@oculisecurity/cli 0.1.0

package/dist/commands/tail.js

@@ -0,0 +1,211 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatEntry = formatEntry;
+exports.runTail = runTail;
+const fs = __importStar(require("fs"));
+const telemetry_log_1 = require("../services/telemetry-log");
+// ---------------------------------------------------------------------------
+// ANSI colors
+// ---------------------------------------------------------------------------
+function useColor() {
+    if (process.env.NO_COLOR)
+        return false;
+    return process.stdout.isTTY === true;
+}
+const color = {
+    reset: '\x1b[0m',
+    dim: '\x1b[2m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    red: '\x1b[31m',
+    cyan: '\x1b[36m',
+    white: '\x1b[37m',
+};
+function c(code, text, enabled) {
+    return enabled ? `${code}${text}${color.reset}` : text;
+}
+// ---------------------------------------------------------------------------
+// Formatting
+// ---------------------------------------------------------------------------
+function padRight(s, len) {
+    return s.length >= len ? s.slice(0, len) : s + ' '.repeat(len - s.length);
+}
+function truncate(s, max) {
+    return s.length <= max ? s : s.slice(0, max - 1) + '…';
+}
+function formatEntry(entry, colorEnabled) {
+    // Time: HH:MM:SS
+    const ts = new Date(entry.timestamp);
+    const time = [
+        String(ts.getHours()).padStart(2, '0'),
+        String(ts.getMinutes()).padStart(2, '0'),
+        String(ts.getSeconds()).padStart(2, '0'),
+    ].join(':');
+    // Phase
+    const phaseMap = { pre: 'PRE ', post: 'POST', complete: 'DONE' };
+    const phase = phaseMap[entry.phase] ?? entry.phase.toUpperCase().slice(0, 4);
+    // Tool
+    const tool = padRight(entry.tool ?? '—', 10);
+    // Detail: command for shell, file_path for file ops, mcp_server for mcp
+    let detail = '—';
+    if (entry.action?.command) {
+        detail = entry.action.command;
+    }
+    else if (entry.file_path) {
+        detail = entry.file_path;
+    }
+    else if (entry.shell_command) {
+        detail = entry.shell_command;
+    }
+    else if (entry.mcp_server) {
+        detail = entry.mcp_server;
+    }
+    else if (entry.tool_args) {
+        // Fallback: show first string arg value
+        for (const val of Object.values(entry.tool_args)) {
+            if (typeof val === 'string' && val.length > 0) {
+                detail = val;
+                break;
+            }
+        }
+    }
+    detail = truncate(detail, 40);
+    // Decision
+    let decisionStr;
+    const ruleIds = entry.policy_rule_ids?.length ? ` (${entry.policy_rule_ids.join(', ')})` : '';
+    switch (entry.policy_decision) {
+        case 'allow':
+            decisionStr = c(color.green, `✅ allow${ruleIds}`, colorEnabled);
+            break;
+        case 'warn':
+            decisionStr = c(color.yellow, `⚠️  warn${ruleIds}`, colorEnabled);
+            break;
+        case 'deny':
+            decisionStr = c(color.red, `🚫 deny${ruleIds}`, colorEnabled);
+            break;
+        default:
+            decisionStr = entry.policy_decision;
+    }
+    const timeStr = c(color.dim, `[${time}]`, colorEnabled);
+    const phaseStr = c(color.cyan, phase, colorEnabled);
+    const toolStr = c(color.white, tool, colorEnabled);
+    return `${timeStr} ${phaseStr} | ${toolStr} | ${padRight(detail, 40)} | ${decisionStr}`;
+}
+function runTail(opts) {
+    const logPath = (0, telemetry_log_1.findTelemetryLog)();
+    if (!logPath) {
+        process.stderr.write('oculi: no telemetry log found. Run some commands first.\n');
+        process.exit(1);
+    }
+    const colorEnabled = !opts.noColor && useColor();
+    // Print existing lines from near the end
+    let fileSize = 0;
+    try {
+        fileSize = fs.statSync(logPath).size;
+    }
+    catch {
+        // File might not exist yet
+    }
+    // Read last ~64KB for initial display
+    const TAIL_BYTES = 64 * 1024;
+    const startPos = Math.max(0, fileSize - TAIL_BYTES);
+    if (fileSize > 0) {
+        const fd = fs.openSync(logPath, 'r');
+        const buf = Buffer.alloc(Math.min(fileSize, TAIL_BYTES));
+        fs.readSync(fd, buf, 0, buf.length, startPos);
+        fs.closeSync(fd);
+        const text = buf.toString('utf8');
+        const lines = text.split('\n');
+        // If we started mid-line, skip the first partial line
+        const start = startPos > 0 ? 1 : 0;
+        for (let i = start; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line)
+                continue;
+            try {
+                const entry = JSON.parse(line);
+                if (opts.filter && entry.policy_decision !== opts.filter)
+                    continue;
+                process.stdout.write(formatEntry(entry, colorEnabled) + '\n');
+            }
+            catch {
+                // Skip malformed
+            }
+        }
+    }
+    // Watch for new lines
+    let currentSize = fileSize;
+    const watcher = fs.watch(logPath, () => {
+        let newSize;
+        try {
+            newSize = fs.statSync(logPath).size;
+        }
+        catch {
+            return;
+        }
+        if (newSize <= currentSize) {
+            // File was rotated — reset
+            currentSize = 0;
+            return;
+        }
+        const fd = fs.openSync(logPath, 'r');
+        const bytesToRead = newSize - currentSize;
+        const buf = Buffer.alloc(bytesToRead);
+        fs.readSync(fd, buf, 0, bytesToRead, currentSize);
+        fs.closeSync(fd);
+        currentSize = newSize;
+        const text = buf.toString('utf8');
+        for (const line of text.split('\n')) {
+            const trimmed = line.trim();
+            if (!trimmed)
+                continue;
+            try {
+                const entry = JSON.parse(trimmed);
+                if (opts.filter && entry.policy_decision !== opts.filter)
+                    continue;
+                process.stdout.write(formatEntry(entry, colorEnabled) + '\n');
+            }
+            catch {
+                // Skip
+            }
+        }
+    });
+    // Clean exit on SIGINT
+    process.on('SIGINT', () => {
+        watcher.close();
+        process.exit(0);
+    });
+}

package/dist/commands/uninstall.d.ts

@@ -0,0 +1,13 @@
+import { Agent } from '../install/detect';
+export interface UninstallOpts {
+    agent?: Agent;
+    /** Override the home directory (tests only). Production callers should omit this. */
+    home?: string;
+}
+export interface UninstallResult {
+    exitCode: 0;
+    removed: Partial<Record<Agent, string[]>>;
+    policyRemoved: boolean;
+    remainingAgents: Agent[];
+}
+export declare function runUninstall(opts?: UninstallOpts): UninstallResult;

package/dist/commands/uninstall.js

@@ -0,0 +1,111 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runUninstall = runUninstall;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const detect_1 = require("../install/detect");
+const claude_code_1 = require("../install/claude-code");
+const cursor_1 = require("../install/cursor");
+const AGENT_LABEL = {
+    'claude-code': { configPath: '~/.claude/settings.json' },
+    cursor: { configPath: '~/.cursor/hooks.json' },
+};
+/** Render an absolute path with the user's home dir collapsed to ~. */
+function tilde(absPath, home) {
+    return absPath.startsWith(home) ? '~' + absPath.slice(home.length) : absPath;
+}
+function agentHasOculi(agent, home) {
+    return agent === 'claude-code' ? (0, claude_code_1.hasOculiHooks)(home) : (0, cursor_1.hasOculiHooks)(home);
+}
+function runUninstall(opts = {}) {
+    const home = opts.home ?? os.homedir();
+    const explicit = opts.agent !== undefined;
+    const targets = opts.agent ? [opts.agent] : [...detect_1.AGENTS];
+    const policyPath = path.join(home, '.oculi', 'policy.yaml');
+    const policyExistedBefore = fs.existsSync(policyPath);
+    // Remove hooks for each target. Existing per-agent uninstallers preserve
+    // non-oculi entries — we never write JSON files directly here.
+    const removed = {};
+    for (const a of targets) {
+        const r = a === 'claude-code' ? (0, claude_code_1.uninstallClaudeCode)({ home }) : (0, cursor_1.uninstallCursor)({ home });
+        removed[a] = r.removed;
+    }
+    // After per-agent uninstall, recompute which agents still have oculi markers
+    // on disk. We scan BOTH agents regardless of which one we just touched.
+    const remainingAgents = detect_1.AGENTS.filter((a) => agentHasOculi(a, home));
+    // Policy removal rule: delete ~/.oculi/policy.yaml iff no agent has an oculi marker.
+    let policyRemoved = false;
+    if (remainingAgents.length === 0 && policyExistedBefore) {
+        try {
+            fs.rmSync(policyPath);
+            policyRemoved = true;
+        }
+        catch {
+            // best effort
+        }
+        // NOTE: do NOT rmdir ~/.oculi/ — the dashboard's oculi.db and telemetry.jsonl
+        // live there. Only the policy file is owned by us.
+    }
+    // Build stdout.
+    const changes = [];
+    const notices = [];
+    for (const a of targets) {
+        const ev = removed[a] ?? [];
+        const cfg = AGENT_LABEL[a].configPath;
+        if (ev.length > 0) {
+            changes.push(`Removed ${a} hooks ← ${cfg}`);
+            for (const e of ev)
+                changes.push(`  - ${e}`);
+        }
+        else if (explicit) {
+            notices.push(`No oculi hooks found for ${a} in ${cfg}.`);
+        }
+    }
+    if (policyRemoved) {
+        changes.push(`Removed ${tilde(policyPath, home)}`);
+    }
+    else if (policyExistedBefore && remainingAgents.length > 0) {
+        notices.push(`Leaving ${tilde(policyPath, home)} in place (${remainingAgents.join(', ')} is still wired).`);
+    }
+    if (changes.length === 0 && notices.length === 0) {
+        process.stdout.write(`Nothing to remove — no oculi hooks or policy found.\n`);
+    }
+    else {
+        process.stdout.write([...changes, ...notices].join('\n') + '\n');
+    }
+    return { exitCode: 0, removed, policyRemoved, remainingAgents };
+}

package/dist/config.d.ts

@@ -0,0 +1,17 @@
+import { UpstreamConfig } from './types';
+export interface AppConfig {
+    port: number;
+    jwtSecret: string;
+    opaUrl: string;
+    opaEnabled: boolean;
+    dbPath: string;
+    storeFullArgs: boolean;
+    upstreams: UpstreamConfig[];
+    rateLimitCapacity: number;
+    rateLimitRefillPerSecond: number;
+    logLevel: string;
+}
+export declare class ConfigValidationError extends Error {
+    constructor(message: string);
+}
+export declare function loadConfig(): AppConfig;

package/dist/config.js

@@ -0,0 +1,90 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigValidationError = void 0;
+exports.loadConfig = loadConfig;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+/** Resolve ${ENV_VAR:-default} placeholders in strings */
+function resolveEnvVars(str) {
+    return str.replace(/\$\{(\w+)(?::-(.*?))?\}/g, (_, key, fallback) => {
+        return process.env[key] ?? fallback ?? '';
+    });
+}
+function loadUpstreams() {
+    const configPath = path_1.default.join(process.cwd(), 'config', 'upstreams.yaml');
+    if (!fs_1.default.existsSync(configPath)) {
+        // Hardcoded defaults for when config file is absent (tests, Docker, etc.)
+        return [
+            {
+                id: 'fs-server',
+                name: 'Demo Filesystem Server',
+                baseUrl: process.env.FS_SERVER_URL ?? 'http://localhost:3001',
+                timeout: 5000,
+                tools: ['readFile', 'listDir', 'writeFile'],
+            },
+            {
+                id: 'http-server',
+                name: 'Demo HTTP Fetch Server',
+                baseUrl: process.env.HTTP_SERVER_URL ?? 'http://localhost:3002',
+                timeout: 10000,
+                tools: ['fetchUrl', 'postUrl'],
+            },
+        ];
+    }
+    // Lazy-require yaml to keep startup fast when file doesn't exist
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const YAML = require('yaml');
+    const raw = fs_1.default.readFileSync(configPath, 'utf8');
+    const parsed = YAML.parse(raw);
+    return parsed.upstreams.map((u) => {
+        if (u.id.includes('__')) {
+            throw new Error(`Upstream id '${u.id}' must not contain '__' (reserved as tool name separator)`);
+        }
+        return {
+            ...u,
+            baseUrl: resolveEnvVars(u.baseUrl),
+            tools: Array.isArray(u.tools) ? u.tools : [],
+        };
+    });
+}
+class ConfigValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ConfigValidationError';
+    }
+}
+exports.ConfigValidationError = ConfigValidationError;
+const JWT_SECRET_REQUIRED = 'JWT_SECRET environment variable is required for the gateway server.\n' +
+    '\n' +
+    'The gateway uses JWT_SECRET to verify tokens issued by your upstream\n' +
+    'authentication provider. It must match the secret your issuer uses to\n' +
+    'sign tokens, and must be at least 32 characters of high-entropy data.\n' +
+    '\n' +
+    'Generate a new secret with:\n' +
+    '  openssl rand -hex 32\n' +
+    '\n' +
+    'See https://docs.oculisecurity.com/gateway/configuration for details.';
+function requireJwtSecret() {
+    const v = process.env.JWT_SECRET;
+    if (!v || v.length < 32) {
+        throw new ConfigValidationError(JWT_SECRET_REQUIRED);
+    }
+    return v;
+}
+function loadConfig() {
+    return {
+        port: parseInt(process.env.PORT ?? '3000', 10),
+        jwtSecret: requireJwtSecret(),
+        opaUrl: process.env.OPA_URL ?? 'http://localhost:8181',
+        opaEnabled: process.env.OPA_ENABLED !== 'false',
+        dbPath: process.env.DB_PATH ?? path_1.default.join(process.cwd(), 'data', 'audit.db'),
+        storeFullArgs: process.env.STORE_FULL_ARGS !== 'false',
+        upstreams: loadUpstreams(),
+        rateLimitCapacity: parseInt(process.env.RATE_LIMIT_CAPACITY ?? '10', 10),
+        rateLimitRefillPerSecond: parseFloat(process.env.RATE_LIMIT_REFILL ?? '2'),
+        logLevel: process.env.LOG_LEVEL ?? 'info',
+    };
+}

package/dist/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = require("./config");
+const server_1 = require("./server");
+async function main() {
+    const config = (0, config_1.loadConfig)();
+    const { app, close } = await (0, server_1.buildServer)(config);
+    try {
+        await app.listen({ port: config.port, host: '0.0.0.0' });
+        console.log(`[gateway] Oculi Security Gateway listening on :${config.port}`);
+        console.log(`[gateway] OPA: ${config.opaEnabled ? config.opaUrl : 'disabled (built-in policy)'}`);
+        console.log(`[gateway] Upstreams: ${config.upstreams.map((u) => u.id).join(', ')}`);
+        console.log(`[gateway] Admin UI: http://localhost:${config.port}/admin`);
+    }
+    catch (err) {
+        app.log.error(err);
+        process.exit(1);
+    }
+    // Graceful shutdown
+    for (const signal of ['SIGINT', 'SIGTERM']) {
+        process.on(signal, async () => {
+            console.log(`\n[gateway] Received ${signal}, shutting down...`);
+            await close();
+            process.exit(0);
+        });
+    }
+}
+main().catch((err) => {
+    if (err instanceof config_1.ConfigValidationError) {
+        console.error(err.message);
+        process.exit(1);
+    }
+    console.error('[gateway] Fatal error:', err);
+    process.exit(1);
+});

package/dist/init.d.ts

@@ -0,0 +1,9 @@
+export interface InitOpts {
+    /** Override the home directory (tests only). Production callers should omit this. */
+    home?: string;
+}
+export interface InitResult {
+    path: string;
+    created: boolean;
+}
+export declare function runInit(opts?: InitOpts): InitResult;

package/dist/init.js

@@ -0,0 +1,50 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runInit = runInit;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const local_policy_templates_1 = require("./services/local-policy-templates");
+function runInit(opts = {}) {
+    const base = opts.home ?? os.homedir();
+    const policyPath = path.join(base, '.oculi', 'policy.yaml');
+    if (fs.existsSync(policyPath)) {
+        return { path: policyPath, created: false };
+    }
+    fs.mkdirSync(path.dirname(policyPath), { recursive: true });
+    fs.writeFileSync(policyPath, local_policy_templates_1.templates.standard, 'utf8');
+    return { path: policyPath, created: true };
+}

package/dist/install/claude-code.d.ts

@@ -0,0 +1,13 @@
+export interface InstallOpts {
+    /** Override the home directory (tests only). Production callers should omit this. */
+    home?: string;
+}
+export interface InstallResult {
+    path: string;
+    added: string[];
+    removed: string[];
+}
+export declare function installClaudeCode(opts?: InstallOpts): InstallResult;
+export declare function uninstallClaudeCode(opts?: InstallOpts): InstallResult;
+/** Does ~/.claude/settings.json still have any oculi-marked hook? */
+export declare function hasOculiHooks(home?: string): boolean;

package/dist/install/claude-code.js

@@ -0,0 +1,118 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.installClaudeCode = installClaudeCode;
+exports.uninstallClaudeCode = uninstallClaudeCode;
+exports.hasOculiHooks = hasOculiHooks;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/** Claude Code hook events managed by Oculi. */
+const OCULI_EVENTS = ['PreToolUse', 'PostToolUse', 'Stop'];
+const OCULI_MARKER = 'oculi emit claude-code';
+function resolveConfigPath(opts) {
+    return path.join(opts.home ?? os.homedir(), '.claude', 'settings.json');
+}
+function readSettings(filePath) {
+    if (!fs.existsSync(filePath)) {
+        return {};
+    }
+    const raw = fs.readFileSync(filePath, 'utf8');
+    return JSON.parse(raw);
+}
+function groupHasOculi(group) {
+    return group.hooks.some((h) => h.command?.includes(OCULI_MARKER));
+}
+function installClaudeCode(opts = {}) {
+    const configPath = resolveConfigPath(opts);
+    const settings = readSettings(configPath);
+    const hooksMap = settings.hooks ?? {};
+    const added = [];
+    for (const event of OCULI_EVENTS) {
+        const groups = hooksMap[event] ?? [];
+        const alreadyInstalled = groups.some(groupHasOculi);
+        if (!alreadyInstalled) {
+            hooksMap[event] = [
+                ...groups,
+                {
+                    matcher: '',
+                    hooks: [{ type: 'command', command: `oculi emit claude-code ${event}` }],
+                },
+            ];
+            added.push(event);
+        }
+    }
+    if (added.length > 0) {
+        fs.mkdirSync(path.dirname(configPath), { recursive: true });
+        const updated = { ...settings, hooks: hooksMap };
+        fs.writeFileSync(configPath, JSON.stringify(updated, null, 2) + '\n', 'utf8');
+    }
+    return { path: configPath, added, removed: [] };
+}
+function uninstallClaudeCode(opts = {}) {
+    const configPath = resolveConfigPath(opts);
+    const settings = readSettings(configPath);
+    const hooksMap = settings.hooks ?? {};
+    const removed = [];
+    for (const event of Object.keys(hooksMap)) {
+        const before = hooksMap[event];
+        const after = before.filter((g) => !groupHasOculi(g));
+        if (after.length < before.length) {
+            removed.push(...before.filter(groupHasOculi).map(() => event));
+            if (after.length === 0) {
+                delete hooksMap[event];
+            }
+            else {
+                hooksMap[event] = after;
+            }
+        }
+    }
+    if (removed.length > 0) {
+        const updated = { ...settings, hooks: hooksMap };
+        fs.writeFileSync(configPath, JSON.stringify(updated, null, 2) + '\n', 'utf8');
+    }
+    return { path: configPath, added: [], removed };
+}
+/** Does ~/.claude/settings.json still have any oculi-marked hook? */
+function hasOculiHooks(home) {
+    const configPath = resolveConfigPath({ home });
+    const settings = readSettings(configPath);
+    const hooksMap = settings.hooks ?? {};
+    for (const groups of Object.values(hooksMap)) {
+        if (groups.some(groupHasOculi))
+            return true;
+    }
+    return false;
+}