npm - @maintainabilityai/research-runner - Versions diffs - 0.1.45 → 0.1.46 - Mend

@maintainabilityai/research-runner 0.1.45 → 0.1.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/runner/skills.js +52 -3
package/package.json +1 -1

package/dist/runner/skills.js CHANGED Viewed

@@ -1338,6 +1338,15 @@ const handleKnowledgeCode = async (input) => {
         // Workflow gate consumes this to validate cited paths.
         inventory_paths: inventoryPaths,
     };
+    // Bug-R / R6 (Codex round-3) — persist inventory to the clone
+    // cache so knowledge-code-read can strict-mode validate requested
+    // paths against the same list that lands in the audit chain.
+    // Without this, the agent could ask knowledge-code-read for
+    // arbitrary paths inside the clone that the chain never advertised.
+    try {
+        fs.writeFileSync(path.join(cloneTarget, '.knowledge-code-inventory.json'), JSON.stringify({ inventory_paths: inventoryPaths, sha, cachedAt: new Date().toISOString() }), 'utf8');
+    }
+    catch { /* inventory persist failure is non-fatal — read skill will fall back to cache-only check */ }
     return {
         ok: true,
         mode: 'brownfield',
@@ -1407,9 +1416,26 @@ const handleKnowledgeCodeRead = async (input) => {
     if (normalized.startsWith('..') || normalized === '..' || normalized.includes(`${path.sep}..${path.sep}`)) {
         return { ok: false, reason: `path-rejected: path-traversal segments forbidden (${filePath} -> ${normalized})` };
     }
-    // Reuse the cached clone from knowledge-code; clone fresh if missing
-    // (e.g. agent called knowledge-code-read without calling knowledge-
-    // code first — supported but slower).
+    // Bug-R / R6 (Codex round-3) — auth tightening. A prior knowledge-
+    // code call for this (runId, owner, name) MUST have populated the
+    // cache before knowledge-code-read can return content. Closes two
+    // gaps Codex flagged: (1) skill could read any public GitHub repo
+    // by URL alone, (2) audit chain didn't prove the standard
+    // brownfield-grounding pipeline ran before the file read. Test
+    // mode (KNOWLEDGE_CODE_READ_ALLOW_UNCACHED=1) bypasses this for
+    // unit tests that drive the skill directly.
+    const cacheDir = knowledgeCodeCacheDir(runId, gh.owner, gh.name);
+    const metaPath = path.join(cacheDir, '.cache-meta.json');
+    const allowUncached = process.env.KNOWLEDGE_CODE_READ_ALLOW_UNCACHED === '1';
+    if (!allowUncached && !fs.existsSync(metaPath)) {
+        return {
+            ok: false,
+            reason: `no-prior-knowledge-code: knowledge-code-read requires a prior knowledge-code call for ${gh.owner}/${gh.name} in run ${runId}. Call knowledge-code first to clone + classify the repo, then knowledge-code-read can return file contents from the cached clone.`,
+            remediation: "Call `knowledge-code` with the same repoUrl + runId before invoking knowledge-code-read. The audit chain then proves the agent went through brownfield grounding before reading files.",
+        };
+    }
+    // Reuse the cached clone from knowledge-code; clone fresh only in
+    // test mode (allowUncached).
     const cloneResult = ensureClone(runId, repoUrl, ref ?? 'HEAD', gh.owner, gh.name);
     if (!cloneResult.ok) {
         return {
@@ -1419,6 +1445,29 @@ const handleKnowledgeCodeRead = async (input) => {
             remediation: `Could not access clone for ${repoUrl}. Underlying error: ${cloneResult.error ?? 'unknown'}`,
         };
     }
+    // Bug-R / R6 (strict mode part 2) — validate the requested path
+    // against the inventory persisted by knowledge-code. Only paths
+    // that knowledge-code already advertised in `inventory_paths` are
+    // readable — closes the gap where the agent could ask for any
+    // file inside the clone, including files not visible in the
+    // bounded walk. Test mode bypasses (see allowUncached).
+    if (!allowUncached) {
+        const inventoryPath = path.join(cloneResult.path, '.knowledge-code-inventory.json');
+        if (fs.existsSync(inventoryPath)) {
+            try {
+                const inv = JSON.parse(fs.readFileSync(inventoryPath, 'utf8'));
+                const allowed = new Set(inv.inventory_paths ?? []);
+                if (allowed.size > 0 && !allowed.has(normalized)) {
+                    return {
+                        ok: false,
+                        reason: `path-not-in-inventory: ${normalized} is not in the knowledge-code inventory_paths for ${gh.owner}/${gh.name}. The agent can only read files knowledge-code advertised in the chain.`,
+                        remediation: "If the file is real but missed by the bounded walk (default maxFiles=200), call knowledge-code with a higher maxFiles before retrying.",
+                    };
+                }
+            }
+            catch { /* malformed inventory; fall through (cache-only check still applied) */ }
+        }
+    }
     const absPath = path.join(cloneResult.path, normalized);
     // Final paranoia check — resolve the real path and verify it's still
     // a child of the clone root. Defends against symlink-shaped escapes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@maintainabilityai/research-runner",
-  "version": "0.1.45",
+  "version": "0.1.46",
   "description": "Research + PRD agent runner — orchestrates the Archeologist and PRD pipelines for the MaintainabilityAI governance mesh",
   "license": "MIT",
   "author": "MaintainabilityAI",