Module shim 

The $PATH shim adapter.

When a directory of symlinks (rm, git, terraform, …) all pointing at the kintsugi-shim binary is prepended to $PATH, every matching shell-out lands here first. The shim:

1. recovers the command name from argv[0] (or argv[1] if invoked directly),
2. captures argv + cwd into a ProposedCommand tagged agent = "shim",
3. asks the daemon for a Verdict and enforces it, then
4. on allow, execs the real binary so exit code, stdio, and signals are forwarded with perfect fidelity (on Unix the shim becomes the real process).

Fail-open by default (record-but-don’t-block when the daemon is down), which matches the honest guarantee — “nothing unrecoverable”, not “nothing un-warned”. Set KINTSUGI_FAIL_CLOSED=1 to block instead.

Constants

EXIT_BLOCKED

Exit code used when Kintsugi refuses to run a command (mirrors shell “cannot execute”: 126).

EXIT_NOT_FOUND

Exit code when the real binary cannot be found (mirrors shell 127).

Functions

resolve_real_binary

Resolve the real binary for name by walking $PATH, skipping the shim’s own directory and any entry that resolves back to the shim itself.

run

Entry point for the kintsugi-shim binary.