npm - @hybridaione/hybridclaw - Versions diffs - 0.2.12 → 0.3.1 - Mend

@hybridaione/hybridclaw 0.2.12 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/CHANGELOG.md +22 -0
package/README.md +11 -14
package/config.example.json +8 -2
package/container/dist/approval-policy.js +1183 -0
package/container/dist/approval-policy.js.map +1 -0
package/container/dist/browser-tools.js +1523 -0
package/container/dist/browser-tools.js.map +1 -0
package/container/dist/extensions.js +114 -0
package/container/dist/extensions.js.map +1 -0
package/container/dist/hybridai-client.js +256 -0
package/container/dist/hybridai-client.js.map +1 -0
package/container/dist/index.js +866 -0
package/container/dist/index.js.map +1 -0
package/container/dist/ipc.js +32 -0
package/container/dist/ipc.js.map +1 -0
package/container/dist/model-retry.js +18 -0
package/container/dist/model-retry.js.map +1 -0
package/container/dist/runtime-paths.js +79 -0
package/container/dist/runtime-paths.js.map +1 -0
package/container/dist/token-usage.js +168 -0
package/container/dist/token-usage.js.map +1 -0
package/container/dist/tools.js +2265 -0
package/container/dist/tools.js.map +1 -0
package/container/dist/types.js +2 -0
package/container/dist/types.js.map +1 -0
package/container/dist/web-fetch.js +396 -0
package/container/dist/web-fetch.js.map +1 -0
package/container/package-lock.json +2 -2
package/container/package.json +1 -1
package/container/src/browser-tools.ts +20 -23
package/container/src/index.ts +19 -29
package/container/src/ipc.ts +1 -1
package/container/src/runtime-paths.ts +116 -0
package/container/src/tools.ts +32 -47
package/dist/agent.d.ts.map +1 -1
package/dist/agent.js +20 -8
package/dist/agent.js.map +1 -1
package/dist/audit-cli.d.ts.map +1 -1
package/dist/audit-cli.js +25 -31
package/dist/audit-cli.js.map +1 -1
package/dist/cli-flags.d.ts +12 -0
package/dist/cli-flags.d.ts.map +1 -0
package/dist/cli-flags.js +75 -0
package/dist/cli-flags.js.map +1 -0
package/dist/cli.js +81 -62
package/dist/cli.js.map +1 -1
package/dist/config.d.ts +12 -2
package/dist/config.d.ts.map +1 -1
package/dist/config.js +76 -6
package/dist/config.js.map +1 -1
package/dist/container-runner.d.ts +25 -0
package/dist/container-runner.d.ts.map +1 -1
package/dist/container-runner.js +31 -6
package/dist/container-runner.js.map +1 -1
package/dist/container-setup.d.ts.map +1 -1
package/dist/container-setup.js +49 -70
package/dist/container-setup.js.map +1 -1
package/dist/executor.d.ts +45 -0
package/dist/executor.d.ts.map +1 -0
package/dist/executor.js +87 -0
package/dist/executor.js.map +1 -0
package/dist/gateway-service.d.ts.map +1 -1
package/dist/gateway-service.js +8 -5
package/dist/gateway-service.js.map +1 -1
package/dist/gateway-types.d.ts +15 -0
package/dist/gateway-types.d.ts.map +1 -1
package/dist/gateway-types.js.map +1 -1
package/dist/gateway.js +2 -2
package/dist/gateway.js.map +1 -1
package/dist/health.d.ts.map +1 -1
package/dist/health.js +2 -1
package/dist/health.js.map +1 -1
package/dist/host-runner.d.ts +43 -0
package/dist/host-runner.d.ts.map +1 -0
package/dist/host-runner.js +284 -0
package/dist/host-runner.js.map +1 -0
package/dist/install-root.d.ts +4 -0
package/dist/install-root.d.ts.map +1 -0
package/dist/install-root.js +74 -0
package/dist/install-root.js.map +1 -0
package/dist/instruction-approval-audit.d.ts.map +1 -1
package/dist/instruction-approval-audit.js +3 -3
package/dist/instruction-approval-audit.js.map +1 -1
package/dist/instruction-integrity.d.ts +27 -16
package/dist/instruction-integrity.d.ts.map +1 -1
package/dist/instruction-integrity.js +74 -93
package/dist/instruction-integrity.js.map +1 -1
package/dist/onboarding.d.ts.map +1 -1
package/dist/onboarding.js +17 -56
package/dist/onboarding.js.map +1 -1
package/dist/prompt-hooks.d.ts.map +1 -1
package/dist/prompt-hooks.js +2 -4
package/dist/prompt-hooks.js.map +1 -1
package/dist/runtime-config.d.ts +6 -1
package/dist/runtime-config.d.ts.map +1 -1
package/dist/runtime-config.js +71 -180
package/dist/runtime-config.js.map +1 -1
package/dist/runtime-secrets.d.ts +7 -0
package/dist/runtime-secrets.d.ts.map +1 -0
package/dist/runtime-secrets.js +132 -0
package/dist/runtime-secrets.js.map +1 -0
package/dist/tui.js +4 -4
package/dist/tui.js.map +1 -1
package/dist/workspace.d.ts.map +1 -1
package/dist/workspace.js +3 -2
package/dist/workspace.js.map +1 -1
package/docs/index.html +36 -36
package/package.json +4 -4
package/.env.example +0 -14
package/dist/env.d.ts +0 -6
package/dist/env.d.ts.map +0 -1
package/dist/env.js +0 -36
package/dist/env.js.map +0 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,12 +2,34 @@
 ## [Unreleased]
+## [0.3.1](https://github.com/HybridAIOne/hybridclaw/tree/v0.3.1)
+### Changed
+- **Home-only runtime state**: Runtime config, credentials, and data now stay under `~/.hybridclaw` exclusively; onboarding writes `credentials.json`, existing `./.env` secrets are imported into that file for compatibility, and the CLI stops probing legacy `./config.json` / `./data` runtime files.
+- **Container image state handling**: Container image fingerprint/state recording is now centralized, missing files are tolerated during fingerprint collection, and build/pull status lines use the invoking command name for clearer operator output.
+### Fixed
+- **Gateway lifecycle flag parsing**: `hybridclaw gateway start --sandbox=host` and `hybridclaw gateway restart --sandbox=host` no longer trip the top-level unsupported-flag guard, while non-lifecycle gateway subcommands still reject misplaced `--sandbox` / `--foreground` flags.
+## [0.3.0](https://github.com/HybridAIOne/hybridclaw/tree/v0.3.0)
 ### Added
+- **Configurable sandbox modes**: Gateway start/restart now accept `--sandbox=container|host`, runtime config adds `container.sandboxMode`, and gateway/TUI status surfaces show the active sandbox mode so operators can avoid Docker-in-Docker when HybridClaw itself already runs inside a container.
 ### Changed
+- **Container runtime hardening**: Container execution now drops Linux capabilities, disables privilege escalation, enforces a PID limit, uses a sized `/tmp` tmpfs, and adds `container.memorySwap` / `container.network` tuning alongside GHCR-first image pulls before the optional Docker Hub mirror.
+- **Packaged host runtime**: Root builds now compile and ship `container/dist/` so host sandbox mode can launch the bundled agent runtime from installed npm packages.
+- **Instruction sync workflow**: `hybridclaw audit instructions` now compares runtime copies in `~/.hybridclaw/instructions/` to installed package sources and uses `--sync` to restore shipped defaults instead of maintaining a local approval-hash baseline.
 ### Fixed
+- **Release container publishing resilience**: Release-tag container publishing now always publishes GHCR even when Docker Hub credentials are absent, instead of failing before any registry push occurs.
+- **Install-root asset resolution**: Runtime docs/templates/instructions now resolve from the actual install root, so onboarding, prompt guardrails, workspace bootstrap files, and the built-in site no longer depend on `process.cwd()`.
 ## [0.2.12](https://github.com/HybridAIOne/hybridclaw/tree/v0.2.12)
 ### Added

package/README.md CHANGED Viewed

@@ -11,13 +11,7 @@ npm install -g @hybridaione/hybridclaw
 hybridclaw onboarding
 ```
-Latest release: [v0.2.12](https://github.com/HybridAIOne/hybridclaw/releases/tag/v0.2.12)
-## Release highlights (v0.2.12)
-- Runtime config/data now default to `~/.hybridclaw`, with automatic migration from legacy `./config.json` and `./data`.
-- HybridClaw now auto-pulls prebuilt runtime images (Docker Hub first, GHCR fallback) before trying a local build.
-- Discord slash command registration now removes duplicate guild `/status` entries and keeps global-only commands clean.
+Latest release: [v0.3.1](https://github.com/HybridAIOne/hybridclaw/releases/tag/v0.3.1)
 ## HybridAI Advantage
@@ -42,7 +36,6 @@ Latest release: [v0.2.12](https://github.com/HybridAIOne/hybridclaw/releases/tag
 npm install
 # Run onboarding (also auto-runs on first `gateway`/`tui` start if API key is missing)
-# On first run, it creates `.env` from `.env.example` automatically if needed.
 hybridclaw onboarding
 # Onboarding flow:
@@ -51,7 +44,7 @@ hybridclaw onboarding
 # 3) open /register in browser (optional) and confirm in terminal
 # 4) open /login?next=/admin_api_keys in browser and get an API key
 # 5) paste API key (or URL containing it) back into the CLI
-# 6) choose the default bot (saved to ~/.hybridclaw/config.json) and save secrets to `.env`
+# 6) choose the default bot (saved to ~/.hybridclaw/config.json) and save secrets to ~/.hybridclaw/credentials.json
 # Start gateway backend (default)
 hybridclaw gateway
@@ -74,6 +67,8 @@ Runtime model:
 - If `DISCORD_TOKEN` is set, Discord runs inside gateway automatically.
 - `hybridclaw tui` is a thin client that connects to the gateway.
 - `hybridclaw gateway` and `hybridclaw tui` validate the container image at startup.
+- `container.sandboxMode` defaults to `container`, but if HybridClaw is already running inside a container and the setting is not explicitly pinned, the gateway auto-switches to `host` to avoid Docker-in-Docker.
+- Use `hybridclaw gateway start --sandbox=host` or `hybridclaw gateway restart --sandbox=host` to force host execution for a given launch.
 - On first run, HybridClaw automatically prepares that image (pulls a prebuilt image first, then falls back to local build if needed).
 - If container setup fails, run `npm run build:container` in the project root and retry.
@@ -82,9 +77,10 @@ Runtime model:
 HybridClaw creates `~/.hybridclaw/config.json` on first run and hot-reloads most runtime settings.
 - Start from `config.example.json` (reference).
-- Runtime data is stored in `~/.hybridclaw/` by default (`config.json`, `data/hybridclaw.db`, audit/session files).
-- On upgrade, legacy `./config.json` and `./data` are migrated to `~/.hybridclaw` automatically; backups are kept in `~/.hybridclaw/migration-backups/` when needed.
-- Keep secrets in `.env` (`HYBRIDAI_API_KEY` required, `DISCORD_TOKEN` optional).
+- Runtime state lives under `~/.hybridclaw/` (`config.json`, `credentials.json`, `data/hybridclaw.db`, audit/session files).
+- HybridClaw does not keep runtime state in the current working directory. If `./.env` exists, supported secrets are migrated once into `~/.hybridclaw/credentials.json`.
+- `container.*` controls execution isolation, including `sandboxMode`, `memory`, `memorySwap`, `cpus`, `network`, and additional mounts.
+- Keep secrets in `~/.hybridclaw/credentials.json` (`HYBRIDAI_API_KEY` required, `DISCORD_TOKEN` optional).
 - Trust-model acceptance is stored in `~/.hybridclaw/config.json` under `security.*` and is required before runtime starts.
 - See [TRUST_MODEL.md](./TRUST_MODEL.md) for onboarding acceptance policy and [SECURITY.md](./SECURITY.md) for technical security guidelines.
 - For advanced configuration, audit/observability details, skills internals, agent tools, and developer docs, see [CONTRIBUTING.md](./CONTRIBUTING.md).
@@ -94,8 +90,8 @@ HybridClaw creates `~/.hybridclaw/config.json` on first run and hot-reloads most
 CLI runtime commands:
 - `hybridclaw --version` / `-v` — Print installed HybridClaw version
-- `hybridclaw gateway start [--foreground]` — Start gateway (backend by default; foreground with flag)
-- `hybridclaw gateway restart [--foreground]` — Restart managed gateway backend process
+- `hybridclaw gateway start [--foreground] [--sandbox=container|host]` — Start gateway (backend by default; foreground with flag)
+- `hybridclaw gateway restart [--foreground] [--sandbox=container|host]` — Restart managed gateway backend process
 - `hybridclaw gateway stop` — Stop managed gateway backend process
 - `hybridclaw gateway status` — Show lifecycle/API status
 - `hybridclaw gateway <command...>` — Send a command to a running gateway (for example `sessions`, `bot info`)
@@ -103,6 +99,7 @@ CLI runtime commands:
 - `hybridclaw onboarding` — Run HybridAI account/API key onboarding
 - `hybridclaw update [status|--check] [--yes]` — Check for updates and upgrade global npm installs (source checkouts get git-based update instructions)
 - `hybridclaw audit ...` — Verify and inspect structured audit trail (`recent`, `search`, `approvals`, `verify`, `instructions`)
+- `hybridclaw audit instructions [--sync]` — Compare runtime instruction copies under `~/.hybridclaw/instructions/` against installed sources and restore shipped defaults when needed
 In Discord, use `!claw help` to see all commands. Key ones:

package/config.example.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": 5,
+  "version": 6,
   "security": {
     "trustModelAccepted": false,
     "trustModelAcceptedAt": "",
@@ -69,9 +69,12 @@
     "models": ["gpt-5-nano", "gpt-5-mini", "gpt-5"]
   },
   "container": {
+    "sandboxMode": "container",
     "image": "hybridclaw-agent",
     "memory": "512m",
+    "memorySwap": "",
     "cpus": "1",
+    "network": "bridge",
     "timeoutMs": 300000,
     "additionalMounts": "",
     "maxOutputBytes": 10485760,
@@ -158,6 +161,8 @@
         "description": "Runs standup summary every weekday at 9am.",
         "schedule": {
           "kind": "cron",
+          "at": null,
+          "everyMs": null,
           "expr": "0 9 * * 1-5",
           "tz": "America/New_York"
         },
@@ -168,7 +173,8 @@
         "delivery": {
           "kind": "channel",
           "channel": "discord",
-          "to": "123456789012345678"
+          "to": "123456789012345678",
+          "webhookUrl": ""
         },
         "enabled": false
       }