@tuent/sentinel 0.1.0

package/dist/cli.js

@@ -0,0 +1,80 @@
+#!/usr/bin/env node
+import{runInitClaudeCode as le}from"./chunk-3U3PKD4N.js";import{AgentProfileManager as H,AlertManager as ce,AuditTrail as A,BaselineBuilder as k,CorrelationDetector as de,DeviationDetector as B,FileStorageBackend as ge,ProfileStore as ue,ReportGenerator as fe,Sentinel as C,SentinelRunner as pe,generateFleetReport as he}from"./chunk-QFRDEISP.js";import"./chunk-CUJKNIKT.js";import"./chunk-FMZWHT4M.js";import"./chunk-6MHWJATS.js";import{loadPolicy as me}from"./chunk-2FFMYSVC.js";import{getOrCreateKeyPair as M}from"./chunk-NUXSUSYY.js";import{join as u}from"path";import{homedir as m}from"os";import{readFile as E,writeFile as b,access as K,mkdir as W}from"fs/promises";function we(e){const o=new Date(e);if(isNaN(o.getTime()))return"unknown";const t=Date.now()-o.getTime();if(t<0)return"just now";const a=Math.floor(t/6e4);if(a<1)return"just now";if(a<60)return`${a} minute${a===1?"":"s"} ago`;const s=Math.floor(a/60);if(s<24)return`${s} hour${s===1?"":"s"} ago`;const r=Math.floor(s/24);if(r<14)return`${r} day${r===1?"":"s"} ago`;const d=Math.floor(r/7);if(r<60)return`${d} week${d===1?"":"s"} ago`;if(r>=365)return"over a year ago";const c=Math.floor(r/30);return`${c} month${c===1?"":"s"} ago`}function ye(e,o){const n=new Date(o),t=isNaN(n.getTime())?1/0:Math.floor((Date.now()-n.getTime())/864e5);return e<.3||t>30?"declining":e>.7&&t<7?"rising":"stable"}function $e(e){return e<.3?"inner":e<.65?"middle":"outer"}function U(e){if(e.length===0)return"No petals selected.";const o=new Map;for(const t of e)o.set(t.id,t.label);const n=[`Selected petals (${e.length}):
+`];for(const t of e){const a=$e(t.layer),s=t.isRichData?"":" [filler]";n.push(`- ${t.label}${s}`),n.push(`  Category: ${t.category}`),n.push(`  Layer zone: ${a} (${(t.layer*100).toFixed(0)}%)`),n.push(`  Openness: ${(t.openness*100).toFixed(0)}%`),n.push(`  Description: ${t.description}`),n.push(`  Last active: ${t.lastActive}`);const r=we(t.lastActive),d=t.weight!=null?ye(t.weight,t.lastActive):"stable";if(n.push(`  Temporal: Last active ${r} | Weight trend: ${d}`),t.source){const c={seed:"seed data",agent:"observed from activity",manual:"filesystem scan",diary:"personal diary entry",conversation:"created from conversation","agent-monitor":"monitored agent activity"};n.push(`  Source: ${c[t.source]??t.source}`)}if(t.weight!=null&&n.push(`  Weight: ${t.weight.toFixed(2)}`),t.connections.length>0){const c=t.connections.map(i=>o.get(i)??ve(i));n.push(`  Connections: ${c.join(", ")}`)}if(t.files&&t.files.length>0){const c=t.files.slice(0,10).map(i=>i.split("/").pop()??i);n.push(`  Key files: ${c.join(", ")}`)}if(t.fileContents&&t.fileContents.length>0){n.push("  File contents:");for(const c of t.fileContents)n.push(`  --- ${c.name} ---`),n.push(c.content.split(`
+`).map(i=>`  ${i}`).join(`
+`))}n.push("")}return n.join(`
+`)}function ve(e){return e.split("-").map(o=>o.charAt(0).toUpperCase()+o.slice(1)).join(" ")}function Ae(e){const o=[Ie(e.agentName,e.agentId,e.role),Se(e.baseline),De(e.e),Te(e.findings),Ce()],n=be(e.t);return n&&o.push(n),o.join(`
+
+`)}function Ie(e,o,n){const t=["=== Agent Identity ===",`Name: ${e}`,`ID: ${o}`];if(n){if(t.push(`Role: ${n.description}`),t.push(`Allowed actions: ${n.allowedActions.length>0?n.allowedActions.join(", "):"Not defined"}`),n.forbiddenTargetPatterns.length>0&&t.push(`Forbidden targets: ${n.forbiddenTargetPatterns.join(", ")}`),n.expectedSchedule){const a=[];n.expectedSchedule.activeHours&&a.push(`hours ${n.expectedSchedule.activeHours[0]}-${n.expectedSchedule.activeHours[1]}`),n.expectedSchedule.activeDays&&a.push(`days ${n.expectedSchedule.activeDays.join(", ")}`),a.length>0&&t.push(`Expected schedule: ${a.join("; ")}`)}}else t.push("No role definition \u2014 monitoring behavioral baseline only");return t.join(`
+`)}function Se(e){if(!e)return`=== Behavioral Baseline ===
+Not yet established. Insufficient data for baseline computation.`;const o=Object.entries(e.actionDistribution).map(([t,a])=>`${t}: ${a}%`).join(", ");return["=== Behavioral Baseline ===",`Period: ${e.periodDays} days`,`Total sessions: ${e.totalSessions}`,`Total events: ${e.totalEvents}`,`Average events per session: ${e.averageEventsPerSession}`,`Average session duration: ${e.averageSessionDurationMinutes} minutes`,`Typical active hours: ${e.typicalActiveHours[0]}-${e.typicalActiveHours[1]}`,`Typical active days: ${e.typicalActiveDays.length>0?e.typicalActiveDays.join(", "):"N/A"}`,`Action distribution: ${o||"N/A"}`,`Normal weight range: ${e.normalWeightRange[0].toFixed(2)}-${e.normalWeightRange[1].toFixed(2)}`,`Top targets: ${e.topTargets.length>0?e.topTargets.slice(0,10).join(", "):"N/A"}`].join(`
+`)}function De(e){const o=`=== Recent Activity (${e.length} sessions) ===`;return e.length===0?`${o}
+No recent activity recorded.`:`${o}
+${U(e)}`}function Te(e){const o="=== Security Findings ===";if(e.length===0)return`${o}
+No security findings detected. Agent behavior is within expected parameters.`;const n=[o];for(const t of e)n.push(`[${t.severity}] ${t.type}`),n.push(`  Description: ${t.description}`),n.push(`  Evidence: ${t.evidence.action} \u2192 ${t.evidence.target} at ${t.evidence.timestamp}`),t.evidence.baselineComparison&&n.push(`  Baseline comparison: ${t.evidence.baselineComparison}`),n.push(`  Recommendation: ${t.recommendation}`),n.push("");return n.join(`
+`)}function Ce(){return["=== Analysis Request ===","Based on the data above, provide:","1. OVERALL HEALTH ASSESSMENT: Is this agent operating normally?","2. RISK SUMMARY: What is the overall risk level?","3. FINDING REVIEW: For each finding, confirm or adjust its severity with reasoning.","4. RECOMMENDATIONS: Specific actions the owner should take.","5. MONITORING GUIDANCE: What patterns to watch for going forward."].join(`
+`)}function be(e){return!e||e.length===0?null:`=== Owner Context ===
+${U(e)}`}var f=process.argv.slice(2),p=y(f,"--agent"),G=y(f,"--name"),Re=y(f,"--role"),Me=f.includes("--create"),Ee=f.includes("--compute-baseline"),je=f.includes("--monitor"),Ne=f.includes("--init-config"),ke=f.includes("--init-policy"),Fe=f.includes("init")&&f.includes("claude-code"),xe=f.includes("--force"),_=y(f,"--from-policy"),Pe=f.includes("--report"),Le=f.includes("--report-all"),Oe=f.includes("--correlations"),qe=f.includes("--verify-audit"),He=f.includes("--enroll-manifest"),Be=f.includes("--recompute-stats"),Ke=f.includes("--health"),We=f.includes("--restrict"),Ue=f.includes("--quarantine"),Ge=f.includes("--release"),_e=f.includes("--status"),Je=f.includes("--start-task"),Qe=f.includes("--end-task"),Ve=f.includes("--intent-status"),ze=f.includes("--intent-report"),J=y(f,"--task-id"),Q=y(f,"--description"),V=y(f,"--relaxed-actions"),z=y(f,"--phases"),Y=y(f,"--reason"),F=y(f,"--quarantine"),x=y(f,"--quarantine-reason"),j=y(f,"--period"),X=y(f,"--format"),S=new H;function y(e,o){const n=e.find(a=>a.startsWith(o+"="));if(!n)return;const t=n.indexOf("=");return n.slice(t+1)}async function T(e,o){try{const n=await E(u(e,o,"mode.json"),"utf-8"),t=JSON.parse(n);return t.mode==="restricted"||t.mode==="quarantined"||t.mode==="normal"?t:{mode:"normal"}}catch{return{mode:"normal"}}}function Z(e){const o=["Agent","Score","Status","Mode","C/H/M/L","Last Event","Baseline"],n=e.map(i=>[i.agentId,String(i.score),i.status,i.mode,i.findings,i.lastEvent,i.baseline?"\u2713":"\u2717"]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),s=(i,l)=>i+" ".repeat(l-i.length),r=o.map((i,l)=>s(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>s(l,a[g])).join("  "));return[r,d,...c].join(`
+`)}function ee(e){const o=["Agent ID","Mode","Reason","Changed"],n=e.map(i=>[i.agentId,i.mode.toUpperCase(),i.reason,i.changed]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),s=(i,l)=>i+" ".repeat(l-i.length),r=o.map((i,l)=>s(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>s(l,a[g])).join("  "));return[r,d,...c].join(`
+`)}function te(e){const o=["Agent ID","Sessions","Last Active","Role","Baseline","Mode","Status"],n=e.map(i=>[i.agentId,String(i.sessions),i.lastActive,i.roleDefined?"\u2713":"\u2717",i.baselineDefined?"\u2713":"\u2717",i.mode??"normal",i.status]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),s=(i,l)=>i+" ".repeat(l-i.length),r=o.map((i,l)=>s(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>s(l,a[g])).join("  "));return[r,d,...c].join(`
+`)}function P(e,o){return e<10?"New":o.some(n=>n.severity==="HIGH"||n.severity==="CRITICAL")?"At Risk":o.some(n=>n.severity==="MEDIUM")?"Caution":"Healthy"}function L(e,o){const n=Date.now()-o*24*60*60*1e3;return e.filter(t=>new Date(t.lastActive).getTime()>=n)}function ne(e){return{id:e.id,label:e.label,category:e.category,description:e.description,layer:e.layer,lastActive:e.lastActive,openness:e.openness,connections:e.connections,isRichData:!0,source:e.source,core:e.core,sharable:e.sharable,weight:e.weight,files:e.files}}function O(e,o){const n=["Sentinel \u2014 Live Monitoring","\u2500".repeat(26)];for(const[t,a]of e){const s=(o.get(t)??"manual").toUpperCase(),r=a.getFindings(),d=r.filter(w=>w.severity==="HIGH"||w.severity==="CRITICAL").length,c=r.filter(w=>w.severity==="MEDIUM").length;let i=`${r.length} findings`;d>0?i=`${d} HIGH`:c>0&&(i=`${c} MEDIUM`);const l=P(a.sessionCount,r),g=t.padEnd(18),h=s.padEnd(5);n.push(`[${g}] ${h}| ${a.eventCount} events | ${a.sessionCount} sessions | ${i} | ${l}`)}return n.push(""),n.push("Press Ctrl+C to stop."),n.join(`
+`)}function oe(e){const o=["Monitoring stopped. Summary:"];for(const[n,t]of e){const a=t.getFindings();let s=`${a.length} findings`;if(a.length>0){const r={};for(const c of a)r[c.severity]=(r[c.severity]??0)+1;const d=Object.entries(r).map(([c,i])=>`${i} ${c}`);s=`${a.length} finding${a.length>1?"s":""} (${d.join(", ")})`}o.push(`- ${n}: ${t.eventCount} events, ${t.sessionCount} sessions, ${s}`)}return o.join(`
+`)}async function Ye(e,o){const n=u(m(),".dahlia","agents"),t=await T(n,e);if(t.mode==="quarantined"){console.log(`Agent ${e} is quarantined \u2014 cannot downgrade to restricted.`);return}const a=t.mode;await W(u(n,e),{recursive:!0}),await b(u(n,e,"mode.json"),JSON.stringify({mode:"restricted",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const s=await M(u(n,e)),r=new A(e,{logDir:u(n,e)});await r.open(),r.setSigningKey(s.privateKey,s.publicKey),await r.logModeChange("restricted",o,a),await r.close(),console.log(`Agent ${e} RESTRICTED: ${o}`)}async function Xe(e,o){const n=u(m(),".dahlia","agents"),a=(await T(n,e)).mode;await W(u(n,e),{recursive:!0}),await b(u(n,e,"mode.json"),JSON.stringify({mode:"quarantined",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const s=await M(u(n,e)),r=new A(e,{logDir:u(n,e)});await r.open(),r.setSigningKey(s.privateKey,s.publicKey),await r.logModeChange("quarantined",o,a),await r.close(),console.log(`Agent ${e} QUARANTINED: ${o}`)}async function Ze(e){const o=u(m(),".dahlia","agents"),n=await T(o,e);if(n.mode==="normal"){console.log(`Agent ${e} is already in normal mode.`);return}const t=n.mode;await b(u(o,e,"mode.json"),JSON.stringify({mode:"normal",reason:"manual release",timestamp:new Date().toISOString(),previousMode:t}),"utf-8");const a=await M(u(o,e)),s=new A(e,{logDir:u(o,e)});await s.open(),s.setSigningKey(a.privateKey,a.publicKey),await s.logModeChange("normal","manual release",t),await s.close(),console.log(`Agent ${e} RELEASED (was ${t})`)}async function et(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found.");return}const o=u(m(),".dahlia","agents"),n=[];for(const a of e){const s=await T(o,a);n.push({agentId:a,mode:s.mode,reason:s.reason??"-",changed:s.timestamp?s.timestamp.split("T")[0]:"-"})}console.log(`Agent Mode Status
+`),console.log(ee(n));const t=n.filter(a=>a.mode!=="normal");if(t.length>0){console.log("");for(const a of t){const s=a.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${a.agentId}: ${s}`)}}}async function tt(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found. Create one with --create --agent=ID --name=NAME");return}const o=[];for(const t of e)try{const r=(await S.loadAgentProfile(t)).build().filter(I=>I.source==="agent-monitor"),d=r.length,c=r.length>0?r.map(I=>I.lastActive).sort().reverse()[0].split("T")[0]:"never",l=await new k(t).loadBaseline(t),g=await S.loadRole(t),h=[];if(l){const I=L(r,7),N=new B(l,g);for(const $ of I){const D={label:$.label,category:$.category,lastActive:$.lastActive,description:$.description,weight:$.weight,source:$.source,files:$.files,connections:$.connections};h.push(...N.analyzeSession(D))}}const w=u(m(),".dahlia","agents"),R=await T(w,t);o.push({agentId:t,sessions:d,lastActive:c,roleDefined:g!==null,baselineDefined:l!==null,status:P(d,h),mode:R.mode})}catch(a){console.warn(`Error loading agent ${t}:`,a),o.push({agentId:t,sessions:0,lastActive:"error",roleDefined:!1,baselineDefined:!1,status:"Error",mode:"normal"})}const n=o.filter(t=>t.mode&&t.mode!=="normal");if(n.length>0){for(const t of n){const a=t.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${t.agentId}: ${a}`)}console.log("")}console.log(`Sentinel Agent Overview
+`),console.log(te(o))}async function nt(e){const o=await S.loadAgentProfile(e),n=await S.loadRole(e),a=await new k(e).loadBaseline(e),r=o.build().filter(D=>D.source==="agent-monitor"),d=L(r,7),c=d.map(ne),i=[];if(a){const D=new B(a,n);for(const v of d){const re={label:v.label,category:v.category,lastActive:v.lastActive,description:v.description,weight:v.weight,source:v.source,files:v.files,connections:v.connections};i.push(...D.analyzeSession(re))}}const l=u(m(),".dahlia","profile.json"),g=new ge(l),h=new ue({backend:g});let w=[];await h.load()&&(w=h.build().filter(v=>v.core===!0).map(ne));const I=Ae({agentId:e,agentName:e,role:n,baseline:a,e:c,findings:i,t:w}),N=new Date().toISOString().split("T")[0],$=`Sentinel Agent Report \u2014 ${e} \u2014 ${d.length} recent sessions \u2014 generated ${N}
+
+`;process.stdout.write($+I)}async function ot(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=new k(e),a=await t.computeBaseline(n);await n.close(),await t.saveBaseline(a),console.log(`Baseline computed for agent: ${e}`),console.log(`  Sessions: ${a.totalSessions}`),console.log(`  Period: ${a.periodDays} days`),console.log("  Action distribution:");for(const[s,r]of Object.entries(a.actionDistribution))console.log(`    ${s}: ${r}%`);console.log(`  Saved to: ~/.dahlia/agents/${e}/baseline.json`)}async function at(e,o,n){let t;if(n){let a;try{a=await E(n,"utf-8")}catch(s){console.error(`Failed to read role file "${n}":`,s);return}try{t=JSON.parse(a)}catch(s){console.error(`Invalid JSON in role file "${n}":`,s.message);return}}await S.createAgent(e,o,t),console.log(`Agent created: ${e} (${o})`),t&&console.log(`  Role loaded from: ${n}`)}async function st(){const e=u(m(),".dahlia","sentinel.json");try{await K(e),console.log(`Config already exists at ${e}`);return}catch{}await b(e,JSON.stringify({agents:[{agentId:"example-agent",name:"Example Agent",adapterType:"log",logPath:"/path/to/agent/activity.log",logFormat:"json-lines",roleDefinitionPath:"~/.dahlia/agents/example-agent/role.json"}],baselineWindowDays:30},null,2)+`
+`),console.log("Template config created at ~/.dahlia/sentinel.json \u2014 edit it with your agent details then run: npm run sentinel -- --monitor")}async function q(){const e=u(m(),".dahlia","sentinel.json");try{const o=await E(e,"utf-8");return JSON.parse(o)}catch(o){if(o.code==="ENOENT")return null;if(o instanceof SyntaxError)return console.error(`Invalid JSON in sentinel config: ${o.message}`),null;throw o}}async function it(e){const o=await q();if(!o){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config to add agents. See docs for config format.");return}let n=o.agents;if(e&&(n=n.filter(l=>l.agentId===e),n.length===0)){console.log(`Agent "${e}" not found in sentinel.json`);return}const t=new Map,a=new Map,s=l=>l&&l.startsWith("~/")?m()+l.slice(1):l;let r;if(o.alerts){const l={...o.alerts.minSeverity&&{minSeverity:o.alerts.minSeverity},...o.alerts.dedupeWindowMs!==void 0&&{dedupeWindowMs:o.alerts.dedupeWindowMs},...o.alerts.quietHoursEnabled!==void 0&&{quietHoursEnabled:o.alerts.quietHoursEnabled},...o.alerts.quietHours&&{quietHours:o.alerts.quietHours},...o.alerts.channels&&{channels:o.alerts.channels}};r=new ce(l)}for(const l of n)try{const g=new pe(l.agentId,void 0,{type:l.adapterType,logPath:s(l.logPath),logFormat:l.logFormat,fieldMapping:l.fieldMapping,mcpLogDir:s(l.mcpLogDir),webhookPort:l.webhookPort,webhookApiKey:l.webhookApiKey,readExisting:l.readExisting});g.setAuditLogDir(u(m(),".dahlia","agents",l.agentId)),g.setFindingCallback(h=>{(h.severity==="HIGH"||h.severity==="CRITICAL")&&console.log(`
+\u26A0 [${h.agentId}] ${h.severity}: ${h.description}`)}),r&&g.setAlertManager(r),await g.start(),t.set(l.agentId,g),a.set(l.agentId,l.adapterType)}catch(g){console.error(`Failed to start monitoring for agent ${l.agentId}:`,g)}console.log(O(t,a));const d=setInterval(()=>{console.clear(),console.log(O(t,a))},5e3),c=async()=>{clearInterval(d);for(const[l,g]of t)try{await g.stop()}catch(h){console.warn(`Error stopping runner ${l}:`,h)}console.log(`
+`+oe(t)),process.exit(0)},i=()=>{c().catch(l=>{console.error("Error during shutdown:",l),process.exit(1)})};process.on("SIGINT",i),process.on("SIGTERM",i)}async function rt(e,o,n){const a=await new fe(e).generateReport({periodDays:o,format:n});process.stdout.write(a)}async function lt(e,o){const n=await he({periodDays:e,format:o});process.stdout.write(n)}async function ct(){const e=await q();if(!e){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config.");return}const o=u(m(),".dahlia","agents"),n=new Map;try{for(const s of e.agents){const r=new A(s.agentId,{logDir:u(o,s.agentId)});await r.open(),n.set(s.agentId,r)}const a=await new de().detect(n);if(a.length===0){console.log("No cross-agent correlations detected.");return}console.log(`Found ${a.length} cross-agent correlation(s):
+`);for(const s of a)console.log(`[${s.severity}] ${s.rule}`),console.log(`  Agent A: ${s.agentA.agentId} \u2014 ${s.agentA.action} on ${s.agentA.target}`),console.log(`  Agent B: ${s.agentB.agentId} \u2014 ${s.agentB.action} on ${s.agentB.target}`),console.log(`  Time delta: ${Math.round(s.timeDeltaMs/1e3)}s`),console.log(`  Recommendation: ${s.recommendation}`),console.log("")}finally{for(const t of n.values())await t.close()}}async function dt(e){const o=u(m(),".dahlia","agents"),n=u(o,e,"cumulative-stats.json");let t="(none)";try{t=JSON.parse(await E(n,"utf-8")).totalEntries}catch{}const s=await new A(e,{logDir:u(o,e)}).recomputeCumulativeStats();console.log(`Recomputed cumulative-stats for ${e}:`),console.log(`  totalEntries: ${t} \u2192 ${s.totalEntries}`),console.log(`  scope: ${s.countScope}`),console.log("  (Read-only over the signed trail; only cumulative-stats.json rewritten.)")}async function gt(e){const o=u(m(),".dahlia","agents"),n=u(o,e),t=await M(n),a=new A(e,{logDir:n});a.setSigningKey(t.privateKey,t.publicKey);const s=F&&x?[{file:F,reason:x}]:void 0,r=await a.enrollManifest(s?{quarantine:s}:void 0);console.log(`Manifest enrolled for ${e}: ${r.records} file record(s) signed + chained`+(r.quarantined?`, ${r.quarantined} quarantine record(s)`:"")+"."),s&&console.log(`  Quarantined: ${F} \u2014 ${x}`),console.log("  (Read-only over audit entries; protects from enrollment forward.)")}async function ut(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.verify();if(t.valid?console.log(`Audit trail for ${e}: VALID (${t.totalEntries} entries verified)`):t.brokenAt!==void 0?console.log(`Audit trail for ${e}: BROKEN at entry ${t.brokenAt} (${t.totalEntries} entries checked)`):console.log(`Audit trail for ${e}: INVALID \u2014 file-level manifest integrity failure (${t.totalEntries} entries chain-verified)`),t.manifest){const s=t.manifest;console.log(`  Manifest: ${s.recordCount} file record(s) \u2014 ${s.ok?"OK":`${s.issues.length} issue(s)`}`);for(const r of s.issues)console.log(`    [${r.type}] ${r.detail}`);for(const r of s.quarantined)console.log(`    [QUARANTINED] ${r.file} \u2014 ${r.reason} (retained on disk, excluded from verdict)`)}const a=await n.query({type:"finding",limit:1e4});if(a.length>0){let s=0,r=0,d=0;for(const i of a){const l=i.decision;l==="deny"?r++:l==="modify"?d++:s++}console.log(`  Findings: ${a.length} total \u2014 ${s} allowed, ${r} denied, ${d} modified`);const c=a.slice(0,5);for(const i of c){const l=i,g=l.decision,h=l.modification,w=l.description,R=l._decisionDefaulted===!0;g==="modify"&&h?.type==="append_args"?console.log(`    [modified] ${w} \u2014 appended args: [${h.args.join(", ")}]`):console.log(g==="deny"?`    [denied] ${w}`:R?`    [allowed (legacy)] ${w}`:`    [allowed] ${w}`)}}await n.close()}async function ft(){const e=u(m(),".dahlia","agents"),o=new C({agentsDir:e}),t=await new H(e).listAgents();if(t.length===0){console.log("No monitored agents found."),await o.stop();return}const a=[];for(const s of t){const r=await o.getHealthScore(s);a.push({agentId:s,score:r.score,status:r.status,mode:r.mode,findings:`${r.findings.critical}/${r.findings.high}/${r.findings.medium}/${r.findings.low}`,lastEvent:r.lastEvent?r.lastEvent.split("T")[0]:"-",baseline:r.baselineEstablished})}await o.stop(),console.log(`Agent Health Dashboard
+`),console.log(Z(a))}var ae=`# Sentinel \u2014 Agent Security Policy
+version: "1.0"
+
+agent:
+  id: my-agent              # unique agent identifier
+  name: My AI Agent          # human-readable name
+  # description: optional
+
+policy:
+  allow:
+    actions:                 # what the agent can do
+      - file_read
+      - file_write
+      - api_call
+      - tool_invocation
+    targets:                 # allowed target patterns
+      - "src/**"
+      - "docs/**"
+  forbid:
+    targets:                 # always denied
+      - "**/.env"
+      - "**/.ssh/**"
+      - "**/.aws/**"
+      - "/etc/**"
+      - "**/secrets/**"
+  # schedule:
+  #   hours: [9, 18]
+  #   days: [Monday, Tuesday, Wednesday, Thursday, Friday]
+  # limits:
+  #   maxEventsPerHour: 500
+
+# enforcement:
+#   restrictAfter: 2
+#   quarantineAfter: 3
+#   approvalRequired: false
+
+# alerts:
+#   channels: [console]
+#   minSeverity: MEDIUM
+
+# repo:
+#   repoRoot: .                        # scan this directory for sensitive files
+#   mapPath: ~/.dahlia/repo-sensitivity.json
+#   overlayPath: ~/.dahlia/repo-sensitivity.review.json
+`;async function se(){const e=u(process.cwd(),".sentinel.yaml");try{await K(e),console.log(`.sentinel.yaml already exists in ${process.cwd()}`);return}catch{}await b(e,ae,"utf-8"),console.log("Created .sentinel.yaml \u2014 edit then run: npm run sentinel -- --from-policy .sentinel.yaml")}async function ie(e){const o=await me(e),n=await C.fromPolicy(e);console.log(`Loaded policy for agent ${o.agent.id}. Monitoring active.`);const t=async()=>{await n.stop(),console.log("Monitoring stopped."),process.exit(0)},a=()=>{t().catch(s=>{console.error("Error during shutdown:",s),process.exit(1)})};process.on("SIGINT",a),process.on("SIGTERM",a)}async function pt(e,o,n){const t=u(m(),".dahlia","agents"),a=new C({agentsDir:t});await a.addAgent(e,e);const s=V?V.split(","):void 0,r=z?z.split(",").map(c=>c.trim()):void 0,d=a.startTask(e,o,n,{relaxedActions:s,phases:r});if(!d){console.log(`Failed to start task for agent ${e}.`),await a.stop();return}console.log(`Task started for agent ${e}:`),console.log(`  Task ID:     ${d.taskId}`),console.log(`  Description: ${d.description}`),console.log(`  Keywords:    ${d.keywords.join(", ")}`),d.relaxedActions?.length&&console.log(`  Relaxed:     ${d.relaxedActions.join(", ")}`),d.phases?.length&&console.log(`  Phases:      ${d.phases.join(", ")}`),console.log(`  TTL:         ${(d.ttlMs/6e4).toFixed(0)} minutes`),await a.stop()}async function ht(e){const o=u(m(),".dahlia","agents"),n=new C({agentsDir:o});await n.addAgent(e,e);const t=n.endTask(e);t?(console.log(`Task ended for agent ${e}:`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Status:      ${t.status}`)):console.log(`No active task found for agent ${e}.`),await n.stop()}async function mt(e){const o=u(m(),".dahlia","agents"),n=new C({agentsDir:o});await n.addAgent(e,e);const t=n.getActiveTask(e);if(!t){console.log(`No active task for agent ${e}.`),await n.stop();return}const a=Date.now()-new Date(t.startedAt).getTime(),s=t.ttlMs-a;console.log(`Active task for agent ${e}:
+`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Keywords:    ${t.keywords.join(", ")}`),console.log(`  Status:      ${t.status}`),console.log(`  Active for:  ${(a/6e4).toFixed(1)} minutes`),console.log(`  TTL remain:  ${s>0?(s/6e4).toFixed(1)+" minutes":"EXPIRED"}`),t.relaxedActions?.length&&console.log(`  Relaxed:     ${t.relaxedActions.join(", ")}`),t.phases?.length&&console.log(`  Phases:      ${t.phases.join(", ")}`),t.acceptableActions.length>0&&console.log(`  Acceptable:  ${t.acceptableActions.map(r=>`${r.action}:${r.targetPattern}`).join(", ")}`),await n.stop()}async function wt(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.getStats(),a=await n.query({type:"intent_check"}),r=(await n.query({type:"finding"})).filter(c=>typeof c.data=="object"&&c.data!==null&&"type"in c.data&&c.data.type==="intent_drift");console.log(`Intent Alignment Report \u2014 ${e}
+`),console.log(`  Intent starts:  ${t.intentStartCount}`),console.log(`  Intent ends:    ${t.intentEndCount}`),console.log(`  Intent checks:  ${t.intentCheckCount}`),console.log(`  Drift findings: ${t.intentDriftCount}`),t.averageAlignmentScore!==null&&console.log(`  Avg alignment:  ${t.averageAlignmentScore.toFixed(2)}`);const d=a.filter(c=>{const i=c.data;return i&&typeof i=="object"&&"aligned"in i&&!i.aligned}).slice(-5);if(d.length>0){console.log(`
+  Last ${d.length} misaligned action(s):`);for(const c of d){const i=c.data,l=typeof i.score=="number"?i.score.toFixed(2):"?",g=i.event,h=g?.action??"?",w=g?.primaryTarget??g?.targets?.[0]??g?.target??"?";console.log(`    score: ${l}  ${h} \u2192 ${w}  (${c.timestamp.split("T")[0]})`)}}if(r.length>0){console.log(`
+  Recent drift findings: ${r.length}`);for(const c of r.slice(-3)){const i=c.data,l=i.severity??"?",g=i.description??"";console.log(`    [${l}] ${typeof g=="string"?g.slice(0,80):g}`)}}await n.close()}async function yt(e,o){try{const n=await le({force:e,port:o});if(n.created.length>0){console.log("Created:");for(const t of n.created)console.log(`  ${t}`)}if(n.skipped.length>0){console.log("Skipped (already exists \u2014 use --force to overwrite):");for(const t of n.skipped)console.log(`  ${t}`)}if(n.merged.length>0){console.log("Merged:");for(const t of n.merged)console.log(`  ${t}`)}if(n.errors.length>0){console.log("Errors:");for(const t of n.errors)console.log(`  ${t}`)}n.errors.length===0&&console.log(`
+Sentinel + Claude Code integration ready.`)}catch(n){console.error(`Init failed: ${n.message}`),process.exit(1)}}if(Fe){const e=y(f,"--port");await yt(xe,e?parseInt(e,10):void 0)}else if(Je&&p&&J&&Q)await pt(p,J,Q);else if(Qe&&p)await ht(p);else if(Ve&&p)await mt(p);else if(ze&&p)await wt(p);else if(ke)await se();else if(_)await ie(_);else if(He&&p)await gt(p);else if(Be&&p)await dt(p);else if(qe&&p)await ut(p);else if(Ke)await ft();else if(We&&p)await Ye(p,Y??"No reason provided");else if(Ue&&p)await Xe(p,Y??"No reason provided");else if(Ge&&p)await Ze(p);else if(_e)await et();else if(Ne)await st();else if(je)await it(p);else if(Me&&p&&G)await at(p,G,Re);else if(Ee&&p)await ot(p);else if(Le){const e=j?parseInt(j,10):30;await lt(e,X==="json"?"json":"markdown")}else if(Pe&&p){const e=j?parseInt(j,10):30;await rt(p,e,X==="json"?"json":"markdown")}else Oe?await ct():p?await nt(p):await tt();

package/dist/gateway/index.d.ts

@@ -0,0 +1,241 @@
+import { v as Sentinel, e as AgentRole, S as SecurityFinding } from '../Sentinel-B_sv8Kiy.js';
+import 'node:crypto';
+
+/**
+ * Sentinel Gateway — HTTP server for Claude Code hook integration.
+ *
+ * Endpoints:
+ *   POST /api/sentinel/pre-tool-use/:agentType
+ *   POST /api/sentinel/post-tool-use/:agentType
+ *   POST /api/sentinel/session-end/:agentType
+ *   GET  /api/sentinel/telemetry
+ *   GET  /api/sentinel/health
+ *
+ * Lifecycle:
+ *   - Primary session end: SessionEnd hook → completeSession()
+ *   - Fallback: SIGTERM/SIGINT → completeSession() → clean exit
+ *
+ * Follows patterns from webhookReceiver.ts:
+ *   port 0 for tests, .once("error"), 1MB body limit.
+ */
+
+interface SentinelGatewayOptions {
+    port?: number;
+    sentinel: Sentinel;
+    /** Agent ID used for sentinel.wrap() / sentinel.completeSession() calls. */
+    agentId: string;
+    /**
+     * Forbidden target patterns for Bash L1 path-token checking.
+     * Defaults to standard Sentinel forbidden patterns if not provided.
+     */
+    forbiddenPatterns?: string[];
+    /**
+     * Workspace-isolation gate (Approach B). When true, the gateway runs the
+     * per-workspace B-path: derive identity per request, lazily create a
+     * per-workspace runner with a merged role, route by the derived id, run the
+     * idle sweep. The daemon/CLI sets this ON by default (B5b-Phase-2 cutover);
+     * an operator can force the single-global-workspace escape hatch with
+     * SENTINEL_WORKSPACE_ISOLATION=0. The SentinelGateway constructor's own
+     * library-level default (this field unset, env unset) stays FALSE for
+     * programmatic callers/tests. With it OFF the daemon serves one global
+     * workspace; Approach A's foreign-workspace refusal has been retired, so a
+     * foreign request in that mode is served as global rather than refused.
+     */
+    workspaceIsolation?: boolean;
+    /**
+     * Operator ceiling role (the daemon's launch --policy role), merged with each
+     * workspace's narrowing yaml via B1. Required for the B-path; unused gate-off.
+     */
+    operatorCeiling?: AgentRole;
+    /** Home dir bounding workspace policy discovery (B-path only). Defaults to os.homedir(). */
+    home?: string;
+}
+declare class SentinelGateway {
+    private readonly configuredPort;
+    private readonly sentinel;
+    private readonly registry;
+    private readonly agentId;
+    private readonly telemetry;
+    private readonly forbiddenPatterns;
+    /** B5a gate (default off). True → per-workspace B-path; false → today's behavior. */
+    private readonly workspaceIsolation;
+    private readonly operatorCeiling;
+    private readonly home;
+    private server;
+    private running;
+    private signalHandlersInstalled;
+    private boundSigterm;
+    private boundSigint;
+    constructor(options: SentinelGatewayOptions);
+    get port(): number;
+    isRunning(): boolean;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    /**
+     * Session completion. Safe to call multiple times — idempotency is provided
+     * by classifier.flush() returning null when no events have accumulated
+     * (runner.ts completeSession L612-613). Supports multi-session gateway
+     * lifetimes: each cc session's events flush independently.
+     */
+    completeSessionSafe(routingId?: string): Promise<void>;
+    /**
+     * B5b-Phase-2: complete EVERY active session on shutdown, not just the global
+     * identity. Under workspace isolation each workspace runs its own runner with
+     * its own session + audit trail; a clean SIGTERM/SIGINT must flush each one,
+     * otherwise a workspace's tail events are lost on daemon shutdown. The global
+     * agentId is always included (it is the only runner gate-off, so this reduces
+     * to today's single completeSession in the escape-hatch case). Per-id failures
+     * are swallowed by completeSessionSafe so one bad runner can't strand the rest;
+     * completeSession is idempotent (flush() returns null with nothing queued).
+     */
+    completeAllSessionsSafe(): Promise<void>;
+    private installSignalHandlers;
+    private removeSignalHandlers;
+    private handleSignal;
+    private handleRequest;
+    /**
+     * Emit a workspace-mismatch refusal as a finding + telemetry. Originally
+     * Approach A's foreign-refuse emitter; after the B5b-Phase-2 cutover this is
+     * reused by the B-path (resolveBPathRouting) for the no-cwd / unresolvable-
+     * workspace FAIL-CLOSED case — a request whose originating workspace cannot be
+     * resolved is still refused (correct fail-closed), even though foreign-but-
+     * resolvable workspaces are now SERVED.
+     *
+     * The finding's type is `workspace_mismatch`, which is NOT in
+     * `ESCALATION_ELIGIBLE_TYPES` — so `getEffectiveBlockCount` / `maybeEscalate`
+     * never count it, by design. This is the honest mechanism: a workspace
+     * mismatch is a ROUTING error (request from a different workspace than this
+     * daemon serves), not the served agent's misbehavior, so it denies the action
+     * but does not move the served agent's escalation ladder. Escalation-
+     * ineligibility is a consequence of what the finding IS, not a borrowed
+     * ineligible type. (An earlier version typed this `unauthorized_target`, which
+     * IS escalation-eligible; the audit-log-derived count then pulled foreign-
+     * workspace refusals into the shared ladder and collaterally quarantined the
+     * legitimate session — the bug this fix closes.)
+     *
+     * Emitted via logFinding() (not handleGatewayDeny()), matching the gateway's
+     * other non-eligible findings — e.g. the L3 case C/D `bash_analysis` records,
+     * which also use logFinding(). handleGatewayDeny() is reserved for the
+     * escalation-eligible deny paths (L1/L2/etc.).
+     */
+    private logWorkspaceMismatch;
+    /**
+     * Approach B / B5a — resolve a request to its per-workspace routing identity.
+     * Returns the derived agentId (used for BOTH routing and the event label) after
+     * lazily ensuring the workspace's runner exists with its merged role. Returns
+     * null and sends a fail-closed refusal when the workspace is unresolvable
+     * (no/empty cwd) — reusing the workspace_mismatch finding type. Only called
+     * when the isolation gate is ON.
+     */
+    private resolveBPathRouting;
+    private handlePreToolUse;
+    private handlePostToolUse;
+    private handleSessionEnd;
+    /**
+     * UserPromptSubmit handler (Sprint 23 P1 — automatic per-prompt intent
+     * capture). Fires once per prompt, BEFORE the turn's first PreToolUse (cc
+     * blocks on hook completion), and the hook AWAITS this response — so by the
+     * time cc proceeds to the first tool call, any declared intent is already
+     * stored and the first action IS checked against it.
+     *
+     * The intent is declared ONLY when the prompt has a leading `INTENT:` line
+     * (the opt-in convention). With no `INTENT:` line we no-op (sticky): the
+     * prior active task is left as-is, so a multi-turn session declares once at
+     * the top and holds it; a later `INTENT:` line supersedes via the existing
+     * IntentTracker auto-end+replace. We do NOT feed the whole prompt as the
+     * description (keyword extraction would be noisy).
+     *
+     * Declaration only. This endpoint never blocks a prompt and emits no
+     * permission decision; it reuses the existing per-workspace routing and the
+     * existing Sentinel.startTask. No block-ladder interaction whatsoever.
+     */
+    private handleUserPromptSubmit;
+    private readBody;
+    private sendJson;
+}
+
+/**
+ * Gateway types for the Sentinel + Claude Code integration.
+ *
+ * Written from scratch — does NOT import from @anthropic/claude-code.
+ * Payload types derived from https://code.claude.com/docs/en/hooks (verified May 2026).
+ */
+
+interface GatewayConfig {
+    port: number;
+    policyPath: string;
+}
+interface SessionEndInfo {
+    sessionId?: string;
+    cwd?: string;
+    reason?: string;
+}
+interface WrapResult {
+    blocked: boolean;
+    finding?: SecurityFinding;
+}
+type ToolDecision = "allowed" | "blocked";
+/** Common fields present in all cc hook payloads. */
+interface CcHookCommonFields {
+    session_id: string;
+    transcript_path?: string;
+    cwd: string;
+    permission_mode?: string;
+    hook_event_name?: string;
+    /** cc effort level — typed but ignored by Sprint 5 translator. */
+    effort?: {
+        level: "low" | "medium" | "high" | "xhigh" | "max";
+    };
+    /** Present for subagent tool calls — propagated to audit metadata as of Sprint 6c. */
+    agent_id?: string;
+    /** Present for subagent tool calls — propagated to audit metadata as of Sprint 6c. */
+    agent_type?: string;
+}
+/** PreToolUse hook input from Claude Code. */
+interface CcPreToolUsePayload extends CcHookCommonFields {
+    tool_name: string;
+    tool_input: Record<string, unknown>;
+    tool_use_id?: string;
+}
+/** PostToolUse hook input from Claude Code. */
+interface CcPostToolUsePayload extends CcHookCommonFields {
+    tool_name: string;
+    tool_input: Record<string, unknown>;
+    tool_use_id?: string;
+    tool_response?: unknown;
+}
+/** SessionStart hook input from Claude Code. */
+type CcSessionStartPayload = CcHookCommonFields;
+/** SessionEnd hook input from Claude Code. */
+type CcSessionEndPayload = CcHookCommonFields;
+/**
+ * Full permission decision enum from cc docs.
+ * Sprint 5 translator only emits "allow" and "deny".
+ * TODO: "ask" and "defer" are Sprint 6 product decisions
+ * (MEDIUM-finding triage UX).
+ */
+type CcPermissionDecision = "allow" | "deny" | "ask" | "defer";
+/** PreToolUse hook response to Claude Code. */
+interface CcPreToolUseResponse {
+    hookSpecificOutput: {
+        hookEventName: "PreToolUse";
+        permissionDecision: CcPermissionDecision;
+        permissionDecisionReason?: string;
+        /** Input modification — Sprint 6 product decision. */
+        updatedInput?: Record<string, unknown>;
+        /** Additional context injected into Claude's context. */
+        additionalContext?: string;
+    };
+}
+/** PostToolUse hook response to Claude Code (no decision field). */
+interface CcPostToolUseResponse {
+    hookSpecificOutput: {
+        hookEventName: "PostToolUse";
+    };
+}
+/** SessionEnd hook response to Claude Code (no decision field). */
+interface CcSessionEndResponse {
+    hookSpecificOutput: Record<string, never>;
+}
+
+export { type CcHookCommonFields, type CcPermissionDecision, type CcPostToolUsePayload, type CcPostToolUseResponse, type CcPreToolUsePayload, type CcPreToolUseResponse, type CcSessionEndPayload, type CcSessionEndResponse, type CcSessionStartPayload, type GatewayConfig, SentinelGateway, type SentinelGatewayOptions, type SessionEndInfo, type ToolDecision, type WrapResult };

package/dist/gateway/index.js

@@ -0,0 +1,10 @@
+import {
+  SentinelGateway
+} from "../chunk-Z3PWIJKT.js";
+import "../chunk-FMZWHT4M.js";
+import "../chunk-6MHWJATS.js";
+import "../chunk-2FFMYSVC.js";
+export {
+  SentinelGateway
+};
+//# sourceMappingURL=index.js.map

package/dist/gatewayDaemon.js

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+import {
+  runGatewayDaemon
+} from "./chunk-Z3PWIJKT.js";
+import "./chunk-FMZWHT4M.js";
+import "./chunk-6MHWJATS.js";
+import "./chunk-2FFMYSVC.js";
+
+// src/gatewayDaemon.ts
+var args = process.argv.slice(2);
+var policyPath;
+var port;
+for (let i = 0; i < args.length; i++) {
+  if (args[i] === "--policy" && args[i + 1]) policyPath = args[++i];
+  else if (args[i] === "--port" && args[i + 1]) port = parseInt(args[++i], 10);
+}
+if (!policyPath) {
+  console.error("[SENTINEL GATEWAY] --policy <path> is required");
+  process.exit(1);
+}
+runGatewayDaemon({ policyPath, port }).catch((err) => {
+  console.error("[SENTINEL GATEWAY] Fatal:", err);
+  process.exit(1);
+});
+//# sourceMappingURL=gatewayDaemon.js.map

package/dist/index.d.ts

@@ -0,0 +1,141 @@
+import { A as AgentActivityEvent, S as SecurityFinding } from './Sentinel-B_sv8Kiy.js';
+export { a as AcceptableAction, b as AdapterConfig, c as AgentBaseline, d as AgentMode, e as AgentRole, f as AlertChannel, g as AlertConfig, h as AllowResponse, i as AuditEntry, j as AuditQueryOptions, B as BlockResponse, C as CorrelationFinding, E as ExceptionApprovalContext, k as ExceptionApprovalFn, G as GuideResponse, H as HookCheckpoint, l as HookContext, m as HookHandler, n as HookRegistration, o as HookResponse, I as IntentAlignmentConfig, p as IntentAlignmentResult, M as ModifiableEventFields, q as MonitorOptions, O as OverlayDecisionType, R as RepoSensitivityMap, r as ReportOptions, s as RoleException, t as SecuritySeverity, u as SensitivityOverlay, v as Sentinel, w as SentinelConfig, T as TaskIntent } from './Sentinel-B_sv8Kiy.js';
+import 'node:crypto';
+
+interface SentinelPolicy {
+    version: "1.0";
+    agent: {
+        id: string;
+        name: string;
+        description?: string;
+    };
+    policy: {
+        allow: {
+            actions: string[];
+            targets: string[];
+            /**
+             * Host allowlist for network_request targets (Sprint 6b W3c).
+             * Entries are normalized on load: lowercased, trimmed, trailing dots stripped.
+             * Entries containing whitespace, slashes, or colons are rejected.
+             */
+            networkHosts?: string[];
+        };
+        forbid: {
+            targets: string[];
+        };
+        exceptions?: {
+            target: string;
+            allowedActions: string[];
+            requiresTask?: string;
+            requiresApproval?: boolean;
+            expiresAfter?: number;
+            downgradeKindTo?: "informational" | "actionable";
+        }[];
+        schedule?: {
+            hours: [number, number];
+            days?: string[];
+        };
+        limits?: {
+            maxEventsPerHour?: number;
+            maxSessionDuration?: number;
+        };
+    };
+    enforcement?: {
+        restrictAfter?: number;
+        quarantineAfter?: number;
+        approvalRequired?: boolean;
+        /** Minimum finding kind that triggers enforcement actions. Defaults to "actionable". */
+        minKind?: "informational" | "actionable";
+        /**
+         * List of finding types to promote from "informational" to "actionable".
+         * Cannot include LOCKED_ACTIONABLE_TYPES (they are already actionable).
+         */
+        promote?: string[];
+        /** Baseline maturity thresholds — overrides hardcoded defaults in DeviationDetector. */
+        baselineMaturity?: {
+            minSessions?: number;
+            minDaysObserved?: number;
+            minCategoryDiversity?: number;
+        };
+    };
+    alerts?: {
+        channels: (string | {
+            type: string;
+            minKind?: "informational" | "actionable";
+        })[];
+        webhookUrl?: string;
+        filePath?: string;
+        minSeverity?: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+        /** Top-level minimum finding kind for alert routing. Defaults to "actionable". */
+        minKind?: "informational" | "actionable";
+    };
+    repo?: {
+        root?: string;
+        scanOnStartup?: boolean;
+        mapPath?: string;
+        overlayPath?: string;
+    };
+}
+declare function loadPolicy(yamlPath: string): Promise<SentinelPolicy>;
+declare function loadPolicyFromString(yamlString: string): SentinelPolicy;
+
+interface CliApprovalOptions {
+    timeoutMs?: number;
+    defaultOnTimeout?: boolean;
+}
+declare function createCliApproval(options?: CliApprovalOptions): (event: AgentActivityEvent, finding: SecurityFinding) => Promise<boolean>;
+
+/**
+ * `sentinel init claude-code` — generates config files for cc + Sentinel integration.
+ *
+ * Creates:
+ *   <cwd>/.sentinel.yaml          — starter policy (skip if exists, --force overwrites)
+ *   ~/.dahlia/fail-closed-tiers.json — tier config for hook script
+ *   ~/.dahlia/cc-hook.mjs          — hook script with gateway path substituted
+ *   <cwd>/.claude/settings.local.json — always merged, never overwritten
+ *
+ * Pre-flight checks (all must pass before any files are written):
+ *   1. tsx is resolvable
+ *   2. Configured port (default 7847) is available
+ *   3. ~/.dahlia/ directory is creatable
+ */
+interface InitReport {
+    created: string[];
+    skipped: string[];
+    merged: string[];
+    errors: string[];
+}
+declare function runInitClaudeCode(options: {
+    force?: boolean;
+    port?: number;
+    cwd?: string;
+    home?: string;
+}): Promise<InitReport>;
+
+/**
+ * Walks up from a given directory looking for .sentinel.yaml.
+ * Stops at $HOME (inclusive) or filesystem root.
+ */
+declare function discoverPolicy(startDir: string, home: string): string | null;
+
+/**
+ * `session-start` entry point — called by the hook script on SessionStart.
+ *
+ * 1. Discover .sentinel.yaml (walk up from cwd to $HOME)
+ * 2. Acquire gateway lock (PID file check)
+ * 3. If gateway already running → exit early
+ * 4. If no policy found → exit early (no gateway needed)
+ * 5. Spawn gateway detached, write PID file, unref
+ */
+interface SessionStartResult {
+    action: "reused" | "spawned" | "no-policy";
+    pid?: number;
+    policyPath?: string;
+}
+declare function runSessionStart(options?: {
+    cwd?: string;
+    home?: string;
+    port?: number;
+}): Promise<SessionStartResult>;
+
+export { AgentActivityEvent, type CliApprovalOptions, type InitReport, SecurityFinding, type SentinelPolicy, type SessionStartResult, createCliApproval, discoverPolicy, loadPolicy, loadPolicyFromString, runInitClaudeCode, runSessionStart };

package/dist/index.js

@@ -0,0 +1,28 @@
+import {
+  runInitClaudeCode,
+  runSessionStart
+} from "./chunk-3U3PKD4N.js";
+import {
+  Sentinel,
+  createCliApproval
+} from "./chunk-QFRDEISP.js";
+import "./chunk-CUJKNIKT.js";
+import {
+  discoverPolicy
+} from "./chunk-FMZWHT4M.js";
+import "./chunk-6MHWJATS.js";
+import {
+  loadPolicy,
+  loadPolicyFromString
+} from "./chunk-2FFMYSVC.js";
+import "./chunk-NUXSUSYY.js";
+export {
+  Sentinel,
+  createCliApproval,
+  discoverPolicy,
+  loadPolicy,
+  loadPolicyFromString,
+  runInitClaudeCode,
+  runSessionStart
+};
+//# sourceMappingURL=index.js.map

package/dist/logAdapter-IB6ZDEV2.js

@@ -0,0 +1,7 @@
+import {
+  LogAdapter
+} from "./chunk-PDWWRZXF.js";
+export {
+  LogAdapter
+};
+//# sourceMappingURL=logAdapter-IB6ZDEV2.js.map