vigile-scan 0.1.2 → 0.2.0

package/dist/index.js

@@ -25,8 +25,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 
 // src/index.ts
 var import_commander = require("commander");
+var import_chalk2 = __toESM(require("chalk"));
 var import_ora = __toESM(require("ora"));
-var import_promises3 = require("fs/promises");
+var import_promises4 = require("fs/promises");
 
 // src/discovery/claude-desktop.ts
 var import_path2 = require("path");
@@ -1310,6 +1311,577 @@ function deduplicateFindings2(findings) {
   });
 }
 
+// src/sentinel/sentinel.ts
+var import_child_process = require("child_process");
+
+// src/sentinel/sentinel-patterns.ts
+var SUSPICIOUS_ENDPOINT_PATTERNS = [
+  {
+    id: "SN-001",
+    severity: "critical",
+    title: "Known data exfiltration endpoint",
+    urlPattern: /https?:\/\/[^/]*(?:pastebin\.com|hastebin\.com|ghostbin\.co|paste\.ee|dpaste\.org|transfer\.sh|file\.io|0x0\.st|ix\.io)\/(?:api|raw|upload|documents)/i,
+    description: "MCP server is sending data to a paste/file sharing service commonly used for data exfiltration.",
+    recommendation: "CRITICAL: Stop this MCP server immediately. Legitimate tools should never upload to paste services."
+  },
+  {
+    id: "SN-002",
+    severity: "critical",
+    title: "Webhook exfiltration channel",
+    urlPattern: /https?:\/\/(?:hooks\.slack\.com|discord(?:app)?\.com\/api\/webhooks|webhook\.site|pipedream\.net|requestbin\.|hookbin\.|beeceptor\.com)/i,
+    description: "MCP server is sending data to a webhook endpoint. Attackers commonly use webhook services as low-noise exfiltration channels.",
+    recommendation: "Investigate what data is being sent to this webhook. This is a common attacker exfiltration method."
+  },
+  {
+    id: "SN-003",
+    severity: "high",
+    title: "Dynamic DNS destination",
+    urlPattern: /https?:\/\/[^/]*\.(?:duckdns\.org|no-ip\.com|ngrok\.io|ngrok-free\.app|serveo\.net|localhost\.run|bore\.digital|tailscale\.io)(?:\/|$)/i,
+    description: "MCP server is connecting to a dynamic DNS or tunneling service, commonly used for C2 infrastructure.",
+    recommendation: "Review this connection. Dynamic DNS is frequently used by attackers to rotate C2 endpoints."
+  },
+  {
+    id: "SN-004",
+    severity: "high",
+    title: "Cryptocurrency-related endpoint",
+    urlPattern: /https?:\/\/[^/]*(?:blockchain\.info|etherscan\.io|bscscan\.com|solscan\.io|mempool\.space)\/(?:api|rawaddr|tx|address)/i,
+    description: "MCP server is querying cryptocurrency blockchain APIs, which could indicate wallet scanning or theft.",
+    recommendation: "Unless this is an explicitly crypto-related tool, this connection is highly suspicious."
+  },
+  {
+    id: "SN-005",
+    severity: "medium",
+    title: "Telemetry to unknown endpoint",
+    urlPattern: /https?:\/\/[^/]*(?:\/(?:telemetry|analytics|tracking|pixel|beacon|collect|event|metrics|heartbeat))(?:\?|$|\/)/i,
+    description: "MCP server is sending telemetry/analytics data. While sometimes legitimate, this can mask data exfiltration.",
+    recommendation: "Verify the telemetry destination is expected. Compare against the MCP server's documentation."
+  },
+  {
+    id: "SN-006",
+    severity: "critical",
+    title: "Raw IP connection (no hostname)",
+    urlPattern: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:\/|$)/,
+    description: "MCP server is connecting directly to an IP address instead of a hostname. This bypasses DNS-based monitoring and is a strong indicator of C2 communication.",
+    recommendation: "CRITICAL: Direct IP connections are almost never legitimate for MCP servers. Investigate immediately."
+  },
+  {
+    id: "SN-007",
+    severity: "high",
+    title: "Non-standard port connection",
+    urlPattern: /https?:\/\/[^/]+:(?!80\b|443\b|8080\b|8443\b|3000\b|5000\b|8000\b)\d{4,5}(?:\/|$)/,
+    description: "MCP server is connecting to a non-standard port. While sometimes legitimate, C2 infrastructure often uses unusual ports.",
+    recommendation: "Verify this port is expected for the service being contacted."
+  }
+];
+var BEHAVIORAL_PATTERNS = [
+  {
+    id: "SN-010",
+    severity: "critical",
+    title: "C2 beaconing detected (regular interval)",
+    description: "MCP server is making network requests at regular intervals to the same destination, consistent with command-and-control beaconing. Malware phones home on a schedule to receive commands.",
+    recommendation: "CRITICAL: This pattern strongly indicates the MCP server is compromised. Stop it immediately and investigate the destination.",
+    minEvents: 5,
+    timeWindowSeconds: 300,
+    // 5 minutes
+    detect: (events) => {
+      const byDest = /* @__PURE__ */ new Map();
+      for (const e of events) {
+        const dest = new URL(e.url).hostname;
+        if (!byDest.has(dest)) byDest.set(dest, []);
+        byDest.get(dest).push(e.timestamp);
+      }
+      let maxConfidence = 0;
+      for (const [, timestamps] of byDest) {
+        if (timestamps.length < 5) continue;
+        timestamps.sort((a, b) => a - b);
+        const intervals = [];
+        for (let i = 1; i < timestamps.length; i++) {
+          intervals.push(timestamps[i] - timestamps[i - 1]);
+        }
+        const mean = intervals.reduce((s, v) => s + v, 0) / intervals.length;
+        const std = Math.sqrt(
+          intervals.reduce((s, v) => s + (v - mean) ** 2, 0) / intervals.length
+        );
+        const cv = mean > 0 ? std / mean : 1;
+        if (cv < 0.15) maxConfidence = Math.max(maxConfidence, 95);
+        else if (cv < 0.25) maxConfidence = Math.max(maxConfidence, 80);
+        else if (cv < 0.35) maxConfidence = Math.max(maxConfidence, 60);
+      }
+      return maxConfidence;
+    }
+  },
+  {
+    id: "SN-011",
+    severity: "critical",
+    title: "Burst data exfiltration",
+    description: "MCP server sent an unusually large amount of data in a short burst to an external endpoint. This pattern matches credential dump exfiltration and file theft.",
+    recommendation: "CRITICAL: Investigate what data was transmitted. Check for stolen SSH keys, credentials, or source code.",
+    minEvents: 1,
+    timeWindowSeconds: 60,
+    // 1 minute
+    detect: (events) => {
+      const LARGE_REQUEST_THRESHOLD = 5e4;
+      const BURST_THRESHOLD = 2e5;
+      let maxSingle = 0;
+      let totalBytes = 0;
+      for (const e of events) {
+        maxSingle = Math.max(maxSingle, e.requestSize);
+        totalBytes += e.requestSize;
+      }
+      if (maxSingle > LARGE_REQUEST_THRESHOLD) return 90;
+      if (totalBytes > BURST_THRESHOLD) return 85;
+      if (totalBytes > BURST_THRESHOLD / 2) return 60;
+      return 0;
+    }
+  },
+  {
+    id: "SN-012",
+    severity: "high",
+    title: "DNS tunneling suspected",
+    description: "MCP server is making an unusual number of DNS queries with high-entropy subdomains. This pattern matches DNS tunneling \u2014 a technique to exfiltrate data by encoding it in DNS queries, which often bypass firewalls.",
+    recommendation: "Investigate the DNS queries. DNS tunneling uses encoded data in subdomain labels (e.g., aGVsbG8=.evil.com).",
+    minEvents: 10,
+    timeWindowSeconds: 120,
+    detect: (events) => {
+      const dnsEvents = events.filter((e) => e.dnsQueryType);
+      if (dnsEvents.length < 10) return 0;
+      let suspiciousCount = 0;
+      for (const e of dnsEvents) {
+        try {
+          const hostname = new URL(e.url).hostname;
+          const parts = hostname.split(".");
+          for (const part of parts) {
+            if (part.length > 30) suspiciousCount++;
+            if (/^[A-Za-z0-9+/]{20,}={0,2}$/.test(part)) suspiciousCount++;
+          }
+        } catch {
+        }
+      }
+      const ratio = suspiciousCount / dnsEvents.length;
+      if (ratio > 0.5) return 90;
+      if (ratio > 0.3) return 70;
+      if (ratio > 0.1) return 40;
+      return 0;
+    }
+  },
+  {
+    id: "SN-013",
+    severity: "high",
+    title: "Multi-destination scatter exfiltration",
+    description: "MCP server is distributing data across many different external destinations in a short period. Sophisticated exfiltration splits data across multiple endpoints to avoid size-based detection.",
+    recommendation: "Review all destinations contacted. This pattern suggests deliberate evasion of single-destination monitoring.",
+    minEvents: 5,
+    timeWindowSeconds: 120,
+    detect: (events) => {
+      const destinations = /* @__PURE__ */ new Set();
+      for (const e of events) {
+        try {
+          destinations.add(new URL(e.url).hostname);
+        } catch {
+        }
+      }
+      const withData = events.filter((e) => e.requestSize > 500);
+      const destWithData = /* @__PURE__ */ new Set();
+      for (const e of withData) {
+        try {
+          destWithData.add(new URL(e.url).hostname);
+        } catch {
+        }
+      }
+      if (destWithData.size > 10) return 85;
+      if (destWithData.size > 5) return 65;
+      if (destWithData.size > 3 && withData.length > events.length * 0.5) return 50;
+      return 0;
+    }
+  },
+  {
+    id: "SN-014",
+    severity: "high",
+    title: "High-entropy payload transmission",
+    description: "MCP server is sending request bodies with unusually high entropy (randomness), suggesting encrypted or compressed data exfiltration. Legitimate API calls typically have structured, lower-entropy payloads.",
+    recommendation: "Investigate the payload contents. High entropy in outbound data often indicates stolen credentials or encrypted exfiltration.",
+    minEvents: 3,
+    timeWindowSeconds: 180,
+    detect: (events) => {
+      const highEntropyEvents = events.filter(
+        (e) => e.bodyEntropy !== void 0 && e.bodyEntropy > 7 && e.requestSize > 1e3
+      );
+      if (highEntropyEvents.length === 0) return 0;
+      const ratio = highEntropyEvents.length / events.length;
+      if (ratio > 0.5 && highEntropyEvents.length >= 5) return 90;
+      if (ratio > 0.3) return 70;
+      if (highEntropyEvents.length >= 3) return 55;
+      return 0;
+    }
+  },
+  {
+    id: "SN-015",
+    severity: "medium",
+    title: "Unexpected outbound connection during idle",
+    description: "MCP server made network requests when no user-initiated tool calls were active. Legitimate MCP servers should only make network requests in response to tool invocations.",
+    recommendation: "Review why this MCP server is making network requests when idle. This could indicate background beaconing or telemetry.",
+    minEvents: 2,
+    timeWindowSeconds: 60,
+    detect: (events) => {
+      if (events.length >= 3) return 50;
+      if (events.length >= 2) return 30;
+      return 0;
+    }
+  }
+];
+var CREDENTIAL_EXFIL_PATTERNS = [
+  {
+    id: "SN-020",
+    severity: "critical",
+    title: "SSH key in outbound request",
+    urlPattern: /[?&](?:key|data|payload|content|body)=[^&]*(?:ssh-rsa|ssh-ed25519|PRIVATE\s*KEY)/i,
+    description: "MCP server appears to be transmitting SSH key material in a URL parameter. This matches the Invariant Labs exfiltration attack vector.",
+    recommendation: "CRITICAL: Your SSH keys may be compromised. Rotate all SSH keys immediately."
+  },
+  {
+    id: "SN-021",
+    severity: "critical",
+    title: "API key/token in outbound URL",
+    urlPattern: /[?&](?:key|token|secret|api_key|apikey|auth|password|credential)=(?!(?:test|demo|example|placeholder))[A-Za-z0-9_-]{20,}/i,
+    description: "MCP server is transmitting what appears to be an API key or token in a URL parameter to an external destination.",
+    recommendation: "CRITICAL: Rotate the compromised API key/token immediately. Check your .env files for exposed secrets."
+  },
+  {
+    id: "SN-022",
+    severity: "critical",
+    title: "AWS credential in outbound request",
+    urlPattern: /(?:AKIA[0-9A-Z]{16}|(?:aws_secret_access_key|aws_access_key_id)\s*[:=]\s*[A-Za-z0-9/+=]{20,})/i,
+    description: "MCP server is transmitting AWS credentials. AWS access keys follow a known format (AKIA...).",
+    recommendation: "CRITICAL: Deactivate the compromised AWS keys immediately via IAM console."
+  }
+];
+function calculateThreatScore(findings) {
+  if (findings.length === 0) return 0;
+  let score = 0;
+  for (const f of findings) {
+    const severityWeight = f.severity === "critical" ? 30 : f.severity === "high" ? 20 : f.severity === "medium" ? 10 : f.severity === "low" ? 5 : 2;
+    score += severityWeight * (f.confidence / 100);
+  }
+  return Math.min(100, Math.round(score));
+}
+function threatLevelFromScore(score) {
+  if (score >= 70) return "critical";
+  if (score >= 40) return "malicious";
+  if (score >= 15) return "suspicious";
+  return "clean";
+}
+
+// src/sentinel/sentinel.ts
+var SentinelEngine = class {
+  events = [];
+  findings = [];
+  monitorProcess = null;
+  startTime = 0;
+  serverName;
+  durationSeconds;
+  onEvent;
+  constructor(options) {
+    this.serverName = options.serverName;
+    this.durationSeconds = options.durationSeconds || 120;
+    this.onEvent = options.onEvent;
+  }
+  /**
+   * Start monitoring network activity for the given MCP server.
+   *
+   * The monitor works in three modes depending on the OS and permissions:
+   *   1. macOS: Uses `nettop` or `networksetup` + `tcpdump`
+   *   2. Linux: Uses `ss` polling + optional `tcpdump`
+   *   3. Fallback: Uses Node.js HTTP/HTTPS module monkey-patching
+   *      (only captures Node.js HTTP requests from the current process tree)
+   */
+  async startMonitoring() {
+    this.startTime = Date.now();
+    this.events = [];
+    this.findings = [];
+    const method = this.detectMonitoringMethod();
+    switch (method) {
+      case "lsof-poll":
+        await this.startLsofPolling();
+        break;
+      case "ss-poll":
+        await this.startSsPolling();
+        break;
+      case "proxy":
+        await this.startProxyCapture();
+        break;
+    }
+  }
+  /**
+   * Stop monitoring and generate the report.
+   */
+  async stopMonitoring() {
+    if (this.monitorProcess) {
+      this.monitorProcess.kill("SIGTERM");
+      this.monitorProcess = null;
+    }
+    this.analyzeEvents();
+    const threatScore = calculateThreatScore(this.findings);
+    const threatLevel = threatLevelFromScore(threatScore);
+    const uniqueDestinations = [
+      ...new Set(
+        this.events.map((e) => {
+          try {
+            return new URL(e.url).hostname;
+          } catch {
+            return e.url;
+          }
+        })
+      )
+    ];
+    return {
+      serverName: this.serverName,
+      monitoringDuration: (Date.now() - this.startTime) / 1e3,
+      totalEvents: this.events.length,
+      uniqueDestinations,
+      findings: this.findings,
+      threatLevel,
+      threatScore,
+      startedAt: new Date(this.startTime).toISOString(),
+      endedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Feed a single network event into the engine (for real-time analysis).
+   */
+  ingestEvent(event) {
+    this.events.push(event);
+    this.onEvent?.(event);
+    this.checkEndpointPatterns(event);
+    this.checkCredentialPatterns(event);
+  }
+  // ── Detection Methods ──
+  /**
+   * Run all analysis on collected events.
+   */
+  analyzeEvents() {
+    for (const event of this.events) {
+      this.checkEndpointPatterns(event);
+      this.checkCredentialPatterns(event);
+    }
+    for (const pattern of BEHAVIORAL_PATTERNS) {
+      if (this.events.length < pattern.minEvents) continue;
+      const now = Date.now();
+      const windowStart = now - pattern.timeWindowSeconds * 1e3;
+      const windowEvents = this.events.filter((e) => e.timestamp >= windowStart);
+      if (windowEvents.length < pattern.minEvents) continue;
+      const confidence = pattern.detect(windowEvents);
+      if (confidence > 25) {
+        if (!this.findings.some((f) => f.id === pattern.id)) {
+          this.findings.push({
+            id: pattern.id,
+            category: pattern.id.startsWith("SN-01") ? "c2-beaconing" : pattern.id === "SN-012" ? "dns-tunneling" : pattern.id === "SN-013" ? "covert-channel" : "phone-home",
+            severity: pattern.severity,
+            title: pattern.title,
+            description: pattern.description,
+            serverName: this.serverName,
+            evidence: windowEvents.slice(0, 10),
+            // Cap evidence at 10 events
+            recommendation: pattern.recommendation,
+            confidence
+          });
+        }
+      }
+    }
+    const seen = /* @__PURE__ */ new Map();
+    for (const f of this.findings) {
+      const existing = seen.get(f.id);
+      if (!existing || f.confidence > existing.confidence) {
+        seen.set(f.id, f);
+      }
+    }
+    this.findings = Array.from(seen.values());
+  }
+  checkEndpointPatterns(event) {
+    for (const pattern of SUSPICIOUS_ENDPOINT_PATTERNS) {
+      if (pattern.urlPattern.test(event.url)) {
+        if (!this.findings.some((f) => f.id === pattern.id && f.evidence[0]?.url === event.url)) {
+          this.findings.push({
+            id: pattern.id,
+            category: "phone-home",
+            severity: pattern.severity,
+            title: pattern.title,
+            description: pattern.description,
+            serverName: this.serverName,
+            evidence: [event],
+            recommendation: pattern.recommendation,
+            confidence: 95
+          });
+        }
+      }
+    }
+  }
+  checkCredentialPatterns(event) {
+    for (const pattern of CREDENTIAL_EXFIL_PATTERNS) {
+      if (pattern.urlPattern.test(event.url)) {
+        this.findings.push({
+          id: pattern.id,
+          category: "data-exfiltration",
+          severity: pattern.severity,
+          title: pattern.title,
+          description: pattern.description,
+          serverName: this.serverName,
+          evidence: [event],
+          recommendation: pattern.recommendation,
+          confidence: 98
+        });
+      }
+    }
+  }
+  // ── Monitoring Methods ──
+  detectMonitoringMethod() {
+    try {
+      (0, import_child_process.execSync)("which lsof", { stdio: "pipe" });
+      return "lsof-poll";
+    } catch {
+      try {
+        (0, import_child_process.execSync)("which ss", { stdio: "pipe" });
+        return "ss-poll";
+      } catch {
+        return "proxy";
+      }
+    }
+  }
+  /**
+   * macOS/Linux: Poll `lsof` to capture network connections for a process.
+   * This is the lowest-privilege method — no root needed.
+   */
+  async startLsofPolling() {
+    const pollInterval = setInterval(() => {
+      try {
+        const output = (0, import_child_process.execSync)(
+          `lsof -i -n -P 2>/dev/null | grep -i "${this.serverName}" || true`,
+          { timeout: 5e3, encoding: "utf-8" }
+        );
+        for (const line of output.split("\n").filter(Boolean)) {
+          const event = this.parseLsofLine(line);
+          if (event) this.ingestEvent(event);
+        }
+      } catch {
+      }
+    }, 2e3);
+    this.monitorProcess = {
+      kill: () => clearInterval(pollInterval)
+    };
+    setTimeout(() => {
+      clearInterval(pollInterval);
+    }, this.durationSeconds * 1e3);
+  }
+  /**
+   * Linux: Poll `ss` (socket statistics) for network connections.
+   */
+  async startSsPolling() {
+    const pollInterval = setInterval(() => {
+      try {
+        const output = (0, import_child_process.execSync)(
+          `ss -tnp 2>/dev/null | grep "${this.serverName}" || true`,
+          { timeout: 5e3, encoding: "utf-8" }
+        );
+        for (const line of output.split("\n").filter(Boolean)) {
+          const event = this.parseSsLine(line);
+          if (event) this.ingestEvent(event);
+        }
+      } catch {
+      }
+    }, 2e3);
+    this.monitorProcess = {
+      kill: () => clearInterval(pollInterval)
+    };
+    setTimeout(() => {
+      clearInterval(pollInterval);
+    }, this.durationSeconds * 1e3);
+  }
+  /**
+   * Fallback: Start a lightweight MITM proxy that MCP traffic routes through.
+   * This requires the runtime proxy (Phase 3) to be active.
+   */
+  async startProxyCapture() {
+    console.warn(
+      "[Sentinel] Proxy capture requires the runtime proxy (coming soon). Using manual event ingestion mode."
+    );
+  }
+  // ── Parsers ──
+  parseLsofLine(line) {
+    const match = line.match(
+      /(\S+)\s+(\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+\S+->(\S+):(\d+)\s/
+    );
+    if (!match) return null;
+    const [, _command, _pid, remoteHost, remotePort] = match;
+    return {
+      timestamp: Date.now(),
+      serverName: this.serverName,
+      method: "TCP",
+      url: `https://${remoteHost}:${remotePort}/`,
+      destinationIp: remoteHost,
+      port: parseInt(remotePort, 10),
+      requestSize: 0,
+      tls: parseInt(remotePort, 10) === 443
+    };
+  }
+  parseSsLine(line) {
+    const match = line.match(
+      /ESTAB\s+\d+\s+(\d+)\s+\S+\s+(\S+):(\d+)/
+    );
+    if (!match) return null;
+    const [, sendQueue, remoteHost, remotePort] = match;
+    return {
+      timestamp: Date.now(),
+      serverName: this.serverName,
+      method: "TCP",
+      url: `https://${remoteHost}:${remotePort}/`,
+      destinationIp: remoteHost,
+      port: parseInt(remotePort, 10),
+      requestSize: parseInt(sendQueue, 10),
+      tls: parseInt(remotePort, 10) === 443
+    };
+  }
+};
+function getSentinelFeatures(tier) {
+  switch (tier) {
+    case "free":
+      return {
+        monitoringEnabled: false,
+        // Upgrade required
+        maxDurationSeconds: 0,
+        maxConcurrentServers: 0,
+        behavioralDetection: false,
+        realTimeAlerts: false,
+        historyRetentionDays: 0,
+        apiAccess: false
+      };
+    case "pro":
+      return {
+        monitoringEnabled: true,
+        maxDurationSeconds: 300,
+        // 5 minutes
+        maxConcurrentServers: 3,
+        behavioralDetection: true,
+        realTimeAlerts: false,
+        // Future: Team+ only
+        historyRetentionDays: 7,
+        apiAccess: true
+      };
+  }
+}
+var SENTINEL_MARKETING = {
+  tagline: "Always watching what your tools are doing.",
+  featureName: "Vigile Sentinel",
+  tierName: "Sentinel Protection",
+  upgradePrompt: "\u{1F6E1}\uFE0F Vigile Sentinel is a Pro feature. Upgrade at https://vigile.dev/pricing to monitor your MCP servers for real-time phone-home detection.",
+  categories: [
+    { icon: "\u{1F4E1}", name: "C2 Beaconing Detection", desc: "Catches tools phoning home on a schedule" },
+    { icon: "\u{1F510}", name: "Credential Theft Alerts", desc: "Detects SSH keys & API tokens leaving your machine" },
+    { icon: "\u{1F575}\uFE0F", name: "DNS Tunneling Detection", desc: "Spots data hidden in DNS queries" },
+    { icon: "\u{1F4CA}", name: "Behavioral Analysis", desc: "Machine-learning-ready traffic pattern analysis" },
+    { icon: "\u26A1", name: "Real-Time Alerts", desc: "Instant notification when threats are detected" },
+    { icon: "\u{1F6E1}\uFE0F", name: "Continuous Monitoring", desc: "24/7 protection for enterprise environments" }
+  ]
+};
+
 // src/output/terminal.ts
 var import_chalk = __toESM(require("chalk"));
 var TRUST_COLORS = {
@@ -1348,9 +1920,9 @@ var FILE_TYPE_LABELS = {
 };
 function printBanner() {
   console.log("");
-  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u2566  \u2566\u2566\u2554\u2550\u2557\u2566\u2566  "));
-  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u255A\u2557\u2554\u255D\u2551\u2551 \u2566\u2551\u2551  "));
-  console.log(import_chalk.default.bold.hex("#2C4A7C")("   \u255A\u255D \u2569\u255A\u2550\u255D\u2569\u2569\u2550\u255D"));
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u2566  \u2566\u2566\u2554\u2550\u2557\u2566\u2566  \u2554\u2550\u2557"));
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u255A\u2557\u2554\u255D\u2551\u2551 \u2566\u2551\u2551  \u2551\u2563 "));
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("   \u255A\u255D \u2569\u255A\u2550\u255D\u2569\u2569\u2550\u255D\u255A\u2550\u255D"));
   console.log(import_chalk.default.gray("  AI Agent Security Scanner"));
   console.log("");
 }
@@ -1506,14 +2078,309 @@ function scoreBar(score) {
   const color = score >= 80 ? import_chalk.default.green : score >= 60 ? import_chalk.default.yellow : score >= 40 ? import_chalk.default.hex("#FF8C00") : import_chalk.default.red;
   return color("\u2588".repeat(filled)) + import_chalk.default.gray("\u2591".repeat(empty));
 }
+var SENTINEL_THREAT_COLORS = {
+  clean: import_chalk.default.green,
+  suspicious: import_chalk.default.yellow,
+  malicious: import_chalk.default.red,
+  critical: import_chalk.default.bgRed.white.bold
+};
+var SENTINEL_THREAT_ICONS = {
+  clean: "\u2713",
+  suspicious: "\u26A0",
+  malicious: "\u2717",
+  critical: "!!!"
+};
+function printSentinelReport(report) {
+  const color = SENTINEL_THREAT_COLORS[report.threatLevel];
+  const icon = SENTINEL_THREAT_ICONS[report.threatLevel];
+  console.log("");
+  console.log(
+    import_chalk.default.bold(`  ${icon} `) + import_chalk.default.bold(`Sentinel: ${report.serverName}`) + "  " + color(`[Threat: ${report.threatScore}/100 ${report.threatLevel.toUpperCase()}]`)
+  );
+  console.log(import_chalk.default.gray(`    Monitored: ${report.monitoringDuration.toFixed(0)}s | Events: ${report.totalEvents} | Destinations: ${report.uniqueDestinations.length}`));
+  if (report.uniqueDestinations.length > 0) {
+    console.log(import_chalk.default.gray(`    Destinations:`));
+    for (const dest of report.uniqueDestinations.slice(0, 10)) {
+      console.log(import_chalk.default.gray(`      \u2192 ${dest}`));
+    }
+    if (report.uniqueDestinations.length > 10) {
+      console.log(import_chalk.default.gray(`      ... and ${report.uniqueDestinations.length - 10} more`));
+    }
+  }
+  if (report.findings.length === 0) {
+    console.log(import_chalk.default.green("    No suspicious network behavior detected."));
+  } else {
+    console.log(import_chalk.default.dim(`    ${report.findings.length} finding(s):`));
+    for (const finding of report.findings) {
+      const fColor = SEVERITY_COLORS[finding.severity];
+      const fIcon = SEVERITY_ICONS[finding.severity];
+      console.log(
+        `      ${fColor(`[${fIcon}]`)} ${fColor(finding.severity.toUpperCase())} ` + import_chalk.default.white(finding.title) + import_chalk.default.gray(` (${finding.id})`)
+      );
+      console.log(import_chalk.default.gray(`          ${finding.description}`));
+      if (finding.evidence && finding.evidence.length > 0) {
+        console.log(import_chalk.default.gray(`          Evidence: ${finding.evidence.length} network event(s)`));
+      }
+      console.log(import_chalk.default.cyan(`          \u2192 ${finding.recommendation}`));
+    }
+  }
+  console.log(import_chalk.default.gray(`    ${report.startedAt} \u2192 ${report.endedAt}`));
+  console.log("");
+}
+function printSentinelUpgrade() {
+  console.log("");
+  console.log(import_chalk.default.bold.hex("#2C4A7C")(`  \u{1F6E1}\uFE0F  ${SENTINEL_MARKETING.featureName}`));
+  console.log(import_chalk.default.white(`  ${SENTINEL_MARKETING.tagline}`));
+  console.log("");
+  for (const cat of SENTINEL_MARKETING.categories) {
+    console.log(import_chalk.default.white(`    ${cat.icon}  ${import_chalk.default.bold(cat.name)}`));
+    console.log(import_chalk.default.gray(`       ${cat.desc}`));
+  }
+  console.log("");
+  console.log(import_chalk.default.yellow(`  \u26A1 Sentinel is a Pro feature. Upgrade to unlock runtime monitoring:`));
+  console.log(import_chalk.default.cyan(`     https://vigile.dev/pricing`));
+  console.log("");
+  console.log(import_chalk.default.gray(`  Pro ($19/mo)       \u2014 5-min sessions, 3 servers`));
+  console.log(import_chalk.default.gray(`  Team ($99/mo)      \u2014 30-min sessions, 10 servers, real-time alerts`));
+  console.log(import_chalk.default.gray(`  Enterprise ($999+) \u2014 Unlimited, custom rules, SLA`));
+  console.log("");
+}
+function printAuthStatus(info) {
+  if (info.authenticated) {
+    console.log(import_chalk.default.green(`  Authenticated as ${info.email}`));
+    console.log(import_chalk.default.gray(`    Tier: ${(info.tier || "free").toUpperCase()}`));
+    if (info.name) {
+      console.log(import_chalk.default.gray(`    Name: ${info.name}`));
+    }
+    console.log(
+      import_chalk.default.gray(
+        `    Source: ${info.source === "env" ? "VIGILE_TOKEN env var" : "~/.vigile/config.json"}`
+      )
+    );
+  } else {
+    console.log(import_chalk.default.yellow("  Not authenticated."));
+    if (info.error) {
+      console.log(import_chalk.default.red(`    Error: ${info.error}`));
+    }
+    console.log(import_chalk.default.gray("  Run `vigile-scan auth login` or set VIGILE_TOKEN to authenticate."));
+  }
+  console.log("");
+}
+function printAuthLoginSuccess(email, tier) {
+  console.log("");
+  console.log(import_chalk.default.green("  Authenticated successfully!"));
+  console.log(import_chalk.default.gray(`    Email: ${email}`));
+  console.log(import_chalk.default.gray(`    Tier:  ${tier.toUpperCase()}`));
+  console.log(import_chalk.default.gray("    Token stored in ~/.vigile/config.json"));
+  console.log("");
+}
+function printUploadSuccess(summary) {
+  const total = summary.mcpUploaded + summary.skillsUploaded;
+  if (total > 0) {
+    console.log(import_chalk.default.green(`  Uploaded ${total} result(s) to Vigile registry.`));
+    if (summary.mcpUploaded > 0) {
+      console.log(import_chalk.default.gray(`    MCP servers: ${summary.mcpUploaded}`));
+    }
+    if (summary.skillsUploaded > 0) {
+      console.log(import_chalk.default.gray(`    Skills: ${summary.skillsUploaded}`));
+    }
+  }
+  if (summary.failures > 0) {
+    console.log(import_chalk.default.yellow(`  ${summary.failures} upload(s) failed (results saved locally).`));
+  }
+  console.log("");
+}
+function printUploadSkipped(reason) {
+  if (reason === "not-authenticated") {
+    console.log(
+      import_chalk.default.gray("  Tip: Run `vigile-scan auth login` to upload results to the Vigile registry.")
+    );
+    console.log("");
+  }
+}
 
 // src/output/json.ts
 function formatJSON(summary) {
   return JSON.stringify(summary, null, 2);
 }
 
+// src/api/auth.ts
+var import_promises3 = require("fs/promises");
+var import_path8 = require("path");
+var import_os2 = require("os");
+
+// src/api/client.ts
+var DEFAULT_API_URL = "https://api.vigile.dev";
+var API_TIMEOUT_MS = 15e3;
+var CLI_VERSION = "0.2.0";
+var VigileApiClient = class {
+  baseUrl;
+  token;
+  constructor(baseUrl, token) {
+    this.baseUrl = (baseUrl || process.env.VIGILE_API_URL || DEFAULT_API_URL).replace(/\/+$/, "");
+    this.token = token || null;
+  }
+  get isAuthenticated() {
+    return this.token !== null && this.token.length > 0;
+  }
+  // ── Private helpers ──
+  async request(method, path, body) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
+    const headers = {
+      "Content-Type": "application/json",
+      "User-Agent": `vigile-cli/${CLI_VERSION}`
+    };
+    if (this.token) {
+      headers["Authorization"] = `Bearer ${this.token}`;
+    }
+    try {
+      const response = await fetch(`${this.baseUrl}${path}`, {
+        method,
+        headers,
+        body: body ? JSON.stringify(body) : void 0,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorBody = await response.text();
+        let errorMessage;
+        try {
+          const parsed = JSON.parse(errorBody);
+          errorMessage = typeof parsed.detail === "string" ? parsed.detail : JSON.stringify(parsed.detail);
+        } catch {
+          errorMessage = errorBody || `HTTP ${response.status}`;
+        }
+        return { ok: false, error: errorMessage, status: response.status };
+      }
+      const data = await response.json();
+      return { ok: true, data };
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err instanceof Error && err.name === "AbortError") {
+        return { ok: false, error: "Request timed out", status: 0 };
+      }
+      return {
+        ok: false,
+        error: err instanceof Error ? err.message : "Network error",
+        status: 0
+      };
+    }
+  }
+  // ── Auth ──
+  async getMe() {
+    return this.request("GET", "/api/v1/auth/me");
+  }
+  // ── Scanning ──
+  async submitMCPScan(payload) {
+    return this.request("POST", "/api/v1/scan/", payload);
+  }
+  async submitSkillScan(payload) {
+    return this.request("POST", "/api/v1/scan/skill", payload);
+  }
+  // ── Sentinel ──
+  async createSentinelSession(serverName, durationSeconds, client = "cli") {
+    return this.request("POST", "/api/v1/sentinel/sessions", {
+      server_name: serverName,
+      duration_seconds: durationSeconds,
+      client
+    });
+  }
+  async submitSentinelEvents(sessionId, events) {
+    return this.request(
+      "POST",
+      `/api/v1/sentinel/sessions/${sessionId}/events`,
+      { session_id: sessionId, events }
+    );
+  }
+  async analyzeSentinelSession(sessionId) {
+    return this.request(
+      "POST",
+      `/api/v1/sentinel/sessions/${sessionId}/analyze`
+    );
+  }
+};
+
+// src/api/auth.ts
+var CONFIG_DIR = (0, import_path8.join)((0, import_os2.homedir)(), ".vigile");
+var CONFIG_FILE = (0, import_path8.join)(CONFIG_DIR, "config.json");
+async function resolveToken() {
+  const envToken = process.env.VIGILE_TOKEN;
+  if (envToken && envToken.length > 0) {
+    return envToken;
+  }
+  const config = await loadConfig();
+  return config.token || null;
+}
+async function resolveApiUrl() {
+  const envUrl = process.env.VIGILE_API_URL;
+  if (envUrl) return envUrl;
+  const config = await loadConfig();
+  return config.api_url || "https://api.vigile.dev";
+}
+async function loadConfig() {
+  try {
+    const raw = await (0, import_promises3.readFile)(CONFIG_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+async function saveConfig(config) {
+  await (0, import_promises3.mkdir)(CONFIG_DIR, { recursive: true });
+  await (0, import_promises3.writeFile)(CONFIG_FILE, JSON.stringify(config, null, 2), {
+    mode: 384
+    // Owner read/write only
+  });
+}
+async function authLogin(token) {
+  const apiUrl = await resolveApiUrl();
+  const client = new VigileApiClient(apiUrl, token);
+  const result = await client.getMe();
+  if (!result.ok) {
+    return { success: false, error: result.error };
+  }
+  const config = await loadConfig();
+  config.token = token;
+  config.user = {
+    email: result.data.email,
+    tier: result.data.tier,
+    name: result.data.name || void 0
+  };
+  await saveConfig(config);
+  return { success: true, user: result.data };
+}
+async function authStatus() {
+  const envToken = process.env.VIGILE_TOKEN;
+  const config = await loadConfig();
+  const token = envToken || config.token;
+  if (!token) {
+    return { authenticated: false };
+  }
+  const source = envToken ? "env" : "config";
+  const apiUrl = await resolveApiUrl();
+  const client = new VigileApiClient(apiUrl, token);
+  const result = await client.getMe();
+  if (!result.ok) {
+    return { authenticated: false, source, error: result.error };
+  }
+  return { authenticated: true, source, user: result.data };
+}
+async function authLogout() {
+  const config = await loadConfig();
+  delete config.token;
+  delete config.user;
+  await saveConfig(config);
+}
+async function getAuthenticatedClient() {
+  const token = await resolveToken();
+  if (!token) return null;
+  const apiUrl = await resolveApiUrl();
+  return new VigileApiClient(apiUrl, token);
+}
+
 // src/index.ts
-var VERSION = "0.1.2";
+var VERSION = "0.2.0";
 var program = new import_commander.Command();
 program.name("vigile-scan").description(
   "Security scanner for AI agent tools \u2014 detect tool poisoning, permission abuse, and supply chain attacks in MCP servers and agent skills"
@@ -1522,7 +2389,7 @@ function addScanOptions(cmd) {
   return cmd.option("-j, --json", "Output results as JSON").option("-v, --verbose", "Show detailed findings and score breakdown").option("-c, --config <path>", "Path to a custom MCP config file").option("-o, --output <path>", "Write results to a file").option(
     "--client <client>",
     "Only scan a specific client (claude-desktop, cursor, claude-code, windsurf, vscode)"
-  ).option("-s, --skills", "Scan agent skills only (SKILL.md, .mdc rules, CLAUDE.md, etc.)").option("-a, --all", "Scan both MCP servers and agent skills");
+  ).option("-s, --skills", "Scan agent skills only (SKILL.md, .mdc rules, CLAUDE.md, etc.)").option("-a, --all", "Scan both MCP servers and agent skills").option("--sentinel", "Enable Sentinel runtime monitoring (Pro+ feature)").option("--sentinel-server <name>", "Monitor a specific MCP server by name").option("--sentinel-duration <seconds>", "Monitoring duration in seconds (default: 120)", parseInt).option("--no-upload", "Skip uploading scan results to Vigile API");
 }
 addScanOptions(
   program.command("scan").description("Scan MCP server configurations and agent skill files on this machine")
@@ -1530,12 +2397,48 @@ addScanOptions(
   await runScan(options);
 });
 addScanOptions(program).action(async (options) => {
-  if (!process.argv.slice(2).includes("scan")) {
+  if (!process.argv.slice(2).includes("scan") && !process.argv.slice(2).includes("auth")) {
     await runScan(options);
   }
 });
+var authCmd = program.command("auth").description("Manage Vigile API authentication");
+authCmd.command("login").description("Authenticate with your Vigile API key").argument("[token]", "API key (vgl_...) or JWT token. If omitted, reads from VIGILE_TOKEN env var.").action(async (token) => {
+  const resolvedToken = token || process.env.VIGILE_TOKEN;
+  if (!resolvedToken) {
+    console.log(import_chalk2.default.red("  No token provided. Pass a token argument or set VIGILE_TOKEN env var."));
+    console.log(import_chalk2.default.gray("  Usage: vigile-scan auth login <vgl_your_api_key>"));
+    console.log(import_chalk2.default.gray("  Get an API key at https://vigile.dev/account"));
+    process.exit(1);
+  }
+  const spinner = (0, import_ora.default)("Validating token...").start();
+  const result = await authLogin(resolvedToken);
+  if (result.success && result.user) {
+    spinner.succeed("Token validated");
+    printAuthLoginSuccess(result.user.email, result.user.tier);
+  } else {
+    spinner.fail("Authentication failed");
+    console.log(import_chalk2.default.red(`  Error: ${result.error || "Unknown error"}`));
+    process.exit(1);
+  }
+});
+authCmd.command("status").description("Show current authentication status").action(async () => {
+  const result = await authStatus();
+  printAuthStatus({
+    authenticated: result.authenticated,
+    source: result.source,
+    email: result.user?.email,
+    tier: result.user?.tier,
+    name: result.user?.name || void 0,
+    error: result.error
+  });
+});
+authCmd.command("logout").description("Clear stored credentials").action(async () => {
+  await authLogout();
+  console.log(import_chalk2.default.green("  Logged out. Credentials removed from ~/.vigile/config.json"));
+  console.log("");
+});
 async function runScan(options) {
-  const isJSON = options.json;
+  const isJSON = options.json ?? false;
   const scanMCP = !options.skills;
   const scanSkills = options.skills || options.all;
   if (!isJSON) {
@@ -1625,7 +2528,7 @@ async function runScan(options) {
   if (isJSON) {
     const jsonOutput = formatJSON(summary);
     if (options.output) {
-      await (0, import_promises3.writeFile)(options.output, jsonOutput);
+      await (0, import_promises4.writeFile)(options.output, jsonOutput);
     } else {
       console.log(jsonOutput);
     }
@@ -1643,13 +2546,241 @@ async function runScan(options) {
     }
     printSummary(summary);
     if (options.output) {
-      await (0, import_promises3.writeFile)(options.output, formatJSON(summary));
+      await (0, import_promises4.writeFile)(options.output, formatJSON(summary));
       console.log(`  Results saved to ${options.output}`);
     }
   }
+  if (options.noUpload !== true) {
+    await uploadResults(results, skillResults, isJSON);
+  }
+  if (options.sentinel) {
+    await runSentinel(options, results, isJSON);
+  }
   if (summary.bySeverity.critical > 0 || summary.bySeverity.high > 0) {
     process.exit(1);
   }
 }
+async function uploadResults(mcpResults, skillResults, isJSON) {
+  const client = await getAuthenticatedClient();
+  if (!client) {
+    if (!isJSON) {
+      printUploadSkipped("not-authenticated");
+    }
+    return;
+  }
+  const summary = {
+    mcpUploaded: 0,
+    skillsUploaded: 0,
+    failures: 0,
+    errors: []
+  };
+  const spinner = isJSON ? null : (0, import_ora.default)("Uploading results to Vigile registry...").start();
+  for (const result of mcpResults) {
+    const payload = mapMCPResultToApiPayload(result);
+    const response = await client.submitMCPScan(payload);
+    if (response.ok) {
+      summary.mcpUploaded++;
+    } else {
+      summary.failures++;
+      summary.errors.push(`${result.server.name}: ${response.error}`);
+    }
+  }
+  for (const result of skillResults) {
+    const payload = mapSkillResultToApiPayload(result);
+    const response = await client.submitSkillScan(payload);
+    if (response.ok) {
+      summary.skillsUploaded++;
+    } else {
+      summary.failures++;
+      summary.errors.push(`${result.skill.name}: ${response.error}`);
+    }
+  }
+  if (spinner) {
+    const total = summary.mcpUploaded + summary.skillsUploaded;
+    if (total > 0 && summary.failures === 0) {
+      spinner.succeed(`Uploaded ${total} result(s) to Vigile registry`);
+    } else if (total > 0 && summary.failures > 0) {
+      spinner.warn(`Uploaded ${total} result(s), ${summary.failures} failed`);
+    } else {
+      spinner.fail("Upload failed");
+    }
+  }
+  if (!isJSON) {
+    printUploadSuccess(summary);
+  }
+}
+function mapMCPResultToApiPayload(result) {
+  let packageUrl;
+  if (result.server.command === "npx") {
+    const packageName = result.server.args.find((a) => !a.startsWith("-"));
+    if (packageName) {
+      packageUrl = `https://www.npmjs.com/package/${packageName}`;
+    }
+  } else if (result.server.command === "uvx" || result.server.command === "pip") {
+    const packageName = result.server.args.find((a) => !a.startsWith("-"));
+    if (packageName) {
+      packageUrl = `https://pypi.org/project/${packageName}/`;
+    }
+  }
+  const toolDescriptions = result.server.args.filter((a) => !a.startsWith("-"));
+  return {
+    server_name: result.server.name,
+    source: "manual",
+    // CLI-discovered servers are always manual source
+    package_url: packageUrl,
+    description: `MCP server discovered from ${result.server.source} config`,
+    tool_descriptions: toolDescriptions.length > 0 ? toolDescriptions : void 0
+  };
+}
+function mapSkillResultToApiPayload(result) {
+  const platformMap = {
+    "claude-code": "claude-code",
+    "github-copilot": "copilot",
+    "cursor": "cursor",
+    "memory-file": "unknown",
+    "custom": "unknown"
+  };
+  return {
+    skill_name: result.skill.name,
+    content: result.skill.content,
+    file_type: result.skill.fileType,
+    platform: platformMap[result.skill.source] || "unknown",
+    source: "manual"
+    // CLI submissions are always manual source
+  };
+}
+function mapNetworkEventToApi(event) {
+  return {
+    timestamp: event.timestamp,
+    server_name: event.serverName,
+    method: event.method,
+    url: event.url,
+    destination_ip: event.destinationIp || null,
+    port: event.port,
+    request_size: event.requestSize,
+    response_size: event.responseSize ?? null,
+    status_code: event.statusCode ?? null,
+    headers: event.headers || null,
+    dns_query_type: event.dnsQueryType ?? null,
+    tls: event.tls,
+    body_hash: event.bodyHash ?? null,
+    body_entropy: event.bodyEntropy ?? null
+  };
+}
+async function runSentinel(options, scanResults, isJSON) {
+  const client = await getAuthenticatedClient();
+  let tier = "free";
+  if (client) {
+    const meResult = await client.getMe();
+    if (meResult.ok) {
+      tier = meResult.data.tier;
+    }
+  } else {
+    tier = process.env.VIGILE_TIER || "free";
+  }
+  const features = getSentinelFeatures(tier);
+  if (!features.monitoringEnabled) {
+    if (!isJSON) {
+      printSentinelUpgrade();
+    } else {
+      console.log(
+        JSON.stringify({
+          sentinel: { error: "upgrade_required", message: SENTINEL_MARKETING.upgradePrompt }
+        })
+      );
+    }
+    return;
+  }
+  const serversToMonitor = [];
+  if (options.sentinelServer) {
+    serversToMonitor.push(options.sentinelServer);
+  } else if (scanResults.length > 0) {
+    const limit = features.maxConcurrentServers === -1 ? scanResults.length : Math.min(scanResults.length, features.maxConcurrentServers);
+    for (let i = 0; i < limit; i++) {
+      serversToMonitor.push(scanResults[i].server.name);
+    }
+  } else {
+    if (!isJSON) {
+      console.log(
+        import_chalk2.default.yellow("  No MCP servers to monitor. Run a scan first or specify --sentinel-server <name>.")
+      );
+    }
+    return;
+  }
+  const requestedDuration = options.sentinelDuration || 120;
+  const maxDuration = features.maxDurationSeconds === -1 ? requestedDuration : features.maxDurationSeconds;
+  const duration = Math.min(requestedDuration, maxDuration);
+  if (!isJSON) {
+    console.log("");
+    console.log(import_chalk2.default.bold.hex("#2C4A7C")("  \u{1F6E1}\uFE0F  Vigile Sentinel \u2014 Runtime Monitor"));
+    console.log(
+      import_chalk2.default.gray(`  Tier: ${tier.toUpperCase()} | Duration: ${duration}s | Servers: ${serversToMonitor.length}`)
+    );
+    console.log("");
+  }
+  const sentinelReports = [];
+  for (const serverName of serversToMonitor) {
+    let apiSessionId = null;
+    if (client) {
+      const sessionResult = await client.createSentinelSession(serverName, duration);
+      if (sessionResult.ok) {
+        apiSessionId = sessionResult.data.session_id;
+      }
+    }
+    const spinner = isJSON ? null : (0, import_ora.default)(`Monitoring ${serverName} for ${duration}s...`).start();
+    let pendingApiEvents = [];
+    let lastApiSubmit = Date.now();
+    const engine = new SentinelEngine({
+      serverName,
+      durationSeconds: duration,
+      onEvent: (event) => {
+        if (!isJSON && spinner) {
+          spinner.text = `Monitoring ${serverName} \u2014 ${engine.events.length} events captured...`;
+        }
+        if (apiSessionId !== null && client) {
+          pendingApiEvents.push(event);
+          const now = Date.now();
+          if (now - lastApiSubmit > 5e3 && pendingApiEvents.length > 0) {
+            const eventsToSubmit = pendingApiEvents.map(mapNetworkEventToApi);
+            pendingApiEvents = [];
+            lastApiSubmit = now;
+            client.submitSentinelEvents(apiSessionId, eventsToSubmit).catch(() => {
+            });
+          }
+        }
+      }
+    });
+    await engine.startMonitoring();
+    await new Promise((resolve) => setTimeout(resolve, duration * 1e3));
+    const report = await engine.stopMonitoring();
+    sentinelReports.push(report);
+    if (apiSessionId !== null && client) {
+      if (pendingApiEvents.length > 0) {
+        const finalEvents = pendingApiEvents.map(mapNetworkEventToApi);
+        await client.submitSentinelEvents(apiSessionId, finalEvents);
+      }
+      const apiReport = await client.analyzeSentinelSession(apiSessionId);
+      if (apiReport.ok && !isJSON) {
+        console.log(
+          import_chalk2.default.gray(
+            `    API Analysis: ${apiReport.data.findings.length} findings, threat: ${apiReport.data.threat_level}`
+          )
+        );
+      }
+    }
+    if (spinner) {
+      spinner.succeed(
+        `${serverName}: ${report.totalEvents} events, ${report.findings.length} findings [${report.threatLevel.toUpperCase()}]`
+      );
+    }
+  }
+  if (isJSON) {
+    console.log(JSON.stringify({ sentinel: sentinelReports }, null, 2));
+  } else {
+    for (const report of sentinelReports) {
+      printSentinelReport(report);
+    }
+  }
+}
 program.parse();
 //# sourceMappingURL=index.js.map