{"id":31665300,"url":"https://github.com/n-engine/devit","last_synced_at":"2025-10-07T21:54:11.884Z","repository":{"id":314604485,"uuid":"1056119314","full_name":"n-engine/devit","owner":"n-engine","description":"Rust CLI dev agent — patch-only, sandboxed, with local LLMs (Ollama/LM Studio).","archived":false,"fork":false,"pushed_at":"2025-09-20T15:40:38.000Z","size":16864,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-20T16:16:00.482Z","etag":null,"topics":["ai-agent","ai-agents","approval-policy","cli","code-generation","developer-tools","git","llama-cpp","lm-studio","ollama","patch-only","rust","sandbox","testing","unified-diff","wasm"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n-engine.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-13T12:32:38.000Z","updated_at":"2025-09-20T15:19:32.000Z","dependencies_parsed_at":"2025-09-13T15:36:36.429Z","dependency_job_id":"6a9455be-a990-420a-8123-3555bf3b1593","html_url":"https://github.com/n-engine/devit","commit_stats":null,"previous_names":["n-engine/devit"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/n-engine/devit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n-engine%2Fdevit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n-engine%2Fdevit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n-engine%2Fdevit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n-engine%2Fdevit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n-engine","download_url":"https://codeload.github.com/n-engine/devit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n-engine%2Fdevit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278854216,"owners_count":26057418,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agent","ai-agents","approval-policy","cli","code-generation","developer-tools","git","llama-cpp","lm-studio","ollama","patch-only","rust","sandbox","testing","unified-diff","wasm"],"created_at":"2025-10-07T21:54:09.406Z","updated_at":"2025-10-07T21:54:11.871Z","avatar_url":"https://github.com/n-engine.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DevIt\nRust CLI dev agent — patch-only, sandboxed, with local LLMs (Ollama/LM Studio).\n\n![Status](https://img.shields.io/badge/status-alpha-orange)\n![License](https://img.shields.io/badge/license-Apache--2.0-blue)\n![CI](https://github.com/n-engine/devit/actions/workflows/ci.yml/badge.svg)\n\nAuthors: naskel and GPT‑5 Thinking (ChatGPT)\n\nExperimental\n- The optional binary `devit-mcp` (stdio MCP client) is feature-gated and not included in release archives.\n- Build/run locally with:\n  - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --help`\n- Status: prototype for tooling interop; API and behavior may change.\n\nv0.2‑rc highlights (Confiance \u0026 interop)\n- Tools JSON I/O: `devit tool list` and `echo '{\"name\":...,\"args\":{...}}' | devit tool call -`\n- Sandboxed `shell_exec`: safe‑list + best‑effort `net=off`, output returned as JSON\n- `fs_patch_apply`: precommit gate (lint/format) + `check_only` and `mode: index|worktree`\n  - Integrated pipeline: optional impacted tests after apply; auto revert on fail (configurable)\n  - Commit stage: Conventional Commits auto-message and commit (profile/flags)\n- Context map: `devit context map .` → `.devit/index.json` (respects .gitignore; ignores `.devit/`, `target/`, `bench/`)\n- Journal JSONL signé (HMAC) sous `.devit/journal.jsonl`; option `git.use_notes`\n  - Provenance (footer/notes): activer le footer via `[provenance] footer=true`; ajouter des notes via `[git] use_notes=true`.\n- Experimental (feature-gated): `devit-mcp` (MCP stdio client). Build/run with:\n  - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --help`\n\nPlugins (WASM/WASI)\n- Experimental, feature-gated. Run with `--features experimental`.\n- Registry: `.devit/plugins/\u003cid\u003e/devit-plugin.toml` (or `DEVIT_PLUGINS_DIR`).\n- Manifest example (`devit-plugin.toml`):\n  - `id = \"echo_sum\"`\n  - `name = \"Echo Sum\"`\n  - `wasm = \"echo_sum.wasm\"`\n  - `version = \"0.1.0\"`\n  - `allowed_dirs = []` (optional preopened dirs)\n  - `env = []` (optional `KEY=VALUE` entries)\n- Build example plugin:\n  - Install WASI target (new naming): `rustup target add wasm32-wasip1` (or `wasm32-wasi` on older toolchains)\n  - `cargo build -p devit-plugin-echo-sum --target wasm32-wasip1 --release` (from `examples/plugins/echo_sum`)\n  - Copy to registry: `mkdir -p .devit/plugins/echo_sum \u0026\u0026 cp examples/plugins/echo_sum/target/wasm32-wasip1/release/echo_sum.wasm .devit/plugins/echo_sum/`\n  - Write manifest per above.\n- CLI usage (JSON I/O):\n  - List: `cargo run -p devit-cli --features experimental --bin devit-plugin -- list`\n  - Invoke by id: `echo '{\"a\":1,\"b\":2}' | cargo run -p devit-cli --features experimental --bin devit-plugin -- invoke --id echo_sum`\n  - Or by manifest: `echo '{\"a\":1,\"b\":2}' | cargo run -p devit-cli --features experimental --bin devit-plugin -- invoke --manifest .devit/plugins/echo_sum/devit-plugin.toml`\n  - Timeouts: `DEVIT_TIMEOUT_SECS` (default 30s). Timeout exit code: 124.\n\nEnglish (EN)\nSecurity \u0026 Supply‑chain (v0.4)\n- Secrets redaction (MCP): enable `--secrets-scan` (or `[secrets].scan=true`), configure `placeholder` and `patterns` in `.devit/devit.toml`.\n- Sandbox: `--sandbox bwrap|none`, `--net off|full`, `--cpu-secs`, `--mem-mb` (recommended defaults: bwrap + net off when available).\n- SBOM CycloneDX: `devit sbom gen --out .devit/sbom.cdx.json` (audit sha256 in `.devit/journal.jsonl`).\n- Attestation (SLSA‑lite): JSONL under `.devit/attestations/YYYYMMDD/attest.jsonl`; CLI `--attest-diff|--no-attest-diff`.\n- Robust JSON I/O: `devit tool call - --json-only`; MCPD parses the last valid JSON and exposes `child_invalid_json` when needed; raw dumps via `--child-dump-dir`.\n- Quickstart\n  - Start a local OpenAI‑compatible LLM (LM Studio endpoint, or Ollama /v1).\n  - Keep `devit.toml` (defaults: approval=untrusted, sandbox=read-only, net off).\n  - Three commands:\n    1. `devit suggest --goal \"add a smoke test\" . \u003e PATCH.diff`\n    2. `devit apply PATCH.diff --yes` (read‑only defaults will refuse; switch to workspace‑write to allow)\n    3. `devit run --goal \"...\" --yes` (OnRequest requires `--yes`)\n- Installation\n  - Requirements: Rust stable, `git`\n  - Build: `cargo build --workspace`\n  - Makefile shortcuts: `make build`, `make test`, `make fmt-check`, `make smoke`\n- Configuration (`devit.toml`)\n  - `[backend]`: `kind`, `base_url`, `model`, `api_key`\n  - `[policy]`: `approval = untrusted|on-request|on-failure|never`, `sandbox = read-only|workspace-write|danger-full-access`\n  - `[sandbox]`: limits (MVP informational)\n  - `[git]`: conventions\n  - `[precommit]`: pre‑apply checks (Rust/JS/Python/extra) and bypass policy\n  - `[quality]`: thresholds for tests/lint in CI; `max_test_failures`, `max_lint_errors`, `allow_lint_warnings`, `fail_on_missing_reports`\n  - `[commit]`: Conventional Commits (max_subject, scopes_alias, default_type, template_body)\n- Useful global flags\n  - `--backend-url` / `--model` to override backend on the fly\n  - `--no-sandbox` disables isolation (danger)\n  - `--tui` enables TUI (preview/approval)\n- Commands\n  - `devit suggest --goal \"...\" [PATH]` → print a unified diff\n  - `devit apply [-|PATCH.diff] [--yes] [--force]` → apply + commit (respects policy)\n  - `devit run --goal \"...\" [PATH] [--yes] [--force]` → suggest→apply→commit→test\n  - `devit test` → run tests (auto‑detected stack)\n  - `devit test impacted [--changed-from \u003cref\u003e] [--framework auto|cargo|npm|pytest|ctest]` → run only impacted tests\n  - `devit commit-msg [--from-staged|--from-ref \u003cref\u003e] [--type \u003ct\u003e] [--scope \u003cs\u003e] [--with-template] [--write]` → Conventional Commit subject\n  - `devit commit-msg [--from-staged|--from-ref \u003cref\u003e] [--type \u003ct\u003e] [--scope \u003cs\u003e] [--with-template] [--write]` → Conventional Commit subject\n  - `devit report sarif|junit|summary` → ensure/export reports; `summary` writes `.devit/reports/summary.md`\n  - `devit quality gate --junit .devit/reports/junit.xml --sarif .devit/reports/sarif.json --json` → aggregate + thresholds\n  \nFs Patch Apply — integrated commit\n\n- JSON flags via `devit tool call -` (fs_patch_apply):\n  - `commit`: `auto|on|off` (default auto; safe/std=on, danger=auto)\n  - `commit_type`, `commit_scope`, `commit_body_template`, `commit_dry_run`, `signoff`, `no_provenance_footer`\n- Outputs:\n  - Success with commit: `{ ok:true, committed:true, commit_sha, type, scope, subject, msg_path }`\n  - Success without commit (off/dry-run): `{ ok:true, committed:false, type, scope, subject, msg_path }`\n  - Errors: `approval_required` (commit stage) or `git_commit_failed`\n- Provenance: adds “DevIt-Attest: …” footer if enabled (can be disabled per-call).\n\nRun — commit message\n\n- `devit run` uses the same generator (auto scope + alias, heuristic type) and preserves provenance footer when enabled.\n  - `devit tool list` → JSON description of tools\n  - `echo '{\"name\":\"shell_exec\",\"args\":{\"cmd\":\"ls -1 | head\"}}' | devit tool call -` → sandboxed shell (JSON I/O)\n  - `echo '{\"name\":\"fs_patch_apply\",\"args\":{\"patch\":\"\u003cDIFF\u003e\",\"check_only\":true}}' | devit tool call -` → dry‑run patch\n  - `devit context map .` → writes `.devit/index.json`\n  - Experimental: `devit-mcp` (stdio MCP client)\n    - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --cmd '\u003cserver cmd\u003e' --handshake-only`\n    - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --cmd '\u003cserver cmd\u003e' --echo \"hello\"`\n  - `devit plan` → list `update_plan.yaml`\n  - `devit watch [--diff PATCH.diff]` → continuous TUI (Plan | Diff | Logs)\n- Approval policies\n  - untrusted: always prompt (ignores `--yes`)\n  - on-request: `run` fails without `--yes`; otherwise prompts unless `--yes`\n  - on-failure: prompts unless `--yes`; tests allowed\n  - never: never prompt\n- Sandbox\n  - Modes: read‑only (refuses apply/run/test), workspace‑write (OK), danger‑full‑access\n  - Safe‑list in read‑only: `git`, `cargo`, `npm`, `ctest`\n  - Timeouts via `DEVIT_TIMEOUT_SECS` (kill + message)\n  - If `bwrap` is available: network off (`--unshare-net`)\n- Logs \u0026 plan\n  - JSONL: `~/.devit/logs/log.jsonl`: ToolCall, Diff, AskApproval, Info\n  - `update_plan.yaml` maintained by `run` (done/failed + JUnit summary + tail)\n - Quality gate\n   - Aggregates `.devit/reports/junit.xml` and `.devit/reports/sarif.json` with thresholds from `[quality]`\n   - CLI: `devit quality gate --json`; Summary: `devit report summary`\n   - Flaky tests: list patterns in `.devit/flaky_tests.txt` to ignore in threshold (reported separately)\n- TUI\n  - `--tui` for run/apply: interactive approval (y/n/q), live logs\n    - Navigation: arrows or h/j/k/l; PgUp/PgDn; 1/2/3 to select column\n    - Diff colors: + green, − red\n  - `devit watch`: continuous TUI (plan yaml / optional diff / JSONL logs)\n- MVP limitations\n  - OpenAI‑like backend (configurable URL)\n  - Non‑streaming diff generation (one‑shot preview)\n\nFrançais (FR)\n- Quickstart\n  - Démarrez un LLM local compatible OpenAI (LM Studio, ou Ollama /v1).\n  - Gardez `devit.toml` (défauts: approval=untrusted, sandbox=read-only, net off).\n  - Trois commandes:\n    1. `devit suggest --goal \"add a smoke test\" . \u003e PATCH.diff`\n    2. `devit apply PATCH.diff --yes` (en read‑only, refusera sans assouplir la policy)\n    3. `devit run --goal \"...\" --yes` (en OnRequest, `--yes` requis)\n- Installation\n  - Prérequis: Rust stable, `git`\n  - Build: `cargo build --workspace`\n  - Raccourcis Makefile: `make build`, `make test`, `make fmt-check`, `make smoke`\n- Configuration (`devit.toml`)\n  - `[backend]`: `kind`, `base_url`, `model`, `api_key`\n  - `[policy]`: `approval = untrusted|on-request|on-failure|never`, `sandbox = read-only|workspace-write|danger-full-access`\n  - `[sandbox]`: limites (MVP informatif)\n  - `[git]`: conventions\n  - `[precommit]`: vérifs pré‑apply (Rust/JS/Python/extra) et bypass\n  - `[quality]`: seuils tests/lint pour CI; `max_test_failures`, `max_lint_errors`, `allow_lint_warnings`, `fail_on_missing_reports`\n- Flags globaux utiles\n  - `--backend-url` / `--model` pour override ponctuel\n  - `--no-sandbox` désactive l’isolation (danger)\n  - `--tui` active les TUI (aperçu/approbation)\n- Commandes\n  - `devit suggest --goal \"...\" [PATH]` → imprime un diff\n  - `devit apply [-|PATCH.diff] [--yes] [--force]` → applique + commit (respecte policy)\n  - `devit run --goal \"...\" [PATH] [--yes] [--force]` → suggest→apply→commit→test\n  - `devit test` → exécute les tests (stack auto)\n  - `devit test impacted [--changed-from \u003cref\u003e] [--framework auto|cargo|npm|pytest|ctest]` → tests impactés uniquement\n  - `devit commit-msg [--from-staged|--from-ref \u003cref\u003e] [--type \u003ct\u003e] [--scope \u003cs\u003e] [--with-template] [--write]` → Conventional Commits\n  - `devit report sarif|junit|summary` → export; `summary` écrit `.devit/reports/summary.md`\n  - `devit quality gate --junit .devit/reports/junit.xml --sarif .devit/reports/sarif.json --json` → agrégat + seuils\n  - `devit tool list` → description JSON des outils\n  - `echo '{\"name\":\"shell_exec\",\"args\":{\"cmd\":\"ls -1 | head\"}}' | devit tool call -` → shell sandboxé (I/O JSON)\n  - `echo '{\"name\":\"fs_patch_apply\",\"args\":{\"patch\":\"\u003cDIFF\u003e\",\"check_only\":true}}' | devit tool call -` → dry‑run du patch\n  - Porte pré‑commit: DevIt exécute des checks (Rust/JS/Python) avant d’appliquer; échec → apply refusé.\n  - `devit context map .` → écrit `.devit/index.json`\n  - Expérimental: `devit-mcp` (client MCP stdio)\n    - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --cmd '\u003cserveur MCP\u003e' --handshake-only`\n    - `cargo run -p devit-cli --features experimental --bin devit-mcp -- --cmd '\u003cserveur MCP\u003e' --echo \"hello\"`\n\n### DevIt TUI (ratatui) — démarrage rapide\n\n- Préparer un journal : `devit run --goal \"...\" --yes` produit `.devit/journal.jsonl` (ou utilisez les rapports générés par la CI).\n- Lancer l’interface : `cargo run -p devit-tui -- --open-log .devit/journal.jsonl`.\n- Navigation principale :\n  - `↑/↓` pour parcourir la timeline, `F` active/désactive le suivi des nouveaux events.\n  - `R` ouvre le panneau “Recipes” (sélection `↑/↓`, `Enter` pour dry-run, `O` pour afficher le diff, `A` pour appliquer, `Esc` pour revenir).\n  - Si un diff est ouvert : `j/k` changent de hunk, `h/H` changent de fichier, `Esc` ferme la vue diff.\n  - `F1` affiche l’aide contextuelle, `q` quitte.\n- Mode headless : `DEVIT_TUI_HEADLESS=1 devit-tui --open-log .devit/journal.jsonl` imprime l’event sélectionné (compatible CI/scripts).\n\nRecettes (TUI ↔ CLI)\n- Lister les recettes (headless‑friendly):\n  - `DEVIT_TUI_HEADLESS=1 cargo run -p devit-tui -- --list-recipes | jq`\n- Exécuter une recette en dry‑run (headless):\n  - `DEVIT_TUI_HEADLESS=1 cargo run -p devit-tui -- --run-recipe add-ci --dry-run`\n  - Codes de sortie: 0 = succès, 2 = `approval_required` (rejouer après approbation)\n  - Erreurs normalisées sur stderr: `{ error: { recipe_integration_failed:true, reason:\"list_failed|run_failed|no_patch\" } }`\n- Interactif:\n  - `R` → liste des recettes → `Enter` lance un dry‑run\n  - Si un patch est généré, le viewer diff s’ouvre (puis `A` pour appliquer)\n  - `--run-recipe \u003cid\u003e --dry-run` ouvre directement la preview du diff si disponible\n\nPlugins (WASM/WASI)\n- Expérimental (feature-gated). Utiliser `--features experimental`.\n- Registry: `.devit/plugins/\u003cid\u003e/devit-plugin.toml` (ou `DEVIT_PLUGINS_DIR`).\n- Exemple de manifeste (`devit-plugin.toml`) :\n  - `id = \"echo_sum\"`, `name = \"Echo Sum\"`, `wasm = \"echo_sum.wasm\"`, `version = \"0.1.0\"`\n  - `allowed_dirs = []` (répertoires pré-ouverts facultatifs), `env = []` (variables `KEY=VALUE`).\n- Construire l’exemple:\n  - Installer la cible WASI (nouvelle dénomination): `rustup target add wasm32-wasip1` (ou `wasm32-wasi`)\n  - `cargo build -p devit-plugin-echo-sum --target wasm32-wasip1 --release` (depuis `examples/plugins/echo_sum`)\n  - Copier: `mkdir -p .devit/plugins/echo_sum \u0026\u0026 cp examples/plugins/echo_sum/target/wasm32-wasip1/release/echo_sum.wasm .devit/plugins/echo_sum/`\n  - Écrire le manifeste comme ci-dessus.\n- CLI (I/O JSON):\n  - Lister: `cargo run -p devit-cli --features experimental --bin devit-plugin -- list`\n  - Invoquer par id: `echo '{\"a\":1,\"b\":2}' | cargo run -p devit-cli --features experimental --bin devit-plugin -- invoke --id echo_sum`\n  - Ou par manifeste: `echo '{\"a\":1,\"b\":2}' | cargo run -p devit-cli --features experimental --bin devit-plugin -- invoke --manifest .devit/plugins/echo_sum/devit-plugin.toml`\n  - Timeout: `DEVIT_TIMEOUT_SECS` (défaut 30s). Code sortie timeout: 124.\n  - `devit plan` → liste `update_plan.yaml`\n  - `devit watch [--diff PATCH.diff]` → TUI continu (Plan | Diff | Logs)\n- Policies d’approbation\n  - untrusted: demande toujours (ignore `--yes`)\n  - on-request: `run` échoue sans `--yes`; sinon demande sauf `--yes`\n  - on-failure: demande sauf `--yes`; tests libres\n  - never: ne demande jamais\n- Sandbox\n  - Modes: read-only (refuse apply/run/test), workspace-write (OK), danger-full-access\n  - Safe‑list en read‑only: `git`, `cargo`, `npm`, `ctest`\n  - Timeouts via `DEVIT_TIMEOUT_SECS` (kill + message)\n  - Si `bwrap` disponible: réseau coupé (`--unshare-net`)\n- Journal \u0026 plan\n  - JSONL: `~/.devit/logs/log.jsonl`: ToolCall, Diff, AskApproval, Info\n  - `update_plan.yaml` maintenu par `run` (status done/failed + résumé JUnit + tail)\n- TUI\n  - `--tui` pendant run/apply: approbation interactive (y/n/q), logs en live\n    - Navigation: flèches ou h/j/k/l; PgUp/PgDn; 1/2/3 sélection de colonne\n    - Diff colorisé: lignes + en vert, − en rouge\n  - `devit watch`: TUI continu (plan yaml / diff optionnel / logs JSONL)\n- Limitations MVP\n  - Backend OpenAI‑like (URL configurable)\n  - TUI non‑streaming pour la génération de diff (aperçu ponctuel)\n## MCP (expérimental)\n\nBinaire client : `devit-mcp`\n\nBinaire serveur : `devit-mcpd`\n\nOutils exposés (server):\n\n- `server.policy` — état effectif (approvals, limites, audit)\n- `server.health` — uptime + dépendances (devit, devit-plugin, wasmtime)\n- `server.stats` — compteurs d’appels par outil\n- `devit.tool_list` — proxy de `devit tool list`\n- `devit.tool_call` — proxy de `devit tool call -` (JSON stdin → JSON stdout)\n- `plugin.invoke` — proxy de `devit-plugin invoke --id \u003cid\u003e` (JSON stdin → JSON stdout)\n- `echo` — outil de test\n\nProfils d'approbation (server)\n\n- Config (`.devit/devit.toml`):\n\n```\n[mcp]\nprofile = \"safe\" # ou \"std\" | \"danger\"\n[mcp.approvals]\n# overrides spécifiques par outil (facultatif)\n\"server.stats.reset\" = \"never\"\n```\n\n- Presets:\n  - safe: `devit.tool_call=on_request`, `plugin.invoke=on_request`, `server.*=never`\n  - std: `devit.tool_call=on_failure`, `plugin.invoke=on_request`, `server.*=never`\n  - danger: `devit.tool_call=never`, `plugin.invoke=on_failure`, `server.*=never`\n- Inspecter la politique effective:\n\n```\ndevit-mcp --cmd 'devit-mcpd --yes' --policy | jq\n# JSON inclut: { \"profile\": \"safe|std|danger|none\", \"tools\": { ... } }\n```\n\nFlags utiles (client) :\n\n- `--policy`, `--health`, `--stats`, `--call \u003cname\u003e --json '\u003cpayload\u003e'`\n\nFlags utiles (serveur) :\n\n- `--yes` (auto-approve), `--policy-dump`, `--no-audit`\n- `--max-calls-per-min`, `--max-json-kb`, `--cooldown-ms`\n- `--devit-bin`, `--devit-plugin-bin`, `--timeout-secs`\n- `--max-runtime-secs` (watchdog global: arrêt propre au bout de N secondes)\n\nExemples :\n\nHandshake :\n\n```\ndevit-mcp --cmd 'devit-mcpd --yes' --handshake-only\n```\n\nPolitique côté serveur :\n\n```\ndevit-mcp --cmd 'devit-mcpd --yes' --policy | jq\n```\n\nLancer mcpd avec des flags typiques (profil/réseau/limites):\n\n```\ndevit-mcpd --yes --profile safe --sandbox bwrap --net off --cpu-secs 30 --mem-mb 1024\n```\n\nApprovals rapides (outer/inner) — voir `docs/approvals.md` pour les détails hiérarchiques:\n\n```\n# Accorder une fois pour shell_exec (inner)\ndevit-mcp --cmd 'devit-mcpd --yes' --call server.approve --json '{\"name\":\"devit.tool_call:shell_exec\",\"scope\":\"once\"}'\n\n# Accorder pour la session entière (outer)\ndevit-mcp --cmd 'devit-mcpd --yes' --call server.approve --json '{\"name\":\"devit.tool_call\",\"scope\":\"session\"}'\n```\n\nSanté et stats :\n\n```\ndevit-mcp --cmd 'devit-mcpd --yes' --health | jq\ndevit-mcp --cmd 'devit-mcpd --yes' --stats | jq\n\nRéinitialiser les compteurs (server.stats.reset) :\n\n```\n# Après quelques appels, remets les compteurs à zéro\ndevit-mcp --cmd 'devit-mcpd --yes' --stats-reset | jq\n# Vérifier\ndevit-mcp --cmd 'devit-mcpd --yes' --stats | jq '.payload.stats.totals'\n```\n\nWatchdog global (arrêt après N secondes) :\n\n```\n# Le serveur s'arrête proprement après 1s (exit 2), message clair sur stderr\ndevit-mcp --cmd 'devit-mcpd --yes --max-runtime-secs 1' --policy || echo \"exit=$?\"\n```\n\n## Dépannage mcpd (rapide)\n\n- Mémoire insuffisante (\"Cannot allocate memory\" / \"memory allocation ... failed\")\n  - Augmenter la limite: `devit-mcpd --yes --mem-mb 2048` (ou plus selon l’environnement)\n- Délai trop court\n  - Allonger: `devit-mcpd --yes --timeout-secs 60` ou `DEVIT_TIMEOUT_SECS=60 devit-mcpd --yes`\n- bwrap absent (sandbox_unavailable)\n  - Installer bubblewrap, ou lancer sans bwrap: `--sandbox none` (les limites CPU/Mémoire restent actives via rlimits)\n- child_invalid_json (sortie enfant non JSON)\n  - Activer les dumps: `--child-dump-dir .devit/reports` puis inspecter `child_*.stdout.log` / `child_*.stderr.log`\n- Approvals trop fréquents\n  - Accorder côté outer/inner: `server.approve` (ex.: `devit.tool_call:shell_exec` ou `devit.tool_call`) — voir `docs/approvals.md`\n- Réseau bloqué en sandbox bwrap\n  - Par défaut `--net off` (isolé). Activer: `--net full` si nécessaire\n- Proxy server.* refusé depuis devit.tool_call\n  - Message `server_tool_proxy_denied`: appelez directement l’outil `server.*` souhaité\n- Variables d’environnement refusées\n  - `secrets_env_denied`: variable non autorisée. Utiliser l’allowlist adéquate dans la config, ou éviter `args.env`\n\nConfig d'exemple\n\n- Un fichier complet d'exemple est disponible: `examples/devit.sample.toml`.\n- Copiez-le à la racine sous le nom `devit.toml` et adaptez:\n  - `[provenance] footer=true` pour ajouter un trailer \"DevIt-Attest\" dans les commits\n  - `[git] use_notes=true` pour ajouter des `git notes` d'attestation\n  - `[mcp] profile = \"safe|std|danger\"` et éventuels overrides `[mcp.approvals]`\n\nAppel de tool :\n\n```\ndevit-mcp --cmd 'devit-mcpd --yes' --call devit.tool_list --json '{}'\n```\n\nPlugin WASI (si echo_sum.wasm installé) :\n\n```\necho '{\"id\":\"echo_sum\",\"payload\":{\"a\":2,\"b\":40}}' | devit-mcp --cmd 'devit-mcpd --yes' --call plugin.invoke --json @-\n```\nsmoke llm 2025-09-15T16:19:26+02:00\nsmoke llm 2025-09-15T16:41:50+02:00\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn-engine%2Fdevit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn-engine%2Fdevit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn-engine%2Fdevit/lists"}