@tpsdev-ai/cli 0.1.0

package/dist/src/utils/ws-noise-transport.js

@@ -0,0 +1,356 @@
+import { createServer } from "node:http";
+import { EventEmitter } from "node:events";
+import { WebSocketServer, WebSocket } from "ws";
+import Noise from "noise-handshake/noise.js";
+import Cipher from "noise-handshake/cipher.js";
+import { decodeWireMessage, encodeWireMessage } from "./wire-frame.js";
+import { fingerprint, lookupBranch } from "./identity.js";
+import { JoinCompleteBodySchema, MSG_JOIN_COMPLETE } from "./wire-mail.js";
+import { handleGithubWebhook } from "./github-webhook.js";
+const PROLOGUE = Buffer.from("tps-v1");
+const HANDSHAKE_TIMEOUT_MS = 10_000;
+const MAX_MESSAGE_BYTES = 1024 * 1024 + 64;
+const WS_PATH = "/tps/wire";
+function toBuffer(data) {
+    if (Buffer.isBuffer(data))
+        return data;
+    if (Array.isArray(data))
+        return Buffer.concat(data.map((d) => Buffer.from(d)));
+    if (data instanceof ArrayBuffer)
+        return Buffer.from(data);
+    return Buffer.from(data);
+}
+function waitForMessage(ws, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const cleanup = () => {
+            ws.off("close", onClose);
+            ws.off("error", onErr);
+        };
+        const timer = setTimeout(() => {
+            cleanup();
+            reject(new Error(`WebSocket message timeout after ${timeoutMs}ms`));
+        }, timeoutMs);
+        const onClose = () => {
+            clearTimeout(timer);
+            cleanup();
+            reject(new Error("WebSocket closed before message received"));
+        };
+        const onErr = (err) => {
+            clearTimeout(timer);
+            cleanup();
+            reject(err);
+        };
+        ws.once("message", (data) => {
+            clearTimeout(timer);
+            cleanup();
+            resolve(toBuffer(data));
+        });
+        ws.once("close", onClose);
+        ws.once("error", onErr);
+    });
+}
+class WsNoiseChannel {
+    ws;
+    sendCipher;
+    recvCipher;
+    peerFp;
+    alive = true;
+    emitter = new EventEmitter();
+    constructor(ws, sendCipher, recvCipher, peerFp) {
+        this.ws = ws;
+        this.sendCipher = sendCipher;
+        this.recvCipher = recvCipher;
+        this.peerFp = peerFp;
+        ws.on("close", () => {
+            this.alive = false;
+        });
+        ws.on("message", (data) => {
+            try {
+                const raw = toBuffer(data);
+                if (raw.length > MAX_MESSAGE_BYTES) {
+                    ws.close(1008, "rejected");
+                    return;
+                }
+                const decrypted = Buffer.from(this.recvCipher.decrypt(raw));
+                const msg = decodeWireMessage(decrypted);
+                this.emitter.emit("message", msg);
+            }
+            catch {
+                ws.close(1008, "rejected");
+            }
+        });
+    }
+    async send(msg) {
+        const wire = encodeWireMessage(msg);
+        const encrypted = Buffer.from(this.sendCipher.encrypt(wire));
+        await new Promise((resolve, reject) => {
+            this.ws.send(encrypted, (err) => (err ? reject(err) : resolve()));
+        });
+    }
+    onMessage(handler) {
+        this.emitter.on("message", handler);
+    }
+    offMessage(handler) {
+        this.emitter.off("message", handler);
+    }
+    async close() {
+        this.ws.close();
+        this.alive = false;
+    }
+    isAlive() {
+        return this.alive && this.ws.readyState === WebSocket.OPEN;
+    }
+    peerFingerprint() {
+        return this.peerFp;
+    }
+}
+class WsNoiseServer {
+    httpServer;
+    wss;
+    onConn = null;
+    constructor(httpServer, wss) {
+        this.httpServer = httpServer;
+        this.wss = wss;
+    }
+    port() {
+        const addr = this.httpServer.address();
+        if (!addr || typeof addr === "string")
+            return 0;
+        return addr.port;
+    }
+    onConnection(handler) {
+        this.onConn = handler;
+    }
+    dispatch(channel) {
+        this.onConn?.(channel);
+    }
+    async close() {
+        await new Promise((resolve) => this.wss.close(() => resolve()));
+        await new Promise((resolve, reject) => {
+            this.httpServer.close((err) => (err ? reject(err) : resolve()));
+        });
+    }
+}
+export class WsNoiseTransport {
+    localKeyPair;
+    hostKeyPair;
+    constructor(localKeyPair, hostKeyPair) {
+        this.localKeyPair = localKeyPair;
+        this.hostKeyPair = hostKeyPair;
+    }
+    async listen(port) {
+        const host = this.hostKeyPair ?? this.localKeyPair;
+        const httpServer = createServer((_req, res) => {
+            res.statusCode = 404;
+            res.end();
+        });
+        const wss = new WebSocketServer({ server: httpServer, path: WS_PATH });
+        const wrapper = new WsNoiseServer(httpServer, wss);
+        const hostStatic = {
+            publicKey: Buffer.from(host.encryption.publicKey),
+            secretKey: Buffer.from(host.encryption.privateKey),
+        };
+        wss.on("connection", async (ws) => {
+            try {
+                const responder = new Noise("IK", false, hostStatic);
+                responder.initialise(PROLOGUE);
+                const msg1 = await waitForMessage(ws, HANDSHAKE_TIMEOUT_MS);
+                const payload = Buffer.from(responder.recv(msg1));
+                const branchId = payload.toString("utf-8");
+                const known = lookupBranch(branchId);
+                const expected = known?.encryptionKey ? Buffer.from(known.encryptionKey) : null;
+                const got = Buffer.from(responder.rs);
+                if (!expected || !got.equals(expected)) {
+                    ws.close(1008, "rejected");
+                    return;
+                }
+                const msg2 = Buffer.from(responder.send());
+                ws.send(msg2);
+                const channel = new WsNoiseChannel(ws, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(got));
+                wrapper.dispatch(channel);
+            }
+            catch {
+                ws.close(1008, "rejected");
+            }
+        });
+        await new Promise((resolve, reject) => {
+            httpServer.listen(port, "0.0.0.0", () => resolve());
+            httpServer.once("error", reject);
+        });
+        return wrapper;
+    }
+    async connect(target) {
+        const isLocal = target.host === "localhost" || target.host === "127.0.0.1" || target.host === "::1";
+        const scheme = isLocal ? "ws" : "wss";
+        const url = `${scheme}://${target.host}:${target.port}${WS_PATH}`;
+        const ws = new WebSocket(url);
+        // Track early close from server (rejection before handshake completes)
+        let earlyClose = false;
+        let earlyCloseReject = null;
+        await new Promise((resolve, reject) => {
+            ws.once("open", () => resolve());
+            ws.once("error", reject);
+        });
+        // Attach close handler IMMEDIATELY after open, before any handshake
+        ws.on("close", () => {
+            earlyClose = true;
+            earlyCloseReject?.(new Error("Connection rejected by server"));
+        });
+        const localStatic = {
+            publicKey: Buffer.from(this.localKeyPair.encryption.publicKey),
+            secretKey: Buffer.from(this.localKeyPair.encryption.privateKey),
+        };
+        const initiator = new Noise("IK", true, localStatic);
+        initiator.initialise(PROLOGUE, Buffer.from(target.hostPublicKey));
+        const msg1 = Buffer.from(initiator.send(Buffer.from(target.branchId)));
+        ws.send(msg1);
+        // Wait for msg2 OR early close
+        let msg2;
+        try {
+            msg2 = await new Promise((resolve, reject) => {
+                if (earlyClose) {
+                    reject(new Error("Connection rejected by server"));
+                    return;
+                }
+                earlyCloseReject = reject;
+                const timer = setTimeout(() => {
+                    reject(new Error(`Handshake timeout after ${HANDSHAKE_TIMEOUT_MS}ms`));
+                }, HANDSHAKE_TIMEOUT_MS);
+                ws.once("message", (data) => {
+                    clearTimeout(timer);
+                    earlyCloseReject = null;
+                    resolve(toBuffer(data));
+                });
+            });
+        }
+        catch (e) {
+            ws.close(1008, "rejected");
+            throw e;
+        }
+        initiator.recv(msg2);
+        const gotHost = Buffer.from(initiator.rs);
+        const expectedHost = Buffer.from(target.hostPublicKey);
+        if (!gotHost.equals(expectedHost)) {
+            ws.close(1008, "rejected");
+            throw new Error("Host key mismatch after Noise_IK handshake");
+        }
+        return new WsNoiseChannel(ws, new Cipher(initiator.tx), new Cipher(initiator.rx), fingerprint(gotHost));
+    }
+}
+export async function listenForJoinWs(branchKeyPair, port, timeoutMs = 120_000) {
+    // Join-mode WS server: raw Noise_IK handshake without registry lookup.
+    // Analogous to listenForJoin() in noise-ik-transport.ts.
+    const httpServer = createServer((_req, res) => { res.statusCode = 404; res.end(); });
+    const wss = new WebSocketServer({ server: httpServer, path: WS_PATH });
+    const branchStatic = {
+        publicKey: Buffer.from(branchKeyPair.encryption.publicKey),
+        secretKey: Buffer.from(branchKeyPair.encryption.privateKey),
+    };
+    await new Promise((resolve, reject) => {
+        httpServer.once("error", reject);
+        httpServer.listen(port, "0.0.0.0", () => resolve());
+    });
+    // Wrap as a TransportServer (for close(); onConnection not used in join mode)
+    const serverWrapper = {
+        onConnection: () => { },
+        close: () => new Promise((resolve, reject) => {
+            wss.close();
+            httpServer.close((err) => (err ? reject(err) : resolve()));
+        }),
+    };
+    const joined = new Promise((resolve, reject) => {
+        const timeout = timeoutMs > 0
+            ? setTimeout(() => reject(new Error("JOIN_COMPLETE timeout")), timeoutMs)
+            : null;
+        wss.once("connection", async (ws) => {
+            try {
+                const responder = new Noise("IK", false, branchStatic);
+                responder.initialise(PROLOGUE);
+                const msg1 = await waitForMessage(ws, HANDSHAKE_TIMEOUT_MS);
+                responder.recv(msg1);
+                const msg2 = Buffer.from(responder.send());
+                ws.send(msg2);
+                const channel = new WsNoiseChannel(ws, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(Buffer.from(responder.rs)));
+                const handler = (msg) => {
+                    if (msg.type !== MSG_JOIN_COMPLETE)
+                        return;
+                    const parsed = JoinCompleteBodySchema.safeParse(msg.body);
+                    if (!parsed.success)
+                        return;
+                    const hostPub = new Uint8Array(Buffer.from(parsed.data.hostPubkey, "base64url"));
+                    const fp = fingerprint(hostPub);
+                    const claimed = parsed.data.hostFingerprint.replace(/^sha256:/, "");
+                    if (fp !== claimed) {
+                        channel.offMessage(handler);
+                        reject(new Error("Host fingerprint mismatch in JOIN_COMPLETE"));
+                        return;
+                    }
+                    if (timeout)
+                        clearTimeout(timeout);
+                    channel.offMessage(handler);
+                    resolve({ channel, hostPubkey: hostPub, hostFingerprint: fp, hostId: parsed.data.hostId });
+                };
+                channel.onMessage(handler);
+            }
+            catch (e) {
+                ws.close(1011, "handshake failed");
+                reject(e);
+            }
+        });
+    });
+    const result = await joined;
+    return { ...result, server: serverWrapper };
+}
+export async function listenForHostWs(branchKeyPair, expectedHostPubkey, port, onMessage) {
+    // Branch-side persistent listener: raw Noise_IK handshake without registry lookup.
+    // After handshake, verify peer is the pinned host key.
+    const httpServer = createServer((req, res) => {
+        if (req.method === "POST" && req.url === "/github/webhook") {
+            handleGithubWebhook(req, res).catch((e) => {
+                res.statusCode = 500;
+                res.end("Internal error");
+                console.error("[webhook] error:", e.message);
+            });
+            return;
+        }
+        res.statusCode = 404;
+        res.end();
+    });
+    const wss = new WebSocketServer({ server: httpServer, path: WS_PATH });
+    const branchStatic = {
+        publicKey: Buffer.from(branchKeyPair.encryption.publicKey),
+        secretKey: Buffer.from(branchKeyPair.encryption.privateKey),
+    };
+    wss.on("connection", async (ws) => {
+        try {
+            const responder = new Noise("IK", false, branchStatic);
+            responder.initialise(PROLOGUE);
+            const msg1 = await waitForMessage(ws, HANDSHAKE_TIMEOUT_MS);
+            responder.recv(msg1); // payload = branchId sent by host (ignored here)
+            const peerKey = Buffer.from(responder.rs);
+            if (!peerKey.equals(Buffer.from(expectedHostPubkey))) {
+                ws.close(1008, "rejected");
+                return;
+            }
+            const msg2 = Buffer.from(responder.send());
+            ws.send(msg2);
+            const channel = new WsNoiseChannel(ws, new Cipher(responder.tx), new Cipher(responder.rx), fingerprint(Buffer.from(responder.rs)));
+            channel.onMessage((msg) => onMessage(msg, channel));
+        }
+        catch {
+            ws.close(1011, "handshake failed");
+        }
+    });
+    await new Promise((resolve, reject) => {
+        httpServer.once("error", reject);
+        httpServer.listen(port, "0.0.0.0", () => resolve());
+    });
+    return {
+        onConnection: () => { },
+        close: () => new Promise((resolve, reject) => {
+            wss.close();
+            httpServer.close((err) => (err ? reject(err) : resolve()));
+        }),
+    };
+}
+//# sourceMappingURL=ws-noise-transport.js.map

package/dist/src/utils/ws-noise-transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws-noise-transport.js","sourceRoot":"","sources":["../../../src/utils/ws-noise-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6B,MAAM,WAAW,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAChD,OAAO,KAAK,MAAM,0BAA0B,CAAC;AAC7C,OAAO,MAAM,MAAM,2BAA2B,CAAC;AAQ/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvE,OAAO,EAAE,WAAW,EAAoB,YAAY,EAAmB,MAAM,eAAe,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACvC,MAAM,oBAAoB,GAAG,MAAM,CAAC;AACpC,MAAM,iBAAiB,GAAG,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;AAC3C,MAAM,OAAO,GAAG,WAAW,CAAC;AAE5B,SAAS,QAAQ,CAAC,IAAuB;IACvC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,IAAI,IAAI,YAAY,WAAW;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,OAAO,MAAM,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,cAAc,CAAC,EAAa,EAAE,SAAiB;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACzB,EAAE,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACzB,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,SAAS,IAAI,CAAC,CAAC,CAAC;QACtE,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC;QACF,MAAM,KAAK,GAAG,CAAC,GAAU,EAAE,EAAE;YAC3B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC;QAEF,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE;YAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,EAAE,CAAC;YACV,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC1B,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,cAAc;IAKC;IACA;IACA;IACA;IAPX,KAAK,GAAG,IAAI,CAAC;IACb,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC;IAErC,YACmB,EAAa,EACb,UAAkB,EAClB,UAAkB,EAClB,MAAc;QAHd,OAAE,GAAF,EAAE,CAAW;QACb,eAAU,GAAV,UAAU,CAAQ;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAQ;QAE/B,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC3B,IAAI,GAAG,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;oBACnC,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;oBAC3B,OAAO;gBACT,CAAC;gBACD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC5D,MAAM,GAAG,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACzC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAe;QACxB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,CAAC,OAAkC;QAC1C,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,UAAU,CAAC,OAAkC;QAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,CAAC;IAC7D,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAED,MAAM,aAAa;IAGY;IAAyC;IAF9D,MAAM,GAAiD,IAAI,CAAC;IAEpE,YAA6B,UAAsB,EAAmB,GAAoB;QAA7D,eAAU,GAAV,UAAU,CAAY;QAAmB,QAAG,GAAH,GAAG,CAAiB;IAAG,CAAC;IAE9F,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACvC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,YAAY,CAAC,OAA4C;QACvD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;IACxB,CAAC;IAED,QAAQ,CAAC,OAAyB;QAChC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACtE,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,gBAAgB;IAER;IACA;IAFnB,YACmB,YAAwB,EACxB,WAAwB;QADxB,iBAAY,GAAZ,YAAY,CAAY;QACxB,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,YAAY,CAAC;QACnD,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC5C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAEnD,MAAM,UAAU,GAAG;YACjB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YACjD,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;SACnD,CAAC;QAEF,GAAG,CAAC,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;gBACrD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAE/B,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,oBAAoB,CAAC,CAAC;gBAC5D,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAE3C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;gBACrC,MAAM,QAAQ,GAAG,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBAChF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACtC,IAAI,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACvC,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;oBAC3B,OAAO;gBACT,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC3C,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEd,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,EAAE,EACF,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,GAAG,CAAC,CACjB,CAAC;gBACF,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACpD,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAoB;QAChC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,CAAC;QACpG,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACtC,MAAM,GAAG,GAAG,GAAG,MAAM,MAAM,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;QAClE,MAAM,EAAE,GAAG,IAAI,SAAS,CAAC,GAAG,CAAC,CAAC;QAE9B,uEAAuE;QACvE,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,gBAAgB,GAAkC,IAAI,CAAC;QAE3D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACjC,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;QAEH,oEAAoE;QACpE,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,UAAU,GAAG,IAAI,CAAC;YAClB,gBAAgB,EAAE,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG;YAClB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC;YAC9D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC;SAChE,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;QACrD,SAAS,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;QAElE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACvE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,+BAA+B;QAC/B,IAAI,IAAY,CAAC;QACjB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACnD,IAAI,UAAU,EAAE,CAAC;oBAAC,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;oBAAC,OAAO;gBAAC,CAAC;gBAC/E,gBAAgB,GAAG,MAAM,CAAC;gBAE1B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC5B,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,oBAAoB,IAAI,CAAC,CAAC,CAAC;gBACzE,CAAC,EAAE,oBAAoB,CAAC,CAAC;gBAEzB,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE;oBAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;oBACpB,gBAAgB,GAAG,IAAI,CAAC;oBACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC1B,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC3B,MAAM,CAAC,CAAC;QACV,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAErB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAClC,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,IAAI,cAAc,CACvB,EAAE,EACF,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,OAAO,CAAC,CACrB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAAyB,EACzB,IAAY,EACZ,YAAoB,OAAO;IAQ3B,uEAAuE;IACvE,yDAAyD;IACzD,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAEvE,MAAM,YAAY,GAAG;QACnB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC;QAC1D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC;KAC5D,CAAC;IAEF,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAC9E,MAAM,aAAa,GAAoB;QACrC,YAAY,EAAE,GAAG,EAAE,GAAE,CAAC;QACtB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,GAAG,CAAC,KAAK,EAAE,CAAC;YACZ,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC,CAAC;KACL,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,OAAO,CAKvB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrB,MAAM,OAAO,GACX,SAAS,GAAG,CAAC;YACX,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,SAAS,CAAC;YACzE,CAAC,CAAC,IAAI,CAAC;QAEX,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;YAClC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;gBACvD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAE/B,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,oBAAoB,CAAC,CAAC;gBAC5D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAErB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC3C,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEd,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,EAAE,EACF,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CACvC,CAAC;gBAEF,MAAM,OAAO,GAAG,CAAC,GAAe,EAAE,EAAE;oBAClC,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB;wBAAE,OAAO;oBAC3C,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC1D,IAAI,CAAC,MAAM,CAAC,OAAO;wBAAE,OAAO;oBAE5B,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC;oBACjF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;oBAChC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;oBACpE,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;wBACnB,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;wBAC5B,MAAM,CAAC,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC,CAAC;wBAChE,OAAO;oBACT,CAAC;oBACD,IAAI,OAAO;wBAAE,YAAY,CAAC,OAAO,CAAC,CAAC;oBACnC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;oBAC5B,OAAO,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC7F,CAAC,CAAC;gBAEF,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC7B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;gBACnC,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;IAC5B,OAAO,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAAyB,EACzB,kBAA8B,EAC9B,IAAY,EACZ,SAA+E;IAE/E,mFAAmF;IACnF,uDAAuD;IACvD,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,iBAAiB,EAAE,CAAC;YAC3D,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAQ,EAAE,EAAE;gBAC/C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC1B,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAEvE,MAAM,YAAY,GAAG;QACnB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC;QAC1D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC;KAC5D,CAAC;IAEF,GAAG,CAAC,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QAChC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC;YACvD,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,oBAAoB,CAAC,CAAC;YAC5D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,iDAAiD;YAEvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,EAAE,CAAC;gBACrD,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBAC3B,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEd,MAAM,OAAO,GAAG,IAAI,cAAc,CAChC,EAAE,EACF,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,EACxB,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CACvC,CAAC;YACF,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,YAAY,EAAE,GAAG,EAAE,GAAE,CAAC;QACtB,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACpC,GAAG,CAAC,KAAK,EAAE,CAAC;YACZ,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC,CAAC;KACL,CAAC;AACJ,CAAC"}

package/nono-profiles/tps-hire.toml

@@ -0,0 +1,17 @@
+[meta]
+name = "tps-hire"
+version = "1.0.0"
+description = "tps hire — agent workspace scaffolding. Least privilege: writes only to target workspace."
+
+# CWD = the target workspace directory passed via --workdir
+[workdir]
+access = "readwrite"
+
+[filesystem]
+# No openclaw.json access — hire doesn't need to read existing config (S1.4)
+# No $HOME/.tps/templates — templates are bundled in the npm package
+# No $TMPDIR — no build artifacts in Phase 1.5
+# Nothing. Workdir only.
+
+[network]
+block = true  # No network during hire. Templates are bundled.

package/nono-profiles/tps-review-deep.toml

@@ -0,0 +1,18 @@
+[meta]
+name = "tps-review-deep"
+version = "1.0.0"
+description = "tps review --deep — LLM-assisted review. Same filesystem access as local, adds network."
+
+[workdir]
+access = "none"
+
+[filesystem]
+read_file = [
+  "$HOME/.openclaw/openclaw.json"
+]
+read = [
+  "$WORKDIR"  # Named agent workspace only. No siblings.
+]
+
+[network]
+block = false  # LLM API access required. Allowlist TBD when nono network allowlist support ships.

package/nono-profiles/tps-review-local.toml

@@ -0,0 +1,21 @@
+[meta]
+name = "tps-review-local"
+version = "1.0.0"
+description = "tps review (default) — reads named agent workspace, no LLM, no network."
+
+# workdir = the specific named agent workspace (set via --workdir by tps CLI)
+# This naturally enforces S3.2: sibling workspaces are inaccessible because
+# only $WORKDIR is in the read allowlist.
+[workdir]
+access = "none"
+
+[filesystem]
+read_file = [
+  "$HOME/.openclaw/openclaw.json"  # Agent metadata lookup
+]
+read = [
+  "$WORKDIR"  # Named agent workspace only. No siblings.
+]
+
+[network]
+block = true

package/nono-profiles/tps-roster.toml

@@ -0,0 +1,16 @@
+[meta]
+name = "tps-roster"
+version = "1.0.0"
+description = "tps roster — read-only org chart. Single file, no writes, no network."
+
+[workdir]
+access = "none"
+
+[filesystem]
+# read_file = single file access (non-recursive) — more precise than read = [dir]
+read_file = [
+  "$HOME/.openclaw/openclaw.json"
+]
+
+[network]
+block = true

package/package.json

@@ -0,0 +1,68 @@
+{
+  "name": "@tpsdev-ai/cli",
+  "version": "0.1.0",
+  "description": "TPS Report CLI — because every agent needs the proper paperwork.",
+  "type": "module",
+  "bin": {
+    "tps": "./dist/bin/tps.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/bin/tps.js",
+    "tps": "node dist/bin/tps.js",
+    "lint": "biome lint ./src ./bin",
+    "lint:ci": "biome lint ./src ./bin --max-diagnostics=200",
+    "pretest": "tsc",
+    "test": "bun test",
+    "test:unit": "bun test --filter unit",
+    "test:integration": "docker compose run --rm test"
+  },
+  "keywords": [
+    "cli",
+    "agents",
+    "openclaw",
+    "tps"
+  ],
+  "license": "Apache-2.0",
+  "dependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/ed25519": "^3.0.0",
+    "@noble/hashes": "^2.0.1",
+    "@types/ws": "^8.18.1",
+    "handlebars": "^4.7.8",
+    "ink": "^5.2.0",
+    "js-yaml": "^4.1.0",
+    "meow": "^13.2.0",
+    "msgpackr": "^1.11.8",
+    "noise-handshake": "^4.2.0",
+    "react": "^18.3.1",
+    "ws": "^8.19.0",
+    "zod": "^3.24.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.4.4",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^22.0.0",
+    "@types/react": "^18.3.0",
+    "typescript": "^5.7.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tpsdev-ai/cli.git"
+  },
+  "homepage": "https://github.com/tpsdev-ai/cli#readme",
+  "bugs": {
+    "url": "https://github.com/tpsdev-ai/cli/issues"
+  },
+  "files": [
+    "dist",
+    "nono-profiles",
+    "personas",
+    "reports"
+  ],
+  "author": "tpsdev-ai",
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/personas/designer.tps

@@ -0,0 +1,58 @@
+version: "1"
+
+name: Designer
+description: >
+  UI/UX design, user research, visual design, and design systems.
+  Advocates for the user experience and ensures the product looks
+  and feels right.
+
+identity:
+  default_name: Pixel
+  emoji: "🎨"
+  personality: >
+    Creative, user-focused, detail-obsessed about visual consistency.
+    Balances aesthetics with usability. Pushes back when something
+    feels wrong even if it's technically correct.
+  communication_style: >
+    Visual thinker — prefers showing over telling. Uses references
+    and examples. Explains design decisions in terms of user impact.
+
+flair:
+  - ui-design
+  - ux-research
+  - design-systems
+  - prototyping
+  - accessibility
+
+model:
+  default: reasoning
+
+tools:
+  required:
+    - file-ops
+    - web-search
+    - browser
+  optional:
+    - git
+
+communication:
+  channels: [team-chat, direct]
+  handoff_targets: [developer]
+
+boundaries:
+  can_commit: false
+  can_send_external: false
+  can_spend: false
+
+memory:
+  private: true
+  shared_read:
+    - project-state
+    - decisions
+  shared_write:
+    - design-specs
+
+openclaw:
+  model: "anthropic/claude-sonnet-4-20250514"
+  thinking: "off"
+  channel: "discord"

package/personas/developer.tps

@@ -0,0 +1,59 @@
+version: "1"
+
+name: Developer
+description: >
+  Software development, code review, architecture decisions,
+  debugging, and technical implementation. The hands-on builder
+  who turns ideas into working software.
+
+identity:
+  default_name: Dev
+  emoji: "💻"
+  personality: >
+    Pragmatic, detail-oriented, opinionated about code quality.
+    Prefers working solutions over theoretical perfection. Knows
+    when to refactor and when to ship.
+  communication_style: >
+    Technical but accessible. Uses code examples when helpful.
+    Direct about tradeoffs and complexity estimates.
+
+flair:
+  - code-review
+  - architecture
+  - debugging
+  - implementation
+  - testing
+
+model:
+  default: reasoning
+
+tools:
+  required:
+    - file-ops
+    - git
+    - exec
+  optional:
+    - web-search
+    - browser
+
+communication:
+  channels: [team-chat, direct]
+  handoff_targets: []
+
+boundaries:
+  can_commit: true
+  can_send_external: false
+  can_spend: false
+
+memory:
+  private: true
+  shared_read:
+    - project-state
+    - decisions
+  shared_write:
+    - project-state
+
+openclaw:
+  model: "anthropic/claude-sonnet-4-20250514"
+  thinking: "off"
+  channel: "discord"