@aria-cli/tools 1.0.18 → 1.0.31

package/dist-cjs/outlook/desktop-session.js

@@ -0,0 +1,319 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOutlookDesktopClient = createOutlookDesktopClient;
+const node_os_1 = __importDefault(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const node_fs_1 = require("node:fs");
+const OUTLOOK_SESSION_DIR = node_path_1.default.join(node_os_1.default.homedir(), ".aria", "outlook-session");
+const OUTLOOK_TOKEN_CACHE = node_path_1.default.join(node_os_1.default.homedir(), ".aria", "cache", "outlook-token.json");
+const OUTLOOK_WEB_URL = "https://outlook.office.com/mail/";
+// Outlook web uses outlook.office.com-scoped tokens, not graph.microsoft.com.
+// The Outlook REST v2 API at outlook.office.com/api/v2.0 accepts these tokens.
+const OUTLOOK_REST_API_BASE = "https://outlook.office.com/api/v2.0";
+const DEFAULT_BOOTSTRAP_TIMEOUT_MS = 60_000;
+async function loadCachedToken() {
+    try {
+        const raw = await node_fs_1.promises.readFile(OUTLOOK_TOKEN_CACHE, "utf-8");
+        const cached = JSON.parse(raw);
+        // Token valid if >5 min remaining
+        if (cached.bearerToken && cached.expiresAt > Date.now() + 5 * 60_000) {
+            return cached;
+        }
+    }
+    catch {
+        // no cache or invalid
+    }
+    return null;
+}
+async function saveCachedToken(token, email) {
+    // Decode JWT to get expiry
+    let exp = Date.now() + 60 * 60_000; // default 1h
+    try {
+        const part = token.split(".")[1];
+        if (!part)
+            throw new Error("no payload");
+        const payload = JSON.parse(Buffer.from(part, "base64").toString());
+        if (payload.exp)
+            exp = payload.exp * 1000;
+    }
+    catch {
+        /* best-effort */
+    }
+    const cached = { bearerToken: token, accountEmail: email, expiresAt: exp };
+    await node_fs_1.promises.mkdir(node_path_1.default.dirname(OUTLOOK_TOKEN_CACHE), { recursive: true });
+    await node_fs_1.promises.writeFile(OUTLOOK_TOKEN_CACHE, JSON.stringify(cached, null, 2));
+}
+// Outlook REST v2 returns PascalCase keys (Subject, From, EmailAddress)
+// while Graph API uses camelCase (subject, from, emailAddress).
+// Helper to read a field with either casing.
+function field(obj, camelKey) {
+    if (camelKey in obj)
+        return obj[camelKey];
+    const pascalKey = camelKey.charAt(0).toUpperCase() + camelKey.slice(1);
+    return obj[pascalKey];
+}
+function fieldStr(obj, camelKey) {
+    const v = field(obj, camelKey);
+    return typeof v === "string" ? v : "";
+}
+function parseRecipient(recipient) {
+    const emailAddress = field(recipient, "emailAddress") ?? null;
+    if (!emailAddress || typeof emailAddress !== "object")
+        return null;
+    return {
+        name: fieldStr(emailAddress, "name"),
+        email: fieldStr(emailAddress, "address"),
+    };
+}
+function parseRecipients(raw) {
+    if (!Array.isArray(raw))
+        return [];
+    return raw
+        .filter((r) => !!r && typeof r === "object")
+        .map(parseRecipient)
+        .filter((r) => r !== null);
+}
+function toMessageView(msg) {
+    const fromRaw = field(msg, "from");
+    const from = fromRaw && typeof fromRaw === "object"
+        ? parseRecipient(fromRaw)
+        : null;
+    return {
+        id: fieldStr(msg, "id") || fieldStr(msg, "Id"),
+        subject: fieldStr(msg, "subject"),
+        from: from ?? { name: "", email: "" },
+        toRecipients: parseRecipients(field(msg, "toRecipients")),
+        receivedDateTime: fieldStr(msg, "receivedDateTime"),
+        isRead: field(msg, "isRead") === true,
+        hasAttachments: field(msg, "hasAttachments") === true,
+        bodyPreview: fieldStr(msg, "bodyPreview"),
+        conversationId: fieldStr(msg, "conversationId"),
+    };
+}
+function toMessageDetail(msg) {
+    const view = toMessageView(msg);
+    const bodyRaw = field(msg, "body");
+    const body = bodyRaw && typeof bodyRaw === "object" ? bodyRaw : {};
+    return {
+        ...view,
+        body: {
+            contentType: fieldStr(body, "contentType") || "text",
+            content: fieldStr(body, "content"),
+        },
+        ccRecipients: parseRecipients(field(msg, "ccRecipients")),
+        importance: fieldStr(msg, "importance") || "normal",
+    };
+}
+async function waitForMailBearerToken(page, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            page.off("request", handleRequest);
+            reject(new Error("Timed out waiting for a Mail-scoped bearer token. " +
+                "Ensure you are logged in to outlook.office.com."));
+        }, timeoutMs);
+        const seen = new Set();
+        const handleRequest = (request) => {
+            const authHeader = request.headers()["authorization"];
+            if (!authHeader || !authHeader.startsWith("Bearer "))
+                return;
+            const bearerToken = authHeader.slice(7);
+            const dedup = bearerToken.substring(0, 30);
+            if (seen.has(dedup))
+                return;
+            seen.add(dedup);
+            // Decode JWT payload to extract email and scopes
+            let accountEmail = "";
+            let scp = "";
+            try {
+                const payloadB64 = bearerToken.split(".")[1];
+                if (payloadB64) {
+                    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+                    scp = typeof payload.scp === "string" ? payload.scp : "";
+                    accountEmail =
+                        typeof payload.upn === "string"
+                            ? payload.upn
+                            : typeof payload.preferred_username === "string"
+                                ? payload.preferred_username
+                                : typeof payload.unique_name === "string"
+                                    ? payload.unique_name
+                                    : "";
+                }
+            }
+            catch {
+                // JWT decode is best-effort
+            }
+            // Only accept tokens with Mail.Read scope (from outlook.cloud.microsoft)
+            if (!scp.includes("Mail.Read"))
+                return;
+            clearTimeout(timer);
+            page.off("request", handleRequest);
+            resolve({ bearerToken, accountEmail });
+        };
+        page.on("request", handleRequest);
+    });
+}
+// Stateless client using a cached bearer token (no Playwright needed)
+function createStatelessClient(bearerToken, accountEmail) {
+    const invokeApi = async (method, endpoint, body) => {
+        const url = `${OUTLOOK_REST_API_BASE}${endpoint}`;
+        const headers = {
+            Authorization: `Bearer ${bearerToken}`,
+            "Content-Type": "application/json",
+        };
+        const resp = await fetch(url, {
+            method,
+            headers,
+            body: body ? JSON.stringify(body) : undefined,
+        });
+        if (resp.status === 204)
+            return { status: 204 };
+        const text = await resp.text();
+        let json;
+        try {
+            json = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`Outlook API ${method} ${endpoint} returned non-JSON (HTTP ${resp.status}).`);
+        }
+        if (resp.status >= 400) {
+            const error = json.error && typeof json.error === "object" ? json.error : {};
+            const code = typeof error.code === "string" ? error.code : `http_${resp.status}`;
+            const message = typeof error.message === "string" ? error.message : "Unknown error";
+            throw new Error(`Outlook API ${method} ${endpoint} failed: ${code} — ${message}`);
+        }
+        return json;
+    };
+    return buildClientMethods(invokeApi, accountEmail, async () => {
+        /* no-op close */
+    });
+}
+async function createOutlookDesktopClient(opts) {
+    const timeoutMs = opts?.bootstrapTimeoutMs ?? DEFAULT_BOOTSTRAP_TIMEOUT_MS;
+    // Strategy 1: Use cached token if still valid (no Playwright needed)
+    const cached = await loadCachedToken();
+    if (cached) {
+        return createStatelessClient(cached.bearerToken, cached.accountEmail);
+    }
+    // Strategy 2: Launch Playwright headful to get a fresh token via SSO
+    // Must be headful — Microsoft SSO blocks headless Chromium
+    await node_fs_1.promises.mkdir(OUTLOOK_SESSION_DIR, { recursive: true });
+    const playwright = await Promise.resolve().then(() => __importStar(require("playwright")));
+    const context = await playwright.chromium.launchPersistentContext(OUTLOOK_SESSION_DIR, {
+        headless: false,
+        args: ["--start-maximized"],
+        viewport: null,
+    });
+    const page = context.pages()[0] ?? (await context.newPage());
+    const bootstrapPromise = waitForMailBearerToken(page, timeoutMs);
+    await page.goto(OUTLOOK_WEB_URL, {
+        waitUntil: "domcontentloaded",
+        timeout: timeoutMs,
+    });
+    const { bearerToken, accountEmail } = await bootstrapPromise;
+    // Cache the token for subsequent calls (avoids launching Playwright)
+    await saveCachedToken(bearerToken, accountEmail);
+    // Close browser immediately — we have the token, use stateless client
+    await page.close().catch(() => undefined);
+    await context.close().catch(() => undefined);
+    return createStatelessClient(bearerToken, accountEmail);
+}
+function buildClientMethods(invokeApi, accountEmail, closeFn) {
+    return {
+        getAccountEmail: () => accountEmail,
+        listMessages: async ({ folder = "inbox", limit = 20, filter, search }) => {
+            const params = new URLSearchParams();
+            params.set("$top", String(Math.max(1, Math.min(limit, 50))));
+            params.set("$select", "Id,Subject,From,ToRecipients,ReceivedDateTime,IsRead,HasAttachments,BodyPreview,ConversationId");
+            params.set("$orderby", "ReceivedDateTime desc");
+            if (filter)
+                params.set("$filter", filter);
+            if (search)
+                params.set("$search", `"${search}"`);
+            const endpoint = `/me/mailFolders/${encodeURIComponent(folder)}/messages?${params.toString()}`;
+            const json = await invokeApi("GET", endpoint);
+            const rawMessages = Array.isArray(json.value) ? json.value : [];
+            const messages = rawMessages
+                .filter((m) => !!m && typeof m === "object")
+                .map(toMessageView);
+            return {
+                accountEmail,
+                folder,
+                messages,
+                totalCount: typeof json["@odata.count"] === "number" ? json["@odata.count"] : messages.length,
+            };
+        },
+        getMessage: async ({ messageId }) => {
+            const json = await invokeApi("GET", `/me/messages/${encodeURIComponent(messageId)}`);
+            return toMessageDetail(json);
+        },
+        sendMessage: async ({ to, cc, subject, body, bodyType = "text" }) => {
+            const toRecipients = to.map((email) => ({
+                EmailAddress: { Address: email },
+            }));
+            const ccRecipients = (cc ?? []).map((email) => ({
+                EmailAddress: { Address: email },
+            }));
+            await invokeApi("POST", "/me/sendMail", {
+                Message: {
+                    Subject: subject,
+                    Body: { ContentType: bodyType === "html" ? "HTML" : "Text", Content: body },
+                    ToRecipients: toRecipients,
+                    ...(ccRecipients.length > 0 ? { CcRecipients: ccRecipients } : {}),
+                },
+            });
+            return { accountEmail, status: "sent" };
+        },
+        replyMessage: async ({ messageId, body, bodyType = "text", replyAll = false }) => {
+            const replyMethod = replyAll ? "ReplyAll" : "Reply";
+            await invokeApi("POST", `/me/messages/${encodeURIComponent(messageId)}/${replyMethod}`, {
+                Comment: body,
+                ...(bodyType === "html"
+                    ? {
+                        Message: {
+                            Body: { ContentType: "HTML", Content: body },
+                        },
+                    }
+                    : {}),
+            });
+            return { accountEmail, status: "sent" };
+        },
+        close: closeFn,
+    };
+}
+//# sourceMappingURL=desktop-session.js.map

package/dist-cjs/policy.js

@@ -0,0 +1,156 @@
+"use strict";
+/**
+ * Tool Policy Engine
+ *
+ * Evaluates whether a tool is allowed based on allow/deny lists with group expansion.
+ * Supports layered policy merging (intersection semantics) for arion + RunOptions policies.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOOL_GROUPS = void 0;
+exports.expandGroups = expandGroups;
+exports.isToolAllowed = isToolAllowed;
+exports.mergePolicies = mergePolicies;
+/** Built-in tool groups */
+exports.TOOL_GROUPS = {
+    "group:memory": [
+        "remember",
+        "recall",
+        "forget",
+        "recall_knowledge",
+        "reflect",
+        "search",
+        "learn",
+        "session_history",
+    ],
+    "group:web": ["web_search", "web_fetch", "browse", "browser"],
+    "group:filesystem": ["read_file", "write_file", "edit_file", "glob", "grep", "ls", "apply_patch"],
+    "group:shell": [
+        "bash",
+        "exec",
+        "spawn",
+        "kill",
+        "list_processes",
+        "wait_process",
+        "write_stdin",
+        "process",
+    ],
+    "group:arion": [
+        "hatch_arion",
+        "wake_arion",
+        "rest_arion",
+        "retire_arion",
+        "delegate_arion",
+        "manage_network",
+        "list_clients",
+        "deploy",
+    ],
+    "group:meta": [
+        "ask_user",
+        "quest_update",
+        "quest_list",
+        "search",
+        "learn",
+        "learn_tool",
+        "learn_skill",
+        "create_tool",
+        "create_skill",
+        "use_skill",
+        "restart",
+        "spawn_worker",
+        "check_delegation",
+        "pause_delegation",
+        "resume_delegation",
+        "quest_report",
+        "self_diagnose",
+    ],
+};
+/**
+ * Expand group references in a policy list.
+ * "group:memory" → ["remember", "recall", "forget", "reflect"]
+ * Individual tool names pass through unchanged.
+ * Unknown group names are ignored (treated as empty).
+ */
+function expandGroups(names) {
+    const result = new Set();
+    for (const name of names) {
+        const lower = name.toLowerCase();
+        if (lower.startsWith("group:")) {
+            const members = exports.TOOL_GROUPS[lower];
+            if (members) {
+                for (const member of members) {
+                    result.add(member.toLowerCase());
+                }
+            }
+            // Unknown group names are silently ignored
+        }
+        else {
+            result.add(lower);
+        }
+    }
+    return result;
+}
+/**
+ * Evaluate whether a tool is allowed by a policy.
+ * Rules:
+ * 1. If allow is empty/undefined and restrictAllow is false/undefined
+ *    → all tools allowed (then check deny)
+ * 2. If allow is non-empty OR restrictAllow=true
+ *    → only listed tools/groups allowed (empty allow + restrictAllow=true denies all)
+ * 3. Deny always wins over allow
+ */
+function isToolAllowed(toolName, policy) {
+    const normalized = toolName.toLowerCase();
+    // Check allow list: when restricted, tool must be in allowed set.
+    const isAllowRestricted = policy.restrictAllow === true || (policy.allow !== undefined && policy.allow.length > 0);
+    if (isAllowRestricted) {
+        const allowed = expandGroups(policy.allow ?? []);
+        if (!allowed.has(normalized)) {
+            return false;
+        }
+    }
+    // Check deny list: deny always wins
+    if (policy.deny && policy.deny.length > 0) {
+        const denied = expandGroups(policy.deny);
+        if (denied.has(normalized)) {
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Merge two policies (intersection). Used for layered evaluation:
+ * arion policy ∩ RunOptions policy = effective policy.
+ * A tool must be allowed by BOTH layers.
+ */
+function mergePolicies(a, b) {
+    // Merge deny: union of both deny lists
+    const mergedDeny = [...(a.deny ?? []), ...(b.deny ?? [])];
+    // Merge allow with restriction semantics:
+    // - both restricted: intersection (possibly empty = deny all)
+    // - one restricted: inherit that restriction
+    // - neither restricted: unrestricted
+    const aRestricts = a.restrictAllow === true || (a.allow?.length ?? 0) > 0;
+    const bRestricts = b.restrictAllow === true || (b.allow?.length ?? 0) > 0;
+    let mergedAllow;
+    let mergedRestrictAllow = false;
+    if (aRestricts && bRestricts) {
+        const expandedA = expandGroups(a.allow ?? []);
+        const expandedB = expandGroups(b.allow ?? []);
+        mergedAllow = [...expandedA].filter((name) => expandedB.has(name));
+        mergedRestrictAllow = true;
+    }
+    else if (aRestricts) {
+        mergedAllow = [...(a.allow ?? [])];
+        mergedRestrictAllow = true;
+    }
+    else if (bRestricts) {
+        mergedAllow = [...(b.allow ?? [])];
+        mergedRestrictAllow = true;
+    }
+    return {
+        ...(mergedAllow !== undefined ? { allow: mergedAllow } : {}),
+        ...(mergedRestrictAllow ? { restrictAllow: true } : {}),
+        ...(mergedDeny.length ? { deny: mergedDeny } : {}),
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist-cjs/providers/brave.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BraveSearchProvider = void 0;
+const search_provider_js_1 = require("./search-provider.js");
+class BraveSearchProvider {
+    env;
+    name = "brave";
+    requiresApiKey = true;
+    priority = 1;
+    constructor(env = process.env) {
+        this.env = env;
+    }
+    isAvailable() {
+        const apiKey = (0, search_provider_js_1.resolveSearchProviderEnv)(this.env).BRAVE_API_KEY;
+        return Boolean(apiKey && apiKey.trim().length > 0);
+    }
+    async search(query, options) {
+        const apiKey = (0, search_provider_js_1.resolveSearchProviderEnv)(this.env).BRAVE_API_KEY;
+        if (!apiKey) {
+            throw new Error("BRAVE_API_KEY environment variable is not set");
+        }
+        const limit = options?.limit ?? 5;
+        const url = new URL("https://api.search.brave.com/res/v1/web/search");
+        url.searchParams.set("q", query);
+        url.searchParams.set("count", String(limit));
+        // Handle timeRange option (map to Brave's freshness parameter)
+        if (options?.timeRange) {
+            const freshnessMap = {
+                day: "pd",
+                week: "pw",
+                month: "pm",
+                year: "py",
+            };
+            const freshness = freshnessMap[options.timeRange];
+            if (freshness) {
+                url.searchParams.set("freshness", freshness);
+            }
+        }
+        const { signal, cleanup } = (0, search_provider_js_1.createProviderAbortSignal)(30_000, options?.signal);
+        try {
+            const response = await fetch(url.toString(), {
+                method: "GET",
+                headers: {
+                    Accept: "application/json",
+                    "X-Subscription-Token": apiKey,
+                },
+                signal,
+            });
+            if (!response.ok) {
+                throw new Error(`Brave Search API error: ${response.status} ${response.statusText}`);
+            }
+            const json = await response.json();
+            const webResults = json.web?.results || [];
+            return webResults.map((r) => ({
+                title: r.title,
+                url: r.url,
+                content: r.description,
+                score: r.relevance_score,
+            }));
+        }
+        finally {
+            cleanup();
+        }
+    }
+}
+exports.BraveSearchProvider = BraveSearchProvider;
+//# sourceMappingURL=brave.js.map