@pentoshi/clai 0.6.0 → 0.7.2

package/README.md

@@ -69,11 +69,10 @@ clai -y "list the 10 largest files in my home directory"
 - **`/agent` mode** — Agentic. AI plans, then executes shell commands, edits files, installs missing tools, parses output, and continues until the goal is met.
 - **7 LLM providers** — Groq, Google Gemini, OpenRouter, OpenAI, Anthropic, NVIDIA NIM, and Ollama (local). All with streaming.
 - **10 built-in tools** — `shell.exec`, `fs.read`, `fs.write`, `fs.list`, `fs.search`, `pkg.install`, `net.scan`, `http.fetch`, `sysinfo`, `pentest.recon`.
-- **Smart safety gate** — Low-risk commands auto-execute; mutating, network, secret-touching, or shell-control commands require confirmation; destructive patterns are blocked.
-- **Bounded tool output** — Long scan output is streamed lightly while running, saved to artifacts when needed, and reduced before it reaches the model.
+- **Smart safety gate** — Read-only commands auto-execute; mutating commands require confirmation; destructive patterns are blocked.
 - **Cross-platform** — macOS, Linux, and Windows. Detects OS-native package managers (brew, apt, dnf, pacman, winget, choco).
 - **Pentest-aware** — nmap, nikto, sqlmap, gobuster, ffuf, hydra, masscan, whois, dig, netcat, tshark.
-- **Manual update checks** — Run `/update` or `clai update` to check for new releases.
+- **Auto-update** — Checks for new versions on startup; run `/update` or `clai update` to upgrade.
 - **Persistent history** — Session history with automatic key redaction in logs.
 
 ## Provider Setup
@@ -90,8 +89,6 @@ clai supports 7 LLM providers with free tiers:
 | NVIDIA NIM  | `meta/llama-3.3-70b-instruct`                | ✓     | `nvapi-`       |
 | Ollama      | `llama3.1:8b`                                | ✓     | (local URL)    |
 
-`freeOnly` mode is enabled by default. Paid providers are excluded from fallback unless you explicitly opt in by disabling `freeOnly` in config or setting `CLAI_ALLOW_PAID=1`.
-
 ```sh
 # Store an API key
 clai set groq gsk_xxxxxxxxxxxxxxxx
@@ -145,41 +142,45 @@ export OLLAMA_HOST=http://localhost:11434
 | `/set <provider> [key]` | Store API key (masked input if key omitted)        |
 | `/unset <provider>`     | Remove stored key                                  |
 | `/keys`                 | List configured providers, masked                  |
+| `/variants [on|off|low|medium|high]` | Toggle model thinking/reasoning variants |
 | `/think`                | Show hidden thinking from last response            |
+| `/output [last|id|list]`| Toggle full saved tool output                      |
 | `/clear`                | Clear conversation context                         |
 | `/history`              | Show past sessions                                 |
 | `/save <name>`          | Save current session                               |
 | `/cwd <path>`           | Change working directory                           |
 | `/allow <tool>`         | Whitelist a tool for the session                   |
-| `/output [last]`        | Toggle full output from the last tool               |
+| `/scope add <targets>`  | Add authorized pentest targets                     |
+| `/fallback [on|off]`    | Try other configured providers after a failure     |
 | `/update`               | Check for updates                                  |
 | `/exit`                 | Quit                                               |
 | `/help`                 | List commands                                      |
 | `Ctrl+C`                | Abort current response (second Ctrl+C exits)       |
+| `Ctrl+O`                | Toggle full tool output (same keys on all OSes)    |
 
 ## Built-in Tools (Agent Mode)
 
 | Tool             | Description                                                        | Risk Level |
 |------------------|--------------------------------------------------------------------|------------|
-| `shell.exec`     | Run shell commands with bounded capture and live progress          | smart*     |
+| `shell.exec`     | Run shell commands via execa (120s timeout, streams output)        | smart*     |
 | `fs.read`        | Read files (sandboxed to approved roots)                           | safe       |
 | `fs.write`       | Write files (sandboxed)                                            | confirm    |
 | `fs.list`        | List directory contents                                            | safe       |
 | `fs.search`      | Search files with ripgrep (falls back to grep)                     | safe       |
 | `pkg.install`    | Install packages via detected OS package manager                   | confirm    |
 | `net.scan`       | Nmap wrapper for port scanning                                     | confirm    |
-| `http.fetch`     | HTTP GET/HEAD with streaming response limits                       | safe*      |
+| `http.fetch`     | HTTP GET/POST with response size limits                            | safe       |
 | `sysinfo`        | OS, architecture, shell, and working directory info                | safe       |
 | `pentest.recon`  | Composite: whois + dig + nmap top-100 ports                       | confirm    |
 
-> \* **smart** = only low-risk commands such as `ls`, `whoami`, and `uname` auto-execute. Network scanners, shell control syntax, secret paths, mutating commands, and non-GET HTTP methods require confirmation.
+> \* **smart** = read-only commands (`curl`, `ls`, `whoami`, `gobuster`, `dirb`, etc.) auto-execute; mutating commands require confirmation.
 
 ## Safety Gate
 
 Every tool call passes through a 3-tier classifier:
 
-- **`safe`** — Auto-run: sandboxed read-only fs, sysinfo, GET/HEAD http.fetch, and low-risk shell info commands.
-- **`confirm`** — User prompt: mutating shell commands, fs.write, pkg.install, net.scan, network/private HTTP targets, scanner tools, and commands touching possible secrets.
+- **`safe`** — Auto-run: read-only fs, sysinfo, http.fetch, read-only shell commands (`curl`, `ls`, `whoami`, `ifconfig`, `gobuster`, `dirb`, `ffuf`, `nikto`, etc.)
+- **`confirm`** — User prompt: mutating shell commands, fs.write, pkg.install, net.scan
 - **`block`** — Refuse with explanation: `rm -rf /`, fork bombs, public IP scans without authorization, exfiltration patterns
 
 ### Pentest Authorization
@@ -190,15 +191,17 @@ Security tools require a one-time acknowledgment:
 clai authorize-pentest AGREE
 ```
 
-Public target scanning is blocked unless the target is private/local or the tool call carries explicit structured ownership confirmation.
+Public targets do not require a stored scope, but keeping one helps clai remember what you are authorized to test. Add targets with:
 
-### Tool Output
+```sh
+clai scope add --targets example.com,10.0.0.0/24
+```
 
-During long tool runs, clai shows live output in dim text so you can see progress. After the AI summarizes the result, raw output is collapsed. Press `Ctrl+O` on macOS, Linux, or Windows to toggle full output for the last tool. In non-interactive terminals, use `/output last` or open the saved artifact path.
+Inside the REPL, use `/scope add example.com`. If the agent proposes a public recon target that is not covered, clai shows a scope suggestion and still lets you continue through the normal confirmation flow.
 
 ## Updates
 
-clai does not call GitHub automatically by default. Check manually:
+clai checks for updates automatically on startup (every 4 hours, non-blocking). You can also check manually:
 
 ```sh
 # CLI command

package/dist/agent/context-manager.d.ts

@@ -0,0 +1,27 @@
+import type { ChatMessage } from "../types.js";
+/**
+ * Crude per-char token estimator. Production-grade tokenization differs by
+ * provider, but for budgeting an order-of-magnitude heuristic ("chars / 4")
+ * is enough to decide when to compact. We deliberately err on the side of
+ * over-estimating — better to compact one turn too early than to lose state
+ * to a provider context-window error.
+ */
+export declare function estimateTokens(text: string): number;
+export declare function estimateMessagesTokens(messages: ChatMessage[]): number;
+export interface CompactOptions {
+    /** Soft budget (tokens). When estimated tokens exceed this, compact. */
+    budgetTokens?: number | undefined;
+    /** Keep this many trailing messages (system + user/assistant pairs). */
+    keepRecent?: number | undefined;
+}
+/**
+ * Replace older messages with a single condensed "memory" message while
+ * preserving the system prompt and the most recent N messages.
+ *
+ * We do not call the LLM here — that's a future enhancement. The current
+ * compaction is mechanical: keep the system prompt; replace the prefix of
+ * older turns with a bullet list of the assistant's last lines and the
+ * tool calls that produced output. This is conservative and reversible
+ * (the artifact files still hold the raw outputs).
+ */
+export declare function compactMessages(messages: ChatMessage[], options?: CompactOptions): ChatMessage[];

package/dist/agent/context-manager.js

@@ -0,0 +1,75 @@
+/**
+ * Crude per-char token estimator. Production-grade tokenization differs by
+ * provider, but for budgeting an order-of-magnitude heuristic ("chars / 4")
+ * is enough to decide when to compact. We deliberately err on the side of
+ * over-estimating — better to compact one turn too early than to lose state
+ * to a provider context-window error.
+ */
+export function estimateTokens(text) {
+    return Math.ceil(text.length / 4);
+}
+export function estimateMessagesTokens(messages) {
+    let sum = 0;
+    for (const message of messages) {
+        sum += estimateTokens(message.content) + 4; // role overhead
+    }
+    return sum;
+}
+const DEFAULT_BUDGET_TOKENS = 24_000;
+const DEFAULT_KEEP_RECENT = 8;
+/**
+ * Replace older messages with a single condensed "memory" message while
+ * preserving the system prompt and the most recent N messages.
+ *
+ * We do not call the LLM here — that's a future enhancement. The current
+ * compaction is mechanical: keep the system prompt; replace the prefix of
+ * older turns with a bullet list of the assistant's last lines and the
+ * tool calls that produced output. This is conservative and reversible
+ * (the artifact files still hold the raw outputs).
+ */
+export function compactMessages(messages, options = {}) {
+    const budget = options.budgetTokens ?? DEFAULT_BUDGET_TOKENS;
+    const keepRecent = Math.max(2, options.keepRecent ?? DEFAULT_KEEP_RECENT);
+    if (messages.length <= keepRecent + 1)
+        return messages;
+    if (estimateMessagesTokens(messages) <= budget)
+        return messages;
+    // Always keep the system prompt (index 0 if it's a system message).
+    const head = [];
+    let start = 0;
+    if (messages[0]?.role === "system") {
+        head.push(messages[0]);
+        start = 1;
+    }
+    const tail = messages.slice(Math.max(start, messages.length - keepRecent));
+    const middle = messages.slice(start, messages.length - tail.length);
+    if (middle.length === 0)
+        return messages;
+    const bullets = [];
+    for (const msg of middle) {
+        if (msg.role === "user") {
+            bullets.push(`- user asked: ${oneLine(msg.content, 200)}`);
+        }
+        else if (msg.role === "assistant") {
+            const line = oneLine(msg.content, 200);
+            if (line)
+                bullets.push(`- assistant: ${line}`);
+        }
+        else if (msg.role === "tool") {
+            bullets.push(`- tool result: ${oneLine(msg.content, 200)}`);
+        }
+    }
+    const memo = {
+        role: "system",
+        content: `Earlier turns in this session, summarized to fit the context budget. Full artifacts (when produced) are saved on disk and can be expanded with /output.\n\n` +
+            bullets.join("\n"),
+    };
+    return [...head, memo, ...tail];
+}
+function oneLine(text, maxChars) {
+    const cleaned = text.replace(/\s+/g, " ").trim();
+    if (cleaned.length <= maxChars)
+        return cleaned;
+    return `${cleaned.slice(0, maxChars - 1)}…`;
+}
+//# sourceMappingURL=context-manager.js.map

package/dist/agent/context-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-manager.js","sourceRoot":"","sources":["../../src/agent/context-manager.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAAuB;IAC5D,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,gBAAgB;IAC9D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AASD,MAAM,qBAAqB,GAAG,MAAM,CAAC;AACrC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAE9B;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAuB,EACvB,UAA0B,EAAE;IAE5B,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,IAAI,qBAAqB,CAAC;IAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAC,CAAC;IAC1E,IAAI,QAAQ,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvD,IAAI,sBAAsB,CAAC,QAAQ,CAAC,IAAI,MAAM;QAAE,OAAO,QAAQ,CAAC;IAEhE,oEAAoE;IACpE,MAAM,IAAI,GAAkB,EAAE,CAAC;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACvB,KAAK,GAAG,CAAC,CAAC;IACZ,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IACpE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEzC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7D,CAAC;aAAM,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACvC,IAAI,IAAI;gBAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;aAAM,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC,kBAAkB,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAgB;QACxB,IAAI,EAAE,QAAQ;QACd,OAAO,EACL,6JAA6J;YAC7J,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;KACrB,CAAC;IAEF,OAAO,CAAC,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,QAAgB;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,OAAO,CAAC,MAAM,IAAI,QAAQ;QAAE,OAAO,OAAO,CAAC;IAC/C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC;AAC9C,CAAC"}

package/dist/agent/runner.d.ts

@@ -1,4 +1,13 @@
 import type { ChatMessage, ProviderId, ToolCall, ToolResult } from "../types.js";
+export interface SessionPolicy {
+    /** Tools the user authorized once during this REPL session. Not persisted. */
+    allow: Set<string>;
+    /** Mutable flag so the runner can flip pentest auth for this session only. */
+    pentestAuthorized: {
+        value: boolean;
+    };
+}
+export declare function createSessionPolicy(): SessionPolicy;
 export interface AgentRunOptions {
     provider?: ProviderId | undefined;
     model?: string | undefined;
@@ -8,6 +17,17 @@ export interface AgentRunOptions {
     signal?: AbortSignal | undefined;
     onToolStart?: ((call: ToolCall) => void) | undefined;
     onToolResult?: ((call: ToolCall, result: ToolResult) => void) | undefined;
+    session?: SessionPolicy | undefined;
+}
+export interface ParseToolCallOptions {
+    /**
+     * When true, only formats that are explicitly tool-call delimited are
+     * accepted: ```tool fenced JSON, <tool_call> XML, and the Kimi sentinel
+     * token format. Loose formats (any fenced block, heading-prefix, trailing
+     * JSON) are dropped — useful when models routinely emit JSON examples in
+     * prose. Default is `false` so existing free-tier models keep working.
+     */
+    strict?: boolean | undefined;
 }
-export declare function parseToolCall(text: string): ToolCall | undefined;
+export declare function parseToolCall(text: string, options?: ParseToolCallOptions): ToolCall | undefined;
 export declare function runAgentLoop(prompt: string, options?: AgentRunOptions): Promise<string>;