pumuki-ast-hooks 5.3.16 → 5.3.18

package/scripts/hooks-system/application/services/RealtimeGuardService.js

@@ -1,6 +1,9 @@
 const fs = require('fs');
 const path = require('path');
 const { getGitTreeState, isTreeBeyondLimit } = require('./GitTreeState');
+const AuditLogger = require('./logging/AuditLogger');
+const { recordMetric } = require('../../infrastructure/telemetry/metrics-logger');
+const env = require('../../config/env');
 
 class RealtimeGuardService {
     /**
@@ -12,6 +15,12 @@ class RealtimeGuardService {
      * @param {Object} dependencies.config
      */
     constructor(dependencies = {}) {
+        this._initializeDependencies(dependencies);
+        this._initializeConfiguration();
+        this._initializeMonitors();
+    }
+
+    _initializeDependencies(dependencies = {}) {
         const {
             logger,
             notificationService,
@@ -30,39 +39,49 @@ class RealtimeGuardService {
         this.monitors = monitors || {};
         this.orchestration = orchestration;
         this.config = config || {};
+        this.auditLogger = dependencies.auditLogger || new AuditLogger({ repoRoot: process.cwd(), logger: this.logger });
+    }
 
+    _initializeConfiguration() {
         if (!this.config.debugLogPath) {
             this.config.debugLogPath = path.join(process.cwd(), '.audit-reports', 'guard-debug.log');
         }
 
-        this.evidencePath = this.config.evidencePath || path.join(process.cwd(), '.AI_EVIDENCE.json');
-        this.staleThresholdMs = Number(process.env.HOOK_GUARD_EVIDENCE_STALE_THRESHOLD || 60000);
-        this.reminderIntervalMs = Number(process.env.HOOK_GUARD_EVIDENCE_REMINDER_INTERVAL || 60000);
-        this.inactivityGraceMs = Number(process.env.HOOK_GUARD_INACTIVITY_GRACE_MS || 120000);
-        this.pollIntervalMs = Number(process.env.HOOK_GUARD_EVIDENCE_POLL_INTERVAL || 30000);
+        this.evidencePath = this.config.evidencePath || path.join(env.get('REPO_ROOT', process.cwd()), '.AI_EVIDENCE.json');
+        this.staleThresholdMs = env.getNumber('HOOK_GUARD_EVIDENCE_STALE_THRESHOLD', 60000);
+        this.reminderIntervalMs = env.getNumber('HOOK_GUARD_EVIDENCE_REMINDER_INTERVAL', 60000);
+        this.inactivityGraceMs = env.getNumber('HOOK_GUARD_INACTIVITY_GRACE_MS', 120000);
+        this.pollIntervalMs = env.getNumber('HOOK_GUARD_EVIDENCE_POLL_INTERVAL', 30000);
         this.pollTimer = null;
         this.lastStaleNotification = 0;
         this.lastUserActivityAt = 0;
 
-        this.gitTreeStagedThreshold = Number(process.env.HOOK_GUARD_DIRTY_TREE_STAGED_LIMIT || 10);
-        this.gitTreeUnstagedThreshold = Number(process.env.HOOK_GUARD_DIRTY_TREE_UNSTAGED_LIMIT || 15);
-        this.gitTreeTotalThreshold = Number(process.env.HOOK_GUARD_DIRTY_TREE_TOTAL_LIMIT || 20);
-        this.gitTreeCheckIntervalMs = Number(process.env.HOOK_GUARD_DIRTY_TREE_INTERVAL || 60000);
-        this.gitTreeReminderMs = Number(process.env.HOOK_GUARD_DIRTY_TREE_REMINDER || 300000);
+        this.gitTreeStagedThreshold = env.getNumber('HOOK_GUARD_DIRTY_TREE_STAGED_LIMIT', 10);
+        this.gitTreeUnstagedThreshold = env.getNumber('HOOK_GUARD_DIRTY_TREE_UNSTAGED_LIMIT', 15);
+        this.gitTreeTotalThreshold = env.getNumber('HOOK_GUARD_DIRTY_TREE_TOTAL_LIMIT', 20);
+        this.gitTreeCheckIntervalMs = env.getNumber('HOOK_GUARD_DIRTY_TREE_INTERVAL', 60000);
+        this.gitTreeReminderMs = env.getNumber('HOOK_GUARD_DIRTY_TREE_REMINDER', 300000);
         this.gitTreeTimer = null;
         this.lastDirtyTreeNotification = 0;
         this.dirtyTreeActive = false;
 
-        this.autoRefreshCooldownMs = Number(process.env.HOOK_GUARD_EVIDENCE_AUTO_REFRESH_COOLDOWN || 180000);
+        this.autoRefreshCooldownMs = env.getNumber('HOOK_GUARD_EVIDENCE_AUTO_REFRESH_COOLDOWN', 180000);
         this.lastAutoRefresh = 0;
         this.autoRefreshInFlight = false;
 
         this.watchers = [];
-        this.embedTokenMonitor = process.env.HOOK_GUARD_EMBEDDED_TOKEN_MONITOR === 'true';
+        this.embedTokenMonitor = env.getBool('HOOK_GUARD_EMBEDDED_TOKEN_MONITOR', false);
+    }
+
+    _initializeMonitors() {
+        // Monitors are configured but not started here
+        // They are started in the start() method to allow for proper initialization order
     }
 
     start() {
         this.logger.info('Starting RealtimeGuardService...');
+        this.auditLogger.record({ action: 'guard.realtime.start', resource: 'realtime_guard', status: 'success' });
+        recordMetric({ hook: 'realtime_guard', status: 'start' });
 
         // Start all monitors
         this._startEvidenceMonitoring();
@@ -82,6 +101,8 @@ class RealtimeGuardService {
 
     stop() {
         this.logger.info('Stopping RealtimeGuardService...');
+        this.auditLogger.record({ action: 'guard.realtime.stop', resource: 'realtime_guard', status: 'success' });
+        recordMetric({ hook: 'realtime_guard', status: 'stop' });
 
         this.watchers.forEach(w => w.close());
         this.watchers = [];
@@ -103,14 +124,27 @@ class RealtimeGuardService {
     }
 
     _startGitTreeMonitoring() {
-        if (process.env.HOOK_GUARD_DIRTY_TREE_DISABLED === 'true') return;
+        if (env.getBool('HOOK_GUARD_DIRTY_TREE_DISABLED', false)) return;
 
         this.monitors.gitTree.startMonitoring((state) => {
             if (state.isBeyondLimit) {
                 const message = `Git tree has too many files: ${state.total} total (${state.staged} staged, ${state.unstaged} unstaged)`;
                 this.notify(message, 'error', { forceDialog: true });
+                this.auditLogger.record({
+                    action: 'guard.git_tree.dirty',
+                    resource: 'git_tree',
+                    status: 'warning',
+                    meta: { total: state.total, staged: state.staged, unstaged: state.unstaged }
+                });
+                recordMetric({ hook: 'git_tree', status: 'dirty', total: state.total, staged: state.staged, unstaged: state.unstaged });
             } else {
                 this.notify('✅ Git tree is clean', 'success');
+                this.auditLogger.record({
+                    action: 'guard.git_tree.clean',
+                    resource: 'git_tree',
+                    status: 'success'
+                });
+                recordMetric({ hook: 'git_tree', status: 'clean' });
             }
         });
     }
@@ -124,22 +158,44 @@ class RealtimeGuardService {
         try {
             this.monitors.token.start();
             this.notify('🔋 Token monitor started', 'info');
+            this.auditLogger.record({
+                action: 'guard.token_monitor.start',
+                resource: 'token_monitor',
+                status: 'success'
+            });
+            recordMetric({ hook: 'token_monitor', status: 'start' });
         } catch (error) {
             this.notify(`Failed to start token monitor: ${error.message}`, 'error');
+            this.auditLogger.record({
+                action: 'guard.token_monitor.start',
+                resource: 'token_monitor',
+                status: 'fail',
+                meta: { message: error.message }
+            });
+            recordMetric({ hook: 'token_monitor', status: 'fail' });
         }
     }
 
     _startGitFlowSync() {
         if (!this.monitors.gitFlow.autoSyncEnabled) return;
 
+        this.auditLogger.record({
+            action: 'guard.gitflow.autosync.enabled',
+            resource: 'gitflow',
+            status: 'success',
+            meta: { intervalMs: env.getNumber('HOOK_GUARD_GITFLOW_AUTOSYNC_INTERVAL', 300000) }
+        });
+        recordMetric({ hook: 'gitflow_autosync', status: 'enabled' });
+
         const syncInterval = setInterval(() => {
             if (this.monitors.gitFlow.isClean()) {
                 const result = this.monitors.gitFlow.syncBranches();
                 if (result.success) {
                     this.notify('🔄 Branches synchronized', 'info');
+                    recordMetric({ hook: 'gitflow_autosync', status: 'sync_success' });
                 }
             }
-        }, Number(process.env.HOOK_GUARD_GITFLOW_AUTOSYNC_INTERVAL || 300000));
+        }, env.getNumber('HOOK_GUARD_GITFLOW_AUTOSYNC_INTERVAL', 300000));
 
         syncInterval.unref();
     }
@@ -247,11 +303,18 @@ class RealtimeGuardService {
         this.lastStaleNotification = now;
         const ageSec = Math.floor(ageMs / 1000);
         this.notify(`Evidence has been stale for ${ageSec}s (source: ${source}).`, 'warn', { forceDialog: true });
+        this.auditLogger.record({
+            action: 'guard.evidence.stale',
+            resource: 'evidence',
+            status: 'warning',
+            meta: { ageSec, source }
+        });
+        recordMetric({ hook: 'evidence', status: 'stale', ageSec, source });
         void this.attemptAutoRefresh('stale');
     }
 
     async attemptAutoRefresh(reason = 'manual') {
-        if (process.env.HOOK_GUARD_AUTO_REFRESH !== 'true') {
+        if (!env.getBool('HOOK_GUARD_AUTO_REFRESH', false)) {
             return;
         }
 
@@ -284,6 +347,13 @@ class RealtimeGuardService {
         try {
             await this.runDirectEvidenceRefresh(reason);
             this.lastAutoRefresh = now;
+            this.auditLogger.record({
+                action: 'guard.evidence.auto_refresh',
+                resource: 'evidence',
+                status: 'success',
+                meta: { reason }
+            });
+            recordMetric({ hook: 'evidence', status: 'auto_refresh_success', reason });
         } finally {
             this.autoRefreshInFlight = false;
         }

package/scripts/hooks-system/application/services/guard/GuardAutoManagerService.js

@@ -10,6 +10,9 @@ const GuardConfig = require('./GuardConfig');
 const GuardNotificationHandler = require('./GuardNotificationHandler');
 const GuardMonitorLoop = require('./GuardMonitorLoop');
 const GuardHealthReminder = require('./GuardHealthReminder');
+const AuditLogger = require('../logging/AuditLogger');
+const envHelper = require('../../../config/env');
+const { recordMetric } = require('../../../infrastructure/telemetry/metrics-logger');
 
 class GuardAutoManagerService {
     constructor({
@@ -19,9 +22,10 @@ class GuardAutoManagerService {
         fsModule = fs,
         childProcess = { spawnSync },
         timers = { setInterval, clearInterval },
-        env = process.env,
+        env = envHelper,
         processRef = process,
-        heartbeatMonitor = null
+        heartbeatMonitor = null,
+        auditLogger = null
     } = {}) {
         this.process = processRef;
 
@@ -30,6 +34,7 @@ class GuardAutoManagerService {
         this.eventLogger = new GuardEventLogger({ repoRoot, logger, fsModule });
         this.lockManager = new GuardLockManager({ repoRoot, logger, fsModule });
         this.processManager = new GuardProcessManager({ repoRoot, logger, fsModule, childProcess });
+        this.auditLogger = auditLogger || new AuditLogger({ repoRoot, logger });
 
         // Monitors & Handlers
         this.heartbeatMonitor = heartbeatMonitor || new GuardHeartbeatMonitor({
@@ -59,10 +64,14 @@ class GuardAutoManagerService {
     start() {
         if (!this.lockManager.acquireLock()) {
             this.eventLogger.log('Another guard auto manager instance detected. Exiting.');
+            this.auditLogger.record({ action: 'guard.lock.acquire', resource: 'guard_auto_manager', status: 'fail', meta: { reason: 'lock_exists' } });
+            recordMetric({ hook: 'guard_auto_manager', status: 'lock_fail' });
             return false;
         }
         this.lockManager.writePidFile();
         this.eventLogger.log('Guard auto manager started');
+        this.auditLogger.record({ action: 'guard.manager.start', resource: 'guard_auto_manager', status: 'success' });
+        recordMetric({ hook: 'guard_auto_manager', status: 'start' });
 
         this.ensureSupervisor('initial-start');
         this._startReminder();
@@ -94,6 +103,12 @@ class GuardAutoManagerService {
     handleMissingSupervisor() {
         this.lastHeartbeatState = { healthy: false, reason: 'missing-supervisor' };
         this.eventLogger.recordEvent('Guard supervisor no se encuentra en ejecución; reinicio automático.');
+        this.auditLogger.record({
+            action: 'guard.supervisor.missing',
+            resource: 'guard_supervisor',
+            status: 'fail',
+            meta: { reason: 'missing-supervisor' }
+        });
         this.ensureSupervisor('missing-supervisor');
     }
 
@@ -106,9 +121,21 @@ class GuardAutoManagerService {
                 this.eventLogger.log(`Heartbeat degraded (${heartbeat.reason}); attempting supervisor ensure.`);
                 this.lastHeartbeatRestart = now;
                 this.ensureSupervisor(`heartbeat-${heartbeat.reason}`);
+                this.auditLogger.record({
+                    action: 'guard.supervisor.ensure',
+                    resource: 'guard_supervisor',
+                    status: 'success',
+                    meta: { reason: heartbeat.reason }
+                });
             } else {
                 this.eventLogger.log(`Heartbeat degraded (${heartbeat.reason}); restart suppressed (cooldown).`);
                 this.eventLogger.recordEvent(`Heartbeat degradado (${heartbeat.reason}); reinicio omitido por cooldown.`);
+                this.auditLogger.record({
+                    action: 'guard.supervisor.ensure',
+                    resource: 'guard_supervisor',
+                    status: 'fail',
+                    meta: { reason: heartbeat.reason, suppressed: true }
+                });
             }
         } else {
             this.eventLogger.recordEvent(`Heartbeat en estado ${heartbeat.reason}; reinicio no requerido.`);
@@ -148,6 +175,8 @@ class GuardAutoManagerService {
         this.lockManager.removePidFile();
         this.lockManager.releaseLock();
         this.healthReminder.stop();
+        this.auditLogger.record({ action: 'guard.manager.stop', resource: 'guard_auto_manager', status: 'success' });
+        recordMetric({ hook: 'guard_auto_manager', status: 'stop' });
     }
 
     ensureSupervisor(reason) {

package/scripts/hooks-system/application/services/guard/GuardConfig.js

@@ -1,14 +1,22 @@
+const envHelper = require('../../../config/env');
+
 class GuardConfig {
-    constructor(env = process.env) {
-        this.healthyReminderIntervalMs = Number(env.GUARD_AUTOSTART_HEALTHY_INTERVAL || 0);
-        this.heartbeatNotifyCooldownMs = Number(env.GUARD_AUTOSTART_NOTIFY_COOLDOWN || 60000);
-        this.healthyReminderCooldownMs = Number(
-            env.GUARD_AUTOSTART_HEALTHY_COOLDOWN || (this.healthyReminderIntervalMs > 0 ? this.healthyReminderIntervalMs : 0)
+    constructor(env = envHelper) {
+        const getNumber = (name, def) =>
+            typeof env.getNumber === 'function' ? env.getNumber(name, def) : Number(env[name] || def);
+        const getBool = (name, def) =>
+            typeof env.getBool === 'function' ? env.getBool(name, def) : (env[name] !== 'false');
+
+        this.healthyReminderIntervalMs = getNumber('GUARD_AUTOSTART_HEALTHY_INTERVAL', 0);
+        this.heartbeatNotifyCooldownMs = getNumber('GUARD_AUTOSTART_NOTIFY_COOLDOWN', 60000);
+        this.healthyReminderCooldownMs = getNumber(
+            'GUARD_AUTOSTART_HEALTHY_COOLDOWN',
+            this.healthyReminderIntervalMs > 0 ? this.healthyReminderIntervalMs : 0
         );
-        this.heartbeatRestartCooldownMs = Number(env.GUARD_AUTOSTART_HEARTBEAT_COOLDOWN || 60000);
-        this.monitorIntervalMs = Number(env.GUARD_AUTOSTART_MONITOR_INTERVAL || 5000);
-        this.restartCooldownMs = Number(env.GUARD_AUTOSTART_RESTART_COOLDOWN || 2000);
-        this.stopSupervisorOnExit = env.GUARD_AUTOSTART_STOP_SUPERVISOR_ON_EXIT !== 'false';
+        this.heartbeatRestartCooldownMs = getNumber('GUARD_AUTOSTART_HEARTBEAT_COOLDOWN', 60000);
+        this.monitorIntervalMs = getNumber('GUARD_AUTOSTART_MONITOR_INTERVAL', 5000);
+        this.restartCooldownMs = getNumber('GUARD_AUTOSTART_RESTART_COOLDOWN', 2000);
+        this.stopSupervisorOnExit = getBool('GUARD_AUTOSTART_STOP_SUPERVISOR_ON_EXIT', true);
     }
 }
 

package/scripts/hooks-system/application/services/guard/GuardHeartbeatMonitor.js

@@ -1,29 +1,26 @@
 const fs = require('fs');
 const path = require('path');
+const env = require('../../../config/env');
 
 class GuardHeartbeatMonitor {
     constructor({
         repoRoot = process.cwd(),
         logger = console,
-        fsModule = fs,
-        env = process.env
+        fsModule = fs
     } = {}) {
         this.repoRoot = repoRoot;
         this.logger = logger;
         this.fs = fsModule;
-        this.env = env;
-
-        const heartbeatRelative = env.HOOK_GUARD_HEARTBEAT_PATH || path.join('.audit_tmp', 'guard-heartbeat.json');
+        const heartbeatRelative = env.get('HOOK_GUARD_HEARTBEAT_PATH', path.join('.audit_tmp', 'guard-heartbeat.json'));
         this.heartbeatPath = path.isAbsolute(heartbeatRelative)
             ? heartbeatRelative
             : path.join(this.repoRoot, heartbeatRelative);
 
-        this.heartbeatMaxAgeMs = Number(
-            env.GUARD_AUTOSTART_HEARTBEAT_MAX_AGE || env.HOOK_GUARD_HEARTBEAT_MAX_AGE || 60000
-        );
+        this.heartbeatMaxAgeMs = env.getNumber('GUARD_AUTOSTART_HEARTBEAT_MAX_AGE',
+            env.getNumber('HOOK_GUARD_HEARTBEAT_MAX_AGE', 60000));
 
         this.heartbeatRestartReasons = new Set(
-            (env.GUARD_AUTOSTART_HEARTBEAT_RESTART || 'missing,stale,invalid,degraded')
+            (env.get('GUARD_AUTOSTART_HEARTBEAT_RESTART', 'missing,stale,invalid,degraded'))
                 .split(',')
                 .map(entry => entry.trim().toLowerCase())
                 .filter(Boolean)

package/scripts/hooks-system/application/services/guard/GuardProcessManager.js

@@ -1,6 +1,9 @@
 const path = require('path');
 const { spawnSync } = require('child_process');
 
+// Import AuditLogger for logging critical operations
+const AuditLogger = require('../logging/AuditLogger');
+
 class GuardProcessManager {
     constructor({
         repoRoot = process.cwd(),
@@ -15,6 +18,10 @@ class GuardProcessManager {
 
         this.supervisorPidFile = path.join(this.repoRoot, '.guard-supervisor.pid');
         this.startScript = path.join(this.repoRoot, 'bin', 'start-guards.sh');
+        this.busy = false;
+
+        // Initialize audit logger
+        this.auditLogger = new AuditLogger({ repoRoot, logger: this.logger });
     }
 
     isSupervisorRunning() {
@@ -58,6 +65,15 @@ class GuardProcessManager {
     }
 
     startSupervisor() {
+        if (this.busy) {
+            return {
+                success: false,
+                error: new Error('bulkhead_busy'),
+                stdout: '',
+                stderr: 'bulkhead_busy'
+            };
+        }
+        this.busy = true;
         try {
             const result = this.childProcess.spawnSync(this.startScript, ['start'], {
                 cwd: this.repoRoot,
@@ -80,10 +96,21 @@ class GuardProcessManager {
                 stdout: '',
                 stderr: error.message
             };
+        } finally {
+            this.busy = false;
         }
     }
 
     stopSupervisor() {
+        if (this.busy) {
+            return {
+                success: false,
+                error: new Error('bulkhead_busy'),
+                stdout: '',
+                stderr: 'bulkhead_busy'
+            };
+        }
+        this.busy = true;
         try {
             const result = this.childProcess.spawnSync(this.startScript, ['stop'], {
                 cwd: this.repoRoot,
@@ -106,6 +133,8 @@ class GuardProcessManager {
                 stdout: '',
                 stderr: error.message
             };
+        } finally {
+            this.busy = false;
         }
     }
 }

package/scripts/hooks-system/application/services/installation/GitEnvironmentService.js

@@ -2,6 +2,9 @@ const fs = require('fs');
 const path = require('path');
 const { execSync, spawnSync } = require('child_process');
 
+// Import recordMetric for prometheus metrics
+const { recordMetric } = require('../../../infrastructure/telemetry/metrics-logger');
+
 const COLORS = {
   reset: '\x1b[0m',
   blue: '\x1b[34m',
@@ -110,7 +113,7 @@ fi
 
 # Try node_modules/.bin first (works with npm install)
 if [ -f "node_modules/.bin/ast-hooks" ]; then
-  OUTPUT=$(node_modules/.bin/ast-hooks ast 2>&1)
+  OUTPUT=$(node_modules/.bin/ast-hooks ast --staged 2>&1)
   EXIT_CODE=$?
   echo "$OUTPUT"
   if [ $EXIT_CODE -ne 0 ]; then

package/scripts/hooks-system/application/services/installation/McpConfigurator.js

@@ -3,6 +3,7 @@ const path = require('path');
 const { execSync } = require('child_process');
 const crypto = require('crypto');
 const os = require('os');
+const env = require('../../config/env');
 
 const COLORS = {
     reset: '\x1b[0m',
@@ -31,7 +32,7 @@ function computeRepoFingerprint(repoRoot) {
 
 function computeServerIdForRepo(repoRoot) {
     const legacyServerId = 'ast-intelligence-automation';
-    const forced = (process.env.MCP_SERVER_ID || '').trim();
+    const forced = (env.get('MCP_SERVER_ID', '') || '').trim();
     if (forced.length > 0) return forced;
 
     const repoName = path.basename(repoRoot || process.cwd());

package/scripts/hooks-system/application/services/logging/AuditLogger.js

@@ -0,0 +1,88 @@
+const fs = require('fs');
+const path = require('path');
+
+class AuditLogger {
+    /**
+     * @param {Object} options
+     * @param {string} [options.repoRoot=process.cwd()]
+     * @param {string} [options.filename='.audit_tmp/audit.log']
+     * @param {Object} [options.logger=console] - fallback logger for warnings
+     */
+    constructor({ repoRoot = process.cwd(), filename, logger = console } = {}) {
+        this.repoRoot = repoRoot;
+        this.logger = logger;
+        this.logPath = filename
+            ? (path.isAbsolute(filename) ? filename : path.join(repoRoot, filename))
+            : path.join(repoRoot, '.audit_tmp', 'audit.log');
+
+        this.ensureDir();
+    }
+
+    ensureDir() {
+        try {
+            const dir = path.dirname(this.logPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+            if (!fs.existsSync(this.logPath)) {
+                fs.writeFileSync(this.logPath, '', { encoding: 'utf8' });
+            }
+        } catch (error) {
+            this.warn('AUDIT_LOGGER_INIT_ERROR', error);
+        }
+    }
+
+    warn(message, error) {
+        if (this.logger?.warn) {
+            this.logger.warn(message, { error: error?.message });
+        } else {
+            console.warn(message, error?.message);
+        }
+    }
+
+    /**
+     * @param {Object} entry
+     * @param {string} entry.action 
+     * @param {string} [entry.resource]
+     * @param {string} [entry.status='success']
+     * @param {string|null} [entry.actor=null]
+     * @param {Object} [entry.meta={}]
+     * @param {string|null} [entry.correlationId=null]
+     */
+    record(entry = {}) {
+        if (!entry.action) return;
+        const safeMeta = this.sanitizeMeta(entry.meta || {});
+
+        const payload = {
+            ts: new Date().toISOString(),
+            action: entry.action,
+            resource: entry.resource || null,
+            status: entry.status || 'success',
+            actor: entry.actor || null,
+            correlationId: entry.correlationId || null,
+            meta: safeMeta
+        };
+
+        try {
+            fs.appendFileSync(this.logPath, `${JSON.stringify(payload)}\n`, { encoding: 'utf8' });
+        } catch (error) {
+            this.warn('AUDIT_LOGGER_WRITE_ERROR', error);
+        }
+    }
+
+    sanitizeMeta(meta) {
+        const forbidden = ['token', 'password', 'secret', 'authorization', 'auth', 'apiKey'];
+        const clone = {};
+        Object.entries(meta).forEach(([k, v]) => {
+            const lowered = k.toLowerCase();
+            if (forbidden.some(f => lowered.includes(f))) {
+                clone[k] = '[REDACTED]';
+            } else {
+                clone[k] = v;
+            }
+        });
+        return clone;
+    }
+}
+
+module.exports = AuditLogger;

package/scripts/hooks-system/application/services/logging/UnifiedLogger.js

@@ -97,10 +97,19 @@ class UnifiedLogger {
             this.rotateFileIfNeeded();
             fs.appendFileSync(this.fileConfig.path, `${JSON.stringify(entry)}\n`, 'utf8');
         } catch (error) {
-            if (process.env.DEBUG) {
-                console.error('[UnifiedLogger] Failed to write log file', {
-                    path: this.fileConfig.path,
-                    error: error.message
+            try {
+                const env = require('../../../config/env');
+                if (env.getBool('DEBUG', false)) {
+                    console.error('[UnifiedLogger] Failed to write log file', {
+                        path: this.fileConfig.path,
+                        error: error.message
+                    });
+                } else {
+                    console.warn('[UnifiedLogger] File logging skipped due to error');
+                }
+            } catch (secondaryError) {
+                console.error('[UnifiedLogger] Secondary logging failure', {
+                    error: secondaryError.message
                 });
             }
         }

package/scripts/hooks-system/application/services/monitoring/EvidenceMonitorService.js

@@ -1,6 +1,10 @@
 const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
+const env = require('../../config/env');
+
+// Import recordMetric for prometheus metrics
+const { recordMetric } = require('../../../infrastructure/telemetry/metrics-logger');
 
 function resolveUpdateEvidenceScript(repoRoot) {
     const candidates = [
@@ -25,9 +29,9 @@ class EvidenceMonitorService {
         updateScriptPath = resolveUpdateEvidenceScript(repoRoot) || path.join(process.cwd(), 'scripts', 'hooks-system', 'bin', 'update-evidence.sh'),
         notifier = () => { },
         logger = console,
-        autoRefreshEnabled = process.env.HOOK_GUARD_AUTO_REFRESH !== 'false',
-        autoRefreshCooldownMs = Number(process.env.HOOK_GUARD_AUTO_REFRESH_COOLDOWN || 180000),
-        staleThresholdMs = Number(process.env.HOOK_GUARD_EVIDENCE_STALE_THRESHOLD || 10 * 60 * 1000),
+        autoRefreshEnabled = env.getBool('HOOK_GUARD_AUTO_REFRESH', true),
+        autoRefreshCooldownMs = env.getNumber('HOOK_GUARD_AUTO_REFRESH_COOLDOWN', 180000),
+        staleThresholdMs = env.getNumber('HOOK_GUARD_EVIDENCE_STALE_THRESHOLD', 10 * 60 * 1000),
         fsModule = fs,
         execFn = execSync
     } = {}) {

package/scripts/hooks-system/application/services/token/TokenMetricsService.js

@@ -1,5 +1,8 @@
 const { execSync } = require('child_process');
 
+// Import recordMetric for prometheus metrics
+const { recordMetric } = require('../../../infrastructure/telemetry/metrics-logger');
+
 class TokenMetricsService {
     constructor(cursorTokenService, thresholds, logger) {
         this.cursorTokenService = cursorTokenService;
@@ -54,7 +57,8 @@ class TokenMetricsService {
         if (untrusted) {
             level = 'ok';
         }
-        const forceLevel = (process.env.TOKEN_MONITOR_FORCE_LEVEL || '').toLowerCase();
+        const env = require('../../config/env');
+        const forceLevel = (env.get('TOKEN_MONITOR_FORCE_LEVEL', '') || '').toLowerCase();
         if (forceLevel === 'warning' || forceLevel === 'critical' || forceLevel === 'ok') {
             level = forceLevel;
         }
@@ -75,6 +79,15 @@ class TokenMetricsService {
             this.logger.debug('TOKEN_MONITOR_METRICS', metrics);
         }
 
+        // Record prometheus metrics
+        recordMetric({
+            hook: 'token_monitor',
+            status: 'collect',
+            tokensUsed,
+            percentUsed: Number(percentUsed.toFixed(0)),
+            level
+        });
+
         return metrics;
     }
 

package/scripts/hooks-system/bin/cli.js

@@ -121,7 +121,21 @@ const commands = {
   },
 
   ast: () => {
-    execSync(`node ${path.join(HOOKS_ROOT, 'infrastructure/ast/ast-intelligence.js')}`, { stdio: 'inherit' });
+    const env = { ...process.env };
+    const filteredArgs = [];
+
+    for (const arg of args) {
+      if (arg === '--staged') {
+        env.STAGING_ONLY_MODE = '1';
+      } else {
+        filteredArgs.push(arg);
+      }
+    }
+
+    execSync(
+      `node ${path.join(HOOKS_ROOT, 'infrastructure/ast/ast-intelligence.js')} ${filteredArgs.join(' ')}`,
+      { stdio: 'inherit', env }
+    );
   },
 
   install: () => {