hematite-cli 0.5.4

Local AI coding harness for LM Studio with TUI, voice, retrieval, and grounded workstation tooling
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325

//! Sandboxed code execution tool.
//!
//! Lets the model write and run code in a restricted subprocess — no network,
//! no filesystem escape, hard timeout. Supports JavaScript/TypeScript (Deno)
//! and Python. Neither runtime is bundled; we detect what's available and
//! report clearly when nothing is found.

use serde_json::Value;
use std::io::Write;
use std::process::{Command, Stdio};
use std::time::Duration;

const DEFAULT_TIMEOUT_SECS: u64 = 10;
const MAX_TIMEOUT_SECS: u64 = 60;
const MAX_OUTPUT_BYTES: usize = 16_384; // 16 KB — enough for any reasonable script result

pub async fn execute(args: &Value) -> Result<String, String> {
    let language = args
        .get("language")
        .and_then(|v| v.as_str())
        .unwrap_or("javascript")
        .to_lowercase();

    let code = args
        .get("code")
        .and_then(|v| v.as_str())
        .ok_or("Missing required argument: 'code'")?;

    let timeout_secs = args
        .get("timeout_seconds")
        .and_then(|v| v.as_u64())
        .unwrap_or(DEFAULT_TIMEOUT_SECS)
        .min(MAX_TIMEOUT_SECS);

    match language.as_str() {
        "javascript" | "typescript" | "js" | "ts" => run_deno(code, timeout_secs),
        "python" | "python3" | "py" => run_python(code, timeout_secs),
        other => Err(format!(
            "Unsupported language: '{}'. Supported: javascript, typescript, python.",
            other
        )),
    }
}

/// Run code via Deno with strict permission flags.
/// Uses stdin so no temp file is needed.
fn run_deno(code: &str, timeout_secs: u64) -> Result<String, String> {
    let deno = find_deno().ok_or_else(|| {
        "Deno not found. Hematite checks (in order): settings.json `deno_path`, \
         LM Studio's bundled copy (~/.lmstudio/.internal/utils/deno.exe), system PATH. \
         To install Deno globally: `winget install DenoLand.Deno` (Windows) or see https://deno.com. \
         Or set `deno_path` in .hematite/settings.json to point to any Deno binary."
            .to_string()
    })?;

    let mut child = Command::new(&deno)
        .args([
            "run",
            "--allow-read=.",  // workspace only
            "--allow-write=.", // workspace only
            "--deny-net",      // no outbound network
            "--deny-sys",      // no OS info
            "--deny-env",      // no environment variable access
            "--deny-run",      // no spawning other processes
            "--deny-ffi",      // no native library calls (FFI escape vector)
            "--no-prompt",     // never ask for permissions interactively
            "-",               // read from stdin — no temp file needed
        ])
        .env("NO_COLOR", "true") // clean output, no ANSI codes in results
        .stdin(Stdio::piped())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .spawn()
        .map_err(|e| format!("Failed to spawn Deno: {e}"))?;

    write_stdin(&mut child, code)?;
    collect_output(child, "deno", timeout_secs)
}

/// Run code via Python with network and subprocess access blocked at env level.
/// Python has no built-in permission flags like Deno, so we restrict the
/// environment and use a short timeout as the primary safety net.
fn run_python(code: &str, timeout_secs: u64) -> Result<String, String> {
    let python = find_executable(&["python3", "python"])
        .ok_or_else(|| "Python is not installed or not on PATH.".to_string())?;

    let child = Command::new(&python)
        .args([
            "-c",
            // Wrap the code: block network imports and dangerous builtins before running.
            &wrap_python(code),
        ])
        .stdin(Stdio::null())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        // Strip PATH so the script can't find other executables easily
        .env_clear()
        .env("PYTHONDONTWRITEBYTECODE", "1")
        .env("PYTHONIOENCODING", "utf-8")
        .spawn()
        .map_err(|e| format!("Failed to spawn Python: {e}"))?;

    collect_output(child, "python", timeout_secs)
}

/// Wraps the user's Python in a minimal sandbox: blocks socket, subprocess,
/// os.system, and __import__ to prevent the most obvious escapes.
fn wrap_python(code: &str) -> String {
    format!(
        r#"
import sys

# Block network access
import socket as _socket
_socket.socket = None  # type: ignore

# Block subprocess and os.system
import os as _os
_os.system = lambda *a, **k: (_ for _ in ()).throw(PermissionError("os.system blocked in sandbox"))
_popen_orig = _os.popen
_os.popen = lambda *a, **k: (_ for _ in ()).throw(PermissionError("os.popen blocked in sandbox"))

# Block __import__ for subprocess
_real_import = __builtins__.__import__ if hasattr(__builtins__, '__import__') else __import__
def _safe_import(name, *args, **kwargs):
    if name in ('subprocess', 'multiprocessing', 'pty', 'telnetlib', 'ftplib', 'smtplib', 'http', 'urllib', 'requests', 'httpx'):
        raise ImportError(f"Module '{{name}}' is blocked in the sandbox.")
    return _real_import(name, *args, **kwargs)
import builtins
builtins.__import__ = _safe_import

# Run the actual code
exec(compile(r"""{code}""", "<sandbox>", "exec"))
"#,
        code = code.replace(r#"""""#, r#"\" \" \""#)
    )
}

fn write_stdin(child: &mut std::process::Child, code: &str) -> Result<(), String> {
    let mut stdin = child
        .stdin
        .take()
        .ok_or("Failed to open stdin for sandbox process")?;
    stdin
        .write_all(code.as_bytes())
        .map_err(|e| format!("Failed to write to sandbox stdin: {e}"))?;
    drop(stdin); // signal EOF so the process starts
    Ok(())
}

fn collect_output(
    child: std::process::Child,
    runtime: &str,
    timeout_secs: u64,
) -> Result<String, String> {
    let timeout = Duration::from_secs(timeout_secs);
    let start = std::time::Instant::now();

    // Poll with wait_with_output — use a thread so we can enforce a timeout.
    let output = std::thread::scope(|s| {
        let handle = s.spawn(|| child.wait_with_output());
        loop {
            if start.elapsed() >= timeout {
                return Err(format!(
                    "Sandbox timeout: process exceeded {}s and was killed.",
                    timeout_secs
                ));
            }
            std::thread::sleep(Duration::from_millis(50));
            if handle.is_finished() {
                return handle
                    .join()
                    .map_err(|_| "Sandbox thread panicked.".to_string())?
                    .map_err(|e| format!("Failed to collect {runtime} output: {e}"));
            }
        }
    })?;

    let stdout = truncate(
        &String::from_utf8_lossy(&output.stdout),
        MAX_OUTPUT_BYTES / 2,
    );
    let stderr = truncate(
        &String::from_utf8_lossy(&output.stderr),
        MAX_OUTPUT_BYTES / 2,
    );

    if output.status.success() {
        if stdout.trim().is_empty() && stderr.trim().is_empty() {
            Ok("(no output)".to_string())
        } else if stderr.trim().is_empty() {
            Ok(stdout)
        } else {
            Ok(format!("{stdout}\n[stderr]\n{stderr}"))
        }
    } else {
        let code = output
            .status
            .code()
            .map(|c| c.to_string())
            .unwrap_or_else(|| "?".to_string());
        Err(format!(
            "Exit code {code}\n{}\n{}",
            stdout.trim(),
            stderr.trim()
        ))
    }
}

fn truncate(s: &str, max: usize) -> String {
    if s.len() <= max {
        s.to_string()
    } else {
        format!("{}\n... [truncated]", &s[..max])
    }
}

/// Locate Deno with a priority-ordered search:
/// 1. `deno_path` in .hematite/settings.json (explicit user pin)
/// 2. Standard deno install location (~/.deno/bin/deno.exe)
/// 3. WinGet package location (winget doesn't always add to PATH correctly)
/// 4. System PATH via where/which
/// 5. LM Studio's bundled copy — automatic fallback for all LM Studio users
fn find_deno() -> Option<String> {
    // 1. settings.json override
    let config = crate::agent::config::load_config();
    if let Some(path) = config.deno_path {
        if std::path::Path::new(&path).exists() {
            return Some(path);
        }
    }

    let exe = if cfg!(windows) { "deno.exe" } else { "deno" };

    // 2. Standard deno install path (deno's own installer puts it here)
    if let Ok(home) = std::env::var("USERPROFILE").or_else(|_| std::env::var("HOME")) {
        let standard = std::path::Path::new(&home)
            .join(".deno")
            .join("bin")
            .join(exe);
        if standard.exists() {
            return Some(standard.to_string_lossy().into_owned());
        }
    }

    // 3. WinGet package location — winget installs Deno here but doesn't always
    //    wire PATH correctly for non-PowerShell processes
    if cfg!(windows) {
        if let Ok(local_app) = std::env::var("LOCALAPPDATA") {
            let winget_base = std::path::Path::new(&local_app)
                .join("Microsoft")
                .join("WinGet")
                .join("Packages");
            if let Ok(entries) = std::fs::read_dir(&winget_base) {
                for entry in entries.flatten() {
                    let name = entry.file_name();
                    if name.to_string_lossy().starts_with("DenoLand.Deno") {
                        let candidate = entry.path().join("deno.exe");
                        if candidate.exists() {
                            return Some(candidate.to_string_lossy().into_owned());
                        }
                    }
                }
            }
        }
    }

    // 4. System PATH
    let check = if cfg!(windows) {
        Command::new("where").arg("deno").output()
    } else {
        Command::new("which").arg("deno").output()
    };
    if let Ok(out) = check {
        if out.status.success() {
            // Use the resolved path, not just "deno", to avoid shim ambiguity
            let resolved = String::from_utf8_lossy(&out.stdout)
                .trim()
                .lines()
                .next()
                .unwrap_or("deno")
                .to_string();
            return Some(resolved);
        }
    }

    // 5. LM Studio bundled copy — last resort
    find_lmstudio_deno()
}

/// Find the first available executable from a list of candidates.
fn find_executable(candidates: &[&str]) -> Option<String> {
    for name in candidates {
        let check = if cfg!(windows) {
            Command::new("where").arg(name).output()
        } else {
            Command::new("which").arg(name).output()
        };
        if check.map(|o| o.status.success()).unwrap_or(false) {
            return Some(name.to_string());
        }
    }
    None
}

/// Returns the path to Deno bundled inside LM Studio's internal utils folder.
/// LM Studio ships Deno at `~/.lmstudio/.internal/utils/deno[.exe]` on all platforms.
fn find_lmstudio_deno() -> Option<String> {
    let home = std::env::var("USERPROFILE")
        .or_else(|_| std::env::var("HOME"))
        .ok()?;

    let exe = if cfg!(windows) { "deno.exe" } else { "deno" };
    let path = std::path::Path::new(&home)
        .join(".lmstudio")
        .join(".internal")
        .join("utils")
        .join(exe);

    if path.exists() {
        Some(path.to_string_lossy().into_owned())
    } else {
        None
    }
}