@tpsdev-ai/cli 0.1.0 → 0.3.0

package/dist/src/utils/noise-ik-transport.js

@@ -1,357 +0,0 @@
-/**
- * Noise_IK encrypted transport — mutual authentication + encrypted channel.
- * Uses X25519 static keys from TPS identity for IK pattern.
- */
-import net from "node:net";
-import { EventEmitter } from "node:events";
-import Noise from "noise-handshake/noise.js";
-import Cipher from "noise-handshake/cipher.js";
-import { decodeWireMessage, encodeWireMessage } from "./wire-frame.js";
-import { fingerprint, loadHostIdentity, lookupBranch } from "./identity.js";
-import { JoinCompleteBodySchema, MSG_JOIN_COMPLETE } from "./wire-mail.js";
-const PROLOGUE = Buffer.from("tps-v1");
-const MAX_HANDSHAKE_BYTES = 512;
-const HANDSHAKE_TIMEOUT_MS = 10_000;
-const MAX_ENCRYPTED_FRAME = 1024 * 1024 + 64;
-function withTimeout(p, ms, onTimeout) {
-    return new Promise((resolve, reject) => {
-        const t = setTimeout(() => {
-            try {
-                onTimeout();
-            }
-            catch { }
-            reject(new Error(`Handshake timeout after ${ms}ms`));
-        }, ms);
-        p.then((v) => {
-            clearTimeout(t);
-            resolve(v);
-        }).catch((e) => {
-            clearTimeout(t);
-            reject(e);
-        });
-    });
-}
-// 2-byte BE length prefix + payload
-async function writeFrame(socket, data) {
-    if (data.length > 0xffff) {
-        throw new Error(`Frame too large for 2-byte length prefix: ${data.length}`);
-    }
-    const header = Buffer.alloc(2);
-    header.writeUInt16BE(data.length, 0);
-    await new Promise((resolve, reject) => {
-        socket.write(Buffer.concat([header, data]), (err) => (err ? reject(err) : resolve()));
-    });
-}
-async function readFrame(socket, maxBytes = MAX_HANDSHAKE_BYTES) {
-    return new Promise((resolve, reject) => {
-        let buf = Buffer.alloc(0);
-        const cleanup = () => {
-            socket.off("data", onData);
-            socket.off("error", onErr);
-            socket.off("close", onClose);
-            socket.off("end", onClose);
-        };
-        const onErr = (err) => {
-            cleanup();
-            reject(err);
-        };
-        const onClose = () => {
-            cleanup();
-            reject(new Error("Socket closed before complete frame"));
-        };
-        const onData = (chunk) => {
-            buf = Buffer.concat([buf, chunk]);
-            if (buf.length >= 2) {
-                const len = buf.readUInt16BE(0);
-                if (len > maxBytes) {
-                    cleanup();
-                    socket.destroy();
-                    reject(new Error(`Frame too large: ${len} > ${maxBytes}`));
-                    return;
-                }
-                if (buf.length >= 2 + len) {
-                    const frame = buf.subarray(2, 2 + len);
-                    cleanup();
-                    resolve(frame);
-                }
-            }
-        };
-        socket.on("data", onData);
-        socket.once("error", onErr);
-        socket.once("close", onClose);
-        socket.once("end", onClose);
-    });
-}
-class NoiseIkChannel {
-    socket;
-    sendCipher;
-    recvCipher;
-    peerFp;
-    alive = true;
-    emitter = new EventEmitter();
-    rxBuffer = Buffer.alloc(0);
-    constructor(socket, sendCipher, recvCipher, peerFp) {
-        this.socket = socket;
-        this.sendCipher = sendCipher;
-        this.recvCipher = recvCipher;
-        this.peerFp = peerFp;
-        this.socket.on("close", () => {
-            this.alive = false;
-        });
-        this.socket.on("data", (chunk) => {
-            try {
-                this.rxBuffer = Buffer.concat([this.rxBuffer, chunk]);
-                if (this.rxBuffer.length > MAX_ENCRYPTED_FRAME) {
-                    this.socket.destroy();
-                    return;
-                }
-                let offset = 0;
-                while (offset + 2 <= this.rxBuffer.length) {
-                    const len = this.rxBuffer.readUInt16BE(offset);
-                    if (len > MAX_ENCRYPTED_FRAME) {
-                        this.socket.destroy();
-                        return;
-                    }
-                    if (offset + 2 + len > this.rxBuffer.length)
-                        break;
-                    const encrypted = this.rxBuffer.subarray(offset + 2, offset + 2 + len);
-                    const decrypted = Buffer.from(this.recvCipher.decrypt(encrypted));
-                    const msg = decodeWireMessage(decrypted);
-                    this.emitter.emit("message", msg);
-                    offset += 2 + len;
-                }
-                this.rxBuffer = this.rxBuffer.subarray(offset);
-            }
-            catch {
-                this.socket.destroy();
-            }
-        });
-    }
-    async send(msg) {
-        const wireFrame = encodeWireMessage(msg);
-        const encrypted = Buffer.from(this.sendCipher.encrypt(wireFrame));
-        await writeFrame(this.socket, encrypted);
-    }
-    onMessage(handler) {
-        this.emitter.on("message", handler);
-    }
-    offMessage(handler) {
-        this.emitter.off("message", handler);
-    }
-    async close() {
-        this.socket.end();
-        this.alive = false;
-    }
-    isAlive() {
-        return this.alive && !this.socket.destroyed;
-    }
-    peerFingerprint() {
-        return this.peerFp;
-    }
-}
-class NoiseIkServer {
-    server;
-    onConn = null;
-    constructor(server) {
-        this.server = server;
-    }
-    port() {
-        const addr = this.server.address();
-        if (!addr || typeof addr === "string")
-            return 0;
-        return addr.port;
-    }
-    onConnection(handler) {
-        this.onConn = handler;
-    }
-    dispatch(channel) {
-        this.onConn?.(channel);
-    }
-    async close() {
-        await new Promise((resolve, reject) => {
-            this.server.close((err) => (err ? reject(err) : resolve()));
-        });
-    }
-}
-export async function listenForJoin(branchKeyPair, port, timeoutMs = 120_000) {
-    const server = net.createServer();
-    const wrapper = new NoiseIkServer(server);
-    const branchStatic = {
-        publicKey: Buffer.from(branchKeyPair.encryption.publicKey),
-        secretKey: Buffer.from(branchKeyPair.encryption.privateKey),
-    };
-    const joined = new Promise((resolve, reject) => {
-        server.on("connection", async (socket) => {
-            try {
-                const responder = new Noise("IK", false, branchStatic);
-                responder.initialise(PROLOGUE);
-                const msg1 = await withTimeout(readFrame(socket), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-                responder.recv(msg1);
-                const msg2 = Buffer.from(responder.send());
-                await withTimeout(writeFrame(socket, msg2), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-                const channel = new NoiseIkChannel(socket, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(Buffer.from(responder.rs)));
-                const timer = timeoutMs > 0
-                    ? setTimeout(() => {
-                        socket.destroy();
-                        reject(new Error("JOIN_COMPLETE timeout"));
-                    }, timeoutMs)
-                    : null;
-                const handler = (msg) => {
-                    if (msg.type !== MSG_JOIN_COMPLETE)
-                        return;
-                    const parsed = JoinCompleteBodySchema.safeParse(msg.body);
-                    if (!parsed.success)
-                        return;
-                    const hostPub = new Uint8Array(Buffer.from(parsed.data.hostPubkey, "base64url"));
-                    const fp = fingerprint(hostPub);
-                    const claimed = parsed.data.hostFingerprint.replace(/^sha256:/, "");
-                    if (fp !== claimed) {
-                        if (timer)
-                            clearTimeout(timer);
-                        channel.offMessage(handler);
-                        socket.destroy();
-                        reject(new Error("Host fingerprint mismatch in JOIN_COMPLETE"));
-                        return;
-                    }
-                    if (timer)
-                        clearTimeout(timer);
-                    channel.offMessage(handler);
-                    resolve({
-                        channel,
-                        hostPubkey: hostPub,
-                        hostFingerprint: fp,
-                        hostId: parsed.data.hostId,
-                    });
-                };
-                channel.onMessage(handler);
-            }
-            catch (e) {
-                socket.destroy();
-                reject(e);
-            }
-        });
-    });
-    await new Promise((resolve, reject) => {
-        server.listen(port, "0.0.0.0", () => resolve());
-        server.once("error", reject);
-    });
-    const timeoutP = timeoutMs > 0
-        ? new Promise((_, reject) => {
-            setTimeout(() => {
-                try {
-                    server.close();
-                }
-                catch { }
-                reject(new Error("Join listener timeout"));
-            }, timeoutMs);
-        })
-        : null;
-    const result = timeoutP ? await Promise.race([joined, timeoutP]) : await joined;
-    wrapper.dispatch(result.channel);
-    return { ...result, server: wrapper };
-}
-export async function listenForHost(branchKeyPair, expectedHostPubkey, port, onMessage) {
-    const server = net.createServer();
-    const wrapper = new NoiseIkServer(server);
-    const branchStatic = {
-        publicKey: Buffer.from(branchKeyPair.encryption.publicKey),
-        secretKey: Buffer.from(branchKeyPair.encryption.privateKey),
-    };
-    server.on("connection", async (socket) => {
-        try {
-            const responder = new Noise("IK", false, branchStatic);
-            responder.initialise(PROLOGUE);
-            const msg1 = await withTimeout(readFrame(socket), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-            responder.recv(msg1);
-            const got = Buffer.from(responder.rs);
-            const expected = Buffer.from(expectedHostPubkey);
-            if (!got.equals(expected)) {
-                socket.destroy();
-                return;
-            }
-            const msg2 = Buffer.from(responder.send());
-            await withTimeout(writeFrame(socket, msg2), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-            const channel = new NoiseIkChannel(socket, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(got));
-            channel.onMessage((msg) => onMessage(msg, channel));
-            wrapper.dispatch(channel);
-        }
-        catch {
-            socket.destroy();
-        }
-    });
-    await new Promise((resolve, reject) => {
-        server.listen(port, "0.0.0.0", () => resolve());
-        server.once("error", reject);
-    });
-    return wrapper;
-}
-export class NoiseIkTransport {
-    branchKeyPair;
-    hostKeyPair;
-    constructor(branchKeyPair, hostKeyPair) {
-        this.branchKeyPair = branchKeyPair;
-        this.hostKeyPair = hostKeyPair;
-    }
-    async listen(port) {
-        const host = this.hostKeyPair ?? loadHostIdentity();
-        const server = net.createServer();
-        const wrapper = new NoiseIkServer(server);
-        const hostStatic = {
-            publicKey: Buffer.from(host.encryption.publicKey),
-            secretKey: Buffer.from(host.encryption.privateKey),
-        };
-        server.on("connection", async (socket) => {
-            try {
-                const responder = new Noise("IK", false, hostStatic);
-                responder.initialise(PROLOGUE);
-                const msg1 = await withTimeout(readFrame(socket), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-                const payload = Buffer.from(responder.recv(msg1));
-                const branchId = payload.toString("utf-8");
-                const known = lookupBranch(branchId);
-                const expected = known?.encryptionKey ? Buffer.from(known.encryptionKey) : null;
-                const got = Buffer.from(responder.rs);
-                if (!expected || !got.equals(expected)) {
-                    socket.destroy();
-                    return;
-                }
-                const msg2 = Buffer.from(responder.send());
-                await withTimeout(writeFrame(socket, msg2), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-                const channel = new NoiseIkChannel(socket, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(got));
-                wrapper.dispatch(channel);
-            }
-            catch {
-                socket.destroy();
-            }
-        });
-        await new Promise((resolve, reject) => {
-            server.listen(port, "0.0.0.0", () => resolve());
-            server.once("error", reject);
-        });
-        return wrapper;
-    }
-    async connect(target) {
-        const socket = net.createConnection({ host: target.host, port: target.port });
-        await new Promise((resolve, reject) => {
-            socket.once("connect", () => resolve());
-            socket.once("error", reject);
-        });
-        const branchStatic = {
-            publicKey: Buffer.from(this.branchKeyPair.encryption.publicKey),
-            secretKey: Buffer.from(this.branchKeyPair.encryption.privateKey),
-        };
-        const initiator = new Noise("IK", true, branchStatic);
-        initiator.initialise(PROLOGUE, Buffer.from(target.hostPublicKey));
-        const msg1 = Buffer.from(initiator.send(Buffer.from(target.branchId)));
-        await withTimeout(writeFrame(socket, msg1), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-        const msg2 = await withTimeout(readFrame(socket), HANDSHAKE_TIMEOUT_MS, () => socket.destroy());
-        initiator.recv(msg2);
-        const gotHost = Buffer.from(initiator.rs);
-        const expectedHost = Buffer.from(target.hostPublicKey);
-        if (!gotHost.equals(expectedHost)) {
-            socket.destroy();
-            throw new Error("Host key mismatch after Noise_IK handshake");
-        }
-        return new NoiseIkChannel(socket, new Cipher(initiator.tx), new Cipher(initiator.rx), fingerprint(gotHost));
-    }
-}
-//# sourceMappingURL=noise-ik-transport.js.map

package/dist/src/utils/noise-ik-transport.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"noise-ik-transport.js","sourceRoot":"","sources":["../../../src/utils/noise-ik-transport.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,GAAiC,MAAM,UAAU,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,KAAK,MAAM,0BAA0B,CAAC;AAC7C,OAAO,MAAM,MAAM,2BAA2B,CAAC;AAQ/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvE,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAmB,MAAM,eAAe,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAE3E,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACvC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAChC,MAAM,oBAAoB,GAAG,MAAM,CAAC;AACpC,MAAM,mBAAmB,GAAG,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;AAE7C,SAAS,WAAW,CAAI,CAAa,EAAE,EAAU,EAAE,SAAqB;IACtE,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,IAAI,CAAC;gBACH,SAAS,EAAE,CAAC;YACd,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,EAAE,IAAI,CAAC,CAAC,CAAC;QACvD,CAAC,EAAE,EAAE,CAAC,CAAC;QAEP,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACX,YAAY,CAAC,CAAC,CAAC,CAAC;YAChB,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YACb,YAAY,CAAC,CAAC,CAAC,CAAC;YAChB,MAAM,CAAC,CAAC,CAAC,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,UAAU,CAAC,MAAc,EAAE,IAAY;IACpD,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6CAA6C,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc,EAAE,QAAQ,GAAG,mBAAmB;IACrE,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE1B,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC3B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC3B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC7B,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC7B,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,CAAC,GAAU,EAAE,EAAE;YAC3B,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC;QACF,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;QAC3D,CAAC,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,KAAa,EAAE,EAAE;YAC/B,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;YAElC,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBAChC,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;oBACnB,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,OAAO,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,MAAM,QAAQ,EAAE,CAAC,CAAC,CAAC;oBAC3D,OAAO;gBACT,CAAC;gBAED,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;oBAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC;oBACvC,OAAO,EAAE,CAAC;oBACV,OAAO,CAAC,KAAK,CAAC,CAAC;gBACjB,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,cAAc;IAMC;IACA;IACA;IACA;IARX,KAAK,GAAG,IAAI,CAAC;IACb,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC;IAC7B,QAAQ,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE3C,YACmB,MAAc,EACd,UAAkB,EAClB,UAAkB,EAClB,MAAc;QAHd,WAAM,GAAN,MAAM,CAAQ;QACd,eAAU,GAAV,UAAU,CAAQ;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAQ;QAE/B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;gBACtD,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;oBAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACtB,OAAO;gBACT,CAAC;gBAED,IAAI,MAAM,GAAG,CAAC,CAAC;gBACf,OAAO,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;oBAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;oBAC/C,IAAI,GAAG,GAAG,mBAAmB,EAAE,CAAC;wBAC9B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;wBACtB,OAAO;oBACT,CAAC;oBACD,IAAI,MAAM,GAAG,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM;wBAAE,MAAM;oBAEnD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC;oBACvE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;oBAClE,MAAM,GAAG,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;oBACzC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;oBAElC,MAAM,IAAI,CAAC,GAAG,GAAG,CAAC;gBACpB,CAAC;gBAED,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAe;QACxB,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAClE,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,CAAC;IAED,SAAS,CAAC,OAAkC;QAC1C,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,UAAU,CAAC,OAAkC;QAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAClB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IAC9C,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAED,MAAM,aAAa;IAGY;IAFrB,MAAM,GAAiD,IAAI,CAAC;IAEpE,YAA6B,MAAc;QAAd,WAAM,GAAN,MAAM,CAAQ;IAAG,CAAC;IAE/C,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,YAAY,CAAC,OAA4C;QACvD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;IACxB,CAAC;IAED,QAAQ,CAAC,OAAyB;QAChC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,aAAyB,EACzB,IAAY,EACZ,YAAoB,OAAO;IAQ3B,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;IAE1C,MAAM,YAAY,GAAG;QACnB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC;QAC1D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC;KAC5D,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,OAAO,CAKvB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrB,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;gBACvD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAE/B,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;gBAChG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAErB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC3C,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;gBAE1F,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,MAAM,EACN,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CACvC,CAAC;gBAEF,MAAM,KAAK,GACT,SAAS,GAAG,CAAC;oBACX,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE;wBACd,MAAM,CAAC,OAAO,EAAE,CAAC;wBACjB,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC;oBAC7C,CAAC,EAAE,SAAS,CAAC;oBACf,CAAC,CAAC,IAAI,CAAC;gBAEX,MAAM,OAAO,GAAG,CAAC,GAAe,EAAE,EAAE;oBAClC,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB;wBAAE,OAAO;oBAC3C,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC1D,IAAI,CAAC,MAAM,CAAC,OAAO;wBAAE,OAAO;oBAE5B,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC;oBACjF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;oBAChC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;oBACpE,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;wBACnB,IAAI,KAAK;4BAAE,YAAY,CAAC,KAAK,CAAC,CAAC;wBAC/B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;wBAC5B,MAAM,CAAC,OAAO,EAAE,CAAC;wBACjB,MAAM,CAAC,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC,CAAC;wBAChE,OAAO;oBACT,CAAC;oBAED,IAAI,KAAK;wBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;oBAC/B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;oBAC5B,OAAO,CAAC;wBACN,OAAO;wBACP,UAAU,EAAE,OAAO;wBACnB,eAAe,EAAE,EAAE;wBACnB,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM;qBAC3B,CAAC,CAAC;gBACL,CAAC,CAAC;gBAEF,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC7B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GACZ,SAAS,GAAG,CAAC;QACX,CAAC,CAAC,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;YAC/B,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,CAAC;oBACH,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;gBACV,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC;YAC7C,CAAC,EAAE,SAAS,CAAC,CAAC;QAChB,CAAC,CAAC;QACJ,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC;IAChF,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,aAAyB,EACzB,kBAA8B,EAC9B,IAAY,EACZ,SAA+D;IAE/D,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;IAE1C,MAAM,YAAY,GAAG;QACnB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC;QAC1D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC;KAC5D,CAAC;IAEF,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;YACvD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAChG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAErB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1B,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAE1F,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,MAAM,EACN,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,GAAG,CAAC,CACjB,CAAC;YAEF,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,OAAO,gBAAgB;IAER;IACA;IAFnB,YACmB,aAAyB,EACzB,WAAwB;QADxB,kBAAa,GAAb,aAAa,CAAY;QACzB,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,IAAI,gBAAgB,EAAE,CAAC;QACpD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;QAE1C,MAAM,UAAU,GAAG;YACjB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YACjD,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;SACnD,CAAC;QAEF,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;gBACrD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAE/B,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;gBAChG,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAE3C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;gBACrC,MAAM,QAAQ,GAAG,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBAChF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACtC,IAAI,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACvC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO;gBACT,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC3C,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;gBAE1F,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,MAAM,EACN,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,GAAG,CAAC,CACjB,CAAC;gBACF,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAoB;QAChC,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG;YACnB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC;YAC/D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC;SACjE,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC;QACtD,SAAS,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;QAElE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACvE,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAE1F,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAChG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAErB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,IAAI,cAAc,CACvB,MAAM,EACN,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,OAAO,CAAC,CACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/src/utils/nono.d.ts

@@ -1,72 +0,0 @@
-/**
- * nono integration — wraps TPS CLI commands in nono process isolation.
- *
- * When nono is available on PATH, TPS commands run with kernel-level
- * filesystem and network restrictions defined by per-command TOML profiles.
- *
- * If nono is not installed:
- *   - Default (warn) mode: logs a warning and runs unprotected
- *   - Strict mode (TPS_NONO_STRICT=1): exits non-zero immediately
- *
- * Profile locations (searched in order):
- *   1. ~/.config/nono/profiles/<name>.toml
- *   2. <tps-install-dir>/nono-profiles/<name>.toml
- *
- * Usage:
- *   import { withNono } from "./nono.js";
- *   await withNono("tps-hire", { workdir: targetWorkspace }, async () => {
- *     // ... perform hire logic ...
- *   });
- */
-export type NonoProfile = "tps-hire" | "tps-roster" | "tps-review-local" | "tps-review-deep";
-export interface NonoOptions {
-    /** Override workdir for the nono sandbox (--workdir flag) */
-    workdir?: string;
-    /** Extra read-only paths to allow */
-    read?: string[];
-    /** Extra read-write paths to allow */
-    allow?: string[];
-}
-/**
- * Find the nono binary on PATH. Returns the resolved path or null.
- */
-export declare function findNono(): string | null;
-/**
- * Check if strict mode is enabled (TPS_NONO_STRICT=1).
- * In strict mode, TPS exits if nono is not available.
- */
-export declare function isNonoStrict(): boolean;
-/**
- * Build the nono command args for a given profile and subcommand.
- *
- * Returns: ["nono", "run", "--profile", name, ...options, "--", ...cmd]
- */
-export declare function buildNonoArgs(profile: NonoProfile, options: NonoOptions, cmd: string[]): string[];
-/**
- * Run a function wrapped in nono isolation.
- *
- * If nono is unavailable:
- *   - strict mode → throws (exits non-zero)
- *   - warn mode (default) → logs warning and runs fn directly
- *
- * The callback receives the nono binary path (or null if unavailable).
- * In most cases you won't need it — this wrapper handles invocation.
- *
- * Note: This wrapper is for use when TPS itself is the process being
- * sandboxed. The more common case is calling `runUnderNono()` to spawn
- * a subprocess under nono.
- */
-export declare function withNono(profile: NonoProfile, options: NonoOptions, fn: () => Promise<void>): Promise<void>;
-/**
- * Spawn an external command under nono isolation.
- *
- * Returns the exit code of the wrapped command.
- * Throws if nono is unavailable and strict mode is on.
- */
-export declare function runCommandUnderNono(profile: NonoProfile, options: NonoOptions, cmd: string[]): number;
-/**
- * Install nono profiles to ~/.config/nono/profiles/.
- * Called during `tps install` or first-run setup.
- */
-export declare function installNonoProfiles(targetDir?: string, silent?: boolean): void;
-//# sourceMappingURL=nono.d.ts.map

package/dist/src/utils/nono.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"nono.d.ts","sourceRoot":"","sources":["../../../src/utils/nono.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAUH,MAAM,MAAM,WAAW,GACnB,UAAU,GACV,YAAY,GACZ,kBAAkB,GAClB,iBAAiB,CAAC;AAEtB,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,QAAQ,IAAI,MAAM,GAAG,IAAI,CAUxC;AAED;;;GAGG;AACH,wBAAgB,YAAY,IAAI,OAAO,CAEtC;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,EAAE,GACZ,MAAM,EAAE,CAiBV;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,QAAQ,CAC5B,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,WAAW,EACpB,EAAE,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GACtB,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,EAAE,GACZ,MAAM,CA4BR;AAaD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,CAwB9E"}

package/dist/src/utils/nono.js

@@ -1,166 +0,0 @@
-/**
- * nono integration — wraps TPS CLI commands in nono process isolation.
- *
- * When nono is available on PATH, TPS commands run with kernel-level
- * filesystem and network restrictions defined by per-command TOML profiles.
- *
- * If nono is not installed:
- *   - Default (warn) mode: logs a warning and runs unprotected
- *   - Strict mode (TPS_NONO_STRICT=1): exits non-zero immediately
- *
- * Profile locations (searched in order):
- *   1. ~/.config/nono/profiles/<name>.toml
- *   2. <tps-install-dir>/nono-profiles/<name>.toml
- *
- * Usage:
- *   import { withNono } from "./nono.js";
- *   await withNono("tps-hire", { workdir: targetWorkspace }, async () => {
- *     // ... perform hire logic ...
- *   });
- */
-import { spawnSync } from "node:child_process";
-import { existsSync, mkdirSync, copyFileSync, readdirSync } from "node:fs";
-import { join, dirname } from "node:path";
-import { fileURLToPath } from "node:url";
-import { homedir } from "node:os";
-const __dirname = dirname(fileURLToPath(import.meta.url));
-/**
- * Find the nono binary on PATH. Returns the resolved path or null.
- */
-export function findNono() {
-    if (process.env.TPS_FORCE_NO_NONO === "1")
-        return null;
-    const result = spawnSync("which", ["nono"], {
-        encoding: "utf-8",
-        env: process.env, // explicitly pass so PATH mutations in tests are respected
-    });
-    if (result.status === 0 && result.stdout.trim()) {
-        return result.stdout.trim();
-    }
-    return null;
-}
-/**
- * Check if strict mode is enabled (TPS_NONO_STRICT=1).
- * In strict mode, TPS exits if nono is not available.
- */
-export function isNonoStrict() {
-    return process.env.TPS_NONO_STRICT === "1";
-}
-/**
- * Build the nono command args for a given profile and subcommand.
- *
- * Returns: ["nono", "run", "--profile", name, ...options, "--", ...cmd]
- */
-export function buildNonoArgs(profile, options, cmd) {
-    const args = ["run", "--profile", profile, "--allow-cwd"];
-    if (options.workdir) {
-        args.push("--workdir", options.workdir);
-    }
-    for (const p of options.read ?? []) {
-        args.push("--read", p);
-    }
-    for (const p of options.allow ?? []) {
-        args.push("--allow", p);
-    }
-    args.push("--", ...cmd);
-    return args;
-}
-/**
- * Run a function wrapped in nono isolation.
- *
- * If nono is unavailable:
- *   - strict mode → throws (exits non-zero)
- *   - warn mode (default) → logs warning and runs fn directly
- *
- * The callback receives the nono binary path (or null if unavailable).
- * In most cases you won't need it — this wrapper handles invocation.
- *
- * Note: This wrapper is for use when TPS itself is the process being
- * sandboxed. The more common case is calling `runUnderNono()` to spawn
- * a subprocess under nono.
- */
-export async function withNono(profile, options, fn) {
-    const nono = findNono();
-    if (!nono) {
-        if (isNonoStrict()) {
-            console.error(`❌ nono is not installed but TPS_NONO_STRICT=1. Install nono from https://nono.sh`);
-            process.exit(1);
-        }
-        else {
-            console.warn(`⚠️  nono not found — running ${profile} WITHOUT isolation. Install nono for security: https://nono.sh`);
-            return fn();
-        }
-    }
-    // nono is available — run the callback directly (the current process IS already
-    // being run via nono by the calling shell, or we re-exec under nono).
-    // For TPS's architecture, we use runCommandUnderNono() for subprocess isolation.
-    return fn();
-}
-/**
- * Spawn an external command under nono isolation.
- *
- * Returns the exit code of the wrapped command.
- * Throws if nono is unavailable and strict mode is on.
- */
-export function runCommandUnderNono(profile, options, cmd) {
-    const nono = findNono();
-    if (!nono) {
-        if (isNonoStrict()) {
-            console.error(`❌ nono is not installed but TPS_NONO_STRICT=1. Install nono from https://nono.sh`);
-            return 1;
-        }
-        console.warn(`⚠️  nono not found — running WITHOUT isolation: ${cmd.join(" ")}`);
-        const result = spawnSync(cmd[0], cmd.slice(1), {
-            stdio: "inherit",
-            encoding: "utf-8",
-            env: process.env,
-        });
-        return result.status ?? 1;
-    }
-    const args = buildNonoArgs(profile, options, cmd);
-    const result = spawnSync(nono, args, {
-        stdio: "inherit",
-        encoding: "utf-8",
-        env: process.env,
-    });
-    return result.status ?? 1;
-}
-function findBundledProfilesDir() {
-    const candidates = [
-        join(__dirname, "..", "..", "nono-profiles"), // dist/src/utils -> nono-profiles
-        join(__dirname, "..", "..", "..", "nono-profiles"), // deeper nesting
-    ];
-    for (const c of candidates) {
-        if (existsSync(c))
-            return c;
-    }
-    return join(__dirname, "..", "..", "nono-profiles"); // fallback
-}
-/**
- * Install nono profiles to ~/.config/nono/profiles/.
- * Called during `tps install` or first-run setup.
- */
-export function installNonoProfiles(targetDir, silent) {
-    const home = process.env.HOME || homedir() || "/tmp";
-    const profilesDir = targetDir ?? join(home, ".config", "nono", "profiles");
-    // Source: bundled profiles shipped with TPS
-    const bundledDir = findBundledProfilesDir();
-    if (!existsSync(bundledDir)) {
-        if (!silent)
-            console.warn(`⚠️  No bundled nono profiles found at ${bundledDir}`);
-        return;
-    }
-    mkdirSync(profilesDir, { recursive: true });
-    for (const file of readdirSync(bundledDir)) {
-        if (file.endsWith(".toml")) {
-            const src = join(bundledDir, file);
-            const dst = join(profilesDir, file);
-            if (!existsSync(dst)) {
-                copyFileSync(src, dst);
-                if (!silent)
-                    console.log(`  ✓ Installed nono profile: ${file}`);
-            }
-        }
-    }
-}
-//# sourceMappingURL=nono.js.map

package/dist/src/utils/nono.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"nono.js","sourceRoot":"","sources":["../../../src/utils/nono.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,SAAS,EAAyB,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAiB1D;;GAEG;AACH,MAAM,UAAU,QAAQ;IACtB,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE;QAC1C,QAAQ,EAAE,OAAO;QACjB,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,2DAA2D;KAC9E,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QAChD,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,GAAG,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAoB,EACpB,OAAoB,EACpB,GAAa;IAEb,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;IAE1D,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,GAAG,CAAC,CAAC;IACxB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAoB,EACpB,OAAoB,EACpB,EAAuB;IAEvB,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;IAExB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,YAAY,EAAE,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CACV,gCAAgC,OAAO,gEAAgE,CACxG,CAAC;YACF,OAAO,EAAE,EAAE,CAAC;QACd,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,sEAAsE;IACtE,iFAAiF;IACjF,OAAO,EAAE,EAAE,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAoB,EACpB,OAAoB,EACpB,GAAa;IAEb,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;IAExB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,YAAY,EAAE,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,IAAI,CACV,mDAAmD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACnE,CAAC;QACF,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAE,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;YAC9C,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE,OAAO,CAAC,GAAG;SACjB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE;QACnC,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,OAAO;QACjB,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,sBAAsB;IAC7B,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,EAAW,kCAAkC;QACzF,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,EAAM,iBAAiB;KAC1E,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,WAAW;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAkB,EAAE,MAAgB;IACtE,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,EAAE,IAAI,MAAM,CAAC;IACrD,MAAM,WAAW,GAAG,SAAS,IAAI,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IAE3E,4CAA4C;IAC5C,MAAM,UAAU,GAAG,sBAAsB,EAAE,CAAC;IAE5C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM;YAAE,OAAO,CAAC,IAAI,CAAC,yCAAyC,UAAU,EAAE,CAAC,CAAC;QACjF,OAAO;IACT,CAAC;IAED,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5C,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACnC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YACpC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrB,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACvB,IAAI,CAAC,MAAM;oBAAE,OAAO,CAAC,GAAG,CAAC,+BAA+B,IAAI,EAAE,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/src/utils/outbox.d.ts

@@ -1,10 +0,0 @@
-export interface OutboxMessage {
-    id: string;
-    to: string;
-    from: string;
-    body: string;
-    timestamp: string;
-}
-export declare function queueOutboxMessage(to: string, body: string, from: string): void;
-export declare function drainOutbox(): OutboxMessage[];
-//# sourceMappingURL=outbox.d.ts.map

package/dist/src/utils/outbox.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"outbox.d.ts","sourceRoot":"","sources":["../../../src/utils/outbox.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAO/E;AAED,wBAAgB,WAAW,IAAI,aAAa,EAAE,CAa7C"}