agenttop 0.3.0

package/dist/chunk-4I4UZNKS.js

@@ -0,0 +1,1019 @@
+#!/usr/bin/env node
+
+// src/config/store.ts
+import { existsSync, readFileSync, writeFileSync, mkdirSync, statSync, renameSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var getConfigDir = () => {
+  const xdg = process.env.XDG_CONFIG_HOME;
+  return xdg ? join(xdg, "agenttop") : join(homedir(), ".config", "agenttop");
+};
+var getConfigPath = () => join(getConfigDir(), "config.json");
+var defaultConfig = () => ({
+  pollInterval: 1e4,
+  maxEvents: 200,
+  maxAlerts: 100,
+  alertLevel: "warn",
+  notifications: {
+    bell: true,
+    desktop: false,
+    minSeverity: "high"
+  },
+  alerts: {
+    logFile: join(getConfigDir(), "alerts.jsonl"),
+    enabled: true
+  },
+  updates: {
+    checkOnLaunch: true,
+    checkInterval: 216e5
+  },
+  nicknames: {},
+  keybindings: {
+    quit: "q",
+    navUp: "k",
+    navDown: "j",
+    panelNext: "tab",
+    panelPrev: "shift+tab",
+    scrollTop: "g",
+    scrollBottom: "G",
+    filter: "/",
+    nickname: "n",
+    clearNickname: "N",
+    detail: "enter",
+    update: "u"
+  },
+  security: {
+    enabled: true,
+    rules: {
+      network: true,
+      exfiltration: true,
+      sensitiveFiles: true,
+      shellEscape: true,
+      injection: true
+    }
+  },
+  prompts: {
+    hook: "pending",
+    mcp: "pending"
+  }
+});
+var deepMerge = (target, source) => {
+  const result = { ...target };
+  for (const key of Object.keys(target)) {
+    if (key in source) {
+      const tVal = target[key];
+      const sVal = source[key];
+      if (tVal && sVal && typeof tVal === "object" && typeof sVal === "object" && !Array.isArray(tVal)) {
+        result[key] = deepMerge(tVal, sVal);
+      } else {
+        result[key] = sVal;
+      }
+    }
+  }
+  for (const key of Object.keys(source)) {
+    if (!(key in target)) {
+      result[key] = source[key];
+    }
+  }
+  return result;
+};
+var loadConfig = () => {
+  const configPath = getConfigPath();
+  const defaults = defaultConfig();
+  if (!existsSync(configPath)) {
+    return defaults;
+  }
+  try {
+    const raw = JSON.parse(readFileSync(configPath, "utf-8"));
+    return deepMerge(defaults, raw);
+  } catch {
+    return defaults;
+  }
+};
+var saveConfig = (config) => {
+  const configDir = getConfigDir();
+  mkdirSync(configDir, { recursive: true });
+  writeFileSync(getConfigPath(), JSON.stringify(config, null, 2) + "\n");
+};
+var isFirstRun = () => !existsSync(getConfigPath());
+var setNickname = (sessionId, nickname) => {
+  const config = loadConfig();
+  config.nicknames[sessionId] = nickname;
+  saveConfig(config);
+};
+var clearNickname = (sessionId) => {
+  const config = loadConfig();
+  delete config.nicknames[sessionId];
+  saveConfig(config);
+};
+var getNicknames = () => {
+  return loadConfig().nicknames;
+};
+var resolveAlertLogPath = (config) => {
+  const logFile = config.alerts.logFile;
+  if (logFile.startsWith("~")) {
+    return join(homedir(), logFile.slice(1));
+  }
+  return logFile;
+};
+var rotateLogFile = (filePath, maxBytes = 10 * 1024 * 1024) => {
+  try {
+    const stat = statSync(filePath);
+    if (stat.size > maxBytes) {
+      const rotated = filePath + ".1";
+      if (existsSync(rotated)) {
+        try {
+          renameSync(rotated, filePath + ".2");
+        } catch {
+        }
+      }
+      renameSync(filePath, rotated);
+    }
+  } catch {
+  }
+};
+
+// src/mcp/server.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+
+// src/discovery/sessions.ts
+import { readdirSync as readdirSync2, statSync as statSync2, readlinkSync, openSync, readSync, closeSync } from "fs";
+import { join as join3, basename } from "path";
+import { execSync } from "child_process";
+
+// src/config.ts
+import { realpathSync, readdirSync } from "fs";
+import { homedir as homedir2, platform } from "os";
+import { join as join2 } from "path";
+var resolvePath = (p) => {
+  try {
+    return realpathSync(p);
+  } catch {
+    return p;
+  }
+};
+var getUid = () => process.getuid?.() ?? 0;
+var isRoot = () => getUid() === 0;
+var getTmpDir = () => resolvePath(platform() === "darwin" ? "/private/tmp" : "/tmp");
+var getTaskDirs = (allUsers) => {
+  const tmp = getTmpDir();
+  const uid = getUid();
+  if (allUsers && isRoot()) {
+    try {
+      return readdirSync(tmp).filter((d) => d.startsWith("claude-")).filter((d) => !d.endsWith("-cwd")).map((d) => join2(tmp, d));
+    } catch {
+      return [join2(tmp, `claude-${uid}`)];
+    }
+  }
+  return [join2(tmp, `claude-${uid}`)];
+};
+
+// src/discovery/sessions.ts
+var getClaudeProcesses = () => {
+  try {
+    const output = execSync("ps aux", { encoding: "utf-8", timeout: 5e3 });
+    const procs = output.split("\n").filter((line) => line.includes("/claude") && !line.includes("grep") && !line.includes("agenttop")).map((line) => {
+      const parts = line.trim().split(/\s+/);
+      const pid = parseInt(parts[1], 10);
+      let cwd = "";
+      try {
+        cwd = readlinkSync(`/proc/${pid}/cwd`);
+      } catch {
+      }
+      return {
+        pid,
+        cpu: parseFloat(parts[2]) || 0,
+        mem: parseFloat(parts[3]) || 0,
+        memKB: parseInt(parts[5], 10) || 0,
+        startTime: parts[8] || "",
+        command: parts.slice(10).join(" "),
+        cwd
+      };
+    }).filter((p) => !isNaN(p.pid)).filter((p) => !p.command.startsWith("sudo"));
+    return procs;
+  } catch {
+    return [];
+  }
+};
+var readFirstEvent = (filePath) => {
+  try {
+    const fd = openSync(filePath, "r");
+    const buf = Buffer.alloc(16384);
+    const bytesRead = readSync(fd, buf, 0, 16384, 0);
+    closeSync(fd);
+    const line = buf.subarray(0, bytesRead).toString("utf-8").split("\n")[0];
+    if (!line) return null;
+    return JSON.parse(line);
+  } catch {
+    return null;
+  }
+};
+var findModelAndUsage = (filePath) => {
+  const usage = { inputTokens: 0, cacheCreationTokens: 0, cacheReadTokens: 0, outputTokens: 0 };
+  let model = "";
+  try {
+    const fd = openSync(filePath, "r");
+    const buf = Buffer.alloc(65536);
+    const bytesRead = readSync(fd, buf, 0, 65536, 0);
+    closeSync(fd);
+    const text = buf.subarray(0, bytesRead).toString("utf-8");
+    const lines = text.split("\n");
+    for (const line of lines) {
+      if (!line) continue;
+      try {
+        const evt = JSON.parse(line);
+        if (evt.type === "assistant") {
+          if (!model && evt.message?.model) {
+            model = String(evt.message.model);
+          }
+          const u = evt.message?.usage;
+          if (u) {
+            usage.inputTokens += u.input_tokens ?? 0;
+            usage.cacheCreationTokens += u.cache_creation_input_tokens ?? 0;
+            usage.cacheReadTokens += u.cache_read_input_tokens ?? 0;
+            usage.outputTokens += u.output_tokens ?? 0;
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+  } catch {
+  }
+  return { model, usage };
+};
+var normalisePath = (p) => {
+  return p.replace(/\/+$/, "");
+};
+var discoverSessions = (allUsers) => {
+  const taskDirs = getTaskDirs(allUsers);
+  const processes = getClaudeProcesses();
+  const sessionMap = /* @__PURE__ */ new Map();
+  for (const taskDir of taskDirs) {
+    let projectDirs;
+    try {
+      projectDirs = readdirSync2(taskDir);
+    } catch {
+      continue;
+    }
+    for (const projectName of projectDirs) {
+      const projectPath = join3(taskDir, projectName);
+      let stat;
+      try {
+        stat = statSync2(projectPath);
+      } catch {
+        continue;
+      }
+      if (!stat.isDirectory()) continue;
+      const tasksDir = join3(projectPath, "tasks");
+      let outputFiles;
+      try {
+        outputFiles = readdirSync2(tasksDir).filter((f) => f.endsWith(".output")).map((f) => join3(tasksDir, f));
+      } catch {
+        continue;
+      }
+      if (outputFiles.length === 0) continue;
+      const agentIds = [];
+      let sessionId = "";
+      let slug = "";
+      let cwd = "";
+      let model = "";
+      let version = "";
+      let gitBranch = "";
+      let startTime = Infinity;
+      let lastActivity = 0;
+      const totalUsage = { inputTokens: 0, cacheCreationTokens: 0, cacheReadTokens: 0, outputTokens: 0 };
+      for (const outputFile of outputFiles) {
+        const agentId = basename(outputFile, ".output");
+        agentIds.push(agentId);
+        const firstEvent = readFirstEvent(outputFile);
+        if (firstEvent) {
+          if (!sessionId) sessionId = String(firstEvent.sessionId || "");
+          if (!slug) slug = String(firstEvent.slug || "");
+          if (!cwd) cwd = String(firstEvent.cwd || "");
+          if (!version) version = String(firstEvent.version || "");
+          if (!gitBranch) gitBranch = String(firstEvent.gitBranch || "");
+        }
+        try {
+          const fstat = statSync2(outputFile);
+          const created = fstat.birthtimeMs || fstat.ctimeMs;
+          if (created < startTime) startTime = created;
+          if (fstat.mtimeMs > lastActivity) lastActivity = fstat.mtimeMs;
+        } catch {
+        }
+        const result = findModelAndUsage(outputFile);
+        if (!model && result.model) {
+          model = result.model;
+        }
+        totalUsage.inputTokens += result.usage.inputTokens;
+        totalUsage.cacheCreationTokens += result.usage.cacheCreationTokens;
+        totalUsage.cacheReadTokens += result.usage.cacheReadTokens;
+        totalUsage.outputTokens += result.usage.outputTokens;
+      }
+      if (!model) {
+        model = "unknown";
+      }
+      const normCwd = normalisePath(cwd);
+      const matchingProcess = processes.find((p) => {
+        if (!p.cwd) return false;
+        return normalisePath(p.cwd) === normCwd;
+      });
+      const session = {
+        sessionId,
+        slug: slug || sessionId.slice(0, 12),
+        project: projectName.replace(/-/g, "/"),
+        cwd,
+        model,
+        version,
+        gitBranch,
+        pid: matchingProcess?.pid ?? null,
+        cpu: matchingProcess?.cpu ?? 0,
+        mem: matchingProcess?.mem ?? 0,
+        memMB: matchingProcess ? Math.round(matchingProcess.memKB / 1024) : 0,
+        agentCount: agentIds.length,
+        agentIds,
+        outputFiles,
+        startTime: startTime === Infinity ? Date.now() : startTime,
+        lastActivity,
+        usage: totalUsage
+      };
+      sessionMap.set(sessionId || projectName, session);
+    }
+  }
+  return Array.from(sessionMap.values()).sort((a, b) => b.lastActivity - a.lastActivity);
+};
+
+// src/discovery/types.ts
+var isToolResult = (event) => "toolUseId" in event;
+var isToolCall = (event) => "toolName" in event;
+
+// src/analysis/rules/network.ts
+var NETWORK_PATTERNS = [
+  /\bcurl\b/,
+  /\bwget\b/,
+  /\bfetch\s*\(/,
+  /\bnc\b/,
+  /\bnetcat\b/,
+  /\bpython3?\s+-m\s+http\.server\b/,
+  /\bncat\b/,
+  /\bsocat\b/,
+  /\btelnet\b/
+];
+var LOCALHOST = /\b(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])\b/;
+var checkNetwork = (call) => {
+  if (call.toolName !== "Bash") return null;
+  const command = String(call.toolInput.command || "");
+  const matched = NETWORK_PATTERNS.some((p) => p.test(command));
+  if (!matched) return null;
+  const isLocal = LOCALHOST.test(command);
+  const severity = isLocal ? "info" : "warn";
+  return {
+    id: `net-${call.timestamp}-${call.agentId}`,
+    severity,
+    rule: "network",
+    message: isLocal ? `Network command to localhost: ${command.slice(0, 80)}` : `Network command to external target: ${command.slice(0, 80)}`,
+    sessionSlug: call.slug,
+    sessionId: call.sessionId,
+    event: call,
+    timestamp: call.timestamp
+  };
+};
+
+// src/analysis/rules/exfiltration.ts
+var EXFIL_PATTERNS = [
+  /base64.*\|\s*(curl|wget|nc)/,
+  /cat\s+.*\|\s*(curl|wget|nc)/,
+  /(tar|zip|gzip).*\|\s*(curl|wget|nc)/,
+  /\bcurl\b.*-d\s*@/,
+  /\bcurl\b.*--data-binary/,
+  /\bscp\b/,
+  /\brsync\b.*[^/]@/,
+  />\s*\/dev\/tcp\//
+];
+var checkExfiltration = (call) => {
+  if (call.toolName !== "Bash") return null;
+  const command = String(call.toolInput.command || "");
+  const matched = EXFIL_PATTERNS.some((p) => p.test(command));
+  if (!matched) return null;
+  return {
+    id: `exfil-${call.timestamp}-${call.agentId}`,
+    severity: "high",
+    rule: "exfiltration",
+    message: `Potential data exfiltration: ${command.slice(0, 80)}`,
+    sessionSlug: call.slug,
+    sessionId: call.sessionId,
+    event: call,
+    timestamp: call.timestamp
+  };
+};
+
+// src/analysis/rules/sensitive-files.ts
+var SENSITIVE_PATTERNS = [
+  /\.env\b/,
+  /\.env\.\w+/,
+  /\.ssh\//,
+  /id_rsa/,
+  /id_ed25519/,
+  /\.pem$/,
+  /\.key$/,
+  /credentials/i,
+  /\/etc\/shadow/,
+  /\/etc\/passwd/,
+  /\.aws\/credentials/,
+  /\.kube\/config/,
+  /\.docker\/config\.json/,
+  /\.npmrc/,
+  /\.pypirc/,
+  /\.netrc/,
+  /secrets?\.\w+/i,
+  /token\.\w+/i
+];
+var TOOLS_THAT_READ = ["Read", "Bash", "Grep", "Glob"];
+var checkSensitiveFiles = (call) => {
+  if (!TOOLS_THAT_READ.includes(call.toolName)) return null;
+  const inputs = JSON.stringify(call.toolInput);
+  const matched = SENSITIVE_PATTERNS.some((p) => p.test(inputs));
+  if (!matched) return null;
+  const target = String(call.toolInput.file_path || call.toolInput.command || call.toolInput.pattern || "").slice(
+    0,
+    60
+  );
+  return {
+    id: `sens-${call.timestamp}-${call.agentId}`,
+    severity: "warn",
+    rule: "sensitive-files",
+    message: `Accessing sensitive file: ${target}`,
+    sessionSlug: call.slug,
+    sessionId: call.sessionId,
+    event: call,
+    timestamp: call.timestamp
+  };
+};
+
+// src/analysis/rules/shell-escape.ts
+var SHELL_PATTERNS = [
+  { pattern: /\beval\s*[("']/, severity: "high", label: "eval execution" },
+  { pattern: /\bchmod\s+777\b/, severity: "high", label: "chmod 777" },
+  { pattern: /\bchmod\s+\+s\b/, severity: "critical", label: "setuid chmod" },
+  { pattern: /\bsudo\b/, severity: "high", label: "sudo usage" },
+  { pattern: /\bsu\s+-?\s*\w/, severity: "high", label: "su usage" },
+  { pattern: />\s*\/etc\//, severity: "critical", label: "writing to /etc/" },
+  { pattern: />\s*\/usr\//, severity: "critical", label: "writing to /usr/" },
+  { pattern: /--privileged/, severity: "critical", label: "privileged flag" },
+  { pattern: /\brm\s+-rf\s+\/(?!\w)/, severity: "critical", label: "rm -rf /" },
+  { pattern: /\bdd\s+.*of=\/dev\//, severity: "critical", label: "dd to device" },
+  { pattern: /\bmkfs\b/, severity: "critical", label: "filesystem format" },
+  { pattern: /\biptables\b/, severity: "high", label: "firewall modification" }
+];
+var checkShellEscape = (call) => {
+  if (call.toolName !== "Bash") return null;
+  const command = String(call.toolInput.command || "");
+  for (const rule of SHELL_PATTERNS) {
+    if (rule.pattern.test(command)) {
+      return {
+        id: `shell-${call.timestamp}-${call.agentId}`,
+        severity: rule.severity,
+        rule: "shell-escape",
+        message: `${rule.label}: ${command.slice(0, 80)}`,
+        sessionSlug: call.slug,
+        sessionId: call.sessionId,
+        event: call,
+        timestamp: call.timestamp
+      };
+    }
+  }
+  return null;
+};
+
+// src/analysis/rules/injection.ts
+var INJECTION_PATTERNS = [
+  /ignore\s+(all\s+)?previous\s+instructions/i,
+  /ignore\s+(all\s+)?prior\s+instructions/i,
+  /disregard\s+(all\s+)?previous/i,
+  /you\s+are\s+now\s+/i,
+  /new\s+instructions?\s*:/i,
+  /system\s*:\s*you/i,
+  /\bdo\s+not\s+follow\s+(your|the)\s+(original|previous)/i,
+  /override\s+(your\s+)?(instructions|rules|guidelines)/i,
+  /forget\s+(your\s+)?(instructions|rules|guidelines)/i,
+  /act\s+as\s+(if\s+)?(you\s+are|a)\s+/i,
+  /pretend\s+(you\s+are|to\s+be)\s+/i,
+  /\bAI\s+assistant\b.*\bmust\b/i,
+  /\bhuman\s*:\s*/i,
+  /\bassistant\s*:\s*/i,
+  /<\s*system\s*>/i,
+  /\[\s*INST\s*\]/i,
+  /BEGIN\s+HIDDEN\s+INSTRUCTIONS/i
+];
+var ENCODED_PATTERNS = [
+  /aWdub3JlIHByZXZpb3Vz/,
+  // base64 "ignore previous"
+  /&#x[0-9a-f]+;/i,
+  // html hex entities
+  /&#\d+;/,
+  // html decimal entities
+  /\\u[0-9a-f]{4}/i
+  // unicode escapes
+];
+var checkInjection = (event) => {
+  if (isToolCall(event)) {
+    return checkToolCallInjection(event);
+  }
+  if (isToolResult(event)) {
+    return checkToolResultInjection(event);
+  }
+  return null;
+};
+var checkToolCallInjection = (call) => {
+  const inputs = JSON.stringify(call.toolInput);
+  const matched = INJECTION_PATTERNS.some((p) => p.test(inputs));
+  if (!matched) return null;
+  return {
+    id: `inject-call-${call.timestamp}-${call.agentId}`,
+    severity: "critical",
+    rule: "injection",
+    message: `Prompt injection in ${call.toolName} input`,
+    sessionSlug: call.slug,
+    sessionId: call.sessionId,
+    event: call,
+    timestamp: call.timestamp
+  };
+};
+var checkToolResultInjection = (result) => {
+  const content = result.content;
+  if (!content || content.length < 10) return null;
+  const textPatternMatch = INJECTION_PATTERNS.some((p) => p.test(content));
+  const encodedMatch = ENCODED_PATTERNS.some((p) => p.test(content));
+  if (!textPatternMatch && !encodedMatch) return null;
+  const matchedPattern = INJECTION_PATTERNS.find((p) => p.test(content));
+  const snippet = matchedPattern ? content.match(matchedPattern)?.[0]?.slice(0, 50) || "" : "encoded pattern";
+  return {
+    id: `inject-result-${result.timestamp}-${result.agentId}`,
+    severity: "critical",
+    rule: "injection-in-result",
+    message: `Prompt injection in tool result: "${snippet}"`,
+    sessionSlug: result.slug,
+    sessionId: result.sessionId,
+    event: result,
+    timestamp: result.timestamp
+  };
+};
+
+// src/analysis/security.ts
+var toolCallRules = [
+  { key: "network", fn: checkNetwork },
+  { key: "exfiltration", fn: checkExfiltration },
+  { key: "sensitiveFiles", fn: checkSensitiveFiles },
+  { key: "shellEscape", fn: checkShellEscape }
+];
+var allEventRules = [{ key: "injection", fn: checkInjection }];
+var SEVERITY_ORDER = {
+  info: 0,
+  warn: 1,
+  high: 2,
+  critical: 3
+};
+var DEDUP_WINDOW_MS = 3e4;
+var SecurityEngine = class {
+  recentAlerts = /* @__PURE__ */ new Map();
+  minLevel;
+  rulesConfig;
+  constructor(minLevel = "warn", rulesConfig) {
+    this.minLevel = minLevel;
+    this.rulesConfig = rulesConfig ?? {
+      network: true,
+      exfiltration: true,
+      sensitiveFiles: true,
+      shellEscape: true,
+      injection: true
+    };
+  }
+  analyze(call) {
+    return this.analyzeEvent(call);
+  }
+  analyzeResult(result) {
+    return this.analyzeEvent(result);
+  }
+  analyzeEvent(event) {
+    const alerts = [];
+    if (isToolCall(event)) {
+      for (const rule of toolCallRules) {
+        if (!this.rulesConfig[rule.key]) continue;
+        const alert = rule.fn(event);
+        if (alert) alerts.push(alert);
+      }
+    }
+    for (const rule of allEventRules) {
+      if (!this.rulesConfig[rule.key]) continue;
+      const alert = rule.fn(event);
+      if (alert) alerts.push(alert);
+    }
+    return alerts.filter((alert) => {
+      if (SEVERITY_ORDER[alert.severity] < SEVERITY_ORDER[this.minLevel]) return false;
+      const dedupKey = `${alert.rule}-${alert.sessionId}-${alert.message.slice(0, 40)}`;
+      const lastSeen = this.recentAlerts.get(dedupKey);
+      if (lastSeen && alert.timestamp - lastSeen < DEDUP_WINDOW_MS) return false;
+      this.recentAlerts.set(dedupKey, alert.timestamp);
+      return true;
+    });
+  }
+  pruneOldAlerts() {
+    const cutoff = Date.now() - DEDUP_WINDOW_MS * 2;
+    for (const [key, ts] of this.recentAlerts) {
+      if (ts < cutoff) this.recentAlerts.delete(key);
+    }
+  }
+};
+
+// src/ingestion/watcher.ts
+import { watch } from "chokidar";
+
+// src/ingestion/tail.ts
+import { openSync as openSync2, readSync as readSync2, closeSync as closeSync2, statSync as statSync3 } from "fs";
+var FileTailer = class {
+  offsets = /* @__PURE__ */ new Map();
+  readNewLines(filePath) {
+    let currentSize;
+    try {
+      currentSize = statSync3(filePath).size;
+    } catch {
+      return [];
+    }
+    const lastOffset = this.offsets.get(filePath) ?? 0;
+    if (currentSize <= lastOffset) return [];
+    const bytesToRead = currentSize - lastOffset;
+    const buf = Buffer.alloc(bytesToRead);
+    let fd;
+    try {
+      fd = openSync2(filePath, "r");
+    } catch {
+      return [];
+    }
+    try {
+      readSync2(fd, buf, 0, bytesToRead, lastOffset);
+    } finally {
+      closeSync2(fd);
+    }
+    this.offsets.set(filePath, currentSize);
+    const text = buf.toString("utf-8");
+    const lines = text.split("\n").filter((l) => l.trim().length > 0);
+    return lines;
+  }
+  seekToEnd(filePath) {
+    try {
+      const size = statSync3(filePath).size;
+      this.offsets.set(filePath, size);
+    } catch {
+    }
+  }
+  reset(filePath) {
+    this.offsets.delete(filePath);
+  }
+  resetAll() {
+    this.offsets.clear();
+  }
+};
+
+// src/ingestion/parser.ts
+var parseEventTimestamp = (event) => {
+  if (event.timestamp) {
+    const parsed = new Date(event.timestamp).getTime();
+    if (!isNaN(parsed)) return parsed;
+  }
+  return Date.now();
+};
+var parseLine = (line) => {
+  try {
+    return JSON.parse(line);
+  } catch {
+    return null;
+  }
+};
+var extractToolCalls = (event) => {
+  if (event.type !== "assistant") return [];
+  const content = event.message?.content;
+  if (!Array.isArray(content)) return [];
+  const ts = parseEventTimestamp(event);
+  const calls = [];
+  for (const block of content) {
+    if (typeof block === "object" && block !== null && "type" in block && block.type === "tool_use") {
+      const toolBlock = block;
+      calls.push({
+        sessionId: event.sessionId,
+        agentId: event.agentId,
+        slug: event.slug || "",
+        timestamp: ts,
+        toolName: toolBlock.name || "unknown",
+        toolInput: toolBlock.input || {},
+        cwd: event.cwd
+      });
+    }
+  }
+  return calls;
+};
+var extractToolResults = (event) => {
+  if (event.type !== "user") return [];
+  const content = event.message?.content;
+  if (!Array.isArray(content)) return [];
+  const ts = parseEventTimestamp(event);
+  const results = [];
+  for (const block of content) {
+    if (typeof block === "object" && block !== null && "type" in block && block.type === "tool_result") {
+      const resultBlock = block;
+      const resultContent = resultBlock.content;
+      let text = "";
+      if (typeof resultContent === "string") {
+        text = resultContent;
+      } else if (Array.isArray(resultContent)) {
+        text = resultContent.map((c) => typeof c === "object" && c !== null ? c.text || "" : String(c)).join("\n");
+      }
+      results.push({
+        sessionId: event.sessionId,
+        agentId: event.agentId,
+        slug: event.slug || "",
+        timestamp: ts,
+        toolUseId: String(resultBlock.tool_use_id || ""),
+        content: text,
+        isError: Boolean(resultBlock.is_error),
+        cwd: event.cwd
+      });
+    }
+  }
+  return results;
+};
+var extractUsage = (event) => {
+  if (event.type !== "assistant") return null;
+  const usage = event.message?.usage;
+  if (!usage) return null;
+  return {
+    inputTokens: usage.input_tokens ?? 0,
+    cacheCreationTokens: usage.cache_creation_input_tokens ?? 0,
+    cacheReadTokens: usage.cache_read_input_tokens ?? 0,
+    outputTokens: usage.output_tokens ?? 0
+  };
+};
+var parseLines = (lines) => {
+  const calls = [];
+  for (const line of lines) {
+    const event = parseLine(line);
+    if (event) {
+      calls.push(...extractToolCalls(event));
+    }
+  }
+  return calls;
+};
+var parseAllEvents = (lines) => {
+  const events = [];
+  for (const line of lines) {
+    const event = parseLine(line);
+    if (event) {
+      events.push(...extractToolCalls(event));
+      events.push(...extractToolResults(event));
+    }
+  }
+  return events;
+};
+var parseUsageFromLines = (lines) => {
+  const total = { inputTokens: 0, cacheCreationTokens: 0, cacheReadTokens: 0, outputTokens: 0 };
+  for (const line of lines) {
+    const event = parseLine(line);
+    if (event) {
+      const usage = extractUsage(event);
+      if (usage) {
+        total.inputTokens += usage.inputTokens;
+        total.cacheCreationTokens += usage.cacheCreationTokens;
+        total.cacheReadTokens += usage.cacheReadTokens;
+        total.outputTokens += usage.outputTokens;
+      }
+    }
+  }
+  return total;
+};
+
+// src/ingestion/watcher.ts
+var Watcher = class {
+  watcher = null;
+  tailer = new FileTailer();
+  handler;
+  securityHandler;
+  usageHandler;
+  allUsers;
+  knownFiles = /* @__PURE__ */ new Set();
+  constructor(handler, allUsers, securityHandler, usageHandler) {
+    this.handler = handler;
+    this.allUsers = allUsers;
+    this.securityHandler = securityHandler ?? null;
+    this.usageHandler = usageHandler ?? null;
+  }
+  start() {
+    const taskDirs = getTaskDirs(this.allUsers);
+    const globs = taskDirs.map((d) => `${d}/**/tasks/*.output`);
+    this.watcher = watch(globs, {
+      persistent: true,
+      ignoreInitial: false,
+      awaitWriteFinish: false,
+      usePolling: false
+    });
+    this.watcher.on("add", (filePath) => {
+      if (this.knownFiles.has(filePath)) return;
+      this.knownFiles.add(filePath);
+      this.tailer.seekToEnd(filePath);
+    });
+    this.watcher.on("change", (filePath) => {
+      const lines = this.tailer.readNewLines(filePath);
+      if (lines.length === 0) return;
+      const calls = parseLines(lines);
+      if (calls.length > 0) {
+        this.handler(calls);
+      }
+      if (this.securityHandler) {
+        const allEvents = parseAllEvents(lines);
+        if (allEvents.length > 0) {
+          this.securityHandler(allEvents);
+        }
+      }
+      if (this.usageHandler) {
+        const usage = parseUsageFromLines(lines);
+        if (usage.inputTokens > 0 || usage.outputTokens > 0) {
+          const firstCall = calls[0];
+          if (firstCall) {
+            this.usageHandler(firstCall.sessionId, usage);
+          }
+        }
+      }
+    });
+  }
+  stop() {
+    this.watcher?.close();
+    this.watcher = null;
+    this.tailer.resetAll();
+    this.knownFiles.clear();
+  }
+  readExisting(filePath) {
+    this.tailer.reset(filePath);
+    const lines = this.tailer.readNewLines(filePath);
+    return parseLines(lines);
+  }
+};
+
+// src/mcp/server.ts
+var MAX_ALERTS = 100;
+var MAX_ACTIVITY = 200;
+var startMcpServer = async (allUsers, noSecurity) => {
+  const alerts = [];
+  const activity = /* @__PURE__ */ new Map();
+  const engine = noSecurity ? null : new SecurityEngine("info");
+  const toolHandler = (calls) => {
+    for (const call of calls) {
+      const existing = activity.get(call.sessionId) ?? [];
+      existing.push(call);
+      if (existing.length > MAX_ACTIVITY) existing.splice(0, existing.length - MAX_ACTIVITY);
+      activity.set(call.sessionId, existing);
+    }
+  };
+  const securityHandler = engine ? (events) => {
+    for (const event of events) {
+      const newAlerts = engine.analyzeEvent(event);
+      alerts.push(...newAlerts);
+      if (alerts.length > MAX_ALERTS) alerts.splice(0, alerts.length - MAX_ALERTS);
+    }
+  } : void 0;
+  const watcher = new Watcher(toolHandler, allUsers, securityHandler);
+  watcher.start();
+  const server = new Server(
+    { name: "agenttop", version: "0.3.0" },
+    {
+      capabilities: { tools: {} }
+    }
+  );
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+      {
+        name: "agenttop_sessions",
+        description: "List active Claude Code sessions with model, CPU, MEM, tokens, nickname",
+        inputSchema: { type: "object", properties: {} }
+      },
+      {
+        name: "agenttop_alerts",
+        description: "Get recent security alerts, optionally filtered by severity",
+        inputSchema: {
+          type: "object",
+          properties: {
+            severity: {
+              type: "string",
+              enum: ["info", "warn", "high", "critical"],
+              description: "Minimum severity filter"
+            },
+            limit: { type: "number", description: "Max alerts to return (default 20)" }
+          }
+        }
+      },
+      {
+        name: "agenttop_usage",
+        description: "Get token usage for a session or all sessions",
+        inputSchema: {
+          type: "object",
+          properties: {
+            sessionId: { type: "string", description: "Session ID (omit for all)" }
+          }
+        }
+      },
+      {
+        name: "agenttop_activity",
+        description: "Get recent tool calls for a session",
+        inputSchema: {
+          type: "object",
+          properties: {
+            sessionId: { type: "string", description: "Session ID" },
+            limit: { type: "number", description: "Max events to return (default 20)" }
+          },
+          required: ["sessionId"]
+        }
+      }
+    ]
+  }));
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    switch (name) {
+      case "agenttop_sessions": {
+        const sessions = discoverSessions(allUsers);
+        const data = sessions.map((s) => ({
+          sessionId: s.sessionId,
+          slug: s.slug,
+          model: s.model,
+          cwd: s.cwd,
+          cpu: s.cpu,
+          memMB: s.memMB,
+          agents: s.agentCount,
+          tokens: { input: s.usage.inputTokens, output: s.usage.outputTokens, cacheRead: s.usage.cacheReadTokens }
+        }));
+        return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+      }
+      case "agenttop_alerts": {
+        const severity = args?.severity ?? "info";
+        const limit = args?.limit ?? 20;
+        const order = { info: 0, warn: 1, high: 2, critical: 3 };
+        const minOrder = order[severity] ?? 0;
+        const filtered = alerts.filter((a) => (order[a.severity] ?? 0) >= minOrder).slice(-limit).map((a) => ({
+          severity: a.severity,
+          rule: a.rule,
+          message: a.message,
+          sessionSlug: a.sessionSlug,
+          timestamp: new Date(a.timestamp).toISOString()
+        }));
+        return { content: [{ type: "text", text: JSON.stringify(filtered, null, 2) }] };
+      }
+      case "agenttop_usage": {
+        const sessions = discoverSessions(allUsers);
+        const sessionId = args?.sessionId;
+        const targets = sessionId ? sessions.filter((s) => s.sessionId === sessionId) : sessions;
+        const data = targets.map((s) => ({
+          sessionId: s.sessionId,
+          slug: s.slug,
+          usage: s.usage
+        }));
+        return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+      }
+      case "agenttop_activity": {
+        const sid = args?.sessionId;
+        const limit = args?.limit ?? 20;
+        const events = (activity.get(sid) ?? []).slice(-limit).map((e) => ({
+          timestamp: new Date(e.timestamp).toISOString(),
+          tool: e.toolName,
+          input: e.toolInput
+        }));
+        return { content: [{ type: "text", text: JSON.stringify(events, null, 2) }] };
+      }
+      default:
+        return { content: [{ type: "text", text: `Unknown tool: ${name}` }], isError: true };
+    }
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  process.on("SIGINT", () => {
+    watcher.stop();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    watcher.stop();
+    process.exit(0);
+  });
+};
+
+export {
+  loadConfig,
+  saveConfig,
+  isFirstRun,
+  setNickname,
+  clearNickname,
+  getNicknames,
+  resolveAlertLogPath,
+  rotateLogFile,
+  discoverSessions,
+  Watcher,
+  SecurityEngine,
+  startMcpServer
+};
+//# sourceMappingURL=chunk-4I4UZNKS.js.map