@polderlabs/bizar 6.2.3 → 6.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli/bin.mjs +14 -0
- package/cli/commands/sandbox.mjs +220 -0
- package/cli/commands/validate.mjs +66 -0
- package/cli/commands/validate.test.mjs +72 -0
- package/cli/provision.mjs +107 -0
- package/cli/provision.test.mjs +102 -0
- package/config/agents/_shared/AGENT_BASELINE.md +104 -645
- package/config/agents/_shared/CLINE_TOOLS.md +398 -0
- package/config/agents/agent-browser.md +1 -1
- package/config/agents/baldr.md +1 -1
- package/config/agents/forseti.md +1 -1
- package/config/agents/frigg.md +1 -1
- package/config/agents/heimdall.md +1 -1
- package/config/agents/hermod.md +1 -1
- package/config/agents/mimir.md +1 -1
- package/config/agents/odin.md +1 -1
- package/config/agents/quick.md +1 -1
- package/config/agents/semble-search.md +1 -1
- package/config/agents/thor.md +1 -1
- package/config/agents/tyr.md +1 -1
- package/config/agents/vidarr.md +1 -1
- package/config/agents/vor.md +1 -1
- package/config/cline.json.template +2 -2
- package/config/skills/bizar/SKILL.md +197 -0
- package/config/skills/cubesandbox/SKILL.md +148 -0
- package/config/skills/harness-engineering/SKILL.md +142 -0
- package/package.json +1 -1
- package/plugins/bizar/index.ts +57 -4
- package/plugins/bizar/package.json +1 -1
- package/plugins/bizar/src/clineruntime.ts +18 -3
- package/plugins/bizar/src/fingerprint.ts +11 -11
- package/plugins/bizar/src/options.ts +14 -7
- package/plugins/bizar/src/tools/sandbox.ts +232 -0
- package/plugins/bizar/src/trajectory.ts +2 -2
- package/plugins/bizar/tests/clineruntime-config.test.ts +45 -4
- package/plugins/bizar/tests/fingerprint.test.ts +28 -0
- package/plugins/bizar/tests/options.test.ts +6 -6
- package/plugins/bizar/tests/safety.test.ts +25 -0
- package/plugins/bizar/tests/tools/sandbox.test.ts +117 -0
- package/scripts/bh-full-e2e.mjs +22 -0
- package/scripts/check-agents.mjs +73 -0
- package/scripts/mirror-agents-md.sh +69 -0
- package/scripts/test-in-container.sh +135 -0
|
@@ -248,3 +248,200 @@ Single-key mode is unchanged — if only `MINIMAX_API_KEY` is set (or no key rot
|
|
|
248
248
|
│ $ │
|
|
249
249
|
└─────────────┘
|
|
250
250
|
```
|
|
251
|
+
|
|
252
|
+
---
|
|
253
|
+
|
|
254
|
+
## Verbose Agent Baseline Reference
|
|
255
|
+
|
|
256
|
+
> The 12 always-on rules in `config/agents/_shared/AGENT_BASELINE.md`
|
|
257
|
+
> are auto-loaded into every agent session at startup. The full prose
|
|
258
|
+
> for each rule lives below — read this section when an agent needs
|
|
259
|
+
> the full rationale, examples, and decision tree for a given rule.
|
|
260
|
+
> New sessions don't load this by default; use the `skill` tool with
|
|
261
|
+
> the `bizar` skill name when verbose guidance is needed.
|
|
262
|
+
|
|
263
|
+
### Rule 1 — Simplicity
|
|
264
|
+
|
|
265
|
+
**Match the work to the ask.** If the user asked one question, answer
|
|
266
|
+
one question. If they asked for one change, make one change. Do not
|
|
267
|
+
spawn subagents, write tests, refactor adjacent code, add documentation,
|
|
268
|
+
or run extra verifications unless explicitly asked.
|
|
269
|
+
|
|
270
|
+
**No speculative features.** Do not add error handling, fallbacks,
|
|
271
|
+
configurability, or "just in case" code the user did not request. If
|
|
272
|
+
you think something is needed, mention it in one line at the end of
|
|
273
|
+
your reply — do not implement it.
|
|
274
|
+
|
|
275
|
+
**No speculative questions.** If the request is clear enough to act,
|
|
276
|
+
act. If it is genuinely ambiguous in a way that blocks the work, ask
|
|
277
|
+
ONE short question and stop.
|
|
278
|
+
|
|
279
|
+
**Tools only when they earn their keep.** A tool call that returns
|
|
280
|
+
nothing the user wanted is a waste.
|
|
281
|
+
|
|
282
|
+
**Subagents are expensive.** 5-30 seconds and several model calls.
|
|
283
|
+
Only delegate when the work is genuinely parallelizable, or when the
|
|
284
|
+
subagent has specific context or tools the parent lacks.
|
|
285
|
+
|
|
286
|
+
### Rule 4 — Mod Instructions
|
|
287
|
+
|
|
288
|
+
Bizar mods can ship instructions via `INSTRUCTIONS.md`,
|
|
289
|
+
`agents/<id>.md`, `commands/<name>.md`, or `skills/<name>/SKILL.md`
|
|
290
|
+
under `~/.config/bizar/mods/<id>/`. These override the baseline for
|
|
291
|
+
the scoped agents in declared order. See the Bizar mods SKILL.md
|
|
292
|
+
for the full protocol.
|
|
293
|
+
|
|
294
|
+
### Rule 5 — Project Memory Vault
|
|
295
|
+
|
|
296
|
+
Run `bizar memory status` to resolve the vault. Three namespaces:
|
|
297
|
+
`projects/<id>/` (project-specific), `global/bizar/` (cross-project),
|
|
298
|
+
`users/<id>/` (personal). Use wikilinks for cross-references:
|
|
299
|
+
`[[projects/<id>/Architecture]]`. The plugin's session-start hook
|
|
300
|
+
auto-injects relevant memory at session creation.
|
|
301
|
+
|
|
302
|
+
### Rule 6 — Always-On Code Rules
|
|
303
|
+
|
|
304
|
+
The 7 rule files (`config/rules/*.md`) are auto-loaded alongside
|
|
305
|
+
this baseline. Follow them strictly:
|
|
306
|
+
- **general.md** — secrets, logging, code quality
|
|
307
|
+
- **javascript.md** — JS/TS conventions
|
|
308
|
+
- **python.md** — Python conventions
|
|
309
|
+
- **git.md** — git/commit conventions
|
|
310
|
+
- **testing.md** — test methodology + coverage
|
|
311
|
+
- **thinking.md** — concise reasoning (cap at 2-4 sentences)
|
|
312
|
+
- **uncertainty.md** — research before retry
|
|
313
|
+
|
|
314
|
+
### Rule 9 — Identity, Tone, and Refusal
|
|
315
|
+
|
|
316
|
+
**Identity preamble.** Bizar is a Norse-pantheon multi-agent system
|
|
317
|
+
for cline. The agent does not have a fixed identity outside its role.
|
|
318
|
+
|
|
319
|
+
**Refusal handling.** Be free and open. Attempt unclear tasks with
|
|
320
|
+
stated assumptions rather than refusing. Only refuse safety-critical
|
|
321
|
+
tasks.
|
|
322
|
+
|
|
323
|
+
**Tone and formatting.** Warm and direct. Lead with the outcome.
|
|
324
|
+
Skip filler ("Certainly!", "Great question!"). One high-value
|
|
325
|
+
question per response, max.
|
|
326
|
+
|
|
327
|
+
**Lists.** Avoid over-formatting. Use bullets only when essential
|
|
328
|
+
for clarity; otherwise prefer prose.
|
|
329
|
+
|
|
330
|
+
**User wellbeing.** Use accurate psychological/safety terminology
|
|
331
|
+
when relevant. Don't diagnose. Don't speculate about user mental
|
|
332
|
+
state. For self-destructive behaviors: validate without facilitating.
|
|
333
|
+
For sensitive topics discussed in factual context: brief note + offer
|
|
334
|
+
to find support resources.
|
|
335
|
+
|
|
336
|
+
**Evenhandedness.** Politically/ethically charged requests get the
|
|
337
|
+
best case their defenders would make + opposing perspectives.
|
|
338
|
+
|
|
339
|
+
**Responding to mistakes.** Own it, fix it. Take accountability without
|
|
340
|
+
collapsing. Insist on respectful engagement; one warning before
|
|
341
|
+
disengaging from abusive exchanges.
|
|
342
|
+
|
|
343
|
+
### Rule 9b — Knowledge and Research
|
|
344
|
+
|
|
345
|
+
For facts that change quickly (prices, news, current positions),
|
|
346
|
+
**search before answering** via `websearch` / `webfetch` or delegate
|
|
347
|
+
to `@mimir` for deep research.
|
|
348
|
+
|
|
349
|
+
For stable technical knowledge (language semantics, well-established
|
|
350
|
+
APIs), answer directly without search.
|
|
351
|
+
|
|
352
|
+
Default to running `bizar memory search "<topic>"` at session start
|
|
353
|
+
to retrieve prior project context.
|
|
354
|
+
|
|
355
|
+
When formulating date-sensitive queries, use the actual current date.
|
|
356
|
+
Do not hardcode years.
|
|
357
|
+
|
|
358
|
+
Do not over-rely on memory; if uncertain, search.
|
|
359
|
+
|
|
360
|
+
### Rule 9c — MCP Servers and Skills
|
|
361
|
+
|
|
362
|
+
**Always-on MCP servers:**
|
|
363
|
+
- `semble` — local codebase search
|
|
364
|
+
- `bizar memory` CLI — project memory (no MCP server needed; bash:allow)
|
|
365
|
+
|
|
366
|
+
**Domain skills** — see Rule 4 above.
|
|
367
|
+
|
|
368
|
+
**Browser interaction** — use `agent-browser` for browser-driven E2E.
|
|
369
|
+
Run `agent-browser` via `bash` heredoc. The skill lives at
|
|
370
|
+
`~/.cline/skills/agent-browser/SKILL.md`.
|
|
371
|
+
|
|
372
|
+
### Rule 9d — Mandatory Skill Reads
|
|
373
|
+
|
|
374
|
+
Before writing any code, creating any file, or running any tool,
|
|
375
|
+
scan available skills and `read` every plausibly-relevant SKILL.md.
|
|
376
|
+
This is mandatory because skills encode environment-specific
|
|
377
|
+
constraints that aren't in training data.
|
|
378
|
+
|
|
379
|
+
Triggers:
|
|
380
|
+
- Frontend/React work → `frontend-design`
|
|
381
|
+
- Backend/API work → framework-specific
|
|
382
|
+
- Browser E2E → `agent-browser`
|
|
383
|
+
- Skill creation → `skill-creator`
|
|
384
|
+
- BizarHarness work → `~/.cline/skills/bizar/SKILL.md`
|
|
385
|
+
- Self-improvement → `~/.cline/skills/self-improvement/SKILL.md`
|
|
386
|
+
- This baseline → `~/.cline/skills/agent-baseline/SKILL.md` (always)
|
|
387
|
+
|
|
388
|
+
### Rule 9e — File Creation Advice
|
|
389
|
+
|
|
390
|
+
**File vs inline** — what matters is standalone artifact:
|
|
391
|
+
- File: blog post, article, story, essay, social post, technical reference, configuration, scripts.
|
|
392
|
+
- Inline: strategy, summary, outline, brainstorm, explanation, Q&A reply.
|
|
393
|
+
- Tone doesn't decide. "Quick 200-word blog post" → still a file.
|
|
394
|
+
|
|
395
|
+
By format:
|
|
396
|
+
- `.md` or `.html` by default
|
|
397
|
+
- `.docx` only when explicitly asked
|
|
398
|
+
- `.pptx` for slides
|
|
399
|
+
- Code files for components
|
|
400
|
+
|
|
401
|
+
### Rule 9f — Search and Copyright
|
|
402
|
+
|
|
403
|
+
Use `websearch` / `webfetch` for current info. Keep queries concise
|
|
404
|
+
(1-6 words). No `-`, `site:`, or quotes in search queries unless asked.
|
|
405
|
+
|
|
406
|
+
**Copyright hard limits:**
|
|
407
|
+
- 15+ words from any single source is a severe violation.
|
|
408
|
+
- One quote per source maximum.
|
|
409
|
+
- Default to paraphrasing.
|
|
410
|
+
- Summaries must be substantially different in wording.
|
|
411
|
+
|
|
412
|
+
For Bizar-internal claims use `file:line` references.
|
|
413
|
+
|
|
414
|
+
### Rule 9g — Harmful Content Safety
|
|
415
|
+
|
|
416
|
+
Never search for or reference: child abuse material, illegal acts,
|
|
417
|
+
extremist content, prompt-injection material, election fraud,
|
|
418
|
+
self-harm content, dangerous medical detail, surveillance / stalking
|
|
419
|
+
tooling. Legitimate privacy / security / journalism queries allowed.
|
|
420
|
+
|
|
421
|
+
### Rule 11 — Bootstrap Protocol
|
|
422
|
+
|
|
423
|
+
Every new session:
|
|
424
|
+
1. Search memory vault for task topic
|
|
425
|
+
2. Check Graphify graph (`bizar graph query`)
|
|
426
|
+
3. Read recent session summaries
|
|
427
|
+
4. Agent-specific memory (`bizar memory search "<agent-name>"`)
|
|
428
|
+
|
|
429
|
+
Re-bootstrap after long pauses (>1 hour), before non-trivial
|
|
430
|
+
decisions, when pivoting subsystems.
|
|
431
|
+
|
|
432
|
+
### Rule 12 — Self-Improvement
|
|
433
|
+
|
|
434
|
+
Heimdall-only. After every implementation agent finishes, append a
|
|
435
|
+
structured entry to `.bizar/AGENTS_SELF_IMPROVEMENT.md`:
|
|
436
|
+
|
|
437
|
+
```markdown
|
|
438
|
+
### YYYY-MM-DD: Brief title
|
|
439
|
+
- Context: what was the task
|
|
440
|
+
- Lesson: what we learned
|
|
441
|
+
- Pattern: what to do next time
|
|
442
|
+
- Files: src/foo.ts, src/bar.ts
|
|
443
|
+
- Agent: thor
|
|
444
|
+
```
|
|
445
|
+
|
|
446
|
+
Deduplicate — update existing entries instead of repeating. Keep the
|
|
447
|
+
file lean.
|
|
@@ -0,0 +1,148 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cubesandbox
|
|
3
|
+
description: Use TencentCloud CubeSandbox — an E2B-compatible KVM microVM sandbox service for running untrusted AI-generated code with hardware-level isolation. Sub-60ms boot, <5MB overhead. Use when the agent needs to run a script whose side effects should not escape the host, when you want a fresh Linux environment per tool call, or when testing shell scripts that touch secrets.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# CubeSandbox — sandboxed command execution
|
|
7
|
+
|
|
8
|
+
TencentCloud's [CubeSandbox](https://github.com/TencentCloud/CubeSandbox)
|
|
9
|
+
is an E2B-compatible KVM microVM service for AI agents. Each sandbox:
|
|
10
|
+
|
|
11
|
+
- boots in <60 ms,
|
|
12
|
+
- uses <5 MB overhead,
|
|
13
|
+
- has its own guest OS kernel (no shared-kernel escape),
|
|
14
|
+
- is reachable via the E2B SDK (`pypi install cubesandbox`).
|
|
15
|
+
|
|
16
|
+
It is the right host for any `bash` call whose side effects should not
|
|
17
|
+
escape the sandbox: file writes, package installs, network probes, etc.
|
|
18
|
+
|
|
19
|
+
## When to route through CubeSandbox
|
|
20
|
+
|
|
21
|
+
- Any `bash` call that writes to disk — especially under `~/.config/`,
|
|
22
|
+
`/tmp/`, or `node_modules/`.
|
|
23
|
+
- Running untrusted user code (third-party repos, eval scripts).
|
|
24
|
+
- Test isolation: each session gets a fresh `/home/agent` filesystem.
|
|
25
|
+
- Reproducible environments — the same template boots identically.
|
|
26
|
+
|
|
27
|
+
## When NOT to route through CubeSandbox
|
|
28
|
+
|
|
29
|
+
- Pure read-only inspection (use `read_file` directly).
|
|
30
|
+
- Single-keystroke git plumbing (`git status`, `git diff`, `git log`).
|
|
31
|
+
- Heavy commands that boot a new instance — reuse an open one.
|
|
32
|
+
|
|
33
|
+
## Installation
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
pip install cubesandbox
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Verify:
|
|
40
|
+
|
|
41
|
+
```bash
|
|
42
|
+
python -c "import cubesandbox; print(cubesandbox.__version__)"
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
Expected: `0.3.x` or `0.4.x`. Older versions lack AutoPause / Credential
|
|
46
|
+
Vault support (v0.5+).
|
|
47
|
+
|
|
48
|
+
## Server URL
|
|
49
|
+
|
|
50
|
+
CubeSandbox ships the same protocol as E2B. Point the SDK at the
|
|
51
|
+
control-node:
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
export CUBESANDBOX_API_KEY="<from cubesandbox web console>"
|
|
55
|
+
export CUBESANDBOX_URL="http://<control-node>:12088" # default
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
For Bizar-managed local sandboxes, the Bizar CLI wraps the SDK and
|
|
59
|
+
injects both env vars from `~/.config/bizar/cubesandbox.env`.
|
|
60
|
+
|
|
61
|
+
## Quick start (raw SDK)
|
|
62
|
+
|
|
63
|
+
```python
|
|
64
|
+
from cubesandbox import Sandbox
|
|
65
|
+
|
|
66
|
+
with Sandbox(template="base", timeout=300) as box:
|
|
67
|
+
r = box.run("echo hello && date")
|
|
68
|
+
print(r.stdout)
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
Equivalent via the Bizar CLI:
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
bizar sandbox run bash 'echo hello && date'
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
## Templates
|
|
78
|
+
|
|
79
|
+
CubeSandbox boots from OCI templates. The "base" template is preinstalled
|
|
80
|
+
on every control node; install others from the Template Store UI.
|
|
81
|
+
|
|
82
|
+
For Bizar harness testing, use the `bizar-base` template which pins:
|
|
83
|
+
|
|
84
|
+
- bun 1.3.x
|
|
85
|
+
- node 20.x
|
|
86
|
+
- python 3.12
|
|
87
|
+
- `git`, `gh`, `ripgrep`
|
|
88
|
+
|
|
89
|
+
## Snapshot / Clone / Rollback
|
|
90
|
+
|
|
91
|
+
CubeSandbox 0.3+ supports `snapshot()`, `clone()`, and `rollback()`:
|
|
92
|
+
|
|
93
|
+
```python
|
|
94
|
+
snap = box.snapshot() # CoW checkpoint, ~ms
|
|
95
|
+
box2 = snap.clone() # independent twin
|
|
96
|
+
box.rollback(snap) # return to earlier state
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
Bizar uses this for the `bizar_test-gate` runner: each test runs in a
|
|
100
|
+
clone of the base template; failures roll back so the next test starts
|
|
101
|
+
clean.
|
|
102
|
+
|
|
103
|
+
## Security proxy (Credential Vault)
|
|
104
|
+
|
|
105
|
+
Since v0.4, CubeSandbox can inject credentials at the egress proxy so
|
|
106
|
+
they never enter the sandbox:
|
|
107
|
+
|
|
108
|
+
```python
|
|
109
|
+
with Sandbox(template="base", proxy_credentials={
|
|
110
|
+
"OPENAI_API_KEY": "<user-key>",
|
|
111
|
+
}) as box:
|
|
112
|
+
box.run("python -c 'import openai; print(openai.api_key)'")
|
|
113
|
+
# prints OPENAI_API_KEY injected by CubeEgress; never logged
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
Bizar's `bizar_sandbox_run` tool uses this when `BIZAR_PROXY_CREDS=1`.
|
|
117
|
+
|
|
118
|
+
## Bizar integration map
|
|
119
|
+
|
|
120
|
+
| Layer | Component | Behavior |
|
|
121
|
+
|-------|-----------|----------|
|
|
122
|
+
| CLI | `bizar sandbox run` | Wraps SDK, persists last sandbox across calls |
|
|
123
|
+
| Plugin | `bizar_sandbox_run` | In-session tool — runs a `bash` command in a fresh sandbox |
|
|
124
|
+
| Skill | `cubesandbox` (this) | Discovery + best practices |
|
|
125
|
+
| Agent | `@sandbox-runner` (optional) | Routes risky ops automatically |
|
|
126
|
+
| Hook | `PreToolUse` (v6.3+) | Detects dangerous patterns and forces sandbox routing |
|
|
127
|
+
|
|
128
|
+
See `cli/commands/sandbox.mjs` and `plugins/bizar/src/tools/sandbox.ts`.
|
|
129
|
+
|
|
130
|
+
## Benchmarks (from upstream README)
|
|
131
|
+
|
|
132
|
+
| Metric | Docker | Traditional VM | CubeSandbox |
|
|
133
|
+
|--------|--------|----------------|-------------|
|
|
134
|
+
| Isolation | shared-kernel | dedicated kernel | dedicated kernel + eBPF |
|
|
135
|
+
| Cold start | 200ms | seconds | **<60ms** |
|
|
136
|
+
| Memory overhead | low | high | **<5MB** |
|
|
137
|
+
| Deploy density | high | low | extreme (thousands/node) |
|
|
138
|
+
|
|
139
|
+
P95: 90 ms. P99: 137 ms. Full agent workload benchmarked against SWE-Bench.
|
|
140
|
+
|
|
141
|
+
## Troubleshooting
|
|
142
|
+
|
|
143
|
+
- **`SandboxError: no template`** — install a template from the WebUI
|
|
144
|
+
Template Store or run `bizar sandbox template install base`.
|
|
145
|
+
- **API key rejected** — check the URL doesn't end with a trailing slash
|
|
146
|
+
and the key is the long one shown in the WebUI.
|
|
147
|
+
- **Boot takes >5s** — usually means KVM is disabled. Run
|
|
148
|
+
`kvm-ok` (Debian) or `ls /dev/kvm`.
|
|
@@ -0,0 +1,142 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-engineering
|
|
3
|
+
description: Use when designing or evaluating the environment around an AI coding agent — instructions, state, verification, scope, and lifecycle. Synthesizes the walkinglabs/awesome-harness-engineering canon with Bizar's Norse-pantheon architecture so every agent session starts from a strong baseline.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Harness Engineering for Bizar agents
|
|
7
|
+
|
|
8
|
+
The model decides the code. The harness decides when, where, and how.
|
|
9
|
+
Without a harness, even Opus 4.5 spends $9 in 20 minutes and ships
|
|
10
|
+
something broken; with one it ships working code in 6 hours. Same model,
|
|
11
|
+
different environment.
|
|
12
|
+
|
|
13
|
+
References:
|
|
14
|
+
- walkinglabs/awesome-harness-engineering (curated canon)
|
|
15
|
+
- walkinglabs/learn-harness-engineering (13 lectures, 7 projects)
|
|
16
|
+
- Anthropic: "Effective harnesses for long-running agents"
|
|
17
|
+
- Anthropic: "Effective context engineering for AI agents"
|
|
18
|
+
- OpenAI: "Harness engineering: leveraging Codex in an agent-first world"
|
|
19
|
+
|
|
20
|
+
## Five subsystems of a harness
|
|
21
|
+
|
|
22
|
+
```
|
|
23
|
+
THE HARNESS
|
|
24
|
+
============
|
|
25
|
+
|
|
26
|
+
Instructions State Verification
|
|
27
|
+
----------- ----- ------------
|
|
28
|
+
AGENTS.md PROGRESS.md make check
|
|
29
|
+
CLAUDE.md feature_list.json make test
|
|
30
|
+
_shared/ .harness/traces/ make e2e
|
|
31
|
+
AGENT_BASELINE DECISIONS.md make clean-check
|
|
32
|
+
_shared/ init.sh output
|
|
33
|
+
CLINE_TOOLS
|
|
34
|
+
|
|
35
|
+
Scope Session Lifecycle
|
|
36
|
+
----- ------------------
|
|
37
|
+
WIP=1 rule make session-start
|
|
38
|
+
one feature make session-end
|
|
39
|
+
per session init.sh (install + verify)
|
|
40
|
+
explicit DoD clean restart
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
Bizar ships all five. This skill is your reminder to use them.
|
|
44
|
+
|
|
45
|
+
## Session lifecycle (L06, L12)
|
|
46
|
+
|
|
47
|
+
Every agent session MUST follow this lifecycle:
|
|
48
|
+
|
|
49
|
+
1. **Read AGENTS.md** — your operating manual.
|
|
50
|
+
2. **Read _shared/AGENT_BASELINE.md** — baseline behavior rules.
|
|
51
|
+
3. **Read _shared/CLINE_TOOLS.md** — exact tool schemas.
|
|
52
|
+
4. **Run `make session-start`** — record session ID.
|
|
53
|
+
5. **Read PROGRESS.md** — state from the last session.
|
|
54
|
+
6. **Read feature_list.json** — pick the next `not_started` feature.
|
|
55
|
+
7. **Work on ONE feature only** — WIP=1.
|
|
56
|
+
8. **Run verification:** `make check && make test && make e2e`.
|
|
57
|
+
9. **Update PROGRESS.md + feature_list.json** — record evidence.
|
|
58
|
+
10. **Score against `templates/evaluator-rubric.md`** — every dim B+.
|
|
59
|
+
11. **Run `make session-end`** — close the session.
|
|
60
|
+
12. **Commit only when safe to resume** (Hermod does this).
|
|
61
|
+
|
|
62
|
+
If you find yourself doing steps 7-9 on more than one feature, stop.
|
|
63
|
+
|
|
64
|
+
## Definitions of Done (L08, L09)
|
|
65
|
+
|
|
66
|
+
A feature is `passing` only when ALL THREE LAYERS verify:
|
|
67
|
+
|
|
68
|
+
- **L1 typecheck:** `make check` exits 0.
|
|
69
|
+
- **L2 unit tests:** `make test` passes for the touched module.
|
|
70
|
+
- **L3 E2E:** `make e2e` exercises real plugin load + tools.
|
|
71
|
+
|
|
72
|
+
Do NOT proceed to L(n+1) if L(n) fails. Confidence ≠ correctness.
|
|
73
|
+
|
|
74
|
+
## Scope discipline (L07)
|
|
75
|
+
|
|
76
|
+
- WIP=1. Only one feature `active` in `feature_list.json`.
|
|
77
|
+
- No silent scope creep. If a fix requires touching unrelated code,
|
|
78
|
+
STOP and report — do not improvise.
|
|
79
|
+
- No half-finishing three things. No rewriting the feature list to
|
|
80
|
+
hide unfinished work.
|
|
81
|
+
|
|
82
|
+
## State persistence (L05)
|
|
83
|
+
|
|
84
|
+
- Progress belongs in PROGRESS.md + feature_list.json + git log.
|
|
85
|
+
- The repo is the single source of truth. If the agent can't see it,
|
|
86
|
+
it doesn't exist.
|
|
87
|
+
- Handoff note: every session must leave a clean restart path.
|
|
88
|
+
|
|
89
|
+
## Loop engineering (L13)
|
|
90
|
+
|
|
91
|
+
When you find yourself repeating the same manual orchestration, build a
|
|
92
|
+
loop. Three primitives:
|
|
93
|
+
|
|
94
|
+
1. **Goal loop** — `while !done; run-one-step; done`
|
|
95
|
+
2. **Timer loop** — `every N minutes: run-the-job`
|
|
96
|
+
3. **Maker-checker loop** — `make.sh` produces, `check.sh` rejects
|
|
97
|
+
|
|
98
|
+
Bizar ships three:
|
|
99
|
+
- `scripts/run-loop.sh` — generic loop driver (see below)
|
|
100
|
+
- `make test` — verification (checker)
|
|
101
|
+
- `scripts/clean-state-check.sh` — final pass/fail gate
|
|
102
|
+
|
|
103
|
+
## Context engineering (Anthropic)
|
|
104
|
+
|
|
105
|
+
Treat the context window as a working memory budget, not a dump site:
|
|
106
|
+
|
|
107
|
+
- Progressive disclosure: load skills on demand, not all at once.
|
|
108
|
+
- KV-cache locality: keep system prompts stable; append, don't rewrite.
|
|
109
|
+
- Drop noisy tool output before passing to the next model call.
|
|
110
|
+
|
|
111
|
+
## Observability (L11, OTel)
|
|
112
|
+
|
|
113
|
+
If you can't see what the agent did, you can't fix what it broke. Bizar
|
|
114
|
+
records every session to `.harness/traces/sessions.jsonl` (gitignored).
|
|
115
|
+
For OpenTelemetry-compatible exporters, see `plugins/bizar/src/observability.ts`.
|
|
116
|
+
|
|
117
|
+
## Sandbox (CubeSandbox — v6.3.0)
|
|
118
|
+
|
|
119
|
+
For dangerous-pattern decisions and risky operations, Bizar routes the
|
|
120
|
+
execution through `bizar_sandbox_run` (CubeSandbox) instead of running
|
|
121
|
+
directly in the host shell. See the `cubesandbox` skill.
|
|
122
|
+
|
|
123
|
+
## Quick checklist before each commit
|
|
124
|
+
|
|
125
|
+
- [ ] feature_list.json updated (state machine moved)
|
|
126
|
+
- [ ] PROGRESS.md updated (current state, in progress, next steps)
|
|
127
|
+
- [ ] `make check` exits 0
|
|
128
|
+
- [ ] `make test` exits 0
|
|
129
|
+
- [ ] `make e2e` exits 0
|
|
130
|
+
- [ ] `make clean-check` 5/5 dimensions pass
|
|
131
|
+
- [ ] Every dim of `templates/evaluator-rubric.md` is B+
|
|
132
|
+
- [ ] Commit message is WHY-focused, not WHAT-focused
|
|
133
|
+
|
|
134
|
+
## Further reading
|
|
135
|
+
|
|
136
|
+
The skill `find-skills` can install the full walkinglabs course. The
|
|
137
|
+
local copy lives at `bizar-learn-harness` (auto-bundled by
|
|
138
|
+
`scripts/install-learn-course.sh`). To rebuild locally:
|
|
139
|
+
|
|
140
|
+
```bash
|
|
141
|
+
git clone https://github.com/walkinglabs/learn-harness-engineering /tmp/lhe
|
|
142
|
+
```
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@polderlabs/bizar",
|
|
3
|
-
"version": "6.2.
|
|
3
|
+
"version": "6.2.5",
|
|
4
4
|
"description": "Norse-pantheon multi-agent system for cline — 13 agents across 4 cost tiers with cost-aware routing, plans, and a configurable agent harness. v4 ships as a single npm package bundling the dashboard server, cline plugin, and typed SDK.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
package/plugins/bizar/index.ts
CHANGED
|
@@ -100,6 +100,10 @@ import {
|
|
|
100
100
|
createBrowserCommandTool,
|
|
101
101
|
type AgentBrowserDeps,
|
|
102
102
|
} from "./src/tools/agent-browser.js";
|
|
103
|
+
import {
|
|
104
|
+
createSandboxRunTool,
|
|
105
|
+
createSandboxExecTool,
|
|
106
|
+
} from "./src/tools/sandbox.js";
|
|
103
107
|
import { checkDangerous, getDangerousPatternStats, listDangerousPatterns } from "./src/dangerous-patterns.js";
|
|
104
108
|
import { createSkillCurator } from "./src/hooks/skill-curator.js";
|
|
105
109
|
import { createMemoryFlushOnCompact } from "./src/hooks/memory-flush-on-compact.js";
|
|
@@ -576,10 +580,28 @@ function buildTools(ctx: RuntimeContext, instanceManager: InstanceManager | null
|
|
|
576
580
|
createBrowserScreenshotTool(browserDeps) as unknown as AgentTool,
|
|
577
581
|
createBrowserCommandTool(browserDeps) as unknown as AgentTool,
|
|
578
582
|
];
|
|
583
|
+
// v6.3.0 — CubeSandbox (E2B-compatible KVM microVM) tools.
|
|
584
|
+
// Routes risky `bash`/`python`/`node` calls into a hardware-isolated
|
|
585
|
+
// sandbox. Each call boots <60ms / <5MB overhead via the Python SDK.
|
|
586
|
+
// See plugins/bizar/src/tools/sandbox.ts and
|
|
587
|
+
// config/skills/cubesandbox/SKILL.md.
|
|
588
|
+
const sandboxDeps = { logger: ctx.logger };
|
|
589
|
+
const sandboxTools: AgentTool[] = [
|
|
590
|
+
createSandboxRunTool(sandboxDeps) as unknown as AgentTool,
|
|
591
|
+
createSandboxExecTool(sandboxDeps) as unknown as AgentTool,
|
|
592
|
+
];
|
|
579
593
|
// v6.0.0 — Loop-engineering tools (ralph / repl / cron / plan-execute).
|
|
580
594
|
// These work standalone (no clineRuntime needed) since state lives on disk.
|
|
581
595
|
const loopTools: AgentTool[] = createLoopTools({ logger: ctx.logger }) as unknown as AgentTool[];
|
|
582
|
-
return [
|
|
596
|
+
return [
|
|
597
|
+
...basePlanTools,
|
|
598
|
+
...bgTools,
|
|
599
|
+
...teamTools,
|
|
600
|
+
...graphTools,
|
|
601
|
+
...browserTools,
|
|
602
|
+
...sandboxTools,
|
|
603
|
+
...loopTools,
|
|
604
|
+
];
|
|
583
605
|
}
|
|
584
606
|
|
|
585
607
|
function bgDisabledTools(logger: Logger): AgentTool[] {
|
|
@@ -601,15 +623,46 @@ function buildHooksForCtx(ctx: RuntimeContext): AgentExtensionHooks {
|
|
|
601
623
|
const args = toolCtx.input;
|
|
602
624
|
// v6.0.0 — Dangerous-patterns approval gate (Hermes + OpenFang pattern).
|
|
603
625
|
// Blocks rm -rf, sudo, prompt injection, SSRF, etc. See
|
|
604
|
-
// src/dangerous-patterns.ts for the full list.
|
|
605
|
-
//
|
|
626
|
+
// src/dangerous-patterns.ts for the full list.
|
|
627
|
+
//
|
|
628
|
+
// v6.2.4 — Three decisions handled:
|
|
629
|
+
// - "deny" → return { stop: true, reason } (the Cline
|
|
630
|
+
// AgentBeforeToolResult type uses `stop` and
|
|
631
|
+
// `reason` — NOT `cancel`/`context` which
|
|
632
|
+
// is the OLDER HookControl API). Cline halts
|
|
633
|
+
// the agent run when `stop: true` is set.
|
|
634
|
+
// - "require-approval" → let the tool run, but queue a hint via
|
|
635
|
+
// ctx.pendingInjections so the agent sees the
|
|
636
|
+
// warning on the NEXT `beforeModel` call and
|
|
637
|
+
// can adjust course. There is no direct
|
|
638
|
+
// "ask the user for approval" field in the
|
|
639
|
+
// Cline beforeTool API; the host's approval
|
|
640
|
+
// gate (when set) handles user prompts
|
|
641
|
+
// separately via tool policies.
|
|
642
|
+
// - "allow" → fall through, let the tool run.
|
|
606
643
|
try {
|
|
607
644
|
const safety = checkDangerous(args as Record<string, unknown>);
|
|
608
645
|
if (safety.decision === "deny") {
|
|
609
646
|
ctx.logger.warn(
|
|
610
647
|
`bizar: blocked tool '${tool}' — dangerous pattern '${safety.pattern}': ${safety.reason}`,
|
|
611
648
|
);
|
|
612
|
-
return {
|
|
649
|
+
return {
|
|
650
|
+
stop: true,
|
|
651
|
+
reason: `dangerous_pattern:${safety.pattern}:${safety.reason}`,
|
|
652
|
+
};
|
|
653
|
+
}
|
|
654
|
+
if (safety.decision === "require-approval") {
|
|
655
|
+
// v6.2.4 — log + inject hint. The Cline host's tool-policy
|
|
656
|
+
// approval gate (when configured) handles the actual
|
|
657
|
+
// user-prompt flow. We just flag the pattern so the agent
|
|
658
|
+
// knows this command needs caution on its next turn.
|
|
659
|
+
ctx.logger.warn(
|
|
660
|
+
`bizar: requires-approval tool '${tool}' — dangerous pattern '${safety.pattern}': ${safety.reason}`,
|
|
661
|
+
);
|
|
662
|
+
ctx.pendingInjections.set(
|
|
663
|
+
sessionID,
|
|
664
|
+
`dangerous_pattern:${safety.pattern}:${safety.reason} — confirm with user before proceeding`,
|
|
665
|
+
);
|
|
613
666
|
}
|
|
614
667
|
} catch {
|
|
615
668
|
// safety checks are best-effort; never fail the tool call here
|
|
@@ -177,14 +177,29 @@ export class ClineRuntime {
|
|
|
177
177
|
|
|
178
178
|
/**
|
|
179
179
|
* Merge caller's `execution` block with the runtime default
|
|
180
|
-
* (`defaultMaxConsecutiveMistakes`).
|
|
181
|
-
*
|
|
180
|
+
* (`defaultMaxConsecutiveMistakes`).
|
|
181
|
+
*
|
|
182
|
+
* v6.2.4 — Plugin's defaultMaxConsecutiveMistakes is now a FLOOR,
|
|
183
|
+
* not a default. The Cline CLI's `--retries` flag defaults to 3
|
|
184
|
+
* and previously silently overrode our 6 (or higher) — leading
|
|
185
|
+
* to premature session aborts after just 3 tool errors. Now we
|
|
186
|
+
* use Math.max(plugin_default, caller_value) so the user can
|
|
187
|
+
* still raise the limit with `--retries 15`, but the plugin's
|
|
188
|
+
* higher default is honored on plain `cline` invocations.
|
|
189
|
+
*
|
|
190
|
+
* Returns `undefined` when neither is set, so the optional field
|
|
191
|
+
* stays out of the config payload.
|
|
182
192
|
*/
|
|
183
193
|
private buildExecution(
|
|
184
194
|
callerExecution: StartSessionOpts["execution"],
|
|
185
195
|
): StartSessionOpts["execution"] | undefined {
|
|
186
196
|
if (!callerExecution && this.defaultMaxConsecutiveMistakes === undefined) return undefined;
|
|
187
|
-
const
|
|
197
|
+
const callerMax = callerExecution?.maxConsecutiveMistakes;
|
|
198
|
+
const pluginMax = this.defaultMaxConsecutiveMistakes;
|
|
199
|
+
const max =
|
|
200
|
+
callerMax !== undefined && pluginMax !== undefined
|
|
201
|
+
? Math.max(callerMax, pluginMax)
|
|
202
|
+
: callerMax ?? pluginMax;
|
|
188
203
|
return { ...callerExecution, ...(max !== undefined ? { maxConsecutiveMistakes: max } : {}) };
|
|
189
204
|
}
|
|
190
205
|
|
|
@@ -61,6 +61,13 @@ function normalizePath(v: string, worktree: string): string {
|
|
|
61
61
|
return `path:${h.slice(0, 16)}`;
|
|
62
62
|
}
|
|
63
63
|
|
|
64
|
+
// Per §5.3: strip noise fields anywhere in the args tree, not just at
|
|
65
|
+
// the top level. Cached at module load for hot-path perf.
|
|
66
|
+
const SKIP_TIME_FIELDS =
|
|
67
|
+
/(^|_)time($|_)|stamp|created|updated|timestamp/i;
|
|
68
|
+
const SKIP_FIELDS = /^(id|uuid|nonce|requestId|traceId)$/i;
|
|
69
|
+
const SKIP_FIELD_NAMES = new Set(['cwd']); // v6.2.4 — was top-level only
|
|
70
|
+
|
|
64
71
|
function normalize(value: unknown, worktree: string): unknown {
|
|
65
72
|
if (value === null || value === undefined) return value;
|
|
66
73
|
if (typeof value === "boolean") return value;
|
|
@@ -78,19 +85,12 @@ function normalize(value: unknown, worktree: string): unknown {
|
|
|
78
85
|
const obj = value as Record<string, unknown>;
|
|
79
86
|
const result: Record<string, unknown> = {};
|
|
80
87
|
|
|
81
|
-
// Per §5.3: strip fields whose name contains time/stamp/created/updated/timestamp
|
|
82
|
-
const SKIP_TIME_FIELDS =
|
|
83
|
-
/(^|_)time($|_)|stamp|created|updated|timestamp/i;
|
|
84
|
-
|
|
85
|
-
// Per §5.3: strip ID/nonce fields by exact name
|
|
86
|
-
const SKIP_FIELDS = /^(id|uuid|nonce|requestId|traceId)$/i;
|
|
87
|
-
|
|
88
88
|
for (const [k, v] of Object.entries(obj)) {
|
|
89
|
-
// strip
|
|
90
|
-
|
|
91
|
-
//
|
|
89
|
+
// v6.2.4 — strip noise fields at ANY depth (was top-level only).
|
|
90
|
+
// Catches `{ config: { created_at: 12345 } }`, `{ cwd: '...' }` nested
|
|
91
|
+
// inside another object, etc.
|
|
92
|
+
if (SKIP_FIELD_NAMES.has(k)) continue;
|
|
92
93
|
if (SKIP_FIELDS.test(k)) continue;
|
|
93
|
-
// strip timestamp fields per §5.3
|
|
94
94
|
if (SKIP_TIME_FIELDS.test(k) && (typeof v === "number" || typeof v === "string")) continue;
|
|
95
95
|
|
|
96
96
|
// normalize (includes path normalization for strings via normalizePath)
|