@ouro.bot/cli 0.1.0-alpha.7 → 0.1.0-alpha.71

package/dist/repertoire/guardrails.js

@@ -0,0 +1,279 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OURO_CLI_TRUST_MANIFEST = void 0;
+exports.guardInvocation = guardInvocation;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const types_1 = require("../mind/friends/types");
+const runtime_1 = require("../nerves/runtime");
+const deny = (reason) => ({ allowed: false, reason });
+const allow = { allowed: true };
+// --- reason templates ---
+// Structural reasons (always-on, apply to everyone)
+const REASONS = {
+    readBeforeEdit: "i need to read that file first before i can edit it.",
+    readBeforeOverwrite: "i need to read that file first before i can overwrite it.",
+    protectedPath: "that path is protected — i can read it but not modify it.",
+    destructiveCommand: "that command is too dangerous to run — it could cause irreversible damage.",
+    compoundCommand: "i can only run simple commands for you — no chaining with && or ;",
+    // Trust reasons (vary by relationship)
+    needsTrust: "i'd need a closer friend to vouch for you before i can do that.",
+    needsTrustForWrite: "i'd need a closer friend to vouch for you before i can write files outside my home.",
+};
+// --- read-only tools that never need guardrails ---
+const READ_ONLY_TOOLS = new Set(["read_file", "glob", "grep"]);
+// --- protected path detection ---
+const PROTECTED_PATH_SEGMENTS = [".git/"];
+function getProtectedAbsolutePrefixes() {
+    return [`${os.homedir()}/.agentsecrets/`];
+}
+function isProtectedPath(filePath) {
+    for (const segment of PROTECTED_PATH_SEGMENTS) {
+        if (filePath.includes(`/${segment}`) || filePath.startsWith(segment))
+            return true;
+    }
+    for (const prefix of getProtectedAbsolutePrefixes()) {
+        if (filePath.startsWith(prefix))
+            return true;
+    }
+    return false;
+}
+// --- destructive shell patterns ---
+const DESTRUCTIVE_PATTERNS = [
+    /\brm\s+(-\w*\s+)*-\w*r\w*\s+(-\w+\s+)*[/~]/, // rm -rf / or rm -rf ~
+    /\bchmod\s+(-\w*\s+)*-\w*R\w*\s+\d+\s+\//, // chmod -R 777 /
+    /\bmkfs\b/, // mkfs.*
+    /\bdd\s+if=/, // dd if=
+];
+function isDestructiveShellCommand(command) {
+    return DESTRUCTIVE_PATTERNS.some((p) => p.test(command));
+}
+// --- compound command splitting ---
+// Shell operators that chain commands: &&, ||, ;, |, $(), backticks
+const COMPOUND_SEPARATORS = /\s*(?:&&|\|\||;|\|)\s*/;
+const SUBSHELL_PATTERN = /\$\(|`/;
+function splitShellCommands(command) {
+    if (SUBSHELL_PATTERN.test(command))
+        return [command];
+    return command.split(COMPOUND_SEPARATORS).filter(Boolean);
+}
+function isCompoundCommand(command) {
+    return SUBSHELL_PATTERN.test(command) || splitShellCommands(command).length > 1;
+}
+// --- shell commands that write to protected paths ---
+function shellWritesToProtectedPath(command) {
+    const redirectMatch = command.match(/>\s*(\S+)/);
+    if (redirectMatch && isProtectedPath(redirectMatch[1]))
+        return true;
+    const teeMatch = command.match(/tee\s+(?:-\w+\s+)*(\S+)/);
+    if (teeMatch && isProtectedPath(teeMatch[1]))
+        return true;
+    return false;
+}
+// --- structural guardrail checks (always on, all trust levels) ---
+function checkReadBeforeWrite(toolName, args, context) {
+    if (toolName === "edit_file") {
+        const filePath = args.path || "";
+        if (!context.readPaths.has(filePath))
+            return deny(REASONS.readBeforeEdit);
+    }
+    if (toolName === "write_file") {
+        const filePath = args.path || "";
+        if (context.readPaths.has(filePath))
+            return allow;
+        if (!fs.existsSync(filePath))
+            return allow;
+        return deny(REASONS.readBeforeOverwrite);
+    }
+    return allow;
+}
+function checkDestructiveShellPatterns(toolName, args) {
+    if (toolName !== "shell")
+        return allow;
+    const command = args.command || "";
+    // Check each subcommand in compound commands for destructive patterns
+    for (const sub of splitShellCommands(command)) {
+        if (isDestructiveShellCommand(sub))
+            return deny(REASONS.destructiveCommand);
+    }
+    return allow;
+}
+function checkProtectedPaths(toolName, args) {
+    if (toolName === "write_file" || toolName === "edit_file") {
+        const filePath = args.path || "";
+        if (isProtectedPath(filePath))
+            return deny(REASONS.protectedPath);
+    }
+    if (toolName === "shell") {
+        const command = args.command || "";
+        if (shellWritesToProtectedPath(command))
+            return deny(REASONS.protectedPath);
+    }
+    return allow;
+}
+function checkStructuralGuardrails(toolName, args, context) {
+    const protectedResult = checkProtectedPaths(toolName, args);
+    if (!protectedResult.allowed)
+        return protectedResult;
+    const destructiveResult = checkDestructiveShellPatterns(toolName, args);
+    if (!destructiveResult.allowed)
+        return destructiveResult;
+    return checkReadBeforeWrite(toolName, args, context);
+}
+// --- ouro CLI trust manifest ---
+/** Minimum trust level required for each ouro CLI subcommand. */
+exports.OURO_CLI_TRUST_MANIFEST = {
+    whoami: "acquaintance",
+    changelog: "acquaintance",
+    "session list": "acquaintance",
+    "task board": "friend",
+    "task create": "friend",
+    "task update": "friend",
+    "task show": "friend",
+    "task actionable": "friend",
+    "task deps": "friend",
+    "task sessions": "friend",
+    "friend list": "friend",
+    "friend show": "friend",
+    "friend create": "friend",
+    "reminder create": "friend",
+    "mcp list": "acquaintance",
+    "mcp call": "friend",
+    auth: "family",
+    "auth verify": "family",
+    "auth switch": "family",
+};
+// --- trust level comparison ---
+const LEVEL_ORDER = {
+    stranger: 0,
+    acquaintance: 1,
+    friend: 2,
+    family: 3,
+};
+function trustLevelSatisfied(required, actual) {
+    return LEVEL_ORDER[actual] >= LEVEL_ORDER[required];
+}
+// --- general CLI allowlists for acquaintance ---
+const ACQUAINTANCE_SHELL_ALLOWLIST = new Set([
+    "cat", "ls", "head", "tail", "wc", "file", "stat", "which", "echo",
+    "pwd", "env", "printenv", "whoami", "date", "uname",
+]);
+const ACQUAINTANCE_GIT_ALLOWLIST = new Set([
+    "status", "log", "show", "diff", "branch",
+]);
+// --- trust-level shell guardrails ---
+function resolveOuroSubcommand(command) {
+    const afterOuro = command.replace(/^ouro\s+/, "").trim();
+    /* v8 ignore next -- bare "ouro" is caught upstream by checkShellTrustGuardrails @preserve */
+    if (!afterOuro)
+        return null;
+    const tokens = afterOuro.split(/\s+/);
+    const twoWord = tokens.length >= 2 ? `${tokens[0]} ${tokens[1]}` : null;
+    // Two-word match first (e.g. "task board"), then one-word (e.g. "whoami")
+    if (twoWord && exports.OURO_CLI_TRUST_MANIFEST[twoWord])
+        return twoWord;
+    if (exports.OURO_CLI_TRUST_MANIFEST[tokens[0]])
+        return tokens[0];
+    return null;
+}
+function checkSingleShellCommandTrust(command, trustLevel) {
+    const trimmed = command.trim();
+    const tokens = trimmed.split(/\s+/);
+    const firstToken = tokens[0] || "";
+    // ouro CLI — check per-subcommand trust manifest
+    if (firstToken === "ouro") {
+        const subcommand = resolveOuroSubcommand(trimmed);
+        const requiredLevel = subcommand ? exports.OURO_CLI_TRUST_MANIFEST[subcommand] : "friend";
+        if (trustLevelSatisfied(requiredLevel, trustLevel))
+            return allow;
+        return deny(REASONS.needsTrust);
+    }
+    // git — check subcommand allowlist
+    if (firstToken === "git") {
+        const gitSub = tokens[1] || "";
+        if (ACQUAINTANCE_GIT_ALLOWLIST.has(gitSub))
+            return allow;
+        return deny(REASONS.needsTrust);
+    }
+    // General CLI — check allowlist
+    if (ACQUAINTANCE_SHELL_ALLOWLIST.has(firstToken))
+        return allow;
+    return deny(REASONS.needsTrust);
+}
+function checkShellTrustGuardrails(command, trustLevel) {
+    // Compound commands: for untrusted users, reject entirely.
+    // This prevents "ouro whoami && rm -rf /" from smuggling dangerous commands.
+    if (isCompoundCommand(command))
+        return deny(REASONS.compoundCommand);
+    return checkSingleShellCommandTrust(command, trustLevel);
+}
+function checkWriteTrustGuardrails(toolName, args, context) {
+    if (toolName !== "write_file" && toolName !== "edit_file")
+        return allow;
+    const filePath = args.path || "";
+    if (context.agentRoot && filePath.startsWith(context.agentRoot))
+        return allow;
+    if (!context.agentRoot)
+        return allow;
+    return deny(REASONS.needsTrustForWrite);
+}
+function checkTrustLevelGuardrails(toolName, args, context) {
+    // Trusted levels (family/friend) — no trust guardrails. Undefined defaults to friend.
+    if ((0, types_1.isTrustedLevel)(context.trustLevel))
+        return allow;
+    if (toolName === "shell") {
+        return checkShellTrustGuardrails(args.command || "", context.trustLevel);
+    }
+    return checkWriteTrustGuardrails(toolName, args, context);
+}
+// --- main entry point ---
+function guardInvocation(toolName, args, context) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "tools",
+        event: "tools.guard_check",
+        message: "guardrail check",
+        meta: { toolName },
+    });
+    // Read-only tools are always allowed (no structural or trust guardrails)
+    if (READ_ONLY_TOOLS.has(toolName))
+        return allow;
+    // Layer 1: structural guardrails (always on)
+    const structuralResult = checkStructuralGuardrails(toolName, args, context);
+    if (!structuralResult.allowed)
+        return structuralResult;
+    // Layer 2: trust-level guardrails (varies by friend's trust)
+    return checkTrustLevelGuardrails(toolName, args, context);
+}

package/dist/repertoire/mcp-client.js

@@ -0,0 +1,254 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpClient = void 0;
+const child_process_1 = require("child_process");
+const readline_1 = require("readline");
+const runtime_1 = require("../nerves/runtime");
+const MCP_PROTOCOL_VERSION = "2024-11-05";
+const DEFAULT_TOOL_CALL_TIMEOUT = 30_000;
+class McpClient {
+    config;
+    process = null;
+    nextId = 1;
+    pending = new Map();
+    connected = false;
+    cachedTools = null;
+    onCloseCallback = null;
+    constructor(config) {
+        this.config = config;
+    }
+    async connect() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "mcp.connect_start",
+            component: "repertoire",
+            message: "starting MCP server connection",
+            meta: { command: this.config.command },
+        });
+        const env = { ...process.env, ...this.config.env };
+        this.process = (0, child_process_1.spawn)(this.config.command, this.config.args ?? [], {
+            env,
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        this.setupLineReader();
+        this.setupProcessHandlers();
+        try {
+            await this.initialize();
+            this.connected = true;
+            (0, runtime_1.emitNervesEvent)({
+                event: "mcp.connect_end",
+                component: "repertoire",
+                message: "MCP server connected",
+                meta: { command: this.config.command },
+            });
+        }
+        catch (error) {
+            this.connected = false;
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "mcp.connect_error",
+                component: "repertoire",
+                message: "MCP server connection failed",
+                meta: {
+                    command: this.config.command,
+                    /* v8 ignore next -- defensive: spawn errors are always Error instances @preserve */
+                    reason: error instanceof Error ? error.message : String(error),
+                },
+            });
+            throw error;
+        }
+    }
+    async listTools() {
+        if (this.cachedTools) {
+            return this.cachedTools;
+        }
+        const allTools = [];
+        let cursor;
+        do {
+            const params = {};
+            if (cursor) {
+                params.cursor = cursor;
+            }
+            const result = await this.sendRequest("tools/list", params);
+            allTools.push(...result.tools);
+            cursor = result.nextCursor;
+        } while (cursor);
+        this.cachedTools = allTools;
+        return allTools;
+    }
+    async callTool(name, args, timeout = DEFAULT_TOOL_CALL_TIMEOUT) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "mcp.tool_call_start",
+            component: "repertoire",
+            message: `calling MCP tool: ${name}`,
+            meta: { tool: name },
+        });
+        try {
+            const result = await this.sendRequest("tools/call", {
+                name,
+                arguments: args,
+            }, timeout);
+            (0, runtime_1.emitNervesEvent)({
+                event: "mcp.tool_call_end",
+                component: "repertoire",
+                message: `MCP tool call completed: ${name}`,
+                meta: { tool: name },
+            });
+            return result;
+        }
+        catch (error) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "mcp.tool_call_error",
+                component: "repertoire",
+                message: `MCP tool call failed: ${name}`,
+                meta: {
+                    tool: name,
+                    /* v8 ignore next -- defensive: callTool errors are always Error instances @preserve */
+                    reason: error instanceof Error ? error.message : String(error),
+                },
+            });
+            throw error;
+        }
+    }
+    shutdown() {
+        this.connected = false;
+        this.rejectAllPending(new Error("Client shutdown"));
+        /* v8 ignore next -- defensive: process always exists during normal shutdown @preserve */
+        if (this.process && !this.process.killed) {
+            this.process.kill();
+        }
+        this.process = null;
+    }
+    isConnected() {
+        return this.connected;
+    }
+    onClose(callback) {
+        this.onCloseCallback = callback;
+    }
+    async initialize() {
+        const result = await this.sendRequest("initialize", {
+            protocolVersion: MCP_PROTOCOL_VERSION,
+            clientInfo: { name: "ouroboros", version: "1.0" },
+            capabilities: {},
+        });
+        // Send initialized notification (no id, no response expected)
+        this.writeMessage({
+            jsonrpc: "2.0",
+            method: "initialized",
+        });
+        return result;
+    }
+    sendRequest(method, params, timeout) {
+        return new Promise((resolve, reject) => {
+            if (!this.process || !this.connected && method !== "initialize") {
+                reject(new Error("MCP client is disconnected"));
+                return;
+            }
+            const id = this.nextId++;
+            const pending = { resolve, reject };
+            if (timeout) {
+                pending.timer = setTimeout(() => {
+                    this.pending.delete(id);
+                    reject(new Error(`MCP request timeout after ${timeout}ms: ${method}`));
+                }, timeout);
+            }
+            this.pending.set(id, pending);
+            const request = {
+                jsonrpc: "2.0",
+                id,
+                method,
+                params,
+            };
+            this.writeMessage(request);
+        });
+    }
+    writeMessage(message) {
+        /* v8 ignore next -- defensive: stdin always writable during active connection @preserve */
+        if (this.process?.stdin?.writable) {
+            this.process.stdin.write(JSON.stringify(message) + "\n");
+        }
+    }
+    setupLineReader() {
+        /* v8 ignore next -- defensive: stdout always exists after spawn @preserve */
+        if (!this.process?.stdout)
+            return;
+        const rl = (0, readline_1.createInterface)({ input: this.process.stdout });
+        rl.on("line", (line) => {
+            this.handleLine(line);
+        });
+    }
+    handleLine(line) {
+        let response;
+        try {
+            response = JSON.parse(line);
+        }
+        catch {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                event: "mcp.connect_error",
+                component: "repertoire",
+                message: "received malformed JSON from MCP server",
+                meta: { line },
+            });
+            return;
+        }
+        if (response.id === undefined || response.id === null) {
+            // Notification or invalid — ignore
+            return;
+        }
+        const pending = this.pending.get(response.id);
+        if (!pending)
+            return;
+        this.pending.delete(response.id);
+        if (pending.timer) {
+            clearTimeout(pending.timer);
+        }
+        if (response.error) {
+            pending.reject(new Error(response.error.message));
+        }
+        else {
+            pending.resolve(response.result);
+        }
+    }
+    setupProcessHandlers() {
+        /* v8 ignore next -- defensive: process always exists after spawn @preserve */
+        if (!this.process)
+            return;
+        this.process.on("error", (error) => {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "mcp.connect_error",
+                component: "repertoire",
+                message: "MCP server process error",
+                meta: { reason: error.message },
+            });
+        });
+        this.process.on("close", (code) => {
+            const wasConnected = this.connected;
+            this.connected = false;
+            this.rejectAllPending(new Error(`MCP server process closed with code ${code}`));
+            if (wasConnected) {
+                (0, runtime_1.emitNervesEvent)({
+                    level: "error",
+                    event: "mcp.connect_error",
+                    component: "repertoire",
+                    message: "MCP server process exited unexpectedly",
+                    meta: { exitCode: code },
+                });
+            }
+            if (this.onCloseCallback) {
+                this.onCloseCallback();
+            }
+        });
+    }
+    rejectAllPending(error) {
+        for (const [id, pending] of this.pending) {
+            if (pending.timer) {
+                clearTimeout(pending.timer);
+            }
+            pending.reject(error);
+            this.pending.delete(id);
+        }
+    }
+}
+exports.McpClient = McpClient;