@highflame/overwatch 1.0.0

package/README.md

@@ -0,0 +1,337 @@
+# Overwatch
+
+**Overwatch** is a standalone security daemon that provides real-time threat detection and policy enforcement for AI coding assistants like Cursor, Claude Code, VS Code, Windsurf, Cline, and Aider.
+
+## What is Overwatch?
+
+Overwatch acts as a security layer between your IDE and AI assistants, intercepting and validating all actions (prompts, shell commands, file operations, MCP tool calls) through a multi-engine guardrail system:
+
+- **YARA Engine**: Fast local pattern matching for secrets, injection attacks, and malicious patterns
+- **Cedar Engine**: Policy-based authorization decisions using declarative rules
+- **Javelin API**: Remote LLM-powered guardrails for advanced threat detection
+
+### Key Features
+
+- **IDE-Agnostic**: Works with any IDE via universal bash hooks
+- **Zero Extensions Required**: Runs as a standalone system service
+- **Real-Time Protection**: Sub-second threat detection on every action
+- **Multi-IDE Support**: One daemon serves all IDEs simultaneously
+- **Policy Engine**: Declarative Cedar policies for fine-grained control
+- **Event Logging**: Complete audit trail in `~/.overwatch/events.jsonl`
+- **Web Dashboard**: Real-time monitoring at `http://localhost:17580/dashboard`
+- **Auto-Start**: System service (launchd/systemd) for automatic daemon startup
+
+---
+
+## Quick Start
+
+### Prerequisites
+
+- **Node.js**: 18+
+- **IDEs**: Cursor, Claude Code, VS Code (GitHub Copilot), or any IDE with hook support
+
+### Installation
+
+```bash
+# Install globally via npm
+npm install -g @highflame/overwatch
+
+# Start Overwatch daemon
+overwatch start
+
+# Verify daemon is running
+overwatch status
+# Output: ✅ Overwatch is running on port 17580
+
+# Install hooks for your IDE
+overwatch install cursor
+
+# (Optional) Install as system service for auto-start
+overwatch install-service
+```
+
+**That's it!** Overwatch is now protecting your IDE.
+
+---
+
+## Setup for Cursor IDE
+
+### Step 1: Install Hooks
+
+```bash
+overwatch install cursor
+```
+
+**What this does:**
+
+- Starts Overwatch daemon (if not running)
+- Copies hook scripts to `~/.overwatch/cursor/hooks/`
+- Updates `~/.cursor/hooks.json` with Overwatch hooks
+- Copies YARA rules and Cedar policy
+- Creates Overwatch config at `~/.overwatch/config.json`
+
+### Step 2: Restart Cursor
+
+```bash
+pkill -9 Cursor
+open -a Cursor
+```
+
+### Step 3: Verify Installation
+
+```bash
+# Check hooks are installed
+cat ~/.cursor/hooks.json | jq 'keys'
+
+# Check Overwatch is running
+overwatch status
+
+# Test in Cursor
+# Open Cursor, chat with AI, watch events:
+tail -f ~/.overwatch/events.jsonl | jq
+```
+
+### Cursor Hooks Installed
+
+Overwatch installs 12 hooks for Cursor:
+
+**Pre-execution (blocking)** - These validate actions and can block them:
+
+- `beforeSubmitPrompt` - Validates user prompts for injection attacks
+- `beforeShellExecution` - Validates shell commands before execution
+- `beforeMCPExecution` - Validates MCP tool/resource access
+- `beforeTabFileRead` - Validates file reads in tab context
+- `beforeReadFile` - Validates file reads by AI
+
+**Post-execution (observational)** - These record events for audit/analytics:
+
+- `afterShellExecution` - Records shell command results
+- `afterMCPExecution` - Records MCP tool execution results
+- `afterFileEdit` - Records file edit operations
+- `afterTabFileEdit` - Records tab file edit operations
+- `afterAgentResponse` - Records agent responses
+- `afterAgentThought` - Records agent reasoning steps
+
+**Session:**
+
+- `stop` - Records session stop events
+
+---
+
+## Setup for Claude Code
+
+Claude Code supports two integration approaches:
+
+### Option A: Plugin Installation (Recommended)
+
+Overwatch is available as a Claude Code plugin:
+
+```bash
+# Install from marketplace
+/plugin marketplace add overwatch
+
+# Enable the plugin
+/overwatch:enable
+
+# Restart the session
+```
+
+This approach provides:
+
+- Automatic updates via plugin marketplace
+- Enterprise deployment via `managed-settings.json`
+- Better integration with Claude Code's plugin ecosystem
+
+
+### Claude Code Hooks Installed
+
+Overwatch installs 3 hooks for Claude Code:
+
+1. **UserPromptSubmit** - Validates all user prompts for injection attacks
+2. **PreToolUse** - Validates tool use (Bash, Read, Write, etc.) before execution
+3. **PostToolUse** - Records tool execution results (observational, non-blocking)
+
+---
+
+## Setup for GitHub Copilot CLI
+
+GitHub Copilot CLI uses a hooks system via `.github/hooks/hooks.json`.
+
+### Prerequisites
+
+- **GitHub Copilot CLI** installed (`gh copilot`)
+- **Overwatch daemon** running (see Quick Start above)
+
+### Step 1: Install Hooks
+
+```bash
+overwatch install github_copilot
+```
+
+**What this does:**
+
+- Starts Overwatch daemon (if not running)
+- Creates `hooks.json` at `~/.overwatch/github_copilot/hooks/hooks.json`
+- Copies YARA rules and Cedar policy
+
+### Step 2: Copy Hooks to Your Repository
+
+Copy the generated hooks to each repository where you want Overwatch protection:
+
+```bash
+# Copy hooks.json to your repository
+mkdir -p /path/to/your/repo/.github/hooks
+cp ~/.overwatch/github_copilot/hooks/hooks.json /path/to/your/repo/.github/hooks/
+```
+
+### Step 3: Verify Installation
+
+```bash
+# Check Overwatch is running
+overwatch status
+
+# Verify hooks file in your repo
+cat /path/to/your/repo/.github/hooks/hooks.json | jq
+```
+
+### GitHub Copilot CLI Hooks Installed
+
+Overwatch installs 6 hooks for GitHub Copilot CLI:
+
+**Pre-execution (blocking)**:
+
+- `userPromptSubmitted` - Validates user prompts for injection attacks
+- `preToolUse` - Validates tool use before execution
+
+**Post-execution (observational)**:
+
+- `postToolUse` - Records tool execution results
+
+**Session management:**
+
+- `sessionStart` - Records when CLI session starts
+- `sessionEnd` - Records when CLI session ends
+
+**Error handling:**
+
+- `errorOccurred` - Records errors during execution
+
+---
+
+## CLI Commands
+
+```bash
+# Daemon Management
+overwatch start [--debug]     # Start daemon
+overwatch stop                # Stop daemon
+overwatch restart [--debug]   # Restart daemon
+overwatch status              # Show status
+
+# Hook Installation
+overwatch install <ide>       # Install hooks
+overwatch uninstall <ide>     # Uninstall hooks
+overwatch hooks               # List installed hooks
+
+# System Service (Auto-start on boot)
+overwatch install-service     # Install launchd/systemd service
+overwatch uninstall-service   # Uninstall service
+
+# Scanning
+overwatch scan                # Scan MCP servers
+
+# Supported IDEs: cursor, claudecode, github_copilot
+```
+
+---
+
+## Configuration
+
+### Global Configuration
+
+Located at `~/.overwatch/config.json`:
+
+```json
+{
+  "version": "2.0",
+  "createdAt": "<timestamp>",
+  "engines": {
+    "yara": {
+      "enabled": true
+    },
+    "cedar": {
+      "enabled": true
+    },
+    "javelin": {
+      "enabled": true
+    }
+  },
+  "daemon": {
+    "autoStart": true,
+    "logLevel": "info"
+  },
+  "enabled": true,
+  "ides": {
+    "cursor": {
+      "enabled": true,
+      "mode": "enforce",
+      "hooksInstalled": true,
+      "hooksPath": "~/.overwatch/cursor/hooks"
+    }
+  }
+}
+```
+
+---
+
+## File Locations
+
+| Component                   | Path                                             |
+| --------------------------- | ------------------------------------------------ |
+| **Overwatch Daemon**         |                                                  |
+| Overwatch port file          | `~/.overwatch/guardian_port`                     |
+| Daemon log                  | `~/.overwatch/guardian.log`                      |
+| **Events & Data**           |                                                  |
+| Events log                  | `~/.overwatch/events.jsonl`                      |
+| Scans log                   | `~/.overwatch/scans.jsonl`                       |
+| **Configuration**           |                                                  |
+| Global config               | `~/.overwatch/config.json`                       |
+| Global YARA rules           | `~/.overwatch/rules/pre/*.yar`                   |
+| Global Cedar policy         | `~/.overwatch/policy.cedar`                      |
+| **Universal Hook**          |                                                  |
+| Universal adapter           | `~/.overwatch/hooks/universal-hook.sh`           |
+| **Cursor Integration**      |                                                  |
+| Hooks config                | `~/.cursor/hooks.json`                           |
+| **Claude Code Integration** |                                                  |
+| Hooks config                | `~/.claude/hooks.json`                           |
+| **System Service**          |                                                  |
+| launchd plist (macOS)       | `~/Library/LaunchAgents/com.overwatch.plist`     |
+| systemd unit (Linux)        | `~/.config/systemd/user/overwatch.service`       |
+
+---
+
+## Troubleshooting
+
+### Hooks not executing
+
+- Verify Overwatch daemon is running: `overwatch status`
+- Check hook installation: `overwatch hooks`
+- Verify hooks.json syntax: `jq . ~/.cursor/hooks.json`
+
+### Events not appearing
+
+- Check Overwatch is running: `overwatch status`
+- Verify port file exists: `cat ~/.overwatch/guardian_port`
+- Check events log: `tail -f ~/.overwatch/events.jsonl | jq`
+
+### Hooks timing out
+
+- Default timeout is 10 seconds (configurable in hooks.json)
+- Check Overwatch daemon is responsive: `curl http://localhost:$(cat ~/.overwatch/guardian_port)/health`
+
+---
+
+---
+
+## License
+
+MIT

package/bin/overwatch

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * Overwatch CLI Entry Point
+ * This script is the main entry point for the overwatch command
+ */
+
+// Resolve the CLI module path relative to this script
+const path = require('path');
+const cliPath = path.join(__dirname, '..', 'dist', 'cli.js');
+
+// Load and run the CLI
+require(cliPath);

package/dist/auth/cli-oauth.d.ts

@@ -0,0 +1,13 @@
+/**
+ * CLI OAuth 2.0 PKCE flow
+ * Handles OAuth authentication flow for CLI commands
+ * Starts temporary callback server on ephemeral port
+ */
+/**
+ * Perform OAuth PKCE flow for CLI
+ * @param openBrowser Whether to open browser automatically (default: true)
+ * @returns User email on success
+ * @throws Error on failure
+ */
+export declare function performCLIOAuthFlow(openBrowser?: boolean): Promise<string>;
+//# sourceMappingURL=cli-oauth.d.ts.map

package/dist/auth/cli-oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-oauth.d.ts","sourceRoot":"","sources":["../../src/auth/cli-oauth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA4BH;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,GAAE,OAAc,GAC1B,OAAO,CAAC,MAAM,CAAC,CAiDjB"}

package/dist/auth/html-utils.d.ts

@@ -0,0 +1,20 @@
+/**
+ * HTML utilities for OAuth responses
+ * Provides secure HTML generation with proper escaping
+ */
+/**
+ * Escape HTML entities to prevent XSS attacks
+ */
+export declare function escapeHtml(unsafe: string): string;
+/**
+ * Generate success HTML response for OAuth callback
+ * @param message Success message to display
+ * @param email Optional user email (will be escaped)
+ */
+export declare function generateSuccessHtml(message: string, email?: string): string;
+/**
+ * Generate error HTML response for OAuth callback
+ * @param error Error message to display (will be escaped)
+ */
+export declare function generateErrorHtml(error: string): string;
+//# sourceMappingURL=html-utils.d.ts.map

package/dist/auth/html-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-utils.d.ts","sourceRoot":"","sources":["../../src/auth/html-utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAOjD;AA0CD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAkB3E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBvD"}

package/dist/auth/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * OAuth authentication module
+ * Provides PKCE-based OAuth 2.0 authentication for Highflame
+ */
+export { generateCodeVerifier, generateCodeChallenge, generateState, } from "./pkce";
+export { OAUTH_CONFIG, TOKEN_EXPIRY_SECONDS, OAuthState, TokenResponse, UserInfo, buildAuthorizationUrl, exchangeCodeForTokens, refreshAccessToken, isTokenExpired, createOAuthState, } from "./oauth";
+export { performCLIOAuthFlow } from "./cli-oauth";
+export { AuthStatus, saveTokens, loadTokens, clearTokens, getValidAccessToken, needsReauth, getAuthStatus, } from "./token-store";
+export { escapeHtml, generateSuccessHtml, generateErrorHtml, } from "./html-utils";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,aAAa,GACd,MAAM,QAAQ,CAAC;AAGhB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,UAAU,EACV,aAAa,EACb,QAAQ,EACR,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,cAAc,EACd,gBAAgB,GACjB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAGlD,OAAO,EACL,UAAU,EACV,UAAU,EACV,UAAU,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,aAAa,GACd,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,UAAU,EACV,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,cAAc,CAAC"}

package/dist/auth/oauth.d.ts

@@ -0,0 +1,81 @@
+/**
+ * OAuth 2.0 flow manager for Highflame authentication
+ * Uses PKCE for secure public client authentication
+ */
+/**
+ * OAuth configuration for Highflame Studio
+ */
+export declare const OAUTH_CONFIG: {
+    authUrl: string;
+    tokenUrl: string;
+    clientId: string;
+    scopes: string[];
+};
+/**
+ * Token expiry: 90 days in seconds
+ */
+export declare const TOKEN_EXPIRY_SECONDS: number;
+/**
+ * Pending OAuth flow state
+ */
+export interface OAuthState {
+    state: string;
+    codeVerifier: string;
+    redirectUri: string;
+    createdAt: number;
+    status: "pending" | "completed" | "failed" | "expired";
+    tokens?: TokenResponse;
+    error?: string;
+    userInfo?: UserInfo;
+}
+/**
+ * Token response from Highflame Studio API
+ */
+export interface TokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    expires_in: number;
+    token_type: "Bearer";
+    expires_at?: number;
+    scope?: string;
+    user?: {
+        id: string;
+        email: string;
+    };
+}
+/**
+ * User information from Highflame Studio API
+ */
+export interface UserInfo {
+    id: string;
+    email: string;
+}
+/**
+ * Build the OAuth authorization URL with PKCE parameters
+ */
+export declare function buildAuthorizationUrl(state: string, codeChallenge: string, redirectUri: string): string;
+/**
+ * Exchange authorization code for tokens
+ * Public client flow - no client_secret required, PKCE verifier proves identity
+ */
+export declare function exchangeCodeForTokens(code: string, codeVerifier: string, redirectUri: string): Promise<{
+    tokens: TokenResponse;
+    userInfo: UserInfo;
+}>;
+/**
+ * Refresh access token using refresh token
+ * Placeholder for future refresh endpoint implementation
+ */
+export declare function refreshAccessToken(_refreshToken: string): Promise<TokenResponse | null>;
+/**
+ * Check if tokens are expired or about to expire
+ * @param expiresAt Unix timestamp in milliseconds
+ * @param bufferSeconds Buffer time before actual expiry (default: 1 day)
+ */
+export declare function isTokenExpired(expiresAt: number, bufferSeconds?: number): boolean;
+/**
+ * Create a new OAuth flow state
+ * @param guardianPort The port Guardian daemon is running on
+ */
+export declare function createOAuthState(guardianPort: number): OAuthState;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,eAAO,MAAM,YAAY;;;;;CAKxB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAoB,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;IACvD,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE;QACL,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,MAAM,CAYR;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,CAyCxD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAI/B;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,aAAa,GAAE,MAAc,GAC5B,OAAO,CAET;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,UAAU,CAYjE"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,26 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities
+ * Used for secure OAuth 2.0 flow without client_secret (public client)
+ * RFC 7636: https://tools.ietf.org/html/rfc7636
+ */
+/**
+ * Generate a cryptographically random code verifier
+ * Per RFC 7636: 43-128 characters, using unreserved characters
+ * [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
+ *
+ * We use 32 random bytes → 43 base64url characters
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Generate code challenge from verifier using S256 method
+ * challenge = BASE64URL(SHA256(verifier))
+ *
+ * S256 is more secure than plain method and required by most OAuth providers
+ */
+export declare function generateCodeChallenge(verifier: string): string;
+/**
+ * Generate random state parameter for CSRF protection
+ * Returns 32-character hex string (16 random bytes)
+ */
+export declare function generateState(): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgBH;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Token storage for OAuth authentication
+ * Stores tokens in ~/.overwatch/session.json (separate from config for security)
+ */
+import { TokenResponse, UserInfo } from "./oauth";
+import { AuthConfig } from "../types";
+/**
+ * Auth status response
+ */
+export interface AuthStatus {
+    authenticated: boolean;
+    email?: string;
+    name?: string;
+    orgName?: string;
+    expiresAt?: number;
+    expired?: boolean;
+}
+/**
+ * Save tokens to session.json file
+ */
+export declare function saveTokens(tokens: TokenResponse, userInfo?: UserInfo): void;
+/**
+ * Load tokens from session.json file
+ */
+export declare function loadTokens(): AuthConfig | null;
+/**
+ * Clear tokens by deleting session.json file
+ */
+export declare function clearTokens(): void;
+/**
+ * Get access token if valid, null if expired or missing
+ * Attempts to refresh token if expired and refresh token is available
+ */
+export declare function getValidAccessToken(): Promise<string | null>;
+/**
+ * Check if re-authentication is needed
+ * Returns true if tokens are expired or missing
+ */
+export declare function needsReauth(): boolean;
+/**
+ * Get auth status for display
+ */
+export declare function getAuthStatus(): AuthStatus;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EACL,aAAa,EACb,QAAQ,EAGT,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAStC;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AA0CD;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAmB3E;AAED;;GAEG;AACH,wBAAgB,UAAU,IAAI,UAAU,GAAG,IAAI,CAE9C;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAWlC;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoBlE;AAED;;;GAGG;AACH,wBAAgB,WAAW,IAAI,OAAO,CAIrC;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,UAAU,CAc1C"}

package/dist/bin/overwatch

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * Overwatch CLI Entry Point
+ * This script is the main entry point for the overwatch command
+ */
+
+// Resolve the CLI module path relative to this script
+const path = require('path');
+const cliPath = path.join(__dirname, '..', 'dist', 'cli.js');
+
+// Load and run the CLI
+require(cliPath);

package/dist/cli.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Overwatch CLI
+ * Standalone security daemon for IDE-agnostic AI agent security
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;GAGG"}