@aria-cli/tools 1.0.12 → 1.0.14

package/dist/outlook/desktop-session.js

@@ -1,279 +0,0 @@
-import os from "node:os";
-import path from "node:path";
-import { promises as fs } from "node:fs";
-const OUTLOOK_SESSION_DIR = path.join(os.homedir(), ".aria", "outlook-session");
-const OUTLOOK_TOKEN_CACHE = path.join(os.homedir(), ".aria", "cache", "outlook-token.json");
-const OUTLOOK_WEB_URL = "https://outlook.office.com/mail/";
-// Outlook web uses outlook.office.com-scoped tokens, not graph.microsoft.com.
-// The Outlook REST v2 API at outlook.office.com/api/v2.0 accepts these tokens.
-const OUTLOOK_REST_API_BASE = "https://outlook.office.com/api/v2.0";
-const DEFAULT_BOOTSTRAP_TIMEOUT_MS = 60_000;
-async function loadCachedToken() {
-    try {
-        const raw = await fs.readFile(OUTLOOK_TOKEN_CACHE, "utf-8");
-        const cached = JSON.parse(raw);
-        // Token valid if >5 min remaining
-        if (cached.bearerToken && cached.expiresAt > Date.now() + 5 * 60_000) {
-            return cached;
-        }
-    }
-    catch {
-        // no cache or invalid
-    }
-    return null;
-}
-async function saveCachedToken(token, email) {
-    // Decode JWT to get expiry
-    let exp = Date.now() + 60 * 60_000; // default 1h
-    try {
-        const part = token.split(".")[1];
-        if (!part)
-            throw new Error("no payload");
-        const payload = JSON.parse(Buffer.from(part, "base64").toString());
-        if (payload.exp)
-            exp = payload.exp * 1000;
-    }
-    catch {
-        /* best-effort */
-    }
-    const cached = { bearerToken: token, accountEmail: email, expiresAt: exp };
-    await fs.mkdir(path.dirname(OUTLOOK_TOKEN_CACHE), { recursive: true });
-    await fs.writeFile(OUTLOOK_TOKEN_CACHE, JSON.stringify(cached, null, 2));
-}
-// Outlook REST v2 returns PascalCase keys (Subject, From, EmailAddress)
-// while Graph API uses camelCase (subject, from, emailAddress).
-// Helper to read a field with either casing.
-function field(obj, camelKey) {
-    if (camelKey in obj)
-        return obj[camelKey];
-    const pascalKey = camelKey.charAt(0).toUpperCase() + camelKey.slice(1);
-    return obj[pascalKey];
-}
-function fieldStr(obj, camelKey) {
-    const v = field(obj, camelKey);
-    return typeof v === "string" ? v : "";
-}
-function parseRecipient(recipient) {
-    const emailAddress = field(recipient, "emailAddress") ?? null;
-    if (!emailAddress || typeof emailAddress !== "object")
-        return null;
-    return {
-        name: fieldStr(emailAddress, "name"),
-        email: fieldStr(emailAddress, "address"),
-    };
-}
-function parseRecipients(raw) {
-    if (!Array.isArray(raw))
-        return [];
-    return raw
-        .filter((r) => !!r && typeof r === "object")
-        .map(parseRecipient)
-        .filter((r) => r !== null);
-}
-function toMessageView(msg) {
-    const fromRaw = field(msg, "from");
-    const from = fromRaw && typeof fromRaw === "object"
-        ? parseRecipient(fromRaw)
-        : null;
-    return {
-        id: fieldStr(msg, "id") || fieldStr(msg, "Id"),
-        subject: fieldStr(msg, "subject"),
-        from: from ?? { name: "", email: "" },
-        toRecipients: parseRecipients(field(msg, "toRecipients")),
-        receivedDateTime: fieldStr(msg, "receivedDateTime"),
-        isRead: field(msg, "isRead") === true,
-        hasAttachments: field(msg, "hasAttachments") === true,
-        bodyPreview: fieldStr(msg, "bodyPreview"),
-        conversationId: fieldStr(msg, "conversationId"),
-    };
-}
-function toMessageDetail(msg) {
-    const view = toMessageView(msg);
-    const bodyRaw = field(msg, "body");
-    const body = bodyRaw && typeof bodyRaw === "object" ? bodyRaw : {};
-    return {
-        ...view,
-        body: {
-            contentType: fieldStr(body, "contentType") || "text",
-            content: fieldStr(body, "content"),
-        },
-        ccRecipients: parseRecipients(field(msg, "ccRecipients")),
-        importance: fieldStr(msg, "importance") || "normal",
-    };
-}
-async function waitForMailBearerToken(page, timeoutMs) {
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => {
-            page.off("request", handleRequest);
-            reject(new Error("Timed out waiting for a Mail-scoped bearer token. " +
-                "Ensure you are logged in to outlook.office.com."));
-        }, timeoutMs);
-        const seen = new Set();
-        const handleRequest = (request) => {
-            const authHeader = request.headers()["authorization"];
-            if (!authHeader || !authHeader.startsWith("Bearer "))
-                return;
-            const bearerToken = authHeader.slice(7);
-            const dedup = bearerToken.substring(0, 30);
-            if (seen.has(dedup))
-                return;
-            seen.add(dedup);
-            // Decode JWT payload to extract email and scopes
-            let accountEmail = "";
-            let scp = "";
-            try {
-                const payloadB64 = bearerToken.split(".")[1];
-                if (payloadB64) {
-                    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
-                    scp = typeof payload.scp === "string" ? payload.scp : "";
-                    accountEmail =
-                        typeof payload.upn === "string"
-                            ? payload.upn
-                            : typeof payload.preferred_username === "string"
-                                ? payload.preferred_username
-                                : typeof payload.unique_name === "string"
-                                    ? payload.unique_name
-                                    : "";
-                }
-            }
-            catch {
-                // JWT decode is best-effort
-            }
-            // Only accept tokens with Mail.Read scope (from outlook.cloud.microsoft)
-            if (!scp.includes("Mail.Read"))
-                return;
-            clearTimeout(timer);
-            page.off("request", handleRequest);
-            resolve({ bearerToken, accountEmail });
-        };
-        page.on("request", handleRequest);
-    });
-}
-// Stateless client using a cached bearer token (no Playwright needed)
-function createStatelessClient(bearerToken, accountEmail) {
-    const invokeApi = async (method, endpoint, body) => {
-        const url = `${OUTLOOK_REST_API_BASE}${endpoint}`;
-        const headers = {
-            Authorization: `Bearer ${bearerToken}`,
-            "Content-Type": "application/json",
-        };
-        const resp = await fetch(url, {
-            method,
-            headers,
-            body: body ? JSON.stringify(body) : undefined,
-        });
-        if (resp.status === 204)
-            return { status: 204 };
-        const text = await resp.text();
-        let json;
-        try {
-            json = JSON.parse(text);
-        }
-        catch {
-            throw new Error(`Outlook API ${method} ${endpoint} returned non-JSON (HTTP ${resp.status}).`);
-        }
-        if (resp.status >= 400) {
-            const error = json.error && typeof json.error === "object" ? json.error : {};
-            const code = typeof error.code === "string" ? error.code : `http_${resp.status}`;
-            const message = typeof error.message === "string" ? error.message : "Unknown error";
-            throw new Error(`Outlook API ${method} ${endpoint} failed: ${code} — ${message}`);
-        }
-        return json;
-    };
-    return buildClientMethods(invokeApi, accountEmail, async () => {
-        /* no-op close */
-    });
-}
-export async function createOutlookDesktopClient(opts) {
-    const timeoutMs = opts?.bootstrapTimeoutMs ?? DEFAULT_BOOTSTRAP_TIMEOUT_MS;
-    // Strategy 1: Use cached token if still valid (no Playwright needed)
-    const cached = await loadCachedToken();
-    if (cached) {
-        return createStatelessClient(cached.bearerToken, cached.accountEmail);
-    }
-    // Strategy 2: Launch Playwright headful to get a fresh token via SSO
-    // Must be headful — Microsoft SSO blocks headless Chromium
-    await fs.mkdir(OUTLOOK_SESSION_DIR, { recursive: true });
-    const playwright = await import("playwright");
-    const context = await playwright.chromium.launchPersistentContext(OUTLOOK_SESSION_DIR, {
-        headless: false,
-        args: ["--start-maximized"],
-        viewport: null,
-    });
-    const page = context.pages()[0] ?? (await context.newPage());
-    const bootstrapPromise = waitForMailBearerToken(page, timeoutMs);
-    await page.goto(OUTLOOK_WEB_URL, {
-        waitUntil: "domcontentloaded",
-        timeout: timeoutMs,
-    });
-    const { bearerToken, accountEmail } = await bootstrapPromise;
-    // Cache the token for subsequent calls (avoids launching Playwright)
-    await saveCachedToken(bearerToken, accountEmail);
-    // Close browser immediately — we have the token, use stateless client
-    await page.close().catch(() => undefined);
-    await context.close().catch(() => undefined);
-    return createStatelessClient(bearerToken, accountEmail);
-}
-function buildClientMethods(invokeApi, accountEmail, closeFn) {
-    return {
-        getAccountEmail: () => accountEmail,
-        listMessages: async ({ folder = "inbox", limit = 20, filter, search }) => {
-            const params = new URLSearchParams();
-            params.set("$top", String(Math.max(1, Math.min(limit, 50))));
-            params.set("$select", "Id,Subject,From,ToRecipients,ReceivedDateTime,IsRead,HasAttachments,BodyPreview,ConversationId");
-            params.set("$orderby", "ReceivedDateTime desc");
-            if (filter)
-                params.set("$filter", filter);
-            if (search)
-                params.set("$search", `"${search}"`);
-            const endpoint = `/me/mailFolders/${encodeURIComponent(folder)}/messages?${params.toString()}`;
-            const json = await invokeApi("GET", endpoint);
-            const rawMessages = Array.isArray(json.value) ? json.value : [];
-            const messages = rawMessages
-                .filter((m) => !!m && typeof m === "object")
-                .map(toMessageView);
-            return {
-                accountEmail,
-                folder,
-                messages,
-                totalCount: typeof json["@odata.count"] === "number" ? json["@odata.count"] : messages.length,
-            };
-        },
-        getMessage: async ({ messageId }) => {
-            const json = await invokeApi("GET", `/me/messages/${encodeURIComponent(messageId)}`);
-            return toMessageDetail(json);
-        },
-        sendMessage: async ({ to, cc, subject, body, bodyType = "text" }) => {
-            const toRecipients = to.map((email) => ({
-                EmailAddress: { Address: email },
-            }));
-            const ccRecipients = (cc ?? []).map((email) => ({
-                EmailAddress: { Address: email },
-            }));
-            await invokeApi("POST", "/me/sendMail", {
-                Message: {
-                    Subject: subject,
-                    Body: { ContentType: bodyType === "html" ? "HTML" : "Text", Content: body },
-                    ToRecipients: toRecipients,
-                    ...(ccRecipients.length > 0 ? { CcRecipients: ccRecipients } : {}),
-                },
-            });
-            return { accountEmail, status: "sent" };
-        },
-        replyMessage: async ({ messageId, body, bodyType = "text", replyAll = false }) => {
-            const replyMethod = replyAll ? "ReplyAll" : "Reply";
-            await invokeApi("POST", `/me/messages/${encodeURIComponent(messageId)}/${replyMethod}`, {
-                Comment: body,
-                ...(bodyType === "html"
-                    ? {
-                        Message: {
-                            Body: { ContentType: "HTML", Content: body },
-                        },
-                    }
-                    : {}),
-            });
-            return { accountEmail, status: "sent" };
-        },
-        close: closeFn,
-    };
-}

package/dist/policy.js

@@ -1,149 +0,0 @@
-/**
- * Tool Policy Engine
- *
- * Evaluates whether a tool is allowed based on allow/deny lists with group expansion.
- * Supports layered policy merging (intersection semantics) for arion + RunOptions policies.
- */
-/** Built-in tool groups */
-export const TOOL_GROUPS = {
-    "group:memory": [
-        "remember",
-        "recall",
-        "forget",
-        "recall_knowledge",
-        "reflect",
-        "search",
-        "learn",
-        "session_history",
-    ],
-    "group:web": ["web_search", "web_fetch", "browse", "browser"],
-    "group:filesystem": ["read_file", "write_file", "edit_file", "glob", "grep", "ls", "apply_patch"],
-    "group:shell": [
-        "bash",
-        "exec",
-        "spawn",
-        "kill",
-        "list_processes",
-        "wait_process",
-        "write_stdin",
-        "process",
-    ],
-    "group:arion": [
-        "hatch_arion",
-        "wake_arion",
-        "rest_arion",
-        "retire_arion",
-        "delegate_arion",
-        "manage_network",
-        "list_clients",
-        "deploy",
-    ],
-    "group:meta": [
-        "ask_user",
-        "quest_update",
-        "quest_list",
-        "search",
-        "learn",
-        "learn_tool",
-        "learn_skill",
-        "create_tool",
-        "create_skill",
-        "use_skill",
-        "restart",
-        "spawn_worker",
-        "check_delegation",
-        "pause_delegation",
-        "resume_delegation",
-        "quest_report",
-        "self_diagnose",
-    ],
-};
-/**
- * Expand group references in a policy list.
- * "group:memory" → ["remember", "recall", "forget", "reflect"]
- * Individual tool names pass through unchanged.
- * Unknown group names are ignored (treated as empty).
- */
-export function expandGroups(names) {
-    const result = new Set();
-    for (const name of names) {
-        const lower = name.toLowerCase();
-        if (lower.startsWith("group:")) {
-            const members = TOOL_GROUPS[lower];
-            if (members) {
-                for (const member of members) {
-                    result.add(member.toLowerCase());
-                }
-            }
-            // Unknown group names are silently ignored
-        }
-        else {
-            result.add(lower);
-        }
-    }
-    return result;
-}
-/**
- * Evaluate whether a tool is allowed by a policy.
- * Rules:
- * 1. If allow is empty/undefined and restrictAllow is false/undefined
- *    → all tools allowed (then check deny)
- * 2. If allow is non-empty OR restrictAllow=true
- *    → only listed tools/groups allowed (empty allow + restrictAllow=true denies all)
- * 3. Deny always wins over allow
- */
-export function isToolAllowed(toolName, policy) {
-    const normalized = toolName.toLowerCase();
-    // Check allow list: when restricted, tool must be in allowed set.
-    const isAllowRestricted = policy.restrictAllow === true || (policy.allow !== undefined && policy.allow.length > 0);
-    if (isAllowRestricted) {
-        const allowed = expandGroups(policy.allow ?? []);
-        if (!allowed.has(normalized)) {
-            return false;
-        }
-    }
-    // Check deny list: deny always wins
-    if (policy.deny && policy.deny.length > 0) {
-        const denied = expandGroups(policy.deny);
-        if (denied.has(normalized)) {
-            return false;
-        }
-    }
-    return true;
-}
-/**
- * Merge two policies (intersection). Used for layered evaluation:
- * arion policy ∩ RunOptions policy = effective policy.
- * A tool must be allowed by BOTH layers.
- */
-export function mergePolicies(a, b) {
-    // Merge deny: union of both deny lists
-    const mergedDeny = [...(a.deny ?? []), ...(b.deny ?? [])];
-    // Merge allow with restriction semantics:
-    // - both restricted: intersection (possibly empty = deny all)
-    // - one restricted: inherit that restriction
-    // - neither restricted: unrestricted
-    const aRestricts = a.restrictAllow === true || (a.allow?.length ?? 0) > 0;
-    const bRestricts = b.restrictAllow === true || (b.allow?.length ?? 0) > 0;
-    let mergedAllow;
-    let mergedRestrictAllow = false;
-    if (aRestricts && bRestricts) {
-        const expandedA = expandGroups(a.allow ?? []);
-        const expandedB = expandGroups(b.allow ?? []);
-        mergedAllow = [...expandedA].filter((name) => expandedB.has(name));
-        mergedRestrictAllow = true;
-    }
-    else if (aRestricts) {
-        mergedAllow = [...(a.allow ?? [])];
-        mergedRestrictAllow = true;
-    }
-    else if (bRestricts) {
-        mergedAllow = [...(b.allow ?? [])];
-        mergedRestrictAllow = true;
-    }
-    return {
-        ...(mergedAllow !== undefined ? { allow: mergedAllow } : {}),
-        ...(mergedRestrictAllow ? { restrictAllow: true } : {}),
-        ...(mergedDeny.length ? { deny: mergedDeny } : {}),
-    };
-}

package/dist/providers/brave.js

@@ -1,62 +0,0 @@
-import { createProviderAbortSignal, resolveSearchProviderEnv } from "./search-provider.js";
-export class BraveSearchProvider {
-    env;
-    name = "brave";
-    requiresApiKey = true;
-    priority = 1;
-    constructor(env = process.env) {
-        this.env = env;
-    }
-    isAvailable() {
-        const apiKey = resolveSearchProviderEnv(this.env).BRAVE_API_KEY;
-        return Boolean(apiKey && apiKey.trim().length > 0);
-    }
-    async search(query, options) {
-        const apiKey = resolveSearchProviderEnv(this.env).BRAVE_API_KEY;
-        if (!apiKey) {
-            throw new Error("BRAVE_API_KEY environment variable is not set");
-        }
-        const limit = options?.limit ?? 5;
-        const url = new URL("https://api.search.brave.com/res/v1/web/search");
-        url.searchParams.set("q", query);
-        url.searchParams.set("count", String(limit));
-        // Handle timeRange option (map to Brave's freshness parameter)
-        if (options?.timeRange) {
-            const freshnessMap = {
-                day: "pd",
-                week: "pw",
-                month: "pm",
-                year: "py",
-            };
-            const freshness = freshnessMap[options.timeRange];
-            if (freshness) {
-                url.searchParams.set("freshness", freshness);
-            }
-        }
-        const { signal, cleanup } = createProviderAbortSignal(30_000, options?.signal);
-        try {
-            const response = await fetch(url.toString(), {
-                method: "GET",
-                headers: {
-                    Accept: "application/json",
-                    "X-Subscription-Token": apiKey,
-                },
-                signal,
-            });
-            if (!response.ok) {
-                throw new Error(`Brave Search API error: ${response.status} ${response.statusText}`);
-            }
-            const json = await response.json();
-            const webResults = json.web?.results || [];
-            return webResults.map((r) => ({
-                title: r.title,
-                url: r.url,
-                content: r.description,
-                score: r.relevance_score,
-            }));
-        }
-        finally {
-            cleanup();
-        }
-    }
-}

package/dist/providers/duckduckgo.js

@@ -1,176 +0,0 @@
-import { createProviderAbortSignal } from "./search-provider.js";
-export class DuckDuckGoSearchProvider {
-    name = "duckduckgo";
-    requiresApiKey = false;
-    priority = 6;
-    isAvailable() {
-        // DuckDuckGo is always available (no API key required)
-        return true;
-    }
-    async search(query, options) {
-        const limit = options?.limit ?? 5;
-        // DuckDuckGo HTML search endpoint (we'll parse the HTML response)
-        // The Instant Answer API doesn't provide web search results, only factoids
-        const url = new URL("https://html.duckduckgo.com/html/");
-        url.searchParams.set("q", query);
-        const { signal, cleanup } = createProviderAbortSignal(30_000, options?.signal);
-        try {
-            const response = await fetch(url.toString(), {
-                method: "GET",
-                signal,
-                headers: {
-                    "User-Agent": "Mozilla/5.0 (compatible; ARIA/1.0)",
-                },
-            });
-            if (!response.ok) {
-                throw new Error(`DuckDuckGo Search error: ${response.status} ${response.statusText}`);
-            }
-            const html = await response.text();
-            // Parse HTML to extract search results
-            // DuckDuckGo HTML results have result__a (title/url) and result__snippet (description)
-            const results = [];
-            // First pass: extract all result__a links (title + url)
-            const linkMap = new Map();
-            const linkRegex = /<a(?=[^>]*\bclass=(["'])[^"']*\bresult__a\b[^"']*\1)(?=[^>]*\bhref=(["'])(.*?)\2)[^>]*>([\s\S]*?)<\/a>/gi;
-            let match;
-            let resultAnchorCount = 0;
-            while ((match = linkRegex.exec(html)) !== null) {
-                const rawHref = match[3];
-                const rawTitle = match[4];
-                if (!rawHref || !rawTitle) {
-                    continue;
-                }
-                resultAnchorCount++;
-                const url = this.resolveDuckDuckGoResultUrl(rawHref);
-                if (!url) {
-                    continue;
-                }
-                const title = this.stripHtmlTags(rawTitle);
-                if (!title) {
-                    continue;
-                }
-                linkMap.set(url, { title, url });
-            }
-            // If DDG returned result anchors but we extracted zero usable URLs, parsing is stale.
-            // Throw to allow router fallback rather than silently returning empty results.
-            if (resultAnchorCount > 0 && linkMap.size === 0) {
-                throw new Error("Could not resolve any result URLs from DuckDuckGo response");
-            }
-            // Second pass: extract snippets
-            const snippetRegex = /<(?:a|div|span)(?=[^>]*\bclass=(["'])[^"']*\bresult__snippet\b[^"']*\1)[^>]*>([\s\S]*?)<\/(?:a|div|span)>/gi;
-            const snippets = [];
-            while ((match = snippetRegex.exec(html)) !== null) {
-                const rawSnippet = match[2];
-                snippets.push(this.stripHtmlTags(rawSnippet ?? ""));
-            }
-            // Combine results (matching by order, which should align)
-            const linkEntries = Array.from(linkMap.values());
-            for (let i = 0; i < Math.min(linkEntries.length, limit); i++) {
-                const link = linkEntries[i];
-                if (!link) {
-                    continue;
-                }
-                const snippet = snippets[i] || link.title;
-                results.push({
-                    title: link.title,
-                    url: link.url,
-                    content: snippet,
-                });
-            }
-            return results;
-        }
-        finally {
-            cleanup();
-        }
-    }
-    /**
-     * Strip HTML tags from a string
-     */
-    stripHtmlTags(html) {
-        return html
-            .replace(/<[^>]*>/g, "")
-            .replace(/&nbsp;/g, " ")
-            .replace(/&amp;/g, "&")
-            .replace(/&lt;/g, "<")
-            .replace(/&gt;/g, ">")
-            .replace(/&quot;/g, '"')
-            .replace(/&#39;/g, "'")
-            .trim();
-    }
-    /**
-     * Decode HTML entities in URLs
-     */
-    decodeHtmlEntities(text) {
-        return text
-            .replace(/&amp;/g, "&")
-            .replace(/&lt;/g, "<")
-            .replace(/&gt;/g, ">")
-            .replace(/&quot;/g, '"')
-            .replace(/&#39;/g, "'");
-    }
-    resolveDuckDuckGoResultUrl(rawHref) {
-        const decodedHref = this.decodeHtmlEntities(rawHref).trim();
-        if (!decodedHref) {
-            return null;
-        }
-        let absoluteHref = decodedHref;
-        if (absoluteHref.startsWith("//")) {
-            absoluteHref = `https:${absoluteHref}`;
-        }
-        else if (absoluteHref.startsWith("/")) {
-            absoluteHref = `https://duckduckgo.com${absoluteHref}`;
-        }
-        let parsed;
-        try {
-            parsed = new URL(absoluteHref);
-        }
-        catch {
-            return null;
-        }
-        const hostname = parsed.hostname.toLowerCase();
-        if (hostname === "duckduckgo.com" || hostname.endsWith(".duckduckgo.com")) {
-            const redirected = parsed.searchParams.get("uddg");
-            if (!redirected) {
-                return null;
-            }
-            return this.normalizeResultUrl(redirected);
-        }
-        return this.normalizeResultUrl(absoluteHref);
-    }
-    normalizeResultUrl(candidate) {
-        let value = candidate.trim();
-        if (!value) {
-            return null;
-        }
-        if (value.startsWith("//")) {
-            value = `https:${value}`;
-        }
-        // Some uddg values are encoded multiple times; decode at most twice.
-        for (let i = 0; i < 2; i++) {
-            try {
-                const decoded = decodeURIComponent(value);
-                if (decoded === value) {
-                    break;
-                }
-                value = decoded;
-            }
-            catch {
-                break;
-            }
-        }
-        try {
-            const parsed = new URL(value);
-            if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-                return null;
-            }
-            const hostname = parsed.hostname.toLowerCase();
-            if (hostname === "duckduckgo.com" || hostname.endsWith(".duckduckgo.com")) {
-                return null;
-            }
-            return parsed.toString();
-        }
-        catch {
-            return null;
-        }
-    }
-}