        }
+        try {
+          const result = this.parseOutput(stdout);
+          resolve(result);
+        } catch (error) {
+          const errorMsg = error instanceof Error ? error.message : String(error);
+          logger.error(`Failed to parse output: ${errorMsg}`);
+          reject(new Error(`Failed to parse scan output: ${errorMsg}`));
+        }
+      });
+      proc.on("error", (err) => {
+        logger.error(`Process error: ${err.message}`);
+        reject(err);
+      });
+      setTimeout(() => {
+        proc.kill();
+        reject(new Error("Scan timed out after 600 seconds"));
+      }, 6e5);
+    });
+  }
+  /**
+   * Parse ramparts CLI output
+   * Handles cases where CLI prints banner/logs before JSON
+   */
+  parseOutput(output) {
+    try {
+      return JSON.parse(output);
+    } catch {
+    }
+    const cleanOutput = output.replace(/\x1b\[[0-9;]*m/g, "");
+    let searchIndex = cleanOutput.indexOf('"scan_type"');
+    if (searchIndex === -1) {
+      searchIndex = cleanOutput.indexOf('"results"');
+    }
+    if (searchIndex === -1) {
+      logger.warn("Could not find JSON content in output");
+      return this.getEmptyResult();
+    }
+    let startIndex = -1;
+    for (let i = searchIndex; i >= 0; i--) {
+      if (cleanOutput[i] === "{") {
+        startIndex = i;
+        break;
+      }
+    }
+    if (startIndex !== -1) {
+      let braceCount = 0;
+      let endIndex = -1;
+      for (let i = startIndex; i < cleanOutput.length; i++) {
+        if (cleanOutput[i] === "{")
+          braceCount++;
+        else if (cleanOutput[i] === "}")
+          braceCount--;
+        if (braceCount === 0) {
+          endIndex = i + 1;
+          break;
+        }
+      }
+      if (endIndex !== -1) {
+        const jsonStr = cleanOutput.substring(startIndex, endIndex);
+        try {
+          return JSON.parse(jsonStr);
+        } catch (error) {
+          const errorMsg = error instanceof Error ? error.message : String(error);
+          logger.warn(`Failed to parse extracted JSON: ${errorMsg}`);
+        }
+      }
+    }
+    logger.warn("Could not parse JSON, returning empty result");
+    return this.getEmptyResult();
+  }
+  getEmptyResult() {
+    return {
+      scan_type: "mcp_config",
+      total_servers: 0,
+      results: []
+    };
+  }
+};
+
+// src/module.ts
+init_version();
+
+// src/cerberus/client.ts
+init_utils();
+init_version();
+
+// src/handlers/utils.ts
+async function parseBody(req) {
+  return new Promise((resolve) => {
+    let body = "";
+    req.on("data", (chunk) => {
+      body += chunk.toString();
+    });
+    req.on("end", () => {
+      try {
+        resolve(JSON.parse(body || "{}"));
+      } catch {
+        resolve({});
+      }
+    });
+    req.on("error", () => resolve({}));
+  });
+}
+function getOfflineFailOpen(_source) {
+  return {};
+}
+
+// src/cerberus/client.ts
+var DEFAULT_TIMEOUT2 = 1e4;
+var CerberusClient = class {
+  constructor(baseUrl, tokenGetter, machineId, timeout = DEFAULT_TIMEOUT2) {
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+    this.tokenGetter = tokenGetter;
+    this.machineId = machineId;
+    this.timeout = timeout;
+    logger.debug("CerberusClient initialized", {
+      baseUrl: this.baseUrl,
+      timeout: this.timeout
+    });
+  }
+  /**
+   * Forward a hook event to Cerberus for evaluation.
+   * Returns the Cerberus response, or a fail-open allow on error.
+   */
+  async evaluate(req) {
+    const url = `${this.baseUrl}/v1/hooks/evaluate`;
+    const startTime = Date.now();
+    const body = {
+      source: req.source,
+      event: req.event,
+      payload: req.payload,
+      client: {
+        version: VERSION,
+        machine_id: this.machineId,
+        platform: process.platform,
+        ...req.client
+      }
+    };
+    const token = await this.tokenGetter();
+    if (!token) {
+      logger.warn("No auth token \u2014 allowing (fail-open)");
+      return this.failOpen(req.source);
+    }
+    const headers = {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`,
+      "User-Agent": `overwatch/${VERSION}`
+    };
+    const requestBody = JSON.stringify(body);
+    logger.info("Cerberus request", {
+      url,
+      source: req.source,
+      event: req.event,
+      bodySize: requestBody.length
+    });
+    logger.debug("Cerberus request body (shape)", {
+      payloadKeys: Object.keys(body.payload || {}),
+      bodySize: requestBody.length
+    });
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers,
+        body: requestBody,
+        signal: AbortSignal.timeout(this.timeout)
+      });
+      const duration = Date.now() - startTime;
+      const responseText = await response.text();
+      logger.debug("Cerberus raw response", {
+        status: response.status,
+        duration: `${duration}ms`,
+        body: responseText.substring(0, 1e3)
+      });
+      if (!response.ok) {
+        logger.error("Cerberus returned error \u2014 allowing (fail-open)", {
+          status: response.status,
+          error: responseText.substring(0, 500),
+          duration: `${duration}ms`
+        });
+        return this.failOpen(req.source);
+      }
+      const result = JSON.parse(responseText);
+      logger.info(`Cerberus response in ${duration}ms`, {
+        decision: result.decision,
+        allowed: result.allowed,
+        reason: result.reason,
+        event_id: result.event_id,
+        ide_response: result.ide_response
+      });
+      return result;
+    } catch (error) {
+      const duration = Date.now() - startTime;
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Cerberus call failed \u2014 allowing (fail-open)", {
+        error: errorMessage,
+        duration: `${duration}ms`,
+        url
+      });
+      return this.failOpen(req.source);
+    }
+  }
+  failOpen(source) {
+    return {
+      allowed: true,
+      decision: "allow",
+      reason: "Cerberus unavailable \u2014 fail-open",
+      ide_response: getOfflineFailOpen(source)
+    };
+  }
+};
+
+// src/module.ts
+init_config2();
+
+// src/data/ingestor.ts
+var fs6 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
+var os5 = __toESM(require("os"));
+init_utils();
+var MAX_RETRIES = 5;
+var RETRY_INTERVAL_MS = 3e4;
+var AdminIngestor = class {
+  constructor(baseUrl, tokenGetter, endpoint, applicationIdResolver) {
+    this.retryTimer = null;
+    // Mid-flight guard so boot + interval calls don't overlap on the pending file.
+    this.processing = false;
+    this.applicationIdResolver = null;
+    this.baseUrl = baseUrl;
+    this.tokenGetter = tokenGetter;
+    this.endpoint = endpoint;
+    this.applicationIdResolver = applicationIdResolver || null;
+    this.pendingFile = path5.join(
+      os5.homedir(),
+      ".overwatch",
+      `pending-${endpoint}.jsonl`
+    );
+    this.deadLetterFile = path5.join(
+      os5.homedir(),
+      ".overwatch",
+      `dead-letter-${endpoint}.jsonl`
+    );
+    logger.info(`Initialized`, {
+      baseUrl: this.baseUrl,
+      endpoint: this.endpoint,
+      pendingFile: this.pendingFile,
+      deadLetterFile: this.deadLetterFile
+    });
+  }
+  start() {
+    if (this.retryTimer) {
+      logger.debug("Already started");
+      return;
+    }
+    logger.info("Starting", {
+      retryIntervalMs: RETRY_INTERVAL_MS
+    });
+    this.processQueue();
+    this.retryTimer = setInterval(() => this.processQueue(), RETRY_INTERVAL_MS);
+  }
+  stop() {
+    if (this.retryTimer) {
+      logger.info("Stopping");
+      clearInterval(this.retryTimer);
+      this.retryTimer = null;
+    }
+  }
+  /** Fire-and-forget record ingestion */
+  ingest(record) {
+    const recordObj = record;
+    logger.debug("Ingesting record", {
+      recordSize: JSON.stringify(record).length,
+      recordKeys: Object.keys(recordObj),
+      hasResults: "results" in recordObj,
+      resultsType: recordObj.results ? Array.isArray(recordObj.results) ? "array" : typeof recordObj.results : "missing",
+      resultsLength: Array.isArray(recordObj.results) ? recordObj.results.length : "N/A"
+    });
+    this.send(record).catch((error) => {
+      logger.warn(
+        `[AdminIngestor:${this.endpoint}] Initial send failed, saving for retry`,
+        {
+          error: String(error),
+          errorMessage: error?.message
+        }
+      );
+      this.saveForRetry(record, 0);
+    });
+  }
+  async send(record) {
+    const url = `${this.baseUrl}/v1/admin/guardian/${this.endpoint}`;
+    const body = JSON.stringify(record);
+    const token = await this.tokenGetter();
+    if (!token) {
+      logger.warn(`[AdminIngestor:${this.endpoint}] No valid auth token, skipping send`);
+      return;
+    }
+    const applicationId = this.applicationIdResolver ? this.applicationIdResolver(record) : null;
+    logger.debug("Sending record", {
+      url,
+      method: "POST",
+      bodySize: body.length,
+      hasApplicationId: !!applicationId
+    });
+    const headers = {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`
+    };
+    try {
+      const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body,
+        signal: AbortSignal.timeout(3e4)
+      });
+      if (!res.ok) {
+        const errorText = await res.text().catch(() => "");
+        logger.error("Send failed", {
+          status: res.status,
+          statusText: res.statusText,
+          errorBody: errorText.substring(0, 200),
+          url
+        });
+        throw new Error(`${res.status} ${res.statusText}`);
+      }
+      logger.info("Successfully sent record", {
+        status: res.status,
+        url
+      });
+    } catch (error) {
+      const errorObj = error;
+      logger.error("Send error", {
+        error: String(error),
+        errorMessage: errorObj?.message,
+        errorName: errorObj?.name,
+        url
+      });
+      throw error;
+    }
+  }
+  saveForRetry(record, retryCount) {
+    try {
+      this.ensureDir(this.pendingFile);
+      fs6.appendFileSync(
+        this.pendingFile,
+        JSON.stringify({ record, retryCount }) + "\n"
+      );
+      logger.info("Saved record for retry", {
+        retryCount,
+        pendingFile: this.pendingFile
+      });
+    } catch (e) {
+      logger.error(
+        `[AdminIngestor:${this.endpoint}] Failed to save for retry`,
+        {
+          error: String(e),
+          retryCount,
+          pendingFile: this.pendingFile
+        }
+      );
+    }
+  }
+  async processQueue() {
+    if (this.processing) {
+      logger.debug(
+        `[AdminIngestor:${this.endpoint}] processQueue already running, skipping this tick`
+      );
+      return;
+    }
+    this.processing = true;
+    try {
+      await this.processQueueInner();
+    } finally {
+      this.processing = false;
+    }
+  }
+  async processQueueInner() {
+    if (!fs6.existsSync(this.pendingFile)) {
+      logger.debug(
+        `[AdminIngestor:${this.endpoint}] No pending file, skipping queue processing`
+      );
+      return;
+    }
+    const pending = this.loadPending();
+    if (pending.length === 0) {
+      logger.debug(
+        `[AdminIngestor:${this.endpoint}] No pending records to process`
+      );
+      return;
+    }
+    logger.info("Processing queue", {
+      pendingCount: pending.length
+    });
+    const remaining = [];
+    for (const item of pending) {
+      try {
+        logger.debug("Retrying record", {
+          retryCount: item.retryCount
+        });
+        await this.send(item.record);
+        logger.info(
+          `[AdminIngestor:${this.endpoint}] Successfully retried record`,
+          {
+            retryCount: item.retryCount
+          }
+        );
+      } catch (e) {
+        const newRetryCount = item.retryCount + 1;
+        if (newRetryCount >= MAX_RETRIES) {
+          logger.error(
+            `[AdminIngestor:${this.endpoint}] Max retries reached, moving to dead letter`,
+            {
+              retryCount: item.retryCount,
+              maxRetries: MAX_RETRIES,
+              error: String(e)
+            }
+          );
+          this.moveToDeadLetter(item, String(e));
+        } else {
+          logger.warn(
+            `[AdminIngestor:${this.endpoint}] Retry failed, will retry again`,
+            {
+              retryCount: item.retryCount,
+              newRetryCount,
+              maxRetries: MAX_RETRIES,
+              error: String(e)
+            }
+          );
+          remaining.push({ record: item.record, retryCount: newRetryCount });
+        }
+      }
+    }
+    if (remaining.length > 0) {
+      logger.info(
+        `[AdminIngestor:${this.endpoint}] Queue processing complete, ${remaining.length} records remaining`,
+        {
+          remainingCount: remaining.length,
+          processedCount: pending.length - remaining.length
+        }
+      );
+    } else {
+      logger.info(
+        `[AdminIngestor:${this.endpoint}] Queue processing complete, all records processed`,
+        {
+          processedCount: pending.length
+        }
+      );
+    }
+    this.savePending(remaining);
+  }
+  loadPending() {
+    try {
+      const content = fs6.readFileSync(this.pendingFile, "utf-8");
+      return content.split("\n").filter(Boolean).map((line) => {
+        try {
+          return JSON.parse(line);
+        } catch {
+          return null;
+        }
+      }).filter(Boolean);
+    } catch {
+      return [];
+    }
+  }
+  savePending(items) {
+    try {
+      if (items.length === 0) {
+        if (fs6.existsSync(this.pendingFile))
+          fs6.unlinkSync(this.pendingFile);
+      } else {
+        fs6.writeFileSync(
+          this.pendingFile,
+          items.map((i) => JSON.stringify(i)).join("\n") + "\n"
+        );
+      }
+    } catch (e) {
+      logger.error("Failed to save pending", {
+        error: String(e)
+      });
+    }
+  }
+  moveToDeadLetter(item, reason) {
+    try {
+      this.ensureDir(this.deadLetterFile);
+      fs6.appendFileSync(
+        this.deadLetterFile,
+        JSON.stringify({
+          ...item,
+          reason,
+          failedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }) + "\n"
+      );
+      logger.error(
+        `[AdminIngestor:${this.endpoint}] Moved record to dead letter`,
+        {
+          retryCount: item.retryCount,
+          reason,
+          deadLetterFile: this.deadLetterFile
+        }
+      );
+    } catch (e) {
+      logger.error(
+        `[AdminIngestor:${this.endpoint}] Failed to write dead letter`,
+        {
+          error: String(e),
+          deadLetterFile: this.deadLetterFile
+        }
+      );
+    }
+  }
+  ensureDir(filePath) {
+    const dir = path5.dirname(filePath);
+    if (!fs6.existsSync(dir))
+      fs6.mkdirSync(dir, { recursive: true });
+  }
+};
+
+// src/data/installation-recorder.ts
+var InstallationRecorder = class {
+  constructor(send) {
+    this.send = send;
+    this.seen = /* @__PURE__ */ new Set();
+    this.inflight = /* @__PURE__ */ new Map();
+  }
+  async tryRecord(source, userEmail) {
+    const key = `${userEmail}:${source}`;
+    if (this.seen.has(key))
+      return;
+    let p = this.inflight.get(key);
+    if (!p) {
+      p = this.send(source, userEmail);
+      this.inflight.set(key, p);
+      void p.finally(() => {
+        this.inflight.delete(key);
+      }).catch(() => {
+      });
+    }
+    try {
+      const ok = await p;
+      if (ok)
+        this.seen.add(key);
+    } catch {
+    }
+  }
+  // Test-only accessors keyed as `${userEmail}:${source}`.
+  has(key) {
+    return this.seen.has(key);
+  }
+  inflightCount() {
+    return this.inflight.size;
+  }
+};
+
+// src/pipeline/hook-pipeline.ts
+init_utils();
+var HookPipeline = class {
+  constructor(cerberusClient, onFirstInstall) {
+    this.cerberusClient = cerberusClient;
+    this.onFirstInstall = onFirstInstall;
+  }
+  async process(source, event, input) {
+    logger.debug("Pipeline processing", { source, event });
+    try {
+      this.onFirstInstall(source);
+    } catch (err) {
+      logger.error("onFirstInstall threw, continuing", {
+        source,
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+    try {
+      const cerberusResponse = await this.cerberusClient.evaluate({
+        source,
+        event,
+        payload: input
+      });
+      return {
+        response: cerberusResponse.ide_response,
+        allowed: cerberusResponse.allowed,
+        decision: cerberusResponse.decision,
+        reason: cerberusResponse.reason,
+        eventId: cerberusResponse.event_id
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Pipeline error \u2014 allowing (fail-open)", {
+        error: errorMessage,
+        source,
+        event
+      });
+      return {
+        response: getOfflineFailOpen(source),
+        allowed: true,
+        decision: "allow",
+        reason: `Pipeline error: ${errorMessage}`
+      };
+    }
+  }
+};
+
+// src/module.ts
+init_token_store();
+
+// src/handlers/hook-handler.ts
+init_utils();
+
+// src/data/recorder.ts
+var path6 = __toESM(require("path"));
+var os6 = __toESM(require("os"));
+var fs7 = __toESM(require("fs"));
+var import_crypto = require("crypto");
+init_utils();
+var EVENTS_FILE = path6.join(os6.homedir(), ".overwatch", "events.jsonl");
+function getHookCategory(event) {
+  if (event === "stop" || event === "SessionEnd")
+    return "stop";
+  if (event === "SessionStart")
+    return "before";
+  if (event.startsWith("after"))
+    return "after";
+  if (event === "PostToolUse" || event === "AfterTool")
+    return "after";
+  if (event === "UserPromptSubmit" || event === "PreToolUse" || event === "BeforeAgent" || event === "BeforeTool") {
+    return "before";
+  }
+  return "before";
+}
+function recordEvent(source, event, input, cerberusResponse, totalDuration) {
+  const record = {
+    id: cerberusResponse.event_id || (0, import_crypto.randomUUID)(),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    source,
+    event,
+    hook_category: getHookCategory(event),
+    input,
+    allowed: cerberusResponse.allowed,
+    decision: cerberusResponse.decision,
+    reason: cerberusResponse.reason,
+    response: cerberusResponse.ide_response,
+    total_duration_ms: totalDuration
+  };
+  try {
+    const dir = path6.dirname(EVENTS_FILE);
+    if (!fs7.existsSync(dir)) {
+      fs7.mkdirSync(dir, { recursive: true });
+    }
+    fs7.appendFile(EVENTS_FILE, JSON.stringify(record) + "\n", (err) => {
+      if (err) {
+        logger.error("Failed to write event:", { error: String(err) });
+        return;
+      }
+      logger.debug("Recorded:", {
+        id: record.id,
+        event,
+        allowed: record.allowed,
+        decision: record.decision
+      });
+    });
+  } catch (error) {
+    logger.error("Failed to write event:", { error: String(error) });
+  }
+  return record;
+}
+
+// src/handlers/hook-handler.ts
+var HOOK_SOURCE_ALLOWLIST = /* @__PURE__ */ new Set([
+  "cursor",
+  "claudecode",
+  "github_copilot",
+  "gemini_cli",
+  "codex",
+  "langgraph",
+  "pydantic_ai"
+]);
+var HookHandler = class {
+  constructor(pipeline) {
+    this.pipeline = pipeline;
+    this.eventCount = 0;
+  }
+  /**
+   * Set callback for project skills scanning
+   */
+  setProjectSkillsScanCallback(callback) {
+    this.onProjectSkillsScan = callback;
+  }
+  getEventCount() {
+    return this.eventCount;
+  }
+  async handle(req, res) {
+    const startTime = Date.now();
+    const url = new URL(req.url || "", `http://${req.headers.host}`);
+    const pathParts = url.pathname.split("/").filter(Boolean);
+    const sourceRaw = pathParts[1];
+    const eventRaw = pathParts[2];
+    if (!sourceRaw || !eventRaw) {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Missing source or event in path",
+          expected: "/hook/<source>/<event>"
+        })
+      );
+      return;
+    }
+    if (!HOOK_SOURCE_ALLOWLIST.has(sourceRaw)) {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: `Unsupported source: ${sourceRaw}`,
+          supported: Array.from(HOOK_SOURCE_ALLOWLIST)
+        })
+      );
+      return;
+    }
+    const source = sourceRaw;
+    const event = eventRaw;
+    logger.info(`${source}/${event} received`);
+    const body = await parseBody(req);
+    const result = await this.pipeline.process(source, event, body);
+    this.eventCount++;
+    const duration = Date.now() - startTime;
+    const cerberusResponse = {
+      allowed: result.allowed,
+      decision: result.decision,
+      reason: result.reason,
+      ide_response: result.response,
+      event_id: result.eventId
+    };
+    logger.info(
+      `${source}/${event} completed in ${duration}ms`,
+      result.response
+    );
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(result.response));
+    recordEvent(
+      source,
+      event,
+      body,
+      cerberusResponse,
+      duration
+    );
+    const workspace = this.extractWorkspace(body);
+    if (workspace && this.onProjectSkillsScan) {
+      try {
+        this.onProjectSkillsScan(workspace);
+      } catch (error) {
+        logger.error("Error in project skills scan callback", {
+          workspace,
+          error: String(error)
+        });
+      }
+    }
+  }
+  /**
+   * Extract workspace path from event body
+   */
+  extractWorkspace(body) {
+    if (body && typeof body === "object" && body !== null) {
+      const input = body;
+      if (input.workspace_roots && Array.isArray(input.workspace_roots)) {
+        const roots = input.workspace_roots;
+        if (roots.length > 0 && typeof roots[0] === "string" && roots[0].length > 0) {
+          return roots[0];
+        }
+      }
+    }
+    const workspaceFields = ["cwd", "workingDirectory", "workspace", "directory", "path"];
+    for (const field of workspaceFields) {
+      const value = body[field];
+      if (typeof value === "string" && value.length > 0) {
+        return value;
+      }
+    }
+    if (body.context && typeof body.context === "object" && body.context !== null) {
+      const context = body.context;
+      for (const field of workspaceFields) {
+        const value = context[field];
+        if (typeof value === "string" && value.length > 0) {
+          return value;
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/handlers/scan-handler.ts
+var fs8 = __toESM(require("fs"));
+var path7 = __toESM(require("path"));
+var os7 = __toESM(require("os"));
+var crypto2 = __toESM(require("crypto"));
+init_utils();
+var SCANS_FILE = path7.join(os7.homedir(), ".overwatch", "scans.jsonl");
+var ScanHandler = class {
+  constructor(scanner, ingestor) {
+    this.scanner = scanner;
+    this.ingestor = ingestor;
+  }
+  async handle(req, res) {
+    const body = await parseBody(req);
+    if (body.action === "run") {
+      logger.info("Running internal scan...");
+      if (!this.scanner.isAvailable()) {
+        res.writeHead(503, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({ status: "error", error: "Scanner not available" })
+        );
+        return;
+      }
+      try {
+        const rulesDir = body.rulesDir;
+        const results = await this.scanner.runScan(rulesDir);
+        this.recordScan(results);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ status: "ok", ...results }));
+      } catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        logger.error("Internal scan failed:", { error: errorMsg });
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ status: "error", error: errorMsg }));
+      }
+      return;
+    }
+    logger.info("Received external scan results");
+    this.recordScan(body);
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
+  }
+  // Public so module.ts can use it for initial scan
+  async runInitialScan() {
+    if (!this.scanner.isAvailable()) {
+      logger.warn("Scanner not available, skipping initial MCP scan");
+      return;
+    }
+    try {
+      logger.info("Running initial MCP scan...");
+      const results = await this.scanner.runScan();
+      this.recordScan(results);
+      logger.info("Initial MCP scan completed");
+    } catch (error) {
+      logger.error("Initial MCP scan failed:", { error: String(error) });
+    }
+  }
+  recordScan(input) {
+    const results = input.results || [];
+    const totalServers = input.total_servers || results.length;
+    let totalIssues = 0;
+    let maxSeverity;
+    const severityOrder = {
+      low: 1,
+      medium: 2,
+      high: 3,
+      critical: 4
+    };
+    for (const result of results) {
+      const yaraResults = result.yara_results || [];
+      for (const yr of yaraResults) {
+        if (yr.status === "warning") {
+          totalIssues++;
+          const metadata = yr.rule_metadata;
+          const sev = (metadata?.severity || "low").toLowerCase();
+          if (!maxSeverity || (severityOrder[sev] || 0) > (severityOrder[maxSeverity] || 0)) {
+            maxSeverity = sev;
+          }
+        }
+      }
+    }
+    const source = results[0]?.ide_source || "cursor";
+    const record = {
+      id: crypto2.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      source,
+      total_servers: totalServers,
+      total_issues: totalIssues,
+      max_severity: maxSeverity,
+      raw: input
+    };
+    try {
+      const dir = path7.dirname(SCANS_FILE);
+      if (!fs8.existsSync(dir))
+        fs8.mkdirSync(dir, { recursive: true });
+      fs8.appendFileSync(SCANS_FILE, JSON.stringify(record) + "\n");
+      logger.info("Recorded:", {
+        id: record.id,
+        servers: totalServers,
+        issues: totalIssues
+      });
+      const serverPayload = {
+        id: record.id,
+        timestamp: record.timestamp,
+        source: record.source,
+        total_servers: record.total_servers,
+        total_issues: record.total_issues,
+        max_severity: record.max_severity,
+        results: input.results,
+        scan_type: input.scan_type,
+        ...input.total_servers !== void 0 && {
+          total_servers_raw: input.total_servers
+        }
+      };
+      logger.debug("Ingesting scan with results at top level", {
+        id: record.id,
+        resultsCount: Array.isArray(input.results) ? input.results.length : 0
+      });
+      if (results.length === 0) {
+        logger.info("Skipping ingestion: no scan results to send");
+      } else {
+        this.ingestor?.ingest(serverPayload);
+      }
+    } catch (error) {
+      logger.error("Failed to write scan:", { error: String(error) });
+    }
+  }
+};
+
+// src/handlers/oauth-handler.ts
+init_utils();
+var OAuthHandler = class {
+  constructor(port, pendingOAuthStates, oauthStateTimeout) {
+    this.port = port;
+    this.pendingOAuthStates = pendingOAuthStates;
+    this.oauthStateTimeout = oauthStateTimeout;
+  }
+  async handleStart(req, res) {
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Method not allowed" }));
+      return;
+    }
+    const oauthState = createOAuthState(this.port);
+    const codeChallenge = generateCodeChallenge(oauthState.codeVerifier);
+    const authUrl = buildAuthorizationUrl(
+      oauthState.state,
+      codeChallenge,
+      oauthState.redirectUri
+    );
+    this.pendingOAuthStates.set(oauthState.state, oauthState);
+    setTimeout(() => {
+      const state = this.pendingOAuthStates.get(oauthState.state);
+      if (state && state.status === "pending") {
+        state.status = "expired";
+      }
+      setTimeout(() => {
+        this.pendingOAuthStates.delete(oauthState.state);
+      }, 3e4);
+    }, this.oauthStateTimeout);
+    logger.info("Started new auth flow", { state: oauthState.state });
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        state: oauthState.state,
+        auth_url: authUrl
+      })
+    );
+  }
+  async handleCallback(req, res) {
+    const url = new URL(req.url || "", `http://${req.headers.host}`);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDescription = url.searchParams.get("error_description");
+    if (error) {
+      logger.error("Auth error:", { error, errorDescription });
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(generateErrorHtml(errorDescription || error));
+      return;
+    }
+    if (!state || !code) {
+      logger.error("Missing state or code parameter");
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(generateErrorHtml("Missing required parameters"));
+      return;
+    }
+    const oauthState = this.pendingOAuthStates.get(state);
+    if (!oauthState) {
+      logger.error("Unknown or expired state:", { state });
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(generateErrorHtml("Invalid or expired login session"));
+      return;
+    }
+    if (oauthState.status !== "pending") {
+      logger.error("State not pending:", { state, status: oauthState.status });
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(generateErrorHtml("Login session already processed"));
+      return;
+    }
+    try {
+      const { tokens, userInfo: userInfo2 } = await exchangeCodeForTokens(
+        code,
+        oauthState.codeVerifier,
+        oauthState.redirectUri
+      );
+      saveTokens(tokens, userInfo2);
+      oauthState.status = "completed";
+      oauthState.tokens = tokens;
+      oauthState.userInfo = userInfo2;
+      logger.info("Login successful", { email: userInfo2?.email });
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(
+        generateSuccessHtml(
+          "You can close this window and return to the terminal.",
+          userInfo2?.email
+        )
+      );
+    } catch (err) {
+      const errorMsg = err instanceof Error ? err.message : String(err);
+      logger.error("Token exchange failed:", { error: errorMsg });
+      oauthState.status = "failed";
+      oauthState.error = errorMsg;
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(generateErrorHtml(errorMsg));
+    }
+  }
+  async handleStatus(req, res) {
+    const url = new URL(req.url || "", `http://${req.headers.host}`);
+    const state = url.searchParams.get("state");
+    if (!state) {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Missing state parameter" }));
+      return;
+    }
+    const oauthState = this.pendingOAuthStates.get(state);
+    if (!oauthState) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Unknown state", status: "unknown" }));
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        status: oauthState.status,
+        user: oauthState.userInfo,
+        error: oauthState.error
+      })
+    );
+    if (oauthState.status !== "pending") {
+      this.pendingOAuthStates.delete(state);
+    }
+  }
+};
+
+// src/skills/scanner.ts
+var fs9 = __toESM(require("fs/promises"));
+var path8 = __toESM(require("path"));
+var os8 = __toESM(require("os"));
+var crypto3 = __toESM(require("crypto"));
+init_utils();
+var CLAUDE_SKILLS_DIR = path8.join(os8.homedir(), ".claude", "skills");
+var CURSOR_SKILLS_DIR = path8.join(os8.homedir(), ".cursor", "skills");
+var SkillsScanner = class {
+  /**
+   * Scan personal skills from both directories:
+   * - ~/.claude/skills/
+   * - ~/.cursor/skills/
+   * Returns current state
+   */
+  async scan() {
+    const startTime = Date.now();
+    logger.info("Starting skills scan", {
+      directories: [CLAUDE_SKILLS_DIR, CURSOR_SKILLS_DIR]
+    });
+    const [claudeSkills, cursorSkills] = await Promise.all([
+      this.scanDirectory(CLAUDE_SKILLS_DIR),
+      this.scanDirectory(CURSOR_SKILLS_DIR)
+    ]);
+    const skills = [...claudeSkills, ...cursorSkills];
+    const scanDurationMs = Date.now() - startTime;
+    const result = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      totalSkills: skills.length,
+      skills,
+      scanDurationMs
+    };
+    logger.info("Skills scan completed", {
+      totalSkills: skills.length,
+      durationMs: scanDurationMs
+    });
+    return result;
+  }
+  /**
+   * Scan skills directory
+   */
+  async scanDirectory(dir) {
+    const skills = [];
+    if (!await this.exists(dir)) {
+      logger.debug("Skills directory does not exist", { dir });
+      return skills;
+    }
+    try {
+      const entries = await fs9.readdir(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory())
+          continue;
+        const skillDir = path8.join(dir, entry.name);
+        const content = await this.readSkillContent(skillDir);
+        if (content === null) {
+          continue;
+        }
+        const files = await this.listSkillFiles(skillDir);
+        const contentHash = this.hashContent(content);
+        skills.push({
+          name: entry.name,
+          path: skillDir,
+          content,
+          contentHash,
+          files
+        });
+      }
+    } catch (error) {
+      logger.error("Failed to scan skills directory", {
+        dir,
+        error: String(error)
+      });
+    }
+    return skills;
+  }
+  /**
+   * Check if a path exists
+   */
+  async exists(filePath) {
+    try {
+      await fs9.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Read full SKILL.md content
+   */
+  async readSkillContent(skillDir) {
+    const skillFile = path8.join(skillDir, "SKILL.md");
+    if (!await this.exists(skillFile)) {
+      return null;
+    }
+    try {
+      return await fs9.readFile(skillFile, "utf-8");
+    } catch (error) {
+      logger.error("Failed to read skill file", {
+        skillFile,
+        error: String(error)
+      });
+      return null;
+    }
+  }
+  /**
+   * List files in skill directory (recursive)
+   */
+  async listSkillFiles(skillDir) {
+    const files = [];
+    try {
+      const listFiles = async (dir, prefix = "") => {
+        const entries = await fs9.readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+          const relativePath = prefix ? `${prefix}/${entry.name}` : entry.name;
+          if (entry.isDirectory()) {
+            await listFiles(path8.join(dir, entry.name), relativePath);
+          } else {
+            files.push(relativePath);
+          }
+        }
+      };
+      await listFiles(skillDir);
+    } catch (error) {
+      logger.error("Failed to list skill files", {
+        skillDir,
+        error: String(error)
+      });
+    }
+    return files;
+  }
+  /**
+   * Hash content for backend deduplication
+   */
+  hashContent(content) {
+    const hash = crypto3.createHash("sha256");
+    hash.update(content);
+    return `sha256:${hash.digest("hex")}`;
+  }
+  /**
+   * Scan project-level skills from:
+   * - {workspace}/.claude/skills/
+   * - {workspace}/.cursor/skills/
+   */
+  async scanProjectSkills(workspace) {
+    const startTime = Date.now();
+    const claudeSkillsDir = path8.join(workspace, ".claude", "skills");
+    const cursorSkillsDir = path8.join(workspace, ".cursor", "skills");
+    logger.info("Starting project skills scan", {
+      workspace,
+      directories: [claudeSkillsDir, cursorSkillsDir]
+    });
+    const [claudeSkills, cursorSkills] = await Promise.all([
+      this.scanDirectory(claudeSkillsDir),
+      this.scanDirectory(cursorSkillsDir)
+    ]);
+    const skills = [...claudeSkills, ...cursorSkills];
+    const scanDurationMs = Date.now() - startTime;
+    const result = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      totalSkills: skills.length,
+      skills,
+      scanDurationMs,
+      workspace
+    };
+    logger.info("Project skills scan completed", {
+      workspace,
+      totalSkills: skills.length,
+      durationMs: scanDurationMs
+    });
+    return result;
+  }
+};
+
+// src/coverage/detector.ts
+var fs12 = __toESM(require("fs"));
+var path12 = __toESM(require("path"));
+
+// src/installer.ts
+var fs11 = __toESM(require("fs"));
+var path10 = __toESM(require("path"));
+var os10 = __toESM(require("os"));
+init_version();
+
+// src/utils/port-manager.ts
+var net = __toESM(require("net"));
+var fs10 = __toESM(require("fs"));
+var os9 = __toESM(require("os"));
+var path9 = __toESM(require("path"));
+var GUARDIAN_PORT = 17580;
+var PID_FILE_PATH = path9.join(
+  os9.homedir(),
+  ".overwatch",
+  "guardian.pid"
+);
+var PortManager = class _PortManager {
+  static async isPortAvailable(port) {
+    return new Promise((resolve) => {
+      const server = net.createServer();
+      server.once("error", () => resolve(false));
+      server.once("listening", () => {
+        server.close(() => resolve(true));
+      });
+      server.listen(port, "127.0.0.1");
+    });
+  }
+  static writePidFile(pid = process.pid) {
+    const dir = path9.dirname(PID_FILE_PATH);
+    if (!fs10.existsSync(dir)) {
+      fs10.mkdirSync(dir, { recursive: true });
+    }
+    fs10.writeFileSync(PID_FILE_PATH, String(pid));
+  }
+  static readPidFile() {
+    try {
+      const raw = fs10.readFileSync(PID_FILE_PATH, "utf-8").trim();
+      const pid = parseInt(raw, 10);
+      if (!Number.isFinite(pid) || pid <= 0) {
+        return null;
+      }
+      return pid;
+    } catch {
+      return null;
+    }
+  }
+  static removePidFile() {
+    try {
+      fs10.unlinkSync(PID_FILE_PATH);
+    } catch {
+    }
+  }
+  static isProcessAlive(pid) {
+    try {
+      process.kill(pid, 0);
+      return true;
+    } catch (err) {
+      return err?.code === "EPERM";
+    }
+  }
+  /**
+   * If GUARDIAN_PORT is held by a process whose PID matches our pidfile, send
+   * SIGTERM (then SIGKILL) and wait for the port to free. Returns:
+   *   - "free":    port was already available; nothing to do
+   *   - "killed":  port was held by our pidfile owner; we killed it and the port is now free
+   *   - "foreign": port is held by something we don't own (or pidfile is stale and the holder is unknown)
+   */
+  static async reconcileStaleDaemon() {
+    if (await _PortManager.isPortAvailable(GUARDIAN_PORT)) {
+      const stalePid = _PortManager.readPidFile();
+      if (stalePid !== null && !_PortManager.isProcessAlive(stalePid)) {
+        _PortManager.removePidFile();
+      }
+      return { kind: "free" };
+    }
+    const pid = _PortManager.readPidFile();
+    if (pid === null || !_PortManager.isProcessAlive(pid)) {
+      return { kind: "foreign" };
+    }
+    try {
+      process.kill(pid, "SIGTERM");
+    } catch {
+    }
+    const sigtermDeadline = Date.now() + 5e3;
+    while (Date.now() < sigtermDeadline) {
+      await new Promise((resolve) => setTimeout(resolve, 100));
+      if (await _PortManager.isPortAvailable(GUARDIAN_PORT)) {
+        _PortManager.removePidFile();
+        return { kind: "killed", pid };
+      }
+    }
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+    }
+    const sigkillDeadline = Date.now() + 2e3;
+    while (Date.now() < sigkillDeadline) {
+      await new Promise((resolve) => setTimeout(resolve, 100));
+      if (await _PortManager.isPortAvailable(GUARDIAN_PORT)) {
+        _PortManager.removePidFile();
+        return { kind: "killed", pid };
+      }
+    }
+    return { kind: "foreign" };
+  }
+};
+
+// src/installer.ts
+var IDE_REGISTRY = {
+  cursor: {
+    hooksLocation: path10.join(os10.homedir(), ".cursor", "hooks.json"),
+    events: [
+      "beforeSubmitPrompt",
+      "beforeShellExecution",
+      "beforeMCPExecution",
+      "beforeReadFile",
+      "afterShellExecution",
+      "afterMCPExecution",
+      "afterFileEdit",
+      "afterAgentResponse",
+      "afterAgentThought",
+      "stop"
+    ],
+    installMethod: "native"
+  },
+  claudecode: {
+    hooksLocation: path10.join(os10.homedir(), ".claude", "settings.json"),
+    events: ["UserPromptSubmit", "PreToolUse", "PostToolUse"],
+    installMethod: "native"
+    // Writes hooks to ~/.claude/settings.json
+  },
+  github_copilot: {
+    hooksLocation: path10.join(os10.homedir(), ".overwatch", "github_copilot", "hooks.json"),
+    events: ["sessionStart", "sessionEnd", "userPromptSubmitted", "preToolUse", "postToolUse", "errorOccurred"],
+    installMethod: "native"
+  },
+  gemini_cli: {
+    hooksLocation: path10.join(os10.homedir(), ".gemini", "settings.json"),
+    events: [
+      "SessionStart",
+      "SessionEnd",
+      "BeforeAgent",
+      "AfterAgent",
+      "BeforeModel",
+      "AfterModel",
+      "BeforeToolSelection",
+      "BeforeTool",
+      "AfterTool",
+      "PreCompress",
+      "Notification"
+    ],
+    installMethod: "native"
+  },
+  codex: {
+    hooksLocation: path10.join(os10.homedir(), ".codex", "hooks.json"),
+    events: [
+      "SessionStart",
+      "PreToolUse",
+      "PermissionRequest",
+      "PostToolUse",
+      "UserPromptSubmit",
+      "Stop"
+    ],
+    installMethod: "native"
+  }
+};
+var SUPPORTED_IDES = [
+  "cursor",
+  "claudecode",
+  "github_copilot",
+  "gemini_cli",
+  "codex"
+];
+var OVERWATCH_META_KEY = "_overwatch";
+async function listInstalledHooks() {
+  const results = [];
+  for (const ide of SUPPORTED_IDES) {
+    const ideConfig = IDE_REGISTRY[ide];
+    const hooksLocation = ideConfig.hooksLocation;
+    if (fs11.existsSync(hooksLocation)) {
+      try {
+        const content = fs11.readFileSync(hooksLocation, "utf-8");
+        const hasOverwatchHooks = content.includes(`"${OVERWATCH_META_KEY}"`) || content.includes("universal-hook.sh") || content.includes("universal-hook.ps1");
+        results.push({
+          ide,
+          hooksLocation,
+          hooksInstalled: hasOverwatchHooks
+        });
+      } catch {
+        results.push({
+          ide,
+          hooksLocation,
+          hooksInstalled: false
+        });
+      }
+    }
+  }
+  return results;
+}
+
+// src/coverage/detector.ts
+init_utils();
+
+// src/coverage/definitions.ts
+var path11 = __toESM(require("path"));
+var os11 = __toESM(require("os"));
+var HOME = os11.homedir();
+var VSCODE_EXTENSIONS = {
+  darwin: path11.join(HOME, ".vscode", "extensions"),
+  linux: path11.join(HOME, ".vscode", "extensions"),
+  win32: path11.join(HOME, ".vscode", "extensions")
+};
+var JETBRAINS_CONFIG = {
+  darwin: path11.join(HOME, "Library", "Application Support", "JetBrains"),
+  linux: path11.join(HOME, ".config", "JetBrains"),
+  win32: path11.join(HOME, "AppData", "Roaming", "JetBrains")
+};
+var AGENT_DEFINITIONS = [
+  // ============================================
+  // AI-Native IDEs
+  // ============================================
+  {
+    id: "cursor",
+    name: "Cursor",
+    category: "ide",
+    paths: {
+      darwin: [
+        path11.join(HOME, ".cursor"),
+        "/Applications/Cursor.app"
+      ],
+      linux: [
+        path11.join(HOME, ".cursor"),
+        "/usr/share/applications/cursor.desktop"
+      ],
+      win32: [
+        path11.join(HOME, ".cursor"),
+        path11.join(process.env.LOCALAPPDATA || "", "Programs", "cursor")
+      ]
+    }
+  },
+  {
+    id: "zed",
+    name: "Zed",
+    category: "ide",
+    paths: {
+      darwin: [
+        path11.join(HOME, ".zed"),
+        "/Applications/Zed.app"
+      ],
+      linux: [path11.join(HOME, ".config", "zed")]
+      // Zed not available on Windows
+    }
+  },
+  {
+    id: "void",
+    name: "Void",
+    category: "ide",
+    paths: {
+      darwin: [
+        path11.join(HOME, ".void"),
+        "/Applications/Void.app"
+      ],
+      linux: [path11.join(HOME, ".void")],
+      win32: [path11.join(HOME, ".void")]
+    }
+  },
+  {
+    id: "pearai",
+    name: "PearAI",
+    category: "ide",
+    paths: {
+      darwin: [
+        path11.join(HOME, ".pearai"),
+        "/Applications/PearAI.app"
+      ],
+      linux: [path11.join(HOME, ".pearai")],
+      win32: [path11.join(HOME, ".pearai")]
+    }
+  },
+  // ============================================
+  // CLI Coding Tools
+  // ============================================
+  {
+    id: "claudecode",
+    name: "Claude Code",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".claude")],
+      linux: [path11.join(HOME, ".claude")],
+      win32: [path11.join(HOME, ".claude")]
+    }
+  },
+  {
+    id: "aider",
+    name: "Aider",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".aider")],
+      linux: [path11.join(HOME, ".aider")],
+      win32: [path11.join(HOME, ".aider")]
+    }
+  },
+  {
+    id: "mentat",
+    name: "Mentat",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".mentat")],
+      linux: [path11.join(HOME, ".mentat")],
+      win32: [path11.join(HOME, ".mentat")]
+    }
+  },
+  {
+    id: "gpt_pilot",
+    name: "GPT-Pilot",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".gpt-pilot")],
+      linux: [path11.join(HOME, ".gpt-pilot")],
+      win32: [path11.join(HOME, ".gpt-pilot")]
+    }
+  },
+  {
+    id: "codex",
+    name: "OpenAI Codex",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".codex")],
+      linux: [path11.join(HOME, ".codex")],
+      win32: [path11.join(HOME, ".codex")]
+    }
+  },
+  {
+    id: "gemini_cli",
+    name: "Gemini CLI",
+    category: "cli",
+    paths: {
+      darwin: [path11.join(HOME, ".gemini")],
+      linux: [path11.join(HOME, ".gemini")],
+      win32: [path11.join(HOME, ".gemini")]
+    }
+  },
+  // ============================================
+  // Traditional IDEs with AI
+  // ============================================
+  {
+    id: "vscode",
+    name: "VS Code",
+    category: "ide",
+    paths: {
+      darwin: [path11.join(HOME, ".vscode")],
+      linux: [path11.join(HOME, ".vscode")],
+      win32: [path11.join(HOME, ".vscode")]
+    }
+  },
+  {
+    id: "jetbrains",
+    name: "JetBrains IDEs",
+    category: "ide",
+    paths: {
+      darwin: [path11.join(HOME, "Library", "Application Support", "JetBrains")],
+      linux: [path11.join(HOME, ".config", "JetBrains")],
+      win32: [path11.join(HOME, "AppData", "Roaming", "JetBrains")]
+    }
+  },
+  // ============================================
+  // VS Code Plugins
+  // ============================================
+  {
+    id: "github_copilot",
+    name: "GitHub Copilot",
+    category: "plugin",
+    hostIde: "vscode",
+    paths: {},
+    vscodeExtension: "github.copilot"
+  },
+  {
+    id: "continue",
+    name: "Continue",
+    category: "plugin",
+    hostIde: "vscode",
+    paths: {
+      darwin: [path11.join(HOME, ".continue")],
+      linux: [path11.join(HOME, ".continue")],
+      win32: [path11.join(HOME, ".continue")]
+    },
+    vscodeExtension: "continue.continue"
+  },
+  {
+    id: "tabnine",
+    name: "Tabnine",
+    category: "plugin",
+    hostIde: "vscode",
+    paths: {
+      darwin: [path11.join(HOME, ".tabnine")],
+      linux: [path11.join(HOME, ".tabnine")],
+      win32: [path11.join(HOME, ".tabnine")]
+    },
+    vscodeExtension: "tabnine.tabnine"
+  },
+  {
+    id: "codeium",
+    name: "Codeium",
+    category: "plugin",
+    hostIde: "vscode",
+    paths: {},
+    vscodeExtension: "codeium.codeium"
+  },
+  // ============================================
+  // JetBrains Plugins
+  // ============================================
+  {
+    id: "jetbrains_ai",
+    name: "JetBrains AI Assistant",
+    category: "plugin",
+    hostIde: "jetbrains",
+    paths: {},
+    jetbrainsPlugin: "com.intellij.ai"
+  }
+];
+var MONITORABLE_AGENTS = /* @__PURE__ */ new Set([
+  "cursor",
+  "claudecode",
+  "github_copilot",
+  "gemini_cli",
+  "codex"
+]);
+
+// src/coverage/detector.ts
+var PLATFORM = process.platform;
+var AgentDetector = class {
+  constructor() {
+    this.cachedMetrics = null;
+    this.cacheTimestamp = 0;
+    this.CACHE_TTL_MS = 10 * 60 * 1e3;
+  }
+  // 10 minute cache
+  /**
+   * Detect all agents and return coverage metrics
+   */
+  async detectAll() {
+    if (this.cachedMetrics && Date.now() - this.cacheTimestamp < this.CACHE_TTL_MS) {
+      return this.cachedMetrics;
+    }
+    const detected = await this.detectInstalledAgents();
+    const monitoredAgents = await this.getMonitoredAgents();
+    const monitoredIds = new Set(monitoredAgents.map((a) => a.id));
+    const agents = detected.map((a) => ({
+      ...a,
+      monitored: monitoredIds.has(a.id)
+    }));
+    const installedAgents = agents.filter((a) => a.installed);
+    const installedCount = installedAgents.length;
+    const monitoredCount = installedAgents.filter((a) => a.monitored).length;
+    const metrics = {
+      installedCount,
+      monitoredCount,
+      percentage: installedCount > 0 ? Math.round(monitoredCount / installedCount * 100) : 0,
+      agents,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      platform: PLATFORM
+    };
+    this.cachedMetrics = metrics;
+    this.cacheTimestamp = Date.now();
+    logger.debug("Agent detection completed", {
+      installed: installedCount,
+      monitored: monitoredCount,
+      percentage: metrics.percentage
+    });
+    return metrics;
+  }
+  /**
+   * Detect all installed agents on the system
+   */
+  async detectInstalledAgents() {
+    const agents = [];
+    for (const def of AGENT_DEFINITIONS) {
+      const detected = this.detectAgent(def);
+      agents.push(detected);
+    }
+    return agents;
+  }
+  /**
+   * Get agents that are currently monitored by Overwatch
+   */
+  async getMonitoredAgents() {
+    const installedHooks = await listInstalledHooks();
+    const monitoredAgents = [];
+    for (const hook of installedHooks) {
+      if (hook.hooksInstalled) {
+        const def = AGENT_DEFINITIONS.find((d) => d.id === hook.ide);
+        if (def) {
+          monitoredAgents.push({
+            id: def.id,
+            name: def.name,
+            category: def.category,
+            installed: true,
+            monitored: true,
+            configPath: hook.hooksLocation,
+            hostIde: def.hostIde
+          });
+        }
+      }
+    }
+    return monitoredAgents;
+  }
+  /**
+   * Check if a specific agent can be monitored by Overwatch
+   */
+  isMonitorable(agentId) {
+    return MONITORABLE_AGENTS.has(agentId);
+  }
+  /**
+   * Clear cached detection results
+   */
+  clearCache() {
+    this.cachedMetrics = null;
+    this.cacheTimestamp = 0;
+  }
+  /**
+   * Generate a coverage report ready for the Admin API
+   * Handles the transformation from internal CoverageMetrics to API CoverageReport
+   * @param machineId - Machine identifier (generated once at module init)
+   */
+  async generateCoverageReport(machineId) {
+    const metrics = await this.detectAll();
+    const installedAgents = metrics.agents.filter((a) => a.installed);
+    return {
+      machine_id: machineId,
+      platform: metrics.platform,
+      agents: installedAgents.map((agent) => ({
+        id: agent.id,
+        name: agent.name,
+        category: agent.category,
+        installed: agent.installed,
+        monitored: agent.monitored,
+        config_path: agent.configPath,
+        host_ide: agent.hostIde
+      })),
+      installed_count: metrics.installedCount,
+      monitored_count: metrics.monitoredCount,
+      coverage_percentage: metrics.percentage,
+      timestamp: metrics.timestamp
+    };
+  }
+  /**
+   * Detect a single agent based on its definition
+   */
+  detectAgent(def) {
+    let installed = false;
+    let configPath;
+    const platformPaths = def.paths[PLATFORM] || [];
+    for (const p of platformPaths) {
+      if (this.checkPathExists(p)) {
+        installed = true;
+        configPath = p;
+        break;
+      }
+    }
+    if (!installed && def.vscodeExtension) {
+      const extensionPath = this.findVSCodeExtension(def.vscodeExtension);
+      if (extensionPath) {
+        installed = true;
+        configPath = extensionPath;
+      }
+    }
+    if (!installed && def.jetbrainsPlugin) {
+      const pluginPath = this.findJetBrainsPlugin(def.jetbrainsPlugin);
+      if (pluginPath) {
+        installed = true;
+        configPath = pluginPath;
+      }
+    }
+    return {
+      id: def.id,
+      name: def.name,
+      category: def.category,
+      installed,
+      monitored: false,
+      // Will be updated by detectAll()
+      configPath,
+      hostIde: def.hostIde
+    };
+  }
+  /**
+   * Check if a path exists (file or directory)
+   */
+  checkPathExists(p) {
+    try {
+      return fs12.existsSync(p);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Find a VS Code extension by ID pattern
+   */
+  findVSCodeExtension(extensionId) {
+    const extensionsDir = VSCODE_EXTENSIONS[PLATFORM];
+    if (!extensionsDir || !this.checkPathExists(extensionsDir)) {
+      return void 0;
+    }
+    try {
+      const entries = fs12.readdirSync(extensionsDir);
+      const target = extensionId.toLowerCase();
+      for (const entry of entries) {
+        const lower = entry.toLowerCase();
+        const versionTail = lower.startsWith(target + "-") ? lower.slice(target.length + 1) : null;
+        if (lower === target || versionTail !== null && /^\d/.test(versionTail)) {
+          return path12.join(extensionsDir, entry);
+        }
+      }
+    } catch {
+    }
+    return void 0;
+  }
+  /**
+   * Find a JetBrains plugin by ID
+   */
+  findJetBrainsPlugin(pluginId) {
+    const jetbrainsDir = JETBRAINS_CONFIG[PLATFORM];
+    if (!jetbrainsDir || !this.checkPathExists(jetbrainsDir)) {
+      return void 0;
+    }
+    try {
+      const entries = fs12.readdirSync(jetbrainsDir);
+      for (const entry of entries) {
+        const pluginsDir = path12.join(jetbrainsDir, entry, "plugins");
+        if (this.checkPathExists(pluginsDir)) {
+          const plugins = fs12.readdirSync(pluginsDir);
+          for (const plugin of plugins) {
+            if (plugin.toLowerCase().includes(pluginId.toLowerCase())) {
+              return path12.join(pluginsDir, plugin);
+            }
+          }
+        }
+      }
+    } catch {
+    }
+    return void 0;
+  }
+};
+var agentDetector = new AgentDetector();
+
+// src/coverage/machine-id.ts
+var fs13 = __toESM(require("fs"));
+var os12 = __toESM(require("os"));
+var crypto4 = __toESM(require("crypto"));
+function generateMachineId() {
+  const platformId = getPlatformMachineId();
+  if (platformId) {
+    return crypto4.createHash("sha256").update(platformId).digest("hex").substring(0, 32);
+  }
+  const components = [
+    os12.hostname(),
+    os12.platform(),
+    os12.arch(),
+    os12.userInfo().username || "unknown",
+    os12.homedir()
+  ];
+  const combined = components.join("|");
+  return crypto4.createHash("sha256").update(combined).digest("hex").substring(0, 32);
+}
+function getPlatformMachineId() {
+  try {
+    switch (os12.platform()) {
+      case "darwin":
+        return getMacOSMachineId();
+      case "linux":
+        return getLinuxMachineId();
+      case "win32":
+        return getWindowsMachineId();
+      default:
+        return null;
+    }
+  } catch {
+    return null;
+  }
+}
+function getMacOSMachineId() {
+  try {
+    const { execSync } = require("child_process");
+    const output = execSync(
+      "ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID",
+      { encoding: "utf-8", timeout: 5e3 }
+    );
+    const match = output.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+function getLinuxMachineId() {
+  try {
+    const machineIdPath = "/etc/machine-id";
+    if (fs13.existsSync(machineIdPath)) {
+      return fs13.readFileSync(machineIdPath, "utf-8").trim();
+    }
+    const dbusPath = "/var/lib/dbus/machine-id";
+    if (fs13.existsSync(dbusPath)) {
+      return fs13.readFileSync(dbusPath, "utf-8").trim();
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getWindowsMachineId() {
+  try {
+    const { execSync } = require("child_process");
+    const output = execSync(
+      'reg query "HKLM\\SOFTWARE\\Microsoft\\Cryptography" /v MachineGuid',
+      { encoding: "utf-8", timeout: 5e3 }
+    );
+    const match = output.match(/MachineGuid\s+REG_SZ\s+([^\s\r\n]+)/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/module.ts
+var GuardianModule = class _GuardianModule {
+  constructor(config = {}) {
+    this.projectSkillsCache = /* @__PURE__ */ new Map();
+    this.machineId = "";
+    this.coverageInterval = null;
+    // 10 minutes
+    // Ingestors (scan results + skill scan results to admin API)
+    this.scanIngestor = null;
+    this.skillsIngestor = null;
+    // Admin client (for installation tracking + coverage reporting)
+    this.adminClient = null;
+    // Tracks (user, IDE) installation records that have already been
+    // sent to the admin API, with success-only caching and in-flight
+    // dedup. See InstallationRecorder for the rationale.
+    this.installationRecorder = new InstallationRecorder(
+      (source, email) => this.recordInstallation(source, email)
+    );
+    this.pendingOAuthStates = /* @__PURE__ */ new Map();
+    this.oauthStateTimeout = 5 * 60 * 1e3;
+    this.initialized = false;
+    this.debug = config.debug || false;
+    this.configReader = new ConfigReader();
+    this.scanner = new MCPScanner();
+    this.skillsScanner = new SkillsScanner();
+    this.agentDetector = new AgentDetector();
+    if (this.debug)
+      logger.setLevel(0 /* DEBUG */);
+    this.httpServer = new GuardianHttpServer(config.httpPort || 0);
+  }
+  static {
+    this.PROJECT_SKILLS_CACHE_TTL = 5 * 60 * 1e3;
+  }
+  static {
+    // Cadence at which the daemon reports coverage metrics to the admin
+    // API. 10 minutes = 144 calls/day/machine; if backend cost becomes a
+    // concern, raise this to 1h or 24h. Keep the comments at module.ts
+    // line 140 and javelin/admin-client.ts (reportCoverageMetrics) in
+    // sync with this value.
+    this.COVERAGE_INTERVAL_MS = 10 * 60 * 1e3;
+  }
+  async init() {
+    if (this.initialized)
+      return;
+    logger.info("Initializing...");
+    this.machineId = generateMachineId();
+    logger.debug("Generated machine ID", { machineId: this.machineId });
+    await this.initAdminClient();
+    const highflameConfig = this.configReader.getHighflameConfig();
+    if (highflameConfig.enabled) {
+      const ingestorTokenGetter = () => this.configReader.getJwtToken();
+      this.scanIngestor = new AdminIngestor(
+        highflameConfig.baseUrl,
+        ingestorTokenGetter,
+        "mcp-scans"
+      );
+      this.scanIngestor.start();
+      this.skillsIngestor = new AdminIngestor(
+        highflameConfig.baseUrl,
+        ingestorTokenGetter,
+        "skills"
+      );
+      this.skillsIngestor.start();
+    }
+    const tokenGetter = () => this.configReader.getJwtToken();
+    this.cerberusClient = new CerberusClient(
+      getCerberusUrl(),
+      tokenGetter,
+      this.machineId
+    );
+    this.hookPipeline = new HookPipeline(
+      this.cerberusClient,
+      (source) => this.checkInstallation(source)
+    );
+    this.hookHandler = new HookHandler(this.hookPipeline);
+    this.hookHandler.setProjectSkillsScanCallback((workspace) => {
+      this.scanProjectSkillsIfNeeded(workspace).catch(() => {
+      });
+    });
+    this.scanHandler = new ScanHandler(this.scanner, this.scanIngestor);
+    this.oauthHandler = new OAuthHandler(
+      this.httpServer.getPort(),
+      this.pendingOAuthStates,
+      this.oauthStateTimeout
+    );
+    this.initialized = true;
+    logger.info("Initialized");
+    this.startCoverageReporting();
+  }
+  /**
+   * Start coverage reporting - runs on startup and every 10 minutes
+   */
+  startCoverageReporting() {
+    this.reportCoverage().catch((error) => {
+      logger.error("Failed to report initial coverage", { error: String(error) });
+    });
+    this.coverageInterval = setInterval(
+      () => this.reportCoverage().catch((error) => {
+        logger.error("Failed to report periodic coverage", { error: String(error) });
+      }),
+      _GuardianModule.COVERAGE_INTERVAL_MS
+    );
+  }
+  /**
+   * Report coverage metrics to admin API
+   */
+  async reportCoverage() {
+    if (!this.adminClient) {
+      logger.debug("Coverage reporting skipped - no admin client");
+      return;
+    }
+    const report = await this.agentDetector.generateCoverageReport(this.machineId);
+    const success = await this.adminClient.reportCoverageMetrics(report);
+    if (success) {
+      logger.info("Coverage report sent successfully", {
+        installed: report.installed_count,
+        monitored: report.monitored_count,
+        percentage: report.coverage_percentage
+      });
+    }
+  }
+  /**
+   * Initialize admin client for installation tracking and coverage reporting.
+   * Extracted from the removed initPolicyManager().
+   */
+  async initAdminClient() {
+    const adminConfig = this.configReader.getAdminConfig();
+    const tokenGetter = () => this.configReader.getAdminToken();
+    if (adminConfig.enabled && adminConfig.baseUrl) {
+      this.adminClient = new AdminClient(adminConfig.baseUrl, tokenGetter);
+      logger.info("Admin client initialized", { baseUrl: adminConfig.baseUrl });
+    }
+  }
+  checkInstallation(source) {
+    const authStatus = getAuthStatus();
+    if (!authStatus.authenticated || !authStatus.email) {
+      return;
+    }
+    this.installationRecorder.tryRecord(source, authStatus.email).catch(() => {
+    });
+  }
+  async recordInstallation(source, userEmail) {
+    if (!this.adminClient)
+      return false;
+    try {
+      return await this.adminClient.recordInstallation({
+        user_id: userEmail,
+        user_email: userEmail,
+        ide_type: source,
+        version: VERSION,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch (error) {
+      logger.error("Failed to record installation", { error: String(error) });
+      return false;
+    }
+  }
+  async startServer() {
+    if (!this.initialized)
+      await this.init();
+    this.httpServer.on(
+      "/hook",
+      (req, res) => this.hookHandler?.handle(req, res)
+    );
+    this.httpServer.on("/health", async (_req, res) => {
+      const authStatus = getAuthStatus();
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          status: "ok",
+          version: VERSION,
+          initialized: this.initialized,
+          eventCount: this.hookHandler?.getEventCount() || 0,
+          auth: {
+            authenticated: authStatus.authenticated,
+            expired: authStatus.expired || false,
+            expiringSoon: authStatus.expiringSoon || false,
+            email: authStatus.email
+          }
+        })
+      );
+    });
+    this.httpServer.on("/coverage", async (_req, res) => {
+      try {
+        const metrics = await this.agentDetector.detectAll();
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(metrics));
+      } catch (error) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Failed to detect agents" }));
+      }
+    });
+    this.httpServer.on(
+      "/scan",
+      (req, res) => this.scanHandler?.handle(req, res)
+    );
+    this.httpServer.on(
+      "/oauth/start",
+      (req, res) => this.oauthHandler?.handleStart(req, res)
+    );
+    this.httpServer.on(
+      "/oauth/callback",
+      (req, res) => this.oauthHandler?.handleCallback(req, res)
+    );
+    this.httpServer.on(
+      "/oauth/status",
+      (req, res) => this.oauthHandler?.handleStatus(req, res)
+    );
+    this.httpServer.on(
+      "/shutdown",
+      (req, res) => this.handleShutdown(req, res)
+    );
+    await this.httpServer.start();
+    logger.info(`Server started on port ${this.httpServer.getPort()}`);
+    if (this.scanHandler)
+      this.scanHandler.runInitialScan();
+    this.runStartupSkillsScan();
+  }
+  async runStartupSkillsScan() {
+    if (!this.skillsIngestor) {
+      logger.debug("Skipping startup skills scan: no ingestor configured");
+      return;
+    }
+    try {
+      logger.info("Running startup skills scan...");
+      const result = await this.skillsScanner.scan();
+      if (this.skillsIngestor) {
+        this.skillsIngestor.ingest(result);
+      }
+      logger.info("Startup skills scan completed", {
+        totalSkills: result.totalSkills
+      });
+    } catch (error) {
+      logger.error("Startup skills scan failed", { error: String(error) });
+    }
+  }
+  handleShutdown(req, res) {
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Method not allowed" }));
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "shutting_down" }), () => {
+      logger.info("Shutdown requested via API, sending SIGTERM...");
+      process.kill(process.pid, "SIGTERM");
+    });
+  }
+  async stopServer() {
+    if (this.coverageInterval) {
+      clearInterval(this.coverageInterval);
+      this.coverageInterval = null;
+    }
+    this.scanIngestor?.stop();
+    this.skillsIngestor?.stop();
+    await this.httpServer.stop();
+  }
+  getPort() {
+    return this.httpServer.getPort();
+  }
+  /**
+   * Scan project-level skills if not recently cached
+   * Called from hook handler when workspace is present in event
+   */
+  async scanProjectSkillsIfNeeded(workspace) {
+    const cached = this.projectSkillsCache.get(workspace);
+    const now = Date.now();
+    if (cached && now - cached.timestamp < _GuardianModule.PROJECT_SKILLS_CACHE_TTL) {
+      logger.debug("Project skills cache hit", { workspace });
+      return;
+    }
+    try {
+      const result = await this.skillsScanner.scanProjectSkills(workspace);
+      this.projectSkillsCache.set(workspace, { timestamp: now });
+      if (result.totalSkills > 0 && this.skillsIngestor) {
+        this.skillsIngestor.ingest(result);
+      }
+    } catch (error) {
+      logger.error("Failed to scan project skills", {
+        workspace,
+        error: String(error)
+      });
+    }
+  }
+};
+
+// src/daemon.ts
+function parseArgs() {
+  const args = process.argv.slice(2);
+  let debug = false;
+  for (const arg of args) {
+    if (arg === "--debug") {
+      debug = true;
+    }
+  }
+  return { debug };
+}
+async function main() {
+  const { debug } = parseArgs();
+  const portFile = path13.join(os13.homedir(), ".overwatch", "guardian_port");
+  console.log("[Guardian] Starting daemon...");
+  console.log(`[Guardian] Port: ${GUARDIAN_PORT}`);
+  console.log(`[Guardian] Debug: ${debug}`);
+  const portDir = path13.dirname(portFile);
+  if (!fs14.existsSync(portDir)) {
+    fs14.mkdirSync(portDir, { recursive: true });
+  }
+  const port = GUARDIAN_PORT;
+  const guardian = new GuardianModule({
+    httpPort: port,
+    debug
+  });
+  try {
+    await guardian.startServer();
+  } catch (err) {
+    const code = err?.code;
+    if (code === "EADDRINUSE") {
+      console.error(
+        `[Guardian] Port ${port} is already in use. Another instance is likely running; exiting cleanly.`
+      );
+      process.exit(0);
+    }
+    throw err;
+  }
+  fs14.writeFileSync(portFile, String(port));
+  PortManager.writePidFile();
+  console.log(`[Guardian] Server started on port ${port}`);
+  console.log(`[Guardian] Port written to ${portFile}`);
+  const shutdown = async (signal) => {
+    console.log(`[Guardian] Received ${signal}, shutting down...`);
+    try {
+      await guardian.stopServer();
+      if (fs14.existsSync(portFile)) {
+        fs14.unlinkSync(portFile);
+      }
+      PortManager.removePidFile();
+      console.log("[Guardian] Shutdown complete");
+      process.exit(0);
+    } catch (error) {
+      console.error("[Guardian] Error during shutdown:", error);
+      process.exit(1);
+    }
+  };
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("uncaughtException", (error) => {
+    console.error("[Guardian] Uncaught exception:", error);
+    process.exit(1);
+  });
+  process.on("unhandledRejection", (reason) => {
+    console.error("[Guardian] Unhandled rejection:", reason);
+    process.exit(1);
+  });
+  console.log("[Guardian] Daemon running. Press Ctrl+C to stop.");
+}
+main().catch((error) => {
+  console.error("[Guardian] Failed to start:", error);
+  process.exit(1);
+});