@bolloon/bolloon-agent 0.1.34 → 0.1.35

package/dist/security/tool-gate.js

@@ -0,0 +1,235 @@
+/**
+ * Tool Gate — 8 道安全 gate (调工具前/后的快速判断)
+ *
+ * 跟 harness-integration/gate-state-machine 区别:
+ * - 后者: 工程化工作流 8-gate (HARNESS-DEV 流程)
+ * - 本文件: 工具调用安全 8-gate (防越权 / 防注入 / 防越界)
+ *
+ * 每道 gate 独立可禁用, 调用方按顺序串联
+ * 任何 gate failed = 拒绝 tool 调用 + 返回 reason
+ */
+import { auditToolOutput } from './builtin-guards.js';
+// ============================================================
+// Gate 1: 白名单
+// ============================================================
+const TOOL_WHITELIST = new Set([
+    // 已有 tool (见 pi-sdk.ts registerTools)
+    'read_document', 'summarize_document', 'improve_document',
+    'list_peers', 'send_message', 'broadcast_message',
+    'get_identity', 'list_skills', 'create_judgment',
+    'shell_exec', 'shell',
+    'read', 'write', 'edit_file', 'list_files',
+    'list_sessions', 'get_session_state', 'list_messages',
+    'send_to_channel', 'create_channel',
+    // MCP 注册的工具
+    'mcp_tool',
+]);
+export const gateWhitelist = { gate: 'whitelist', allowed: true };
+export function checkWhitelist(ctx) {
+    if (TOOL_WHITELIST.has(ctx.tool)) {
+        return gateWhitelist;
+    }
+    return {
+        gate: 'whitelist',
+        allowed: false,
+        reason: `工具 '${ctx.tool}' 不在白名单`,
+        evidence: `白名单: ${Array.from(TOOL_WHITELIST).slice(0, 5).join(', ')}...`,
+    };
+}
+// ============================================================
+// Gate 2: args 形状校验 (防 schema 注入)
+// ============================================================
+const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+export function checkSchema(ctx) {
+    // 1) 直接遍历 args (JSON.stringify 会丢 __proto__, 必须手动检查)
+    function walkKeys(obj, path = []) {
+        if (obj === null || typeof obj !== 'object')
+            return null;
+        for (const k of Object.keys(obj)) {
+            if (DANGEROUS_KEYS.includes(k)) {
+                return [...path, k].join('.');
+            }
+            const found = walkKeys(obj[k], [...path, k]);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    const dangerousKey = walkKeys(ctx.args);
+    if (dangerousKey) {
+        return {
+            gate: 'schema',
+            allowed: false,
+            reason: `args 含 prototype pollution 风险 key: ${dangerousKey}`,
+            evidence: dangerousKey,
+        };
+    }
+    // 2) args 字符串过深 (>10000 字符) — 可能是 prompt injection 试图污染
+    const json = JSON.stringify(ctx.args);
+    if (json.length > 10000) {
+        return {
+            gate: 'schema',
+            allowed: false,
+            reason: `args 过长 (${json.length} 字符), 可能含 prompt injection`,
+            evidence: `前 100 字符: ${json.substring(0, 100)}`,
+        };
+    }
+    return { gate: 'schema', allowed: true };
+}
+// ============================================================
+// Gate 3: channel 权限 (channelId 是否被允许调该 tool)
+// ============================================================
+/** 工具 → 哪些 channelId 不允许 (黑名单模式, 留作扩展) */
+const TOOL_CHANNEL_RESTRICT = {
+// 'shell_exec': [/^ch_system_/],  // 示例: 某些 system channel 禁 shell
+};
+export function checkChannel(ctx) {
+    if (!ctx.channelId) {
+        return { gate: 'channel', allowed: true };
+    }
+    const restrictions = TOOL_CHANNEL_RESTRICT[ctx.tool];
+    if (!restrictions) {
+        return { gate: 'channel', allowed: true };
+    }
+    for (const r of restrictions) {
+        if (typeof r === 'string' && r === ctx.channelId) {
+            return { gate: 'channel', allowed: false, reason: `channel '${ctx.channelId}' 不允许调 '${ctx.tool}'` };
+        }
+        if (r instanceof RegExp && r.test(ctx.channelId)) {
+            return { gate: 'channel', allowed: false, reason: `channel '${ctx.channelId}' 匹配禁模式 ${r}` };
+        }
+    }
+    return { gate: 'channel', allowed: true };
+}
+// ============================================================
+// Gate 4: 速率限制 (同 tool 1min 内最多 N 次)
+// ============================================================
+const RATE_LIMIT_PER_MIN = 5;
+export function checkRate(ctx) {
+    const recent = ctx.recentCalls ?? [];
+    const now = Date.now();
+    const window = 60_000;
+    const sameTool = recent.filter((c) => c.tool === ctx.tool && now - c.ts < window);
+    if (sameTool.length >= RATE_LIMIT_PER_MIN) {
+        return {
+            gate: 'rate',
+            allowed: false,
+            reason: `工具 '${ctx.tool}' 在 1 分钟内已被调 ${sameTool.length} 次 (上限 ${RATE_LIMIT_PER_MIN})`,
+            evidence: `最近 ${sameTool.length} 次调用时间: ${sameTool.map((c) => new Date(c.ts).toISOString()).join(', ')}`,
+        };
+    }
+    return { gate: 'rate', allowed: true };
+}
+// ============================================================
+// Gate 5: prompt injection 检测
+// ============================================================
+const INJECTION_PATTERNS = [
+    { re: /\bignore (previous|all|above) (instructions?|prompts?)\b/i, label: 'ignore previous' },
+    { re: /\b(disregard|forget) (everything|all|instructions?)\b/i, label: 'disregard' },
+    { re: /\byou are now\b/i, label: 'role override' },
+    { re: /\bnew instructions?:\s*\[/i, label: 'new instructions block' },
+    { re: /<\|im_start\|>/, label: 'chatml tag' },
+    { re: /<\|im_end\|>/, label: 'chatml tag' },
+    { re: /\bSYSTEM:\s/i, label: 'system tag' },
+];
+export function checkInject(ctx) {
+    const concat = JSON.stringify(ctx.args);
+    for (const { re, label } of INJECTION_PATTERNS) {
+        if (re.test(concat)) {
+            return {
+                gate: 'inject',
+                allowed: false,
+                reason: `args 含 prompt injection 模式: ${label}`,
+                evidence: `匹配: ${label}`,
+            };
+        }
+    }
+    return { gate: 'inject', allowed: true };
+}
+// ============================================================
+// Gate 6: 输出审查 (tool 执行后, 审计 tool 返的字符串)
+// 单独入口 auditOutput, 不是调 tool 前的 gate
+// ============================================================
+export function checkOutput(output) {
+    const hit = auditToolOutput(output);
+    if (!hit) {
+        return { gate: 'output', allowed: true };
+    }
+    return {
+        gate: 'output',
+        allowed: hit.severity !== 'critical',
+        reason: hit.reason,
+        evidence: hit.evidence,
+    };
+}
+// ============================================================
+// Gate 7: 链式调用限制 (单轮最多 5 个 tool, 防 agent 循环)
+// ============================================================
+const MAX_TOOL_CALLS_PER_TURN = 5;
+export function checkChain(ctx) {
+    const count = ctx.toolCallCountInTurn ?? 0;
+    if (count >= MAX_TOOL_CALLS_PER_TURN) {
+        return {
+            gate: 'chain',
+            allowed: false,
+            reason: `单轮已调 ${count} 个 tool (上限 ${MAX_TOOL_CALLS_PER_TURN})`,
+            evidence: `当前轮 tool 调用次数: ${count}`,
+        };
+    }
+    return { gate: 'chain', allowed: true };
+}
+// ============================================================
+// Gate 8: 黑名单 (复用 PreToolUse hook 已有 6 条规则, 重新实现于此)
+// ============================================================
+const DANGEROUS_CMD_PATTERNS = [
+    { re: /\brm\s+(-[a-z]*f[a-z]*\s+)?-[a-z]*r[a-z]*\s+\//, reason: '禁止递归删除根目录' },
+    { re: /\bgit\s+push\s+.*--force\b/, reason: '禁止 force push' },
+    { re: /\brm\s+-rf\s+~\//, reason: '禁止递归删除 home' },
+    { re: /\bdd\s+if=.*\s+of=\/dev\//, reason: '禁止 dd 覆盖块设备' },
+    { re: /\bcurl\s+.*\|\s*(ba)?sh\b/, reason: '禁止 curl|sh 直执行' },
+    { re: />\s*\/dev\/sd[a-z]/, reason: '禁止写裸设备' },
+];
+export function checkBlacklist(ctx) {
+    if (ctx.tool !== 'shell' && ctx.tool !== 'shell_exec' && ctx.tool !== 'bash') {
+        return { gate: 'blacklist', allowed: true };
+    }
+    const cmd = String(ctx.args.command || ctx.args.cmd || '');
+    for (const { re, reason } of DANGEROUS_CMD_PATTERNS) {
+        if (re.test(cmd)) {
+            return { gate: 'blacklist', allowed: false, reason, evidence: cmd.substring(0, 100) };
+        }
+    }
+    return { gate: 'blacklist', allowed: true };
+}
+const TOOL_GATES = [
+    checkWhitelist,
+    checkSchema,
+    checkChannel,
+    checkRate,
+    checkInject,
+    checkChain, // 链式限制前置 (chain)
+    checkBlacklist,
+    // checkOutput 不在 tool.execute 前
+];
+export function runToolGates(ctx) {
+    const details = [];
+    for (const check of TOOL_GATES) {
+        try {
+            const r = check(ctx);
+            details.push(r);
+            if (!r.allowed) {
+                return { allowed: false, rejectedBy: r.gate, reason: r.reason, details };
+            }
+        }
+        catch (err) {
+            // 静默: 任意 gate 自身挂掉 = pass (fail-open)
+            console.warn(`[tool-gate] ${check.name} failed (non-fatal, allowing):`, err);
+        }
+    }
+    return { allowed: true, details };
+}
+/** Post-call: 审查 tool 返的 output */
+export function runOutputGate(output) {
+    const r = checkOutput(output);
+    return { allowed: r.allowed, rejectedBy: r.gate, reason: r.reason, details: [r] };
+}

package/dist/utils/auto-evolve-policy.js

@@ -0,0 +1,117 @@
+/**
+ * Auto-Evolve Policy — 数据层自动进化统一网关
+ *
+ * 阶段 A: 数据层自动进化开关
+ *
+ * 单一事实源: 任何代码路径要"自动"修改 ~/.bolloon/ 下的数据层
+ * (judgments.json / persona.json / skills/ / agents.json),
+ * 都必须先调 isDataLayerAutoEvolveEnabled() / requireDataLayerAutoEvolve().
+ *
+ * 设计原则 (类 B 边界 + 8-gate 兼容):
+ * - 默认关闭 (fail-closed)
+ * - 3 种打开方式,任一为真即开:
+ *   1. env BOLLOON_AUTO_EVOLVE_DATA=1
+ *   2. ~/.bolloon/self-improve-policy.json dataLayerAutoEvolve: true
+ *   3. 类 B 自适应永远只读 (不查此开关) — 它天然不写库
+ * - 显式拒绝比默认拒绝多一道 log (审计 trail)
+ *
+ * 不变量:
+ * - 开关仅影响"无用户交互的自动写"路径
+ * - 用户在 UI 手动触发 / API 显式 accept 走原始路径, **不查此开关**
+ *   (避免阻塞用户的正常接受操作)
+ * - 写入被拒绝时, 抛 AutoEvolveDisabledError (调用方选择 catch + fallback)
+ */
+import * as fs from 'fs/promises';
+import * as os from 'os';
+const ENV_KEY = 'BOLLOON_AUTO_EVOLVE_DATA';
+const POLICY_PATH = () => (os.homedir() || process.env.HOME || '/tmp') + '/.bolloon/self-improve-policy.json';
+export class AutoEvolveDisabledError extends Error {
+    constructor(reason) {
+        super(`[auto-evolve] 数据层自动进化已关闭: ${reason}`);
+        this.name = 'AutoEvolveDisabledError';
+    }
+}
+let cachedPolicy = null;
+const POLICY_TTL_MS = 5_000; // 5s 缓存, 避免每次写都读盘
+/**
+ * 读 policy.json (带 5s 缓存)
+ *
+ * 注意: 必须保留完整 parsed 对象 — 调用方需要
+ * parsed.dataLayerAutoEvolve 等其他字段做 UI 展示.
+ */
+async function readPolicyFile() {
+    if (cachedPolicy && Date.now() - cachedPolicy.checkedAt < POLICY_TTL_MS && cachedPolicy.parsed) {
+        return cachedPolicy.parsed;
+    }
+    try {
+        const content = await fs.readFile(POLICY_PATH(), 'utf-8');
+        const parsed = JSON.parse(content);
+        cachedPolicy = {
+            value: parsed.dataLayerAutoEvolve === true,
+            checkedAt: Date.now(),
+            parsed,
+        };
+        return parsed;
+    }
+    catch {
+        cachedPolicy = { value: false, checkedAt: Date.now(), parsed: null };
+        return null;
+    }
+}
+/**
+ * 核心查询: 数据层自动进化是否开启
+ *
+ * 任一为真:
+ * 1. env BOLLOON_AUTO_EVOLVE_DATA=1|true|yes
+ * 2. policy.json dataLayerAutoEvolve: true
+ *
+ * 同步读 env (env 永远先, 政策文件是补充).
+ */
+export function isDataLayerAutoEvolveEnabledSync() {
+    const env = (process.env[ENV_KEY] || '').toLowerCase();
+    if (env === '1' || env === 'true' || env === 'yes')
+        return true;
+    return false; // policy 文件需要 async, 同步版只看 env
+}
+/**
+ * 异步版 (含 policy.json): 自动调用方用这个
+ */
+export async function isDataLayerAutoEvolveEnabled() {
+    if (isDataLayerAutoEvolveEnabledSync())
+        return true;
+    const p = await readPolicyFile();
+    return p?.dataLayerAutoEvolve === true;
+}
+/**
+ * 硬性护栏: 自动写数据层前必须调, 否则抛错
+ *
+ * @param caller 写操作的来源 (日志用, e.g. "adaptive-scan.deprecate")
+ */
+export async function requireDataLayerAutoEvolve(caller) {
+    const enabled = await isDataLayerAutoEvolveEnabled();
+    if (!enabled) {
+        throw new AutoEvolveDisabledError(`${caller} 尝试自动写数据层, 但 ${ENV_KEY} 未设且 policy.dataLayerAutoEvolve !== true`);
+    }
+    console.log(`[auto-evolve] ✅ 允许自动写 (caller=${caller})`);
+}
+/**
+ * 软性查询 + 日志: 给 UI 状态栏 / 调试用
+ */
+export async function getAutoEvolveStatus() {
+    const env = process.env[ENV_KEY] || '';
+    const envOn = isDataLayerAutoEvolveEnabledSync();
+    const p = await readPolicyFile();
+    const policyOn = p?.dataLayerAutoEvolve === true;
+    return {
+        enabled: envOn || policyOn,
+        env,
+        policyFilePath: POLICY_PATH(),
+        policyValue: policyOn,
+    };
+}
+/**
+ * 清除 policy 缓存 (测试用 / 实时热改 policy.json 后)
+ */
+export function clearAutoEvolvePolicyCache() {
+    cachedPolicy = null;
+}

package/dist/utils/clamp.js

@@ -0,0 +1,7 @@
+export function clamp(n, min, max) {
+    if (n < min)
+        return min;
+    if (n > max)
+        return max;
+    return n;
+}

package/dist/utils/double.js

@@ -0,0 +1,6 @@
+/**
+ * double.ts — 阶段 D loop 验证 (故意坏)
+ */
+export function double(n) {
+    return n * 2; // 修复: 正确实现 double
+}