@dexto/core 1.5.4 → 1.5.6

package/dist/filesystem/path-validator.cjs

@@ -1,250 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var path_validator_exports = {};
-__export(path_validator_exports, {
-  PathValidator: () => PathValidator
-});
-module.exports = __toCommonJS(path_validator_exports);
-var path = __toESM(require("node:path"), 1);
-var fs = __toESM(require("node:fs/promises"), 1);
-class PathValidator {
-  config;
-  normalizedAllowedPaths;
-  normalizedBlockedPaths;
-  normalizedBlockedExtensions;
-  logger;
-  directoryApprovalChecker;
-  constructor(config, logger) {
-    this.config = config;
-    this.logger = logger;
-    const workingDir = config.workingDirectory || process.cwd();
-    this.normalizedAllowedPaths = config.allowedPaths.map((p) => path.resolve(workingDir, p));
-    this.normalizedBlockedPaths = config.blockedPaths.map((p) => path.normalize(p));
-    this.normalizedBlockedExtensions = (config.blockedExtensions || []).map((ext) => {
-      const e = ext.startsWith(".") ? ext : `.${ext}`;
-      return e.toLowerCase();
-    });
-    this.logger.debug(
-      `PathValidator initialized with ${this.normalizedAllowedPaths.length} allowed paths`
-    );
-  }
-  /**
-   * Set a callback to check if a path is in an approved directory.
-   * This allows PathValidator to consult ApprovalManager without a direct dependency.
-   *
-   * @param checker Function that returns true if path is in an approved directory
-   */
-  setDirectoryApprovalChecker(checker) {
-    this.directoryApprovalChecker = checker;
-    this.logger.debug("Directory approval checker configured");
-  }
-  /**
-   * Validate a file path for security and policy compliance
-   */
-  async validatePath(filePath) {
-    if (!filePath || filePath.trim() === "") {
-      return {
-        isValid: false,
-        error: "Path cannot be empty"
-      };
-    }
-    const workingDir = this.config.workingDirectory || process.cwd();
-    let normalizedPath;
-    try {
-      normalizedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDir, filePath);
-      try {
-        normalizedPath = await fs.realpath(normalizedPath);
-      } catch {
-      }
-    } catch (error) {
-      return {
-        isValid: false,
-        error: `Failed to normalize path: ${error instanceof Error ? error.message : String(error)}`
-      };
-    }
-    if (this.hasPathTraversal(filePath, normalizedPath)) {
-      return {
-        isValid: false,
-        error: "Path traversal detected"
-      };
-    }
-    if (!this.isPathAllowed(normalizedPath)) {
-      return {
-        isValid: false,
-        error: `Path is not within allowed paths. Allowed: ${this.normalizedAllowedPaths.join(", ")}`
-      };
-    }
-    const blockedReason = this.isPathBlocked(normalizedPath);
-    if (blockedReason) {
-      return {
-        isValid: false,
-        error: `Path is blocked: ${blockedReason}`
-      };
-    }
-    const ext = path.extname(normalizedPath).toLowerCase();
-    if (ext && this.normalizedBlockedExtensions.includes(ext)) {
-      return {
-        isValid: false,
-        error: `File extension ${ext} is not allowed`
-      };
-    }
-    return {
-      isValid: true,
-      normalizedPath
-    };
-  }
-  /**
-   * Check if path contains traversal attempts
-   */
-  hasPathTraversal(originalPath, normalizedPath) {
-    if (originalPath.includes("../") || originalPath.includes("..\\")) {
-      const workingDir = this.config.workingDirectory || process.cwd();
-      const relative = path.relative(workingDir, normalizedPath);
-      if (relative.startsWith("..")) {
-        return true;
-      }
-    }
-    return false;
-  }
-  /**
-   * Check if path is within allowed paths (whitelist check)
-   * Also consults the directory approval checker if configured.
-   * Uses the sync version since the path is already normalized at this point.
-   */
-  isPathAllowed(normalizedPath) {
-    return this.isPathAllowedSync(normalizedPath);
-  }
-  /**
-   * Synchronous path allowed check (for already-normalized paths)
-   * This is used internally when we already have a canonicalized path
-   */
-  isPathAllowedSync(normalizedPath) {
-    if (this.normalizedAllowedPaths.length === 0) {
-      return true;
-    }
-    const isInConfigPaths = this.normalizedAllowedPaths.some((allowedPath) => {
-      const relative = path.relative(allowedPath, normalizedPath);
-      return !relative.startsWith("..") && !path.isAbsolute(relative);
-    });
-    if (isInConfigPaths) {
-      return true;
-    }
-    if (this.directoryApprovalChecker) {
-      return this.directoryApprovalChecker(normalizedPath);
-    }
-    return false;
-  }
-  /**
-   * Check if path matches blocked patterns (blacklist check)
-   */
-  isPathBlocked(normalizedPath) {
-    const roots = this.normalizedAllowedPaths.length > 0 ? this.normalizedAllowedPaths : [this.config.workingDirectory || process.cwd()];
-    for (const blocked of this.normalizedBlockedPaths) {
-      for (const root of roots) {
-        const blockedFull = path.isAbsolute(blocked) ? path.normalize(blocked) : path.resolve(root, blocked);
-        if (normalizedPath === blockedFull || normalizedPath.startsWith(blockedFull + path.sep)) {
-          return `Within blocked directory: ${blocked}`;
-        }
-      }
-    }
-    return null;
-  }
-  /**
-   * Quick check if a path is allowed (for internal use)
-   * Note: This assumes the path is already normalized/canonicalized
-   */
-  isPathAllowedQuick(normalizedPath) {
-    return this.isPathAllowedSync(normalizedPath) && !this.isPathBlocked(normalizedPath);
-  }
-  /**
-   * Check if a file path is within the configured allowed paths (from config only).
-   * This method does NOT consult ApprovalManager - it only checks the static config paths.
-   *
-   * This is used by ToolManager.checkDirectoryAccess() to determine if a path
-   * needs directory approval. Paths within config-allowed directories don't need
-   * directory approval prompts.
-   *
-   * @param filePath The file path to check (can be relative or absolute)
-   * @returns true if the path is within config-allowed paths, false otherwise
-   *
-   * @example
-   * ```typescript
-   * // Check if path needs directory approval
-   * if (!await pathValidator.isPathWithinAllowed('/external/project/file.ts')) {
-   *   // Request directory access approval
-   * }
-   * ```
-   */
-  async isPathWithinAllowed(filePath) {
-    if (!filePath || filePath.trim() === "") {
-      return false;
-    }
-    const workingDir = this.config.workingDirectory || process.cwd();
-    let normalizedPath;
-    try {
-      normalizedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDir, filePath);
-      try {
-        normalizedPath = await fs.realpath(normalizedPath);
-      } catch {
-      }
-    } catch {
-      return false;
-    }
-    return this.isInConfigAllowedPaths(normalizedPath);
-  }
-  /**
-   * Check if path is within config-allowed paths only (no approval checker).
-   * Used for prompting decisions.
-   */
-  isInConfigAllowedPaths(normalizedPath) {
-    if (this.normalizedAllowedPaths.length === 0) {
-      return true;
-    }
-    return this.normalizedAllowedPaths.some((allowedPath) => {
-      const relative = path.relative(allowedPath, normalizedPath);
-      return !relative.startsWith("..") && !path.isAbsolute(relative);
-    });
-  }
-  /**
-   * Get normalized allowed paths
-   */
-  getAllowedPaths() {
-    return [...this.normalizedAllowedPaths];
-  }
-  /**
-   * Get blocked paths
-   */
-  getBlockedPaths() {
-    return [...this.normalizedBlockedPaths];
-  }
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  PathValidator
-});

package/dist/filesystem/path-validator.d.ts

@@ -1,103 +0,0 @@
-/**
- * Path Validator
- *
- * Security-focused path validation for file system operations
- */
-import { FileSystemConfig, PathValidation } from './types.js';
-import type { IDextoLogger } from '../logger/v2/types.js';
-/**
- * Callback type for checking if a path is in an approved directory.
- * Used to consult ApprovalManager without creating a direct dependency.
- */
-export type DirectoryApprovalChecker = (filePath: string) => boolean;
-/**
- * PathValidator - Validates file paths for security and policy compliance
- *
- * Security checks:
- * 1. Path traversal detection (../, symbolic links)
- * 2. Allowed paths enforcement (whitelist + approved directories)
- * 3. Blocked paths detection (blacklist)
- * 4. File extension restrictions
- * 5. Absolute path normalization
- *
- * PathValidator can optionally consult an external approval checker (e.g., ApprovalManager)
- * to determine if paths outside the config's allowed paths are accessible.
- */
-export declare class PathValidator {
-    private config;
-    private normalizedAllowedPaths;
-    private normalizedBlockedPaths;
-    private normalizedBlockedExtensions;
-    private logger;
-    private directoryApprovalChecker;
-    constructor(config: FileSystemConfig, logger: IDextoLogger);
-    /**
-     * Set a callback to check if a path is in an approved directory.
-     * This allows PathValidator to consult ApprovalManager without a direct dependency.
-     *
-     * @param checker Function that returns true if path is in an approved directory
-     */
-    setDirectoryApprovalChecker(checker: DirectoryApprovalChecker): void;
-    /**
-     * Validate a file path for security and policy compliance
-     */
-    validatePath(filePath: string): Promise<PathValidation>;
-    /**
-     * Check if path contains traversal attempts
-     */
-    private hasPathTraversal;
-    /**
-     * Check if path is within allowed paths (whitelist check)
-     * Also consults the directory approval checker if configured.
-     * Uses the sync version since the path is already normalized at this point.
-     */
-    private isPathAllowed;
-    /**
-     * Synchronous path allowed check (for already-normalized paths)
-     * This is used internally when we already have a canonicalized path
-     */
-    private isPathAllowedSync;
-    /**
-     * Check if path matches blocked patterns (blacklist check)
-     */
-    private isPathBlocked;
-    /**
-     * Quick check if a path is allowed (for internal use)
-     * Note: This assumes the path is already normalized/canonicalized
-     */
-    isPathAllowedQuick(normalizedPath: string): boolean;
-    /**
-     * Check if a file path is within the configured allowed paths (from config only).
-     * This method does NOT consult ApprovalManager - it only checks the static config paths.
-     *
-     * This is used by ToolManager.checkDirectoryAccess() to determine if a path
-     * needs directory approval. Paths within config-allowed directories don't need
-     * directory approval prompts.
-     *
-     * @param filePath The file path to check (can be relative or absolute)
-     * @returns true if the path is within config-allowed paths, false otherwise
-     *
-     * @example
-     * ```typescript
-     * // Check if path needs directory approval
-     * if (!await pathValidator.isPathWithinAllowed('/external/project/file.ts')) {
-     *   // Request directory access approval
-     * }
-     * ```
-     */
-    isPathWithinAllowed(filePath: string): Promise<boolean>;
-    /**
-     * Check if path is within config-allowed paths only (no approval checker).
-     * Used for prompting decisions.
-     */
-    private isInConfigAllowedPaths;
-    /**
-     * Get normalized allowed paths
-     */
-    getAllowedPaths(): string[];
-    /**
-     * Get blocked paths
-     */
-    getBlockedPaths(): string[];
-}
-//# sourceMappingURL=path-validator.d.ts.map

package/dist/filesystem/path-validator.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"path-validator.d.ts","sourceRoot":"","sources":["../../src/filesystem/path-validator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;AAErE;;;;;;;;;;;;GAYG;AACH,qBAAa,aAAa;IACtB,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,sBAAsB,CAAW;IACzC,OAAO,CAAC,sBAAsB,CAAW;IACzC,OAAO,CAAC,2BAA2B,CAAW;IAC9C,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,wBAAwB,CAAuC;gBAE3D,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,YAAY;IAsB1D;;;;;OAKG;IACH,2BAA2B,CAAC,OAAO,EAAE,wBAAwB,GAAG,IAAI;IAKpE;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAyE7D;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAaxB;;;;OAIG;IACH,OAAO,CAAC,aAAa;IAIrB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAyBzB;;OAEG;IACH,OAAO,CAAC,aAAa;IAyBrB;;;OAGG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO;IAInD;;;;;;;;;;;;;;;;;;OAkBG;IACG,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA8B7D;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;OAEG;IACH,eAAe,IAAI,MAAM,EAAE;IAI3B;;OAEG;IACH,eAAe,IAAI,MAAM,EAAE;CAG9B"}

package/dist/filesystem/path-validator.js

@@ -1,217 +0,0 @@
-import "../chunk-PTJYTZNU.js";
-import * as path from "node:path";
-import * as fs from "node:fs/promises";
-class PathValidator {
-  config;
-  normalizedAllowedPaths;
-  normalizedBlockedPaths;
-  normalizedBlockedExtensions;
-  logger;
-  directoryApprovalChecker;
-  constructor(config, logger) {
-    this.config = config;
-    this.logger = logger;
-    const workingDir = config.workingDirectory || process.cwd();
-    this.normalizedAllowedPaths = config.allowedPaths.map((p) => path.resolve(workingDir, p));
-    this.normalizedBlockedPaths = config.blockedPaths.map((p) => path.normalize(p));
-    this.normalizedBlockedExtensions = (config.blockedExtensions || []).map((ext) => {
-      const e = ext.startsWith(".") ? ext : `.${ext}`;
-      return e.toLowerCase();
-    });
-    this.logger.debug(
-      `PathValidator initialized with ${this.normalizedAllowedPaths.length} allowed paths`
-    );
-  }
-  /**
-   * Set a callback to check if a path is in an approved directory.
-   * This allows PathValidator to consult ApprovalManager without a direct dependency.
-   *
-   * @param checker Function that returns true if path is in an approved directory
-   */
-  setDirectoryApprovalChecker(checker) {
-    this.directoryApprovalChecker = checker;
-    this.logger.debug("Directory approval checker configured");
-  }
-  /**
-   * Validate a file path for security and policy compliance
-   */
-  async validatePath(filePath) {
-    if (!filePath || filePath.trim() === "") {
-      return {
-        isValid: false,
-        error: "Path cannot be empty"
-      };
-    }
-    const workingDir = this.config.workingDirectory || process.cwd();
-    let normalizedPath;
-    try {
-      normalizedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDir, filePath);
-      try {
-        normalizedPath = await fs.realpath(normalizedPath);
-      } catch {
-      }
-    } catch (error) {
-      return {
-        isValid: false,
-        error: `Failed to normalize path: ${error instanceof Error ? error.message : String(error)}`
-      };
-    }
-    if (this.hasPathTraversal(filePath, normalizedPath)) {
-      return {
-        isValid: false,
-        error: "Path traversal detected"
-      };
-    }
-    if (!this.isPathAllowed(normalizedPath)) {
-      return {
-        isValid: false,
-        error: `Path is not within allowed paths. Allowed: ${this.normalizedAllowedPaths.join(", ")}`
-      };
-    }
-    const blockedReason = this.isPathBlocked(normalizedPath);
-    if (blockedReason) {
-      return {
-        isValid: false,
-        error: `Path is blocked: ${blockedReason}`
-      };
-    }
-    const ext = path.extname(normalizedPath).toLowerCase();
-    if (ext && this.normalizedBlockedExtensions.includes(ext)) {
-      return {
-        isValid: false,
-        error: `File extension ${ext} is not allowed`
-      };
-    }
-    return {
-      isValid: true,
-      normalizedPath
-    };
-  }
-  /**
-   * Check if path contains traversal attempts
-   */
-  hasPathTraversal(originalPath, normalizedPath) {
-    if (originalPath.includes("../") || originalPath.includes("..\\")) {
-      const workingDir = this.config.workingDirectory || process.cwd();
-      const relative = path.relative(workingDir, normalizedPath);
-      if (relative.startsWith("..")) {
-        return true;
-      }
-    }
-    return false;
-  }
-  /**
-   * Check if path is within allowed paths (whitelist check)
-   * Also consults the directory approval checker if configured.
-   * Uses the sync version since the path is already normalized at this point.
-   */
-  isPathAllowed(normalizedPath) {
-    return this.isPathAllowedSync(normalizedPath);
-  }
-  /**
-   * Synchronous path allowed check (for already-normalized paths)
-   * This is used internally when we already have a canonicalized path
-   */
-  isPathAllowedSync(normalizedPath) {
-    if (this.normalizedAllowedPaths.length === 0) {
-      return true;
-    }
-    const isInConfigPaths = this.normalizedAllowedPaths.some((allowedPath) => {
-      const relative = path.relative(allowedPath, normalizedPath);
-      return !relative.startsWith("..") && !path.isAbsolute(relative);
-    });
-    if (isInConfigPaths) {
-      return true;
-    }
-    if (this.directoryApprovalChecker) {
-      return this.directoryApprovalChecker(normalizedPath);
-    }
-    return false;
-  }
-  /**
-   * Check if path matches blocked patterns (blacklist check)
-   */
-  isPathBlocked(normalizedPath) {
-    const roots = this.normalizedAllowedPaths.length > 0 ? this.normalizedAllowedPaths : [this.config.workingDirectory || process.cwd()];
-    for (const blocked of this.normalizedBlockedPaths) {
-      for (const root of roots) {
-        const blockedFull = path.isAbsolute(blocked) ? path.normalize(blocked) : path.resolve(root, blocked);
-        if (normalizedPath === blockedFull || normalizedPath.startsWith(blockedFull + path.sep)) {
-          return `Within blocked directory: ${blocked}`;
-        }
-      }
-    }
-    return null;
-  }
-  /**
-   * Quick check if a path is allowed (for internal use)
-   * Note: This assumes the path is already normalized/canonicalized
-   */
-  isPathAllowedQuick(normalizedPath) {
-    return this.isPathAllowedSync(normalizedPath) && !this.isPathBlocked(normalizedPath);
-  }
-  /**
-   * Check if a file path is within the configured allowed paths (from config only).
-   * This method does NOT consult ApprovalManager - it only checks the static config paths.
-   *
-   * This is used by ToolManager.checkDirectoryAccess() to determine if a path
-   * needs directory approval. Paths within config-allowed directories don't need
-   * directory approval prompts.
-   *
-   * @param filePath The file path to check (can be relative or absolute)
-   * @returns true if the path is within config-allowed paths, false otherwise
-   *
-   * @example
-   * ```typescript
-   * // Check if path needs directory approval
-   * if (!await pathValidator.isPathWithinAllowed('/external/project/file.ts')) {
-   *   // Request directory access approval
-   * }
-   * ```
-   */
-  async isPathWithinAllowed(filePath) {
-    if (!filePath || filePath.trim() === "") {
-      return false;
-    }
-    const workingDir = this.config.workingDirectory || process.cwd();
-    let normalizedPath;
-    try {
-      normalizedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDir, filePath);
-      try {
-        normalizedPath = await fs.realpath(normalizedPath);
-      } catch {
-      }
-    } catch {
-      return false;
-    }
-    return this.isInConfigAllowedPaths(normalizedPath);
-  }
-  /**
-   * Check if path is within config-allowed paths only (no approval checker).
-   * Used for prompting decisions.
-   */
-  isInConfigAllowedPaths(normalizedPath) {
-    if (this.normalizedAllowedPaths.length === 0) {
-      return true;
-    }
-    return this.normalizedAllowedPaths.some((allowedPath) => {
-      const relative = path.relative(allowedPath, normalizedPath);
-      return !relative.startsWith("..") && !path.isAbsolute(relative);
-    });
-  }
-  /**
-   * Get normalized allowed paths
-   */
-  getAllowedPaths() {
-    return [...this.normalizedAllowedPaths];
-  }
-  /**
-   * Get blocked paths
-   */
-  getBlockedPaths() {
-    return [...this.normalizedBlockedPaths];
-  }
-}
-export {
-  PathValidator
-};

package/dist/filesystem/types.cjs

@@ -1,16 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var types_exports = {};
-module.exports = __toCommonJS(types_exports);