npm - @taewooopark/agent-blackbox - Versions diffs - 0.45.0 → 0.46.1 - Mend

@taewooopark/agent-blackbox 0.45.0 → 0.46.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/agent-blackbox.plugin.mjs +68 -20
package/dist/cli.js +165 -46
package/dist/dashboard/assets/index-4DvMVgn8.js +12 -0
package/dist/dashboard/index.html +1 -1
package/package.json +1 -1
package/dist/dashboard/assets/index-D1NSYhKy.js +0 -12

package/dist/agent-blackbox.plugin.mjs CHANGED Viewed

@@ -81,6 +81,7 @@ function createTraceEvent(seq, input) {
     runId: input.runId,
     sessionId: input.sessionId,
     ...input.parentSessionId ? { parentSessionId: input.parentSessionId } : {},
+    ...input.cwd ? { cwd: input.cwd } : {},
     ...input.agentId ? { agentId: input.agentId } : {},
     ...input.agentRole ? { agentRole: input.agentRole } : {},
     ...input.turnId ? { turnId: input.turnId } : {},
@@ -111,6 +112,9 @@ function validateTraceEvent(event) {
   requireEnum(event, "host", traceHosts, errors);
   requireString(event, "runId", errors);
   requireString(event, "sessionId", errors);
+  if (event.cwd !== void 0 && typeof event.cwd !== "string") {
+    errors.push("cwd must be a string when present");
+  }
   requireEnum(event, "kind", traceEventKinds, errors);
   requireEnum(event, "sensitivity", dataSensitivities, errors);
   if (!isRecord(event.payload)) {
@@ -168,16 +172,16 @@ var defaultRedactionRules = [
     pattern: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{20,}\b/g,
     replacement: "[REDACTED_GITHUB_TOKEN]"
   },
-  {
-    name: "openai-key",
-    pattern: /\bsk-[A-Za-z0-9_-]{20,}\b/g,
-    replacement: "[REDACTED_OPENAI_KEY]"
-  },
   {
     name: "anthropic-key",
     pattern: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g,
     replacement: "[REDACTED_ANTHROPIC_KEY]"
   },
+  {
+    name: "openai-key",
+    pattern: /\bsk-[A-Za-z0-9_-]{20,}\b/g,
+    replacement: "[REDACTED_OPENAI_KEY]"
+  },
   {
     name: "private-key",
     pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
@@ -195,12 +199,12 @@ function redactJsonValue(value, options = {}) {
   const visit = (current) => {
     if (typeof current === "string") {
       let next = current;
-      if (options.homeDir) {
-        next = replaceLiteral(next, options.homeDir, "~", "home-dir", applied);
-      }
       if (options.projectDir) {
         next = replaceLiteral(next, options.projectDir, "$PROJECT", "project-dir", applied);
       }
+      if (options.homeDir) {
+        next = replaceLiteral(next, options.homeDir, "~", "home-dir", applied);
+      }
       for (const rule of rules) {
         if (rule.pattern.test(next)) {
           applied.add(rule.name);
@@ -429,6 +433,7 @@ function normalizeToolBefore(input, output, context) {
   const agentId = extractAgentId(input);
   if (agentId) {
     traceInput.agentId = agentId;
+    traceInput.agentRole = extractAgentRole(input);
   }
   return createTraceEvent(context.seq, traceInput);
 }
@@ -462,6 +467,7 @@ function normalizeToolAfter(input, output, context) {
     const agentId = extractAgentId(input);
     if (agentId) {
       traceInput.agentId = agentId;
+      traceInput.agentRole = extractAgentRole(input);
     }
   }
   return createTraceEvent(context.seq, traceInput);
@@ -618,7 +624,9 @@ function sanitizeJson(value, seen) {
       return "[Circular]";
     }
     seen.add(value);
-    return value.map((item) => sanitizeJson(item, seen));
+    const mapped = value.map((item) => sanitizeJson(item, seen));
+    seen.delete(value);
+    return mapped;
   }
   if (typeof value === "object") {
     if (seen.has(value)) {
@@ -632,6 +640,7 @@ function sanitizeJson(value, seen) {
       }
       output[key] = sanitizeJson(nested, seen);
     }
+    seen.delete(value);
     return output;
   }
   return String(value);
@@ -843,26 +852,48 @@ function serializeTraceEvent(event) {
   return `${JSON.stringify(event)}
 `;
 }
+var writeChains = /* @__PURE__ */ new Map();
 async function appendTraceEvent(filePath, event) {
-  await mkdir(dirname(filePath), { recursive: true });
-  await appendFile(filePath, serializeTraceEvent(event), "utf8");
+  const line = serializeTraceEvent(event);
+  const run = async () => {
+    await mkdir(dirname(filePath), { recursive: true });
+    await appendFile(filePath, line, "utf8");
+  };
+  const prev = writeChains.get(filePath) ?? Promise.resolve();
+  const next = prev.then(run, run);
+  const tail = next.then(
+    () => void 0,
+    () => void 0
+  );
+  writeChains.set(filePath, tail);
+  try {
+    await next;
+  } finally {
+    if (writeChains.get(filePath) === tail) writeChains.delete(filePath);
+  }
 }
 // packages/opencode-adapter/dist/sink.js
 import { join } from "node:path";
 function createTraceSink(options) {
-  if (options.sink) {
-    return options.sink;
-  }
-  if (options.daemonUrl) {
-    return createHttpTraceSink(options.daemonUrl);
-  }
-  return createFileTraceSink(options.eventsFile ?? join(options.directory, ".agent-blackbox", "events.ndjson"));
+  const base = options.sink ? options.sink : options.daemonUrl ? createHttpTraceSink(options.daemonUrl) : createFileTraceSink(options.eventsFile ?? join(options.directory, ".agent-blackbox", "events.ndjson"));
+  return {
+    async write(event) {
+      if (!event.cwd && options.directory) {
+        event.cwd = options.directory;
+      }
+      await base.write(event);
+    }
+  };
 }
 function createFileTraceSink(eventsFile) {
   return {
     async write(event) {
-      await appendTraceEvent(eventsFile, event);
+      try {
+        await appendTraceEvent(eventsFile, event);
+      } catch (error) {
+        console.warn(`[agent-blackbox] could not write event ${event.id}: ${error instanceof Error ? error.message : String(error)}`);
+      }
     }
   };
 }
@@ -933,7 +964,24 @@ function resolveRecorderOptions(options) {
 }
 // packages/opencode-adapter/dist/index.js
+function noopRecorderHooks() {
+  return {
+    event: async () => {
+    },
+    "tool.execute.before": async () => {
+    },
+    "tool.execute.after": async () => {
+    },
+    "experimental.session.compacting": async () => {
+    },
+    "experimental.chat.system.transform": async () => {
+    }
+  };
+}
 async function createOpenCodeRecorder(context, options = {}) {
+  if (process.env.AGENT_BLACKBOX_DISABLE === "1") {
+    return noopRecorderHooks();
+  }
   const resolved = resolveRecorderOptions(options);
   const directory = context.directory ?? process.cwd();
   const runId = resolved.runId ?? `opencode-${Date.now()}`;
@@ -1021,7 +1069,7 @@ function createOpenCodeEventFactory(options) {
     const decision = decideReadServe(readCache.get(key), { hash, content: current }, compactionGen, path);
     readCache.set(key, { hash, content: current, gen: compactionGen });
     bumpFile(path, "read", hash);
-    if (decision.mode !== "full" && typeof decision.output === "string") {
+    if (decision.mode !== "full" && typeof decision.output === "string" && decision.saved > 0) {
       output.output = decision.output;
     }
   };

package/dist/cli.js CHANGED Viewed

@@ -61,6 +61,9 @@ function validateTraceEvent(event) {
   requireEnum(event, "host", traceHosts, errors);
   requireString(event, "runId", errors);
   requireString(event, "sessionId", errors);
+  if (event.cwd !== void 0 && typeof event.cwd !== "string") {
+    errors.push("cwd must be a string when present");
+  }
   requireEnum(event, "kind", traceEventKinds, errors);
   requireEnum(event, "sensitivity", dataSensitivities, errors);
   if (!isRecord(event.payload)) {
@@ -134,6 +137,9 @@ function replayWorkflowGraphAtSeq(events, seq) {
 }
 function replayWorkflowGraphAtTime(events, at) {
   const atTime = new Date(at).getTime();
+  if (Number.isNaN(atTime)) {
+    throw new Error("replayWorkflowGraphAtTime: invalid time");
+  }
   return materializeWorkflowGraph(events.filter((event) => new Date(event.ts).getTime() <= atTime));
 }
 function applyTraceEvent(graph, event) {
@@ -248,7 +254,8 @@ function ensureSession(graph, event) {
     status: "ACTIVE",
     at: event.ts,
     eventId: event.id,
-    data: { sessionId: event.sessionId, parentSessionId: event.parentSessionId ?? null }
+    data: { sessionId: event.sessionId, parentSessionId: event.parentSessionId ?? null },
+    keepStatusIfExists: true
   });
   ensureEdge(graph, {
     from: runNodeId(event.runId),
@@ -270,7 +277,8 @@ function ensureAgent(graph, event) {
     status: "ACTIVE",
     at: event.ts,
     eventId: event.id,
-    data: { agentId: event.agentId, agentRole: event.agentRole ?? "unknown" }
+    data: { agentId: event.agentId, agentRole: event.agentRole ?? "unknown" },
+    keepStatusIfExists: true
   });
   ensureEdge(graph, {
     from: sessionNodeId(event.sessionId),
@@ -292,7 +300,8 @@ function ensureTurn(graph, event) {
     status: "ACTIVE",
     at: event.ts,
     eventId: event.id,
-    data: { turnId: event.turnId }
+    data: { turnId: event.turnId },
+    keepStatusIfExists: true
   });
   ensureEdge(graph, {
     from: event.agentId ? agentNodeId(event.agentId) : sessionNodeId(event.sessionId),
@@ -360,7 +369,9 @@ function ensureNode(graph, input) {
   const existing = graph.nodes.get(input.id);
   if (existing) {
     existing.updatedAt = input.at;
-    existing.status = input.status;
+    if (!input.keepStatusIfExists) {
+      existing.status = input.status;
+    }
     existing.data = { ...existing.data, ...input.data ?? {} };
     if (input.eventId && !existing.eventIds.includes(input.eventId)) {
       existing.eventIds.push(input.eventId);
@@ -514,7 +525,8 @@ function eventNodeIdFromEventId(eventId) {
   return `event:${stablePart(eventId)}`;
 }
 function workflowEdgeId(from, to, type) {
-  return `edge:${type}:${stablePart(from)}:${stablePart(to)}`;
+  const enc = (s) => s.replace(/:/g, "__");
+  return `edge:${type}:${enc(stablePart(from))}:${enc(stablePart(to))}`;
 }
 function stablePart(value) {
   return value.replace(/[^a-zA-Z0-9_.:-]/g, "_");
@@ -842,7 +854,7 @@ function computeEfficiencyReport(events) {
         label: "Large context injections",
         value: biggest,
         unit: "tokens",
-        display: biggest >= 2e3 ? formatTokens(biggest) : "none",
+        display: biggest >= 5e3 ? formatTokens(biggest) : "none",
         score,
         status,
         detail: over5k.length === 0 ? "No single tool output flooded the context." : `${over5k.length} output(s) added 5k+ tokens (largest ${formatTokens(biggest)}) \u2014 scope greps/reads or summarise.`,
@@ -979,7 +991,7 @@ function stringAt(event, key) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
 function readTokenSnapshot(event) {
-  const present = deepNumber(event.payload, "properties.info.tokens") !== void 0 || deepNumber(event.payload, "properties.tokens") !== void 0 || deepNumber(event.payload, "tokens") !== void 0 || isRecordAtPath(event.payload, "properties.info.tokens") || isRecordAtPath(event.payload, "properties.tokens") || isRecordAtPath(event.payload, "tokens");
+  const present = isRecordAtPath(event.payload, "properties.info.tokens") || isRecordAtPath(event.payload, "properties.tokens") || isRecordAtPath(event.payload, "tokens");
   if (!present) return void 0;
   return {
     input: deepNumber(event.payload, ["properties.info.tokens.input", "properties.tokens.input", "tokens.input"]) ?? 0,
@@ -1082,13 +1094,13 @@ function buildEfficiencyMemory(report, options = {}) {
   ].join("\n");
 }
 var escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-var managedBlockRegExp = () => new RegExp(`${escapeRegExp(EFFICIENCY_MEMORY_START)}[\\s\\S]*?${escapeRegExp(EFFICIENCY_MEMORY_END)}`);
+var managedBlockRegExp = () => new RegExp(`${escapeRegExp(EFFICIENCY_MEMORY_START)}[\\s\\S]*?${escapeRegExp(EFFICIENCY_MEMORY_END)}`, "g");
 function hasManagedBlock(content) {
   return managedBlockRegExp().test(content);
 }
 function upsertManagedBlock(content, block) {
   if (hasManagedBlock(content)) {
-    return content.replace(managedBlockRegExp(), block);
+    return content.replace(managedBlockRegExp(), () => block);
   }
   const base = content.trimEnd();
   return base.length === 0 ? `${block}
@@ -1139,7 +1151,14 @@ async function startDashboardServer(options) {
   const injected = indexHtml.replace("</head>", `  <script>window.AGENT_BLACKBOX_DAEMON_URL=${JSON.stringify(options.daemonUrl)};</script>
   </head>`);
   const server = createServer((request, response) => {
-    const rawPath = decodeURIComponent((request.url ?? "/").split("?")[0] ?? "/");
+    let rawPath;
+    try {
+      rawPath = decodeURIComponent((request.url ?? "/").split("?")[0] ?? "/");
+    } catch {
+      response.writeHead(400);
+      response.end("Bad Request");
+      return;
+    }
     if (rawPath === "/" || rawPath === "/index.html") {
       response.writeHead(200, { "content-type": "text/html; charset=utf-8" });
       response.end(injected);
@@ -1157,15 +1176,21 @@ async function startDashboardServer(options) {
         throw new Error("not a file");
       }
       response.writeHead(200, { "content-type": mimeTypes[extname(filePath)] ?? "application/octet-stream" });
-      createReadStream(filePath).pipe(response);
+      const rs = createReadStream(filePath);
+      rs.on("error", () => response.destroy());
+      rs.pipe(response);
     }).catch(() => {
       response.writeHead(200, { "content-type": "text/html; charset=utf-8" });
       response.end(injected);
     });
   });
   const port = options.port ?? 5173;
-  await new Promise((resolve2) => {
-    server.listen(port, "127.0.0.1", resolve2);
+  await new Promise((resolve2, reject) => {
+    server.once("error", reject);
+    server.listen(port, "127.0.0.1", () => {
+      server.off("error", reject);
+      resolve2();
+    });
   });
   const address = server.address();
   const actualPort = typeof address === "object" && address ? address.port : port;
@@ -1197,11 +1222,39 @@ function parseTraceEventLine(line) {
   return parsed;
 }
 function parseTraceEvents(input) {
-  return input.split(/\r?\n/).filter((line) => line.trim().length > 0).map((line) => parseTraceEventLine(line));
+  const lines = input.split(/\r?\n/).filter((line) => line.trim().length > 0);
+  const lastIsPossiblyTorn = lines.length > 0 && !/\r?\n$/.test(input);
+  const completeCount = lastIsPossiblyTorn ? lines.length - 1 : lines.length;
+  const events = lines.slice(0, completeCount).map((line) => parseTraceEventLine(line));
+  if (lastIsPossiblyTorn) {
+    const lastLine = lines[lines.length - 1];
+    try {
+      events.push(parseTraceEventLine(lastLine));
+    } catch (error) {
+      if (!(error instanceof SyntaxError)) throw error;
+    }
+  }
+  return events;
 }
+var writeChains = /* @__PURE__ */ new Map();
 async function appendTraceEvent(filePath, event) {
-  await mkdir(dirname(filePath), { recursive: true });
-  await appendFile(filePath, serializeTraceEvent(event), "utf8");
+  const line = serializeTraceEvent(event);
+  const run = async () => {
+    await mkdir(dirname(filePath), { recursive: true });
+    await appendFile(filePath, line, "utf8");
+  };
+  const prev = writeChains.get(filePath) ?? Promise.resolve();
+  const next = prev.then(run, run);
+  const tail = next.then(
+    () => void 0,
+    () => void 0
+  );
+  writeChains.set(filePath, tail);
+  try {
+    await next;
+  } finally {
+    if (writeChains.get(filePath) === tail) writeChains.delete(filePath);
+  }
 }
 async function readTraceEvents(filePath) {
   const input = await readFile2(filePath, "utf8");
@@ -1215,7 +1268,7 @@ import { WebSocket, WebSocketServer } from "ws";
 // apps/daemon/dist/optimize.js
 import { mkdir as mkdir2, readFile as readFile3, rm, writeFile } from "node:fs/promises";
-import { dirname as dirname2, join as join2 } from "node:path";
+import { dirname as dirname2, isAbsolute, join as join2 } from "node:path";
 var flaggedIds = (report) => report.metrics.filter((m) => m.status !== "good").map((m) => m.id);
 var joinIds = (ids) => ids.join(", ");
 var REVERT_MARGIN = 3;
@@ -1226,10 +1279,12 @@ async function runOptimize(options) {
 }
 async function computeOptimize(options) {
   const eventsFile = options.eventsFile ?? join2(options.projectDir, ".agent-blackbox", "events.ndjson");
-  const agentsMdPath = join2(options.projectDir, "AGENTS.md");
-  const statePath = join2(options.projectDir, ".agent-blackbox", "optimization.json");
   const events = await loadTraceEvents(eventsFile);
   const { runId, events: runEvents } = latestRun(events);
+  const runCwd = runEvents.find((e) => typeof e.cwd === "string" && e.cwd.length > 0)?.cwd;
+  const targetDir = runCwd && isAbsolute(runCwd) ? runCwd : options.projectDir;
+  const agentsMdPath = join2(targetDir, "AGENTS.md");
+  const statePath = join2(targetDir, ".agent-blackbox", "optimization.json");
   const latestTs = runEvents.reduce((max, e) => e.ts > max ? e.ts : max, "");
   const report = runEvents.length > 0 ? computeEfficiencyReport(runEvents) : null;
   const score = report ? report.overallScore : null;
@@ -1255,15 +1310,17 @@ async function computeOptimize(options) {
     }
     const prior = await readMaybe(agentsMdPath);
     const next = upsertManagedBlock(prior ?? "", block);
-    await writeFile(agentsMdPath, next, "utf8");
-    await writeState(statePath, {
-      runId: runId ?? "",
-      baselineScore: score,
-      baselineLatestTs: latestTs,
-      baselineFlagged: flaggedIds(report),
-      fileExisted: prior !== null,
-      appliedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
+    if (prior === null || next !== prior) {
+      await writeFile(agentsMdPath, next, "utf8");
+      await writeState(statePath, {
+        runId: runId ?? "",
+        baselineScore: score,
+        baselineLatestTs: latestTs,
+        baselineFlagged: flaggedIds(report),
+        fileExisted: prior !== null,
+        appliedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
     return {
       mode: "apply",
       action: `Wrote efficiency memory to AGENTS.md \u2014 targets ~${report.reclaimableTokens} reclaimable tokens on similar future runs (no re-run needed). Optional: re-run the same task + \`optimize --check\` to benchmark the gain.`,
@@ -1470,7 +1527,7 @@ function buildDigest(report) {
       id: m.id,
       label: m.label,
       status: m.status,
-      value: Number(m.value.toFixed(3)),
+      value: Number((typeof m.value === "number" && Number.isFinite(m.value) ? m.value : 0).toFixed(3)),
       display: m.display,
       detail: m.detail,
       ...m.reclaimableTokens ? { reclaimableTokens: m.reclaimableTokens } : {},
@@ -1492,6 +1549,8 @@ var freeCooldownUntil = /* @__PURE__ */ new Map();
 function orderFreePool(pool, cooldownUntil, cursor, now) {
   const fresh = pool.filter((entry) => (cooldownUntil.get(entry.model) ?? 0) <= now);
   const list = fresh.length > 0 ? fresh : pool;
+  if (list.length === 0)
+    return [];
   const start = (cursor % list.length + list.length) % list.length;
   return [...list.slice(start), ...list.slice(0, start)];
 }
@@ -1636,7 +1695,10 @@ async function fetchJson(url, body, extraHeaders = {}) {
 }
 function runCommand(command, args2) {
   return new Promise((resolve2, reject) => {
-    const child = spawn(command, args2, { stdio: ["ignore", "pipe", "ignore"] });
+    const child = spawn(command, args2, {
+      stdio: ["ignore", "pipe", "ignore"],
+      env: { ...process.env, AGENT_BLACKBOX_DISABLE: "1" }
+    });
     let out = "";
     const timer = setTimeout(() => {
       child.kill("SIGKILL");
@@ -1663,10 +1725,24 @@ function extractJsonObject(text) {
   if (start === -1)
     return void 0;
   let depth = 0;
+  let inString = false;
+  let escaped = false;
   for (let i = start; i < text.length; i += 1) {
-    if (text[i] === "{")
+    const ch = text[i];
+    if (inString) {
+      if (escaped)
+        escaped = false;
+      else if (ch === "\\")
+        escaped = true;
+      else if (ch === '"')
+        inString = false;
+      continue;
+    }
+    if (ch === '"')
+      inString = true;
+    else if (ch === "{")
       depth += 1;
-    else if (text[i] === "}") {
+    else if (ch === "}") {
       depth -= 1;
       if (depth === 0) {
         try {
@@ -1704,8 +1780,12 @@ async function startTraceDaemon(options) {
     });
   });
   const port = options.port ?? 47831;
-  await new Promise((resolve2) => {
-    server.listen(port, "127.0.0.1", resolve2);
+  await new Promise((resolve2, reject) => {
+    server.once("error", reject);
+    server.listen(port, "127.0.0.1", () => {
+      server.off("error", reject);
+      resolve2();
+    });
   });
   const address = server.address();
   const actualPort = typeof address === "object" && address ? address.port : port;
@@ -1714,8 +1794,12 @@ async function startTraceDaemon(options) {
     port: actualPort,
     eventsFile,
     close: () => new Promise((resolve2, reject) => {
+      for (const client of clients) {
+        client.terminate();
+      }
+      clients.clear();
+      streamServer.close();
       server.close((error) => {
-        streamServer.close();
         if (error) {
           reject(error);
         } else {
@@ -1768,12 +1852,13 @@ async function buildTraceSnapshot(eventsFile, replay = {}) {
 }
 async function handleRequest(request, response, eventsFile, clients, suggestConfig, projectDir) {
   try {
+    applyCors(request, response);
     const url = new URL(request.url ?? "/", "http://127.0.0.1");
-    const replay = parseReplayQuery(url);
     if (request.method === "OPTIONS") {
       sendEmpty(response, 204);
       return;
     }
+    const replay = parseReplayQuery(url);
     if (request.method === "GET" && url.pathname === "/health") {
       sendJson(response, 200, { ok: true, data: { status: "ok", eventsFile } });
       return;
@@ -1868,19 +1953,47 @@ async function sendSnapshot(client, eventsFile) {
     }
   }
 }
+var MAX_BODY_BYTES = 5e7;
 async function readJsonBody(request) {
   const chunks = [];
+  let total = 0;
   for await (const chunk of request) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    total += buffer.length;
+    if (total > MAX_BODY_BYTES) {
+      throw new BadRequestError("Request body too large");
+    }
+    chunks.push(buffer);
   }
   const raw = Buffer.concat(chunks).toString("utf8");
-  return raw.length > 0 ? JSON.parse(raw) : {};
+  if (raw.length === 0) {
+    return {};
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new BadRequestError("Invalid JSON body");
+  }
+}
+function applyCors(request, response) {
+  const origin = request.headers.origin;
+  if (typeof origin === "string" && isLoopbackOrigin(origin)) {
+    response.setHeader("access-control-allow-origin", origin);
+    response.setHeader("vary", "Origin");
+  }
+}
+function isLoopbackOrigin(origin) {
+  try {
+    const { hostname } = new URL(origin);
+    return hostname === "127.0.0.1" || hostname === "localhost" || hostname === "[::1]" || hostname === "::1";
+  } catch {
+    return false;
+  }
 }
 function sendJson(response, statusCode, payload) {
   response.writeHead(statusCode, {
     "access-control-allow-headers": "content-type",
     "access-control-allow-methods": "GET,POST,OPTIONS",
-    "access-control-allow-origin": "*",
     "content-type": "application/json; charset=utf-8"
   });
   response.end(JSON.stringify(payload));
@@ -1888,8 +2001,7 @@ function sendJson(response, statusCode, payload) {
 function sendEmpty(response, statusCode) {
   response.writeHead(statusCode, {
     "access-control-allow-headers": "content-type",
-    "access-control-allow-methods": "GET,POST,OPTIONS",
-    "access-control-allow-origin": "*"
+    "access-control-allow-methods": "GET,POST,OPTIONS"
   });
   response.end();
 }
@@ -2059,7 +2171,10 @@ function globalDataDir() {
   const xdg = process.env.XDG_DATA_HOME;
   return xdg && xdg.length > 0 ? join6(xdg, "agent-blackbox") : join6(homedir2(), ".local", "share", "agent-blackbox");
 }
-void main(args);
+void main(args).catch((error) => {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exitCode = 1;
+});
 async function main(argv) {
   if (argv.includes("--version") || argv.includes("-v")) {
     console.log(AGENT_BLACKBOX_DAEMON_VERSION);
@@ -2068,7 +2183,7 @@ async function main(argv) {
   const command = argv[0] ?? "help";
   if (command === "daemon") {
     const projectDir = readFlag(argv, "--project") ?? process.cwd();
-    const port = Number(readFlag(argv, "--port") ?? "47831");
+    const port = portArg(readFlag(argv, "--port"), 47831);
     const daemon = await startTraceDaemon({ projectDir, port });
     console.log(`Agent-Blackbox daemon listening on http://127.0.0.1:${daemon.port}`);
     console.log(`Trace file: ${daemon.eventsFile}`);
@@ -2077,8 +2192,8 @@ async function main(argv) {
   if (command === "up") {
     const projectFlag = readFlag(argv, "--project");
     const global = projectFlag === void 0;
-    const port = Number(readFlag(argv, "--port") ?? "47831");
-    const uiPort = Number(readFlag(argv, "--ui-port") ?? "5173");
+    const port = portArg(readFlag(argv, "--port"), 47831);
+    const uiPort = portArg(readFlag(argv, "--ui-port"), 5173);
     const daemonUrl = `http://127.0.0.1:${port}`;
     const suggest = readSuggestConfig(argv);
     let daemon;
@@ -2145,7 +2260,7 @@ async function main(argv) {
     return;
   }
   if (command === "install") {
-    const port = Number(readFlag(argv, "--port") ?? "47831");
+    const port = portArg(readFlag(argv, "--port"), 47831);
     const daemonUrl = `http://127.0.0.1:${port}`;
     if (!pluginBundlePath) {
       throw new Error("Global install needs the self-contained recorder bundle. Use the published npx package, or `npm run build:cli` first.");
@@ -2247,6 +2362,10 @@ function readFlag(argv, flag) {
   }
   return argv[index + 1];
 }
+function portArg(raw, fallback) {
+  const n = Number(raw);
+  return Number.isInteger(n) && n >= 0 && n <= 65535 ? n : fallback;
+}
 function readSuggestConfig(argv) {
   const modes = ["auto", "off", "free", "ollama", "opencode", "openai-compat"];
   const raw = readFlag(argv, "--suggest") ?? process.env.AGENT_BLACKBOX_SUGGEST ?? "auto";