npm - @ottocode/server - Versions diffs - 0.1.207 → 0.1.208 - Mend

@ottocode/server 0.1.207 → 0.1.208

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +3 -3
package/src/routes/sessions.ts +1 -1
package/src/runtime/message/service.ts +1 -1
package/src/runtime/tools/guards.ts +159 -0
package/src/tools/adapter.ts +40 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@ottocode/server",
-	"version": "0.1.207",
+	"version": "0.1.208",
 	"description": "HTTP API server for ottocode",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -49,8 +49,8 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
-		"@ottocode/sdk": "0.1.207",
-		"@ottocode/database": "0.1.207",
+		"@ottocode/sdk": "0.1.208",
+		"@ottocode/database": "0.1.208",
 		"drizzle-orm": "^0.44.5",
 		"hono": "^4.9.9",
 		"zod": "^4.1.8"

package/src/routes/sessions.ts CHANGED Viewed

@@ -800,7 +800,7 @@ export function registerSessionsRoutes(app: Hono) {
 			);
 			const { runSessionLoop } = await import('../runtime/agent/runner.ts');
-			const toolApprovalMode = cfg.defaults.toolApproval ?? 'auto';
+			const toolApprovalMode = cfg.defaults.toolApproval ?? 'dangerous';
 			enqueueAssistantRun(
 				{

package/src/runtime/message/service.ts CHANGED Viewed

@@ -168,7 +168,7 @@ export async function dispatchAssistantMessage(
 		);
 	}
-	const toolApprovalMode = cfg.defaults.toolApproval ?? 'auto';
+	const toolApprovalMode = cfg.defaults.toolApproval ?? 'dangerous';
 	enqueueAssistantRun(
 		{

package/src/runtime/tools/guards.ts ADDED Viewed

@@ -0,0 +1,159 @@
+export type GuardAction =
+	| { type: 'block'; reason: string }
+	| { type: 'approve'; reason: string }
+	| { type: 'allow' };
+export function guardToolCall(toolName: string, args: unknown): GuardAction {
+	const a = (args ?? {}) as Record<string, unknown>;
+	switch (toolName) {
+		case 'bash':
+			return guardBashCommand(String(a.cmd ?? ''));
+		case 'terminal':
+			return guardTerminal(a);
+		case 'read':
+			return guardReadPath(String(a.path ?? ''));
+		case 'write':
+		case 'edit':
+		case 'multiedit':
+			return guardWritePath(toolName, a);
+		default:
+			return { type: 'allow' };
+	}
+}
+function guardBashCommand(cmd: string): GuardAction {
+	const n = cmd.trim();
+	if (!n) return { type: 'allow' };
+	const blocked = checkBlockedCommand(n);
+	if (blocked) return { type: 'block', reason: blocked };
+	const approval = checkApprovalCommand(n);
+	if (approval) return { type: 'approve', reason: approval };
+	return { type: 'allow' };
+}
+function checkBlockedCommand(cmd: string): string | null {
+	if (isRecursiveDeleteRoot(cmd)) return 'Recursive delete of root filesystem';
+	if (isRecursiveDeleteHome(cmd)) return 'Recursive delete of home directory';
+	if (isForkBomb(cmd)) return 'Fork bomb detected';
+	if (isFilesystemFormat(cmd)) return 'Filesystem format command';
+	if (isRawDiskWrite(cmd)) return 'Raw disk write operation';
+	return null;
+}
+function isRecursiveDeleteRoot(cmd: string): boolean {
+	if (!/\brm\b/.test(cmd)) return false;
+	if (!hasRecursiveFlag(cmd)) return false;
+	return /\s\/(\s*$|\s*\*|\s*;|\s*&|\s*\|)/.test(cmd);
+}
+function isRecursiveDeleteHome(cmd: string): boolean {
+	if (!/\brm\b/.test(cmd)) return false;
+	if (!hasRecursiveFlag(cmd)) return false;
+	return /\s~\/?\s*($|\*|;|&|\|)/.test(cmd);
+}
+function hasRecursiveFlag(cmd: string): boolean {
+	return /-\w*[rR]|--recursive/.test(cmd);
+}
+function isForkBomb(cmd: string): boolean {
+	return /:\(\)\s*\{[^}]*:\s*\|\s*:/.test(cmd);
+}
+function isFilesystemFormat(cmd: string): boolean {
+	return /\bmkfs(\.\w+)?\s/.test(cmd);
+}
+function isRawDiskWrite(cmd: string): boolean {
+	if (/\bdd\b/.test(cmd) && /\bof=\/dev\//.test(cmd)) return true;
+	if (/>\s*\/dev\/[sv]d/.test(cmd)) return true;
+	return false;
+}
+function checkApprovalCommand(cmd: string): string | null {
+	if (/\brm\b/.test(cmd) && hasRecursiveFlag(cmd)) {
+		return 'Recursive delete command';
+	}
+	if (/\bsudo\b/.test(cmd)) {
+		return 'Privilege escalation (sudo)';
+	}
+	if (/\b(chmod|chown)\b/.test(cmd) && /(-\w*R|--recursive)/.test(cmd)) {
+		return 'Recursive permission/ownership change';
+	}
+	if (/\b(curl|wget)\b/.test(cmd) && /\|\s*(bash|sh|zsh)\b/.test(cmd)) {
+		return 'Remote code execution via pipe to shell';
+	}
+	if (/\bgit\s+push\b.*--force/.test(cmd)) {
+		return 'Force push to remote';
+	}
+	return null;
+}
+function guardTerminal(args: Record<string, unknown>): GuardAction {
+	const op = String(args.operation ?? '');
+	if (op === 'start' && typeof args.command === 'string') {
+		return guardBashCommand(args.command);
+	}
+	return { type: 'allow' };
+}
+const BLOCKED_READ_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /^~?\/?\.ssh\/id_/, reason: 'SSH private key access' },
+	{ pattern: /^\/etc\/shadow$/, reason: 'System password hashes' },
+];
+const SENSITIVE_READ_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /^\/etc\/passwd$/, reason: 'System password file' },
+	{ pattern: /^~?\/?\.ssh\//, reason: 'SSH directory access' },
+	{ pattern: /^~?\/?\.aws\//, reason: 'AWS credentials' },
+	{ pattern: /^~?\/?\.gnupg\//, reason: 'GPG keyring' },
+	{ pattern: /^~?\/?\.config\/gh\//, reason: 'GitHub CLI tokens' },
+	{ pattern: /^~?\/?\.npmrc$/, reason: 'npm auth tokens' },
+	{ pattern: /^~?\/?\.netrc$/, reason: 'Network credentials' },
+	{ pattern: /^~?\/?\.kube\//, reason: 'Kubernetes config' },
+	{ pattern: /^~?\/?\.docker\/config\.json$/, reason: 'Docker credentials' },
+];
+function guardReadPath(path: string): GuardAction {
+	if (!path) return { type: 'allow' };
+	const p = path.trim();
+	for (const { pattern, reason } of BLOCKED_READ_PATHS) {
+		if (pattern.test(p)) return { type: 'block', reason };
+	}
+	for (const { pattern, reason } of SENSITIVE_READ_PATHS) {
+		if (pattern.test(p)) return { type: 'approve', reason };
+	}
+	if (p.startsWith('/') || p.startsWith('~')) {
+		return { type: 'approve', reason: 'Reading path outside project root' };
+	}
+	return { type: 'allow' };
+}
+const SENSITIVE_WRITE_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /(^|\/)\.env($|\.)/, reason: 'Writing to environment file' },
+	{ pattern: /(^|\/)\.git\/hooks\//, reason: 'Writing to git hooks' },
+];
+function guardWritePath(
+	toolName: string,
+	args: Record<string, unknown>,
+): GuardAction {
+	const path =
+		typeof args.path === 'string'
+			? args.path
+			: typeof args.filePath === 'string'
+				? args.filePath
+				: '';
+	if (!path) return { type: 'allow' };
+	const p = path.trim();
+	for (const { pattern, reason } of SENSITIVE_WRITE_PATHS) {
+		if (pattern.test(p)) return { type: 'approve', reason };
+	}
+	return { type: 'allow' };
+}

package/src/tools/adapter.ts CHANGED Viewed

@@ -17,6 +17,7 @@ import {
 	requiresApproval,
 	requestApproval,
 } from '../runtime/tools/approval.ts';
+import { guardToolCall } from '../runtime/tools/guards.ts';
 export type { ToolAdapterContext } from '../runtime/tools/context.ts';
@@ -38,6 +39,8 @@ type PendingCallMeta = {
 	stepIndex?: number;
 	args?: unknown;
 	approvalPromise?: Promise<boolean>;
+	blocked?: boolean;
+	blockReason?: string;
 };
 function getPendingQueue(
@@ -336,6 +339,19 @@ export function adaptTools(
 						args,
 					);
 				}
+				const guard = guardToolCall(name, args);
+				if (guard.type === 'block') {
+					meta.blocked = true;
+					meta.blockReason = guard.reason;
+				} else if (guard.type === 'approve' && !meta.approvalPromise) {
+					meta.approvalPromise = requestApproval(
+						ctx.sessionId,
+						ctx.messageId,
+						callId,
+						name,
+						args,
+					);
+				}
 				if (typeof base.onInputAvailable === 'function') {
 					// biome-ignore lint/suspicious/noExplicitAny: AI SDK types are complex
 					await base.onInputAvailable(options as any);
@@ -367,14 +383,36 @@ export function adaptTools(
 				const executeWithGuards = async (): Promise<ToolExecuteReturn> => {
 					try {
+						if (meta?.blocked) {
+							const blockedResult = {
+								ok: false,
+								error: `Blocked: ${meta.blockReason}`,
+								details: { reason: 'safety_guard' },
+							};
+							await persistToolErrorResult(blockedResult, {
+								callId: callIdFromQueue,
+								startTs: startTsFromQueue,
+								stepIndexForEvent,
+								args: meta?.args,
+							});
+							return blockedResult as ToolExecuteReturn;
+						}
 						// Await approval if it was requested in onInputAvailable
 						if (meta?.approvalPromise) {
 							const approved = await meta.approvalPromise;
 							if (!approved) {
-								return {
+								const rejectedResult = {
 									ok: false,
 									error: 'Tool execution rejected by user',
-								} as ToolExecuteReturn;
+									details: { reason: 'user_rejected' },
+								};
+								await persistToolErrorResult(rejectedResult, {
+									callId: callIdFromQueue,
+									startTs: startTsFromQueue,
+									stepIndexForEvent,
+									args: meta?.args,
+								});
+								return rejectedResult as ToolExecuteReturn;
 							}
 						}
 						// Handle session-relative paths and cwd tools