@posthog/wizard 2.30.0 → 2.32.0

package/dist/{agent-interface-CYFyWCMj.js → agent-interface-c7B2JZEd.js}

@@ -1,14 +1,15 @@
 import { n as __require } from "./rolldown-runtime-B_-DWIq7.js";
-import { $ as WIZARD_VARIANTS, J as WIZARD_ORCHESTRATOR_FLAG_KEY, L as POSTHOG_FLAG_HEADER_PREFIX, Q as WIZARD_USER_AGENT, V as POSTHOG_PROPERTY_HEADER_PREFIX, X as WIZARD_REMARK_EVENT_NAME, a as getLogFilePath, et as WIZARD_VARIANT_FLAG_KEY, f as skillTmpPath, o as initLogFile, p as getUI, r as debug, s as logToFile, u as WIZARD_YARA_REPORT_FILE } from "./debug-D9giWww2.js";
-import { t as analytics } from "./analytics-CdT0VV8s.js";
-import { i as getLlmGatewayUrlFromHost } from "./urls-93eQ-Rd0.js";
+import { J as WIZARD_ORCHESTRATOR_FLAG_KEY, L as POSTHOG_FLAG_HEADER_PREFIX, Q as WIZARD_USER_AGENT, V as POSTHOG_PROPERTY_HEADER_PREFIX, X as WIZARD_REMARK_EVENT_NAME, a as getLogFilePath, f as skillTmpPath, o as initLogFile, p as getUI, r as debug, rt as runtimeEnv, s as logToFile, u as WIZARD_YARA_REPORT_FILE } from "./debug-AdvgwKEw.js";
+import { t as analytics } from "./analytics-CBIKy9PZ.js";
+import { i as getLlmGatewayUrlFromHost } from "./urls-B3JumpLT.js";
 import { n as ADDITIONAL_FEATURE_PROMPTS } from "./wizard-session-G3VWD6hv.js";
-import { i as wizardAbort, n as registerCleanup, t as WizardError } from "./wizard-abort-BehJBPpy.js";
+import { i as wizardAbort, n as registerCleanup, t as WizardError } from "./wizard-abort-PqLMKSh1.js";
 import { createRequire } from "node:module";
 import * as fs$1 from "fs";
 import fs from "fs";
 import * as path$1 from "path";
 import path from "path";
+import axios from "axios";
 import { z } from "zod";
 import fg from "fast-glob";
 import { execFileSync } from "child_process";
@@ -1210,253 +1211,6 @@ const LINTING_TOOLS = [
 	"yamllint"
 ];
 //#endregion
-//#region src/lib/yara-scanner.ts
-const POST_WRITE_EDIT = [{
-	phase: "PostToolUse",
-	tool: "Write"
-}, {
-	phase: "PostToolUse",
-	tool: "Edit"
-}];
-const POST_READ_GREP = [{
-	phase: "PostToolUse",
-	tool: "Read"
-}, {
-	phase: "PostToolUse",
-	tool: "Grep"
-}];
-const PRE_BASH = [{
-	phase: "PreToolUse",
-	tool: "Bash"
-}];
-const RULES = [
-	{
-		name: "pii_in_capture_call",
-		description: "Detects PII fields passed to posthog.capture() — violates 'NEVER send PII in capture()' commandment",
-		severity: "high",
-		category: "posthog_pii",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [
-			/\.capture\s*\([^)]{0,200}email/i,
-			/\.capture\s*\([^)]{0,200}phone/i,
-			/\.capture\s*\([^)]{0,200}full[_\s]?name/i,
-			/\.capture\s*\([^)]{0,200}first[_\s]?name/i,
-			/\.capture\s*\([^)]{0,200}last[_\s]?name/i,
-			/\.capture\s*\([^)]{0,200}(street|mailing|home|billing)[_\s]?address/i,
-			/\.capture\s*\([^)]{0,200}(ssn|social[_\s]?security)/i,
-			/\.capture\s*\([^)]{0,200}(date[_\s]?of[_\s]?birth|dob|birthday)/i,
-			/\.capture\s*\([^)]{0,200}\$ip/,
-			/\.identify\s*\([^)]{0,200}(ssn|social[_\s]?security)/i,
-			/\.identify\s*\([^)]{0,200}(card[_\s]?number|cvv|credit[_\s]?card)/i,
-			/\.identify\s*\([^)]{0,200}(date[_\s]?of[_\s]?birth|dob|birthday)/i,
-			/\.identify\s*\([^)]{0,200}(street|mailing|home|billing)[_\s]?address/i,
-			/\$set[^}]{0,200}email/i,
-			/\$set[^}]{0,200}phone/i
-		]
-	},
-	{
-		name: "hardcoded_posthog_key",
-		description: "Detects hardcoded PostHog API keys in source — violates 'use environment variables' commandment",
-		severity: "high",
-		category: "posthog_hardcoded_key",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [
-			/phc_[a-zA-Z0-9]{20,}/,
-			/phx_[a-zA-Z0-9]{20,}/,
-			/apiKey\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/,
-			/api_key\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/,
-			/POSTHOG_PROJECT_TOKEN\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/
-		]
-	},
-	{
-		name: "autocapture_disabled",
-		description: "Detects agent disabling autocapture — violates 'don't disable autocapture' commandment",
-		severity: "medium",
-		category: "posthog_autocapture",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [
-			/autocapture\s*:\s*false/,
-			/autocapture\s*:\s*'false'/,
-			/autocapture\s*:\s*"false"/,
-			/autocapture\s*=\s*False/,
-			/disable_autocapture\s*[:=]\s*(true|True|1)/
-		]
-	},
-	{
-		name: "hardcoded_posthog_host",
-		description: "Detects hardcoded PostHog host URLs in source — should use environment variables",
-		severity: "high",
-		category: "posthog_hardcoded_key",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [/['"]https:\/\/(us|eu)\.i\.posthog\.com['"]/]
-	},
-	{
-		name: "session_recording_disabled",
-		description: "Detects agent disabling session recording",
-		severity: "medium",
-		category: "posthog_config",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [/disable_session_recording\s*:\s*true/i, /disable_session_recording\s*=\s*True/]
-	},
-	{
-		name: "opt_out_capturing",
-		description: "Detects agent opting out of PostHog capturing entirely",
-		severity: "medium",
-		category: "posthog_config",
-		appliesTo: POST_WRITE_EDIT,
-		patterns: [/opt_out_capturing\s*[:=]\s*(true|True|1)/i, /opted_out\s*[:=]\s*(true|True|1)/i]
-	},
-	{
-		name: "prompt_injection_wizard_override",
-		description: "Detects classic prompt injection attempting to override agent instructions",
-		severity: "critical",
-		category: "prompt_injection",
-		appliesTo: POST_READ_GREP,
-		patterns: [
-			/ignore previous instructions/i,
-			/disregard all/i,
-			/forget your instructions/i,
-			/override your rules/i,
-			/act as a different/i,
-			/new instructions:/i
-		]
-	},
-	{
-		name: "prompt_injection_wizard_specific",
-		description: "Detects wizard-specific manipulation or tool abuse attempts in project files",
-		severity: "medium",
-		category: "prompt_injection",
-		appliesTo: POST_READ_GREP,
-		patterns: [
-			/skip posthog/i,
-			/do not install posthog/i,
-			/remove posthog/i,
-			/uninstall posthog/i,
-			/delete the posthog/i,
-			/run the following command/i,
-			/execute this shell command/i,
-			/you are now a\s/i
-		]
-	},
-	{
-		name: "prompt_injection_base64",
-		description: "Detects suspicious base64-encoded blocks in file content that may contain obfuscated prompt injection",
-		severity: "critical",
-		category: "prompt_injection",
-		appliesTo: POST_READ_GREP,
-		patterns: [/(?:\/\/|#|\/\*)\s*[A-Za-z0-9+/]{100,}={0,2}/]
-	},
-	{
-		name: "secret_exfiltration_via_command",
-		description: "Detects shell commands attempting to exfiltrate secrets or credentials",
-		severity: "critical",
-		category: "exfiltration",
-		appliesTo: PRE_BASH,
-		patterns: [
-			/curl\s+.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
-			/wget\s+.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
-			/(\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\.env|credentials)\S*.*\|\s*curl/i,
-			/(\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\.env|credentials)\S*.*\|\s*wget/i,
-			/\|\s*nc\s/,
-			/\|\s*netcat\s/,
-			/base64.*\|\s*(curl|wget|nc\s)/i,
-			/cat\s+.*\.env.*\|\s*(curl|wget)/,
-			/curl.*phc_[a-zA-Z0-9]/,
-			/wget.*phc_[a-zA-Z0-9]/
-		]
-	},
-	{
-		name: "destructive_rm",
-		description: "Detects rm -rf or rm -r commands that could mass-delete files",
-		severity: "critical",
-		category: "filesystem_safety",
-		appliesTo: PRE_BASH,
-		patterns: [
-			/\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\b/,
-			/\brm\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*f\b/,
-			/\brm\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*f[a-zA-Z]*\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*r\b/
-		]
-	},
-	{
-		name: "git_force_push",
-		description: "Detects git push --force which can overwrite remote history",
-		severity: "critical",
-		category: "filesystem_safety",
-		appliesTo: PRE_BASH,
-		patterns: [/git\s+push\s+.*--force/, /git\s+push\s+.*-f\b/]
-	},
-	{
-		name: "git_reset_hard",
-		description: "Detects git reset --hard which discards all uncommitted changes",
-		severity: "critical",
-		category: "filesystem_safety",
-		appliesTo: PRE_BASH,
-		patterns: [/git\s+reset\s+--hard/]
-	},
-	{
-		name: "wrong_posthog_package",
-		description: "Detects installing the wrong PostHog npm package — should be posthog-js or posthog-node",
-		severity: "high",
-		category: "supply_chain",
-		appliesTo: PRE_BASH,
-		patterns: [
-			/npm\s+install\s+(?:--save\s+|--save-dev\s+|-[SD]\s+)*posthog(?!\s*-)/,
-			/pnpm\s+(?:add|install)\s+(?:--save\s+|--save-dev\s+|-[SD]\s+)*posthog(?!\s*-)/,
-			/yarn\s+add\s+(?:--dev\s+|-D\s+)*posthog(?!\s*-)/,
-			/bun\s+(?:add|install)\s+(?:--dev\s+|-[dD]\s+)*posthog(?!\s*-)/
-		]
-	},
-	{
-		name: "npm_install_global",
-		description: "Detects global npm installs — should never install packages globally",
-		severity: "high",
-		category: "supply_chain",
-		appliesTo: PRE_BASH,
-		patterns: [/npm\s+install\s+-g\b/, /npm\s+install\s+--global\b/]
-	}
-];
-/** Maximum content length to scan (100 KB). Inputs beyond this are truncated. */
-const MAX_SCAN_LENGTH = 1e5;
-/**
-* Scan content against rules applicable to a given hook phase and tool.
-* Returns all matching rules (one match per rule, first pattern wins).
-*/
-function scan(content, phase, tool) {
-	const scanContent = content.length > MAX_SCAN_LENGTH ? content.slice(0, MAX_SCAN_LENGTH) : content;
-	const applicableRules = RULES.filter((r) => r.appliesTo.some((a) => a.phase === phase && a.tool === tool));
-	const matches = [];
-	for (const rule of applicableRules) for (const pattern of rule.patterns) {
-		const match = pattern.exec(scanContent);
-		if (match) {
-			matches.push({
-				rule,
-				matchedText: match[0],
-				offset: match.index
-			});
-			break;
-		}
-	}
-	return matches.length > 0 ? {
-		matched: true,
-		matches
-	} : { matched: false };
-}
-/**
-* Scan all files in a skill directory for prompt injection.
-* Used for context-mill scanning after skill installation.
-*/
-function scanSkillDirectory(files) {
-	const allMatches = [];
-	for (const file of files) {
-		const result = scan(file.content, "PostToolUse", "Read");
-		if (result.matched) allMatches.push(...result.matches);
-	}
-	return allMatches.length > 0 ? {
-		matched: true,
-		matches: allMatches
-	} : { matched: false };
-}
-//#endregion
 //#region src/lib/skill-install.ts
 /**
 * Check if command is a PostHog skill installation from MCP.
@@ -1475,26 +1229,98 @@ function isSkillInstallCommand(command) {
 	return url.startsWith("https://github.com/PostHog/context-mill/releases/") || /^http:\/\/localhost:\d+\//.test(url);
 }
 //#endregion
+//#region src/lib/programs/events-audit/constants.ts
+/**
+* Leaf-level constants for the events-audit program.
+*
+* Kept separate from `index.ts` so files like `yara-hooks.ts` can import
+* the filename constants without dragging in `index.ts`'s heavier imports
+* (agent-runner, audit/seed, etc.) — which can create import cycles.
+*/
+const SETUP_REPORT_FILE = "posthog-events-audit-report.md";
+const EVENT_INVENTORY_FILE = ".posthog-events-inventory.json";
+/** Per-part filename pattern emitted by events-audit subagents (e.g. `.posthog-events-inventory.part-3.json`). */
+const EVENT_INVENTORY_PART_PATTERN = /^\.posthog-events-inventory\.part-\d+\.json$/;
+//#endregion
+//#region src/lib/programs/posthog-integration/constants.ts
+/**
+* Leaf-level constants for the posthog-integration program.
+*
+* Kept separate from `index.ts` so files like `yara-hooks.ts` can import
+* the filename constants without dragging in `index.ts`'s heavier imports
+* (agent-interface, framework-config, etc.) — which would create an import
+* cycle through agent-interface → yara-hooks.
+*/
+const EVENT_PLAN_FILE = ".posthog-events.json";
+//#endregion
 //#region src/lib/yara-hooks.ts
 /**
 * YARA hook wiring for the Claude Agent SDK.
 *
-* Creates PreToolUse and PostToolUse hook callback arrays that
-* integrate the YARA scanner into the wizard's agent loop. These
-* hooks are registered in the SDK's query() options alongside the
-* existing Stop hook.
+* Creates PreToolUse and PostToolUse hook callback arrays that integrate the
+* real @posthog/warlock security scanner (YARA-X via WASM) into the wizard's
+* agent loop. These hooks are registered in the SDK's query() options alongside
+* the existing Stop hook.
+*
+* PreToolUse hooks block dangerous commands before execution. PostToolUse hooks
+* detect violations in written code and prompt injection in read content, and
+* scan context-mill skill downloads.
 *
-* PreToolUse hooks block dangerous commands before execution.
-* PostToolUse hooks detect violations in written code and prompt
-* injection in read content, and scan context-mill skill downloads.
+* Warlock owns the rules; this file owns the *policy* — how a match maps to a
+* block / revert / terminate response, plus the optional LLM triage pass that
+* filters false positives before we act.
+*
+* Naming: "yara" is the technique — scanning content against YARA rules — so the
+* wizard-side wiring keeps that name. "warlock" is the engine package that runs
+* the rules. Both names showing up here is intentional.
+*
+* This is Layer 2 (L2) in the wizard's defense-in-depth model, complementing the
+* prompt-based commandments (L0) and the canUseTool() allowlist (L1).
 */
+let warlockModulePromise = null;
+function getWarlock() {
+	if (!warlockModulePromise) warlockModulePromise = import("@posthog/warlock").catch((err) => {
+		warlockModulePromise = null;
+		throw err;
+	});
+	return warlockModulePromise;
+}
+/**
+* Pay the WASM-init + rule-compile cost up front, off the hook path, so the
+* first real tool-call scan doesn't eat cold-start under a hook timeout.
+* Best-effort: a failure here is non-fatal — hooks still fail closed per scan.
+*/
+async function prewarmYaraScanner() {
+	try {
+		await (await getWarlock()).scan("");
+		logToFile("[YARA] warlock pre-warmed");
+	} catch (err) {
+		logToFile("[YARA] warlock pre-warm failed:", err);
+	}
+}
 let scanCount = 0;
 const scanViolations = [];
 function recordScan() {
 	scanCount++;
 }
-function recordViolation(entry) {
-	scanViolations.push(entry);
+/**
+* Log a match to the run log + PostHog, and record it in the run's scan report.
+* Single entry point so every violation is reported consistently.
+*/
+function recordMatch(phase, tool, match, action) {
+	const triage = match.triage;
+	logYaraMatch(phase, tool, match, action);
+	scanViolations.push({
+		rule: match.rule,
+		severity: match.metadata.severity ?? "unknown",
+		category: match.metadata.category ?? "unknown",
+		action,
+		phase,
+		tool,
+		description: match.metadata.description ?? "",
+		triageVerdict: triage?.verdict,
+		triageReason: triage?.reason
+	});
 }
 /** Format the scan report summary. Returns null if no scans occurred */
 function formatScanReport() {
@@ -1536,28 +1362,96 @@ function writeScanReport() {
 	}
 	return WIZARD_YARA_REPORT_FILE;
 }
-/** Timeout for synchronous scan hooks (PreToolUse, PostToolUse Write/Edit/Read) */
-const HOOK_TIMEOUT_MS = 60;
-/** Timeout for skill install hook (involves filesystem I/O) */
-const SKILL_SCAN_HOOK_TIMEOUT_MS = 120;
+/** Timeout for scan hooks (PreToolUse, PostToolUse Write/Edit/Read/Grep) */
+const HOOK_TIMEOUT_MS = 3e4;
+/** Timeout for the skill install hook (filesystem I/O + multiple scans) */
+const SKILL_SCAN_HOOK_TIMEOUT_MS = 3e4;
+/**
+* Chunk size for scanning (100 KB). Oversized content is scanned in
+* overlapping chunks so coverage is complete — nothing is silently truncated.
+* The size also bounds what a single triage call pastes into the LLM prompt
+* (~25K tokens), so triage always sees the chunk its matches came from.
+*/
+const SCAN_CHUNK_SIZE = 1e5;
+/**
+* Overlap between adjacent chunks so a pattern straddling a chunk boundary
+* still lands whole inside at least one chunk. YARA rule strings are at most
+* a few hundred bytes; 4 KB is generous.
+*/
+const SCAN_CHUNK_OVERLAP = 4096;
 function logYaraMatch(phase, tool, match, action) {
-	logToFile(`[YARA] ${phase}:${tool} [${action.toUpperCase()}] rule "${match.rule.name}" (severity: ${match.rule.severity}, category: ${match.rule.category})\n  Description: ${match.rule.description}\n  Matched text: "${match.matchedText.substring(0, 200)}"`);
+	const severity = match.metadata.severity ?? "unknown";
+	const category = match.metadata.category ?? "unknown";
+	const ruleAction = match.metadata.action ?? "unknown";
+	const description = match.metadata.description ?? "";
+	logToFile(`[YARA] ${phase}:${tool} [${action.toUpperCase()}] rule "${match.rule}" (severity: ${severity}, category: ${category}, action: ${ruleAction})\n  Description: ${description}`);
 	analytics.wizardCapture("yara rule matched", {
-		rule: match.rule.name,
-		severity: match.rule.severity,
-		category: match.rule.category,
+		rule: match.rule,
+		severity: match.metadata.severity,
+		category: match.metadata.category,
+		rule_action: match.metadata.action,
 		action,
 		phase,
-		tool
+		tool,
+		description: match.metadata.description,
+		triage_verdict: match.triage?.verdict
+	});
+}
+/**
+* Send the run's full scan report to PostHog so maintainers can see why a run
+* was flagged, warned, or aborted. This is the maintainer-facing report — it is
+* NEVER shown to the user. No-op if nothing was scanned. The free-text triage
+* reason is omitted to avoid sending scanned content off the user's machine.
+*/
+function captureScanReport() {
+	if (scanCount === 0) return;
+	analytics.wizardCapture("yara scan report", {
+		total_scans: scanCount,
+		violation_count: scanViolations.length,
+		clean_count: scanCount - scanViolations.length,
+		violations: scanViolations.map((v) => ({
+			rule: v.rule,
+			severity: v.severity,
+			category: v.category,
+			action: v.action,
+			phase: v.phase,
+			tool: v.tool,
+			description: v.description,
+			triage_verdict: v.triageVerdict
+		}))
 	});
+	scanCount = 0;
+	scanViolations.length = 0;
+}
+/**
+* End-of-run flush for the scan report. Wired once at the runner seam so every
+* harness (linear, orchestrator, and any future shape) reports without having
+* to know warlock exists — scanning is already harness-agnostic (it runs from
+* SDK Pre/PostToolUse hooks), and this keeps reporting at a single shared seam.
+*
+* Order matters: write the local --yara-report file FIRST (it reads scanCount /
+* scanViolations), THEN send telemetry. captureScanReport() zeroes scan state,
+* which is what makes this whole function idempotent — a second call from
+* another termination path (e.g. finally after an abort already flushed) finds
+* scanCount === 0 and every step no-ops.
+*/
+function flushScanReport(session) {
+	if (session.yaraReport) {
+		const reportPath = writeScanReport();
+		if (reportPath) {
+			const summary = formatScanReport();
+			getUI().log.info(`YARA scan report: ${reportPath}${summary ?? ""}`);
+		}
+	}
+	captureScanReport();
 }
 const WIZARD_DOC_BASENAMES = new Set([
-	".posthog-events-inventory.json",
-	"posthog-events-audit-report.md",
-	"posthog-audit-report.md",
-	".posthog-events.json"
+	EVENT_INVENTORY_FILE,
+	SETUP_REPORT_FILE,
+	AUDIT_REPORT_FILE,
+	EVENT_PLAN_FILE
 ]);
-const WIZARD_DOC_PATTERNS = [/^\.posthog-events-inventory\.part-\d+\.json$/];
+const WIZARD_DOC_PATTERNS = [EVENT_INVENTORY_PART_PATTERN];
 function isWizardDocumentationPath(filePath) {
 	if (!filePath) return false;
 	const basename = path.basename(filePath);
@@ -1572,43 +1466,150 @@ const SEVERITY_RANK = {
 };
 /** Return the highest-severity match from a list of matches. */
 function highestSeverityMatch(matches) {
-	return matches.reduce((worst, m) => (SEVERITY_RANK[m.rule.severity] ?? 0) > (SEVERITY_RANK[worst.rule.severity] ?? 0) ? m : worst);
+	return matches.reduce((worst, m) => (SEVERITY_RANK[m.metadata.severity ?? ""] ?? 0) > (SEVERITY_RANK[worst.metadata.severity ?? ""] ?? 0) ? m : worst);
+}
+/**
+* Keep only matches whose rule targets this content surface. Rules carry a
+* `scan_context` of 'command' | 'input' | 'output'. An undefined context is
+* treated as "applies everywhere" (fail-safe — a rule that forgets the tag
+* still gets enforced rather than silently skipped).
+*/
+function matchesForContext(matches, ctx) {
+	return matches.filter((m) => {
+		const c = m.metadata.scan_context;
+		return c === ctx || c === void 0;
+	});
+}
+/**
+* Drop false positives via warlock's LLM triage. Fail-closed: if no provider is
+* available, or the triage call throws, every match is treated as real — we
+* never silently suppress a flagged match.
+*
+* Every overruled match is reported to PostHog (rule metadata only, never the
+* free-text reason) so maintainers can alert on triage-overrule patterns — the
+* signal that someone is either tripping a noisy rule or trying to talk the
+* triage model out of a real finding.
+*/
+async function triageFilter(content, matches, ctx, llmProvider) {
+	if (matches.length === 0) return [];
+	if (!llmProvider) {
+		logToFile(`[YARA] triage skipped (no provider) — treating ${matches.length} match(es) as real`);
+		return matches;
+	}
+	try {
+		const triaged = await (await getWarlock()).triageMatches(content, matches, llmProvider);
+		const kept = triaged.filter((m) => m.triage.verdict === "true_positive");
+		for (const m of triaged) {
+			if (m.triage.verdict === "true_positive") continue;
+			logToFile(`[YARA] triage overruled rule "${m.rule}" (${m.metadata.severity ?? "unknown"}) — not acting on it`);
+			analytics.wizardCapture("yara triage overruled", {
+				rule: m.rule,
+				severity: m.metadata.severity,
+				category: m.metadata.category,
+				scan_context: ctx
+			});
+		}
+		logToFile(`[YARA] triage: ${matches.length} flagged → ${kept.length} kept as real`);
+		return kept;
+	} catch (err) {
+		logToFile("[YARA] triage failed — treating all matches as real:", err);
+		return matches;
+	}
+}
+/**
+* Split oversized content into overlapping chunks so the scanner covers all
+* of it. Content that fits in one chunk is returned as-is.
+*/
+function chunkContent(content) {
+	if (content.length <= SCAN_CHUNK_SIZE) return [content];
+	const chunks = [];
+	const step = SCAN_CHUNK_SIZE - SCAN_CHUNK_OVERLAP;
+	for (let start = 0; start < content.length; start += step) {
+		chunks.push(content.slice(start, start + SCAN_CHUNK_SIZE));
+		if (start + SCAN_CHUNK_SIZE >= content.length) break;
+	}
+	return chunks;
+}
+/**
+* Scan content against warlock rules — chunked when oversized, so nothing is
+* skipped — and keep only matches for this content surface. Chunks scan
+* sequentially (the WASM engine is single-threaded; parallelism buys nothing).
+* Returns each flagged chunk with its matches so triage can later judge every
+* match against the exact content it came from.
+*/
+async function scanForContext(content, ctx) {
+	const warlock = await getWarlock();
+	const chunks = chunkContent(content);
+	if (chunks.length > 1) {
+		logToFile(`[YARA] content is ${content.length} chars — scanning ${chunks.length} overlapping chunks`);
+		analytics.wizardCapture("yara scan chunked", {
+			content_length: content.length,
+			chunk_count: chunks.length,
+			scan_context: ctx
+		});
+	}
+	const flagged = [];
+	for (const chunk of chunks) {
+		const result = await warlock.scan(chunk);
+		if (!result.matched) continue;
+		const matches = matchesForContext(result.matches, ctx);
+		if (matches.length === 0) continue;
+		flagged.push({
+			chunk,
+			matches
+		});
+	}
+	return flagged;
+}
+/** The overlap between chunks can surface the same rule twice; count it once. */
+function dedupeByRule(matches) {
+	const seen = /* @__PURE__ */ new Set();
+	return matches.filter((m) => {
+		if (seen.has(m.rule)) return false;
+		seen.add(m.rule);
+		return true;
+	});
+}
+/**
+* Triage each flagged chunk against its own content — the evidence is always
+* inside the window the LLM sees. Triage calls run in parallel (each is just
+* an HTTP round trip) so N flagged chunks cost ~1× triage latency, not N×.
+*/
+async function triageFlagged(flagged, ctx, llmProvider) {
+	return dedupeByRule((await Promise.all(flagged.map(({ chunk, matches }) => triageFilter(chunk, matches, ctx, llmProvider)))).flat());
+}
+/** Scan content, filter to the relevant context, triage. Returns real matches. */
+async function scanAndTriage(content, ctx, llmProvider) {
+	return triageFlagged(await scanForContext(content, ctx), ctx, llmProvider);
 }
 /**
 * Create PreToolUse hook matchers for YARA scanning.
-* Scans Bash commands before execution for exfiltration,
-* destructive operations, and supply chain violations.
+* Scans Bash commands before execution for exfiltration, destructive
+* operations, and supply chain violations ('command'-context rules).
 */
-function createPreToolUseYaraHooks() {
+function createPreToolUseYaraHooks(_llmProvider) {
 	return [{
-		hooks: [(input) => {
+		hooks: [async (input) => {
 			try {
-				if (input.tool_name !== "Bash") return Promise.resolve({});
+				if (input.tool_name !== "Bash") return {};
 				const toolInput = input.tool_input;
 				const command = typeof toolInput?.command === "string" ? toolInput.command : "";
-				if (!command) return Promise.resolve({});
+				if (!command) return {};
 				recordScan();
-				const result = scan(command, "PreToolUse", "Bash");
-				if (!result.matched) return Promise.resolve({});
-				const match = highestSeverityMatch(result.matches);
-				logYaraMatch("PreToolUse", "Bash", match, "blocked");
-				recordViolation({
-					rule: match.rule.name,
-					severity: match.rule.severity,
-					action: "blocked",
-					phase: "PreToolUse",
-					tool: "Bash"
-				});
-				return Promise.resolve({
+				const matches = await scanAndTriage(command, "command", void 0);
+				if (matches.length === 0) return {};
+				const match = highestSeverityMatch(matches);
+				recordMatch("PreToolUse", "Bash", match, "blocked");
+				return {
 					decision: "block",
-					reason: `[YARA] ${match.rule.name}: ${match.rule.description}. Command blocked for security.`
-				});
+					reason: `[YARA] ${match.rule}: ${match.metadata.description ?? "security policy violation"}. Command blocked for security.`
+				};
 			} catch (error) {
 				logToFile("[YARA] PreToolUse hook error:", error);
-				return Promise.resolve({
+				return {
 					decision: "block",
 					reason: "[YARA] Scanner error — command blocked as a precaution."
-				});
+				};
 			}
 		}],
 		timeout: HOOK_TIMEOUT_MS
@@ -1618,95 +1619,84 @@ function createPreToolUseYaraHooks() {
 * Create PostToolUse hook matchers for YARA scanning.
 *
 * Three matchers:
-* 1. Write/Edit — scan written content for PII, secrets, config violations
-* 2. Read/Grep — scan read content for prompt injection
+* 1. Write/Edit — scan written content ('output'-context rules: PII, secrets)
+* 2. Read/Grep — scan read content ('input'-context rules: prompt injection)
 * 3. Bash (skill install) — scan downloaded skill files for poisoned content
+*
+* `onTerminate` is invoked on the terminal paths (critical prompt injection in
+* read content, a poisoned skill, or a scanner error under fail-closed). It is
+* what ACTUALLY stops the run — returning `stopReason` from a PostToolUse hook
+* is not honored by the SDK, so the caller wires this to the run's
+* AbortController (see agent-interface).
 */
-function createPostToolUseYaraHooks() {
+function createPostToolUseYaraHooks(llmProvider, onTerminate) {
 	return [
 		{
-			hooks: [(input) => {
+			hooks: [async (input) => {
 				try {
 					const toolName = input.tool_name;
-					if (toolName !== "Write" && toolName !== "Edit") return Promise.resolve({});
+					if (toolName !== "Write" && toolName !== "Edit") return {};
 					const toolInput = input.tool_input;
-					const content = toolName === "Write" ? toolInput?.content ?? "" : toolInput?.new_str ?? "";
-					if (!content) return Promise.resolve({});
+					const content = toolName === "Write" ? toolInput?.content ?? "" : toolInput?.new_string ?? "";
+					if (!content) return {};
 					recordScan();
-					const tool = toolName;
-					const result = scan(content, "PostToolUse", tool);
-					if (!result.matched) return Promise.resolve({});
+					const flagged = await scanForContext(content, "output");
+					if (flagged.length === 0) return {};
 					const filePath = toolInput?.file_path;
-					if (isWizardDocumentationPath(filePath)) {
-						const nonPiiMatches = result.matches.filter((m) => m.rule.category !== "posthog_pii");
-						if (nonPiiMatches.length === 0) {
-							logToFile(`[YARA] posthog_pii match suppressed on wizard doc ${path.basename(filePath ?? "")} (rule: ${result.matches[0]?.rule.name})`);
-							return Promise.resolve({});
-						}
-						result.matches = nonPiiMatches;
+					const activeFlagged = isWizardDocumentationPath(filePath) ? flagged.map(({ chunk, matches }) => ({
+						chunk,
+						matches: matches.filter((m) => m.metadata.category !== "posthog_pii")
+					})).filter(({ matches }) => matches.length > 0) : flagged;
+					if (activeFlagged.length === 0) {
+						logToFile(`[YARA] posthog_pii match suppressed on wizard doc ${path.basename(filePath ?? "")} (rule: ${flagged[0]?.matches[0]?.rule})`);
+						return {};
 					}
-					const match = highestSeverityMatch(result.matches);
-					logYaraMatch("PostToolUse", tool, match, "reverted");
-					recordViolation({
-						rule: match.rule.name,
-						severity: match.rule.severity,
-						action: "reverted",
-						phase: "PostToolUse",
-						tool
-					});
-					return Promise.resolve({ hookSpecificOutput: {
+					const matches = await triageFlagged(activeFlagged, "output", llmProvider);
+					if (matches.length === 0) return {};
+					const match = highestSeverityMatch(matches);
+					recordMatch("PostToolUse", toolName, match, "reverted");
+					return { hookSpecificOutput: {
 						hookEventName: "PostToolUse",
-						additionalContext: `[YARA VIOLATION] ${match.rule.name}: ${match.rule.description}. You MUST revert this change immediately. The content you just wrote violates security policy.`
-					} });
+						additionalContext: `[YARA VIOLATION] ${match.rule}: ${match.metadata.description ?? ""}. You MUST revert this change immediately. The content you just wrote violates security policy.`
+					} };
 				} catch (error) {
 					logToFile("[YARA] PostToolUse Write/Edit hook error:", error);
-					return Promise.resolve({ hookSpecificOutput: {
-						hookEventName: "PostToolUse",
-						additionalContext: "[YARA] Scanner error — you MUST revert this change as a precaution."
-					} });
+					const reason = "[YARA] Scanner error while scanning written content — session terminated as a precaution.";
+					onTerminate(reason);
+					return { stopReason: reason };
 				}
 			}],
 			timeout: HOOK_TIMEOUT_MS
 		},
 		{
-			hooks: [(input) => {
+			hooks: [async (input) => {
 				try {
 					const toolName = input.tool_name;
-					if (toolName !== "Read" && toolName !== "Grep") return Promise.resolve({});
+					if (toolName !== "Read" && toolName !== "Grep") return {};
 					const toolResponse = input.tool_response;
-					const content = typeof toolResponse === "string" ? toolResponse : JSON.stringify(toolResponse ?? "");
-					if (!content) return Promise.resolve({});
+					if (toolResponse == null) return {};
+					const content = typeof toolResponse === "string" ? toolResponse : JSON.stringify(toolResponse);
+					if (!content) return {};
 					recordScan();
-					const tool = toolName;
-					const result = scan(content, "PostToolUse", tool);
-					if (!result.matched) return Promise.resolve({});
-					const match = highestSeverityMatch(result.matches);
-					if (match.rule.severity === "critical") {
-						logYaraMatch("PostToolUse", tool, match, "aborted");
-						recordViolation({
-							rule: match.rule.name,
-							severity: match.rule.severity,
-							action: "aborted",
-							phase: "PostToolUse",
-							tool
-						});
-						return Promise.resolve({ stopReason: `[YARA CRITICAL] ${match.rule.name}: Prompt injection detected in file content. Agent context is potentially poisoned. Session terminated for safety.` });
+					const matches = await scanAndTriage(content, "input", llmProvider);
+					if (matches.length === 0) return {};
+					const match = highestSeverityMatch(matches);
+					if (match.metadata.severity === "critical" || match.metadata.action === "block") {
+						recordMatch("PostToolUse", toolName, match, "aborted");
+						const reason = `[YARA CRITICAL] ${match.rule}: Prompt injection detected in file content. Agent context is potentially poisoned. Session terminated for safety.`;
+						onTerminate(reason);
+						return { stopReason: reason };
 					}
-					logYaraMatch("PostToolUse", tool, match, "warned");
-					recordViolation({
-						rule: match.rule.name,
-						severity: match.rule.severity,
-						action: "warned",
-						phase: "PostToolUse",
-						tool
-					});
-					return Promise.resolve({ hookSpecificOutput: {
+					recordMatch("PostToolUse", toolName, match, "warned");
+					return { hookSpecificOutput: {
 						hookEventName: "PostToolUse",
-						additionalContext: `[YARA WARNING] ${match.rule.name}: ${match.rule.description}`
-					} });
+						additionalContext: `[YARA WARNING] ${match.rule}: ${match.metadata.description ?? ""}`
+					} };
 				} catch (error) {
 					logToFile("[YARA] PostToolUse Read/Grep hook error:", error);
-					return Promise.resolve({ stopReason: "[YARA] Scanner error while scanning read content — session terminated as a precaution." });
+					const reason = "[YARA] Scanner error while scanning read content — session terminated as a precaution.";
+					onTerminate(reason);
+					return { stopReason: reason };
 				}
 			}],
 			timeout: HOOK_TIMEOUT_MS
@@ -1723,21 +1713,18 @@ function createPostToolUseYaraHooks() {
 					const skillDir = dirMatch[1];
 					const cwd = input.cwd ?? process.cwd();
 					recordScan();
-					const result = await scanSkillFiles(cwd, skillDir);
-					if (!result.matched) return {};
-					const match = highestSeverityMatch(result.matches);
-					logYaraMatch("PostToolUse", "Bash (skill install)", match, "aborted");
-					recordViolation({
-						rule: match.rule.name,
-						severity: match.rule.severity,
-						action: "aborted",
-						phase: "PostToolUse",
-						tool: "Bash (skill)"
-					});
-					return { stopReason: `[YARA CRITICAL] Poisoned skill detected in ${skillDir}: ${match.rule.name}. The downloaded skill contains potential prompt injection. Session terminated for safety.` };
+					const matches = await scanSkillFiles(cwd, skillDir, llmProvider);
+					if (matches.length === 0) return {};
+					const match = highestSeverityMatch(matches);
+					recordMatch("PostToolUse", "Bash (skill install)", match, "aborted");
+					const reason = `[YARA CRITICAL] Poisoned skill detected in ${skillDir}: ${match.rule}. The downloaded skill contains potential prompt injection. Session terminated for safety.`;
+					onTerminate(reason);
+					return { stopReason: reason };
 				} catch (error) {
 					logToFile("[YARA] PostToolUse skill install hook error:", error);
-					return { stopReason: "[YARA] Scanner error while scanning skill files — session terminated as a precaution." };
+					const reason = "[YARA] Scanner error while scanning skill files — session terminated as a precaution.";
+					onTerminate(reason);
+					return { stopReason: reason };
 				}
 			}],
 			timeout: SKILL_SCAN_HOOK_TIMEOUT_MS
@@ -1746,12 +1733,15 @@ function createPostToolUseYaraHooks() {
 }
 /**
 * Read and scan all text files in a skill directory for prompt injection.
+* Scans each file sequentially (single-threaded WASM — parallelism buys
+* nothing), unions the 'input'-context matches, then triages once across the
+* combined content. Returns the real (post-triage) matches.
 */
-async function scanSkillFiles(cwd, skillDir) {
+async function scanSkillFiles(cwd, skillDir, llmProvider) {
 	const absoluteDir = path.resolve(cwd, skillDir);
 	if (!fs.existsSync(absoluteDir)) {
 		logToFile(`[YARA] Skill directory does not exist: ${absoluteDir}`);
-		return { matched: false };
+		return [];
 	}
 	const files = await fg("**/*.{md,txt,yaml,yml,json,js,ts,py,rb,sh}", {
 		cwd: absoluteDir,
@@ -1759,20 +1749,68 @@ async function scanSkillFiles(cwd, skillDir) {
 	});
 	const fileContents = [];
 	for (const filePath of files) try {
-		const content = fs.readFileSync(filePath, "utf-8");
-		fileContents.push({
-			path: filePath,
-			content
-		});
+		fileContents.push(fs.readFileSync(filePath, "utf-8"));
 	} catch (err) {
 		logToFile(`[YARA] Could not read skill file ${filePath}:`, err);
 	}
 	if (fileContents.length === 0) {
 		logToFile(`[YARA] No text files found in skill directory: ${absoluteDir}`);
-		return { matched: false };
+		return [];
 	}
 	logToFile(`[YARA] Scanning ${fileContents.length} files in skill directory: ${skillDir}`);
-	return scanSkillDirectory(fileContents);
+	const flagged = [];
+	for (const content of fileContents) flagged.push(...await scanForContext(content, "input"));
+	return triageFlagged(flagged, "input", llmProvider);
+}
+//#endregion
+//#region src/lib/agent/triage-provider.ts
+/**
+* LLM provider for warlock security-scan triage.
+*
+* Warlock's triageMatches() takes a consumer-supplied `(prompt) => Promise<string>`
+* to run a second pass that filters false positives out of YARA matches. This
+* builds that provider on top of the wizard's existing PostHog LLM gateway auth
+* — the same ANTHROPIC_BASE_URL / ANTHROPIC_AUTH_TOKEN that initializeAgent()
+* sets for the agent SDK. The gateway speaks the standard Anthropic Messages API,
+* so we POST to it directly with axios (the plain @anthropic-ai/sdk isn't a dep).
+*/
+const TRIAGE_MODEL = "claude-haiku-4-5";
+const TRIAGE_MAX_TOKENS = 16384;
+const TRIAGE_TIMEOUT_MS = 2e4;
+/**
+* Build the triage LLM provider from the gateway auth on process.env (set by
+* initializeAgent before any agent run). Returns undefined if auth isn't
+* configured — callers then skip triage and fail closed (act on every flagged
+* match), so a missing key never silently disables the scanner.
+*/
+function createTriageLLMProvider() {
+	const baseURL = process.env.ANTHROPIC_BASE_URL;
+	const authToken = process.env.ANTHROPIC_AUTH_TOKEN;
+	if (!baseURL || !authToken) {
+		logToFile("[YARA] triage provider unavailable (no gateway auth) — flagged scans will fail closed");
+		return;
+	}
+	logToFile(`[YARA] triage provider ready (model: ${TRIAGE_MODEL})`);
+	return async (prompt) => {
+		const content = (await axios.post(`${baseURL}/v1/messages`, {
+			model: TRIAGE_MODEL,
+			max_tokens: TRIAGE_MAX_TOKENS,
+			temperature: 0,
+			messages: [{
+				role: "user",
+				content: prompt
+			}]
+		}, {
+			headers: {
+				Authorization: `Bearer ${authToken}`,
+				"anthropic-version": "2023-06-01",
+				"content-type": "application/json"
+			},
+			timeout: TRIAGE_TIMEOUT_MS
+		})).data?.content;
+		if (Array.isArray(content)) return content.filter((b) => b?.type === "text" && typeof b.text === "string").map((b) => b.text).join("");
+		return "";
+	};
 }
 //#endregion
 //#region src/lib/agent/commandments.ts
@@ -1789,6 +1827,7 @@ const WIZARD_COMMANDMENTS = [
 	"When installing packages, start the installation as a background task and then continue with other work. Do not block waiting for installs to finish unless explicitly instructed.",
 	"Before writing to any file, you MUST read that exact file immediately beforehand using the Read tool, even if you have already read it earlier in the run. This avoids tool failures and stale edits.",
 	"Treat feature flags, custom properties, and event names as part of an analytics contract. Prefer reusing existing names and patterns in the project. When you must introduce new ones, make them clear, descriptive, and consistent with existing conventions, and avoid scattering the same flag or property across many unrelated callsites.",
+	"Keep PostHog data capture at its defaults unless the user explicitly asks otherwise. Do not disable autocapture, do not disable session recording, and never set opt_out_capturing (or opted_out) to true in the SDK init config — these turn off data the user almost always wants. Note: posthog.opt_out_capturing() called at runtime for GDPR consent flows is legitimate; the rule is about the init configuration.",
 	"Prefer minimal, targeted edits that achieve the requested behavior while preserving existing structure and style. Avoid large refactors, broad reformatting, or unrelated changes unless explicitly requested.",
 	"Do not spawn subagents unless explicitly instructed to do so.",
 	"Create tasks as soon as you understand the work you are going to carry out. Break the list into distinct stages of work that the user can follow through. Create all tasks in a single tool call, in the order you will be performing them. Drive the work with TaskUpdate: status in_progress when you begin a task, completed when done.",
@@ -1844,10 +1883,15 @@ const AgentSignals = {
 /**
 * Parses the signal-bearing lines out of agent output and discards the rest.
 *
-* The agent and SDK communicate non-content events (auth/API errors, YARA
-* violations, missing MCP/resource, the end-of-run remark) by emitting marker
-* strings inside their prose. `AgentOutputSignals` keeps only the lines that
-* carry such a marker, so the buffer stays bounded regardless of run length.
+* The agent and SDK communicate non-content events (auth/API errors, missing
+* MCP/resource, the end-of-run remark) by emitting marker strings inside
+* their prose. `AgentOutputSignals` keeps only the lines that carry such a
+* marker, so the buffer stays bounded regardless of run length.
+*
+* YARA violations are deliberately NOT detected here: scanning the agent's
+* prose for "[YARA ...]" markers false-positives when the agent merely
+* *mentions* a non-terminal block. Terminal YARA outcomes flow through the
+* hooks' onTerminate callback (`yaraViolationReason` in runAgent) instead.
 */
 /**
 * Single source of truth for the substrings runAgent scans agent output for.
@@ -1858,8 +1902,6 @@ const AgentSignals = {
 */
 const OUTPUT_SIGNALS = {
 	API_ERROR: "API Error:",
-	YARA_CRITICAL: "[YARA CRITICAL]",
-	YARA_SCANNER_ERROR: "[YARA] Scanner error",
 	MCP_MISSING: AgentSignals.ERROR_MCP_MISSING,
 	RESOURCE_MISSING: AgentSignals.ERROR_RESOURCE_MISSING,
 	WIZARD_REMARK: AgentSignals.WIZARD_REMARK
@@ -1885,9 +1927,6 @@ var AgentOutputSignals = class {
 	hasApiErrorStatus(code) {
 		return this.text.includes(`${OUTPUT_SIGNALS.API_ERROR} ${code}`);
 	}
-	hasYaraViolation() {
-		return this.has("YARA_CRITICAL") || this.has("YARA_SCANNER_ERROR");
-	}
 	/** Joined `API Error: …` lines for the user-facing message, or undefined. */
 	apiErrorMessage() {
 		const m = this.text.match(new RegExp(`${OUTPUT_SIGNALS.API_ERROR} [^\\n]+`, "g"));
@@ -2166,12 +2205,31 @@ function createStopHook(featureQueue, signals, requestRemark = true) {
 	};
 }
 /**
-* Select wizard metadata from WIZARD_VARIANTS using the variant feature flag.
-* If the flag is missing or the value is not in config, returns the "base" variant (VARIANT: "base").
+* Global identifiers attached to every LLM gateway trace for a run. They ride on
+* each `$ai_generation` the gateway emits (as `X-POSTHOG-PROPERTY-*` headers via
+* `buildAgentEnv`), so traces are filterable by program, framework, run, and build
+* type for cost attribution and dashboards. `skill_id` is omitted when the run has
+* none.
+*/
+function buildRunTags(args) {
+	return {
+		program_id: args.programId,
+		integration: args.integration,
+		run_id: args.runId,
+		build: args.build,
+		...args.skillId ? { skill_id: args.skillId } : {}
+	};
+}
+/**
+* Whether the Warlock/YARA kill switch is engaged for this run. Off by default:
+* scanning is disabled only when the feature flag resolves to the explicit
+* string 'true', or the local POSTHOG_WIZARD_WARLOCK_DISABLED env override is
+* set. A missing flag, an empty flag map (the safe default returned when the
+* flag fetch fails), or any other value all leave scanning ON — a network blip
+* must never silently disable a security control.
 */
-function buildWizardMetadata(flags = {}) {
-	const variantKey = flags[WIZARD_VARIANT_FLAG_KEY];
-	return { ...(variantKey && WIZARD_VARIANTS[variantKey]) ?? WIZARD_VARIANTS["base"] };
+function isWarlockDisabled(flags = {}) {
+	return flags["wizard-warlock-disabled"] === "true" || runtimeEnv("POSTHOG_WIZARD_WARLOCK_DISABLED") === "true";
 }
 /**
 * Whether this run uses the experimental task-queue orchestrator. Gated by the
@@ -2440,6 +2498,7 @@ async function initializeAgent(config, options) {
 			gatewayUrl,
 			apiKeyPresent: !!config.posthogApiKey
 		});
+		prewarmYaraScanner();
 		return agentRunConfig;
 	} catch (error) {
 		getUI().log.error(`Failed to initialize agent: ${error.message}`);
@@ -2449,18 +2508,6 @@ async function initializeAgent(config, options) {
 	}
 }
 /**
-* Check agent output for YARA scanner violations.
-* Used in both the success and catch paths of runAgent.
-*/
-function checkYaraViolation(signals, spinner) {
-	if (signals.hasYaraViolation()) {
-		logToFile("Agent error: YARA_VIOLATION");
-		spinner.stop("Security violation detected");
-		return { error: "WIZARD_YARA_VIOLATION" };
-	}
-	return null;
-}
-/**
 * Execute an agent with the provided prompt and options
 * Handles the full lifecycle: spinner, execution, error handling
 *
@@ -2529,10 +2576,24 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 	};
 	const abortController = new AbortController();
 	let abortReason = null;
+	let yaraViolationReason = null;
 	try {
 		const disallow = new Set(agentConfig.disallowedTools ?? []);
 		const allowedTools = [...BASE_ALLOWED_TOOLS, ...agentConfig.allowedTools ?? []].filter((t) => !disallow.has(t));
 		const inheritedMcpServerNames = Object.keys(agentConfig.mcpServers);
+		const triageProvider = createTriageLLMProvider();
+		const onYaraTerminate = (reason) => {
+			if (yaraViolationReason) return;
+			yaraViolationReason = reason;
+			logToFile(`[YARA] terminating run: ${reason}`);
+			abortController.abort();
+			signalDone();
+		};
+		const warlockDisabled = isWarlockDisabled(agentConfig.wizardFlags);
+		if (warlockDisabled) {
+			logToFile("[warlock] kill switch active — YARA scanning disabled for run");
+			analytics.wizardCapture("warlock disabled", { reason: "kill-switch" });
+		}
 		const response = query({
 			prompt: createPromptStream(),
 			options: {
@@ -2621,8 +2682,8 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 					if (options.debug) debug("CLI stderr:", data);
 				},
 				hooks: {
-					PreToolUse: createPreToolUseYaraHooks(),
-					PostToolUse: createPostToolUseYaraHooks(),
+					PreToolUse: warlockDisabled ? [] : createPreToolUseYaraHooks(triageProvider),
+					PostToolUse: warlockDisabled ? [] : createPostToolUseYaraHooks(triageProvider, onYaraTerminate),
 					Stop: [{
 						hooks: [createStopHook(config?.additionalFeatureQueue ?? [], signals, config?.requestRemark ?? true)],
 						timeout: 30
@@ -2698,6 +2759,11 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 				signalDone();
 			}
 		}
+		if (yaraViolationReason) {
+			logToFile("Agent error: YARA_VIOLATION");
+			spinner.stop("Security violation detected");
+			return { error: "WIZARD_YARA_VIOLATION" };
+		}
 		if (abortReason) {
 			spinner.stop("Wizard aborted");
 			return {
@@ -2705,8 +2771,6 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 				message: abortReason
 			};
 		}
-		const yaraResult = checkYaraViolation(signals, spinner);
-		if (yaraResult) return yaraResult;
 		if (signals.has("MCP_MISSING")) {
 			logToFile("Agent error: MCP_MISSING");
 			spinner.stop("Agent could not access PostHog MCP");
@@ -2738,6 +2802,11 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 		return completeWithSuccess();
 	} catch (error) {
 		signalDone();
+		if (yaraViolationReason) {
+			logToFile("Agent error: YARA_VIOLATION");
+			spinner.stop("Security violation detected");
+			return { error: "WIZARD_YARA_VIOLATION" };
+		}
 		if (abortReason) {
 			spinner.stop("Wizard aborted");
 			return {
@@ -2746,8 +2815,6 @@ async function runAgent(agentConfig, prompt, options, spinner, config, middlewar
 			};
 		}
 		if (receivedSuccessResult) return completeWithSuccess(error);
-		const yaraResult = checkYaraViolation(signals, spinner);
-		if (yaraResult) return yaraResult;
 		const apiErrorMessage = signals.apiErrorMessage() ?? "Unknown API error";
 		if (signals.hasApiErrorStatus(429)) {
 			logToFile("Agent error (caught): RATE_LIMIT");
@@ -2989,6 +3056,6 @@ function handleSDKMessage(message, options, spinner, signals, receivedSuccessRes
 	}
 }
 //#endregion
-export { AUDIT_SEVERITY_STYLE as C, AUDIT_REPORT_FILE as S, getAuditChecks as T, QUEUE_DIR_NAME as _, runAgent as a, AUDIT_CHECKS_FILE as b, recoverOrphanedSettingsBackups as c, formatScanReport as d, writeScanReport as f, installSkillById as g, fetchSkillMenu as h, isOrchestratorEnabled as i, restoreClaudeSettings as l, downloadSkill as m, buildWizardMetadata as n, backupAndFixClaudeSettings as o, WIZARD_TOOL_NAMES as p, initializeAgent as r, checkAllSettingsConflicts as s, buildAgentEnv as t, AgentSignals as u, QueueStore as v, coerceAuditChecks as w, AUDIT_CHECKS_KEY as x, TaskStatus as y };
+export { AUDIT_CHECKS_FILE as C, coerceAuditChecks as D, AUDIT_SEVERITY_STYLE as E, getAuditChecks as O, TaskStatus as S, AUDIT_REPORT_FILE as T, downloadSkill as _, runAgent as a, QUEUE_DIR_NAME as b, recoverOrphanedSettingsBackups as c, flushScanReport as d, formatScanReport as f, WIZARD_TOOL_NAMES as g, SETUP_REPORT_FILE as h, isOrchestratorEnabled as i, restoreClaudeSettings as l, EVENT_PLAN_FILE as m, buildRunTags as n, backupAndFixClaudeSettings as o, writeScanReport as p, initializeAgent as r, checkAllSettingsConflicts as s, buildAgentEnv as t, AgentSignals as u, fetchSkillMenu as v, AUDIT_CHECKS_KEY as w, QueueStore as x, installSkillById as y };
 
-//# sourceMappingURL=agent-interface-CYFyWCMj.js.map
+//# sourceMappingURL=agent-interface-c7B2JZEd.js.map