runewall 1.0.0__tar.gz

runewall-1.0.0/.gitattributes

@@ -0,0 +1,2 @@
+examples/community-maps/*.json text eol=lf
+examples/community-maps/**/*.json text eol=lf

runewall-1.0.0/.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: Runewall CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.13
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -e ".[dev]"
+
+      - name: Run tests
+        run: python -m pytest tests -v

runewall-1.0.0/.github/workflows/community-map-verify-example.yml

@@ -0,0 +1,18 @@
+# Example workflow for local community map package verification.
+# This is a documentation-style example and can be adapted per repository.
+name: Community Map Verify Example
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  verify-community-maps:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - run: python -m pip install -e ".[dev]"
+      - run: runewall maps community package verify examples/community-maps --json

runewall-1.0.0/.gitignore

@@ -0,0 +1,17 @@
+.venv/
+.runewall/
+.pytest_cache/
+__pycache__/
+*.pyc
+.coverage
+dist/
+build/
+*.egg-info/
+
+demo.txt
+
+# Python cache files
+__pycache__/
+*.py[cod]
+*$py.class
+.pytest_cache/

runewall-1.0.0/AGENTS.md

@@ -0,0 +1,193 @@
+# AGENTS.md
+
+Behavioral guidelines for Codex while building Runewall.
+
+These instructions reduce common LLM coding mistakes. Follow them together with the project brain and technical spec.
+
+Before coding, always read:
+
+* `brain/runewall-brain-bundle.md`
+* `brain/runewall-technical-spec.md`
+
+Runewall is local-first, open-source, Python-first, CLI-first, and safety-first.
+
+Do not build everything at once.
+
+---
+
+## 1. Think Before Coding
+
+**Don't assume. Don't hide confusion. Surface tradeoffs.**
+
+Before implementing:
+
+* State your assumptions explicitly.
+* If uncertain, ask or explain the uncertainty.
+* If multiple interpretations exist, present them instead of silently choosing.
+* If a simpler approach exists, say so.
+* Push back when the request would make the system overcomplicated.
+* If something is unclear, stop and name what is confusing.
+
+---
+
+## 2. Simplicity First
+
+**Minimum code that solves the current task. Nothing speculative.**
+
+* No features beyond what was asked.
+* No abstractions for single-use code.
+* No dashboard unless explicitly requested.
+* No TypeScript SDK unless explicitly requested.
+* No Playwright/browser translation unless explicitly requested.
+* No website maps unless explicitly requested.
+* No auth/credential layer unless explicitly requested.
+* No agent-native protocol unless explicitly requested.
+* No "future flexibility" unless the current task needs it.
+* If you write 200 lines and it could be 50, rewrite it.
+
+Ask yourself:
+
+> Would a senior engineer say this is overcomplicated?
+
+If yes, simplify.
+
+---
+
+## 3. Surgical Changes
+
+**Touch only what you must. Clean up only your own mess.**
+
+When editing existing code:
+
+* Do not improve adjacent code, comments, or formatting unless needed.
+* Do not refactor things that are not broken.
+* Match the existing style.
+* If you notice unrelated dead code, mention it but do not delete it.
+* Remove imports, variables, or functions only if your changes made them unused.
+
+Every changed line should directly trace to the current request.
+
+---
+
+## 4. Goal-Driven Execution
+
+**Define success criteria. Loop until verified.**
+
+Transform tasks into verifiable goals.
+
+Examples:
+
+* "Add validation" means: write tests for invalid inputs, then make them pass.
+* "Fix the bug" means: write a test that reproduces it, then make it pass.
+* "Refactor X" means: ensure tests pass before and after.
+
+For multi-step tasks, state a brief plan:
+
+```txt
+1. [Step] → verify: [check]
+2. [Step] → verify: [check]
+3. [Step] → verify: [check]
+```
+
+Do not stop after writing code. Run or explain the verification.
+
+---
+
+## 5. Runewall Build Order
+
+Build Runewall in this order:
+
+```txt
+1. Python package skeleton
+2. Core models
+3. SQLite schema
+4. Action log
+5. CLI init/log
+6. Rules engine
+7. File snapshot engine
+8. File rollback engine
+9. Interceptor
+10. Universal read mode
+11. Maps
+12. Auth
+13. Protocol
+14. Dashboard
+15. TypeScript SDK
+```
+
+Do not skip ahead.
+
+Current priority:
+
+```txt
+Core models → SQLite schema → Action log → CLI init/log
+```
+
+---
+
+## 6. Runewall Non-Negotiables
+
+Runewall must remain:
+
+* Local-first
+* Open-source
+* No required hosted backend
+* No required API key
+* No vendor lock-in
+* Python-first
+* CLI-first
+* Framework-agnostic
+* Safety-first
+* Rollback-focused
+
+Do not add external services.
+
+Do not require internet except for websites agents intentionally visit.
+
+Do not log secrets.
+
+Do not hardcode credentials.
+
+---
+
+## 7. Testing Rules
+
+For every feature:
+
+* Add tests.
+* Keep tests small and focused.
+* Prefer temp directories for file-system tests.
+* Do not depend on real websites in core tests.
+* Do not require external API keys.
+* Do not require network access for core tests.
+
+Before finishing, run:
+
+```bash
+pytest tests/ -v
+```
+
+If tests fail, fix only the failing area.
+
+---
+
+## 8. Git / Diff Discipline
+
+Before final response:
+
+* Summarize changed files.
+* Summarize tests run.
+* Mention any tests not run.
+* Mention any known limitations.
+* Do not claim something works unless it was tested.
+
+---
+
+## 9. These Guidelines Are Working If
+
+* Diffs are small.
+* No unnecessary files are touched.
+* No speculative systems are added.
+* Tests exist for new behavior.
+* Clarifying questions happen before wrong implementation.
+* Runewall grows one safe layer at a time.

runewall-1.0.0/CHANGELOG.md

@@ -0,0 +1,58 @@
+# Changelog
+
+## Unreleased
+
+- Pending changes for the next release.
+
+## v1.0.0
+
+- Stable release after rc1 validation.
+- No new features or behavior changes from rc1.
+
+## v1.0.0-rc1
+
+- Release candidate hardening.
+- Public README and announcement polish.
+- Install, quickstart, packaging, and release checklist docs stabilized.
+- No new runtime features.
+
+## v0.9.0
+
+- Added PyPI/public packaging readiness.
+- Added local build artifact verification.
+
+## v0.8.6
+
+- Pending release checklist polish.
+
+## v0.8.4
+
+- Added release checklist command.
+- Added release checklist documentation.
+- Added packaging/release workflow guidance.
+
+## v0.8.3
+
+- Added local packaging documentation.
+- Documented local wheel and sdist build flow.
+
+## v0.8.2
+
+- Added package build readiness check.
+
+## v0.8.1
+
+- Added package readiness status.
+
+## v0.8.0
+
+- Added public README, install, quickstart, and demo polish.
+- Added 60-second local demo.
+
+## v0.7.3
+
+- Polished community package verify docs.
+
+## v0.7.0
+
+- Added community package verify command.

runewall-1.0.0/CONTRIBUTING.md

@@ -0,0 +1,33 @@
+# Contributing
+
+Runewall is a local-first, open-source, CLI-first project. Please keep contributions small, focused, and easy to review.
+
+## Local workflow
+
+Run tests before commit:
+
+```bash
+python -m pytest tests -v
+```
+
+Run release checks:
+
+```bash
+runewall config profile safe
+runewall release check
+runewall release json-check
+```
+
+Maps must pass strict lint:
+
+```bash
+runewall maps lint --strict
+```
+
+## Project guardrails
+
+- do not print, store, or log tokens
+- do not add browser automation, Playwright, a dashboard, TypeScript, or a hosted backend unless that work is explicitly scheduled
+- keep diffs small and directly related to the task
+- add tests for CLI behavior when changing CLI behavior
+- prefer local-first behavior and safe defaults

runewall-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Runewall Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

runewall-1.0.0/PKG-INFO

@@ -0,0 +1,206 @@
+Metadata-Version: 2.4
+Name: runewall
+Version: 1.0.0
+Summary: Local-first runtime for logging and protecting agent actions.
+Author: Runewall Contributors
+License-Expression: MIT
+License-File: LICENSE
+Keywords: agents,ai,cli,rollback,sqlite
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.10
+Requires-Dist: beautifulsoup4>=4.12
+Requires-Dist: httpx>=0.27
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# Runewall
+
+[![Python 3.13](https://img.shields.io/badge/python-3.13-blue.svg)](https://www.python.org/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+![Local-first](https://img.shields.io/badge/local--first-yes-lightgrey.svg)
+![CLI-first](https://img.shields.io/badge/cli--first-yes-lightgrey.svg)
+![MCP-ready](https://img.shields.io/badge/MCP-ready-orange.svg)
+![Tests](https://img.shields.io/badge/tests-local-blueviolet.svg)
+
+Runewall is a local-first safety/runtime layer for AI agents before they take real-world actions.
+
+## Why Runewall?
+
+Agents are moving from answering to acting. Once agents touch files, APIs, tools, or external systems, developers need a boundary layer that can preview actions, explain policy decisions, block risky behavior, log what happened, and rollback where possible.
+
+## What is it?
+
+Runewall is a local-first CLI and developer tool that sits between an agent and a real action. It helps you inspect what an agent is about to do before you let it touch the outside world.
+
+## Why does it matter?
+
+When agents move beyond chat and start acting on files, services, and tools, mistakes get more expensive. A local safety/runtime layer gives you a clearer review point before that action happens.
+
+## Architecture flow
+
+`Agent -> Runewall -> policy check -> dry-run -> review/execute/block -> log/audit`
+
+## How do I try it?
+
+Start with the five-minute quickstart below, or run the 60-second local demo in [demos/README.md](demos/README.md).
+
+## What Runewall can do now
+
+- CLI-first safety runtime
+- dry-run before mutation
+- local SQLite action log
+- `policy explain`, `policy test`, and `policy audit`
+- snapshots and rollback
+- guarded real execution for selected services
+- local MCP stdio surface
+- Python SDK preview
+- community map package verification
+
+## 5-minute quickstart
+
+```powershell
+python -m pip install -e ".[dev]"
+runewall version
+runewall config profile safe
+runewall policy audit
+runewall act github create_issue --dry-run --json --input repo=user/repo --input title="Bug"
+runewall maps community package verify examples/community-maps --json
+runewall mcp status --json
+runewall sdk status --json
+```
+
+What this gives you:
+
+- confirms the CLI is installed
+- applies safe local defaults
+- audits current policy settings
+- previews a mapped action without mutating anything
+- verifies a local community package without importing it
+- shows local MCP status
+- shows local SDK status
+
+## Status
+
+Runewall is currently a local-first CLI/devtool with:
+
+- core safety runtime
+- MCP stdio surface
+- Python SDK preview
+- community package verification
+
+## Safe by default
+
+- real execution is disabled by default
+- dry-run does not call external APIs
+- tokens only come from environment variables
+- tokens are never printed, stored, or logged
+- community maps are non-executable
+- package verify does not import or execute maps
+- no hosted backend is required
+
+## What is not included yet?
+
+- hosted service
+- dashboard
+- remote registry
+- real signature verification
+- community map execution
+
+## Install
+
+See [docs/INSTALL.md](docs/INSTALL.md) for Windows PowerShell-first setup.
+
+## Install status
+
+- local editable install is supported
+- PyPI publishing is future work
+- use [docs/INSTALL.md](docs/INSTALL.md) for setup
+- see [docs/PACKAGING.md](docs/PACKAGING.md) for local packaging notes
+- `runewall package pypi-check` is a local readiness check only
+- `runewall package dist-check` is a local artifact presence check only
+
+## Quickstart
+
+See [docs/QUICKSTART.md](docs/QUICKSTART.md) for a safe first walkthrough.
+
+## Demo
+
+See [demos/README.md](demos/README.md) for a 60-second local-only, token-free demo.
+
+## 60-second demo
+
+Run the local demo with:
+
+```powershell
+.\demos\runewall_60_second_demo.ps1
+```
+
+It shows:
+
+- version
+- safe profile
+- policy audit
+- dry-run
+- community package verify
+- MCP status
+- SDK status
+
+## MCP
+
+Runewall includes a local MCP stdio surface for agent safety checks.
+
+```powershell
+runewall mcp status
+runewall mcp serve --once
+runewall mcp serve
+```
+
+See [docs/MCP_CLIENT_EXAMPLES.md](docs/MCP_CLIENT_EXAMPLES.md) for more MCP examples.
+
+## Python SDK preview
+
+```python
+from runewall.sdk import policy_test, dry_run
+
+print(policy_test("map.execute"))
+print(dry_run("github", "create_issue", {"repo": "user/repo", "title": "Bug"}))
+```
+
+- `runewall sdk status`
+- `runewall sdk status --json`
+- SDK is local-only
+- `execute` is not exposed yet
+- `dry_run` does not call external APIs
+
+## Community package verify
+
+Use community package verify as the recommended local gate before community map import or review.
+
+```powershell
+runewall maps community package verify examples/community-maps
+runewall maps community package verify examples/community-maps --json
+```
+
+Verify checks manifest validation, SHA-256 checksums, signing status, trusted key status, and execution safety posture.
+
+Verify does not import maps, execute maps, download remote files, or call external APIs.
+
+## More docs
+
+- [docs/INSTALL.md](docs/INSTALL.md)
+- [docs/PACKAGING.md](docs/PACKAGING.md)
+- [docs/QUICKSTART.md](docs/QUICKSTART.md)
+- [docs/ROADMAP.md](docs/ROADMAP.md)
+- [demos/README.md](demos/README.md)
+- [docs/COMMUNITY_MAPS.md](docs/COMMUNITY_MAPS.md)
+- [docs/PYTHON_SDK_EXAMPLES.md](docs/PYTHON_SDK_EXAMPLES.md)

runewall-1.0.0/README-START-HERE.md

@@ -0,0 +1,42 @@
+# Runewall Starter Folder
+
+Open this folder in VS Code and ask Codex to build one slice at a time.
+
+Start with this prompt:
+
+```text
+You are building Runewall.
+
+Read:
+- brain/runewall-brain-bundle.md
+- brain/runewall-technical-spec.md
+
+Build ONLY the initial Python package skeleton from the technical spec.
+
+Do not build dashboard.
+Do not build Playwright/browser translation.
+Do not build maps yet.
+Do not build TypeScript yet.
+Do not add extra features.
+
+Create:
+- pyproject.toml
+- LICENSE with MIT
+- README.md placeholder
+- runewall/__init__.py
+- runewall/core/__init__.py
+- runewall/core/models.py
+- runewall/core/db.py
+- runewall/core/log.py
+- runewall/cli/__init__.py
+- runewall/cli/main.py
+- tests/conftest.py
+- tests/core/test_log.py
+
+Goal:
+- `runewall init` creates `.runewall/runewall.db`
+- SQLite schema includes actions, snapshots, rules, checkpoints
+- A test can create an Action, save it, and list it back
+
+Keep the implementation small, clean, typed, and tested.
+```