chimera-sigil 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Cody Mitchell
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,112 @@
+# Chimera Sigil
+
+<p align="center">
+  <img src="assets/chimera-cover.gif" alt="Chimera Sigil animated cover" width="420" />
+</p>
+
+<p align="center">
+  Multi-model terminal harness for fast, local-first iteration.
+</p>
+
+Chimera Sigil gives you one terminal workflow across Grok, OpenAI, Anthropic, and local Ollama models. It is built for short feedback loops, visible tool use, and fast experimentation without depending on CI spend for every release artifact.
+
+## Mission
+
+Ship a practical multi-model harness that feels fast enough for daily use, clear enough to inspect, and flexible enough to evolve quickly.
+
+## What It Does
+
+- Runs a terminal agent with built-in file, search, edit, and shell tools
+- Supports primary models, collaborator models, and fallback chains
+- Persists sessions so single-prompt runs can resume later
+- Supports approval modes for safer noninteractive automation
+- Builds release artifacts locally on macOS, Windows, and Linux/WSL
+
+## Quick Start
+
+Install from npm:
+
+```bash
+npm install -g chimera-sigil
+chimera --help
+```
+
+Run from source:
+
+```bash
+cargo run -p chimera-sigil-cli -- --model grok-3
+```
+
+Single prompt mode:
+
+```bash
+cargo run -p chimera-sigil-cli -- --model sonnet --prompt "Summarize this codebase"
+```
+
+Collaborative mode:
+
+```bash
+cargo run -p chimera-sigil-cli -- --model grok-3 --collab sonnet,gpt-4o
+```
+
+Fallback mode:
+
+```bash
+cargo run -p chimera-sigil-cli -- --model grok-3 --fallback gpt-4o,sonnet
+```
+
+## Approval Modes
+
+- `--approval-mode prompt`: ask before writes and command execution
+- `--approval-mode approve`: allow workspace writes, deny shell execution
+- `--approval-mode full`: allow all tools
+- `--auto-approve`: compatibility shorthand for `--approval-mode full`
+
+## Environment
+
+Set whichever providers you want to use:
+
+```bash
+export XAI_API_KEY=...
+export OPENAI_API_KEY=...
+export ANTHROPIC_API_KEY=...
+export OLLAMA_BASE_URL=http://localhost:11434/v1
+```
+
+No provider keys are committed to this repository. Local machine and release credentials live outside the repo.
+
+## Fast Iteration
+
+- Prompt mode auto-saves sessions for later resume
+- Release builds can be produced locally instead of relying on GitHub Actions
+- The shipped CLI command stays short: `chimera`
+
+## Contributing
+
+Contributions are welcome. Keep changes small, tested, and easy to review.
+
+Start here:
+
+- [CONTRIBUTING.md](CONTRIBUTING.md)
+- [SECURITY.md](SECURITY.md)
+
+## Project Layout
+
+- `crates/chimera-core`: agent loop, config, sessions
+- `crates/chimera-providers`: model providers and streaming
+- `crates/chimera-tools`: built-in tools and permissions
+- `crates/chimera-cli`: CLI entrypoint
+- `scripts/`: packaging and local-first release tooling
+
+## Release Notes
+
+The npm package name is `chimera-sigil`. The installed command is `chimera`.
+
+Local-first release tooling currently supports:
+
+- `aarch64-apple-darwin`
+- `x86_64-apple-darwin`
+- `x86_64-pc-windows-msvc`
+- `x86_64-unknown-linux-gnu`
+
+For contributor setup and release workflow details, see [CONTRIBUTING.md](CONTRIBUTING.md).

package/bin/chimera.js

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+
+import { spawn } from "node:child_process";
+import { existsSync } from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { fileURLToPath } from "node:url";
+import { binaryNameForTriple, detectCurrentTarget } from "../scripts/npm-platform.mjs";
+
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const packageRoot = path.resolve(scriptDir, "..");
+
+function resolveBinaryPath() {
+  const target = detectCurrentTarget();
+  const binaryName = binaryNameForTriple(target.triple);
+  const localBinaryName = process.platform === "win32" ? "chimera.exe" : "chimera";
+  const override = process.env.CHIMERA_SIGIL_BIN || process.env.CHIMERA_HARNESS_BIN;
+
+  const candidates = [
+    override,
+    path.join(packageRoot, "target", "release", localBinaryName),
+    path.join(packageRoot, "target", "debug", localBinaryName),
+    path.join(packageRoot, "vendor", target.triple, binaryName)
+  ].filter(Boolean);
+
+  return candidates.find((candidate) => existsSync(candidate));
+}
+
+const binaryPath = resolveBinaryPath();
+
+if (!binaryPath) {
+  console.error("chimera binary is not installed for this package.");
+  console.error("Reinstall with `npm install -g chimera-sigil` or rerun `npm rebuild chimera-sigil`.");
+  console.error(
+    "For custom builds, set CHIMERA_SIGIL_BIN=/absolute/path/to/chimera (legacy CHIMERA_HARNESS_BIN also works)."
+  );
+  process.exit(1);
+}
+
+const child = spawn(binaryPath, process.argv.slice(2), { stdio: "inherit" });
+
+child.on("error", (error) => {
+  console.error(`Failed to launch chimera: ${error.message}`);
+  process.exit(1);
+});
+
+child.on("exit", (code, signal) => {
+  if (signal) {
+    process.kill(process.pid, signal);
+    return;
+  }
+
+  process.exit(code ?? 1);
+});

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "chimera-sigil",
+  "version": "0.1.0",
+  "description": "Multi-model AI agent harness for the terminal",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "chimera": "bin/chimera.js"
+  },
+  "files": [
+    "LICENSE",
+    "README.md",
+    "assets/chimera-cover.png",
+    "assets/chimera-cover.gif",
+    "bin/",
+    "scripts/"
+  ],
+  "scripts": {
+    "build:release": "cargo build --release -p chimera-sigil-cli",
+    "dist:npm": "npm run build:release && node scripts/create-release-asset.mjs",
+    "release:doctor": "node scripts/release-local.mjs --doctor",
+    "release:local": "node scripts/release-local.mjs",
+    "postinstall": "node scripts/install.mjs"
+  },
+  "keywords": [
+    "ai",
+    "cli",
+    "terminal",
+    "agent",
+    "llm",
+    "rust"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sproutseeds/chimera-sigil.git"
+  },
+  "bugs": {
+    "url": "https://github.com/sproutseeds/chimera-sigil/issues"
+  },
+  "homepage": "https://github.com/sproutseeds/chimera-sigil#readme",
+  "engines": {
+    "node": ">=18"
+  },
+  "preferGlobal": true,
+  "chimeraSigil": {
+    "releasesBaseUrl": "https://github.com/sproutseeds/chimera-sigil/releases/download"
+  }
+}

package/scripts/create-release-asset.mjs

@@ -0,0 +1,53 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { fileURLToPath } from "node:url";
+import {
+  binaryNameForTriple,
+  releaseAssetFileName,
+  targetTripleFromEnvOrCurrent
+} from "./npm-platform.mjs";
+import { writeChecksumFile } from "./release-integrity.mjs";
+
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const packageRoot = path.resolve(scriptDir, "..");
+
+async function main() {
+  const packageJson = JSON.parse(
+    await fs.readFile(path.join(packageRoot, "package.json"), "utf8")
+  );
+  const version = packageJson.version;
+  const targetTriple = targetTripleFromEnvOrCurrent(process.env.TARGET_TRIPLE);
+  const binaryName = binaryNameForTriple(targetTriple);
+  const targetDir = process.env.TARGET_TRIPLE
+    ? path.join(packageRoot, "target", targetTriple, "release")
+    : path.join(packageRoot, "target", "release");
+  const sourceBinary = path.join(targetDir, binaryName);
+
+  try {
+    await fs.access(sourceBinary);
+  } catch {
+    throw new Error(
+      `Compiled binary not found at ${sourceBinary}. Run \`cargo build --release -p chimera-sigil-cli${process.env.TARGET_TRIPLE ? ` --target ${targetTriple}` : ""}\` first.`
+    );
+  }
+
+  const distDir = path.join(packageRoot, "dist");
+  await fs.mkdir(distDir, { recursive: true });
+
+  const outputPath = path.join(distDir, releaseAssetFileName(version, targetTriple));
+  await fs.copyFile(sourceBinary, outputPath);
+
+  if (!targetTriple.includes("windows")) {
+    await fs.chmod(outputPath, 0o755);
+  }
+
+  console.log(`Created release asset: ${outputPath}`);
+  const { checksumPath } = await writeChecksumFile(outputPath);
+  console.log(`Created checksum: ${checksumPath}`);
+}
+
+main().catch((error) => {
+  console.error(error.message);
+  process.exit(1);
+});

package/scripts/install.mjs

@@ -0,0 +1,142 @@
+import { createWriteStream } from "node:fs";
+import { promises as fs } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import process from "node:process";
+import { Readable } from "node:stream";
+import { pipeline } from "node:stream/promises";
+import { fileURLToPath } from "node:url";
+import {
+  binaryNameForTriple,
+  detectCurrentTarget,
+  releaseAssetFileName
+} from "./npm-platform.mjs";
+import {
+  checksumFileName,
+  parseChecksumContents,
+  sha256File
+} from "./release-integrity.mjs";
+
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const packageRoot = path.resolve(scriptDir, "..");
+const packageJsonPath = path.join(packageRoot, "package.json");
+
+function firstNonEmpty(...values) {
+  return values.find((value) => value !== undefined && value !== null && value !== "");
+}
+
+async function readPackageJson() {
+  return JSON.parse(await fs.readFile(packageJsonPath, "utf8"));
+}
+
+async function fileExists(filePath) {
+  try {
+    await fs.access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function downloadFile(url, destination) {
+  const response = await fetch(url, {
+    headers: {
+      "user-agent": "chimera-sigil-npm-installer"
+    }
+  });
+
+  if (!response.ok || !response.body) {
+    throw new Error(`Download failed with status ${response.status} for ${url}`);
+  }
+
+  await pipeline(Readable.fromWeb(response.body), createWriteStream(destination));
+}
+
+async function main() {
+  const skipDownloadFlag = firstNonEmpty(
+    process.env.CHIMERA_SIGIL_SKIP_DOWNLOAD,
+    process.env.CHIMERA_HARNESS_SKIP_DOWNLOAD
+  );
+  if (skipDownloadFlag === "1") {
+    console.log(
+      "Skipping chimera binary download because CHIMERA_SIGIL_SKIP_DOWNLOAD=1."
+    );
+    return;
+  }
+
+  const pkg = await readPackageJson();
+  const version = pkg.version;
+  const releasesBaseUrl = firstNonEmpty(
+    process.env.CHIMERA_SIGIL_RELEASES_BASE_URL,
+    process.env.CHIMERA_HARNESS_RELEASES_BASE_URL,
+    pkg.chimeraSigil?.releasesBaseUrl,
+    pkg.chimeraHarness?.releasesBaseUrl
+  );
+
+  if (!releasesBaseUrl) {
+    throw new Error("No releases base URL configured for chimera-sigil.");
+  }
+
+  const { triple } = detectCurrentTarget();
+  const assetName = releaseAssetFileName(version, triple);
+  const checksumName = checksumFileName(assetName);
+  const binaryName = binaryNameForTriple(triple);
+  const installDir = path.join(packageRoot, "vendor", triple);
+  const binaryPath = path.join(installDir, binaryName);
+
+  if (await fileExists(binaryPath)) {
+    return;
+  }
+
+  await fs.mkdir(installDir, { recursive: true });
+
+  const tempPath = path.join(os.tmpdir(), `${assetName}.${process.pid}.tmp`);
+  const checksumTempPath = path.join(os.tmpdir(), `${checksumName}.${process.pid}.tmp`);
+  const assetUrl = `${releasesBaseUrl.replace(/\/$/, "")}/v${version}/${assetName}`;
+  const checksumUrl = `${releasesBaseUrl.replace(/\/$/, "")}/v${version}/${checksumName}`;
+  const skipVerify =
+    firstNonEmpty(
+      process.env.CHIMERA_SIGIL_SKIP_VERIFY,
+      process.env.CHIMERA_HARNESS_SKIP_VERIFY
+    ) === "1";
+
+  try {
+    console.log(`Downloading chimera ${version} for ${triple}...`);
+    await downloadFile(assetUrl, tempPath);
+    if (!skipVerify) {
+      await downloadFile(checksumUrl, checksumTempPath);
+      const checksum = parseChecksumContents(
+        await fs.readFile(checksumTempPath, "utf8")
+      );
+      if (checksum.assetName !== assetName) {
+        throw new Error(
+          `Checksum file referenced ${checksum.assetName}, expected ${assetName}`
+        );
+      }
+
+      const actualHash = await sha256File(tempPath);
+      if (actualHash !== checksum.hash) {
+        throw new Error(
+          `Checksum mismatch for ${assetName}: expected ${checksum.hash}, got ${actualHash}`
+        );
+      }
+    }
+    await fs.copyFile(tempPath, binaryPath);
+    if (!triple.includes("windows")) {
+      await fs.chmod(binaryPath, 0o755);
+    }
+    console.log(`Installed chimera to ${binaryPath}`);
+  } catch (error) {
+    throw new Error(
+      `Unable to install chimera from ${assetUrl}: ${error.message}`
+    );
+  } finally {
+    await fs.rm(tempPath, { force: true }).catch(() => {});
+    await fs.rm(checksumTempPath, { force: true }).catch(() => {});
+  }
+}
+
+main().catch((error) => {
+  console.error(error.message);
+  process.exit(1);
+});

package/scripts/npm-platform.mjs

@@ -0,0 +1,54 @@
+import process from "node:process";
+
+const TARGETS = {
+  "darwin-arm64": "aarch64-apple-darwin",
+  "darwin-x64": "x86_64-apple-darwin",
+  "linux-arm64-gnu": "aarch64-unknown-linux-gnu",
+  "linux-arm64-musl": "aarch64-unknown-linux-musl",
+  "linux-x64-gnu": "x86_64-unknown-linux-gnu",
+  "linux-x64-musl": "x86_64-unknown-linux-musl",
+  "win32-arm64": "aarch64-pc-windows-msvc",
+  "win32-x64": "x86_64-pc-windows-msvc"
+};
+
+function detectLinuxLibc() {
+  const report = process.report?.getReport?.();
+  return report?.header?.glibcVersionRuntime ? "gnu" : "musl";
+}
+
+export function detectCurrentTarget() {
+  if (process.platform === "linux") {
+    const libc = detectLinuxLibc();
+    const key = `${process.platform}-${process.arch}-${libc}`;
+    const triple = TARGETS[key];
+    if (!triple) {
+      throw new Error(`Unsupported platform/arch combination: ${key}`);
+    }
+    return { triple, key };
+  }
+
+  const key = `${process.platform}-${process.arch}`;
+  const triple = TARGETS[key];
+  if (!triple) {
+    throw new Error(`Unsupported platform/arch combination: ${key}`);
+  }
+
+  return { triple, key };
+}
+
+export function binaryNameForTriple(triple) {
+  return triple.includes("windows") ? "chimera.exe" : "chimera";
+}
+
+export function releaseAssetFileName(version, triple) {
+  const suffix = triple.includes("windows") ? ".exe" : "";
+  return `chimera-sigil-v${version}-${triple}${suffix}`;
+}
+
+export function targetTripleFromEnvOrCurrent(envValue) {
+  if (envValue) {
+    return envValue;
+  }
+
+  return detectCurrentTarget().triple;
+}

package/scripts/release-config.mjs

@@ -0,0 +1,108 @@
+import os from "node:os";
+import path from "node:path";
+import { promises as fs } from "node:fs";
+
+const homeDir = os.homedir();
+
+export function defaultGlobalConfigPaths() {
+  return [
+    path.join(homeDir, ".config", "orp", "chimera-sigil-release.json"),
+    path.join(homeDir, ".config", "chimera-sigil", "release.json"),
+    path.join(homeDir, ".config", "orp", "chimera-harness-release.json"),
+    path.join(homeDir, ".config", "chimera-harness", "release.json")
+  ];
+}
+
+async function fileExists(filePath) {
+  try {
+    await fs.access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export async function loadGlobalReleaseConfig() {
+  for (const configPath of defaultGlobalConfigPaths()) {
+    if (!(await fileExists(configPath))) {
+      continue;
+    }
+
+    const parsed = JSON.parse(await fs.readFile(configPath, "utf8"));
+    return {
+      source: configPath,
+      config: normalizeReleaseConfig(parsed)
+    };
+  }
+
+  return {
+    source: null,
+    config: normalizeReleaseConfig({})
+  };
+}
+
+export function normalizeReleaseConfig(config) {
+  return {
+    windowsHost: config.windowsHost ?? "",
+    windowsUser: config.windowsUser ?? "",
+    windowsRoot: config.windowsRoot ?? "",
+    wslDistro: config.wslDistro ?? "",
+    sshIdentityFile: config.sshIdentityFile ?? "",
+    sshPort:
+      config.sshPort === undefined || config.sshPort === null
+        ? ""
+        : String(config.sshPort)
+  };
+}
+
+export function mergeReleaseConfig(base, overlay) {
+  const result = { ...base };
+  for (const [key, value] of Object.entries(overlay)) {
+    if (value !== undefined && value !== null && value !== "") {
+      result[key] = value;
+    }
+  }
+  return normalizeReleaseConfig(result);
+}
+
+function looksLikePrivateHost(host) {
+  return (
+    /^10\./.test(host) ||
+    /^192\.168\./.test(host) ||
+    /^172\.(1[6-9]|2\d|3[0-1])\./.test(host) ||
+    host === "localhost"
+  );
+}
+
+export async function findKnownHostCandidates() {
+  const knownHostsPath = path.join(homeDir, ".ssh", "known_hosts");
+  if (!(await fileExists(knownHostsPath))) {
+    return [];
+  }
+
+  const contents = await fs.readFile(knownHostsPath, "utf8");
+  const seen = new Set();
+  const hosts = [];
+
+  for (const rawLine of contents.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("|")) {
+      continue;
+    }
+
+    const hostField = line.split(/\s+/)[0];
+    if (!hostField) {
+      continue;
+    }
+
+    const host = hostField.replace(/^\[([^\]]+)\]:\d+$/, "$1");
+    if (!looksLikePrivateHost(host) || seen.has(host)) {
+      continue;
+    }
+
+    seen.add(host);
+    hosts.push(host);
+  }
+
+  return hosts;
+}

package/scripts/release-integrity.mjs

@@ -0,0 +1,36 @@
+import { createHash } from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+
+export async function sha256File(filePath) {
+  const bytes = await fs.readFile(filePath);
+  return createHash("sha256").update(bytes).digest("hex");
+}
+
+export function checksumFileName(assetName) {
+  return `${assetName}.sha256`;
+}
+
+export function formatChecksumContents(hash, assetName) {
+  return `${hash}  ${assetName}\n`;
+}
+
+export async function writeChecksumFile(assetPath) {
+  const hash = await sha256File(assetPath);
+  const assetName = path.basename(assetPath);
+  const checksumPath = `${assetPath}.sha256`;
+  await fs.writeFile(checksumPath, formatChecksumContents(hash, assetName), "utf8");
+  return { hash, checksumPath };
+}
+
+export function parseChecksumContents(contents) {
+  const match = contents.trim().match(/^([a-f0-9]{64})\s+\*?(.+)$/i);
+  if (!match) {
+    throw new Error("Invalid checksum file format.");
+  }
+
+  return {
+    hash: match[1].toLowerCase(),
+    assetName: match[2].trim()
+  };
+}