@omnitype-code/journal 2.0.0

package/dist/cli.js

@@ -0,0 +1,638 @@
+#!/usr/bin/env node
+/**
+ * omnitype-daemon CLI
+ * Commands: start, stop, status, health, doctor, blame
+ */
+import { program } from 'commander';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join, resolve, relative } from 'node:path';
+import { execSync, spawn, execFileSync } from 'node:child_process';
+import { join as joinPath } from 'node:path';
+import { Journal, resolvePaths } from './daemon/journal.js';
+import { DaemonServer, JournalClient, getSocketPath } from './daemon/server.js';
+import { loadOrCreateInstallKeySecure } from './security/keychain.js';
+import { CloudShipper } from './cloud/shipper.js';
+import { CloudAnchor, AnchorQueue } from './cloud/anchor.js';
+import { resolveLegacyLineMap, parseGitBlamePorcelain } from './blame/legacy.js';
+import { mergeLineAttribution } from './blame/merge.js';
+// Lazy import adapter-sdk so the daemon CLI works without it installed
+async function loadAdapterSdk() {
+    try {
+        return await import('@omnitype-code/adapter-sdk');
+    }
+    catch {
+        return null;
+    }
+}
+function getWorkspaceRoot() {
+    try {
+        return execSync('git rev-parse --show-toplevel', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return process.cwd();
+    }
+}
+function getJournalRoot(workspace) {
+    return join(workspace, '.omnitype', 'journal');
+}
+function getPidFile(journalRoot) {
+    return join(journalRoot, 'daemon.pid');
+}
+// ─── start ────────────────────────────────────────────────────────────────────
+program
+    .command('start')
+    .description('Start the journal daemon in the background')
+    .option('--foreground', 'Run in foreground (for debugging)')
+    .action(async (opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    mkdirSync(journalRoot, { recursive: true });
+    const socketPath = getSocketPath(journalRoot);
+    if (await JournalClient.isRunning(socketPath)) {
+        console.log('Daemon already running.');
+        return;
+    }
+    if (opts.foreground) {
+        runDaemon(workspace, journalRoot, socketPath);
+        return;
+    }
+    // Spawn detached background process
+    const child = spawn(process.execPath, [process.argv[1], 'start', '--foreground'], {
+        detached: true,
+        stdio: 'ignore',
+        env: { ...process.env, OMNITYPE_WORKSPACE: workspace },
+    });
+    child.unref();
+    writeFileSync(getPidFile(journalRoot), String(child.pid), 'utf-8');
+    console.log(`Daemon started (pid ${child.pid})`);
+});
+// ─── stop ─────────────────────────────────────────────────────────────────────
+program
+    .command('stop')
+    .description('Stop the journal daemon')
+    .action(async () => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const pidFile = getPidFile(journalRoot);
+    if (existsSync(pidFile)) {
+        const pid = parseInt(readFileSync(pidFile, 'utf-8').trim(), 10);
+        try {
+            process.kill(pid, 'SIGTERM');
+            console.log(`Sent SIGTERM to pid ${pid}`);
+        }
+        catch {
+            console.log(`Process ${pid} not found (already stopped?)`);
+        }
+    }
+    else {
+        console.log('No daemon pid file found.');
+    }
+});
+// ─── restart ──────────────────────────────────────────────────────────────────
+program
+    .command('restart')
+    .description('Restart the journal daemon (re-evaluates org policy / key storage)')
+    .action(async () => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const socketPath = getSocketPath(journalRoot);
+    const pidFile = getPidFile(journalRoot);
+    // Stop if running
+    if (existsSync(pidFile)) {
+        const pid = parseInt(readFileSync(pidFile, 'utf-8').trim(), 10);
+        try {
+            process.kill(pid, 'SIGTERM');
+        }
+        catch { /* already stopped */ }
+    }
+    // Wait for the socket to go down (up to ~3s)
+    for (let i = 0; i < 12; i++) {
+        if (!(await JournalClient.isRunning(socketPath)))
+            break;
+        await new Promise((r) => setTimeout(r, 250));
+    }
+    // Start fresh
+    const child = spawn(process.execPath, [process.argv[1], 'start', '--foreground'], {
+        detached: true,
+        stdio: 'ignore',
+        env: { ...process.env, OMNITYPE_WORKSPACE: workspace },
+    });
+    child.unref();
+    writeFileSync(pidFile, String(child.pid), 'utf-8');
+    console.log(`Daemon restarted (pid ${child.pid})`);
+});
+// ─── status ───────────────────────────────────────────────────────────────────
+program
+    .command('status')
+    .description('Check daemon status')
+    .action(async () => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const socketPath = getSocketPath(journalRoot);
+    const running = await JournalClient.isRunning(socketPath);
+    console.log(running ? 'running' : 'stopped');
+    process.exit(running ? 0 : 1);
+});
+// ─── health ───────────────────────────────────────────────────────────────────
+program
+    .command('health')
+    .description('Show journal health and attribution tier breakdown')
+    .option('--json', 'Output as JSON')
+    .action(async (opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const socketPath = getSocketPath(journalRoot);
+    if (!(await JournalClient.isRunning(socketPath))) {
+        console.error('Daemon not running. Start it with: omnitype-daemon start');
+        process.exit(1);
+    }
+    const client = new JournalClient(socketPath);
+    await client.connect();
+    const { head, install } = await client.health();
+    // Query overall attribution across all tracked files for tier breakdown
+    const tierCounts = { T0: 0, T1: 0, T2: 0, T3: 0 };
+    const originCounts = { ai: 0, user: 0, paste: 0, tool: 0, external: 0, unknown: 0 };
+    let totalSpans = 0;
+    try {
+        const { spans: allSpans } = await client.querySpans('*', 'T3');
+        for (const sp of allSpans) {
+            tierCounts[sp.tier] = (tierCounts[sp.tier] ?? 0) + 1;
+            originCounts[sp.origin] = (originCounts[sp.origin] ?? 0) + 1;
+            totalSpans++;
+        }
+    }
+    catch { /* daemon may not support wildcard — skip tier breakdown */ }
+    client.disconnect();
+    if (opts.json) {
+        console.log(JSON.stringify({ head, install, tierCounts, originCounts, totalSpans }, null, 2));
+        return;
+    }
+    const tierBar = (tier, count) => {
+        const pct = totalSpans > 0 ? Math.round((count / totalSpans) * 20) : 0;
+        const bar = '█'.repeat(pct) + '░'.repeat(20 - pct);
+        const label = { T0: 'Deterministic', T1: 'Hook-inferred', T2: 'Retrospective', T3: 'Filesystem-only' }[tier] ?? tier;
+        return `  ${tier}  ${bar}  ${count.toString().padStart(6)} spans  ${label}`;
+    };
+    console.log('\n\x1b[1mOmniType Journal — Health\x1b[0m');
+    console.log('─'.repeat(56));
+    console.log(`  Install ID : ${install.install_id}`);
+    console.log(`  Workspace  : ${install.workspace}`);
+    console.log(`  Head seq   : ${head.seq}`);
+    console.log(`  Head hash  : ${head.lastHash.slice(0, 16)}...`);
+    console.log(`  Protocol   : v${install.protocol_version}`);
+    console.log('');
+    if (totalSpans > 0) {
+        console.log('\x1b[1m  Attribution Tier Breakdown\x1b[0m');
+        console.log('  ' + '─'.repeat(54));
+        for (const tier of ['T0', 'T1', 'T2', 'T3']) {
+            console.log(tierBar(tier, tierCounts[tier] ?? 0));
+        }
+        console.log('');
+        const confScore = ((tierCounts['T0'] ?? 0) * 1.0 +
+            (tierCounts['T1'] ?? 0) * 0.85 +
+            (tierCounts['T2'] ?? 0) * 0.60 +
+            (tierCounts['T3'] ?? 0) * 0.30) / totalSpans;
+        console.log('\x1b[1m  Origin Breakdown\x1b[0m');
+        console.log('  ' + '─'.repeat(54));
+        for (const [origin, count] of Object.entries(originCounts).filter(([, c]) => c > 0)) {
+            const pct = Math.round((count / totalSpans) * 100);
+            console.log(`  ${origin.padEnd(10)} ${count.toString().padStart(6)} spans  (${pct}%)`);
+        }
+        console.log('');
+        console.log(`  Confidence score: \x1b[1m${(confScore * 100).toFixed(1)}%\x1b[0m  (weighted average across tiers)`);
+        console.log('  Note: "unknown" origin = unattributed write, NOT assumed AI');
+    }
+    else {
+        console.log('  No spans recorded yet. Start coding with an AI tool to populate attribution data.');
+    }
+    console.log('');
+});
+// ─── doctor ───────────────────────────────────────────────────────────────────
+program
+    .command('doctor')
+    .description('Verify chain integrity and diagnose issues')
+    .action(async () => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const paths = resolvePaths(journalRoot);
+    console.log('\nOmniType — Doctor\n');
+    const checks = [];
+    // 1. Journal directory exists
+    checks.push({ label: 'Journal directory', ok: existsSync(journalRoot) });
+    // 2. Install key exists and is 32 bytes
+    const keyPath = join(paths.keysDir, 'install.key');
+    const keyOk = existsSync(keyPath) && readFileSync(keyPath).length === 32;
+    checks.push({ label: 'Install key (32 bytes, mode 0600)', ok: keyOk });
+    // 3. Daemon running
+    const socketPath = getSocketPath(journalRoot);
+    const running = await JournalClient.isRunning(socketPath);
+    checks.push({ label: 'Daemon running', ok: running });
+    // 4. Head.json consistent
+    const headPath = join(paths.chainDir, 'head.json');
+    let headOk = false;
+    if (existsSync(headPath)) {
+        try {
+            const h = JSON.parse(readFileSync(headPath, 'utf-8'));
+            headOk = typeof h.seq === 'number' && typeof h.hash === 'string' && h.hash.length === 64;
+        }
+        catch { /* not ok */ }
+    }
+    checks.push({ label: 'Chain head valid', ok: headOk });
+    // 5. git notes.rewriteRef configured
+    let rewriteOk = false;
+    try {
+        const val = execSync('git config notes.rewriteRef', { encoding: 'utf-8', cwd: workspace, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+        rewriteOk = val.includes('refs/notes/ai');
+    }
+    catch { /* not set */ }
+    checks.push({
+        label: 'git notes.rewriteRef configured',
+        ok: rewriteOk,
+        detail: rewriteOk ? undefined : 'Run: git config notes.rewriteRef refs/notes/ai',
+    });
+    let allOk = true;
+    for (const check of checks) {
+        const icon = check.ok ? '✓' : '✗';
+        console.log(`  ${icon} ${check.label}`);
+        if (!check.ok && check.detail)
+            console.log(`    → ${check.detail}`);
+        if (!check.ok)
+            allOk = false;
+    }
+    console.log('');
+    console.log(allOk ? 'All checks passed.' : 'Some checks failed — see above.');
+    process.exit(allOk ? 0 : 1);
+});
+// ─── blame ────────────────────────────────────────────────────────────────────
+program
+    .command('blame <file>')
+    .description('Show per-line attribution (v2 journal + legacy .omni / git notes)')
+    .option('--min-tier <tier>', 'Minimum journal tier (T0/T1/T2/T3)', 'T3')
+    .action(async (file, opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const socketPath = getSocketPath(journalRoot);
+    const absPath = resolve(workspace, file);
+    const relPath = relative(workspace, absPath).replace(/\\/g, '/');
+    let fileContent;
+    try {
+        fileContent = readFileSync(absPath, 'utf-8');
+    }
+    catch {
+        console.error(`Cannot read file: ${absPath}`);
+        process.exit(1);
+    }
+    const lines = fileContent.split('\n');
+    const legacyMap = resolveLegacyLineMap(workspace, relPath, absPath);
+    // Journal spans (optional — daemon may be stopped)
+    const journalByLine = new Map();
+    let spanCount = 0;
+    if (await JournalClient.isRunning(socketPath)) {
+        const client = new JournalClient(socketPath);
+        try {
+            await client.connect();
+            const installKey = loadOrCreateInstallKeySecure(joinPath(journalRoot, 'keys'));
+            await client.authenticate(installKey, 'omnitype-cli', {
+                capabilities: { 'cli.query': 'available' },
+                manifestSigVerified: true,
+                runtimeMode: 'in-process',
+            });
+            const { spans } = await client.querySpans(relPath, opts.minTier);
+            spanCount = spans.length;
+            const bytes = Buffer.from(fileContent, 'utf-8');
+            const lineStarts = [0];
+            for (let i = 0; i < bytes.length; i++) {
+                if (bytes[i] === 0x0a)
+                    lineStarts.push(i + 1);
+            }
+            for (const span of spans) {
+                const startLine = lineStarts.findLastIndex((s) => s <= span.byte_start);
+                const endLine = lineStarts.findLastIndex((s) => s <= span.byte_end);
+                for (let l = Math.max(0, startLine); l <= Math.min(endLine, lines.length - 1); l++) {
+                    journalByLine.set(l + 1, {
+                        origin: span.origin,
+                        tool: span.actor?.tool ?? '',
+                        tier: span.tier,
+                        confidence: span.confidence ?? 0,
+                    });
+                }
+            }
+        }
+        finally {
+            client.disconnect();
+        }
+    }
+    let gitBlame = [];
+    try {
+        const raw = execFileSync('git', ['-C', workspace, 'blame', '--line-porcelain', absPath], {
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'ignore'],
+        });
+        gitBlame = parseGitBlamePorcelain(raw);
+    }
+    catch { /* no git blame */ }
+    const gitByLine = new Map(gitBlame.map((b) => [b.lineNum, b]));
+    const COLORS = {
+        ai: '\x1b[35m',
+        user: '\x1b[32m',
+        paste: '\x1b[34m',
+        tool: '\x1b[33m',
+        existing: '\x1b[90m',
+        unknown: '\x1b[90m',
+        external: '\x1b[90m',
+        reset: '\x1b[0m',
+    };
+    const originCounts = {};
+    const sourceCounts = {};
+    console.log(`\n\x1b[1mAttribution: ${relPath}\x1b[0m  (journal tier >= ${opts.minTier})`);
+    console.log(`Lines: ${lines.length}  |  Journal spans: ${spanCount}  |  Legacy (.omni/git-note): ${legacyMap.size}`);
+    console.log('');
+    console.log(`  LINE  COMMIT AUTHOR     TIER  CONF   ORIGIN    TOOL         SOURCE`);
+    console.log('  ' + '─'.repeat(78));
+    lines.forEach((line, i) => {
+        const lineNum = i + 1;
+        const merged = mergeLineAttribution(journalByLine.get(lineNum), legacyMap.get(lineNum));
+        const git = gitByLine.get(lineNum);
+        const sha = git?.shortSha ?? '       ';
+        const author = (git?.author ?? '').slice(0, 12).padEnd(12);
+        const origin = merged.origin;
+        const tool = (merged.tool || merged.model || '').slice(0, 10);
+        const color = COLORS[origin] ?? COLORS['unknown'];
+        const num = String(lineNum).padStart(5, ' ');
+        const conf = merged.confidence > 0 ? `${(merged.confidence * 100).toFixed(0)}%` : '   ';
+        const truncated = line.length > 60 ? line.slice(0, 57) + '...' : line;
+        originCounts[origin] = (originCounts[origin] ?? 0) + 1;
+        sourceCounts[merged.source] = (sourceCounts[merged.source] ?? 0) + 1;
+        console.log(`${num}  ${sha} ${author} ${merged.tier}   ${conf.padStart(4)}   ${color}${origin.padEnd(8)}  ${tool.padEnd(10)}${COLORS['reset']}  ${merged.source.padEnd(8)}  ${truncated}`);
+    });
+    const originSummary = Object.entries(originCounts)
+        .map(([o, c]) => `${o}:${c}`)
+        .join('  ');
+    const srcSummary = Object.entries(sourceCounts)
+        .map(([s, c]) => `${s}:${c}`)
+        .join('  ');
+    console.log('');
+    console.log(`Origins: ${originSummary}`);
+    console.log(`Sources: ${srcSummary}`);
+});
+// ─── push ─────────────────────────────────────────────────────────────────────
+program
+    .command('push')
+    .description('Manually push pending journal events to the cloud (org installs only)')
+    .option('--project <name>', 'Override project name')
+    .option('--dry-run', 'Show what would be uploaded without uploading')
+    .action(async (opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    // Load install info to get org_id and auth_token
+    const infoPath = join(journalRoot, 'install.json');
+    if (!existsSync(infoPath)) {
+        console.error('No install.json found. Is the daemon initialized?');
+        process.exit(1);
+    }
+    const install = JSON.parse(readFileSync(infoPath, 'utf-8'));
+    if (!install.org_id) {
+        console.log('Cloud sync disabled (personal install). Sign in to an org to enable cloud push.');
+        return;
+    }
+    const queue = new (await import('./cloud/pending.js')).PendingQueue(journalRoot);
+    queue.load();
+    const pending = queue.pendingCount;
+    if (pending === 0) {
+        console.log('Nothing to push — no pending events.');
+        return;
+    }
+    if (opts.dryRun) {
+        console.log(`Dry run: ${pending} event(s) would be uploaded to ${INGEST_ENDPOINT}.`);
+        return;
+    }
+    // We need a live Journal to use CloudShipper; use a read-only shimmed one
+    // by starting a minimal shipper against the pending queue directly
+    console.log(`Uploading ${pending} pending event(s)...`);
+    const shipper = new CloudShipper(
+    // Minimal Journal stub — shipper only needs subscribe() for start()
+    { subscribe: () => () => { } }, { ...install, project_name: opts.project ?? install.project_name ?? 'default' }, journalRoot);
+    const result = await shipper.flush();
+    console.log(`Pushed: accepted=${result.accepted} skipped=${result.skipped} still-pending=${result.pending}`);
+});
+const INGEST_ENDPOINT = 'https://api.imrishav.life/v2/journal/ingest';
+// ─── export ───────────────────────────────────────────────────────────────────
+program
+    .command('export')
+    .description('Export raw journal events to stdout')
+    .option('--format <fmt>', 'Output format: ndjson (default) or json', 'ndjson')
+    .option('--from-seq <n>', 'Start from sequence number', '0')
+    .action(async (opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const paths = resolvePaths(journalRoot);
+    const fromSeq = parseInt(opts.fromSeq, 10) || 0;
+    const { SegmentReader } = await import('./log/segment.js');
+    const events = [];
+    for (const evt of SegmentReader.readAll(paths.segmentsDir)) {
+        if (evt.seq >= fromSeq)
+            events.push(evt);
+    }
+    if (opts.format === 'json') {
+        process.stdout.write(JSON.stringify(events, null, 2) + '\n');
+    }
+    else {
+        for (const evt of events) {
+            process.stdout.write(JSON.stringify(evt) + '\n');
+        }
+    }
+});
+// ─── verify ───────────────────────────────────────────────────────────────────
+program
+    .command('verify')
+    .description('Verify chain integrity (seq gaps, prev-hash pointers, HMAC sigs)')
+    .option('--from-seq <n>', 'Start from sequence number')
+    .option('--to-seq <n>', 'End at sequence number')
+    .option('--report <fmt>', 'Output format: text (default) or json', 'text')
+    .action(async (opts) => {
+    const workspace = getWorkspaceRoot();
+    const journalRoot = getJournalRoot(workspace);
+    const paths = resolvePaths(journalRoot);
+    const { verifyChain, formatVerifyResult } = await import('./verify/chain-verify.js');
+    const result = await verifyChain({
+        fromSeq: opts.fromSeq !== undefined ? parseInt(opts.fromSeq, 10) : undefined,
+        toSeq: opts.toSeq !== undefined ? parseInt(opts.toSeq, 10) : undefined,
+        report: opts.report,
+        keysDir: paths.keysDir,
+        segmentsDir: paths.segmentsDir,
+    });
+    process.stdout.write(formatVerifyResult(result, opts.report));
+    process.exit(result.ok ? 0 : 1);
+});
+// ─── install-hooks ────────────────────────────────────────────────────────────
+program
+    .command('install-hooks')
+    .description('Install preToolUse hooks into all detected AI tools')
+    .action(async () => {
+    const workspace = getWorkspaceRoot();
+    const sdk = await loadAdapterSdk();
+    if (!sdk) {
+        console.error('@omnitype-code/adapter-sdk not found. Run: npm install @omnitype-code/adapter-sdk');
+        process.exit(1);
+    }
+    const results = sdk.installHooks(workspace);
+    console.log('\nOmniType — Hook Installation\n');
+    for (const r of results) {
+        if (r.skipped) {
+            console.log(`  -  ${r.toolId.padEnd(16)} (not installed)`);
+        }
+        else if (r.alreadyCurrent) {
+            console.log(`  ✓  ${r.toolId.padEnd(16)} already up to date`);
+        }
+        else if (r.installed) {
+            console.log(`  ✓  ${r.toolId.padEnd(16)} hook installed`);
+        }
+        else {
+            console.log(`  ✗  ${r.toolId.padEnd(16)} FAILED: ${r.reason}`);
+        }
+    }
+    const installed = results.filter((r) => r.installed).length;
+    console.log(`\n${installed} hook(s) installed/updated.`);
+});
+// ─── Internal daemon runner (called when --foreground) ────────────────────────
+function omniHome() {
+    return join(process.env['HOME'] ?? process.env['USERPROFILE'] ?? '', '.omnitype');
+}
+function apiBase() {
+    if (process.env['OMNITYPE_API_URL'])
+        return process.env['OMNITYPE_API_URL'].replace(/\/$/, '');
+    try {
+        const cfg = JSON.parse(readFileSync(join(omniHome(), 'config.json'), 'utf-8'));
+        if (cfg.api_url)
+            return cfg.api_url.replace(/\/$/, '');
+    }
+    catch { /* default below */ }
+    return 'https://api.imrishav.life';
+}
+/**
+ * Resolve whether hardened mode is enabled. Source of truth is org policy, which
+ * the daemon fetches from the backend and caches to ~/.omnitype/policy.json.
+ * Reading the cache is synchronous so the key-storage decision is available at
+ * startup; a fresh value (see refreshPolicyCache) applies on the next start.
+ * Personal / non-hardened installs leave this false → frictionless, no prompt.
+ */
+function resolveHardened() {
+    try {
+        const cache = JSON.parse(readFileSync(join(omniHome(), 'policy.json'), 'utf-8'));
+        // Hardened only applies to org installs (defense in depth: never harden a personal install).
+        return cache.hardened === true && !!cache.org_id;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Fetch the latest org policy and cache it. Runs in the background on daemon
+ * start so an admin toggling hardened mode propagates to every member with zero
+ * per-user setup — they just need a daemon restart for the new key-storage mode
+ * to take effect. Returns the freshly-fetched hardened value (or null if offline).
+ */
+async function refreshPolicyCache() {
+    let token = '';
+    try {
+        const cfg = JSON.parse(readFileSync(join(omniHome(), 'config.json'), 'utf-8'));
+        token = cfg.token ?? process.env['OMNITYPE_TOKEN'] ?? '';
+    }
+    catch {
+        token = process.env['OMNITYPE_TOKEN'] ?? '';
+    }
+    if (!token)
+        return null;
+    try {
+        const controller = new AbortController();
+        const t = setTimeout(() => controller.abort(), 10_000);
+        const resp = await fetch(`${apiBase()}/v2/journal/merge/_policy`, {
+            headers: { Authorization: `Bearer ${token}` },
+            signal: controller.signal,
+        });
+        clearTimeout(t);
+        if (!resp.ok)
+            return null;
+        const policy = await resp.json();
+        mkdirSync(omniHome(), { recursive: true });
+        writeFileSync(join(omniHome(), 'policy.json'), JSON.stringify(policy, null, 2));
+        return policy.hardened === true && !!policy.org_id;
+    }
+    catch {
+        return null;
+    }
+}
+function runDaemon(workspace, journalRoot, socketPath) {
+    process.title = 'omnitype-daemon';
+    const hardened = resolveHardened();
+    if (hardened) {
+        console.error('[omnitype-daemon] hardened mode ON — install key held in OS keychain, not mirrored to disk');
+    }
+    // Refresh org policy in the background; a change applies on the next restart.
+    void refreshPolicyCache().then((fresh) => {
+        if (fresh !== null && fresh !== hardened) {
+            console.error(`[omnitype-daemon] org policy changed (hardened=${fresh}). Restart the daemon to apply: omnitype-daemon restart`);
+        }
+    });
+    const journal = new Journal(journalRoot, workspace, { hardened });
+    const installKey = journal.getInstallKey();
+    const server = new DaemonServer(journal, socketPath, installKey, hardened);
+    // Start cloud shipper (org-only; silently disabled for personal installs)
+    const installInfo = journal.getInstallInfo();
+    const shipper = new CloudShipper(journal, installInfo, journalRoot);
+    shipper.start();
+    // Cloud anchor — pins the chain head server-side so local tampering / deletion
+    // is detectable. Org-only and zero-config: it reuses the login token already in
+    // install.json, so an org user does nothing extra. Personal installs skip it.
+    const ingestUrl = process.env['OMNITYPE_INGEST_URL'] ?? 'https://api.imrishav.life/v2/journal/ingest';
+    const anchorAuth = installInfo.auth_token ?? process.env['OMNITYPE_TOKEN'] ?? '';
+    const anchor = new CloudAnchor(installKey, installInfo.install_id, new AnchorQueue(journalRoot), () => journal.getChainHead(), {
+        ingestUrl,
+        authToken: anchorAuth,
+        orgId: installInfo.org_id ?? null,
+        projectName: installInfo.project_name ?? 'default',
+    });
+    if (anchor.publishing) {
+        anchor.start();
+        console.error(`[omnitype-daemon] cloud anchor ON — chain head pinned server-side every 30s${hardened ? ' (hardened)' : ''}`);
+    }
+    // Wire adapter suite (lazy — graceful if adapter-sdk not installed)
+    loadAdapterSdk().then((sdk) => {
+        if (!sdk)
+            return;
+        const info = journal.getInstallInfo();
+        const emit = (actor, body, tier, adapterId) => {
+            journal.append(actor, body, tier, adapterId);
+        };
+        const suite = sdk.startBuiltinAdapters(emit, workspace, info.user, info.host);
+        process.once('SIGTERM', () => suite.stop());
+        console.error(`[omnitype-daemon] built-in adapters started (hook-poller + transcript-scavenger + filesystem-watcher)`);
+    });
+    process.on('SIGTERM', () => {
+        console.error('[omnitype-daemon] shutting down');
+        shipper.stop();
+        anchor.stop();
+        server.close().then(() => {
+            journal.close();
+            process.exit(0);
+        });
+    });
+    process.on('SIGINT', () => process.kill(process.pid, 'SIGTERM'));
+    // Heartbeat every 5s
+    setInterval(() => {
+        journal.appendSync({
+            kind: 'system',
+            tool: 'omnitype-daemon',
+            user: journal.getInstallInfo().user,
+            host: journal.getInstallInfo().host,
+            workspace,
+        }, {
+            type: 'Heartbeat',
+            head_seq: journal.getChainHead().seq,
+            head_hash: journal.getChainHead().lastHash,
+        }, 'T0', 'omnitype-daemon');
+    }, 5000).unref();
+    console.error(`[omnitype-daemon] ready — workspace: ${workspace}`);
+}
+program.parse(process.argv);
+//# sourceMappingURL=cli.js.map