// VS CODE / DEVTOOLS QUICK ACTION
DIRENV INSTALL POPUP
A compact control panel that talks to a localhost helper and runs only the whitelisted direnv installer.
LOCAL HELPER OFFLINE
SAFE WHITELIST
PRIMARY ACTION
Install direnv from the popup
Start the localhost helper in VS Code terminal, then press the button. If sudo asks for a password, run the copied script in terminal.
Allowed tools: direnv only. No freeform command input.
COMMAND OUTPUT
http://127.0.0.1:8787/run[boot] DevTool popup loaded [guard] whitelist active: direnv only [hint] start local helper, then press INSTALL DIRENV [3:55:34 PM] [status] local helper offline. Start node devtool-server.js first.
INSTALL SCRIPT
#!/bin/bash
set -e
echo "[*] Installing direnv..."
if command -v direnv >/dev/null 2>&1; then
echo "[OK] direnv already installed"
direnv --version
exit 0
fi
sudo apt update
sudo apt install -y software-properties-common
sudo add-apt-repository -y ppa:direnv/direnv
sudo apt update
sudo apt install -y direnv
echo "[OK] done"LOCAL HELPER SERVER
const http = require("http");
const { exec } = require("child_process");
const allowed = {
direnv: [
"#!/bin/bash",
"set -e",
"echo \"[*] Installing direnv...\"",
"if command -v direnv >/dev/null 2>&1; then",
" echo \"[OK] direnv already installed\"",
" direnv --version",
" exit 0",
"fi",
"sudo apt update",
"sudo apt install -y software-properties-common",
"sudo add-apt-repository -y ppa:direnv/direnv",
"sudo apt update",
"sudo apt install -y direnv",
"echo \"[OK] done\""
].join("\n")
};
const send = (res, status, body) => {
res.writeHead(status, {
"Content-Type": "application/json",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Headers": "Content-Type",
"Access-Control-Allow-Methods": "GET,POST,OPTIONS"
});
res.end(JSON.stringify(body));
};
const server = http.createServer((req, res) => {
if (req.method === "OPTIONS") return send(res, 200, { ok: true });
if (req.method === "GET" && req.url === "/status") {
return send(res, 200, { status: "online", allowed_tools: Object.keys(allowed) });
}
if (req.method !== "POST" || req.url !== "/run") {
return send(res, 404, { error: "Route not found" });
}
let raw = "";
req.on("data", chunk => { raw += chunk; });
req.on("end", () => {
try {
const { tool } = JSON.parse(raw || "{}");
if (!allowed[tool]) return send(res, 403, { error: "Command not allowed" });
exec(allowed[tool], { timeout: 600000, maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
send(res, 200, {
tool,
success: !err,
output: (stdout || "") + (stderr || "") || "done",
exit_code: err && typeof err.code === "number" ? err.code : 0
});
});
} catch (error) {
send(res, 400, { error: "Bad JSON" });
}
});
});
server.listen(8787, "127.0.0.1", () => {
console.log("DevTool running on http://127.0.0.1:8787");
});VS CODE QUICK START
cd /app/local-devtool
node devtool-server.js
# manual fallback if sudo password is needed:
chmod +x install-direnv.sh
./install-direnv.shDEVTOOLS / EXTENSION PACK
FreezeGuardian + Smart Search run on normal sites
The browser extension package now injects a lightweight SubZer0 runtime into active http/https tabs, then runs Freeze or Smart Replace from the popup.
[OK] Freeze Guardian script added[OK] Smart Search/Replace script added[OK] Browser extension can inject runtime on normal sites[OK] VS Code helper panel pack created[INFO] Uploaded icon checked, not embedded in current build
FREEZE GUARDIAN AGENT
(() => {
const main = window.__SUBZER0_MAIN__;
if (!main) throw new Error('SubZer0 main must load before freeze-guardian-agent');
main.registerAgent({
id: 'freeze-guardian',
name: 'Freeze Guardian Agent',
description: 'Turns on freeze with DOM lock so live page updates are restored back to the frozen snapshot.',
run(payload, api) {
if (payload.unfreeze) return api.unfreeze();
return api.freeze({ lock: payload.lock !== false });
}
});
})();SMART SEARCH / REPLACE AGENT
(() => {
const main = window.__SUBZER0_MAIN__;
if (!main) throw new Error('SubZer0 main must load before smart-replace-agent');
main.registerAgent({
id: 'smart-replace',
name: 'Smart Replace Agent',
description: 'Runs wide search/replace across visible text, hidden text, attributes, forms, comments, and optional code.',
async run(payload, api) {
return api.searchReplace({
scope: payload.scope || 'everything',
s: payload.s ?? payload.find ?? '',
r: payload.r ?? payload.replace ?? '',
visibleOnly: Boolean(payload.visibleOnly),
smart: payload.smart !== false,
caseSensitive: Boolean(payload.caseSensitive),
includeAttributes: payload.includeAttributes !== false,
includeForms: payload.includeForms !== false,
includeComments: payload.includeComments !== false,
includeCode: Boolean(payload.includeCode),
backendSmart: Boolean(payload.backendSmart),
backendUrl: payload.backendUrl
});
}
});
})();PACKAGE LOCATIONS
BEST ACCESS PATH
1) Browser extension for normal websites:
- Use /app/browser-extension
- Open any normal http/https site
- Press SETUP RUNTIME
- Then use FREEZE PAGE or SMART REPLACE
2) Current web popup + local helper:
- Use this page for direnv/local machine install flow
- Start node /app/local-devtool/devtool-server.js first
3) VS Code helper panel:
- Use /app/vscode-helper for copyable agent scripts
NOTES
- Does not run on chrome://, browser store pages, or restricted browser pages
- Uploaded icon checked but not embedded, keeping package lighter
PACKAGE LOCATIONS
Browser extension pack: /app/browser-extension
VS Code helper panel: /app/vscode-helper
Included scripts:
- subzer0-runtime.js
- freeze-guardian.js
- smart-search-replace.js
SECURITY GUARDRAILS
[01] Whitelist blocks anything except tool: direnv.[02] Browser button targets localhost 127.0.0.1:8787.[03] Sudo password prompts stay in your terminal, not the browser.[04] Only fixed whitelist commands are accepted. Arbitrary shell input is blocked.