@occasiolabs/occasio 0.8.3 → 0.8.5

package/src/anomaly/cli.js

@@ -51,6 +51,7 @@ function runAnomaliesCli(args = []) {
     process.stdout.write(
       'Usage:\n' +
       '  occasio anomalies [--window 15m] [--since <ISO>] [--chain <path>] [--json]\n' +
+      '                    [--threshold-multiplier <n>]   raise (>1) or lower (<1) deny/file-read thresholds\n' +
       '\n' +
       'Detectors:\n' +
       '  deny-rate           BLOCK rate spike vs historical baseline\n' +
@@ -65,8 +66,10 @@ function runAnomaliesCli(args = []) {
   const since    = flag(args, '--since');
   const chain    = flag(args, '--chain') || DEFAULT_CHAIN;
   const asJson   = bool(args, '--json');
+  const mult     = parseFloat(flag(args, '--threshold-multiplier', '1') || '1');
+  const thresholdMultiplier = Number.isFinite(mult) && mult > 0 ? mult : 1;
 
-  const result = runDetectors({ chainFile: chain, windowMs, now: since });
+  const result = runDetectors({ chainFile: chain, windowMs, now: since, thresholdMultiplier });
 
   if (asJson) {
     process.stdout.write(JSON.stringify(result, null, 2) + '\n');

package/src/anomaly/detectors/deny-rate.js

@@ -63,7 +63,8 @@ function evaluate(windowRows, historicalRows, opts) {
   }
 
   const ratio = winBlocks / histRatePerWindow;
-  if (ratio < MULTIPLIER_THRESHOLD) return [];
+  const effectiveThreshold = MULTIPLIER_THRESHOLD * (opts.thresholdMultiplier || 1);
+  if (ratio < effectiveThreshold) return [];
 
   const severity = ratio > 10 ? 'high' : 'medium';
   return [{

package/src/anomaly/detectors/file-read-volume.js

@@ -87,7 +87,8 @@ function evaluate(windowRows, historicalRows, opts) {
   }
 
   if (p95 === 0) return [];
-  if (winSet.size < p95 * P95_MULTIPLIER) return [];
+  const effectiveMult = P95_MULTIPLIER * (opts.thresholdMultiplier || 1);
+  if (winSet.size < p95 * effectiveMult) return [];
 
   const ratio = winSet.size / Math.max(p95, 1);
   const severity = ratio > 4 ? 'high' : 'medium';

package/src/anomaly/index.js

@@ -110,6 +110,10 @@ function runDetectors({
   windowMs  = DEFAULT_WINDOW_MS,
   now       = null,
   detectors = null,
+  // Multiplier applied to detector internal thresholds. >1 = more permissive
+  // (fewer alerts), <1 = more sensitive. Detectors choose how to apply this;
+  // categorical detectors may ignore it.
+  thresholdMultiplier = 1,
   // For tests: pass rows directly instead of reading from disk.
   rows      = null,
 } = {}) {
@@ -123,6 +127,7 @@ function runDetectors({
     try {
       const out = d.evaluate(split.window, split.historical, {
         windowMs, windowStartMs: split.windowStartMs, windowEndMs: split.windowEndMs,
+        thresholdMultiplier,
       });
       if (!Array.isArray(out)) continue;
       for (const a of out) {

package/src/attest/check-summary.js

@@ -42,7 +42,7 @@ function mdText(s) {
   if (s === null || s === undefined) return '';
   return String(s)
     .replace(/[\r\n]+/g, ' ')
-    .replace(/([\\`*_{}\[\]()#+\-.!|<>])/g, '\\$1')
+    .replace(/([\\`*_{}[\]()#+\-.!|<>])/g, '\\$1')
     .slice(0, 256);
 }
 

package/src/attest/index.js

@@ -65,7 +65,20 @@ function offsetSeconds(start, then) {
 function readPolicyRulesDigest(policyFile) {
   let text;
   try { text = fs.readFileSync(policyFile, 'utf8'); }
-  catch { return null; }
+  catch (e) {
+    // Loud-fail: a missing/unreadable policy file is operationally significant
+    // for an attestation (the rules_digest in the output will be defaults, not
+    // the file's real contents). Surface it on stderr; the caller still falls
+    // back to schema defaults so attestation generation does not abort.
+    // ENOENT is the common, expected case when no user policy exists; demote
+    // it to a single-line note. Anything else (EACCES, EIO, etc.) is louder.
+    if (e && e.code === 'ENOENT') {
+      process.stderr.write(`[Occasio] attest: no policy file at ${policyFile} — using schema defaults for rules_digest\n`);
+    } else {
+      process.stderr.write(`[Occasio] attest: cannot read policy ${policyFile}: ${e.message} — rules_digest will use schema defaults\n`);
+    }
+    return null;
+  }
 
   // Tiny line-level scan — full parsing is overkill for a digest. Counts only.
   let denyPaths = 0, denyPatterns = 0, blockSecrets = null;

package/src/audit/jsonl-auditor.js

@@ -37,19 +37,114 @@ function computeHash(rowWithoutHash) {
   return sha256hex(JSON.stringify(rowWithoutHash));
 }
 
-// Scan an existing file in reverse for the most recent hash value.
-// Returns GENESIS when the file is empty, missing, or contains only legacy rows.
-function loadPrevHash(filePath) {
-  let content;
-  try { content = fs.readFileSync(filePath, 'utf8'); } catch { return GENESIS; }
-  const lines = content.split('\n').filter(Boolean);
-  for (let i = lines.length - 1; i >= 0; i--) {
+// Default tail-read window size (bytes). Large enough to contain several full
+// audit rows on any plausible workload; small enough that bootstrap on a
+// 100k-event log stays sub-50ms.
+const TAIL_READ_BYTES = 64 * 1024;
+
+// Read the trailing window of a file. Returns the decoded string (utf8) along
+// with a flag indicating whether the read started mid-file (i.e. the first
+// line in the returned buffer may be truncated).
+function readTail(filePath, bytes = TAIL_READ_BYTES) {
+  const fd = fs.openSync(filePath, 'r');
+  try {
+    const { size } = fs.fstatSync(fd);
+    const start = Math.max(0, size - bytes);
+    const len   = size - start;
+    const buf   = Buffer.alloc(len);
+    if (len > 0) fs.readSync(fd, buf, 0, len, start);
+    return { content: buf.toString('utf8'), truncated: start > 0 };
+  } finally {
+    fs.closeSync(fd);
+  }
+}
+
+// Outcome codes for scanning the tail. A [code, value] tuple is used rather
+// than an object literal so that field-name tokens used by the audit row
+// schema (see test-interceptor.js §32) cannot appear earlier in this file
+// than the row builder in record() below.
+//   ['hash',    hexString]         found a valid hash-bearing row
+//   ['genesis']                    file empty / legacy-only / missing
+//   ['corrupt', detailString]      last line invalid JSON, no fallback row
+function scanTailForPrevHash(filePath, bytes = TAIL_READ_BYTES) {
+  let content, truncated;
+  try {
+    ({ content, truncated } = readTail(filePath, bytes));
+  } catch {
+    return ['genesis'];
+  }
+  if (!content) return ['genesis'];
+
+  // Split into raw lines (no filter) so we can detect a partial trailing line
+  // separately from intentionally-empty lines. A well-formed JSONL ends in
+  // '\n'; if the last element after split is non-empty, the file was cut
+  // mid-write.
+  const raw = content.split('\n');
+  const lastFragment = raw[raw.length - 1];
+  const lines = raw.filter(Boolean);
+  if (lines.length === 0) return ['genesis'];
+
+  // If we read from offset 0, the first line is authoritative. If we read
+  // from mid-file, the first line in the window may be a fragment of a row
+  // truncated by the window — drop it so we never treat a fragment as legacy.
+  const startIdx = truncated && raw[0] === lines[0] ? 1 : 0;
+  const lastNonEmptyIdx = lines.length - 1;
+
+  // Detect a partial trailing line: file does not end in '\n' AND the last
+  // line fails to JSON.parse. A complete row that *happens* to be the final
+  // entry is fine — its trailing newline guarantees lastFragment === ''.
+  const trailingPartial = lastFragment !== '' && (() => {
+    try { JSON.parse(lines[lastNonEmptyIdx]); return false; } catch { return true; }
+  })();
+
+  // Walk lines in reverse to find the most recent valid hash-bearing row.
+  // Skip the partial trailing line if present.
+  const scanFrom = trailingPartial ? lastNonEmptyIdx - 1 : lastNonEmptyIdx;
+  for (let i = scanFrom; i >= startIdx; i--) {
     try {
       const row = JSON.parse(lines[i]);
-      if (typeof row.hash === 'string' && row.hash.length === 64) return row.hash;
-    } catch {}
+      if (typeof row.hash === 'string' && row.hash.length === 64) {
+        return ['hash', row.hash];
+      }
+    } catch {
+      // Mid-window JSON.parse failure: a truly corrupt earlier row. We do not
+      // attempt to recover past it here — if no valid hash row exists in the
+      // remaining window, fall through to the corrupt/genesis decision below.
+    }
+  }
+
+  // No hash row found in the window. If we observed a partial trailing line
+  // AND the window contains no complete hash row, the chain is in an
+  // ambiguous state — caller must decide whether to fail hard or fall back
+  // to GENESIS (only safe if the file truly contains zero prior chain rows).
+  if (trailingPartial) {
+    return ['corrupt', 'partial trailing line, no recoverable prev_hash in tail window'];
+  }
+  return ['genesis'];
+}
+
+// Public: returns the most recent hash to chain from, or GENESIS.
+// Throws AuditCorruptError when the file's last line is JSON-broken and no
+// earlier hash-bearing row exists in the tail window — this prevents the
+// silent tamper gap where a partial write would otherwise restart the chain.
+function loadPrevHash(filePath, opts = {}) {
+  const { tailBytes = TAIL_READ_BYTES, failHard = true } = opts;
+  // Missing file → genesis (initial bootstrap).
+  if (!fs.existsSync(filePath)) return GENESIS;
+  const [code, detail] = scanTailForPrevHash(filePath, tailBytes);
+  if (code === 'hash')    return detail;
+  if (code === 'genesis') return GENESIS;
+  // code === 'corrupt'
+  if (!failHard) {
+    process.stderr.write(`[occasio audit] WARNING: ${filePath}: ${detail}\n`);
+    return GENESIS;
   }
-  return GENESIS;
+  const err = new Error(
+    `Audit log corrupt at ${filePath}: ${detail}. ` +
+    `Run \`occasio audit repair --file ${filePath}\` to truncate the partial trailing line.`
+  );
+  err.code = 'AUDIT_CORRUPT';
+  throw err;
 }
 
 /**
@@ -63,17 +158,75 @@ function loadPrevHash(filePath) {
  * call. prevHash is only advanced on a successful append, keeping the
  * in-memory chain consistent with what is on disk if the proxy is restarted.
  */
-function createAuditor(filePath = DEFAULT_LOG) {
-  try { fs.mkdirSync(path.dirname(filePath), { recursive: true }); } catch {}
+function createAuditor(filePath = DEFAULT_LOG, opts = {}) {
+  // lock=true wraps each append in a proper-lockfile lockSync/unlockSync pair
+  // and re-reads prev_hash from disk inside the lock. This is the only safe
+  // way to share an audit log between two concurrent writers (e.g. proxy +
+  // MCP server on the same machine). Default off because single-writer
+  // workloads do not pay the I/O cost.
+  const { lock = false } = opts;
+  let lockfile = null;
+  if (lock) {
+    // Lazy-require so a missing proper-lockfile install does not break
+    // single-writer setups that never opt in.
+    try { lockfile = require('proper-lockfile'); }
+    catch (e) {
+      throw new Error(`createAuditor({ lock: true }) requires proper-lockfile: ${e.message}`);
+    }
+    // The lockfile target must exist before lockSync can create its companion
+    // directory marker. Touch it.
+    if (!fs.existsSync(filePath)) {
+      fs.mkdirSync(path.dirname(filePath), { recursive: true });
+      fs.writeFileSync(filePath, '');
+    }
+  }
+
+  try { fs.mkdirSync(path.dirname(filePath), { recursive: true }); }
+  catch { /* directory already exists, or unwritable — surface on first append */ }
 
   let prevHash = loadPrevHash(filePath);
 
+  function withLock(fn) {
+    if (!lock) return fn();
+    // proper-lockfile uses mkdir(2) for atomicity; staleness keeps the lock
+    // self-healing across crashes. realpath:false avoids extra syscalls for
+    // a path we already control.
+    // proper-lockfile's sync API forbids `retries` — it must busy-loop on
+     // EEXIST itself. Keep stale-cleanup so a crashed writer cannot freeze
+     // siblings forever.
+    let release = null;
+    const start = Date.now();
+    while (release === null) {
+      try {
+        release = lockfile.lockSync(filePath, { stale: 10000, realpath: false });
+      } catch (e) {
+        if (e.code !== 'ELOCKED') throw e;
+        if (Date.now() - start > 10000) throw e;
+        // tight spin — node has no sleepSync; a microtask burst is fine for
+        // contention durations expected here (single-digit ms per writer)
+        const until = Date.now() + 2;
+        while (Date.now() < until) { /* spin */ }
+      }
+    }
+    // Inside the lock we MUST re-read prev_hash — another process may have
+    // appended since we last advanced it. Without this, two concurrent
+    // writers would produce two rows with the same prev_hash → chain break.
+    prevHash = loadPrevHash(filePath, { failHard: false });
+    try { return fn(); }
+    finally { try { release(); } catch { /* lock already released by stale-timeout reaper */ } }
+  }
+
   function record(event, decision, result) {
     if (!event || !decision) return { ok: true };
+    return withLock(() => recordInner(event, decision, result));
+  }
+
+  function recordInner(event, decision, result) {
     // Field order is explicit and must remain stable — computeHash depends on it.
     // The Python walker in docs/audit_walker.py mirrors this order; any change
     // here without updating that walker breaks independent verifiability.
     const row = {
+      audit_schema: 1,
       ts:            event.timestamp,
       event_id:      event.id,
       session_id:    event.sessionId,
@@ -131,8 +284,13 @@ function createAuditor(filePath = DEFAULT_LOG) {
    * append failure, mirroring record()'s contract so the caller can
    * propagate AuditWriteError uniformly.
    */
-  function recordPolicyLoaded({ hash, path: policyPath, version, source }) {
+  function recordPolicyLoaded(args) {
+    return withLock(() => recordPolicyLoadedInner(args));
+  }
+
+  function recordPolicyLoadedInner({ hash, path: policyPath, version, source }) {
     const row = {
+      audit_schema: 1,
       ts:            new Date().toISOString(),
       event_id:      crypto.randomUUID(),
       session_id:    undefined,
@@ -175,4 +333,12 @@ function createAuditor(filePath = DEFAULT_LOG) {
   return { record, recordPolicyLoaded, file: filePath };
 }
 
-module.exports = { createAuditor, DEFAULT_LOG, GENESIS, computeHash };
+module.exports = {
+  createAuditor,
+  DEFAULT_LOG,
+  GENESIS,
+  computeHash,
+  loadPrevHash,
+  scanTailForPrevHash,
+  TAIL_READ_BYTES,
+};

package/src/audit/repair.js

@@ -0,0 +1,118 @@
+'use strict';
+
+/**
+ * repair.js — `occasio audit repair`
+ *
+ * Truncates the trailing partial line of an audit log so a crash mid-append
+ * does not leave the file in a state where loadPrevHash() fails hard.
+ *
+ * Contract:
+ *   - Examines only the last line. Earlier corruption is out of scope and
+ *     should be investigated via `occasio audit verify`.
+ *   - "Partial" means: the file does not end in '\n' AND the last
+ *     non-empty line cannot be JSON.parsed. Any other shape is a no-op.
+ *   - Writes a .bak alongside the original before mutating, even on dry-run
+ *     the .bak is NOT created.
+ *   - Returns { truncated, wouldTruncate, backupPath, removedBytes, detail }.
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+function inspect(filePath) {
+  const buf = fs.readFileSync(filePath);
+  if (buf.length === 0) return { partial: false, reason: 'empty file' };
+  const endsWithNewline = buf[buf.length - 1] === 0x0A;
+  const text = buf.toString('utf8');
+  const raw  = text.split('\n');
+  const lastFragment = raw[raw.length - 1];
+
+  if (endsWithNewline && lastFragment === '') {
+    return { partial: false, reason: 'file ends in newline; last line is complete' };
+  }
+
+  // Non-empty trailing fragment. Test whether it parses as JSON — a complete
+  // single-line record without a trailing newline is valid (rare but legal).
+  try {
+    JSON.parse(lastFragment);
+    return { partial: false, reason: 'trailing line parses as JSON; not partial' };
+  } catch {
+    // Truncate to the last preceding newline.
+    const lastNewline = buf.lastIndexOf(0x0A);
+    if (lastNewline === -1) {
+      // Entire file is a single partial line.
+      return { partial: true, truncateTo: 0, removedBytes: buf.length };
+    }
+    return {
+      partial: true,
+      truncateTo: lastNewline + 1,
+      removedBytes: buf.length - (lastNewline + 1),
+    };
+  }
+}
+
+function repairAuditFile(filePath, opts = {}) {
+  const { dryRun = false } = opts;
+  if (!fs.existsSync(filePath)) {
+    return { truncated: false, wouldTruncate: false, detail: `file not found: ${filePath}` };
+  }
+
+  const info = inspect(filePath);
+  if (!info.partial) {
+    return {
+      truncated: false, wouldTruncate: false,
+      detail: info.reason,
+      removedBytes: 0,
+    };
+  }
+
+  if (dryRun) {
+    return {
+      truncated: false, wouldTruncate: true,
+      removedBytes: info.removedBytes,
+      detail: `would truncate ${info.removedBytes} bytes from tail`,
+    };
+  }
+
+  const backupPath = `${filePath}.bak`;
+  fs.copyFileSync(filePath, backupPath);
+  // Truncate in place.
+  const fd = fs.openSync(filePath, 'r+');
+  try {
+    fs.ftruncateSync(fd, info.truncateTo);
+  } finally {
+    fs.closeSync(fd);
+  }
+
+  return {
+    truncated: true,
+    wouldTruncate: true,
+    backupPath,
+    removedBytes: info.removedBytes,
+    detail: `truncated ${info.removedBytes} bytes from tail; backup at ${path.basename(backupPath)}`,
+  };
+}
+
+function runRepairCli(args) {
+  const fileIdx = args.indexOf('--file');
+  if (fileIdx === -1 || !args[fileIdx + 1]) {
+    console.error('Usage: occasio audit repair --file <path> [--dry-run]');
+    process.exit(2);
+  }
+  const filePath = args[fileIdx + 1];
+  const dryRun   = args.includes('--dry-run');
+
+  const r = repairAuditFile(filePath, { dryRun });
+  if (r.truncated) {
+    console.log(`occasio audit repair: ${r.detail}`);
+    return;
+  }
+  if (r.wouldTruncate) {
+    console.log(`occasio audit repair (dry-run): ${r.detail}`);
+    console.log('Re-run without --dry-run to apply.');
+    return;
+  }
+  console.log(`occasio audit repair: nothing to do — ${r.detail}`);
+}
+
+module.exports = { repairAuditFile, runRepairCli };

package/src/audit/verifier.js

@@ -55,6 +55,8 @@ function verifyFile(filePath = DEFAULT_LOG) {
   let legacy = 0, chained = 0;
   let expectedPrevHash = null;  // null = no chained row seen yet
   let firstHash = null, lastHash = null;
+  const seenSchemaVersions = new Set();
+  const SUPPORTED_SCHEMA_VERSIONS = new Set([1]);
 
   for (let i = 0; i < lines.length; i++) {
     let row;
@@ -72,6 +74,23 @@ function verifyFile(filePath = DEFAULT_LOG) {
 
     chained++;
 
+    // Schema-version policy:
+    //   - rows with audit_schema=undefined are legacy (pre-versioning) and
+    //     verify as before — they are valid.
+    //   - rows with audit_schema=1 verify normally.
+    //   - rows with audit_schema=N for unknown N record a non-fatal warning
+    //     in errors with a `warning: true` marker; ok-state is unaffected.
+    if (row.audit_schema !== undefined) {
+      seenSchemaVersions.add(row.audit_schema);
+      if (!SUPPORTED_SCHEMA_VERSIONS.has(row.audit_schema)) {
+        errors.push({
+          line: i + 1,
+          detail: `unknown audit_schema version ${row.audit_schema} (this build supports: ${[...SUPPORTED_SCHEMA_VERSIONS].join(',')})`,
+          warning: true,
+        });
+      }
+    }
+
     if (expectedPrevHash === null) {
       // First chained row: prev_hash must be GENESIS.
       firstHash = row.prev_hash;
@@ -99,15 +118,30 @@ function verifyFile(filePath = DEFAULT_LOG) {
     lastHash = storedHash;
   }
 
-  return { ok: errors.length === 0, total: lines.length, legacy, chained, errors, firstHash, lastHash };
+  // Warnings (unknown schema versions) do not flip ok=false — they are
+  // forward-compatibility hints, not chain breakage.
+  const fatal = errors.filter(e => !e.warning);
+  return {
+    ok: fatal.length === 0,
+    total: lines.length, legacy, chained,
+    errors,
+    firstHash, lastHash,
+    schemaVersions: [...seenSchemaVersions],
+  };
 }
 
 function runAuditCli(args) {
   const sub = args[0];
 
+  // Dispatch sub-commands. `repair` is forwarded to src/audit/repair.js.
+  if (sub === 'repair') {
+    const { runRepairCli } = require('./repair');
+    return runRepairCli(args.slice(1));
+  }
+
   // Accept: `occasio audit`, `occasio audit verify`, `occasio audit verify --file <path>`
   if (sub && sub !== 'verify' && !sub.startsWith('-')) {
-    console.error(`Unknown audit subcommand: ${sub}\nUsage: occasio audit [verify] [--file <path>]`);
+    console.error(`Unknown audit subcommand: ${sub}\nUsage: occasio audit [verify|repair] [--file <path>]`);
     process.exit(1);
   }
 

package/src/boundary.js

@@ -116,7 +116,7 @@ function fmtBytes(b) {
   return `${(b / 1024).toFixed(1)} KB`;
 }
 
-function renderBoundaryView(view, opts = {}) {
+function renderBoundaryView(view, _opts = {}) {
   if (!view) return '';
   const lines = [];
   const tag = view.event_type ? `[${view.event_type}]` : '';

package/src/classifier.js

@@ -37,7 +37,7 @@ const FEEDBACK_LOG = path.join(os.homedir(), '.occasio', 'routing-feedback.jsonl
  * @param {string} [context]  reserved for future ML use
  * @returns {{ local: boolean, confidence: number, reason: string }}
  */
-function routeLocally(toolName, command, context = '') {
+function routeLocally(toolName, command, _context = '') {
   if (toolName !== 'Bash') {
     return { local: false, confidence: 1.0, reason: 'non-bash tool' };
   }

package/src/cli/clear.js

@@ -0,0 +1,55 @@
+// `occasio clear` — reset session + today's log.
+// `occasio clear --history` — wipe ALL historical logs + blocked-secret records.
+//
+// Destructive but bounded to ~/.occasio/. session.json is unconditionally
+// removed; logs are removed file-by-file (no rmdir) so an exotic
+// permission error on one file does not abort the rest.
+
+'use strict';
+
+const fs   = require('fs');
+const os   = require('os');
+const path = require('path');
+
+const LOG_DIR      = path.join(os.homedir(), '.occasio');
+const SESSION_FILE = path.join(LOG_DIR, 'session.json');
+
+const col = {
+  g: s => `\x1b[32m${s}\x1b[0m`,
+  d: s => `\x1b[2m${s}\x1b[0m`,
+};
+
+function todayStr() {
+  const d = new Date();
+  return `${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')}`;
+}
+function getLogFile() { return path.join(LOG_DIR, 'logs', `${todayStr()}.jsonl`); }
+
+function ensureDirs() {
+  for (const sub of ['', 'logs', 'reports', 'blocked', 'distilled']) {
+    const d = path.join(LOG_DIR, sub);
+    if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true });
+  }
+}
+
+function run(args) {
+  ensureDirs();
+  const clearAll = (args || []).includes('--history');
+  if (clearAll) {
+    const logsDir = path.join(LOG_DIR, 'logs');
+    const blockedDir = path.join(LOG_DIR, 'blocked');
+    let n = 0;
+    for (const dir of [logsDir, blockedDir]) {
+      try { for (const f of fs.readdirSync(dir)) { fs.unlinkSync(path.join(dir, f)); n++; } } catch { /* ignore */ }
+    }
+    try { fs.unlinkSync(SESSION_FILE); } catch { /* ignore */ }
+    console.log(col.g(`✓ Cleared all history (${n} log files) and session data`));
+  } else {
+    try { fs.unlinkSync(getLogFile()); } catch { /* ignore */ }
+    try { fs.unlinkSync(SESSION_FILE); } catch { /* ignore */ }
+    console.log(col.g("✓ Cleared today's log and session data"));
+    console.log(col.d('  Use --history to wipe all historical logs'));
+  }
+}
+
+module.exports = { run };