octo-agent 0.11.2

data/lib/octo/tools/redo_task.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Octo
+  module Tools
+    # Tool for redoing a task after undo (Time Machine feature)
+    class RedoTask < Base
+      self.tool_name = "redo_task"
+      self.tool_description = "Redo to a specific task after undo. Restores files to that task's state. " \
+        "Use when user wants to go forward to a future task or switch to a different branch."
+      self.tool_category = "time_machine"
+      self.tool_parameters = {
+        type: "object",
+        properties: {
+          task_id: {
+            type: "integer",
+            description: "The task ID to redo to (must be greater than current active task)"
+          }
+        },
+        required: ["task_id"]
+      }
+
+      def execute(agent:, task_id:, **_args)
+        result = agent.switch_to_task(task_id)
+        
+        if result[:success]
+          result[:message]
+        else
+          "Error: #{result[:message]}"
+        end
+      end
+
+      def format_call(task_id:, **_args)
+        "Redoing to task #{task_id}..."
+      end
+
+      def format_result(result)
+        result
+      end
+    end
+  end
+end

data/lib/octo/tools/request_user_feedback.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Octo
+  module Tools
+    class RequestUserFeedback < Base
+      self.tool_name = "request_user_feedback"
+      self.tool_description = <<~DESC
+        Request feedback or clarification from the user when you need more information to complete a task.
+        Use this tool when:
+        - You need clarification on ambiguous requirements
+        - You need the user to choose between multiple options
+        - You need additional information that you cannot infer
+        - You want to confirm your understanding before proceeding
+        
+        After calling this tool, STOP and wait for the user's response.
+        Do NOT continue with other actions until you receive user feedback.
+      DESC
+      
+      self.tool_parameters = {
+        type: "object",
+        properties: {
+          question: {
+            type: "string",
+            description: "The question or clarification request to ask the user"
+          },
+          context: {
+            type: "string",
+            description: "Optional context explaining why you need this information (helps user understand)"
+          },
+          options: {
+            type: "array",
+            items: { type: "string" },
+            description: "Optional array of choices/options if asking user to select from predefined options"
+          }
+        },
+        required: ["question"]
+      }
+      
+      self.tool_category = "interaction"
+
+      def execute(question:, context: nil, options: nil, working_dir: nil)
+        # Build the feedback request message
+        message_parts = []
+        
+        if context && !context.strip.empty?
+          message_parts << "**Context:** #{context.strip}"
+          message_parts << ""
+        end
+        
+        message_parts << "**Question:** #{question.strip}"
+        
+        if options && !options.empty?
+          message_parts << ""
+          message_parts << "**Options:**"
+          options.each_with_index do |option, index|
+            message_parts << "  #{index + 1}. #{option}"
+          end
+        end
+        
+        formatted_message = message_parts.join("\n")
+        
+        {
+          success: true,
+          message: formatted_message,
+          awaiting_feedback: true  # Special flag to indicate we're waiting for user
+        }
+      end
+
+      def format_call(args)
+        question = args[:question] || args["question"]
+        preview = question.length > 60 ? "#{question[0..60]}..." : question
+        "request_user_feedback(\"#{preview}\")"
+      end
+
+      def format_result(result)
+        if result.is_a?(Hash) && result[:message]
+          result[:message]
+        else
+          "Waiting for user feedback..."
+        end
+      end
+    end
+  end
+end

data/lib/octo/tools/security.rb

@@ -0,0 +1,333 @@
+# frozen_string_literal: true
+
+require "shellwords"
+require "json"
+require "fileutils"
+require_relative "../utils/trash_directory"
+require_relative "../utils/encoding"
+
+module Octo
+  module Tools
+    # Pre-execution safety layer for shell-style commands.
+    #
+    # Design principle: protect against the handful of commands that are
+    # irreversibly destructive or can compromise the host. Everything else
+    # is the user's (or agent's) business. Over-protection burns tool-call
+    # rounds and forces awkward work-arounds (e.g. the infamous "cp ~/.octo
+    # /xxx ./ ... Blocked: outside project directory" dance).
+    #
+    # Responsibilities (applied to the `command` string BEFORE it is handed
+    # to a shell / PTY for execution):
+    #
+    #   1. Block hard-dangerous commands:       sudo, pkill octo, eval, exec,
+    #                                           `...`, $(...), | sh, | bash,
+    #                                           redirect to /etc /usr /bin.
+    #   2. Rewrite `curl ... | bash` → save     script to a file for manual
+    #                                           review instead of exec.
+    #   3. Protect credential/secret files:     .env, .ssh/, .aws/ — block
+    #                                           writes to these only. Other
+    #                                           "project" files (Gemfile,
+    #                                           README.md, package.json, …)
+    #                                           are NOT protected — editing
+    #                                           them is a normal dev task.
+    #
+    # Note on `rm`:
+    #   `rm` is NOT rewritten here — it's intercepted at runtime by a shell
+    #   function installed in each PTY session (see Terminal::SAFE_RM_BASH
+    #   and Terminal#install_marker). This lets the shell's own parser
+    #   handle heredocs / multi-line / globs / variables correctly. A
+    #   static Ruby-side rewrite cannot — it would mis-parse heredoc
+    #   bodies and destroy legitimate commands.
+    #
+    # Notes:
+    #   - `cp`, `mv`, `mkdir`, `touch`, `echo` are allowed to touch ANY path
+    #     (including outside the project root). The source of a `cp` is
+    #     read-only to the FS, and writing to arbitrary dirs is a legitimate
+    #     need (copying from ~/.octo/skills/..., writing to /tmp, etc.).
+    #
+    # Raises SecurityError on block. Returns a (possibly rewritten) command
+    # string on success.
+    #
+    # This module was extracted from the former `SafeShell` tool. It is now
+    # shared by any tool that executes shell-style commands (currently:
+    # `terminal`).
+    module Security
+      # Raised when a command cannot be made safe.
+      class Blocked < StandardError; end
+
+      # Read-only commands that are considered safe for auto-execution
+      # (permission mode :confirm_safes).
+      SAFE_READONLY_COMMANDS = %w[
+        ls pwd cat less more head tail
+        grep find which whereis whoami
+        ps top htop df du
+        git echo printf wc
+        date file stat
+        env printenv
+        curl wget
+      ].freeze
+
+      class << self
+        # Process `command` and return a (possibly rewritten) safe version.
+        # Raises SecurityError when the command cannot be made safe.
+        #
+        # @param command [String] command to check
+        # @param project_root [String] path treated as the allowed root for writes
+        # @return [String] safe command to execute
+        def make_safe(command, project_root: Dir.pwd)
+          Replacer.new(project_root).make_command_safe(command)
+        end
+
+        # True iff the command is safe to auto-execute in :confirm_safes mode.
+        # (Either a known read-only command, or one that Security.make_safe
+        # returns unchanged.)
+        def command_safe_for_auto_execution?(command)
+          return false unless command
+
+          cmd_name = command.strip.split.first
+          return true if SAFE_READONLY_COMMANDS.include?(cmd_name)
+
+          begin
+            safe = make_safe(command, project_root: Dir.pwd)
+            command.strip == safe.strip
+          rescue SecurityError
+            false
+          end
+        end
+      end
+
+      # Internal class that owns per-project state (trash dir, log dir, ...).
+      # Extracted almost verbatim from the old SafeShell::CommandSafetyReplacer.
+      class Replacer
+        def initialize(project_root)
+          @project_root = File.expand_path(project_root)
+
+          trash_directory = Octo::TrashDirectory.new(@project_root)
+          @backup_dir = trash_directory.backup_dir
+
+          @project_hash = trash_directory.generate_project_hash(@project_root)
+          @safety_log_dir = File.join(Dir.home, ".octo", "safety_logs", @project_hash)
+          FileUtils.mkdir_p(@safety_log_dir) unless Dir.exist?(@safety_log_dir)
+          @safety_log_file = File.join(@safety_log_dir, "safety.log")
+        end
+
+        def make_command_safe(command)
+          command = command.strip
+
+          # Use a UTF-8-scrubbed copy ONLY for regex checks.  The original
+          # bytes are returned unchanged so the shell receives exact paths
+          # (e.g. GBK-encoded Chinese filenames in zip archives).
+          @safe_check_command = Octo::Utils::Encoding.safe_check(command)
+
+          case @safe_check_command
+          # Block attempts to terminate the octo server process.
+          # IMPORTANT: each verb is anchored with \b so substrings like
+          # "Skill" (contains "kill") or "Bill Killalina" don't trigger
+          # false positives. We also require `octo` to appear as a whole
+          # word AND within a reasonable distance (same logical command,
+          # not hundreds of chars later in an unrelated echo string).
+          when /\bpkill\b[^\n;|&]{0,80}\bocto\b|\bkillall\b[^\n;|&]{0,80}\bocto\b|\bkill\s+(?:-\S+\s+)*[^\n;|&]{0,40}\bocto\b/i
+            raise SecurityError, "Killing the octo server process is not allowed. To restart, use: #{restart_hint}"
+          when /\bocto\s+server\b/
+            raise SecurityError, "Managing the octo server from within a session is not allowed. To restart, use: #{restart_hint}"
+          when /^chmod\s+x/
+            replace_chmod_command(command)
+          when /^curl.*\|\s*(sh|bash)/
+            replace_curl_pipe_command(command)
+          when /^sudo\s+/
+            block_sudo_command(command)
+          when />\s*\/dev\/null\s*$/
+            allow_dev_null_redirect(command)
+          when /^(mv|cp|mkdir|touch|echo)\s+/
+            validate_and_allow(command)
+          else
+            validate_general_command(@safe_check_command)
+            command
+          end
+        end
+
+        def replace_chmod_command(command)
+          begin
+            parts = Shellwords.split(command)
+          rescue ArgumentError
+            parts = command.split(/\s+/)
+          end
+
+          files = parts[2..-1] || []
+          files.each { |file| validate_file_path(file) unless file.start_with?('-') }
+
+          log_replacement("chmod", command, "chmod +x is allowed - file permissions will be modified")
+          command
+        end
+
+        def replace_curl_pipe_command(command)
+          if command.match(/curl\s+(.*?)\s*\|\s*(sh|bash)/)
+            url = $1
+            shell_type = $2
+            timestamp = Time.now.strftime("%Y%m%d_%H%M%S")
+            safe_file = File.join(@backup_dir, "downloaded_script_#{timestamp}.sh")
+
+            result = "curl #{url} -o #{Shellwords.escape(safe_file)} && echo '🔒 Script downloaded to #{safe_file} for manual review. Run: cat #{safe_file}'"
+            log_replacement("curl | #{shell_type}", result, "Script saved for manual review instead of automatic execution")
+            result
+          else
+            command
+          end
+        end
+
+        def block_sudo_command(_command)
+          raise SecurityError, "sudo commands are not allowed for security reasons"
+        end
+
+        def allow_dev_null_redirect(command)
+          command
+        end
+
+        # Build a copy-pasteable "how to restart octo server" hint.
+        # When running inside a octo server worker, `OCTO_MASTER_PID` is
+        # injected by ServerMaster (see server_master.rb). We keep the
+        # variable name in the hint (so the AI / user learns the standard
+        # convention) AND append the resolved PID in parentheses so it's
+        # immediately actionable. When the variable isn't set (e.g. one-shot
+        # CLI invocation), we just show the variable name.
+        def restart_hint
+          pid = ENV["OCTO_MASTER_PID"].to_s
+          if pid =~ /\A\d+\z/
+            "kill -USR1 $OCTO_MASTER_PID  (current master PID: #{pid})"
+          else
+            "kill -USR1 $OCTO_MASTER_PID"
+          end
+        end
+
+        # Relaxed validator for mv / cp / mkdir / touch / echo.
+        #
+        # Historical behavior was to forbid any path outside @project_root,
+        # which broke legitimate workflows like copying skill templates from
+        # ~/.octo/skills/... into the project. We now only block writes to
+        # true credential directories (.ssh, .aws) and .env files. Everything
+        # else is allowed.
+        def validate_and_allow(command)
+          begin
+            parts = Shellwords.split(command)
+          rescue ArgumentError
+            parts = command.split(/\s+/)
+          end
+
+          cmd  = parts.first
+          args = parts[1..-1] || []
+
+          case cmd
+          when 'mv', 'cp'
+            # For mv/cp only the DESTINATION (last non-flag arg) is a write
+            # target; earlier args are sources and are read-only to the FS.
+            write_targets = args.reject { |a| a.start_with?('-') }
+            dest = write_targets.last
+            validate_secret_write(dest) if dest
+          when 'mkdir', 'touch'
+            args.each { |path| validate_secret_write(path) unless path.start_with?('-') }
+          when 'echo'
+            # `echo foo > path` — best-effort: block only if redirecting to a
+            # secret path. The redirect target will also be caught by
+            # validate_general_command for /etc /usr /bin; here we add .env,
+            # .ssh/, .aws/.
+            if command =~ />\s*([^\s|&;]+)/
+              validate_secret_write(Regexp.last_match(1))
+            end
+          end
+
+          command
+        end
+
+        def validate_general_command(command)
+          cmd_without_quotes = command.gsub(/'[^']*'|"[^"]*"/, '')
+
+          dangerous_patterns = [
+            /eval\s*\(/,
+            /exec\s*\(/,
+            /system\s*\(/,
+            /`[^`]+`/,
+            /\$\([^)]+\)/,
+            /\|\s*sh\s*$/,
+            /\|\s*bash\s*$/,
+            />\s*\/etc\//,
+            />\s*\/usr\//,
+            />\s*\/bin\//
+          ]
+
+          dangerous_patterns.each do |pattern|
+            if cmd_without_quotes.match?(pattern)
+              raise SecurityError, "Dangerous command pattern detected: #{pattern.source}"
+            end
+          end
+
+          command
+        end
+
+        # Block writes that would clobber credentials / secrets.
+        # These are the only paths truly dangerous to write to by accident:
+        #   - ~/.ssh/*          (SSH private keys)
+        #   - ~/.aws/*          (AWS credentials)
+        #   - any *.env file    (API keys, DB URLs, etc.)
+        #
+        # Paths in / outside the project root, Gemfile, README, package.json,
+        # etc. are all allowed — the agent is expected to edit them normally.
+        SECRET_WRITE_PATTERNS = [
+          %r{(?:\A|/)\.ssh/},
+          %r{(?:\A|/)\.aws/},
+          /(?:\A|\/)\.env(?:\.|\z)/,
+          /\.env\z/
+        ].freeze
+
+        def validate_secret_write(path)
+          return if path.nil? || path.empty? || path.start_with?('-')
+
+          expanded_path = File.expand_path(path)
+
+          SECRET_WRITE_PATTERNS.each do |pattern|
+            if expanded_path.match?(pattern)
+              raise SecurityError,
+                    "Write to credential/secret path blocked: #{path} " \
+                    "(matched protected pattern). If intentional, edit the " \
+                    "file manually outside the agent."
+            end
+          end
+        end
+
+        # Alias retained for readability — chmod handler validates that
+        # the target is not a credential/secret file.
+        def validate_file_path(path)
+          validate_secret_write(path)
+        end
+
+        def log_replacement(original, replacement, reason)
+          write_log(
+            action: 'command_replacement',
+            original_command: original,
+            safe_replacement: replacement,
+            reason: reason
+          )
+        end
+
+        def log_warning(message)
+          write_log(action: 'warning', message: message)
+        end
+
+        def write_log(**fields)
+          log_entry = { timestamp: Time.now.iso8601 }.merge(fields)
+          File.open(@safety_log_file, 'a') { |f| f.puts JSON.generate(log_entry) }
+        rescue StandardError
+          # Logging must never break main functionality.
+        end
+
+        private :replace_chmod_command,
+                :replace_curl_pipe_command, :block_sudo_command,
+                :allow_dev_null_redirect, :validate_and_allow,
+                :validate_general_command,
+                :validate_file_path, :validate_secret_write,
+                :restart_hint,
+                :log_replacement,
+                :log_warning, :write_log
+      end
+    end
+  end
+end

data/lib/octo/tools/terminal/output_cleaner.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Octo
+  module Tools
+    class Terminal < Base
+      # Output cleaning for raw PTY bytes.
+      #
+      # A PTY emits whatever the child writes plus terminal control codes.
+      # Since the Terminal tool is targeted at LINE-BASED interactive shells
+      # (not full-screen TUIs like vim/top), we aggressively strip visual
+      # control sequences rather than maintain a screen model.
+      #
+      # Cleaning steps (in order):
+      #   1. Strip CSI sequences       (ESC[...letter)   — colors, cursor, SGR
+      #   2. Strip OSC sequences       (ESC]...BEL/ST)   — window title, etc.
+      #   3. Strip simple 2-byte esc   (ESC= / ESC>)     — keypad modes
+      #   4. Collapse \r-overwrites    (spinner/progress)
+      #   5. Drop backspace erase      (char + \x08)
+      #   6. Normalize CRLF → LF
+      #
+      # This is lossy for full-screen apps (you'll see a pile of text without
+      # cursor positioning), but for line-based commands it yields clean,
+      # diff-friendly output.
+      module OutputCleaner
+        CSI_REGEX        = /\e\[[\d;?]*[a-zA-Z@]/.freeze
+        OSC_REGEX        = /\e\].*?(\a|\e\\)/m.freeze
+        SIMPLE_ESC_REGEX = /\e[=>\(\)].?/.freeze
+        BACKSPACE_REGEX  = /[^\x08]\x08/.freeze
+
+        module_function
+
+        # Clean raw PTY bytes for LLM consumption.
+        # @param raw [String] raw PTY bytes
+        # @return [String] cleaned, UTF-8-safe text
+        def clean(raw)
+          return "" if raw.nil? || raw.empty?
+
+          s = raw.dup
+          s.force_encoding(Encoding::UTF_8)
+          s = s.scrub("?") unless s.valid_encoding?
+
+          s = s.gsub(CSI_REGEX, "")
+          s = s.gsub(OSC_REGEX, "")
+          s = s.gsub(SIMPLE_ESC_REGEX, "")
+
+          # Handle \r overwrites within each line. "50%\r100%" → "100%".
+          # Split on \n KEEPING the terminators (-1 preserves trailing empty),
+          # then for each segment keep only the portion after the last \r
+          # (which is what would actually be visible).
+          s = s.split("\n", -1).map { |line| line.split("\r").last || "" }.join("\n")
+
+          # Erase "X\b" pairs repeatedly (readline rubout).
+          s = s.gsub(BACKSPACE_REGEX, "") while s =~ BACKSPACE_REGEX
+
+          # Normalize any leftover isolated \r.
+          s = s.gsub(/\r/, "")
+
+          s
+        end
+      end
+    end
+  end
+end