engrm 0.1.0 → 0.2.0

package/dist/cli.js

@@ -0,0 +1,2712 @@
+#!/usr/bin/env node
+// @bun
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/cli.ts
+import { existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync6 } from "fs";
+import { hostname as hostname2, homedir as homedir3 } from "os";
+import { join as join6 } from "path";
+import { randomBytes as randomBytes3 } from "crypto";
+
+// src/config.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir, hostname } from "node:os";
+import { join } from "node:path";
+import { randomBytes } from "node:crypto";
+var CONFIG_DIR = join(homedir(), ".engrm");
+var SETTINGS_PATH = join(CONFIG_DIR, "settings.json");
+var DB_PATH = join(CONFIG_DIR, "engrm.db");
+function getConfigDir() {
+  return CONFIG_DIR;
+}
+function getSettingsPath() {
+  return SETTINGS_PATH;
+}
+function getDbPath() {
+  return DB_PATH;
+}
+function generateDeviceId() {
+  const host = hostname().toLowerCase().replace(/[^a-z0-9-]/g, "");
+  const suffix = randomBytes(4).toString("hex");
+  return `${host}-${suffix}`;
+}
+function createDefaultConfig() {
+  return {
+    candengo_url: "",
+    candengo_api_key: "",
+    site_id: "",
+    namespace: "",
+    user_id: "",
+    user_email: "",
+    device_id: generateDeviceId(),
+    teams: [],
+    sync: {
+      enabled: true,
+      interval_seconds: 30,
+      batch_size: 50
+    },
+    search: {
+      default_limit: 10,
+      local_boost: 1.2,
+      scope: "all"
+    },
+    scrubbing: {
+      enabled: true,
+      custom_patterns: [],
+      default_sensitivity: "shared"
+    },
+    sentinel: {
+      enabled: false,
+      mode: "advisory",
+      provider: "openai",
+      model: "gpt-4o-mini",
+      api_key: "",
+      base_url: "",
+      skip_patterns: [],
+      daily_limit: 100,
+      tier: "free"
+    },
+    observer: {
+      enabled: true,
+      mode: "per_event",
+      model: "haiku"
+    }
+  };
+}
+function loadConfig() {
+  if (!existsSync(SETTINGS_PATH)) {
+    throw new Error(`Config not found at ${SETTINGS_PATH}. Run 'engrm init --manual' to configure.`);
+  }
+  const raw = readFileSync(SETTINGS_PATH, "utf-8");
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Invalid JSON in ${SETTINGS_PATH}`);
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new Error(`Config at ${SETTINGS_PATH} is not a JSON object`);
+  }
+  const config = parsed;
+  const defaults = createDefaultConfig();
+  return {
+    candengo_url: asString(config["candengo_url"], defaults.candengo_url),
+    candengo_api_key: asString(config["candengo_api_key"], defaults.candengo_api_key),
+    site_id: asString(config["site_id"], defaults.site_id),
+    namespace: asString(config["namespace"], defaults.namespace),
+    user_id: asString(config["user_id"], defaults.user_id),
+    user_email: asString(config["user_email"], defaults.user_email),
+    device_id: asString(config["device_id"], defaults.device_id),
+    teams: asTeams(config["teams"], defaults.teams),
+    sync: {
+      enabled: asBool(config["sync"]?.["enabled"], defaults.sync.enabled),
+      interval_seconds: asNumber(config["sync"]?.["interval_seconds"], defaults.sync.interval_seconds),
+      batch_size: asNumber(config["sync"]?.["batch_size"], defaults.sync.batch_size)
+    },
+    search: {
+      default_limit: asNumber(config["search"]?.["default_limit"], defaults.search.default_limit),
+      local_boost: asNumber(config["search"]?.["local_boost"], defaults.search.local_boost),
+      scope: asScope(config["search"]?.["scope"], defaults.search.scope)
+    },
+    scrubbing: {
+      enabled: asBool(config["scrubbing"]?.["enabled"], defaults.scrubbing.enabled),
+      custom_patterns: asStringArray(config["scrubbing"]?.["custom_patterns"], defaults.scrubbing.custom_patterns),
+      default_sensitivity: asSensitivity(config["scrubbing"]?.["default_sensitivity"], defaults.scrubbing.default_sensitivity)
+    },
+    sentinel: {
+      enabled: asBool(config["sentinel"]?.["enabled"], defaults.sentinel.enabled),
+      mode: asSentinelMode(config["sentinel"]?.["mode"], defaults.sentinel.mode),
+      provider: asLlmProvider(config["sentinel"]?.["provider"], defaults.sentinel.provider),
+      model: asString(config["sentinel"]?.["model"], defaults.sentinel.model),
+      api_key: asString(config["sentinel"]?.["api_key"], defaults.sentinel.api_key),
+      base_url: asString(config["sentinel"]?.["base_url"], defaults.sentinel.base_url),
+      skip_patterns: asStringArray(config["sentinel"]?.["skip_patterns"], defaults.sentinel.skip_patterns),
+      daily_limit: asNumber(config["sentinel"]?.["daily_limit"], defaults.sentinel.daily_limit),
+      tier: asTier(config["sentinel"]?.["tier"], defaults.sentinel.tier)
+    },
+    observer: {
+      enabled: asBool(config["observer"]?.["enabled"], defaults.observer.enabled),
+      mode: asObserverMode(config["observer"]?.["mode"], defaults.observer.mode),
+      model: asString(config["observer"]?.["model"], defaults.observer.model)
+    }
+  };
+}
+function saveConfig(config) {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+  writeFileSync(SETTINGS_PATH, JSON.stringify(config, null, 2) + `
+`, "utf-8");
+}
+function configExists() {
+  return existsSync(SETTINGS_PATH);
+}
+function asString(value, fallback) {
+  return typeof value === "string" ? value : fallback;
+}
+function asNumber(value, fallback) {
+  return typeof value === "number" && !Number.isNaN(value) ? value : fallback;
+}
+function asBool(value, fallback) {
+  return typeof value === "boolean" ? value : fallback;
+}
+function asStringArray(value, fallback) {
+  return Array.isArray(value) && value.every((v) => typeof v === "string") ? value : fallback;
+}
+function asScope(value, fallback) {
+  if (value === "personal" || value === "team" || value === "all")
+    return value;
+  return fallback;
+}
+function asSensitivity(value, fallback) {
+  if (value === "shared" || value === "personal" || value === "secret")
+    return value;
+  return fallback;
+}
+function asSentinelMode(value, fallback) {
+  if (value === "advisory" || value === "blocking")
+    return value;
+  return fallback;
+}
+function asLlmProvider(value, fallback) {
+  if (value === "openai" || value === "anthropic" || value === "ollama" || value === "custom")
+    return value;
+  return fallback;
+}
+function asTier(value, fallback) {
+  if (value === "free" || value === "vibe" || value === "solo" || value === "pro" || value === "team" || value === "enterprise")
+    return value;
+  return fallback;
+}
+function asObserverMode(value, fallback) {
+  if (value === "per_event" || value === "per_session")
+    return value;
+  return fallback;
+}
+function asTeams(value, fallback) {
+  if (!Array.isArray(value))
+    return fallback;
+  return value.filter((t) => typeof t === "object" && t !== null && typeof t.id === "string" && typeof t.name === "string" && typeof t.namespace === "string");
+}
+
+// src/storage/migrations.ts
+var MIGRATIONS = [
+  {
+    version: 1,
+    description: "Initial schema: projects, observations, sessions, sync, FTS5",
+    sql: `
+      -- Projects (canonical identity across machines)
+      CREATE TABLE projects (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          canonical_id    TEXT UNIQUE NOT NULL,
+          name            TEXT NOT NULL,
+          local_path      TEXT,
+          remote_url      TEXT,
+          first_seen_epoch INTEGER NOT NULL,
+          last_active_epoch INTEGER NOT NULL
+      );
+
+      -- Core observations table
+      CREATE TABLE observations (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id      TEXT,
+          project_id      INTEGER NOT NULL REFERENCES projects(id),
+          type            TEXT NOT NULL CHECK (type IN (
+              'bugfix', 'discovery', 'decision', 'pattern',
+              'change', 'feature', 'refactor', 'digest'
+          )),
+          title           TEXT NOT NULL,
+          narrative       TEXT,
+          facts           TEXT,
+          concepts        TEXT,
+          files_read      TEXT,
+          files_modified  TEXT,
+          quality         REAL DEFAULT 0.5 CHECK (quality BETWEEN 0.0 AND 1.0),
+          lifecycle       TEXT DEFAULT 'active' CHECK (lifecycle IN (
+              'active', 'aging', 'archived', 'purged', 'pinned'
+          )),
+          sensitivity     TEXT DEFAULT 'shared' CHECK (sensitivity IN (
+              'shared', 'personal', 'secret'
+          )),
+          user_id         TEXT NOT NULL,
+          device_id       TEXT NOT NULL,
+          agent           TEXT DEFAULT 'claude-code',
+          created_at      TEXT NOT NULL,
+          created_at_epoch INTEGER NOT NULL,
+          archived_at_epoch INTEGER,
+          compacted_into  INTEGER REFERENCES observations(id) ON DELETE SET NULL
+      );
+
+      -- Session tracking
+      CREATE TABLE sessions (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id      TEXT UNIQUE NOT NULL,
+          project_id      INTEGER REFERENCES projects(id),
+          user_id         TEXT NOT NULL,
+          device_id       TEXT NOT NULL,
+          agent           TEXT DEFAULT 'claude-code',
+          status          TEXT DEFAULT 'active' CHECK (status IN ('active', 'completed')),
+          observation_count INTEGER DEFAULT 0,
+          started_at_epoch INTEGER,
+          completed_at_epoch INTEGER
+      );
+
+      -- Session summaries (generated on Stop hook)
+      CREATE TABLE session_summaries (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id      TEXT UNIQUE NOT NULL,
+          project_id      INTEGER REFERENCES projects(id),
+          user_id         TEXT NOT NULL,
+          request         TEXT,
+          investigated    TEXT,
+          learned         TEXT,
+          completed       TEXT,
+          next_steps      TEXT,
+          created_at_epoch INTEGER
+      );
+
+      -- Sync outbox (offline-first queue)
+      CREATE TABLE sync_outbox (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          record_type     TEXT NOT NULL CHECK (record_type IN ('observation', 'summary')),
+          record_id       INTEGER NOT NULL,
+          status          TEXT DEFAULT 'pending' CHECK (status IN (
+              'pending', 'syncing', 'synced', 'failed'
+          )),
+          retry_count     INTEGER DEFAULT 0,
+          max_retries     INTEGER DEFAULT 10,
+          last_error      TEXT,
+          created_at_epoch INTEGER NOT NULL,
+          synced_at_epoch  INTEGER,
+          next_retry_epoch INTEGER
+      );
+
+      -- Sync high-water mark and lifecycle job tracking
+      CREATE TABLE sync_state (
+          key   TEXT PRIMARY KEY,
+          value TEXT NOT NULL
+      );
+
+      -- FTS5 for local offline search (external content mode)
+      CREATE VIRTUAL TABLE observations_fts USING fts5(
+          title, narrative, facts, concepts,
+          content=observations,
+          content_rowid=id
+      );
+
+      -- Indexes: observations
+      CREATE INDEX idx_observations_project ON observations(project_id);
+      CREATE INDEX idx_observations_project_lifecycle ON observations(project_id, lifecycle);
+      CREATE INDEX idx_observations_type ON observations(type);
+      CREATE INDEX idx_observations_created ON observations(created_at_epoch);
+      CREATE INDEX idx_observations_session ON observations(session_id);
+      CREATE INDEX idx_observations_lifecycle ON observations(lifecycle);
+      CREATE INDEX idx_observations_quality ON observations(quality);
+      CREATE INDEX idx_observations_user ON observations(user_id);
+
+      -- Indexes: sessions
+      CREATE INDEX idx_sessions_project ON sessions(project_id);
+
+      -- Indexes: sync outbox
+      CREATE INDEX idx_outbox_status ON sync_outbox(status, next_retry_epoch);
+      CREATE INDEX idx_outbox_record ON sync_outbox(record_type, record_id);
+    `
+  },
+  {
+    version: 2,
+    description: "Add superseded_by for knowledge supersession",
+    sql: `
+      ALTER TABLE observations ADD COLUMN superseded_by INTEGER REFERENCES observations(id) ON DELETE SET NULL;
+      CREATE INDEX idx_observations_superseded ON observations(superseded_by);
+    `
+  },
+  {
+    version: 3,
+    description: "Add remote_source_id for pull deduplication",
+    sql: `
+      ALTER TABLE observations ADD COLUMN remote_source_id TEXT;
+      CREATE UNIQUE INDEX idx_observations_remote_source ON observations(remote_source_id) WHERE remote_source_id IS NOT NULL;
+    `
+  },
+  {
+    version: 4,
+    description: "Add sqlite-vec for local semantic search",
+    sql: `
+      CREATE VIRTUAL TABLE vec_observations USING vec0(
+        observation_id INTEGER PRIMARY KEY,
+        embedding float[384]
+      );
+    `,
+    condition: (db) => isVecExtensionLoaded(db)
+  },
+  {
+    version: 5,
+    description: "Session metrics and security findings",
+    sql: `
+      ALTER TABLE sessions ADD COLUMN files_touched_count INTEGER DEFAULT 0;
+      ALTER TABLE sessions ADD COLUMN searches_performed INTEGER DEFAULT 0;
+      ALTER TABLE sessions ADD COLUMN tool_calls_count INTEGER DEFAULT 0;
+
+      CREATE TABLE security_findings (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id      TEXT,
+          project_id      INTEGER NOT NULL REFERENCES projects(id),
+          finding_type    TEXT NOT NULL,
+          severity        TEXT NOT NULL DEFAULT 'medium' CHECK (severity IN ('critical', 'high', 'medium', 'low')),
+          pattern_name    TEXT NOT NULL,
+          file_path       TEXT,
+          snippet         TEXT,
+          tool_name       TEXT,
+          user_id         TEXT NOT NULL,
+          device_id       TEXT NOT NULL,
+          created_at_epoch INTEGER NOT NULL
+      );
+
+      CREATE INDEX idx_security_findings_session ON security_findings(session_id);
+      CREATE INDEX idx_security_findings_project ON security_findings(project_id, created_at_epoch);
+      CREATE INDEX idx_security_findings_severity ON security_findings(severity);
+    `
+  },
+  {
+    version: 6,
+    description: "Add risk_score, expand observation types to include standard",
+    sql: `
+      ALTER TABLE sessions ADD COLUMN risk_score INTEGER;
+
+      -- Recreate observations table with expanded type CHECK to include 'standard'
+      -- SQLite doesn't support ALTER CHECK, so we recreate the table
+      CREATE TABLE observations_new (
+          id              INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id      TEXT,
+          project_id      INTEGER NOT NULL REFERENCES projects(id),
+          type            TEXT NOT NULL CHECK (type IN (
+              'bugfix', 'discovery', 'decision', 'pattern',
+              'change', 'feature', 'refactor', 'digest', 'standard'
+          )),
+          title           TEXT NOT NULL,
+          narrative       TEXT,
+          facts           TEXT,
+          concepts        TEXT,
+          files_read      TEXT,
+          files_modified  TEXT,
+          quality         REAL DEFAULT 0.5 CHECK (quality BETWEEN 0.0 AND 1.0),
+          lifecycle       TEXT DEFAULT 'active' CHECK (lifecycle IN (
+              'active', 'aging', 'archived', 'purged', 'pinned'
+          )),
+          sensitivity     TEXT DEFAULT 'shared' CHECK (sensitivity IN (
+              'shared', 'personal', 'secret'
+          )),
+          user_id         TEXT NOT NULL,
+          device_id       TEXT NOT NULL,
+          agent           TEXT DEFAULT 'claude-code',
+          created_at      TEXT NOT NULL,
+          created_at_epoch INTEGER NOT NULL,
+          archived_at_epoch INTEGER,
+          compacted_into  INTEGER REFERENCES observations(id) ON DELETE SET NULL,
+          superseded_by   INTEGER REFERENCES observations(id) ON DELETE SET NULL,
+          remote_source_id TEXT
+      );
+
+      INSERT INTO observations_new SELECT * FROM observations;
+
+      DROP TABLE observations;
+      ALTER TABLE observations_new RENAME TO observations;
+
+      -- Recreate indexes
+      CREATE INDEX idx_observations_project ON observations(project_id);
+      CREATE INDEX idx_observations_project_lifecycle ON observations(project_id, lifecycle);
+      CREATE INDEX idx_observations_type ON observations(type);
+      CREATE INDEX idx_observations_created ON observations(created_at_epoch);
+      CREATE INDEX idx_observations_session ON observations(session_id);
+      CREATE INDEX idx_observations_lifecycle ON observations(lifecycle);
+      CREATE INDEX idx_observations_quality ON observations(quality);
+      CREATE INDEX idx_observations_user ON observations(user_id);
+      CREATE INDEX idx_observations_superseded ON observations(superseded_by);
+      CREATE UNIQUE INDEX idx_observations_remote_source ON observations(remote_source_id) WHERE remote_source_id IS NOT NULL;
+
+      -- Recreate FTS5 (external content mode — must rebuild after table recreation)
+      DROP TABLE IF EXISTS observations_fts;
+      CREATE VIRTUAL TABLE observations_fts USING fts5(
+          title, narrative, facts, concepts,
+          content=observations,
+          content_rowid=id
+      );
+      -- Rebuild FTS index
+      INSERT INTO observations_fts(observations_fts) VALUES('rebuild');
+    `
+  },
+  {
+    version: 7,
+    description: "Add packs_installed table for help pack tracking",
+    sql: `
+      CREATE TABLE IF NOT EXISTS packs_installed (
+          name            TEXT PRIMARY KEY,
+          installed_at    INTEGER NOT NULL,
+          observation_count INTEGER DEFAULT 0
+      );
+    `
+  }
+];
+function isVecExtensionLoaded(db) {
+  try {
+    db.exec("SELECT vec_version()");
+    return true;
+  } catch {
+    return false;
+  }
+}
+function runMigrations(db) {
+  const currentVersion = db.query("PRAGMA user_version").get();
+  let version = currentVersion.user_version;
+  for (const migration of MIGRATIONS) {
+    if (migration.version <= version)
+      continue;
+    if (migration.condition && !migration.condition(db)) {
+      continue;
+    }
+    db.exec("BEGIN TRANSACTION");
+    try {
+      db.exec(migration.sql);
+      db.exec(`PRAGMA user_version = ${migration.version}`);
+      db.exec("COMMIT");
+      version = migration.version;
+    } catch (error) {
+      db.exec("ROLLBACK");
+      throw new Error(`Migration ${migration.version} (${migration.description}) failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+}
+var LATEST_SCHEMA_VERSION = MIGRATIONS.filter((m) => !m.condition).reduce((max, m) => Math.max(max, m.version), 0);
+
+// src/storage/sqlite.ts
+var IS_BUN = typeof globalThis.Bun !== "undefined";
+function openDatabase(dbPath) {
+  if (IS_BUN) {
+    return openBunDatabase(dbPath);
+  }
+  return openNodeDatabase(dbPath);
+}
+function openBunDatabase(dbPath) {
+  const { Database } = __require("bun:sqlite");
+  if (process.platform === "darwin") {
+    const { existsSync: existsSync2 } = __require("node:fs");
+    const paths = [
+      "/opt/homebrew/opt/sqlite/lib/libsqlite3.dylib",
+      "/usr/local/opt/sqlite3/lib/libsqlite3.dylib"
+    ];
+    for (const p of paths) {
+      if (existsSync2(p)) {
+        try {
+          Database.setCustomSQLite(p);
+        } catch {}
+        break;
+      }
+    }
+  }
+  const db = new Database(dbPath);
+  return db;
+}
+function openNodeDatabase(dbPath) {
+  const BetterSqlite3 = __require("better-sqlite3");
+  const raw = new BetterSqlite3(dbPath);
+  return {
+    query(sql) {
+      const stmt = raw.prepare(sql);
+      return {
+        get(...params) {
+          return stmt.get(...params);
+        },
+        all(...params) {
+          return stmt.all(...params);
+        },
+        run(...params) {
+          return stmt.run(...params);
+        }
+      };
+    },
+    exec(sql) {
+      raw.exec(sql);
+    },
+    close() {
+      raw.close();
+    }
+  };
+}
+
+class MemDatabase {
+  db;
+  vecAvailable;
+  constructor(dbPath) {
+    this.db = openDatabase(dbPath);
+    this.db.exec("PRAGMA journal_mode = WAL");
+    this.db.exec("PRAGMA foreign_keys = ON");
+    this.vecAvailable = this.loadVecExtension();
+    runMigrations(this.db);
+  }
+  loadVecExtension() {
+    try {
+      const sqliteVec = __require("sqlite-vec");
+      sqliteVec.load(this.db);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  close() {
+    this.db.close();
+  }
+  upsertProject(project) {
+    const now = Math.floor(Date.now() / 1000);
+    const existing = this.db.query("SELECT * FROM projects WHERE canonical_id = ?").get(project.canonical_id);
+    if (existing) {
+      this.db.query(`UPDATE projects SET
+            local_path = COALESCE(?, local_path),
+            remote_url = COALESCE(?, remote_url),
+            last_active_epoch = ?
+          WHERE id = ?`).run(project.local_path ?? null, project.remote_url ?? null, now, existing.id);
+      return {
+        ...existing,
+        local_path: project.local_path ?? existing.local_path,
+        remote_url: project.remote_url ?? existing.remote_url,
+        last_active_epoch: now
+      };
+    }
+    const result = this.db.query(`INSERT INTO projects (canonical_id, name, local_path, remote_url, first_seen_epoch, last_active_epoch)
+        VALUES (?, ?, ?, ?, ?, ?)`).run(project.canonical_id, project.name, project.local_path ?? null, project.remote_url ?? null, now, now);
+    return this.db.query("SELECT * FROM projects WHERE id = ?").get(Number(result.lastInsertRowid));
+  }
+  getProjectByCanonicalId(canonicalId) {
+    return this.db.query("SELECT * FROM projects WHERE canonical_id = ?").get(canonicalId) ?? null;
+  }
+  getProjectById(id) {
+    return this.db.query("SELECT * FROM projects WHERE id = ?").get(id) ?? null;
+  }
+  insertObservation(obs) {
+    const now = Math.floor(Date.now() / 1000);
+    const createdAt = new Date().toISOString();
+    const result = this.db.query(`INSERT INTO observations (
+          session_id, project_id, type, title, narrative, facts, concepts,
+          files_read, files_modified, quality, lifecycle, sensitivity,
+          user_id, device_id, agent, created_at, created_at_epoch
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(obs.session_id ?? null, obs.project_id, obs.type, obs.title, obs.narrative ?? null, obs.facts ?? null, obs.concepts ?? null, obs.files_read ?? null, obs.files_modified ?? null, obs.quality, obs.lifecycle ?? "active", obs.sensitivity ?? "shared", obs.user_id, obs.device_id, obs.agent ?? "claude-code", createdAt, now);
+    const id = Number(result.lastInsertRowid);
+    const row = this.getObservationById(id);
+    this.ftsInsert(row);
+    if (obs.session_id) {
+      this.db.query("UPDATE sessions SET observation_count = observation_count + 1 WHERE session_id = ?").run(obs.session_id);
+    }
+    return row;
+  }
+  getObservationById(id) {
+    return this.db.query("SELECT * FROM observations WHERE id = ?").get(id) ?? null;
+  }
+  getObservationsByIds(ids) {
+    if (ids.length === 0)
+      return [];
+    const placeholders = ids.map(() => "?").join(",");
+    return this.db.query(`SELECT * FROM observations WHERE id IN (${placeholders}) ORDER BY created_at_epoch DESC`).all(...ids);
+  }
+  getRecentObservations(projectId, sincEpoch, limit = 50) {
+    return this.db.query(`SELECT * FROM observations
+        WHERE project_id = ? AND created_at_epoch > ?
+        ORDER BY created_at_epoch DESC
+        LIMIT ?`).all(projectId, sincEpoch, limit);
+  }
+  searchFts(query, projectId, lifecycles = ["active", "aging", "pinned"], limit = 20) {
+    const lifecyclePlaceholders = lifecycles.map(() => "?").join(",");
+    if (projectId !== null) {
+      return this.db.query(`SELECT o.id, observations_fts.rank
+          FROM observations_fts
+          JOIN observations o ON o.id = observations_fts.rowid
+          WHERE observations_fts MATCH ?
+            AND o.project_id = ?
+            AND o.lifecycle IN (${lifecyclePlaceholders})
+          ORDER BY observations_fts.rank
+          LIMIT ?`).all(query, projectId, ...lifecycles, limit);
+    }
+    return this.db.query(`SELECT o.id, observations_fts.rank
+        FROM observations_fts
+        JOIN observations o ON o.id = observations_fts.rowid
+        WHERE observations_fts MATCH ?
+          AND o.lifecycle IN (${lifecyclePlaceholders})
+        ORDER BY observations_fts.rank
+        LIMIT ?`).all(query, ...lifecycles, limit);
+  }
+  getTimeline(anchorId, projectId, depthBefore = 3, depthAfter = 3) {
+    const anchor = this.getObservationById(anchorId);
+    if (!anchor)
+      return [];
+    const projectFilter = projectId !== null ? "AND project_id = ?" : "";
+    const projectParams = projectId !== null ? [projectId] : [];
+    const before = this.db.query(`SELECT * FROM observations
+        WHERE created_at_epoch < ? ${projectFilter}
+          AND lifecycle IN ('active', 'aging', 'pinned')
+        ORDER BY created_at_epoch DESC
+        LIMIT ?`).all(anchor.created_at_epoch, ...projectParams, depthBefore);
+    const after = this.db.query(`SELECT * FROM observations
+        WHERE created_at_epoch > ? ${projectFilter}
+          AND lifecycle IN ('active', 'aging', 'pinned')
+        ORDER BY created_at_epoch ASC
+        LIMIT ?`).all(anchor.created_at_epoch, ...projectParams, depthAfter);
+    return [...before.reverse(), anchor, ...after];
+  }
+  pinObservation(id, pinned) {
+    const obs = this.getObservationById(id);
+    if (!obs)
+      return false;
+    if (pinned) {
+      if (obs.lifecycle !== "active" && obs.lifecycle !== "aging")
+        return false;
+      this.db.query("UPDATE observations SET lifecycle = 'pinned' WHERE id = ?").run(id);
+    } else {
+      if (obs.lifecycle !== "pinned")
+        return false;
+      this.db.query("UPDATE observations SET lifecycle = 'active' WHERE id = ?").run(id);
+    }
+    return true;
+  }
+  getActiveObservationCount(userId) {
+    if (userId) {
+      const result2 = this.db.query(`SELECT COUNT(*) as count FROM observations
+          WHERE lifecycle IN ('active', 'aging')
+            AND sensitivity != 'secret'
+            AND user_id = ?`).get(userId);
+      return result2?.count ?? 0;
+    }
+    const result = this.db.query(`SELECT COUNT(*) as count FROM observations
+        WHERE lifecycle IN ('active', 'aging')
+          AND sensitivity != 'secret'`).get();
+    return result?.count ?? 0;
+  }
+  supersedeObservation(oldId, newId) {
+    if (oldId === newId)
+      return false;
+    const replacement = this.getObservationById(newId);
+    if (!replacement)
+      return false;
+    let targetId = oldId;
+    const visited = new Set;
+    for (let depth = 0;depth < 10; depth++) {
+      const target2 = this.getObservationById(targetId);
+      if (!target2)
+        return false;
+      if (target2.superseded_by === null)
+        break;
+      if (target2.superseded_by === newId)
+        return true;
+      visited.add(targetId);
+      targetId = target2.superseded_by;
+      if (visited.has(targetId))
+        return false;
+    }
+    const target = this.getObservationById(targetId);
+    if (!target)
+      return false;
+    if (target.superseded_by !== null)
+      return false;
+    if (targetId === newId)
+      return false;
+    const now = Math.floor(Date.now() / 1000);
+    this.db.query(`UPDATE observations
+         SET superseded_by = ?, lifecycle = 'archived', archived_at_epoch = ?
+         WHERE id = ?`).run(newId, now, targetId);
+    this.ftsDelete(target);
+    this.vecDelete(targetId);
+    return true;
+  }
+  isSuperseded(id) {
+    const obs = this.getObservationById(id);
+    return obs !== null && obs.superseded_by !== null;
+  }
+  upsertSession(sessionId, projectId, userId, deviceId, agent = "claude-code") {
+    const existing = this.db.query("SELECT * FROM sessions WHERE session_id = ?").get(sessionId);
+    if (existing)
+      return existing;
+    const now = Math.floor(Date.now() / 1000);
+    this.db.query(`INSERT INTO sessions (session_id, project_id, user_id, device_id, agent, started_at_epoch)
+        VALUES (?, ?, ?, ?, ?, ?)`).run(sessionId, projectId, userId, deviceId, agent, now);
+    return this.db.query("SELECT * FROM sessions WHERE session_id = ?").get(sessionId);
+  }
+  completeSession(sessionId) {
+    const now = Math.floor(Date.now() / 1000);
+    this.db.query("UPDATE sessions SET status = 'completed', completed_at_epoch = ? WHERE session_id = ?").run(now, sessionId);
+  }
+  addToOutbox(recordType, recordId) {
+    const now = Math.floor(Date.now() / 1000);
+    this.db.query(`INSERT INTO sync_outbox (record_type, record_id, created_at_epoch)
+        VALUES (?, ?, ?)`).run(recordType, recordId, now);
+  }
+  getSyncState(key) {
+    const row = this.db.query("SELECT value FROM sync_state WHERE key = ?").get(key);
+    return row?.value ?? null;
+  }
+  setSyncState(key, value) {
+    this.db.query("INSERT INTO sync_state (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value = ?").run(key, value, value);
+  }
+  ftsInsert(obs) {
+    this.db.query(`INSERT INTO observations_fts (rowid, title, narrative, facts, concepts)
+        VALUES (?, ?, ?, ?, ?)`).run(obs.id, obs.title, obs.narrative, obs.facts, obs.concepts);
+  }
+  ftsDelete(obs) {
+    this.db.query(`INSERT INTO observations_fts (observations_fts, rowid, title, narrative, facts, concepts)
+        VALUES ('delete', ?, ?, ?, ?, ?)`).run(obs.id, obs.title, obs.narrative, obs.facts, obs.concepts);
+  }
+  vecInsert(observationId, embedding) {
+    if (!this.vecAvailable)
+      return;
+    this.db.query("INSERT OR REPLACE INTO vec_observations (observation_id, embedding) VALUES (?, ?)").run(observationId, new Uint8Array(embedding.buffer));
+  }
+  vecDelete(observationId) {
+    if (!this.vecAvailable)
+      return;
+    this.db.query("DELETE FROM vec_observations WHERE observation_id = ?").run(observationId);
+  }
+  searchVec(queryEmbedding, projectId, lifecycles = ["active", "aging", "pinned"], limit = 20) {
+    if (!this.vecAvailable)
+      return [];
+    const lifecyclePlaceholders = lifecycles.map(() => "?").join(",");
+    const embeddingBlob = new Uint8Array(queryEmbedding.buffer);
+    if (projectId !== null) {
+      return this.db.query(`SELECT v.observation_id, v.distance
+           FROM vec_observations v
+           JOIN observations o ON o.id = v.observation_id
+           WHERE v.embedding MATCH ?
+             AND k = ?
+             AND o.project_id = ?
+             AND o.lifecycle IN (${lifecyclePlaceholders})
+             AND o.superseded_by IS NULL`).all(embeddingBlob, limit, projectId, ...lifecycles);
+    }
+    return this.db.query(`SELECT v.observation_id, v.distance
+         FROM vec_observations v
+         JOIN observations o ON o.id = v.observation_id
+         WHERE v.embedding MATCH ?
+           AND k = ?
+           AND o.lifecycle IN (${lifecyclePlaceholders})
+           AND o.superseded_by IS NULL`).all(embeddingBlob, limit, ...lifecycles);
+  }
+  getUnembeddedCount() {
+    if (!this.vecAvailable)
+      return 0;
+    const result = this.db.query(`SELECT COUNT(*) as count FROM observations o
+         WHERE o.lifecycle IN ('active', 'aging', 'pinned')
+         AND o.superseded_by IS NULL
+         AND NOT EXISTS (
+           SELECT 1 FROM vec_observations v WHERE v.observation_id = o.id
+         )`).get();
+    return result?.count ?? 0;
+  }
+  getUnembeddedObservations(limit = 100) {
+    if (!this.vecAvailable)
+      return [];
+    return this.db.query(`SELECT o.* FROM observations o
+         WHERE o.lifecycle IN ('active', 'aging', 'pinned')
+         AND o.superseded_by IS NULL
+         AND NOT EXISTS (
+           SELECT 1 FROM vec_observations v WHERE v.observation_id = o.id
+         )
+         ORDER BY o.created_at_epoch DESC
+         LIMIT ?`).all(limit);
+  }
+  insertSessionSummary(summary) {
+    const now = Math.floor(Date.now() / 1000);
+    const result = this.db.query(`INSERT INTO session_summaries (session_id, project_id, user_id, request, investigated, learned, completed, next_steps, created_at_epoch)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(summary.session_id, summary.project_id, summary.user_id, summary.request, summary.investigated, summary.learned, summary.completed, summary.next_steps, now);
+    const id = Number(result.lastInsertRowid);
+    return this.db.query("SELECT * FROM session_summaries WHERE id = ?").get(id);
+  }
+  getSessionSummary(sessionId) {
+    return this.db.query("SELECT * FROM session_summaries WHERE session_id = ?").get(sessionId) ?? null;
+  }
+  getRecentSummaries(projectId, limit = 5) {
+    return this.db.query(`SELECT * FROM session_summaries
+         WHERE project_id = ?
+         ORDER BY created_at_epoch DESC, id DESC
+         LIMIT ?`).all(projectId, limit);
+  }
+  incrementSessionMetrics(sessionId, increments) {
+    const sets = [];
+    const params = [];
+    if (increments.files) {
+      sets.push("files_touched_count = files_touched_count + ?");
+      params.push(increments.files);
+    }
+    if (increments.searches) {
+      sets.push("searches_performed = searches_performed + ?");
+      params.push(increments.searches);
+    }
+    if (increments.toolCalls) {
+      sets.push("tool_calls_count = tool_calls_count + ?");
+      params.push(increments.toolCalls);
+    }
+    if (sets.length === 0)
+      return;
+    params.push(sessionId);
+    this.db.query(`UPDATE sessions SET ${sets.join(", ")} WHERE session_id = ?`).run(...params);
+  }
+  getSessionMetrics(sessionId) {
+    return this.db.query("SELECT * FROM sessions WHERE session_id = ?").get(sessionId) ?? null;
+  }
+  insertSecurityFinding(finding) {
+    const now = Math.floor(Date.now() / 1000);
+    const result = this.db.query(`INSERT INTO security_findings (session_id, project_id, finding_type, severity, pattern_name, file_path, snippet, tool_name, user_id, device_id, created_at_epoch)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(finding.session_id ?? null, finding.project_id, finding.finding_type, finding.severity, finding.pattern_name, finding.file_path ?? null, finding.snippet ?? null, finding.tool_name ?? null, finding.user_id, finding.device_id, now);
+    const id = Number(result.lastInsertRowid);
+    return this.db.query("SELECT * FROM security_findings WHERE id = ?").get(id);
+  }
+  getSecurityFindings(projectId, options = {}) {
+    const limit = options.limit ?? 50;
+    if (options.severity) {
+      return this.db.query(`SELECT * FROM security_findings
+           WHERE project_id = ? AND severity = ?
+           ORDER BY created_at_epoch DESC
+           LIMIT ?`).all(projectId, options.severity, limit);
+    }
+    return this.db.query(`SELECT * FROM security_findings
+         WHERE project_id = ?
+         ORDER BY created_at_epoch DESC
+         LIMIT ?`).all(projectId, limit);
+  }
+  getSecurityFindingsCount(projectId) {
+    const rows = this.db.query(`SELECT severity, COUNT(*) as count FROM security_findings
+         WHERE project_id = ?
+         GROUP BY severity`).all(projectId);
+    const counts = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0
+    };
+    for (const row of rows) {
+      counts[row.severity] = row.count;
+    }
+    return counts;
+  }
+  setSessionRiskScore(sessionId, score) {
+    this.db.query("UPDATE sessions SET risk_score = ? WHERE session_id = ?").run(score, sessionId);
+  }
+  getObservationsBySession(sessionId) {
+    return this.db.query(`SELECT * FROM observations WHERE session_id = ? ORDER BY created_at_epoch ASC`).all(sessionId);
+  }
+  getInstalledPacks() {
+    try {
+      const rows = this.db.query("SELECT name FROM packs_installed").all();
+      return rows.map((r) => r.name);
+    } catch {
+      return [];
+    }
+  }
+  markPackInstalled(name, observationCount) {
+    const now = Math.floor(Date.now() / 1000);
+    this.db.query("INSERT OR REPLACE INTO packs_installed (name, installed_at, observation_count) VALUES (?, ?, ?)").run(name, now, observationCount);
+  }
+}
+
+// src/storage/outbox.ts
+function getOutboxStats(db) {
+  const rows = db.db.query("SELECT status, COUNT(*) as count FROM sync_outbox GROUP BY status").all();
+  const stats = {
+    pending: 0,
+    syncing: 0,
+    synced: 0,
+    failed: 0
+  };
+  for (const row of rows) {
+    stats[row.status] = row.count;
+  }
+  return stats;
+}
+
+// src/provisioning/provision.ts
+var DEFAULT_CANDENGO_URL = "https://www.candengo.com";
+
+class ProvisionError extends Error {
+  status;
+  detail;
+  constructor(status, detail) {
+    super(detail);
+    this.status = status;
+    this.detail = detail;
+    this.name = "ProvisionError";
+  }
+}
+async function provision(baseUrl, request) {
+  const url = `${baseUrl.replace(/\/$/, "")}/v1/mem/provision`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(request)
+  });
+  if (!response.ok) {
+    let detail;
+    try {
+      const body = await response.json();
+      detail = body.detail ?? `HTTP ${response.status}`;
+    } catch {
+      detail = `HTTP ${response.status}`;
+    }
+    if (response.status === 401 || response.status === 403) {
+      throw new ProvisionError(response.status, "Invalid or expired provisioning token");
+    }
+    if (response.status === 409) {
+      throw new ProvisionError(response.status, "Token has already been used");
+    }
+    throw new ProvisionError(response.status, detail);
+  }
+  const data = await response.json();
+  if (!data.api_key?.startsWith("cvk_")) {
+    throw new ProvisionError(0, "Server returned invalid API key format");
+  }
+  if (!data.site_id || !data.namespace || !data.user_id) {
+    throw new ProvisionError(0, "Server returned incomplete credentials");
+  }
+  return data;
+}
+
+// src/provisioning/browser-auth.ts
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { createServer } from "node:http";
+import { execFile } from "node:child_process";
+var CALLBACK_TIMEOUT_MS = 120000;
+async function runBrowserAuth(candengoUrl) {
+  const state = randomBytes2(16).toString("hex");
+  const { port, waitForCallback, stop } = await startCallbackServer(state);
+  const redirectUri = `http://localhost:${port}/callback`;
+  const authUrl = new URL("/connect/mem", candengoUrl);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  console.log(`
+Opening browser to authorize Engrm...`);
+  console.log(`If the browser doesn't open, visit:
+  ${authUrl.toString()}
+`);
+  const opened = await openBrowser(authUrl.toString());
+  if (!opened) {
+    console.log("Could not open browser. Use --token or --no-browser instead.");
+    stop();
+    throw new Error("Browser launch failed");
+  }
+  console.log("Waiting for authorization...");
+  try {
+    const result = await waitForCallback;
+    return result;
+  } finally {
+    stop();
+  }
+}
+async function startCallbackServer(expectedState) {
+  let resolveCallback;
+  let rejectCallback;
+  const waitForCallback = new Promise((resolve, reject) => {
+    resolveCallback = resolve;
+    rejectCallback = reject;
+  });
+  const server = createServer((req, res) => {
+    const url = new URL(req.url ?? "/", `http://localhost`);
+    if (url.pathname === "/callback") {
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Authorization denied";
+        rejectCallback(new Error(desc));
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(errorPage(desc));
+        return;
+      }
+      if (!code || !state) {
+        rejectCallback(new Error("Missing code or state in callback"));
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(errorPage("Missing authorization parameters"));
+        return;
+      }
+      if (state !== expectedState) {
+        rejectCallback(new Error("State mismatch — possible CSRF"));
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(errorPage("Security error: state mismatch"));
+        return;
+      }
+      resolveCallback({ code, state });
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(successPage());
+      return;
+    }
+    res.writeHead(404);
+    res.end("Not found");
+  });
+  await new Promise((resolve) => {
+    server.listen(0, "127.0.0.1", resolve);
+  });
+  const addr = server.address();
+  const port = typeof addr === "object" && addr ? addr.port : 0;
+  const timeout = setTimeout(() => {
+    rejectCallback(new Error("Authorization timed out. Please try again."));
+  }, CALLBACK_TIMEOUT_MS);
+  const stop = () => {
+    clearTimeout(timeout);
+    server.close();
+  };
+  return { port, waitForCallback, stop };
+}
+async function openBrowser(url) {
+  try {
+    const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", url] : [url];
+    return new Promise((resolve) => {
+      execFile(cmd, args, (error) => {
+        resolve(!error);
+      });
+    });
+  } catch {
+    return false;
+  }
+}
+function successPage() {
+  return `<!DOCTYPE html>
+<html><head><title>Engrm</title>
+<style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:3rem;border-radius:12px;background:white;box-shadow:0 2px 12px rgba(0,0,0,0.1)}
+h1{color:#10b981;margin-bottom:0.5rem}p{color:#6b7280}</style></head>
+<body><div class="card"><h1>Connected!</h1><p>You can close this tab and return to the terminal.</p></div></body></html>`;
+}
+function errorPage(message) {
+  return `<!DOCTYPE html>
+<html><head><title>Engrm</title>
+<style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#f8f9fa}
+.card{text-align:center;padding:3rem;border-radius:12px;background:white;box-shadow:0 2px 12px rgba(0,0,0,0.1)}
+h1{color:#ef4444;margin-bottom:0.5rem}p{color:#6b7280}</style></head>
+<body><div class="card"><h1>Authorization Failed</h1><p>${message}</p></div></body></html>`;
+}
+
+// src/register.ts
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join2, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+var CLAUDE_JSON = join2(homedir2(), ".claude.json");
+var CLAUDE_SETTINGS = join2(homedir2(), ".claude", "settings.json");
+function isBuiltDist() {
+  const thisDir = dirname(fileURLToPath(import.meta.url));
+  return thisDir.endsWith("/dist") || thisDir.endsWith("\\dist");
+}
+function findRuntime() {
+  if (isBuiltDist()) {
+    return process.execPath;
+  }
+  const candidates = [
+    join2(homedir2(), ".bun", "bin", "bun"),
+    "/usr/local/bin/bun",
+    "/opt/homebrew/bin/bun"
+  ];
+  for (const p of candidates) {
+    if (existsSync2(p))
+      return p;
+  }
+  if (process.execPath && process.execPath.endsWith("bun")) {
+    return process.execPath;
+  }
+  return "bun";
+}
+function findPackageRoot() {
+  const thisDir = dirname(fileURLToPath(import.meta.url));
+  return join2(thisDir, "..");
+}
+function readJsonFile(path) {
+  if (!existsSync2(path))
+    return {};
+  try {
+    const raw = readFileSync2(path, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed === "object" && parsed !== null) {
+      return parsed;
+    }
+  } catch {}
+  return {};
+}
+function writeJsonFile(path, data) {
+  const dir = dirname(path);
+  if (!existsSync2(dir)) {
+    mkdirSync2(dir, { recursive: true });
+  }
+  writeFileSync2(path, JSON.stringify(data, null, 2) + `
+`, "utf-8");
+}
+function registerMcpServer() {
+  const runtime = findRuntime();
+  const root = findPackageRoot();
+  const dist = isBuiltDist();
+  const serverPath = dist ? join2(root, "dist", "server.js") : join2(root, "src", "server.ts");
+  const config = readJsonFile(CLAUDE_JSON);
+  const servers = config["mcpServers"] ?? {};
+  servers["engrm"] = {
+    type: "stdio",
+    command: runtime,
+    args: dist ? [serverPath] : ["run", serverPath]
+  };
+  config["mcpServers"] = servers;
+  writeJsonFile(CLAUDE_JSON, config);
+  return { path: CLAUDE_JSON, added: true };
+}
+function registerHooks() {
+  const runtime = findRuntime();
+  const root = findPackageRoot();
+  const dist = isBuiltDist();
+  const hooksDir = dist ? join2(root, "dist", "hooks") : join2(root, "hooks");
+  const ext = dist ? ".js" : ".ts";
+  const runArg = dist ? [] : ["run"];
+  function hookCmd(name) {
+    return [runtime, ...runArg, join2(hooksDir, `${name}${ext}`)].join(" ");
+  }
+  const sessionStartCmd = hookCmd("session-start");
+  const preCompactCmd = hookCmd("pre-compact");
+  const preToolUseCmd = hookCmd("sentinel");
+  const postToolUseCmd = hookCmd("post-tool-use");
+  const elicitationResultCmd = hookCmd("elicitation-result");
+  const stopCmd = hookCmd("stop");
+  const settings = readJsonFile(CLAUDE_SETTINGS);
+  const hooks = settings["hooks"] ?? {};
+  hooks["SessionStart"] = replaceEngrmHook(hooks["SessionStart"], { hooks: [{ type: "command", command: sessionStartCmd }] }, "session-start");
+  hooks["PreCompact"] = replaceEngrmHook(hooks["PreCompact"], { hooks: [{ type: "command", command: preCompactCmd }] }, "pre-compact");
+  hooks["PreToolUse"] = replaceEngrmHook(hooks["PreToolUse"], {
+    matcher: "Edit|Write",
+    hooks: [{ type: "command", command: preToolUseCmd }]
+  }, "sentinel");
+  hooks["PostToolUse"] = replaceEngrmHook(hooks["PostToolUse"], {
+    matcher: "Edit|Write|Bash|Read|mcp__.*",
+    hooks: [{ type: "command", command: postToolUseCmd }]
+  }, "post-tool-use");
+  hooks["ElicitationResult"] = replaceEngrmHook(hooks["ElicitationResult"], {
+    hooks: [{ type: "command", command: elicitationResultCmd }]
+  }, "elicitation-result");
+  hooks["Stop"] = replaceEngrmHook(hooks["Stop"], { hooks: [{ type: "command", command: stopCmd }] }, "stop");
+  settings["hooks"] = hooks;
+  writeJsonFile(CLAUDE_SETTINGS, settings);
+  return { path: CLAUDE_SETTINGS, added: true };
+}
+function replaceEngrmHook(existing, newEntry, hookFilename) {
+  if (!existing || !Array.isArray(existing))
+    return [newEntry];
+  const isEngrmHook = (entry) => entry.hooks?.some((h) => h.command?.includes("engrm") || h.command?.includes(hookFilename)) ?? false;
+  const others = existing.filter((e) => !isEngrmHook(e));
+  return [...others, newEntry];
+}
+function registerAll() {
+  return {
+    mcp: registerMcpServer(),
+    hooks: registerHooks()
+  };
+}
+
+// src/packs/loader.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4, readdirSync } from "node:fs";
+import { join as join4, dirname as dirname2 } from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+
+// src/tools/save.ts
+import { relative, isAbsolute } from "node:path";
+
+// src/capture/scrubber.ts
+var DEFAULT_PATTERNS = [
+  {
+    source: "sk-[a-zA-Z0-9]{20,}",
+    flags: "g",
+    replacement: "[REDACTED_API_KEY]",
+    description: "OpenAI API keys",
+    category: "api_key",
+    severity: "critical"
+  },
+  {
+    source: "Bearer [a-zA-Z0-9\\-._~+/]+=*",
+    flags: "g",
+    replacement: "[REDACTED_BEARER]",
+    description: "Bearer auth tokens",
+    category: "token",
+    severity: "medium"
+  },
+  {
+    source: "password[=:]\\s*\\S+",
+    flags: "gi",
+    replacement: "password=[REDACTED]",
+    description: "Passwords in config",
+    category: "password",
+    severity: "high"
+  },
+  {
+    source: "postgresql://[^\\s]+",
+    flags: "g",
+    replacement: "[REDACTED_DB_URL]",
+    description: "PostgreSQL connection strings",
+    category: "db_url",
+    severity: "high"
+  },
+  {
+    source: "mongodb://[^\\s]+",
+    flags: "g",
+    replacement: "[REDACTED_DB_URL]",
+    description: "MongoDB connection strings",
+    category: "db_url",
+    severity: "high"
+  },
+  {
+    source: "mysql://[^\\s]+",
+    flags: "g",
+    replacement: "[REDACTED_DB_URL]",
+    description: "MySQL connection strings",
+    category: "db_url",
+    severity: "high"
+  },
+  {
+    source: "AKIA[A-Z0-9]{16}",
+    flags: "g",
+    replacement: "[REDACTED_AWS_KEY]",
+    description: "AWS access keys",
+    category: "api_key",
+    severity: "critical"
+  },
+  {
+    source: "ghp_[a-zA-Z0-9]{36}",
+    flags: "g",
+    replacement: "[REDACTED_GH_TOKEN]",
+    description: "GitHub personal access tokens",
+    category: "token",
+    severity: "high"
+  },
+  {
+    source: "gho_[a-zA-Z0-9]{36}",
+    flags: "g",
+    replacement: "[REDACTED_GH_TOKEN]",
+    description: "GitHub OAuth tokens",
+    category: "token",
+    severity: "high"
+  },
+  {
+    source: "github_pat_[a-zA-Z0-9_]{22,}",
+    flags: "g",
+    replacement: "[REDACTED_GH_TOKEN]",
+    description: "GitHub fine-grained PATs",
+    category: "token",
+    severity: "high"
+  },
+  {
+    source: "cvk_[a-f0-9]{64}",
+    flags: "g",
+    replacement: "[REDACTED_CANDENGO_KEY]",
+    description: "Candengo API keys",
+    category: "api_key",
+    severity: "critical"
+  },
+  {
+    source: "xox[bpras]-[a-zA-Z0-9\\-]+",
+    flags: "g",
+    replacement: "[REDACTED_SLACK_TOKEN]",
+    description: "Slack tokens",
+    category: "token",
+    severity: "high"
+  }
+];
+function compileCustomPatterns(patterns) {
+  const compiled = [];
+  for (const pattern of patterns) {
+    try {
+      new RegExp(pattern);
+      compiled.push({
+        source: pattern,
+        flags: "g",
+        replacement: "[REDACTED_CUSTOM]",
+        description: `Custom pattern: ${pattern}`,
+        category: "custom",
+        severity: "medium"
+      });
+    } catch {}
+  }
+  return compiled;
+}
+function scrubSecrets(text, customPatterns = []) {
+  let result = text;
+  const allPatterns = [...DEFAULT_PATTERNS, ...compileCustomPatterns(customPatterns)];
+  for (const pattern of allPatterns) {
+    result = result.replace(new RegExp(pattern.source, pattern.flags), pattern.replacement);
+  }
+  return result;
+}
+function containsSecrets(text, customPatterns = []) {
+  const allPatterns = [...DEFAULT_PATTERNS, ...compileCustomPatterns(customPatterns)];
+  for (const pattern of allPatterns) {
+    if (new RegExp(pattern.source, pattern.flags).test(text))
+      return true;
+  }
+  return false;
+}
+
+// src/capture/quality.ts
+var QUALITY_THRESHOLD = 0.1;
+function scoreQuality(input) {
+  let score = 0;
+  switch (input.type) {
+    case "bugfix":
+      score += 0.3;
+      break;
+    case "decision":
+      score += 0.3;
+      break;
+    case "discovery":
+      score += 0.2;
+      break;
+    case "pattern":
+      score += 0.2;
+      break;
+    case "feature":
+      score += 0.15;
+      break;
+    case "refactor":
+      score += 0.15;
+      break;
+    case "change":
+      score += 0.05;
+      break;
+    case "digest":
+      score += 0.3;
+      break;
+  }
+  if (input.narrative && input.narrative.length > 50) {
+    score += 0.15;
+  }
+  if (input.facts) {
+    try {
+      const factsArray = JSON.parse(input.facts);
+      if (factsArray.length >= 2)
+        score += 0.15;
+      else if (factsArray.length === 1)
+        score += 0.05;
+    } catch {
+      if (input.facts.length > 20)
+        score += 0.05;
+    }
+  }
+  if (input.concepts) {
+    try {
+      const conceptsArray = JSON.parse(input.concepts);
+      if (conceptsArray.length >= 1)
+        score += 0.1;
+    } catch {
+      if (input.concepts.length > 10)
+        score += 0.05;
+    }
+  }
+  const modifiedCount = input.filesModified?.length ?? 0;
+  if (modifiedCount >= 3)
+    score += 0.2;
+  else if (modifiedCount >= 1)
+    score += 0.1;
+  if (input.isDuplicate) {
+    score -= 0.3;
+  }
+  return Math.max(0, Math.min(1, score));
+}
+function meetsQualityThreshold(input) {
+  return scoreQuality(input) >= QUALITY_THRESHOLD;
+}
+
+// src/capture/dedup.ts
+function tokenise(text) {
+  const cleaned = text.toLowerCase().replace(/[^a-z0-9\s]/g, " ").trim();
+  const tokens = cleaned.split(/\s+/).filter((t) => t.length > 0);
+  return new Set(tokens);
+}
+function jaccardSimilarity(a, b) {
+  const tokensA = tokenise(a);
+  const tokensB = tokenise(b);
+  if (tokensA.size === 0 && tokensB.size === 0)
+    return 1;
+  if (tokensA.size === 0 || tokensB.size === 0)
+    return 0;
+  let intersectionSize = 0;
+  for (const token of tokensA) {
+    if (tokensB.has(token))
+      intersectionSize++;
+  }
+  const unionSize = tokensA.size + tokensB.size - intersectionSize;
+  if (unionSize === 0)
+    return 0;
+  return intersectionSize / unionSize;
+}
+var DEDUP_THRESHOLD = 0.8;
+function findDuplicate(newTitle, candidates) {
+  let bestMatch = null;
+  let bestScore = 0;
+  for (const candidate of candidates) {
+    const similarity = jaccardSimilarity(newTitle, candidate.title);
+    if (similarity > DEDUP_THRESHOLD && similarity > bestScore) {
+      bestScore = similarity;
+      bestMatch = candidate;
+    }
+  }
+  return bestMatch;
+}
+
+// src/storage/projects.ts
+import { execSync } from "node:child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "node:fs";
+import { basename, join as join3 } from "node:path";
+function normaliseGitRemoteUrl(remoteUrl) {
+  let url = remoteUrl.trim();
+  url = url.replace(/^(?:https?|ssh|git):\/\//, "");
+  url = url.replace(/^[^@]+@/, "");
+  url = url.replace(/^([^/:]+):(?!\d)/, "$1/");
+  url = url.replace(/\.git$/, "");
+  url = url.replace(/\/+$/, "");
+  const slashIndex = url.indexOf("/");
+  if (slashIndex !== -1) {
+    const host = url.substring(0, slashIndex).toLowerCase();
+    const path = url.substring(slashIndex);
+    url = host + path;
+  } else {
+    url = url.toLowerCase();
+  }
+  return url;
+}
+function projectNameFromCanonicalId(canonicalId) {
+  const parts = canonicalId.split("/");
+  return parts[parts.length - 1] ?? canonicalId;
+}
+function getGitRemoteUrl(directory) {
+  try {
+    const url = execSync("git remote get-url origin", {
+      cwd: directory,
+      encoding: "utf-8",
+      timeout: 5000,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    return url || null;
+  } catch {
+    try {
+      const remotes = execSync("git remote", {
+        cwd: directory,
+        encoding: "utf-8",
+        timeout: 5000,
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim().split(`
+`).filter(Boolean);
+      if (remotes.length === 0)
+        return null;
+      const url = execSync(`git remote get-url ${remotes[0]}`, {
+        cwd: directory,
+        encoding: "utf-8",
+        timeout: 5000,
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim();
+      return url || null;
+    } catch {
+      return null;
+    }
+  }
+}
+function readProjectConfigFile(directory) {
+  const configPath = join3(directory, ".engrm.json");
+  if (!existsSync3(configPath))
+    return null;
+  try {
+    const raw = readFileSync3(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed["project_id"] !== "string" || !parsed["project_id"]) {
+      return null;
+    }
+    return {
+      project_id: parsed["project_id"],
+      name: typeof parsed["name"] === "string" ? parsed["name"] : undefined
+    };
+  } catch {
+    return null;
+  }
+}
+function detectProject(directory) {
+  const remoteUrl = getGitRemoteUrl(directory);
+  if (remoteUrl) {
+    const canonicalId = normaliseGitRemoteUrl(remoteUrl);
+    return {
+      canonical_id: canonicalId,
+      name: projectNameFromCanonicalId(canonicalId),
+      remote_url: remoteUrl,
+      local_path: directory
+    };
+  }
+  const configFile = readProjectConfigFile(directory);
+  if (configFile) {
+    return {
+      canonical_id: configFile.project_id,
+      name: configFile.name ?? projectNameFromCanonicalId(configFile.project_id),
+      remote_url: null,
+      local_path: directory
+    };
+  }
+  const dirName = basename(directory);
+  return {
+    canonical_id: `local/${dirName}`,
+    name: dirName,
+    remote_url: null,
+    local_path: directory
+  };
+}
+
+// src/embeddings/embedder.ts
+var _available = null;
+var _pipeline = null;
+var MODEL_NAME = "Xenova/all-MiniLM-L6-v2";
+async function isEmbeddingAvailable() {
+  if (_available !== null)
+    return _available;
+  try {
+    await getPipeline();
+    return _available;
+  } catch {
+    _available = false;
+    return false;
+  }
+}
+async function embedText(text) {
+  const pipe = await getPipeline();
+  if (!pipe)
+    return null;
+  try {
+    const output = await pipe(text, { pooling: "mean", normalize: true });
+    return new Float32Array(output.data);
+  } catch {
+    return null;
+  }
+}
+function composeEmbeddingText(obs) {
+  const parts = [obs.title];
+  if (obs.narrative)
+    parts.push(obs.narrative);
+  if (obs.facts) {
+    try {
+      const facts = JSON.parse(obs.facts);
+      if (Array.isArray(facts) && facts.length > 0) {
+        parts.push(facts.map((f) => `- ${f}`).join(`
+`));
+      }
+    } catch {
+      parts.push(obs.facts);
+    }
+  }
+  if (obs.concepts) {
+    try {
+      const concepts = JSON.parse(obs.concepts);
+      if (Array.isArray(concepts) && concepts.length > 0) {
+        parts.push(concepts.join(", "));
+      }
+    } catch {}
+  }
+  return parts.join(`
+
+`);
+}
+async function getPipeline() {
+  if (_pipeline)
+    return _pipeline;
+  if (_available === false)
+    return null;
+  try {
+    const { pipeline } = await import("@xenova/transformers");
+    _pipeline = await pipeline("feature-extraction", MODEL_NAME);
+    _available = true;
+    return _pipeline;
+  } catch (err) {
+    _available = false;
+    console.error(`[engrm] Local embedding model unavailable: ${err instanceof Error ? err.message : String(err)}`);
+    return null;
+  }
+}
+
+// src/capture/recurrence.ts
+var DISTANCE_THRESHOLD = 0.15;
+async function detectRecurrence(db, config, observation) {
+  if (observation.type !== "bugfix") {
+    return { patternCreated: false };
+  }
+  if (!db.vecAvailable) {
+    return { patternCreated: false };
+  }
+  const text = composeEmbeddingText(observation);
+  const embedding = await embedText(text);
+  if (!embedding) {
+    return { patternCreated: false };
+  }
+  const vecResults = db.searchVec(embedding, null, ["active", "aging", "pinned"], 10);
+  for (const match of vecResults) {
+    if (match.observation_id === observation.id)
+      continue;
+    if (match.distance > DISTANCE_THRESHOLD)
+      continue;
+    const matched = db.getObservationById(match.observation_id);
+    if (!matched)
+      continue;
+    if (matched.type !== "bugfix")
+      continue;
+    if (matched.session_id === observation.session_id)
+      continue;
+    if (await patternAlreadyExists(db, observation, matched))
+      continue;
+    let matchedProjectName;
+    if (matched.project_id !== observation.project_id) {
+      const proj = db.getProjectById(matched.project_id);
+      if (proj)
+        matchedProjectName = proj.name;
+    }
+    const similarity = 1 - match.distance;
+    const result = await saveObservation(db, config, {
+      type: "pattern",
+      title: `Recurring bugfix: ${observation.title}`,
+      narrative: `This bug pattern has appeared in multiple sessions. Original: "${matched.title}" (session ${matched.session_id?.slice(0, 8) ?? "unknown"}). Latest: "${observation.title}". Similarity: ${(similarity * 100).toFixed(0)}%. Consider addressing the root cause.`,
+      facts: [
+        `First seen: ${matched.created_at.split("T")[0]}`,
+        `Recurred: ${observation.created_at.split("T")[0]}`,
+        `Similarity: ${(similarity * 100).toFixed(0)}%`
+      ],
+      concepts: mergeConceptsFromBoth(observation, matched),
+      cwd: process.cwd(),
+      session_id: observation.session_id ?? undefined
+    });
+    if (result.success && result.observation_id) {
+      return {
+        patternCreated: true,
+        patternId: result.observation_id,
+        matchedObservationId: matched.id,
+        matchedProjectName,
+        matchedTitle: matched.title,
+        similarity
+      };
+    }
+  }
+  return { patternCreated: false };
+}
+async function patternAlreadyExists(db, obs1, obs2) {
+  const recentPatterns = db.db.query(`SELECT * FROM observations
+       WHERE type = 'pattern' AND lifecycle IN ('active', 'aging', 'pinned')
+       AND title LIKE ?
+       ORDER BY created_at_epoch DESC LIMIT 5`).all(`%${obs1.title.slice(0, 30)}%`);
+  for (const p of recentPatterns) {
+    if (p.narrative?.includes(obs2.title.slice(0, 30)))
+      return true;
+  }
+  return false;
+}
+function mergeConceptsFromBoth(obs1, obs2) {
+  const concepts = new Set;
+  for (const obs of [obs1, obs2]) {
+    if (obs.concepts) {
+      try {
+        const parsed = JSON.parse(obs.concepts);
+        if (Array.isArray(parsed)) {
+          for (const c of parsed) {
+            if (typeof c === "string")
+              concepts.add(c);
+          }
+        }
+      } catch {}
+    }
+  }
+  return [...concepts];
+}
+
+// src/capture/conflict.ts
+var SIMILARITY_THRESHOLD = 0.25;
+async function detectDecisionConflict(db, observation) {
+  if (observation.type !== "decision") {
+    return { hasConflict: false };
+  }
+  if (!observation.narrative || observation.narrative.trim().length < 20) {
+    return { hasConflict: false };
+  }
+  if (db.vecAvailable) {
+    return detectViaVec(db, observation);
+  }
+  return detectViaFts(db, observation);
+}
+async function detectViaVec(db, observation) {
+  const text = composeEmbeddingText(observation);
+  const embedding = await embedText(text);
+  if (!embedding)
+    return { hasConflict: false };
+  const results = db.searchVec(embedding, observation.project_id, ["active", "aging", "pinned"], 10);
+  for (const match of results) {
+    if (match.observation_id === observation.id)
+      continue;
+    if (match.distance > SIMILARITY_THRESHOLD)
+      continue;
+    const existing = db.getObservationById(match.observation_id);
+    if (!existing)
+      continue;
+    if (existing.type !== "decision")
+      continue;
+    if (!existing.narrative)
+      continue;
+    const conflict = narrativesConflict(observation.narrative, existing.narrative);
+    if (conflict) {
+      return {
+        hasConflict: true,
+        conflictingId: existing.id,
+        conflictingTitle: existing.title,
+        reason: conflict
+      };
+    }
+  }
+  return { hasConflict: false };
+}
+async function detectViaFts(db, observation) {
+  const keywords = observation.title.split(/\s+/).filter((w) => w.length > 3).slice(0, 5).join(" ");
+  if (!keywords)
+    return { hasConflict: false };
+  const ftsResults = db.searchFts(keywords, observation.project_id, ["active", "aging", "pinned"], 10);
+  for (const match of ftsResults) {
+    if (match.id === observation.id)
+      continue;
+    const existing = db.getObservationById(match.id);
+    if (!existing)
+      continue;
+    if (existing.type !== "decision")
+      continue;
+    if (!existing.narrative)
+      continue;
+    const conflict = narrativesConflict(observation.narrative, existing.narrative);
+    if (conflict) {
+      return {
+        hasConflict: true,
+        conflictingId: existing.id,
+        conflictingTitle: existing.title,
+        reason: conflict
+      };
+    }
+  }
+  return { hasConflict: false };
+}
+function narrativesConflict(narrative1, narrative2) {
+  const n1 = narrative1.toLowerCase();
+  const n2 = narrative2.toLowerCase();
+  const opposingPairs = [
+    [["should use", "decided to use", "chose", "prefer", "went with"], ["should not", "decided against", "avoid", "rejected", "don't use"]],
+    [["enable", "turn on", "activate", "add"], ["disable", "turn off", "deactivate", "remove"]],
+    [["increase", "more", "higher", "scale up"], ["decrease", "less", "lower", "scale down"]],
+    [["keep", "maintain", "preserve"], ["replace", "migrate", "switch from", "deprecate"]]
+  ];
+  for (const [positive, negative] of opposingPairs) {
+    const n1HasPositive = positive.some((w) => n1.includes(w));
+    const n1HasNegative = negative.some((w) => n1.includes(w));
+    const n2HasPositive = positive.some((w) => n2.includes(w));
+    const n2HasNegative = negative.some((w) => n2.includes(w));
+    if (n1HasPositive && n2HasNegative || n1HasNegative && n2HasPositive) {
+      return "Narratives suggest opposing conclusions on a similar topic";
+    }
+  }
+  return null;
+}
+
+// src/tools/save.ts
+var VALID_TYPES = [
+  "bugfix",
+  "discovery",
+  "decision",
+  "pattern",
+  "change",
+  "feature",
+  "refactor",
+  "digest",
+  "standard"
+];
+async function saveObservation(db, config, input) {
+  if (!VALID_TYPES.includes(input.type)) {
+    return {
+      success: false,
+      reason: `Invalid type '${input.type}'. Must be one of: ${VALID_TYPES.join(", ")}`
+    };
+  }
+  if (!input.title || input.title.trim().length === 0) {
+    return { success: false, reason: "Title is required" };
+  }
+  const cwd = input.cwd ?? process.cwd();
+  const detected = detectProject(cwd);
+  const project = db.upsertProject({
+    canonical_id: detected.canonical_id,
+    name: detected.name,
+    local_path: detected.local_path,
+    remote_url: detected.remote_url
+  });
+  const customPatterns = config.scrubbing.enabled ? config.scrubbing.custom_patterns : [];
+  const title = config.scrubbing.enabled ? scrubSecrets(input.title, customPatterns) : input.title;
+  const narrative = input.narrative ? config.scrubbing.enabled ? scrubSecrets(input.narrative, customPatterns) : input.narrative : null;
+  const factsJson = input.facts ? config.scrubbing.enabled ? scrubSecrets(JSON.stringify(input.facts), customPatterns) : JSON.stringify(input.facts) : null;
+  const conceptsJson = input.concepts ? JSON.stringify(input.concepts) : null;
+  const filesRead = input.files_read ? input.files_read.map((f) => toRelativePath(f, cwd)) : null;
+  const filesModified = input.files_modified ? input.files_modified.map((f) => toRelativePath(f, cwd)) : null;
+  const filesReadJson = filesRead ? JSON.stringify(filesRead) : null;
+  const filesModifiedJson = filesModified ? JSON.stringify(filesModified) : null;
+  let sensitivity = input.sensitivity ?? config.scrubbing.default_sensitivity;
+  if (config.scrubbing.enabled && containsSecrets([input.title, input.narrative, JSON.stringify(input.facts)].filter(Boolean).join(" "), customPatterns)) {
+    if (sensitivity === "shared") {
+      sensitivity = "personal";
+    }
+  }
+  const oneDayAgo = Math.floor(Date.now() / 1000) - 86400;
+  const recentObs = db.getRecentObservations(project.id, oneDayAgo);
+  const candidates = recentObs.map((o) => ({
+    id: o.id,
+    title: o.title
+  }));
+  const duplicate = findDuplicate(title, candidates);
+  const qualityInput = {
+    type: input.type,
+    title,
+    narrative,
+    facts: factsJson,
+    concepts: conceptsJson,
+    filesRead,
+    filesModified,
+    isDuplicate: duplicate !== null
+  };
+  const qualityScore = scoreQuality(qualityInput);
+  if (!meetsQualityThreshold(qualityInput)) {
+    return {
+      success: false,
+      quality_score: qualityScore,
+      reason: `Quality score ${qualityScore.toFixed(2)} below threshold`
+    };
+  }
+  if (duplicate) {
+    return {
+      success: true,
+      merged_into: duplicate.id,
+      quality_score: qualityScore,
+      reason: `Merged into existing observation #${duplicate.id}`
+    };
+  }
+  const obs = db.insertObservation({
+    session_id: input.session_id ?? null,
+    project_id: project.id,
+    type: input.type,
+    title,
+    narrative,
+    facts: factsJson,
+    concepts: conceptsJson,
+    files_read: filesReadJson,
+    files_modified: filesModifiedJson,
+    quality: qualityScore,
+    lifecycle: "active",
+    sensitivity,
+    user_id: config.user_id,
+    device_id: config.device_id,
+    agent: input.agent ?? "claude-code"
+  });
+  db.addToOutbox("observation", obs.id);
+  if (db.vecAvailable) {
+    try {
+      const text = composeEmbeddingText(obs);
+      const embedding = await embedText(text);
+      if (embedding) {
+        db.vecInsert(obs.id, embedding);
+      }
+    } catch {}
+  }
+  let recallHint;
+  if (input.type === "bugfix") {
+    try {
+      const recurrence = await detectRecurrence(db, config, obs);
+      if (recurrence.patternCreated && recurrence.matchedTitle) {
+        const projectLabel = recurrence.matchedProjectName ? ` in ${recurrence.matchedProjectName}` : "";
+        recallHint = `You solved a similar issue${projectLabel}: "${recurrence.matchedTitle}"`;
+      }
+    } catch {}
+  }
+  let conflictWarning;
+  if (input.type === "decision") {
+    try {
+      const conflict = await detectDecisionConflict(db, obs);
+      if (conflict.hasConflict && conflict.conflictingTitle) {
+        conflictWarning = `Potential conflict with existing decision: "${conflict.conflictingTitle}" — ${conflict.reason}`;
+      }
+    } catch {}
+  }
+  return {
+    success: true,
+    observation_id: obs.id,
+    quality_score: qualityScore,
+    recall_hint: recallHint,
+    conflict_warning: conflictWarning
+  };
+}
+function toRelativePath(filePath, projectRoot) {
+  if (!isAbsolute(filePath))
+    return filePath;
+  const rel = relative(projectRoot, filePath);
+  if (rel.startsWith(".."))
+    return filePath;
+  return rel;
+}
+
+// src/packs/loader.ts
+function getPacksDir() {
+  const thisDir = dirname2(fileURLToPath2(import.meta.url));
+  return join4(thisDir, "..", "..", "packs");
+}
+function listPacks() {
+  const dir = getPacksDir();
+  if (!existsSync4(dir))
+    return [];
+  return readdirSync(dir).filter((f) => f.endsWith(".json")).map((f) => f.replace(/\.json$/, ""));
+}
+function loadPack(name) {
+  const filePath = join4(getPacksDir(), `${name}.json`);
+  if (!existsSync4(filePath))
+    return null;
+  try {
+    const raw = readFileSync4(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.name || !Array.isArray(parsed.observations))
+      return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function installPack(db, config, packName, cwd) {
+  const pack = loadPack(packName);
+  if (!pack) {
+    throw new Error(`Pack '${packName}' not found. Available: ${listPacks().join(", ") || "none"}`);
+  }
+  let installed = 0;
+  let skipped = 0;
+  for (const obs of pack.observations) {
+    const result = await saveObservation(db, config, {
+      type: obs.type,
+      title: obs.title,
+      narrative: obs.narrative,
+      facts: obs.facts,
+      concepts: obs.concepts,
+      cwd
+    });
+    if (result.success && result.observation_id) {
+      installed++;
+    } else {
+      skipped++;
+    }
+  }
+  return { installed, skipped, total: pack.observations.length };
+}
+
+// src/sentinel/rules.ts
+import { existsSync as existsSync5, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "node:fs";
+import { join as join5, dirname as dirname3 } from "node:path";
+import { fileURLToPath as fileURLToPath3 } from "node:url";
+function getRulePacksDir() {
+  const thisDir = dirname3(fileURLToPath3(import.meta.url));
+  return join5(thisDir, "rule-packs");
+}
+function listRulePacks() {
+  const dir = getRulePacksDir();
+  if (!existsSync5(dir))
+    return [];
+  return readdirSync2(dir).filter((f) => f.endsWith(".json")).map((f) => f.replace(/\.json$/, ""));
+}
+function loadRulePack(name) {
+  const filePath = join5(getRulePacksDir(), `${name}.json`);
+  if (!existsSync5(filePath))
+    return null;
+  try {
+    const raw = readFileSync5(filePath, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function installRulePacks(db, config, packNames) {
+  const names = packNames ?? listRulePacks();
+  let installed = 0;
+  let skipped = 0;
+  for (const name of names) {
+    const pack = loadRulePack(name);
+    if (!pack) {
+      skipped++;
+      continue;
+    }
+    for (const obs of pack.observations) {
+      const result = await saveObservation(db, config, {
+        type: obs.type,
+        title: obs.title,
+        narrative: obs.narrative,
+        facts: obs.facts,
+        concepts: obs.concepts ?? [name, "sentinel-standard"],
+        cwd: process.cwd()
+      });
+      if (result.success && result.observation_id) {
+        installed++;
+      } else {
+        skipped++;
+      }
+    }
+  }
+  return { installed, skipped };
+}
+
+// src/cli.ts
+var args = process.argv.slice(2);
+var command = args[0];
+switch (command) {
+  case "init":
+    await handleInit(args.slice(1));
+    break;
+  case "status":
+    handleStatus();
+    break;
+  case "install-pack":
+    await handleInstallPack(args.slice(1));
+    break;
+  case "packs":
+    handleListPacks();
+    break;
+  case "sentinel":
+    await handleSentinel(args.slice(1));
+    break;
+  default:
+    printUsage();
+    break;
+}
+async function handleInit(flags) {
+  const tokenFlag = flags.find((f) => f.startsWith("--token"));
+  if (tokenFlag) {
+    let token;
+    if (tokenFlag.includes("=")) {
+      token = tokenFlag.split("=")[1];
+    } else {
+      const idx = flags.indexOf("--token");
+      token = flags[idx + 1] ?? "";
+    }
+    if (!token || !token.startsWith("cmt_")) {
+      console.error("Error: --token requires a cmt_ provisioning token");
+      process.exit(1);
+    }
+    const url2 = extractUrlFlag(flags) ?? DEFAULT_CANDENGO_URL;
+    await initWithToken(url2, token);
+    await maybeInstallPack(flags);
+    return;
+  }
+  if (flags.includes("--config")) {
+    const configIndex = flags.indexOf("--config");
+    const configPath = flags[configIndex + 1];
+    if (!configPath) {
+      console.error("Error: --config requires a file path");
+      process.exit(1);
+    }
+    initFromFile(configPath);
+    return;
+  }
+  if (flags.includes("--manual")) {
+    await initManual();
+    return;
+  }
+  if (flags.includes("--no-browser")) {
+    console.error("Device code flow is not yet implemented.");
+    console.error("Use: engrm init --token=cmt_xxx");
+    process.exit(1);
+  }
+  const url = extractUrlFlag(flags) ?? DEFAULT_CANDENGO_URL;
+  await initWithBrowser(url);
+  await maybeInstallPack(flags);
+}
+async function maybeInstallPack(flags) {
+  const packFlag = flags.find((f) => f.startsWith("--pack"));
+  if (!packFlag)
+    return;
+  let packName;
+  if (packFlag.includes("=")) {
+    packName = packFlag.split("=")[1];
+  } else {
+    const idx = flags.indexOf("--pack");
+    packName = flags[idx + 1] ?? "";
+  }
+  if (!packName) {
+    console.error("--pack requires a pack name. Available: " + listPacks().join(", "));
+    return;
+  }
+  const config = loadConfig();
+  const db = new MemDatabase(getDbPath());
+  try {
+    console.log(`
+Installing starter pack: ${packName}...`);
+    const result = await installPack(db, config, packName, process.cwd());
+    console.log(`Loaded ${result.installed} observations from '${packName}' pack`);
+  } catch (error) {
+    console.error(`Pack install failed: ${error instanceof Error ? error.message : String(error)}`);
+  } finally {
+    db.close();
+  }
+}
+function extractUrlFlag(flags) {
+  const urlFlag = flags.find((f) => f.startsWith("--url"));
+  if (!urlFlag)
+    return;
+  if (urlFlag.includes("="))
+    return urlFlag.split("=")[1];
+  const idx = flags.indexOf("--url");
+  return flags[idx + 1];
+}
+async function initWithToken(baseUrl, token) {
+  if (configExists()) {
+    console.log(`Existing configuration found. Overwriting...
+`);
+  }
+  console.log("Exchanging provisioning token...");
+  try {
+    const result = await provision(baseUrl, {
+      token,
+      device_name: hostname2()
+    });
+    writeConfigFromProvision(baseUrl, result);
+    console.log(`
+Connected as ${result.user_email}`);
+    printPostInit();
+  } catch (error) {
+    if (error instanceof ProvisionError) {
+      console.error(`
+Provisioning failed: ${error.detail}`);
+      process.exit(1);
+    }
+    throw error;
+  }
+}
+async function initWithBrowser(baseUrl) {
+  if (configExists()) {
+    console.log(`Existing configuration found. Overwriting...
+`);
+  }
+  try {
+    const { code } = await runBrowserAuth(baseUrl);
+    console.log("Exchanging authorization code...");
+    const result = await provision(baseUrl, {
+      code,
+      device_name: hostname2()
+    });
+    writeConfigFromProvision(baseUrl, result);
+    console.log(`
+Connected as ${result.user_email}`);
+    printPostInit();
+  } catch (error) {
+    if (error instanceof ProvisionError) {
+      console.error(`
+Provisioning failed: ${error.detail}`);
+      process.exit(1);
+    }
+    console.error(`
+Authorization failed: ${error instanceof Error ? error.message : String(error)}`);
+    console.error("Try: engrm init --token=cmt_xxx");
+    process.exit(1);
+  }
+}
+function writeConfigFromProvision(baseUrl, result) {
+  ensureConfigDir();
+  const config = {
+    candengo_url: baseUrl,
+    candengo_api_key: result.api_key,
+    site_id: result.site_id,
+    namespace: result.namespace,
+    user_id: result.user_id,
+    user_email: result.user_email,
+    device_id: generateDeviceId2(),
+    teams: result.teams ?? [],
+    sync: {
+      enabled: true,
+      interval_seconds: 30,
+      batch_size: 50
+    },
+    search: {
+      default_limit: 10,
+      local_boost: 1.2,
+      scope: "all"
+    },
+    scrubbing: {
+      enabled: true,
+      custom_patterns: [],
+      default_sensitivity: "shared"
+    },
+    sentinel: {
+      enabled: false,
+      mode: "advisory",
+      provider: "openai",
+      model: "gpt-4o-mini",
+      api_key: "",
+      base_url: "",
+      skip_patterns: [],
+      daily_limit: 100,
+      tier: "free"
+    }
+  };
+  saveConfig(config);
+  const db = new MemDatabase(getDbPath());
+  db.close();
+  console.log(`Configuration saved to ${getSettingsPath()}`);
+  console.log(`Database initialised at ${getDbPath()}`);
+}
+function initFromFile(configPath) {
+  if (!existsSync6(configPath)) {
+    console.error(`Config file not found: ${configPath}`);
+    process.exit(1);
+  }
+  let parsed;
+  try {
+    const raw = readFileSync6(configPath, "utf-8");
+    parsed = JSON.parse(raw);
+  } catch {
+    console.error(`Invalid JSON in ${configPath}`);
+    process.exit(1);
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    console.error("Config file must contain a JSON object");
+    process.exit(1);
+  }
+  const input = parsed;
+  const required = [
+    "candengo_url",
+    "candengo_api_key",
+    "site_id",
+    "namespace",
+    "user_id"
+  ];
+  for (const field of required) {
+    if (typeof input[field] !== "string" || !input[field].trim()) {
+      console.error(`Missing required field: ${field}`);
+      process.exit(1);
+    }
+  }
+  ensureConfigDir();
+  const config = {
+    candengo_url: input["candengo_url"].trim(),
+    candengo_api_key: input["candengo_api_key"].trim(),
+    site_id: input["site_id"].trim(),
+    namespace: input["namespace"].trim(),
+    user_id: input["user_id"].trim(),
+    user_email: typeof input["user_email"] === "string" ? input["user_email"].trim() : "",
+    device_id: typeof input["device_id"] === "string" ? input["device_id"] : generateDeviceId2(),
+    teams: [],
+    sync: {
+      enabled: true,
+      interval_seconds: 30,
+      batch_size: 50
+    },
+    search: {
+      default_limit: 10,
+      local_boost: 1.2,
+      scope: "all"
+    },
+    scrubbing: {
+      enabled: true,
+      custom_patterns: [],
+      default_sensitivity: "shared"
+    },
+    sentinel: {
+      enabled: false,
+      mode: "advisory",
+      provider: "openai",
+      model: "gpt-4o-mini",
+      api_key: "",
+      base_url: "",
+      skip_patterns: [],
+      daily_limit: 100,
+      tier: "free"
+    }
+  };
+  saveConfig(config);
+  const db = new MemDatabase(getDbPath());
+  db.close();
+  console.log(`Configuration saved to ${getSettingsPath()}`);
+  console.log(`Database initialised at ${getDbPath()}`);
+  printPostInit();
+}
+async function initManual() {
+  const prompt = createPrompter();
+  console.log(`Engrm \u2014 Interactive Setup
+`);
+  if (configExists()) {
+    const overwrite = await prompt("Config already exists. Overwrite? [y/N]: ");
+    if (overwrite.toLowerCase() !== "y") {
+      console.log("Aborted.");
+      return;
+    }
+  }
+  const candengoUrl = await prompt("Candengo Vector URL (e.g. https://www.candengo.com): ");
+  const apiKey = await prompt("API key (cvk_...): ");
+  const siteId = await prompt("Site ID: ");
+  const namespace = await prompt("Namespace: ");
+  const userId = await prompt("User ID: ");
+  const userEmail = await prompt("Email (optional): ");
+  if (!candengoUrl || !apiKey || !siteId || !namespace || !userId) {
+    console.error("All fields (except email) are required.");
+    process.exit(1);
+  }
+  ensureConfigDir();
+  const config = {
+    candengo_url: candengoUrl.trim(),
+    candengo_api_key: apiKey.trim(),
+    site_id: siteId.trim(),
+    namespace: namespace.trim(),
+    user_id: userId.trim(),
+    user_email: userEmail.trim(),
+    device_id: generateDeviceId2(),
+    teams: [],
+    sync: {
+      enabled: true,
+      interval_seconds: 30,
+      batch_size: 50
+    },
+    search: {
+      default_limit: 10,
+      local_boost: 1.2,
+      scope: "all"
+    },
+    scrubbing: {
+      enabled: true,
+      custom_patterns: [],
+      default_sensitivity: "shared"
+    },
+    sentinel: {
+      enabled: false,
+      mode: "advisory",
+      provider: "openai",
+      model: "gpt-4o-mini",
+      api_key: "",
+      base_url: "",
+      skip_patterns: [],
+      daily_limit: 100,
+      tier: "free"
+    }
+  };
+  saveConfig(config);
+  const db = new MemDatabase(getDbPath());
+  db.close();
+  console.log(`
+Configuration saved to ${getSettingsPath()}`);
+  console.log(`Database initialised at ${getDbPath()}`);
+  printPostInit();
+}
+function handleStatus() {
+  if (!configExists()) {
+    console.log("Engrm is not configured.");
+    console.log("Run: npx engrm init");
+    return;
+  }
+  const config = loadConfig();
+  console.log(`Engrm Status
+`);
+  console.log("  Account");
+  console.log(`    User:          ${config.user_id}`);
+  if (config.user_email) {
+    console.log(`    Email:         ${config.user_email}`);
+  }
+  console.log(`    Device:        ${config.device_id}`);
+  if (config.teams.length > 0) {
+    console.log(`    Teams:         ${config.teams.map((t) => t.name).join(", ")}`);
+  }
+  const tierLabels = {
+    free: "Free",
+    vibe: "Vibe ($9/mo)",
+    solo: "Vibe ($9/mo)",
+    pro: "Pro ($15/mo)",
+    team: "Team",
+    enterprise: "Enterprise"
+  };
+  const tier = config.sentinel?.tier ?? "free";
+  console.log(`    Plan:          ${tierLabels[tier] ?? tier}`);
+  console.log(`
+  Integration`);
+  console.log(`    Candengo:      ${config.candengo_url || "(not set)"}`);
+  console.log(`    Sync:          ${config.sync.enabled ? "enabled" : "disabled"}`);
+  const claudeJson = join6(homedir3(), ".claude.json");
+  const claudeSettings = join6(homedir3(), ".claude", "settings.json");
+  const mcpRegistered = existsSync6(claudeJson) && readFileSync6(claudeJson, "utf-8").includes('"engrm"');
+  const settingsContent = existsSync6(claudeSettings) ? readFileSync6(claudeSettings, "utf-8") : "";
+  const hooksRegistered = settingsContent.includes("engrm") || settingsContent.includes("session-start");
+  let hookCount = 0;
+  if (hooksRegistered) {
+    try {
+      const settings = JSON.parse(settingsContent);
+      const hooks = settings?.hooks ?? {};
+      for (const entries of Object.values(hooks)) {
+        if (Array.isArray(entries)) {
+          for (const entry of entries) {
+            const e = entry;
+            if (e.hooks?.some((h) => h.command?.includes("engrm") || h.command?.includes("session-start") || h.command?.includes("sentinel") || h.command?.includes("post-tool-use") || h.command?.includes("pre-compact") || h.command?.includes("stop") || h.command?.includes("elicitation"))) {
+              hookCount++;
+            }
+          }
+        }
+      }
+    } catch {}
+  }
+  console.log(`    MCP server:    ${mcpRegistered ? "registered" : "not registered"}`);
+  console.log(`    Hooks:         ${hooksRegistered ? `registered (${hookCount || "?"} hooks)` : "not registered"}`);
+  if (config.sentinel?.enabled) {
+    console.log(`
+  Sentinel`);
+    console.log(`    Mode:          ${config.sentinel.mode}`);
+    console.log(`    Daily limit:   ${config.sentinel.daily_limit}`);
+    if (config.sentinel.provider) {
+      console.log(`    Provider:      ${config.sentinel.provider}${config.sentinel.model ? ` (${config.sentinel.model})` : ""}`);
+    }
+    if (existsSync6(getDbPath())) {
+      try {
+        const db = new MemDatabase(getDbPath());
+        const todayStart = Math.floor(new Date().setHours(0, 0, 0, 0) / 1000);
+        const todayAudits = db.db.query("SELECT COUNT(*) as count FROM security_findings WHERE finding_type LIKE 'sentinel_%' AND created_at_epoch >= ?").get(todayStart)?.count ?? 0;
+        console.log(`    Today:         ${todayAudits}/${config.sentinel.daily_limit} audits`);
+        db.close();
+      } catch {}
+    }
+  } else {
+    console.log(`
+  Sentinel:        disabled`);
+  }
+  if (existsSync6(getDbPath())) {
+    try {
+      const db = new MemDatabase(getDbPath());
+      const obsCount = db.getActiveObservationCount();
+      const outbox = getOutboxStats(db);
+      console.log(`
+  Memory`);
+      console.log(`    Observations:  ${obsCount.toLocaleString()} active`);
+      try {
+        const byType = db.db.query(`SELECT type, COUNT(*) as count FROM observations
+             WHERE lifecycle IN ('active', 'aging', 'pinned') AND superseded_by IS NULL
+             GROUP BY type ORDER BY count DESC`).all();
+        if (byType.length > 0) {
+          const typeParts = byType.map((t) => `${t.type}: ${t.count}`);
+          console.log(`    By type:       ${typeParts.join(", ")}`);
+        }
+      } catch {}
+      const summaryCount = db.db.query("SELECT COUNT(*) as count FROM session_summaries").get()?.count ?? 0;
+      console.log(`    Sessions:      ${summaryCount} summarised`);
+      try {
+        const lastSummary = db.db.query(`SELECT request, created_at_epoch FROM session_summaries
+             ORDER BY created_at_epoch DESC LIMIT 1`).get();
+        if (lastSummary) {
+          const label = lastSummary.request ? lastSummary.request.length > 50 ? lastSummary.request.slice(0, 47) + "..." : lastSummary.request : "(no request recorded)";
+          const ago = formatTimeAgo(lastSummary.created_at_epoch);
+          console.log(`    Last session:  ${label} (${ago})`);
+        }
+      } catch {}
+      try {
+        const packs = db.getInstalledPacks();
+        if (packs.length > 0) {
+          console.log(`    Packs:         ${packs.join(", ")}`);
+        }
+      } catch {}
+      console.log(`
+  Sync`);
+      console.log(`    Outbox:        ${outbox["pending"] ?? 0} pending, ${outbox["failed"] ?? 0} failed, ${outbox["synced"] ?? 0} synced`);
+      try {
+        const lastPush = db.db.query("SELECT value FROM sync_state WHERE key = ?").get("last_push_epoch");
+        const lastPull = db.db.query("SELECT value FROM sync_state WHERE key = ?").get("last_pull_epoch");
+        console.log(`    Last push:     ${formatSyncTime(lastPush?.value)}`);
+        console.log(`    Last pull:     ${formatSyncTime(lastPull?.value)}`);
+      } catch {}
+      try {
+        const findings = db.db.query("SELECT severity, COUNT(*) as count FROM security_findings GROUP BY severity").all();
+        if (findings.length > 0) {
+          const bySeverity = Object.fromEntries(findings.map((f) => [f.severity, f.count]));
+          const total = findings.reduce((s, f) => s + f.count, 0);
+          const parts = [];
+          if (bySeverity["critical"])
+            parts.push(`${bySeverity["critical"]} critical`);
+          if (bySeverity["high"])
+            parts.push(`${bySeverity["high"]} high`);
+          if (bySeverity["medium"])
+            parts.push(`${bySeverity["medium"]} medium`);
+          if (bySeverity["low"])
+            parts.push(`${bySeverity["low"]} low`);
+          console.log(`
+  Security:        ${total} finding${total === 1 ? "" : "s"} (${parts.join(", ")})`);
+        }
+      } catch {}
+      db.close();
+    } catch (error) {
+      console.log(`
+  Database error: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  console.log(`
+  Files`);
+  console.log(`    Config:        ${getSettingsPath()}`);
+  console.log(`    Database:      ${getDbPath()}`);
+}
+function formatTimeAgo(epoch) {
+  const ago = Math.floor(Date.now() / 1000) - epoch;
+  if (ago < 60)
+    return `${ago}s ago`;
+  if (ago < 3600)
+    return `${Math.floor(ago / 60)}m ago`;
+  if (ago < 86400)
+    return `${Math.floor(ago / 3600)}h ago`;
+  return `${Math.floor(ago / 86400)}d ago`;
+}
+function formatSyncTime(epochStr) {
+  if (!epochStr)
+    return "never";
+  const epoch = parseInt(epochStr, 10);
+  if (isNaN(epoch) || epoch === 0)
+    return "never";
+  return formatTimeAgo(epoch);
+}
+function ensureConfigDir() {
+  const dir = getConfigDir();
+  if (!existsSync6(dir)) {
+    mkdirSync3(dir, { recursive: true });
+  }
+}
+function generateDeviceId2() {
+  const host = hostname2().toLowerCase().replace(/[^a-z0-9-]/g, "");
+  const suffix = randomBytes3(4).toString("hex");
+  return `${host}-${suffix}`;
+}
+async function handleInstallPack(flags) {
+  const packName = flags[0];
+  if (!packName) {
+    console.error("Usage: engrm install-pack <name>");
+    console.error(`Available: ${listPacks().join(", ") || "none"}`);
+    process.exit(1);
+  }
+  if (!configExists()) {
+    console.error("Engrm is not configured. Run: engrm init");
+    process.exit(1);
+  }
+  const config = loadConfig();
+  const db = new MemDatabase(getDbPath());
+  try {
+    console.log(`Installing pack: ${packName}...`);
+    const result = await installPack(db, config, packName, process.cwd());
+    console.log(`Installed ${result.installed}/${result.total} observations (${result.skipped} skipped)`);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  } finally {
+    db.close();
+  }
+}
+async function handleSentinel(flags) {
+  const subcommand = flags[0];
+  if (subcommand === "init-rules") {
+    if (!configExists()) {
+      console.error("Engrm is not configured. Run: engrm init");
+      process.exit(1);
+    }
+    const config = loadConfig();
+    const db = new MemDatabase(getDbPath());
+    try {
+      const packNames = flags.slice(1);
+      const names = packNames.length > 0 ? packNames : undefined;
+      console.log(`Installing Sentinel rule packs: ${(names ?? listRulePacks()).join(", ")}...`);
+      const result = await installRulePacks(db, config, names);
+      console.log(`Installed ${result.installed} standards (${result.skipped} skipped)`);
+    } catch (error) {
+      console.error(error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    } finally {
+      db.close();
+    }
+    return;
+  }
+  if (subcommand === "rules") {
+    const packs = listRulePacks();
+    console.log(`Available Sentinel rule packs:
+`);
+    for (const name of packs) {
+      console.log(`  ${name}`);
+    }
+    console.log(`
+Install all: engrm sentinel init-rules`);
+    console.log(`Install one: engrm sentinel init-rules <name>`);
+    return;
+  }
+  console.log(`Sentinel \u2014 Real-time AI code audit
+`);
+  console.log("Commands:");
+  console.log("  engrm sentinel init-rules           Install all rule packs");
+  console.log("  engrm sentinel init-rules <name>     Install specific pack");
+  console.log("  engrm sentinel rules                 List available rule packs");
+}
+function handleListPacks() {
+  const packs = listPacks();
+  if (packs.length === 0) {
+    console.log("No starter packs available.");
+    return;
+  }
+  console.log(`Available starter packs:
+`);
+  for (const name of packs) {
+    console.log(`  ${name}`);
+  }
+  console.log(`
+Install with: engrm install-pack <name>`);
+}
+function printPostInit() {
+  console.log(`
+Registering with Claude Code...`);
+  try {
+    const result = registerAll();
+    console.log(`  MCP server registered \u2192 ${result.mcp.path}`);
+    console.log(`  Hooks registered \u2192 ${result.hooks.path}`);
+    console.log(`
+Engrm is ready! Start a new Claude Code session to use memory.`);
+  } catch (error) {
+    console.log(`
+Could not auto-register with Claude Code.`);
+    console.log(`Error: ${error instanceof Error ? error.message : String(error)}`);
+    console.log(`
+Manual setup \u2014 add to ~/.claude.json:`);
+    console.log(`
+{
+  "mcpServers": {
+    "engrm": {
+      "type": "stdio",
+      "command": "bun",
+      "args": ["run", "${process.cwd()}/src/server.ts"]
+    }
+  }
+}`);
+  }
+}
+function printUsage() {
+  console.log(`Engrm \u2014 Memory layer for AI coding agents
+`);
+  console.log("Usage:");
+  console.log("  engrm init                  Setup via browser (recommended)");
+  console.log("  engrm init --token=cmt_xxx  Setup from provisioning token");
+  console.log("  engrm init --pack=<name>    Setup + install a starter pack");
+  console.log("  engrm init --no-browser     Setup via device code (SSH/headless)");
+  console.log("  engrm init --manual         Manual setup (enter all values)");
+  console.log("  engrm init --config <file>  Setup from JSON file");
+  console.log("  engrm status                Show status");
+  console.log("  engrm packs                 List available starter packs");
+  console.log("  engrm install-pack <name>   Install a starter pack");
+  console.log("  engrm sentinel              Sentinel code audit commands");
+  console.log("  engrm sentinel init-rules   Install Sentinel rule packs");
+}
+function createPrompter() {
+  return async (question) => {
+    process.stdout.write(question);
+    for await (const chunk of process.stdin) {
+      const line = (typeof chunk === "string" ? chunk : Buffer.from(chunk).toString()).trim();
+      return line;
+    }
+    return "";
+  };
+}