failproofai 0.0.6-beta.2 → 0.0.6-beta.4

package/.next/standalone/dist/cli.mjs

@@ -1,3595 +0,0 @@
-#!/usr/bin/env node
-var __defProp = Object.defineProperty;
-var __returnValue = (v) => v;
-function __exportSetter(name, newValue) {
-  this[name] = __returnValue.bind(null, newValue);
-}
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, {
-      get: all[name],
-      enumerable: true,
-      configurable: true,
-      set: __exportSetter.bind(all, name)
-    });
-};
-var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-
-// src/hooks/hook-logger.ts
-import {
-  appendFileSync,
-  renameSync,
-  mkdirSync,
-  existsSync,
-  statSync
-} from "node:fs";
-import { join } from "node:path";
-import { homedir } from "node:os";
-function ensureResolved() {
-  if (resolved)
-    return;
-  resolved = true;
-  const rawLevel = (process.env.FAILPROOFAI_LOG_LEVEL ?? "").toLowerCase();
-  if (rawLevel === "info" || rawLevel === "warn" || rawLevel === "error") {
-    currentLevel = rawLevel;
-  }
-  const rawFile = (process.env.FAILPROOFAI_HOOK_LOG_FILE ?? "").trim();
-  if (rawFile) {
-    fileLoggingEnabled = true;
-    if (rawFile !== "1" && rawFile !== "true") {
-      logDir = rawFile;
-    }
-  }
-}
-function shouldEmit(level) {
-  ensureResolved();
-  return LEVEL_ORDER[level] >= LEVEL_ORDER[currentLevel];
-}
-function emitStderr(label, msg) {
-  process.stderr.write(`[failproofai:hook] ${label} ${msg}
-`);
-}
-function ensureLogDir() {
-  if (!existsSync(logDir)) {
-    mkdirSync(logDir, { recursive: true });
-  }
-}
-function rotateIfNeeded(filePath) {
-  try {
-    const stats = statSync(filePath);
-    if (stats.size >= MAX_FILE_SIZE) {
-      const archiveName = `hooks-${Date.now()}.log`;
-      renameSync(filePath, join(logDir, archiveName));
-    }
-  } catch {}
-}
-function appendToFile(label, msg) {
-  if (!fileLoggingEnabled)
-    return;
-  try {
-    ensureLogDir();
-    const filePath = join(logDir, LOG_FILENAME);
-    rotateIfNeeded(filePath);
-    const timestamp = new Date().toISOString();
-    const line = `[${timestamp}] ${label} ${msg}
-`;
-    appendFileSync(filePath, line, "utf-8");
-  } catch {}
-}
-function hookLogInfo(msg) {
-  if (!shouldEmit("info"))
-    return;
-  emitStderr("INFO", msg);
-  appendToFile("INFO", msg);
-}
-function hookLogWarn(msg) {
-  if (!shouldEmit("warn"))
-    return;
-  emitStderr("WARN", msg);
-  appendToFile("WARN", msg);
-}
-function hookLogError(msg) {
-  if (!shouldEmit("error"))
-    return;
-  emitStderr("ERROR", msg);
-  appendToFile("ERROR", msg);
-}
-var LEVEL_ORDER, MAX_FILE_SIZE, LOG_FILENAME = "hooks.log", DEFAULT_LOG_DIR, resolved = false, currentLevel = "warn", fileLoggingEnabled = false, logDir;
-var init_hook_logger = __esm(() => {
-  LEVEL_ORDER = { info: 0, warn: 1, error: 2 };
-  MAX_FILE_SIZE = 512 * 1024;
-  DEFAULT_LOG_DIR = join(homedir(), ".failproofai", "logs");
-  logDir = DEFAULT_LOG_DIR;
-});
-
-// src/hooks/hooks-config.ts
-import { readFileSync, writeFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "node:fs";
-import { resolve, dirname } from "node:path";
-import { homedir as homedir2 } from "node:os";
-function readConfigAt(path) {
-  if (!existsSync2(path))
-    return {};
-  try {
-    const raw = readFileSync(path, "utf8");
-    return JSON.parse(raw);
-  } catch (err) {
-    hookLogWarn(`failed to parse config at ${path}: ${err instanceof Error ? err.message : String(err)}`);
-    return {};
-  }
-}
-function readMergedHooksConfig(cwd) {
-  const base = cwd ? resolve(cwd) : process.cwd();
-  const projectPath = resolve(base, ".failproofai", "policies-config.json");
-  const localPath = resolve(base, ".failproofai", "policies-config.local.json");
-  const globalPath = resolve(homedir2(), ".failproofai", "policies-config.json");
-  const project = readConfigAt(projectPath);
-  const local = readConfigAt(localPath);
-  const global_ = readConfigAt(globalPath);
-  const enabledSet = new Set([
-    ...project.enabledPolicies ?? [],
-    ...local.enabledPolicies ?? [],
-    ...global_.enabledPolicies ?? []
-  ]);
-  const mergedParams = {};
-  for (const scope of [project, local, global_]) {
-    if (!scope.policyParams)
-      continue;
-    for (const [policyName, params] of Object.entries(scope.policyParams)) {
-      if (!(policyName in mergedParams)) {
-        mergedParams[policyName] = params;
-      }
-    }
-  }
-  const customPoliciesPath = project.customPoliciesPath ?? local.customPoliciesPath ?? global_.customPoliciesPath;
-  const llm = project.llm ?? local.llm ?? global_.llm;
-  return {
-    enabledPolicies: [...enabledSet],
-    ...Object.keys(mergedParams).length > 0 ? { policyParams: mergedParams } : {},
-    ...customPoliciesPath !== undefined ? { customPoliciesPath } : {},
-    ...llm !== undefined ? { llm } : {}
-  };
-}
-function getConfigPathForScope(scope, cwd) {
-  const base = cwd ? resolve(cwd) : process.cwd();
-  switch (scope) {
-    case "user":
-      return resolve(homedir2(), ".failproofai", "policies-config.json");
-    case "project":
-      return resolve(base, ".failproofai", "policies-config.json");
-    case "local":
-      return resolve(base, ".failproofai", "policies-config.local.json");
-  }
-}
-function readScopedHooksConfig(scope, cwd) {
-  const configPath = getConfigPathForScope(scope, cwd);
-  if (!existsSync2(configPath)) {
-    return { enabledPolicies: [] };
-  }
-  try {
-    const raw = readFileSync(configPath, "utf8");
-    return JSON.parse(raw);
-  } catch (err) {
-    hookLogWarn(`failed to parse config at ${configPath}: ${err instanceof Error ? err.message : String(err)}`);
-    return { enabledPolicies: [] };
-  }
-}
-function writeScopedHooksConfig(config, scope, cwd) {
-  const configPath = getConfigPathForScope(scope, cwd);
-  const dir = dirname(configPath);
-  if (!existsSync2(dir)) {
-    mkdirSync2(dir, { recursive: true });
-  }
-  writeFileSync(configPath, JSON.stringify(config, null, 2) + `
-`, "utf8");
-}
-var init_hooks_config = __esm(() => {
-  init_hook_logger();
-});
-
-// src/hooks/policy-helpers.ts
-function allow(reason) {
-  return reason ? { decision: "allow", reason } : { decision: "allow" };
-}
-function deny(reason) {
-  return { decision: "deny", reason };
-}
-function instruct(reason) {
-  return { decision: "instruct", reason };
-}
-
-// src/hooks/policy-registry.ts
-function getIndexCache() {
-  return globalThis[INDEX_CACHE_KEY];
-}
-function setIndexCache(cache) {
-  globalThis[INDEX_CACHE_KEY] = cache;
-}
-function getRegistry() {
-  const g = globalThis;
-  if (!g[REGISTRY_KEY]) {
-    g[REGISTRY_KEY] = [];
-  }
-  return g[REGISTRY_KEY];
-}
-function registerPolicy(name, description, fn, match, priority = 0) {
-  const registry = getRegistry();
-  const idx = registry.findIndex((p) => p.name === name);
-  const entry = { name, description, fn, match, priority };
-  if (idx >= 0) {
-    registry[idx] = entry;
-  } else {
-    registry.push(entry);
-  }
-  setIndexCache(null);
-}
-function getPoliciesForEvent(eventType, toolName) {
-  let cache = getIndexCache();
-  if (!cache) {
-    cache = new Map;
-    setIndexCache(cache);
-  }
-  const key = `${eventType}:${toolName ?? ""}`;
-  const cached = cache.get(key);
-  if (cached)
-    return cached;
-  const result = getRegistry().filter((p) => {
-    if (p.match.events && p.match.events.length > 0) {
-      if (!p.match.events.includes(eventType))
-        return false;
-    }
-    if (p.match.toolNames && p.match.toolNames.length > 0) {
-      if (!toolName || !p.match.toolNames.includes(toolName))
-        return false;
-    }
-    return true;
-  }).sort((a, b) => b.priority - a.priority);
-  cache.set(key, result);
-  return result;
-}
-function clearPolicies() {
-  const g = globalThis;
-  g[REGISTRY_KEY] = [];
-  setIndexCache(null);
-}
-var REGISTRY_KEY = "__FAILPROOFAI_POLICY_REGISTRY__", INDEX_CACHE_KEY = "__FAILPROOFAI_POLICY_INDEX_CACHE__";
-
-// src/hooks/builtin-policies.ts
-import { resolve as resolve2, join as join2 } from "node:path";
-import { readFile, writeFile } from "node:fs/promises";
-import { execSync, execFileSync } from "node:child_process";
-import { homedir as homedir3 } from "node:os";
-function isClaudeInternalPath(resolved2) {
-  const claudeDir = join2(homedir3(), ".claude");
-  return resolved2 === claudeDir || resolved2.startsWith(claudeDir + "/");
-}
-function isClaudeSettingsFile(resolved2) {
-  return /[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved2);
-}
-function getCommand(ctx) {
-  return ctx.toolInput?.command ?? "";
-}
-function getFilePath(ctx) {
-  return ctx.toolInput?.file_path ?? "";
-}
-function parseArgvTokens(cmd) {
-  return cmd.trim().split(/\s+/).map((t) => t.replace(/^['"]|['"]$/g, ""));
-}
-function getCurrentBranch(cwd) {
-  try {
-    let branch = gitBranchCache.get(cwd);
-    if (branch === undefined) {
-      branch = execSync("git rev-parse --abbrev-ref HEAD", {
-        cwd,
-        encoding: "utf8",
-        timeout: 3000
-      }).trim();
-      gitBranchCache.set(cwd, branch);
-    }
-    return branch || null;
-  } catch {
-    return null;
-  }
-}
-function getHeadSha(cwd) {
-  try {
-    const sha = execSync("git rev-parse HEAD", {
-      cwd,
-      encoding: "utf8",
-      timeout: 3000
-    }).trim();
-    return sha || null;
-  } catch {
-    return null;
-  }
-}
-function getThirdPartyCheckRuns(cwd, sha) {
-  try {
-    const json = execFileSync("gh", [
-      "api",
-      `repos/{owner}/{repo}/commits/${sha}/check-runs`,
-      "--jq",
-      '.check_runs | map(select(.app.slug != "github-actions")) | map({name: .name, status: .status, conclusion: (.conclusion // "")})'
-    ], {
-      cwd,
-      encoding: "utf8",
-      timeout: 15000
-    }).trim();
-    if (!json || json === "[]")
-      return [];
-    return JSON.parse(json);
-  } catch {
-    return [];
-  }
-}
-function getCommitStatuses(cwd, sha) {
-  try {
-    const json = execFileSync("gh", [
-      "api",
-      `repos/{owner}/{repo}/commits/${sha}/statuses`,
-      "--jq",
-      "map({name: .context, state: .state}) | unique_by(.name)"
-    ], {
-      cwd,
-      encoding: "utf8",
-      timeout: 15000
-    }).trim();
-    if (!json || json === "[]")
-      return [];
-    const statuses = JSON.parse(json);
-    return statuses.map((s) => ({
-      name: s.name,
-      status: s.state === "pending" ? "in_progress" : "completed",
-      conclusion: s.state === "pending" ? "" : s.state === "success" ? "success" : "failure"
-    }));
-  } catch {
-    return [];
-  }
-}
-function matchesAllowedPattern(cmd, pattern) {
-  const cmdTokens = parseArgvTokens(cmd);
-  const patTokens = parseArgvTokens(pattern);
-  if (cmdTokens.length < patTokens.length)
-    return false;
-  if (cmdTokens.some((tok) => SHELL_OPERATORS.has(tok)))
-    return false;
-  if (cmdTokens.some((tok) => SHELL_METACHAR_RE.test(tok)))
-    return false;
-  return patTokens.every((tok, i) => tok === "*" || tok === cmdTokens[i]);
-}
-function sanitizeJwt(ctx) {
-  const output = JSON.stringify(ctx.payload);
-  if (JWT_RE.test(output)) {
-    return {
-      decision: "deny",
-      reason: "JWT token detected in tool output",
-      message: "[REDACTED: JWT token removed by failproofai]"
-    };
-  }
-  return allow();
-}
-function sanitizeApiKeys(ctx) {
-  const output = JSON.stringify(ctx.payload);
-  for (const [pattern, label] of API_KEY_PATTERNS) {
-    if (pattern.test(output)) {
-      return {
-        decision: "deny",
-        reason: `${label} detected in tool output`,
-        message: `[REDACTED: ${label} removed by failproofai]`
-      };
-    }
-  }
-  const additional = ctx.params?.additionalPatterns ?? [];
-  for (const { regex, label } of additional) {
-    try {
-      if (new RegExp(regex).test(output)) {
-        return {
-          decision: "deny",
-          reason: `${label} detected in tool output`,
-          message: `[REDACTED: ${label} removed by failproofai]`
-        };
-      }
-    } catch {
-      hookLogWarn(`additionalPatterns: invalid regex "${regex}", skipping`);
-    }
-  }
-  return allow();
-}
-function sanitizeConnectionStrings(ctx) {
-  const output = JSON.stringify(ctx.payload);
-  if (CONNECTION_STRING_RE.test(output)) {
-    return {
-      decision: "deny",
-      reason: "Database connection string with credentials detected in tool output",
-      message: "[REDACTED: connection string removed by failproofai]"
-    };
-  }
-  return allow();
-}
-function sanitizePrivateKeyContent(ctx) {
-  const output = JSON.stringify(ctx.payload);
-  if (PRIVATE_KEY_RE.test(output)) {
-    return {
-      decision: "deny",
-      reason: "Private key content detected in tool output",
-      message: "[REDACTED: private key content removed by failproofai]"
-    };
-  }
-  return allow();
-}
-function sanitizeBearerTokens(ctx) {
-  const output = JSON.stringify(ctx.payload);
-  if (BEARER_TOKEN_RE.test(output)) {
-    return {
-      decision: "deny",
-      reason: "Bearer token detected in tool output",
-      message: "[REDACTED: Bearer token removed by failproofai]"
-    };
-  }
-  return allow();
-}
-function warnDestructiveSql(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (!SQL_TOOL_RE.test(cmd))
-    return allow();
-  if (DESTRUCTIVE_SQL_RE.test(cmd)) {
-    return instruct("STOP: This command contains destructive SQL (DROP/TRUNCATE/DELETE). Confirm with the user before executing.");
-  }
-  if (DELETE_NO_WHERE_RE.test(cmd) && !SQL_WHERE_RE.test(cmd)) {
-    return instruct("STOP: This command contains destructive SQL (DROP/TRUNCATE/DELETE). Confirm with the user before executing.");
-  }
-  return allow();
-}
-function warnLargeFileWrite(ctx) {
-  if (ctx.toolName !== "Write")
-    return allow();
-  const content = ctx.toolInput?.content;
-  if (typeof content !== "string")
-    return allow();
-  const thresholdKb = ctx.params?.thresholdKb ?? 1024;
-  const thresholdBytes = thresholdKb * 1024;
-  if (content.length > thresholdBytes) {
-    return instruct(`STOP: You are writing a file larger than ${thresholdKb}KB (${Math.round(content.length / 1024)}KB). This is unusually large. Confirm this is intentional before proceeding.`);
-  }
-  return allow();
-}
-function warnPackagePublish(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (PUBLISH_CMD_RE.test(cmd)) {
-    return instruct("STOP: This command publishes a package to a public registry. Confirm with the user that this is intentional.");
-  }
-  return allow();
-}
-function protectEnvVars(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (ENV_PRINTENV_RE.test(cmd)) {
-    return deny("Command reads environment variables");
-  }
-  if (ECHO_ENV_RE.test(cmd)) {
-    return deny("Command echoes environment variable");
-  }
-  if (EXPORT_RE.test(cmd)) {
-    return deny("Command exports environment variable");
-  }
-  if (PS_ENV_VAR_RE.test(cmd)) {
-    return deny("Command reads environment variable via PowerShell");
-  }
-  if (PS_CHILDITEM_ENV_RE.test(cmd)) {
-    return deny("Command reads environment variables via PowerShell");
-  }
-  if (DOTNET_GETENV_RE.test(cmd)) {
-    return deny("Command reads environment variable via .NET");
-  }
-  if (CMD_ECHO_ENV_RE.test(cmd)) {
-    return deny("Command echoes environment variable via cmd");
-  }
-  return allow();
-}
-function blockEnvFiles(ctx) {
-  const cmd = getCommand(ctx);
-  const filePath = getFilePath(ctx);
-  if (filePath && ENV_FILE_PATH_RE.test(filePath)) {
-    return deny("Access to .env file blocked");
-  }
-  if (ctx.toolName === "Bash" && ENV_CMD_RE.test(cmd)) {
-    return deny("Command references .env file");
-  }
-  return allow();
-}
-function blockSudo(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx).trimStart();
-  if (SUDO_RE.test(cmd) || cmd.startsWith("sudo ")) {
-    const allowPatterns = ctx.params?.allowPatterns ?? [];
-    if (allowPatterns.some((p) => matchesAllowedPattern(cmd, p)))
-      return allow();
-    return deny("sudo commands are blocked");
-  }
-  if (PS_ELEVATION_RE.test(cmd)) {
-    return deny("Elevated process launch is blocked");
-  }
-  if (RUNAS_RE.test(cmd)) {
-    return deny("runas elevation is blocked");
-  }
-  return allow();
-}
-function blockCurlPipeSh(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (CURL_PIPE_SH_RE.test(cmd)) {
-    return deny("Piping downloads to shell is blocked");
-  }
-  if (PS_WEB_PIPE_RE.test(cmd)) {
-    return deny("Piping downloads to Invoke-Expression is blocked");
-  }
-  return allow();
-}
-function extractGitPushArgs(cmd) {
-  return cmd.split(/&&|\|\||[|;\n]/).map((s) => s.trim()).filter((s) => /^git\s+push\s/.test(s)).map((s) => s.replace(/^git\s+push\s+/, ""));
-}
-function blockPushMaster(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
-  if (protectedBranches.length === 0)
-    return allow();
-  const args = extractGitPushArgs(getCommand(ctx));
-  const branchPattern = new RegExp(`\\b(?:${protectedBranches.map((b) => b.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|")})\\b`);
-  if (args.some((a) => branchPattern.test(a))) {
-    return deny(`Pushing to ${protectedBranches.join("/")} is blocked`);
-  }
-  return allow();
-}
-function rmTargetIsAllowed(cmd, allowPaths) {
-  if (allowPaths.length === 0)
-    return false;
-  const segments = cmd.split(/&&|\|\||[|;\n]/).map((s) => s.trim()).filter((s) => /\brm\b/.test(s));
-  if (segments.length === 0)
-    return false;
-  for (const seg of segments) {
-    const tokens = parseArgvTokens(seg);
-    const rmIdx = tokens.findIndex((t) => t === "rm");
-    if (rmIdx < 0)
-      continue;
-    const flagTokens = tokens.slice(rmIdx + 1).filter((t) => /^-[^-]/.test(t));
-    const longFlagsInSeg = tokens.slice(rmIdx + 1).filter((t) => /^--/.test(t));
-    if (!/r/i.test(flagTokens.join("")) && !longFlagsInSeg.some((f) => /^--recursive$/i.test(f)))
-      continue;
-    const pathArgs = tokens.slice(rmIdx + 1).filter((t) => !t.startsWith("-"));
-    for (const target of pathArgs) {
-      const normalized = target.replace(/\/\*$/, "").replace(/\/+$/, "") || "/";
-      const covered = allowPaths.some((p) => {
-        const np = p.replace(/\/+$/, "") || "/";
-        return normalized === np || normalized.startsWith(np + "/");
-      });
-      if (!covered) {
-        const segCovered = allowPaths.some((p) => {
-          const escaped = p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-          return new RegExp(`${escaped}(?:[/"'\\s/*]|$)`).test(seg);
-        });
-        if (!segCovered)
-          return false;
-      }
-    }
-  }
-  return true;
-}
-function blockRmRf(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  const hasDestructivePath = parseArgvTokens(cmd).some((token) => {
-    const normalized = token.replace(/\/\*$/, "").replace(/\/+$/, "") || (token.startsWith("/") ? "/" : "");
-    return normalized === "/" || normalized === "~" || /^\/[A-Za-z_][\w.-]*$/.test(normalized);
-  });
-  if (hasDestructivePath && (/rm\s+-[^\s]*r[^\s]*f[^\s]*/.test(cmd) || /rm\s+-[^\s]*f[^\s]*r[^\s]*/.test(cmd))) {
-    const allowPaths = ctx.params?.allowPaths ?? [];
-    if (rmTargetIsAllowed(cmd, allowPaths))
-      return allow();
-    return deny("Catastrophic deletion blocked");
-  }
-  if (hasDestructivePath && /\brm\b/.test(cmd)) {
-    const tokens = parseArgvTokens(cmd);
-    const shortFlags = tokens.filter((t) => /^-[^-]/.test(t)).join("");
-    const longFlags = tokens.filter((t) => /^--/.test(t));
-    const hasRecursive = /r/i.test(shortFlags) || longFlags.some((f) => /^--recursive$/i.test(f));
-    const hasForce = /f/.test(shortFlags) || longFlags.some((f) => /^--force$/i.test(f));
-    if (hasRecursive && hasForce) {
-      const allowPaths = ctx.params?.allowPaths ?? [];
-      if (rmTargetIsAllowed(cmd, allowPaths))
-        return allow();
-      return deny("Catastrophic deletion blocked");
-    }
-  }
-  if (/Remove-Item\s+.*-Recurse.*-Force.*(?:[A-Z]:\\(?:\s|$)|\\\*)/i.test(cmd)) {
-    return deny("Catastrophic deletion blocked");
-  }
-  if (/(?:rd|rmdir)\s+\/s\s+\/q\s+[A-Z]:\\/i.test(cmd)) {
-    return deny("Catastrophic deletion blocked");
-  }
-  return allow();
-}
-function blockForcePush(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const args = extractGitPushArgs(getCommand(ctx));
-  if (args.some((a) => FORCE_PUSH_RE.test(a))) {
-    return deny("Force-pushing is blocked");
-  }
-  return allow();
-}
-function blockSecretsWrite(ctx) {
-  if (ctx.toolName !== "Write")
-    return allow();
-  const filePath = getFilePath(ctx);
-  if (SECRET_FILE_RE.test(filePath) || SECRET_FILE_ID_RSA_RE.test(filePath) || SECRET_FILE_CREDENTIALS_RE.test(filePath)) {
-    return deny("Writing secret key files is blocked");
-  }
-  const additionalPatterns = ctx.params?.additionalPatterns ?? [];
-  for (const pattern of additionalPatterns) {
-    if (filePath.includes(pattern)) {
-      return deny(`Writing blocked file pattern: ${pattern}`);
-    }
-  }
-  return allow();
-}
-function extractAbsolutePaths(command) {
-  const paths = [];
-  const pathRe = /(?<![a-zA-Z0-9_.\-~\\])(?:~\/[^\s;|&"'()\[\]{}]*|~(?=\s|$|[;|&"'()\[\]{}])|\/[^\s;|&"'()\[\]{}]*)/g;
-  function addPaths(s) {
-    pathRe.lastIndex = 0;
-    let m;
-    while ((m = pathRe.exec(s)) !== null) {
-      let p = m[0];
-      if (p === "~")
-        p = homedir3();
-      else if (p.startsWith("~/"))
-        p = join2(homedir3(), p.slice(2));
-      paths.push(p);
-    }
-  }
-  let firstBarePipe = command.length;
-  let inDouble = false, inSingle = false;
-  for (let i = 0;i < command.length; i++) {
-    const c = command[i];
-    if (c === '"' && !inSingle)
-      inDouble = !inDouble;
-    else if (c === "'" && !inDouble)
-      inSingle = !inSingle;
-    else if (c === "|" && !inDouble && !inSingle) {
-      firstBarePipe = i;
-      break;
-    }
-  }
-  const firstSegment = command.slice(0, firstBarePipe);
-  const quotedRe = /"([^"]*)"|'([^']*)'/g;
-  let qm;
-  while ((qm = quotedRe.exec(firstSegment)) !== null) {
-    const content = qm[1] ?? qm[2] ?? "";
-    if (/[*?\[\]^$+()\\]/.test(content))
-      continue;
-    addPaths(content);
-  }
-  const stripped = command.replace(/"[^"]*"/g, (m) => " ".repeat(m.length)).replace(/'[^']*'/g, (m) => " ".repeat(m.length));
-  addPaths(stripped);
-  return paths;
-}
-function blockReadOutsideCwd(ctx) {
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow();
-  const allowPaths = ctx.params?.allowPaths ?? [];
-  if (ctx.toolName === "Bash") {
-    const cmd = getCommand(ctx);
-    if (!READ_LIKE_CMDS.test(cmd))
-      return allow();
-    const paths = extractAbsolutePaths(cmd);
-    const cwdWithSep2 = cwd.endsWith("/") ? cwd : cwd + "/";
-    for (const p of paths) {
-      const resolved3 = resolve2(cwd, p);
-      if (isClaudeSettingsFile(resolved3)) {
-        return deny(`Reading Claude settings file blocked: ${resolved3}`);
-      }
-      if (isClaudeInternalPath(resolved3))
-        continue;
-      if (resolved3 === "/dev/null")
-        continue;
-      if (resolved3 !== cwd && !resolved3.startsWith(cwdWithSep2)) {
-        if (allowPaths.some((ap) => resolved3 === ap || resolved3.startsWith(ap.endsWith("/") ? ap : ap + "/")))
-          continue;
-        return deny(`Bash read outside project directory blocked: ${resolved3}`);
-      }
-    }
-    return allow();
-  }
-  const filePath = getFilePath(ctx);
-  const searchPath = ctx.toolInput?.path ?? "";
-  const target = filePath || searchPath;
-  if (!target)
-    return allow();
-  const resolved2 = resolve2(cwd, target);
-  if (isClaudeSettingsFile(resolved2)) {
-    return deny(`Reading Claude settings file blocked: ${resolved2}`);
-  }
-  if (isClaudeInternalPath(resolved2))
-    return allow();
-  if (resolved2 === "/dev/null")
-    return allow();
-  const cwdWithSep = cwd.endsWith("/") ? cwd : cwd + "/";
-  if (resolved2 !== cwd && !resolved2.startsWith(cwdWithSep)) {
-    if (allowPaths.some((ap) => resolved2 === ap || resolved2.startsWith(ap.endsWith("/") ? ap : ap + "/")))
-      return allow();
-    return deny(`Access outside project directory blocked: ${resolved2}`);
-  }
-  return allow();
-}
-function blockWorkOnMain(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (!GIT_COMMIT_MERGE_RE.test(cmd))
-    return allow();
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow();
-  const branch = getCurrentBranch(cwd);
-  if (!branch)
-    return allow();
-  const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
-  if (protectedBranches.includes(branch)) {
-    return deny(`Git ${cmd.match(/git\s+(\S+)/)?.[1] ?? "operation"} on ${branch} is blocked. Create a feature branch first.`);
-  }
-  return allow();
-}
-function blockFailproofaiCommands(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (FAILPROOFAI_CLI_RE.test(cmd)) {
-    return deny("Running failproofai CLI commands is blocked");
-  }
-  if (FAILPROOFAI_UNINSTALL_RE.test(cmd)) {
-    return deny("Uninstalling failproofai is blocked");
-  }
-  return allow();
-}
-async function warnRepeatedToolCalls(ctx) {
-  const THRESHOLD = 3;
-  const transcriptPath = ctx.session?.transcriptPath;
-  if (!transcriptPath || !ctx.toolName || !ctx.toolInput)
-    return allow();
-  const trackerPath = `${transcriptPath}.tool-calls.json`;
-  const fingerprint = JSON.stringify({ tool: ctx.toolName, input: ctx.toolInput });
-  let counts = {};
-  try {
-    const raw = await readFile(trackerPath, "utf8");
-    counts = JSON.parse(raw);
-  } catch {}
-  const prevCount = counts[fingerprint] ?? 0;
-  if (prevCount >= THRESHOLD) {
-    return instruct(`STOP: You have already called ${ctx.toolName} ${prevCount} times with identical parameters. This is wasteful and unproductive. Do NOT repeat this call — use a different approach or ask the user for clarification.`);
-  }
-  counts[fingerprint] = prevCount + 1;
-  try {
-    const serialized = JSON.stringify(counts);
-    if (serialized.length <= TOOL_CALL_TRACKER_MAX_BYTES) {
-      await writeFile(trackerPath, serialized, "utf8");
-    }
-  } catch {}
-  return allow();
-}
-function warnGitAmend(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (GIT_AMEND_RE.test(cmd)) {
-    return instruct("STOP: This command amends the last commit, which rewrites git history. If this commit has already been pushed to a shared branch, this will cause divergence for other contributors. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function warnGitStashDrop(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (GIT_STASH_DROP_RE.test(cmd)) {
-    return instruct("STOP: This command permanently deletes stashed changes (git stash drop/clear). Stash entries cannot be recovered after deletion. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function warnAllFilesStaged(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (GIT_ADD_ALL_RE.test(cmd)) {
-    return instruct("STOP: This command stages all files in the working tree (git add -A / --all / .). This may inadvertently include build artifacts, generated files, or sensitive files not covered by .gitignore. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function warnSchemaAlteration(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (!SQL_TOOL_RE.test(cmd))
-    return allow();
-  if (SCHEMA_ALTER_RE.test(cmd)) {
-    return instruct("STOP: This command contains a schema-altering SQL statement (ALTER TABLE with column or rename operation). Schema changes on production databases are irreversible or disruptive. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function warnGlobalPackageInstall(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  const isGlobal = NPM_GLOBAL_RE.test(cmd) || YARN_GLOBAL_RE.test(cmd) || PNPM_GLOBAL_RE.test(cmd) || BUN_GLOBAL_RE.test(cmd) || CARGO_INSTALL_RE.test(cmd) || PIP_SYSTEM_RE.test(cmd);
-  if (isGlobal) {
-    return instruct("STOP: This command installs a package globally, which modifies the system-wide environment outside the project. This can conflict with other projects or system tools. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function preferPackageManager(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  if (!cmd)
-    return allow();
-  const allowed = ctx.params?.allowed ?? [];
-  if (allowed.length === 0)
-    return allow();
-  const allowedSet = new Set(allowed.map((a) => a.toLowerCase()));
-  const blocked = ctx.params?.blocked ?? [];
-  const allowedList = allowed.join(", ");
-  const segments = cmd.split(SEGMENT_SPLIT_RE);
-  for (const segment of segments) {
-    const trimmed = segment.trim();
-    if (!trimmed)
-      continue;
-    let segmentAllowed = false;
-    for (const manager of allowedSet) {
-      const patterns = PKG_MANAGER_DETECTORS[manager];
-      if (!patterns)
-        continue;
-      for (const pattern of patterns) {
-        if (pattern.test(trimmed)) {
-          segmentAllowed = true;
-          break;
-        }
-      }
-      if (segmentAllowed)
-        break;
-    }
-    if (segmentAllowed)
-      continue;
-    for (const [manager, patterns] of Object.entries(PKG_MANAGER_DETECTORS)) {
-      if (allowedSet.has(manager))
-        continue;
-      for (const pattern of patterns) {
-        if (pattern.test(trimmed)) {
-          return deny(`"${manager}" is not an allowed package manager. ` + `Allowed package managers for this project: ${allowedList}. ` + `Rewrite this command using an allowed package manager.`);
-        }
-      }
-    }
-    for (const name of blocked) {
-      const lower = name.toLowerCase();
-      if (allowedSet.has(lower))
-        continue;
-      const re = new RegExp(`\\b${lower.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`);
-      if (re.test(trimmed)) {
-        return deny(`"${lower}" is not an allowed package manager. ` + `Allowed package managers for this project: ${allowedList}. ` + `Rewrite this command using an allowed package manager.`);
-      }
-    }
-  }
-  return allow();
-}
-function warnBackgroundProcess(ctx) {
-  if (ctx.toolName !== "Bash")
-    return allow();
-  const cmd = getCommand(ctx);
-  const isBackground = NOHUP_RE.test(cmd) || SCREEN_DETACH_RE.test(cmd) || TMUX_DETACH_RE.test(cmd) || DISOWN_RE.test(cmd) || BACKGROUND_AMPERSAND_RE.test(cmd);
-  if (isBackground) {
-    return instruct("STOP: This command starts a background or detached process (nohup, screen -d, tmux -d, or trailing &). Background processes persist after Claude's session and may be difficult to track or stop. Confirm with the user before executing.");
-  }
-  return allow();
-}
-function requireCommitBeforeStop(ctx) {
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow("No working directory available, skipping commit check.");
-  try {
-    const status = execSync("git status --porcelain", {
-      cwd,
-      encoding: "utf8",
-      timeout: 5000
-    }).trim();
-    if (status.length > 0) {
-      return deny("You have uncommitted changes in the working directory. Commit all changes now.");
-    }
-    return allow("All changes are committed.");
-  } catch {
-    return allow("Not a git repository, skipping commit check.");
-  }
-}
-function requirePushBeforeStop(ctx) {
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow("No working directory available, skipping push check.");
-  try {
-    const remotes = execSync("git remote", {
-      cwd,
-      encoding: "utf8",
-      timeout: 3000
-    }).trim();
-    if (!remotes)
-      return allow("No git remote configured, skipping push check.");
-    const remote = ctx.params?.remote ?? "origin";
-    const branch = getCurrentBranch(cwd);
-    if (!branch || branch === "HEAD")
-      return allow("Detached HEAD, skipping push check.");
-    const baseBranch = ctx.params?.baseBranch ?? "main";
-    if (branch === baseBranch) {
-      return allow(`On base branch "${baseBranch}", skipping push check.`);
-    }
-    try {
-      const ahead = execFileSync("git", ["log", `${remote}/${baseBranch}..HEAD`, "--oneline"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-      if (!ahead) {
-        return allow(`No commits ahead of ${remote}/${baseBranch}, skipping push check.`);
-      }
-      const diff = execFileSync("git", ["diff", "--stat", `${remote}/${baseBranch}`, "HEAD"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-      if (!diff) {
-        return allow(`No file changes compared to ${remote}/${baseBranch}, skipping push check.`);
-      }
-    } catch {}
-    let hasTracking = false;
-    try {
-      execFileSync("git", ["rev-parse", "--verify", `${remote}/${branch}`], {
-        cwd,
-        encoding: "utf8",
-        timeout: 3000
-      });
-      hasTracking = true;
-    } catch {}
-    if (!hasTracking) {
-      return deny(`Branch "${branch}" has not been pushed to remote "${remote}". ` + `Run now: git push -u ${remote} ${branch}`);
-    }
-    const unpushed = execFileSync("git", ["log", `${remote}/${branch}..HEAD`, "--oneline"], {
-      cwd,
-      encoding: "utf8",
-      timeout: 5000
-    }).trim();
-    if (unpushed.length > 0) {
-      const commitCount = unpushed.split(`
-`).length;
-      return deny(`You have ${commitCount} unpushed commit${commitCount > 1 ? "s" : ""} on branch "${branch}". ` + `Run now: git push`);
-    }
-    return allow(`All commits pushed to "${remote}".`);
-  } catch {
-    return allow("Could not check push status, skipping.");
-  }
-}
-function requirePrBeforeStop(ctx) {
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow("No working directory available, skipping PR check.");
-  try {
-    try {
-      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
-    } catch {
-      return allow("GitHub CLI (gh) not installed, skipping PR check.");
-    }
-    const branch = getCurrentBranch(cwd);
-    if (!branch || branch === "HEAD")
-      return allow("Detached HEAD, skipping PR check.");
-    const baseBranch = ctx.params?.baseBranch ?? "main";
-    if (branch === baseBranch) {
-      return allow(`On base branch "${baseBranch}", skipping PR check.`);
-    }
-    try {
-      const ahead = execFileSync("git", ["log", `origin/${baseBranch}..HEAD`, "--oneline"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-      if (!ahead) {
-        return allow(`No commits ahead of origin/${baseBranch}, skipping PR check.`);
-      }
-      const diff = execFileSync("git", ["diff", "--stat", `origin/${baseBranch}`, "HEAD"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-      if (!diff) {
-        return allow(`No file changes compared to origin/${baseBranch}, skipping PR check.`);
-      }
-    } catch {}
-    let prJson;
-    try {
-      prJson = execSync("gh pr view --json number,url,state", {
-        cwd,
-        encoding: "utf8",
-        timeout: 15000
-      }).trim();
-    } catch {
-      return deny(`No pull request found for branch "${branch}". ` + `Run now: gh pr create`);
-    }
-    const pr = JSON.parse(prJson);
-    if (pr.state === "OPEN") {
-      return allow(`PR #${pr.number} exists: ${pr.url}`);
-    }
-    if (pr.state === "MERGED") {
-      try {
-        execFileSync("git", ["fetch", "origin", `+refs/heads/${baseBranch}:refs/remotes/origin/${baseBranch}`], {
-          cwd,
-          encoding: "utf8",
-          timeout: 1e4
-        });
-        const freshAhead = execFileSync("git", ["log", `origin/${baseBranch}..HEAD`, "--oneline"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-        if (!freshAhead) {
-          return allow(`PR #${pr.number} was merged; branch is up to date with ${baseBranch}.`);
-        }
-        const freshDiff = execFileSync("git", ["diff", "--stat", `origin/${baseBranch}`, "HEAD"], { cwd, encoding: "utf8", timeout: 5000 }).trim();
-        if (!freshDiff) {
-          return allow(`PR #${pr.number} was merged; no file changes vs ${baseBranch}.`);
-        }
-      } catch {}
-    }
-    return deny(`Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Run now: gh pr create`);
-  } catch {
-    return allow("Could not check PR status, skipping.");
-  }
-}
-function requireCiGreenBeforeStop(ctx) {
-  const cwd = ctx.session?.cwd;
-  if (!cwd)
-    return allow("No working directory available, skipping CI check.");
-  try {
-    try {
-      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
-    } catch {
-      return allow("GitHub CLI (gh) not installed, skipping CI check.");
-    }
-    const branch = getCurrentBranch(cwd);
-    if (!branch || branch === "HEAD")
-      return allow("Detached HEAD, skipping CI check.");
-    let workflowRuns = [];
-    try {
-      const runsJson = execFileSync("gh", ["run", "list", "--branch", branch, "--limit", "5", "--json", "status,conclusion,name"], { cwd, encoding: "utf8", timeout: 15000 }).trim();
-      if (runsJson && runsJson !== "[]") {
-        workflowRuns = JSON.parse(runsJson);
-      }
-    } catch {}
-    let thirdPartyChecks = [];
-    let commitStatuses = [];
-    const sha = getHeadSha(cwd);
-    if (sha) {
-      thirdPartyChecks = getThirdPartyCheckRuns(cwd, sha);
-      commitStatuses = getCommitStatuses(cwd, sha);
-    }
-    const allChecks = [...workflowRuns, ...thirdPartyChecks, ...commitStatuses];
-    if (allChecks.length === 0)
-      return allow(`No CI runs found for branch "${branch}".`);
-    const failing = allChecks.filter((r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped" && r.conclusion !== "cancelled");
-    if (failing.length > 0) {
-      const names = failing.map((r) => `"${r.name}"`).join(", ");
-      return deny(`CI checks are failing on branch "${branch}": ${names}. Fix the failing checks now.`);
-    }
-    const pending = allChecks.filter((r) => r.status === "in_progress" || r.status === "queued" || r.status === "waiting");
-    if (pending.length > 0) {
-      const names = pending.map((r) => `"${r.name}"`).join(", ");
-      return deny(`CI checks are still running on branch "${branch}": ${names}. Wait for all checks to complete, then verify they pass.`);
-    }
-    return allow(`All CI checks passed on branch "${branch}".`);
-  } catch {
-    return allow("Could not check CI status, skipping.");
-  }
-}
-function registerBuiltinPolicies(enabledNames) {
-  const enabledSet = new Set(enabledNames);
-  for (const policy of BUILTIN_POLICIES) {
-    if (enabledSet.has(policy.name)) {
-      registerPolicy(policy.name, policy.description, policy.fn, policy.match);
-    }
-  }
-}
-var SHELL_OPERATORS, SHELL_METACHAR_RE, JWT_RE, API_KEY_PATTERNS, CONNECTION_STRING_RE, PRIVATE_KEY_RE, BEARER_TOKEN_RE, SQL_TOOL_RE, DESTRUCTIVE_SQL_RE, DELETE_NO_WHERE_RE, SQL_WHERE_RE, SCHEMA_ALTER_RE, PUBLISH_CMD_RE, ENV_PRINTENV_RE, ECHO_ENV_RE, EXPORT_RE, PS_ENV_VAR_RE, PS_CHILDITEM_ENV_RE, DOTNET_GETENV_RE, CMD_ECHO_ENV_RE, ENV_FILE_PATH_RE, ENV_CMD_RE, SUDO_RE, PS_ELEVATION_RE, RUNAS_RE, CURL_PIPE_SH_RE, PS_WEB_PIPE_RE, FORCE_PUSH_RE, SECRET_FILE_RE, SECRET_FILE_ID_RSA_RE, SECRET_FILE_CREDENTIALS_RE, GIT_COMMIT_MERGE_RE, FAILPROOFAI_CLI_RE, FAILPROOFAI_UNINSTALL_RE, GIT_AMEND_RE, GIT_STASH_DROP_RE, GIT_ADD_ALL_RE, NPM_GLOBAL_RE, YARN_GLOBAL_RE, PNPM_GLOBAL_RE, BUN_GLOBAL_RE, CARGO_INSTALL_RE, PIP_SYSTEM_RE, PKG_MANAGER_DETECTORS, NOHUP_RE, SCREEN_DETACH_RE, TMUX_DETACH_RE, DISOWN_RE, BACKGROUND_AMPERSAND_RE, gitBranchCache, READ_LIKE_CMDS, TOOL_CALL_TRACKER_MAX_BYTES = 65536, SEGMENT_SPLIT_RE, BUILTIN_POLICIES;
-var init_builtin_policies = __esm(() => {
-  init_hook_logger();
-  SHELL_OPERATORS = new Set(["&&", "||", "|", ";"]);
-  SHELL_METACHAR_RE = /[;&<>`$()\\]/;
-  JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/;
-  API_KEY_PATTERNS = [
-    [/sk-ant-[A-Za-z0-9\-_]{20,}/, "Anthropic API key"],
-    [/sk-proj-[A-Za-z0-9\-_]{20,}/, "OpenAI project API key"],
-    [/sk-[A-Za-z0-9]{20,}/, "OpenAI API key"],
-    [/ghp_[A-Za-z0-9]{36}/, "GitHub personal access token"],
-    [/github_pat_[A-Za-z0-9_]{82}/, "GitHub fine-grained token"],
-    [/AKIA[A-Z0-9]{16}/, "AWS access key ID"],
-    [/sk_live_[A-Za-z0-9]{24,}/, "Stripe live secret key"],
-    [/sk_test_[A-Za-z0-9]{24,}/, "Stripe test secret key"],
-    [/AIza[0-9A-Za-z\-_]{35}/, "Google API key"]
-  ];
-  CONNECTION_STRING_RE = /(?:postgresql|postgres|mysql|mongodb(?:\+srv)?|redis|amqps?|smtps?):\/\/[^@\s]+@/;
-  PRIVATE_KEY_RE = /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/;
-  BEARER_TOKEN_RE = /Authorization:\s*Bearer\s+[A-Za-z0-9\-._~+/]{20,}/i;
-  SQL_TOOL_RE = /\b(?:psql|mysql|sqlite3|pgcli|clickhouse-client)\b/;
-  DESTRUCTIVE_SQL_RE = /\b(?:DROP\s+(?:TABLE|DATABASE|SCHEMA)|TRUNCATE\b)/i;
-  DELETE_NO_WHERE_RE = /\bDELETE\s+FROM\b/i;
-  SQL_WHERE_RE = /\bWHERE\b/i;
-  SCHEMA_ALTER_RE = /\bALTER\s+TABLE\b[\s\S]*\b(?:DROP\s+COLUMN|ADD\s+COLUMN|RENAME\s+(?:COLUMN|TO)|MODIFY\s+COLUMN)\b/i;
-  PUBLISH_CMD_RE = /(?:npm\s+publish|bun\s+publish|pnpm\s+publish|yarn\s+npm\s+publish|twine\s+upload|poetry\s+publish|cargo\s+publish|gem\s+push)\b/;
-  ENV_PRINTENV_RE = /(?:^|\s|;|&&|\|\|)(?:env|printenv)(?:\s|$|;|&&|\|)/;
-  ECHO_ENV_RE = /echo\s+.*\$\{?[A-Za-z_]/;
-  EXPORT_RE = /(?:^|\s|;|&&|\|\|)export\s+\w+/;
-  PS_ENV_VAR_RE = /\$env:[A-Za-z_]/i;
-  PS_CHILDITEM_ENV_RE = /(?:Get-ChildItem|dir|gci|ls)\s+Env:/i;
-  DOTNET_GETENV_RE = /\[Environment\]::GetEnvironment/i;
-  CMD_ECHO_ENV_RE = /echo\s+%[A-Za-z_]/i;
-  ENV_FILE_PATH_RE = /(?:^|[\\/])\.env(?:\.|$)/;
-  ENV_CMD_RE = /\.env(?:\b|\s|$|\.)/;
-  SUDO_RE = /(?:^|;|&&|\|\|)\s*sudo\s/;
-  PS_ELEVATION_RE = /Start-Process\s+.*-Verb\s+RunAs/i;
-  RUNAS_RE = /(?:^|;|&&|\|\|)\s*runas\s/i;
-  CURL_PIPE_SH_RE = /(?:curl|wget)\s.*\|\s*(?:sh|bash|zsh|dash|ksh|csh|tcsh|fish|ash)\b/;
-  PS_WEB_PIPE_RE = /(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\s+.*\|\s*(?:Invoke-Expression|iex)/i;
-  FORCE_PUSH_RE = /(?:--force|-f\b)/;
-  SECRET_FILE_RE = /\.(?:pem|key)$/;
-  SECRET_FILE_ID_RSA_RE = /id_rsa/;
-  SECRET_FILE_CREDENTIALS_RE = /credentials/;
-  GIT_COMMIT_MERGE_RE = /git\s+(?:commit|merge|rebase|cherry-pick)\b/;
-  FAILPROOFAI_CLI_RE = /(?:^|;|&&|\|\||\|)\s*failproofai(?:\s|$)/;
-  FAILPROOFAI_UNINSTALL_RE = /(?:npm\s+(?:uninstall|remove|un|r)\s.*failproofai|bun\s+remove\s.*failproofai|yarn\s+global\s+remove\s+failproofai|pnpm\s+(?:remove|uninstall|un)\s.*failproofai)/;
-  GIT_AMEND_RE = /\bgit\s+commit\b.*--amend\b/;
-  GIT_STASH_DROP_RE = /\bgit\s+stash\s+(?:drop|clear)\b/;
-  GIT_ADD_ALL_RE = /\bgit\s+add\s+(?:-A\b|--all\b|\.(?:\s|$|;|&&|\|\|))/;
-  NPM_GLOBAL_RE = /\bnpm\s+(?:install|i)\b(?=.*(?:\s-g\b|--global\b))/;
-  YARN_GLOBAL_RE = /\byarn\s+global\s+add\b/;
-  PNPM_GLOBAL_RE = /\bpnpm\s+(?:add|install|i)\b(?=.*(?:\s-g\b|--global\b))/;
-  BUN_GLOBAL_RE = /\bbun\s+(?:install|add)\b(?=.*(?:\s-g\b|--global\b))/;
-  CARGO_INSTALL_RE = /\bcargo\s+install\b/;
-  PIP_SYSTEM_RE = /\bpip(?:3)?\s+install\b(?=.*(?:--user\b|--break-system-packages\b))/;
-  PKG_MANAGER_DETECTORS = {
-    pip: [/\bpip\b/, /\bpip3\b/, /\bpython3?\s+-m\s+pip\b/],
-    npm: [/\bnpm\b/, /\bnpx\b/],
-    yarn: [/\byarn\b/],
-    pnpm: [/\bpnpm\b/, /\bpnpx\b/],
-    bun: [/\bbun\b/, /\bbunx\b/],
-    uv: [/\buv\b/],
-    poetry: [/\bpoetry\b/],
-    pipenv: [/\bpipenv\b/],
-    conda: [/\bconda\b/],
-    cargo: [/\bcargo\b/]
-  };
-  NOHUP_RE = /\bnohup\s+\S/;
-  SCREEN_DETACH_RE = /\bscreen\s+-[A-Za-z]*d[A-Za-z]*\b/;
-  TMUX_DETACH_RE = /\btmux\s+(?:new-session|new)\b[^|&;]*-d\b/;
-  DISOWN_RE = /\bdisown\b/;
-  BACKGROUND_AMPERSAND_RE = /(?<![&|])\s?&\s*(?:$|#|;)/;
-  gitBranchCache = new Map;
-  READ_LIKE_CMDS = /(?:^|;|&&|\|\||\|)\s*(?:ls|find|cat|head|tail|less|more|wc|file|stat|tree|du)\s/;
-  SEGMENT_SPLIT_RE = /\s*(?:&&|\|\||\||;)\s*/;
-  BUILTIN_POLICIES = [
-    {
-      name: "sanitize-jwt",
-      description: "Stop Claude from reading JWTs in tool responses",
-      fn: sanitizeJwt,
-      match: { events: ["PostToolUse"] },
-      defaultEnabled: true,
-      category: "Sanitize"
-    },
-    {
-      name: "sanitize-api-keys",
-      description: "Stop Claude from reading API keys (OpenAI, Anthropic, GitHub, AWS, Stripe, Google) in tool responses",
-      fn: sanitizeApiKeys,
-      match: { events: ["PostToolUse"] },
-      defaultEnabled: true,
-      category: "Sanitize",
-      params: {
-        additionalPatterns: {
-          type: "pattern[]",
-          description: "Additional API key patterns to scrub, each with { regex, label }",
-          default: []
-        }
-      }
-    },
-    {
-      name: "sanitize-connection-strings",
-      description: "Stop Claude from reading database connection strings with embedded credentials in tool responses",
-      fn: sanitizeConnectionStrings,
-      match: { events: ["PostToolUse"] },
-      defaultEnabled: true,
-      category: "Sanitize"
-    },
-    {
-      name: "sanitize-private-key-content",
-      description: "Stop Claude from reading PEM private key content in tool responses",
-      fn: sanitizePrivateKeyContent,
-      match: { events: ["PostToolUse"] },
-      defaultEnabled: true,
-      category: "Sanitize"
-    },
-    {
-      name: "sanitize-bearer-tokens",
-      description: "Stop Claude from reading Authorization Bearer tokens in tool responses",
-      fn: sanitizeBearerTokens,
-      match: { events: ["PostToolUse"] },
-      defaultEnabled: true,
-      category: "Sanitize"
-    },
-    {
-      name: "protect-env-vars",
-      description: "Prevent commands that read environment variables",
-      fn: protectEnvVars,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: true,
-      category: "Environment"
-    },
-    {
-      name: "block-env-files",
-      description: "Block reading/writing .env files",
-      fn: blockEnvFiles,
-      match: { events: ["PreToolUse"] },
-      defaultEnabled: true,
-      category: "Environment"
-    },
-    {
-      name: "block-read-outside-cwd",
-      description: "Block file reads outside the session working directory",
-      fn: blockReadOutsideCwd,
-      match: { events: ["PreToolUse"], toolNames: ["Read", "Glob", "Grep", "Bash"] },
-      defaultEnabled: false,
-      category: "Environment",
-      params: {
-        allowPaths: {
-          type: "string[]",
-          description: "Absolute paths outside cwd that are allowed to be read",
-          default: []
-        }
-      }
-    },
-    {
-      name: "block-sudo",
-      description: "Block sudo commands",
-      fn: blockSudo,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: true,
-      category: "Dangerous Commands",
-      params: {
-        allowPatterns: {
-          type: "string[]",
-          description: "Sudo command patterns to allow, matched token-by-token (e.g. 'sudo systemctl status')",
-          default: []
-        }
-      }
-    },
-    {
-      name: "block-curl-pipe-sh",
-      description: "Block piping downloads to shell",
-      fn: blockCurlPipeSh,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: true,
-      category: "Dangerous Commands"
-    },
-    {
-      name: "block-rm-rf",
-      description: "Prevent catastrophic deletions",
-      fn: blockRmRf,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Dangerous Commands",
-      params: {
-        allowPaths: {
-          type: "string[]",
-          description: "Paths that are allowed to be recursively deleted",
-          default: []
-        }
-      }
-    },
-    {
-      name: "block-failproofai-commands",
-      description: "Block failproofai CLI commands and uninstallation",
-      fn: blockFailproofaiCommands,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: true,
-      category: "Dangerous Commands"
-    },
-    {
-      name: "block-secrets-write",
-      description: "Block writing secret key files",
-      fn: blockSecretsWrite,
-      match: { events: ["PreToolUse"], toolNames: ["Write"] },
-      defaultEnabled: false,
-      category: "Dangerous Commands",
-      params: {
-        additionalPatterns: {
-          type: "string[]",
-          description: "Additional filename patterns (substrings) to block",
-          default: []
-        }
-      }
-    },
-    {
-      name: "block-push-master",
-      description: "Block pushing to main/master",
-      fn: blockPushMaster,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: true,
-      category: "Git",
-      params: {
-        protectedBranches: {
-          type: "string[]",
-          description: "Branch names to protect from direct pushes",
-          default: ["main", "master"]
-        }
-      }
-    },
-    {
-      name: "block-force-push",
-      description: "Prevent force-pushing to any branch",
-      fn: blockForcePush,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Git"
-    },
-    {
-      name: "block-work-on-main",
-      description: "Block git commits and merges on main/master branch",
-      fn: blockWorkOnMain,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Git",
-      params: {
-        protectedBranches: {
-          type: "string[]",
-          description: "Branch names where commits/merges are blocked",
-          default: ["main", "master"]
-        }
-      }
-    },
-    {
-      name: "warn-git-amend",
-      description: "Warns before amending git commits, which rewrites history",
-      fn: warnGitAmend,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Git"
-    },
-    {
-      name: "warn-git-stash-drop",
-      description: "Warns before permanently deleting stashed changes",
-      fn: warnGitStashDrop,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Git"
-    },
-    {
-      name: "warn-all-files-staged",
-      description: "Warns before staging all working tree files with git add -A / . / --all",
-      fn: warnAllFilesStaged,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Git"
-    },
-    {
-      name: "warn-destructive-sql",
-      description: "Warn before executing destructive SQL (DROP/TRUNCATE/DELETE without WHERE) via database clients",
-      fn: warnDestructiveSql,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Database"
-    },
-    {
-      name: "warn-schema-alteration",
-      description: "Warns before SQL schema changes (ALTER TABLE with column or rename operations)",
-      fn: warnSchemaAlteration,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Database"
-    },
-    {
-      name: "warn-package-publish",
-      description: "Warn before publishing packages to public registries (npm, PyPI, crates.io, RubyGems, etc.)",
-      fn: warnPackagePublish,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Packages & System"
-    },
-    {
-      name: "warn-global-package-install",
-      description: "Warns before installing packages globally (npm -g, cargo install, etc.)",
-      fn: warnGlobalPackageInstall,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Packages & System"
-    },
-    {
-      name: "prefer-package-manager",
-      description: "Blocks non-preferred package managers and tells Claude to use an allowed one (e.g., uv instead of pip)",
-      fn: preferPackageManager,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Packages & System",
-      params: {
-        allowed: {
-          type: "string[]",
-          description: "Allowed package manager names (e.g. ['uv', 'bun']). Any detected manager not in this list is blocked.",
-          default: []
-        },
-        blocked: {
-          type: "string[]",
-          description: "Additional manager names to block beyond the built-in list (e.g. ['pdm', 'pipx']).",
-          default: []
-        }
-      }
-    },
-    {
-      name: "warn-large-file-write",
-      description: "Warn before writing files larger than 1MB (configurable via thresholdKb param)",
-      fn: warnLargeFileWrite,
-      match: { events: ["PreToolUse"], toolNames: ["Write"] },
-      defaultEnabled: false,
-      category: "Packages & System",
-      params: {
-        thresholdKb: {
-          type: "number",
-          description: "File size threshold in KB above which a warning is issued",
-          default: 1024
-        }
-      }
-    },
-    {
-      name: "warn-background-process",
-      description: "Warns before starting detached or background processes",
-      fn: warnBackgroundProcess,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
-      defaultEnabled: false,
-      category: "Packages & System"
-    },
-    {
-      name: "warn-repeated-tool-calls",
-      description: "Warn when the same tool is called 3+ times with identical parameters",
-      fn: warnRepeatedToolCalls,
-      match: { events: ["PreToolUse"] },
-      defaultEnabled: false,
-      category: "AI Behavior"
-    },
-    {
-      name: "require-commit-before-stop",
-      description: "Require all changes to be committed before Claude stops",
-      fn: requireCommitBeforeStop,
-      match: { events: ["Stop"] },
-      defaultEnabled: false,
-      category: "Workflow"
-    },
-    {
-      name: "require-push-before-stop",
-      description: "Require all commits to be pushed to remote before Claude stops",
-      fn: requirePushBeforeStop,
-      match: { events: ["Stop"] },
-      defaultEnabled: false,
-      category: "Workflow",
-      params: {
-        remote: {
-          type: "string",
-          description: "Remote name to push to (default: origin)",
-          default: "origin"
-        },
-        baseBranch: {
-          type: "string",
-          description: "Base branch to compare against (default: main)",
-          default: "main"
-        }
-      }
-    },
-    {
-      name: "require-pr-before-stop",
-      description: "Require a pull request to exist for the current branch before Claude stops",
-      fn: requirePrBeforeStop,
-      match: { events: ["Stop"] },
-      defaultEnabled: false,
-      category: "Workflow",
-      params: {
-        baseBranch: {
-          type: "string",
-          description: "Base branch to compare against (default: main)",
-          default: "main"
-        }
-      }
-    },
-    {
-      name: "require-ci-green-before-stop",
-      description: "Require CI checks to pass on the current branch before Claude stops",
-      fn: requireCiGreenBeforeStop,
-      match: { events: ["Stop"] },
-      defaultEnabled: false,
-      category: "Workflow"
-    }
-  ];
-});
-
-// src/hooks/policy-evaluator.ts
-function appendHint(baseReason, hint) {
-  const base = baseReason.trim();
-  const normalizedHint = typeof hint === "string" ? hint.trim() : "";
-  if (!normalizedHint)
-    return base;
-  if (!base)
-    return normalizedHint;
-  return `${base}. ${normalizedHint}`;
-}
-async function evaluatePolicies(eventType, payload, session, config) {
-  const toolName = payload.tool_name;
-  const toolInput = payload.tool_input;
-  const policies = getPoliciesForEvent(eventType, toolName);
-  hookLogInfo(`evaluating ${policies.length} policies for ${eventType}`);
-  if (policies.length === 0) {
-    return { exitCode: 0, stdout: "", stderr: "", policyName: null, reason: null, decision: "allow" };
-  }
-  const baseCtx = {
-    eventType,
-    payload,
-    toolName,
-    toolInput,
-    session
-  };
-  const instructEntries = [];
-  const allowEntries = [];
-  for (const policy of policies) {
-    const schema = POLICY_PARAMS_MAP.get(policy.name);
-    let ctx;
-    if (schema) {
-      const userParams = config?.policyParams?.[policy.name] ?? {};
-      const resolvedParams = {};
-      for (const [key, spec] of Object.entries(schema)) {
-        resolvedParams[key] = key in userParams ? userParams[key] : spec.default;
-      }
-      ctx = { ...baseCtx, params: resolvedParams };
-    } else {
-      ctx = { ...baseCtx, params: {} };
-    }
-    let result;
-    try {
-      result = await policy.fn(ctx);
-    } catch (err) {
-      hookLogWarn(`policy "${policy.name}" threw: ${err instanceof Error ? err.message : String(err)}`);
-      continue;
-    }
-    if (result.decision === "deny") {
-      const reason = appendHint(result.reason ?? `Blocked by policy: ${policy.name}`, config?.policyParams?.[policy.name]?.hint);
-      hookLogInfo(`deny by "${policy.name}": ${reason}`);
-      const displayTool = ctx.toolName ?? "unknown tool";
-      if (eventType === "PreToolUse") {
-        const response = {
-          hookSpecificOutput: {
-            hookEventName: eventType,
-            permissionDecision: "deny",
-            permissionDecisionReason: `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`
-          }
-        };
-        return {
-          exitCode: 0,
-          stdout: JSON.stringify(response),
-          stderr: "",
-          policyName: policy.name,
-          reason,
-          decision: "deny"
-        };
-      }
-      if (eventType === "PostToolUse") {
-        const response = {
-          hookSpecificOutput: {
-            hookEventName: eventType,
-            additionalContext: `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`
-          }
-        };
-        return {
-          exitCode: 0,
-          stdout: JSON.stringify(response),
-          stderr: "",
-          policyName: policy.name,
-          reason,
-          decision: "deny"
-        };
-      }
-      if (eventType === "Stop") {
-        return {
-          exitCode: 2,
-          stdout: "",
-          stderr: `MANDATORY ACTION REQUIRED from failproofai (policy: ${policy.name}): ${reason}
-
-You MUST complete the above action NOW. Do NOT ask the user for confirmation — execute the required action, then attempt to finish your task again.`,
-          policyName: policy.name,
-          reason,
-          decision: "deny"
-        };
-      }
-      return {
-        exitCode: 2,
-        stdout: "",
-        stderr: reason,
-        policyName: policy.name,
-        reason,
-        decision: "deny"
-      };
-    }
-    if (result.decision === "instruct") {
-      const reason = appendHint(result.reason ?? `Instruction from policy: ${policy.name}`, config?.policyParams?.[policy.name]?.hint);
-      instructEntries.push({ policyName: policy.name, reason });
-      hookLogInfo(`instruct by "${policy.name}": ${reason}`);
-    }
-    if (result.decision === "allow" && result.reason) {
-      allowEntries.push({ policyName: policy.name, reason: result.reason });
-    }
-  }
-  if (instructEntries.length > 0) {
-    const combined = instructEntries.map((e) => e.reason).join(`
-`);
-    const policyNames = instructEntries.map((e) => e.policyName);
-    if (eventType === "Stop") {
-      const policyAttribution = policyNames.length === 1 ? `policy: ${policyNames[0]}` : `policies: ${policyNames.join(", ")}`;
-      return {
-        exitCode: 2,
-        stdout: "",
-        stderr: `MANDATORY ACTION REQUIRED from failproofai (${policyAttribution}): ${combined}
-
-You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`,
-        policyName: policyNames[0],
-        policyNames,
-        reason: combined,
-        decision: "instruct"
-      };
-    }
-    const response = {
-      hookSpecificOutput: {
-        hookEventName: eventType,
-        additionalContext: `Instruction from failproofai: ${combined}`
-      }
-    };
-    return {
-      exitCode: 0,
-      stdout: JSON.stringify(response),
-      stderr: "",
-      policyName: policyNames[0],
-      policyNames,
-      reason: combined,
-      decision: "instruct"
-    };
-  }
-  if (allowEntries.length > 0) {
-    const combined = allowEntries.map((e) => e.reason).join(`
-`);
-    const policyNames = allowEntries.map((e) => e.policyName);
-    const supportsHookSpecificOutput = eventType === "PreToolUse" || eventType === "PostToolUse" || eventType === "UserPromptSubmit";
-    const response = supportsHookSpecificOutput ? { hookSpecificOutput: { hookEventName: eventType, additionalContext: `Note from failproofai: ${combined}` } } : { reason: combined };
-    const stderrMsg = allowEntries.map((e) => `[failproofai] ${e.policyName}: ${e.reason}`).join(`
-`);
-    return { exitCode: 0, stdout: JSON.stringify(response), stderr: stderrMsg + `
-`, policyName: policyNames[0], policyNames, reason: combined, decision: "allow" };
-  }
-  return { exitCode: 0, stdout: "", stderr: "", policyName: null, reason: null, decision: "allow" };
-}
-var POLICY_PARAMS_MAP;
-var init_policy_evaluator = __esm(() => {
-  init_builtin_policies();
-  init_hook_logger();
-  POLICY_PARAMS_MAP = new Map(BUILTIN_POLICIES.filter((p) => p.params).map((p) => [p.name, p.params]));
-});
-
-// src/hooks/custom-hooks-registry.ts
-function getRegistry2() {
-  const g = globalThis;
-  if (!Array.isArray(g[REGISTRY_KEY2]))
-    g[REGISTRY_KEY2] = [];
-  return g[REGISTRY_KEY2];
-}
-function getCustomHooks() {
-  return getRegistry2();
-}
-function clearCustomHooks() {
-  const g = globalThis;
-  g[REGISTRY_KEY2] = [];
-}
-var REGISTRY_KEY2 = "__failproofai_custom_hooks__";
-var init_custom_hooks_registry = () => {};
-
-// src/hooks/loader-utils.ts
-import { readFile as readFile2, writeFile as writeFile2, unlink, access } from "fs/promises";
-import { resolve as resolve3, dirname as dirname2, relative } from "path";
-import { pathToFileURL } from "url";
-async function fileExists(path) {
-  try {
-    await access(path);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function findDistIndex() {
-  const distPath = process.env.FAILPROOFAI_DIST_PATH;
-  if (distPath) {
-    const candidate = resolve3(distPath, "index.js");
-    if (await fileExists(candidate))
-      return candidate;
-  }
-  const candidates = [
-    resolve3(dirname2(process.execPath), "..", "assets", "dist", "index.js"),
-    resolve3(process.cwd(), "dist", "index.js"),
-    resolve3(process.cwd(), "node_modules", "failproofai", "dist", "index.js")
-  ];
-  for (const c of candidates) {
-    if (await fileExists(c))
-      return c;
-  }
-  return null;
-}
-async function resolveLocalImport(fromDir, specifier) {
-  const base = resolve3(fromDir, specifier);
-  const candidates = [base, `${base}.js`, `${base}.mjs`, `${base}.ts`, resolve3(base, "index.js")];
-  for (const c of candidates) {
-    if (await fileExists(c))
-      return c;
-  }
-  return null;
-}
-async function createEsmShim(distIndex, distUrl) {
-  const shimPath = distIndex + ".__failproofai_esm_shim__.mjs";
-  const shimCode = [
-    `import _cjs from '${distUrl}';`,
-    `export const customPolicies = _cjs.customPolicies;`,
-    `export const getCustomHooks = _cjs.getCustomHooks;`,
-    `export const clearCustomHooks = _cjs.clearCustomHooks;`,
-    `export const allow = _cjs.allow;`,
-    `export const deny = _cjs.deny;`,
-    `export const instruct = _cjs.instruct;`,
-    `export default _cjs;`
-  ].join(`
-`);
-  await writeFile2(shimPath, shimCode, "utf-8");
-  return { shimPath, shimUrl: pathToFileURL(shimPath).href };
-}
-async function rewriteFileTree(entryPath, distUrl, distIndex) {
-  const queue = [entryPath];
-  const visited = new Set;
-  const tmpFiles = [];
-  let esmShimUrl = null;
-  if (distIndex && distUrl) {
-    const shim = await createEsmShim(distIndex, distUrl);
-    tmpFiles.push(shim.shimPath);
-    esmShimUrl = shim.shimUrl;
-  }
-  while (queue.length > 0) {
-    const filePath = queue.shift();
-    if (visited.has(filePath))
-      continue;
-    visited.add(filePath);
-    let code = await readFile2(filePath, "utf-8");
-    if (esmShimUrl) {
-      code = code.replace(/from\s+(['"])(?:claudeye|failproofai)\1/g, `from '${esmShimUrl}'`);
-    }
-    if (distIndex) {
-      code = code.replace(/require\s*\(\s*(['"])(?:claudeye|failproofai)\1\s*\)/g, `require('${distIndex.replace(/\\/g, "\\\\")}')`);
-    }
-    const dir = dirname2(filePath);
-    const rewrites = new Map;
-    for (const re of [LOCAL_IMPORT_RE, LOCAL_REQUIRE_RE]) {
-      const freshRe = new RegExp(re.source, re.flags);
-      let match;
-      while ((match = freshRe.exec(code)) !== null) {
-        const specifier = match[2];
-        if (rewrites.has(specifier))
-          continue;
-        const resolved2 = await resolveLocalImport(dir, specifier);
-        if (!resolved2)
-          continue;
-        if (!visited.has(resolved2) && !queue.includes(resolved2)) {
-          queue.push(resolved2);
-        }
-        let relPath = relative(dir, resolved2 + TMP_SUFFIX).split("\\").join("/");
-        if (!relPath.startsWith("."))
-          relPath = "./" + relPath;
-        rewrites.set(specifier, relPath);
-      }
-    }
-    const sortedSpecs = [...rewrites.keys()].sort((a, b) => b.length - a.length);
-    for (const specifier of sortedSpecs) {
-      const replacement = rewrites.get(specifier);
-      const escaped = specifier.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-      code = code.replace(new RegExp(`'${escaped}'`, "g"), `'${replacement}'`);
-      code = code.replace(new RegExp(`"${escaped}"`, "g"), `"${replacement}"`);
-    }
-    const tmpPath = filePath + TMP_SUFFIX;
-    await writeFile2(tmpPath, code, "utf-8");
-    tmpFiles.push(tmpPath);
-  }
-  return tmpFiles;
-}
-async function cleanupTmpFiles(tmpFiles) {
-  for (const tmp of tmpFiles) {
-    try {
-      await unlink(tmp);
-    } catch {}
-  }
-}
-var TMP_SUFFIX = ".__failproofai_tmp__.mjs", LOCAL_IMPORT_RE, LOCAL_REQUIRE_RE;
-var init_loader_utils = __esm(() => {
-  LOCAL_IMPORT_RE = /(?:import\s+(?:[\s\S]*?\s+from\s+)?|export\s+(?:[\s\S]*?\s+from\s+))(['"])(\.\.?\/[^'"]+)\1/g;
-  LOCAL_REQUIRE_RE = /require\s*\(\s*(['"])(\.\.?\/[^'"]+)\1\s*\)/g;
-});
-
-// src/hooks/custom-hooks-loader.ts
-import { resolve as resolve4, isAbsolute, basename } from "node:path";
-import { existsSync as existsSync3, readdirSync } from "node:fs";
-import { pathToFileURL as pathToFileURL2 } from "node:url";
-import { homedir as homedir4 } from "node:os";
-function discoverPolicyFiles(dir) {
-  if (!existsSync3(dir))
-    return [];
-  try {
-    const entries = readdirSync(dir, { withFileTypes: true });
-    return entries.filter((e) => e.isFile() && CONVENTION_FILE_RE.test(e.name)).sort((a, b) => a.name.localeCompare(b.name)).map((e) => resolve4(dir, e.name));
-  } catch {
-    return [];
-  }
-}
-async function loadSingleFile(absPath, opts) {
-  const g = globalThis;
-  g[LOADING_KEY] = true;
-  let tmpFiles = [];
-  try {
-    const distIndex = await findDistIndex();
-    const distUrl = distIndex ? pathToFileURL2(distIndex).href : null;
-    tmpFiles = await rewriteFileTree(absPath, distUrl, distIndex);
-    const entryTmp = absPath + TMP_SUFFIX;
-    const fileUrl = pathToFileURL2(entryTmp).href;
-    await import(fileUrl);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (opts?.strict)
-      throw new Error(`Failed to load custom hooks from ${absPath}: ${msg}`);
-    hookLogError(`failed to load custom hooks from ${absPath}: ${msg}`);
-  } finally {
-    g[LOADING_KEY] = false;
-    await cleanupTmpFiles(tmpFiles);
-  }
-}
-async function loadCustomHooks(customPoliciesPath, opts) {
-  if (!customPoliciesPath)
-    return [];
-  const absPath = isAbsolute(customPoliciesPath) ? customPoliciesPath : resolve4(opts?.sessionCwd ?? process.cwd(), customPoliciesPath);
-  if (!existsSync3(absPath)) {
-    if (opts?.strict)
-      throw new Error(`Custom hooks file not found: ${absPath}`);
-    hookLogWarn(`customPoliciesPath not found: ${absPath}`);
-    return [];
-  }
-  clearCustomHooks();
-  await loadSingleFile(absPath, opts);
-  return getCustomHooks();
-}
-async function loadAllCustomHooks(customPoliciesPath, opts) {
-  clearCustomHooks();
-  const conventionSources = [];
-  if (customPoliciesPath) {
-    const absPath = isAbsolute(customPoliciesPath) ? customPoliciesPath : resolve4(opts?.sessionCwd ?? process.cwd(), customPoliciesPath);
-    if (existsSync3(absPath)) {
-      await loadSingleFile(absPath);
-    } else {
-      hookLogWarn(`customPoliciesPath not found: ${absPath}`);
-    }
-  }
-  const hooksBeforeConvention = getCustomHooks().length;
-  const projectDir = resolve4(opts?.sessionCwd ?? process.cwd(), ".failproofai", "policies");
-  const projectFiles = discoverPolicyFiles(projectDir);
-  for (const file of projectFiles) {
-    const hooksBefore = getCustomHooks().length;
-    await loadSingleFile(file);
-    const newHooks = getCustomHooks().slice(hooksBefore);
-    if (newHooks.length > 0) {
-      conventionSources.push({
-        scope: "project",
-        file: basename(file),
-        hookNames: newHooks.map((h) => h.name)
-      });
-    }
-  }
-  const userDir = resolve4(homedir4(), ".failproofai", "policies");
-  const userFiles = discoverPolicyFiles(userDir);
-  for (const file of userFiles) {
-    const hooksBefore = getCustomHooks().length;
-    await loadSingleFile(file);
-    const newHooks = getCustomHooks().slice(hooksBefore);
-    if (newHooks.length > 0) {
-      conventionSources.push({
-        scope: "user",
-        file: basename(file),
-        hookNames: newHooks.map((h) => h.name)
-      });
-    }
-  }
-  const allHooks = getCustomHooks();
-  const conventionCount = allHooks.length - hooksBeforeConvention;
-  if (projectFiles.length > 0 || userFiles.length > 0) {
-    hookLogInfo(`convention policies: ${projectFiles.length} project file(s), ${userFiles.length} user file(s), ${conventionCount} hook(s)`);
-  }
-  const hookNameToScope = new Map;
-  for (const source of conventionSources) {
-    for (const name of source.hookNames) {
-      hookNameToScope.set(name, source.scope);
-    }
-  }
-  const conventionHookRefs = new Set;
-  for (const hook of allHooks.slice(hooksBeforeConvention)) {
-    conventionHookRefs.add(hook);
-  }
-  for (const hook of allHooks) {
-    if (conventionHookRefs.has(hook)) {
-      hook.__conventionScope = hookNameToScope.get(hook.name) ?? "project";
-    }
-  }
-  return { hooks: allHooks, conventionSources };
-}
-var LOADING_KEY = "__FAILPROOFAI_LOADING_HOOKS__", CONVENTION_FILE_RE;
-var init_custom_hooks_loader = __esm(() => {
-  init_hook_logger();
-  init_custom_hooks_registry();
-  init_loader_utils();
-  CONVENTION_FILE_RE = /policies\.(js|mjs|ts)$/;
-});
-
-// src/hooks/hook-activity-store.ts
-import {
-  readFileSync as readFileSync2,
-  writeFileSync as writeFileSync2,
-  appendFileSync as appendFileSync2,
-  renameSync as renameSync2,
-  readdirSync as readdirSync2,
-  mkdirSync as mkdirSync3,
-  existsSync as existsSync4,
-  statSync as statSync2,
-  unlinkSync
-} from "node:fs";
-import { join as join3 } from "node:path";
-import { homedir as homedir5 } from "node:os";
-function ensureDir() {
-  if (!existsSync4(storeDir)) {
-    mkdirSync3(storeDir, { recursive: true });
-  }
-}
-function acquireLock() {
-  ensureDir();
-  const lockPath = join3(storeDir, LOCK_FILE);
-  const deadline = Date.now() + LOCK_STALE_MS;
-  while (Date.now() < deadline) {
-    try {
-      writeFileSync2(lockPath, String(process.pid), { flag: "wx" });
-      return;
-    } catch (e) {
-      if (e.code !== "EEXIST")
-        return;
-      try {
-        const s = statSync2(lockPath);
-        if (Date.now() - s.mtimeMs > LOCK_STALE_MS) {
-          writeFileSync2(lockPath, String(process.pid), "utf-8");
-          return;
-        }
-      } catch {}
-    }
-  }
-}
-function releaseLock() {
-  try {
-    unlinkSync(join3(storeDir, LOCK_FILE));
-  } catch {}
-}
-function persistHookActivity(entry) {
-  ensureDir();
-  acquireLock();
-  try {
-    const currentPath = join3(storeDir, CURRENT_FILE);
-    const countPath = join3(storeDir, COUNT_FILE);
-    const lineCount = readCount(countPath);
-    if (lineCount >= PAGE_SIZE) {
-      try {
-        rotate(currentPath, countPath);
-      } catch (e) {
-        if (e.code !== "ENOENT")
-          throw e;
-      }
-    }
-    appendFileSync2(currentPath, JSON.stringify(entry) + `
-`, "utf-8");
-    writeCount(countPath, lineCount >= PAGE_SIZE ? 1 : lineCount + 1);
-    updateStats(entry);
-  } finally {
-    releaseLock();
-  }
-}
-function rotate(currentPath, countPath) {
-  const archiveName = `page-${Date.now()}-${rotateSeq++}.jsonl`;
-  const archivePath = join3(storeDir, archiveName);
-  renameSync2(currentPath, archivePath);
-  writeCount(countPath, 0);
-}
-function readCount(countPath) {
-  try {
-    const n = parseInt(readFileSync2(countPath, "utf-8"), 10);
-    return isNaN(n) ? 0 : n;
-  } catch {
-    return 0;
-  }
-}
-function writeCount(countPath, n) {
-  try {
-    writeFileSync2(countPath, String(n), "utf-8");
-  } catch {}
-}
-function readStoredStats() {
-  try {
-    return JSON.parse(readFileSync2(join3(storeDir, STATS_FILE), "utf-8"));
-  } catch {
-    return { totalEvents: 0, denyCount: 0, policyMap: {} };
-  }
-}
-function updateStats(entry) {
-  const s = readStoredStats();
-  s.totalEvents += 1;
-  if (entry.decision === "deny")
-    s.denyCount += 1;
-  if (entry.policyNames && entry.policyNames.length > 0) {
-    for (const name of entry.policyNames) {
-      s.policyMap[name] = (s.policyMap[name] ?? 0) + 1;
-    }
-  } else if (entry.policyName) {
-    s.policyMap[entry.policyName] = (s.policyMap[entry.policyName] ?? 0) + 1;
-  }
-  const tmpPath = join3(storeDir, `stats.json.${process.pid}.tmp`);
-  try {
-    writeFileSync2(tmpPath, JSON.stringify(s), "utf-8");
-    renameSync2(tmpPath, join3(storeDir, STATS_FILE));
-  } catch {
-    try {
-      unlinkSync(tmpPath);
-    } catch {}
-  }
-}
-var PAGE_SIZE = 25, DEFAULT_STORE_DIR, CURRENT_FILE = "current.jsonl", COUNT_FILE = "current.count", STATS_FILE = "stats.json", LOCK_FILE = "current.lock", LOCK_STALE_MS = 2000, storeDir, rotateSeq = 0;
-var init_hook_activity_store = __esm(() => {
-  DEFAULT_STORE_DIR = join3(homedir5(), ".failproofai", "cache", "hook-activity");
-  storeDir = DEFAULT_STORE_DIR;
-});
-
-// package.json
-var version2 = "0.0.6-beta.2";
-var init_package = () => {};
-
-// src/posthog-key.ts
-var POSTHOG_API_KEY = "phc_Ac1Ww1GqKc0z1SyrRWbmatEeQdlOQIsDEEdP8l8JRgX";
-
-// src/hooks/hook-telemetry.ts
-async function trackHookEvent(distinctId, event, properties) {
-  if (process.env.FAILPROOFAI_TELEMETRY_DISABLED === "1")
-    return;
-  const body = JSON.stringify({
-    api_key: process.env.FAILPROOFAI_POSTHOG_KEY ?? API_KEY,
-    event,
-    distinct_id: distinctId,
-    properties: { ...properties, $lib: "failproofai-hooks", failproofai_version: version2 }
-  });
-  try {
-    await fetch(process.env.FAILPROOFAI_POSTHOG_HOST ? `${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/` : CAPTURE_URL, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body,
-      signal: AbortSignal.timeout(5000)
-    });
-  } catch {}
-}
-var API_KEY, CAPTURE_URL = "https://us.i.posthog.com/capture/";
-var init_hook_telemetry = __esm(() => {
-  init_package();
-  API_KEY = POSTHOG_API_KEY;
-});
-
-// lib/telemetry-id.ts
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-import crypto from "node:crypto";
-import { execSync as execSync2 } from "node:child_process";
-function hashToId(raw) {
-  return crypto.createHmac("sha256", NAMESPACE).update(raw).digest("hex");
-}
-function getPlatformMachineId() {
-  try {
-    const platform = os.platform();
-    if (platform === "linux") {
-      for (const p of ["/etc/machine-id", "/var/lib/dbus/machine-id"]) {
-        try {
-          const id = fs.readFileSync(p, "utf-8").trim();
-          if (id)
-            return id;
-        } catch {}
-      }
-    } else if (platform === "darwin") {
-      const out = execSync2("ioreg -rd1 -c IOPlatformExpertDevice", {
-        encoding: "utf-8",
-        timeout: 3000
-      });
-      const m = out.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
-      if (m?.[1])
-        return m[1];
-    } else if (platform === "win32") {
-      const out = execSync2('reg query "HKLM\\SOFTWARE\\Microsoft\\Cryptography" /v MachineGuid', { encoding: "utf-8", timeout: 3000 });
-      const m = out.match(/MachineGuid\s+REG_SZ\s+(\S+)/);
-      if (m?.[1])
-        return m[1];
-    }
-  } catch {}
-  return;
-}
-function getSystemPropertiesId() {
-  return [
-    os.hostname(),
-    os.homedir(),
-    os.platform(),
-    os.arch(),
-    os.cpus()[0]?.model ?? ""
-  ].join(":");
-}
-function getFileBasedId() {
-  try {
-    const existing = fs.readFileSync(ID_FILE, "utf-8").trim();
-    if (existing)
-      return existing;
-  } catch {}
-  const id = crypto.randomUUID();
-  try {
-    fs.mkdirSync(ID_DIR, { recursive: true });
-    fs.writeFileSync(ID_FILE, id, "utf-8");
-  } catch {}
-  return id;
-}
-function getInstanceId() {
-  if (cachedId)
-    return cachedId;
-  const machineId = getPlatformMachineId();
-  if (machineId) {
-    cachedId = hashToId(machineId);
-    return cachedId;
-  }
-  const sysProps = getSystemPropertiesId();
-  if (sysProps) {
-    cachedId = hashToId(sysProps);
-    return cachedId;
-  }
-  cachedId = getFileBasedId();
-  return cachedId;
-}
-var NAMESPACE = "failproofai-telemetry-v1", ID_DIR, ID_FILE, cachedId;
-var init_telemetry_id = __esm(() => {
-  ID_DIR = path.join(os.homedir(), ".failproofai");
-  ID_FILE = path.join(ID_DIR, "instance-id");
-});
-
-// src/hooks/handler.ts
-var exports_handler = {};
-__export(exports_handler, {
-  handleHookEvent: () => handleHookEvent
-});
-async function handleHookEvent(eventType) {
-  const startTime = performance.now();
-  const MAX_STDIN_BYTES = 1048576;
-  let payload = "";
-  try {
-    payload = await new Promise((resolve5, reject) => {
-      const chunks = [];
-      let totalBytes = 0;
-      process.stdin.setEncoding("utf8");
-      process.stdin.on("data", (chunk) => {
-        totalBytes += Buffer.byteLength(chunk);
-        if (totalBytes > MAX_STDIN_BYTES) {
-          hookLogWarn(`stdin payload exceeds 1 MB for ${eventType}, discarding`);
-          process.stdin.destroy();
-          resolve5("");
-          return;
-        }
-        chunks.push(chunk);
-      });
-      process.stdin.on("end", () => resolve5(chunks.join("")));
-      process.stdin.on("error", reject);
-      if (process.stdin.readableEnded)
-        resolve5("");
-    });
-  } catch {
-    hookLogWarn(`stdin read failed for ${eventType}`);
-  }
-  let parsed = {};
-  if (payload) {
-    try {
-      parsed = JSON.parse(payload);
-    } catch {
-      hookLogWarn(`payload parse failed for ${eventType} (${payload.length} bytes)`);
-    }
-  }
-  const session = {
-    sessionId: parsed.session_id,
-    transcriptPath: parsed.transcript_path,
-    cwd: parsed.cwd,
-    permissionMode: parsed.permission_mode,
-    hookEventName: parsed.hook_event_name
-  };
-  const config = readMergedHooksConfig(session.cwd);
-  clearPolicies();
-  registerBuiltinPolicies(config.enabledPolicies);
-  const loadResult = await loadAllCustomHooks(config.customPoliciesPath, { sessionCwd: session.cwd });
-  const customHooksList = loadResult.hooks;
-  const conventionHookNames = new Set(loadResult.conventionSources.flatMap((s) => s.hookNames));
-  for (const hook of customHooksList) {
-    const hookName = hook.name;
-    const conventionScope = hook.__conventionScope;
-    const isConvention = !!conventionScope;
-    const prefix = isConvention ? `.failproofai-${conventionScope}` : "custom";
-    const fn = async (ctx) => {
-      try {
-        const result2 = await Promise.race([
-          hook.fn(ctx),
-          new Promise((_, reject) => setTimeout(() => reject(new Error("timeout")), 1e4))
-        ]);
-        return result2;
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        const isTimeout = msg === "timeout";
-        hookLogWarn(`${prefix} hook "${hookName}" failed: ${msg}`);
-        trackHookEvent(getInstanceId(), "custom_hook_error", {
-          hook_name: hookName,
-          error_type: isTimeout ? "timeout" : "exception",
-          event_type: eventType,
-          is_convention_policy: isConvention,
-          convention_scope: conventionScope ?? null
-        });
-        return { decision: "allow" };
-      }
-    };
-    registerPolicy(`${prefix}/${hookName}`, hook.description ?? "", fn, hook.match ?? {}, -1);
-  }
-  if (customHooksList.length > 0) {
-    trackHookEvent(getInstanceId(), "custom_hooks_loaded", {
-      custom_hooks_count: customHooksList.length,
-      custom_hook_names: customHooksList.map((h) => h.name),
-      event_types_covered: [...new Set(customHooksList.flatMap((h) => h.match?.events ?? []))]
-    });
-  }
-  if (loadResult.conventionSources.length > 0) {
-    trackHookEvent(getInstanceId(), "convention_policies_loaded", {
-      event_type: eventType,
-      project_file_count: loadResult.conventionSources.filter((s) => s.scope === "project").length,
-      user_file_count: loadResult.conventionSources.filter((s) => s.scope === "user").length,
-      convention_hook_count: conventionHookNames.size,
-      convention_hook_names: [...conventionHookNames]
-    });
-  }
-  hookLogInfo(`event=${eventType} policies=${config.enabledPolicies.length} custom=${customHooksList.length} convention=${conventionHookNames.size}`);
-  const result = await evaluatePolicies(eventType, parsed, session, config);
-  const durationMs = Math.round(performance.now() - startTime);
-  hookLogInfo(`result=${result.decision} policy=${result.policyName ?? "none"} duration=${durationMs}ms`);
-  if (result.stdout) {
-    process.stdout.write(result.stdout);
-  }
-  if (result.stderr) {
-    process.stderr.write(result.stderr);
-  }
-  try {
-    persistHookActivity({
-      timestamp: Date.now(),
-      eventType,
-      toolName: parsed.tool_name ?? null,
-      policyName: result.policyName,
-      policyNames: result.policyNames,
-      decision: result.decision,
-      reason: result.reason,
-      durationMs,
-      sessionId: session.sessionId,
-      transcriptPath: session.transcriptPath,
-      cwd: session.cwd,
-      permissionMode: session.permissionMode,
-      hookEventName: session.hookEventName
-    });
-  } catch {
-    hookLogWarn("activity persistence failed");
-  }
-  if (result.decision === "deny" || result.decision === "instruct") {
-    try {
-      const isCustomHook = result.policyName?.startsWith("custom/") ?? false;
-      const isConventionPolicy = result.policyName?.startsWith(".failproofai-") ?? false;
-      const conventionScope = isConventionPolicy ? result.policyName.match(/^\.failproofai-(project|user)\//)?.[1] ?? null : null;
-      const hasCustomParams = !isCustomHook && !isConventionPolicy && !!(result.policyName && config.policyParams?.[result.policyName]);
-      const paramKeysOverridden = hasCustomParams ? Object.keys(config.policyParams[result.policyName]) : [];
-      const distinctId = getInstanceId();
-      await trackHookEvent(distinctId, "hook_policy_triggered", {
-        event_type: eventType,
-        tool_name: parsed.tool_name ?? null,
-        policy_name: result.policyName,
-        decision: result.decision,
-        is_custom_hook: isCustomHook,
-        is_convention_policy: isConventionPolicy,
-        convention_scope: conventionScope,
-        has_custom_params: hasCustomParams,
-        param_keys_overridden: paramKeysOverridden
-      });
-    } catch {}
-  }
-  return result.exitCode;
-}
-var init_handler = __esm(() => {
-  init_hooks_config();
-  init_builtin_policies();
-  init_policy_evaluator();
-  init_custom_hooks_loader();
-  init_hook_activity_store();
-  init_hook_telemetry();
-  init_telemetry_id();
-  init_hook_logger();
-});
-
-// src/hooks/types.ts
-var HOOK_SCOPES, HOOK_EVENT_TYPES, FAILPROOFAI_HOOK_MARKER = "__failproofai_hook__";
-var init_types = __esm(() => {
-  HOOK_SCOPES = ["user", "project", "local"];
-  HOOK_EVENT_TYPES = [
-    "SessionStart",
-    "SessionEnd",
-    "UserPromptSubmit",
-    "PreToolUse",
-    "PermissionRequest",
-    "PermissionDenied",
-    "PostToolUse",
-    "PostToolUseFailure",
-    "Notification",
-    "SubagentStart",
-    "SubagentStop",
-    "TaskCreated",
-    "TaskCompleted",
-    "Stop",
-    "StopFailure",
-    "TeammateIdle",
-    "InstructionsLoaded",
-    "ConfigChange",
-    "CwdChanged",
-    "FileChanged",
-    "WorktreeCreate",
-    "WorktreeRemove",
-    "PreCompact",
-    "PostCompact",
-    "Elicitation",
-    "ElicitationResult"
-  ];
-});
-
-// src/hooks/install-prompt.ts
-import * as readline from "node:readline";
-async function promptPolicySelection(preSelected, options = {}) {
-  const { includeBeta = false } = options;
-  if (!process.stdin.isTTY) {
-    const available = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta);
-    if (preSelected)
-      return preSelected.filter((name) => available.some((p) => p.name === name));
-    return available.filter((p) => p.defaultEnabled).map((p) => p.name);
-  }
-  const preSelectedSet = preSelected ? new Set(preSelected) : null;
-  const items = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta).map((p) => ({
-    name: p.name,
-    description: p.description,
-    category: p.category,
-    selected: preSelectedSet ? preSelectedSet.has(p.name) : p.defaultEnabled,
-    beta: !!p.beta
-  }));
-  const total = items.length;
-  const WINDOW_SIZE = 8;
-  let cursor = 0;
-  let search = "";
-  let lastLineCount = 0;
-  let cursorHidden = false;
-  function hideCursor() {
-    if (!cursorHidden) {
-      process.stdout.write("\x1B[?25l");
-      cursorHidden = true;
-    }
-  }
-  function showCursor() {
-    if (cursorHidden) {
-      process.stdout.write("\x1B[?25h");
-      cursorHidden = false;
-    }
-  }
-  function truncateLine(line, width) {
-    let visual = 0;
-    let result = "";
-    let i = 0;
-    while (i < line.length) {
-      if (line[i] === "\x1B" && line[i + 1] === "[") {
-        let j = i + 2;
-        while (j < line.length && !/[A-Za-z]/.test(line[j]))
-          j++;
-        j++;
-        result += line.slice(i, j);
-        i = j;
-      } else {
-        if (visual >= width)
-          break;
-        result += line[i];
-        visual++;
-        i++;
-      }
-    }
-    return result;
-  }
-  function getFiltered() {
-    if (!search)
-      return items;
-    const q = search.toLowerCase();
-    return items.filter((i) => i.name.toLowerCase().includes(q) || i.description.toLowerCase().includes(q));
-  }
-  function buildDisplayRows(filtered) {
-    const categoryOrder = [];
-    const categoryEnabledCount = new Map;
-    const categoryTotalCount = new Map;
-    for (const p of items) {
-      if (!categoryEnabledCount.has(p.category)) {
-        categoryOrder.push(p.category);
-        categoryEnabledCount.set(p.category, 0);
-        categoryTotalCount.set(p.category, 0);
-      }
-      categoryTotalCount.set(p.category, categoryTotalCount.get(p.category) + 1);
-      if (p.selected)
-        categoryEnabledCount.set(p.category, categoryEnabledCount.get(p.category) + 1);
-    }
-    const filteredByCategory = new Map;
-    for (const item of filtered) {
-      const bucket = filteredByCategory.get(item.category) ?? [];
-      bucket.push(item);
-      filteredByCategory.set(item.category, bucket);
-    }
-    const rows = [];
-    let idx = 0;
-    for (const cat of categoryOrder) {
-      const catFiltered = filteredByCategory.get(cat);
-      if (!catFiltered || catFiltered.length === 0)
-        continue;
-      rows.push({ kind: "header", category: cat, enabledCount: categoryEnabledCount.get(cat), totalCount: categoryTotalCount.get(cat) });
-      for (const item of catFiltered) {
-        rows.push({ kind: "item", item, filteredIndex: idx++ });
-      }
-    }
-    return rows;
-  }
-  function render() {
-    const cols = process.stdout.columns || 120;
-    hideCursor();
-    const filtered = getFiltered();
-    const shown = filtered.length;
-    if (shown > 0 && cursor >= shown)
-      cursor = shown - 1;
-    const lines = [];
-    lines.push("  Failproof AI — Policy Manager");
-    lines.push("");
-    const innerWidth = Math.max(20, cols - 6);
-    const topBorder = "  ┌" + "─".repeat(innerWidth + 2) + "┐";
-    const botBorder = "  └" + "─".repeat(innerWidth + 2) + "┘";
-    const cursorChar = "\x1B[7m \x1B[0m";
-    const countPart = search ? ` \x1B[2m(${shown}/${total})\x1B[0m` : ` \x1B[2m(${total} policies)\x1B[0m`;
-    const searchContent = `\x1B[1mSearch:\x1B[0m ${search}${cursorChar}${countPart}`;
-    lines.push(topBorder);
-    lines.push(`  │ ${searchContent}`);
-    lines.push(botBorder);
-    lines.push("");
-    if (shown === 0) {
-      lines.push("  \x1B[2mNo policies match “" + search + "”\x1B[0m");
-      for (let i = 0;i < WINDOW_SIZE + 1; i++)
-        lines.push("");
-    } else {
-      const displayRows = buildDisplayRows(filtered);
-      let cursorDisplayRow = 0;
-      for (let i = 0;i < displayRows.length; i++) {
-        const row = displayRows[i];
-        if (row.kind === "item" && row.filteredIndex === cursor) {
-          cursorDisplayRow = i;
-          break;
-        }
-      }
-      let windowStart = cursorDisplayRow - Math.floor(WINDOW_SIZE / 2);
-      windowStart = Math.max(0, windowStart);
-      windowStart = Math.min(windowStart, Math.max(0, displayRows.length - WINDOW_SIZE));
-      const windowEnd = Math.min(displayRows.length, windowStart + WINDOW_SIZE);
-      const aboveItems = displayRows.slice(0, windowStart).filter((r) => r.kind === "item").length;
-      if (aboveItems > 0) {
-        lines.push(`  \x1B[2m  ↑ ${aboveItems} more above\x1B[0m`);
-      } else {
-        lines.push("");
-      }
-      for (let i = windowStart;i < windowEnd; i++) {
-        const row = displayRows[i];
-        if (row.kind === "header") {
-          const label = ` ${row.category.toUpperCase()} (${row.enabledCount}/${row.totalCount}) `;
-          const prefix = "── ";
-          const prefixLen = 3 + label.length;
-          const dashLen = Math.max(2, cols - 2 - prefixLen);
-          lines.push(`  \x1B[2m${prefix}${label}${"─".repeat(dashLen)}\x1B[0m`);
-        } else {
-          const item = row.item;
-          const isActive = row.filteredIndex === cursor;
-          const pointer = isActive ? "\x1B[36m❯\x1B[0m" : " ";
-          const check = item.selected ? "\x1B[32m[✓]\x1B[0m" : "[ ]";
-          const namePart = isActive ? `\x1B[1;36m${item.name}\x1B[0m` : item.name;
-          const betaPart = item.beta ? " \x1B[35m[beta]\x1B[0m" : "";
-          const pad = " ".repeat(Math.max(1, 28 - item.name.length));
-          const desc = `\x1B[2m${item.description}\x1B[0m`;
-          lines.push(`  ${pointer} ${check} ${namePart}${betaPart}${pad}${desc}`);
-        }
-      }
-      for (let i = windowEnd - windowStart;i < WINDOW_SIZE; i++) {
-        lines.push("");
-      }
-      const belowItems = displayRows.slice(windowEnd).filter((r) => r.kind === "item").length;
-      if (belowItems > 0) {
-        lines.push(`  \x1B[2m  ↓ ${belowItems} more below\x1B[0m`);
-      } else {
-        lines.push("");
-      }
-    }
-    lines.push("");
-    lines.push("  \x1B[2m" + "─".repeat(cols - 2) + "\x1B[0m");
-    lines.push("  [↑↓] Move  [Space] Toggle  [Ctrl+A] All  [Ctrl+S] Save  [Esc] Clear  [^C] Quit");
-    lines.push("");
-    lines.push("  \x1B[2mTip: `policies` for a flat list · `policies --install <name…>` to skip prompt\x1B[0m");
-    if (!includeBeta) {
-      lines.push("  \x1B[2mTip: `policies --install --beta` to include beta policies\x1B[0m");
-    }
-    if (lastLineCount > 0) {
-      process.stdout.write(`\x1B[${lastLineCount}A\x1B[J`);
-    }
-    const output = lines.map((l) => l === "" ? l : truncateLine(l, cols)).join(`
-`) + `
-`;
-    process.stdout.write(output);
-    lastLineCount = lines.length;
-  }
-  return new Promise((resolve5) => {
-    render();
-    process.stdin.setRawMode(true);
-    process.stdin.resume();
-    readline.emitKeypressEvents(process.stdin);
-    function keypressHandler(_str, key) {
-      if (!key)
-        return;
-      if (key.ctrl && key.name === "c") {
-        cleanup();
-        process.exit(0);
-      }
-      const filtered = getFiltered();
-      if (key.name === "up") {
-        if (filtered.length > 0) {
-          cursor = cursor > 0 ? cursor - 1 : filtered.length - 1;
-        }
-        render();
-      } else if (key.name === "down") {
-        if (filtered.length > 0) {
-          cursor = cursor < filtered.length - 1 ? cursor + 1 : 0;
-        }
-        render();
-      } else if (key.name === "return" || key.name === "space") {
-        const item = filtered[cursor];
-        if (item)
-          item.selected = !item.selected;
-        render();
-      } else if (key.name === "escape") {
-        search = "";
-        cursor = 0;
-        render();
-      } else if (key.ctrl && key.name === "a") {
-        const allSelected = filtered.length > 0 && filtered.every((i) => i.selected);
-        for (const item of filtered)
-          item.selected = !allSelected;
-        render();
-      } else if (key.ctrl && key.name === "s") {
-        cleanup();
-        const selected = items.filter((i) => i.selected).map((i) => i.name);
-        process.stdout.write(`
-`);
-        resolve5(selected);
-      } else if (key.name === "backspace" || key.name === "delete") {
-        if (search.length > 0) {
-          search = search.slice(0, -1);
-          cursor = 0;
-          render();
-        }
-      } else if (_str && _str.length === 1 && !key.ctrl && !key.meta) {
-        search += _str;
-        cursor = 0;
-        render();
-      }
-    }
-    function cleanup() {
-      showCursor();
-      process.stdin.removeListener("keypress", keypressHandler);
-      process.stdin.setRawMode(false);
-      process.stdin.pause();
-    }
-    process.stdin.on("keypress", keypressHandler);
-  });
-}
-var init_install_prompt = __esm(() => {
-  init_builtin_policies();
-});
-
-// src/cli-error.ts
-var CliError;
-var init_cli_error = __esm(() => {
-  CliError = class CliError extends Error {
-    exitCode;
-    constructor(message, exitCode = 1) {
-      super(message);
-      this.name = "CliError";
-      this.exitCode = exitCode;
-    }
-  };
-});
-
-// src/hooks/manager.ts
-var exports_manager = {};
-__export(exports_manager, {
-  removeHooks: () => removeHooks,
-  listHooks: () => listHooks,
-  installHooks: () => installHooks,
-  hooksInstalledInSettings: () => hooksInstalledInSettings,
-  getSettingsPath: () => getSettingsPath
-});
-import { execSync as execSync3 } from "node:child_process";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync5, mkdirSync as mkdirSync4 } from "node:fs";
-import { resolve as resolve5, dirname as dirname3, basename as basename2 } from "node:path";
-import { homedir as homedir6, platform, arch, release, hostname } from "node:os";
-function getSettingsPath(scope, cwd) {
-  const base = cwd ? resolve5(cwd) : process.cwd();
-  switch (scope) {
-    case "user":
-      return resolve5(homedir6(), ".claude", "settings.json");
-    case "project":
-      return resolve5(base, ".claude", "settings.json");
-    case "local":
-      return resolve5(base, ".claude", "settings.local.json");
-  }
-}
-function scopeLabel(scope) {
-  switch (scope) {
-    case "user":
-      return `~/.claude/settings.json`;
-    case "project":
-      return `{cwd}/.claude/settings.json`;
-    case "local":
-      return `{cwd}/.claude/settings.local.json`;
-  }
-}
-function readSettings(settingsPath) {
-  if (!existsSync5(settingsPath)) {
-    return {};
-  }
-  const raw = readFileSync3(settingsPath, "utf8");
-  return JSON.parse(raw);
-}
-function writeSettings(settingsPath, settings) {
-  mkdirSync4(dirname3(settingsPath), { recursive: true });
-  writeFileSync3(settingsPath, JSON.stringify(settings, null, 2) + `
-`, "utf8");
-}
-function resolveFailproofaiBinary() {
-  try {
-    const cmd = process.platform === "win32" ? "where failproofai" : "which failproofai";
-    const result = execSync3(cmd, { encoding: "utf8" }).trim();
-    return result.split(`
-`)[0].trim();
-  } catch {
-    throw new CliError(`failproofai binary not found in PATH.
-` + "Install it globally first: npm install -g failproofai");
-  }
-}
-function isFailproofaiHook(hook) {
-  if (hook[FAILPROOFAI_HOOK_MARKER] === true)
-    return true;
-  const cmd = typeof hook.command === "string" ? hook.command : "";
-  return cmd.includes("failproofai") && cmd.includes("--hook");
-}
-function validatePolicyNames(names) {
-  const invalid = names.filter((n) => !VALID_POLICY_NAMES.has(n));
-  if (invalid.length > 0) {
-    const validList = [...VALID_POLICY_NAMES].join(", ");
-    throw new CliError(`Unknown policy name(s): ${invalid.join(", ")}
-` + `Valid policies: ${validList}`);
-  }
-}
-function deduplicateScopes(scopes, cwd) {
-  const seen = new Set;
-  return scopes.filter((s) => {
-    const p = getSettingsPath(s, cwd);
-    if (seen.has(p))
-      return false;
-    seen.add(p);
-    return true;
-  });
-}
-function hooksInstalledInSettings(scope, cwd) {
-  const settingsPath = getSettingsPath(scope, cwd);
-  if (!existsSync5(settingsPath))
-    return false;
-  try {
-    const settings = readSettings(settingsPath);
-    if (!settings.hooks)
-      return false;
-    for (const matchers of Object.values(settings.hooks)) {
-      if (!Array.isArray(matchers))
-        continue;
-      for (const matcher of matchers) {
-        if (!matcher.hooks)
-          continue;
-        if (matcher.hooks.some((h) => isFailproofaiHook(h))) {
-          return true;
-        }
-      }
-    }
-  } catch {}
-  return false;
-}
-function removeHooksFromSettingsFile(settingsPath) {
-  const settings = readSettings(settingsPath);
-  if (!settings.hooks)
-    return 0;
-  let removed = 0;
-  for (const eventType of Object.keys(settings.hooks)) {
-    const matchers = settings.hooks[eventType];
-    if (!Array.isArray(matchers))
-      continue;
-    for (let i = matchers.length - 1;i >= 0; i--) {
-      const matcher = matchers[i];
-      if (!matcher.hooks)
-        continue;
-      const before = matcher.hooks.length;
-      matcher.hooks = matcher.hooks.filter((h) => !isFailproofaiHook(h));
-      removed += before - matcher.hooks.length;
-      if (matcher.hooks.length === 0) {
-        matchers.splice(i, 1);
-      }
-    }
-    if (matchers.length === 0) {
-      delete settings.hooks[eventType];
-    }
-  }
-  if (Object.keys(settings.hooks).length === 0) {
-    delete settings.hooks;
-  }
-  writeSettings(settingsPath, settings);
-  return removed;
-}
-async function installHooks(policyNames, scope = "user", cwd, includeBeta = false, source, customPoliciesPath, removeCustomHooks = false) {
-  if (policyNames !== undefined && policyNames.length > 0) {
-    const nonAllNames = policyNames.filter((n) => n !== "all");
-    if (nonAllNames.length > 0)
-      validatePolicyNames(nonAllNames);
-    if (policyNames.includes("all") && nonAllNames.length > 0) {
-      throw new CliError(`"all" cannot be combined with specific policy names.
-` + `Use either: --install all  or  --install block-sudo sanitize-jwt ...`);
-    }
-  }
-  const binaryPath = resolveFailproofaiBinary();
-  const previousConfig = readScopedHooksConfig(scope, cwd);
-  const previousEnabled = new Set(previousConfig.enabledPolicies);
-  let selectedPolicies;
-  if (policyNames !== undefined) {
-    let incoming;
-    if (policyNames.length === 1 && policyNames[0] === "all") {
-      incoming = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta).map((p) => p.name);
-    } else {
-      incoming = policyNames;
-    }
-    selectedPolicies = [...new Set([...previousConfig.enabledPolicies, ...incoming])];
-  } else {
-    const preSelected = previousConfig.enabledPolicies.length > 0 ? previousConfig.enabledPolicies : undefined;
-    selectedPolicies = await promptPolicySelection(preSelected, { includeBeta });
-  }
-  const configToWrite = { ...previousConfig, enabledPolicies: selectedPolicies };
-  if (removeCustomHooks) {
-    delete configToWrite.customPoliciesPath;
-  } else if (customPoliciesPath) {
-    configToWrite.customPoliciesPath = resolve5(customPoliciesPath);
-    let validatedHooks = [];
-    try {
-      validatedHooks = await loadCustomHooks(configToWrite.customPoliciesPath, { strict: true });
-    } catch (err) {
-      console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
-      process.exit(1);
-    }
-    if (validatedHooks.length === 0) {
-      console.error(`Error: no hooks registered in ${customPoliciesPath}. ` + `Make sure your file calls customPolicies.add(...) at least once.`);
-      process.exit(1);
-    }
-    console.log(`
-Validated ${validatedHooks.length} custom hook(s): ${validatedHooks.map((h) => h.name).join(", ")}`);
-  }
-  writeScopedHooksConfig(configToWrite, scope, cwd);
-  console.log(`
-Enabled ${selectedPolicies.length} policy(ies): ${selectedPolicies.join(", ")}`);
-  if (removeCustomHooks) {
-    console.log("Custom hooks path cleared.");
-  } else if (configToWrite.customPoliciesPath) {
-    console.log(`Custom hooks path: ${configToWrite.customPoliciesPath}`);
-  }
-  const settingsPath = getSettingsPath(scope, cwd);
-  const settings = readSettings(settingsPath);
-  if (!settings.hooks) {
-    settings.hooks = {};
-  }
-  for (const eventType of HOOK_EVENT_TYPES) {
-    const command = scope === "project" ? `npx -y failproofai --hook ${eventType}` : `"${binaryPath}" --hook ${eventType}`;
-    const hookEntry = {
-      type: "command",
-      command,
-      timeout: 60000,
-      [FAILPROOFAI_HOOK_MARKER]: true
-    };
-    if (!settings.hooks[eventType]) {
-      settings.hooks[eventType] = [];
-    }
-    const matchers = settings.hooks[eventType];
-    let found = false;
-    for (const matcher of matchers) {
-      if (!matcher.hooks)
-        continue;
-      const failproofaiIdx = matcher.hooks.findIndex((h) => isFailproofaiHook(h));
-      if (failproofaiIdx >= 0) {
-        matcher.hooks[failproofaiIdx] = hookEntry;
-        found = true;
-        break;
-      }
-    }
-    if (!found) {
-      matchers.push({ hooks: [hookEntry] });
-    }
-  }
-  writeSettings(settingsPath, settings);
-  try {
-    const newSet = new Set(selectedPolicies);
-    const policiesAdded = selectedPolicies.filter((p) => !previousEnabled.has(p));
-    const policiesRemoved = [...previousEnabled].filter((p) => !newSet.has(p));
-    const distinctId = getInstanceId();
-    await trackHookEvent(distinctId, "hooks_installed", {
-      scope,
-      policies: selectedPolicies,
-      policy_count: selectedPolicies.length,
-      policies_added: policiesAdded,
-      policies_removed: policiesRemoved,
-      ...source ? { source } : {},
-      platform: platform(),
-      arch: arch(),
-      os_release: release(),
-      hostname_hash: hashToId(hostname()),
-      has_custom_hooks_path: !!configToWrite.customPoliciesPath,
-      has_policy_params: !!(configToWrite.policyParams && Object.keys(configToWrite.policyParams).length > 0),
-      param_policy_names: configToWrite.policyParams ? Object.keys(configToWrite.policyParams) : [],
-      command_format: scope === "project" ? "npx" : "absolute"
-    });
-  } catch {}
-  console.log(`Failproof AI hooks installed for all ${HOOK_EVENT_TYPES.length} event types (scope: ${scope}).`);
-  console.log(`Settings: ${settingsPath}`);
-  if (scope === "project") {
-    console.log(`Command:  npx -y failproofai`);
-    console.log(`
-This file can be committed to git — no machine-specific paths.`);
-  } else {
-    console.log(`Binary:   ${binaryPath}`);
-  }
-  const otherScopes = deduplicateScopes(HOOK_SCOPES, cwd).filter((s) => s !== scope);
-  const duplicates = otherScopes.filter((s) => hooksInstalledInSettings(s, cwd));
-  if (duplicates.length > 0) {
-    const scopeList = duplicates.map((s) => `${s} (${scopeLabel(s)})`).join(", ");
-    console.log();
-    console.log(`\x1B[33mWarning: Failproof AI hooks are also installed at ${scopeList}.\x1B[0m`);
-    console.log(`Having hooks in multiple scopes may cause duplicate policy evaluation.`);
-    console.log(`Use \`failproofai policies --uninstall --scope ${duplicates[0]}\` to remove the other installation,`);
-    console.log(`or \`failproofai policies\` to see all scopes.`);
-  }
-}
-async function removeHooks(policyNames, scope = "user", cwd, opts) {
-  const configScope = scope === "all" ? "user" : scope;
-  if (opts?.removeCustomHooks) {
-    const config = readScopedHooksConfig(configScope, cwd);
-    delete config.customPoliciesPath;
-    writeScopedHooksConfig(config, configScope, cwd);
-    console.log("Custom hooks path cleared.");
-  }
-  if (policyNames && policyNames.length > 0 && !(policyNames.length === 1 && policyNames[0] === "all")) {
-    validatePolicyNames(policyNames);
-    const config = readScopedHooksConfig(configScope, cwd);
-    const removeSet = new Set(policyNames);
-    const remaining = config.enabledPolicies.filter((p) => !removeSet.has(p));
-    const notEnabled = policyNames.filter((p) => !config.enabledPolicies.includes(p));
-    if (notEnabled.length > 0) {
-      console.log(`Warning: policy(ies) not currently enabled: ${notEnabled.join(", ")}`);
-    }
-    const { policyParams: existingParams, ...baseConfig } = config;
-    const filteredParams = existingParams ? Object.fromEntries(Object.entries(existingParams).filter(([k]) => !removeSet.has(k))) : null;
-    const updatedConfig = {
-      ...baseConfig,
-      enabledPolicies: remaining,
-      ...filteredParams && Object.keys(filteredParams).length > 0 ? { policyParams: filteredParams } : {}
-    };
-    writeScopedHooksConfig(updatedConfig, configScope, cwd);
-    try {
-      const distinctId = getInstanceId();
-      const actuallyRemoved = policyNames.filter((p) => config.enabledPolicies.includes(p));
-      await trackHookEvent(distinctId, "hooks_removed", {
-        scope,
-        removal_mode: opts?.betaOnly ? "beta_policies" : "policies",
-        beta_only: opts?.betaOnly ?? false,
-        policies_removed: actuallyRemoved,
-        removed_count: actuallyRemoved.length,
-        ...opts?.source ? { source: opts.source } : {},
-        platform: platform(),
-        arch: arch(),
-        os_release: release(),
-        hostname_hash: hashToId(hostname())
-      });
-    } catch {}
-    console.log(`Disabled ${policyNames.length - notEnabled.length} policy(ies).`);
-    console.log(`Remaining: ${remaining.length > 0 ? remaining.join(", ") : "(none)"}`);
-    return;
-  }
-  const configBeforeRemoval = readScopedHooksConfig(configScope, cwd);
-  const scopesToRemove = scope === "all" ? [...HOOK_SCOPES] : [scope];
-  let totalRemoved = 0;
-  for (const s of scopesToRemove) {
-    const settingsPath = getSettingsPath(s, cwd);
-    if (!existsSync5(settingsPath)) {
-      if (scope !== "all") {
-        console.log("No settings file found. Nothing to remove.");
-        return;
-      }
-      continue;
-    }
-    const settings = readSettings(settingsPath);
-    if (!settings.hooks) {
-      if (scope !== "all") {
-        console.log("No hooks found in settings. Nothing to remove.");
-        return;
-      }
-      continue;
-    }
-    const removed = removeHooksFromSettingsFile(settingsPath);
-    totalRemoved += removed;
-    if (scope !== "all") {
-      console.log(`Removed ${removed} failproofai hook(s) from settings.`);
-      console.log(`Settings: ${settingsPath}`);
-    }
-  }
-  if (scope === "all") {
-    console.log(`Removed ${totalRemoved} failproofai hook(s) from all scopes.`);
-    for (const s of scopesToRemove) {
-      console.log(`  ${s}: ${getSettingsPath(s, cwd)}`);
-    }
-  }
-  try {
-    const distinctId = getInstanceId();
-    await trackHookEvent(distinctId, "hooks_removed", {
-      scope,
-      removal_mode: "hooks",
-      policies_removed: configBeforeRemoval.enabledPolicies,
-      removed_count: totalRemoved,
-      ...opts?.source ? { source: opts.source } : {},
-      platform: platform(),
-      arch: arch(),
-      os_release: release(),
-      hostname_hash: hashToId(hostname())
-    });
-  } catch {}
-  if (scope === "all") {
-    for (const s of HOOK_SCOPES) {
-      const existing = readScopedHooksConfig(s, cwd);
-      if (existing.enabledPolicies.length > 0 || existing.customPoliciesPath || existing.policyParams) {
-        const { customPoliciesPath: _drop, policyParams: _dropParams, ...rest } = existing;
-        writeScopedHooksConfig({ ...rest, enabledPolicies: [] }, s, cwd);
-      }
-    }
-  } else if (!HOOK_SCOPES.some((s) => hooksInstalledInSettings(s, cwd))) {
-    const existing = readScopedHooksConfig(configScope, cwd);
-    const { customPoliciesPath: _drop, policyParams: _dropParams, ...rest } = existing;
-    writeScopedHooksConfig({ ...rest, enabledPolicies: [] }, configScope, cwd);
-  }
-}
-async function listHooks(cwd) {
-  const config = readMergedHooksConfig(cwd);
-  const enabledSet = new Set(config.enabledPolicies);
-  const uniqueScopes = deduplicateScopes(HOOK_SCOPES, cwd);
-  const installedScopes = uniqueScopes.filter((s) => hooksInstalledInSettings(s, cwd));
-  const regularPolicies = BUILTIN_POLICIES.filter((p) => !p.beta);
-  const betaPolicies = BUILTIN_POLICIES.filter((p) => p.beta);
-  const nameColWidth = Math.max(...BUILTIN_POLICIES.map((p) => p.name.length)) + 2;
-  const builtinPolicyNames = new Set(BUILTIN_POLICIES.map((p) => p.name));
-  const printParamsSummary = (policyName, indent) => {
-    const params = config.policyParams?.[policyName];
-    if (!params)
-      return;
-    for (const [key, val] of Object.entries(params)) {
-      console.log(`${indent}  ${key}: ${JSON.stringify(val)}`);
-    }
-  };
-  const statusCol = 8;
-  const printSimpleRow = (policy) => {
-    const mark = enabledSet.has(policy.name) ? `\x1B[32m✓\x1B[0m` : " ";
-    console.log(`  ${mark}${" ".repeat(statusCol - 1)}${policy.name.padEnd(nameColWidth)}${policy.description}`);
-    printParamsSummary(policy.name, `  ${" ".repeat(statusCol)}`);
-  };
-  const printBetaSection = (printRow) => {
-    if (betaPolicies.length > 0) {
-      console.log(`
-  \x1B[2m── Beta ──\x1B[0m`);
-      for (const policy of betaPolicies)
-        printRow(policy);
-    }
-  };
-  if (installedScopes.length === 0) {
-    console.log(`
-Failproof AI Policies — not installed
-`);
-    console.log(`  ${"Status".padEnd(statusCol)}${"Name".padEnd(nameColWidth)}Description`);
-    console.log(`  ${"─".repeat(6)}  ${"─".repeat(nameColWidth - 2)}  ${"─".repeat(38)}`);
-    for (const policy of regularPolicies)
-      printSimpleRow(policy);
-    printBetaSection(printSimpleRow);
-    if (config.enabledPolicies.length > 0) {
-      console.log("\n  Policies not installed. Run `failproofai policies --install` to activate.");
-    } else {
-      console.log("\n  Run `failproofai policies --install` to get started.");
-    }
-    console.log(`  Config: ~/.failproofai/policies-config.json
-`);
-  } else if (installedScopes.length === 1) {
-    const scope = installedScopes[0];
-    console.log(`
-Failproof AI Hook Policies (${scope})
-`);
-    console.log(`  ${"Status".padEnd(statusCol)}${"Name".padEnd(nameColWidth)}Description`);
-    console.log(`  ${"─".repeat(6)}  ${"─".repeat(nameColWidth - 2)}  ${"─".repeat(38)}`);
-    for (const policy of regularPolicies)
-      printSimpleRow(policy);
-    printBetaSection(printSimpleRow);
-    console.log(`
-  Config: ~/.failproofai/policies-config.json
-`);
-  } else {
-    const COL = 9;
-    const scopeLabelMap = {
-      user: "User",
-      project: "Project",
-      local: "Local"
-    };
-    console.log(`
-Failproof AI Hook Policies
-`);
-    const buildScopePrefix = () => {
-      let s = "  ";
-      for (const sc of installedScopes)
-        s += scopeLabelMap[sc].padEnd(COL);
-      return s;
-    };
-    const scopeHeaderWidth = installedScopes.length * COL;
-    console.log(`${buildScopePrefix()}${"Name".padEnd(nameColWidth)}Description`);
-    console.log(`  ${"─".repeat(scopeHeaderWidth)}${"─".repeat(nameColWidth)}${"─".repeat(38)}`);
-    const printMultiScopeRow = (policy) => {
-      const enabled = enabledSet.has(policy.name);
-      let row = "  ";
-      for (const _scope of installedScopes) {
-        if (enabled) {
-          row += `\x1B[32m✓ ON\x1B[0m` + " ".repeat(COL - 4);
-        } else {
-          row += "  OFF" + " ".repeat(COL - 5);
-        }
-      }
-      row += policy.name.padEnd(nameColWidth) + policy.description;
-      console.log(row);
-      printParamsSummary(policy.name, `  ${" ".repeat(scopeHeaderWidth)}`);
-    };
-    for (const policy of regularPolicies)
-      printMultiScopeRow(policy);
-    if (betaPolicies.length > 0) {
-      console.log(`
-  \x1B[2m── Beta ──\x1B[0m`);
-      for (const policy of betaPolicies)
-        printMultiScopeRow(policy);
-    }
-    console.log(`
-  Config: ~/.failproofai/policies-config.json`);
-    const scopeNames = installedScopes.join(", ");
-    console.log();
-    console.log(`\x1B[33m⚠ Hooks in multiple scopes (${scopeNames}).\x1B[0m`);
-    console.log(`  Consider keeping one. Remove with: failproofai policies --uninstall --scope <scope>
-`);
-  }
-  if (config.policyParams) {
-    for (const key of Object.keys(config.policyParams)) {
-      if (!builtinPolicyNames.has(key)) {
-        console.log(`  \x1B[33mWarning: unknown policyParams key "${key}" — possible typo\x1B[0m`);
-      }
-    }
-  }
-  if (config.customPoliciesPath) {
-    console.log(`
-  ── Custom Policies (${config.customPoliciesPath}) ───────────────────────`);
-    if (!existsSync5(config.customPoliciesPath)) {
-      console.log(`  \x1B[31m✗ File not found: ${config.customPoliciesPath}\x1B[0m`);
-    } else {
-      const hooks = await loadCustomHooks(config.customPoliciesPath);
-      if (hooks.length === 0) {
-        console.log(`  \x1B[31m✗ ERR  failed to load (check ~/.failproofai/logs/hooks.log)\x1B[0m`);
-      } else {
-        const descColWidth = nameColWidth;
-        for (const hook of hooks) {
-          console.log(`  \x1B[32m✓\x1B[0m       ${hook.name.padEnd(descColWidth)}${hook.description ?? ""}`);
-        }
-      }
-    }
-    console.log();
-  }
-  const base = cwd ? resolve5(cwd) : process.cwd();
-  const conventionDirs = [
-    { label: "Project", dir: resolve5(base, ".failproofai", "policies") },
-    { label: "User", dir: resolve5(homedir6(), ".failproofai", "policies") }
-  ];
-  for (const { label, dir } of conventionDirs) {
-    const files = discoverPolicyFiles(dir);
-    if (files.length === 0)
-      continue;
-    console.log(`
-  ── Convention Policies — ${label} (${dir}) ──────────`);
-    for (const file of files) {
-      try {
-        const hooks = await loadCustomHooks(file);
-        if (hooks.length === 0) {
-          const filename = basename2(file);
-          console.log(`  \x1B[31m✗\x1B[0m       ${filename.padEnd(nameColWidth)}\x1B[31mfailed to load\x1B[0m`);
-        } else {
-          const filename = basename2(file);
-          const hookSummary = hooks.map((h) => h.name).join(", ");
-          console.log(`  \x1B[32m✓\x1B[0m       ${filename.padEnd(nameColWidth)}${hooks.length} hook(s): ${hookSummary}`);
-        }
-      } catch {
-        const filename = basename2(file);
-        console.log(`  \x1B[31m✗\x1B[0m       ${filename.padEnd(nameColWidth)}\x1B[31merror\x1B[0m`);
-      }
-    }
-    console.log();
-  }
-}
-var VALID_POLICY_NAMES;
-var init_manager = __esm(() => {
-  init_types();
-  init_install_prompt();
-  init_hooks_config();
-  init_builtin_policies();
-  init_custom_hooks_loader();
-  init_hook_telemetry();
-  init_telemetry_id();
-  init_cli_error();
-  VALID_POLICY_NAMES = new Set(BUILTIN_POLICIES.map((p) => p.name));
-});
-
-// lib/paths.ts
-import { homedir as homedir7 } from "os";
-import { join as join4 } from "path";
-function getDefaultClaudeProjectsPath() {
-  return join4(homedir7(), ".claude", "projects");
-}
-var init_paths = () => {};
-
-// scripts/parse-script-args.ts
-import { resolve as resolve6 } from "path";
-function parseStringFlag(flagName, errorLabel, inlineValue, args, index, options) {
-  const raw = inlineValue ?? args[index + 1];
-  if (raw === undefined || inlineValue === null && raw.startsWith("-")) {
-    console.error(`Error: ${flagName} requires ${errorLabel}`);
-    process.exit(1);
-  }
-  const value = options?.resolve ? resolve6(raw) : raw;
-  return { value, spliceCount: inlineValue !== null ? 1 : 2 };
-}
-function parseScriptArgs(argv) {
-  const args = [...argv];
-  let claudeProjectsPath;
-  let loggingLevel;
-  let disableTelemetry = false;
-  let allowedDevOrigins;
-  for (let i = 0;i < args.length; i++) {
-    const arg = args[i];
-    const eqIdx = arg.indexOf("=");
-    const flag = eqIdx >= 0 ? arg.slice(0, eqIdx) : arg;
-    const inlineValue = eqIdx >= 0 ? arg.slice(eqIdx + 1) : null;
-    if (flag === "--projects-path" || flag === "-p") {
-      const { value, spliceCount } = parseStringFlag(flag, "a path argument", inlineValue, args, i);
-      claudeProjectsPath = value;
-      args.splice(i, spliceCount);
-      i--;
-      continue;
-    }
-    if (flag === "--logging") {
-      const raw = inlineValue ?? args[i + 1];
-      if (raw === undefined || inlineValue === null && raw.startsWith("-")) {
-        console.error("Error: --logging requires a level (info, warn, error)");
-        process.exit(1);
-      }
-      const val = raw.toLowerCase();
-      if (val !== "info" && val !== "warn" && val !== "error") {
-        console.error("Error: --logging must be one of: info, warn, error");
-        process.exit(1);
-      }
-      loggingLevel = val;
-      args.splice(i, inlineValue !== null ? 1 : 2);
-      i--;
-      continue;
-    }
-    if (flag === "--disable-telemetry") {
-      disableTelemetry = true;
-      args.splice(i, 1);
-      i--;
-      continue;
-    }
-    if (flag === "--allowed-origins") {
-      const { value, spliceCount } = parseStringFlag(flag, "a comma-separated list of origins", inlineValue, args, i);
-      allowedDevOrigins = value.split(",").map((s) => s.trim()).filter(Boolean);
-      args.splice(i, spliceCount);
-      i--;
-      continue;
-    }
-  }
-  return { claudeProjectsPath, loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs: args };
-}
-var init_parse_script_args = () => {};
-
-// scripts/launch.ts
-var exports_launch = {};
-__export(exports_launch, {
-  launch: () => launch
-});
-import { spawn } from "child_process";
-import { realpathSync, existsSync as existsSync6 } from "node:fs";
-import { resolve as resolve7, dirname as dirname4 } from "node:path";
-import { fileURLToPath } from "node:url";
-function launch(mode) {
-  const { claudeProjectsPath: parsedPath, loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs } = parseScriptArgs(process.argv.slice(2));
-  console.log(`
-    ______      _ __                       ____   ___    ____
-   / ____/___ _(_) /___  _________  ____  / __/  /   |  /  _/
-  / /_  / __ \`/ / / __ \\/ ___/ __ \\/ __ \\/ /_   / /| |  / /
- / __/ / /_/ / / / /_/ / /  / /_/ / /_/ / __/  / ___ |_/ /
-/_/    \\__,_/_/_/ .___/_/   \\____/\\____/_/    /_/  |_/___/
-               /_/   v${version2}
-`);
-  console.log(`  ⭐ Star us:      https://github.com/exospherehost/failproofai`);
-  console.log(`  \uD83D\uDCD6 Docs:         https://befailproof.ai
-`);
-  let claudeProjectsPath = parsedPath;
-  if (!claudeProjectsPath) {
-    claudeProjectsPath = getDefaultClaudeProjectsPath();
-    console.log(`Using default .claude projects path: ${claudeProjectsPath}`);
-  } else {
-    console.log(`Using custom .claude projects path: ${claudeProjectsPath}`);
-  }
-  process.env.CLAUDE_PROJECTS_PATH = claudeProjectsPath;
-  let cmd;
-  let cmdArgs;
-  if (mode === "start") {
-    const portIdx = remainingArgs.indexOf("--port");
-    const port = portIdx >= 0 ? remainingArgs[portIdx + 1] : "8020";
-    process.env.PORT = port;
-    process.env.HOSTNAME = "0.0.0.0";
-    cmd = "node";
-    const packageRoot = process.env.FAILPROOFAI_PACKAGE_ROOT ?? resolve7(dirname4(realpathSync(fileURLToPath(import.meta.url))), "..");
-    const serverJsPath = resolve7(packageRoot, ".next/standalone/server.js");
-    if (!existsSync6(serverJsPath)) {
-      console.error(`
-Error: Cannot find server.js at:
-  ${serverJsPath}
-
-` + `The package may be missing its build output.
-` + `Try reinstalling:
-  npm install -g failproofai@latest
-`);
-      process.exit(1);
-    }
-    cmdArgs = [serverJsPath];
-  } else {
-    cmd = "bunx";
-    cmdArgs = ["--bun", "next", "dev", ...remainingArgs];
-  }
-  const nextProcess = spawn(cmd, cmdArgs, {
-    stdio: "inherit",
-    env: {
-      ...process.env,
-      CLAUDE_PROJECTS_PATH: claudeProjectsPath,
-      ...loggingLevel ? { FAILPROOFAI_LOG_LEVEL: loggingLevel } : {},
-      ...disableTelemetry ? { FAILPROOFAI_TELEMETRY_DISABLED: "1" } : {},
-      ...allowedDevOrigins ? { FAILPROOFAI_ALLOWED_DEV_ORIGINS: allowedDevOrigins.join(",") } : {}
-    }
-  });
-  nextProcess.on("error", (error) => {
-    console.error("Error starting Next.js:", error);
-    process.exit(1);
-  });
-  nextProcess.on("exit", (code) => {
-    process.exit(code || 0);
-  });
-}
-var init_launch = __esm(() => {
-  init_paths();
-  init_parse_script_args();
-  init_package();
-});
-
-// src/cli-error.ts
-var exports_cli_error = {};
-__export(exports_cli_error, {
-  CliError: () => CliError2
-});
-var CliError2;
-var init_cli_error2 = __esm(() => {
-  CliError2 = class CliError2 extends Error {
-    exitCode;
-    constructor(message, exitCode = 1) {
-      super(message);
-      this.name = "CliError";
-      this.exitCode = exitCode;
-    }
-  };
-});
-
-// bin/failproofai.mjs
-import { realpathSync as realpathSync2 } from "fs";
-import { dirname as dirname5, resolve as resolve8 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-// package.json
-var version = "0.0.6-beta.2";
-
-// bin/failproofai.mjs
-if (!process.env.FAILPROOFAI_PACKAGE_ROOT) {
-  process.env.FAILPROOFAI_PACKAGE_ROOT = resolve8(dirname5(realpathSync2(fileURLToPath2(import.meta.url))), "..");
-}
-if (!process.env.FAILPROOFAI_DIST_PATH) {
-  process.env.FAILPROOFAI_DIST_PATH = resolve8(dirname5(realpathSync2(fileURLToPath2(import.meta.url))), "..", "dist");
-}
-var args = process.argv.slice(2);
-if (args[0] === "p")
-  args[0] = "policies";
-var hookIdx = args.indexOf("--hook");
-if (hookIdx >= 0) {
-  if (!args[hookIdx + 1]) {
-    console.error("Error: Missing event type after --hook");
-    console.error("Usage: failproofai --hook <event>  (e.g. PreToolUse, PostToolUse)");
-    process.exit(1);
-  }
-  try {
-    const { handleHookEvent: handleHookEvent2 } = await Promise.resolve().then(() => (init_handler(), exports_handler));
-    const exitCode = await handleHookEvent2(args[hookIdx + 1]);
-    process.exit(exitCode);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    console.error(`Unexpected error: ${msg}`);
-    process.exit(2);
-  }
-}
-async function runCli() {
-  const SUBCOMMANDS = ["policies"];
-  if ((args.includes("--help") || args.includes("-h")) && !SUBCOMMANDS.includes(args[0])) {
-    const extraArgs = args.filter((a) => a !== "--help" && a !== "-h");
-    if (extraArgs.length > 0) {
-      throw new CliError3(`Unexpected argument: ${extraArgs[0]}
-Run \`failproofai --help\` for usage.`);
-    }
-    console.log(`
-failproofai v${version}
-
-USAGE
-  failproofai [command] [options]
-
-COMMANDS
-  (no args)                      Launch the policy dashboard
-
-  policies, p                    List all available policies and their status
-  policies --install, -i         Enable policies in Claude Code settings
-    [names...]                     Specific policy names to enable
-    --scope user|project|local     Config scope to write to (default: user)
-    --beta                         Include beta policies
-    --custom, -c <path>            Path to a JS file of custom policies
-
-  policies --uninstall, -u       Disable policies or remove hooks
-    [names...]                     Specific policy names to disable
-    --scope user|project|local|all Config scope to remove from (default: user)
-    --beta                         Remove only beta policies
-    --custom, -c                   Clear the customPoliciesPath from config
-
-  policies --help, -h            Show this help for the policies command
-
-  --version, -v                  Print version and exit
-  --help, -h                     Show this help message
-
-CONVENTION POLICIES
-  Drop *policies.{js,mjs,ts} files into .failproofai/policies/ for auto-loading.
-  Works at project level (.failproofai/policies/) and user level (~/.failproofai/policies/).
-  No --custom flag or config changes needed \u2014 just drop files and they're picked up.
-
-EXAMPLES
-  failproofai policies
-  failproofai policies --install
-  failproofai policies --install block-sudo sanitize-api-keys --scope project
-  failproofai policies --install --custom ./my-policies.js
-  failproofai policies -i -c ./my-policies.js
-  failproofai policies --uninstall block-sudo
-  failproofai policies --uninstall --custom
-
-LINKS
-  \u2B50 Star us:      https://github.com/exospherehost/failproofai
-  \uD83D\uDCD6 Docs:         https://befailproof.ai
-`.trimStart());
-    process.exit(0);
-  }
-  if ((args.includes("--version") || args.includes("-v")) && !SUBCOMMANDS.includes(args[0])) {
-    const extraArgs = args.filter((a) => a !== "--version" && a !== "-v");
-    if (extraArgs.length > 0) {
-      throw new CliError3(`Unexpected argument: ${extraArgs[0]}
-Run \`failproofai --help\` for usage.`);
-    }
-    console.log(version);
-    process.exit(0);
-  }
-  if (args[0] === "policies") {
-    const subArgs = args.slice(1);
-    const isInstall = subArgs.includes("--install") || subArgs.includes("-i");
-    const isUninstall = subArgs.includes("--uninstall") || subArgs.includes("-u");
-    const isHelp = subArgs.includes("--help") || subArgs.includes("-h");
-    if (isHelp) {
-      console.log(`
-failproofai policies \u2014 manage Failproof AI policies
-
-USAGE
-  failproofai policies                       List all policies and their status
-  failproofai policies --install, -i         Enable policies
-  failproofai policies --uninstall, -u       Disable policies or remove hooks
-
-OPTIONS (install)
-  [names...]                     Specific policy names to enable (omit for interactive)
-  --scope user|project|local     Config scope to write to (default: user)
-  --beta                         Include beta policies
-  --custom, -c <path>            Path to a JS file of custom policies
-                                 (skips interactive prompt; validates file first)
-
-OPTIONS (uninstall)
-  [names...]                     Specific policy names to disable (omit to remove hooks)
-  --scope user|project|local|all Config scope to remove from (default: user)
-  --beta                         Remove only beta policies
-  --custom, -c                   Clear the customPoliciesPath from config
-
-EXAMPLES
-  failproofai policies
-  failproofai policies --install
-  failproofai policies --install block-sudo sanitize-api-keys
-  failproofai policies --install --custom ./my-policies.js
-  failproofai policies -i -c ./my-policies.js
-  failproofai policies --uninstall block-sudo
-  failproofai policies -u
-  failproofai policies --uninstall --custom
-`.trimStart());
-      process.exit(0);
-    }
-    if (isInstall) {
-      const { installHooks: installHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-      const scopeIdx = subArgs.indexOf("--scope");
-      const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
-      if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
-        throw new CliError3("Missing value for --scope. Valid values: user, project, local");
-      }
-      if (scopeIdx >= 0 && !["user", "project", "local"].includes(scope)) {
-        throw new CliError3(`Invalid scope: ${scope}. Valid values: user, project, local`);
-      }
-      const customIdx = subArgs.includes("--custom") ? subArgs.indexOf("--custom") : subArgs.includes("-c") ? subArgs.indexOf("-c") : -1;
-      const customPoliciesPath = customIdx >= 0 ? subArgs[customIdx + 1] : undefined;
-      if (customIdx >= 0 && (!customPoliciesPath || customPoliciesPath.startsWith("-"))) {
-        throw new CliError3(`Missing path after --custom/-c
-Usage: --custom <path>  (e.g. --custom ./my-policies.js)`);
-      }
-      const includeBeta = subArgs.includes("--beta");
-      const consumedIdxs = new Set;
-      if (scopeIdx >= 0)
-        consumedIdxs.add(scopeIdx + 1);
-      if (customIdx >= 0)
-        consumedIdxs.add(customIdx + 1);
-      const flags = new Set(["--install", "-i", "--scope", "--beta", "--custom", "-c"]);
-      const unknownInstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
-      if (unknownInstallFlag) {
-        throw new CliError3(`Unknown flag: ${unknownInstallFlag}
-Run \`failproofai policies --help\` for usage.`);
-      }
-      const explicitPolicyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
-      const policyNames = explicitPolicyNames.length > 0 ? explicitPolicyNames : customPoliciesPath !== undefined ? [] : undefined;
-      await installHooks2(policyNames, scope, undefined, includeBeta, undefined, customPoliciesPath);
-      process.exit(0);
-    }
-    if (isUninstall) {
-      const { removeHooks: removeHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-      const scopeIdx = subArgs.indexOf("--scope");
-      const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
-      if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
-        throw new CliError3("Missing value for --scope. Valid values: user, project, local, all");
-      }
-      if (scopeIdx >= 0 && !["user", "project", "local", "all"].includes(scope)) {
-        throw new CliError3(`Invalid scope: ${scope}. Valid values: user, project, local, all`);
-      }
-      const betaOnly = subArgs.includes("--beta");
-      const removeCustomHooks = subArgs.includes("--custom") || subArgs.includes("-c");
-      const consumedIdxs = new Set;
-      if (scopeIdx >= 0)
-        consumedIdxs.add(scopeIdx + 1);
-      const flags = new Set(["--uninstall", "-u", "--scope", "--beta", "--custom", "-c"]);
-      const unknownUninstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
-      if (unknownUninstallFlag) {
-        throw new CliError3(`Unknown flag: ${unknownUninstallFlag}
-Run \`failproofai policies --help\` for usage.`);
-      }
-      const policyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
-      await removeHooks2(policyNames.length > 0 ? policyNames : undefined, scope, undefined, { betaOnly, removeCustomHooks });
-      process.exit(0);
-    }
-    const knownListFlags = new Set(["--install", "-i", "--uninstall", "-u", "--help", "-h", "--list"]);
-    const unknownListArg = subArgs.find((a) => a.startsWith("-") && !knownListFlags.has(a));
-    if (unknownListArg) {
-      throw new CliError3(`Unknown flag: ${unknownListArg}
-Run \`failproofai policies --help\` for usage.`);
-    }
-    const positionalArgs = subArgs.filter((a) => !a.startsWith("-"));
-    if (positionalArgs.length > 0) {
-      throw new CliError3(`Unexpected argument: ${positionalArgs[0]}
-Run \`failproofai policies --help\` for usage.`);
-    }
-    const { listHooks: listHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-    await listHooks2();
-    process.exit(0);
-  }
-  const knownFlags = ["--version", "-v", "--help", "-h", "--hook"];
-  const unknownFlag = args.find((a) => a.startsWith("-") && !knownFlags.includes(a));
-  if (unknownFlag) {
-    let levenshtein = function(a, b) {
-      const m = a.length, n = b.length;
-      const dp = Array.from({ length: m + 1 }, (_, i) => Array.from({ length: n + 1 }, (_2, j) => i === 0 ? j : j === 0 ? i : 0));
-      for (let i = 1;i <= m; i++)
-        for (let j = 1;j <= n; j++)
-          dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
-      return dp[m][n];
-    };
-    const primary = ["--version", "--help", "--hook", "policies"];
-    const closest = primary.reduce((best, flag) => {
-      const dist = levenshtein(unknownFlag, flag);
-      return dist < best.dist ? { flag, dist } : best;
-    }, { flag: primary[0], dist: Infinity });
-    throw new CliError3(`Unknown flag: ${unknownFlag}
-Did you mean: ${closest.flag}?
-Run \`failproofai --help\` for usage details.`);
-  }
-  const unknownSubcommand = args.find((a) => !a.startsWith("-") && a !== "policies");
-  if (unknownSubcommand) {
-    throw new CliError3(`Unknown command: ${unknownSubcommand}
-Did you mean: failproofai policies?
-Run \`failproofai --help\` for usage details.`);
-  }
-  const { launch: launch2 } = await Promise.resolve().then(() => (init_launch(), exports_launch));
-  launch2("start");
-}
-var { CliError: CliError3 } = await Promise.resolve().then(() => (init_cli_error2(), exports_cli_error));
-try {
-  await runCli();
-} catch (err) {
-  if (err instanceof CliError3) {
-    console.error(`Error: ${err.message}`);
-    process.exit(err.exitCode);
-  }
-  const msg = err instanceof Error ? err.message : String(err);
-  console.error(`Unexpected error: ${msg}`);
-  process.exit(2);
-}