@lousy-agents/agent-shell 5.8.7 → 5.9.0

package/dist/index.js

@@ -425,6 +425,8 @@ const external_node_child_process_namespaceObject = __rspack_createRequire_requi
 const external_node_crypto_namespaceObject = __rspack_createRequire_require("node:crypto");
 ;// CONCATENATED MODULE: external "node:fs/promises"
 const promises_namespaceObject = __rspack_createRequire_require("node:fs/promises");
+;// CONCATENATED MODULE: external "node:readline"
+const external_node_readline_namespaceObject = __rspack_createRequire_require("node:readline");
 ;// CONCATENATED MODULE: external "node:path"
 const external_node_path_namespaceObject = __rspack_createRequire_require("node:path");
 ;// CONCATENATED MODULE: ./src/git-utils.ts
@@ -490,73 +492,6 @@ function defaultExecutor(env) {
 }
 /** Process-scoped singleton for production use. */ const git_utils_getRepositoryRoot = createGetRepositoryRoot();
 
-;// CONCATENATED MODULE: external "node:fs"
-const external_node_fs_namespaceObject = __rspack_createRequire_require("node:fs");
-;// CONCATENATED MODULE: external "node:readline"
-const external_node_readline_namespaceObject = __rspack_createRequire_require("node:readline");
-;// CONCATENATED MODULE: ./src/log/format.ts
-function formatDuration(ms) {
-    if (ms < 1000) return `${Math.round(ms)}ms`;
-    if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
-    return `${(ms / 60000).toFixed(1)}m`;
-}
-function formatTimestamp(iso) {
-    const d = new Date(iso);
-    return d.toISOString().replace("T", " ").replace(/\.\d{3}Z$/, "");
-}
-function truncateCommand(command, maxLen) {
-    if (command.length <= maxLen) return command;
-    return `${command.slice(0, maxLen - 3)}...`;
-}
-function padRight(str, width) {
-    if (str.length >= width) return str;
-    return str + " ".repeat(width - str.length);
-}
-const COL_TIMESTAMP = 21;
-const COL_SCRIPT = 9;
-const COL_ACTOR = 13;
-const COL_EXIT = 6;
-const COL_DURATION = 10;
-const MAX_COMMAND_LEN = 50;
-function formatEventsTable(events) {
-    const header = padRight("TIMESTAMP", COL_TIMESTAMP) + padRight("SCRIPT", COL_SCRIPT) + padRight("ACTOR", COL_ACTOR) + padRight("EXIT", COL_EXIT) + padRight("DURATION", COL_DURATION) + "COMMAND";
-    const rows = events.map((event)=>{
-        const timestamp = formatTimestamp(event.timestamp);
-        const script = event.event === "script_end" ? event.script ?? "-" : "-";
-        const actor = event.actor;
-        const exitCode = event.event === "script_end" ? String(event.exit_code) : "-";
-        const duration = event.event === "script_end" ? formatDuration(event.duration_ms) : "-";
-        const command = truncateCommand(event.command, MAX_COMMAND_LEN);
-        return padRight(timestamp, COL_TIMESTAMP) + padRight(script, COL_SCRIPT) + padRight(actor, COL_ACTOR) + padRight(exitCode, COL_EXIT) + padRight(duration, COL_DURATION) + command;
-    });
-    return [
-        header,
-        ...rows
-    ].join("\n");
-}
-function formatSessionsTable(sessions) {
-    const colSession = 11;
-    const colFirstEvent = 21;
-    const colLastEvent = 21;
-    const colEvents = 9;
-    const header = padRight("SESSION", colSession) + padRight("FIRST EVENT", colFirstEvent) + padRight("LAST EVENT", colLastEvent) + padRight("EVENTS", colEvents) + "ACTORS";
-    const rows = sessions.map((s)=>{
-        const sessionTrunc = s.sessionId.slice(0, 8);
-        const firstEvent = formatTimestamp(s.firstEvent);
-        const lastEvent = formatTimestamp(s.lastEvent);
-        const eventCount = String(s.eventCount);
-        const actors = s.actors.join(", ");
-        return padRight(sessionTrunc, colSession) + padRight(firstEvent, colFirstEvent) + padRight(lastEvent, colLastEvent) + padRight(eventCount, colEvents) + actors;
-    });
-    return [
-        header,
-        ...rows
-    ].join("\n");
-}
-function formatEventsJson(events) {
-    return JSON.stringify(events, null, 2);
-}
-
 ;// CONCATENATED MODULE: ./src/path-utils.ts
 
 function isWithinProjectRoot(resolvedPath, projectRoot) {
@@ -14310,2031 +14245,2710 @@ core_config(en());
 
 /* export default */ const v4 = ((/* unused pure expression or super */ null && (z4)));
 
-;// CONCATENATED MODULE: ./src/types.ts
-// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+;// CONCATENATED MODULE: ./src/sanitize.ts
+/**
+ * Escapes ASCII and C1 control characters in error messages before writing
+ * to stderr. Replaces each control character with its `\xNN` hex
+ * representation to prevent log/terminal injection when errors embed
+ * untrusted data.
+ */ function sanitizeForStderr(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
+    return msg.replace(/[\u0000-\u001f\u007f-\u009f]/g, (ch)=>{
+        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
+    });
+}
+/**
+ * Escapes ASCII and C1 control characters (except newline) in output text.
+ * Like sanitizeForStderr but preserves newlines for JSON formatting.
+ */ function sanitizeOutput(text) {
+    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
+    return text.replace(/[\u0000-\u0009\u000b-\u001f\u007f-\u009f]/g, (ch)=>{
+        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
+    });
+}
+/**
+ * Sanitizes untrusted values before embedding in prompts.
+ * Strips newlines and all backticks that could inject instructions,
+ * and truncates to a safe length.
+ */ function sanitizePromptValue(value) {
+    return value.replace(/[\n\r]/g, " ").replace(/`/g, "").slice(0, 256);
+}
+/**
+ * Shell metacharacters that indicate compound or piped commands.
+ * Commands containing these are excluded from the allow list because
+ * they could mask injection (e.g. `npm test && curl evil`).
+ */ const SHELL_METACHAR_PATTERN = /[;|&`><$()\\\n\r]/;
+/**
+ * Returns true if the command is non-empty, contains no shell metacharacters,
+ * and is safe to include in a policy allow list.
+ */ function isSafeCommand(command) {
+    const normalized = command.trim();
+    if (normalized.length === 0) {
+        return false;
+    }
+    return !SHELL_METACHAR_PATTERN.test(normalized);
+}
 
-const SCHEMA_VERSION = 1;
-const baseFields = {
-    v: literal(1),
-    session_id: schemas_string(),
-    command: schemas_string(),
-    actor: schemas_string(),
-    timestamp: schemas_string(),
-    env: record(schemas_string(), schemas_string()),
-    tags: record(schemas_string(), schemas_string())
-};
-const ScriptEndEventSchema = schemas_object({
-    ...baseFields,
-    event: literal("script_end"),
-    script: schemas_string().optional(),
-    package: schemas_string().optional(),
-    package_version: schemas_string().optional(),
-    exit_code: schemas_number().int(),
-    signal: schemas_string().nullable(),
-    duration_ms: schemas_number()
-}).strict();
-const ShimErrorEventSchema = schemas_object({
-    ...baseFields,
-    event: literal("shim_error")
-}).strict();
-const PolicyDecisionEventSchema = schemas_object({
-    ...baseFields,
-    event: literal("policy_decision"),
-    decision: schemas_enum([
-        "allow",
-        "deny"
-    ]),
-    matched_rule: schemas_string().nullable()
-}).strict();
-const ScriptEventSchema = discriminatedUnion("event", [
-    ScriptEndEventSchema,
-    ShimErrorEventSchema,
-    PolicyDecisionEventSchema
-]);
-const MAX_POLICY_RULES = 10_000;
-const MAX_RULE_LENGTH = 1024;
-const policyRuleArray = schemas_array(schemas_string().max(MAX_RULE_LENGTH)).max(MAX_POLICY_RULES);
-const PolicyConfigSchema = schemas_object({
-    allow: policyRuleArray.optional(),
-    deny: policyRuleArray.default(()=>[])
-}).strict();
-// NOTE: This schema mirrors CopilotHookCommandSchema in @lousy-agents/core
-// (packages/core/src/entities/copilot-hook-schema.ts). Keep them aligned.
-// agent-shell cannot import from core since it is a standalone published binary.
-const MAX_HOOKS_PER_EVENT = 100;
-/** Regex that allows standard env var names and rejects __proto__ (the prototype-polluting key). */ const ENV_KEY_PATTERN = /^(?!__proto__$)[a-zA-Z_][a-zA-Z0-9_]*$/;
-const HookCommandSchema = schemas_object({
-    type: literal("command"),
-    bash: schemas_string().min(1, "Hook bash command must not be empty").optional(),
-    powershell: schemas_string().min(1, "Hook PowerShell command must not be empty").optional(),
-    cwd: schemas_string().optional(),
-    timeoutSec: schemas_number().positive().optional(),
-    env: record(schemas_string().regex(ENV_KEY_PATTERN, "Hook env key must be a valid identifier (no prototype-polluting keys)"), schemas_string()).optional()
-}).strict().refine((data)=>Boolean(data.bash) || Boolean(data.powershell), {
-    message: "At least one of 'bash' or 'powershell' must be provided and non-empty"
-});
-const hookArray = schemas_array(HookCommandSchema).max(MAX_HOOKS_PER_EVENT);
-const HooksConfigSchema = schemas_object({
-    version: literal(1),
-    hooks: schemas_object({
-        sessionStart: hookArray.optional(),
-        userPromptSubmitted: hookArray.optional(),
-        preToolUse: hookArray.optional(),
-        postToolUse: hookArray.optional(),
-        sessionEnd: hookArray.optional()
-    }).strict()
-}).strict();
+;// CONCATENATED MODULE: ./src/copilot-prompt.ts
 
-;// CONCATENATED MODULE: ./src/log/query.ts
-// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+function formatScriptsSummary(scripts) {
+    return scripts.map((s)=>`  - \`${sanitizePromptValue(s.name)}\`: \`${sanitizePromptValue(s.command)}\``).join("\n");
+}
+function formatWorkflowSummary(commands) {
+    return commands.map((cmd)=>`  - \`${sanitizePromptValue(cmd)}\``).join("\n");
+}
+function formatMiseTasksSummary(tasks) {
+    return tasks.map((t)=>`  - \`${sanitizePromptValue(t.name)}\`: \`${sanitizePromptValue(t.command)}\``).join("\n");
+}
+/**
+ * Builds the system message that establishes persistent behavioral
+ * constraints for the Copilot SDK session. This includes security goals,
+ * tool descriptions, and response format requirements — context that
+ * must be respected across all tool interactions during the session.
+ */ function buildSystemMessage() {
+    return `You are a security-focused policy analyst for agent-shell — a security layer that intercepts terminal commands executed by AI coding agents. Your goal is to generate a minimal, secure allow list for a \`policy.json\` file.
 
+## Security Principles
 
+- Only commands genuinely needed for development workflows should be permitted
+- Overly broad rules create security risks (e.g. an agent could chain \`npm test && curl evil.com\`)
+- Use exact commands — avoid wildcards unless the command is genuinely read-only (e.g. \`git status *\`)
+- Always validate proposed commands with \`validate_allow_rule\` before including them
+- Commands containing shell metacharacters (\`;\`, \`|\`, \`&\`, \`\`\`, \`$\`, etc.) are never safe
 
-const DURATION_PATTERN = /^(\d+)([mhd])$/;
-const MAX_LINE_BYTES = 65_536;
-const MAX_LINES_PER_FILE = 100_000;
-const UNIT_MS = {
-    m: 60 * 1000,
-    h: 60 * 60 * 1000,
-    d: 24 * 60 * 60 * 1000
-};
-function parseDuration(duration) {
-    const match = DURATION_PATTERN.exec(duration);
-    if (!match) {
-        throw new Error(`Invalid duration format: "${duration}". Expected format: <number><unit> where unit is m, h, or d`);
-    }
-    const value = Number.parseInt(match[1], 10);
-    if (value <= 0) {
-        throw new Error(`Duration must be a positive value, got: "${duration}"`);
-    }
-    const unit = match[2];
-    return value * UNIT_MS[unit];
+## Available Tools
+
+### MCP Tools (lousy-agents server)
+
+- **discover_feedback_loops**: Discover npm scripts and CLI tools from workflows, mapped to SDLC phases (test, build, lint, format, security). Returns structured results grouped by phase. **Start here.**
+- **discover_environment**: Discover environment config files (mise.toml, .nvmrc, .python-version, etc.) and detect package managers.
+
+### Custom Tools
+
+- **read_project_file**: Read any file in the repository (truncated at 100KB). Use to inspect configs discovered via MCP tools.
+- **validate_allow_rule**: Check whether a proposed command is safe for the allow list (rejects commands containing shell metacharacters).
+
+## Response Format
+
+After exploring, respond with **only** a JSON object matching this exact schema — no markdown fences, no explanation:
+
+\`\`\`json
+{
+  "additionalAllowRules": ["<command>", ...],
+  "suggestions": ["<human-readable suggestion>", ...]
 }
-async function resolveReadEventsDir(env, deps) {
-    const projectRoot = deps.cwd();
-    const defaultDir = (0,external_node_path_namespaceObject.join)(projectRoot, ".agent-shell", "events");
-    const logDir = env.AGENTSHELL_LOG_DIR;
-    if (logDir !== undefined && logDir !== "") {
-        const projectRootReal = await deps.realpath(projectRoot);
-        const candidate = (0,external_node_path_namespaceObject.resolve)(projectRoot, logDir);
-        if (!isWithinProjectRoot(candidate, projectRoot) && !isWithinProjectRoot(candidate, projectRootReal)) {
-            return {
-                dir: "",
-                error: "AGENTSHELL_LOG_DIR resolves outside project root"
-            };
-        }
-        let resolved;
+\`\`\`
+
+- \`additionalAllowRules\`: string array of specific commands to add to the allow list
+- \`suggestions\`: string array of human-readable observations or recommendations about the policy`;
+}
+/**
+ * Builds the user prompt containing project-specific scan results
+ * and Socratic questions to guide exploration.
+ */ function buildAnalysisPrompt(scanResult, repoRoot) {
+    const scriptsList = scanResult.scripts.length > 0 ? formatScriptsSummary(scanResult.scripts) : "  (none found)";
+    const workflowList = scanResult.workflowCommands.length > 0 ? formatWorkflowSummary(scanResult.workflowCommands) : "  (none found)";
+    const miseList = scanResult.miseTasks.length > 0 ? formatMiseTasksSummary(scanResult.miseTasks) : "  (none found)";
+    const languagesList = scanResult.languages.length > 0 ? scanResult.languages.join(", ") : "(none detected)";
+    const safeRepoRoot = sanitizePromptValue(repoRoot);
+    return `# Project Analysis Request
+
+## Static Analysis Results
+
+We have already discovered the following from static file analysis:
+
+- **Repository root**: \`${safeRepoRoot}\`
+- **Detected languages**: ${languagesList}
+
+### npm scripts (from package.json)
+${scriptsList}
+
+### GitHub Actions workflow commands
+${workflowList}
+
+### Mise tasks (from mise.toml)
+${miseList}
+
+## Questions to Explore
+
+1. Call \`discover_feedback_loops\` to get a structured view of project commands mapped to SDLC phases. Are there commands the static analysis missed?
+2. Call \`discover_environment\` to understand the runtime setup. What toolchain commands does the environment require?
+3. Given the detected languages (${languagesList}), what language-specific toolchain commands (e.g. \`cargo test\`, \`go build\`, \`pip install\`) might be needed but aren't captured above?
+4. Are there any commands in the discovered lists that look suspicious or overly broad for a development workflow?
+5. Use \`validate_allow_rule\` to verify each proposed command before including it in your response.`;
+}
+
+;// CONCATENATED MODULE: external "node:fs"
+const external_node_fs_namespaceObject = __rspack_createRequire_require("node:fs");
+;// CONCATENATED MODULE: external "node:module"
+const external_node_module_namespaceObject = __rspack_createRequire_require("node:module");
+;// CONCATENATED MODULE: external "node:url"
+const external_node_url_namespaceObject = __rspack_createRequire_require("node:url");
+;// CONCATENATED MODULE: ./src/resolve-sdk.ts
+
+
+
+
+/**
+ * Resolves an npm package's ESM entry point from the user's project directory.
+ *
+ * Bundled CLIs resolve bare specifiers relative to the bundle location, not
+ * the user's working directory. This uses `createRequire` anchored at the
+ * project root to locate the package, then reads its `package.json` exports
+ * map to select the ESM entry that `import()` would use.
+ *
+ * @returns A file:// URL to the package ESM entry point, or null if not found
+ */ function resolveSdkPath(repoRoot, packageName) {
+    if (!repoRoot || !(0,external_node_path_namespaceObject.isAbsolute)(repoRoot)) return null;
+    if (/^[./]/.test(packageName) || packageName.includes("..")) return null;
+    try {
+        const projectRequire = (0,external_node_module_namespaceObject.createRequire)((0,external_node_path_namespaceObject.resolve)(repoRoot, "package.json"));
+        const cjsResolved = projectRequire.resolve(packageName);
+        const esmUrl = findEsmEntry(cjsResolved, packageName);
+        return esmUrl ?? (0,external_node_url_namespaceObject.pathToFileURL)(cjsResolved).href;
+    } catch  {
+        return null;
+    }
+}
+/**
+ * Walks up from a resolved module path to find the package root directory,
+ * then extracts the ESM entry point from its exports map.
+ */ function findEsmEntry(resolvedPath, packageName) {
+    let dir = (0,external_node_path_namespaceObject.dirname)(resolvedPath);
+    while(true){
         try {
-            resolved = await deps.realpath(candidate);
-        } catch (err) {
-            if (isPathNotFoundError(err)) {
-                return {
-                    dir: "",
-                    error: "AGENTSHELL_LOG_DIR does not exist or is not a directory"
-                };
+            const raw = (0,external_node_fs_namespaceObject.readFileSync)((0,external_node_path_namespaceObject.join)(dir, "package.json"), "utf-8");
+            const pkg = JSON.parse(raw);
+            if (typeof pkg === "object" && pkg !== null && pkg.name === packageName) {
+                const esmEntry = extractEsmEntry(pkg);
+                const full = (0,external_node_path_namespaceObject.resolve)(dir, esmEntry);
+                try {
+                    return (0,external_node_url_namespaceObject.pathToFileURL)((0,external_node_fs_namespaceObject.realpathSync)(full)).href;
+                } catch  {
+                    return null;
+                }
             }
-            throw err;
-        }
-        if (!isWithinProjectRoot(resolved, projectRootReal)) {
-            return {
-                dir: "",
-                error: "AGENTSHELL_LOG_DIR resolves outside project root"
-            };
-        }
-        return {
-            dir: resolved
-        };
+        } catch  {
+        /* no package.json at this level */ }
+        const parent = (0,external_node_path_namespaceObject.dirname)(dir);
+        if (parent === dir) return null;
+        dir = parent;
     }
-    return {
-        dir: defaultDir
-    };
 }
-function findMostRecentFile(fileMtimes) {
-    let mostRecent = fileMtimes[0];
-    for(let i = 1; i < fileMtimes.length; i++){
-        if (fileMtimes[i].mtimeMs > mostRecent.mtimeMs) {
-            mostRecent = fileMtimes[i];
-        }
+/**
+ * Extracts the ESM entry point from a parsed package.json object.
+ */ function extractEsmEntry(pkgJson) {
+    if (typeof pkgJson === "object" && pkgJson !== null) {
+        const pkg = pkgJson;
+        const esmPath = resolveExportsImportEntry(pkg.exports);
+        if (esmPath) return esmPath;
+        if (typeof pkg.main === "string" && pkg.main.length > 0) return pkg.main;
     }
-    return mostRecent.file;
+    return "index.js";
 }
-function matchesFilters(event, filters, cutoffMs) {
-    if (filters.actor !== undefined && event.actor !== filters.actor) {
-        return false;
-    }
-    if (filters.failures && !(event.event === "script_end" && event.exit_code !== 0)) {
-        return false;
-    }
-    if (filters.script !== undefined && !(event.event === "script_end" && event.script === filters.script)) {
-        return false;
+/**
+ * Navigates the exports map to find the ESM entry. Supports string-shaped
+ * exports, string-valued `exports["."]`, `exports["."].import` (string),
+ * `exports["."].import.default`, and the sugar form where condition keys
+ * (`import`/`require`) appear directly on the exports object.
+ */ function resolveExportsImportEntry(exports) {
+    if (typeof exports === "string") return exports;
+    if (typeof exports !== "object" || exports === null) return null;
+    const exportsMap = exports;
+    const dotEntry = exportsMap["."];
+    if (typeof dotEntry === "string") return dotEntry;
+    const conditionSource = typeof dotEntry === "object" && dotEntry !== null && !Array.isArray(dotEntry) ? dotEntry : exportsMap;
+    const importEntry = conditionSource.import;
+    if (typeof importEntry === "string") return importEntry;
+    if (typeof importEntry === "object" && importEntry !== null) {
+        const importMap = importEntry;
+        if (typeof importMap.default === "string") return importMap.default;
     }
-    if (cutoffMs !== undefined) {
-        const eventMs = new Date(event.timestamp).getTime();
-        if (eventMs < cutoffMs) {
-            return false;
-        }
+    return null;
+}
+
+;// CONCATENATED MODULE: ./src/copilot-enhance.ts
+
+
+
+
+
+
+const DEFAULT_MODEL = "claude-sonnet-4-6";
+const MAX_FILE_READ_BYTES = 102_400;
+const AnalysisResponseSchema = schemas_object({
+    additionalAllowRules: schemas_array(schemas_string().max(512)).max(100),
+    suggestions: schemas_array(schemas_string().max(1024)).max(100)
+});
+/**
+ * Resolves a relative path against a root directory and verifies it
+ * does not escape the root via traversal (e.g. `../../etc/passwd`).
+ *
+ * @returns The resolved absolute path, or null if it escapes the root
+ */ function resolveSafePath(repoRoot, relativePath) {
+    const root = repoRoot.replace(/\/+$/, "") || "/";
+    const resolved = (0,external_node_path_namespaceObject.resolve)(root, (0,external_node_path_namespaceObject.normalize)(relativePath));
+    const prefix = root === "/" ? "/" : `${root}/`;
+    if (!resolved.startsWith(prefix) && resolved !== root) {
+        return null;
     }
-    return true;
+    return resolved;
 }
-function parseLine(line) {
-    if (Buffer.byteLength(line, "utf-8") > MAX_LINE_BYTES) {
-        return undefined;
+/**
+ * Finds the largest byte offset ≤ maxBytes that falls on a clean UTF-8
+ * codepoint boundary within the given buffer.
+ *
+ * Prevents splitting multi-byte sequences when truncating raw buffers.
+ */ function findUtf8Boundary(buf, maxBytes) {
+    if (maxBytes >= buf.length) return buf.length;
+    if (maxBytes === 0) return 0;
+    // Check the byte at the cut point (first excluded byte).
+    // If it's not a continuation byte (10xxxxxx), maxBytes is already a
+    // clean boundary — the previous character ended before this position.
+    if ((buf[maxBytes] & 0xc0) !== 0x80) {
+        return maxBytes;
+    }
+    // The first excluded byte is a continuation byte, so we're splitting
+    // a multi-byte character. Walk backwards to find the start byte.
+    let boundary = maxBytes;
+    while(boundary > 0 && (buf[boundary - 1] & 0xc0) === 0x80){
+        boundary--;
+    }
+    // boundary-1 is now the start byte of the incomplete character.
+    // Exclude it since its full sequence extends past maxBytes.
+    if (boundary > 0) {
+        boundary--;
+    }
+    return boundary;
+}
+/**
+ * Reads a project file safely, enforcing path traversal protection
+ * and byte-level truncation. Extracted for testability.
+ */ async function readProjectFileSafe(repoRoot, pathArg) {
+    if (pathArg.length === 0) {
+        return {
+            error: "Path is required"
+        };
     }
-    let parsed;
+    const safePath = resolveSafePath(repoRoot, pathArg);
+    if (safePath === null) {
+        return {
+            error: "Path is outside the repository"
+        };
+    }
+    let fileBuffer;
     try {
-        parsed = JSON.parse(line);
+        const root = repoRoot.replace(/\/+$/, "") || "/";
+        const [realRoot, realPath] = await Promise.all([
+            (0,promises_namespaceObject.realpath)(root),
+            (0,promises_namespaceObject.realpath)(safePath)
+        ]);
+        const realPrefix = realRoot === "/" ? "/" : `${realRoot}/`;
+        if (!realPath.startsWith(realPrefix) && realPath !== realRoot) {
+            return {
+                error: "Path is outside the repository"
+            };
+        }
+        fileBuffer = await (0,promises_namespaceObject.readFile)(realPath);
     } catch  {
-        return undefined;
-    }
-    const result = ScriptEventSchema.safeParse(parsed);
-    if (!result.success) {
-        return undefined;
+        return {
+            error: "File not found or unreadable"
+        };
     }
-    return result.data;
-}
-async function queryEvents(eventsDir, filters, deps) {
-    const allFiles = await deps.readdir(eventsDir);
-    const jsonlFiles = allFiles.filter((f)=>f.endsWith(".jsonl"));
-    if (jsonlFiles.length === 0) {
+    // Buffer processing outside I/O catch — programming bugs in
+    // findUtf8Boundary propagate instead of being silently swallowed.
+    if (fileBuffer.length <= MAX_FILE_READ_BYTES) {
         return {
-            events: [],
-            truncatedFiles: []
+            content: fileBuffer.toString("utf-8"),
+            truncated: false
         };
     }
-    let filesToRead;
-    if (filters.last === undefined) {
-        const fileMtimes = await Promise.all(jsonlFiles.map(async (file)=>{
-            const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
-            const s = await deps.stat(filePath);
-            return {
-                file,
-                mtimeMs: s.mtimeMs
-            };
-        }));
-        filesToRead = [
-            findMostRecentFile(fileMtimes)
-        ];
-    } else {
-        filesToRead = jsonlFiles;
-    }
-    const cutoffMs = filters.last ? Date.now() - parseDuration(filters.last) : undefined;
-    const events = [];
-    const truncatedFiles = [];
-    for (const file of filesToRead){
-        const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
-        let lineCount = 0;
-        for await (const line of deps.readFileLines(filePath)){
-            if (lineCount >= MAX_LINES_PER_FILE) {
-                deps.writeStderr(`agent-shell: file ${file} exceeds ${MAX_LINES_PER_FILE} lines, truncating\n`);
-                truncatedFiles.push(file);
-                break;
-            }
-            lineCount++;
-            const event = parseLine(line);
-            if (event === undefined) {
-                continue;
+    const boundary = findUtf8Boundary(fileBuffer, MAX_FILE_READ_BYTES);
+    return {
+        content: fileBuffer.subarray(0, boundary).toString("utf-8"),
+        truncated: true
+    };
+}
+/**
+ * Creates custom tools that allow the Copilot model to read files
+ * and validate proposed allow rules. Structured project discovery
+ * is handled by the lousy-agents MCP server (connected via mcpServers).
+ */ function createCustomTools(repoRoot, defineTool) {
+    const readProjectFile = defineTool("read_project_file", {
+        description: "Read a file from the project repository. Returns file content (truncated at 100KB). Use to inspect build configs, Dockerfiles, Makefiles, etc.",
+        parameters: {
+            type: "object",
+            properties: {
+                path: {
+                    type: "string",
+                    description: "Relative path from repository root"
+                }
+            },
+            required: [
+                "path"
+            ]
+        },
+        skipPermission: true,
+        handler: (args)=>readProjectFileSafe(repoRoot, args.path ?? "")
+    });
+    const validateAllowRule = defineTool("validate_allow_rule", {
+        description: "Check whether a proposed allow rule is safe (does not contain shell metacharacters like ;, |, &, `, $, etc.).",
+        parameters: {
+            type: "object",
+            properties: {
+                command: {
+                    type: "string",
+                    description: "The command to validate as a policy rule"
+                }
+            },
+            required: [
+                "command"
+            ]
+        },
+        skipPermission: true,
+        handler: async (args)=>{
+            const command = args.command ?? "";
+            if (isSafeCommand(command)) {
+                return {
+                    safe: true,
+                    reason: "No shell metacharacters detected"
+                };
             }
-            if (matchesFilters(event, filters, cutoffMs)) {
-                events.push(event);
+            const normalized = command.trim();
+            if (normalized.length === 0) {
+                return {
+                    safe: false,
+                    reason: "Empty or whitespace-only commands are not allowed in policy rules"
+                };
             }
+            return {
+                safe: false,
+                reason: "Contains shell metacharacters — compound commands are not allowed in policy rules"
+            };
         }
-    }
-    return {
-        events,
-        truncatedFiles
-    };
+    });
+    return [
+        readProjectFile,
+        validateAllowRule
+    ];
 }
-async function listSessions(eventsDir, deps) {
-    const allFiles = await deps.readdir(eventsDir);
-    const jsonlFiles = allFiles.filter((f)=>f.endsWith(".jsonl"));
-    if (jsonlFiles.length === 0) {
-        return [];
-    }
-    const summaries = [];
-    for (const file of jsonlFiles){
-        const sessionId = file.replace(/\.jsonl$/, "");
-        const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
-        let firstEvent;
-        let lastEvent;
-        let eventCount = 0;
-        const actorSet = new Set();
-        for await (const line of deps.readFileLines(filePath)){
-            let parsed;
+/**
+ * Attempts to use the @github/copilot-sdk to enhance policy generation
+ * with AI-powered project analysis. Connects to the lousy-agents MCP
+ * server for structured project discovery (feedback loops, environment)
+ * and provides custom tools for file reading and rule validation.
+ * Falls back gracefully if the SDK or Copilot CLI is not available.
+ *
+ * @returns Enhanced analysis results, or null if the SDK is unavailable
+ */ async function enhanceWithCopilot(scanResult, repoRoot, writeStderr, model = DEFAULT_MODEL) {
+    let importSucceeded = false;
+    try {
+        const sdkPath = resolveSdkPath(repoRoot, "@github/copilot-sdk");
+        const { CopilotClient, defineTool, approveAll } = sdkPath ? await import(/* webpackIgnore: true */ sdkPath) : await __webpack_require__.e(/* import() */ "300").then(__webpack_require__.bind(__webpack_require__, 791));
+        importSucceeded = true;
+        const client = new CopilotClient();
+        const tools = createCustomTools(repoRoot, defineTool);
+        try {
+            await client.start();
+            const session = await client.createSession({
+                model,
+                tools,
+                onPermissionRequest: approveAll,
+                systemMessage: {
+                    content: buildSystemMessage()
+                },
+                mcpServers: {
+                    "lousy-agents": {
+                        type: "local",
+                        command: "npx",
+                        args: [
+                            "-y",
+                            "@lousy-agents/mcp"
+                        ],
+                        cwd: repoRoot,
+                        tools: [
+                            "discover_feedback_loops",
+                            "discover_environment"
+                        ]
+                    }
+                }
+            });
             try {
-                parsed = JSON.parse(line);
-            } catch  {
-                continue;
-            }
-            const result = ScriptEventSchema.safeParse(parsed);
-            if (!result.success) {
-                continue;
+                const prompt = buildAnalysisPrompt(scanResult, repoRoot);
+                const response = await session.sendAndWait({
+                    prompt
+                });
+                const data = typeof response?.data === "object" && response.data !== null ? response.data : undefined;
+                const content = data !== undefined && "content" in data && typeof data.content === "string" ? data.content : "";
+                return parseAnalysisResponse(content);
+            } finally{
+                await session.disconnect();
             }
-            const event = result.data;
-            eventCount++;
-            actorSet.add(event.actor);
-            if (firstEvent === undefined || event.timestamp < firstEvent) {
-                firstEvent = event.timestamp;
+        } finally{
+            await client.stop();
+        }
+    } catch (err) {
+        if (process.env.AGENT_SHELL_COPILOT_DEBUG) {
+            if (importSucceeded) {
+                writeStderr(`agent-shell: Copilot analysis failed — ${sanitizeForStderr(err)}\n`);
+            } else {
+                writeStderr("agent-shell: Copilot SDK not available — using static analysis only\n");
             }
-            if (lastEvent === undefined || event.timestamp > lastEvent) {
-                lastEvent = event.timestamp;
+        }
+        return null;
+    }
+}
+/**
+ * Finds the first well-formed JSON object in `content` using brace-balancing,
+ * rather than a greedy regex that could capture extra trailing braces and
+ * fail JSON.parse on valid responses that include preamble or postamble text.
+ */ function extractFirstJsonObject(content) {
+    const start = content.indexOf("{");
+    if (start === -1) {
+        return null;
+    }
+    let inString = false;
+    let escaping = false;
+    let depth = 0;
+    for(let i = start; i < content.length; i += 1){
+        const ch = content[i];
+        if (escaping) {
+            escaping = false;
+            continue;
+        }
+        if (ch === "\\") {
+            if (inString) {
+                escaping = true;
             }
+            continue;
         }
-        if (eventCount > 0 && firstEvent !== undefined && lastEvent !== undefined) {
-            summaries.push({
-                sessionId,
-                firstEvent,
-                lastEvent,
-                eventCount,
-                actors: [
-                    ...actorSet
-                ]
-            });
+        if (ch === '"') {
+            inString = !inString;
+            continue;
+        }
+        if (!inString) {
+            if (ch === "{") {
+                depth += 1;
+            } else if (ch === "}") {
+                depth -= 1;
+                if (depth === 0) {
+                    return content.slice(start, i + 1);
+                }
+            }
         }
     }
-    summaries.sort((a, b)=>b.lastEvent.localeCompare(a.lastEvent));
-    return summaries;
+    return null;
+}
+function parseAnalysisResponse(content) {
+    const jsonText = extractFirstJsonObject(content);
+    if (!jsonText) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(jsonText);
+        return AnalysisResponseSchema.parse(parsed);
+    } catch  {
+        return null;
+    }
 }
 
-;// CONCATENATED MODULE: ./src/log/index.ts
-
-
-
+;// CONCATENATED MODULE: ./src/project-scanner.ts
 
 
-function parseLogArgs(args) {
-    const options = {
-        failures: false,
-        listSessions: false,
-        json: false
-    };
-    let i = 0;
-    while(i < args.length){
-        const arg = args[i];
-        switch(arg){
-            case "--last":
-                if (i + 1 < args.length) {
-                    options.last = args[++i];
-                } else {
-                    options.errors = options.errors ?? [];
-                    options.errors.push("--last requires a value (e.g., 30m, 1h, 1d)");
-                }
-                break;
-            case "--actor":
-                if (i + 1 < args.length) {
-                    options.actor = args[++i];
-                } else {
-                    options.errors = options.errors ?? [];
-                    options.errors.push("--actor requires a value");
-                }
-                break;
-            case "--failures":
-                options.failures = true;
-                break;
-            case "--script":
-                if (i + 1 < args.length) {
-                    options.script = args[++i];
-                } else {
-                    options.errors = options.errors ?? [];
-                    options.errors.push("--script requires a value");
-                }
-                break;
-            case "--list-sessions":
-                options.listSessions = true;
-                break;
-            case "--json":
-                options.json = true;
-                break;
-        }
-        i++;
+const MAX_WORKFLOW_FILES = 100;
+const MAX_FILE_SIZE_BYTES = 524_288;
+const LANGUAGE_MARKERS = {
+    "package.json": "node",
+    "requirements.txt": "python",
+    // biome-ignore lint/style/useNamingConvention: filename on disk
+    Pipfile: "python",
+    "pyproject.toml": "python",
+    "setup.py": "python",
+    "go.mod": "go",
+    "Cargo.toml": "rust",
+    // biome-ignore lint/style/useNamingConvention: filename on disk
+    Gemfile: "ruby",
+    "pom.xml": "java",
+    "build.gradle": "java",
+    "build.gradle.kts": "java"
+};
+async function fileExists(path) {
+    try {
+        const s = await (0,promises_namespaceObject.stat)(path);
+        return s.isFile();
+    } catch  {
+        return false;
     }
-    return options;
 }
-function createDefaultQueryDeps() {
-    return {
-        readdir: (path)=>(0,promises_namespaceObject.readdir)(path),
-        stat: (path)=>(0,promises_namespaceObject.stat)(path).then((s)=>({
-                    mtimeMs: s.mtimeMs
-                })),
-        realpath: (path)=>(0,promises_namespaceObject.realpath)(path),
-        cwd: ()=>process.cwd(),
-        readFileLines: (path)=>(0,external_node_readline_namespaceObject.createInterface)({
-                input: (0,external_node_fs_namespaceObject.createReadStream)(path, {
-                    encoding: "utf-8"
-                })
-            }),
-        writeStderr: (msg)=>{
-            process.stderr.write(msg);
-        }
-    };
-}
-async function runLog(args) {
-    const options = parseLogArgs(args);
-    const deps = createDefaultQueryDeps();
-    if (options.errors && options.errors.length > 0) {
-        for (const err of options.errors){
-            process.stderr.write(`agent-shell: ${err}\n`);
-        }
-        return 1;
-    }
-    const { dir, error } = await resolveReadEventsDir(process.env, deps);
-    if (error) {
-        process.stderr.write(`agent-shell: ${error}\n`);
-        return 1;
-    }
-    if (options.last) {
-        try {
-            parseDuration(options.last);
-        } catch (err) {
-            process.stderr.write(`agent-shell: ${err.message}\n`);
-            return 1;
-        }
-    }
+async function dirExists(path) {
     try {
-        await deps.readdir(dir);
+        const s = await (0,promises_namespaceObject.stat)(path);
+        return s.isDirectory();
     } catch  {
-        process.stdout.write("No events recorded yet.\n\n");
-        process.stdout.write("To enable instrumentation, add to your .npmrc:\n");
-        process.stdout.write("  script-shell=./node_modules/.bin/agent-shell\n");
-        return 0;
-    }
-    if (options.listSessions) {
-        const sessions = await listSessions(dir, deps);
-        if (sessions.length === 0) {
-            process.stdout.write("No sessions found.\n");
-            return 0;
-        }
-        process.stdout.write(formatSessionsTable(sessions));
-        process.stdout.write("\n");
-        return 0;
-    }
-    const result = await queryEvents(dir, {
-        actor: options.actor,
-        failures: options.failures || undefined,
-        script: options.script,
-        last: options.last
-    }, deps);
-    if (result.events.length === 0) {
-        process.stdout.write("No matching events found.\n");
-        return 0;
-    }
-    if (options.json) {
-        process.stdout.write(formatEventsJson(result.events));
-        process.stdout.write("\n");
-    } else {
-        process.stdout.write(formatEventsTable(result.events));
-        process.stdout.write("\n");
+        return false;
     }
-    return 0;
 }
-
-;// CONCATENATED MODULE: ./src/mode.ts
-const MODEL_PATTERN = /^[a-zA-Z0-9._-]+$/;
-function parsePolicyInitOptions(args) {
-    const options = {};
-    for (const arg of args.slice(2)){
-        if (arg.startsWith("--model=")) {
-            const value = arg.slice("--model=".length);
-            if (value.length > 0 && value.length <= 128 && MODEL_PATTERN.test(value)) {
-                options.model = value;
+async function discoverScripts(targetDir) {
+    const packageJsonPath = (0,external_node_path_namespaceObject.join)(targetDir, "package.json");
+    if (!await fileExists(packageJsonPath)) {
+        return [];
+    }
+    try {
+        const fileStat = await (0,promises_namespaceObject.stat)(packageJsonPath);
+        if (fileStat.size > MAX_FILE_SIZE_BYTES) {
+            return [];
+        }
+        const content = await (0,promises_namespaceObject.readFile)(packageJsonPath, "utf-8");
+        const parsed = JSON.parse(content);
+        if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+            return [];
+        }
+        const pkg = parsed;
+        const scripts = pkg.scripts;
+        if (scripts === null || scripts === undefined || typeof scripts !== "object" || Array.isArray(scripts)) {
+            return [];
+        }
+        const result = [];
+        for (const [name, command] of Object.entries(scripts)){
+            if (typeof command === "string") {
+                result.push({
+                    name,
+                    command
+                });
             }
         }
+        return result;
+    } catch  {
+        return [];
     }
-    return options;
 }
-function resolveMode(args, env) {
-    const firstArg = args[0];
-    if (firstArg === "policy-check") return {
-        type: "policy-check"
-    };
-    if (firstArg === "policy" && args[1] === "--init") {
-        const options = parsePolicyInitOptions(args);
-        return {
-            type: "policy-init",
-            model: options.model
-        };
+async function discoverWorkflowCommands(targetDir) {
+    const workflowsDir = (0,external_node_path_namespaceObject.join)(targetDir, ".github", "workflows");
+    if (!await dirExists(workflowsDir)) {
+        return [];
     }
-    if (env.AGENTSHELL_PASSTHROUGH === "1") {
-        return {
-            type: "passthrough",
-            args
-        };
+    let files;
+    try {
+        files = await (0,promises_namespaceObject.readdir)(workflowsDir);
+    } catch  {
+        return [];
     }
-    if (firstArg === "--version") return {
-        type: "version"
-    };
-    if (firstArg === "-c" && args[1]) return {
-        type: "shim",
-        command: args[1]
-    };
-    if (firstArg === "log") return {
-        type: "log"
-    };
-    return {
-        type: "usage"
-    };
-}
-
-;// CONCATENATED MODULE: ./src/sanitize.ts
-/**
- * Escapes ASCII and C1 control characters in error messages before writing
- * to stderr. Replaces each control character with its `\xNN` hex
- * representation to prevent log/terminal injection when errors embed
- * untrusted data.
- */ function sanitizeForStderr(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
-    return msg.replace(/[\u0000-\u001f\u007f-\u009f]/g, (ch)=>{
-        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
-    });
+    const yamlFiles = files.filter((f)=>f.endsWith(".yml") || f.endsWith(".yaml")).slice(0, MAX_WORKFLOW_FILES);
+    const allCommands = [];
+    for (const file of yamlFiles){
+        try {
+            const filePath = (0,external_node_path_namespaceObject.join)(workflowsDir, file);
+            const fileStat = await (0,promises_namespaceObject.stat)(filePath);
+            if (fileStat.size > MAX_FILE_SIZE_BYTES) {
+                continue;
+            }
+            const content = await (0,promises_namespaceObject.readFile)(filePath, "utf-8");
+            const commands = extractRunCommandsFromYaml(content);
+            allCommands.push(...commands);
+        } catch  {}
+    }
+    return [
+        ...new Set(allCommands)
+    ].filter(isUsefulCommand);
 }
 /**
- * Escapes ASCII and C1 control characters (except newline) in output text.
- * Like sanitizeForStderr but preserves newlines for JSON formatting.
- */ function sanitizeOutput(text) {
-    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
-    return text.replace(/[\u0000-\u0009\u000b-\u001f\u007f-\u009f]/g, (ch)=>{
-        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
-    });
-}
-/**
- * Sanitizes untrusted values before embedding in prompts.
- * Strips newlines and all backticks that could inject instructions,
- * and truncates to a safe length.
- */ function sanitizePromptValue(value) {
-    return value.replace(/[\n\r]/g, " ").replace(/`/g, "").slice(0, 256);
-}
-/**
- * Shell metacharacters that indicate compound or piped commands.
- * Commands containing these are excluded from the allow list because
- * they could mask injection (e.g. `npm test && curl evil`).
- */ const SHELL_METACHAR_PATTERN = /[;|&`><$()\\\n\r]/;
-/**
- * Returns true if the command is non-empty, contains no shell metacharacters,
- * and is safe to include in a policy allow list.
- */ function isSafeCommand(command) {
-    const normalized = command.trim();
-    if (normalized.length === 0) {
-        return false;
-    }
-    return !SHELL_METACHAR_PATTERN.test(normalized);
+ * Patterns that match shell control structures, variable assignments,
+ * and other non-command lines extracted from multi-line workflow `run:`
+ * blocks. These are filtered out because they are not meaningful tool
+ * invocations that should appear in a policy allow list — only actual
+ * commands (npm, mise, node, git, etc.) are useful for policy rules.
+ */ const SHELL_NOISE_PATTERNS = [
+    /^(if|then|else|elif|fi|for|while|do|done|case|esac)\b/,
+    /^(set\s+[+-]e|set\s+[+-]o)/,
+    /^(exit\s+\d|exit\s+\$)/,
+    /^\w+="?\$\{\{/,
+    /^[A-Z_]+=("[^"]*"|'[^']*'|\S+)\s*\\?$/,
+    /^(echo|printf)\s/,
+    /^(cd|mkdir|rm|test)\s/,
+    /^>\s/,
+    /^(else|fi|done|esac)$/,
+    /^\w+=\$\?$/,
+    /^\\$/,
+    /^'[^']*'\s*\\?$/,
+    /^"[^"]*"\s*\\?$/,
+    /^node\s+"?\$/
+];
+function isUsefulCommand(cmd) {
+    if (cmd.length < 3) return false;
+    if (cmd.endsWith(")") && !cmd.includes("(")) return false;
+    return !SHELL_NOISE_PATTERNS.some((pattern)=>pattern.test(cmd));
 }
-
-;// CONCATENATED MODULE: ./src/policy.ts
-
-
-
-
-const DEFAULT_POLICY_SUBPATH = ".github/hooks/agent-shell/policy.json";
 /**
- * Glob matcher supporting only `*` wildcards.
- *
- * Splits the rule on `*` into literal segments and checks that each
- * segment appears in the command in order. O(n·m) worst case where
- * n = command length and m = rule length, with no exponential
- * backtracking (unlike regex `.*` quantifiers).
- */ function matchesRule(command, rule) {
-    const segments = rule.split("*");
-    if (segments.length === 1) {
-        return command === rule;
-    }
-    const prefixSegment = segments[0];
-    const suffixSegment = segments[segments.length - 1];
-    const innerSegments = segments.slice(1, -1);
-    if (!command.startsWith(prefixSegment)) {
-        return false;
-    }
-    let cursor = prefixSegment.length;
-    for (const segment of innerSegments){
-        const index = command.indexOf(segment, cursor);
-        if (index === -1) {
-            return false;
+ * Simple extraction of `run:` values from YAML content.
+ * Uses line-based parsing rather than a full YAML parser to avoid
+ * adding yaml as a dependency to agent-shell.
+ */ function extractRunCommandsFromYaml(content) {
+    const commands = [];
+    const lines = content.split("\n");
+    let inRunBlock = false;
+    let runIndent = 0;
+    let isFoldedBlock = false;
+    let foldedLines = [];
+    let continuationBuffer = "";
+    function flushFoldedBlock() {
+        if (foldedLines.length > 0) {
+            commands.push(foldedLines.join(" "));
+            foldedLines = [];
         }
-        cursor = index + segment.length;
-    }
-    const suffixStart = command.length - suffixSegment.length;
-    return suffixStart >= cursor && command.endsWith(suffixSegment);
-}
-function evaluatePolicy(policy, command) {
-    if (policy === null) {
-        return {
-            decision: "allow",
-            matchedRule: null
-        };
     }
-    const trimmed = command.trim();
-    if (SHELL_METACHAR_PATTERN.test(trimmed)) {
-        return {
-            decision: "deny",
-            matchedRule: null
-        };
-    }
-    for (const rule of policy.deny){
-        if (matchesRule(trimmed, rule)) {
-            return {
-                decision: "deny",
-                matchedRule: rule
-            };
+    function flushContinuation() {
+        if (continuationBuffer.length > 0) {
+            commands.push(continuationBuffer);
+            continuationBuffer = "";
         }
     }
-    if (policy.allow !== undefined) {
-        const matchesAny = policy.allow.some((rule)=>matchesRule(trimmed, rule));
-        if (!matchesAny) {
-            return {
-                decision: "deny",
-                matchedRule: null
-            };
+    for(let i = 0; i < lines.length; i++){
+        const line = lines[i];
+        if (line === undefined) continue;
+        const trimmed = line.trimStart();
+        const indent = line.length - trimmed.length;
+        if (inRunBlock) {
+            if (trimmed.length === 0) {
+                continue;
+            }
+            if (indent > runIndent) {
+                let cmd = trimmed.trimEnd();
+                cmd = cmd.replace(/\s+#.*$/, "").trimEnd();
+                const isContinuation = cmd.endsWith("\\");
+                if (isContinuation) {
+                    cmd = cmd.slice(0, -1).trimEnd();
+                }
+                if (cmd.length > 0 && !cmd.startsWith("#")) {
+                    if (isFoldedBlock) {
+                        foldedLines.push(cmd);
+                    } else if (isContinuation) {
+                        continuationBuffer = continuationBuffer.length > 0 ? `${continuationBuffer} ${cmd}` : cmd;
+                    } else if (continuationBuffer.length > 0) {
+                        commands.push(`${continuationBuffer} ${cmd}`);
+                        continuationBuffer = "";
+                    } else {
+                        commands.push(cmd);
+                    }
+                }
+            } else {
+                flushContinuation();
+                if (isFoldedBlock) {
+                    flushFoldedBlock();
+                }
+                inRunBlock = false;
+                isFoldedBlock = false;
+            }
+        }
+        if (!inRunBlock) {
+            const runMatch = trimmed.match(/^-?\s*run:\s*(.*)$/);
+            if (runMatch) {
+                const value = runMatch[1]?.trim();
+                const firstToken = value ? value.split(/[ \t#]/, 1)[0] ?? "" : "";
+                if (/^[|>][-+]?$/.test(firstToken)) {
+                    inRunBlock = true;
+                    runIndent = indent;
+                    isFoldedBlock = firstToken.startsWith(">");
+                    foldedLines = [];
+                } else if (value && value.length > 0) {
+                    let command;
+                    const quoteMatch = value.match(/^(["'])(.*)\1/);
+                    if (quoteMatch) {
+                        command = quoteMatch[2] ?? "";
+                    } else {
+                        command = value.replace(/\s+#.*$/, "").trim();
+                    }
+                    if (command.length > 0 && !command.startsWith("#")) {
+                        commands.push(command);
+                    }
+                }
+            }
         }
     }
-    return {
-        decision: "allow",
-        matchedRule: null
-    };
+    flushContinuation();
+    if (isFoldedBlock) {
+        flushFoldedBlock();
+    }
+    return commands;
 }
 /**
- * Escapes ASCII control characters in a path before embedding it in an error
- * message. Prevents log/terminal injection when the path originates from an
- * environment variable (e.g. AGENTSHELL_POLICY_PATH).
- */ function sanitizePath(path) {
-    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
-    return path.replace(/[\u0000-\u001f\u007f]/g, (ch)=>{
-        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
-    });
-}
-function resolvePolicyPath(env, repoRoot) {
-    const override = env.AGENTSHELL_POLICY_PATH;
-    if (override !== undefined && override !== "") {
-        if ((0,external_node_path_namespaceObject.isAbsolute)(override)) {
-            // Absolute path — use as-is (will be validated after realpath)
-            return {
-                path: override,
-                isOverride: true
-            };
-        }
-        // Relative path — resolve relative to repo root
-        return {
-            path: (0,external_node_path_namespaceObject.join)(repoRoot, override),
-            isOverride: true
-        };
+ * Parse mise.toml to extract task definitions.
+ * Uses simple line-based parsing for [tasks.*] sections.
+ */ async function discoverMiseTasks(targetDir) {
+    const miseTomlPath = (0,external_node_path_namespaceObject.join)(targetDir, "mise.toml");
+    if (!await fileExists(miseTomlPath)) {
+        return [];
     }
-    return {
-        path: (0,external_node_path_namespaceObject.join)(repoRoot, DEFAULT_POLICY_SUBPATH),
-        isOverride: false
-    };
-}
-async function loadPolicy(env, deps) {
-    const rawRepoRoot = deps.getRepositoryRoot();
-    const repoRoot = await deps.realpath(rawRepoRoot);
-    const { path: candidatePath, isOverride } = resolvePolicyPath(env, repoRoot);
-    let resolvedPath;
     try {
-        resolvedPath = await deps.realpath(candidatePath);
-    } catch (error) {
-        if (isPathNotFoundError(error)) {
-            if (isOverride) {
-                throw new Error(`Policy override path does not exist: ${sanitizePath(candidatePath)}`);
-            }
-            return null;
+        const fileStat = await (0,promises_namespaceObject.stat)(miseTomlPath);
+        if (fileStat.size > MAX_FILE_SIZE_BYTES) {
+            return [];
         }
-        throw error;
-    }
-    if (!isWithinProjectRoot(resolvedPath, repoRoot)) {
-        throw new Error(`Policy file path resolves outside the repository root: ${sanitizePath(resolvedPath)}`);
+        const content = await (0,promises_namespaceObject.readFile)(miseTomlPath, "utf-8");
+        return parseMiseTomlTasks(content);
+    } catch  {
+        return [];
     }
-    let content;
-    try {
-        content = await deps.readFile(resolvedPath, "utf-8");
-    } catch (error) {
-        if (isPathNotFoundError(error)) {
-            if (isOverride) {
-                throw new Error(`Policy override path does not exist: ${sanitizePath(resolvedPath)}`);
+}
+function parseMiseTomlTasks(content) {
+    const tasks = [];
+    const lines = content.split("\n");
+    let currentTaskName = null;
+    let inMultiLineRun = false;
+    let multiLineCommand = "";
+    for (const line of lines){
+        const trimmed = line.trim();
+        if (inMultiLineRun) {
+            if (trimmed === '"""' || trimmed === "'''") {
+                inMultiLineRun = false;
+                const cmd = multiLineCommand.trim();
+                if (currentTaskName !== null && cmd.length > 0) {
+                    const firstLine = cmd.split("\n").map((l)=>l.trim()).find((l)=>l.length > 0);
+                    if (firstLine) {
+                        tasks.push({
+                            name: currentTaskName,
+                            command: firstLine
+                        });
+                    }
+                }
+                multiLineCommand = "";
+                continue;
+            }
+            multiLineCommand += `${trimmed}\n`;
+            continue;
+        }
+        const sectionMatch = trimmed.match(/^\[tasks\.([^\]]+)\]$/);
+        if (sectionMatch?.[1]) {
+            currentTaskName = sectionMatch[1];
+            continue;
+        }
+        if (trimmed.startsWith("[") && !trimmed.startsWith("[tasks.")) {
+            currentTaskName = null;
+            continue;
+        }
+        if (currentTaskName !== null) {
+            if (/^run\s*=\s*"""/.test(trimmed) || /^run\s*=\s*'''/.test(trimmed)) {
+                inMultiLineRun = true;
+                multiLineCommand = "";
+                continue;
+            }
+            const runMatch = trimmed.match(/^run\s*=\s*(?:"([^"]*)"|'([^']*)')/);
+            if (runMatch) {
+                const command = runMatch[1] ?? runMatch[2] ?? "";
+                if (command.length > 0) {
+                    tasks.push({
+                        name: currentTaskName,
+                        command
+                    });
+                }
             }
-            return null;
         }
-        throw error;
-    }
-    let parsed;
-    try {
-        parsed = JSON.parse(content);
-    } catch  {
-        throw new Error(`Invalid JSON in policy file ${sanitizePath(resolvedPath)}: file exists but contains malformed JSON`);
-    }
-    return PolicyConfigSchema.parse(parsed);
-}
-
-;// CONCATENATED MODULE: ./src/actor.ts
-// Best-effort agent detection env vars (Phase 1):
-// - CLAUDE_CODE: Set by Claude Code (`CLAUDE_CODE=1`) in its shell sessions
-// - COPILOT_AGENT: Set by GitHub Copilot coding agent in its shell sessions
-// - COPILOT_CLI: Set by GitHub Copilot CLI (`COPILOT_CLI=1`) in its shell sessions
-// - COPILOT_CLI_BINARY_VERSION: Set by GitHub Copilot CLI (e.g. `COPILOT_CLI_BINARY_VERSION=1.0.4`)
-// If these prove incorrect, the detection rule should be removed entirely.
-/**
- * Determines who initiated a script execution based on environment variables.
- *
- * Detection priority (first match wins):
- * 1. Explicit override via AGENTSHELL_ACTOR
- * 2. CI detection via GITHUB_ACTIONS
- * 3. Known coding agent detection (Claude Code, GitHub Copilot)
- * 4. Fallback to "human"
- */ function detectActor(env) {
-    const override = env.AGENTSHELL_ACTOR;
-    if (override !== undefined && override !== "") {
-        return override;
-    }
-    if (env.GITHUB_ACTIONS === "true") {
-        return "ci";
-    }
-    if (env.CLAUDE_CODE !== undefined && env.CLAUDE_CODE !== "") {
-        return "claude-code";
-    }
-    if (env.COPILOT_AGENT !== undefined && env.COPILOT_AGENT !== "") {
-        return "copilot";
-    }
-    if (env.COPILOT_CLI !== undefined && env.COPILOT_CLI !== "" || env.COPILOT_CLI_BINARY_VERSION !== undefined && env.COPILOT_CLI_BINARY_VERSION !== "") {
-        return "copilot";
     }
-    return "human";
+    return tasks;
 }
-
-;// CONCATENATED MODULE: ./src/env-capture.ts
-const TAG_PREFIX = "AGENTSHELL_TAG_";
-const MAX_VALUE_BYTES = 1024;
-const MAX_TAGS = 50;
-const TRUNCATION_SUFFIX = "…[truncated]";
-const PROTOTYPE_POLLUTION_KEYS = new Set([
-    "__proto__",
-    "constructor",
-    "prototype"
-]);
-const ALLOWLIST_PREFIXES = [
-    "npm_lifecycle_",
-    "github_",
-    "agentshell_"
-];
-const ALLOWLIST_EXACT = new Set([
-    "npm_package_name",
-    "npm_package_version",
-    "node_env",
-    "ci"
-]);
-const BLOCKLIST_PATTERNS = [
-    "secret",
-    "token",
-    "key",
-    "password",
-    "credential",
-    "auth"
-];
-function isAllowlisted(name) {
-    const lower = name.toLowerCase();
-    if (ALLOWLIST_EXACT.has(lower)) {
-        return true;
+async function detectLanguages(targetDir) {
+    const detected = new Set();
+    for (const [filename, language] of Object.entries(LANGUAGE_MARKERS)){
+        if (await fileExists((0,external_node_path_namespaceObject.join)(targetDir, filename))) {
+            detected.add(language);
+        }
     }
-    return ALLOWLIST_PREFIXES.some((prefix)=>lower.startsWith(prefix));
-}
-function isBlocklisted(name) {
-    const lower = name.toLowerCase();
-    return BLOCKLIST_PATTERNS.some((pattern)=>lower.includes(pattern));
-}
-function isTagVariable(name) {
-    return name.startsWith(TAG_PREFIX);
+    return [
+        ...detected
+    ];
 }
-function truncateValue(value) {
-    const bytes = Buffer.byteLength(value, "utf-8");
-    if (bytes <= MAX_VALUE_BYTES) {
-        return {
-            value,
-            truncated: false
-        };
-    }
-    const buf = Buffer.from(value, "utf-8");
-    const sliced = buf.subarray(0, MAX_VALUE_BYTES).toString("utf-8");
+/**
+ * Scans a project directory to discover tools, commands, and languages.
+ * Uses static file analysis without requiring external dependencies.
+ */ async function scanProject(targetDir) {
+    const [scripts, workflowCommands, miseTasks, languages] = await Promise.all([
+        discoverScripts(targetDir),
+        discoverWorkflowCommands(targetDir),
+        discoverMiseTasks(targetDir),
+        detectLanguages(targetDir)
+    ]);
     return {
-        value: `${sliced}${TRUNCATION_SUFFIX}`,
-        truncated: true
+        scripts,
+        workflowCommands,
+        miseTasks,
+        languages
     };
 }
-function captureEnv(env) {
-    const result = Object.create(null);
-    let anyTruncated = false;
-    for (const [name, value] of Object.entries(env)){
-        if (value === undefined) continue;
-        if (!isAllowlisted(name)) continue;
-        if (isBlocklisted(name)) continue;
-        if (isTagVariable(name)) continue;
-        const { value: finalValue, truncated } = truncateValue(value);
-        result[name] = finalValue;
-        if (truncated) anyTruncated = true;
-    }
-    if (anyTruncated) {
-        result._env_truncated = "true";
-    }
-    return result;
-}
-function captureTags(env) {
-    const result = Object.create(null);
-    let anyTruncatedOrDiscarded = false;
-    const entries = [];
-    for (const [name, value] of Object.entries(env)){
-        if (value === undefined) continue;
-        if (!name.startsWith(TAG_PREFIX)) continue;
-        const tagKey = name.slice(TAG_PREFIX.length).toLowerCase();
-        if (PROTOTYPE_POLLUTION_KEYS.has(tagKey)) continue;
-        entries.push([
-            tagKey,
-            value
-        ]);
-    }
-    entries.sort((a, b)=>a[0].localeCompare(b[0]));
-    if (entries.length > MAX_TAGS) {
-        anyTruncatedOrDiscarded = true;
-        entries.length = MAX_TAGS;
-    }
-    for (const [key, rawValue] of entries){
-        const { value, truncated } = truncateValue(rawValue);
-        result[key] = value;
-        if (truncated) anyTruncatedOrDiscarded = true;
-    }
-    if (anyTruncatedOrDiscarded) {
-        result._tags_truncated = "true";
-    }
-    return result;
-}
 
-;// CONCATENATED MODULE: ./src/telemetry.ts
-// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+;// CONCATENATED MODULE: ./src/policy-init.ts
 
 
 
 
 
-const SESSION_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
-const DEFAULT_EVENTS_SUBDIR = ".agent-shell/events";
-async function realpathExistingAncestor(targetPath, deps) {
-    let current = targetPath;
-    while(true){
-        try {
-            return await deps.realpath(current);
-        } catch (err) {
-            if (!isPathNotFoundError(err)) throw err;
-            const parent = (0,external_node_path_namespaceObject.dirname)(current);
-            if (parent === current) return null;
-            current = parent;
-        }
-    }
-}
-function resolveSessionId(env, deps) {
-    const provided = env.AGENTSHELL_SESSION_ID;
-    if (provided === undefined || provided === "") {
-        return deps.randomUUID();
-    }
-    if (provided.includes("..") || provided.includes("/") || provided.includes("\\") || !SESSION_ID_PATTERN.test(provided)) {
-        deps.writeStderr(`agent-shell: invalid AGENTSHELL_SESSION_ID "${provided}", generating new ID\n`);
-        return deps.randomUUID();
-    }
-    return provided;
-}
-async function resolveWriteEventsDir(env, deps) {
-    const projectRoot = deps.cwd();
-    const defaultDir = (0,external_node_path_namespaceObject.join)(projectRoot, DEFAULT_EVENTS_SUBDIR);
-    const logDir = env.AGENTSHELL_LOG_DIR;
-    if (logDir !== undefined && logDir !== "") {
-        // Canonicalize projectRoot for real-path comparisons; handles symlinked cwd
-        const projectRootReal = await deps.realpath(projectRoot);
-        // Reject external paths (allowing either logical or real project root)
-        const resolvedLogical = (0,external_node_path_namespaceObject.resolve)(projectRoot, logDir);
-        if (!isWithinProjectRoot(resolvedLogical, projectRoot) && !isWithinProjectRoot(resolvedLogical, projectRootReal)) {
-            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root, using default\n`);
-            await deps.mkdir(defaultDir, {
-                recursive: true
-            });
-            return defaultDir;
+// Exact-match entries for agent-shell's own commands prevent the preToolUse
+// hook from blocking its sibling hooks. Wildcard entries (ending with *) cover
+// common read-only git commands. The final allow list is sorted alphabetically.
+const DEFAULT_SAFE_COMMANDS = [
+    "agent-shell policy-check",
+    "agent-shell record",
+    "git status *",
+    "git diff *",
+    "git log *",
+    "git show *",
+    "git branch --show-current",
+    "git branch --list *",
+    "git rev-parse *",
+    "pwd"
+];
+const DEFAULT_DENY_RULES = [
+    "rm -rf *",
+    "sudo *"
+];
+const POLICY_SUBPATH = ".github/hooks/agent-shell/policy.json";
+const HOOKS_SUBPATH = ".github/hooks/agent-shell/hooks.json";
+/**
+ * Extracts the script or task name from a command string, skipping any
+ * flags (tokens starting with `-`) that appear between the prefix and
+ * the actual name. For example, `npm run -s build` or `npm run --silent build`
+ * both return `build`. Splits on any whitespace to avoid empty tokens from
+ * multiple consecutive spaces.
+ */ function extractNameAfterPrefix(cmd, prefix) {
+    const tokens = cmd.slice(prefix.length).trim().split(/\s+/);
+    for (const token of tokens){
+        if (token.length > 0 && !token.startsWith("-")) {
+            return token;
         }
-        // Validate existing ancestor realpath before mkdir to prevent symlink escape
-        const ancestorReal = await realpathExistingAncestor(resolvedLogical, deps);
-        if (ancestorReal === null || !isWithinProjectRoot(ancestorReal, projectRootReal)) {
-            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root via ancestor symlink, using default\n`);
-            await deps.mkdir(defaultDir, {
-                recursive: true
-            });
-            return defaultDir;
+    }
+    return "";
+}
+/**
+ * Generates a policy configuration from project scan results.
+ * Creates an allow list of commands discovered in the project,
+ * plus common safe defaults. Includes standard deny rules.
+ *
+ * Allow rules use exact match by default to prevent shell
+ * metacharacter bypass (e.g. `npm test && curl evil`).
+ * Wildcard `*` is only used for commands where subcommand
+ * arguments are inherently expected and the base command
+ * is genuinely read-only (e.g. `git status *`).
+ */ function generatePolicy(scanResult) {
+    const allowSet = new Set();
+    for (const cmd of DEFAULT_SAFE_COMMANDS){
+        allowSet.add(cmd);
+    }
+    for (const script of scanResult.scripts){
+        const name = script.name.trim();
+        if (name.length === 0) {
+            continue;
         }
-        await deps.mkdir(resolvedLogical, {
-            recursive: true
-        });
-        const resolved = await deps.realpath(resolvedLogical);
-        if (!isWithinProjectRoot(resolved, projectRootReal)) {
-            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root, using default\n`);
-            await deps.mkdir(defaultDir, {
-                recursive: true
-            });
-            return defaultDir;
+        if (SHELL_METACHAR_PATTERN.test(name)) {
+            continue;
+        }
+        if (name === "test") {
+            allowSet.add("npm test");
+        } else {
+            allowSet.add(`npm run ${name}`);
         }
-        return resolved;
     }
-    await deps.mkdir(defaultDir, {
+    for (const cmd of scanResult.workflowCommands){
+        if (cmd === "npm test" || cmd.startsWith("npm test ")) {
+            allowSet.add("npm test");
+            if (cmd !== "npm test" && !SHELL_METACHAR_PATTERN.test(cmd)) {
+                allowSet.add(cmd);
+            }
+        } else if (cmd.startsWith("npm run ")) {
+            const scriptName = extractNameAfterPrefix(cmd, "npm run ");
+            if (scriptName) {
+                allowSet.add(`npm run ${scriptName}`);
+                if (cmd !== `npm run ${scriptName}` && !SHELL_METACHAR_PATTERN.test(cmd)) {
+                    allowSet.add(cmd);
+                }
+            } else if (!SHELL_METACHAR_PATTERN.test(cmd)) {
+                allowSet.add(cmd);
+            }
+        } else if (cmd === "npm ci" || cmd === "npm install") {
+            allowSet.add(cmd);
+        } else if (cmd.startsWith("npx ")) {
+            if (!SHELL_METACHAR_PATTERN.test(cmd)) {
+                allowSet.add(cmd);
+            }
+        } else if (cmd.startsWith("mise run ")) {
+            const taskName = extractNameAfterPrefix(cmd, "mise run ");
+            if (taskName) {
+                allowSet.add(`mise run ${taskName}`);
+                if (cmd !== `mise run ${taskName}` && !SHELL_METACHAR_PATTERN.test(cmd)) {
+                    allowSet.add(cmd);
+                }
+            } else if (!SHELL_METACHAR_PATTERN.test(cmd)) {
+                allowSet.add(cmd);
+            }
+        } else {
+            if (!SHELL_METACHAR_PATTERN.test(cmd)) {
+                allowSet.add(cmd);
+            }
+        }
+    }
+    for (const task of scanResult.miseTasks){
+        const taskName = task.name.trim();
+        if (taskName.length > 0 && !SHELL_METACHAR_PATTERN.test(taskName)) {
+            allowSet.add(`mise run ${taskName}`);
+        }
+    }
+    if (scanResult.miseTasks.length > 0) {
+        allowSet.add("mise install");
+    }
+    const allow = [
+        ...allowSet
+    ].sort();
+    return {
+        allow,
+        deny: [
+            ...DEFAULT_DENY_RULES
+        ]
+    };
+}
+/**
+ * Generates the Copilot hooks.json configuration with agent-shell
+ * hooks based on the provided feature flags.
+ * Defaults to policyCheck only for backward compatibility.
+ */ function generateHooksConfig(options = {}) {
+    const { flightRecorder, policyCheck } = {
+        policyCheck: true,
+        ...options
+    };
+    const config = {
+        version: 1,
+        hooks: {}
+    };
+    if (policyCheck) {
+        config.hooks.preToolUse = [
+            {
+                type: "command",
+                bash: "agent-shell policy-check",
+                timeoutSec: 30
+            }
+        ];
+    }
+    if (flightRecorder) {
+        config.hooks.postToolUse = [
+            {
+                type: "command",
+                bash: "agent-shell record",
+                timeoutSec: 30
+            }
+        ];
+    }
+    return config;
+}
+/**
+ * Writes a file atomically, skipping if the file already exists.
+ * Uses the `wx` (exclusive create) flag to avoid TOCTOU races
+ * between a check and write.
+ */ async function writeFileIfNotExists(filePath, parentDir, content, subpath, writeStdout) {
+    await (0,promises_namespaceObject.mkdir)(parentDir, {
         recursive: true
     });
-    return defaultDir;
+    try {
+        await (0,promises_namespaceObject.writeFile)(filePath, content, {
+            flag: "wx"
+        });
+        writeStdout(`Created ${subpath}\n`);
+    } catch (error) {
+        if (error && typeof error === "object" && "code" in error && error.code === "EEXIST") {
+            writeStdout(`Skipping ${subpath} — file already exists\n`);
+        } else {
+            throw error;
+        }
+    }
 }
-async function writeEvent(eventsDir, sessionId, event, deps) {
-    const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, `${sessionId}.jsonl`);
-    const line = `${JSON.stringify(event)}\n`;
-    await deps.appendFile(filePath, line);
+/**
+ * Handles the `policy --init` command.
+ * Scans the project, generates a policy and hooks configuration,
+ * and writes them to disk. Optionally uses @github/copilot-sdk
+ * for AI-enhanced analysis when available.
+ */ async function handlePolicyInit(deps) {
+    const repoRoot = deps.getRepositoryRoot();
+    deps.writeStdout("Scanning project...\n");
+    const scanResult = await scanProject(repoRoot);
+    deps.writeStdout(`Discovered: ${scanResult.scripts.length} npm script(s), ` + `${scanResult.workflowCommands.length} workflow command(s), ` + `${scanResult.miseTasks.length} mise task(s), ` + `${scanResult.languages.length} language(s)\n`);
+    const policy = generatePolicy(scanResult);
+    const enhanced = await enhanceWithCopilot(scanResult, repoRoot, deps.writeStderr, deps.model);
+    if (enhanced !== null) {
+        deps.writeStdout("Enhanced with Copilot analysis\n");
+        if (enhanced.additionalAllowRules.length > 0) {
+            deps.writeStdout("\nSuggested additional allow rules from Copilot (not auto-applied):\n");
+            for (const rule of enhanced.additionalAllowRules){
+                if (isSafeCommand(rule)) {
+                    deps.writeStdout(`  - ${sanitizeOutput(rule)}\n`);
+                } else {
+                    deps.writeStdout(`  - [UNSAFE, skipped] ${sanitizeOutput(rule)}\n`);
+                }
+            }
+        }
+        if (enhanced.suggestions.length > 0) {
+            deps.writeStdout("\nSuggestions from Copilot:\n");
+            for (const suggestion of enhanced.suggestions){
+                deps.writeStdout(`  - ${sanitizeOutput(suggestion)}\n`);
+            }
+        }
+    }
+    const hooksConfig = generateHooksConfig();
+    const policyPath = (0,external_node_path_namespaceObject.join)(repoRoot, POLICY_SUBPATH);
+    const hooksPath = (0,external_node_path_namespaceObject.join)(repoRoot, HOOKS_SUBPATH);
+    const policyContent = `${JSON.stringify(policy, null, 2)}\n`;
+    const hooksContent = `${JSON.stringify(hooksConfig, null, 2)}\n`;
+    await writeFileIfNotExists(policyPath, (0,external_node_path_namespaceObject.join)(repoRoot, ".github", "hooks", "agent-shell"), policyContent, POLICY_SUBPATH, deps.writeStdout);
+    await writeFileIfNotExists(hooksPath, (0,external_node_path_namespaceObject.join)(repoRoot, ".github", "hooks", "agent-shell"), hooksContent, HOOKS_SUBPATH, deps.writeStdout);
+    deps.writeStdout("\n--- Proposed Policy ---\n");
+    deps.writeStdout(`${sanitizeOutput(JSON.stringify(policy, null, 2))}\n`);
+    deps.writeStdout("\n--- Hook Configuration ---\n");
+    deps.writeStdout(`${sanitizeOutput(JSON.stringify(hooksConfig, null, 2))}\n`);
 }
-async function emitScriptEndEvent(options, deps) {
-    const sessionId = resolveSessionId(options.env, deps);
-    const eventsDir = await resolveWriteEventsDir(options.env, deps);
-    const capturedEnv = captureEnv(options.env);
-    const tags = captureTags(options.env);
-    const event = {
-        v: SCHEMA_VERSION,
-        session_id: sessionId,
-        event: "script_end",
-        command: options.command,
-        actor: detectActor(options.env),
-        exit_code: options.result.exitCode,
-        signal: options.result.signal,
-        duration_ms: options.result.durationMs,
-        timestamp: deps.now(),
-        env: capturedEnv,
-        tags,
-        ...options.env.npm_lifecycle_event && {
-            script: options.env.npm_lifecycle_event
-        },
-        ...options.env.npm_package_name && {
-            package: options.env.npm_package_name
-        },
-        ...options.env.npm_package_version && {
-            package_version: options.env.npm_package_version
+
+;// CONCATENATED MODULE: ./src/types.ts
+// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+
+const SCHEMA_VERSION = 1;
+const baseFields = {
+    v: literal(1),
+    session_id: schemas_string(),
+    command: schemas_string(),
+    actor: schemas_string(),
+    timestamp: schemas_string(),
+    env: record(schemas_string(), schemas_string()),
+    tags: record(schemas_string(), schemas_string())
+};
+const ScriptEndEventSchema = schemas_object({
+    ...baseFields,
+    event: literal("script_end"),
+    script: schemas_string().optional(),
+    package: schemas_string().optional(),
+    package_version: schemas_string().optional(),
+    exit_code: schemas_number().int(),
+    signal: schemas_string().nullable(),
+    duration_ms: schemas_number()
+}).strict();
+const ShimErrorEventSchema = schemas_object({
+    ...baseFields,
+    event: literal("shim_error")
+}).strict();
+const PolicyDecisionEventSchema = schemas_object({
+    ...baseFields,
+    event: literal("policy_decision"),
+    decision: schemas_enum([
+        "allow",
+        "deny"
+    ]),
+    matched_rule: schemas_string().nullable()
+}).strict();
+const ToolUseEventSchema = schemas_object({
+    ...baseFields,
+    event: literal("tool_use"),
+    tool_name: schemas_string()
+}).strict();
+const ScriptEventSchema = discriminatedUnion("event", [
+    ScriptEndEventSchema,
+    ShimErrorEventSchema,
+    PolicyDecisionEventSchema,
+    ToolUseEventSchema
+]);
+const MAX_POLICY_RULES = 10_000;
+const MAX_RULE_LENGTH = 1024;
+const policyRuleArray = schemas_array(schemas_string().max(MAX_RULE_LENGTH)).max(MAX_POLICY_RULES);
+const PolicyConfigSchema = schemas_object({
+    allow: policyRuleArray.optional(),
+    deny: policyRuleArray.default(()=>[])
+}).strict();
+// NOTE: This schema mirrors CopilotHookCommandSchema in @lousy-agents/core
+// (packages/core/src/entities/copilot-hook-schema.ts). Keep them aligned.
+// agent-shell cannot import from core since it is a standalone published binary.
+const MAX_HOOKS_PER_EVENT = 100;
+/** Regex that allows standard env var names and rejects __proto__ (the prototype-polluting key). */ const ENV_KEY_PATTERN = /^(?!__proto__$)[a-zA-Z_][a-zA-Z0-9_]*$/;
+const HookCommandSchema = schemas_object({
+    type: literal("command"),
+    bash: schemas_string().min(1, "Hook bash command must not be empty").optional(),
+    powershell: schemas_string().min(1, "Hook PowerShell command must not be empty").optional(),
+    cwd: schemas_string().optional(),
+    timeoutSec: schemas_number().positive().optional(),
+    env: record(schemas_string().regex(ENV_KEY_PATTERN, "Hook env key must be a valid identifier (no prototype-polluting keys)"), schemas_string()).optional()
+}).strict().refine((data)=>Boolean(data.bash) || Boolean(data.powershell), {
+    message: "At least one of 'bash' or 'powershell' must be provided and non-empty"
+});
+const hookArray = schemas_array(HookCommandSchema).max(MAX_HOOKS_PER_EVENT);
+const HooksConfigSchema = schemas_object({
+    version: literal(1),
+    hooks: schemas_object({
+        sessionStart: hookArray.optional(),
+        userPromptSubmitted: hookArray.optional(),
+        preToolUse: hookArray.optional(),
+        postToolUse: hookArray.optional(),
+        sessionEnd: hookArray.optional()
+    }).strict()
+}).strict();
+
+;// CONCATENATED MODULE: ./src/init-command.ts
+
+
+
+
+
+
+const init_command_HOOKS_SUBPATH = ".github/hooks/agent-shell/hooks.json";
+const init_command_POLICY_SUBPATH = ".github/hooks/agent-shell/policy.json";
+const HOOKS_PARENT = ".github/hooks/agent-shell";
+const AGENT_SHELL_POLICY_CHECK = "agent-shell policy-check";
+const AGENT_SHELL_RECORD = "agent-shell record";
+const AGENT_SHELL_ALLOW_ENTRIES = [
+    AGENT_SHELL_POLICY_CHECK,
+    AGENT_SHELL_RECORD
+];
+function hasHookCommand(hooks, expectedCommand) {
+    if (!Array.isArray(hooks)) {
+        return false;
+    }
+    return hooks.some((hook)=>{
+        if (typeof hook !== "object" || hook === null) {
+            return false;
         }
-    };
-    await writeEvent(eventsDir, sessionId, event, deps);
+        const bashMatch = "bash" in hook && typeof hook.bash === "string" && hook.bash === expectedCommand;
+        const powershellMatch = "powershell" in hook && typeof hook.powershell === "string" && hook.powershell === expectedCommand;
+        return bashMatch || powershellMatch;
+    });
 }
-async function emitShimErrorEvent(options, deps) {
-    const sessionId = resolveSessionId(options.env, deps);
-    const eventsDir = await resolveWriteEventsDir(options.env, deps);
-    const capturedEnv = captureEnv(options.env);
-    const tags = captureTags(options.env);
-    const event = {
-        v: SCHEMA_VERSION,
-        session_id: sessionId,
-        event: "shim_error",
-        command: options.command,
-        actor: detectActor(options.env),
-        timestamp: deps.now(),
-        env: capturedEnv,
-        tags
+/**
+ * Ensures agent-shell's own commands are in an existing policy.json allow list.
+ * Returns a discriminated union:
+ * - `patched` with new content when entries were added
+ * - `unchanged` when all entries are already present
+ * - `invalid` when the file cannot be parsed or fails schema validation
+ */ function ensureAgentShellAllowed(content) {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    } catch  {
+        return {
+            status: "invalid",
+            reason: "JSON parse error"
+        };
+    }
+    const result = PolicyConfigSchema.safeParse(parsed);
+    if (!result.success) {
+        return {
+            status: "invalid",
+            reason: "policy schema validation failed"
+        };
+    }
+    const policy = result.data;
+    const allow = policy.allow ? [
+        ...policy.allow
+    ] : [];
+    const missing = AGENT_SHELL_ALLOW_ENTRIES.filter((entry)=>!allow.includes(entry));
+    if (missing.length === 0) {
+        return {
+            status: "unchanged"
+        };
+    }
+    allow.push(...missing);
+    const patched = {
+        ...policy,
+        allow
+    };
+    return {
+        status: "patched",
+        content: `${JSON.stringify(patched, null, 2)}\n`
     };
-    await writeEvent(eventsDir, sessionId, event, deps);
 }
-async function emitPolicyDecisionEvent(options, deps) {
-    const depsWithProjectRoot = {
-        ...deps,
-        cwd: ()=>options.projectRoot
+function detectExistingFeatures(config) {
+    return {
+        hasPreToolUse: hasHookCommand(config.hooks.preToolUse, AGENT_SHELL_POLICY_CHECK),
+        hasPostToolUse: hasHookCommand(config.hooks.postToolUse, AGENT_SHELL_RECORD)
     };
-    const sessionId = resolveSessionId(options.env, deps);
-    const eventsDir = await resolveWriteEventsDir(options.env, depsWithProjectRoot);
-    const capturedEnv = captureEnv(options.env);
-    const tags = captureTags(options.env);
-    const event = {
-        v: SCHEMA_VERSION,
-        session_id: sessionId,
-        event: "policy_decision",
-        command: options.command,
-        decision: options.decision,
-        matched_rule: options.matched_rule,
-        actor: detectActor(options.env),
-        timestamp: deps.now(),
-        env: capturedEnv,
-        tags
+}
+async function loadExistingHooksConfig(hooksPath, deps) {
+    try {
+        const raw = await deps.readFile(hooksPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return {
+            config: HooksConfigSchema.parse(parsed),
+            error: false
+        };
+    } catch (err) {
+        if (isPathNotFoundError(err)) {
+            return {
+                config: null,
+                error: false
+            };
+        }
+        deps.writeStderr(`agent-shell: failed to read existing hooks.json: ${sanitizeForStderr(err)}\n`);
+        return {
+            config: null,
+            error: true
+        };
+    }
+}
+function hasExplicitFlags(flags) {
+    return flags.flightRecorder || flags.policy || flags.noFlightRecorder || flags.noPolicy;
+}
+/**
+ * Resolves feature selections in explicit-flag mode.
+ * Only features with an explicit --flag are enabled; unspecified features
+ * are not added (existing hooks are preserved via config merge).
+ */ function resolveExplicitFlagSelections(flags) {
+    let enableFlightRecorder;
+    let enablePolicy;
+    if (flags.noFlightRecorder) {
+        enableFlightRecorder = false;
+    } else {
+        enableFlightRecorder = flags.flightRecorder;
+    }
+    if (flags.noPolicy) {
+        enablePolicy = false;
+    } else {
+        enablePolicy = flags.policy;
+    }
+    return {
+        enableFlightRecorder,
+        enablePolicy
     };
-    await writeEvent(eventsDir, sessionId, event, depsWithProjectRoot);
 }
-
-;// CONCATENATED MODULE: ./src/policy-check.ts
-// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
-
-
-
-
-const TERMINAL_TOOLS = new Set([
-    "bash",
-    "zsh",
-    "ash",
-    "sh"
-]);
-const HookInputSchema = schemas_object({
-    toolName: schemas_string(),
-    toolArgs: unknown().optional()
-});
-function allowResponse() {
-    return JSON.stringify({
-        permissionDecision: "allow"
-    });
+async function validatePathContainment(subpath, repoRoot, deps) {
+    const resolvedPath = (0,external_node_path_namespaceObject.resolve)(repoRoot, subpath);
+    if (!isWithinProjectRoot(resolvedPath, repoRoot)) {
+        deps.writeStderr(`agent-shell: path ${subpath} resolves outside repository root, aborting\n`);
+        return false;
+    }
+    // Canonicalize repoRoot first — if this fails, the containment check
+    // is impossible and we must abort.
+    let realRepoRoot;
+    try {
+        realRepoRoot = await deps.realpath(repoRoot);
+    } catch (err) {
+        if (!isPathNotFoundError(err)) {
+            throw err;
+        }
+        deps.writeStderr(`agent-shell: repository root ${sanitizeForStderr(repoRoot)} is unreachable or cannot be canonicalized, aborting\n`);
+        return false;
+    }
+    try {
+        const realPath = await deps.realpath(resolvedPath);
+        if (!isWithinProjectRoot(realPath, realRepoRoot)) {
+            deps.writeStderr(`agent-shell: path ${subpath} resolves outside repository root via symlink, aborting\n`);
+            return false;
+        }
+    } catch (err) {
+        if (!isPathNotFoundError(err)) {
+            throw err;
+        }
+    // Target path doesn't exist yet, which is fine for new config files
+    }
+    return true;
 }
-function denyResponse(reason) {
-    return JSON.stringify({
-        permissionDecision: "deny",
-        permissionDecisionReason: reason
+async function writeConfigFile(repoRoot, subpath, content, deps) {
+    const valid = await validatePathContainment(subpath, repoRoot, deps);
+    if (!valid) {
+        return false;
+    }
+    const filePath = (0,external_node_path_namespaceObject.join)(repoRoot, subpath);
+    const parentDir = (0,external_node_path_namespaceObject.join)(repoRoot, HOOKS_PARENT);
+    await deps.mkdir(parentDir, {
+        recursive: true
     });
-}
-const TELEMETRY_TIMEOUT_MS = 5_000;
-async function tryEmitTelemetry(deps, command, decision, matchedRule) {
+    // Post-mkdir containment recheck: verify the parent directory hasn't
+    // been redirected via symlink created between the pre-check and mkdir.
+    let realRepoRoot;
     try {
-        const repoRoot = deps.policyDeps.getRepositoryRoot();
-        const emission = emitPolicyDecisionEvent({
-            command,
-            decision,
-            matched_rule: matchedRule,
-            env: deps.env,
-            projectRoot: repoRoot
-        }, deps.telemetryDeps);
-        // Prevent unhandled rejection if emission rejects after timeout wins the race
-        emission.catch(()=>{});
-        let timeoutHandle;
-        const timeout = new Promise((_, reject)=>{
-            timeoutHandle = setTimeout(()=>reject(new Error("telemetry write timed out")), TELEMETRY_TIMEOUT_MS);
-            timeoutHandle.unref();
-        });
-        try {
-            await Promise.race([
-                emission,
-                timeout
-            ]);
-        } finally{
-            if (timeoutHandle !== undefined) {
-                clearTimeout(timeoutHandle);
-            }
+        realRepoRoot = await deps.realpath(repoRoot);
+    } catch (err) {
+        if (!isPathNotFoundError(err)) {
+            throw err;
+        }
+        deps.writeStderr(`agent-shell: repository root ${sanitizeForStderr(repoRoot)} is unreachable or cannot be canonicalized, aborting\n`);
+        return false;
+    }
+    try {
+        const realParent = await deps.realpath(parentDir);
+        if (!isWithinProjectRoot(realParent, realRepoRoot)) {
+            deps.writeStderr(`agent-shell: parent directory resolves outside repository root after mkdir, aborting\n`);
+            return false;
         }
     } catch (err) {
-        deps.writeStderr(`agent-shell: telemetry write error: ${sanitizeForStderr(err)}\n`);
+        if (!isPathNotFoundError(err)) {
+            throw err;
+        }
     }
-}
-async function handlePolicyCheck(deps) {
+    // Atomic write: write to a temp file in the same directory, then rename.
+    // rename() replaces the destination directory entry atomically — if the
+    // target path is (or becomes) a symlink, rename replaces the symlink
+    // itself rather than following it, closing the TOCTOU window between
+    // validation and write.
+    // Uses crypto.randomBytes for an unpredictable suffix and exclusive-create
+    // flag ('wx' = O_CREAT | O_WRONLY | O_EXCL) so writeFile fails if a
+    // symlink or file already exists at the temp path.
+    const tmpSuffix = (0,external_node_crypto_namespaceObject.randomBytes)(8).toString("hex");
+    const tmpPath = `${filePath}.${tmpSuffix}.tmp`;
     try {
-        const rawStdin = await deps.readStdin();
-        let input;
+        await deps.writeFile(tmpPath, content, {
+            flag: "wx"
+        });
+        await deps.rename(tmpPath, filePath);
+    } catch (err) {
+        // Best-effort cleanup of orphaned temp file on rename failure
         try {
-            input = JSON.parse(rawStdin);
+            await deps.unlink(tmpPath);
         } catch  {
-            deps.writeStderr("agent-shell: failed to parse stdin as JSON\n");
-            deps.writeStdout(denyResponse("Invalid JSON input"));
-            return;
+        // Ignore cleanup errors — the temp file may not exist if
+        // writeFile failed, or the directory may be read-only.
         }
-        const hookResult = HookInputSchema.safeParse(input);
-        if (!hookResult.success) {
-            deps.writeStdout(denyResponse("Missing or invalid toolName field"));
-            return;
+        throw err;
+    }
+    deps.writeStdout(`Wrote ${subpath}\n`);
+    return true;
+}
+async function handleInit(flags, deps) {
+    const repoRoot = deps.getRepositoryRoot();
+    const hooksPath = (0,external_node_path_namespaceObject.join)(repoRoot, init_command_HOOKS_SUBPATH);
+    const { config: existingConfig, error: loadError } = await loadExistingHooksConfig(hooksPath, deps);
+    if (loadError) {
+        return false;
+    }
+    const existing = existingConfig ? detectExistingFeatures(existingConfig) : {
+        hasPreToolUse: false,
+        hasPostToolUse: false
+    };
+    if (existing.hasPreToolUse && existing.hasPostToolUse) {
+        deps.writeStdout("All features already configured in hooks.json\n");
+        return true;
+    }
+    let enableFlightRecorder;
+    let enablePolicy;
+    if (hasExplicitFlags(flags)) {
+        // Non-interactive: apply explicit flags only — don't add unspecified features
+        const selections = resolveExplicitFlagSelections(flags);
+        enableFlightRecorder = selections.enableFlightRecorder && !existing.hasPostToolUse;
+        enablePolicy = selections.enablePolicy && !existing.hasPreToolUse;
+        // If the user requested features but they're all already configured, report no-op
+        if (!enableFlightRecorder && !enablePolicy && (selections.enableFlightRecorder || selections.enablePolicy)) {
+            deps.writeStdout("Requested features already configured in hooks.json; nothing to do\n");
+            return true;
         }
-        const { toolName, toolArgs } = hookResult.data;
-        // Step 3 (per spec): load and validate policy before terminal tool check
-        // (fail-closed on invalid policy, even for non-terminal tools)
-        let policy;
-        try {
-            policy = await loadPolicy(deps.env, deps.policyDeps);
-        } catch (err) {
-            deps.writeStderr(`agent-shell: policy load error: ${sanitizeForStderr(err)}\n`);
-            deps.writeStdout(denyResponse("Failed to load policy"));
-            return;
+    } else if (!deps.isTty && deps.prompt === undefined) {
+        // Non-TTY with no explicit flags: default to enabling all missing features
+        const missing = [];
+        enableFlightRecorder = !existing.hasPostToolUse;
+        enablePolicy = !existing.hasPreToolUse;
+        if (enableFlightRecorder) missing.push("flight recording");
+        if (enablePolicy) missing.push("policy blocking");
+        if (missing.length > 0) {
+            deps.writeStderr(`agent-shell: non-interactive mode, auto-enabling: ${missing.join(", ")}\n`);
+        }
+    } else if (deps.prompt) {
+        // Interactive: prompt for each missing feature
+        enableFlightRecorder = false;
+        enablePolicy = false;
+        if (!existing.hasPostToolUse) {
+            enableFlightRecorder = await deps.prompt("Enable flight recording to capture all agent tool usage?");
+        }
+        if (!existing.hasPreToolUse) {
+            enablePolicy = await deps.prompt("Enable policy-based command blocking?");
         }
-        // Step 4 (per spec): non-terminal tools pass through with allow.
-        // Per spec: command field is empty string for non-terminal tool decisions
-        // (toolArgs is never parsed, so no command string is available).
-        if (!TERMINAL_TOOLS.has(toolName)) {
-            deps.writeStdout(allowResponse());
-            await tryEmitTelemetry(deps, "", "allow", null);
-            return;
+    } else {
+        // Fallback: enable all missing features
+        enableFlightRecorder = !existing.hasPostToolUse;
+        enablePolicy = !existing.hasPreToolUse;
+    }
+    if (!enableFlightRecorder && !enablePolicy) {
+        deps.writeStdout("No features selected, nothing to do.\n");
+        return true;
+    }
+    // Build the hooks config by merging agent-shell hooks into existing config,
+    // preserving any other hooks (sessionStart, sessionEnd, userPromptSubmitted, etc.)
+    const mergedConfig = existingConfig ? structuredClone(existingConfig) : {
+        version: 1,
+        hooks: {}
+    };
+    if (enablePolicy && !existing.hasPreToolUse) {
+        const policyHook = {
+            type: "command",
+            bash: AGENT_SHELL_POLICY_CHECK,
+            timeoutSec: 30
+        };
+        mergedConfig.hooks.preToolUse = [
+            ...mergedConfig.hooks.preToolUse ?? [],
+            policyHook
+        ];
+    }
+    if (enableFlightRecorder && !existing.hasPostToolUse) {
+        const recordHook = {
+            type: "command",
+            bash: AGENT_SHELL_RECORD,
+            timeoutSec: 30
+        };
+        mergedConfig.hooks.postToolUse = [
+            ...mergedConfig.hooks.postToolUse ?? [],
+            recordHook
+        ];
+    }
+    const hooksContent = `${JSON.stringify(mergedConfig, null, 2)}\n`;
+    const hooksWritten = await writeConfigFile(repoRoot, init_command_HOOKS_SUBPATH, hooksContent, deps);
+    if (!hooksWritten) {
+        return false;
+    }
+    // Generate policy.json if policy is being enabled and no policy file exists yet.
+    // If the file already exists, ensure agent-shell's own commands are in the allow list
+    // so that the preToolUse hook doesn't block the sibling postToolUse hook.
+    if (enablePolicy) {
+        const policyPath = (0,external_node_path_namespaceObject.join)(repoRoot, init_command_POLICY_SUBPATH);
+        let existingContent = null;
+        try {
+            existingContent = await deps.readFile(policyPath, "utf-8");
+        } catch (error) {
+            if (!isPathNotFoundError(error)) {
+                throw error;
+            }
+        }
+        if (existingContent === null) {
+            deps.writeStdout("Scanning project...\n");
+            const scanResult = await deps.scanProject(repoRoot);
+            const policy = generatePolicy(scanResult);
+            const policyContent = `${JSON.stringify(policy, null, 2)}\n`;
+            const policyWritten = await writeConfigFile(repoRoot, init_command_POLICY_SUBPATH, policyContent, deps);
+            if (!policyWritten) {
+                return false;
+            }
+        } else {
+            // Ensure agent-shell commands are in the existing allow list
+            const patchResult = ensureAgentShellAllowed(existingContent);
+            switch(patchResult.status){
+                case "patched":
+                    {
+                        const policyWritten = await writeConfigFile(repoRoot, init_command_POLICY_SUBPATH, patchResult.content, deps);
+                        if (!policyWritten) {
+                            return false;
+                        }
+                        break;
+                    }
+                case "unchanged":
+                    deps.writeStdout("Policy already exists with agent-shell rules; skipping policy.json generation.\n");
+                    break;
+                case "invalid":
+                    deps.writeStderr(`agent-shell: existing policy.json is invalid (${sanitizeForStderr(patchResult.reason)}), regenerating\n`);
+                    deps.writeStdout("Scanning project...\n");
+                    {
+                        const scanResult = await deps.scanProject(repoRoot);
+                        const policy = generatePolicy(scanResult);
+                        const policyContent = `${JSON.stringify(policy, null, 2)}\n`;
+                        const policyWritten = await writeConfigFile(repoRoot, init_command_POLICY_SUBPATH, policyContent, deps);
+                        if (!policyWritten) {
+                            return false;
+                        }
+                    }
+                    break;
+                default:
+                    {
+                        const _exhaustive = patchResult;
+                        throw new Error(`Unhandled policy patch status: ${_exhaustive.status}`);
+                    }
+            }
         }
-        // Terminal tool — validate toolArgs
-        if (typeof toolArgs !== "string") {
-            deps.writeStdout(denyResponse("Missing or non-string toolArgs for terminal tool"));
-            return;
+    }
+    // Print summary
+    const actions = [];
+    if (enableFlightRecorder) actions.push("flight recording");
+    if (enablePolicy) actions.push("policy blocking");
+    deps.writeStdout(`\nEnabled: ${actions.join(", ")}\n`);
+    return true;
+}
+
+;// CONCATENATED MODULE: ./src/log/format.ts
+
+function formatDuration(ms) {
+    if (ms < 1000) return `${Math.round(ms)}ms`;
+    if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
+    return `${(ms / 60000).toFixed(1)}m`;
+}
+function formatTimestamp(iso) {
+    const d = new Date(iso);
+    return d.toISOString().replace("T", " ").replace(/\.\d{3}Z$/, "");
+}
+function truncateCommand(command, maxLen) {
+    if (command.length <= maxLen) return command;
+    return `${command.slice(0, maxLen - 3)}...`;
+}
+function padRight(str, width) {
+    if (str.length >= width) return str;
+    return str + " ".repeat(width - str.length);
+}
+const COL_TIMESTAMP = 21;
+const COL_SCRIPT = 9;
+const COL_ACTOR = 13;
+const COL_EXIT = 6;
+const COL_DURATION = 10;
+const MAX_COMMAND_LEN = 50;
+function formatEventsTable(events) {
+    const header = padRight("TIMESTAMP", COL_TIMESTAMP) + padRight("SCRIPT", COL_SCRIPT) + padRight("ACTOR", COL_ACTOR) + padRight("EXIT", COL_EXIT) + padRight("DURATION", COL_DURATION) + "COMMAND";
+    const rows = events.map((event)=>{
+        const timestamp = formatTimestamp(event.timestamp);
+        const script = event.event === "script_end" ? event.script ?? "-" : event.event === "tool_use" ? sanitizeOutput(event.tool_name) : "-";
+        const actor = event.actor;
+        const exitCode = event.event === "script_end" ? String(event.exit_code) : "-";
+        const duration = event.event === "script_end" ? formatDuration(event.duration_ms) : "-";
+        const command = truncateCommand(event.command, MAX_COMMAND_LEN);
+        return padRight(timestamp, COL_TIMESTAMP) + padRight(script, COL_SCRIPT) + padRight(actor, COL_ACTOR) + padRight(exitCode, COL_EXIT) + padRight(duration, COL_DURATION) + command;
+    });
+    return [
+        header,
+        ...rows
+    ].join("\n");
+}
+function formatSessionsTable(sessions) {
+    const colSession = 11;
+    const colFirstEvent = 21;
+    const colLastEvent = 21;
+    const colEvents = 9;
+    const header = padRight("SESSION", colSession) + padRight("FIRST EVENT", colFirstEvent) + padRight("LAST EVENT", colLastEvent) + padRight("EVENTS", colEvents) + "ACTORS";
+    const rows = sessions.map((s)=>{
+        const sessionTrunc = s.sessionId.slice(0, 8);
+        const firstEvent = formatTimestamp(s.firstEvent);
+        const lastEvent = formatTimestamp(s.lastEvent);
+        const eventCount = String(s.eventCount);
+        const actors = s.actors.join(", ");
+        return padRight(sessionTrunc, colSession) + padRight(firstEvent, colFirstEvent) + padRight(lastEvent, colLastEvent) + padRight(eventCount, colEvents) + actors;
+    });
+    return [
+        header,
+        ...rows
+    ].join("\n");
+}
+function formatEventsJson(events) {
+    return JSON.stringify(events, null, 2);
+}
+
+;// CONCATENATED MODULE: ./src/log/query.ts
+// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+
+
+
+const DURATION_PATTERN = /^(\d+)([mhd])$/;
+const MAX_LINE_BYTES = 65_536;
+const MAX_LINES_PER_FILE = 100_000;
+const UNIT_MS = {
+    m: 60 * 1000,
+    h: 60 * 60 * 1000,
+    d: 24 * 60 * 60 * 1000
+};
+function parseDuration(duration) {
+    const match = DURATION_PATTERN.exec(duration);
+    if (!match) {
+        throw new Error(`Invalid duration format: "${duration}". Expected format: <number><unit> where unit is m, h, or d`);
+    }
+    const value = Number.parseInt(match[1], 10);
+    if (value <= 0) {
+        throw new Error(`Duration must be a positive value, got: "${duration}"`);
+    }
+    const unit = match[2];
+    return value * UNIT_MS[unit];
+}
+async function resolveReadEventsDir(env, deps) {
+    const projectRoot = deps.cwd();
+    const defaultDir = (0,external_node_path_namespaceObject.join)(projectRoot, ".agent-shell", "events");
+    const logDir = env.AGENTSHELL_LOG_DIR;
+    if (logDir !== undefined && logDir !== "") {
+        const projectRootReal = await deps.realpath(projectRoot);
+        const candidate = (0,external_node_path_namespaceObject.resolve)(projectRoot, logDir);
+        if (!isWithinProjectRoot(candidate, projectRoot) && !isWithinProjectRoot(candidate, projectRootReal)) {
+            return {
+                dir: "",
+                error: "AGENTSHELL_LOG_DIR resolves outside project root"
+            };
         }
-        let parsedArgs;
+        let resolved;
         try {
-            parsedArgs = JSON.parse(toolArgs);
-        } catch  {
-            deps.writeStderr("agent-shell: failed to parse toolArgs as JSON\n");
-            deps.writeStdout(denyResponse("Invalid JSON in toolArgs"));
-            return;
-        }
-        // toolArgs must be a non-null plain object
-        if (parsedArgs === null || typeof parsedArgs !== "object" || Array.isArray(parsedArgs)) {
-            deps.writeStdout(denyResponse("toolArgs must be a non-null plain object for terminal tools"));
-            return;
-        }
-        const obj = parsedArgs;
-        if (!Object.hasOwn(obj, "command")) {
-            deps.writeStdout(denyResponse("Missing command field in toolArgs"));
-            return;
+            resolved = await deps.realpath(candidate);
+        } catch (err) {
+            if (isPathNotFoundError(err)) {
+                return {
+                    dir: "",
+                    error: "AGENTSHELL_LOG_DIR does not exist or is not a directory"
+                };
+            }
+            throw err;
         }
-        if (typeof obj.command !== "string") {
-            deps.writeStdout(denyResponse("command field must be a string"));
-            return;
+        if (!isWithinProjectRoot(resolved, projectRootReal)) {
+            return {
+                dir: "",
+                error: "AGENTSHELL_LOG_DIR resolves outside project root"
+            };
         }
-        const command = obj.command;
-        const result = evaluatePolicy(policy, command);
-        const responseJson = result.decision === "allow" ? allowResponse() : denyResponse(`Command '${command}' denied by policy rule: ${result.matchedRule ?? "not in allow list"}`);
-        deps.writeStdout(responseJson);
-        await tryEmitTelemetry(deps, command.trim(), result.decision, result.matchedRule);
-    } catch (err) {
-        deps.writeStderr(`agent-shell: unexpected error: ${sanitizeForStderr(err)}\n`);
-        deps.writeStdout(denyResponse("Internal error during policy evaluation"));
+        return {
+            dir: resolved
+        };
     }
+    return {
+        dir: defaultDir
+    };
 }
-
-;// CONCATENATED MODULE: ./src/copilot-prompt.ts
-
-function formatScriptsSummary(scripts) {
-    return scripts.map((s)=>`  - \`${sanitizePromptValue(s.name)}\`: \`${sanitizePromptValue(s.command)}\``).join("\n");
-}
-function formatWorkflowSummary(commands) {
-    return commands.map((cmd)=>`  - \`${sanitizePromptValue(cmd)}\``).join("\n");
+function findMostRecentFile(fileMtimes) {
+    let mostRecent = fileMtimes[0];
+    for(let i = 1; i < fileMtimes.length; i++){
+        if (fileMtimes[i].mtimeMs > mostRecent.mtimeMs) {
+            mostRecent = fileMtimes[i];
+        }
+    }
+    return mostRecent.file;
 }
-function formatMiseTasksSummary(tasks) {
-    return tasks.map((t)=>`  - \`${sanitizePromptValue(t.name)}\`: \`${sanitizePromptValue(t.command)}\``).join("\n");
+function matchesFilters(event, filters, cutoffMs) {
+    if (filters.actor !== undefined && event.actor !== filters.actor) {
+        return false;
+    }
+    if (filters.failures && !(event.event === "script_end" && event.exit_code !== 0)) {
+        return false;
+    }
+    if (filters.script !== undefined && !(event.event === "script_end" && event.script === filters.script)) {
+        return false;
+    }
+    if (cutoffMs !== undefined) {
+        const eventMs = new Date(event.timestamp).getTime();
+        if (eventMs < cutoffMs) {
+            return false;
+        }
+    }
+    return true;
 }
-/**
- * Builds the system message that establishes persistent behavioral
- * constraints for the Copilot SDK session. This includes security goals,
- * tool descriptions, and response format requirements — context that
- * must be respected across all tool interactions during the session.
- */ function buildSystemMessage() {
-    return `You are a security-focused policy analyst for agent-shell — a security layer that intercepts terminal commands executed by AI coding agents. Your goal is to generate a minimal, secure allow list for a \`policy.json\` file.
-
-## Security Principles
-
-- Only commands genuinely needed for development workflows should be permitted
-- Overly broad rules create security risks (e.g. an agent could chain \`npm test && curl evil.com\`)
-- Use exact commands — avoid wildcards unless the command is genuinely read-only (e.g. \`git status *\`)
-- Always validate proposed commands with \`validate_allow_rule\` before including them
-- Commands containing shell metacharacters (\`;\`, \`|\`, \`&\`, \`\`\`, \`$\`, etc.) are never safe
-
-## Available Tools
-
-### MCP Tools (lousy-agents server)
-
-- **discover_feedback_loops**: Discover npm scripts and CLI tools from workflows, mapped to SDLC phases (test, build, lint, format, security). Returns structured results grouped by phase. **Start here.**
-- **discover_environment**: Discover environment config files (mise.toml, .nvmrc, .python-version, etc.) and detect package managers.
-
-### Custom Tools
-
-- **read_project_file**: Read any file in the repository (truncated at 100KB). Use to inspect configs discovered via MCP tools.
-- **validate_allow_rule**: Check whether a proposed command is safe for the allow list (rejects commands containing shell metacharacters).
-
-## Response Format
-
-After exploring, respond with **only** a JSON object matching this exact schema — no markdown fences, no explanation:
-
-\`\`\`json
-{
-  "additionalAllowRules": ["<command>", ...],
-  "suggestions": ["<human-readable suggestion>", ...]
+function parseLine(line) {
+    if (Buffer.byteLength(line, "utf-8") > MAX_LINE_BYTES) {
+        return undefined;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(line);
+    } catch  {
+        return undefined;
+    }
+    const result = ScriptEventSchema.safeParse(parsed);
+    if (!result.success) {
+        return undefined;
+    }
+    return result.data;
 }
-\`\`\`
-
-- \`additionalAllowRules\`: string array of specific commands to add to the allow list
-- \`suggestions\`: string array of human-readable observations or recommendations about the policy`;
+async function queryEvents(eventsDir, filters, deps) {
+    const allFiles = await deps.readdir(eventsDir);
+    const jsonlFiles = allFiles.filter((f)=>f.endsWith(".jsonl"));
+    if (jsonlFiles.length === 0) {
+        return {
+            events: [],
+            truncatedFiles: []
+        };
+    }
+    let filesToRead;
+    if (filters.last === undefined) {
+        const fileMtimes = await Promise.all(jsonlFiles.map(async (file)=>{
+            const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
+            const s = await deps.stat(filePath);
+            return {
+                file,
+                mtimeMs: s.mtimeMs
+            };
+        }));
+        filesToRead = [
+            findMostRecentFile(fileMtimes)
+        ];
+    } else {
+        filesToRead = jsonlFiles;
+    }
+    const cutoffMs = filters.last ? Date.now() - parseDuration(filters.last) : undefined;
+    const events = [];
+    const truncatedFiles = [];
+    for (const file of filesToRead){
+        const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
+        let lineCount = 0;
+        for await (const line of deps.readFileLines(filePath)){
+            if (lineCount >= MAX_LINES_PER_FILE) {
+                deps.writeStderr(`agent-shell: file ${file} exceeds ${MAX_LINES_PER_FILE} lines, truncating\n`);
+                truncatedFiles.push(file);
+                break;
+            }
+            lineCount++;
+            const event = parseLine(line);
+            if (event === undefined) {
+                continue;
+            }
+            if (matchesFilters(event, filters, cutoffMs)) {
+                events.push(event);
+            }
+        }
+    }
+    return {
+        events,
+        truncatedFiles
+    };
+}
+async function listSessions(eventsDir, deps) {
+    const allFiles = await deps.readdir(eventsDir);
+    const jsonlFiles = allFiles.filter((f)=>f.endsWith(".jsonl"));
+    if (jsonlFiles.length === 0) {
+        return [];
+    }
+    const summaries = [];
+    for (const file of jsonlFiles){
+        const sessionId = file.replace(/\.jsonl$/, "");
+        const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, file);
+        let firstEvent;
+        let lastEvent;
+        let eventCount = 0;
+        const actorSet = new Set();
+        for await (const line of deps.readFileLines(filePath)){
+            let parsed;
+            try {
+                parsed = JSON.parse(line);
+            } catch  {
+                continue;
+            }
+            const result = ScriptEventSchema.safeParse(parsed);
+            if (!result.success) {
+                continue;
+            }
+            const event = result.data;
+            eventCount++;
+            actorSet.add(event.actor);
+            if (firstEvent === undefined || event.timestamp < firstEvent) {
+                firstEvent = event.timestamp;
+            }
+            if (lastEvent === undefined || event.timestamp > lastEvent) {
+                lastEvent = event.timestamp;
+            }
+        }
+        if (eventCount > 0 && firstEvent !== undefined && lastEvent !== undefined) {
+            summaries.push({
+                sessionId,
+                firstEvent,
+                lastEvent,
+                eventCount,
+                actors: [
+                    ...actorSet
+                ]
+            });
+        }
+    }
+    summaries.sort((a, b)=>b.lastEvent.localeCompare(a.lastEvent));
+    return summaries;
 }
-/**
- * Builds the user prompt containing project-specific scan results
- * and Socratic questions to guide exploration.
- */ function buildAnalysisPrompt(scanResult, repoRoot) {
-    const scriptsList = scanResult.scripts.length > 0 ? formatScriptsSummary(scanResult.scripts) : "  (none found)";
-    const workflowList = scanResult.workflowCommands.length > 0 ? formatWorkflowSummary(scanResult.workflowCommands) : "  (none found)";
-    const miseList = scanResult.miseTasks.length > 0 ? formatMiseTasksSummary(scanResult.miseTasks) : "  (none found)";
-    const languagesList = scanResult.languages.length > 0 ? scanResult.languages.join(", ") : "(none detected)";
-    const safeRepoRoot = sanitizePromptValue(repoRoot);
-    return `# Project Analysis Request
-
-## Static Analysis Results
-
-We have already discovered the following from static file analysis:
 
-- **Repository root**: \`${safeRepoRoot}\`
-- **Detected languages**: ${languagesList}
+;// CONCATENATED MODULE: ./src/log/index.ts
 
-### npm scripts (from package.json)
-${scriptsList}
 
-### GitHub Actions workflow commands
-${workflowList}
 
-### Mise tasks (from mise.toml)
-${miseList}
 
-## Questions to Explore
 
-1. Call \`discover_feedback_loops\` to get a structured view of project commands mapped to SDLC phases. Are there commands the static analysis missed?
-2. Call \`discover_environment\` to understand the runtime setup. What toolchain commands does the environment require?
-3. Given the detected languages (${languagesList}), what language-specific toolchain commands (e.g. \`cargo test\`, \`go build\`, \`pip install\`) might be needed but aren't captured above?
-4. Are there any commands in the discovered lists that look suspicious or overly broad for a development workflow?
-5. Use \`validate_allow_rule\` to verify each proposed command before including it in your response.`;
+function parseLogArgs(args) {
+    const options = {
+        failures: false,
+        listSessions: false,
+        json: false
+    };
+    let i = 0;
+    while(i < args.length){
+        const arg = args[i];
+        switch(arg){
+            case "--last":
+                if (i + 1 < args.length) {
+                    options.last = args[++i];
+                } else {
+                    options.errors = options.errors ?? [];
+                    options.errors.push("--last requires a value (e.g., 30m, 1h, 1d)");
+                }
+                break;
+            case "--actor":
+                if (i + 1 < args.length) {
+                    options.actor = args[++i];
+                } else {
+                    options.errors = options.errors ?? [];
+                    options.errors.push("--actor requires a value");
+                }
+                break;
+            case "--failures":
+                options.failures = true;
+                break;
+            case "--script":
+                if (i + 1 < args.length) {
+                    options.script = args[++i];
+                } else {
+                    options.errors = options.errors ?? [];
+                    options.errors.push("--script requires a value");
+                }
+                break;
+            case "--list-sessions":
+                options.listSessions = true;
+                break;
+            case "--json":
+                options.json = true;
+                break;
+        }
+        i++;
+    }
+    return options;
 }
-
-;// CONCATENATED MODULE: external "node:module"
-const external_node_module_namespaceObject = __rspack_createRequire_require("node:module");
-;// CONCATENATED MODULE: external "node:url"
-const external_node_url_namespaceObject = __rspack_createRequire_require("node:url");
-;// CONCATENATED MODULE: ./src/resolve-sdk.ts
-
-
-
-
-/**
- * Resolves an npm package's ESM entry point from the user's project directory.
- *
- * Bundled CLIs resolve bare specifiers relative to the bundle location, not
- * the user's working directory. This uses `createRequire` anchored at the
- * project root to locate the package, then reads its `package.json` exports
- * map to select the ESM entry that `import()` would use.
- *
- * @returns A file:// URL to the package ESM entry point, or null if not found
- */ function resolveSdkPath(repoRoot, packageName) {
-    if (!repoRoot || !(0,external_node_path_namespaceObject.isAbsolute)(repoRoot)) return null;
-    if (/^[./]/.test(packageName) || packageName.includes("..")) return null;
+function createDefaultQueryDeps() {
+    return {
+        readdir: (path)=>(0,promises_namespaceObject.readdir)(path),
+        stat: (path)=>(0,promises_namespaceObject.stat)(path).then((s)=>({
+                    mtimeMs: s.mtimeMs
+                })),
+        realpath: (path)=>(0,promises_namespaceObject.realpath)(path),
+        cwd: ()=>process.cwd(),
+        readFileLines: (path)=>(0,external_node_readline_namespaceObject.createInterface)({
+                input: (0,external_node_fs_namespaceObject.createReadStream)(path, {
+                    encoding: "utf-8"
+                })
+            }),
+        writeStderr: (msg)=>{
+            process.stderr.write(msg);
+        }
+    };
+}
+async function runLog(args) {
+    const options = parseLogArgs(args);
+    const deps = createDefaultQueryDeps();
+    if (options.errors && options.errors.length > 0) {
+        for (const err of options.errors){
+            process.stderr.write(`agent-shell: ${err}\n`);
+        }
+        return 1;
+    }
+    const { dir, error } = await resolveReadEventsDir(process.env, deps);
+    if (error) {
+        process.stderr.write(`agent-shell: ${error}\n`);
+        return 1;
+    }
+    if (options.last) {
+        try {
+            parseDuration(options.last);
+        } catch (err) {
+            process.stderr.write(`agent-shell: ${err.message}\n`);
+            return 1;
+        }
+    }
     try {
-        const projectRequire = (0,external_node_module_namespaceObject.createRequire)((0,external_node_path_namespaceObject.resolve)(repoRoot, "package.json"));
-        const cjsResolved = projectRequire.resolve(packageName);
-        const esmUrl = findEsmEntry(cjsResolved, packageName);
-        return esmUrl ?? (0,external_node_url_namespaceObject.pathToFileURL)(cjsResolved).href;
+        await deps.readdir(dir);
     } catch  {
-        return null;
+        process.stdout.write("No events recorded yet.\n\n");
+        process.stdout.write("To enable instrumentation, add to your .npmrc:\n");
+        process.stdout.write("  script-shell=./node_modules/.bin/agent-shell\n");
+        return 0;
+    }
+    if (options.listSessions) {
+        const sessions = await listSessions(dir, deps);
+        if (sessions.length === 0) {
+            process.stdout.write("No sessions found.\n");
+            return 0;
+        }
+        process.stdout.write(formatSessionsTable(sessions));
+        process.stdout.write("\n");
+        return 0;
+    }
+    const result = await queryEvents(dir, {
+        actor: options.actor,
+        failures: options.failures || undefined,
+        script: options.script,
+        last: options.last
+    }, deps);
+    if (result.events.length === 0) {
+        process.stdout.write("No matching events found.\n");
+        return 0;
+    }
+    if (options.json) {
+        process.stdout.write(formatEventsJson(result.events));
+        process.stdout.write("\n");
+    } else {
+        process.stdout.write(formatEventsTable(result.events));
+        process.stdout.write("\n");
     }
+    return 0;
 }
-/**
- * Walks up from a resolved module path to find the package root directory,
- * then extracts the ESM entry point from its exports map.
- */ function findEsmEntry(resolvedPath, packageName) {
-    let dir = (0,external_node_path_namespaceObject.dirname)(resolvedPath);
-    while(true){
-        try {
-            const raw = (0,external_node_fs_namespaceObject.readFileSync)((0,external_node_path_namespaceObject.join)(dir, "package.json"), "utf-8");
-            const pkg = JSON.parse(raw);
-            if (typeof pkg === "object" && pkg !== null && pkg.name === packageName) {
-                const esmEntry = extractEsmEntry(pkg);
-                const full = (0,external_node_path_namespaceObject.resolve)(dir, esmEntry);
-                try {
-                    return (0,external_node_url_namespaceObject.pathToFileURL)((0,external_node_fs_namespaceObject.realpathSync)(full)).href;
-                } catch  {
-                    return null;
-                }
+
+;// CONCATENATED MODULE: ./src/mode.ts
+const MODEL_PATTERN = /^[a-zA-Z0-9._-]+$/;
+function parsePolicyInitOptions(args) {
+    const options = {};
+    for (const arg of args.slice(2)){
+        if (arg.startsWith("--model=")) {
+            const value = arg.slice("--model=".length);
+            if (value.length > 0 && value.length <= 128 && MODEL_PATTERN.test(value)) {
+                options.model = value;
             }
-        } catch  {
-        /* no package.json at this level */ }
-        const parent = (0,external_node_path_namespaceObject.dirname)(dir);
-        if (parent === dir) return null;
-        dir = parent;
+        }
     }
+    return options;
 }
-/**
- * Extracts the ESM entry point from a parsed package.json object.
- */ function extractEsmEntry(pkgJson) {
-    if (typeof pkgJson === "object" && pkgJson !== null) {
-        const pkg = pkgJson;
-        const esmPath = resolveExportsImportEntry(pkg.exports);
-        if (esmPath) return esmPath;
-        if (typeof pkg.main === "string" && pkg.main.length > 0) return pkg.main;
+function parseInitOptions(args) {
+    const options = {
+        flightRecorder: false,
+        policy: false,
+        noFlightRecorder: false,
+        noPolicy: false,
+        unknownArgs: []
+    };
+    for (const arg of args.slice(1)){
+        switch(arg){
+            case "--flight-recorder":
+                options.flightRecorder = true;
+                break;
+            case "--policy":
+                options.policy = true;
+                break;
+            case "--no-flight-recorder":
+                options.noFlightRecorder = true;
+                break;
+            case "--no-policy":
+                options.noPolicy = true;
+                break;
+            default:
+                options.unknownArgs.push(arg);
+                break;
+        }
     }
-    return "index.js";
+    return options;
 }
-/**
- * Navigates the exports map to find the ESM entry. Supports string-shaped
- * exports, string-valued `exports["."]`, `exports["."].import` (string),
- * `exports["."].import.default`, and the sugar form where condition keys
- * (`import`/`require`) appear directly on the exports object.
- */ function resolveExportsImportEntry(exports) {
-    if (typeof exports === "string") return exports;
-    if (typeof exports !== "object" || exports === null) return null;
-    const exportsMap = exports;
-    const dotEntry = exportsMap["."];
-    if (typeof dotEntry === "string") return dotEntry;
-    const conditionSource = typeof dotEntry === "object" && dotEntry !== null && !Array.isArray(dotEntry) ? dotEntry : exportsMap;
-    const importEntry = conditionSource.import;
-    if (typeof importEntry === "string") return importEntry;
-    if (typeof importEntry === "object" && importEntry !== null) {
-        const importMap = importEntry;
-        if (typeof importMap.default === "string") return importMap.default;
+function resolveMode(args, env) {
+    const firstArg = args[0];
+    if (firstArg === "policy-check") return {
+        type: "policy-check"
+    };
+    if (firstArg === "record") return {
+        type: "record"
+    };
+    if (firstArg === "init") {
+        const options = parseInitOptions(args);
+        return {
+            type: "init",
+            ...options
+        };
+    }
+    if (firstArg === "policy" && args[1] === "--init") {
+        const options = parsePolicyInitOptions(args);
+        return {
+            type: "policy-init",
+            model: options.model
+        };
+    }
+    if (env.AGENTSHELL_PASSTHROUGH === "1") {
+        return {
+            type: "passthrough",
+            args
+        };
     }
-    return null;
+    if (firstArg === "--version") return {
+        type: "version"
+    };
+    if (firstArg === "-c" && args[1]) return {
+        type: "shim",
+        command: args[1]
+    };
+    if (firstArg === "log") return {
+        type: "log"
+    };
+    return {
+        type: "usage"
+    };
 }
 
-;// CONCATENATED MODULE: ./src/copilot-enhance.ts
-
-
+;// CONCATENATED MODULE: ./src/policy.ts
 
 
 
 
-const DEFAULT_MODEL = "claude-sonnet-4-6";
-const MAX_FILE_READ_BYTES = 102_400;
-const AnalysisResponseSchema = schemas_object({
-    additionalAllowRules: schemas_array(schemas_string().max(512)).max(100),
-    suggestions: schemas_array(schemas_string().max(1024)).max(100)
-});
+const DEFAULT_POLICY_SUBPATH = ".github/hooks/agent-shell/policy.json";
 /**
- * Resolves a relative path against a root directory and verifies it
- * does not escape the root via traversal (e.g. `../../etc/passwd`).
+ * Glob matcher supporting only `*` wildcards.
  *
- * @returns The resolved absolute path, or null if it escapes the root
- */ function resolveSafePath(repoRoot, relativePath) {
-    const root = repoRoot.replace(/\/+$/, "") || "/";
-    const resolved = (0,external_node_path_namespaceObject.resolve)(root, (0,external_node_path_namespaceObject.normalize)(relativePath));
-    const prefix = root === "/" ? "/" : `${root}/`;
-    if (!resolved.startsWith(prefix) && resolved !== root) {
-        return null;
+ * Splits the rule on `*` into literal segments and checks that each
+ * segment appears in the command in order. O(n·m) worst case where
+ * n = command length and m = rule length, with no exponential
+ * backtracking (unlike regex `.*` quantifiers).
+ */ function matchesRule(command, rule) {
+    const segments = rule.split("*");
+    if (segments.length === 1) {
+        return command === rule;
     }
-    return resolved;
+    const prefixSegment = segments[0];
+    const suffixSegment = segments[segments.length - 1];
+    const innerSegments = segments.slice(1, -1);
+    if (!command.startsWith(prefixSegment)) {
+        return false;
+    }
+    let cursor = prefixSegment.length;
+    for (const segment of innerSegments){
+        const index = command.indexOf(segment, cursor);
+        if (index === -1) {
+            return false;
+        }
+        cursor = index + segment.length;
+    }
+    const suffixStart = command.length - suffixSegment.length;
+    return suffixStart >= cursor && command.endsWith(suffixSegment);
 }
-/**
- * Reads a project file safely, enforcing path traversal protection
- * and byte-level truncation. Extracted for testability.
- */ async function readProjectFileSafe(repoRoot, pathArg) {
-    if (pathArg.length === 0) {
+function evaluatePolicy(policy, command) {
+    if (policy === null) {
         return {
-            error: "Path is required"
+            decision: "allow",
+            matchedRule: null
         };
     }
-    const safePath = resolveSafePath(repoRoot, pathArg);
-    if (safePath === null) {
+    const trimmed = command.trim();
+    if (SHELL_METACHAR_PATTERN.test(trimmed)) {
         return {
-            error: "Path is outside the repository"
+            decision: "deny",
+            matchedRule: null
         };
     }
-    try {
-        const root = repoRoot.replace(/\/+$/, "") || "/";
-        const [realRoot, realPath] = await Promise.all([
-            (0,promises_namespaceObject.realpath)(root),
-            (0,promises_namespaceObject.realpath)(safePath)
-        ]);
-        const realPrefix = realRoot === "/" ? "/" : `${realRoot}/`;
-        if (!realPath.startsWith(realPrefix) && realPath !== realRoot) {
+    for (const rule of policy.deny){
+        if (matchesRule(trimmed, rule)) {
             return {
-                error: "Path is outside the repository"
+                decision: "deny",
+                matchedRule: rule
+            };
+        }
+    }
+    if (policy.allow !== undefined) {
+        const matchesAny = policy.allow.some((rule)=>matchesRule(trimmed, rule));
+        if (!matchesAny) {
+            return {
+                decision: "deny",
+                matchedRule: null
             };
         }
-        const fileBuffer = await (0,promises_namespaceObject.readFile)(realPath);
-        const isTruncated = fileBuffer.length > MAX_FILE_READ_BYTES;
-        const limitedBuffer = isTruncated ? fileBuffer.subarray(0, MAX_FILE_READ_BYTES) : fileBuffer;
-        return {
-            content: limitedBuffer.toString("utf-8"),
-            truncated: isTruncated
-        };
-    } catch  {
-        return {
-            error: "File not found or unreadable"
-        };
     }
+    return {
+        decision: "allow",
+        matchedRule: null
+    };
 }
 /**
- * Creates custom tools that allow the Copilot model to read files
- * and validate proposed allow rules. Structured project discovery
- * is handled by the lousy-agents MCP server (connected via mcpServers).
- */ function createCustomTools(repoRoot, defineTool) {
-    const readProjectFile = defineTool("read_project_file", {
-        description: "Read a file from the project repository. Returns file content (truncated at 100KB). Use to inspect build configs, Dockerfiles, Makefiles, etc.",
-        parameters: {
-            type: "object",
-            properties: {
-                path: {
-                    type: "string",
-                    description: "Relative path from repository root"
-                }
-            },
-            required: [
-                "path"
-            ]
-        },
-        skipPermission: true,
-        handler: (args)=>readProjectFileSafe(repoRoot, args.path ?? "")
+ * Escapes ASCII control characters in a path before embedding it in an error
+ * message. Prevents log/terminal injection when the path originates from an
+ * environment variable (e.g. AGENTSHELL_POLICY_PATH).
+ */ function sanitizePath(path) {
+    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentionally matching control characters for sanitization
+    return path.replace(/[\u0000-\u001f\u007f]/g, (ch)=>{
+        return `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`;
     });
-    const validateAllowRule = defineTool("validate_allow_rule", {
-        description: "Check whether a proposed allow rule is safe (does not contain shell metacharacters like ;, |, &, `, $, etc.).",
-        parameters: {
-            type: "object",
-            properties: {
-                command: {
-                    type: "string",
-                    description: "The command to validate as a policy rule"
-                }
-            },
-            required: [
-                "command"
-            ]
-        },
-        skipPermission: true,
-        handler: async (args)=>{
-            const command = args.command ?? "";
-            if (isSafeCommand(command)) {
-                return {
-                    safe: true,
-                    reason: "No shell metacharacters detected"
-                };
-            }
-            const normalized = command.trim();
-            if (normalized.length === 0) {
-                return {
-                    safe: false,
-                    reason: "Empty or whitespace-only commands are not allowed in policy rules"
-                };
-            }
+}
+function resolvePolicyPath(env, repoRoot) {
+    const override = env.AGENTSHELL_POLICY_PATH;
+    if (override !== undefined && override !== "") {
+        if ((0,external_node_path_namespaceObject.isAbsolute)(override)) {
+            // Absolute path — use as-is (will be validated after realpath)
             return {
-                safe: false,
-                reason: "Contains shell metacharacters — compound commands are not allowed in policy rules"
+                path: override,
+                isOverride: true
             };
         }
-    });
-    return [
-        readProjectFile,
-        validateAllowRule
-    ];
+        // Relative path — resolve relative to repo root
+        return {
+            path: (0,external_node_path_namespaceObject.join)(repoRoot, override),
+            isOverride: true
+        };
+    }
+    return {
+        path: (0,external_node_path_namespaceObject.join)(repoRoot, DEFAULT_POLICY_SUBPATH),
+        isOverride: false
+    };
 }
-/**
- * Attempts to use the @github/copilot-sdk to enhance policy generation
- * with AI-powered project analysis. Connects to the lousy-agents MCP
- * server for structured project discovery (feedback loops, environment)
- * and provides custom tools for file reading and rule validation.
- * Falls back gracefully if the SDK or Copilot CLI is not available.
- *
- * @returns Enhanced analysis results, or null if the SDK is unavailable
- */ async function enhanceWithCopilot(scanResult, repoRoot, writeStderr, model = DEFAULT_MODEL) {
-    let importSucceeded = false;
-    try {
-        const sdkPath = resolveSdkPath(repoRoot, "@github/copilot-sdk");
-        const { CopilotClient, defineTool, approveAll } = sdkPath ? await import(/* webpackIgnore: true */ sdkPath) : await __webpack_require__.e(/* import() */ "300").then(__webpack_require__.bind(__webpack_require__, 791));
-        importSucceeded = true;
-        const client = new CopilotClient();
-        const tools = createCustomTools(repoRoot, defineTool);
-        try {
-            await client.start();
-            const session = await client.createSession({
-                model,
-                tools,
-                onPermissionRequest: approveAll,
-                systemMessage: {
-                    content: buildSystemMessage()
-                },
-                mcpServers: {
-                    "lousy-agents": {
-                        type: "local",
-                        command: "npx",
-                        args: [
-                            "-y",
-                            "@lousy-agents/mcp"
-                        ],
-                        cwd: repoRoot,
-                        tools: [
-                            "discover_feedback_loops",
-                            "discover_environment"
-                        ]
-                    }
-                }
-            });
-            try {
-                const prompt = buildAnalysisPrompt(scanResult, repoRoot);
-                const response = await session.sendAndWait({
-                    prompt
-                });
-                const data = typeof response?.data === "object" && response.data !== null ? response.data : undefined;
-                const content = data !== undefined && "content" in data && typeof data.content === "string" ? data.content : "";
-                return parseAnalysisResponse(content);
-            } finally{
-                await session.disconnect();
-            }
-        } finally{
-            await client.stop();
-        }
-    } catch (err) {
-        if (process.env.AGENT_SHELL_COPILOT_DEBUG) {
-            if (importSucceeded) {
-                writeStderr(`agent-shell: Copilot analysis failed — ${sanitizeForStderr(err)}\n`);
-            } else {
-                writeStderr("agent-shell: Copilot SDK not available — using static analysis only\n");
+async function loadPolicy(env, deps) {
+    const rawRepoRoot = deps.getRepositoryRoot();
+    const repoRoot = await deps.realpath(rawRepoRoot);
+    const { path: candidatePath, isOverride } = resolvePolicyPath(env, repoRoot);
+    let resolvedPath;
+    try {
+        resolvedPath = await deps.realpath(candidatePath);
+    } catch (error) {
+        if (isPathNotFoundError(error)) {
+            if (isOverride) {
+                throw new Error(`Policy override path does not exist: ${sanitizePath(candidatePath)}`);
             }
+            return null;
         }
-        return null;
+        throw error;
     }
-}
-/**
- * Finds the first well-formed JSON object in `content` using brace-balancing,
- * rather than a greedy regex that could capture extra trailing braces and
- * fail JSON.parse on valid responses that include preamble or postamble text.
- */ function extractFirstJsonObject(content) {
-    const start = content.indexOf("{");
-    if (start === -1) {
-        return null;
+    if (!isWithinProjectRoot(resolvedPath, repoRoot)) {
+        throw new Error(`Policy file path resolves outside the repository root: ${sanitizePath(resolvedPath)}`);
     }
-    let inString = false;
-    let escaping = false;
-    let depth = 0;
-    for(let i = start; i < content.length; i += 1){
-        const ch = content[i];
-        if (escaping) {
-            escaping = false;
-            continue;
-        }
-        if (ch === "\\") {
-            if (inString) {
-                escaping = true;
-            }
-            continue;
-        }
-        if (ch === '"') {
-            inString = !inString;
-            continue;
-        }
-        if (!inString) {
-            if (ch === "{") {
-                depth += 1;
-            } else if (ch === "}") {
-                depth -= 1;
-                if (depth === 0) {
-                    return content.slice(start, i + 1);
-                }
+    let content;
+    try {
+        content = await deps.readFile(resolvedPath, "utf-8");
+    } catch (error) {
+        if (isPathNotFoundError(error)) {
+            if (isOverride) {
+                throw new Error(`Policy override path does not exist: ${sanitizePath(resolvedPath)}`);
             }
+            return null;
         }
+        throw error;
     }
-    return null;
-}
-function parseAnalysisResponse(content) {
-    const jsonText = extractFirstJsonObject(content);
-    if (!jsonText) {
-        return null;
-    }
+    let parsed;
     try {
-        const parsed = JSON.parse(jsonText);
-        return AnalysisResponseSchema.parse(parsed);
+        parsed = JSON.parse(content);
     } catch  {
-        return null;
+        throw new Error(`Invalid JSON in policy file ${sanitizePath(resolvedPath)}: file exists but contains malformed JSON`);
     }
+    return PolicyConfigSchema.parse(parsed);
 }
 
-;// CONCATENATED MODULE: ./src/project-scanner.ts
-
+;// CONCATENATED MODULE: ./src/actor.ts
+// Best-effort agent detection env vars (Phase 1):
+// - CLAUDE_CODE: Set by Claude Code (`CLAUDE_CODE=1`) in its shell sessions
+// - COPILOT_AGENT: Set by GitHub Copilot coding agent in its shell sessions
+// - COPILOT_CLI: Set by GitHub Copilot CLI (`COPILOT_CLI=1`) in its shell sessions
+// - COPILOT_CLI_BINARY_VERSION: Set by GitHub Copilot CLI (e.g. `COPILOT_CLI_BINARY_VERSION=1.0.4`)
+// If these prove incorrect, the detection rule should be removed entirely.
+/**
+ * Determines who initiated a script execution based on environment variables.
+ *
+ * Detection priority (first match wins):
+ * 1. Explicit override via AGENTSHELL_ACTOR
+ * 2. CI detection via GITHUB_ACTIONS
+ * 3. Known coding agent detection (Claude Code, GitHub Copilot)
+ * 4. Fallback to "human"
+ */ function detectActor(env) {
+    const override = env.AGENTSHELL_ACTOR;
+    if (override !== undefined && override !== "") {
+        return override;
+    }
+    if (env.GITHUB_ACTIONS === "true") {
+        return "ci";
+    }
+    if (env.CLAUDE_CODE !== undefined && env.CLAUDE_CODE !== "") {
+        return "claude-code";
+    }
+    if (env.COPILOT_AGENT !== undefined && env.COPILOT_AGENT !== "") {
+        return "copilot";
+    }
+    if (env.COPILOT_CLI !== undefined && env.COPILOT_CLI !== "" || env.COPILOT_CLI_BINARY_VERSION !== undefined && env.COPILOT_CLI_BINARY_VERSION !== "") {
+        return "copilot";
+    }
+    return "human";
+}
 
-const MAX_WORKFLOW_FILES = 100;
-const MAX_FILE_SIZE_BYTES = 524_288;
-const LANGUAGE_MARKERS = {
-    "package.json": "node",
-    "requirements.txt": "python",
-    // biome-ignore lint/style/useNamingConvention: filename on disk
-    Pipfile: "python",
-    "pyproject.toml": "python",
-    "setup.py": "python",
-    "go.mod": "go",
-    "Cargo.toml": "rust",
-    // biome-ignore lint/style/useNamingConvention: filename on disk
-    Gemfile: "ruby",
-    "pom.xml": "java",
-    "build.gradle": "java",
-    "build.gradle.kts": "java"
-};
-async function fileExists(path) {
-    try {
-        const s = await (0,promises_namespaceObject.stat)(path);
-        return s.isFile();
-    } catch  {
-        return false;
+;// CONCATENATED MODULE: ./src/env-capture.ts
+const TAG_PREFIX = "AGENTSHELL_TAG_";
+const MAX_VALUE_BYTES = 1024;
+const MAX_TAGS = 50;
+const TRUNCATION_SUFFIX = "…[truncated]";
+const PROTOTYPE_POLLUTION_KEYS = new Set([
+    "__proto__",
+    "constructor",
+    "prototype"
+]);
+const ALLOWLIST_PREFIXES = [
+    "npm_lifecycle_",
+    "github_",
+    "agentshell_"
+];
+const ALLOWLIST_EXACT = new Set([
+    "npm_package_name",
+    "npm_package_version",
+    "node_env",
+    "ci"
+]);
+const BLOCKLIST_PATTERNS = [
+    "secret",
+    "token",
+    "key",
+    "password",
+    "credential",
+    "auth"
+];
+function isAllowlisted(name) {
+    const lower = name.toLowerCase();
+    if (ALLOWLIST_EXACT.has(lower)) {
+        return true;
     }
+    return ALLOWLIST_PREFIXES.some((prefix)=>lower.startsWith(prefix));
 }
-async function dirExists(path) {
-    try {
-        const s = await (0,promises_namespaceObject.stat)(path);
-        return s.isDirectory();
-    } catch  {
-        return false;
+function isBlocklisted(name) {
+    const lower = name.toLowerCase();
+    return BLOCKLIST_PATTERNS.some((pattern)=>lower.includes(pattern));
+}
+function isTagVariable(name) {
+    return name.startsWith(TAG_PREFIX);
+}
+function truncateValue(value) {
+    const bytes = Buffer.byteLength(value, "utf-8");
+    if (bytes <= MAX_VALUE_BYTES) {
+        return {
+            value,
+            truncated: false
+        };
+    }
+    // Codepoint-aware truncation: iterate Unicode codepoints to prevent
+    // splitting multi-byte UTF-8 sequences at arbitrary byte boundaries
+    let byteCount = 0;
+    let truncated = "";
+    for (const ch of value){
+        const charBytes = Buffer.byteLength(ch, "utf-8");
+        if (byteCount + charBytes > MAX_VALUE_BYTES) break;
+        byteCount += charBytes;
+        truncated += ch;
     }
+    return {
+        value: `${truncated}${TRUNCATION_SUFFIX}`,
+        truncated: true
+    };
 }
-async function discoverScripts(targetDir) {
-    const packageJsonPath = (0,external_node_path_namespaceObject.join)(targetDir, "package.json");
-    if (!await fileExists(packageJsonPath)) {
-        return [];
+function captureEnv(env) {
+    const result = Object.create(null);
+    let anyTruncated = false;
+    for (const [name, value] of Object.entries(env)){
+        if (value === undefined) continue;
+        if (!isAllowlisted(name)) continue;
+        if (isBlocklisted(name)) continue;
+        if (isTagVariable(name)) continue;
+        const { value: finalValue, truncated } = truncateValue(value);
+        result[name] = finalValue;
+        if (truncated) anyTruncated = true;
     }
-    try {
-        const fileStat = await (0,promises_namespaceObject.stat)(packageJsonPath);
-        if (fileStat.size > MAX_FILE_SIZE_BYTES) {
-            return [];
-        }
-        const content = await (0,promises_namespaceObject.readFile)(packageJsonPath, "utf-8");
-        const parsed = JSON.parse(content);
-        if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
-            return [];
-        }
-        const pkg = parsed;
-        const scripts = pkg.scripts;
-        if (scripts === null || scripts === undefined || typeof scripts !== "object" || Array.isArray(scripts)) {
-            return [];
-        }
-        const result = [];
-        for (const [name, command] of Object.entries(scripts)){
-            if (typeof command === "string") {
-                result.push({
-                    name,
-                    command
-                });
-            }
-        }
-        return result;
-    } catch  {
-        return [];
+    if (anyTruncated) {
+        result._env_truncated = "true";
     }
+    return result;
 }
-async function discoverWorkflowCommands(targetDir) {
-    const workflowsDir = (0,external_node_path_namespaceObject.join)(targetDir, ".github", "workflows");
-    if (!await dirExists(workflowsDir)) {
-        return [];
+function captureTags(env) {
+    const result = Object.create(null);
+    let anyTruncatedOrDiscarded = false;
+    const entries = [];
+    for (const [name, value] of Object.entries(env)){
+        if (value === undefined) continue;
+        if (!name.startsWith(TAG_PREFIX)) continue;
+        const tagKey = name.slice(TAG_PREFIX.length).toLowerCase();
+        if (PROTOTYPE_POLLUTION_KEYS.has(tagKey)) continue;
+        entries.push([
+            tagKey,
+            value
+        ]);
+    }
+    entries.sort((a, b)=>a[0].localeCompare(b[0]));
+    if (entries.length > MAX_TAGS) {
+        anyTruncatedOrDiscarded = true;
+        entries.length = MAX_TAGS;
     }
-    let files;
-    try {
-        files = await (0,promises_namespaceObject.readdir)(workflowsDir);
-    } catch  {
-        return [];
+    for (const [key, rawValue] of entries){
+        const { value, truncated } = truncateValue(rawValue);
+        result[key] = value;
+        if (truncated) anyTruncatedOrDiscarded = true;
     }
-    const yamlFiles = files.filter((f)=>f.endsWith(".yml") || f.endsWith(".yaml")).slice(0, MAX_WORKFLOW_FILES);
-    const allCommands = [];
-    for (const file of yamlFiles){
+    if (anyTruncatedOrDiscarded) {
+        result._tags_truncated = "true";
+    }
+    return result;
+}
+
+;// CONCATENATED MODULE: ./src/telemetry.ts
+// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+
+
+
+
+
+const SESSION_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const DEFAULT_EVENTS_SUBDIR = ".agent-shell/events";
+async function realpathExistingAncestor(targetPath, deps) {
+    let current = targetPath;
+    while(true){
         try {
-            const filePath = (0,external_node_path_namespaceObject.join)(workflowsDir, file);
-            const fileStat = await (0,promises_namespaceObject.stat)(filePath);
-            if (fileStat.size > MAX_FILE_SIZE_BYTES) {
-                continue;
-            }
-            const content = await (0,promises_namespaceObject.readFile)(filePath, "utf-8");
-            const commands = extractRunCommandsFromYaml(content);
-            allCommands.push(...commands);
-        } catch  {}
+            return await deps.realpath(current);
+        } catch (err) {
+            if (!isPathNotFoundError(err)) throw err;
+            const parent = (0,external_node_path_namespaceObject.dirname)(current);
+            if (parent === current) return null;
+            current = parent;
+        }
     }
-    return [
-        ...new Set(allCommands)
-    ].filter(isUsefulCommand);
 }
-/**
- * Patterns that match shell control structures, variable assignments,
- * and other non-command lines extracted from multi-line workflow `run:`
- * blocks. These are filtered out because they are not meaningful tool
- * invocations that should appear in a policy allow list — only actual
- * commands (npm, mise, node, git, etc.) are useful for policy rules.
- */ const SHELL_NOISE_PATTERNS = [
-    /^(if|then|else|elif|fi|for|while|do|done|case|esac)\b/,
-    /^(set\s+[+-]e|set\s+[+-]o)/,
-    /^(exit\s+\d|exit\s+\$)/,
-    /^\w+="?\$\{\{/,
-    /^[A-Z_]+=("[^"]*"|'[^']*'|\S+)\s*\\?$/,
-    /^(echo|printf)\s/,
-    /^(cd|mkdir|rm|test)\s/,
-    /^>\s/,
-    /^(else|fi|done|esac)$/,
-    /^\w+=\$\?$/,
-    /^\\$/,
-    /^'[^']*'\s*\\?$/,
-    /^"[^"]*"\s*\\?$/,
-    /^node\s+"?\$/
-];
-function isUsefulCommand(cmd) {
-    if (cmd.length < 3) return false;
-    if (cmd.endsWith(")") && !cmd.includes("(")) return false;
-    return !SHELL_NOISE_PATTERNS.some((pattern)=>pattern.test(cmd));
+function resolveSessionId(env, deps) {
+    const provided = env.AGENTSHELL_SESSION_ID;
+    if (provided === undefined || provided === "") {
+        return deps.randomUUID();
+    }
+    if (provided.includes("..") || provided.includes("/") || provided.includes("\\") || !SESSION_ID_PATTERN.test(provided)) {
+        deps.writeStderr(`agent-shell: invalid AGENTSHELL_SESSION_ID "${provided}", generating new ID\n`);
+        return deps.randomUUID();
+    }
+    return provided;
 }
-/**
- * Simple extraction of `run:` values from YAML content.
- * Uses line-based parsing rather than a full YAML parser to avoid
- * adding yaml as a dependency to agent-shell.
- */ function extractRunCommandsFromYaml(content) {
-    const commands = [];
-    const lines = content.split("\n");
-    let inRunBlock = false;
-    let runIndent = 0;
-    let isFoldedBlock = false;
-    let foldedLines = [];
-    let continuationBuffer = "";
-    function flushFoldedBlock() {
-        if (foldedLines.length > 0) {
-            commands.push(foldedLines.join(" "));
-            foldedLines = [];
+async function resolveWriteEventsDir(env, deps) {
+    const projectRoot = deps.cwd();
+    const defaultDir = (0,external_node_path_namespaceObject.join)(projectRoot, DEFAULT_EVENTS_SUBDIR);
+    const logDir = env.AGENTSHELL_LOG_DIR;
+    if (logDir !== undefined && logDir !== "") {
+        // Canonicalize projectRoot for real-path comparisons; handles symlinked cwd
+        const projectRootReal = await deps.realpath(projectRoot);
+        // Reject external paths (allowing either logical or real project root)
+        const resolvedLogical = (0,external_node_path_namespaceObject.resolve)(projectRoot, logDir);
+        if (!isWithinProjectRoot(resolvedLogical, projectRoot) && !isWithinProjectRoot(resolvedLogical, projectRootReal)) {
+            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root, using default\n`);
+            await deps.mkdir(defaultDir, {
+                recursive: true
+            });
+            return defaultDir;
         }
-    }
-    function flushContinuation() {
-        if (continuationBuffer.length > 0) {
-            commands.push(continuationBuffer);
-            continuationBuffer = "";
+        // Validate existing ancestor realpath before mkdir to prevent symlink escape
+        const ancestorReal = await realpathExistingAncestor(resolvedLogical, deps);
+        if (ancestorReal === null || !isWithinProjectRoot(ancestorReal, projectRootReal)) {
+            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root via ancestor symlink, using default\n`);
+            await deps.mkdir(defaultDir, {
+                recursive: true
+            });
+            return defaultDir;
+        }
+        await deps.mkdir(resolvedLogical, {
+            recursive: true
+        });
+        const resolved = await deps.realpath(resolvedLogical);
+        if (!isWithinProjectRoot(resolved, projectRootReal)) {
+            deps.writeStderr(`agent-shell: AGENTSHELL_LOG_DIR resolves outside project root, using default\n`);
+            await deps.mkdir(defaultDir, {
+                recursive: true
+            });
+            return defaultDir;
         }
+        return resolved;
     }
-    for(let i = 0; i < lines.length; i++){
-        const line = lines[i];
-        if (line === undefined) continue;
-        const trimmed = line.trimStart();
-        const indent = line.length - trimmed.length;
-        if (inRunBlock) {
-            if (trimmed.length === 0) {
-                continue;
-            }
-            if (indent > runIndent) {
-                let cmd = trimmed.trimEnd();
-                cmd = cmd.replace(/\s+#.*$/, "").trimEnd();
-                const isContinuation = cmd.endsWith("\\");
-                if (isContinuation) {
-                    cmd = cmd.slice(0, -1).trimEnd();
-                }
-                if (cmd.length > 0 && !cmd.startsWith("#")) {
-                    if (isFoldedBlock) {
-                        foldedLines.push(cmd);
-                    } else if (isContinuation) {
-                        continuationBuffer = continuationBuffer.length > 0 ? `${continuationBuffer} ${cmd}` : cmd;
-                    } else if (continuationBuffer.length > 0) {
-                        commands.push(`${continuationBuffer} ${cmd}`);
-                        continuationBuffer = "";
-                    } else {
-                        commands.push(cmd);
-                    }
-                }
-            } else {
-                flushContinuation();
-                if (isFoldedBlock) {
-                    flushFoldedBlock();
-                }
-                inRunBlock = false;
-                isFoldedBlock = false;
-            }
+    await deps.mkdir(defaultDir, {
+        recursive: true
+    });
+    return defaultDir;
+}
+async function writeEvent(eventsDir, sessionId, event, deps) {
+    const filePath = (0,external_node_path_namespaceObject.join)(eventsDir, `${sessionId}.jsonl`);
+    const line = `${JSON.stringify(event)}\n`;
+    await deps.appendFile(filePath, line);
+}
+async function emitScriptEndEvent(options, deps) {
+    const sessionId = resolveSessionId(options.env, deps);
+    const eventsDir = await resolveWriteEventsDir(options.env, deps);
+    const capturedEnv = captureEnv(options.env);
+    const tags = captureTags(options.env);
+    const event = {
+        v: SCHEMA_VERSION,
+        session_id: sessionId,
+        event: "script_end",
+        command: options.command,
+        actor: detectActor(options.env),
+        exit_code: options.result.exitCode,
+        signal: options.result.signal,
+        duration_ms: options.result.durationMs,
+        timestamp: deps.now(),
+        env: capturedEnv,
+        tags,
+        ...options.env.npm_lifecycle_event && {
+            script: options.env.npm_lifecycle_event
+        },
+        ...options.env.npm_package_name && {
+            package: options.env.npm_package_name
+        },
+        ...options.env.npm_package_version && {
+            package_version: options.env.npm_package_version
         }
-        if (!inRunBlock) {
-            const runMatch = trimmed.match(/^-?\s*run:\s*(.*)$/);
-            if (runMatch) {
-                const value = runMatch[1]?.trim();
-                const firstToken = value ? value.split(/[ \t#]/, 1)[0] ?? "" : "";
-                if (/^[|>][-+]?$/.test(firstToken)) {
-                    inRunBlock = true;
-                    runIndent = indent;
-                    isFoldedBlock = firstToken.startsWith(">");
-                    foldedLines = [];
-                } else if (value && value.length > 0) {
-                    let command;
-                    const quoteMatch = value.match(/^(["'])(.*)\1/);
-                    if (quoteMatch) {
-                        command = quoteMatch[2] ?? "";
-                    } else {
-                        command = value.replace(/\s+#.*$/, "").trim();
-                    }
-                    if (command.length > 0 && !command.startsWith("#")) {
-                        commands.push(command);
-                    }
-                }
+    };
+    await writeEvent(eventsDir, sessionId, event, deps);
+}
+async function emitShimErrorEvent(options, deps) {
+    const sessionId = resolveSessionId(options.env, deps);
+    const eventsDir = await resolveWriteEventsDir(options.env, deps);
+    const capturedEnv = captureEnv(options.env);
+    const tags = captureTags(options.env);
+    const event = {
+        v: SCHEMA_VERSION,
+        session_id: sessionId,
+        event: "shim_error",
+        command: options.command,
+        actor: detectActor(options.env),
+        timestamp: deps.now(),
+        env: capturedEnv,
+        tags
+    };
+    await writeEvent(eventsDir, sessionId, event, deps);
+}
+async function emitPolicyDecisionEvent(options, deps) {
+    const depsWithProjectRoot = {
+        ...deps,
+        cwd: ()=>options.projectRoot
+    };
+    const sessionId = resolveSessionId(options.env, deps);
+    const eventsDir = await resolveWriteEventsDir(options.env, depsWithProjectRoot);
+    const capturedEnv = captureEnv(options.env);
+    const tags = captureTags(options.env);
+    const event = {
+        v: SCHEMA_VERSION,
+        session_id: sessionId,
+        event: "policy_decision",
+        command: options.command,
+        decision: options.decision,
+        matched_rule: options.matched_rule,
+        actor: detectActor(options.env),
+        timestamp: deps.now(),
+        env: capturedEnv,
+        tags
+    };
+    await writeEvent(eventsDir, sessionId, event, depsWithProjectRoot);
+}
+async function emitToolUseEvent(options, deps) {
+    const depsWithProjectRoot = {
+        ...deps,
+        cwd: ()=>options.projectRoot
+    };
+    const sessionId = resolveSessionId(options.env, deps);
+    const eventsDir = await resolveWriteEventsDir(options.env, depsWithProjectRoot);
+    const capturedEnv = captureEnv(options.env);
+    const tags = captureTags(options.env);
+    const event = {
+        v: SCHEMA_VERSION,
+        session_id: sessionId,
+        event: "tool_use",
+        tool_name: options.tool_name,
+        command: options.command,
+        actor: detectActor(options.env),
+        timestamp: deps.now(),
+        env: capturedEnv,
+        tags
+    };
+    await writeEvent(eventsDir, sessionId, event, depsWithProjectRoot);
+}
+
+;// CONCATENATED MODULE: ./src/policy-check.ts
+// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
+
+
+
+
+const TERMINAL_TOOLS = new Set([
+    "bash",
+    "zsh",
+    "ash",
+    "sh"
+]);
+const HookInputSchema = schemas_object({
+    toolName: schemas_string(),
+    toolArgs: unknown().optional()
+});
+function allowResponse() {
+    return JSON.stringify({
+        permissionDecision: "allow"
+    });
+}
+function denyResponse(reason) {
+    return JSON.stringify({
+        permissionDecision: "deny",
+        permissionDecisionReason: reason
+    });
+}
+const TELEMETRY_TIMEOUT_MS = 5_000;
+async function tryEmitTelemetry(deps, command, decision, matchedRule) {
+    try {
+        const repoRoot = deps.policyDeps.getRepositoryRoot();
+        const emission = emitPolicyDecisionEvent({
+            command,
+            decision,
+            matched_rule: matchedRule,
+            env: deps.env,
+            projectRoot: repoRoot
+        }, deps.telemetryDeps);
+        // Prevent unhandled rejection if emission rejects after timeout wins the race
+        emission.catch(()=>{});
+        let timeoutHandle;
+        const timeout = new Promise((_, reject)=>{
+            timeoutHandle = setTimeout(()=>reject(new Error("telemetry write timed out")), TELEMETRY_TIMEOUT_MS);
+            timeoutHandle.unref();
+        });
+        try {
+            await Promise.race([
+                emission,
+                timeout
+            ]);
+        } finally{
+            if (timeoutHandle !== undefined) {
+                clearTimeout(timeoutHandle);
             }
         }
+    } catch (err) {
+        deps.writeStderr(`agent-shell: telemetry write error: ${sanitizeForStderr(err)}\n`);
     }
-    flushContinuation();
-    if (isFoldedBlock) {
-        flushFoldedBlock();
-    }
-    return commands;
 }
-/**
- * Parse mise.toml to extract task definitions.
- * Uses simple line-based parsing for [tasks.*] sections.
- */ async function discoverMiseTasks(targetDir) {
-    const miseTomlPath = (0,external_node_path_namespaceObject.join)(targetDir, "mise.toml");
-    if (!await fileExists(miseTomlPath)) {
-        return [];
-    }
+async function handlePolicyCheck(deps) {
     try {
-        const fileStat = await (0,promises_namespaceObject.stat)(miseTomlPath);
-        if (fileStat.size > MAX_FILE_SIZE_BYTES) {
-            return [];
+        const rawStdin = await deps.readStdin();
+        let input;
+        try {
+            input = JSON.parse(rawStdin);
+        } catch  {
+            deps.writeStderr("agent-shell: failed to parse stdin as JSON\n");
+            deps.writeStdout(denyResponse("Invalid JSON input"));
+            return;
         }
-        const content = await (0,promises_namespaceObject.readFile)(miseTomlPath, "utf-8");
-        return parseMiseTomlTasks(content);
-    } catch  {
-        return [];
-    }
-}
-function parseMiseTomlTasks(content) {
-    const tasks = [];
-    const lines = content.split("\n");
-    let currentTaskName = null;
-    let inMultiLineRun = false;
-    let multiLineCommand = "";
-    for (const line of lines){
-        const trimmed = line.trim();
-        if (inMultiLineRun) {
-            if (trimmed === '"""' || trimmed === "'''") {
-                inMultiLineRun = false;
-                const cmd = multiLineCommand.trim();
-                if (currentTaskName !== null && cmd.length > 0) {
-                    const firstLine = cmd.split("\n").map((l)=>l.trim()).find((l)=>l.length > 0);
-                    if (firstLine) {
-                        tasks.push({
-                            name: currentTaskName,
-                            command: firstLine
-                        });
-                    }
-                }
-                multiLineCommand = "";
-                continue;
-            }
-            multiLineCommand += `${trimmed}\n`;
-            continue;
+        const hookResult = HookInputSchema.safeParse(input);
+        if (!hookResult.success) {
+            deps.writeStdout(denyResponse("Missing or invalid toolName field"));
+            return;
         }
-        const sectionMatch = trimmed.match(/^\[tasks\.([^\]]+)\]$/);
-        if (sectionMatch?.[1]) {
-            currentTaskName = sectionMatch[1];
-            continue;
+        const { toolName, toolArgs } = hookResult.data;
+        // Step 3 (per spec): load and validate policy before terminal tool check
+        // (fail-closed on invalid policy, even for non-terminal tools)
+        let policy;
+        try {
+            policy = await loadPolicy(deps.env, deps.policyDeps);
+        } catch (err) {
+            deps.writeStderr(`agent-shell: policy load error: ${sanitizeForStderr(err)}\n`);
+            deps.writeStdout(denyResponse("Failed to load policy"));
+            return;
         }
-        if (trimmed.startsWith("[") && !trimmed.startsWith("[tasks.")) {
-            currentTaskName = null;
-            continue;
+        // Step 4 (per spec): non-terminal tools pass through with allow.
+        // Per spec: command field is empty string for non-terminal tool decisions
+        // (toolArgs is never parsed, so no command string is available).
+        if (!TERMINAL_TOOLS.has(toolName)) {
+            deps.writeStdout(allowResponse());
+            await tryEmitTelemetry(deps, "", "allow", null);
+            return;
         }
-        if (currentTaskName !== null) {
-            if (/^run\s*=\s*"""/.test(trimmed) || /^run\s*=\s*'''/.test(trimmed)) {
-                inMultiLineRun = true;
-                multiLineCommand = "";
-                continue;
-            }
-            const runMatch = trimmed.match(/^run\s*=\s*(?:"([^"]*)"|'([^']*)')/);
-            if (runMatch) {
-                const command = runMatch[1] ?? runMatch[2] ?? "";
-                if (command.length > 0) {
-                    tasks.push({
-                        name: currentTaskName,
-                        command
-                    });
-                }
-            }
+        // Terminal tool — validate toolArgs
+        if (typeof toolArgs !== "string") {
+            deps.writeStdout(denyResponse("Missing or non-string toolArgs for terminal tool"));
+            return;
         }
-    }
-    return tasks;
-}
-async function detectLanguages(targetDir) {
-    const detected = new Set();
-    for (const [filename, language] of Object.entries(LANGUAGE_MARKERS)){
-        if (await fileExists((0,external_node_path_namespaceObject.join)(targetDir, filename))) {
-            detected.add(language);
+        let parsedArgs;
+        try {
+            parsedArgs = JSON.parse(toolArgs);
+        } catch  {
+            deps.writeStderr("agent-shell: failed to parse toolArgs as JSON\n");
+            deps.writeStdout(denyResponse("Invalid JSON in toolArgs"));
+            return;
         }
-    }
-    return [
-        ...detected
-    ];
-}
-/**
- * Scans a project directory to discover tools, commands, and languages.
- * Uses static file analysis without requiring external dependencies.
- */ async function scanProject(targetDir) {
-    const [scripts, workflowCommands, miseTasks, languages] = await Promise.all([
-        discoverScripts(targetDir),
-        discoverWorkflowCommands(targetDir),
-        discoverMiseTasks(targetDir),
-        detectLanguages(targetDir)
-    ]);
-    return {
-        scripts,
-        workflowCommands,
-        miseTasks,
-        languages
-    };
+        // toolArgs must be a non-null plain object
+        if (parsedArgs === null || typeof parsedArgs !== "object" || Array.isArray(parsedArgs)) {
+            deps.writeStdout(denyResponse("toolArgs must be a non-null plain object for terminal tools"));
+            return;
+        }
+        const obj = parsedArgs;
+        if (!Object.hasOwn(obj, "command")) {
+            deps.writeStdout(denyResponse("Missing command field in toolArgs"));
+            return;
+        }
+        if (typeof obj.command !== "string") {
+            deps.writeStdout(denyResponse("command field must be a string"));
+            return;
+        }
+        const command = obj.command;
+        const result = evaluatePolicy(policy, command);
+        const responseJson = result.decision === "allow" ? allowResponse() : denyResponse(`Command '${command}' denied by policy rule: ${result.matchedRule ?? "not in allow list"}`);
+        deps.writeStdout(responseJson);
+        await tryEmitTelemetry(deps, command.trim(), result.decision, result.matchedRule);
+    } catch (err) {
+        deps.writeStderr(`agent-shell: unexpected error: ${sanitizeForStderr(err)}\n`);
+        deps.writeStdout(denyResponse("Internal error during policy evaluation"));
+    }
 }
 
-;// CONCATENATED MODULE: ./src/policy-init.ts
-
-
+;// CONCATENATED MODULE: ./src/record.ts
+// biome-ignore-all lint/style/useNamingConvention: telemetry schema uses snake_case field names
 
 
 
-const DEFAULT_SAFE_COMMANDS = [
-    "git status *",
-    "git diff *",
-    "git log *",
-    "git show *",
-    "git branch --show-current",
-    "git branch --list *",
-    "git rev-parse *",
-    "pwd"
-];
-const DEFAULT_DENY_RULES = [
-    "rm -rf *",
-    "sudo *"
-];
-const POLICY_SUBPATH = ".github/hooks/agent-shell/policy.json";
-const HOOKS_SUBPATH = ".github/hooks/agent-shell/hooks.json";
-/**
- * Extracts the script or task name from a command string, skipping any
- * flags (tokens starting with `-`) that appear between the prefix and
- * the actual name. For example, `npm run -s build` or `npm run --silent build`
- * both return `build`. Splits on any whitespace to avoid empty tokens from
- * multiple consecutive spaces.
- */ function extractNameAfterPrefix(cmd, prefix) {
-    const tokens = cmd.slice(prefix.length).trim().split(/\s+/);
-    for (const token of tokens){
-        if (token.length > 0 && !token.startsWith("-")) {
-            return token;
-        }
-    }
-    return "";
-}
+const record_TERMINAL_TOOLS = new Set([
+    "bash",
+    "zsh",
+    "ash",
+    "sh"
+]);
+const MAX_COMMAND_BYTES = 4096;
+const record_HookInputSchema = schemas_object({
+    toolName: schemas_string().max(1024),
+    toolArgs: unknown().optional()
+});
 /**
- * Generates a policy configuration from project scan results.
- * Creates an allow list of commands discovered in the project,
- * plus common safe defaults. Includes standard deny rules.
+ * Extracts a command string from toolArgs for terminal tools.
  *
- * Allow rules use exact match by default to prevent shell
- * metacharacter bypass (e.g. `npm test && curl evil`).
- * Wildcard `*` is only used for commands where subcommand
- * arguments are inherently expected and the base command
- * is genuinely read-only (e.g. `git status *`).
- */ function generatePolicy(scanResult) {
-    const allowSet = new Set();
-    for (const cmd of DEFAULT_SAFE_COMMANDS){
-        allowSet.add(cmd);
+ * Parsing chain (mirrors policy-check.ts but observation-only):
+ * 1. Check if toolArgs is a string
+ * 2. Parse that string as JSON
+ * 3. Verify result is a non-null plain object
+ * 4. Check for a `command` property
+ * 5. Verify `command` is a string
+ *
+ * Returns the command string on success, or an empty string for any failure.
+ */ function extractTerminalCommand(toolArgs) {
+    // Step 1: toolArgs must be a string
+    if (typeof toolArgs !== "string") {
+        return "";
     }
-    for (const script of scanResult.scripts){
-        const name = script.name.trim();
-        if (name.length === 0) {
-            continue;
-        }
-        if (SHELL_METACHAR_PATTERN.test(name)) {
-            continue;
-        }
-        if (name === "test") {
-            allowSet.add("npm test");
-        } else {
-            allowSet.add(`npm run ${name}`);
-        }
+    // Step 2: parse as JSON
+    let parsedArgs;
+    try {
+        parsedArgs = JSON.parse(toolArgs);
+    } catch  {
+        return "";
     }
-    for (const cmd of scanResult.workflowCommands){
-        if (cmd === "npm test" || cmd.startsWith("npm test ")) {
-            allowSet.add("npm test");
-            if (cmd !== "npm test" && !SHELL_METACHAR_PATTERN.test(cmd)) {
-                allowSet.add(cmd);
-            }
-        } else if (cmd.startsWith("npm run ")) {
-            const scriptName = extractNameAfterPrefix(cmd, "npm run ");
-            if (scriptName) {
-                allowSet.add(`npm run ${scriptName}`);
-                if (cmd !== `npm run ${scriptName}` && !SHELL_METACHAR_PATTERN.test(cmd)) {
-                    allowSet.add(cmd);
-                }
-            } else if (!SHELL_METACHAR_PATTERN.test(cmd)) {
-                allowSet.add(cmd);
-            }
-        } else if (cmd === "npm ci" || cmd === "npm install") {
-            allowSet.add(cmd);
-        } else if (cmd.startsWith("npx ")) {
-            if (!SHELL_METACHAR_PATTERN.test(cmd)) {
-                allowSet.add(cmd);
-            }
-        } else if (cmd.startsWith("mise run ")) {
-            const taskName = extractNameAfterPrefix(cmd, "mise run ");
-            if (taskName) {
-                allowSet.add(`mise run ${taskName}`);
-                if (cmd !== `mise run ${taskName}` && !SHELL_METACHAR_PATTERN.test(cmd)) {
-                    allowSet.add(cmd);
-                }
-            } else if (!SHELL_METACHAR_PATTERN.test(cmd)) {
-                allowSet.add(cmd);
-            }
-        } else {
-            if (!SHELL_METACHAR_PATTERN.test(cmd)) {
-                allowSet.add(cmd);
-            }
-        }
+    // Step 3: must be a non-null plain object
+    if (parsedArgs === null || typeof parsedArgs !== "object" || Array.isArray(parsedArgs)) {
+        return "";
     }
-    for (const task of scanResult.miseTasks){
-        const taskName = task.name.trim();
-        if (taskName.length > 0 && !SHELL_METACHAR_PATTERN.test(taskName)) {
-            allowSet.add(`mise run ${taskName}`);
-        }
+    // Step 4: must have `command` property (reject prototype pollution keys)
+    const obj = parsedArgs;
+    if (Object.hasOwn(obj, "__proto__") || Object.hasOwn(obj, "constructor") || Object.hasOwn(obj, "prototype")) {
+        return "";
     }
-    if (scanResult.miseTasks.length > 0) {
-        allowSet.add("mise install");
+    if (!Object.hasOwn(obj, "command")) {
+        return "";
     }
-    const allow = [
-        ...allowSet
-    ].sort();
-    return {
-        allow,
-        deny: [
-            ...DEFAULT_DENY_RULES
-        ]
-    };
-}
-/**
- * Generates the Copilot hooks.json configuration with agent-shell
- * policy-check as a preToolUse hook.
- */ function generateHooksConfig() {
-    return {
-        version: 1,
-        hooks: {
-            preToolUse: [
-                {
-                    type: "command",
-                    bash: "agent-shell policy-check",
-                    timeoutSec: 30
-                }
-            ]
-        }
-    };
-}
-/**
- * Writes a file atomically, skipping if the file already exists.
- * Uses the `wx` (exclusive create) flag to avoid TOCTOU races
- * between a check and write.
- */ async function writeFileIfNotExists(filePath, parentDir, content, subpath, writeStdout) {
-    await (0,promises_namespaceObject.mkdir)(parentDir, {
-        recursive: true
-    });
+    // Step 5: command must be a string
+    if (typeof obj.command !== "string") {
+        return "";
+    }
+    // Truncate to MAX_COMMAND_BYTES using byte-aware slicing (matching env-capture.ts pattern)
+    if (Buffer.byteLength(obj.command, "utf-8") > MAX_COMMAND_BYTES) {
+        // Codepoint-aware truncation: stop before exceeding the byte limit.
+        // for...of iterates Unicode codepoints, so surrogate pairs are handled
+        // correctly and we never truncate mid-sequence.
+        let byteCount = 0;
+        let truncated = "";
+        for (const ch of obj.command){
+            const charBytes = Buffer.byteLength(ch, "utf-8");
+            if (byteCount + charBytes > MAX_COMMAND_BYTES) break;
+            byteCount += charBytes;
+            truncated += ch;
+        }
+        return truncated;
+    }
+    return obj.command;
+}
+async function handleRecord(deps) {
+    let rawStdin;
     try {
-        await (0,promises_namespaceObject.writeFile)(filePath, content, {
-            flag: "wx"
-        });
-        writeStdout(`Created ${subpath}\n`);
-    } catch (error) {
-        if (error && typeof error === "object" && "code" in error && error.code === "EEXIST") {
-            writeStdout(`Skipping ${subpath} — file already exists\n`);
-        } else {
-            throw error;
-        }
+        rawStdin = await deps.readStdin();
+    } catch (err) {
+        deps.writeStderr(`agent-shell: failed to read stdin: ${sanitizeForStderr(err)}\n`);
+        return false;
     }
-}
-/**
- * Handles the `policy --init` command.
- * Scans the project, generates a policy and hooks configuration,
- * and writes them to disk. Optionally uses @github/copilot-sdk
- * for AI-enhanced analysis when available.
- */ async function handlePolicyInit(deps) {
-    const repoRoot = deps.getRepositoryRoot();
-    deps.writeStdout("Scanning project...\n");
-    const scanResult = await scanProject(repoRoot);
-    deps.writeStdout(`Discovered: ${scanResult.scripts.length} npm script(s), ` + `${scanResult.workflowCommands.length} workflow command(s), ` + `${scanResult.miseTasks.length} mise task(s), ` + `${scanResult.languages.length} language(s)\n`);
-    const policy = generatePolicy(scanResult);
-    const enhanced = await enhanceWithCopilot(scanResult, repoRoot, deps.writeStderr, deps.model);
-    if (enhanced !== null) {
-        deps.writeStdout("Enhanced with Copilot analysis\n");
-        if (enhanced.additionalAllowRules.length > 0) {
-            deps.writeStdout("\nSuggested additional allow rules from Copilot (not auto-applied):\n");
-            for (const rule of enhanced.additionalAllowRules){
-                if (isSafeCommand(rule)) {
-                    deps.writeStdout(`  - ${sanitizeOutput(rule)}\n`);
-                } else {
-                    deps.writeStdout(`  - [UNSAFE, skipped] ${sanitizeOutput(rule)}\n`);
-                }
-            }
-        }
-        if (enhanced.suggestions.length > 0) {
-            deps.writeStdout("\nSuggestions from Copilot:\n");
-            for (const suggestion of enhanced.suggestions){
-                deps.writeStdout(`  - ${sanitizeOutput(suggestion)}\n`);
-            }
-        }
+    let input;
+    try {
+        input = JSON.parse(rawStdin);
+    } catch  {
+        deps.writeStderr("agent-shell: failed to parse stdin as JSON\n");
+        return false;
     }
-    const hooksConfig = generateHooksConfig();
-    const policyPath = (0,external_node_path_namespaceObject.join)(repoRoot, POLICY_SUBPATH);
-    const hooksPath = (0,external_node_path_namespaceObject.join)(repoRoot, HOOKS_SUBPATH);
-    const policyContent = `${JSON.stringify(policy, null, 2)}\n`;
-    const hooksContent = `${JSON.stringify(hooksConfig, null, 2)}\n`;
-    await writeFileIfNotExists(policyPath, (0,external_node_path_namespaceObject.join)(repoRoot, ".github", "hooks", "agent-shell"), policyContent, POLICY_SUBPATH, deps.writeStdout);
-    await writeFileIfNotExists(hooksPath, (0,external_node_path_namespaceObject.join)(repoRoot, ".github", "hooks", "agent-shell"), hooksContent, HOOKS_SUBPATH, deps.writeStdout);
-    deps.writeStdout("\n--- Proposed Policy ---\n");
-    deps.writeStdout(`${sanitizeOutput(JSON.stringify(policy, null, 2))}\n`);
-    deps.writeStdout("\n--- Hook Configuration ---\n");
-    deps.writeStdout(`${sanitizeOutput(JSON.stringify(hooksConfig, null, 2))}\n`);
+    const hookResult = record_HookInputSchema.safeParse(input);
+    if (!hookResult.success) {
+        deps.writeStderr("agent-shell: missing or invalid toolName field, skipping telemetry\n");
+        return false;
+    }
+    const { toolName, toolArgs } = hookResult.data;
+    const command = record_TERMINAL_TOOLS.has(toolName) ? extractTerminalCommand(toolArgs) : "";
+    try {
+        const repoRoot = deps.getRepositoryRoot();
+        await emitToolUseEvent({
+            tool_name: toolName,
+            command,
+            env: deps.env,
+            projectRoot: repoRoot
+        }, deps.telemetryDeps);
+    } catch (err) {
+        deps.writeStderr(`agent-shell: telemetry write error: ${sanitizeForStderr(err)}\n`);
+        return false;
+    }
+    return true;
 }
 
 ;// CONCATENATED MODULE: ./src/shim.ts
@@ -16428,12 +17042,18 @@ async function runShim(options) {
 
 
 
+
+
+
+
 const VERSION = "0.1.0";
 const USAGE = `Usage: agent-shell -c <command>
+       agent-shell init [--flight-recorder] [--policy] [--no-flight-recorder] [--no-policy]
+       agent-shell record
        agent-shell policy-check
        agent-shell policy --init [--model=<model>]
-       agent-shell --version
        agent-shell log
+       agent-shell --version
 
 Environment:
   AGENTSHELL_PASSTHROUGH=1  Bypass instrumentation
@@ -16496,6 +17116,79 @@ async function main() {
                 }
                 return;
             }
+        case "record":
+            {
+                const getRepositoryRoot = createGetRepositoryRoot(undefined, process.env);
+                try {
+                    await handleRecord({
+                        readStdin: ()=>readStdin(),
+                        writeStderr: (data)=>process.stderr.write(data),
+                        env: process.env,
+                        telemetryDeps: createDefaultDeps(),
+                        getRepositoryRoot
+                    });
+                } catch (err) {
+                    // Log unexpected exceptions but don't change exit code
+                    process.stderr.write(`agent-shell: record error: ${sanitizeForStderr(err)}\n`);
+                }
+                // Observation-only: always exit 0 regardless of parse/emit errors.
+                // postToolUse hooks must not block agent operations and the agent
+                // ignores the exit code anyway.
+                process.exitCode = 0;
+                return;
+            }
+        case "init":
+            {
+                try {
+                    if (mode.unknownArgs.length > 0) {
+                        process.stderr.write(`agent-shell: unknown flag(s): ${mode.unknownArgs.map(sanitizeForStderr).join(", ")}\n`);
+                        process.exitCode = 1;
+                        return;
+                    }
+                    const getRepositoryRoot = createGetRepositoryRoot(undefined, process.env);
+                    const isTty = Boolean(process.stdin.isTTY);
+                    const prompt = isTty ? async (message)=>{
+                        const rl = (0,external_node_readline_namespaceObject.createInterface)({
+                            input: process.stdin,
+                            output: process.stdout
+                        });
+                        try {
+                            return await new Promise((resolvePrompt)=>{
+                                rl.question(`${message} (Y/n) `, (answer)=>{
+                                    const trimmed = answer.trim().toLowerCase();
+                                    resolvePrompt(trimmed === "" || trimmed === "y" || trimmed === "yes");
+                                });
+                            });
+                        } finally{
+                            rl.close();
+                        }
+                    } : undefined;
+                    const ok = await handleInit({
+                        flightRecorder: mode.flightRecorder,
+                        policy: mode.policy,
+                        noFlightRecorder: mode.noFlightRecorder,
+                        noPolicy: mode.noPolicy
+                    }, {
+                        getRepositoryRoot,
+                        writeStdout: (data)=>process.stdout.write(data),
+                        writeStderr: (data)=>process.stderr.write(data),
+                        readFile: (path, encoding)=>(0,promises_namespaceObject.readFile)(path, encoding),
+                        writeFile: (path, content, options)=>(0,promises_namespaceObject.writeFile)(path, content, options),
+                        rename: (oldPath, newPath)=>(0,promises_namespaceObject.rename)(oldPath, newPath),
+                        unlink: (path)=>(0,promises_namespaceObject.unlink)(path),
+                        mkdir: (path, opts)=>(0,promises_namespaceObject.mkdir)(path, opts).then(()=>undefined),
+                        realpath: (path)=>(0,promises_namespaceObject.realpath)(path),
+                        scanProject: (dir)=>scanProject(dir),
+                        isTty,
+                        prompt
+                    });
+                    process.exitCode = ok ? 0 : 1;
+                } catch (err) {
+                    process.stderr.write(`agent-shell: init error: ${sanitizeForStderr(err)}\n`);
+                    process.exitCode = 1;
+                }
+                return;
+            }
         case "passthrough":
             {
                 const result = (0,external_node_child_process_namespaceObject.spawnSync)("/bin/sh", mode.args, {