@caupulican/pi-adaptative 0.80.65 → 0.80.67
- package/CHANGELOG.md +12 -0
- package/dist/core/agent-session.d.ts +9 -0
- package/dist/core/agent-session.d.ts.map +1 -1
- package/dist/core/agent-session.js +48 -17
- package/dist/core/agent-session.js.map +1 -1
- package/dist/core/gateways/channel-provider.d.ts +73 -0
- package/dist/core/gateways/channel-provider.d.ts.map +1 -0
- package/dist/core/gateways/channel-provider.js +79 -0
- package/dist/core/gateways/channel-provider.js.map +1 -0
- package/dist/core/security/untrusted-boundary.d.ts +31 -0
- package/dist/core/security/untrusted-boundary.d.ts.map +1 -0
- package/dist/core/security/untrusted-boundary.js +60 -0
- package/dist/core/security/untrusted-boundary.js.map +1 -0
- package/examples/extensions/custom-provider-anthropic/package-lock.json +2 -2
- package/examples/extensions/custom-provider-anthropic/package.json +1 -1
- package/examples/extensions/custom-provider-gitlab-duo/package.json +1 -1
- package/examples/extensions/sandbox/package-lock.json +2 -2
- package/examples/extensions/sandbox/package.json +1 -1
- package/examples/extensions/with-deps/package-lock.json +2 -2
- package/examples/extensions/with-deps/package.json +1 -1
- package/npm-shrinkwrap.json +12 -12
- package/package.json +4 -4
|
@@ -31,6 +31,7 @@ import { createCoreDiagnosticsToolDefinitions } from "./extensions/builtin.js";
|
|
|
31
31
|
import { ExtensionRunner, wrapRegisteredTools, } from "./extensions/index.js";
|
|
32
32
|
import { disposeExtensionEventSubscriptions } from "./extensions/loader.js";
|
|
33
33
|
import { emitSessionShutdownEvent } from "./extensions/runner.js";
|
|
34
|
+
import { GatewayRegistry } from "./gateways/channel-provider.js";
|
|
34
35
|
import { decideDemand, ReflectionEngine, } from "./learning/reflection-engine.js";
|
|
35
36
|
import { EffectivenessTracker } from "./memory/effectiveness-tracker.js";
|
|
36
37
|
import { MemoryManager } from "./memory/memory-manager.js";
|
|
@@ -40,6 +41,7 @@ import { compactToolResultDetailsForRetention } from "./message-retention.js";
|
|
|
40
41
|
import { resolveProfileModelSettings } from "./model-resolver.js";
|
|
41
42
|
import { expandPromptTemplate } from "./prompt-templates.js";
|
|
42
43
|
import { stripResourceProfileBlocks } from "./resource-profile-blocks.js";
|
|
44
|
+
import { classifyToolTrust, UNTRUSTED_BOUNDARY_SYSTEM_RULE, wrapUntrustedText } from "./security/untrusted-boundary.js";
|
|
43
45
|
import { CURRENT_SESSION_VERSION, getLatestCompactionEntry } from "./session-manager.js";
|
|
44
46
|
import { matchesResourceProfilePattern, } from "./settings-manager.js";
|
|
45
47
|
import { createSyntheticSourceInfo } from "./source-info.js";
|
|
@@ -123,6 +125,8 @@ export class AgentSession {
|
|
|
123
125
|
_memoryManager = new MemoryManager();
|
|
124
126
|
/** R4: tracks whether injected recall is actually used, to adapt the recall gate. */
|
|
125
127
|
_effectivenessTracker = new EffectivenessTracker();
|
|
128
|
+
/** R8: registry for deployment-supplied gateway channels + schedulers (lifecycle driven by the host runner). */
|
|
129
|
+
_gatewayRegistry = new GatewayRegistry();
|
|
126
130
|
_isChildSession;
|
|
127
131
|
/** Memory providers registered by extensions via pi.registerMemoryProvider, applied on (re)init. */
|
|
128
132
|
_pendingMemoryProviders = [];
|
|
@@ -350,26 +354,37 @@ export class AgentSession {
|
|
|
350
354
|
};
|
|
351
355
|
this.agent.afterToolCall = async ({ toolCall, args, result, isError }) => {
|
|
352
356
|
const runner = this._extensionRunner;
|
|
353
|
-
|
|
354
|
-
|
|
357
|
+
let content = result.content;
|
|
358
|
+
let details = result.details;
|
|
359
|
+
let resolvedIsError = isError;
|
|
360
|
+
if (runner.hasHandlers("tool_result")) {
|
|
361
|
+
const hookResult = await runner.emitToolResult({
|
|
362
|
+
type: "tool_result",
|
|
363
|
+
toolName: toolCall.name,
|
|
364
|
+
toolCallId: toolCall.id,
|
|
365
|
+
input: args,
|
|
366
|
+
content,
|
|
367
|
+
details,
|
|
368
|
+
isError,
|
|
369
|
+
});
|
|
370
|
+
if (hookResult) {
|
|
371
|
+
content = hookResult.content ?? content;
|
|
372
|
+
details = hookResult.details;
|
|
373
|
+
resolvedIsError = hookResult.isError ?? isError;
|
|
374
|
+
}
|
|
355
375
|
}
|
|
356
|
-
|
|
357
|
-
|
|
358
|
-
|
|
359
|
-
|
|
360
|
-
|
|
361
|
-
content:
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
if (!hookResult) {
|
|
376
|
+
// Untrusted-content boundary: structurally fence output from attacker-controllable sources
|
|
377
|
+
// (web/search, subagents, recall, third-party tools) so injection payloads are framed as data.
|
|
378
|
+
// First-party tools (read/grep/find/ls/edit/write/bash) are trusted and pass through unchanged.
|
|
379
|
+
if (classifyToolTrust(toolCall.name) === "untrusted") {
|
|
380
|
+
const source = `tool:${toolCall.name}`;
|
|
381
|
+
const wrapped = content.map((block) => block.type === "text" ? { ...block, text: wrapUntrustedText(block.text, source) } : block);
|
|
382
|
+
content = wrapped;
|
|
383
|
+
}
|
|
384
|
+
if (content === result.content && details === result.details && resolvedIsError === isError) {
|
|
366
385
|
return undefined;
|
|
367
386
|
}
|
|
368
|
-
return {
|
|
369
|
-
content: hookResult.content,
|
|
370
|
-
details: hookResult.details,
|
|
371
|
-
isError: hookResult.isError ?? isError,
|
|
372
|
-
};
|
|
387
|
+
return { content, details, isError: resolvedIsError };
|
|
373
388
|
};
|
|
374
389
|
}
|
|
375
390
|
// =========================================================================
|
|
@@ -659,6 +674,8 @@ export class AgentSession {
|
|
|
659
674
|
this.abortBranchSummary();
|
|
660
675
|
this.abortBash();
|
|
661
676
|
this.agent.abort();
|
|
677
|
+
// R8: stop any deployment-registered gateway channels / schedulers.
|
|
678
|
+
void this._gatewayRegistry.stop().catch(() => { });
|
|
662
679
|
}
|
|
663
680
|
catch {
|
|
664
681
|
// Dispose must succeed even if an abort hook throws.
|
|
@@ -896,6 +913,8 @@ export class AgentSession {
|
|
|
896
913
|
// R6: situational soul — the active profile's identity prefix, switched atomically with the
|
|
897
914
|
// profile's capabilities/model. Most prominent, so it comes first.
|
|
898
915
|
this._buildSituationSoulPrompt(),
|
|
916
|
+
// Always-on untrusted-content boundary contract (gives the <untrusted_content> fences meaning).
|
|
917
|
+
UNTRUSTED_BOUNDARY_SYSTEM_RULE,
|
|
899
918
|
this._buildSelfModificationPrompt(),
|
|
900
919
|
this._buildAutonomyPrompt(),
|
|
901
920
|
// Memory subsystem: static, frozen-per-session block (e.g. file-store MEMORY.md/USER.md).
|
|
@@ -2301,6 +2320,18 @@ export class AgentSession {
|
|
|
2301
2320
|
this._pendingMemoryProviders.push(provider);
|
|
2302
2321
|
}
|
|
2303
2322
|
}
|
|
2323
|
+
/** R8: the gateway/scheduler registry. A deployment runner registers providers and drives start/stop. */
|
|
2324
|
+
get gateways() {
|
|
2325
|
+
return this._gatewayRegistry;
|
|
2326
|
+
}
|
|
2327
|
+
/** R8: register a deployment-supplied transport channel (gateway). */
|
|
2328
|
+
registerChannelProvider(provider) {
|
|
2329
|
+
this._gatewayRegistry.registerChannel(provider);
|
|
2330
|
+
}
|
|
2331
|
+
/** R8: register a deployment-supplied job scheduler (cron). */
|
|
2332
|
+
registerJobScheduler(provider) {
|
|
2333
|
+
this._gatewayRegistry.registerScheduler(provider);
|
|
2334
|
+
}
|
|
2304
2335
|
_refreshToolRegistry(options) {
|
|
2305
2336
|
const previousRegistryNames = new Set(this._toolRegistry.keys());
|
|
2306
2337
|
const previousActiveToolNames = this.getActiveToolNames();
|
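Review bot: The trust decision at `classifyToolTrust(toolCall.name)` in the `afterToolCall` hunk is made on the tool name alone, and the comment above it treats read/grep/find/ls/edit/write/bash as trusted, yet the output of those tools is often text the agent did not author (a file from a cloned repository, the output of a command that fetched remote data), so that content still reaches the model unfenced. Consider classifying by where the data came from rather than by which tool returned it, or at least record the accepted gap next to the check, e.g. `// NOTE: read/bash output is passed through unfenced even when the file or command output originates outside the workspace`. Two things cannot be confirmed from this file and should be checked in `security/untrusted-boundary.js`: that `wrapUntrustedText` neutralises a literal closing `</untrusted_content>` inside `block.text`, and that `source` (built from `toolCall.name`) is escaped before it is placed in the fence. The new `content.map(...)` also runs on paths that previously returned `undefined` without touching `content`, so a guard such as `Array.isArray(content)` before the map would keep a tool result that lacks a content array from throwing here.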