npm - @rulecatch/ai-pooler - Versions diffs - 0.4.0 - Mend

@rulecatch/ai-pooler 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +232 -0
package/dist/cli.js +1338 -0
package/dist/cli.js.map +1 -0
package/dist/flush.js +1114 -0
package/dist/flush.js.map +1 -0
package/dist/index.cjs +1278 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.ts +625 -0
package/dist/index.js +1240 -0
package/dist/index.js.map +1 -0
package/package.json +63 -0
package/templates/rulecatch-track.sh +549 -0

package/templates/rulecatch-track.sh ADDED Viewed

@@ -0,0 +1,549 @@
+#!/bin/bash
+# Rulecatch AI tracking hook - Auto-generated
+# Writes events to buffer files for batch processing
+# Supports: Zero-knowledge encryption, Regional routing, Adaptive throttling
+# Debug logging - set RULECATCH_DEBUG=true for verbose output
+DEBUG="${RULECATCH_DEBUG:-false}"
+LOG_FILE="/tmp/rulecatch-hook.log"
+log() {
+  echo "[$(date)] $1" >> "$LOG_FILE"
+}
+log_debug() {
+  if [ "$DEBUG" == "true" ]; then
+    echo "[$(date)] [DEBUG] $1" >> "$LOG_FILE"
+  fi
+}
+log "Hook called"
+# ============================================================================
+# CONFIGURATION
+# ============================================================================
+CONFIG_DIR="$HOME/.claude/rulecatch"
+CONFIG_FILE="$CONFIG_DIR/config.json"
+BUFFER_DIR="$CONFIG_DIR/buffer"
+FLUSH_SCRIPT="$HOME/.claude/hooks/rulecatch-flush.js"
+# Exit if not configured
+[ ! -f "$CONFIG_FILE" ] && exit 0
+# Exit if data collection is paused (subscription expired)
+# User must run `npx @rulecatch/ai-pooler reactivate` to resume
+PAUSED_FILE="$CONFIG_DIR/.paused"
+[ -f "$PAUSED_FILE" ] && exit 0
+# Read config
+API_KEY=$(jq -r '.apiKey // empty' "$CONFIG_FILE")
+[ -z "$API_KEY" ] && exit 0
+REGION=$(jq -r '.region // "us"' "$CONFIG_FILE")
+ENCRYPTION_KEY=$(jq -r '.encryptionKey // empty' "$CONFIG_FILE")
+SALT=$(jq -r '.salt // "rulecatch"' "$CONFIG_FILE")
+# Ensure buffer directory exists
+mkdir -p "$BUFFER_DIR"
+# Determine if privacy/encryption is enabled
+PRIVACY_ENABLED="false"
+if [ -n "$ENCRYPTION_KEY" ]; then
+  PRIVACY_ENABLED="true"
+fi
+# ============================================================================
+# ENCRYPTION FUNCTIONS
+# Uses AES-256-GCM with PBKDF2 key derivation
+# Format: iv_base64:ciphertext_base64 (compatible with browser Web Crypto API)
+# ============================================================================
+# Encrypt a single value using AES-256-GCM
+encrypt_pii() {
+  local plaintext="$1"
+  if [ -z "$plaintext" ] || [ "$PRIVACY_ENABLED" != "true" ]; then
+    echo "$plaintext"
+    return
+  fi
+  # Use Python for reliable PBKDF2 + AES-GCM (matches browser Web Crypto)
+  python3 - "$plaintext" "$ENCRYPTION_KEY" <<'PYEOF' 2>/dev/null
+import sys
+import os
+import base64
+import hashlib
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives import hashes
+plaintext = sys.argv[1]
+password = sys.argv[2]
+# Derive key using PBKDF2 (must match browser: salt="rulecatch", iterations=100000)
+kdf = PBKDF2HMAC(
+    algorithm=hashes.SHA256(),
+    length=32,
+    salt=b'rulecatch',
+    iterations=100000,
+)
+key = kdf.derive(password.encode())
+# Generate random IV (12 bytes for GCM)
+iv = os.urandom(12)
+# Encrypt with AES-256-GCM
+aesgcm = AESGCM(key)
+ciphertext = aesgcm.encrypt(iv, plaintext.encode(), None)
+# Output format: iv:ciphertext (both base64)
+print(base64.b64encode(iv).decode() + ':' + base64.b64encode(ciphertext).decode())
+PYEOF
+  # If Python encryption failed, return original value
+  if [ $? -ne 0 ]; then
+    echo "$plaintext"
+  fi
+}
+# Hash a value for searchable indexing (one-way, for grouping/filtering)
+hash_for_index() {
+  local plaintext="$1"
+  if [ -z "$plaintext" ]; then
+    echo ""
+    return
+  fi
+  # Truncated SHA256 hash with salt
+  echo -n "${plaintext}${SALT}" | sha256sum | cut -c1-16
+}
+# ============================================================================
+# MAIN LOGIC
+# ============================================================================
+# Read JSON from stdin
+INPUT=$(cat)
+# Extract hook event name
+HOOK_EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // empty')
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty')
+CWD=$(echo "$INPUT" | jq -r '.cwd // empty')
+# Capture git info (run in CWD context)
+log_debug "CWD=$CWD"
+log_debug "Checking git repo..."
+if [ -n "$CWD" ] && (cd "$CWD" && git rev-parse --git-dir >/dev/null 2>&1); then
+  log_debug "In git repo, capturing git info"
+  GIT_USERNAME=$(cd "$CWD" && git config user.name 2>/dev/null || echo "")
+  GIT_EMAIL=$(cd "$CWD" && git config user.email 2>/dev/null || echo "")
+  GIT_REPO=$(cd "$CWD" && git remote get-url origin 2>/dev/null || echo "")
+  GIT_BRANCH=$(cd "$CWD" && git branch --show-current 2>/dev/null || echo "")
+  GIT_COMMIT=$(cd "$CWD" && git rev-parse --short HEAD 2>/dev/null || echo "")
+  GIT_DIRTY=$(cd "$CWD" && [ -n "$(git status --porcelain 2>/dev/null)" ] && echo "true" || echo "false")
+  log_debug "Git: user=$GIT_USERNAME, email=$GIT_EMAIL, repo=$GIT_REPO, branch=$GIT_BRANCH, commit=$GIT_COMMIT"
+else
+  log_debug "Not in git repo or CWD empty"
+  GIT_USERNAME=""
+  GIT_EMAIL=""
+  GIT_REPO=""
+  GIT_BRANCH=""
+  GIT_COMMIT=""
+  GIT_DIRTY="false"
+fi
+# ============================================================================
+# ENCRYPT PII FIELDS
+# ============================================================================
+# Auto-detect project ID from git repo name (BEFORE encryption clears CWD)
+PROJECT_ID=""
+if [ -n "$GIT_REPO" ]; then
+  # Extract repo name from URL (handles both HTTPS and SSH)
+  PROJECT_ID=$(echo "$GIT_REPO" | sed 's/.*[/:]\([^/]*\)\.git$/\1/' | sed 's/.*[/:]\([^/]*\)$/\1/')
+fi
+if [ -z "$PROJECT_ID" ] && [ -n "$CWD" ]; then
+  PROJECT_ID=$(basename "$CWD")
+fi
+[ -z "$PROJECT_ID" ] && PROJECT_ID="unknown"
+# Initialize encrypted/hash variables
+GIT_USERNAME_ENCRYPTED=""
+GIT_EMAIL_ENCRYPTED=""
+CWD_ENCRYPTED=""
+PROJECT_ID_ENCRYPTED=""
+GIT_USERNAME_HASH=""
+GIT_EMAIL_HASH=""
+CWD_HASH=""
+PROJECT_ID_HASH=""
+# If privacy is enabled, encrypt PII fields (decryptable) + create hashes (for indexing)
+if [ "$PRIVACY_ENABLED" == "true" ]; then
+  GIT_USERNAME_ENCRYPTED=$(encrypt_pii "$GIT_USERNAME")
+  GIT_EMAIL_ENCRYPTED=$(encrypt_pii "$GIT_EMAIL")
+  CWD_ENCRYPTED=$(encrypt_pii "$CWD")
+  PROJECT_ID_ENCRYPTED=$(encrypt_pii "$PROJECT_ID")
+  GIT_USERNAME_HASH=$(hash_for_index "$GIT_USERNAME")
+  GIT_EMAIL_HASH=$(hash_for_index "$GIT_EMAIL")
+  CWD_HASH=$(hash_for_index "$CWD")
+  PROJECT_ID_HASH=$(hash_for_index "$PROJECT_ID")
+  # Clear plaintext values
+  GIT_USERNAME=""
+  GIT_EMAIL=""
+  CWD=""
+  PROJECT_ID=""
+fi
+# ============================================================================
+# BUILD EVENT PAYLOAD
+# ============================================================================
+case "$HOOK_EVENT" in
+  "SessionStart")
+    STATS_FILE="$HOME/.claude/stats-cache.json"
+    if [ -f "$STATS_FILE" ]; then
+      cp "$STATS_FILE" "/tmp/rulecatch-stats-start-$SESSION_ID.json"
+    fi
+    CLAUDE_VERSION=$(echo "$INPUT" | jq -r '.version // empty')
+    # Get account info
+    ACCOUNT_EMAIL=""
+    ORG_NAME=""
+    BILLING_TYPE=""
+    HAS_OPUS_DEFAULT="false"
+    for f in "$HOME/.claude/"*.json; do
+      if [ -f "$f" ]; then
+        EMAIL=$(jq -r '.oauthAccount.emailAddress // empty' "$f" 2>/dev/null)
+        if [ -n "$EMAIL" ]; then
+          ACCOUNT_EMAIL="$EMAIL"
+          ORG_NAME=$(jq -r '.oauthAccount.organizationName // empty' "$f" 2>/dev/null)
+          BILLING_TYPE=$(jq -r '.oauthAccount.organizationBillingType // empty' "$f" 2>/dev/null)
+          HAS_OPUS_DEFAULT=$(jq -r '.hasOpusPlanDefault // false' "$f" 2>/dev/null)
+          break
+        fi
+      fi
+    done
+    # Encrypt/hash account email if privacy enabled
+    ACCOUNT_EMAIL_ENCRYPTED=""
+    ACCOUNT_EMAIL_HASH=""
+    if [ "$PRIVACY_ENABLED" == "true" ]; then
+      ACCOUNT_EMAIL_ENCRYPTED=$(encrypt_pii "$ACCOUNT_EMAIL")
+      ACCOUNT_EMAIL_HASH=$(hash_for_index "$ACCOUNT_EMAIL")
+      ACCOUNT_EMAIL=""
+    fi
+    EVENT=$(jq -n \
+      --arg type "session_start" \
+      --arg sessionId "$SESSION_ID" \
+      --arg projectId "$PROJECT_ID" \
+      --arg projectIdEncrypted "$PROJECT_ID_ENCRYPTED" \
+      --arg projectIdHash "$PROJECT_ID_HASH" \
+      --arg cwd "$CWD" \
+      --arg cwdEncrypted "$CWD_ENCRYPTED" \
+      --arg cwdHash "$CWD_HASH" \
+      --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      --arg claudeVersion "$CLAUDE_VERSION" \
+      --arg accountEmail "$ACCOUNT_EMAIL" \
+      --arg accountEmailEncrypted "$ACCOUNT_EMAIL_ENCRYPTED" \
+      --arg accountEmailHash "$ACCOUNT_EMAIL_HASH" \
+      --arg orgName "$ORG_NAME" \
+      --arg billingType "$BILLING_TYPE" \
+      --argjson hasOpusDefault "$HAS_OPUS_DEFAULT" \
+      --arg gitUsername "$GIT_USERNAME" \
+      --arg gitUsernameEncrypted "$GIT_USERNAME_ENCRYPTED" \
+      --arg gitUsernameHash "$GIT_USERNAME_HASH" \
+      --arg gitEmail "$GIT_EMAIL" \
+      --arg gitEmailEncrypted "$GIT_EMAIL_ENCRYPTED" \
+      --arg gitEmailHash "$GIT_EMAIL_HASH" \
+      --arg gitRepo "$GIT_REPO" \
+      --arg gitBranch "$GIT_BRANCH" \
+      --arg gitCommit "$GIT_COMMIT" \
+      --argjson gitDirty "$GIT_DIRTY" \
+      --arg region "$REGION" \
+      --argjson privacyEnabled "$PRIVACY_ENABLED" \
+      '{type: $type, sessionId: $sessionId, projectId: $projectId, projectIdEncrypted: $projectIdEncrypted, projectIdHash: $projectIdHash, cwd: $cwd, cwdEncrypted: $cwdEncrypted, cwdHash: $cwdHash, timestamp: $timestamp, claudeVersion: $claudeVersion, accountEmail: $accountEmail, accountEmailEncrypted: $accountEmailEncrypted, accountEmailHash: $accountEmailHash, orgName: $orgName, billingType: $billingType, hasOpusDefault: $hasOpusDefault, gitUsername: $gitUsername, gitUsernameEncrypted: $gitUsernameEncrypted, gitUsernameHash: $gitUsernameHash, gitEmail: $gitEmail, gitEmailEncrypted: $gitEmailEncrypted, gitEmailHash: $gitEmailHash, gitRepo: $gitRepo, gitBranch: $gitBranch, gitCommit: $gitCommit, gitDirty: $gitDirty, region: $region, privacyEnabled: $privacyEnabled}')
+    ;;
+  "SessionEnd")
+    TOTAL_ADDED=0
+    TOTAL_REMOVED=0
+    FILES_CHANGED=0
+    CHANGED_FILES_JSON="[]"
+    CHANGED_FILES_HASHES="[]"
+    # Use original CWD for git operations (before encryption cleared it)
+    ORIGINAL_CWD=$(echo "$INPUT" | jq -r '.cwd // empty')
+    if [ -n "$ORIGINAL_CWD" ] && (cd "$ORIGINAL_CWD" && git rev-parse --git-dir >/dev/null 2>&1); then
+      DIFF_STAT=$(cd "$ORIGINAL_CWD" && git diff --numstat HEAD 2>/dev/null)
+      STAGED_STAT=$(cd "$ORIGINAL_CWD" && git diff --numstat --cached 2>/dev/null)
+      ALL_STATS=$(echo -e "$DIFF_STAT\n$STAGED_STAT" | grep -v '^$')
+      if [ -n "$ALL_STATS" ]; then
+        while IFS=$'\t' read -r added removed file; do
+          if [ "$added" != "-" ] && [ "$removed" != "-" ]; then
+            TOTAL_ADDED=$((TOTAL_ADDED + added))
+            TOTAL_REMOVED=$((TOTAL_REMOVED + removed))
+          fi
+          FILES_CHANGED=$((FILES_CHANGED + 1))
+        done <<< "$ALL_STATS"
+        if [ "$PRIVACY_ENABLED" == "true" ]; then
+          CHANGED_FILES_HASHES=$(cd "$ORIGINAL_CWD" && git diff --name-only HEAD 2>/dev/null | while read f; do hash_for_index "$f"; done | jq -R -s 'split("\n") | map(select(length > 0))')
+          CHANGED_FILES_JSON="[]"
+        else
+          CHANGED_FILES_JSON=$(cd "$ORIGINAL_CWD" && git diff --name-only HEAD 2>/dev/null | jq -R -s 'split("\n") | map(select(length > 0))')
+        fi
+        [ -z "$CHANGED_FILES_JSON" ] && CHANGED_FILES_JSON="[]"
+        [ -z "$CHANGED_FILES_HASHES" ] && CHANGED_FILES_HASHES="[]"
+      fi
+    fi
+    # Token delta calculation
+    STATS_FILE="$HOME/.claude/stats-cache.json"
+    START_STATS="/tmp/rulecatch-stats-start-$SESSION_ID.json"
+    INPUT_TOKENS=0
+    OUTPUT_TOKENS=0
+    CACHE_READ_TOKENS=0
+    CACHE_WRITE_TOKENS=0
+    MODEL_USED=""
+    if [ -f "$STATS_FILE" ] && [ -f "$START_STATS" ]; then
+      END_STATS=$(cat "$STATS_FILE")
+      START_STATS_JSON=$(cat "$START_STATS")
+      for MODEL in "claude-opus-4-5-20251101" "claude-sonnet-4-5-20250929"; do
+        START_IN=$(echo "$START_STATS_JSON" | jq -r ".modelUsage.\"$MODEL\".inputTokens // 0")
+        END_IN=$(echo "$END_STATS" | jq -r ".modelUsage.\"$MODEL\".inputTokens // 0")
+        DELTA_IN=$((END_IN - START_IN))
+        if [ "$DELTA_IN" -gt 0 ]; then
+          MODEL_USED="$MODEL"
+          INPUT_TOKENS=$DELTA_IN
+          START_OUT=$(echo "$START_STATS_JSON" | jq -r ".modelUsage.\"$MODEL\".outputTokens // 0")
+          END_OUT=$(echo "$END_STATS" | jq -r ".modelUsage.\"$MODEL\".outputTokens // 0")
+          OUTPUT_TOKENS=$((END_OUT - START_OUT))
+          START_CACHE_R=$(echo "$START_STATS_JSON" | jq -r ".modelUsage.\"$MODEL\".cacheReadInputTokens // 0")
+          END_CACHE_R=$(echo "$END_STATS" | jq -r ".modelUsage.\"$MODEL\".cacheReadInputTokens // 0")
+          CACHE_READ_TOKENS=$((END_CACHE_R - START_CACHE_R))
+          START_CACHE_W=$(echo "$START_STATS_JSON" | jq -r ".modelUsage.\"$MODEL\".cacheCreationInputTokens // 0")
+          END_CACHE_W=$(echo "$END_STATS" | jq -r ".modelUsage.\"$MODEL\".cacheCreationInputTokens // 0")
+          CACHE_WRITE_TOKENS=$((END_CACHE_W - START_CACHE_W))
+          break
+        fi
+      done
+      rm -f "$START_STATS"
+    fi
+    ESTIMATED_COST=0
+    if [ -n "$MODEL_USED" ]; then
+      case "$MODEL_USED" in
+        *opus*)
+          COST_IN=$(echo "scale=6; $INPUT_TOKENS * 0.000015" | bc)
+          COST_OUT=$(echo "scale=6; $OUTPUT_TOKENS * 0.000075" | bc)
+          ESTIMATED_COST=$(echo "scale=6; $COST_IN + $COST_OUT" | bc)
+          ;;
+        *sonnet*)
+          COST_IN=$(echo "scale=6; $INPUT_TOKENS * 0.000003" | bc)
+          COST_OUT=$(echo "scale=6; $OUTPUT_TOKENS * 0.000015" | bc)
+          ESTIMATED_COST=$(echo "scale=6; $COST_IN + $COST_OUT" | bc)
+          ;;
+      esac
+    fi
+    # Encrypt file paths if privacy enabled
+    CHANGED_FILES_ENCRYPTED="[]"
+    if [ "$PRIVACY_ENABLED" == "true" ] && [ "$CHANGED_FILES_JSON" != "[]" ]; then
+      CHANGED_FILES_ENCRYPTED=$(echo "$CHANGED_FILES_JSON" | jq -r '.[]' | while read f; do
+        encrypted=$(encrypt_pii "$f")
+        echo "\"$encrypted\""
+      done | jq -s '.')
+    fi
+    EVENT=$(jq -n \
+      --arg type "session_end" \
+      --arg sessionId "$SESSION_ID" \
+      --arg projectId "$PROJECT_ID" \
+      --arg projectIdEncrypted "$PROJECT_ID_ENCRYPTED" \
+      --arg projectIdHash "$PROJECT_ID_HASH" \
+      --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      --argjson linesAdded "$TOTAL_ADDED" \
+      --argjson linesRemoved "$TOTAL_REMOVED" \
+      --argjson filesChanged "$FILES_CHANGED" \
+      --argjson filesModified "$CHANGED_FILES_JSON" \
+      --argjson filesModifiedEncrypted "$CHANGED_FILES_ENCRYPTED" \
+      --argjson filesModifiedHashes "$CHANGED_FILES_HASHES" \
+      --arg model "$MODEL_USED" \
+      --argjson inputTokens "$INPUT_TOKENS" \
+      --argjson outputTokens "$OUTPUT_TOKENS" \
+      --argjson cacheReadTokens "$CACHE_READ_TOKENS" \
+      --argjson cacheWriteTokens "$CACHE_WRITE_TOKENS" \
+      --argjson estimatedCost "${ESTIMATED_COST:-0}" \
+      --arg gitUsername "$GIT_USERNAME" \
+      --arg gitUsernameEncrypted "$GIT_USERNAME_ENCRYPTED" \
+      --arg gitUsernameHash "$GIT_USERNAME_HASH" \
+      --arg gitEmail "$GIT_EMAIL" \
+      --arg gitEmailEncrypted "$GIT_EMAIL_ENCRYPTED" \
+      --arg gitEmailHash "$GIT_EMAIL_HASH" \
+      --arg gitRepo "$GIT_REPO" \
+      --arg gitBranch "$GIT_BRANCH" \
+      --arg gitCommit "$GIT_COMMIT" \
+      --argjson gitDirty "$GIT_DIRTY" \
+      '{type: $type, sessionId: $sessionId, projectId: $projectId, projectIdEncrypted: $projectIdEncrypted, projectIdHash: $projectIdHash, timestamp: $timestamp, linesAdded: $linesAdded, linesRemoved: $linesRemoved, filesChanged: $filesChanged, filesModified: $filesModified, filesModifiedEncrypted: $filesModifiedEncrypted, filesModifiedHashes: $filesModifiedHashes, model: $model, inputTokens: $inputTokens, outputTokens: $outputTokens, cacheReadTokens: $cacheReadTokens, cacheWriteTokens: $cacheWriteTokens, estimatedCost: $estimatedCost, gitUsername: $gitUsername, gitUsernameEncrypted: $gitUsernameEncrypted, gitUsernameHash: $gitUsernameHash, gitEmail: $gitEmail, gitEmailEncrypted: $gitEmailEncrypted, gitEmailHash: $gitEmailHash, gitRepo: $gitRepo, gitBranch: $gitBranch, gitCommit: $gitCommit, gitDirty: $gitDirty}')
+    ;;
+  "PostToolUse"|"PostToolUseFailure")
+    TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+    TOOL_INPUT=$(echo "$INPUT" | jq -c '.tool_input // {}')
+    TOOL_RESPONSE=$(echo "$INPUT" | jq -c '.tool_response // {}')
+    SUCCESS=$([[ "$HOOK_EVENT" == "PostToolUse" ]] && echo "true" || echo "false")
+    FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .path // empty')
+    INPUT_SIZE=$(echo "$TOOL_INPUT" | wc -c)
+    OUTPUT_SIZE=$(echo "$TOOL_RESPONSE" | wc -c)
+    TOOL_INPUT_TOKENS=$((INPUT_SIZE / 4))
+    TOOL_OUTPUT_TOKENS=$((OUTPUT_SIZE / 4))
+    # Truncate tool input/output for rule matching (max 4KB each)
+    TOOL_INPUT_TRUNCATED=$(echo "$TOOL_INPUT" | head -c 4096)
+    TOOL_OUTPUT_TRUNCATED=$(echo "$TOOL_RESPONSE" | head -c 4096)
+    # Save original file path for language detection before encryption
+    FILE_PATH_ORIGINAL="$FILE_PATH"
+    # Encrypt/hash file path if privacy enabled
+    FILE_PATH_ENCRYPTED=""
+    FILE_PATH_HASH=""
+    if [ "$PRIVACY_ENABLED" == "true" ] && [ -n "$FILE_PATH" ]; then
+      FILE_PATH_ENCRYPTED=$(encrypt_pii "$FILE_PATH")
+      FILE_PATH_HASH=$(hash_for_index "$FILE_PATH")
+      FILE_PATH=""
+    fi
+    # Detect language from original path
+    LANGUAGE=""
+    if [ -n "$FILE_PATH_ORIGINAL" ]; then
+      EXT="${FILE_PATH_ORIGINAL##*.}"
+      case "$EXT" in
+        ts|tsx) LANGUAGE="typescript" ;;
+        js|jsx|mjs|cjs) LANGUAGE="javascript" ;;
+        py) LANGUAGE="python" ;;
+        rs) LANGUAGE="rust" ;;
+        go) LANGUAGE="go" ;;
+        java) LANGUAGE="java" ;;
+        rb) LANGUAGE="ruby" ;;
+        php) LANGUAGE="php" ;;
+        cs) LANGUAGE="csharp" ;;
+        cpp|cc|cxx|c|h|hpp) LANGUAGE="cpp" ;;
+        swift) LANGUAGE="swift" ;;
+        kt|kts) LANGUAGE="kotlin" ;;
+        sh|bash|zsh) LANGUAGE="shell" ;;
+        sql) LANGUAGE="sql" ;;
+        html|htm) LANGUAGE="html" ;;
+        css|scss|sass|less) LANGUAGE="css" ;;
+        json) LANGUAGE="json" ;;
+        yaml|yml) LANGUAGE="yaml" ;;
+        md|mdx) LANGUAGE="markdown" ;;
+        *) LANGUAGE="other" ;;
+      esac
+    fi
+    case "$TOOL_NAME" in
+      "Edit") FILE_OP="edit" ;;
+      "Write") FILE_OP="write" ;;
+      "Read") FILE_OP="read" ;;
+      "Bash") FILE_OP="bash" ;;
+      "Glob"|"Grep") FILE_OP="search" ;;
+      "Task") FILE_OP="agent" ;;
+      "WebFetch"|"WebSearch") FILE_OP="web" ;;
+      *) FILE_OP="other" ;;
+    esac
+    EVENT=$(jq -n \
+      --arg type "tool_call" \
+      --arg sessionId "$SESSION_ID" \
+      --arg projectId "$PROJECT_ID" \
+      --arg projectIdEncrypted "$PROJECT_ID_ENCRYPTED" \
+      --arg projectIdHash "$PROJECT_ID_HASH" \
+      --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      --arg toolName "$TOOL_NAME" \
+      --argjson toolSuccess "$SUCCESS" \
+      --arg filePath "$FILE_PATH" \
+      --arg filePathEncrypted "$FILE_PATH_ENCRYPTED" \
+      --arg filePathHash "$FILE_PATH_HASH" \
+      --argjson toolInputSize "$TOOL_INPUT_TOKENS" \
+      --argjson toolOutputSize "$TOOL_OUTPUT_TOKENS" \
+      --arg toolInput "$TOOL_INPUT_TRUNCATED" \
+      --arg toolOutput "$TOOL_OUTPUT_TRUNCATED" \
+      --arg language "$LANGUAGE" \
+      --arg fileOperation "$FILE_OP" \
+      --arg gitUsername "$GIT_USERNAME" \
+      --arg gitUsernameEncrypted "$GIT_USERNAME_ENCRYPTED" \
+      --arg gitUsernameHash "$GIT_USERNAME_HASH" \
+      --arg gitEmail "$GIT_EMAIL" \
+      --arg gitEmailEncrypted "$GIT_EMAIL_ENCRYPTED" \
+      --arg gitEmailHash "$GIT_EMAIL_HASH" \
+      --arg gitRepo "$GIT_REPO" \
+      --arg gitBranch "$GIT_BRANCH" \
+      --arg gitCommit "$GIT_COMMIT" \
+      --argjson gitDirty "$GIT_DIRTY" \
+      '{type: $type, sessionId: $sessionId, projectId: $projectId, projectIdEncrypted: $projectIdEncrypted, projectIdHash: $projectIdHash, timestamp: $timestamp, toolName: $toolName, toolSuccess: $toolSuccess, filePath: $filePath, filePathEncrypted: $filePathEncrypted, filePathHash: $filePathHash, toolInputSize: $toolInputSize, toolOutputSize: $toolOutputSize, toolInput: $toolInput, toolOutput: $toolOutput, language: $language, fileOperation: $fileOperation, gitUsername: $gitUsername, gitUsernameEncrypted: $gitUsernameEncrypted, gitUsernameHash: $gitUsernameHash, gitEmail: $gitEmail, gitEmailEncrypted: $gitEmailEncrypted, gitEmailHash: $gitEmailHash, gitRepo: $gitRepo, gitBranch: $gitBranch, gitCommit: $gitCommit, gitDirty: $gitDirty}')
+    ;;
+  "Stop")
+    EVENT=$(jq -n \
+      --arg type "turn_complete" \
+      --arg sessionId "$SESSION_ID" \
+      --arg projectId "$PROJECT_ID" \
+      --arg projectIdEncrypted "$PROJECT_ID_ENCRYPTED" \
+      --arg projectIdHash "$PROJECT_ID_HASH" \
+      --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      '{type: $type, sessionId: $sessionId, projectId: $projectId, projectIdEncrypted: $projectIdEncrypted, projectIdHash: $projectIdHash, timestamp: $timestamp}')
+    ;;
+  *)
+    exit 0
+    ;;
+esac
+# ============================================================================
+# WRITE TO BUFFER FILE
+# ============================================================================
+# Generate unique filename: timestamp-random.json
+TIMESTAMP=$(date +%s%N 2>/dev/null || date +%s)
+RANDOM_SUFFIX=$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')
+BUFFER_FILE="$BUFFER_DIR/${TIMESTAMP}-${RANDOM_SUFFIX}.json"
+echo "$EVENT" > "$BUFFER_FILE"
+log_debug "Event type: $HOOK_EVENT -> $BUFFER_FILE"
+# ============================================================================
+# TRIGGER FLUSH
+# ============================================================================
+if [ "$HOOK_EVENT" == "SessionEnd" ] || [ "$HOOK_EVENT" == "Stop" ]; then
+  # Force flush on session end (synchronous)
+  if [ -f "$FLUSH_SCRIPT" ]; then
+    node "$FLUSH_SCRIPT" --force 2>/dev/null
+  fi
+else
+  # Async flush attempt (non-blocking)
+  if [ -f "$FLUSH_SCRIPT" ]; then
+    node "$FLUSH_SCRIPT" 2>/dev/null &
+  fi
+fi
+exit 0