@calliopelabs/cli 2.3.0 → 2.5.0

package/dist/tools.js

@@ -6,6 +6,8 @@
 import { spawn } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
+import * as os from 'os';
+import { StringDecoder } from 'string_decoder';
 import * as sandbox from './sandbox.js';
 import * as nativeSandbox from './sandbox-native.js';
 import { getAgtermTools, isAgtermTool, executeAgtermTool } from './agents/index.js';
@@ -15,6 +17,7 @@ import config from './config.js';
 import { applySkin, applyPalette, listSkins, listPalettes } from './hud/api.js';
 import { listCompanions } from './companions.js';
 import { generateDiff as generateFileDiff } from './diff.js';
+import { scuttlebotClient } from './scuttlebot/index.js';
 /**
  * Available tools for the agent
  */
@@ -274,7 +277,7 @@ export const TOOLS = [
 
 CONFIGURABLE SETTINGS:
 - defaultProvider: AI provider (anthropic, google, openai, together, openrouter, groq, fireworks, mistral, ollama, ai21, huggingface, litellm, bedrock, auto)
-- defaultModel: Model name string (provider-specific, e.g. "claude-sonnet-4-20250514", "gemini-2.0-flash", "gpt-4o")
+- defaultModel: Model name string (provider-specific, e.g. "claude-sonnet-4-6", "gemini-2.0-flash", "gpt-4o")
 - persona: Agent persona style (calliope, muse, minimal)
 - maxIterations: Max agent loop iterations (0 = unlimited)
 - maxIterationTime: Max seconds per iteration (0 = no limit, default: 600)
@@ -368,14 +371,23 @@ function validatePath(filePath, cwd) {
     if (filePath.includes('\0')) {
         throw new Error(`Invalid path: contains null bytes`);
     }
-    // Check raw input for path traversal attempts before resolution
+    // Check raw input for path traversal attempts before resolution.
+    // The scope manager is the single source of truth — no /tmp escape hatch (#139).
     if (filePath.includes('..')) {
         const resolved = path.resolve(cwd, filePath);
         const normalizedCwd = path.resolve(cwd);
-        if (!resolved.startsWith(normalizedCwd + path.sep) && resolved !== normalizedCwd && !resolved.startsWith('/tmp/') && resolved !== '/tmp') {
+        if (!resolved.startsWith(normalizedCwd + path.sep) && resolved !== normalizedCwd) {
             throw new Error(`Path traversal detected: ${filePath} resolves outside allowed scope`);
         }
     }
+    // Block tool access to the CLI's own state directory (~/.calliope-cli):
+    // hooks, plugins, skills, trust, and MCP server configs there are a
+    // code-execution / trust foothold if the agent can plant or read them (#141).
+    const cliStateDir = path.join(os.homedir(), '.calliope-cli');
+    const absResolved = path.resolve(cwd, filePath);
+    if (absResolved === cliStateDir || absResolved.startsWith(cliStateDir + path.sep)) {
+        throw new Error(`Refusing tool access inside the Calliope state directory (${cliStateDir}); hooks/plugins/skills/trust there are protected`);
+    }
     // Primary validation via scope manager
     const validated = scopeValidatePath(filePath, cwd);
     return validated;
@@ -385,6 +397,12 @@ function validatePath(filePath, cwd) {
  */
 export async function executeTool(toolCall, cwd, timeout = 60000, onOutput) {
     const { id, name, arguments: args } = toolCall;
+    // Mirror tool call to scuttlebot
+    if (scuttlebotClient.isEnabled()) {
+        await scuttlebotClient.mirrorToolCall(name, args).catch(() => {
+            // Silently fail - don't interrupt tool execution
+        });
+    }
     // Handle agent tools
     if (isAgtermTool(name)) {
         return executeAgtermTool(toolCall, cwd);
@@ -686,6 +704,12 @@ export async function executeTool(toolCall, cwd, timeout = 60000, onOutput) {
  *
  * Patterns are tested against the normalized command (see normalizeCommand())
  * to defeat common bypass techniques like quoting, env prefixes, and subshells.
+ *
+ * SECURITY NOTE (#132): This denylist is ADVISORY / defense-in-depth only. It is
+ * fundamentally unwinnable to perfectly screen an arbitrary `bash -c` string, so
+ * treat this as a best-effort tripwire, NOT a security boundary. The real control
+ * is the native sandbox (see src/sandbox-native.ts); when no sandbox is available
+ * the shell tool fails closed (see shouldUseNativeSandbox / executeShell).
  */
 const BLOCKED_COMMANDS = [
     /^sudo\s/,
@@ -738,12 +762,29 @@ function normalizeCommand(command) {
     return cmd.trim();
 }
 /**
- * Check a command (and all sub-commands separated by ; or &&/||) against
- * the blocklist. Returns the matching pattern source string, or null if allowed.
+ * Split a shell command into sub-commands on every separator so anchored deny
+ * patterns (^sudo, ^su, ^rm -rf /, ...) are tested at the start of each fragment.
+ *
+ * Process two-char operators (&&, ||) before single & / | so the singles do not
+ * shred the two-char operators they are part of. Newline is also a separator.
+ * normalizeCommand() strips quotes for matching, so quoted separators are
+ * intentionally not special-cased here (advisory blocklist, #132).
+ */
+function splitSubCommands(command) {
+    return command
+        // two-char logical operators first
+        .split(/\s*(?:&&|\|\|)\s*/)
+        // then single separators: ; & | and newline (also a trailing & background)
+        .flatMap((part) => part.split(/\s*[;&|\n]\s*/));
+}
+/**
+ * Check a command (and all sub-commands separated by ; && || & | or newline)
+ * against the blocklist. Returns the matching pattern source string, or null if
+ * allowed.
  */
 function matchesBlocklist(command) {
     // Split on command separators to check each sub-command
-    const subCommands = command.split(/\s*(?:;|&&|\|\|)\s*/);
+    const subCommands = splitSubCommands(command);
     for (const sub of subCommands) {
         const normalized = normalizeCommand(sub);
         for (const pattern of BLOCKED_COMMANDS) {
@@ -853,10 +894,18 @@ async function executeShell(command, cwd, timeout, onOutput) {
     if (sandboxDecision === 'require' && !nativeSandbox.isNativeSandboxAvailable()) {
         return 'Error: Native sandbox required (sandboxMode=native) but not available on this platform.';
     }
+    // 'auto' is best-effort: when no native backend exists (e.g. Linux/Windows
+    // without Seatbelt/Landlock) the command runs unsandboxed rather than failing,
+    // so shell execution keeps working on every platform. Users who require
+    // enforcement set sandboxMode=native (fail-closed above) or sandboxMode=docker.
+    // The sandbox hardening (#133 — network off by default, restricted reads)
+    // still applies whenever a sandbox IS active ('use'/'require'/docker).
     if (sandboxDecision === 'use' || sandboxDecision === 'require') {
+        // Network is OFF by default; opt in via CALLIOPE_SHELL_NETWORK=1 (#133).
+        const networkEnabled = process.env.CALLIOPE_SHELL_NETWORK === '1';
         const result = await nativeSandbox.executeInNativeSandbox(command, cwd, {
             timeout,
-            networkEnabled: true,
+            networkEnabled,
         });
         // Shell tool output is transparent — same format as unsandboxed execution
         let output = result.stdout + (result.stderr ? `\nstderr: ${result.stderr}` : '');
@@ -940,15 +989,12 @@ async function readFile(filePath, cwd) {
         throw new Error(`File too large (${Math.round(stats.size / 1024)}KB). Max 1MB.`);
     }
     const content = fs.readFileSync(absPath, 'utf-8');
-    // Inline file preview header (#119)
-    const PREVIEW_CAP = 20;
-    const allLines = content.split('\n');
-    const totalLines = allLines.length;
-    const previewLines = allLines.slice(0, PREVIEW_CAP);
+    // Inline file preview header (#119). The header carries the line count;
+    // the full content follows once — no preview/footer, those duplicated the
+    // first 20 lines on every read and cost ~20% extra tokens on short files.
+    const totalLines = content.split('\n').length;
     const header = `[file: ${filePath} \u2014 ${totalLines} line${totalLines !== 1 ? 's' : ''}]\n${'─'.repeat(40)}`;
-    const previewBody = previewLines.join('\n');
-    const footer = totalLines > PREVIEW_CAP ? `\n... (${totalLines - PREVIEW_CAP} more lines)` : '';
-    return `${header}\n${previewBody}${footer}\n\n${content}`;
+    return `${header}\n${content}`;
 }
 /**
  * Generate a simple line-diff between old and new content
@@ -1121,6 +1167,8 @@ function listFilesRecursive(dir, prefix, depth) {
     for (const entry of entries.slice(0, 50)) {
         if (entry.name.startsWith('.'))
             continue; // Skip hidden files
+        if (entry.isDirectory() && WALK_IGNORED_DIRS.has(entry.name))
+            continue;
         const entryPath = path.join(dir, entry.name);
         if (entry.isDirectory()) {
             lines.push(`${prefix}📁 ${entry.name}/`);
@@ -1277,44 +1325,74 @@ async function webSearch(query, numResults) {
 /**
  * Execute git commands safely
  */
+// Tokenize git args supporting simple shell-style quoting so commit messages
+// like  -m "fix: thing"  parse into two tokens.
+function parseGitArgs(args) {
+    const tokens = [];
+    const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|(\S+)/g;
+    let m;
+    while ((m = re.exec(args)) !== null) {
+        tokens.push(m[1] ?? m[2] ?? m[3]);
+    }
+    return tokens;
+}
+// Single-quote each token so the final string is safe to pass through bash -c
+// (what executeShell does). A single quote inside a single-quoted string is
+// escaped as  '\''  .
+function shellEscape(s) {
+    return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+// Git-specific flags that cause arbitrary command execution even when passed
+// without a shell (e.g. over SSH via upload-pack/receive-pack). Blocklisted
+// because the shell-metachar strip used before did not catch them.
+const DANGEROUS_GIT_FLAG_RE = /^(--upload-pack|--receive-pack|--exec|--config-env)(=|$)/;
 async function executeGit(operation, args, cwd) {
     const allowedOps = ['status', 'diff', 'log', 'branch', 'add', 'commit', 'push', 'pull', 'stash'];
     if (!allowedOps.includes(operation)) {
         return `Error: Unknown git operation: ${operation}. Allowed: ${allowedOps.join(', ')}`;
     }
-    // Sanitize args to prevent command injection via shell metacharacters
-    const safeArgs = args.replace(/[;&|`$(){}!#\n\r]/g, '');
+    const tokens = parseGitArgs(args);
+    for (const tok of tokens) {
+        if (DANGEROUS_GIT_FLAG_RE.test(tok)) {
+            return `Error: git flag "${tok.split('=')[0]}" is not allowed (RCE risk)`;
+        }
+        // ext:: remote protocol runs an arbitrary command on the client side.
+        if (tok.startsWith('ext::')) {
+            return 'Error: git "ext::" remote protocol is not allowed (RCE risk)';
+        }
+    }
+    const quoted = tokens.map(shellEscape).join(' ');
     let command;
     switch (operation) {
         case 'status':
             command = 'git status --short';
             break;
         case 'diff':
-            command = `git diff ${safeArgs}`.trim();
+            command = `git diff ${quoted}`.trim();
             break;
         case 'log':
-            command = `git log --oneline -20 ${safeArgs}`.trim();
+            command = `git log --oneline -20 ${quoted}`.trim();
             break;
         case 'branch':
-            command = `git branch ${safeArgs}`.trim();
+            command = `git branch ${quoted}`.trim();
             break;
         case 'add':
-            command = `git add ${safeArgs || '.'}`.trim();
+            command = tokens.length ? `git add ${quoted}` : 'git add .';
             break;
         case 'commit':
-            if (!safeArgs.includes('-m')) {
+            if (!tokens.includes('-m')) {
                 return 'Error: commit requires -m "message"';
             }
-            command = `git commit ${safeArgs}`.trim();
+            command = `git commit ${quoted}`.trim();
             break;
         case 'push':
-            command = `git push ${safeArgs}`.trim();
+            command = `git push ${quoted}`.trim();
             break;
         case 'pull':
-            command = `git pull ${safeArgs}`.trim();
+            command = `git pull ${quoted}`.trim();
             break;
         case 'stash':
-            command = `git stash ${safeArgs}`.trim();
+            command = `git stash ${quoted}`.trim();
             break;
         default:
             return `Unknown operation: ${operation}`;
@@ -1468,7 +1546,56 @@ function globToRegex(pattern) {
 /**
  * Recursively walk a directory and collect all file paths relative to the base.
  */
-function walkDir(dir, base, results) {
+// Directories that are almost always noise when searching a project tree.
+// Keeping this list small and hardcoded (rather than parsing .gitignore) avoids
+// both performance cliffs on large monorepos and accidental scans of vendored
+// secrets in node_modules. Users who need to search these can use the shell tool.
+const WALK_IGNORED_DIRS = new Set([
+    '.git',
+    'node_modules',
+    'dist',
+    'build',
+    '.next',
+    '.nuxt',
+    '.turbo',
+    '.cache',
+    'coverage',
+    '.venv',
+    'venv',
+    '__pycache__',
+    'target', // rust
+    '.gradle',
+    '.idea',
+    '.vscode',
+]);
+/** Maximum directory recursion depth before walkDir stops descending (#154). */
+const WALK_MAX_DEPTH = 40;
+/** Maximum number of entries walkDir will collect before it stops (#154). */
+const WALK_MAX_ENTRIES = 100000;
+/**
+ * Recursively collect file paths under `dir` (relative to `base`).
+ *
+ * Hardened (#154): bounded recursion depth, a per-walk Set of visited real
+ * directory paths to guard against directory cycles (bind mounts / hardlinks /
+ * any future symlink-follow), and a cap on the total number of collected
+ * entries. `depth` and `visited` are internal accumulators.
+ */
+function walkDir(dir, base, results, depth = 0, visited = new Set()) {
+    if (depth > WALK_MAX_DEPTH)
+        return;
+    if (results.length >= WALK_MAX_ENTRIES)
+        return;
+    // Guard against directory cycles by tracking canonical (real) paths.
+    let realDir;
+    try {
+        realDir = fs.realpathSync(dir);
+    }
+    catch {
+        return;
+    }
+    if (visited.has(realDir))
+        return;
+    visited.add(realDir);
     let entries;
     try {
         entries = fs.readdirSync(dir, { withFileTypes: true });
@@ -1477,10 +1604,14 @@ function walkDir(dir, base, results) {
         return;
     }
     for (const entry of entries) {
+        if (results.length >= WALK_MAX_ENTRIES)
+            return;
+        if (entry.isDirectory() && WALK_IGNORED_DIRS.has(entry.name))
+            continue;
         const fullPath = path.join(dir, entry.name);
         const relPath = path.relative(base, fullPath);
         if (entry.isDirectory()) {
-            walkDir(fullPath, base, results);
+            walkDir(fullPath, base, results, depth + 1, visited);
         }
         else {
             results.push(relPath);
@@ -1516,6 +1647,73 @@ async function globFiles(pattern, searchCwd) {
     }
     return matched.join('\n');
 }
+/**
+ * Scan a single file line-by-line and push matching lines into `results`,
+ * without holding the entire file in memory (#154).
+ *
+ * Reads the file in fixed-size chunks, emits complete lines as they are found,
+ * and stops as soon as `results` reaches `maxResults`.
+ */
+function grepFileStreaming(filePath, regex, relPath, results, maxResults) {
+    const CHUNK_SIZE = 64 * 1024;
+    let fd;
+    try {
+        fd = fs.openSync(filePath, 'r');
+    }
+    catch {
+        return;
+    }
+    try {
+        // StringDecoder buffers partial multi-byte UTF-8 sequences that straddle a
+        // chunk boundary, so lines decode correctly across reads.
+        const decoder = new StringDecoder('utf-8');
+        const buffer = Buffer.allocUnsafe(CHUNK_SIZE);
+        let leftover = '';
+        let lineNo = 0;
+        let bytesRead;
+        try {
+            do {
+                bytesRead = fs.readSync(fd, buffer, 0, CHUNK_SIZE, null);
+                if (bytesRead <= 0)
+                    break;
+                const text = leftover + decoder.write(buffer.subarray(0, bytesRead));
+                const parts = text.split('\n');
+                // The last element may be a partial line; carry it to the next chunk.
+                leftover = parts.pop() ?? '';
+                for (const line of parts) {
+                    lineNo++;
+                    if (regex.test(line)) {
+                        results.push(`${relPath}:${lineNo}: ${line}`);
+                        if (results.length >= maxResults)
+                            return;
+                    }
+                }
+            } while (bytesRead > 0);
+        }
+        catch {
+            // Unreadable file (e.g. EISDIR, binary read error) — skip it, mirroring
+            // the previous readFileSync try/catch behavior.
+            return;
+        }
+        // Flush any bytes the decoder was still holding.
+        leftover += decoder.end();
+        // Final partial line (file not ending in newline).
+        if (leftover.length > 0) {
+            lineNo++;
+            if (regex.test(leftover) && results.length < maxResults) {
+                results.push(`${relPath}:${lineNo}: ${leftover}`);
+            }
+        }
+    }
+    finally {
+        try {
+            fs.closeSync(fd);
+        }
+        catch {
+            /* ignore */
+        }
+    }
+}
 /**
  * Search file contents using a regex pattern (or literal string fallback).
  */
@@ -1568,25 +1766,21 @@ async function grepFiles(pattern, searchPath, cwd, globPattern, caseInsensitive)
     for (const filePath of filesToSearch) {
         if (results.length >= MAX_RESULTS)
             break;
-        let content;
         try {
             const fileStat = fs.statSync(filePath);
+            if (!fileStat.isFile())
+                continue; // skip dirs / symlinked dirs / sockets
             if (fileStat.size > 5 * 1024 * 1024)
                 continue; // skip files > 5MB
-            content = fs.readFileSync(filePath, 'utf-8');
         }
         catch {
             continue;
         }
-        const lines = content.split('\n');
         const relPath = path.relative(cwd, filePath);
-        for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
-            if (results.length >= MAX_RESULTS)
-                break;
-            if (regex.test(lines[lineIdx])) {
-                results.push(`${relPath}:${lineIdx + 1}: ${lines[lineIdx]}`);
-            }
-        }
+        // Scan line-by-line without holding the whole file in memory (#154):
+        // stream the file and only test each line as it is produced, breaking early
+        // once MAX_RESULTS is reached.
+        grepFileStreaming(filePath, regex, relPath, results, MAX_RESULTS);
     }
     if (results.length === 0) {
         return 'No matches found';