@pellux/goodvibes-agent 0.1.11 → 0.1.13

package/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to GoodVibes Agent will be recorded here.
 
+## 0.1.13 - 2026-05-31
+
+- 989b048 Block local coding tools in agent runtime
+
+## 0.1.12 - 2026-05-31
+
+- 1843a77 Handle external daemon SDK mismatch in live verification
+- 2b1a3f4 Align agent-owned test paths
+
 ## 0.1.11 - 2026-05-31
 
 - d20a93e Allow explicit recall review without yes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-agent",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "private": false,
   "description": "Near-fork GoodVibes operator assistant with the GoodVibes TUI shell, renderer, input, fullscreen workspace, and daemon-connected Agent product brain.",
   "type": "module",

package/src/tools/wrfc-agent-guard.ts

@@ -10,6 +10,8 @@ type AgentToolPolicyGuardOptions = {
   readonly getLastUserMessage?: () => string | null;
 };
 
+const BLOCKED_MAIN_CONVERSATION_TOOL_NAMES = ['write', 'edit', 'workflow', 'repl'] as const;
+
 const READ_ONLY_AGENT_TOOL_MODES = [
   'status',
   'list',
@@ -23,6 +25,7 @@ const READ_ONLY_AGENT_TOOL_MODES = [
 ] as const;
 
 const READ_ONLY_AGENT_TOOL_MODE_SET = new Set<string>(READ_ONLY_AGENT_TOOL_MODES);
+const BLOCKED_MAIN_CONVERSATION_TOOL_NAME_SET = new Set<string>(BLOCKED_MAIN_CONVERSATION_TOOL_NAMES);
 
 const LOCAL_AGENT_DENIAL = [
   'GoodVibes Agent does not spawn local Engineer/Reviewer/Tester/Verifier roots or run local WRFC chains.',
@@ -30,10 +33,21 @@ const LOCAL_AGENT_DENIAL = [
   'For explicit build/fix/review work, delegate one request to GoodVibes TUI through the public shared-session/build-delegation contract with the full original user ask.',
 ].join(' ');
 
+const LOCAL_CODING_TOOL_DENIAL = [
+  'GoodVibes Agent does not perform direct local file mutation, local WRFC workflow execution, or local sandbox/REPL execution from the main conversation.',
+  'For explicit build/fix/review/code execution work, delegate one request to GoodVibes TUI through the public shared-session/build-delegation contract with the full original user ask.',
+  'For durable Agent memory, skills, personas, routines, and knowledge, use the Agent-owned commands and isolated Agent Knowledge routes.',
+].join(' ');
+
 export function installAgentToolPolicyGuard(registry: ToolRegistry, options: AgentToolPolicyGuardOptions = {}): void {
   const agentTool = registry.list().find((tool) => tool.definition.name === 'agent');
   if (!agentTool) throw new Error('Agent tool policy guard could not find the agent tool.');
   wrapAgentToolForAgentPolicy(agentTool, options);
+  for (const tool of registry.list()) {
+    if (BLOCKED_MAIN_CONVERSATION_TOOL_NAME_SET.has(tool.definition.name)) {
+      wrapBlockedMainConversationToolForAgentPolicy(tool);
+    }
+  }
 }
 
 export function wrapAgentToolForAgentPolicy(tool: Tool, _options: AgentToolPolicyGuardOptions = {}): void {
@@ -55,8 +69,20 @@ export function normalizeAgentToolInvocationForAgentPolicy(args: AgentToolArgs):
   return args;
 }
 
+export function wrapBlockedMainConversationToolForAgentPolicy(tool: Tool): void {
+  tool.definition.description = [
+    `Blocked in GoodVibes Agent main conversation: ${tool.definition.name}.`,
+    'Use explicit GoodVibes TUI build delegation for build/fix/review/code execution work.',
+    'Use Agent-owned local registries and isolated Agent Knowledge routes for Agent memory and knowledge work.',
+  ].join(' ');
+  tool.definition.sideEffects = [];
+  tool.execute = async () => ({ success: false, error: LOCAL_CODING_TOOL_DENIAL });
+}
+
 export const AGENT_LOCAL_SPAWN_DENIAL_MESSAGE = LOCAL_AGENT_DENIAL;
 export const AGENT_READ_ONLY_TOOL_MODES = READ_ONLY_AGENT_TOOL_MODES;
+export const AGENT_BLOCKED_MAIN_CONVERSATION_TOOL_NAMES = BLOCKED_MAIN_CONVERSATION_TOOL_NAMES;
+export const AGENT_MAIN_CONVERSATION_TOOL_DENIAL_MESSAGE = LOCAL_CODING_TOOL_DENIAL;
 
 function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value);

package/src/verification/live-verifier.ts

@@ -3,6 +3,7 @@ import { join, resolve } from 'node:path';
 import { spawn } from 'node:child_process';
 import { auditGoodVibesHome } from '../config/goodvibes-home-audit.ts';
 import { buildVerificationLedger } from './verification-ledger.ts';
+import { SDK_VERSION } from '../version.ts';
 
 export type LiveVerificationStatus = 'pass' | 'warn' | 'fail' | 'skip';
 
@@ -271,6 +272,25 @@ function countStatuses(checks: readonly LiveVerificationCheck[]): Record<LiveVer
   );
 }
 
+export function buildAgentKnowledgeLiveSkipCheck(
+  id: string,
+  title: string,
+  daemonVersion: string,
+  expectedSdkVersion = SDK_VERSION,
+): LiveVerificationCheck {
+  return {
+    id,
+    title,
+    status: 'skip',
+    summary: `Skipped because external daemon SDK ${daemonVersion} does not match Agent SDK pin ${expectedSdkVersion}.`,
+    detail: [
+      'Agent Knowledge is intentionally isolated under /api/goodvibes-agent/knowledge/*.',
+      'An older daemon cannot validate those routes, and Agent must not fall back to default Knowledge/Wiki or HomeGraph.',
+      'Update/restart the external daemon, then rerun live verification.',
+    ].join('\n'),
+  };
+}
+
 export async function buildLiveVerificationReport(options: LiveVerificationOptions): Promise<LiveVerificationReport> {
   const homeDir = resolve(options.homeDir);
   const projectRoot = resolve(options.projectRoot);
@@ -278,6 +298,7 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
   const daemonBaseUrl = resolveDaemonBaseUrl(homeDir, options.daemonBaseUrl);
   const token = options.token ?? readDaemonToken(homeDir);
   const checks: LiveVerificationCheck[] = [];
+  let daemonSdkVersion: string | null = null;
 
   const ledger = buildVerificationLedger(projectRoot);
   checks.push({
@@ -328,7 +349,7 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
       'Agent CLI compatibility JSON command',
       await runCommand(binaryPath, ['compat', '--json'], projectRoot),
       'Agent CLI compatibility returned parseable JSON.',
-      { parseJson: true },
+      { parseJson: true, warnOnNonZero: true },
     ));
     checks.push(commandCheck(
       'cli-agent-knowledge-status',
@@ -392,6 +413,7 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
         const version = typeof parsed.sdkVersion === 'string'
           ? parsed.sdkVersion
           : typeof parsed.version === 'string' ? parsed.version : 'unknown';
+        daemonSdkVersion = version;
         return { status: 'pass', summary: `/status returned 200, version ${version}.` };
       } catch {
         return { status: 'warn', summary: '/status returned 200 but was not parseable JSON.' };
@@ -438,78 +460,88 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
     },
   ));
 
-  checks.push(await fetchJsonCheck(
-    'agent-knowledge-status',
-    'Agent Knowledge isolated /status',
-    `${daemonBaseUrl}/api/goodvibes-agent/knowledge/status`,
-    token,
-    {
-      validate: (status, body) => {
-        if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/status returned ${status}.` };
-        try {
-          JSON.parse(body);
-          return { status: 'pass', summary: 'Agent Knowledge status route returned parseable JSON.' };
-        } catch {
-          return { status: 'fail', summary: 'Agent Knowledge status was not parseable JSON.' };
-        }
+  const daemonVersionMismatch = daemonSdkVersion !== null && daemonSdkVersion !== 'unknown' && daemonSdkVersion !== SDK_VERSION;
+  if (daemonVersionMismatch) {
+    const mismatchedDaemonVersion = daemonSdkVersion ?? 'unknown';
+    checks.push(
+      buildAgentKnowledgeLiveSkipCheck('agent-knowledge-status', 'Agent Knowledge isolated /status', mismatchedDaemonVersion),
+      buildAgentKnowledgeLiveSkipCheck('agent-knowledge-ask-isolated', 'Agent Knowledge isolated ask', mismatchedDaemonVersion),
+      buildAgentKnowledgeLiveSkipCheck('agent-knowledge-search-isolated', 'Agent Knowledge isolated search', mismatchedDaemonVersion),
+    );
+  } else {
+    checks.push(await fetchJsonCheck(
+      'agent-knowledge-status',
+      'Agent Knowledge isolated /status',
+      `${daemonBaseUrl}/api/goodvibes-agent/knowledge/status`,
+      token,
+      {
+        validate: (status, body) => {
+          if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/status returned ${status}.` };
+          try {
+            JSON.parse(body);
+            return { status: 'pass', summary: 'Agent Knowledge status route returned parseable JSON.' };
+          } catch {
+            return { status: 'fail', summary: 'Agent Knowledge status was not parseable JSON.' };
+          }
+        },
       },
-    },
-  ));
+    ));
 
-  checks.push(await fetchJsonCheck(
-    'agent-knowledge-ask-isolated',
-    'Agent Knowledge isolated ask',
-    `${daemonBaseUrl}/api/goodvibes-agent/knowledge/ask`,
-    token,
-    {
-      method: 'POST',
-      body: {
-        query: 'What is GoodVibes Agent?',
-        limit: 5,
-        mode: 'concise',
-        includeSources: true,
-        includeConfidence: true,
-        includeLinkedObjects: true,
+    checks.push(await fetchJsonCheck(
+      'agent-knowledge-ask-isolated',
+      'Agent Knowledge isolated ask',
+      `${daemonBaseUrl}/api/goodvibes-agent/knowledge/ask`,
+      token,
+      {
+        method: 'POST',
+        body: {
+          query: 'What is GoodVibes Agent?',
+          limit: 5,
+          mode: 'concise',
+          includeSources: true,
+          includeConfidence: true,
+          includeLinkedObjects: true,
+        },
+        validate: (status, body) => {
+          if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/ask returned ${status}.` };
+          try {
+            JSON.parse(body);
+          } catch {
+            return { status: 'fail', summary: 'Agent Knowledge ask was not parseable JSON.' };
+          }
+          const lower = body.toLowerCase();
+          if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
+            return { status: 'fail', summary: 'Agent Knowledge ask returned HomeGraph/Home Assistant contamination.' };
+          }
+          return { status: 'pass', summary: 'Agent Knowledge ask stayed on the isolated Agent route.' };
+        },
       },
-      validate: (status, body) => {
-        if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/ask returned ${status}.` };
-        try {
-          JSON.parse(body);
-        } catch {
-          return { status: 'fail', summary: 'Agent Knowledge ask was not parseable JSON.' };
-        }
-        const lower = body.toLowerCase();
-        if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
-          return { status: 'fail', summary: 'Agent Knowledge ask returned HomeGraph/Home Assistant contamination.' };
-        }
-        return { status: 'pass', summary: 'Agent Knowledge ask stayed on the isolated Agent route.' };
-      },
-    },
-  ));
+    ));
 
-  checks.push(await fetchJsonCheck(
-    'agent-knowledge-search-isolated',
-    'Agent Knowledge isolated search',
-    `${daemonBaseUrl}/api/goodvibes-agent/knowledge/search`,
-    token,
-    {
-      method: 'POST',
-      body: { query: 'What is GoodVibes Agent?', limit: 5 },
-      validate: (status, body) => {
-        if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/search returned ${status}.` };
-        try {
-          JSON.parse(body);
-        } catch {
-          return { status: 'fail', summary: 'Agent Knowledge search was not parseable JSON.' };
-        }
-        const lower = body.toLowerCase();
-        if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
-          return { status: 'fail', summary: 'Agent Knowledge search returned HomeGraph/Home Assistant contamination.' };
-        }
-        return { status: 'pass', summary: 'Agent Knowledge search stayed on the isolated Agent route.' };
+    checks.push(await fetchJsonCheck(
+      'agent-knowledge-search-isolated',
+      'Agent Knowledge isolated search',
+      `${daemonBaseUrl}/api/goodvibes-agent/knowledge/search`,
+      token,
+      {
+        method: 'POST',
+        body: { query: 'What is GoodVibes Agent?', limit: 5 },
+        validate: (status, body) => {
+          if (status !== 200) return { status: 'fail', summary: `/api/goodvibes-agent/knowledge/search returned ${status}.` };
+          try {
+            JSON.parse(body);
+          } catch {
+            return { status: 'fail', summary: 'Agent Knowledge search was not parseable JSON.' };
+          }
+          const lower = body.toLowerCase();
+          if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
+            return { status: 'fail', summary: 'Agent Knowledge search returned HomeGraph/Home Assistant contamination.' };
+          }
+          return { status: 'pass', summary: 'Agent Knowledge search stayed on the isolated Agent route.' };
+        },
       },
-    },
-  ));
+    ));
+  }
 
   const counts = countStatuses(checks);
   const ok = counts.fail === 0 && (!options.strict || counts.warn === 0);

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.11';
+let _version = '0.1.13';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {