@occasiolabs/occasio 0.8.3 → 0.8.5

package/src/index.js

@@ -71,70 +71,14 @@ function todayStr() { const d = new Date(); return `${d.getFullYear()}-${String(
 function getLogFile()     { return path.join(LOG_DIR, 'logs',    `${todayStr()}.jsonl`); }
 function getBlockedFile() { return path.join(LOG_DIR, 'blocked', `${todayStr()}-secrets.log`); }
 
-const MODEL_PRICES = {
-  'claude-opus-4-6':   { in: 15.00, out: 75.00, cache_write:  18.75, cache_read:  1.50 },
-  'claude-opus-4':     { in: 15.00, out: 75.00, cache_write:  18.75, cache_read:  1.50 },
-  'claude-sonnet-4-6': { in:  3.00, out: 15.00, cache_write:   3.75, cache_read:  0.30 },
-  'claude-sonnet-4':   { in:  3.00, out: 15.00, cache_write:   3.75, cache_read:  0.30 },
-  'claude-haiku-4-5':  { in:  0.25, out:  1.25, cache_write:   0.30, cache_read:  0.03 },
-  'claude-haiku-4':    { in:  0.25, out:  1.25, cache_write:   0.30, cache_read:  0.03 },
-  'default':           { in:  3.00, out: 15.00, cache_write:   3.75, cache_read:  0.30 },
-};
-
-function getPrice(model) {
-  if (!model) return MODEL_PRICES.default;
-  for (const [k, v] of Object.entries(MODEL_PRICES)) {
-    if (k !== 'default' && model.includes(k)) return v;
-  }
-  return MODEL_PRICES.default;
-}
-
-function calcCost(model, inp, out, cacheWrite = 0, cacheRead = 0) {
-  const p = getPrice(model);
-  return (inp / 1e6 * p.in) + (out / 1e6 * p.out)
-       + (cacheWrite / 1e6 * p.cache_write) + (cacheRead / 1e6 * p.cache_read);
-}
-
-// Savings from Anthropic prompt caching: cache reads are 10× cheaper than fresh input.
-function calcCacheSavings(model, cacheReadTokens) {
-  if (!cacheReadTokens) return 0;
-  const p = getPrice(model);
-  return (cacheReadTokens / 1e6) * (p.in - p.cache_read);
-}
-
-// Cross-request compounding savings: reads the run's JSONL entries in sequence order
-// and weights each distilled batch by the exact number of subsequent API calls that
-// carry the smaller result in their conversation history.
-// Formula: Σ (distill_tokens_saved[i] / 1M × price_in × (N - i - 1))
-// Returns { savings: float, carryInstances: int }
-// carryInstances = total sum of subsequent-call counts across all distilled batches
-// — the actual multiplier used — so the display is self-explanatory.
-// Assumption: tool results accumulate in Claude Code's message history for all
-// subsequent requests in the session (true for normal sessions; may not hold if
-// Claude Code resets context mid-session).
-function calcCompoundingSavings(runId, logFile, model) {
-  if (!runId) return { savings: 0, carryInstances: 0 };
-  let entries;
-  try {
-    const lines = fs.readFileSync(logFile, 'utf8').trim().split('\n').filter(Boolean);
-    entries = lines
-      .map(l => { try { return JSON.parse(l); } catch { return null; } })
-      .filter(e => e && e.run_id === runId);
-  } catch { return { savings: 0, carryInstances: 0 }; }
-  const N = entries.length;
-  if (N < 2) return { savings: 0, carryInstances: 0 };
-  const p = getPrice(model);
-  let savings = 0, carryInstances = 0;
-  for (let i = 0; i < N; i++) {
-    const dt = entries[i].distill_tokens_saved || 0;
-    if (dt > 0) {
-      const subsequent = N - i - 1;
-      savings += (dt / 1e6) * p.in * subsequent;
-      carryInstances += subsequent;
-    }
-  }
-  return { savings, carryInstances };
-}
+// Pricing extracted to its own module — see src/cost/prices.js for the
+// MODEL_PRICES table + cost-arithmetic helpers. Re-exported here so the
+// rest of index.js keeps its existing call sites unchanged.
+const {
+  calcCost,
+  calcCacheSavings,
+  calcCompoundingSavings,
+} = require('./cost/prices');
 
 // ── Persistence ────────────────────────────────────────────────────────────────
 
@@ -156,7 +100,7 @@ function updateSession(e) {
     lao_tokens_saved:0, lao_cost_saved:0, tools_local_count:0, tools_mcp_count:0,
     tools_attempted:0,
   };
-  try { s = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch {}
+  try { s = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch { /* ignore */ }
   s.requests++;
   s.input_tokens       += e.input_tokens       || 0;
   s.output_tokens      += e.output_tokens      || 0;
@@ -311,223 +255,22 @@ const cmd = args[0];
 if (cmd === '--version' || cmd === '-v') { console.log(`occasio v${VERSION}`); process.exit(0); }
 
 if (cmd === 'help' || cmd === '--help' || cmd === '-h') {
-  console.log(`
-${col.b(`⚡ Occasio v${VERSION}`)}
-
-${col.b('Usage:')}
-  occasio claude [args...]   Start Claude with local proxy (intercept + log)
-  occasio demo               10-second proof: see Occasio block real secrets
-  occasio demo attest        End-to-end attestation pipeline against a synthetic audit chain
-  occasio demo anomalies     End-to-end EDR test: synthetic adversarial chain → all 4 detectors
-  occasio dashboard          Open live dashboard for the running session
-  occasio register           Register shell alias (type 'claude' directly)
-  occasio status             Show session stats and savings breakdown
-  occasio doctor             Check setup: Node, claude CLI, port, Python, profile
-  occasio clear              Reset today's log and session data
-  occasio clear --history    Wipe all historical logs
-  occasio ledger             Inspect token ledger (--last N, --summary, --scope session|today)
-  occasio replay             Replay run audit (--last N, --detail, --run <id>, --attribute)
-  occasio distill            Inspect distilled outputs (--last N, --entry <N> for raw)
-  occasio inspect            Cloud-boundary manifest (--last N, --entry N, --run <id>)
-  occasio boundary           Per-request three-column view: produced / re-entered / prevented
-  occasio baseline           Behavior baseline: [learn|show|compare|reset] (per project cwd)
-  occasio harness            Run a real Claude Code session against scratch fixtures and verify governance claims (needs ANTHROPIC_API_KEY)
-  occasio redteam            Autonomous adversarial test — tester LLM probes a subject Claude Code session under Occasio (needs ANTHROPIC_API_KEY + @anthropic-ai/sdk)
-  occasio policy [show]      Show active policy: flags, tool routing, overrides
-  occasio policy show --diff Only values that differ from defaults
-  occasio policy validate    Validate policy.yml and report errors/warnings
-  occasio policy init        Create a starter policy.yml (safe, non-destructive)
-                                Use --template strict|finance for a non-default starter
-  occasio policy doctor      Cross-reference session logs with policy; surface suggestions
-  occasio audit [verify]     Verify tamper-evident hash chain in pipeline-events.jsonl
-  occasio report             Governance export: file access log, blocked paths, secret events
-  occasio anomalies          Live anomaly detection over the audit chain (--window 15m, --json)
-  occasio computer-use       Apply a Computer-Use policy to a JSONL of tool_use blocks (--dry-run --example)
-  occasio attest --run-id <uuid>  AI-Agent Behavioral Attestation v1: hash-chain commitment + execution summary for one run
-                              Add --sign in GitHub Actions (with permissions: id-token: write) for Sigstore keyless signing
-  occasio attest verify <file>   Re-verify a signed attestation: Sigstore bundle + DSSE payload match + audit chain integrity
-  occasio selftest           Run governance self-checks on a scratch chain (does not touch your audit log)
-  occasio report --format csv  CSV export for auditors / SIEM import
-  occasio mcp-experiment     MCP vs. built-in tool adoption stats (experiment)
-
-${col.b('Presets:')}
-  --preset balanced  (default)  Intercept safe reads locally, log all requests
-  --preset strict               Block requests that contain detected secrets
-  --preset off                  Log only — no interception, no blocking
-
-${col.b('Flags:')}
-  --budget <N>                  Block requests once session cost exceeds $N (e.g. --budget 1.00)
-  --hardened                    Route Read/Glob/Grep through unified runtime (distill + secret scan)
-  --block-secrets               Alias for --preset strict
-  --log-only                    Alias for --preset off
-  --dashboard                   Open live dashboard at http://localhost:3001
-  --port <N>                    Proxy port (default: 8081)
-  --verbose                     Print live per-request chatter (off by default — quiet for Claude Code's TUI)
-
-${col.b('Multi-agent routing:')}
-  Default               → Claude Code adapter
-  Header x-occasio-agent: cline → Cline adapter (synthetic; live validation pending)
-
-${col.b('Logs:')} ~/.occasio/logs/YYYY-MM-DD.jsonl
-`);
+  require('./cli/help').run();
   process.exit(0);
 }
 
 if (cmd === 'register') {
-  const shell = process.env.SHELL || '';
-  const isWindows = process.platform === 'win32';
-
-  if (isWindows) {
-    const profileDir  = path.join(os.homedir(), 'Documents', 'PowerShell');
-    const profileFile = path.join(profileDir, 'Microsoft.PowerShell_profile.ps1');
-    const snippet = `\n# Occasio — intercept Claude Code traffic\nfunction claude { occasio claude @args }\n`;
-    const alreadyMarker = 'occasio claude @args';
-    const legacyMarker  = 'occasio --intercept @args';
-    try {
-      if (!fs.existsSync(profileDir)) fs.mkdirSync(profileDir, { recursive: true });
-      const existing = fs.existsSync(profileFile) ? fs.readFileSync(profileFile, 'utf8') : '';
-      if (existing.includes(alreadyMarker)) {
-        console.log(col.g('✓ Already registered (PowerShell)'));
-        console.log(col.d('  Type: claude'));
-      } else if (existing.includes(legacyMarker)) {
-        // Upgrade old --intercept form to canonical `occasio claude`
-        const updated = existing.replace(
-          /function claude \{ occasio --intercept @args \}/g,
-          'function claude { occasio claude @args }'
-        );
-        fs.writeFileSync(profileFile, updated);
-        console.log(col.g('✓ Updated to canonical form (occasio claude)'));
-        console.log('');
-        console.log(col.y(`  ⚠  Restart PowerShell — the 'claude' alias is not active yet.`));
-        console.log(col.d(`     Open a new terminal, or run:  . $PROFILE`));
-        console.log('');
-      } else {
-        fs.appendFileSync(profileFile, snippet);
-        console.log(col.g(`✓ Registered in ${profileFile}`));
-        console.log('');
-        console.log(col.y(`  ⚠  Restart PowerShell — the 'claude' alias is not active yet.`));
-        console.log(col.d(`     Open a new terminal, or run:  . $PROFILE`));
-        console.log('');
-      }
-    } catch (e) {
-      console.log(col.r(`✗ Could not write profile: ${e.message}`));
-      console.log(col.d(`  Add manually to your PowerShell profile:\n  function claude { occasio claude @args }`));
-    }
-  } else {
-    const rcFile = (process.env.SHELL || '').includes('zsh')
-      ? path.join(os.homedir(), '.zshrc')
-      : path.join(os.homedir(), '.bashrc');
-    const snippet = `\n# Occasio — intercept Claude Code traffic\nclaude() { occasio claude "$@"; }\n`;
-    const alreadyMarker = 'occasio claude "$@"';
-    const legacyMarker  = 'occasio --intercept "$@"';
-    try {
-      const existing = fs.existsSync(rcFile) ? fs.readFileSync(rcFile, 'utf8') : '';
-      if (existing.includes(alreadyMarker)) {
-        console.log(col.g(`✓ Already registered (${rcFile})`));
-      } else if (existing.includes(legacyMarker)) {
-        const updated = existing.replace(
-          /claude\(\) \{ occasio --intercept "\$@"; \}/g,
-          'claude() { occasio claude "$@"; }'
-        );
-        fs.writeFileSync(rcFile, updated);
-        console.log(col.g(`✓ Updated to canonical form in ${rcFile}`));
-      } else {
-        fs.appendFileSync(rcFile, snippet);
-        console.log(col.g(`✓ Registered in ${rcFile}`));
-      }
-      console.log(col.d('  Run: source ' + rcFile + '  — then type: claude'));
-    } catch (e) {
-      console.log(col.r(`✗ Could not write ${rcFile}: ${e.message}`));
-      console.log(col.d(`  Add manually:\n  claude() { occasio claude "$@"; }`));
-    }
-  }
+  require('./cli/register').run();
   process.exit(0);
 }
 
 if (cmd === 'status' || cmd === 'stats') {
-  let s = null; try { s = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch {}
-  console.log(col.b('\n⚡ Occasio\n'));
-  if (!s) { console.log(col.d('  No session data yet. Run: occasio claude\n')); process.exit(0); }
-
-  const cacheSav  = s.cache_savings      || 0;
-  const laoSav    = s.lao_cost_saved     || 0;
-  const distSav   = s.distill_cost_saved || 0;
-  const payload   = laoSav + distSav;
-  const { savings: context } =
-    calcCompoundingSavings(s.run_id, s.log_file || getLogFile(), s.model || '');
-  const totalSav  = payload + context + cacheSav;
-  const broaderCf = (s.cost || 0) + totalSav;
-  const savedPct  = broaderCf > 0.00001 ? Math.round(totalSav / broaderCf * 100) : 0;
-
-  // Headline
-  if (totalSav > 0.00001) {
-    console.log(col.g(`  Saved:       $${totalSav.toFixed(4)}`) +
-      col.d(`  (${savedPct}% off — would have cost $${broaderCf.toFixed(4)})`));
-  } else {
-    console.log(col.d(`  Saved:       $0.0000  (no interceptable tool calls in this session yet)`));
-  }
-  console.log(col.y(`  Cost:        $${s.cost.toFixed(4)}`));
-
-  // Plain-English coverage. Defensive: legacy sessions (pre-multi-round-fix)
-  // may have tools_attempted undercounted relative to tools_local_count.
-  // We clamp the denominator to at least the numerator so the displayed
-  // ratio is always 0–100% and never reads "X of Y < X (>100%)".
-  const localCnt   = s.tools_local_count || 0;
-  const mcpCnt     = s.tools_mcp_count   || 0;
-  const attempted  = s.tools_attempted   || 0;
-  const totalLocal = localCnt + mcpCnt;
-  const denom      = Math.max(attempted, totalLocal);
-  if (denom > 0) {
-    const cpct = Math.round(totalLocal / denom * 100);
-    const cColor = cpct >= 80 ? col.g : cpct >= 50 ? col.y : col.r;
-    console.log(cColor(`  Ran locally: ${totalLocal} of ${denom} tool calls (${cpct}%)`));
-  }
-  if (s.blocked) console.log(col.r(`  Blocked:     ${s.blocked} secrets`));
-  if (s.secrets_redacted) console.log(col.c(`  Redacted:    ${s.secrets_redacted} secret${s.secrets_redacted !== 1 ? 's' : ''} in tool results`));
-  if (s.tools_transformed) console.log(col.c(`  Transforms:  ${s.tools_transformed} tool result${s.tools_transformed !== 1 ? 's' : ''} shaped`));
-  if (s.budget != null) {
-    const pct = Math.min(999, Math.round((s.cost || 0) / s.budget * 100));
-    const budgetStr = fmtBudget(s.cost || 0, s.budget);
-    const budgetColor = pct >= 100 ? col.r : pct >= 80 ? col.y : col.g;
-    console.log(budgetColor(`  Budget:      ${budgetStr}`));
-    if (s.budget_exceeded_count) console.log(col.r(`  BudgetBlk:   ${s.budget_exceeded_count} request(s) blocked`));
-  }
-
-  // Detail
-  console.log(col.d(`  ────`));
-  console.log(col.d(`  Requests:    ${s.requests} · ${(s.input_tokens/1000).toFixed(1)}k tokens in · ${(s.output_tokens/1000).toFixed(1)}k out`));
-  if (totalSav > 0.00001) {
-    const parts = [];
-    if (payload  > 0.00001) parts.push(`$${payload.toFixed(4)} payload`);
-    if (context  > 0.00001) parts.push(`$${context.toFixed(4)} context`);
-    if (cacheSav > 0.00001) parts.push(`$${cacheSav.toFixed(4)} cache`);
-    if (parts.length) console.log(col.d(`  Breakdown:   ${parts.join(' + ')}`));
-  }
-  const tail = [];
-  if (s.mode)  tail.push(`Mode: ${s.mode}`);
-  if (s.start) tail.push(`Since: ${new Date(s.start).toLocaleString()}`);
-  if (tail.length) console.log(col.d(`  ${tail.join('   ·   ')}`));
-  console.log(''); process.exit(0);
+  require('./cli/status').run();
+  process.exit(0);
 }
 
 if (cmd === 'clear') {
-  ensureDirs();
-  const clearAll = args.slice(1).includes('--history');
-  if (clearAll) {
-    const logsDir = path.join(LOG_DIR, 'logs');
-    const blockedDir = path.join(LOG_DIR, 'blocked');
-    let n = 0;
-    for (const dir of [logsDir, blockedDir]) {
-      try { for (const f of fs.readdirSync(dir)) { fs.unlinkSync(path.join(dir, f)); n++; } } catch {}
-    }
-    try { fs.unlinkSync(SESSION_FILE); } catch {}
-    console.log(col.g(`✓ Cleared all history (${n} log files) and session data`));
-  } else {
-    try { fs.unlinkSync(getLogFile()); } catch {}
-    try { fs.unlinkSync(SESSION_FILE); } catch {}
-    console.log(col.g("✓ Cleared today's log and session data"));
-    console.log(col.d('  Use --history to wipe all historical logs'));
-  }
+  require('./cli/clear').run(args.slice(1));
   process.exit(0);
 }
 
@@ -817,7 +560,7 @@ if (cmd === 'doctor' || cmd === 'check') {
           stdio: ['pipe', 'pipe', 'pipe'],
         }).toString().trim();
         ok('Python (LAO)', out); pyFound = true;
-      } catch {}
+      } catch { /* ignore */ }
     }
     if (!pyFound) bad('Python (LAO)', 'not found — context trimming disabled');
     if (laoPyExists) ok('LAO scorer', laoPyPath);
@@ -943,7 +686,7 @@ const sessionAuditor = _createAuditor(process.env.OCCASIO_AUDIT_FILE || undefine
       process.stderr.write(`\n${col.r('[occasio][audit-fatal]')} policy_loaded write failed: ${status.error?.message}\n`);
       process.stderr.write(`${col.r('[occasio][audit-fatal] dropped row:')} ${dropped}\n`);
       process.stderr.write(`${col.r('[occasio][audit-fatal] proxy aborting; supervisor will restart.')}\n`);
-      try { server && server.close && server.close(); } catch {}
+      try { server && server.close && server.close(); } catch { /* ignore */ }
       setTimeout(() => process.exit(1), 250);
     }
   });
@@ -982,7 +725,7 @@ if (budget !== null) {
   const { execSync: _ex } = require('child_process');
   let _pyOk = false;
   for (const _cmd of ['python', 'python3']) {
-    try { _ex(`${_cmd} --version`, { shell: process.platform === 'win32', timeout: 3000, stdio: 'pipe' }); _pyOk = true; break; } catch {}
+    try { _ex(`${_cmd} --version`, { shell: process.platform === 'win32', timeout: 3000, stdio: 'pipe' }); _pyOk = true; break; } catch { /* ignore */ }
   }
   if (!_pyOk) process.stderr.write(col.y(`  ⚠ LAO disabled — Python not found (context trimming inactive)\n`));
 }
@@ -1030,7 +773,7 @@ const server = http.createServer((req, res) => {
           try {
             const rules = JSON.parse(fs.readFileSync(rp, 'utf8'));
             blocked = files.filter(f => (rules.block || []).some(p => f.includes(p.replace(/\*\*/g, '').replace(/\*/g, ''))));
-          } catch {}
+          } catch { /* ignore */ }
         }
 
         const shouldBlock = (mode === 'block_secrets' && secrets.length) || (mode === 'block_rules' && blocked.length);
@@ -1063,7 +806,7 @@ const server = http.createServer((req, res) => {
           res.end(JSON.stringify({ error: { type: 'blocked', reason: secrets.length ? secrets[0].label : 'rule', by: 'Occasio' } }));
           return;
         }
-      } catch {}
+      } catch { /* ignore */ }
     }
 
     // ── Budget enforcement (Stage 2: policy-driven BLOCK) ─────────────────────
@@ -1097,7 +840,7 @@ const server = http.createServer((req, res) => {
           const s = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8'));
           s.budget_exceeded_count = (s.budget_exceeded_count || 0) + 1;
           fs.writeFileSync(SESSION_FILE, JSON.stringify(s));
-        } catch {}
+        } catch { /* ignore */ }
         const synth = decision.syntheticResponse;
         res.writeHead(synth.status, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify(synth.body));
@@ -1125,7 +868,7 @@ const server = http.createServer((req, res) => {
             }
           }
         }
-      } catch {}
+      } catch { /* ignore */ }
     }
     // ──────────────────────────────────────────────────────────────────────────
 
@@ -1312,7 +1055,7 @@ const server = http.createServer((req, res) => {
         }
         forwardBody = Buffer.from(JSON.stringify(b));
         outboundMessageCount = b.messages?.length ?? outboundMessageCount;
-      } catch {}
+      } catch { /* ignore */ }
     }
     if (laoDropped.length > 0) {
       const ts0  = new Date().toTimeString().slice(0, 8);
@@ -1438,7 +1181,7 @@ const server = http.createServer((req, res) => {
               process.stderr.write(`\n${col.r('[occasio][audit-fatal]')} ${e.message}\n`);
               process.stderr.write(`${col.r('[occasio][audit-fatal] dropped row:')} ${dropped}\n`);
               process.stderr.write(`${col.r('[occasio][audit-fatal] proxy aborting; supervisor will restart.')}\n`);
-              try { server && server.close && server.close(); } catch {}
+              try { server && server.close && server.close(); } catch { /* ignore */ }
               setTimeout(() => process.exit(1), 250);
               return;
             }
@@ -1467,10 +1210,10 @@ const server = http.createServer((req, res) => {
                     cacheRead  = d.usage.cache_read_input_tokens     || cacheRead;
                   }
                   if (d.type === 'message_delta' && d.usage) out = d.usage.output_tokens || out;
-                } catch {}
+                } catch { /* ignore */ }
               }
             }
-          } catch {}
+          } catch { /* ignore */ }
 
           // When the interceptor ran, Anthropic was billed for N calls:
           //   call #1  → initial tool_use round  (toolCallUsage)
@@ -1705,7 +1448,7 @@ server.listen(PORT, '127.0.0.1', () => {
         if (parts.length) process.stderr.write(col.d(`  Breakdown:   ${parts.join(' + ')}\n`));
       }
       process.stderr.write('────────────────────────────────────────\n\n');
-    } catch {}
+    } catch { /* ignore */ }
     process.exit(code || 0);
   });
 

package/src/inspect.js

@@ -268,7 +268,7 @@ function printBoundaryEntry(entry, idxLabel, total) {
 
 function runInspectCli(args) {
   let session = null;
-  try { session = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch {}
+  try { session = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch { /* ignore */ }
 
   const todayEntries = readDayLog(todayStr());
 

package/src/interceptor.js

@@ -24,14 +24,13 @@
 const fs   = require('fs');
 const path = require('path');
 const { exec } = require('child_process');
-const https    = require('https');
 const { routeLocally } = require('./classifier');
 const { distill }      = require('./distiller');
 const { scanSecrets }  = require('./analyzer');
 
 const {
   MAX_OUTPUT,
-  readFileNative,
+  readFileNative, READ_SKIP_EXTENSIONS,
   isReadHandleable, handleReadTool,
   isGlobHandleable, handleGlobTool, globToRegex,
   isGrepHandleable, handleGrepTool,
@@ -455,7 +454,7 @@ function nativeHandle(cmd) {
             }
           }
         }
-      } catch {}
+      } catch { /* skip unreadable dir */ }
     }
     walk(abs);
     return { output: results.join('\n') || '', exitCode: 0 };
@@ -487,7 +486,7 @@ function nativeHandle(cmd) {
     if (!filePart) return null;
     const abs = path.resolve(cwd, filePart);
     let exists = false;
-    try { fs.statSync(abs); exists = true; } catch {}
+    try { fs.statSync(abs); exists = true; } catch { /* missing → exists stays false */ }
     return { output: exists ? 'True' : 'False', exitCode: exists ? 0 : 1 };
   }
 
@@ -689,11 +688,11 @@ function isInterceptable(block) {
   if (block.name === 'TodoWrite') return isTodoHandleable(block.input, 'TodoWrite');
   if (block.name === 'TodoRead')  return isTodoHandleable(block.input, 'TodoRead');
   if (block.name === 'PowerShell') {
-    const cmd = (block.input?.command || '').trim();
+    const cmd = (typeof block.input?.command === 'string' ? block.input.command : '').trim();
     return cmd ? isPowerShellNativeHandleable(cmd) : false;
   }
   if (block.name !== 'Bash') return false;
-  const cmd = (block.input?.command || '').trim();
+  const cmd = (typeof block.input?.command === 'string' ? block.input.command : '').trim();
   if (!cmd) return false;
   if (isNativeHandleable(cmd)) return true;
   if (SHELL_META.test(cmd)) return false;
@@ -738,7 +737,7 @@ function classifyBlock(block) {
   }
 
   if (block.name === 'PowerShell') {
-    const rawCmd = (block.input?.command || '').trim();
+    const rawCmd = (typeof block.input?.command === 'string' ? block.input.command : '').trim();
     if (!rawCmd) return { handled: false, reason: FALLBACK_REASONS.BASH_EMPTY_CMD };
     const expanded = expandPsEnvVars(rawCmd);
     let normalized = expanded.trim();
@@ -760,7 +759,7 @@ function classifyBlock(block) {
   }
 
   // Bash
-  const cmd = (block.input?.command || '').trim();
+  const cmd = (typeof block.input?.command === 'string' ? block.input.command : '').trim();
   if (!cmd) return { handled: false, reason: FALLBACK_REASONS.BASH_EMPTY_CMD };
   if (isNativeHandleable(cmd)) return { handled: true, reason: 'ok' };
   if (SHELL_META.test(cmd)) return { handled: false, reason: FALLBACK_REASONS.BASH_SHELL_META };
@@ -891,27 +890,6 @@ function buildFollowUpHeaders(authHeaders, payloadLength) {
   return h;
 }
 
-function anthropicRequest(body, authHeaders) {
-  return new Promise((resolve, reject) => {
-    const payload = JSON.stringify({ ...body, stream: false });
-    const headers = buildFollowUpHeaders(authHeaders, Buffer.byteLength(payload));
-
-    const req = https.request(
-      { hostname: 'api.anthropic.com', port: 443, path: '/v1/messages', method: 'POST', headers },
-      res => {
-        const chunks = [];
-        res.on('data', c => chunks.push(c));
-        res.on('end', () => {
-          try   { resolve({ status: res.statusCode, body: JSON.parse(Buffer.concat(chunks).toString()) }); }
-          catch (e) { reject(e); }
-        });
-      }
-    );
-    req.on('error', reject);
-    req.end(payload);
-  });
-}
-
 // ── Main export ────────────────────────────────────────────────────────────────
 
 /**
@@ -1185,6 +1163,8 @@ module.exports = {
   isGrepHandleable,
   isTodoHandleable,
   nativeHandle,
+  readFileNative,
+  READ_SKIP_EXTENSIONS,
   handleReadTool,
   handleGlobTool,
   globToRegex,

package/src/ledger.js

@@ -26,7 +26,7 @@ function readDayLog(dateStr) {
   for (const raw of lines) {
     const line = raw.trim();
     if (!line) continue;
-    try { result.push(JSON.parse(line)); } catch {}
+    try { result.push(JSON.parse(line)); } catch { /* ignore */ }
   }
   return result;
 }
@@ -119,7 +119,6 @@ function printEntry(e, idx) {
 
 function printSummary(totals, scope, runId) {
   const { requests, cloud_sent = 0, local_only = 0, blocked = 0, trimmed = 0,
-          budget_exceeded = 0,
           input_tokens, output_tokens, cost,
           cache_savings, lao_cost_saved, distill_cost_saved = 0,
           distill_tokens_saved = 0, tools_local_count } = totals;
@@ -167,7 +166,7 @@ function runLedgerCli(args) {
   if (args.includes('--summary')) showSummary = true;
 
   let session = null;
-  try { session = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch {}
+  try { session = JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8')); } catch { /* ignore */ }
 
   const todayEntries = readDayLog(todayStr());
   const entries = scope === 'session'

package/src/mcp-experiment.js

@@ -33,7 +33,7 @@ function runStats() {
   try {
     mcpEntries = fs.readFileSync(MCP_LOG, 'utf8').trim().split('\n')
       .filter(Boolean).map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
-  } catch {}
+  } catch { /* ignore */ }
 
   // ── Built-in path: read today's session log, count intercepted Read/Glob/Grep ─
   let builtinTools = [];
@@ -44,9 +44,9 @@ function runStats() {
         const entry = JSON.parse(line);
         const tools = (entry.tools || []).filter(t => ['Read', 'Glob', 'Grep'].includes(t.tool));
         builtinTools.push(...tools);
-      } catch {}
+      } catch { /* ignore */ }
     }
-  } catch {}
+  } catch { /* ignore */ }
 
   const mcpTotal     = mcpEntries.length;
   const builtinTotal = builtinTools.length;
@@ -116,7 +116,7 @@ function runStats() {
 }
 
 function runClear() {
-  try { fs.unlinkSync(MCP_LOG); console.log(col.g('✓ mcp-experiment.jsonl cleared')); } catch {}
+  try { fs.unlinkSync(MCP_LOG); console.log(col.g('✓ mcp-experiment.jsonl cleared')); } catch { /* ignore */ }
 }
 
 function runRaw() {

package/src/mcp-server.js

@@ -86,7 +86,7 @@ function logCall(entry) {
     const dir = path.dirname(LOG_FILE);
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
     fs.appendFileSync(LOG_FILE, JSON.stringify(entry) + '\n');
-  } catch {}
+  } catch { /* ignore */ }
 }
 
 // ── Tool definitions (lao-compatible schemas) ──────────────────────────────────
@@ -274,7 +274,7 @@ async function handleRequest(req) {
             content: [{ type: 'text', text: 'audit-fatal: MCP server aborting' }],
             isError: true,
           });
-        } catch {}
+        } catch { /* ignore */ }
         setTimeout(() => process.exit(1), 250);
         return;
       }
@@ -301,7 +301,7 @@ process.stdin.on('data', chunk => {
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed) continue;
-    try { handleRequest(JSON.parse(trimmed)); } catch (e) { /* malformed JSON-RPC frame */ }
+    try { handleRequest(JSON.parse(trimmed)); } catch { /* malformed JSON-RPC frame */ }
   }
 });
 process.stdin.on('end', () => process.exit(0));

package/src/policy/doctor.js

@@ -56,10 +56,10 @@ function readRecentLogs(days, logsDir) {
     for (const f of files) {
       for (const line of fs.readFileSync(path.join(dir, f), 'utf8').split('\n')) {
         if (!line.trim()) continue;
-        try { entries.push(JSON.parse(line)); } catch {}
+        try { entries.push(JSON.parse(line)); } catch { /* ignore */ }
       }
     }
-  } catch {}
+  } catch { /* ignore */ }
   return entries;
 }
 

package/src/policy/engine.js

@@ -16,7 +16,6 @@
 const fs   = require('fs');
 const path = require('path');
 const os   = require('os');
-const adapter = require('../adapters/claude-code');
 const { PASS, LOCAL, BLOCK, TRANSFORM, TRANSFORM_CHAIN } = require('../core/decision');
 const loader = require('./loader');
 const builtIn = require('./built-in-classifiers');

package/src/policy/init.js

@@ -101,7 +101,7 @@ function runInitCli(args, opts = {}) {
 
   // Guard: refuse to overwrite without --force
   let exists = false;
-  try { fsMod.statSync(filePath); exists = true; } catch {}
+  try { fsMod.statSync(filePath); exists = true; } catch { /* ignore */ }
 
   if (exists && !force) {
     console.log(`  File:    ${filePath}  ${col.y('(already exists)')}\n`);