@roxy-agent/agents 0.1.0

package/dist/dashboard/styles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"styles.js","sourceRoot":"","sources":["../../src/dashboard/styles.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,qDAAqD;AACrD,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAipDtC,CAAC"}

package/dist/dashboard.js

@@ -0,0 +1,2 @@
+export { startDashboard } from "./dashboard/server.js";
+//# sourceMappingURL=dashboard.js.map

package/dist/dashboard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard.js","sourceRoot":"","sources":["../src/dashboard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/db.js

@@ -0,0 +1,526 @@
+import Database from "better-sqlite3";
+import path from "node:path";
+import fs from "node:fs";
+import os from "node:os";
+import { fileURLToPath } from "node:url";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+// Resolve the data directory. Order of precedence:
+//   1. AGENT_PROXY_DATA_DIR env override
+//   2. ~/.agent-proxy/ (default — works whether the server was npm-installed,
+//      run via `npx`, or cloned from source)
+//   3. <repo>/data/ if we detect we're running from a source checkout and
+//      the repo-local data dir already exists (back-compat for existing dev
+//      installs).
+function resolveDataDir() {
+    const env = process.env.AGENT_PROXY_DATA_DIR;
+    if (env && env.trim())
+        return path.resolve(env.trim());
+    const home = os.homedir();
+    const userDir = path.join(home, ".agent-proxy");
+    // Back-compat: if a developer is running from a source checkout that
+    // already has <repo>/data/audit.db, keep using it so we don't orphan
+    // their existing audit history.
+    const repoLocal = path.resolve(__dirname, "..", "data");
+    const repoLocalDb = path.join(repoLocal, "audit.db");
+    if (fs.existsSync(repoLocalDb) &&
+        !fs.existsSync(path.join(userDir, "audit.db"))) {
+        return repoLocal;
+    }
+    return userDir;
+}
+const DATA_DIR = resolveDataDir();
+const DB_PATH = path.join(DATA_DIR, "audit.db");
+if (!fs.existsSync(DATA_DIR))
+    fs.mkdirSync(DATA_DIR, { recursive: true });
+export const db = new Database(DB_PATH);
+// WAL mode keeps the dashboard responsive while the MCP server writes events.
+db.pragma("journal_mode = WAL");
+db.pragma("synchronous = NORMAL");
+export function initDb() {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS events (
+      id          INTEGER PRIMARY KEY AUTOINCREMENT,
+      timestamp   TEXT NOT NULL,
+      session_id  TEXT NOT NULL,
+      tool        TEXT NOT NULL,
+      action_type TEXT NOT NULL,
+      payload     TEXT NOT NULL,
+      risk_level  TEXT NOT NULL CHECK(risk_level IN ('low', 'medium', 'high')),
+      decision    TEXT NOT NULL CHECK(decision IN ('allowed', 'denied', 'flagged', 'pending_approval')),
+      result      TEXT,
+      duration_ms INTEGER,
+      error       TEXT,
+      reason      TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_timestamp ON events(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_session ON events(session_id);
+    CREATE INDEX IF NOT EXISTS idx_risk ON events(risk_level);
+    CREATE INDEX IF NOT EXISTS idx_decision ON events(decision);
+
+    CREATE TABLE IF NOT EXISTS usage (
+      period       TEXT PRIMARY KEY,
+      used         INTEGER NOT NULL DEFAULT 0,
+      last_event   TEXT,
+      synced_at    TEXT
+    );
+
+    CREATE TABLE IF NOT EXISTS builtin_rule_overrides (
+      id           TEXT PRIMARY KEY,
+      enabled      INTEGER NOT NULL DEFAULT 1,
+      updated_at   TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS approvals (
+      id           INTEGER PRIMARY KEY AUTOINCREMENT,
+      event_id     INTEGER,
+      tool         TEXT NOT NULL,
+      summary      TEXT NOT NULL,
+      reason       TEXT NOT NULL,
+      status       TEXT NOT NULL DEFAULT 'pending',
+      requested_at TEXT NOT NULL DEFAULT (datetime('now')),
+      decided_at   TEXT,
+      decided_by   TEXT,
+      slack_ts     TEXT,
+      payload      TEXT,
+      session_id   TEXT
+    );
+    CREATE INDEX IF NOT EXISTS idx_approvals_status ON approvals(status);
+
+    CREATE TABLE IF NOT EXISTS app_settings (
+      key   TEXT PRIMARY KEY,
+      value TEXT NOT NULL,
+      updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+  `);
+    // Soft-migration: relax the events.decision CHECK constraint so existing
+    // databases accept the new 'pending_approval' value. SQLite stores CHECK
+    // constraints inline, so we patch the schema string in sqlite_master. This
+    // requires temporarily disabling better-sqlite3's "defensive" mode.
+    const evRow = db
+        .prepare(`SELECT sql FROM sqlite_master WHERE type='table' AND name='events'`)
+        .get();
+    if (evRow && !evRow.sql.includes("pending_approval")) {
+        try {
+            db.unsafeMode(true);
+            db.pragma("writable_schema = ON");
+            db.prepare(`UPDATE sqlite_master SET sql = ? WHERE type='table' AND name='events'`).run(evRow.sql.replace("decision IN ('allowed', 'denied', 'flagged')", "decision IN ('allowed', 'denied', 'flagged', 'pending_approval')"));
+            // Force every connection to re-read the schema by bumping the cookie.
+            const v = db.pragma("schema_version", { simple: true });
+            db.pragma(`schema_version = ${v + 1}`);
+            db.pragma("writable_schema = OFF");
+        }
+        finally {
+            db.unsafeMode(false);
+        }
+    }
+    // Lightweight migration: older databases may not yet have the `reason`
+    // column, so add it on the fly.
+    const cols = db.prepare(`PRAGMA table_info(events)`).all();
+    if (!cols.some((c) => c.name === "reason")) {
+        db.exec(`ALTER TABLE events ADD COLUMN reason TEXT`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Usage / billing
+// ---------------------------------------------------------------------------
+export function getUsage(period) {
+    const row = db
+        .prepare(`SELECT used FROM usage WHERE period = ?`)
+        .get(period);
+    return row?.used ?? 0;
+}
+export function incrementUsage(period) {
+    db.prepare(`INSERT INTO usage (period, used, last_event)
+     VALUES (?, 1, datetime('now'))
+     ON CONFLICT(period) DO UPDATE SET
+       used = used + 1,
+       last_event = datetime('now')`).run(period);
+    return getUsage(period);
+}
+export function setUsageSyncedAt(period, ts) {
+    db.prepare(`INSERT INTO usage (period, used, synced_at)
+     VALUES (?, 0, ?)
+     ON CONFLICT(period) DO UPDATE SET synced_at = excluded.synced_at`).run(period, ts);
+}
+export function getRecentUsage(limit = 6) {
+    return db
+        .prepare(`SELECT * FROM usage ORDER BY period DESC LIMIT ?`)
+        .all(limit);
+}
+export function getBuiltinRuleOverrides() {
+    const rows = db
+        .prepare(`SELECT id, enabled FROM builtin_rule_overrides`)
+        .all();
+    const out = new Map();
+    for (const r of rows)
+        out.set(r.id, !!r.enabled);
+    return out;
+}
+export function setBuiltinRuleOverride(id, enabled) {
+    db.prepare(`INSERT INTO builtin_rule_overrides (id, enabled, updated_at)
+     VALUES (?, ?, datetime('now'))
+     ON CONFLICT(id) DO UPDATE SET
+       enabled = excluded.enabled,
+       updated_at = datetime('now')`).run(id, enabled ? 1 : 0);
+}
+export function createApprovalRow(input) {
+    const r = db
+        .prepare(`INSERT INTO approvals (event_id, tool, summary, reason, payload, session_id)
+       VALUES (?, ?, ?, ?, ?, ?)`)
+        .run(input.event_id, input.tool, input.summary.slice(0, 500), input.reason, input.payload === undefined ? null : JSON.stringify(input.payload), input.session_id ?? null);
+    return Number(r.lastInsertRowid);
+}
+export function setApprovalStatus(id, status, by) {
+    const r = db
+        .prepare(`UPDATE approvals SET status = ?, decided_at = datetime('now'), decided_by = ?
+       WHERE id = ? AND status = 'pending'`)
+        .run(status, by, id);
+    return r.changes > 0;
+}
+export function setApprovalSlackTs(id, ts) {
+    db.prepare(`UPDATE approvals SET slack_ts = ? WHERE id = ?`).run(ts, id);
+}
+export function getApproval(id) {
+    return db.prepare(`SELECT * FROM approvals WHERE id = ?`).get(id);
+}
+export function listApprovals(opts) {
+    const limit = opts?.limit ?? 100;
+    if (opts?.status) {
+        return db
+            .prepare(`SELECT * FROM approvals WHERE status = ? ORDER BY id DESC LIMIT ?`)
+            .all(opts.status, limit);
+    }
+    return db
+        .prepare(`SELECT * FROM approvals ORDER BY id DESC LIMIT ?`)
+        .all(limit);
+}
+export function countPendingApprovals() {
+    const row = db
+        .prepare(`SELECT COUNT(*) AS n FROM approvals WHERE status = 'pending'`)
+        .get();
+    return row.n;
+}
+// Mark any approvals left over from a previous process run as 'timeout' since
+// the awaiting promise can't be rehydrated across restarts.
+export function expireOrphanApprovals() {
+    const r = db
+        .prepare(`UPDATE approvals SET status = 'timeout', decided_at = datetime('now'),
+                            decided_by = COALESCE(decided_by, 'process restart')
+       WHERE status = 'pending'`)
+        .run();
+    return r.changes;
+}
+// ---------------------------------------------------------------------------
+// Update an event row's decision/reason after the fact (used when an HITL
+// approval resolves: pending_approval → allowed/denied so aggregation queries
+// stay consistent).
+// ---------------------------------------------------------------------------
+export function updateEventDecision(id, decision, reason) {
+    db.prepare(`UPDATE events SET decision = ?, reason = COALESCE(?, reason) WHERE id = ?`).run(decision, reason, id);
+}
+// ---------------------------------------------------------------------------
+// App settings (small key/value store for things like Slack webhook URL).
+// ---------------------------------------------------------------------------
+export function getAppSetting(key) {
+    const row = db
+        .prepare(`SELECT value FROM app_settings WHERE key = ?`)
+        .get(key);
+    return row?.value ?? null;
+}
+export function setAppSetting(key, value) {
+    if (value == null || value === "") {
+        db.prepare(`DELETE FROM app_settings WHERE key = ?`).run(key);
+        return;
+    }
+    db.prepare(`INSERT INTO app_settings (key, value, updated_at)
+     VALUES (?, ?, datetime('now'))
+     ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = datetime('now')`).run(key, value);
+}
+export function getAllAppSettings() {
+    const rows = db
+        .prepare(`SELECT key, value FROM app_settings`)
+        .all();
+    const out = {};
+    for (const r of rows)
+        out[r.key] = r.value;
+    return out;
+}
+let _insert = null;
+let _updateResult = null;
+function insertStmt() {
+    if (_insert)
+        return _insert;
+    _insert = db.prepare(`
+    INSERT INTO events
+      (timestamp, session_id, tool, action_type, payload, risk_level, decision, result, duration_ms, error, reason)
+    VALUES
+      (datetime('now'), @session_id, @tool, @action_type, @payload, @risk_level, @decision, @result, @duration_ms, @error, @reason)
+  `);
+    return _insert;
+}
+function updateResultStmt() {
+    if (_updateResult)
+        return _updateResult;
+    _updateResult = db.prepare(`
+    UPDATE events
+    SET result = ?, duration_ms = ?, error = ?
+    WHERE id = ?
+  `);
+    return _updateResult;
+}
+export function logEvent(event) {
+    const result = insertStmt().run({
+        session_id: event.session_id,
+        tool: event.tool,
+        action_type: event.action_type,
+        payload: JSON.stringify(event.payload),
+        risk_level: event.risk_level,
+        decision: event.decision,
+        result: event.result ?? null,
+        duration_ms: event.duration_ms ?? null,
+        error: event.error ?? null,
+        reason: event.reason ?? null,
+    });
+    return Number(result.lastInsertRowid);
+}
+export function updateEventResult(id, result, duration_ms, error) {
+    updateResultStmt().run(truncate(result, 100_000), duration_ms, error ?? null, id);
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return s.slice(0, max) + `… [truncated, ${s.length - max} more chars]`;
+}
+export function getRecentEvents(limit = 100) {
+    return db
+        .prepare(`SELECT * FROM events ORDER BY id DESC LIMIT ?`)
+        .all(limit);
+}
+export function getEventsSince(sinceId, limit = 500) {
+    return db
+        .prepare(`SELECT * FROM events WHERE id > ? ORDER BY id ASC LIMIT ?`)
+        .all(sinceId, limit);
+}
+export function getEvent(id) {
+    return db.prepare(`SELECT * FROM events WHERE id = ?`).get(id);
+}
+export function getSessionEvents(session_id) {
+    return db
+        .prepare(`SELECT * FROM events WHERE session_id = ? ORDER BY id ASC`)
+        .all(session_id);
+}
+export function getStats() {
+    return db
+        .prepare(`
+    SELECT
+      COUNT(*) as total,
+      COALESCE(SUM(CASE WHEN risk_level = 'high'   THEN 1 ELSE 0 END), 0) as high_risk,
+      COALESCE(SUM(CASE WHEN risk_level = 'medium' THEN 1 ELSE 0 END), 0) as medium_risk,
+      COALESCE(SUM(CASE WHEN risk_level = 'low'    THEN 1 ELSE 0 END), 0) as low_risk,
+      COALESCE(SUM(CASE WHEN decision = 'denied'   THEN 1 ELSE 0 END), 0) as denied,
+      COALESCE(SUM(CASE WHEN decision = 'flagged'  THEN 1 ELSE 0 END), 0) as flagged,
+      COALESCE(SUM(CASE WHEN tool = 'bash'         THEN 1 ELSE 0 END), 0) as bash_calls,
+      COALESCE(SUM(CASE WHEN tool = 'filesystem'   THEN 1 ELSE 0 END), 0) as file_calls,
+      COALESCE(SUM(CASE WHEN tool = 'network'      THEN 1 ELSE 0 END), 0) as network_calls,
+      COALESCE(SUM(CASE WHEN error IS NOT NULL AND error <> '' THEN 1 ELSE 0 END), 0) as errors,
+      COUNT(DISTINCT session_id) as sessions
+    FROM events
+  `)
+        .get();
+}
+export function getDbPath() {
+    return DB_PATH;
+}
+function strftimeFmt(g) {
+    if (g === "minute")
+        return "%Y-%m-%d %H:%M";
+    if (g === "day")
+        return "%Y-%m-%d";
+    return "%Y-%m-%d %H:00";
+}
+// Returns one row per bucket in the requested window, zero-filled when a
+// concrete window is given, sorted oldest→newest. Pass `hours = null` for
+// "all time" (no zero-fill — only buckets that actually have data).
+export function getActivityAggregate(hours = 24, granularity = "hour") {
+    const fmt = strftimeFmt(granularity);
+    const filterClause = hours == null ? "" : "WHERE timestamp >= ?";
+    const params = hours == null
+        ? []
+        : [
+            new Date(Date.now() - hours * 60 * 60 * 1000)
+                .toISOString()
+                .slice(0, 19)
+                .replace("T", " "),
+        ];
+    const rows = db
+        .prepare(`
+      SELECT
+        strftime('${fmt}', timestamp) AS hour,
+        COUNT(*) AS total,
+        COALESCE(SUM(CASE WHEN decision = 'allowed' THEN 1 ELSE 0 END), 0) AS allowed,
+        COALESCE(SUM(CASE WHEN decision = 'flagged' THEN 1 ELSE 0 END), 0) AS flagged,
+        COALESCE(SUM(CASE WHEN decision = 'denied'  THEN 1 ELSE 0 END), 0) AS denied
+      FROM events
+      ${filterClause}
+      GROUP BY hour
+      ORDER BY hour ASC
+    `)
+        .all(...params);
+    // No concrete window → return raw buckets (sparse).
+    if (hours == null)
+        return rows;
+    // Zero-fill so charts have a continuous x-axis.
+    const byKey = new Map(rows.map((r) => [r.hour, r]));
+    const out = [];
+    const now = new Date();
+    if (granularity === "day") {
+        now.setUTCHours(0, 0, 0, 0);
+        const days = Math.max(1, Math.ceil(hours / 24));
+        for (let i = days - 1; i >= 0; i--) {
+            const d = new Date(now.getTime() - i * 24 * 60 * 60 * 1000);
+            const key = d.toISOString().slice(0, 10);
+            out.push(byKey.get(key) ?? { hour: key, total: 0, allowed: 0, flagged: 0, denied: 0 });
+        }
+    }
+    else if (granularity === "minute") {
+        now.setUTCSeconds(0, 0);
+        const mins = Math.max(1, Math.ceil(hours * 60));
+        for (let i = mins - 1; i >= 0; i--) {
+            const d = new Date(now.getTime() - i * 60 * 1000);
+            const key = d.toISOString().slice(0, 16).replace("T", " ");
+            out.push(byKey.get(key) ?? { hour: key, total: 0, allowed: 0, flagged: 0, denied: 0 });
+        }
+    }
+    else {
+        now.setUTCMinutes(0, 0, 0);
+        const buckets = Math.max(1, Math.ceil(hours));
+        for (let i = buckets - 1; i >= 0; i--) {
+            const d = new Date(now.getTime() - i * 60 * 60 * 1000);
+            const key = d.toISOString().slice(0, 13).replace("T", " ") + ":00";
+            out.push(byKey.get(key) ?? { hour: key, total: 0, allowed: 0, flagged: 0, denied: 0 });
+        }
+    }
+    return out;
+}
+// Backwards-compat alias used elsewhere.
+export function getHourlyAggregate(hours = 24) {
+    return getActivityAggregate(hours, "hour");
+}
+// Frequency table of recent commands/paths/urls grouped by their canonical
+// summary. Used by the Insights "top denied / flagged" cards.
+export function getTopActions(decision = "any", limit = 8, windowHours = 24 * 7) {
+    const decisionFilter = decision === "any" ? "1=1" : `decision = '${decision}'`;
+    const params = [];
+    let timeClause = "";
+    if (windowHours != null) {
+        timeClause = "timestamp >= ? AND ";
+        params.push(new Date(Date.now() - windowHours * 60 * 60 * 1000)
+            .toISOString()
+            .slice(0, 19)
+            .replace("T", " "));
+    }
+    params.push(limit);
+    const rows = db
+        .prepare(`
+      SELECT
+        tool,
+        decision,
+        risk_level,
+        COALESCE(json_extract(payload, '$.command'),
+                 json_extract(payload, '$.path'),
+                 json_extract(payload, '$.url'),
+                 substr(payload, 1, 80)) AS summary,
+        COUNT(*) AS count
+      FROM events
+      WHERE ${timeClause}${decisionFilter}
+      GROUP BY summary, tool, decision, risk_level
+      ORDER BY count DESC, MAX(id) DESC
+      LIMIT ?
+    `)
+        .all(...params);
+    return rows;
+}
+export function getRecentSessions(limit = 10) {
+    return db
+        .prepare(`
+      SELECT
+        session_id,
+        MAX(timestamp) AS last_event,
+        COUNT(*) AS events,
+        COALESCE(SUM(CASE WHEN decision = 'flagged' THEN 1 ELSE 0 END), 0) AS flagged,
+        COALESCE(SUM(CASE WHEN decision = 'denied'  THEN 1 ELSE 0 END), 0) AS denied,
+        GROUP_CONCAT(DISTINCT tool) AS tools
+      FROM events
+      GROUP BY session_id
+      ORDER BY MAX(id) DESC
+      LIMIT ?
+    `)
+        .all(limit);
+}
+export function getToolBreakdown(windowHours = 24 * 7) {
+    const params = [];
+    let where = "";
+    if (windowHours != null) {
+        where = "WHERE timestamp >= ?";
+        params.push(new Date(Date.now() - windowHours * 60 * 60 * 1000)
+            .toISOString()
+            .slice(0, 19)
+            .replace("T", " "));
+    }
+    return db
+        .prepare(`
+      SELECT
+        tool,
+        COUNT(*) AS count,
+        COALESCE(SUM(CASE WHEN decision = 'allowed' THEN 1 ELSE 0 END), 0) AS allowed,
+        COALESCE(SUM(CASE WHEN decision = 'flagged' THEN 1 ELSE 0 END), 0) AS flagged,
+        COALESCE(SUM(CASE WHEN decision = 'denied'  THEN 1 ELSE 0 END), 0) AS denied
+      FROM events
+      ${where}
+      GROUP BY tool
+      ORDER BY count DESC
+    `)
+        .all(...params);
+}
+// Stats over an arbitrary trailing window. `hours = null` returns all-time.
+export function getRangedStats(hours = 24) {
+    const params = [];
+    let where = "";
+    if (hours != null) {
+        where = "WHERE timestamp >= ?";
+        params.push(new Date(Date.now() - hours * 60 * 60 * 1000)
+            .toISOString()
+            .slice(0, 19)
+            .replace("T", " "));
+    }
+    return db
+        .prepare(`
+      SELECT
+        COUNT(*) AS total,
+        COALESCE(SUM(CASE WHEN decision = 'flagged' THEN 1 ELSE 0 END), 0) AS flagged,
+        COALESCE(SUM(CASE WHEN decision = 'denied'  THEN 1 ELSE 0 END), 0) AS denied,
+        COUNT(DISTINCT session_id) AS sessions
+      FROM events
+      ${where}
+    `)
+        .get(...params);
+}
+// "Today" stats (since UTC midnight) used by the Overview hero KPIs.
+export function getTodayStats() {
+    const since = new Date();
+    since.setUTCHours(0, 0, 0, 0);
+    const sinceStr = since.toISOString().slice(0, 19).replace("T", " ");
+    return db
+        .prepare(`
+      SELECT
+        COUNT(*) AS total,
+        COALESCE(SUM(CASE WHEN decision = 'flagged' THEN 1 ELSE 0 END), 0) AS flagged,
+        COALESCE(SUM(CASE WHEN decision = 'denied'  THEN 1 ELSE 0 END), 0) AS denied,
+        COUNT(DISTINCT session_id) AS sessions
+      FROM events
+      WHERE timestamp >= ?
+    `)
+        .get(sinceStr);
+}
+//# sourceMappingURL=db.js.map

package/dist/db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE/D,mDAAmD;AACnD,yCAAyC;AACzC,8EAA8E;AAC9E,6CAA6C;AAC7C,0EAA0E;AAC1E,4EAA4E;AAC5E,kBAAkB;AAClB,SAAS,cAAc;IACrB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAC7C,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEvD,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAEhD,qEAAqE;IACrE,qEAAqE;IACrE,gCAAgC;IAChC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACrD,IACE,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAC1B,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,EAC9C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;AAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAEhD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;IAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAE1E,MAAM,CAAC,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;AAExC,8EAA8E;AAC9E,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;AAChC,EAAE,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAoBlC,MAAM,UAAU,MAAM;IACpB,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDP,CAAC,CAAC;IAEH,yEAAyE;IACzE,yEAAyE;IACzE,2EAA2E;IAC3E,oEAAoE;IACpE,MAAM,KAAK,GAAG,EAAE;SACb,OAAO,CAAC,oEAAoE,CAAC;SAC7E,GAAG,EAAiC,CAAC;IACxC,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YACpB,EAAE,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAClC,EAAE,CAAC,OAAO,CACR,uEAAuE,CACxE,CAAC,GAAG,CACH,KAAK,CAAC,GAAG,CAAC,OAAO,CACf,8CAA8C,EAC9C,kEAAkE,CACnE,CACF,CAAC;YACF,sEAAsE;YACtE,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAW,CAAC;YAClE,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACvC,EAAE,CAAC,MAAM,CAAC,uBAAuB,CAAC,CAAC;QACrC,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,gCAAgC;IAChC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC,GAAG,EAEtD,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC3C,EAAE,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IACvD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,MAAM,UAAU,QAAQ,CAAC,MAAc;IACrC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,yCAAyC,CAAC;SAClD,GAAG,CAAC,MAAM,CAAiC,CAAC;IAC/C,OAAO,GAAG,EAAE,IAAI,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,EAAE,CAAC,OAAO,CACR;;;;oCAIgC,CACjC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACd,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,EAAU;IACzD,EAAE,CAAC,OAAO,CACR;;sEAEkE,CACnE,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpB,CAAC;AASD,MAAM,UAAU,cAAc,CAAC,KAAK,GAAG,CAAC;IACtC,OAAO,EAAE;SACN,OAAO,CAAC,kDAAkD,CAAC;SAC3D,GAAG,CAAC,KAAK,CAAe,CAAC;AAC9B,CAAC;AAcD,MAAM,UAAU,uBAAuB;IACrC,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CAAC,gDAAgD,CAAC;SACzD,GAAG,EAA4C,CAAC;IACnD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAmB,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,EAAU,EAAE,OAAgB;IACjE,EAAE,CAAC,OAAO,CACR;;;;oCAIgC,CACjC,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7B,CAAC;AAuBD,MAAM,UAAU,iBAAiB,CAAC,KAOjC;IACC,MAAM,CAAC,GAAG,EAAE;SACT,OAAO,CACN;iCAC2B,CAC5B;SACA,GAAG,CACF,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,IAAI,EACV,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAC3B,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,EAClE,KAAK,CAAC,UAAU,IAAI,IAAI,CACzB,CAAC;IACJ,OAAO,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,EAAU,EACV,MAA0C,EAC1C,EAAU;IAEV,MAAM,CAAC,GAAG,EAAE;SACT,OAAO,CACN;2CACqC,CACtC;SACA,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvB,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,EAAU,EAAE,EAAU;IACvD,EAAE,CAAC,OAAO,CAAC,gDAAgD,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,EAAU;IACpC,OAAO,EAAE,CAAC,OAAO,CAAC,sCAAsC,CAAC,CAAC,GAAG,CAAC,EAAE,CAEnD,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAG7B;IACC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,GAAG,CAAC;IACjC,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE;aACN,OAAO,CACN,mEAAmE,CACpE;aACA,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAkB,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE;SACN,OAAO,CAAC,kDAAkD,CAAC;SAC3D,GAAG,CAAC,KAAK,CAAkB,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,8DAA8D,CAAC;SACvE,GAAG,EAAmB,CAAC;IAC1B,OAAO,GAAG,CAAC,CAAC,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,4DAA4D;AAC5D,MAAM,UAAU,qBAAqB;IACnC,MAAM,CAAC,GAAG,EAAE;SACT,OAAO,CACN;;gCAE0B,CAC3B;SACA,GAAG,EAAE,CAAC;IACT,OAAO,CAAC,CAAC,OAAO,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAC9E,MAAM,UAAU,mBAAmB,CACjC,EAAU,EACV,QAAkB,EAClB,MAAc;IAEd,EAAE,CAAC,OAAO,CACR,2EAA2E,CAC5E,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAE9E,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,8CAA8C,CAAC;SACvD,GAAG,CAAC,GAAG,CAAkC,CAAC;IAC7C,OAAO,GAAG,EAAE,KAAK,IAAI,IAAI,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,KAAoB;IAC7D,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QAClC,EAAE,CAAC,OAAO,CAAC,wCAAwC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9D,OAAO;IACT,CAAC;IACD,EAAE,CAAC,OAAO,CACR;;yFAEqF,CACtF,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CAAC,qCAAqC,CAAC;SAC9C,GAAG,EAA2C,CAAC;IAClD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3C,OAAO,GAAG,CAAC;AACb,CAAC;AAmBD,IAAI,OAAO,GAAgD,IAAI,CAAC;AAChE,IAAI,aAAa,GACf,IAAI,CAAC;AAEP,SAAS,UAAU;IACjB,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;GAKpB,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB;IAGvB,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IACxC,aAAa,GAAG,EAAE,CAAC,OAAO,CAAC;;;;GAI1B,CAAC,CAAC;IACH,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,KAAoB;IAC3C,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC,GAAG,CAAC;QAC9B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC;QACtC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;KAC7B,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,EAAU,EACV,MAAc,EACd,WAAmB,EACnB,KAAc;IAEd,gBAAgB,EAAE,CAAC,GAAG,CACpB,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,EACzB,WAAW,EACX,KAAK,IAAI,IAAI,EACb,EAAE,CACH,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,GAAW;IACtC,IAAI,CAAC,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,CAAC,CAAC;IAC9B,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,iBAAiB,CAAC,CAAC,MAAM,GAAG,GAAG,cAAc,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAK,GAAG,GAAG;IACzC,OAAO,EAAE;SACN,OAAO,CAAC,+CAA+C,CAAC;SACxD,GAAG,CAAC,KAAK,CAAe,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,KAAK,GAAG,GAAG;IACzD,OAAO,EAAE;SACN,OAAO,CAAC,2DAA2D,CAAC;SACpE,GAAG,CAAC,OAAO,EAAE,KAAK,CAAe,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,EAAU;IACjC,OAAO,EAAE,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,GAAG,CAAC,EAAE,CAEhD,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,OAAO,EAAE;SACN,OAAO,CAAC,2DAA2D,CAAC;SACpE,GAAG,CAAC,UAAU,CAAe,CAAC;AACnC,CAAC;AAgBD,MAAM,UAAU,QAAQ;IACtB,OAAO,EAAE;SACN,OAAO,CACN;;;;;;;;;;;;;;GAcH,CACE;SACA,GAAG,EAAW,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,OAAO,OAAO,CAAC;AACjB,CAAC;AAgBD,SAAS,WAAW,CAAC,CAAc;IACjC,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC;IAC5C,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,UAAU,CAAC;IACnC,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,yEAAyE;AACzE,0EAA0E;AAC1E,oEAAoE;AACpE,MAAM,UAAU,oBAAoB,CAClC,QAAuB,EAAE,EACzB,cAA2B,MAAM;IAEjC,MAAM,GAAG,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACrC,MAAM,YAAY,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB,CAAC;IACjE,MAAM,MAAM,GACV,KAAK,IAAI,IAAI;QACX,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;YACE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;iBAC1C,WAAW,EAAE;iBACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACZ,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC;SACrB,CAAC;IACR,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN;;oBAEc,GAAG;;;;;;QAMf,YAAY;;;KAGf,CACA;SACA,GAAG,CAAC,GAAG,MAAM,CAAiB,CAAC;IAElC,oDAAoD;IACpD,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAE/B,gDAAgD;IAChD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;QAC1B,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC;QAChD,KAAK,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC5D,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,CACN,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAC7E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpC,GAAG,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC;QAChD,KAAK,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAClD,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC3D,GAAG,CAAC,IAAI,CACN,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAC7E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9C,KAAK,IAAI,CAAC,GAAG,OAAO,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YACvD,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;YACnE,GAAG,CAAC,IAAI,CACN,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAC7E,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,kBAAkB,CAAC,KAAK,GAAG,EAAE;IAC3C,OAAO,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AAC7C,CAAC;AAUD,2EAA2E;AAC3E,8DAA8D;AAC9D,MAAM,UAAU,aAAa,CAC3B,WAA6B,KAAK,EAClC,KAAK,GAAG,CAAC,EACT,cAA6B,EAAE,GAAG,CAAC;IAEnC,MAAM,cAAc,GAClB,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe,QAAQ,GAAG,CAAC;IAC1D,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,IAAI,UAAU,GAAG,EAAE,CAAC;IACpB,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;QACxB,UAAU,GAAG,qBAAqB,CAAC;QACnC,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;aAChD,WAAW,EAAE;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACZ,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CACrB,CAAC;IACJ,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnB,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN;;;;;;;;;;;cAWQ,UAAU,GAAG,cAAc;;;;KAIpC,CACA;SACA,GAAG,CAAC,GAAG,MAAM,CAAgB,CAAC;IACjC,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,MAAM,UAAU,iBAAiB,CAAC,KAAK,GAAG,EAAE;IAC1C,OAAO,EAAE;SACN,OAAO,CACN;;;;;;;;;;;;KAYD,CACA;SACA,GAAG,CAAC,KAAK,CAAqB,CAAC;AACpC,CAAC;AAUD,MAAM,UAAU,gBAAgB,CAC9B,cAA6B,EAAE,GAAG,CAAC;IAEnC,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;QACxB,KAAK,GAAG,sBAAsB,CAAC;QAC/B,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;aAChD,WAAW,EAAE;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACZ,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CACrB,CAAC;IACJ,CAAC;IACD,OAAO,EAAE;SACN,OAAO,CACN;;;;;;;;QAQE,KAAK;;;KAGR,CACA;SACA,GAAG,CAAC,GAAG,MAAM,CAAoB,CAAC;AACvC,CAAC;AASD,4EAA4E;AAC5E,MAAM,UAAU,cAAc,CAAC,QAAuB,EAAE;IACtD,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,KAAK,GAAG,sBAAsB,CAAC;QAC/B,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;aAC1C,WAAW,EAAE;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACZ,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CACrB,CAAC;IACJ,CAAC;IACD,OAAO,EAAE;SACN,OAAO,CACN;;;;;;;QAOE,KAAK;KACR,CACA;SACA,GAAG,CAAC,GAAG,MAAM,CAAgB,CAAC;AACnC,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,aAAa;IAC3B,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC;IACzB,KAAK,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACpE,OAAO,EAAE;SACN,OAAO,CACN;;;;;;;;KAQD,CACA;SACA,GAAG,CAAC,QAAQ,CAAgB,CAAC;AAClC,CAAC"}

package/dist/index.js

@@ -0,0 +1,94 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { randomUUID } from "node:crypto";
+import { initDb } from "./db.js";
+import { startDashboard } from "./dashboard.js";
+import { prepareBashML } from "./ml/bash-classifier.js";
+import { initPoliciesTable, ensureEmbeddings } from "./policies.js";
+import { initApprovals } from "./approvals.js";
+import { bashToolDefinition, executeBash } from "./tools/bash.js";
+import { readFileToolDefinition, writeFileToolDefinition, deleteFileToolDefinition, listDirectoryToolDefinition, readFile, writeFile, deleteFile, listDirectory, } from "./tools/filesystem.js";
+import { networkToolDefinition, fetchUrl } from "./tools/network.js";
+import { classifyToolDefinition, classify, recentEventsToolDefinition, recentEvents, proxyStatsToolDefinition, proxyStats, } from "./tools/introspect.js";
+import { addPolicyToolDefinition, addPolicy, listPoliciesToolDefinition, listPoliciesTool, deletePolicyToolDefinition, deletePolicyTool, updatePolicyToolDefinition, updatePolicyTool, } from "./tools/policies.js";
+import { ensureLicense, checkQuota, chargeUsage, syncWithCloud, } from "./license.js";
+// One session ID per server run (one per agent session). The agent or
+// orchestrator can override it via AGENT_PROXY_SESSION_ID for traceability.
+const SESSION_ID = process.env.AGENT_PROXY_SESSION_ID ?? randomUUID();
+const DASHBOARD_PORT = Number(process.env.AGENT_PROXY_PORT) || 4242;
+const DASHBOARD_DISABLED = process.env.AGENT_PROXY_DISABLE_DASHBOARD === "1";
+initDb();
+initPoliciesTable();
+initApprovals();
+const LICENSE = ensureLicense();
+if (!DASHBOARD_DISABLED)
+    startDashboard(DASHBOARD_PORT);
+process.stderr.write(`[agent-proxy] license user=${LICENSE.user_id} plan=${LICENSE.plan} quota=${LICENSE.quota}\n`);
+// Background cloud sync — best-effort, non-fatal. Pulls fresh quota from the
+// remote API every 5 min so paid upgrades take effect without a restart.
+if (LICENSE.jwt) {
+    syncWithCloud().catch(() => { });
+    setInterval(() => {
+        syncWithCloud().catch(() => { });
+    }, 5 * 60 * 1000);
+}
+process.stderr.write(`[agent-proxy] session=${SESSION_ID} pid=${process.pid}\n`);
+// Kick off ML embedder + prototype embedding in the background. We don't
+// await: bash calls that arrive before the model is ready transparently fall
+// back to the rule-based classifier. Set AGENT_PROXY_ML=0 to skip entirely.
+if (process.env.AGENT_PROXY_ML !== "0") {
+    prepareBashML()
+        .then(() => ensureEmbeddings())
+        .catch((err) => {
+        process.stderr.write(`[agent-proxy] ML prep failed: ${err.message}\n`);
+    });
+}
+const server = new McpServer({
+    name: "agent-proxy",
+    version: "0.1.0",
+});
+function asText(value) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(value, null, 2) }],
+    };
+}
+// Quota gate — runs before any billable tool. Returns the agent a structured
+// "blocked" object (mirroring how policy/classifier blocks already look) when
+// the current month's free quota is exhausted, and bumps the counter on
+// successful execution.
+async function billable(toolName, fn, actionHint) {
+    const block = checkQuota(toolName, actionHint);
+    if (block)
+        return block;
+    const result = await fn();
+    chargeUsage(toolName, actionHint);
+    return result;
+}
+server.tool(bashToolDefinition.name, bashToolDefinition.description, bashToolDefinition.schema.shape, async (args) => asText(await billable("bash", () => executeBash(args, SESSION_ID))));
+server.tool(readFileToolDefinition.name, readFileToolDefinition.description, readFileToolDefinition.schema.shape, async (args) => asText(await readFile(args, SESSION_ID)));
+server.tool(writeFileToolDefinition.name, writeFileToolDefinition.description, writeFileToolDefinition.schema.shape, async (args) => asText(await billable("write_file", () => writeFile({ ...args, append: args.append ?? false }, SESSION_ID))));
+server.tool(deleteFileToolDefinition.name, deleteFileToolDefinition.description, deleteFileToolDefinition.schema.shape, async (args) => asText(await billable("delete_file", () => deleteFile(args, SESSION_ID))));
+server.tool(listDirectoryToolDefinition.name, listDirectoryToolDefinition.description, listDirectoryToolDefinition.schema.shape, async (args) => asText(await listDirectory(args, SESSION_ID)));
+server.tool(networkToolDefinition.name, networkToolDefinition.description, networkToolDefinition.schema.shape, async (args) => asText(await billable("network", () => fetchUrl({ ...args, method: args.method ?? "GET" }, SESSION_ID))));
+// Introspection tools (read-only — no audit entry generated).
+server.tool(classifyToolDefinition.name, classifyToolDefinition.description, classifyToolDefinition.schema.shape, async (args) => asText(await classify(args)));
+server.tool(recentEventsToolDefinition.name, recentEventsToolDefinition.description, recentEventsToolDefinition.schema.shape, async (args) => asText(recentEvents(args, SESSION_ID)));
+server.tool(proxyStatsToolDefinition.name, proxyStatsToolDefinition.description, proxyStatsToolDefinition.schema.shape, async () => asText(proxyStats(SESSION_ID, DASHBOARD_PORT)));
+// Policy management tools — persist guardrails across sessions.
+server.tool(addPolicyToolDefinition.name, addPolicyToolDefinition.description, addPolicyToolDefinition.schema.shape, async (args) => asText(await addPolicy(args)));
+server.tool(listPoliciesToolDefinition.name, listPoliciesToolDefinition.description, listPoliciesToolDefinition.schema.shape, async (args) => asText(await listPoliciesTool(args)));
+server.tool(updatePolicyToolDefinition.name, updatePolicyToolDefinition.description, updatePolicyToolDefinition.schema.shape, async (args) => asText(await updatePolicyTool(args)));
+server.tool(deletePolicyToolDefinition.name, deletePolicyToolDefinition.description, deletePolicyToolDefinition.schema.shape, async (args) => asText(deletePolicyTool(args)));
+const transport = new StdioServerTransport();
+process.on("SIGINT", () => {
+    process.stderr.write("[agent-proxy] SIGINT — shutting down\n");
+    process.exit(0);
+});
+process.on("SIGTERM", () => {
+    process.stderr.write("[agent-proxy] SIGTERM — shutting down\n");
+    process.exit(0);
+});
+await server.connect(transport);
+process.stderr.write("[agent-proxy] MCP server ready on stdio\n");
+//# sourceMappingURL=index.js.map