mstro-app 0.2.0 → 0.3.1

package/server/index.ts

@@ -7,11 +7,11 @@
 
 import { randomBytes } from 'node:crypto'
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
-import type { IncomingMessage } from 'node:http'
+import type { IncomingMessage, Server } from 'node:http'
 import { homedir } from 'node:os'
 import { basename, join } from 'node:path'
 import { serve } from '@hono/node-server'
-import { Hono } from 'hono'
+import { type Context, Hono, type Next } from 'hono'
 import { cors } from 'hono/cors'
 import { logger } from 'hono/logger'
 import { type WebSocket as NodeWebSocket, WebSocketServer } from 'ws'
@@ -26,10 +26,10 @@ import {
 import { AnalyticsEvents, initAnalytics, shutdownAnalytics, trackEvent } from './services/analytics.js'
 import { AuthService } from './services/auth.js'
 import { FileService } from './services/files.js'
-import { InstanceRegistry } from './services/instances.js'
+import { InstanceRegistry, type MstroInstance } from './services/instances.js'
 import { PlatformConnection } from './services/platform.js'
 import { captureException, flushSentry, initSentry } from './services/sentry.js'
-import { getPTYManager } from './services/terminal/pty-manager.js'
+import { getPTYManager, reloadPty } from './services/terminal/pty-manager.js'
 import { WebSocketImproviseHandler } from './services/websocket/index.js'
 import type { WSContext } from './services/websocket/types.js'
 import { findAvailablePort } from './utils/port.js'
@@ -126,7 +126,7 @@ const fileService = new FileService(WORKING_DIR)
 const wsHandler = new WebSocketImproviseHandler()
 
 // Instance registration deferred to startServer() when port is known
-let _currentInstance: any
+let _currentInstance: MstroInstance | undefined
 
 // Global middleware
 // In production, restrict CORS to block cross-origin browser requests to localhost.
@@ -149,7 +149,7 @@ app.use('*', logger())
 // Authentication Middleware
 // ========================================
 
-const authMiddleware = async (c: any, next: any) => {
+const authMiddleware = async (c: Context, next: Next) => {
   // Skip auth for health check and config
   const publicPaths = ['/health', '/api/config']
   if (publicPaths.some(path => c.req.path.startsWith(path))) {
@@ -207,6 +207,12 @@ app.route('/api/improvise', createImproviseRoutes(WORKING_DIR))
 app.route('/api/files', createFileRoutes(fileService))
 app.route('/api/notifications', createNotificationRoutes(WORKING_DIR))
 
+// Reload node-pty after setup-terminal compiles the native module
+app.post('/api/reload-pty', async (c) => {
+  const success = await reloadPty()
+  return c.json({ success, available: success })
+})
+
 // ========================================
 // Static File Serving (Production Only)
 // ========================================
@@ -257,7 +263,7 @@ function wrapWebSocket(ws: NodeWebSocket, workingDir: string): WSContext {
  * This allows messages from the web (via platform) to be handled by the same wsHandler
  */
 function createPlatformRelayContext(
-  platformSend: (message: any) => void,
+  platformSend: (message: unknown) => void,
   workingDir: string
 ): WSContext {
   return {
@@ -290,10 +296,6 @@ async function startServer() {
 
   const PORT = await findAvailablePort(REQUESTED_PORT, 20)
 
-  if (PORT !== REQUESTED_PORT) {
-    console.log(`⚠️  Port ${REQUESTED_PORT} in use, using port ${PORT}`)
-  }
-
   _currentInstance = instanceRegistry.register(PORT, WORKING_DIR)
 
   // Create HTTP server with Hono
@@ -303,7 +305,7 @@ async function startServer() {
   })
 
   // Create WebSocket server attached to the HTTP server
-  const wss = new WebSocketServer({ server: server as any })
+  const wss = new WebSocketServer({ server: server as Server })
 
   wss.on('connection', (ws: NodeWebSocket, req: IncomingMessage) => {
     const url = new URL(req.url || '/', `http://localhost:${PORT}`)
@@ -358,7 +360,7 @@ async function startServer() {
 
   // Queue for messages that arrive before relay context is ready
   // This handles race conditions where initTab arrives before web_connected
-  let pendingRelayMessages: any[] = []
+  let pendingRelayMessages: unknown[] = []
 
   // Connect to platform
   const platformConnection = new PlatformConnection(WORKING_DIR, {

package/server/mcp/README.md

@@ -1,105 +1,97 @@
-# Mstro MCP Bouncer Server
+# Mstro MCP Bouncer
 
-This directory contains the Model Context Protocol (MCP) server implementation for Mstro v2's security bouncer.
-
-## Overview
-
-The MCP bouncer server provides permission approval/denial for Claude Code tool use via the MCP protocol. It integrates with Mstro's security analysis system to review potentially risky operations before they execute.
+MCP (Model Context Protocol) server that provides tool approval decisions for Claude Code. Intercepts tool calls and applies a 2-layer security system to allow or deny operations.
 
 ## Architecture
 
-The bouncer uses a 2-layer security system:
+### Layer 1: Pattern Matching (<5ms, ~95% of operations)
 
-### Layer 1: Pattern-Based Fast Path (~95% of operations, <5ms)
 - **Critical threats** → Immediate DENY (99% confidence)
 - **Known-safe operations** → Immediate ALLOW (95% confidence)
-- Uses consolidated security patterns
+- Regex-based pattern matching against consolidated threat/safe lists
+
+### Layer 2: AI Analysis (~200-500ms, ~5% of operations)
 
-### Layer 2: Haiku AI Analysis (~5% of operations, 200-500ms)
-- Lightweight AI for ambiguous cases
-- Context-aware decisions with reasoning
-- Uses Claude Code headless pattern (spawn + stdin)
-- Variable confidence (50-90%)
+- Spawns `claude --print --model haiku` for ambiguous cases
+- Evaluates whether the operation looks like user-requested work or malicious injection
+- Defaults to ALLOW — the assumption is the user is actively working with Claude
 
 ## Files
 
-- **server.ts** - Main MCP server entry point
-- **bouncer-integration.ts** - Core security review logic
-- **security-patterns.ts** - Pattern definitions for fast-path security checks
-- **security-audit.ts** - Audit logging system
+- **server.ts** — MCP server entry point. Exposes single `approval_prompt` tool via stdio transport.
+- **bouncer-integration.ts** — Core 2-layer security review logic. Orchestrates pattern check → AI analysis flow.
+- **security-patterns.ts** — Pattern definitions: CRITICAL_THREATS, SAFE_OPERATIONS, NEEDS_AI_REVIEW, SENSITIVE_PATHS.
+- **security-audit.ts** — Audit logging to `~/.mstro/logs/bouncer-audit.jsonl` (JSON Lines format).
+- **bouncer-cli.ts** — Shell-callable wrapper invoked by `~/.claude/hooks/bouncer.sh`. Reads JSON from stdin, outputs decision to stdout.
 
 ## Usage
 
 ### Starting the Server
 
 ```bash
-# From mstro-v2 root directory
+# From cli/ directory
 npm run dev:mcp
 
-# Or directly with bun
-bun run server/mcp/server.ts
+# Or directly
+npx tsx server/mcp/server.ts
 ```
 
-### Configuration
-
-The server is configured via `mstro-bouncer-mcp.json` in the project root:
-
-```json
-{
-  "mcpServers": {
-    "mstro-bouncer": {
-      "command": "bun",
-      "args": ["run", "server/mcp/server.ts"],
-      "description": "Mstro security bouncer for approving/denying Claude Code tool use",
-      "env": {
-        "BOUNCER_USE_AI": "true"
-      }
-    }
-  }
-}
-```
+### Integration with Claude Code
 
-### Using with Claude Code
+The bouncer integrates via Claude Code's `--permission-prompt-tool` flag:
 
 ```bash
-claude --print --permission-prompt-tool mcp__mstro-bouncer__approval_prompt \
-  --mcp-config mstro-bouncer-mcp.json \
+claude --print \
+  --mcp-config ~/.mstro/mcp-config.json \
+  --permission-prompt-tool mcp__mstro-bouncer__approval_prompt \
   "your prompt here"
 ```
 
+The MCP config is auto-generated by the headless runner at `~/.mstro/mcp-config.json`. It includes the bouncer server plus any user-configured MCP servers from `~/.claude.json`.
+
+### Hook Integration
+
+When installed via `mstro configure-hooks`, a shell script at `~/.claude/hooks/bouncer.sh` calls `bouncer-cli.ts` as a PreToolUse hook. This provides security for both mstro sessions and standalone Claude Code usage.
+
 ## Environment Variables
 
-- **BOUNCER_USE_AI** - Enable/disable AI analysis (default: `true`)
-  - Set to `false` to use only pattern-based checks
-- **CLAUDE_COMMAND** - Claude CLI command (default: `claude`)
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `BOUNCER_USE_AI` | `true` | Enable AI analysis layer. Set `false` for pattern-only checks. |
+| `CLAUDE_COMMAND` | `claude` | Claude CLI command path |
 
 ## Security Patterns
 
 ### Critical Threats (Auto-deny)
-- Root/home directory deletion (`rm -rf / or ~`)
+
+- Root/home directory deletion (`rm -rf /` or `rm -rf ~`)
 - Fork bombs
-- Disk device overwrites
-- Filesystem formatting
+- Disk device overwrites (`dd if=/dev/zero of=/dev/sd*`)
+- Filesystem formatting (`mkfs`)
 - Obfuscated code execution
+- System directory permission removal
 
 ### Safe Operations (Auto-allow)
+
 - Read/Glob/Grep operations
-- Common package manager commands (`npm install`, `yarn build`)
-- Git operations (`status`, `log`, `diff`)
-- Safe file deletions (`node_modules`, `dist`, `build`)
+- Package manager commands (npm, yarn, pnpm, bun, cargo, go)
+- Git operations (status, log, diff, branch, clone, pull, checkout)
+- Docker operations
+- File operations within home/tmp directories
+- Safe artifact deletions (node_modules, dist, build, .cache)
 
 ### Requires AI Review
-- Pipe-to-shell from remote sources
-- Sudo operations
-- Writing executable files
-- System directory modifications
-- Custom script execution
+
+- Pipe-to-shell from remote sources (`curl | bash`)
+- sudo operations
+- `rm -rf` (except safe artifacts)
+- Write/Edit operations (except /tmp)
+- Variable expansion/globs in Bash
 
 ## Audit Logging
 
-All security decisions are logged to `./logs/security/bouncer-audit.jsonl` in JSON Lines format.
+All decisions are logged to `~/.mstro/logs/bouncer-audit.jsonl`:
 
-Example log entry:
 ```json
 {
   "timestamp": "2025-11-15T12:00:00.000Z",
@@ -107,16 +99,16 @@ Example log entry:
   "decision": "allow",
   "confidence": 95,
   "reasoning": "Operation matches known-safe patterns",
-  "threatLevel": "low"
+  "threatLevel": "low",
+  "layer": "pattern-safe",
+  "latencyMs": 2
 }
 ```
 
-## Performance
-
-- 95%+ operations resolve in <5ms (Layer 1)
-- 5% require AI analysis (~200-500ms)
-- No ANTHROPIC_API_KEY required - uses existing Claude installation
-
-## Integration
+## Design Principles
 
-The MCP server runs separately from the web application servers and is only needed when using Claude Code's permission prompts feature. It does NOT auto-start with `npm start` or the web servers.
+- **Protect against injection, not dangerous commands** — operations are user-requested by default
+- **Fast path first** — 95%+ decisions resolve in <5ms via pattern matching
+- **No API key required** — uses existing `claude` CLI installation for AI layer
+- **Fail-safe** — denies on analysis errors (conservative)
+- **Graceful degradation** — falls back to pattern-only if AI unavailable

package/server/mcp/bouncer-cli.ts

@@ -18,11 +18,19 @@
 import { type BouncerReviewRequest, reviewOperation } from './bouncer-integration.js';
 
 interface HookInput {
+  // Tool identification (mstro: toolName, Claude Code: tool_name)
   tool_name?: string;
   toolName?: string;
-  input?: Record<string, any>;
-  toolInput?: Record<string, any>;
-  // Conversation context from Claude Code hooks
+  // Tool parameters (mstro: input/toolInput, Claude Code: tool_input)
+  input?: Record<string, unknown>;
+  toolInput?: Record<string, unknown>;
+  tool_input?: Record<string, unknown>;
+  // Claude Code hook metadata
+  hook_event_name?: string;
+  transcript_path?: string;
+  permission_mode?: string;
+  cwd?: string;
+  // Mstro conversation context
   session_id?: string;
   conversation?: {
     messages?: Array<{
@@ -31,7 +39,7 @@ interface HookInput {
     }>;
     last_user_message?: string;
   };
-  // Additional context fields Claude Code may provide
+  // Common fields
   tool_use_id?: string;
   working_directory?: string;
 }
@@ -48,7 +56,7 @@ async function readStdin(): Promise<string> {
   });
 }
 
-function buildOperationString(toolName: string, toolInput: Record<string, any>): string {
+function buildOperationString(toolName: string, toolInput: Record<string, unknown>): string {
   if (toolName === 'Bash' && toolInput.command) {
     return `${toolName}: ${toolInput.command}`;
   }
@@ -59,6 +67,55 @@ function buildOperationString(toolName: string, toolInput: Record<string, any>):
   return `${toolName}: ${JSON.stringify(toolInput)}`;
 }
 
+/**
+ * Detect whether the caller is Claude Code (vs mstro).
+ * Claude Code includes hook_event_name in its payload.
+ */
+function isClaudeCodeHook(hookInput: HookInput): boolean {
+  return hookInput.hook_event_name === 'PreToolUse';
+}
+
+/**
+ * Format a bouncer decision for the calling system.
+ * Claude Code expects: { hookSpecificOutput: { permissionDecision, ... } }
+ * Mstro expects: { decision, reason, confidence, threatLevel, alternative }
+ */
+function formatDecisionOutput(
+  decision: { decision: string; reasoning: string; confidence?: number; threatLevel?: string; alternative?: string },
+  claudeCode: boolean
+): string {
+  const mappedDecision = decision.decision === 'deny' ? 'deny' : 'allow';
+  if (claudeCode) {
+    return JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
+        permissionDecision: mappedDecision,
+        permissionDecisionReason: decision.reasoning,
+      },
+    });
+  }
+  return JSON.stringify({
+    decision: mappedDecision,
+    reason: decision.reasoning,
+    confidence: decision.confidence,
+    threatLevel: decision.threatLevel,
+    alternative: decision.alternative,
+  });
+}
+
+function formatSimpleOutput(d: 'allow' | 'deny', reason: string, claudeCode: boolean): string {
+  if (claudeCode) {
+    return JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
+        permissionDecision: d,
+        permissionDecisionReason: reason,
+      },
+    });
+  }
+  return JSON.stringify({ decision: d, reason });
+}
+
 function extractConversationContext(hookInput: HookInput): string | undefined {
   const lastUserMessage = hookInput.conversation?.last_user_message;
   if (lastUserMessage) return `User's request: "${lastUserMessage}"`;
@@ -74,6 +131,7 @@ async function main() {
   const inputStr = await readStdin();
 
   if (!inputStr) {
+    // Can't detect caller without input — output both-compatible allow
     console.log(JSON.stringify({ decision: 'allow', reason: 'Empty input, allowing' }));
     process.exit(0);
   }
@@ -87,8 +145,10 @@ async function main() {
     process.exit(0);
   }
 
+  const claudeCode = isClaudeCodeHook(hookInput);
   const toolName = hookInput.tool_name || hookInput.toolName || 'unknown';
-  const toolInput = hookInput.input || hookInput.toolInput || {};
+  // Claude Code: tool_input, mstro: input/toolInput
+  const toolInput = hookInput.tool_input || hookInput.input || hookInput.toolInput || {};
   const userRequestContext = extractConversationContext(hookInput);
   const lastUserMessage = hookInput.conversation?.last_user_message;
   const recentMessages = hookInput.conversation?.messages?.slice(-5);
@@ -97,7 +157,8 @@ async function main() {
     operation: buildOperationString(toolName, toolInput),
     context: {
       purpose: userRequestContext || 'Tool use request from Claude',
-      workingDirectory: hookInput.working_directory || process.cwd(),
+      // Claude Code: cwd, mstro: working_directory
+      workingDirectory: hookInput.cwd || hookInput.working_directory || process.cwd(),
       toolName,
       toolInput,
       userRequest: lastUserMessage,
@@ -108,19 +169,11 @@ async function main() {
 
   try {
     const decision = await reviewOperation(bouncerRequest);
-    console.log(JSON.stringify({
-      decision: decision.decision === 'deny' ? 'deny' : 'allow',
-      reason: decision.reasoning,
-      confidence: decision.confidence,
-      threatLevel: decision.threatLevel,
-      alternative: decision.alternative,
-    }));
-  } catch (error: any) {
-    console.error('[bouncer-cli] Error:', error.message);
-    console.log(JSON.stringify({
-      decision: 'allow',
-      reason: `Bouncer error: ${error.message}. Allowing to avoid blocking.`
-    }));
+    console.log(formatDecisionOutput(decision, claudeCode));
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error('[bouncer-cli] Error:', message);
+    console.log(formatSimpleOutput('allow', `Bouncer error: ${message}. Allowing to avoid blocking.`, claudeCode));
   }
 }
 

package/server/mcp/bouncer-integration.ts

@@ -42,6 +42,43 @@ import {
   SAFE_OPERATIONS
 } from './security-patterns.js';
 
+/** Timeout for Haiku bouncer subprocess calls (ms). Configurable via env var. */
+const HAIKU_TIMEOUT_MS = parseInt(process.env.BOUNCER_HAIKU_TIMEOUT_MS || '10000', 10);
+
+// ========== Decision Cache ==========
+
+/** Cache TTL in ms (default 5 minutes) */
+const CACHE_TTL_MS = parseInt(process.env.BOUNCER_CACHE_TTL_MS || '300000', 10);
+const CACHE_MAX_SIZE = 200;
+
+interface CachedDecision {
+  decision: BouncerDecision;
+  expiresAt: number;
+}
+
+const decisionCache = new Map<string, CachedDecision>();
+
+function getCachedDecision(operation: string): BouncerDecision | null {
+  const entry = decisionCache.get(operation);
+  if (!entry) return null;
+  if (Date.now() > entry.expiresAt) {
+    decisionCache.delete(operation);
+    return null;
+  }
+  return entry.decision;
+}
+
+function cacheDecision(operation: string, decision: BouncerDecision): void {
+  // Don't cache low-confidence or error-fallback decisions
+  if (decision.confidence < 50) return;
+  // Evict oldest entries if cache is full
+  if (decisionCache.size >= CACHE_MAX_SIZE) {
+    const firstKey = decisionCache.keys().next().value;
+    if (firstKey !== undefined) decisionCache.delete(firstKey);
+  }
+  decisionCache.set(operation, { decision, expiresAt: Date.now() + CACHE_TTL_MS });
+}
+
 export interface BouncerReviewRequest {
   operation: string;
   context?: {
@@ -53,7 +90,7 @@ export interface BouncerReviewRequest {
     userRequest?: string;
     conversationHistory?: string[];
     sessionId?: string;
-    [key: string]: any;
+    [key: string]: unknown;
   };
 }
 
@@ -98,7 +135,7 @@ function tryExtractJsonBlock(text: string): string {
   return text;
 }
 
-function validateDecision(parsed: any): BouncerDecision {
+function validateDecision(parsed: Record<string, unknown>): BouncerDecision {
   if (!parsed || typeof parsed.decision !== 'string') {
     console.error('[Bouncer] Invalid parsed response:', parsed);
     throw new Error('Haiku returned invalid response: missing or invalid decision field');
@@ -111,11 +148,11 @@ function validateDecision(parsed: any): BouncerDecision {
   }
 
   return {
-    decision: parsed.decision,
-    confidence: parsed.confidence || 0,
-    reasoning: parsed.reasoning || 'No reasoning provided',
-    threatLevel: parsed.threat_level || 'medium',
-    alternative: parsed.alternative
+    decision: parsed.decision as BouncerDecision['decision'],
+    confidence: (parsed.confidence as number) || 0,
+    reasoning: (parsed.reasoning as string) || 'No reasoning provided',
+    threatLevel: (parsed.threat_level as BouncerDecision['threatLevel']) || 'medium',
+    alternative: parsed.alternative as string | undefined
   };
 }
 
@@ -195,7 +232,7 @@ or
     const timer = setTimeout(() => {
       timedOut = true;
       child.kill('SIGTERM');
-    }, 10000);
+    }, HAIKU_TIMEOUT_MS);
 
     child.stdout.on('data', (data) => {
       output += data.toString();
@@ -209,7 +246,7 @@ or
       clearTimeout(timer);
 
       if (timedOut) {
-        reject(new Error('Haiku analysis timeout after 10s'));
+        reject(new Error(`Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms`));
         return;
       }
 
@@ -221,9 +258,9 @@ or
       try {
         const decision = parseHaikuResponse(output.trim());
         resolve(decision);
-      } catch (error: any) {
+      } catch (error: unknown) {
         console.error('[Bouncer] Parse error details:', error);
-        reject(new Error(`Failed to parse Haiku response: ${error.message}`));
+        reject(new Error(`Failed to parse Haiku response: ${error instanceof Error ? error.message : String(error)}`));
       }
     });
 
@@ -245,6 +282,13 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
 
   const { operation } = request;
 
+  // Check cache first (pattern-layer decisions and prior Haiku results)
+  const cached = getCachedDecision(operation);
+  if (cached) {
+    console.error(`[Bouncer] ⚡ Cache hit: ${cached.decision} (${cached.confidence}%)`);
+    return cached;
+  }
+
   console.error('[Bouncer] Analyzing operation...');
   console.error(`[Bouncer] Operation: ${operation}`);
   if (request.context?.userRequest) {
@@ -276,6 +320,7 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       { context: request.context, threatLevel: decision.threatLevel, layer: 'pattern-noop', latencyMs }
     );
 
+    cacheDecision(operation, decision);
     return decision;
   }
 
@@ -312,6 +357,7 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       latency_ms: latencyMs,
     });
 
+    cacheDecision(operation, decision);
     return decision;
   }
 
@@ -346,6 +392,7 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       latency_ms: latencyMs,
     });
 
+    cacheDecision(operation, decision);
     return decision;
   }
 
@@ -381,6 +428,7 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       latency_ms: latencyMs,
     });
 
+    cacheDecision(operation, decision);
     return decision;
   }
 
@@ -439,18 +487,53 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       latency_ms: latencyMs,
     });
 
+    cacheDecision(operation, decision);
     return decision;
 
-  } catch (error: any) {
+  } catch (error: unknown) {
     const latencyMs = Math.round(performance.now() - startTime);
-    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${error.message}`);
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    const isTimeout = errorMessage.includes('timed out');
+
+    if (isTimeout) {
+      // Timeout: default to ALLOW — prefer availability over security stall,
+      // since the user drove the interaction
+      console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
+      captureException(error, { context: 'bouncer.haiku_timeout', operation });
+
+      const decision: BouncerDecision = {
+        decision: 'allow',
+        confidence: 50,
+        reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`,
+        threatLevel: 'medium'
+      };
+
+      logBouncerDecision(
+        operation,
+        decision.decision,
+        decision.confidence,
+        decision.reasoning,
+        { context: request.context, threatLevel: decision.threatLevel, layer: 'haiku-timeout', latencyMs, error: errorMessage }
+      );
+      trackEvent(AnalyticsEvents.BOUNCER_TOOL_ALLOWED, {
+        layer: 'haiku-timeout',
+        operation_length: operation.length,
+        threat_level: 'medium',
+        confidence: 50,
+        latency_ms: latencyMs,
+      });
+
+      return decision;
+    }
+
+    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
     captureException(error, { context: 'bouncer.haiku_analysis', operation });
 
-    // Fail-safe: deny on AI failure
+    // Fail-safe: deny on non-timeout AI failure
     const decision: BouncerDecision = {
       decision: 'deny',
       confidence: 0,
-      reasoning: `Security analysis failed: ${error.message}. Denying for safety.`,
+      reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`,
       threatLevel: 'critical'
     };
 
@@ -459,7 +542,7 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
       decision.decision,
       decision.confidence,
       decision.reasoning,
-      { context: request.context, threatLevel: decision.threatLevel, layer: 'ai-error', latencyMs, error: error.message }
+      { context: request.context, threatLevel: decision.threatLevel, layer: 'ai-error', latencyMs, error: errorMessage }
     );
 
     return decision;

package/server/mcp/security-audit.ts

@@ -19,7 +19,7 @@ export interface AuditLogEntry {
   timestamp: string;
   sessionId?: string;
   operation: string;
-  context?: any;
+  context?: unknown;
   decision: 'allow' | 'deny' | 'warn_allow';
   confidence: number;
   reasoning: string;
@@ -68,7 +68,7 @@ export class SecurityAuditLogger {
     confidence: number,
     reasoning: string,
     metadata?: {
-      context?: any;
+      context?: unknown;
       threatLevel?: string;
       layer?: BouncerLayer;
       latencyMs?: number;
@@ -109,14 +109,14 @@ export function logBouncerDecision(
   decision: 'allow' | 'deny' | 'warn_allow' | undefined,
   confidence: number,
   reasoning: string,
-  metadata?: any
+  metadata?: Record<string, unknown>
 ): void {
   // Defensive: handle undefined or invalid decision
   const safeDecision = decision ?? 'deny';
   const validDecisions = ['allow', 'deny', 'warn_allow'];
   const normalizedDecision = validDecisions.includes(safeDecision) ? safeDecision : 'deny';
 
-  const workingDir = metadata?.context?.workingDirectory;
+  const workingDir = (metadata?.context as Record<string, unknown> | undefined)?.workingDirectory as string | undefined;
   const logger = getAuditLogger(workingDir);
   logger.logDecision(operation, normalizedDecision as 'allow' | 'deny' | 'warn_allow', confidence, reasoning, metadata);