@tuent/sentinel 0.1.2 → 0.1.3

package/SECURITY_MODEL.md

@@ -68,6 +68,15 @@ All target paths are normalized with `path.normalize()` before pattern matching.
 - `src/../.env` is normalized to `.env` before checking against `**/.env`
 - `project/subdir/../../.ssh/id_rsa` is normalized to `.ssh/id_rsa`
 
+Conversely, `command_exec` targets (whole shell command strings) are **never glob-matched as if they were a path**. They are screened by a scanner: the command is tokenized, path-shaped tokens are resolved and matched against the forbidden patterns, and every argv token's basename is matched against each pattern's basename component with **component-boundary** semantics (the basename must match as a whole, not as a substring). So `process.env` and similarly-shaped code constructs are not treated as file access (the basename `process.env` is not the basename `.env`), while a real operand like `payroll.csv` against a `payroll.csv` forbid pattern is denied — in any command position, not only at the end. This screen is the single source of truth for command screening on **both** the gateway and the embedded-SDK (`wrap()`/`check()`) paths; the gateway additionally keeps its inline L1/L2 scan as defense-in-depth. Correspondingly, `command_exec` is **exempt from the allowed-target allowlist** (and session `SCOPE:` narrowing): those are path globs, and a command string is not a path, so matching it there only produced false `scope_violation`s — which the sensitivity scorer could escalate to a hard block when the command merely named a credential token (e.g. `process.env`). Whether an agent may run commands at all is governed by `allowedActions`; whether a given command is forbidden is the command screen above.
+
+Two residuals of letting operators forbid bare basenames in commands (both pre-existing, narrower than the prior whole-string glob, and operator-self-inflicted):
+
+- **R1 — generic-word custom basenames.** A custom forbid pattern whose basename is a common word (e.g. a pattern ending in `build`) will also match a command that uses that word as a non-file argument (e.g. `npm run build`). This is intrinsic to forbidding a bare common word; prefer specific basenames for custom command-forbid patterns. The same property holds for path-target matching.
+- **R2 — positional-safety scope.** The echo-class positional-safety suppression (`isPositionallySafeMention`) is scoped to the built-in basename list, not to operator-custom patterns, so a custom basename mentioned in an otherwise-safe position (e.g. as an `echo` argument) is still denied.
+
+SDK-path residual: obfuscated/encoded command operands are de-obfuscated only on the gateway path (the translator's resolver pipeline); a direct `wrap()`/`check()` caller gets tokenized + basename + substring screening but not the decode layer.
+
 ### Self-Protection: Policy and Hook-Wiring Files
 
 The agent's own tool-writes to the live policy file (`.sentinel.yaml`) and to Claude Code's hook-wiring settings files (`.claude/settings.json` and `.claude/settings.local.json`, project- and user-level) are **denied by default**. Without this, an agent could rewrite its own policy or remove the hook entries that route its tool calls through the gateway with an ordinary file write. The corresponding forbid patterns ship in the defaults and the starter policy; the read carve-out is appended **code-side at ceiling-role construction** and is deliberately not authorable from the workspace yaml (workspace-authored exceptions are dropped by the ceiling merge, so a policy file can never widen its own protection away).

package/dist/Sentinel-5CQ6HKXS.js

@@ -0,0 +1,10 @@
+import {
+  Sentinel
+} from "./chunk-SSDIBY52.js";
+import "./chunk-JTR2E7RD.js";
+import "./chunk-WLIDSTS4.js";
+import "./chunk-NUXSUSYY.js";
+export {
+  Sentinel
+};
+//# sourceMappingURL=Sentinel-5CQ6HKXS.js.map

package/dist/{Sentinel-xFCyXH45.d.ts → Sentinel-BVoMEF3F.d.ts}

@@ -299,6 +299,21 @@ interface SecurityFinding {
      * finding is its own distinct entry (never merged).
      */
     dedupKey?: string;
+    /**
+     * Sprint 26B F-5a (corroboration-by-distinct-target). Identity of the RESOLVED
+     * forbidden target the deny fired on: the L1-resolved path when one exists,
+     * else a basename-family fallback (`l2:<sorted basenames>`) for L2-only hits
+     * that never produced a resolved path (unparseable / construct ambiguity).
+     * When present, getEffectiveBlockCount keys distinct-counting on it INSTEAD of
+     * dedupKey, so repeated denials against the same forbidden target — e.g. many
+     * differently-shaped commands all naming one token during self-hosted
+     * development — contribute ONE count toward the escalation ladder, while
+     * distinct forbidden targets still accumulate (a real multi-file sweep
+     * escalates as before). Additive and conditional (soft-signal discipline):
+     * absent on pre-F-5a entries, which keep counting by dedupKey / keyless
+     * exactly as before. NEVER changes the per-command deny disposition.
+     */
+    targetKey?: string;
 }
 /** Computed behavioral baseline for an agent over a time window. */
 /**

package/dist/{chunk-FWIISAZZ.js → chunk-2TJ5Z53T.js}

@@ -7,7 +7,7 @@ import {
 } from "./chunk-FMZWHT4M.js";
 import {
   FORBIDDEN_BASENAMES
-} from "./chunk-QIYQWOLO.js";
+} from "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   loadPolicyFromString
@@ -32,6 +32,7 @@ var HOOK_SCRIPT_SOURCE = `#!/usr/bin/env node
 import { readFileSync, appendFileSync, existsSync } from "node:fs";
 import { join, resolve, sep } from "node:path";
 import { spawn } from "node:child_process";
+import { createRequire } from "node:module";
 
 const GATEWAY_ENTRY_POINT = "__GATEWAY_ENTRY_POINT__";
 const PORT = 7847;
@@ -214,65 +215,37 @@ if (mode === "pre") {
   process.exit(0);
 
 } else if (mode === "session-start") {
-  // P5 cold-start readiness poll (kept byte-equivalent to
-  // setup/gatewayReadiness.ts \u2014 a generated string can't import it). Bounded WAIT
-  // on /api/sentinel/health so cc's first PreToolUse hits a LISTENING gateway
-  // instead of racing the daemon's warmup into the tiered fail-closed. Health
-  // returns 200 only once the port is bound AFTER baseline+translator wiring, so
-  // 200 == evaluation-ready. On timeout we exit anyway; the first pre-tool-use
-  // uses the existing fail-closed, UNCHANGED. Never fail-opens.
-  async function waitForGatewayReady() {
-    const deadline = Date.now() + 5000;
-    while (Date.now() < deadline) {
-      try {
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), 500);
-        try {
-          const res = await fetch(BASE_URL + "/api/sentinel/health", { signal: controller.signal });
-          if (res.ok) return; // evaluation-ready
-        } finally { clearTimeout(timer); }
-      } catch { /* not listening yet \u2014 retry until the bound */ }
-      await new Promise((r) => setTimeout(r, 100));
-    }
-    // timed out \u2014 fall through; the first pre-tool-use uses the existing fail-closed.
-  }
-
-  // Check if gateway is already running (simple liveness; full PID validity is 5c)
-  if (existsSync(PID_PATH)) {
+  // Delegate the FULL lifecycle decision \u2014 liveness, build-version check, relaunch
+  // on stale build, and spawn \u2014 to runSessionStart via the dual-mode daemon entry.
+  // One source of truth: this generated file carries NO copy of that logic
+  // (anti-drift). We resolve the daemon entry from the PROJECT (cwd) at
+  // hook-runtime so a relocated install (pnpm / version bump) launches the CURRENT
+  // build rather than the init-time baked path; we fall back to the baked path
+  // (dev tree, or package not resolvable from cwd). The launcher itself performs
+  // the bounded readiness wait, so awaiting its exit preserves the cold-start
+  // guarantee (first PreToolUse hits a ready gateway, or the existing fail-closed).
+  function resolveDaemonEntry() {
     try {
-      const pid = parseInt(readFileSync(PID_PATH, "utf-8").trim(), 10);
-      process.kill(pid, 0); // throws if process doesn't exist
-      await waitForGatewayReady(); // alive but may still be warming \u2014 wait, bounded
-      process.exit(0); // gateway is running (and now ready, or timed out)
-    } catch {
-      // Stale PID \u2014 continue to launch
-    }
-  }
-
-  // Discover .sentinel.yaml by walking up from cwd
-  let dir = process.cwd();
-  let policyPath = null;
-  while (true) {
-    const candidate = join(dir, ".sentinel.yaml");
-    if (existsSync(candidate)) { policyPath = candidate; break; }
-    const parent = join(dir, "..");
-    if (parent === dir) break; // filesystem root
-    dir = parent;
+      const require = createRequire(join(process.cwd(), "package.json"));
+      const pkg = require.resolve("@tuent/sentinel/package.json");
+      const candidate = join(pkg, "..", "dist", "gatewayDaemon.js");
+      if (existsSync(candidate)) return candidate;
+    } catch { /* not resolvable from cwd \u2014 fall back */ }
+    return GATEWAY_ENTRY_POINT;
   }
 
-  if (!policyPath) {
-    process.stderr.write("Sentinel: no .sentinel.yaml found. Gateway not started.\\n", () => process.exit(0));
-  }
-
-  // Launch gateway daemon (detached). Extension-aware: an installed package
-  // substitutes dist/gatewayDaemon.js (plain node); the dev tree substitutes a
-  // .ts (node --import tsx/esm).
-  const gatewayArgs = GATEWAY_ENTRY_POINT.endsWith(".ts")
-    ? ["--import", "tsx/esm", GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)]
-    : [GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)];
-  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
-  child.unref();
-  await waitForGatewayReady(); // bounded wait for the just-spawned daemon to bind
+  const entry = resolveDaemonEntry();
+  const launchArgs = entry.endsWith(".ts")
+    ? ["--import", "tsx/esm", entry, "--session-start", "--port", String(PORT), "--cwd", process.cwd()]
+    : [entry, "--session-start", "--port", String(PORT), "--cwd", process.cwd()];
+  await new Promise((res) => {
+    const child = spawn("node", launchArgs, { stdio: "ignore" });
+    // Safety bound: a wedged launcher must never hang the cc session. On timeout
+    // we return; the daemon may still be coming up and the first call fail-closes.
+    const safety = setTimeout(() => { try { child.kill(); } catch {} res(undefined); }, 15000);
+    child.on("exit", () => { clearTimeout(safety); res(undefined); });
+    child.on("error", () => { clearTimeout(safety); res(undefined); });
+  });
   process.exit(0);
 
 } else if (mode === "session-end") {
@@ -588,9 +561,22 @@ async function writeIfAbsent(path, content, force, report, mode) {
   report.created.push(path);
 }
 
+// src/setup/buildId.ts
+import { createHash } from "crypto";
+import { readFileSync } from "fs";
+function computeBuildId(entryPath) {
+  try {
+    return createHash("sha256").update(readFileSync(entryPath)).digest("hex");
+  } catch {
+    return "unknown";
+  }
+}
+
 // src/setup/sessionStart.ts
 import { spawn } from "child_process";
 import { homedir } from "os";
+import { openSync, closeSync, unlinkSync, statSync, mkdirSync } from "fs";
+import { join as join2 } from "path";
 
 // src/setup/gatewayReadiness.ts
 var GATEWAY_READY_TIMEOUT_MS = 5e3;
@@ -619,6 +605,87 @@ async function waitForGatewayReady(port, options) {
 }
 
 // src/setup/sessionStart.ts
+var KILL_GRACE_MS = 3e3;
+var KILL_POLL_MS = 100;
+var RELAUNCH_LOCK_STALE_MS = 15e3;
+function relaunchLockPath(home) {
+  return join2(home, ".dahlia", "gateway-relaunch.lock");
+}
+async function fetchHealthBuildId(port) {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 500);
+    try {
+      const res = await fetch(`http://localhost:${port}/api/sentinel/health`, {
+        signal: controller.signal
+      });
+      if (!res.ok) return null;
+      const body = await res.json();
+      return typeof body.buildId === "string" ? body.buildId : null;
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch {
+    return null;
+  }
+}
+function isAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function terminateDaemon(pid) {
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return;
+  }
+  const deadline = Date.now() + KILL_GRACE_MS;
+  while (Date.now() < deadline) {
+    if (!isAlive(pid)) return;
+    await new Promise((r) => setTimeout(r, KILL_POLL_MS));
+  }
+  if (isAlive(pid)) {
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+    }
+  }
+}
+function acquireRelaunchLock(home) {
+  const path = relaunchLockPath(home);
+  try {
+    closeSync(openSync(path, "wx"));
+    return true;
+  } catch {
+    try {
+      const age = Date.now() - statSync(path).mtimeMs;
+      if (age > RELAUNCH_LOCK_STALE_MS) {
+        unlinkSync(path);
+        closeSync(openSync(path, "wx"));
+        return true;
+      }
+    } catch {
+    }
+    return false;
+  }
+}
+function releaseRelaunchLock(home) {
+  try {
+    unlinkSync(relaunchLockPath(home));
+  } catch {
+  }
+}
+function spawnDaemon(entry, policyPath, port, home) {
+  const args = entry.endsWith(".ts") ? ["--import", "tsx/esm", entry, "--policy", policyPath, "--port", String(port)] : [entry, "--policy", policyPath, "--port", String(port)];
+  const child = spawn("node", args, { detached: true, stdio: "ignore" });
+  child.unref();
+  if (child.pid) writePidFile(home, child.pid);
+  return child.pid;
+}
 async function runSessionStart(options) {
   const cwd = options?.cwd ?? process.cwd();
   const home = options?.home ?? homedir();
@@ -627,24 +694,39 @@ async function runSessionStart(options) {
   if (!policyPath) {
     return { action: "no-policy" };
   }
+  mkdirSync(join2(home, ".dahlia"), { recursive: true });
+  const gatewayEntry = options?.gatewayEntry ?? resolveGatewayEntryPoint();
+  const localBuildId = computeBuildId(gatewayEntry);
   const lock = acquireGatewayLock(home);
   if (lock.reused) {
-    await waitForGatewayReady(port);
-    return { action: "reused", pid: lock.pid, policyPath };
-  }
-  const gatewayEntry = resolveGatewayEntryPoint();
-  const gatewayArgs = gatewayEntry.endsWith(".ts") ? ["--import", "tsx/esm", gatewayEntry, "--policy", policyPath, "--port", String(port)] : [gatewayEntry, "--policy", policyPath, "--port", String(port)];
-  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
-  child.unref();
-  if (child.pid) {
-    writePidFile(home, child.pid);
+    const remoteBuildId = await fetchHealthBuildId(port);
+    if (remoteBuildId !== null && remoteBuildId === localBuildId) {
+      await waitForGatewayReady(port);
+      return { action: "reused", pid: lock.pid, policyPath, relaunchReason: null };
+    }
+    const reason = remoteBuildId === null ? "health-unreachable-or-unknown" : "build-mismatch";
+    if (!acquireRelaunchLock(home)) {
+      await waitForGatewayReady(port);
+      const peerPid = acquireGatewayLock(home).pid ?? lock.pid;
+      return { action: "reused", pid: peerPid, policyPath, relaunchReason: null };
+    }
+    try {
+      if (lock.pid) await terminateDaemon(lock.pid);
+      const pid2 = spawnDaemon(gatewayEntry, policyPath, port, home);
+      await waitForGatewayReady(port);
+      return { action: "relaunched", pid: pid2, policyPath, relaunchReason: reason };
+    } finally {
+      releaseRelaunchLock(home);
+    }
   }
+  const pid = spawnDaemon(gatewayEntry, policyPath, port, home);
   await waitForGatewayReady(port);
-  return { action: "spawned", pid: child.pid, policyPath };
+  return { action: "spawned", pid, policyPath, relaunchReason: null };
 }
 
 export {
   runInitClaudeCode,
+  computeBuildId,
   runSessionStart
 };
-//# sourceMappingURL=chunk-FWIISAZZ.js.map
+//# sourceMappingURL=chunk-2TJ5Z53T.js.map

package/dist/{chunk-L4R3LPJS.js → chunk-G74MMDKA.js}

@@ -15,7 +15,7 @@ import {
   scanContentForForbiddenBasenames,
   scanGlobPattern,
   tokenizePaths
-} from "./chunk-QIYQWOLO.js";
+} from "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   policyToConfig,
@@ -786,23 +786,39 @@ function mcpVerbIsMutating(toolName) {
   const tokens = seg.split(/[_-]/).filter((t) => t.length > 0);
   return tokens.some((t) => MCP_MUTATING_VERBS.some((v) => t.startsWith(v)));
 }
+var MCP_MAX_DEPTH = 6;
+var MCP_MAX_NODES = 1e3;
+function collectMcpStrings(value, depth, state) {
+  if (state.nodes >= MCP_MAX_NODES) {
+    state.truncated = true;
+    return;
+  }
+  state.nodes++;
+  if (typeof value === "string") {
+    if (value.length > 0) state.strings.push(value);
+    return;
+  }
+  if (value === null || typeof value !== "object") return;
+  if (depth >= MCP_MAX_DEPTH) {
+    state.truncated = true;
+    return;
+  }
+  const children = Array.isArray(value) ? value : Object.values(value);
+  for (const child of children) collectMcpStrings(child, depth + 1, state);
+}
 function extractMcpTargets(toolName, toolInput) {
   const targets = [toolName];
   const keys = Object.keys(toolInput);
-  let extractedStrings = 0;
-  for (const key of keys) {
-    const value = toolInput[key];
-    if (typeof value !== "string" || value.length === 0) continue;
-    extractedStrings++;
+  const state = { strings: [], nodes: 0, truncated: false };
+  for (const key of keys) collectMcpStrings(toolInput[key], 1, state);
+  for (const value of state.strings) {
     targets.push(value);
     const resolved = runResolverPipeline(value);
-    for (const r of resolved) {
-      targets.push(r);
-    }
+    for (const r of resolved) targets.push(r);
   }
   return {
     targets,
-    unextractable: keys.length > 0 && extractedStrings === 0,
+    unextractable: keys.length > 0 && (state.strings.length === 0 || state.truncated),
     mutating: mcpVerbIsMutating(toolName)
   };
 }
@@ -1044,7 +1060,6 @@ function buildModifiedGrepInput(originalInput, exclusions) {
 import { timingSafeEqual } from "crypto";
 var DEFAULT_PORT = 7847;
 var MAX_BODY_SIZE = 1024 * 1024;
-var GATEWAY_VERSION = "0.1.0";
 function isLoopbackAddress(addr) {
   if (!addr) return false;
   return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1" || addr.startsWith("127.");
@@ -1101,6 +1116,9 @@ var SentinelGateway = class {
   releaseToken;
   /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
   unknownTools;
+  /** Daemon-staleness build identity (content hash of the launched-from entry),
+   *  reported via /health. "unknown" when not supplied by the launcher. */
+  buildId;
   server = null;
   running = false;
   signalHandlersInstalled = false;
@@ -1116,6 +1134,7 @@ var SentinelGateway = class {
     this.home = options.home ?? "";
     this.releaseToken = options.releaseToken ?? null;
     this.unknownTools = options.unknownTools ?? "warn";
+    this.buildId = options.buildId ?? "unknown";
     const internal = options;
     if (internal.registry) {
       this.registry = internal.registry;
@@ -1235,7 +1254,11 @@ var SentinelGateway = class {
         const snap = this.telemetry.getSnapshot();
         this.sendJson(res, 200, {
           status: "running",
-          version: GATEWAY_VERSION,
+          // Daemon-staleness build identity (content hash of the launched-from
+          // entry). Replaces the former hardcoded GATEWAY_VERSION, which had
+          // drifted from package.json and would have mismatched spuriously.
+          // session-start compares this to the current on-disk entry hash.
+          buildId: this.buildId,
           uptime: snap.uptime_seconds
         });
         return;
@@ -1548,6 +1571,7 @@ var SentinelGateway = class {
           unparseable: anyUnparseable,
           hasDangerousConstruct: anyDangerousConstruct
         });
+        const targetKey = matchedPath ?? `l2:${[...new Set(allL2Hits)].sort().join(",")}`;
         const finding = {
           severity: "HIGH",
           kind: "actionable",
@@ -1565,7 +1589,8 @@ var SentinelGateway = class {
           timestamp: event.timestamp,
           decision: "deny",
           mentionOnly,
-          dedupKey: event.primaryTarget
+          dedupKey: event.primaryTarget,
+          targetKey
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1592,7 +1617,9 @@ var SentinelGateway = class {
           decision: "deny",
           // A resolved path-glob hit is a file target — never a mention.
           mentionOnly: false,
-          dedupKey: event.primaryTarget
+          dedupKey: event.primaryTarget,
+          // F-5a: the resolved forbidden path IS the target identity here.
+          targetKey: matchedPath
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -2022,9 +2049,10 @@ var SentinelGateway = class {
 };
 async function runGatewayDaemon({
   policyPath,
-  port = DEFAULT_PORT
+  port = DEFAULT_PORT,
+  buildId
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-XMSJE4DZ.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-5CQ6HKXS.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
@@ -2046,7 +2074,8 @@ async function runGatewayDaemon({
     home: homedir(),
     releaseToken,
     unknownTools: operatorConfig.enforcement?.unknownTools,
-    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools
+    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools,
+    buildId
   });
   await gateway.start();
   const home = homedir();
@@ -2059,4 +2088,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-L4R3LPJS.js.map
+//# sourceMappingURL=chunk-G74MMDKA.js.map

package/dist/{chunk-QIYQWOLO.js → chunk-JTR2E7RD.js}

@@ -550,7 +550,7 @@ function tokenizePaths(command) {
       if (dispatch.unparseable) {
         result.unparseable = true;
       }
-    } else if (isPathShaped(token)) {
+    } else if (isPathShaped(token) && !isEnvIdentifierChain(token)) {
       const resolved = resolvePathToken(token);
       result.paths.push(resolved);
     }
@@ -558,6 +558,21 @@ function tokenizePaths(command) {
   }
   return result;
 }
+function isEnvIdentifierChain(token) {
+  if (token.includes("/") || token.startsWith(".")) return false;
+  if (!allEnvOccurrencesIdentifierEmbedded(token)) return false;
+  return !SENSITIVE_BASENAME_RE.test(token.replace(/\.env/gi, " "));
+}
+function allEnvOccurrencesIdentifierEmbedded(s) {
+  const envHits = /\.env/gi;
+  let m;
+  let any = false;
+  while ((m = envHits.exec(s)) !== null) {
+    any = true;
+    if (!/[A-Za-z0-9_$]/.test(s[m.index - 1] ?? "")) return false;
+  }
+  return any;
+}
 function isPathShaped(token) {
   if (token.includes("/")) return true;
   if (token.startsWith(".")) return true;
@@ -816,6 +831,7 @@ function classifyDeny(command, signals) {
 }
 
 // src/roleValidator.ts
+import { parse as shellParse2 } from "shell-quote";
 var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
 function resolveSymlinks(normalizedPath) {
   if (!normalizedPath || normalizedPath.includes("://")) return normalizedPath;
@@ -1148,10 +1164,26 @@ var RoleValidator = class {
         }
       }
     }
-    const safeCommandMention = event.action === "command_exec" && isPositionallySafeMention(event.primaryTarget);
+    if (event.action === "command_exec") {
+      const cmd = this.screenCommandTarget(event);
+      if (cmd) {
+        const finding = this.buildForbiddenFinding(
+          event,
+          cmd.matchedTarget,
+          cmd.matchedPattern,
+          activeTask ?? null
+        );
+        if (finding) {
+          finding.targetKey = cmd.targetKey;
+          finding.dedupKey = event.primaryTarget;
+          finding.mentionOnly = false;
+          return finding;
+        }
+      }
+    }
     for (const pattern of this.role.forbiddenTargetPatterns) {
       let matchedTargetValue = null;
-      if (!safeCommandMention && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+      if (event.action !== "command_exec" && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
         matchedTargetValue = normalizedPrimaryTarget;
       }
       if (!matchedTargetValue) {
@@ -1169,57 +1201,13 @@ var RoleValidator = class {
         }
       }
       if (matchedTargetValue) {
-        const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
-        const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
-        const finding = this.makeFinding(event, {
-          severity: "HIGH",
-          type: "unauthorized_target",
-          description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
-          recommendation: getTargetRecommendation(
-            "unauthorized_target",
-            matchedTargetValue,
-            event.action
-          ),
-          matchedTarget: matchedTargetValue
-        });
-        if (!isCritical) {
-          const exception = findMatchingException(this.role.exceptions, event, activeTask ?? null);
-          if (exception) {
-            this.onAuditEntry?.({
-              type: "exception_applied",
-              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-              agentId: event.agentId,
-              target: matchedTargetValue,
-              action: event.action,
-              exceptionTarget: exception.target,
-              taskId: activeTask?.taskId ?? null
-            });
-            if (exception.requiresApproval) {
-              const ctx = {
-                finding,
-                exception,
-                activeTask: activeTask ?? null,
-                expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
-              };
-              const approved = this.approvalFn?.(ctx) === true;
-              if (approved) {
-                this.onAuditEntry?.({
-                  type: "exception_approved",
-                  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-                  agentId: event.agentId,
-                  target: matchedTargetValue,
-                  action: event.action,
-                  exceptionTarget: exception.target,
-                  taskId: activeTask?.taskId ?? null
-                });
-                continue;
-              }
-            } else {
-              continue;
-            }
-          }
-        }
-        return this.enhanceWithSensitivity(finding, event);
+        const finding = this.buildForbiddenFinding(
+          event,
+          matchedTargetValue,
+          pattern,
+          activeTask ?? null
+        );
+        if (finding) return finding;
       }
     }
     if (this.sensitivityScorer && event.metadata?._mcpTool === "true") {
@@ -1238,7 +1226,7 @@ var RoleValidator = class {
         });
       }
     }
-    if (this.role.allowedTargetPatterns.length > 0) {
+    if (this.role.allowedTargetPatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const matched = this.role.allowedTargetPatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1276,7 +1264,7 @@ var RoleValidator = class {
       }
     }
     const scopePatterns = activeTask?.scopePatterns;
-    if (scopePatterns && scopePatterns.length > 0) {
+    if (scopePatterns && scopePatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const inScope = scopePatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1340,6 +1328,127 @@ var RoleValidator = class {
     }
     return finding;
   }
+  /**
+   * Sprint 26B B′ — scanner-authoritative forbidden screen for a command_exec
+   * PRIMARY target (the command string). Three layers, first match wins:
+   *
+   *  L1 — tokenizePaths(command): resolved path-shaped tokens (symlink-resolved,
+   *       dir-globs, F-5b's isEnvIdentifierChain guard inside) matched against the
+   *       FULL role patterns via matchGlob.
+   *  Boundary — every argv token's basename vs each pattern's basename component
+   *       via the SAME matchGlob (its `^…$` anchoring → true boundary, so
+   *       `^\.env$` rejects `process.env` and `^payroll\.csv$` rejects
+   *       `mypayroll.csv`, while a `payroll.csv` token matches a `payroll.csv`
+   *       pattern basename). Patterns whose basename is pure-wildcard (a bare
+   *       star or globstar) are dir-globs and are skipped here (L1 handles them
+   *       on resolved paths).
+   *  L2 — scanBashCommand substring net (fixed FORBIDDEN_BASENAMES) gated by
+   *       isPositionallySafeMention, for heredoc/substitution shapes tokenization
+   *       can't cleanly split.
+   *
+   * Returns the matched target + the F-5a targetKey (resolved path / token /
+   * `l2:<basenames>`, mirroring the gateway emit) + a pattern label for the
+   * finding description, or null when nothing matches.
+   */
+  screenCommandTarget(event) {
+    const command = event.primaryTarget;
+    if (isPositionallySafeMention(command)) return null;
+    const tr = tokenizePaths(command);
+    for (const p of tr.paths) {
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        if (matchGlobInsensitive(pattern, p)) {
+          return { matchedTarget: p, targetKey: p, matchedPattern: pattern };
+        }
+      }
+    }
+    let tokens;
+    try {
+      tokens = shellParse2(command);
+    } catch {
+      tokens = [];
+    }
+    for (const tok of tokens) {
+      if (typeof tok !== "string") continue;
+      const tokBase = basename2(tok);
+      if (tokBase.length === 0) continue;
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        const patBase = basename2(pattern);
+        if (patBase === "*" || patBase === "**") continue;
+        if (matchGlobInsensitive(patBase, tokBase)) {
+          return { matchedTarget: tok, targetKey: tok, matchedPattern: pattern };
+        }
+      }
+    }
+    const scan = scanBashCommand(command, FORBIDDEN_BASENAMES);
+    if (scan.matched) {
+      const hits = [...new Set(scan.hits)].sort();
+      return {
+        matchedTarget: scan.hits[0],
+        targetKey: `l2:${hits.join(",")}`,
+        matchedPattern: hits.join(", ")
+      };
+    }
+    return null;
+  }
+  /**
+   * Build the unauthorized_target finding for a matched forbidden target, applying
+   * the same exception/approval/sensitivity flow shared by Check 2's per-pattern
+   * loop and the B′ command screen. Returns the finding to emit, or null when an
+   * exception (auto, or approved) suppresses it (caller continues / falls through).
+   */
+  buildForbiddenFinding(event, matchedTargetValue, pattern, activeTask) {
+    const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
+    const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
+    const finding = this.makeFinding(event, {
+      severity: "HIGH",
+      type: "unauthorized_target",
+      description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
+      recommendation: getTargetRecommendation(
+        "unauthorized_target",
+        matchedTargetValue,
+        event.action
+      ),
+      matchedTarget: matchedTargetValue
+    });
+    if (!isCritical) {
+      const exception = findMatchingException(this.role.exceptions, event, activeTask);
+      if (exception) {
+        this.onAuditEntry?.({
+          type: "exception_applied",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          agentId: event.agentId,
+          target: matchedTargetValue,
+          action: event.action,
+          exceptionTarget: exception.target,
+          taskId: activeTask?.taskId ?? null
+        });
+        if (exception.requiresApproval) {
+          const ctx = {
+            finding,
+            exception,
+            activeTask,
+            expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
+          };
+          const approved = this.approvalFn?.(ctx) === true;
+          if (approved) {
+            this.onAuditEntry?.({
+              type: "exception_approved",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              agentId: event.agentId,
+              target: matchedTargetValue,
+              action: event.action,
+              exceptionTarget: exception.target,
+              taskId: activeTask?.taskId ?? null
+            });
+            return null;
+          }
+        } else {
+          return null;
+        }
+      }
+    }
+    return this.enhanceWithSensitivity(finding, event);
+  }
   makeFinding(event, details) {
     return {
       severity: details.severity,
@@ -1788,4 +1897,4 @@ export {
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-QIYQWOLO.js.map
+//# sourceMappingURL=chunk-JTR2E7RD.js.map

package/dist/{chunk-GRN5P3H2.js → chunk-SSDIBY52.js}

@@ -18,7 +18,7 @@ import {
   unionWithDefaultForbiddenPatterns,
   walkForbiddenInodeRoots,
   withPolicyReadExceptions
-} from "./chunk-QIYQWOLO.js";
+} from "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   policyToConfig,
@@ -315,6 +315,9 @@ var ProfileStore = class {
     this.profile = await this.backend.read();
     this.engine = new DataEngine({ petalCount: this.petalCount });
     if (this.profile) {
+      if (!Array.isArray(this.profile.dataPoints)) {
+        this.profile.dataPoints = [];
+      }
       for (const point of this.profile.dataPoints) {
         this.engine.addPoint(point);
       }
@@ -618,6 +621,7 @@ var AgentActivityClassifier = class {
 
 // src/auditTrail.ts
 import { createHash } from "crypto";
+import { existsSync } from "fs";
 var AuditTrail = class _AuditTrail {
   static GENESIS_HASH = "0".repeat(64);
   /** S21-P4: honest label for cumulative-stats.json's totalEntries. */
@@ -651,6 +655,11 @@ var AuditTrail = class _AuditTrail {
     this.agentId = agentId;
     const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
     const logDir = options?.logDir ?? `${home}/.dahlia/agents/${agentId}`;
+    if (options?.logDir && !existsSync(`${logDir}/audit.log`) && existsSync(`${logDir}/${agentId}/audit.log`)) {
+      throw new Error(
+        `AuditTrail logDir must be the agent's own directory, not the agents root: "${logDir}" contains no audit.log, but "${logDir}/${agentId}/audit.log" exists. Pass join(agentsRoot, "${agentId}") instead.`
+      );
+    }
     this.logPath = `${logDir}/audit.log`;
     this.statsPath = `${logDir}/cumulative-stats.json`;
     this.manifestPath = `${logDir}/audit.manifest`;
@@ -749,6 +758,9 @@ var AuditTrail = class _AuditTrail {
     if (finding.dedupKey !== void 0) {
       entry.dedupKey = finding.dedupKey;
     }
+    if (finding.targetKey !== void 0) {
+      entry.targetKey = finding.targetKey;
+    }
     await this.writeLine(entry);
   }
   /**
@@ -2978,6 +2990,7 @@ var SentinelRunner = class {
   }
   async runGapCheck() {
     if (!this._deviationDetector || !this.auditTrail) return;
+    if (this._eventCount === 0) return;
     const finding = await this._deviationDetector.checkActivityGap(this.auditTrail);
     if (finding) {
       this.findings.push(finding);
@@ -3529,7 +3542,7 @@ var SentinelManager = class {
 };
 
 // src/Sentinel.ts
-import { lstatSync, existsSync } from "fs";
+import { lstatSync, existsSync as existsSync2 } from "fs";
 import { resolve as resolve2, dirname, sep as sep2 } from "path";
 
 // src/baselineBuilder.ts
@@ -6418,7 +6431,7 @@ var Sentinel = class _Sentinel {
         );
       }
     }
-    if (!existsSync(root)) {
+    if (!existsSync2(root)) {
       console.warn(
         `[Sentinel] Workspace root '${root}' does not exist on disk \u2014 anchored allowed patterns will match nothing and every allowed read may be denied.`
       );
@@ -7421,8 +7434,10 @@ var Sentinel = class _Sentinel {
     const distinctKeys = /* @__PURE__ */ new Set();
     let keyless = 0;
     for (const f of survivors) {
-      const key = f.dedupKey;
-      if (typeof key === "string" && key.length > 0) distinctKeys.add(key);
+      const tk = f.targetKey;
+      const dk = f.dedupKey;
+      if (typeof tk === "string" && tk.length > 0) distinctKeys.add(`t:${tk}`);
+      else if (typeof dk === "string" && dk.length > 0) distinctKeys.add(`c:${dk}`);
       else keyless++;
     }
     return distinctKeys.size + keyless;
@@ -7470,4 +7485,4 @@ export {
   createCliApproval,
   Sentinel
 };
-//# sourceMappingURL=chunk-GRN5P3H2.js.map
+//# sourceMappingURL=chunk-SSDIBY52.js.map

package/dist/chunk-TKAKHSZ3.js

@@ -0,0 +1 @@
+//# sourceMappingURL=chunk-TKAKHSZ3.js.map

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
-import{runInitClaudeCode as de}from"./chunk-FWIISAZZ.js";import{AgentProfileManager as H,AlertManager as ge,AuditTrail as A,BaselineBuilder as N,CorrelationDetector as ue,DeviationDetector as B,FileStorageBackend as fe,ProfileStore as pe,ReportGenerator as me,Sentinel as T,SentinelRunner as he,generateFleetReport as ye}from"./chunk-GRN5P3H2.js";import{readReleaseToken as we}from"./chunk-LATQNIRW.js";import{deriveAgentId as $e}from"./chunk-B5QKJHSV.js";import"./chunk-FMZWHT4M.js";import"./chunk-QIYQWOLO.js";import{loadPolicy as ve}from"./chunk-WLIDSTS4.js";import{getOrCreateKeyPair as E}from"./chunk-NUXSUSYY.js";import{join as u}from"path";import{homedir as m}from"os";import{readFile as M,writeFile as R,access as K,mkdir as W}from"fs/promises";function Ae(e){const o=new Date(e);if(isNaN(o.getTime()))return"unknown";const t=Date.now()-o.getTime();if(t<0)return"just now";const a=Math.floor(t/6e4);if(a<1)return"just now";if(a<60)return`${a} minute${a===1?"":"s"} ago`;const r=Math.floor(a/60);if(r<24)return`${r} hour${r===1?"":"s"} ago`;const i=Math.floor(r/24);if(i<14)return`${i} day${i===1?"":"s"} ago`;const d=Math.floor(i/7);if(i<60)return`${d} week${d===1?"":"s"} ago`;if(i>=365)return"over a year ago";const c=Math.floor(i/30);return`${c} month${c===1?"":"s"} ago`}function Ie(e,o){const n=new Date(o),t=isNaN(n.getTime())?1/0:Math.floor((Date.now()-n.getTime())/864e5);return e<.3||t>30?"declining":e>.7&&t<7?"rising":"stable"}function Se(e){return e<.3?"inner":e<.65?"middle":"outer"}function G(e){if(e.length===0)return"No petals selected.";const o=new Map;for(const t of e)o.set(t.id,t.label);const n=[`Selected petals (${e.length}):
-`];for(const t of e){const a=Se(t.layer),r=t.isRichData?"":" [filler]";n.push(`- ${t.label}${r}`),n.push(`  Category: ${t.category}`),n.push(`  Layer zone: ${a} (${(t.layer*100).toFixed(0)}%)`),n.push(`  Openness: ${(t.openness*100).toFixed(0)}%`),n.push(`  Description: ${t.description}`),n.push(`  Last active: ${t.lastActive}`);const i=Ae(t.lastActive),d=t.weight!=null?Ie(t.weight,t.lastActive):"stable";if(n.push(`  Temporal: Last active ${i} | Weight trend: ${d}`),t.source){const c={seed:"seed data",agent:"observed from activity",manual:"filesystem scan",diary:"personal diary entry",conversation:"created from conversation","agent-monitor":"monitored agent activity"};n.push(`  Source: ${c[t.source]??t.source}`)}if(t.weight!=null&&n.push(`  Weight: ${t.weight.toFixed(2)}`),t.connections.length>0){const c=t.connections.map(s=>o.get(s)??De(s));n.push(`  Connections: ${c.join(", ")}`)}if(t.files&&t.files.length>0){const c=t.files.slice(0,10).map(s=>s.split("/").pop()??s);n.push(`  Key files: ${c.join(", ")}`)}if(t.fileContents&&t.fileContents.length>0){n.push("  File contents:");for(const c of t.fileContents)n.push(`  --- ${c.name} ---`),n.push(c.content.split(`
-`).map(s=>`  ${s}`).join(`
+import"./chunk-TKAKHSZ3.js";import{AgentProfileManager as H,AlertManager as de,AuditTrail as A,BaselineBuilder as N,CorrelationDetector as ge,DeviationDetector as B,FileStorageBackend as ue,ProfileStore as fe,ReportGenerator as pe,Sentinel as R,SentinelRunner as me,generateFleetReport as he}from"./chunk-SSDIBY52.js";import{runInitClaudeCode as ye}from"./chunk-2TJ5Z53T.js";import{readReleaseToken as we}from"./chunk-LATQNIRW.js";import{deriveAgentId as $e}from"./chunk-B5QKJHSV.js";import"./chunk-FMZWHT4M.js";import"./chunk-JTR2E7RD.js";import{loadPolicy as ve}from"./chunk-WLIDSTS4.js";import{getOrCreateKeyPair as M}from"./chunk-NUXSUSYY.js";import{join as u}from"path";import{homedir as m}from"os";import{readFile as j,writeFile as C,access as K,mkdir as W}from"fs/promises";function Ae(e){const o=new Date(e);if(isNaN(o.getTime()))return"unknown";const t=Date.now()-o.getTime();if(t<0)return"just now";const a=Math.floor(t/6e4);if(a<1)return"just now";if(a<60)return`${a} minute${a===1?"":"s"} ago`;const r=Math.floor(a/60);if(r<24)return`${r} hour${r===1?"":"s"} ago`;const s=Math.floor(r/24);if(s<14)return`${s} day${s===1?"":"s"} ago`;const d=Math.floor(s/7);if(s<60)return`${d} week${d===1?"":"s"} ago`;if(s>=365)return"over a year ago";const c=Math.floor(s/30);return`${c} month${c===1?"":"s"} ago`}function Ie(e,o){const n=new Date(o),t=isNaN(n.getTime())?1/0:Math.floor((Date.now()-n.getTime())/864e5);return e<.3||t>30?"declining":e>.7&&t<7?"rising":"stable"}function Se(e){return e<.3?"inner":e<.65?"middle":"outer"}function G(e){if(e.length===0)return"No petals selected.";const o=new Map;for(const t of e)o.set(t.id,t.label);const n=[`Selected petals (${e.length}):
+`];for(const t of e){const a=Se(t.layer),r=t.isRichData?"":" [filler]";n.push(`- ${t.label}${r}`),n.push(`  Category: ${t.category}`),n.push(`  Layer zone: ${a} (${(t.layer*100).toFixed(0)}%)`),n.push(`  Openness: ${(t.openness*100).toFixed(0)}%`),n.push(`  Description: ${t.description}`),n.push(`  Last active: ${t.lastActive}`);const s=Ae(t.lastActive),d=t.weight!=null?Ie(t.weight,t.lastActive):"stable";if(n.push(`  Temporal: Last active ${s} | Weight trend: ${d}`),t.source){const c={seed:"seed data",agent:"observed from activity",manual:"filesystem scan",diary:"personal diary entry",conversation:"created from conversation","agent-monitor":"monitored agent activity"};n.push(`  Source: ${c[t.source]??t.source}`)}if(t.weight!=null&&n.push(`  Weight: ${t.weight.toFixed(2)}`),t.connections.length>0){const c=t.connections.map(i=>o.get(i)??De(i));n.push(`  Connections: ${c.join(", ")}`)}if(t.files&&t.files.length>0){const c=t.files.slice(0,10).map(i=>i.split("/").pop()??i);n.push(`  Key files: ${c.join(", ")}`)}if(t.fileContents&&t.fileContents.length>0){n.push("  File contents:");for(const c of t.fileContents)n.push(`  --- ${c.name} ---`),n.push(c.content.split(`
+`).map(i=>`  ${i}`).join(`
 `))}n.push("")}return n.join(`
 `)}function De(e){return e.split("-").map(o=>o.charAt(0).toUpperCase()+o.slice(1)).join(" ")}function be(e){const o=[Te(e.agentName,e.agentId,e.role),Re(e.baseline),Ce(e.e),Ee(e.findings),Me()],n=je(e.t);return n&&o.push(n),o.join(`
 
@@ -14,20 +14,20 @@ ${G(e)}`}function Ee(e){const o="=== Security Findings ===";if(e.length===0)retu
 No security findings detected. Agent behavior is within expected parameters.`;const n=[o];for(const t of e)n.push(`[${t.severity}] ${t.type}`),n.push(`  Description: ${t.description}`),n.push(`  Evidence: ${t.evidence.action} \u2192 ${t.evidence.target} at ${t.evidence.timestamp}`),t.evidence.baselineComparison&&n.push(`  Baseline comparison: ${t.evidence.baselineComparison}`),n.push(`  Recommendation: ${t.recommendation}`),n.push("");return n.join(`
 `)}function Me(){return["=== Analysis Request ===","Based on the data above, provide:","1. OVERALL HEALTH ASSESSMENT: Is this agent operating normally?","2. RISK SUMMARY: What is the overall risk level?","3. FINDING REVIEW: For each finding, confirm or adjust its severity with reasoning.","4. RECOMMENDATIONS: Specific actions the owner should take.","5. MONITORING GUIDANCE: What patterns to watch for going forward."].join(`
 `)}function je(e){return!e||e.length===0?null:`=== Owner Context ===
-${G(e)}`}import{request as J}from"http";var f=process.argv.slice(2),p=w(f,"--agent"),U=w(f,"--name"),ke=w(f,"--role"),Ne=f.includes("--create"),Fe=f.includes("--compute-baseline"),xe=f.includes("--monitor"),Pe=f.includes("--init-config"),Oe=f.includes("--init-policy"),Le=f.includes("init")&&f.includes("claude-code"),qe=f.includes("--force"),_=w(f,"--from-policy"),He=f.includes("--report"),Be=f.includes("--report-all"),Ke=f.includes("--correlations"),We=f.includes("--verify-audit"),Ge=f.includes("--enroll-manifest"),Je=f.includes("--recompute-stats"),Ue=f.includes("--health"),_e=f.includes("--restrict"),Qe=f.includes("--quarantine"),Ve=f.includes("--release")||f[0]==="release",ze=f.includes("--status"),Ye=f.includes("--start-task"),Xe=f.includes("--end-task"),Ze=f.includes("--intent-status"),et=f.includes("--intent-report"),Q=w(f,"--task-id"),V=w(f,"--description"),z=w(f,"--relaxed-actions"),Y=w(f,"--phases"),X=w(f,"--reason"),F=w(f,"--quarantine"),x=w(f,"--quarantine-reason"),j=w(f,"--period"),Z=w(f,"--format"),S=new H;function w(e,o){const n=e.find(a=>a.startsWith(o+"="));if(!n)return;const t=n.indexOf("=");return n.slice(t+1)}async function b(e,o){try{const n=await M(u(e,o,"mode.json"),"utf-8"),t=JSON.parse(n);return t.mode==="restricted"||t.mode==="quarantined"||t.mode==="normal"?t:{mode:"normal"}}catch{return{mode:"normal"}}}function ee(e){const o=["Agent","Score","Status","Mode","C/H/M/L","Last Event","Baseline"],n=e.map(s=>[s.agentId,String(s.score),s.status,s.mode,s.findings,s.lastEvent,s.baseline?"\u2713":"\u2717"]),t=[o,...n],a=o.map((s,l)=>Math.max(...t.map(g=>g[l].length))),r=(s,l)=>s+" ".repeat(l-s.length),i=o.map((s,l)=>r(s,a[l])).join("  "),d=a.map(s=>"-".repeat(s)).join("  "),c=n.map(s=>s.map((l,g)=>r(l,a[g])).join("  "));return[i,d,...c].join(`
-`)}function te(e){const o=["Agent ID","Mode","Reason","Changed"],n=e.map(s=>[s.agentId,s.mode.toUpperCase(),s.reason,s.changed]),t=[o,...n],a=o.map((s,l)=>Math.max(...t.map(g=>g[l].length))),r=(s,l)=>s+" ".repeat(l-s.length),i=o.map((s,l)=>r(s,a[l])).join("  "),d=a.map(s=>"-".repeat(s)).join("  "),c=n.map(s=>s.map((l,g)=>r(l,a[g])).join("  "));return[i,d,...c].join(`
-`)}function ne(e){const o=["Agent ID","Sessions","Last Active","Role","Baseline","Mode","Status"],n=e.map(s=>[s.agentId,String(s.sessions),s.lastActive,s.roleDefined?"\u2713":"\u2717",s.baselineDefined?"\u2713":"\u2717",s.mode??"normal",s.status]),t=[o,...n],a=o.map((s,l)=>Math.max(...t.map(g=>g[l].length))),r=(s,l)=>s+" ".repeat(l-s.length),i=o.map((s,l)=>r(s,a[l])).join("  "),d=a.map(s=>"-".repeat(s)).join("  "),c=n.map(s=>s.map((l,g)=>r(l,a[g])).join("  "));return[i,d,...c].join(`
-`)}function P(e,o){return e<10?"New":o.some(n=>n.severity==="HIGH"||n.severity==="CRITICAL")?"At Risk":o.some(n=>n.severity==="MEDIUM")?"Caution":"Healthy"}function O(e,o){const n=Date.now()-o*24*60*60*1e3;return e.filter(t=>new Date(t.lastActive).getTime()>=n)}function oe(e){return{id:e.id,label:e.label,category:e.category,description:e.description,layer:e.layer,lastActive:e.lastActive,openness:e.openness,connections:e.connections,isRichData:!0,source:e.source,core:e.core,sharable:e.sharable,weight:e.weight,files:e.files}}function L(e,o){const n=["Sentinel \u2014 Live Monitoring","\u2500".repeat(26)];for(const[t,a]of e){const r=(o.get(t)??"manual").toUpperCase(),i=a.getFindings(),d=i.filter(y=>y.severity==="HIGH"||y.severity==="CRITICAL").length,c=i.filter(y=>y.severity==="MEDIUM").length;let s=`${i.length} findings`;d>0?s=`${d} HIGH`:c>0&&(s=`${c} MEDIUM`);const l=P(a.sessionCount,i),g=t.padEnd(18),h=r.padEnd(5);n.push(`[${g}] ${h}| ${a.eventCount} events | ${a.sessionCount} sessions | ${s} | ${l}`)}return n.push(""),n.push("Press Ctrl+C to stop."),n.join(`
-`)}function ae(e){const o=["Monitoring stopped. Summary:"];for(const[n,t]of e){const a=t.getFindings();let r=`${a.length} findings`;if(a.length>0){const i={};for(const c of a)i[c.severity]=(i[c.severity]??0)+1;const d=Object.entries(i).map(([c,s])=>`${s} ${c}`);r=`${a.length} finding${a.length>1?"s":""} (${d.join(", ")})`}o.push(`- ${n}: ${t.eventCount} events, ${t.sessionCount} sessions, ${r}`)}return o.join(`
-`)}async function tt(e,o){const n=u(m(),".dahlia","agents"),t=await b(n,e);if(t.mode==="quarantined"){console.log(`Agent ${e} is quarantined \u2014 cannot downgrade to restricted.`);return}const a=t.mode;await W(u(n,e),{recursive:!0}),await R(u(n,e,"mode.json"),JSON.stringify({mode:"restricted",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const r=await E(u(n,e)),i=new A(e,{logDir:u(n,e)});await i.open(),i.setSigningKey(r.privateKey,r.publicKey),await i.logModeChange("restricted",o,a),await i.close(),console.log(`Agent ${e} RESTRICTED: ${o}`)}async function nt(e,o){const n=u(m(),".dahlia","agents"),a=(await b(n,e)).mode;await W(u(n,e),{recursive:!0}),await R(u(n,e,"mode.json"),JSON.stringify({mode:"quarantined",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const r=await E(u(n,e)),i=new A(e,{logDir:u(n,e)});await i.open(),i.setSigningKey(r.privateKey,r.publicKey),await i.logModeChange("quarantined",o,a),await i.close(),console.log(`Agent ${e} QUARANTINED: ${o}`)}function ot(e,o=1500){return new Promise(n=>{const t=J({host:"127.0.0.1",port:e,path:"/api/sentinel/health",method:"GET"},a=>{a.resume(),n(a.statusCode===200)});t.on("error",()=>n(!1)),t.setTimeout(o,()=>{t.destroy(),n(!1)}),t.end()})}function at(e,o,n){return new Promise((t,a)=>{const r=JSON.stringify({agentId:n,reason:"operator release (sentinel release)"}),i=J({host:"127.0.0.1",port:e,path:"/api/sentinel/release",method:"POST",headers:{"content-type":"application/json","content-length":Buffer.byteLength(r),"x-sentinel-token":o}},d=>{let c="";d.on("data",s=>c+=s),d.on("end",()=>{try{t({status:d.statusCode??0,body:JSON.parse(c)})}catch{t({status:d.statusCode??0,body:c})}})});i.on("error",a),i.setTimeout(3e3,()=>i.destroy(new Error("timeout"))),i.write(r),i.end()})}function se(e){const{id:o,selfDerived:n,previousMode:t,mode:a}=e;return n&&t==="normal"?`Agent ${o} was already normal \u2014 no change. If you are still locked out, your workspace id may differ (e.g. a symlinked root). Run: sentinel release --agent=<id>`:`[live] Agent ${o} RELEASED \u2014 was ${t}, now ${a}. Applied to the running daemon (no restart).`}async function st(e){const o=u(m(),".dahlia","agents"),n=e===void 0,t=e??$e(process.cwd());n&&console.log(`Resolved agent-id from cwd: ${t}`);const a=we(m());if(a&&await ot(a.port))try{const s=await at(a.port,a.token,t);if(s.status===200&&typeof s.body=="object"&&s.body.ok){console.log(se({id:t,selfDerived:n,previousMode:String(s.body.previousMode),mode:String(s.body.mode)}));return}const l=typeof s.body=="object"?JSON.stringify(s.body):s.body;console.error(`[live] daemon refused release (HTTP ${s.status}): ${l}`);return}catch(s){console.error(`[live] daemon release call failed: ${s.message}. Falling back to mode.json.`)}const r=await b(o,t);if(r.mode==="normal"){console.log(`Agent ${t} is already in normal mode.`);return}const i=r.mode;await R(u(o,t,"mode.json"),JSON.stringify({mode:"normal",reason:"manual release",timestamp:new Date().toISOString(),previousMode:i}),"utf-8");const d=await E(u(o,t)),c=new A(t,{logDir:u(o,t)});await c.open(),c.setSigningKey(d.privateKey,d.publicKey),await c.logModeChange("normal","manual release",i),await c.close(),console.log(`[fallback] Agent ${t} RELEASED (was ${i}) \u2014 no running daemon; mode.json written, applies on the daemon's next start.`)}async function it(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found.");return}const o=u(m(),".dahlia","agents"),n=[];for(const a of e){const r=await b(o,a);n.push({agentId:a,mode:r.mode,reason:r.reason??"-",changed:r.timestamp?r.timestamp.split("T")[0]:"-"})}console.log(`Agent Mode Status
-`),console.log(te(n));const t=n.filter(a=>a.mode!=="normal");if(t.length>0){console.log("");for(const a of t){const r=a.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${a.agentId}: ${r}`)}}}async function rt(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found. Create one with --create --agent=ID --name=NAME");return}const o=[];for(const t of e)try{const i=(await S.loadAgentProfile(t)).build().filter(I=>I.source==="agent-monitor"),d=i.length,c=i.length>0?i.map(I=>I.lastActive).sort().reverse()[0].split("T")[0]:"never",l=await new N(t).loadBaseline(t),g=await S.loadRole(t),h=[];if(l){const I=O(i,7),k=new B(l,g);for(const $ of I){const D={label:$.label,category:$.category,lastActive:$.lastActive,description:$.description,weight:$.weight,source:$.source,files:$.files,connections:$.connections};h.push(...k.analyzeSession(D))}}const y=u(m(),".dahlia","agents"),C=await b(y,t);o.push({agentId:t,sessions:d,lastActive:c,roleDefined:g!==null,baselineDefined:l!==null,status:P(d,h),mode:C.mode})}catch(a){console.warn(`Error loading agent ${t}:`,a),o.push({agentId:t,sessions:0,lastActive:"error",roleDefined:!1,baselineDefined:!1,status:"Error",mode:"normal"})}const n=o.filter(t=>t.mode&&t.mode!=="normal");if(n.length>0){for(const t of n){const a=t.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${t.agentId}: ${a}`)}console.log("")}console.log(`Sentinel Agent Overview
-`),console.log(ne(o))}async function lt(e){const o=await S.loadAgentProfile(e),n=await S.loadRole(e),a=await new N(e).loadBaseline(e),i=o.build().filter(D=>D.source==="agent-monitor"),d=O(i,7),c=d.map(oe),s=[];if(a){const D=new B(a,n);for(const v of d){const ce={label:v.label,category:v.category,lastActive:v.lastActive,description:v.description,weight:v.weight,source:v.source,files:v.files,connections:v.connections};s.push(...D.analyzeSession(ce))}}const l=u(m(),".dahlia","profile.json"),g=new fe(l),h=new pe({backend:g});let y=[];await h.load()&&(y=h.build().filter(v=>v.core===!0).map(oe));const I=be({agentId:e,agentName:e,role:n,baseline:a,e:c,findings:s,t:y}),k=new Date().toISOString().split("T")[0],$=`Sentinel Agent Report \u2014 ${e} \u2014 ${d.length} recent sessions \u2014 generated ${k}
+${G(e)}`}import{request as J}from"http";var f=process.argv.slice(2),p=w(f,"--agent"),U=w(f,"--name"),ke=w(f,"--role"),Ne=f.includes("--create"),Fe=f.includes("--compute-baseline"),xe=f.includes("--monitor"),Pe=f.includes("--init-config"),Oe=f.includes("--init-policy"),Le=f.includes("init")&&f.includes("claude-code"),qe=f.includes("--force"),_=w(f,"--from-policy"),He=f.includes("--report"),Be=f.includes("--report-all"),Ke=f.includes("--correlations"),We=f.includes("--verify-audit"),Ge=f.includes("--enroll-manifest"),Je=f.includes("--recompute-stats"),Ue=f.includes("--health"),_e=f.includes("--restrict"),Qe=f.includes("--quarantine"),Ve=f.includes("--release")||f[0]==="release",ze=f.includes("--status"),Ye=f.includes("--start-task"),Xe=f.includes("--end-task"),Ze=f.includes("--intent-status"),et=f.includes("--intent-report"),Q=w(f,"--task-id"),V=w(f,"--description"),z=w(f,"--relaxed-actions"),Y=w(f,"--phases"),X=w(f,"--reason"),F=w(f,"--quarantine"),x=w(f,"--quarantine-reason"),b=w(f,"--period"),Z=w(f,"--format"),S=new H;function w(e,o){const n=e.find(a=>a.startsWith(o+"="));if(!n)return;const t=n.indexOf("=");return n.slice(t+1)}async function T(e,o){try{const n=await j(u(e,o,"mode.json"),"utf-8"),t=JSON.parse(n);return t.mode==="restricted"||t.mode==="quarantined"||t.mode==="normal"?t:{mode:"normal"}}catch{return{mode:"normal"}}}function ee(e){const o=["Agent","Score","Status","Mode","C/H/M/L","Last Event","Baseline"],n=e.map(i=>[i.agentId,String(i.score),i.status,i.mode,i.findings,i.lastEvent,i.baseline?"\u2713":"\u2717"]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),r=(i,l)=>i+" ".repeat(l-i.length),s=o.map((i,l)=>r(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>r(l,a[g])).join("  "));return[s,d,...c].join(`
+`)}function te(e){const o=["Agent ID","Mode","Reason","Changed"],n=e.map(i=>[i.agentId,i.mode.toUpperCase(),i.reason,i.changed]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),r=(i,l)=>i+" ".repeat(l-i.length),s=o.map((i,l)=>r(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>r(l,a[g])).join("  "));return[s,d,...c].join(`
+`)}function ne(e){const o=["Agent ID","Sessions","Last Active","Role","Baseline","Mode","Status"],n=e.map(i=>[i.agentId,String(i.sessions),i.lastActive,i.roleDefined?"\u2713":"\u2717",i.baselineDefined?"\u2713":"\u2717",i.mode??"normal",i.status]),t=[o,...n],a=o.map((i,l)=>Math.max(...t.map(g=>g[l].length))),r=(i,l)=>i+" ".repeat(l-i.length),s=o.map((i,l)=>r(i,a[l])).join("  "),d=a.map(i=>"-".repeat(i)).join("  "),c=n.map(i=>i.map((l,g)=>r(l,a[g])).join("  "));return[s,d,...c].join(`
+`)}function P(e,o){return e<10?"New":o.some(n=>n.severity==="HIGH"||n.severity==="CRITICAL")?"At Risk":o.some(n=>n.severity==="MEDIUM")?"Caution":"Healthy"}function O(e,o){const n=Date.now()-o*24*60*60*1e3;return e.filter(t=>new Date(t.lastActive).getTime()>=n)}function oe(e){return{id:e.id,label:e.label,category:e.category,description:e.description,layer:e.layer,lastActive:e.lastActive,openness:e.openness,connections:e.connections,isRichData:!0,source:e.source,core:e.core,sharable:e.sharable,weight:e.weight,files:e.files}}function L(e,o){const n=["Sentinel \u2014 Live Monitoring","\u2500".repeat(26)];for(const[t,a]of e){const r=(o.get(t)??"manual").toUpperCase(),s=a.getFindings(),d=s.filter(y=>y.severity==="HIGH"||y.severity==="CRITICAL").length,c=s.filter(y=>y.severity==="MEDIUM").length;let i=`${s.length} findings`;d>0?i=`${d} HIGH`:c>0&&(i=`${c} MEDIUM`);const l=P(a.sessionCount,s),g=t.padEnd(18),h=r.padEnd(5);n.push(`[${g}] ${h}| ${a.eventCount} events | ${a.sessionCount} sessions | ${i} | ${l}`)}return n.push(""),n.push("Press Ctrl+C to stop."),n.join(`
+`)}function ae(e){const o=["Monitoring stopped. Summary:"];for(const[n,t]of e){const a=t.getFindings();let r=`${a.length} findings`;if(a.length>0){const s={};for(const c of a)s[c.severity]=(s[c.severity]??0)+1;const d=Object.entries(s).map(([c,i])=>`${i} ${c}`);r=`${a.length} finding${a.length>1?"s":""} (${d.join(", ")})`}o.push(`- ${n}: ${t.eventCount} events, ${t.sessionCount} sessions, ${r}`)}return o.join(`
+`)}async function tt(e,o){const n=u(m(),".dahlia","agents"),t=await T(n,e);if(t.mode==="quarantined"){console.log(`Agent ${e} is quarantined \u2014 cannot downgrade to restricted.`);return}const a=t.mode;await W(u(n,e),{recursive:!0}),await C(u(n,e,"mode.json"),JSON.stringify({mode:"restricted",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const r=await M(u(n,e)),s=new A(e,{logDir:u(n,e)});await s.open(),s.setSigningKey(r.privateKey,r.publicKey),await s.logModeChange("restricted",o,a),await s.close(),console.log(`Agent ${e} RESTRICTED: ${o}`)}async function nt(e,o){const n=u(m(),".dahlia","agents"),a=(await T(n,e)).mode;await W(u(n,e),{recursive:!0}),await C(u(n,e,"mode.json"),JSON.stringify({mode:"quarantined",reason:o,timestamp:new Date().toISOString(),previousMode:a}),"utf-8");const r=await M(u(n,e)),s=new A(e,{logDir:u(n,e)});await s.open(),s.setSigningKey(r.privateKey,r.publicKey),await s.logModeChange("quarantined",o,a),await s.close(),console.log(`Agent ${e} QUARANTINED: ${o}`)}function ot(e,o=1500){return new Promise(n=>{const t=J({host:"127.0.0.1",port:e,path:"/api/sentinel/health",method:"GET"},a=>{a.resume(),n(a.statusCode===200)});t.on("error",()=>n(!1)),t.setTimeout(o,()=>{t.destroy(),n(!1)}),t.end()})}function at(e,o,n){return new Promise((t,a)=>{const r=JSON.stringify({agentId:n,reason:"operator release (sentinel release)"}),s=J({host:"127.0.0.1",port:e,path:"/api/sentinel/release",method:"POST",headers:{"content-type":"application/json","content-length":Buffer.byteLength(r),"x-sentinel-token":o}},d=>{let c="";d.on("data",i=>c+=i),d.on("end",()=>{try{t({status:d.statusCode??0,body:JSON.parse(c)})}catch{t({status:d.statusCode??0,body:c})}})});s.on("error",a),s.setTimeout(3e3,()=>s.destroy(new Error("timeout"))),s.write(r),s.end()})}function se(e){const{id:o,selfDerived:n,previousMode:t,mode:a}=e;return n&&t==="normal"?`Agent ${o} was already normal \u2014 no change. If you are still locked out, your workspace id may differ (e.g. a symlinked root). Run: sentinel release --agent=<id>`:`[live] Agent ${o} RELEASED \u2014 was ${t}, now ${a}. Applied to the running daemon (no restart).`}async function st(e){const o=u(m(),".dahlia","agents"),n=e===void 0,t=e??$e(process.cwd());n&&console.log(`Resolved agent-id from cwd: ${t}`);const a=we(m());if(a&&await ot(a.port))try{const i=await at(a.port,a.token,t);if(i.status===200&&typeof i.body=="object"&&i.body.ok){console.log(se({id:t,selfDerived:n,previousMode:String(i.body.previousMode),mode:String(i.body.mode)}));return}const l=typeof i.body=="object"?JSON.stringify(i.body):i.body;console.error(`[live] daemon refused release (HTTP ${i.status}): ${l}`);return}catch(i){console.error(`[live] daemon release call failed: ${i.message}. Falling back to mode.json.`)}const r=await T(o,t);if(r.mode==="normal"){console.log(`Agent ${t} is already in normal mode.`);return}const s=r.mode;await C(u(o,t,"mode.json"),JSON.stringify({mode:"normal",reason:"manual release",timestamp:new Date().toISOString(),previousMode:s}),"utf-8");const d=await M(u(o,t)),c=new A(t,{logDir:u(o,t)});await c.open(),c.setSigningKey(d.privateKey,d.publicKey),await c.logModeChange("normal","manual release",s),await c.close(),console.log(`[fallback] Agent ${t} RELEASED (was ${s}) \u2014 no running daemon; mode.json written, applies on the daemon's next start.`)}async function it(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found.");return}const o=u(m(),".dahlia","agents"),n=[];for(const a of e){const r=await T(o,a);n.push({agentId:a,mode:r.mode,reason:r.reason??"-",changed:r.timestamp?r.timestamp.split("T")[0]:"-"})}console.log(`Agent Mode Status
+`),console.log(te(n));const t=n.filter(a=>a.mode!=="normal");if(t.length>0){console.log("");for(const a of t){const r=a.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${a.agentId}: ${r}`)}}}async function rt(){const e=await S.listAgents();if(e.length===0){console.log("No monitored agents found. Create one with --create --agent=ID --name=NAME");return}const o=[];for(const t of e)try{const s=(await S.loadAgentProfile(t)).build().filter(I=>I.source==="agent-monitor"),d=s.length,c=s.length>0?s.map(I=>I.lastActive).sort().reverse()[0].split("T")[0]:"never",l=await new N(t).loadBaseline(t),g=await S.loadRole(t),h=[];if(l){const I=O(s,7),k=new B(l,g);for(const $ of I){const D={label:$.label,category:$.category,lastActive:$.lastActive,description:$.description,weight:$.weight,source:$.source,files:$.files,connections:$.connections};h.push(...k.analyzeSession(D))}}const y=u(m(),".dahlia","agents"),E=await T(y,t);o.push({agentId:t,sessions:d,lastActive:c,roleDefined:g!==null,baselineDefined:l!==null,status:P(d,h),mode:E.mode})}catch(a){console.warn(`Error loading agent ${t}:`,a),o.push({agentId:t,sessions:0,lastActive:"error",roleDefined:!1,baselineDefined:!1,status:"Error",mode:"normal"})}const n=o.filter(t=>t.mode&&t.mode!=="normal");if(n.length>0){for(const t of n){const a=t.mode==="quarantined"?"QUARANTINED":"RESTRICTED";console.log(`\u26A0 ${t.agentId}: ${a}`)}console.log("")}console.log(`Sentinel Agent Overview
+`),console.log(ne(o))}async function lt(e){const o=await S.loadAgentProfile(e),n=await S.loadRole(e),a=await new N(e).loadBaseline(e),s=o.build().filter(D=>D.source==="agent-monitor"),d=O(s,7),c=d.map(oe),i=[];if(a){const D=new B(a,n);for(const v of d){const ce={label:v.label,category:v.category,lastActive:v.lastActive,description:v.description,weight:v.weight,source:v.source,files:v.files,connections:v.connections};i.push(...D.analyzeSession(ce))}}const l=u(m(),".dahlia","profile.json"),g=new ue(l),h=new fe({backend:g});let y=[];await h.load()&&(y=h.build().filter(v=>v.core===!0).map(oe));const I=be({agentId:e,agentName:e,role:n,baseline:a,e:c,findings:i,t:y}),k=new Date().toISOString().split("T")[0],$=`Sentinel Agent Report \u2014 ${e} \u2014 ${d.length} recent sessions \u2014 generated ${k}
 
-`;process.stdout.write($+I)}async function ct(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=new N(e),a=await t.computeBaseline(n);await n.close(),await t.saveBaseline(a),console.log(`Baseline computed for agent: ${e}`),console.log(`  Sessions: ${a.totalSessions}`),console.log(`  Period: ${a.periodDays} days`),console.log("  Action distribution:");for(const[r,i]of Object.entries(a.actionDistribution))console.log(`    ${r}: ${i}%`);console.log(`  Saved to: ~/.dahlia/agents/${e}/baseline.json`)}async function dt(e,o,n){let t;if(n){let a;try{a=await M(n,"utf-8")}catch(r){console.error(`Failed to read role file "${n}":`,r);return}try{t=JSON.parse(a)}catch(r){console.error(`Invalid JSON in role file "${n}":`,r.message);return}}await S.createAgent(e,o,t),console.log(`Agent created: ${e} (${o})`),t&&console.log(`  Role loaded from: ${n}`)}async function gt(){const e=u(m(),".dahlia","sentinel.json");try{await K(e),console.log(`Config already exists at ${e}`);return}catch{}await R(e,JSON.stringify({agents:[{agentId:"example-agent",name:"Example Agent",adapterType:"log",logPath:"/path/to/agent/activity.log",logFormat:"json-lines",roleDefinitionPath:"~/.dahlia/agents/example-agent/role.json"}],baselineWindowDays:30},null,2)+`
-`),console.log("Template config created at ~/.dahlia/sentinel.json \u2014 edit it with your agent details then run: npm run sentinel -- --monitor")}async function q(){const e=u(m(),".dahlia","sentinel.json");try{const o=await M(e,"utf-8");return JSON.parse(o)}catch(o){if(o.code==="ENOENT")return null;if(o instanceof SyntaxError)return console.error(`Invalid JSON in sentinel config: ${o.message}`),null;throw o}}async function ut(e){const o=await q();if(!o){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config to add agents. See docs for config format.");return}let n=o.agents;if(e&&(n=n.filter(l=>l.agentId===e),n.length===0)){console.log(`Agent "${e}" not found in sentinel.json`);return}const t=new Map,a=new Map,r=l=>l&&l.startsWith("~/")?m()+l.slice(1):l;let i;if(o.alerts){const l={...o.alerts.minSeverity&&{minSeverity:o.alerts.minSeverity},...o.alerts.dedupeWindowMs!==void 0&&{dedupeWindowMs:o.alerts.dedupeWindowMs},...o.alerts.quietHoursEnabled!==void 0&&{quietHoursEnabled:o.alerts.quietHoursEnabled},...o.alerts.quietHours&&{quietHours:o.alerts.quietHours},...o.alerts.channels&&{channels:o.alerts.channels}};i=new ge(l)}for(const l of n)try{const g=new he(l.agentId,void 0,{type:l.adapterType,logPath:r(l.logPath),logFormat:l.logFormat,fieldMapping:l.fieldMapping,mcpLogDir:r(l.mcpLogDir),webhookPort:l.webhookPort,webhookApiKey:l.webhookApiKey,readExisting:l.readExisting});g.setAuditLogDir(u(m(),".dahlia","agents",l.agentId)),g.setFindingCallback(h=>{(h.severity==="HIGH"||h.severity==="CRITICAL")&&console.log(`
-\u26A0 [${h.agentId}] ${h.severity}: ${h.description}`)}),i&&g.setAlertManager(i),await g.start(),t.set(l.agentId,g),a.set(l.agentId,l.adapterType)}catch(g){console.error(`Failed to start monitoring for agent ${l.agentId}:`,g)}console.log(L(t,a));const d=setInterval(()=>{console.clear(),console.log(L(t,a))},5e3),c=async()=>{clearInterval(d);for(const[l,g]of t)try{await g.stop()}catch(h){console.warn(`Error stopping runner ${l}:`,h)}console.log(`
-`+ae(t)),process.exit(0)},s=()=>{c().catch(l=>{console.error("Error during shutdown:",l),process.exit(1)})};process.on("SIGINT",s),process.on("SIGTERM",s)}async function ft(e,o,n){const a=await new me(e).generateReport({periodDays:o,format:n});process.stdout.write(a)}async function pt(e,o){const n=await ye({periodDays:e,format:o});process.stdout.write(n)}async function mt(){const e=await q();if(!e){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config.");return}const o=u(m(),".dahlia","agents"),n=new Map;try{for(const r of e.agents){const i=new A(r.agentId,{logDir:u(o,r.agentId)});await i.open(),n.set(r.agentId,i)}const a=await new ue().detect(n);if(a.length===0){console.log("No cross-agent correlations detected.");return}console.log(`Found ${a.length} cross-agent correlation(s):
-`);for(const r of a)console.log(`[${r.severity}] ${r.rule}`),console.log(`  Agent A: ${r.agentA.agentId} \u2014 ${r.agentA.action} on ${r.agentA.target}`),console.log(`  Agent B: ${r.agentB.agentId} \u2014 ${r.agentB.action} on ${r.agentB.target}`),console.log(`  Time delta: ${Math.round(r.timeDeltaMs/1e3)}s`),console.log(`  Recommendation: ${r.recommendation}`),console.log("")}finally{for(const t of n.values())await t.close()}}async function ht(e){const o=u(m(),".dahlia","agents"),n=u(o,e,"cumulative-stats.json");let t="(none)";try{t=JSON.parse(await M(n,"utf-8")).totalEntries}catch{}const r=await new A(e,{logDir:u(o,e)}).recomputeCumulativeStats();console.log(`Recomputed cumulative-stats for ${e}:`),console.log(`  totalEntries: ${t} \u2192 ${r.totalEntries}`),console.log(`  scope: ${r.countScope}`),console.log("  (Read-only over the signed trail; only cumulative-stats.json rewritten.)")}async function yt(e){const o=u(m(),".dahlia","agents"),n=u(o,e),t=await E(n),a=new A(e,{logDir:n});a.setSigningKey(t.privateKey,t.publicKey);const r=F&&x?[{file:F,reason:x}]:void 0,i=await a.enrollManifest(r?{quarantine:r}:void 0);console.log(`Manifest enrolled for ${e}: ${i.records} file record(s) signed + chained`+(i.quarantined?`, ${i.quarantined} quarantine record(s)`:"")+"."),r&&console.log(`  Quarantined: ${F} \u2014 ${x}`),console.log("  (Read-only over audit entries; protects from enrollment forward.)")}async function wt(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.verify();if(t.valid?console.log(`Audit trail for ${e}: VALID (${t.totalEntries} entries verified)`):t.brokenAt!==void 0?console.log(`Audit trail for ${e}: BROKEN at entry ${t.brokenAt} (${t.totalEntries} entries checked)`):console.log(`Audit trail for ${e}: INVALID \u2014 file-level manifest integrity failure (${t.totalEntries} entries chain-verified)`),t.manifest){const r=t.manifest;console.log(`  Manifest: ${r.recordCount} file record(s) \u2014 ${r.ok?"OK":`${r.issues.length} issue(s)`}`);for(const i of r.issues)console.log(`    [${i.type}] ${i.detail}`);for(const i of r.quarantined)console.log(`    [QUARANTINED] ${i.file} \u2014 ${i.reason} (retained on disk, excluded from verdict)`)}const a=await n.query({type:"finding",limit:1e4});if(a.length>0){let r=0,i=0,d=0;for(const s of a){const l=s.decision;l==="deny"?i++:l==="modify"?d++:r++}console.log(`  Findings: ${a.length} total \u2014 ${r} allowed, ${i} denied, ${d} modified`);const c=a.slice(0,5);for(const s of c){const l=s,g=l.decision,h=l.modification,y=l.description,C=l._decisionDefaulted===!0;g==="modify"&&h?.type==="append_args"?console.log(`    [modified] ${y} \u2014 appended args: [${h.args.join(", ")}]`):console.log(g==="deny"?`    [denied] ${y}`:C?`    [allowed (legacy)] ${y}`:`    [allowed] ${y}`)}}await n.close()}async function $t(){const e=u(m(),".dahlia","agents"),o=new T({agentsDir:e}),t=await new H(e).listAgents();if(t.length===0){console.log("No monitored agents found."),await o.stop();return}const a=[];for(const r of t){const i=await o.getHealthScore(r);a.push({agentId:r,score:i.score,status:i.status,mode:i.mode,findings:`${i.findings.critical}/${i.findings.high}/${i.findings.medium}/${i.findings.low}`,lastEvent:i.lastEvent?i.lastEvent.split("T")[0]:"-",baseline:i.baselineEstablished})}await o.stop(),console.log(`Agent Health Dashboard
+`;process.stdout.write($+I)}async function ct(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=new N(e),a=await t.computeBaseline(n);await n.close(),await t.saveBaseline(a),console.log(`Baseline computed for agent: ${e}`),console.log(`  Sessions: ${a.totalSessions}`),console.log(`  Period: ${a.periodDays} days`),console.log("  Action distribution:");for(const[r,s]of Object.entries(a.actionDistribution))console.log(`    ${r}: ${s}%`);console.log(`  Saved to: ~/.dahlia/agents/${e}/baseline.json`)}async function dt(e,o,n){let t;if(n){let a;try{a=await j(n,"utf-8")}catch(r){console.error(`Failed to read role file "${n}":`,r);return}try{t=JSON.parse(a)}catch(r){console.error(`Invalid JSON in role file "${n}":`,r.message);return}}await S.createAgent(e,o,t),console.log(`Agent created: ${e} (${o})`),t&&console.log(`  Role loaded from: ${n}`)}async function gt(){const e=u(m(),".dahlia","sentinel.json");try{await K(e),console.log(`Config already exists at ${e}`);return}catch{}await C(e,JSON.stringify({agents:[{agentId:"example-agent",name:"Example Agent",adapterType:"log",logPath:"/path/to/agent/activity.log",logFormat:"json-lines",roleDefinitionPath:"~/.dahlia/agents/example-agent/role.json"}],baselineWindowDays:30},null,2)+`
+`),console.log("Template config created at ~/.dahlia/sentinel.json \u2014 edit it with your agent details then run: npm run sentinel -- --monitor")}async function q(){const e=u(m(),".dahlia","sentinel.json");try{const o=await j(e,"utf-8");return JSON.parse(o)}catch(o){if(o.code==="ENOENT")return null;if(o instanceof SyntaxError)return console.error(`Invalid JSON in sentinel config: ${o.message}`),null;throw o}}async function ut(e){const o=await q();if(!o){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config to add agents. See docs for config format.");return}let n=o.agents;if(e&&(n=n.filter(l=>l.agentId===e),n.length===0)){console.log(`Agent "${e}" not found in sentinel.json`);return}const t=new Map,a=new Map,r=l=>l&&l.startsWith("~/")?m()+l.slice(1):l;let s;if(o.alerts){const l={...o.alerts.minSeverity&&{minSeverity:o.alerts.minSeverity},...o.alerts.dedupeWindowMs!==void 0&&{dedupeWindowMs:o.alerts.dedupeWindowMs},...o.alerts.quietHoursEnabled!==void 0&&{quietHoursEnabled:o.alerts.quietHoursEnabled},...o.alerts.quietHours&&{quietHours:o.alerts.quietHours},...o.alerts.channels&&{channels:o.alerts.channels}};s=new de(l)}for(const l of n)try{const g=new me(l.agentId,void 0,{type:l.adapterType,logPath:r(l.logPath),logFormat:l.logFormat,fieldMapping:l.fieldMapping,mcpLogDir:r(l.mcpLogDir),webhookPort:l.webhookPort,webhookApiKey:l.webhookApiKey,readExisting:l.readExisting});g.setAuditLogDir(u(m(),".dahlia","agents",l.agentId)),g.setFindingCallback(h=>{(h.severity==="HIGH"||h.severity==="CRITICAL")&&console.log(`
+\u26A0 [${h.agentId}] ${h.severity}: ${h.description}`)}),s&&g.setAlertManager(s),await g.start(),t.set(l.agentId,g),a.set(l.agentId,l.adapterType)}catch(g){console.error(`Failed to start monitoring for agent ${l.agentId}:`,g)}console.log(L(t,a));const d=setInterval(()=>{console.clear(),console.log(L(t,a))},5e3),c=async()=>{clearInterval(d);for(const[l,g]of t)try{await g.stop()}catch(h){console.warn(`Error stopping runner ${l}:`,h)}console.log(`
+`+ae(t)),process.exit(0)},i=()=>{c().catch(l=>{console.error("Error during shutdown:",l),process.exit(1)})};process.on("SIGINT",i),process.on("SIGTERM",i)}async function ft(e,o,n){const a=await new pe(e).generateReport({periodDays:o,format:n});process.stdout.write(a)}async function pt(e,o){const n=await he({periodDays:e,format:o});process.stdout.write(n)}async function mt(e=30){const o=await q();if(!o){console.log("No sentinel config found. Create ~/.dahlia/sentinel.json or use --init-config.");return}const n=u(m(),".dahlia","agents"),t=new Map;try{for(const s of o.agents){const d=new A(s.agentId,{logDir:u(n,s.agentId)});await d.open(),t.set(s.agentId,d)}const r=await new ge().detect(t,e*24*60*60*1e3);if(r.length===0){console.log("No cross-agent correlations detected.");return}console.log(`Found ${r.length} cross-agent correlation(s):
+`);for(const s of r)console.log(`[${s.severity}] ${s.rule}`),console.log(`  Agent A: ${s.agentA.agentId} \u2014 ${s.agentA.action} on ${s.agentA.target}`),console.log(`  Agent B: ${s.agentB.agentId} \u2014 ${s.agentB.action} on ${s.agentB.target}`),console.log(`  Time delta: ${Math.round(s.timeDeltaMs/1e3)}s`),console.log(`  Recommendation: ${s.recommendation}`),console.log("")}finally{for(const a of t.values())await a.close()}}async function ht(e){const o=u(m(),".dahlia","agents"),n=u(o,e,"cumulative-stats.json");let t="(none)";try{t=JSON.parse(await j(n,"utf-8")).totalEntries}catch{}const r=await new A(e,{logDir:u(o,e)}).recomputeCumulativeStats();console.log(`Recomputed cumulative-stats for ${e}:`),console.log(`  totalEntries: ${t} \u2192 ${r.totalEntries}`),console.log(`  scope: ${r.countScope}`),console.log("  (Read-only over the signed trail; only cumulative-stats.json rewritten.)")}async function yt(e){const o=u(m(),".dahlia","agents"),n=u(o,e),t=await M(n),a=new A(e,{logDir:n});a.setSigningKey(t.privateKey,t.publicKey);const r=F&&x?[{file:F,reason:x}]:void 0,s=await a.enrollManifest(r?{quarantine:r}:void 0);console.log(`Manifest enrolled for ${e}: ${s.records} file record(s) signed + chained`+(s.quarantined?`, ${s.quarantined} quarantine record(s)`:"")+"."),r&&console.log(`  Quarantined: ${F} \u2014 ${x}`),console.log("  (Read-only over audit entries; protects from enrollment forward.)")}async function wt(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.verify();if(t.valid?console.log(`Audit trail for ${e}: VALID (${t.totalEntries} entries verified)`):t.brokenAt!==void 0?console.log(`Audit trail for ${e}: BROKEN at entry ${t.brokenAt} (${t.totalEntries} entries checked)`):console.log(`Audit trail for ${e}: INVALID \u2014 file-level manifest integrity failure (${t.totalEntries} entries chain-verified)`),t.manifest){const r=t.manifest;console.log(`  Manifest: ${r.recordCount} file record(s) \u2014 ${r.ok?"OK":`${r.issues.length} issue(s)`}`);for(const s of r.issues)console.log(`    [${s.type}] ${s.detail}`);for(const s of r.quarantined)console.log(`    [QUARANTINED] ${s.file} \u2014 ${s.reason} (retained on disk, excluded from verdict)`)}const a=await n.query({type:"finding",limit:1e4});if(a.length>0){let r=0,s=0,d=0;for(const i of a){const l=i.decision;l==="deny"?s++:l==="modify"?d++:r++}console.log(`  Findings: ${a.length} total \u2014 ${r} allowed, ${s} denied, ${d} modified`);const c=a.slice(0,5);for(const i of c){const l=i,g=l.decision,h=l.modification,y=l.description,E=l._decisionDefaulted===!0;g==="modify"&&h?.type==="append_args"?console.log(`    [modified] ${y} \u2014 appended args: [${h.args.join(", ")}]`):console.log(g==="deny"?`    [denied] ${y}`:E?`    [allowed (legacy)] ${y}`:`    [allowed] ${y}`)}}await n.close()}async function $t(){const e=u(m(),".dahlia","agents"),o=new R({agentsDir:e}),t=await new H(e).listAgents();if(t.length===0){console.log("No monitored agents found."),await o.stop();return}const a=[];for(const r of t){const s=await o.getHealthScore(r);a.push({agentId:r,score:s.score,status:s.status,mode:s.mode,findings:`${s.findings.critical}/${s.findings.high}/${s.findings.medium}/${s.findings.low}`,lastEvent:s.lastEvent?s.lastEvent.split("T")[0]:"-",baseline:s.baselineEstablished})}await o.stop(),console.log(`Agent Health Dashboard
 `),console.log(ee(a))}var ie=`# Sentinel \u2014 Agent Security Policy
 version: "1.0"
 
@@ -72,9 +72,9 @@ policy:
 #   repoRoot: .                        # scan this directory for sensitive files
 #   mapPath: ~/.dahlia/repo-sensitivity.json
 #   overlayPath: ~/.dahlia/repo-sensitivity.review.json
-`;async function re(){const e=u(process.cwd(),".sentinel.yaml");try{await K(e),console.log(`.sentinel.yaml already exists in ${process.cwd()}`);return}catch{}await R(e,ie,"utf-8"),console.log("Created .sentinel.yaml \u2014 edit then run: npm run sentinel -- --from-policy .sentinel.yaml")}async function le(e){const o=await ve(e),n=await T.fromPolicy(e);console.log(`Loaded policy for agent ${o.agent.id}. Monitoring active.`);const t=async()=>{await n.stop(),console.log("Monitoring stopped."),process.exit(0)},a=()=>{t().catch(r=>{console.error("Error during shutdown:",r),process.exit(1)})};process.on("SIGINT",a),process.on("SIGTERM",a)}async function vt(e,o,n){const t=u(m(),".dahlia","agents"),a=new T({agentsDir:t});await a.addAgent(e,e);const r=z?z.split(","):void 0,i=Y?Y.split(",").map(c=>c.trim()):void 0,d=a.startTask(e,o,n,{relaxedActions:r,phases:i});if(!d){console.log(`Failed to start task for agent ${e}.`),await a.stop();return}console.log(`Task started for agent ${e}:`),console.log(`  Task ID:     ${d.taskId}`),console.log(`  Description: ${d.description}`),console.log(`  Keywords:    ${d.keywords.join(", ")}`),d.relaxedActions?.length&&console.log(`  Relaxed:     ${d.relaxedActions.join(", ")}`),d.phases?.length&&console.log(`  Phases:      ${d.phases.join(", ")}`),console.log(`  TTL:         ${(d.ttlMs/6e4).toFixed(0)} minutes`),await a.stop()}async function At(e){const o=u(m(),".dahlia","agents"),n=new T({agentsDir:o});await n.addAgent(e,e);const t=n.endTask(e);t?(console.log(`Task ended for agent ${e}:`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Status:      ${t.status}`)):console.log(`No active task found for agent ${e}.`),await n.stop()}async function It(e){const o=u(m(),".dahlia","agents"),n=new T({agentsDir:o});await n.addAgent(e,e);const t=n.getActiveTask(e);if(!t){console.log(`No active task for agent ${e}.`),await n.stop();return}const a=Date.now()-new Date(t.startedAt).getTime(),r=t.ttlMs-a;console.log(`Active task for agent ${e}:
-`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Keywords:    ${t.keywords.join(", ")}`),console.log(`  Status:      ${t.status}`),console.log(`  Active for:  ${(a/6e4).toFixed(1)} minutes`),console.log(`  TTL remain:  ${r>0?(r/6e4).toFixed(1)+" minutes":"EXPIRED"}`),t.relaxedActions?.length&&console.log(`  Relaxed:     ${t.relaxedActions.join(", ")}`),t.phases?.length&&console.log(`  Phases:      ${t.phases.join(", ")}`),t.acceptableActions.length>0&&console.log(`  Acceptable:  ${t.acceptableActions.map(i=>`${i.action}:${i.targetPattern}`).join(", ")}`),await n.stop()}async function St(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.getStats(),a=await n.query({type:"intent_check"}),i=(await n.query({type:"finding"})).filter(c=>typeof c.data=="object"&&c.data!==null&&"type"in c.data&&c.data.type==="intent_drift");console.log(`Intent Alignment Report \u2014 ${e}
-`),console.log(`  Intent starts:  ${t.intentStartCount}`),console.log(`  Intent ends:    ${t.intentEndCount}`),console.log(`  Intent checks:  ${t.intentCheckCount}`),console.log(`  Drift findings: ${t.intentDriftCount}`),t.averageAlignmentScore!==null&&console.log(`  Avg alignment:  ${t.averageAlignmentScore.toFixed(2)}`);const d=a.filter(c=>{const s=c.data;return s&&typeof s=="object"&&"aligned"in s&&!s.aligned}).slice(-5);if(d.length>0){console.log(`
-  Last ${d.length} misaligned action(s):`);for(const c of d){const s=c.data,l=typeof s.score=="number"?s.score.toFixed(2):"?",g=s.event,h=g?.action??"?",y=g?.primaryTarget??g?.targets?.[0]??g?.target??"?";console.log(`    score: ${l}  ${h} \u2192 ${y}  (${c.timestamp.split("T")[0]})`)}}if(i.length>0){console.log(`
-  Recent drift findings: ${i.length}`);for(const c of i.slice(-3)){const s=c.data,l=s.severity??"?",g=s.description??"";console.log(`    [${l}] ${typeof g=="string"?g.slice(0,80):g}`)}}await n.close()}async function Dt(e,o){try{const n=await de({force:e,port:o});if(n.created.length>0){console.log("Created:");for(const t of n.created)console.log(`  ${t}`)}if(n.skipped.length>0){console.log("Skipped (already exists \u2014 use --force to overwrite):");for(const t of n.skipped)console.log(`  ${t}`)}if(n.merged.length>0){console.log("Merged:");for(const t of n.merged)console.log(`  ${t}`)}if(n.errors.length>0){console.log("Errors:");for(const t of n.errors)console.log(`  ${t}`)}n.errors.length===0&&console.log(`
-Sentinel + Claude Code integration ready.`)}catch(n){console.error(`Init failed: ${n.message}`),process.exit(1)}}if(Le){const e=w(f,"--port");await Dt(qe,e?parseInt(e,10):void 0)}else if(Ye&&p&&Q&&V)await vt(p,Q,V);else if(Xe&&p)await At(p);else if(Ze&&p)await It(p);else if(et&&p)await St(p);else if(Oe)await re();else if(_)await le(_);else if(Ge&&p)await yt(p);else if(Je&&p)await ht(p);else if(We&&p)await wt(p);else if(Ue)await $t();else if(_e&&p)await tt(p,X??"No reason provided");else if(Qe&&p)await nt(p,X??"No reason provided");else if(Ve)await st(p);else if(ze)await it();else if(Pe)await gt();else if(xe)await ut(p);else if(Ne&&p&&U)await dt(p,U,ke);else if(Fe&&p)await ct(p);else if(Be){const e=j?parseInt(j,10):30;await pt(e,Z==="json"?"json":"markdown")}else if(He&&p){const e=j?parseInt(j,10):30;await ft(p,e,Z==="json"?"json":"markdown")}else Ke?await mt():p?await lt(p):await rt();
+`;async function re(){const e=u(process.cwd(),".sentinel.yaml");try{await K(e),console.log(`.sentinel.yaml already exists in ${process.cwd()}`);return}catch{}await C(e,ie,"utf-8"),console.log("Created .sentinel.yaml \u2014 edit then run: npm run sentinel -- --from-policy .sentinel.yaml")}async function le(e){const o=await ve(e),n=await R.fromPolicy(e);console.log(`Loaded policy for agent ${o.agent.id}. Monitoring active.`);const t=async()=>{await n.stop(),console.log("Monitoring stopped."),process.exit(0)},a=()=>{t().catch(r=>{console.error("Error during shutdown:",r),process.exit(1)})};process.on("SIGINT",a),process.on("SIGTERM",a)}async function vt(e,o,n){const t=u(m(),".dahlia","agents"),a=new R({agentsDir:t});await a.addAgent(e,e);const r=z?z.split(","):void 0,s=Y?Y.split(",").map(c=>c.trim()):void 0,d=a.startTask(e,o,n,{relaxedActions:r,phases:s});if(!d){console.log(`Failed to start task for agent ${e}.`),await a.stop();return}console.log(`Task started for agent ${e}:`),console.log(`  Task ID:     ${d.taskId}`),console.log(`  Description: ${d.description}`),console.log(`  Keywords:    ${d.keywords.join(", ")}`),d.relaxedActions?.length&&console.log(`  Relaxed:     ${d.relaxedActions.join(", ")}`),d.phases?.length&&console.log(`  Phases:      ${d.phases.join(", ")}`),console.log(`  TTL:         ${(d.ttlMs/6e4).toFixed(0)} minutes`),await a.stop()}async function At(e){const o=u(m(),".dahlia","agents"),n=new R({agentsDir:o});await n.addAgent(e,e);const t=n.endTask(e);t?(console.log(`Task ended for agent ${e}:`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Status:      ${t.status}`)):console.log(`No active task found for agent ${e}.`),await n.stop()}async function It(e){const o=u(m(),".dahlia","agents"),n=new R({agentsDir:o});await n.addAgent(e,e);const t=n.getActiveTask(e);if(!t){console.log(`No active task for agent ${e}.`),await n.stop();return}const a=Date.now()-new Date(t.startedAt).getTime(),r=t.ttlMs-a;console.log(`Active task for agent ${e}:
+`),console.log(`  Task ID:     ${t.taskId}`),console.log(`  Description: ${t.description}`),console.log(`  Keywords:    ${t.keywords.join(", ")}`),console.log(`  Status:      ${t.status}`),console.log(`  Active for:  ${(a/6e4).toFixed(1)} minutes`),console.log(`  TTL remain:  ${r>0?(r/6e4).toFixed(1)+" minutes":"EXPIRED"}`),t.relaxedActions?.length&&console.log(`  Relaxed:     ${t.relaxedActions.join(", ")}`),t.phases?.length&&console.log(`  Phases:      ${t.phases.join(", ")}`),t.acceptableActions.length>0&&console.log(`  Acceptable:  ${t.acceptableActions.map(s=>`${s.action}:${s.targetPattern}`).join(", ")}`),await n.stop()}async function St(e){const o=u(m(),".dahlia","agents"),n=new A(e,{logDir:u(o,e)});await n.open();const t=await n.getStats(),a=await n.query({type:"intent_check"}),s=(await n.query({type:"finding"})).filter(c=>typeof c.data=="object"&&c.data!==null&&"type"in c.data&&c.data.type==="intent_drift");console.log(`Intent Alignment Report \u2014 ${e}
+`),console.log(`  Intent starts:  ${t.intentStartCount}`),console.log(`  Intent ends:    ${t.intentEndCount}`),console.log(`  Intent checks:  ${t.intentCheckCount}`),console.log(`  Drift findings: ${t.intentDriftCount}`),t.averageAlignmentScore!==null&&console.log(`  Avg alignment:  ${t.averageAlignmentScore.toFixed(2)}`);const d=a.filter(c=>{const i=c.data;return i&&typeof i=="object"&&"aligned"in i&&!i.aligned}).slice(-5);if(d.length>0){console.log(`
+  Last ${d.length} misaligned action(s):`);for(const c of d){const i=c.data,l=typeof i.score=="number"?i.score.toFixed(2):"?",g=i.event,h=g?.action??"?",y=g?.primaryTarget??g?.targets?.[0]??g?.target??"?";console.log(`    score: ${l}  ${h} \u2192 ${y}  (${c.timestamp.split("T")[0]})`)}}if(s.length>0){console.log(`
+  Recent drift findings: ${s.length}`);for(const c of s.slice(-3)){const i=c.data,l=i.severity??"?",g=i.description??"";console.log(`    [${l}] ${typeof g=="string"?g.slice(0,80):g}`)}}await n.close()}async function Dt(e,o){try{const n=await ye({force:e,port:o});if(n.created.length>0){console.log("Created:");for(const t of n.created)console.log(`  ${t}`)}if(n.skipped.length>0){console.log("Skipped (already exists \u2014 use --force to overwrite):");for(const t of n.skipped)console.log(`  ${t}`)}if(n.merged.length>0){console.log("Merged:");for(const t of n.merged)console.log(`  ${t}`)}if(n.errors.length>0){console.log("Errors:");for(const t of n.errors)console.log(`  ${t}`)}n.errors.length===0&&console.log(`
+Sentinel + Claude Code integration ready.`)}catch(n){console.error(`Init failed: ${n.message}`),process.exit(1)}}if(Le){const e=w(f,"--port");await Dt(qe,e?parseInt(e,10):void 0)}else if(Ye&&p&&Q&&V)await vt(p,Q,V);else if(Xe&&p)await At(p);else if(Ze&&p)await It(p);else if(et&&p)await St(p);else if(Oe)await re();else if(_)await le(_);else if(Ge&&p)await yt(p);else if(Je&&p)await ht(p);else if(We&&p)await wt(p);else if(Ue)await $t();else if(_e&&p)await tt(p,X??"No reason provided");else if(Qe&&p)await nt(p,X??"No reason provided");else if(Ve)await st(p);else if(ze)await it();else if(Pe)await gt();else if(xe)await ut(p);else if(Ne&&p&&U)await dt(p,U,ke);else if(Fe&&p)await ct(p);else if(Be){const e=b?parseInt(b,10):30;await pt(e,Z==="json"?"json":"markdown")}else if(He&&p){const e=b?parseInt(b,10):30;await ft(p,e,Z==="json"?"json":"markdown")}else if(Ke){const e=b?parseInt(b,10):30;await mt(e)}else p?await lt(p):await rt();

package/dist/gateway/index.d.ts

@@ -1,4 +1,4 @@
-import { v as Sentinel, e as AgentRole, S as SecurityFinding } from '../Sentinel-xFCyXH45.js';
+import { v as Sentinel, e as AgentRole, S as SecurityFinding } from '../Sentinel-BVoMEF3F.js';
 import 'node:crypto';
 
 /**
@@ -75,6 +75,13 @@ interface SentinelGatewayOptions {
      * Operator-only, same channel as unknownTools.
      */
     allowUnknownTools?: string[];
+    /**
+     * Build identity reported via /health (daemon-staleness fix). Content hash of
+     * the daemon entry file this process was launched from; session-start compares
+     * it to the hash of the current on-disk entry and relaunches on mismatch.
+     * Absent → /health reports "unknown" → next session-start relaunches (safe side).
+     */
+    buildId?: string;
 }
 declare class SentinelGateway {
     private readonly configuredPort;
@@ -90,6 +97,9 @@ declare class SentinelGateway {
     private readonly releaseToken;
     /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
     private readonly unknownTools;
+    /** Daemon-staleness build identity (content hash of the launched-from entry),
+     *  reported via /health. "unknown" when not supplied by the launcher. */
+    private readonly buildId;
     private server;
     private running;
     private signalHandlersInstalled;

package/dist/gateway/index.js

@@ -1,9 +1,9 @@
 import {
   SentinelGateway
-} from "../chunk-L4R3LPJS.js";
+} from "../chunk-G74MMDKA.js";
 import "../chunk-B5QKJHSV.js";
 import "../chunk-FMZWHT4M.js";
-import "../chunk-QIYQWOLO.js";
+import "../chunk-JTR2E7RD.js";
 import "../chunk-WLIDSTS4.js";
 export {
   SentinelGateway

package/dist/gatewayDaemon.js

@@ -1,26 +1,48 @@
 #!/usr/bin/env node
 import {
   runGatewayDaemon
-} from "./chunk-L4R3LPJS.js";
+} from "./chunk-G74MMDKA.js";
+import {
+  computeBuildId,
+  runSessionStart
+} from "./chunk-2TJ5Z53T.js";
+import "./chunk-LATQNIRW.js";
 import "./chunk-B5QKJHSV.js";
 import "./chunk-FMZWHT4M.js";
-import "./chunk-QIYQWOLO.js";
+import "./chunk-JTR2E7RD.js";
 import "./chunk-WLIDSTS4.js";
 
 // src/gatewayDaemon.ts
+import { fileURLToPath } from "url";
 var args = process.argv.slice(2);
-var policyPath;
-var port;
-for (let i = 0; i < args.length; i++) {
-  if (args[i] === "--policy" && args[i + 1]) policyPath = args[++i];
-  else if (args[i] === "--port" && args[i + 1]) port = parseInt(args[++i], 10);
+var selfPath = fileURLToPath(import.meta.url);
+function getFlag(name) {
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === name && args[i + 1]) return args[i + 1];
+  }
+  return void 0;
 }
-if (!policyPath) {
-  console.error("[SENTINEL GATEWAY] --policy <path> is required");
-  process.exit(1);
+if (args.includes("--session-start")) {
+  const portArg = getFlag("--port");
+  runSessionStart({
+    cwd: getFlag("--cwd"),
+    port: portArg ? parseInt(portArg, 10) : void 0,
+    gatewayEntry: selfPath
+  }).catch((err) => {
+    console.error("[SENTINEL GATEWAY] session-start error:", err);
+    process.exit(0);
+  });
+} else {
+  const policyPath = getFlag("--policy");
+  const portArg = getFlag("--port");
+  const port = portArg ? parseInt(portArg, 10) : void 0;
+  if (!policyPath) {
+    console.error("[SENTINEL GATEWAY] --policy <path> is required");
+    process.exit(1);
+  }
+  runGatewayDaemon({ policyPath, port, buildId: computeBuildId(selfPath) }).catch((err) => {
+    console.error("[SENTINEL GATEWAY] Fatal:", err);
+    process.exit(1);
+  });
 }
-runGatewayDaemon({ policyPath, port }).catch((err) => {
-  console.error("[SENTINEL GATEWAY] Fatal:", err);
-  process.exit(1);
-});
 //# sourceMappingURL=gatewayDaemon.js.map

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { A as AgentActivityEvent, S as SecurityFinding } from './Sentinel-xFCyXH45.js';
-export { a as AcceptableAction, b as AdapterConfig, c as AgentBaseline, d as AgentMode, e as AgentRole, f as AlertChannel, g as AlertConfig, h as AllowResponse, i as AuditEntry, j as AuditQueryOptions, B as BlockResponse, C as CorrelationFinding, E as ExceptionApprovalContext, k as ExceptionApprovalFn, G as GuideResponse, H as HookCheckpoint, l as HookContext, m as HookHandler, n as HookRegistration, o as HookResponse, I as IntentAlignmentConfig, p as IntentAlignmentResult, M as ModifiableEventFields, q as MonitorOptions, O as OverlayDecisionType, R as RepoSensitivityMap, r as ReportOptions, s as RoleException, t as SecuritySeverity, u as SensitivityOverlay, v as Sentinel, w as SentinelConfig, T as TaskIntent } from './Sentinel-xFCyXH45.js';
+import { A as AgentActivityEvent, S as SecurityFinding } from './Sentinel-BVoMEF3F.js';
+export { a as AcceptableAction, b as AdapterConfig, c as AgentBaseline, d as AgentMode, e as AgentRole, f as AlertChannel, g as AlertConfig, h as AllowResponse, i as AuditEntry, j as AuditQueryOptions, B as BlockResponse, C as CorrelationFinding, E as ExceptionApprovalContext, k as ExceptionApprovalFn, G as GuideResponse, H as HookCheckpoint, l as HookContext, m as HookHandler, n as HookRegistration, o as HookResponse, I as IntentAlignmentConfig, p as IntentAlignmentResult, M as ModifiableEventFields, q as MonitorOptions, O as OverlayDecisionType, R as RepoSensitivityMap, r as ReportOptions, s as RoleException, t as SecuritySeverity, u as SensitivityOverlay, v as Sentinel, w as SentinelConfig, T as TaskIntent } from './Sentinel-BVoMEF3F.js';
 import 'node:crypto';
 
 interface SentinelPolicy {
@@ -128,23 +128,45 @@ declare function runInitClaudeCode(options: {
 declare function discoverPolicy(startDir: string, home: string): string | null;
 
 /**
- * `session-start` entry point — called by the hook script on SessionStart.
+ * `session-start` entry point — called by the hook script on SessionStart, and
+ * the single source of truth for the gateway lifecycle decision (anti-drift: the
+ * cc hook delegates here via the dual-mode daemon entry rather than carrying its
+ * own copy of this logic).
  *
- * 1. Discover .sentinel.yaml (walk up from cwd to $HOME)
- * 2. Acquire gateway lock (PID file check)
- * 3. If gateway already running → exit early
- * 4. If no policy found → exit early (no gateway needed)
- * 5. Spawn gateway detached, write PID file, unref
+ * Flow:
+ *   1. Discover .sentinel.yaml (walk up from cwd to $HOME); none → no gateway.
+ *   2. Resolve the daemon entry AT LAUNCH (not a baked path) and hash it — the
+ *      current build identity.
+ *   3. Liveness: is a daemon already running (PID file)?
+ *      - none        → cold spawn (today's path).
+ *      - running     → GET /health, compare its build id to the current entry hash:
+ *          match     → reuse (unchanged fast path).
+ *          mismatch  → RELAUNCH: SIGTERM (→ SIGKILL fallback) the stale daemon,
+ *                      spawn the current build, wait ready. This is pure process
+ *                      replacement: it writes NO mode_change / release / trail
+ *                      state — the new daemon rebuilds mode (mode.json) and count
+ *                      (the append-only trail) lazily via _initWorkspaceAgent, so
+ *                      a restricted/quarantined agent stays restricted/quarantined
+ *                      with the same escalation count across the relaunch.
+ *   Concurrency: a relaunch holds an atomic lock so two simultaneous session-
+ *   starts converge on ONE daemon (the loser waits for ready and reuses) instead
+ *   of racing two daemons onto the port.
  */
 interface SessionStartResult {
-    action: "reused" | "spawned" | "no-policy";
+    action: "reused" | "spawned" | "relaunched" | "no-policy";
     pid?: number;
     policyPath?: string;
+    /** Why a relaunch happened (build mismatch) or null — for telemetry/tests. */
+    relaunchReason?: string | null;
 }
 declare function runSessionStart(options?: {
     cwd?: string;
     home?: string;
     port?: number;
+    /** Daemon entry to launch. Defaults to resolveGatewayEntryPoint() (resolved at
+     *  launch, NOT a baked path — closes the pnpm-relocation / dangling cases). The
+     *  dual-mode entry passes its own path so the launcher spawns the current build. */
+    gatewayEntry?: string;
 }): Promise<SessionStartResult>;
 
 export { AgentActivityEvent, type CliApprovalOptions, type InitReport, SecurityFinding, type SentinelPolicy, type SessionStartResult, createCliApproval, discoverPolicy, loadPolicy, loadPolicyFromString, runInitClaudeCode, runSessionStart };

package/dist/index.js

@@ -1,16 +1,17 @@
-import {
-  runInitClaudeCode,
-  runSessionStart
-} from "./chunk-FWIISAZZ.js";
+import "./chunk-TKAKHSZ3.js";
 import {
   Sentinel,
   createCliApproval
-} from "./chunk-GRN5P3H2.js";
+} from "./chunk-SSDIBY52.js";
+import {
+  runInitClaudeCode,
+  runSessionStart
+} from "./chunk-2TJ5Z53T.js";
 import "./chunk-LATQNIRW.js";
 import {
   discoverPolicy
 } from "./chunk-FMZWHT4M.js";
-import "./chunk-QIYQWOLO.js";
+import "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   loadPolicyFromString

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tuent/sentinel",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "AI agent behavioral security monitoring SDK",
   "author": "Tuent LLC",
   "keywords": [

package/dist/Sentinel-XMSJE4DZ.js

@@ -1,10 +0,0 @@
-import {
-  Sentinel
-} from "./chunk-GRN5P3H2.js";
-import "./chunk-QIYQWOLO.js";
-import "./chunk-WLIDSTS4.js";
-import "./chunk-NUXSUSYY.js";
-export {
-  Sentinel
-};
-//# sourceMappingURL=Sentinel-XMSJE4DZ.js.map