parrat 0.1.0-beta.5

package/dist/index.js

@@ -0,0 +1,2056 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import "dotenv/config";
+import { Command as Command9 } from "commander";
+
+// src/cli/audit-query.ts
+import { readFileSync } from "fs";
+import { Command } from "commander";
+function formatRecord(record) {
+  const ts = typeof record.timestamp === "string" ? record.timestamp : "?";
+  const type = typeof record.event_type === "string" ? record.event_type : "?";
+  const runId = typeof record.run_id === "string" ? record.run_id.slice(0, 8) : "?";
+  const skill = typeof record.skill === "string" ? `  skill=${record.skill}` : "";
+  let detail = "";
+  const payload = record.payload;
+  if (type === "mcp_call" && typeof payload === "object" && payload !== null) {
+    const p = payload;
+    const tool = typeof p.tool === "string" ? p.tool : "";
+    const server = typeof p.server === "string" ? p.server : "";
+    const ms = typeof p.duration_ms === "number" ? ` (${p.duration_ms}ms)` : "";
+    detail = `  ${server}.${tool}${ms}`;
+  } else if (type === "claude_call" && typeof payload === "object" && payload !== null) {
+    const p = payload;
+    const tokens = typeof p.output_tokens === "number" ? ` ${p.output_tokens} tokens` : "";
+    const cost = typeof p.cost_estimate_usd === "number" ? ` $${p.cost_estimate_usd.toFixed(4)}` : "";
+    detail = `${tokens}${cost}`;
+  } else if (type === "error" && typeof payload === "object" && payload !== null) {
+    const p = payload;
+    detail = `  ${typeof p.error_message === "string" ? p.error_message : ""}`;
+  }
+  return `[${ts}] ${type.padEnd(22)} run=${runId}${skill}${detail}`;
+}
+async function queryAuditLog(options) {
+  let raw;
+  try {
+    raw = readFileSync(options.auditPath, "utf8");
+  } catch {
+    return { exitCode: 1, error: `Audit log not found: ${options.auditPath}` };
+  }
+  const sinceMs = options.since ? Date.parse(options.since) : void 0;
+  if (options.since && sinceMs !== void 0 && Number.isNaN(sinceMs)) {
+    return { exitCode: 1, error: `Invalid --since value: ${options.since}` };
+  }
+  const records = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    try {
+      records.push(JSON.parse(trimmed));
+    } catch {
+    }
+  }
+  let filtered = records.filter((r) => {
+    if (options.runId && r.run_id !== options.runId) return false;
+    if (options.eventType && r.event_type !== options.eventType) return false;
+    if (sinceMs !== void 0 && typeof r.timestamp === "string") {
+      if (Date.parse(r.timestamp) < sinceMs) return false;
+    }
+    return true;
+  });
+  filtered.sort((a, b) => {
+    const ta = typeof a.timestamp === "string" ? a.timestamp : "";
+    const tb = typeof b.timestamp === "string" ? b.timestamp : "";
+    return ta.localeCompare(tb);
+  });
+  if (options.limit !== void 0 && options.limit > 0) {
+    filtered = filtered.slice(0, options.limit);
+  }
+  if (filtered.length === 0) {
+    return { exitCode: 1, lines: [], error: "No matching events found." };
+  }
+  const lines = options.json ? filtered.map((r) => JSON.stringify(r)) : filtered.map(formatRecord);
+  return { exitCode: 0, lines };
+}
+var auditCommand = new Command("audit").description("Audit log tools");
+auditCommand.addCommand(
+  new Command("query").description("Query the audit log").option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").option("--run-id <id>", "Filter by run ID").option("--event-type <type>", "Filter by event type (trigger, mcp_call, claude_call, ...)").option("--since <iso>", "Only show events after this ISO 8601 timestamp").option("--limit <n>", "Maximum number of events to show", (v) => Number.parseInt(v, 10)).option("--json", "Output raw NDJSON instead of human-readable format").action(
+    async (opts) => {
+      const result = await queryAuditLog({
+        auditPath: opts.auditPath,
+        ...opts.runId ? { runId: opts.runId } : {},
+        ...opts.eventType ? { eventType: opts.eventType } : {},
+        ...opts.since ? { since: opts.since } : {},
+        ...opts.limit !== void 0 ? { limit: opts.limit } : {},
+        ...opts.json ? { json: opts.json } : {}
+      });
+      if (result.lines) {
+        for (const line of result.lines) {
+          console.log(line);
+        }
+      }
+      if (result.error && result.lines?.length === 0) {
+        console.error(result.error);
+      }
+      if (result.exitCode !== 0) process.exit(result.exitCode);
+    }
+  )
+);
+
+// src/cli/doctor.ts
+import { execFile } from "child_process";
+import { constants, access, mkdir } from "fs/promises";
+import { dirname } from "path";
+import { Command as Command2 } from "commander";
+
+// src/core/config/loader.ts
+import { existsSync, readFileSync as readFileSync2 } from "fs";
+import { homedir } from "os";
+import { isAbsolute, resolve } from "path";
+import { parse as parseYaml } from "yaml";
+
+// src/core/errors.ts
+var ParratError = class extends Error {
+  name = "ParratError";
+};
+var SkillNotFoundError = class extends ParratError {
+  constructor(skillName, available) {
+    const list = available.join(", ") || "(none)";
+    super(`Skill not found: '${skillName}'. Available skills: ${list}.`);
+    this.skillName = skillName;
+    this.available = available;
+  }
+  skillName;
+  available;
+  name = "SkillNotFoundError";
+};
+var DuplicateSkillError = class extends ParratError {
+  constructor(skillName) {
+    super(`Duplicate skill name: ${skillName}`);
+    this.skillName = skillName;
+  }
+  skillName;
+  name = "DuplicateSkillError";
+};
+var SchemaValidationError = class extends ParratError {
+  constructor(direction, skillName, cause) {
+    super(`Skill '${skillName}' ${direction} failed schema validation: ${cause.message}`, {
+      cause
+    });
+    this.direction = direction;
+    this.skillName = skillName;
+  }
+  direction;
+  skillName;
+  name = "SchemaValidationError";
+};
+var AuditWriteError = class extends ParratError {
+  constructor(filePath, cause) {
+    const causeMsg = cause instanceof Error ? cause.message : String(cause);
+    super(`Failed to write audit log to '${filePath}': ${causeMsg}`, { cause });
+    this.filePath = filePath;
+  }
+  filePath;
+  name = "AuditWriteError";
+};
+var MissingClaudeKeyError = class extends ParratError {
+  name = "MissingClaudeKeyError";
+  constructor() {
+    super(
+      "Claude API key not found. Set ANTHROPIC_API_KEY in your environment, or run `parrat init` to configure."
+    );
+  }
+};
+var ConfigNotFoundError = class extends ParratError {
+  constructor(path, source) {
+    const hint = source === "PARRAT_CONFIG_PATH" ? `Expected a config at PARRAT_CONFIG_PATH='${path}' but no file exists there.` : `No config found at '${path}'. Run \`parrat init\` to scaffold one.`;
+    super(`Parrat config not found: ${hint}`);
+    this.path = path;
+    this.source = source;
+  }
+  path;
+  source;
+  name = "ConfigNotFoundError";
+};
+var ConfigValidationError = class extends ParratError {
+  constructor(path, stage, cause) {
+    const causeMsg = cause instanceof Error ? cause.message : String(cause ?? "");
+    super(`Config validation failed at '${path}' (${stage}): ${causeMsg}`, { cause });
+    this.path = path;
+    this.stage = stage;
+  }
+  path;
+  stage;
+  name = "ConfigValidationError";
+};
+var MaxTurnsExceededError = class extends ParratError {
+  constructor(skillName, maxTurns) {
+    super(
+      `Skill '${skillName}' did not converge within max_turns=${maxTurns}. Increase max_turns or refine the system prompt.`
+    );
+    this.skillName = skillName;
+    this.maxTurns = maxTurns;
+  }
+  skillName;
+  maxTurns;
+  name = "MaxTurnsExceededError";
+};
+var LlmApiError = class extends ParratError {
+  name = "LlmApiError";
+  constructor(message, cause) {
+    super(message, { cause });
+  }
+};
+
+// src/core/config/overrides.ts
+function applyEnvOverrides(config, env) {
+  const overrideMap = {
+    PARRAT_TENANT_ID: {
+      type: "tenant",
+      apply: (cfg, val) => ({ ...cfg, tenant_id: val })
+    },
+    PARRAT_CLAUDE_MODEL: {
+      type: "string",
+      apply: (cfg, val) => ({ ...cfg, claude: { ...cfg.claude, model: val } })
+    },
+    PARRAT_CLAUDE_MAX_TURNS: {
+      type: "number",
+      apply: (cfg, val) => ({
+        ...cfg,
+        claude: { ...cfg.claude, max_turns: Number.parseInt(val, 10) }
+      })
+    },
+    PARRAT_CLAUDE_MAX_TOKENS: {
+      type: "number",
+      apply: (cfg, val) => ({
+        ...cfg,
+        claude: { ...cfg.claude, max_tokens: Number.parseInt(val, 10) }
+      })
+    },
+    PARRAT_CLAUDE_TEMPERATURE: {
+      type: "number",
+      apply: (cfg, val) => ({
+        ...cfg,
+        claude: { ...cfg.claude, temperature: Number.parseFloat(val) }
+      })
+    },
+    PARRAT_AUDIT_LOG_PATH: {
+      type: "string",
+      apply: (cfg, val) => ({ ...cfg, audit: { ...cfg.audit, log_path: val } })
+    },
+    PARRAT_AUDIT_RETENTION_DAYS: {
+      type: "number",
+      apply: (cfg, val) => ({
+        ...cfg,
+        audit: { ...cfg.audit, retention_days: Number.parseInt(val, 10) }
+      })
+    }
+  };
+  let result = config;
+  for (const [envVar, descriptor] of Object.entries(overrideMap)) {
+    const value = env[envVar];
+    if (value === void 0 || value === "") continue;
+    if (descriptor.type === "number" && Number.isNaN(Number.parseFloat(value))) continue;
+    result = descriptor.apply(result, value);
+  }
+  return result;
+}
+
+// src/core/config/schema.ts
+import { z } from "zod";
+var mcpServerConfigSchema = z.object({
+  command: z.string().min(1),
+  args: z.array(z.string()).default([]),
+  env: z.record(z.string(), z.string()).default({}),
+  tools: z.array(z.string()).optional()
+}).strict();
+var skillDefaultsSchema = z.object({
+  timeout_seconds: z.number().int().positive().default(60),
+  max_retries: z.number().int().nonnegative().default(2)
+}).strict();
+var auditConfigSchema = z.object({
+  log_path: z.string().default(".parrat/audit.jsonl"),
+  hash_algorithm: z.literal("sha256").default("sha256"),
+  retention_days: z.number().int().positive().default(90),
+  redact_fields: z.array(z.string()).default([]),
+  idempotency_window_hours: z.number().int().positive().default(24)
+}).strict();
+var claudeConfigSchema = z.object({
+  model: z.string().default("claude-sonnet-4-6"),
+  max_turns: z.number().int().positive().default(6),
+  max_tokens: z.number().int().positive().default(4096),
+  temperature: z.number().min(0).max(1).default(0)
+}).strict();
+var watchConfigSchema = z.object({
+  skill: z.string().min(1),
+  input: z.record(z.string(), z.unknown()).default({})
+}).strict();
+var slackNotifyConfigSchema = z.object({
+  webhook_url: z.string().url()
+}).strict();
+var notifyConfigSchema = z.object({
+  slack: slackNotifyConfigSchema.optional()
+}).strict();
+var webhookConfigSchema = z.object({
+  port: z.number().int().positive().default(8080),
+  secret: z.string().optional()
+}).strict();
+var configSchema = z.object({
+  version: z.literal(1),
+  tenant_id: z.string().default("default"),
+  mcpServers: z.record(z.string(), mcpServerConfigSchema).default({}),
+  skills: z.object({
+    defaults: skillDefaultsSchema.default({})
+  }).strict().default({}),
+  audit: auditConfigSchema.default({}),
+  claude: claudeConfigSchema.default({}),
+  watch: watchConfigSchema.optional(),
+  notify: notifyConfigSchema.optional(),
+  webhook: webhookConfigSchema.optional()
+}).strict();
+
+// src/core/config/loader.ts
+var ENV_VAR_PATTERN = /\$([A-Z_][A-Z0-9_]*)|\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveConfigPath(env = process.env, cwd = process.cwd()) {
+  const fromEnv = env.PARRAT_CONFIG_PATH;
+  if (fromEnv) {
+    const absolute = isAbsolute(fromEnv) ? fromEnv : resolve(cwd, fromEnv);
+    if (!existsSync(absolute)) {
+      throw new ConfigNotFoundError(absolute, "PARRAT_CONFIG_PATH");
+    }
+    return absolute;
+  }
+  const defaultPath = resolve(cwd, ".parrat", "config.yaml");
+  if (!existsSync(defaultPath)) {
+    throw new ConfigNotFoundError(defaultPath, "default");
+  }
+  return defaultPath;
+}
+async function loadConfig(env = process.env, cwd = process.cwd()) {
+  const path = resolveConfigPath(env, cwd);
+  const raw = readFileSync2(path, "utf-8");
+  let parsed;
+  try {
+    parsed = parseYaml(raw);
+  } catch (cause) {
+    throw new ConfigValidationError(path, "YAML parse failed", cause);
+  }
+  const result = configSchema.safeParse(parsed);
+  if (!result.success) {
+    throw new ConfigValidationError(path, "schema validation failed", result.error);
+  }
+  const resolved = walkAndTransform(result.data, env, homedir());
+  const withOverrides = applyEnvOverrides(resolved, env);
+  return Object.freeze(withOverrides);
+}
+function resolveEnvVars(value, env) {
+  return value.replace(
+    ENV_VAR_PATTERN,
+    (_match, bare, braced) => {
+      const name = bare ?? braced ?? "";
+      const resolved = env[name];
+      if (resolved === void 0) {
+        throw new ConfigValidationError(
+          "<env-resolution>",
+          `Environment variable '${name}' referenced in config but not set`,
+          void 0
+        );
+      }
+      return resolved;
+    }
+  );
+}
+function expandTilde(path, home) {
+  if (path === "~") return home;
+  if (path.startsWith("~/") || path.startsWith("~\\")) {
+    return resolve(home, path.slice(2));
+  }
+  return path;
+}
+function walkAndTransform(value, env, home) {
+  if (typeof value === "string") {
+    const envResolved = resolveEnvVars(value, env);
+    return expandTilde(envResolved, home);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => walkAndTransform(item, env, home));
+  }
+  if (value !== null && typeof value === "object") {
+    const out = {};
+    for (const [key, v] of Object.entries(value)) {
+      out[key] = walkAndTransform(v, env, home);
+    }
+    return out;
+  }
+  return value;
+}
+
+// src/cli/doctor.ts
+function execFileAsync(cmd, args, opts) {
+  return new Promise((resolve6, reject) => {
+    execFile(cmd, args, opts, (err, stdout2, stderr) => {
+      if (err) reject(err);
+      else resolve6({ stdout: stdout2, stderr });
+    });
+  });
+}
+var PINNED_DBT_MCP_VERSION = "0.4.3";
+async function checkApiKey() {
+  const key = process.env.ANTHROPIC_API_KEY;
+  return key && key.length > 0 ? { name: "ANTHROPIC_API_KEY", status: "ok", message: "Present" } : {
+    name: "ANTHROPIC_API_KEY",
+    status: "fail",
+    message: "Missing \u2014 set ANTHROPIC_API_KEY in your environment or .env file"
+  };
+}
+async function checkConfig() {
+  try {
+    await loadConfig();
+    return { name: "Config file", status: "ok", message: "Loaded and valid" };
+  } catch (e) {
+    return {
+      name: "Config file",
+      status: "fail",
+      message: `${e instanceof Error ? e.message : String(e)}`
+    };
+  }
+}
+async function checkDbtMcpVersion() {
+  let config;
+  try {
+    config = await loadConfig();
+  } catch {
+    return { name: "dbt-mcp version", status: "warn", message: "Skipped \u2014 config not loadable" };
+  }
+  const usesDbtMcp = Object.values(config.mcpServers).some(
+    (s) => s.command.includes("dbt-mcp") || s.args.some((a) => a.includes("dbt-mcp"))
+  );
+  if (!usesDbtMcp) {
+    return { name: "dbt-mcp version", status: "ok", message: "dbt-mcp not configured \u2014 skipped" };
+  }
+  try {
+    const { stdout: stdout2 } = await execFileAsync("uvx", ["dbt-mcp", "--version"], { timeout: 1e4 });
+    const version = stdout2.trim().split(/\s+/).pop() ?? "";
+    if (version === PINNED_DBT_MCP_VERSION) {
+      return { name: "dbt-mcp version", status: "ok", message: `${version} (matches pinned)` };
+    }
+    return {
+      name: "dbt-mcp version",
+      status: "fail",
+      message: `Found ${version || "(unknown)"}, expected ${PINNED_DBT_MCP_VERSION} \u2014 run: uvx install dbt-mcp==${PINNED_DBT_MCP_VERSION}`
+    };
+  } catch (e) {
+    return {
+      name: "dbt-mcp version",
+      status: "fail",
+      message: `Could not run 'uvx dbt-mcp --version': ${e instanceof Error ? e.message : String(e)}`
+    };
+  }
+}
+async function checkAuditDir(auditPath) {
+  const dir = dirname(auditPath);
+  try {
+    await access(dir, constants.W_OK);
+    return { name: "Audit directory", status: "ok", message: `${dir} is writable` };
+  } catch {
+    try {
+      await mkdir(dir, { recursive: true });
+      return { name: "Audit directory", status: "ok", message: `${dir} created` };
+    } catch (e) {
+      return {
+        name: "Audit directory",
+        status: "warn",
+        message: `Could not create ${dir}: ${e instanceof Error ? e.message : String(e)}`
+      };
+    }
+  }
+}
+async function runDoctor(auditPath) {
+  return Promise.all([
+    checkApiKey(),
+    checkConfig(),
+    checkDbtMcpVersion(),
+    checkAuditDir(auditPath)
+  ]);
+}
+function formatCheck(check) {
+  const icon = check.status === "ok" ? "\u2713" : check.status === "warn" ? "!" : "\u2717";
+  return `${icon} ${check.name.padEnd(22)} ${check.status.padEnd(6)}  ${check.message}`;
+}
+var doctorCommand = new Command2("doctor").description("Check Parrat configuration and dependencies").option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").action(async (opts) => {
+  const checks = await runDoctor(opts.auditPath);
+  for (const check of checks) {
+    console.log(formatCheck(check));
+  }
+  const hasFail = checks.some((c) => c.status === "fail");
+  if (hasFail) process.exit(1);
+});
+
+// src/cli/init.ts
+import { mkdir as mkdir2, stat, writeFile } from "fs/promises";
+import { dirname as dirname2, resolve as resolve2 } from "path";
+import { stdin, stdout } from "process";
+import { createInterface } from "readline/promises";
+import { Command as Command3 } from "commander";
+var DEFAULT_CONFIG_PATH = ".parrat/config.yaml";
+async function pathExists(path) {
+  try {
+    await stat(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function writeDefaultConfig(configPath) {
+  const yaml = [
+    "# Parrat configuration",
+    `# Generated by \`parrat init\` on ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    "",
+    "version: 1",
+    "tenant_id: default",
+    "",
+    "# MCP servers \u2014 uncomment and configure for LLM-driven Skills",
+    "# (e.g., freshness-investigation needs a `dbt` server).",
+    "mcpServers: {}",
+    "#   dbt:",
+    "#     command: uvx",
+    "#     args: [dbt-mcp]",
+    "#     env:",
+    "#       DBT_PROJECT_DIR: /absolute/path/to/dbt/project",
+    "#       DBT_PATH: /absolute/path/to/dbt",
+    '#       PYTHONUTF8: "1"  # Required on Windows',
+    "",
+    "audit:",
+    "  log_path: .parrat/audit.jsonl",
+    "  retention_days: 90",
+    "",
+    "claude:",
+    "  # API key from ANTHROPIC_API_KEY env var (never declared here).",
+    "  model: claude-sonnet-4-6",
+    "  max_turns: 6",
+    "  max_tokens: 4096",
+    "  temperature: 0.0",
+    ""
+  ].join("\n");
+  await mkdir2(dirname2(configPath), { recursive: true });
+  await writeFile(configPath, yaml, "utf8");
+}
+var initCommand = new Command3("init").description("Initialize a Parrat configuration in the current directory").option("--config-path <path>", "Path to write the config file", DEFAULT_CONFIG_PATH).option("-f, --force", "Overwrite existing config without prompting", false).action(async (opts) => {
+  const configPath = resolve2(opts.configPath);
+  console.log("Welcome to Parrat.");
+  console.log("Run `parrat skills list` to see available Skills.");
+  console.log("");
+  if (await pathExists(configPath) && !opts.force) {
+    const rl = createInterface({ input: stdin, output: stdout });
+    try {
+      const answer = await rl.question(`${configPath} already exists. Overwrite? (y/N) `);
+      if (!/^y(es)?$/i.test(answer.trim())) {
+        console.log("Aborted. No changes written.");
+        return;
+      }
+    } finally {
+      rl.close();
+    }
+  }
+  await writeDefaultConfig(configPath);
+  console.log(`Configuration written to ${configPath}`);
+  if (process.env.ANTHROPIC_API_KEY) {
+    console.log("ANTHROPIC_API_KEY is set in your environment.");
+  } else {
+    console.log(
+      "ANTHROPIC_API_KEY not set. Run `export ANTHROPIC_API_KEY=...` before invoking Skills that call Claude."
+    );
+  }
+});
+
+// src/cli/replay.ts
+import { readFileSync as readFileSync3 } from "fs";
+import { resolve as resolve3 } from "path";
+import { Command as Command4 } from "commander";
+function formatTime(iso) {
+  return iso.slice(11, 19);
+}
+function formatRecord2(r) {
+  const t = formatTime(r.timestamp);
+  switch (r.event_type) {
+    case "trigger":
+      return `[${t}] TRIGGER   skill=${r.skill ?? "?"} actor=${r.actor}`;
+    case "claude_call": {
+      const p = r.payload;
+      const cost = typeof p.cost_estimate_usd === "number" ? p.cost_estimate_usd.toFixed(4) : "?";
+      const dur = typeof p.duration_ms === "number" ? (p.duration_ms / 1e3).toFixed(1) : "?";
+      return `[${t}] CLAUDE    turn=${p.turn_index} in=${p.input_tokens} out=${p.output_tokens} cost=$${cost} dur=${dur}s`;
+    }
+    case "mcp_call": {
+      const p = r.payload;
+      const dur = typeof p.duration_ms === "number" ? (p.duration_ms / 1e3).toFixed(1) : "?";
+      const status = p.is_error ? " ERROR" : "";
+      return `[${t}] MCP       server=${p.server} tool=${p.tool} dur=${dur}s${status}`;
+    }
+    case "skill_output_captured":
+      return `[${t}] OUTPUT    turn=${r.payload.turn_index}`;
+    case "skill_complete": {
+      const dur = typeof r.payload.duration_ms === "number" ? ` dur=${(r.payload.duration_ms / 1e3).toFixed(1)}s` : "";
+      return `[${t}] COMPLETE${dur}`;
+    }
+    case "error":
+      return `[${t}] ERROR     ${r.payload.error_name}: ${r.payload.error_message}`;
+    default:
+      return `[${t}] ${r.event_type.toUpperCase().padEnd(9)}`;
+  }
+}
+function replayRun(options) {
+  let raw;
+  try {
+    raw = readFileSync3(resolve3(options.auditPath), "utf8");
+  } catch (e) {
+    return {
+      exitCode: 1,
+      error: `Cannot read audit log at '${options.auditPath}': ${e instanceof Error ? e.message : String(e)}`
+    };
+  }
+  const records = raw.split("\n").filter(Boolean).flatMap((line) => {
+    try {
+      return [JSON.parse(line)];
+    } catch {
+      return [];
+    }
+  }).filter((r) => r.run_id === options.runId).sort((a, b) => a.timestamp.localeCompare(b.timestamp));
+  if (records.length === 0) {
+    return {
+      exitCode: 1,
+      error: `No events found for run_id '${options.runId}' in '${options.auditPath}'`
+    };
+  }
+  return { exitCode: 0, lines: records.map(formatRecord2) };
+}
+var replayCommand = new Command4("replay").description("Print a human-readable trace of a past Skill run from the audit log").argument("<run_id>", "The run ID to replay").option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").action(async (runId, opts) => {
+  const result = replayRun({ runId, auditPath: opts.auditPath });
+  if (result.error) {
+    console.error(result.error);
+  }
+  if (result.lines) {
+    for (const line of result.lines) {
+      console.log(line);
+    }
+  }
+  if (result.exitCode !== 0) {
+    process.exit(result.exitCode);
+  }
+});
+
+// src/cli/run.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { resolve as resolve4 } from "path";
+import { Command as Command5 } from "commander";
+
+// src/core/audit/idempotency.ts
+import { readFileSync as readFileSync4 } from "fs";
+async function isDuplicateRun(auditPath, correlationId, windowHours) {
+  let raw;
+  try {
+    raw = readFileSync4(auditPath, "utf8");
+  } catch {
+    return false;
+  }
+  const cutoff = Date.now() - windowHours * 3600 * 1e3;
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    let record;
+    try {
+      record = JSON.parse(trimmed);
+    } catch {
+      continue;
+    }
+    if (record.event_type === "trigger" && record.workflow_id === correlationId && typeof record.timestamp === "string" && Date.parse(record.timestamp) >= cutoff) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/core/audit/logger.ts
+import { createHash, randomUUID } from "crypto";
+import { appendFile, mkdir as mkdir3 } from "fs/promises";
+import { dirname as dirname3 } from "path";
+var HASH_FIELDS = {
+  mcp_call: [
+    ["args", "args_hash"],
+    ["result", "result_hash"]
+  ],
+  trigger: [["input", "input_hash"]]
+};
+function sha256hex(value) {
+  return createHash("sha256").update(JSON.stringify(value)).digest("hex");
+}
+function applyHashing(eventType, payload) {
+  const targets = HASH_FIELDS[eventType];
+  if (!targets) return payload;
+  const result = { ...payload };
+  for (const [src, dest] of targets) {
+    if (src in result) {
+      result[dest] = sha256hex(result[src]);
+      delete result[src];
+    }
+  }
+  return result;
+}
+function applyRedaction(payload, redactFields) {
+  if (redactFields.length === 0) return { payload, redacted: false };
+  let redacted = false;
+  const walk = (obj) => {
+    const out = {};
+    for (const [k, v] of Object.entries(obj)) {
+      if (redactFields.includes(k)) {
+        out[k] = "[REDACTED]";
+        redacted = true;
+      } else if (v !== null && typeof v === "object" && !Array.isArray(v)) {
+        out[k] = walk(v);
+      } else {
+        out[k] = v;
+      }
+    }
+    return out;
+  };
+  return { payload: walk(payload), redacted };
+}
+function createAuditLogger(options) {
+  return {
+    write: async (input) => {
+      const cfg = options.auditConfig;
+      let payload = input.payload;
+      let redactionApplied = false;
+      if (cfg?.hash_algorithm) {
+        payload = applyHashing(input.type, payload);
+      }
+      if (cfg?.redact_fields && cfg.redact_fields.length > 0) {
+        const result = applyRedaction(payload, cfg.redact_fields);
+        payload = result.payload;
+        redactionApplied = result.redacted;
+      }
+      const record = {
+        event_id: randomUUID(),
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tenant_id: input.tenantId,
+        run_id: input.runId,
+        workflow_id: input.workflowId ?? input.runId,
+        skill: input.skill,
+        event_type: input.type,
+        actor: input.actor,
+        payload,
+        redaction_applied: redactionApplied
+      };
+      try {
+        await mkdir3(dirname3(options.filePath), { recursive: true });
+        await appendFile(options.filePath, `${JSON.stringify(record)}
+`, "utf8");
+      } catch (e) {
+        throw new AuditWriteError(options.filePath, e);
+      }
+    }
+  };
+}
+
+// src/core/audit/retention.ts
+import { readFileSync as readFileSync5 } from "fs";
+import { writeFile as writeFile2 } from "fs/promises";
+async function sweepAuditLog(auditPath, retentionDays) {
+  let raw;
+  try {
+    raw = readFileSync5(auditPath, "utf8");
+  } catch {
+    return { removed: 0 };
+  }
+  const cutoff = Date.now() - retentionDays * 86400 * 1e3;
+  const survivors = [];
+  let removed = 0;
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    let record;
+    try {
+      record = JSON.parse(trimmed);
+    } catch {
+      survivors.push(trimmed);
+      continue;
+    }
+    if (typeof record.timestamp === "string" && Date.parse(record.timestamp) < cutoff) {
+      removed++;
+    } else {
+      survivors.push(trimmed);
+    }
+  }
+  if (removed > 0) {
+    await writeFile2(auditPath, survivors.join("\n") + (survivors.length > 0 ? "\n" : ""), "utf8");
+  }
+  return { removed };
+}
+
+// src/core/runtime.ts
+import "dotenv/config";
+import { randomUUID as randomUUID2 } from "crypto";
+
+// src/core/keys.ts
+async function getClaudeKey(_tenantId) {
+  const key = process.env.ANTHROPIC_API_KEY;
+  if (!key) {
+    throw new MissingClaudeKeyError();
+  }
+  return key;
+}
+
+// src/core/llm/client.ts
+import Anthropic from "@anthropic-ai/sdk";
+function createLlmClient(options) {
+  const sdk = new Anthropic({ apiKey: options.apiKey });
+  const maxRetries = options.maxRetries ?? 3;
+  return {
+    call: async (callOptions) => {
+      let lastError;
+      for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        try {
+          return await sdk.messages.create({
+            model: callOptions.model,
+            max_tokens: callOptions.maxTokens,
+            temperature: callOptions.temperature,
+            system: callOptions.system,
+            messages: callOptions.messages,
+            tools: callOptions.tools
+          });
+        } catch (error) {
+          lastError = error;
+          if (!isTransient(error) || attempt === maxRetries) break;
+          await sleep(2 ** attempt * 1e3);
+        }
+      }
+      throw new LlmApiError(
+        `Anthropic API call failed after ${maxRetries + 1} attempts`,
+        lastError
+      );
+    }
+  };
+}
+function isTransient(error) {
+  if (!(error instanceof Anthropic.APIError)) return false;
+  const status = error.status ?? 0;
+  return status >= 500 || status === 408 || status === 429;
+}
+function sleep(ms) {
+  return new Promise((resolve6) => setTimeout(resolve6, ms));
+}
+
+// src/core/telemetry.ts
+function isTelemetryEnabled(_config) {
+  return false;
+}
+async function track(_event) {
+}
+
+// src/core/types.ts
+var DEFAULT_TENANT_ID = "default";
+
+// src/core/runtime.ts
+function createRuntime(options) {
+  const { registry, auditLogger } = options;
+  const tenantId = options.tenantId ?? DEFAULT_TENANT_ID;
+  let cachedConfig = options.config;
+  let cachedLlmClient = options.llmClient;
+  async function getConfig() {
+    if (cachedConfig) return cachedConfig;
+    cachedConfig = await loadConfig();
+    return cachedConfig;
+  }
+  async function getLlmClient() {
+    if (cachedLlmClient) return cachedLlmClient;
+    const apiKey = await getClaudeKey(tenantId);
+    cachedLlmClient = createLlmClient({ apiKey });
+    return cachedLlmClient;
+  }
+  return {
+    invoke: async ({ skill: skillName, input, actor, triggerMetadata, correlationId }) => {
+      const skill = registry.lookup(skillName);
+      const runId = randomUUID2();
+      const workflowId = correlationId ?? runId;
+      const skillSpec = skill;
+      const skillNeedsLlm = !!skillSpec.mcpServers && Object.keys(skillSpec.mcpServers).length > 0;
+      const config = skillNeedsLlm ? await getConfig() : void 0;
+      const llmClient = skillNeedsLlm ? await getLlmClient() : void 0;
+      const ctx = {
+        tenantId,
+        runId,
+        workflowId,
+        auditLogger,
+        actor,
+        ...config ? { config } : {},
+        ...llmClient ? { llmClient } : {}
+      };
+      await auditLogger.write({
+        type: "trigger",
+        tenantId,
+        runId,
+        workflowId,
+        skill: skillName,
+        actor,
+        payload: { input, triggerMetadata: triggerMetadata ?? {} }
+      });
+      try {
+        const output = await skill.run(input, ctx);
+        await auditLogger.write({
+          type: "skill_complete",
+          tenantId,
+          runId,
+          workflowId,
+          skill: skillName,
+          actor,
+          payload: { output }
+        });
+        if (config && isTelemetryEnabled(config)) {
+          await track({ event: "skill_complete", properties: { skill: skillName } });
+        }
+        return output;
+      } catch (e) {
+        await auditLogger.write({
+          type: "error",
+          tenantId,
+          runId,
+          workflowId,
+          skill: skillName,
+          actor,
+          payload: {
+            error_name: e instanceof Error ? e.name : "UnknownError",
+            error_message: e instanceof Error ? e.message : String(e)
+          }
+        });
+        throw e;
+      }
+    }
+  };
+}
+
+// src/core/skills/registry.ts
+function createRegistry(skills2) {
+  const byName = /* @__PURE__ */ new Map();
+  for (const skill of skills2) {
+    if (byName.has(skill.name)) {
+      throw new DuplicateSkillError(skill.name);
+    }
+    byName.set(skill.name, skill);
+  }
+  return {
+    list: () => Array.from(byName.keys()).sort(),
+    has: (name) => byName.has(name),
+    lookup: (name) => {
+      const skill = byName.get(name);
+      if (!skill) {
+        throw new SkillNotFoundError(name, Array.from(byName.keys()).sort());
+      }
+      return skill;
+    }
+  };
+}
+
+// src/core/llm/skill-executor.ts
+import { ZodError } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+
+// src/core/mcp/client.ts
+import { Client as McpSdkClient } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+async function connectMcpClient(serverName, config) {
+  const transport = new StdioClientTransport({
+    command: config.command,
+    args: [...config.args],
+    env: { ...process.env, ...config.env }
+  });
+  const sdkClient = new McpSdkClient(
+    { name: "parrat-mcp-client", version: "0.0.0" },
+    { capabilities: {} }
+  );
+  await sdkClient.connect(transport);
+  return {
+    serverName,
+    async listTools() {
+      const result = await sdkClient.listTools();
+      return result.tools.map((t) => ({
+        name: t.name,
+        description: t.description,
+        inputSchema: t.inputSchema
+      }));
+    },
+    async callTool(name, args) {
+      const result = await sdkClient.callTool({ name, arguments: args });
+      return {
+        content: result.content,
+        isError: typeof result.isError === "boolean" ? result.isError : void 0
+      };
+    },
+    async close() {
+      await sdkClient.close();
+    }
+  };
+}
+
+// src/core/mcp/filter.ts
+function resolveAllowlist(serverName, toolNames) {
+  return {
+    serverName,
+    toolNames,
+    fullyQualified: toolNames.map((name) => `mcp__${serverName}__${name}`)
+  };
+}
+
+// src/core/llm/skill-executor.ts
+var COST_PER_MTOK = {
+  "claude-opus-4": { input: 15, output: 75 },
+  "claude-sonnet-4-6": { input: 3, output: 15 },
+  "claude-haiku-4-5": { input: 0.8, output: 4 }
+};
+function estimateCost(model, inputTokens, outputTokens) {
+  const entry = Object.entries(COST_PER_MTOK).find(([prefix]) => model.startsWith(prefix));
+  if (!entry) return 0;
+  const [, rates] = entry;
+  return (inputTokens * rates.input + outputTokens * rates.output) / 1e6;
+}
+async function executeSkill(options) {
+  const startedAt = Date.now();
+  const clients = [];
+  const toolRouting = /* @__PURE__ */ new Map();
+  const tools = [];
+  const emitFindingsName = "emit_findings";
+  tools.push({
+    name: emitFindingsName,
+    description: "Report your investigation findings. Call this exactly once when your investigation is complete.",
+    input_schema: zodToJsonSchema(options.outputSchema)
+  });
+  try {
+    for (const [serverName, server] of Object.entries(options.mcpServers)) {
+      const client = await connectMcpClient(serverName, server.config);
+      clients.push(client);
+      const allowlist = resolveAllowlist(serverName, server.tools);
+      const allowedSet = new Set(server.tools);
+      const allTools = await client.listTools();
+      for (const tool of allTools) {
+        if (!allowedSet.has(tool.name)) continue;
+        const fqName = `mcp__${serverName}__${tool.name}`;
+        toolRouting.set(fqName, { client, bareName: tool.name });
+        tools.push({
+          name: fqName,
+          description: tool.description ?? `Tool ${tool.name} from MCP server ${serverName}`,
+          input_schema: tool.inputSchema
+        });
+      }
+      const exposedNames = new Set(allTools.map((t) => t.name));
+      for (const expected of server.tools) {
+        if (!exposedNames.has(expected)) {
+          throw new Error(
+            `MCP server '${serverName}' did not expose required tool '${expected}'. Available: ${[...exposedNames].join(", ") || "(none)"}.`
+          );
+        }
+      }
+      void allowlist;
+    }
+    const messages = [{ role: "user", content: options.userMessage }];
+    let inputTokens = 0;
+    let outputTokens = 0;
+    let totalCostUsd = 0;
+    let capturedOutput;
+    for (let turn = 0; turn < options.maxTurns; turn++) {
+      const turnStartedAt = Date.now();
+      const response = await options.llm.call({
+        model: options.model,
+        maxTokens: options.maxTokens,
+        temperature: options.temperature,
+        system: options.systemPrompt,
+        messages,
+        tools
+      });
+      const turnDurationMs = Date.now() - turnStartedAt;
+      inputTokens += response.usage.input_tokens;
+      outputTokens += response.usage.output_tokens;
+      const turnCostUsd = estimateCost(
+        options.model,
+        response.usage.input_tokens,
+        response.usage.output_tokens
+      );
+      totalCostUsd += turnCostUsd;
+      await options.auditLogger.write({
+        type: "claude_call",
+        tenantId: options.tenantId,
+        runId: options.runId,
+        workflowId: options.workflowId,
+        skill: options.skillName,
+        actor: options.actor,
+        payload: {
+          model: options.model,
+          input_tokens: response.usage.input_tokens,
+          output_tokens: response.usage.output_tokens,
+          cost_estimate_usd: turnCostUsd,
+          duration_ms: turnDurationMs,
+          turn_index: turn
+        }
+      });
+      if (response.stop_reason === "end_turn") {
+        if (capturedOutput !== void 0) {
+          return {
+            output: capturedOutput,
+            totalTurns: turn + 1,
+            inputTokens,
+            outputTokens,
+            totalCostUsd,
+            durationMs: Date.now() - startedAt
+          };
+        }
+        throw new MaxTurnsExceededError(options.skillName, options.maxTurns);
+      }
+      if (response.stop_reason === "tool_use") {
+        const toolUses = response.content.filter(
+          (block) => block.type === "tool_use"
+        );
+        messages.push({ role: "assistant", content: response.content });
+        const toolResultBlocks = [];
+        for (const toolUse of toolUses) {
+          if (toolUse.name === emitFindingsName) {
+            try {
+              capturedOutput = options.outputSchema.parse(toolUse.input);
+              await options.auditLogger.write({
+                type: "skill_output_captured",
+                tenantId: options.tenantId,
+                runId: options.runId,
+                workflowId: options.workflowId,
+                skill: options.skillName,
+                actor: options.actor,
+                payload: { output: capturedOutput, turn_index: turn }
+              });
+              toolResultBlocks.push({
+                type: "tool_result",
+                tool_use_id: toolUse.id,
+                content: "Findings recorded."
+              });
+            } catch (e) {
+              const message = e instanceof ZodError ? e.message : String(e);
+              toolResultBlocks.push({
+                type: "tool_result",
+                tool_use_id: toolUse.id,
+                content: `Validation error \u2014 revise and call emit_findings again: ${message}`
+              });
+            }
+            continue;
+          }
+          const route = toolRouting.get(toolUse.name);
+          if (!route) {
+            throw new Error(
+              `Claude requested tool '${toolUse.name}' which is not in the allowlist. This indicates a bug \u2014 the API SDK should never expose disallowed tools.`
+            );
+          }
+          const callStartedAt = Date.now();
+          const args = toolUse.input;
+          const result = await route.client.callTool(route.bareName, args);
+          const durationMs = Date.now() - callStartedAt;
+          await options.auditLogger.write({
+            type: "mcp_call",
+            tenantId: options.tenantId,
+            runId: options.runId,
+            workflowId: options.workflowId,
+            skill: options.skillName,
+            actor: options.actor,
+            payload: {
+              server: route.client.serverName,
+              tool: route.bareName,
+              args,
+              result: result.content,
+              is_error: result.isError ?? false,
+              duration_ms: durationMs,
+              turn_index: turn
+            }
+          });
+          toolResultBlocks.push({
+            type: "tool_result",
+            tool_use_id: toolUse.id,
+            content: JSON.stringify(result.content)
+          });
+        }
+        if (capturedOutput !== void 0 && toolResultBlocks.every((b) => b.content === "Findings recorded.")) {
+          return {
+            output: capturedOutput,
+            totalTurns: turn + 1,
+            inputTokens,
+            outputTokens,
+            totalCostUsd,
+            durationMs: Date.now() - startedAt
+          };
+        }
+        messages.push({ role: "user", content: toolResultBlocks });
+        continue;
+      }
+      throw new Error(
+        `Unexpected stop_reason '${response.stop_reason}' from Claude in skill '${options.skillName}'`
+      );
+    }
+    throw new MaxTurnsExceededError(options.skillName, options.maxTurns);
+  } finally {
+    for (const client of clients) {
+      try {
+        await client.close();
+      } catch {
+      }
+    }
+  }
+}
+
+// src/core/skills/Skill.ts
+import { ZodError as ZodError2 } from "zod";
+function defineSkill(spec) {
+  const validate = (schema, value, direction) => {
+    try {
+      return schema.parse(value);
+    } catch (e) {
+      if (e instanceof ZodError2) {
+        throw new SchemaValidationError(direction, spec.name, e);
+      }
+      throw e;
+    }
+  };
+  return {
+    ...spec,
+    run: async (input, ctx) => {
+      const validInput = validate(spec.inputSchema, input, "input");
+      const output = await spec.run(validInput, ctx);
+      return validate(spec.outputSchema, output, "output");
+    }
+  };
+}
+
+// src/skills/freshness-investigation/freshness-context-provider.ts
+import { readFile } from "fs/promises";
+import { join } from "path";
+var DbtFreshnessContextProvider = class {
+  constructor(dbtProjectDir) {
+    this.dbtProjectDir = dbtProjectDir;
+  }
+  dbtProjectDir;
+  async getContext(sources) {
+    const filePath = join(this.dbtProjectDir, "target", "sources.json");
+    let raw;
+    try {
+      raw = await readFile(filePath, "utf8");
+    } catch (e) {
+      if (e.code === "ENOENT") return [];
+      throw e;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (e) {
+      throw new Error(`sources.json parse error: ${e.message}`);
+    }
+    const results = parsed.results ?? [];
+    const all = results.map(mapResult);
+    if (!sources || sources.length === 0) return all;
+    return all.filter(
+      (ctx) => sources.some((s) => ctx.source === s || ctx.source.endsWith(`.${s}`))
+    );
+  }
+};
+function mapResult(r) {
+  const lastLoadedAt = r.max_loaded_at ?? null;
+  if (r.status === "pass") {
+    return { source: r.unique_id, lastLoadedAt, status: "fresh" };
+  }
+  if (r.status === "warn") {
+    return { source: r.unique_id, lastLoadedAt, status: "stale_warn", thresholdBreached: "warn" };
+  }
+  if (r.status === "error") {
+    return {
+      source: r.unique_id,
+      lastLoadedAt,
+      status: "stale_error",
+      thresholdBreached: "error"
+    };
+  }
+  return { source: r.unique_id, lastLoadedAt, status: "unknown" };
+}
+
+// src/skills/freshness-investigation/input-schema.ts
+import { z as z2 } from "zod";
+var inputSchema = z2.object({
+  source: z2.string().min(1).optional(),
+  threshold: z2.enum(["warn", "error"]).default("error")
+});
+
+// src/skills/freshness-investigation/output-schema.ts
+import { z as z3 } from "zod";
+var staleSourceSchema = z3.object({
+  source: z3.string().describe("Source identifier in 'source_name.table_name' format"),
+  last_loaded_at: z3.string().describe("ISO 8601 timestamp of the most recent loaded data"),
+  threshold_breached: z3.enum(["warn", "error"]).describe("Which threshold was crossed"),
+  summary: z3.string().describe("One-paragraph explanation of why this specific source is stale")
+});
+var downstreamImpactSchema = z3.object({
+  models: z3.array(z3.string()).describe("Fully-qualified model names that depend on stale source(s)"),
+  severity: z3.enum(["high", "medium", "low"]).describe(
+    "Estimated business impact: high = critical mart; medium = intermediate; low = limited"
+  )
+});
+var evidenceSchema = z3.object({
+  tool: z3.string().describe("Which MCP tool produced this evidence"),
+  finding: z3.string().describe("What the tool returned that's load-bearing for the conclusion")
+});
+var outputSchema = z3.object({
+  status: z3.enum(["fresh", "stale_warn", "stale_error", "no_freshness_config", "unknown"]),
+  stale_sources: z3.array(staleSourceSchema).default([]),
+  confidence: z3.enum(["high", "medium", "low"]),
+  root_cause_summary: z3.string(),
+  evidence: z3.array(evidenceSchema).default([]),
+  recommended_action: z3.string().nullable(),
+  downstream_impact: downstreamImpactSchema
+});
+
+// src/skills/freshness-investigation/prompt.ts
+function buildSystemPrompt(contexts) {
+  if (contexts.length === 0) return BASE_PROMPT;
+  return `${BASE_PROMPT}
+
+${buildFreshnessBlock(contexts)}`;
+}
+function buildFreshnessBlock(contexts) {
+  const rows = contexts.map((c) => {
+    const loaded = c.lastLoadedAt ?? "unknown";
+    const threshold = c.thresholdBreached ?? "\u2014";
+    return `| ${c.source} | ${loaded} | ${c.status} | ${threshold} |`;
+  }).join("\n");
+  return `## Known freshness state
+
+The following freshness verdicts were read from dbt's sources.json before this investigation started. Use these as your starting point \u2014 your tool calls should confirm root cause and trace downstream impact, not re-discover what is already known.
+
+| Source | Last Loaded | Status | Threshold Breached |
+|---|---|---|---|
+${rows}`;
+}
+var BASE_PROMPT = `You are Parrat's freshness investigation agent. Your job: when given a stale dbt source (or asked to check all sources), determine the root cause by examining the dbt project's source freshness configs and last-loaded timestamps, then verify the warehouse state directly. Return a structured finding.
+
+You have exactly four tools available:
+- mcp__dbt__list \u2014 enumerate sources/models in the dbt project
+- mcp__dbt__get_node_details_dev \u2014 pull a specific node's details, including freshness config and last_loaded_at
+- mcp__dbt__get_lineage_dev \u2014 trace downstream models that depend on a given source
+- mcp__dbt__show \u2014 execute a SELECT query against the connected warehouse via dbt's existing connection. Returns tabular results. Use for: row counts, last-ingested timestamps, spot-checks on raw tables.
+
+You do NOT have other tools. Do not attempt to call dbt CLI commands directly or modify state.
+
+## CRITICAL: dbt naming conventions
+
+The dbt-mcp tools use TWO different node-naming conventions for parameters that conceptually identify the same node. If you mix them up, every call fails:
+
+| Tool / Parameter | Format | Example |
+|---|---|---|
+| list.node_selection | dbt selector (COLON between type and name) | source:tpch.orders |
+| get_node_details_dev.node_id | dbt selector (COLON between type and name) | source:tpch.orders |
+| get_lineage_dev.unique_id | manifest unique_id (DOTS, includes project name) | source.parrat_dogfood.tpch.orders |
+
+Diagnostic tip: if you see "No node found for **selector**: ..." \u2192 you sent unique_id format to a tool expecting selector. Switch the type-separator from "." to ":".
+
+If you see "No node found for **unique_id**: ..." \u2192 you sent selector format to a tool expecting unique_id. Switch ":" to "." and add the project name.
+
+## Investigation strategy
+
+1. ALWAYS call list({resource_type: ["source"]}) first to enumerate sources. It returns a newline-separated list of selectors in format source:<project>.<source>.<table> (e.g., source:parrat_dogfood.tpch.orders). This both confirms the source exists AND gives you the project name needed downstream.
+2. For each source under investigation: pass the selector verbatim to get_node_details_dev({node_id: "..."}) to retrieve freshness config + last_loaded_at.
+3. To trace lineage, convert the selector to unique_id by replacing ":" with ".": e.g., source:parrat_dogfood.tpch.orders \u2192 source.parrat_dogfood.tpch.orders. Pass to get_lineage_dev({unique_id: "..."}).
+4. Compare last_loaded_at against the user's threshold ('warn' or 'error', default 'error'). For stale sources, use show to verify at the warehouse layer: query the underlying table's row count and MAX(<timestamp_column>) to confirm the warehouse state matches dbt's freshness verdict. Example: show({sql: "SELECT COUNT(*) as row_count, MAX(o_orderdate) as last_date FROM ORDERS LIMIT 1"}).
+5. If show returns an error result: record it in evidence[] as { tool: "show", finding: "warehouse query failed: <error message>" }, fall back to the dbt-only freshness verdict, and set confidence: "medium". Do not retry show. Continue with what you have.
+6. Synthesize all findings into the structured output schema.
+
+## Confidence calibration
+
+You must assign a confidence level for each investigation:
+- **high** \u2014 at least two tool results corroborate the conclusion (e.g., source freshness IS configured AND last_loaded_at IS past threshold AND lineage shows confirmed downstream models AND warehouse query confirms row delta)
+- **medium** \u2014 one tool result clearly supports the conclusion AND your reasoning fills any gaps (e.g., freshness config found, but warehouse query failed or lineage trace failed)
+- **low** \u2014 conclusion inferred from incomplete evidence (e.g., freshness config not found; you're guessing based on the source's apparent age)
+
+If confidence would be low, prefer status='unknown' and explain in root_cause_summary what evidence is missing.
+
+## Anti-hallucination rules
+
+- If a source has no freshness configuration, set status='no_freshness_config' and explain.
+- If you cannot determine freshness from the available tools, set status='unknown'. Do not fabricate timestamps or guess values.
+- evidence[] must reference real tool results \u2014 do not invent findings.
+- recommended_action may be null if no clear action is appropriate.
+
+## Tool budget
+
+You have at most 6 tool-call turns. Plan accordingly:
+- Single source: typically 2-3 turns (get_node_details_dev \u2192 get_lineage_dev \u2192 show)
+- All sources: 1 turn for list + 1 turn per source detail (batch where possible) + 1 lineage trace per stale source + 1 show per stale source
+
+If you exceed the budget without a final answer, the system will throw an error.
+
+## Output
+
+When your investigation is complete, call 'emit_findings' with your structured findings. The schema is provided in the tool definition.`;
+
+// src/skills/freshness-investigation/index.ts
+var allowedDbtTools = ["list", "get_node_details_dev", "get_lineage_dev", "show"];
+var freshnessInvestigationSkill = defineSkill({
+  name: "freshness-investigation",
+  inputSchema,
+  outputSchema,
+  kind: "investigation",
+  // Tool allowlist — declared at the Skill level. The runtime resolves the
+  // actual MCP server config (command, args, env) from the user's
+  // parrat.config.yaml at invocation time.
+  mcpServers: {
+    dbt: {
+      // The `config` field is filled in by the runtime from parrat.config.yaml
+      // when the Skill is invoked. We use a placeholder here that the runtime
+      // overrides; declaring it satisfies the SkillSpec type.
+      config: { command: "", args: [], env: {} },
+      tools: allowedDbtTools
+    }
+  },
+  async run(input, ctx) {
+    if (!ctx.config) {
+      throw new Error(
+        "freshness-investigation requires runtime-provided config. Did the runtime forget to load it?"
+      );
+    }
+    if (!ctx.llmClient) {
+      throw new Error(
+        "freshness-investigation requires an LLM client. Did the runtime forget to construct one?"
+      );
+    }
+    const userMcpServers = ctx.config.mcpServers;
+    const dbtUserConfig = userMcpServers.dbt;
+    if (!dbtUserConfig) {
+      throw new Error(
+        "freshness-investigation requires an 'dbt' MCP server in parrat.config.yaml."
+      );
+    }
+    const dbtProjectDir = ctx.config.mcpServers.dbt?.env?.DBT_PROJECT_DIR;
+    if (!dbtProjectDir) {
+      throw new Error(
+        "freshness-investigation: DBT_PROJECT_DIR must be set in mcpServers.dbt.env in parrat.config.yaml"
+      );
+    }
+    const provider = new DbtFreshnessContextProvider(dbtProjectDir);
+    const contexts = await provider.getContext(input.source ? [input.source] : void 0);
+    const prompt = buildSystemPrompt(contexts);
+    const result = await executeSkill({
+      skillName: "freshness-investigation",
+      llm: ctx.llmClient,
+      systemPrompt: prompt,
+      userMessage: JSON.stringify(input),
+      mcpServers: {
+        dbt: {
+          config: dbtUserConfig,
+          tools: allowedDbtTools
+        }
+      },
+      outputSchema,
+      model: ctx.config.claude.model,
+      maxTurns: ctx.config.claude.max_turns,
+      maxTokens: ctx.config.claude.max_tokens,
+      temperature: ctx.config.claude.temperature,
+      auditLogger: ctx.auditLogger,
+      runId: ctx.runId,
+      workflowId: ctx.workflowId,
+      tenantId: ctx.tenantId,
+      actor: ctx.actor ?? "user"
+    });
+    return result.output;
+  }
+});
+
+// src/skills/lineage-analysis/input-schema.ts
+import { z as z4 } from "zod";
+var inputSchema2 = z4.object({
+  node_id: z4.string().min(1),
+  direction: z4.enum(["upstream", "downstream", "both"]).default("both"),
+  depth: z4.number().int().min(1).max(5).default(3),
+  project_path: z4.string().optional()
+});
+
+// src/skills/lineage-analysis/output-schema.ts
+import { z as z5 } from "zod";
+var evidenceSchema2 = z5.object({
+  tool: z5.string().describe("Which MCP tool produced this evidence"),
+  finding: z5.string().describe("What the tool returned that's load-bearing for the conclusion")
+});
+var outputSchema2 = z5.object({
+  node_id: z5.string(),
+  upstream_nodes: z5.array(z5.string()),
+  downstream_nodes: z5.array(z5.string()),
+  impact_count: z5.number().int(),
+  impact_summary: z5.string(),
+  critical_path: z5.array(z5.string()).optional(),
+  truncated: z5.boolean().default(false),
+  confidence: z5.enum(["high", "medium", "low"]),
+  evidence: z5.array(evidenceSchema2).default([])
+});
+
+// src/skills/lineage-analysis/prompt.ts
+var BASE_PROMPT2 = `You are Parrat's lineage analysis agent. You are given a dbt node identifier, a direction (upstream, downstream, or both), and a depth limit. Your job: map the lineage graph for that node, summarise the impact, and identify the critical path if one exists.
+
+You have exactly three tools available:
+- mcp__dbt__list \u2014 enumerate models/sources to confirm a node exists and retrieve its selector
+- mcp__dbt__get_node_details_dev \u2014 pull a node's details to verify it exists and get its type
+- mcp__dbt__get_lineage_dev \u2014 retrieve the upstream and/or downstream lineage graph
+
+You do NOT have other tools. Do not attempt to call dbt CLI directly or modify state.
+
+## CRITICAL: dbt naming conventions
+
+The dbt-mcp tools use TWO different node-naming conventions. If you mix them up, every call fails:
+
+| Tool / Parameter | Format | Example |
+|---|---|---|
+| list.node_selection | dbt selector (COLON between type and name) | model:fct_orders |
+| get_node_details_dev.node_id | dbt selector (COLON between type and name) | model:fct_orders |
+| get_lineage_dev.unique_id | manifest unique_id (DOTS, includes project name) | model.parrat_dogfood.fct_orders |
+
+Diagnostic tip: "No node found for selector" \u2192 switch "." to ":". "No node found for unique_id" \u2192 switch ":" to "." and add the project name.
+
+## Investigation strategy
+
+1. Call list() to confirm the target node exists and retrieve its selector. This also gives you the project name needed for unique_id construction.
+2. Call get_lineage_dev({unique_id: "<node_unique_id>", depth: <depth>}) with the direction from input. Convert selector to unique_id by replacing ":" with "." and prepending the project name.
+3. From the returned graph, extract:
+   - upstream_nodes: all nodes that feed into the target (empty array if direction is 'downstream')
+   - downstream_nodes: all nodes the target feeds into (empty array if direction is 'upstream')
+   - impact_count: total count of upstream_nodes + downstream_nodes
+4. If impact_count exceeds 50, set truncated: true and limit each list to the 25 closest nodes (by graph distance). Note the truncation in impact_summary.
+5. Identify critical_path if one is apparent: the longest chain of high-fan-out models, or the chain connecting the target to a known mart or reporting layer. Omit critical_path entirely if the graph is shallow or no clear path stands out.
+6. Write impact_summary: one paragraph describing what the lineage means in plain English \u2014 which upstream sources feed this node, which downstream reports or marts depend on it, and the blast radius of a change to this node.
+
+## Confidence calibration
+
+- **high** \u2014 get_lineage_dev returned a non-empty graph and node details confirmed the node type
+- **medium** \u2014 get_lineage_dev succeeded but node details call failed, or graph was truncated
+- **low** \u2014 could not retrieve lineage; impact inferred from node name alone
+
+## Anti-hallucination rules
+
+- upstream_nodes and downstream_nodes must contain only unique_ids returned by get_lineage_dev \u2014 do not invent nodes.
+- If get_lineage_dev returns an empty graph, return empty arrays and set confidence: "medium" with a note in impact_summary explaining why the graph is empty.
+- critical_path may be omitted (undefined) if no clear path exists \u2014 do not fabricate one.
+
+## Tool budget
+
+You have at most 4 tool-call turns:
+- list (1) \u2192 get_lineage_dev (1) \u2192 optional get_node_details_dev for critical path clarification (1) \u2192 emit_findings (1)
+
+## Output
+
+When your analysis is complete, call 'emit_findings' with your structured findings. The schema is provided in the tool definition.`;
+
+// src/skills/lineage-analysis/index.ts
+var allowedDbtTools2 = ["list", "get_node_details_dev", "get_lineage_dev"];
+var lineageAnalysisSkill = defineSkill({
+  name: "lineage-analysis",
+  inputSchema: inputSchema2,
+  outputSchema: outputSchema2,
+  kind: "investigation",
+  mcpServers: {
+    dbt: {
+      config: { command: "", args: [], env: {} },
+      tools: allowedDbtTools2
+    }
+  },
+  async run(input, ctx) {
+    if (!ctx.config) throw new Error("lineage-analysis requires runtime-provided config.");
+    if (!ctx.llmClient) throw new Error("lineage-analysis requires an LLM client.");
+    const dbtUserConfig = ctx.config.mcpServers.dbt;
+    if (!dbtUserConfig) {
+      throw new Error("lineage-analysis requires a 'dbt' MCP server in parrat.config.yaml.");
+    }
+    const result = await executeSkill({
+      skillName: "lineage-analysis",
+      llm: ctx.llmClient,
+      systemPrompt: BASE_PROMPT2,
+      userMessage: JSON.stringify(input),
+      mcpServers: { dbt: { config: dbtUserConfig, tools: allowedDbtTools2 } },
+      outputSchema: outputSchema2,
+      model: ctx.config.claude.model,
+      maxTurns: ctx.config.claude.max_turns,
+      maxTokens: ctx.config.claude.max_tokens,
+      temperature: ctx.config.claude.temperature,
+      auditLogger: ctx.auditLogger,
+      runId: ctx.runId,
+      workflowId: ctx.workflowId,
+      tenantId: ctx.tenantId,
+      actor: ctx.actor ?? "user"
+    });
+    return result.output;
+  }
+});
+
+// src/skills/metric-drop-rca/input-schema.ts
+import { z as z6 } from "zod";
+var inputSchema3 = z6.object({
+  metric_name: z6.string().min(1),
+  model_id: z6.string().min(1),
+  metric_column: z6.string().min(1),
+  drop_percent: z6.number().min(0).max(100),
+  time_window_hours: z6.number().positive().default(24),
+  project_path: z6.string().optional()
+});
+
+// src/skills/metric-drop-rca/output-schema.ts
+import { z as z7 } from "zod";
+var evidenceSchema3 = z7.object({
+  tool: z7.string().describe("Which MCP tool produced this evidence"),
+  finding: z7.string().describe("What the tool returned that's load-bearing for the conclusion")
+});
+var outputSchema3 = z7.object({
+  metric_name: z7.string(),
+  drop_percent: z7.number(),
+  status: z7.enum([
+    "data_missing",
+    "volume_drop",
+    "upstream_model_issue",
+    "pipeline_failure",
+    "schema_change",
+    "unknown"
+  ]),
+  root_cause: z7.string(),
+  suspect_models: z7.array(z7.string()),
+  confidence: z7.enum(["high", "medium", "low"]),
+  recommended_action: z7.string().nullable(),
+  evidence: z7.array(evidenceSchema3).default([])
+});
+
+// src/skills/metric-drop-rca/prompt.ts
+var BASE_PROMPT3 = `You are Parrat's metric drop RCA agent. You are given a metric name, the dbt model that computes it, the affected column, and an observed drop percentage. Your job: determine the root cause of the metric drop by examining the model's SQL, its upstream dependencies, and the current warehouse data.
+
+You have exactly four tools available:
+- mcp__dbt__list \u2014 enumerate models/sources in the dbt project
+- mcp__dbt__get_node_details_dev \u2014 pull a node's details, including compiled SQL and database relation info
+- mcp__dbt__get_lineage_dev \u2014 trace upstream/downstream dependencies for a given node
+- mcp__dbt__show \u2014 execute a SELECT query against the connected warehouse via dbt's existing connection. Returns tabular results. Use for: current vs historical aggregates, upstream row counts, data volume checks.
+
+You do NOT have other tools. Do not attempt to call dbt CLI directly or modify state.
+
+## CRITICAL: dbt naming conventions
+
+The dbt-mcp tools use TWO different node-naming conventions. If you mix them up, every call fails:
+
+| Tool / Parameter | Format | Example |
+|---|---|---|
+| list.node_selection | dbt selector (COLON between type and name) | model:fct_orders |
+| get_node_details_dev.node_id | dbt selector (COLON between type and name) | model:fct_orders |
+| get_lineage_dev.unique_id | manifest unique_id (DOTS, includes project name) | model.parrat_dogfood.fct_orders |
+
+Diagnostic tip: "No node found for selector" \u2192 switch "." to ":". "No node found for unique_id" \u2192 switch ":" to "." and add the project name.
+
+## Investigation strategy
+
+1. Call list({resource_type: ["model"]}) to confirm the target model exists and retrieve its selector. This also gives you the project name needed for unique_id construction downstream.
+2. Call get_node_details_dev to retrieve the model's compiled SQL and database relation (schema + table name). Read the SQL carefully: identify which column feeds the metric, which date/timestamp column drives time partitioning.
+3. Use show to run two comparison queries against the warehouse table from step 2:
+   - Current window:  SELECT <agg>(<metric_column>) FROM <schema>.<table> WHERE <date_col> >= <now minus time_window_hours>
+   - Previous window: same query shifted back one full time_window_hours period
+   Compare values to confirm the drop magnitude matches the reported drop_percent.
+4. Call get_lineage_dev({unique_id: "<model_unique_id>", direction: "upstream"}) to find upstream models and sources. Convert selector to unique_id by replacing ":" with "." and prepending the project name.
+5. For the most likely upstream contributors, use show to check row counts and MAX(<timestamp>) for both time windows. A sudden volume drop or missing rows upstream is the most common root cause.
+6. Synthesize: identify suspect_models (dbt unique_ids), classify status, write root_cause.
+
+## Confidence calibration
+
+- **high** \u2014 warehouse queries confirmed the drop magnitude AND an upstream volume or quality change was identified
+- **medium** \u2014 warehouse query succeeded but upstream cause is unclear; or upstream identified but warehouse query failed
+- **low** \u2014 could not query warehouse; root cause inferred from model structure alone
+
+If confidence would be low, set status='unknown' and explain what evidence is missing in root_cause.
+
+## Anti-hallucination rules
+
+- Do not fabricate table names or column names. Read them from get_node_details_dev output.
+- If show returns an error: record it in evidence[] as { tool: "show", finding: "query failed: <error>" }, set confidence to at most "medium", and continue without retrying.
+- suspect_models must contain dbt unique_ids from actual tool results \u2014 do not invent them.
+- recommended_action may be null if no clear action is appropriate.
+
+## Tool budget
+
+You have at most 8 tool-call turns. Plan accordingly:
+- Typical path: list (1) \u2192 get_node_details_dev (1) \u2192 show \xD7 2 (2) \u2192 get_lineage_dev (1) \u2192 show upstream \xD7 1\u20132 (1\u20132) \u2192 emit_findings (1)
+
+## Output
+
+When your investigation is complete, call 'emit_findings' with your structured findings. The schema is provided in the tool definition.`;
+
+// src/skills/metric-drop-rca/index.ts
+var allowedDbtTools3 = ["list", "get_node_details_dev", "get_lineage_dev", "show"];
+var metricDropRcaSkill = defineSkill({
+  name: "metric-drop-rca",
+  inputSchema: inputSchema3,
+  outputSchema: outputSchema3,
+  kind: "investigation",
+  mcpServers: {
+    dbt: {
+      config: { command: "", args: [], env: {} },
+      tools: allowedDbtTools3
+    }
+  },
+  async run(input, ctx) {
+    if (!ctx.config) throw new Error("metric-drop-rca requires runtime-provided config.");
+    if (!ctx.llmClient) throw new Error("metric-drop-rca requires an LLM client.");
+    const dbtUserConfig = ctx.config.mcpServers.dbt;
+    if (!dbtUserConfig) {
+      throw new Error("metric-drop-rca requires a 'dbt' MCP server in parrat.config.yaml.");
+    }
+    const result = await executeSkill({
+      skillName: "metric-drop-rca",
+      llm: ctx.llmClient,
+      systemPrompt: BASE_PROMPT3,
+      userMessage: JSON.stringify(input),
+      mcpServers: { dbt: { config: dbtUserConfig, tools: allowedDbtTools3 } },
+      outputSchema: outputSchema3,
+      model: ctx.config.claude.model,
+      maxTurns: ctx.config.claude.max_turns,
+      maxTokens: ctx.config.claude.max_tokens,
+      temperature: ctx.config.claude.temperature,
+      auditLogger: ctx.auditLogger,
+      runId: ctx.runId,
+      workflowId: ctx.workflowId,
+      tenantId: ctx.tenantId,
+      actor: ctx.actor ?? "user"
+    });
+    return result.output;
+  }
+});
+
+// src/skills/index.ts
+var skills = [
+  freshnessInvestigationSkill,
+  metricDropRcaSkill,
+  lineageAnalysisSkill
+];
+
+// src/cli/run.ts
+async function runSkill(options) {
+  let input;
+  try {
+    input = JSON.parse(options.inputJson);
+  } catch (e) {
+    return {
+      exitCode: 2,
+      error: `Invalid JSON input: ${e instanceof Error ? e.message : String(e)}`
+    };
+  }
+  const registry = createRegistry(skills);
+  const auditLogger = createAuditLogger({ filePath: resolve4(options.auditPath) });
+  const runtime = createRuntime({ registry, auditLogger });
+  try {
+    const output = await runtime.invoke({
+      skill: options.skillName,
+      input,
+      actor: "user",
+      ...options.correlationId ? { correlationId: options.correlationId } : {}
+    });
+    return { exitCode: 0, output };
+  } catch (e) {
+    const errorName = e instanceof Error ? e.name : "UnknownError";
+    const message = e instanceof Error ? `${e.name}: ${e.message}` : String(e);
+    if (errorName === "MissingClaudeKeyError" || errorName === "ConfigValidationError" || errorName === "ConfigNotFoundError") {
+      return { exitCode: 4, error: message };
+    }
+    return { exitCode: 1, error: message };
+  }
+}
+var runCommand = new Command5("run").description("Run a Skill with the given input").argument("<skill>", "Name of the Skill to run (e.g. hello-world)").argument("[input]", "JSON input string for the Skill", "{}").option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").option(
+  "--input-file <path>",
+  "Read Skill input from JSON file (alternative to positional argument)"
+).option("--resume <workflow_id>", "Resume a paused workflow (Phase 1+ feature; v1 stub)").action(
+  async (skillName, positionalInputJson, opts) => {
+    if (opts.resume) {
+      console.error(
+        "parrat run --resume is reserved for Phase 1+ composite Skills. v1 has no resumable workflows."
+      );
+      process.exit(3);
+    }
+    let inputJson = positionalInputJson;
+    if (opts.inputFile) {
+      if (positionalInputJson !== "{}") {
+        console.error("Cannot pass both a positional JSON argument and --input-file. Pick one.");
+        process.exit(2);
+      }
+      try {
+        inputJson = readFileSync6(opts.inputFile, "utf8");
+      } catch (e) {
+        console.error(
+          `Failed to read --input-file '${opts.inputFile}': ${e instanceof Error ? e.message : String(e)}`
+        );
+        process.exit(2);
+      }
+    }
+    const correlationId = process.env.correlation_id ?? process.env.CORRELATION_ID;
+    const config = await loadConfig().catch(() => null);
+    if (config) {
+      sweepAuditLog(opts.auditPath, config.audit.retention_days).catch(() => {
+      });
+    }
+    if (correlationId && config) {
+      const isDup = await isDuplicateRun(
+        opts.auditPath,
+        correlationId,
+        config.audit.idempotency_window_hours
+      );
+      if (isDup) {
+        console.log(`Skipped: duplicate correlation_id ${correlationId}`);
+        process.exit(0);
+      }
+    }
+    const result = await runSkill({
+      skillName,
+      inputJson,
+      auditPath: opts.auditPath,
+      ...correlationId ? { correlationId } : {}
+    });
+    if (result.error) {
+      console.error(result.error);
+    }
+    if (result.output !== void 0) {
+      console.log(JSON.stringify(result.output, null, 2));
+    }
+    if (result.exitCode !== 0) {
+      process.exit(result.exitCode);
+    }
+  }
+);
+
+// src/cli/skills.ts
+import { Command as Command6 } from "commander";
+function listSkillNames() {
+  return createRegistry(skills).list();
+}
+var listCommand = new Command6("list").description("List all installed Skills").action(() => {
+  const names = listSkillNames();
+  if (names.length === 0) {
+    console.log("No Skills installed.");
+    return;
+  }
+  for (const name of names) {
+    console.log(name);
+  }
+});
+var skillsCommand = new Command6("skills").description("Manage Parrat Skills").addCommand(listCommand);
+
+// src/cli/watch.ts
+import { resolve as resolve5 } from "path";
+import { Command as Command7 } from "commander";
+
+// src/core/notify/slack.ts
+var SlackNotifier = class {
+  constructor(webhookUrl) {
+    this.webhookUrl = webhookUrl;
+  }
+  webhookUrl;
+  async send(message) {
+    let response;
+    try {
+      response = await fetch(this.webhookUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(message)
+      });
+    } catch (e) {
+      throw new Error(`Slack webhook POST failed: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new Error(`Slack webhook returned ${response.status}: ${body}`);
+    }
+  }
+};
+
+// src/cli/watch.ts
+function formatSlackMessage(skillName, output, error) {
+  if (error) {
+    return `[parrat] ${skillName} | FAILED
+${error}`;
+  }
+  const json = JSON.stringify(output, null, 2);
+  const body = json.length > 2e3 ? `${json.slice(0, 2e3)}
+...(truncated)` : json;
+  return `[parrat] ${skillName} | OK
+${body}`;
+}
+async function watchSkill(options) {
+  const { config, auditPath } = options;
+  if (!config.watch) {
+    return {
+      exitCode: 1,
+      error: "No 'watch' section in config. Add watch.skill and watch.input to .parrat/config.yaml."
+    };
+  }
+  const { skill, input } = config.watch;
+  const runResult = await runSkill({
+    skillName: skill,
+    inputJson: JSON.stringify(input),
+    auditPath: resolve5(auditPath)
+  });
+  const slackWebhookUrl = config.notify?.slack?.webhook_url;
+  if (slackWebhookUrl) {
+    const message = formatSlackMessage(skill, runResult.output, runResult.error);
+    const notifier = new SlackNotifier(slackWebhookUrl);
+    try {
+      await notifier.send({ text: message });
+    } catch (e) {
+      const notifyError = e instanceof Error ? e.message : String(e);
+      return {
+        exitCode: 1,
+        error: `Skill ${runResult.exitCode === 0 ? "succeeded" : "failed"} but Slack notification failed: ${notifyError}`
+      };
+    }
+  }
+  return {
+    exitCode: runResult.exitCode,
+    ...runResult.error ? { error: runResult.error } : {}
+  };
+}
+var watchCommand = new Command7("watch").description("Run the configured watch skill once (schedule via cron / Task Scheduler)").option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").action(async (opts) => {
+  let config;
+  try {
+    config = await loadConfig();
+  } catch (e) {
+    console.error(e instanceof Error ? e.message : String(e));
+    process.exit(4);
+  }
+  sweepAuditLog(opts.auditPath, config.audit.retention_days).catch(() => {
+  });
+  const correlationId = process.env.correlation_id ?? process.env.CORRELATION_ID;
+  if (correlationId) {
+    const isDup = await isDuplicateRun(
+      opts.auditPath,
+      correlationId,
+      config.audit.idempotency_window_hours
+    );
+    if (isDup) {
+      console.log(`Skipped: duplicate correlation_id ${correlationId}`);
+      process.exit(0);
+    }
+  }
+  const result = await watchSkill({ config, auditPath: opts.auditPath });
+  if (result.error) {
+    console.error(result.error);
+  }
+  if (result.exitCode !== 0) {
+    process.exit(result.exitCode);
+  }
+});
+
+// src/cli/webhook.ts
+import { createServer } from "http";
+import { Command as Command8 } from "commander";
+function mapMonteCarloPayload(body) {
+  if (typeof body !== "object" || body === null) return null;
+  const b = body;
+  if (b.alert_type !== "freshness") return null;
+  const sourceRaw = b.table ?? b.source_name;
+  const input = {
+    threshold: "error",
+    ...typeof sourceRaw === "string" && sourceRaw.length > 0 ? { source: sourceRaw } : {}
+  };
+  return { skill: "freshness-investigation", input };
+}
+function readBody(req) {
+  return new Promise((resolve6, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve6(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
+function send(res, status, body) {
+  const json = JSON.stringify(body);
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(json);
+}
+function startWebhook(options) {
+  const { config, auditPath, port, secret } = options;
+  const server = createServer(async (req, res) => {
+    if (req.method !== "POST" || req.url !== "/trigger") {
+      send(res, 404, { error: "Not found. Only POST /trigger is supported." });
+      return;
+    }
+    if (secret) {
+      const header = req.headers["x-parrat-secret"];
+      if (header !== secret) {
+        send(res, 401, { error: "Unauthorized. X-Parrat-Secret header missing or incorrect." });
+        return;
+      }
+    }
+    let body;
+    try {
+      const raw = await readBody(req);
+      body = JSON.parse(raw);
+    } catch {
+      send(res, 400, { error: "Invalid JSON body." });
+      return;
+    }
+    const mapped = mapMonteCarloPayload(body);
+    if (!mapped) {
+      send(res, 400, {
+        error: "Unrecognised payload format. Expected a Monte Carlo freshness alert."
+      });
+      return;
+    }
+    const notifyConfig = config.notify;
+    const slackWebhookUrl = notifyConfig?.slack?.webhook_url;
+    const result = await runSkill({
+      skillName: mapped.skill,
+      inputJson: JSON.stringify(mapped.input),
+      auditPath,
+      ...slackWebhookUrl ? {} : {}
+    });
+    if (result.exitCode === 0) {
+      send(res, 200, { ok: true, output: result.output });
+    } else {
+      send(res, 500, { error: result.error ?? "Skill execution failed." });
+    }
+  });
+  return new Promise((resolve6) => {
+    server.listen(port, () => {
+      const addr = server.address();
+      console.log(`parrat webhook listening on port ${addr.port}`);
+      resolve6({
+        port: addr.port,
+        close() {
+          server.close();
+        }
+      });
+    });
+  });
+}
+var webhookCommand = new Command8("webhook").description("Start an HTTP listener that accepts external alert triggers (e.g. Monte Carlo)").option("--port <number>", "Port to listen on (overrides config)", (v) => Number.parseInt(v, 10)).option("--audit-path <path>", "Path to audit log file", ".parrat/audit.jsonl").action(async (opts) => {
+  const config = await loadConfig();
+  const port = opts.port ?? config.webhook?.port ?? 8080;
+  const secret = config.webhook?.secret;
+  const webhook = await startWebhook({
+    config,
+    auditPath: opts.auditPath,
+    port,
+    ...secret ? { secret } : {}
+  });
+  process.on("SIGINT", () => {
+    webhook.close();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    webhook.close();
+    process.exit(0);
+  });
+});
+
+// src/index.ts
+var program = new Command9().name("parrat").description("Claude-native cross-stack agent for data ops").version("0.1.0-beta.5");
+program.addCommand(doctorCommand);
+program.addCommand(initCommand);
+program.addCommand(runCommand);
+program.addCommand(skillsCommand);
+program.addCommand(replayCommand);
+program.addCommand(watchCommand);
+program.addCommand(auditCommand);
+program.addCommand(webhookCommand);
+await program.parseAsync(process.argv);
+//# sourceMappingURL=index.js.map