@dreb/coding-agent 2.16.0 → 2.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/README.md +4 -3
  2. package/dist/core/agent-session.d.ts +3 -0
  3. package/dist/core/agent-session.d.ts.map +1 -1
  4. package/dist/core/agent-session.js +11 -0
  5. package/dist/core/agent-session.js.map +1 -1
  6. package/dist/core/sdk.d.ts.map +1 -1
  7. package/dist/core/sdk.js +1 -1
  8. package/dist/core/sdk.js.map +1 -1
  9. package/dist/core/tools/index.d.ts +5 -0
  10. package/dist/core/tools/index.d.ts.map +1 -1
  11. package/dist/core/tools/index.js +8 -0
  12. package/dist/core/tools/index.js.map +1 -1
  13. package/dist/core/tools/suggest-next.d.ts +19 -0
  14. package/dist/core/tools/suggest-next.d.ts.map +1 -0
  15. package/dist/core/tools/suggest-next.js +72 -0
  16. package/dist/core/tools/suggest-next.js.map +1 -0
  17. package/dist/core/tools/tmp-read.d.ts.map +1 -1
  18. package/dist/core/tools/tmp-read.js +14 -1
  19. package/dist/core/tools/tmp-read.js.map +1 -1
  20. package/dist/modes/interactive/interactive-mode.d.ts.map +1 -1
  21. package/dist/modes/interactive/interactive-mode.js +13 -0
  22. package/dist/modes/interactive/interactive-mode.js.map +1 -1
  23. package/docs/extensions.md +2 -2
  24. package/docs/json.md +2 -1
  25. package/docs/rpc.md +30 -0
  26. package/docs/session.md +24 -0
  27. package/docs/tui.md +8 -0
  28. package/package.json +1 -1
package/dist/core/tools/tmp-read.js CHANGED
@@ -11,12 +11,25 @@ import { resolveToCwd } from "./path-utils.js";
11
11
  import { createReadToolDefinition } from "./read.js";
12
12
  const ALLOWED_PREFIX = "/tmp";
13
13
  const SANDBOX_CWD = "/tmp";
14
+ // On macOS, /tmp is a symlink to /private/tmp. Resolve it once at startup
15
+ // so that realpathSync results (which follow symlinks) can be correctly matched.
16
+ let resolvedAllowedPrefix;
17
+ try {
18
+ resolvedAllowedPrefix = realpathSync(ALLOWED_PREFIX);
19
+ }
20
+ catch {
21
+ resolvedAllowedPrefix = ALLOWED_PREFIX;
22
+ }
14
23
  /**
15
24
  * Check whether a resolved absolute path is under /tmp.
16
25
  * Handles exact "/tmp" match and "/tmp/..." paths, rejects "/tmpevil" etc.
26
+ * Also handles macOS where /tmp resolves to /private/tmp.
17
27
  */
18
28
  function isUnderTmp(absolutePath) {
19
- return absolutePath === ALLOWED_PREFIX || absolutePath.startsWith(`${ALLOWED_PREFIX}/`);
29
+ return (absolutePath === ALLOWED_PREFIX ||
30
+ absolutePath.startsWith(`${ALLOWED_PREFIX}/`) ||
31
+ absolutePath === resolvedAllowedPrefix ||
32
+ absolutePath.startsWith(`${resolvedAllowedPrefix}/`));
20
33
  }
21
34
  export function createTmpReadToolDefinition(options) {
22
35
  // Create a real read tool definition anchored to /tmp
package/dist/core/tools/tmp-read.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"tmp-read.js","sourceRoot":"","sources":["../../../src/core/tools/tmp-read.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,WAAW,CAAC;AAErD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAwB,MAAM,WAAW,CAAC;AAE3E,MAAM,cAAc,GAAG,MAAM,CAAC;AAC9B,MAAM,WAAW,GAAG,MAAM,CAAC;AAE3B;;;GAGG;AACH,SAAS,UAAU,CAAC,YAAoB,EAAW;IAClD,OAAO,YAAY,KAAK,cAAc,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,cAAc,GAAG,CAAC,CAAC;AAAA,CACxF;AAED,MAAM,UAAU,2BAA2B,CAAC,OAAyB,EAA4B;IAChG,sDAAsD;IACtD,MAAM,KAAK,GAAG,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAE7D,OAAO;QACN,GAAG,KAAK;QACR,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,UAAU;QACjB,WAAW,EAAE,+BAA+B,KAAK,CAAC,WAAW,EAAE;QAC/D,aAAa,EAAE,4BAA4B;QAC3C,gBAAgB,EAAE;YACjB,4EAA0E;YAC1E,wEAAwE;SACxE;QAED,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE;YACxD,iFAAiF;YACjF,qFAAmF;YACnF,4EAA4E;YAC5E,sEAAsE;YACtE,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;YACtE,IAAI,QAAgB,CAAC;YACrB,IAAI,CAAC;gBACJ,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;YAAC,MAAM,CAAC;gBACR,iFAA+E;gBAC/E,QAAQ,GAAG,OAAO,CAAC;YACpB,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACN,OAAO,EAAE;wBACR;4BACC,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,iFAAiF,QAAQ,EAAE;yBACjG;qBACD;oBACD,OAAO,EAAE,SAAS;iBAClB,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;QAAA,CAChE;KACD,CAAC;AAAA,CACF","sourcesContent":["/**\n * tmp-read — A path-restricted read tool that only allows access to /tmp.\n *\n * Used by the Sandbox agent to enforce filesystem isolation. Unlike the\n * regular read tool where /tmp is merely a system-prompt suggestion,\n * this tool rejects any path that resolves outside /tmp at the tool level.\n */\n\nimport { realpathSync } from \"node:fs\";\nimport { resolve as normalizePath } from \"node:path\";\nimport type { ToolDefinition } from \"../extensions/types.js\";\nimport { resolveToCwd } from \"./path-utils.js\";\nimport { createReadToolDefinition, type ReadToolOptions } from \"./read.js\";\n\nconst ALLOWED_PREFIX = \"/tmp\";\nconst SANDBOX_CWD = \"/tmp\";\n\n/**\n * Check whether a resolved absolute path is under /tmp.\n * Handles exact \"/tmp\" match and \"/tmp/...\" paths, rejects \"/tmpevil\" etc.\n */\nfunction isUnderTmp(absolutePath: string): boolean {\n\treturn absolutePath === ALLOWED_PREFIX || absolutePath.startsWith(`${ALLOWED_PREFIX}/`);\n}\n\nexport function createTmpReadToolDefinition(options?: ReadToolOptions): ToolDefinition<any, any> {\n\t// Create a real read tool definition anchored to /tmp\n\tconst inner = createReadToolDefinition(SANDBOX_CWD, options);\n\n\treturn {\n\t\t...inner,\n\t\tname: \"tmp_read\",\n\t\tlabel: \"tmp_read\",\n\t\tdescription: `Read files under /tmp only. ${inner.description}`,\n\t\tpromptSnippet: \"Read files under /tmp only\",\n\t\tpromptGuidelines: [\n\t\t\t\"tmp_read can ONLY read files under /tmp/ — all other paths are rejected.\",\n\t\t\t\"Use relative paths (resolved against /tmp) or absolute /tmp/... paths.\",\n\t\t],\n\n\t\tasync execute(toolCallId, params, signal, onUpdate, ctx) {\n\t\t\t// Validate the path resolves under /tmp BEFORE delegating to the real read tool.\n\t\t\t// normalizePath collapses \"..\" components (e.g. /tmp/../etc/passwd → /etc/passwd).\n\t\t\t// realpathSync dereferences symlinks so /tmp/evil -> /etc/passwd is caught.\n\t\t\t// Falls back to lexical check if the file doesn't exist yet (ENOENT).\n\t\t\tconst lexical = normalizePath(resolveToCwd(params.path, SANDBOX_CWD));\n\t\t\tlet resolved: string;\n\t\t\ttry {\n\t\t\t\tresolved = realpathSync(lexical);\n\t\t\t} catch {\n\t\t\t\t// File doesn't exist — use lexical path (read will fail with ENOENT naturally)\n\t\t\t\tresolved = lexical;\n\t\t\t}\n\t\t\tif (!isUnderTmp(resolved)) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\t\t\ttext: `Error: Access denied. tmp_read can only read files under /tmp. Resolved path: ${resolved}`,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tdetails: undefined,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn inner.execute(toolCallId, params, signal, onUpdate, ctx);\n\t\t},\n\t};\n}\n"]}
1
+ {"version":3,"file":"tmp-read.js","sourceRoot":"","sources":["../../../src/core/tools/tmp-read.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,WAAW,CAAC;AAErD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAwB,MAAM,WAAW,CAAC;AAE3E,MAAM,cAAc,GAAG,MAAM,CAAC;AAC9B,MAAM,WAAW,GAAG,MAAM,CAAC;AAE3B,0EAA0E;AAC1E,iFAAiF;AACjF,IAAI,qBAA6B,CAAC;AAClC,IAAI,CAAC;IACJ,qBAAqB,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;AACtD,CAAC;AAAC,MAAM,CAAC;IACR,qBAAqB,GAAG,cAAc,CAAC;AACxC,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,YAAoB,EAAW;IAClD,OAAO,CACN,YAAY,KAAK,cAAc;QAC/B,YAAY,CAAC,UAAU,CAAC,GAAG,cAAc,GAAG,CAAC;QAC7C,YAAY,KAAK,qBAAqB;QACtC,YAAY,CAAC,UAAU,CAAC,GAAG,qBAAqB,GAAG,CAAC,CACpD,CAAC;AAAA,CACF;AAED,MAAM,UAAU,2BAA2B,CAAC,OAAyB,EAA4B;IAChG,sDAAsD;IACtD,MAAM,KAAK,GAAG,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAE7D,OAAO;QACN,GAAG,KAAK;QACR,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,UAAU;QACjB,WAAW,EAAE,+BAA+B,KAAK,CAAC,WAAW,EAAE;QAC/D,aAAa,EAAE,4BAA4B;QAC3C,gBAAgB,EAAE;YACjB,4EAA0E;YAC1E,wEAAwE;SACxE;QAED,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE;YACxD,iFAAiF;YACjF,qFAAmF;YACnF,4EAA4E;YAC5E,sEAAsE;YACtE,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;YACtE,IAAI,QAAgB,CAAC;YACrB,IAAI,CAAC;gBACJ,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;YAAC,MAAM,CAAC;gBACR,iFAA+E;gBAC/E,QAAQ,GAAG,OAAO,CAAC;YACpB,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACN,OAAO,EAAE;wBACR;4BACC,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,iFAAiF,QAAQ,EAAE;yBACjG;qBACD;oBACD,OAAO,EAAE,SAAS;iBAClB,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;QAAA,CAChE;KACD,CAAC;AAAA,CACF","sourcesContent":["/**\n * tmp-read — A path-restricted read tool that only allows access to /tmp.\n *\n * Used by the Sandbox agent to enforce filesystem isolation. Unlike the\n * regular read tool where /tmp is merely a system-prompt suggestion,\n * this tool rejects any path that resolves outside /tmp at the tool level.\n */\n\nimport { realpathSync } from \"node:fs\";\nimport { resolve as normalizePath } from \"node:path\";\nimport type { ToolDefinition } from \"../extensions/types.js\";\nimport { resolveToCwd } from \"./path-utils.js\";\nimport { createReadToolDefinition, type ReadToolOptions } from \"./read.js\";\n\nconst ALLOWED_PREFIX = \"/tmp\";\nconst SANDBOX_CWD = \"/tmp\";\n\n// On macOS, /tmp is a symlink to /private/tmp. Resolve it once at startup\n// so that realpathSync results (which follow symlinks) can be correctly matched.\nlet resolvedAllowedPrefix: string;\ntry {\n\tresolvedAllowedPrefix = realpathSync(ALLOWED_PREFIX);\n} catch {\n\tresolvedAllowedPrefix = ALLOWED_PREFIX;\n}\n\n/**\n * Check whether a resolved absolute path is under /tmp.\n * Handles exact \"/tmp\" match and \"/tmp/...\" paths, rejects \"/tmpevil\" etc.\n * Also handles macOS where /tmp resolves to /private/tmp.\n */\nfunction isUnderTmp(absolutePath: string): boolean {\n\treturn (\n\t\tabsolutePath === ALLOWED_PREFIX ||\n\t\tabsolutePath.startsWith(`${ALLOWED_PREFIX}/`) ||\n\t\tabsolutePath === resolvedAllowedPrefix ||\n\t\tabsolutePath.startsWith(`${resolvedAllowedPrefix}/`)\n\t);\n}\n\nexport function createTmpReadToolDefinition(options?: ReadToolOptions): ToolDefinition<any, any> {\n\t// Create a real read tool definition anchored to /tmp\n\tconst inner = createReadToolDefinition(SANDBOX_CWD, options);\n\n\treturn {\n\t\t...inner,\n\t\tname: \"tmp_read\",\n\t\tlabel: \"tmp_read\",\n\t\tdescription: `Read files under /tmp only. ${inner.description}`,\n\t\tpromptSnippet: \"Read files under /tmp only\",\n\t\tpromptGuidelines: [\n\t\t\t\"tmp_read can ONLY read files under /tmp/ — all other paths are rejected.\",\n\t\t\t\"Use relative paths (resolved against /tmp) or absolute /tmp/... paths.\",\n\t\t],\n\n\t\tasync execute(toolCallId, params, signal, onUpdate, ctx) {\n\t\t\t// Validate the path resolves under /tmp BEFORE delegating to the real read tool.\n\t\t\t// normalizePath collapses \"..\" components (e.g. /tmp/../etc/passwd → /etc/passwd).\n\t\t\t// realpathSync dereferences symlinks so /tmp/evil -> /etc/passwd is caught.\n\t\t\t// Falls back to lexical check if the file doesn't exist yet (ENOENT).\n\t\t\tconst lexical = normalizePath(resolveToCwd(params.path, SANDBOX_CWD));\n\t\t\tlet resolved: string;\n\t\t\ttry {\n\t\t\t\tresolved = realpathSync(lexical);\n\t\t\t} catch {\n\t\t\t\t// File doesn't exist — use lexical path (read will fail with ENOENT naturally)\n\t\t\t\tresolved = lexical;\n\t\t\t}\n\t\t\tif (!isUnderTmp(resolved)) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\t\t\ttext: `Error: Access denied. tmp_read can only read files under /tmp. Resolved path: ${resolved}`,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tdetails: undefined,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn inner.execute(toolCallId, params, signal, onUpdate, ctx);\n\t\t},\n\t};\n}\n"]}