@kinqs/brainrouter-cli 0.3.5 → 0.3.6

package/dist/runtime/dangerousCommand.js

@@ -0,0 +1,105 @@
+/**
+ * Single source of truth for "is this shell command destructive enough that we
+ * must confirm even in /mode fast?"
+ *
+ * Used by:
+ *   - agent.ts `run_command`: in `executionMode === 'fast'` we skip the
+ *     `askYesNo` prompt for everyday commands, but route through askYesNo
+ *     anyway when this returns true.
+ *   - tests: invariant that fast mode ≠ unconditional auto-approve.
+ *
+ * Heuristic, not a sandbox. The real blast-radius limiter is
+ * `BRAINROUTER_SANDBOX=on`. This list exists so that a typo
+ * (`rm -rf /` instead of `rm -rf ./build`) doesn't get auto-approved
+ * because the user happened to be in fast mode.
+ *
+ * Patterns are conservative on purpose: false-positives cost one extra y/N
+ * prompt; false-negatives cost a wiped disk. Add a pattern when you spot one
+ * — do not remove existing entries without a replacement.
+ */
+const DANGEROUS_PATTERNS = [
+    // Recursive / forced deletions
+    /\brm\s+(?:-[a-zA-Z]*[rRfF][a-zA-Z]*|--recursive\b|--force\b)/,
+    // Anything piped/awk'd into a shell — too easy to hide an `rm` inside.
+    /\|\s*(?:sh|bash|zsh|fish)\b/,
+    // Disk imaging / zeroing
+    /\bdd\s+(?:if|of|bs|count)=/,
+    /\bmkfs(?:\.[a-z0-9]+)?\b/,
+    /\bfdisk\b/,
+    /\bshred\b/,
+    // Wide-open permission flips
+    /\bchmod\s+(?:-R\s+)?(?:[0-7]*[7]{2,3}|a\+w)\b/,
+    /\bchown\s+-R\b/,
+    // Privilege escalation
+    /\bsudo\b/,
+    /\bsu\s+-/,
+    // Forced or destructive git operations
+    /\bgit\s+push\s+(?:-f|--force)/,
+    /\bgit\s+reset\s+--hard/,
+    /\bgit\s+clean\s+-[a-zA-Z]*[fF]/,
+    /\bgit\s+checkout\s+--\s/,
+    /\bgit\s+branch\s+-D\b/,
+    // Package-manager mutators that touch the global tree or remove deps
+    /\bnpm\s+(?:uninstall|unpublish)\b/,
+    /\b(?:yarn|pnpm)\s+remove\b/,
+    // Process / system control
+    /\bkillall\b/,
+    /\bkill\s+-9\b/,
+    /\b(?:shutdown|reboot|halt|poweroff)\b/,
+    // Outbound exec-from-network — the classic curl|sh exfil/exec pattern
+    /\b(?:curl|wget|fetch)\b[^|]*\|\s*(?:sh|bash|zsh)\b/,
+    // Database wipes
+    /\bDROP\s+(?:DATABASE|TABLE|SCHEMA)\b/i,
+    /\bTRUNCATE\s+TABLE\b/i,
+    // Docker / k8s wipes
+    /\bdocker\s+system\s+prune\b/,
+    /\bdocker\s+(?:rm|rmi)\s+-f/,
+    /\bkubectl\s+delete\b/,
+];
+/**
+ * Returns true when the command matches any pattern that fast mode should
+ * still gate through `askYesNo`. The check is a single-pass regex sweep
+ * against the literal command string — no shell parsing, no env expansion.
+ *
+ * The trailing wildcard semantics matter: `rm -rf foo` matches, `rm-rf` does
+ * not (word boundary), `rmdir` does not (different keyword). When in doubt,
+ * lean toward returning true: the cost of an extra y/N is much smaller than
+ * the cost of accidentally letting a destructive command through.
+ */
+export function isDangerousCommand(command) {
+    if (!command)
+        return false;
+    const normalized = command.trim();
+    if (!normalized)
+        return false;
+    return DANGEROUS_PATTERNS.some((pattern) => pattern.test(normalized));
+}
+/**
+ * Pure decision for "what should happen when the agent calls `run_command`?"
+ * Split out of `agent.ts` so the policy is unit-testable without TTY mocking.
+ *
+ *   - Silent children cannot answer a y/N prompt. We auto-approve only when
+ *     the parent has opted in via `executionMode === 'fast'` AND the command
+ *     is not in the dangerous set. Dangerous commands in silent children are
+ *     always denied — there is no human to confirm the blast radius.
+ *   - Interactive parents in `fast` mode skip the prompt for safe commands
+ *     and still gate dangerous ones through `askYesNo`. In `planning` mode
+ *     every command routes through `askYesNo`.
+ *
+ * The `executionMode === 'fast'` check is the single source of truth for
+ * "yolo-ish" behavior — the legacy `autoApproveShell` flag is migrated into
+ * `executionMode === 'fast'` on first read of `preferencesStore` so new
+ * callers do not need to consult both.
+ */
+export function resolveRunCommandApproval(prefs, command, opts) {
+    const fastMode = prefs.executionMode === 'fast';
+    const dangerous = isDangerousCommand(command);
+    if (opts.silent) {
+        if (dangerous)
+            return 'deny-silent';
+        return fastMode ? 'auto-approve' : 'deny-silent';
+    }
+    if (fastMode && !dangerous)
+        return 'auto-approve';
+    return 'ask';
+}

package/dist/runtime/mcpClient.d.ts

@@ -10,10 +10,31 @@ export declare class McpClientWrapper {
      * blowing up, which the agent's existing try/catch wrappers already handle.
      */
     private connected;
+    /**
+     * 10a: cached identity. Set once by `detectMcpIdentity` after the first
+     * successful `listTools()` (or by `connect` if the config + URL gave us
+     * a clear signal). The value drives status surfaces and the brain-offline
+     * prompt swap — distinguishes "our brain went down" from "a random
+     * third-party MCP went down" once item 11's multi-MCP support lands.
+     */
+    private identity;
+    private serverName?;
     constructor();
     /** Whether this wrapper has an active MCP transport. */
     isConnected(): boolean;
-    connect(serverConfig: ServerConfig, llmConfig?: LLMConfig): Promise<void>;
+    /** 10a: who is this MCP? Set by `detectMcpIdentity`; 'unknown' before first list. */
+    getIdentity(): 'brainrouter' | 'third-party' | 'unknown';
+    /** 10a: profile name passed at connect (`brainrouter` / `local-http` / etc.). */
+    getServerName(): string | undefined;
+    /**
+     * 10a: connect with an optional `name` so the wrapper can render identity
+     * tags ("BrainRouter MCP offline" vs "third-party MCP offline") without
+     * the caller threading it through every error path. The pre-10a single-
+     * arg form remains supported — callers that don't pass a name fall back
+     * to URL-pattern detection.
+     */
+    connect(serverConfig: ServerConfig, llmConfig?: LLMConfig, name?: string): Promise<void>;
+    private _connect;
     listTools(): Promise<{
         [x: string]: unknown;
         tools: {
@@ -154,3 +175,19 @@ export declare class McpClientWrapper {
     }>;
     close(): Promise<void>;
 }
+/**
+ * 10a: figure out who an MCP profile belongs to from config metadata + name
+ * + URL alone, before any network call. Explicit `identity` wins; otherwise
+ * we check name prefix and URL host. Returns 'unknown' when nothing matches
+ * — the caller (currently `listTools`) falls back to tool-signature
+ * detection after the first successful enumeration.
+ *
+ * Detection cases:
+ *   - explicit `identity: 'brainrouter'` or `identity: 'third-party'` → that.
+ *   - profile name (case-insensitive) starts with `brainrouter` → brainrouter.
+ *   - http URL hostname matches `*.brainrouter.cloud` / `*.brainrouter.dev`
+ *     / `*.brainrouter.io` / `*.kinqs.brainrouter.*` → brainrouter.
+ *   - stdio command basename matches `brainrouter` / `brainrouter-mcp` → brainrouter.
+ *   - otherwise → unknown (let the tool-signature fallback decide).
+ */
+export declare function resolveIdentityFromConfig(serverConfig: ServerConfig, name?: string): 'brainrouter' | 'third-party' | 'unknown';

package/dist/runtime/mcpClient.js

@@ -13,6 +13,15 @@ export class McpClientWrapper {
      * blowing up, which the agent's existing try/catch wrappers already handle.
      */
     connected = false;
+    /**
+     * 10a: cached identity. Set once by `detectMcpIdentity` after the first
+     * successful `listTools()` (or by `connect` if the config + URL gave us
+     * a clear signal). The value drives status surfaces and the brain-offline
+     * prompt swap — distinguishes "our brain went down" from "a random
+     * third-party MCP went down" once item 11's multi-MCP support lands.
+     */
+    identity = 'unknown';
+    serverName;
     constructor() {
         this.client = new Client({ name: 'brainrouter-cli', version: '0.3.5' }, { capabilities: {} });
     }
@@ -20,7 +29,30 @@ export class McpClientWrapper {
     isConnected() {
         return this.connected;
     }
-    async connect(serverConfig, llmConfig) {
+    /** 10a: who is this MCP? Set by `detectMcpIdentity`; 'unknown' before first list. */
+    getIdentity() {
+        return this.identity;
+    }
+    /** 10a: profile name passed at connect (`brainrouter` / `local-http` / etc.). */
+    getServerName() {
+        return this.serverName;
+    }
+    /**
+     * 10a: connect with an optional `name` so the wrapper can render identity
+     * tags ("BrainRouter MCP offline" vs "third-party MCP offline") without
+     * the caller threading it through every error path. The pre-10a single-
+     * arg form remains supported — callers that don't pass a name fall back
+     * to URL-pattern detection.
+     */
+    async connect(serverConfig, llmConfig, name) {
+        this.serverName = name;
+        // Resolve identity upfront from config metadata + name/URL patterns.
+        // The tool-signature fallback (memory_recall + list_skills) runs after
+        // the first successful `listTools` in `refreshIdentityFromTools`.
+        this.identity = resolveIdentityFromConfig(serverConfig, name);
+        return this._connect(serverConfig, llmConfig);
+    }
+    async _connect(serverConfig, llmConfig) {
         if (serverConfig.type === 'stdio') {
             if (!serverConfig.command) {
                 throw new Error('Stdio server configuration missing "command".');
@@ -178,7 +210,22 @@ export class McpClientWrapper {
         // with only local tools instead of crashing when it tries to enumerate.
         if (!this.connected)
             return { tools: [] };
-        return this.client.listTools({});
+        const res = await this.client.listTools({});
+        // 10a: tool-signature fallback for identity detection. If the config +
+        // URL didn't already pin the identity, the BrainRouter MCP exposes a
+        // distinctive pair (`memory_recall` AND `list_skills`) that no neutral
+        // third-party MCP will. Cache the result so the next list doesn't
+        // re-probe — identity is stable for the lifetime of a connection.
+        if (this.identity === 'unknown' && Array.isArray(res?.tools)) {
+            const names = new Set(res.tools.map((t) => t?.name));
+            if (names.has('memory_recall') && names.has('list_skills')) {
+                this.identity = 'brainrouter';
+            }
+            else {
+                this.identity = 'third-party';
+            }
+        }
+        return res;
     }
     async callTool(name, args) {
         // Offline mode: synthesize an error envelope that downstream consumers
@@ -232,3 +279,44 @@ export class McpClientWrapper {
         this.connected = false;
     }
 }
+/**
+ * 10a: figure out who an MCP profile belongs to from config metadata + name
+ * + URL alone, before any network call. Explicit `identity` wins; otherwise
+ * we check name prefix and URL host. Returns 'unknown' when nothing matches
+ * — the caller (currently `listTools`) falls back to tool-signature
+ * detection after the first successful enumeration.
+ *
+ * Detection cases:
+ *   - explicit `identity: 'brainrouter'` or `identity: 'third-party'` → that.
+ *   - profile name (case-insensitive) starts with `brainrouter` → brainrouter.
+ *   - http URL hostname matches `*.brainrouter.cloud` / `*.brainrouter.dev`
+ *     / `*.brainrouter.io` / `*.kinqs.brainrouter.*` → brainrouter.
+ *   - stdio command basename matches `brainrouter` / `brainrouter-mcp` → brainrouter.
+ *   - otherwise → unknown (let the tool-signature fallback decide).
+ */
+export function resolveIdentityFromConfig(serverConfig, name) {
+    if (serverConfig.identity === 'brainrouter' || serverConfig.identity === 'third-party') {
+        return serverConfig.identity;
+    }
+    if (name && /^brainrouter/i.test(name.trim())) {
+        return 'brainrouter';
+    }
+    if (serverConfig.type === 'http' && serverConfig.url) {
+        try {
+            const url = new URL(serverConfig.url);
+            if (/\.brainrouter\.(cloud|dev|io|com|app)$/i.test(url.hostname)) {
+                return 'brainrouter';
+            }
+        }
+        catch {
+            // Malformed URL; let later code surface the connection error.
+        }
+    }
+    if (serverConfig.type === 'stdio' && serverConfig.command) {
+        const base = serverConfig.command.split(/[/\\]/).pop() ?? '';
+        if (/^brainrouter(-mcp)?$/i.test(base)) {
+            return 'brainrouter';
+        }
+    }
+    return 'unknown';
+}

package/dist/state/goalStore.d.ts

@@ -24,12 +24,20 @@
  *                      "you ran out of room" from "user paused" from
  *                      "agent gave up."
  *
- * Storage (per-session bucket):
- *   ~/.brainrouter/workspaces/<encoded>/cli/sessions/<encodedKey>/goal.json
+ * Storage (priority chain — see `resolveGoalScope`):
+ *   1. Workflow bound: `<workspace>/.brainrouter/workflows/<slug>/goal.json`
+ *      (lives in the committable workflow folder so the goal travels with
+ *      the spec / tasks / walkthrough).
+ *   2. No workflow, session-scoped:
+ *      `~/.brainrouter/workspaces/<encoded>/cli/sessions/<encodedKey>/goal.json`
+ *   3. Back-compat (no workflow, no sessionKey):
+ *      `~/.brainrouter/workspaces/<encoded>/cli/goal.json`
  *
- * Legacy fallback paths exist for sessions created before per-session
- * goal isolation was added. normalize() fills missing fields with defaults
- * so resumed sessions don't crash on first read.
+ * Session-scoped reads stay isolated (Item 1 invariant — never fall back to
+ * a prior session's goal). Workflow-bound reads stay isolated by workflow
+ * (Item 3 invariant — switching workflows swaps which goal you see).
+ * normalize() fills missing fields with defaults so resumed sessions don't
+ * crash on first read.
  */
 export type GoalStatus = 'active' | 'paused' | 'complete' | 'blocked' | 'usage_limited';
 /** A pausing status is one where continuation is halted but resumable. */
@@ -57,7 +65,25 @@ export interface Goal {
     completedAt?: string;
     blockedReason?: string;
 }
-export declare const DEFAULT_GOAL_BUDGET = 10;
+/**
+ * Default iteration cap when the user doesn't pass one.
+ *
+ * Set to a very high number (effectively "unlimited" for any real task)
+ * rather than a tight 10. Rationale: the goal lifecycle has three
+ * independent safety nets that already prevent runaway loops —
+ *   1. Anti-spin   — a turn that made zero tool calls doesn't continue
+ *   2. Repeat-loop — calling the same tool with identical args 3× errors
+ *   3. Manual stop — Ctrl-C, /goal pause, /goal clear
+ *
+ * A hard iteration cap on top of those is overly paternalistic for users
+ * running local models (no $ cost) and is easily lifted with /goal budget
+ * <n> when wanted. Display layers should treat any value >= UNLIMITED_THRESHOLD
+ * as "unlimited" for friendlier UX.
+ */
+export declare const DEFAULT_GOAL_BUDGET = 1000000;
+export declare const UNLIMITED_BUDGET_THRESHOLD = 100000;
+/** Format helper — used by REPL display + status output. */
+export declare function formatBudget(maxIterations: number): string;
 /**
  * Hard cap on the goal text length. A goal is supposed to be a 1–3 sentence
  * outcome statement; multi-thousand-character pastes (e.g. full chat logs)
@@ -82,6 +108,55 @@ export declare class GoalConflictError extends Error {
     readonly existing: Goal;
     constructor(existing: Goal);
 }
+/**
+ * Where the agent's goal lives RIGHT NOW. The priority chain — adapted from
+ * openSrc/agentmemory's fallback-provider walk (guard clauses that early-
+ * return per layer rather than a single flat loop) — is:
+ *
+ *   1. workflow scope — a workflow is bound via `current-workflow.json`
+ *      (the per-user CLI pointer). Goal lives at `<workflow>/goal.json`
+ *      next to spec.md / tasks.md / meta.json. Switching workflows carries
+ *      the goal with the folder.
+ *   2. session scope — no workflow bound but a sessionKey is supplied
+ *      (the post-Item-1 default). Goal lives at
+ *      `<cliStateDir>/sessions/<encodedKey>/goal.json` — strictly per
+ *      session, never falls back to a different session's file.
+ *   3. legacy scope — no workflow, no sessionKey. Used by the very-old
+ *      single-process call sites that haven't been migrated yet (and by
+ *      back-compat reads of pre-0.3.5 workspace-level goal.json files).
+ *
+ * Every read/write entrypoint routes through this single resolver so the
+ * priority chain has exactly one decision point. Callers don't decide where
+ * to look; they get a path + scope tag and act on it.
+ */
+export type GoalScope = {
+    scope: 'session';
+    sessionKey: string;
+    path: string;
+} | {
+    scope: 'legacy';
+    path: string;
+};
+/**
+ * Resolve the on-disk location where the active goal for this CLI process
+ * lives.
+ *
+ * **Design (0.3.6 decouple-goal-from-workflow, supersedes Item 3):** goal
+ * is **always per-session**. Workflows are durable artifact folders
+ * (spec.md, tasks.md, walkthrough.md, meta.json) that have nothing to do
+ * with the agent's autonomy primitive. The earlier Item 3 design coupled
+ * the two by storing goal state inside `<workflow>/goal.json`, which
+ * meant any two CLI sessions in the same workspace that happened to land
+ * on the same workflow shared a goal — silently reintroducing the
+ * cross-session leak PR #26 had fixed. We removed that coupling
+ * entirely: workflows are storage, goals are runtime, no overlap.
+ *
+ * Priority chain:
+ *   1. Session-scoped — `<session>/goal.json`. The normal case.
+ *   2. Legacy — `<cli-state>/goal.json`. Only hit by callers without a
+ *      sessionKey (rare; mostly tooling paths that pre-date Item 1).
+ */
+export declare function resolveGoalScope(workspaceRoot: string, sessionKey?: string): GoalScope;
 export declare function readGoal(workspaceRoot: string, sessionKey?: string): Goal | null;
 /**
  * Set a new active goal. Refuses to overwrite an in-progress goal (active,
@@ -158,17 +233,23 @@ export declare function goalHasBudgetLeft(goal: Goal): boolean;
  * decision. We detect that ahead of time by checking before the tick.
  */
 export declare function goalIsOnFinalBudgetTurn(goal: Goal): boolean;
+export interface FormatGoalBlockOptions {
+    /**
+     * Override the auto-detected final-budget-turn state. Useful for tests
+     * and for callers that want to force-render the wrap-up directive. When
+     * omitted, `formatGoalBlock` calls `goalIsOnFinalBudgetTurn(goal)` itself.
+     */
+    finalBudgetTurn?: boolean;
+}
+export declare function formatGoalBlock(goal: Goal, options?: FormatGoalBlockOptions): string;
 /**
- * Wrap-up steering message injected on the final-budget turn. The agent
- * loop pushes this into the chat history as a system message so the model
- * pivots from "continue investigating" to "consolidate and report." Plain
- * directive, no role-play.
+ * Drift / ready check used by the goal-continuation prompt. Compressed
+ * from the prose-heavy 4-paragraph form into a 2-line checklist as part
+ * of 9d's prompt deduplication — the goal text, status, and budget are
+ * now owned by the goal-anchor system message; the continuation prompt
+ * carries only the per-turn drift check + a pointer to the anchor.
  *
- * The message specifically reports WHICH cap is tight (iterations, tokens,
- * or both) so the model doesn't get told "one turn left" when it actually
- * has many iterations remaining but is near the token cap, or vice versa.
- * Earlier versions hardcoded the iteration framing even when only the
- * token heuristic tripped, which misled the model on token-budgeted runs.
+ * Distinct from `buildGoalKickoffPrompt` (in `commands/_helpers.ts`),
+ * which is the FIRST-turn prompt fired by `/goal <text>` and `/goal resume`.
  */
-export declare function buildBudgetSteeringMessage(goal: Goal): string;
-export declare function formatGoalBlock(goal: Goal): string;
+export declare function buildGoalContinuationPrompt(goal: Goal, lastPrompt: string, lastAnswer: string): string;