hematite-cli 0.8.1

Senior SysAdmin, Network Admin, Data Analyst, and Software Engineer living in your terminal. A high-precision local AI agent harness for LM Studio, Ollama, and other local OpenAI-compatible runtimes that runs 100% on your own silicon. Reads repos, edits files, runs builds, inspects full network state and workstation telemetry, and runs real Python/JS for data analysis.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528

# Hematite Prompt Library

A collection of prompts designed to get the most out of Hematite's native capabilities. Copy and paste these directly into the input field.

---

## Workstation Health and Diagnostics

**Full workstation audit**
> "Audit my workstation: check for malfunctioning hardware (Yellow Bangs), show me the BIOS and virtualization DNA, and run a disk benchmark on the current binary."

**Environment doctor**
> "Run an environment doctor on this machine. I want to see PATH health, package manager states, and any dev environment conflicts like Node or Python version ambiguity."

**Device and driver triage**
> "Audit my workstation: check for malfunctioning PnP devices, list active kernel drivers, and show me everything set to run at startup."

**Disk benchmark**
> "Run an I/O intensity report on the binary in `target/release`. Report the average and max disk queue depth and give me a verdict: LIGHT / MODERATE / CRITICAL."

**System health report**
> "Give me a health report on this machine — disk, RAM, tools, and recent error events. Flag anything that needs action."

**Security posture**
> "Check my security posture: Defender state, last scan age, firewall profiles, Windows activation, and UAC level."

**Silicon Deep-Sense**
> "How's my silicon health looking? I want to see real-time GPU clocks, power draw, fan speed, and high-fidelity CPU frequency averages."
> *(Triggers Zero-Shot Redirection to: overclocker)*

**Crash and reboot history**
> "Show me any BSOD or unexpected shutdown events from the last week, and tell me if a reboot is currently pending and why."

**Application crash triage**
> "What applications have been crashing on this machine? Show me the faulting module and exception code for each."

**Per-app crash history**
> "Has Chrome been crashing recently? Show me the faulting module and exception code."
> *(Hematite calls: `inspect_host(topic='app_crashes', process='chrome.exe')`)*

**WER archive and crash frequency**
> "How many Windows Error Reporting archives do I have, and which application crashes the most?"

---

## Network Admin

**Connectivity triage**
> "Check my internet connectivity, Wi-Fi signal strength, and VPN status. If I'm on a VPN, tell me which adapter is handling the tunnel."

**Network map**
> "Show me my routing table, ARP table, and DNS cache. Map out the devices this machine is currently aware of on the local network."

**Open ports and active connections**
> "Show me all listening TCP and UDP ports with their owning processes, and list any established outbound connections."

**DNS and proxy audit**
> "Show me my configured DNS nameservers per adapter and any system proxy settings — WinHTTP, Internet Options, and environment variables."

**Plain-English DNS lookup**
> "What is the IP address of google.com"

**A record lookup**
> "Show me the A record for github.com"

**Browser health**
> "Check browser health on this machine. Tell me if Chrome, Edge, Firefox, or WebView2 look broken, bloated, or policy-constrained."

**Browser policy or proxy interference**
> "Check whether browser policy or proxy settings are interfering with web apps."

**Outlook health**
> "Check Outlook health on this machine."

**Outlook slowness or crash triage**
> "Why is Outlook so slow or broken?"

**Outlook profiles, OST/PST, and add-in audit**
> "Audit Outlook profiles, OST/PST files, and add-in pressure."

**Teams health**
> "Check Teams health on this machine."

**Teams slowness or crash triage**
> "Why is Microsoft Teams so slow or broken?"

**Teams cache and device audit**
> "Audit Teams cache size, WebView2 dependency, and audio/video device binding."

**Windows backup health**
> "Is this machine being backed up?"

**Windows backup status and restore points**
> "Check Windows backup health — File History, wbadmin last backup, and System Restore status."

**Full backup posture audit**
> "Show me my File History configuration, last wbadmin backup, available System Restore points, and whether OneDrive Known Folder Move is protecting my Desktop and Documents."

**Hyper-V VM inventory**
> "List all virtual machines on this machine with their state, RAM, and CPU usage."

**Hyper-V health check**
> "Check Hyper-V health — VM states, network switches, and any checkpoints I should clean up."

**Hyper-V RAM pressure**
> "How much RAM are my VMs using compared to my host machine's physical memory?"

**Firewall rules**
> "List all active inbound firewall rules that allow traffic. Flag anything that looks non-default."

**Traceroute**
> "Trace the network path to 8.8.8.8 and tell me where the latency spikes are."

**Latency and reachability**
> "Check ping RTT and packet loss to my gateway, Cloudflare, and Google DNS. Flag anything unreachable or high latency."

**NIC diagnostics**
> "Audit my network adapter settings — link speed, offload capabilities (LSO/RSS/checksum), error counters, and wake-on-LAN state."

**DHCP lease**
> "Show me my DHCP lease details — which server assigned my IP, when does it expire, and what DNS servers did it hand me?"

**MTU and fragmentation**
> "Check my MTU settings per adapter and run a path MTU discovery test to 8.8.8.8. I think VPN fragmentation is causing issues."

**IPv6 status**
> "Show my IPv6 addresses — am I using SLAAC or DHCPv6? Check for a global unicast address and tell me if privacy extensions are enabled."

**TCP tuning**
> "Show TCP autotuning level, congestion provider, and ECN state on this machine."

**Saved WiFi profiles audit**
> "List all saved wireless profiles with their authentication type. Flag anything using WEP or open auth."

**IPSec tunnel state**
> "Check for active IPSec security associations and IKE tunnel state. Is the Policy Agent service running?"

---

## Developer Tooling

**Toolchain inventory**
> "Show me all installed developer tools with versions — Rust, Node, Python, Go, Docker, Git, and anything else you detect."

**Git config audit**
> "Audit my global git config: identity, signing, push/pull defaults, credential helper, and any local repo overrides."

**Docker state**
> "Show me my Docker daemon state, running containers, local images, and any active Compose projects."

**Database detection**
> "Detect any running local database engines on this machine — PostgreSQL, MySQL, MongoDB, Redis, SQLite, SQL Server, and others."

**SSH inventory**
> "Show me my SSH client version, sshd state, what's in `~/.ssh`, and any host entries in `~/.ssh/config`."

**Dev environment conflicts**
> "Check this machine for cross-tool environment conflicts: Node version managers, Python 2/3 ambiguity, conda shadowing, Rust toolchain path issues, and duplicate PATH entries."

---

## Sandboxed Code Execution

**Verify a calculation**
> "Compute the compound interest on $10,000 at 4.5% annual rate compounded monthly for 3 years. Use `run_code` — do not guess."

**SHA-256 hash**
> "Compute the SHA-256 hash of the string 'Hematite' using the Web Crypto API."

**Date arithmetic**
> "How many days are between 2024-03-15 and 2026-09-01? Run the code and give me the exact number."

**Regex verification**
> "Test this regex against these five strings and tell me which ones match: [your regex here]. Run the actual code."

**Algorithm check**
> "Write and run a quicksort implementation in JavaScript, sort this array: [5, 2, 8, 1, 9, 3], and return the sorted result."

**Hardware-aware implementation**
> "Check the virtualization DNA of this machine before generating this sandbox-heavy execution logic. Make sure the execution timeout reflects the current system load."

---

## Coding and Repo Work

**Read-only architecture trace**
> "Read-only mode. Trace exactly how a user message travels from TUI input to the model and back. Name real channels, functions, and file references — do not guess."

**Targeted implementation**
> "Read-only mode first. Inspect `src/agent/conversation.rs` around the tool dispatch loop, then propose the minimal change needed to [describe goal]."

**Proof before edit**
> "/code Read `src/ui/tui.rs` lines 1–50, then make the following change: [describe change]. Verify the build after."

**Architect then implement**
> "/architect Redesign [component] so that [goal]. Give me a plan with target files, ordered steps, verification, and risks before touching any code."
> *(After reviewing the plan, run:)* `/implement-plan`

**Code review — read only**
> "/ask Review `src/agent/inference.rs`. Identify any error paths that silently swallow errors, any retry logic that could loop indefinitely, and any place where context could be corrupted. Do not propose edits — just report."

**Git workflow**
> "Show me the diff of everything uncommitted, summarize what changed and why it matters, then write a conventional commit message for it."

**Branch audit**
> "Check the current branch state: uncommitted changes, commits ahead of main, and whether anything looks risky to merge. Use `repo_doctor`."

**LSP diagnostics**
> "/lsp — then read the active diagnostic errors and tell me which ones are real bugs versus noise, and which file is the highest priority to fix."

**Performance verification**
> "Implement [feature], then run a disk benchmark to verify it hasn't introduced significant disk queue spikes compared to the baseline."

**Fix plan**
> "I'm seeing [describe error or symptom]. Run a fix plan — inspect the relevant machine state first, then give me a numbered remediation checklist grounded in what you actually observe."

---

## Session and Memory

**Session handoff**
> "Summarize the key decisions and open questions from the last few sessions. What is the current working focus?"

**Retrieve past decisions**
> "Search session memory for any architectural decisions we made about [topic]. I want the reasoning, not just the outcome."

**Find past bugs**
> "Search session memory for any reported bugs or problems related to [component]. Did we resolve them or are they still open?"

**Imported knowledge retrieval**
> "Analyze the imported chat history in `.hematite/imports`. Are there any recurring patterns or unresolved bugs across sessions?"

**Workspace profile**
> "/workspace-profile"

**Vein memory inspection**
> "/vein-inspect"

**View active behavioral rules**
> "/rules view"

**Edit project-wide rules**
> "/rules edit shared — then add simplicity-first and surgical-edit guidelines"

**Edit personal local rules**
> "/rules edit — personal overrides, gitignored, apply on next turn"

**Repo doctor**
> "Run a repo doctor on this workspace. Check git status, uncommitted changes, branch state, remote tracking, and whether the build files look healthy."

---

## Think Mode

**Complex architectural trade-off**
> "/think Should [component A] own [responsibility] or should it live in [component B]? Walk me through the trade-offs — coupling, testability, context cost — before recommending."

**Multi-step debugging**
> "/think I'm seeing [symptom] only under [condition]. Think through what execution paths could produce this — don't jump to a fix until you've ruled out at least three causes."

**Design review**
> "/think Read `src/agent/conversation.rs` and `src/agent/inference.rs`. Is the current ownership boundary between them correct, or is there cohesion that belongs in one file bleeding into the other?"

**Risk assessment before a big change**
> "/think Before we refactor [component], think through what could go wrong: hidden callers, shared state, serialisation format changes, test coverage gaps. Give me a risk list."

---

## Document and Image Attachments

**Attach a spec or doc**
> *(Press `Ctrl+O` or type)* `/attach path/to/spec.pdf`
> "I've attached a spec. Read it and tell me which parts map to existing code in this repo and which parts are not yet implemented."

**Attach a PDF that's failing extraction**
> "The PDF I need to reference has custom fonts that break text extraction. I'll send it as an image instead."
> *(Then press `Ctrl+I` or type)* `/image path/to/screenshot.png`

**Screenshot a bug**
> *(Press `Ctrl+I` or type)* `/image path/to/screenshot.png`
> "This is a screenshot of the error I'm seeing. Read it and tell me what's wrong."

**Architecture diagram**
> *(Attach diagram image, then:)*
> "I've attached an architecture diagram. Map the components in it to actual files in this repo."

---

## Worktree

**Isolated feature branch**
> "/worktree feature/my-new-feature — set up an isolated worktree so I can work on this without touching main."

**Safe experiment**
> "/worktree experiment/try-this-refactor — I want to try a destructive refactor without risking the main working tree."

---

## MCP Server and Privacy Gateway

*These prompts are for operators running `hematite --mcp-server` from a cloud agent like Claude Desktop.*

**Quick start — Claude Desktop config**
> Add to `~/.claude/claude_desktop_config.json`:
> ```json
> { "mcpServers": { "hematite": { "command": "hematite", "args": ["--mcp-server"] } } }
> ```
> Then ask Claude: "Use hematite to show me a full workstation health report."

**Enterprise mode — Tier 1 regex redaction**
> Start with: `hematite --mcp-server --edge-redact`
> Then ask Claude: "Run a network audit — adapters, connectivity, DNS, and any active VPN."
> *(Usernames, MACs, serials, and hostnames are stripped before Claude sees the output.)*

**Enterprise mode — Tier 2 semantic redaction**
> Start with: `hematite --mcp-server --semantic-redact`
> Then ask Claude: "Check the health of this machine and give me a plain-English verdict."
> *(The local model produces an anonymous diagnostic summary first; Tier 1 runs after as a safety net.)*

**Block sensitive topics via policy file**
> Create `.hematite/redact_policy.json`:
> ```json
> { "blocked_topics": ["user_accounts", "credentials", "audit_policy"] }
> ```
> Any blocked topic returns a policy error to the cloud model — the inspection never runs.

**Per-topic redaction level**
> Create `.hematite/redact_policy.json`:
> ```json
> { "topic_redaction_level": { "network": "semantic", "hardware": "regex", "storage": "regex" } }
> ```
> Network output goes through the local model summarizer; others use fast regex only.

**Whitelist mode — only allow safe topics**
> ```json
> { "allowed_topics": ["processes", "services", "ports", "connectivity", "disk_health"] }
> ```
> Only these five topics are served; all others return a policy block error.

**Read the audit trail**
> After running in `--edge-redact` or `--semantic-redact` mode:
> "Read `~/.hematite/redact_audit.jsonl` and tell me which topics produced the most substitutions and whether the semantic shrink ratios look healthy."

---

## Windows Admin Deep-Dives

**Storage overview**
> "Show me all drives with capacity and usage bars, flag any developer cache directories that are growing large, and give me the current real-time disk queue depth."

**BitLocker and encryption**
> "Check BitLocker status on all drives — protection state, encryption percentage, and any volumes that are unprotected."

**Certificates audit**
> "List my local personal certificates with subjects, thumbprints, and expiry dates. Flag anything expiring within 30 days."

**Shadow copies and restore points**
> "Show me my VSS snapshot history, storage allocation for shadow copies, and recent system restore points."

**Page file and virtual memory**
> "Show me the page file configuration, current usage, and peak usage. Tell me if the sizing looks healthy relative to my RAM."

**RDP and remote access**
> "Check whether RDP is enabled on this machine, what port it's on, whether NLA is required, and whether the firewall rule is active."

**Shares and SMB**
> "Show me every SMB share this machine is exposing, flag any non-admin custom shares, and tell me whether SMB1 is enabled."

**User accounts and sessions**
> "List all local user accounts, their enabled state, last logon, and which ones are in the Administrators group. Also show me any active logon sessions."

**Audit policy**
> "Show me which Windows audit policy categories are currently logging Success or Failure events. Flag if nothing is being audited."

**Scheduled tasks**
> "List all non-disabled scheduled tasks with their last run time and executable path. Flag anything that looks non-standard."

**Installed software**
> "Show me all installed programs on this machine with versions. Flag anything that looks outdated or unexpected."

---

## Teacher Mode

**Driver install walkthrough**
> "/teach How do I install a specific device driver on Windows without breaking anything? Inspect the machine state first."

**WSL setup**
> "/teach Walk me through setting up WSL2 and installing Ubuntu on this machine."

**SSH key generation**
> "/teach How do I generate an SSH key, add it to ssh-agent, and configure it for GitHub on this machine?"

**Firewall rule**
> "/teach Show me how to create an inbound Windows Firewall rule to allow traffic on port 8080."

**Service configuration**
> "/teach How do I configure a Windows service to restart automatically on failure? Inspect what's currently running first."

---

## SysAdmin & Network Engineering

**NTFS Permissions Audit**
> "Audit the permissions for the Downloads folder and tell me if any non-admin users have write access."

**Authentication & Login History**
> "Who logged into this machine over the last 48 hours? Flag any failed logon attempts if you find them."

**Network Share Accessibility**
> "Can I reach the network share `\\backup-server\archives` right now? Test connectivity and readability."

**Persistence & Security Audit**
> "Audit my registry for persistence hijacks (IFEO, Winlogon Shell, BootExecute) and verify if any debuggers are attached to system processes."

**Accurate Resource Telemetry**
> "Which processes are using the most CPU % right now? Show me real-time Task Manager style metrics, not cumulative seconds."

**Network Throughput (Rate-based)**
> "Show me my current network throughput in Mbps for the active adapter. I want to see the current RX/TX rate, not just totals since boot."

**Full network stack triage**
> "Run a complete network stack triage: latency to gateway and internet, DHCP lease status, MTU per adapter, DNS nameservers, and active TCP connections."
> *(Harness pre-runs: latency, dhcp, mtu, dns_servers, connections)*

**IPv6 deep-dive**
> "Give me a full IPv6 diagnostic: addresses per adapter, SLAAC vs DHCPv6, default gateway, privacy extension state, and any tunnel adapters."
> *(Harness runs: ipv6)*

**TCP stack health**
> "Audit TCP stack settings: autotuning level, congestion algorithm, ECN capability, chimney offload, and dynamic port range."
> *(Harness runs: tcp_params)*

**Wireless security audit**
> "Audit all saved wireless profiles for weak authentication (WEP, open). Show me what's currently connected and at what signal strength."
> *(Harness runs: wlan_profiles, wifi)*

**VPN and tunnel audit**
> "Check for active VPN adapters, IPSec security associations, and IKE tunnel state. Is anything tunneling traffic right now?"
> *(Harness runs: vpn, ipsec)*

**Time-Windowed Log Analysis**
> "Show me all System errors from the Event Log that occurred in the last 4 hours."
> "Show me Event ID 4625 failures from the Security log in the last 24 hours."
> "Search the System log for Event ID 7034 service crashes in the last 6 hours."

**Microsoft 365 Identity Audit**
> "Check Microsoft 365 sign-in health on this machine."
> "Audit token broker, Web Account Manager, and device registration."
> "Why won't Outlook sign in and why does Teams keep asking me to authenticate?"

**Diagnostic Analysis and Performance**
> "Why is my laptop slow? Check if it is overheating, throttling, under heavy I/O pressure, or if my silicon clocks are fluctuating."
> *(Harness automatically runs: thermal, resource_load, storage, overclocker)*

**Licensing & Patch Audit**
> "Is my Windows license valid? Check activation status and license details."
> "What changed in the last 48 hours? Show me the patch history and recently installed hotfixes (KBs)."

---

## IT Pro Plus Diagnostics

**Active Directory User Identity Investigation**
> "Analyze this domain user identity: show me their SID, enabled status, password expiration date, and all group memberships. Flag if the account is expired or disabled."
> *(Harness runs: ad_user)*

**Service Discovery via DNS SRV/MX**
> "Perform a high-precision DNS lookup for our domain controllers and mail servers. I want to see the SRV, MX, and TXT records to verify service discovery is working correctly."
> *(Harness runs: dns_lookup)*

**Hyper-V VM Inventory and Load**
> "Audit my local Hyper-V environment: list all virtual machines, their current execution state, uptime, and real-time CPU/Memory load stats."
> *(Harness runs: hyperv)*

**Precision Network Triage (IP/DHCP)**
> "Give me a deep-dive IP configuration report for all active adapters. I need to see DHCP server addresses, lease acquisition/expiry times, and any secondary IP aliases."
> *(Harness runs: ip_config)*

**Service Account Audit**
> "List all running Windows services and tell me which service accounts they are logging on as. Flag any services running as actual local users instead of System/NetworkService/LocalService."
> *(Harness refined: services)*

**Scheduled Task Failure Triage**
> "Audit all scheduled tasks. I want to see the Last Run Time and the numeric Result Code for each. Flag any task that has a non-zero exit result."
> *(Harness refined: scheduled_tasks)*

**High-Performance Silicon Audit**
> "Run a high-fidelity silicon performance audit. I need the 2-second average for CPU clock stability and deep NVIDIA metrics for voltage and power limits."
> *(Harness runs: overclocker)*

---

## Swarm

**Multi-file refactor**
> "/swarm Rename the `loop_intervention` field to `turn_injection` across all files in `src/agent/`. Each worker should handle one file."

**Parallel diagnostics**
> "/swarm Run a read-only audit of the top five architecturally important files in this repo. Each worker should summarize one file's role and flag anything that looks out of place."

---

## Research and Technical Verification

**Latest version and breaking changes**
> "What is the latest version of `tokio`? Search for the major breaking changes since v1.30 and tell me if my current project is affected."

**SysAdmin troubleshooting (Event ID)**
> "Search for Event ID 7034 on Windows 11. Are there any recent reports of this being linked to a specific Windows Update (KB) or driver release? Inspect my recent logs first."

**Network security triage**
> "Search for recent security vulnerabilities or CVEs related to `nginx` v1.24. Then audit my current config and running services to see if I'm at risk."

**"Are you sure?" Technical Verification**
> "I'm about to apply this change to the registry: [describe change]. Search for any reports of this causing system instability, boot loops, or performance regressions on Windows 11 before we proceed."

**API grounding (Are you sure?)**
> "Are you sure this is the correct way to call the `aws-sdk-rust` S3 client in v1? Search for the latest online documentation and verify the syntax before we edit the file."

**Technical concept grounding (2024/2025 specs)**
> "Explain the latest HTTP/3 prioritization specifications based on 2024 RFC drafts. Don't answer from training data—search for the authoritative source first."

**Framework issue discovery**
> "I'm seeing `Error: [message]` in my Next.js project. Search for any recent GitHub issues or tech blogs discussing this specific error since the last major release."

**Release tracking**
> "Search for the last 3 releases of the Rust compiler and summarize the key features and 'ready for prime time' stabilized features in each."