@ironbee-ai/cli 0.21.1 → 0.22.0

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 0.22.0 (2026-06-12)
+
+### Features
+
+* android platform support ([#25](https://github.com/ironbee-ai/ironbee-cli/issues/25)) ([f155488](https://github.com/ironbee-ai/ironbee-cli/commit/f155488bcb595895ce0b4b6383207a9e5466a41b))
+
+## 0.21.2 (2026-06-09)
+
+### Features
+
+* **pricing:** add Claude Fable 5 / Mythos 5 model pricing ([3efc304](https://github.com/ironbee-ai/ironbee-cli/commit/3efc304d784f6637ab8c6e83a3f9c451cd0a16c8))
+
 ## 0.21.1 (2026-06-09)
 
 ## 0.21.0 (2026-06-09)

package/dist/analytics/claude/pricing.js

@@ -1 +1 @@
-"use strict";var u=Object.defineProperty;var s=Object.getOwnPropertyDescriptor;var p=Object.getOwnPropertyNames;var d=Object.prototype.hasOwnProperty;var o=(e,c)=>u(e,"name",{value:c,configurable:!0});var b=(e,c)=>{for(var a in c)u(e,a,{get:c[a],enumerable:!0})},l=(e,c,a,r)=>{if(c&&typeof c=="object"||typeof c=="function")for(let t of p(c))!d.call(e,t)&&t!==a&&u(e,t,{get:()=>c[t],enumerable:!(r=s(c,t))||r.enumerable});return e};var k=e=>l(u({},"__esModule",{value:!0}),e);var m={};b(m,{BYTES_PER_TOKEN:()=>i.BYTES_PER_TOKEN,OPUS_4_6_FAST_PRICING:()=>_,PRICING:()=>n,computeMessageCostUsd:()=>f,lookupPricing:()=>h,lookupPricingForUsage:()=>w});module.exports=k(m);var i=require("../shared/tokens");const n={"claude-opus-4-8":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-7":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-6":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-5":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-1":{input:15,output:75,cache_read:1.5,cache_creation:18.75,cache_creation_1h:30,web_search:.01},"claude-opus-4":{input:15,output:75,cache_read:1.5,cache_creation:18.75,cache_creation_1h:30,web_search:.01},"claude-sonnet-4-6":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-sonnet-4-5":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-sonnet-4":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-haiku-4-5":{input:1,output:5,cache_read:.1,cache_creation:1.25,cache_creation_1h:2,web_search:.01},"claude-haiku-4":{input:1,output:5,cache_read:.1,cache_creation:1.25,cache_creation_1h:2,web_search:.01}},_={input:30,output:150,cache_read:3,cache_creation:37.5,cache_creation_1h:60,web_search:.01};function h(e){const c=n[e];return c!==void 0?c:e.startsWith("claude-opus-")?n["claude-opus-4-8"]:e.startsWith("claude-sonnet-")?n["claude-sonnet-4-6"]:e.startsWith("claude-haiku-")?n["claude-haiku-4-5"]:null}o(h,"lookupPricing");function w(e,c){return c==="fast"&&e.includes("opus-4-6")?_:h(e)}o(w,"lookupPricingForUsage");function f(e,c){if(c===null)return 0;const a=e.cache_creation_tokens*c.cache_creation,r=e.web_search_requests??0,t=c.web_search??0;return(e.input_tokens*c.input+e.output_tokens*c.output+a+e.cache_read_tokens*c.cache_read)/1e6+r*t}o(f,"computeMessageCostUsd");0&&(module.exports={BYTES_PER_TOKEN,OPUS_4_6_FAST_PRICING,PRICING,computeMessageCostUsd,lookupPricing,lookupPricingForUsage});
+"use strict";var u=Object.defineProperty;var s=Object.getOwnPropertyDescriptor;var d=Object.getOwnPropertyNames;var p=Object.prototype.hasOwnProperty;var o=(e,c)=>u(e,"name",{value:c,configurable:!0});var l=(e,c)=>{for(var r in c)u(e,r,{get:c[r],enumerable:!0})},b=(e,c,r,n)=>{if(c&&typeof c=="object"||typeof c=="function")for(let a of d(c))!p.call(e,a)&&a!==r&&u(e,a,{get:()=>c[a],enumerable:!(n=s(c,a))||n.enumerable});return e};var f=e=>b(u({},"__esModule",{value:!0}),e);var m={};l(m,{BYTES_PER_TOKEN:()=>i.BYTES_PER_TOKEN,OPUS_4_6_FAST_PRICING:()=>_,PRICING:()=>t,computeMessageCostUsd:()=>k,lookupPricing:()=>h,lookupPricingForUsage:()=>w});module.exports=f(m);var i=require("../shared/tokens");const t={"claude-fable-5":{input:10,output:50,cache_read:1,cache_creation:12.5,cache_creation_1h:20,web_search:.01},"claude-mythos-5":{input:10,output:50,cache_read:1,cache_creation:12.5,cache_creation_1h:20,web_search:.01},"claude-opus-4-8":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-7":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-6":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-5":{input:5,output:25,cache_read:.5,cache_creation:6.25,cache_creation_1h:10,web_search:.01},"claude-opus-4-1":{input:15,output:75,cache_read:1.5,cache_creation:18.75,cache_creation_1h:30,web_search:.01},"claude-opus-4":{input:15,output:75,cache_read:1.5,cache_creation:18.75,cache_creation_1h:30,web_search:.01},"claude-sonnet-4-6":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-sonnet-4-5":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-sonnet-4":{input:3,output:15,cache_read:.3,cache_creation:3.75,cache_creation_1h:6,web_search:.01},"claude-haiku-4-5":{input:1,output:5,cache_read:.1,cache_creation:1.25,cache_creation_1h:2,web_search:.01},"claude-haiku-4":{input:1,output:5,cache_read:.1,cache_creation:1.25,cache_creation_1h:2,web_search:.01}},_={input:30,output:150,cache_read:3,cache_creation:37.5,cache_creation_1h:60,web_search:.01};function h(e){const c=t[e];return c!==void 0?c:e.startsWith("claude-fable-")?t["claude-fable-5"]:e.startsWith("claude-mythos-")?t["claude-mythos-5"]:e.startsWith("claude-opus-")?t["claude-opus-4-8"]:e.startsWith("claude-sonnet-")?t["claude-sonnet-4-6"]:e.startsWith("claude-haiku-")?t["claude-haiku-4-5"]:null}o(h,"lookupPricing");function w(e,c){return c==="fast"&&e.includes("opus-4-6")?_:h(e)}o(w,"lookupPricingForUsage");function k(e,c){if(c===null)return 0;const r=e.cache_creation_tokens*c.cache_creation,n=e.web_search_requests??0,a=c.web_search??0;return(e.input_tokens*c.input+e.output_tokens*c.output+r+e.cache_read_tokens*c.cache_read)/1e6+n*a}o(k,"computeMessageCostUsd");0&&(module.exports={BYTES_PER_TOKEN,OPUS_4_6_FAST_PRICING,PRICING,computeMessageCostUsd,lookupPricing,lookupPricingForUsage});

package/dist/clients/claude/agents/ironbee-verifier.md

@@ -6,7 +6,7 @@ description: >
   cycle out-of-band — it drives the devtools tools, judges the result, and records the
   verdict in the shared session, then returns a short summary. It does NOT edit code: if it
   finds problems it reports them as issues for the main agent to fix.
-tools: Bash, mcp__browser-devtools__*, mcp__node-devtools__*, mcp__backend-devtools__*
+tools: Bash, mcp__browser-devtools__*, mcp__node-devtools__*, mcp__backend-devtools__*, mcp__android-devtools__*
 ---
 
 # IronBee Verifier (delegated verification)
@@ -42,6 +42,12 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
    ```
    echo '{}' | ironbee hook verification-start
    ```
+   **If the delegating prompt contains a `Mode: fix` line**, pass the intent
+   along so IronBee's completion gate enforces fix-until-pass on the main agent:
+   ```
+   echo '{}' | ironbee hook verification-start --intent fix
+   ```
+   (No declared mode → plain form as above, no flag.)
 2. Build and start the application **only if it isn't already running** (check
    `docker compose ps` / process output / config — don't guess ports). **Track whether YOU
    started it**: if it was already up, the user or main agent owns it — leave it alone.
@@ -53,7 +59,8 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
    this verification*, stop it now before you return — kill the exact process/container you
    launched (e.g. the backgrounded `npm run dev`, the `docker compose up` you ran). **Never
    stop a server that was already running** (user/main-agent-owned). Also honor any
-   cycle-specific teardown (e.g. `bdt_content_stop-recording`) BEFORE submitting your verdict.
+   cycle-specific teardown noted in the platform sections (e.g. stopping an active screen
+   recording) BEFORE submitting your verdict.
 5. **Submit your verdict immediately** — do NOT wait:
    ```
    echo '<verdict-json>' | ironbee hook submit-verdict
@@ -76,3 +83,6 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
 
 <!--IRONBEE:PLATFORM:backend-->
 <!--/IRONBEE:PLATFORM:backend-->
+
+<!--IRONBEE:PLATFORM:android-->
+<!--/IRONBEE:PLATFORM:android-->

package/dist/clients/claude/commands/ironbee-verify.md

@@ -1,18 +1,28 @@
 ---
-argument-hint: "[scenario text | path to scenario file]"
-description: Delegate verification of the current code changes to the ironbee-verifier sub-agent; optionally pass a custom scenario (inline text or a file path) that defines what to verify.
+argument-hint: "[fix|report] [scenario text | path to scenario file]"
+description: Delegate verification of the current code changes to the ironbee-verifier sub-agent. Default is verify-only (report the verdict and stop); a leading `fix` argument adds the fix-and-re-verify loop until pass. Optionally pass a custom scenario (inline text or a file path) that defines what to verify.
 ---
 
 # IronBee Verify
 
-Verify the current code changes by **delegating to the `ironbee-verifier` sub-agent**. It drives the verification tools out-of-band in this **shared session** and returns a verdict summary — so the heavy devtools output (DOM, console, screenshots) stays in its context, not yours. **You do not run the verification tools yourself**: you resolve the scenario (below), spawn the verifier, and relay its result. The gate still runs every active cycle and all must pass for `status: pass`.
+Verify the current code changes by **delegating to the `ironbee-verifier` sub-agent**. It drives the verification tools out-of-band in this **shared session** and returns a verdict summary — so the heavy devtools output (DOM, console, screenshots) stays in its context, not yours. **You do not run the verification tools yourself**: you resolve the mode and scenario (below), spawn the verifier, and relay its result. The gate still runs every active cycle and all must pass for `status: pass`.
+
+## Mode
+
+The FIRST whitespace-delimited token of the arguments selects the mode; everything after it is the scenario:
+
+- `fix` → **verify-and-fix**: on a fail verdict, fix the reported issues and re-delegate until the verdict passes.
+- `report` → **verify-only** (the explicit form of the default).
+- Anything else, or no arguments → **verify-only** (default), and the WHOLE argument string is the scenario.
+
+**Verify-only** means: relay the verdict and STOP — do **not** edit code, do **not** re-delegate on fail. The fail verdict is still submitted and recorded (that's the point — an honest status report). If the user wants the issues repaired, suggest `/ironbee-verify fix`. One caveat (enforce mode): if code was edited earlier in THIS turn, the Stop gate may still block on the fail verdict and demand fixes — follow the gate then; the mode token never overrides enforcement.
 
 ## Verification scenario
 
 A custom verification scenario may be supplied when this command is invoked — either as **inline text** or as a **path to a file** (any location, any format; read at run time).
 
-> Scenario argument: `$ARGUMENTS`
-> *(empty if none — when empty, the verifier uses its default flow)*
+> Mode + scenario argument: `$ARGUMENTS`
+> *(strip a leading `fix` / `report` mode token first — the remainder is the scenario; empty remainder → the verifier uses its default flow)*
 
 - **If a scenario is supplied, it is authoritative**: the verifier must verify exactly what it describes, exercising precisely the flows/states/endpoints it names — this **replaces** the default "exercise the changed pages/endpoints" guidance.
 - **If the scenario is (or points to) a file path**, read that file with your file-read tool yourself and pass its **contents** into the verifier's prompt (the verifier has no file-read tool). Do not assume a fixed location or format — read whatever path was given.
@@ -21,17 +31,20 @@ A custom verification scenario may be supplied when this command is invoked —
 
 ## Steps
 
-1. **Resolve the scenario**: file path → read it now; inline text → use as-is; empty → none.
-2. **Spawn the verifier** via the Agent tool with `subagent_type: "ironbee-verifier"` and a prompt that states the task plus the resolved scenario, e.g.:
+1. **Resolve the mode and scenario**: strip a leading `fix` / `report` token (see **Mode**); then file path → read it now; inline text → use as-is; empty → none.
+2. **Spawn the verifier** via the Agent tool with `subagent_type: "ironbee-verifier"` and a prompt that states the task, the mode, and the resolved scenario, e.g.:
    > Verify the current code changes.
+   > Mode: \<`fix` in fix mode — OMIT this line entirely in verify-only mode>
    > Scenario: \<the resolved scenario text, or "none — exercise the changed pages/endpoints">
-   The verifier runs `verification-start` → drives every active cycle's tools → submits the single verdict, all in this shared session. It resolves the session id from the environment, so you don't pass one.
+   The verifier runs `verification-start` (relaying the fix intent to IronBee's completion gate, which then enforces fix-until-pass on you) → drives every active cycle's tools → submits the single verdict, all in this shared session. It resolves the session id from the environment, so you don't pass one.
 3. **Relay the verifier's summary** — the verdict status and, on fail, the issues it found.
-4. **If it FAILED**: fix the issues it reported. Optionally record what you fixed so the next pass verdict can describe it:
-   ```
-   echo '{"fixes":["what you repaired"]}' | ironbee hook record-fix
-   ```
-   Then re-run `/ironbee-verify` to re-delegate. (If you skip `record-fix`, IronBee fills `fixes` from the files you changed since the fail.)
+4. **On a fail verdict, branch by mode**:
+   - **Verify-only (default)**: stop here. Report the issues clearly and suggest `/ironbee-verify fix` to repair them. Do not edit code.
+   - **Fix mode (`fix` token)**: fix the issues it reported. Optionally record what you fixed so the next pass verdict can describe it:
+     ```
+     echo '{"fixes":["what you repaired"]}' | ironbee hook record-fix
+     ```
+     Then re-run the verification by re-delegating (step 2) — repeat until the verdict passes. (If you skip `record-fix`, IronBee fills `fixes` from the files you changed since the fail.)
 
 Do NOT verify inline — always delegate, so your context stays clean. The per-cycle "how to verify" detail (which tools to drive, the verdict expectations) lives in the `ironbee-verifier` sub-agent itself — you don't need it here to delegate.
 
@@ -43,6 +56,6 @@ Do NOT verify inline — always delegate, so your context stays clean. The per-c
 - Its `checks` are specific observations (e.g. `"submitted valid credentials, redirected to /dashboard"`, `"console clean — 0 errors"`), not `"it works"`.
 
 ## Important
-- The **verifier** produces the verdict; your job is to delegate, relay it, and fix on fail.
-- A fail verdict means you must fix the issues and re-delegate — do not just report and stop.
+- The **verifier** produces the verdict; your job is to delegate, relay it, and — in fix mode — fix on fail.
+- **Fix mode only**: a fail verdict means you must fix the issues and re-delegate until pass. In verify-only mode (the default) you report and stop — fixing without the `fix` token is overstepping.
 - Never verify inline to "save a round trip" — delegation keeps your context clean and is the supported path.

package/dist/clients/claude/hooks/activity-start.js

@@ -1 +1 @@
-"use strict";var r=Object.defineProperty;var d=Object.getOwnPropertyDescriptor;var l=Object.getOwnPropertyNames;var g=Object.prototype.hasOwnProperty;var a=(t,s)=>r(t,"name",{value:s,configurable:!0});var f=(t,s)=>{for(var e in s)r(t,e,{get:s[e],enumerable:!0})},b=(t,s,e,o)=>{if(s&&typeof s=="object"||typeof s=="function")for(let i of l(s))!g.call(t,i)&&i!==e&&r(t,i,{get:()=>s[i],enumerable:!(o=d(s,i))||o.enumerable});return t};var S=t=>b(r({},"__esModule",{value:!0}),t);var C={};f(C,{run:()=>$});module.exports=S(C);var u=require("../../../hooks/core/activity"),n=require("../../../lib/logger"),p=require("../../../lib/stdin"),m=require("../../../otel/claude/daemon/ensure");async function $(t){let s;try{s=JSON.parse((0,p.readStdin)())}catch(c){n.logger.debug(`failed to parse stdin: ${c}`),process.exit(0)}const e=s.session_id??"default",o=`${t}/.ironbee/sessions/${e}`;(0,n.setLogFile)(`${o}/session.log`);const i=`${o}/actions.jsonl`;await(0,u.startActivity)({sessionDir:o,actionsFile:i,source:"user_prompt"}),await(0,m.ensureOTELCollector)(t),process.exit(0)}a($,"run");0&&(module.exports={run});
+"use strict";var r=Object.defineProperty;var f=Object.getOwnPropertyDescriptor;var g=Object.getOwnPropertyNames;var b=Object.prototype.hasOwnProperty;var a=(s,t)=>r(s,"name",{value:t,configurable:!0});var S=(s,t)=>{for(var e in t)r(s,e,{get:t[e],enumerable:!0})},$=(s,t,e,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let i of g(t))!b.call(s,i)&&i!==e&&r(s,i,{get:()=>t[i],enumerable:!(o=f(t,i))||o.enumerable});return s};var w=s=>$(r({},"__esModule",{value:!0}),s);var A={};S(A,{run:()=>y});module.exports=w(A);var p=require("../../../hooks/core/actions"),m=require("../../../hooks/core/activity"),c=require("../../../hooks/core/session-state"),n=require("../../../lib/logger"),u=require("../../../lib/stdin"),d=require("../../../otel/claude/daemon/ensure");async function y(s){let t;try{t=JSON.parse((0,u.readStdin)())}catch(l){n.logger.debug(`failed to parse stdin: ${l}`),process.exit(0)}const e=t.session_id??"default",o=`${s}/.ironbee/sessions/${e}`;(0,n.setLogFile)(`${o}/session.log`);const i=`${o}/actions.jsonl`;await(0,c.reconcileAbandonedActivity)(o,i,p.appendAction),await(0,m.startActivity)({sessionDir:o,actionsFile:i,source:"user_prompt"}),await(0,d.ensureOTELCollector)(s),process.exit(0)}a(y,"run");0&&(module.exports={run});

package/dist/clients/claude/hooks/require-verdict.js

@@ -1,7 +1,7 @@
-"use strict";var a=Object.defineProperty;var $=Object.getOwnPropertyDescriptor;var x=Object.getOwnPropertyNames;var y=Object.prototype.hasOwnProperty;var _=(e,o)=>a(e,"name",{value:o,configurable:!0});var T=(e,o)=>{for(var i in o)a(e,i,{get:o[i],enumerable:!0})},w=(e,o,i,t)=>{if(o&&typeof o=="object"||typeof o=="function")for(let s of x(o))!y.call(e,s)&&s!==i&&a(e,s,{get:()=>o[s],enumerable:!(t=$(o,s))||t.enumerable});return e};var I=e=>w(a({},"__esModule",{value:!0}),e);var E={};T(E,{run:()=>k});module.exports=I(E);var d=require("fs"),b=require("../../../hooks/core/actions"),h=require("../../../hooks/core/activity"),C=require("../../../hooks/core/tool-use-stash"),l=require("../../../lib/config"),n=require("../../../lib/logger"),v=require("../../../lib/stdin");async function k(e,o){const i=o?.soft===!0;let t;try{t=JSON.parse((0,v.readStdin)())}catch(c){n.logger.debug(`failed to parse stdin: ${c}`),process.exit(0)}const s=t.session_id??"default";(0,n.setLogFile)(`${e}/.ironbee/sessions/${s}/session.log`);const u=`${e}/.ironbee/sessions/${s}`,f=`${u}/actions.jsonl`;!i&&(0,b.hasToolCallsSinceLastVerdict)(f)&&(process.stderr.write(`BLOCKED: You used verification tools (browser-devtools / node-devtools / backend-devtools) but did not submit a verdict. You MUST submit a verdict (pass or fail) before editing code.
+"use strict";var a=Object.defineProperty;var $=Object.getOwnPropertyDescriptor;var x=Object.getOwnPropertyNames;var y=Object.prototype.hasOwnProperty;var _=(e,o)=>a(e,"name",{value:o,configurable:!0});var T=(e,o)=>{for(var i in o)a(e,i,{get:o[i],enumerable:!0})},w=(e,o,i,t)=>{if(o&&typeof o=="object"||typeof o=="function")for(let s of x(o))!y.call(e,s)&&s!==i&&a(e,s,{get:()=>o[s],enumerable:!(t=$(o,s))||t.enumerable});return e};var I=e=>w(a({},"__esModule",{value:!0}),e);var E={};T(E,{run:()=>k});module.exports=I(E);var d=require("fs"),b=require("../../../hooks/core/actions"),h=require("../../../hooks/core/activity"),v=require("../../../hooks/core/tool-use-stash"),l=require("../../../lib/config"),n=require("../../../lib/logger"),C=require("../../../lib/stdin");async function k(e,o){const i=o?.soft===!0;let t;try{t=JSON.parse((0,C.readStdin)())}catch(c){n.logger.debug(`failed to parse stdin: ${c}`),process.exit(0)}const s=t.session_id??"default";(0,n.setLogFile)(`${e}/.ironbee/sessions/${s}/session.log`);const u=`${e}/.ironbee/sessions/${s}`,f=`${u}/actions.jsonl`;!i&&(0,b.hasToolCallsSinceLastVerdict)(f)&&(process.stderr.write(`BLOCKED: You used verification tools (browser-devtools / node-devtools / backend-devtools / android-devtools) but did not submit a verdict. You MUST submit a verdict (pass or fail) before editing code.
 
 Submit your verdict first:
   echo '{"session_id":"${s}","status":"fail","checks":["..."],"issues":["describe what failed"]}' | ironbee hook submit-verdict
 
 Then you can edit code to fix the issues.
-`),process.exit(2));const r=t.tool_input?.file_path;if(r&&t.tool_use_id){const c=(0,l.loadConfig)(e),p=(0,l.getCaptureFileChangeset)(c),g=(0,d.existsSync)(r);if(t.tool_name==="Write"||t.tool_name==="Edit"&&p){const m={file_existed:g};if(p&&g)try{m.prior_content=(0,d.readFileSync)(r,"utf-8")}catch(S){n.logger.debug(`failed to pre-read ${r} for changeset capture: ${S}`)}(0,C.stashToolUseData)(s,t.tool_use_id,m)}}await(0,h.startActivity)({sessionDir:u,actionsFile:f,source:"pre_tool_use"}),process.exit(0)}_(k,"run");0&&(module.exports={run});
+`),process.exit(2));const r=t.tool_input?.file_path;if(r&&t.tool_use_id){const c=(0,l.loadConfig)(e),p=(0,l.getCaptureFileChangeset)(c),g=(0,d.existsSync)(r);if(t.tool_name==="Write"||t.tool_name==="Edit"&&p){const m={file_existed:g};if(p&&g)try{m.prior_content=(0,d.readFileSync)(r,"utf-8")}catch(S){n.logger.debug(`failed to pre-read ${r} for changeset capture: ${S}`)}(0,v.stashToolUseData)(s,t.tool_use_id,m)}}await(0,h.startActivity)({sessionDir:u,actionsFile:f,source:"pre_tool_use"}),process.exit(0)}_(k,"run");0&&(module.exports={run});

package/dist/clients/claude/hooks/require-verification.js

@@ -1,17 +1,17 @@
-"use strict";var l=Object.defineProperty;var V=Object.getOwnPropertyDescriptor;var K=Object.getOwnPropertyNames;var B=Object.prototype.hasOwnProperty;var S=(t,o)=>l(t,"name",{value:o,configurable:!0});var F=(t,o)=>{for(var s in o)l(t,s,{get:o[s],enumerable:!0})},L=(t,o,s,n)=>{if(o&&typeof o=="object"||typeof o=="function")for(let e of K(o))!B.call(t,e)&&e!==s&&l(t,e,{get:()=>o[e],enumerable:!(n=V(o,e))||n.enumerable});return t};var j=t=>L(l({},"__esModule",{value:!0}),t);var W={};F(W,{run:()=>M});module.exports=j(W);var R=require("crypto"),i=require("../../../hooks/core/session-state"),k=require("../../../hooks/core/actions"),y=require("../../../hooks/core/activity"),E=require("../../../hooks/core/verification-lifecycle"),O=require("../../../hooks/core/verification-context"),U=require("../../../lib/config"),u=require("../../../lib/logger"),T=require("../util"),$=require("../../../lib/stdin");const D="browser-devtools";async function M(t,o){const s=o?.soft===!0;let n;try{n=JSON.parse((0,$.readStdin)())}catch(C){u.logger.debug(`failed to parse stdin: ${C}`),process.exit(0)}const e=n.session_id??"default",r=`${t}/.ironbee/sessions/${e}`;(0,u.setLogFile)(`${r}/session.log`);const m=`${r}/actions.jsonl`,_=(0,i.getActiveVerificationId)(r);!_&&!s&&(process.stderr.write(`BLOCKED: You must start a verification cycle before using devtools tools (browser-devtools / node-devtools / backend-devtools).
+"use strict";var u=Object.defineProperty;var V=Object.getOwnPropertyDescriptor;var F=Object.getOwnPropertyNames;var K=Object.prototype.hasOwnProperty;var R=(o,t)=>u(o,"name",{value:t,configurable:!0});var L=(o,t)=>{for(var n in t)u(o,n,{get:t[n],enumerable:!0})},j=(o,t,n,s)=>{if(t&&typeof t=="object"||typeof t=="function")for(let e of F(t))!K.call(o,e)&&e!==n&&u(o,e,{get:()=>t[e],enumerable:!(s=V(t,e))||s.enumerable});return o};var B=o=>j(u({},"__esModule",{value:!0}),o);var q={};L(q,{run:()=>M});module.exports=B(q);var T=require("crypto"),i=require("../../../hooks/core/session-state"),k=require("../../../hooks/core/actions"),$=require("../../../hooks/core/activity"),E=require("../../../hooks/core/verification-lifecycle"),O=require("../../../hooks/core/verification-context"),U=require("../../../lib/config"),x=require("../../../lib/recording-tools"),f=require("../../../lib/logger"),v=require("../util"),A=require("../../../lib/stdin");const D="browser-devtools";async function M(o,t){const n=t?.soft===!0;let s;try{s=JSON.parse((0,A.readStdin)())}catch(w){f.logger.debug(`failed to parse stdin: ${w}`),process.exit(0)}const e=s.session_id??"default",r=`${o}/.ironbee/sessions/${e}`;(0,f.setLogFile)(`${r}/session.log`);const _=`${r}/actions.jsonl`,h=(0,i.getActiveVerificationId)(r);!h&&!n&&(process.stderr.write(`BLOCKED: You must start a verification cycle before using devtools tools (browser-devtools / node-devtools / backend-devtools / android-devtools).
 
 Start verification first:
   echo '{"session_id":"${e}"}' | ironbee hook verification-start
 
-Then use the verification tools for the active cycle(s) \u2014 bdt_* for browser, ndt_* for node, bedt_* for backend.
-`),process.exit(2));const v=n.tool_name??"",x=v.startsWith("mcp__browser-devtools__"),A=v.endsWith("bdt_content_start-recording");!s&&x&&(0,i.isRecordingRequired)(r)&&!(0,i.isRecordingActive)(r)&&!A&&(process.stderr.write(`BLOCKED: Recording is required but not started.
+Then use the verification tools for the active cycle(s) \u2014 bdt_* for browser, ndt_* for node, bedt_* for backend, adt_* for android.
+`),process.exit(2));const b=s.tool_name??"",c=(0,x.recordingToolsForServer)((0,v.extractMcpServerName)(b));!n&&c!==null&&(0,i.isRecordingRequired)(r)&&!(0,i.isRecordingActive)(r)&&!b.endsWith(c.startTool)&&(process.stderr.write(`BLOCKED: Recording is required but not started.
 
 1. Start recording NOW:
-     Use mcp__browser-devtools__bdt_content_start-recording
+     Use mcp__${c.server}__${c.startTool}
 
-2. Run the verification (navigate, screenshot, aria, console, etc.)
+2. Run the verification flow for the active cycle(s)
 
 3. **Stop recording BEFORE submitting verdict:**
-     Use mcp__browser-devtools__bdt_content_stop-recording
+     Use mcp__${c.server}__${c.stopTool}
    submit-verdict will reject with "recording is still active" if you skip this.
-`),process.exit(2)),await(0,y.startActivity)({sessionDir:r,actionsFile:m,source:"pre_tool_use"});let c=_;s&&!c&&(c=(await(0,E.startVerification)({sessionId:e,sessionDir:r,actionsFile:m,recordingEnabled:!1})).verificationId);const N=(0,i.getActiveTraceId)(r),f=(0,i.getActiveActivityId)(r),b=(0,k.resolveProjectName)(t),p=[`prj:${b}`,`sid:${e}`];f&&p.push(`aid:${f}`),c&&p.push(`vid:${c}`);const P=`ironbee=${p.join(";")}`,d=(0,U.loadConfig)(t),h={...n.tool_input??{}},a={projectName:b,sessionId:e,activityId:f,verificationId:c,traceId:N,traceState:P,toolCallId:(0,R.randomUUID)()};n.tool_use_id&&(a.toolUseId=n.tool_use_id),a.mcpServer=(0,T.extractMcpServerName)(n.tool_name)??D;const w=(0,i.getUserEmail)(r);w&&(a.userEmail=w),d.collector?.url&&(a.collectorUrl=d.collector.url),d.collector?.apiKey&&(a.collectorApiKey=d.collector.apiKey),h._metadata=a;const g={hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"allow",updatedInput:h}},I=(0,O.buildVerificationContextOnceForCycle)({projectDir:t,sessionId:e,sessionDir:r,activeVerificationId:c,config:d});I.length>0&&g.hookSpecificOutput&&(g.hookSpecificOutput.additionalContext=I),process.stdout.write(JSON.stringify(g)),process.exit(0)}S(M,"run");0&&(module.exports={run});
+`),process.exit(2)),await(0,$.startActivity)({sessionDir:r,actionsFile:_,source:"pre_tool_use"});let d=h;n&&!d&&(d=(await(0,E.startVerification)({sessionId:e,sessionDir:r,actionsFile:_,recordingEnabled:!1})).verificationId);const N=(0,i.getActiveTraceId)(r),p=(0,i.getActiveActivityId)(r),C=(0,k.resolveProjectName)(o),g=[`prj:${C}`,`sid:${e}`];p&&g.push(`aid:${p}`),d&&g.push(`vid:${d}`);const P=`ironbee=${g.join(";")}`,l=(0,U.loadConfig)(o),I={...s.tool_input??{}},a={projectName:C,sessionId:e,activityId:p,verificationId:d,traceId:N,traceState:P,toolCallId:(0,T.randomUUID)()};s.tool_use_id&&(a.toolUseId=s.tool_use_id),a.mcpServer=(0,v.extractMcpServerName)(s.tool_name)??D;const y=(0,i.getUserEmail)(r);y&&(a.userEmail=y),l.collector?.url&&(a.collectorUrl=l.collector.url),l.collector?.apiKey&&(a.collectorApiKey=l.collector.apiKey),I._metadata=a;const m={hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"allow",updatedInput:I}},S=(0,O.buildVerificationContextOnceForCycle)({projectDir:o,sessionId:e,sessionDir:r,activeVerificationId:d,config:l});S.length>0&&m.hookSpecificOutput&&(m.hookSpecificOutput.additionalContext=S),process.stdout.write(JSON.stringify(m)),process.exit(0)}R(M,"run");0&&(module.exports={run});

package/dist/clients/claude/hooks/track-action.js

@@ -1 +1 @@
-"use strict";var y=Object.defineProperty;var F=Object.getOwnPropertyDescriptor;var V=Object.getOwnPropertyNames;var J=Object.prototype.hasOwnProperty;var c=(o,t)=>y(o,"name",{value:t,configurable:!0});var U=(o,t)=>{for(var i in t)y(o,i,{get:t[i],enumerable:!0})},z=(o,t,i,e)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of V(t))!J.call(o,n)&&n!==i&&y(o,n,{get:()=>t[n],enumerable:!(e=F(t,n))||e.enumerable});return o};var M=o=>z(y({},"__esModule",{value:!0}),o);var ot={};U(ot,{run:()=>Z});module.exports=M(ot);var _=require("../../../hooks/core/actions"),l=require("../../../hooks/core/session-state"),h=require("../../../import/ids"),I=require("../../../lib/config"),s=require("../../../lib/logger"),x=require("../../../lib/stdin"),f=require("../../../queue"),E=require("../util");const k=/callTool\(\s*['"]([^'"]+)['"]/g,N="mcp__browser-devtools__",O="bdt_",W="browser-devtools",X="node-devtools",G="backend-devtools",K=`${O}execute`,Q=`${O}content_start-recording`,Y=`${O}content_stop-recording`;function j(o){return o.startsWith(N)?o:`${N}${o}`}c(j,"toFullName");function q(o,t){if(o[t]!=="{")return;let i=0;for(let e=t;e<o.length;e++)if(o[e]==="{")i++;else if(o[e]==="}"&&(i--,i===0))return o.slice(t,e+1)}c(q,"extractBalancedBraces");function H(o){const t=typeof o=="string"?o:JSON.stringify(o??""),i=[],e=new Set;let n=k.exec(t);for(;n!==null;){const a=j(n[1]);if(!e.has(a)){e.add(a);let d;const g=n.index+n[0].length,p=t.slice(g).trimStart();if(p.startsWith(",")){const m=p.slice(1).trimStart();if(m.startsWith("{")){const u=q(m,0);if(u)try{d=JSON.parse(u)}catch{d=u}}}i.push({name:a,args:d})}n=k.exec(t)}return i}c(H,"extractNestedToolCalls");async function Z(o){let t;try{t=JSON.parse((0,x.readStdin)())}catch(v){s.logger.debug(`failed to parse stdin: ${v}`),process.exit(0)}const i=t.session_id??"default",e=`${o}/.ironbee/sessions/${i}`,n=`${e}/actions.jsonl`;(0,s.setLogFile)(`${e}/session.log`);const a=t.tool_name??"unknown",d=Date.now(),g=t.tool_input&&typeof t.tool_input=="object"&&!Array.isArray(t.tool_input)?{...t.tool_input,_metadata:void 0}:t.tool_input,p=(0,l.getActiveActivityId)(e),m=(0,l.getActiveVerificationId)(e),u=(0,l.getActiveTraceId)(e),r=(0,E.classifyTool)(a,t.tool_input),w=r.tool_type==="mcp"&&r.mcp_server===W,L=r.tool_type==="mcp"&&r.mcp_server===X,B=r.tool_type==="mcp"&&r.mcp_server===G,S=w||L||B,P=S?g:(0,E.extractClaudeToolInput)(a,g),C=typeof t.error=="string"&&t.error.length>0?t.error:void 0,T=C?t.is_interrupt?`interrupted: ${C}`:C:void 0,R={...(0,_.baseFields)(n),type:"tool_call",timestamp:d,tool_name:r.tool_name,tool_type:r.tool_type,tool_use_id:t.tool_use_id,tool_input:P,tool_input_size:$(g),tool_response:T?void 0:t.tool_response,tool_response_size:$(T?void 0:t.tool_response),activity_id:p,verification_id:m,trace_id:u,duration:typeof t.duration_ms=="number"?t.duration_ms:null,mcp_server:r.mcp_server,error:T};if(t.tool_use_id!==void 0&&t.tool_use_id.length>0&&(R.id=(0,h.deriveToolCallEventIdFromToolUseId)(i,t.tool_use_id)),S?(await(0,_.appendAction)(n,R),w&&(r.tool_name===Q?((0,l.setRecordingActive)(e,!0),s.logger.debug("track-action: recording started")):r.tool_name===Y&&((0,l.setRecordingActive)(e,!1),s.logger.debug("track-action: recording stopped")))):tt(o,i,R),s.logger.debug(`track-action: ${a}${T?" (failed)":""}`),w&&r.tool_name===K&&!T){const v=H(t.tool_input);for(const b of v){const A=(0,E.classifyTool)(b.name,b.args),D={...(0,_.baseFields)(n),type:"tool_call",timestamp:d,tool_name:A.tool_name,tool_type:A.tool_type,tool_input:b.args,activity_id:p,verification_id:m,trace_id:u,duration:null,mcp_server:A.mcp_server};await(0,_.appendAction)(n,D),s.logger.debug(`track-action (nested): ${b.name}`)}}process.exit(0)}c(Z,"run");function tt(o,t,i){if(!(0,I.isJobQueueEnabled)(o))return;const e={...i};delete e.tool_response;try{(0,f.submit)(o,t,f.SEND_EVENT_TYPE,e)}catch(n){if(n instanceof f.JobTooLargeError){s.logger.debug(`track-action: wire event too large for ${i.tool_name}; dropping`);return}s.logger.debug(`track-action: failed to submit ${i.tool_name}: ${n instanceof Error?n.message:n}`)}}c(tt,"submitEvent");function $(o){if(o==null)return 0;try{const t=typeof o=="string"?o:JSON.stringify(o);return t===void 0?0:Buffer.byteLength(t,"utf-8")}catch{return 0}}c($,"byteSize");0&&(module.exports={run});
+"use strict";var v=Object.defineProperty;var B=Object.getOwnPropertyDescriptor;var J=Object.getOwnPropertyNames;var U=Object.prototype.hasOwnProperty;var d=(t,o)=>v(t,"name",{value:o,configurable:!0});var z=(t,o)=>{for(var i in o)v(t,i,{get:o[i],enumerable:!0})},M=(t,o,i,e)=>{if(o&&typeof o=="object"||typeof o=="function")for(let n of J(o))!U.call(t,n)&&n!==i&&v(t,n,{get:()=>o[n],enumerable:!(e=B(o,n))||e.enumerable});return t};var W=t=>M(v({},"__esModule",{value:!0}),t);var eo={};z(eo,{run:()=>oo});module.exports=W(eo);var f=require("../../../hooks/core/actions"),c=require("../../../hooks/core/session-state"),$=require("../../../import/ids"),h=require("../../../lib/config"),s=require("../../../lib/logger"),I=require("../../../lib/recording-tools"),L=require("../../../lib/stdin"),g=require("../../../queue"),y=require("../util");const k=/callTool\(\s*['"]([^'"]+)['"]/g,A="mcp__browser-devtools__",X="bdt_",K="browser-devtools",Q="node-devtools",Y="backend-devtools",j="android-devtools",q=`${X}execute`;function G(t){return t.startsWith(A)?t:`${A}${t}`}d(G,"toFullName");function H(t,o){if(t[o]!=="{")return;let i=0;for(let e=o;e<t.length;e++)if(t[e]==="{")i++;else if(t[e]==="}"&&(i--,i===0))return t.slice(o,e+1)}d(H,"extractBalancedBraces");function Z(t){const o=typeof t=="string"?t:JSON.stringify(t??""),i=[],e=new Set;let n=k.exec(o);for(;n!==null;){const a=G(n[1]);if(!e.has(a)){e.add(a);let u;const p=n.index+n[0].length,m=o.slice(p).trimStart();if(m.startsWith(",")){const T=m.slice(1).trimStart();if(T.startsWith("{")){const _=H(T,0);if(_)try{u=JSON.parse(_)}catch{u=_}}}i.push({name:a,args:u})}n=k.exec(o)}return i}d(Z,"extractNestedToolCalls");async function oo(t){let o;try{o=JSON.parse((0,L.readStdin)())}catch(l){s.logger.debug(`failed to parse stdin: ${l}`),process.exit(0)}const i=o.session_id??"default",e=`${t}/.ironbee/sessions/${i}`,n=`${e}/actions.jsonl`;(0,s.setLogFile)(`${e}/session.log`);const a=o.tool_name??"unknown",u=Date.now(),p=o.tool_input&&typeof o.tool_input=="object"&&!Array.isArray(o.tool_input)?{...o.tool_input,_metadata:void 0}:o.tool_input,m=(0,c.getActiveActivityId)(e),T=(0,c.getActiveVerificationId)(e),_=(0,c.getActiveTraceId)(e),r=(0,y.classifyTool)(a,o.tool_input),S=r.tool_type==="mcp"&&r.mcp_server===K,x=r.tool_type==="mcp"&&r.mcp_server===Q,D=r.tool_type==="mcp"&&r.mcp_server===Y,V=r.tool_type==="mcp"&&r.mcp_server===j,O=S||x||D||V,F=O?p:(0,y.extractClaudeToolInput)(a,p),w=typeof o.error=="string"&&o.error.length>0?o.error:void 0,E=w?o.is_interrupt?`interrupted: ${w}`:w:void 0,C={...(0,f.baseFields)(n),type:"tool_call",timestamp:u,tool_name:r.tool_name,tool_type:r.tool_type,tool_use_id:o.tool_use_id,tool_input:F,tool_input_size:N(p),tool_response:E?void 0:o.tool_response,tool_response_size:N(E?void 0:o.tool_response),activity_id:m,verification_id:T,trace_id:_,duration:typeof o.duration_ms=="number"?o.duration_ms:null,mcp_server:r.mcp_server,error:E};if(o.tool_use_id!==void 0&&o.tool_use_id.length>0&&(C.id=(0,$.deriveToolCallEventIdFromToolUseId)(i,o.tool_use_id)),O){await(0,f.appendAction)(n,C);const l=(0,I.recordingToolsForServer)(r.mcp_server);l!==null&&(r.tool_name===l.startTool?((0,c.setRecordingActive)(e,!0),s.logger.debug(`track-action: recording started (${l.cycle})`)):r.tool_name===l.stopTool&&((0,c.setRecordingActive)(e,!1),s.logger.debug(`track-action: recording stopped (${l.cycle})`)))}else to(t,i,C);if(s.logger.debug(`track-action: ${a}${E?" (failed)":""}`),S&&r.tool_name===q&&!E){const l=Z(o.tool_input);for(const b of l){const R=(0,y.classifyTool)(b.name,b.args),P={...(0,f.baseFields)(n),type:"tool_call",timestamp:u,tool_name:R.tool_name,tool_type:R.tool_type,tool_input:b.args,activity_id:m,verification_id:T,trace_id:_,duration:null,mcp_server:R.mcp_server};await(0,f.appendAction)(n,P),s.logger.debug(`track-action (nested): ${b.name}`)}}process.exit(0)}d(oo,"run");function to(t,o,i){if(!(0,h.isJobQueueEnabled)(t))return;const e={...i};delete e.tool_response;try{(0,g.submit)(t,o,g.SEND_EVENT_TYPE,e)}catch(n){if(n instanceof g.JobTooLargeError){s.logger.debug(`track-action: wire event too large for ${i.tool_name}; dropping`);return}s.logger.debug(`track-action: failed to submit ${i.tool_name}: ${n instanceof Error?n.message:n}`)}}d(to,"submitEvent");function N(t){if(t==null)return 0;try{const o=typeof t=="string"?t:JSON.stringify(t);return o===void 0?0:Buffer.byteLength(o,"utf-8")}catch{return 0}}d(N,"byteSize");0&&(module.exports={run});

package/dist/clients/claude/index.js

@@ -1,7 +1,7 @@
-"use strict";var Z=Object.create;var b=Object.defineProperty;var ee=Object.getOwnPropertyDescriptor;var ne=Object.getOwnPropertyNames;var oe=Object.getPrototypeOf,re=Object.prototype.hasOwnProperty;var k=(t,e)=>b(t,"name",{value:e,configurable:!0});var ie=(t,e)=>{for(var n in e)b(t,n,{get:e[n],enumerable:!0})},T=(t,e,n,o)=>{if(e&&typeof e=="object"||typeof e=="function")for(let r of ne(e))!re.call(t,r)&&r!==n&&b(t,r,{get:()=>e[r],enumerable:!(o=ee(e,r))||o.enumerable});return t};var se=(t,e,n)=>(n=t!=null?Z(oe(t)):{},T(e||!t||!t.__esModule?b(n,"default",{value:t,enumerable:!0}):n,t)),te=t=>T(b({},"__esModule",{value:!0}),t);var Se={};ie(Se,{ClaudeClient:()=>ve,prepareIronBeeDir:()=>ye});module.exports=te(Se);var s=require("fs"),l=require("path"),p=require("../../lib/logger"),a=require("../../lib/output"),L=require("../../lib/gitignore"),A=require("../../lib/fs-prune"),P=require("./hooks/verify-gate"),M=require("./hooks/clear-verdict"),N=require("./hooks/track-action"),I=require("./hooks/track-action-monitor"),B=require("./hooks/session-start"),H=require("./hooks/require-verdict"),U=require("./hooks/require-verification"),j=require("./hooks/activity-start"),J=require("./hooks/activity-end"),V=require("./hooks/session-end"),d=require("../../lib/config"),D=require("../../hooks/core/actions"),F=require("../../lib/platform-section"),v=require("../../lib/install-snapshots"),w=require("./hooks/session-status");const y="browser-devtools",S="node-devtools",h="backend-devtools",ce="ironbee",ae="ironbee hook session-status";function le(t){return(0,l.join)(__dirname,"..",t,"platforms")}k(le,"platformsDirFor");function _(t,e,n){return e?(t.includes(n)||t.push(n),t):t.filter(o=>o!==n)}k(_,"syncCyclePermission");function R(t){const e=Object.keys(t);if(e.length===0)return!0;if(e.length===1&&e[0]==="mcpServers"){const n=t.mcpServers;return n===void 0||Object.keys(n).length===0}return!1}k(R,"isMcpConfigEmpty");function ue(t,e){const n=[`  - ${t}:`];!("type"in e)&&"command"in e&&n.push("      type: stdio");for(const[o,r]of Object.entries(e))if(r!==void 0)if(r!==null&&typeof r=="object"&&!Array.isArray(r)){const i=Object.entries(r);if(i.length===0)n.push(`      ${o}: {}`);else{n.push(`      ${o}:`);for(const[c,f]of i)n.push(`        ${c}: ${JSON.stringify(f)}`)}}else n.push(`      ${o}: ${JSON.stringify(r)}`);return n}k(ue,"renderInlineMcpServerYaml");function de(t,e){const n=[];if((0,d.isCycleEnabled)(e,"browser")&&n.push({key:y,entry:(0,d.getMcpServerEntry)(t)}),(0,d.isCycleEnabled)(e,"node")&&n.push({key:S,entry:(0,d.getNodeDevToolsMcpEntry)(t)}),(0,d.isCycleEnabled)(e,"backend")&&n.push({key:h,entry:(0,d.getBackendDevToolsMcpEntry)(t)}),n.length===0)return"";const o=["mcpServers:"];for(const{key:r,entry:i}of n)o.push(...ue(r,i));return o.join(`
-`)}k(de,"buildVerifierMcpServersBlock");function me(t,e){if(e.length===0)return t;const n=t.split(`
+"use strict";var ee=Object.create;var _=Object.defineProperty;var ne=Object.getOwnPropertyDescriptor;var oe=Object.getOwnPropertyNames;var re=Object.getPrototypeOf,ie=Object.prototype.hasOwnProperty;var v=(t,e)=>_(t,"name",{value:e,configurable:!0});var se=(t,e)=>{for(var n in e)_(t,n,{get:e[n],enumerable:!0})},C=(t,e,n,o)=>{if(e&&typeof e=="object"||typeof e=="function")for(let r of oe(e))!ie.call(t,r)&&r!==n&&_(t,r,{get:()=>e[r],enumerable:!(o=ne(e,r))||o.enumerable});return t};var te=(t,e,n)=>(n=t!=null?ee(re(t)):{},C(e||!t||!t.__esModule?_(n,"default",{value:t,enumerable:!0}):n,t)),ce=t=>C(_({},"__esModule",{value:!0}),t);var he={};se(he,{ClaudeClient:()=>ye,prepareIronBeeDir:()=>Se});module.exports=ce(he);var s=require("fs"),l=require("path"),k=require("../../lib/logger"),a=require("../../lib/output"),M=require("../../lib/gitignore"),P=require("../../lib/fs-prune"),N=require("./hooks/verify-gate"),I=require("./hooks/clear-verdict"),B=require("./hooks/track-action"),H=require("./hooks/track-action-monitor"),U=require("./hooks/session-start"),J=require("./hooks/require-verdict"),V=require("./hooks/require-verification"),j=require("./hooks/activity-start"),D=require("./hooks/activity-end"),F=require("./hooks/session-end"),u=require("../../lib/config"),X=require("../../hooks/core/actions"),x=require("../../lib/platform-section"),y=require("../../lib/install-snapshots"),$=require("./hooks/session-status");const S="browser-devtools",h="node-devtools",b="backend-devtools",E="android-devtools",ae="ironbee",le="ironbee hook session-status";function ue(t){return(0,l.join)(__dirname,"..",t,"platforms")}v(ue,"platformsDirFor");function w(t,e,n){return e?(t.includes(n)||t.push(n),t):t.filter(o=>o!==n)}v(w,"syncCyclePermission");function L(t){const e=Object.keys(t);if(e.length===0)return!0;if(e.length===1&&e[0]==="mcpServers"){const n=t.mcpServers;return n===void 0||Object.keys(n).length===0}return!1}v(L,"isMcpConfigEmpty");function de(t,e){const n=[`  - ${t}:`];!("type"in e)&&"command"in e&&n.push("      type: stdio");for(const[o,r]of Object.entries(e))if(r!==void 0)if(r!==null&&typeof r=="object"&&!Array.isArray(r)){const i=Object.entries(r);if(i.length===0)n.push(`      ${o}: {}`);else{n.push(`      ${o}:`);for(const[c,m]of i)n.push(`        ${c}: ${JSON.stringify(m)}`)}}else n.push(`      ${o}: ${JSON.stringify(r)}`);return n}v(de,"renderInlineMcpServerYaml");function me(t,e){const n=[];if((0,u.isCycleEnabled)(e,"browser")&&n.push({key:S,entry:(0,u.getMcpServerEntry)(t)}),(0,u.isCycleEnabled)(e,"node")&&n.push({key:h,entry:(0,u.getNodeDevToolsMcpEntry)(t)}),(0,u.isCycleEnabled)(e,"backend")&&n.push({key:b,entry:(0,u.getBackendDevToolsMcpEntry)(t)}),(0,u.isCycleEnabled)(e,"android")&&n.push({key:E,entry:(0,u.getAndroidDevToolsMcpEntry)(t)}),n.length===0)return"";const o=["mcpServers:"];for(const{key:r,entry:i}of n)o.push(...de(r,i));return o.join(`
+`)}v(me,"buildVerifierMcpServersBlock");function fe(t,e){if(e.length===0)return t;const n=t.split(`
 `);if(n[0]!=="---")return t;let o=-1;for(let c=1;c<n.length;c++)if(n[c]==="---"){o=c;break}if(o<0)return t;const r=n.slice(0,o),i=n.slice(o);return[...r,...e.split(`
 `),...i].join(`
-`)}k(me,"injectVerifierMcpServers");function fe(t,e){if(!e)return t;const n=t.split(`
+`)}v(fe,"injectVerifierMcpServers");function ge(t,e){if(!e)return t;const n=t.split(`
 `);if(n[0]!=="---")return t;let o=-1;for(let c=1;c<n.length;c++)if(n[c]==="---"){o=c;break}if(o<0)return t;const r=n.slice(0,o);if(r.some(c=>/^model\s*:/.test(c)))return t;const i=n.slice(o);return[...r,`model: ${e}`,...i].join(`
-`)}k(fe,"injectVerifierModel");function ge(t){const e=new Set(["hooks","permissions"]);for(const n of Object.keys(t))if(!e.has(n))return!1;if(t.hooks!==void 0&&Object.keys(t.hooks).length>0)return!1;if(t.permissions!==void 0){const n=t.permissions.allow??[],o=t.permissions.deny??[];if(n.length>0||o.length>0)return!1}return!0}k(ge,"isClaudeSettingsEmpty");const pe=["CLAUDE_CODE_ENABLE_TELEMETRY","OTEL_LOGS_EXPORTER","OTEL_METRICS_EXPORTER","OTEL_EXPORTER_OTLP_PROTOCOL","OTEL_EXPORTER_OTLP_ENDPOINT","OTEL_LOG_RAW_API_BODIES","OTEL_RESOURCE_ATTRIBUTES","OTEL_LOGS_EXPORT_INTERVAL"];function C(t){const e=t.OTEL_RESOURCE_ATTRIBUTES;return typeof e=="string"&&e.includes("ironbee.project_name")}k(C,"otelEnvOwnedByUs");function ke(t){return t.replace(/[,=\s]+/g,"-").replace(/^-+|-+$/g,"")||"project"}k(ke,"sanitizeResourceValue");class ve{constructor(){this.name="claude";this.supportsVerifierModel=!0}static{k(this,"ClaudeClient")}detect(e){return(0,s.existsSync)((0,l.join)(e,".claude"))}resolveProjectDir(){return process.env.CLAUDE_PROJECT_DIR??process.cwd()}resolveAgentSessionId(e,n){const o=process.env.CLAUDE_CODE_SESSION_ID;return typeof o=="string"&&o.length>0?o:void 0}async runSessionStatus(){const{runSessionStatus:e}=await Promise.resolve().then(()=>se(require("./hooks/session-status")));await e()}install(e,n){const o=n??(0,d.loadConfig)(e),r=(0,d.getVerificationMode)(o),i=r!=="monitor";this.cleanupArtifacts(e);const c=(0,l.join)(e,".claude"),f=(0,l.join)(c,"skills"),m=(0,l.join)(c,"rules"),g=(0,l.join)(c,"commands");(0,s.mkdirSync)(f,{recursive:!0}),(0,s.mkdirSync)(m,{recursive:!0}),(0,s.mkdirSync)(g,{recursive:!0});const u=(0,l.join)(c,"settings.json");if(this.mergeHooksConfig(u,r),this.writePermissions(u,i,e),(0,d.isOTELEnabled)(o)&&this.writeOTELEnv(u,e,o),this.installStatusLine(e,o),i){if(r==="enforce"){const K=(0,l.join)(f,"ironbee-verification.md"),W=(0,s.readFileSync)((0,l.join)(__dirname,"skills","ironbee-verification.md"),"utf-8");(0,s.writeFileSync)(K,W);const Y=(0,l.join)(m,"ironbee-verification.md"),Q=(0,s.readFileSync)((0,l.join)(__dirname,"rules","ironbee-verification.md"),"utf-8");(0,s.writeFileSync)(Y,Q)}const E=(0,l.join)(g,"ironbee-verify.md"),X=(0,s.readFileSync)((0,l.join)(__dirname,"commands","ironbee-verify.md"),"utf-8");(0,s.writeFileSync)(E,X);const O=(0,l.join)(c,"agents");(0,s.mkdirSync)(O,{recursive:!0});const x=(0,l.join)(O,"ironbee-verifier.md"),G=(0,s.readFileSync)((0,l.join)(__dirname,"agents","ironbee-verifier.md"),"utf-8"),z=me(G,de(e,o)),q=fe(z,(0,d.getVerificationModel)(o,"claude"));(0,s.writeFileSync)(x,q);const $=(0,l.join)(e,".mcp.json");this.writeMcpConfig($,e),(0,F.syncPlatformSectionsToConfig)(e,le),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} settings ${a.pc.dim("\u2192")} ${a.pc.dim(u)}`),r==="enforce"?(console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} skills   ${a.pc.dim("\u2192")} ${a.pc.dim(f)}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} rule     ${a.pc.dim("\u2192")} ${a.pc.dim(m)}`)):console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("assist mode")} (verification.auto: false) \u2014 manual /ironbee-verify only, no enforcement`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} commands ${a.pc.dim("\u2192")} ${a.pc.dim(g)}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} agents   ${a.pc.dim("\u2192")} ${a.pc.dim((0,l.join)(c,"agents"))}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} mcp      ${a.pc.dim("\u2192")} ${a.pc.dim($)}`)}else console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("monitoring-only mode")} (verification.enable: false)`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} settings ${a.pc.dim("\u2192")} ${a.pc.dim(u)}`)}uninstall(e){this.cleanupArtifacts(e),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} removed hooks, skill, rule, command, MCP, and permissions`)}cleanupArtifacts(e){const n=(0,l.join)(e,".claude"),o=(0,l.join)(n,"skills","ironbee-verification.md"),r=(0,l.join)(n,"skills","ironbee-analyze.md"),i=(0,l.join)(n,"rules","ironbee-verification.md"),c=(0,l.join)(n,"commands","ironbee-analyze.md"),f=(0,l.join)(n,"commands","ironbee-verify.md"),m=(0,l.join)(n,"agents","ironbee-verifier.md");this.removeFile(o),this.removeFile(r),this.removeFile(i),this.removeFile(c),this.removeFile(f),this.removeFile(m);const g=(0,l.join)(n,"settings.json");this.removeIronBeeHooks(g),this.removePermission(g),this.removeOTELEnv(g),this.maybeDeleteEmptySettings(g);const u=(0,l.join)(e,".mcp.json");this.removeMcpServer(u),this.uninstallStatusLine(e),(0,A.pruneEmptyDirs)(n)}installStatusLine(e,n){if(!(0,d.isSessionStatusEnabled)(n))return;const o=(0,l.join)(e,".claude","settings.local.json"),r=this.readStatusLineBlock(o);r&&!(0,w.isIronbeeStatusLine)(r.command)&&(0,v.readStatusLineSnapshot)(e,"claude")===void 0&&(0,v.upsertStatusLineSnapshot)(e,"claude",r);const i={type:"command",command:ae},c=(0,d.getStatusLineRefreshInterval)(n);c!==void 0&&(i.refreshInterval=c),this.writeStatusLineBlock(o,i),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} statusline ${a.pc.dim("\u2192")} ${a.pc.dim(o)}`)}uninstallStatusLine(e){const n=(0,l.join)(e,".claude","settings.local.json"),o=(0,v.readStatusLineSnapshot)(e,"claude");if(o){this.writeStatusLineBlock(n,o),(0,v.clearStatusLineSnapshot)(e,"claude");return}const r=this.readStatusLineBlock(n);r&&(0,w.isIronbeeStatusLine)(r.command)&&this.removeStatusLineBlock(n)}readStatusLineBlock(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object")return;const o=n.statusLine;if(o===null||typeof o!="object")return;const r=o.command;if(typeof r!="string"||r.length===0)return;const i=o.padding,c=o.refreshInterval,f={type:"command",command:r};return typeof i=="number"&&(f.padding=i),typeof c=="number"&&(f.refreshInterval=c),f}catch(n){p.logger.debug(`failed to read statusLine from ${e}: ${n}`);return}}writeStatusLineBlock(e,n){let o={};if((0,s.existsSync)(e))try{const r=JSON.parse((0,s.readFileSync)(e,"utf-8"));r!==null&&typeof r=="object"&&!Array.isArray(r)&&(o=r)}catch(r){p.logger.debug(`failed to read ${e} for statusLine write: ${r}`)}else(0,s.mkdirSync)((0,l.join)(e,".."),{recursive:!0});o.statusLine=n,(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}removeStatusLineBlock(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object"||Array.isArray(n))return;const o=n;delete o.statusLine,Object.keys(o).length===0?(0,s.unlinkSync)(e):(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}catch(n){p.logger.debug(`failed to remove statusLine from ${e}: ${n}`)}}writeOTELEnv(e,n,o){let r={};if((0,s.existsSync)(e))try{const u=JSON.parse((0,s.readFileSync)(e,"utf-8"));u!==null&&typeof u=="object"&&!Array.isArray(u)&&(r=u)}catch(u){p.logger.debug(`failed to read ${e} for otel env write: ${u}`)}else(0,s.mkdirSync)((0,l.join)(e,".."),{recursive:!0});const i=r.env,c=i!==null&&typeof i=="object"&&!Array.isArray(i)?i:{},f=c.OTEL_EXPORTER_OTLP_ENDPOINT;if(typeof f=="string"&&f.length>0&&!C(c)){console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("existing OTEL telemetry env detected \u2014 left untouched (session_context not wired for this project)")}`);return}const m=(0,d.getOTELPort)(o),g=ke((0,D.resolveProjectName)(n));c.CLAUDE_CODE_ENABLE_TELEMETRY="1",c.OTEL_LOGS_EXPORTER="otlp",c.OTEL_METRICS_EXPORTER="none",c.OTEL_EXPORTER_OTLP_PROTOCOL="http/json",c.OTEL_EXPORTER_OTLP_ENDPOINT=`http://127.0.0.1:${m}`,c.OTEL_LOG_RAW_API_BODIES="file:.ironbee/otel",c.OTEL_RESOURCE_ATTRIBUTES=`ironbee.project_name=${g}`,c.OTEL_LOGS_EXPORT_INTERVAL="5000",r.env=c,(0,s.writeFileSync)(e,JSON.stringify(r,null,2)),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} otel env ${a.pc.dim("\u2192")} ${a.pc.dim(`${e} (127.0.0.1:${m})`)}`)}removeOTELEnv(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object"||Array.isArray(n))return;const o=n,r=o.env;if(r===null||typeof r!="object"||Array.isArray(r))return;const i=r;if(!C(i))return;for(const c of pe)delete i[c];Object.keys(i).length===0&&delete o.env,(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}catch(n){p.logger.debug(`failed to remove otel env from ${e}: ${n}`)}}maybeDeleteEmptySettings(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));ge(n)&&(0,s.unlinkSync)(e)}catch(n){p.logger.debug(`failed to inspect ${e} for emptiness: ${n}`)}}async runVerifyGate(e){await(0,P.run)(e)}async runClearVerdict(e){await(0,M.run)(e)}async runTrackAction(e){await(0,N.run)(e)}async runSessionStart(e){await(0,B.run)(e)}async runRequireVerdict(e,n){await(0,H.run)(e,n)}async runRequireVerification(e,n){await(0,U.run)(e,n)}async runActivityStart(e){await(0,j.run)(e)}async runActivityEnd(e){await(0,J.run)(e)}async runTrackActionMonitor(e){await(0,I.run)(e)}async runSessionEnd(e){await(0,V.run)(e)}async runTrackActionPre(e){}isIronBeeHook(e){return e.hooks.some(n=>n.command.includes(ce))}mergeHooksConfig(e,n){const o=n!=="monitor",r=n==="assist"?" --soft":"";let i={};if((0,s.existsSync)(e))try{i=JSON.parse((0,s.readFileSync)(e,"utf-8"))}catch(m){p.logger.debug(`failed to parse ${e}: ${m}`),i={}}i.hooks||(i.hooks={});for(const m of Object.keys(i.hooks)){const g=i.hooks[m].filter(u=>!this.isIronBeeHook(u));g.length===0?delete i.hooks[m]:i.hooks[m]=g}i.hooks.SessionStart||(i.hooks.SessionStart=[]),i.hooks.SessionStart.push({matcher:"",hooks:[{type:"command",command:"ironbee hook session-start --client claude"}]}),i.hooks.UserPromptSubmit||(i.hooks.UserPromptSubmit=[]),i.hooks.UserPromptSubmit.push({matcher:"",hooks:[{type:"command",command:"ironbee hook activity-start --client claude"}]}),o&&(i.hooks.PreToolUse||(i.hooks.PreToolUse=[]),i.hooks.PreToolUse.push({matcher:"mcp__browser-devtools__.*|mcp__node-devtools__.*|mcp__backend-devtools__.*",hooks:[{type:"command",command:`ironbee hook require-verification --client claude${r}`}]}),i.hooks.PreToolUse.push({matcher:"Write|Edit",hooks:[{type:"command",command:`ironbee hook require-verdict --client claude${r}`}]}),i.hooks.PostToolUse||(i.hooks.PostToolUse=[]),i.hooks.PostToolUse.push({matcher:"Write|Edit",hooks:[{type:"command",command:"ironbee hook clear-verdict --client claude"}]})),i.hooks.PostToolUse||(i.hooks.PostToolUse=[]);const c=o?"ironbee hook track-action --client claude":"ironbee hook track-action-monitor --client claude";i.hooks.PostToolUse.push({matcher:"",hooks:[{type:"command",command:c}]}),i.hooks.PostToolUseFailure||(i.hooks.PostToolUseFailure=[]),i.hooks.PostToolUseFailure.push({matcher:"",hooks:[{type:"command",command:c}]}),i.hooks.Stop||(i.hooks.Stop=[]);const f=n==="enforce"?"ironbee hook verify-gate --client claude":"ironbee hook activity-end --client claude";i.hooks.Stop.push({matcher:"",hooks:[{type:"command",command:f}]}),i.hooks.SessionEnd||(i.hooks.SessionEnd=[]),i.hooks.SessionEnd.push({matcher:"",hooks:[{type:"command",command:"ironbee hook session-end --client claude"}]}),(0,s.writeFileSync)(e,JSON.stringify(i,null,2))}removeIronBeeHooks(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(!n.hooks)return;for(const o of Object.keys(n.hooks)){const r=n.hooks[o].filter(i=>!this.isIronBeeHook(i));r.length===0?delete n.hooks[o]:n.hooks[o]=r}(0,s.writeFileSync)(e,JSON.stringify(n,null,2))}catch(n){p.logger.debug(`failed to remove hooks from ${e}: ${n}`)}}removeMcpServer(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));let o=!1;n.mcpServers&&n.mcpServers[y]&&(delete n.mcpServers[y],o=!0),n.mcpServers&&n.mcpServers[S]&&(delete n.mcpServers[S],o=!0),n.mcpServers&&n.mcpServers[h]&&(delete n.mcpServers[h],o=!0),R(n)?(0,s.unlinkSync)(e):o&&(0,s.writeFileSync)(e,JSON.stringify(n,null,2))}catch(n){p.logger.debug(`failed to remove MCP server from ${e}: ${n}`)}}removePermission(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8")),o=`mcp__${y}__*`,r=`mcp__${S}__*`,i=`mcp__${h}__*`,c="Bash(ironbee *)",f="Bash(ironbee analyze)";n.permissions?.allow&&(n.permissions.allow=n.permissions.allow.filter(m=>m!==o&&m!==r&&m!==i&&m!==c&&m!==f),(0,s.writeFileSync)(e,JSON.stringify(n,null,2)))}catch(n){p.logger.debug(`failed to remove permission from ${e}: ${n}`)}}removeFile(e){(0,s.existsSync)(e)&&(0,s.unlinkSync)(e)}writeMcpConfig(e,n){let o={mcpServers:{}};if((0,s.existsSync)(e))try{o=JSON.parse((0,s.readFileSync)(e,"utf-8")),o.mcpServers||(o.mcpServers={})}catch(r){p.logger.debug(`failed to parse ${e}: ${r}`),o={mcpServers:{}}}if(delete o.mcpServers[y],delete o.mcpServers[S],delete o.mcpServers[h],R(o)){try{(0,s.rmSync)(e,{force:!0})}catch(r){p.logger.debug(`failed to remove empty ${e}: ${r}`)}return}(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}writePermissions(e,n,o){let r={};if((0,s.existsSync)(e))try{r=JSON.parse((0,s.readFileSync)(e,"utf-8"))}catch(u){p.logger.debug(`failed to parse ${e}: ${u}`),r={}}r.permissions||(r.permissions={allow:[],deny:[]}),r.permissions.allow||(r.permissions.allow=[]);const i=`mcp__${y}__*`,c=`mcp__${S}__*`,f=`mcp__${h}__*`,m="Bash(ironbee *)",g="Bash(ironbee analyze)";if(n){const u=(0,d.loadConfig)(o);r.permissions.allow=_(r.permissions.allow,(0,d.isCycleEnabled)(u,"browser"),i),r.permissions.allow=_(r.permissions.allow,(0,d.isCycleEnabled)(u,"node"),c),r.permissions.allow=_(r.permissions.allow,(0,d.isCycleEnabled)(u,"backend"),f),r.permissions.allow=r.permissions.allow.filter(E=>E!==g),r.permissions.allow.includes(m)||r.permissions.allow.push(m)}else r.permissions.allow=r.permissions.allow.filter(u=>u!==i&&u!==c&&u!==f&&u!==m&&u!==g);(0,s.writeFileSync)(e,JSON.stringify(r,null,2))}}function ye(t){(0,s.mkdirSync)((0,l.join)(t,".ironbee"),{recursive:!0}),(0,L.ensureIronBeeGitignored)(t)}k(ye,"prepareIronBeeDir");0&&(module.exports={ClaudeClient,prepareIronBeeDir});
+`)}v(ge,"injectVerifierModel");function pe(t){const e=new Set(["hooks","permissions"]);for(const n of Object.keys(t))if(!e.has(n))return!1;if(t.hooks!==void 0&&Object.keys(t.hooks).length>0)return!1;if(t.permissions!==void 0){const n=t.permissions.allow??[],o=t.permissions.deny??[];if(n.length>0||o.length>0)return!1}return!0}v(pe,"isClaudeSettingsEmpty");const ke=["CLAUDE_CODE_ENABLE_TELEMETRY","OTEL_LOGS_EXPORTER","OTEL_METRICS_EXPORTER","OTEL_EXPORTER_OTLP_PROTOCOL","OTEL_EXPORTER_OTLP_ENDPOINT","OTEL_LOG_RAW_API_BODIES","OTEL_RESOURCE_ATTRIBUTES","OTEL_LOGS_EXPORT_INTERVAL"];function A(t){const e=t.OTEL_RESOURCE_ATTRIBUTES;return typeof e=="string"&&e.includes("ironbee.project_name")}v(A,"otelEnvOwnedByUs");function ve(t){return t.replace(/[,=\s]+/g,"-").replace(/^-+|-+$/g,"")||"project"}v(ve,"sanitizeResourceValue");class ye{constructor(){this.name="claude";this.supportsVerifierModel=!0}static{v(this,"ClaudeClient")}detect(e){return(0,s.existsSync)((0,l.join)(e,".claude"))}resolveProjectDir(){return process.env.CLAUDE_PROJECT_DIR??process.cwd()}resolveAgentSessionId(e,n){const o=process.env.CLAUDE_CODE_SESSION_ID;return typeof o=="string"&&o.length>0?o:void 0}async runSessionStatus(){const{runSessionStatus:e}=await Promise.resolve().then(()=>te(require("./hooks/session-status")));await e()}install(e,n){const o=n??(0,u.loadConfig)(e),r=(0,u.getVerificationMode)(o),i=r!=="monitor";this.cleanupArtifacts(e);const c=(0,l.join)(e,".claude"),m=(0,l.join)(c,"skills"),f=(0,l.join)(c,"rules"),d=(0,l.join)(c,"commands");(0,s.mkdirSync)(m,{recursive:!0}),(0,s.mkdirSync)(f,{recursive:!0}),(0,s.mkdirSync)(d,{recursive:!0});const g=(0,l.join)(c,"settings.json");if(this.mergeHooksConfig(g,r),this.writePermissions(g,i,e),(0,u.isOTELEnabled)(o)&&this.writeOTELEnv(g,e,o),this.installStatusLine(e,o),i){if(r==="enforce"){const W=(0,l.join)(m,"ironbee-verification.md"),Y=(0,s.readFileSync)((0,l.join)(__dirname,"skills","ironbee-verification.md"),"utf-8");(0,s.writeFileSync)(W,Y);const Q=(0,l.join)(f,"ironbee-verification.md"),Z=(0,s.readFileSync)((0,l.join)(__dirname,"rules","ironbee-verification.md"),"utf-8");(0,s.writeFileSync)(Q,Z)}const p=(0,l.join)(d,"ironbee-verify.md"),O=(0,s.readFileSync)((0,l.join)(__dirname,"commands","ironbee-verify.md"),"utf-8");(0,s.writeFileSync)(p,O);const T=(0,l.join)(c,"agents");(0,s.mkdirSync)(T,{recursive:!0});const G=(0,l.join)(T,"ironbee-verifier.md"),z=(0,s.readFileSync)((0,l.join)(__dirname,"agents","ironbee-verifier.md"),"utf-8"),q=fe(z,me(e,o)),K=ge(q,(0,u.getVerificationModel)(o,"claude"));(0,s.writeFileSync)(G,K);const R=(0,l.join)(e,".mcp.json");this.writeMcpConfig(R,e),(0,x.syncPlatformSectionsToConfig)(e,ue),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} settings ${a.pc.dim("\u2192")} ${a.pc.dim(g)}`),r==="enforce"?(console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} skills   ${a.pc.dim("\u2192")} ${a.pc.dim(m)}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} rule     ${a.pc.dim("\u2192")} ${a.pc.dim(f)}`)):console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("assist mode")} (verification.auto: false) \u2014 manual /ironbee-verify only, no enforcement`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} commands ${a.pc.dim("\u2192")} ${a.pc.dim(d)}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} agents   ${a.pc.dim("\u2192")} ${a.pc.dim((0,l.join)(c,"agents"))}`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} mcp      ${a.pc.dim("\u2192")} ${a.pc.dim(R)}`)}else console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("monitoring-only mode")} (verification.enable: false)`),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} settings ${a.pc.dim("\u2192")} ${a.pc.dim(g)}`)}uninstall(e){this.cleanupArtifacts(e),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} removed hooks, skill, rule, command, MCP, and permissions`)}cleanupArtifacts(e){const n=(0,l.join)(e,".claude"),o=(0,l.join)(n,"skills","ironbee-verification.md"),r=(0,l.join)(n,"skills","ironbee-analyze.md"),i=(0,l.join)(n,"rules","ironbee-verification.md"),c=(0,l.join)(n,"commands","ironbee-analyze.md"),m=(0,l.join)(n,"commands","ironbee-verify.md"),f=(0,l.join)(n,"agents","ironbee-verifier.md");this.removeFile(o),this.removeFile(r),this.removeFile(i),this.removeFile(c),this.removeFile(m),this.removeFile(f);const d=(0,l.join)(n,"settings.json");this.removeIronBeeHooks(d),this.removePermission(d),this.removeOTELEnv(d),this.maybeDeleteEmptySettings(d);const g=(0,l.join)(e,".mcp.json");this.removeMcpServer(g),this.uninstallStatusLine(e),(0,P.pruneEmptyDirs)(n)}installStatusLine(e,n){if(!(0,u.isSessionStatusEnabled)(n))return;const o=(0,l.join)(e,".claude","settings.local.json"),r=this.readStatusLineBlock(o);r&&!(0,$.isIronbeeStatusLine)(r.command)&&(0,y.readStatusLineSnapshot)(e,"claude")===void 0&&(0,y.upsertStatusLineSnapshot)(e,"claude",r);const i={type:"command",command:le},c=(0,u.getStatusLineRefreshInterval)(n);c!==void 0&&(i.refreshInterval=c),this.writeStatusLineBlock(o,i),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} statusline ${a.pc.dim("\u2192")} ${a.pc.dim(o)}`)}uninstallStatusLine(e){const n=(0,l.join)(e,".claude","settings.local.json"),o=(0,y.readStatusLineSnapshot)(e,"claude");if(o){this.writeStatusLineBlock(n,o),(0,y.clearStatusLineSnapshot)(e,"claude");return}const r=this.readStatusLineBlock(n);r&&(0,$.isIronbeeStatusLine)(r.command)&&this.removeStatusLineBlock(n)}readStatusLineBlock(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object")return;const o=n.statusLine;if(o===null||typeof o!="object")return;const r=o.command;if(typeof r!="string"||r.length===0)return;const i=o.padding,c=o.refreshInterval,m={type:"command",command:r};return typeof i=="number"&&(m.padding=i),typeof c=="number"&&(m.refreshInterval=c),m}catch(n){k.logger.debug(`failed to read statusLine from ${e}: ${n}`);return}}writeStatusLineBlock(e,n){let o={};if((0,s.existsSync)(e))try{const r=JSON.parse((0,s.readFileSync)(e,"utf-8"));r!==null&&typeof r=="object"&&!Array.isArray(r)&&(o=r)}catch(r){k.logger.debug(`failed to read ${e} for statusLine write: ${r}`)}else(0,s.mkdirSync)((0,l.join)(e,".."),{recursive:!0});o.statusLine=n,(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}removeStatusLineBlock(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object"||Array.isArray(n))return;const o=n;delete o.statusLine,Object.keys(o).length===0?(0,s.unlinkSync)(e):(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}catch(n){k.logger.debug(`failed to remove statusLine from ${e}: ${n}`)}}writeOTELEnv(e,n,o){let r={};if((0,s.existsSync)(e))try{const g=JSON.parse((0,s.readFileSync)(e,"utf-8"));g!==null&&typeof g=="object"&&!Array.isArray(g)&&(r=g)}catch(g){k.logger.debug(`failed to read ${e} for otel env write: ${g}`)}else(0,s.mkdirSync)((0,l.join)(e,".."),{recursive:!0});const i=r.env,c=i!==null&&typeof i=="object"&&!Array.isArray(i)?i:{},m=c.OTEL_EXPORTER_OTLP_ENDPOINT;if(typeof m=="string"&&m.length>0&&!A(c)){console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} ${a.pc.yellow("existing OTEL telemetry env detected \u2014 left untouched (session_context not wired for this project)")}`);return}const f=(0,u.getOTELPort)(o),d=ve((0,X.resolveProjectName)(n));c.CLAUDE_CODE_ENABLE_TELEMETRY="1",c.OTEL_LOGS_EXPORTER="otlp",c.OTEL_METRICS_EXPORTER="none",c.OTEL_EXPORTER_OTLP_PROTOCOL="http/json",c.OTEL_EXPORTER_OTLP_ENDPOINT=`http://127.0.0.1:${f}`,c.OTEL_LOG_RAW_API_BODIES="file:.ironbee/otel",c.OTEL_RESOURCE_ATTRIBUTES=`ironbee.project_name=${d}`,c.OTEL_LOGS_EXPORT_INTERVAL="5000",r.env=c,(0,s.writeFileSync)(e,JSON.stringify(r,null,2)),console.log(`  ${a.pc.dim("\u2192")} ${(0,a.orange)("[claude]")} otel env ${a.pc.dim("\u2192")} ${a.pc.dim(`${e} (127.0.0.1:${f})`)}`)}removeOTELEnv(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(n===null||typeof n!="object"||Array.isArray(n))return;const o=n,r=o.env;if(r===null||typeof r!="object"||Array.isArray(r))return;const i=r;if(!A(i))return;for(const c of ke)delete i[c];Object.keys(i).length===0&&delete o.env,(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}catch(n){k.logger.debug(`failed to remove otel env from ${e}: ${n}`)}}maybeDeleteEmptySettings(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));pe(n)&&(0,s.unlinkSync)(e)}catch(n){k.logger.debug(`failed to inspect ${e} for emptiness: ${n}`)}}async runVerifyGate(e){await(0,N.run)(e)}async runClearVerdict(e){await(0,I.run)(e)}async runTrackAction(e){await(0,B.run)(e)}async runSessionStart(e){await(0,U.run)(e)}async runRequireVerdict(e,n){await(0,J.run)(e,n)}async runRequireVerification(e,n){await(0,V.run)(e,n)}async runActivityStart(e){await(0,j.run)(e)}async runActivityEnd(e){await(0,D.run)(e)}async runTrackActionMonitor(e){await(0,H.run)(e)}async runSessionEnd(e){await(0,F.run)(e)}async runTrackActionPre(e){}isIronBeeHook(e){return e.hooks.some(n=>n.command.includes(ae))}mergeHooksConfig(e,n){const o=n!=="monitor",r=n==="assist"?" --soft":"";let i={};if((0,s.existsSync)(e))try{i=JSON.parse((0,s.readFileSync)(e,"utf-8"))}catch(f){k.logger.debug(`failed to parse ${e}: ${f}`),i={}}i.hooks||(i.hooks={});for(const f of Object.keys(i.hooks)){const d=i.hooks[f].filter(g=>!this.isIronBeeHook(g));d.length===0?delete i.hooks[f]:i.hooks[f]=d}i.hooks.SessionStart||(i.hooks.SessionStart=[]),i.hooks.SessionStart.push({matcher:"",hooks:[{type:"command",command:"ironbee hook session-start --client claude"}]}),i.hooks.UserPromptSubmit||(i.hooks.UserPromptSubmit=[]),i.hooks.UserPromptSubmit.push({matcher:"",hooks:[{type:"command",command:"ironbee hook activity-start --client claude"}]}),o&&(i.hooks.PreToolUse||(i.hooks.PreToolUse=[]),i.hooks.PreToolUse.push({matcher:"mcp__browser-devtools__.*|mcp__node-devtools__.*|mcp__backend-devtools__.*|mcp__android-devtools__.*",hooks:[{type:"command",command:`ironbee hook require-verification --client claude${r}`}]}),i.hooks.PreToolUse.push({matcher:"Write|Edit",hooks:[{type:"command",command:`ironbee hook require-verdict --client claude${r}`}]}),i.hooks.PostToolUse||(i.hooks.PostToolUse=[]),i.hooks.PostToolUse.push({matcher:"Write|Edit",hooks:[{type:"command",command:"ironbee hook clear-verdict --client claude"}]})),i.hooks.PostToolUse||(i.hooks.PostToolUse=[]);const c=o?"ironbee hook track-action --client claude":"ironbee hook track-action-monitor --client claude";i.hooks.PostToolUse.push({matcher:"",hooks:[{type:"command",command:c}]}),i.hooks.PostToolUseFailure||(i.hooks.PostToolUseFailure=[]),i.hooks.PostToolUseFailure.push({matcher:"",hooks:[{type:"command",command:c}]}),i.hooks.Stop||(i.hooks.Stop=[]);const m=n==="enforce"?"ironbee hook verify-gate --client claude":"ironbee hook activity-end --client claude";i.hooks.Stop.push({matcher:"",hooks:[{type:"command",command:m}]}),i.hooks.SessionEnd||(i.hooks.SessionEnd=[]),i.hooks.SessionEnd.push({matcher:"",hooks:[{type:"command",command:"ironbee hook session-end --client claude"}]}),(0,s.writeFileSync)(e,JSON.stringify(i,null,2))}removeIronBeeHooks(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));if(!n.hooks)return;for(const o of Object.keys(n.hooks)){const r=n.hooks[o].filter(i=>!this.isIronBeeHook(i));r.length===0?delete n.hooks[o]:n.hooks[o]=r}(0,s.writeFileSync)(e,JSON.stringify(n,null,2))}catch(n){k.logger.debug(`failed to remove hooks from ${e}: ${n}`)}}removeMcpServer(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8"));let o=!1;n.mcpServers&&n.mcpServers[S]&&(delete n.mcpServers[S],o=!0),n.mcpServers&&n.mcpServers[h]&&(delete n.mcpServers[h],o=!0),n.mcpServers&&n.mcpServers[b]&&(delete n.mcpServers[b],o=!0),n.mcpServers&&n.mcpServers[E]&&(delete n.mcpServers[E],o=!0),L(n)?(0,s.unlinkSync)(e):o&&(0,s.writeFileSync)(e,JSON.stringify(n,null,2))}catch(n){k.logger.debug(`failed to remove MCP server from ${e}: ${n}`)}}removePermission(e){if((0,s.existsSync)(e))try{const n=JSON.parse((0,s.readFileSync)(e,"utf-8")),o=`mcp__${S}__*`,r=`mcp__${h}__*`,i=`mcp__${b}__*`,c=`mcp__${E}__*`,m="Bash(ironbee *)",f="Bash(ironbee analyze)";n.permissions?.allow&&(n.permissions.allow=n.permissions.allow.filter(d=>d!==o&&d!==r&&d!==i&&d!==c&&d!==m&&d!==f),(0,s.writeFileSync)(e,JSON.stringify(n,null,2)))}catch(n){k.logger.debug(`failed to remove permission from ${e}: ${n}`)}}removeFile(e){(0,s.existsSync)(e)&&(0,s.unlinkSync)(e)}writeMcpConfig(e,n){let o={mcpServers:{}};if((0,s.existsSync)(e))try{o=JSON.parse((0,s.readFileSync)(e,"utf-8")),o.mcpServers||(o.mcpServers={})}catch(r){k.logger.debug(`failed to parse ${e}: ${r}`),o={mcpServers:{}}}if(delete o.mcpServers[S],delete o.mcpServers[h],delete o.mcpServers[b],delete o.mcpServers[E],L(o)){try{(0,s.rmSync)(e,{force:!0})}catch(r){k.logger.debug(`failed to remove empty ${e}: ${r}`)}return}(0,s.writeFileSync)(e,JSON.stringify(o,null,2))}writePermissions(e,n,o){let r={};if((0,s.existsSync)(e))try{r=JSON.parse((0,s.readFileSync)(e,"utf-8"))}catch(p){k.logger.debug(`failed to parse ${e}: ${p}`),r={}}r.permissions||(r.permissions={allow:[],deny:[]}),r.permissions.allow||(r.permissions.allow=[]);const i=`mcp__${S}__*`,c=`mcp__${h}__*`,m=`mcp__${b}__*`,f=`mcp__${E}__*`,d="Bash(ironbee *)",g="Bash(ironbee analyze)";if(n){const p=(0,u.loadConfig)(o);r.permissions.allow=w(r.permissions.allow,(0,u.isCycleEnabled)(p,"browser"),i),r.permissions.allow=w(r.permissions.allow,(0,u.isCycleEnabled)(p,"node"),c),r.permissions.allow=w(r.permissions.allow,(0,u.isCycleEnabled)(p,"backend"),m),r.permissions.allow=w(r.permissions.allow,(0,u.isCycleEnabled)(p,"android"),f),r.permissions.allow=r.permissions.allow.filter(O=>O!==g),r.permissions.allow.includes(d)||r.permissions.allow.push(d)}else r.permissions.allow=r.permissions.allow.filter(p=>p!==i&&p!==c&&p!==m&&p!==f&&p!==d&&p!==g);(0,s.writeFileSync)(e,JSON.stringify(r,null,2))}}function Se(t){(0,s.mkdirSync)((0,l.join)(t,".ironbee"),{recursive:!0}),(0,M.ensureIronBeeGitignored)(t)}v(Se,"prepareIronBeeDir");0&&(module.exports={ClaudeClient,prepareIronBeeDir});

package/dist/clients/claude/platforms/skill.android.md

@@ -0,0 +1,65 @@
+<!-- Android mobile verification is ENABLED for this project. The Stop hook
+     enforces an android cycle whenever an edited file matches
+     `android.verifyPatterns`. -->
+
+## ⚠️ CRITICAL: when NOT to use android-devtools
+
+**`android-devtools` is ONLY for Android apps** (native Kotlin/Java + React Native / Expo with an Android target). Do **NOT** call `adt_*` tools for projects that do not have an Android target.
+
+**How to tell whether the project targets Android:**
+- `android/` directory at the project root (React Native, Expo)
+- `app/build.gradle` or `build.gradle.kts` with `com.android.application`
+- `AndroidManifest.xml` present under `android/` or `app/src/main/`
+
+If you see only `ios/`, `web/`, or no mobile directories — the project does NOT target Android. Do NOT call any `adt_*` tools.
+
+**Misconfiguration recovery.** If this cycle activated but the project isn't an Android project, the operator enabled the android cycle by mistake. The Stop hook will keep blocking with `incomplete_tools` until `maxRetries` is exhausted. Don't attempt a device connection. Stop and tell the user clearly: the project does not target Android; ask them to run `ironbee android disable` to unblock the gate.
+
+## Android flow
+
+> **Recording (only when `recording.enable` is on in config):** the gate blocks every other android tool until you first call `mcp__android-devtools__adt_content_start-recording`, and `submit-verdict` rejects with `"recording is still active"` unless you call `mcp__android-devtools__adt_content_stop-recording` after the steps below. **Treat start/stop as bookends around steps 1-3.** The recording ships to the collector as verification evidence.
+
+1. **Connect to a running device or emulator**: `mcp__android-devtools__adt_device_connect` (list available targets first with `mcp__android-devtools__adt_device_list-targets` if needed).
+   - For an emulator, the device is usually `emulator-5554`.
+   - For a physical device with USB debugging on, it will appear in the target list.
+2. **Ensure the app is running** on the target device: `mcp__android-devtools__adt_device_launch-app` with the package name.
+3. **Pick an evidence path** per changed code area:
+   - **Device-evidence path** (UI interaction confirms the change is live):
+     - Drive the app UI to exercise the changed code: `mcp__android-devtools__adt_interaction_tap`, `mcp__android-devtools__adt_interaction_input-text`, `mcp__android-devtools__adt_interaction_swipe`, `mcp__android-devtools__adt_interaction_scroll` as needed (use `mcp__android-devtools__adt_a11y_find-element` to locate elements).
+     - Take a screenshot: `mcp__android-devtools__adt_content_take-screenshot` — then STOP and visually analyze it (readability, layout, cut-off content, expected state rendered). The screenshot tells you what the user actually sees.
+     - Take a UI snapshot: `mcp__android-devtools__adt_a11y_take-ui-snapshot` — verify the view hierarchy / labels / structure match the change.
+     - Screenshot AND UI snapshot are BOTH MANDATORY on this path (the Stop hook checks each) — visual + structural evidence, like the browser cycle's screenshot + aria-snapshot pair.
+   - **Log-evidence path** (device logs confirm the changed code path executed):
+     - Read Logcat output for the tag(s) relevant to the changed code: `mcp__android-devtools__adt_o11y_log-read` or `mcp__android-devtools__adt_o11y_log-follow` (drain a follow with `mcp__android-devtools__adt_o11y_log-get-followed`, stop it with `mcp__android-devtools__adt_o11y_log-stop-follow`).
+     - Confirm expected log lines appear AND no unexpected crashes (FATAL / E/ entries for the app package).
+
+### Verdict fields
+The verdict is platform-agnostic — submit only semantic judgment:
+
+```json
+{
+  "session_id": "<sid>",
+  "status": "pass",
+  "checks": ["LoginActivity renders correctly after auth change", "no crash in Logcat"]
+}
+```
+
+On fail, include `issues`. On pass after a previous fail, include `fixes`.
+
+Android-cycle pass criteria:
+- **Device-evidence**: at least one UI interaction tool fired AND a screenshot was taken AND a UI snapshot was taken AND both show the expected UI state/structure.
+- **Log-evidence**: Logcat was read AND the expected log lines are present AND no crash (FATAL / unhandled exception) from the app's package.
+
+## Multi-cycle (browser + android simultaneously)
+
+When you edit both a web frontend file (browser-cycle) and an Android source file (android-cycle) in the same task, both cycles activate. **Single** `verification-start`, **single** `verdict.json`, **single** retry counter cover both. One platform-agnostic verdict regardless of how many cycles ran:
+
+```json
+{
+  "session_id": "<sid>",
+  "status": "pass",
+  "checks": ["web checkout form renders", "Android app shows order confirmation screen"]
+}
+```
+
+For a multi-cycle `pass`, ALL active cycles' pass criteria must hold.

package/dist/clients/codex/agents/ironbee-verifier.md

@@ -34,6 +34,12 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
    ```
    echo '{}' | ironbee hook verification-start
    ```
+   **If the delegating prompt contains a `Mode: fix` line**, pass the intent
+   along so IronBee's completion gate enforces fix-until-pass on the main agent:
+   ```
+   echo '{}' | ironbee hook verification-start --intent fix
+   ```
+   (No declared mode → plain form as above, no flag.)
 2. Build and start the application **only if it isn't already running** (check
    `docker compose ps` / process output / config — don't guess ports). **Track whether YOU
    started it**: if it was already up, the user or main agent owns it — leave it alone.
@@ -43,7 +49,8 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
 4. **Teardown — shut down ONLY what you started, every run.** If in step 2 YOU started the
    app / dev server *for this verification*, stop it now before you return. **Never stop a
    server that was already running** (user/main-agent-owned). Honor any cycle-specific
-   teardown (e.g. `bdt_content_stop-recording`) BEFORE submitting your verdict.
+   teardown noted in the platform sections (e.g. stopping an active screen recording)
+   BEFORE submitting your verdict.
 5. **Submit your verdict immediately** — do NOT wait:
    ```
    echo '<verdict-json>' | ironbee hook submit-verdict
@@ -65,3 +72,6 @@ echo '{"status":"pass","checks":["..."]}' | ironbee hook submit-verdict
 
 <!--IRONBEE:PLATFORM:backend-->
 <!--/IRONBEE:PLATFORM:backend-->
+
+<!--IRONBEE:PLATFORM:android-->
+<!--/IRONBEE:PLATFORM:android-->

package/dist/clients/codex/commands/ironbee-verify/SKILL.md

@@ -5,17 +5,29 @@ description: >
   Use when the user types `$ironbee-verify` to explicitly run the verify flow,
   or when you need to verify ad-hoc outside the normal post-edit gate. Runs the
   full multi-cycle verification (browser/node/backend as configured) and
-  submits a verdict. A custom scenario may ride along with the invocation —
-  inline text or a path to a scenario file — defining exactly what to verify.
+  submits a verdict. Default is verify-only (report the verdict and stop); a
+  leading `fix` argument adds the fix-and-re-verify loop until pass. A custom
+  scenario may ride along with the invocation — inline text or a path to a
+  scenario file — defining exactly what to verify.
 ---
 
 # IronBee Verify
 
 Verify the current code changes through real tools. The gate runs every cycle that has been wired up for this project, and all active cycles must be satisfied within a single verification cycle for `status: pass`. Each cycle has its own tools and flow — **see the platform sections near the bottom of this file** for which cycles apply and what to call. The verdict shape itself is platform-agnostic (`status`, `checks`, `issues?`, `fixes?`); the gate enforces that you called each cycle's required tools and that `checks` is non-empty.
 
+## Mode
+
+The FIRST whitespace-delimited token of whatever the user provided alongside `$ironbee-verify` selects the mode; everything after it is the scenario:
+
+- `fix` → **verify-and-fix**: on a fail verdict, fix the reported issues, rebuild, and re-verify until the verdict passes.
+- `report` → **verify-only** (the explicit form of the default).
+- Anything else, or nothing → **verify-only** (default), and the WHOLE provided text is the scenario.
+
+**Verify-only** means: submit the (possibly fail) verdict, report the issues to the user, and STOP — do **not** edit code, do **not** re-verify. The fail verdict is still recorded (that's the point — an honest status report). If the user wants the issues repaired, suggest `$ironbee-verify fix`. The mode token never overrides the gate: if enforcement blocks completion because of this turn's edits, follow the gate.
+
 ## Verification scenario
 
-A custom verification scenario may be supplied when this command is invoked — either as **inline text** or as a **path to a file** (any location, any format; it is read at run time). The scenario is whatever the user provided alongside invoking this command.
+A custom verification scenario may be supplied when this command is invoked — either as **inline text** or as a **path to a file** (any location, any format; it is read at run time). The scenario is whatever the user provided alongside invoking this command, after stripping a leading `fix` / `report` mode token (see **Mode**).
 
 - **If a scenario is supplied, it is authoritative**: verify exactly what it describes. Drive each active cycle's tools to exercise precisely the flows, states, and endpoints it names — this **replaces** the default "exercise the changed pages/endpoints" guidance.
 - **If the scenario is (or points to) a file path**, read that file with your file-read tool and treat its contents as the scenario. Do not assume a fixed location or format — read whatever path was given.
@@ -27,6 +39,8 @@ Whatever the scenario directs, the gate is unchanged — you must still call eve
 ## Universal steps
 
 1. **Start verification**: Run `echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start` via Bash (substitute the actual session ID printed by the SessionStart hook).
+   **In fix mode**, add the intent flag so IronBee's completion gate enforces fix-until-pass:
+   `echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start --intent fix`
 2. **Build and start** the application if not already running.
 3. **For every active cycle, run its flow** — driven by the **Verification scenario** above when one was supplied, otherwise as described in the platform sections near the bottom of this file. All active cycles must be exercised within this same verification cycle.
 4. **Stop** the dev server when verification is complete (every cycle — including the final one).
@@ -34,7 +48,9 @@ Whatever the scenario directs, the gate is unchanged — you must still call eve
 6. **Submit your verdict** via Bash. One verdict covers every active cycle:
     - Pass: `echo '{"session_id":"...","status":"pass","checks":["..."]}' | ironbee hook submit-verdict`
     - Fail: `echo '{"session_id":"...","status":"fail","checks":["..."],"issues":["describe what failed"]}' | ironbee hook submit-verdict`
-7. **If failed** → collect ALL issues first (finish testing every active cycle), submit one fail verdict with all issues, then fix everything, rebuild, and re-verify. Do not fix one issue at a time — batch fixes to avoid repeated build/restart cycles.
+7. **If failed** → collect ALL issues first (finish testing every active cycle) and submit ONE fail verdict with all issues. Then branch by mode:
+   - **Verify-only (default)**: report the issues to the user and stop — do not edit code. Suggest `$ironbee-verify fix` to repair them.
+   - **Fix mode (`fix` token)**: fix everything, rebuild, and re-verify until pass. Do not fix one issue at a time — batch fixes to avoid repeated build/restart cycles.
 8. If pass after a previous fail, include `"fixes"` in the verdict describing what was fixed.
 
 ---
@@ -48,6 +64,9 @@ Whatever the scenario directs, the gate is unchanged — you must still call eve
 <!--IRONBEE:PLATFORM:backend-->
 <!--/IRONBEE:PLATFORM:backend-->
 
+<!--IRONBEE:PLATFORM:android-->
+<!--/IRONBEE:PLATFORM:android-->
+
 ---
 
 ## When to FAIL
@@ -56,7 +75,7 @@ If you observe ANY problem on any active cycle — wrong data, unexpected errors
 
 **Do NOT rationalize away problems.** If something looks wrong or behaves unexpectedly, it IS wrong.
 
-**After a fail verdict, you MUST fix the issues and re-verify.** Do not just report and stop.
+**After a fail verdict in fix mode, you MUST fix the issues and re-verify** — do not just report and stop. In verify-only mode (the default) the opposite holds: report and stop; fixing without the `fix` token is overstepping.
 
 ## Verdict Quality
 

package/dist/clients/codex/hooks/require-verification.js

@@ -1,15 +1,15 @@
-"use strict";var f=Object.defineProperty;var P=Object.getOwnPropertyDescriptor;var j=Object.getOwnPropertyNames;var K=Object.prototype.hasOwnProperty;var C=(o,t)=>f(o,"name",{value:t,configurable:!0});var B=(o,t)=>{for(var s in t)f(o,s,{get:t[s],enumerable:!0})},F=(o,t,s,r)=>{if(t&&typeof t=="object"||typeof t=="function")for(let e of j(t))!K.call(o,e)&&e!==s&&f(o,e,{get:()=>t[e],enumerable:!(r=P(t,e))||r.enumerable});return o};var q=o=>F(f({},"__esModule",{value:!0}),o);var L={};B(L,{run:()=>J});module.exports=q(L);var N=require("crypto"),x=require("../../../hooks/core/activity"),i=require("../../../hooks/core/session-state"),E=require("../../../hooks/core/actions"),T=require("../../../hooks/core/verification-lifecycle"),O=require("../../../hooks/core/verification-context"),$=require("../../../lib/config"),p=require("../../../lib/logger"),U=require("../../../lib/stdin"),d=require("../util");async function J(o,t){const s=t?.soft===!0,r=(0,d.parseCodexHookStdin)((0,U.readStdin)()),e=r.session_id??"default",n=`${o}/.ironbee/sessions/${e}`,v=`${n}/actions.jsonl`;(0,p.setLogFile)(`${n}/session.log`);const b=(0,i.getActiveVerificationId)(n);if(!b&&!s){const _=`BLOCKED: You must start a verification cycle before using devtools tools.
+"use strict";var u=Object.defineProperty;var j=Object.getOwnPropertyDescriptor;var F=Object.getOwnPropertyNames;var K=Object.prototype.hasOwnProperty;var C=(o,e)=>u(o,"name",{value:e,configurable:!0});var q=(o,e)=>{for(var s in e)u(o,s,{get:e[s],enumerable:!0})},B=(o,e,s,n)=>{if(e&&typeof e=="object"||typeof e=="function")for(let t of F(e))!K.call(o,t)&&t!==s&&u(o,t,{get:()=>e[t],enumerable:!(n=j(e,t))||n.enumerable});return o};var J=o=>B(u({},"__esModule",{value:!0}),o);var H={};q(H,{run:()=>L});module.exports=J(H);var T=require("crypto"),$=require("../../../hooks/core/activity"),i=require("../../../hooks/core/session-state"),x=require("../../../hooks/core/actions"),N=require("../../../hooks/core/verification-lifecycle"),E=require("../../../hooks/core/verification-context"),O=require("../../../lib/config"),m=require("../../../lib/logger"),U=require("../../../lib/recording-tools"),A=require("../../../lib/stdin"),l=require("../util");async function L(o,e){const s=e?.soft===!0,n=(0,l.parseCodexHookStdin)((0,A.readStdin)()),t=n.session_id??"default",r=`${o}/.ironbee/sessions/${t}`,y=`${r}/actions.jsonl`;(0,m.setLogFile)(`${r}/session.log`);const b=(0,i.getActiveVerificationId)(r);if(!b&&!s){const p=`BLOCKED: You must start a verification cycle before using devtools tools.
 
 Start verification first:
-  echo '{"session_id":"${e}"}' | ironbee hook verification-start
+  echo '{"session_id":"${t}"}' | ironbee hook verification-start
 
-Then use the verification tools for the active cycle(s) \u2014 mcp__browser-devtools__bdt_* for browser, mcp__node-devtools__ndt_* for node, mcp__backend-devtools__bedt_* for backend.`;process.stdout.write(JSON.stringify({hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:_}})),process.exit(0);return}const u=r.tool_name??"",w=(0,d.extractCodexMcpServer)(u),y=w==="browser-devtools",D=(y?(0,d.canonicalizeCodexToolName)(u.split("__").pop()??""):"")==="bdt_content_start-recording";if(!s&&y&&(0,i.isRecordingRequired)(n)&&!(0,i.isRecordingActive)(n)&&!D){process.stdout.write(JSON.stringify({hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:`BLOCKED: Recording is required but not started.
+Then use the verification tools for the active cycle(s) \u2014 mcp__browser-devtools__bdt_* for browser, mcp__node-devtools__ndt_* for node, mcp__backend-devtools__bedt_* for backend, mcp__android-devtools__adt_* for android.`;process.stdout.write(JSON.stringify({hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:p}})),process.exit(0);return}const g=n.tool_name??"",h=(0,l.extractCodexMcpServer)(g),c=(0,U.recordingToolsForServer)(h),D=c!==null?(0,l.canonicalizeCodexToolName)(g.split("__").pop()??""):"";if(!s&&c!==null&&(0,i.isRecordingRequired)(r)&&!(0,i.isRecordingActive)(r)&&D!==c.startTool){const p=`BLOCKED: Recording is required but not started.
 
 1. Start recording NOW:
-     Use mcp__browser-devtools__bdt_content_start-recording
+     Use mcp__${c.server}__${c.startTool}
 
-2. Run the verification (navigate, screenshot, aria, console, etc.)
+2. Run the verification flow for the active cycle(s)
 
 3. **Stop recording BEFORE submitting verdict:**
-     Use mcp__browser-devtools__bdt_content_stop-recording
-   submit-verdict will reject with "recording is still active" if you skip this.`}})),process.exit(0);return}await(0,x.startActivity)({sessionDir:n,actionsFile:v,source:"pre_tool_use"});let c=b;s&&!c&&(c=(await(0,T.startVerification)({sessionId:e,sessionDir:n,actionsFile:v,recordingEnabled:!1})).verificationId);const A=(0,i.getActiveTraceId)(n),g=(0,i.getActiveActivityId)(n),h=(0,E.resolveProjectName)(o),m=[`prj:${h}`,`sid:${e}`];g&&m.push(`aid:${g}`),c&&m.push(`vid:${c}`);const V=`ironbee=${m.join(";")}`,l=(0,$.loadConfig)(o),S={...r.tool_input&&typeof r.tool_input=="object"?r.tool_input:{}},a={projectName:h,sessionId:e,activityId:g,verificationId:c,traceId:A,traceState:V,toolCallId:(0,N.randomUUID)()};r.tool_use_id&&(a.toolUseId=r.tool_use_id),a.mcpServer=w??"browser-devtools";const I=(0,i.getUserEmail)(n);I&&(a.userEmail=I),l.collector?.url&&(a.collectorUrl=l.collector.url),l.collector?.apiKey&&(a.collectorApiKey=l.collector.apiKey),S._metadata=a;const k={hookEventName:"PreToolUse",permissionDecision:"allow",updatedInput:S},R=(0,O.buildVerificationContextOnceForCycle)({projectDir:o,sessionId:e,sessionDir:n,activeVerificationId:c,config:l});R.length>0&&(k.additionalContext=R),process.stdout.write(JSON.stringify({hookSpecificOutput:k})),p.logger.debug(`require-verification: allowed ${u} with _metadata`),process.exit(0)}C(J,"run");0&&(module.exports={run});
+     Use mcp__${c.server}__${c.stopTool}
+   submit-verdict will reject with "recording is still active" if you skip this.`;process.stdout.write(JSON.stringify({hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:p}})),process.exit(0);return}await(0,$.startActivity)({sessionDir:r,actionsFile:y,source:"pre_tool_use"});let a=b;s&&!a&&(a=(await(0,N.startVerification)({sessionId:t,sessionDir:r,actionsFile:y,recordingEnabled:!1})).verificationId);const V=(0,i.getActiveTraceId)(r),_=(0,i.getActiveActivityId)(r),S=(0,x.resolveProjectName)(o),v=[`prj:${S}`,`sid:${t}`];_&&v.push(`aid:${_}`),a&&v.push(`vid:${a}`);const P=`ironbee=${v.join(";")}`,f=(0,O.loadConfig)(o),w={...n.tool_input&&typeof n.tool_input=="object"?n.tool_input:{}},d={projectName:S,sessionId:t,activityId:_,verificationId:a,traceId:V,traceState:P,toolCallId:(0,T.randomUUID)()};n.tool_use_id&&(d.toolUseId=n.tool_use_id),d.mcpServer=h??"browser-devtools";const I=(0,i.getUserEmail)(r);I&&(d.userEmail=I),f.collector?.url&&(d.collectorUrl=f.collector.url),f.collector?.apiKey&&(d.collectorApiKey=f.collector.apiKey),w._metadata=d;const R={hookEventName:"PreToolUse",permissionDecision:"allow",updatedInput:w},k=(0,E.buildVerificationContextOnceForCycle)({projectDir:o,sessionId:t,sessionDir:r,activeVerificationId:a,config:f});k.length>0&&(R.additionalContext=k),process.stdout.write(JSON.stringify({hookSpecificOutput:R})),m.logger.debug(`require-verification: allowed ${g} with _metadata`),process.exit(0)}C(L,"run");0&&(module.exports={run});