@ijfw/memory-server 1.4.0 → 1.4.3

package/README.md

@@ -0,0 +1,67 @@
+# @ijfw/memory-server
+
+IJFW MCP memory server — the runtime backend that powers memory, metrics,
+update checks, and the extension sandbox for all supported AI coding agents.
+
+## Install
+
+This package is installed automatically by `@ijfw/install`. You generally
+do not need to install it manually.
+
+```bash
+npm install -g @ijfw/memory-server
+```
+
+## Extension CLI
+
+IJFW ships a full extension system for installing and sandboxing third-party skills.
+
+```bash
+# Publisher key management
+ijfw extension keygen <author>              # Generate an Ed25519 publisher keypair
+ijfw extension trust <keyId> <publicKey>   # Add a publisher to your trusted store
+ijfw extension trust-registry [<url>]      # Pull + apply the hosted publisher registry
+ijfw extension untrust <keyId>             # Remove a publisher from your trusted store
+ijfw extension trusted                     # List all trusted publishers
+
+# Extension lifecycle
+ijfw extension add <source> [flags]        # Install an extension (npm name, local path, or https git URL)
+  --allow-unsigned                         #   Accept extensions with no signature
+  --accept-untrusted                       #   Accept extensions signed by an untrusted publisher (prompts on TTY)
+  --activate                               #   Auto-activate after install
+ijfw extension activate <name>             # Activate an installed extension (enforces declared permissions)
+ijfw extension deactivate                  # Deactivate the current extension
+
+# Admin / registry maintainer (rare)
+ijfw extension rotate-keys <oldKeyId> <newKeyId>   # Produce a signed rotation token
+ijfw extension keygen-meta <author>                # Generate the registry meta-keypair
+ijfw extension sign-registry <path>                # Sign a registry JSON file in place
+ijfw extension verify-registry <path>              # Verify a registry JSON signature
+ijfw extension registry-status                     # Show registry cache age + signature status
+```
+
+The rotation flow and registry maintainer docs live in `docs/REGISTRY-MAINTAINER.md`.
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `ijfw_memory_store` | Store a memory entry |
+| `ijfw_memory_recall` | Recall memory entries |
+| `ijfw_memory_search` | Full-text search over memories |
+| `ijfw_memory_prelude` | Load project context at session start |
+| `ijfw_cross_project_search` | Search memories across projects |
+| `ijfw_metrics` | Read cost + usage metrics |
+| `ijfw_update_check` | Check for IJFW updates |
+| `ijfw_update_apply` | Apply a pending IJFW update |
+| `ijfw_prompt_check` | Validate a prompt against IJFW rules |
+| `ijfw_run` | Run a sandboxed IJFW command |
+
+## Build (contributors)
+
+```bash
+cd mcp-server
+npm install
+npm test
+node --experimental-sqlite --test test-*.js
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ijfw/memory-server",
-  "version": "1.4.0",
+  "version": "1.4.3",
   "description": "Cross-platform persistent memory server for IJFW. 10 MCP tools (memory + admin/update). Works with 13 MCP-using platforms (Claude Code, Codex, Gemini CLI, Cursor, Windsurf, Copilot, Hermes, Wayland, OpenCode, QwenCode, Cline, KimiCode, OpenClaw) plus Aider via rules-only tier.",
   "author": "Sean Donahoe",
   "license": "MIT",

package/src/.registry-meta-key.pem

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAL2lCdti0bYiFTGUo/hffy+NiBUBXdbDcdaDmjJS27i0=
+-----END PUBLIC KEY-----

package/src/active-extension-writer.js

@@ -7,23 +7,40 @@
  *   - installExtension when opts.activate is set
  */
 
-import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
+import { readFile, writeFile, unlink, mkdir, readdir, stat } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
+import { randomBytes } from 'node:crypto';
+
+import { resetExtensionQuotas } from './extension-quota-tracker.js';
 
 const STATE_PATH_REL = ['.ijfw', 'state', 'active-extension.json'];
 
+// B18 — stale last-seen-by-<ide>.json files older than this get cleaned on read.
+const LAST_SEEN_STALE_MS = 30 * 24 * 60 * 60 * 1000;
+
+// Valid IDE id pattern (matches ide-detect.js). Keep in sync.
+const IDE_ID_PATTERN = /^[a-z0-9-]+$/;
+
 function statePath(home) {
   return join(home || homedir(), ...STATE_PATH_REL);
 }
 
+function lastSeenPath(home, ideId) {
+  return join(home || homedir(), '.ijfw', 'state', `last-seen-by-${ideId}.json`);
+}
+
+function stateDir(home) {
+  return join(home || homedir(), '.ijfw', 'state');
+}
+
 /**
  * Write the active-extension state file from a manifest + scope.
  * Validates required fields before write. Atomic write via tmp+rename.
  *
  * @param {{ name: string, permissions: { reads: string[], writes: string[] } }} manifest
  * @param {'project'|'org'|'user'} scope
- * @param {{ homeDir?: string }} [opts]
+ * @param {{ homeDir?: string, ideId?: string|null }} [opts]
  * @returns {Promise<{ ok: boolean, path?: string, error?: string }>}
  */
 export async function writeActiveExtension(manifest, scope, opts = {}) {
@@ -41,19 +58,63 @@ export async function writeActiveExtension(manifest, scope, opts = {}) {
   }
   const reads = Array.isArray(manifest.permissions.reads) ? manifest.permissions.reads : [];
   const writes = Array.isArray(manifest.permissions.writes) ? manifest.permissions.writes : [];
+  const activatedAt = new Date().toISOString();
+  // B18: stamp activated_by_ide + activated_by_pid when ideId is provided.
+  // Caller (CLI) is responsible for calling detectIde() and threading the
+  // value in. When opts.ideId is null/undefined, fields are omitted (so the
+  // file stays back-compatible with v1.4.1 readers).
+  const ideId = (typeof opts.ideId === 'string' && IDE_ID_PATTERN.test(opts.ideId))
+    ? opts.ideId
+    : null;
   const out = {
     name: manifest.name,
     scope,
     permissions: { reads, writes },
-    activated_at: new Date().toISOString(),
+    activated_at: activatedAt,
   };
+  if (ideId) {
+    out.activated_by_ide = ideId;
+    out.activated_by_pid = process.pid;
+  }
+  // R12-H-01: persist manifest.quotas so the tier-2 hook
+  // (extension-permission-check.mjs) can enforce quotas on Edit/Write/Bash
+  // dispatch. Without this the tier-2 hook reads `active.quotas` as undefined
+  // and silently bypasses the v1.4.3 quota gate that the server-side
+  // gatePermissionAndQuota path enforces. Schema (extension-manifest-schema.js):
+  // optional object whose values are positive integers — currently
+  // max_files_written / max_bytes_written / max_wall_clock_ms (forward-compat:
+  // unknown dimensions are kept as-is — schema rejects unknowns at install).
+  if (
+    manifest.quotas !== undefined &&
+    manifest.quotas !== null &&
+    typeof manifest.quotas === 'object' &&
+    !Array.isArray(manifest.quotas)
+  ) {
+    const cleanQuotas = {};
+    let copied = 0;
+    for (const [k, v] of Object.entries(manifest.quotas)) {
+      if (typeof v === 'number' && Number.isFinite(v) && Number.isInteger(v) && v > 0) {
+        cleanQuotas[k] = v;
+        copied++;
+      }
+    }
+    if (copied > 0) out.quotas = cleanQuotas;
+  }
   const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
   const path = statePath(home);
   await mkdir(dirname(path), { recursive: true });
-  const tmp = `${path}.tmp.${process.pid}.${Date.now()}`;
+  const tmp = `${path}.tmp.${randomBytes(4).toString('hex')}`;
   await writeFile(tmp, JSON.stringify(out, null, 2) + '\n', 'utf8');
   const { rename } = await import('node:fs/promises');
   await rename(tmp, path);
+  // B16/SEC-M-02: reset quota counters on activate; stamp activated_at so
+  // wall_clock_ms can be computed against this activation window.
+  try {
+    await resetExtensionQuotas(manifest.name, { homeDir: home, activated_at: activatedAt });
+  } catch {
+    // Quota reset failure must not block activation. Counters will self-heal
+    // on next deactivate or the next activate of the same name.
+  }
   return { ok: true, path };
 }
 
@@ -65,11 +126,38 @@ export async function writeActiveExtension(manifest, scope, opts = {}) {
  */
 export async function clearActiveExtension(opts = {}) {
   const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  // B16/SEC-M-02: read the active extension name BEFORE unlinking so we can
+  // clear its quota counters. Best-effort: if the file is missing or
+  // malformed, deactivate still succeeds.
+  let extName = null;
+  try {
+    const raw = await readFile(statePath(home), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === 'object' && typeof parsed.name === 'string') {
+      extName = parsed.name;
+    }
+  } catch {
+    // ignore — extName stays null
+  }
   try {
     await unlink(statePath(home));
+    if (extName) {
+      try {
+        await resetExtensionQuotas(extName, { homeDir: home });
+      } catch {
+        // best-effort
+      }
+    }
     return { ok: true, removed: true };
   } catch (err) {
-    if (err && err.code === 'ENOENT') return { ok: true, removed: false };
+    if (err && err.code === 'ENOENT') {
+      if (extName) {
+        try {
+          await resetExtensionQuotas(extName, { homeDir: home });
+        } catch { /* best-effort */ }
+      }
+      return { ok: true, removed: false };
+    }
     return { ok: false, removed: false };
   }
 }
@@ -86,7 +174,7 @@ export async function clearActiveExtension(opts = {}) {
  *
  * @param {string} name
  * @param {string} [projectRoot]
- * @param {{ homeDir?: string }} [opts]
+ * @param {{ homeDir?: string, strictShadow?: boolean }} [opts]
  * @returns {Promise<{ ok: boolean, manifest?: object, scope?: string, path?: string, error?: string }>}
  */
 export async function findInstalledManifest(name, projectRoot, opts = {}) {
@@ -102,15 +190,233 @@ export async function findInstalledManifest(name, projectRoot, opts = {}) {
   candidates.push({ scope: 'org', path: join(home, '.ijfw', 'extensions-org', name, 'manifest.json') });
   candidates.push({ scope: 'user', path: join(home, '.ijfw', 'extensions-user', name, 'manifest.json') });
 
+  // Collect all found manifests to detect project-scope shadowing.
+  const found = [];
   for (const c of candidates) {
     try {
       const raw = await readFile(c.path, 'utf8');
       const manifest = JSON.parse(raw);
-      return { ok: true, manifest, scope: c.scope, path: c.path };
+      found.push({ scope: c.scope, path: c.path, manifest });
     } catch (err) {
       if (err && err.code === 'ENOENT') continue;
       if (err instanceof SyntaxError) continue;
     }
   }
-  return { ok: false, error: `extension "${name}" not found in project/org/user scope` };
+
+  if (found.length === 0) {
+    return { ok: false, error: `extension "${name}" not found in project/org/user scope` };
+  }
+
+  const winner = found[0];
+
+  // B13.1: warn when project-scope shadows a lower-priority scope entry.
+  if (winner.scope === 'project' && found.length > 1) {
+    const shadowed = found[1];
+    const winnerKeyId = winner.manifest.signature?.keyId ?? '(unsigned)';
+    const shadowedKeyId = shadowed.manifest.signature?.keyId ?? '(unsigned)';
+    if (opts && opts.strictShadow) {
+      return {
+        ok: false,
+        error: `extension activate: project-scope "${name}" shadows ${shadowed.scope}-scope "${name}" (keyId ${winnerKeyId} vs ${shadowedKeyId}) — refused by strictShadow`,
+      };
+    }
+    process.stderr.write(
+      `[ijfw] extension activate: project-scope "${name}" shadows ${shadowed.scope}-scope "${name}" (keyId ${winnerKeyId} vs ${shadowedKeyId}) — using project\n`,
+    );
+  }
+
+  return { ok: true, manifest: winner.manifest, scope: winner.scope, path: winner.path };
+}
+
+// ============================================================================
+// B18 — Cross-IDE Conflict Detection
+// ============================================================================
+
+/**
+ * Write the current IDE's last-seen marker. Best-effort: never throws.
+ * Atomic via tmp+rename.
+ *
+ * @param {string} ideId
+ * @param {{ homeDir?: string }} [opts]
+ */
+async function writeLastSeen(ideId, opts = {}) {
+  if (!ideId || typeof ideId !== 'string' || !IDE_ID_PATTERN.test(ideId)) return;
+  if (ideId === 'unknown') return;
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const path = lastSeenPath(home, ideId);
+  try {
+    await mkdir(dirname(path), { recursive: true });
+    const body = JSON.stringify({ ide: ideId, last_seen_at: new Date().toISOString() }, null, 2) + '\n';
+    const tmp = `${path}.tmp.${randomBytes(4).toString('hex')}`;
+    await writeFile(tmp, body, 'utf8');
+    const { rename } = await import('node:fs/promises');
+    await rename(tmp, path);
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Read another IDE's last-seen marker. Returns null on any read error or
+ * missing file.
+ *
+ * @param {string} ideId
+ * @param {{ homeDir?: string }} [opts]
+ * @returns {Promise<{ ide: string, last_seen_at: string }|null>}
+ */
+async function readLastSeen(ideId, opts = {}) {
+  if (!ideId || !IDE_ID_PATTERN.test(ideId)) return null;
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  try {
+    const raw = await readFile(lastSeenPath(home, ideId), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object') return null;
+    if (typeof parsed.last_seen_at !== 'string') return null;
+    return parsed;
+  } catch {
+    return null;
+  }
 }
+
+/**
+ * Scan ~/.ijfw/state/ for last-seen-by-<ide>.json files older than 30 days
+ * and unlink them. Best-effort: never throws. Returns the number removed.
+ *
+ * @param {{ homeDir?: string, now?: number }} [opts]
+ * @returns {Promise<number>}
+ */
+async function cleanupStaleLastSeen(opts = {}) {
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const now = typeof opts.now === 'number' ? opts.now : Date.now();
+  let removed = 0;
+  let entries;
+  try {
+    entries = await readdir(stateDir(home));
+  } catch {
+    return 0;
+  }
+  for (const entry of entries) {
+    if (!entry.startsWith('last-seen-by-') || !entry.endsWith('.json')) continue;
+    const full = join(stateDir(home), entry);
+    try {
+      const st = await stat(full);
+      if (now - st.mtimeMs > LAST_SEEN_STALE_MS) {
+        await unlink(full);
+        removed++;
+      }
+    } catch {
+      // best-effort
+    }
+  }
+  return removed;
+}
+
+/**
+ * Detect divergence between the IDE that wrote active.json and the current IDE.
+ *
+ * Semantics:
+ *   - active.json missing OR no activated_by_ide field (pre-v1.4.3) → not divergent
+ *   - active.activated_by_ide === current_ide → not divergent
+ *   - active.activated_by_ide !== current_ide AND current_ide has a last-seen
+ *     file AND active.activated_at is OLDER than current_ide's last_seen_at →
+ *     divergent (this IDE was here before; a different IDE has since taken over
+ *     stale state)
+ *   - otherwise → not divergent (legitimate cross-IDE hand-off)
+ *
+ * Side effects:
+ *   - writes current_ide's last-seen marker
+ *   - cleans up stale last-seen files (>30 days)
+ *
+ * @param {{ homeDir?: string, currentIde?: string, now?: number }} [opts]
+ * @returns {Promise<{ divergent: boolean, last_writer: string|null, current_ide: string, age_seconds: number|null, reason?: string }>}
+ */
+export async function detectCrossIdeDivergence(opts = {}) {
+  const home = opts && opts.homeDir ? opts.homeDir : (process.env.HOME || homedir());
+  const now = typeof opts.now === 'number' ? opts.now : Date.now();
+  // Lazy import to avoid a hard module dependency cycle in test scaffolds.
+  let currentIde = opts.currentIde;
+  if (!currentIde) {
+    try {
+      const { detectIde } = await import('./ide-detect.js');
+      currentIde = detectIde();
+    } catch {
+      currentIde = 'unknown';
+    }
+  }
+
+  // Best-effort stale cleanup on every divergence check.
+  await cleanupStaleLastSeen({ homeDir: home, now });
+
+  // Read active.json. Missing or unreadable → not divergent.
+  let active;
+  try {
+    const raw = await readFile(statePath(home), 'utf8');
+    active = JSON.parse(raw);
+  } catch {
+    return { divergent: false, last_writer: null, current_ide: currentIde, age_seconds: null, reason: 'no active extension' };
+  }
+
+  // Pre-v1.4.3 active.json — silently no-divergence.
+  if (!active || typeof active !== 'object' || typeof active.activated_by_ide !== 'string') {
+    return { divergent: false, last_writer: null, current_ide: currentIde, age_seconds: null, reason: 'pre-v1.4.3 active.json' };
+  }
+
+  const lastWriter = active.activated_by_ide;
+  const activatedAtMs = typeof active.activated_at === 'string' ? Date.parse(active.activated_at) : NaN;
+  const ageSeconds = Number.isFinite(activatedAtMs) ? Math.max(0, Math.floor((now - activatedAtMs) / 1000)) : null;
+
+  // CRITICAL ORDERING: read prior last-seen BEFORE overwriting it. Otherwise
+  // the divergence comparison degrades to "now vs activated_at" which is
+  // always non-divergent.
+  let priorSeen = null;
+  if (lastWriter !== currentIde && currentIde !== 'unknown') {
+    priorSeen = await readLastSeen(currentIde, { homeDir: home });
+  }
+
+  // Now write our own last-seen marker (best-effort; we ARE the current IDE).
+  if (currentIde !== 'unknown') {
+    await writeLastSeen(currentIde, { homeDir: home });
+  }
+
+  if (lastWriter === currentIde) {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'same ide' };
+  }
+
+  // If current_ide is 'unknown', divergence detection is disabled.
+  if (currentIde === 'unknown') {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'detection disabled' };
+  }
+
+  if (!priorSeen) {
+    // Current IDE has no prior history → legitimate first-time hand-off.
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'first-time current ide' };
+  }
+  const seenMs = Date.parse(priorSeen.last_seen_at);
+  if (!Number.isFinite(seenMs) || !Number.isFinite(activatedAtMs)) {
+    return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'unparseable timestamps' };
+  }
+
+  // Design rule (per B18 spec):
+  //   divergent iff active.activated_by_ide != currentIde
+  //                AND active.activated_at < currentIde.last_seen
+  //
+  // Reading: the slot says some other IDE wrote it, but the current IDE has
+  // a more recent last-seen — i.e., the current IDE has been touching state
+  // more recently than the write, yet a different IDE's name is on it. Stale
+  // cross-IDE state divergence.
+  if (activatedAtMs < seenMs) {
+    return { divergent: true, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'stale active.json: current ide last-seen is more recent than active.activated_at' };
+  }
+
+  // active was written AFTER current ide's last_seen — legitimate hand-off
+  // (another IDE took over while current was away).
+  return { divergent: false, last_writer: lastWriter, current_ide: currentIde, age_seconds: ageSeconds, reason: 'legitimate handoff: foreign ide wrote after current ide was last here' };
+}
+
+// Internal helpers exported for tests only.
+export const __testing = Object.freeze({
+  writeLastSeen,
+  readLastSeen,
+  cleanupStaleLastSeen,
+  LAST_SEEN_STALE_MS,
+});

package/src/dashboard-aggregator.js

@@ -0,0 +1,165 @@
+/**
+ * dashboard-aggregator.js — IJFW v1.4.3 W9-C (B19)
+ *
+ * Server-side aggregation of ~/.ijfw/state/permission-events.jsonl for the
+ * dashboard's per-tool audit charts. Reads only the last TAIL_CHUNK bytes
+ * (same 2MB cap as the events endpoint) so this is bounded-memory even
+ * across rotations.
+ *
+ * Cache: 60s OR until the events file mtime changes, whichever first.
+ * Malformed JSONL lines are dropped silently — never crash the dashboard
+ * on a partial write.
+ *
+ * Returned shape:
+ *   {
+ *     hourly:        { [hourISO]: count },
+ *     by_extension:  { [ext]:    { allowed: number, denied: number } },
+ *     by_tool_denied:{ [tool]:   count }
+ *   }
+ *
+ * Helper `computeWarnBashBypass(manifest)` implements ARCH-M-01: an extension
+ * with `tool:bash` or `tool:exec` in writes AND a strict files/bytes quota
+ * declared in the manifest gets a warning chip in the dashboard. The chip is
+ * an information channel — quota enforcement still applies, but bash content
+ * bypasses per-file accounting at the API surface.
+ */
+
+import { existsSync, statSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+// Match dashboard-server's TAIL_CHUNK. Kept here so this module is
+// self-contained for the test harness.
+export const TAIL_CHUNK = 2 * 1024 * 1024; // 2MB
+const CACHE_TTL_MS = 60_000;
+
+// Module-level cache. Key = canonical path; value = { mtimeMs, builtAt, result }.
+const _cache = new Map();
+
+export function _resetAggregatorCacheForTest() {
+  _cache.clear();
+}
+
+function _readTailLines(eventsPath) {
+  if (!existsSync(eventsPath)) return { lines: [], mtimeMs: 0 };
+  let st;
+  try { st = statSync(eventsPath); } catch { return { lines: [], mtimeMs: 0 }; }
+  if (!st.size) return { lines: [], mtimeMs: st.mtimeMs };
+  let buf;
+  try { buf = readFileSync(eventsPath); } catch { return { lines: [], mtimeMs: st.mtimeMs }; }
+  const slice = buf.subarray(Math.max(0, buf.length - TAIL_CHUNK));
+  let lines = slice.toString('utf8').split('\n').filter(Boolean);
+  // If we sliced mid-line, drop the partial leading element.
+  if (buf.length > TAIL_CHUNK) lines = lines.slice(1);
+  return { lines, mtimeMs: st.mtimeMs };
+}
+
+function _hourBucket(tsMs) {
+  const d = new Date(tsMs);
+  d.setUTCMinutes(0, 0, 0);
+  return d.toISOString();
+}
+
+/**
+ * Aggregate permission events within `windowMs` of `now`.
+ *
+ * @param {string} eventsPath  absolute path to permission-events.jsonl
+ * @param {{ windowMs?: number, now?: number }} [opts]
+ */
+export async function aggregateEvents(eventsPath, opts = {}) {
+  const windowMs = (opts && typeof opts.windowMs === 'number') ? opts.windowMs : 24 * 3600 * 1000;
+  const now      = (opts && typeof opts.now      === 'number') ? opts.now      : Date.now();
+
+  const { lines, mtimeMs } = _readTailLines(eventsPath);
+
+  const cached = _cache.get(eventsPath);
+  if (cached
+      && cached.mtimeMs === mtimeMs
+      && (now - cached.builtAt) < CACHE_TTL_MS
+      && cached.windowMs === windowMs) {
+    return cached.result;
+  }
+
+  const cutoff = now - windowMs;
+  const hourly         = Object.create(null);
+  const byExt          = Object.create(null);
+  const byToolDenied   = Object.create(null);
+
+  for (const line of lines) {
+    let obj;
+    try { obj = JSON.parse(line); } catch { continue; }
+    if (!obj || typeof obj !== 'object') continue;
+    const t = typeof obj.ts === 'string' ? Date.parse(obj.ts) : (typeof obj.ts === 'number' ? obj.ts : NaN);
+    if (!Number.isFinite(t)) continue;
+    if (t < cutoff) continue;
+
+    const ext     = (typeof obj.extension === 'string' && obj.extension) ? obj.extension : '<unknown>';
+    const tool    = (typeof obj.tool === 'string' && obj.tool) ? obj.tool : (typeof obj.action === 'string' ? obj.action : '<unknown>');
+    const allowed = obj.allowed !== false; // anything other than explicit false is allowed.
+
+    // hourly
+    const hk = _hourBucket(t);
+    hourly[hk] = (hourly[hk] || 0) + 1;
+
+    // by_extension
+    if (!byExt[ext]) byExt[ext] = { allowed: 0, denied: 0 };
+    if (allowed) byExt[ext].allowed += 1;
+    else         byExt[ext].denied  += 1;
+
+    // by_tool_denied
+    if (!allowed) {
+      byToolDenied[tool] = (byToolDenied[tool] || 0) + 1;
+    }
+  }
+
+  const result = { hourly, by_extension: byExt, by_tool_denied: byToolDenied };
+  _cache.set(eventsPath, { mtimeMs, builtAt: now, windowMs, result });
+  return result;
+}
+
+/**
+ * ARCH-M-01: compute whether an extension's manifest combines a bash/exec
+ * write permission with a strict files/bytes quota.
+ *
+ * Returns true iff:
+ *   manifest.permissions.writes includes "tool:bash" or "tool:exec"
+ *   AND (quotas.max_files_written OR quotas.max_bytes_written is set)
+ */
+export function computeWarnBashBypass(manifest) {
+  if (!manifest || typeof manifest !== 'object') return false;
+  const perms = manifest.permissions || {};
+  const writes = Array.isArray(perms.writes) ? perms.writes : [];
+  const hasBashOrExec = writes.some((w) => w === 'tool:bash' || w === 'tool:exec');
+  if (!hasBashOrExec) return false;
+  const q = manifest.quotas || {};
+  const hasStrictQuota =
+    (typeof q.max_files_written === 'number' && Number.isFinite(q.max_files_written)) ||
+    (typeof q.max_bytes_written === 'number' && Number.isFinite(q.max_bytes_written));
+  return Boolean(hasStrictQuota);
+}
+
+/**
+ * Resolve `<scope>/<name>/manifest.json` and read it. Returns the parsed
+ * manifest object or `null` if the file is missing/unreadable/malformed.
+ *
+ * Scope→path map mirrors `active-extension-writer.js`:
+ *   project: <projectRoot>/.ijfw/extensions/<name>/manifest.json
+ *   org:     <home>/.ijfw/extensions-org/<name>/manifest.json
+ *   user:    <home>/.ijfw/extensions-user/<name>/manifest.json
+ */
+export function readActiveManifest({ scope, name, home, projectRoot }) {
+  if (!scope || !name) return null;
+  let path = null;
+  if (scope === 'project' && projectRoot) {
+    path = join(projectRoot, '.ijfw', 'extensions', name, 'manifest.json');
+  } else if (scope === 'org' && home) {
+    path = join(home, '.ijfw', 'extensions-org', name, 'manifest.json');
+  } else if (scope === 'user' && home) {
+    path = join(home, '.ijfw', 'extensions-user', name, 'manifest.json');
+  }
+  if (!path) return null;
+  try {
+    return JSON.parse(readFileSync(path, 'utf8'));
+  } catch {
+    return null;
+  }
+}