bashbros 0.1.0

package/dist/cli.js

@@ -0,0 +1,2448 @@
+#!/usr/bin/env node
+import {
+  formatAllAgentsInfo,
+  formatPermissionsTable
+} from "./chunk-4R4GV5V2.js";
+import {
+  BashBro,
+  BashBros,
+  ClaudeCodeHooks,
+  CostEstimator,
+  LoopDetector,
+  MetricsCollector,
+  ReportGenerator,
+  UndoStack,
+  gateCommand,
+  getBashgymIntegration
+} from "./chunk-43W3RVEL.js";
+import "./chunk-SG752FZC.js";
+import "./chunk-DLP2O6PN.js";
+import {
+  findConfig,
+  getDefaultConfig,
+  loadConfig
+} from "./chunk-SB4JS3GU.js";
+import {
+  allowForSession
+} from "./chunk-GD5VNHIN.js";
+import {
+  RiskScorer
+} from "./chunk-DEAF6PYM.js";
+import {
+  formatRedactedConfig,
+  parseAgentConfig
+} from "./chunk-ID2O2QTI.js";
+import {
+  MoltbotHooks
+} from "./chunk-J37RHCFJ.js";
+import {
+  DashboardDB
+} from "./chunk-CSRPOGHY.js";
+import "./chunk-7OCVIDC7.js";
+
+// src/cli.ts
+import { Command } from "commander";
+import chalk5 from "chalk";
+
+// src/onboarding.ts
+import inquirer from "inquirer";
+import chalk from "chalk";
+import { writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+import { stringify } from "yaml";
+async function runOnboarding() {
+  console.log(chalk.dim(`  "I watch your agent's back so you don't have to."
+`));
+  const bashgymAvailable = existsSync(join(homedir(), ".bashgym", "integration"));
+  const questions = [
+    {
+      type: "list",
+      name: "agent",
+      message: "What agent are you protecting?",
+      choices: [
+        { name: "Claude Code", value: "claude-code" },
+        { name: "Moltbot (clawd.bot)", value: "moltbot" },
+        { name: "Clawdbot (legacy)", value: "clawdbot" },
+        { name: "Gemini CLI", value: "gemini-cli" },
+        { name: "Aider", value: "aider" },
+        { name: "OpenCode", value: "opencode" },
+        { name: "Other (custom)", value: "custom" }
+      ]
+    },
+    {
+      type: "list",
+      name: "projectType",
+      message: "What's this project about? (helps tune defaults)",
+      choices: [
+        { name: "Web development", value: "web" },
+        { name: "DevOps / Infrastructure", value: "devops" },
+        { name: "Data engineering", value: "data" },
+        { name: "General coding", value: "general" },
+        { name: "Sensitive/regulated work", value: "sensitive" }
+      ]
+    },
+    {
+      type: "list",
+      name: "profile",
+      message: "Security posture:",
+      choices: [
+        {
+          name: "Balanced (recommended) - Block dangerous, allow common dev tools",
+          value: "balanced"
+        },
+        {
+          name: "Strict - Allowlist only, explicit approval for new commands",
+          value: "strict"
+        },
+        {
+          name: "Permissive - Log everything, block only critical threats",
+          value: "permissive"
+        },
+        {
+          name: "Custom - I'll configure manually",
+          value: "custom"
+        }
+      ]
+    },
+    {
+      type: "list",
+      name: "secrets",
+      message: "Protect secrets? (scans for .env, credentials, SSH keys)",
+      choices: [
+        { name: "Yes, block access and warn (recommended)", value: "block" },
+        { name: "Yes, but allow read with audit log", value: "audit" },
+        { name: "No", value: "disabled" }
+      ]
+    },
+    {
+      type: "list",
+      name: "audit",
+      message: "Enable audit logging?",
+      choices: [
+        { name: "Local file (~/.bashbros/audit.log)", value: "local" },
+        { name: "Send to remote (Datadog, Splunk, webhook)", value: "remote" },
+        { name: "Both", value: "both" },
+        { name: "None", value: "disabled" }
+      ]
+    }
+  ];
+  if (bashgymAvailable) {
+    questions.push({
+      type: "list",
+      name: "bashgym",
+      message: "Link to BashGym? (enables self-improving AI sidekick)",
+      choices: [
+        {
+          name: "Yes (recommended) - Export traces for training, get smarter sidekick",
+          value: "link"
+        },
+        {
+          name: "No - Use bashbros standalone",
+          value: "skip"
+        }
+      ]
+    });
+  }
+  const answers = await inquirer.prompt(questions);
+  const config = buildConfig(answers);
+  const configYaml = stringify(config);
+  writeFileSync(".bashbros.yml", configYaml);
+  console.log();
+  console.log(chalk.green("\u2713"), "Config written to", chalk.cyan(".bashbros.yml"));
+  console.log(chalk.green("\u2713"), "PTY wrapper ready");
+  console.log(chalk.green("\u2713"), "Audit logging", answers.audit !== "disabled" ? "enabled" : "disabled");
+  if (answers.bashgym === "link") {
+    const linked = await linkBashgym();
+    if (linked) {
+      console.log(chalk.green("\u2713"), "BashGym integration", chalk.cyan("linked"));
+      console.log(chalk.dim("  Traces will be exported for training"));
+      console.log(chalk.dim("  AI sidekick will improve over time"));
+    } else {
+      console.log(chalk.yellow("\u26A0"), "BashGym integration", chalk.dim("not linked (bashgym not running?)"));
+    }
+  } else if (bashgymAvailable) {
+    console.log(chalk.dim("\u25CB"), "BashGym integration", chalk.dim("skipped"));
+  }
+  console.log();
+  console.log(chalk.dim("Run"), chalk.cyan("'bashbros doctor'"), chalk.dim("to verify setup"));
+  console.log(chalk.dim("Run"), chalk.cyan("'bashbros watch'"), chalk.dim("to start protection"));
+  console.log();
+}
+async function linkBashgym() {
+  try {
+    const integration = getBashgymIntegration();
+    if (!integration.isAvailable()) {
+      const integrationDir = join(homedir(), ".bashgym", "integration");
+      const dirs = [
+        join(integrationDir, "traces", "pending"),
+        join(integrationDir, "traces", "processed"),
+        join(integrationDir, "traces", "failed"),
+        join(integrationDir, "models", "latest"),
+        join(integrationDir, "config"),
+        join(integrationDir, "status")
+      ];
+      for (const dir of dirs) {
+        mkdirSync(dir, { recursive: true });
+      }
+      const settingsPath = join(integrationDir, "config", "settings.json");
+      const settings = {
+        version: "1.0",
+        updated_at: (/* @__PURE__ */ new Date()).toISOString(),
+        updated_by: "bashbros",
+        integration: {
+          enabled: true,
+          linked_at: (/* @__PURE__ */ new Date()).toISOString()
+        },
+        capture: {
+          mode: "successful_only",
+          auto_stream: true
+        },
+        training: {
+          auto_enabled: false,
+          quality_threshold: 50,
+          trigger: "quality_based"
+        },
+        security: {
+          bashbros_primary: true,
+          policy_path: null
+        },
+        model_sync: {
+          auto_export_ollama: true,
+          ollama_model_name: "bashgym-sidekick",
+          notify_on_update: true
+        }
+      };
+      writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+    } else {
+      integration.updateSettings({
+        integration: {
+          enabled: true,
+          linked_at: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+    }
+    return true;
+  } catch (error) {
+    console.error("Failed to link bashgym:", error);
+    return false;
+  }
+}
+function buildConfig(answers) {
+  const defaults = getDefaultConfig();
+  const config = {
+    ...defaults,
+    agent: answers.agent,
+    profile: answers.profile,
+    secrets: {
+      ...defaults.secrets,
+      enabled: answers.secrets !== "disabled",
+      mode: answers.secrets === "audit" ? "audit" : "block"
+    },
+    audit: {
+      ...defaults.audit,
+      enabled: answers.audit !== "disabled",
+      destination: answers.audit === "disabled" ? "local" : answers.audit
+    }
+  };
+  if (answers.projectType === "sensitive") {
+    config.profile = "strict";
+    config.rateLimit.maxPerMinute = 50;
+  }
+  if (answers.projectType === "devops") {
+    config.commands.allow.push("docker *", "kubectl *", "terraform *", "aws *");
+  }
+  if (answers.projectType === "data") {
+    config.commands.allow.push("python *", "jupyter *", "pandas *", "psql *");
+  }
+  return config;
+}
+
+// src/doctor.ts
+import chalk2 from "chalk";
+import { existsSync as existsSync4 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+
+// src/transparency/agent-config.ts
+import { existsSync as existsSync2, statSync } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2, platform } from "os";
+import { execFileSync } from "child_process";
+var AGENT_CONFIG_PATHS = {
+  "claude-code": [
+    join2(homedir2(), ".claude", "settings.json")
+  ],
+  "clawdbot": [
+    join2(homedir2(), ".clawdbot", "moltbot.json"),
+    // New primary (moltbot format)
+    join2(homedir2(), ".clawdbot", "config.yml"),
+    // Legacy
+    join2(homedir2(), ".config", "clawdbot", "config.yml")
+  ],
+  "moltbot": [
+    join2(homedir2(), ".moltbot", "config.json"),
+    join2(homedir2(), ".clawdbot", "moltbot.json"),
+    // Common location
+    join2(homedir2(), ".config", "moltbot", "config.json")
+  ],
+  "aider": [
+    join2(homedir2(), ".aider.conf.yml"),
+    join2(homedir2(), ".config", "aider", "aider.conf.yml")
+  ],
+  "gemini-cli": [
+    join2(homedir2(), ".config", "gemini-cli", "config.json")
+  ],
+  "opencode": [
+    join2(homedir2(), ".opencode", "config.yml"),
+    join2(homedir2(), ".config", "opencode", "config.yml")
+  ],
+  "custom": []
+};
+var AGENT_COMMANDS = {
+  "claude-code": "claude",
+  "clawdbot": "clawdbot",
+  "moltbot": "moltbot",
+  "aider": "aider",
+  "gemini-cli": "gemini",
+  "opencode": "opencode",
+  "custom": ""
+};
+function commandExists(cmd) {
+  if (!cmd) return false;
+  try {
+    const whichCmd = platform() === "win32" ? "where" : "which";
+    execFileSync(whichCmd, [cmd], {
+      stdio: "pipe",
+      timeout: 3e3,
+      windowsHide: true
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getAgentVersion(agent) {
+  const cmd = AGENT_COMMANDS[agent];
+  if (!cmd) return void 0;
+  try {
+    const output = execFileSync(cmd, ["--version"], {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["pipe", "pipe", "pipe"],
+      windowsHide: true
+    }).trim();
+    const match = output.match(/(\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?)/i);
+    return match ? match[1] : output.split("\n")[0].slice(0, 50);
+  } catch {
+    return void 0;
+  }
+}
+function findAgentConfigPath(agent) {
+  const paths = AGENT_CONFIG_PATHS[agent];
+  for (const configPath of paths) {
+    if (existsSync2(configPath)) {
+      return configPath;
+    }
+  }
+  return void 0;
+}
+function getLastModified(filePath) {
+  try {
+    const stats = statSync(filePath);
+    return stats.mtime;
+  } catch {
+    return void 0;
+  }
+}
+async function isBashbrosIntegrated(agent) {
+  if (agent === "claude-code") {
+    const status = ClaudeCodeHooks.getStatus();
+    return status.hooksInstalled;
+  }
+  if (agent === "moltbot" || agent === "clawdbot") {
+    try {
+      const { MoltbotHooks: MoltbotHooks2 } = await import("./moltbot-DXZFVK3X.js");
+      return MoltbotHooks2.isInstalled();
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+async function getAgentConfigInfo(agent) {
+  const cmd = AGENT_COMMANDS[agent];
+  const installed = cmd ? commandExists(cmd) : false;
+  const configPath = findAgentConfigPath(agent);
+  const configExists = configPath ? existsSync2(configPath) : false;
+  const info = {
+    agent,
+    installed,
+    configPath,
+    configExists,
+    bashbrosIntegrated: await isBashbrosIntegrated(agent)
+  };
+  if (installed) {
+    info.version = getAgentVersion(agent);
+  }
+  if (configExists && configPath) {
+    info.lastModified = getLastModified(configPath);
+    const parsed = await parseAgentConfig(agent, configPath);
+    if (parsed) {
+      info.permissions = parsed.permissions;
+      info.hooks = parsed.hooks;
+    }
+  }
+  return info;
+}
+async function getAllAgentConfigs() {
+  const agents = ["claude-code", "moltbot", "clawdbot", "aider", "gemini-cli", "opencode"];
+  const results = [];
+  for (const agent of agents) {
+    const info = await getAgentConfigInfo(agent);
+    results.push(info);
+  }
+  return results;
+}
+
+// src/policy/ward/exposure.ts
+import { exec } from "child_process";
+import { promisify } from "util";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { platform as platform2 } from "os";
+var execAsync = promisify(exec);
+var DEFAULT_AGENT_SIGNATURES = [
+  {
+    name: "claude-code",
+    processNames: ["claude", "claude-code", "claude_code"],
+    defaultPorts: [3e3, 3001, 8080],
+    configPaths: [
+      "~/.claude/config.json",
+      "~/.config/claude/config.json"
+    ],
+    authIndicators: ["api_key", "auth_token", "authorization"]
+  },
+  {
+    name: "aider",
+    processNames: ["aider", "aider-chat"],
+    defaultPorts: [8501, 8e3],
+    configPaths: [
+      "~/.aider.conf.yml",
+      ".aider.conf.yml"
+    ],
+    authIndicators: ["api_key", "openai_api_key"]
+  },
+  {
+    name: "continue",
+    processNames: ["continue", "continue-server"],
+    defaultPorts: [65432, 65433],
+    configPaths: [
+      "~/.continue/config.json",
+      ".continue/config.json"
+    ],
+    authIndicators: ["apiKey", "auth"]
+  },
+  {
+    name: "cursor",
+    processNames: ["cursor", "Cursor", "cursor-server"],
+    defaultPorts: [3e3, 8080, 9e3],
+    configPaths: [
+      "~/.cursor/config.json",
+      "%APPDATA%/Cursor/config.json"
+    ],
+    authIndicators: ["apiKey", "token", "auth"]
+  }
+];
+var DEFAULT_SEVERITY_ACTIONS = {
+  low: "alert",
+  medium: "alert",
+  high: "block",
+  critical: "block_and_kill"
+};
+var ExposureScanner = class {
+  config;
+  agents;
+  constructor(config) {
+    this.agents = [...DEFAULT_AGENT_SIGNATURES];
+    this.config = {
+      enabled: true,
+      scanInterval: 6e4,
+      externalProbe: false,
+      severityActions: { ...DEFAULT_SEVERITY_ACTIONS },
+      agents: this.agents,
+      ...config
+    };
+    if (config?.agents) {
+      for (const agent of config.agents) {
+        if (!this.agents.find((a) => a.name === agent.name)) {
+          this.agents.push(agent);
+        }
+      }
+    }
+  }
+  /**
+   * Scan for exposed agent servers
+   */
+  async scan() {
+    const results = [];
+    const listeningPorts = await this.getListeningPorts();
+    for (const port of listeningPorts) {
+      for (const agent of this.agents) {
+        if (agent.defaultPorts.includes(port.localPort)) {
+          const hasAuth = await this.checkAuthConfig(agent);
+          const externallyReachable = this.isExternallyReachable(port.localAddress);
+          const severity = this.assessSeverity({
+            bindAddress: port.localAddress,
+            hasAuth,
+            externallyReachable,
+            hasActiveSessions: false
+          });
+          const action = this.getActionForSeverity(severity);
+          results.push({
+            agent: agent.name,
+            pid: port.pid,
+            port: port.localPort,
+            bindAddress: port.localAddress,
+            hasAuth,
+            severity,
+            action,
+            message: this.generateMessage(agent.name, port, severity, hasAuth),
+            timestamp: /* @__PURE__ */ new Date()
+          });
+        }
+      }
+    }
+    return results;
+  }
+  /**
+   * Assess severity based on exposure factors
+   */
+  assessSeverity(input) {
+    const { bindAddress, hasAuth, externallyReachable, hasActiveSessions } = input;
+    if (externallyReachable && hasAuth !== true) {
+      return "critical";
+    }
+    if (externallyReachable && hasActiveSessions) {
+      return "critical";
+    }
+    const isWildcardBind = bindAddress === "0.0.0.0" || bindAddress === "::" || bindAddress === "*";
+    if (isWildcardBind && hasAuth !== true) {
+      return "high";
+    }
+    if (isWildcardBind && hasAuth === true) {
+      return "medium";
+    }
+    const isLocalhost = bindAddress === "127.0.0.1" || bindAddress === "::1" || bindAddress === "localhost";
+    if (isLocalhost && hasAuth !== true) {
+      return "medium";
+    }
+    return "low";
+  }
+  /**
+   * Get action for a given severity level
+   */
+  getActionForSeverity(severity) {
+    return this.config.severityActions[severity];
+  }
+  /**
+   * Parse a Windows netstat output line
+   */
+  parseNetstatLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || !trimmed.includes("LISTENING")) {
+      return null;
+    }
+    const parts = trimmed.split(/\s+/);
+    if (parts.length < 5) {
+      return null;
+    }
+    const protocol = parts[0];
+    if (protocol !== "TCP" && protocol !== "UDP") {
+      return null;
+    }
+    const localAddressPart = parts[1];
+    const state = parts[3];
+    const pid = parseInt(parts[4], 10);
+    if (state !== "LISTENING" || isNaN(pid)) {
+      return null;
+    }
+    let localAddress;
+    let localPort;
+    if (localAddressPart.startsWith("[")) {
+      const match = localAddressPart.match(/^\[([^\]]+)\]:(\d+)$/);
+      if (!match) {
+        return null;
+      }
+      localAddress = match[1];
+      localPort = parseInt(match[2], 10);
+    } else {
+      const lastColonIndex = localAddressPart.lastIndexOf(":");
+      if (lastColonIndex === -1) {
+        return null;
+      }
+      localAddress = localAddressPart.substring(0, lastColonIndex);
+      localPort = parseInt(localAddressPart.substring(lastColonIndex + 1), 10);
+    }
+    if (isNaN(localPort)) {
+      return null;
+    }
+    return {
+      protocol,
+      localAddress,
+      localPort,
+      state,
+      pid
+    };
+  }
+  /**
+   * Get all listening TCP ports (cross-platform)
+   */
+  async getListeningPorts() {
+    const results = [];
+    try {
+      if (platform2() === "win32") {
+        const { stdout } = await execAsync("netstat -ano -p TCP");
+        const lines = stdout.split("\n");
+        for (const line of lines) {
+          const parsed = this.parseNetstatLine(line);
+          if (parsed) {
+            results.push(parsed);
+          }
+        }
+      } else {
+        try {
+          const { stdout } = await execAsync("ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null");
+          const lines = stdout.split("\n");
+          for (const line of lines) {
+            const parsed = this.parseUnixListeningLine(line);
+            if (parsed) {
+              results.push(parsed);
+            }
+          }
+        } catch {
+          const { stdout } = await execAsync("lsof -iTCP -sTCP:LISTEN -n -P 2>/dev/null || true");
+          const lines = stdout.split("\n");
+          for (const line of lines) {
+            const parsed = this.parseLsofLine(line);
+            if (parsed) {
+              results.push(parsed);
+            }
+          }
+        }
+      }
+    } catch {
+    }
+    return results;
+  }
+  /**
+   * Parse Unix ss/netstat output line
+   */
+  parseUnixListeningLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("State") || trimmed.startsWith("Proto")) {
+      return null;
+    }
+    const ssMatch = trimmed.match(/LISTEN\s+\d+\s+\d+\s+([^\s]+):(\d+)\s+.*?pid=(\d+)/);
+    if (ssMatch) {
+      return {
+        protocol: "TCP",
+        localAddress: ssMatch[1] === "*" ? "0.0.0.0" : ssMatch[1],
+        localPort: parseInt(ssMatch[2], 10),
+        state: "LISTENING",
+        pid: parseInt(ssMatch[3], 10)
+      };
+    }
+    const netstatMatch = trimmed.match(/tcp\s+\d+\s+\d+\s+([^\s]+):(\d+)\s+.*?LISTEN\s+(\d+)/);
+    if (netstatMatch) {
+      return {
+        protocol: "TCP",
+        localAddress: netstatMatch[1] === "*" ? "0.0.0.0" : netstatMatch[1],
+        localPort: parseInt(netstatMatch[2], 10),
+        state: "LISTENING",
+        pid: parseInt(netstatMatch[3], 10)
+      };
+    }
+    return null;
+  }
+  /**
+   * Parse lsof output line (macOS fallback)
+   */
+  parseLsofLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("COMMAND")) {
+      return null;
+    }
+    const parts = trimmed.split(/\s+/);
+    if (parts.length < 9) {
+      return null;
+    }
+    const pid = parseInt(parts[1], 10);
+    if (isNaN(pid)) {
+      return null;
+    }
+    const tcpIndex = parts.findIndex((p) => p === "TCP" || p === "TCP6");
+    if (tcpIndex === -1) {
+      return null;
+    }
+    const addressPart = parts[tcpIndex + 1];
+    if (!addressPart) {
+      return null;
+    }
+    const match = addressPart.match(/^([^:]+):(\d+)$/);
+    if (!match) {
+      return null;
+    }
+    return {
+      protocol: "TCP",
+      localAddress: match[1] === "*" ? "0.0.0.0" : match[1],
+      localPort: parseInt(match[2], 10),
+      state: "LISTENING",
+      pid
+    };
+  }
+  /**
+   * Check if an agent has auth configured
+   */
+  async checkAuthConfig(agent) {
+    for (const configPath of agent.configPaths) {
+      const expandedPath = this.expandPath(configPath);
+      if (existsSync3(expandedPath)) {
+        try {
+          const content = readFileSync(expandedPath, "utf-8");
+          for (const indicator of agent.authIndicators) {
+            if (content.includes(indicator)) {
+              return true;
+            }
+          }
+          return false;
+        } catch {
+        }
+      }
+    }
+    return "unknown";
+  }
+  /**
+   * Check if an address is externally reachable
+   */
+  isExternallyReachable(bindAddress) {
+    if (bindAddress === "0.0.0.0" || bindAddress === "::" || bindAddress === "*") {
+      return this.config.externalProbe;
+    }
+    if (bindAddress === "127.0.0.1" || bindAddress === "::1" || bindAddress === "localhost") {
+      return false;
+    }
+    if (this.isPrivateIP(bindAddress)) {
+      return this.config.externalProbe;
+    }
+    return true;
+  }
+  /**
+   * Check if an IP is in a private range
+   */
+  isPrivateIP(ip) {
+    if (ip.startsWith("10.")) return true;
+    if (ip.startsWith("172.")) {
+      const second = parseInt(ip.split(".")[1], 10);
+      if (second >= 16 && second <= 31) return true;
+    }
+    if (ip.startsWith("192.168.")) return true;
+    if (ip.toLowerCase().startsWith("fc") || ip.toLowerCase().startsWith("fd")) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Expand path with home directory and environment variables
+   */
+  expandPath(path) {
+    let expanded = path;
+    if (expanded.startsWith("~")) {
+      const home = process.env.HOME || process.env.USERPROFILE || "";
+      expanded = expanded.replace("~", home);
+    }
+    expanded = expanded.replace(/%([^%]+)%/g, (_, name) => process.env[name] || "");
+    expanded = expanded.replace(/\$([A-Za-z_][A-Za-z0-9_]*)/g, (_, name) => process.env[name] || "");
+    return expanded;
+  }
+  /**
+   * Generate human-readable message for an exposure
+   */
+  generateMessage(agentName, port, severity, hasAuth) {
+    const authStatus = hasAuth === true ? "with authentication" : hasAuth === false ? "without authentication" : "authentication status unknown";
+    const bindDesc = port.localAddress === "0.0.0.0" || port.localAddress === "::" ? "all interfaces" : port.localAddress;
+    return `${agentName} server detected on port ${port.localPort} (${bindDesc}) ${authStatus}. Severity: ${severity}`;
+  }
+  /**
+   * Add a custom agent signature
+   */
+  addAgent(agent) {
+    this.agents.push(agent);
+  }
+  /**
+   * Get all configured agent signatures
+   */
+  getAgents() {
+    return [...this.agents];
+  }
+};
+
+// src/policy/ward/patterns.ts
+var DEFAULT_PATTERNS = [
+  // Credential patterns
+  {
+    name: "api_key",
+    regex: `(?:api[_-]?key|apikey)[\\s]*[=:][\\s]*["']?([a-zA-Z0-9_\\-]{20,})["']?`,
+    severity: "high",
+    action: "block",
+    category: "credentials",
+    description: "Generic API key pattern"
+  },
+  {
+    name: "aws_secret",
+    regex: `(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)[\\s]*[=:][\\s]*["']?([a-zA-Z0-9/+=]{40})["']?`,
+    severity: "critical",
+    action: "block",
+    category: "credentials",
+    description: "AWS Secret Access Key"
+  },
+  {
+    name: "private_key",
+    regex: "-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+    severity: "critical",
+    action: "block",
+    category: "credentials",
+    description: "Private key header"
+  },
+  {
+    name: "github_token",
+    regex: "(?:gh[pousr]_[a-zA-Z0-9]{36,}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})",
+    severity: "critical",
+    action: "block",
+    category: "credentials",
+    description: "GitHub personal access token"
+  },
+  {
+    name: "openai_key",
+    regex: "sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}",
+    severity: "critical",
+    action: "block",
+    category: "credentials",
+    description: "OpenAI API key"
+  },
+  {
+    name: "jwt_token",
+    regex: "eyJ[a-zA-Z0-9_-]*\\.eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*",
+    severity: "high",
+    action: "alert",
+    category: "credentials",
+    description: "JSON Web Token"
+  },
+  // PII patterns
+  {
+    name: "ssn",
+    regex: "\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b",
+    severity: "critical",
+    action: "block",
+    category: "pii",
+    description: "US Social Security Number"
+  },
+  {
+    name: "credit_card",
+    regex: "\\b(?:4[0-9]{3}|5[1-5][0-9]{2}|6(?:011|5[0-9]{2})|3[47][0-9]{2})[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\\b",
+    severity: "critical",
+    action: "block",
+    category: "pii",
+    description: "Credit card number (Visa, MasterCard, Amex, Discover)"
+  },
+  {
+    name: "email",
+    regex: "\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b",
+    severity: "low",
+    action: "log",
+    category: "pii",
+    description: "Email address"
+  },
+  {
+    name: "phone_us",
+    regex: "\\b(?:\\+1[- ]?)?(?:\\([0-9]{3}\\)|[0-9]{3})[- ]?[0-9]{3}[- ]?[0-9]{4}\\b",
+    severity: "medium",
+    action: "alert",
+    category: "pii",
+    description: "US phone number"
+  }
+];
+var SEVERITY_ORDER = {
+  low: 1,
+  medium: 2,
+  high: 3,
+  critical: 4
+};
+var EgressPatternMatcher = class {
+  patterns;
+  compiledPatterns;
+  constructor(customPatterns) {
+    this.patterns = [...DEFAULT_PATTERNS];
+    this.compiledPatterns = /* @__PURE__ */ new Map();
+    if (customPatterns) {
+      for (const pattern of customPatterns) {
+        this.patterns.push(pattern);
+      }
+    }
+    this.compilePatterns();
+  }
+  /**
+   * Compile regex patterns for efficient matching
+   */
+  compilePatterns() {
+    for (const pattern of this.patterns) {
+      if (!this.compiledPatterns.has(pattern.name)) {
+        try {
+          this.compiledPatterns.set(pattern.name, new RegExp(pattern.regex, "gi"));
+        } catch {
+          console.warn(`Invalid regex for pattern ${pattern.name}: ${pattern.regex}`);
+        }
+      }
+    }
+  }
+  /**
+   * Find all pattern matches in text
+   */
+  match(text) {
+    const matches = [];
+    for (const pattern of this.patterns) {
+      const regex = this.compiledPatterns.get(pattern.name);
+      if (!regex) continue;
+      regex.lastIndex = 0;
+      let match;
+      while ((match = regex.exec(text)) !== null) {
+        matches.push({
+          pattern,
+          matchedText: match[0],
+          index: match.index
+        });
+      }
+    }
+    return matches;
+  }
+  /**
+   * Check if any blocking patterns match the text
+   */
+  shouldBlock(text) {
+    const matches = this.match(text);
+    return matches.some((m) => m.pattern.action === "block");
+  }
+  /**
+   * Get the highest severity level from all matches
+   */
+  getHighestSeverity(text) {
+    const matches = this.match(text);
+    if (matches.length === 0) return null;
+    let highest = "low";
+    for (const m of matches) {
+      if (SEVERITY_ORDER[m.pattern.severity] > SEVERITY_ORDER[highest]) {
+        highest = m.pattern.severity;
+      }
+    }
+    return highest;
+  }
+  /**
+   * Redact sensitive data from text
+   */
+  redact(text) {
+    const matches = this.match(text);
+    const redactions = [];
+    let redacted = text;
+    const sortedMatches = [...matches].sort((a, b) => b.index - a.index);
+    for (const m of sortedMatches) {
+      const replacement = `[REDACTED:${m.pattern.name}]`;
+      let redactionType;
+      if (m.pattern.name === "api_key" || m.pattern.name === "aws_secret" || m.pattern.name === "private_key" || m.pattern.name === "github_token" || m.pattern.name === "openai_key" || m.pattern.name === "jwt_token") {
+        redactionType = "api_key";
+      } else if (m.pattern.name === "email") {
+        redactionType = "email";
+      } else if (m.pattern.name === "phone_us") {
+        redactionType = "phone";
+      } else if (m.pattern.name === "ssn") {
+        redactionType = "ssn";
+      } else if (m.pattern.name === "credit_card") {
+        redactionType = "credit_card";
+      } else {
+        redactionType = "custom";
+      }
+      redactions.push({
+        type: redactionType,
+        replacement
+      });
+      redacted = redacted.substring(0, m.index) + replacement + redacted.substring(m.index + m.matchedText.length);
+    }
+    return {
+      original: text,
+      redacted,
+      redactions: redactions.reverse()
+      // Return in original order
+    };
+  }
+  /**
+   * Add a custom pattern
+   */
+  addPattern(pattern) {
+    this.patterns.push(pattern);
+    try {
+      this.compiledPatterns.set(pattern.name, new RegExp(pattern.regex, "gi"));
+    } catch {
+      console.warn(`Invalid regex for pattern ${pattern.name}: ${pattern.regex}`);
+    }
+  }
+  /**
+   * Get all configured patterns
+   */
+  getPatterns() {
+    return [...this.patterns];
+  }
+  /**
+   * Test helper - returns matches, shouldBlock, and redacted result
+   */
+  test(text) {
+    return {
+      matches: this.match(text),
+      shouldBlock: this.shouldBlock(text),
+      redacted: this.redact(text)
+    };
+  }
+};
+
+// src/policy/ward/egress.ts
+var DashboardDB2 = null;
+try {
+  const dbModule = await import("./db-EHQDB5OL.js");
+  DashboardDB2 = dbModule.DashboardDB;
+} catch {
+}
+var DEFAULT_EGRESS_CONFIG = {
+  enabled: true,
+  defaultAction: "block",
+  allowlist: []
+};
+var EgressMonitor = class {
+  config;
+  matcher;
+  db = null;
+  allowlist;
+  constructor(config) {
+    this.config = { ...DEFAULT_EGRESS_CONFIG, ...config };
+    this.matcher = new EgressPatternMatcher();
+    this.allowlist = [...this.config.allowlist];
+    if (DashboardDB2) {
+      try {
+        this.db = new DashboardDB2();
+      } catch {
+      }
+    }
+  }
+  /**
+   * Inspect content for sensitive data
+   *
+   * @param content - The content to inspect
+   * @param connector - Optional connector name for allowlist checking
+   * @param destination - Optional destination for allowlist checking
+   * @returns Inspection result with blocking decision and matches
+   */
+  inspect(content, connector, destination) {
+    if (this.isAllowlisted(connector, destination)) {
+      return {
+        blocked: false,
+        allowlisted: true,
+        matches: [],
+        redacted: content
+      };
+    }
+    const allMatches = this.matcher.match(content);
+    const effectiveMatches = allMatches.filter((match) => {
+      return !this.isPatternAllowlisted(match.pattern.name, connector, destination);
+    });
+    const shouldBlock = effectiveMatches.some((m) => m.pattern.action === "block");
+    let redacted = content;
+    if (effectiveMatches.length > 0) {
+      const sortedMatches = [...effectiveMatches].sort((a, b) => b.index - a.index);
+      for (const m of sortedMatches) {
+        const replacement = `[REDACTED:${m.pattern.name}]`;
+        redacted = redacted.substring(0, m.index) + replacement + redacted.substring(m.index + m.matchedText.length);
+      }
+    }
+    const wasAllowlisted = allMatches.length > 0 && effectiveMatches.length === 0;
+    const result = {
+      blocked: shouldBlock,
+      allowlisted: wasAllowlisted,
+      matches: effectiveMatches,
+      redacted
+    };
+    if (shouldBlock && this.db) {
+      try {
+        for (const match of effectiveMatches.filter((m) => m.pattern.action === "block")) {
+          const blockId = this.db.insertEgressBlock({
+            pattern: match.pattern,
+            matchedText: match.matchedText.substring(0, 100),
+            // Truncate for safety
+            redactedText: redacted,
+            connector,
+            destination
+          });
+          result.blockId = blockId;
+        }
+        this.db.insertEvent({
+          source: "ward",
+          level: "warn",
+          category: "egress",
+          message: `Blocked egress: ${effectiveMatches.map((m) => m.pattern.name).join(", ")}`,
+          data: {
+            connector,
+            destination,
+            patternNames: effectiveMatches.map((m) => m.pattern.name)
+          }
+        });
+      } catch {
+      }
+    }
+    return result;
+  }
+  /**
+   * Check if connector/destination combination is fully allowlisted
+   */
+  isAllowlisted(connector, destination) {
+    return this.allowlist.some((entry) => {
+      if (entry.pattern) return false;
+      if (entry.connector && entry.destination) {
+        return entry.connector === connector && entry.destination === destination;
+      }
+      if (entry.connector) {
+        return entry.connector === connector;
+      }
+      if (entry.destination) {
+        return entry.destination === destination;
+      }
+      return false;
+    });
+  }
+  /**
+   * Check if a specific pattern is allowlisted for the connector/destination
+   */
+  isPatternAllowlisted(patternName, connector, destination) {
+    return this.allowlist.some((entry) => {
+      if (!entry.pattern || entry.pattern !== patternName) return false;
+      if (entry.connector && entry.destination) {
+        return entry.connector === connector && entry.destination === destination;
+      }
+      if (entry.connector) {
+        return entry.connector === connector;
+      }
+      if (entry.destination) {
+        return entry.destination === destination;
+      }
+      return true;
+    });
+  }
+  /**
+   * Add an allowlist entry
+   */
+  addAllowlistEntry(entry) {
+    this.allowlist.push(entry);
+  }
+  /**
+   * Add a custom pattern
+   */
+  addPattern(pattern) {
+    this.matcher.addPattern(pattern);
+  }
+  /**
+   * Get pending blocks from database
+   */
+  getPendingBlocks() {
+    if (!this.db) return [];
+    try {
+      return this.db.getPendingBlocks();
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Approve a pending block
+   */
+  approveBlock(id, approvedBy) {
+    if (!this.db) return;
+    try {
+      this.db.approveBlock(id, approvedBy ?? "system");
+    } catch {
+    }
+  }
+  /**
+   * Deny a pending block
+   */
+  denyBlock(id) {
+    if (!this.db) return;
+    try {
+      this.db.denyBlock(id, "system");
+    } catch {
+    }
+  }
+  /**
+   * Test content without recording to database
+   * Useful for CLI testing of patterns
+   */
+  test(content) {
+    const matches = this.matcher.match(content);
+    const shouldBlock = matches.some((m) => m.pattern.action === "block");
+    let redacted = content;
+    if (matches.length > 0) {
+      const sortedMatches = [...matches].sort((a, b) => b.index - a.index);
+      for (const m of sortedMatches) {
+        const replacement = `[REDACTED:${m.pattern.name}]`;
+        redacted = redacted.substring(0, m.index) + replacement + redacted.substring(m.index + m.matchedText.length);
+      }
+    }
+    return {
+      blocked: shouldBlock,
+      matches,
+      redacted
+    };
+  }
+};
+
+// src/doctor.ts
+async function checkAgentConfigs(agents) {
+  const checks = [];
+  for (const agent of agents) {
+    const agentName = agent.agent.charAt(0).toUpperCase() + agent.agent.slice(1).replace("-", " ");
+    if (agent.configPath && !agent.configExists) {
+      checks.push({
+        name: `${agentName} config`,
+        passed: false,
+        message: `Config path known (${agent.configPath}) but file not found`
+      });
+    } else if (agent.configExists) {
+      checks.push({
+        name: `${agentName} config`,
+        passed: true,
+        message: `Found at ${agent.configPath}`
+      });
+    }
+    if (agent.agent === "claude-code") {
+      checks.push({
+        name: `${agentName} integration`,
+        passed: agent.bashbrosIntegrated,
+        message: agent.bashbrosIntegrated ? "BashBros hooks installed" : 'Hooks not installed. Run "bashbros hook install" to protect Claude Code'
+      });
+    }
+    if (agent.agent === "moltbot" || agent.agent === "clawdbot") {
+      checks.push({
+        name: `${agentName} integration`,
+        passed: agent.bashbrosIntegrated,
+        message: agent.bashbrosIntegrated ? "BashBros hooks installed" : 'Hooks not installed. Run "bashbros moltbot install" to protect moltbot'
+      });
+      try {
+        const { MoltbotHooks: MoltbotHooks2 } = await import("./moltbot-DXZFVK3X.js");
+        const status = MoltbotHooks2.getStatus();
+        if (status.sandboxMode) {
+          checks.push({
+            name: `${agentName} sandbox`,
+            passed: status.sandboxMode === "strict",
+            message: status.sandboxMode === "strict" ? "Sandbox mode enabled (strict)" : `Sandbox mode: ${status.sandboxMode} (consider "strict" for better security)`
+          });
+        }
+        if (status.gatewayRunning) {
+          const gatewayStatus = await MoltbotHooks2.getGatewayStatus();
+          checks.push({
+            name: `${agentName} gateway`,
+            passed: gatewayStatus.running,
+            message: gatewayStatus.running ? `Gateway running on port ${gatewayStatus.port}` : "Gateway configured but not running"
+          });
+        }
+      } catch {
+      }
+    }
+    if (agent.permissions) {
+      const config = loadConfig();
+      if ((!agent.permissions.allowedPaths || agent.permissions.allowedPaths.length === 0) && config.paths.allow.length > 0 && !config.paths.allow.includes("*")) {
+        checks.push({
+          name: `${agentName} path policy`,
+          passed: true,
+          // Not a failure, just a note
+          message: `Agent has no path restrictions; bashbros will enforce: ${config.paths.allow.slice(0, 3).join(", ")}`
+        });
+      }
+    }
+  }
+  return checks;
+}
+async function runDoctor() {
+  console.log(chalk2.bold("\nRunning diagnostics...\n"));
+  const checks = [];
+  const configPath = findConfig();
+  checks.push({
+    name: "Config file",
+    passed: configPath !== null,
+    message: configPath ? `Found at ${configPath}` : 'Not found. Run "bashbros init" to create one.'
+  });
+  if (configPath) {
+    try {
+      const config = loadConfig(configPath);
+      checks.push({
+        name: "Config valid",
+        passed: true,
+        message: `Profile: ${config.profile}, Agent: ${config.agent}`
+      });
+    } catch (error) {
+      checks.push({
+        name: "Config valid",
+        passed: false,
+        message: `Parse error: ${error}`
+      });
+    }
+  }
+  const auditDir = join3(homedir3(), ".bashbros");
+  checks.push({
+    name: "Audit directory",
+    passed: existsSync4(auditDir),
+    message: existsSync4(auditDir) ? `Found at ${auditDir}` : "Will be created on first run"
+  });
+  try {
+    await import("node-pty");
+    checks.push({
+      name: "PTY support",
+      passed: true,
+      message: "node-pty loaded successfully"
+    });
+  } catch (error) {
+    checks.push({
+      name: "PTY support",
+      passed: false,
+      message: 'node-pty not available. Run "npm install" to install dependencies.'
+    });
+  }
+  if (configPath) {
+    const config = loadConfig(configPath);
+    const secretsEnabled = config.secrets.enabled;
+    checks.push({
+      name: "Secrets protection",
+      passed: secretsEnabled,
+      message: secretsEnabled ? `Enabled with ${config.secrets.patterns.length} patterns` : "Disabled - credentials may be exposed"
+    });
+  }
+  if (configPath) {
+    const config = loadConfig(configPath);
+    checks.push({
+      name: "Rate limiting",
+      passed: config.rateLimit.enabled,
+      message: config.rateLimit.enabled ? `${config.rateLimit.maxPerMinute}/min, ${config.rateLimit.maxPerHour}/hr` : "Disabled - runaway agents possible"
+    });
+  }
+  const agents = await getAllAgentConfigs();
+  const installedAgents = agents.filter((a) => a.installed);
+  if (installedAgents.length > 0) {
+    const agentChecks = await checkAgentConfigs(installedAgents);
+    checks.push(...agentChecks);
+  } else {
+    checks.push({
+      name: "Agent detection",
+      passed: true,
+      message: "No agents detected (install claude, aider, etc. to use bashbros protection)"
+    });
+  }
+  if (configPath) {
+    const config = loadConfig(configPath);
+    const wardEnabled = config.ward?.enabled ?? false;
+    checks.push({
+      name: "Ward security",
+      passed: wardEnabled,
+      message: wardEnabled ? `Enabled (exposure scan: ${config.ward.exposure.scanInterval}ms)` : "Disabled - network exposure monitoring off"
+    });
+  }
+  if (configPath) {
+    const config = loadConfig(configPath);
+    const dashEnabled = config.dashboard?.enabled ?? false;
+    checks.push({
+      name: "Dashboard",
+      passed: dashEnabled,
+      message: dashEnabled ? `Enabled on ${config.dashboard.bind}:${config.dashboard.port}` : 'Disabled - run "bashbros dashboard" to start'
+    });
+  }
+  try {
+    const scanner = new ExposureScanner();
+    const agentSignatures = scanner.getAgents();
+    checks.push({
+      name: "Exposure scanner",
+      passed: true,
+      message: `Ready, monitoring ${agentSignatures.length} agent signatures`
+    });
+  } catch {
+    checks.push({
+      name: "Exposure scanner",
+      passed: false,
+      message: "Failed to initialize exposure scanner"
+    });
+  }
+  try {
+    const matcher = new EgressPatternMatcher();
+    const patterns = matcher.getPatterns();
+    const credPatterns = patterns.filter((p) => p.category === "credentials").length;
+    const piiPatterns = patterns.filter((p) => p.category === "pii").length;
+    checks.push({
+      name: "Egress patterns",
+      passed: true,
+      message: `Loaded ${patterns.length} patterns (${credPatterns} credential, ${piiPatterns} PII)`
+    });
+  } catch {
+    checks.push({
+      name: "Egress patterns",
+      passed: false,
+      message: "Failed to initialize egress patterns"
+    });
+  }
+  let passed = 0;
+  let failed = 0;
+  for (const check of checks) {
+    const icon = check.passed ? chalk2.green("\u2713") : chalk2.red("\u2717");
+    const status = check.passed ? chalk2.green("OK") : chalk2.red("FAIL");
+    console.log(`  ${icon} ${chalk2.bold(check.name)}: ${status}`);
+    console.log(chalk2.dim(`    ${check.message}`));
+    console.log();
+    if (check.passed) passed++;
+    else failed++;
+  }
+  console.log(chalk2.bold("\u2500".repeat(40)));
+  if (failed === 0) {
+    console.log(chalk2.green(`
+\u2713 All ${passed} checks passed. BashBros is ready.
+`));
+  } else {
+    console.log(chalk2.yellow(`
+${passed} passed, ${failed} failed. Fix issues above.
+`));
+  }
+}
+
+// src/watch.ts
+import chalk3 from "chalk";
+async function startWatch(options) {
+  const configPath = findConfig();
+  if (!configPath) {
+    console.log(chalk3.red('No config found. Run "bashbros init" first.'));
+    process.exit(1);
+  }
+  console.log(chalk3.dim(`  "I watch your agent's back so you don't have to."`));
+  console.log();
+  console.log(chalk3.green("\u2713"), "Protection active");
+  console.log(chalk3.dim(`  Config: ${configPath}`));
+  console.log(chalk3.dim("  Press Ctrl+C to stop"));
+  console.log();
+  const bashbros = new BashBros(configPath);
+  bashbros.on("blocked", (command, violations) => {
+    console.log();
+    console.log(chalk3.red("\u{1F6E1}\uFE0F  BashBros blocked a command"));
+    console.log();
+    console.log(chalk3.dim("  Command:"), command);
+    console.log(chalk3.dim("  Reason:"), violations[0].message);
+    console.log(chalk3.dim("  Policy:"), violations[0].rule);
+    console.log();
+    console.log(chalk3.dim("  To allow this command:"));
+    console.log(chalk3.cyan(`    bashbros allow "${command}" --once`));
+    console.log(chalk3.cyan(`    bashbros allow "${command}" --persist`));
+    console.log();
+  });
+  bashbros.on("allowed", (result) => {
+    if (options.verbose) {
+      console.log(chalk3.green("\u2713"), chalk3.dim(result.command));
+    }
+  });
+  bashbros.on("output", (data) => {
+    process.stdout.write(data);
+  });
+  bashbros.on("error", (error) => {
+    console.error(chalk3.red("Error:"), error.message);
+  });
+  process.on("SIGINT", () => {
+    console.log();
+    console.log(chalk3.yellow("Stopping BashBros..."));
+    bashbros.stop();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    bashbros.stop();
+    process.exit(0);
+  });
+  bashbros.start();
+  await new Promise(() => {
+  });
+}
+
+// src/allow.ts
+import chalk4 from "chalk";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { parse, stringify as stringify2 } from "yaml";
+async function handleAllow(command, options) {
+  if (options.once) {
+    allowForSession(command);
+    console.log(chalk4.green("\u2713"), `Allowed for this session: ${command}`);
+    console.log(chalk4.dim("  This will reset when BashBros restarts."));
+    return;
+  }
+  if (options.persist) {
+    const configPath = findConfig();
+    if (!configPath) {
+      console.log(chalk4.red('No config found. Run "bashbros init" first.'));
+      process.exit(1);
+    }
+    try {
+      const content = readFileSync2(configPath, "utf-8");
+      const config = parse(content);
+      if (!config.commands) {
+        config.commands = { allow: [], block: [] };
+      }
+      if (!config.commands.allow) {
+        config.commands.allow = [];
+      }
+      if (!config.commands.allow.includes(command)) {
+        config.commands.allow.push(command);
+        writeFileSync2(configPath, stringify2(config));
+        console.log(chalk4.green("\u2713"), `Added to allowlist: ${command}`);
+        console.log(chalk4.dim(`  Updated ${configPath}`));
+      } else {
+        console.log(chalk4.yellow("Already in allowlist:"), command);
+      }
+    } catch (error) {
+      console.error(chalk4.red("Failed to update config:"), error);
+      process.exit(1);
+    }
+    return;
+  }
+  console.log(chalk4.yellow("Specify how to allow this command:"));
+  console.log();
+  console.log(chalk4.cyan(`  bashbros allow "${command}" --once`));
+  console.log(chalk4.dim("    Allow for current session only"));
+  console.log();
+  console.log(chalk4.cyan(`  bashbros allow "${command}" --persist`));
+  console.log(chalk4.dim("    Add to config file permanently"));
+}
+
+// src/dashboard/server.ts
+import express from "express";
+import { WebSocketServer } from "ws";
+import { createServer } from "http";
+import { fileURLToPath } from "url";
+import { dirname, join as join4 } from "path";
+var DashboardServer = class {
+  app;
+  server = null;
+  wss = null;
+  db;
+  port;
+  bind;
+  clients = /* @__PURE__ */ new Set();
+  constructor(config = {}) {
+    this.port = config.port ?? 17800;
+    this.bind = config.bind ?? "127.0.0.1";
+    this.db = new DashboardDB(config.dbPath ?? ":memory:");
+    this.app = express();
+    this.setupMiddleware();
+    this.setupRoutes();
+  }
+  setupMiddleware() {
+    this.app.use(express.json());
+    this.app.use((_req, res, next) => {
+      res.header("Access-Control-Allow-Origin", "*");
+      res.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+      res.header("Access-Control-Allow-Headers", "Content-Type");
+      next();
+    });
+  }
+  setupRoutes() {
+    this.app.get("/api/health", (_req, res) => {
+      res.json({ status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() });
+    });
+    this.app.get("/api/stats", (_req, res) => {
+      try {
+        const stats = this.db.getStats();
+        res.json(stats);
+      } catch (error) {
+        res.status(500).json({ error: "Failed to fetch stats" });
+      }
+    });
+    this.app.get("/api/events", (req, res) => {
+      try {
+        const filter = {};
+        if (req.query.source) filter.source = req.query.source;
+        if (req.query.level) filter.level = req.query.level;
+        if (req.query.category) filter.category = req.query.category;
+        if (req.query.limit) filter.limit = parseInt(req.query.limit, 10);
+        if (req.query.offset) filter.offset = parseInt(req.query.offset, 10);
+        if (req.query.since) filter.since = new Date(req.query.since);
+        const events = this.db.getEvents(filter);
+        res.json(events);
+      } catch (error) {
+        res.status(500).json({ error: "Failed to fetch events" });
+      }
+    });
+    this.app.get("/api/connectors", (_req, res) => {
+      try {
+        const events = this.db.getAllConnectorEvents(1e3);
+        const connectors = [...new Set(events.map((e) => e.connector))];
+        res.json(connectors);
+      } catch (error) {
+        res.status(500).json({ error: "Failed to fetch connectors" });
+      }
+    });
+    this.app.get("/api/connectors/:name/events", (req, res) => {
+      try {
+        const limit = req.query.limit ? parseInt(req.query.limit, 10) : 100;
+        const events = this.db.getConnectorEvents(req.params.name, limit);
+        res.json(events);
+      } catch (error) {
+        res.status(500).json({ error: "Failed to fetch connector events" });
+      }
+    });
+    this.app.get("/api/blocked", (_req, res) => {
+      try {
+        const blocks = this.db.getPendingBlocks();
+        res.json(blocks);
+      } catch (error) {
+        res.status(500).json({ error: "Failed to fetch blocked items" });
+      }
+    });
+    this.app.post("/api/blocked/:id/approve", (req, res) => {
+      try {
+        const { id } = req.params;
+        const approvedBy = req.body?.approvedBy ?? "dashboard-user";
+        const block = this.db.getBlock(id);
+        if (!block) {
+          res.status(404).json({ error: "Block not found" });
+          return;
+        }
+        this.db.approveBlock(id, approvedBy);
+        this.broadcast({ type: "block-approved", id });
+        res.json({ success: true });
+      } catch (error) {
+        res.status(500).json({ error: "Failed to approve block" });
+      }
+    });
+    this.app.post("/api/blocked/:id/deny", (req, res) => {
+      try {
+        const { id } = req.params;
+        const deniedBy = req.body?.deniedBy ?? "dashboard-user";
+        const block = this.db.getBlock(id);
+        if (!block) {
+          res.status(404).json({ error: "Block not found" });
+          return;
+        }
+        this.db.denyBlock(id, deniedBy);
+        this.broadcast({ type: "block-denied", id });
+        res.json({ success: true });
+      } catch (error) {
+        res.status(500).json({ error: "Failed to deny block" });
+      }
+    });
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    const staticPath = join4(__dirname, "static");
+    this.app.use(express.static(staticPath));
+    this.app.get("/{*path}", (_req, res) => {
+      res.sendFile(join4(staticPath, "index.html"));
+    });
+  }
+  setupWebSocket() {
+    if (!this.server) return;
+    this.wss = new WebSocketServer({ server: this.server });
+    this.wss.on("connection", (ws) => {
+      this.clients.add(ws);
+      ws.on("close", () => {
+        this.clients.delete(ws);
+      });
+      ws.on("error", () => {
+        this.clients.delete(ws);
+      });
+      try {
+        const stats = this.db.getStats();
+        ws.send(JSON.stringify({ type: "stats", data: stats }));
+      } catch {
+      }
+    });
+  }
+  /**
+   * Start the dashboard server
+   */
+  async start() {
+    return new Promise((resolve, reject) => {
+      this.server = createServer(this.app);
+      this.setupWebSocket();
+      this.server.on("error", (error) => {
+        if (error.code === "EADDRINUSE") {
+          reject(new Error(`Port ${this.port} is already in use`));
+        } else {
+          reject(error);
+        }
+      });
+      this.server.listen(this.port, this.bind, () => {
+        resolve();
+      });
+    });
+  }
+  /**
+   * Stop the dashboard server
+   */
+  async stop() {
+    return new Promise((resolve) => {
+      for (const client of this.clients) {
+        client.close();
+      }
+      this.clients.clear();
+      if (this.wss) {
+        this.wss.close();
+        this.wss = null;
+      }
+      if (this.server) {
+        this.server.close(() => {
+          this.server = null;
+          this.db.close();
+          resolve();
+        });
+      } else {
+        this.db.close();
+        resolve();
+      }
+    });
+  }
+  /**
+   * Broadcast a message to all connected WebSocket clients
+   */
+  broadcast(message) {
+    const data = JSON.stringify(message);
+    for (const client of this.clients) {
+      if (client.readyState === 1) {
+        client.send(data);
+      }
+    }
+  }
+  /**
+   * Get the database instance for external use
+   */
+  getDB() {
+    return this.db;
+  }
+  /**
+   * Get the port the server is running on
+   */
+  getPort() {
+    return this.port;
+  }
+};
+
+// src/cli.ts
+var metricsCollector = null;
+var costEstimator = null;
+var loopDetector = null;
+var undoStack = null;
+var logo = `
+  \u2571BashBros \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+  \u{1F91D} Your Friendly Bash Agent Helper
+`;
+var program = new Command();
+program.name("bashbros").description("The Bash Agent Helper").version("0.1.0");
+program.command("init").description("Set up BashBros for your project").action(async () => {
+  console.log(chalk5.cyan(logo));
+  await runOnboarding();
+});
+program.command("watch").description("Start protecting your agent").option("-v, --verbose", "Show all commands as they run").action(async (options) => {
+  console.log(chalk5.cyan(logo));
+  await startWatch(options);
+});
+program.command("doctor").description("Check your BashBros configuration").action(async () => {
+  console.log(chalk5.cyan(logo));
+  await runDoctor();
+});
+program.command("allow <command>").description("Allow a specific command").option("--once", "Allow only for current session").option("--persist", "Add to config permanently").action(async (command, options) => {
+  await handleAllow(command, options);
+});
+program.command("audit").description("View recent command history").option("-n, --lines <number>", "Number of lines to show", "50").option("--violations", "Show only blocked commands").action(async (options) => {
+  const { viewAudit } = await import("./audit-MCFNGOIM.js");
+  await viewAudit(options);
+});
+program.command("scan").description("Scan your system and project environment").option("-p, --project <path>", "Project path to scan", ".").action(async (options) => {
+  console.log(chalk5.cyan(logo));
+  console.log(chalk5.dim("  Scanning your environment...\n"));
+  const bro = new BashBro();
+  await bro.initialize();
+  if (options.project) {
+    bro.scanProject(options.project);
+  }
+  console.log(bro.getSystemContext());
+  console.log();
+  console.log(chalk5.bold("\n## Agent Configurations\n"));
+  const { formatAgentSummary } = await import("./display-IN4NRJJS.js");
+  const agents = await getAllAgentConfigs();
+  console.log(formatAgentSummary(agents));
+  console.log();
+  console.log(chalk5.green("\u2713"), "System profile saved to ~/.bashbros/system-profile.json");
+});
+program.command("status").alias("bro").description("Show Bash Bro status and system info").action(async () => {
+  console.log(chalk5.cyan(logo));
+  const bro = new BashBro();
+  await bro.initialize();
+  console.log(bro.status());
+});
+program.command("suggest").description("Get command suggestions based on context").option("-c, --command <cmd>", "Last command for context").option("-e, --error <msg>", "Last error message").action(async (options) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  const suggestions = bro.suggest({
+    lastCommand: options.command,
+    lastError: options.error,
+    cwd: process.cwd()
+  });
+  if (suggestions.length === 0) {
+    console.log(chalk5.dim("No suggestions available."));
+    return;
+  }
+  console.log(chalk5.bold("\u{1F91D} Bash Bro suggests:\n"));
+  for (const s of suggestions) {
+    const confidence = Math.round(s.confidence * 100);
+    console.log(`  ${chalk5.cyan(s.command)}`);
+    console.log(chalk5.dim(`    ${s.description} (${confidence}% confidence)`));
+    console.log();
+  }
+});
+program.command("route <command>").description("Check how a command would be routed").action(async (command) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  const result = bro.route(command);
+  const icon = result.decision === "bro" ? "\u{1F91D}" : result.decision === "main" ? "\u{1F916}" : "\u26A1";
+  const label = result.decision === "bro" ? "Bash Bro" : result.decision === "main" ? "Main Agent" : "Both (parallel)";
+  console.log();
+  console.log(`${icon} Route: ${chalk5.bold(label)}`);
+  console.log(chalk5.dim(`   Reason: ${result.reason}`));
+  console.log(chalk5.dim(`   Confidence: ${Math.round(result.confidence * 100)}%`));
+  console.log();
+});
+program.command("run <command>").description("Run a command through Bash Bro").option("-b, --background", "Run in background").action(async (command, options) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (options.background) {
+    const task = bro.runBackground(command);
+    console.log(chalk5.green("\u2713"), `Started background task: ${task.id}`);
+    console.log(chalk5.dim(`  Command: ${command}`));
+    console.log(chalk5.dim(`  Run 'bashbros tasks' to check status`));
+  } else {
+    console.log(chalk5.dim(`\u{1F91D} Bash Bro executing: ${command}
+`));
+    const output = await bro.execute(command);
+    console.log(output);
+  }
+});
+program.command("tasks").description("List background tasks").option("-a, --all", "Show all tasks (not just running)").action(async (options) => {
+  const bro = new BashBro();
+  const tasks = options.all ? bro.getBackgroundTasks() : bro.getBackgroundTasks().filter((t) => t.status === "running");
+  if (tasks.length === 0) {
+    console.log(chalk5.dim("No background tasks."));
+    return;
+  }
+  console.log(chalk5.bold("\u{1F91D} Background Tasks:\n"));
+  for (const task of tasks) {
+    const elapsed = Math.round((Date.now() - task.startTime.getTime()) / 1e3);
+    const statusIcon = task.status === "running" ? "\u23F3" : task.status === "completed" ? "\u2713" : task.status === "failed" ? "\u2717" : "\u25CB";
+    console.log(`  ${statusIcon} [${task.id}] ${task.command}`);
+    console.log(chalk5.dim(`    Status: ${task.status}, Elapsed: ${elapsed}s`));
+    console.log();
+  }
+});
+program.command("explain <command>").description("Ask Bash Bro to explain a command").action(async (command) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is thinking...\n"));
+  const explanation = await bro.aiExplain(command);
+  console.log(explanation);
+});
+program.command("fix <command>").description("Ask Bash Bro to fix a failed command").option("-e, --error <message>", "Error message from the failed command").action(async (command, options) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  const error = options.error || "Command failed";
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is analyzing...\n"));
+  const fixed = await bro.aiFix(command, error);
+  if (fixed) {
+    console.log(chalk5.green("Suggested fix:"));
+    console.log(chalk5.cyan(`  ${fixed}`));
+  } else {
+    console.log(chalk5.yellow("Could not suggest a fix."));
+  }
+});
+program.command("ai <prompt>").description("Ask Bash Bro anything").action(async (prompt) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is thinking...\n"));
+  const suggestion = await bro.aiSuggest(prompt);
+  if (suggestion) {
+    console.log(chalk5.cyan(suggestion));
+  } else {
+    console.log(chalk5.dim("No suggestion available."));
+  }
+});
+program.command("script <description>").description("Generate a shell script from description").option("-o, --output <file>", "Save script to file").action(async (description, options) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is generating script...\n"));
+  const script = await bro.aiGenerateScript(description);
+  if (script) {
+    console.log(chalk5.cyan(script));
+    if (options.output) {
+      const { writeFileSync: writeFileSync3 } = await import("fs");
+      writeFileSync3(options.output, script, { mode: 493 });
+      console.log(chalk5.green(`
+\u2713 Saved to ${options.output}`));
+    }
+  } else {
+    console.log(chalk5.yellow("Could not generate script."));
+  }
+});
+program.command("safety <command>").description("Analyze a command for security risks").action(async (command) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is analyzing...\n"));
+  const analysis = await bro.aiAnalyzeSafety(command);
+  const riskColors = {
+    low: chalk5.green,
+    medium: chalk5.yellow,
+    high: chalk5.red,
+    critical: chalk5.bgRed.white
+  };
+  const icon = analysis.safe ? "\u2713" : "\u26A0";
+  const color = riskColors[analysis.risk];
+  console.log(`${icon} Risk Level: ${color(analysis.risk.toUpperCase())}`);
+  console.log();
+  console.log(chalk5.bold("Explanation:"));
+  console.log(`  ${analysis.explanation}`);
+  if (analysis.suggestions.length > 0) {
+    console.log();
+    console.log(chalk5.bold("Suggestions:"));
+    for (const suggestion of analysis.suggestions) {
+      console.log(`  \u2022 ${suggestion}`);
+    }
+  }
+});
+program.command("help-ai <topic>").alias("h").description("Get AI help for a command or topic").action(async (topic) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is looking that up...\n"));
+  const help = await bro.aiHelp(topic);
+  console.log(help);
+});
+program.command("do <description>").description("Convert natural language to a command").option("-x, --execute", "Execute the command after showing it").action(async (description, options) => {
+  const bro = new BashBro();
+  await bro.initialize();
+  if (!bro.isOllamaAvailable()) {
+    console.log(chalk5.yellow("Ollama not available. Start Ollama to use AI features."));
+    return;
+  }
+  console.log(chalk5.dim("\u{1F91D} Bash Bro is translating...\n"));
+  const command = await bro.aiToCommand(description);
+  if (command) {
+    console.log(chalk5.bold("Command:"));
+    console.log(chalk5.cyan(`  $ ${command}`));
+    if (options.execute) {
+      console.log();
+      console.log(chalk5.dim("Executing..."));
+      const output = await bro.execute(command);
+      console.log(output);
+    }
+  } else {
+    console.log(chalk5.yellow("Could not translate to a command."));
+  }
+});
+program.command("models").description("List available Ollama models").action(async () => {
+  console.log(chalk5.cyan(logo));
+  const { OllamaClient } = await import("./ollama-HY35OHW4.js");
+  const ollama = new OllamaClient();
+  const available = await ollama.isAvailable();
+  if (!available) {
+    console.log(chalk5.yellow("Ollama not running. Start Ollama to see available models."));
+    return;
+  }
+  const models = await ollama.listModels();
+  if (models.length === 0) {
+    console.log(chalk5.dim("No models installed. Run: ollama pull qwen2.5-coder:7b"));
+    return;
+  }
+  console.log(chalk5.bold("\u{1F91D} Available Models:\n"));
+  for (const model of models) {
+    const current = model === ollama.getModel() ? chalk5.green(" (current)") : "";
+    console.log(`  \u2022 ${model}${current}`);
+  }
+});
+var hookCmd = program.command("hook").description("Manage Claude Code hook integration");
+hookCmd.command("install").description("Install BashBros hooks into Claude Code").action(() => {
+  const result = ClaudeCodeHooks.install();
+  if (result.success) {
+    console.log(chalk5.green("\u2713"), result.message);
+  } else {
+    console.log(chalk5.red("\u2717"), result.message);
+    process.exit(1);
+  }
+});
+hookCmd.command("uninstall").description("Remove BashBros hooks from Claude Code").action(() => {
+  const result = ClaudeCodeHooks.uninstall();
+  if (result.success) {
+    console.log(chalk5.green("\u2713"), result.message);
+  } else {
+    console.log(chalk5.red("\u2717"), result.message);
+    process.exit(1);
+  }
+});
+hookCmd.command("status").description("Check Claude Code hook status").action(() => {
+  const status = ClaudeCodeHooks.getStatus();
+  console.log();
+  console.log(chalk5.bold("Claude Code Integration Status"));
+  console.log();
+  console.log(`  Claude Code: ${status.claudeInstalled ? chalk5.green("installed") : chalk5.yellow("not found")}`);
+  console.log(`  BashBros hooks: ${status.hooksInstalled ? chalk5.green("active") : chalk5.dim("not installed")}`);
+  if (status.hooks.length > 0) {
+    console.log(`  Active hooks: ${status.hooks.join(", ")}`);
+  }
+  console.log();
+});
+var moltbotCmd = program.command("moltbot").alias("clawdbot").description("Manage Moltbot/Clawdbot integration");
+moltbotCmd.command("install").description("Install BashBros hooks into Moltbot").action(() => {
+  const result = MoltbotHooks.install();
+  if (result.success) {
+    console.log(chalk5.green("\u2713"), result.message);
+  } else {
+    console.log(chalk5.red("\u2717"), result.message);
+    process.exit(1);
+  }
+});
+moltbotCmd.command("uninstall").description("Remove BashBros hooks from Moltbot").action(() => {
+  const result = MoltbotHooks.uninstall();
+  if (result.success) {
+    console.log(chalk5.green("\u2713"), result.message);
+  } else {
+    console.log(chalk5.red("\u2717"), result.message);
+    process.exit(1);
+  }
+});
+moltbotCmd.command("status").description("Check Moltbot integration status").action(async () => {
+  const status = MoltbotHooks.getStatus();
+  console.log();
+  console.log(chalk5.bold("Moltbot Integration Status"));
+  console.log();
+  if (status.moltbotInstalled) {
+    console.log(`  Moltbot:       ${chalk5.green("installed")}`);
+  } else if (status.clawdbotInstalled) {
+    console.log(`  Clawdbot:      ${chalk5.green("installed")} ${chalk5.dim("(legacy)")}`);
+  } else {
+    console.log(`  Moltbot:       ${chalk5.yellow("not found")}`);
+  }
+  if (status.configPath) {
+    console.log(`  Config:        ${chalk5.green(status.configPath)}`);
+  } else {
+    console.log(`  Config:        ${chalk5.dim("not found")}`);
+  }
+  console.log(`  BashBros hooks: ${status.hooksInstalled ? chalk5.green("active") : chalk5.dim("not installed")}`);
+  if (status.hooks.length > 0) {
+    console.log(`  Active hooks:  ${status.hooks.join(", ")}`);
+  }
+  if (status.sandboxMode) {
+    const sandboxColor = status.sandboxMode === "strict" ? chalk5.green : chalk5.yellow;
+    console.log(`  Sandbox mode:  ${sandboxColor(status.sandboxMode)}`);
+  }
+  console.log();
+});
+moltbotCmd.command("gateway").description("Check Moltbot gateway status").action(async () => {
+  console.log();
+  console.log(chalk5.bold("Moltbot Gateway Status"));
+  console.log();
+  const gatewayStatus = await MoltbotHooks.getGatewayStatus();
+  if (gatewayStatus.running) {
+    console.log(`  Status:     ${chalk5.green("running")}`);
+    console.log(`  Host:       ${gatewayStatus.host}`);
+    console.log(`  Port:       ${gatewayStatus.port}`);
+    console.log(`  Sandbox:    ${gatewayStatus.sandboxMode ? chalk5.green("enabled") : chalk5.yellow("disabled")}`);
+  } else {
+    console.log(`  Status:     ${chalk5.yellow("not running")}`);
+    console.log(`  Expected:   ${gatewayStatus.host}:${gatewayStatus.port}`);
+    if (gatewayStatus.error) {
+      console.log(`  Error:      ${chalk5.dim(gatewayStatus.error)}`);
+    }
+  }
+  console.log();
+});
+moltbotCmd.command("audit").description("Run Moltbot security audit").option("--json", "Output as JSON").action(async (options) => {
+  console.log(chalk5.dim("Running security audit...\n"));
+  const result = await MoltbotHooks.runSecurityAudit();
+  if (options.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+  const statusIcon = result.passed ? chalk5.green("\u2713") : chalk5.red("\u2717");
+  const statusText = result.passed ? chalk5.green("PASSED") : chalk5.red("FAILED");
+  console.log(`${statusIcon} Security Audit: ${statusText}`);
+  console.log();
+  if (result.findings.length === 0) {
+    console.log(chalk5.dim("  No findings."));
+  } else {
+    const severityColors = {
+      critical: chalk5.bgRed.white,
+      warning: chalk5.yellow,
+      info: chalk5.dim
+    };
+    for (const finding of result.findings) {
+      const color = severityColors[finding.severity] || chalk5.white;
+      console.log(`  ${color(`[${finding.severity.toUpperCase()}]`)} ${finding.message}`);
+      console.log(chalk5.dim(`    Category: ${finding.category}`));
+      if (finding.recommendation) {
+        console.log(chalk5.dim(`    Fix: ${finding.recommendation}`));
+      }
+      console.log();
+    }
+  }
+  console.log(chalk5.dim(`Audit completed at ${result.timestamp.toLocaleString()}`));
+  console.log();
+});
+program.command("agent-info [agent]").description("Show detailed info about installed agents and their configurations").option("-r, --raw", "Show raw (redacted) config contents").action(async (agent, options) => {
+  console.log(chalk5.cyan(logo));
+  if (agent) {
+    const validAgents = ["claude-code", "moltbot", "clawdbot", "aider", "gemini-cli", "opencode"];
+    if (!validAgents.includes(agent)) {
+      console.log(chalk5.red(`Unknown agent: ${agent}`));
+      console.log(chalk5.dim(`Valid agents: ${validAgents.join(", ")}`));
+      return;
+    }
+    const info = await getAgentConfigInfo(agent);
+    const { formatAgentInfo: formatAgentInfo2 } = await import("./display-IN4NRJJS.js");
+    console.log();
+    console.log(formatAgentInfo2(info));
+    if (options.raw && info.configExists && info.configPath) {
+      const { parseAgentConfig: parseAgentConfig2 } = await import("./config-parser-XHE7BC7H.js");
+      const parsed = await parseAgentConfig2(agent, info.configPath);
+      if (parsed?.rawRedacted) {
+        console.log();
+        console.log(chalk5.bold("Configuration (sensitive data redacted):"));
+        console.log(formatRedactedConfig(parsed.rawRedacted));
+      }
+    }
+  } else {
+    const agents = await getAllAgentConfigs();
+    console.log();
+    console.log(formatAllAgentsInfo(agents));
+  }
+  console.log();
+});
+program.command("permissions").description("Show combined permissions view across bashbros and agents").action(async () => {
+  console.log(chalk5.cyan(logo));
+  const agents = await getAllAgentConfigs();
+  const installed = agents.filter((a) => a.installed);
+  if (installed.length === 0) {
+    console.log(chalk5.yellow("No agents installed to compare permissions with."));
+    console.log(chalk5.dim("Install an agent (claude, aider, etc.) to see combined permissions."));
+    return;
+  }
+  console.log();
+  console.log(formatPermissionsTable(agents));
+  console.log();
+});
+program.command("gate <command>").description("Check if a command should be allowed (used by hooks)").action(async (command) => {
+  const result = await gateCommand(command);
+  if (!result.allowed) {
+    console.error(`BLOCKED: ${result.reason}`);
+    process.exit(2);
+  }
+  process.exit(0);
+});
+program.command("record <command>").description("Record a command execution (used by hooks)").option("-o, --output <output>", "Command output").option("-e, --exit-code <code>", "Exit code", "0").action(async (command, options) => {
+  if (!metricsCollector) metricsCollector = new MetricsCollector();
+  if (!costEstimator) costEstimator = new CostEstimator();
+  if (!loopDetector) loopDetector = new LoopDetector();
+  if (!undoStack) undoStack = new UndoStack();
+  const scorer = new RiskScorer();
+  const risk = scorer.score(command);
+  metricsCollector.record({
+    command,
+    timestamp: /* @__PURE__ */ new Date(),
+    duration: 0,
+    // Not available in hook
+    allowed: true,
+    riskScore: risk,
+    violations: [],
+    exitCode: parseInt(options.exitCode) || 0
+  });
+  costEstimator.recordToolCall(command, options.output || "");
+  const loopAlert = loopDetector.check(command);
+  if (loopAlert) {
+    console.error(chalk5.yellow(`\u26A0 Loop detected: ${loopAlert.message}`));
+  }
+  const paths = command.match(/(?:^|\s)(\.\/|\.\.\/|\/|~\/)[^\s]+/g) || [];
+  const cleanPaths = paths.map((p) => p.trim());
+  if (cleanPaths.length > 0) {
+    undoStack.recordFromCommand(command, cleanPaths);
+  }
+});
+program.command("session-end").description("Generate session report (used by hooks)").option("-f, --format <format>", "Output format (text, markdown, json)", "text").action((options) => {
+  if (!metricsCollector) {
+    console.log(chalk5.dim("No session data to report."));
+    return;
+  }
+  const metrics = metricsCollector.getMetrics();
+  const cost = costEstimator?.getEstimate();
+  const report = ReportGenerator.generate(metrics, cost, { format: options.format });
+  console.log();
+  console.log(report);
+  console.log();
+});
+program.command("report").description("Generate a session report").option("-f, --format <format>", "Output format (text, markdown, json)", "text").option("--no-cost", "Hide cost estimate").option("--no-risk", "Hide risk distribution").action((options) => {
+  if (!metricsCollector) {
+    console.log(chalk5.dim("No session data. Run some commands first."));
+    return;
+  }
+  const metrics = metricsCollector.getMetrics();
+  const cost = options.cost ? costEstimator?.getEstimate() : void 0;
+  const report = ReportGenerator.generate(metrics, cost, {
+    format: options.format,
+    showCost: options.cost,
+    showRisk: options.risk
+  });
+  console.log();
+  console.log(report);
+  console.log();
+});
+program.command("risk <command>").description("Score a command for security risk").action((command) => {
+  const scorer = new RiskScorer();
+  const result = scorer.score(command);
+  const colors = {
+    safe: chalk5.green,
+    caution: chalk5.yellow,
+    dangerous: chalk5.red,
+    critical: chalk5.bgRed.white
+  };
+  const color = colors[result.level];
+  console.log();
+  console.log(`  Risk Score: ${color(`${result.score}/10`)} (${color(result.level.toUpperCase())})`);
+  console.log();
+  console.log(chalk5.bold("  Factors:"));
+  for (const factor of result.factors) {
+    console.log(`    \u2022 ${factor}`);
+  }
+  console.log();
+});
+var undoCmd = program.command("undo").description("Undo file operations");
+undoCmd.command("last").alias("pop").description("Undo the last file operation").action(() => {
+  if (!undoStack) {
+    console.log(chalk5.dim("No operations to undo."));
+    return;
+  }
+  const result = undoStack.undo();
+  if (result.success) {
+    console.log(chalk5.green("\u2713"), result.message);
+  } else {
+    console.log(chalk5.red("\u2717"), result.message);
+  }
+});
+undoCmd.command("all").description("Undo all file operations in session").action(() => {
+  if (!undoStack || undoStack.size() === 0) {
+    console.log(chalk5.dim("No operations to undo."));
+    return;
+  }
+  const results = undoStack.undoAll();
+  let success = 0, failed = 0;
+  for (const result of results) {
+    if (result.success) {
+      console.log(chalk5.green("\u2713"), result.message);
+      success++;
+    } else {
+      console.log(chalk5.red("\u2717"), result.message);
+      failed++;
+    }
+  }
+  console.log();
+  console.log(`Undone: ${success} successful, ${failed} failed`);
+});
+undoCmd.command("list").description("Show undo stack").action(() => {
+  if (!undoStack) {
+    undoStack = new UndoStack();
+  }
+  console.log();
+  console.log(undoStack.formatStack());
+  console.log();
+});
+var dashboardServer = null;
+program.command("dashboard").description("Start the BashBros dashboard").option("-p, --port <port>", "Port to run on", "7890").option("-b, --bind <address>", "Address to bind to", "127.0.0.1").action(async (options) => {
+  console.log(chalk5.cyan(logo));
+  console.log(chalk5.dim("  Starting dashboard...\n"));
+  dashboardServer = new DashboardServer({
+    port: parseInt(options.port),
+    bind: options.bind
+  });
+  await dashboardServer.start();
+  console.log(chalk5.green("\u2713"), `Dashboard running at http://${options.bind}:${options.port}`);
+  console.log(chalk5.dim("  Press Ctrl+C to stop"));
+  process.on("SIGINT", async () => {
+    console.log(chalk5.dim("\n  Stopping dashboard..."));
+    await dashboardServer?.stop();
+    process.exit(0);
+  });
+});
+var wardCmd = program.command("ward").description("Network and connector security");
+wardCmd.command("status").description("Show ward security status").action(async () => {
+  console.log(chalk5.cyan(logo));
+  console.log(chalk5.bold("Ward Security Status\n"));
+  const scanner = new ExposureScanner();
+  const results = await scanner.scan();
+  if (results.length === 0) {
+    console.log(chalk5.green("\u2713"), "No exposed agent servers detected");
+  } else {
+    console.log(chalk5.yellow("\u26A0"), `Found ${results.length} exposure(s):
+`);
+    for (const r of results) {
+      const color = r.severity === "critical" ? chalk5.bgRed.white : r.severity === "high" ? chalk5.red : r.severity === "medium" ? chalk5.yellow : chalk5.dim;
+      console.log(`  ${color(r.severity.toUpperCase().padEnd(8))} ${r.message}`);
+    }
+  }
+  console.log();
+});
+wardCmd.command("scan").description("Run exposure scan").action(async () => {
+  console.log(chalk5.cyan(logo));
+  console.log(chalk5.dim("  Scanning for exposed agent servers...\n"));
+  const scanner = new ExposureScanner();
+  const results = await scanner.scan();
+  if (results.length === 0) {
+    console.log(chalk5.green("\u2713"), "No exposed agent servers detected");
+  } else {
+    for (const r of results) {
+      const icon = r.severity === "critical" ? "\u{1F6A8}" : r.severity === "high" ? "\u26A0\uFE0F" : r.severity === "medium" ? "\u26A1" : "\u2139\uFE0F";
+      console.log(`${icon} ${r.agent}`);
+      console.log(chalk5.dim(`   Port: ${r.port}`));
+      console.log(chalk5.dim(`   Bind: ${r.bindAddress}`));
+      console.log(chalk5.dim(`   Auth: ${r.hasAuth}`));
+      console.log(chalk5.dim(`   Severity: ${r.severity}`));
+      console.log(chalk5.dim(`   Action: ${r.action}`));
+      console.log();
+    }
+  }
+});
+var exposureCmd = wardCmd.command("exposure").description("Exposure scanner commands");
+exposureCmd.command("list").description("List monitored agents").action(() => {
+  const scanner = new ExposureScanner();
+  const agents = scanner.getAgents();
+  console.log(chalk5.bold("\nMonitored Agent Signatures:\n"));
+  for (const agent of agents) {
+    console.log(`  ${chalk5.cyan(agent.name)}`);
+    console.log(chalk5.dim(`    Processes: ${agent.processNames.join(", ")}`));
+    console.log(chalk5.dim(`    Ports: ${agent.defaultPorts.join(", ")}`));
+    console.log();
+  }
+});
+exposureCmd.command("scan").description("Run immediate exposure scan").action(async () => {
+  const scanner = new ExposureScanner();
+  const results = await scanner.scan();
+  console.log(chalk5.bold("\nExposure Scan Results:\n"));
+  if (results.length === 0) {
+    console.log(chalk5.green("  \u2713 No exposures detected"));
+  } else {
+    for (const r of results) {
+      const color = r.severity === "critical" ? chalk5.bgRed.white : r.severity === "high" ? chalk5.red : r.severity === "medium" ? chalk5.yellow : chalk5.green;
+      console.log(`  ${color(r.severity.toUpperCase().padEnd(10))} ${r.message}`);
+    }
+  }
+  console.log();
+});
+wardCmd.command("blocked").description("Show pending blocked egress items").action(() => {
+  const monitor = new EgressMonitor();
+  const pending = monitor.getPendingBlocks();
+  console.log(chalk5.bold("\nPending Egress Blocks:\n"));
+  if (pending.length === 0) {
+    console.log(chalk5.dim("  No pending blocks"));
+  } else {
+    for (const block of pending) {
+      const severityColor = block.pattern.severity === "critical" ? chalk5.bgRed.white : block.pattern.severity === "high" ? chalk5.red : block.pattern.severity === "medium" ? chalk5.yellow : chalk5.dim;
+      console.log(`  ${chalk5.cyan(block.id)} ${severityColor(block.pattern.severity.toUpperCase())}`);
+      console.log(chalk5.dim(`    Pattern: ${block.pattern.name} (${block.pattern.category})`));
+      console.log(chalk5.dim(`    Matched: ${block.matchedText.substring(0, 50)}${block.matchedText.length > 50 ? "..." : ""}`));
+      if (block.connector) console.log(chalk5.dim(`    Connector: ${block.connector}`));
+      if (block.destination) console.log(chalk5.dim(`    Destination: ${block.destination}`));
+      console.log();
+    }
+    console.log(chalk5.dim(`  Use 'bashbros ward approve <id>' or 'bashbros ward deny <id>' to resolve`));
+  }
+  console.log();
+});
+wardCmd.command("approve <id>").description("Approve a blocked egress item").option("--by <name>", "Name of approver", "user").action((id, options) => {
+  const monitor = new EgressMonitor();
+  monitor.approveBlock(id, options.by);
+  console.log(chalk5.green("\u2713"), `Approved block ${id}`);
+});
+wardCmd.command("deny <id>").description("Deny a blocked egress item").action((id) => {
+  const monitor = new EgressMonitor();
+  monitor.denyBlock(id);
+  console.log(chalk5.green("\u2713"), `Denied block ${id}`);
+});
+var patternsCmd = wardCmd.command("patterns").description("Egress pattern detection commands");
+patternsCmd.command("list").description("List active detection patterns").option("--category <cat>", "Filter by category (credentials, pii)").action((options) => {
+  const matcher = new EgressPatternMatcher();
+  let patterns = matcher.getPatterns();
+  if (options.category) {
+    patterns = patterns.filter((p) => p.category === options.category);
+  }
+  console.log(chalk5.bold("\nActive Egress Patterns:\n"));
+  const byCategory = {};
+  for (const p of patterns) {
+    const cat = p.category;
+    if (!byCategory[cat]) byCategory[cat] = [];
+    byCategory[cat].push(p);
+  }
+  for (const [category, categoryPatterns] of Object.entries(byCategory)) {
+    console.log(chalk5.cyan(`  ${category.toUpperCase()}`));
+    for (const p of categoryPatterns) {
+      const severityColor = p.severity === "critical" ? chalk5.red : p.severity === "high" ? chalk5.yellow : p.severity === "medium" ? chalk5.blue : chalk5.dim;
+      const actionColor = p.action === "block" ? chalk5.red : p.action === "alert" ? chalk5.yellow : chalk5.dim;
+      console.log(`    ${chalk5.bold(p.name.padEnd(16))} ${severityColor(p.severity.padEnd(10))} ${actionColor(p.action.padEnd(6))} ${p.description}`);
+    }
+    console.log();
+  }
+});
+patternsCmd.command("test <text>").description("Test if text matches any detection pattern").action((text) => {
+  const monitor = new EgressMonitor();
+  const result = monitor.test(text);
+  console.log(chalk5.bold("\nPattern Test Results:\n"));
+  if (result.matches.length === 0) {
+    console.log(chalk5.green("  \u2713 No patterns matched"));
+  } else {
+    console.log(`  ${result.blocked ? chalk5.red("WOULD BLOCK") : chalk5.yellow("WOULD ALERT")}`);
+    console.log();
+    console.log(chalk5.bold("  Matches:"));
+    for (const m of result.matches) {
+      const severityColor = m.pattern.severity === "critical" ? chalk5.red : m.pattern.severity === "high" ? chalk5.yellow : m.pattern.severity === "medium" ? chalk5.blue : chalk5.dim;
+      console.log(`    ${chalk5.cyan(m.pattern.name)} ${severityColor(`[${m.pattern.severity}]`)} - "${m.matchedText.substring(0, 30)}${m.matchedText.length > 30 ? "..." : ""}"`);
+    }
+    console.log();
+    console.log(chalk5.bold("  Redacted output:"));
+    console.log(chalk5.dim(`    ${result.redacted.substring(0, 100)}${result.redacted.length > 100 ? "..." : ""}`));
+  }
+  console.log();
+});
+program.parse();
+//# sourceMappingURL=cli.js.map