@provos/ironcurtain 0.1.0 → 0.3.0

package/README.md

@@ -1,6 +1,13 @@
 # IronCurtain
 
-**A secure runtime for autonomous AI agents, where security policy is derived from a human-readable constitution.**
+[![CI](https://github.com/provos/ironcurtain/actions/workflows/ci.yml/badge.svg)](https://github.com/provos/ironcurtain/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@provos/ironcurtain)](https://www.npmjs.com/package/@provos/ironcurtain)
+[![License](https://img.shields.io/github/license/provos/ironcurtain)](LICENSE)
+[![Website](https://img.shields.io/badge/web-ironcurtain.dev-blue)](https://ironcurtain.dev)
+
+**A secure\* runtime for autonomous AI agents, where security policy is derived from a human-readable constitution.**
+
+_\*When someone writes "secure," you should immediately be skeptical. [What do we mean by secure?](https://ironcurtain.dev)_
 
 > **Research Prototype.** IronCurtain is an early-stage research project exploring how to make AI agents safe enough to be genuinely useful. APIs, configuration formats, and architecture may change. Contributions and feedback are welcome.
 
@@ -23,8 +30,23 @@ The key ideas:
 - **Semantic interposition.** Instead of giving the agent raw system access, all interactions go through [MCP](https://modelcontextprotocol.io/) servers (filesystem, git, etc.). Every tool call passes through a policy engine that can **allow**, **deny**, or **escalate** to the user for approval.
 - **Defense in depth.** Agent code runs in a V8 isolate with no direct access to the host. The only way out is through semantically meaningful MCP tool calls and every one is checked against policy.
 
+## Demo
+
+<p align="center">
+  <img src="demo.gif" alt="IronCurtain demo: agent clones a repo, policy escalates git_clone for approval, user approves, then auto-approve handles git push" width="800">
+</p>
+
+The agent clones a repository and edits a file. The policy engine escalates `git_clone` for human approval. After the user types `/approve`, the agent completes the task. On the second request ("ok. git push to origin please"), [auto-approve](#auto-approve-escalations) recognizes the explicit intent and approves `git_push` automatically — no interruption needed.
+
 ## Architecture
 
+IronCurtain supports two session modes with different trust models:
+
+- **Builtin Agent (Code Mode)** — IronCurtain's own LLM agent writes TypeScript snippets that execute in a V8 sandbox. IronCurtain controls the agent, the sandbox, and the policy engine.
+- **Docker Agent Mode** — An external agent (Claude Code, Goose, etc.) runs inside a Docker container with no network access. IronCurtain doesn't control the agent — it only mediates the agent's external access through policy-enforced proxies.
+
+### Builtin Agent (Code Mode)
+
 ```
 ┌─────────────────────────────────────────────┐
 │              Agent (LLM)                    │
@@ -69,7 +91,7 @@ The key ideas:
 
 1. **Agent** -- An LLM (Claude, GPT, Gemini) that writes TypeScript to accomplish user tasks. It has no direct access to the system.
 2. **Sandbox** -- A V8 isolate ([UTCP Code Mode](https://utcp.dev/)) that executes the agent's TypeScript. The only way to interact with the outside world is through typed function stubs that produce structured MCP requests.
-3. **Trusted Process** -- The security kernel. Every MCP request from the sandbox passes through a two-phase policy engine before reaching any real server. Phase 1 enforces hardcoded structural invariants (protected paths, unknown tool denial). Phase 2 evaluates the compiled constitution rules. Denied calls are blocked; escalated calls are presented to the user for approval.
+3. **Trusted Process** -- The security kernel. Every MCP request from the sandbox passes through a two-phase policy engine before reaching any real server. Structural checks enforce hardcoded invariants (protected paths, unknown tool denial). Compiled rule evaluation evaluates the compiled constitution rules. Denied calls are blocked; escalated calls are presented to the user for approval.
 4. **MCP Servers** -- Standard [Model Context Protocol](https://modelcontextprotocol.io/) servers that provide filesystem access, git operations, and other capabilities. Only approved requests reach them.
 
 ## Policy Compilation Pipeline
@@ -77,25 +99,97 @@ The key ideas:
 The constitution is compiled into enforceable policy through a four-stage LLM pipeline:
 
 ```
-constitution.md → [Annotate] → [Compile] → [Generate Scenarios] → [Verify & Repair]
-                      │              │               │                     │
-                      ▼              ▼               ▼                     ▼
-              tool-annotations  compiled-policy  test-scenarios     verified policy
-                  .json            .json            .json          (or build failure)
+constitution.md → [Annotate] → [Compile] → [Resolve Lists] → [Generate Scenarios] → [Verify & Repair]
+                      │              │              │                  │                     │
+                      ▼              ▼              ▼                  ▼                     ▼
+              tool-annotations  compiled-policy  dynamic-lists   test-scenarios       verified policy
+                  .json            .json            .json            .json          (or build failure)
 ```
 
 1. **Annotate** -- Classify each MCP tool's arguments by role (read-path, write-path, delete-path, none).
-2. **Compile** -- Translate the English constitution into deterministic if/then rules.
-3. **Generate Scenarios** -- Create test scenarios from the constitution, combined with mandatory handwritten invariant tests.
-4. **Verify & Repair** -- Execute scenarios against the real policy engine. An LLM judge analyzes failures and generates targeted repairs (up to 2 rounds). The build fails if the policy cannot be verified.
+2. **Compile** -- Translate the English constitution into deterministic if/then rules. Categorical references ("major news sites", "my contacts") are emitted as `@list-name` symbolic references with list definitions.
+3. **Resolve Lists** -- Resolve dynamic list definitions to concrete values via LLM knowledge or MCP tool-use (e.g., querying a contacts database). Resolved values are written to `dynamic-lists.json` and can be user-inspected/edited. Skipped when no lists are present.
+4. **Generate Scenarios** -- Create test scenarios from the constitution, combined with mandatory handwritten invariant tests.
+5. **Verify & Repair** -- Execute scenarios against the real policy engine. An LLM judge analyzes failures and generates targeted repairs (up to 2 rounds). The build fails if the policy cannot be verified.
 
 All artifacts are content-hash cached -- only changed inputs trigger recompilation.
 
+### What compiled rules look like
+
+A constitution like:
+
+```markdown
+- The agent may perform read-only git operations (status, diff, log) within the sandbox without approval.
+- The agent must receive human approval before git push, pull, fetch, or any remote-contacting operation.
+```
+
+compiles into deterministic JSON rules:
+
+```json
+[
+  {
+    "tool": "git_status",
+    "decision": "allow",
+    "condition": { "directory": { "within": "$SANDBOX" } }
+  },
+  {
+    "tool": "git_diff",
+    "decision": "allow",
+    "condition": { "directory": { "within": "$SANDBOX" } }
+  },
+  {
+    "tool": "git_push",
+    "decision": "escalate",
+    "reason": "Remote-contacting git operations require human approval"
+  }
+]
+```
+
+Any tool call that doesn't match an explicit allow or escalate rule is **denied by default**. Rules define what is permitted or needs human judgment; everything else is blocked.
+
+### Docker Agent Mode
+
+In Docker mode, IronCurtain runs an external agent — not its own. The agent (Claude Code, Goose, etc.) already has its own LLM loop, tool-calling mechanism, and execution model. IronCurtain's role is to **mediate external access**: every LLM API call and every MCP tool call must pass through host-side proxies that enforce policy.
+
+```
+┌──────────────────────────────────────────────┐
+│     Docker Container (--network=none)        │
+│                                              │
+│  ┌────────────────────────────────────────┐  │
+│  │         External Agent                 │  │
+│  │    (Claude Code, Goose, etc.)          │  │
+│  │    Own LLM loop, tools, execution      │  │
+│  └──────┬──────────────────┬──────────────┘  │
+│         │ LLM API calls    │ MCP tool calls  │
+│         ▼                  ▼                 │
+│      [UDS]              [UDS]                │
+└─────────┬──────────────────┬─────────────────┘
+          │                  │
+          ▼                  ▼
+┌──────────────────┐  ┌─────────────────────────┐
+│  MITM Proxy      │  │  MCP Proxy              │
+│  (host process)  │  │  (host process)         │
+│                  │  │                         │
+│  Host allowlist  │  │  Policy Engine          │
+│  Endpoint filter │  │  allow / deny /         │
+│  Fake→real key   │  │  escalate               │
+│  swap            │  │                         │
+└────────┬─────────┘  └────────────┬────────────┘
+         │                         │
+         ▼                         ▼
+   LLM Provider            MCP Servers
+   (Anthropic, etc.)       (filesystem, git, etc.)
+```
+
+The key difference from Code Mode: IronCurtain does **not** control the agent's execution. The agent has its own tool-calling mechanism (Claude Code uses its own tools internally). IronCurtain only sees the external effects — LLM API calls and MCP tool calls — and enforces policy on those boundaries.
+
+See [SANDBOXING.md](SANDBOXING.md) for the full sandboxing architecture.
+
 ## Getting Started
 
 ### Prerequisites
 
-- Node.js 18+
+- Node.js 20+
 - An API key for at least one supported LLM provider (Anthropic, Google, or OpenAI)
 
 ### Install
@@ -103,7 +197,7 @@ All artifacts are content-hash cached -- only changed inputs trigger recompilati
 **As a global CLI tool (end users):**
 
 ```bash
-npm install -g ironcurtain
+npm install -g @provos/ironcurtain
 ```
 
 **From source (development):**
@@ -132,41 +226,66 @@ Or add it to `~/.ironcurtain/config.json` (auto-created on first run with defaul
 
 Environment variables take precedence over config file values. Supported providers: `ANTHROPIC_API_KEY`, `GOOGLE_GENERATIVE_AI_API_KEY`, `OPENAI_API_KEY`.
 
-### 2. Write your constitution
+### 2. Configure settings
+
+```bash
+ironcurtain config
+```
+
+This opens an interactive editor for `~/.ironcurtain/config.json` where you can configure models, security settings, resource budgets, and auto-compaction. API keys should be set via environment variables.
+
+### 3. Customize your policy
+
+Run the interactive policy customizer to create a constitution tailored to your workflow:
+
+```bash
+ironcurtain customize-policy
+```
 
-Edit `src/config/constitution.md` to express your security policy in plain English. Here's the included example:
+The customizer walks you through an LLM-assisted conversation about what your agent should and shouldn't be able to do, then generates a constitution file at `~/.ironcurtain/constitution-user.md`. This file is appended to the base constitution, which defines the guiding principles:
 
 ```markdown
-# Guiding Principles
+# IronCurtain Constitution
+
+## Guiding Principles
 
 1. **Least privilege**: The agent may only access resources explicitly permitted by policy.
-2. **No destruction**: Delete operations outside the sandbox are never permitted.
+2. **No destruction**: Delete operations outside the sandbox are never permitted,
+   unless an explicit exception is granted by the user guidance.
 3. **Human oversight**: Operations outside the sandbox require explicit human approval.
+```
 
-# Concrete Guidance
+The customizer produces concrete guidance like:
 
-- The agent is allowed to read, write and delete content in the Downloads folder.
-- The agent is allowed to read documents in the User's document folder.
-- The agent may perform read-only git operations (status, diff, log) within the sandbox without approval.
-- The agent may stage files (git add) and commit within the sandbox without approval.
-- The agent must receive human approval before git push, pull, fetch, or any remote-contacting operation.
-- The agent must receive human approval before git reset, rebase, merge, or any history-rewriting operation.
+```markdown
+# User Policy Customizations
+
+## Concrete Guidance
+
+- The agent is allowed to read, write and delete content in the Downloads folder
+- The agent is allowed to read documents in the Users document folder.
+- The agent is allowed to perform all local read and write git operations within the sandbox
+- The agent must ask for human approval for all other git operations
+- The agent may fetch web content from popular news sites.
 ```
 
-### 3. Annotate tools and compile the policy
+You can also edit `~/.ironcurtain/constitution-user.md` directly. If you need to override the base principles, place a full constitution at `~/.ironcurtain/constitution.md` — it replaces the package-bundled base entirely.
+
+### 4. Annotate tools and compile the policy
 
 ```bash
 ironcurtain annotate-tools   # classify MCP tool arguments (developer task)
 ironcurtain compile-policy   # compile constitution into enforceable rules (user task)
+ironcurtain refresh-lists    # re-resolve dynamic lists without full recompilation
 ```
 
 Or with npm scripts during development: `npm run annotate-tools` / `npm run compile-policy`.
 
-Tool annotation connects to your MCP servers and classifies each tool's arguments via LLM. This only needs re-running when you add or change MCP servers. Policy compilation translates your constitution into deterministic rules, generates test scenarios, and verifies them. The compiled artifacts are written to `src/config/generated/`. Review the generated `compiled-policy.json` -- these are the rules that will be enforced at runtime.
+Tool annotation connects to your MCP servers and classifies each tool's arguments via LLM. This only needs re-running when you add or change MCP servers. Policy compilation translates your constitution into deterministic rules, generates test scenarios, and verifies them. The compiled artifacts are written to `~/.ironcurtain/generated/`. Review the generated `compiled-policy.json` -- these are the rules that will be enforced at runtime. (The package ships with pre-compiled defaults so you can run immediately without compiling.)
 
 IronCurtain ships with pre-configured MCP servers for filesystem and git operations. See [Adding MCP Servers](#adding-mcp-servers) for how to extend this.
 
-### 4. Run the agent
+### 5. Run the agent
 
 **Interactive mode** (multi-turn session with human escalation support):
 
@@ -182,6 +301,8 @@ ironcurtain start "Summarize the files in the current directory"
 
 Or with npm scripts during development: `npm start` / `npm start "task"`.
 
+When Docker is available and `ANTHROPIC_API_KEY` is set, `ironcurtain start` automatically selects Docker mode (claude-code agent). Otherwise it falls back to the builtin agent silently. The selected mode is logged to stderr. Use `--agent builtin` or `--agent claude-code` to force a specific agent; explicit selection fails fast with a clear error if prerequisites are missing.
+
 ### Session Commands
 
 During an interactive session:
@@ -201,6 +322,9 @@ IronCurtain stores its configuration and session data in `~/.ironcurtain/`:
 ```
 ~/.ironcurtain/
 ├── config.json              # User configuration
+├── constitution.md          # User-local base constitution (overrides package default)
+├── constitution-user.md     # Your policy customizations (generated by customize-policy)
+├── generated/               # User-compiled policy artifacts (overrides package defaults)
 ├── sessions/
 │   └── {sessionId}/
 │       ├── sandbox/         # Per-session filesystem sandbox
@@ -222,6 +346,21 @@ Sessions enforce configurable limits to prevent runaway agents:
 
 Set any limit to `null` in `config.json` to disable it.
 
+### Auto-Approve Escalations
+
+By default, all escalations require manual `/approve` or `/deny`. You can optionally enable an LLM-based auto-approver that checks whether the user's most recent message clearly authorized the escalated action:
+
+```json
+{
+  "autoApprove": {
+    "enabled": true,
+    "modelId": "anthropic:claude-haiku-4-5"
+  }
+}
+```
+
+The auto-approver is conservative — it only approves when intent is unambiguous (e.g., "push my changes to origin" clearly authorizes `git_push`). Vague messages like "go ahead" or "fix the tests" always fall through to human approval. It can never deny — only approve or escalate. All auto-approved actions are recorded in the audit log with `autoApproved: true`.
+
 ### Multi-Provider Support
 
 IronCurtain supports multiple LLM providers. Use the `provider:model-name` format in config and provide the API key for each provider you use:
@@ -256,6 +395,16 @@ IronCurtain ships with filesystem and git MCP servers pre-configured. Adding a n
 
 After compilation, review the updated `tool-annotations.json` and `compiled-policy.json` to verify the new tools are correctly classified and covered by policy.
 
+## Built-in Capabilities
+
+IronCurtain ships with three pre-configured MCP servers. All tool calls are governed by your compiled policy.
+
+**Filesystem** (14 tools) — `read_file`, `read_multiple_files`, `write_file`, `edit_file`, `create_directory`, `list_directory`, `directory_tree`, `move_file`, `search_files`, `get_file_info`, `list_allowed_directories`, `file_exists`, `read_file_lines`, `calculate_diff`.
+
+**Git** (27 tools) — Full git workflow: `git_status`, `git_diff_staged`, `git_diff_unstaged`, `git_diff`, `git_log`, `git_show`, `git_add`, `git_reset`, `git_commit`, `git_checkout`, `git_create_branch`, `git_list_branches`, `git_push`, `git_pull`, `git_fetch`, `git_merge`, `git_rebase`, `git_cherry_pick`, `git_stash`, `git_stash_pop`, `git_stash_list`, `git_tag`, `git_list_tags`, `git_remote`, `git_clone`, `git_init`, `git_blame`.
+
+**Fetch** (1 tool) — `fetch` retrieves content from URLs with automatic HTML-to-markdown conversion.
+
 ## Security Model
 
 IronCurtain is designed around a specific threat model: **the LLM goes rogue.** This can happen through prompt injection (a malicious email or web page hijacks the agent) or through multi-turn drift (the agent gradually deviates from the user's intent over a long session).
@@ -265,7 +414,7 @@ IronCurtain is designed around a specific threat model: **the LLM goes rogue.**
 - **Filesystem containment** -- Path-based policy with symlink-aware resolution prevents path traversal and symlink-escape attacks.
 - **Per-tool policy** -- Each MCP tool call is evaluated against compiled rules. The policy engine classifies tool arguments by role (read-path, write-path, delete-path) to make fine-grained decisions.
 - **Structural invariants** -- Certain protections are hardcoded and cannot be overridden by the constitution: the agent can never modify its own policy files, audit logs, or configuration.
-- **Human escalation** -- When policy says "escalate," the agent pauses and the user must explicitly `/approve` or `/deny` the action.
+- **Human escalation** -- When policy says "escalate," the agent pauses and the user must explicitly `/approve` or `/deny` the action. Optionally, an [LLM-based auto-approver](#auto-approve-escalations) can approve actions that clearly match the user's most recent request — it can never deny, only approve or fall through to human review.
 - **Audit trail** -- Every tool call and policy decision is logged to an append-only JSONL audit log.
 - **Resource limits** -- Token, step, time, and cost budgets prevent runaway sessions.
 
@@ -280,12 +429,23 @@ This is a research prototype. Known gaps include:
 
 See [docs/SECURITY_CONCERNS.md](docs/SECURITY_CONCERNS.md) for a detailed threat analysis.
 
+## Troubleshooting
+
+| Issue | Guidance |
+|-------|---------|
+| **Missing API key** | Set the environment variable (`ANTHROPIC_API_KEY`, `GOOGLE_GENERATIVE_AI_API_KEY`, or `OPENAI_API_KEY`) or add the corresponding key to `~/.ironcurtain/config.json`. |
+| **Sandbox unavailable** | OS-level sandboxing requires `bubblewrap` and `socat`. Install both, or set `"sandboxPolicy": "warn"` in your MCP server config for development. |
+| **Budget exhausted** | Adjust limits in `~/.ironcurtain/config.json` under `resourceBudget`. Set any individual limit to `null` to disable it. |
+| **Node version errors** | Minimum Node.js 18.3.0 required. Node 20+ is recommended. |
+| **Policy doesn't match intent** | Review `compiled-policy.json` to see the generated rules. Run `ironcurtain customize-policy` to refine your constitution, then `ironcurtain compile-policy` to recompile. Specific wording produces better rules — vague phrasing leads to vague policy. |
+| **Auto-approve not triggering** | The auto-approver only approves when the user's message explicitly authorizes the action (e.g., "push to origin" for `git_push`). Vague messages like "go ahead" always escalate to human review. Verify `autoApprove.enabled` is `true` in `config.json`. |
+
 ## Development
 
 ```bash
 npm test                                    # Run all tests
-npx vitest run test/policy-engine.test.ts   # Run a single test file
-npx vitest run -t "denies delete_file"      # Run a single test by name
+npm test -- test/policy-engine.test.ts      # Run a single test file
+npx test -- -t "denies delete_file"         # Run a single test by name
 npm run lint                                # Lint
 npm run build                               # TypeScript compilation + asset copy
 ```

package/dist/cli.js

@@ -20,20 +20,34 @@ Usage:
 
 Commands:
   start [task]         Run the agent (interactive or single-shot)
+  setup                Run the first-start wizard (always runs)
   annotate-tools       Classify MCP tool arguments via LLM
   compile-policy       Compile constitution into enforceable policy rules
+  refresh-lists        Re-resolve dynamic lists without full recompilation
+  customize-policy     Customize your policy via LLM-assisted conversation
+  config               Edit configuration interactively
   help                 Show this help message
 
 Options:
   -h, --help           Show this help message
   -v, --version        Show version number
+  -a, --agent <name>   Agent mode: builtin or claude-code (Docker)
+                       Auto-detects if omitted: Docker if available, else builtin
+  --list-agents        List registered agent adapters
 
 Examples:
+  ironcurtain start "task"                        # Auto-detects Docker or builtin
   ironcurtain start                              # Interactive session
   ironcurtain start "Summarize files in ."       # Single-shot task
   ironcurtain start --resume <session-id>        # Resume a session
+  ironcurtain start --agent claude-code "task"   # Docker: Claude Code
+  ironcurtain start --list-agents                # List available agents
   ironcurtain annotate-tools                     # Classify tool arguments
   ironcurtain compile-policy                     # Compile policy from constitution
+  ironcurtain refresh-lists                      # Refresh all dynamic lists
+  ironcurtain refresh-lists --list major-news    # Refresh a single list
+  ironcurtain refresh-lists --with-mcp           # Include MCP-backed lists
+  ironcurtain customize-policy                   # Customize policy interactively
 `.trim());
 }
 const { values, positionals } = parseArgs({
@@ -70,6 +84,26 @@ switch (subcommand) {
         await main();
         break;
     }
+    case 'refresh-lists': {
+        const { main } = await import('./pipeline/refresh-lists.js');
+        await main(process.argv.slice(3));
+        break;
+    }
+    case 'customize-policy': {
+        const { main } = await import('./pipeline/constitution-customizer.js');
+        await main();
+        break;
+    }
+    case 'config': {
+        const { runConfigCommand } = await import('./config/config-command.js');
+        await runConfigCommand();
+        break;
+    }
+    case 'setup': {
+        const { runFirstStart } = await import('./config/first-start.js');
+        await runFirstStart();
+        break;
+    }
     default:
         console.error(`Unknown command: ${subcommand}\n`);
         printHelp();

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,SAAS,UAAU;IACjB,oFAAoF;IACpF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;IAC/D,OAAO,GAAG,CAAC,OAAO,CAAC;AACrB,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;;CAsBf,CAAC,IAAI,EAAE,CAAC,CAAC;AACV,CAAC;AAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC;IACxC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE;QACP,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE;QACrC,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE;KACzC;IACD,gBAAgB,EAAE,IAAI;IACtB,MAAM,EAAE,KAAK;CACd,CAAC,CAAC;AAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;AAElC,IAAI,MAAM,CAAC,IAAI,IAAI,UAAU,KAAK,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;IACxD,SAAS,EAAE,CAAC;IACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,QAAQ,UAAU,EAAE,CAAC;IACnB,KAAK,OAAO,CAAC,CAAC,CAAC;QACb,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM;IACR,CAAC;IACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QACxD,MAAM,IAAI,EAAE,CAAC;QACb,MAAM;IACR,CAAC;IACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QACvD,MAAM,IAAI,EAAE,CAAC;QACb,MAAM;IACR,CAAC;IACD;QACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,UAAU,IAAI,CAAC,CAAC;QAClD,SAAS,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,SAAS,UAAU;IACjB,oFAAoF;IACpF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAwB,CAAC;IACtF,OAAO,GAAG,CAAC,OAAO,CAAC;AACrB,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CAAC,KAAK,CACX;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAoCH,CAAC,IAAI,EAAE,CACL,CAAC;AACJ,CAAC;AAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC;IACxC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE;QACP,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE;QACrC,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE;KACzC;IACD,gBAAgB,EAAE,IAAI;IACtB,MAAM,EAAE,KAAK;CACd,CAAC,CAAC;AAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;AAElC,IAAI,MAAM,CAAC,IAAI,IAAI,UAAU,KAAK,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;IACxD,SAAS,EAAE,CAAC;IACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,QAAQ,UAAU,EAAE,CAAC;IACnB,KAAK,OAAO,CAAC,CAAC,CAAC;QACb,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM;IACR,CAAC;IACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QACxD,MAAM,IAAI,EAAE,CAAC;QACb,MAAM;IACR,CAAC;IACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;QACtB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QACvD,MAAM,IAAI,EAAE,CAAC;QACb,MAAM;IACR,CAAC;IACD,KAAK,eAAe,CAAC,CAAC,CAAC;QACrB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC7D,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM;IACR,CAAC;IACD,KAAK,kBAAkB,CAAC,CAAC,CAAC;QACxB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,uCAAuC,CAAC,CAAC;QACvE,MAAM,IAAI,EAAE,CAAC;QACb,MAAM;IACR,CAAC;IACD,KAAK,QAAQ,CAAC,CAAC,CAAC;QACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QACxE,MAAM,gBAAgB,EAAE,CAAC;QACzB,MAAM;IACR,CAAC;IACD,KAAK,OAAO,CAAC,CAAC,CAAC;QACb,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAClE,MAAM,aAAa,EAAE,CAAC;QACtB,MAAM;IACR,CAAC;IACD;QACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,UAAU,IAAI,CAAC,CAAC;QAClD,SAAS,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/config/config-command.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Interactive configuration editor for IronCurtain.
+ *
+ * Provides a terminal UI using @clack/prompts for viewing and modifying
+ * ~/.ironcurtain/config.json. API keys are excluded from the interactive
+ * menu — users must set them via environment variables or edit JSON directly.
+ */
+import { type UserConfig, type ResolvedUserConfig } from './user-config.js';
+export declare function formatTokens(n: number | null): string;
+export declare function formatSeconds(n: number | null): string;
+export declare function formatCost(n: number | null): string;
+interface DiffEntry {
+    from: unknown;
+    to: unknown;
+}
+export declare function computeDiff(resolved: ResolvedUserConfig, pending: UserConfig): [string, DiffEntry][];
+export declare function runConfigCommand(): Promise<void>;
+export {};