npm - @circuitwall/jarela - Versions diffs - 0.9.3 → 0.10.0 - Mend

@circuitwall/jarela 0.9.3 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/.next/standalone/.next/server/chunks/614.js CHANGED Viewed

@@ -1562,95 +1562,7 @@ function loadExternalTools(builtinNames) {
 /***/ }),
-/***/ 30685:
-/***/ ((__unused_webpack_module, __webpack_exports__, __webpack_require__) => {
-/* harmony export */ __webpack_require__.d(__webpack_exports__, {
-/* harmony export */   V: () => (/* binding */ collectStream)
-/* harmony export */ });
-// Shared collector for agent stream consumers.
-//
-// Previously three near-identical drain loops lived in:
-//   - app/api/v1/threads/[thread_id]/run/route.ts  (HTTP run)
-//   - lib/scheduler/index.ts                       (cron tasks)
-//   - lib/bridges/dispatcher.ts                    (WhatsApp / bridges)
-//
-// They all read `prepared.stream`, accumulate `text_delta` into a single
-// assistant string, record `tool_call`/`tool_result` events, stop on
-// `done`/`error`, and surface the terminal state. This helper unifies that.
-/** Drain an async stream of `StreamChunk` into a single `CollectedRun`. */ async function collectStream(stream, opts = {}) {
-    const result = {
-        assistantContent: "",
-        usedTools: [],
-        toolEvents: [],
-        terminal: "done"
-    };
-    try {
-        for await (const chunk of stream){
-            opts.onChunk?.(chunk);
-            switch(chunk.type){
-                case "text_delta":
-                    {
-                        result.assistantContent += chunk.data.delta ?? "";
-                        break;
-                    }
-                case "tool_call":
-                    {
-                        const d = chunk.data;
-                        if (d.name) result.usedTools.push(d.name);
-                        result.toolEvents.push({
-                            id: d.id ?? `call-${result.toolEvents.length}`,
-                            phase: "call",
-                            name: d.name ?? "",
-                            payload: d.arguments
-                        });
-                        break;
-                    }
-                case "tool_result":
-                    {
-                        const d = chunk.data;
-                        result.toolEvents.push({
-                            id: d.id ?? `result-${result.toolEvents.length}`,
-                            phase: "result",
-                            name: d.name ?? "",
-                            payload: d.result
-                        });
-                        break;
-                    }
-                case "error":
-                    {
-                        result.terminal = "error";
-                        const msg = chunk.data?.message;
-                        if (typeof msg === "string") result.errorMessage = msg;
-                        return result;
-                    }
-                case "done":
-                    {
-                        const d = chunk.data;
-                        if (d?.usage && d.provider && d.model_id && d.usage.source === "provider") {
-                            result.usage = {
-                                input_tokens: d.usage.input_tokens ?? 0,
-                                output_tokens: d.usage.output_tokens ?? 0,
-                                provider: d.provider,
-                                model_id: d.model_id,
-                                model_config_name: d.model_config_name ?? null
-                            };
-                        }
-                        return result;
-                    }
-            }
-        }
-    } catch (err) {
-        result.terminal = "error";
-        result.errorMessage = err instanceof Error ? err.message : String(err);
-    }
-    return result;
-}
-/***/ }),
-/***/ 33934:
+/***/ 23696:
 /***/ ((__unused_webpack_module, __webpack_exports__, __webpack_require__) => {
@@ -2037,12 +1949,211 @@ const documentsIndexUrl = (0,tools/* tool */.z6)(async ({ input })=>{
 var external_node_child_process_ = __webpack_require__(31421);
 // EXTERNAL MODULE: ./lib/env/allowlist.ts
 var allowlist = __webpack_require__(23593);
+;// ./lib/tools/safety.ts
+// Safety mode for destructive built-in tools (exec + filesystem writes).
+//
+// Resolved once per call from `JARELA_TOOL_SAFETY`. Three tiers:
+//
+//   "safe"        — read-only. Exec accepts only an allowlisted set of
+//                   inspection commands (ls, git status, …); filesystem
+//                   tools refuse every write, edit, move, copy, delete,
+//                   or mkdir. Per-call `allow_unsafe` is IGNORED.
+//   "mostly_safe" — default. Exec blocks the obviously-dangerous pattern
+//                   list (rm -rf /, shutdown, fork bomb, …); filesystem
+//                   tools refuse credential paths and the Jarela data dir.
+//                   Per-call `allow_unsafe=true` lifts the exec block for
+//                   that single call.
+//   "bypass"      — every guard off. For local development on a machine
+//                   you control and trust completely. NOT for use behind
+//                   a tunnel or with untrusted prompt sources.
+//
+// The mode is process-wide so prompt injection cannot escalate by
+// passing arguments — the LLM can only ever *downgrade* (via
+// `allow_unsafe=false` semantics, which is just "don't try to bypass").
+function resolveSafetyMode() {
+    const raw = (process.env.JARELA_TOOL_SAFETY ?? "").trim().toLowerCase();
+    if (raw === "safe") return "safe";
+    if (raw === "bypass" || raw === "unsafe") return "bypass";
+    return "mostly_safe";
+}
+// Inspection-only commands allowed in `safe` mode. Matched as the FIRST
+// token (after stripping leading whitespace) — pipelines, redirections,
+// command substitution, &&, ;, etc. are all rejected because we cannot
+// reason about what the right-hand side will do.
+const SAFE_EXEC_ALLOWLIST = new Set([
+    "ls",
+    "dir",
+    "pwd",
+    "cd",
+    "echo",
+    "cat",
+    "type",
+    "head",
+    "tail",
+    "wc",
+    "stat",
+    "file",
+    "which",
+    "where",
+    "whoami",
+    "hostname",
+    "date",
+    "uname",
+    "df",
+    "du",
+    "ps",
+    "env",
+    "printenv",
+    "git",
+    "node",
+    "npm",
+    "npx",
+    "deno",
+    "python",
+    "python3",
+    "pip",
+    "pip3"
+]);
+// Subcommands considered read-only for tools that take a verb. We only
+// need to enumerate the dangerous tools here — anything not listed falls
+// back to "the whole tool is read-only" (e.g. `cat`, `ls`).
+const SAFE_SUBCOMMANDS = {
+    git: new Set([
+        "status",
+        "log",
+        "diff",
+        "show",
+        "blame",
+        "branch",
+        "tag",
+        "remote",
+        "ls-files",
+        "ls-tree",
+        "config",
+        "rev-parse",
+        "describe",
+        "shortlog",
+        "reflog"
+    ]),
+    npm: new Set([
+        "ls",
+        "list",
+        "view",
+        "info",
+        "outdated",
+        "config",
+        "whoami",
+        "ping",
+        "doctor"
+    ]),
+    npx: new Set([]),
+    node: new Set([]),
+    python: new Set([]),
+    python3: new Set([]),
+    deno: new Set([
+        "info",
+        "doc"
+    ]),
+    pip: new Set([
+        "list",
+        "show",
+        "freeze",
+        "config"
+    ]),
+    pip3: new Set([
+        "list",
+        "show",
+        "freeze",
+        "config"
+    ])
+};
+// Shell metacharacters that compose commands or redirect IO. Their
+// presence in `safe` mode is grounds for rejection because the
+// allowlist check only inspects the first token.
+const COMPOSER_RE = /[|&;`$<>]|\$\(|\|\||&&/;
+function checkExecAllowed(command, opts) {
+    if (opts.mode === "bypass") return {
+        allowed: true
+    };
+    if (opts.mode === "mostly_safe") {
+        if (opts.blockedByPattern && !opts.allowUnsafe) {
+            return {
+                allowed: false,
+                reason: "Command blocked by safety policy (mode=mostly_safe). Pass allow_unsafe=true only when you fully trust the command."
+            };
+        }
+        return {
+            allowed: true
+        };
+    }
+    // safe mode
+    const trimmed = command.trim();
+    if (!trimmed) return {
+        allowed: false,
+        reason: "command is required"
+    };
+    if (COMPOSER_RE.test(trimmed)) {
+        return {
+            allowed: false,
+            reason: "safe mode rejects pipelines, redirection, command substitution, &&, and ;. " + "Set JARELA_TOOL_SAFETY=mostly_safe (or bypass) to allow composite commands."
+        };
+    }
+    const tokens = trimmed.split(/\s+/);
+    const head = tokens[0]?.toLowerCase();
+    if (!head || !SAFE_EXEC_ALLOWLIST.has(head)) {
+        return {
+            allowed: false,
+            reason: `safe mode allows only inspection commands (${[
+                ...SAFE_EXEC_ALLOWLIST
+            ].sort().join(", ")}). ` + "Set JARELA_TOOL_SAFETY=mostly_safe to enable the broader policy."
+        };
+    }
+    const subAllowlist = SAFE_SUBCOMMANDS[head];
+    if (subAllowlist) {
+        const sub = tokens[1]?.toLowerCase().replace(/^--?/, "");
+        // Allow bare invocations that are themselves read-only (e.g. `git`
+        // alone prints help). Reject if the subcommand is missing for tools
+        // that need one to be safe (node/python/npx → arbitrary code).
+        if (subAllowlist.size === 0) {
+            return {
+                allowed: false,
+                reason: `safe mode refuses '${head}' because it can execute arbitrary code. Use mostly_safe or bypass.`
+            };
+        }
+        if (sub && !subAllowlist.has(sub)) {
+            return {
+                allowed: false,
+                reason: `safe mode allows '${head}' only for: ${[
+                    ...subAllowlist
+                ].sort().join(", ")}. ` + "Use mostly_safe or bypass for other subcommands."
+            };
+        }
+    }
+    return {
+        allowed: true
+    };
+}
+function checkFsAllowed(op, opts) {
+    if (opts.mode === "bypass" || opts.mode === "mostly_safe") return {
+        allowed: true
+    };
+    // safe mode: reads are fine, writes are not.
+    if (op === "read") return {
+        allowed: true
+    };
+    return {
+        allowed: false,
+        reason: "safe mode refuses filesystem mutations (write/edit/move/copy/delete/mkdir). " + "Set JARELA_TOOL_SAFETY=mostly_safe to enable writes outside credential dirs."
+    };
+}
 ;// ./lib/tools/exec.ts
 const MAX_OUTPUT_BYTES = 8000;
 const DEFAULT_TIMEOUT_MS = 10000;
 const MAX_TIMEOUT_MS = 60000;
@@ -2074,10 +2185,17 @@ function runLocalCommand(command, options) {
         });
     }
     const timeout = Math.min(options.timeout_ms ?? DEFAULT_TIMEOUT_MS, MAX_TIMEOUT_MS);
-    if (!options.allow_unsafe && isBlockedCommand(command)) {
+    const mode = resolveSafetyMode();
+    const gate = checkExecAllowed(command, {
+        mode,
+        allowUnsafe: options.allow_unsafe,
+        blockedByPattern: isBlockedCommand(command)
+    });
+    if (!gate.allowed) {
         return JSON.stringify({
             exit_code: 126,
-            stderr: "Command blocked by safety policy. Pass allow_unsafe=true only when you fully trust the command."
+            stderr: gate.reason,
+            safety_mode: mode
         });
     }
     const cwd = options.cwd?.trim() ? options.cwd : process.cwd();
@@ -2169,6 +2287,7 @@ var external_node_os_default = /*#__PURE__*/__webpack_require__.n(external_node_
 // Dedicated file tools. Agents previously had to drive every edit through
 // `local_exec` / `shell_exec`, which works for "create a new file with this
 // content" (echo / Set-Content) but is hostile to in-place edits: quoting
@@ -2250,6 +2369,13 @@ function jarelaDataDir() {
     return process.env.JARELA_DB_DIR ? external_node_path_default().resolve(process.env.JARELA_DB_DIR) : external_node_path_default().join(external_node_os_default().homedir(), ".jarela");
 }
 function assertSafePath(abs, op) {
+    const mode = resolveSafetyMode();
+    const gate = checkFsAllowed(op, {
+        mode
+    });
+    if (!gate.allowed) throw new Error(gate.reason);
+    // bypass mode disables every guard, including the credential denylist.
+    if (mode === "bypass") return;
     if (process.env.JARELA_ALLOW_SENSITIVE_FILES === "1") return;
     for (const base of sensitiveBase()){
         if (isInside(abs, base)) {
@@ -5056,6 +5182,94 @@ function initTools() {
 }
+/***/ }),
+/***/ 30685:
+/***/ ((__unused_webpack_module, __webpack_exports__, __webpack_require__) => {
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   V: () => (/* binding */ collectStream)
+/* harmony export */ });
+// Shared collector for agent stream consumers.
+//
+// Previously three near-identical drain loops lived in:
+//   - app/api/v1/threads/[thread_id]/run/route.ts  (HTTP run)
+//   - lib/scheduler/index.ts                       (cron tasks)
+//   - lib/bridges/dispatcher.ts                    (WhatsApp / bridges)
+//
+// They all read `prepared.stream`, accumulate `text_delta` into a single
+// assistant string, record `tool_call`/`tool_result` events, stop on
+// `done`/`error`, and surface the terminal state. This helper unifies that.
+/** Drain an async stream of `StreamChunk` into a single `CollectedRun`. */ async function collectStream(stream, opts = {}) {
+    const result = {
+        assistantContent: "",
+        usedTools: [],
+        toolEvents: [],
+        terminal: "done"
+    };
+    try {
+        for await (const chunk of stream){
+            opts.onChunk?.(chunk);
+            switch(chunk.type){
+                case "text_delta":
+                    {
+                        result.assistantContent += chunk.data.delta ?? "";
+                        break;
+                    }
+                case "tool_call":
+                    {
+                        const d = chunk.data;
+                        if (d.name) result.usedTools.push(d.name);
+                        result.toolEvents.push({
+                            id: d.id ?? `call-${result.toolEvents.length}`,
+                            phase: "call",
+                            name: d.name ?? "",
+                            payload: d.arguments
+                        });
+                        break;
+                    }
+                case "tool_result":
+                    {
+                        const d = chunk.data;
+                        result.toolEvents.push({
+                            id: d.id ?? `result-${result.toolEvents.length}`,
+                            phase: "result",
+                            name: d.name ?? "",
+                            payload: d.result
+                        });
+                        break;
+                    }
+                case "error":
+                    {
+                        result.terminal = "error";
+                        const msg = chunk.data?.message;
+                        if (typeof msg === "string") result.errorMessage = msg;
+                        return result;
+                    }
+                case "done":
+                    {
+                        const d = chunk.data;
+                        if (d?.usage && d.provider && d.model_id && d.usage.source === "provider") {
+                            result.usage = {
+                                input_tokens: d.usage.input_tokens ?? 0,
+                                output_tokens: d.usage.output_tokens ?? 0,
+                                provider: d.provider,
+                                model_id: d.model_id,
+                                model_config_name: d.model_config_name ?? null
+                            };
+                        }
+                        return result;
+                    }
+            }
+        }
+    } catch (err) {
+        result.terminal = "error";
+        result.errorMessage = err instanceof Error ? err.message : String(err);
+    }
+    return result;
+}
 /***/ }),
 /***/ 38710:
@@ -5081,8 +5295,8 @@ var dist_messages = __webpack_require__(12016);
 var providers = __webpack_require__(68866);
 // EXTERNAL MODULE: ./lib/stores/model-config.ts
 var model_config = __webpack_require__(80937);
-// EXTERNAL MODULE: ./lib/tools/index.ts + 18 modules
-var lib_tools = __webpack_require__(33934);
+// EXTERNAL MODULE: ./lib/tools/index.ts + 19 modules
+var lib_tools = __webpack_require__(23696);
 // EXTERNAL MODULE: ./node_modules/@langchain/core/dist/language_models/chat_models.js + 1 modules
 var chat_models = __webpack_require__(87233);
 // EXTERNAL MODULE: ./node_modules/@langchain/core/dist/outputs.js
@@ -6551,6 +6765,8 @@ var external_node_os_default = /*#__PURE__*/__webpack_require__.n(external_node_
 var user_profile = __webpack_require__(67308);
 // EXTERNAL MODULE: ./lib/stores/integrations.ts
 var integrations = __webpack_require__(78228);
+// EXTERNAL MODULE: ./lib/stores/document-sources.ts
+var document_sources = __webpack_require__(91441);
 // EXTERNAL MODULE: ./lib/agents/adaptive-persona-presets.ts
 var adaptive_persona_presets = __webpack_require__(66849);
 ;// ./lib/agents/adaptive-persona.ts
@@ -6875,6 +7091,7 @@ var app_config = __webpack_require__(48954);
 const APP_NAME = (0,app_config/* getAppName */.fj)();
 function buildSystemPrompt(ctx) {
     const { agentCfg, trimmedMessage, budget, recallCtx, warmSummaryCtx, factsCtx, experienceMode, delegateRosterLines } = ctx;
@@ -6894,6 +7111,7 @@ function buildSystemPrompt(ctx) {
         adaptivePersonaCtx,
         buildUserContext(),
         buildIntegrationsContext(),
+        buildDocumentsContext(),
         harnessParts.capabilities,
         harnessParts.plan_first,
         harnessParts.presentation,
@@ -7001,6 +7219,31 @@ function buildDelegatesContext(lines) {
         ...lines
     ].join("\n");
 }
+// Surface indexed Documents so the model knows the RAG corpus exists.
+// Without this nudge agents almost never call `documents_search` — they have
+// no signal that any local content is searchable. Gated on actually-indexed
+// chunks (not just configured sources) so an empty/erroring source doesn't
+// produce false advertising.
+function buildDocumentsContext() {
+    const sources = (0,document_sources/* listEnabledDocumentSources */.vU)();
+    if (sources.length === 0) return "";
+    let totalChunks = 0;
+    const lines = [];
+    for (const s of sources){
+        const stats = (0,document_sources/* getDocumentSourceStats */.Io)(s.id);
+        if (stats.chunk_count === 0) continue;
+        totalChunks += stats.chunk_count;
+        const label = s.label ?? s.path;
+        lines.push(`- ${label} (${s.kind}, ${stats.chunk_count} chunks)`);
+    }
+    if (totalChunks === 0) return "";
+    return [
+        "--- Indexed documents ---",
+        `The user has ${totalChunks} indexed chunks across ${lines.length} document source(s) available to you:`,
+        ...lines,
+        "Call `documents_search` whenever the user asks about local files, notes, project docs, or any content that sounds like it lives in one of these sources. Prefer it over guessing from training data. Use `documents_list_sources` to enumerate, and pass `source_id` to scope a search."
+    ].join("\n");
+}
 // EXTERNAL MODULE: ./lib/providers/known-context-windows.ts
 var known_context_windows = __webpack_require__(45552);