@oyasmi/pipiclaw 0.5.5 → 0.5.7

package/dist/tools/index.js

@@ -1,13 +1,38 @@
+import { APP_HOME_DIR } from "../paths.js";
+import { loadSecurityConfig } from "../security/config.js";
 import { createSubAgentTool } from "../subagents/tool.js";
 import { createBashTool } from "./bash.js";
 import { createEditTool } from "./edit.js";
 import { createReadTool } from "./read.js";
 import { createWriteTool } from "./write.js";
-export function createPipiclawBaseTools(executor) {
-    return [createReadTool(executor), createBashTool(executor), createEditTool(executor), createWriteTool(executor)];
+export function createPipiclawBaseTools(executor, options = {}) {
+    const hasSecurityOptions = options.securityConfig || options.securityContext || options.channelId;
+    const toolOptions = hasSecurityOptions
+        ? {
+            securityConfig: options.securityConfig,
+            securityContext: options.securityContext,
+            channelId: options.channelId,
+        }
+        : undefined;
+    return [
+        createReadTool(executor, toolOptions),
+        createBashTool(executor, toolOptions),
+        createEditTool(executor, toolOptions),
+        createWriteTool(executor, toolOptions),
+    ];
 }
 export function createPipiclawTools(options) {
-    const baseTools = createPipiclawBaseTools(options.executor);
+    const securityConfig = loadSecurityConfig(APP_HOME_DIR);
+    const securityContext = {
+        workspaceDir: options.workspaceDir,
+        workspacePath: options.workspacePath,
+        cwd: process.cwd(),
+    };
+    const baseTools = createPipiclawBaseTools(options.executor, {
+        securityConfig,
+        securityContext,
+        channelId: options.channelId,
+    });
     return [
         ...baseTools,
         createSubAgentTool({
@@ -19,6 +44,7 @@ export function createPipiclawTools(options) {
             channelDir: options.channelDir,
             getSubAgentDiscovery: options.getSubAgentDiscovery,
             getMemoryRecallSettings: options.getMemoryRecallSettings,
+            securityConfig,
             runtimeContext: {
                 workspacePath: options.workspacePath,
                 channelId: options.channelId,

package/dist/tools/read.d.ts

@@ -1,10 +1,16 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 declare const readSchema: import("@sinclair/typebox").TObject<{
     label: import("@sinclair/typebox").TString;
     path: import("@sinclair/typebox").TString;
     offset: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TNumber>;
     limit: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TNumber>;
 }>;
-export declare function createReadTool(executor: Executor): AgentTool<typeof readSchema>;
+export interface ReadToolOptions {
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+}
+export declare function createReadTool(executor: Executor, options?: ReadToolOptions): AgentTool<typeof readSchema>;
 export {};

package/dist/tools/read.js

@@ -1,5 +1,8 @@
 import { Type } from "@sinclair/typebox";
 import { extname } from "path";
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
+import { logSecurityEvent } from "../security/logger.js";
+import { guardPath } from "../security/path-guard.js";
 import { shellEscape } from "../shared/shell-escape.js";
 import { DEFAULT_MAX_BYTES, DEFAULT_MAX_LINES, formatSize, truncateHead } from "./truncate.js";
 /**
@@ -25,13 +28,45 @@ const readSchema = Type.Object({
     offset: Type.Optional(Type.Number({ description: "Line number to start reading from (1-indexed)" })),
     limit: Type.Optional(Type.Number({ description: "Maximum number of lines to read" })),
 });
-export function createReadTool(executor) {
+function formatPathBlockMessage(resolvedPath, category, reason) {
+    const lines = [`Path blocked${category ? ` [${category}]` : ""}`];
+    if (reason) {
+        lines.push(`Reason: ${reason}`);
+    }
+    if (resolvedPath) {
+        lines.push(`Resolved path: ${resolvedPath}`);
+    }
+    return lines.join("\n");
+}
+export function createReadTool(executor, options = {}) {
+    const securityConfig = options.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = options.securityContext ?? {
+        workspaceDir: process.cwd(),
+        workspacePath: process.cwd(),
+        cwd: process.cwd(),
+    };
     return {
         name: "read",
         label: "read",
         description: `Read the contents of a file. Supports text files and images (jpg, png, gif, webp). Images are sent as attachments. For text files, output is truncated to ${DEFAULT_MAX_LINES} lines or ${DEFAULT_MAX_BYTES / 1024}KB (whichever is hit first). Use offset/limit for large files.`,
         parameters: readSchema,
         execute: async (_toolCallId, { path, offset, limit }, signal) => {
+            if (securityConfig.enabled && securityConfig.pathGuard.enabled) {
+                const guardResult = guardPath(path, "read", { ...securityContext, config: securityConfig.pathGuard });
+                if (!guardResult.allowed) {
+                    logSecurityEvent(securityContext.workspaceDir, securityConfig, {
+                        type: "path",
+                        tool: "read",
+                        channelId: options.channelId,
+                        rawPath: path,
+                        operation: "read",
+                        resolvedPath: guardResult.resolvedPath,
+                        category: guardResult.category,
+                        reason: guardResult.reason,
+                    });
+                    throw new Error(formatPathBlockMessage(guardResult.resolvedPath, guardResult.category, guardResult.reason));
+                }
+            }
             const mimeType = isImageFile(path);
             if (mimeType) {
                 // Read as image (binary) - use base64

package/dist/tools/write-content.d.ts

@@ -1,4 +1,9 @@
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 export declare function writeContent(executor: Executor, path: string, content: string, signal: AbortSignal | undefined, options?: {
     createParentDir?: boolean;
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+    toolName?: string;
 }): Promise<void>;

package/dist/tools/write-content.js

@@ -1,11 +1,10 @@
+import { DEFAULT_SECURITY_CONFIG } from "../security/config.js";
+import { logSecurityEvent } from "../security/logger.js";
+import { guardPath } from "../security/path-guard.js";
 import { shellEscape } from "../shared/shell-escape.js";
-const INLINE_WRITE_MAX_BYTES = 64 * 1024;
 function getDir(path) {
     return path.includes("/") ? path.substring(0, path.lastIndexOf("/")) : ".";
 }
-function isInlineSafe(content) {
-    return Buffer.byteLength(content, "utf-8") <= INLINE_WRITE_MAX_BYTES;
-}
 function ensureSuccess(result, path) {
     if (result.code !== 0) {
         throw new Error(result.stderr || `Failed to write file: ${path}`);
@@ -13,14 +12,36 @@ function ensureSuccess(result, path) {
 }
 export async function writeContent(executor, path, content, signal, options) {
     const createParentDir = options?.createParentDir ?? false;
-    const dirPrefix = createParentDir ? `mkdir -p ${shellEscape(getDir(path))} && ` : "";
-    if (isInlineSafe(content)) {
-        const result = await executor.exec(`${dirPrefix}printf '%s' ${shellEscape(content)} > ${shellEscape(path)}`, {
-            signal,
-        });
-        ensureSuccess(result, path);
-        return;
+    const securityConfig = options?.securityConfig ?? DEFAULT_SECURITY_CONFIG;
+    const securityContext = options?.securityContext ?? {
+        workspaceDir: process.cwd(),
+        workspacePath: process.cwd(),
+        cwd: process.cwd(),
+    };
+    if (securityConfig.enabled && securityConfig.pathGuard.enabled) {
+        const guardResult = guardPath(path, "write", { ...securityContext, config: securityConfig.pathGuard });
+        if (!guardResult.allowed) {
+            logSecurityEvent(securityContext.workspaceDir, securityConfig, {
+                type: "path",
+                tool: options?.toolName ?? "write",
+                channelId: options?.channelId,
+                rawPath: path,
+                operation: "write",
+                resolvedPath: guardResult.resolvedPath,
+                category: guardResult.category,
+                reason: guardResult.reason,
+            });
+            const lines = [`Path blocked${guardResult.category ? ` [${guardResult.category}]` : ""}`];
+            if (guardResult.reason) {
+                lines.push(`Reason: ${guardResult.reason}`);
+            }
+            if (guardResult.resolvedPath) {
+                lines.push(`Resolved path: ${guardResult.resolvedPath}`);
+            }
+            throw new Error(lines.join("\n"));
+        }
     }
+    const dirPrefix = createParentDir ? `mkdir -p ${shellEscape(getDir(path))} && ` : "";
     const result = await executor.exec(`${dirPrefix}cat > ${shellEscape(path)}`, {
         signal,
         stdin: content,

package/dist/tools/write.d.ts

@@ -1,9 +1,15 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import type { Executor } from "../sandbox.js";
+import type { SecurityConfig, SecurityRuntimeContext } from "../security/types.js";
 declare const writeSchema: import("@sinclair/typebox").TObject<{
     label: import("@sinclair/typebox").TString;
     path: import("@sinclair/typebox").TString;
     content: import("@sinclair/typebox").TString;
 }>;
-export declare function createWriteTool(executor: Executor): AgentTool<typeof writeSchema>;
+export interface WriteToolOptions {
+    securityConfig?: SecurityConfig;
+    securityContext?: SecurityRuntimeContext;
+    channelId?: string;
+}
+export declare function createWriteTool(executor: Executor, options?: WriteToolOptions): AgentTool<typeof writeSchema>;
 export {};

package/dist/tools/write.js

@@ -5,16 +5,23 @@ const writeSchema = Type.Object({
     path: Type.String({ description: "Path to the file to write (relative or absolute)" }),
     content: Type.String({ description: "Content to write to the file" }),
 });
-export function createWriteTool(executor) {
+export function createWriteTool(executor, options = {}) {
     return {
         name: "write",
         label: "write",
         description: "Write content to a file. Creates the file if it doesn't exist, overwrites if it does. Automatically creates parent directories.",
         parameters: writeSchema,
         execute: async (_toolCallId, { path, content }, signal) => {
-            await writeContent(executor, path, content, signal, { createParentDir: true });
+            await writeContent(executor, path, content, signal, {
+                createParentDir: true,
+                securityConfig: options.securityConfig,
+                securityContext: options.securityContext,
+                channelId: options.channelId,
+                toolName: "write",
+            });
+            const bytesWritten = Buffer.byteLength(content, "utf-8");
             return {
-                content: [{ type: "text", text: `Successfully wrote ${content.length} bytes to ${path}` }],
+                content: [{ type: "text", text: `Successfully wrote ${bytesWritten} bytes to ${path}` }],
                 details: undefined,
             };
         },

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@oyasmi/pipiclaw",
-	"version": "0.5.5",
+	"version": "0.5.7",
 	"description": "An AI assistant runtime for coding and team workflows, with DingTalk AI Cards, sub-agents, memory, and scheduled events.",
 	"type": "module",
 	"bin": {
@@ -27,6 +27,7 @@
 		"lint": "biome check .",
 		"typecheck": "tsc --noEmit -p tsconfig.json",
 		"test": "vitest --run",
+		"test:e2e": "vitest --run --config vitest.config.e2e.ts",
 		"test:coverage": "vitest --run --coverage",
 		"check": "npm run lint && npm run typecheck && npm run test",
 		"prepublishOnly": "npm run clean && npm run build && npm run check"