car-server-core 0.24.1

Transport-neutral library for the CAR daemon JSON-RPC dispatcher (used by car-server and tokhn-daemon)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

//! Built-in coding agent ("CAR Coder").
//!
//! The user states an intent; the coder turns it into a **verifiable outcome
//! contract** (shell commands that must pass), gets it confirmed, then works in
//! a throwaway **git worktree** until every check is green — natively (CAR
//! inference + policy-gated tools) or by delegating to an installed external
//! CLI (Claude Code, Codex, Gemini), with CAR re-running the contract either
//! way. Results are published as a `car/coder/<id>` branch in the user's repo;
//! the user's checkout is never touched.
//!
//! ## Module map
//!
//! - [`contract`] — `OutcomeContract` derivation (inference, repair loop) and
//!   evaluation (runs checks through the policy-gated shell tool)
//! - [`session`] — session state machine, event stream (`CoderEvent`), JSON
//!   snapshots under `~/.car/coder/`
//! - [`shell_tool`] — `WorktreeExecutor`: file tools + a host `shell` tool,
//!   all rooted/clamped at the worktree and gated by the inspector chain
//! - [`policy`] — the coder inspector set (no pushes, no privilege escalation,
//!   no writes outside the worktree, …)
//! - [`native_loop`] — the plan→edit→verify→repair loop driving CAR inference
//! - [`router`] — engine selection between the native loop and external CLIs
//! - [`merge`] — squash-commit the worktree and publish a branch in the repo
//!
//! ## Security boundary (read this before extending)
//!
//! The shell tool executes on the **host** with the daemon's privileges and
//! (deliberately) the real toolchain + network. The inspector chain blocks the
//! known-dangerous verbs (git push, sudo, destructive ops outside the
//! worktree, credential reads) and the executor pins the working directory to
//! the worktree — but this is policy hardening, **not a sandbox**: a model
//! determined to misbehave can, e.g., pipe curl to sh inside the worktree.
//! The hard stops are the contract confirmation gate before any work starts
//! and the merge approval gate before anything reaches the user's repo.

#[cfg(test)]
mod bench;
pub mod config;
pub mod contract;
pub mod declarative;
pub mod external_loop;
pub mod foreman_loop;
pub mod rpc;
pub mod merge;
pub mod native_loop;
pub mod policy;
pub mod project;
pub mod router;
pub mod session;
pub mod shell_tool;
pub mod skill_memory;

pub use config::{config_path, CoderConfig, DEFAULT_MAX_ITERATIONS};
pub use contract::{evaluate_contract, ContractCheck, CheckResult, OutcomeContract};
pub use external_loop::{run_external_loop, ExternalLoopConfig};
pub use merge::{commit_to_main, publish_branch};
pub use project::{
    list_projects, resolve_or_create_project, slugify, CoderProject, ProjectKind,
};
pub use native_loop::{run_native_loop, LoopOutcome, NativeLoopConfig};
pub use router::{detect_ready_agents, resolve_engine, DetectedAgent, EngineChoice, ResolvedEngine};
pub use session::{
    adopt_orphaned_sessions, default_state_dir, AdoptionOutcome, CancelFlag, CoderEvent,
    CoderEventKind, CoderSession, CoderState, EventEmitter, EventSink,
};
pub use shell_tool::WorktreeExecutor;
pub use skill_memory::{FailureSignature, RepairMemory};