@sanctix/client 0.1.0

package/cli/status.js

@@ -0,0 +1,103 @@
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import { httpRequestJson } from './runtime.js';
+
+export async function status() {
+  const cwd = process.cwd();
+  const manifestPath = path.join(cwd, '.sanctix/sanctix.config.json');
+
+  console.log(chalk.bold('Sanctix Status'));
+
+  if (!(await fs.pathExists(manifestPath))) {
+    console.log('Not initialized — run sanctix init to get started.');
+    process.exit(0);
+  }
+
+  const manifest = await fs.readJSON(manifestPath);
+  const auditUrl = manifest.auditUrl;
+  const runtime  = manifest.runtime;
+
+  // Step 2: audit service health.
+  const health = await httpRequestJson('GET', auditUrl.replace(/\/$/, '') + '/health', { timeoutMs: 3000 });
+  let auditStatus;
+  if (health.status === 200) {
+    auditStatus = chalk.green('connected');
+  } else if (health.error) {
+    auditStatus = chalk.red('disconnected (' + health.error + ')');
+  } else {
+    auditStatus = chalk.red('disconnected (HTTP ' + health.status + ')');
+  }
+
+  // Step 3: hook files.
+  const managedFiles = manifest.managedFiles || [];
+  let missingCount = 0;
+  for (const rel of managedFiles) {
+    if (!(await fs.pathExists(path.join(cwd, rel)))) missingCount++;
+  }
+  let hookStatus;
+  if (managedFiles.length === 0) {
+    hookStatus = 'n/a';
+  } else if (missingCount === 0) {
+    hookStatus = chalk.green('active');
+  } else if (missingCount === managedFiles.length) {
+    hookStatus = chalk.red('not installed');
+  } else {
+    hookStatus = chalk.yellow('partial (' + missingCount + ' missing)');
+  }
+
+  // Step 4: server-side fields.
+  let sessionsToday = 'n/a';
+  let trustLevel    = 'n/a';
+  let chainStatus   = 'n/a';
+  if (health.status === 200) {
+    const statusRes = await httpRequestJson('GET', auditUrl.replace(/\/$/, '') + '/status', { timeoutMs: 3000 });
+    if (statusRes.status === 200 && statusRes.body && typeof statusRes.body === 'object') {
+      if (statusRes.body.sessions_today !== undefined) sessionsToday = String(statusRes.body.sessions_today);
+      if (statusRes.body.trust_level    !== undefined) trustLevel    = String(statusRes.body.trust_level);
+      if (statusRes.body.chain_status   !== undefined) chainStatus   = String(statusRes.body.chain_status);
+    }
+  }
+
+  // Step 5: print.
+  console.log('Audit service:   ' + auditStatus);
+  console.log('Hooks:           ' + hookStatus + ' (' + runtime + ')');
+  console.log('Sessions today:  ' + sessionsToday);
+  console.log('Trust level:     ' + trustLevel);
+  console.log('Chain:           ' + chainStatus);
+
+  // Step 6: active session.
+  const sessionEnvPath = path.join(cwd, '.sanctix/session.env');
+  if (await fs.pathExists(sessionEnvPath)) {
+    const text = await fs.readFile(sessionEnvPath, 'utf8');
+    const sessionEnv = parseEnvFile(text);
+    if (sessionEnv.AWF_CORRELATION_ID) {
+      console.log('Active session:  ' + sessionEnv.AWF_CORRELATION_ID);
+      console.log('Task:            ' + (sessionEnv.SANCTIX_TASK || ''));
+      console.log('Risk:            ' + (sessionEnv.SANCTIX_RISK || 'unknown'));
+      console.log('Started:         ' + (sessionEnv.SANCTIX_SESSION_STARTED || ''));
+    } else {
+      console.log('Active session:  none (run sanctix start "task description")');
+    }
+  } else {
+    console.log('Active session:  none (run sanctix start "task description")');
+  }
+
+  // Suggested fix.
+  if (health.status !== 200) {
+    console.log('');
+    console.log(chalk.yellow('Fix: start the audit service at ' + auditUrl + ' or update .sanctix/sanctix.config.json.'));
+  } else if (missingCount > 0) {
+    console.log('');
+    console.log(chalk.yellow('Fix: hook files are missing — run sanctix init to reinstall.'));
+  }
+}
+
+function parseEnvFile(text) {
+  const out = {};
+  for (const line of text.split('\n')) {
+    const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+    if (m) out[m[1]] = m[2];
+  }
+  return out;
+}

package/cli/stop.js

@@ -0,0 +1,134 @@
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import { httpRequestJson } from './runtime.js';
+
+export async function stop(_options = {}) {
+  const cwd = process.cwd();
+
+  // Step 1: Read session env file.
+  const sessionEnvPath = path.join(cwd, '.sanctix/session.env');
+  if (!(await fs.pathExists(sessionEnvPath))) {
+    console.log('No active Sanctix session found.');
+    process.exit(0);
+  }
+
+  // Step 2: Parse session env.
+  const text = await fs.readFile(sessionEnvPath, 'utf8');
+  const env = parseEnvFile(text);
+  const correlationId = env.AWF_CORRELATION_ID;
+  const sessionId     = env.AWF_SESSION_ID;
+  const task          = env.SANCTIX_TASK || '';
+  const risk          = env.SANCTIX_RISK || 'unknown';
+  const startedAt     = env.SANCTIX_SESSION_STARTED;
+
+  // Step 3: Read manifest.
+  const manifestPath = path.join(cwd, '.sanctix/sanctix.config.json');
+  if (!(await fs.pathExists(manifestPath))) {
+    console.error(chalk.red('Sanctix manifest missing. Cannot complete session cleanly.'));
+    process.exit(1);
+  }
+  const manifest = await fs.readJSON(manifestPath);
+  const auditUrl = manifest.auditUrl.replace(/\/$/, '');
+  const apiKey = process.env.SANCTIX_API_KEY || readEnvKey(cwd, 'SANCTIX_API_KEY');
+
+  // Step 4: Get session summary from audit service.
+  const sessionRes = await httpRequestJson('GET', auditUrl + '/session/' + correlationId, {
+    apiKey: apiKey || null,
+    timeoutMs: 3000,
+  });
+  let summaryLine = null;
+  if (sessionRes.status === 200 && sessionRes.body && typeof sessionRes.body === 'object') {
+    const count = sessionRes.body.event_count;
+    const chain = sessionRes.body.chain_status;
+    summaryLine = 'Events:     ' + (count !== undefined ? count : 'n/a') +
+      (chain ? ' (chain: ' + chain + ')' : '');
+  } else {
+    summaryLine = 'Session data not yet available.';
+  }
+
+  // Step 5: Post SANCTIX_SESSION_COMPLETED event.
+  const completedAt = new Date().toISOString();
+  const userId = process.env.USER || process.env.USERNAME || 'user';
+  const postRes = await httpRequestJson('POST', auditUrl + '/events', {
+    apiKey: apiKey || null,
+    timeoutMs: 3000,
+    body: {
+      actor_type:       'agent',
+      event_type:       'sanctix.session.completed',
+      timestamp_utc:    completedAt,
+      correlation_id:   correlationId,
+      user_id:          userId,
+      runtime_provider: manifest.runtime,
+      event_data: {
+        session_id:    sessionId,
+        task:          task,
+        risk:          risk,
+        started_at:    startedAt,
+        completed_at:  completedAt,
+      },
+    },
+  });
+  if (postRes.status !== 201 && postRes.status !== 200) {
+    console.warn(chalk.yellow(
+      'Warning: failed to post session.completed event' +
+      (postRes.error ? ' (' + postRes.error + ')' : ' (HTTP ' + postRes.status + ')')
+    ));
+  }
+
+  // Step 6: Remove session env file.
+  await fs.remove(sessionEnvPath);
+
+  // Step 7: Print summary.
+  const duration = formatDuration(startedAt, completedAt);
+  console.log('');
+  console.log(chalk.bold('=== Sanctix Session Complete ==='));
+  console.log('Session:    ' + correlationId);
+  console.log('Task:       ' + task);
+  console.log('Risk:       ' + risk);
+  console.log('Duration:   ' + duration);
+  if (summaryLine) console.log(summaryLine);
+  console.log('');
+  console.log('To view this session:');
+  console.log('  awf audit show --correlation-id ' + correlationId);
+  console.log('');
+  console.log(chalk.bold('================================'));
+}
+
+function parseEnvFile(text) {
+  const out = {};
+  for (const line of text.split('\n')) {
+    const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+    if (m) out[m[1]] = m[2];
+  }
+  return out;
+}
+
+function formatDuration(startedAt, completedAt) {
+  try {
+    const ms = new Date(completedAt).getTime() - new Date(startedAt).getTime();
+    if (!isFinite(ms) || ms < 0) return 'n/a';
+    const totalSec = Math.floor(ms / 1000);
+    const h = Math.floor(totalSec / 3600);
+    const m = Math.floor((totalSec % 3600) / 60);
+    const s = totalSec % 60;
+    if (h > 0) return `${h}h ${m}m ${s}s`;
+    if (m > 0) return `${m}m ${s}s`;
+    return `${s}s`;
+  } catch (_e) {
+    return 'n/a';
+  }
+}
+
+function readEnvKey(cwd, key) {
+  try {
+    const envPath = path.join(cwd, '.env');
+    if (!fs.pathExistsSync(envPath)) return null;
+    const text = fs.readFileSync(envPath, 'utf8');
+    for (const line of text.split('\n')) {
+      const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+      if (m && m[1] === key && m[2]) return m[2];
+    }
+  } catch (_e) {}
+  return null;
+}

package/cli/uninstall.js

@@ -0,0 +1,195 @@
+import fs from 'fs-extra';
+import path from 'path';
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import { SANCTIX_HOOK_COMMANDS } from './init.js';
+
+export async function uninstall(options) {
+  const cwd = process.cwd();
+  const manifestPath = path.join(cwd, '.sanctix/sanctix.config.json');
+
+  // Step 1: Read manifest.
+  if (!(await fs.pathExists(manifestPath))) {
+    console.log('Sanctix is not installed in this directory.');
+    console.log('Run sanctix init to install.');
+    process.exit(0);
+  }
+  const manifest = await fs.readJSON(manifestPath);
+
+  // Step 2: Confirm.
+  if (!options.yes) {
+    console.log('The following will be removed:');
+    for (const f of manifest.managedFiles || []) console.log('  ' + f);
+    for (const k of manifest.managedEnvKeys || []) console.log('  .env: ' + k);
+    console.log('  .sanctix/sanctix.config.json');
+    const answer = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'cont',
+      message: 'Remove Sanctix from this repo?',
+      default: false,
+    }]);
+    if (!answer.cont) {
+      console.log('Aborted.');
+      process.exit(0);
+    }
+  }
+
+  const removed = [];
+
+  // Step 3: Remove hook files (and any shared helpers we installed).
+  for (const rel of manifest.managedFiles || []) {
+    const full = path.join(cwd, rel);
+    if (await fs.pathExists(full)) {
+      await fs.remove(full);
+      console.log('[removed] ' + rel);
+      removed.push(rel);
+    }
+  }
+
+  if (manifest.runtime === 'claude_code') {
+    // Remove shared helpers from each hook subdir.
+    for (const sub of ['pre-tool-use', 'post-tool-use', 'sub-agent-start']) {
+      for (const helper of ['tool-capture.cjs', 'post-audit-event.cjs']) {
+        const helperPath = path.join(cwd, '.claude/hooks', sub, helper);
+        if (await fs.pathExists(helperPath)) {
+          await fs.remove(helperPath);
+        }
+      }
+      // Remove empty hook subdir.
+      const subDir = path.join(cwd, '.claude/hooks', sub);
+      if (await fs.pathExists(subDir)) {
+        const entries = await fs.readdir(subDir);
+        if (entries.length === 0) await fs.remove(subDir);
+      }
+    }
+    // Remove empty .claude/hooks/ if no remaining children.
+    const hooksDir = path.join(cwd, '.claude/hooks');
+    if (await fs.pathExists(hooksDir)) {
+      const entries = await fs.readdir(hooksDir);
+      if (entries.length === 0) await fs.remove(hooksDir);
+    }
+
+    // Update settings.json — strip Sanctix entries.
+    const settingsPath = path.join(cwd, '.claude/settings.json');
+    if (await fs.pathExists(settingsPath)) {
+      const settings = await fs.readJSON(settingsPath);
+      if (settings.hooks) {
+        for (const [event, entries] of Object.entries(SANCTIX_HOOK_COMMANDS)) {
+          if (!settings.hooks[event]) continue;
+          const ourCommands = new Set(entries.map((e) => e.command));
+          settings.hooks[event] = settings.hooks[event].filter((block) => {
+            const hooks = block.hooks || [];
+            const isOurs = hooks.length > 0 &&
+              hooks.every((h) => h && h.type === 'command' && ourCommands.has(h.command));
+            return !isOurs;
+          });
+          if (settings.hooks[event].length === 0) delete settings.hooks[event];
+        }
+        if (Object.keys(settings.hooks).length === 0) delete settings.hooks;
+      }
+      if (Object.keys(settings).length === 0) {
+        await fs.remove(settingsPath);
+      } else {
+        await fs.writeJSON(settingsPath, settings, { spaces: 2 });
+      }
+    }
+  }
+
+  // Step 4: Remove .env keys.
+  const envPath = path.join(cwd, '.env');
+  if (await fs.pathExists(envPath)) {
+    const text = await fs.readFile(envPath, 'utf8');
+    const managedKeys = new Set(manifest.managedEnvKeys || []);
+    const kept = text.split('\n').filter((line) => {
+      const m = line.match(/^([A-Z0-9_]+)=/);
+      if (m && managedKeys.has(m[1])) {
+        console.log('[removed] .env: ' + m[1]);
+        removed.push('.env:' + m[1]);
+        return false;
+      }
+      return true;
+    });
+    let out = kept.join('\n').replace(/\n{3,}/g, '\n\n');
+    if (out.trim() === '') {
+      await fs.remove(envPath);
+    } else {
+      if (!out.endsWith('\n')) out += '\n';
+      await fs.writeFile(envPath, out);
+    }
+  }
+
+  // Step 5: Runtime-specific cleanup.
+  if (manifest.runtime === 'codex') {
+    const agentsPath = path.join(cwd, 'AGENTS.md');
+    if (await fs.pathExists(agentsPath)) {
+      const text = await fs.readFile(agentsPath, 'utf8');
+      const cleaned = stripSanctixSection(text);
+      if (cleaned.trim() === '') {
+        await fs.remove(agentsPath);
+      } else {
+        await fs.writeFile(agentsPath, cleaned);
+      }
+    }
+  }
+  if (manifest.runtime === 'cursor') {
+    const hooksJsonPath = path.join(cwd, '.cursor/hooks.json');
+    if (await fs.pathExists(hooksJsonPath)) {
+      const json = await fs.readJSON(hooksJsonPath);
+      delete json.sanctix;
+      if (Object.keys(json).length === 0) {
+        await fs.remove(hooksJsonPath);
+      } else {
+        await fs.writeJSON(hooksJsonPath, json, { spaces: 2 });
+      }
+    }
+  }
+
+  // Step 6: Remove session env if present.
+  const sessionEnvPath = path.join(cwd, '.sanctix/session.env');
+  if (await fs.pathExists(sessionEnvPath)) {
+    await fs.remove(sessionEnvPath);
+    console.log('[removed] .sanctix/session.env');
+    removed.push('.sanctix/session.env');
+  }
+
+  // Step 7: Remove manifest.
+  await fs.remove(manifestPath);
+  const sanctixDir = path.join(cwd, '.sanctix');
+  if (await fs.pathExists(sanctixDir)) {
+    const entries = await fs.readdir(sanctixDir);
+    if (entries.length === 0) await fs.remove(sanctixDir);
+  }
+
+  // Step 7: Confirmation.
+  console.log('');
+  console.log(chalk.green('[ok] Sanctix removed from this repo.'));
+  console.log('');
+  console.log('  The following were removed:');
+  for (const r of removed) console.log('    ' + r);
+  console.log('    .sanctix/sanctix.config.json');
+  console.log('');
+  console.log('  Your repo is clean.');
+}
+
+function stripSanctixSection(text) {
+  const lines = text.split('\n');
+  const out = [];
+  let skipping = false;
+  for (const line of lines) {
+    if (line.startsWith('## Sanctix Governance')) {
+      skipping = true;
+      continue;
+    }
+    if (skipping) {
+      // Stop skipping at the next markdown header or document separator.
+      if (line.startsWith('## ') || line.startsWith('# ') || line === '---') {
+        skipping = false;
+        out.push(line);
+        continue;
+      }
+      continue;
+    }
+    out.push(line);
+  }
+  return out.join('\n').replace(/\n{3,}/g, '\n\n');
+}

package/hooks/check-agent-spawn-result.cjs

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const timestamp = new Date().toISOString();
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    tool: (input && input.tool_name) || 'Agent',
+    hook: 'post-tool-use',
+    decision: 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.agent_spawn.post_tool_use',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();

package/hooks/check-agent-spawn.cjs

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const timestamp = new Date().toISOString();
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    tool: (input && input.tool_name) || 'Agent',
+    hook: 'pre-tool-use',
+    decision: 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.agent_spawn.pre_tool_use',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();

package/hooks/check-bash.cjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const HOOK_MODE      = process.env.SANCTIX_HOOK_MODE  || 'enforce';
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const command   = (input && input.tool_input && input.tool_input.command) || 'unknown';
+const timestamp = new Date().toISOString();
+
+const blocked = ['rm -rf /', 'DROP TABLE', 'delete from audit'];
+const isBlocked = HOOK_MODE === 'enforce' &&
+  blocked.some((b) => command.toLowerCase().includes(b.toLowerCase()));
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    tool: 'Bash',
+    command: String(command).substring(0, 200),
+    hook: 'pre-tool-use',
+    decision: isBlocked ? 'block' : 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.bash.pre_tool_use',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  if (isBlocked) {
+    process.stdout.write(JSON.stringify({
+      decision: 'block',
+      reason: 'Command blocked by Sanctix governance',
+    }));
+    process.exit(2);
+  }
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();

package/hooks/check-file-edit-result.cjs

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const toolName  = (input && input.tool_name) || '';
+const filePath  = (input && input.tool_input && (input.tool_input.path || input.tool_input.file_path)) || 'unknown';
+const timestamp = new Date().toISOString();
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    tool: toolName,
+    file: filePath,
+    hook: 'post-tool-use',
+    decision: 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.file_edit.post_tool_use',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();