Add Claude observability tracing and diagnostics UI

tests/security-middleware.test.ts

@@ -155,3 +155,41 @@ test("secure executor runs with explicit env policy", async () => {
   assert.equal(result.stdout, "ok|\n");
   assert.equal(streamedStdout, result.stdout);
 });
+
+test("rules engine carries session context in tool audit events", () => {
+  const events: Array<Record<string, unknown>> = [];
+  const rules = new SecurityRulesEngine(
+    {
+      allowedBinaries: ["git"],
+      worktreeRoot: "/tmp",
+      protectedPaths: [],
+      requireCwdWithinWorktree: true,
+      rejectRelativePathTraversal: true,
+      enforcePathBoundaryOnArguments: true,
+      allowedEnvAssignments: [],
+      blockedEnvAssignments: [],
+    },
+    (event) => {
+      events.push(event as unknown as Record<string, unknown>);
+    },
+  );
+
+  rules.assertToolInvocationAllowed({
+    tool: "git",
+    toolClearance: {
+      allowlist: ["git"],
+      banlist: [],
+    },
+    context: {
+      sessionId: "session-ctx",
+      nodeId: "node-ctx",
+      attempt: 2,
+    },
+  });
+
+  const allowedEvent = events.find((event) => event.type === "tool.invocation_allowed");
+  assert.ok(allowedEvent);
+  assert.equal(allowedEvent.sessionId, "session-ctx");
+  assert.equal(allowedEvent.nodeId, "node-ctx");
+  assert.equal(allowedEvent.attempt, 2);
+});