@ethosagent/core 0.4.0 → 0.4.1

package/dist/index.d.ts

@@ -326,6 +326,12 @@ interface AgentLoopConfig {
      * reports `CLARIFY_NO_SURFACE` and the agent falls back to plain prose.
      */
     clarifyBridge?: ClarifyBridge;
+    /**
+     * Per-personality MCP tool policy loaded from mcp.yaml. NOT part of
+     * PersonalityConfig (frozen schema). Passed through from wiring so
+     * AgentLoop can build per-tool MCP allowlists in filterOpts.
+     */
+    mcpPolicy?: _ethosagent_types.McpPolicy;
     /**
      * Optional request dump store. When provided, AgentLoop appends a full
      * record of each LLM request/response for offline analysis and debugging.
@@ -396,8 +402,15 @@ interface RunOptions {
      * Consumed once; does not persist across runs.
      */
     tierOverride?: _ethosagent_types.ModelTierName;
+    /** Opaque user id (from IdentityMap). When present, USER.md is read from `user:<userId>` scope. */
+    userId?: string;
     dryRun?: boolean;
     dryRunMaxToolCalls?: number;
+    /**
+     * Override the personality's toolset for this run. Used by cron to exclude
+     * the `cron` tool from cron-spawned sessions (recursion guard).
+     */
+    toolsetOverride?: string[];
 }
 declare class AgentLoop {
     private readonly llm;
@@ -434,6 +447,8 @@ declare class AgentLoop {
     private readonly requestDumpStore?;
     /** Phase 3 — team id stamped onto ToolContext when loop runs inside a team. */
     private readonly teamId?;
+    /** Per-personality MCP tool policy from mcp.yaml (NOT on PersonalityConfig). */
+    private readonly mcpPolicy?;
     /** Per-session accumulated spend in USD. Keyed by sessionKey. Reset via resetSessionCost(). */
     private readonly sessionCosts;
     /** FW-28 — per-session mtime registry. Keyed by sessionKey → (absPath → record). */

package/dist/index.js

@@ -182,6 +182,28 @@ function resolveDowngradedTools(spec) {
 }
 var DOWNGRADE_REJECTION_MESSAGE = "Tool blocked: an `outputIsUntrusted` tool just read external content. Dangerous tools are paused for the next turn or two. Send a new user message to clear, or re-run after acknowledging the prior content.";
 
+// ../safety/injection/src/prompt-sanitize.ts
+var INJECTION_PATTERNS = [
+  /ignore\s+(all\s+)?(previous|prior|above)\s+instructions/i,
+  /disregard\s+(your|all|any|the)\s+(previous|prior|above|system|original)\s+/i,
+  /you\s+are\s+now\s+(a|an|the)\s+/i,
+  /forget\s+(everything|all)\s+(you|above|prior)/i,
+  /override\s+(your|all|the)\s+(instructions|rules|constraints|guidelines)/i,
+  /new\s+(system\s+)?prompt\s*:/i,
+  /\[SYSTEM\]/i,
+  /<\s*system\s*>/i
+];
+function sanitize(content) {
+  const lines = content.split("\n");
+  const cleaned = lines.map((line) => {
+    if (INJECTION_PATTERNS.some((re) => re.test(line))) {
+      return "[line removed by injection guard]";
+    }
+    return line;
+  });
+  return cleaned.join("\n");
+}
+
 // ../safety/injection/src/sanitize.ts
 var PLACEHOLDER = "[STRIPPED-TEMPLATE-TOKEN]";
 var TEMPLATE_TOKEN_PATTERNS = [
@@ -1568,11 +1590,22 @@ function mcpServerName(toolName) {
 }
 function passesFilter(entry, filterOpts) {
   if (!filterOpts) return true;
-  const { allowedMcpServers, allowedPlugins } = filterOpts;
+  const { allowedMcpServers, allowedPlugins, allowedMcpTools } = filterOpts;
+  const toolName = entry.tool.name;
   if (allowedMcpServers !== void 0) {
-    const server = mcpServerName(entry.tool.name);
+    const server = mcpServerName(toolName);
     if (server !== void 0 && !allowedMcpServers.includes(server)) return false;
   }
+  if (allowedMcpTools !== void 0) {
+    const server = mcpServerName(toolName);
+    if (server !== void 0) {
+      const allowed = allowedMcpTools[server];
+      if (allowed !== void 0) {
+        const bareName = toolName.split("__").slice(2).join("__");
+        if (!allowed.includes(bareName)) return false;
+      }
+    }
+  }
   if (allowedPlugins !== void 0 && entry.pluginId !== void 0) {
     if (!allowedPlugins.includes(entry.pluginId)) return false;
   }
@@ -1859,6 +1892,8 @@ var AgentLoop = class {
   requestDumpStore;
   /** Phase 3 — team id stamped onto ToolContext when loop runs inside a team. */
   teamId;
+  /** Per-personality MCP tool policy from mcp.yaml (NOT on PersonalityConfig). */
+  mcpPolicy;
   /** Per-session accumulated spend in USD. Keyed by sessionKey. Reset via resetSessionCost(). */
   sessionCosts = /* @__PURE__ */ new Map();
   /** FW-28 — per-session mtime registry. Keyed by sessionKey → (absPath → record). */
@@ -1890,6 +1925,7 @@ var AgentLoop = class {
     if (config.watcher) this.watcher = config.watcher;
     if (config.clarifyBridge) this.clarifyBridge = config.clarifyBridge;
     if (config.requestDumpStore) this.requestDumpStore = config.requestDumpStore;
+    if (config.mcpPolicy) this.mcpPolicy = config.mcpPolicy;
     this.contextEngines = config.contextEngines ?? new DefaultContextEngineRegistry();
   }
   /**
@@ -1998,11 +2034,19 @@ var AgentLoop = class {
       model: effectiveModel,
       source: modelSource
     };
-    const allowedTools = personality.toolset ?? void 0;
+    const allowedTools = opts.toolsetOverride ?? personality.toolset ?? void 0;
     const allowedPlugins = personality.plugins ?? [];
+    const mcpServers = this.mcpPolicy?.servers;
+    const allowedMcpTools = mcpServers ? Object.fromEntries(
+      Object.entries(mcpServers).filter(([, v]) => v.tools !== void 0).map(([k, v]) => {
+        const tools = v.tools;
+        return [k, tools ?? []];
+      })
+    ) : void 0;
     const filterOpts = {
       allowedMcpServers: personality.mcp_servers ?? [],
-      allowedPlugins
+      allowedPlugins,
+      ...allowedMcpTools && Object.keys(allowedMcpTools).length > 0 ? { allowedMcpTools } : {}
     };
     await this.hooks.fireVoid(
       "session_start",
@@ -2027,7 +2071,7 @@ ${text}` : text;
     const activeMemory = personality.memory?.provider ? await this.memoryProviders.get(personality.memory.provider)?.(
       personality.memory.options
     ) ?? this.memory : this.memory;
-    const memScopeId = personality.memoryScope === "per-personality" ? `personality:${personality.id}` : "global";
+    const memScopeId = `personality:${personality.id}`;
     const memCtx = {
       scopeId: memScopeId,
       sessionId,
@@ -2042,6 +2086,35 @@ ${text}` : text;
         memSnapshot = { entries: hits.map((h) => ({ key: h.key, content: h.content })) };
       }
     }
+    const userScopeId = opts.userId ? `user:${opts.userId}` : void 0;
+    if (userScopeId) {
+      const userCtx = {
+        scopeId: userScopeId,
+        sessionId,
+        sessionKey,
+        platform: this.platform,
+        workingDir: this.workingDir
+      };
+      const userEntry = await activeMemory.read("USER.md", userCtx);
+      if (userEntry?.content.trim()) {
+        const userSnapshot = {
+          entries: [{ key: "USER.md", content: userEntry.content }]
+        };
+        if (memSnapshot) {
+          memSnapshot = { entries: [...userSnapshot.entries, ...memSnapshot.entries] };
+        } else {
+          memSnapshot = userSnapshot;
+        }
+      }
+    }
+    if (memSnapshot) {
+      memSnapshot = {
+        entries: memSnapshot.entries.map((e) => ({
+          key: e.key,
+          content: sanitize(e.content)
+        }))
+      };
+    }
     const promptCtx = {
       sessionId,
       sessionKey,
@@ -2447,8 +2520,8 @@ ${rendered.slice(-MEMORY_MAX_CHARS)}`;
         workingDir: this.workingDir,
         agentId: opts.agentId,
         personalityId: personality.id,
-        memoryScope: personality.memoryScope,
         memoryScopeId: memScopeId,
+        ...userScopeId ? { userScopeId } : {},
         ...this.teamId !== void 0 && { teamId: this.teamId },
         ...opts.dryRun ? { dryRun: true } : {},
         currentTurn: turnCount,
@@ -2527,6 +2600,30 @@ ${rendered.slice(-MEMORY_MAX_CHARS)}`;
           continue;
         }
         const effectiveArgs = beforeResult.args ?? tc.args;
+        const rejectError = checkMcpRejectArgs(this.mcpPolicy, tc.toolName, effectiveArgs);
+        if (rejectError) {
+          this.observability?.recordSafetyBlock({
+            traceId,
+            code: "tool_blocked",
+            cause: rejectError
+          });
+          observe({ type: "tool_end", toolName: tc.toolName, ok: false });
+          yield {
+            type: "tool_end",
+            toolCallId: tc.toolCallId,
+            toolName: tc.toolName,
+            ok: false,
+            durationMs: 0,
+            result: rejectError
+          };
+          prepped.push({
+            toolCallId: tc.toolCallId,
+            name: tc.toolName,
+            args: effectiveArgs,
+            rejected: rejectError
+          });
+          continue;
+        }
         const spanId = this.observability?.startSpan({
           traceId: traceId ?? "",
           kind: "tool_call",
@@ -3036,6 +3133,25 @@ function extractFilePath(args) {
   if (typeof a.cwd === "string" && a.cwd.length > 0) return a.cwd;
   return void 0;
 }
+function checkMcpRejectArgs(mcpPolicy, toolName, args) {
+  const servers = mcpPolicy?.servers;
+  if (!servers || !toolName.startsWith("mcp__")) return void 0;
+  const firstSep = toolName.indexOf("__");
+  const secondSep = toolName.indexOf("__", firstSep + 2);
+  if (secondSep === -1) return void 0;
+  const server = toolName.slice(firstSep + 2, secondSep);
+  const bareTool = toolName.slice(secondSep + 2);
+  const argRules = servers[server]?.reject_args?.[bareTool];
+  if (!argRules) return void 0;
+  const typedArgs = args;
+  for (const [argName, forbiddenValues] of Object.entries(argRules)) {
+    const value = typedArgs[argName];
+    if (typeof value === "string" && forbiddenValues.includes(value)) {
+      return `MCP policy: argument '${argName}' value '${value}' is rejected for tool '${bareTool}' on server '${server}'`;
+    }
+  }
+  return void 0;
+}
 function describeSource(toolName, args) {
   if (!args || typeof args !== "object") return void 0;
   const a = args;