termyte 0.1.0

package/README.md

@@ -0,0 +1,50 @@
+# Termyte — Terminal Governance for Coding Agents
+
+Termyte is a lightweight, terminal-first governance runtime designed to protect your codebase from catastrophic agent actions (like `rm -rf /` or accidental database drops).
+
+It provides a secure "Split-Plane" architecture where your coding agent (Claude Code, Cursor, etc.) proposes actions, and Termyte evaluates them against a deterministic sandbox and an LLM judge before execution.
+
+## Features
+
+- **Causal Guard**: Deterministic command analysis for high-risk operations.
+- **Agent Ledger**: Every action, verdict, and outcome is recorded in a secure, immutable ledger.
+- **Zero-Friction Auth**: Device-based identification (no API keys to manage).
+- **Terminal First**: View governance events directly in your terminal with `npx termyte log`.
+
+## Getting Started
+
+### 1. Initialize Termyte
+Run this to generate your unique device ID and setup local config:
+```bash
+npx termyte init
+```
+
+### 2. Configure your Agent
+Add Termyte as an MCP server to your favorite tool.
+
+#### Claude Code config:
+Add the following to your `claude_desktop_config.json`:
+```json
+{
+  "mcpServers": {
+    "termyte": {
+      "command": "npx",
+      "args": ["-y", "termyte"],
+      "env": {
+        "TERMYTE_API_URL": "https://mcp.causalos.xyz"
+      }
+    }
+  }
+}
+```
+
+### 3. Usage
+Once configured, Termyte will automatically intercept sensitive tool calls. You can monitor the activity:
+```bash
+npx termyte log
+```
+
+## How it Works
+1. **Prepare**: The agent calls `causal_guard` with the proposed command.
+2. **Judge**: Termyte evaluates the risk level and historical context.
+3. **Commit**: After the agent executes the tool, it records the success/failure to the ledger.

package/dist/__tests__/command-sandbox.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=command-sandbox.test.d.ts.map

package/dist/__tests__/command-sandbox.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-sandbox.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/command-sandbox.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/command-sandbox.test.js

@@ -0,0 +1,18 @@
+import { describe, it, expect } from "vitest";
+import { nativeExec, tokenize } from "../executor.js";
+describe("Command Execution Sandbox", () => {
+    it("should tokenize commands correctly", () => {
+        expect(tokenize('ls -la "/path/with spaces"')).toEqual(['ls', '-la', '/path/with spaces']);
+    });
+    it("ALLOW-01: 'node -v' should execute successfully", async () => {
+        const result = await nativeExec("node -v");
+        expect(result.exit_code).toBe(0);
+        expect(result.stdout).toMatch(/v\d+\.\d+\.\d+/);
+    });
+    it("ALLOW-02: 'git --version' should pass validation", async () => {
+        const result = await nativeExec("git --version");
+        expect(result.exit_code).toBe(0);
+        expect(result.stdout).toContain("git version");
+    });
+});
+//# sourceMappingURL=command-sandbox.test.js.map

package/dist/__tests__/command-sandbox.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-sandbox.test.js","sourceRoot":"","sources":["../../src/__tests__/command-sandbox.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAEtD,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}

package/dist/__tests__/contract.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=contract.test.d.ts.map

package/dist/__tests__/contract.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contract.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/contract.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/contract.test.js

@@ -0,0 +1,70 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import http from "node:http";
+import { CloudKernelClient } from "../cloud-client.js";
+let server;
+let baseUrl = "";
+const requests = [];
+describe("Cloud contract", () => {
+    beforeAll(async () => {
+        server = http.createServer((req, res) => {
+            const chunks = [];
+            req.on("data", (d) => chunks.push(d));
+            req.on("end", () => {
+                const body = chunks.length ? JSON.parse(Buffer.concat(chunks).toString("utf-8")) : {};
+                requests.push({ url: req.url || "", body, method: req.method });
+                res.setHeader("content-type", "application/json");
+                if ((req.url || "").startsWith("/v1/governance/prepare")) {
+                    res.end(JSON.stringify({ verdict: "ALLOW", reason: "ok", tool_call_id: "tc_1" }));
+                }
+                else if ((req.url || "").startsWith("/v1/governance/commit")) {
+                    res.end(JSON.stringify({ status: "success" }));
+                }
+                else {
+                    res.end(JSON.stringify({ ok: true }));
+                }
+            });
+        });
+        await new Promise((resolve) => {
+            server.listen(0, "127.0.0.1", () => resolve());
+        });
+        const addr = server.address();
+        if (addr && typeof addr === "object") {
+            baseUrl = `http://127.0.0.1:${addr.port}`;
+        }
+        // Mock environment variables
+        process.env.TERMYTE_API_URL = baseUrl;
+        process.env.TERMYTE_DEVICE_ID = "test-device-id";
+    });
+    beforeEach(() => {
+        requests.length = 0;
+    });
+    afterAll(async () => {
+        await new Promise((resolve) => server.close(() => resolve()));
+    });
+    it("prepareToolCall calls /v1/governance/prepare with correct payload", async () => {
+        const client = new CloudKernelClient();
+        const payload = { command: "ls" };
+        await client.prepareToolCall("session-1", "execute", payload);
+        expect(requests[0]?.url).toBe("/v1/governance/prepare");
+        expect(requests[0]?.method).toBe("POST");
+        expect(requests[0]?.body).toMatchObject({
+            session_id: "session-1",
+            tool_name: "execute",
+            payload_json: payload,
+        });
+    });
+    it("commitToolCall calls /v1/governance/commit with correct payload", async () => {
+        const client = new CloudKernelClient();
+        const outcome = { stdout: "ok" };
+        await client.commitToolCall("tc_1", outcome, true, 0);
+        expect(requests[0]?.url).toBe("/v1/governance/commit");
+        expect(requests[0]?.method).toBe("POST");
+        expect(requests[0]?.body).toMatchObject({
+            tool_call_id: "tc_1",
+            outcome_json: outcome,
+            success: true,
+            exit_code: 0
+        });
+    });
+});
+//# sourceMappingURL=contract.test.js.map

package/dist/__tests__/contract.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contract.test.js","sourceRoot":"","sources":["../../src/__tests__/contract.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACnF,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,IAAI,MAAmB,CAAC;AACxB,IAAI,OAAO,GAAG,EAAE,CAAC;AACjB,MAAM,QAAQ,GAAU,EAAE,CAAC;AAE3B,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC5B,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACpC,MAAM,MAAM,GAAU,EAAE,CAAC;YACzB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACf,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtF,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChE,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;gBAClD,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,wBAAwB,CAAC,EAAE,CAAC;oBACvD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;gBACtF,CAAC;qBAAM,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;oBAC7D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;gBACnD,CAAC;qBAAM,CAAC;oBACJ,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC1C,CAAC;YACL,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAChC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,GAAG,oBAAoB,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9C,CAAC;QAED,6BAA6B;QAC7B,OAAO,CAAC,GAAG,CAAC,eAAe,GAAG,OAAO,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,gBAAgB,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,UAAU,CAAC,GAAG,EAAE;QACZ,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAClC,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAE9D,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC;YACpC,UAAU,EAAE,WAAW;YACvB,SAAS,EAAE,SAAS;YACpB,YAAY,EAAE,OAAO;SACxB,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACjC,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC;YACpC,YAAY,EAAE,MAAM;YACpB,YAAY,EAAE,OAAO;YACrB,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,CAAC;SACf,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}

package/dist/__tests__/offline.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=offline.test.d.ts.map

package/dist/__tests__/offline.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"offline.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/offline.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/offline.test.js

@@ -0,0 +1,22 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { KernelClient } from "../client.js";
+describe("Offline Resilience", () => {
+    let client;
+    beforeEach(() => {
+        client = new KernelClient();
+        // Mock cloudClient to throw error (simulating network down)
+        vi.spyOn(client.cloudClient, 'prepareToolCall').mockRejectedValue(new Error("Network Down"));
+        vi.spyOn(client.cloudClient, 'commitToolCall').mockRejectedValue(new Error("Network Down"));
+    });
+    it("should implement fail-closed in KernelClient for prepareToolCall", async () => {
+        // Based on the current client.ts implementation, it fails closed (BLOCK)
+        const verdict = await client.prepareToolCall("s1", "execute", { command: "ls" });
+        expect(verdict.verdict).toBe("BLOCK");
+        expect(verdict.reason).toContain("Governance runtime unreachable");
+    });
+    it("should handle failed commit gracefully", async () => {
+        const result = await client.commitToolCall("tc1", { stdout: "" }, true, 0);
+        expect(result.status).toBe("local_only");
+    });
+});
+//# sourceMappingURL=offline.test.js.map

package/dist/__tests__/offline.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"offline.test.js","sourceRoot":"","sources":["../../src/__tests__/offline.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAChC,IAAI,MAAoB,CAAC;IAEzB,UAAU,CAAC,GAAG,EAAE;QACZ,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;QAC7F,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,yEAAyE;QACzE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACjF,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,gCAAgC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}

package/dist/cache.d.ts

@@ -0,0 +1,26 @@
+export interface Verdict {
+    recommendation: 'PROCEED' | 'CAUTION' | 'ABORT';
+    reason: string;
+    confidence: number;
+    risk_score: number;
+}
+export declare class HotCache {
+    private static allowCache;
+    private static blockCache;
+    /**
+     * Retrieves a cached verdict for a given action fingerprint.
+     */
+    static get(fingerprint: string): Verdict | undefined;
+    /**
+     * Stores a verdict in the local hot cache.
+     */
+    static set(fingerprint: string, verdict: Verdict): void;
+    /**
+     * Batch updates the cache from a cloud sync payload.
+     */
+    static updateFromSync(data: Record<string, Verdict>): void;
+    private static getCachePath;
+    static saveToDisk(): void;
+    static loadFromDisk(): void;
+}
+//# sourceMappingURL=cache.d.ts.map

package/dist/cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,OAAO;IACpB,cAAc,EAAE,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;IAChD,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,QAAQ;IACjB,OAAO,CAAC,MAAM,CAAC,UAAU,CAGtB;IACH,OAAO,CAAC,MAAM,CAAC,UAAU,CAGtB;IAEH;;OAEG;WACW,GAAG,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI3D;;OAEG;WACW,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAQ9D;;OAEG;WACW,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAMjE,OAAO,CAAC,MAAM,CAAC,YAAY;WAQb,UAAU,IAAI,IAAI;WAoBlB,YAAY,IAAI,IAAI;CAcrC"}

package/dist/cache.js

@@ -0,0 +1,81 @@
+import { LRUCache } from 'lru-cache';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+export class HotCache {
+    static allowCache = new LRUCache({
+        max: 500,
+        ttl: 1000 * 60 * 60, // 1 hour
+    });
+    static blockCache = new LRUCache({
+        max: 1000,
+        ttl: 1000 * 60 * 60 * 24 * 7, // 7 days
+    });
+    /**
+     * Retrieves a cached verdict for a given action fingerprint.
+     */
+    static get(fingerprint) {
+        return this.blockCache.get(fingerprint) || this.allowCache.get(fingerprint);
+    }
+    /**
+     * Stores a verdict in the local hot cache.
+     */
+    static set(fingerprint, verdict) {
+        if (verdict.recommendation === 'ABORT') {
+            this.blockCache.set(fingerprint, verdict);
+            return;
+        }
+        this.allowCache.set(fingerprint, verdict);
+    }
+    /**
+     * Batch updates the cache from a cloud sync payload.
+     */
+    static updateFromSync(data) {
+        for (const [fingerprint, verdict] of Object.entries(data)) {
+            this.set(fingerprint, verdict);
+        }
+    }
+    static getCachePath() {
+        const dir = path.join(os.homedir(), '.termyte');
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        return path.join(dir, 'governance_cache.json');
+    }
+    static saveToDisk() {
+        try {
+            const data = {};
+            // @ts-ignore - access internal cache entries for serialization
+            for (const [key, value] of this.allowCache.dump()) {
+                data[key] = value;
+            }
+            // @ts-ignore - access internal cache entries for serialization
+            for (const [key, value] of this.blockCache.dump()) {
+                data[key] = value;
+            }
+            const p = this.getCachePath();
+            const tempPath = `${p}.tmp`;
+            fs.writeFileSync(tempPath, JSON.stringify(data, null, 2));
+            fs.renameSync(tempPath, p);
+        }
+        catch (err) {
+            console.error('[HotCache] Failed to save to disk:', err);
+        }
+    }
+    static loadFromDisk() {
+        try {
+            const cachePath = this.getCachePath();
+            if (fs.existsSync(cachePath)) {
+                const data = JSON.parse(fs.readFileSync(cachePath, 'utf8'));
+                for (const [key, val] of Object.entries(data)) {
+                    this.set(key, val);
+                }
+                console.error(`[HotCache] Loaded ${Object.keys(data).length} patterns from disk.`);
+            }
+        }
+        catch (err) {
+            console.error('[HotCache] Failed to load from disk:', err);
+        }
+    }
+}
+//# sourceMappingURL=cache.js.map

package/dist/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AASzB,MAAM,OAAO,QAAQ;IACT,MAAM,CAAC,UAAU,GAAG,IAAI,QAAQ,CAAkB;QACtD,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,IAAI,GAAG,EAAE,GAAG,EAAE,EAAE,SAAS;KACjC,CAAC,CAAC;IACK,MAAM,CAAC,UAAU,GAAG,IAAI,QAAQ,CAAkB;QACtD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,SAAS;KAC1C,CAAC,CAAC;IAEH;;OAEG;IACI,MAAM,CAAC,GAAG,CAAC,WAAmB;QACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAChF,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,GAAG,CAAC,WAAmB,EAAE,OAAgB;QACnD,IAAI,OAAO,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;YACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC1C,OAAO;QACX,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,cAAc,CAAC,IAA6B;QACtD,KAAK,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACnC,CAAC;IACL,CAAC;IAEO,MAAM,CAAC,YAAY;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;IACnD,CAAC;IAEM,MAAM,CAAC,UAAU;QACpB,IAAI,CAAC;YACD,MAAM,IAAI,GAAwB,EAAE,CAAC;YACrC,+DAA+D;YAC/D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;gBAChD,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtB,CAAC;YACD,+DAA+D;YAC/D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;gBAChD,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtB,CAAC;YACD,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC;YAC5B,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC1D,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,GAAG,CAAC,CAAC;QAC7D,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,YAAY;QACtB,IAAI,CAAC;YACD,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACtC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC5D,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAc,CAAC,CAAC;gBAClC,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,qBAAqB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,sBAAsB,CAAC,CAAC;YACvF,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,9 @@
+import { CloudKernelClient } from './cloud-client.js';
+export declare class KernelClient {
+    cloudClient: CloudKernelClient;
+    constructor();
+    prepareToolCall(session_id: string, tool_name: string, payload: any): Promise<any>;
+    commitToolCall(tool_call_id: string, outcome: any, success: boolean, exitCode?: number): Promise<any>;
+}
+export declare const kernel: KernelClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,qBAAa,YAAY;IAChB,WAAW,EAAE,iBAAiB,CAAC;;IAMhC,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,GAAG,GACX,OAAO,CAAC,GAAG,CAAC;IAaT,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;CAS5G;AAED,eAAO,MAAM,MAAM,cAAqB,CAAC"}

package/dist/client.js

@@ -0,0 +1,32 @@
+import { CloudKernelClient } from './cloud-client.js';
+export class KernelClient {
+    cloudClient;
+    constructor() {
+        this.cloudClient = new CloudKernelClient();
+    }
+    async prepareToolCall(session_id, tool_name, payload) {
+        try {
+            return await this.cloudClient.prepareToolCall(session_id, tool_name, payload);
+        }
+        catch (err) {
+            console.error(`[KernelClient] Governance failure: ${err.message}. Failing closed.`);
+            return {
+                verdict: "BLOCK",
+                reason: "Governance runtime unreachable. Action blocked for safety.",
+                source: "failsafe"
+            };
+        }
+    }
+    async commitToolCall(tool_call_id, outcome, success, exitCode) {
+        try {
+            return await this.cloudClient.commitToolCall(tool_call_id, outcome, success, exitCode);
+        }
+        catch (err) {
+            // Log locally if cloud is down, but don't crash
+            console.error(`[KernelClient] Failed to commit outcome: ${err}`);
+            return { status: "local_only" };
+        }
+    }
+}
+export const kernel = new KernelClient();
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,OAAO,YAAY;IAChB,WAAW,CAAoB;IAEtC;QACE,IAAI,CAAC,WAAW,GAAG,IAAI,iBAAiB,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,UAAkB,EAClB,SAAiB,EACjB,OAAY;QAEZ,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAChF,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,sCAAsC,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC;YACpF,OAAO;gBACH,OAAO,EAAE,OAAO;gBAChB,MAAM,EAAE,4DAA4D;gBACpE,MAAM,EAAE,UAAU;aACrB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,YAAoB,EAAE,OAAY,EAAE,OAAgB,EAAE,QAAiB;QAC1F,IAAI,CAAC;YACD,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC3F,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,gDAAgD;YAChD,OAAO,CAAC,KAAK,CAAC,4CAA4C,GAAG,EAAE,CAAC,CAAC;YACjE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;CACF;AAED,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC"}

package/dist/cloud-client.d.ts

@@ -0,0 +1,11 @@
+export declare class CloudKernelClient {
+    private deviceId;
+    private baseURL;
+    constructor();
+    getDeviceId(): Promise<string>;
+    private request;
+    prepareToolCall(session_id: string, tool_name: string, payload: any): Promise<any>;
+    commitToolCall(tool_call_id: string, outcome: any, success: boolean, exitCode?: number): Promise<any>;
+    getMetrics(): Promise<any>;
+}
+//# sourceMappingURL=cloud-client.d.ts.map

package/dist/cloud-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-client.d.ts","sourceRoot":"","sources":["../src/cloud-client.ts"],"names":[],"mappings":"AAKA,qBAAa,iBAAiB;IAC1B,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,OAAO,CAAS;;IAMlB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;YAoBtB,OAAO;IAwCf,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG;IAQnE,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM;IAStF,UAAU;CAGnB"}

package/dist/cloud-client.js

@@ -0,0 +1,89 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+import * as https from 'https';
+export class CloudKernelClient {
+    deviceId = null;
+    baseURL;
+    constructor() {
+        this.baseURL = process.env.TERMYTE_API_URL || 'https://mcp.causalos.xyz';
+    }
+    async getDeviceId() {
+        if (this.deviceId)
+            return this.deviceId;
+        if (process.env.TERMYTE_DEVICE_ID) {
+            this.deviceId = process.env.TERMYTE_DEVICE_ID;
+            return this.deviceId;
+        }
+        const configPath = path.join(os.homedir(), '.termyte', 'config.json');
+        try {
+            const config = JSON.parse(await fs.readFile(configPath, 'utf-8'));
+            if (config.device_id) {
+                this.deviceId = config.device_id;
+                return this.deviceId;
+            }
+        }
+        catch (e) { }
+        throw new Error("TERMYTE_DEVICE_ID not found. Run 'npx termyte init' first.");
+    }
+    async request(method, endpoint, body) {
+        const url = new URL(endpoint, this.baseURL);
+        const deviceId = await this.getDeviceId();
+        return new Promise((resolve, reject) => {
+            const options = {
+                method,
+                hostname: url.hostname,
+                path: url.pathname,
+                headers: {
+                    'Content-Type': 'application/json',
+                    'x-termyte-device-id': deviceId
+                },
+                timeout: 10000
+            };
+            const req = https.request(options, (res) => {
+                let data = '';
+                res.on('data', (chunk) => data += chunk);
+                res.on('end', () => {
+                    try {
+                        const parsed = JSON.parse(data);
+                        if (res.statusCode && res.statusCode >= 400) {
+                            reject(new Error(parsed.message || `Server error: ${res.statusCode}`));
+                        }
+                        else {
+                            resolve(parsed);
+                        }
+                    }
+                    catch (e) {
+                        if (res.statusCode === 204)
+                            resolve({});
+                        else
+                            reject(new Error('Invalid JSON response'));
+                    }
+                });
+            });
+            req.on('error', reject);
+            if (body)
+                req.write(JSON.stringify(body));
+            req.end();
+        });
+    }
+    async prepareToolCall(session_id, tool_name, payload) {
+        return this.request('POST', '/v1/governance/prepare', {
+            session_id,
+            tool_name,
+            payload_json: payload,
+        });
+    }
+    async commitToolCall(tool_call_id, outcome, success, exitCode) {
+        return this.request('POST', '/v1/governance/commit', {
+            tool_call_id,
+            outcome_json: outcome,
+            success,
+            exit_code: exitCode
+        });
+    }
+    async getMetrics() {
+        return this.request('GET', '/metrics');
+    }
+}
+//# sourceMappingURL=cloud-client.js.map

package/dist/cloud-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-client.js","sourceRoot":"","sources":["../src/cloud-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,MAAM,OAAO,iBAAiB;IAClB,QAAQ,GAAkB,IAAI,CAAC;IAC/B,OAAO,CAAS;IAExB;QACI,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,0BAA0B,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,WAAW;QACb,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QAExC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;YAChC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;YAC9C,OAAO,IAAI,CAAC,QAAQ,CAAC;QACzB,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACtE,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAClE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACnB,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,SAAmB,CAAC;gBAC3C,OAAO,IAAI,CAAC,QAAQ,CAAC;YACzB,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;QAEd,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAClF,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,MAAc,EAAE,QAAgB,EAAE,IAAU;QAC9D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAE1C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACnC,MAAM,OAAO,GAAG;gBACZ,MAAM;gBACN,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,qBAAqB,EAAE,QAAQ;iBAClC;gBACD,OAAO,EAAE,KAAK;aACjB,CAAC;YAEF,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvC,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC;gBACzC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACf,IAAI,CAAC;wBACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAChC,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;4BAC1C,MAAM,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,IAAI,iBAAiB,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;wBAC3E,CAAC;6BAAM,CAAC;4BACJ,OAAO,CAAC,MAAM,CAAC,CAAC;wBACpB,CAAC;oBACL,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACT,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG;4BAAE,OAAO,CAAC,EAAE,CAAC,CAAC;;4BACnC,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC;oBACpD,CAAC;gBACL,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxB,IAAI,IAAI;gBAAE,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1C,GAAG,CAAC,GAAG,EAAE,CAAC;QACd,CAAC,CAAC,CAAC;IACP,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,UAAkB,EAAE,SAAiB,EAAE,OAAY;QACrE,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,wBAAwB,EAAE;YAClD,UAAU;YACV,SAAS;YACT,YAAY,EAAE,OAAO;SACxB,CAAC,CAAC;IACP,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,YAAoB,EAAE,OAAY,EAAE,OAAgB,EAAE,QAAiB;QACxF,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,uBAAuB,EAAE;YACjD,YAAY;YACZ,YAAY,EAAE,OAAO;YACrB,OAAO;YACP,SAAS,EAAE,QAAQ;SACtB,CAAC,CAAC;IACP,CAAC;IAED,KAAK,CAAC,UAAU;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC;CACJ"}

package/dist/executor.d.ts

@@ -0,0 +1,20 @@
+export interface ExecutionResult {
+    stdout: string;
+    stderr: string;
+    exit_code: number;
+}
+/**
+ * Tokenize a command string into a binary and its arguments.
+ * Handles single/double quotes and backslash escaping.
+ */
+export declare function tokenize(command: string): string[];
+/**
+ * Ensures batch commands on Windows are invoked with .cmd extension.
+ */
+export declare function resolveWindowsVerb(verb: string): string;
+/**
+ * Execute a command natively after it has passed Termyte Governance.
+ * Uses execFile (not exec) to prevent shell injection at the OS level.
+ */
+export declare function nativeExec(rawCommand: string, timeoutMs?: number): Promise<ExecutionResult>;
+//# sourceMappingURL=executor.d.ts.map

package/dist/executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../src/executor.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAqClD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOvD;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,eAAe,CAAC,CAyBjG"}

package/dist/executor.js

@@ -0,0 +1,93 @@
+import { execFile } from "child_process";
+import { promisify } from "util";
+const execFileAsync = promisify(execFile);
+/**
+ * Tokenize a command string into a binary and its arguments.
+ * Handles single/double quotes and backslash escaping.
+ */
+export function tokenize(command) {
+    const tokens = [];
+    let current = "";
+    let inSingleQuote = false;
+    let inDoubleQuote = false;
+    let escaping = false;
+    for (let i = 0; i < command.length; i++) {
+        const ch = command[i];
+        if (escaping) {
+            current += ch;
+            escaping = false;
+            continue;
+        }
+        if (ch === "\\") {
+            escaping = true;
+            continue;
+        }
+        if (ch === "'" && !inSingleQuote && !inDoubleQuote) {
+            inSingleQuote = true;
+        }
+        else if (ch === "'" && inSingleQuote && !inDoubleQuote) {
+            inSingleQuote = false;
+        }
+        else if (ch === "\"" && !inSingleQuote && !inDoubleQuote) {
+            inDoubleQuote = true;
+        }
+        else if (ch === "\"" && inDoubleQuote && !inSingleQuote) {
+            inDoubleQuote = false;
+        }
+        else if (ch === " " && !inSingleQuote && !inDoubleQuote) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+        }
+        else {
+            current += ch;
+        }
+    }
+    if (current.length > 0)
+        tokens.push(current);
+    return tokens;
+}
+/**
+ * Ensures batch commands on Windows are invoked with .cmd extension.
+ */
+export function resolveWindowsVerb(verb) {
+    if (process.platform !== "win32")
+        return verb;
+    const batchCommands = ["npm", "npx", "yarn", "pnpm", "tsc", "cargo"];
+    if (batchCommands.includes(verb.toLowerCase())) {
+        return `${verb}.cmd`;
+    }
+    return verb;
+}
+/**
+ * Execute a command natively after it has passed Termyte Governance.
+ * Uses execFile (not exec) to prevent shell injection at the OS level.
+ */
+export async function nativeExec(rawCommand, timeoutMs = 30_000) {
+    const tokens = tokenize(rawCommand.trim());
+    const rawVerbToken = tokens[0];
+    if (!rawVerbToken)
+        throw new Error("Empty command");
+    // Extract verb (strip path) and resolve Windows extension
+    const rawVerb = rawVerbToken.replace(/^.*[\\\/]/, "");
+    const verb = resolveWindowsVerb(rawVerb);
+    const args = tokens.slice(1);
+    try {
+        const { stdout, stderr } = await execFileAsync(verb, args, {
+            timeout: timeoutMs,
+            maxBuffer: 10 * 1024 * 1024, // 10 MB max output
+            windowsHide: true,
+            shell: false,
+        });
+        return { stdout, stderr, exit_code: 0 };
+    }
+    catch (err) {
+        return {
+            stdout: err.stdout ?? "",
+            stderr: err.stderr ?? err.message,
+            exit_code: err.code ?? 1,
+        };
+    }
+}
+//# sourceMappingURL=executor.js.map

package/dist/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../src/executor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAQ1C;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACtC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,QAAQ,GAAG,KAAK,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YACnD,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YACzD,aAAa,GAAG,KAAK,CAAC;QACxB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YAC3D,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;aAAM,IAAI,EAAE,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YAC1D,aAAa,GAAG,KAAK,CAAC;QACxB,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,EAAE,CAAC;YACf,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC9C,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACrE,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC/C,OAAO,GAAG,IAAI,MAAM,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,UAAkB,EAAE,SAAS,GAAG,MAAM;IACrE,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IAEpD,0DAA0D;IAC1D,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE;YACzD,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,mBAAmB;YAChD,WAAW,EAAE,IAAI;YACjB,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO;YACL,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO;YACjC,SAAS,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC;SACzB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}