@swarmclawai/swarmclaw 0.6.8 → 0.7.0

package/src/lib/server/cost.test.ts

@@ -0,0 +1,73 @@
+import assert from 'node:assert/strict'
+import { test } from 'node:test'
+import type { Agent } from '@/types'
+import { checkAgentBudgetLimits, getAgentSpendWindows } from './cost.ts'
+
+function buildNowTs(): number {
+  const d = new Date()
+  d.setFullYear(2026, 2, 15)
+  d.setHours(12, 0, 0, 0)
+  return d.getTime()
+}
+
+test('getAgentSpendWindows aggregates hourly/daily/monthly windows', () => {
+  const now = buildNowTs()
+  const previousMonth = new Date(2026, 1, 20, 12, 0, 0, 0).getTime()
+
+  const sessions = {
+    s1: { agentId: 'agent-a' },
+    s2: { agentId: 'agent-b' },
+  }
+  const usage = {
+    s1: [
+      { timestamp: now - 20 * 60_000, estimatedCost: 1.25 },      // within hour
+      { timestamp: now - 3 * 60 * 60_000, estimatedCost: 0.5 },    // today
+      { timestamp: now - 26 * 60 * 60_000, estimatedCost: 2.0 },   // yesterday
+      { timestamp: previousMonth, estimatedCost: 4.0 },            // previous month
+    ],
+    s2: [
+      { timestamp: now - 5 * 60_000, estimatedCost: 99 },          // different agent
+    ],
+  }
+
+  const spend = getAgentSpendWindows('agent-a', now, { sessions, usage })
+  assert.equal(spend.hourly, 1.25)
+  assert.equal(spend.daily, 1.75)
+  assert.equal(spend.monthly, 3.75)
+})
+
+test('checkAgentBudgetLimits reports exceeded and warning windows', () => {
+  const now = buildNowTs()
+  const sessions = { s1: { agentId: 'agent-a' } }
+  const usage = {
+    s1: [
+      { timestamp: now - 15 * 60_000, estimatedCost: 1.25 },       // hourly over
+      { timestamp: now - 4 * 60 * 60_000, estimatedCost: 0.5 },    // daily near
+      { timestamp: now - 26 * 60 * 60_000, estimatedCost: 2.0 },   // monthly near
+    ],
+  }
+  const agent = {
+    id: 'agent-a',
+    name: 'Agent A',
+    hourlyBudget: 1.0,
+    dailyBudget: 2.0,
+    monthlyBudget: 4.0,
+  } as Agent
+
+  const result = checkAgentBudgetLimits(agent, now, { sessions, usage })
+  assert.equal(result.ok, false)
+  assert.deepEqual(result.exceeded.map((x) => x.window), ['hourly'])
+  assert.deepEqual(result.warnings.map((x) => x.window), ['daily', 'monthly'])
+})
+
+test('checkAgentBudgetLimits is ok when no caps are configured', () => {
+  const now = buildNowTs()
+  const sessions = { s1: { agentId: 'agent-a' } }
+  const usage = { s1: [{ timestamp: now - 10 * 60_000, estimatedCost: 10 }] }
+  const agent = { id: 'agent-a', name: 'Agent A' } as Agent
+
+  const result = checkAgentBudgetLimits(agent, now, { sessions, usage })
+  assert.equal(result.ok, true)
+  assert.equal(result.exceeded.length, 0)
+  assert.equal(result.warnings.length, 0)
+})

package/src/lib/server/cost.ts

@@ -1,3 +1,6 @@
+import type { Agent, UsageRecord } from '@/types'
+import { loadSessions, loadUsage } from './storage'
+
 // Model cost table: [inputCostPer1M, outputCostPer1M] in USD
 const MODEL_COSTS: Record<string, [number, number]> = {
   // Anthropic
@@ -11,7 +14,7 @@ const MODEL_COSTS: Record<string, [number, number]> = {
   'gpt-4.1': [2, 8],
   'gpt-4.1-mini': [0.4, 1.6],
   'gpt-4.1-nano': [0.1, 0.4],
-  'o3': [10, 40],
+  o3: [10, 40],
   'o3-mini': [1.1, 4.4],
   'o4-mini': [1.1, 4.4],
   // OpenAI embeddings
@@ -19,6 +22,38 @@ const MODEL_COSTS: Record<string, [number, number]> = {
   'text-embedding-3-large': [0.13, 0],
 }
 
+const ONE_HOUR_MS = 60 * 60 * 1000
+const WARNING_RATIO = 0.8
+
+type GenericRecord = Record<string, unknown>
+type SessionsMap = Record<string, GenericRecord>
+type UsageMap = Record<string, unknown>
+
+function parsePositiveBudget(value: unknown): number | null {
+  if (typeof value !== 'number' || !Number.isFinite(value) || value <= 0) return null
+  return value
+}
+
+function toDateBoundaries(now: number) {
+  const d = new Date(now)
+  const dayStart = new Date(d)
+  dayStart.setHours(0, 0, 0, 0)
+  const monthStart = new Date(d.getFullYear(), d.getMonth(), 1)
+  return {
+    hourStartTs: now - ONE_HOUR_MS,
+    dayStartTs: dayStart.getTime(),
+    monthStartTs: monthStart.getTime(),
+  }
+}
+
+function getAgentSessionIds(agentId: string, sessions: SessionsMap): Set<string> {
+  const ids = new Set<string>()
+  for (const [sid, session] of Object.entries(sessions)) {
+    if (session?.agentId === agentId) ids.add(sid)
+  }
+  return ids
+}
+
 export function estimateCost(model: string, inputTokens: number, outputTokens: number): number {
   const costs = MODEL_COSTS[model]
   if (!costs) return 0
@@ -30,41 +65,141 @@ export function getModelCosts(): Record<string, [number, number]> {
   return { ...MODEL_COSTS }
 }
 
-// --- Agent Monthly Budget ---
-
-import { loadUsage, loadSessions } from './storage'
-import type { Agent, UsageRecord } from '@/types'
+export interface AgentSpendWindows {
+  hourly: number
+  daily: number
+  monthly: number
+}
 
-/**
- * Sum the estimated cost for an agent in the current calendar month.
- * Usage records are keyed by sessionId; we resolve agentId through sessions.
- */
-export function getAgentMonthlySpend(agentId: string): number {
-  const sessions = loadSessions()
-  // Build a set of sessionIds linked to this agent
-  const agentSessionIds = new Set<string>()
-  for (const [sid, session] of Object.entries(sessions)) {
-    if (session?.agentId === agentId) agentSessionIds.add(sid)
+export function getAgentSpendWindows(
+  agentId: string,
+  now = Date.now(),
+  opts?: { sessions?: SessionsMap; usage?: UsageMap },
+): AgentSpendWindows {
+  const sessions = opts?.sessions ?? (loadSessions() as SessionsMap)
+  const usage = opts?.usage ?? (loadUsage() as UsageMap)
+  const agentSessionIds = getAgentSessionIds(agentId, sessions)
+  if (agentSessionIds.size === 0) {
+    return { hourly: 0, daily: 0, monthly: 0 }
   }
-  if (agentSessionIds.size === 0) return 0
 
-  const now = new Date()
-  const monthStart = new Date(now.getFullYear(), now.getMonth(), 1).getTime()
+  const { hourStartTs, dayStartTs, monthStartTs } = toDateBoundaries(now)
+  const spend: AgentSpendWindows = { hourly: 0, daily: 0, monthly: 0 }
 
-  const usage = loadUsage()
-  let total = 0
   for (const sid of agentSessionIds) {
-    const records = usage[sid]
-    if (!Array.isArray(records)) continue
-    for (const record of records) {
+    const raw = usage[sid]
+    if (!Array.isArray(raw)) continue
+    for (const record of raw) {
       const r = record as UsageRecord
-      if (typeof r.timestamp !== 'number' || r.timestamp < monthStart) continue
-      if (typeof r.estimatedCost === 'number' && Number.isFinite(r.estimatedCost) && r.estimatedCost > 0) {
-        total += r.estimatedCost
-      }
+      const ts = typeof r?.timestamp === 'number' ? r.timestamp : 0
+      if (ts <= 0) continue
+      const cost = typeof r?.estimatedCost === 'number' ? r.estimatedCost : 0
+      if (!Number.isFinite(cost) || cost <= 0) continue
+
+      if (ts >= monthStartTs) spend.monthly += cost
+      if (ts >= dayStartTs) spend.daily += cost
+      if (ts >= hourStartTs) spend.hourly += cost
     }
   }
-  return total
+
+  return spend
+}
+
+export function getAgentMonthlySpend(
+  agentId: string,
+  now = Date.now(),
+  opts?: { sessions?: SessionsMap; usage?: UsageMap },
+): number {
+  return getAgentSpendWindows(agentId, now, opts).monthly
+}
+
+export function getAgentDailySpend(
+  agentId: string,
+  now = Date.now(),
+  opts?: { sessions?: SessionsMap; usage?: UsageMap },
+): number {
+  return getAgentSpendWindows(agentId, now, opts).daily
+}
+
+export function getAgentHourlySpend(
+  agentId: string,
+  now = Date.now(),
+  opts?: { sessions?: SessionsMap; usage?: UsageMap },
+): number {
+  return getAgentSpendWindows(agentId, now, opts).hourly
+}
+
+export type AgentBudgetWindow = 'hourly' | 'daily' | 'monthly'
+
+export interface AgentBudgetStatus {
+  window: AgentBudgetWindow
+  spend: number
+  budget: number
+  ratio: number
+  message: string
+}
+
+export interface AgentBudgetCheckSummary {
+  ok: boolean
+  spend: AgentSpendWindows
+  exceeded: AgentBudgetStatus[]
+  warnings: AgentBudgetStatus[]
+}
+
+function budgetWindowLabel(window: AgentBudgetWindow): string {
+  if (window === 'hourly') return 'hourly'
+  if (window === 'daily') return 'daily'
+  return 'monthly'
+}
+
+function buildBudgetStatus(
+  agentName: string,
+  window: AgentBudgetWindow,
+  spend: number,
+  budget: number,
+  exceeded: boolean,
+): AgentBudgetStatus {
+  const ratio = budget > 0 ? spend / budget : 0
+  const label = budgetWindowLabel(window)
+  const message = exceeded
+    ? `Agent "${agentName}" has reached its ${label} budget: $${spend.toFixed(4)} spent of $${budget.toFixed(2)} cap.`
+    : `Agent "${agentName}" is nearing its ${label} budget: $${spend.toFixed(4)} of $${budget.toFixed(2)} (${Math.round(ratio * 100)}%).`
+  return { window, spend, budget, ratio, message }
+}
+
+export function checkAgentBudgetLimits(
+  agent: Agent,
+  now = Date.now(),
+  opts?: { sessions?: SessionsMap; usage?: UsageMap },
+): AgentBudgetCheckSummary {
+  const budgets: Partial<Record<AgentBudgetWindow, number>> = {
+    hourly: parsePositiveBudget(agent.hourlyBudget) ?? undefined,
+    daily: parsePositiveBudget(agent.dailyBudget) ?? undefined,
+    monthly: parsePositiveBudget(agent.monthlyBudget) ?? undefined,
+  }
+  const spend = getAgentSpendWindows(agent.id, now, opts)
+  const exceeded: AgentBudgetStatus[] = []
+  const warnings: AgentBudgetStatus[] = []
+
+  for (const window of ['hourly', 'daily', 'monthly'] as const) {
+    const budget = budgets[window]
+    if (!budget) continue
+    const windowSpend = spend[window]
+    if (windowSpend >= budget) {
+      exceeded.push(buildBudgetStatus(agent.name, window, windowSpend, budget, true))
+      continue
+    }
+    if (windowSpend >= budget * WARNING_RATIO) {
+      warnings.push(buildBudgetStatus(agent.name, window, windowSpend, budget, false))
+    }
+  }
+
+  return {
+    ok: exceeded.length === 0,
+    spend,
+    exceeded,
+    warnings,
+  }
 }
 
 export interface BudgetCheckResult {
@@ -75,14 +210,10 @@ export interface BudgetCheckResult {
 }
 
 /**
- * Check whether an agent is within its monthly budget.
- * Returns ok: true if no budget is set or spend is under the cap.
+ * Backwards-compatible monthly-only budget check.
  */
 export function checkBudget(agent: Agent): BudgetCheckResult {
-  const budget = typeof agent.monthlyBudget === 'number' && Number.isFinite(agent.monthlyBudget) && agent.monthlyBudget > 0
-    ? agent.monthlyBudget
-    : 0
-
+  const budget = parsePositiveBudget(agent.monthlyBudget) ?? 0
   if (budget <= 0) {
     return { ok: true, spend: 0, budget: 0 }
   }

package/src/lib/server/daemon-state.ts

@@ -17,9 +17,11 @@ import { hasOpenClawAgents, ensureGatewayConnected, disconnectGateway, getGatewa
 import { enqueueSessionRun } from './session-run-manager'
 import { WORKSPACE_DIR } from './data-dir'
 import { genId } from '@/lib/id'
+import path from 'node:path'
 import type { WebhookRetryEntry } from '@/types'
 import { createNotification } from '@/lib/server/create-notification'
 import { pingProvider, OPENAI_COMPATIBLE_DEFAULTS } from '@/lib/server/provider-health'
+import { runIntegrityMonitor } from '@/lib/server/integrity-monitor'
 
 const QUEUE_CHECK_INTERVAL = 30_000 // 30 seconds
 const BROWSER_SWEEP_INTERVAL = 60_000 // 60 seconds
@@ -88,6 +90,8 @@ const ds: {
   openclawDownAgentIds: Set<string>
   /** Per-agent auto-repair state for OpenClaw gateways. */
   openclawRepairState: Map<string, { attempts: number; lastAttemptAt: number; cooldownUntil: number }>
+  lastIntegrityCheckAt: number | null
+  lastIntegrityDriftCount: number
   manualStopRequested: boolean
   running: boolean
   lastProcessedAt: number | null
@@ -103,6 +107,8 @@ const ds: {
   connectorRestartState: new Map<string, { lastAttemptAt: number; failCount: number; wakeAttempts: number }>(),
   openclawDownAgentIds: new Set<string>(),
   openclawRepairState: new Map<string, { attempts: number; lastAttemptAt: number; cooldownUntil: number }>(),
+  lastIntegrityCheckAt: null,
+  lastIntegrityDriftCount: 0,
   manualStopRequested: false,
   running: false,
   lastProcessedAt: null,
@@ -113,6 +119,8 @@ if (!ds.staleSessionIds) ds.staleSessionIds = new Set<string>()
 if (!ds.connectorRestartState) ds.connectorRestartState = new Map<string, { lastAttemptAt: number; failCount: number; wakeAttempts: number }>()
 if (!ds.openclawDownAgentIds) ds.openclawDownAgentIds = new Set<string>()
 if (!ds.openclawRepairState) ds.openclawRepairState = new Map<string, { attempts: number; lastAttemptAt: number; cooldownUntil: number }>()
+if (ds.lastIntegrityCheckAt === undefined) ds.lastIntegrityCheckAt = null
+if (ds.lastIntegrityDriftCount === undefined) ds.lastIntegrityDriftCount = 0
 // Migrate from old issueLastAlertAt map if present (HMR across code versions)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 if ((ds as any).issueLastAlertAt) delete (ds as any).issueLastAlertAt
@@ -731,6 +739,35 @@ async function runHealthChecks() {
     console.error('[daemon] OpenClaw gateway health check failed:', err instanceof Error ? err.message : String(err))
   }
 
+  // Integrity drift monitoring for identity/config/plugin files.
+  try {
+    const integrity = runIntegrityMonitor(loadSettings())
+    ds.lastIntegrityCheckAt = integrity.checkedAt
+    ds.lastIntegrityDriftCount = integrity.drifts.length
+    if (integrity.drifts.length > 0) {
+      for (const drift of integrity.drifts) {
+        const rel = path.relative(process.cwd(), drift.filePath)
+        const shortPath = rel && !rel.startsWith('..') ? rel : drift.filePath
+        const action = drift.type === 'created'
+          ? 'created'
+          : drift.type === 'deleted'
+            ? 'deleted'
+            : 'modified'
+        createNotification({
+          type: drift.type === 'deleted' ? 'error' : 'warning',
+          title: `Integrity drift detected (${drift.kind})`,
+          message: `${shortPath} was ${action}.`,
+          dedupKey: `integrity:${drift.id}:${drift.nextHash || 'missing'}`,
+          entityType: 'session',
+          entityId: drift.id,
+        })
+      }
+      await sendHealthAlert(`Integrity monitor detected ${integrity.drifts.length} file drift event(s).`)
+    }
+  } catch (err: unknown) {
+    console.error('[daemon] Integrity monitor check failed:', err instanceof Error ? err.message : String(err))
+  }
+
   // Process webhook retry queue
   try {
     await processWebhookRetries()
@@ -892,6 +929,11 @@ export function getDaemonStatus() {
       staleSessions: ds.staleSessionIds.size,
       connectorsInBackoff: ds.connectorRestartState.size,
       checkIntervalSec: Math.trunc(HEALTH_CHECK_INTERVAL / 1000),
+      integrity: {
+        enabled: loadSettings().integrityMonitorEnabled !== false,
+        lastCheckedAt: ds.lastIntegrityCheckAt,
+        lastDriftCount: ds.lastIntegrityDriftCount,
+      },
     },
     webhookRetry: {
       pendingRetries,

package/src/lib/server/data-dir.ts

@@ -1,4 +1,21 @@
 import path from 'path'
+import os from 'os'
+import fs from 'fs'
 
 export const DATA_DIR = process.env.DATA_DIR || path.join(process.cwd(), 'data')
-export const WORKSPACE_DIR = path.join(DATA_DIR, 'workspace')
+
+// Workspace lives outside the project directory to avoid triggering Next.js HMR
+// when agents create/modify files. Falls back to data/workspace for Docker/CI.
+function resolveWorkspaceDir(): string {
+  if (process.env.WORKSPACE_DIR) return process.env.WORKSPACE_DIR
+  const external = path.join(os.homedir(), '.swarmclaw', 'workspace')
+  try {
+    fs.mkdirSync(external, { recursive: true })
+    return external
+  } catch {
+    // If we can't create the external dir (permissions, etc.), fall back to in-project
+    return path.join(DATA_DIR, 'workspace')
+  }
+}
+
+export const WORKSPACE_DIR = resolveWorkspaceDir()

package/src/lib/server/integrity-monitor.ts

@@ -0,0 +1,208 @@
+import fs from 'node:fs'
+import path from 'node:path'
+import crypto from 'node:crypto'
+import { DATA_DIR } from './data-dir'
+import { resolveOpenClawWorkspace } from './openclaw-sync'
+import { loadIntegrityBaselines, saveIntegrityBaselines } from './storage'
+
+export interface IntegrityBaselineEntry {
+  id: string
+  filePath: string
+  kind: 'identity' | 'config' | 'plugin'
+  present: boolean
+  hash: string | null
+  size: number | null
+  mtimeMs: number | null
+  updatedAt: number
+}
+
+export interface IntegrityDrift {
+  id: string
+  filePath: string
+  kind: IntegrityBaselineEntry['kind']
+  type: 'created' | 'modified' | 'deleted'
+  previousHash: string | null
+  nextHash: string | null
+  checkedAt: number
+}
+
+export interface IntegrityMonitorResult {
+  enabled: boolean
+  checkedAt: number
+  checkedFiles: number
+  drifts: IntegrityDrift[]
+}
+
+interface WatchTarget {
+  id: string
+  filePath: string
+  kind: IntegrityBaselineEntry['kind']
+}
+
+function parseBool(value: unknown, fallback: boolean): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'string') {
+    const normalized = value.trim().toLowerCase()
+    if (['1', 'true', 'yes', 'on'].includes(normalized)) return true
+    if (['0', 'false', 'no', 'off'].includes(normalized)) return false
+  }
+  return fallback
+}
+
+function fileHash(filePath: string): string {
+  const hasher = crypto.createHash('sha256')
+  const content = fs.readFileSync(filePath)
+  hasher.update(content)
+  return hasher.digest('hex')
+}
+
+function safeStat(filePath: string): fs.Stats | null {
+  try {
+    return fs.statSync(filePath)
+  } catch {
+    return null
+  }
+}
+
+function toId(filePath: string): string {
+  return crypto.createHash('sha1').update(path.resolve(filePath)).digest('hex')
+}
+
+function pushIfExists(targets: WatchTarget[], filePath: string, kind: WatchTarget['kind']): void {
+  if (!fs.existsSync(filePath)) return
+  targets.push({
+    id: toId(filePath),
+    filePath: path.resolve(filePath),
+    kind,
+  })
+}
+
+function collectWatchTargets(): WatchTarget[] {
+  const targets: WatchTarget[] = []
+  const cwd = process.cwd()
+
+  // Core workspace identity/config files.
+  pushIfExists(targets, path.join(cwd, 'AGENTS.md'), 'identity')
+  pushIfExists(targets, path.join(cwd, 'SOUL.md'), 'identity')
+  pushIfExists(targets, path.join(cwd, 'IDENTITY.md'), 'identity')
+  pushIfExists(targets, path.join(cwd, '.env.local'), 'config')
+
+  // Repo-level AGENTS.md (one level above app dir when present).
+  pushIfExists(targets, path.resolve(cwd, '..', 'AGENTS.md'), 'identity')
+
+  // Plugin files + plugin config.
+  pushIfExists(targets, path.join(DATA_DIR, 'plugins.json'), 'config')
+  const pluginDir = path.join(DATA_DIR, 'plugins')
+  if (fs.existsSync(pluginDir)) {
+    for (const entry of fs.readdirSync(pluginDir)) {
+      if (!entry.endsWith('.js') && !entry.endsWith('.mjs') && !entry.endsWith('.cjs')) continue
+      pushIfExists(targets, path.join(pluginDir, entry), 'plugin')
+    }
+  }
+
+  // OpenClaw agent identity files.
+  try {
+    const workspace = resolveOpenClawWorkspace()
+    const agentsDir = path.join(workspace, 'agents')
+    if (fs.existsSync(agentsDir)) {
+      for (const agentDirName of fs.readdirSync(agentsDir)) {
+        const dirPath = path.join(agentsDir, agentDirName)
+        if (!safeStat(dirPath)?.isDirectory()) continue
+        pushIfExists(targets, path.join(dirPath, 'SOUL.md'), 'identity')
+        pushIfExists(targets, path.join(dirPath, 'IDENTITY.md'), 'identity')
+        pushIfExists(targets, path.join(dirPath, 'TOOLS.md'), 'identity')
+        pushIfExists(targets, path.join(dirPath, 'AGENTS.md'), 'identity')
+      }
+    }
+  } catch {
+    // OpenClaw workspace is optional.
+  }
+
+  // Deduplicate path collisions.
+  const seen = new Set<string>()
+  return targets.filter((target) => {
+    if (seen.has(target.id)) return false
+    seen.add(target.id)
+    return true
+  })
+}
+
+function toBaseline(target: WatchTarget, checkedAt: number): IntegrityBaselineEntry {
+  const stat = safeStat(target.filePath)
+  const present = !!stat && stat.isFile()
+  return {
+    id: target.id,
+    filePath: target.filePath,
+    kind: target.kind,
+    present,
+    hash: present ? fileHash(target.filePath) : null,
+    size: present ? stat!.size : null,
+    mtimeMs: present ? Math.trunc(stat!.mtimeMs) : null,
+    updatedAt: checkedAt,
+  }
+}
+
+export function runIntegrityMonitor(settings?: Record<string, unknown> | null): IntegrityMonitorResult {
+  const enabled = parseBool(settings?.integrityMonitorEnabled, true)
+  const checkedAt = Date.now()
+  if (!enabled) {
+    return {
+      enabled: false,
+      checkedAt,
+      checkedFiles: 0,
+      drifts: [],
+    }
+  }
+
+  const targets = collectWatchTargets()
+  const stored = loadIntegrityBaselines() as Record<string, IntegrityBaselineEntry>
+  const nextBaselines: Record<string, IntegrityBaselineEntry> = { ...stored }
+  const drifts: IntegrityDrift[] = []
+  let dirty = false
+
+  for (const target of targets) {
+    const previous = stored[target.id]
+    const current = toBaseline(target, checkedAt)
+
+    if (!previous) {
+      nextBaselines[target.id] = current
+      dirty = true
+      continue
+    }
+
+    const changed = (
+      previous.present !== current.present
+      || previous.hash !== current.hash
+      || previous.filePath !== current.filePath
+      || previous.kind !== current.kind
+    )
+
+    if (changed) {
+      let type: IntegrityDrift['type'] = 'modified'
+      if (!previous.present && current.present) type = 'created'
+      else if (previous.present && !current.present) type = 'deleted'
+      drifts.push({
+        id: current.id,
+        filePath: current.filePath,
+        kind: current.kind,
+        type,
+        previousHash: previous.hash || null,
+        nextHash: current.hash || null,
+        checkedAt,
+      })
+      nextBaselines[target.id] = current
+      dirty = true
+    }
+  }
+
+  if (dirty) {
+    saveIntegrityBaselines(nextBaselines)
+  }
+
+  return {
+    enabled: true,
+    checkedAt,
+    checkedFiles: targets.length,
+    drifts,
+  }
+}