@mneme-ai/core 2.85.0 → 2.87.0

package/dist/hephaestus/index.d.ts

@@ -0,0 +1,192 @@
+/**
+ * v2.86.0 — HEPHAESTUS (Ἥφαιστος, the smith god) · GEPHYRA's OS lane.
+ *
+ * NOT "an AI that runs commands" (that's Grok Computer / Warp / Claude Code —
+ * crowded, we'd lose). HEPHAESTUS is the neutral SUBSTRATE a shell + AI run ON:
+ * every command that wants to touch the machine first CROSSES it — gets risk-
+ * classified, policy-gated, optionally judged by a cross-vendor tribunal, has its
+ * output immune-scanned, and is recorded as a signed, tamper-evident crossing
+ * (who: human vs which AI). It is GEPHYRA's claim-crossing, applied to COMMANDS.
+ *
+ * DECISION-FIRST, EXECUTION-OPTIONAL: the value is the SIGNED VERDICT (ALLOW /
+ * NEEDS_COSIGN / BLOCK + reasons + tribunal + provenance), not the runner. The
+ * gate is pure logic → deterministic + identical across every OS. Execution is a
+ * separate, guarded, opt-in step.
+ *
+ * THE SAFETY INVARIANT (pinned in tests): a DESTRUCTIVE command can NEVER be ALLOW
+ * without an explicit co-sign. A fox cannot guard its own henhouse — so for
+ * destructive ops a cross-vendor tribunal (Grok+Gemini+Claude, UNcorrelated errors)
+ * judges, and Mneme — owned by no vendor — is the only legitimate convener.
+ *
+ * Composes flight_recorder (the black box) + notary (the stamp) + mesh_immune
+ * (injection scan). Never throws — every organ degrades gracefully.
+ */
+import { type MeshThreat } from "../mesh_immune/index.js";
+import { type NotaryReceipt } from "../notary/index.js";
+export type CommandRisk = "read" | "write" | "destructive";
+export type Disposition = "ALLOW" | "NEEDS_COSIGN" | "BLOCK";
+export type TribunalConsensus = "safe" | "danger" | "split";
+export interface RiskClassification {
+    risk: CommandRisk;
+    signals: string[];
+}
+/**
+ * Classify a command's blast radius. Destructive wins, then write, then read.
+ * UNKNOWN defaults to "write" (conservative — gets policy-gated, never silently
+ * treated as harmless). Deterministic + OS-agnostic (pure pattern logic).
+ */
+export declare function classifyCommandRisk(command: string): RiskClassification;
+export interface Policy {
+    /** Destructive commands require an explicit human co-sign. Default true. */
+    destructiveNeedsCosign: boolean;
+    /** On hosts tagged prod, anything beyond read-only is blocked. Default false. */
+    prodReadOnly: boolean;
+}
+export declare const DEFAULT_POLICY: Policy;
+/** Parse a one-time, plain-language policy ("destructive must co-sign, prod is read-only"). */
+export declare function parsePolicy(text: string): Policy;
+export interface CrossCommandInput {
+    command: string;
+    /** Who is asking — "human" or an AI agent id (claude/grok/gemini/cursor/...). */
+    agent: string;
+    /** Optional host/context tag (e.g. "prod-db-1"). "prod" substring triggers prodReadOnly. */
+    host?: string;
+    /** A human co-sign was provided out-of-band for a destructive op. */
+    cosigned?: boolean;
+}
+export interface CrossCommandDeps {
+    policy?: Policy;
+    /** The cross-vendor TRIBUNAL — judge a destructive command via independent
+     *  vendors (e.g. via diff_arena adapters). Mneme is the neutral convener.
+     *  Returns each vendor's verdict + the consensus. Pluggable; CLI/MCP wire it. */
+    tribunal?: (command: string, risk: CommandRisk) => Promise<{
+        verdicts: Array<{
+            vendor: string;
+            verdict: "safe" | "danger";
+        }>;
+        consensus: TribunalConsensus;
+    }>;
+    now?: number;
+}
+export interface CrossCommandResult {
+    disposition: Disposition;
+    risk: CommandRisk;
+    signals: string[];
+    reasons: string[];
+    agent: string;
+    host: string | null;
+    /** provenance: was the requester a human or an AI? */
+    origin: "human" | "ai";
+    threats: MeshThreat[];
+    tribunal?: {
+        verdicts: Array<{
+            vendor: string;
+            verdict: "safe" | "danger";
+        }>;
+        consensus: TribunalConsensus;
+    };
+    /** The tamper-evident signed crossing (flight-recorder frame's NOTARY receipt). */
+    receipt: NotaryReceipt | null;
+    degraded: string[];
+}
+/**
+ * Cross a command into the OS: classify → immune-scan → policy/tribunal gate →
+ * record a signed provenance frame → return the verdict. NEVER executes here and
+ * NEVER throws. The SAFETY INVARIANT holds: destructive ⇒ never ALLOW without a
+ * co-sign (or a unanimous-safe tribunal under a no-cosign policy).
+ */
+export declare function crossCommand(repoRoot: string, input: CrossCommandInput, deps?: CrossCommandDeps): Promise<CrossCommandResult>;
+export type Platform = "linux" | "macos" | "powershell";
+export declare function currentPlatform(): Platform;
+/** Translate a canonical intent to the right shell for a platform (default: this OS). */
+export declare function polyglot(intent: string, platform?: Platform): {
+    intent: string;
+    platform: Platform;
+    command: string;
+} | null;
+export declare function polyglotIntents(): string[];
+export declare function scanCommandOutput(output: string): {
+    clean: boolean;
+    threats: MeshThreat[];
+};
+export interface ExecResult {
+    ran: boolean;
+    reason: string;
+    exitCode: number | null;
+    stdout: string;
+    stderr: string;
+    outputThreats: MeshThreat[];
+    receipt: NotaryReceipt | null;
+}
+/**
+ * Execute a command ONLY if its crossing verdict is ALLOW. Captures stdout/stderr/
+ * exit, immune-scans the output (so the AI isn't pwned by what it reads), and
+ * records the result. Refuses anything not ALLOW. Cross-platform (uses the OS shell).
+ */
+export declare function executeGuarded(repoRoot: string, input: {
+    command: string;
+    agent: string;
+    disposition: Disposition;
+    timeoutMs?: number;
+}): Promise<ExecResult>;
+export interface HephStatus {
+    crossings: number;
+    allowed: number;
+    needsCosign: number;
+    blocked: number;
+    chainValid: boolean;
+}
+/** Live HEPHAESTUS status from the shared flight-recorder black box. */
+export declare function hephaestusStatus(repoRoot: string): HephStatus;
+/** Verify a HEPHAESTUS crossing/execution receipt offline. */
+export declare function verifyHephReceipt(receipt: unknown): {
+    valid: boolean;
+    reason: string;
+};
+import type { VendorAdapter } from "../diff_arena/adapters.js";
+/** A tribunal juror = a diff_arena vendor adapter (use mockAdapter/httpAdapter/cliAdapter). */
+export type TribunalVendor = VendorAdapter;
+/**
+ * Build a real cross-vendor TRIBUNAL backed by diff_arena. Each vendor judges the
+ * command INDEPENDENTLY ("safe"/"danger") — errors are UNcorrelated across vendors,
+ * so the panel catches a blind spot a single-vendor ensemble can't. Mneme is the
+ * neutral convener (no vendor owns the judge). With no live vendors configured it
+ * fails SAFE (consensus "danger" ⇒ a destructive op is blocked) rather than waving
+ * it through. Wire real vendors via diff_arena's httpAdapter/cliAdapter (API keys);
+ * tests/offline pass deterministic vendor stubs.
+ */
+export declare function makeDiffArenaTribunal(repoRoot: string, opts?: {
+    vendors?: TribunalVendor[];
+}): NonNullable<CrossCommandDeps["tribunal"]>;
+export interface Reversibility {
+    reversible: boolean;
+    effects: string[];
+    irreversibleWarnings: string[];
+}
+/** Deterministically classify whether a command's effect can be undone. */
+export declare function classifyReversibility(command: string): Reversibility;
+export interface PreflightResult {
+    command: string;
+    risk: CommandRisk;
+    reversible: boolean;
+    effects: string[];
+    irreversibleWarnings: string[];
+    /** Optional cross-vendor effect prediction (free text). */
+    prediction?: string;
+    /** Signed pre-mortem receipt — provable "we previewed + warned before crossing". */
+    receipt: NotaryReceipt | null;
+}
+/**
+ * 🔮 Pre-flight a command BEFORE crossing: predict blast radius + flag what cannot
+ * be undone + (optionally) ask a panel to predict the effect — and SIGN the
+ * pre-mortem. Never executes. The proof that the irreversible was foreseen + warned.
+ */
+export declare function preflightCommand(repoRoot: string, input: {
+    command: string;
+    agent: string;
+}, deps?: {
+    predict?: (command: string) => Promise<string>;
+}): Promise<PreflightResult>;
+/** Materialise a tribunal panel from env-present vendor keys (zero keys ⇒ [] ⇒ fail-safe BLOCK). */
+export declare function tribunalVendorsFromEnv(): Promise<TribunalVendor[]>;
+//# sourceMappingURL=index.d.ts.map

package/dist/hephaestus/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hephaestus/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAmC,KAAK,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC3F,OAAO,EAAiB,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEvE,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,OAAO,GAAG,aAAa,CAAC;AAC3D,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,cAAc,GAAG,OAAO,CAAC;AAC7D,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE5D,MAAM,WAAW,kBAAkB;IAAG,IAAI,EAAE,WAAW,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE;AA2C5E;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAUvE;AAED,MAAM,WAAW,MAAM;IACrB,4EAA4E;IAC5E,sBAAsB,EAAE,OAAO,CAAC;IAChC,iFAAiF;IACjF,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,eAAO,MAAM,cAAc,EAAE,MAA8D,CAAC;AAE5F,+FAA+F;AAC/F,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAUhD;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,iFAAiF;IACjF,KAAK,EAAE,MAAM,CAAC;IACd,4FAA4F;IAC5F,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;qFAEiF;IACjF,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAAA;SAAE,CAAC,CAAC;QAAC,SAAS,EAAE,iBAAiB,CAAA;KAAE,CAAC,CAAC;IAC9J,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,WAAW,CAAC;IACzB,IAAI,EAAE,WAAW,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,sDAAsD;IACtD,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAAA;SAAE,CAAC,CAAC;QAAC,SAAS,EAAE,iBAAiB,CAAA;KAAE,CAAC;IAC7G,mFAAmF;IACnF,OAAO,EAAE,aAAa,GAAG,IAAI,CAAC;IAC9B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAuEvI;AAGD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,YAAY,CAAC;AAaxD,wBAAgB,eAAe,IAAI,QAAQ,CAE1C;AAED,yFAAyF;AACzF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAM5H;AAED,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAAkC;AAG7E,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,UAAU,EAAE,CAAA;CAAE,CAG3F;AAGD,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,UAAU,EAAE,CAAC;IAC5B,OAAO,EAAE,aAAa,GAAG,IAAI,CAAC;CAC/B;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,WAAW,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GACtF,OAAO,CAAC,UAAU,CAAC,CA0BrB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,wEAAwE;AACxE,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAgB7D;AAED,8DAA8D;AAC9D,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAGtF;AAMD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC/D,+FAA+F;AAC/F,MAAM,MAAM,cAAc,GAAG,aAAa,CAAC;AAU3C;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE;IAAE,OAAO,CAAC,EAAE,cAAc,EAAE,CAAA;CAAO,GACxC,WAAW,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAwB3C;AA2BD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED,2EAA2E;AAC3E,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,CASpE;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,WAAW,CAAC;IAClB,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oFAAoF;IACpF,OAAO,EAAE,aAAa,GAAG,IAAI,CAAC;CAC/B;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EACzC,IAAI,GAAE;IAAE,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAAO,GAC5D,OAAO,CAAC,eAAe,CAAC,CAkB1B;AAkBD,oGAAoG;AACpG,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,CAIxE"}

package/dist/hephaestus/index.js

@@ -0,0 +1,425 @@
+/**
+ * v2.86.0 — HEPHAESTUS (Ἥφαιστος, the smith god) · GEPHYRA's OS lane.
+ *
+ * NOT "an AI that runs commands" (that's Grok Computer / Warp / Claude Code —
+ * crowded, we'd lose). HEPHAESTUS is the neutral SUBSTRATE a shell + AI run ON:
+ * every command that wants to touch the machine first CROSSES it — gets risk-
+ * classified, policy-gated, optionally judged by a cross-vendor tribunal, has its
+ * output immune-scanned, and is recorded as a signed, tamper-evident crossing
+ * (who: human vs which AI). It is GEPHYRA's claim-crossing, applied to COMMANDS.
+ *
+ * DECISION-FIRST, EXECUTION-OPTIONAL: the value is the SIGNED VERDICT (ALLOW /
+ * NEEDS_COSIGN / BLOCK + reasons + tribunal + provenance), not the runner. The
+ * gate is pure logic → deterministic + identical across every OS. Execution is a
+ * separate, guarded, opt-in step.
+ *
+ * THE SAFETY INVARIANT (pinned in tests): a DESTRUCTIVE command can NEVER be ALLOW
+ * without an explicit co-sign. A fox cannot guard its own henhouse — so for
+ * destructive ops a cross-vendor tribunal (Grok+Gemini+Claude, UNcorrelated errors)
+ * judges, and Mneme — owned by no vendor — is the only legitimate convener.
+ *
+ * Composes flight_recorder (the black box) + notary (the stamp) + mesh_immune
+ * (injection scan). Never throws — every organ degrades gracefully.
+ */
+import { record, replay, readCdr } from "../flight_recorder/index.js";
+import { scanMessage, quarantineDecision } from "../mesh_immune/index.js";
+import { verifyReceipt } from "../notary/index.js";
+// Order matters: destructive patterns win over write/read.
+const DESTRUCTIVE = [
+    [/\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r|-rf|-fr)\b/i, "rm -rf"],
+    [/\brm\s+-[a-z]*r\b/i, "recursive rm"],
+    [/\b(rmdir|rd)\s+\/s\b/i, "rmdir /s"],
+    [/\bdel\s+\/[a-z]*[qsf]/i, "del /q|/s|/f"],
+    [/\b(mkfs|fdisk|parted|wipefs|diskpart)\b/i, "disk format/partition"],
+    [/\bdd\s+if=/i, "dd"],
+    [/>\s*\/dev\/(sd|nvme|disk)/i, "write to raw disk"],
+    [/\bformat\s+[a-z]:/i, "format drive"],
+    [/\bkubectl\s+delete\b/i, "kubectl delete"],
+    [/\bhelm\s+(delete|uninstall)\b/i, "helm delete"],
+    [/\bterraform\s+destroy\b/i, "terraform destroy"],
+    [/\bdocker\s+(system\s+prune|rm\s+-f|volume\s+rm)\b/i, "docker destructive"],
+    [/\bdrop\s+(table|database|schema|index|view|user|role)\b/i, "SQL drop"],
+    [/\btruncate\s+(table\s+)?["`[]?\w/i, "SQL truncate"],
+    [/\bdelete\s+from\b(?![^;]*\bwhere\b)/i, "SQL delete without where"],
+    [/\bgit\s+(push\s+(-f|--force)|reset\s+--hard|clean\s+-[a-z]*f)/i, "git force/reset/clean"],
+    [/\b(shutdown|reboot|halt|poweroff|Stop-Computer|Restart-Computer)\b/i, "power state"],
+    [/\b(systemctl|service)\s+(stop|disable|mask)\b/i, "stop/disable service"],
+    [/\bchmod\s+-R\s+777\b/i, "chmod -R 777"],
+    [/:\s*\(\s*\)\s*\{.*\|.*&\s*\}\s*;/i, "fork bomb"],
+    [/\b(Remove-Item|ri|rm)\b.*-Recurse.*-Force|\b(Remove-Item|ri)\b.*-Force.*-Recurse/i, "Remove-Item -Recurse -Force"],
+];
+const WRITE = [
+    [/\b(apt|apt-get|yum|dnf|brew|npm|pnpm|yarn|pip|pip3|cargo|gem)\s+(install|add|i|update|upgrade)\b/i, "package install"],
+    [/\b(mv|cp|mkdir|touch|ln|chmod|chown|tee|truncate)\b/i, "filesystem write"],
+    [/>>?\s*[^&|]/, "output redirect"],
+    [/\bsed\s+-i\b|\bperl\s+-i\b/i, "in-place edit"],
+    [/\bgit\s+(commit|merge|rebase|checkout|stash|add|tag)\b/i, "git mutate"],
+    [/\b(Set-|New-|Add-|Out-File|Set-Content|Add-Content)\b/, "PowerShell write cmdlet"],
+    [/\b(docker\s+(run|build|start)|kubectl\s+(apply|create|patch|scale)|systemctl\s+(start|restart|enable))\b/i, "deploy/start"],
+    [/\b(echo|printf)\b.*>/, "write via echo"],
+];
+const READ = [
+    [/^\s*(ls|dir|cat|bat|head|tail|less|more|grep|rg|find|fd|wc|ps|top|htop|df|du|free|ss|netstat|lsof|ip|ifconfig|ping|traceroute|whoami|id|pwd|cd|which|where|env|printenv|uname|hostname|date|uptime|history|stat|file|tree|jq|awk|sort|uniq|diff)\b/i, "read tool"],
+    [/\b(kubectl\s+(get|describe|logs|top)|docker\s+(ps|images|logs|inspect)|systemctl\s+status|git\s+(status|log|diff|show|branch))\b/i, "read subcommand"],
+    [/\b(Get-|Test-|Measure-|Select-|Where-|Format-)\b/, "PowerShell read cmdlet"],
+    [/^\s*(echo|printf)\b(?![^|]*>)/, "echo (no redirect)"],
+];
+/**
+ * Classify a command's blast radius. Destructive wins, then write, then read.
+ * UNKNOWN defaults to "write" (conservative — gets policy-gated, never silently
+ * treated as harmless). Deterministic + OS-agnostic (pure pattern logic).
+ */
+export function classifyCommandRisk(command) {
+    const c = String(command ?? "");
+    const signals = [];
+    for (const [re, label] of DESTRUCTIVE)
+        if (re.test(c))
+            signals.push(label);
+    if (signals.length)
+        return { risk: "destructive", signals };
+    for (const [re, label] of WRITE)
+        if (re.test(c))
+            signals.push(label);
+    if (signals.length)
+        return { risk: "write", signals };
+    for (const [re, label] of READ)
+        if (re.test(c))
+            signals.push(label);
+    if (signals.length)
+        return { risk: "read", signals };
+    return { risk: "write", signals: ["unknown command — defaulting to write (gated)"] };
+}
+export const DEFAULT_POLICY = { destructiveNeedsCosign: true, prodReadOnly: false };
+/** Parse a one-time, plain-language policy ("destructive must co-sign, prod is read-only"). */
+export function parsePolicy(text) {
+    const t = String(text ?? "").toLowerCase();
+    const mentionsDestructive = /destructive|dangerous|rm|delete|drop/.test(t);
+    const mentionsCosign = /co-?sign|cosign|human|approval|confirm|two-person|2-person/.test(t);
+    const noCosign = /no\s+co-?sign|without\s+co-?sign|don'?t\s+(require\s+)?co-?sign/.test(t);
+    const prodReadOnly = /prod[a-z]*\s*(is\s*)?(read[- ]?only|ro\b|no\s+writes?)/.test(t) || /read[- ]?only\s+(on\s+)?prod/.test(t);
+    return {
+        destructiveNeedsCosign: noCosign ? false : (mentionsDestructive && mentionsCosign ? true : DEFAULT_POLICY.destructiveNeedsCosign),
+        prodReadOnly: prodReadOnly || DEFAULT_POLICY.prodReadOnly,
+    };
+}
+/**
+ * Cross a command into the OS: classify → immune-scan → policy/tribunal gate →
+ * record a signed provenance frame → return the verdict. NEVER executes here and
+ * NEVER throws. The SAFETY INVARIANT holds: destructive ⇒ never ALLOW without a
+ * co-sign (or a unanimous-safe tribunal under a no-cosign policy).
+ */
+export async function crossCommand(repoRoot, input, deps = {}) {
+    const degraded = [];
+    const command = String(input.command ?? "");
+    const agent = String(input.agent ?? "unknown");
+    const host = input.host ? String(input.host) : null;
+    const origin = /^human$|^user$/i.test(agent) ? "human" : "ai";
+    const policy = deps.policy ?? DEFAULT_POLICY;
+    const reasons = [];
+    // 1. IMMUNE — injection hidden in the command itself.
+    let threats = [];
+    try {
+        const scan = scanMessage(command);
+        threats = scan.threats;
+        if (quarantineDecision(scan) === "QUARANTINE")
+            reasons.push("injection signature in command");
+    }
+    catch (e) {
+        degraded.push(`immune:${e.message}`);
+    }
+    const injected = reasons.length > 0;
+    // 2. RISK.
+    const { risk, signals } = classifyCommandRisk(command);
+    // 3/4. POLICY + TRIBUNAL gate → disposition.
+    let disposition;
+    let tribunal;
+    const prodLocked = policy.prodReadOnly && !!host && /prod/i.test(host) && risk !== "read";
+    if (injected) {
+        disposition = "BLOCK";
+    }
+    else if (prodLocked) {
+        disposition = "BLOCK";
+        reasons.push(`policy: ${host} is prod / read-only — ${risk} command blocked`);
+    }
+    else if (risk === "destructive") {
+        if (deps.tribunal) {
+            try {
+                const r = await deps.tribunal(command, risk);
+                tribunal = r;
+                if (r.consensus === "danger" || r.consensus === "split") {
+                    disposition = "BLOCK";
+                    reasons.push(`tribunal: ${r.consensus} (${r.verdicts.map((v) => `${v.vendor}=${v.verdict}`).join(", ")}) — a fox can't guard its own henhouse`);
+                }
+                else {
+                    // unanimous safe — still co-sign unless policy waives it.
+                    disposition = policy.destructiveNeedsCosign && !input.cosigned ? "NEEDS_COSIGN" : "ALLOW";
+                    if (disposition === "NEEDS_COSIGN")
+                        reasons.push("destructive: tribunal says safe but policy requires human co-sign");
+                }
+            }
+            catch (e) {
+                degraded.push(`tribunal:${e.message}`);
+                disposition = "BLOCK"; // tribunal down ⇒ fail CLOSED for destructive (safe default)
+                reasons.push("tribunal unavailable — failing closed on a destructive command");
+            }
+        }
+        else {
+            disposition = input.cosigned ? "ALLOW" : (policy.destructiveNeedsCosign ? "NEEDS_COSIGN" : "ALLOW");
+            if (disposition === "NEEDS_COSIGN")
+                reasons.push("destructive command requires human co-sign");
+        }
+    }
+    else if (risk === "write") {
+        disposition = "ALLOW";
+    }
+    else {
+        disposition = "ALLOW";
+    }
+    if (disposition === "ALLOW" && reasons.length === 0)
+        reasons.push(`${risk} command — allowed`);
+    // 5/6. BLACK BOX + STAMP — record the crossing (provenance: who + risk + verdict).
+    const td = disposition === "BLOCK" ? "CONTRADICT" : disposition === "ALLOW" ? "MATCH" : "UNVERIFIED";
+    let receipt = null;
+    try {
+        const frame = record(repoRoot, {
+            agent, kind: disposition === "ALLOW" ? "tool-call" : "decision",
+            action: `heph:${disposition}:${command.slice(0, 80)}`,
+            claim: command, observedReality: `${disposition} (${risk}) by ${origin}:${agent}`, truthDelta: td,
+        });
+        receipt = frame.receipt;
+    }
+    catch (e) {
+        degraded.push(`recorder:${e.message}`);
+    }
+    return { disposition, risk, signals, reasons, agent, host, origin, threats, tribunal, receipt, degraded };
+}
+const POLYGLOT = {
+    "list listening ports": { linux: "ss -tlnp", macos: "lsof -iTCP -sTCP:LISTEN -n -P", powershell: "Get-NetTCPConnection -State Listen" },
+    "list processes": { linux: "ps aux", macos: "ps aux", powershell: "Get-Process" },
+    "disk usage": { linux: "df -h", macos: "df -h", powershell: "Get-PSDrive -PSProvider FileSystem" },
+    "memory usage": { linux: "free -h", macos: "vm_stat", powershell: "Get-CimInstance Win32_OperatingSystem | Select FreePhysicalMemory,TotalVisibleMemorySize" },
+    "current directory": { linux: "pwd", macos: "pwd", powershell: "Get-Location" },
+    "list files": { linux: "ls -la", macos: "ls -la", powershell: "Get-ChildItem -Force" },
+    "environment variables": { linux: "printenv", macos: "printenv", powershell: "Get-ChildItem Env:" },
+    "network interfaces": { linux: "ip addr", macos: "ifconfig", powershell: "Get-NetIPAddress" },
+};
+export function currentPlatform() {
+    return process.platform === "win32" ? "powershell" : process.platform === "darwin" ? "macos" : "linux";
+}
+/** Translate a canonical intent to the right shell for a platform (default: this OS). */
+export function polyglot(intent, platform) {
+    const key = String(intent ?? "").toLowerCase().trim();
+    const row = POLYGLOT[key];
+    if (!row)
+        return null;
+    const p = platform ?? currentPlatform();
+    return { intent: key, platform: p, command: row[p] };
+}
+export function polyglotIntents() { return Object.keys(POLYGLOT); }
+// ── Immune Shell — scan command OUTPUT before it's fed back to the AI ──────
+export function scanCommandOutput(output) {
+    try {
+        const s = scanMessage(String(output ?? ""));
+        return { clean: s.clean, threats: s.threats };
+    }
+    catch {
+        return { clean: true, threats: [] };
+    }
+}
+/**
+ * Execute a command ONLY if its crossing verdict is ALLOW. Captures stdout/stderr/
+ * exit, immune-scans the output (so the AI isn't pwned by what it reads), and
+ * records the result. Refuses anything not ALLOW. Cross-platform (uses the OS shell).
+ */
+export async function executeGuarded(repoRoot, input) {
+    if (input.disposition !== "ALLOW") {
+        return { ran: false, reason: `refused: disposition is ${input.disposition}, not ALLOW`, exitCode: null, stdout: "", stderr: "", outputThreats: [], receipt: null };
+    }
+    const { spawnSync } = await import("node:child_process");
+    let stdout = "", stderr = "", exitCode = null;
+    try {
+        const r = spawnSync(input.command, {
+            shell: true, encoding: "utf8", timeout: input.timeoutMs ?? 30_000, windowsHide: true,
+            maxBuffer: 8 * 1024 * 1024,
+        });
+        stdout = r.stdout ?? "";
+        stderr = r.stderr ?? "";
+        exitCode = r.status;
+    }
+    catch (e) {
+        stderr = e.message;
+        exitCode = null;
+    }
+    const scan = scanCommandOutput(stdout + "\n" + stderr);
+    let receipt = null;
+    try {
+        const frame = record(repoRoot, {
+            agent: input.agent, kind: "tool-call", action: `heph:executed:${input.command.slice(0, 80)}`,
+            claim: input.command, observedReality: `exit=${exitCode} outputThreats=${scan.threats.length}`,
+            truthDelta: scan.clean ? "MATCH" : "CONTRADICT",
+        });
+        receipt = frame.receipt;
+    }
+    catch { /* */ }
+    return { ran: true, reason: "executed", exitCode, stdout, stderr, outputThreats: scan.threats, receipt };
+}
+/** Live HEPHAESTUS status from the shared flight-recorder black box. */
+export function hephaestusStatus(repoRoot) {
+    try {
+        const rep = replay(repoRoot);
+        const frames = readCdr(repoRoot);
+        let allowed = 0, needsCosign = 0, blocked = 0;
+        for (const f of frames) {
+            const p = (f.payload ?? {});
+            if (typeof p.action !== "string" || !p.action.startsWith("heph:"))
+                continue;
+            if (p.action.startsWith("heph:ALLOW") || p.action.startsWith("heph:executed"))
+                allowed++;
+            else if (p.action.startsWith("heph:NEEDS_COSIGN"))
+                needsCosign++;
+            else if (p.action.startsWith("heph:BLOCK"))
+                blocked++;
+        }
+        return { crossings: allowed + needsCosign + blocked, allowed, needsCosign, blocked, chainValid: rep.chainValid };
+    }
+    catch {
+        return { crossings: 0, allowed: 0, needsCosign: 0, blocked: 0, chainValid: true };
+    }
+}
+/** Verify a HEPHAESTUS crossing/execution receipt offline. */
+export function verifyHephReceipt(receipt) {
+    const v = verifyReceipt(receipt);
+    return { valid: v.valid, reason: v.reason };
+}
+function parseSafetyVerdict(text) {
+    const t = String(text ?? "").trim().toLowerCase();
+    if (/^\s*safe\b/.test(t))
+        return "safe";
+    if (/^\s*danger/.test(t))
+        return "danger";
+    // unparseable / refusal ⇒ fail SAFE (treat as danger so a destructive op is gated).
+    return "danger";
+}
+/**
+ * Build a real cross-vendor TRIBUNAL backed by diff_arena. Each vendor judges the
+ * command INDEPENDENTLY ("safe"/"danger") — errors are UNcorrelated across vendors,
+ * so the panel catches a blind spot a single-vendor ensemble can't. Mneme is the
+ * neutral convener (no vendor owns the judge). With no live vendors configured it
+ * fails SAFE (consensus "danger" ⇒ a destructive op is blocked) rather than waving
+ * it through. Wire real vendors via diff_arena's httpAdapter/cliAdapter (API keys);
+ * tests/offline pass deterministic vendor stubs.
+ */
+export function makeDiffArenaTribunal(repoRoot, opts = {}) {
+    return async (command) => {
+        const vendors = opts.vendors;
+        if (!vendors || vendors.length === 0) {
+            return { verdicts: [{ vendor: "(no-panel)", verdict: "danger" }], consensus: "danger" };
+        }
+        const prompt = `A command is about to run on a machine:\n\n  ${command}\n\nIs it SAFE or DANGEROUS to run as-is (data loss, prod impact, irreversibility)? Reply starting with EXACTLY "safe" or "danger", then one short reason.`;
+        let verdicts;
+        try {
+            const { diffArenaAsk } = await import("../diff_arena/index.js");
+            const res = await diffArenaAsk({ prompt, vendors, cwd: repoRoot });
+            verdicts = res.responses.map((r) => ({ vendor: r.vendor, verdict: r.ok ? parseSafetyVerdict(r.text) : "danger" }));
+        }
+        catch {
+            // diff_arena unavailable ⇒ ask vendors directly (still independent), fail safe on error.
+            verdicts = [];
+            for (const v of vendors) {
+                try {
+                    const r = await v.ask(prompt);
+                    verdicts.push({ vendor: v.name, verdict: r.ok ? parseSafetyVerdict(r.text) : "danger" });
+                }
+                catch {
+                    verdicts.push({ vendor: v.name, verdict: "danger" });
+                }
+            }
+        }
+        const safes = verdicts.filter((v) => v.verdict === "safe").length;
+        const consensus = safes === verdicts.length ? "safe" : safes === 0 ? "danger" : "split";
+        return { verdicts, consensus };
+    };
+}
+// ════════════════════════════════════════════════════════════════════════
+// v2.87.0 — 🔮 PRE-FLIGHT SIMULATION (counterfactual + irreversibility warning)
+//   The honest answer to "time-travel shell": we cannot UNDO an irreversible
+//   effect (rm/dd/DROP) — so we PREDICT + WARN before crossing, cross-vendor +
+//   signed. "Preview the future before you cross."
+// ════════════════════════════════════════════════════════════════════════
+const IRREVERSIBLE = [
+    [/\brm\s+-[a-z]*r|\b(Remove-Item|ri)\b.*-Recurse/i, "deletes files/dirs — NOT recoverable without a backup"],
+    [/\bdd\s+if=|>\s*\/dev\/(sd|nvme|disk)|\b(mkfs|wipefs|fdisk|format)\b/i, "overwrites raw disk — NOT recoverable"],
+    [/\b(drop|truncate)\s+(table|database|schema)?|delete\s+from\b(?![^;]*\bwhere\b)/i, "drops/empties data — NOT recoverable without a DB backup"],
+    [/\bshred\b/i, "securely erases — designed to be unrecoverable"],
+    [/\bgit\s+push\s+(-f|--force)/i, "force-pushes — rewrites remote history others may depend on"],
+    [/\bgit\s+reset\s+--hard/i, "discards uncommitted changes — NOT recoverable"],
+    [/\bterraform\s+destroy|kubectl\s+delete|helm\s+(delete|uninstall)/i, "tears down infrastructure — recreate ≠ restore data/state"],
+    [/\b(shutdown|reboot|halt|poweroff|Stop-Computer)\b/i, "interrupts the running system — in-flight work is lost"],
+];
+const REVERSIBLE_HINTS = [
+    [/\bgit\s+commit\b/i, "git revert undoes it"],
+    [/\bgit\s+(add|stash|checkout\s+-b|branch)\b/i, "git can undo it"],
+    [/\b(mkdir|touch)\b/i, "remove the created path to undo"],
+    [/\b(apt|apt-get|yum|dnf|brew|npm|pnpm|pip|cargo)\s+(install|add|i)\b/i, "uninstall to undo (config/data may persist)"],
+    [/\bdocker\s+(run|start)\b/i, "docker stop/rm to undo"],
+];
+/** Deterministically classify whether a command's effect can be undone. */
+export function classifyReversibility(command) {
+    const c = String(command ?? "");
+    const irreversibleWarnings = [];
+    for (const [re, msg] of IRREVERSIBLE)
+        if (re.test(c))
+            irreversibleWarnings.push(msg);
+    const effects = [];
+    for (const [re, msg] of REVERSIBLE_HINTS)
+        if (re.test(c))
+            effects.push(msg);
+    const { risk } = classifyCommandRisk(c);
+    if (risk === "read")
+        return { reversible: true, effects: ["read-only — no state change"], irreversibleWarnings: [] };
+    return { reversible: irreversibleWarnings.length === 0, effects, irreversibleWarnings };
+}
+/**
+ * 🔮 Pre-flight a command BEFORE crossing: predict blast radius + flag what cannot
+ * be undone + (optionally) ask a panel to predict the effect — and SIGN the
+ * pre-mortem. Never executes. The proof that the irreversible was foreseen + warned.
+ */
+export async function preflightCommand(repoRoot, input, deps = {}) {
+    const command = String(input.command ?? "");
+    const { risk } = classifyCommandRisk(command);
+    const rev = classifyReversibility(command);
+    let prediction;
+    if (deps.predict) {
+        try {
+            prediction = await deps.predict(command);
+        }
+        catch { /* best-effort */ }
+    }
+    let receipt = null;
+    try {
+        const frame = record(repoRoot, {
+            agent: String(input.agent ?? "unknown"), kind: "decision",
+            action: `heph:preflight:${command.slice(0, 72)}`,
+            claim: command,
+            observedReality: `risk=${risk} reversible=${rev.reversible} warnings=${rev.irreversibleWarnings.length}`,
+            truthDelta: rev.reversible ? "MATCH" : "CONTRADICT",
+        });
+        receipt = frame.receipt;
+    }
+    catch { /* */ }
+    return { command, risk, reversible: rev.reversible, effects: rev.effects, irreversibleWarnings: rev.irreversibleWarnings, prediction, receipt };
+}
+const ENV_VENDORS = [
+    { name: "openai", endpoint: "https://api.openai.com/v1/chat/completions", apiKeyEnv: "OPENAI_API_KEY", model: process.env["MNEME_OPENAI_MODEL"] ?? "gpt-4o-mini" },
+    { name: "grok", endpoint: "https://api.x.ai/v1/chat/completions", apiKeyEnv: "XAI_API_KEY", model: process.env["MNEME_GROK_MODEL"] ?? "grok-2-latest" },
+    { name: "gemini", endpoint: "https://generativelanguage.googleapis.com/v1beta/openai/chat/completions", apiKeyEnv: "GEMINI_API_KEY", model: process.env["MNEME_GEMINI_MODEL"] ?? "gemini-1.5-flash" },
+    { name: "deepseek", endpoint: "https://api.deepseek.com/v1/chat/completions", apiKeyEnv: "DEEPSEEK_API_KEY", model: process.env["MNEME_DEEPSEEK_MODEL"] ?? "deepseek-chat" },
+    { name: "openrouter", endpoint: "https://openrouter.ai/api/v1/chat/completions", apiKeyEnv: "OPENROUTER_API_KEY", model: process.env["MNEME_OPENROUTER_MODEL"] ?? "anthropic/claude-3.5-sonnet" },
+];
+/** Materialise a tribunal panel from env-present vendor keys (zero keys ⇒ [] ⇒ fail-safe BLOCK). */
+export async function tribunalVendorsFromEnv() {
+    const { httpAdapter } = await import("../diff_arena/adapters.js");
+    return ENV_VENDORS.filter((v) => (process.env[v.apiKeyEnv] ?? "").length > 0)
+        .map((v) => httpAdapter({ name: v.name, endpoint: v.endpoint, apiKeyEnv: v.apiKeyEnv, model: v.model, headers: v.headers, timeoutMs: 20000 }));
+}
+//# sourceMappingURL=index.js.map