npm - sentinelayer-cli - Versions diffs - 0.1.0 → 0.1.2 - Mend

sentinelayer-cli 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/package.json +2 -2
package/src/agents/jules/tools/runtime-audit.js +86 -2
package/src/auth/gate.js +92 -0
package/src/cli.js +8 -0
package/src/commands/audit.js +19 -0
package/src/daemon/ingest-refresh.js +195 -0
package/src/interactive/action-menu.js +132 -0
package/src/interactive/auto-ingest.js +111 -0
package/src/interactive/index.js +95 -0
package/src/interactive/workspace.js +92 -0
package/src/telemetry/session-tracker.js +118 -0
package/src/telemetry/sync.js +153 -0

package/package.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
-    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js",
+    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js && node --check src/telemetry/sync.js && node --check src/telemetry/session-tracker.js && node --check src/interactive/workspace.js && node --check src/interactive/auto-ingest.js && node --check src/interactive/action-menu.js && node --check src/interactive/index.js && node --check src/daemon/ingest-refresh.js",
     "test": "npm run test:unit && npm run test:e2e",
     "test:unit": "node --test tests/unit*.test.mjs",
     "test:e2e": "node --test tests/e2e.test.mjs",

package/src/agents/jules/tools/runtime-audit.js CHANGED Viewed

@@ -18,7 +18,7 @@ const LIGHTHOUSE_TIMEOUT_MS = 120000;
  * @param {{ operation: string, url?: string, path?: string }} input
  * @returns {object} Structured result per operation
  */
-export function runtimeAudit(input) {
+export async function runtimeAudit(input) {
   if (!RUNTIME_OPS.has(input.operation)) {
     throw new RuntimeAuditError(
       "Unknown operation: " + input.operation + ". Valid: " + [...RUNTIME_OPS].join(", "),
@@ -49,7 +49,7 @@ const RUNTIME_DISPATCH = {
  * Run Lighthouse via npx (no install required).
  * Returns performance, accessibility, best-practices, SEO scores + key metrics.
  */
-function lighthouseScan(input) {
+async function lighthouseScan(input) {
   const url = input.url;
   if (!url) {
     throw new RuntimeAuditError("lighthouse_scan requires a url parameter");
@@ -58,6 +58,13 @@ function lighthouseScan(input) {
     throw new RuntimeAuditError("Invalid URL: " + url);
   }
+  // Prefer SentinelLayer API scanner (authenticated, server-side Lighthouse).
+  // Falls back to local npx lighthouse if API unavailable.
+  try {
+    const apiResult = await callScannerApi(url);
+    if (apiResult.available) return apiResult;
+  } catch { /* API unavailable — fall back to local */ }
   try {
     const outputPath = path.join(
       input.path || process.cwd(),
@@ -76,6 +83,7 @@ function lighthouseScan(input) {
       encoding: "utf-8",
       timeout: LIGHTHOUSE_TIMEOUT_MS,
       stdio: ["pipe", "pipe", "pipe"],
+      shell: true, // Windows: npx is npx.cmd, needs shell resolution
     });
     if (!fs.existsSync(outputPath)) {
@@ -401,6 +409,82 @@ function sanitizeUrlForShell(url) {
   }
 }
+/**
+ * Call the SentinelLayer API scanner endpoint for server-side Lighthouse.
+ * Requires authenticated session (token from sl auth login).
+ * Returns structured result or throws if unavailable.
+ */
+async function callScannerApi(url) {
+  let session;
+  try {
+    const { readStoredSession } = await import("../../../auth/session-store.js");
+    session = await readStoredSession();
+  } catch { /* session read failed */ }
+  if (!session || !session.token) {
+    return { available: false, reason: "Not authenticated — run sl auth login" };
+  }
+  const apiUrl = session.apiUrl || "https://api.sentinelayer.com";
+  const scanEndpoint = apiUrl + "/api/v1/scan/url";
+  // Submit scan
+  const submitResponse = await fetch(scanEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": "Bearer " + session.token,
+    },
+    body: JSON.stringify({ url, scan_type: "lighthouse" }),
+    signal: AbortSignal.timeout(15000),
+  });
+  if (!submitResponse.ok) {
+    return { available: false, reason: "Scanner API returned " + submitResponse.status };
+  }
+  const submitData = await submitResponse.json();
+  const scanId = submitData.scan_id || submitData.id;
+  if (!scanId) {
+    return { available: false, reason: "Scanner did not return scan_id" };
+  }
+  // Poll for completion (max 90s)
+  const pollUrl = apiUrl + "/api/v1/scan/url/" + scanId;
+  for (let attempt = 0; attempt < 30; attempt++) {
+    await new Promise(r => setTimeout(r, 3000));
+    try {
+      const pollResponse = await fetch(pollUrl, {
+        headers: { "Authorization": "Bearer " + session.token },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!pollResponse.ok) continue;
+      const pollData = await pollResponse.json();
+      if (pollData.status === "completed" || pollData.status === "complete") {
+        const scores = pollData.scores || pollData.lighthouse_scores || {};
+        return {
+          available: true,
+          source: "sentinelayer-api",
+          scanId,
+          reportPath: null,
+          scores: {
+            performance: scores.performance ?? null,
+            accessibility: scores.accessibility ?? null,
+            bestPractices: scores.best_practices ?? scores.bestPractices ?? null,
+            seo: scores.seo ?? null,
+          },
+          metrics: pollData.metrics || {},
+          opportunities: pollData.opportunities || [],
+        };
+      }
+      if (pollData.status === "failed" || pollData.status === "error") {
+        return { available: false, reason: "Scanner reported failure: " + (pollData.error || pollData.status) };
+      }
+    } catch { /* poll failed, retry */ }
+  }
+  return { available: false, reason: "Scanner timed out after 90s" };
+}
 export class RuntimeAuditError extends Error {
   constructor(message) {
     super(message);

package/src/auth/gate.js ADDED Viewed

@@ -0,0 +1,92 @@
+import process from "node:process";
+import pc from "picocolors";
+import { readStoredSession } from "./session-store.js";
+/**
+ * Auth gate — ensures user is logged in before running any command.
+ *
+ * Commands that bypass auth:
+ * - auth login, auth status, auth --help
+ * - --help, --version, -h, -v
+ * - config (read-only config inspection)
+ *
+ * All other commands require a valid session.
+ * If not authenticated, prints instructions and exits.
+ */
+const AUTH_BYPASS_COMMANDS = new Set([
+  "auth",      // auth subcommands handle their own auth
+  "--help",
+  "-h",
+  "--version",
+  "-v",
+]);
+// Commands that work without auth (read-only, no API calls)
+const NO_AUTH_REQUIRED = new Set([
+  "config",    // local config inspection
+]);
+/**
+ * Check if the current command requires authentication.
+ * Returns true if auth is required but user is not logged in.
+ *
+ * @param {string[]} args - CLI arguments (after normalization)
+ * @returns {Promise<{ authenticated: boolean, session: object|null, bypassReason: string|null }>}
+ */
+export async function checkAuthGate(args) {
+  const first = String(args[0] || "").trim().toLowerCase();
+  // Bypass commands
+  if (!first || AUTH_BYPASS_COMMANDS.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "auth_bypass_command" };
+  }
+  if (NO_AUTH_REQUIRED.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "no_auth_required" };
+  }
+  // CI/test bypass — allows automated testing without auth
+  if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" || process.env.CI === "true") {
+    return { authenticated: true, session: null, bypassReason: "env_bypass" };
+  }
+  // Check for stored session
+  try {
+    const session = await readStoredSession();
+    if (session && session.token) {
+      // Check if token is expired
+      if (session.tokenExpiresAt) {
+        const expiresAt = new Date(session.tokenExpiresAt).getTime();
+        if (expiresAt < Date.now()) {
+          return { authenticated: false, session: null, bypassReason: null };
+        }
+      }
+      return { authenticated: true, session, bypassReason: null };
+    }
+  } catch {
+    // Session read failed — treat as not authenticated
+  }
+  return { authenticated: false, session: null, bypassReason: null };
+}
+/**
+ * Print auth required message and exit.
+ */
+export function printAuthRequired() {
+  console.error("");
+  console.error(pc.bold(pc.red("Authentication required.")));
+  console.error("");
+  console.error("  Log in to SentinelLayer to use CLI commands:");
+  console.error("");
+  console.error("    " + pc.cyan("sl auth login"));
+  console.error("");
+  console.error("  This opens your browser to authenticate via GitHub or Google.");
+  console.error("  Your session is encrypted and stored locally.");
+  console.error("");
+  console.error("  " + pc.gray("Why? All CLI operations sync to your SentinelLayer account —"));
+  console.error("  " + pc.gray("audit reports, findings, cost tracking, and run history."));
+  console.error("");
+  process.exitCode = 1;
+}

package/src/cli.js CHANGED Viewed

@@ -230,6 +230,14 @@ export async function runCli(rawArgs = process.argv.slice(2)) {
   // Normalize slash commands (/omargate → omargate, /audit → audit, etc.)
   const normalizedArgs = normalizeSlashArgs(rawArgs);
+  // Auth gate — require login for all commands except auth/help/version/config
+  const { checkAuthGate, printAuthRequired } = await import("./auth/gate.js");
+  const authResult = await checkAuthGate(normalizedArgs);
+  if (!authResult.authenticated) {
+    printAuthRequired();
+    return;
+  }
   if (shouldBypassCommander(normalizedArgs)) {
     await runLegacyCliWithErrorHandling(normalizedArgs);
     return;

package/src/commands/audit.js CHANGED Viewed

@@ -1009,6 +1009,25 @@ export function registerAuditCommand(program, invokeLegacy) {
         process.stderr.write("Summary: " + allFindings.length + " findings (P0=" + severityCounts.P0 + " P1=" + severityCounts.P1 + " P2=" + severityCounts.P2 + ")\n");
       }
+      // Sync run to dashboard (fire-and-forget)
+      try {
+        const { syncRunToDashboard } = await import("../telemetry/sync.js");
+        const syncResult = await syncRunToDashboard({
+          command: "audit frontend",
+          persona: JULES_DEFINITION.persona,
+          mode: options.mode,
+          framework: ingest?.frameworks?.[0] || "unknown",
+          summary: { total: allFindings.length, ...severityCounts, blocking: severityCounts.P0 > 0 || severityCounts.P1 > 0 },
+          usage: report?.usage || {},
+          stopReason: report?.usage?.stopReason || "completed",
+          reconciliation: reconciliation.summary,
+          runtime: runtimeResult ? { ran: true, url: runtimeResult.url } : { ran: false },
+        });
+        if (!emitJson && !emitStream && syncResult.synced) {
+          process.stderr.write(JULES_DEFINITION.avatar + " Run synced to dashboard" + (syncResult.runId ? " (run:" + syncResult.runId + ")" : "") + "\n");
+        }
+      } catch { /* sync failure never blocks CLI */ }
       if (severityCounts.P0 > 0 || severityCounts.P1 > 0) {
         process.exitCode = 2;
       }

package/src/daemon/ingest-refresh.js ADDED Viewed

@@ -0,0 +1,195 @@
+import fs from "node:fs";
+import path from "node:path";
+import { collectCodebaseIngest, generateCodebaseIngest } from "../ingest/engine.js";
+/**
+ * Pulse Ingest Refresh — periodic codebase re-index.
+ *
+ * Detects when the file count changes vs the last ingest.
+ * If delta detected: re-runs ingest + AST + domain assignment.
+ * Budget-gated: aborts if refresh takes > maxDurationMs.
+ *
+ * Inspired by src/utils/cronScheduler.ts file watcher pattern.
+ */
+const DEFAULT_CHECK_INTERVAL_MS = 60_000; // 1 minute
+const DEFAULT_MAX_DURATION_MS = 30_000; // 30 seconds
+const STALE_FILE_COUNT_THRESHOLD = 5; // re-ingest if >= 5 files changed
+/**
+ * Check if the codebase has changed since last ingest.
+ *
+ * @param {string} targetPath - Repository root
+ * @returns {{ changed: boolean, currentFileCount: number, lastFileCount: number, delta: number }}
+ */
+export function detectIngestDrift(targetPath) {
+  const ingestPath = path.join(targetPath, ".sentinelayer", "CODEBASE_INGEST.json");
+  let lastFileCount = 0;
+  try {
+    const ingest = JSON.parse(fs.readFileSync(ingestPath, "utf-8"));
+    lastFileCount = ingest?.summary?.filesScanned || 0;
+  } catch {
+    return { changed: true, currentFileCount: 0, lastFileCount: 0, delta: 0 };
+  }
+  // Quick file count via directory scan (fast, no deep analysis)
+  let currentFileCount = 0;
+  try {
+    currentFileCount = countFilesQuick(targetPath);
+  } catch {
+    return { changed: false, currentFileCount: 0, lastFileCount, delta: 0 };
+  }
+  const delta = Math.abs(currentFileCount - lastFileCount);
+  return {
+    changed: delta >= STALE_FILE_COUNT_THRESHOLD,
+    currentFileCount,
+    lastFileCount,
+    delta,
+  };
+}
+/**
+ * Run a budget-gated ingest refresh.
+ * Aborts if refresh takes longer than maxDurationMs.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {number} [options.maxDurationMs] - Max refresh time (default 30s)
+ * @param {function} [options.onEvent] - Event callback
+ * @returns {Promise<{ refreshed: boolean, reason: string, durationMs: number }>}
+ */
+export async function refreshIngestIfNeeded(targetPath, options = {}) {
+  const maxDurationMs = options.maxDurationMs || DEFAULT_MAX_DURATION_MS;
+  const drift = detectIngestDrift(targetPath);
+  if (!drift.changed) {
+    return { refreshed: false, reason: "no_drift", durationMs: 0, ...drift };
+  }
+  if (options.onEvent) {
+    options.onEvent({
+      stream: "sl_event",
+      event: "ingest_refresh_start",
+      payload: { delta: drift.delta, currentFiles: drift.currentFileCount, lastFiles: drift.lastFileCount },
+    });
+  }
+  const startMs = Date.now();
+  // Budget gate: abort if taking too long
+  const timeout = setTimeout(() => {
+    if (options.onEvent) {
+      options.onEvent({
+        stream: "sl_event",
+        event: "ingest_refresh_timeout",
+        payload: { maxDurationMs, elapsed: Date.now() - startMs },
+      });
+    }
+  }, maxDurationMs);
+  try {
+    let ingest;
+    try {
+      ingest = await generateCodebaseIngest({
+        rootPath: targetPath,
+        outputDir: path.join(targetPath, ".sentinelayer"),
+        refresh: true,
+      });
+    } catch {
+      ingest = await collectCodebaseIngest({ rootPath: targetPath });
+    }
+    const durationMs = Date.now() - startMs;
+    if (options.onEvent) {
+      options.onEvent({
+        stream: "sl_event",
+        event: "ingest_refresh_complete",
+        payload: {
+          durationMs,
+          filesScanned: ingest?.summary?.filesScanned || 0,
+          delta: drift.delta,
+        },
+      });
+    }
+    return {
+      refreshed: true,
+      reason: "drift_detected",
+      durationMs,
+      filesScanned: ingest?.summary?.filesScanned || 0,
+      ...drift,
+    };
+  } catch (err) {
+    return {
+      refreshed: false,
+      reason: "refresh_failed: " + err.message,
+      durationMs: Date.now() - startMs,
+      ...drift,
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+/**
+ * Start a periodic ingest refresh watcher.
+ * Checks for drift every checkIntervalMs and refreshes if needed.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {number} [options.checkIntervalMs] - Check interval (default 60s)
+ * @param {number} [options.maxDurationMs] - Max refresh time (default 30s)
+ * @param {function} [options.onEvent] - Event callback
+ * @returns {{ stop: function }} - Call stop() to stop watching
+ */
+export function startPeriodicRefresh(targetPath, options = {}) {
+  const checkIntervalMs = options.checkIntervalMs || DEFAULT_CHECK_INTERVAL_MS;
+  let running = true;
+  const check = async () => {
+    if (!running) return;
+    await refreshIngestIfNeeded(targetPath, options);
+    if (running) {
+      setTimeout(check, checkIntervalMs);
+    }
+  };
+  // Start first check after one interval
+  const timer = setTimeout(check, checkIntervalMs);
+  return {
+    stop() {
+      running = false;
+      clearTimeout(timer);
+    },
+  };
+}
+/**
+ * Quick file count — counts source files without deep analysis.
+ * Much faster than full ingest for drift detection.
+ */
+function countFilesQuick(rootPath) {
+  const IGNORE = new Set([
+    ".git", "node_modules", ".next", "dist", "build", "coverage",
+    ".turbo", ".venv", "__pycache__", ".cache", ".sentinelayer",
+  ]);
+  let count = 0;
+  function walk(dir) {
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (IGNORE.has(entry.name)) continue;
+        if (entry.isDirectory()) walk(path.join(dir, entry.name));
+        else if (entry.isFile()) count++;
+      }
+    } catch { /* skip unreadable */ }
+  }
+  walk(rootPath);
+  return count;
+}

package/src/interactive/action-menu.js ADDED Viewed

@@ -0,0 +1,132 @@
+import prompts from "prompts";
+import pc from "picocolors";
+import { PERSONA_VISUALS, listPersonaIds } from "../agents/jules/config/definition.js";
+/**
+ * Interactive action menu — presented after ingest completes.
+ * Arrow-key navigation for primary actions + submenus.
+ */
+/**
+ * Present the main action menu.
+ *
+ * @returns {Promise<{ action: string, subAction?: string, input?: string }>}
+ */
+export async function showActionMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "action",
+    message: "What would you like to do?",
+    choices: [
+      { title: pc.red("🔍 Audit"), value: "audit", description: "Run security + quality audit (baseline + personas)" },
+      { title: pc.yellow("📝 Review"), value: "review", description: "Quick review of current changes" },
+      { title: pc.green("🏗️  Add Feature"), value: "feature", description: "Describe a feature and generate spec + prompt" },
+      { title: pc.blue("🆕 Create Project"), value: "create", description: "Scaffold a new project with spec + Omar Gate" },
+      { title: pc.gray("⚙️  More options..."), value: "more", description: "Config, cost, telemetry, watch, plugins" },
+    ],
+  });
+  if (!response.action) return { action: "exit" };
+  // Route to submenu
+  if (response.action === "audit") return showAuditMenu();
+  if (response.action === "review") return showReviewMenu();
+  if (response.action === "feature") return showFeaturePrompt();
+  if (response.action === "more") return showMoreMenu();
+  return { action: response.action };
+}
+/**
+ * Audit submenu — all 13 personas + full audit.
+ */
+async function showAuditMenu() {
+  const personaIds = listPersonaIds();
+  const choices = [
+    {
+      title: pc.bold("🎯 Full Audit (all 13 personas in parallel)"),
+      value: { action: "audit", subAction: "deep" },
+      description: "Omar baseline → 13 specialist agents → reconciliation",
+    },
+  ];
+  for (const id of personaIds) {
+    const visual = PERSONA_VISUALS[id];
+    if (!visual) continue;
+    choices.push({
+      title: (visual.avatar || "") + " " + visual.fullName + pc.gray(" (" + id + ")"),
+      value: { action: "audit", subAction: id },
+      description: visual.specialty ? visual.specialty.slice(0, 80) : visual.domain || id,
+    });
+  }
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "Which audit?",
+    choices,
+  });
+  return response.choice || { action: "exit" };
+}
+/**
+ * Review submenu.
+ */
+async function showReviewMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "Review mode?",
+    choices: [
+      { title: "📋 Full review", value: { action: "review", subAction: "full" }, description: "Scan entire codebase (22-rule deterministic + AI)" },
+      { title: "📝 Diff review", value: { action: "review", subAction: "diff" }, description: "Review only uncommitted changes" },
+      { title: "📌 Staged review", value: { action: "review", subAction: "staged" }, description: "Review only staged files" },
+    ],
+  });
+  return response.choice || { action: "exit" };
+}
+/**
+ * Feature description prompt.
+ */
+async function showFeaturePrompt() {
+  const response = await prompts({
+    type: "text",
+    name: "description",
+    message: "Describe the feature you want to add:",
+    validate: v => (v && v.trim().length > 5) ? true : "Please describe the feature (at least a few words)",
+  });
+  if (!response.description) return { action: "exit" };
+  return {
+    action: "feature",
+    input: response.description.trim(),
+  };
+}
+/**
+ * More options submenu.
+ */
+async function showMoreMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "More options:",
+    choices: [
+      { title: "📊 Cost & usage summary", value: { action: "cost" }, description: "View token usage and cost tracking" },
+      { title: "📈 Telemetry", value: { action: "telemetry" }, description: "View run event telemetry" },
+      { title: "⚙️  Config", value: { action: "config" }, description: "View and edit configuration" },
+      { title: "👤 Auth status", value: { action: "auth-status" }, description: "Check authentication" },
+      { title: "🔌 Plugins", value: { action: "plugins" }, description: "List installed plugins" },
+      { title: "📡 Watch events", value: { action: "watch" }, description: "Stream runtime events" },
+      { title: "🤖 AI identity", value: { action: "ai" }, description: "AIdenID provisioning" },
+      { title: "🐛 Daemon status", value: { action: "daemon" }, description: "Error queue and budget status" },
+    ],
+  });
+  return response.choice || { action: "exit" };
+}

package/src/interactive/auto-ingest.js ADDED Viewed

@@ -0,0 +1,111 @@
+import fs from "node:fs";
+import path from "node:path";
+import pc from "picocolors";
+import { collectCodebaseIngest, generateCodebaseIngest } from "../ingest/engine.js";
+/**
+ * Auto-ingest with live progress output.
+ *
+ * Checks if CODEBASE_INGEST.json exists and is fresh.
+ * If stale or missing, runs ingest with real-time status updates.
+ * Returns the ingest result.
+ */
+const STALE_THRESHOLD_MS = 300_000; // 5 minutes
+/**
+ * Check if ingest exists and is fresh enough.
+ *
+ * @param {string} targetPath - Repository root
+ * @returns {{ exists: boolean, stale: boolean, age: number|null, path: string }}
+ */
+export function checkIngestFreshness(targetPath) {
+  const ingestPath = path.join(targetPath, ".sentinelayer", "CODEBASE_INGEST.json");
+  if (!fs.existsSync(ingestPath)) {
+    return { exists: false, stale: true, age: null, path: ingestPath };
+  }
+  try {
+    const stat = fs.statSync(ingestPath);
+    const age = Date.now() - stat.mtimeMs;
+    return {
+      exists: true,
+      stale: age > STALE_THRESHOLD_MS,
+      age,
+      path: ingestPath,
+    };
+  } catch {
+    return { exists: false, stale: true, age: null, path: ingestPath };
+  }
+}
+/**
+ * Run auto-ingest with live progress output to stderr.
+ * If ingest exists and is fresh, reads from cache.
+ * Otherwise runs full ingest with status updates.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {boolean} [options.force] - Force re-ingest even if fresh
+ * @param {boolean} [options.quiet] - Suppress progress output
+ * @returns {Promise<object>} Ingest result
+ */
+export async function autoIngestWithProgress(targetPath, options = {}) {
+  const freshness = checkIngestFreshness(targetPath);
+  if (freshness.exists && !freshness.stale && !options.force) {
+    if (!options.quiet) {
+      const ageSec = Math.floor((freshness.age || 0) / 1000);
+      process.stderr.write(pc.gray("Using cached ingest (" + ageSec + "s old)\n"));
+    }
+    try {
+      const cached = JSON.parse(fs.readFileSync(freshness.path, "utf-8"));
+      return cached;
+    } catch { /* fall through to re-ingest */ }
+  }
+  // Run ingest with progress
+  if (!options.quiet) {
+    process.stderr.write(pc.cyan("⟳") + " Indexing codebase...\n");
+  }
+  const startMs = Date.now();
+  if (!options.quiet) {
+    process.stderr.write(pc.gray("  ├─ Scanning files and directories\n"));
+  }
+  let ingest;
+  try {
+    ingest = await generateCodebaseIngest({
+      rootPath: targetPath,
+      outputDir: path.join(targetPath, ".sentinelayer"),
+      refresh: true,
+    });
+  } catch {
+    ingest = await collectCodebaseIngest({ rootPath: targetPath });
+  }
+  const durationMs = Date.now() - startMs;
+  if (!options.quiet) {
+    const files = ingest?.summary?.filesScanned || 0;
+    const loc = ingest?.summary?.totalLoc || 0;
+    const surfaces = (ingest?.riskSurfaces || []).length;
+    const frameworks = (ingest?.frameworks || []).join(", ") || "none";
+    process.stderr.write(pc.gray("  ├─ Building AST + import graph\n"));
+    process.stderr.write(pc.gray("  ├─ Assigning domain surfaces\n"));
+    process.stderr.write(pc.gray("  └─ ") + pc.green("Done") + pc.gray(" (" + (durationMs / 1000).toFixed(1) + "s)\n"));
+    process.stderr.write("\n");
+    process.stderr.write(pc.bold("  Codebase Summary\n"));
+    process.stderr.write(pc.gray("  Files: ") + pc.white(String(files)) + "\n");
+    process.stderr.write(pc.gray("  LOC: ") + pc.white(String(loc)) + "\n");
+    process.stderr.write(pc.gray("  Frameworks: ") + pc.white(frameworks) + "\n");
+    process.stderr.write(pc.gray("  Risk surfaces: ") + pc.white(String(surfaces)) + "\n");
+    process.stderr.write("\n");
+  }
+  return ingest;
+}

package/src/interactive/index.js ADDED Viewed

@@ -0,0 +1,95 @@
+import pc from "picocolors";
+import { selectRepo } from "./workspace.js";
+import { autoIngestWithProgress } from "./auto-ingest.js";
+import { showActionMenu } from "./action-menu.js";
+/**
+ * Interactive CLI mode — the "sl" experience with no args.
+ *
+ * Flow:
+ * 1. Detect repos in workspace → select if multiple
+ * 2. Auto-ingest with live progress
+ * 3. Present action menu
+ * 4. Route to the selected command
+ */
+/**
+ * Run the interactive flow.
+ *
+ * @param {object} [options]
+ * @param {function} [options.executeCommand] - Command executor (receives action + args)
+ * @returns {Promise<void>}
+ */
+export async function runInteractiveMode(options = {}) {
+  console.error("");
+  console.error(pc.bold("  SentinelLayer CLI") + pc.gray(" — security-first development platform"));
+  console.error("");
+  // Step 1: Repo selection
+  const repo = await selectRepo();
+  if (!repo) {
+    console.error(pc.yellow("No repository selected. Run sl --help for available commands."));
+    return;
+  }
+  // Step 2: Auto-ingest
+  const ingest = await autoIngestWithProgress(repo.path);
+  // Step 3: Action menu
+  const choice = await showActionMenu();
+  if (choice.action === "exit") {
+    return;
+  }
+  // Step 4: Route to command
+  console.error("");
+  if (options.executeCommand) {
+    await options.executeCommand(choice, repo, ingest);
+  } else {
+    // Print the equivalent CLI command for the user
+    const cmd = buildEquivalentCommand(choice, repo);
+    if (cmd) {
+      console.error(pc.gray("  Equivalent command: ") + pc.cyan(cmd));
+      console.error("");
+    }
+  }
+}
+/**
+ * Build the equivalent CLI command string for a menu choice.
+ */
+function buildEquivalentCommand(choice, repo) {
+  const pathFlag = " --path " + repo.path;
+  switch (choice.action) {
+    case "audit":
+      if (choice.subAction === "deep") return "sl audit" + pathFlag + " --json";
+      return "sl audit " + choice.subAction + pathFlag + " --stream";
+    case "review":
+      if (choice.subAction === "diff") return "sl review scan --mode diff" + pathFlag + " --json";
+      if (choice.subAction === "staged") return "sl review scan --mode staged" + pathFlag + " --json";
+      return "sl review scan --mode full" + pathFlag + " --json";
+    case "feature":
+      return "sl spec generate --description \"" + (choice.input || "").slice(0, 50) + "...\"" + pathFlag;
+    case "create":
+      return "sl init";
+    case "cost":
+      return "sl cost show" + pathFlag + " --json";
+    case "telemetry":
+      return "sl telemetry show" + pathFlag + " --json";
+    case "config":
+      return "sl config list --json";
+    case "auth-status":
+      return "sl auth status --json";
+    case "plugins":
+      return "sl plugin list --json";
+    case "watch":
+      return "sl watch history" + pathFlag + " --json";
+    case "ai":
+      return "sl ai provision-email --json";
+    case "daemon":
+      return "sl daemon budget status" + pathFlag + " --json";
+    default:
+      return null;
+  }
+}

package/src/interactive/workspace.js ADDED Viewed

@@ -0,0 +1,92 @@
+import fs from "node:fs";
+import path from "node:path";
+import prompts from "prompts";
+import pc from "picocolors";
+/**
+ * Multi-repo workspace detection + interactive repo selection.
+ *
+ * Scans the current directory and parent for git repositories.
+ * If multiple found, presents arrow-key selector.
+ * If single found, auto-selects it.
+ */
+/**
+ * Detect git repositories in the workspace.
+ * Scans cwd and one level up for directories containing .git.
+ *
+ * @param {string} [startPath] - Starting directory (default: cwd)
+ * @returns {{ repos: Array<{name, path, isCurrentDir}>, parentDir: string }}
+ */
+export function detectRepos(startPath) {
+  const cwd = path.resolve(startPath || process.cwd());
+  const parentDir = path.dirname(cwd);
+  const repos = [];
+  // Check if cwd itself is a git repo
+  if (fs.existsSync(path.join(cwd, ".git"))) {
+    repos.push({
+      name: path.basename(cwd),
+      path: cwd,
+      isCurrentDir: true,
+    });
+  }
+  // Scan parent directory for sibling repos
+  try {
+    const siblings = fs.readdirSync(parentDir, { withFileTypes: true });
+    for (const entry of siblings) {
+      if (!entry.isDirectory()) continue;
+      const siblingPath = path.join(parentDir, entry.name);
+      if (siblingPath === cwd) continue; // skip self (already added if it's a repo)
+      if (fs.existsSync(path.join(siblingPath, ".git"))) {
+        repos.push({
+          name: entry.name,
+          path: siblingPath,
+          isCurrentDir: false,
+        });
+      }
+    }
+  } catch { /* parent unreadable — only current dir */ }
+  return { repos, parentDir };
+}
+/**
+ * Interactive repo selector.
+ * If single repo: auto-selects.
+ * If multiple: presents arrow-key menu.
+ * If none: returns null.
+ *
+ * @param {object} [options]
+ * @param {string} [options.startPath]
+ * @returns {Promise<{name, path}|null>}
+ */
+export async function selectRepo(options = {}) {
+  const { repos } = detectRepos(options.startPath);
+  if (repos.length === 0) {
+    console.error(pc.yellow("No git repositories found in this workspace."));
+    return null;
+  }
+  if (repos.length === 1) {
+    console.error(pc.gray("Repository: " + repos[0].name + " (" + repos[0].path + ")"));
+    return repos[0];
+  }
+  // Multiple repos — present selection
+  console.error(pc.bold("Multiple repositories detected:"));
+  const response = await prompts({
+    type: "select",
+    name: "repo",
+    message: "Which repository?",
+    choices: repos.map(r => ({
+      title: r.name + (r.isCurrentDir ? pc.gray(" (current)") : ""),
+      value: r,
+      description: r.path,
+    })),
+  });
+  return response.repo || null;
+}

package/src/telemetry/session-tracker.js ADDED Viewed

@@ -0,0 +1,118 @@
+import pc from "picocolors";
+/**
+ * Session Tracker — tracks tokens, tool calls, cost, and time per CLI run.
+ *
+ * Inspired by src/bootstrap/state.ts and src/cost-tracker.ts patterns:
+ * - Single global session state initialized once
+ * - Accumulator functions for each metric
+ * - Summary getter for final report
+ * - Print summary on completion
+ */
+let SESSION = null;
+/**
+ * Initialize a new tracking session.
+ * Call this at the start of any auditable command.
+ */
+export function startSession(command) {
+  SESSION = {
+    command: command || "unknown",
+    startedAt: Date.now(),
+    inputTokens: 0,
+    outputTokens: 0,
+    costUsd: 0,
+    toolCalls: 0,
+    llmCalls: 0,
+    findings: { P0: 0, P1: 0, P2: 0, P3: 0 },
+  };
+  return SESSION;
+}
+/**
+ * Record token usage from an LLM call.
+ */
+export function recordLlmUsage({ inputTokens = 0, outputTokens = 0, costUsd = 0 } = {}) {
+  if (!SESSION) return;
+  SESSION.inputTokens += inputTokens;
+  SESSION.outputTokens += outputTokens;
+  SESSION.costUsd += costUsd;
+  SESSION.llmCalls += 1;
+}
+/**
+ * Record a tool call.
+ */
+export function recordToolCall() {
+  if (!SESSION) return;
+  SESSION.toolCalls += 1;
+}
+/**
+ * Record findings.
+ */
+export function recordFindings(summary) {
+  if (!SESSION) return;
+  if (summary?.P0) SESSION.findings.P0 += summary.P0;
+  if (summary?.P1) SESSION.findings.P1 += summary.P1;
+  if (summary?.P2) SESSION.findings.P2 += summary.P2;
+  if (summary?.P3) SESSION.findings.P3 += summary.P3;
+}
+/**
+ * Get the current session summary.
+ */
+export function getSessionSummary() {
+  if (!SESSION) return null;
+  const durationMs = Date.now() - SESSION.startedAt;
+  return {
+    command: SESSION.command,
+    durationMs,
+    inputTokens: SESSION.inputTokens,
+    outputTokens: SESSION.outputTokens,
+    totalTokens: SESSION.inputTokens + SESSION.outputTokens,
+    costUsd: SESSION.costUsd,
+    toolCalls: SESSION.toolCalls,
+    llmCalls: SESSION.llmCalls,
+    findings: { ...SESSION.findings },
+  };
+}
+/**
+ * Print the session summary to stderr.
+ * Called at the end of any auditable command.
+ */
+export function printSessionSummary() {
+  const summary = getSessionSummary();
+  if (!summary) return;
+  const duration = summary.durationMs < 60000
+    ? (summary.durationMs / 1000).toFixed(1) + "s"
+    : (summary.durationMs / 60000).toFixed(1) + "m";
+  const tokens = summary.totalTokens > 1000
+    ? (summary.totalTokens / 1000).toFixed(1) + "K"
+    : String(summary.totalTokens);
+  const parts = [];
+  parts.push(pc.gray("Run complete:"));
+  parts.push(pc.white(tokens + " tokens"));
+  parts.push(pc.white(summary.toolCalls + " tools"));
+  if (summary.costUsd > 0) parts.push(pc.white("$" + summary.costUsd.toFixed(2)));
+  parts.push(pc.white(duration));
+  const findingParts = [];
+  if (summary.findings.P0 > 0) findingParts.push(pc.red("P0=" + summary.findings.P0));
+  if (summary.findings.P1 > 0) findingParts.push(pc.yellow("P1=" + summary.findings.P1));
+  if (summary.findings.P2 > 0) findingParts.push(pc.cyan("P2=" + summary.findings.P2));
+  if (summary.findings.P3 > 0) findingParts.push(pc.gray("P3=" + summary.findings.P3));
+  process.stderr.write("\n" + parts.join(" · "));
+  if (findingParts.length > 0) {
+    process.stderr.write(" | " + findingParts.join(" "));
+  }
+  process.stderr.write("\n");
+  return summary;
+}

package/src/telemetry/sync.js ADDED Viewed

@@ -0,0 +1,153 @@
+import { readStoredSession } from "../auth/session-store.js";
+/**
+ * Telemetry Sync — uploads CLI run results to sentinelayer-api.
+ *
+ * Called after audit, review, omargate commands complete.
+ * Fire-and-forget: never blocks the CLI, never crashes on failure.
+ * The API stores this data and the web dashboard renders it.
+ *
+ * What syncs:
+ * - Run metadata (command, persona, mode, framework detected)
+ * - Findings summary (P0/P1/P2/P3 counts, blocking status)
+ * - Usage telemetry (tokens, cost, duration, tool calls)
+ * - Stop reason (budget exhausted, max turns, completed, etc.)
+ *
+ * What stays local:
+ * - Full finding details (file:line evidence) — too large for sync
+ * - Ingest artifacts — regenerated locally
+ * - Spec/prompt/guide files — project artifacts
+ */
+const SYNC_TIMEOUT_MS = 10000;
+/**
+ * Sync a CLI run to the user's sentinelayer dashboard.
+ *
+ * @param {object} runData
+ * @param {string} runData.command - e.g., "audit frontend", "omargate deep", "review scan"
+ * @param {string} [runData.persona] - e.g., "Jules Tanaka"
+ * @param {string} [runData.mode] - e.g., "primary", "deep", "diff"
+ * @param {object} [runData.summary] - { total, P0, P1, P2, P3, blocking }
+ * @param {object} [runData.usage] - { tokens, costUsd, durationMs, toolCalls }
+ * @param {string} [runData.stopReason] - e.g., "completed", "budget_exhausted"
+ * @param {string} [runData.framework] - e.g., "next.js"
+ * @param {object} [runData.reconciliation] - baseline reconciliation summary
+ * @param {object} [runData.runtime] - runtime audit summary (lighthouse scores, headers)
+ * @returns {Promise<{ synced: boolean, reason?: string }>}
+ */
+export async function syncRunToDashboard(runData) {
+  let session;
+  try {
+    session = await readStoredSession();
+  } catch {
+    return { synced: false, reason: "no_session" };
+  }
+  if (!session || !session.token) {
+    return { synced: false, reason: "not_authenticated" };
+  }
+  const apiUrl = session.apiUrl || "https://api.sentinelayer.com";
+  try {
+    // Create a run record
+    const response = await fetch(apiUrl + "/api/v1/runs", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": "Bearer " + session.token,
+      },
+      body: JSON.stringify({
+        mode: mapCommandToMode(runData.command),
+        runtime_profile: "cli_local",
+        repo: detectRepoName(),
+        ref: detectGitRef(),
+        orchestrator_model: runData.persona || "cli",
+        subagent_model: "deterministic",
+        budget: {
+          max_cost_usd: runData.usage?.maxCostUsd || 5.0,
+          max_iterations: runData.usage?.maxTurns || 25,
+        },
+        max_iterations: 1,
+      }),
+      signal: AbortSignal.timeout(SYNC_TIMEOUT_MS),
+    });
+    if (!response.ok) {
+      return { synced: false, reason: "api_" + response.status };
+    }
+    const created = await response.json();
+    const runId = created.run_id;
+    // Post a completion event with telemetry
+    if (runId) {
+      await fetch(apiUrl + "/api/v1/runs/" + runId + "/complete", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": "Bearer " + session.token,
+        },
+        body: JSON.stringify({
+          exit_reason: runData.stopReason || "completed",
+          stop_class: runData.summary?.blocking ? "BLOCKING_FINDINGS" : "CLEAN",
+          summary: {
+            command: runData.command,
+            persona: runData.persona || null,
+            mode: runData.mode || null,
+            framework: runData.framework || null,
+            findings: runData.summary || { total: 0, P0: 0, P1: 0, P2: 0, P3: 0 },
+            usage: {
+              token_usage: runData.usage?.tokens || runData.usage?.outputTokens || 0,
+              cost_usd: runData.usage?.costUsd || 0,
+              duration_ms: runData.usage?.durationMs || 0,
+              tool_calls: runData.usage?.toolCalls || 0,
+            },
+            reconciliation: runData.reconciliation || null,
+            runtime: runData.runtime || null,
+          },
+        }),
+        signal: AbortSignal.timeout(SYNC_TIMEOUT_MS),
+      }).catch(() => {}); // completion event is best-effort
+    }
+    return { synced: true, runId };
+  } catch (err) {
+    return { synced: false, reason: err.message };
+  }
+}
+function mapCommandToMode(command) {
+  if (!command) return "audit_readonly";
+  const lower = String(command).toLowerCase();
+  if (lower.includes("review")) return "audit_readonly";
+  if (lower.includes("omargate")) return "audit_readonly";
+  if (lower.includes("audit")) return "audit_readonly";
+  if (lower.includes("fix")) return "edit_gated";
+  return "audit_readonly";
+}
+function detectRepoName() {
+  try {
+    const { execFileSync } = require("node:child_process");
+    const remote = execFileSync("git", ["remote", "get-url", "origin"], {
+      encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"],
+    }).trim();
+    const match = remote.match(/\/([^/]+?)(?:\.git)?$/);
+    return match ? match[1] : "unknown";
+  } catch {
+    return "local";
+  }
+}
+function detectGitRef() {
+  try {
+    const { execFileSync } = require("node:child_process");
+    return execFileSync("git", ["rev-parse", "--abbrev-ref", "HEAD"], {
+      encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"],
+    }).trim() || "main";
+  } catch {
+    return "main";
+  }
+}