{"id":51246622,"url":"https://github.com/arthurpanhku/dvalincode","last_synced_at":"2026-07-02T09:01:18.675Z","repository":{"id":363990293,"uuid":"1244737953","full_name":"arthurpanhku/dvalincode","owner":"arthurpanhku","description":"Local-first CLI agent for coding workflows. Provider-neutral, zero runtime deps, typed tools. Named after Dvalin, the Nordic myth dwarven smith.","archived":false,"fork":false,"pushed_at":"2026-06-30T05:58:22.000Z","size":7588,"stargazers_count":45,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-06-30T06:12:28.295Z","etag":null,"topics":["ai","ai-agent","claude","cli","coding-agent","coding-assistant","deepseek","developer-tools","llm","local-first","ollama","terminal","tui","typescript"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arthurpanhku.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":"docs/governance/AI-CHANGE-IMPACT-ASSESSMENT.md","roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-20T14:48:17.000Z","updated_at":"2026-06-30T05:58:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/arthurpanhku/dvalincode","commit_stats":null,"previous_names":["arthurpanhku/dvalincode"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/arthurpanhku/dvalincode","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurpanhku%2Fdvalincode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurpanhku%2Fdvalincode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurpanhku%2Fdvalincode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurpanhku%2Fdvalincode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arthurpanhku","download_url":"https://codeload.github.com/arthurpanhku/dvalincode/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurpanhku%2Fdvalincode/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35040024,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-02T02:00:06.368Z","response_time":173,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-agent","claude","cli","coding-agent","coding-assistant","deepseek","developer-tools","llm","local-first","ollama","terminal","tui","typescript"],"created_at":"2026-06-29T05:00:20.540Z","updated_at":"2026-07-02T09:01:18.668Z","avatar_url":"https://github.com/arthurpanhku.png","language":"TypeScript","funding_links":[],"categories":["Terminal-native coding agents"],"sub_categories":["Open Source"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.png\" alt=\"DvalinCode\" width=\"480\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eEnglish\u003c/b\u003e · \u003ca href=\"README.zh-CN.md\"\u003e中文\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/arthurpanhku/dvalincode/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/arthurpanhku/dvalincode?style=for-the-badge\u0026color=818cf8\u0026label=Release\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/arthurpanhku/dvalincode/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/downloads/arthurpanhku/dvalincode/total?style=for-the-badge\u0026color=blue\u0026label=Downloads\" alt=\"Downloads\"\u003e\u003c/a\u003e\n  \u003ca href=\"#-tests\"\u003e\u003cimg src=\"https://img.shields.io/badge/Tests-183%20%2F%20183%20%E2%9C%93-success?style=for-the-badge\" alt=\"Tests\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-green?style=for-the-badge\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://scorecard.dev/viewer/?uri=github.com/arthurpanhku/dvalincode\"\u003e\u003cimg src=\"https://api.scorecard.dev/projects/github.com/arthurpanhku/dvalincode/badge\" alt=\"OpenSSF Scorecard\"\u003e\u003c/a\u003e\n  \u003ca href=\"#-quick-install\"\u003e\u003cimg src=\"https://img.shields.io/badge/Platforms-macOS%20·%20Windows%20·%20Linux-blue?style=for-the-badge\" alt=\"Platforms\"\u003e\u003c/a\u003e\n  \u003ca href=\"#-providers\"\u003e\u003cimg src=\"https://img.shields.io/badge/LLM-OpenAI%20·%20Claude%20·%20DeepSeek%20·%20Ollama%20·%20Groq-7C3AED?style=for-the-badge\" alt=\"LLM Support\"\u003e\u003c/a\u003e\n  \u003ca href=\"README.zh-CN.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/i18n-EN%20·%20中文-orange?style=for-the-badge\" alt=\"English / 中文\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eThe approvable coding agent for regulated teams.\u003c/b\u003e\u003cbr\u003e\n  \u003cb\u003eBuilt for finance, healthcare, and security-sensitive engineering where AI coding must be controllable, transparent, and auditable.\u003c/b\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003e🔑 Any model · local-first · policy-bound · audit-ready — the agent your security team can actually approve.\u003c/b\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  Bring your own model — DeepSeek, OpenAI, Claude (via OpenRouter), Groq, Ollama, or any OpenAI-compatible endpoint. Switch with one click, no code changes, no lock-in.\n\u003c/p\u003e\n\n---\n\n## ⏱️ 60 seconds to proof\n\nDon't take the claims on trust — verify them on your own machine:\n\n```sh\ncurl -fsSL https://raw.githubusercontent.com/arthurpanhku/dvalincode/main/scripts/install.sh | bash\ndvalincode trust\n```\n\n`trust` prints this install's **live security posture**: the resolved org policy and its hash, per-boundary network enforcement (provider · shell · MCP), and the tamper-evident audit status — the exact evidence a security reviewer needs, straight from the tool itself.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/cli-trust.gif\" alt=\"dvalincode trust — live security posture under an org policy\" width=\"100%\"\u003e\n\u003c/p\u003e\n\nThen let the agent work, and prove what it did after the fact:\n\n```sh\ndvalincode report verify    # re-derive the hash chain of the last run's audit log\n```\n\n---\n\n\u003ctable\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🗨️ Chat mode\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eRead-only Q\u0026A with one-click prompt templates — explain a codebase, find TODOs, review changes, write tests. The agent can read files and search, but never writes.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e👥 Cowork mode\u003c/b\u003e\u003c/td\u003e\u003ctd\u003ePlan-then-execute. The agent drafts a numbered plan, you click \u003cb\u003eProceed\u003c/b\u003e, and every file write asks for explicit approval — with an inline red/green diff before you say yes.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e⚡ Code mode\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eAutonomous agent with full tool access. Run tests, type-check, build, lint — one click via the \u003cb\u003eRoutines\u003c/b\u003e panel. macOS shell calls run inside a \u003ccode\u003esandbox-exec\u003c/code\u003e profile with network denied.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🏦 Regulated teams\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eDesigned for finance, healthcare, security-sensitive SaaS, and internal platform teams that need AI coding under policy, audit, data minimization, and supply-chain review — not just developer convenience.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🛡️ Secure remediation\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eRun a local security scan or import SARIF from CodeQL, GitHub Code Scanning, Semgrep, or compatible scanners, then create an isolated remediation worktree and turn findings into focused repair tasks with source context and PR-ready reporting. \u003ca href=\"docs/SECURE-REMEDIATION.md\"\u003eWorkflow →\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e📚 Skills\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eUpload, download, and inspect local skill bundles. DvalinCode ships built-in secure-code-scan and secure-code-remediation skills, plus agent tools for listing skills, reading skill instructions, scanning, listing cases, and preparing remediation worktrees. \u003ca href=\"docs/SKILLS.md\"\u003eFormat →\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🛡️ Audit trail\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eEvery run emits a tamper-evident, hash-chained JSONL log — every file read/written, every command, every approval. A Run Report renders it as Markdown; \u003ccode\u003edvalincode report verify\u003c/code\u003e proves the chain is intact. \u003ca href=\"docs/AUDIT-TRAIL.md\"\u003eThreat model →\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🔒 Org policy \u0026amp; \u003ccode\u003etrust\u003c/code\u003e\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eA company — not the developer — bounds the agent. A \u003ccode\u003edvalin.policy.json\u003c/code\u003e constrains modes, shell commands, file paths, tools, and models; a repo policy can only ever \u003ci\u003enarrow\u003c/i\u003e the machine-level one, never widen it. Each run records the governing policy's hash. \u003ccode\u003edvalincode trust\u003c/code\u003e prints the install's live security posture — active policy + hashes, audit status, runtime — so a reviewer can verify it directly. \u003ca href=\"docs/APPROVABILITY-PLAN.md\"\u003eApprovability plan →\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🏛️ Governance evidence\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eOpenSSF Scorecard, CodeQL, Dependabot, pinned GitHub Actions, CODEOWNERS, and ISO/IEC 42001 AIMS alignment docs are maintained as reviewable project evidence. \u003ca href=\"docs/security/OPENSSF-SCORECARD.md\"\u003eScorecard map →\u003c/a\u003e · \u003ca href=\"docs/governance/ISO-42001-AIMS.md\"\u003eISO 42001 alignment →\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🖥️ First-class GUI\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eModern web UI with code highlighting, file \u003ccode\u003e@\u003c/code\u003e-references, \u003ccode\u003e/\u003c/code\u003e slash commands, Git branch indicator, live token + cost counter, multi-profile LLM config, and a dark / light / system theme switcher.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🖥️ Terminal or web — one binary\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eRun it bare for an interactive \u003cb\u003eterminal agent\u003c/b\u003e (like Claude Code — streaming, inline approvals, red/green diffs), or \u003ccode\u003edvalincode serve\u003c/code\u003e to host the \u003cb\u003eweb GUI\u003c/b\u003e for browser/remote use. Both frontends drive the same agent core.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🪶 Zero-dependency binary\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eSingle ~25MB executable per platform. No Node, no Python, no Docker.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e🔐 Local-first\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eSessions, config, profiles, and audit logs live in \u003ccode\u003e~/.dvalincode/\u003c/code\u003e. \u003ccode\u003e.dvalincodeignore\u003c/code\u003e blocks the agent from reading sensitive files. \u003ccode\u003eAGENTS.md\u003c/code\u003e in your repo becomes persistent project instructions.\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003e\u003cb\u003e💾 Portable \u0026 exportable\u003c/b\u003e\u003c/td\u003e\u003ctd\u003eExport \u003cb\u003eall\u003c/b\u003e local data (memory, sessions, config, audit) to one file and import it on another machine — your setup moves with you. Any conversation downloads as a clean \u003cb\u003eMarkdown\u003c/b\u003e transcript.\u003c/td\u003e\u003c/tr\u003e\n\u003c/table\u003e\n\n---\n\n## 🎯 Core Goal\n\n\u003e **Make AI coding approvable for regulated and security-sensitive teams.**\n\nDvalinCode is built as an **approvable agent runtime**, not just another coding\nagent app. The core product is not only \"AI writes code\"; it is the evidence a\nsecurity, compliance, or platform team needs to safely allow AI coding in\nfinancial services, healthcare, internal enterprise platforms, and other\nconfidential codebases.\n\n- **Any model** — every OpenAI-compatible endpoint is a first-class citizen, local models included. Your workflow should never be hostage to one vendor's pricing, rate limits, or quality swings.\n- **Safe by default** — three-tier approvals with diff preview, an undo stack, and sandboxed shell execution. An agent you can trust on full-auto.\n- **Small enough to audit** — one ~25MB binary, a handful of runtime dependencies, a codebase you can read in a weekend. Trust through inspection, not promises. As of v0.5, **every agent run is auditable too**: a tamper-evident, hash-chained log of every action, verifiable after the fact.\n- **Open enough to embed** — the agent core speaks a clean REST + WebSocket API, ready to be wired into your own product, CI, or internal tools.\n- **Approvable by any company** — governance is built in, not bolted on. An org policy bounds the blast radius (**controllable**), `dvalincode trust` makes the posture self-verifiable (**transparent**), and the hash-chained log proves what every run did (**auditable**). Those three together are exactly what a security review needs to say yes — and what cloud, closed, mutable-log agents structurally struggle to provide. [Approvability plan →](docs/APPROVABILITY-PLAN.md)\n\nThe bundled **web GUI is the runtime's reference implementation and showcase** — the first consumer of that public API, demonstrating everything the runtime can do.\n\n---\n\n## ✅ Why Teams Pick DvalinCode\n\nDvalinCode is differentiated by **approvability**. It is built for teams that\nneed AI coding to pass security, compliance, and data-governance review before\nit can touch production repositories.\n\n- **Closed-loop secure remediation** — scan locally or import SARIF from\n  CodeQL, GitHub Code Scanning, Semgrep, or compatible scanners; persist\n  findings as local remediation cases; create an isolated\n  `dvalin/remediate/...` worktree; then send a focused repair prompt with\n  source context and verification instructions.\n- **Skills as governed operating procedures** — upload, download, and inspect\n  local skill bundles. Built-in secure scanning and remediation skills tell\n  agents which tools to use and keep workflows portable across machines.\n- **Model freedom without policy drift** — use DeepSeek, OpenAI, Claude via\n  OpenRouter, Groq, Ollama, or any OpenAI-compatible endpoint while keeping\n  tool permissions, audit, and workspace policy consistent.\n- **Security evidence, not just security claims** — OpenSSF Scorecard support,\n  CodeQL, Dependabot, pinned Actions, CODEOWNERS, ISO/IEC 42001 alignment docs,\n  AI change-impact records, and hash-chained run logs are part of the project.\n- **Local-first by default** — sessions, config, profiles, memory, and audit\n  logs stay under `~/.dvalincode/`; `.dvalincodeignore` and policy controls\n  bound what the agent can read, write, or execute.\n\n---\n\n## 🛡️ Security \u0026 Governance\n\nDvalinCode maintains project-level governance evidence for open-source and\nenterprise review. This is the differentiator for teams where AI coding must\npass security approval before it can reach production repositories:\n\n- **Threat model** — the full attack surface of an agentic coding runtime\n  (malicious `AGENTS.md`, poisoned MCP servers, prompt-injection escalation,\n  egress, audit tampering, supply chain, sandbox escape), each mapped to the\n  control that defends it and the honest residual gap. [Threat model →](docs/THREAT-MODEL.md)\n- **OpenSSF Scorecard support** — scheduled Scorecard workflow, SARIF upload,\n  CodeQL, Dependabot, CODEOWNERS, least-privilege workflow permissions, and\n  SHA-pinned GitHub Actions. [Control map →](docs/security/OPENSSF-SCORECARD.md)\n- **ISO/IEC 42001 alignment** — an AI management system scope, AI policy, role\n  map, risk register, AI change classification, required records, and review\n  cadence. [AIMS alignment →](docs/governance/ISO-42001-AIMS.md)\n- **AI change impact assessment** — a reusable template for changes that affect\n  model/provider behavior, prompts, permissions, tools, audit logs, or release\n  security. [Template →](docs/governance/AI-CHANGE-IMPACT-ASSESSMENT.md)\n- **Regulated-use posture** — local-first data handling, policy-controlled\n  autonomy, minimized audit records, and release supply-chain evidence for\n  finance, healthcare, security-sensitive SaaS, and internal enterprise use.\n- **Secure remediation workflow** — local scan and SARIF import turn built-in,\n  CodeQL, GitHub Code Scanning, Semgrep, and compatible scanner findings into\n  local remediation cases and isolated worktree repair tasks with source\n  context and verification/reporting instructions.\n  [Workflow →](docs/SECURE-REMEDIATION.md)\n\nThese documents are implementation evidence and operating procedures; they do\nnot claim third-party ISO certification.\n\n---\n\n## ⭐ What's New in v0.9.0 — 🛡️ Secure remediation · Skills · CodeQL hardening\n\n- **🛡️ Secure remediation workflow** — run a built-in local scan or import SARIF\n  from CodeQL, GitHub Code Scanning, Semgrep, and compatible scanners; findings\n  become local remediation cases with source context, verification guidance, and\n  isolated worktree repair tasks.\n- **📚 Skills** — upload, download, inspect, and reuse local skill bundles.\n  DvalinCode now ships built-in secure-code-scan and secure-code-remediation\n  skills, plus agent tools for listing skills, reading instructions, scanning,\n  listing remediation cases, and preparing remediation worktrees.\n- **🔐 CodeQL path hardening** — user-controlled workspace, remediation, and\n  skill paths now go through explicit root-containment checks, with regression\n  tests covering traversal-safe resolution and skill import boundaries.\n- **🎨 App icons** — dark and light theme application icons now ship with the web\n  bundle and desktop build inputs.\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.8.0 — 🔒 Governance: controllable · transparent · auditable\u003c/summary\u003e\n\n- **🔒 Org policy** — a `dvalin.policy.json` lets a *company*, not the developer, bound the agent: which modes, shell commands, file paths, tools, and models are allowed. Two layers (machine `~/.dvalincode/policy.json` + repo) resolve by **narrowing** — a repo policy can only ever make the machine policy stricter, never widen it. With no policy file, behavior is identical to before. Enforced at a single chokepoint; every denial is an inline `⛔ Blocked by policy` plus a `policy_violation` audit event.\n- **🔎 `dvalincode trust`** — prints this install's live security posture in one command — active policy + source hashes, audit status, runtime, dependencies — so a reviewer can verify what the agent may and may not do directly, instead of taking claims on trust. `--json` for tooling.\n- **🧾 Policy-aware audit** — every run records the hash of the governing policy (and which files contributed) in `run_start`, so the tamper-evident log proves *which* rules were in force.\n- **📐 Approvability plan** — the through-line is documented in [docs/APPROVABILITY-PLAN.md](docs/APPROVABILITY-PLAN.md): make DvalinCode trivially approvable by any company — controllable, transparent, auditable.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.7.0 — 🧪 Desktop app (beta)\u003c/summary\u003e\n\n- **🧠 Portable memory \u0026 full data export/import** — the upgraded local memory mechanism, plus every session, config, profile, and audit log, can now be bundled into a single file and restored on another machine. Migrate your whole setup in one step: `dvalincode export` / `dvalincode import`, or the **Export / Import** buttons in the GUI Settings panel.\n- **📝 Download any AI interaction as Markdown** — every conversation can be saved as a clean Markdown transcript (user turns, assistant replies, tool calls + results, decisions — all inline). Use the download icon on any session in the sidebar, `dvalincode session md \u003cid\u003e`, or `GET /api/sessions/:id/markdown`.\n- **🖥️ Native desktop app** — a real application window (not a browser tab) over the same engine: `DvalinCode.app` on macOS, plus Windows/Linux builds. Built with [webview-bun](https://github.com/tr1ckydev/webview-bun) using the OS-native webview (WKWebView / WebView2 / WebKitGTK) — no Electron, stays a small self-contained binary.\n- **🧩 A third frontend, one core** — the desktop app, terminal UI, and web GUI all drive the same shared turn-runner. The current `dvalincode` binary is now positioned purely as the **CLI** (terminal + `serve`).\n- **Status:** the desktop binaries are **experimental / unverified** — grab them from the latest **pre-release** and please report how the window behaves on your OS.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.6.0 — terminal agent · \u003ccode\u003eserve\u003c/code\u003e · shared turn-runner\u003c/summary\u003e\n\n- **🖥️ Terminal agent** — run `dvalincode` bare for an interactive terminal coding agent, Claude-Code-style: streaming responses, inline `[y/N]` write approvals with red/green diffs, `/mode` · `/clear` · `/git` · `/plan` · `/compact` · `/undo` · `/help`, Ctrl-C to interrupt, and a guided first-run provider setup. Defaults to read-only **Chat**, switchable live.\n- **🌐 `dvalincode serve`** — the web GUI now lives behind a command, so the *same* binary deploys headless on a server: `dvalincode serve --host 0.0.0.0 --no-open`.\n- **🧩 One engine, two frontends** — the terminal UI and web GUI both drive a shared, transport-agnostic turn-runner (`src/agent/session.ts`), keeping them at feature parity.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.5.0 — security-grade audit trail · Run Report · theme switcher\u003c/summary\u003e\n\n- **🛡️ Security-grade audit trail** — every Cowork/Code run writes a tamper-evident, hash-chained JSONL log to `~/.dvalincode/audit/` (`run_start`, every `tool_call` / `file_*` / `shell_exec` / `approval`, `run_end`). The hash chain makes any after-the-fact edit detectable. No local coding agent ships verifiable behavior logs. [Format + threat model →](docs/AUDIT-TRAIL.md)\n- **📋 Run Report + `dvalincode report` CLI** — a Markdown summary of each run (files read/changed, commands, decisions, test result), rendered as a collapsible card in the GUI and from the CLI:\n  ```sh\n  dvalincode report --last           # render the most recent run\n  dvalincode report \u003crun-id\u003e --format json\n  dvalincode report verify \u003crun-id\u003e  # ✓ chain intact / ✗ broken at seq N\n  ```\n- **🎨 Theme switcher** — choose **dark / light / system** in Settings. `system` follows your OS live; the choice persists across sessions.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.4.0 — \u003ccode\u003e/compact\u003c/code\u003e · \u003ccode\u003edvalin.json\u003c/code\u003e team playbook · self-contained binaries\u003c/summary\u003e\n\n- **`/compact`** — LLM-based context compaction: replaces conversation history with a structured five-section summary (Goal / Completed / Decisions / Current State / Pending). A divider in the chat thread shows the token reduction (e.g. `8,412 → 1,203 tokens −85%`).\n- **`dvalin.json` team playbook** — commit a shared set of automation prompts to your repo. The sidebar loads them automatically and lets teammates run the same one-click routines without any manual setup. Export button converts your personal routines to `dvalin.json` in one click.\n- **Self-contained binaries** — single ~25 MB executable per platform; no Node, no Python, no Docker. Auto-opens your browser on launch. Built with `bun --compile` so the web UI is bundled alongside the server binary.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ev0.3.0 — Mode-aware sidebar · one-line installer · multi-profile LLM config\u003c/summary\u003e\n\n- **Mode-aware sidebar** — Chat shows quick-prompt **Templates**, Cowork shows a **Projects** folder tree, Code shows custom **Routines** (one-click commands like \"Run tests\" / \"Git status\" / \"Type check\"). Add your own routines from the sidebar — they persist in `localStorage`.\n- **One-line installer** — `curl … | bash` auto-detects your OS + arch, drops the binary into `~/.dvalincode/`, and patches your `PATH`. No package manager dependencies.\n- **Multi-profile LLM config** — save named (provider, model, API key) sets and switch in one click from the sidebar; live per-session cost counter in the topbar so you can compare providers on the fly.\n\n\u003c/details\u003e\n\n---\n\n## 📸 Preview\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/hero.png\" alt=\"DvalinCode UI\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n**Switching modes — each mode has its own sidebar:**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/modes.gif\" alt=\"Mode switching\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n**Slash commands \u0026 file references in the composer:**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/slash.gif\" alt=\"Slash commands and @ file references\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n### 🔒 Governance, from the command line\n\n**`dvalincode trust` — the install's live security posture (resolved policy, per-boundary enforcement, audit status) that a security review can read directly:**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/cli-trust.gif\" alt=\"dvalincode trust — live security posture under an org policy\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n**Tamper-evident audit — every agent run is a hash-chained, minimized report you can verify offline:**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/cli-audit.gif\" alt=\"dvalincode report verify — tamper-evident audit trail and run report\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n**Project intelligence — `dvalincode scan` maps the workspace before the agent touches it:**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/cli-scan.gif\" alt=\"dvalincode scan — project intelligence\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n---\n\n## 🆚 When to choose DvalinCode\n\n| If you need… | DvalinCode's answer |\n|---|---|\n| **An agent your security team can approve** | Policy-bound tools, explicit approval modes, `dvalincode trust`, audit logs, OpenSSF evidence, and ISO/IEC 42001 alignment docs. |\n| **AI coding for regulated repositories** — finance, healthcare, enterprise data, customer-confidential code | Local-first runtime, bring-your-own-model, `.dvalincodeignore`, governed egress, and minimized audit records. |\n| **A safer alternative to generic autonomous coding agents** | The product thesis is controllable / transparent / auditable, not only \"the model can edit files\". |\n| **Cline / Cursor** — IDE-locked, huge install, privacy concerns | Zero-dep binary (~25 MB). Runs anywhere, no IDE required. macOS shell is sandboxed by default — network denied, writes capped to `cwd`. |\n| **Claude Code / Aider** — pure terminal, diff output is a wall of text, env setup is painful | CLI start → auto-opens a modern Web UI with code highlighting and red/green diff approval. One install command, nothing else needed. |\n| **Any cloud agent** — vendor lock-in, rate limits, can't use a local model | Every OpenAI-compatible endpoint is a first-class citizen. Run Ollama with Qwen2.5-Coder: no key, no internet, no per-token cost. |\n| **Any agent** — new teammate can't reproduce your AI setup, routines are stuck in your IDE | `AGENTS.md` committed to the repo ships AI context to every clone. `dvalin.json` ships the team's automation commands the same way — export from the sidebar, commit, done. |\n\n---\n\n## 🚀 Quick Install\n\n### macOS / Linux (one-liner)\n\n```sh\ncurl -fsSL https://raw.githubusercontent.com/arthurpanhku/dvalincode/main/scripts/install.sh | bash\n```\n\nDetects your OS + arch, downloads the right binary, installs to `~/.dvalincode/`, and adds it to your `PATH`. After reload:\n\n```sh\nsource ~/.zshrc    # or ~/.bashrc\ndvalincode                       # interactive terminal agent (like Claude Code)\ndvalincode serve                 # start the web GUI, open the browser\ndvalincode serve --host 0.0.0.0 --no-open   # host it on a server for remote/browser use\n```\n\n### Windows\n\nDownload `dvalincode-v*-windows-x64.zip` from [Releases](https://github.com/arthurpanhku/dvalincode/releases/latest), unzip, then double-click `start.bat`.\n\n### Manual download\n\nGrab the archive for your platform from the [Releases page](https://github.com/arthurpanhku/dvalincode/releases/latest):\n\n| Platform | Archive |\n|---|---|\n| macOS Apple Silicon (M1/M2/M3) | `dvalincode-v*-macos-arm64.tar.gz` |\n| macOS Intel | `dvalincode-v*-macos-x64.tar.gz` |\n| Windows x64 | `dvalincode-v*-windows-x64.zip` |\n| Linux ARM64 | `dvalincode-v*-linux-arm64.tar.gz` |\n| Linux x64 | `dvalincode-v*-linux-x64.tar.gz` |\n\nVerify against `SHA256SUMS.txt` (included in each release).\n\n\u003e **macOS Gatekeeper:** binaries are unsigned. On first run, either clear the quarantine flag with `xattr -dr com.apple.quarantine ~/.dvalincode`, or right-click the binary in Finder → Open → confirm.\n\n---\n\n## 🎬 First-time setup\n\n**Terminal (default):** run `dvalincode`. On first launch it walks you through a one-time provider setup (pick a provider, paste your API key, choose a model) and saves it to `~/.dvalincode/config.json`. Then you're at the prompt — type to chat, `/mode` to switch between Chat / Cowork / Code, `/help` for commands.\n\n**Web GUI:** run `dvalincode serve` and:\n\n1. The server starts on `http://localhost:3000` and your browser opens automatically.\n2. Click **LLM Configuration** in the sidebar (bottom-left).\n3. Pick a provider, paste your API key, choose a model, hit **Save**.\n4. Optional: save the current config as a named profile (e.g. `fast`, `cheap`, `local-ollama`) to switch quickly later.\n\nBoth share the same config and sessions in `~/.dvalincode/`.\n\n---\n\n## ✨ Features\n\n| Category | Feature | Notes |\n|---|---|---|\n| **Modes** | Chat / Cowork / Code | Each with a distinct sidebar (Templates / Projects / Routines) and tool-access policy |\n| **Code permissions** | Ask Permissions / Plan Mode / Auto Mode / Bypass permissions | Verified behavior: Ask requests approval before writes/commands, Plan is read-only and does not write files, Auto runs operations automatically, Bypass runs without confirmation prompts |\n| **Workspaces** | Open folder / Import Git / Add worktree | Cowork and Code can switch to a local folder, clone a Git project, or create a Git worktree from the UI |\n| **Governance** | OpenSSF Scorecard / ISO 42001 AIMS alignment | Scorecard, CodeQL, Dependabot, pinned Actions, AI impact assessment, risk register, and review cadence are documented under `docs/security/` and `docs/governance/` |\n| **Secure remediation** | Local scan / SARIF import / case queue / remediation worktree | Code mode can scan common local risks, import SARIF findings, persist local cases, and create isolated `dvalin/remediate/...` worktrees with repair prompts |\n| **Skills** | Upload / download / built-in security skills | Skills live under `~/.dvalincode/skills`; built-ins guide security scanning and remediation with dedicated agent tools. [Format →](docs/SKILLS.md) |\n| **Composer** | `@` file references | Type `@` for a fuzzy file search; selected files get inlined into the prompt |\n| | `/` slash commands | `/clear` `/compact` `/git` `/plan` `/undo` `/help` |\n| | Multiline + interrupt | \u003ckbd\u003eShift\u003c/kbd\u003e+\u003ckbd\u003eEnter\u003c/kbd\u003e for newline, stop button to abort mid-stream |\n| **Tool UI** | Inline diffs | `edit_file` and `write_file` results render as red/green unified diff, default folded |\n| | Approval dialog with diff | Cowork mode shows the diff *before* the change is applied |\n| | Live tool counter + token + cost | Topbar shows session totals in real time |\n| **Agent** | LLM-based context compaction | `/compact` summarises into Goal / Completed / Decisions / Pending |\n| | Persistent undo stack | `/undo [N]` reverses the last N tool calls |\n| | Run Report | Markdown summary per run (files, commands, decisions, test result) — GUI card + `dvalincode report` |\n| | Git awareness | Branch name in topbar; `git_status` tool; git context auto-injected into prompt |\n| | `AGENTS.md` project memory | Per-repo persistent instructions, auto-loaded each turn |\n| **Security** | Tamper-evident audit trail | Hash-chained JSONL per run in `~/.dvalincode/audit/`; `dvalincode report verify` detects edits |\n| | macOS shell sandbox | `sandbox-exec` denies network; allows writes only inside cwd + `/tmp` |\n| | `.dvalincodeignore` | gitignore-style exclusion; blocks `read_file` / `list_files` / `search_text` |\n| | Per-action approval | Approve/deny each write / delete / shell call in Cowork mode |\n| **Appearance** | Theme switcher | Dark / light / system, persisted; `system` follows the OS live |\n| **Providers** | OpenAI-compatible endpoints | DeepSeek · OpenAI · Groq · OpenRouter · Ollama · custom |\n| | Multi-profile config | Save and switch between named (provider, model, API key) sets |\n| **Sessions** | Auto-save + restore | All sessions persisted to `~/.dvalincode/sessions/` as JSON |\n| | LLM summary memory | Cross-session summary keeps the agent oriented after restart |\n| **Memory** | Local user/project memory | Searchable facts, preferences, and decisions in `~/.dvalincode/memory/`; import from Claude/Hermes/Markdown |\n| **Data portability** | Export / import all data | One bundle of memory + sessions + config + audit — `dvalincode export` / `import`, or GUI Settings → Export / Import |\n| | Markdown transcript | Download any conversation as Markdown — sidebar download icon, `dvalincode session md \u003cid\u003e`, or `/api/sessions/:id/markdown` |\n\n---\n\n## ⌨️ Slash Commands\n\n| Command | Description |\n|---|---|\n| `/clear` | Clear the current conversation (client-side, starts a fresh session) |\n| `/compact` | LLM-based context compaction — replaces history with a structured summary |\n| `/undo [N]` | Reverse the last N tool calls (default 1) |\n| `/git` | Run `git_status` and show branch, recent commits, changed files |\n| `/plan \u003ctask\u003e` | Ask the agent to plan the task step-by-step *without* executing |\n| `/help` | Show all available slash commands |\n\n---\n\n## 🛠️ Architecture\n\n```\n┌───────────────────────────┐   ┌─────────────────────────┐\n│  Terminal UI (readline)   │   │  Browser GUI (React/Vite)│\n│  streaming · approvals    │   │  ChatThread · DiffViewer │\n└─────────────┬─────────────┘   └────────────┬────────────┘\n              │ in-process          HTTP / WebSocket\n              │                ┌───────────────▼─────────────┐\n              │                │  Express + ws server         │\n              │                │  /api/* · `dvalincode serve` │\n              │                └───────────────┬─────────────┘\n              └──────────────┬─────────────────┘\n┌────────────────────────────▼────────────────────────────┐\n│  runAgentTurn — shared turn-runner (src/agent/session)   │\n│  provider · prompt (mode · git · AGENTS.md) · session    │\n└────────────────────────────┬────────────────────────────┘\n                             │\n┌────────────────────────────▼────────────────────────────┐\n│                    Agent Engine                          │\n│  AgentLoop (8-state machine) → AgentRunner              │\n│  Streaming · Interrupt · Undo stack · LLM compaction    │\n│  run_start / run_end → AuditSink (hash-chained JSONL)   │\n└──────────────────────────┬──────────────────────────────┘\n                           │ run()\n┌──────────────────────────▼──────────────────────────────┐\n│  ToolRegistry — Zod schemas + permission gating         │\n│  + audit taps: tool_call · file_* · shell_exec          │\n│  read_file · list_files · search_text · git_status ·    │\n│  write_file · edit_file · delete_file · shell           │\n└─────────────────────────────────────────────────────────┘\n```\n\n### Agent Loop — 8 States\n\n```\nRESTORE → COMPACT → COMMAND → BUILD → RUN → SAVE → RESPOND → DONE\n```\n\n1. **RESTORE** — Load session from `~/.dvalincode/sessions/`\n2. **COMPACT** — If context near the limit, compress history (LLM summary)\n3. **COMMAND** — Handle built-in slash commands\n4. **BUILD** — Assemble system prompt (mode prompt + project + git + AGENTS.md)\n5. **RUN** — Delegate to `AgentRunner` for the LLM tool-calling loop\n6. **SAVE** — Persist session\n7. **RESPOND** — Generate cross-session summary memory\n8. **DONE**\n\n---\n\n## 🧪 Tests\n\n```sh\nnpm test\n```\n\n**162 tests · 30 files · all green.**\n\n---\n\n## 🏗️ Build from source\n\nRequires [Bun](https://bun.sh) (`curl -fsSL https://bun.sh/install | bash`).\n\n```sh\ngit clone https://github.com/arthurpanhku/dvalincode\ncd dvalincode\nnpm install\nnpm run dev:all                 # start backend (3001) + Vite (5173)\n```\n\nBuild release binaries for every platform:\n\n```sh\nbash scripts/build-release.sh   # → release/ with tar.gz / zip + SHA256SUMS.txt\nbash scripts/build-release.sh darwin    # macOS only\nbash scripts/build-release.sh windows   # Windows only\n```\n\nBefore publishing a release:\n\n```sh\n(cd release \u0026\u0026 shasum -a 256 -c SHA256SUMS.txt)\nunzip -l release/dvalincode-v*-windows-x64.zip | grep 'web/dist/index.html'\ntar tzf release/dvalincode-v*-macos-arm64.tar.gz | grep 'DvalinCode.app/Contents/Resources/AppIcon.icns'\n```\n\nWindows smoke test: unzip `dvalincode-v*-windows-x64.zip` on Windows and run `start.bat` from the extracted folder. The server should open `http://localhost:3000`. If it reports an `ENOENT` path under `B:\\~BUN\\root\\web\\dist`, the compiled Bun virtual path detection has regressed; the packaged binary must resolve `web/dist` beside the extracted executable.\n\nNote: Bun only allows Windows `.exe` icon/metadata injection when compiling on Windows. macOS/Linux cross-builds still produce a valid Windows archive, but without an embedded `.exe` icon.\n\n---\n\n## 🌐 Providers\n\nDvalinCode supports any OpenAI-compatible endpoint. Built-in presets, sorted by cost:\n\n| Provider | Cheapest model | Input / Output | Notes |\n|---|---|---|---|\n| **Groq** | `llama-3.1-8b-instant` | Free tier | Fastest open models — Llama 3.3 70B, Mixtral |\n| **Ollama** | `qwen2.5-coder` | $0 (local) | No API key needed, runs on your machine |\n| **DeepSeek** | `deepseek-chat` | $0.14 / $0.28 per 1M | Cheap and strong; v3 nearly matches GPT-4 quality |\n| **OpenRouter** | `google/gemini-2.0-flash-001` | $0.10 / $0.40 per 1M | 200+ models including Claude, Gemini, Llama |\n| **OpenAI** | `gpt-4o-mini` | $0.15 / $0.60 per 1M | Reliable; `o1` available for deep reasoning |\n| **Custom** | — | depends | Any OpenAI-compatible base URL |\n\nDvalinCode shows the per-session cost live in the topbar — flip between providers in the **LLM Configuration** modal, save named profiles, and compare on the fly.\n\n---\n\n## ❓ FAQ\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDoes it send my code to a third party?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nOnly what the agent sends to the LLM you configured. Sessions, configs, and profiles all live on your machine in \u003ccode\u003e~/.dvalincode/\u003c/code\u003e. To exclude sensitive files from the agent's view, drop a \u003ccode\u003e.dvalincodeignore\u003c/code\u003e in your repo root (gitignore-style patterns).\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCan I run this without an API key?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nYes — use Ollama. Pull a model (\u003ccode\u003eollama pull qwen2.5-coder\u003c/code\u003e), then in the LLM Configuration modal pick the \u003cb\u003eOllama\u003c/b\u003e provider. No key, no internet, no per-token cost.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eWhy three modes? Can't I just use one?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nEach mode has different \u003cb\u003etool access\u003c/b\u003e and \u003cb\u003esafety\u003c/b\u003e defaults: Chat is read-only, Cowork requires approval per write, Code is full-auto. Each also has a different sidebar (Templates / Projects / Routines) optimized for that workflow. You can switch any time — the conversation continues.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eIs the shell tool sandboxed?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nOn macOS, yes — every \u003ccode\u003eshell\u003c/code\u003e tool invocation is wrapped in \u003ccode\u003esandbox-exec\u003c/code\u003e with a profile that \u003ci\u003edenies network access\u003c/i\u003e and allows file writes only inside \u003ccode\u003ecwd\u003c/code\u003e, \u003ccode\u003e/tmp\u003c/code\u003e, and \u003ccode\u003e/var\u003c/code\u003e. Linux and Windows sandboxing is planned.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHow do I see what the agent actually did — and is the log trustworthy?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nEvery run writes a JSONL audit log to \u003ccode\u003e~/.dvalincode/audit/run-\u0026lt;timestamp\u0026gt;-\u0026lt;id\u0026gt;.jsonl\u003c/code\u003e. Render it with \u003ccode\u003edvalincode report --last\u003c/code\u003e (or see the collapsible Run Report card in the GUI). Each record is chained to the previous one with a SHA-256 hash, so any after-the-fact edit is detectable — \u003ccode\u003edvalincode report verify \u0026lt;run-id\u0026gt;\u003c/code\u003e reports \u003ccode\u003e✓ chain intact\u003c/code\u003e or the exact position of a break. It's tamper-\u003cb\u003eevident\u003c/b\u003e, not tamper-\u003cb\u003eproof\u003c/b\u003e: a local attacker who can rewrite the whole file could recompute the chain. The value is forensic/accountability. See \u003ca href=\"docs/AUDIT-TRAIL.md\"\u003edocs/AUDIT-TRAIL.md\u003c/a\u003e for the full threat model.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eWill it overwrite my files without asking?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nDepends on the mode. \u003cb\u003eChat\u003c/b\u003e never writes. \u003cb\u003eCowork\u003c/b\u003e requires approval per file (with inline red/green diff before you click Allow). \u003cb\u003eCode\u003c/b\u003e is full-auto — use it for trusted tasks or in a feature branch.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eThe macOS binary won't open — \"unverified developer\"\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nThe binary is unsigned. Run this once to clear the quarantine flag:\n\u003cpre\u003e\u003ccode\u003exattr -dr com.apple.quarantine ~/.dvalincode\u003c/code\u003e\u003c/pre\u003e\nOr right-click the binary in Finder → Open → confirm once.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHow do I save a routine in Code mode?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nSwitch to Code mode, click the \u003cb\u003e+\u003c/b\u003e next to \"ROUTINES\" in the sidebar. Enter a name (e.g. \"Deploy preview\") and a prompt or slash command (e.g. \"\u003ccode\u003e/git\u003c/code\u003e\" or \"Build the project and deploy to staging\"). Routines persist in your browser's \u003ccode\u003elocalStorage\u003c/code\u003e.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDoes \u003ccode\u003eAGENTS.md\u003c/code\u003e get sent every turn?\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\nYes — DvalinCode reads \u003ccode\u003eAGENTS.md\u003c/code\u003e from the project root before each turn and injects it under \u003ccode\u003e=== PROJECT INSTRUCTIONS ===\u003c/code\u003e in the system prompt. Keep it focused — it counts toward your token budget.\n\u003c/details\u003e\n\n---\n\n## 🤝 Contributing\n\nContributions welcome. The codebase is intentionally small and surgical — see [CONTRIBUTING.md](CONTRIBUTING.md).\n\n```sh\ngit clone https://github.com/arthurpanhku/dvalincode\ncd dvalincode \u0026\u0026 npm install\nnpm test                # 65/65 ✅\nnpm run typecheck\n```\n\n---\n\n## 📄 License\n\nMIT — see [LICENSE](LICENSE).\n\n---\n\n## 🔗 Independence \u0026 Attribution\n\nDvalinCode is **not affiliated** with Anthropic, Claude, OpenAI, or any other vendor.\n\nThe design process included studying common patterns in modern coding agents for architectural learning. The `TurnState` state-machine design was informed by [HKUDS/nanobot](https://github.com/HKUDS/nanobot) (MIT). The agent loop follows the [ReAct paradigm](https://arxiv.org/abs/2210.03629) (Yao et al., 2022), and the tool-calling interface follows the OpenAI `tool_calls` format. The implementation — state machine, UI, tool schemas, module layout — is otherwise original; no source code, prompts, or UI text from other projects is copied.\n\nFull source references: [docs/REFERENCES.md](docs/REFERENCES.md)\n\n---\n\n## ⭐ Star Growth\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.star-history.com/#arthurpanhku/dvalincode\u0026Date\"\u003e\n    \u003cpicture\u003e\n      \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://api.star-history.com/svg?repos=arthurpanhku/dvalincode\u0026type=Date\u0026theme=dark\"\u003e\n      \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://api.star-history.com/svg?repos=arthurpanhku/dvalincode\u0026type=Date\"\u003e\n      \u003cimg alt=\"DvalinCode Star History Chart\" src=\"https://api.star-history.com/svg?repos=arthurpanhku/dvalincode\u0026type=Date\"\u003e\n    \u003c/picture\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farthurpanhku%2Fdvalincode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farthurpanhku%2Fdvalincode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farthurpanhku%2Fdvalincode/lists"}