@brutalist/mcp 0.6.0 → 0.6.2

package/dist/cli-agents.js

@@ -1,10 +1,18 @@
-import { spawn } from 'child_process';
+import { spawn, exec } from 'child_process';
+import { realpathSync, appendFileSync } from 'fs';
+import { promisify } from 'util';
 import { logger } from './logger.js';
 // Configurable timeouts and limits
 const DEFAULT_TIMEOUT = parseInt(process.env.BRUTALIST_TIMEOUT || '300000', 10); // 5 minutes default
 const CLI_CHECK_TIMEOUT = parseInt(process.env.BRUTALIST_CLI_CHECK_TIMEOUT || '5000', 10); // 5 seconds for CLI checks
 const MAX_BUFFER_SIZE = parseInt(process.env.BRUTALIST_MAX_BUFFER || String(10 * 1024 * 1024), 10); // 10MB default
 const MAX_CONCURRENT_CLIS = parseInt(process.env.BRUTALIST_MAX_CONCURRENT || '3', 10); // 3 concurrent CLIs
+// Resource limits for security
+const MAX_MEMORY_MB = parseInt(process.env.BRUTALIST_MAX_MEMORY || '2048', 10); // 2GB memory limit per process
+const MAX_CPU_TIME_SEC = parseInt(process.env.BRUTALIST_MAX_CPU_TIME || '1800', 10); // 30 minutes CPU time (should exceed default timeout)
+const MEMORY_CHECK_INTERVAL = 5000; // Check memory usage every 5 seconds
+// Process tracking for resource management
+const activeProcesses = new Map();
 // Available models for each CLI
 export const AVAILABLE_MODELS = {
     claude: {
@@ -21,22 +29,200 @@ export const AVAILABLE_MODELS = {
         models: ['gemini-2.5-flash', 'gemini-2.5-pro', 'gemini-2.5-flash-lite']
     }
 };
+// Security utilities for CLI execution
+// Only block actual injection vectors, not natural language punctuation
+const DANGEROUS_CHARS = /[;&|`\$\x00-\x1F\x7F]/;
+const MAX_ARG_LENGTH = 4096; // Maximum argument length
+const MAX_PATH_DEPTH = 10; // Maximum directory depth for paths
+// Validate and sanitize CLI arguments
+function validateArguments(args) {
+    for (const arg of args) {
+        // Check argument length
+        if (arg.length > MAX_ARG_LENGTH) {
+            throw new Error(`Argument too long: ${arg.length} > ${MAX_ARG_LENGTH} characters`);
+        }
+        // Check for dangerous characters that could enable injection
+        if (DANGEROUS_CHARS.test(arg)) {
+            throw new Error(`Argument contains dangerous characters: ${arg}`);
+        }
+        // Check for null bytes (common injection technique)
+        if (arg.includes('\0')) {
+            throw new Error('Argument contains null byte');
+        }
+    }
+}
+// Validate and canonicalize paths to prevent traversal attacks
+function validatePath(path, name) {
+    if (!path) {
+        throw new Error(`${name} cannot be empty`);
+    }
+    // Check for null bytes
+    if (path.includes('\0')) {
+        throw new Error(`${name} contains null byte`);
+    }
+    // Check for dangerous path traversal patterns
+    if (path.includes('../') || path.includes('..\\') || path.includes('/..') || path.includes('\\..')) {
+        throw new Error(`${name} contains path traversal attempt: ${path}`);
+    }
+    // Check path depth to prevent deeply nested attacks
+    const depth = path.split('/').length - 1;
+    if (depth > MAX_PATH_DEPTH) {
+        throw new Error(`${name} exceeds maximum depth: ${depth} > ${MAX_PATH_DEPTH}`);
+    }
+    // Canonicalize the path (this also validates it exists and resolves symlinks)
+    try {
+        return realpathSync(path);
+    }
+    catch (error) {
+        throw new Error(`Invalid ${name}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+// Create secure environment for CLI processes
+function createSecureEnvironment() {
+    // Minimal environment whitelist
+    const SAFE_ENV_VARS = [
+        'PATH',
+        'HOME',
+        'USER',
+        'SHELL',
+        'TERM',
+        'LANG',
+        'LC_ALL',
+        'TZ',
+        'NODE_ENV'
+    ];
+    const secureEnv = {};
+    // Copy only safe environment variables
+    for (const varName of SAFE_ENV_VARS) {
+        if (process.env[varName]) {
+            secureEnv[varName] = process.env[varName];
+        }
+    }
+    // Add security-focused environment variables
+    secureEnv.TERM = 'dumb'; // Disable terminal features
+    secureEnv.NO_COLOR = '1'; // Disable color output
+    secureEnv.CI = 'true'; // Indicate non-interactive environment
+    return secureEnv;
+}
+// Cross-platform memory usage monitoring
+async function getUnixMemoryUsage(pid) {
+    try {
+        const execAsync = promisify(exec);
+        // Use ps command to get memory usage in KB
+        const { stdout } = await execAsync(`ps -o rss= -p ${pid}`);
+        const memoryKB = parseInt(stdout.trim(), 10);
+        if (isNaN(memoryKB))
+            return null;
+        return { memoryMB: Math.round(memoryKB / 1024) };
+    }
+    catch {
+        return null;
+    }
+}
+async function getWindowsMemoryUsage(pid) {
+    try {
+        const execAsync = promisify(exec);
+        // Use wmic command to get memory usage
+        const { stdout } = await execAsync(`wmic process where "ProcessId=${pid}" get WorkingSetSize /value`);
+        const match = stdout.match(/WorkingSetSize=(\d+)/);
+        if (!match)
+            return null;
+        const memoryBytes = parseInt(match[1], 10);
+        return { memoryMB: Math.round(memoryBytes / (1024 * 1024)) };
+    }
+    catch {
+        return null;
+    }
+}
 // Safe command execution helper using spawn instead of exec to prevent command injection
 async function spawnAsync(command, args, options = {}) {
     return new Promise((resolve, reject) => {
-        // Use working directory as-is - let CLI tools handle their own sandboxing
-        const cwd = options.cwd || process.cwd();
+        // Validate command name (basic validation)
+        if (!command || command.length === 0) {
+            reject(new Error('Command cannot be empty'));
+            return;
+        }
+        // Validate arguments for injection attacks
+        try {
+            validateArguments(args);
+        }
+        catch (error) {
+            reject(error);
+            return;
+        }
+        // Validate and canonicalize working directory
+        let cwd;
+        try {
+            if (options.cwd) {
+                cwd = validatePath(options.cwd, 'working directory');
+            }
+            else {
+                cwd = process.cwd();
+            }
+        }
+        catch (error) {
+            reject(error);
+            return;
+        }
+        // Use secure environment
+        const secureEnv = options.env || createSecureEnvironment();
         const child = spawn(command, args, {
             cwd: cwd,
             stdio: ['pipe', 'pipe', 'pipe'],
             shell: false, // CRITICAL: disable shell to prevent injection
-            detached: command !== 'gemini', // Disable detached for Gemini CLI to fix macOS sandbox issue
-            env: options.env || process.env
+            detached: command !== 'gemini', // Disable detached for Gemini CLI to fix macOS issue
+            env: secureEnv,
+            // Additional security options
+            uid: process.getuid ? process.getuid() : undefined, // Maintain current user ID
+            gid: process.getgid ? process.getgid() : undefined // Maintain current group ID
         });
         let stdout = '';
         let stderr = '';
         let timedOut = false;
         let killed = false;
+        // Track process for resource monitoring
+        if (child.pid) {
+            activeProcesses.set(child.pid, {
+                startTime: Date.now(),
+                memoryChecks: 0
+            });
+        }
+        // Memory monitoring timer
+        let memoryTimer;
+        if (child.pid) {
+            memoryTimer = setInterval(async () => {
+                try {
+                    const pid = child.pid;
+                    const processInfo = activeProcesses.get(pid);
+                    if (!processInfo || killed) {
+                        if (memoryTimer)
+                            clearInterval(memoryTimer);
+                        return;
+                    }
+                    processInfo.memoryChecks++;
+                    // Check memory usage (cross-platform)
+                    const usage = process.platform === 'win32'
+                        ? await getWindowsMemoryUsage(pid)
+                        : await getUnixMemoryUsage(pid);
+                    if (usage && usage.memoryMB > MAX_MEMORY_MB) {
+                        child.kill('SIGTERM');
+                        reject(new Error(`Process exceeded memory limit: ${usage.memoryMB}MB > ${MAX_MEMORY_MB}MB`));
+                        return;
+                    }
+                    // Check CPU time limit
+                    const runtimeMs = Date.now() - processInfo.startTime;
+                    if (runtimeMs > MAX_CPU_TIME_SEC * 1000) {
+                        child.kill('SIGTERM');
+                        reject(new Error(`Process exceeded CPU time limit: ${runtimeMs}ms > ${MAX_CPU_TIME_SEC * 1000}ms`));
+                        return;
+                    }
+                }
+                catch (error) {
+                    // Memory check failed, but don't kill process for this
+                    logger.warn('Memory check failed:', error);
+                }
+            }, MEMORY_CHECK_INTERVAL);
+        }
         // Set up timeout with SIGKILL escalation
         const timeoutMs = options.timeout || DEFAULT_TIMEOUT;
         let killTimer;
@@ -98,6 +284,12 @@ async function spawnAsync(command, args, options = {}) {
             clearTimeout(timer);
             if (killTimer)
                 clearTimeout(killTimer);
+            if (memoryTimer)
+                clearInterval(memoryTimer);
+            // Clean up process tracking
+            if (child.pid) {
+                activeProcesses.delete(child.pid);
+            }
             if (!timedOut) {
                 if (code === 0) {
                     resolve({ stdout, stderr });
@@ -115,6 +307,12 @@ async function spawnAsync(command, args, options = {}) {
             clearTimeout(timer);
             if (killTimer)
                 clearTimeout(killTimer);
+            if (memoryTimer)
+                clearInterval(memoryTimer);
+            // Clean up process tracking
+            if (child.pid) {
+                activeProcesses.delete(child.pid);
+            }
             reject(error);
         });
         // Send input if provided
@@ -230,22 +428,25 @@ export class CLIAgentOrchestrator {
                 continue;
             try {
                 const event = JSON.parse(line);
+                // Codex --json outputs events with structure: {"type":"item.completed","item":{...}}
                 // Only extract agent_message type - this is the actual response
-                if (event.msg?.type === 'agent_message' && event.msg?.message) {
-                    agentMessages.push(event.msg.message);
-                }
-                else if (event.msg?.type === 'error' && event.msg?.message) {
-                    // Include error messages
-                    agentMessages.push(`Error: ${event.msg.message}`);
+                if (event.type === 'item.completed' && event.item) {
+                    if (event.item.type === 'agent_message' && event.item.text) {
+                        // Agent's actual response text
+                        agentMessages.push(event.item.text);
+                    }
+                    // Skip all other types:
+                    // - reasoning: internal thinking steps
+                    // - command_execution: file reads, bash commands
+                    // - error: will be in stderr
                 }
-                // Skip all other types: agent_reasoning, exec, token_count, task_started, etc.
             }
             catch {
                 // Skip non-JSON lines (config output, prompts, etc.)
                 continue;
             }
         }
-        return agentMessages.join('\n').trim();
+        return agentMessages.join('\n\n').trim();
     }
     emitThrottledStreamingEvent(agent, type, content, onStreamingEvent, options) {
         if (!onStreamingEvent)
@@ -258,7 +459,9 @@ export class CLIAgentOrchestrator {
                 return; // Skip non-content events
             processedContent = filtered;
         }
-        const key = `${agent}-${type}`;
+        // Use requestId to prevent buffer sharing between overlapping requests
+        const requestId = options?.requestId || 'default';
+        const key = `${agent}-${type}-${requestId}`;
         const now = Date.now();
         // Truncate content to prevent huge events
         const truncatedContent = processedContent.length > this.MAX_CHUNK_SIZE
@@ -284,7 +487,8 @@ export class CLIAgentOrchestrator {
                 type,
                 agent,
                 content: combinedContent,
-                timestamp: now
+                timestamp: now,
+                sessionId: options?.sessionId
             });
             // Reset buffer
             buffer.chunks = [];
@@ -406,16 +610,10 @@ export class CLIAgentOrchestrator {
                     type: 'agent_start',
                     agent: cliName,
                     content: `Starting ${cliName.toUpperCase()} analysis...`,
-                    timestamp: Date.now()
+                    timestamp: Date.now(),
+                    sessionId: options.sessionId
                 });
             }
-            // WARNING: Claude CLI does not have a native --sandbox flag. 
-            // If options.sandbox is true, it is assumed that the environment 
-            // running this Brutalist MCP server provides the sandboxing (e.g., Docker, VM).
-            // Running Claude without external sandboxing can be a security risk.
-            if (cliName === 'claude' && options.sandbox) {
-                logger.warn("⚠️ Claude CLI requested with sandbox: true, but Claude CLI does not support native sandboxing. Ensure external sandboxing is in place.");
-            }
             const { command, args, env, input } = commandBuilder(userPrompt, systemPromptSpec, options);
             logger.info(`📋 Command: ${command} ${args.join(' ')}`);
             logger.info(`📁 Working directory: ${workingDir}`);
@@ -450,7 +648,8 @@ export class CLIAgentOrchestrator {
                     type: 'agent_complete',
                     agent: cliName,
                     content: `${cliName.toUpperCase()} analysis completed (${Date.now() - startTime}ms)`,
-                    timestamp: Date.now()
+                    timestamp: Date.now(),
+                    sessionId: options.sessionId
                 });
             }
             // Post-process CLI output if needed
@@ -509,7 +708,8 @@ export class CLIAgentOrchestrator {
                     type: 'agent_error',
                     agent: cliName,
                     content: `${cliName.toUpperCase()} failed: ${error instanceof Error ? error.message : String(error)}`,
-                    timestamp: Date.now()
+                    timestamp: Date.now(),
+                    sessionId: options.sessionId
                 });
             }
             return {
@@ -550,16 +750,12 @@ export class CLIAgentOrchestrator {
         });
     }
     async executeCodex(userPrompt, systemPromptSpec, options = {}) {
-        return this._executeCLI('codex', userPrompt, systemPromptSpec, { ...options, sandbox: true }, // Ensure sandbox is always true for Codex
-        (userPrompt, systemPromptSpec, options) => {
+        return this._executeCLI('codex', userPrompt, systemPromptSpec, { ...options }, (userPrompt, systemPromptSpec, options) => {
             const combinedPrompt = `CONTEXT AND INSTRUCTIONS:\n${systemPromptSpec}\n\nANALYZE:\n${userPrompt}`;
             const args = ['exec'];
             // Use provided model or default to gpt-5
             const model = options.models?.codex || AVAILABLE_MODELS.codex.default;
             args.push('--model', model);
-            if (options.sandbox) {
-                args.push('--sandbox', 'read-only');
-            }
             // Add JSON flag to get structured output without verbose details
             args.push('--json');
             // Use stdin for the prompt instead of argv to avoid ARG_MAX limits
@@ -571,15 +767,11 @@ export class CLIAgentOrchestrator {
         });
     }
     async executeGemini(userPrompt, systemPromptSpec, options = {}) {
-        return this._executeCLI('gemini', userPrompt, systemPromptSpec, { ...options, sandbox: true }, // Ensure sandbox is always true for Gemini
-        (userPrompt, systemPromptSpec, options) => {
+        return this._executeCLI('gemini', userPrompt, systemPromptSpec, { ...options }, (userPrompt, systemPromptSpec, options) => {
             const args = [];
             // Use provided model or default to gemini-2.5-flash
             const modelName = options.models?.gemini || AVAILABLE_MODELS.gemini.default;
             args.push('--model', modelName);
-            if (options.sandbox) {
-                args.push('--sandbox');
-            }
             const combinedPrompt = `${systemPromptSpec}\n\n${userPrompt}`;
             args.push(combinedPrompt);
             return {
@@ -604,9 +796,9 @@ export class CLIAgentOrchestrator {
                 case 'claude':
                     return await this.executeClaudeCode(userPrompt, systemPromptSpec, options);
                 case 'codex':
-                    return await this.executeCodex(userPrompt, systemPromptSpec, { ...options, sandbox: true });
+                    return await this.executeCodex(userPrompt, systemPromptSpec, options);
                 case 'gemini':
-                    return await this.executeGemini(userPrompt, systemPromptSpec, { ...options, sandbox: true });
+                    return await this.executeGemini(userPrompt, systemPromptSpec, options);
                 default:
                     throw new Error(`Unknown CLI: ${cli}`);
             }
@@ -624,8 +816,76 @@ export class CLIAgentOrchestrator {
             waitTime = Math.min(waitTime * 2, 5000); // Exponential backoff, max 5 seconds
         }
     }
-    async executeBrutalistAnalysis(analysisType, targetPath, systemPromptSpec, context, options = {}) {
-        const userPrompt = this.constructUserPrompt(analysisType, targetPath, context);
+    async executeCLIAgents(cliAgents, systemPrompt, userPrompt, options = {}) {
+        const responses = [];
+        for (const agent of cliAgents) {
+            if (['claude', 'codex', 'gemini'].includes(agent)) {
+                try {
+                    const response = await this.executeCLIAgent(agent, systemPrompt, userPrompt, options);
+                    responses.push(response);
+                }
+                catch (error) {
+                    responses.push({
+                        agent: agent,
+                        success: false,
+                        output: '',
+                        error: error instanceof Error ? error.message : String(error),
+                        executionTime: 0,
+                        command: `${agent} execution failed`,
+                        workingDirectory: options.workingDirectory || process.cwd(),
+                        exitCode: -1
+                    });
+                }
+            }
+        }
+        return responses;
+    }
+    async executeCLIAgent(agent, systemPrompt, userPrompt, options = {}) {
+        if (!['claude', 'codex', 'gemini'].includes(agent)) {
+            throw new Error(`Unsupported CLI agent: ${agent}`);
+        }
+        return await this.executeSingleCLI(agent, userPrompt, systemPrompt, options);
+    }
+    async executeBrutalistAnalysis(analysisType, primaryContent, systemPromptSpec, context, options = {}) {
+        // Debug logging for path validation logic - write to file to avoid MCP stdio interference
+        const debugLog = `/tmp/brutalist-debug-${Date.now()}.log`;
+        const logMessage = (msg) => {
+            try {
+                appendFileSync(debugLog, `${new Date().toISOString()}: ${msg}\n`);
+            }
+            catch (e) {
+                // Ignore filesystem errors
+            }
+        };
+        logMessage(`🔧 VALIDATION DEBUG: analysisType="${analysisType}", primaryContent="${primaryContent}"`);
+        // Only validate filesystem paths for tools that actually operate on files/directories
+        const filesystemTools = ['codebase', 'file_structure', 'dependencies', 'git_history', 'test_coverage'];
+        logMessage(`🔧 VALIDATION DEBUG: filesystemTools.includes(analysisType)=${filesystemTools.includes(analysisType)}`);
+        logMessage(`🔧 VALIDATION DEBUG: primaryContent exists=${!!primaryContent}`);
+        logMessage(`🔧 VALIDATION DEBUG: primaryContent.trim() !== ''=${primaryContent ? primaryContent.trim() !== '' : false}`);
+        try {
+            if (filesystemTools.includes(analysisType) && primaryContent && primaryContent.trim() !== '') {
+                logMessage(`🔧 VALIDATION DEBUG: Calling validatePath for "${primaryContent}"`);
+                validatePath(primaryContent, 'targetPath');
+            }
+            else {
+                logMessage(`🔧 VALIDATION DEBUG: Skipping validatePath - not a filesystem tool`);
+            }
+        }
+        catch (error) {
+            logMessage(`🔧 VALIDATION DEBUG: validatePath failed with error: ${error}`);
+            throw new Error(`Security validation failed: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        // Validate workingDirectory if provided
+        try {
+            if (options.workingDirectory) {
+                validatePath(options.workingDirectory, 'workingDirectory');
+            }
+        }
+        catch (error) {
+            throw new Error(`Security validation failed: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        const userPrompt = this.constructUserPrompt(analysisType, primaryContent, context);
         // If preferred CLI is specified, use single CLI mode
         if (options.preferredCLI) {
             const selectedCLI = this.selectSingleCLI(options.preferredCLI, options.analysisType);
@@ -707,27 +967,27 @@ export class CLIAgentOrchestrator {
         }
         return synthesis.trim();
     }
-    constructUserPrompt(analysisType, targetPath, context) {
+    constructUserPrompt(analysisType, primaryContent, context) {
         // Trust CLI tools to handle their own security
-        const sanitizedTargetPath = targetPath;
+        const sanitizedContent = primaryContent;
         const sanitizedContext = context || 'No additional context provided';
         const prompts = {
-            code: `Analyze the codebase at ${sanitizedTargetPath} for issues. Context: ${sanitizedContext}`,
-            codebase: `Analyze the codebase directory at ${sanitizedTargetPath} for security vulnerabilities, performance issues, and architectural problems. Context: ${sanitizedContext}`,
-            architecture: `Review the architecture: ${sanitizedTargetPath}. Find every scaling failure and cost explosion.`,
-            idea: `Analyze this idea: ${sanitizedTargetPath}. Find where imagination fails to become reality.`,
-            research: `Review this research: ${sanitizedTargetPath}. Find every methodological flaw and reproducibility issue.`,
-            data: `Analyze this data/model: ${sanitizedTargetPath}. Find every overfitting issue, bias, and correlation fallacy.`,
-            security: `Security audit of: ${sanitizedTargetPath}. Find every attack vector and vulnerability.`,
-            product: `Product review: ${sanitizedTargetPath}. Find every UX disaster and adoption barrier.`,
-            infrastructure: `Infrastructure review: ${sanitizedTargetPath}. Find every single point of failure.`,
-            debate: `Debate topic: ${sanitizedTargetPath}. Take opposing positions and argue until truth emerges.`,
-            fileStructure: `Analyze the directory structure at ${sanitizedTargetPath}. Find organizational disasters and naming failures.`,
-            dependencies: `Analyze dependencies at ${sanitizedTargetPath}. Find version conflicts and security vulnerabilities.`,
-            gitHistory: `Analyze git history at ${sanitizedTargetPath}. Find commit disasters and workflow failures.`,
-            testCoverage: `Analyze test coverage at ${sanitizedTargetPath}. Find testing gaps and quality issues.`
+            code: `Analyze the codebase at ${sanitizedContent} for issues. Context: ${sanitizedContext}`,
+            codebase: `Analyze the codebase directory at ${sanitizedContent} for security vulnerabilities, performance issues, and architectural problems. Context: ${sanitizedContext}`,
+            architecture: `Review the architecture: ${sanitizedContent}. Find every scaling failure and cost explosion.`,
+            idea: `Analyze this idea: ${sanitizedContent}. Find where imagination fails to become reality.`,
+            research: `Review this research: ${sanitizedContent}. Find every methodological flaw and reproducibility issue.`,
+            data: `Analyze this data/model: ${sanitizedContent}. Find every overfitting issue, bias, and correlation fallacy.`,
+            security: `Security audit of: ${sanitizedContent}. Find every attack vector and vulnerability.`,
+            product: `Product review: ${sanitizedContent}. Find every UX disaster and adoption barrier.`,
+            infrastructure: `Infrastructure review: ${sanitizedContent}. Find every single point of failure.`,
+            debate: `Debate topic: ${sanitizedContent}. Take opposing positions and argue until truth emerges.`,
+            fileStructure: `Analyze the directory structure at ${sanitizedContent}. Find organizational disasters and naming failures.`,
+            dependencies: `Analyze dependencies at ${sanitizedContent}. Find version conflicts and security vulnerabilities.`,
+            gitHistory: `Analyze git history at ${sanitizedContent}. Find commit disasters and workflow failures.`,
+            testCoverage: `Analyze test coverage at ${sanitizedContent}. Find testing gaps and quality issues.`
         };
-        const specificPrompt = prompts[analysisType] || `Analyze ${sanitizedTargetPath} for ${analysisType} issues.`;
+        const specificPrompt = prompts[analysisType] || `Analyze ${sanitizedContent} for ${analysisType} issues.`;
         return `${specificPrompt} ${context ? `Context: ${sanitizedContext}` : ''}`;
     }
 }