@xshieldai/agent-kernel 2.0.2

package/dist/kavachos.js

@@ -0,0 +1,2687 @@
+#!/usr/bin/env bun
+// @bun
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __moduleCache = /* @__PURE__ */ new WeakMap;
+var __toCommonJS = (from) => {
+  var entry = __moduleCache.get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function")
+    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
+      get: () => from[key],
+      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+    }));
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// ../../src/kernel/syscall-profiles.ts
+function buildSyscallSet(trustMask, domain) {
+  if (trustMask === 0)
+    return [...new Set(MINIMAL_READONLY_SYSCALLS)];
+  const set = new Set(BASELINE_SYSCALLS);
+  for (let bit = 0;bit < 16; bit++) {
+    if (trustMask & 1 << bit) {
+      const extras = TRUST_MASK_EXTRA_SYSCALLS[bit] ?? [];
+      extras.forEach((s) => set.add(s));
+    }
+  }
+  const domainExtras = DOMAIN_EXTRA_SYSCALLS[domain] ?? DOMAIN_EXTRA_SYSCALLS.general;
+  domainExtras.forEach((s) => set.add(s));
+  return [...set].sort();
+}
+var BASELINE_SYSCALLS, TRUST_MASK_EXTRA_SYSCALLS, DOMAIN_EXTRA_SYSCALLS, MINIMAL_READONLY_SYSCALLS, NOTIFY_SYSCALLS;
+var init_syscall_profiles = __esm(() => {
+  BASELINE_SYSCALLS = [
+    "read",
+    "write",
+    "open",
+    "openat",
+    "close",
+    "stat",
+    "fstat",
+    "lstat",
+    "newfstatat",
+    "mmap",
+    "munmap",
+    "mprotect",
+    "brk",
+    "exit_group",
+    "exit",
+    "futex",
+    "rt_sigreturn",
+    "restart_syscall",
+    "nanosleep",
+    "getpid",
+    "gettid",
+    "getcwd",
+    "getdents64",
+    "socket",
+    "connect",
+    "sendto",
+    "recvfrom",
+    "execve",
+    "wait4",
+    "clone",
+    "clone3",
+    "fork",
+    "ioctl",
+    "fcntl",
+    "dup",
+    "dup2",
+    "dup3",
+    "pipe",
+    "pipe2",
+    "select",
+    "pselect6",
+    "poll",
+    "ppoll",
+    "epoll_create1",
+    "epoll_ctl",
+    "epoll_wait",
+    "epoll_pwait",
+    "gettimeofday",
+    "clock_gettime",
+    "clock_nanosleep",
+    "sigaltstack",
+    "rt_sigaction",
+    "rt_sigprocmask",
+    "getrusage",
+    "sysinfo",
+    "times",
+    "madvise",
+    "mincore",
+    "msync",
+    "getuid",
+    "getgid",
+    "geteuid",
+    "getegid",
+    "setuid",
+    "setgid",
+    "readlink",
+    "readlinkat",
+    "access",
+    "faccessat",
+    "faccessat2",
+    "uname",
+    "sethostname",
+    "pread64",
+    "pwrite64",
+    "readv",
+    "writev",
+    "preadv",
+    "pwritev",
+    "lseek",
+    "ftruncate",
+    "truncate",
+    "mkdir",
+    "mkdirat",
+    "rmdir",
+    "rename",
+    "renameat",
+    "renameat2",
+    "unlink",
+    "unlinkat",
+    "chmod",
+    "fchmod",
+    "fchmodat",
+    "chown",
+    "fchown",
+    "lchown",
+    "fchownat",
+    "sendmsg",
+    "recvmsg",
+    "sendmmsg",
+    "recvmmsg",
+    "getsockname",
+    "getpeername",
+    "getsockopt",
+    "setsockopt",
+    "bind",
+    "listen",
+    "accept",
+    "accept4",
+    "shutdown",
+    "statfs",
+    "fstatfs",
+    "utime",
+    "utimes",
+    "utimensat",
+    "futimesat",
+    "getrandom",
+    "sched_yield",
+    "sched_getaffinity",
+    "sched_setaffinity",
+    "prctl",
+    "arch_prctl",
+    "set_tid_address",
+    "set_robust_list",
+    "get_robust_list",
+    "seccomp",
+    "landlock_create_ruleset",
+    "landlock_add_rule",
+    "landlock_restrict_self"
+  ];
+  TRUST_MASK_EXTRA_SYSCALLS = {
+    0: ["keyctl", "add_key", "request_key"],
+    1: ["capget", "capset"],
+    2: ["eventfd", "eventfd2", "signalfd", "signalfd4", "timerfd_create", "timerfd_settime", "timerfd_gettime"],
+    3: ["flock", "shmget", "shmat", "shmdt", "shmctl"],
+    4: ["sendfile", "splice", "tee"],
+    5: ["mlock", "munlock", "mlockall", "munlockall", "mremap"],
+    6: [],
+    7: ["memfd_create", "memfd_secret"],
+    8: ["mmap2"],
+    9: ["inotify_init1", "inotify_add_watch", "inotify_rm_watch", "inotify_init"],
+    10: [],
+    11: ["remap_file_pages", "mbind", "get_mempolicy", "set_mempolicy"],
+    12: [],
+    13: ["symlink", "symlinkat", "link", "linkat"],
+    14: ["kill", "tgkill", "tkill", "setpgid", "setsid", "getpgid", "getsid"],
+    15: ["execveat"]
+  };
+  DOMAIN_EXTRA_SYSCALLS = {
+    general: [],
+    maritime: [
+      "ioctl",
+      "tcsendbreak",
+      "tcdrain",
+      "tcflush",
+      "tcflow"
+    ],
+    logistics: [],
+    ot: [
+      "ioctl",
+      "sched_setscheduler",
+      "sched_getscheduler",
+      "sched_setparam",
+      "sched_getparam"
+    ],
+    finance: [
+      "ioctl"
+    ]
+  };
+  MINIMAL_READONLY_SYSCALLS = [
+    "read",
+    "open",
+    "openat",
+    "close",
+    "stat",
+    "fstat",
+    "lstat",
+    "newfstatat",
+    "mmap",
+    "munmap",
+    "mprotect",
+    "brk",
+    "exit_group",
+    "exit",
+    "futex",
+    "rt_sigreturn",
+    "restart_syscall",
+    "getpid",
+    "gettid",
+    "getcwd",
+    "getdents64",
+    "readlink",
+    "readlinkat",
+    "access",
+    "faccessat",
+    "gettimeofday",
+    "clock_gettime",
+    "arch_prctl",
+    "set_tid_address",
+    "set_robust_list",
+    "rt_sigaction",
+    "rt_sigprocmask",
+    "clone3",
+    "write"
+  ];
+  NOTIFY_SYSCALLS = [
+    "ptrace",
+    "bpf",
+    "mount",
+    "umount2",
+    "userfaultfd",
+    "perf_event_open",
+    "setns",
+    "capset"
+  ];
+});
+
+// ../../src/kernel/seccomp-profile-generator.ts
+var exports_seccomp_profile_generator = {};
+__export(exports_seccomp_profile_generator, {
+  profileSummary: () => profileSummary,
+  generateSeccompProfile: () => generateSeccompProfile,
+  canonicalJson: () => canonicalJson
+});
+import { createHash } from "crypto";
+function generateSeccompProfile(trustMask, domain, agentType = "claude-code") {
+  const syscalls = buildSyscallSet(trustMask, domain);
+  const allowSet = new Set(syscalls);
+  const notifySyscalls = trustMask > 0 ? NOTIFY_SYSCALLS.filter((s) => !allowSet.has(s)) : [];
+  const kSeal = createHash("sha256").update(syscalls.sort().join(",")).digest("hex");
+  const syscallEntries = [
+    { names: syscalls, action: "SCMP_ACT_ALLOW" }
+  ];
+  if (notifySyscalls.length > 0) {
+    syscallEntries.push({ names: notifySyscalls, action: "SCMP_ACT_NOTIFY" });
+  }
+  const profile = {
+    defaultAction: "SCMP_ACT_ERRNO",
+    architectures: ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
+    syscalls: syscallEntries,
+    _kavachos: {
+      version: "1.0",
+      trust_mask: trustMask,
+      domain,
+      agent_type: agentType,
+      generated_at: new Date().toISOString(),
+      k_seal: kSeal,
+      rule_ref: "KOS-010",
+      notify_syscalls: notifySyscalls
+    }
+  };
+  const canonical = canonicalJson(profile);
+  const hash = createHash("sha256").update(canonical).digest("hex");
+  return { profile, hash, syscall_count: syscalls.length };
+}
+function canonicalJson(obj) {
+  if (obj === null || typeof obj !== "object")
+    return JSON.stringify(obj);
+  if (Array.isArray(obj))
+    return `[${obj.map(canonicalJson).join(",")}]`;
+  const sorted = Object.keys(obj).sort().map((k) => `${JSON.stringify(k)}:${canonicalJson(obj[k])}`).join(",");
+  return `{${sorted}}`;
+}
+function profileSummary(result) {
+  const { profile, hash, syscall_count } = result;
+  return [
+    `KavachOS Seccomp Profile`,
+    `  trust_mask:    0x${profile._kavachos.trust_mask.toString(16).padStart(8, "0")}`,
+    `  domain:        ${profile._kavachos.domain}`,
+    `  agent_type:    ${profile._kavachos.agent_type}`,
+    `  syscalls:      ${syscall_count}`,
+    `  notify:        ${profile._kavachos.notify_syscalls.length} syscalls (supervisor gates)`,
+    `  default:       ERRNO (deny-all unmatched)`,
+    `  k_seal:        ${profile._kavachos.k_seal.slice(0, 16)}...`,
+    `  profile_hash:  ${hash.slice(0, 16)}...`,
+    `  rule_ref:      KOS-010`
+  ].join(`
+`);
+}
+var init_seccomp_profile_generator = __esm(() => {
+  init_syscall_profiles();
+});
+
+// ../../src/kernel/falco-rule-generator.ts
+var exports_falco_rule_generator = {};
+__export(exports_falco_rule_generator, {
+  generateFalcoRules: () => generateFalcoRules
+});
+function generateFalcoRules(domain, trustMask) {
+  const baseRules = generateBaseRules(trustMask);
+  const domainRules = generateDomainRules(domain, trustMask);
+  const allRules = [...baseRules, ...domainRules];
+  const yaml = buildYaml(allRules);
+  return {
+    version: "1.0",
+    domain,
+    trust_mask: trustMask,
+    rules: yaml,
+    rule_count: allRules.length,
+    generated_at: new Date().toISOString()
+  };
+}
+function generateBaseRules(trustMask) {
+  const rules = [];
+  rules.push({
+    name: "kavachos_unexpected_execve",
+    desc: "AI agent executed a binary not in the declared tool scope (potential exfil or lateral movement)",
+    condition: `evt.type = execve and proc.name in (node, bun, claude) and not proc.args startswith "${ALLOWED_CLAUDE_BINARIES.slice(0, 8).join('" and not proc.args startswith "')}"`,
+    output: "KavachOS: unexpected execve by AI agent (agent=%proc.name cmd=%proc.cmdline user=%user.name pid=%proc.pid)",
+    priority: "WARNING",
+    tags: ["kavachos", "process", "kos-infer-004"]
+  });
+  rules.push({
+    name: "kavachos_exfil_command",
+    desc: "AI agent attempted to execute a known data exfiltration command",
+    condition: `evt.type = execve and (${EXFIL_COMMANDS.map((c) => `proc.cmdline contains "${c.split(" ")[0]}"`).join(" or ")})`,
+    output: "KavachOS: EXFIL PATTERN detected (cmd=%proc.cmdline user=%user.name pid=%proc.pid container.id=%container.id)",
+    priority: "CRITICAL",
+    tags: ["kavachos", "exfil", "kos-007"]
+  });
+  rules.push({
+    name: "kavachos_file_write_outside_scope",
+    desc: "AI agent wrote a file outside its declared working directory",
+    condition: "evt.type in (open, openat) and evt.arg.flags contains O_WRONLY and not fd.name startswith /tmp and not fd.name startswith /root/.claude and not fd.name startswith /root/",
+    output: "KavachOS: file write outside scope (file=%fd.name agent=%proc.name pid=%proc.pid)",
+    priority: "WARNING",
+    tags: ["kavachos", "file", "kos-003"]
+  });
+  rules.push({
+    name: "kavachos_credential_read",
+    desc: "AI agent read a credential or private key file",
+    condition: `evt.type in (open, openat) and (fd.name contains ".pem" or fd.name contains ".key" or fd.name contains "id_rsa" or fd.name contains "credentials" or fd.name contains ".env" or fd.name endswith ".p12" or fd.name endswith ".pfx")`,
+    output: "KavachOS: credential file access (file=%fd.name agent=%proc.name pid=%proc.pid)",
+    priority: "ERROR",
+    tags: ["kavachos", "credentials", "kos-007"]
+  });
+  if (trustMask === 0) {
+    rules.push({
+      name: "kavachos_readonly_agent_network",
+      desc: "Read-only agent (trust_mask=0) attempted network connection \u2014 violation of INF-KOS-001",
+      condition: "evt.type in (connect, sendto, sendmsg) and proc.env contains KAVACHOS_TRUST_MASK=0",
+      output: "KavachOS: read-only agent network attempt BLOCKED (agent=%proc.name dst=%fd.rip pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "trust-mask-zero", "inf-kos-001"]
+    });
+  }
+  return rules;
+}
+function generateDomainRules(domain, trustMask) {
+  switch (domain) {
+    case "maritime":
+      return generateMaritimeRules(trustMask);
+    case "logistics":
+      return generateLogisticsRules(trustMask);
+    case "ot":
+      return generateOTRules(trustMask);
+    case "finance":
+      return generateFinanceRules(trustMask);
+    default:
+      return generateGeneralRules(trustMask);
+  }
+}
+function generateMaritimeRules(_trustMask) {
+  return [
+    {
+      name: "kavachos_maritime_nmea_write",
+      desc: "Agent wrote to NMEA serial device \u2014 potential navigation system tampering (MAR-001)",
+      condition: "evt.type in (open, openat) and evt.arg.flags contains O_WRONLY and (fd.name startswith /dev/ttyS or fd.name startswith /dev/ttyUSB)",
+      output: "KavachOS MARITIME: NMEA device write attempt (device=%fd.name agent=%proc.name pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "maritime", "nmea", "mar-001"]
+    },
+    {
+      name: "kavachos_maritime_ais_inject",
+      desc: "Agent attempted to write AIS position data \u2014 potential vessel spoofing (MAR-004)",
+      condition: `evt.type = write and fd.name contains "ais" and evt.arg.data startswith "!AIVDM"`,
+      output: "KavachOS MARITIME: AIS data injection attempt (agent=%proc.name pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "maritime", "ais", "mar-004"]
+    },
+    {
+      name: "kavachos_maritime_stcw_data",
+      desc: "Agent accessed STCW crew data file without maritime trust_mask bit set",
+      condition: `evt.type in (open, openat) and (fd.name contains "stcw" or fd.name contains "crew" or fd.name contains "certificate") and not proc.env contains "KAVACHOS_DOMAIN=maritime"`,
+      output: "KavachOS MARITIME: STCW data accessed without maritime clearance (file=%fd.name agent=%proc.name)",
+      priority: "ERROR",
+      tags: ["kavachos", "maritime", "stcw", "inf-kos-005"]
+    }
+  ];
+}
+function generateLogisticsRules(_trustMask) {
+  return [
+    {
+      name: "kavachos_logistics_ebl_write",
+      desc: "Agent wrote to eBL document store without eBL trust bit \u2014 potential document fraud",
+      condition: `evt.type in (open, openat) and evt.arg.flags contains O_WRONLY and (fd.name contains "ebl" or fd.name contains "bill-of-lading") and not proc.env contains "KAVACHOS_EBL_AUTHORIZED=1"`,
+      output: "KavachOS LOGISTICS: unauthorized eBL write (file=%fd.name agent=%proc.name pid=%proc.pid)",
+      priority: "ERROR",
+      tags: ["kavachos", "logistics", "ebl"]
+    }
+  ];
+}
+function generateOTRules(_trustMask) {
+  return [
+    {
+      name: "kavachos_ot_modbus_write",
+      desc: "Agent wrote to Modbus register \u2014 potential OT control system manipulation (IEC 62443)",
+      condition: `evt.type = sendto and fd.rport = 502 and evt.arg.data != ""`,
+      output: "KavachOS OT: Modbus write detected (dst=%fd.rip:%fd.rport agent=%proc.name pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "ot", "modbus", "iec-62443"]
+    },
+    {
+      name: "kavachos_ot_alarm_suppress",
+      desc: "Agent suppressed an OT alarm signal \u2014 critical safety violation",
+      condition: `evt.type = write and (fd.name contains "alarm" or fd.name contains "safety") and evt.arg.data contains "suppress"`,
+      output: "KavachOS OT: ALARM SUPPRESS attempt (file=%fd.name agent=%proc.name pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "ot", "safety", "varuna"]
+    }
+  ];
+}
+function generateFinanceRules(_trustMask) {
+  return [
+    {
+      name: "kavachos_fin_payment_write",
+      desc: "Agent wrote payment instruction without financial authorization trust bit",
+      condition: `evt.type = sendto and (fd.rport = 443 or fd.rport = 8443) and proc.env contains "PAYMENT_INSTRUCTION" and not proc.env contains "KAVACHOS_FIN_AUTHORIZED=1"`,
+      output: "KavachOS FIN: unauthorized payment instruction (agent=%proc.name dst=%fd.rip pid=%proc.pid)",
+      priority: "CRITICAL",
+      tags: ["kavachos", "finance", "payment", "kos-fin-class3"]
+    }
+  ];
+}
+function generateGeneralRules(_trustMask) {
+  return [
+    {
+      name: "kavachos_general_shell_spawn",
+      desc: "Agent spawned an interactive shell \u2014 potential container escape vector",
+      condition: `evt.type = execve and (proc.name = "bash" or proc.name = "sh" or proc.name = "zsh") and proc.args contains "-i"`,
+      output: "KavachOS: interactive shell spawn by AI agent (agent=%proc.name cmd=%proc.cmdline pid=%proc.pid)",
+      priority: "WARNING",
+      tags: ["kavachos", "general", "shell"]
+    }
+  ];
+}
+function buildYaml(rules) {
+  return rules.map((r) => `
+- rule: ${r.name}
+  desc: ${r.desc}
+  condition: >
+    ${r.condition}
+  output: "${r.output}"
+  priority: ${r.priority}
+  tags: [${r.tags.join(", ")}]
+`).join(`
+`);
+}
+var EXFIL_COMMANDS, ALLOWED_CLAUDE_BINARIES;
+var init_falco_rule_generator = __esm(() => {
+  EXFIL_COMMANDS = [
+    "curl",
+    "wget",
+    "nc",
+    "ncat",
+    "netcat",
+    "python3 -c",
+    "python -c",
+    "bash -i",
+    "sh -i",
+    "socat",
+    "openssl s_client"
+  ];
+  ALLOWED_CLAUDE_BINARIES = [
+    "node",
+    "bun",
+    "claude",
+    "git",
+    "npm",
+    "npx",
+    "cat",
+    "grep",
+    "ls",
+    "find",
+    "sed",
+    "awk",
+    "head",
+    "tail",
+    "wc",
+    "sort",
+    "uniq",
+    "mkdir",
+    "cp",
+    "mv",
+    "rm",
+    "touch",
+    "tar",
+    "gzip",
+    "gunzip",
+    "psql",
+    "pg_dump",
+    "docker",
+    "python3",
+    "python",
+    "bash",
+    "sh",
+    "zsh"
+  ];
+});
+
+// ../../src/core/config.ts
+import { existsSync, mkdirSync, writeFileSync, readFileSync } from "fs";
+import { join } from "path";
+function getAegisDir() {
+  return AEGIS_DIR;
+}
+function getDbPath() {
+  return join(AEGIS_DIR, "aegis.db");
+}
+function ensureAegisDir() {
+  if (!existsSync(AEGIS_DIR)) {
+    mkdirSync(AEGIS_DIR, { recursive: true });
+  }
+}
+function loadConfig() {
+  ensureAegisDir();
+  if (!existsSync(CONFIG_PATH)) {
+    writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2));
+    return DEFAULT_CONFIG;
+  }
+  try {
+    const raw = readFileSync(CONFIG_PATH, "utf-8");
+    const parsed = JSON.parse(raw);
+    return { ...DEFAULT_CONFIG, ...parsed, budget: { ...DEFAULT_CONFIG.budget, ...parsed.budget } };
+  } catch {
+    return DEFAULT_CONFIG;
+  }
+}
+var AEGIS_DIR, CONFIG_PATH, DEFAULT_CONFIG;
+var init_config = __esm(() => {
+  AEGIS_DIR = join(process.env.HOME || "/root", ".aegis");
+  CONFIG_PATH = join(AEGIS_DIR, "config.json");
+  DEFAULT_CONFIG = {
+    plan: "max_5x",
+    budget: {
+      daily_limit_usd: 100,
+      weekly_limit_usd: 400,
+      monthly_limit_usd: 1200,
+      session_limit_usd: 25,
+      messages_per_5h: 225,
+      tokens_per_5h: 50000000,
+      weekly_messages: 3150,
+      weekly_tokens: 700000000,
+      spawn_limit_per_session: 50,
+      spawn_concurrent_max: 20,
+      cost_estimate_threshold_usd: 10,
+      max_depth: 5
+    },
+    heartbeat: {
+      timeout_seconds: 300,
+      action: "alert"
+    },
+    pricing_mode: "api",
+    max_plan_discount: 0.2,
+    dashboard: {
+      port: 4850,
+      auth: {
+        enabled: false,
+        username: "aegis",
+        password: "changeme"
+      }
+    },
+    monitor: {
+      health_port: 4851,
+      watch_paths: ["~/.claude/projects"],
+      poll_interval_ms: 2000
+    },
+    alerts: {
+      terminal_bell: true,
+      webhook_url: null
+    },
+    kavach: {
+      enabled: true,
+      notify_channel: "telegram",
+      notify_telegram_chat_id: process.env.KAVACH_TG_CHAT_ID || "",
+      notify_phone: process.env.KAVACH_NOTIFY_PHONE || "",
+      notify_email: process.env.KAVACH_NOTIFY_EMAIL || "",
+      notify_via_webhook: false,
+      webhook_url: "",
+      timeout_level1_s: 600,
+      timeout_level2_s: 300,
+      timeout_level3_s: 120,
+      timeout_level4_s: 60
+    },
+    enforcement: {
+      mode: "alert",
+      excluded_pids: [],
+      excluded_ppids: [],
+      registry_url: null,
+      registry_admin_key: null,
+      auto_restart_services: [],
+      auto_restart_delay_ms: 3000
+    }
+  };
+});
+
+// ../../src/core/db.ts
+var exports_db = {};
+__export(exports_db, {
+  upsertSession: () => upsertSession,
+  upsertAgent: () => upsertAgent,
+  touchAgent: () => touchAgent,
+  setSessionStatus: () => setSessionStatus,
+  setAgentState: () => setAgentState,
+  requestStop: () => requestStop,
+  recordDashboardAccess: () => recordDashboardAccess,
+  recordAgentUsage: () => recordAgentUsage,
+  rebalanceBudget: () => rebalanceBudget,
+  markKavachNotified: () => markKavachNotified,
+  listAgentRows: () => listAgentRows,
+  listActiveSessions: () => listActiveSessions,
+  isStopRequested: () => isStopRequested,
+  incrementViolationCount: () => incrementViolationCount,
+  getWindowBudget: () => getWindowBudget,
+  getSessionSpawnCount: () => getSessionSpawnCount,
+  getSession: () => getSession,
+  getRecentApprovals: () => getRecentApprovals,
+  getRecentAlerts: () => getRecentAlerts,
+  getPendingApprovals: () => getPendingApprovals,
+  getKavachApproval: () => getKavachApproval,
+  getDistinctDashboardIpCount: () => getDistinctDashboardIpCount,
+  getDb: () => getDb,
+  getDailySpend: () => getDailySpend,
+  getCostTree: () => getCostTree,
+  getBudgetState: () => getBudgetState,
+  getAgentRow: () => getAgentRow,
+  getAgentCostProjection: () => getAgentCostProjection,
+  decideKavachApproval: () => decideKavachApproval,
+  createKavachApproval: () => createKavachApproval,
+  checkBudgetInheritance: () => checkBudgetInheritance,
+  addUsage: () => addUsage,
+  addToBudget: () => addToBudget,
+  addAlert: () => addAlert
+});
+import { Database } from "bun:sqlite";
+function getDb() {
+  if (_db)
+    return _db;
+  ensureAegisDir();
+  _db = new Database(getDbPath(), { create: true });
+  _db.exec("PRAGMA journal_mode = WAL");
+  _db.exec("PRAGMA busy_timeout = 5000");
+  initSchema(_db);
+  return _db;
+}
+function initSchema(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS usage_log (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT NOT NULL,
+      timestamp TEXT NOT NULL,
+      model TEXT,
+      input_tokens INTEGER DEFAULT 0,
+      output_tokens INTEGER DEFAULT 0,
+      cache_read_tokens INTEGER DEFAULT 0,
+      cache_creation_tokens INTEGER DEFAULT 0,
+      estimated_cost_usd REAL DEFAULT 0,
+      is_agent_spawn INTEGER DEFAULT 0,
+      raw_json TEXT
+    );
+
+    CREATE TABLE IF NOT EXISTS sessions (
+      session_id TEXT PRIMARY KEY,
+      project_path TEXT,
+      first_seen TEXT NOT NULL,
+      last_activity TEXT NOT NULL,
+      total_cost_usd REAL DEFAULT 0,
+      message_count INTEGER DEFAULT 0,
+      agent_spawns INTEGER DEFAULT 0,
+      status TEXT DEFAULT 'active'
+    );
+
+    CREATE TABLE IF NOT EXISTS budget_state (
+      period TEXT PRIMARY KEY,
+      spent_usd REAL DEFAULT 0,
+      limit_usd REAL,
+      last_updated TEXT
+    );
+
+    CREATE TABLE IF NOT EXISTS alerts (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      type TEXT NOT NULL,
+      severity TEXT NOT NULL,
+      message TEXT,
+      session_id TEXT,
+      timestamp TEXT NOT NULL,
+      acknowledged INTEGER DEFAULT 0
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_usage_session ON usage_log(session_id);
+    CREATE INDEX IF NOT EXISTS idx_usage_timestamp ON usage_log(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_alerts_timestamp ON alerts(timestamp);
+
+    CREATE TABLE IF NOT EXISTS kavach_approvals (
+      id TEXT PRIMARY KEY,
+      created_at TEXT NOT NULL,
+      command TEXT NOT NULL,
+      tool_name TEXT NOT NULL DEFAULT 'Bash',
+      level INTEGER NOT NULL,
+      consequence TEXT NOT NULL,
+      session_id TEXT NOT NULL DEFAULT '',
+      status TEXT NOT NULL DEFAULT 'pending',
+      first_approver TEXT,
+      decided_at TEXT,
+      decided_by TEXT,
+      notified INTEGER DEFAULT 0,
+      timeout_ms INTEGER NOT NULL DEFAULT 600000
+    );
+
+    -- Migration: add first_approver if upgrading from older schema
+    CREATE INDEX IF NOT EXISTS idx_kavach_status ON kavach_approvals(status);
+    CREATE INDEX IF NOT EXISTS idx_kavach_created ON kavach_approvals(created_at);
+
+    -- Phase 2: durable agent session registry (V2-040)
+    -- @rule:KAV-002 Agent check-in, KAV-008 quarantine survives restart, KAV-011 identity
+    CREATE TABLE IF NOT EXISTS agents (
+      agent_id TEXT PRIMARY KEY,
+      state TEXT NOT NULL DEFAULT 'RUNNING',
+      identity_confidence TEXT NOT NULL DEFAULT 'unknown',
+      parent_id TEXT,
+      session_id TEXT NOT NULL,
+      depth INTEGER DEFAULT 0,
+      budget_cap_usd REAL DEFAULT 0,
+      budget_used_usd REAL DEFAULT 0,
+      budget_pool_reserved REAL DEFAULT 0,
+      tool_calls INTEGER DEFAULT 0,
+      loop_count INTEGER DEFAULT 0,
+      tools_declared INTEGER DEFAULT 0,
+      violation_count INTEGER DEFAULT 0,
+      spawn_timestamp TEXT NOT NULL,
+      last_seen TEXT NOT NULL,
+      policy_path TEXT,
+      stop_requested INTEGER DEFAULT 0,
+      quarantine_reason TEXT,
+      quarantine_rule TEXT,
+      release_reason TEXT,
+      released_by TEXT,
+      resume_manifest_path TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agents_state ON agents(state);
+    CREATE INDEX IF NOT EXISTS idx_agents_session ON agents(session_id);
+    CREATE INDEX IF NOT EXISTS idx_agents_last_seen ON agents(last_seen);
+
+    -- @rule:KAV-066 \u2014 hosted-service detection (V2-101)
+    -- Logs each unique IP that accesses the dashboard; watchdog checks distinct IP count
+    CREATE TABLE IF NOT EXISTS dashboard_access (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      ip TEXT NOT NULL,
+      timestamp TEXT NOT NULL,
+      path TEXT
+    );
+    CREATE INDEX IF NOT EXISTS idx_dashboard_access_ip ON dashboard_access(ip);
+    CREATE INDEX IF NOT EXISTS idx_dashboard_access_ts ON dashboard_access(timestamp);
+  `);
+  try {
+    db.exec(`ALTER TABLE kavach_approvals ADD COLUMN first_approver TEXT`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE agents ADD COLUMN loop_count INTEGER DEFAULT 0`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE agents ADD COLUMN tools_declared INTEGER DEFAULT 0`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE agents ADD COLUMN stop_requested INTEGER DEFAULT 0`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE agents ADD COLUMN budget_pool_reserved REAL DEFAULT 0`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE agents ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE kavach_approvals ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE alerts ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+  } catch {}
+  try {
+    db.exec(`ALTER TABLE sessions ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+  } catch {}
+  try {
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_agents_tenant ON agents(tenant_id)`);
+  } catch {}
+  try {
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_approvals_tenant ON kavach_approvals(tenant_id)`);
+  } catch {}
+  try {
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_alerts_tenant ON alerts(tenant_id)`);
+  } catch {}
+}
+function recordDashboardAccess(ip, path) {
+  const db = getDb();
+  db.run("INSERT INTO dashboard_access (ip, timestamp, path) VALUES (?, ?, ?)", [ip, new Date().toISOString(), path]);
+}
+function getDistinctDashboardIpCount(sinceHours = 24 * 7) {
+  const db = getDb();
+  const since = new Date(Date.now() - sinceHours * 60 * 60 * 1000).toISOString();
+  const row = db.query("SELECT COUNT(DISTINCT ip) as cnt FROM dashboard_access WHERE timestamp >= ?").get(since);
+  return row?.cnt ?? 0;
+}
+function addUsage(record) {
+  const db = getDb();
+  db.run(`INSERT INTO usage_log (session_id, timestamp, model, input_tokens, output_tokens, cache_read_tokens, cache_creation_tokens, estimated_cost_usd, is_agent_spawn, raw_json)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, [
+    record.session_id,
+    record.timestamp,
+    record.model,
+    record.input_tokens,
+    record.output_tokens,
+    record.cache_read_tokens,
+    record.cache_creation_tokens,
+    record.estimated_cost_usd,
+    record.is_agent_spawn ? 1 : 0,
+    record.raw_json || null
+  ]);
+}
+function upsertSession(session_id, project_path, cost, is_spawn) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  const existing = db.query("SELECT * FROM sessions WHERE session_id = ?").get(session_id);
+  if (existing) {
+    db.run(`UPDATE sessions SET last_activity = ?, total_cost_usd = total_cost_usd + ?, message_count = message_count + 1,
+       agent_spawns = agent_spawns + ? WHERE session_id = ?`, [now, cost, is_spawn ? 1 : 0, session_id]);
+  } else {
+    db.run(`INSERT INTO sessions (session_id, project_path, first_seen, last_activity, total_cost_usd, message_count, agent_spawns, status)
+       VALUES (?, ?, ?, ?, ?, 1, ?, 'active')`, [session_id, project_path, now, now, cost, is_spawn ? 1 : 0]);
+  }
+}
+function listActiveSessions() {
+  const db = getDb();
+  return db.query("SELECT * FROM sessions WHERE status IN ('active', 'paused') ORDER BY last_activity DESC").all();
+}
+function getSession(session_id) {
+  const db = getDb();
+  return db.query("SELECT * FROM sessions WHERE session_id = ?").get(session_id);
+}
+function setSessionStatus(session_id, status) {
+  const db = getDb();
+  db.run("UPDATE sessions SET status = ? WHERE session_id = ?", [status, session_id]);
+}
+function getSessionSpawnCount(session_id) {
+  const db = getDb();
+  const row = db.query("SELECT agent_spawns FROM sessions WHERE session_id = ?").get(session_id);
+  return row?.agent_spawns || 0;
+}
+function periodKey(type) {
+  const now = new Date;
+  if (type === "daily")
+    return `daily:${now.toISOString().slice(0, 10)}`;
+  if (type === "weekly") {
+    const d = new Date(now);
+    d.setDate(d.getDate() - d.getDay());
+    return `weekly:${d.toISOString().slice(0, 10)}`;
+  }
+  return `monthly:${now.toISOString().slice(0, 7)}`;
+}
+function addToBudget(cost, limits) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  for (const [type, limit] of [["daily", limits.daily], ["weekly", limits.weekly], ["monthly", limits.monthly]]) {
+    const key = periodKey(type);
+    const existing = db.query("SELECT * FROM budget_state WHERE period = ?").get(key);
+    if (existing) {
+      db.run("UPDATE budget_state SET spent_usd = spent_usd + ?, last_updated = ? WHERE period = ?", [cost, now, key]);
+    } else {
+      db.run("INSERT INTO budget_state (period, spent_usd, limit_usd, last_updated) VALUES (?, ?, ?, ?)", [key, cost, limit, now]);
+    }
+  }
+}
+function getBudgetState(type, limit) {
+  const db = getDb();
+  const key = periodKey(type);
+  const row = db.query("SELECT * FROM budget_state WHERE period = ?").get(key);
+  const spent = row?.spent_usd || 0;
+  return {
+    period: key,
+    spent_usd: spent,
+    limit_usd: limit,
+    remaining_usd: Math.max(0, limit - spent),
+    percent: limit > 0 ? Math.min(100, spent / limit * 100) : 0
+  };
+}
+function getDailySpend() {
+  const db = getDb();
+  const key = periodKey("daily");
+  const row = db.query("SELECT spent_usd FROM budget_state WHERE period = ?").get(key);
+  return row?.spent_usd || 0;
+}
+function getWindowBudget(window_type, messages_limit, tokens_limit) {
+  const db = getDb();
+  const now = Date.now();
+  const windowMs = window_type === "5h" ? 5 * 60 * 60 * 1000 : 7 * 24 * 60 * 60 * 1000;
+  const windowStart = new Date(now - windowMs).toISOString();
+  const windowEnd = new Date(now + windowMs).toISOString();
+  const row = db.query(`
+    SELECT
+      COUNT(*) as message_count,
+      COALESCE(SUM(input_tokens + output_tokens + cache_read_tokens + cache_creation_tokens), 0) as total_tokens
+    FROM usage_log
+    WHERE timestamp >= ?
+  `).get(windowStart);
+  const messages_used = row?.message_count || 0;
+  const tokens_used = row?.total_tokens || 0;
+  const msgPct = messages_limit > 0 ? messages_used / messages_limit * 100 : 0;
+  const tokPct = tokens_limit > 0 ? tokens_used / tokens_limit * 100 : 0;
+  const percent = Math.min(100, Math.max(msgPct, tokPct));
+  const oldestInWindow = db.query(`
+    SELECT MIN(timestamp) as oldest FROM usage_log WHERE timestamp >= ?
+  `).get(windowStart);
+  let time_to_reset_s = Math.floor(windowMs / 1000);
+  if (oldestInWindow?.oldest) {
+    const oldestMs = new Date(oldestInWindow.oldest).getTime();
+    time_to_reset_s = Math.max(0, Math.floor((oldestMs + windowMs - now) / 1000));
+  }
+  return {
+    window_type,
+    window_start: windowStart,
+    window_end: windowEnd,
+    messages_used,
+    messages_limit,
+    tokens_used,
+    tokens_limit,
+    percent,
+    time_to_reset_s
+  };
+}
+function addAlert(alert) {
+  const db = getDb();
+  db.run("INSERT INTO alerts (type, severity, message, session_id, timestamp, acknowledged) VALUES (?, ?, ?, ?, ?, 0)", [alert.type, alert.severity, alert.message, alert.session_id || null, alert.timestamp]);
+}
+function getRecentAlerts(limit = 50) {
+  const db = getDb();
+  return db.query("SELECT * FROM alerts ORDER BY timestamp DESC LIMIT ?").all(limit);
+}
+function createKavachApproval(approval) {
+  const db = getDb();
+  const record = {
+    ...approval,
+    status: "pending",
+    first_approver: null,
+    decided_at: null,
+    decided_by: null,
+    notified: false
+  };
+  db.run(`INSERT INTO kavach_approvals (id, created_at, command, tool_name, level, consequence, session_id, status, first_approver, decided_at, decided_by, notified, timeout_ms)
+     VALUES (?, ?, ?, ?, ?, ?, ?, 'pending', NULL, NULL, NULL, 0, ?)`, [record.id, record.created_at, record.command, record.tool_name, record.level, record.consequence, record.session_id, record.timeout_ms]);
+  return record;
+}
+function getKavachApproval(id) {
+  const db = getDb();
+  return db.query("SELECT * FROM kavach_approvals WHERE id = ?").get(id);
+}
+function getPendingApprovals() {
+  const db = getDb();
+  return db.query("SELECT * FROM kavach_approvals WHERE status IN ('pending', 'pending_second') ORDER BY created_at DESC").all();
+}
+function decideKavachApproval(id, decision, decidedBy, opts = { dual_control: false, require_different_approvers: false }) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  const approval = getKavachApproval(id);
+  if (!approval)
+    return false;
+  if (decision === "STOP" || decision === "TIMEOUT") {
+    const status = decision === "STOP" ? "stopped" : "timed_out";
+    const result = db.run("UPDATE kavach_approvals SET status = ?, decided_at = ?, decided_by = ? WHERE id = ? AND status IN ('pending', 'pending_second')", [status, now, decidedBy, id]);
+    return (result.changes ?? 0) > 0;
+  }
+  if (decision === "EXPLAIN") {
+    const result = db.run("UPDATE kavach_approvals SET status = 'explained', decided_at = ?, decided_by = ? WHERE id = ? AND status = 'pending'", [now, decidedBy, id]);
+    return (result.changes ?? 0) > 0;
+  }
+  if (approval.status === "pending") {
+    const isDualControl = opts.dual_control && approval.level === 4;
+    if (isDualControl) {
+      const result2 = db.run("UPDATE kavach_approvals SET status = 'pending_second', first_approver = ? WHERE id = ? AND status = 'pending'", [decidedBy, id]);
+      return (result2.changes ?? 0) > 0;
+    }
+    const result = db.run("UPDATE kavach_approvals SET status = 'allowed', decided_at = ?, decided_by = ? WHERE id = ? AND status = 'pending'", [now, decidedBy, id]);
+    return (result.changes ?? 0) > 0;
+  }
+  if (approval.status === "pending_second" && decision === "ALLOW") {
+    if (opts.require_different_approvers && approval.first_approver === decidedBy) {
+      return false;
+    }
+    const result = db.run("UPDATE kavach_approvals SET status = 'allowed', decided_at = ?, decided_by = ? WHERE id = ? AND status = 'pending_second'", [now, decidedBy, id]);
+    return (result.changes ?? 0) > 0;
+  }
+  return false;
+}
+function markKavachNotified(id) {
+  const db = getDb();
+  db.run("UPDATE kavach_approvals SET notified = 1 WHERE id = ?", [id]);
+}
+function getRecentApprovals(limit = 20) {
+  const db = getDb();
+  return db.query("SELECT * FROM kavach_approvals ORDER BY created_at DESC LIMIT ?").all(limit);
+}
+function upsertAgent(agent) {
+  const db = getDb();
+  db.run(`INSERT INTO agents (
+      agent_id, state, identity_confidence, parent_id, session_id, depth,
+      budget_cap_usd, budget_used_usd, budget_pool_reserved,
+      tool_calls, loop_count, tools_declared, violation_count,
+      spawn_timestamp, last_seen, policy_path, stop_requested,
+      quarantine_reason, quarantine_rule, release_reason, released_by, resume_manifest_path
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(agent_id) DO UPDATE SET
+      state = excluded.state,
+      identity_confidence = excluded.identity_confidence,
+      parent_id = excluded.parent_id,
+      budget_used_usd = excluded.budget_used_usd,
+      budget_pool_reserved = excluded.budget_pool_reserved,
+      tool_calls = excluded.tool_calls,
+      loop_count = excluded.loop_count,
+      tools_declared = excluded.tools_declared,
+      violation_count = excluded.violation_count,
+      last_seen = excluded.last_seen,
+      stop_requested = excluded.stop_requested,
+      quarantine_reason = excluded.quarantine_reason,
+      quarantine_rule = excluded.quarantine_rule,
+      release_reason = excluded.release_reason,
+      released_by = excluded.released_by,
+      resume_manifest_path = excluded.resume_manifest_path`, [
+    agent.agent_id,
+    agent.state,
+    agent.identity_confidence,
+    agent.parent_id,
+    agent.session_id,
+    agent.depth,
+    agent.budget_cap_usd,
+    agent.budget_used_usd,
+    agent.budget_pool_reserved,
+    agent.tool_calls,
+    agent.loop_count,
+    agent.tools_declared,
+    agent.violation_count,
+    agent.spawn_timestamp,
+    agent.last_seen,
+    agent.policy_path,
+    agent.stop_requested ? 1 : 0,
+    agent.quarantine_reason,
+    agent.quarantine_rule,
+    agent.release_reason,
+    agent.released_by,
+    agent.resume_manifest_path
+  ]);
+}
+function touchAgent(agentId) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  db.run("UPDATE agents SET last_seen = ?, tool_calls = tool_calls + 1, loop_count = loop_count + 1 WHERE agent_id = ? AND state = 'RUNNING'", [now, agentId]);
+}
+function setAgentState(agentId, state, meta = {}) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  db.run(`UPDATE agents SET state = ?, last_seen = ?,
+      quarantine_reason = CASE WHEN ? = 'QUARANTINED' THEN ? ELSE quarantine_reason END,
+      quarantine_rule   = CASE WHEN ? = 'QUARANTINED' THEN ? ELSE quarantine_rule END,
+      release_reason    = CASE WHEN ? = 'RUNNING' THEN ? ELSE release_reason END,
+      released_by       = CASE WHEN ? = 'RUNNING' THEN ? ELSE released_by END,
+      resume_manifest_path = COALESCE(?, resume_manifest_path)
+     WHERE agent_id = ?`, [
+    state,
+    now,
+    state,
+    meta.reason ?? null,
+    state,
+    meta.rule ?? null,
+    state,
+    meta.reason ?? null,
+    state,
+    meta.released_by ?? null,
+    meta.resume_manifest_path ?? null,
+    agentId
+  ]);
+}
+function requestStop(agentId) {
+  const db = getDb();
+  db.run("UPDATE agents SET stop_requested = 1 WHERE agent_id = ?", [agentId]);
+}
+function isStopRequested(agentId) {
+  const db = getDb();
+  const row = db.query("SELECT stop_requested FROM agents WHERE agent_id = ?").get(agentId);
+  return (row?.stop_requested ?? 0) === 1;
+}
+function getAgentRow(agentId) {
+  const db = getDb();
+  return db.query("SELECT * FROM agents WHERE agent_id = ?").get(agentId);
+}
+function listAgentRows(states) {
+  const db = getDb();
+  if (!states || states.length === 0) {
+    return db.query("SELECT * FROM agents ORDER BY spawn_timestamp DESC").all();
+  }
+  const placeholders = states.map(() => "?").join(",");
+  return db.query(`SELECT * FROM agents WHERE state IN (${placeholders}) ORDER BY spawn_timestamp DESC`).all(...states);
+}
+function incrementViolationCount(agentId) {
+  const db = getDb();
+  db.run("UPDATE agents SET violation_count = violation_count + 1 WHERE agent_id = ?", [agentId]);
+  const row = db.query("SELECT violation_count FROM agents WHERE agent_id = ?").get(agentId);
+  return row?.violation_count ?? 0;
+}
+function recordAgentUsage(opts) {
+  const db = getDb();
+  const now = new Date().toISOString();
+  db.run("UPDATE agents SET budget_used_usd = budget_used_usd + ? WHERE agent_id = ?", [opts.cost_usd, opts.agent_id]);
+  db.run(`INSERT INTO usage_log (session_id, timestamp, model, input_tokens, output_tokens, cache_read_tokens, cache_creation_tokens, estimated_cost_usd, is_agent_spawn, raw_json)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?)`, [
+    opts.agent_id,
+    now,
+    opts.model,
+    opts.input_tokens,
+    opts.output_tokens,
+    opts.cache_read_tokens ?? 0,
+    opts.cache_creation_tokens ?? 0,
+    opts.cost_usd,
+    null
+  ]);
+}
+function checkBudgetInheritance(opts) {
+  if (opts.child_cap_usd <= 0)
+    return { allowed: true };
+  const db = getDb();
+  const parent = db.query("SELECT budget_cap_usd, budget_used_usd, budget_pool_reserved FROM agents WHERE agent_id = ?").get(opts.parent_id);
+  if (!parent)
+    return { allowed: true };
+  const parentRemaining = parent.budget_cap_usd - parent.budget_used_usd - parent.budget_pool_reserved;
+  if (parentRemaining < opts.child_cap_usd) {
+    return {
+      allowed: false,
+      error: `Budget inheritance rejected: parent ${opts.parent_id} remaining $${parentRemaining.toFixed(4)} < child cap $${opts.child_cap_usd.toFixed(4)} (KAV-018)`
+    };
+  }
+  db.run("UPDATE agents SET budget_pool_reserved = budget_pool_reserved + ? WHERE agent_id = ?", [opts.child_cap_usd, opts.parent_id]);
+  return { allowed: true };
+}
+function rebalanceBudget(agentId) {
+  const db = getDb();
+  const agent = db.query("SELECT parent_id, budget_cap_usd, budget_used_usd FROM agents WHERE agent_id = ?").get(agentId);
+  if (!agent || !agent.parent_id || agent.budget_cap_usd <= 0)
+    return;
+  const unused = Math.max(0, agent.budget_cap_usd - agent.budget_used_usd);
+  if (unused <= 0)
+    return;
+  db.run(`UPDATE agents SET
+      budget_pool_reserved = MAX(0, budget_pool_reserved - ?),
+      budget_used_usd = budget_used_usd + ?
+     WHERE agent_id = ?`, [agent.budget_cap_usd, -unused, agent.parent_id]);
+}
+function getAgentCostProjection(agentId) {
+  const db = getDb();
+  const agent = db.query("SELECT budget_cap_usd, budget_used_usd, tool_calls FROM agents WHERE agent_id = ?").get(agentId);
+  if (!agent || agent.budget_cap_usd <= 0)
+    return null;
+  const avgCostPerCall = agent.tool_calls > 0 ? agent.budget_used_usd / agent.tool_calls : 0;
+  const projected = agent.budget_used_usd + avgCostPerCall * agent.tool_calls * 0.3;
+  const pct = projected / agent.budget_cap_usd * 100;
+  return {
+    budget_used_usd: agent.budget_used_usd,
+    budget_cap_usd: agent.budget_cap_usd,
+    projected_total_usd: projected,
+    pct_of_cap: pct,
+    alert_level: pct >= 95 ? "soft_stop" : pct >= 80 ? "warn" : "ok"
+  };
+}
+function getCostTree(sessionId) {
+  const db = getDb();
+  const rows = sessionId ? db.query("SELECT * FROM agents WHERE session_id = ? ORDER BY depth, spawn_timestamp").all(sessionId) : db.query("SELECT * FROM agents ORDER BY depth, spawn_timestamp DESC LIMIT 200").all();
+  const nodeMap = new Map;
+  const roots = [];
+  for (const row of rows) {
+    const node = {
+      agent_id: row.agent_id,
+      state: row.state,
+      depth: row.depth,
+      budget_cap_usd: row.budget_cap_usd,
+      budget_used_usd: row.budget_used_usd,
+      budget_pool_reserved: row.budget_pool_reserved,
+      tool_calls: row.tool_calls,
+      violation_count: row.violation_count,
+      children: []
+    };
+    nodeMap.set(row.agent_id, node);
+  }
+  for (const row of rows) {
+    const node = nodeMap.get(row.agent_id);
+    if (row.parent_id && nodeMap.has(row.parent_id)) {
+      nodeMap.get(row.parent_id).children.push(node);
+    } else {
+      roots.push(node);
+    }
+  }
+  return roots;
+}
+var _db = null;
+var init_db = __esm(() => {
+  init_config();
+});
+
+// ../../src/kernel/profile-store.ts
+var exports_profile_store = {};
+__export(exports_profile_store, {
+  verifyReceiptChain: () => verifyReceiptChain,
+  storeProfile: () => storeProfile,
+  recordKernelReceipt: () => recordKernelReceipt,
+  getReceiptChain: () => getReceiptChain,
+  getProfileForAgent: () => getProfileForAgent,
+  getProfile: () => getProfile,
+  ensureKernelSchema: () => ensureKernelSchema,
+  checkProfileDrift: () => checkProfileDrift
+});
+import { createHash as createHash2 } from "crypto";
+function ensureKernelSchema() {
+  const db = getDb();
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS kernel_profiles (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT NOT NULL,
+      agent_id TEXT,
+      profile_hash TEXT NOT NULL,
+      trust_mask INTEGER NOT NULL,
+      domain TEXT NOT NULL,
+      agent_type TEXT NOT NULL DEFAULT 'claude-code',
+      syscall_count INTEGER NOT NULL,
+      profile_json TEXT NOT NULL,
+      stored_at TEXT NOT NULL,
+      profile_path TEXT,
+      UNIQUE(session_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS kernel_receipts (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      receipt_id TEXT NOT NULL UNIQUE,
+      session_id TEXT NOT NULL,
+      agent_id TEXT,
+      event_type TEXT NOT NULL,
+      syscall TEXT,
+      falco_rule TEXT,
+      severity TEXT NOT NULL DEFAULT 'WARN',
+      violation_details TEXT,
+      profile_hash TEXT,
+      receipt_hash TEXT NOT NULL,
+      prev_receipt_hash TEXT,
+      sealed_at TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS kernel_drift_events (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT NOT NULL,
+      stored_hash TEXT NOT NULL,
+      actual_hash TEXT NOT NULL,
+      detected_at TEXT NOT NULL
+    );
+  `);
+}
+function storeProfile(sessionId, agentId, profile, profilePath = null) {
+  ensureKernelSchema();
+  const db = getDb();
+  const profileJson = JSON.stringify(profile);
+  const hash = createHash2("sha256").update(canonicalJson(profile)).digest("hex");
+  const syscallCount = profile.syscalls[0]?.names.length ?? 0;
+  db.run(`INSERT OR REPLACE INTO kernel_profiles
+     (session_id, agent_id, profile_hash, trust_mask, domain, agent_type, syscall_count, profile_json, stored_at, profile_path)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, [
+    sessionId,
+    agentId,
+    hash,
+    profile._kavachos.trust_mask,
+    profile._kavachos.domain,
+    profile._kavachos.agent_type,
+    syscallCount,
+    profileJson,
+    new Date().toISOString(),
+    profilePath
+  ]);
+  return hash;
+}
+function getProfile(sessionId) {
+  ensureKernelSchema();
+  const db = getDb();
+  return db.query("SELECT * FROM kernel_profiles WHERE session_id = ?").get(sessionId) ?? null;
+}
+function getProfileForAgent(agentId, sessionId) {
+  ensureKernelSchema();
+  const db = getDb();
+  if (sessionId) {
+    return db.query("SELECT * FROM kernel_profiles WHERE agent_id = ? AND session_id = ? ORDER BY stored_at DESC LIMIT 1").get(agentId, sessionId) ?? null;
+  }
+  return db.query("SELECT * FROM kernel_profiles WHERE agent_id = ? ORDER BY stored_at DESC LIMIT 1").get(agentId) ?? null;
+}
+function checkProfileDrift(sessionId) {
+  const stored = getProfile(sessionId);
+  if (!stored)
+    return null;
+  const profile = JSON.parse(stored.profile_json);
+  const actualHash = createHash2("sha256").update(canonicalJson(profile)).digest("hex");
+  if (actualHash !== stored.profile_hash) {
+    const event = {
+      session_id: sessionId,
+      stored_hash: stored.profile_hash,
+      actual_hash: actualHash,
+      detected_at: new Date().toISOString()
+    };
+    const db = getDb();
+    db.run("INSERT INTO kernel_drift_events (session_id, stored_hash, actual_hash, detected_at) VALUES (?, ?, ?, ?)", [event.session_id, event.stored_hash, event.actual_hash, event.detected_at]);
+    return event;
+  }
+  return null;
+}
+function recordKernelReceipt(receiptId, sessionId, agentId, eventType, details) {
+  ensureKernelSchema();
+  const db = getDb();
+  db.run(`INSERT OR IGNORE INTO kernel_receipts
+     (receipt_id, session_id, agent_id, event_type, syscall, falco_rule, severity,
+      violation_details, profile_hash, receipt_hash, prev_receipt_hash, sealed_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, [
+    receiptId,
+    sessionId,
+    agentId,
+    eventType,
+    details.syscall ?? null,
+    details.falco_rule ?? null,
+    details.severity ?? "WARN",
+    details.violation_details ?? null,
+    details.profile_hash ?? null,
+    details.receipt_hash,
+    details.prev_receipt_hash ?? null,
+    new Date().toISOString()
+  ]);
+}
+function getReceiptChain(sessionId) {
+  ensureKernelSchema();
+  const db = getDb();
+  return db.query("SELECT receipt_id, receipt_hash, prev_receipt_hash, sealed_at FROM kernel_receipts WHERE session_id = ? ORDER BY id ASC").all(sessionId);
+}
+function verifyReceiptChain(sessionId) {
+  const chain = getReceiptChain(sessionId);
+  if (chain.length === 0)
+    return { valid: true, receipt_count: 0 };
+  let prevHash = null;
+  for (const receipt of chain) {
+    if (receipt.prev_receipt_hash !== prevHash) {
+      return { valid: false, gap_at: receipt.receipt_id, receipt_count: chain.length };
+    }
+    prevHash = receipt.receipt_hash;
+  }
+  return { valid: true, receipt_count: chain.length };
+}
+var init_profile_store = __esm(() => {
+  init_db();
+  init_seccomp_profile_generator();
+});
+
+// ../../src/kernel/kernel-receipt.ts
+import { createHash as createHash3, randomBytes } from "crypto";
+function sealKernelViolation(event) {
+  const receiptId = `KOS-PRAMANA-${randomBytes(8).toString("hex").toUpperCase()}`;
+  const sealedAt = new Date().toISOString();
+  const chain = getReceiptChain(event.session_id);
+  const prevHash = chain.length > 0 ? chain[chain.length - 1].receipt_hash : null;
+  const receiptHash = createHash3("sha256").update(`${receiptId}|${event.session_id}|${event.event_type}|${sealedAt}|${prevHash ?? "GENESIS"}`).digest("hex");
+  recordKernelReceipt(receiptId, event.session_id, event.agent_id ?? null, event.event_type, {
+    syscall: event.syscall,
+    falco_rule: event.falco_rule,
+    severity: event.severity ?? "WARN",
+    violation_details: event.violation_details,
+    profile_hash: event.profile_hash,
+    prev_receipt_hash: prevHash ?? undefined,
+    receipt_hash: receiptHash
+  });
+  return {
+    receipt_id: receiptId,
+    session_id: event.session_id,
+    event_type: event.event_type,
+    receipt_hash: receiptHash,
+    prev_receipt_hash: prevHash,
+    sealed_at: sealedAt,
+    pramana_version: "1.1",
+    rule_ref: "KOS-005"
+  };
+}
+function parseFalcoEvent(line) {
+  try {
+    const parsed = JSON.parse(line);
+    const priority = (parsed.priority ?? "WARNING").toUpperCase();
+    const severity = priority === "CRITICAL" || priority === "ERROR" ? "CRITICAL" : priority === "WARNING" ? "WARN" : "WARN";
+    return {
+      session_id: parsed.output_fields?.proc_env?.KAVACHOS_SESSION_ID ?? "unknown",
+      agent_id: parsed.output_fields?.proc_env?.KAVACHOS_AGENT_ID ?? null,
+      event_type: "FALCO_ALERT",
+      falco_rule: parsed.rule,
+      violation_details: parsed.output,
+      severity
+    };
+  } catch {
+    return null;
+  }
+}
+function checkViolationRate(events, windowMs = 60000) {
+  const cutoff = Date.now() - windowMs;
+  const recent = events.filter((e) => new Date(e.sealed_at).getTime() > cutoff);
+  return recent.length > 5;
+}
+var init_kernel_receipt = __esm(() => {
+  init_profile_store();
+});
+
+// ../../src/kernel/egress-policy.ts
+function buildEgressPolicy(trustMask, domain) {
+  const allow = [...BASE_ALLOW];
+  const extras = DOMAIN_EXTRA[domain] ?? DOMAIN_EXTRA.general;
+  allow.push(...extras);
+  for (let bit = 0;bit < 32; bit++) {
+    if (trustMask & 1 << bit) {
+      const extra = TRUST_MASK_EGRESS[bit] ?? [];
+      allow.push(...extra);
+    }
+  }
+  if (!(trustMask & 1 << 6)) {
+    allow.push({ host: "127.0.0.1", port: 0, note: "loopback" });
+    allow.push({ host: "::1", port: 0, note: "loopback IPv6" });
+  }
+  return { domain, trust_mask: trustMask, allow };
+}
+function serialiseEgressPolicy(policy) {
+  return JSON.stringify(policy, null, 2);
+}
+var BASE_ALLOW, DOMAIN_EXTRA, TRUST_MASK_EGRESS;
+var init_egress_policy = __esm(() => {
+  BASE_ALLOW = [
+    { host: "api.anthropic.com", port: 443, note: "Anthropic API" },
+    { host: "api.openai.com", port: 443, note: "OpenAI API" },
+    { host: "generativelanguage.googleapis.com", port: 443, note: "Gemini API" },
+    { host: "api.groq.com", port: 443, note: "Groq API (free_first)" },
+    { host: "api-inference.huggingface.co", port: 443, note: "HF Inference (free_first)" }
+  ];
+  DOMAIN_EXTRA = {
+    general: [
+      { host: "github.com", port: 443, note: "GitHub API" },
+      { host: "raw.githubusercontent.com", port: 443, note: "GitHub raw" },
+      { host: "registry.npmjs.org", port: 443, note: "npm registry" }
+    ],
+    maritime: [
+      { host: "api.aisstream.io", port: 443, note: "AIS stream" },
+      { host: "maddox.iho.int", port: 443, note: "IHO chart service" },
+      { host: "127.0.0.1", port: 0, note: "localhost (NMEA/Modbus)" }
+    ],
+    logistics: [
+      { host: "api.searates.com", port: 443, note: "freight rates" },
+      { host: "api.bolero.net", port: 443, note: "eBL platform" }
+    ],
+    ot: [
+      { host: "127.0.0.1", port: 0, note: "localhost (Modbus/NMEA/AIS)" }
+    ],
+    finance: [
+      { host: "api.stripe.com", port: 443, note: "Stripe" },
+      { host: "sandbox.hsm.example", port: 443, note: "HSM API" }
+    ]
+  };
+  TRUST_MASK_EGRESS = {
+    4: [{ host: "smtp.mailgun.org", port: 587, note: "Mailgun SMTP" }],
+    6: [
+      { host: "localhost", port: 0, note: "localhost" },
+      { host: "127.0.0.1", port: 0, note: "localhost" }
+    ]
+  };
+});
+
+// ../../src/kernel/runner.ts
+var exports_runner = {};
+__export(exports_runner, {
+  runWithKernel: () => runWithKernel,
+  generateOnly: () => generateOnly
+});
+import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, existsSync as existsSync2, unlinkSync } from "fs";
+import { join as join2, dirname } from "path";
+import { spawn } from "child_process";
+import { randomBytes as randomBytes2 } from "crypto";
+function ensureKavachosDir() {
+  if (!existsSync2(KAVACHOS_DIR))
+    mkdirSync2(KAVACHOS_DIR, { recursive: true });
+}
+async function runWithKernel(agentCommand, opts) {
+  ensureKavachosDir();
+  const sessionId = opts.sessionId ?? `KOS-${randomBytes2(6).toString("hex").toUpperCase()}`;
+  const agentType = opts.agentType ?? "claude-code";
+  const { profile, hash: profileHash, syscall_count } = generateSeccompProfile(opts.trustMask, opts.domain, agentType);
+  if (opts.verbose) {
+    console.error(profileSummary({ profile, hash: profileHash, syscall_count }));
+  }
+  const profilePath = join2(KAVACHOS_DIR, `${sessionId}.seccomp.json`);
+  writeFileSync2(profilePath, JSON.stringify(profile, null, 2));
+  storeProfile(sessionId, opts.agentId ?? null, profile, profilePath);
+  let falcoRulesPath = null;
+  if (opts.falcoEnabled) {
+    const falcoRules = generateFalcoRules(opts.domain, opts.trustMask);
+    falcoRulesPath = join2(KAVACHOS_DIR, `${sessionId}.falco.yaml`);
+    writeFileSync2(falcoRulesPath, falcoRules.rules);
+    if (opts.verbose) {
+      console.error(`[kavachos] Falco rules written: ${falcoRulesPath} (${falcoRules.rule_count} rules)`);
+    }
+  }
+  let egressPolicyPath = null;
+  if (opts.egressEnabled !== false) {
+    const egressPolicy = buildEgressPolicy(opts.trustMask, opts.domain);
+    egressPolicyPath = join2(KAVACHOS_DIR, `${sessionId}.egress.json`);
+    writeFileSync2(egressPolicyPath, serialiseEgressPolicy(egressPolicy));
+    if (opts.verbose) {
+      console.error(`[kavachos] Egress policy written: ${egressPolicyPath} (${egressPolicy.allow.length} hosts)`);
+    }
+  }
+  if (opts.dryRun) {
+    console.log(JSON.stringify({
+      sessionId,
+      profileHash,
+      syscallCount: syscall_count,
+      profilePath,
+      falcoRulesPath,
+      egressPolicyPath,
+      dryRun: true
+    }, null, 2));
+    return { sessionId, profileHash, syscallCount: syscall_count, profilePath, falcoRulesPath, egressPolicyPath };
+  }
+  const env = {
+    ...process.env,
+    KAVACHOS_SESSION_ID: sessionId,
+    KAVACHOS_AGENT_ID: opts.agentId ?? sessionId,
+    KAVACHOS_TRUST_MASK: opts.trustMask.toString(),
+    KAVACHOS_DOMAIN: opts.domain
+  };
+  const launchArgs = [
+    "python3",
+    APPLY_SECCOMP_PY,
+    profilePath,
+    "--",
+    ...agentCommand
+  ];
+  if (opts.verbose) {
+    console.error(`[kavachos] Launching: ${launchArgs.join(" ")}`);
+  }
+  return new Promise((resolve, reject) => {
+    const child = spawn(launchArgs[0], launchArgs.slice(1), {
+      stdio: ["inherit", "inherit", "pipe"],
+      env
+    });
+    const result = {
+      sessionId,
+      profileHash,
+      syscallCount: syscall_count,
+      profilePath,
+      falcoRulesPath,
+      egressPolicyPath,
+      pid: child.pid
+    };
+    if (egressPolicyPath && child.pid) {
+      const CGROUP_EGRESS_PY = join2(dirname(new URL(import.meta.url).pathname), "cgroup-egress.py");
+      const egressSidecar = spawn("python3", [CGROUP_EGRESS_PY, sessionId, egressPolicyPath, String(child.pid)], {
+        stdio: ["ignore", "ignore", "pipe"]
+      });
+      egressSidecar.stderr?.on("data", (d) => {
+        const line = d.toString().trim();
+        if (line)
+          process.stderr.write(line + `
+`);
+      });
+      egressSidecar.on("error", (err) => {
+        process.stderr.write(`[kavachos:egress] sidecar error: ${err.message}
+`);
+      });
+    }
+    const recentReceipts = [];
+    child.stderr?.on("data", (data) => {
+      const lines = data.toString().split(`
+`).filter(Boolean);
+      for (const line of lines) {
+        if (line.includes("[kavachos]")) {
+          process.stderr.write(line + `
+`);
+        }
+        if (line.startsWith("{") && line.includes('"rule"')) {
+          const event = parseFalcoEvent(line);
+          if (event) {
+            event.session_id = sessionId;
+            const receipt = sealKernelViolation({ ...event, profile_hash: profileHash });
+            recentReceipts.push(receipt);
+            if (checkViolationRate(recentReceipts)) {
+              process.stderr.write(`[kavachos] RATE_EXCEEDED: >5 violations/min for session ${sessionId}
+`);
+              sealKernelViolation({
+                session_id: sessionId,
+                agent_id: opts.agentId ?? null,
+                event_type: "RATE_EXCEEDED",
+                violation_details: "Falco violation rate exceeded 5/min \u2014 potential low-and-slow exfil",
+                profile_hash: profileHash,
+                severity: "CRITICAL"
+              });
+            }
+          }
+        }
+      }
+    });
+    child.on("exit", (code) => {
+      result.exitCode = code ?? 0;
+      try {
+        unlinkSync(profilePath);
+      } catch {}
+      if (egressPolicyPath) {
+        try {
+          unlinkSync(egressPolicyPath);
+        } catch {}
+      }
+      const drift = checkProfileDrift(sessionId);
+      if (drift) {
+        process.stderr.write(`[kavachos] PROFILE DRIFT DETECTED for session ${sessionId}
+`);
+        sealKernelViolation({
+          session_id: sessionId,
+          agent_id: opts.agentId ?? null,
+          event_type: "PROFILE_DRIFT",
+          violation_details: `Hash mismatch: stored=${drift.stored_hash.slice(0, 16)}... actual=${drift.actual_hash.slice(0, 16)}...`,
+          severity: "CRITICAL"
+        });
+      }
+      resolve(result);
+    });
+    child.on("error", (err) => reject(err));
+  });
+}
+function generateOnly(trustMask, domain, agentType) {
+  const result = generateSeccompProfile(trustMask, domain, agentType);
+  const falcoRules = generateFalcoRules(domain, trustMask);
+  return { ...result, falcoRules };
+}
+var APPLY_SECCOMP_PY, KAVACHOS_DIR;
+var init_runner = __esm(() => {
+  init_seccomp_profile_generator();
+  init_falco_rule_generator();
+  init_profile_store();
+  init_kernel_receipt();
+  init_egress_policy();
+  init_config();
+  APPLY_SECCOMP_PY = join2(dirname(new URL(import.meta.url).pathname), "apply-seccomp.py");
+  KAVACHOS_DIR = join2(getAegisDir(), "kernel");
+});
+
+// ../../src/kernel/audit.ts
+var exports_audit = {};
+__export(exports_audit, {
+  printAudit: () => printAudit,
+  listSessions: () => listSessions,
+  auditSession: () => auditSession
+});
+function auditSession(sessionId) {
+  const profile = getProfile(sessionId);
+  if (!profile) {
+    return {
+      session_id: sessionId,
+      profile_found: false,
+      profile_drift: false,
+      receipt_count: 0,
+      chain_valid: false,
+      eu_ai_act_eligible: false,
+      verdict: "NO_SESSION",
+      summary: `Session ${sessionId} not found in kernel_profiles table. Either it was not launched via kavachos run, or records were cleaned up.`
+    };
+  }
+  const drift = checkProfileDrift(sessionId);
+  const chainVerification = verifyReceiptChain(sessionId);
+  const euEligible = !drift && chainVerification.valid;
+  let verdict = "CLEAN";
+  if (drift)
+    verdict = "PROFILE_DRIFT";
+  else if (!chainVerification.valid)
+    verdict = "CHAIN_BROKEN";
+  const verdictIcon = verdict === "CLEAN" ? "\u2705" : "\u274C";
+  const summary = [
+    `${verdictIcon} Session: ${sessionId}`,
+    `   Profile hash:   ${profile.profile_hash.slice(0, 16)}... (${drift ? "DRIFTED" : "verified"})`,
+    `   Trust mask:     0x${profile.trust_mask.toString(16).padStart(8, "0")}`,
+    `   Domain:         ${profile.domain}`,
+    `   Syscalls:       ${profile.syscall_count}`,
+    `   Receipts:       ${chainVerification.receipt_count} (chain ${chainVerification.valid ? "\u2705 unbroken" : "\u274C BROKEN at " + chainVerification.gap_at})`,
+    `   EU AI Act \xA714:  ${euEligible ? "\u2705 eligible" : "\u274C NOT eligible"}`,
+    `   Verdict:        ${verdict}`
+  ].join(`
+`);
+  return {
+    session_id: sessionId,
+    profile_found: true,
+    profile_hash: profile.profile_hash,
+    profile_drift: !!drift,
+    receipt_count: chainVerification.receipt_count,
+    chain_valid: chainVerification.valid,
+    chain_gap_at: chainVerification.gap_at,
+    eu_ai_act_eligible: euEligible,
+    verdict,
+    summary
+  };
+}
+function listSessions() {
+  const { getDb: getDb2 } = (init_db(), __toCommonJS(exports_db));
+  const { ensureKernelSchema: ensureKernelSchema2 } = (init_profile_store(), __toCommonJS(exports_profile_store));
+  ensureKernelSchema2();
+  const db = getDb2();
+  return db.query("SELECT session_id, domain, trust_mask, stored_at, syscall_count FROM kernel_profiles ORDER BY stored_at DESC LIMIT 50").all();
+}
+function printAudit(result) {
+  console.log(result.summary);
+  if (result.verdict !== "CLEAN") {
+    console.log(`
+  ACTION REQUIRED:`);
+    if (result.profile_drift) {
+      console.log("  \u2022 Profile drift detected \u2014 this session is a security incident (KOS-012)");
+      console.log("  \u2022 Emit kavach.kernel.violation.detected and quarantine session");
+    }
+    if (!result.chain_valid) {
+      console.log(`  \u2022 Receipt chain broken at ${result.chain_gap_at} \u2014 tampered or missing evidence (INF-KOS-003)`);
+      console.log("  \u2022 Session cannot be used as EU AI Act Article 14/15 evidence");
+    }
+  }
+}
+var init_audit = __esm(() => {
+  init_profile_store();
+});
+
+// ../../src/kavach/perm-mask.ts
+var PERM, PERM_READ_ONLY, PERM_STANDARD, PERM_PRIVILEGED, PERM_ADMIN, BIT_NAMES;
+var init_perm_mask = __esm(() => {
+  PERM = {
+    READ: 1,
+    WRITE: 2,
+    EXEC_BASH: 4,
+    SPAWN_AGENTS: 8,
+    NETWORK: 16,
+    DB_WRITE: 32,
+    DB_READ: 64,
+    DB_SCHEMA: 128,
+    FS_CREATE: 256,
+    FS_DELETE: 512,
+    SERVICE_OP: 1024,
+    SECRET_READ: 2048,
+    CONFIG_WRITE: 4096,
+    GIT_WRITE: 8192,
+    EXTERNAL_API: 16384,
+    PRIVILEGED: 32768,
+    POLICY_ADMIN: 65536,
+    MASK_ADMIN: 131072,
+    AUDIT_WRITE: 262144,
+    CROSS_SVC: 524288,
+    PRODUCTION: 1048576
+  };
+  PERM_READ_ONLY = PERM.READ | PERM.DB_READ;
+  PERM_STANDARD = PERM.READ | PERM.WRITE | PERM.EXEC_BASH | PERM.DB_READ | PERM.DB_WRITE | PERM.FS_CREATE | PERM.NETWORK | PERM.GIT_WRITE | PERM.EXTERNAL_API;
+  PERM_PRIVILEGED = PERM_STANDARD | PERM.DB_SCHEMA | PERM.FS_DELETE | PERM.SERVICE_OP | PERM.CONFIG_WRITE | PERM.PRIVILEGED;
+  PERM_ADMIN = PERM_PRIVILEGED | PERM.SECRET_READ | PERM.SPAWN_AGENTS | PERM.POLICY_ADMIN | PERM.MASK_ADMIN | PERM.AUDIT_WRITE | PERM.CROSS_SVC | PERM.PRODUCTION;
+  BIT_NAMES = Object.entries(PERM).map(([name, bit]) => [bit, name]);
+});
+
+// ../../src/kavach/class-mask.ts
+var CLASS, CLASS_DEV_ONLY, CLASS_STANDARD, CLASS_PRIVILEGED, CLASS_NAMES;
+var init_class_mask = __esm(() => {
+  CLASS = {
+    DEV: 1,
+    DEMO: 2,
+    PROD: 4,
+    SECRET: 8,
+    MARITIME: 16,
+    FINANCIAL: 32,
+    PERSONAL: 64,
+    INFRA: 128,
+    ANKR_INTERNAL: 256
+  };
+  CLASS_DEV_ONLY = CLASS.DEV;
+  CLASS_STANDARD = CLASS.DEV | CLASS.DEMO | CLASS.INFRA | CLASS.ANKR_INTERNAL;
+  CLASS_PRIVILEGED = CLASS.DEV | CLASS.DEMO | CLASS.PROD | CLASS.INFRA | CLASS.ANKR_INTERNAL | CLASS.MARITIME;
+  CLASS_NAMES = Object.entries(CLASS).map(([name, bit]) => [bit, name]);
+});
+
+// ../../src/sandbox/quarantine.ts
+import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, readdirSync } from "fs";
+import { join as join3 } from "path";
+function tryDbSync(record) {
+  try {
+    const { upsertAgent: upsertAgent2 } = (init_db(), __toCommonJS(exports_db));
+    upsertAgent2({
+      ...record,
+      budget_pool_reserved: 0,
+      stop_requested: 0
+    });
+  } catch {}
+}
+function getAgentsDir() {
+  const dir = join3(getAegisDir(), "agents");
+  if (!existsSync3(dir))
+    mkdirSync3(dir, { recursive: true });
+  return dir;
+}
+function getStatePath(agentId) {
+  return join3(getAgentsDir(), `${agentId}.state.json`);
+}
+function loadAgent(agentId) {
+  const path = getStatePath(agentId);
+  if (!existsSync3(path))
+    return null;
+  try {
+    return JSON.parse(readFileSync2(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function saveAgent(record) {
+  writeFileSync3(getStatePath(record.agent_id), JSON.stringify(record, null, 2));
+  tryDbSync(record);
+}
+function transitionState(agentId, targetState, meta = {}) {
+  const record = loadAgent(agentId);
+  if (!record) {
+    return { success: false, error: `Agent ${agentId} not found`, record: {} };
+  }
+  const allowed = VALID_TRANSITIONS[record.state];
+  if (!allowed.includes(targetState)) {
+    return {
+      success: false,
+      error: `Invalid transition ${record.state} \u2192 ${targetState} (allowed: ${allowed.join(", ") || "none"})`,
+      record
+    };
+  }
+  record.state = targetState;
+  record.last_seen = new Date().toISOString();
+  if (targetState === "QUARANTINED") {
+    record.quarantine_reason = meta.reason ?? null;
+    record.quarantine_rule = meta.rule ?? null;
+  }
+  if (targetState === "RUNNING" && record.quarantine_reason) {
+    record.release_reason = meta.reason ?? null;
+    record.released_by = meta.released_by ?? null;
+    record.quarantine_reason = null;
+    record.quarantine_rule = null;
+  }
+  if (meta.resume_manifest_path) {
+    record.resume_manifest_path = meta.resume_manifest_path;
+  }
+  saveAgent(record);
+  return { success: true, record };
+}
+var VALID_TRANSITIONS;
+var init_quarantine = __esm(() => {
+  init_config();
+  VALID_TRANSITIONS = {
+    RUNNING: ["QUARANTINED", "FORCE_CLOSED", "KILLED", "COMPLETED", "ZOMBIE"],
+    QUARANTINED: ["RUNNING", "FORCE_CLOSED", "KILLED"],
+    ORPHAN: ["FORCE_CLOSED", "KILLED", "COMPLETED"],
+    ZOMBIE: ["FORCE_CLOSED", "KILLED"],
+    FORCE_CLOSED: [],
+    KILLED: [],
+    COMPLETED: []
+  };
+});
+
+// ../../src/kernel/kernel-notifier.ts
+var exports_kernel_notifier = {};
+__export(exports_kernel_notifier, {
+  syscallToPlain: () => syscallToPlain,
+  requestKernelApproval: () => requestKernelApproval,
+  notifyAutoBlock: () => notifyAutoBlock,
+  notifyAdvisory: () => notifyAdvisory
+});
+import { randomBytes as randomBytes3 } from "crypto";
+function syscallToPlain(syscall) {
+  return SYSCALL_PLAIN[syscall] ?? `call syscall "${syscall}"`;
+}
+function buildMessage(event, approvalId) {
+  const emoji = TIER_EMOJI[event.tier];
+  const tierLabel = event.tier === 3 ? "Action Required" : event.tier === 4 ? "Auto-Blocked" : "Advisory";
+  const lines = [
+    `${emoji} KavachOS \u2014 ${tierLabel}`,
+    ``,
+    `Agent: ${event.agent_id ?? "unknown"}  |  Domain: ${event.domain}`,
+    `Session: ${event.session_id}`,
+    ``,
+    `What happened:`,
+    event.plain_summary,
+    ``,
+    `Technical detail:`,
+    event.technical_detail
+  ];
+  if (event.falco_rule) {
+    lines.push(`Falco rule: "${event.falco_rule}"`);
+  }
+  if (event.trust_mask !== undefined) {
+    lines.push(`Trust mask: 0x${event.trust_mask.toString(16).padStart(8, "0")}`);
+  }
+  if (event.profile_hash) {
+    lines.push(`Profile: ${event.profile_hash.slice(0, 12)}...`);
+  }
+  lines.push(``);
+  lines.push(`Trigger: ${TRIGGER_LABEL[event.trigger]}`);
+  if (event.tier === 3 && approvalId) {
+    lines.push(``);
+    lines.push(`Reply with one word:`);
+    lines.push(`  ALLOW ${approvalId} \u2014 permit, restore gate valve to OPEN`);
+    lines.push(`  STOP ${approvalId}  \u2014 block, keep valve in current state`);
+    lines.push(``);
+    lines.push(`Expires: 10 min (silence = STOP)`);
+  } else if (event.tier === 4) {
+    lines.push(``);
+    lines.push(`Agent is already blocked. No action needed.`);
+    lines.push(`To release: kavachos valve release ${event.agent_id ?? event.session_id}`);
+  } else if (event.tier === 2) {
+    lines.push(``);
+    lines.push(`No action needed \u2014 this is for your awareness.`);
+    lines.push(`To review: kavachos profile show ${event.agent_id ?? event.session_id}`);
+  }
+  return lines.join(`
+`);
+}
+async function sendViaWebhook(message, approvalId) {
+  const config = loadConfig();
+  const kc = config.kavach;
+  if (!kc?.enabled)
+    return false;
+  const webhookUrl = kc.webhook_url || kc.ankrclaw_url || "";
+  if (!webhookUrl)
+    return false;
+  const channel = kc.notify_channel || "telegram";
+  const to = channel === "telegram" ? kc.notify_telegram_chat_id : kc.notify_phone;
+  if (!to)
+    return false;
+  try {
+    const res = await fetch(`${webhookUrl}/api/notify`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        to,
+        message,
+        service: "KAVACHOS",
+        channel,
+        approval_id: approvalId ?? undefined
+      })
+    });
+    return res.ok;
+  } catch {
+    process.stderr.write(`[kavachos:notify] webhook unreachable \u2014 notification skipped
+`);
+    return false;
+  }
+}
+async function pollForKernelDecision(approvalId, timeoutMs = 600000) {
+  const deadline = Date.now() + timeoutMs;
+  const POLL_INTERVAL = 2000;
+  process.stderr.write(`[kavachos:notify] Waiting for kernel decision ${approvalId} (${Math.round(timeoutMs / 1000)}s timeout)
+`);
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+    const approval = getKavachApproval(approvalId);
+    if (!approval)
+      continue;
+    if (approval.status === "allowed")
+      return "ALLOW";
+    if (approval.status === "stopped" || approval.status === "timed_out")
+      return "STOP";
+  }
+  process.stderr.write(`[kavachos:notify] Decision timeout for ${approvalId} \u2192 STOP
+`);
+  return "STOP";
+}
+async function notifyAdvisory(event) {
+  const message = buildMessage(event, null);
+  process.stderr.write(`[kavachos:notify] ADVISORY: ${event.plain_summary}
+`);
+  sendViaWebhook(message, null).catch(() => {});
+}
+async function requestKernelApproval(event) {
+  const approvalId = `KOS-${randomBytes3(4).toString("hex").toUpperCase()}`;
+  createKavachApproval({
+    id: approvalId,
+    created_at: new Date().toISOString(),
+    command: event.technical_detail,
+    tool_name: `kavachos:${event.trigger}`,
+    level: 3,
+    consequence: event.plain_summary,
+    session_id: event.session_id,
+    timeout_ms: 600000
+  });
+  const message = buildMessage(event, approvalId);
+  process.stderr.write(`[kavachos:notify] TIER-3 alert sent \u2014 ${approvalId}: ${event.plain_summary}
+`);
+  await sendViaWebhook(message, approvalId);
+  return pollForKernelDecision(approvalId);
+}
+async function notifyAutoBlock(event) {
+  const message = buildMessage(event, null);
+  process.stderr.write(`[kavachos:notify] AUTO-BLOCK: ${event.plain_summary}
+`);
+  sendViaWebhook(message, null).catch(() => {});
+}
+var SYSCALL_PLAIN, TIER_EMOJI, TRIGGER_LABEL;
+var init_kernel_notifier = __esm(() => {
+  init_config();
+  init_db();
+  SYSCALL_PLAIN = {
+    execve: "execute a program or shell command",
+    execveat: "execute a program from a file descriptor",
+    clone: "create a child process",
+    clone3: "create a child process (modern)",
+    fork: "duplicate the current process",
+    socket: "open a network socket",
+    connect: "connect to a remote server",
+    bind: "listen on a network port",
+    sendto: "send data over the network",
+    recvfrom: "receive data from the network",
+    open: "open a file",
+    openat: "open a file (relative path)",
+    unlink: "delete a file",
+    unlinkat: "delete a file (relative path)",
+    rename: "rename or move a file",
+    chmod: "change file permissions",
+    chown: "change file ownership",
+    ptrace: "attach to and control another process",
+    mmap: "map memory (large allocation)",
+    memfd_create: "create an anonymous memory region",
+    inotify_init1: "watch a directory for file changes",
+    keyctl: "access cryptographic keys",
+    sethostname: "change the system hostname",
+    prctl: "change process control settings",
+    kill: "send a signal to another process",
+    tgkill: "send a signal to a specific thread",
+    seccomp: "modify syscall filtering (privilege escalation attempt)",
+    mount: "mount a filesystem",
+    umount2: "unmount a filesystem",
+    chroot: "change the root directory",
+    pivot_root: "change the root filesystem",
+    setuid: "change user identity",
+    setgid: "change group identity",
+    capset: "modify Linux capabilities"
+  };
+  TIER_EMOJI = {
+    1: "\u2139\uFE0F",
+    2: "\uD83D\uDFE1",
+    3: "\uD83D\uDD34",
+    4: "\uD83D\uDED1"
+  };
+  TRIGGER_LABEL = {
+    falco_critical: "Falco CRITICAL \u2014 suspicious kernel event",
+    valve_cracked: "Gate valve \u2192 CRACKED (3+ violations)",
+    valve_locked: "Gate valve \u2192 LOCKED (agent fully stopped)",
+    rate_exceeded: "Violation rate exceeded (5+/min \u2014 possible exfil)",
+    supervisor_ambiguous: "Supervisor cannot auto-decide",
+    profile_drift: "Seccomp profile tampering detected"
+  };
+});
+
+// ../../src/kavach/gate-valve.ts
+var exports_gate_valve = {};
+__export(exports_gate_valve, {
+  throttleValve: () => throttleValve,
+  recordViolation: () => recordViolation,
+  readValve: () => readValve,
+  openValve: () => openValve,
+  lockValve: () => lockValve,
+  initValve: () => initValve,
+  incrementLoopCount: () => incrementLoopCount,
+  crackValve: () => crackValve,
+  closeValve: () => closeValve,
+  checkValve: () => checkValve
+});
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4 } from "fs";
+import { join as join4 } from "path";
+function getValveDir() {
+  const dir = join4(getAegisDir(), "agents");
+  if (!existsSync4(dir))
+    mkdirSync4(dir, { recursive: true });
+  return dir;
+}
+function valvePath(agentId) {
+  return join4(getValveDir(), `${agentId}.valve.json`);
+}
+function readValve(agentId) {
+  const path = valvePath(agentId);
+  if (!existsSync4(path)) {
+    const defaultRecord = {
+      agent_id: agentId,
+      state: "OPEN",
+      declared_perm_mask: PERM_STANDARD,
+      effective_perm_mask: PERM_STANDARD,
+      declared_class_mask: CLASS_STANDARD,
+      effective_class_mask: CLASS_STANDARD,
+      violation_count: 0,
+      loop_count: 0,
+      narrowed_at: null,
+      narrowed_reason: null,
+      locked_by: null,
+      locked_at: null,
+      quarantine_flag: false
+    };
+    writeValve(defaultRecord);
+    return defaultRecord;
+  }
+  try {
+    return JSON.parse(readFileSync3(path, "utf-8"));
+  } catch {
+    return readValve(agentId);
+  }
+}
+function writeValve(record) {
+  writeFileSync4(valvePath(record.agent_id), JSON.stringify(record, null, 2));
+}
+function initValve(agentId, declaredPermMask, declaredClassMask) {
+  const record = {
+    agent_id: agentId,
+    state: "OPEN",
+    declared_perm_mask: declaredPermMask,
+    effective_perm_mask: declaredPermMask,
+    declared_class_mask: declaredClassMask,
+    effective_class_mask: declaredClassMask,
+    violation_count: 0,
+    loop_count: 0,
+    narrowed_at: null,
+    narrowed_reason: null,
+    locked_by: null,
+    locked_at: null,
+    quarantine_flag: false
+  };
+  writeValve(record);
+  return record;
+}
+function recordViolation(agentId, reason) {
+  const record = readValve(agentId);
+  record.violation_count++;
+  if (record.violation_count === 1 && record.state === "OPEN") {
+    return throttleValve(agentId, `auto-throttle: first violation \u2014 ${reason}`);
+  }
+  if (record.violation_count >= 3 && record.state === "THROTTLED") {
+    return crackValve(agentId, `auto-crack: ${record.violation_count} violations \u2014 ${reason}`);
+  }
+  writeValve(record);
+  return record;
+}
+function incrementLoopCount(agentId) {
+  const record = readValve(agentId);
+  record.loop_count++;
+  if (record.loop_count > 100 && record.violation_count > 0 && record.state !== "CLOSED" && record.state !== "LOCKED") {
+    return closeValve(agentId, `auto-close: runaway agent (loop=${record.loop_count}, violations=${record.violation_count})`);
+  }
+  writeValve(record);
+  return record;
+}
+function throttleValve(agentId, reason) {
+  const record = readValve(agentId);
+  if (record.state === "CLOSED" || record.state === "LOCKED")
+    return record;
+  record.state = "THROTTLED";
+  record.effective_perm_mask &= ~PERM.SPAWN_AGENTS;
+  record.narrowed_at = new Date().toISOString();
+  record.narrowed_reason = reason;
+  writeValve(record);
+  process.stderr.write(`[KAVACH:valve] ${agentId} \u2192 THROTTLED \u2014 ${reason}
+`);
+  return record;
+}
+function crackValve(agentId, reason) {
+  const record = readValve(agentId);
+  if (record.state === "CLOSED" || record.state === "LOCKED")
+    return record;
+  record.state = "CRACKED";
+  record.effective_perm_mask &= ~(PERM.SPAWN_AGENTS | PERM.EXEC_BASH);
+  record.narrowed_at = new Date().toISOString();
+  record.narrowed_reason = reason;
+  writeValve(record);
+  process.stderr.write(`[KAVACH:valve] ${agentId} \u2192 CRACKED \u2014 ${reason}
+`);
+  Promise.resolve().then(() => (init_kernel_notifier(), exports_kernel_notifier)).then(({ requestKernelApproval: requestKernelApproval2 }) => {
+    requestKernelApproval2({
+      tier: 3,
+      session_id: agentId,
+      agent_id: agentId,
+      domain: "unknown",
+      trigger: "valve_cracked",
+      plain_summary: `Agent ${agentId} has triggered 3 or more violations. It is now running in restricted mode (no new processes, no shell commands). Decide whether to let it continue or stop it.`,
+      technical_detail: `Gate valve \u2192 CRACKED. Reason: ${reason}. SPAWN_AGENTS + EXEC_BASH bits cleared from effective_perm_mask.`
+    }).then((decision) => {
+      if (decision === "STOP") {
+        closeValve(agentId, "Human STOP after CRACKED notification");
+      }
+    });
+  }).catch(() => {});
+  return record;
+}
+function closeValve(agentId, reason) {
+  const record = readValve(agentId);
+  if (record.state === "LOCKED")
+    return record;
+  record.state = "CLOSED";
+  record.effective_perm_mask = 0;
+  record.effective_class_mask = 0;
+  record.narrowed_at = new Date().toISOString();
+  record.narrowed_reason = reason;
+  writeValve(record);
+  process.stderr.write(`[KAVACH:valve] ${agentId} \u2192 CLOSED \u2014 ${reason}
+`);
+  return record;
+}
+function lockValve(agentId, reason, lockedBy = "system") {
+  const record = readValve(agentId);
+  record.state = "LOCKED";
+  record.effective_perm_mask = 0;
+  record.effective_class_mask = 0;
+  record.narrowed_at = new Date().toISOString();
+  record.narrowed_reason = reason;
+  record.locked_by = lockedBy;
+  record.locked_at = new Date().toISOString();
+  record.quarantine_flag = true;
+  writeValve(record);
+  process.stderr.write(`[KAVACH:valve] ${agentId} \u2192 LOCKED by ${lockedBy} \u2014 ${reason}
+`);
+  Promise.resolve().then(() => (init_kernel_notifier(), exports_kernel_notifier)).then(({ notifyAutoBlock: notifyAutoBlock2 }) => {
+    notifyAutoBlock2({
+      tier: 4,
+      session_id: agentId,
+      agent_id: agentId,
+      domain: "unknown",
+      trigger: "valve_locked",
+      plain_summary: `Agent ${agentId} has been fully stopped and quarantined. It cannot perform any actions until a human releases it.`,
+      technical_detail: `Gate valve \u2192 LOCKED by ${lockedBy}. Reason: ${reason}. effective_perm_mask=0.`
+    });
+  }).catch(() => {});
+  try {
+    const agentRecord = loadAgent(agentId);
+    if (agentRecord && (agentRecord.state === "RUNNING" || agentRecord.state === "ORPHAN")) {
+      transitionState(agentId, "QUARANTINED", { reason: `valve LOCKED: ${reason}`, rule: "KAV-066" });
+    }
+  } catch {}
+  return record;
+}
+function openValve(agentId, releasedBy) {
+  const record = readValve(agentId);
+  if (record.state === "CLOSED" || record.state === "LOCKED") {
+    throw new Error(`Cannot auto-open ${record.state} valve for ${agentId} \u2014 requires human via quarantine release`);
+  }
+  record.state = "OPEN";
+  record.effective_perm_mask = record.declared_perm_mask;
+  record.effective_class_mask = record.declared_class_mask;
+  record.narrowed_at = null;
+  record.narrowed_reason = null;
+  writeValve(record);
+  process.stderr.write(`[KAVACH:valve] ${agentId} \u2192 OPEN (released by ${releasedBy})
+`);
+  return record;
+}
+function checkValve(agentId, requiredPermBits, resourceClassBits) {
+  const record = readValve(agentId);
+  if (record.state === "CLOSED" || record.state === "LOCKED") {
+    if (record.state === "CLOSED") {
+      lockValve(agentId, "closed agent attempted tool call", "auto-escalation");
+    }
+    return {
+      allowed: false,
+      level: 0,
+      reason: `Agent is in ${record.state} state \u2014 all capabilities revoked`,
+      rule: "KAV-063",
+      valve_state: record.state
+    };
+  }
+  if (requiredPermBits !== 0 && (record.effective_perm_mask & requiredPermBits) !== requiredPermBits) {
+    const missing = requiredPermBits & ~record.effective_perm_mask;
+    recordViolation(agentId, `perm_mask missing bits 0x${missing.toString(16)}`);
+    return {
+      allowed: false,
+      level: 0,
+      reason: `perm_mask check failed \u2014 required 0x${requiredPermBits.toString(16)}, effective 0x${record.effective_perm_mask.toString(16)}`,
+      rule: "KAV-061",
+      valve_state: record.state
+    };
+  }
+  const effectiveClass = record.effective_class_mask === 0 ? 1 : record.effective_class_mask;
+  if (resourceClassBits !== 0 && (effectiveClass & resourceClassBits) === 0) {
+    recordViolation(agentId, `class_mask 0x${resourceClassBits.toString(16)} not granted`);
+    return {
+      allowed: false,
+      level: 1,
+      reason: `class_mask check failed \u2014 resource requires class 0x${resourceClassBits.toString(16)}, agent has 0x${effectiveClass.toString(16)}`,
+      rule: "KAV-062",
+      valve_state: record.state
+    };
+  }
+  return {
+    allowed: true,
+    level: 0,
+    reason: "",
+    rule: "",
+    valve_state: record.state
+  };
+}
+var init_gate_valve = __esm(() => {
+  init_config();
+  init_perm_mask();
+  init_class_mask();
+  init_quarantine();
+});
+
+// ../../src/kavachos-cli.ts
+var command = Bun.argv[2] || "help";
+var subCommand = Bun.argv[3];
+var args = Bun.argv.slice(3);
+async function main() {
+  switch (command) {
+    case "run":
+      return cmdRun(args);
+    case "generate":
+    case "gen":
+      return cmdGenerate(args);
+    case "profile":
+      if (subCommand === "show")
+        return cmdProfileShow(Bun.argv.slice(4));
+      console.error(`Unknown profile sub-command: ${subCommand}. Try: kavachos profile show <agent-id>`);
+      process.exit(1);
+      break;
+    case "audit":
+      return cmdAudit(args);
+    case "rules":
+      return cmdRules(args);
+    case "init":
+      return cmdInit(args);
+    case "version":
+    case "--version":
+    case "-v":
+      console.log("kavachos 2.0.0 (KavachOS KERNEL \u2014 xShieldAI Posture Suite)");
+      console.log("AGPL-3.0 \xB7 DOI 10.5281/zenodo.19908430");
+      break;
+    case "help":
+    case "--help":
+    case "-h":
+      printHelp();
+      break;
+    default:
+      console.error(`Unknown command: ${command}`);
+      printHelp();
+      process.exit(1);
+  }
+}
+async function cmdRun(args2) {
+  const { runWithKernel: runWithKernel2 } = await Promise.resolve().then(() => (init_runner(), exports_runner));
+  const opts = parseRunOpts(args2);
+  const agentArgs = args2.filter((a) => !a.startsWith("--"));
+  if (agentArgs.length === 0) {
+    console.error("Usage: kavachos run <agent_binary> [args] [--trust-mask=N] [--domain=D] [--dry-run] [--verbose]");
+    process.exit(1);
+  }
+  try {
+    const result = await runWithKernel2(agentArgs, opts);
+    if (opts.dryRun)
+      return;
+    if (result.exitCode !== 0)
+      process.exit(result.exitCode);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[kavachos] run failed: ${message}`);
+    process.exit(1);
+  }
+}
+async function cmdGenerate(args2) {
+  const { generateOnly: generateOnly2 } = await Promise.resolve().then(() => (init_runner(), exports_runner));
+  const { profileSummary: profileSummary2 } = await Promise.resolve().then(() => (init_seccomp_profile_generator(), exports_seccomp_profile_generator));
+  const trustMask = parseTrustMask(args2);
+  const domain = parseDomain(args2);
+  const outFlag = args2.find((a) => a.startsWith("--out="))?.split("=")[1];
+  const jsonFlag = args2.includes("--json");
+  const agentType = args2.find((a) => a.startsWith("--agent-type="))?.split("=")[1] ?? "claude-code";
+  const result = generateOnly2(trustMask, domain, agentType);
+  if (jsonFlag) {
+    console.log(JSON.stringify(result.profile, null, 2));
+  } else {
+    console.log(profileSummary2(result));
+    console.log(`
+  trust_mask: 0x${trustMask.toString(16).padStart(8, "0")}`);
+    console.log(`  syscalls:   ${result.syscall_count}`);
+    console.log(`  hash:       ${result.hash}`);
+    console.log(`
+Falco rules: ${result.falcoRules.rule_count} rules for domain '${domain}'`);
+  }
+  if (outFlag) {
+    const { writeFileSync: writeFileSync5 } = await import("fs");
+    writeFileSync5(outFile(outFlag, "seccomp.json"), JSON.stringify(result.profile, null, 2));
+    writeFileSync5(outFile(outFlag, "falco.yaml"), result.falcoRules.rules);
+    console.log(`
+Written: ${outFile(outFlag, "seccomp.json")} + ${outFile(outFlag, "falco.yaml")}`);
+  }
+}
+async function cmdAudit(args2) {
+  const { auditSession: auditSession2, listSessions: listSessions2, printAudit: printAudit2 } = await Promise.resolve().then(() => (init_audit(), exports_audit));
+  const listAll = args2.includes("--all") || args2.length === 0;
+  if (listAll) {
+    const sessions = listSessions2();
+    if (sessions.length === 0) {
+      console.log("No kernel-governed sessions found in aegis.db");
+      return;
+    }
+    console.log(`
+KavachOS governed sessions (${sessions.length}):
+`);
+    for (const s of sessions) {
+      const result2 = auditSession2(s.session_id);
+      const icon = result2.verdict === "CLEAN" ? "\u2705" : "\u274C";
+      console.log(`${icon} ${s.session_id.padEnd(28)} domain=${s.domain.padEnd(12)} trust=0x${s.trust_mask.toString(16).padStart(8, "0")} syscalls=${s.syscall_count} chain=${result2.chain_valid ? "ok" : "BROKEN"}`);
+    }
+    return;
+  }
+  const sessionId = args2.find((a) => !a.startsWith("--")) ?? "";
+  if (!sessionId) {
+    console.error("Usage: kavachos audit <session-id> | --all");
+    process.exit(1);
+  }
+  const result = auditSession2(sessionId);
+  printAudit2(result);
+  if (result.verdict !== "CLEAN")
+    process.exit(1);
+}
+async function cmdRules(args2) {
+  const { generateFalcoRules: generateFalcoRules2 } = await Promise.resolve().then(() => (init_falco_rule_generator(), exports_falco_rule_generator));
+  const domain = parseDomain(args2);
+  const trustMask = parseTrustMask(args2);
+  const jsonFlag = args2.includes("--json");
+  const rules = generateFalcoRules2(domain, trustMask);
+  if (jsonFlag) {
+    console.log(JSON.stringify(rules, null, 2));
+  } else {
+    console.log(`# KavachOS Falco Rules \u2014 domain=${domain} trust_mask=0x${trustMask.toString(16).padStart(8, "0")}`);
+    console.log(`# Generated: ${rules.generated_at} | Rules: ${rules.rule_count}
+`);
+    console.log(rules.rules);
+  }
+}
+async function cmdProfileShow(args2) {
+  const { getProfileForAgent: getProfileForAgent2 } = await Promise.resolve().then(() => (init_profile_store(), exports_profile_store));
+  const { listSessions: listSessions2 } = await Promise.resolve().then(() => (init_audit(), exports_audit));
+  const jsonFlag = args2.includes("--json");
+  const sessionFlag = args2.find((a) => a.startsWith("--session="))?.split("=")[1] ?? args2[args2.indexOf("--session") + 1];
+  const agentId = args2.find((a) => !a.startsWith("--")) ?? null;
+  if (!agentId) {
+    const sessions = listSessions2();
+    if (sessions.length === 0) {
+      console.log("No governed sessions found in aegis.db");
+      return;
+    }
+    if (jsonFlag) {
+      console.log(JSON.stringify(sessions, null, 2));
+    } else {
+      console.log(`
+KavachOS profiles (${sessions.length} sessions):
+`);
+      for (const s of sessions) {
+        console.log(`  ${s.session_id.padEnd(28)}  domain=${s.domain.padEnd(12)}  trust=0x${s.trust_mask.toString(16).padStart(8, "0")}  syscalls=${s.syscall_count}  hash=${s.profile_hash?.slice(0, 12) ?? "n/a"}...`);
+      }
+    }
+    return;
+  }
+  const profile = getProfileForAgent2(agentId, sessionFlag ?? null);
+  if (!profile) {
+    console.error(`No profile found for agent-id="${agentId}"${sessionFlag ? ` session="${sessionFlag}"` : ""}`);
+    process.exit(1);
+  }
+  const { readValve: readValve2 } = await Promise.resolve().then(() => (init_gate_valve(), exports_gate_valve));
+  const valveState = readValve2(agentId);
+  if (jsonFlag) {
+    console.log(JSON.stringify({ profile, valve_state: valveState }, null, 2));
+    return;
+  }
+  const kv = profile._kavachos ?? {};
+  console.log(`
+KavachOS Profile \u2014 agent: ${agentId}`);
+  console.log(`  session_id:   ${profile._session_id ?? sessionFlag ?? "n/a"}`);
+  console.log(`  domain:       ${kv.domain ?? "n/a"}`);
+  console.log(`  trust_mask:   0x${(kv.trust_mask ?? 0).toString(16).padStart(8, "0")}`);
+  console.log(`  syscalls:     ${profile.syscalls?.[0]?.names?.length ?? 0}`);
+  console.log(`  k_seal:       ${kv.k_seal ?? "n/a"}`);
+  console.log(`  generated_at: ${kv.generated_at ?? "n/a"}`);
+  console.log(`  default:      ${profile.defaultAction}`);
+  console.log(`
+Gate valve state:`);
+  const icon = valveState.state === "OPEN" ? "\u2705" : valveState.state === "THROTTLED" ? "\u26A0\uFE0F" : valveState.state === "CRACKED" ? "\uD83D\uDFE0" : "\uD83D\uDD34";
+  console.log(`  ${icon} ${valveState.state}  violations=${valveState.violation_count}  reason="${valveState.narrowed_reason ?? "none"}"`);
+  if (valveState.state !== "OPEN") {
+    console.log(`  narrowed_at: ${valveState.narrowed_at ?? "n/a"}  locked_by: ${valveState.locked_by ?? "n/a"}`);
+  }
+}
+async function cmdInit(args2) {
+  const { existsSync: existsSync5, writeFileSync: writeFileSync5 } = await import("fs");
+  const { resolve } = await import("path");
+  const configPath = resolve(process.cwd(), ".kavachos.json");
+  const force = args2.includes("--force");
+  if (existsSync5(configPath) && !force) {
+    console.error(`.kavachos.json already exists (use --force to overwrite): ${configPath}`);
+    process.exit(1);
+  }
+  const domain = parseDomain(args2);
+  const trustMask = parseTrustMask(args2);
+  const agentType = args2.find((a) => a.startsWith("--agent-type="))?.split("=")[1] ?? "claude-code";
+  const config = {
+    kavachos_version: "2.0.0",
+    schema: "kavachos-config-v1",
+    project: {
+      name: resolve(process.cwd()).split("/").pop() ?? "unnamed",
+      domain
+    },
+    agents: [
+      {
+        id: agentType,
+        type: agentType,
+        trust_mask: trustMask,
+        domain,
+        description: `Default agent for ${domain} domain`
+      }
+    ],
+    enforcement: {
+      default_action: "SCMP_ACT_ERRNO",
+      falco_enabled: false,
+      verbose: false
+    },
+    xshieldai: {
+      posture_suite: "KavachOS",
+      homepage: "https://kavachos.xshieldai.com",
+      license: "AGPL-3.0"
+    },
+    _generated_at: new Date().toISOString(),
+    _rule_ref: "KOS-033"
+  };
+  writeFileSync5(configPath, JSON.stringify(config, null, 2));
+  console.log(`
+KavachOS initialized: ${configPath}`);
+  console.log(`  domain:     ${domain}`);
+  console.log(`  trust_mask: 0x${trustMask.toString(16).padStart(8, "0")}`);
+  console.log(`  agent_type: ${agentType}`);
+  console.log(`
+Next: kavachos run <your-agent> --domain=${domain} --trust-mask=0x${trustMask.toString(16)}`);
+  console.log(`      kavachos profile show  (after first run)`);
+}
+function parseRunOpts(args2) {
+  return {
+    trustMask: parseTrustMask(args2),
+    domain: parseDomain(args2),
+    agentType: args2.find((a) => a.startsWith("--agent-type="))?.split("=")[1] ?? "claude-code",
+    sessionId: args2.find((a) => a.startsWith("--session-id="))?.split("=")[1],
+    agentId: args2.find((a) => a.startsWith("--agent-id="))?.split("=")[1],
+    dryRun: args2.includes("--dry-run"),
+    verbose: args2.includes("--verbose") || args2.includes("-v"),
+    falcoEnabled: args2.includes("--falco")
+  };
+}
+function parseTrustMask(args2) {
+  const flag = args2.find((a) => a.startsWith("--trust-mask="));
+  if (!flag) {
+    return parseInt(process.env.KAVACHOS_TRUST_MASK ?? "1", 10);
+  }
+  const val = flag.split("=")[1];
+  return val.startsWith("0x") ? parseInt(val, 16) : parseInt(val, 10);
+}
+function parseDomain(args2) {
+  return args2.find((a) => a.startsWith("--domain="))?.split("=")[1] ?? process.env.KAVACHOS_DOMAIN ?? "general";
+}
+function outFile(base, ext) {
+  return base.includes(".") ? `${base.replace(/\.[^.]+$/, "")}.${ext}` : `${base}.${ext}`;
+}
+function printHelp() {
+  console.log(`
+kavachos \u2014 KavachOS kernel enforcement CLI
+Part of the xShieldAI Posture Suite \xB7 kavachos.xshieldai.com
+Version 2.0.0 | AGPL-3.0 | DOI 10.5281/zenodo.19908430
+
+Usage: kavachos <command> [options]
+
+Commands:
+  run <binary> [args]        Launch agent under seccomp-bpf governance (KOS-011)
+  generate                   Generate seccomp profile + Falco rules without exec
+  profile show [agent-id]    Show active seccomp profile + gate valve state (KOS-031)
+  audit [session-id]         Verify profile hash + PRAMANA receipt chain (KOS-012)
+  rules                      Print domain-specific Falco rules
+  init                       Write .kavachos.json config in project root (KOS-033)
+  version                    Print version
+
+Options for run / generate:
+  --trust-mask=<N>           trust_mask value (hex or decimal, default: 1)
+  --domain=<name>            Domain: general|maritime|logistics|ot|finance (default: general)
+  --agent-type=<name>        Agent type label (default: claude-code)
+  --session-id=<id>          Override session ID
+  --agent-id=<id>            Agent ID for receipt chain linkage
+  --falco                    Write Falco rules file alongside seccomp profile
+  --dry-run                  Generate profile only, do not exec
+  --verbose / -v             Verbose kernel messages on stderr
+  --json                     Output JSON (generate/rules/audit/profile)
+  --out=<path>               Write profile + rules to files (generate only)
+
+Options for audit / profile show:
+  --all                      List all sessions (audit) / all profiles (profile show)
+  --session=<id>             Filter profile show by session ID
+
+Options for init:
+  --force                    Overwrite existing .kavachos.json
+
+Examples:
+  kavachos init --domain=maritime --trust-mask=0xFF
+  kavachos run claude --trust-mask=0xFF --domain=general --verbose
+  kavachos run bun src/my-agent.ts --trust-mask=0x00FF0000 --domain=maritime --falco
+  kavachos generate --trust-mask=255 --domain=logistics --json
+  kavachos generate --trust-mask=0 --domain=general --out=/tmp/minimal
+  kavachos profile show agent-123
+  kavachos profile show
+  kavachos audit KOS-A1B2C3
+  kavachos audit --all
+  kavachos rules --domain=maritime --trust-mask=0x0000FF00
+
+Rules:
+  KOS-011: This CLI is the only approved path for governed agent launch
+  KOS-010: Profiles are generated deterministically \u2014 never hand-written
+  KOS-012: Profile drift = security incident
+  KOS-031: profile show = live posture view for any governed agent
+  KOS-033: init = project-level config, registers agent types + domains
+  INF-KOS-001: trust_mask=0 \u2192 read-only minimal profile
+  INF-KOS-007: --domain absent \u2192 trust_mask=1 \u2192 minimal safe profile
+`);
+}
+main().catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(`kavachos error: ${message}`);
+  process.exit(1);
+});