patchwork-os 0.2.0-beta.4 → 0.2.0-beta.5.canary.1

package/dist/analyticsConfig.d.ts

@@ -0,0 +1,29 @@
+/**
+ * On-disk config for the opt-in telemetry collector (endpoint + shared secret).
+ *
+ * Lives at ~/.claude/ide/analytics-config.json (respects CLAUDE_CONFIG_DIR).
+ * Mode 0600. Atomic writes via temp + rename.
+ *
+ * Resolution order in analyticsSend.ts:
+ *   1. process.env.PATCHWORK_ANALYTICS_ENDPOINT / _KEY  (highest)
+ *   2. this file
+ *   3. upstream default (no key)
+ *
+ * Reason for the file: keeps the shared secret out of launchd plists
+ * (which are Time-Machine backed, iCloud synced, and survive reinstalls
+ * in an inconsistent way) and gives operators a single source of truth
+ * managed by the `patchwork analytics configure` CLI.
+ */
+export interface AnalyticsConfig {
+    endpoint?: string;
+    key?: string;
+}
+export declare function configPath(): string;
+/** Read the config file. Returns empty object on missing/invalid file. */
+export declare function getAnalyticsConfig(): AnalyticsConfig;
+/**
+ * Atomic write with mode 0600. Merges with existing config — pass
+ * `{ endpoint: undefined }` to clear a field explicitly.
+ */
+export declare function setAnalyticsConfig(update: AnalyticsConfig): void;
+export declare function clearAnalyticsConfig(): void;

package/dist/analyticsConfig.js

@@ -0,0 +1,89 @@
+/**
+ * On-disk config for the opt-in telemetry collector (endpoint + shared secret).
+ *
+ * Lives at ~/.claude/ide/analytics-config.json (respects CLAUDE_CONFIG_DIR).
+ * Mode 0600. Atomic writes via temp + rename.
+ *
+ * Resolution order in analyticsSend.ts:
+ *   1. process.env.PATCHWORK_ANALYTICS_ENDPOINT / _KEY  (highest)
+ *   2. this file
+ *   3. upstream default (no key)
+ *
+ * Reason for the file: keeps the shared secret out of launchd plists
+ * (which are Time-Machine backed, iCloud synced, and survive reinstalls
+ * in an inconsistent way) and gives operators a single source of truth
+ * managed by the `patchwork analytics configure` CLI.
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+export function configPath() {
+    const claudeDir = process.env.CLAUDE_CONFIG_DIR ?? path.join(os.homedir(), ".claude");
+    return path.join(claudeDir, "ide", "analytics-config.json");
+}
+function isValidEndpoint(value) {
+    if (typeof value !== "string" || value.length === 0)
+        return false;
+    try {
+        const u = new URL(value);
+        return u.protocol === "http:" || u.protocol === "https:";
+    }
+    catch {
+        return false;
+    }
+}
+/** Read the config file. Returns empty object on missing/invalid file. */
+export function getAnalyticsConfig() {
+    try {
+        const raw = fs.readFileSync(configPath(), "utf-8");
+        const obj = JSON.parse(raw);
+        if (typeof obj !== "object" || obj === null)
+            return {};
+        const rec = obj;
+        const out = {};
+        if (isValidEndpoint(rec.endpoint))
+            out.endpoint = rec.endpoint;
+        if (typeof rec.key === "string" && rec.key.length > 0)
+            out.key = rec.key;
+        return out;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Atomic write with mode 0600. Merges with existing config — pass
+ * `{ endpoint: undefined }` to clear a field explicitly.
+ */
+export function setAnalyticsConfig(update) {
+    const current = getAnalyticsConfig();
+    const next = { ...current };
+    if ("endpoint" in update) {
+        if (update.endpoint === undefined)
+            delete next.endpoint;
+        else if (isValidEndpoint(update.endpoint))
+            next.endpoint = update.endpoint;
+        else
+            throw new Error(`invalid endpoint (must be http(s) URL): ${update.endpoint}`);
+    }
+    if ("key" in update) {
+        if (update.key === undefined)
+            delete next.key;
+        else
+            next.key = update.key;
+    }
+    const p = configPath();
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    const tmp = `${p}.tmp.${process.pid}`;
+    fs.writeFileSync(tmp, JSON.stringify(next, null, 2) + "\n", { mode: 0o600 });
+    fs.renameSync(tmp, p);
+}
+export function clearAnalyticsConfig() {
+    try {
+        fs.unlinkSync(configPath());
+    }
+    catch {
+        /* file may not exist */
+    }
+}
+//# sourceMappingURL=analyticsConfig.js.map

package/dist/analyticsConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyticsConfig.js","sourceRoot":"","sources":["../src/analyticsConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,MAAM,UAAU,UAAU;IACxB,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,uBAAuB,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,CAAC,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,kBAAkB;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QACvC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,GAA8B,CAAC;QAC3C,MAAM,GAAG,GAAoB,EAAE,CAAC;QAChC,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC/D,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACzE,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAuB;IACxD,MAAM,OAAO,GAAG,kBAAkB,EAAE,CAAC;IACrC,MAAM,IAAI,GAAoB,EAAE,GAAG,OAAO,EAAE,CAAC;IAC7C,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;aACnD,IAAI,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC;YAAE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;;YAEzE,MAAM,IAAI,KAAK,CACb,2CAA2C,MAAM,CAAC,QAAQ,EAAE,CAC7D,CAAC;IACN,CAAC;IACD,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACpB,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,GAAG,CAAC;;YACzC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;IAC7B,CAAC;IACD,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;IACvB,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,wBAAwB;IAC1B,CAAC;AACH,CAAC"}

package/dist/analyticsSend.d.ts

@@ -2,9 +2,25 @@
  * Sends an anonymized analytics summary to the usage endpoint.
  * - Fire-and-forget is NOT used: callers must await this with a timeout race.
  * - All errors are caught and swallowed — telemetry must never affect bridge operation.
- * - Endpoint is hardcoded (not runtime-configurable) to prevent redirect attacks.
+ * - Endpoint defaults to the upstream collector. Operators may override via:
+ *     1. env: PATCHWORK_ANALYTICS_ENDPOINT  (highest precedence; for CI/headless)
+ *     2. config file: ~/.claude/ide/analytics-config.json  (preferred — managed by
+ *        `patchwork analytics configure`, keeps secrets out of launchd plists)
+ *     3. default upstream collector
+ *   Endpoint is resolved per-call (cheap fs read) so live config changes take
+ *   effect on the next send without restart. Invalid values fall back through.
+ *   Never read from the network or summary payload — preserves the
+ *   redirect-attack property the original hardcoded constant was protecting.
  */
 import type { AnalyticsSummary } from "./analyticsAggregator.js";
+export declare function resolveAnalyticsTarget(): {
+    endpoint: string;
+    key: string | undefined;
+    source: {
+        endpoint: "env" | "config" | "default";
+        key: "env" | "config" | "none";
+    };
+};
 /**
  * Sends the summary to the analytics endpoint.
  * Resolves (never rejects) — all errors are swallowed silently.

package/dist/analyticsSend.js

@@ -2,11 +2,63 @@
  * Sends an anonymized analytics summary to the usage endpoint.
  * - Fire-and-forget is NOT used: callers must await this with a timeout race.
  * - All errors are caught and swallowed — telemetry must never affect bridge operation.
- * - Endpoint is hardcoded (not runtime-configurable) to prevent redirect attacks.
+ * - Endpoint defaults to the upstream collector. Operators may override via:
+ *     1. env: PATCHWORK_ANALYTICS_ENDPOINT  (highest precedence; for CI/headless)
+ *     2. config file: ~/.claude/ide/analytics-config.json  (preferred — managed by
+ *        `patchwork analytics configure`, keeps secrets out of launchd plists)
+ *     3. default upstream collector
+ *   Endpoint is resolved per-call (cheap fs read) so live config changes take
+ *   effect on the next send without restart. Invalid values fall back through.
+ *   Never read from the network or summary payload — preserves the
+ *   redirect-attack property the original hardcoded constant was protecting.
  */
+import { getAnalyticsConfig } from "./analyticsConfig.js";
 import { recordAnalyticsSent } from "./analyticsPrefs.js";
-/** Hardcoded endpoint — not configurable at runtime. */
-const ANALYTICS_ENDPOINT = "https://analytics.claude-ide-bridge.dev/v1/usage";
+const DEFAULT_ENDPOINT = "https://analytics.claude-ide-bridge.dev/v1/usage";
+function validUrl(value) {
+    if (!value)
+        return undefined;
+    try {
+        const u = new URL(value);
+        if (u.protocol !== "https:" && u.protocol !== "http:")
+            return undefined;
+        return u.toString();
+    }
+    catch {
+        return undefined;
+    }
+}
+export function resolveAnalyticsTarget() {
+    const envEndpoint = validUrl(process.env.PATCHWORK_ANALYTICS_ENDPOINT);
+    const envKey = process.env.PATCHWORK_ANALYTICS_KEY;
+    const cfg = getAnalyticsConfig();
+    const cfgEndpoint = validUrl(cfg.endpoint);
+    let endpoint = DEFAULT_ENDPOINT;
+    let endpointSource = "default";
+    if (envEndpoint) {
+        endpoint = envEndpoint;
+        endpointSource = "env";
+    }
+    else if (cfgEndpoint) {
+        endpoint = cfgEndpoint;
+        endpointSource = "config";
+    }
+    let key;
+    let keySource = "none";
+    if (envKey) {
+        key = envKey;
+        keySource = "env";
+    }
+    else if (cfg.key) {
+        key = cfg.key;
+        keySource = "config";
+    }
+    return {
+        endpoint,
+        key,
+        source: { endpoint: endpointSource, key: keySource },
+    };
+}
 const SEND_TIMEOUT_MS = 3000;
 /**
  * Sends the summary to the analytics endpoint.
@@ -14,12 +66,18 @@ const SEND_TIMEOUT_MS = 3000;
  */
 export async function sendAnalytics(summary) {
     try {
+        const { endpoint, key } = resolveAnalyticsTarget();
         const controller = new AbortController();
         const timer = setTimeout(() => controller.abort(), SEND_TIMEOUT_MS);
         try {
-            const res = await fetch(ANALYTICS_ENDPOINT, {
+            const headers = {
+                "Content-Type": "application/json",
+            };
+            if (key)
+                headers["X-Analytics-Key"] = key;
+            const res = await fetch(endpoint, {
                 method: "POST",
-                headers: { "Content-Type": "application/json" },
+                headers,
                 body: JSON.stringify(summary),
                 signal: controller.signal,
             });

package/dist/analyticsSend.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyticsSend.js","sourceRoot":"","sources":["../src/analyticsSend.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,wDAAwD;AACxD,MAAM,kBAAkB,GAAG,kDAAkD,CAAC;AAE9E,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAyB;IAC3D,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;QACpE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,kBAAkB,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,mBAAmB,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC"}
+{"version":3,"file":"analyticsSend.js","sourceRoot":"","sources":["../src/analyticsSend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,MAAM,gBAAgB,GAAG,kDAAkD,CAAC;AAE5E,SAAS,QAAQ,CAAC,KAAyB;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO;YAAE,OAAO,SAAS,CAAC;QACxE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB;IAQpC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IACnD,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE3C,IAAI,QAAQ,GAAG,gBAAgB,CAAC;IAChC,IAAI,cAAc,GAAiC,SAAS,CAAC;IAC7D,IAAI,WAAW,EAAE,CAAC;QAChB,QAAQ,GAAG,WAAW,CAAC;QACvB,cAAc,GAAG,KAAK,CAAC;IACzB,CAAC;SAAM,IAAI,WAAW,EAAE,CAAC;QACvB,QAAQ,GAAG,WAAW,CAAC;QACvB,cAAc,GAAG,QAAQ,CAAC;IAC5B,CAAC;IAED,IAAI,GAAuB,CAAC;IAC5B,IAAI,SAAS,GAA8B,MAAM,CAAC;IAClD,IAAI,MAAM,EAAE,CAAC;QACX,GAAG,GAAG,MAAM,CAAC;QACb,SAAS,GAAG,KAAK,CAAC;IACpB,CAAC;SAAM,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACnB,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACd,SAAS,GAAG,QAAQ,CAAC;IACvB,CAAC;IAED,OAAO;QACL,QAAQ;QACR,GAAG;QACH,MAAM,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,EAAE,SAAS,EAAE;KACrD,CAAC;AACJ,CAAC;AAED,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAyB;IAC3D,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,EAAE,CAAC;QACnD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;QACpE,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,cAAc,EAAE,kBAAkB;aACnC,CAAC;YACF,IAAI,GAAG;gBAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,GAAG,CAAC;YAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,mBAAmB,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC"}

package/dist/commands/analytics.d.ts

@@ -0,0 +1,8 @@
+/**
+ * `patchwork analytics` CLI — manage the self-hosted telemetry collector config.
+ *
+ * Replaces the brittle pattern of putting endpoint + secret in a launchd plist.
+ * Config lives at ~/.claude/ide/analytics-config.json (mode 0600), read on every
+ * send. Env vars still win for headless / CI use.
+ */
+export declare function runAnalyticsCommand(argv: string[]): Promise<number>;

package/dist/commands/analytics.js

@@ -0,0 +1,134 @@
+/**
+ * `patchwork analytics` CLI — manage the self-hosted telemetry collector config.
+ *
+ * Replaces the brittle pattern of putting endpoint + secret in a launchd plist.
+ * Config lives at ~/.claude/ide/analytics-config.json (mode 0600), read on every
+ * send. Env vars still win for headless / CI use.
+ */
+import { clearAnalyticsConfig, configPath, getAnalyticsConfig, setAnalyticsConfig, } from "../analyticsConfig.js";
+import { resolveAnalyticsTarget, sendAnalytics } from "../analyticsSend.js";
+const USAGE = "Usage: patchwork analytics <subcommand>\n\n" +
+    "  show                                  Print active endpoint, key (masked), and source\n" +
+    "  configure --endpoint URL [--key KEY]  Write endpoint and/or key to the config file\n" +
+    "  clear                                 Remove the config file\n" +
+    "  test                                  Send a tiny synthetic payload and report HTTP status\n" +
+    "\n" +
+    "Resolution order: env (PATCHWORK_ANALYTICS_ENDPOINT/_KEY) > config file > upstream default.\n";
+function maskKey(key) {
+    if (!key)
+        return "<unset>";
+    if (key.length <= 8)
+        return "***";
+    return `${key.slice(0, 4)}…${key.slice(-4)} (len=${key.length})`;
+}
+function parseFlags(args) {
+    const out = {};
+    for (let i = 0; i < args.length; i++) {
+        const a = args[i];
+        if (!a || !a.startsWith("--"))
+            continue;
+        const name = a.slice(2);
+        const next = args[i + 1];
+        if (next && !next.startsWith("--")) {
+            out[name] = next;
+            i++;
+        }
+        else {
+            out[name] = true;
+        }
+    }
+    return out;
+}
+export async function runAnalyticsCommand(argv) {
+    const sub = argv[0];
+    if (!sub || sub === "--help" || sub === "-h") {
+        process.stdout.write(USAGE);
+        return sub ? 0 : 1;
+    }
+    if (sub === "show") {
+        const target = resolveAnalyticsTarget();
+        const cfg = getAnalyticsConfig();
+        process.stdout.write(`Active endpoint:  ${target.endpoint}  (source: ${target.source.endpoint})\n` +
+            `Active key:       ${maskKey(target.key)}  (source: ${target.source.key})\n` +
+            `Config file:      ${configPath()}\n` +
+            `  endpoint:       ${cfg.endpoint ?? "<unset>"}\n` +
+            `  key:            ${maskKey(cfg.key)}\n` +
+            `Env:\n` +
+            `  PATCHWORK_ANALYTICS_ENDPOINT: ${process.env.PATCHWORK_ANALYTICS_ENDPOINT ?? "<unset>"}\n` +
+            `  PATCHWORK_ANALYTICS_KEY:      ${maskKey(process.env.PATCHWORK_ANALYTICS_KEY)}\n`);
+        return 0;
+    }
+    if (sub === "configure") {
+        const flags = parseFlags(argv.slice(1));
+        const update = {};
+        if (typeof flags.endpoint === "string")
+            update.endpoint = flags.endpoint;
+        if (typeof flags.key === "string")
+            update.key = flags.key;
+        if (Object.keys(update).length === 0) {
+            process.stderr.write("configure requires at least --endpoint URL or --key KEY\n");
+            return 1;
+        }
+        try {
+            setAnalyticsConfig(update);
+        }
+        catch (err) {
+            process.stderr.write(`configure failed: ${err instanceof Error ? err.message : String(err)}\n`);
+            return 1;
+        }
+        process.stdout.write(`wrote ${configPath()}\n`);
+        return 0;
+    }
+    if (sub === "clear") {
+        clearAnalyticsConfig();
+        process.stdout.write(`removed ${configPath()}\n`);
+        return 0;
+    }
+    if (sub === "test") {
+        const target = resolveAnalyticsTarget();
+        process.stdout.write(`sending synthetic summary to ${target.endpoint} (key source: ${target.source.key})…\n`);
+        // Build minimal real-shaped summary
+        const summary = {
+            bridgeVersion: "cli-test",
+            sessionDurationMs: 1,
+            toolStats: [
+                { tool: "getDiagnostics", calls: 1, errors: 0, p50Ms: 1, p95Ms: 1 },
+            ],
+        };
+        // sendAnalytics swallows errors, so we shadow it with a direct fetch
+        // to surface the actual HTTP status to the operator.
+        try {
+            const controller = new AbortController();
+            const timer = setTimeout(() => controller.abort(), 5000);
+            const headers = {
+                "Content-Type": "application/json",
+            };
+            if (target.key)
+                headers["X-Analytics-Key"] = target.key;
+            const res = await fetch(target.endpoint, {
+                method: "POST",
+                headers,
+                body: JSON.stringify(summary),
+                signal: controller.signal,
+            });
+            clearTimeout(timer);
+            process.stdout.write(`HTTP ${res.status}\n`);
+            if (!res.ok) {
+                const body = await res.text().catch(() => "");
+                if (body)
+                    process.stdout.write(`body: ${body.slice(0, 500)}\n`);
+                return 1;
+            }
+            // Also exercise the real send path so prefs.lastSentAt updates.
+            await sendAnalytics(summary);
+            return 0;
+        }
+        catch (err) {
+            process.stderr.write(`test failed: ${err instanceof Error ? err.message : String(err)}\n`);
+            return 1;
+        }
+    }
+    process.stderr.write(`unknown subcommand: ${sub}\n\n${USAGE}`);
+    return 1;
+}
+//# sourceMappingURL=analytics.js.map

package/dist/commands/analytics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analytics.js","sourceRoot":"","sources":["../../src/commands/analytics.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,sBAAsB,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAE5E,MAAM,KAAK,GACT,6CAA6C;IAC7C,2FAA2F;IAC3F,wFAAwF;IACxF,kEAAkE;IAClE,gGAAgG;IAChG,IAAI;IACJ,+FAA+F,CAAC;AAElG,SAAS,OAAO,CAAC,GAAuB;IACtC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAClC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,MAAM,GAAG,CAAC;AACnE,CAAC;AAED,SAAS,UAAU,CAAC,IAAc;IAChC,MAAM,GAAG,GAAkC,EAAE,CAAC;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QACxC,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YACjB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAc;IACtD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC;IAED,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,sBAAsB,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;QACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,qBAAqB,MAAM,CAAC,QAAQ,cAAc,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK;YAC3E,qBAAqB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK;YAC5E,qBAAqB,UAAU,EAAE,IAAI;YACrC,qBAAqB,GAAG,CAAC,QAAQ,IAAI,SAAS,IAAI;YAClD,qBAAqB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI;YACzC,QAAQ;YACR,mCAAmC,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,SAAS,IAAI;YAC5F,mCAAmC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,CACtF,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,MAAM,GAAwC,EAAE,CAAC;QACvD,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ;YAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;QACzE,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;YAAE,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;QAC1D,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2DAA2D,CAC5D,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QACD,IAAI,CAAC;YACH,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC1E,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,UAAU,EAAE,IAAI,CAAC,CAAC;QAChD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,oBAAoB,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,UAAU,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,sBAAsB,EAAE,CAAC;QACxC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,gCAAgC,MAAM,CAAC,QAAQ,iBAAiB,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CACxF,CAAC;QACF,oCAAoC;QACpC,MAAM,OAAO,GAAG;YACd,aAAa,EAAE,UAAU;YACzB,iBAAiB,EAAE,CAAC;YACpB,SAAS,EAAE;gBACT,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE;aACpE;SACF,CAAC;QACF,qEAAqE;QACrE,qDAAqD;QACrD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;YACzD,MAAM,OAAO,GAA2B;gBACtC,cAAc,EAAE,kBAAkB;aACnC,CAAC;YACF,IAAI,MAAM,CAAC,GAAG;gBAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC;YACxD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;gBACvC,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YACH,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC9C,IAAI,IAAI;oBAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;gBAChE,OAAO,CAAC,CAAC;YACX,CAAC;YACD,gEAAgE;YAChE,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,CAAC,CAAC;QACX,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,gBAAgB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CACrE,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,OAAO,KAAK,EAAE,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/index.js

@@ -134,6 +134,7 @@ const KNOWN_SUBCOMMANDS = [
     "panic",
     "halts",
     "judgments",
+    "analytics",
 ];
 const __invokedSubcommand = (() => {
     const sub = process.argv[2];
@@ -193,8 +194,12 @@ if (process.argv[2] === "--help" ||
         `  recipe --help                             Full recipe subcommand index\n\n` +
         `Diagnose\n` +
         `  halts [--window 1h|24h|overnight|7d]      Morning summary of recent recipe halts\n` +
+        `  judgments [--window ...] [--recipe N]     Recent judge-step verdicts across runs\n` +
         `  traces export                             Bundle approval / recipe / decision traces\n` +
         `  print-token [--port N]                    Print the active bridge auth token\n\n` +
+        `Safety\n` +
+        `  kill-switch <engage|release|status>       Block / resume write-tier tools across bridges\n` +
+        `  panic [--reason "..."]                    Shorthand for kill-switch engage\n\n` +
         `Daemon (no subcommand)\n` +
         `  --workspace <dir>                         Start the bridge in foreground\n` +
         `  --watch                                   Auto-restart supervisor\n` +
@@ -1763,11 +1768,22 @@ if (process.argv[2] === "kill-switch") {
 // form is `kill-switch engage`; this alias matches it so shell history six
 // months later still makes sense. Does not accept sub-verbs — just runs engage.
 if (process.argv[2] === "panic") {
+    const extra = process.argv.slice(3); // e.g. --reason "..." --force-local
+    // Guard against `panic --help` engaging the kill switch — a real
+    // footgun if you tab-completed the verb to confirm syntax before
+    // committing to the action. `panic` is an alias, so we honor --help
+    // here ourselves rather than forwarding to kill-switch engage.
+    if (extra.includes("--help") || extra.includes("-h")) {
+        console.log('Usage: patchwork panic [--reason "..."] [--force-local]\n\n' +
+            "  Alias for `patchwork kill-switch engage` — blocks all write-tier\n" +
+            "  tool calls across every running bridge. Use --reason to leave a\n" +
+            "  note in the audit trail. Release with `patchwork kill-switch release`.\n");
+        process.exit(0);
+    }
     // Spawn self with kill-switch engage to reuse the full handler without
     // duplicating 200+ LOC. Passes through any flags (--reason, --force-local).
     import("node:child_process").then(({ spawnSync }) => {
         const self = process.argv[1] ?? process.execPath;
-        const extra = process.argv.slice(3); // e.g. --reason "..." --force-local
         const result = spawnSync(process.execPath, [self, "kill-switch", "engage", ...extra], { stdio: "inherit" });
         process.exit(result.status ?? 1);
     });
@@ -1834,14 +1850,6 @@ if (process.argv[2] === "halts") {
                 process.stderr.write("No running bridge found. Start one with `patchwork start` (or `--driver subprocess`).\n");
                 process.exit(2);
             }
-            // Single-bridge default: query the first. Multi-bridge users will
-            // typically have one orchestrator anyway; expanding to fan-out is a
-            // follow-up if needed.
-            const lock = liveLocks[0];
-            if (!lock) {
-                process.stderr.write("No running bridge found.\n");
-                process.exit(2);
-            }
             const sinceMs = windowSinceMs(window);
             const params = [];
             if (sinceMs != null)
@@ -1849,20 +1857,35 @@ if (process.argv[2] === "halts") {
             if (recipeFilter)
                 params.push(`recipe=${encodeURIComponent(recipeFilter)}`);
             const qs = params.length > 0 ? `?${params.join("&")}` : "";
-            const controller = new AbortController();
-            const timer = setTimeout(() => controller.abort(), 10_000);
-            let res;
-            try {
-                res = await fetch(`http://127.0.0.1:${lock.port}/runs/halt-summary${qs}`, {
-                    headers: { Authorization: `Bearer ${lock.authToken}` },
-                    signal: controller.signal,
-                });
-            }
-            finally {
-                clearTimeout(timer);
+            // Walk live bridges in order; first responsive one wins. See the
+            // matching block in the `judgments` handler — findAllLiveBridges
+            // can include stale entries when a recycled PID still answers
+            // `kill(pid, 0)` but the lock points at a dead bridge.
+            let res = null;
+            let lastStatus = 0;
+            for (const lock of liveLocks) {
+                const controller = new AbortController();
+                const timer = setTimeout(() => controller.abort(), 10_000);
+                try {
+                    const candidate = await fetch(`http://127.0.0.1:${lock.port}/runs/halt-summary${qs}`, {
+                        headers: { Authorization: `Bearer ${lock.authToken}` },
+                        signal: controller.signal,
+                    });
+                    if (candidate.ok) {
+                        res = candidate;
+                        break;
+                    }
+                    lastStatus = candidate.status;
+                }
+                catch {
+                    /* unreachable lock — try next */
+                }
+                finally {
+                    clearTimeout(timer);
+                }
             }
-            if (!res.ok) {
-                process.stderr.write(`Bridge returned ${res.status} for /runs/halt-summary\n`);
+            if (!res) {
+                process.stderr.write(`No live bridge served /runs/halt-summary (last status: ${lastStatus || "unreachable"}).\n`);
                 process.exit(1);
             }
             const summary = (await res.json());
@@ -1917,6 +1940,16 @@ if (process.argv[2] === "halts") {
         }
     })();
 }
+// `patchwork analytics` — manage the self-hosted telemetry collector config.
+// Replaces the brittle "endpoint+secret in launchd plist" pattern with a
+// proper config file the bridge reads at startup.
+if (process.argv[2] === "analytics") {
+    (async () => {
+        const { runAnalyticsCommand } = await import("./commands/analytics.js");
+        const code = await runAnalyticsCommand(process.argv.slice(3));
+        process.exit(code);
+    })();
+}
 // `patchwork judgments` — PR3b sibling of `patchwork halts`. Same window
 // + recipe filter shape; queries /runs/judge-summary and prints a
 // per-verdict breakdown plus the 5 most-recent verdicts.
@@ -1974,11 +2007,6 @@ if (process.argv[2] === "judgments") {
                 process.stderr.write("No running bridge found. Start one with `patchwork start` (or `--driver subprocess`).\n");
                 process.exit(2);
             }
-            const lock = liveLocks[0];
-            if (!lock) {
-                process.stderr.write("No running bridge found.\n");
-                process.exit(2);
-            }
             const sinceMs = windowSinceMs(window);
             const params = [];
             if (sinceMs != null)
@@ -1986,20 +2014,37 @@ if (process.argv[2] === "judgments") {
             if (recipeFilter)
                 params.push(`recipe=${encodeURIComponent(recipeFilter)}`);
             const qs = params.length > 0 ? `?${params.join("&")}` : "";
-            const controller = new AbortController();
-            const timer = setTimeout(() => controller.abort(), 10_000);
-            let res;
-            try {
-                res = await fetch(`http://127.0.0.1:${lock.port}/runs/judge-summary${qs}`, {
-                    headers: { Authorization: `Bearer ${lock.authToken}` },
-                    signal: controller.signal,
-                });
-            }
-            finally {
-                clearTimeout(timer);
+            // Walk live bridges in order; the first responsive one wins.
+            // findAllLiveBridges uses `kill(pid, 0)` for liveness, which
+            // returns true for any recycled PID — so liveLocks can contain
+            // stale entries from dead bridges. Previously we picked [0]
+            // unconditionally and surfaced a confusing 404; now we try each
+            // and only fall through to the error path when *all* fail.
+            let res = null;
+            let lastStatus = 0;
+            for (const lock of liveLocks) {
+                const controller = new AbortController();
+                const timer = setTimeout(() => controller.abort(), 10_000);
+                try {
+                    const candidate = await fetch(`http://127.0.0.1:${lock.port}/runs/judge-summary${qs}`, {
+                        headers: { Authorization: `Bearer ${lock.authToken}` },
+                        signal: controller.signal,
+                    });
+                    if (candidate.ok) {
+                        res = candidate;
+                        break;
+                    }
+                    lastStatus = candidate.status;
+                }
+                catch {
+                    /* unreachable lock — try next */
+                }
+                finally {
+                    clearTimeout(timer);
+                }
             }
-            if (!res.ok) {
-                process.stderr.write(`Bridge returned ${res.status} for /runs/judge-summary\n`);
+            if (!res) {
+                process.stderr.write(`No live bridge served /runs/judge-summary (last status: ${lastStatus || "unreachable"}).\n`);
                 process.exit(1);
             }
             const summary = (await res.json());