@kontourai/flow-agents 0.1.1

package/context/scripts/hooks/workflow-steering.js

@@ -0,0 +1,250 @@
+#!/usr/bin/env node
+/**
+ * Workflow Steering Hook
+ *
+ * Injects phase-transition reminders after use_subagent calls complete and
+ * ambient workflow-state reminders at the start of the next user turn.
+ *
+ * Non-blocking — always exits 0.
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const STEERING = {
+  'tool-planner': [
+    '⚡ PLAN COMPLETE — Next: execute-plan (step 3).',
+    'Present plan to user. Get approval before executing.',
+  ].join(' '),
+
+  'tool-worker': [
+    '⚡ EXECUTION COMPLETE — Next: review (step 4) then verify (step 5).',
+    'Delegate to review-work for critique (report only — it cannot fix code).',
+    'Then delegate to verify-work for evidence (report only — it cannot fix code).',
+    'Do NOT deliver until review + verify are both clean.',
+    'If this was a VISUAL change (UI, CSS, HTML), you MUST delegate to tool-playwright for screenshot verification before delivering.',
+  ].join(' '),
+
+  'tool-code-reviewer': [
+    '⚡ REVIEW COMPLETE — Next: verify (step 5).',
+    'Reviewer reported findings only — it did NOT fix anything.',
+    'If CRITICAL/HIGH findings: route back to execute-plan, then re-review + re-verify.',
+    'If clean: proceed to verify-work. If findings exist, route back through execute-plan or a user decision.',
+  ].join(' '),
+
+  'tool-security-reviewer': [
+    '⚡ SECURITY REVIEW COMPLETE — Check findings.',
+    'If CRITICAL security findings: route back to execute-plan, then re-review + re-verify.',
+    'If clean: proceed to next step.',
+  ].join(' '),
+
+  'tool-verifier': [
+    '⚡ VERIFICATION COMPLETE — Route on verdict.',
+    'All PASS + no review issues → deliver.',
+    'Any FAIL or unfixed findings → route back to execute-plan, then re-review + re-verify.',
+    'Loop exits ONLY when review + verify are BOTH clean in the same iteration.',
+  ].join(' '),
+};
+
+const ACTIVE_STATE_STATUSES = new Set([
+  'new',
+  'planning',
+  'planned',
+  'in_progress',
+  'blocked',
+  'verifying',
+  'verified',
+  'needs_decision',
+  'not_verified',
+  'failed',
+  'delivered',
+]);
+
+function findRepoRoot(startDir) {
+  let dir = path.resolve(startDir || process.cwd());
+  const root = path.parse(dir).root;
+  for (let depth = 0; dir && depth < 40; depth++) {
+    if (fs.existsSync(path.join(dir, '.git')) || fs.existsSync(path.join(dir, 'AGENTS.md'))) return dir;
+    if (dir === root) break;
+    dir = path.dirname(dir);
+  }
+  return path.resolve(startDir || process.cwd());
+}
+
+function walkStateFiles(dir, out = []) {
+  if (!fs.existsSync(dir)) return out;
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (entry.name === 'archive') continue;
+      walkStateFiles(full, out);
+    } else if (entry.isFile() && entry.name === 'state.json') {
+      out.push(full);
+    }
+  }
+  return out;
+}
+
+function readJson(file) {
+  try {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function latestWorkflowState(root) {
+  const states = walkStateFiles(path.join(root, '.flow-agents'))
+    .map(file => {
+      let stat;
+      try { stat = fs.statSync(file); } catch { return null; }
+      const payload = readJson(file);
+      if (!payload || !ACTIVE_STATE_STATUSES.has(payload.status)) return null;
+      return { file, payload, mtimeMs: stat.mtimeMs };
+    })
+    .filter(Boolean)
+    .sort((a, b) => b.mtimeMs - a.mtimeMs);
+  return states[0] || null;
+}
+
+function safeStateText(value, maxLength = 240) {
+  const text = String(value || '').replace(/\s+/g, ' ').trim();
+  if (text.length <= maxLength) return text;
+  return `${text.slice(0, maxLength - 3)}...`;
+}
+
+function normalizedStateValue(value) {
+  return safeStateText(value, 80).toLowerCase();
+}
+
+function stateNeedsAmbientSteering(state) {
+  if (!state || typeof state !== 'object') return false;
+  const status = normalizedStateValue(state.status);
+  const nextStatus = normalizedStateValue(state.next_action && state.next_action.status);
+  return (
+    status === 'blocked' ||
+    status === 'failed' ||
+    status === 'needs_decision' ||
+    status === 'not_verified' ||
+    nextStatus === 'needs_user'
+  );
+}
+
+function critiqueSteering(workflowDir) {
+  const critique = readJson(path.join(workflowDir, 'critique.json'));
+  if (!critique || critique.required !== true) return '';
+  if (critique.status === 'pass' || critique.status === 'not_required') return '';
+  const critiques = Array.isArray(critique.critiques) ? critique.critiques : [];
+  const openFindings = [];
+  let nonPassReviews = 0;
+  for (const review of critiques) {
+    if (!review || typeof review !== 'object') continue;
+    if (review.verdict === 'fail' || review.verdict === 'not_verified') nonPassReviews += 1;
+    const findings = Array.isArray(review.findings) ? review.findings : [];
+    for (const finding of findings) {
+      if (finding && finding.status === 'open') openFindings.push(finding);
+    }
+  }
+  const parts = [
+    `CRITIQUE: required critique is status:${safeStateText(critique.status, 60)}.`,
+  ];
+  if (nonPassReviews) parts.push(`${nonPassReviews} review(s) have fail/not_verified verdicts.`);
+  if (openFindings.length) {
+    const severityCounts = openFindings.reduce((acc, finding) => {
+      const severity = safeStateText(finding.severity || 'unknown', 30);
+      acc[severity] = (acc[severity] || 0) + 1;
+      return acc;
+    }, {});
+    const counts = Object.entries(severityCounts)
+      .map(([severity, count]) => `${severity}:${count}`)
+      .join(', ');
+    parts.push(`Open findings: ${counts}.`);
+    parts.push(`First open finding: "${safeStateText(openFindings[0].description)}"`);
+  }
+  parts.push('Do not deliver as complete until required critique is pass or findings are explicitly accepted.');
+  return parts.join(' ');
+}
+
+function stateSteering(root) {
+  const current = latestWorkflowState(root);
+  if (!current) return '';
+  const state = current.payload;
+  const next = state.next_action || {};
+  if (next.status === 'done' || state.status === 'archived' || state.status === 'accepted') return '';
+  const parts = [
+    `STATE: ${state.task_slug || path.basename(path.dirname(current.file))} is status:${state.status} phase:${state.phase}.`,
+  ];
+  if (next.summary) parts.push(`Recorded next_action.summary: "${safeStateText(next.summary)}"`);
+  if (next.target_phase) parts.push(`Target phase: ${safeStateText(next.target_phase, 80)}.`);
+  if (next.status === 'needs_user' || state.status === 'needs_decision' || state.status === 'not_verified') {
+    parts.push('Do not deliver as complete until the user decision or accepted gap is recorded.');
+  }
+  if (state.status === 'failed') {
+    parts.push('Route back through execution, then re-review and re-verify.');
+  }
+  const critiqueHint = critiqueSteering(path.dirname(current.file));
+  if (critiqueHint) parts.push(critiqueHint);
+  return parts.join(' ');
+}
+
+function contextMapSteering(root) {
+  const mapPath = path.join(root, 'docs', 'context-map.md');
+  if (!fs.existsSync(mapPath)) return '';
+  return [
+    'CONTEXT MAP: use docs/context-map.md before broad repo rediscovery.',
+    'If structure, commands, schemas, skills, agents, or packs changed, run `npm run context-map -- --check`.',
+  ].join(' ');
+}
+
+function run(rawInput) {
+  try {
+    const input = JSON.parse(rawInput);
+    const event = input.hook_event_name || '';
+    const toolOutput = input.tool_response || input.tool_output || '';
+    const toolInput = input.tool_input || {};
+    const root = findRepoRoot(input.cwd || process.cwd());
+    const current = latestWorkflowState(root);
+    const hints = [];
+    let shouldAppendWorkflowContext = false;
+
+    if (toolInput.command === 'InvokeSubagents') {
+      const subagents = toolInput.content?.subagents || [];
+      hints.push(...subagents
+        .map(s => STEERING[s.agent_name])
+        .filter(Boolean));
+      shouldAppendWorkflowContext = hints.length > 0;
+    }
+
+    if (event === 'UserPromptSubmit' && current && stateNeedsAmbientSteering(current.payload)) {
+      hints.push('WORKFLOW STATE ATTENTION: current sidecars show unresolved workflow state at turn start.');
+      shouldAppendWorkflowContext = true;
+    }
+
+    if (shouldAppendWorkflowContext) {
+      const stateHint = stateSteering(root);
+      if (stateHint) hints.push(stateHint);
+      const contextHint = contextMapSteering(root);
+      if (contextHint) hints.push(contextHint);
+    }
+    if (hints.length === 0) return rawInput;
+
+    const steering = '\n\n---\n' + hints.join('\n') + '\n---';
+    return rawInput + steering;
+  } catch { /* pass through */ }
+  return rawInput;
+}
+
+if (require.main === module) {
+  let data = '';
+  process.stdin.setEncoding('utf8');
+  process.stdin.on('data', chunk => {
+    data += chunk;
+  });
+  process.stdin.on('end', () => {
+    process.stdout.write(String(run(data)));
+  });
+}
+
+module.exports = { run, stateSteering, critiqueSteering, contextMapSteering, latestWorkflowState, findRepoRoot, safeStateText, stateNeedsAmbientSteering };

package/context/scripts/telemetry/console-presets.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Named Console telemetry sink defaults used by install/setup helpers.
+
+flow_agents_local_kontour_console_url() {
+  printf '%s\n' "${FLOW_AGENTS_LOCAL_KONTOUR_CONSOLE_URL:-http://127.0.0.1:3737}"
+}
+
+flow_agents_kontour_cloud_console_url() {
+  printf '%s\n' "${FLOW_AGENTS_KONTOUR_CLOUD_CONSOLE_URL:-https://console.kontourai.com}"
+}
+
+flow_agents_kontour_hosted_console_url() {
+  flow_agents_kontour_cloud_console_url
+}

package/context/scripts/telemetry/install-console-config.sh

@@ -0,0 +1,214 @@
+#!/usr/bin/env bash
+# Persist optional Console telemetry settings into an installed telemetry.conf.
+set -euo pipefail
+
+usage() {
+  cat >&2 <<'EOF'
+usage: install-console-config.sh /path/to/telemetry.conf [options]
+
+Options:
+  --telemetry-sink NAME   local-files, local-kontour-console,
+                          kontour-hosted-console, user-hosted-console,
+                          or legacy aliases. May be repeated.
+  --console-url URL       Console base URL. Derives /api/telemetry/records.
+  --console-endpoint URL  Full Console telemetry records endpoint URL.
+  --console-token-file PATH
+                          File containing the bearer token.
+  --console-tenant ID     Tenant identifier for hosted Console routing.
+EOF
+}
+
+die() {
+  echo "install-console-config.sh: $*" >&2
+  exit 2
+}
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=/dev/null
+source "$SCRIPT_DIR/console-presets.sh"
+
+append_sinks() {
+  local raw="$1"
+  local sink
+  raw="${raw//,/ }"
+  for sink in $raw; do
+    [[ -n "$sink" ]] && telemetry_sinks+=("$sink")
+  done
+}
+
+has_control_chars() {
+  [[ "$1" == *$'\n'* || "$1" == *$'\r'* || "$1" == *$'\t'* ]]
+}
+
+validate_url() {
+  local label="$1"
+  local value="$2"
+  [[ -z "$value" ]] && return 0
+  has_control_chars "$value" && die "$label must not contain control characters"
+  if [[ "$value" == https://* ]]; then
+    return 0
+  fi
+  if [[ "$value" == http://127.0.0.1:* || "$value" == http://127.0.0.1/* || "$value" == "http://127.0.0.1" ]]; then
+    return 0
+  fi
+  if [[ "$value" == http://localhost:* || "$value" == http://localhost/* || "$value" == "http://localhost" ]]; then
+    return 0
+  fi
+  die "$label must use https://, except localhost or 127.0.0.1 may use http://"
+}
+
+validate_token() {
+  local value="$1"
+  [[ -z "$value" ]] && return 0
+  [[ "${#value}" -le 4096 ]] || die "Console token must be 4096 characters or fewer"
+  has_control_chars "$value" && die "Console token must not contain control characters"
+  [[ "$value" =~ ^[A-Za-z0-9._~+/=-]+$ ]] || die "Console token contains unsupported characters"
+}
+
+read_token_file() {
+  local file="$1"
+  [[ -f "$file" ]] || die "--console-token-file does not exist: $file"
+  local value
+  value="$(tr -d '\r\n' <"$file")"
+  [[ -n "$value" ]] || die "--console-token-file is empty"
+  [[ "${#value}" -le 4096 ]] || die "Console token must be 4096 characters or fewer"
+  printf '%s\n' "$value"
+}
+
+validate_tenant() {
+  local value="$1"
+  [[ -z "$value" ]] && return 0
+  [[ "$value" =~ ^[A-Za-z0-9._:-]+$ ]] || die "--console-tenant contains unsupported characters"
+}
+
+set_config_key() {
+  local conf="$1"
+  local key="$2"
+  local value="$3"
+  [[ -z "$value" ]] && return 0
+  local tmp
+  tmp="$(mktemp "${TMPDIR:-/tmp}/flow-agents-telemetry-conf.XXXXXX")"
+  if [[ -f "$conf" ]]; then
+    awk -v key="$key" 'BEGIN { prefix = key "=" } index($0, prefix) != 1 { print }' "$conf" >"$tmp"
+  fi
+  printf '%s=%s\n' "$key" "$value" >>"$tmp"
+  mv "$tmp" "$conf"
+}
+
+main() {
+  [[ $# -ge 1 ]] || { usage; exit 2; }
+  local conf="$1"
+  shift
+
+  local console_url="${FLOW_AGENTS_CONSOLE_URL:-${CONSOLE_TELEMETRY_URL:-${CONSOLE_URL:-}}}"
+  local console_endpoint="${FLOW_AGENTS_CONSOLE_ENDPOINT_URL:-${CONSOLE_TELEMETRY_ENDPOINT_URL:-}}"
+  local console_token=""
+  local console_token_file="${FLOW_AGENTS_CONSOLE_TOKEN_FILE:-${CONSOLE_TELEMETRY_TOKEN_FILE:-}}"
+  local console_tenant="${FLOW_AGENTS_CONSOLE_TENANT:-${CONSOLE_TENANT_ID:-}}"
+  telemetry_sinks=()
+  if [[ -n "${FLOW_AGENTS_TELEMETRY_SINKS:-}" ]]; then
+    append_sinks "$FLOW_AGENTS_TELEMETRY_SINKS"
+  elif [[ -n "${FLOW_AGENTS_TELEMETRY_SINK:-}" ]]; then
+    append_sinks "$FLOW_AGENTS_TELEMETRY_SINK"
+  fi
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --telemetry-sink|--telemetry-sinks)
+        [[ $# -ge 2 ]] || die "$1 requires a value"
+        append_sinks "$2"
+        shift 2
+        ;;
+      --console-url)
+        [[ $# -ge 2 ]] || die "--console-url requires a value"
+        console_url="$2"
+        shift 2
+        ;;
+      --console-endpoint|--console-endpoint-url)
+        [[ $# -ge 2 ]] || die "$1 requires a value"
+        console_endpoint="$2"
+        shift 2
+        ;;
+      --console-token-file)
+        [[ $# -ge 2 ]] || die "--console-token-file requires a value"
+        console_token_file="$2"
+        shift 2
+        ;;
+      --console-tenant|--console-tenant-id)
+        [[ $# -ge 2 ]] || die "$1 requires a value"
+        console_tenant="$2"
+        shift 2
+        ;;
+      --help|-h)
+        usage
+        exit 0
+        ;;
+      *)
+        die "unknown option: $1"
+        ;;
+    esac
+  done
+
+  if [[ -n "$console_token_file" ]]; then
+    console_token="$(read_token_file "$console_token_file")"
+  fi
+
+  if [[ "${#telemetry_sinks[@]}" -eq 0 ]]; then
+    telemetry_sinks=("local-files")
+  fi
+  local sink
+  local console_sink_count=0
+  for sink in "${telemetry_sinks[@]}"; do
+    case "$sink" in
+      local-files)
+        ;;
+      local-kontour-console)
+        console_sink_count=$((console_sink_count + 1))
+        console_url="${console_url:-$(flow_agents_local_kontour_console_url)}"
+        ;;
+      kontour-hosted-console|kontour-cloud)
+        console_sink_count=$((console_sink_count + 1))
+        console_url="${console_url:-$(flow_agents_kontour_hosted_console_url)}"
+        ;;
+      user-hosted-console|hosted-kontour-console)
+        console_sink_count=$((console_sink_count + 1))
+        [[ -n "$console_url" || -n "$console_endpoint" ]] || die "user-hosted-console requires --console-url or --console-endpoint"
+        ;;
+      *)
+        die "unknown telemetry sink: $sink"
+        ;;
+    esac
+  done
+  [[ "$console_sink_count" -le 1 ]] || die "select at most one Console telemetry sink"
+
+  if [[ -z "$console_url" && -z "$console_endpoint" && -z "$console_token" && -z "$console_tenant" ]]; then
+    return 0
+  fi
+  if [[ -z "$console_url" && -z "$console_endpoint" && ( -n "$console_token" || -n "$console_tenant" ) ]]; then
+    die "--console-token-file and --console-tenant require --console-url or --console-endpoint"
+  fi
+
+  validate_url "--console-url" "$console_url"
+  validate_url "--console-endpoint" "$console_endpoint"
+  validate_token "$console_token"
+  validate_tenant "$console_tenant"
+
+  mkdir -p "$(dirname "$conf")"
+  [[ -f "$conf" ]] || : >"$conf"
+  set_config_key "$conf" "console_telemetry_url" "$console_url"
+  set_config_key "$conf" "console_telemetry_endpoint_url" "$console_endpoint"
+  set_config_key "$conf" "console_telemetry_token" "$console_token"
+  set_config_key "$conf" "console_tenant_id" "$console_tenant"
+  if [[ -n "$console_token" ]]; then
+    chmod 600 "$conf" 2>/dev/null || true
+  fi
+
+  local target="${console_endpoint:-$console_url}"
+  if [[ -n "$console_tenant" ]]; then
+    echo "Configured Console telemetry in $conf for $target (tenant: $console_tenant)"
+  else
+    echo "Configured Console telemetry in $conf for $target"
+  fi
+}
+
+main "$@"

package/context/scripts/telemetry/lib/config.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# config.sh — Load telemetry configuration with defaults
+
+TELEMETRY_DIR="${TELEMETRY_DIR:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
+TELEMETRY_CONFIG_FILE="${TELEMETRY_CONFIG_FILE:-${TELEMETRY_DIR}/telemetry.conf}"
+
+# Defaults
+TELEMETRY_ENABLED="${TELEMETRY_ENABLED:-true}"
+TELEMETRY_DATA_DIR="${TELEMETRY_DATA_DIR:-$(cd "${TELEMETRY_DIR}/../../.." && pwd)/.telemetry}"
+TELEMETRY_SESSION_DIR="${TELEMETRY_SESSION_DIR:-${TELEMETRY_DATA_DIR}/sessions}"
+TELEMETRY_ENRICH_SYSTEM="${TELEMETRY_ENRICH_SYSTEM:-true}"
+TELEMETRY_ENRICH_WORKSPACE="${TELEMETRY_ENRICH_WORKSPACE:-true}"
+TELEMETRY_ENRICH_AUTH="${TELEMETRY_ENRICH_AUTH:-true}"
+TELEMETRY_SYNC_INCLUDE="${TELEMETRY_SYNC_INCLUDE:-*}"
+TELEMETRY_SYNC_EXCLUDE="${TELEMETRY_SYNC_EXCLUDE:-neo-*,Neo,local-gamma-*}"
+TELEMETRY_MAX_LOG_SIZE_MB="${TELEMETRY_MAX_LOG_SIZE_MB:-50}"
+TELEMETRY_MAX_LOG_FILES="${TELEMETRY_MAX_LOG_FILES:-3}"
+TELEMETRY_CHANNELS="${TELEMETRY_CHANNELS:-full}"
+FLOW_AGENTS_TELEMETRY_CAPTURE_RAW_HOOK_INPUT="${FLOW_AGENTS_TELEMETRY_CAPTURE_RAW_HOOK_INPUT:-false}"
+TELEMETRY_USAGE_TRACKING="${TELEMETRY_USAGE_TRACKING:-true}"
+TELEMETRY_NOTIFICATIONS="${TELEMETRY_NOTIFICATIONS:-true}"
+TELEMETRY_NOTIFICATION_PROFILE="${TELEMETRY_NOTIFICATION_PROFILE:-standard}"
+TELEMETRY_GOVERNANCE="${TELEMETRY_GOVERNANCE:-true}"
+TELEMETRY_GOVERNANCE_AUDIT_MAX_SIZE_MB="${TELEMETRY_GOVERNANCE_AUDIT_MAX_SIZE_MB:-25}"
+TELEMETRY_GOVERNANCE_AUDIT_MAX_FILES="${TELEMETRY_GOVERNANCE_AUDIT_MAX_FILES:-5}"
+
+# Channel defaults
+TELEMETRY_CHANNEL_FULL_LOG_FILE="${TELEMETRY_CHANNEL_FULL_LOG_FILE:-${TELEMETRY_DATA_DIR}/full.jsonl}"
+TELEMETRY_CHANNEL_FULL_REDACT="${TELEMETRY_CHANNEL_FULL_REDACT:-hook.raw_input,turn.prompt_text,tool.input,tool.output}"
+TELEMETRY_CHANNEL_ANALYTICS_LOG_FILE="${TELEMETRY_CHANNEL_ANALYTICS_LOG_FILE:-${TELEMETRY_DATA_DIR}/analytics.jsonl}"
+TELEMETRY_CHANNEL_ANALYTICS_REDACT="${TELEMETRY_CHANNEL_ANALYTICS_REDACT:-tool.input,tool.output,turn.prompt_text,delegation.targets.query,context.cwd,hook.raw_input,hook.last_assistant_message,hook.transcript_path}"
+TELEMETRY_CHANNEL_ANALYTICS_ENDPOINT_URL="${TELEMETRY_CHANNEL_ANALYTICS_ENDPOINT_URL:-}"
+CONSOLE_TELEMETRY_URL="${CONSOLE_TELEMETRY_URL:-${CONSOLE_URL:-}}"
+CONSOLE_TELEMETRY_ENDPOINT_URL="${CONSOLE_TELEMETRY_ENDPOINT_URL:-}"
+CONSOLE_TELEMETRY_TOKEN="${CONSOLE_TELEMETRY_TOKEN:-${CONSOLE_AUTH_TOKEN:-}}"
+CONSOLE_TENANT_ID="${CONSOLE_TENANT_ID:-}"
+
+# Load config file if it exists
+if [[ -f "$TELEMETRY_CONFIG_FILE" ]]; then
+  while IFS='=' read -r key value; do
+    [[ -z "$key" || "$key" =~ ^[[:space:]]*# ]] && continue
+    key=$(echo "$key" | tr -d '[:space:]')
+    value=$(echo "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+    
+    # Handle channel-specific config
+    if [[ "$key" =~ ^channel\.([^.]+)\.(.+)$ ]]; then
+      channel_name="${BASH_REMATCH[1]}"
+      channel_key="${BASH_REMATCH[2]}"
+      if [[ "$channel_name" =~ ^[A-Za-z0-9_]+$ && "$channel_key" =~ ^[A-Za-z0-9_]+$ ]]; then
+        var_name="TELEMETRY_CHANNEL_$(echo "$channel_name" | tr '[:lower:]' '[:upper:]')_$(echo "$channel_key" | tr '[:lower:]' '[:upper:]')"
+        printf -v "$var_name" '%s' "$value"
+      fi
+    else
+      # Standard config
+      case "$key" in
+        enabled) TELEMETRY_ENABLED="$value" ;;
+        channels) TELEMETRY_CHANNELS="$value" ;;
+        enrich_system) TELEMETRY_ENRICH_SYSTEM="$value" ;;
+        enrich_workspace) TELEMETRY_ENRICH_WORKSPACE="$value" ;;
+        enrich_auth) TELEMETRY_ENRICH_AUTH="$value" ;;
+        max_log_size_mb) TELEMETRY_MAX_LOG_SIZE_MB="$value" ;;
+        max_log_files) TELEMETRY_MAX_LOG_FILES="$value" ;;
+        sync_include) TELEMETRY_SYNC_INCLUDE="$value" ;;
+        sync_exclude) TELEMETRY_SYNC_EXCLUDE="$value" ;;
+        usage_tracking) TELEMETRY_USAGE_TRACKING="$value" ;;
+        notifications) TELEMETRY_NOTIFICATIONS="$value" ;;
+        notification_profile) TELEMETRY_NOTIFICATION_PROFILE="$value" ;;
+        governance) TELEMETRY_GOVERNANCE="$value" ;;
+        governance_audit_max_size_mb) TELEMETRY_GOVERNANCE_AUDIT_MAX_SIZE_MB="$value" ;;
+        governance_audit_max_files) TELEMETRY_GOVERNANCE_AUDIT_MAX_FILES="$value" ;;
+        console_url) CONSOLE_TELEMETRY_URL="$value" ;;
+        console_telemetry_url) CONSOLE_TELEMETRY_URL="$value" ;;
+        console_telemetry_endpoint_url) CONSOLE_TELEMETRY_ENDPOINT_URL="$value" ;;
+        console_telemetry_token) CONSOLE_TELEMETRY_TOKEN="$value" ;;
+        console_tenant_id) CONSOLE_TENANT_ID="$value" ;;
+        console_telemetry_redact) CONSOLE_TELEMETRY_REDACT="$value" ;;
+      esac
+    fi
+  done < "$TELEMETRY_CONFIG_FILE"
+fi
+
+CONSOLE_TELEMETRY_REDACT="${CONSOLE_TELEMETRY_REDACT:-${TELEMETRY_CHANNEL_ANALYTICS_REDACT}}"
+
+# Ensure directories exist
+mkdir -p "$TELEMETRY_DATA_DIR" "$TELEMETRY_SESSION_DIR" 2>/dev/null

package/context/scripts/telemetry/lib/enrich.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# enrich.sh — Metadata enrichment functions
+
+enrich_system() {
+  [[ "$TELEMETRY_ENRICH_SYSTEM" != "true" ]] && echo '{}' && return
+  
+  local os os_version shell runtime_version node_version
+  os=$(uname -s | tr '[:upper:]' '[:lower:]')
+  os_version=$(uname -r)
+  shell=$(basename "${SHELL:-unknown}")
+  runtime_version=$(
+    kiro-cli --version 2>/dev/null &
+    _pid=$!; ( sleep 2; kill $_pid 2>/dev/null ) &
+    _guard=$!; wait $_pid 2>/dev/null; kill $_guard 2>/dev/null
+    wait $_pid 2>/dev/null
+  ) 2>/dev/null
+  runtime_version=$(echo "$runtime_version" | head -n1)
+  runtime_version="${runtime_version:-unknown}"
+  node_version=$(node --version 2>/dev/null || echo "unknown")
+  
+  jq -nc \
+    --arg os "$os" \
+    --arg osv "$os_version" \
+    --arg shell "$shell" \
+    --arg rv "$runtime_version" \
+    --arg nv "$node_version" \
+    '{
+      os: $os,
+      os_version: $osv,
+      shell: $shell,
+      runtime_version: $rv,
+      node_version: $nv
+    }'
+}
+
+enrich_workspace() {
+  [[ "$TELEMETRY_ENRICH_WORKSPACE" != "true" ]] && echo '{}' && return
+  
+  local session_id cache_file
+  session_id=$(session_get)
+  cache_file="${TELEMETRY_SESSION_DIR}/${session_id}.workspace"
+  
+  # Return cached if exists
+  [[ -f "$cache_file" ]] && cat "$cache_file" && return
+  
+  local has_git="false" git_branch="" git_hash=""
+  local file_count=0 workspace_size_mb=0 primary_languages=""
+  
+  if git rev-parse --git-dir >/dev/null 2>&1; then
+    has_git="true"
+    git_branch=$(git branch --show-current 2>/dev/null || echo "unknown")
+    git_hash=$(git rev-parse HEAD 2>/dev/null || echo "unknown")
+    
+    # Only scan files inside a git repo to avoid scanning ~ or /
+    file_count=$(find . -maxdepth 4 -type f 2>/dev/null | head -10000 | wc -l | tr -d ' ')
+    primary_languages=$(find . -maxdepth 4 \( -name "*.js" -o -name "*.ts" -o -name "*.py" -o -name "*.sh" -o -name "*.go" -o -name "*.rs" \) 2>/dev/null | \
+      head -5000 | sed 's/.*\.//' | sort | uniq -c | sort -nr | head -3 | awk '{print $2}' | tr '\n' ',' | sed 's/,$//')
+  fi
+  
+  local result
+  result=$(jq -nc \
+    --argjson hg "$has_git" \
+    --arg gb "$git_branch" \
+    --arg gh "$git_hash" \
+    --argjson fc "$file_count" \
+    --argjson ws "$workspace_size_mb" \
+    --arg pl "$primary_languages" \
+    '{
+      has_git: $hg,
+      git_branch_hash: ($gb + "@" + $gh),
+      file_count: $fc,
+      workspace_size_mb: $ws,
+      primary_languages: $pl
+    }')
+  
+  echo "$result" | tee "$cache_file"
+}
+
+enrich_auth() {
+  [[ "$TELEMETRY_ENRICH_AUTH" != "true" ]] && echo '{}' && return
+  
+  local mwinit_active="false" mwinit_age_minutes=0 cookie_exists="false"
+  
+  # Check mwinit status
+  if command -v mwinit >/dev/null 2>&1; then
+    if mwinit status >/dev/null 2>&1; then
+      mwinit_active="true"
+      local mwinit_file="$HOME/.mwinit"
+      if [[ -f "$mwinit_file" ]]; then
+        local mwinit_mtime current_time
+        # Try GNU stat first, then BSD
+        if stat -c %Y "$mwinit_file" >/dev/null 2>&1; then
+          mwinit_mtime=$(stat -c %Y "$mwinit_file")
+        else
+          mwinit_mtime=$(stat -f %m "$mwinit_file" 2>/dev/null || echo "0")
+        fi
+        current_time=$(date +%s)
+        mwinit_age_minutes=$(((current_time - mwinit_mtime) / 60))
+      fi
+    fi
+  fi
+  
+  # Check for auth cookies
+  [[ -f "$HOME/.aws/sso/cache" ]] && cookie_exists="true"
+  
+  jq -nc \
+    --argjson ma "$mwinit_active" \
+    --argjson mam "$mwinit_age_minutes" \
+    --argjson ce "$cookie_exists" \
+    '{
+      mwinit_active: $ma,
+      mwinit_age_minutes: $mam,
+      cookie_exists: $ce
+    }'
+}