@botbotgo/runtime 1.0.1 → 1.0.2

package/src/state/workspaceState.ts

@@ -20,7 +20,12 @@ export interface AgentWorkspaceState {
   todosFile: string;
   runStateFile: string;
   artifactFiles: Record<string, string>;
-  prepareRun(params: { prompt: string; fallbackThreadId?: string; resumeHint: string }): Promise<PreparedWorkspaceRun>;
+  prepareRun(params: {
+    prompt: string;
+    resumeInterruptedRun?: boolean;
+    fallbackThreadId?: string;
+    resumeHint: string;
+  }): Promise<PreparedWorkspaceRun>;
   readRunState(): Promise<AgentRunState | null>;
   getThreadId(previousState: AgentRunState | null, fallbackThreadId: string): string;
   buildResumePrompt(basePrompt: string, previousState: AgentRunState | null, resumeHint: string): string;
@@ -89,22 +94,24 @@ export class AgentWorkspaceStateManager implements AgentWorkspaceState {
 
   public async prepareRun(params: {
     prompt: string;
+    resumeInterruptedRun?: boolean;
     fallbackThreadId?: string;
     resumeHint: string;
   }): Promise<PreparedWorkspaceRun> {
     const previousState = await this.runState.read();
-    const threadId = this.runState.getThreadId(previousState, params.fallbackThreadId ?? `t-${Date.now()}`);
+    const effectivePreviousState = params.resumeInterruptedRun ? previousState : null;
+    const threadId = this.runState.getThreadId(effectivePreviousState, params.fallbackThreadId ?? `t-${Date.now()}`);
     this.events?.emit({
       name: "agent.runtime2.workspace.prepare",
       from: "agent-runtime2.runtime",
       to: "agent-runtime2.workspace",
-      payload: { threadId, previousState },
+      payload: { threadId, previousState: effectivePreviousState },
     });
-    await this.resetForFreshRun(previousState);
+    await this.resetForFreshRun(effectivePreviousState);
     return WorkspaceRunSessionFactory.create({
       prompt: params.prompt,
       threadId,
-      previousState,
+      previousState: effectivePreviousState,
       resumeHint: params.resumeHint,
       runState: this.runState,
       events: this.events,
@@ -176,13 +183,14 @@ export class AgentWorkspaceStateManager implements AgentWorkspaceState {
   }
 
   public async resetForFreshRun(previousState: AgentRunState | null): Promise<void> {
-    if (previousState?.status !== "running") return;
-    if (!this.legacyOutputState) {
-      await Promise.all([
-        unlink(this.legacyTodosFile).catch(() => {}),
+    if (previousState?.status === "running") return;
+    await Promise.all([
+      unlink(this.todosFile).catch(() => {}),
+      unlink(this.legacyTodosFile).catch(() => {}),
+      ...(!this.legacyOutputState ? [
         unlink(this.legacyRunStateFile).catch(() => {}),
-      ]);
-    }
+      ] : []),
+    ]);
   }
 
   public async persistTodos(todos: unknown): Promise<void> {

package/test/unit/config/loader.test.ts

@@ -95,6 +95,12 @@ spec:
   malformedToolCallMaxRetries: 1
   idleTimeoutMaxRetries: 1
   heartbeatIntervalMs: 10000
+  middleware:
+    forbidScriptSourceRead: true
+    forbidAbsolutePathsOutsideWorkspace: true
+    commandPolicy:
+      blockDirectNetworkFetch: true
+      blockShellDashLc: true
   debug:
     run: true
     workspace: true
@@ -130,6 +136,8 @@ describe("config/loader", () => {
     assert.strictEqual(r.spec.systemPrompt, "You are a runtime test agent.");
     assert.strictEqual(r.spec.backend?.type, "local_shell");
     assert.strictEqual(r.spec.malformedToolCallMaxRetries, 1);
+    assert.strictEqual(r.spec.middleware?.forbidScriptSourceRead, true);
+    assert.strictEqual(r.spec.middleware?.commandPolicy?.blockDirectNetworkFetch, true);
     assert.strictEqual(r.spec.debug?.toolCall, true);
     assert.strictEqual(r.spec.debug?.stream, false);
     assert.strictEqual(r.spec.eventLogLevel, "tools");
@@ -331,6 +339,8 @@ describe("deepagents", () => {
     assert.strictEqual(resolved.runtime.systemPrompt, "You are a runtime test agent.");
     assert.strictEqual(resolved.runtime.llmIdleTimeoutMs, 300000);
     assert.strictEqual(resolved.runtime.heartbeatIntervalMs, 10000);
+    assert.strictEqual(resolved.runtime.middleware?.forbidScriptSourceRead, true);
+    assert.strictEqual(resolved.runtime.middleware?.commandPolicy?.blockShellDashLc, true);
     assert.strictEqual(resolved.runtime.debug?.run, true);
     assert.strictEqual(resolved.runtime.debug?.stream, false);
     assert.strictEqual(resolved.runtime.eventLogLevel, "tools");

package/test/unit/runtime/agentToolMiddleware.test.ts

@@ -0,0 +1,51 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { AgentToolMiddlewareFactory } from "../../../src/runtime/middleware/agentToolMiddleware.ts";
+
+class FakeToolMessage {
+  public readonly content: string;
+  public readonly tool_call_id: string;
+
+  public constructor(fields: { content: string; tool_call_id: string }) {
+    this.content = fields.content;
+    this.tool_call_id = fields.tool_call_id;
+  }
+}
+
+test("AgentToolMiddleware emits blocked error details for policy violations", async () => {
+  const events: Array<{ name: string; payload?: Record<string, unknown> }> = [];
+  const middleware = new AgentToolMiddlewareFactory({
+    rootDir: "/workspace",
+    createMiddleware: (definition) => definition,
+    ToolMessage: FakeToolMessage,
+    events: {
+      emit: (event) => {
+        events.push(event);
+      },
+    },
+  }).create() as {
+    wrapToolCall: (request: unknown, handler: (request: unknown) => unknown) => Promise<unknown>;
+  };
+
+  const result = await middleware.wrapToolCall(
+    {
+      toolCall: {
+        id: "call-1",
+        name: "read_file",
+        args: { path: "/tmp/outside-workspace.sh" },
+      },
+      threadId: "thread-1",
+    },
+    async () => {
+      throw new Error("handler should not be called");
+    },
+  );
+
+  assert.ok(result instanceof FakeToolMessage);
+  assert.match(result.content, /Do not use absolute filesystem paths outside workspace root/);
+
+  const blocked = events.find((event) => event.name === "agent.runtime2.tool.call.blocked");
+  assert.ok(blocked);
+  assert.equal(blocked.payload?.reason, "policy_violation");
+  assert.match(String(blocked.payload?.error ?? ""), /Do not use absolute filesystem paths outside workspace root/);
+});

package/test/unit/runtime/toolArgsNormalizer.test.ts

@@ -76,6 +76,7 @@ test("FrameworkPrompt includes active skill mapping in framework system prompt",
   assert.match(prompt, /other-skill => \/cache\/skills\/other-skill/);
   assert.match(prompt, /\$\{SKILL_PATH:<skill-id>\}/);
   assert.match(prompt, /\$\{WORKSPACE\}/);
+  assert.doesNotMatch(prompt, /\bls\b|\bglob\b/);
 });
 
 test("buildSkillPathMap expands skills root directories into named skill paths", async () => {
@@ -134,3 +135,36 @@ test("ToolArgsNormalizer expands unnamed SKILL_PATH to the only active skill dir
 
   await rm(root, { recursive: true, force: true });
 });
+
+test("ToolArgsNormalizer strips workspace path prefixes from mistaken repo-relative file and command paths", async () => {
+  const root = join(tmpdir(), `agent-runtime2-workspace-paths-${Date.now()}`, "framework", "runtime", "example");
+  const skillRoot = join(root, ".agent", "cache", "skills", "company-report");
+  await mkdir(join(skillRoot, "scripts"), { recursive: true });
+  await writeFile(join(skillRoot, "scripts", "merge-report.mjs"), "export {};\n", "utf8");
+
+  const normalizedWrite = ToolArgsNormalizer.normalizeToolArgs(
+    root,
+    [skillRoot],
+    "write_file",
+    {
+      file_path: "runtime/example/output/company-report.json",
+      content: "{}",
+    },
+  );
+  assert.equal(normalizedWrite.file_path, "output/company-report.json");
+
+  const normalizedExecute = ToolArgsNormalizer.normalizeToolArgs(
+    root,
+    [skillRoot],
+    "execute",
+    {
+      command: "node scripts/merge-report.mjs runtime/example/output/company-report.json runtime/example/output/company-report.html",
+    },
+  );
+  assert.equal(
+    normalizedExecute.command,
+    "node .agent/cache/skills/company-report/scripts/merge-report.mjs output/company-report.json output/company-report.html",
+  );
+
+  await rm(root, { recursive: true, force: true });
+});

package/test/unit/runtime/toolCallGuard.test.ts

@@ -0,0 +1,71 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { ToolCallGuard } from "../../../src/runtime/middleware/toolCallGuard.ts";
+
+class FakeToolMessage {
+  public readonly content: string;
+  public readonly tool_call_id: string;
+
+  public constructor(fields: { content: string; tool_call_id: string }) {
+    this.content = fields.content;
+    this.tool_call_id = fields.tool_call_id;
+  }
+}
+
+test("ToolCallGuard blocks script source reads by default", () => {
+  const result = ToolCallGuard.maybeBlock(
+    "read_file",
+    { path: "skills/company-report/scripts/merge-report.mjs" },
+    "call-1",
+    FakeToolMessage,
+    "/workspace",
+  );
+
+  assert.ok(result instanceof FakeToolMessage);
+  assert.match(result.content, /Do not inspect script source files/);
+});
+
+test("ToolCallGuard respects runtime middleware policy overrides", () => {
+  const readAllowed = ToolCallGuard.maybeBlock(
+    "read_file",
+    { path: "skills/company-report/scripts/merge-report.mjs" },
+    "call-2",
+    FakeToolMessage,
+    "/workspace",
+    undefined,
+    [],
+    {
+      forbidScriptSourceRead: false,
+    },
+  );
+  assert.equal(readAllowed, null);
+
+  const executeAllowed = ToolCallGuard.maybeBlock(
+    "execute",
+    { command: "curl https://example.com/data.json" },
+    "call-3",
+    FakeToolMessage,
+    "/workspace",
+    undefined,
+    [],
+    {
+      commandPolicy: {
+        blockDirectNetworkFetch: false,
+      },
+    },
+  );
+  assert.equal(executeAllowed, null);
+});
+
+test("ToolCallGuard blocks reads of internal runtime state files", () => {
+  const result = ToolCallGuard.maybeBlock(
+    "read_file",
+    { path: ".agent/run-state.json" },
+    "call-4",
+    FakeToolMessage,
+    "/workspace",
+  );
+
+  assert.ok(result instanceof FakeToolMessage);
+  assert.match(result.content, /Do not inspect internal runtime state files under \.agent\//);
+});

package/test/unit/runtime/workspaceState.test.ts

@@ -0,0 +1,94 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { createAgentWorkspaceState } from "../../../src/state/workspaceState.ts";
+
+test("workspace prepareRun starts fresh when resumeInterruptedRun is disabled", async () => {
+  const rootDir = join(tmpdir(), `agent-runtime2-workspace-${Date.now()}`);
+  const outputDir = join(rootDir, "output");
+  const agentDir = join(rootDir, ".agent");
+  await mkdir(outputDir, { recursive: true });
+  await mkdir(agentDir, { recursive: true });
+  await writeFile(
+    join(agentDir, "run-state.json"),
+    JSON.stringify({
+      prompt: "old",
+      threadId: "t-old",
+      status: "running",
+      startedAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      stepCount: 3,
+      lastSummary: "old summary",
+      artifacts: {},
+    }),
+    "utf8",
+  );
+  await writeFile(join(agentDir, "todos.json"), "[]\n", "utf8");
+  await writeFile(join(outputDir, "company-report.json"), "{\"stale\":true}\n", "utf8");
+
+  const workspace = createAgentWorkspaceState({
+    rootDir,
+    artifacts: [{ key: "companyReport", path: "output/company-report.json" }],
+  });
+  const prepared = await workspace.prepareRun({
+    prompt: "new prompt",
+    resumeInterruptedRun: false,
+    resumeHint: "resume",
+  });
+
+  assert.notEqual(prepared.threadId, "t-old");
+  assert.equal(prepared.input.messages[0]?.content, "new prompt");
+  await assert.rejects(readFile(join(agentDir, "todos.json"), "utf8"));
+
+  await rm(rootDir, { recursive: true, force: true });
+});
+
+test("workspace prepareRun can explicitly resume an interrupted run with checkpoint context", async () => {
+  const rootDir = join(tmpdir(), `agent-runtime2-workspace-resume-${Date.now()}`);
+  const outputDir = join(rootDir, "output");
+  const agentDir = join(rootDir, ".agent");
+  await mkdir(outputDir, { recursive: true });
+  await mkdir(agentDir, { recursive: true });
+  await writeFile(
+    join(agentDir, "run-state.json"),
+    JSON.stringify({
+      prompt: "old",
+      threadId: "t-old",
+      status: "running",
+      startedAt: new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      stepCount: 3,
+      lastSummary: "Tool call: yahooFinanceNews",
+      artifacts: {
+        companyReportPresent: true,
+        companyReportHtmlPresent: false,
+      },
+    }),
+    "utf8",
+  );
+
+  const workspace = createAgentWorkspaceState({
+    rootDir,
+    artifacts: [
+      { key: "companyReport", path: "output/company-report.json" },
+      { key: "companyReportHtml", path: "output/company-report.html" },
+    ],
+  });
+  const prepared = await workspace.prepareRun({
+    prompt: "new prompt",
+    resumeInterruptedRun: true,
+    resumeHint: "Continue from the checkpoint instead of restarting.",
+  });
+
+  assert.equal(prepared.threadId, "t-old");
+  assert.match(prepared.input.messages[0]?.content ?? "", /RESUME_CHECKPOINT/);
+  assert.match(prepared.input.messages[0]?.content ?? "", /"threadId": "t-old"/);
+  assert.match(prepared.input.messages[0]?.content ?? "", /"lastSummary": "Tool call: yahooFinanceNews"/);
+  assert.match(prepared.input.messages[0]?.content ?? "", /"companyReport": "ready"/);
+  assert.match(prepared.input.messages[0]?.content ?? "", /"companyReportHtml": "missing"/);
+  assert.match(prepared.input.messages[0]?.content ?? "", /Do not read \.agent\/\*/);
+
+  await rm(rootDir, { recursive: true, force: true });
+});