@pheem49/mint 1.5.0 → 1.5.2

package/src/System/granular_automation.js

@@ -1,88 +1,157 @@
-const { exec } = require('child_process');
+const { execFile, spawnSync } = require('child_process');
 const { screen } = require('electron');
 
-/**
- * GranularAutomation handles low-level OS input via xdotool.
- * It uses a normalized coordinate system (0-1000).
- */
+function commandExists(command) {
+    const lookup = process.platform === 'win32' ? 'where' : 'which';
+    const result = spawnSync(lookup, [command], { encoding: 'utf8', shell: false });
+    return result.status === 0;
+}
+
+function run(command, args = []) {
+    return new Promise((resolve, reject) => {
+        execFile(command, args, (err, stdout, stderr) => {
+            if (err) {
+                err.stderr = stderr;
+                reject(err);
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+
+function unsupported(feature) {
+    throw new Error(`${feature} is not supported on ${process.platform} by the current input automation provider.`);
+}
+
+function escapePowerShellSingleQuoted(value) {
+    return String(value || '').replace(/'/g, "''");
+}
+
+function keyToMacKey(key) {
+    const value = String(key || '').trim();
+    const map = {
+        Enter: 'return',
+        Return: 'return',
+        Escape: 'escape',
+        Esc: 'escape',
+        Space: 'space',
+        Backspace: 'delete',
+        Delete: 'forward delete',
+        Tab: 'tab'
+    };
+    return map[value] || value;
+}
+
 class GranularAutomation {
     constructor() {
-        this.screenWidth = 1920; // Default fallback
+        this.screenWidth = 1920;
         this.screenHeight = 1080;
         this.updateScreenSize();
     }
 
     updateScreenSize() {
         try {
-            // In Electron main process, we can use the screen module
             const primaryDisplay = screen.getPrimaryDisplay();
             if (primaryDisplay && primaryDisplay.size) {
                 this.screenWidth = primaryDisplay.size.width;
                 this.screenHeight = primaryDisplay.size.height;
-                console.log(`[Automation] Screen detected: ${this.screenWidth}x${this.screenHeight}`);
             }
-        } catch (e) {
-            // Fallback for CLI or cases where screen module is unavailable
-            exec('xdpyinfo | grep dimensions', (err, stdout) => {
-                if (!err && stdout) {
-                    const match = stdout.match(/(\d+)x(\d+) pixels/);
-                    if (match) {
-                        this.screenWidth = parseInt(match[1]);
-                        this.screenHeight = parseInt(match[2]);
-                        console.log(`[Automation] Screen detected via xdpyinfo: ${this.screenWidth}x${this.screenHeight}`);
-                    }
-                }
-            });
+        } catch (_) {
+            // Electron screen can be unavailable in CLI-only contexts.
         }
     }
 
     scaleX(x) {
-        return Math.round((x / 1000) * this.screenWidth);
+        return Math.round((Number(x) / 1000) * this.screenWidth);
     }
 
     scaleY(y) {
-        return Math.round((y / 1000) * this.screenHeight);
+        return Math.round((Number(y) / 1000) * this.screenHeight);
     }
 
-    run(command) {
-        return new Promise((resolve, reject) => {
-            exec(command, (err, stdout, stderr) => {
-                if (err) {
-                    console.error(`[Automation] xdotool error: ${stderr}`);
-                    reject(err);
-                } else {
-                    resolve(stdout);
-                }
-            });
-        });
+    provider() {
+        if (process.platform === 'darwin') return macProvider;
+        if (process.platform === 'win32') return windowsProvider;
+        return linuxProvider;
     }
 
-    async mouseMove(x, y) {
-        const sx = this.scaleX(x);
-        const sy = this.scaleY(y);
-        console.log(`[Automation] Moving mouse to ${sx}, ${sy}`);
-        return this.run(`xdotool mousemove ${sx} ${sy}`);
+    mouseMove(x, y) {
+        return this.provider().mouseMove(this.scaleX(x), this.scaleY(y));
     }
 
-    async mouseClick(x, y, button = 1) {
-        const sx = this.scaleX(x);
-        const sy = this.scaleY(y);
-        console.log(`[Automation] Clicking ${button} at ${sx}, ${sy}`);
-        // move first then click to be safe
-        return this.run(`xdotool mousemove ${sx} ${sy} click ${button}`);
+    mouseClick(x, y, button = 1) {
+        return this.provider().mouseClick(this.scaleX(x), this.scaleY(y), button);
     }
 
-    async typeText(text) {
-        console.log(`[Automation] Typing: ${text}`);
-        // Escape double quotes for shell
-        const escaped = text.replace(/"/g, '\\"');
-        return this.run(`xdotool type "${escaped}"`);
+    typeText(text) {
+        return this.provider().typeText(String(text || ''));
     }
 
-    async keyTap(key) {
-        console.log(`[Automation] Key tap: ${key}`);
-        return this.run(`xdotool key "${key}"`);
+    keyTap(key) {
+        return this.provider().keyTap(String(key || ''));
     }
 }
 
-module.exports = new GranularAutomation();
+const linuxProvider = {
+    mouseMove: (x, y) => run('xdotool', ['mousemove', String(x), String(y)]),
+    mouseClick: (x, y, button = 1) => run('xdotool', ['mousemove', String(x), String(y), 'click', String(button)]),
+    typeText: (text) => run('xdotool', ['type', text]),
+    keyTap: (key) => run('xdotool', ['key', key])
+};
+
+const macProvider = {
+    mouseMove(x, y) {
+        if (!commandExists('cliclick')) return unsupported('Mouse move');
+        return run('cliclick', [`m:${x},${y}`]);
+    },
+    mouseClick(x, y) {
+        if (!commandExists('cliclick')) return unsupported('Mouse click');
+        return run('cliclick', [`c:${x},${y}`]);
+    },
+    typeText(text) {
+        if (commandExists('cliclick')) return run('cliclick', [`t:${text}`]);
+        return run('osascript', ['-e', `tell application "System Events" to keystroke ${JSON.stringify(text)}`]);
+    },
+    keyTap(key) {
+        const macKey = keyToMacKey(key);
+        if (commandExists('cliclick')) return run('cliclick', [`kp:${macKey}`]);
+        if (macKey.length === 1) {
+            return run('osascript', ['-e', `tell application "System Events" to keystroke ${JSON.stringify(macKey)}`]);
+        }
+        return unsupported('Special key tap without cliclick');
+    }
+};
+
+const windowsProvider = {
+    mouseMove(x, y) {
+        const script = `[void][Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point(${x}, ${y})`;
+        return run('powershell.exe', ['-NoProfile', '-NonInteractive', '-Command', script]);
+    },
+    mouseClick(x, y, button = 1) {
+        const down = Number(button) === 2 ? '0x0008' : '0x0002';
+        const up = Number(button) === 2 ? '0x0010' : '0x0004';
+        const script = [
+            "Add-Type -MemberDefinition '[DllImport(\"user32.dll\")] public static extern bool SetCursorPos(int X,int Y); [DllImport(\"user32.dll\")] public static extern void mouse_event(int dwFlags,int dx,int dy,int dwData,int dwExtraInfo);' -Name NativeMouse -Namespace Mint;",
+            `[Mint.NativeMouse]::SetCursorPos(${x}, ${y}) | Out-Null;`,
+            `[Mint.NativeMouse]::mouse_event(${down},0,0,0,0);`,
+            `[Mint.NativeMouse]::mouse_event(${up},0,0,0,0);`
+        ].join(' ');
+        return run('powershell.exe', ['-NoProfile', '-NonInteractive', '-Command', script]);
+    },
+    typeText(text) {
+        const safe = escapePowerShellSingleQuoted(text);
+        const script = `Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait('${safe}')`;
+        return run('powershell.exe', ['-NoProfile', '-NonInteractive', '-Command', script]);
+    },
+    keyTap(key) {
+        const safe = escapePowerShellSingleQuoted(key);
+        const script = `Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait('{${safe}}')`;
+        return run('powershell.exe', ['-NoProfile', '-NonInteractive', '-Command', script]);
+    }
+};
+
+const instance = new GranularAutomation();
+instance._providers = { linuxProvider, macProvider, windowsProvider, commandExists };
+
+module.exports = instance;

package/src/System/optional_require.js

@@ -0,0 +1,23 @@
+'use strict';
+
+/**
+ * Helper: ลอง require package แบบ dynamic
+ * ถ้าหาไม่เจอให้ throw Error พร้อม install guide
+ */
+function requireOptional(pkg, installHint) {
+    try {
+        return require(pkg);
+    } catch (e) {
+        if (e.code === 'MODULE_NOT_FOUND') {
+            const hint = installHint || `npm install ${pkg}`;
+            throw new Error(
+                `[Mint] Optional package "${pkg}" is not installed.\n` +
+                `To use this feature, run: ${hint}\n` +
+                `(This package is not bundled by default to keep Mint lightweight.)`
+            );
+        }
+        throw e;
+    }
+}
+
+module.exports = { requireOptional };

package/src/System/proactive_loop.js

@@ -1,10 +1,24 @@
 const { BrowserWindow, desktopCapturer, screen, powerMonitor } = require('electron');
 const path = require('path');
-const { analyzeAndSuggest } = require('../AI_Brain/proactive_engine');
-const { recordBehavior, getBehaviorSummary } = require('../AI_Brain/behavior_memory');
 
 const IDLE_THRESHOLD_SEC = 300;
 
+let proactiveEngine = null;
+function getProactiveEngine() {
+    if (!proactiveEngine) {
+        proactiveEngine = require('../AI_Brain/proactive_engine');
+    }
+    return proactiveEngine;
+}
+
+let behaviorMemory = null;
+function getBehaviorMemory() {
+    if (!behaviorMemory) {
+        behaviorMemory = require('../AI_Brain/behavior_memory');
+    }
+    return behaviorMemory;
+}
+
 function createProactiveLoop({ app, projectRoot, readConfig, getMainWindow }) {
     let proactiveGlowWindow = null;
     let proactiveIntervalHandle = null;
@@ -29,6 +43,8 @@ function createProactiveLoop({ app, projectRoot, readConfig, getMainWindow }) {
             if (!primarySource || !primarySource.thumbnail) return;
 
             const base64Image = primarySource.thumbnail.toJPEG(60).toString('base64');
+            const { analyzeAndSuggest } = getProactiveEngine();
+            const { recordBehavior, getBehaviorSummary } = getBehaviorMemory();
             const result = await analyzeAndSuggest(base64Image, getBehaviorSummary());
 
             if (result && result.message && Array.isArray(result.suggestions)) {
@@ -130,7 +146,7 @@ function createProactiveLoop({ app, projectRoot, readConfig, getMainWindow }) {
         stop,
         startIdleWatcher,
         isRunning: () => Boolean(proactiveIntervalHandle),
-        recordBehavior
+        recordBehavior: (...args) => getBehaviorMemory().recordBehavior(...args)
     };
 }
 

package/src/System/safety_manager.js

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
+const { readConfig } = require('./config_manager');
 
 const TIERS = Object.freeze({
     SAFE: 'safe',
@@ -40,6 +41,7 @@ const SAFE_ACTIONS = new Set([
     'clipboard_write',
     'learn_file',
     'learn_folder',
+    'system_info',
     'mcp_tool',
     'mouse_move',
     'mouse_click',
@@ -56,6 +58,103 @@ function normalizeCommand(command) {
     return String(command || '').replace(/\s+/g, ' ').trim();
 }
 
+function expandHome(targetPath) {
+    const value = String(targetPath || '');
+    if (value === '~') return os.homedir();
+    if (value.startsWith('~/')) return path.join(os.homedir(), value.slice(2));
+    return value;
+}
+
+function normalizeRootList(paths) {
+    return (Array.isArray(paths) ? paths : [])
+        .filter(Boolean)
+        .map((entry) => path.resolve(expandHome(entry)));
+}
+
+function getPolicy(config = readConfig()) {
+    const enabled = config.safetyEnabled !== false;
+    const fallbackRead = [
+        os.homedir(),
+        process.cwd(),
+        path.join(os.homedir(), 'Desktop'),
+        path.join(os.homedir(), 'Documents'),
+        path.join(os.homedir(), 'Downloads'),
+        path.join(os.homedir(), 'Pictures'),
+        path.join(os.homedir(), 'Music'),
+        path.join(os.homedir(), 'Videos')
+    ];
+    const fallbackWrite = [
+        os.homedir(),
+        process.cwd(),
+        path.join(os.homedir(), 'Desktop'),
+        path.join(os.homedir(), 'Documents'),
+        path.join(os.homedir(), 'Downloads'),
+        path.join(os.homedir(), 'Pictures'),
+        path.join(os.homedir(), 'Music'),
+        path.join(os.homedir(), 'Videos')
+    ];
+
+    return {
+        enabled,
+        sandboxMode: ['off', 'prefer', 'enforce'].includes(config.sandboxMode) ? config.sandboxMode : 'prefer',
+        sandboxCommand: config.sandboxCommand || (process.platform === 'darwin' ? 'sandbox-exec' : process.platform === 'linux' ? 'bwrap' : ''),
+        allowedReadPaths: normalizeRootList(config.allowedReadPaths && config.allowedReadPaths.length ? config.allowedReadPaths : fallbackRead),
+        allowedWritePaths: normalizeRootList(config.allowedWritePaths && config.allowedWritePaths.length ? config.allowedWritePaths : fallbackWrite),
+        blockedPaths: normalizeRootList(config.blockedPaths || []),
+        blockedFileNames: new Set(Array.isArray(config.blockedFileNames) ? config.blockedFileNames : ['.env', 'id_rsa', 'id_ed25519'])
+    };
+}
+
+function isPathWithin(root, targetPath) {
+    const relative = path.relative(root, targetPath);
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+
+function resolveCapabilityPath(targetPath, options = {}) {
+    if (!targetPath) throw new Error('Target path is required.');
+
+    const expanded = expandHome(targetPath);
+    if (path.isAbsolute(expanded)) return path.resolve(expanded);
+
+    const firstPart = String(expanded).split(/[/\\]/)[0];
+    const commonHomeFolders = new Set(['Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos']);
+    if (commonHomeFolders.has(firstPart)) {
+        return path.resolve(os.homedir(), expanded);
+    }
+
+    const base = options.defaultBase || process.cwd();
+    return path.resolve(base, expanded);
+}
+
+function assertPathCapability(targetPath, capability = 'read', options = {}) {
+    const policy = getPolicy(options.config);
+    const resolved = resolveCapabilityPath(targetPath, options);
+
+    if (!policy.enabled) return resolved;
+
+    if (policy.blockedFileNames.has(path.basename(resolved))) {
+        throw new Error(`Blocked ${capability} access to sensitive file name: ${path.basename(resolved)}`);
+    }
+
+    const blockedRoot = policy.blockedPaths.find((root) => isPathWithin(root, resolved));
+    if (blockedRoot) {
+        throw new Error(`Blocked ${capability} access to protected path: ${resolved}`);
+    }
+
+    const allowedRoots = capability === 'write' ? policy.allowedWritePaths : policy.allowedReadPaths;
+    const allowed = allowedRoots.some((root) => isPathWithin(root, resolved));
+    if (!allowed) {
+        throw new Error(`Path ${capability} denied by capability policy: ${resolved}`);
+    }
+
+    return resolved;
+}
+
+function getAllowedRoots(capability = 'read', options = {}) {
+    const policy = getPolicy(options.config);
+    return capability === 'write' ? policy.allowedWritePaths : policy.allowedReadPaths;
+}
+
 function classifyShellCommand(command) {
     const normalized = normalizeCommand(command);
     if (!normalized) {
@@ -105,6 +204,7 @@ function classifyAction(action = {}) {
 function assertActionAllowed(action, options = {}) {
     const classification = classifyAction(action);
     const allowDangerous = options.allowDangerous === true;
+    const allowApproval = options.allowApproval === true;
 
     if (classification.tier === TIERS.BLOCKED) {
         throw new Error(`Blocked action (${classification.reason}): ${action.type}`);
@@ -114,6 +214,10 @@ function assertActionAllowed(action, options = {}) {
         throw new Error(`Dangerous action requires explicit permission (${classification.reason}): ${action.type}`);
     }
 
+    if (classification.tier === TIERS.APPROVAL && !allowApproval) {
+        throw new Error(`Action requires approval (${classification.reason}): ${action.type}`);
+    }
+
     return classification;
 }
 
@@ -156,10 +260,14 @@ function appendActionLog(entry, options = {}) {
 
 module.exports = {
     TIERS,
+    getPolicy,
+    getAllowedRoots,
     classifyShellCommand,
     assertShellCommandAllowed,
     classifyAction,
     assertActionAllowed,
+    assertPathCapability,
+    resolveCapabilityPath,
     resolveWithinRoot,
     appendActionLog
 };

package/src/System/sandbox_runner.js

@@ -0,0 +1,182 @@
+const { execFile, spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const safetyManager = require('./safety_manager');
+
+function commandExists(command) {
+    const lookup = process.platform === 'win32' ? 'where' : 'which';
+    const result = spawnSync(lookup, [command], { encoding: 'utf8', shell: false });
+    return result.status === 0;
+}
+
+function uniqueExistingRoots(roots) {
+    return Array.from(new Set((roots || [])
+        .filter(Boolean)
+        .map((root) => path.resolve(root))
+        .filter((root) => fs.existsSync(root))));
+}
+
+function buildBubblewrapArgs(command, options = {}) {
+    const cwd = path.resolve(options.cwd || process.cwd());
+    const readRoots = uniqueExistingRoots(safetyManager.getAllowedRoots('read'));
+    const writeRoots = uniqueExistingRoots(safetyManager.getAllowedRoots('write'));
+    const writableSet = new Set(writeRoots);
+    const bindRoots = uniqueExistingRoots([cwd, ...readRoots, ...writeRoots]);
+
+    const args = [
+        '--die-with-parent',
+        '--proc', '/proc',
+        '--dev', '/dev',
+        '--tmpfs', '/tmp',
+        '--ro-bind', '/usr', '/usr',
+        '--ro-bind', '/bin', '/bin',
+        '--ro-bind', '/etc', '/etc'
+    ];
+
+    for (const libPath of ['/lib', '/lib64']) {
+        if (fs.existsSync(libPath)) args.push('--ro-bind', libPath, libPath);
+    }
+
+    const parentDirs = new Set();
+    for (const root of bindRoots) {
+        let current = path.dirname(root);
+        while (current && current !== path.dirname(current)) {
+            parentDirs.add(current);
+            current = path.dirname(current);
+        }
+    }
+    for (const dir of Array.from(parentDirs).sort((a, b) => a.length - b.length)) {
+        if (!['/usr', '/bin', '/etc', '/lib', '/lib64'].includes(dir)) {
+            args.push('--dir', dir);
+        }
+    }
+
+    for (const root of bindRoots) {
+        const flag = writableSet.has(root) || root === cwd ? '--bind' : '--ro-bind';
+        args.push(flag, root, root);
+    }
+
+    args.push('--chdir', cwd, 'bash', '-lc', command);
+    return args;
+}
+
+function escapeSandboxProfileString(value) {
+    return String(value || '').replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+
+function buildMacSandboxProfile(options = {}) {
+    const cwd = path.resolve(options.cwd || process.cwd());
+    const readRoots = uniqueExistingRoots(safetyManager.getAllowedRoots('read'));
+    const writeRoots = uniqueExistingRoots(safetyManager.getAllowedRoots('write'));
+    const allowedRead = uniqueExistingRoots([
+        cwd,
+        '/bin',
+        '/sbin',
+        '/usr',
+        '/System',
+        '/Library',
+        ...readRoots,
+        ...writeRoots
+    ]);
+    const allowedWrite = uniqueExistingRoots([cwd, ...writeRoots]);
+
+    const readRules = allowedRead.map((root) => `  (subpath "${escapeSandboxProfileString(root)}")`).join('\n');
+    const writeRules = allowedWrite.map((root) => `  (subpath "${escapeSandboxProfileString(root)}")`).join('\n');
+
+    return [
+        '(version 1)',
+        '(deny default)',
+        '(allow process*)',
+        '(allow sysctl-read)',
+        '(allow signal (target self))',
+        '(allow file-read-metadata)',
+        '(allow file-read*',
+        readRules,
+        ')',
+        '(allow file-write*',
+        writeRules,
+        `  (subpath "${escapeSandboxProfileString(os.tmpdir())}")`,
+        ')'
+    ].join('\n');
+}
+
+function getShellInvocation(command) {
+    if (process.platform === 'win32') {
+        return {
+            command: 'powershell.exe',
+            args: ['-NoLogo', '-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-Command', command]
+        };
+    }
+    return {
+        command: 'bash',
+        args: ['-lc', command]
+    };
+}
+
+function execFilePromise(command, args, options = {}) {
+    return new Promise((resolve, reject) => {
+        execFile(command, args, options, (error, stdout, stderr) => {
+            if (error) {
+                error.stdout = stdout;
+                error.stderr = stderr;
+                reject(error);
+                return;
+            }
+            resolve({ stdout, stderr });
+        });
+    });
+}
+
+async function runShell(command, options = {}) {
+    const policy = safetyManager.getPolicy();
+    safetyManager.assertShellCommandAllowed(command);
+
+    const cwd = path.resolve(options.cwd || process.cwd());
+    const execOptions = {
+        cwd,
+        maxBuffer: options.maxBuffer || 1024 * 1024 * 4,
+        env: options.env || process.env
+    };
+
+    if (!policy.enabled || policy.sandboxMode === 'off') {
+        const shell = getShellInvocation(command);
+        return execFilePromise(shell.command, shell.args, execOptions);
+    }
+
+    const sandboxCommand = policy.sandboxCommand || 'bwrap';
+    if (process.platform === 'linux' && commandExists(sandboxCommand)) {
+        return execFilePromise(sandboxCommand, buildBubblewrapArgs(command, { cwd }), execOptions);
+    }
+
+    if (process.platform === 'darwin' && commandExists('sandbox-exec')) {
+        return execFilePromise('sandbox-exec', ['-p', buildMacSandboxProfile({ cwd }), 'bash', '-lc', command], execOptions);
+    }
+
+    if (policy.sandboxMode === 'enforce') {
+        const hint = process.platform === 'darwin'
+            ? "macOS sandbox-exec is not available."
+            : process.platform === 'win32'
+                ? 'Windows sandbox provider is not configured. Use WSL/containers or set sandboxMode to prefer.'
+                : `Sandbox command '${sandboxCommand}' is not available.`;
+        throw new Error(`Sandbox is enforced but no sandbox provider could run. ${hint}`);
+    }
+
+    safetyManager.appendActionLog({
+        source: options.source || 'sandbox_runner',
+        action: 'sandbox_fallback',
+        sandboxCommand,
+        platform: process.platform,
+        cwd
+    });
+    const shell = getShellInvocation(command);
+    return execFilePromise(shell.command, shell.args, execOptions);
+}
+
+module.exports = {
+    runShell,
+    buildBubblewrapArgs,
+    buildMacSandboxProfile,
+    getShellInvocation,
+    commandExists
+};