@runtimescope/collector 0.10.0 → 0.10.1

package/dist/{chunk-WWFIEANS.js → chunk-M2V4EFJY.js}

@@ -76,6 +76,57 @@ var EventStore = class {
     this.sqliteStore = store;
     this.currentProject = project;
   }
+  /**
+   * Pre-load recent events from a SqliteStore into the in-memory ring buffer.
+   * Used at collector startup to make MCP tools immediately useful after a
+   * restart — without this, the buffer is empty until the SDK reconnects and
+   * generates new traffic.
+   *
+   * Also rehydrates the session→projectId map from SqliteStore's `sessions`
+   * table. Without this, queries filtered by `project_id` after a crash
+   * return nothing because the in-memory map is empty: events are tagged
+   * by sessionId, and matchesProjectId() looks up the session record to
+   * find the project. (Pre-fix: only sessions whose `session` event happens
+   * to be in the warmed window got rehydrated, which is rare in long runs.)
+   *
+   * Does NOT propagate to SqliteStore (we just read FROM it). Ring-buffer
+   * eviction handles overflow naturally if multiple projects are warmed.
+   */
+  warmFromSqlite(sqliteStore, project, limit) {
+    for (const stored of sqliteStore.getStoredSessions(project)) {
+      if (this.sessions.has(stored.sessionId)) continue;
+      this.sessions.set(stored.sessionId, {
+        sessionId: stored.sessionId,
+        appName: stored.appName,
+        connectedAt: stored.connectedAt,
+        sdkVersion: stored.sdkVersion,
+        eventCount: 0,
+        // recompute from warmed events below
+        isConnected: false,
+        projectId: stored.projectId
+      });
+    }
+    const events = sqliteStore.getRecentEvents(project, limit);
+    for (const event of events) {
+      if (event.eventType === "session") {
+        const se = event;
+        if (!this.sessions.has(se.sessionId)) {
+          this.sessions.set(se.sessionId, {
+            sessionId: se.sessionId,
+            appName: se.appName,
+            connectedAt: se.connectedAt,
+            sdkVersion: se.sdkVersion,
+            eventCount: 0,
+            isConnected: false,
+            projectId: se.projectId
+          });
+        }
+      }
+      const session = this.sessions.get(event.sessionId);
+      if (session) session.eventCount++;
+      this.buffer.push(event);
+    }
+  }
   onEvent(callback) {
     this.onEventCallbacks.push(callback);
   }
@@ -144,6 +195,19 @@ var EventStore = class {
   getSessionInfo() {
     return Array.from(this.sessions.values());
   }
+  /**
+   * Fast O(sessions) event count for a specific projectId. Callers that just
+   * want to know "have any events arrived for project X yet?" should use this
+   * instead of `getAllEvents(..., projectId).length`, which allocates and
+   * filters the entire 10K-event ring buffer on every call.
+   */
+  eventCountForProject(projectId) {
+    let total = 0;
+    for (const session of this.sessions.values()) {
+      if (session.projectId === projectId) total += session.eventCount;
+    }
+    return total;
+  }
   markDisconnected(sessionId) {
     const s = this.sessions.get(sessionId);
     if (s) s.isConnected = false;
@@ -381,7 +445,7 @@ function resolveProjectId(projectManager, appName, pmStore) {
 }
 
 // src/sqlite-store.ts
-import { renameSync, existsSync } from "fs";
+import { renameSync, existsSync, statSync } from "fs";
 import { createRequire } from "module";
 var DatabaseConstructor;
 function getDatabase() {
@@ -459,8 +523,8 @@ var SqliteStore = class _SqliteStore {
     this.insertSessionStmt = db.prepare(`
       INSERT OR REPLACE INTO sessions (
         session_id, project, app_name, connected_at, sdk_version,
-        event_count, is_connected, build_meta
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+        event_count, is_connected, build_meta, project_id
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
     `);
     this.updateSessionDisconnectedStmt = db.prepare(`
       UPDATE sessions SET is_connected = 0, disconnected_at = ? WHERE session_id = ?
@@ -512,6 +576,14 @@ var SqliteStore = class _SqliteStore {
       CREATE INDEX IF NOT EXISTS idx_snapshots_session ON session_snapshots(session_id);
       CREATE INDEX IF NOT EXISTS idx_snapshots_project ON session_snapshots(project, created_at);
     `);
+    try {
+      d.exec("ALTER TABLE sessions ADD COLUMN project_id TEXT");
+    } catch {
+    }
+    try {
+      d.exec("CREATE INDEX IF NOT EXISTS idx_sessions_project_id ON sessions(project_id)");
+    } catch {
+    }
     this.migrateSessionMetrics(d);
   }
   // --- Write Operations ---
@@ -554,9 +626,37 @@ var SqliteStore = class _SqliteStore {
       info.sdkVersion,
       info.eventCount,
       info.isConnected ? 1 : 0,
-      info.buildMeta ? JSON.stringify(info.buildMeta) : null
+      info.buildMeta ? JSON.stringify(info.buildMeta) : null,
+      info.projectId ?? null
     );
   }
+  /**
+   * Read every session record stored for a project. Used by the in-memory
+   * EventStore at startup to rehydrate the session→projectId map after a
+   * crash, so post-recovery `?project_id=...` queries return the right rows.
+   * Each row is returned as a `SessionInfo` shape compatible with EventStore.
+   */
+  getStoredSessions(project) {
+    const rows = this.db.prepare(
+      `SELECT session_id, project, app_name, connected_at, disconnected_at,
+                sdk_version, event_count, is_connected, build_meta, project_id
+         FROM sessions WHERE project = ?`
+    ).all(project);
+    return rows.map((r) => ({
+      sessionId: r.session_id,
+      project: r.project,
+      appName: r.app_name,
+      connectedAt: r.connected_at,
+      sdkVersion: r.sdk_version,
+      eventCount: r.event_count,
+      // Recovered sessions are NEVER live — only an active WS reconnect
+      // flips this back to true. The persisted `is_connected = 1` only
+      // means "was connected when last written"; if we crashed, it's stale.
+      isConnected: false,
+      buildMeta: r.build_meta ? JSON.parse(r.build_meta) : void 0,
+      projectId: r.project_id ?? void 0
+    }));
+  }
   updateSessionDisconnected(sessionId, disconnectedAt) {
     this.updateSessionDisconnectedStmt.run(disconnectedAt, sessionId);
   }
@@ -582,6 +682,17 @@ var SqliteStore = class _SqliteStore {
     }
   }
   // --- Read Operations ---
+  /**
+   * Return the most recent `limit` events for a project, in chronological
+   * order (oldest-first). Used at startup to warm the in-memory ring buffer
+   * so MCP tools see recent activity immediately after a collector restart.
+   */
+  getRecentEvents(project, limit) {
+    const rows = this.db.prepare(
+      `SELECT data FROM events WHERE project = ? ORDER BY timestamp DESC LIMIT ?`
+    ).all(project, limit);
+    return rows.reverse().map((row) => JSON.parse(row.data));
+  }
   getEvents(filter) {
     const conditions = [];
     const params = [];
@@ -726,6 +837,24 @@ var SqliteStore = class _SqliteStore {
   vacuum() {
     this.db.exec("VACUUM");
   }
+  /**
+   * Atomically copy the live database to `targetPath` using SQLite's
+   * `VACUUM INTO`. The destination is a self-contained, defragmented copy of
+   * the DB at the moment the statement runs — no readers are blocked beyond
+   * the duration of the copy, and the WAL/journal contents are folded in.
+   * The target file must not already exist; SQLite refuses to overwrite.
+   *
+   * Returns the size in bytes of the resulting file.
+   */
+  snapshotTo(targetPath) {
+    this.flush();
+    this.db.prepare("VACUUM INTO ?").run(targetPath);
+    try {
+      return statSync(targetPath).size;
+    } catch {
+      return 0;
+    }
+  }
   close() {
     if (this.flushTimer) {
       clearInterval(this.flushTimer);
@@ -756,6 +885,672 @@ function isSqliteAvailable() {
   return _available;
 }
 
+// src/wal.ts
+import {
+  closeSync,
+  existsSync as existsSync2,
+  fsyncSync,
+  mkdirSync,
+  openSync,
+  readFileSync,
+  readdirSync,
+  renameSync as renameSync2,
+  statSync as statSync2,
+  unlinkSync,
+  writeSync
+} from "fs";
+import { join } from "path";
+var Wal = class {
+  dir;
+  rotateSize;
+  fd = null;
+  activeSize = 0;
+  seq = 0;
+  closed = false;
+  constructor(options) {
+    this.dir = options.dir;
+    this.rotateSize = options.rotateSizeBytes ?? 8 * 1024 * 1024;
+    mkdirSync(this.dir, { recursive: true });
+    this.openActive();
+  }
+  openActive() {
+    const path = this.activePath();
+    this.fd = openSync(path, "a");
+    try {
+      this.activeSize = statSync2(path).size;
+    } catch {
+      this.activeSize = 0;
+    }
+  }
+  activePath() {
+    return join(this.dir, "active.jsonl");
+  }
+  /**
+   * Buffer events into the active file. Not durable yet — must be followed by
+   * `commit()` before the caller treats the events as persisted.
+   */
+  append(events) {
+    if (this.closed || this.fd === null || events.length === 0) return;
+    const lines = [];
+    for (const ev of events) {
+      this.seq++;
+      const entry = { seq: this.seq, event: ev };
+      lines.push(JSON.stringify(entry));
+    }
+    const payload = Buffer.from(lines.join("\n") + "\n", "utf8");
+    writeSync(this.fd, payload);
+    this.activeSize += payload.length;
+  }
+  /** fsync the active file. Durability contract: returns only after bytes are on stable storage. */
+  commit() {
+    if (this.closed || this.fd === null) return;
+    try {
+      fsyncSync(this.fd);
+    } catch {
+    }
+  }
+  /** True if the active file has exceeded the rotate threshold. */
+  shouldRotate() {
+    return this.activeSize >= this.rotateSize;
+  }
+  /**
+   * Rotate the active file: fsync, close, rename to `sealed-<ts>-<seq>.jsonl`,
+   * then open a fresh active file. Returns the sealed path so the caller can
+   * schedule deletion after confirming persistence elsewhere.
+   */
+  rotate() {
+    if (this.closed || this.fd === null) return null;
+    this.commit();
+    closeSync(this.fd);
+    this.fd = null;
+    const active = this.activePath();
+    if (!existsSync2(active)) {
+      this.openActive();
+      return null;
+    }
+    const sealed = join(this.dir, `sealed-${Date.now()}-${this.seq}.jsonl`);
+    renameSync2(active, sealed);
+    this.activeSize = 0;
+    this.openActive();
+    return sealed;
+  }
+  /** Remove a sealed file once its events are durable in the downstream store. */
+  static deleteSealed(path) {
+    try {
+      unlinkSync(path);
+    } catch {
+    }
+  }
+  /** List sealed files in this WAL's directory, sorted oldest-first. */
+  listSealed() {
+    try {
+      return readdirSync(this.dir).filter((f) => f.startsWith("sealed-") && f.endsWith(".jsonl")).sort().map((f) => join(this.dir, f));
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Parse a WAL file back into its events, skipping any corrupt or truncated
+   * trailing line. A crash mid-append can leave a partial line; the parser
+   * tolerates it because fsync had never completed for that line, which means
+   * the event was never treated as durable.
+   */
+  static readFile(path) {
+    let raw;
+    try {
+      raw = readFileSync(path, "utf8");
+    } catch {
+      return [];
+    }
+    if (!raw) return [];
+    const events = [];
+    for (const line of raw.split("\n")) {
+      if (!line.trim()) continue;
+      try {
+        const parsed = JSON.parse(line);
+        if (parsed && parsed.event) events.push(parsed.event);
+      } catch {
+        break;
+      }
+    }
+    return events;
+  }
+  /**
+   * List the WAL files that need recovery for a project: any sealed files
+   * plus the active file if it has content. Returned in ingestion order
+   * (sealed oldest-first, then active last).
+   */
+  static listRecoveryFiles(dir) {
+    if (!existsSync2(dir)) return [];
+    let entries;
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      return [];
+    }
+    const sealed = entries.filter((f) => f.startsWith("sealed-") && f.endsWith(".jsonl")).sort();
+    const files = sealed.map((f) => join(dir, f));
+    const active = join(dir, "active.jsonl");
+    try {
+      const s = statSync2(active);
+      if (s.size > 0) files.push(active);
+    } catch {
+    }
+    return files;
+  }
+  close() {
+    if (this.closed || this.fd === null) return;
+    this.commit();
+    try {
+      closeSync(this.fd);
+    } catch {
+    }
+    this.fd = null;
+    this.closed = true;
+  }
+  /**
+   * Copy the active file (post-fsync) and any sealed files into `targetDir`.
+   * Returns the total bytes copied. Used by snapshot endpoints — pairing the
+   * SQLite snapshot with the WAL means a restore captures any events that
+   * hadn't yet been drained into SQLite at snapshot time.
+   */
+  snapshotTo(targetDir) {
+    this.commit();
+    mkdirSync(targetDir, { recursive: true });
+    let total = 0;
+    const copyOne = (src, dstName) => {
+      try {
+        const data = readFileSync(src);
+        const dst = join(targetDir, dstName);
+        const fd = openSync(dst, "wx");
+        try {
+          writeSync(fd, data);
+        } finally {
+          closeSync(fd);
+        }
+        total += data.length;
+      } catch {
+      }
+    };
+    const active = this.activePath();
+    try {
+      if (statSync2(active).size > 0) copyOne(active, "active.jsonl");
+    } catch {
+    }
+    for (const sealed of this.listSealed()) {
+      copyOne(sealed, sealed.split("/").pop() ?? "sealed.jsonl");
+    }
+    return total;
+  }
+};
+
+// src/metrics.ts
+var Metric = class {
+  constructor(name, help, labelNames = []) {
+    this.name = name;
+    this.help = help;
+    this.labelNames = labelNames;
+    if (!/^[a-zA-Z_:][a-zA-Z0-9_:]*$/.test(name)) {
+      throw new Error(`Invalid metric name "${name}" \u2014 must match Prometheus naming rules`);
+    }
+  }
+};
+var Counter = class extends Metric {
+  values = /* @__PURE__ */ new Map();
+  type() {
+    return "counter";
+  }
+  inc(value = 1, labels = {}) {
+    if (!Number.isFinite(value) || value < 0) return;
+    const key = labelKey(labels, this.labelNames);
+    const existing = this.values.get(key);
+    if (existing) {
+      existing.value += value;
+    } else {
+      this.values.set(key, { labels: orderLabels(labels, this.labelNames), value });
+    }
+  }
+  reset() {
+    this.values.clear();
+  }
+  collect() {
+    return Array.from(this.values.values());
+  }
+};
+var Gauge = class extends Metric {
+  values = /* @__PURE__ */ new Map();
+  collectFn = null;
+  type() {
+    return "gauge";
+  }
+  /**
+   * Set a fixed value for the given label set. Per the Prometheus spec, gauges
+   * may take any numeric value including +Inf / -Inf / NaN — the renderer
+   * handles formatting. Only actually-not-a-number inputs (`undefined`, etc.)
+   * are silently dropped.
+   */
+  set(value, labels = {}) {
+    if (typeof value !== "number") return;
+    const key = labelKey(labels, this.labelNames);
+    this.values.set(key, { labels: orderLabels(labels, this.labelNames), value });
+  }
+  /**
+   * Compute the gauge dynamically at scrape time. Useful for things like
+   * "currently-connected sessions" where caching a stale value is wrong.
+   * Mutually exclusive with `set()` — last writer wins.
+   */
+  setCollect(fn) {
+    this.collectFn = () => {
+      const result = fn();
+      if (typeof result === "number") return [{ labels: {}, value: result }];
+      return result;
+    };
+  }
+  collect() {
+    if (this.collectFn) return this.collectFn();
+    return Array.from(this.values.values());
+  }
+};
+var MetricsRegistry = class {
+  metrics = [];
+  counter(name, help, labelNames = []) {
+    const c = new Counter(name, help, labelNames);
+    this.metrics.push(c);
+    return c;
+  }
+  gauge(name, help, labelNames = []) {
+    const g = new Gauge(name, help, labelNames);
+    this.metrics.push(g);
+    return g;
+  }
+  /** Serialize every registered metric in Prometheus exposition format. */
+  render() {
+    const out = [];
+    for (const metric of this.metrics) {
+      out.push(`# HELP ${metric.name} ${escapeHelp(metric.help)}`);
+      out.push(`# TYPE ${metric.name} ${metric.type()}`);
+      for (const sample of metric.collect()) {
+        out.push(formatSample(metric.name, sample));
+      }
+    }
+    return out.join("\n") + "\n";
+  }
+};
+function labelKey(labels, expected) {
+  const ordered = orderLabels(labels, expected);
+  const pairs = [];
+  for (const name of Object.keys(ordered).sort()) {
+    pairs.push(`${name}=${ordered[name]}`);
+  }
+  return pairs.join("|");
+}
+function orderLabels(labels, expected) {
+  const out = {};
+  for (const name of expected) {
+    out[name] = labels[name] ?? "";
+  }
+  return out;
+}
+function formatSample(name, sample) {
+  const labelPart = renderLabels(sample.labels);
+  return `${name}${labelPart} ${formatNumber(sample.value)}`;
+}
+function renderLabels(labels) {
+  const keys = Object.keys(labels);
+  if (keys.length === 0) return "";
+  const parts = [];
+  for (const k of keys.sort()) {
+    parts.push(`${k}="${escapeLabelValue(labels[k])}"`);
+  }
+  return `{${parts.join(",")}}`;
+}
+function escapeLabelValue(v) {
+  return v.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+}
+function escapeHelp(v) {
+  return v.replace(/\\/g, "\\\\").replace(/\n/g, "\\n");
+}
+function formatNumber(n) {
+  if (Number.isNaN(n)) return "NaN";
+  if (n === Infinity) return "+Inf";
+  if (n === -Infinity) return "-Inf";
+  if (Number.isInteger(n)) return String(n);
+  return n.toString();
+}
+
+// src/otel-exporter.ts
+import { createHash, randomBytes as randomBytes2 } from "crypto";
+var SpanKind = {
+  INTERNAL: 1,
+  SERVER: 2,
+  CLIENT: 3
+};
+var StatusCode = {
+  UNSET: 0,
+  OK: 1,
+  ERROR: 2
+};
+var OtelExporter = class {
+  spans = [];
+  logs = [];
+  metrics = [];
+  flushTimer = null;
+  closed = false;
+  lastFailureLog = 0;
+  endpoint;
+  serviceName;
+  serviceNamespace;
+  headers;
+  maxBatchSize;
+  constructor(options) {
+    if (!options.endpoint) throw new Error("OtelExporter requires an endpoint");
+    this.endpoint = options.endpoint.replace(/\/$/, "");
+    this.serviceName = options.serviceName ?? "runtimescope-collector";
+    this.serviceNamespace = options.serviceNamespace;
+    this.headers = options.headers ?? {};
+    this.maxBatchSize = options.maxBatchSize ?? 1e3;
+    const interval = options.flushIntervalMs ?? 1e4;
+    this.flushTimer = setInterval(() => {
+      void this.flush().catch(() => {
+      });
+    }, interval);
+    this.flushTimer.unref?.();
+  }
+  /** Convert a RuntimeScope event to its OTel signal(s) and buffer. */
+  ingest(event) {
+    if (this.closed) return;
+    switch (event.eventType) {
+      case "network":
+        this.spans.push(this.networkToSpan(event));
+        break;
+      case "database":
+        this.spans.push(this.databaseToSpan(event));
+        break;
+      case "render":
+        this.spans.push(...this.renderToSpans(event));
+        break;
+      case "console":
+        this.logs.push(this.consoleToLog(event));
+        break;
+      case "performance": {
+        const m = this.performanceToMetric(event);
+        if (m) this.metrics.push(m);
+        break;
+      }
+      default:
+        break;
+    }
+    if (this.spans.length + this.logs.length + this.metrics.length >= this.maxBatchSize) {
+      void this.flush().catch(() => {
+      });
+    }
+  }
+  /** POST any buffered signals to the OTLP endpoint. */
+  async flush() {
+    if (this.closed) return;
+    const spans = this.spans;
+    const logs = this.logs;
+    const metrics = this.metrics;
+    this.spans = [];
+    this.logs = [];
+    this.metrics = [];
+    const tasks = [];
+    if (spans.length) tasks.push(this.send("/v1/traces", { resourceSpans: this.wrapSpans(spans) }));
+    if (logs.length) tasks.push(this.send("/v1/logs", { resourceLogs: this.wrapLogs(logs) }));
+    if (metrics.length) tasks.push(this.send("/v1/metrics", { resourceMetrics: this.wrapMetrics(metrics) }));
+    await Promise.all(tasks);
+  }
+  async close() {
+    if (this.closed) return;
+    this.closed = true;
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  // ------------------------------------------------------------------------
+  // Event-to-signal converters
+  // ------------------------------------------------------------------------
+  networkToSpan(e) {
+    const start = (e.timestamp - (e.duration ?? 0)) * 1e6;
+    const end = e.timestamp * 1e6;
+    const isError = e.status >= 400 || e.status === 0;
+    return {
+      traceId: traceIdFromSession(e.sessionId),
+      spanId: randomSpanId(),
+      name: `${e.method} ${stripQuery(e.url)}`,
+      kind: SpanKind.CLIENT,
+      startTimeUnixNano: String(start),
+      endTimeUnixNano: String(end),
+      attributes: [
+        attrStr("http.request.method", e.method),
+        attrStr("url.full", e.url),
+        attrInt("http.response.status_code", e.status),
+        attrInt("http.request.body.size", e.requestBodySize ?? 0),
+        attrInt("http.response.body.size", e.responseBodySize ?? 0),
+        attrStr("runtimescope.session_id", e.sessionId)
+      ],
+      status: {
+        code: isError ? StatusCode.ERROR : StatusCode.OK,
+        message: isError ? `HTTP ${e.status}` : void 0
+      }
+    };
+  }
+  databaseToSpan(e) {
+    const start = (e.timestamp - (e.duration ?? 0)) * 1e6;
+    const end = e.timestamp * 1e6;
+    const primaryTable = e.tablesAccessed?.[0] ?? "";
+    return {
+      traceId: traceIdFromSession(e.sessionId),
+      spanId: randomSpanId(),
+      name: `${(e.operation ?? "query").toUpperCase()} ${primaryTable}`.trim(),
+      kind: SpanKind.CLIENT,
+      startTimeUnixNano: String(start),
+      endTimeUnixNano: String(end),
+      attributes: [
+        attrStr("db.system", e.source ?? "unknown"),
+        attrStr("db.operation", e.operation ?? ""),
+        attrStr("db.statement", e.query ?? ""),
+        attrStr("db.sql.table", primaryTable),
+        attrInt("db.response.returned_rows", e.rowsReturned ?? 0),
+        attrStr("runtimescope.session_id", e.sessionId)
+      ],
+      status: { code: e.error ? StatusCode.ERROR : StatusCode.OK, message: e.error }
+    };
+  }
+  /**
+   * Render events bundle multiple component profiles in one event. We emit
+   * one span per profile so the OTel UI can show each component's render
+   * timing independently — sharing the same trace via the sessionId.
+   */
+  renderToSpans(e) {
+    const traceId = traceIdFromSession(e.sessionId);
+    const profiles = e.profiles ?? [];
+    const out = [];
+    for (const p of profiles) {
+      const dur = p.totalDuration ?? 0;
+      const end = e.timestamp * 1e6;
+      const start = end - Math.round(dur * 1e6);
+      out.push({
+        traceId,
+        spanId: randomSpanId(),
+        name: `render ${p.componentName}`,
+        kind: SpanKind.INTERNAL,
+        startTimeUnixNano: String(start),
+        endTimeUnixNano: String(end),
+        attributes: [
+          attrStr("react.component", p.componentName),
+          attrStr("react.phase", p.lastRenderPhase ?? ""),
+          attrInt("react.render_count", p.renderCount ?? 0),
+          attrStr("react.last_render_cause", p.lastRenderCause ?? ""),
+          attrStr("runtimescope.session_id", e.sessionId)
+        ],
+        status: { code: p.suspicious ? StatusCode.ERROR : StatusCode.UNSET }
+      });
+    }
+    return out;
+  }
+  /**
+   * `console` events with `level: 'error'` carry stack traces; we surface them
+   * via OTel's exception attributes so log-search backends can show them
+   * inline. Lower-severity console events become plain log records.
+   */
+  consoleToLog(e) {
+    const attrs = [attrStr("runtimescope.session_id", e.sessionId)];
+    if (e.source) attrs.push(attrStr("runtimescope.source", e.source));
+    if (e.level === "error" && e.stackTrace) {
+      attrs.push(attrStr("exception.message", e.message ?? ""));
+      attrs.push(attrStr("exception.stacktrace", e.stackTrace));
+    }
+    return {
+      timeUnixNano: String(e.timestamp * 1e6),
+      severityNumber: severityFromConsole(e.level),
+      severityText: e.level,
+      body: { stringValue: e.message ?? "" },
+      attributes: attrs,
+      traceId: traceIdFromSession(e.sessionId)
+    };
+  }
+  performanceToMetric(e) {
+    if (!e.metricName || typeof e.value !== "number") return null;
+    const isWebVital = WEB_VITALS.has(e.metricName);
+    const name = isWebVital ? `runtimescope.web_vitals.${e.metricName.toLowerCase()}` : `runtimescope.server.${e.metricName.toLowerCase()}`;
+    return {
+      name,
+      unit: e.unit ?? webVitalUnit(e.metricName),
+      gauge: {
+        dataPoints: [
+          {
+            asDouble: e.value,
+            timeUnixNano: String(e.timestamp * 1e6),
+            attributes: [
+              attrStr("rating", e.rating ?? "unknown"),
+              attrStr("runtimescope.session_id", e.sessionId)
+            ]
+          }
+        ]
+      }
+    };
+  }
+  // ------------------------------------------------------------------------
+  // OTLP envelope wrapping + transport
+  // ------------------------------------------------------------------------
+  resourceAttributes() {
+    const attrs = [
+      attrStr("service.name", this.serviceName),
+      attrStr("telemetry.sdk.name", "runtimescope"),
+      attrStr("telemetry.sdk.language", "nodejs")
+    ];
+    if (this.serviceNamespace) attrs.push(attrStr("service.namespace", this.serviceNamespace));
+    return attrs;
+  }
+  wrapSpans(spans) {
+    return [
+      {
+        resource: { attributes: this.resourceAttributes() },
+        scopeSpans: [{ scope: { name: "runtimescope" }, spans }]
+      }
+    ];
+  }
+  wrapLogs(logs) {
+    return [
+      {
+        resource: { attributes: this.resourceAttributes() },
+        scopeLogs: [{ scope: { name: "runtimescope" }, logRecords: logs }]
+      }
+    ];
+  }
+  wrapMetrics(metrics) {
+    return [
+      {
+        resource: { attributes: this.resourceAttributes() },
+        scopeMetrics: [{ scope: { name: "runtimescope" }, metrics }]
+      }
+    ];
+  }
+  async send(path, body) {
+    try {
+      const res = await fetch(this.endpoint + path, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          ...this.headers
+        },
+        body: JSON.stringify(body)
+      });
+      if (!res.ok) {
+        this.logFailure(`OTel POST ${path} \u2192 ${res.status} ${res.statusText}`);
+      }
+    } catch (err) {
+      this.logFailure(`OTel POST ${path} failed: ${err.message}`);
+    }
+  }
+  /** Rate-limit failure logs to once every 60s — don't spam stderr. */
+  logFailure(msg) {
+    const now = Date.now();
+    if (now - this.lastFailureLog < 6e4) return;
+    this.lastFailureLog = now;
+    console.error(`[RuntimeScope] ${msg}`);
+  }
+};
+function traceIdFromSession(sessionId) {
+  return createHash("sha256").update(sessionId).digest("hex").slice(0, 32);
+}
+function randomSpanId() {
+  return randomBytes2(8).toString("hex");
+}
+function attrStr(key, value) {
+  return { key, value: { stringValue: value } };
+}
+function attrInt(key, value) {
+  return { key, value: { intValue: String(Math.trunc(value)) } };
+}
+function severityFromConsole(level) {
+  switch (level) {
+    case "debug":
+      return 5;
+    case "log":
+    case "info":
+      return 9;
+    case "warn":
+      return 13;
+    case "error":
+      return 17;
+    default:
+      return 9;
+  }
+}
+var WEB_VITALS = /* @__PURE__ */ new Set(["LCP", "FCP", "CLS", "TTFB", "FID", "INP"]);
+function webVitalUnit(name) {
+  return name.toUpperCase() === "CLS" ? "1" : "ms";
+}
+function stripQuery(url) {
+  const i = url.indexOf("?");
+  return i >= 0 ? url.slice(0, i) : url;
+}
+function parseOtelHeaders(raw) {
+  if (!raw) return {};
+  const out = {};
+  for (const pair of raw.split(",")) {
+    const eq = pair.indexOf("=");
+    if (eq <= 0) continue;
+    const k = pair.slice(0, eq).trim();
+    const v = pair.slice(eq + 1).trim();
+    if (k) out[k] = v;
+  }
+  return out;
+}
+function otelOptionsFromEnv() {
+  const endpoint = process.env.RUNTIMESCOPE_OTEL_ENDPOINT;
+  if (!endpoint) return null;
+  return {
+    endpoint,
+    serviceName: process.env.RUNTIMESCOPE_OTEL_SERVICE_NAME,
+    headers: parseOtelHeaders(process.env.RUNTIMESCOPE_OTEL_HEADERS)
+  };
+}
+
 // src/rate-limiter.ts
 var SessionRateLimiter = class {
   windows = /* @__PURE__ */ new Map();
@@ -845,12 +1640,12 @@ var SessionRateLimiter = class {
 };
 
 // src/tls.ts
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync2 } from "fs";
 function loadTlsOptions(config) {
   return {
-    cert: readFileSync(config.certPath, "utf-8"),
-    key: readFileSync(config.keyPath, "utf-8"),
-    ...config.caPath ? { ca: readFileSync(config.caPath, "utf-8") } : {}
+    cert: readFileSync2(config.certPath, "utf-8"),
+    key: readFileSync2(config.keyPath, "utf-8"),
+    ...config.caPath ? { ca: readFileSync2(config.caPath, "utf-8") } : {}
   };
 }
 function resolveTlsConfig() {
@@ -867,6 +1662,8 @@ function resolveTlsConfig() {
 // src/server.ts
 import { createServer as createHttpsServer } from "https";
 import { WebSocketServer } from "ws";
+import { dirname, join as join2 } from "path";
+import { mkdirSync as mkdirSync2, writeFileSync } from "fs";
 var CollectorServer = class {
   wss = null;
   store;
@@ -877,6 +1674,12 @@ var CollectorServer = class {
   pendingHandshakes = /* @__PURE__ */ new Set();
   pendingCommands = /* @__PURE__ */ new Map();
   sqliteStores = /* @__PURE__ */ new Map();
+  wals = /* @__PURE__ */ new Map();
+  ready = false;
+  metrics = new MetricsRegistry();
+  startedAt = Date.now();
+  counters;
+  otelExporter = null;
   connectCallbacks = [];
   disconnectCallbacks = [];
   pruneTimer = null;
@@ -895,6 +1698,70 @@ var CollectorServer = class {
     if (this.rateLimiter.isEnabled()) {
       this.pruneTimer = setInterval(() => this.rateLimiter.prune(), 6e4);
     }
+    this.counters = {
+      eventsTotal: this.metrics.counter(
+        "runtimescope_events_total",
+        "Total events accepted by the collector since start.",
+        ["type"]
+      ),
+      eventsDropped: this.metrics.counter(
+        "runtimescope_events_dropped_total",
+        "Total events dropped before reaching the in-memory store.",
+        ["reason"]
+      ),
+      wsDisconnects: this.metrics.counter(
+        "runtimescope_ws_disconnects_total",
+        "WebSocket disconnects (clean + abnormal) since start.",
+        ["cause"]
+      )
+    };
+    this.store.onEvent((event) => {
+      this.counters.eventsTotal.inc(1, { type: event.eventType });
+    });
+    const uptime = this.metrics.gauge(
+      "runtimescope_collector_uptime_seconds",
+      "Seconds since the collector process started."
+    );
+    uptime.setCollect(() => Math.floor((Date.now() - this.startedAt) / 1e3));
+    const sessionsConnected = this.metrics.gauge(
+      "runtimescope_sessions_connected",
+      "SDK sessions currently connected via WebSocket."
+    );
+    sessionsConnected.setCollect(
+      () => this.store.getSessionInfo().filter((s) => s.isConnected).length
+    );
+    const bufferSize = this.metrics.gauge(
+      "runtimescope_buffer_size",
+      "Events currently held in the in-memory ring buffer."
+    );
+    bufferSize.setCollect(() => this.store.eventCount);
+    const projectsGauge = this.metrics.gauge(
+      "runtimescope_projects",
+      "Distinct projects (apps) the collector has seen."
+    );
+    projectsGauge.setCollect(() => this.projectManager?.listProjects().length ?? 0);
+    const workspacesGauge = this.metrics.gauge(
+      "runtimescope_workspaces",
+      "Workspaces (multi-tenant containers) registered in PmStore."
+    );
+    workspacesGauge.setCollect(() => {
+      const pm = this.pmStore;
+      return pm?.listWorkspaces ? pm.listWorkspaces().length : 0;
+    });
+    const otelOptions = options.otel ?? otelOptionsFromEnv();
+    if (otelOptions) {
+      this.otelExporter = new OtelExporter(otelOptions);
+      this.store.onEvent((event) => {
+        this.otelExporter?.ingest(event);
+      });
+      console.error(
+        `[RuntimeScope] OpenTelemetry export enabled \u2192 ${otelOptions.endpoint}`
+      );
+    }
+  }
+  /** Public access to the metrics registry — HttpServer renders this at /metrics. */
+  getMetricsRegistry() {
+    return this.metrics;
   }
   getStore() {
     return this.store;
@@ -928,14 +1795,137 @@ var CollectorServer = class {
   onDisconnect(cb) {
     this.disconnectCallbacks.push(cb);
   }
-  start(options = {}) {
+  /** True after start() finishes recovery. False during startup or after stop(). */
+  isReady() {
+    return this.ready;
+  }
+  /**
+   * Snapshot every project's SQLite DB and WAL into a fresh directory under
+   * `<runtimescope-root>/snapshots/<ISO>/`. Atomic via SQLite's `VACUUM INTO`;
+   * non-blocking for ongoing event ingestion (the live DB keeps accepting
+   * writes during the copy).
+   *
+   * Returns metadata for the admin endpoint to serialize.
+   */
+  createSnapshot() {
+    if (!this.projectManager) {
+      throw new Error("Cannot snapshot \u2014 no projectManager configured");
+    }
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+    const root = join2(this.projectManager.rootDir, "snapshots", timestamp);
+    mkdirSync2(root, { recursive: true });
+    const projects = [];
+    let totalBytes = 0;
+    for (const projectName of this.projectManager.listProjects()) {
+      const projectDir = join2(root, projectName);
+      mkdirSync2(projectDir, { recursive: true });
+      let sqliteBytes = 0;
+      let eventCount = 0;
+      const sqliteStore = this.sqliteStores.get(projectName);
+      if (sqliteStore) {
+        const sqlitePath = join2(projectDir, "events.db");
+        try {
+          sqliteBytes = sqliteStore.snapshotTo(sqlitePath);
+          eventCount = sqliteStore.getEventCount({ project: projectName });
+        } catch (err) {
+          console.error(
+            `[RuntimeScope] Snapshot of "${projectName}" SQLite failed:`,
+            err.message
+          );
+        }
+      }
+      let walBytes = 0;
+      const wal = this.wals.get(projectName);
+      if (wal) {
+        try {
+          walBytes = wal.snapshotTo(join2(projectDir, "wal"));
+        } catch (err) {
+          console.error(
+            `[RuntimeScope] Snapshot of "${projectName}" WAL failed:`,
+            err.message
+          );
+        }
+      }
+      projects.push({ name: projectName, sqliteBytes, walBytes, eventCount });
+      totalBytes += sqliteBytes + walBytes;
+    }
+    const manifest = {
+      timestamp,
+      createdAt: Date.now(),
+      collectorVersion: process.env.npm_package_version ?? "0.0.0",
+      projects,
+      totalBytes
+    };
+    writeFileSync(join2(root, "manifest.json"), JSON.stringify(manifest, null, 2));
+    return { path: root, timestamp, projects, totalBytes };
+  }
+  async start(options = {}) {
     const port = options.port ?? 6767;
     const host = options.host ?? "127.0.0.1";
     const maxRetries = options.maxRetries ?? 5;
     const retryDelayMs = options.retryDelayMs ?? 1e3;
     const tls = options.tls ?? this.tlsConfig;
+    try {
+      this.runStartupRecovery();
+    } catch (err) {
+      console.error("[RuntimeScope] Startup recovery failed (non-fatal):", err.message);
+    }
+    this.ready = true;
     return this.tryStart(port, host, maxRetries, retryDelayMs, tls);
   }
+  /**
+   * On collector startup, for each known project:
+   *   1. Replay any sealed/active WAL files into SqliteStore (mirror of the
+   *      lazy recovery in `ensureWal`, but proactive — handles the case where
+   *      a crashed project never reconnects).
+   *   2. Warm the in-memory ring buffer with recent events from SqliteStore so
+   *      MCP tools see history immediately, not just events from the next
+   *      session that connects.
+   *
+   * Runs synchronously — better-sqlite3 is sync — so callers can `await
+   * collector.start()` and trust the buffer is hot when it returns.
+   */
+  runStartupRecovery() {
+    if (!this.projectManager) return;
+    const projects = this.projectManager.listProjects();
+    if (projects.length === 0) return;
+    let walReplayed = 0;
+    let warmed = 0;
+    for (const project of projects) {
+      const dir = this.walDirFor(project);
+      if (dir) {
+        const files = Wal.listRecoveryFiles(dir);
+        if (files.length > 0) {
+          const sqliteStore2 = this.ensureSqliteStore(project);
+          if (sqliteStore2) {
+            for (const file of files) {
+              const events = Wal.readFile(file);
+              for (const ev of events) {
+                try {
+                  sqliteStore2.addEvent(ev, project);
+                } catch {
+                }
+              }
+              walReplayed += events.length;
+            }
+            sqliteStore2.flush();
+            for (const file of files) Wal.deleteSealed(file);
+          }
+        }
+      }
+      const sqliteStore = this.ensureSqliteStore(project);
+      if (sqliteStore) {
+        const before = this.store.eventCount;
+        this.store.warmFromSqlite(sqliteStore, project, 1e3);
+        warmed += this.store.eventCount - before;
+      }
+    }
+    if (walReplayed > 0 || warmed > 0) {
+      console.error(
+        `[RuntimeScope] Recovery: ${walReplayed} WAL events replayed, ${warmed} events warmed into ring buffer.`
+      );
+    }
+  }
   tryStart(port, host, retriesLeft, retryDelayMs, tls) {
     return new Promise((resolve2, reject) => {
       let wss;
@@ -974,12 +1964,11 @@ var CollectorServer = class {
   }
   handleStartError(err, port, host, retriesLeft, retryDelayMs, tls, resolve2, reject) {
     if (err.code === "EADDRINUSE" && retriesLeft > 0) {
+      const nextPort = port + 1;
       console.error(
-        `[RuntimeScope] Port ${port} in use, retrying in ${retryDelayMs}ms (${retriesLeft} attempts left)...`
+        `[RuntimeScope] Port ${port} in use, trying ${nextPort}...`
       );
-      setTimeout(() => {
-        this.tryStart(port, host, retriesLeft - 1, retryDelayMs, tls).then(resolve2).catch(reject);
-      }, retryDelayMs);
+      this.tryStart(nextPort, host, retriesLeft - 1, retryDelayMs, tls).then(resolve2).catch(reject);
     } else {
       console.error("[RuntimeScope] WebSocket server error:", err.message);
       reject(err);
@@ -1007,6 +1996,88 @@ var CollectorServer = class {
     }
     return sqliteStore;
   }
+  walDirFor(projectName) {
+    if (!this.projectManager) return null;
+    try {
+      this.projectManager.ensureProjectDir(projectName);
+      const dbPath = this.projectManager.getProjectDbPath(projectName);
+      return join2(dirname(dbPath), "wal");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Open (or return) the WAL for a project. Every event ingested for this
+   * project is first appended + fsync'd here before being pushed to the ring
+   * buffer and SqliteStore, so a crash between receipt and SqliteStore flush
+   * doesn't lose acknowledged events.
+   */
+  ensureWal(projectName) {
+    if (!this.projectManager) return null;
+    let wal = this.wals.get(projectName);
+    if (wal) return wal;
+    const dir = this.walDirFor(projectName);
+    if (!dir) return null;
+    try {
+      this.recoverWalForProject(projectName, dir);
+      wal = new Wal({ dir });
+      this.wals.set(projectName, wal);
+      return wal;
+    } catch (err) {
+      console.error(
+        `[RuntimeScope] Failed to open WAL for "${projectName}":`,
+        err.message
+      );
+      return null;
+    }
+  }
+  /**
+   * Replay any sealed or non-empty active WAL files into SqliteStore, then
+   * delete them. Called lazily the first time a project's WAL is opened — if
+   * the prior collector crashed mid-batch, those events survive in the WAL
+   * and we'd otherwise leave them stranded on disk forever.
+   */
+  recoverWalForProject(projectName, dir) {
+    const files = Wal.listRecoveryFiles(dir);
+    if (files.length === 0) return;
+    const sqliteStore = this.ensureSqliteStore(projectName);
+    let replayed = 0;
+    for (const file of files) {
+      const events = Wal.readFile(file);
+      if (events.length === 0) {
+        Wal.deleteSealed(file);
+        continue;
+      }
+      if (sqliteStore) {
+        for (const ev of events) {
+          try {
+            sqliteStore.addEvent(ev, projectName);
+          } catch {
+          }
+        }
+        replayed += events.length;
+      }
+    }
+    if (sqliteStore && replayed > 0) {
+      sqliteStore.flush();
+      for (const file of files) Wal.deleteSealed(file);
+      console.error(
+        `[RuntimeScope] WAL recovery: replayed ${replayed} events for "${projectName}"`
+      );
+    }
+  }
+  /**
+   * Rotate the project's WAL, flush SqliteStore so the rotated file's events
+   * are persisted, then delete the sealed file. Called when the active file
+   * has grown past its rotate threshold.
+   */
+  checkpointWal(projectName, wal) {
+    const sealed = wal.rotate();
+    if (!sealed) return;
+    const sqliteStore = this.sqliteStores.get(projectName);
+    sqliteStore?.flush();
+    setTimeout(() => Wal.deleteSealed(sealed), 5e3).unref();
+  }
   /** Catch runtime errors on the WSS so an unhandled error doesn't crash the process */
   setupPersistentErrorHandler(wss) {
     wss.on("error", (err) => {
@@ -1063,7 +2134,9 @@ var CollectorServer = class {
           console.error("[RuntimeScope] Malformed WebSocket message, ignoring");
         }
       });
-      ws.on("close", () => {
+      ws.on("close", (code) => {
+        const cause = code === 1e3 || code === 1001 ? "clean" : "abnormal";
+        this.counters.wsDisconnects.inc(1, { cause });
         const clientInfo = this.clients.get(ws);
         if (clientInfo) {
           this.store.markDisconnected(clientInfo.sessionId);
@@ -1141,7 +2214,8 @@ var CollectorServer = class {
             connectedAt: msg.timestamp,
             sdkVersion: payload.sdkVersion,
             eventCount: 0,
-            isConnected: true
+            isConnected: true,
+            projectId
           };
           sqliteStore.saveSession(sessionInfo);
         }
@@ -1170,12 +2244,38 @@ var CollectorServer = class {
         if (this.pendingHandshakes.has(ws)) return;
         const clientInfo = this.clients.get(ws);
         const payload = msg.payload;
-        if (Array.isArray(payload.events)) {
-          for (const event of payload.events) {
-            if (clientInfo && !this.rateLimiter.allow(clientInfo.sessionId)) {
-              break;
-            }
-            this.store.addEvent(event);
+        if (!Array.isArray(payload.events)) break;
+        const accepted = [];
+        let rateLimited = 0;
+        for (const event of payload.events) {
+          if (clientInfo && !this.rateLimiter.allow(clientInfo.sessionId)) {
+            rateLimited = payload.events.length - accepted.length;
+            break;
+          }
+          accepted.push(event);
+        }
+        if (rateLimited > 0) {
+          this.counters.eventsDropped.inc(rateLimited, { reason: "rate_limit" });
+        }
+        if (accepted.length === 0) break;
+        const wal = clientInfo?.projectName ? this.ensureWal(clientInfo.projectName) : null;
+        if (wal) {
+          try {
+            wal.append(accepted);
+            wal.commit();
+          } catch (err) {
+            console.error("[RuntimeScope] WAL append/commit failed:", err.message);
+            this.counters.eventsDropped.inc(accepted.length, { reason: "wal_backpressure" });
+          }
+        }
+        for (const event of accepted) {
+          this.store.addEvent(event);
+        }
+        if (wal?.shouldRotate() && clientInfo?.projectName) {
+          try {
+            this.checkpointWal(clientInfo.projectName, wal);
+          } catch (err) {
+            console.error("[RuntimeScope] WAL checkpoint failed:", err.message);
           }
         }
         break;
@@ -1272,6 +2372,21 @@ var CollectorServer = class {
         }
       }
     }
+    if (this.otelExporter) {
+      try {
+        void this.otelExporter.close();
+      } catch {
+      }
+      this.otelExporter = null;
+    }
+    for (const [name, wal] of this.wals) {
+      try {
+        wal.close();
+      } catch {
+        console.error(`[RuntimeScope] WAL close error for "${name}" (non-fatal)`);
+      }
+    }
+    this.wals.clear();
     for (const [name, sqliteStore] of this.sqliteStores) {
       try {
         sqliteStore.close();
@@ -1285,12 +2400,13 @@ var CollectorServer = class {
       this.wss = null;
       console.error("[RuntimeScope] Collector stopped");
     }
+    this.ready = false;
   }
 };
 
 // src/project-manager.ts
-import { mkdirSync, readFileSync as readFileSync2, writeFileSync, existsSync as existsSync2, readdirSync } from "fs";
-import { join } from "path";
+import { mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, readdirSync as readdirSync2 } from "fs";
+import { join as join3 } from "path";
 import { homedir } from "os";
 var DEFAULT_GLOBAL_CONFIG = {
   defaultPort: 6767,
@@ -1301,7 +2417,7 @@ var ProjectManager = class {
   baseDir;
   appProjectIndex = /* @__PURE__ */ new Map();
   constructor(baseDir) {
-    this.baseDir = baseDir ?? join(homedir(), ".runtimescope");
+    this.baseDir = baseDir ?? join3(homedir(), ".runtimescope");
   }
   get rootDir() {
     return this.baseDir;
@@ -1310,27 +2426,27 @@ var ProjectManager = class {
   getProjectDir(projectName) {
     const safe = projectName.replace(/[^a-zA-Z0-9_.-]/g, "_");
     if (!safe || safe === "." || safe === "..") {
-      return join(this.baseDir, "projects", "_invalid");
+      return join3(this.baseDir, "projects", "_invalid");
     }
-    return join(this.baseDir, "projects", safe);
+    return join3(this.baseDir, "projects", safe);
   }
   getProjectDbPath(projectName) {
-    return join(this.getProjectDir(projectName), "events.db");
+    return join3(this.getProjectDir(projectName), "events.db");
   }
   // --- Lifecycle (idempotent) ---
   ensureGlobalDir() {
     this.mkdirp(this.baseDir);
-    this.mkdirp(join(this.baseDir, "projects"));
-    const configPath = join(this.baseDir, "config.json");
-    if (!existsSync2(configPath)) {
+    this.mkdirp(join3(this.baseDir, "projects"));
+    const configPath = join3(this.baseDir, "config.json");
+    if (!existsSync3(configPath)) {
       this.writeJson(configPath, DEFAULT_GLOBAL_CONFIG);
     }
   }
   ensureProjectDir(projectName) {
     const projectDir = this.getProjectDir(projectName);
     this.mkdirp(projectDir);
-    const configPath = join(projectDir, "config.json");
-    if (!existsSync2(configPath)) {
+    const configPath = join3(projectDir, "config.json");
+    if (!existsSync3(configPath)) {
       const config = {
         name: projectName,
         createdAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -1343,31 +2459,31 @@ var ProjectManager = class {
   }
   // --- Config ---
   getGlobalConfig() {
-    const configPath = join(this.baseDir, "config.json");
-    if (!existsSync2(configPath)) return { ...DEFAULT_GLOBAL_CONFIG };
+    const configPath = join3(this.baseDir, "config.json");
+    if (!existsSync3(configPath)) return { ...DEFAULT_GLOBAL_CONFIG };
     return { ...DEFAULT_GLOBAL_CONFIG, ...this.readJson(configPath) };
   }
   saveGlobalConfig(config) {
-    this.writeJson(join(this.baseDir, "config.json"), config);
+    this.writeJson(join3(this.baseDir, "config.json"), config);
   }
   getProjectConfig(projectName) {
-    const configPath = join(this.getProjectDir(projectName), "config.json");
-    if (!existsSync2(configPath)) return null;
+    const configPath = join3(this.getProjectDir(projectName), "config.json");
+    if (!existsSync3(configPath)) return null;
     return this.readJson(configPath);
   }
   saveProjectConfig(projectName, config) {
-    this.writeJson(join(this.getProjectDir(projectName), "config.json"), config);
+    this.writeJson(join3(this.getProjectDir(projectName), "config.json"), config);
   }
   getInfrastructureConfig(projectName) {
-    const jsonPath = join(this.getProjectDir(projectName), "infrastructure.json");
-    if (existsSync2(jsonPath)) {
+    const jsonPath = join3(this.getProjectDir(projectName), "infrastructure.json");
+    if (existsSync3(jsonPath)) {
       const config = this.readJson(jsonPath);
       return this.resolveConfigEnvVars(config);
     }
-    const yamlPath = join(this.getProjectDir(projectName), "infrastructure.yaml");
-    if (existsSync2(yamlPath)) {
+    const yamlPath = join3(this.getProjectDir(projectName), "infrastructure.yaml");
+    if (existsSync3(yamlPath)) {
       try {
-        const content = readFileSync2(yamlPath, "utf-8");
+        const content = readFileSync3(yamlPath, "utf-8");
         return this.resolveConfigEnvVars(this.parseSimpleYaml(content));
       } catch {
         return null;
@@ -1376,18 +2492,18 @@ var ProjectManager = class {
     return null;
   }
   getClaudeInstructions(projectName) {
-    const filePath = join(this.getProjectDir(projectName), "claude-instructions.md");
-    if (!existsSync2(filePath)) return null;
-    return readFileSync2(filePath, "utf-8");
+    const filePath = join3(this.getProjectDir(projectName), "claude-instructions.md");
+    if (!existsSync3(filePath)) return null;
+    return readFileSync3(filePath, "utf-8");
   }
   // --- Discovery ---
   listProjects() {
-    const projectsDir = join(this.baseDir, "projects");
-    if (!existsSync2(projectsDir)) return [];
-    return readdirSync(projectsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name);
+    const projectsDir = join3(this.baseDir, "projects");
+    if (!existsSync3(projectsDir)) return [];
+    return readdirSync2(projectsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name);
   }
   projectExists(projectName) {
-    return existsSync2(this.getProjectDir(projectName));
+    return existsSync3(this.getProjectDir(projectName));
   }
   // --- Project ID helpers ---
   /** Look up the stored projectId for an appName. Returns null if none set. */
@@ -1439,9 +2555,9 @@ var ProjectManager = class {
       for (const p of pmStore.listProjects()) {
         if (p.path) {
           try {
-            const configPath = join(p.path, ".runtimescope", "config.json");
-            if (existsSync2(configPath)) {
-              const content = readFileSync2(configPath, "utf-8");
+            const configPath = join3(p.path, ".runtimescope", "config.json");
+            if (existsSync3(configPath)) {
+              const content = readFileSync3(configPath, "utf-8");
               const config = JSON.parse(content);
               if (config.projectId) {
                 if (config.appName) {
@@ -1474,16 +2590,16 @@ var ProjectManager = class {
   }
   // --- Private helpers ---
   mkdirp(dir) {
-    if (!existsSync2(dir)) {
-      mkdirSync(dir, { recursive: true });
+    if (!existsSync3(dir)) {
+      mkdirSync3(dir, { recursive: true });
     }
   }
   readJson(path) {
-    const content = readFileSync2(path, "utf-8");
+    const content = readFileSync3(path, "utf-8");
     return JSON.parse(content);
   }
   writeJson(path, data) {
-    writeFileSync(path, JSON.stringify(data, null, 2) + "\n", "utf-8");
+    writeFileSync2(path, JSON.stringify(data, null, 2) + "\n", "utf-8");
   }
   resolveConfigEnvVars(config) {
     const resolve2 = (obj) => {
@@ -1520,8 +2636,8 @@ var ProjectManager = class {
 };
 
 // src/project-config.ts
-import { readFileSync as readFileSync3, existsSync as existsSync3, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join2 } from "path";
+import { readFileSync as readFileSync4, existsSync as existsSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4 } from "fs";
+import { join as join4 } from "path";
 var DEFAULT_CAPTURE = {
   network: true,
   console: true,
@@ -1536,19 +2652,19 @@ var DEFAULT_CAPTURE = {
   stackTraces: false
 };
 function readProjectConfig(projectDir) {
-  const configPath = join2(projectDir, ".runtimescope", "config.json");
-  if (!existsSync3(configPath)) return null;
+  const configPath = join4(projectDir, ".runtimescope", "config.json");
+  if (!existsSync4(configPath)) return null;
   try {
-    const content = readFileSync3(configPath, "utf-8");
+    const content = readFileSync4(configPath, "utf-8");
     return JSON.parse(content);
   } catch {
     return null;
   }
 }
 function writeProjectConfig(projectDir, config) {
-  const dir = join2(projectDir, ".runtimescope");
-  if (!existsSync3(dir)) mkdirSync2(dir, { recursive: true });
-  writeFileSync2(join2(dir, "config.json"), JSON.stringify(config, null, 2) + "\n", "utf-8");
+  const dir = join4(projectDir, ".runtimescope");
+  if (!existsSync4(dir)) mkdirSync4(dir, { recursive: true });
+  writeFileSync3(join4(dir, "config.json"), JSON.stringify(config, null, 2) + "\n", "utf-8");
 }
 function scaffoldProjectConfig(projectDir, opts) {
   const existing = readProjectConfig(projectDir);
@@ -1579,9 +2695,9 @@ function scaffoldProjectConfig(projectDir, opts) {
     category: opts.category
   };
   writeProjectConfig(projectDir, config);
-  const gitignorePath = join2(projectDir, ".runtimescope", ".gitignore");
-  if (!existsSync3(gitignorePath)) {
-    writeFileSync2(gitignorePath, "# Keep config.json committed, ignore local state\n*.log\n*.db\n.env\n", "utf-8");
+  const gitignorePath = join4(projectDir, ".runtimescope", ".gitignore");
+  if (!existsSync4(gitignorePath)) {
+    writeFileSync3(gitignorePath, "# Keep config.json committed, ignore local state\n*.log\n*.db\n.env\n", "utf-8");
   }
   return config;
 }
@@ -1603,9 +2719,9 @@ function migrateProjectIds(projectManager, pmStore) {
     }
     let canonicalId = null;
     try {
-      const configPath = join2(project.path, ".runtimescope", "config.json");
-      if (existsSync3(configPath)) {
-        const config = JSON.parse(readFileSync3(configPath, "utf-8"));
+      const configPath = join4(project.path, ".runtimescope", "config.json");
+      if (existsSync4(configPath)) {
+        const config = JSON.parse(readFileSync4(configPath, "utf-8"));
         if (config.projectId) canonicalId = config.projectId;
       }
     } catch {
@@ -1643,7 +2759,7 @@ function migrateProjectIds(projectManager, pmStore) {
 }
 
 // src/auth.ts
-import { randomBytes as randomBytes2, timingSafeEqual } from "crypto";
+import { randomBytes as randomBytes3, timingSafeEqual } from "crypto";
 var AuthManager = class {
   keys = /* @__PURE__ */ new Map();
   enabled;
@@ -1690,7 +2806,7 @@ var AuthManager = class {
 };
 function generateApiKey(label, project) {
   return {
-    key: randomBytes2(32).toString("hex"),
+    key: randomBytes3(32).toString("hex"),
     label,
     project,
     createdAt: Date.now()
@@ -1805,8 +2921,8 @@ var Redactor = class {
 
 // src/platform.ts
 import { execFileSync, execSync } from "child_process";
-import { readlinkSync, readdirSync as readdirSync2 } from "fs";
-import { join as join3 } from "path";
+import { readlinkSync, readdirSync as readdirSync3 } from "fs";
+import { join as join5 } from "path";
 var IS_WIN = process.platform === "win32";
 var IS_LINUX = process.platform === "linux";
 function runFile(cmd, args, timeoutMs = 5e3) {
@@ -1921,11 +3037,11 @@ function findPidsInDir_linux(dir) {
   if (lsofResult.length > 0) return lsofResult;
   try {
     const pids = [];
-    for (const entry of readdirSync2("/proc")) {
+    for (const entry of readdirSync3("/proc")) {
       const pid = parseInt(entry, 10);
       if (isNaN(pid) || pid <= 1) continue;
       try {
-        const cwd = readlinkSync(join3("/proc", entry, "cwd"));
+        const cwd = readlinkSync(join5("/proc", entry, "cwd"));
         if (cwd.startsWith(dir)) pids.push(pid);
       } catch {
       }
@@ -2129,15 +3245,15 @@ var SessionManager = class {
 // src/http-server.ts
 import { createServer } from "http";
 import { createServer as createHttpsServer2 } from "https";
-import { readFileSync as readFileSync4, existsSync as existsSync5 } from "fs";
-import { resolve, dirname } from "path";
+import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
+import { resolve, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
 import { WebSocketServer as WebSocketServer2 } from "ws";
 
 // src/pm/pm-routes.ts
 import { readdir, readFile, writeFile, unlink, mkdir } from "fs/promises";
-import { existsSync as existsSync4 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync5 } from "fs";
+import { join as join6 } from "path";
 import { homedir as homedir2 } from "os";
 import { spawn, execFileSync as execFileSync2 } from "child_process";
 var LOG_RING_SIZE = 500;
@@ -2147,6 +3263,19 @@ function pushLog(mp, stream, line) {
   if (mp.logs.length >= LOG_RING_SIZE) mp.logs.shift();
   mp.logs.push(entry);
 }
+function requireWorkspaceAccess(helpers, req, res, targetWorkspaceId) {
+  const caller = helpers.resolveCaller(req);
+  if (caller.isAdmin) return true;
+  if (caller.workspaceId && caller.workspaceId === targetWorkspaceId) return true;
+  helpers.json(res, { error: "Forbidden: caller not authorized for this workspace" }, 403);
+  return false;
+}
+function requireAdmin(helpers, req, res) {
+  const caller = helpers.resolveCaller(req);
+  if (caller.isAdmin) return true;
+  helpers.json(res, { error: "Forbidden: admin required" }, 403);
+  return false;
+}
 function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
   const routes = [];
   function route(method, pattern, handler) {
@@ -2306,6 +3435,20 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: "Missing workspace_id" }, 400);
       return;
     }
+    const project = pmStore.getProject(id);
+    if (!project) {
+      helpers.json(res, { error: "Project not found" }, 404);
+      return;
+    }
+    const caller = helpers.resolveCaller(req);
+    if (!caller.isAdmin) {
+      const sourceOk = !!project.workspaceId && project.workspaceId === caller.workspaceId;
+      const destOk = parsed.workspace_id === caller.workspaceId;
+      if (!sourceOk || !destOk) {
+        helpers.json(res, { error: "Forbidden: caller must own both source and destination workspace" }, 403);
+        return;
+      }
+    }
     try {
       pmStore.setProjectWorkspace(id, parsed.workspace_id);
       helpers.json(res, { ok: true });
@@ -2313,10 +3456,18 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: err.message }, 400);
     }
   });
-  route("GET", "/api/pm/workspaces", (_req, res) => {
-    helpers.json(res, { data: pmStore.listWorkspaces() });
+  route("GET", "/api/pm/workspaces", (req, res) => {
+    const caller = helpers.resolveCaller(req);
+    const all = pmStore.listWorkspaces();
+    if (caller.isAdmin) {
+      helpers.json(res, { data: all });
+      return;
+    }
+    const filtered = caller.workspaceId ? all.filter((w) => w.id === caller.workspaceId) : [];
+    helpers.json(res, { data: filtered });
   });
   route("POST", "/api/pm/workspaces", async (req, res) => {
+    if (!requireAdmin(helpers, req, res)) return;
     const body = await helpers.readBody(req, 4096);
     if (!body) {
       helpers.json(res, { error: "Missing body" }, 400);
@@ -2340,8 +3491,9 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: err.message }, 400);
     }
   });
-  route("GET", "/api/pm/workspaces/:id", (_req, res, params) => {
+  route("GET", "/api/pm/workspaces/:id", (req, res, params) => {
     const id = params.get("id");
+    if (!requireWorkspaceAccess(helpers, req, res, id)) return;
     const ws = pmStore.getWorkspace(id);
     if (!ws) {
       helpers.json(res, { error: "Workspace not found" }, 404);
@@ -2351,6 +3503,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
   });
   route("PUT", "/api/pm/workspaces/:id", async (req, res, params) => {
     const id = params.get("id");
+    if (!requireWorkspaceAccess(helpers, req, res, id)) return;
     if (!pmStore.getWorkspace(id)) {
       helpers.json(res, { error: "Workspace not found" }, 404);
       return;
@@ -2374,7 +3527,8 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: err.message }, 400);
     }
   });
-  route("DELETE", "/api/pm/workspaces/:id", (_req, res, params) => {
+  route("DELETE", "/api/pm/workspaces/:id", (req, res, params) => {
+    if (!requireAdmin(helpers, req, res)) return;
     const id = params.get("id");
     try {
       pmStore.deleteWorkspace(id);
@@ -2383,8 +3537,9 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: err.message }, 400);
     }
   });
-  route("GET", "/api/pm/workspaces/:id/api-keys", (_req, res, params) => {
+  route("GET", "/api/pm/workspaces/:id/api-keys", (req, res, params) => {
     const id = params.get("id");
+    if (!requireWorkspaceAccess(helpers, req, res, id)) return;
     if (!pmStore.getWorkspace(id)) {
       helpers.json(res, { error: "Workspace not found" }, 404);
       return;
@@ -2393,6 +3548,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
   });
   route("POST", "/api/pm/workspaces/:id/api-keys", async (req, res, params) => {
     const id = params.get("id");
+    if (!requireWorkspaceAccess(helpers, req, res, id)) return;
     if (!pmStore.getWorkspace(id)) {
       helpers.json(res, { error: "Workspace not found" }, 404);
       return;
@@ -2420,8 +3576,15 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: err.message }, 400);
     }
   });
-  route("DELETE", "/api/pm/api-keys/:key", (_req, res, params) => {
-    pmStore.revokeApiKey(params.get("key"));
+  route("DELETE", "/api/pm/api-keys/:prefix", (req, res, params) => {
+    const prefix = params.get("prefix");
+    const key = pmStore.findApiKeyByPrefix(prefix);
+    if (!key) {
+      helpers.json(res, { error: "Key not found" }, 404);
+      return;
+    }
+    if (!requireWorkspaceAccess(helpers, req, res, key.workspaceId)) return;
+    pmStore.revokeApiKey(prefix);
     helpers.json(res, { ok: true });
   });
   route("GET", "/api/pm/tasks", (_req, res, params) => {
@@ -2599,13 +3762,13 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { data: [], count: 0 });
       return;
     }
-    const memoryDir = join4(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory");
+    const memoryDir = join6(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory");
     try {
       const files = await readdir(memoryDir);
       const mdFiles = files.filter((f) => f.endsWith(".md"));
       const result = await Promise.all(
         mdFiles.map(async (filename) => {
-          const content = await readFile(join4(memoryDir, filename), "utf-8");
+          const content = await readFile(join6(memoryDir, filename), "utf-8");
           return { filename, content, sizeBytes: Buffer.byteLength(content) };
         })
       );
@@ -2622,7 +3785,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: "Project not found" }, 404);
       return;
     }
-    const filePath = join4(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory", filename);
+    const filePath = join6(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory", filename);
     try {
       const content = await readFile(filePath, "utf-8");
       helpers.json(res, { filename, content, sizeBytes: Buffer.byteLength(content) });
@@ -2645,9 +3808,9 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
     }
     try {
       const { content } = JSON.parse(body);
-      const memoryDir = join4(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory");
+      const memoryDir = join6(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory");
       await mkdir(memoryDir, { recursive: true });
-      await writeFile(join4(memoryDir, filename), content, "utf-8");
+      await writeFile(join6(memoryDir, filename), content, "utf-8");
       helpers.json(res, { ok: true });
     } catch (err) {
       helpers.json(res, { error: err.message }, 500);
@@ -2661,7 +3824,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       helpers.json(res, { error: "Project not found" }, 404);
       return;
     }
-    const filePath = join4(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory", filename);
+    const filePath = join6(homedir2(), ".claude", "projects", project.claudeProjectKey, "memory", filename);
     try {
       await unlink(filePath);
       helpers.json(res, { ok: true });
@@ -2721,7 +3884,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       const { content } = JSON.parse(body);
       const paths = getRulesPaths(project.claudeProjectKey, project.path);
       const filePath = paths[scope];
-      const dir = join4(filePath, "..");
+      const dir = join6(filePath, "..");
       await mkdir(dir, { recursive: true });
       await writeFile(filePath, content, "utf-8");
       helpers.json(res, { ok: true });
@@ -2741,7 +3904,7 @@ function createPmRouter(pmStore, discovery, helpers, broadcastDevServer) {
       return;
     }
     try {
-      const pkgPath = join4(project.path, "package.json");
+      const pkgPath = join6(project.path, "package.json");
       const pkg = JSON.parse(await readFile(pkgPath, "utf-8"));
       const scripts = pkg.scripts ?? {};
       const recommended = ["dev", "start", "serve"].find((s) => s in scripts) ?? null;
@@ -3267,9 +4430,9 @@ function sanitizeFilename(name) {
 function getRulesPaths(claudeProjectKey, projectPath) {
   const home = homedir2();
   return {
-    global: join4(home, ".claude", "CLAUDE.md"),
-    project: claudeProjectKey ? join4(home, ".claude", "projects", claudeProjectKey, "CLAUDE.md") : join4(projectPath ?? "", ".claude", "CLAUDE.md"),
-    local: projectPath ? join4(projectPath, "CLAUDE.md") : join4(home, "CLAUDE.md")
+    global: join6(home, ".claude", "CLAUDE.md"),
+    project: claudeProjectKey ? join6(home, ".claude", "projects", claudeProjectKey, "CLAUDE.md") : join6(projectPath ?? "", ".claude", "CLAUDE.md"),
+    local: projectPath ? join6(projectPath, "CLAUDE.md") : join6(home, "CLAUDE.md")
   };
 }
 function execGit(args, cwd) {
@@ -3314,7 +4477,7 @@ function parseGitStatus(porcelain) {
 }
 async function readRuleFile(filePath) {
   try {
-    if (existsSync4(filePath)) {
+    if (existsSync5(filePath)) {
       const content = await readFile(filePath, "utf-8");
       return { path: filePath, content, exists: true };
     }
@@ -3326,8 +4489,8 @@ async function readRuleFile(filePath) {
 // src/http-server.ts
 var COLLECTOR_VERSION = (() => {
   try {
-    const here = dirname(fileURLToPath(import.meta.url));
-    const pkgJson = readFileSync4(resolve(here, "..", "package.json"), "utf-8");
+    const here = dirname2(fileURLToPath(import.meta.url));
+    const pkgJson = readFileSync5(resolve(here, "..", "package.json"), "utf-8");
     const pkg = JSON.parse(pkgJson);
     return pkg.version ?? "unknown";
   } catch {
@@ -3352,6 +4515,10 @@ var HttpServer = class {
   connectedSessionsGetter = null;
   pmStore = null;
   projectManager = null;
+  isReadyGetter = null;
+  snapshotFn = null;
+  lastSnapshotAt = 0;
+  renderMetricsFn = null;
   constructor(store, processMonitor, options) {
     this.store = store;
     this.processMonitor = processMonitor ?? null;
@@ -3361,11 +4528,15 @@ var HttpServer = class {
     this.connectedSessionsGetter = options?.getConnectedSessions ?? null;
     this.pmStore = options?.pmStore ?? null;
     this.projectManager = options?.projectManager ?? null;
+    this.isReadyGetter = options?.isReady ?? null;
+    this.snapshotFn = options?.createSnapshot ?? null;
+    this.renderMetricsFn = options?.renderMetrics ?? null;
     this.registerRoutes();
     if (options?.pmStore && options?.discovery) {
       this.pmRouter = createPmRouter(options.pmStore, options.discovery, {
         json: (res, data, status) => this.json(res, data, status),
-        readBody: (req, maxBytes) => this.readBody(req, maxBytes)
+        readBody: (req, maxBytes) => this.readBody(req, maxBytes),
+        resolveCaller: (req) => req._rsCaller ?? { isAdmin: !this.authManager?.isEnabled(), workspaceId: null }
       }, (msg) => this.broadcastDevServer(msg));
     }
   }
@@ -3380,6 +4551,58 @@ var HttpServer = class {
         authEnabled: this.authManager?.isEnabled() ?? false
       });
     });
+    this.routes.set("GET /readyz", (_req, res) => {
+      const ready = this.isReadyGetter ? this.isReadyGetter() : true;
+      if (ready) {
+        this.json(res, { status: "ready", timestamp: Date.now() });
+      } else {
+        this.json(res, { status: "starting", timestamp: Date.now() }, 503);
+      }
+    });
+    this.routes.set("GET /metrics", (_req, res) => {
+      if (process.env.RUNTIMESCOPE_DISABLE_METRICS === "1") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Metrics disabled (RUNTIMESCOPE_DISABLE_METRICS=1).\n");
+        return;
+      }
+      const body = this.renderMetricsFn ? this.renderMetricsFn() : "";
+      res.writeHead(200, { "Content-Type": "text/plain; version=0.0.4; charset=utf-8" });
+      res.end(body);
+    });
+    this.routes.set("POST /api/v1/admin/snapshot", (req, res) => {
+      if (!this.snapshotFn) {
+        this.json(res, { error: "Snapshot is not available on this collector" }, 501);
+        return;
+      }
+      const caller = req._rsCaller ?? {
+        isAdmin: !this.authManager?.isEnabled(),
+        workspaceId: null
+      };
+      if (!caller.isAdmin) {
+        this.json(res, { error: "Forbidden: snapshot requires admin" }, 403);
+        return;
+      }
+      const now = Date.now();
+      const sinceLast = now - this.lastSnapshotAt;
+      const COOLDOWN_MS = 6e4;
+      if (sinceLast < COOLDOWN_MS) {
+        const retryAfter = Math.ceil((COOLDOWN_MS - sinceLast) / 1e3);
+        res.setHeader("Retry-After", String(retryAfter));
+        this.json(
+          res,
+          { error: "Snapshot rate-limited", retryAfterSeconds: retryAfter },
+          429
+        );
+        return;
+      }
+      this.lastSnapshotAt = now;
+      try {
+        const result = this.snapshotFn();
+        this.json(res, result, 201);
+      } catch (err) {
+        this.json(res, { error: err.message }, 500);
+      }
+    });
     this.routes.set("GET /api/sessions", (_req, res) => {
       const sessions = this.store.getSessionInfo();
       this.json(res, { data: sessions, count: sessions.length });
@@ -3465,90 +4688,108 @@ var HttpServer = class {
       const ports = this.processMonitor.getPortUsage(port);
       this.json(res, { data: ports, count: ports.length });
     });
-    this.routes.set("GET /api/events/network", (_req, res, params) => {
+    this.routes.set("GET /api/events/network", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getNetworkRequests({
         sinceSeconds: numParam(params, "since_seconds"),
         urlPattern: params.get("url_pattern") ?? void 0,
         method: params.get("method") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/console", (_req, res, params) => {
+    this.routes.set("GET /api/events/console", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getConsoleMessages({
         sinceSeconds: numParam(params, "since_seconds"),
         level: params.get("level") ?? void 0,
         search: params.get("search") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/state", (_req, res, params) => {
+    this.routes.set("GET /api/events/state", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getStateEvents({
         sinceSeconds: numParam(params, "since_seconds"),
         storeId: params.get("store_id") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/renders", (_req, res, params) => {
+    this.routes.set("GET /api/events/renders", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getRenderEvents({
         sinceSeconds: numParam(params, "since_seconds"),
         componentName: params.get("component") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/performance", (_req, res, params) => {
+    this.routes.set("GET /api/events/performance", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getPerformanceMetrics({
         sinceSeconds: numParam(params, "since_seconds"),
         metricName: params.get("metric") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/database", (_req, res, params) => {
+    this.routes.set("GET /api/events/database", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getDatabaseEvents({
         sinceSeconds: numParam(params, "since_seconds"),
         table: params.get("table") ?? void 0,
         minDurationMs: numParam(params, "min_duration_ms"),
         search: params.get("search") ?? void 0,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/timeline", (_req, res, params) => {
+    this.routes.set("GET /api/events/timeline", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const eventTypes = params.get("event_types")?.split(",") ?? void 0;
       const events = this.store.getEventTimeline({
         sinceSeconds: numParam(params, "since_seconds"),
         eventTypes,
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/custom", (_req, res, params) => {
+    this.routes.set("GET /api/events/custom", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const events = this.store.getCustomEvents({
         name: params.get("name") ?? void 0,
         sinceSeconds: numParam(params, "since_seconds"),
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
-    this.routes.set("GET /api/events/ui", (_req, res, params) => {
+    this.routes.set("GET /api/events/ui", (req, res, params) => {
+      const projectId = this.authorizeProjectIdParam(req, res, params);
+      if (projectId === false) return;
       const action = params.get("action");
       const events = this.store.getUIInteractions({
         action: action ?? void 0,
         sinceSeconds: numParam(params, "since_seconds"),
         sessionId: params.get("session_id") ?? void 0,
-        projectId: params.get("project_id") ?? void 0
+        projectId
       });
       this.json(res, { data: events, count: events.length });
     });
@@ -3662,7 +4903,7 @@ var HttpServer = class {
    */
   resolveSdkPath() {
     if (this.sdkBundlePath) return this.sdkBundlePath;
-    const __dir = dirname(fileURLToPath(import.meta.url));
+    const __dir = dirname2(fileURLToPath(import.meta.url));
     const candidates = [
       resolve(__dir, "../../sdk/dist/index.global.js"),
       // monorepo: packages/collector/dist -> packages/sdk/dist
@@ -3670,13 +4911,55 @@ var HttpServer = class {
       // npm installed
     ];
     for (const p of candidates) {
-      if (existsSync5(p)) {
+      if (existsSync6(p)) {
         this.sdkBundlePath = p;
         return p;
       }
     }
     return null;
   }
+  getPort() {
+    return this.activePort;
+  }
+  /**
+   * Validate the `project_id` query parameter against the caller's workspace.
+   *
+   * Returns:
+   *   - `string`  — the caller is authorized; pass to store.
+   *   - `undefined` — caller is admin and didn't specify a project_id (all projects allowed).
+   *   - `false`   — not authorized (a 400 or 403 response has already been written); the handler must return immediately.
+   *
+   * Callers with a workspace-scoped token MUST provide `project_id`, and it
+   * must resolve to a PM project in the caller's workspace. Runtime projectIds
+   * without a PM record (never registered via setup_project) fall through to
+   * admin-only; workspace-scoped callers get 403.
+   */
+  authorizeProjectIdParam(req, res, params) {
+    const caller = req._rsCaller ?? {
+      isAdmin: !this.authManager?.isEnabled(),
+      workspaceId: null
+    };
+    const projectId = params.get("project_id") ?? void 0;
+    if (caller.isAdmin) return projectId;
+    if (!projectId) {
+      this.json(
+        res,
+        { error: "project_id query param is required for workspace-scoped callers" },
+        400
+      );
+      return false;
+    }
+    const projectWorkspaceId = this.pmStore?.getWorkspaceIdByRuntimeProjectId(projectId) ?? null;
+    if (!projectWorkspaceId) {
+      this.json(res, { error: "Forbidden: project is not registered with any workspace" }, 403);
+      return false;
+    }
+    if (projectWorkspaceId !== caller.workspaceId) {
+      this.json(res, { error: "Forbidden: project belongs to a different workspace" }, 403);
+      return false;
+    }
+    return projectId;
+  }
   async start(options = {}) {
     const basePort = options.port ?? parseInt(process.env.RUNTIMESCOPE_HTTP_PORT ?? "6768", 10);
     const host = options.host ?? "127.0.0.1";
@@ -3719,10 +5002,12 @@ var HttpServer = class {
       this.store.onEvent(this.eventListener);
       server.on("listening", () => {
         this.server = server;
-        this.activePort = port;
+        const addr = server.address();
+        const boundPort = addr && typeof addr === "object" && typeof addr.port === "number" ? addr.port : port;
+        this.activePort = boundPort;
         this.startedAt = Date.now();
         const proto = tls ? "https" : "http";
-        console.error(`[RuntimeScope] HTTP API listening on ${proto}://${host}:${port}`);
+        console.error(`[RuntimeScope] HTTP API listening on ${proto}://${host}:${boundPort}`);
         resolve2();
       });
       server.on("error", (err) => {
@@ -3807,20 +5092,29 @@ var HttpServer = class {
       res.end();
       return;
     }
-    const isPublic = url.pathname === "/api/health" || url.pathname === "/runtimescope.js" || url.pathname === "/snippet";
-    if (!isPublic && this.authManager?.isEnabled()) {
+    const isPublic = url.pathname === "/api/health" || url.pathname === "/readyz" || url.pathname === "/metrics" || url.pathname === "/runtimescope.js" || url.pathname === "/snippet";
+    const workspaceKeysExist = !!this.pmStore?.hasActiveApiKeys?.();
+    const authActive = !!this.authManager?.isEnabled() || workspaceKeysExist;
+    const caller = {
+      isAdmin: !authActive,
+      workspaceId: null
+    };
+    if (!isPublic && authActive) {
       const token = AuthManager.extractBearer(req.headers.authorization);
-      const isGlobal = this.authManager.isAuthorized(token);
-      const isWorkspaceToken = !!(token && this.pmStore?.getWorkspaceByApiKey(token));
-      if (!isGlobal && !isWorkspaceToken) {
+      const isGlobal = !!(token && this.authManager?.validate(token));
+      const workspace = token ? this.pmStore?.getWorkspaceByApiKey(token) : null;
+      if (!isGlobal && !workspace) {
         this.json(res, { error: "Unauthorized", code: "AUTH_FAILED" }, 401);
         return;
       }
+      caller.isAdmin = isGlobal;
+      caller.workspaceId = workspace?.id ?? null;
     }
+    req._rsCaller = caller;
     if (req.method === "GET" && url.pathname === "/runtimescope.js") {
       const sdkPath = this.resolveSdkPath();
       if (sdkPath) {
-        const bundle = readFileSync4(sdkPath, "utf-8");
+        const bundle = readFileSync5(sdkPath, "utf-8");
         res.writeHead(200, {
           "Content-Type": "application/javascript",
           "Cache-Control": "no-cache"
@@ -3944,7 +5238,7 @@ function numParam(params, key) {
 
 // src/pm/pm-store.ts
 import Database from "better-sqlite3";
-import { randomBytes as randomBytes3 } from "crypto";
+import { randomBytes as randomBytes4, createHash as createHash2, timingSafeEqual as timingSafeEqual2 } from "crypto";
 var PmStore = class {
   db;
   constructor(options) {
@@ -4124,6 +5418,23 @@ var PmStore = class {
       this.db.exec("ALTER TABLE pm_projects ADD COLUMN workspace_id TEXT DEFAULT NULL");
     } catch {
     }
+    let apiKeyColumnsAdded = false;
+    try {
+      this.db.exec("ALTER TABLE pm_api_keys ADD COLUMN key_prefix TEXT");
+      apiKeyColumnsAdded = true;
+    } catch {
+    }
+    try {
+      this.db.exec("ALTER TABLE pm_api_keys ADD COLUMN key_last4 TEXT");
+    } catch {
+    }
+    try {
+      this.db.exec("CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON pm_api_keys(key_prefix)");
+    } catch {
+    }
+    if (apiKeyColumnsAdded) {
+      this.db.prepare("UPDATE pm_api_keys SET revoked_at = ? WHERE revoked_at IS NULL AND key_prefix IS NULL").run(Date.now());
+    }
     this.ensureDefaultWorkspace();
   }
   /**
@@ -4149,8 +5460,11 @@ var PmStore = class {
   // Projects
   // ============================================================
   upsertProject(project) {
-    const workspaceId = project.workspaceId ?? this.db.prepare("SELECT id FROM pm_workspaces WHERE is_default = 1 LIMIT 1").get();
-    const resolvedWorkspaceId = typeof workspaceId === "string" ? workspaceId : workspaceId?.id ?? null;
+    let resolvedWorkspaceId = project.workspaceId ?? null;
+    if (!resolvedWorkspaceId) {
+      const row = this.db.prepare("SELECT id FROM pm_workspaces WHERE is_default = 1 LIMIT 1").get();
+      resolvedWorkspaceId = row?.id ?? null;
+    }
     this.db.prepare(`
       INSERT INTO pm_projects (id, workspace_id, name, path, claude_project_key, runtimescope_project,
         phase, management_authorized, probable_to_complete, project_status,
@@ -4387,13 +5701,16 @@ var PmStore = class {
   createApiKey(workspaceId, label, expiresAt) {
     const ws = this.getWorkspace(workspaceId);
     if (!ws) throw new Error(`Workspace ${workspaceId} does not exist`);
-    const key = `tk_${randomBytes3(24).toString("hex")}`;
+    const raw = `tk_${randomBytes4(24).toString("hex")}`;
+    const hash = hashApiKey(raw);
+    const prefix = raw.slice(0, 11);
+    const last4 = raw.slice(-4);
     const now = Date.now();
     this.db.prepare(
-      `INSERT INTO pm_api_keys (key, workspace_id, label, created_at, expires_at)
-         VALUES (?, ?, ?, ?, ?)`
-    ).run(key, workspaceId, label, now, expiresAt ?? null);
-    return { key, workspaceId, label, createdAt: now, expiresAt };
+      `INSERT INTO pm_api_keys (key, workspace_id, label, created_at, expires_at, key_prefix, key_last4)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).run(hash, workspaceId, label, now, expiresAt ?? null, prefix, last4);
+    return { key: raw, keyPrefix: prefix, keyLast4: last4, workspaceId, label, createdAt: now, expiresAt };
   }
   listApiKeys(workspaceId) {
     const rows = this.db.prepare(
@@ -4401,19 +5718,49 @@ var PmStore = class {
     ).all(workspaceId);
     return rows.map(mapApiKeyRow);
   }
-  revokeApiKey(key) {
-    this.db.prepare("UPDATE pm_api_keys SET revoked_at = ? WHERE key = ?").run(Date.now(), key);
+  /** Revoke by the public prefix (what the dashboard shows), not the raw secret. */
+  revokeApiKey(prefix) {
+    this.db.prepare("UPDATE pm_api_keys SET revoked_at = ? WHERE key_prefix = ?").run(Date.now(), prefix);
+  }
+  /** Look up an API key's workspace by its public prefix. Used for per-workspace authorization on the revoke route. */
+  findApiKeyByPrefix(prefix) {
+    const row = this.db.prepare(`SELECT * FROM pm_api_keys WHERE key_prefix = ? AND revoked_at IS NULL LIMIT 1`).get(prefix);
+    return row ? mapApiKeyRow(row) : null;
+  }
+  /**
+   * True if any non-revoked workspace API key exists. The HTTP auth gate uses
+   * this to enforce auth whenever workspace keys are in play, even when the
+   * global AuthManager has no keys configured. Without this check, a user who
+   * creates a workspace key expecting it to gate access gets no auth at all
+   * (the H5 bypass).
+   */
+  hasActiveApiKeys() {
+    const row = this.db.prepare("SELECT 1 AS n FROM pm_api_keys WHERE revoked_at IS NULL LIMIT 1").get();
+    return !!row;
   }
-  getWorkspaceByApiKey(key) {
+  /**
+   * Given a runtime projectId (proj_xxx), return the workspaceId it belongs to,
+   * or null if the projectId isn't registered with any PM project. Used to
+   * enforce per-workspace isolation on event-read routes — the caller can only
+   * query events from runtime projects owned by their workspace.
+   */
+  getWorkspaceIdByRuntimeProjectId(runtimeProjectId) {
+    if (!runtimeProjectId) return null;
+    const row = this.db.prepare("SELECT workspace_id FROM pm_projects WHERE runtime_project_id = ? LIMIT 1").get(runtimeProjectId);
+    return row?.workspace_id ?? null;
+  }
+  getWorkspaceByApiKey(rawKey) {
+    if (!rawKey || typeof rawKey !== "string") return null;
+    const hash = hashApiKey(rawKey);
     const row = this.db.prepare(
       `SELECT w.* FROM pm_api_keys k
          JOIN pm_workspaces w ON w.id = k.workspace_id
          WHERE k.key = ? AND k.revoked_at IS NULL
          AND (k.expires_at IS NULL OR k.expires_at > ?)`
-    ).get(key, Date.now());
+    ).get(hash, Date.now());
     if (!row) return null;
     try {
-      this.db.prepare("UPDATE pm_api_keys SET last_used_at = ? WHERE key = ?").run(Date.now(), key);
+      this.db.prepare("UPDATE pm_api_keys SET last_used_at = ? WHERE key = ?").run(Date.now(), hash);
     } catch {
     }
     return mapWorkspaceRow(row);
@@ -5212,8 +6559,11 @@ var PmStore = class {
     this.db.close();
   }
 };
+function hashApiKey(raw) {
+  return createHash2("sha256").update(raw, "utf8").digest("hex");
+}
 function generateWorkspaceId() {
-  return `ws_${randomBytes3(8).toString("hex")}`;
+  return `ws_${randomBytes4(8).toString("hex")}`;
 }
 function mapWorkspaceRow(row) {
   return {
@@ -5228,7 +6578,11 @@ function mapWorkspaceRow(row) {
 }
 function mapApiKeyRow(row) {
   return {
-    key: row.key,
+    // Never return the stored value (it's the hash) — list responses expose
+    // only prefix + last4 for display. The raw token appears once, at create.
+    key: "",
+    keyPrefix: row.key_prefix ?? "",
+    keyLast4: row.key_last4 ?? "",
     workspaceId: row.workspace_id,
     label: row.label,
     createdAt: row.created_at,
@@ -5443,13 +6797,13 @@ async function parseSessionJsonl(jsonlPath, sessionId, projectId) {
 
 // src/pm/project-discovery.ts
 import { readdir as readdir2, readFile as readFile2, stat as stat2 } from "fs/promises";
-import { join as join5, basename as basename2 } from "path";
-import { existsSync as existsSync6 } from "fs";
+import { join as join7, basename as basename2 } from "path";
+import { existsSync as existsSync7 } from "fs";
 import { homedir as homedir3 } from "os";
 var LOG_PREFIX = "[RuntimeScope PM]";
 async function detectSdkInstalled(projectPath) {
   try {
-    const pkgPath = join5(projectPath, "package.json");
+    const pkgPath = join7(projectPath, "package.json");
     const pkg = JSON.parse(await readFile2(pkgPath, "utf-8"));
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     if ("@runtimescope/sdk" in allDeps || "@runtimescope/server-sdk" in allDeps) {
@@ -5459,13 +6813,13 @@ async function detectSdkInstalled(projectPath) {
       const workspaces = Array.isArray(pkg.workspaces) ? pkg.workspaces : pkg.workspaces.packages ?? [];
       for (const ws of workspaces) {
         const wsBase = ws.replace(/\/?\*$/, "");
-        const wsDir = join5(projectPath, wsBase);
+        const wsDir = join7(projectPath, wsBase);
         try {
           const entries = await readdir2(wsDir, { withFileTypes: true });
           for (const entry of entries) {
             if (!entry.isDirectory()) continue;
             try {
-              const wsPkg = JSON.parse(await readFile2(join5(wsDir, entry.name, "package.json"), "utf-8"));
+              const wsPkg = JSON.parse(await readFile2(join7(wsDir, entry.name, "package.json"), "utf-8"));
               const wsDeps = { ...wsPkg.dependencies, ...wsPkg.devDependencies };
               if ("@runtimescope/sdk" in wsDeps || "@runtimescope/server-sdk" in wsDeps) {
                 return true;
@@ -5480,7 +6834,7 @@ async function detectSdkInstalled(projectPath) {
   } catch {
   }
   try {
-    await stat2(join5(projectPath, "node_modules", "@runtimescope"));
+    await stat2(join7(projectPath, "node_modules", "@runtimescope"));
     return true;
   } catch {
     return false;
@@ -5511,7 +6865,7 @@ function slugifyPath(fsPath) {
 }
 function decodeClaudeKey(key) {
   const naive = "/" + key.slice(1).replace(/-/g, "/");
-  if (existsSync6(naive)) return naive;
+  if (existsSync7(naive)) return naive;
   const parts = key.slice(1).split("-");
   return resolvePathSegments(parts);
 }
@@ -5519,16 +6873,16 @@ function resolvePathSegments(parts) {
   if (parts.length === 0) return null;
   function tryResolve(prefix, remaining) {
     if (remaining.length === 0) {
-      return existsSync6(prefix) ? prefix : null;
+      return existsSync7(prefix) ? prefix : null;
     }
     for (let count = remaining.length; count >= 1; count--) {
       const segment = remaining.slice(0, count).join("-");
-      const candidate = join5(prefix, segment);
+      const candidate = join7(prefix, segment);
       if (count === remaining.length) {
-        if (existsSync6(candidate)) return candidate;
+        if (existsSync7(candidate)) return candidate;
       } else {
         try {
-          if (existsSync6(candidate)) {
+          if (existsSync7(candidate)) {
             const result = tryResolve(candidate, remaining.slice(count));
             if (result) return result;
           }
@@ -5551,7 +6905,7 @@ var ProjectDiscovery = class {
   constructor(pmStore, projectManager, claudeBaseDir) {
     this.pmStore = pmStore;
     this.projectManager = projectManager;
-    this.claudeBaseDir = claudeBaseDir ?? join5(homedir3(), ".claude");
+    this.claudeBaseDir = claudeBaseDir ?? join7(homedir3(), ".claude");
   }
   claudeBaseDir;
   /**
@@ -5584,7 +6938,7 @@ var ProjectDiscovery = class {
       sessionsUpdated: 0,
       errors: []
     };
-    const projectsDir = join5(this.claudeBaseDir, "projects");
+    const projectsDir = join7(this.claudeBaseDir, "projects");
     try {
       await stat2(projectsDir);
     } catch {
@@ -5697,10 +7051,10 @@ var ProjectDiscovery = class {
     if (!project.claudeProjectKey) {
       return 0;
     }
-    const projectDir = join5(this.claudeBaseDir, "projects", project.claudeProjectKey);
+    const projectDir = join7(this.claudeBaseDir, "projects", project.claudeProjectKey);
     let sessionsIndexed = 0;
     try {
-      const indexPath = join5(projectDir, "sessions-index.json");
+      const indexPath = join7(projectDir, "sessions-index.json");
       let indexEntries = null;
       try {
         const indexContent = await readFile2(indexPath, "utf-8");
@@ -5713,7 +7067,7 @@ var ProjectDiscovery = class {
       for (const jsonlFile of jsonlFiles) {
         try {
           const sessionId = jsonlFile.replace(".jsonl", "");
-          const jsonlPath = join5(projectDir, jsonlFile);
+          const jsonlPath = join7(projectDir, jsonlFile);
           const fileStat = await stat2(jsonlPath);
           const fileSize = fileStat.size;
           const existingSession = await this.pmStore.getSession(sessionId);
@@ -5748,7 +7102,7 @@ var ProjectDiscovery = class {
    * Process a single Claude project directory key.
    */
   async processClaudeProject(key, result) {
-    const projectDir = join5(this.claudeBaseDir, "projects", key);
+    const projectDir = join7(this.claudeBaseDir, "projects", key);
     let fsPath = decodeClaudeKey(key);
     if (!fsPath) {
       fsPath = await this.resolvePathFromIndex(projectDir);
@@ -5802,7 +7156,7 @@ var ProjectDiscovery = class {
    */
   async resolvePathFromIndex(projectDir) {
     try {
-      const indexPath = join5(projectDir, "sessions-index.json");
+      const indexPath = join7(projectDir, "sessions-index.json");
       const content = await readFile2(indexPath, "utf-8");
       const index = JSON.parse(content);
       const entry = index.entries?.find((e) => e.projectPath);
@@ -5817,11 +7171,11 @@ var ProjectDiscovery = class {
    */
   async indexSessionsForClaudeProject(projectId, claudeKey) {
     const counts = { discovered: 0, updated: 0 };
-    const projectDir = join5(this.claudeBaseDir, "projects", claudeKey);
+    const projectDir = join7(this.claudeBaseDir, "projects", claudeKey);
     try {
       let indexEntries = null;
       try {
-        const indexPath = join5(projectDir, "sessions-index.json");
+        const indexPath = join7(projectDir, "sessions-index.json");
         const indexContent = await readFile2(indexPath, "utf-8");
         const index = JSON.parse(indexContent);
         indexEntries = index.entries ?? [];
@@ -5832,7 +7186,7 @@ var ProjectDiscovery = class {
       for (const jsonlFile of jsonlFiles) {
         try {
           const sessionId = jsonlFile.replace(".jsonl", "");
-          const jsonlPath = join5(projectDir, jsonlFile);
+          const jsonlPath = join7(projectDir, jsonlFile);
           const fileStat = await stat2(jsonlPath);
           const fileSize = fileStat.size;
           const existingSession = await this.pmStore.getSession(sessionId);
@@ -6017,6 +7371,15 @@ export {
   getOrCreateProjectId,
   SqliteStore,
   isSqliteAvailable,
+  Wal,
+  Counter,
+  Gauge,
+  MetricsRegistry,
+  OtelExporter,
+  traceIdFromSession,
+  randomSpanId,
+  parseOtelHeaders,
+  otelOptionsFromEnv,
   SessionRateLimiter,
   loadTlsOptions,
   resolveTlsConfig,
@@ -6045,4 +7408,4 @@ export {
   parseSessionJsonl,
   ProjectDiscovery
 };
-//# sourceMappingURL=chunk-WWFIEANS.js.map
+//# sourceMappingURL=chunk-M2V4EFJY.js.map