@upx-us/shield 0.2.12-beta

package/dist/src/events/message/index.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MessageSchema = void 0;
+const enrich_1 = require("./enrich");
+const redactions_1 = require("./redactions");
+const validations_1 = require("./validations");
+exports.MessageSchema = {
+    category: 'message',
+    match: (tool) => tool.name === 'message',
+    enrich: enrich_1.enrich,
+    redactions: redactions_1.redactions,
+    validate: validations_1.validate,
+};

package/dist/src/events/message/redactions.d.ts

@@ -0,0 +1,2 @@
+import { FieldRedaction } from '../base';
+export declare const redactions: FieldRedaction[];

package/dist/src/events/message/redactions.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactions = void 0;
+exports.redactions = [];

package/dist/src/events/message/validations.d.ts

@@ -0,0 +1,3 @@
+import { ValidationResult } from '../base';
+import { MessageEvent } from './event';
+export declare function validate(_event: MessageEvent): ValidationResult;

package/dist/src/events/message/validations.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = validate;
+// MessageEvent has no required type-specific fields beyond BaseEvent.
+// Base validations (timestamp, session_id, tool_name, principal.hostname) run
+// automatically before this function — no additional checks needed here.
+function validate(_event) { return { valid: true }; }

package/dist/src/events/sessions-spawn/enrich.d.ts

@@ -0,0 +1,3 @@
+import { RawToolCall, EnrichmentContext } from '../base';
+import { SessionsSpawnEvent } from './event';
+export declare function enrich(tool: RawToolCall, ctx: EnrichmentContext): SessionsSpawnEvent;

package/dist/src/events/sessions-spawn/enrich.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enrich = enrich;
+const base_1 = require("../base");
+function enrich(tool, ctx) {
+    const args = tool.arguments;
+    const task = args.task || '';
+    const meta = {
+        tool_name: 'sessions_spawn',
+        'openclaw.session_id': ctx.sessionId,
+        'openclaw.agent_id': ctx.agentId,
+        sub_action: 'spawn',
+        spawn_agent_id: args.agentId || null,
+        spawn_label: args.label || null,
+        spawn_model: args.model || null,
+        spawn_task_has_exec: /\b(exec|run|execute|shell|command|bash|sh)\b/i.test(task),
+        spawn_task_has_cred: /\b(password|credential|secret|key|token|ssh)\b/i.test(task),
+        spawn_task_has_exfil: /\b(send|upload|post|transfer|exfil)/i.test(task),
+    };
+    return {
+        timestamp: ctx.timestamp,
+        event_type: 'TOOL_CALL',
+        tool_name: 'sessions_spawn',
+        tool_category: 'sessions_spawn',
+        session_id: ctx.sessionId,
+        model: ctx.model,
+        product_name: 'OpenClaw',
+        vendor_name: 'UPX',
+        principal: {
+            hostname: ctx.source.hostname,
+            ip: ctx.source.ip_addresses?.[0] || '',
+            platform: ctx.source.os.platform,
+            user: ctx.agentId,
+        },
+        arguments_summary: (0, base_1.truncate)(task),
+        // target.command_line required by parser for PROCESS_LAUNCH mapping
+        target: { command_line: (0, base_1.truncate)(task) },
+        tool_metadata: (0, base_1.stringifyMetadata)(meta),
+    };
+}

package/dist/src/events/sessions-spawn/event.d.ts

@@ -0,0 +1,9 @@
+import { BaseEvent } from '../base';
+export interface SessionsSpawnEvent extends BaseEvent {
+    tool_category: 'sessions_spawn';
+    arguments_summary?: string;
+    /** target.command_line = task description — required by parser for PROCESS_LAUNCH mapping */
+    target?: {
+        command_line?: string;
+    };
+}

package/dist/src/events/sessions-spawn/event.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/events/sessions-spawn/index.d.ts

@@ -0,0 +1,4 @@
+import { EventSchema } from '../base';
+import { SessionsSpawnEvent } from './event';
+export type { SessionsSpawnEvent };
+export declare const SessionsSpawnSchema: EventSchema<SessionsSpawnEvent>;

package/dist/src/events/sessions-spawn/index.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionsSpawnSchema = void 0;
+const enrich_1 = require("./enrich");
+const redactions_1 = require("./redactions");
+const validations_1 = require("./validations");
+exports.SessionsSpawnSchema = {
+    category: 'sessions_spawn',
+    match: (tool) => tool.name === 'sessions_spawn',
+    enrich: enrich_1.enrich,
+    redactions: redactions_1.redactions,
+    validate: validations_1.validate,
+};

package/dist/src/events/sessions-spawn/redactions.d.ts

@@ -0,0 +1,2 @@
+import { FieldRedaction } from '../base';
+export declare const redactions: FieldRedaction[];

package/dist/src/events/sessions-spawn/redactions.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactions = void 0;
+exports.redactions = [];

package/dist/src/events/sessions-spawn/validations.d.ts

@@ -0,0 +1,3 @@
+import { ValidationResult } from '../base';
+import { SessionsSpawnEvent } from './event';
+export declare function validate(_event: SessionsSpawnEvent): ValidationResult;

package/dist/src/events/sessions-spawn/validations.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = validate;
+function validate(_event) { return { valid: true }; }

package/dist/src/events/tool-result/enrich.d.ts

@@ -0,0 +1,13 @@
+import { EnrichmentContext } from '../base';
+import { ToolResultEvent } from './event';
+export interface RawToolResult {
+    toolName?: string;
+    content?: Array<{
+        text?: string;
+    }> | string;
+    details?: {
+        exitCode?: number;
+        durationMs?: number;
+    };
+}
+export declare function buildToolResult(raw: RawToolResult, ctx: EnrichmentContext): ToolResultEvent;

package/dist/src/events/tool-result/enrich.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildToolResult = buildToolResult;
+const base_1 = require("../base");
+function buildToolResult(raw, ctx) {
+    const toolName = raw.toolName || 'unknown';
+    const resultText = Array.isArray(raw.content)
+        ? raw.content.map((c) => c.text || '').join('\n')
+        : '';
+    const truncated = resultText.length > 300 ? resultText.slice(0, 300) : resultText;
+    const meta = {
+        tool_name: toolName,
+        'openclaw.session_id': ctx.sessionId,
+        'openclaw.agent_id': ctx.agentId,
+        result_size_bytes: String(resultText.length),
+        result_is_large: resultText.length > 50000,
+    };
+    // ANSI injection detection
+    const ansiMatches = resultText.match(/\x1b\[[0-9;]*[a-zA-Z]|\x1b\]|\x07|\x1b\(B/g);
+    if (ansiMatches && ansiMatches.length > 0) {
+        meta['ansi_content_detected'] = 'true';
+        meta['ansi_sequences'] = ansiMatches.slice(0, 10).map((s) => s.replace(/\x1b/g, 'ESC')).join(', ');
+    }
+    const event = {
+        timestamp: ctx.timestamp,
+        event_type: 'TOOL_RESULT',
+        tool_name: toolName,
+        tool_category: 'tool_result',
+        session_id: ctx.sessionId,
+        product_name: 'OpenClaw',
+        vendor_name: 'UPX',
+        principal: {
+            hostname: ctx.source.hostname,
+            ip: ctx.source.ip_addresses?.[0] || '',
+            platform: ctx.source.os.platform,
+            user: ctx.agentId,
+        },
+        result_summary: truncated,
+        tool_metadata: (0, base_1.stringifyMetadata)(meta),
+    };
+    if (raw.details?.exitCode !== undefined)
+        event.exit_code = String(raw.details.exitCode);
+    if (raw.details?.durationMs !== undefined)
+        event.duration_ms = String(raw.details.durationMs);
+    return event;
+}

package/dist/src/events/tool-result/event.d.ts

@@ -0,0 +1,7 @@
+import { BaseEvent } from '../base';
+export interface ToolResultEvent extends BaseEvent {
+    tool_category: 'tool_result';
+    result_summary: string;
+    exit_code?: string;
+    duration_ms?: string;
+}

package/dist/src/events/tool-result/event.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/events/tool-result/index.d.ts

@@ -0,0 +1,4 @@
+export type { ToolResultEvent } from './event';
+export { buildToolResult } from './enrich';
+export { redactions } from './redactions';
+export { validate } from './validations';

package/dist/src/events/tool-result/index.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = exports.redactions = exports.buildToolResult = void 0;
+var enrich_1 = require("./enrich");
+Object.defineProperty(exports, "buildToolResult", { enumerable: true, get: function () { return enrich_1.buildToolResult; } });
+var redactions_1 = require("./redactions");
+Object.defineProperty(exports, "redactions", { enumerable: true, get: function () { return redactions_1.redactions; } });
+var validations_1 = require("./validations");
+Object.defineProperty(exports, "validate", { enumerable: true, get: function () { return validations_1.validate; } });

package/dist/src/events/tool-result/redactions.d.ts

@@ -0,0 +1,2 @@
+import { FieldRedaction } from '../base';
+export declare const redactions: FieldRedaction[];

package/dist/src/events/tool-result/redactions.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactions = void 0;
+exports.redactions = [
+    // result_summary may contain API keys or tokens in command output — scrub them
+    { path: 'result_summary', strategy: 'secret-key' },
+];

package/dist/src/events/tool-result/validations.d.ts

@@ -0,0 +1,3 @@
+import { ValidationResult } from '../base';
+import { ToolResultEvent } from './event';
+export declare function validate(event: ToolResultEvent): ValidationResult;

package/dist/src/events/tool-result/validations.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = validate;
+function validate(event) {
+    if (event.result_summary === undefined || event.result_summary === null) {
+        return { valid: false, field: 'result_summary', error: 'missing result_summary' };
+    }
+    return { valid: true };
+}

package/dist/src/events/web/enrich.d.ts

@@ -0,0 +1,8 @@
+import { RawToolCall, EnrichmentContext } from '../base';
+import { WebEvent } from './event';
+/**
+ * Returns true for loopback, RFC 1918, link-local, and cloud metadata endpoints.
+ * 169.254.169.254 is the AWS/GCP/Azure instance metadata endpoint — a critical IoC.
+ */
+export declare function isInternalUrl(u: URL): boolean;
+export declare function enrich(tool: RawToolCall, ctx: EnrichmentContext): WebEvent;

package/dist/src/events/web/enrich.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isInternalUrl = isInternalUrl;
+exports.enrich = enrich;
+const base_1 = require("../base");
+/**
+ * Returns true for loopback, RFC 1918, link-local, and cloud metadata endpoints.
+ * 169.254.169.254 is the AWS/GCP/Azure instance metadata endpoint — a critical IoC.
+ */
+function isInternalUrl(u) {
+    // Node.js URL parser wraps IPv6 in brackets: [::1] — strip them for comparison
+    const h = u.hostname;
+    const bare = h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h;
+    if (bare === 'localhost' || bare === '127.0.0.1' || bare === '::1')
+        return true;
+    if (/^169\.254\./.test(bare))
+        return true; // link-local / cloud metadata
+    if (/^10\./.test(bare))
+        return true; // RFC 1918 Class A
+    if (/^192\.168\./.test(bare))
+        return true; // RFC 1918 Class C
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(bare))
+        return true; // RFC 1918 Class B
+    if (/\.(local|internal|localhost)$/.test(bare))
+        return true; // internal hostnames
+    return false;
+}
+function enrich(tool, ctx) {
+    const args = tool.arguments;
+    // web_search args have `query` but no `url` — synthesise a canonical search URL
+    // so the parser gets a valid target hostname for NETWORK_HTTP mapping
+    const rawUrl = args.url || args.targetUrl || '';
+    const url = rawUrl || (tool.name === 'web_search' && args.query
+        ? `https://search.brave.com/search?q=${encodeURIComponent(String(args.query).slice(0, 200))}`
+        : '');
+    const event = {
+        timestamp: ctx.timestamp,
+        event_type: 'TOOL_CALL',
+        tool_name: tool.name,
+        tool_category: 'web',
+        session_id: ctx.sessionId,
+        model: ctx.model,
+        product_name: 'OpenClaw',
+        vendor_name: 'UPX',
+        principal: {
+            hostname: ctx.source.hostname,
+            ip: ctx.source.ip_addresses?.[0] || '',
+            platform: ctx.source.os.platform,
+            user: ctx.agentId,
+        },
+        url,
+        target: { url },
+        network: { session_id: ctx.sessionId, protocol: 'HTTPS', direction: 'OUTBOUND' },
+        tool_metadata: (0, base_1.stringifyMetadata)({
+            tool_name: tool.name,
+            'openclaw.session_id': ctx.sessionId,
+            'openclaw.agent_id': ctx.agentId,
+        }),
+    };
+    try {
+        const u = new URL(url);
+        event.target.hostname = u.hostname;
+        event.target.url_domain = u.hostname;
+        // Reflect actual protocol (HTTP vs HTTPS) in the network block
+        if (event.network) {
+            event.network.protocol = u.protocol === 'http:' ? 'HTTP' : 'HTTPS';
+        }
+        event.tool_metadata = (0, base_1.stringifyMetadata)({
+            tool_name: tool.name,
+            'openclaw.session_id': ctx.sessionId,
+            'openclaw.agent_id': ctx.agentId,
+            url_domain: u.hostname,
+            url_is_internal: isInternalUrl(u),
+        });
+    }
+    catch { /* malformed URL — keep defaults */ }
+    return event;
+}

package/dist/src/events/web/event.d.ts

@@ -0,0 +1,10 @@
+import { BaseEvent, NetworkBlock } from '../base';
+export interface WebEvent extends BaseEvent, NetworkBlock {
+    tool_category: 'web';
+    url: string;
+    target: {
+        url: string;
+        hostname?: string;
+        url_domain?: string;
+    };
+}

package/dist/src/events/web/event.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/events/web/index.d.ts

@@ -0,0 +1,4 @@
+import { EventSchema } from '../base';
+import { WebEvent } from './event';
+export type { WebEvent };
+export declare const WebSchema: EventSchema<WebEvent>;

package/dist/src/events/web/index.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebSchema = void 0;
+const enrich_1 = require("./enrich");
+const redactions_1 = require("./redactions");
+const validations_1 = require("./validations");
+exports.WebSchema = {
+    category: 'web',
+    match: (tool) => ['web_fetch', 'web_search'].includes(tool.name),
+    enrich: enrich_1.enrich,
+    redactions: redactions_1.redactions,
+    validate: validations_1.validate,
+};

package/dist/src/events/web/redactions.d.ts

@@ -0,0 +1,2 @@
+import { FieldRedaction } from '../base';
+export declare const redactions: FieldRedaction[];

package/dist/src/events/web/redactions.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactions = void 0;
+exports.redactions = [
+// URLs are kept as-is for detection value; no PII expected in URLs at this layer
+];

package/dist/src/events/web/validations.d.ts

@@ -0,0 +1,3 @@
+import { ValidationResult } from '../base';
+import { WebEvent } from './event';
+export declare function validate(event: WebEvent): ValidationResult;

package/dist/src/events/web/validations.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = validate;
+function validate(event) {
+    if (!event.url)
+        return { valid: false, field: 'url', error: 'missing url' };
+    if (!event.network?.protocol)
+        return { valid: false, field: 'network.protocol', error: 'missing network.protocol' };
+    return { valid: true };
+}

package/dist/src/fetcher.d.ts

@@ -0,0 +1,12 @@
+import { Config } from './config';
+export interface RawEntry {
+    type: string;
+    id: string;
+    parentId?: string;
+    timestamp: string;
+    message: any;
+    _sessionId: string;
+    _agentId: string;
+}
+export declare function fetchNewEntries(config: Config): Promise<RawEntry[]>;
+export declare function commitCursors(config: Config, _entries: RawEntry[]): void;

package/dist/src/fetcher.js

@@ -0,0 +1,182 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchNewEntries = fetchNewEntries;
+exports.commitCursors = commitCursors;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const log = __importStar(require("./log"));
+function loadCursors(cursorFile) {
+    if ((0, fs_1.existsSync)(cursorFile)) {
+        return JSON.parse((0, fs_1.readFileSync)(cursorFile, 'utf-8'));
+    }
+    return {};
+}
+/**
+ * Initialize cursors for a new session directory.
+ * Sets all file offsets to current file size (skip historical data).
+ * Only called for directories that have NO existing cursor entries.
+ */
+function initCursorsForDir(sessionDir, agentId, existingCursors) {
+    const init = {};
+    let files;
+    try {
+        files = (0, fs_1.readdirSync)(sessionDir).filter(f => f.endsWith('.jsonl'));
+    }
+    catch (err) {
+        log.warn('fetcher', `Cannot read session directory ${sessionDir}: ${err instanceof Error ? err.message : String(err)}`);
+        return init;
+    }
+    let skipped = 0;
+    for (const file of files) {
+        const cursorKey = `${agentId}/${file}`;
+        // Also check legacy key (without agent prefix) for migration
+        if (existingCursors[cursorKey] !== undefined || existingCursors[file] !== undefined) {
+            // Already tracked — migrate legacy key if needed
+            if (existingCursors[file] !== undefined && existingCursors[cursorKey] === undefined) {
+                init[cursorKey] = existingCursors[file];
+            }
+            continue;
+        }
+        // New file — set cursor to current size (skip history)
+        const filePath = (0, path_1.join)(sessionDir, file);
+        const fd = (0, fs_1.openSync)(filePath, 'r');
+        try {
+            const size = (0, fs_1.fstatSync)(fd).size;
+            init[cursorKey] = size;
+            skipped++;
+        }
+        finally {
+            (0, fs_1.closeSync)(fd);
+        }
+    }
+    if (skipped > 0) {
+        log.info('fetcher', `Initialized ${skipped} cursors for agent "${agentId}" (skipping historical data)`);
+    }
+    return init;
+}
+function saveCursors(cursorFile, state) {
+    const dir = (0, path_1.dirname)(cursorFile);
+    if (!(0, fs_1.existsSync)(dir))
+        (0, fs_1.mkdirSync)(dir, { recursive: true });
+    const tmp = cursorFile + '.tmp';
+    (0, fs_1.writeFileSync)(tmp, JSON.stringify(state, null, 2));
+    (0, fs_1.renameSync)(tmp, cursorFile);
+}
+/**
+ * Read only the new bytes from a file starting at the given byte offset.
+ * Uses low-level fd + read to avoid loading the entire file into memory.
+ */
+function readNewBytes(filePath, offset) {
+    const fd = (0, fs_1.openSync)(filePath, 'r');
+    try {
+        const stat = (0, fs_1.fstatSync)(fd);
+        const fileSize = stat.size;
+        if (offset >= fileSize) {
+            return { content: '', newSize: fileSize };
+        }
+        const bytesToRead = fileSize - offset;
+        const buffer = Buffer.alloc(bytesToRead);
+        (0, fs_1.readSync)(fd, buffer, 0, bytesToRead, offset);
+        return { content: buffer.toString('utf-8'), newSize: fileSize };
+    }
+    finally {
+        (0, fs_1.closeSync)(fd);
+    }
+}
+// In-memory cursor state for the current poll cycle (committed only after successful send)
+let _pendingCursors = {};
+async function fetchNewEntries(config) {
+    const cursors = loadCursors(config.cursorFile);
+    _pendingCursors = { ...cursors };
+    const results = [];
+    for (const sessionDir of config.sessionDirs) {
+        if (!(0, fs_1.existsSync)(sessionDir))
+            continue;
+        // Derive agent name from directory path: .../agents/{agentId}/sessions
+        const agentId = (0, path_1.basename)((0, path_1.dirname)(sessionDir));
+        // Initialize cursors for newly discovered agents (skip historical data)
+        const initCursors = initCursorsForDir(sessionDir, agentId, _pendingCursors);
+        Object.assign(_pendingCursors, initCursors);
+        let files;
+        try {
+            files = (0, fs_1.readdirSync)(sessionDir).filter(f => f.endsWith('.jsonl'));
+        }
+        catch {
+            continue;
+        }
+        for (const file of files) {
+            const filePath = (0, path_1.join)(sessionDir, file);
+            const sessionId = (0, path_1.basename)(file, '.jsonl');
+            // Cursor key includes agent to avoid collisions across agents
+            const cursorKey = `${agentId}/${file}`;
+            const offset = _pendingCursors[cursorKey] ?? cursors[cursorKey] ?? 0;
+            const { content, newSize } = readNewBytes(filePath, offset);
+            if (!content) {
+                _pendingCursors[cursorKey] = newSize;
+                continue;
+            }
+            const lines = content.split('\n').filter(l => l.trim());
+            for (const line of lines) {
+                try {
+                    const entry = JSON.parse(line);
+                    if (entry.type !== 'message')
+                        continue;
+                    const msg = entry.message;
+                    if (!msg)
+                        continue;
+                    if (msg.role === 'assistant' && Array.isArray(msg.content)) {
+                        const hasToolCall = msg.content.some((c) => c.type === 'toolCall');
+                        if (hasToolCall) {
+                            results.push({ ...entry, _sessionId: sessionId, _agentId: agentId });
+                        }
+                    }
+                    else if (msg.role === 'toolResult') {
+                        results.push({ ...entry, _sessionId: sessionId, _agentId: agentId });
+                    }
+                }
+                catch { /* skip malformed lines */ }
+            }
+            _pendingCursors[cursorKey] = newSize;
+        }
+    }
+    return results;
+}
+function commitCursors(config, _entries) {
+    if (Object.keys(_pendingCursors).length === 0)
+        return;
+    saveCursors(config.cursorFile, _pendingCursors);
+    _pendingCursors = {};
+}

package/dist/src/host-collector.d.ts

@@ -0,0 +1 @@
+export declare function collectHostMetrics(): Promise<any[]>;