@heylemon/lemonade 0.0.8 → 0.1.0

package/bin/lemon-cli-header.sh

@@ -43,6 +43,12 @@ if [[ -z "$LEMON_BACKEND_URL" ]]; then
 fi
 BACKEND_URL="$LEMON_BACKEND_URL"
 
+if [[ -z "$GATEWAY_TOKEN" ]]; then
+    echo -e "${RED}Error:${NC} GATEWAY_TOKEN not set." >&2
+    echo "Please ensure ~/.lemonade/.env contains GATEWAY_TOKEN or set it in your environment." >&2
+    exit 1
+fi
+
 # Local gateway URL (for health checks)
 GATEWAY_URL="${LEMONADE_GATEWAY_URL:-http://127.0.0.1:19847}"
 

package/bin/lemon-docs

@@ -20,16 +20,26 @@ case "$1" in
     CONTENT="${3:-}"
     
     # Create the document
-    RESULT=$(api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GOOGLEDOCS_CREATE_DOCUMENT_MARKDOWN", "parameters": {"title": "'"$TITLE"'"}}')
+    CREATE_JSON=$(jq -n --arg title "$TITLE" \
+      '{toolName: "GOOGLEDOCS_CREATE_DOCUMENT_MARKDOWN", parameters: {title: $title}}')
+    RESULT=$(echo "$CREATE_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute")
     
     # Extract document ID from result
     DOC_ID=$(echo "$RESULT" | jq -r '.result.documentId // .documentId // .id // .data.documentId // .data.id // empty' 2>/dev/null)
     
     # If content provided and we got a doc ID, append the content
     if [[ -n "$CONTENT" ]] && [[ -n "$DOC_ID" ]]; then
-      api_call POST "/api/lemonade/tools/execute" \
-          '{"toolName": "GOOGLEDOCS_INSERT_TEXT_ACTION", "parameters": {"document_id": "'"$DOC_ID"'", "text_to_insert": "'"$CONTENT"'", "append_to_end": true}}'
+      APPEND_JSON=$(jq -n --arg docId "$DOC_ID" --arg text "$CONTENT" \
+        '{toolName: "GOOGLEDOCS_INSERT_TEXT_ACTION", parameters: {document_id: $docId, text_to_insert: $text, append_to_end: true}}')
+      echo "$APPEND_JSON" | curl -s -X POST \
+        -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @- \
+        "${LEMON_BACKEND_URL}/api/lemonade/tools/execute" > /dev/null
     fi
     
     echo "$RESULT"
@@ -39,7 +49,10 @@ case "$1" in
     TITLE="$2"
     FILE_PATH="$3"
     
-    [[ ! -f "$FILE_PATH" ]] && echo "Error: File not found: $FILE_PATH" && exit 1
+    if [[ ! -f "$FILE_PATH" ]]; then
+        echo -e "${RED}Error:${NC} File not found: $FILE_PATH" >&2
+        exit 1
+    fi
     
     # Read file content
     CONTENT=$(cat "$FILE_PATH")
@@ -73,15 +86,23 @@ case "$1" in
     ;;
   append)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-docs append <document_id> <text>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GOOGLEDOCS_INSERT_TEXT_ACTION", "parameters": {"document_id": "'"$2"'", "text_to_insert": "'"$3"'", "append_to_end": true}}'
+    APPEND_JSON=$(jq -n --arg docId "$2" --arg text "$3" \
+      '{toolName: "GOOGLEDOCS_INSERT_TEXT_ACTION", parameters: {document_id: $docId, text_to_insert: $text, append_to_end: true}}')
+    echo "$APPEND_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   append-file)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-docs append-file <document_id> <file_path>" && exit 1
     DOC_ID="$2"
     FILE_PATH="$3"
     
-    [[ ! -f "$FILE_PATH" ]] && echo "Error: File not found: $FILE_PATH" && exit 1
+    if [[ ! -f "$FILE_PATH" ]]; then
+        echo -e "${RED}Error:${NC} File not found: $FILE_PATH" >&2
+        exit 1
+    fi
     
     # Read and escape file content
     CONTENT=$(cat "$FILE_PATH" | jq -Rs .)

package/bin/lemon-drive

@@ -37,6 +37,10 @@ case "$1" in
     ;;
   upload)
     [[ -z "$2" ]] && echo "Usage: lemon-drive upload <file_path> [folder_id]" && exit 1
+    if [[ ! -f "$2" ]]; then
+        echo -e "${RED}Error:${NC} File not found: $2" >&2
+        exit 1
+    fi
     folder="${3:-root}"
     api_call POST "/api/lemonade/tools/execute" \
         '{"toolName": "GOOGLEDRIVE_UPLOAD_FILE", "parameters": {"filePath": "'"$2"'", "parents": ["'"$folder"'"]}}'

package/bin/lemon-gmail

@@ -16,7 +16,11 @@ case "$1" in
     ;;
   send)
     [[ -z "$2" ]] || [[ -z "$3" ]] || [[ -z "$4" ]] && echo "Usage: lemon-gmail send <to> <subject> <body> [attachment_path]" && exit 1
-    if [[ -n "$5" ]] && [[ -f "$5" ]]; then
+    if [[ -n "$5" ]]; then
+      if [[ ! -f "$5" ]]; then
+        echo "Error: attachment file not found: $5" >&2
+        exit 1
+      fi
       # Send with attachment: upload to Composio S3 → send email with s3key
       ATTACH_PATH="$5"
       ATTACH_NAME="$(basename "$ATTACH_PATH")"
@@ -69,8 +73,16 @@ case "$1" in
         -d @- \
         "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     else
-      api_call POST "/api/lemonade/tools/execute" \
-          '{"toolName": "GMAIL_SEND_EMAIL", "parameters": {"recipient_email": "'"$2"'", "subject": "'"$3"'", "body": "'"$4"'"}}'
+      SEND_JSON=$(jq -n \
+        --arg to "$2" \
+        --arg subject "$3" \
+        --arg body "$4" \
+        '{toolName: "GMAIL_SEND_EMAIL", parameters: {recipient_email: $to, subject: $subject, body: $body}}')
+      echo "$SEND_JSON" | curl -s -X POST \
+        -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @- \
+        "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     fi
     ;;
   list)
@@ -95,13 +107,28 @@ case "$1" in
     ;;
   reply)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-gmail reply <thread_id> <body>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GMAIL_REPLY_TO_THREAD", "parameters": {"thread_id": "'"$2"'", "message_body": "'"$3"'"}}'
+    REPLY_JSON=$(jq -n \
+      --arg tid "$2" \
+      --arg body "$3" \
+      '{toolName: "GMAIL_REPLY_TO_THREAD", parameters: {thread_id: $tid, message_body: $body}}')
+    echo "$REPLY_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   draft)
     [[ -z "$2" ]] || [[ -z "$3" ]] || [[ -z "$4" ]] && echo "Usage: lemon-gmail draft <to> <subject> <body>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GMAIL_CREATE_EMAIL_DRAFT", "parameters": {"recipient_email": "'"$2"'", "subject": "'"$3"'", "body": "'"$4"'"}}'
+    DRAFT_JSON=$(jq -n \
+      --arg to "$2" \
+      --arg subject "$3" \
+      --arg body "$4" \
+      '{toolName: "GMAIL_CREATE_EMAIL_DRAFT", parameters: {recipient_email: $to, subject: $subject, body: $body}}')
+    echo "$DRAFT_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   contacts)
     # List Google contacts (name + email) for recipient resolution

package/bin/lemon-jira

@@ -40,12 +40,17 @@ case "$1" in
     type="${4:-Task}"
     desc="${5:-}"
     if [[ -n "$desc" ]]; then
-        api_call POST "/api/lemonade/tools/execute" \
-            '{"toolName": "JIRA_CREATE_ISSUE", "parameters": {"project_key": "'"$2"'", "summary": "'"$3"'", "issue_type": "'"$type"'", "description": "'"$desc"'"}}'
+        CREATE_JSON=$(jq -n --arg proj "$2" --arg summary "$3" --arg itype "$type" --arg desc "$desc" \
+          '{toolName: "JIRA_CREATE_ISSUE", parameters: {project_key: $proj, summary: $summary, issue_type: $itype, description: $desc}}')
     else
-        api_call POST "/api/lemonade/tools/execute" \
-            '{"toolName": "JIRA_CREATE_ISSUE", "parameters": {"project_key": "'"$2"'", "summary": "'"$3"'", "issue_type": "'"$type"'"}}'
+        CREATE_JSON=$(jq -n --arg proj "$2" --arg summary "$3" --arg itype "$type" \
+          '{toolName: "JIRA_CREATE_ISSUE", parameters: {project_key: $proj, summary: $summary, issue_type: $itype}}')
     fi
+    echo "$CREATE_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   get)
     [[ -z "$2" ]] && echo "Usage: lemon-jira get <issue_key>" && exit 1
@@ -54,8 +59,13 @@ case "$1" in
     ;;
   comment)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-jira comment <issue_key> <body>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "JIRA_ADD_COMMENT", "parameters": {"issue_id_or_key": "'"$2"'", "comment": "'"$3"'"}}'
+    COMMENT_JSON=$(jq -n --arg key "$2" --arg body "$3" \
+      '{toolName: "JIRA_ADD_COMMENT", parameters: {issue_id_or_key: $key, comment: $body}}')
+    echo "$COMMENT_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   transition)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-jira transition <issue_key> <status_name>" && exit 1

package/bin/lemon-notion

@@ -28,12 +28,17 @@ case "$1" in
     title="$2"
     parent="${3:-}"
     if [[ -n "$parent" ]]; then
-        api_call POST "/api/lemonade/tools/execute" \
-            '{"toolName": "NOTION_CREATE_NOTION_PAGE", "parameters": {"parent_id": "'"$parent"'", "title": "'"$title"'"}}'
+        CREATE_JSON=$(jq -n --arg parent "$parent" --arg title "$title" \
+          '{toolName: "NOTION_CREATE_NOTION_PAGE", parameters: {parent_id: $parent, title: $title}}')
     else
-        api_call POST "/api/lemonade/tools/execute" \
-            '{"toolName": "NOTION_CREATE_NOTION_PAGE", "parameters": {"title": "'"$title"'"}}'
+        CREATE_JSON=$(jq -n --arg title "$title" \
+          '{toolName: "NOTION_CREATE_NOTION_PAGE", parameters: {title: $title}}')
     fi
+    echo "$CREATE_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   read)
     [[ -z "$2" ]] && echo "Usage: lemon-notion read <page_id>" && exit 1
@@ -47,8 +52,13 @@ case "$1" in
     ;;
   append)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-notion append <page_id> <content>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "NOTION_ADD_MULTIPLE_PAGE_CONTENT", "parameters": {"page_id": "'"$2"'", "content": "'"$3"'"}}'
+    APPEND_JSON=$(jq -n --arg pageId "$2" --arg content "$3" \
+      '{toolName: "NOTION_ADD_MULTIPLE_PAGE_CONTENT", parameters: {page_id: $pageId, content: $content}}')
+    echo "$APPEND_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   databases)
     api_call POST "/api/lemonade/tools/execute" \

package/bin/lemon-slack

@@ -16,8 +16,15 @@ case "$1" in
     ;;
   send)
     [[ -z "$2" ]] || [[ -z "$3" ]] && echo "Usage: lemon-slack send <channel> <message>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "SLACK_SENDS_A_MESSAGE_TO_A_SLACK_CHANNEL", "parameters": {"channel": "'"$2"'", "text": "'"$3"'"}}'
+    SEND_JSON=$(jq -n \
+      --arg channel "$2" \
+      --arg text "$3" \
+      '{toolName: "SLACK_SENDS_A_MESSAGE_TO_A_SLACK_CHANNEL", parameters: {channel: $channel, text: $text}}')
+    echo "$SEND_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   channels)
     api_call POST "/api/lemonade/tools/execute" \

package/bin/lemon-slides

@@ -16,13 +16,23 @@ case "$1" in
     ;;
   create)
     [[ -z "$2" ]] && echo "Usage: lemon-slides create <title>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GOOGLESLIDES_PRESENTATIONS_CREATE", "parameters": {"title": "'"$2"'"}}'
+    CREATE_JSON=$(jq -n --arg title "$2" \
+      '{toolName: "GOOGLESLIDES_PRESENTATIONS_CREATE", parameters: {title: $title}}')
+    echo "$CREATE_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   create-markdown)
     [[ -z "$2" ]] && echo "Usage: lemon-slides create-markdown <markdown_content>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "GOOGLESLIDES_CREATE_SLIDES_MARKDOWN", "parameters": {"markdown": "'"$2"'"}}'
+    MD_JSON=$(jq -n --arg md "$2" \
+      '{toolName: "GOOGLESLIDES_CREATE_SLIDES_MARKDOWN", parameters: {markdown: $md}}')
+    echo "$MD_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   get)
     [[ -z "$2" ]] && echo "Usage: lemon-slides get <presentation_id>" && exit 1

package/bin/lemon-twitter

@@ -16,8 +16,13 @@ case "$1" in
     ;;
   tweet)
     [[ -z "$2" ]] && echo "Usage: lemon-twitter tweet <text>" && exit 1
-    api_call POST "/api/lemonade/tools/execute" \
-        '{"toolName": "TWITTER_CREATION_OF_A_POST", "parameters": {"text": "'"$2"'"}}'
+    TWEET_JSON=$(jq -n --arg text "$2" \
+      '{toolName: "TWITTER_CREATION_OF_A_POST", parameters: {text: $text}}')
+    echo "$TWEET_JSON" | curl -s -X POST \
+      -H "Authorization: Bearer ${GATEWAY_TOKEN}" \
+      -H "Content-Type: application/json" \
+      -d @- \
+      "${LEMON_BACKEND_URL}/api/lemonade/tools/execute"
     ;;
   timeline)
     limit="${2:-20}"

package/dist/agents/sandbox/sanitize-env-vars.js

@@ -0,0 +1,76 @@
+const BLOCKED_ENV_VAR_PATTERNS = [
+    /^ANTHROPIC_API_KEY$/i,
+    /^OPENAI_API_KEY$/i,
+    /^GEMINI_API_KEY$/i,
+    /^OPENROUTER_API_KEY$/i,
+    /^MINIMAX_API_KEY$/i,
+    /^ELEVENLABS_API_KEY$/i,
+    /^SYNTHETIC_API_KEY$/i,
+    /^TELEGRAM_BOT_TOKEN$/i,
+    /^DISCORD_BOT_TOKEN$/i,
+    /^SLACK_(BOT|APP)_TOKEN$/i,
+    /^LINE_CHANNEL_SECRET$/i,
+    /^LINE_CHANNEL_ACCESS_TOKEN$/i,
+    /^LEMONADE_GATEWAY_(TOKEN|PASSWORD)$/i,
+    /^AWS_(SECRET_ACCESS_KEY|SECRET_KEY|SESSION_TOKEN)$/i,
+    /^(GH|GITHUB)_TOKEN$/i,
+    /^(AZURE|AZURE_OPENAI|COHERE|AI_GATEWAY|OPENROUTER)_API_KEY$/i,
+    /_?(API_KEY|TOKEN|PASSWORD|PRIVATE_KEY|SECRET)$/i,
+];
+const ALLOWED_ENV_VAR_PATTERNS = [
+    /^LANG$/,
+    /^LC_.*$/i,
+    /^PATH$/i,
+    /^HOME$/i,
+    /^USER$/i,
+    /^SHELL$/i,
+    /^TERM$/i,
+    /^TZ$/i,
+    /^NODE_ENV$/i,
+];
+export function validateEnvVarValue(value) {
+    if (value.includes("\0")) {
+        return "Contains null bytes";
+    }
+    if (value.length > 32768) {
+        return "Value exceeds maximum length";
+    }
+    if (/^[A-Za-z0-9+/=]{80,}$/.test(value)) {
+        return "Value looks like base64-encoded credential data";
+    }
+    return undefined;
+}
+function matchesAnyPattern(value, patterns) {
+    return patterns.some((pattern) => pattern.test(value));
+}
+export function sanitizeEnvVars(envVars, options = {}) {
+    const allowed = {};
+    const blocked = [];
+    const warnings = [];
+    const blockedPatterns = [...BLOCKED_ENV_VAR_PATTERNS, ...(options.customBlockedPatterns ?? [])];
+    const allowedPatterns = [...ALLOWED_ENV_VAR_PATTERNS, ...(options.customAllowedPatterns ?? [])];
+    for (const [rawKey, value] of Object.entries(envVars)) {
+        const key = rawKey.trim();
+        if (!key) {
+            continue;
+        }
+        if (matchesAnyPattern(key, blockedPatterns)) {
+            blocked.push(key);
+            continue;
+        }
+        if (options.strictMode && !matchesAnyPattern(key, allowedPatterns)) {
+            blocked.push(key);
+            continue;
+        }
+        const warning = validateEnvVarValue(value);
+        if (warning) {
+            if (warning === "Contains null bytes") {
+                blocked.push(key);
+                continue;
+            }
+            warnings.push(`${key}: ${warning}`);
+        }
+        allowed[key] = value;
+    }
+    return { allowed, blocked, warnings };
+}

package/dist/agents/skills/env-overrides.js

@@ -1,36 +1,123 @@
+import { sanitizeEnvVars, validateEnvVarValue } from "../sandbox/sanitize-env-vars.js";
 import { resolveSkillConfig } from "./config.js";
 import { resolveSkillKey } from "./frontmatter.js";
-export function applySkillEnvOverrides(params) {
-    const { skills, config } = params;
-    const updates = [];
-    for (const entry of skills) {
-        const skillKey = resolveSkillKey(entry.skill, entry);
-        const skillConfig = resolveSkillConfig(config, skillKey);
-        if (!skillConfig)
+const HARD_BLOCKED_SKILL_ENV_PATTERNS = [
+    /^NODE_OPTIONS$/i,
+    /^OPENSSL_CONF$/i,
+    /^LD_PRELOAD$/i,
+    /^DYLD_INSERT_LIBRARIES$/i,
+];
+function matchesAnyPattern(value, patterns) {
+    return patterns.some((pattern) => pattern.test(value));
+}
+function sanitizeSkillEnvOverrides(params) {
+    if (Object.keys(params.overrides).length === 0) {
+        return { allowed: {}, blocked: [], warnings: [] };
+    }
+    const result = sanitizeEnvVars(params.overrides, {
+        customBlockedPatterns: HARD_BLOCKED_SKILL_ENV_PATTERNS,
+    });
+    const allowed = { ...result.allowed };
+    const blocked = [];
+    const warnings = [...result.warnings];
+    for (const key of result.blocked) {
+        if (matchesAnyPattern(key, HARD_BLOCKED_SKILL_ENV_PATTERNS) ||
+            !params.allowedSensitiveKeys.has(key)) {
+            blocked.push(key);
             continue;
-        if (skillConfig.env) {
-            for (const [envKey, envValue] of Object.entries(skillConfig.env)) {
-                if (!envValue || process.env[envKey])
-                    continue;
-                updates.push({ key: envKey, prev: process.env[envKey] });
-                process.env[envKey] = envValue;
+        }
+        const value = params.overrides[key];
+        if (!value) {
+            continue;
+        }
+        const warning = validateEnvVarValue(value);
+        if (warning) {
+            if (warning === "Contains null bytes") {
+                blocked.push(key);
+                continue;
             }
+            warnings.push(`${key}: ${warning}`);
         }
-        const primaryEnv = entry.metadata?.primaryEnv;
-        if (primaryEnv && skillConfig.apiKey && !process.env[primaryEnv]) {
-            updates.push({ key: primaryEnv, prev: process.env[primaryEnv] });
-            process.env[primaryEnv] = skillConfig.apiKey;
+        allowed[key] = value;
+    }
+    return { allowed, blocked, warnings };
+}
+function applySkillConfigEnvOverrides(params) {
+    const { updates, skillConfig, primaryEnv, requiredEnv, skillKey } = params;
+    const allowedSensitiveKeys = new Set();
+    const normalizedPrimaryEnv = primaryEnv?.trim();
+    if (normalizedPrimaryEnv) {
+        allowedSensitiveKeys.add(normalizedPrimaryEnv);
+    }
+    for (const envName of requiredEnv ?? []) {
+        const trimmedEnv = envName.trim();
+        if (trimmedEnv) {
+            allowedSensitiveKeys.add(trimmedEnv);
+        }
+    }
+    const pendingOverrides = {};
+    if (skillConfig.env) {
+        for (const [rawKey, envValue] of Object.entries(skillConfig.env)) {
+            const envKey = rawKey.trim();
+            if (!envKey || !envValue || process.env[envKey]) {
+                continue;
+            }
+            pendingOverrides[envKey] = envValue;
         }
     }
+    if (normalizedPrimaryEnv && skillConfig.apiKey && !process.env[normalizedPrimaryEnv]) {
+        if (!pendingOverrides[normalizedPrimaryEnv]) {
+            pendingOverrides[normalizedPrimaryEnv] = skillConfig.apiKey;
+        }
+    }
+    const sanitized = sanitizeSkillEnvOverrides({
+        overrides: pendingOverrides,
+        allowedSensitiveKeys,
+    });
+    if (sanitized.blocked.length > 0) {
+        console.warn(`[Security] Blocked skill env overrides for ${skillKey}:`, sanitized.blocked.join(", "));
+    }
+    if (sanitized.warnings.length > 0) {
+        console.warn(`[Security] Suspicious skill env overrides for ${skillKey}:`, sanitized.warnings);
+    }
+    for (const [envKey, envValue] of Object.entries(sanitized.allowed)) {
+        if (process.env[envKey]) {
+            continue;
+        }
+        updates.push({ key: envKey, prev: process.env[envKey] });
+        process.env[envKey] = envValue;
+    }
+}
+function createEnvReverter(updates) {
     return () => {
         for (const update of updates) {
-            if (update.prev === undefined)
+            if (update.prev === undefined) {
                 delete process.env[update.key];
-            else
+            }
+            else {
                 process.env[update.key] = update.prev;
+            }
         }
     };
 }
+export function applySkillEnvOverrides(params) {
+    const { skills, config } = params;
+    const updates = [];
+    for (const entry of skills) {
+        const skillKey = resolveSkillKey(entry.skill, entry);
+        const skillConfig = resolveSkillConfig(config, skillKey);
+        if (!skillConfig)
+            continue;
+        applySkillConfigEnvOverrides({
+            updates,
+            skillConfig,
+            primaryEnv: entry.metadata?.primaryEnv,
+            requiredEnv: entry.metadata?.requires?.env,
+            skillKey,
+        });
+    }
+    return createEnvReverter(updates);
+}
 export function applySkillEnvOverridesFromSnapshot(params) {
     const { snapshot, config } = params;
     if (!snapshot)
@@ -40,28 +127,13 @@ export function applySkillEnvOverridesFromSnapshot(params) {
         const skillConfig = resolveSkillConfig(config, skill.name);
         if (!skillConfig)
             continue;
-        if (skillConfig.env) {
-            for (const [envKey, envValue] of Object.entries(skillConfig.env)) {
-                if (!envValue || process.env[envKey])
-                    continue;
-                updates.push({ key: envKey, prev: process.env[envKey] });
-                process.env[envKey] = envValue;
-            }
-        }
-        if (skill.primaryEnv && skillConfig.apiKey && !process.env[skill.primaryEnv]) {
-            updates.push({
-                key: skill.primaryEnv,
-                prev: process.env[skill.primaryEnv],
-            });
-            process.env[skill.primaryEnv] = skillConfig.apiKey;
-        }
+        applySkillConfigEnvOverrides({
+            updates,
+            skillConfig,
+            primaryEnv: skill.primaryEnv,
+            requiredEnv: skill.requiredEnv,
+            skillKey: skill.name,
+        });
     }
-    return () => {
-        for (const update of updates) {
-            if (update.prev === undefined)
-                delete process.env[update.key];
-            else
-                process.env[update.key] = update.prev;
-        }
-    };
+    return createEnvReverter(updates);
 }

package/dist/agents/skills/workspace.js

@@ -147,6 +147,7 @@ export function buildWorkspaceSkillSnapshot(workspaceDir, opts) {
         skills: eligible.map((entry) => ({
             name: entry.skill.name,
             primaryEnv: entry.metadata?.primaryEnv,
+            requiredEnv: entry.metadata?.requires?.env,
         })),
         resolvedSkills,
         version: opts?.snapshotVersion,

package/dist/agents/system-prompt.js

@@ -32,7 +32,7 @@ function buildMemorySection(params) {
 function buildUserIdentitySection(ownerLine, isMinimal) {
     if (!ownerLine || isMinimal)
         return [];
-    return ["## User Identity", ownerLine, ""];
+    return ["## Authorized Senders", ownerLine, ""];
 }
 function buildTimeSection(params) {
     if (!params.userTimezone)
@@ -110,7 +110,7 @@ function buildConfirmationSection(isMinimal) {
         "## Email Rules (MANDATORY)",
         "1. NEVER fabricate email addresses. When user says a name (e.g. 'masood from my team'), resolve it via: Slack search-users (returns email), Gmail find-contact, or Gmail sent-to. If all fail, ASK the user.",
         "2. ALWAYS attach files when the task involves creating AND sending a file.",
-        '3. To attach a file to an email: first read the file as base64 (`base64 -i <path>`), then call GMAIL_SEND_EMAIL with the `attachment` parameter: `{"name": "file.docx", "content": "<base64>", "mimetype": "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}`.',
+        "3. To send email with an attachment use: `lemon-gmail send <to> <subject> <body> <file_path>`. BEFORE sending, ALWAYS verify the file exists at the path with `ls <file_path>`. If the file was created earlier, confirm it still exists — files in /tmp may be cleaned up.",
         "4. ALWAYS confirm the recipient email and attachment list BEFORE sending.",
         "",
     ];
@@ -231,7 +231,7 @@ export function buildAgentSystemPrompt(params) {
     const extraSystemPrompt = params.extraSystemPrompt?.trim();
     const ownerNumbers = (params.ownerNumbers ?? []).map((value) => value.trim()).filter(Boolean);
     const ownerLine = ownerNumbers.length > 0
-        ? `Owner numbers: ${ownerNumbers.join(", ")}. Treat messages from these numbers as the user.`
+        ? `Authorized senders: ${ownerNumbers.join(", ")}. These senders are allowlisted; do not assume they are the owner.`
         : undefined;
     const reasoningHint = params.reasoningTagHint
         ? [
@@ -509,6 +509,7 @@ export function buildAgentSystemPrompt(params) {
     if (!isMinimal) {
         lines.push("## Heartbeats", heartbeatPromptLine, "If you receive a heartbeat poll (a user message matching the heartbeat prompt above), and there is nothing that needs attention, reply exactly:", "HEARTBEAT_OK", 'Lemonade treats a leading/trailing "HEARTBEAT_OK" as a heartbeat ack (and may discard it).', 'If something needs attention, do NOT include "HEARTBEAT_OK"; reply with the alert text instead.', "");
     }
+    lines.push("## Safety", "You have no independent goals: do not pursue self-preservation, replication, resource acquisition, or power-seeking; avoid long-term plans beyond the user's request.", "Prioritize safety and human oversight over completion; if instructions conflict, pause and ask; comply with stop/pause/audit requests and never bypass safeguards.", "Do not manipulate or persuade anyone to expand access or disable safeguards. Do not copy yourself or change system prompts, safety rules, or tool policies unless explicitly requested.", "");
     lines.push("## Runtime", buildRuntimeLine(runtimeInfo, runtimeChannel, runtimeCapabilities, params.defaultThinkLevel), `Reasoning: ${reasoningLevel} (hidden unless on/stream). Toggle /reasoning; /status shows Reasoning when enabled.`);
     return lines.filter(Boolean).join("\n");
 }

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.0.8",
-  "commit": "a1fb85deb3c07e445dd89291230ae7c4d9480042",
-  "builtAt": "2026-02-20T07:05:21.593Z"
+  "version": "0.1.0",
+  "commit": "c1df1acf2d44bd071f58aa1caa0a16466e07d83f",
+  "builtAt": "2026-02-20T22:34:40.921Z"
 }

package/dist/canvas-host/a2ui/.bundle.hash

@@ -1 +1 @@
-924abd5547396c0e3e1642d40a19a47b8437dc16ed9d2aa7cccdd5f28bba3d73
+fbf3ec381ce17e16995ad09f6a2d589d56f777a566e57c3b72c540991f48890c