aienvmp 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/CONTRIBUTING.md +18 -0
- package/LICENSE +134 -0
- package/README.md +298 -0
- package/ROADMAP.md +44 -0
- package/SECURITY.md +22 -0
- package/action.yml +42 -0
- package/bin/aienvmp.js +7 -0
- package/examples/github-action.yml +17 -0
- package/package.json +51 -0
- package/src/cli.js +81 -0
- package/src/commands/compile.js +41 -0
- package/src/commands/context.js +33 -0
- package/src/commands/dash.js +35 -0
- package/src/commands/diff.js +23 -0
- package/src/commands/doctor.js +34 -0
- package/src/commands/init.js +19 -0
- package/src/commands/intent.js +26 -0
- package/src/commands/record.js +26 -0
- package/src/commands/resolve.js +35 -0
- package/src/commands/scan.js +28 -0
- package/src/diff.js +23 -0
- package/src/doctor.js +38 -0
- package/src/fsutil.js +51 -0
- package/src/manifest.js +130 -0
- package/src/paths.js +33 -0
- package/src/policy.js +74 -0
- package/src/render.js +259 -0
- package/src/shell.js +33 -0
- package/src/timeline.js +46 -0
package/CHANGELOG.md
ADDED
package/CONTRIBUTING.md
ADDED
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# Contributing
|
|
2
|
+
|
|
3
|
+
Thanks for helping improve `aienvmp`.
|
|
4
|
+
|
|
5
|
+
## Development
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
node --test
|
|
9
|
+
node bin/aienvmp.js scan --dir sample-app
|
|
10
|
+
node bin/aienvmp.js context --dir sample-app
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Design Principles
|
|
14
|
+
|
|
15
|
+
- AI agents are the primary consumers.
|
|
16
|
+
- Human dashboards are derived views.
|
|
17
|
+
- Environment-changing actions should be visible in an append-only ledger.
|
|
18
|
+
- Scanner failures should degrade gracefully unless the manifest would become misleading.
|
package/LICENSE
ADDED
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
Apache License
|
|
2
|
+
Version 2.0, January 2004
|
|
3
|
+
https://www.apache.org/licenses/
|
|
4
|
+
|
|
5
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
6
|
+
|
|
7
|
+
1. Definitions.
|
|
8
|
+
|
|
9
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
10
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
11
|
+
|
|
12
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
13
|
+
the copyright owner that is granting the License.
|
|
14
|
+
|
|
15
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
16
|
+
other entities that control, are controlled by, or are under common
|
|
17
|
+
control with that entity. For the purposes of this definition,
|
|
18
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
19
|
+
direction or management of such entity, whether by contract or
|
|
20
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
21
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
22
|
+
|
|
23
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
24
|
+
exercising permissions granted by this License.
|
|
25
|
+
|
|
26
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
27
|
+
including but not limited to software source code, documentation
|
|
28
|
+
source, and configuration files.
|
|
29
|
+
|
|
30
|
+
"Object" form shall mean any form resulting from mechanical
|
|
31
|
+
transformation or translation of a Source form, including but
|
|
32
|
+
not limited to compiled object code, generated documentation,
|
|
33
|
+
and conversions to other media types.
|
|
34
|
+
|
|
35
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
36
|
+
Object form, made available under the License, as indicated by a
|
|
37
|
+
copyright notice that is included in or attached to the work.
|
|
38
|
+
|
|
39
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
40
|
+
form, that is based on (or derived from) the Work and for which the
|
|
41
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
42
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
43
|
+
of this License, Derivative Works shall not include works that remain
|
|
44
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
45
|
+
the Work and Derivative Works thereof.
|
|
46
|
+
|
|
47
|
+
"Contribution" shall mean any work of authorship, including
|
|
48
|
+
the original version of the Work and any modifications or additions
|
|
49
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
50
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
51
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
52
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
53
|
+
means any form of electronic, verbal, or written communication sent
|
|
54
|
+
to the Licensor or its representatives, including but not limited to
|
|
55
|
+
communication on electronic mailing lists, source code control systems,
|
|
56
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
57
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
58
|
+
excluding communication that is conspicuously marked or otherwise
|
|
59
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
60
|
+
|
|
61
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
62
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
63
|
+
subsequently incorporated within the Work.
|
|
64
|
+
|
|
65
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
66
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
67
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
68
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
69
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
70
|
+
Work and such Derivative Works in Source or Object form.
|
|
71
|
+
|
|
72
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
73
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
74
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
75
|
+
patent license to make, have made, use, offer to sell, sell, import,
|
|
76
|
+
and otherwise transfer the Work.
|
|
77
|
+
|
|
78
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
79
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
80
|
+
modifications, and in Source or Object form, provided that You
|
|
81
|
+
meet the following conditions:
|
|
82
|
+
|
|
83
|
+
(a) You must give any other recipients of the Work or
|
|
84
|
+
Derivative Works a copy of this License; and
|
|
85
|
+
|
|
86
|
+
(b) You must cause any modified files to carry prominent notices
|
|
87
|
+
stating that You changed the files; and
|
|
88
|
+
|
|
89
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
90
|
+
that You distribute, all copyright, patent, trademark, and
|
|
91
|
+
attribution notices from the Source form of the Work,
|
|
92
|
+
excluding those notices that do not pertain to any part of
|
|
93
|
+
the Derivative Works; and
|
|
94
|
+
|
|
95
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
96
|
+
distribution, then any Derivative Works that You distribute must
|
|
97
|
+
include a readable copy of the attribution notices contained
|
|
98
|
+
within such NOTICE file.
|
|
99
|
+
|
|
100
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
101
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
102
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
103
|
+
this License, without any additional terms or conditions.
|
|
104
|
+
|
|
105
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
106
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
107
|
+
except as required for reasonable and customary use in describing the
|
|
108
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
109
|
+
|
|
110
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
111
|
+
agreed to in writing, Licensor provides the Work on an "AS IS"
|
|
112
|
+
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
|
|
113
|
+
or implied, including, without limitation, any warranties or conditions
|
|
114
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
115
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
116
|
+
appropriateness of using or redistributing the Work and assume any
|
|
117
|
+
risks associated with Your exercise of permissions under this License.
|
|
118
|
+
|
|
119
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
120
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
121
|
+
unless required by applicable law (such as deliberate and grossly
|
|
122
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
123
|
+
liable to You for damages, including any direct, indirect, special,
|
|
124
|
+
incidental, or consequential damages of any character arising as a
|
|
125
|
+
result of this License or out of the use or inability to use the
|
|
126
|
+
Work, even if such Contributor has been advised of the possibility
|
|
127
|
+
of such damages.
|
|
128
|
+
|
|
129
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
130
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
131
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
132
|
+
or other liability obligations and/or rights consistent with this
|
|
133
|
+
License. However, in accepting such obligations, You may act only
|
|
134
|
+
on Your own behalf and on Your sole responsibility.
|
package/README.md
ADDED
|
@@ -0,0 +1,298 @@
|
|
|
1
|
+
# aienvmp
|
|
2
|
+
|
|
3
|
+
[](https://github.com/soovwv/aienvmp/actions/workflows/ci.yml)
|
|
4
|
+
[](LICENSE)
|
|
5
|
+
[](package.json)
|
|
6
|
+
|
|
7
|
+
**aienvmp = AI Environment Map**
|
|
8
|
+
|
|
9
|
+
`aienvmp` is an AI-first environment map and change ledger for shared AI coding workspaces.
|
|
10
|
+
|
|
11
|
+
It helps multiple AI coding agents read the same runtime state, avoid installing or using conflicting software versions, declare environment-changing intent, record what changed, and keep humans informed through a lightweight dashboard.
|
|
12
|
+
|
|
13
|
+
It is intentionally small: use it beside SBOM scanners, vulnerability scanners, version managers, and CI systems.
|
|
14
|
+
|
|
15
|
+
## Why
|
|
16
|
+
|
|
17
|
+
Shared development machines drift.
|
|
18
|
+
|
|
19
|
+
One person upgrades Node. Another AI agent installs a global Python tool. A different agent assumes Docker is available. A third agent uses the wrong package manager because it did not see the project lockfile.
|
|
20
|
+
|
|
21
|
+
After a few sessions, nobody is quite sure which runtime is safe to use.
|
|
22
|
+
|
|
23
|
+
`aienvmp` is designed to prevent that kind of AI-driven version drift.
|
|
24
|
+
|
|
25
|
+
It is also designed to stay out of the operator's way. By default, `aienvmp` reports warnings and review-required states instead of taking locks, blocking commands, or changing the machine.
|
|
26
|
+
|
|
27
|
+
`aienvmp` turns that machine state into:
|
|
28
|
+
|
|
29
|
+
- `AIENV.md`: an AI-readable environment protocol
|
|
30
|
+
- `.aienvmp/manifest.json`: a lightweight runtime SBOM
|
|
31
|
+
- `.aienvmp/timeline.jsonl`: an append-only environment change ledger
|
|
32
|
+
- `.aienvmp/intents.jsonl`: planned and resolved environment-changing actions
|
|
33
|
+
- `.aienvmp/dashboard.html`: a small human-readable dashboard
|
|
34
|
+
|
|
35
|
+
## Core Idea
|
|
36
|
+
|
|
37
|
+
Before an AI changes the environment, it should know the environment.
|
|
38
|
+
|
|
39
|
+
Before an AI installs or uses a runtime, it should check the shared policy.
|
|
40
|
+
|
|
41
|
+
The policy is advisory by default. It should guide AI agents and humans, not unexpectedly interrupt production or shared workspace operations.
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
aienvmp context
|
|
45
|
+
aienvmp intent --actor agent:codex --action "install pnpm" --target pnpm
|
|
46
|
+
# make the change
|
|
47
|
+
aienvmp scan
|
|
48
|
+
aienvmp compile
|
|
49
|
+
aienvmp record --actor agent:codex --summary "installed pnpm" --target pnpm --evidence "pnpm --version"
|
|
50
|
+
aienvmp resolve --actor human:you --id int_abc123
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
## Quickstart
|
|
54
|
+
|
|
55
|
+
Install with npm:
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
npm install -g aienvmp
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
Or run without installing:
|
|
62
|
+
|
|
63
|
+
```bash
|
|
64
|
+
npx aienvmp init
|
|
65
|
+
npx aienvmp scan
|
|
66
|
+
npx aienvmp context
|
|
67
|
+
npx aienvmp compile --agents all
|
|
68
|
+
npx aienvmp dash
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
Run locally from this repository while developing:
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
node bin/aienvmp.js init
|
|
75
|
+
node bin/aienvmp.js scan
|
|
76
|
+
node bin/aienvmp.js context
|
|
77
|
+
node bin/aienvmp.js compile --agents all
|
|
78
|
+
node bin/aienvmp.js dash
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
Try the included sample app:
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
node bin/aienvmp.js scan --dir sample-app
|
|
85
|
+
node bin/aienvmp.js context --dir sample-app
|
|
86
|
+
node bin/aienvmp.js dash --dir sample-app
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
## AI Agent Workflow
|
|
90
|
+
|
|
91
|
+
1. Read `AIENV.md` or run `aienvmp context`.
|
|
92
|
+
2. Prefer project-local version files such as `.nvmrc`, `.python-version`, `mise.toml`, and `.tool-versions`.
|
|
93
|
+
3. Do not install or switch to a different runtime version when it conflicts with `.aienvmp/policy.yml`.
|
|
94
|
+
4. Ask the user before changing global runtimes, global packages, Docker settings, or package managers.
|
|
95
|
+
5. Record planned environment changes with `aienvmp intent`.
|
|
96
|
+
6. After changes, run `aienvmp scan && aienvmp compile`.
|
|
97
|
+
7. Record what changed with `aienvmp record`.
|
|
98
|
+
8. Resolve the intent with `aienvmp resolve`.
|
|
99
|
+
|
|
100
|
+
Agent files can be injected automatically:
|
|
101
|
+
|
|
102
|
+
```bash
|
|
103
|
+
aienvmp compile --agents codex,claude,gemini
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
Generated agent targets:
|
|
107
|
+
|
|
108
|
+
- `AGENTS.md`
|
|
109
|
+
- `CLAUDE.md`
|
|
110
|
+
- `GEMINI.md`
|
|
111
|
+
|
|
112
|
+
## What AI Agents See
|
|
113
|
+
|
|
114
|
+
`aienvmp context` returns a compact preflight brief:
|
|
115
|
+
|
|
116
|
+
```text
|
|
117
|
+
# AI Preflight Context
|
|
118
|
+
|
|
119
|
+
Status: clear
|
|
120
|
+
Node: 24.14.1
|
|
121
|
+
Python: 3.11.0
|
|
122
|
+
Docker: available
|
|
123
|
+
|
|
124
|
+
Must follow:
|
|
125
|
+
- Ask the user before global runtime, package manager, Docker, or global package changes.
|
|
126
|
+
- Prefer project-local version files and local environments.
|
|
127
|
+
- Before planned env changes, run `aienvmp intent --actor <agent:id> --action <planned-change>`.
|
|
128
|
+
- After env changes, run `aienvmp scan && aienvmp compile`.
|
|
129
|
+
- Then run `aienvmp record --actor <agent:id> --summary <what-changed>`.
|
|
130
|
+
```
|
|
131
|
+
|
|
132
|
+
For tool integrations:
|
|
133
|
+
|
|
134
|
+
```bash
|
|
135
|
+
aienvmp context --json
|
|
136
|
+
aienvmp doctor --json
|
|
137
|
+
aienvmp doctor --ci
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
`doctor --ci` is the explicit strict path. Normal `doctor` output is advisory and exits successfully so it does not disrupt shared operations.
|
|
141
|
+
|
|
142
|
+
## Commands
|
|
143
|
+
|
|
144
|
+
| Command | Purpose |
|
|
145
|
+
| --- | --- |
|
|
146
|
+
| `init` | Create `.aienvmp/` |
|
|
147
|
+
| `scan` | Collect runtime/tooling versions and write `.aienvmp/manifest.json` |
|
|
148
|
+
| `context` | Print short AI preflight context |
|
|
149
|
+
| `intent` | Record a planned environment-impacting action |
|
|
150
|
+
| `resolve` | Mark an intent as resolved or cancelled |
|
|
151
|
+
| `record` | Append an agent/human environment change to the ledger |
|
|
152
|
+
| `compile` | Write `AIENV.md` and optionally inject agent files |
|
|
153
|
+
| `diff` | Compare current and previous manifests |
|
|
154
|
+
| `doctor` | Report environment warnings |
|
|
155
|
+
| `dash` | Generate `.aienvmp/dashboard.html` |
|
|
156
|
+
|
|
157
|
+
Intent IDs are short and prefix-matchable, so `aienvmp resolve --id int_mabc` works when it matches one open intent.
|
|
158
|
+
|
|
159
|
+
## What It Scans Today
|
|
160
|
+
|
|
161
|
+
- OS: platform, release, arch, hostname, shell
|
|
162
|
+
- Runtimes: Node.js, Python, Go, Java, Rust
|
|
163
|
+
- Package managers and version managers: npm, pnpm, yarn, uv, pip, pipx, mise, asdf, pyenv, nvm, fnm, volta
|
|
164
|
+
- Containers: Docker and Docker Compose
|
|
165
|
+
- Project hints: `.nvmrc`, `.python-version`, `mise.toml`, `.tool-versions`, lockfiles, `package.json`, `pyproject.toml`, `Dockerfile`
|
|
166
|
+
- Agent integration files: Codex, Claude, Gemini, Cursor, Copilot targets
|
|
167
|
+
|
|
168
|
+
## Version Drift Prevention
|
|
169
|
+
|
|
170
|
+
The highest-priority use case is preventing multiple AI agents from installing or using different software versions in the same workspace.
|
|
171
|
+
|
|
172
|
+
`aienvmp` checks project hints and policy against the currently detected environment.
|
|
173
|
+
|
|
174
|
+
Example `.aienvmp/policy.yml`:
|
|
175
|
+
|
|
176
|
+
```yaml
|
|
177
|
+
node: 24
|
|
178
|
+
python: 3.11
|
|
179
|
+
packageManager: npm
|
|
180
|
+
globalInstalls: ask-first
|
|
181
|
+
runtimeChanges: ask-first
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
If an AI tries to use Node 22 when policy requires Node 24, `aienvmp doctor` and `aienvmp context` should surface that mismatch before work continues.
|
|
185
|
+
|
|
186
|
+
Example warning:
|
|
187
|
+
|
|
188
|
+
```text
|
|
189
|
+
.aienvmp/policy.yml requires node 24, but detected 22.11.0.
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
Normal commands remain non-blocking. Use CI/strict mode only when you explicitly want a warning to fail automation.
|
|
193
|
+
|
|
194
|
+
## Output Layout
|
|
195
|
+
|
|
196
|
+
```text
|
|
197
|
+
.aienvmp/
|
|
198
|
+
manifest.json
|
|
199
|
+
timeline.jsonl
|
|
200
|
+
intents.jsonl
|
|
201
|
+
dashboard.html
|
|
202
|
+
AIENV.md
|
|
203
|
+
AGENTS.md
|
|
204
|
+
CLAUDE.md
|
|
205
|
+
GEMINI.md
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
## Dashboard
|
|
209
|
+
|
|
210
|
+
The dashboard is a static HTML file. It is derived from the manifest, warnings, intents, and ledger.
|
|
211
|
+
|
|
212
|
+
```bash
|
|
213
|
+
aienvmp dash
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
Open:
|
|
217
|
+
|
|
218
|
+
```text
|
|
219
|
+
.aienvmp/dashboard.html
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
## GitHub Action
|
|
223
|
+
|
|
224
|
+
Use `aienvmp` in CI without making it disruptive by default:
|
|
225
|
+
|
|
226
|
+
```yaml
|
|
227
|
+
- uses: soovwv/aienvmp@main
|
|
228
|
+
with:
|
|
229
|
+
directory: "."
|
|
230
|
+
agents: "codex,claude,gemini"
|
|
231
|
+
strict: "false"
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
Set `strict: "true"` only when you want policy warnings to fail automation.
|
|
235
|
+
|
|
236
|
+
See [examples/github-action.yml](examples/github-action.yml).
|
|
237
|
+
|
|
238
|
+
## How This Differs From SBOM Tools
|
|
239
|
+
|
|
240
|
+
`aienvmp` is not trying to replace full SBOM or security scanners.
|
|
241
|
+
|
|
242
|
+
Tools like Syft, Trivy, Dependency-Track, and osquery are excellent for component inventory, vulnerability scanning, and system instrumentation.
|
|
243
|
+
|
|
244
|
+
`aienvmp` focuses on a narrower AI workflow:
|
|
245
|
+
|
|
246
|
+
- What environment should this AI agent assume?
|
|
247
|
+
- What must it avoid changing globally?
|
|
248
|
+
- What changed recently?
|
|
249
|
+
- Which agent planned or performed the change?
|
|
250
|
+
- What should the next agent read before continuing?
|
|
251
|
+
|
|
252
|
+
Think of it as an **AI coordination layer over a lightweight runtime SBOM**.
|
|
253
|
+
|
|
254
|
+
## Why It Is Different
|
|
255
|
+
|
|
256
|
+
- **AI-first**: the primary consumer is an AI coding agent, not only a human operator.
|
|
257
|
+
- **Version drift prevention**: policy warnings are designed to stop agents from silently using different Node, Python, Docker, or package manager assumptions.
|
|
258
|
+
- **Change intent before change**: agents can declare intent before touching shared environment state.
|
|
259
|
+
- **Append-only ledger**: environment-impacting changes are recorded for the next agent.
|
|
260
|
+
- **Non-blocking operations**: normal warnings do not lock or break the machine; strict mode is opt-in.
|
|
261
|
+
- **Small surface area**: no daemon, no database, no hosted service required.
|
|
262
|
+
|
|
263
|
+
## Project Links
|
|
264
|
+
|
|
265
|
+
- [Roadmap](ROADMAP.md)
|
|
266
|
+
- [Security policy](SECURITY.md)
|
|
267
|
+
- [Contributing](CONTRIBUTING.md)
|
|
268
|
+
|
|
269
|
+
## Status
|
|
270
|
+
|
|
271
|
+
This is an early prototype.
|
|
272
|
+
|
|
273
|
+
Good fit today:
|
|
274
|
+
|
|
275
|
+
- shared development servers
|
|
276
|
+
- AI coding workspaces
|
|
277
|
+
- local projects using Codex, Claude, Gemini, Cursor, or Copilot
|
|
278
|
+
- self-hosted runner experiments
|
|
279
|
+
|
|
280
|
+
Planned next:
|
|
281
|
+
|
|
282
|
+
- deeper policy enforcement
|
|
283
|
+
- deeper nvm/fnm/volta/pyenv/mise/asdf scans
|
|
284
|
+
- global npm, pipx, and uv tool inventory
|
|
285
|
+
|
|
286
|
+
See [ROADMAP.md](ROADMAP.md) for the longer plan.
|
|
287
|
+
|
|
288
|
+
## Development
|
|
289
|
+
|
|
290
|
+
```bash
|
|
291
|
+
node --test
|
|
292
|
+
npm pack --dry-run
|
|
293
|
+
npm run smoke
|
|
294
|
+
```
|
|
295
|
+
|
|
296
|
+
## License
|
|
297
|
+
|
|
298
|
+
Apache-2.0
|
package/ROADMAP.md
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Roadmap
|
|
2
|
+
|
|
3
|
+
`aienvmp` focuses on AI coding workspace operations: helping multiple AI agents avoid runtime/version drift while keeping humans in control.
|
|
4
|
+
|
|
5
|
+
## Near Term
|
|
6
|
+
|
|
7
|
+
- Policy checks for Node, Python, and package manager drift
|
|
8
|
+
- Intent lifecycle: open, resolve, cancel
|
|
9
|
+
- JSON output for AI/tool integrations
|
|
10
|
+
- Non-blocking by default, strict only with `--ci`
|
|
11
|
+
- Dashboard improvements for policy and agent coordination
|
|
12
|
+
|
|
13
|
+
## Next
|
|
14
|
+
|
|
15
|
+
- Deeper runtime discovery:
|
|
16
|
+
- nvm, fnm, volta
|
|
17
|
+
- pyenv, uv, conda
|
|
18
|
+
- mise, asdf
|
|
19
|
+
- Global tool inventory:
|
|
20
|
+
- `npm -g`
|
|
21
|
+
- `pipx list`
|
|
22
|
+
- `uv tool list`
|
|
23
|
+
- Conflict detection:
|
|
24
|
+
- multiple open intents for the same target
|
|
25
|
+
- stale unresolved intents
|
|
26
|
+
- package manager policy vs lockfile mismatch
|
|
27
|
+
- CI mode:
|
|
28
|
+
- stable exit codes
|
|
29
|
+
- GitHub Action example
|
|
30
|
+
|
|
31
|
+
## Later
|
|
32
|
+
|
|
33
|
+
- CycloneDX/SPDX export
|
|
34
|
+
- Optional Syft/Trivy integration
|
|
35
|
+
- Team dashboard mode
|
|
36
|
+
- Signed/attested environment snapshots
|
|
37
|
+
- Policy presets for common AI coding workspaces
|
|
38
|
+
|
|
39
|
+
## Non-goals
|
|
40
|
+
|
|
41
|
+
- Replacing full SBOM generators
|
|
42
|
+
- Replacing vulnerability scanners
|
|
43
|
+
- Taking hard locks on shared machines by default
|
|
44
|
+
- Installing or modifying runtime versions automatically
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
`aienvmp` is designed to be non-invasive by default.
|
|
4
|
+
|
|
5
|
+
It scans local environment metadata, writes local project files, and does not intentionally upload environment data to a remote service.
|
|
6
|
+
|
|
7
|
+
## Reporting a Vulnerability
|
|
8
|
+
|
|
9
|
+
Please report security issues through GitHub Security Advisories if available, or open a private contact channel with the maintainer.
|
|
10
|
+
|
|
11
|
+
Do not include secrets, private environment dumps, access tokens, or production hostnames in public issues.
|
|
12
|
+
|
|
13
|
+
## Operational Safety
|
|
14
|
+
|
|
15
|
+
- Normal warnings are advisory and non-blocking.
|
|
16
|
+
- `aienvmp doctor --ci` is the explicit strict mode for automation.
|
|
17
|
+
- `aienvmp` should not install, upgrade, downgrade, or remove software by itself.
|
|
18
|
+
- Generated files should be reviewed before committing in sensitive repositories.
|
|
19
|
+
|
|
20
|
+
## Sensitive Data
|
|
21
|
+
|
|
22
|
+
Current manifests may include local paths, hostnames, shell paths, and runtime versions. Treat generated `.aienvmp/` outputs as workspace metadata and decide whether they belong in your repository.
|
package/action.yml
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
name: aienvmp
|
|
2
|
+
description: AI-first environment map and policy check for coding workspaces
|
|
3
|
+
author: soovwv
|
|
4
|
+
|
|
5
|
+
inputs:
|
|
6
|
+
directory:
|
|
7
|
+
description: Workspace directory to scan
|
|
8
|
+
required: false
|
|
9
|
+
default: "."
|
|
10
|
+
agents:
|
|
11
|
+
description: Agent files to inject during compile
|
|
12
|
+
required: false
|
|
13
|
+
default: ""
|
|
14
|
+
strict:
|
|
15
|
+
description: Fail when doctor reports warnings
|
|
16
|
+
required: false
|
|
17
|
+
default: "false"
|
|
18
|
+
|
|
19
|
+
runs:
|
|
20
|
+
using: composite
|
|
21
|
+
steps:
|
|
22
|
+
- name: Scan environment
|
|
23
|
+
shell: bash
|
|
24
|
+
run: node "$GITHUB_ACTION_PATH/bin/aienvmp.js" scan --dir "${{ inputs.directory }}"
|
|
25
|
+
|
|
26
|
+
- name: Compile agent context
|
|
27
|
+
shell: bash
|
|
28
|
+
run: |
|
|
29
|
+
if [ -n "${{ inputs.agents }}" ]; then
|
|
30
|
+
node "$GITHUB_ACTION_PATH/bin/aienvmp.js" compile --dir "${{ inputs.directory }}" --agents "${{ inputs.agents }}"
|
|
31
|
+
else
|
|
32
|
+
node "$GITHUB_ACTION_PATH/bin/aienvmp.js" compile --dir "${{ inputs.directory }}"
|
|
33
|
+
fi
|
|
34
|
+
|
|
35
|
+
- name: Doctor
|
|
36
|
+
shell: bash
|
|
37
|
+
run: |
|
|
38
|
+
if [ "${{ inputs.strict }}" = "true" ]; then
|
|
39
|
+
node "$GITHUB_ACTION_PATH/bin/aienvmp.js" doctor --dir "${{ inputs.directory }}" --ci
|
|
40
|
+
else
|
|
41
|
+
node "$GITHUB_ACTION_PATH/bin/aienvmp.js" doctor --dir "${{ inputs.directory }}"
|
|
42
|
+
fi
|
package/bin/aienvmp.js
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
name: Environment Map
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
pull_request:
|
|
5
|
+
workflow_dispatch:
|
|
6
|
+
|
|
7
|
+
jobs:
|
|
8
|
+
aienvmp:
|
|
9
|
+
runs-on: ubuntu-latest
|
|
10
|
+
steps:
|
|
11
|
+
- uses: actions/checkout@v4
|
|
12
|
+
|
|
13
|
+
- uses: soovwv/aienvmp@main
|
|
14
|
+
with:
|
|
15
|
+
directory: "."
|
|
16
|
+
agents: "codex,claude,gemini"
|
|
17
|
+
strict: "false"
|
package/package.json
ADDED
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "aienvmp",
|
|
3
|
+
"version": "0.1.0",
|
|
4
|
+
"description": "AI-first environment maps and lightweight runtime SBOMs for shared development machines.",
|
|
5
|
+
"type": "module",
|
|
6
|
+
"bin": {
|
|
7
|
+
"aienvmp": "bin/aienvmp.js"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"type": "git",
|
|
11
|
+
"url": "git+https://github.com/soovwv/aienvmp.git"
|
|
12
|
+
},
|
|
13
|
+
"bugs": {
|
|
14
|
+
"url": "https://github.com/soovwv/aienvmp/issues"
|
|
15
|
+
},
|
|
16
|
+
"homepage": "https://github.com/soovwv/aienvmp#readme",
|
|
17
|
+
"files": [
|
|
18
|
+
"bin",
|
|
19
|
+
"src",
|
|
20
|
+
"README.md",
|
|
21
|
+
"LICENSE",
|
|
22
|
+
"CHANGELOG.md",
|
|
23
|
+
"CONTRIBUTING.md",
|
|
24
|
+
"SECURITY.md",
|
|
25
|
+
"ROADMAP.md",
|
|
26
|
+
"action.yml",
|
|
27
|
+
"examples"
|
|
28
|
+
],
|
|
29
|
+
"scripts": {
|
|
30
|
+
"test": "node --test",
|
|
31
|
+
"pack:dry": "npm pack --dry-run",
|
|
32
|
+
"smoke": "node bin/aienvmp.js --version && node bin/aienvmp.js --help"
|
|
33
|
+
},
|
|
34
|
+
"keywords": [
|
|
35
|
+
"ai",
|
|
36
|
+
"environment",
|
|
37
|
+
"env-map",
|
|
38
|
+
"sbom",
|
|
39
|
+
"runtime",
|
|
40
|
+
"agent",
|
|
41
|
+
"agentic",
|
|
42
|
+
"devops",
|
|
43
|
+
"codex",
|
|
44
|
+
"claude",
|
|
45
|
+
"gemini"
|
|
46
|
+
],
|
|
47
|
+
"license": "Apache-2.0",
|
|
48
|
+
"engines": {
|
|
49
|
+
"node": ">=18"
|
|
50
|
+
}
|
|
51
|
+
}
|