teleportation-cli 1.3.0 → 1.4.1

package/.claude/hooks/pre_tool_use.mjs

@@ -17,13 +17,10 @@ const readStdin = () => new Promise((resolve, reject) => {
   stdin.on('error', reject);
 });
 
-const sleep = (ms) => new Promise(r => setTimeout(r, ms));
-
-// Lazy-load metadata extraction
+// Lazy-load metadata extraction (only used on slow path)
 let extractSessionMetadata = null;
-async function getSessionMetadata(cwd) {
+async function getSessionMetadata(cwd, hookInput = null) {
   if (!extractSessionMetadata) {
-    // Try multiple paths for the metadata module
     const possiblePaths = [
       join(__dirname, '..', '..', 'lib', 'session', 'metadata.js'),
       join(homedir(), '.teleportation', 'lib', 'session', 'metadata.js'),
@@ -43,12 +40,41 @@ async function getSessionMetadata(cwd) {
   if (!extractSessionMetadata) return {};
 
   try {
-    return await extractSessionMetadata(cwd);
+    return await extractSessionMetadata(cwd, hookInput);
   } catch (e) {
     return {};
   }
 }
 
+// Lazy-load event data sanitizer (redact API keys, tokens, passwords from timeline events)
+let _sanitizeEventData = null;
+async function loadEventSanitizer() {
+  if (_sanitizeEventData) return _sanitizeEventData;
+
+  const possiblePaths = [
+    join(__dirname, '..', '..', 'lib', 'utils', 'log-sanitizer.js'),
+    join(homedir(), '.teleportation', 'lib', 'utils', 'log-sanitizer.js'),
+  ];
+
+  for (const path of possiblePaths) {
+    try {
+      const mod = await import(path);
+      if (mod.sanitizeEventData) {
+        _sanitizeEventData = mod.sanitizeEventData;
+        return _sanitizeEventData;
+      }
+    } catch {
+      continue;
+    }
+  }
+
+  // Fallback: identity function (don't block tool execution if sanitizer unavailable)
+  // Server-side sanitization in relay provides defense-in-depth
+  log('Warning: sanitizeEventData not found, using identity fallback (relay-side sanitization still active)');
+  _sanitizeEventData = (data) => data;
+  return _sanitizeEventData;
+}
+
 const fetchJson = async (url, opts) => {
   const res = await fetch(url, opts);
   if (!res.ok) throw new Error(`HTTP ${res.status}`);
@@ -73,20 +99,32 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
   }
 };
 
+// Helper: POST a timeline event (reused in fast and slow paths)
+function postTimeline(relayUrl, apiKey, body) {
+  return fetch(`${relayUrl}/api/timeline`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${apiKey}`
+    },
+    body: JSON.stringify(body)
+  });
+}
+
 (async () => {
-  // Debug: Log hook invocation
+  const hookStart = Date.now();
+
   const hookLogFile = env.TELEPORTATION_HOOK_LOG || '/tmp/teleportation-hook.log';
   const log = (msg) => {
     const timestamp = new Date().toISOString();
-    const logMsg = `[${timestamp}] ${msg}\n`;
     try {
-      appendFileSync(hookLogFile, logMsg);
+      appendFileSync(hookLogFile, `[${timestamp}] ${msg}\n`);
     } catch (e) {
-      // Silently ignore log failures - don't write to stderr as it shows in UI
+      // Silently ignore log failures
     }
   };
 
-  // Read and parse stdin to get hook input
+  // Read and parse stdin
   let input = {};
   try {
     const raw = await readStdin();
@@ -96,6 +134,8 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
   }
 
   let { session_id, tool_name, tool_input } = input || {};
+  // Cursor sends conversation_id in preToolUse instead of session_id
+  session_id = session_id || input?.conversation_id;
   tool_input = tool_input && typeof tool_input === 'object' ? tool_input : {};
   let claude_session_id = session_id; // Keep original ID
   const hookStartMs = Date.now();
@@ -107,56 +147,49 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
     return Math.max(200, Math.min(PRE_TOOL_NETWORK_TIMEOUT_MS, remaining - 100));
   };
 
-  // Detect message source
-  const isAutonomousTask = env.TELEPORTATION_TASK_MODE === 'true' || !!env.TELEPORTATION_PARENT_SESSION_ID;
-  const source = isAutonomousTask ? 'autonomous_task' : 'cli_interactive';
+  // Detect client: Cursor injects cursor_version in all hook inputs
+  const client = input?.cursor_version ? 'cursor' : 'claude-code';
+  const source = client === 'cursor' ? 'cursor_agent' : 'cli_interactive';
 
-  // 1. Recursion Guard (Critical Stability Fix)
-  // Prevent infinite hook-triggered tool loops
-  // Whitelist safe tools at higher depths to avoid breaking workflows
+  // 1. Recursion Guard
   const SAFE_TOOLS = ['read', 'glob', 'grep', 'websearch', 'bashoutput', 'ls', 'pwd', 'git status'];
   const RECURSION_DEPTH = parseInt(env.TELEPORTATION_HOOK_DEPTH || '0', 10) || 0;
-  
+
   if (RECURSION_DEPTH > 5 && !SAFE_TOOLS.includes(tool_name?.toLowerCase())) {
-    log(`[RECURSION] Depth limit reached (${RECURSION_DEPTH}) for tool "${tool_name}", auto-allowing to prevent infinite loop.`);
+    log(`[RECURSION] Depth limit reached (${RECURSION_DEPTH}) for tool "${tool_name}", auto-allowing.`);
     process.stdout.write(JSON.stringify({ decision: 'allow', reason: 'Recursion guard depth limit' }));
     return exit(0);
   }
 
-  // Update environment for child processes
   process.env.TELEPORTATION_HOOK_DEPTH = (RECURSION_DEPTH + 1).toString();
 
   log(`Session ID: ${session_id}, Tool: ${tool_name}, Input: ${JSON.stringify(tool_input).substring(0, 100)}`);
 
-  // Check for /away and /back commands (user typing in Claude Code)
-  // These are special commands to toggle away mode
+  // 2. Detect /away and /back commands
   const command = tool_input?.command || tool_input?.text || '';
   if (typeof command === 'string') {
     const trimmedCmd = command.trim().toLowerCase();
-    // Support multiple command formats: /away, teleportation away, teleport away, teleporation away (typo)
     if (trimmedCmd === '/away' ||
         trimmedCmd === 'teleportation away' ||
         trimmedCmd === 'teleport away' ||
         trimmedCmd === 'teleporation away') {
-      log('Detected /away command - setting away mode');
-      // Will set away mode after loading config
+      log('Detected /away command');
       tool_input.__teleportation_away = true;
     } else if (trimmedCmd === '/back' ||
                trimmedCmd === 'teleportation back' ||
                trimmedCmd === 'teleport back' ||
                trimmedCmd === 'teleporation back') {
-      log('Detected /back command - clearing away mode');
+      log('Detected /back command');
       tool_input.__teleportation_back = true;
     }
   }
 
-  // Load config from encrypted credentials, legacy config file, or env vars
+  // 3. Load config (always needed for API URLs)
   let config;
   try {
     const { loadConfig } = await import('./config-loader.mjs');
     config = await loadConfig();
   } catch (e) {
-    // Fallback to environment variables if config loader fails
     config = {
       relayApiUrl: env.RELAY_API_URL || '',
       relayApiKey: env.RELAY_API_KEY || '',
@@ -164,8 +197,7 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
     };
   }
 
-  // Prioritize environment variables over config file (for testing)
-  const SLACK_WEBHOOK_URL = env.SLACK_WEBHOOK_URL || config.slackWebhookUrl || '';
+  // Derive constants
   const RELAY_API_URL = env.RELAY_API_URL || config.relayApiUrl || '';
   const RELAY_API_KEY = env.RELAY_API_KEY || config.relayApiKey || '';
   const DAEMON_PORT = config.daemonPort || env.TELEPORTATION_DAEMON_PORT || '3050';
@@ -193,186 +225,6 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
   // All tool requests are sent to the remote approval system so the user
   // can approve/deny from their mobile device. This enables true remote control.
 
-  // Register session: relay first (source of truth), then daemon
-  const cwd = process.cwd();
-  const meta = await getSessionMetadata(cwd);
-  log(`Session metadata: project=${meta.project_name}, hostname=${meta.hostname}, branch=${meta.current_branch}, model=${meta.current_model || 'default'}`);
-
-  // Detect model change (PRD-0014)
-  // Store model in ~/.teleportation/sessions/ to persist across reboots
-  const sessionDir = join(homedir(), '.teleportation', 'sessions');
-  if (!fs.existsSync(sessionDir)) {
-    fs.mkdirSync(sessionDir, { recursive: true, mode: 0o700 });
-  }
-  const modelFile = join(sessionDir, `model_${session_id}.txt`);
-  let modelChanged = false;
-  try {
-    const { readFile, writeFile } = await import('fs/promises');
-    let lastModel = null;
-    try {
-      lastModel = (await readFile(modelFile, 'utf8')).trim();
-    } catch (e) {
-      // File doesn't exist yet - first tool use
-    }
-
-    if (lastModel && meta.current_model && lastModel !== meta.current_model) {
-      modelChanged = true;
-      log(`Model changed detected: ${lastModel} -> ${meta.current_model}`);
-
-      // Log model change to timeline
-      if (RELAY_API_URL && RELAY_API_KEY && hasBudget()) {
-        try {
-          const timeoutMs = getRequestTimeoutMs();
-          if (timeoutMs > 0) {
-            await withTimeout(
-              (signal) => fetch(`${RELAY_API_URL}/api/timeline`, {
-                method: 'POST',
-                headers: {
-                  'Content-Type': 'application/json',
-                  'Authorization': `Bearer ${RELAY_API_KEY}`
-                },
-                body: JSON.stringify({
-                  session_id,
-                  type: 'model_changed',
-                  source,
-                  data: {
-                    previous_model: lastModel,
-                    new_model: meta.current_model,
-                    timestamp: Date.now()
-                  }
-                }),
-                signal
-              }),
-              timeoutMs,
-              'model change timeline post'
-            );
-          }
-          log(`Model change logged to timeline`);
-        } catch (e) {
-          log(`Failed to log model change: ${e.message}`);
-        }
-      }
-    }
-
-    // Update last known model
-    if (meta.current_model) {
-      await writeFile(modelFile, meta.current_model, { mode: 0o600 });
-    }
-  } catch (e) {
-    log(`Model change detection error: ${e.message}`);
-  }
-
-  // 1. Register with relay first - makes session visible in mobile UI
-  if (session_id && RELAY_API_URL && RELAY_API_KEY && hasBudget()) {
-    try {
-      log(`Registering session with relay: ${session_id}`);
-      const { ensureSessionRegistered } = await import('./session-register.mjs');
-      const timeoutMs = getRequestTimeoutMs();
-      if (timeoutMs <= 0) {
-        log('Skipping relay registration due to exhausted hook budget');
-      }
-      const regResult = timeoutMs > 0
-        ? await withTimeout(
-          () => ensureSessionRegistered(session_id, cwd, config),
-          timeoutMs,
-          'relay session registration'
-        )
-        : false;
-      
-      if (typeof regResult === 'object' && regResult.error === 'orphan_api_key') {
-        console.error(`\n⚠️  Teleportation: ${regResult.message || 'API key not linked to user.'}`);
-        console.error('   Visit https://app.teleportation.dev/api-keys to claim your key.\n');
-      } else {
-        log(`Session registered with relay successfully`);
-      }
-
-      // If model changed, update session metadata immediately
-      if (modelChanged && hasBudget() && (regResult === true || (typeof regResult === 'object' && regResult.success))) {
-        const { updateSessionMetadata } = await import('./session-register.mjs');
-        const timeoutMs = getRequestTimeoutMs();
-        if (timeoutMs > 0) {
-          await withTimeout(
-            () => updateSessionMetadata(session_id, cwd, config),
-            timeoutMs,
-            'session metadata update'
-          );
-        }
-        log(`Session metadata updated with new model`);
-      }
-    } catch (e) {
-      log(`Warning: Failed to register session with relay: ${e.message}`);
-    }
-  }
-
-  // 2. Then register with daemon (local infrastructure for this session)
-  if (session_id && DAEMON_ENABLED && hasBudget()) {
-    try {
-      const daemonUrl = `http://127.0.0.1:${DAEMON_PORT}`;
-      log(`Registering session with daemon: ${session_id}`);
-      
-      const timeoutMs = getRequestTimeoutMs();
-      const res = timeoutMs > 0
-        ? await withTimeout(
-          (signal) => fetch(`${daemonUrl}/sessions/register`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ session_id, claude_session_id, cwd, meta }),
-            signal
-          }),
-          timeoutMs,
-          'daemon session registration'
-        ).catch(e => {
-          log(`Daemon registration fetch error: ${e.message}`);
-          return null;
-        })
-        : null;
-      if (res && res.ok) {
-        log(`Session registered with daemon successfully`);
-      } else if (res) {
-        log(`Daemon registration returned status ${res.status}`);
-      } else if (timeoutMs <= 0) {
-        log('Skipping daemon registration due to exhausted hook budget');
-      }
-    } catch (e) {
-      log(`Warning: Failed to register session with daemon: ${e.message}`);
-    }
-  }
-
-  // 3. Log tool_use event to timeline (before execution)
-  // This shows what Claude is attempting to do
-  if (session_id && RELAY_API_URL && RELAY_API_KEY && tool_name && hasBudget()) {
-    try {
-      const timeoutMs = getRequestTimeoutMs();
-      if (timeoutMs > 0) {
-        await withTimeout(
-          (signal) => fetch(`${RELAY_API_URL}/api/timeline`, {
-            method: 'POST',
-            headers: {
-              'Content-Type': 'application/json',
-              'Authorization': `Bearer ${RELAY_API_KEY}`
-            },
-            body: JSON.stringify({
-              session_id,
-              type: 'tool_use',
-              source,
-              data: {
-                tool_name,
-                tool_input: tool_input || {},
-                timestamp: Date.now()
-              }
-            }),
-            signal
-          }),
-          timeoutMs,
-          'tool_use timeline post'
-        );
-      }
-      log(`Logged tool_use event for ${tool_name}`);
-    } catch (e) {
-      log(`Failed to log tool_use: ${e.message}`);
-    }
-  }
-
   // NOTE: Context delivery via notification has been removed.
   // With parent session context resumption (PR #123), autonomous tasks now
   // automatically resume the parent session's conversation context on turn 1.
@@ -411,49 +263,27 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
     }
   };
 
+  // 4. Handle /away and /back (early exit, needs config only)
   if (tool_input.__teleportation_away) {
     await updateSessionState({ is_away: true });
     // Log away_mode_changed event to timeline
     if (RELAY_API_URL && RELAY_API_KEY && hasBudget()) {
       try {
-        const timeoutMs = getRequestTimeoutMs();
-        if (timeoutMs > 0) {
-          await withTimeout(
-            (signal) => fetch(`${RELAY_API_URL}/api/timeline`, {
-              method: 'POST',
-              headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${RELAY_API_KEY}`
-              },
-              body: JSON.stringify({
-                session_id,
-                type: 'away_mode_changed',
-                source,
-                data: {
-                  is_away: true,
-                  timestamp: Date.now()
-                }
-              }),
-              signal
-            }),
-            timeoutMs,
-            'away-mode timeline post'
-          );
-        }
+        await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+          session_id, type: 'away_mode_changed', source,
+          data: { is_away: true, timestamp: Date.now() }
+        });
         log(`Logged away_mode_changed (away=true) to timeline`);
-      } catch (e) {
-        log(`Failed to log away_mode_changed: ${e.message}`);
-      }
+      } catch (e) { log(`Failed to log away_mode_changed: ${e.message}`); }
     }
-    const out = {
+    stdout.write(JSON.stringify({
       hookSpecificOutput: {
         hookEventName: 'PreToolUse',
         permissionDecision: 'deny',
         permissionDecisionReason: '✅ Teleportation: Away mode enabled.'
       },
       suppressOutput: true
-    };
-    stdout.write(JSON.stringify(out));
+    }));
     return exit(0);
   }
 
@@ -462,68 +292,204 @@ const withTimeout = async (promiseFactory, timeoutMs, label) => {
     // Log away_mode_changed event to timeline
     if (RELAY_API_URL && RELAY_API_KEY && hasBudget()) {
       try {
-        const timeoutMs = getRequestTimeoutMs();
-        if (timeoutMs > 0) {
-          await withTimeout(
-            (signal) => fetch(`${RELAY_API_URL}/api/timeline`, {
-              method: 'POST',
-              headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${RELAY_API_KEY}`
-              },
-              body: JSON.stringify({
-                session_id,
-                type: 'away_mode_changed',
-                source,
-                data: {
-                  is_away: false,
-                  timestamp: Date.now()
-                }
-              }),
-              signal
-            }),
-            timeoutMs,
-            'away-mode timeline post'
-          );
-        }
+        await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+          session_id, type: 'away_mode_changed', source,
+          data: { is_away: false, timestamp: Date.now() }
+        });
         log(`Logged away_mode_changed (away=false) to timeline`);
-      } catch (e) {
-        log(`Failed to log away_mode_changed: ${e.message}`);
-      }
+      } catch (e) { log(`Failed to log away_mode_changed: ${e.message}`); }
     }
-    const out = {
+    stdout.write(JSON.stringify({
       hookSpecificOutput: {
         hookEventName: 'PreToolUse',
         permissionDecision: 'deny',
         permissionDecisionReason: '✅ Teleportation: Away mode disabled.'
       },
       suppressOutput: true
-    };
-    stdout.write(JSON.stringify(out));
+    }));
     return exit(0);
   }
 
-  // SMART AWAY MODE: Auto-mark as present ("back") on any activity
-  // If the user is typing commands locally, they are clearly not away.
-  // Note: Approval invalidation is handled by PermissionRequest hook
-  // to avoid race conditions and duplicate API calls
-
-  // PreToolUse now only handles:
-  // 1. Session registration with daemon
-  // 2. Checking for pending daemon results
-  // 3. Marking user as present (not away)
-  //
-  // Remote approvals are handled by PermissionRequest hook
-  // Tool execution logging is handled by PostToolUse hook
-  
-  log(`PreToolUse complete for ${tool_name} - letting Claude Code proceed`);
-  
-  // Don't output anything - let Claude Code handle permissions with its own system
-  // The PermissionRequest hook will handle remote approvals if user is away
-  // The PostToolUse hook will record tool executions to the timeline
+  // 5. Check if session is already registered (marker file from first call)
+  //    This is the key optimization: skip metadata extraction, registration,
+  //    and daemon calls on subsequent tool uses.
+  //    The marker file is created by session-register.mjs after successful relay
+  //    registration. If registration fails, the marker won't exist and subsequent
+  //    calls will continue taking the slow path until registration succeeds.
+  let sessionAlreadyRegistered = false;
+  if (session_id) {
+    const registrationMarker = join(tmpdir(), `teleportation-session-${session_id}.registered`);
+    try {
+      fs.accessSync(registrationMarker);
+      sessionAlreadyRegistered = true;
+    } catch {}
+  }
+
+  if (sessionAlreadyRegistered) {
+    // ═══════════════════════════════════════════════════════════════════
+    // FAST PATH: Session registered. Skip metadata extraction (6+ git
+    // subprocesses), skip relay/daemon registration, skip model file I/O.
+    // Only do: lightweight model check + timeline POST.
+    // ═══════════════════════════════════════════════════════════════════
+
+    // Lightweight model check (env vars + settings.json, no git calls)
+    try {
+      const sessionDir = join(homedir(), '.teleportation', 'sessions');
+      const modelFile = join(sessionDir, `model_${session_id}.txt`);
+
+      let lastModel = null;
+      try { lastModel = fs.readFileSync(modelFile, 'utf8').trim(); } catch {}
+
+      // Read current model from env vars, then settings.json (no git needed)
+      let currentModel = env.ANTHROPIC_MODEL || env.CLAUDE_MODEL || null;
+      if (!currentModel) {
+        try {
+          const settings = JSON.parse(fs.readFileSync(join(homedir(), '.claude', 'settings.json'), 'utf8'));
+          currentModel = settings.model || null;
+        } catch {}
+      }
+
+      if (lastModel && currentModel && lastModel !== currentModel) {
+        log(`[FastPath] Model changed: ${lastModel} -> ${currentModel}`);
+        if (RELAY_API_URL && RELAY_API_KEY) {
+          await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+            session_id, type: 'model_changed', source,
+            data: { previous_model: lastModel, new_model: currentModel, timestamp: Date.now() }
+          }).catch(e => log(`Failed to log model change: ${e.message}`));
+        }
+        try { fs.writeFileSync(modelFile, currentModel, { mode: 0o600 }); } catch {}
+      }
+    } catch (e) {
+      log(`[FastPath] Model check error: ${e.message}`);
+    }
+
+    // Log tool_use to timeline (sanitize to redact secrets from tool_input)
+    if (session_id && RELAY_API_URL && RELAY_API_KEY && tool_name) {
+      try {
+        const sanitize = await loadEventSanitizer();
+        await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+          session_id, type: 'tool_use', source,
+          data: sanitize({ tool_name, tool_input: tool_input || {}, timestamp: Date.now() })
+        });
+      } catch (e) { log(`Failed to log tool_use: ${e.message}`); }
+    }
+
+    log(`PreToolUse complete [fast path, ${Date.now() - hookStart}ms] for ${tool_name}`);
+    return exit(0);
+  }
+
+  // ═══════════════════════════════════════════════════════════════════════
+  // SLOW PATH: First tool call in session. Extract metadata, register
+  // session with relay and daemon, detect model changes.
+  // ═══════════════════════════════════════════════════════════════════════
+  log(`[SlowPath] First tool call, registering session ${session_id}`);
+
+  // Cursor provides workspace_roots; Claude Code provides cwd.
+  // Fall back to process.cwd() when hook payload doesn't include either.
+  const cwd = input?.cwd || (input?.workspace_roots?.[0]) || process.cwd();
+  const meta = await getSessionMetadata(cwd, input);
+  log(`Session metadata: project=${meta.project_name}, hostname=${meta.hostname}, branch=${meta.current_branch}, model=${meta.current_model || 'default'}`);
+
+  // Model change detection (full version via metadata)
+  const sessionDir = join(homedir(), '.teleportation', 'sessions');
+  if (!fs.existsSync(sessionDir)) {
+    fs.mkdirSync(sessionDir, { recursive: true, mode: 0o700 });
+  }
+  const modelFile = join(sessionDir, `model_${session_id}.txt`);
+  let modelChanged = false;
+  try {
+    const { readFile, writeFile } = await import('fs/promises');
+    let lastModel = null;
+    try {
+      lastModel = (await readFile(modelFile, 'utf8')).trim();
+    } catch (e) {
+      // File doesn't exist yet - first tool use
+    }
+
+    if (lastModel && meta.current_model && lastModel !== meta.current_model) {
+      modelChanged = true;
+      log(`Model changed detected: ${lastModel} -> ${meta.current_model}`);
+      if (RELAY_API_URL && RELAY_API_KEY) {
+        try {
+          await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+            session_id, type: 'model_changed', source,
+            data: { previous_model: lastModel, new_model: meta.current_model, timestamp: Date.now() }
+          });
+        } catch (e) { log(`Failed to log model change: ${e.message}`); }
+      }
+    }
+
+    if (meta.current_model) {
+      await writeFile(modelFile, meta.current_model, { mode: 0o600 });
+    }
+  } catch (e) {
+    log(`Model change detection error: ${e.message}`);
+  }
+
+  // Register with relay (pass pre-extracted metadata to avoid double extraction)
+  if (session_id && RELAY_API_URL && RELAY_API_KEY) {
+    try {
+      log(`Registering session with relay: ${session_id}`);
+      const { ensureSessionRegistered, updateSessionMetadata } = await import('./session-register.mjs');
+      const regResult = await ensureSessionRegistered(session_id, cwd, config, meta);
+
+      if (typeof regResult === 'object' && regResult.error === 'orphan_api_key') {
+        console.error(`\n⚠️  Teleportation: ${regResult.message || 'API key not linked to user.'}`);
+        console.error('   Visit https://app.teleportation.dev/api-keys to claim your key.\n');
+      } else {
+        log(`Session registered with relay successfully`);
+      }
+
+      // If model changed, update session metadata
+      if (modelChanged && (regResult === true || (typeof regResult === 'object' && regResult.success))) {
+        await updateSessionMetadata(session_id, cwd, config);
+        log(`Session metadata updated with new model`);
+      }
+    } catch (e) {
+      log(`Warning: Failed to register session with relay: ${e.message}`);
+    }
+  }
+
+  // Register with daemon
+  if (session_id && DAEMON_ENABLED) {
+    try {
+      const daemonUrl = `http://127.0.0.1:${DAEMON_PORT}`;
+      log(`Registering session with daemon: ${session_id}`);
+      const res = await fetch(`${daemonUrl}/sessions/register`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ session_id, claude_session_id, cwd, meta: { ...meta, client } })
+      }).catch(e => {
+        log(`Daemon registration fetch error: ${e.message}`);
+        return null;
+      });
+      if (res && res.ok) {
+        log(`Session registered with daemon successfully`);
+      } else if (res) {
+        log(`Daemon registration returned status ${res.status}`);
+      }
+    } catch (e) {
+      log(`Warning: Failed to register session with daemon: ${e.message}`);
+    }
+  }
+
+  // Log tool_use event to timeline (sanitize to redact secrets from tool_input)
+  if (session_id && RELAY_API_URL && RELAY_API_KEY && tool_name) {
+    try {
+      const sanitize = await loadEventSanitizer();
+      await postTimeline(RELAY_API_URL, RELAY_API_KEY, {
+        session_id, type: 'tool_use', source,
+        data: sanitize({ tool_name, tool_input: tool_input || {}, timestamp: Date.now() })
+      });
+      log(`Logged tool_use event for ${tool_name}`);
+    } catch (e) {
+      log(`Failed to log tool_use: ${e.message}`);
+    }
+  }
+
+  log(`PreToolUse complete [slow path, ${Date.now() - hookStart}ms] for ${tool_name}`);
   return exit(0);
 })().catch(err => {
-  // Log to file but don't write to stderr - stderr shows in UI as "hook error"
   try {
     const hookLogFile = env.TELEPORTATION_HOOK_LOG || '/tmp/teleportation-hook.log';
     appendFileSync(hookLogFile, `[${new Date().toISOString()}] FATAL: ${err.message}\n${err.stack}\n`);