@caupulican/pi-adaptative 0.80.65 → 0.80.67

@@ -31,6 +31,7 @@ import { createCoreDiagnosticsToolDefinitions } from "./extensions/builtin.js";
31
31
  import { ExtensionRunner, wrapRegisteredTools, } from "./extensions/index.js";
32
32
  import { disposeExtensionEventSubscriptions } from "./extensions/loader.js";
33
33
  import { emitSessionShutdownEvent } from "./extensions/runner.js";
34
+ import { GatewayRegistry } from "./gateways/channel-provider.js";
34
35
  import { decideDemand, ReflectionEngine, } from "./learning/reflection-engine.js";
35
36
  import { EffectivenessTracker } from "./memory/effectiveness-tracker.js";
36
37
  import { MemoryManager } from "./memory/memory-manager.js";
@@ -40,6 +41,7 @@ import { compactToolResultDetailsForRetention } from "./message-retention.js";
40
41
  import { resolveProfileModelSettings } from "./model-resolver.js";
41
42
  import { expandPromptTemplate } from "./prompt-templates.js";
42
43
  import { stripResourceProfileBlocks } from "./resource-profile-blocks.js";
44
+ import { classifyToolTrust, UNTRUSTED_BOUNDARY_SYSTEM_RULE, wrapUntrustedText } from "./security/untrusted-boundary.js";
43
45
  import { CURRENT_SESSION_VERSION, getLatestCompactionEntry } from "./session-manager.js";
44
46
  import { matchesResourceProfilePattern, } from "./settings-manager.js";
45
47
  import { createSyntheticSourceInfo } from "./source-info.js";
@@ -123,6 +125,8 @@ export class AgentSession {
123
125
  _memoryManager = new MemoryManager();
124
126
  /** R4: tracks whether injected recall is actually used, to adapt the recall gate. */
125
127
  _effectivenessTracker = new EffectivenessTracker();
128
+ /** R8: registry for deployment-supplied gateway channels + schedulers (lifecycle driven by the host runner). */
129
+ _gatewayRegistry = new GatewayRegistry();
126
130
  _isChildSession;
127
131
  /** Memory providers registered by extensions via pi.registerMemoryProvider, applied on (re)init. */
128
132
  _pendingMemoryProviders = [];
@@ -350,26 +354,37 @@ export class AgentSession {
350
354
  };
351
355
  this.agent.afterToolCall = async ({ toolCall, args, result, isError }) => {
352
356
  const runner = this._extensionRunner;
353
- if (!runner.hasHandlers("tool_result")) {
354
- return undefined;
357
+ let content = result.content;
358
+ let details = result.details;
359
+ let resolvedIsError = isError;
360
+ if (runner.hasHandlers("tool_result")) {
361
+ const hookResult = await runner.emitToolResult({
362
+ type: "tool_result",
363
+ toolName: toolCall.name,
364
+ toolCallId: toolCall.id,
365
+ input: args,
366
+ content,
367
+ details,
368
+ isError,
369
+ });
370
+ if (hookResult) {
371
+ content = hookResult.content ?? content;
372
+ details = hookResult.details;
373
+ resolvedIsError = hookResult.isError ?? isError;
374
+ }
355
375
  }
356
- const hookResult = await runner.emitToolResult({
357
- type: "tool_result",
358
- toolName: toolCall.name,
359
- toolCallId: toolCall.id,
360
- input: args,
361
- content: result.content,
362
- details: result.details,
363
- isError,
364
- });
365
- if (!hookResult) {
376
+ // Untrusted-content boundary: structurally fence output from attacker-controllable sources
377
+ // (web/search, subagents, recall, third-party tools) so injection payloads are framed as data.
378
+ // First-party tools (read/grep/find/ls/edit/write/bash) are trusted and pass through unchanged.
379
+ if (classifyToolTrust(toolCall.name) === "untrusted") {
380
+ const source = `tool:${toolCall.name}`;
381
+ const wrapped = content.map((block) => block.type === "text" ? { ...block, text: wrapUntrustedText(block.text, source) } : block);
382
+ content = wrapped;
383
+ }
384
+ if (content === result.content && details === result.details && resolvedIsError === isError) {
366
385
  return undefined;
367
386
  }
368
- return {
369
- content: hookResult.content,
370
- details: hookResult.details,
371
- isError: hookResult.isError ?? isError,
372
- };
387
+ return { content, details, isError: resolvedIsError };
373
388
  };
374
389
  }
375
390
  // =========================================================================
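Review bot: The trust decision at `classifyToolTrust(toolCall.name) === "untrusted"` is keyed on the tool's name rather than on where its output came from, and the comment above it lists read and bash as trusted even though file contents from a checked-out repository or command output that includes fetched data can be just as attacker-controllable as a web result. If that pass-through is intentional, the comment should say so, e.g. `// "trusted" means first-party tool code, not trusted data: read/bash output can still carry injected text and is NOT fenced.` Separately, `content.map(...)` now runs even when no `tool_result` handler is registered and will throw if `content` is not an array (for instance a hook that returns a string); that case should be normalised and wrapped as text rather than skipped, so the guard does not fail open. Whether `wrapUntrustedText` neutralises a closing fence embedded in `block.text`, and what `classifyToolTrust` returns for an unknown or extension-registered name, is not visible here and is worth confirming in `./security/untrusted-boundary.js`. The enclosing method begins before this hunk.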
@@ -659,6 +674,8 @@ export class AgentSession {
659
674
  this.abortBranchSummary();
660
675
  this.abortBash();
661
676
  this.agent.abort();
677
+ // R8: stop any deployment-registered gateway channels / schedulers.
678
+ void this._gatewayRegistry.stop().catch(() => { });
662
679
  }
663
680
  catch {
664
681
  // Dispose must succeed even if an abort hook throws.
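Review bot: The added `void this._gatewayRegistry.stop().catch(() => { });` discards both the promise and any failure, so a channel or scheduler that does not shut down keeps running after the session is disposed, with nothing recorded. For a component that presumably accepts inbound messages, that deserves at least a log line, e.g. `void this._gatewayRegistry.stop().catch((err) => console.warn("gateway stop failed", err));`, or an `await` if the enclosing method can be async. Its signature and the opening of the surrounding `try` are outside this hunk, so the async option needs checking against the full method.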
@@ -896,6 +913,8 @@ export class AgentSession {
896
913
  // R6: situational soul — the active profile's identity prefix, switched atomically with the
897
914
  // profile's capabilities/model. Most prominent, so it comes first.
898
915
  this._buildSituationSoulPrompt(),
916
+ // Always-on untrusted-content boundary contract (gives the <untrusted_content> fences meaning).
917
+ UNTRUSTED_BOUNDARY_SYSTEM_RULE,
899
918
  this._buildSelfModificationPrompt(),
900
919
  this._buildAutonomyPrompt(),
901
920
  // Memory subsystem: static, frozen-per-session block (e.g. file-store MEMORY.md/USER.md).
@@ -2301,6 +2320,18 @@ export class AgentSession {
2301
2320
  this._pendingMemoryProviders.push(provider);
2302
2321
  }
2303
2322
  }
2323
+ /** R8: the gateway/scheduler registry. A deployment runner registers providers and drives start/stop. */
2324
+ get gateways() {
2325
+ return this._gatewayRegistry;
2326
+ }
2327
+ /** R8: register a deployment-supplied transport channel (gateway). */
2328
+ registerChannelProvider(provider) {
2329
+ this._gatewayRegistry.registerChannel(provider);
2330
+ }
2331
+ /** R8: register a deployment-supplied job scheduler (cron). */
2332
+ registerJobScheduler(provider) {
2333
+ this._gatewayRegistry.registerScheduler(provider);
2334
+ }
2304
2335
  _refreshToolRegistry(options) {
2305
2336
  const previousRegistryNames = new Set(this._toolRegistry.keys());
2306
2337
  const previousActiveToolNames = this.getActiveToolNames();
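Review bot: The new accessors say who is expected to call them but not what they accept: `registerChannelProvider(provider)` and `registerJobScheduler(provider)` forward their argument to the registry with no shape check, and `get gateways()` hands out the live registry, so any holder of the session can register providers or drive start/stop. I would extend each JSDoc with a `@param {object} provider` line describing the expected interface, and state the trust expectation, e.g. `Host-runner only; not intended for extensions. Text arriving over a channel is attacker-controllable and does not pass through the afterToolCall fence.` That last sentence is inferred, since how channel messages enter the session is not visible here, so confirm it before committing to the wording. Whether registration after dispose is rejected is likewise decided in `GatewayRegistry`, outside this hunk.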