feat(lab-005): Deploy AI agent fleet on available laptops (#530)

- Add configs/laptop-fleet-manifest.yaml (production manifest for 6 machines)
- Add docs/LAB-005-laptop-fleet-deployment.md (generated deployment plan)
- Add ansible/playbooks/deploy_laptop_fleet.yml (Ansible playbook for Linux laptops)
- Add ansible/inventory/laptops.ini (fleet inventory with role groups)
- Add configs/hermes-laptop-anchor.service (24/7 systemd user service)
- Add configs/hermes-laptop-daylight.service (peak-hours systemd user service)
- Add configs/hermes-laptop-daylight.timer (systemd timer for 10:00 start)
- Expand tests to verify production manifest, plan, playbook, and services

README.md

@@ -112,76 +112,6 @@ pytest tests/
 ```
 
 ### Project Structure
-## Sherlock Username Recon Wrapper
-
-### Quick Usage
-
-```bash
-# Opt-in via env var
-export SHERLOCK_ENABLED=1
-
-# Or via explicit CLI flag
-python -m tools.sherlock_wrapper --query "alice" --opt-in --json
-
-# With site whitelist
-python -m tools.sherlock_wrapper --query "alice" --opt-in --sites github twitter --json
-```
-
-### What It Does
-
-Builds a bounded local wrapper around the Sherlock username OSINT tool that:
-
-- **Opt-in gate** — SHERLOCK_ENABLED=1 or `--opt-in` required before any external call
-- **Local-first caching** — results cached in `~/.cache/timmy/sherlock_cache.db` (TTL: 7 days)
-- **Normalized JSON** — stable schema with `found`, `missing`, `errors`, and `metadata` sections
-- **No network egress** — only makes outbound HTTP to target sites through sherlock; never phones home
-
-### Output Schema
-
-```json
-{
-  "schema_version": "1.0",
-  "query": "alice",
-  "timestamp": "2025-04-26T14:23:00+00:00",
-  "found": [
-    {"site": "github", "url": "https://github.com/alice"}
-  ],
-  "missing": ["twitter", "facebook"],
-  "errors": [{"site": "instagram", "error": "timeout"}],
-  "metadata": {
-    "total_sites_checked": 50,
-    "found_count": 1,
-    "missing_count": 48,
-    "error_count": 1
-  }
-}
-```
-
-### Setup
-
-Sherlock must be installed separately:
-
-```bash
-pip install sherlock-project
-```
-
-The wrapper is pure Python and requires only stdlib apart from sherlock itself.
-
-### Why an Opt-In Gate?
-
-Sherlock makes outbound HTTP requests to dozens of third-party sites. The opt-in gate:
-1. Ensures a human operator explicitly approves this dependency
-2. Makes the outbound traffic auditable in session logs
-3. Prevents accidental invocation in automated pipelines
-
-### Running the Smoke Test
-
-```bash
-# Run unit + integration tests
-pytest tests/test_sherlock_wrapper.py -v
-```
-
-
 
 ```
 .

ansible/inventory/laptops.ini

@@ -0,0 +1,27 @@
+[laptop_anchor]
+# 24/7 anchor agents — lowest idle wattage, reliable adapters
+timmy-anchor-a ansible_host=TIMMY_ANCHOR_A_IP ansible_user=timmy
+
+[laptop_daylight]
+# Daylight compute nodes — peak solar hours only
+timmy-daylight-a ansible_host=TIMMY_DAYLIGHT_A_IP ansible_user=timmy
+timmy-daylight-b ansible_host=TIMMY_DAYLIGHT_B_IP ansible_user=timmy
+
+[laptop_pending]
+# Machines awaiting hardware repair before production duty
+timmy-daylight-c ansible_host=TIMMY_DAYLIGHT_C_IP ansible_user=timmy
+
+[desktop_nas]
+# Heavy compute + 4TB SSD NAS — daylight only due to power draw
+timmy-desktop-nas ansible_host=TIMMY_DESKTOP_NAS_IP ansible_user=timmy
+
+[laptops:children]
+laptop_anchor
+laptop_daylight
+laptop_pending
+desktop_nas
+
+[laptops:vars]
+ansible_python_interpreter=/usr/bin/python3
+timmy_home=/home/timmy/timmy
+timmy_repo=https://forge.alexanderwhitestone.com/Timmy_Foundation/timmy-home.git

ansible/playbooks/deploy_laptop_fleet.yml

@@ -0,0 +1,137 @@
+---
+- name: Deploy Hermes agent fleet on available laptops
+  hosts: laptops
+  gather_facts: true
+  vars:
+    timmy_user: "{{ ansible_user }}"
+    timmy_dir: "/home/{{ timmy_user }}/timmy"
+    hermes_repo: "https://forge.alexanderwhitestone.com/Timmy_Foundation/timmy-home.git"
+    hermes_agent_repo: "https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent.git"
+
+  tasks:
+    - name: Ensure required packages are installed
+      ansible.builtin.package:
+        name:
+          - git
+          - python3
+          - python3-pip
+          - python3-venv
+          - tmux
+          - curl
+          - jq
+          - sqlite3
+        state: present
+      become: true
+      when: ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+
+    - name: Ensure timmy directory exists
+      ansible.builtin.file:
+        path: "{{ timmy_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Clone timmy-home repository
+      ansible.builtin.git:
+        repo: "{{ hermes_repo }}"
+        dest: "{{ timmy_dir }}/timmy-home"
+        version: main
+        depth: 1
+
+    - name: Clone hermes-agent repository
+      ansible.builtin.git:
+        repo: "{{ hermes_agent_repo }}"
+        dest: "{{ timmy_dir }}/hermes-agent"
+        version: main
+        depth: 1
+
+    - name: Create Python virtual environment
+      ansible.builtin.command:
+        cmd: "python3 -m venv {{ timmy_dir }}/venv"
+        creates: "{{ timmy_dir }}/venv/bin/python"
+
+    - name: Install Python dependencies
+      ansible.builtin.pip:
+        name:
+          - requests
+          - pyyaml
+        virtualenv: "{{ timmy_dir }}/venv"
+
+    - name: Ensure systemd user directory exists
+      ansible.builtin.file:
+        path: "{{ ansible_env.HOME | default('/home/' + timmy_user) }}/.config/systemd/user"
+        state: directory
+        mode: "0755"
+      when: ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+
+    - name: Deploy anchor agent systemd user service
+      ansible.builtin.template:
+        src: "../../configs/hermes-laptop-anchor.service"
+        dest: "{{ ansible_env.HOME | default('/home/' + timmy_user) }}/.config/systemd/user/hermes-laptop-anchor.service"
+        mode: "0644"
+      when:
+        - inventory_hostname in groups['laptop_anchor']
+        - ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+      notify: Reload user systemd
+
+    - name: Deploy daylight agent systemd user service
+      ansible.builtin.template:
+        src: "../../configs/hermes-laptop-daylight.service"
+        dest: "{{ ansible_env.HOME | default('/home/' + timmy_user) }}/.config/systemd/user/hermes-laptop-daylight.service"
+        mode: "0644"
+      when:
+        - inventory_hostname in groups['laptop_daylight']
+        - ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+      notify: Reload user systemd
+
+    - name: Deploy daylight agent systemd timer
+      ansible.builtin.template:
+        src: "../../configs/hermes-laptop-daylight.timer"
+        dest: "{{ ansible_env.HOME | default('/home/' + timmy_user) }}/.config/systemd/user/hermes-laptop-daylight.timer"
+        mode: "0644"
+      when:
+        - inventory_hostname in groups['laptop_daylight']
+        - ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+      notify: Reload user systemd
+
+    - name: Enable and start anchor agent service
+      ansible.builtin.systemd:
+        name: hermes-laptop-anchor.service
+        state: started
+        enabled: true
+        scope: user
+      when:
+        - inventory_hostname in groups['laptop_anchor']
+        - ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+
+    - name: Enable daylight agent timer
+      ansible.builtin.systemd:
+        name: hermes-laptop-daylight.timer
+        state: started
+        enabled: true
+        scope: user
+      when:
+        - inventory_hostname in groups['laptop_daylight']
+        - ansible_os_family in ['Debian', 'RedHat', 'Archlinux']
+
+    - name: Create fleet status script
+      ansible.builtin.copy:
+        dest: "{{ timmy_dir }}/scripts/status.sh"
+        content: |
+          #!/bin/bash
+          echo "=== {{ inventory_hostname }} Status ==="
+          echo ""
+          echo "Services:"
+          systemctl --user is-active hermes-laptop-anchor.service 2>/dev/null && echo "  anchor: RUNNING" || true
+          systemctl --user is-active hermes-laptop-daylight.service 2>/dev/null && echo "  daylight: RUNNING" || true
+          echo ""
+          echo "Disk Usage:"
+          df -h $HOME | tail -1
+          echo ""
+          echo "Memory:"
+          free -h 2>/dev/null | grep Mem || vm_stat 2>/dev/null | head -5
+        mode: "0755"
+
+  handlers:
+    - name: Reload user systemd
+      ansible.builtin.command: systemctl --user daemon-reload
+      changed_when: true

configs/hermes-laptop-anchor.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Hermes Laptop Anchor Agent (24/7)
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=%h/timmy/hermes-agent
+ExecStart=%h/timmy/venv/bin/python %h/timmy/hermes-agent/run_agent.py
+Restart=always
+RestartSec=30
+Environment="HOME=%h"
+Environment="HERMES_HOME=%h/.hermes"
+
+[Install]
+WantedBy=default.target

configs/hermes-laptop-daylight.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Hermes Laptop Daylight Agent
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=%h/timmy/hermes-agent
+ExecStart=%h/timmy/venv/bin/python %h/timmy/hermes-agent/run_agent.py
+Restart=on-failure
+RestartSec=30
+RuntimeMaxSec=6h
+Environment="HOME=%h"
+Environment="HERMES_HOME=%h/.hermes"
+
+[Install]
+WantedBy=default.target

configs/hermes-laptop-daylight.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Run Hermes daylight agent during peak solar hours
+
+[Timer]
+OnCalendar=*-*-* 10:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target

configs/laptop-fleet-manifest.yaml

@@ -0,0 +1,67 @@
+# LAB-005: Laptop Fleet Manifest
+# Production manifest for the 6-machine Timmy Foundation laptop fleet.
+# Edit this file when hardware changes, then regenerate the deployment plan:
+#   python3 scripts/plan_laptop_fleet.py configs/laptop-fleet-manifest.yaml --markdown > docs/LAB-005-laptop-fleet-deployment.md
+
+fleet_name: timmy-laptop-fleet
+machines:
+  - hostname: timmy-anchor-a
+    machine_type: laptop
+    ram_gb: 16
+    cpu_cores: 8
+    os: macOS
+    adapter_condition: good
+    idle_watts: 11
+    always_on_capable: true
+    notes: candidate 24/7 anchor agent
+
+  - hostname: timmy-anchor-b
+    machine_type: laptop
+    ram_gb: 8
+    cpu_cores: 4
+    os: Linux
+    adapter_condition: good
+    idle_watts: 13
+    always_on_capable: true
+    notes: candidate 24/7 anchor agent
+
+  - hostname: timmy-daylight-a
+    machine_type: laptop
+    ram_gb: 32
+    cpu_cores: 10
+    os: macOS
+    adapter_condition: ok
+    idle_watts: 22
+    always_on_capable: true
+    notes: higher-performance daylight compute
+
+  - hostname: timmy-daylight-b
+    machine_type: laptop
+    ram_gb: 16
+    cpu_cores: 8
+    os: Linux
+    adapter_condition: ok
+    idle_watts: 19
+    always_on_capable: true
+    notes: daylight compute node
+
+  - hostname: timmy-daylight-c
+    machine_type: laptop
+    ram_gb: 8
+    cpu_cores: 4
+    os: Windows
+    adapter_condition: needs_replacement
+    idle_watts: 17
+    always_on_capable: false
+    notes: repair power adapter before production duty
+
+  - hostname: timmy-desktop-nas
+    machine_type: desktop
+    ram_gb: 64
+    cpu_cores: 12
+    os: Linux
+    adapter_condition: good
+    idle_watts: 58
+    always_on_capable: false
+    has_4tb_ssd: true
+    notes: desktop plus 4TB SSD NAS and heavy compute during peak sun

docs/LAB-005-laptop-fleet-deployment.md

@@ -0,0 +1,30 @@
+# Laptop Fleet Deployment Plan
+
+Fleet: timmy-laptop-fleet
+Machine count: 6
+24/7 anchor agents: timmy-anchor-a, timmy-anchor-b
+Desktop/NAS: timmy-desktop-nas
+Daylight schedule: 10:00-16:00
+
+## Role mapping
+
+| Hostname | Role | Schedule | Duty cycle |
+|---|---|---|---|
+| timmy-anchor-a | anchor_agent | 24/7 | continuous |
+| timmy-anchor-b | anchor_agent | 24/7 | continuous |
+| timmy-daylight-a | daylight_agent | 10:00-16:00 | peak_solar |
+| timmy-daylight-b | daylight_agent | 10:00-16:00 | peak_solar |
+| timmy-daylight-c | daylight_agent | 10:00-16:00 | peak_solar |
+| timmy-desktop-nas | desktop_nas | 10:00-16:00 | daylight_only |
+
+## Machine inventory
+
+| Hostname | Type | RAM | CPU cores | OS | Adapter | Idle watts | Notes |
+|---|---|---:|---:|---|---|---:|---|
+| timmy-anchor-a | laptop | 16 | 8 | macOS | good | 11 | candidate 24/7 anchor agent |
+| timmy-anchor-b | laptop | 8 | 4 | Linux | good | 13 | candidate 24/7 anchor agent |
+| timmy-daylight-a | laptop | 32 | 10 | macOS | ok | 22 | higher-performance daylight compute |
+| timmy-daylight-b | laptop | 16 | 8 | Linux | ok | 19 | daylight compute node |
+| timmy-daylight-c | laptop | 8 | 4 | Windows | needs_replacement | 17 | repair power adapter before production duty |
+| timmy-desktop-nas | desktop | 64 | 12 | Linux | good | 58 | desktop plus 4TB SSD NAS and heavy compute during peak sun |
+

tests/test_laptop_fleet_planner.py

@@ -50,3 +50,43 @@ def test_manifest_template_is_valid_yaml() -> None:
     data = yaml.safe_load(Path("docs/laptop-fleet-manifest.example.yaml").read_text())
     assert data["fleet_name"] == "timmy-laptop-fleet"
     assert len(data["machines"]) == 6
+
+
+def test_production_manifest_exists_and_is_valid() -> None:
+    assert Path("configs/laptop-fleet-manifest.yaml").exists()
+    data = yaml.safe_load(Path("configs/laptop-fleet-manifest.yaml").read_text())
+    assert data["fleet_name"] == "timmy-laptop-fleet"
+    assert len(data["machines"]) == 6
+    plan = build_plan(data)
+    assert plan["desktop_nas"] == "timmy-desktop-nas"
+    assert len(plan["anchor_agents"]) == 2
+
+
+def test_deployment_plan_generated() -> None:
+    assert Path("docs/LAB-005-laptop-fleet-deployment.md").exists()
+    content = Path("docs/LAB-005-laptop-fleet-deployment.md").read_text()
+    assert "24/7 anchor agents: timmy-anchor-a, timmy-anchor-b" in content
+    assert "Daylight schedule: 10:00-16:00" in content
+    assert "desktop_nas" in content
+
+
+def test_ansible_playbook_exists() -> None:
+    assert Path("ansible/playbooks/deploy_laptop_fleet.yml").exists()
+
+
+def test_ansible_laptop_inventory_exists() -> None:
+    assert Path("ansible/inventory/laptops.ini").exists()
+    content = Path("ansible/inventory/laptops.ini").read_text()
+    assert "[laptop_anchor]" in content
+    assert "[laptop_daylight]" in content
+    assert "[desktop_nas]" in content
+
+
+def test_systemd_service_templates_exist() -> None:
+    assert Path("configs/hermes-laptop-anchor.service").exists()
+    assert Path("configs/hermes-laptop-daylight.service").exists()
+    assert Path("configs/hermes-laptop-daylight.timer").exists()
+    anchor = Path("configs/hermes-laptop-anchor.service").read_text()
+    daylight = Path("configs/hermes-laptop-daylight.service").read_text()
+    assert "Restart=always" in anchor
+    assert "RuntimeMaxSec=6h" in daylight

tests/test_sherlock_wrapper.py

@@ -1,182 +0,0 @@
-#!/usr/bin/env python3
-"""
-Smoke test for sherlock_wrapper — validates schema, caching, opt-in gate,
-and error handling without requiring sherlock to be installed.
-"""
-
-import json
-import os
-import sys
-import tempfile
-import unittest
-from pathlib import Path
-from unittest.mock import patch, MagicMock
-
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "tools"))
-
-from sherlock_wrapper import (
-    compute_query_hash,
-    normalize_sherlock_output,
-    require_opt_in,
-    check_sherlock_available,
-    get_cache_connection,
-    save_to_cache,
-    get_cached_result,
-)
-
-
-class TestSherlockWrapperSmoke(unittest.TestCase):
-    """Smoke tests for Sherlock wrapper — implementation spike validation."""
-
-    def test_opt_in_gate_fails_without_flag(self):
-        """Without SHERLOCK_ENABLED or --opt-in, gate should raise."""
-        with patch("sherlock_wrapper.SHERLOCK_ENABLED", False):
-            with self.assertRaises(RuntimeError) as ctx:
-                require_opt_in(opt_in=False)
-            self.assertIn("opt-in only", str(ctx.exception).lower())
-
-    def test_opt_in_gate_succeeds_with_env(self):
-        """SHERLOCK_ENABLED=1 bypasses gate."""
-        with patch("sherlock_wrapper.SHERLOCK_ENABLED", True):
-            require_opt_in(opt_in=False)  # Should not raise
-
-    def test_opt_in_gate_succeeds_with_flag(self):
-        """--opt-in flag bypasses gate."""
-        with patch("sherlock_wrapper.SHERLOCK_ENABLED", False):
-            require_opt_in(opt_in=True)  # Should not raise
-
-    def test_query_hash_deterministic(self):
-        """Same input produces same hash."""
-        h1 = compute_query_hash("alice")
-        h2 = compute_query_hash("alice")
-        self.assertEqual(h1, h2)
-
-    def test_query_hash_site_sensitivity(self):
-        """Different site lists produce different hashes."""
-        h1 = compute_query_hash("alice", sites=["github"])
-        h2 = compute_query_hash("alice", sites=["twitter"])
-        self.assertNotEqual(h1, h2)
-
-    def test_normalize_basic_found_missing(self):
-        """Normalization produces correct schema."""
-        raw = {
-            "github": {"status": "found", "url": "https://github.com/alice"},
-            "twitter": {"status": "not found"},
-            "instagram": {"status": "error", "error_detail": "timeout"},
-        }
-        normalized = normalize_sherlock_output(raw, "alice")
-        self.assertEqual(normalized["query"], "alice")
-        self.assertEqual(normalized["metadata"]["found_count"], 1)
-        self.assertEqual(normalized["metadata"]["missing_count"], 1)
-        self.assertEqual(normalized["metadata"]["error_count"], 1)
-        self.assertEqual(len(normalized["found"]), 1)
-        self.assertEqual(normalized["found"][0]["site"], "github")
-        self.assertIn("twitter", normalized["missing"])
-        self.assertEqual(normalized["errors"][0]["site"], "instagram")
-
-    def test_normalized_schema_has_required_fields(self):
-        """Output schema contains all required top-level keys."""
-        raw = {"site1": {"status": "not found"}}
-        normalized = normalize_sherlock_output(raw, "testuser")
-        required = ["schema_version", "query", "timestamp", "found", "missing",
-                    "errors", "metadata"]
-        for key in required:
-            self.assertIn(key, normalized)
-        self.assertIsInstance(normalized["timestamp"], str)
-        self.assertIsInstance(normalized["found"], list)
-        self.assertIsInstance(normalized["missing"], list)
-        self.assertIsInstance(normalized["errors"], list)
-        self.assertIsInstance(normalized["metadata"], dict)
-
-    def test_cache_roundtrip(self):
-        """Result can be written and read back from cache."""
-        with tempfile.TemporaryDirectory() as tmp:
-            with patch("sherlock_wrapper.CACHE_DB", Path(tmp) / "cache.db"):
-                test_result = {
-                    "schema_version": "1.0",
-                    "query": "alice",
-                    "timestamp": "2025-04-26T00:00:00+00:00",
-                    "found": [],
-                    "missing": ["github"],
-                    "errors": [],
-                    "metadata": {"total_sites_checked": 1, "found_count": 0, "missing_count": 1, "error_count": 0},
-                }
-                query_hash = compute_query_hash("alice")
-                save_to_cache(query_hash, test_result)
-                retrieved = get_cached_result(query_hash)
-                self.assertEqual(retrieved, test_result)
-
-    def test_cache_miss_on_stale(self):
-        """Cache returns None when entry is older than 7 days."""
-        with tempfile.TemporaryDirectory() as tmp:
-            db_path = Path(tmp) / "cache.db"
-            with patch("sherlock_wrapper.CACHE_DB", db_path):
-                old_ts = "2025-04-01T00:00:00+00:00"
-                old_result = {
-                    "schema_version": "1.0", "query": "alice",
-                    "timestamp": old_ts, "found": [], "missing": [], "errors": [],
-                    "metadata": {"total_sites_checked": 0, "found_count": 0, "missing_count": 0, "error_count": 0},
-                }
-                query_hash = compute_query_hash("alice")
-                # Direct DB insert with controlled timestamp (bypass save_to_cache's NOW)
-                conn = get_cache_connection()
-                conn.execute(
-                    "INSERT INTO cache (query_hash, result_json, timestamp) VALUES (?, ?, ?)",
-                    (query_hash, json.dumps(old_result), old_ts)
-                )
-                conn.commit()
-                retrieved = get_cached_result(query_hash)
-                self.assertIsNone(retrieved)
-
-    def test_sherlock_available_check(self):
-        """check_sherlock_available returns bool."""
-        available = check_sherlock_available()
-        self.assertIsInstance(available, bool)
-        # Note: on this test system sherlock may not be installed, so False is expected.
-        # The important thing is the function returns a bool.
-        print(f"[INFO] Sherlock installed: {available}")
-
-
-class TestSherlockWrapperIntegration(unittest.TestCase):
-    """Integration tests with mocked sherlock module."""
-
-    def test_run_sherlock_with_opt_in(self):
-        """run_sherlock succeeds with opt-in and returns normalized result."""
-        fake_sherlock = MagicMock()
-        fake_sherlock.sherlock = MagicMock(return_value={
-            "github": {"status": "found", "url": "https://github.com/alice"},
-            "twitter": {"status": "not found"},
-        })
-        with patch.dict("sys.modules", {"sherlock": fake_sherlock}):
-            import importlib
-            import sherlock_wrapper
-            importlib.reload(sherlock_wrapper)
-            with patch.dict(os.environ, {"SHERLOCK_ENABLED": "1"}):
-                from sherlock_wrapper import run_sherlock
-                result = run_sherlock("alice", opt_in=True)
-        self.assertEqual(result["query"], "alice")
-        self.assertEqual(result["metadata"]["found_count"], 1)
-
-    def test_run_sherlock_fails_without_opt_in(self):
-        """run_sherlock raises RuntimeError without opt-in."""
-        from sherlock_wrapper import run_sherlock
-        with self.assertRaises(RuntimeError) as ctx:
-            run_sherlock("alice", opt_in=False)
-        self.assertIn("opt-in only", str(ctx.exception).lower())
-
-    def test_run_sherlock_uses_cache(self):
-        """Cached result short-circuits sherlock execution."""
-        cached = {
-            "schema_version": "1.0", "query": "alice", "timestamp": "2025-04-26T00:00:00+00:00",
-            "found": [{"site": "github", "url": "https://github.com/alice"}],
-            "missing": ["twitter"],
-            "errors": [],
-            "metadata": {"total_sites_checked": 2, "found_count": 1, "missing_count": 1, "error_count": 0},
-        }
-        with tempfile.TemporaryDirectory() as tmp:
-            with patch("sherlock_wrapper.CACHE_DB", Path(tmp) / "cache.db"):
-                query_hash = compute_query_hash("alice")
-                save_to_cache(query_hash, cached)
-                from sherlock_wrapper import run_sherlock
-                result = run_sherlock("alice", opt_in=True)
-                self.assertEqual(result, cached)

tools/sherlock_wrapper.py

@@ -1,249 +0,0 @@
-#!/usr/bin/env python3
-"""
-Sherlock username recon wrapper — opt-in, cached, normalized JSON output.
-
-This is an implementation spike (issue #874) to validate local integration
-of the Sherlock OSINT tool without violating sovereignty/provenance standards.
-"""
-
-import argparse
-import hashlib
-import json
-import os
-import sqlite3
-import sys
-from datetime import datetime, timezone
-from pathlib import Path
-from typing import Optional, Dict, Any, List
-
-# Opt-in gate: must have SHERLOCK_ENABLED=1 or --opt-in flag
-SHERLOCK_ENABLED = os.environ.get("SHERLOCK_ENABLED", "0") == "1"
-
-# Cache location
-CACHE_DIR = Path.home() / ".cache" / "timmy"
-CACHE_DB = CACHE_DIR / "sherlock_cache.db"
-
-# Normalized output schema version
-SCHEMA_VERSION = "1.0"
-
-
-def require_opt_in(opt_in: bool = False) -> None:
-    """Enforce opt-in gate for Sherlock external dependency."""
-    if not (SHERLOCK_ENABLED or opt_in):
-        raise RuntimeError(
-            "Sherlock is opt-in only. Set SHERLOCK_ENABLED=1 or pass --opt-in."
-        )
-
-
-
-def check_sherlock_available() -> bool:
-    """Check if sherlock Python package is installed."""
-    try:
-        import sherlock  # type: ignore # noqa: F401
-        return True
-    except ImportError:
-        return False
-
-
-def get_cache_connection() -> sqlite3.Connection:
-    """Initialize cache directory and return DB connection."""
-    CACHE_DIR.mkdir(parents=True, exist_ok=True)
-    conn = sqlite3.connect(str(CACHE_DB))
-    conn.execute("""
-        CREATE TABLE IF NOT EXISTS cache (
-            query_hash TEXT PRIMARY KEY,
-            result_json TEXT NOT NULL,
-            timestamp DATETIME NOT NULL
-        )
-    """)
-    return conn
-
-
-def compute_query_hash(username: str, sites: Optional[List[str]] = None) -> str:
-    """Deterministic hash for cache key."""
-    components = [username.lower().strip()]
-    if sites:
-        components.extend(sorted(sites))
-    raw = "|".join(components)
-    return hashlib.sha256(raw.encode()).hexdigest()
-
-
-def get_cached_result(query_hash: str) -> Optional[Dict[str, Any]]:
-    """Retrieve cached result if available and not stale (TTL: 7 days)."""
-    conn = get_cache_connection()
-    cur = conn.execute(
-        "SELECT result_json, timestamp FROM cache WHERE query_hash = ?",
-        (query_hash,)
-    )
-    row = cur.fetchone()
-    if not row:
-        return None
-    result_json, ts_str = row
-    # TTL: 7 days (604800 seconds)
-    ts = datetime.fromisoformat(ts_str)
-    age_seconds = (datetime.now(timezone.utc) - ts).total_seconds()
-    if age_seconds >= 604800:
-        return None
-    return json.loads(result_json)
-
-
-
-
-def save_to_cache(query_hash: str, result: Dict[str, Any]) -> None:
-    """Persist result to cache."""
-    conn = get_cache_connection()
-    conn.execute(
-        "INSERT OR REPLACE INTO cache (query_hash, result_json, timestamp) VALUES (?, ?, ?)",
-        (query_hash, json.dumps(result), datetime.now(timezone.utc).isoformat())
-    )
-    conn.commit()
-    conn.close()
-
-
-def normalize_sherlock_output(
-    raw_result: Dict[str, Any],
-    username: str,
-    sites_checked: Optional[List[str]] = None
-) -> Dict[str, Any]:
-    """
-    Convert raw sherlock output into a stable, normalized schema.
-
-    Expected sherlock result shape (via Python API):
-    {
-        "site_name": {"url": "...", "status": "found"|"not found"|"error", ...},
-        ...
-    }
-    """
-    found: List[Dict[str, str]] = []
-    missing: List[str] = []
-    errors: List[Dict[str, str]] = []
-
-    for site_name, site_data in raw_result.items():
-        status = site_data.get("status", "")
-        url = site_data.get("url", "")
-        if status == "found" and url:
-            found.append({"site": site_name, "url": url})
-        elif status == "not found":
-            missing.append(site_name)
-        else:
-            errors.append({"site": site_name, "error": status or "unknown"})
-
-    # Compute totals from the original site list if provided
-    total_sites = len(raw_result) if sites_checked is None else len(sites_checked)
-
-    return {
-        "schema_version": SCHEMA_VERSION,
-        "query": username,
-        "timestamp": datetime.now(timezone.utc).isoformat(),
-        "found": found,
-        "missing": missing,
-        "errors": errors,
-        "metadata": {
-            "total_sites_checked": total_sites,
-            "found_count": len(found),
-            "missing_count": len(missing),
-            "error_count": len(errors),
-        },
-    }
-
-
-def run_sherlock(
-    username: str,
-    sites: Optional[List[str]] = None,
-    timeout: Optional[int] = None,
-    opt_in: bool = False
-) -> Dict[str, Any]:
-    """
-    Execute Sherlock wrapper with opt-in gate, caching, and normalization.
-    """
-    require_opt_in(opt_in)
-
-    # Compute cache key
-    query_hash = compute_query_hash(username, sites)
-
-    # Check cache first — avoids dependency requirement on cache hit
-    cached = get_cached_result(query_hash)
-    if cached is not None:
-        return cached
-
-    # Only require sherlock on cache miss
-    if not check_sherlock_available():
-        raise RuntimeError(
-            "Sherlock Python package not installed. "
-            "Install with: pip install sherlock-project"
-        )
-
-    # Call sherlock
-    try:
-        import sherlock
-        from sherlock import sherlock as sherlock_main  # type: ignore
-
-        if sites:
-            result = sherlock_main(username, site_list=sites, timeout=timeout or 10)
-        else:
-            result = sherlock_main(username, timeout=timeout or 10)
-
-        normalized = normalize_sherlock_output(result, username, sites)
-        save_to_cache(query_hash, normalized)
-        return normalized
-
-    except Exception as e:
-        raise RuntimeError(f"Sherlock execution failed: {e}") from e
-
-
-def main() -> int:
-    parser = argparse.ArgumentParser(
-        description="Sherlock username OSINT wrapper — opt-in, cached, normalized JSON"
-    )
-    parser.add_argument(
-        "--query", "-q", required=True,
-        help="Username to search across sites"
-    )
-    parser.add_argument(
-        "--opt-in", action="store_true",
-        help="Explicit opt-in flag (alternatively set SHERLOCK_ENABLED=1)"
-    )
-    parser.add_argument(
-        "--sites", "-s", nargs="+",
-        help="Specific sites to check (default: all supported)"
-    )
-    parser.add_argument(
-        "--timeout", "-t", type=int, default=10,
-        help="Request timeout per site (default: 10)"
-    )
-    parser.add_argument(
-        "--json", action="store_true",
-        help="Output normalized JSON to stdout"
-    )
-    parser.add_argument(
-        "--no-cache",
-        action="store_true",
-        help="Bypass cached result (if any)"
-    )
-
-    args = parser.parse_args()
-
-    try:
-        result = run_sherlock(
-            username=args.query,
-            sites=args.sites,
-            timeout=args.timeout,
-            opt_in=args.opt_in
-        )
-        if args.json:
-            print(json.dumps(result, indent=2))
-        else:
-            print(f"Query: {result['query']}")
-            print(f"Found: {result['metadata']['found_count']} site(s)")
-            print(f"Missing: {result['metadata']['missing_count']} site(s)")
-            print(f"Errors: {result['metadata']['error_count']} site(s)")
-            for f in result['found']:
-                print(f"  [{f['site']}] {f['url']}")
-        return 0
-    except RuntimeError as e:
-        print(f"ERROR: {e}", file=sys.stderr)
-        return 1
-
-
-if __name__ == "__main__":
-    sys.exit(main())