@polderlabs/bizar 6.2.3 → 6.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/cli/bin.mjs +14 -0
  2. package/cli/commands/sandbox.mjs +220 -0
  3. package/cli/commands/validate.mjs +66 -0
  4. package/cli/commands/validate.test.mjs +72 -0
  5. package/cli/provision.mjs +107 -0
  6. package/cli/provision.test.mjs +102 -0
  7. package/config/agents/_shared/AGENT_BASELINE.md +104 -645
  8. package/config/agents/_shared/CLINE_TOOLS.md +398 -0
  9. package/config/agents/agent-browser.md +1 -1
  10. package/config/agents/baldr.md +1 -1
  11. package/config/agents/forseti.md +1 -1
  12. package/config/agents/frigg.md +1 -1
  13. package/config/agents/heimdall.md +1 -1
  14. package/config/agents/hermod.md +1 -1
  15. package/config/agents/mimir.md +1 -1
  16. package/config/agents/odin.md +1 -1
  17. package/config/agents/quick.md +1 -1
  18. package/config/agents/semble-search.md +1 -1
  19. package/config/agents/thor.md +1 -1
  20. package/config/agents/tyr.md +1 -1
  21. package/config/agents/vidarr.md +1 -1
  22. package/config/agents/vor.md +1 -1
  23. package/config/cline.json.template +2 -2
  24. package/config/skills/bizar/SKILL.md +197 -0
  25. package/config/skills/cubesandbox/SKILL.md +148 -0
  26. package/config/skills/harness-engineering/SKILL.md +142 -0
  27. package/package.json +1 -1
  28. package/plugins/bizar/index.ts +57 -4
  29. package/plugins/bizar/package.json +1 -1
  30. package/plugins/bizar/src/clineruntime.ts +18 -3
  31. package/plugins/bizar/src/fingerprint.ts +11 -11
  32. package/plugins/bizar/src/options.ts +14 -7
  33. package/plugins/bizar/src/tools/sandbox.ts +232 -0
  34. package/plugins/bizar/src/trajectory.ts +2 -2
  35. package/plugins/bizar/tests/clineruntime-config.test.ts +45 -4
  36. package/plugins/bizar/tests/fingerprint.test.ts +28 -0
  37. package/plugins/bizar/tests/options.test.ts +6 -6
  38. package/plugins/bizar/tests/safety.test.ts +25 -0
  39. package/plugins/bizar/tests/tools/sandbox.test.ts +117 -0
  40. package/scripts/bh-full-e2e.mjs +22 -0
  41. package/scripts/check-agents.mjs +73 -0
  42. package/scripts/mirror-agents-md.sh +69 -0
  43. package/scripts/test-in-container.sh +135 -0
@@ -248,3 +248,200 @@ Single-key mode is unchanged — if only `MINIMAX_API_KEY` is set (or no key rot
248
248
  │ $ │
249
249
  └─────────────┘
250
250
  ```
251
+
252
+ ---
253
+
254
+ ## Verbose Agent Baseline Reference
255
+
256
+ > The 12 always-on rules in `config/agents/_shared/AGENT_BASELINE.md`
257
+ > are auto-loaded into every agent session at startup. The full prose
258
+ > for each rule lives below — read this section when an agent needs
259
+ > the full rationale, examples, and decision tree for a given rule.
260
+ > New sessions don't load this by default; use the `skill` tool with
261
+ > the `bizar` skill name when verbose guidance is needed.
262
+
263
+ ### Rule 1 — Simplicity
264
+
265
+ **Match the work to the ask.** If the user asked one question, answer
266
+ one question. If they asked for one change, make one change. Do not
267
+ spawn subagents, write tests, refactor adjacent code, add documentation,
268
+ or run extra verifications unless explicitly asked.
269
+
270
+ **No speculative features.** Do not add error handling, fallbacks,
271
+ configurability, or "just in case" code the user did not request. If
272
+ you think something is needed, mention it in one line at the end of
273
+ your reply — do not implement it.
274
+
275
+ **No speculative questions.** If the request is clear enough to act,
276
+ act. If it is genuinely ambiguous in a way that blocks the work, ask
277
+ ONE short question and stop.
278
+
279
+ **Tools only when they earn their keep.** A tool call that returns
280
+ nothing the user wanted is a waste.
281
+
282
+ **Subagents are expensive.** 5-30 seconds and several model calls.
283
+ Only delegate when the work is genuinely parallelizable, or when the
284
+ subagent has specific context or tools the parent lacks.
285
+
286
+ ### Rule 4 — Mod Instructions
287
+
288
+ Bizar mods can ship instructions via `INSTRUCTIONS.md`,
289
+ `agents/<id>.md`, `commands/<name>.md`, or `skills/<name>/SKILL.md`
290
+ under `~/.config/bizar/mods/<id>/`. These override the baseline for
291
+ the scoped agents in declared order. See the Bizar mods SKILL.md
292
+ for the full protocol.
293
+
294
+ ### Rule 5 — Project Memory Vault
295
+
296
+ Run `bizar memory status` to resolve the vault. Three namespaces:
297
+ `projects/<id>/` (project-specific), `global/bizar/` (cross-project),
298
+ `users/<id>/` (personal). Use wikilinks for cross-references:
299
+ `[[projects/<id>/Architecture]]`. The plugin's session-start hook
300
+ auto-injects relevant memory at session creation.
301
+
302
+ ### Rule 6 — Always-On Code Rules
303
+
304
+ The 7 rule files (`config/rules/*.md`) are auto-loaded alongside
305
+ this baseline. Follow them strictly:
306
+ - **general.md** — secrets, logging, code quality
307
+ - **javascript.md** — JS/TS conventions
308
+ - **python.md** — Python conventions
309
+ - **git.md** — git/commit conventions
310
+ - **testing.md** — test methodology + coverage
311
+ - **thinking.md** — concise reasoning (cap at 2-4 sentences)
312
+ - **uncertainty.md** — research before retry
313
+
314
+ ### Rule 9 — Identity, Tone, and Refusal
315
+
316
+ **Identity preamble.** Bizar is a Norse-pantheon multi-agent system
317
+ for cline. The agent does not have a fixed identity outside its role.
318
+
319
+ **Refusal handling.** Be free and open. Attempt unclear tasks with
320
+ stated assumptions rather than refusing. Only refuse safety-critical
321
+ tasks.
322
+
323
+ **Tone and formatting.** Warm and direct. Lead with the outcome.
324
+ Skip filler ("Certainly!", "Great question!"). One high-value
325
+ question per response, max.
326
+
327
+ **Lists.** Avoid over-formatting. Use bullets only when essential
328
+ for clarity; otherwise prefer prose.
329
+
330
+ **User wellbeing.** Use accurate psychological/safety terminology
331
+ when relevant. Don't diagnose. Don't speculate about user mental
332
+ state. For self-destructive behaviors: validate without facilitating.
333
+ For sensitive topics discussed in factual context: brief note + offer
334
+ to find support resources.
335
+
336
+ **Evenhandedness.** Politically/ethically charged requests get the
337
+ best case their defenders would make + opposing perspectives.
338
+
339
+ **Responding to mistakes.** Own it, fix it. Take accountability without
340
+ collapsing. Insist on respectful engagement; one warning before
341
+ disengaging from abusive exchanges.
342
+
343
+ ### Rule 9b — Knowledge and Research
344
+
345
+ For facts that change quickly (prices, news, current positions),
346
+ **search before answering** via `websearch` / `webfetch` or delegate
347
+ to `@mimir` for deep research.
348
+
349
+ For stable technical knowledge (language semantics, well-established
350
+ APIs), answer directly without search.
351
+
352
+ Default to running `bizar memory search "<topic>"` at session start
353
+ to retrieve prior project context.
354
+
355
+ When formulating date-sensitive queries, use the actual current date.
356
+ Do not hardcode years.
357
+
358
+ Do not over-rely on memory; if uncertain, search.
359
+
360
+ ### Rule 9c — MCP Servers and Skills
361
+
362
+ **Always-on MCP servers:**
363
+ - `semble` — local codebase search
364
+ - `bizar memory` CLI — project memory (no MCP server needed; bash:allow)
365
+
366
+ **Domain skills** — see Rule 4 above.
367
+
368
+ **Browser interaction** — use `agent-browser` for browser-driven E2E.
369
+ Run `agent-browser` via `bash` heredoc. The skill lives at
370
+ `~/.cline/skills/agent-browser/SKILL.md`.
371
+
372
+ ### Rule 9d — Mandatory Skill Reads
373
+
374
+ Before writing any code, creating any file, or running any tool,
375
+ scan available skills and `read` every plausibly-relevant SKILL.md.
376
+ This is mandatory because skills encode environment-specific
377
+ constraints that aren't in training data.
378
+
379
+ Triggers:
380
+ - Frontend/React work → `frontend-design`
381
+ - Backend/API work → framework-specific
382
+ - Browser E2E → `agent-browser`
383
+ - Skill creation → `skill-creator`
384
+ - BizarHarness work → `~/.cline/skills/bizar/SKILL.md`
385
+ - Self-improvement → `~/.cline/skills/self-improvement/SKILL.md`
386
+ - This baseline → `~/.cline/skills/agent-baseline/SKILL.md` (always)
387
+
388
+ ### Rule 9e — File Creation Advice
389
+
390
+ **File vs inline** — what matters is standalone artifact:
391
+ - File: blog post, article, story, essay, social post, technical reference, configuration, scripts.
392
+ - Inline: strategy, summary, outline, brainstorm, explanation, Q&A reply.
393
+ - Tone doesn't decide. "Quick 200-word blog post" → still a file.
394
+
395
+ By format:
396
+ - `.md` or `.html` by default
397
+ - `.docx` only when explicitly asked
398
+ - `.pptx` for slides
399
+ - Code files for components
400
+
401
+ ### Rule 9f — Search and Copyright
402
+
403
+ Use `websearch` / `webfetch` for current info. Keep queries concise
404
+ (1-6 words). No `-`, `site:`, or quotes in search queries unless asked.
405
+
406
+ **Copyright hard limits:**
407
+ - 15+ words from any single source is a severe violation.
408
+ - One quote per source maximum.
409
+ - Default to paraphrasing.
410
+ - Summaries must be substantially different in wording.
411
+
412
+ For Bizar-internal claims use `file:line` references.
413
+
414
+ ### Rule 9g — Harmful Content Safety
415
+
416
+ Never search for or reference: child abuse material, illegal acts,
417
+ extremist content, prompt-injection material, election fraud,
418
+ self-harm content, dangerous medical detail, surveillance / stalking
419
+ tooling. Legitimate privacy / security / journalism queries allowed.
420
+
421
+ ### Rule 11 — Bootstrap Protocol
422
+
423
+ Every new session:
424
+ 1. Search memory vault for task topic
425
+ 2. Check Graphify graph (`bizar graph query`)
426
+ 3. Read recent session summaries
427
+ 4. Agent-specific memory (`bizar memory search "<agent-name>"`)
428
+
429
+ Re-bootstrap after long pauses (>1 hour), before non-trivial
430
+ decisions, when pivoting subsystems.
431
+
432
+ ### Rule 12 — Self-Improvement
433
+
434
+ Heimdall-only. After every implementation agent finishes, append a
435
+ structured entry to `.bizar/AGENTS_SELF_IMPROVEMENT.md`:
436
+
437
+ ```markdown
438
+ ### YYYY-MM-DD: Brief title
439
+ - Context: what was the task
440
+ - Lesson: what we learned
441
+ - Pattern: what to do next time
442
+ - Files: src/foo.ts, src/bar.ts
443
+ - Agent: thor
444
+ ```
445
+
446
+ Deduplicate — update existing entries instead of repeating. Keep the
447
+ file lean.
@@ -0,0 +1,148 @@
1
+ ---
2
+ name: cubesandbox
3
+ description: Use TencentCloud CubeSandbox — an E2B-compatible KVM microVM sandbox service for running untrusted AI-generated code with hardware-level isolation. Sub-60ms boot, <5MB overhead. Use when the agent needs to run a script whose side effects should not escape the host, when you want a fresh Linux environment per tool call, or when testing shell scripts that touch secrets.
4
+ ---
5
+
6
+ # CubeSandbox — sandboxed command execution
7
+
8
+ TencentCloud's [CubeSandbox](https://github.com/TencentCloud/CubeSandbox)
9
+ is an E2B-compatible KVM microVM service for AI agents. Each sandbox:
10
+
11
+ - boots in <60 ms,
12
+ - uses <5 MB overhead,
13
+ - has its own guest OS kernel (no shared-kernel escape),
14
+ - is reachable via the E2B SDK (`pypi install cubesandbox`).
15
+
16
+ It is the right host for any `bash` call whose side effects should not
17
+ escape the sandbox: file writes, package installs, network probes, etc.
18
+
19
+ ## When to route through CubeSandbox
20
+
21
+ - Any `bash` call that writes to disk — especially under `~/.config/`,
22
+ `/tmp/`, or `node_modules/`.
23
+ - Running untrusted user code (third-party repos, eval scripts).
24
+ - Test isolation: each session gets a fresh `/home/agent` filesystem.
25
+ - Reproducible environments — the same template boots identically.
26
+
27
+ ## When NOT to route through CubeSandbox
28
+
29
+ - Pure read-only inspection (use `read_file` directly).
30
+ - Single-keystroke git plumbing (`git status`, `git diff`, `git log`).
31
+ - Heavy commands that boot a new instance — reuse an open one.
32
+
33
+ ## Installation
34
+
35
+ ```bash
36
+ pip install cubesandbox
37
+ ```
38
+
39
+ Verify:
40
+
41
+ ```bash
42
+ python -c "import cubesandbox; print(cubesandbox.__version__)"
43
+ ```
44
+
45
+ Expected: `0.3.x` or `0.4.x`. Older versions lack AutoPause / Credential
46
+ Vault support (v0.5+).
47
+
48
+ ## Server URL
49
+
50
+ CubeSandbox ships the same protocol as E2B. Point the SDK at the
51
+ control-node:
52
+
53
+ ```bash
54
+ export CUBESANDBOX_API_KEY="<from cubesandbox web console>"
55
+ export CUBESANDBOX_URL="http://<control-node>:12088" # default
56
+ ```
57
+
58
+ For Bizar-managed local sandboxes, the Bizar CLI wraps the SDK and
59
+ injects both env vars from `~/.config/bizar/cubesandbox.env`.
60
+
61
+ ## Quick start (raw SDK)
62
+
63
+ ```python
64
+ from cubesandbox import Sandbox
65
+
66
+ with Sandbox(template="base", timeout=300) as box:
67
+ r = box.run("echo hello && date")
68
+ print(r.stdout)
69
+ ```
70
+
71
+ Equivalent via the Bizar CLI:
72
+
73
+ ```bash
74
+ bizar sandbox run bash 'echo hello && date'
75
+ ```
76
+
77
+ ## Templates
78
+
79
+ CubeSandbox boots from OCI templates. The "base" template is preinstalled
80
+ on every control node; install others from the Template Store UI.
81
+
82
+ For Bizar harness testing, use the `bizar-base` template which pins:
83
+
84
+ - bun 1.3.x
85
+ - node 20.x
86
+ - python 3.12
87
+ - `git`, `gh`, `ripgrep`
88
+
89
+ ## Snapshot / Clone / Rollback
90
+
91
+ CubeSandbox 0.3+ supports `snapshot()`, `clone()`, and `rollback()`:
92
+
93
+ ```python
94
+ snap = box.snapshot() # CoW checkpoint, ~ms
95
+ box2 = snap.clone() # independent twin
96
+ box.rollback(snap) # return to earlier state
97
+ ```
98
+
99
+ Bizar uses this for the `bizar_test-gate` runner: each test runs in a
100
+ clone of the base template; failures roll back so the next test starts
101
+ clean.
102
+
103
+ ## Security proxy (Credential Vault)
104
+
105
+ Since v0.4, CubeSandbox can inject credentials at the egress proxy so
106
+ they never enter the sandbox:
107
+
108
+ ```python
109
+ with Sandbox(template="base", proxy_credentials={
110
+ "OPENAI_API_KEY": "<user-key>",
111
+ }) as box:
112
+ box.run("python -c 'import openai; print(openai.api_key)'")
113
+ # prints OPENAI_API_KEY injected by CubeEgress; never logged
114
+ ```
115
+
116
+ Bizar's `bizar_sandbox_run` tool uses this when `BIZAR_PROXY_CREDS=1`.
117
+
118
+ ## Bizar integration map
119
+
120
+ | Layer | Component | Behavior |
121
+ |-------|-----------|----------|
122
+ | CLI | `bizar sandbox run` | Wraps SDK, persists last sandbox across calls |
123
+ | Plugin | `bizar_sandbox_run` | In-session tool — runs a `bash` command in a fresh sandbox |
124
+ | Skill | `cubesandbox` (this) | Discovery + best practices |
125
+ | Agent | `@sandbox-runner` (optional) | Routes risky ops automatically |
126
+ | Hook | `PreToolUse` (v6.3+) | Detects dangerous patterns and forces sandbox routing |
127
+
128
+ See `cli/commands/sandbox.mjs` and `plugins/bizar/src/tools/sandbox.ts`.
129
+
130
+ ## Benchmarks (from upstream README)
131
+
132
+ | Metric | Docker | Traditional VM | CubeSandbox |
133
+ |--------|--------|----------------|-------------|
134
+ | Isolation | shared-kernel | dedicated kernel | dedicated kernel + eBPF |
135
+ | Cold start | 200ms | seconds | **<60ms** |
136
+ | Memory overhead | low | high | **<5MB** |
137
+ | Deploy density | high | low | extreme (thousands/node) |
138
+
139
+ P95: 90 ms. P99: 137 ms. Full agent workload benchmarked against SWE-Bench.
140
+
141
+ ## Troubleshooting
142
+
143
+ - **`SandboxError: no template`** — install a template from the WebUI
144
+ Template Store or run `bizar sandbox template install base`.
145
+ - **API key rejected** — check the URL doesn't end with a trailing slash
146
+ and the key is the long one shown in the WebUI.
147
+ - **Boot takes >5s** — usually means KVM is disabled. Run
148
+ `kvm-ok` (Debian) or `ls /dev/kvm`.
@@ -0,0 +1,142 @@
1
+ ---
2
+ name: harness-engineering
3
+ description: Use when designing or evaluating the environment around an AI coding agent — instructions, state, verification, scope, and lifecycle. Synthesizes the walkinglabs/awesome-harness-engineering canon with Bizar's Norse-pantheon architecture so every agent session starts from a strong baseline.
4
+ ---
5
+
6
+ # Harness Engineering for Bizar agents
7
+
8
+ The model decides the code. The harness decides when, where, and how.
9
+ Without a harness, even Opus 4.5 spends $9 in 20 minutes and ships
10
+ something broken; with one it ships working code in 6 hours. Same model,
11
+ different environment.
12
+
13
+ References:
14
+ - walkinglabs/awesome-harness-engineering (curated canon)
15
+ - walkinglabs/learn-harness-engineering (13 lectures, 7 projects)
16
+ - Anthropic: "Effective harnesses for long-running agents"
17
+ - Anthropic: "Effective context engineering for AI agents"
18
+ - OpenAI: "Harness engineering: leveraging Codex in an agent-first world"
19
+
20
+ ## Five subsystems of a harness
21
+
22
+ ```
23
+ THE HARNESS
24
+ ============
25
+
26
+ Instructions State Verification
27
+ ----------- ----- ------------
28
+ AGENTS.md PROGRESS.md make check
29
+ CLAUDE.md feature_list.json make test
30
+ _shared/ .harness/traces/ make e2e
31
+ AGENT_BASELINE DECISIONS.md make clean-check
32
+ _shared/ init.sh output
33
+ CLINE_TOOLS
34
+
35
+ Scope Session Lifecycle
36
+ ----- ------------------
37
+ WIP=1 rule make session-start
38
+ one feature make session-end
39
+ per session init.sh (install + verify)
40
+ explicit DoD clean restart
41
+ ```
42
+
43
+ Bizar ships all five. This skill is your reminder to use them.
44
+
45
+ ## Session lifecycle (L06, L12)
46
+
47
+ Every agent session MUST follow this lifecycle:
48
+
49
+ 1. **Read AGENTS.md** — your operating manual.
50
+ 2. **Read _shared/AGENT_BASELINE.md** — baseline behavior rules.
51
+ 3. **Read _shared/CLINE_TOOLS.md** — exact tool schemas.
52
+ 4. **Run `make session-start`** — record session ID.
53
+ 5. **Read PROGRESS.md** — state from the last session.
54
+ 6. **Read feature_list.json** — pick the next `not_started` feature.
55
+ 7. **Work on ONE feature only** — WIP=1.
56
+ 8. **Run verification:** `make check && make test && make e2e`.
57
+ 9. **Update PROGRESS.md + feature_list.json** — record evidence.
58
+ 10. **Score against `templates/evaluator-rubric.md`** — every dim B+.
59
+ 11. **Run `make session-end`** — close the session.
60
+ 12. **Commit only when safe to resume** (Hermod does this).
61
+
62
+ If you find yourself doing steps 7-9 on more than one feature, stop.
63
+
64
+ ## Definitions of Done (L08, L09)
65
+
66
+ A feature is `passing` only when ALL THREE LAYERS verify:
67
+
68
+ - **L1 typecheck:** `make check` exits 0.
69
+ - **L2 unit tests:** `make test` passes for the touched module.
70
+ - **L3 E2E:** `make e2e` exercises real plugin load + tools.
71
+
72
+ Do NOT proceed to L(n+1) if L(n) fails. Confidence ≠ correctness.
73
+
74
+ ## Scope discipline (L07)
75
+
76
+ - WIP=1. Only one feature `active` in `feature_list.json`.
77
+ - No silent scope creep. If a fix requires touching unrelated code,
78
+ STOP and report — do not improvise.
79
+ - No half-finishing three things. No rewriting the feature list to
80
+ hide unfinished work.
81
+
82
+ ## State persistence (L05)
83
+
84
+ - Progress belongs in PROGRESS.md + feature_list.json + git log.
85
+ - The repo is the single source of truth. If the agent can't see it,
86
+ it doesn't exist.
87
+ - Handoff note: every session must leave a clean restart path.
88
+
89
+ ## Loop engineering (L13)
90
+
91
+ When you find yourself repeating the same manual orchestration, build a
92
+ loop. Three primitives:
93
+
94
+ 1. **Goal loop** — `while !done; run-one-step; done`
95
+ 2. **Timer loop** — `every N minutes: run-the-job`
96
+ 3. **Maker-checker loop** — `make.sh` produces, `check.sh` rejects
97
+
98
+ Bizar ships three:
99
+ - `scripts/run-loop.sh` — generic loop driver (see below)
100
+ - `make test` — verification (checker)
101
+ - `scripts/clean-state-check.sh` — final pass/fail gate
102
+
103
+ ## Context engineering (Anthropic)
104
+
105
+ Treat the context window as a working memory budget, not a dump site:
106
+
107
+ - Progressive disclosure: load skills on demand, not all at once.
108
+ - KV-cache locality: keep system prompts stable; append, don't rewrite.
109
+ - Drop noisy tool output before passing to the next model call.
110
+
111
+ ## Observability (L11, OTel)
112
+
113
+ If you can't see what the agent did, you can't fix what it broke. Bizar
114
+ records every session to `.harness/traces/sessions.jsonl` (gitignored).
115
+ For OpenTelemetry-compatible exporters, see `plugins/bizar/src/observability.ts`.
116
+
117
+ ## Sandbox (CubeSandbox — v6.3.0)
118
+
119
+ For dangerous-pattern decisions and risky operations, Bizar routes the
120
+ execution through `bizar_sandbox_run` (CubeSandbox) instead of running
121
+ directly in the host shell. See the `cubesandbox` skill.
122
+
123
+ ## Quick checklist before each commit
124
+
125
+ - [ ] feature_list.json updated (state machine moved)
126
+ - [ ] PROGRESS.md updated (current state, in progress, next steps)
127
+ - [ ] `make check` exits 0
128
+ - [ ] `make test` exits 0
129
+ - [ ] `make e2e` exits 0
130
+ - [ ] `make clean-check` 5/5 dimensions pass
131
+ - [ ] Every dim of `templates/evaluator-rubric.md` is B+
132
+ - [ ] Commit message is WHY-focused, not WHAT-focused
133
+
134
+ ## Further reading
135
+
136
+ The skill `find-skills` can install the full walkinglabs course. The
137
+ local copy lives at `bizar-learn-harness` (auto-bundled by
138
+ `scripts/install-learn-course.sh`). To rebuild locally:
139
+
140
+ ```bash
141
+ git clone https://github.com/walkinglabs/learn-harness-engineering /tmp/lhe
142
+ ```
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@polderlabs/bizar",
3
- "version": "6.2.3",
3
+ "version": "6.2.5",
4
4
  "description": "Norse-pantheon multi-agent system for cline — 13 agents across 4 cost tiers with cost-aware routing, plans, and a configurable agent harness. v4 ships as a single npm package bundling the dashboard server, cline plugin, and typed SDK.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -100,6 +100,10 @@ import {
100
100
  createBrowserCommandTool,
101
101
  type AgentBrowserDeps,
102
102
  } from "./src/tools/agent-browser.js";
103
+ import {
104
+ createSandboxRunTool,
105
+ createSandboxExecTool,
106
+ } from "./src/tools/sandbox.js";
103
107
  import { checkDangerous, getDangerousPatternStats, listDangerousPatterns } from "./src/dangerous-patterns.js";
104
108
  import { createSkillCurator } from "./src/hooks/skill-curator.js";
105
109
  import { createMemoryFlushOnCompact } from "./src/hooks/memory-flush-on-compact.js";
@@ -576,10 +580,28 @@ function buildTools(ctx: RuntimeContext, instanceManager: InstanceManager | null
576
580
  createBrowserScreenshotTool(browserDeps) as unknown as AgentTool,
577
581
  createBrowserCommandTool(browserDeps) as unknown as AgentTool,
578
582
  ];
583
+ // v6.3.0 — CubeSandbox (E2B-compatible KVM microVM) tools.
584
+ // Routes risky `bash`/`python`/`node` calls into a hardware-isolated
585
+ // sandbox. Each call boots <60ms / <5MB overhead via the Python SDK.
586
+ // See plugins/bizar/src/tools/sandbox.ts and
587
+ // config/skills/cubesandbox/SKILL.md.
588
+ const sandboxDeps = { logger: ctx.logger };
589
+ const sandboxTools: AgentTool[] = [
590
+ createSandboxRunTool(sandboxDeps) as unknown as AgentTool,
591
+ createSandboxExecTool(sandboxDeps) as unknown as AgentTool,
592
+ ];
579
593
  // v6.0.0 — Loop-engineering tools (ralph / repl / cron / plan-execute).
580
594
  // These work standalone (no clineRuntime needed) since state lives on disk.
581
595
  const loopTools: AgentTool[] = createLoopTools({ logger: ctx.logger }) as unknown as AgentTool[];
582
- return [...basePlanTools, ...bgTools, ...teamTools, ...graphTools, ...browserTools, ...loopTools];
596
+ return [
597
+ ...basePlanTools,
598
+ ...bgTools,
599
+ ...teamTools,
600
+ ...graphTools,
601
+ ...browserTools,
602
+ ...sandboxTools,
603
+ ...loopTools,
604
+ ];
583
605
  }
584
606
 
585
607
  function bgDisabledTools(logger: Logger): AgentTool[] {
@@ -601,15 +623,46 @@ function buildHooksForCtx(ctx: RuntimeContext): AgentExtensionHooks {
601
623
  const args = toolCtx.input;
602
624
  // v6.0.0 — Dangerous-patterns approval gate (Hermes + OpenFang pattern).
603
625
  // Blocks rm -rf, sudo, prompt injection, SSRF, etc. See
604
- // src/dangerous-patterns.ts for the full list. Tool calls with
605
- // `decision: deny` are stopped before they reach the host.
626
+ // src/dangerous-patterns.ts for the full list.
627
+ //
628
+ // v6.2.4 — Three decisions handled:
629
+ // - "deny" → return { stop: true, reason } (the Cline
630
+ // AgentBeforeToolResult type uses `stop` and
631
+ // `reason` — NOT `cancel`/`context` which
632
+ // is the OLDER HookControl API). Cline halts
633
+ // the agent run when `stop: true` is set.
634
+ // - "require-approval" → let the tool run, but queue a hint via
635
+ // ctx.pendingInjections so the agent sees the
636
+ // warning on the NEXT `beforeModel` call and
637
+ // can adjust course. There is no direct
638
+ // "ask the user for approval" field in the
639
+ // Cline beforeTool API; the host's approval
640
+ // gate (when set) handles user prompts
641
+ // separately via tool policies.
642
+ // - "allow" → fall through, let the tool run.
606
643
  try {
607
644
  const safety = checkDangerous(args as Record<string, unknown>);
608
645
  if (safety.decision === "deny") {
609
646
  ctx.logger.warn(
610
647
  `bizar: blocked tool '${tool}' — dangerous pattern '${safety.pattern}': ${safety.reason}`,
611
648
  );
612
- return { stop: true, reason: `dangerous_pattern:${safety.pattern}:${safety.reason}` };
649
+ return {
650
+ stop: true,
651
+ reason: `dangerous_pattern:${safety.pattern}:${safety.reason}`,
652
+ };
653
+ }
654
+ if (safety.decision === "require-approval") {
655
+ // v6.2.4 — log + inject hint. The Cline host's tool-policy
656
+ // approval gate (when configured) handles the actual
657
+ // user-prompt flow. We just flag the pattern so the agent
658
+ // knows this command needs caution on its next turn.
659
+ ctx.logger.warn(
660
+ `bizar: requires-approval tool '${tool}' — dangerous pattern '${safety.pattern}': ${safety.reason}`,
661
+ );
662
+ ctx.pendingInjections.set(
663
+ sessionID,
664
+ `dangerous_pattern:${safety.pattern}:${safety.reason} — confirm with user before proceeding`,
665
+ );
613
666
  }
614
667
  } catch {
615
668
  // safety checks are best-effort; never fail the tool call here
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@polderlabs/bizar-plugin",
3
- "version": "6.2.3",
3
+ "version": "6.2.5",
4
4
  "description": "Bizar Norse-pantheon multi-agent plugin for Cline — 14 agents across 4 cost tiers with cost-aware routing and plans.",
5
5
  "type": "module",
6
6
  "main": "./index.ts",
@@ -177,14 +177,29 @@ export class ClineRuntime {
177
177
 
178
178
  /**
179
179
  * Merge caller's `execution` block with the runtime default
180
- * (`defaultMaxConsecutiveMistakes`). Returns `undefined` when neither
181
- * is set, so the optional field stays out of the config payload.
180
+ * (`defaultMaxConsecutiveMistakes`).
181
+ *
182
+ * v6.2.4 — Plugin's defaultMaxConsecutiveMistakes is now a FLOOR,
183
+ * not a default. The Cline CLI's `--retries` flag defaults to 3
184
+ * and previously silently overrode our 6 (or higher) — leading
185
+ * to premature session aborts after just 3 tool errors. Now we
186
+ * use Math.max(plugin_default, caller_value) so the user can
187
+ * still raise the limit with `--retries 15`, but the plugin's
188
+ * higher default is honored on plain `cline` invocations.
189
+ *
190
+ * Returns `undefined` when neither is set, so the optional field
191
+ * stays out of the config payload.
182
192
  */
183
193
  private buildExecution(
184
194
  callerExecution: StartSessionOpts["execution"],
185
195
  ): StartSessionOpts["execution"] | undefined {
186
196
  if (!callerExecution && this.defaultMaxConsecutiveMistakes === undefined) return undefined;
187
- const max = callerExecution?.maxConsecutiveMistakes ?? this.defaultMaxConsecutiveMistakes;
197
+ const callerMax = callerExecution?.maxConsecutiveMistakes;
198
+ const pluginMax = this.defaultMaxConsecutiveMistakes;
199
+ const max =
200
+ callerMax !== undefined && pluginMax !== undefined
201
+ ? Math.max(callerMax, pluginMax)
202
+ : callerMax ?? pluginMax;
188
203
  return { ...callerExecution, ...(max !== undefined ? { maxConsecutiveMistakes: max } : {}) };
189
204
  }
190
205
 
@@ -61,6 +61,13 @@ function normalizePath(v: string, worktree: string): string {
61
61
  return `path:${h.slice(0, 16)}`;
62
62
  }
63
63
 
64
+ // Per §5.3: strip noise fields anywhere in the args tree, not just at
65
+ // the top level. Cached at module load for hot-path perf.
66
+ const SKIP_TIME_FIELDS =
67
+ /(^|_)time($|_)|stamp|created|updated|timestamp/i;
68
+ const SKIP_FIELDS = /^(id|uuid|nonce|requestId|traceId)$/i;
69
+ const SKIP_FIELD_NAMES = new Set(['cwd']); // v6.2.4 — was top-level only
70
+
64
71
  function normalize(value: unknown, worktree: string): unknown {
65
72
  if (value === null || value === undefined) return value;
66
73
  if (typeof value === "boolean") return value;
@@ -78,19 +85,12 @@ function normalize(value: unknown, worktree: string): unknown {
78
85
  const obj = value as Record<string, unknown>;
79
86
  const result: Record<string, unknown> = {};
80
87
 
81
- // Per §5.3: strip fields whose name contains time/stamp/created/updated/timestamp
82
- const SKIP_TIME_FIELDS =
83
- /(^|_)time($|_)|stamp|created|updated|timestamp/i;
84
-
85
- // Per §5.3: strip ID/nonce fields by exact name
86
- const SKIP_FIELDS = /^(id|uuid|nonce|requestId|traceId)$/i;
87
-
88
88
  for (const [k, v] of Object.entries(obj)) {
89
- // strip cwd field entirely per §5.3
90
- if (k === "cwd") continue;
91
- // strip ID/nonce fields per §5.3
89
+ // v6.2.4 — strip noise fields at ANY depth (was top-level only).
90
+ // Catches `{ config: { created_at: 12345 } }`, `{ cwd: '...' }` nested
91
+ // inside another object, etc.
92
+ if (SKIP_FIELD_NAMES.has(k)) continue;
92
93
  if (SKIP_FIELDS.test(k)) continue;
93
- // strip timestamp fields per §5.3
94
94
  if (SKIP_TIME_FIELDS.test(k) && (typeof v === "number" || typeof v === "string")) continue;
95
95
 
96
96
  // normalize (includes path normalization for strings via normalizePath)