habi-agent 0.1.0

package/dist/context.js

@@ -0,0 +1,172 @@
+"use strict";
+/**
+ * HABI Project Context File Loader
+ *
+ * The Project Context File is the source of truth for what is authorized
+ * on this machine for this project. It lives OUTSIDE version control.
+ *
+ * The SHA-256 hash of the file is computed on load and included in every
+ * session fingerprint. Tampering with the file invalidates active sessions.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findContextFile = findContextFile;
+exports.loadContext = loadContext;
+exports.assertOperation = assertOperation;
+exports.assertMachineAuthorized = assertMachineAuthorized;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto = __importStar(require("crypto"));
+const CONTEXT_FILE_NAMES = [
+    'habi-context.json',
+    '.habi-context.json',
+    'habi.context.json',
+];
+/**
+ * Locates the context file by walking up from cwd.
+ * Searches: cwd → parent → grandparent → $HOME
+ */
+function findContextFile(startDir = process.cwd()) {
+    let dir = path.resolve(startDir);
+    const home = os_homedir();
+    while (true) {
+        for (const name of CONTEXT_FILE_NAMES) {
+            const candidate = path.join(dir, name);
+            if (fs.existsSync(candidate))
+                return candidate;
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break; // filesystem root
+        if (dir === home)
+            break; // don't go above home
+        dir = parent;
+    }
+    return null;
+}
+function os_homedir() {
+    return process.env.HOME || process.env.USERPROFILE || '/';
+}
+/**
+ * Loads and validates a Project Context File.
+ *
+ * Validation:
+ * 1. File exists and is valid JSON
+ * 2. Required fields are present
+ * 3. Recomputed hash matches stored contextHash
+ *    (if mismatch → file was tampered with → reject)
+ */
+function loadContext(filePath) {
+    if (!fs.existsSync(filePath)) {
+        throw new Error(`HABI: Context file not found: ${filePath}`);
+    }
+    const raw = fs.readFileSync(filePath, 'utf8');
+    let context;
+    try {
+        context = JSON.parse(raw);
+    }
+    catch {
+        throw new Error(`HABI: Context file is not valid JSON: ${filePath}`);
+    }
+    // Validate required fields
+    const required = ['project', 'version', 'owner', 'allowedMachines', 'allowedOperations', 'deniedOperations'];
+    for (const field of required) {
+        if (!(field in context)) {
+            throw new Error(`HABI: Context file missing required field: ${field}`);
+        }
+    }
+    // Compute hash of file contents excluding the contextHash field itself
+    const { contextHash: _stored, ...rest } = context;
+    const computedHash = crypto
+        .createHash('sha256')
+        .update(JSON.stringify(rest, null, 2))
+        .digest('hex');
+    // If contextHash is set, verify it matches
+    if (_stored && _stored !== computedHash) {
+        throw new Error(`HABI: Context file integrity check FAILED.\n` +
+            `  Stored hash:   ${_stored}\n` +
+            `  Computed hash: ${computedHash}\n` +
+            `  File may have been tampered with: ${filePath}`);
+    }
+    return {
+        context,
+        contextHash: computedHash,
+        filePath,
+    };
+}
+/**
+ * Checks whether a proposed operation is authorized under the loaded context.
+ *
+ * Returns: { allowed: true } or { allowed: false, reason: string }
+ */
+function assertOperation(operation, context) {
+    const opLower = operation.toLowerCase();
+    // ── Check denied list first (deny wins) ────────────────────────────────────
+    for (const denied of context.deniedOperations) {
+        if (opLower.includes(denied.toLowerCase())) {
+            return {
+                allowed: false,
+                reason: `Operation matches denied pattern: "${denied}"`,
+            };
+        }
+    }
+    // ── Check allowed paths ─────────────────────────────────────────────────────
+    const ops = context.allowedOperations;
+    if (ops.commands && ops.commands.length > 0) {
+        const commandAllowed = ops.commands.some(cmd => opLower.startsWith(cmd.toLowerCase()));
+        if (!commandAllowed) {
+            return {
+                allowed: false,
+                reason: `Operation not in allowedOperations.commands list`,
+            };
+        }
+    }
+    return { allowed: true };
+}
+/**
+ * Checks whether this machine's hardware ID is authorized in the context file.
+ */
+function assertMachineAuthorized(hardwareId, context) {
+    const allowed = context.allowedMachines.some(m => m.toUpperCase() === hardwareId.toUpperCase());
+    if (!allowed) {
+        return {
+            allowed: false,
+            reason: `Hardware ID ${hardwareId} is not in allowedMachines list. ` +
+                `Authorized machines: ${context.allowedMachines.join(', ')}`,
+        };
+    }
+    return { allowed: true };
+}
+//# sourceMappingURL=context.js.map

package/dist/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwCH,0CAeC;AAeD,kCA4CC;AAOD,0CAiCC;AAKD,0DAkBC;AA/KD,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AA0BjC,MAAM,kBAAkB,GAAG;IACzB,mBAAmB;IACnB,oBAAoB;IACpB,mBAAmB;CACpB,CAAC;AAEF;;;GAGG;AACH,SAAgB,eAAe,CAAC,WAAmB,OAAO,CAAC,GAAG,EAAE;IAC9D,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAE1B,OAAO,IAAI,EAAE,CAAC;QACZ,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;gBAAE,OAAO,SAAS,CAAC;QACjD,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM,CAAO,kBAAkB;QACnD,IAAI,GAAG,KAAK,IAAI;YAAE,MAAM,CAAS,sBAAsB;QACvD,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC;AAC5D,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,WAAW,CAAC,QAAgB;IAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE9C,IAAI,OAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,yCAAyC,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,kBAAkB,CAAC,CAAC;IAC7G,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,KAAK,IAAI,OAAO,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAClD,MAAM,YAAY,GAAG,MAAM;SACxB,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;SACrC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,2CAA2C;IAC3C,IAAI,OAAO,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,8CAA8C;YAC9C,oBAAoB,OAAO,IAAI;YAC/B,oBAAoB,YAAY,IAAI;YACpC,uCAAuC,QAAQ,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO;QACP,WAAW,EAAE,YAAY;QACzB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAC7B,SAAiB,EACjB,OAAuB;IAGvB,MAAM,OAAO,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IAExC,8EAA8E;IAC9E,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,sCAAsC,MAAM,GAAG;aACxD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAEtC,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAC7C,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CACtC,CAAC;QACF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,kDAAkD;aAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAgB,uBAAuB,CACrC,UAAkB,EAClB,OAAuB;IAEvB,MAAM,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,WAAW,EAAE,CAClD,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EACJ,eAAe,UAAU,mCAAmC;gBAC5D,wBAAwB,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC/D,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC"}

package/dist/hardware.d.ts

@@ -0,0 +1,38 @@
+/**
+ * HABI Hardware Identity Reader
+ * Reads MAC address (physical) or IPv6 link-local (container/VM)
+ * This is the foundation primitive of the entire HABI system.
+ *
+ * On physical machines: returns MAC via os.networkInterfaces()
+ * On containers/VMs:    returns IPv6 link-local (fe80::/10) — auto-generated
+ *                       per virtual NIC, stable for container lifetime,
+ *                       non-routable externally
+ */
+export type FingerprintType = 'mac' | 'ipv6_link_local';
+export interface HardwareIdentity {
+    fingerprint: string;
+    type: FingerprintType;
+    iface: string;
+    platform: string;
+    hostname: string;
+}
+/**
+ * Reads network interfaces and returns the primary hardware identifier.
+ * Priority: real MAC → IPv6 link-local → error
+ *
+ * Excludes loopback and virtual/docker interfaces.
+ * Returns the most stable, unique identifier available on this machine.
+ */
+export declare function readHardwareIdentity(): HardwareIdentity;
+/**
+ * Generates a session fingerprint from hardware identity + context hash + timestamp.
+ * This fingerprint is signed into every audit log entry.
+ *
+ * fingerprint = SHA-256(hardware_id + ":" + context_hash + ":" + timestamp_ms)
+ */
+export declare function generateSessionFingerprint(hardwareId: string, contextHash: string, timestampMs?: number): string;
+/**
+ * Computes SHA-256 of arbitrary input — used for operation hashing in audit log.
+ */
+export declare function sha256(input: string): string;
+//# sourceMappingURL=hardware.d.ts.map

package/dist/hardware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardware.d.ts","sourceRoot":"","sources":["../src/hardware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,iBAAiB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,eAAe,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,gBAAgB,CA0DvD;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,WAAW,GAAE,MAAmB,GAC/B,MAAM,CAKR;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5C"}

package/dist/hardware.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * HABI Hardware Identity Reader
+ * Reads MAC address (physical) or IPv6 link-local (container/VM)
+ * This is the foundation primitive of the entire HABI system.
+ *
+ * On physical machines: returns MAC via os.networkInterfaces()
+ * On containers/VMs:    returns IPv6 link-local (fe80::/10) — auto-generated
+ *                       per virtual NIC, stable for container lifetime,
+ *                       non-routable externally
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readHardwareIdentity = readHardwareIdentity;
+exports.generateSessionFingerprint = generateSessionFingerprint;
+exports.sha256 = sha256;
+const os = __importStar(require("os"));
+const crypto = __importStar(require("crypto"));
+/**
+ * Reads network interfaces and returns the primary hardware identifier.
+ * Priority: real MAC → IPv6 link-local → error
+ *
+ * Excludes loopback and virtual/docker interfaces.
+ * Returns the most stable, unique identifier available on this machine.
+ */
+function readHardwareIdentity() {
+    const ifaces = os.networkInterfaces();
+    const platform = os.platform();
+    const hostname = os.hostname();
+    // ── Pass 1: Find a real MAC address ────────────────────────────────────────
+    // Exclude loopback (lo, lo0) and known virtual prefixes
+    const VIRTUAL_PREFIXES = ['docker', 'br-', 'veth', 'virbr', 'vmnet', 'vbox'];
+    for (const [name, addrs] of Object.entries(ifaces)) {
+        if (!addrs)
+            continue;
+        // Skip loopback
+        if (addrs.some(a => a.internal))
+            continue;
+        // Skip known virtual interfaces
+        const ifaceLower = name.toLowerCase();
+        if (VIRTUAL_PREFIXES.some(prefix => ifaceLower.startsWith(prefix)))
+            continue;
+        for (const addr of addrs) {
+            const mac = addr.mac;
+            // Validate: real MAC is not all-zeros, not broadcast
+            if (mac && mac !== '00:00:00:00:00:00' && mac !== 'ff:ff:ff:ff:ff:ff') {
+                return {
+                    fingerprint: mac.toUpperCase(),
+                    type: 'mac',
+                    iface: name,
+                    platform,
+                    hostname,
+                };
+            }
+        }
+    }
+    // ── Pass 2: IPv6 link-local (fe80::/10) — container/VM fallback ───────────
+    for (const [name, addrs] of Object.entries(ifaces)) {
+        if (!addrs)
+            continue;
+        if (addrs.some(a => a.internal))
+            continue;
+        for (const addr of addrs) {
+            if (addr.family === 'IPv6' && addr.address.toLowerCase().startsWith('fe80')) {
+                return {
+                    fingerprint: addr.address.toLowerCase(),
+                    type: 'ipv6_link_local',
+                    iface: name,
+                    platform,
+                    hostname,
+                };
+            }
+        }
+    }
+    // ── Fail loudly — never silently return a fake identity ───────────────────
+    throw new Error('HABI: No stable hardware identifier found. ' +
+        'Physical machines require a non-virtual network interface with a MAC address. ' +
+        'Containers require an IPv6 link-local address (fe80::/10).');
+}
+/**
+ * Generates a session fingerprint from hardware identity + context hash + timestamp.
+ * This fingerprint is signed into every audit log entry.
+ *
+ * fingerprint = SHA-256(hardware_id + ":" + context_hash + ":" + timestamp_ms)
+ */
+function generateSessionFingerprint(hardwareId, contextHash, timestampMs = Date.now()) {
+    return crypto
+        .createHash('sha256')
+        .update(`${hardwareId}:${contextHash}:${timestampMs}`)
+        .digest('hex');
+}
+/**
+ * Computes SHA-256 of arbitrary input — used for operation hashing in audit log.
+ */
+function sha256(input) {
+    return crypto.createHash('sha256').update(input).digest('hex');
+}
+//# sourceMappingURL=hardware.js.map

package/dist/hardware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardware.js","sourceRoot":"","sources":["../src/hardware.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBH,oDA0DC;AAQD,gEASC;AAKD,wBAEC;AAtGD,uCAAyB;AACzB,+CAAiC;AAYjC;;;;;;GAMG;AACH,SAAgB,oBAAoB;IAClC,MAAM,MAAM,GAAG,EAAE,CAAC,iBAAiB,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAE/B,8EAA8E;IAC9E,wDAAwD;IACxD,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE7E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,gBAAgB;QAChB,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE1C,gCAAgC;QAChC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAAE,SAAS;QAE7E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;YACrB,qDAAqD;YACrD,IAAI,GAAG,IAAI,GAAG,KAAK,mBAAmB,IAAI,GAAG,KAAK,mBAAmB,EAAE,CAAC;gBACtE,OAAO;oBACL,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,IAAI;oBACX,QAAQ;oBACR,QAAQ;iBACT,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,OAAO;oBACL,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE;oBACvC,IAAI,EAAE,iBAAiB;oBACvB,KAAK,EAAE,IAAI;oBACX,QAAQ;oBACR,QAAQ;iBACT,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,MAAM,IAAI,KAAK,CACb,6CAA6C;QAC7C,gFAAgF;QAChF,4DAA4D,CAC7D,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,0BAA0B,CACxC,UAAkB,EAClB,WAAmB,EACnB,cAAsB,IAAI,CAAC,GAAG,EAAE;IAEhC,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,GAAG,UAAU,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;SACrD,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,MAAM,CAAC,KAAa;IAClC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { HabiLocalServer } from './server';
+export { readHardwareIdentity, generateSessionFingerprint, sha256 } from './hardware';
+export { findContextFile, loadContext, assertOperation, assertMachineAuthorized } from './context';
+export type { HardwareIdentity, FingerprintType } from './hardware';
+export type { ProjectContext, LoadedContext, AllowedOperations } from './context';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACtF,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACnG,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AACpE,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC"}

package/dist/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertMachineAuthorized = exports.assertOperation = exports.loadContext = exports.findContextFile = exports.sha256 = exports.generateSessionFingerprint = exports.readHardwareIdentity = exports.HabiLocalServer = void 0;
+var server_1 = require("./server");
+Object.defineProperty(exports, "HabiLocalServer", { enumerable: true, get: function () { return server_1.HabiLocalServer; } });
+var hardware_1 = require("./hardware");
+Object.defineProperty(exports, "readHardwareIdentity", { enumerable: true, get: function () { return hardware_1.readHardwareIdentity; } });
+Object.defineProperty(exports, "generateSessionFingerprint", { enumerable: true, get: function () { return hardware_1.generateSessionFingerprint; } });
+Object.defineProperty(exports, "sha256", { enumerable: true, get: function () { return hardware_1.sha256; } });
+var context_1 = require("./context");
+Object.defineProperty(exports, "findContextFile", { enumerable: true, get: function () { return context_1.findContextFile; } });
+Object.defineProperty(exports, "loadContext", { enumerable: true, get: function () { return context_1.loadContext; } });
+Object.defineProperty(exports, "assertOperation", { enumerable: true, get: function () { return context_1.assertOperation; } });
+Object.defineProperty(exports, "assertMachineAuthorized", { enumerable: true, get: function () { return context_1.assertMachineAuthorized; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,mCAA2C;AAAlC,yGAAA,eAAe,OAAA;AACxB,uCAAsF;AAA7E,gHAAA,oBAAoB,OAAA;AAAE,sHAAA,0BAA0B,OAAA;AAAE,kGAAA,MAAM,OAAA;AACjE,qCAAmG;AAA1F,0GAAA,eAAe,OAAA;AAAE,sGAAA,WAAW,OAAA;AAAE,0GAAA,eAAe,OAAA;AAAE,kHAAA,uBAAuB,OAAA"}

package/dist/server.d.ts

@@ -0,0 +1,25 @@
+/**
+ * HABI Local Identity Server
+ * Runs on localhost:7432 exclusively — never binds to 0.0.0.0
+ *
+ * Pure Node.js http — zero external dependencies.
+ * Security: localhost-only binding is the enforced hardware boundary.
+ */
+export declare class HabiLocalServer {
+    private hardware;
+    private context;
+    private session;
+    private server;
+    private isLocalhost;
+    private handleHealth;
+    private handleIdentity;
+    private handleVerify;
+    private handleAssertContext;
+    private handleAudit;
+    private getHardware;
+    private getContext;
+    private getOrCreateSession;
+    start(): Promise<void>;
+    stop(): void;
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoCH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,OAAO,CAA8B;IAC7C,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,MAAM,CAA4B;IAG1C,OAAO,CAAC,WAAW;IAMnB,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,cAAc;IA0BtB,OAAO,CAAC,YAAY;YAwBN,mBAAmB;YAiCnB,WAAW;IAmBzB,OAAO,CAAC,WAAW;IAQnB,OAAO,CAAC,UAAU;IAWlB,OAAO,CAAC,kBAAkB;IAqB1B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAiDtB,IAAI,IAAI,IAAI;CAIb"}