getprismo 0.1.10 → 0.1.13

package/README.md

@@ -33,6 +33,7 @@ after you code      npx getprismo cc timeline
 **doctor** diagnoses the repo, applies safe fixes, and shows the before/after score.
 **watch** monitors context pressure live and warns when things go wrong.
 **cc timeline** reconstructs what happened in the session so you learn from it.
+**shield** runs noisy commands without dumping full output back into the agent context.
 
 ---
 
@@ -41,6 +42,7 @@ after you code      npx getprismo cc timeline
 - missing `.claudeignore` / `.cursorignore` (the biggest single fix for most repos)
 - lockfiles entering context (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`)
 - generated artifacts leaking in (`__pycache__`, `dist/`, `coverage/`, `.next/`)
+- operational source-stream dumps leaking in (`events/`, `source-streams/`, inbox/calendar/GitHub JSONL exports)
 - oversized instruction files (`CLAUDE.md` or `AGENTS.md` over 500 tokens)
 - tool output dominating sessions (repeated reads, large command output)
 - long-running sessions with stale context accumulation
@@ -136,6 +138,51 @@ watch caught lockfiles entering context, a file being read 286 times, and tool o
 
 ---
 
+## new: context shield
+
+if you know a command may dump huge output, run it through prismo:
+
+```bash
+npx getprismo shield -- npm test
+npx getprismo shield -- pytest -q
+npx getprismo shield -- npm run build
+```
+
+shield executes the command locally, stores full stdout/stderr under `.prismo/shield/runs/`, indexes the output in `.prismo/shield/shield.sqlite` using SQLite FTS5 when available, and prints only a compact summary plus useful error lines.
+
+this is the lightweight context-sandbox layer: the full output stays on disk until you explicitly inspect it, instead of being pasted into the model context and re-sent every turn.
+
+example:
+
+```text
+Prismo Shield
+
+Command: npm test
+Exit: 1
+Captured: 186 KB (~46,500 tokens kept out of chat)
+
+Full Output Stored:
+- .prismo/shield/runs/2026-05-20T.../stdout.txt
+- .prismo/shield/runs/2026-05-20T.../stderr.txt
+- .prismo/shield/shield.sqlite
+
+Summary Returned To Context:
+- ERROR: auth.test.ts expected 200 received 401
+- FAIL src/auth/session.test.ts
+```
+
+search previous shield output without reloading whole logs:
+
+```bash
+npx getprismo shield last
+npx getprismo shield search "auth expected 200"
+npx getprismo shield search "AUTH_FAILURE" --json
+```
+
+this is intentionally not magic interception yet. it is a safe local-first primitive you can tell agents to use for noisy commands.
+
+---
+
 ## new: live guardrails mode
 
 the easiest proactive mode is:
@@ -396,6 +443,8 @@ if an existing `.claudeignore` or `.cursorignore` already covers prismo's recomm
 
 backend and frontend summaries include load-bearing candidates ranked by import references, text-reference signals, recent git touches when available, and file size, not just directory listings.
 
+prismo also flags source-stream dumps separately from normal build artifacts. large inbox/calendar/github/event payload files are treated as operational noise because they often get summarized once, written near the repo, and then accidentally re-read by later coding sessions.
+
 what doctor never touches:
 
 - your real `CLAUDE.md`
@@ -482,6 +531,7 @@ no install needed. npx runs it directly.
 | `scan --ci` | fail CI when token-risk gates fail |
 | `optimize` | generate `.prismo/` context packs |
 | `context` | print paste-ready prompt for agents |
+| `shield` | run noisy commands while keeping full output out of chat |
 | `setup` | detect tools, logs, proxy readiness |
 | `usage` | show raw session token usage |
 | `init` | add npm scripts and .prismo/README.md |
@@ -523,6 +573,16 @@ npx getprismo watch codex                # only codex sessions
 npx getprismo watch claude               # only claude code sessions
 ```
 
+### shield mode
+
+```bash
+npx getprismo shield -- npm test
+npx getprismo shield -- pytest -q
+npx getprismo shield --json -- npm run build
+npx getprismo shield last
+npx getprismo shield search "auth failure"
+```
+
 ---
 
 ## cc modes
@@ -656,7 +716,7 @@ then your team can run `npm run ai:doctor` without remembering the full command.
 - openai codex
 - cursor
 - any tool that respects `.claudeignore` or `.cursorignore`
-- any repo (node, python, go, rust, monorepos, whatever)
+- any repo (node, python, go, rust, vue, svelte, astro, monorepos, whatever)
 
 ---
 

package/lib/prismo-dev/constants.js

@@ -84,6 +84,10 @@ const SOURCE_EXTENSIONS = new Set([
   ".html",
   ".vue",
   ".svelte",
+  ".mjs",
+  ".cjs",
+  ".mts",
+  ".cts",
 ]);
 
 const INSTRUCTION_FILES = [
@@ -120,8 +124,15 @@ const DEFAULT_CLAUDEIGNORE = [
   "package-lock.json",
   "yarn.lock",
   "pnpm-lock.yaml",
+  "bun.lockb",
   "test-results/",
   "playwright-report/",
+  "events/",
+  "event-dumps/",
+  "session-dumps/",
+  "source-streams/",
+  "inbox-dumps/",
+  "calendar-dumps/",
   "models/",
   "state-backups/",
   "backups/",
@@ -158,6 +169,7 @@ const GENERATED_ARTIFACT_PATTERNS = [
   /(^|\/)coverage\//,
   /(^|\/)playwright-report\//,
   /(^|\/)test-results\//,
+  /(^|\/)(events|event-dumps|session-dumps|source-streams|inbox-dumps|calendar-dumps)\//,
   /(^|\/)__pycache__\//,
   /(^|\/)\.pytest_cache\//,
   /(^|\/)\.cache\//,

package/lib/prismo-dev/context-optimize.js

@@ -26,6 +26,11 @@ function detectFrameworks(root, result) {
     const deps = { ...(pkg && pkg.dependencies), ...(pkg && pkg.devDependencies) };
     if (deps.next) frameworks.add("Next.js");
     if (deps.react) frameworks.add("React");
+    if (deps.vue || deps["@vue/runtime-core"]) frameworks.add("Vue");
+    if (deps.svelte || deps["@sveltejs/kit"]) frameworks.add(deps["@sveltejs/kit"] ? "SvelteKit" : "Svelte");
+    if (deps["solid-js"]) frameworks.add("Solid");
+    if (deps.astro) frameworks.add("Astro");
+    if (deps.nuxt) frameworks.add("Nuxt");
     if (deps.express) frameworks.add("Express");
     if (deps["@nestjs/core"]) frameworks.add("NestJS");
     if (deps.prisma || deps["@prisma/client"]) frameworks.add("Prisma");
@@ -75,6 +80,11 @@ function detectFrameworks(root, result) {
   if ([...textFiles.keys()].some((rel) => rel.includes("prisma/schema.prisma"))) frameworks.add("Prisma");
   if ([...textFiles.keys()].some((rel) => rel.includes("next.config."))) frameworks.add("Next.js");
   if ([...textFiles.keys()].some((rel) => rel.includes("vite.config."))) frameworks.add("Vite");
+  if ([...textFiles.keys()].some((rel) => rel.includes("svelte.config."))) frameworks.add("SvelteKit");
+  if ([...textFiles.keys()].some((rel) => rel.includes("astro.config."))) frameworks.add("Astro");
+  if ([...textFiles.keys()].some((rel) => rel.includes("nuxt.config."))) frameworks.add("Nuxt");
+  if ([...textFiles.keys()].some((rel) => rel.endsWith(".vue"))) frameworks.add("Vue");
+  if ([...textFiles.keys()].some((rel) => rel.endsWith(".svelte"))) frameworks.add("Svelte");
   if ([...textFiles.keys()].some((rel) => rel.includes("tailwind.config."))) frameworks.add("Tailwind");
   if ([...textFiles.keys()].some((rel) => rel.endsWith("tsconfig.json"))) frameworks.add("TypeScript");
   if ([...textFiles.keys()].some((rel) => rel.includes("alembic/") || rel.endsWith("alembic.ini"))) frameworks.add("Alembic");
@@ -109,6 +119,11 @@ function detectEntrypoints(result) {
     "src/app/page.tsx",
     "src/main.tsx",
     "src/index.tsx",
+    "src/App.vue",
+    "src/App.svelte",
+    "src/routes/+page.svelte",
+    "src/pages/index.astro",
+    "app.vue",
     "server.js",
     "index.js",
     "docker/docker-compose.yml",
@@ -173,12 +188,18 @@ function detectBackendPaths(result) {
 }
 
 function detectFrontendPaths(result) {
+  const appSurface = /(^|\/)(frontend\/)?src\/(app|pages|routes)\//;
+  const appFile = /(^|\/)(frontend\/)?src\/(App|main|index)\.(jsx?|tsx?|vue|svelte)$/;
+  const componentFile = /(^|\/)(frontend\/)?src\/(components|ui|widgets)\//;
+  const apiFile = /(^|\/)(frontend\/)?src\/(lib|hooks|composables|stores|services|api)\/.*(api|client|query|fetch|request|finops)/;
+  const stylingFile = /tailwind\.config|globals\.css|app\.css|\.module\.css|\.scss$|(^|\/)(frontend\/)?src\/styles?\//;
+  const stateFile = /providers?\.(tsx?|jsx?)|react-query|use[A-Z].*\.(ts|tsx|js|jsx)|(^|\/)(stores?|state|pinia|zustand|redux)\//;
   return {
-    app: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (/frontend\/src\/app\//.test(rel) || /frontend\/src\/App\.[jt]sx?$/.test(rel) || /src\/App\.[jt]sx?$/.test(rel) || /src\/app\//.test(rel) || /apps\/[^/]+\/app\//.test(rel) || /apps\/[^/]+\/src\/app\//.test(rel)), 24).map((f) => f.path),
-    components: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (/frontend\/src\/components\//.test(rel) || /src\/components\//.test(rel) || /apps\/[^/]+\/.*components\//.test(rel) || /packages\/[^/]+\/.*components\//.test(rel)), 20).map((f) => f.path),
-    apiClient: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (/frontend\/src\/(lib|hooks)\/.*(api|client|query|finops)/.test(rel) || /src\/(lib|hooks)\/.*(api|client|query)/.test(rel)), 20).map((f) => f.path),
-    styling: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (/tailwind\.config|globals\.css|\.module\.css|frontend\/src\/app\/globals/.test(rel)), 20).map((f) => f.path),
-    state: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (/providers\.tsx|react-query|use[A-Z].*\.ts/.test(rel)), 20).map((f) => f.path),
+    app: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (appSurface.test(rel) || appFile.test(rel) || /(^|\/)app\.vue$/.test(rel) || /apps\/[^/]+\/(app|pages|routes|src\/app|src\/pages|src\/routes)\//.test(rel)), 24).map((f) => f.path),
+    components: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (componentFile.test(rel) || /apps\/[^/]+\/.*(components|ui|widgets)\//.test(rel) || /packages\/[^/]+\/.*(components|ui|widgets)\//.test(rel)), 24).map((f) => f.path),
+    apiClient: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && (apiFile.test(rel) || /apps\/[^/]+\/.*(lib|hooks|composables|services|api)\/.*(api|client|query|fetch|request)/.test(rel)), 24).map((f) => f.path),
+    styling: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && stylingFile.test(rel), 24).map((f) => f.path),
+    state: findRepoFiles(result, (rel) => !isNonSourcePath(rel) && stateFile.test(rel), 24).map((f) => f.path),
   };
 }
 
@@ -194,7 +215,7 @@ function createOptimizeContext(rootDir = process.cwd(), scope = null) {
     frameworks.some((name) => ["FastAPI", "Django", "Flask"].includes(name)) ||
     Boolean(backend.api.length || backend.services.length || backend.db.length || backend.auth.length);
   const frontendDetected = folders.includes("frontend") ||
-    frameworks.some((name) => ["Next.js", "React", "Vite"].includes(name)) ||
+    frameworks.some((name) => ["Next.js", "React", "Vite", "Vue", "Svelte", "SvelteKit", "Solid", "Astro", "Nuxt"].includes(name)) ||
     Boolean(frontend.app.length || frontend.components.length || frontend.apiClient.length || frontend.state.length);
   const warnings = [];
   if (scan.exposedLargeFiles.length) warnings.push(`${scan.exposedLargeFiles.length} exposed large file(s) may bloat AI context.`);
@@ -321,7 +342,7 @@ function formatGitActivity(activity) {
 }
 
 function topLoadBearing(root, files, allFiles, gitActivity, limit = 8) {
-  const textFiles = (allFiles || []).filter((file) => !file.ignored && file.kind !== "binary" && /\.(py|tsx?|jsx?)$/.test(file.path));
+  const textFiles = (allFiles || []).filter((file) => !file.ignored && file.kind !== "binary" && /\.(py|tsx?|jsx?|mjs|cjs|vue|svelte)$/.test(file.path));
   const sourcePaths = new Set(textFiles.map((file) => file.path));
   const pythonModuleToPath = new Map();
   for (const file of textFiles.filter((candidate) => candidate.path.endsWith(".py"))) {
@@ -338,7 +359,7 @@ function topLoadBearing(root, files, allFiles, gitActivity, limit = 8) {
         const target = pythonModuleToPath.get(imported) || pythonModuleToPath.get(imported.split(".").pop());
         if (target && target !== file.path) importRefs.set(target, (importRefs.get(target) || 0) + 1);
       }
-    } else if (/\.(tsx?|jsx?)$/.test(file.path)) {
+    } else if (/\.(tsx?|jsx?|mjs|cjs|vue|svelte)$/.test(file.path)) {
       for (const target of extractJsImports(file.path, text, sourcePaths)) {
         if (target !== file.path) importRefs.set(target, (importRefs.get(target) || 0) + 1);
       }
@@ -520,7 +541,7 @@ function renderBackendSummary(ctx) {
 }
 
 function renderFrontendSummary(ctx) {
-  const frontendCandidates = topLoadBearing(ctx.root, ctx.scan.files.filter((file) => /\.(tsx?|jsx?)$/.test(file.path) && /(^|\/)(frontend|src|app|components|hooks)\//.test(file.path)), ctx.scan.files, ctx.gitActivity, 8);
+  const frontendCandidates = topLoadBearing(ctx.root, ctx.scan.files.filter((file) => /\.(tsx?|jsx?|mjs|cjs|vue|svelte)$/.test(file.path) && /(^|\/)(frontend|src|app|pages|routes|components|ui|hooks|composables|stores)\//.test(file.path)), ctx.scan.files, ctx.gitActivity, 8);
   return [
     "# Frontend Summary",
     "",

package/lib/prismo-dev/firewall.js

@@ -78,7 +78,15 @@ function buildBlockedContext(ctx) {
     "playwright-report/**",
     "test-results/**",
     "logs/**",
+    "events/**",
+    "event-dumps/**",
+    "session-dumps/**",
+    "source-streams/**",
+    "inbox-dumps/**",
+    "calendar-dumps/**",
     "**/*.log",
+    "**/*.jsonl",
+    "**/*.ndjson",
     "**/*.map",
     "**/__pycache__/**",
     "package-lock.json",

package/lib/prismo-dev/report.js

@@ -68,6 +68,13 @@ function renderTerminalReport(result, options = {}) {
   if (result.toolOutputRisk.exposedNoisyDirectories.length) lines.push(`- Exposed noisy dirs: ${result.toolOutputRisk.exposedNoisyDirectories.slice(0, 6).join(", ")}`);
   if (result.toolOutputRisk.exposedNoisyFiles.length) lines.push(`- Exposed noisy files: ${result.toolOutputRisk.exposedNoisyFiles.slice(0, 4).map((file) => file.path).join(", ")}`);
   lines.push("");
+  if (result.operationalNoise && result.operationalNoise.level !== "Low") {
+    lines.push(color("Operational Noise Risk", "bold", useColor));
+    lines.push(`- Level: ${result.operationalNoise.level}`);
+    lines.push(`- ${result.operationalNoise.summary}`);
+    result.operationalNoise.files.slice(0, 4).forEach((file) => lines.push(`- ${file.path}: ${file.signals.join(", ")}`));
+    lines.push("");
+  }
   lines.push(color("Prismo Proxy Tracking", "bold", useColor));
   lines.push("- Exact API tracking: available when traffic uses the Prismo OpenAI/Anthropic base URL");
   lines.push(`- Codex API/base-url mode: ${result.proxyTrackingReadiness.codingAgentBaseUrlMode.codex}`);
@@ -233,6 +240,18 @@ function renderMarkdownReport(result) {
     });
   }
   lines.push("");
+  lines.push("## Operational Source-Stream Noise");
+  lines.push("");
+  if (result.operationalNoise && result.operationalNoise.files.length) {
+    lines.push(`- Level: ${result.operationalNoise.level}`);
+    lines.push(`- ${result.operationalNoise.summary}`);
+    result.operationalNoise.files.slice(0, 20).forEach((file) => {
+      lines.push(`- \`${file.path}\` - ${formatBytes(file.sizeBytes)} - ${file.signals.join(", ")} - ~${file.estimatedTokensIfRead.toLocaleString()} tokens if read`);
+    });
+  } else {
+    lines.push("- No obvious inbox/calendar/GitHub/source-stream dumps detected.");
+  }
+  lines.push("");
   lines.push("## Prismo Proxy Tracking Readiness");
   lines.push("");
   lines.push("- Exact API tracking: available when app/tool traffic uses the Prismo OpenAI/Anthropic base URL.");

package/lib/prismo-dev/scan.js

@@ -364,6 +364,57 @@ function detectToolOutputRisk({ exposedLargeFiles, exposedHighRiskDirs, highRisk
   };
 }
 
+function detectOperationalNoise(files) {
+  const candidates = files
+    .filter((file) => !file.ignored && file.size >= 16 * 1024 && file.kind !== "binary")
+    .filter((file) => /\.(json|jsonl|ndjson|log|md|txt)$/i.test(file.path) || /(events?|inbox|calendar|github|issues?|heartbeat|poll|source-stream|session-dump|activity|notifications?)/i.test(file.path))
+    .slice(0, 120);
+  const findings = [];
+
+  for (const file of candidates) {
+    const text = readIfText(file.fullPath, 512 * 1024) || "";
+    if (!text) continue;
+    const signals = [];
+    const timestampCount = (text.match(/\b20\d{2}-\d{2}-\d{2}[T ][0-2]\d:/g) || []).length;
+    const emailCount = (text.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi) || []).length;
+    const eventKeyCount = (text.match(/"(event|type|timestamp|created_at|updated_at|attendees|organizer|sender|subject|body|issue|pull_request|repository|payload)"\s*:/gi) || []).length;
+    const markdownEventCount = (text.match(/\b(calendar|inbox|email|github|issue|pull request|notification|attendee|heartbeat|poll(ed|ing)?)\b/gi) || []).length;
+    const repeatedObjectCount = (text.match(/^\s*\{.*\}\s*$/gm) || []).length;
+
+    if (timestampCount >= 12) signals.push(`${timestampCount} timestamps`);
+    if (emailCount >= 8) signals.push(`${emailCount} email-like strings`);
+    if (eventKeyCount >= 30) signals.push(`${eventKeyCount} event-shaped JSON keys`);
+    if (markdownEventCount >= 20) signals.push(`${markdownEventCount} operational keywords`);
+    if (repeatedObjectCount >= 15) signals.push(`${repeatedObjectCount} JSONL-style objects`);
+
+    if (signals.length >= 2 || eventKeyCount >= 60 || (timestampCount >= 20 && markdownEventCount >= 15)) {
+      findings.push({
+        path: file.path,
+        sizeBytes: file.size,
+        estimatedTokensIfRead: estimateTokens(file.size),
+        signals: signals.slice(0, 4),
+      });
+    }
+  }
+
+  const estimatedExposureTokens = findings.reduce((sum, item) => sum + item.estimatedTokensIfRead, 0);
+  let level = "Low";
+  if (findings.length >= 3 || estimatedExposureTokens >= 150000) level = "High";
+  else if (findings.length || estimatedExposureTokens >= 25000) level = "Medium";
+
+  return {
+    level,
+    files: findings.slice(0, 12),
+    estimatedExposureTokens,
+    summary:
+      level === "High"
+        ? "Operational source-stream dumps may be leaking inbox/calendar/GitHub-style noise back into coding context."
+        : level === "Medium"
+          ? "Possible operational source-stream dumps detected; these can become second-order context leaks."
+          : "No obvious operational source-stream dumps detected.",
+  };
+}
+
 function buildProxyTrackingReadiness({ codexConfig, claudeConfig, realUsage }) {
   return {
     exactApiTracking: {
@@ -578,7 +629,7 @@ function addIssue(issues, severity, category, title, description, recommendation
   });
 }
 
-function buildRecommendations({ hasClaudeIgnore, gitignorePatterns, exposedHighRiskDirs, largeFiles, instructionFiles, claudeConfig, toolOutputRisk, agentReadiness }) {
+function buildRecommendations({ hasClaudeIgnore, gitignorePatterns, exposedHighRiskDirs, largeFiles, instructionFiles, claudeConfig, toolOutputRisk, operationalNoise, agentReadiness }) {
   const recs = [];
   if (!hasClaudeIgnore) {
     recs.push("Create .claudeignore with generated/cache folders and large artifacts excluded.");
@@ -595,6 +646,9 @@ function buildRecommendations({ hasClaudeIgnore, gitignorePatterns, exposedHighR
   if (toolOutputRisk && toolOutputRisk.level !== "Low") {
     recs.push("Use command-output filtering or narrower shell commands for noisy tests, logs, diffs, and generated reports.");
   }
+  if (operationalNoise && operationalNoise.level !== "Low") {
+    recs.push("Keep inbox/calendar/GitHub polling dumps out of coding-agent context; summarize them outside the repo or add them to AI ignore files.");
+  }
   if (instructionFiles.some((file) => file.isClaude && file.tokens > 1500)) {
     recs.push("Review CLAUDE.md for content that could move to linked docs; keep persistent instructions focused on durable rules.");
   }
@@ -665,7 +719,7 @@ function calculateReductionPercent(beforeTokens, afterTokens) {
 
 function chooseRecommendedScope(ctx) {
   if (ctx.scope) return ctx.scope;
-  if (ctx.frameworks.some((name) => ["Next.js", "React", "Vite"].includes(name))) return "frontend";
+  if (ctx.frameworks.some((name) => ["Next.js", "React", "Vite", "Vue", "Svelte", "SvelteKit", "Solid", "Astro", "Nuxt"].includes(name))) return "frontend";
   if (ctx.frameworks.some((name) => ["FastAPI", "Django", "Flask", "Python"].includes(name))) return "backend";
   return null;
 }
@@ -720,6 +774,7 @@ function toJsonPayload(result) {
     agentReadiness: result.agentReadiness,
     optimizationStack: result.optimizationStack,
     toolOutputRisk: result.toolOutputRisk,
+    operationalNoise: result.operationalNoise,
     proxyTrackingReadiness: result.proxyTrackingReadiness,
     suggestedClaudeIgnore: result.recommendedClaudeIgnore,
     suggestedCursorIgnore: result.recommendedCursorIgnore,
@@ -1010,6 +1065,7 @@ function scanRepo(rootDir = process.cwd(), options = {}) {
   const optimizationStack = detectOptimizationStack(root, claudeConfig, codexConfig);
   const agentReadiness = detectAgentReadiness(root, claudeConfig, codexConfig, realUsage);
   const toolOutputRisk = detectToolOutputRisk({ exposedLargeFiles, exposedHighRiskDirs, highRiskDirs });
+  const operationalNoise = detectOperationalNoise(files);
   const proxyTrackingReadiness = buildProxyTrackingReadiness({ codexConfig, claudeConfig, realUsage });
 
   if (toolOutputRisk.level !== "Low") {
@@ -1026,6 +1082,20 @@ function scanRepo(rootDir = process.cwd(), options = {}) {
     );
   }
 
+  if (operationalNoise.level !== "Low") {
+    addIssue(
+      issues,
+      operationalNoise.level === "High" ? "high" : "medium",
+      "operational_noise",
+      `${operationalNoise.files.length} source-stream dump${operationalNoise.files.length === 1 ? "" : "s"} may leak into context`,
+      operationalNoise.files.slice(0, 5).map((file) => `${file.path} (${file.signals.join(", ")})`).join(", "),
+      "Do not feed raw inbox/calendar/GitHub/event dumps back into coding sessions; summarize externally or add them to .claudeignore/.cursorignore.",
+      operationalNoise.estimatedExposureTokens
+        ? `Likely avoidable token exposure: up to ~${operationalNoise.estimatedExposureTokens.toLocaleString()} tokens from operational noise files.`
+        : "Potential savings estimate: prevents source-stream dumps from becoming recurring context."
+    );
+  }
+
   if (optimizationStack.mcpServerTotal >= 8) {
     addIssue(
       issues,
@@ -1074,10 +1144,12 @@ function scanRepo(rootDir = process.cwd(), options = {}) {
   const largeFileSuggestions = exposedLargeFiles
     .filter((file) => file.size >= 1024 * 1024 || ["log", "json", "minified", "lock/generated"].includes(file.kind))
     .map((file) => file.path);
+  const operationalNoiseSuggestions = operationalNoise.files.map((file) => file.path);
   const recommendedClaudeIgnore = Array.from(new Set([
     ...DEFAULT_CLAUDEIGNORE,
     ...gitignorePatterns.filter((line) => !line.startsWith("!")),
     ...largeFileSuggestions,
+    ...operationalNoiseSuggestions,
   ]));
   const recommendedCursorIgnore = Array.from(new Set([
     ...recommendedClaudeIgnore,
@@ -1094,6 +1166,7 @@ function scanRepo(rootDir = process.cwd(), options = {}) {
     instructionFiles,
     claudeConfig,
     toolOutputRisk,
+    operationalNoise,
     agentReadiness,
   });
   buildRealUsageRecommendations(realUsage).forEach((rec) => recommendations.push(rec));
@@ -1109,6 +1182,7 @@ function scanRepo(rootDir = process.cwd(), options = {}) {
     agentReadiness,
     optimizationStack,
     toolOutputRisk,
+    operationalNoise,
     proxyTrackingReadiness,
     frameworks,
     files,

package/lib/prismo-dev/shield.js

@@ -0,0 +1,384 @@
+module.exports = function createShield(deps) {
+  const {
+    fs,
+    path,
+    estimateTokens,
+    formatBytes,
+    color,
+  } = deps;
+  const { spawnSync } = require("child_process");
+
+const SHIELD_SCHEMA_VERSION = 1;
+
+function nowId() {
+  return new Date().toISOString().replace(/[:.]/g, "-");
+}
+
+function ensureDir(dir) {
+  fs.mkdirSync(dir, { recursive: true });
+}
+
+function pickInterestingLines(text, limit = 24) {
+  const lines = String(text || "").split(/\r?\n/).filter(Boolean);
+  const interesting = [];
+  const patterns = [
+    /\b(error|failed|failure|exception|traceback|fatal|panic|segmentation fault)\b/i,
+    /\b(warn|warning|deprecated|timeout|denied|unauthorized|forbidden)\b/i,
+    /\b(assert|expected|received|diff|not found|cannot find|module not found)\b/i,
+  ];
+  for (const line of lines) {
+    if (patterns.some((pattern) => pattern.test(line))) interesting.push(line.slice(0, 500));
+    if (interesting.length >= limit) break;
+  }
+  if (interesting.length) return interesting;
+  return lines.slice(Math.max(0, lines.length - Math.min(limit, 12))).map((line) => line.slice(0, 500));
+}
+
+function summarizeOutput(stdout, stderr) {
+  const stdoutText = String(stdout || "");
+  const stderrText = String(stderr || "");
+  const combined = [stderrText, stdoutText].filter(Boolean).join("\n");
+  const totalBytes = Buffer.byteLength(stdoutText) + Buffer.byteLength(stderrText);
+  const totalTokens = estimateTokens(combined);
+  return {
+    stdoutBytes: Buffer.byteLength(stdoutText),
+    stderrBytes: Buffer.byteLength(stderrText),
+    totalBytes,
+    estimatedTokens: totalTokens,
+    interestingLines: pickInterestingLines(combined),
+  };
+}
+
+function renderStoredReadCommand(pathValue) {
+  return `sed -n '1,160p' ${JSON.stringify(pathValue)}`;
+}
+
+function shieldRoot(root) {
+  return path.join(root, ".prismo", "shield");
+}
+
+function shieldDbPath(root) {
+  return path.join(shieldRoot(root), "shield.sqlite");
+}
+
+function indexPath(root) {
+  return path.join(shieldRoot(root), "index.jsonl");
+}
+
+function sqlString(value) {
+  return `'${String(value == null ? "" : value).replace(/'/g, "''")}'`;
+}
+
+function sqliteAvailable() {
+  const result = spawnSync("sqlite3", ["--version"], { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] });
+  return result.status === 0;
+}
+
+function sqliteExec(dbPath, sql, json = false) {
+  const args = json ? ["-json", dbPath, sql] : [dbPath, sql];
+  const result = spawnSync("sqlite3", args, { encoding: "utf8", maxBuffer: 20 * 1024 * 1024 });
+  if (result.status !== 0) {
+    throw new Error((result.stderr || result.error?.message || "sqlite3 failed").trim());
+  }
+  if (!json) return null;
+  const out = String(result.stdout || "").trim();
+  return out ? JSON.parse(out) : [];
+}
+
+function ensureSqliteIndex(root) {
+  if (!sqliteAvailable()) return { available: false, reason: "sqlite3-not-found" };
+  ensureDir(shieldRoot(root));
+  const dbPath = shieldDbPath(root);
+  sqliteExec(dbPath, `
+    PRAGMA journal_mode=WAL;
+    CREATE TABLE IF NOT EXISTS shield_runs (
+      id TEXT PRIMARY KEY,
+      command TEXT NOT NULL,
+      cwd TEXT NOT NULL,
+      exit_code INTEGER NOT NULL,
+      started_at TEXT NOT NULL,
+      finished_at TEXT NOT NULL,
+      duration_ms INTEGER NOT NULL,
+      stdout_path TEXT NOT NULL,
+      stderr_path TEXT NOT NULL,
+      total_bytes INTEGER NOT NULL,
+      estimated_tokens INTEGER NOT NULL,
+      summary_json TEXT NOT NULL
+    );
+    CREATE VIRTUAL TABLE IF NOT EXISTS shield_output USING fts5(
+      run_id UNINDEXED,
+      command,
+      stream UNINDEXED,
+      content,
+      tokenize='unicode61'
+    );
+  `);
+  return { available: true, path: path.relative(root, dbPath).replace(/\\/g, "/") };
+}
+
+function indexShieldRun(root, payload, stdout, stderr) {
+  const sqlite = ensureSqliteIndex(root);
+  if (!sqlite.available) return { mode: "jsonl", sqlite };
+  const dbPath = shieldDbPath(root);
+  const runId = path.basename(payload.stored.directory);
+  sqliteExec(dbPath, `
+    INSERT OR REPLACE INTO shield_runs (
+      id, command, cwd, exit_code, started_at, finished_at, duration_ms,
+      stdout_path, stderr_path, total_bytes, estimated_tokens, summary_json
+    ) VALUES (
+      ${sqlString(runId)},
+      ${sqlString(payload.command)},
+      ${sqlString(payload.cwd)},
+      ${Number(payload.exitCode || 0)},
+      ${sqlString(payload.startedAt)},
+      ${sqlString(payload.finishedAt)},
+      ${Number(payload.durationMs || 0)},
+      ${sqlString(payload.stored.stdout)},
+      ${sqlString(payload.stored.stderr)},
+      ${Number(payload.output.totalBytes || 0)},
+      ${Number(payload.output.estimatedTokens || 0)},
+      ${sqlString(JSON.stringify(payload))}
+    );
+    DELETE FROM shield_output WHERE run_id = ${sqlString(runId)};
+    INSERT INTO shield_output (run_id, command, stream, content)
+      VALUES (${sqlString(runId)}, ${sqlString(payload.command)}, 'stdout', ${sqlString(stdout)});
+    INSERT INTO shield_output (run_id, command, stream, content)
+      VALUES (${sqlString(runId)}, ${sqlString(payload.command)}, 'stderr', ${sqlString(stderr)});
+  `);
+  return { mode: "sqlite-fts5", sqlite };
+}
+
+function readJsonlIndex(root) {
+  const filePath = indexPath(root);
+  if (!fs.existsSync(filePath)) return [];
+  return fs.readFileSync(filePath, "utf8")
+    .split(/\r?\n/)
+    .filter(Boolean)
+    .map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+}
+
+function readStoredText(root, relPath) {
+  const fullPath = path.join(root, relPath);
+  try {
+    return fs.readFileSync(fullPath, "utf8");
+  } catch {
+    return "";
+  }
+}
+
+function fallbackSearch(root, query, limit = 10) {
+  const needle = String(query || "").toLowerCase();
+  if (!needle) return [];
+  const rows = readJsonlIndex(root).reverse();
+  const results = [];
+  for (const row of rows) {
+    for (const stream of ["stderr", "stdout"]) {
+      const relPath = row.stored?.[stream];
+      const text = readStoredText(root, relPath || "");
+      const lower = text.toLowerCase();
+      const index = lower.indexOf(needle);
+      if (index < 0) continue;
+      const start = Math.max(0, index - 180);
+      const end = Math.min(text.length, index + needle.length + 320);
+      results.push({
+        runId: path.basename(row.stored.directory),
+        command: row.command,
+        stream,
+        path: relPath,
+        exitCode: row.exitCode,
+        finishedAt: row.finishedAt,
+        snippet: text.slice(start, end).replace(/\s+/g, " ").trim(),
+      });
+      if (results.length >= limit) return results;
+    }
+  }
+  return results;
+}
+
+function runShieldSearch(rootDir = process.cwd(), query = "", options = {}) {
+  const root = path.resolve(rootDir);
+  const limit = options.limit || 10;
+  if (!String(query || "").trim()) throw new Error("No search query provided. Use: prismo shield search \"error text\"");
+  const sqlite = ensureSqliteIndex(root);
+  if (sqlite.available && fs.existsSync(shieldDbPath(root))) {
+    try {
+      const phrase = `"${String(query).replace(/"/g, '""')}"`;
+      const rows = sqliteExec(shieldDbPath(root), `
+        SELECT
+          shield_output.run_id AS runId,
+          shield_output.command AS command,
+          shield_output.stream AS stream,
+          CASE shield_output.stream
+            WHEN 'stderr' THEN shield_runs.stderr_path
+            ELSE shield_runs.stdout_path
+          END AS path,
+          shield_runs.exit_code AS exitCode,
+          shield_runs.finished_at AS finishedAt,
+          snippet(shield_output, 3, '[', ']', ' ... ', 24) AS snippet
+        FROM shield_output
+        JOIN shield_runs ON shield_runs.id = shield_output.run_id
+        WHERE shield_output MATCH ${sqlString(phrase)}
+        ORDER BY rank
+        LIMIT ${Number(limit)};
+      `, true);
+      return { query, mode: "sqlite-fts5", results: rows };
+    } catch {
+      // FTS queries can reject punctuation-heavy input; fall back to JSONL/plain text scan.
+    }
+  }
+  return { query, mode: "jsonl-fallback", results: fallbackSearch(root, query, limit) };
+}
+
+function runShieldLast(rootDir = process.cwd(), options = {}) {
+  const root = path.resolve(rootDir);
+  const limit = options.limit || 5;
+  return {
+    mode: fs.existsSync(shieldDbPath(root)) ? "sqlite-fts5" : "jsonl-fallback",
+    runs: readJsonlIndex(root).reverse().slice(0, limit),
+  };
+}
+
+function runShield(rootDir = process.cwd(), commandArgs = [], options = {}) {
+  const root = path.resolve(rootDir);
+  if (!commandArgs.length) {
+    throw new Error("No command provided. Use: prismo shield -- npm test");
+  }
+
+  const startedAt = new Date();
+  const id = nowId();
+  const runsDir = path.join(root, ".prismo", "shield", "runs", id);
+  ensureDir(runsDir);
+
+  const command = commandArgs[0];
+  const args = commandArgs.slice(1);
+  const result = spawnSync(command, args, {
+    cwd: root,
+    encoding: "utf8",
+    maxBuffer: options.maxBuffer || 30 * 1024 * 1024,
+    shell: false,
+    env: process.env,
+  });
+
+  const finishedAt = new Date();
+  const stdout = result.stdout || "";
+  const stderr = result.stderr || "";
+  const stdoutPath = path.join(runsDir, "stdout.txt");
+  const stderrPath = path.join(runsDir, "stderr.txt");
+  const summary = summarizeOutput(stdout, stderr);
+  fs.writeFileSync(stdoutPath, stdout, "utf8");
+  fs.writeFileSync(stderrPath, stderr, "utf8");
+
+  const payload = {
+    schemaVersion: 1,
+    command: commandArgs.join(" "),
+    cwd: root,
+    exitCode: typeof result.status === "number" ? result.status : 1,
+    signal: result.signal || null,
+    error: result.error ? result.error.message : null,
+    startedAt: startedAt.toISOString(),
+    finishedAt: finishedAt.toISOString(),
+    durationMs: finishedAt.getTime() - startedAt.getTime(),
+    output: summary,
+    stored: {
+      stdout: path.relative(root, stdoutPath).replace(/\\/g, "/"),
+      stderr: path.relative(root, stderrPath).replace(/\\/g, "/"),
+      directory: path.relative(root, runsDir).replace(/\\/g, "/"),
+    },
+    next: [
+      "Feed the summary to the agent first; inspect full output only if needed.",
+      `Read stdout: ${renderStoredReadCommand(path.relative(root, stdoutPath).replace(/\\/g, "/"))}`,
+      `Read stderr: ${renderStoredReadCommand(path.relative(root, stderrPath).replace(/\\/g, "/"))}`,
+    ],
+  };
+  fs.writeFileSync(path.join(runsDir, "summary.json"), JSON.stringify(payload, null, 2), "utf8");
+  fs.mkdirSync(path.join(root, ".prismo", "shield"), { recursive: true });
+  fs.appendFileSync(path.join(root, ".prismo", "shield", "index.jsonl"), `${JSON.stringify(payload)}\n`, "utf8");
+  payload.index = indexShieldRun(root, payload, stdout, stderr);
+  fs.writeFileSync(path.join(runsDir, "summary.json"), JSON.stringify(payload, null, 2), "utf8");
+  return payload;
+}
+
+function renderShieldTerminal(result) {
+  const lines = [];
+  const exitTone = result.exitCode === 0 ? "green" : "red";
+  lines.push("");
+  lines.push(color("Prismo Shield", "bold"));
+  lines.push("");
+  lines.push(`Command: ${result.command}`);
+  lines.push(`Exit: ${color(String(result.exitCode), exitTone)}`);
+  lines.push(`Duration: ${result.durationMs}ms`);
+  lines.push(`Captured: ${formatBytes(result.output.totalBytes)} (~${result.output.estimatedTokens.toLocaleString()} tokens kept out of chat)`);
+  lines.push("");
+  lines.push("Full Output Stored:");
+  lines.push(`- ${result.stored.stdout}`);
+  lines.push(`- ${result.stored.stderr}`);
+  lines.push(`- ${result.stored.directory}/summary.json`);
+  lines.push("");
+  lines.push("Summary Returned To Context:");
+  result.output.interestingLines.slice(0, 24).forEach((line) => lines.push(`- ${line}`));
+  lines.push("");
+  lines.push("Next:");
+  lines.push("1. Give the agent this summary first.");
+  lines.push("2. Inspect the stored full output only if the summary is not enough.");
+  lines.push(`3. ${renderStoredReadCommand(result.stored.stderr)}`);
+  return lines.join("\n");
+}
+
+function renderShieldSearchTerminal(result) {
+  const lines = [];
+  lines.push("");
+  lines.push(color("Prismo Shield Search", "bold"));
+  lines.push("");
+  lines.push(`Query: ${result.query}`);
+  lines.push(`Index: ${result.mode}`);
+  lines.push(`Results: ${result.results.length}`);
+  lines.push("");
+  if (!result.results.length) {
+    lines.push("No matching shield output found.");
+    return lines.join("\n");
+  }
+  result.results.forEach((item, index) => {
+    lines.push(`${index + 1}. ${item.path} (${item.stream}, exit ${item.exitCode})`);
+    lines.push(`   ${item.command}`);
+    lines.push(`   ${String(item.snippet || "").slice(0, 700)}`);
+  });
+  lines.push("");
+  lines.push("Next:");
+  lines.push("Use the stored path above only if the snippet is not enough.");
+  return lines.join("\n");
+}
+
+function renderShieldLastTerminal(result) {
+  const lines = [];
+  lines.push("");
+  lines.push(color("Prismo Shield Last", "bold"));
+  lines.push("");
+  lines.push(`Index: ${result.mode}`);
+  if (!result.runs.length) {
+    lines.push("No shield runs found.");
+    return lines.join("\n");
+  }
+  result.runs.forEach((run, index) => {
+    lines.push(`${index + 1}. ${run.finishedAt}  exit ${run.exitCode}  ${run.command}`);
+    lines.push(`   ${run.stored.directory}/summary.json`);
+    lines.push(`   ${formatBytes(run.output.totalBytes)} (~${run.output.estimatedTokens.toLocaleString()} tokens kept out of chat)`);
+  });
+  return lines.join("\n");
+}
+
+  return {
+    renderShieldLastTerminal,
+    renderShieldSearchTerminal,
+    renderShieldTerminal,
+    runShieldLast,
+    runShieldSearch,
+    runShield,
+  };
+};

package/lib/prismo-dev-scan.js

@@ -267,6 +267,21 @@ const {
   writeGeneratedFile,
 });
 
+const {
+  renderShieldLastTerminal,
+  renderShieldSearchTerminal,
+  renderShieldTerminal,
+  runShieldLast,
+  runShieldSearch,
+  runShield,
+} = require("./prismo-dev/shield")({
+  fs,
+  path,
+  estimateTokens,
+  formatBytes: (...args) => formatBytes(...args),
+  color,
+});
+
 function printHelp() {
   console.log(`Prismo CLI
 
@@ -275,6 +290,9 @@ Usage:
   prismo init [--json] [--dry-run] [path]
   prismo doctor [--json] [--dry-run] [--apply-ignores-only] [--no-context-packs] [--limit N] [path]
   prismo firewall [task] [--json] [--dry-run] [path]
+  prismo shield [--json] [path] -- <command ...>
+  prismo shield last [--json] [--limit N] [path]
+  prismo shield search <query> [--json] [--limit N] [path]
   prismo setup [--json] [--proxy-url URL] [path]
   prismo scan [--fix] [--ci] [--json] [--usage] [--simple] [--no-report] [path]
   prismo optimize [scope] [--json] [path]
@@ -289,6 +307,7 @@ Commands:
   init        Add local PrismoDev helper docs and npm scripts when package.json exists.
   doctor      Diagnose, safely optimize, re-scan, and show before/after payoff.
   firewall    Generate allowed/blocked context policy files for an AI coding task.
+  shield      Run a noisy command, store full output locally, and return a compact summary.
   scan        Run PrismoDev for Claude Code, Codex, Cursor, and AI coding workflows.
   optimize    Generate lightweight AI-readable project context files in .prismo/.
   context     Print a copy-pasteable compact context prompt for AI coding tools.
@@ -475,6 +494,23 @@ Examples:
 Output:
   Writes .prismo/context-firewall.md, .prismo/allowed-context.txt, .prismo/blocked-context.txt, and .prismo/firewall-prompt.md.
   The firewall is a local policy file for the agent to follow before reading files; it does not enforce filesystem access by itself.`,
+    shield: `Prismo Shield
+
+Usage:
+  prismo shield [--json] [path] -- <command ...>
+  prismo shield last [--json] [--limit N] [path]
+  prismo shield search <query> [--json] [--limit N] [path]
+
+Examples:
+  prismo shield -- npm test
+  prismo shield -- pytest -q
+  prismo shield --json -- npm run build
+  prismo shield last
+  prismo shield search "auth failure"
+
+Output:
+  Runs the command locally, stores full stdout/stderr under .prismo/shield/runs/, indexes output in SQLite FTS5 when available, and prints only a compact summary plus useful error lines.
+  Search and last retrieve prior shield runs without re-feeding full output into agent context.`,
     ci: `Prismo CI
 
 Usage:
@@ -521,8 +557,8 @@ async function runCli(argv) {
     printCommandHelp(command);
     return;
   }
-  if (!["dev", "init", "doctor", "firewall", "setup", "scan", "optimize", "context", "cc", "usage", "watch", "demo"].includes(command)) {
-    throw new Error(`Unknown command: ${command}. Try: prismo doctor, prismo watch, prismo firewall, prismo init, prismo scan, prismo optimize, prismo context, prismo cc, or prismo usage`);
+  if (!["dev", "init", "doctor", "firewall", "shield", "setup", "scan", "optimize", "context", "cc", "usage", "watch", "demo"].includes(command)) {
+    throw new Error(`Unknown command: ${command}. Try: prismo doctor, prismo watch, prismo shield, prismo firewall, prismo init, prismo scan, prismo optimize, prismo context, prismo cc, or prismo usage`);
   }
 
   if (command === "demo") {
@@ -604,6 +640,40 @@ async function runCli(argv) {
     return;
   }
 
+  if (command === "shield") {
+    const json = rest.includes("--json");
+    const limitIndex = rest.indexOf("--limit");
+    const limit = parsePositiveInt(limitIndex >= 0 ? rest[limitIndex + 1] : null, 5);
+    const positional = getPositionals(rest, new Set(["--limit"]));
+    if (positional[0] === "last") {
+      const target = positional[1] || process.cwd();
+      const result = runShieldLast(target, { limit });
+      if (json) console.log(JSON.stringify(result, null, 2));
+      else console.log(renderShieldLastTerminal(result));
+      return;
+    }
+    if (positional[0] === "search") {
+      const query = positional[1];
+      const target = positional[2] || process.cwd();
+      const result = runShieldSearch(target, query, { limit });
+      if (json) console.log(JSON.stringify(result, null, 2));
+      else console.log(renderShieldSearchTerminal(result));
+      return;
+    }
+    const separatorIndex = rest.indexOf("--");
+    const beforeSeparator = separatorIndex >= 0 ? rest.slice(0, separatorIndex) : [];
+    const commandArgs = separatorIndex >= 0 ? rest.slice(separatorIndex + 1) : getPositionals(rest);
+    const target = getPositionals(beforeSeparator)[0] || process.cwd();
+    const result = runShield(target, commandArgs);
+    if (json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log(renderShieldTerminal(result));
+    }
+    process.exitCode = result.exitCode;
+    return;
+  }
+
   if (command === "setup") {
     const json = rest.includes("--json");
     const limitIndex = rest.indexOf("--limit");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "getprismo",
-  "version": "0.1.10",
+  "version": "0.1.13",
   "description": "Local AI coding workflow scanner for Codex, Claude Code, Cursor, and token-waste diagnostics.",
   "license": "MIT",
   "homepage": "https://github.com/shanirsh/prismodev#readme",