@pan-sec/notebooklm-mcp 2026.3.2 → 2026.4.0

package/dist/auth/auth-manager.d.ts

@@ -174,4 +174,3 @@ export declare class AuthManager {
      */
     hardResetState(): Promise<boolean>;
 }
-//# sourceMappingURL=auth-manager.d.ts.map

package/dist/auth/auth-manager.js

@@ -1211,4 +1211,3 @@ export class AuthManager {
         }
     }
 }
-//# sourceMappingURL=auth-manager.js.map

package/dist/auth/mcp-auth.d.ts

@@ -136,4 +136,3 @@ export declare function authenticateMCPRequest(token: string | undefined, client
  *   (none)  — Print help
  */
 export declare function handleTokenCommand(args: string[]): Promise<void>;
-//# sourceMappingURL=mcp-auth.d.ts.map

package/dist/auth/mcp-auth.js

@@ -549,4 +549,3 @@ If you lose it, use 'token rotate' to create a new one.
     `);
     }
 }
-//# sourceMappingURL=mcp-auth.js.map

package/dist/compliance/alert-manager.d.ts

@@ -15,6 +15,7 @@ export declare class AlertManager {
     private config;
     private alertHistory;
     private hourlyAlerts;
+    private recentAlerts;
     private alertsDir;
     private constructor();
     /**
@@ -34,7 +35,9 @@ export declare class AlertManager {
      */
     private isHourlyLimitExceeded;
     /**
-     * Record that an alert was sent
+     * Record that an alert was sent. When a severity is provided the alert is
+     * also added to the 24h rolling window used for dashboard metrics; internal
+     * bookkeeping keys (e.g. the rate-limit warning) omit it.
      */
     private recordAlert;
     /**
@@ -94,6 +97,8 @@ export declare class AlertManager {
         cooldown_seconds: number;
         max_alerts_per_hour: number;
         alerts_this_hour: number;
+        alerts_24h: number;
+        critical_24h: number;
         channels: string[];
     };
     /**
@@ -117,4 +122,3 @@ export declare function alertCritical(title: string, message: string, source: st
  * Send a warning alert
  */
 export declare function alertWarning(title: string, message: string, source: string, details?: Record<string, unknown>): Promise<Alert | null>;
-//# sourceMappingURL=alert-manager.d.ts.map

package/dist/compliance/alert-manager.js

@@ -18,6 +18,23 @@ import { log } from "../utils/logger.js";
 function generateUUID() {
     return crypto.randomUUID();
 }
+/**
+ * Parse webhook headers from environment. Malformed JSON must not throw during
+ * singleton construction (which would cascade through every getInstance caller);
+ * fall back to no custom headers with a logged warning instead.
+ */
+function parseWebhookHeaders() {
+    const raw = process.env.NLMCP_ALERTS_WEBHOOK_HEADERS;
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        log.warning(`alert-manager: ignoring malformed NLMCP_ALERTS_WEBHOOK_HEADERS: ${err instanceof Error ? err.message : String(err)}`);
+        return undefined;
+    }
+}
 /**
  * Get alert configuration from environment
  */
@@ -32,9 +49,7 @@ function getAlertConfig() {
             } : undefined,
             webhook: process.env.NLMCP_ALERTS_WEBHOOK_URL ? {
                 url: process.env.NLMCP_ALERTS_WEBHOOK_URL,
-                headers: process.env.NLMCP_ALERTS_WEBHOOK_HEADERS
-                    ? JSON.parse(process.env.NLMCP_ALERTS_WEBHOOK_HEADERS)
-                    : undefined,
+                headers: parseWebhookHeaders(),
             } : undefined,
         },
         min_severity: process.env.NLMCP_ALERTS_MIN_SEVERITY || "warning",
@@ -59,6 +74,8 @@ export class AlertManager {
     config;
     alertHistory = new Map(); // key -> last alert timestamp
     hourlyAlerts = [];
+    // 24h rolling window of sent alerts with severity, for dashboard reporting.
+    recentAlerts = [];
     alertsDir;
     constructor() {
         this.config = getAlertConfig();
@@ -102,11 +119,19 @@ export class AlertManager {
         return this.hourlyAlerts.length >= this.config.max_alerts_per_hour;
     }
     /**
-     * Record that an alert was sent
+     * Record that an alert was sent. When a severity is provided the alert is
+     * also added to the 24h rolling window used for dashboard metrics; internal
+     * bookkeeping keys (e.g. the rate-limit warning) omit it.
      */
-    recordAlert(key) {
-        this.alertHistory.set(key, Date.now());
-        this.hourlyAlerts.push({ timestamp: Date.now() });
+    recordAlert(key, severity) {
+        const now = Date.now();
+        this.alertHistory.set(key, now);
+        this.hourlyAlerts.push({ timestamp: now });
+        if (severity) {
+            const dayAgo = now - 24 * 60 * 60 * 1000;
+            this.recentAlerts = this.recentAlerts.filter(a => a.timestamp > dayAgo);
+            this.recentAlerts.push({ timestamp: now, severity });
+        }
     }
     /**
      * Generate a unique key for deduplication
@@ -167,7 +192,7 @@ export class AlertManager {
             alert.sent_to.push("webhook");
         }
         // Record this alert
-        this.recordAlert(key);
+        this.recordAlert(key, severity);
         return alert;
     }
     /**
@@ -372,14 +397,20 @@ export class AlertManager {
             channels.push("file");
         if (this.config.channels.webhook)
             channels.push("webhook");
-        const oneHourAgo = Date.now() - 60 * 60 * 1000;
+        const now = Date.now();
+        const oneHourAgo = now - 60 * 60 * 1000;
+        const dayAgo = now - 24 * 60 * 60 * 1000;
         const alertsThisHour = this.hourlyAlerts.filter(a => a.timestamp > oneHourAgo).length;
+        const recent24h = this.recentAlerts.filter(a => a.timestamp > dayAgo);
+        const critical24h = recent24h.filter(a => a.severity === "critical").length;
         return {
             enabled: this.config.enabled,
             min_severity: this.config.min_severity,
             cooldown_seconds: this.config.cooldown_seconds,
             max_alerts_per_hour: this.config.max_alerts_per_hour,
             alerts_this_hour: alertsThisHour,
+            alerts_24h: recent24h.length,
+            critical_24h: critical24h,
             channels,
         };
     }
@@ -420,4 +451,3 @@ export async function alertCritical(title, message, source, details) {
 export async function alertWarning(title, message, source, details) {
     return getAlertManager().warning(title, message, source, details);
 }
-//# sourceMappingURL=alert-manager.js.map

package/dist/compliance/breach-detection.d.ts

@@ -131,4 +131,3 @@ export declare function isPatternBlocked(pattern: string): boolean;
  */
 export declare function getBreachRules(): Promise<BreachRule[]>;
 export {};
-//# sourceMappingURL=breach-detection.d.ts.map

package/dist/compliance/breach-detection.js

@@ -460,4 +460,3 @@ export function isPatternBlocked(pattern) {
 export async function getBreachRules() {
     return getBreachDetector().getRules();
 }
-//# sourceMappingURL=breach-detection.js.map

package/dist/compliance/change-log.d.ts

@@ -54,6 +54,19 @@ export declare class ChangeLog {
      * Get all changes (most recent first)
      */
     getAllChanges(limit?: number): Promise<ChangeRecord[]>;
+    /**
+     * Select monthly log files whose YYYY-MM month overlaps the [from, to] range.
+     * Filenames are `changes-YYYY-MM.jsonl`; pushing the date filter into file
+     * selection avoids reading (and event-loop-blocking on) years of history when
+     * only a narrow report window is requested (L48). Returns newest-first.
+     */
+    private getLogFilesInRange;
+    /**
+     * Read change records from a specific set of files, applying an optional
+     * date-range predicate. Used by range-bounded queries so only relevant
+     * monthly files are read rather than the entire history.
+     */
+    private readChangesFromFiles;
     /**
      * Get high-impact changes
      */
@@ -110,4 +123,3 @@ export declare function getRecentChanges(limit?: number): Promise<ChangeRecord[]
  * Get change statistics
  */
 export declare function getChangeStatistics(from?: Date, to?: Date): Promise<ReturnType<ChangeLog["getStatistics"]>>;
-//# sourceMappingURL=change-log.d.ts.map

package/dist/compliance/change-log.js

@@ -121,13 +121,12 @@ export class ChangeLog {
      * Get changes within date range
      */
     async getChangesInRange(from, to, limit = 1000) {
-        const changes = await this.getAllChanges(limit * 2);
-        return changes
-            .filter(c => {
-            const date = new Date(c.timestamp);
-            return date >= from && date <= to;
-        })
-            .slice(0, limit);
+        // Read only the monthly files overlapping the range (L48) rather than the
+        // whole history, then sort most-recent-first to preserve the prior contract.
+        const files = this.getLogFilesInRange(from, to);
+        const changes = this.readChangesFromFiles(files, from, to);
+        changes.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+        return changes.slice(0, limit);
     }
     /**
      * Get all changes (most recent first)
@@ -168,6 +167,77 @@ export class ChangeLog {
         }
         return changes;
     }
+    /**
+     * Select monthly log files whose YYYY-MM month overlaps the [from, to] range.
+     * Filenames are `changes-YYYY-MM.jsonl`; pushing the date filter into file
+     * selection avoids reading (and event-loop-blocking on) years of history when
+     * only a narrow report window is requested (L48). Returns newest-first.
+     */
+    getLogFilesInRange(from, to) {
+        if (!fs.existsSync(this.logDir))
+            return [];
+        // Use the same (local-time) month derivation as the filename convention
+        // (initializeLogFile/getLogFilePath). Widen the window by one month on each
+        // side so a record whose UTC timestamp lands in a file named for an adjacent
+        // local month is still considered; readChangesFromFiles applies the exact
+        // per-record date predicate, so widening never admits out-of-range records.
+        const monthKey = (d) => `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
+        const shiftMonth = (d, delta) => new Date(d.getFullYear(), d.getMonth() + delta, 1);
+        const fromKey = from ? monthKey(shiftMonth(from, -1)) : undefined;
+        const toKey = to ? monthKey(shiftMonth(to, 1)) : undefined;
+        return fs.readdirSync(this.logDir)
+            .filter(f => f.startsWith("changes-") && f.endsWith(".jsonl"))
+            .filter(f => {
+            const month = f.slice("changes-".length, f.length - ".jsonl".length);
+            if (!/^\d{4}-\d{2}$/.test(month))
+                return false;
+            // Inclusive month-boundary comparison (lexicographic works for YYYY-MM).
+            if (fromKey && month < fromKey)
+                return false;
+            if (toKey && month > toKey)
+                return false;
+            return true;
+        })
+            .map(f => path.join(this.logDir, f))
+            .sort()
+            .reverse();
+    }
+    /**
+     * Read change records from a specific set of files, applying an optional
+     * date-range predicate. Used by range-bounded queries so only relevant
+     * monthly files are read rather than the entire history.
+     */
+    readChangesFromFiles(files, from, to) {
+        const changes = [];
+        for (const filePath of files) {
+            try {
+                const content = fs.readFileSync(filePath, "utf-8");
+                const lines = content.trim().split("\n").filter(l => l);
+                for (const line of lines) {
+                    try {
+                        const record = JSON.parse(line);
+                        if (from || to) {
+                            const date = new Date(record.timestamp);
+                            if (from && date < from)
+                                continue;
+                            if (to && date > to)
+                                continue;
+                        }
+                        changes.push(record);
+                    }
+                    catch (err) {
+                        log.debug(`change-log: parse change record line: ${err instanceof Error ? err.message : String(err)}`);
+                        // Skip malformed lines
+                    }
+                }
+            }
+            catch (err) {
+                log.debug(`change-log: read change log file in range: ${err instanceof Error ? err.message : String(err)}`);
+                // Skip unreadable files
+            }
+        }
+        return changes;
+    }
     /**
      * Get high-impact changes
      */
@@ -197,14 +267,11 @@ export class ChangeLog {
      * Get change statistics
      */
     async getStatistics(from, to) {
-        const allChanges = await this.getAllChanges(10000);
-        let changes = allChanges;
-        if (from) {
-            changes = changes.filter(c => new Date(c.timestamp) >= from);
-        }
-        if (to) {
-            changes = changes.filter(c => new Date(c.timestamp) <= to);
-        }
+        // Read only the monthly files overlapping [from, to] and apply the exact
+        // date predicate per record, instead of slurping the entire 7-year history
+        // and filtering in memory (L48).
+        const files = this.getLogFilesInRange(from, to);
+        const changes = this.readChangesFromFiles(files, from, to);
         const byComponent = {};
         const byImpact = {};
         const byMethod = {};
@@ -275,4 +342,3 @@ export async function getRecentChanges(limit = 100) {
 export async function getChangeStatistics(from, to) {
     return getChangeLog().getStatistics(from, to);
 }
-//# sourceMappingURL=change-log.js.map

package/dist/compliance/compliance-logger.d.ts

@@ -30,7 +30,20 @@ export declare class ComplianceLogger {
      */
     private getLogFilePath;
     /**
-     * Load the last hash from the current log file
+     * Read the last event's hash from a specific log file, or null if the file is
+     * absent/empty/unreadable.
+     */
+    private readLastHashFromFile;
+    /**
+     * Return the last hash from the most recent monthly file before the current
+     * one, so a fresh month seeds its chain from the prior month rather than
+     * forking a new chain at month rollover (L49).
+     */
+    private findPreviousMonthLastHash;
+    /**
+     * Load the last hash to continue the chain. Prefer the current month's file;
+     * if it is empty/absent (month rollover), seed from the previous month's last
+     * hash so cross-month gaps don't fork the chain and trigger a false tamper signal.
      */
     private loadLastHash;
     /**
@@ -38,7 +51,15 @@ export declare class ComplianceLogger {
      */
     private createEvent;
     /**
-     * Write event to log file
+     * Write event to log file.
+     *
+     * The chain link (previous_hash), hash computation, append, and lastHash
+     * advance all happen inside a single withLock critical section so that
+     * concurrent processes / calls serialize their appends and never fork the
+     * hash chain (L49, mirrors audit-logger H20). The on-disk tail is treated as
+     * the source of truth for previous_hash, re-seeding from the file (including a
+     * prior-month seed on rollover) so a stale in-memory pointer cannot break the
+     * chain after another process appended.
      */
     private writeEvent;
     /**
@@ -106,6 +127,12 @@ export declare class ComplianceLogger {
         totalEvents: number;
         validEvents: number;
     }>;
+    /**
+     * Return the current in-memory chain head (hash of the last event this process
+     * wrote, or the seeded value at startup). Diagnostic only — writeEvent always
+     * re-reads the authoritative tail from disk under lock before linking (L49).
+     */
+    getChainHead(): string;
     /**
      * Get compliance log statistics
      */
@@ -133,4 +160,3 @@ export declare function logComplianceEvent(category: ComplianceEventCategory, ev
     retentionDays?: number;
     failureReason?: string;
 }): Promise<ComplianceEvent>;
-//# sourceMappingURL=compliance-logger.d.ts.map

package/dist/compliance/compliance-logger.js

@@ -10,6 +10,7 @@ import crypto from "crypto";
 import path from "path";
 import fs from "fs";
 import { mkdirSecure, appendFileSecure } from "../utils/file-permissions.js";
+import { withLock } from "../utils/file-lock.js";
 import { log } from "../utils/logger.js";
 import { CONFIG } from "../config.js";
 /**
@@ -96,26 +97,65 @@ export class ComplianceLogger {
         return path.join(this.complianceDir, `events-${year}-${month}.jsonl`);
     }
     /**
-     * Load the last hash from the current log file
+     * Read the last event's hash from a specific log file, or null if the file is
+     * absent/empty/unreadable.
      */
-    loadLastHash() {
+    readLastHashFromFile(logPath) {
         try {
-            const logPath = this.getLogFilePath();
-            if (fs.existsSync(logPath)) {
-                const content = fs.readFileSync(logPath, "utf-8");
-                const lines = content.trim().split("\n").filter(line => line);
-                if (lines.length > 0) {
-                    const lastLine = lines[lines.length - 1];
-                    const lastEvent = JSON.parse(lastLine);
-                    this.lastHash = lastEvent.hash;
-                }
+            if (!fs.existsSync(logPath))
+                return null;
+            const content = fs.readFileSync(logPath, "utf-8");
+            const lines = content.trim().split("\n").filter(line => line);
+            if (lines.length === 0)
+                return null;
+            const lastEvent = JSON.parse(lines[lines.length - 1]);
+            return typeof lastEvent.hash === "string" && lastEvent.hash.length > 0
+                ? lastEvent.hash
+                : null;
+        }
+        catch (err) {
+            log.debug(`compliance-logger: readLastHashFromFile read log file: ${err instanceof Error ? err.message : String(err)}`);
+            return null;
+        }
+    }
+    /**
+     * Return the last hash from the most recent monthly file before the current
+     * one, so a fresh month seeds its chain from the prior month rather than
+     * forking a new chain at month rollover (L49).
+     */
+    findPreviousMonthLastHash() {
+        try {
+            if (!fs.existsSync(this.complianceDir))
+                return null;
+            const currentFile = path.basename(this.getLogFilePath());
+            const candidates = fs.readdirSync(this.complianceDir)
+                .filter(f => f.startsWith("events-") && f.endsWith(".jsonl") && f < currentFile)
+                .sort()
+                .reverse(); // most recent prior month first
+            for (const f of candidates) {
+                const hash = this.readLastHashFromFile(path.join(this.complianceDir, f));
+                if (hash)
+                    return hash;
             }
         }
         catch (err) {
-            log.debug(`compliance-logger: loadLastHash read log file: ${err instanceof Error ? err.message : String(err)}`);
-            // If we can't read the hash, start fresh
-            this.lastHash = "0".repeat(64);
+            log.debug(`compliance-logger: findPreviousMonthLastHash: ${err instanceof Error ? err.message : String(err)}`);
         }
+        return null;
+    }
+    /**
+     * Load the last hash to continue the chain. Prefer the current month's file;
+     * if it is empty/absent (month rollover), seed from the previous month's last
+     * hash so cross-month gaps don't fork the chain and trigger a false tamper signal.
+     */
+    loadLastHash() {
+        const current = this.readLastHashFromFile(this.getLogFilePath());
+        if (current) {
+            this.lastHash = current;
+            return;
+        }
+        const prevMonth = this.findPreviousMonthLastHash();
+        this.lastHash = prevMonth || "0".repeat(64);
     }
     /**
      * Create a compliance event
@@ -139,27 +179,43 @@ export class ComplianceLogger {
             retention_days: options.retentionDays || this.retentionYears * 365,
             outcome,
             failure_reason: options.failureReason,
-            hash: "", // Will be computed
-            previous_hash: this.lastHash,
+            // previous_hash and hash are intentionally left blank here. They are stamped
+            // inside writeEvent's lock so concurrent log() calls and other processes
+            // cannot read the same this.lastHash and fork the chain (L49, mirrors H20).
+            hash: "",
+            previous_hash: "",
         };
-        // Compute hash (exclude hash field itself)
-        const hashInput = JSON.stringify({
-            ...event,
-            hash: undefined,
-        });
-        event.hash = computeHash(hashInput);
-        this.lastHash = event.hash;
         return event;
     }
     /**
-     * Write event to log file
+     * Write event to log file.
+     *
+     * The chain link (previous_hash), hash computation, append, and lastHash
+     * advance all happen inside a single withLock critical section so that
+     * concurrent processes / calls serialize their appends and never fork the
+     * hash chain (L49, mirrors audit-logger H20). The on-disk tail is treated as
+     * the source of truth for previous_hash, re-seeding from the file (including a
+     * prior-month seed on rollover) so a stale in-memory pointer cannot break the
+     * chain after another process appended.
      */
     async writeEvent(event) {
         if (!this.enabled)
             return;
         const logPath = this.getLogFilePath();
-        const line = JSON.stringify(event) + "\n";
-        appendFileSecure(logPath, line);
+        await withLock(logPath, async () => {
+            // Re-read the authoritative tail under the lock so the chain links from
+            // whatever was actually last written (by this or any other process).
+            const diskHash = this.readLastHashFromFile(logPath)
+                ?? this.findPreviousMonthLastHash()
+                ?? "0".repeat(64);
+            event.previous_hash = diskHash;
+            const hashInput = JSON.stringify({ ...event, hash: undefined });
+            event.hash = computeHash(hashInput);
+            const line = JSON.stringify(event) + "\n";
+            appendFileSecure(logPath, line);
+            // Advance the in-memory pointer only after the write succeeds.
+            this.lastHash = event.hash;
+        });
     }
     /**
      * Log a compliance event
@@ -362,6 +418,14 @@ export class ComplianceLogger {
             validEvents,
         };
     }
+    /**
+     * Return the current in-memory chain head (hash of the last event this process
+     * wrote, or the seeded value at startup). Diagnostic only — writeEvent always
+     * re-reads the authoritative tail from disk under lock before linking (L49).
+     */
+    getChainHead() {
+        return this.lastHash;
+    }
     /**
      * Get compliance log statistics
      */
@@ -427,4 +491,3 @@ export function getComplianceLogger() {
 export async function logComplianceEvent(category, eventType, actor, outcome, options) {
     return getComplianceLogger().log(category, eventType, actor, outcome, options);
 }
-//# sourceMappingURL=compliance-logger.js.map

package/dist/compliance/compliance-tools.d.ts

@@ -15,4 +15,3 @@ export declare function getComplianceTools(): Tool[];
  * Handle compliance tool calls
  */
 export declare function handleComplianceToolCall(toolName: string, args: Record<string, unknown>): Promise<TextContent[]>;
-//# sourceMappingURL=compliance-tools.d.ts.map

package/dist/compliance/compliance-tools.js

@@ -695,4 +695,3 @@ async function handleGetPolicy(args) {
     }
     return [{ type: "text", text: JSON.stringify(policy, null, 2) }];
 }
-//# sourceMappingURL=compliance-tools.js.map

package/dist/compliance/consent-manager.d.ts

@@ -127,4 +127,3 @@ export declare function grantConsent(purposes: ConsentPurpose[], options?: {
  * Revoke a consent
  */
 export declare function revokeConsent(consentId: string, reason?: string): Promise<boolean>;
-//# sourceMappingURL=consent-manager.d.ts.map

package/dist/compliance/consent-manager.js

@@ -385,4 +385,3 @@ export async function grantConsent(purposes, options) {
 export async function revokeConsent(consentId, reason) {
     return getConsentManager().revokeConsent(consentId, reason);
 }
-//# sourceMappingURL=consent-manager.js.map

package/dist/compliance/dashboard.d.ts

@@ -66,7 +66,8 @@ interface SOC2Dashboard {
     status: "compliant" | "at_risk" | "non_compliant";
     availability: {
         current_status: string;
-        uptime_percentage: number;
+        uptime_percentage: number | null;
+        uptime_percentage_measured: boolean;
         last_incident?: string;
     };
     security: {
@@ -123,7 +124,8 @@ interface SecurityDashboard {
     alerts: {
         total_24h: number;
         critical_24h: number;
-        unacknowledged: number;
+        unacknowledged: number | null;
+        unacknowledged_tracked: boolean;
     };
     breach_detection: {
         enabled: boolean;
@@ -240,4 +242,3 @@ export declare function getComplianceScore(): Promise<ReturnType<ComplianceDashb
  */
 export declare function getDashboardCLI(): Promise<string>;
 export {};
-//# sourceMappingURL=dashboard.d.ts.map

package/dist/compliance/dashboard.js

@@ -185,9 +185,9 @@ export class ComplianceDashboard {
         // Get logging status
         const loggerStats = await complianceLogger.getStats();
         const integrity = await complianceLogger.verifyIntegrity();
-        // Calculate uptime (simplified - would need more sophisticated tracking)
-        const uptimePercentage = metrics?.status === "healthy" ? 99.9 :
-            metrics?.status === "degraded" ? 95.0 : 90.0;
+        // Availability percentage is intentionally NOT computed: there is no
+        // downtime/incident-duration tracking, so any number here would be a
+        // fabricated SOC2 metric. Report null + measured=false instead.
         // Determine status
         let status = "compliant";
         if (!security.encryption_enabled || openIncidents.length > 0) {
@@ -200,7 +200,8 @@ export class ComplianceDashboard {
             status,
             availability: {
                 current_status: metrics?.status || "unknown",
-                uptime_percentage: uptimePercentage,
+                uptime_percentage: null,
+                uptime_percentage_measured: false,
                 last_incident: lastIncident,
             },
             security: {
@@ -301,9 +302,12 @@ export class ComplianceDashboard {
                 by_type: incidentStats.by_type,
             },
             alerts: {
-                total_24h: alertStats.alerts_this_hour * 24, // Estimate
-                critical_24h: 0, // Not tracked by alert manager
-                unacknowledged: 0, // Alert manager doesn't track acknowledgments
+                // Real 24h counts from AlertManager's rolling window (not an estimate).
+                total_24h: alertStats.alerts_24h,
+                critical_24h: alertStats.critical_24h,
+                // No acknowledgment model exists — report not-tracked rather than a fake 0.
+                unacknowledged: null,
+                unacknowledged_tracked: false,
             },
             breach_detection: {
                 enabled: true,
@@ -516,4 +520,3 @@ export async function getComplianceScore() {
 export async function getDashboardCLI() {
     return getComplianceDashboard().getSummaryForCLI();
 }
-//# sourceMappingURL=dashboard.js.map

package/dist/compliance/data-classification.d.ts

@@ -114,4 +114,3 @@ export declare function isExportable(dataType: string): boolean;
  * Check if data can be erased for GDPR
  */
 export declare function isErasable(dataType: string): boolean;
-//# sourceMappingURL=data-classification.d.ts.map

package/dist/compliance/data-classification.js

@@ -466,4 +466,3 @@ export function isExportable(dataType) {
 export function isErasable(dataType) {
     return getDataClassifier().isErasable(dataType);
 }
-//# sourceMappingURL=data-classification.js.map

package/dist/compliance/data-erasure.d.ts

@@ -107,4 +107,3 @@ export declare function executeErasureRequest(requestId: string): Promise<Erasur
  * Get pending erasure requests
  */
 export declare function getPendingErasureRequests(): Promise<ErasureRequest[]>;
-//# sourceMappingURL=data-erasure.d.ts.map

package/dist/compliance/data-erasure.js

@@ -557,4 +557,3 @@ export async function executeErasureRequest(requestId) {
 export async function getPendingErasureRequests() {
     return getDataErasureManager().getPendingRequests();
 }
-//# sourceMappingURL=data-erasure.js.map