@ethosagent/core 0.3.9 → 0.3.11

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import * as _ethosagent_types from '@ethosagent/types';
-import { ClarifyStore, PendingClarify, ClarifyResponse, ClarifyAnswerableBy, ClarifySurfaceType, PersonalityObservabilityConfig, SpanKind, EventSeverity, HookRegistry, LLMProvider, ToolRegistry, PersonalityRegistry, MemoryProvider, SessionStore, ContextInjector, Storage, ContextEngineRegistry, RequestDumpStore, SteerSink, Attachment, KeyValueStore, SecretRef, ToolCapabilities, ToolContext, Tool, PersonalityConfig, ContextEngine, ContextEngineCompactInput, ContextEngineCompactOutput, Message, Session, SessionFilter, StoredMessage, SessionUsage, SearchResult, CompressionEvent, MemoryContext, MemorySnapshot, MemoryEntry, SearchOpts, MemoryUpdate, ListOpts, MemoryEntryRef, ToolResult, VoidHooks, ModifyingHooks, ClaimingHooks, ToolDefinitionLite, CompletionOptions, CompletionChunk, LLMProviderRegistry, LLMProviderFactory, MemoryProviderRegistry, MemoryProviderFactory, RequestDumpRecord, ScopedFetch, ScopedFs, ScopedFsEntry, ScopedProcess, SpawnOpts, ProcessResult, ScopedSecretsResolver, ToolFilterOpts } from '@ethosagent/types';
+import { ClarifyStore, PendingClarify, ClarifyResponse, ClarifyAnswerableBy, ClarifySurfaceType, PersonalityObservabilityConfig, SpanKind, EventSeverity, HookRegistry, LLMProvider, ToolRegistry, PersonalityRegistry, MemoryProvider, SessionStore, ContextInjector, Storage, ContextEngineRegistry, RequestDumpStore, SteerSink, Attachment, KeyValueStore, SecretRef, ToolCapabilities, ToolContext, Tool, PersonalityConfig, ContextEngine, ContextEngineCompactInput, ContextEngineCompactOutput, Message, Session, SessionFilter, StoredMessage, SessionUsage, SearchResult, CompressionEvent, MemoryContext, MemorySnapshot, MemoryEntry, SearchOpts, MemoryUpdate, ListOpts, MemoryEntryRef, ToolResult, VoidHooks, ModifyingHooks, ClaimingHooks, ToolDefinitionLite, CompletionOptions, CompletionChunk, LLMProviderRegistry, LLMProviderFactory, MemoryProviderRegistry, MemoryProviderFactory, RequestDumpRecord, ScopedFetch, ScopedFs, ScopedFsEntry, ScopedProcess, SpawnOpts, ProcessResult, ScopedSecretsResolver, ToolResultReducerRegistry, ToolResultReducer, ToolFilterOpts } from '@ethosagent/types';
 export { MemoryConflictError } from '@ethosagent/types';
 import * as _ethosagent_safety_watcher from '@ethosagent/safety-watcher';
 import { InjectionClassifier } from '@ethosagent/safety-injection';
@@ -597,6 +597,8 @@ declare class InMemorySessionStore implements SessionStore {
     search(query: string, options?: {
         limit?: number;
         sessionId?: string;
+        since?: Date;
+        until?: Date;
     }): Promise<SearchResult[]>;
     recordCompression(event: Omit<CompressionEvent, 'id' | 'createdAt'>): Promise<CompressionEvent>;
     listCompressions(sessionId: string): Promise<CompressionEvent[]>;
@@ -950,10 +952,24 @@ declare class ScopedSecretsImpl implements ScopedSecretsResolver {
     get(ref: SecretRef): Promise<string>;
 }
 
+declare function parseTemporalBound(input: string): Date | undefined;
+declare function toJournalKey(date: Date): string;
+declare function applyTemporalDecay(results: SearchResult[], options?: {
+    halfLifeMs?: number;
+    now?: Date;
+}): SearchResult[];
+
+declare class DefaultToolResultReducerRegistry implements ToolResultReducerRegistry {
+    private readonly byName;
+    register(reducer: ToolResultReducer): () => void;
+    get(toolName: string): ToolResultReducer | undefined;
+}
+
 declare class DefaultToolRegistry implements ToolRegistry {
     private readonly tools;
     private readonly backends?;
-    constructor(backends?: CapabilityBackends);
+    private readonly reducers?;
+    constructor(backends?: CapabilityBackends, reducers?: ToolResultReducerRegistry);
     register(tool: Tool, opts?: {
         pluginId?: string;
     }): void;
@@ -1020,4 +1036,4 @@ declare class SsrfError extends Error {
  */
 declare function validateUrl(urlStr: string, opts?: ValidateUrlOptions): URL;
 
-export { type AgentEvent, AgentLoop, type AgentLoopConfig, type AgentLoopObservability, BoundaryEscapeError, type CapabilityBackends, type CapabilityScopeIds, type CapabilityValidationError, ChainedProvider, type ChainedProviderOptions, ClarifyBridge, ClarifyBusyError, ClarifyNoSurfaceError, type ClarifyPresenter, type ClarifyRequestInput, type ClarifyResolvedListener, ClarifyTimedOutNoDefaultError, DefaultContextEngineRegistry, type DefaultContextEngineRegistryOptions, DefaultHookRegistry, DefaultLLMProviderRegistry, DefaultMemoryProviderRegistry, DefaultPersonalityRegistry, DefaultToolRegistry, DropOldestEngine, type DryRunToolPlan, EagerPrefetchPolicy, FileClarifyStore, InMemoryRequestDumpStore, InMemorySessionStore, type InMemoryToolContextOptions, KNOWN_AGENT_EVENT_TYPES, type KnownAgentEventType, LastWriteWinsPolicy, LazyOnDemandPolicy, NoopMemoryProvider, type PluginFactory, PluginRegistry, ReferencePreservingEngine, type RunOptions, ScopedFetchImpl, ScopedFsImpl, ScopedProcessImpl, ScopedSecretsImpl, type SecretsBackend, SemanticSummaryEngine, SsrfError, type SummarizerFn, type ValidateUrlOptions, assertWithinBase, buildAttachmentAnnotation, deriveBotKey, estimateMessageTokens, estimateMessagesTokens, estimateTokens, isKnownAgentEvent, makeTestToolContext, redactArgs, resolveCapabilities, stripAnsiEscapes, synthesizeDryRunCapResult, synthesizeDryRunResult, validateRegistration, validateUrl };
+export { type AgentEvent, AgentLoop, type AgentLoopConfig, type AgentLoopObservability, BoundaryEscapeError, type CapabilityBackends, type CapabilityScopeIds, type CapabilityValidationError, ChainedProvider, type ChainedProviderOptions, ClarifyBridge, ClarifyBusyError, ClarifyNoSurfaceError, type ClarifyPresenter, type ClarifyRequestInput, type ClarifyResolvedListener, ClarifyTimedOutNoDefaultError, DefaultContextEngineRegistry, type DefaultContextEngineRegistryOptions, DefaultHookRegistry, DefaultLLMProviderRegistry, DefaultMemoryProviderRegistry, DefaultPersonalityRegistry, DefaultToolRegistry, DefaultToolResultReducerRegistry, DropOldestEngine, type DryRunToolPlan, EagerPrefetchPolicy, FileClarifyStore, InMemoryRequestDumpStore, InMemorySessionStore, type InMemoryToolContextOptions, KNOWN_AGENT_EVENT_TYPES, type KnownAgentEventType, LastWriteWinsPolicy, LazyOnDemandPolicy, NoopMemoryProvider, type PluginFactory, PluginRegistry, ReferencePreservingEngine, type RunOptions, ScopedFetchImpl, ScopedFsImpl, ScopedProcessImpl, ScopedSecretsImpl, type SecretsBackend, SemanticSummaryEngine, SsrfError, type SummarizerFn, type ValidateUrlOptions, applyTemporalDecay, assertWithinBase, buildAttachmentAnnotation, deriveBotKey, estimateMessageTokens, estimateMessagesTokens, estimateTokens, isKnownAgentEvent, makeTestToolContext, parseTemporalBound, redactArgs, resolveCapabilities, stripAnsiEscapes, synthesizeDryRunCapResult, synthesizeDryRunResult, toJournalKey, validateRegistration, validateUrl };

package/dist/index.js

@@ -248,11 +248,15 @@ function wrapUntrusted({ content, toolName, source }) {
   const { content: sanitized, strippedCount } = sanitizeTemplateTokens(content);
   const sourceAttr = encodeAttr(source ?? "unknown");
   const toolAttr = encodeAttr(toolName);
+  const escaped = escapeBodyTags(sanitized);
   const wrapped = `<untrusted source="${sourceAttr}" tool="${toolAttr}">
-${sanitized}
+${escaped}
 </untrusted>`;
   return { content: wrapped, strippedTokens: strippedCount };
 }
+function escapeBodyTags(body) {
+  return body.replace(/<(\/?untrusted)/g, "&lt;$1");
+}
 function encodeAttr(value) {
   return value.replace(/[\r\n]+/g, " ").replace(/[<>]/g, "").replace(/"/g, "'").slice(0, 256);
 }
@@ -275,6 +279,8 @@ function defaultAlwaysDeny() {
     `${home}/.psql_history`,
     `${home}/.mysql_history`,
     `${home}/.npmrc`,
+    `${home}/.ethos/keys.json`,
+    `${home}/.ethos/secrets`,
     `${home}/Library/Keychains`,
     "/etc/passwd",
     "/etc/shadow",
@@ -283,7 +289,9 @@ function defaultAlwaysDeny() {
     "/root",
     "/boot",
     "/sys",
-    "/proc/sys"
+    "/proc/sys",
+    "/proc/self/environ",
+    "/proc/self/cmdline"
   ];
 }
 
@@ -342,7 +350,11 @@ import { createHash as createHash2 } from "crypto";
 // ../storage-fs/src/in-memory-storage.ts
 import { dirname } from "path";
 
+// ../storage-fs/src/path-safety.ts
+import { resolve as resolve2 } from "path";
+
 // ../storage-fs/src/scoped-storage.ts
+import { resolve as resolve3 } from "path";
 import {
   BoundaryError
 } from "@ethosagent/types";
@@ -357,7 +369,8 @@ var ScopedStorage = class {
   readPrefixes;
   writePrefixes;
   denyPrefixes;
-  check(path, kind) {
+  check(rawPath, kind) {
+    const path = resolve3(rawPath);
     if (isPathAllowed(path, this.denyPrefixes)) {
       throw new BoundaryError(kind, path, this.denyPrefixes, "always-deny floor");
     }
@@ -714,6 +727,8 @@ var InMemorySessionStore = class {
     for (const [sessionId, msgs] of this.messages.entries()) {
       if (options?.sessionId && sessionId !== options.sessionId) continue;
       for (const msg of msgs) {
+        if (options?.since && msg.timestamp < options.since) continue;
+        if (options?.until && msg.timestamp > options.until) continue;
         const idx = msg.content.toLowerCase().indexOf(lower);
         if (idx >= 0) {
           results.push({
@@ -828,8 +843,8 @@ init_dry_run();
 
 // src/hook-registry.ts
 function isAllowed(h, allowedPlugins) {
-  if (allowedPlugins === void 0) return true;
   if (!h.pluginId) return true;
+  if (allowedPlugins === void 0) return false;
   return allowedPlugins.includes(h.pluginId);
 }
 var DefaultHookRegistry = class {
@@ -949,6 +964,12 @@ var ScopedAttachmentsImpl = class {
     if (!this.attachments.some((a) => a.ref === att.ref)) {
       throw new Error(`Attachment ref "${att.ref}" is not in the scoped list for this tool`);
     }
+    const scoped = this.attachments.find((a) => a.ref === att.ref);
+    if (scoped && scoped.url !== att.url) {
+      throw new Error(
+        `Attachment URL mismatch: caller supplied "${att.url}" but scoped list has "${scoped.url}"`
+      );
+    }
     if (att.url.startsWith("file://")) {
       return { path: this.cache.resolveLocalPath(att.url) };
     }
@@ -984,7 +1005,7 @@ var CLOUD_METADATA_HOSTS = /* @__PURE__ */ new Set([
   "169.254.0.23"
 ]);
 function isCloudMetadataHost(hostname) {
-  const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
   return CLOUD_METADATA_HOSTS.has(normalized);
 }
 
@@ -1161,6 +1182,8 @@ function isPrivateIpv6(ip) {
     const d = low & 255;
     return isPrivateIpv4(`${a}.${b}.${c}.${d}`);
   }
+  const compat = lower.match(/^::(\d+\.\d+\.\d+\.\d+)$/);
+  if (compat) return isPrivateIpv4(compat[1]);
   return false;
 }
 function isPrivateIp(ip) {
@@ -1269,13 +1292,13 @@ var ScopedFetchImpl = class {
 };
 
 // src/scoped/scoped-fs.ts
-import { normalize, resolve as resolve2 } from "path";
+import { normalize, resolve as resolve4 } from "path";
 var ScopedFsImpl = class {
   constructor(storage, readPaths, writePaths) {
     this.storage = storage;
     this.readPaths = readPaths;
     this.writePaths = writePaths;
-    this.denyPaths = defaultAlwaysDeny().map((p) => normalize(resolve2(p)));
+    this.denyPaths = defaultAlwaysDeny().map((p) => normalize(resolve4(p)));
   }
   storage;
   readPaths;
@@ -1318,14 +1341,14 @@ var ScopedFsImpl = class {
     return this.storage.listEntries(dir);
   }
   checkReach(path, allowed, kind) {
-    const canonical = normalize(resolve2(path));
+    const canonical = normalize(resolve4(path));
     for (const deny of this.denyPaths) {
       if (canonical === deny || canonical.startsWith(deny.endsWith("/") ? deny : `${deny}/`)) {
         throw new Error(`PATH_NOT_REACHABLE: ${kind} of "${path}" hits the always-deny floor`);
       }
     }
     for (const prefix of allowed) {
-      const canonicalPrefix = normalize(resolve2(prefix));
+      const canonicalPrefix = normalize(resolve4(prefix));
       if (canonical === canonicalPrefix || canonical.startsWith(
         canonicalPrefix.endsWith("/") ? canonicalPrefix : `${canonicalPrefix}/`
       ))
@@ -1346,7 +1369,7 @@ var ScopedProcessImpl = class {
     if (!this.allowedBinaries.has("*") && !this.allowedBinaries.has(binary)) {
       throw new Error(`BINARY_NOT_ALLOWED: ${binary} is not in the declared allowedBinaries`);
     }
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const child = nodeSpawn(binary, args, {
         cwd: opts?.cwd,
         env: opts?.env ? { ...process.env, ...opts.env } : process.env,
@@ -1359,7 +1382,7 @@ var ScopedProcessImpl = class {
       child.stderr.on("data", (chunk) => stderr.push(chunk));
       child.on("error", reject);
       child.on("close", (exitCode) => {
-        resolve4({
+        resolve6({
           exitCode: exitCode ?? 1,
           stdout: Buffer.concat(stdout).toString(),
           stderr: Buffer.concat(stderr).toString()
@@ -1555,11 +1578,20 @@ function passesFilter(entry, filterOpts) {
   }
   return true;
 }
+function safeReduce(r, result, ctx) {
+  try {
+    return r.reduce(result, ctx);
+  } catch {
+    return result;
+  }
+}
 var DefaultToolRegistry = class {
   tools = /* @__PURE__ */ new Map();
   backends;
-  constructor(backends) {
+  reducers;
+  constructor(backends, reducers) {
     this.backends = backends;
+    this.reducers = reducers;
   }
   register(tool, opts) {
     this.tools.set(tool.name, { tool, pluginId: opts?.pluginId });
@@ -1731,7 +1763,9 @@ var DefaultToolRegistry = class {
             );
             Object.assign(toolCtx, resolved);
           }
-          const result = await entry.tool.execute(call.args, toolCtx);
+          const rawResult = await entry.tool.execute(call.args, toolCtx);
+          const reducer = this.reducers?.get(call.name);
+          const result = reducer ? safeReduce(reducer, rawResult, { args: call.args, turnCount: ctx.currentTurn ?? 0 }) : rawResult;
           if (result.ok && result.value.length > budget) {
             return {
               toolCallId: call.toolCallId,
@@ -3116,11 +3150,11 @@ var ClarifyBridge = class {
       defaultDeadlineAt: deadline.toISOString()
     };
     await this.store.add(row);
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve6, reject) => {
       const timer = setTimeout(() => {
         void this.fireTimeout(requestId);
       }, input.timeoutMs);
-      this.pending.set(requestId, { row, resolve: resolve4, reject, timer });
+      this.pending.set(requestId, { row, resolve: resolve6, reject, timer });
       if (input.abortSignal) {
         if (input.abortSignal.aborted) {
           void this.respond({ requestId, answer: "", source: "cancel" });
@@ -3470,10 +3504,10 @@ var LastWriteWinsPolicy = class {
 };
 
 // src/path-boundary.ts
-import { resolve as resolve3, sep as sep2 } from "path";
+import { resolve as resolve5, sep as sep2 } from "path";
 function assertWithinBase(base, target) {
-  const resolvedBase = resolve3(base);
-  const resolvedTarget = resolve3(target);
+  const resolvedBase = resolve5(base);
+  const resolvedTarget = resolve5(target);
   if (resolvedTarget === resolvedBase) return;
   if (!resolvedTarget.startsWith(resolvedBase + sep2)) {
     throw new BoundaryEscapeError(resolvedBase, resolvedTarget);
@@ -3696,10 +3730,57 @@ var ANSI_RE = new RegExp(
   `${ESC}\\[[?!>]?[0-9;]*[A-Za-z~]|${ESC}\\][^${BEL}${ESC}]*(?:${BEL}|${ESC}\\\\)|${ESC}\\([A-B0-2]|${ESC}[DME78HNO=>cfn]`,
   "g"
 );
+var MAX_STRIP_ITERATIONS = 10;
 function stripAnsiEscapes(input) {
-  return input.replace(ANSI_RE, "");
+  let result = input;
+  for (let i = 0; i < MAX_STRIP_ITERATIONS; i++) {
+    const next = result.replace(ANSI_RE, "");
+    if (next === result) return next;
+    result = next;
+  }
+  return result;
+}
+
+// src/temporal.ts
+function parseTemporalBound(input) {
+  const d = new Date(input);
+  return Number.isNaN(d.getTime()) ? void 0 : d;
+}
+function toJournalKey(date) {
+  const y = date.getUTCFullYear();
+  const m = String(date.getUTCMonth() + 1).padStart(2, "0");
+  const d = String(date.getUTCDate()).padStart(2, "0");
+  return `${y}-${m}-${d}`;
+}
+var DEFAULT_HALF_LIFE_MS = 6048e5;
+function applyTemporalDecay(results, options) {
+  const halfLifeMs = options?.halfLifeMs ?? DEFAULT_HALF_LIFE_MS;
+  const now = options?.now ?? /* @__PURE__ */ new Date();
+  const nowMs = now.getTime();
+  return results.map((r) => {
+    const ageMs = nowMs - r.timestamp.getTime();
+    const decayFactor = ageMs < 0 ? 1 : 0.5 ** (ageMs / halfLifeMs);
+    return { ...r, score: r.score * decayFactor };
+  }).sort((a, b) => b.score - a.score);
 }
 
+// src/tool-reducer-registry.ts
+var DefaultToolResultReducerRegistry = class {
+  byName = /* @__PURE__ */ new Map();
+  register(reducer) {
+    if (this.byName.has(reducer.toolName)) {
+      throw new Error(`Reducer already registered for tool '${reducer.toolName}'`);
+    }
+    this.byName.set(reducer.toolName, reducer);
+    return () => {
+      this.byName.delete(reducer.toolName);
+    };
+  }
+  get(toolName) {
+    return this.byName.get(toolName);
+  }
+};
+
 // src/url-validator.ts
 import { isIP } from "net";
 var IPV4_RE2 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
@@ -3733,6 +3814,18 @@ function isPrivateIpv62(ip) {
   if (lower.startsWith("ff")) return true;
   const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
   if (mapped) return isPrivateIpv42(mapped[1]);
+  const hexMapped = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
+  if (hexMapped) {
+    const high = Number.parseInt(hexMapped[1], 16);
+    const low = Number.parseInt(hexMapped[2], 16);
+    const a = high >> 8 & 255;
+    const b = high & 255;
+    const c = low >> 8 & 255;
+    const d = low & 255;
+    return isPrivateIpv42(`${a}.${b}.${c}.${d}`);
+  }
+  const compat = lower.match(/^::(\d+\.\d+\.\d+\.\d+)$/);
+  if (compat) return isPrivateIpv42(compat[1]);
   return false;
 }
 function isPrivateIp2(ip) {
@@ -3814,6 +3907,7 @@ export {
   DefaultMemoryProviderRegistry,
   DefaultPersonalityRegistry,
   DefaultToolRegistry,
+  DefaultToolResultReducerRegistry,
   DropOldestEngine,
   EagerPrefetchPolicy,
   FileClarifyStore,
@@ -3832,6 +3926,7 @@ export {
   ScopedSecretsImpl,
   SemanticSummaryEngine,
   SsrfError,
+  applyTemporalDecay,
   assertWithinBase,
   buildAttachmentAnnotation,
   deriveBotKey,
@@ -3840,11 +3935,13 @@ export {
   estimateTokens,
   isKnownAgentEvent,
   makeTestToolContext,
+  parseTemporalBound,
   redactArgs,
   resolveCapabilities,
   stripAnsiEscapes,
   synthesizeDryRunCapResult,
   synthesizeDryRunResult,
+  toJournalKey,
   validateRegistration,
   validateUrl2 as validateUrl
 };