codebot-ai 1.8.0 → 2.0.0

package/README.md

@@ -4,7 +4,7 @@
 [![license](https://img.shields.io/npm/l/codebot-ai.svg)](https://github.com/zanderone1980/codebot-ai/blob/main/LICENSE)
 [![node](https://img.shields.io/node/v/codebot-ai.svg)](https://nodejs.org)
 
-**Zero-dependency autonomous AI agent.** Works with any LLM — local or cloud. Code, browse the web, run commands, search, automate routines, and more.
+**Zero-dependency autonomous AI coding agent with enterprise security.** Works with any LLM — local or cloud. Code, browse the web, run commands, search, automate routines, and more. Includes VS Code extension, GitHub Action, policy engine, risk scoring, and hash-chained audit trail.
 
 Built by [Ascendral Software Development & Innovation](https://github.com/AscendralSoftware).
 
@@ -22,6 +22,27 @@ That's it. The setup wizard launches on first run — pick your model, paste an
 npx codebot-ai
 ```
 
+### VS Code Extension
+
+Install from the VS Code Marketplace: search for **CodeBot AI**, or:
+
+```bash
+code --install-extension codebot-ai-vscode-2.0.0.vsix
+```
+
+Features: sidebar chat panel, inline diff preview, status bar (tokens, cost, risk level), and full theme integration.
+
+### GitHub Action
+
+```yaml
+- uses: zanderone1980/codebot-ai/actions/codebot@v2
+  with:
+    task: review    # or: fix, scan
+    api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+Tasks: `review` (PR code review), `fix` (auto-fix CI failures), `scan` (security scan with SARIF upload).
+
 ## What Can It Do?
 
 - **Write & edit code** — reads your codebase, makes targeted edits, runs tests
@@ -101,6 +122,8 @@ echo "explain this error" | codebot            # Pipe mode
 /usage      Show token usage for this session
 /clear      Clear conversation
 /compact    Force context compaction
+/metrics    Show session metrics (token counts, latency, costs)
+/risk       Show risk assessment history
 /config     Show configuration
 /quit       Exit
 ```
@@ -217,16 +240,31 @@ Connect external tool servers via [Model Context Protocol](https://modelcontextp
 
 MCP tools appear automatically with the `mcp_<server>_<tool>` prefix.
 
+## Security
+
+CodeBot v2.0.0 is built with security as a core architectural principle:
+
+- **Policy engine** — declarative JSON policies control tool access, filesystem scope, and execution limits
+- **Risk scoring** — every tool call receives a 0-100 risk score based on 6 weighted factors
+- **Secret detection** — scans for AWS keys, GitHub tokens, JWTs, private keys before writing
+- **Sandbox execution** — Docker-based sandboxing with network, CPU, and memory limits
+- **Audit trail** — hash-chained JSONL log with `--verify-audit` integrity check
+- **SARIF export** — `--export-audit sarif` for GitHub Code Scanning integration
+- **SSRF protection** — blocks localhost, private IPs, cloud metadata endpoints
+- **Path safety** — blocks writes to system directories, detects path traversal
+
+See [SECURITY.md](SECURITY.md) and [docs/HARDENING.md](docs/HARDENING.md) for the full security model.
+
 ## Stability
 
-CodeBot v1.3.0 is hardened for continuous operation:
+CodeBot is hardened for continuous operation:
 
 - **Automatic retry** — network errors, rate limits (429), and server errors (5xx) retry with exponential backoff
 - **Stream recovery** — if the LLM connection drops mid-response, the agent loop retries on the next iteration
 - **Context compaction** — when the conversation exceeds the model's context window, messages are intelligently summarized
 - **Process resilience** — unhandled exceptions and rejections are caught, logged, and the REPL keeps running
 - **Routine timeouts** — scheduled tasks are capped at 5 minutes to prevent the scheduler from hanging
-- **99 tests** — comprehensive suite covering error recovery, retry logic, tool execution, and edge cases
+- **483 tests** — comprehensive suite covering core agent, security, extension, and action
 
 ## Programmatic API
 
@@ -245,6 +283,7 @@ const agent = new Agent({
   provider,
   model: 'claude-sonnet-4-6',
   autoApprove: true,
+  projectRoot: '/path/to/project', // optional, defaults to cwd
 });
 
 for await (const event of agent.run('list all TypeScript files')) {

package/dist/agent.d.ts

@@ -2,6 +2,8 @@ import { Message, AgentEvent, LLMProvider } from './types';
 import { AuditLogger } from './audit';
 import { PolicyEnforcer } from './policy';
 import { TokenTracker } from './telemetry';
+import { MetricsCollector } from './metrics';
+import { RiskScorer } from './risk';
 export declare class Agent {
     private provider;
     private tools;
@@ -15,6 +17,9 @@ export declare class Agent {
     private auditLogger;
     private policyEnforcer;
     private tokenTracker;
+    private metricsCollector;
+    private riskScorer;
+    private projectRoot;
     private branchCreated;
     private askPermission;
     private onMessage?;
@@ -24,6 +29,7 @@ export declare class Agent {
         providerName?: string;
         maxIterations?: number;
         autoApprove?: boolean;
+        projectRoot?: string;
         askPermission?: (tool: string, args: Record<string, unknown>) => Promise<boolean>;
         onMessage?: (message: Message) => void;
     });
@@ -44,6 +50,10 @@ export declare class Agent {
     getPolicyEnforcer(): PolicyEnforcer;
     /** Get the audit logger for verification */
     getAuditLogger(): AuditLogger;
+    /** Get the metrics collector for session metrics */
+    getMetrics(): MetricsCollector;
+    /** Get the risk scorer for risk assessment history */
+    getRiskScorer(): RiskScorer;
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:

package/dist/agent.js

@@ -48,6 +48,8 @@ const rate_limiter_1 = require("./rate-limiter");
 const audit_1 = require("./audit");
 const policy_1 = require("./policy");
 const telemetry_1 = require("./telemetry");
+const metrics_1 = require("./metrics");
+const risk_1 = require("./risk");
 /** Lightweight schema validation — returns error string or null if valid */
 function validateToolArgs(args, schema) {
     const props = schema.properties;
@@ -104,15 +106,19 @@ class Agent {
     auditLogger;
     policyEnforcer;
     tokenTracker;
+    metricsCollector;
+    riskScorer;
+    projectRoot;
     branchCreated = false;
     askPermission;
     onMessage;
     constructor(opts) {
         this.provider = opts.provider;
         this.model = opts.model;
+        this.projectRoot = opts.projectRoot || process.cwd();
         // Load policy FIRST — tools need it for filesystem/git enforcement
-        this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(process.cwd()), process.cwd());
-        this.tools = new tools_1.ToolRegistry(process.cwd(), this.policyEnforcer);
+        this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(this.projectRoot), this.projectRoot);
+        this.tools = new tools_1.ToolRegistry(this.projectRoot, this.policyEnforcer);
         this.context = new manager_1.ContextManager(opts.model, opts.provider);
         // Use policy-defined max iterations as default, CLI overrides
         this.maxIterations = opts.maxIterations || this.policyEnforcer.getMaxIterations();
@@ -124,12 +130,14 @@ class Agent {
         this.auditLogger = new audit_1.AuditLogger();
         // Token & cost tracking
         this.tokenTracker = new telemetry_1.TokenTracker(opts.model, opts.providerName || 'unknown');
+        this.metricsCollector = new metrics_1.MetricsCollector();
+        this.riskScorer = new risk_1.RiskScorer();
         const costLimit = this.policyEnforcer.getCostLimitUsd();
         if (costLimit > 0)
             this.tokenTracker.setCostLimit(costLimit);
         // Load plugins
         try {
-            const plugins = (0, plugins_1.loadPlugins)(process.cwd());
+            const plugins = (0, plugins_1.loadPlugins)(this.projectRoot);
             for (const plugin of plugins) {
                 this.tools.register(plugin);
             }
@@ -196,6 +204,9 @@ class Agent {
                             // Track tokens and cost
                             if (event.usage) {
                                 this.tokenTracker.recordUsage(event.usage.inputTokens || 0, event.usage.outputTokens || 0);
+                                this.metricsCollector.increment('llm_requests_total');
+                                this.metricsCollector.increment('llm_tokens_total', { direction: 'input' }, event.usage.inputTokens || 0);
+                                this.metricsCollector.increment('llm_tokens_total', { direction: 'output' }, event.usage.outputTokens || 0);
                             }
                             yield { type: 'usage', usage: event.usage };
                             break;
@@ -282,10 +293,17 @@ class Agent {
                     prepared.push({ tc, tool, args, denied: false, error: `Error: ${validationError} for ${toolName}` });
                     continue;
                 }
-                yield { type: 'tool_call', toolCall: { name: toolName, args } };
-                // Permission check: policy override > tool default
+                // Compute risk score before execution
                 const policyPermission = this.policyEnforcer.getToolPermission(toolName);
                 const effectivePermission = policyPermission || tool.permission;
+                const riskAssessment = this.riskScorer.assess(toolName, args, effectivePermission);
+                yield { type: 'tool_call', toolCall: { name: toolName, args }, risk: { score: riskAssessment.score, level: riskAssessment.level } };
+                // Log risk breakdown for high-risk calls
+                if (riskAssessment.score > 50) {
+                    const breakdown = riskAssessment.factors.map(f => `${f.name}=${f.rawScore}`).join(', ');
+                    this.auditLogger.log({ tool: toolName, action: 'execute', args, result: `risk:${riskAssessment.score}`, reason: breakdown });
+                }
+                // Permission check: policy override > tool default
                 const needsPermission = effectivePermission === 'always-ask' ||
                     (effectivePermission === 'prompt' && !this.autoApprove);
                 let denied = false;
@@ -294,6 +312,7 @@ class Agent {
                     if (!approved) {
                         denied = true;
                         this.auditLogger.log({ tool: toolName, action: 'deny', args, reason: 'User denied permission' });
+                        this.metricsCollector.increment('permission_denials_total', { tool: toolName });
                     }
                 }
                 prepared.push({ tc, tool, args, denied });
@@ -324,9 +343,10 @@ class Agent {
                     parallelBatch.push(item);
                 }
             }
-            // Helper to execute a single tool with cache + rate limiting
+            // Helper to execute a single tool with cache + rate limiting + metrics
             const executeTool = async (prep) => {
                 const toolName = prep.tc.function.name;
+                const toolStartTime = Date.now();
                 // Auto-branch on first write/edit when always_branch is enabled (v1.8.0)
                 if (toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') {
                     const branchName = await this.ensureBranch();
@@ -338,6 +358,7 @@ class Agent {
                 const capBlock = this.checkToolCapabilities(toolName, prep.args);
                 if (capBlock) {
                     this.auditLogger.log({ tool: toolName, action: 'capability_block', args: prep.args, reason: capBlock });
+                    this.metricsCollector.increment('security_blocks_total', { tool: toolName, type: 'capability' });
                     return { content: `Error: ${capBlock}`, is_error: true };
                 }
                 // Check cache first
@@ -345,19 +366,30 @@ class Agent {
                     const cacheKey = cache_1.ToolCache.key(toolName, prep.args);
                     const cached = this.cache.get(cacheKey);
                     if (cached !== null) {
+                        this.metricsCollector.increment('cache_hits_total', { tool: toolName });
                         return { content: cached };
                     }
+                    this.metricsCollector.increment('cache_misses_total', { tool: toolName });
                 }
                 // Rate limit
                 await this.rateLimiter.throttle(toolName);
                 try {
                     const output = await prep.tool.execute(prep.args);
+                    // Record tool latency
+                    const latencyMs = Date.now() - toolStartTime;
+                    this.metricsCollector.observe('tool_latency_seconds', latencyMs / 1000, { tool: toolName });
+                    this.metricsCollector.increment('tool_calls_total', { tool: toolName });
                     // Audit log: successful execution
                     this.auditLogger.log({ tool: toolName, action: 'execute', args: prep.args, result: 'success' });
                     // Telemetry: track tool calls and file modifications
                     this.tokenTracker.recordToolCall();
                     if ((toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') && prep.args.path) {
                         this.tokenTracker.recordFileModified(prep.args.path);
+                        this.metricsCollector.increment('files_written_total', { tool: toolName });
+                    }
+                    // Track commands executed
+                    if (toolName === 'execute') {
+                        this.metricsCollector.increment('commands_executed_total');
                     }
                     // Store in cache for cacheable tools
                     if (prep.tool.cacheable) {
@@ -373,11 +405,16 @@ class Agent {
                     // Audit log: check if tool returned a security block
                     if (output.startsWith('Error: Blocked:') || output.startsWith('Error: CWD')) {
                         this.auditLogger.log({ tool: toolName, action: 'security_block', args: prep.args, reason: output });
+                        this.metricsCollector.increment('security_blocks_total', { tool: toolName, type: 'security' });
                     }
                     return { content: output };
                 }
                 catch (err) {
                     const errMsg = err instanceof Error ? err.message : String(err);
+                    // Record latency even on error
+                    const latencyMs = Date.now() - toolStartTime;
+                    this.metricsCollector.observe('tool_latency_seconds', latencyMs / 1000, { tool: toolName });
+                    this.metricsCollector.increment('errors_total', { tool: toolName });
                     // Audit log: error
                     this.auditLogger.log({ tool: toolName, action: 'error', args: prep.args, result: 'error', reason: errMsg });
                     return { content: `Error: ${errMsg}`, is_error: true };
@@ -448,6 +485,14 @@ class Agent {
     getAuditLogger() {
         return this.auditLogger;
     }
+    /** Get the metrics collector for session metrics */
+    getMetrics() {
+        return this.metricsCollector;
+    }
+    /** Get the risk scorer for risk assessment history */
+    getRiskScorer() {
+        return this.riskScorer;
+    }
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:
@@ -526,9 +571,8 @@ class Agent {
             return null;
         try {
             const { execSync } = require('child_process');
-            const cwd = process.cwd();
             const currentBranch = execSync('git rev-parse --abbrev-ref HEAD', {
-                cwd, encoding: 'utf-8', timeout: 5000,
+                cwd: this.projectRoot, encoding: 'utf-8', timeout: 5000,
             }).trim();
             if (currentBranch !== 'main' && currentBranch !== 'master') {
                 this.branchCreated = true;
@@ -541,7 +585,7 @@ class Agent {
             const slug = this.sanitizeSlug(firstUserMsg?.content || 'task');
             const branchName = `${prefix}${timestamp}-${slug}`;
             execSync(`git checkout -b "${branchName}"`, {
-                cwd, encoding: 'utf-8', timeout: 10000,
+                cwd: this.projectRoot, encoding: 'utf-8', timeout: 10000,
             });
             this.branchCreated = true;
             return branchName;
@@ -590,7 +634,7 @@ class Agent {
     buildSystemPrompt(supportsTools) {
         let repoMap = '';
         try {
-            repoMap = (0, repo_map_1.buildRepoMap)(process.cwd());
+            repoMap = (0, repo_map_1.buildRepoMap)(this.projectRoot);
         }
         catch {
             repoMap = 'Project structure: (unable to scan)';
@@ -598,7 +642,7 @@ class Agent {
         // Load persistent memory
         let memoryBlock = '';
         try {
-            const memory = new memory_1.MemoryManager(process.cwd());
+            const memory = new memory_1.MemoryManager(this.projectRoot);
             memoryBlock = memory.getContextBlock();
         }
         catch {

package/dist/cli.js

@@ -50,7 +50,9 @@ const audit_1 = require("./audit");
 const policy_1 = require("./policy");
 const sandbox_1 = require("./sandbox");
 const replay_1 = require("./replay");
-const VERSION = '1.8.0';
+const risk_1 = require("./risk");
+const sarif_1 = require("./sarif");
+const VERSION = '2.0.0';
 const C = {
     reset: '\x1b[0m',
     bold: '\x1b[1m',
@@ -228,6 +230,19 @@ async function main() {
         }
         return;
     }
+    // --export-audit sarif: Export audit log as SARIF 2.1.0
+    if (args['export-audit'] === 'sarif' || args['export-audit'] === true) {
+        const logger = new audit_1.AuditLogger();
+        const sessionId = typeof args['session'] === 'string' ? args['session'] : undefined;
+        const entries = sessionId ? logger.query({ sessionId }) : logger.query();
+        if (entries.length === 0) {
+            console.error(c('No audit entries found.', 'yellow'));
+            process.exit(1);
+        }
+        const sarif = (0, sarif_1.exportSarif)(entries, { version: VERSION, sessionId });
+        process.stdout.write((0, sarif_1.sarifToString)(sarif) + '\n');
+        return;
+    }
     // First run: auto-launch setup if nothing is configured
     if ((0, setup_1.isFirstRun)() && process.stdin.isTTY && !args.message) {
         console.log(c('Welcome! No configuration found — launching setup...', 'cyan'));
@@ -299,7 +314,7 @@ async function main() {
     // Cleanup scheduler on exit
     scheduler.stop();
 }
-/** Print session summary with tokens, cost, tool calls, files modified */
+/** Print session summary with tokens, cost, tool calls, files modified, metrics */
 function printSessionSummary(agent) {
     const tracker = agent.getTokenTracker();
     tracker.saveUsage();
@@ -314,6 +329,27 @@ function printSessionSummary(agent) {
     console.log(`  Requests:  ${summary.requestCount}`);
     console.log(`  Tools:     ${summary.toolCalls} calls`);
     console.log(`  Files:     ${summary.filesModified} modified`);
+    // v1.9.0: Per-tool breakdown from MetricsCollector
+    const metrics = agent.getMetrics();
+    const snap = metrics.snapshot();
+    const toolCounters = snap.counters.filter(c => c.name === 'tool_calls_total');
+    if (toolCounters.length > 0) {
+        console.log(c('  Per-tool:', 'dim'));
+        for (const tc of toolCounters.sort((a, b) => b.value - a.value)) {
+            const hist = snap.histograms.find(h => h.name === 'tool_latency_seconds' && h.labels.tool === tc.labels.tool);
+            const avg = hist && hist.count > 0 ? (hist.sum / hist.count * 1000).toFixed(0) : '?';
+            console.log(c(`    ${tc.labels.tool}: ${tc.value} calls (avg ${avg}ms)`, 'dim'));
+        }
+    }
+    // Risk summary
+    const riskScorer = agent.getRiskScorer();
+    const riskAvg = riskScorer.getSessionAverage();
+    if (riskScorer.getHistory().length > 0) {
+        console.log(`  Risk:      avg ${riskAvg}/100`);
+    }
+    // Save metrics
+    metrics.save();
+    metrics.exportOtel();
 }
 function createProvider(config) {
     if (config.provider === 'anthropic') {
@@ -393,8 +429,14 @@ function renderEvent(event, agent) {
                 process.stdout.write('\n');
                 isThinking = false;
             }
-            console.log(c(`\n⚡ ${event.toolCall?.name}`, 'yellow') +
-                c(`(${formatArgs(event.toolCall?.args)})`, 'dim'));
+            {
+                const riskStr = event.risk
+                    ? ' ' + risk_1.RiskScorer.formatIndicator({ score: event.risk.score, level: event.risk.level, factors: [] })
+                    : '';
+                console.log(c(`\n⚡ ${event.toolCall?.name}`, 'yellow') +
+                    c(`(${formatArgs(event.toolCall?.args)})`, 'dim') +
+                    riskStr);
+            }
             break;
         case 'tool_result':
             if (event.toolResult?.is_error) {
@@ -467,6 +509,8 @@ function handleSlashCommand(input, agent, config) {
   /undo      Undo last file edit (/undo [path])
   /usage     Show token usage & cost for this session
   /cost      Show running cost
+  /metrics   Show session metrics (counters + histograms)
+  /risk      Show risk assessment summary
   /policy    Show current security policy
   /audit     Verify audit chain for this session
   /config    Show current config
@@ -543,6 +587,26 @@ function handleSlashCommand(input, agent, config) {
             console.log(c(`  ${tracker.formatStatusLine()}`, 'dim'));
             break;
         }
+        case '/metrics': {
+            const metricsOutput = agent.getMetrics().formatSummary();
+            console.log('\n' + metricsOutput);
+            break;
+        }
+        case '/risk': {
+            const riskHistory = agent.getRiskScorer().getHistory();
+            if (riskHistory.length === 0) {
+                console.log(c('No risk assessments yet.', 'dim'));
+            }
+            else {
+                const avg = agent.getRiskScorer().getSessionAverage();
+                console.log(c(`\nRisk Summary: ${riskHistory.length} assessments, avg ${avg}/100`, 'bold'));
+                const last5 = riskHistory.slice(-5);
+                for (const a of last5) {
+                    console.log(`  ${risk_1.RiskScorer.formatIndicator(a)}`);
+                }
+            }
+            break;
+        }
         case '/policy': {
             const policy = agent.getPolicyEnforcer().getPolicy();
             console.log(c('\nCurrent Policy:', 'bold'));
@@ -702,6 +766,17 @@ function parseArgs(argv) {
             }
             continue;
         }
+        if (arg === '--export-audit') {
+            const next = argv[i + 1];
+            if (next && !next.startsWith('--')) {
+                result['export-audit'] = next;
+                i++;
+            }
+            else {
+                result['export-audit'] = true;
+            }
+            continue;
+        }
         if (arg === '--replay') {
             const next = argv[i + 1];
             if (next && !next.startsWith('--')) {
@@ -770,6 +845,7 @@ ${c('Options:', 'bold')}
 ${c('Security & Policy:', 'bold')}
   --init-policy        Generate default .codebot/policy.json
   --verify-audit [id]  Verify audit log hash chain integrity
+  --export-audit sarif Export audit log as SARIF 2.1.0 JSON
   --sandbox-info       Show Docker sandbox status
 
 ${c('Debugging & Replay:', 'bold')}
@@ -795,6 +871,7 @@ ${c('Examples:', 'bold')}
   codebot --autonomous "refactor src/"     Full auto, no prompts
   codebot --init-policy                    Create security policy
   codebot --verify-audit                   Check audit integrity
+  codebot --export-audit sarif > r.sarif   Export SARIF report
 
 ${c('Interactive Commands:', 'bold')}
   /help      Show commands
@@ -806,6 +883,8 @@ ${c('Interactive Commands:', 'bold')}
   /compact   Force context compaction
   /usage     Show token usage & cost
   /cost      Show running cost
+  /metrics   Show session metrics
+  /risk      Show risk assessment summary
   /policy    Show security policy
   /audit     Verify session audit chain
   /config    Show configuration

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+export declare const VERSION = "2.0.0";
 export { Agent } from './agent';
 export { OpenAIProvider } from './providers/openai';
 export { AnthropicProvider } from './providers/anthropic';
@@ -17,5 +18,11 @@ export { deriveSessionKey, signMessage, verifyMessage, verifyMessages } from './
 export type { IntegrityResult } from './integrity';
 export { ReplayProvider, loadSessionForReplay, compareOutputs, listReplayableSessions } from './replay';
 export type { SessionReplayData, ReplayDivergence } from './replay';
+export { MetricsCollector } from './metrics';
+export type { MetricsSnapshot, CounterValue, HistogramValue } from './metrics';
+export { RiskScorer } from './risk';
+export type { RiskAssessment, RiskFactor } from './risk';
+export { exportSarif, sarifToString } from './sarif';
+export type { SarifLog, SarifResult, SarifRule } from './sarif';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -14,7 +14,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.listReplayableSessions = exports.compareOutputs = exports.loadSessionForReplay = exports.ReplayProvider = exports.verifyMessages = exports.verifyMessage = exports.signMessage = exports.deriveSessionKey = exports.CapabilityChecker = exports.detectProvider = exports.getModelInfo = exports.PROVIDER_DEFAULTS = exports.MODEL_REGISTRY = exports.loadMCPTools = exports.loadPlugins = exports.parseToolCalls = exports.MemoryManager = exports.SessionManager = exports.buildRepoMap = exports.ContextManager = exports.ToolRegistry = exports.AnthropicProvider = exports.OpenAIProvider = exports.Agent = void 0;
+exports.sarifToString = exports.exportSarif = exports.RiskScorer = exports.MetricsCollector = exports.listReplayableSessions = exports.compareOutputs = exports.loadSessionForReplay = exports.ReplayProvider = exports.verifyMessages = exports.verifyMessage = exports.signMessage = exports.deriveSessionKey = exports.CapabilityChecker = exports.detectProvider = exports.getModelInfo = exports.PROVIDER_DEFAULTS = exports.MODEL_REGISTRY = exports.loadMCPTools = exports.loadPlugins = exports.parseToolCalls = exports.MemoryManager = exports.SessionManager = exports.buildRepoMap = exports.ContextManager = exports.ToolRegistry = exports.AnthropicProvider = exports.OpenAIProvider = exports.Agent = exports.VERSION = void 0;
+exports.VERSION = '2.0.0';
 var agent_1 = require("./agent");
 Object.defineProperty(exports, "Agent", { enumerable: true, get: function () { return agent_1.Agent; } });
 var openai_1 = require("./providers/openai");
@@ -54,5 +55,12 @@ Object.defineProperty(exports, "ReplayProvider", { enumerable: true, get: functi
 Object.defineProperty(exports, "loadSessionForReplay", { enumerable: true, get: function () { return replay_1.loadSessionForReplay; } });
 Object.defineProperty(exports, "compareOutputs", { enumerable: true, get: function () { return replay_1.compareOutputs; } });
 Object.defineProperty(exports, "listReplayableSessions", { enumerable: true, get: function () { return replay_1.listReplayableSessions; } });
+var metrics_1 = require("./metrics");
+Object.defineProperty(exports, "MetricsCollector", { enumerable: true, get: function () { return metrics_1.MetricsCollector; } });
+var risk_1 = require("./risk");
+Object.defineProperty(exports, "RiskScorer", { enumerable: true, get: function () { return risk_1.RiskScorer; } });
+var sarif_1 = require("./sarif");
+Object.defineProperty(exports, "exportSarif", { enumerable: true, get: function () { return sarif_1.exportSarif; } });
+Object.defineProperty(exports, "sarifToString", { enumerable: true, get: function () { return sarif_1.sarifToString; } });
 __exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map

package/dist/metrics.d.ts

@@ -0,0 +1,60 @@
+/**
+ * MetricsCollector for CodeBot v1.9.0
+ *
+ * Structured telemetry: counters + histograms.
+ * Persists to ~/.codebot/telemetry/metrics-YYYY-MM-DD.jsonl
+ * Optional OTLP HTTP export when OTEL_EXPORTER_OTLP_ENDPOINT is set.
+ *
+ * Pattern: fail-safe, session-scoped, never throws.
+ * Follows TokenTracker conventions from src/telemetry.ts.
+ */
+export interface CounterValue {
+    name: string;
+    labels: Record<string, string>;
+    value: number;
+}
+export interface HistogramValue {
+    name: string;
+    labels: Record<string, string>;
+    count: number;
+    sum: number;
+    min: number;
+    max: number;
+    buckets: number[];
+}
+export interface MetricsSnapshot {
+    sessionId: string;
+    timestamp: string;
+    counters: CounterValue[];
+    histograms: HistogramValue[];
+}
+export declare class MetricsCollector {
+    private sessionId;
+    private counters;
+    private histograms;
+    constructor(sessionId?: string);
+    getSessionId(): string;
+    /** Increment a counter by delta (default 1) */
+    increment(name: string, labels?: Record<string, string>, delta?: number): void;
+    /** Record a histogram observation */
+    observe(name: string, value: number, labels?: Record<string, string>): void;
+    /** Read a counter value */
+    getCounter(name: string, labels?: Record<string, string>): number;
+    /** Read a histogram summary */
+    getHistogram(name: string, labels?: Record<string, string>): HistogramValue | null;
+    /** Full session snapshot */
+    snapshot(): MetricsSnapshot;
+    /** Persist snapshot to ~/.codebot/telemetry/metrics-YYYY-MM-DD.jsonl */
+    save(sessionId?: string): void;
+    /** Human-readable per-tool breakdown */
+    formatSummary(): string;
+    /**
+     * Export snapshot in OTLP JSON format via HTTP POST.
+     * Only fires when OTEL_EXPORTER_OTLP_ENDPOINT is set.
+     * Fails silently — never blocks or crashes.
+     */
+    exportOtel(snap?: MetricsSnapshot): void;
+    /** Build OTLP-compatible JSON payload */
+    private buildOtlpPayload;
+}
+//# sourceMappingURL=metrics.d.ts.map