@openape/ape-agent 2.6.3 → 2.7.1

package/dist/bridge.mjs

@@ -333,7 +333,7 @@ async function prompt(message, opts = {}) {
   }
   throw new Error(`Unknown prompt type: ${opts.type}`);
 }
-var src, hasRequiredSrc, srcExports, picocolors, hasRequiredPicocolors, picocolorsExports, e, Q, P$1, X, DD, uD, FD, m, L$1, N, I, r, tD, eD, iD, v, CD, w$1, W$1, rD, R, y, V$1, z, ED, _, nD, oD, aD, c, S, AD, pD, h, x, fD, bD, mD, Y, wD, SD, $D, q, jD, PD, V, u, le, L, W, C, o, d, k, P, A, T, F, w, B, he, ye, ve, fe, kCancel;
+var src, hasRequiredSrc, srcExports, picocolors, hasRequiredPicocolors, picocolorsExports, e, Q, P$1, X, DD, uD, FD, m, L$1, N, I, r, tD, eD, iD, v, CD, w$1, W$1, rD, R, y, V$1, z, ED, _, nD, oD, aD, c, S, AD, pD, h, x, fD, bD, mD, Y, wD, SD, $D, q2, jD, PD, V, u, le, L, W, C, o, d, k, P, A, T, F, w, B, he, ye, ve, fe, kCancel;
 var init_prompt = __esm({
   "../../node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/chunks/prompt.mjs"() {
     "use strict";
@@ -609,10 +609,10 @@ var init_prompt = __esm({
     };
     SD = Object.defineProperty;
     $D = (t2, u3, F3) => u3 in t2 ? SD(t2, u3, { enumerable: true, configurable: true, writable: true, value: F3 }) : t2[u3] = F3;
-    q = (t2, u3, F3) => ($D(t2, typeof u3 != "symbol" ? u3 + "" : u3, F3), F3);
+    q2 = (t2, u3, F3) => ($D(t2, typeof u3 != "symbol" ? u3 + "" : u3, F3), F3);
     jD = class extends x {
       constructor(u3) {
-        super(u3, false), q(this, "options"), q(this, "cursor", 0), this.options = u3.options, this.cursor = this.options.findIndex(({ value: F3 }) => F3 === u3.initialValue), this.cursor === -1 && (this.cursor = 0), this.changeValue(), this.on("cursor", (F3) => {
+        super(u3, false), q2(this, "options"), q2(this, "cursor", 0), this.options = u3.options, this.cursor = this.options.findIndex(({ value: F3 }) => F3 === u3.initialValue), this.cursor === -1 && (this.cursor = 0), this.changeValue(), this.on("cursor", (F3) => {
           switch (F3) {
             case "left":
             case "up":
@@ -1036,7 +1036,7 @@ var require_shell_quote = __commonJS({
 import { existsSync as existsSync7, readFileSync as readFileSync8 } from "fs";
 import { homedir as homedir9 } from "os";
 import { join as join9 } from "path";
-import process2 from "process";
+import process3 from "process";
 
 // ../../packages/cli-auth/dist/index.js
 import { ofetch } from "ofetch";
@@ -1333,6 +1333,66 @@ async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
   return next;
 }
 
+// ../../packages/prompt-injection-detector/dist/index.js
+var DEFAULT_THRESHOLD = 0.7;
+var DEFAULT_OWNER_THRESHOLD = 0.95;
+async function decide(detector, input, opts = {}) {
+  const threshold = input.sender.isOwner ? opts.ownerThreshold ?? DEFAULT_OWNER_THRESHOLD : opts.threshold ?? DEFAULT_THRESHOLD;
+  const result = await detector.classify(input);
+  return {
+    ...result,
+    threshold,
+    blocked: result.score >= threshold
+  };
+}
+var PATTERNS = [
+  // Instruction-override family. The defining phrase of prompt
+  // injection — telling the model to discard its instructions in
+  // favour of new ones.
+  { re: /\bignore (?:all |any |the |your )?(?:previous|prior|above|earlier|preceding) (?:instructions?|rules?|context|prompts?|messages?)\b/i, weight: 0.6, reason: "instruction-override" },
+  { re: /\bdisregard (?:all |any |the |your )?(?:previous|prior|above|earlier|preceding)?\s*(?:instructions?|rules?|context)\b/i, weight: 0.6, reason: "instruction-override" },
+  { re: /\b(?:you are|act as|pretend to be|roleplay as) (?:now |a |an )?(?:different|new|unrestricted|jailbroken|dan|do anything now)\b/i, weight: 0.55, reason: "role-override" },
+  { re: /\b(?:forget|drop|reset) (?:everything|all|your) (?:above|prior|previous|instructions?|rules?|context)\b/i, weight: 0.55, reason: "context-reset" },
+  // Filesystem-exfiltration. Specific paths that have no business
+  // appearing in normal chat — auth tokens, SSH keys, agent config.
+  // `\b` would fail on `/etc/passwd` (slash is non-word, no boundary
+  // with preceding space) — match the literal forms instead.
+  { re: /(?:~\/\.config\/apes|~\/\.openape|~\/\.ssh|\/etc\/passwd|\/etc\/shadow|\bid_rsa\b|\bid_ed25519\b|\bauth\.json\b|\.env(?:\.[\w-]+)?\b)/i, weight: 0.45, reason: "sensitive-path" },
+  // Tool-call coercion. Phrases that try to talk the agent into
+  // executing tools or running shell commands as part of the reply.
+  { re: /\b(?:run|execute|invoke|call)\s+(?:the\s+)?(?:shell|bash|sh|cmd|powershell|tool|command|script)\b/i, weight: 0.35, reason: "tool-coercion" },
+  { re: /\b(?:and\s+)?(?:post|send|share|paste|return|reply with|output)\s+(?:the\s+)?(?:contents?|output|result|file|secret|token|api[-_ ]?key)\b/i, weight: 0.3, reason: "exfil-request" },
+  // Override + override-and-do (combined "do X without telling Y" forms).
+  { re: /\bwithout (?:telling|asking|informing|notifying|consulting|the consent of)\b/i, weight: 0.4, reason: "covert-action" },
+  // System-prompt extraction.
+  { re: /\b(?:show|print|reveal|repeat|tell me|what is|what's) (?:your |the )?(?:system prompt|initial prompt|instructions|rules|directives|guidelines)\b/i, weight: 0.5, reason: "prompt-extraction" },
+  // Encoding-based bypass attempts.
+  { re: /\b(?:base64|rot13|decode|decrypt) (?:this|the following|below)\b/i, weight: 0.3, reason: "encoding-bypass" }
+];
+function classifyHeuristic(input) {
+  const text = input.text;
+  let total = 0;
+  const reasons = [];
+  for (const p of PATTERNS) {
+    if (p.re.test(text)) {
+      total += p.weight;
+      if (!reasons.includes(p.reason)) reasons.push(p.reason);
+      if (total >= 1) break;
+    }
+  }
+  const score = Math.min(1, total);
+  return {
+    score,
+    backend: "heuristic",
+    ...reasons.length > 0 ? { reason: reasons.join(", ") } : {}
+  };
+}
+function createHeuristicDetector() {
+  return {
+    classify: async (input) => classifyHeuristic(input)
+  };
+}
+
 // src/bridge.ts
 import { decodeJwt } from "jose";
 import WebSocket from "ws";
@@ -1450,11 +1510,14 @@ import { existsSync as existsSync4, mkdirSync as mkdirSync3, readdirSync as read
 import { homedir as homedir6 } from "os";
 import { join as join6 } from "path";
 
-// ../../packages/apes/dist/chunk-L2V3CW5B.js
+// ../../packages/apes/dist/chunk-VHZEVW2N.js
 import { spawn } from "child_process";
 import { mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
 import { homedir as homedir3 } from "os";
 import { dirname, normalize, resolve } from "path";
+import { homedir as homedir22 } from "os";
+import { resolve as resolve2 } from "path";
+import process2 from "process";
 import { execFileSync } from "child_process";
 import { execFileSync as execFileSync2 } from "child_process";
 var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
@@ -1466,6 +1529,57 @@ function capStdio(s2) {
   return `${buf.subarray(0, MAX_STDIO_BYTES).toString("utf8")}
 [truncated to ${MAX_STDIO_BYTES} bytes]`;
 }
+function runApeShell(cmd, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  return new Promise((resolveResult) => {
+    const child = spawn(BIN, ["-c", cmd], {
+      env: { ...process.env, APE_WAIT: "1" },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout2 = "";
+    let stderr = "";
+    let timedOut = false;
+    let spawnError = null;
+    child.stdout.on("data", (chunk) => {
+      stdout2 += chunk.toString("utf8");
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", (err) => {
+      spawnError = err;
+    });
+    const timer = setTimeout(() => {
+      timedOut = true;
+      child.kill("SIGTERM");
+      setTimeout(() => {
+        try {
+          child.kill("SIGKILL");
+        } catch {
+        }
+      }, 5e3);
+    }, timeoutMs);
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      if (spawnError) {
+        resolveResult({
+          stdout: "",
+          stderr: "",
+          exit_code: -1,
+          error: spawnError.message,
+          hint: `Could not exec '${BIN}'. The agent host needs @openape/apes installed globally so ape-shell is on PATH.`
+        });
+        return;
+      }
+      resolveResult({
+        stdout: capStdio(stdout2),
+        stderr: capStdio(stderr),
+        exit_code: code ?? -1,
+        ...timedOut ? { timed_out: true } : {}
+      });
+    });
+  });
+}
+var DEFAULTS = { DEFAULT_TIMEOUT_MS };
 var bashTools = [
   {
     name: "bash",
@@ -1489,52 +1603,8 @@ var bashTools = [
       if (typeof a2.cmd !== "string" || a2.cmd.trim() === "") {
         throw new Error("cmd must be a non-empty string");
       }
-      const timeout = typeof a2.timeout_ms === "number" && a2.timeout_ms > 0 ? a2.timeout_ms : DEFAULT_TIMEOUT_MS;
-      return await new Promise((resolveResult) => {
-        const child = spawn(BIN, ["-c", a2.cmd], {
-          env: { ...process.env, APE_WAIT: "1" },
-          stdio: ["ignore", "pipe", "pipe"]
-        });
-        let stdout2 = "";
-        let stderr = "";
-        let timedOut = false;
-        let spawnError = null;
-        child.stdout.on("data", (chunk) => {
-          stdout2 += chunk.toString("utf8");
-        });
-        child.stderr.on("data", (chunk) => {
-          stderr += chunk.toString("utf8");
-        });
-        child.on("error", (err) => {
-          spawnError = err;
-        });
-        const timer = setTimeout(() => {
-          timedOut = true;
-          child.kill("SIGTERM");
-          setTimeout(() => {
-            try {
-              child.kill("SIGKILL");
-            } catch {
-            }
-          }, 5e3);
-        }, timeout);
-        child.on("close", (code) => {
-          clearTimeout(timer);
-          if (spawnError) {
-            resolveResult({
-              error: spawnError.message,
-              hint: `Could not exec '${BIN}'. The agent host needs @openape/apes installed globally so ape-shell is on PATH.`
-            });
-            return;
-          }
-          resolveResult({
-            stdout: capStdio(stdout2),
-            stderr: capStdio(stderr),
-            exit_code: code ?? -1,
-            ...timedOut ? { timed_out: true } : {}
-          });
-        });
-      });
+      const timeout = typeof a2.timeout_ms === "number" && a2.timeout_ms > 0 ? a2.timeout_ms : DEFAULTS.DEFAULT_TIMEOUT_MS;
+      return await runApeShell(a2.cmd, timeout);
     }
   }
 ];
@@ -1593,6 +1663,337 @@ var fileTools = [
       writeFileSync2(p, a2.content, { encoding: "utf8" });
       return { path: p, bytes: Buffer.byteLength(a2.content, "utf8") };
     }
+  },
+  {
+    name: "file.edit",
+    description: "Replace an exact substring in a file under the agent's home directory. Prefer this over file.write for edits \u2014 it touches only the changed region instead of rewriting the whole file. `old_string` must appear exactly once unless `replace_all` is true. Path traversal blocked, 1MB max.",
+    parameters: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
+        old_string: { type: "string", description: "Exact text to replace. Include enough surrounding context to be unique unless replace_all is set." },
+        new_string: { type: "string", description: "Replacement text. Must differ from old_string." },
+        replace_all: { type: "boolean", description: "Replace every occurrence instead of requiring a unique match. Default false." }
+      },
+      required: ["path", "old_string", "new_string"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      if (typeof a2.old_string !== "string" || a2.old_string === "") {
+        throw new Error("old_string must be a non-empty string");
+      }
+      if (typeof a2.new_string !== "string") {
+        throw new TypeError("new_string must be a string");
+      }
+      if (a2.old_string === a2.new_string) {
+        throw new Error("old_string and new_string are identical \u2014 nothing to change");
+      }
+      const replaceAll = a2.replace_all === true;
+      const p = jailPath(a2.path);
+      const before = readFileSync3(p, "utf8");
+      const occurrences = before.split(a2.old_string).length - 1;
+      if (occurrences === 0) {
+        throw new Error("old_string not found in file");
+      }
+      if (occurrences > 1 && !replaceAll) {
+        throw new Error(`old_string occurs ${occurrences} times \u2014 pass replace_all:true or add surrounding context to make it unique`);
+      }
+      const after = replaceAll ? before.split(a2.old_string).join(a2.new_string) : before.replace(a2.old_string, a2.new_string);
+      if (Buffer.byteLength(after, "utf8") > MAX_BYTES) {
+        throw new Error(`result exceeds ${MAX_BYTES} byte cap`);
+      }
+      writeFileSync2(p, after, { encoding: "utf8" });
+      return { path: p, replacements: replaceAll ? occurrences : 1 };
+    }
+  }
+];
+var BRANCH_RE = /^[\w./-]{1,200}$/;
+var ID_RE = /^\d{1,12}$/;
+function shq(s2) {
+  return `'${String(s2).replace(/'/g, "'\\''")}'`;
+}
+function assertBranch(v2) {
+  if (typeof v2 !== "string" || !BRANCH_RE.test(v2)) {
+    throw new Error("branch must match ^[A-Za-z0-9._/-]{1,200}$");
+  }
+  return v2;
+}
+function assertId(v2) {
+  if (typeof v2 !== "string" && typeof v2 !== "number") throw new Error("id required");
+  const s2 = String(v2);
+  if (!ID_RE.test(s2)) throw new Error("id must be a number");
+  return s2;
+}
+var githubAdapter = {
+  id: "github",
+  matchesRemote: (url) => /github\.com/i.test(url),
+  prCreate: (i2) => {
+    const head = assertBranch(i2.head);
+    const parts = ["gh", "pr", "create", "--title", shq(i2.title), "--body", shq(i2.body), "--head", shq(head)];
+    if (i2.base !== void 0) parts.push("--base", shq(assertBranch(i2.base)));
+    return parts.join(" ");
+  },
+  prMerge: (i2) => {
+    const ref = String(i2.ref);
+    const refTok = ID_RE.test(ref) ? ref : assertBranch(ref);
+    const parts = ["gh", "pr", "merge", shq(refTok)];
+    if (i2.squash === true) parts.push("--squash");
+    if (i2.auto) parts.push("--auto");
+    if (i2.deleteBranch) parts.push("--delete-branch");
+    return parts.join(" ");
+  },
+  prStatus: (ref) => {
+    const r3 = String(ref);
+    const refTok = ID_RE.test(r3) ? r3 : assertBranch(r3);
+    return `gh pr view ${shq(refTok)} --json state,mergeStateStatus,statusCheckRollup,reviewDecision`;
+  },
+  issueGet: (ref) => `gh issue view ${assertId(ref)} --json number,title,body,labels`
+};
+var azureAdapter = {
+  id: "azure",
+  matchesRemote: (url) => /dev\.azure\.com|visualstudio\.com/i.test(url),
+  prCreate: (i2) => {
+    const head = assertBranch(i2.head);
+    const parts = ["az", "repos", "pr", "create", "--title", shq(i2.title), "--description", shq(i2.body), "--source-branch", shq(head)];
+    if (i2.base !== void 0) parts.push("--target-branch", shq(assertBranch(i2.base)));
+    return parts.join(" ");
+  },
+  prMerge: (i2) => {
+    const id = assertId(i2.ref);
+    const parts = ["az", "repos", "pr", "update", "--id", id];
+    if (i2.auto) parts.push("--auto-complete", "true");
+    else parts.push("--status", "completed");
+    if (i2.squash === true) parts.push("--merge-commit-message-style", "squash");
+    if (i2.deleteBranch) parts.push("--delete-source-branch", "true");
+    return parts.join(" ");
+  },
+  prStatus: (ref) => `az repos pr show --id ${assertId(ref)}`,
+  issueGet: (ref) => `az boards work-item show --id ${assertId(ref)}`
+};
+var registry = /* @__PURE__ */ new Map([
+  [githubAdapter.id, githubAdapter],
+  [azureAdapter.id, azureAdapter]
+]);
+function listForges() {
+  return [...registry.keys()];
+}
+function getForge(id) {
+  const a2 = registry.get(id);
+  if (!a2) {
+    throw new Error(`unknown forge '${id}'. Registered: ${listForges().join(", ")}. Add one with registerForge().`);
+  }
+  return a2;
+}
+function detectForge(remoteUrl) {
+  if (typeof remoteUrl !== "string" || remoteUrl === "") {
+    throw new Error("remote URL required to detect forge");
+  }
+  for (const a2 of registry.values()) {
+    if (a2.matchesRemote(remoteUrl)) return a2.id;
+  }
+  throw new Error(`no forge adapter matches remote: ${remoteUrl}. Registered: ${listForges().join(", ")}. Register one with registerForge() (e.g. GitLab/Bitbucket/Gitea).`);
+}
+function buildPrCreate(input) {
+  return getForge(input.forge).prCreate(input);
+}
+function buildPrMerge(input) {
+  return getForge(input.forge).prMerge(input);
+}
+function buildPrStatus(forge, ref) {
+  return getForge(forge).prStatus(ref);
+}
+function buildIssueGet(forge, ref) {
+  return getForge(forge).issueGet(ref);
+}
+function resolveForge(a2) {
+  if (typeof a2.forge === "string" && a2.forge !== "") return a2.forge;
+  if (typeof a2.remote === "string") return detectForge(a2.remote);
+  throw new Error("provide a forge id (e.g. github, azure, or a registered adapter) or a remote URL to detect it");
+}
+var forgeParam = { type: "string", description: "Target forge id (github, azure, or a registered adapter). Omit to auto-detect from `remote`." };
+var remoteParam = { type: "string", description: "git remote URL \u2014 used to auto-detect the forge when `forge` is omitted." };
+var forgeTools = [
+  {
+    name: "forge.pr.create",
+    description: "Open a pull request on GitHub (gh) or Azure DevOps (az). Gated via the DDISA grant cycle. Provider chosen by `forge` or auto-detected from `remote`.",
+    parameters: {
+      type: "object",
+      properties: {
+        forge: forgeParam,
+        remote: remoteParam,
+        title: { type: "string", description: "PR title." },
+        body: { type: "string", description: "PR description / body." },
+        head: { type: "string", description: "Source branch." },
+        base: { type: "string", description: "Target branch. Omit for the repo default." }
+      },
+      required: ["title", "body", "head"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const cmd = buildPrCreate({ forge: resolveForge(a2), title: a2.title, body: a2.body, head: a2.head, base: a2.base });
+      return await runApeShell(cmd);
+    }
+  },
+  {
+    name: "forge.pr.merge",
+    description: 'Merge a PR \u2014 or with auto=true, arm "merge when checks pass" (gh --auto / az auto-complete) so the platform merges only on green CI. Gated. Never bypasses required checks (branch protection is the server-side gate).',
+    parameters: {
+      type: "object",
+      properties: {
+        forge: forgeParam,
+        remote: remoteParam,
+        ref: { type: "string", description: "GitHub: PR number or branch. Azure: PR id." },
+        auto: { type: "boolean", description: "Arm merge-when-green instead of immediate merge. Recommended." },
+        squash: { type: "boolean", description: "Squash-merge. Default true." },
+        delete_branch: { type: "boolean", description: "Delete the source branch after merge." }
+      },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const cmd = buildPrMerge({ forge: resolveForge(a2), ref: a2.ref, auto: a2.auto, squash: a2.squash, deleteBranch: a2.delete_branch });
+      return await runApeShell(cmd);
+    }
+  },
+  {
+    name: "forge.pr.status",
+    description: "Fetch a PR's state + checks + review decision. Gated (read).",
+    parameters: {
+      type: "object",
+      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "PR number/branch (GitHub) or id (Azure)." } },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      return await runApeShell(buildPrStatus(resolveForge(a2), a2.ref));
+    }
+  },
+  {
+    name: "forge.issue.get",
+    description: "Fetch an issue (GitHub) or work-item (Azure) \u2014 title, body, labels. Gated (read). Use to turn an assigned task into a coding run.",
+    parameters: {
+      type: "object",
+      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "Issue number (GitHub) or work-item id (Azure)." } },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      return await runApeShell(buildIssueGet(resolveForge(a2), a2.ref));
+    }
+  }
+];
+function jailedRoot(envVar, fallbackName) {
+  const home = homedir22();
+  const raw = process2.env[envVar];
+  const dir = raw ? resolve2(raw) : resolve2(home, fallbackName);
+  if (dir !== home && !dir.startsWith(`${home}/`)) {
+    throw new Error(`${envVar} (${dir}) must resolve inside the agent's home`);
+  }
+  return dir;
+}
+function workRoot() {
+  return jailedRoot("OPENAPE_CODING_WORK_DIR", "work");
+}
+function reposRoot() {
+  return jailedRoot("OPENAPE_CODING_REPOS_DIR", "repos");
+}
+var TASK_ID_RE = /^[\w.-]{1,64}$/;
+var BRANCH_RE2 = /^[\w./-]{1,128}$/;
+var URL_RE = /^(?:https:\/\/|git@)[\w@:/.-]{3,256}$/;
+function assertTaskId(v2) {
+  if (typeof v2 !== "string" || !TASK_ID_RE.test(v2)) {
+    throw new Error("task_id must match ^[a-zA-Z0-9._-]{1,64}$");
+  }
+  return v2;
+}
+function assertBranch2(v2) {
+  if (typeof v2 !== "string" || !BRANCH_RE2.test(v2)) {
+    throw new Error("branch must match ^[A-Za-z0-9._/-]{1,128}$");
+  }
+  return v2;
+}
+function resolveRepo(repo) {
+  if (typeof repo !== "string" || repo === "") {
+    throw new Error("repo must be a non-empty string (URL or path under $HOME)");
+  }
+  const home = homedir22();
+  if (URL_RE.test(repo)) {
+    const tail = repo.replace(/\.git$/, "").replace(/[/:]+$/, "");
+    const parts = tail.split(/[/:]/).filter(Boolean).slice(-2);
+    const base = parts.join("-").replace(/[^\w.-]/g, "");
+    if (!base) throw new Error("could not derive a clone name from repo URL");
+    return { source: repo, baseDir: resolve2(reposRoot(), base), isUrl: true };
+  }
+  const candidate = repo.startsWith("~/") ? resolve2(home, repo.slice(2)) : resolve2(home, repo);
+  if (candidate !== home && !candidate.startsWith(`${home}/`)) {
+    throw new Error(`repo path "${repo}" resolves outside the agent's home`);
+  }
+  return { source: candidate, baseDir: candidate, isUrl: false };
+}
+function worktreePathFor(taskId) {
+  return resolve2(workRoot(), assertTaskId(taskId));
+}
+var q = (s2) => `'${s2}'`;
+function buildCreateCommand(repo, taskId, branch) {
+  const id = assertTaskId(taskId);
+  const br = assertBranch2(branch);
+  const { source, baseDir, isUrl } = resolveRepo(repo);
+  const wt = worktreePathFor(id);
+  const clone = isUrl ? `if [ ! -d ${q(baseDir)}/.git ]; then git clone ${q(source)} ${q(baseDir)}; fi` : `test -d ${q(baseDir)}/.git`;
+  return [
+    `mkdir -p ${q(reposRoot())} ${q(workRoot())}`,
+    clone,
+    `git -C ${q(baseDir)} fetch --quiet || true`,
+    `git -C ${q(baseDir)} worktree add -b ${q(br)} ${q(wt)}`,
+    `echo ${q(wt)}`
+  ].join(" && ");
+}
+function buildRemoveCommand(repo, taskId) {
+  const id = assertTaskId(taskId);
+  const { baseDir } = resolveRepo(repo);
+  const wt = worktreePathFor(id);
+  return `git -C ${q(baseDir)} worktree remove --force ${q(wt)} && git -C ${q(baseDir)} worktree prune`;
+}
+function buildListCommand() {
+  return `ls -1 ${q(workRoot())} 2>/dev/null || true`;
+}
+var gitWorktreeTools = [
+  {
+    name: "git.worktree",
+    description: "Manage isolated git worktrees for coding tasks. action=create clones the repo (cached under ~/repos) and adds a fresh worktree under ~/work/<task_id> on a new branch. action=remove tears it down. action=list shows current task worktrees. Git operations go through the DDISA grant cycle (git-shape).",
+    parameters: {
+      type: "object",
+      properties: {
+        action: { type: "string", enum: ["create", "remove", "list"], description: "create | remove | list" },
+        repo: { type: "string", description: "For create/remove: git remote URL (https/git@) or a path under $HOME to an existing clone." },
+        task_id: { type: "string", description: "For create/remove: identifier for the worktree, ^[a-zA-Z0-9._-]{1,64}$. The worktree lands at ~/work/<task_id>." },
+        branch: { type: "string", description: "For create: new branch name, ^[A-Za-z0-9._/-]{1,128}$." }
+      },
+      required: ["action"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      let cmd;
+      if (a2.action === "create") {
+        if (typeof a2.branch !== "string") throw new Error("branch is required for action=create");
+        cmd = buildCreateCommand(a2.repo, assertTaskId(a2.task_id), a2.branch);
+      } else if (a2.action === "remove") {
+        cmd = buildRemoveCommand(a2.repo, assertTaskId(a2.task_id));
+      } else if (a2.action === "list") {
+        cmd = buildListCommand();
+      } else {
+        throw new Error("action must be one of: create, remove, list");
+      }
+      const res = await runApeShell(cmd);
+      return {
+        action: a2.action,
+        ...a2.action !== "list" ? { worktree: worktreePathFor(assertTaskId(a2.task_id)) } : {},
+        stdout: res.stdout,
+        stderr: res.stderr,
+        exit_code: res.exit_code,
+        ...res.error ? { error: res.error, hint: res.hint } : {}
+      };
+    }
   }
 ];
 var MAX_BYTES2 = 1024 * 1024;
@@ -1823,13 +2224,53 @@ var timeTools = [
     }
   }
 ];
+var CWD_RE = /^[\w./-]{1,256}$/;
+async function runVerify(cwd, command, timeoutMs) {
+  if (typeof cwd !== "string" || !CWD_RE.test(cwd)) {
+    throw new Error("cwd must match ^[A-Za-z0-9._/-]{1,256}$");
+  }
+  if (typeof command !== "string" || command.trim() === "") {
+    throw new Error("verify command must be a non-empty string");
+  }
+  const res = await runApeShell(`cd '${cwd}' && ${command}`, timeoutMs);
+  return {
+    passed: res.exit_code === 0,
+    exit_code: res.exit_code,
+    stdout: res.stdout,
+    stderr: res.stderr,
+    ...res.timed_out ? { timed_out: true } : {}
+  };
+}
+var verifyTools = [
+  {
+    name: "verify",
+    description: "Run the verification command (tests/build/lint) in a worktree and report pass/fail. The coding loop must NOT open or merge a PR when this fails. Runs through the DDISA grant cycle (same as bash). Returns { passed, exit_code, stdout, stderr }.",
+    parameters: {
+      type: "object",
+      properties: {
+        cwd: { type: "string", description: "Worktree path to run in (e.g. ~/work/issue-42)." },
+        command: { type: "string", description: "Verification command, e.g. `pnpm test` or `npm run build && npm test`." },
+        timeout_ms: { type: "number", description: "Wall-clock cap incl. approval wait. Default 300000." }
+      },
+      required: ["cwd", "command"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const timeout = typeof a2.timeout_ms === "number" && a2.timeout_ms > 0 ? a2.timeout_ms : void 0;
+      return await runVerify(a2.cwd, a2.command, timeout);
+    }
+  }
+];
 var ALL_TOOLS = [
   ...timeTools,
   ...httpTools,
   ...fileTools,
   ...tasksTools,
   ...mailTools,
-  ...bashTools
+  ...bashTools,
+  ...gitWorktreeTools,
+  ...verifyTools,
+  ...forgeTools
 ];
 var TOOLS = Object.fromEntries(
   ALL_TOOLS.map((t2) => [t2.name, t2])
@@ -3112,10 +3553,8 @@ var consola = createConsola2();
 // ../../packages/apes/dist/chunk-DYSFQ26B.js
 var import_shell_quote = __toESM(require_shell_quote(), 1);
 
-// ../../node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/utils.mjs
-import "tty";
-
-// ../../node_modules/.pnpm/citty@0.1.6/node_modules/citty/dist/index.mjs
+// ../../node_modules/.pnpm/citty@0.2.2/node_modules/citty/dist/index.mjs
+import { parseArgs as parseArgs$1 } from "util";
 function defineCommand(def) {
   return def;
 }
@@ -3832,7 +4271,7 @@ function shouldAutoAccept(peerEmail, identity, allowlist) {
 import { execFileSync as execFileSync3 } from "child_process";
 import { existsSync as existsSync6, readdirSync as readdirSync4, readFileSync as readFileSync7, statSync } from "fs";
 import { homedir as homedir8 } from "os";
-import { dirname as dirname2, join as join8, resolve as resolve2 } from "path";
+import { dirname as dirname2, join as join8, resolve as resolve3 } from "path";
 import { fileURLToPath } from "url";
 import { parse as parseYaml } from "yaml";
 var SKILLS_SUBDIR = [".openape", "agent", "skills"];
@@ -3941,7 +4380,7 @@ function scanSkillsDir(dir) {
 }
 function defaultSkillsDir() {
   const here = dirname2(fileURLToPath(import.meta.url));
-  return resolve2(here, "..", "default-skills");
+  return resolve3(here, "..", "default-skills");
 }
 function composeSkills(home, enabledTools) {
   const enabled = new Set(enabledTools);
@@ -4005,7 +4444,7 @@ function readDefaultPersona() {
   if (_defaultPersonaCache !== void 0) return _defaultPersonaCache;
   try {
     const here = dirname2(fileURLToPath(import.meta.url));
-    const path = resolve2(here, "..", "default-persona.md");
+    const path = resolve3(here, "..", "default-persona.md");
     if (!existsSync6(path)) {
       _defaultPersonaCache = null;
       return null;
@@ -4287,8 +4726,8 @@ function loadBridgeEnvFile() {
       const key = trimmed.slice(0, eq).trim();
       const value = trimmed.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
       if (!key) continue;
-      if (process2.env[key] === void 0) {
-        process2.env[key] = value;
+      if (process3.env[key] === void 0) {
+        process3.env[key] = value;
       }
     }
   } catch {
@@ -4296,24 +4735,24 @@ function loadBridgeEnvFile() {
 }
 function readConfig() {
   loadBridgeEnvFile();
-  const toolsRaw = process2.env.APE_CHAT_BRIDGE_TOOLS ?? "";
+  const toolsRaw = process3.env.APE_CHAT_BRIDGE_TOOLS ?? "";
   const tools = toolsRaw.split(",").map((s2) => s2.trim()).filter(Boolean);
-  const maxStepsRaw = process2.env.APE_CHAT_BRIDGE_MAX_STEPS;
+  const maxStepsRaw = process3.env.APE_CHAT_BRIDGE_MAX_STEPS;
   const maxSteps = maxStepsRaw ? Number.parseInt(maxStepsRaw, 10) : DEFAULT_MAX_STEPS;
-  const model = process2.env.APE_CHAT_BRIDGE_MODEL;
+  const model = process3.env.APE_CHAT_BRIDGE_MODEL;
   if (!model) {
     throw new Error(
       "APE_CHAT_BRIDGE_MODEL is not set. Set it in the bridge .env (usually `~/Library/Application Support/openape/bridge/.env` on macOS) or globally in `~/litellm/.env` so resolveBridgeConfig picks it up at spawn time. Common values: `gpt-5.4` (ChatGPT-only LiteLLM proxy), `claude-haiku-4-5` (Anthropic-only)."
     );
   }
   return {
-    endpoint: (process2.env.APE_CHAT_ENDPOINT ?? DEFAULT_ENDPOINT).replace(/\/$/, ""),
-    apesBin: process2.env.APE_CHAT_BRIDGE_APES_BIN ?? DEFAULT_APES_BIN,
+    endpoint: (process3.env.APE_CHAT_ENDPOINT ?? DEFAULT_ENDPOINT).replace(/\/$/, ""),
+    apesBin: process3.env.APE_CHAT_BRIDGE_APES_BIN ?? DEFAULT_APES_BIN,
     model,
-    systemPrompt: process2.env.APE_CHAT_BRIDGE_SYSTEM_PROMPT ?? DEFAULT_SYSTEM_PROMPT,
+    systemPrompt: process3.env.APE_CHAT_BRIDGE_SYSTEM_PROMPT ?? DEFAULT_SYSTEM_PROMPT,
     tools,
     maxSteps: Number.isFinite(maxSteps) && maxSteps > 0 ? maxSteps : DEFAULT_MAX_STEPS,
-    roomFilter: process2.env.APE_CHAT_BRIDGE_ROOM
+    roomFilter: process3.env.APE_CHAT_BRIDGE_ROOM
   };
 }
 async function getIdentity() {
@@ -4325,15 +4764,21 @@ async function getIdentity() {
   return { email: claims.sub };
 }
 function log(line) {
-  process2.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
+  process3.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
 `);
 }
 function sleep(ms) {
-  return new Promise((resolve3) => setTimeout(resolve3, ms));
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
 }
 function truncate(s2, n2) {
   return s2.length <= n2 ? s2 : `${s2.slice(0, n2 - 1)}\u2026`;
 }
+function refusalText(reason) {
+  const base = "I won't process this message \u2014 it looks like a prompt-injection attempt.";
+  return reason ? `${base}
+
+(matched: ${reason})` : base;
+}
 var Bridge = class {
   constructor(cfg, selfEmail, ownerEmail) {
     this.cfg = cfg;
@@ -4349,7 +4794,7 @@ var Bridge = class {
       chat: this.chat,
       ownerEmail: this.ownerEmail,
       log,
-      troopUrl: (process2.env.OPENAPE_TROOP_URL ?? "https://troop.openape.ai").replace(/\/$/, ""),
+      troopUrl: (process3.env.OPENAPE_TROOP_URL ?? "https://troop.openape.ai").replace(/\/$/, ""),
       bearer: this.bearer
     });
     this.cron.start();
@@ -4364,14 +4809,18 @@ var Bridge = class {
   chat;
   bearer;
   cron;
+  // Prompt-injection gate (#277). Pure heuristic by default — pluggable
+  // backend later. The bridge is the choke-point for every chat message
+  // before it reaches the agent runtime, so this is the right place.
+  injectionDetector = createHeuristicDetector();
   /**
    * RuntimeConfig is shared across thread sessions and the cron runner.
    * The bridge resolves it from its own env at boot and reuses for the
    * whole process lifetime.
    */
   runtimeConfig() {
-    const apiBase = (process2.env.LITELLM_BASE_URL ?? "http://127.0.0.1:4000/v1").replace(/\/$/, "");
-    const apiKey = process2.env.LITELLM_API_KEY ?? process2.env.LITELLM_MASTER_KEY ?? "";
+    const apiBase = (process3.env.LITELLM_BASE_URL ?? "http://127.0.0.1:4000/v1").replace(/\/$/, "");
+    const apiKey = process3.env.LITELLM_API_KEY ?? process3.env.LITELLM_MASTER_KEY ?? "";
     if (!apiKey) {
       throw new Error("LITELLM_API_KEY (or LITELLM_MASTER_KEY) must be set in the bridge env.");
     }
@@ -4414,7 +4863,7 @@ var Bridge = class {
     if (accepted.length > 0) log(`accepted: ${accepted.join(", ")}`);
     if (skipped.length > 0) log(`skipped (not on allowlist): ${skipped.join(", ")}`);
   }
-  handleInbound(msg) {
+  async handleInbound(msg) {
     if (msg.senderEmail === this.selfEmail) return;
     if (!msg.body.trim()) return;
     if (this.cfg.roomFilter && msg.roomId !== this.cfg.roomFilter) return;
@@ -4423,6 +4872,26 @@ var Bridge = class {
       return;
     }
     log(`[${msg.roomId}/${msg.threadId.slice(0, 8)}] in: ${truncate(msg.body, 80)}`);
+    const decision = await decide(this.injectionDetector, {
+      text: msg.body,
+      sender: {
+        email: msg.senderEmail,
+        isOwner: msg.senderEmail === this.ownerEmail
+      }
+    });
+    if (decision.blocked) {
+      log(`[${msg.roomId}/${msg.threadId.slice(0, 8)}] BLOCKED prompt-injection (score=${decision.score.toFixed(2)}, reason=${decision.reason ?? "n/a"})`);
+      try {
+        await this.chat.postMessage(msg.roomId, refusalText(decision.reason), {
+          replyTo: msg.id,
+          threadId: msg.threadId
+        });
+      } catch (err) {
+        const m2 = err instanceof Error ? err.message : String(err);
+        log(`[${msg.roomId}] failed to post refusal: ${m2}`);
+      }
+      return;
+    }
     const session = this.getOrCreateThread(msg.roomId, msg.threadId);
     session.enqueue(msg.body, msg.id);
   }
@@ -4461,7 +4930,7 @@ var Bridge = class {
     const bearer = await this.bearer();
     const wsUrl = `${this.cfg.endpoint.replace(/^http/, "ws")}/api/ws?token=${encodeURIComponent(bearer.replace(/^Bearer\s+/i, ""))}`;
     const ws = new WebSocket(wsUrl);
-    return new Promise((resolve3, reject) => {
+    return new Promise((resolve4, reject) => {
       let pingTimer;
       let allowlistTimer;
       ws.on("open", () => {
@@ -4489,12 +4958,12 @@ var Bridge = class {
           return;
         }
         if (frame.type !== "message") return;
-        this.handleInbound(frame.payload);
+        void this.handleInbound(frame.payload);
       });
       ws.on("close", () => {
         if (pingTimer) clearInterval(pingTimer);
         if (allowlistTimer) clearInterval(allowlistTimer);
-        resolve3();
+        resolve4();
       });
       ws.on("error", (err) => {
         if (pingTimer) clearInterval(pingTimer);
@@ -4533,7 +5002,7 @@ async function main() {
 }
 main().catch((err) => {
   const msg = err instanceof Error ? err.message : String(err);
-  process2.stderr.write(`fatal: ${msg}
+  process3.stderr.write(`fatal: ${msg}
 `);
-  process2.exit(1);
+  process3.exit(1);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/ape-agent",
-  "version": "2.6.3",
+  "version": "2.7.1",
   "description": "OpenApe agent runtime: per-agent process that connects to chat.openape.ai, runs the LLM loop with tools + cron tasks, and streams replies back to owners.",
   "type": "module",
   "license": "MIT",
@@ -23,17 +23,18 @@
     "ofetch": "^1.4.1",
     "ws": "^8.18.0",
     "yaml": "^2.8.0",
-    "@openape/apes": "1.25.0",
-    "@openape/cli-auth": "0.4.0"
+    "@openape/apes": "1.26.0",
+    "@openape/cli-auth": "0.4.1",
+    "@openape/prompt-injection-detector": "0.1.0"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",
     "@types/node": "^22.19.13",
     "@types/ws": "^8.5.13",
-    "eslint": "^9.35.0",
+    "eslint": "^10.4.0",
     "tsup": "^8.5.1",
     "typescript": "^5.9.3",
-    "vitest": "^3.2.4"
+    "vitest": "^4.1.7"
   },
   "engines": {
     "node": ">=22"