@tuent/sentinel 0.1.0

package/dist/chunk-Z3PWIJKT.js

@@ -0,0 +1,2268 @@
+import {
+  discoverPolicy
+} from "./chunk-FMZWHT4M.js";
+import {
+  DEFAULT_FORBIDDEN_PATTERNS,
+  matchGlobInsensitive,
+  normalizeForbiddenPattern
+} from "./chunk-6MHWJATS.js";
+import {
+  loadPolicy,
+  policyToConfig,
+  policyToRole
+} from "./chunk-2FFMYSVC.js";
+
+// src/gateway/workspaceRouter.ts
+import { resolve, dirname } from "path";
+
+// src/workspaceIdentity.ts
+var AGENT_PREFIX = "claude-code";
+function fnv1a32Hex(s) {
+  let h = 2166136261;
+  for (let i = 0; i < s.length; i++) {
+    h ^= s.charCodeAt(i);
+    h = Math.imul(h, 16777619);
+  }
+  return (h >>> 0).toString(16).padStart(8, "0");
+}
+function lastSegment(path) {
+  const parts = path.split("/").filter(Boolean);
+  return parts.length > 0 ? parts[parts.length - 1] : "";
+}
+function slugify(s) {
+  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "");
+}
+function normalizeRoot(root) {
+  if (root === "" || root === "/") return root;
+  return root.replace(/\/+$/, "") || "/";
+}
+function deriveAgentId(workspaceRoot) {
+  const root = normalizeRoot(workspaceRoot);
+  const slug = slugify(lastSegment(root)) || "root";
+  const hash = fnv1a32Hex(root);
+  return `${AGENT_PREFIX}@${slug}-${hash}`;
+}
+
+// src/mergeRoles.ts
+function isWithinActiveHours(hour, range) {
+  const [startHour, endHour] = range;
+  const outsideHours = startHour <= endHour ? hour < startHour || hour > endHour : hour < startHour && hour > endHour;
+  return !outsideHours;
+}
+function toContiguousArc(activeHours) {
+  if (activeHours.size === 0) return null;
+  if (activeHours.size === 24) return [0, 23];
+  const starts = [];
+  for (let h = 0; h < 24; h++) {
+    const prev = (h + 23) % 24;
+    if (activeHours.has(h) && !activeHours.has(prev)) starts.push(h);
+  }
+  if (starts.length !== 1) return null;
+  const start = starts[0];
+  let end = start;
+  while (activeHours.has((end + 1) % 24)) end = (end + 1) % 24;
+  return [start, end];
+}
+function mergeActiveHours(ceilingHours, workspaceHours, warnings) {
+  if (workspaceHours === void 0) return ceilingHours;
+  if (ceilingHours === void 0) return workspaceHours;
+  const active = /* @__PURE__ */ new Set();
+  let workspaceWidens = false;
+  for (let h = 0; h < 24; h++) {
+    const inCeiling = isWithinActiveHours(h, ceilingHours);
+    const inWorkspace = isWithinActiveHours(h, workspaceHours);
+    if (inCeiling && inWorkspace) active.add(h);
+    if (inWorkspace && !inCeiling) workspaceWidens = true;
+  }
+  if (workspaceWidens) {
+    warnings.push(
+      `workspace activeHours [${workspaceHours.join(",")}] includes hours outside operator ceiling [${ceilingHours.join(
+        ","
+      )}] \u2014 clamped to the overlap.`
+    );
+  }
+  if (active.size === 0) {
+    warnings.push(
+      `workspace activeHours [${workspaceHours.join(",")}] is disjoint from operator ceiling [${ceilingHours.join(
+        ","
+      )}] \u2014 no overlapping active hours; using ceiling.`
+    );
+    return ceilingHours;
+  }
+  const arc = toContiguousArc(active);
+  if (arc === null) {
+    warnings.push(
+      `workspace activeHours [${workspaceHours.join(",")}] \u2229 ceiling [${ceilingHours.join(
+        ","
+      )}] is non-contiguous ({${[...active].sort((a, b) => a - b).join(",")}}) and cannot be a single range; using ceiling.`
+    );
+    return ceilingHours;
+  }
+  return arc;
+}
+function mergeLimit(dim, ceilingVal, workspaceVal, warnings) {
+  if (workspaceVal === void 0) return ceilingVal;
+  if (ceilingVal === void 0) return workspaceVal;
+  if (workspaceVal > ceilingVal) {
+    warnings.push(
+      `workspace ${dim} (${workspaceVal}) is looser than operator ceiling (${ceilingVal}) \u2014 clamped to ceiling.`
+    );
+    return ceilingVal;
+  }
+  return workspaceVal;
+}
+function intersectAllowlist(dim, ceilingArr, workspaceArr, warnings, caseInsensitive) {
+  const norm = (s) => caseInsensitive ? s.toLowerCase() : s;
+  const ceilingSet = new Set(ceilingArr.map(norm));
+  const widened = workspaceArr.filter((x) => !ceilingSet.has(norm(x)));
+  if (widened.length > 0) {
+    warnings.push(
+      `workspace ${dim} lists ${JSON.stringify(widened)} not in operator ceiling \u2014 excluded (cannot widen past ceiling).`
+    );
+  }
+  const result = workspaceArr.filter((x) => ceilingSet.has(norm(x)));
+  if (result.length === 0) {
+    warnings.push(
+      `workspace narrowed ${dim} to empty \u2014 this workspace can perform nothing on that dimension; was this intended?`
+    );
+  }
+  return result;
+}
+function mergeRoles(ceiling, workspace) {
+  const warnings = [];
+  if (workspace === null || workspace === void 0) {
+    return { role: cloneRole(ceiling), warnings };
+  }
+  if (typeof workspace !== "object" || Array.isArray(workspace)) {
+    warnings.push("workspace policy is not an object \u2014 using operator ceiling.");
+    return { role: cloneRole(ceiling), warnings };
+  }
+  const allowedActions = workspace.allowedActions === void 0 ? [...ceiling.allowedActions] : intersectAllowlist(
+    "allowedActions",
+    ceiling.allowedActions,
+    workspace.allowedActions,
+    warnings,
+    false
+  );
+  let forbiddenTargetPatterns;
+  if (workspace.forbiddenTargetPatterns === void 0) {
+    forbiddenTargetPatterns = [...ceiling.forbiddenTargetPatterns];
+  } else {
+    const wsNormalized = workspace.forbiddenTargetPatterns.map(normalizeForbiddenPattern);
+    forbiddenTargetPatterns = [.../* @__PURE__ */ new Set([...ceiling.forbiddenTargetPatterns, ...wsNormalized])];
+  }
+  const allowedTargetPatterns = [...ceiling.allowedTargetPatterns];
+  if (workspace.allowedTargetPatterns !== void 0) {
+    warnings.push(
+      "workspace allowedTargetPatterns narrowing is not supported in v1 \u2014 ignored (narrow via forbiddenTargetPatterns instead); effective allowed = operator ceiling."
+    );
+  }
+  let networkHosts;
+  if (workspace.networkHosts === void 0) {
+    networkHosts = ceiling.networkHosts ? [...ceiling.networkHosts] : void 0;
+  } else if (ceiling.networkHosts === void 0) {
+    networkHosts = void 0;
+    warnings.push(
+      "workspace defines networkHosts but operator ceiling has none \u2014 a workspace cannot create a host allowlist; ignored."
+    );
+  } else {
+    networkHosts = intersectAllowlist(
+      "networkHosts",
+      ceiling.networkHosts,
+      workspace.networkHosts,
+      warnings,
+      true
+    );
+  }
+  let expectedSchedule = ceiling.expectedSchedule ? { ...ceiling.expectedSchedule } : void 0;
+  if (workspace.expectedSchedule !== void 0) {
+    const cSched = ceiling.expectedSchedule;
+    const wSched = workspace.expectedSchedule;
+    let activeDays;
+    if (wSched.activeDays === void 0) {
+      activeDays = cSched?.activeDays ? [...cSched.activeDays] : void 0;
+    } else if (cSched?.activeDays === void 0) {
+      activeDays = [...wSched.activeDays];
+    } else {
+      activeDays = intersectAllowlist(
+        "activeDays",
+        cSched.activeDays,
+        wSched.activeDays,
+        warnings,
+        true
+      );
+    }
+    const activeHours = mergeActiveHours(cSched?.activeHours, wSched.activeHours, warnings);
+    expectedSchedule = {};
+    if (activeDays !== void 0) expectedSchedule.activeDays = activeDays;
+    if (activeHours !== void 0) expectedSchedule.activeHours = activeHours;
+    if (activeDays === void 0 && activeHours === void 0) expectedSchedule = void 0;
+  }
+  const maxEventsPerHour = mergeLimit(
+    "maxEventsPerHour",
+    ceiling.maxEventsPerHour,
+    workspace.maxEventsPerHour,
+    warnings
+  );
+  const maxSessionDuration = mergeLimit(
+    "maxSessionDuration",
+    ceiling.maxSessionDuration,
+    workspace.maxSessionDuration,
+    warnings
+  );
+  if (workspace.exceptions !== void 0 && workspace.exceptions.length > 0) {
+    warnings.push(
+      `workspace defines ${workspace.exceptions.length} exception(s) \u2014 dropped (exceptions can only widen; only operator exceptions apply).`
+    );
+  }
+  const exceptions = ceiling.exceptions ? [...ceiling.exceptions] : void 0;
+  const role = {
+    // identity fields preserved from ceiling; B5 overrides agentId with the per-workspace id.
+    agentId: ceiling.agentId,
+    name: ceiling.name,
+    description: ceiling.description,
+    allowedActions,
+    allowedTargetPatterns,
+    forbiddenTargetPatterns,
+    ...expectedSchedule !== void 0 && { expectedSchedule },
+    ...maxEventsPerHour !== void 0 && { maxEventsPerHour },
+    ...maxSessionDuration !== void 0 && { maxSessionDuration },
+    ...exceptions !== void 0 && { exceptions },
+    ...networkHosts !== void 0 && { networkHosts }
+  };
+  return { role, warnings };
+}
+function cloneRole(role) {
+  return {
+    agentId: role.agentId,
+    name: role.name,
+    description: role.description,
+    allowedActions: [...role.allowedActions],
+    allowedTargetPatterns: [...role.allowedTargetPatterns],
+    forbiddenTargetPatterns: [...role.forbiddenTargetPatterns],
+    ...role.expectedSchedule !== void 0 && {
+      expectedSchedule: {
+        ...role.expectedSchedule.activeDays !== void 0 && {
+          activeDays: [...role.expectedSchedule.activeDays]
+        },
+        ...role.expectedSchedule.activeHours !== void 0 && {
+          activeHours: [...role.expectedSchedule.activeHours]
+        }
+      }
+    },
+    ...role.maxEventsPerHour !== void 0 && { maxEventsPerHour: role.maxEventsPerHour },
+    ...role.maxSessionDuration !== void 0 && { maxSessionDuration: role.maxSessionDuration },
+    ...role.exceptions !== void 0 && { exceptions: [...role.exceptions] },
+    ...role.networkHosts !== void 0 && { networkHosts: [...role.networkHosts] }
+  };
+}
+
+// src/gateway/workspaceRouter.ts
+async function resolveWorkspace(cwd, home) {
+  if (!cwd || cwd.trim() === "") {
+    return {
+      ok: false,
+      reason: "request carries no cwd; the originating workspace cannot be resolved"
+    };
+  }
+  const start = resolve(cwd);
+  const policyPath = discoverPolicy(start, home);
+  let root = start;
+  let workspaceRole = null;
+  if (policyPath) {
+    const policy = await loadPolicy(policyPath);
+    const repoRoot = policyToConfig(policy).repo?.root;
+    root = repoRoot ? resolve(repoRoot) : dirname(resolve(policyPath));
+    workspaceRole = policyToRole(policy);
+  }
+  return {
+    ok: true,
+    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole }
+  };
+}
+function effectiveRole(ceiling, workspaceRole) {
+  if (!workspaceRole) return { role: ceiling, warnings: [] };
+  return mergeRoles(ceiling, workspaceRole);
+}
+
+// src/gateway/telemetry.ts
+var Telemetry = class {
+  startedAt = Date.now();
+  total = 0;
+  allowed = 0;
+  blocked = 0;
+  byAction = {};
+  byPhase = {};
+  latencies = [];
+  recordToolCall(action, phase, decision, durationMs) {
+    this.total++;
+    if (decision === "allowed") this.allowed++;
+    else this.blocked++;
+    this.byAction[action] = (this.byAction[action] ?? 0) + 1;
+    this.byPhase[phase] = (this.byPhase[phase] ?? 0) + 1;
+    const idx = this.bisect(durationMs);
+    this.latencies.splice(idx, 0, durationMs);
+  }
+  getSnapshot() {
+    return {
+      uptime_seconds: Math.floor((Date.now() - this.startedAt) / 1e3),
+      tool_calls: {
+        total: this.total,
+        allowed: this.allowed,
+        blocked: this.blocked
+      },
+      latency_ms: {
+        p50: this.percentile(50),
+        p95: this.percentile(95),
+        p99: this.percentile(99)
+      },
+      by_action: { ...this.byAction },
+      by_phase: { ...this.byPhase }
+    };
+  }
+  percentile(p) {
+    if (this.latencies.length === 0) return 0;
+    const idx = Math.ceil(p / 100 * this.latencies.length) - 1;
+    return this.latencies[Math.max(0, idx)];
+  }
+  bisect(val) {
+    let lo = 0;
+    let hi = this.latencies.length;
+    while (lo < hi) {
+      const mid = lo + hi >>> 1;
+      if (this.latencies[mid] < val) lo = mid + 1;
+      else hi = mid;
+    }
+    return lo;
+  }
+};
+
+// src/gateway/translatorRegistry.ts
+var TranslatorRegistry = class {
+  translators = /* @__PURE__ */ new Map();
+  insertionOrder = [];
+  /**
+   * Register a translator for an agent type.
+   * Throws if a translator is already registered for the same agentType.
+   */
+  register(translator) {
+    const { agentType } = translator;
+    if (this.translators.has(agentType)) {
+      throw new Error(`Translator already registered for agentType '${agentType}'`);
+    }
+    this.translators.set(agentType, translator);
+    this.insertionOrder.push(agentType);
+  }
+  /** Returns the translator for the given agent type, or null if none is registered. */
+  get(agentType) {
+    return this.translators.get(agentType) ?? null;
+  }
+  /** Returns registered agent types in registration order. */
+  listRegistered() {
+    return [...this.insertionOrder];
+  }
+};
+
+// src/gateway/bashScanner.ts
+import { parse as shellParse } from "shell-quote";
+import { realpathSync } from "fs";
+import { dirname as dirname2, join, basename, normalize } from "path";
+var BRACE_PATTERN_RE = /\{[^}]*,[^}]*\}/;
+var MAX_BRACE_EXPANSION = 64;
+function fnmatchBasename(pattern, candidate) {
+  if (pattern.length !== candidate.length) return false;
+  for (let i = 0; i < pattern.length; i++) {
+    const p = pattern[i].toLowerCase();
+    const c = candidate[i].toLowerCase();
+    if (p === "?") continue;
+    if (p !== c) return false;
+  }
+  return true;
+}
+function bracketTokenMatchesForbidden(token, forbiddenBasenames) {
+  const literals = [];
+  let current = "";
+  let inBracket = false;
+  for (let i = 0; i < token.length; i++) {
+    if (token[i] === "[" && !inBracket) {
+      if (current) literals.push(current);
+      current = "";
+      inBracket = true;
+    } else if (token[i] === "]" && inBracket) {
+      inBracket = false;
+    } else if (!inBracket) {
+      current += token[i];
+    }
+  }
+  if (current) literals.push(current);
+  for (const forbidden of forbiddenBasenames) {
+    const fl = forbidden.toLowerCase();
+    for (const lit of literals) {
+      if (lit.length === 0) continue;
+      if (fl.includes(lit.toLowerCase())) return forbidden;
+    }
+  }
+  return null;
+}
+function resolveBraceExpansion(token) {
+  const match = token.match(/^(.*?)\{([^}]*,[^}]*)\}(.*)$/);
+  if (!match) return null;
+  const [, prefix, alternatives, suffix] = match;
+  const parts = alternatives.split(",");
+  if (parts.length > MAX_BRACE_EXPANSION) return null;
+  return parts.map((p) => prefix + p + suffix);
+}
+function wildcardDispatch(token, forbiddenBasenames, metadataField) {
+  const result = {
+    resolvedBasenames: [],
+    unparseable: false,
+    metadata: {}
+  };
+  if (token === "*" || token === "**" || token === "?") {
+    return result;
+  }
+  if (BRACE_PATTERN_RE.test(token)) {
+    const expanded = resolveBraceExpansion(token);
+    if (expanded === null) {
+      result.unparseable = true;
+      return result;
+    }
+    for (const alt of expanded) {
+      const hasWildcard = /[?*[]/.test(alt);
+      if (hasWildcard) {
+        const sub = wildcardDispatch(alt, forbiddenBasenames, metadataField);
+        if (sub.resolvedBasenames.length > 0) {
+          result.resolvedBasenames.push(...sub.resolvedBasenames);
+          result.metadata["resolvedFromBrace"] = token;
+          Object.assign(result.metadata, sub.metadata);
+        }
+        if (sub.unparseable) result.unparseable = true;
+      } else {
+        const altLower = alt.toLowerCase();
+        for (const forbidden of forbiddenBasenames) {
+          if (altLower === forbidden.toLowerCase()) {
+            result.resolvedBasenames.push(forbidden);
+            result.metadata["resolvedFromBrace"] = token;
+            break;
+          }
+        }
+      }
+    }
+    return result;
+  }
+  const hasStar = token.includes("*");
+  const hasQuestion = token.includes("?");
+  const hasBracket = token.includes("[");
+  if (hasBracket) {
+    const matched = bracketTokenMatchesForbidden(token, forbiddenBasenames);
+    if (matched) {
+      result.resolvedBasenames.push(matched);
+      result.metadata["resolvedFromBracket"] = token;
+    } else {
+      result.unparseable = true;
+    }
+    return result;
+  }
+  if (hasStar && !hasQuestion) {
+    const matched = starLiteralSubstringCheck(token, forbiddenBasenames);
+    if (matched) {
+      result.resolvedBasenames.push(matched);
+      result.metadata[metadataField] = token;
+    }
+    return result;
+  }
+  if (hasQuestion && !hasStar) {
+    for (const forbidden of forbiddenBasenames) {
+      if (fnmatchBasename(token, forbidden)) {
+        result.resolvedBasenames.push(forbidden);
+        result.metadata[metadataField] = token;
+        break;
+      }
+    }
+    return result;
+  }
+  if (hasStar && hasQuestion) {
+    const starMatch = starLiteralSubstringCheck(token, forbiddenBasenames);
+    if (starMatch) {
+      result.resolvedBasenames.push(starMatch);
+      result.metadata[metadataField] = token;
+      return result;
+    }
+    const segments = token.split("*").filter((s) => s.includes("?"));
+    for (const seg of segments) {
+      for (const forbidden of forbiddenBasenames) {
+        if (fnmatchBasename(seg, forbidden)) {
+          result.resolvedBasenames.push(forbidden);
+          result.metadata[metadataField] = token;
+          return result;
+        }
+      }
+    }
+    return result;
+  }
+  return result;
+}
+function starLiteralSubstringCheck(token, forbiddenBasenames) {
+  const literals = token.split("*").filter((s) => s.length > 0);
+  for (const forbidden of forbiddenBasenames) {
+    const fl = forbidden.toLowerCase();
+    for (const lit of literals) {
+      if (fl.includes(lit.toLowerCase())) return forbidden;
+    }
+  }
+  return null;
+}
+function shouldDispatchWildcard(token) {
+  const hasMetachar = /[?*[{]/.test(token);
+  if (!hasMetachar) return false;
+  if (isPathShaped(token)) return true;
+  if (token.includes("[")) return true;
+  if (BRACE_PATTERN_RE.test(token)) return true;
+  return false;
+}
+var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key)/i;
+var DANGEROUS_COMMAND_TOKENS = /* @__PURE__ */ new Set(["eval"]);
+var COMMAND_SUBSTITUTION_RE = /\$\(|`/;
+var DANGEROUS_RAW_RE = /<<<|<\(|>\(/;
+function isVarMarker(token) {
+  return typeof token === "object" && token !== null && "__sentinel_var" in token && typeof token.__sentinel_var === "string";
+}
+function tokenizePaths(command) {
+  const result = {
+    paths: [],
+    unparseable: false,
+    hasDangerousConstruct: false
+  };
+  if (DANGEROUS_RAW_RE.test(command)) {
+    result.hasDangerousConstruct = true;
+  }
+  if (COMMAND_SUBSTITUTION_RE.test(command)) {
+    result.hasDangerousConstruct = true;
+  }
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    result.unparseable = true;
+    return result;
+  }
+  if (!Array.isArray(tokens)) {
+    result.unparseable = true;
+    return result;
+  }
+  let prevToken = null;
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i];
+    if (isVarMarker(token)) {
+      const nextToken = tokens[i + 1];
+      const nextIsPathRelevant = nextToken === void 0 || // end of tokens — var is complete argument
+      typeof nextToken === "object" && nextToken !== null && "op" in nextToken || // followed by operator — var is complete argument
+      typeof nextToken === "string" && isPathShaped(nextToken);
+      const prevIsPathRelevant = prevToken !== null && isPathShaped(prevToken);
+      if (nextIsPathRelevant || prevIsPathRelevant) {
+        result.unparseable = true;
+      }
+      prevToken = null;
+      continue;
+    }
+    if (typeof token === "object" && token !== null) {
+      if ("pattern" in token) {
+        const globPattern = token.pattern;
+        const lastSlash = globPattern.lastIndexOf("/");
+        const dispatchTarget = lastSlash >= 0 ? globPattern.slice(lastSlash + 1) : globPattern;
+        const dispatch = wildcardDispatch(dispatchTarget, FORBIDDEN_BASENAMES, "resolvedFromGlob");
+        if (dispatch.resolvedBasenames.length > 0) {
+          for (const resolved of dispatch.resolvedBasenames) {
+            result.paths.push(resolved);
+          }
+        }
+        if (dispatch.unparseable) {
+          result.unparseable = true;
+        }
+        if (SENSITIVE_BASENAME_RE.test(globPattern)) {
+          result.unparseable = true;
+        }
+        prevToken = null;
+        continue;
+      }
+      if ("op" in token) {
+        if (token.op === "<(") {
+          result.hasDangerousConstruct = true;
+        }
+        prevToken = null;
+        continue;
+      }
+      prevToken = null;
+      continue;
+    }
+    if (typeof token !== "string") {
+      prevToken = null;
+      continue;
+    }
+    if (DANGEROUS_COMMAND_TOKENS.has(token.toLowerCase())) {
+      result.hasDangerousConstruct = true;
+    }
+    if ((prevToken === "sh" || prevToken === "bash" || prevToken === "/bin/sh" || prevToken === "/bin/bash") && token === "-c") {
+      result.hasDangerousConstruct = true;
+    }
+    if (shouldDispatchWildcard(token)) {
+      const metaField = "resolvedFromQuotedGlob";
+      const dispatch = wildcardDispatch(token, FORBIDDEN_BASENAMES, metaField);
+      if (dispatch.resolvedBasenames.length > 0) {
+        for (const resolved of dispatch.resolvedBasenames) {
+          result.paths.push(resolved);
+        }
+      }
+      if (dispatch.unparseable) {
+        result.unparseable = true;
+      }
+    } else if (isPathShaped(token)) {
+      const resolved = resolvePathToken(token);
+      result.paths.push(resolved);
+    }
+    prevToken = token;
+  }
+  return result;
+}
+function isPathShaped(token) {
+  if (token.includes("/")) return true;
+  if (token.startsWith(".")) return true;
+  if (SENSITIVE_BASENAME_RE.test(token)) return true;
+  return false;
+}
+function resolvePathToken(token) {
+  const normalized = normalize(token);
+  try {
+    return realpathSync(normalized);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return resolveNonexistentPathToken(normalized);
+    }
+    return normalized;
+  }
+}
+function resolveNonexistentPathToken(normalizedPath) {
+  let current = normalizedPath;
+  let suffix = "";
+  for (let i = 0; i < 50; i++) {
+    const parent = dirname2(current);
+    if (parent === current) {
+      return normalizedPath;
+    }
+    if (parent === ".") {
+      return normalizedPath;
+    }
+    suffix = suffix ? join(basename(current), suffix) : basename(current);
+    current = parent;
+    try {
+      const resolved = realpathSync(current);
+      if (resolved !== current) {
+        return join(resolved, suffix);
+      }
+      return join(resolved, suffix);
+    } catch {
+      continue;
+    }
+  }
+  return normalizedPath;
+}
+var FORBIDDEN_BASENAMES = [
+  ".env",
+  ".ssh",
+  ".aws",
+  "secrets",
+  "credentials",
+  "id_rsa",
+  "id_dsa",
+  "id_ecdsa",
+  "id_ed25519",
+  ".pem",
+  ".key"
+];
+function scanBashCommand(command, forbiddenBasenames) {
+  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
+  const hits = [];
+  for (const basename2 of basenames) {
+    const pattern = buildPattern(basename2);
+    if (pattern.test(command)) {
+      hits.push(basename2);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildPattern(basename2) {
+  const escaped = escapeRegex(basename2);
+  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
+    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  }
+  if (basename2.startsWith(".")) {
+    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
+  }
+  return new RegExp(`\\b${escaped}\\b`, "i");
+}
+function scanContentForForbiddenBasenames(content, forbiddenBasenames) {
+  const hits = [];
+  for (const basename2 of forbiddenBasenames) {
+    const pattern = buildContentPattern(basename2);
+    if (pattern.test(content)) {
+      hits.push(basename2);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildContentPattern(basename2) {
+  const escaped = escapeRegex(basename2);
+  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
+    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  }
+  if (basename2.startsWith(".")) {
+    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
+  }
+  return new RegExp(`(?<=[/\\\\]\\.?)${escaped}\\b`, "i");
+}
+function isAlphaAfterDot(s) {
+  return /^\.[a-zA-Z]+$/.test(s);
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function scanGlobPattern(pattern, forbiddenBasenames) {
+  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
+  const hits = [];
+  for (const basename2 of basenames) {
+    const re = buildGlobContextPattern(basename2);
+    if (re.test(pattern)) {
+      hits.push(basename2);
+    }
+  }
+  return { matched: hits.length > 0, hits };
+}
+function buildGlobContextPattern(basename2) {
+  const escaped = escapeRegex(basename2);
+  const GLOB_DELIM = String.raw`\s;&|<>()\\/'"=.*?{}\[\]`;
+  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
+    return new RegExp(`[\\w*]${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  }
+  if (basename2.startsWith(".")) {
+    return new RegExp(`(?:^|[${GLOB_DELIM}])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  }
+  return new RegExp(`\\b${escaped}\\b`, "i");
+}
+
+// src/gateway/runtimeConstructionResolvers.ts
+var MAX_RECURSION_DEPTH = 3;
+var INTERPRETER_RE = /\b(?:python[23]?|node|ruby|perl|php)\s+(?:-[cer])\s+(.+)/s;
+var NESTED_ENCODING_RE = /chr\(\d+\)|String\.fromCharCode|\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|printf\s/;
+var PRINTF_HEX_RE = /printf\s+['"]?[^'"]*\\x[0-9a-fA-F]{2}/;
+var PRINTF_OCT_RE = /printf\s+['"]?[^'"]*\\[0-7]{1,3}/;
+var B1_CONTEXT_RE = /(?:\bbase64\s+(?:-d|--decode)\b|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
+var ECHO_E_HEX_RE = /\becho\s+(?:-\w+\s+)*-\w*e\w*\b[^|;&\n]*\\x[0-9a-fA-F]{2}/;
+var ANSI_C_QUOTE_HEX_RE = /\$'[^']*\\x[0-9a-fA-F]{2}/;
+var ANSI_C_QUOTE_OCT_RE = /\$'[^']*\\[0-7]{1,3}/;
+var ANSI_C_QUOTE_UNICODE_RE = /\$'[^']*\\u[0-9a-fA-F]{4}/;
+var ANSI_C_BLOCK_RE = /\$'((?:\\.|[^'\\])*)'/g;
+var XXD_CONTEXT_RE = /\bxxd\s+(?:-r\s+-p|-p\s+-r)\b/;
+var AWK_RE = /\b[gmn]?awk\s/;
+var RESOLVERS = [
+  resolveCharCodeEncoding,
+  resolveInterpreterStringConcat,
+  resolveBase64Encoding,
+  resolveHexEscape,
+  resolveOctalEscape,
+  resolveUnicodeEscape,
+  resolveAnsiCBlock,
+  resolveXxdHexDecode
+];
+function runResolverPipeline(input, depth = 0) {
+  if (depth >= MAX_RECURSION_DEPTH) return [];
+  const results = [];
+  for (const resolver of RESOLVERS) {
+    for (const resolved of resolver(input)) {
+      if (resolved === input) continue;
+      results.push(resolved);
+      results.push(...runResolverPipeline(resolved, depth + 1));
+    }
+  }
+  return [...new Set(results)];
+}
+function resolveCharCodeEncoding(input) {
+  const results = [];
+  const TERM = String.raw`(?:chr\(\d+\)|'[^']*'|"(?:[^"\\]|\\.)*"|\\\"(?:[^"\\]|\\.)*\\\")`;
+  const CHAIN_RE = new RegExp(`${TERM}(?:\\s*\\+\\s*${TERM})+`, "g");
+  const SEG_RE = /chr\((\d+)\)|'([^']*)'|\\"([^"]*)\\"|"((?:[^"\\]|\\.)*)"/g;
+  const chains = [...input.matchAll(CHAIN_RE)];
+  for (const chain of chains) {
+    const segments = [...chain[0].matchAll(SEG_RE)];
+    const hasChr = segments.some((s) => s[1] !== void 0);
+    if (!hasChr) continue;
+    const decoded = segments.map((s) => {
+      if (s[1] !== void 0) return String.fromCharCode(parseInt(s[1], 10));
+      if (s[2] !== void 0) return s[2];
+      if (s[3] !== void 0) return s[3];
+      if (s[4] !== void 0) return s[4];
+      return "";
+    }).join("");
+    if (decoded.length > 0) results.push(decoded);
+  }
+  const JS_RE = /String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g;
+  let jsMatch;
+  while ((jsMatch = JS_RE.exec(input)) !== null) {
+    const argList = jsMatch[1];
+    const codePoints = argList.split(/\s*,\s*/).map((s) => parseInt(s, 10));
+    if (codePoints.some(isNaN)) continue;
+    const decoded = String.fromCharCode(...codePoints);
+    if (decoded.length > 0) results.push(decoded);
+  }
+  return [...new Set(results)];
+}
+function resolveBase64Encoding(input) {
+  if (!INTERPRETER_RE.test(input) && !B1_CONTEXT_RE.test(input)) return [];
+  const results = [];
+  const BASE64_RE = /[A-Za-z0-9+/]{4,}={0,2}/g;
+  let match;
+  while ((match = BASE64_RE.exec(input)) !== null) {
+    const candidate = match[0];
+    if (!isValidBase64(candidate)) continue;
+    let decoded;
+    try {
+      decoded = Buffer.from(candidate, "base64").toString("utf-8");
+    } catch {
+      continue;
+    }
+    if (decoded.length === 0) continue;
+    const scan = scanBashCommand(decoded, FORBIDDEN_BASENAMES);
+    if (scan.matched) {
+      results.push(decoded);
+      continue;
+    }
+    if (NESTED_ENCODING_RE.test(decoded)) {
+      results.push(decoded);
+    }
+  }
+  return [...new Set(results)];
+}
+function isValidBase64(s) {
+  if (s.length < 8) return false;
+  if (s.length % 4 !== 0) return false;
+  return /^[A-Za-z0-9+/]+={0,2}$/.test(s);
+}
+function resolveHexEscape(input) {
+  if (!INTERPRETER_RE.test(input) && !PRINTF_HEX_RE.test(input) && !ECHO_E_HEX_RE.test(input) && !ANSI_C_QUOTE_HEX_RE.test(input))
+    return [];
+  const results = [];
+  const HEX_RUN_RE = /(?:\\x[0-9a-fA-F]{2})+/g;
+  let match;
+  while ((match = HEX_RUN_RE.exec(input)) !== null) {
+    const hexRun = match[0];
+    const bytePairs = [...hexRun.matchAll(/\\x([0-9a-fA-F]{2})/g)];
+    const decoded = bytePairs.map((m) => String.fromCharCode(parseInt(m[1], 16))).join("");
+    if (decoded.length === 0) continue;
+    const afterIndex = match.index + hexRun.length;
+    const trailingMatch = /^'?([a-zA-Z0-9._-]*)/.exec(input.slice(afterIndex));
+    const trailing = trailingMatch ? trailingMatch[1] : "";
+    const fullCandidate = decoded + trailing;
+    const scan = scanBashCommand(fullCandidate, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(fullCandidate);
+  }
+  return [...new Set(results)];
+}
+function resolveOctalEscape(input) {
+  if (!INTERPRETER_RE.test(input) && !PRINTF_OCT_RE.test(input) && !ANSI_C_QUOTE_OCT_RE.test(input))
+    return [];
+  const results = [];
+  const OCTAL_RUN_RE = /(?:\\[0-7]{1,3})+/g;
+  let match;
+  while ((match = OCTAL_RUN_RE.exec(input)) !== null) {
+    const octalRun = match[0];
+    const octalDigits = [...octalRun.matchAll(/\\([0-7]{1,3})/g)];
+    const decoded = octalDigits.map((m) => {
+      const val = parseInt(m[1], 8);
+      if (val > 255) return "";
+      return String.fromCharCode(val);
+    }).join("");
+    if (decoded.length === 0) continue;
+    const afterIndex = match.index + octalRun.length;
+    const trailingMatch = /^'?([a-zA-Z0-9._-]*)/.exec(input.slice(afterIndex));
+    const trailing = trailingMatch ? trailingMatch[1] : "";
+    const fullCandidate = decoded + trailing;
+    const scan = scanBashCommand(fullCandidate, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(fullCandidate);
+  }
+  return [...new Set(results)];
+}
+function resolveUnicodeEscape(input) {
+  if (!INTERPRETER_RE.test(input) && !ANSI_C_QUOTE_UNICODE_RE.test(input)) return [];
+  const results = [];
+  const UNICODE_RUN_RE = /(?:\\u[0-9a-fA-F]{4})+/g;
+  let match;
+  while ((match = UNICODE_RUN_RE.exec(input)) !== null) {
+    const unicodeRun = match[0];
+    const codePoints = [...unicodeRun.matchAll(/\\u([0-9a-fA-F]{4})/g)];
+    const decoded = codePoints.map((m) => String.fromCharCode(parseInt(m[1], 16))).join("");
+    if (decoded.length === 0) continue;
+    const afterIndex = match.index + unicodeRun.length;
+    const trailingMatch = /^'?([a-zA-Z0-9._-]*)/.exec(input.slice(afterIndex));
+    const trailing = trailingMatch ? trailingMatch[1] : "";
+    const fullCandidate = decoded + trailing;
+    const scan = scanBashCommand(fullCandidate, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(fullCandidate);
+  }
+  return [...new Set(results)];
+}
+function resolveInterpreterStringConcat(input) {
+  if (!INTERPRETER_RE.test(input) && !AWK_RE.test(input)) return [];
+  const results = [];
+  const LIT_TERM = String.raw`(?:'[^']*'|"(?:[^"\\]|\\.)*"|\\\"(?:[^"\\]|\\.)*\\\")`;
+  const CONCAT_OP = String.raw`(?:\s*[+.]\s*|\s*(?=["']))`;
+  const CONCAT_CHAIN_RE = new RegExp(`${LIT_TERM}(?:${CONCAT_OP}${LIT_TERM})+`, "g");
+  const LIT_SEG_RE = /'([^']*)'|\\"([^"]*)\\"|"((?:[^"\\]|\\.)*)"/g;
+  for (const chain of input.matchAll(CONCAT_CHAIN_RE)) {
+    const segments = [...chain[0].matchAll(LIT_SEG_RE)];
+    const decoded = segments.map((s) => s[1] ?? s[2] ?? s[3] ?? "").join("");
+    if (decoded.length === 0) continue;
+    const scan = scanBashCommand(decoded, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(decoded);
+  }
+  return [...new Set(results)];
+}
+function decodeAnsiCBlock(raw) {
+  let result = "";
+  let i = 0;
+  while (i < raw.length) {
+    if (raw[i] === "\\" && i + 1 < raw.length) {
+      const next = raw[i + 1];
+      if (next === "x" && i + 3 < raw.length) {
+        const hex = raw.slice(i + 2, i + 4);
+        if (/^[0-9a-fA-F]{2}$/.test(hex)) {
+          result += String.fromCharCode(parseInt(hex, 16));
+          i += 4;
+          continue;
+        }
+      }
+      if (next === "u") {
+        const rest = raw.slice(i + 2, i + 6);
+        const m = /^[0-9a-fA-F]{1,4}/.exec(rest);
+        if (m) {
+          result += String.fromCodePoint(parseInt(m[0], 16));
+          i += 2 + m[0].length;
+          continue;
+        }
+      }
+      if (next === "U") {
+        const rest = raw.slice(i + 2, i + 10);
+        const m = /^[0-9a-fA-F]{1,8}/.exec(rest);
+        if (m) {
+          const cp = parseInt(m[0], 16);
+          if (cp <= 1114111) {
+            result += String.fromCodePoint(cp);
+            i += 2 + m[0].length;
+            continue;
+          }
+        }
+      }
+      if (next >= "0" && next <= "7") {
+        const rest = raw.slice(i + 1, i + 4);
+        const m = /^[0-7]{1,3}/.exec(rest);
+        if (m) {
+          const val = parseInt(m[0], 8);
+          if (val <= 255) {
+            result += String.fromCharCode(val);
+            i += 1 + m[0].length;
+            continue;
+          }
+        }
+      }
+      const NAMED = {
+        "\\": "\\",
+        "'": "'",
+        n: "\n",
+        t: "	",
+        r: "\r",
+        a: "\x07",
+        b: "\b",
+        f: "\f",
+        v: "\v",
+        e: "\x1B",
+        "?": "?"
+      };
+      if (next in NAMED) {
+        result += NAMED[next];
+        i += 2;
+        continue;
+      }
+      result += next;
+      i += 2;
+      continue;
+    }
+    result += raw[i];
+    i += 1;
+  }
+  return result;
+}
+function resolveAnsiCBlock(input) {
+  const results = [];
+  ANSI_C_BLOCK_RE.lastIndex = 0;
+  let match;
+  while ((match = ANSI_C_BLOCK_RE.exec(input)) !== null) {
+    const rawInner = match[1];
+    const decoded = decodeAnsiCBlock(rawInner);
+    if (decoded.length === 0) continue;
+    const afterIndex = match.index + match[0].length;
+    const trailingMatch = /^[a-zA-Z0-9._-]*/.exec(input.slice(afterIndex));
+    const trailing = trailingMatch ? trailingMatch[0] : "";
+    const fullCandidate = decoded + trailing;
+    const scan = scanBashCommand(fullCandidate, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(fullCandidate);
+  }
+  return [...new Set(results)];
+}
+function resolveXxdHexDecode(input) {
+  if (!XXD_CONTEXT_RE.test(input)) return [];
+  const results = [];
+  const RAW_HEX_RUN_RE = /\b(?:[0-9a-fA-F]{2}){4,}\b/g;
+  let match;
+  while ((match = RAW_HEX_RUN_RE.exec(input)) !== null) {
+    const hexStr = match[0];
+    const pairs = hexStr.match(/.{2}/g);
+    if (!pairs) continue;
+    const decoded = pairs.map((p) => String.fromCharCode(parseInt(p, 16))).join("");
+    if (decoded.length === 0) continue;
+    const scan = scanBashCommand(decoded, FORBIDDEN_BASENAMES);
+    if (!scan.matched) continue;
+    results.push(decoded);
+  }
+  return [...new Set(results)];
+}
+
+// src/gateway/claudeCodeTranslator.ts
+var TOOL_MAP = {
+  Bash: { action: "command_exec", targetKey: "command" },
+  Read: { action: "file_read", targetKey: "file_path" },
+  Write: { action: "file_write", targetKey: "file_path" },
+  Edit: { action: "file_write", targetKey: "file_path" },
+  Glob: { action: "file_read", targetKey: "pattern" },
+  Grep: { action: "file_read", targetKey: "path" },
+  WebFetch: { action: "network_request", targetKey: "url" },
+  WebSearch: { action: "network_request", targetKey: "query" },
+  Task: { action: "tool_invocation", targetKey: "description" },
+  Skill: { action: "tool_invocation", targetKey: "skill" },
+  NotebookEdit: { action: "file_write", targetKey: "notebook_path" }
+};
+var AGENT_ID = "claude-code";
+var AGENT_NAME = "Claude Code";
+var AGENT_ROLE = "coding-assistant";
+var TOOL_RESPONSE_MAX_CHARS = 500;
+function extractBashTargets(toolInput) {
+  const command = toolInput.command;
+  if (typeof command !== "string" || command.length === 0) return ["Bash"];
+  const targets = [command];
+  const resolved = runResolverPipeline(command);
+  for (const r of resolved) {
+    targets.push(r);
+  }
+  return targets;
+}
+function extractTaskTargets(toolInput) {
+  const targets = [];
+  const description = toolInput.description;
+  if (typeof description === "string" && description.length > 0) {
+    targets.push(description);
+  }
+  const prompt = toolInput.prompt;
+  if (typeof prompt === "string" && prompt.length > 0) {
+    targets.push(prompt);
+  }
+  const subagentType = toolInput.subagent_type;
+  if (typeof subagentType === "string" && subagentType.length > 0) {
+    targets.push(subagentType);
+  }
+  return targets.length > 0 ? targets : ["Task"];
+}
+function extractWebFetchTargets(toolInput) {
+  const url = toolInput.url;
+  if (typeof url !== "string" || url.length === 0) return ["WebFetch"];
+  const targets = [url];
+  try {
+    const parsed = new URL(url);
+    const hostTarget = `${parsed.protocol}//${parsed.host}`;
+    if (hostTarget !== url) targets.push(hostTarget);
+    if (parsed.pathname && parsed.pathname !== "/") targets.push(parsed.pathname);
+  } catch {
+  }
+  return targets;
+}
+function extractNotebookEditTargets(toolInput) {
+  const targets = [];
+  const notebookPath = toolInput.notebook_path;
+  if (typeof notebookPath === "string" && notebookPath.length > 0) {
+    targets.push(notebookPath);
+  }
+  const newSource = toolInput.new_source;
+  if (typeof newSource === "string" && newSource.length > 0) {
+    targets.push(newSource);
+    const resolved = runResolverPipeline(newSource);
+    for (const r of resolved) {
+      targets.push(r);
+    }
+  }
+  const cellId = toolInput.cell_id;
+  if (typeof cellId === "string" && cellId.length > 0) {
+    targets.push(cellId);
+  }
+  return targets.length > 0 ? targets : ["NotebookEdit"];
+}
+function extractGrepTargets(toolInput, cwd) {
+  const targets = [];
+  const path = toolInput.path;
+  if (typeof path === "string" && path.length > 0) {
+    targets.push(path);
+  } else if (cwd) {
+    targets.push(cwd);
+  }
+  const pattern = toolInput.pattern;
+  if (typeof pattern === "string" && pattern.length > 0) {
+    targets.push(pattern);
+  }
+  return targets.length > 0 ? targets : ["Grep"];
+}
+function extractTargets(toolName, toolInput, cwd) {
+  switch (toolName) {
+    case "Bash":
+      return extractBashTargets(toolInput);
+    case "Task":
+      return extractTaskTargets(toolInput);
+    case "WebFetch":
+      return extractWebFetchTargets(toolInput);
+    case "NotebookEdit":
+      return extractNotebookEditTargets(toolInput);
+    case "Grep":
+      return extractGrepTargets(toolInput, cwd);
+    default: {
+      const mapping = TOOL_MAP[toolName];
+      if (!mapping) return [toolName];
+      const val = toolInput[mapping.targetKey];
+      if (typeof val === "string" && val.length > 0) return [val];
+      return [toolName];
+    }
+  }
+}
+function isMcpTool(toolName) {
+  return toolName.startsWith("mcp__");
+}
+var MCP_MUTATING_VERBS = ["write", "delete", "exec", "create", "send", "put", "update", "remove"];
+function mcpVerbIsMutating(toolName) {
+  const seg = (toolName.split("__").pop() ?? "").toLowerCase();
+  const tokens = seg.split(/[_-]/).filter((t) => t.length > 0);
+  return tokens.some((t) => MCP_MUTATING_VERBS.some((v) => t.startsWith(v)));
+}
+function extractMcpTargets(toolName, toolInput) {
+  const targets = [toolName];
+  const keys = Object.keys(toolInput);
+  let extractedStrings = 0;
+  for (const key of keys) {
+    const value = toolInput[key];
+    if (typeof value !== "string" || value.length === 0) continue;
+    extractedStrings++;
+    targets.push(value);
+    const resolved = runResolverPipeline(value);
+    for (const r of resolved) {
+      targets.push(r);
+    }
+  }
+  return {
+    targets,
+    unextractable: keys.length > 0 && extractedStrings === 0,
+    mutating: mcpVerbIsMutating(toolName)
+  };
+}
+var UNKNOWN_TOOL_REASON = "tool schema unknown \u2014 sensitivity scoring and forbidden target patterns cannot evaluate this event";
+var ClaudeCodeTranslator = class {
+  agentType = "claude-code";
+  translatePreToolUse(payload) {
+    const p = payload;
+    if (!p || typeof p !== "object" || !p.tool_name) return null;
+    const toolName = p.tool_name;
+    const toolInput = p.tool_input ?? {};
+    const cwd = p.cwd ?? "";
+    const { action, targets, isUnknown, isMcp, mcpUnscanned, mcpMutating } = this.resolveToolMapping(toolName, toolInput, cwd);
+    const metadata = {
+      executionPhase: "pre",
+      ccToolName: toolName
+    };
+    if (cwd) metadata.cwd = cwd;
+    if (p.session_id) metadata.ccSessionId = p.session_id;
+    if (p.agent_id) metadata.agent_id = p.agent_id;
+    if (p.agent_type) metadata.agent_type = p.agent_type;
+    if (isUnknown) {
+      metadata._unknownTool = "true";
+      metadata._policyEnforcementBypassed = "true";
+      metadata._policyBypassReason = UNKNOWN_TOOL_REASON;
+      console.warn(
+        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 allowing with WARN. ${UNKNOWN_TOOL_REASON}`
+      );
+    }
+    if (isMcp) {
+      metadata._mcpTool = "true";
+      if (mcpUnscanned) {
+        metadata._mcpUnscanned = "true";
+        if (mcpMutating) {
+          metadata._mcpUnscannedMutating = "true";
+          console.warn(
+            `[SENTINEL] MCP tool "${toolName}" (mutating) called with unscannable arguments \u2014 escalating. Arguments contained no extractable string operand; forbidden-path and sensitivity checks could not evaluate them.`
+          );
+        } else {
+          console.warn(
+            `[SENTINEL] MCP tool "${toolName}" called with unscannable arguments \u2014 allowing with WARN. Arguments contained no extractable string operand.`
+          );
+        }
+      }
+    }
+    return {
+      agentId: AGENT_ID,
+      agentName: AGENT_NAME,
+      agentRole: AGENT_ROLE,
+      action,
+      targets,
+      primaryTarget: targets[0],
+      schemaVersion: 2,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId: p.session_id,
+      metadata
+    };
+  }
+  translatePostToolUse(payload) {
+    const p = payload;
+    if (!p || typeof p !== "object" || !p.tool_name) return null;
+    const toolName = p.tool_name;
+    const toolInput = p.tool_input ?? {};
+    const cwd = p.cwd ?? "";
+    const { action, targets, isUnknown, isMcp, mcpUnscanned, mcpMutating } = this.resolveToolMapping(toolName, toolInput, cwd);
+    const metadata = {
+      executionPhase: "post",
+      ccToolName: toolName
+    };
+    if (cwd) metadata.cwd = cwd;
+    if (p.session_id) metadata.ccSessionId = p.session_id;
+    if (p.agent_id) metadata.agent_id = p.agent_id;
+    if (p.agent_type) metadata.agent_type = p.agent_type;
+    if (p.tool_response !== void 0) {
+      const summary = String(p.tool_response);
+      metadata.toolResponseSummary = summary.length > TOOL_RESPONSE_MAX_CHARS ? summary.slice(0, TOOL_RESPONSE_MAX_CHARS) : summary;
+    }
+    if (isUnknown) {
+      metadata._unknownTool = "true";
+      metadata._policyEnforcementBypassed = "true";
+      metadata._policyBypassReason = UNKNOWN_TOOL_REASON;
+    }
+    if (isMcp) {
+      metadata._mcpTool = "true";
+      if (mcpUnscanned) {
+        metadata._mcpUnscanned = "true";
+        if (mcpMutating) metadata._mcpUnscannedMutating = "true";
+      }
+    }
+    return {
+      agentId: AGENT_ID,
+      agentName: AGENT_NAME,
+      agentRole: AGENT_ROLE,
+      action,
+      targets,
+      primaryTarget: targets[0],
+      schemaVersion: 2,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId: p.session_id,
+      metadata
+    };
+  }
+  translateSessionEnd(payload) {
+    const p = payload;
+    if (!p || typeof p !== "object") return null;
+    return {
+      sessionId: p.session_id,
+      cwd: p.cwd
+    };
+  }
+  translateUserPromptSubmit(payload) {
+    const p = payload;
+    if (!p || typeof p !== "object" || typeof p.prompt !== "string") return null;
+    return {
+      sessionId: p.session_id,
+      cwd: p.cwd,
+      prompt: p.prompt
+    };
+  }
+  formatPreToolUseResponse(result) {
+    if (result.blocked) {
+      const reason = result.finding ? `Sentinel blocked: ${result.finding.description}` : "Sentinel blocked this action";
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: reason
+        }
+      };
+    }
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "allow"
+      }
+    };
+  }
+  /**
+   * Format a MODIFY response — allows the tool call with rewritten arguments.
+   * Uses cc's updatedInput field (shallow merge with original tool_input)
+   * and additionalContext for transparency.
+   *
+   * Sprint 6a Prompt 8b: used by Grep handler to inject --glob exclusions.
+   */
+  formatPreToolUseModifyResponse(args) {
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "allow",
+        updatedInput: args.updatedInput,
+        additionalContext: args.additionalContext
+      }
+    };
+  }
+  formatPostToolUseResponse() {
+    return { hookSpecificOutput: { hookEventName: "PostToolUse" } };
+  }
+  formatSessionEndResponse() {
+    return { hookSpecificOutput: {} };
+  }
+  // -------------------------------------------------------------------------
+  // Internal
+  // -------------------------------------------------------------------------
+  resolveToolMapping(toolName, toolInput, cwd) {
+    const mapping = TOOL_MAP[toolName];
+    if (mapping) {
+      return {
+        action: mapping.action,
+        targets: extractTargets(toolName, toolInput, cwd),
+        isUnknown: false,
+        isMcp: false
+      };
+    }
+    if (isMcpTool(toolName)) {
+      const mcp = extractMcpTargets(toolName, toolInput);
+      return {
+        action: "tool_invocation",
+        targets: mcp.targets,
+        isUnknown: false,
+        isMcp: true,
+        mcpUnscanned: mcp.unextractable,
+        mcpMutating: mcp.mutating
+      };
+    }
+    return {
+      action: "tool_invocation",
+      targets: [toolName],
+      isUnknown: true,
+      isMcp: false
+    };
+  }
+};
+
+// src/gateway/grepRewriter.ts
+function buildGrepExclusions(forbiddenPatterns) {
+  const flags = [];
+  for (const pattern of forbiddenPatterns) {
+    flags.push("--glob", `!${pattern}`);
+  }
+  return flags;
+}
+function isPathItselfForbidden(searchPath, forbiddenPatterns) {
+  const matched = [];
+  for (const pattern of forbiddenPatterns) {
+    if (matchGlobInsensitive(pattern, searchPath)) {
+      matched.push(pattern);
+    }
+  }
+  return { forbidden: matched.length > 0, matchedPatterns: matched };
+}
+function buildModifiedGrepInput(originalInput, exclusions) {
+  const updated = { ...originalInput };
+  const exclusionPatterns = exclusions.filter((_, i) => i % 2 === 1).map((p) => p.slice(1));
+  const exclusionGlob = exclusionPatterns.length === 1 ? `!${exclusionPatterns[0]}` : `!{${exclusionPatterns.join(",")}}`;
+  updated.glob = exclusionGlob;
+  return updated;
+}
+
+// src/gateway/server.ts
+var DEFAULT_PORT = 7847;
+var MAX_BODY_SIZE = 1024 * 1024;
+var GATEWAY_VERSION = "0.1.0";
+function parseIntentLine(prompt) {
+  if (typeof prompt !== "string") return null;
+  const firstNonEmpty = prompt.split("\n").find((line) => line.trim().length > 0);
+  if (!firstNonEmpty) return null;
+  const match = firstNonEmpty.match(/^\s*intent:\s*(.+?)\s*$/i);
+  if (!match) return null;
+  const description = match[1].trim();
+  return description.length > 0 ? description : null;
+}
+function parseScopeLine(prompt) {
+  if (typeof prompt !== "string") return null;
+  const lines = prompt.split("\n");
+  let seenNonBlank = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0) {
+      if (seenNonBlank) break;
+      continue;
+    }
+    seenNonBlank = true;
+    const scopeMatch = trimmed.match(/^scope:\s*(.+?)\s*$/i);
+    if (scopeMatch) {
+      const globs = scopeMatch[1].split(/[\s,]+/).map((g) => g.trim()).filter((g) => g.length > 0);
+      return globs.length > 0 ? globs : null;
+    }
+    if (!/^intent:/i.test(trimmed)) break;
+  }
+  return null;
+}
+var SentinelGateway = class {
+  configuredPort;
+  sentinel;
+  registry;
+  agentId;
+  telemetry = new Telemetry();
+  forbiddenPatterns;
+  /** B5a gate (default off). True → per-workspace B-path; false → today's behavior. */
+  workspaceIsolation;
+  operatorCeiling;
+  home;
+  server = null;
+  running = false;
+  signalHandlersInstalled = false;
+  boundSigterm = null;
+  boundSigint = null;
+  constructor(options) {
+    this.configuredPort = options.port ?? DEFAULT_PORT;
+    this.sentinel = options.sentinel;
+    this.agentId = options.agentId;
+    this.forbiddenPatterns = options.forbiddenPatterns ?? DEFAULT_FORBIDDEN_PATTERNS;
+    this.workspaceIsolation = options.workspaceIsolation ?? process.env.SENTINEL_WORKSPACE_ISOLATION === "1";
+    this.operatorCeiling = options.operatorCeiling ?? null;
+    this.home = options.home ?? "";
+    const internal = options;
+    if (internal.registry) {
+      this.registry = internal.registry;
+    } else if (internal.translator) {
+      this.registry = new TranslatorRegistry();
+      this.registry.register(internal.translator);
+    } else {
+      this.registry = new TranslatorRegistry();
+      this.registry.register(new ClaudeCodeTranslator());
+    }
+  }
+  get port() {
+    const addr = this.server?.address();
+    if (addr && typeof addr === "object") return addr.port;
+    return this.configuredPort;
+  }
+  isRunning() {
+    return this.running;
+  }
+  async start() {
+    if (this.running) return;
+    this.running = true;
+    const http = await import("http");
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    await new Promise((resolve2, reject) => {
+      this.server.once("error", reject);
+      this.server.listen(this.configuredPort, () => {
+        this.server.removeListener("error", reject);
+        resolve2();
+      });
+    });
+    this.installSignalHandlers();
+    if (this.workspaceIsolation) this.sentinel.startWorkspaceSweep();
+    console.log(`[SENTINEL GATEWAY] Listening on port ${this.port}`);
+  }
+  async stop() {
+    if (!this.server) return;
+    this.removeSignalHandlers();
+    if (this.workspaceIsolation) this.sentinel.stopWorkspaceSweep();
+    await new Promise((resolve2, reject) => {
+      this.server.close((err) => err ? reject(err) : resolve2());
+    });
+    this.server = null;
+    this.running = false;
+    console.log("[SENTINEL GATEWAY] Stopped");
+  }
+  /**
+   * Session completion. Safe to call multiple times — idempotency is provided
+   * by classifier.flush() returning null when no events have accumulated
+   * (runner.ts completeSession L612-613). Supports multi-session gateway
+   * lifetimes: each cc session's events flush independently.
+   */
+  async completeSessionSafe(routingId = this.agentId) {
+    try {
+      await this.sentinel.completeSession(routingId);
+    } catch (err) {
+      console.error("[SENTINEL GATEWAY] completeSession error:", err);
+    }
+  }
+  /**
+   * B5b-Phase-2: complete EVERY active session on shutdown, not just the global
+   * identity. Under workspace isolation each workspace runs its own runner with
+   * its own session + audit trail; a clean SIGTERM/SIGINT must flush each one,
+   * otherwise a workspace's tail events are lost on daemon shutdown. The global
+   * agentId is always included (it is the only runner gate-off, so this reduces
+   * to today's single completeSession in the escape-hatch case). Per-id failures
+   * are swallowed by completeSessionSafe so one bad runner can't strand the rest;
+   * completeSession is idempotent (flush() returns null with nothing queued).
+   */
+  async completeAllSessionsSafe() {
+    const ids = /* @__PURE__ */ new Set([this.agentId, ...this.sentinel.listActiveAgentIds()]);
+    for (const id of ids) {
+      await this.completeSessionSafe(id);
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Signal handlers (fallback for SIGTERM/SIGINT)
+  // -------------------------------------------------------------------------
+  installSignalHandlers() {
+    if (this.signalHandlersInstalled) return;
+    this.boundSigterm = () => {
+      this.handleSignal("SIGTERM", 0);
+    };
+    this.boundSigint = () => {
+      this.handleSignal("SIGINT", 130);
+    };
+    process.on("SIGTERM", this.boundSigterm);
+    process.on("SIGINT", this.boundSigint);
+    this.signalHandlersInstalled = true;
+  }
+  removeSignalHandlers() {
+    if (this.boundSigterm) process.removeListener("SIGTERM", this.boundSigterm);
+    if (this.boundSigint) process.removeListener("SIGINT", this.boundSigint);
+    this.boundSigterm = null;
+    this.boundSigint = null;
+    this.signalHandlersInstalled = false;
+  }
+  handleSignal(signal, exitCode) {
+    console.log(`[SENTINEL GATEWAY] Received ${signal}, shutting down...`);
+    this.completeAllSessionsSafe().then(() => this.stop()).then(() => this.sentinel.stop()).then(() => {
+      if (process.env.NODE_ENV !== "test") process.exit(exitCode);
+    }).catch((err) => {
+      console.error(`[SENTINEL GATEWAY] Shutdown error:`, err);
+      if (process.env.NODE_ENV !== "test") process.exit(1);
+    });
+  }
+  // -------------------------------------------------------------------------
+  // Request handling
+  // -------------------------------------------------------------------------
+  handleRequest(req, res) {
+    const url = req.url ?? "";
+    const method = req.method ?? "";
+    if (method === "GET") {
+      if (url === "/api/sentinel/health") {
+        const snap = this.telemetry.getSnapshot();
+        this.sendJson(res, 200, {
+          status: "running",
+          version: GATEWAY_VERSION,
+          uptime: snap.uptime_seconds
+        });
+        return;
+      }
+      if (url === "/api/sentinel/telemetry") {
+        this.sendJson(res, 200, this.telemetry.getSnapshot());
+        return;
+      }
+    }
+    if (method === "POST") {
+      const match = url.match(
+        /^\/api\/sentinel\/(pre-tool-use|post-tool-use|session-end|user-prompt-submit)\/(.+)$/
+      );
+      if (match) {
+        const [, endpoint, agentType] = match;
+        const translator = this.registry.get(agentType);
+        if (!translator) {
+          this.sendJson(res, 404, {
+            error: `Unknown agent type: "${agentType}". No translator registered.`,
+            registered: this.registry.listRegistered()
+          });
+          return;
+        }
+        this.readBody(req, res, (body) => {
+          if (endpoint === "pre-tool-use") this.handlePreToolUse(body, res, translator);
+          else if (endpoint === "post-tool-use") this.handlePostToolUse(body, res, translator);
+          else if (endpoint === "user-prompt-submit")
+            this.handleUserPromptSubmit(body, res, translator);
+          else this.handleSessionEnd(body, res, translator);
+        });
+        return;
+      }
+    }
+    this.sendJson(res, 404, { error: "not found" });
+  }
+  // -------------------------------------------------------------------------
+  // Endpoint handlers
+  // -------------------------------------------------------------------------
+  /**
+   * Emit a workspace-mismatch refusal as a finding + telemetry. Originally
+   * Approach A's foreign-refuse emitter; after the B5b-Phase-2 cutover this is
+   * reused by the B-path (resolveBPathRouting) for the no-cwd / unresolvable-
+   * workspace FAIL-CLOSED case — a request whose originating workspace cannot be
+   * resolved is still refused (correct fail-closed), even though foreign-but-
+   * resolvable workspaces are now SERVED.
+   *
+   * The finding's type is `workspace_mismatch`, which is NOT in
+   * `ESCALATION_ELIGIBLE_TYPES` — so `getEffectiveBlockCount` / `maybeEscalate`
+   * never count it, by design. This is the honest mechanism: a workspace
+   * mismatch is a ROUTING error (request from a different workspace than this
+   * daemon serves), not the served agent's misbehavior, so it denies the action
+   * but does not move the served agent's escalation ladder. Escalation-
+   * ineligibility is a consequence of what the finding IS, not a borrowed
+   * ineligible type. (An earlier version typed this `unauthorized_target`, which
+   * IS escalation-eligible; the audit-log-derived count then pulled foreign-
+   * workspace refusals into the shared ladder and collaterally quarantined the
+   * legitimate session — the bug this fix closes.)
+   *
+   * Emitted via logFinding() (not handleGatewayDeny()), matching the gateway's
+   * other non-eligible findings — e.g. the L3 case C/D `bash_analysis` records,
+   * which also use logFinding(). handleGatewayDeny() is reserved for the
+   * escalation-eligible deny paths (L1/L2/etc.).
+   */
+  async logWorkspaceMismatch(check, action, agentName, phase, routingId = this.agentId) {
+    const ts = (/* @__PURE__ */ new Date()).toISOString();
+    const finding = {
+      severity: "HIGH",
+      kind: "actionable",
+      type: "workspace_mismatch",
+      agentId: routingId,
+      agentName,
+      description: `Workspace mismatch \u2014 ${check.reason}`,
+      evidence: {
+        action,
+        target: check.requestCwd ?? "(no cwd)",
+        timestamp: ts,
+        baselineComparison: "workspace_mismatch"
+      },
+      recommendation: "This gateway serves a single workspace and has not loaded the originating workspace's policy. Start a session-local Sentinel gateway for that workspace.",
+      timestamp: ts,
+      decision: "deny"
+    };
+    await this.sentinel.logFinding(routingId, finding);
+    this.telemetry.recordToolCall(action, phase, "blocked", 0);
+    return finding;
+  }
+  /**
+   * Approach B / B5a — resolve a request to its per-workspace routing identity.
+   * Returns the derived agentId (used for BOTH routing and the event label) after
+   * lazily ensuring the workspace's runner exists with its merged role. Returns
+   * null and sends a fail-closed refusal when the workspace is unresolvable
+   * (no/empty cwd) — reusing the workspace_mismatch finding type. Only called
+   * when the isolation gate is ON.
+   */
+  async resolveBPathRouting(cwd, action, agentName, phase) {
+    const home = this.home || (await import("os")).homedir();
+    const resolved = await resolveWorkspace(cwd, home);
+    if (!resolved.ok) {
+      const check = { active: true, allowed: false, reason: resolved.reason };
+      const finding = await this.logWorkspaceMismatch(
+        check,
+        action,
+        agentName,
+        phase,
+        this.agentId
+      );
+      return { ok: false, finding };
+    }
+    const { root, agentId, workspaceRole } = resolved.resolution;
+    const ceiling = this.operatorCeiling;
+    if (!ceiling) {
+      const check = {
+        active: true,
+        allowed: false,
+        reason: "workspace isolation enabled but no operator ceiling configured"
+      };
+      const finding = await this.logWorkspaceMismatch(
+        check,
+        action,
+        agentName,
+        phase,
+        this.agentId
+      );
+      return { ok: false, finding };
+    }
+    const merged = effectiveRole(ceiling, workspaceRole);
+    for (const w of merged.warnings) {
+      console.warn(`[SENTINEL GATEWAY] policy-merge warning (${agentId}): ${w}`);
+    }
+    await this.sentinel.getOrCreateWorkspaceAgent(agentId, {
+      workspaceRoot: root,
+      role: merged.role,
+      name: agentId
+    });
+    this.sentinel.touchAgent(agentId);
+    return { ok: true, agentId };
+  }
+  async handlePreToolUse(body, res, translator) {
+    let payload;
+    try {
+      payload = JSON.parse(body);
+    } catch {
+      this.sendJson(res, 400, { error: "invalid JSON" });
+      return;
+    }
+    const event = translator.translatePreToolUse(payload);
+    if (!event) {
+      this.sendJson(res, 400, { error: "unable to translate payload" });
+      return;
+    }
+    let routingId = this.agentId;
+    if (this.workspaceIsolation) {
+      const routed = await this.resolveBPathRouting(
+        event.metadata?.cwd,
+        event.action,
+        event.agentName,
+        "pre"
+      );
+      if (!routed.ok) {
+        const response = translator.formatPreToolUseResponse({
+          blocked: true,
+          finding: routed.finding
+        });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      routingId = routed.agentId;
+      event.agentId = routingId;
+    }
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
+      const allL2Hits = [];
+      for (const scanTarget of event.targets) {
+        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
+        if (scan.matched) allL2Hits.push(...scan.hits);
+      }
+      if (allL2Hits.length > 0) {
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: allL2Hits[0],
+            timestamp: event.timestamp,
+            baselineComparison: "credentials_exfil_attempt"
+          },
+          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      const allTokenPaths = [];
+      let anyUnparseable = false;
+      let anyDangerousConstruct = false;
+      for (const tokenTarget of event.targets) {
+        const tr = tokenizePaths(tokenTarget);
+        allTokenPaths.push(...tr.paths);
+        if (tr.unparseable) anyUnparseable = true;
+        if (tr.hasDangerousConstruct) anyDangerousConstruct = true;
+      }
+      let matchedPath = null;
+      let matchedPattern = null;
+      for (const tokenPath of allTokenPaths) {
+        for (const pattern of this.forbiddenPatterns) {
+          if (matchGlobInsensitive(pattern, tokenPath)) {
+            matchedPath = tokenPath;
+            matchedPattern = pattern;
+            break;
+          }
+        }
+        if (matchedPath) break;
+      }
+      if (matchedPath) {
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command contains path '${matchedPath}' matching forbidden pattern '${matchedPattern}'`,
+          evidence: {
+            action: event.action,
+            target: matchedPath,
+            timestamp: event.timestamp,
+            baselineComparison: "forbidden_path_in_bash_command"
+          },
+          recommendation: "Review the command for credential or sensitive file access. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      const hasForbiddenIndicators = allL2Hits.length > 0 || matchedPath !== null;
+      if (anyDangerousConstruct && hasForbiddenIndicators) {
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command contains dangerous construct with forbidden indicators (${allL2Hits.join(", ") || matchedPath})`,
+          evidence: {
+            action: event.action,
+            target: event.primaryTarget,
+            timestamp: event.timestamp,
+            baselineComparison: "bash_dangerous_construct_with_forbidden_indicators"
+          },
+          recommendation: "Command uses eval/sh -c/command substitution and references forbidden targets. Review for injection or exfiltration.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      if (anyUnparseable && hasForbiddenIndicators) {
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command is unparseable and references forbidden indicators (${allL2Hits.join(", ") || matchedPath})`,
+          evidence: {
+            action: event.action,
+            target: event.primaryTarget,
+            timestamp: event.timestamp,
+            baselineComparison: "bash_unparseable_with_forbidden_indicators"
+          },
+          recommendation: "Command cannot be fully parsed and references forbidden targets. Review for obfuscation or injection.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      if (anyDangerousConstruct && !hasForbiddenIndicators) {
+        const findingC = {
+          severity: "MEDIUM",
+          kind: "informational",
+          type: "bash_analysis",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: "Bash command uses dangerous construct (eval/sh -c/$(...)) without forbidden indicators",
+          evidence: {
+            action: event.action,
+            target: event.primaryTarget,
+            timestamp: event.timestamp,
+            baselineComparison: "bash_dangerous_construct_no_indicators"
+          },
+          recommendation: "Review command for potential obfuscation or staged exfiltration.",
+          timestamp: event.timestamp,
+          decision: "allow"
+        };
+        await this.sentinel.logFinding(routingId, findingC);
+        event.metadata = {
+          ...event.metadata,
+          bashTokenPaths: allTokenPaths.join(","),
+          bashUnparseable: String(anyUnparseable),
+          bashHasDangerousConstruct: String(anyDangerousConstruct),
+          bashFindingSeverity: "MEDIUM",
+          bashFindingCategory: "bash_dangerous_construct_no_indicators"
+        };
+      } else if (anyUnparseable && !hasForbiddenIndicators) {
+        const findingD = {
+          severity: "MEDIUM",
+          kind: "informational",
+          type: "bash_analysis",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: "Bash command is unparseable (variable in path position) without forbidden indicators",
+          evidence: {
+            action: event.action,
+            target: event.primaryTarget,
+            timestamp: event.timestamp,
+            baselineComparison: "bash_unparseable_no_indicators"
+          },
+          recommendation: "Review command for potential obfuscation or staged exfiltration.",
+          timestamp: event.timestamp,
+          decision: "allow"
+        };
+        await this.sentinel.logFinding(routingId, findingD);
+        event.metadata = {
+          ...event.metadata,
+          bashTokenPaths: allTokenPaths.join(","),
+          bashUnparseable: String(anyUnparseable),
+          bashHasDangerousConstruct: String(anyDangerousConstruct),
+          bashFindingSeverity: "MEDIUM",
+          bashFindingCategory: "bash_unparseable_no_indicators"
+        };
+      }
+    }
+    const parsedPayload = payload;
+    const ccToolName = parsedPayload.tool_name;
+    if (ccToolName === "Grep") {
+      const toolInput = parsedPayload.tool_input ?? {};
+      const searchPath = typeof toolInput.path === "string" && toolInput.path.length > 0 ? toolInput.path : parsedPayload.cwd ?? ".";
+      const pathCheck = isPathItselfForbidden(searchPath, this.forbiddenPatterns);
+      if (pathCheck.forbidden) {
+        const finding2 = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Grep blocked: search path '${searchPath}' matches forbidden pattern ${pathCheck.matchedPatterns.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: searchPath,
+            timestamp: event.timestamp,
+            baselineComparison: "grep_path_itself_forbidden"
+          },
+          recommendation: "To read forbidden file contents, use Read with explicit approval. Other paths can be grepped normally.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding2);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding: finding2 });
+        this.sendJson(res, 200, response);
+        return;
+      }
+      const exclusions = buildGrepExclusions(this.forbiddenPatterns);
+      const updatedInput = buildModifiedGrepInput(toolInput, exclusions);
+      const finding = {
+        severity: "MEDIUM",
+        kind: "informational",
+        type: "unauthorized_target",
+        agentId: event.agentId,
+        agentName: event.agentName,
+        description: `Grep search modified: injected exclusions for forbidden patterns on path '${searchPath}'`,
+        evidence: {
+          action: event.action,
+          target: searchPath,
+          timestamp: event.timestamp,
+          baselineComparison: "grep_rewritten_for_exclusion"
+        },
+        recommendation: "Search was narrowed to exclude forbidden files. To search specific forbidden files, use Read with explicit approval.",
+        timestamp: event.timestamp,
+        decision: "modify",
+        modification: { type: "append_args", args: exclusions }
+      };
+      await this.sentinel.logFinding(routingId, finding);
+      this.telemetry.recordToolCall(event.action, "pre", "allowed", 0);
+      const ccTranslator = translator;
+      const excludedPatterns = this.forbiddenPatterns.join(", ");
+      const additionalContext = `Sentinel: this Grep search was modified to exclude forbidden paths. Excluded patterns: ${excludedPatterns}. To search specific forbidden files, use Read with explicit approval.`;
+      if (typeof ccTranslator.formatPreToolUseModifyResponse === "function") {
+        const response = ccTranslator.formatPreToolUseModifyResponse({
+          updatedInput,
+          additionalContext
+        });
+        this.sendJson(res, 200, response);
+      } else {
+        this.sendJson(res, 200, {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "allow",
+            updatedInput,
+            additionalContext
+          }
+        });
+      }
+      return;
+    }
+    if (ccToolName === "NotebookEdit" && event.targets && event.targets.length > 0) {
+      const allL2Hits = [];
+      for (let i = 0; i < event.targets.length; i++) {
+        const scanTarget = event.targets[i];
+        const isContentTarget = i >= 1;
+        const scan = isContentTarget ? scanContentForForbiddenBasenames(scanTarget, FORBIDDEN_BASENAMES) : scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
+        if (scan.matched) allL2Hits.push(...scan.hits);
+      }
+      if (allL2Hits.length > 0) {
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `NotebookEdit cell contains forbidden basename: ${allL2Hits.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: allL2Hits[0],
+            timestamp: event.timestamp,
+            baselineComparison: "credentials_exfil_attempt"
+          },
+          recommendation: "Review notebook cell source for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny"
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
+    }
+    if (ccToolName === "Glob") {
+      const toolInput = parsedPayload.tool_input ?? {};
+      const globPattern = typeof toolInput.pattern === "string" ? toolInput.pattern : "";
+      if (globPattern.length > 0) {
+        const scanResult = scanGlobPattern(globPattern, FORBIDDEN_BASENAMES);
+        if (scanResult.matched) {
+          const finding = {
+            severity: "HIGH",
+            kind: "actionable",
+            type: "unauthorized_target",
+            agentId: event.agentId,
+            agentName: event.agentName,
+            description: `Glob pattern references forbidden basename: ${scanResult.hits.join(", ")}`,
+            evidence: {
+              action: event.action,
+              target: globPattern,
+              timestamp: event.timestamp,
+              baselineComparison: "glob_forbidden_pattern"
+            },
+            recommendation: "Glob patterns must not target forbidden file types. Use a more specific pattern that excludes sensitive paths.",
+            timestamp: event.timestamp,
+            decision: "deny"
+          };
+          await this.sentinel.handleGatewayDeny(routingId, finding);
+          this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+          const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+          this.sendJson(res, 200, response);
+          return;
+        }
+      }
+    }
+    const start = Date.now();
+    try {
+      const result = await this.sentinel.wrap(routingId, event, async () => void 0);
+      const duration = Date.now() - start;
+      this.telemetry.recordToolCall(
+        event.action,
+        "pre",
+        result.blocked ? "blocked" : "allowed",
+        duration
+      );
+      const response = translator.formatPreToolUseResponse(result);
+      this.sendJson(res, 200, response);
+    } catch (err) {
+      console.error("[SENTINEL GATEWAY] wrap() error:", err);
+      const response = translator.formatPreToolUseResponse({ blocked: false });
+      this.sendJson(res, 200, response);
+    }
+  }
+  async handlePostToolUse(body, res, translator) {
+    let payload;
+    try {
+      payload = JSON.parse(body);
+    } catch {
+      this.sendJson(res, 400, { error: "invalid JSON" });
+      return;
+    }
+    const event = translator.translatePostToolUse(payload);
+    if (!event) {
+      this.sendJson(res, 400, { error: "unable to translate payload" });
+      return;
+    }
+    if (this.workspaceIsolation) {
+      const routed = await this.resolveBPathRouting(
+        event.metadata?.cwd,
+        event.action,
+        event.agentName,
+        "post"
+      );
+      if (!routed.ok) {
+        const response2 = translator.formatPostToolUseResponse();
+        this.sendJson(res, 200, response2);
+        return;
+      }
+      event.agentId = routed.agentId;
+    }
+    const start = Date.now();
+    try {
+      await this.sentinel.record(event);
+      const duration = Date.now() - start;
+      this.telemetry.recordToolCall(event.action, "post", "allowed", duration);
+    } catch (err) {
+      console.error("[SENTINEL GATEWAY] record() error:", err);
+    }
+    const response = translator.formatPostToolUseResponse();
+    this.sendJson(res, 200, response);
+  }
+  async handleSessionEnd(body, res, translator) {
+    let payload;
+    try {
+      payload = JSON.parse(body);
+    } catch {
+      this.sendJson(res, 400, { error: "invalid JSON" });
+      return;
+    }
+    const sessionInfo = translator.translateSessionEnd(payload);
+    let routingId = this.agentId;
+    if (this.workspaceIsolation) {
+      const routed = await this.resolveBPathRouting(
+        sessionInfo?.cwd,
+        "session_end",
+        this.agentId,
+        "session-end"
+      );
+      if (!routed.ok) {
+        const response2 = translator.formatSessionEndResponse();
+        this.sendJson(res, 200, response2);
+        return;
+      }
+      routingId = routed.agentId;
+    }
+    const start = Date.now();
+    await this.completeSessionSafe(routingId);
+    const duration = Date.now() - start;
+    this.telemetry.recordToolCall("session_end", "session-end", "allowed", duration);
+    const response = translator.formatSessionEndResponse();
+    this.sendJson(res, 200, response);
+  }
+  /**
+   * UserPromptSubmit handler (Sprint 23 P1 — automatic per-prompt intent
+   * capture). Fires once per prompt, BEFORE the turn's first PreToolUse (cc
+   * blocks on hook completion), and the hook AWAITS this response — so by the
+   * time cc proceeds to the first tool call, any declared intent is already
+   * stored and the first action IS checked against it.
+   *
+   * The intent is declared ONLY when the prompt has a leading `INTENT:` line
+   * (the opt-in convention). With no `INTENT:` line we no-op (sticky): the
+   * prior active task is left as-is, so a multi-turn session declares once at
+   * the top and holds it; a later `INTENT:` line supersedes via the existing
+   * IntentTracker auto-end+replace. We do NOT feed the whole prompt as the
+   * description (keyword extraction would be noisy).
+   *
+   * Declaration only. This endpoint never blocks a prompt and emits no
+   * permission decision; it reuses the existing per-workspace routing and the
+   * existing Sentinel.startTask. No block-ladder interaction whatsoever.
+   */
+  async handleUserPromptSubmit(body, res, translator) {
+    let payload;
+    try {
+      payload = JSON.parse(body);
+    } catch {
+      this.sendJson(res, 400, { error: "invalid JSON" });
+      return;
+    }
+    const info = translator.translateUserPromptSubmit?.(payload) ?? null;
+    if (!info) {
+      this.sendJson(res, 200, { ok: true, intentDeclared: false });
+      return;
+    }
+    const description = parseIntentLine(info.prompt);
+    const scopePatterns = parseScopeLine(info.prompt);
+    if (!description && !scopePatterns) {
+      this.sendJson(res, 200, { ok: true, intentDeclared: false });
+      return;
+    }
+    let routingId = this.agentId;
+    if (this.workspaceIsolation) {
+      const routed = await this.resolveBPathRouting(
+        info.cwd,
+        "tool_invocation",
+        this.agentId,
+        "pre"
+      );
+      if (!routed.ok) {
+        this.sendJson(res, 200, { ok: true, intentDeclared: false });
+        return;
+      }
+      routingId = routed.agentId;
+    }
+    const taskDescription = description ?? `scope: ${scopePatterns.join(" ")}`;
+    const taskId = `prompt-${info.sessionId ?? "session"}-${Date.now()}`;
+    const task = scopePatterns ? this.sentinel.startTask(routingId, taskId, taskDescription, { scopePatterns }) : this.sentinel.startTask(routingId, taskId, taskDescription);
+    this.sendJson(res, 200, {
+      ok: true,
+      intentDeclared: task !== null && description !== null,
+      scopeDeclared: task !== null && scopePatterns !== null,
+      scopePatterns: scopePatterns ?? void 0,
+      taskId
+    });
+  }
+  // -------------------------------------------------------------------------
+  // HTTP helpers (from webhookReceiver.ts patterns)
+  // -------------------------------------------------------------------------
+  readBody(req, res, onBody) {
+    let size = 0;
+    let exceeded = false;
+    const chunks = [];
+    req.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > MAX_BODY_SIZE) {
+        if (!exceeded) {
+          exceeded = true;
+          this.sendJson(res, 413, { error: "body too large" });
+          req.destroy();
+        }
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      if (exceeded) return;
+      onBody(Buffer.concat(chunks).toString("utf-8"));
+    });
+  }
+  sendJson(res, status, data) {
+    res.writeHead(status, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(data));
+  }
+};
+async function runGatewayDaemon({
+  policyPath,
+  port = DEFAULT_PORT
+}) {
+  const { Sentinel: SentinelClass } = await import("./Sentinel-JLQL3YRD.js");
+  const { writePidFile } = await import("./pidManager-ZYC7SICM.js");
+  const { homedir } = await import("os");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2 } = await import("./policyLoader-6KR5VFVV.js");
+  const sentinel = await SentinelClass.fromPolicy(policyPath);
+  const baseline = await sentinel.computeBaseline("claude-code");
+  sentinel.setBaseline("claude-code", baseline);
+  const operatorCeiling = policyToRole2(await loadPolicy2(policyPath));
+  const gateway = new SentinelGateway({
+    port,
+    sentinel,
+    // No translator passed — the constructor auto-wires the cc translator.
+    agentId: "claude-code",
+    workspaceIsolation: process.env.SENTINEL_WORKSPACE_ISOLATION !== "0",
+    operatorCeiling,
+    home: homedir()
+  });
+  await gateway.start();
+  writePidFile(homedir(), process.pid);
+  console.log(`[SENTINEL GATEWAY] PID ${process.pid} written`);
+}
+
+export {
+  SentinelGateway,
+  runGatewayDaemon
+};
+//# sourceMappingURL=chunk-Z3PWIJKT.js.map