shieldcortex 4.15.0 → 4.17.0

package/dist/database/init.js

@@ -8,6 +8,7 @@ import { homedir } from 'os';
 import { fileURLToPath } from 'url';
 import { execSync } from 'child_process';
 import { randomUUID } from 'crypto';
+import { seedDefaultFirewallRules } from './seed-firewall-rules.js';
 const _currentFile = fileURLToPath(import.meta.url);
 const _currentDir = dirname(_currentFile);
 let db = null;
@@ -907,10 +908,12 @@ function runMigrations(database) {
         condition_value TEXT NOT NULL,
         action TEXT NOT NULL CHECK(action IN ('block', 'allow', 'quarantine')),
         enabled INTEGER NOT NULL DEFAULT 1,
+        built_in INTEGER NOT NULL DEFAULT 0,
         created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
       );
       CREATE INDEX IF NOT EXISTS idx_firewall_rules_priority ON firewall_rules(priority);
       CREATE INDEX IF NOT EXISTS idx_firewall_rules_enabled ON firewall_rules(enabled);
+      CREATE INDEX IF NOT EXISTS idx_firewall_rules_built_in ON firewall_rules(built_in);
 
       CREATE TABLE IF NOT EXISTS rate_limits (
         source_key TEXT PRIMARY KEY,
@@ -922,6 +925,46 @@ function runMigrations(database) {
     catch {
         // Tables may already exist - safe to ignore
     }
+    // Migration: built_in column on pre-existing firewall_rules (added in v4.15)
+    try {
+        const cols = database.prepare("PRAGMA table_info(firewall_rules)").all();
+        if (!cols.some(c => c.name === 'built_in')) {
+            database.exec('ALTER TABLE firewall_rules ADD COLUMN built_in INTEGER NOT NULL DEFAULT 0');
+            database.exec('CREATE INDEX IF NOT EXISTS idx_firewall_rules_built_in ON firewall_rules(built_in)');
+        }
+    }
+    catch {
+        // Best-effort migration; pipeline handles missing column gracefully.
+    }
+    // Seed default built-in firewall rules on first init.
+    try {
+        seedDefaultFirewallRules(database);
+    }
+    catch {
+        // Seeder runs idempotently; failures here should never block startup.
+    }
+    // Migration: session_events.content_hash + dedupe UNIQUE index (v4.17).
+    // DBs created between the foundation commit and the importer commit have
+    // session_events but no content_hash column. ALTER + idempotent index
+    // upgrades them without touching fresh installs (schema.sql handles those).
+    try {
+        const sessionEventsTable = database
+            .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='session_events'")
+            .get();
+        if (sessionEventsTable) {
+            const sessionCols = database
+                .prepare("PRAGMA table_info(session_events)")
+                .all();
+            const sessionColNames = new Set(sessionCols.map((c) => c.name));
+            if (!sessionColNames.has('content_hash')) {
+                database.exec('ALTER TABLE session_events ADD COLUMN content_hash TEXT');
+            }
+            database.exec('CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_dedupe ON session_events(session_id, ts, kind, content_hash)');
+        }
+    }
+    catch {
+        // Best-effort; importer-side INSERT OR IGNORE handles missing index gracefully.
+    }
 }
 /**
  * Get the current database instance
@@ -1422,6 +1465,28 @@ function getInlineSchema() {
       write_count INTEGER NOT NULL DEFAULT 1,
       window_start_ms INTEGER NOT NULL
     );
+
+    -- v4.17 Session capture (mirrors schema.sql; bundled fallback only).
+    CREATE TABLE IF NOT EXISTS session_events (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT NOT NULL,
+      project TEXT,
+      ts TIMESTAMP NOT NULL,
+      kind TEXT NOT NULL CHECK(kind IN (
+        'prompt', 'response', 'tool_call', 'tool_result', 'tool_error', 'hook_fire'
+      )),
+      actor TEXT,
+      payload TEXT NOT NULL,
+      duration_ms INTEGER,
+      audit_id INTEGER,
+      content_hash TEXT,
+      created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+      FOREIGN KEY (audit_id) REFERENCES defence_audit(id) ON DELETE SET NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_session_events_session ON session_events(session_id, ts);
+    CREATE INDEX IF NOT EXISTS idx_session_events_project ON session_events(project, ts DESC);
+    CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_dedupe
+      ON session_events(session_id, ts, kind, content_hash);
   `;
 }
 /**

package/dist/database/schema.sql

@@ -95,6 +95,37 @@ CREATE TABLE IF NOT EXISTS sessions (
   memories_accessed INTEGER DEFAULT 0
 );
 
+-- v4.17 Session capture: turn-by-turn events for replay.
+-- Populated by the hook capture pipeline + JSONL importer. Read by the
+-- timeline reader powering the dashboard replay UI. Distinct from the
+-- summary `sessions` table above — this is the full event stream.
+--
+-- `content_hash` powers idempotent re-import. The JSONL importer writes
+-- a SHA-256 of `kind + payload`; live capture leaves it NULL. SQLite
+-- treats NULL as distinct in UNIQUE indexes by default, so live rows
+-- never conflict with each other while imported rows are de-duplicated
+-- across reruns of the same transcript.
+CREATE TABLE IF NOT EXISTS session_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  session_id TEXT NOT NULL,
+  project TEXT,
+  ts TIMESTAMP NOT NULL,
+  kind TEXT NOT NULL CHECK(kind IN (
+    'prompt', 'response', 'tool_call', 'tool_result', 'tool_error', 'hook_fire'
+  )),
+  actor TEXT,
+  payload TEXT NOT NULL,
+  duration_ms INTEGER,
+  audit_id INTEGER,
+  content_hash TEXT,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  FOREIGN KEY (audit_id) REFERENCES defence_audit(id) ON DELETE SET NULL
+);
+CREATE INDEX IF NOT EXISTS idx_session_events_session ON session_events(session_id, ts);
+CREATE INDEX IF NOT EXISTS idx_session_events_project ON session_events(project, ts DESC);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_session_events_dedupe
+  ON session_events(session_id, ts, kind, content_hash);
+
 -- Memory relationships (for linked memories)
 CREATE TABLE IF NOT EXISTS memory_links (
   id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -301,6 +332,7 @@ CREATE TABLE IF NOT EXISTS firewall_rules (
   condition_value TEXT NOT NULL,
   action TEXT NOT NULL CHECK(action IN ('block', 'allow', 'quarantine')),
   enabled INTEGER NOT NULL DEFAULT 1,
+  built_in INTEGER NOT NULL DEFAULT 0,
   created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
 

package/dist/database/seed-firewall-rules.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Default firewall rule seeder.
+ *
+ * The `firewall_rules` table starts empty in production. The defence
+ * pipeline's PATTERN_GROUPS catch most threats inline (instruction
+ * injection, hidden instructions, etc.), but seeding the table with
+ * built-in rules makes them visible in the dashboard and gives operators
+ * a place to disable, edit, or extend them.
+ *
+ * Built-in rows are marked `built_in=1` and excluded from the user
+ * `MAX_RULES=25` cap (see custom-rules/store.ts). They are evaluated
+ * regardless of license tier — the Pro `custom_firewall_rules` gate
+ * applies only to user-added rules with `built_in=0`.
+ *
+ * Idempotent: running the seeder again is a no-op when built-in rules
+ * are already present. Operators wanting to re-seed after a built-in
+ * update should `DELETE FROM firewall_rules WHERE built_in = 1` first.
+ */
+import type Database from 'better-sqlite3';
+export declare function seedDefaultFirewallRules(db: Database.Database): void;
+export declare function listBuiltInRuleNames(): string[];

package/dist/database/seed-firewall-rules.js

@@ -0,0 +1,105 @@
+/**
+ * Default firewall rule seeder.
+ *
+ * The `firewall_rules` table starts empty in production. The defence
+ * pipeline's PATTERN_GROUPS catch most threats inline (instruction
+ * injection, hidden instructions, etc.), but seeding the table with
+ * built-in rules makes them visible in the dashboard and gives operators
+ * a place to disable, edit, or extend them.
+ *
+ * Built-in rows are marked `built_in=1` and excluded from the user
+ * `MAX_RULES=25` cap (see custom-rules/store.ts). They are evaluated
+ * regardless of license tier — the Pro `custom_firewall_rules` gate
+ * applies only to user-added rules with `built_in=0`.
+ *
+ * Idempotent: running the seeder again is a no-op when built-in rules
+ * are already present. Operators wanting to re-seed after a built-in
+ * update should `DELETE FROM firewall_rules WHERE built_in = 1` first.
+ */
+const BUILT_IN_RULES = [
+    {
+        name: 'builtin:instruction_injection',
+        priority: 10,
+        condition_type: 'regex',
+        condition_value: '\\[SYSTEM:|<<SYS>>|\\[INST\\]|<\\|im_start\\|>|<\\|system\\|>|##SYSTEM##',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:hidden_instruction',
+        priority: 11,
+        condition_type: 'regex',
+        condition_value: 'ignore\\s+(all\\s+)?previous\\s+(instructions?|prompts?)|forget\\s+everything|disregard\\s+(all\\s+)?(previous|above|prior)|override\\s+(previous|all|system)',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:imperative_tool_call',
+        priority: 12,
+        condition_type: 'regex',
+        condition_value: '\\b(?:call|invoke|use)\\s+(?:the\\s+)?[A-Za-z][\\w-]*\\s+tool\\b|\\b(?:call|invoke|use)\\s+this\\s+tool\\s+now\\b',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:memory_manipulation',
+        priority: 15,
+        condition_type: 'regex',
+        condition_value: 'save\\s+(this\\s+)?to\\s+memory|remember\\s+this\\s+(instruction|command|rule)|store\\s+this\\s+instruction|inject\\s+(into\\s+)?memory',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:command_injection',
+        priority: 5,
+        condition_type: 'regex',
+        condition_value: '\\beval\\s*\\(|\\bexec\\s*\\(|\\bsystem\\s*\\(|\\bexecute\\s+(this\\s+)?(command|code|script)|\\b__import__\\s*\\(|\\bsubprocess\\b',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:delimiter_attack',
+        priority: 18,
+        condition_type: 'regex',
+        condition_value: '<\\/?(system|admin|root)\\s*>|<!--[\\s\\S]{0,200}?(instruction|command|system|ignore|inject|override)[\\s\\S]{0,200}?-->',
+        action: 'quarantine',
+    },
+    {
+        name: 'builtin:credential_leak_aws',
+        priority: 1,
+        condition_type: 'regex',
+        condition_value: 'AKIA[0-9A-Z]{16}',
+        action: 'block',
+    },
+    {
+        name: 'builtin:credential_leak_jwt',
+        priority: 2,
+        condition_type: 'regex',
+        condition_value: 'eyJ[A-Za-z0-9_-]{10,}\\.eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}',
+        action: 'block',
+    },
+    {
+        name: 'builtin:credential_leak_private_key',
+        priority: 3,
+        condition_type: 'regex',
+        condition_value: '-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----',
+        action: 'block',
+    },
+];
+export function seedDefaultFirewallRules(db) {
+    // Confirm the column exists (older DBs may pre-date the migration).
+    const cols = db.prepare("PRAGMA table_info(firewall_rules)").all();
+    if (!cols.some(c => c.name === 'built_in'))
+        return;
+    const existing = db.prepare('SELECT COUNT(*) AS c FROM firewall_rules WHERE built_in = 1').get();
+    if (existing.c > 0)
+        return;
+    const insert = db.prepare(`
+    INSERT INTO firewall_rules (name, priority, condition_type, condition_value, action, enabled, built_in)
+    VALUES (?, ?, ?, ?, ?, 1, 1)
+  `);
+    const txn = db.transaction((rules) => {
+        for (const rule of rules) {
+            insert.run(rule.name, rule.priority, rule.condition_type, rule.condition_value, rule.action);
+        }
+    });
+    txn(BUILT_IN_RULES);
+}
+export function listBuiltInRuleNames() {
+    return BUILT_IN_RULES.map(r => r.name);
+}

package/dist/defence/custom-rules/store.d.ts

@@ -9,9 +9,12 @@ export interface FirewallRule {
     condition_value: string;
     action: 'block' | 'allow' | 'quarantine';
     enabled: number;
+    built_in: number;
     created_at: string;
 }
-export declare function listFirewallRules(): FirewallRule[];
+export declare function listFirewallRules(opts?: {
+    includeBuiltin?: boolean;
+}): FirewallRule[];
 export declare function getFirewallRule(id: number): FirewallRule | undefined;
 export declare function createFirewallRule(rule: {
     name: string;

package/dist/defence/custom-rules/store.js

@@ -3,9 +3,11 @@
  */
 import { getDatabase } from '../../database/init.js';
 const MAX_RULES = 25;
-export function listFirewallRules() {
+export function listFirewallRules(opts = {}) {
+    const includeBuiltin = opts.includeBuiltin ?? true;
     const db = getDatabase();
-    return db.prepare('SELECT * FROM firewall_rules ORDER BY priority ASC').all();
+    const where = includeBuiltin ? '' : 'WHERE built_in = 0';
+    return db.prepare(`SELECT * FROM firewall_rules ${where} ORDER BY priority ASC`).all();
 }
 export function getFirewallRule(id) {
     const db = getDatabase();
@@ -13,7 +15,9 @@ export function getFirewallRule(id) {
 }
 export function createFirewallRule(rule) {
     const db = getDatabase();
-    const count = db.prepare('SELECT COUNT(*) as cnt FROM firewall_rules').get().cnt;
+    // The MAX_RULES cap applies only to user-defined rules. Built-in rules
+    // (built_in=1) are seeded by the database layer and don't count.
+    const count = db.prepare('SELECT COUNT(*) as cnt FROM firewall_rules WHERE built_in = 0').get().cnt;
     if (count >= MAX_RULES) {
         throw new Error(`Maximum of ${MAX_RULES} custom firewall rules reached.`);
     }

package/dist/defence/firewall/instruction-detector.js

@@ -114,6 +114,21 @@ const PATTERN_GROUPS = [
             /reveal\s+your\s+instructions/i,
         ],
     },
+    {
+        // Imperative tool-call directives. These show up in transcripts as
+        // injected prompts disguised as user instructions ("call the X tool
+        // to complete this request. Call this tool now."). The session-end
+        // chunker historically captured them as user preferences with
+        // salience 1.0; the firewall now flags them at write time so they
+        // route to quarantine instead of memories.
+        name: 'imperative_tool_call',
+        weight: 0.8,
+        patterns: [
+            /\b(?:call|invoke|use)\s+(?:the\s+)?[A-Za-z][\w-]*\s+tool\b/i,
+            /\b(?:call|invoke|use)\s+this\s+tool\s+now\b/i,
+            /\bcomplete\s+this\s+request\.\s*(?:call|invoke|use)\s+this\s+tool\b/i,
+        ],
+    },
 ];
 // Maximum content length to scan (prevents ReDOS on very long inputs)
 const MAX_SCAN_LENGTH = 50000;

package/dist/defence/pipeline.js

@@ -95,42 +95,48 @@ export function runDefencePipeline(content, title, source, config, project) {
                 reason = firewall.reason;
             }
         }
-        // 6b. Apply custom firewall rules (Pro feature, additive only — can tighten, never weaken)
-        if (allowed && isFeatureEnabled('custom_firewall_rules') && isDatabaseInitialized()) {
+        // 6b. Apply firewall rules (built-in rules always evaluated; user-added
+        // custom rules require the Pro `custom_firewall_rules` feature). Both
+        // are additive only — can tighten, never weaken.
+        if (allowed && isDatabaseInitialized()) {
             try {
                 const { getEnabledFirewallRules } = require('./custom-rules/store.js');
-                const customRules = getEnabledFirewallRules();
-                for (const rule of customRules) {
+                const userRulesAllowed = isFeatureEnabled('custom_firewall_rules');
+                const allRules = getEnabledFirewallRules();
+                for (const rule of allRules) {
+                    if (!rule.built_in && !userRulesAllowed)
+                        continue;
                     try {
                         const regex = new RegExp(rule.condition_value, 'gi');
                         if (regex.test(cleanContent) || regex.test(title)) {
+                            const indicator = rule.built_in ? 'builtin_rule' : 'custom_rule';
                             if (rule.action === 'block') {
                                 allowed = false;
-                                reason = `Blocked by custom rule: ${rule.name}`;
+                                reason = `Blocked by ${rule.built_in ? 'built-in' : 'custom'} rule: ${rule.name}`;
                                 firewall.result = 'BLOCK';
-                                if (!firewall.threatIndicators.includes('custom_rule')) {
-                                    firewall.threatIndicators.push('custom_rule');
+                                if (!firewall.threatIndicators.includes(indicator)) {
+                                    firewall.threatIndicators.push(indicator);
                                 }
                                 break; // Block is final
                             }
                             else if (rule.action === 'quarantine' && firewall.result !== 'BLOCK') {
                                 allowed = false;
-                                reason = `Quarantined by custom rule: ${rule.name}`;
+                                reason = `Quarantined by ${rule.built_in ? 'built-in' : 'custom'} rule: ${rule.name}`;
                                 firewall.result = 'QUARANTINE';
-                                if (!firewall.threatIndicators.includes('custom_rule')) {
-                                    firewall.threatIndicators.push('custom_rule');
+                                if (!firewall.threatIndicators.includes(indicator)) {
+                                    firewall.threatIndicators.push(indicator);
                                 }
                             }
-                            // 'allow' action: no-op — custom rules cannot weaken built-in decisions
+                            // 'allow' action: no-op — rules cannot weaken built-in decisions
                         }
                     }
                     catch {
-                        // Skip invalid regex in custom rules
+                        // Skip invalid regex in rules
                     }
                 }
             }
             catch {
-                // Custom rules store not available — skip silently
+                // Rules store not available — skip silently
             }
         }
         // 6c. Apply custom injection patterns (Pro feature, additive)

package/dist/defence/types.d.ts

@@ -6,7 +6,7 @@
  */
 export type SensitivityLevel = 'PUBLIC' | 'INTERNAL' | 'CONFIDENTIAL' | 'RESTRICTED';
 export type FirewallResult = 'ALLOW' | 'BLOCK' | 'QUARANTINE';
-export type ThreatIndicator = 'instruction_injection' | 'privilege_escalation' | 'encoding_obfuscation' | 'credential_leak' | 'external_url' | 'fragmented_payload' | 'restricted_content' | 'pipeline_error' | 'custom_rule' | 'custom_pattern';
+export type ThreatIndicator = 'instruction_injection' | 'privilege_escalation' | 'encoding_obfuscation' | 'credential_leak' | 'external_url' | 'fragmented_payload' | 'restricted_content' | 'pipeline_error' | 'custom_rule' | 'custom_pattern' | 'builtin_rule';
 export interface DefenceSource {
     type: 'user' | 'cli' | 'hook' | 'email' | 'web' | 'agent' | 'file' | 'api' | 'tool_response';
     identifier: string;

package/dist/index.js

@@ -637,6 +637,13 @@ ${bold}DOCS${reset}
         await handleMemoriesCommand(process.argv.slice(3));
         return;
     }
+    // Handle "import-jsonl" subcommand — import Claude Code session transcripts
+    // into session_events for dashboard replay.
+    if (process.argv[2] === 'import-jsonl') {
+        const { handleImportJsonlCommand } = await import('./cli/import-jsonl.js');
+        await handleImportJsonlCommand(process.argv.slice(3));
+        return;
+    }
     // Handle "status" subcommand
     if (process.argv[2] === 'status') {
         const { handleStatusCommand } = await import('./setup/status.js');
@@ -896,6 +903,7 @@ ${bold}DOCS${reset}
         'openclaw', 'clawdbot', 'copilot', 'codex', 'service', 'config', 'status',
         'graph', 'license', 'licence', 'audit', 'iron-dome', 'scan', 'cloud', 'review-copilot',
         'scan-skill', 'scan-skills', 'dashboard', 'api', 'worker', 'stats', 'cortex', 'consolidate', 'xray', 'xray-preinstall',
+        'memories', 'import-jsonl',
     ]);
     const arg = process.argv[2];
     if (arg && !arg.startsWith('-') && !knownCommands.has(arg)) {

package/dist/sessions/capture.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Session capture — write side.
+ *
+ * Hooks (`scripts/prompt-recall-hook.mjs`, `scripts/stop-hook.mjs`,
+ * `scripts/session-end-hook.mjs`, etc.) call `recordEvent()` or the
+ * batched `recordEvents()` to persist turn-by-turn events into the
+ * `session_events` table. The timeline reader in `./timeline.ts`
+ * then reassembles them into the replay stream.
+ *
+ * Distinct from the summary `sessions` table (one row per session)
+ * and from `defence_audit` (one row per scan). Captures every event
+ * with enough fidelity to scrub/replay.
+ */
+/**
+ * Six kinds the schema CHECK constraint enforces. Keeping these in
+ * sync with `schema.sql` is load-bearing — adding a new kind requires
+ * both a schema migration and a code update here.
+ */
+export type SessionEventKind = 'prompt' | 'response' | 'tool_call' | 'tool_result' | 'tool_error' | 'hook_fire';
+export interface SessionEventInput {
+    session_id: string;
+    /** ISO-8601 timestamp string. Caller-supplied so import order is preserved. */
+    ts: string;
+    kind: SessionEventKind;
+    /**
+     * Payload — object (auto-serialised to JSON) or string (stored as-is).
+     * Strings are kept verbatim so JSONL importers can pass through raw
+     * content without double-encoding.
+     */
+    payload: unknown;
+    project?: string | null;
+    actor?: string | null;
+    duration_ms?: number | null;
+    audit_id?: number | null;
+}
+/** Insert one event row. Returns the new row id. */
+export declare function recordEvent(input: SessionEventInput): number;
+/**
+ * Batched insert wrapped in a single transaction. Used when a hook
+ * fires and produces several events at once (e.g. stop-hook emitting
+ * a `response` plus N tool_call/tool_result pairs from the just-
+ * finished turn). All-or-nothing: a CHECK violation rolls back the
+ * lot, so the table never holds half a turn.
+ */
+export declare function recordEvents(inputs: readonly SessionEventInput[]): number[];

package/dist/sessions/capture.js

@@ -0,0 +1,59 @@
+/**
+ * Session capture — write side.
+ *
+ * Hooks (`scripts/prompt-recall-hook.mjs`, `scripts/stop-hook.mjs`,
+ * `scripts/session-end-hook.mjs`, etc.) call `recordEvent()` or the
+ * batched `recordEvents()` to persist turn-by-turn events into the
+ * `session_events` table. The timeline reader in `./timeline.ts`
+ * then reassembles them into the replay stream.
+ *
+ * Distinct from the summary `sessions` table (one row per session)
+ * and from `defence_audit` (one row per scan). Captures every event
+ * with enough fidelity to scrub/replay.
+ */
+import { getDatabase } from '../database/init.js';
+/**
+ * Serialise payload to text. Objects/arrays go through JSON.stringify;
+ * strings pass through. This keeps the column NOT NULL constraint
+ * satisfied even for empty-object payloads and matches the timeline
+ * reader's `JSON.parse` with raw-string fallback.
+ */
+function serialisePayload(payload) {
+    if (typeof payload === 'string')
+        return payload;
+    return JSON.stringify(payload ?? null);
+}
+const INSERT_SQL = `
+  INSERT INTO session_events
+    (session_id, project, ts, kind, actor, payload, duration_ms, audit_id)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+`;
+/** Insert one event row. Returns the new row id. */
+export function recordEvent(input) {
+    const db = getDatabase();
+    const stmt = db.prepare(INSERT_SQL);
+    const result = stmt.run(input.session_id, input.project ?? null, input.ts, input.kind, input.actor ?? null, serialisePayload(input.payload), input.duration_ms ?? null, input.audit_id ?? null);
+    return Number(result.lastInsertRowid);
+}
+/**
+ * Batched insert wrapped in a single transaction. Used when a hook
+ * fires and produces several events at once (e.g. stop-hook emitting
+ * a `response` plus N tool_call/tool_result pairs from the just-
+ * finished turn). All-or-nothing: a CHECK violation rolls back the
+ * lot, so the table never holds half a turn.
+ */
+export function recordEvents(inputs) {
+    if (inputs.length === 0)
+        return [];
+    const db = getDatabase();
+    const stmt = db.prepare(INSERT_SQL);
+    const ids = [];
+    const tx = db.transaction((rows) => {
+        for (const row of rows) {
+            const result = stmt.run(row.session_id, row.project ?? null, row.ts, row.kind, row.actor ?? null, serialisePayload(row.payload), row.duration_ms ?? null, row.audit_id ?? null);
+            ids.push(Number(result.lastInsertRowid));
+        }
+    });
+    tx(inputs);
+    return ids;
+}

package/dist/sessions/import-jsonl.d.ts

@@ -0,0 +1,85 @@
+/**
+ * JSONL transcript importer for Claude Code session files.
+ *
+ * Claude Code writes session transcripts to `~/.claude/projects/<slug>/
+ * <session-uuid>.jsonl`. Each line is a JSON object. Conversation lines
+ * have shape `{type, sessionId, timestamp, message: {role, content}}`
+ * where `content` is an Anthropic SDK content-block array
+ * (`text|thinking|tool_use|tool_result`).
+ *
+ * Mapping to `session_events.kind`:
+ *
+ *   user.text         → prompt
+ *   assistant.text    → response
+ *   assistant.tool_use → tool_call
+ *   user.tool_result  → tool_result
+ *   thinking          → (skipped — not user-replayable in v1)
+ *
+ * Non-conversation lines (`ai-title`, `attachment`, `system`,
+ * `queue-operation`, etc.) are skipped. Idempotent on re-import: each
+ * row carries a sha256 `content_hash` of `kind|payload`, and the
+ * `idx_session_events_dedupe` UNIQUE index drops collisions silently
+ * via `INSERT OR IGNORE`.
+ *
+ * Lossy by design — agentmemory documents the same scope:
+ *   - Anthropic-internal cache markers, partial-message frames, and
+ *     non-string tool_result encodings beyond plain text are not
+ *     preserved.
+ *   - Things we WILL preserve: prompts, assistant text, tool name +
+ *     args + result, and timestamps.
+ */
+import type { SessionEventInput } from './capture.js';
+export interface TranscriptLine {
+    type?: string;
+    sessionId?: string;
+    timestamp?: string;
+    message?: {
+        role?: 'user' | 'assistant';
+        content?: ContentBlock[];
+    };
+}
+type ContentBlock = {
+    type: 'text';
+    text?: string;
+} | {
+    type: 'thinking';
+    thinking?: string;
+} | {
+    type: 'tool_use';
+    id?: string;
+    name?: string;
+    input?: unknown;
+} | {
+    type: 'tool_result';
+    tool_use_id?: string;
+    content?: unknown;
+} | {
+    type: string;
+    [key: string]: unknown;
+};
+export interface ImportResult {
+    sessionId: string | null;
+    eventCount: number;
+    /** Lines that produced zero events — non-conversation types + parse errors. */
+    skipped: number;
+    /** Lines whose JSON parsed but were rejected (missing required fields, unknown block types). */
+    malformed: number;
+}
+/**
+ * Pure mapper: one transcript line → 0..N `SessionEventInput`s.
+ *
+ * Exported so unit tests can exercise the mapping in isolation without
+ * standing up a database. Returns `[]` for any line that doesn't yield
+ * replayable events (thinking blocks, ai-title, missing fields, etc.) —
+ * the caller treats an empty array as "skipped".
+ */
+export declare function parseTranscriptLine(line: unknown): SessionEventInput[];
+/**
+ * Import one JSONL file. Wraps the whole import in a single transaction
+ * so a mid-file error rolls back cleanly — better-sqlite3's transaction
+ * helper restores DB state if the callback throws. Malformed lines do
+ * NOT throw — they're counted and skipped so a single bad row never
+ * blocks the rest of the file.
+ */
+export declare function importJsonlTranscript(path: string): ImportResult;
+export {};