@botbotgo/agent-harness 0.0.33 → 0.0.35

package/dist/contracts/types.d.ts

@@ -174,6 +174,7 @@ export type CompiledAgentBinding = {
     deepAgentParams?: DeepAgentParams;
     harnessRuntime: {
         runRoot: string;
+        workspaceRoot?: string;
         hostFacing: boolean;
         checkpointer?: Record<string, unknown>;
         store?: Record<string, unknown>;

package/dist/package-version.d.ts

@@ -1 +1 @@
-export declare const AGENT_HARNESS_VERSION = "0.0.32";
+export declare const AGENT_HARNESS_VERSION = "0.0.34";

package/dist/package-version.js

@@ -1 +1 @@
-export const AGENT_HARNESS_VERSION = "0.0.32";
+export const AGENT_HARNESS_VERSION = "0.0.34";

package/dist/runtime/agent-runtime-adapter.js

@@ -367,7 +367,7 @@ export class AgentRuntimeAdapter {
             if (!compiledTool) {
                 return resolvedTool;
             }
-            const wrappedTool = wrapToolForExecution(resolvedTool, compiledTool);
+            const wrappedTool = wrapToolForExecution(resolvedTool, compiledTool, binding);
             const modelFacingName = toolNameMapping.originalToModelFacing.get(compiledTool.name) ?? compiledTool.name;
             const structuredTool = asStructuredExecutableTool(wrappedTool, modelFacingName, compiledTool.description);
             if (structuredTool !== wrappedTool) {

package/dist/runtime/tool-hitl.d.ts

@@ -1,5 +1,6 @@
 import type { CompiledTool } from "../contracts/types.js";
+import type { CompiledAgentBinding } from "../contracts/types.js";
 type InterruptFn = <I = unknown, R = unknown>(value: I) => R;
 export declare function wrapToolForHumanInTheLoop<T>(resolvedTool: T, compiledTool: CompiledTool, interruptFn?: InterruptFn): T;
-export declare function wrapToolForExecution<T>(resolvedTool: T, compiledTool: CompiledTool, interruptFn?: InterruptFn): T;
+export declare function wrapToolForExecution<T>(resolvedTool: T, compiledTool: CompiledTool, binding?: CompiledAgentBinding, interruptFn?: InterruptFn): T;
 export {};

package/dist/runtime/tool-hitl.js

@@ -1,5 +1,7 @@
 import { interrupt } from "@langchain/langgraph";
+import path from "node:path";
 const DEDUPED_REMOTE_TOOL_NAMES = new Set(["builtin.fetch_url", "builtin.web_search"]);
+const PATH_LIKE_INPUT_KEYS = new Set(["path", "root", "dir", "directory", "cwd"]);
 function toInputPreview(input) {
     if (typeof input === "object" && input && !Array.isArray(input)) {
         return input;
@@ -103,6 +105,52 @@ function wrapToolWithDedupe(resolvedTool, compiledTool) {
         },
     });
 }
-export function wrapToolForExecution(resolvedTool, compiledTool, interruptFn = interrupt) {
-    return wrapToolWithDedupe(wrapToolForHumanInTheLoop(resolvedTool, compiledTool, interruptFn), compiledTool);
+function shouldConstrainWorkspacePaths(compiledTool) {
+    const normalized = `${compiledTool.name} ${compiledTool.description}`.toLowerCase();
+    if (/(web[_ .-]?search|fetch[_ .-]?url|https?:\/\/|\burl\b)/.test(normalized)) {
+        return false;
+    }
+    return /(workspace|repo|repository|sandbox|filesystem|file|directory|folder|path|memory|source[- ]control|code search|context search|rag|index|grep|glob|read|write|edit)/.test(normalized);
+}
+function guardWorkspaceBoundToolInput(input, compiledTool, binding) {
+    const workspaceRoot = binding?.harnessRuntime.workspaceRoot;
+    if (!workspaceRoot || typeof input !== "object" || !input || Array.isArray(input) || !shouldConstrainWorkspacePaths(compiledTool)) {
+        return input;
+    }
+    const record = { ...input };
+    for (const [key, value] of Object.entries(record)) {
+        if (!PATH_LIKE_INPUT_KEYS.has(key) || typeof value !== "string") {
+            continue;
+        }
+        const candidate = value.trim();
+        if (!candidate || /^[a-z]+:\/\//i.test(candidate)) {
+            continue;
+        }
+        const absolute = path.resolve(workspaceRoot, candidate);
+        const relative = path.relative(workspaceRoot, absolute);
+        if (relative.startsWith("..") || path.isAbsolute(relative)) {
+            throw new Error(`Tool ${compiledTool.name} input ${key} resolves outside the workspace root`);
+        }
+    }
+    return record;
+}
+export function wrapToolForExecution(resolvedTool, compiledTool, binding, interruptFn = interrupt) {
+    const guardedTool = typeof resolvedTool === "object" && resolvedTool !== null
+        ? new Proxy(resolvedTool, {
+            get(obj, prop, receiver) {
+                const value = Reflect.get(obj, prop, receiver);
+                if (prop === "invoke" && typeof value === "function") {
+                    return (input, config) => obj.invoke(guardWorkspaceBoundToolInput(input, compiledTool, binding), config);
+                }
+                if (prop === "call" && typeof value === "function") {
+                    return (input, config) => obj.call(guardWorkspaceBoundToolInput(input, compiledTool, binding), config);
+                }
+                if (prop === "func" && typeof value === "function") {
+                    return (input, config) => obj.func(guardWorkspaceBoundToolInput(input, compiledTool, binding), config);
+                }
+                return value;
+            },
+        })
+        : resolvedTool;
+    return wrapToolWithDedupe(wrapToolForHumanInTheLoop(guardedTool, compiledTool, interruptFn), compiledTool);
 }

package/dist/workspace/agent-binding-compiler.js

@@ -3,6 +3,9 @@ import { getSkillInheritancePolicy, resolveToolTargets } from "../extensions.js"
 import { compileModel, compileTool } from "./resource-compilers.js";
 import { discoverSkillPaths } from "./support/discovery.js";
 import { compileAgentMemories, getRuntimeDefaults, resolvePromptValue, resolveRefId } from "./support/workspace-ref-utils.js";
+const WORKSPACE_BOUNDARY_GUIDANCE = "Keep repository and file exploration bounded to the current workspace root unless the user explicitly asks for broader host or filesystem access. " +
+    "Do not inspect absolute paths outside the workspace, system directories, or unrelated repos by default. " +
+    "Prefer workspace-local tools, relative paths, and the current repository checkout when analyzing code.";
 function requireSkills(pathEntries, workspaceRoot) {
     return Array.from(new Set(discoverSkillPaths(pathEntries, workspaceRoot)));
 }
@@ -79,7 +82,7 @@ function buildSubagent(agent, workspaceRoot, models, tools, parentSkills, parent
     return {
         name: resolveAgentRuntimeName(agent),
         description: agent.description,
-        systemPrompt: resolvePromptValue(agent.deepAgentConfig?.systemPrompt) ?? "",
+        systemPrompt: [resolvePromptValue(agent.deepAgentConfig?.systemPrompt), WORKSPACE_BOUNDARY_GUIDANCE].filter(Boolean).join("\n\n"),
         tools: requireTools(tools, agent.toolRefs, agent.id),
         model: agent.modelRef ? requireModel(models, agent.modelRef, agent.id) : parentModel,
         interruptOn: agent.deepAgentConfig?.interruptOn,
@@ -98,10 +101,7 @@ function resolveSystemPrompt(agent) {
         return resolveDirectPrompt(agent);
     }
     const deepagentPrompt = resolvePromptValue(agent.deepAgentConfig?.systemPrompt);
-    if (deepagentPrompt) {
-        return deepagentPrompt;
-    }
-    return resolveDirectPrompt(agent);
+    return [deepagentPrompt ?? resolveDirectPrompt(agent), WORKSPACE_BOUNDARY_GUIDANCE].filter(Boolean).join("\n\n");
 }
 function resolveInterruptOn(agent) {
     if (agent.executionMode !== "deepagent") {
@@ -154,6 +154,7 @@ export function compileBinding(workspaceRoot, agent, agents, referencedSubagentI
         agent,
         harnessRuntime: {
             runRoot,
+            workspaceRoot,
             hostFacing: !internalSubagent,
             ...(checkpointer ? { checkpointer: checkpointer.config } : {}),
             ...(store ? { store: store.config } : {}),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botbotgo/agent-harness",
-  "version": "0.0.33",
+  "version": "0.0.35",
   "description": "Agent Harness framework package",
   "type": "module",
   "packageManager": "npm@10.9.2",