@polpo-ai/tools 0.2.4

package/dist/safe-env.js

@@ -0,0 +1,76 @@
+/**
+ * Safe environment variable filtering for child processes.
+ *
+ * Instead of passing the full `process.env` (which leaks API keys, tokens,
+ * and secrets to every subprocess), this module provides a filtered env
+ * containing only system-essential variables plus an explicit allowlist.
+ *
+ * Security motivation:
+ *   - Bash tool commands can read env vars via `env`, `echo $SECRET`, etc.
+ *   - Any subprocess with full env access has all API keys and credentials.
+ */
+/**
+ * System-essential env vars that are always included.
+ * These are required for basic shell/process functionality.
+ */
+const SYSTEM_VARS = [
+    // Core system
+    "PATH", "HOME", "USER", "SHELL", "TERM", "LANG", "LC_ALL", "LC_CTYPE",
+    // Temp directories
+    "TMPDIR", "TMP", "TEMP",
+    // Node.js
+    "NODE_ENV", "NODE_PATH", "NODE_OPTIONS",
+    // Editor (for interactive tools)
+    "EDITOR", "VISUAL",
+    // XDG base directories
+    "XDG_DATA_HOME", "XDG_CONFIG_HOME", "XDG_CACHE_HOME", "XDG_RUNTIME_DIR",
+    // Platform-specific
+    "DISPLAY", "WAYLAND_DISPLAY", "DBUS_SESSION_BUS_ADDRESS", // Linux
+    "SYSTEMROOT", "COMSPEC", "PATHEXT", "APPDATA", "LOCALAPPDATA", "PROGRAMFILES", "WINDIR", // Windows
+    // SSH (for git operations)
+    "SSH_AUTH_SOCK", "SSH_AGENT_PID",
+    // Git
+    "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL",
+    // Proxy (for network access)
+    "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "http_proxy", "https_proxy", "no_proxy",
+    // Timezone
+    "TZ",
+];
+/**
+ * Create a filtered copy of process.env containing only safe variables.
+ *
+ * @param extra - Additional env vars to include (e.g. from MCP config).
+ *                These take precedence over process.env values.
+ * @param allowVars - Additional var names to pass through from process.env.
+ *                    Use this for specific Polpo env vars agents need.
+ */
+export function safeEnv(extra, allowVars) {
+    const result = {};
+    // Include system essentials from process.env
+    for (const key of SYSTEM_VARS) {
+        if (process.env[key] !== undefined) {
+            result[key] = process.env[key];
+        }
+    }
+    // Include explicitly allowed vars
+    if (allowVars) {
+        for (const key of allowVars) {
+            if (process.env[key] !== undefined) {
+                result[key] = process.env[key];
+            }
+        }
+    }
+    // Override/add extra vars (from config)
+    if (extra) {
+        Object.assign(result, extra);
+    }
+    return result;
+}
+/**
+ * Convenience: create safe env for bash tool.
+ * Includes system vars only — no API keys, no secrets.
+ */
+export function bashSafeEnv() {
+    return safeEnv();
+}
+//# sourceMappingURL=safe-env.js.map

package/dist/safe-env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-env.js","sourceRoot":"","sources":["../src/safe-env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;GAGG;AACH,MAAM,WAAW,GAAG;IAClB,cAAc;IACd,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU;IACrE,mBAAmB;IACnB,QAAQ,EAAE,KAAK,EAAE,MAAM;IACvB,UAAU;IACV,UAAU,EAAE,WAAW,EAAE,cAAc;IACvC,iCAAiC;IACjC,QAAQ,EAAE,QAAQ;IAClB,uBAAuB;IACvB,eAAe,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,iBAAiB;IACvE,oBAAoB;IACpB,SAAS,EAAE,iBAAiB,EAAE,0BAA0B,EAAG,QAAQ;IACnE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,QAAQ,EAAG,UAAU;IACpG,2BAA2B;IAC3B,eAAe,EAAE,eAAe;IAChC,MAAM;IACN,iBAAiB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,qBAAqB;IAClF,6BAA6B;IAC7B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU;IAChF,WAAW;IACX,IAAI;CACL,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CACrB,KAA8B,EAC9B,SAAoB;IAEpB,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,6CAA6C;IAC7C,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;QAClC,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBACnC,MAAM,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC"}

package/dist/search-tools.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Web search tools powered by Exa (exa.ai).
+ *
+ * Provides semantic web search with optional content extraction.
+ * Requires EXA_API_KEY in vault or environment.
+ *
+ * Tools:
+ * - search_web: Search the web with a natural language query
+ * - search_find_similar: Find pages similar to a given URL
+ */
+import type { AgentTool } from "@mariozechner/pi-agent-core";
+import type { ResolvedVault } from "./types.js";
+export type SearchToolName = "search_web" | "search_find_similar";
+export declare const ALL_SEARCH_TOOL_NAMES: readonly SearchToolName[];
+/**
+ * Create Exa-powered web search tools.
+ *
+ * @param vault - Resolved vault credentials (looks for EXA_API_KEY)
+ * @param allowedTools - Optional filter
+ */
+export declare function createSearchTools(vault?: ResolvedVault, allowedTools?: string[]): AgentTool<any>[];
+//# sourceMappingURL=search-tools.d.ts.map

package/dist/search-tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"search-tools.d.ts","sourceRoot":"","sources":["../src/search-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAuNhD,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,qBAAqB,CAAC;AAElE,eAAO,MAAM,qBAAqB,EAAE,SAAS,cAAc,EAA0C,CAAC;AAEtG;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,CAAC,EAAE,aAAa,EACrB,YAAY,CAAC,EAAE,MAAM,EAAE,GACtB,SAAS,CAAC,GAAG,CAAC,EAAE,CAWlB"}

package/dist/search-tools.js

@@ -0,0 +1,205 @@
+/**
+ * Web search tools powered by Exa (exa.ai).
+ *
+ * Provides semantic web search with optional content extraction.
+ * Requires EXA_API_KEY in vault or environment.
+ *
+ * Tools:
+ * - search_web: Search the web with a natural language query
+ * - search_find_similar: Find pages similar to a given URL
+ */
+import { Type } from "@sinclair/typebox";
+const EXA_BASE = "https://api.exa.ai";
+const DEFAULT_NUM_RESULTS = 5;
+const DEFAULT_TIMEOUT = 15_000;
+// ─── Helpers ───
+function getExaApiKey(vault) {
+    // Try vault first (service "exa", key "key"), then environment
+    return vault?.getKey("exa", "key") ?? process.env.EXA_API_KEY;
+}
+function ok(text, details) { return { content: [{ type: "text", text }], details: details ?? {} }; }
+function err(text) { return { content: [{ type: "text", text }], details: { error: true } }; }
+function formatResults(results, withContent) {
+    if (results.length === 0)
+        return "(no results)";
+    return results.map((r, i) => {
+        const parts = [`${i + 1}. **${r.title}**`, `   ${r.url}`];
+        if (r.publishedDate)
+            parts.push(`   Published: ${r.publishedDate}`);
+        if (r.author)
+            parts.push(`   Author: ${r.author}`);
+        if (r.summary) {
+            parts.push(`   Summary: ${r.summary}`);
+        }
+        else if (withContent && r.text) {
+            // Truncate content to avoid token bloat
+            const text = r.text.length > 1500 ? r.text.slice(0, 1500) + "..." : r.text;
+            parts.push(`   Content: ${text}`);
+        }
+        if (r.highlights?.length) {
+            parts.push(`   Highlights:`);
+            for (const h of r.highlights.slice(0, 3)) {
+                parts.push(`     - ${h}`);
+            }
+        }
+        return parts.join("\n");
+    }).join("\n\n");
+}
+// ─── Tool: search_web ───
+const SearchWebSchema = Type.Object({
+    query: Type.String({ description: "Natural language search query. Be descriptive — Exa uses semantic search, not keywords." }),
+    numResults: Type.Optional(Type.Number({ description: `Number of results to return (default: ${DEFAULT_NUM_RESULTS}, max: 20)` })),
+    includeContent: Type.Optional(Type.Boolean({ description: "Include page content/summary in results (default: true). Costs more but saves a follow-up http_fetch." })),
+    includeDomains: Type.Optional(Type.Array(Type.String(), { description: "Only return results from these domains (e.g. ['github.com', 'docs.python.org'])" })),
+    excludeDomains: Type.Optional(Type.Array(Type.String(), { description: "Exclude results from these domains" })),
+    startPublishedDate: Type.Optional(Type.String({ description: "Only results published after this date (ISO format, e.g. '2024-01-01')" })),
+    category: Type.Optional(Type.String({ description: "Filter by category: company, research_paper, news, pdf, github, tweet, personal_site, linkedin_profile" })),
+});
+function createSearchWebTool(vault) {
+    return {
+        name: "search_web",
+        label: "Web Search",
+        description: "Search the web using Exa's semantic search. Returns relevant pages with titles, URLs, and optionally content/summaries. " +
+            "Use natural language queries — Exa understands meaning, not just keywords. " +
+            "Example: 'how to implement OAuth2 with Better Auth in Next.js'",
+        parameters: SearchWebSchema,
+        async execute(_id, params, signal) {
+            const apiKey = getExaApiKey(vault);
+            if (!apiKey) {
+                return err("Error: EXA_API_KEY not found. Add it to vault (service: exa, key: key) or set as environment variable.");
+            }
+            const numResults = Math.min(params.numResults ?? DEFAULT_NUM_RESULTS, 20);
+            const includeContent = params.includeContent ?? true;
+            const body = {
+                query: params.query,
+                numResults,
+                type: "auto",
+            };
+            if (includeContent) {
+                body.contents = {
+                    text: { maxCharacters: 2000 },
+                    highlights: { numSentences: 3 },
+                    summary: { query: params.query },
+                };
+            }
+            if (params.includeDomains?.length)
+                body.includeDomains = params.includeDomains;
+            if (params.excludeDomains?.length)
+                body.excludeDomains = params.excludeDomains;
+            if (params.startPublishedDate)
+                body.startPublishedDate = params.startPublishedDate;
+            if (params.category)
+                body.category = params.category;
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT);
+                if (signal)
+                    signal.addEventListener("abort", () => controller.abort());
+                const response = await fetch(`${EXA_BASE}/search`, {
+                    method: "POST",
+                    headers: {
+                        "x-api-key": apiKey,
+                        "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify(body),
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+                if (!response.ok) {
+                    const errText = await response.text().catch(() => "");
+                    return err(`Error: Exa API returned ${response.status}: ${errText}`);
+                }
+                const data = (await response.json());
+                const formatted = formatResults(data.results, includeContent);
+                const header = `Found ${data.results.length} result(s) for: "${params.query}"`;
+                return ok(`${header}\n\n${formatted}`);
+            }
+            catch (e) {
+                const message = e.name === "AbortError" ? "Search timed out" : e.message;
+                return err(`Error: Web search failed — ${message}`);
+            }
+        },
+    };
+}
+// ─── Tool: search_find_similar ───
+const FindSimilarSchema = Type.Object({
+    url: Type.String({ description: "URL of a page to find similar content for" }),
+    numResults: Type.Optional(Type.Number({ description: `Number of results (default: ${DEFAULT_NUM_RESULTS}, max: 20)` })),
+    includeContent: Type.Optional(Type.Boolean({ description: "Include page content/summary (default: false)" })),
+    excludeDomains: Type.Optional(Type.Array(Type.String(), { description: "Exclude results from these domains" })),
+});
+function createFindSimilarTool(vault) {
+    return {
+        name: "search_find_similar",
+        label: "Find Similar Pages",
+        description: "Find web pages similar to a given URL. Useful for finding alternatives, competitors, or related resources. " +
+            "Example: give it a GitHub repo URL to find similar projects.",
+        parameters: FindSimilarSchema,
+        async execute(_id, params, signal) {
+            const apiKey = getExaApiKey(vault);
+            if (!apiKey) {
+                return err("Error: EXA_API_KEY not found. Add it to vault or set as environment variable.");
+            }
+            const numResults = Math.min(params.numResults ?? DEFAULT_NUM_RESULTS, 20);
+            const includeContent = params.includeContent ?? false;
+            const body = {
+                url: params.url,
+                numResults,
+            };
+            if (includeContent) {
+                body.contents = {
+                    text: { maxCharacters: 2000 },
+                    highlights: { numSentences: 3 },
+                };
+            }
+            if (params.excludeDomains?.length)
+                body.excludeDomains = params.excludeDomains;
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT);
+                if (signal)
+                    signal.addEventListener("abort", () => controller.abort());
+                const response = await fetch(`${EXA_BASE}/findSimilar`, {
+                    method: "POST",
+                    headers: {
+                        "x-api-key": apiKey,
+                        "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify(body),
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+                if (!response.ok) {
+                    const errText = await response.text().catch(() => "");
+                    return err(`Error: Exa API returned ${response.status}: ${errText}`);
+                }
+                const data = (await response.json());
+                const formatted = formatResults(data.results, includeContent);
+                const header = `Found ${data.results.length} page(s) similar to: ${params.url}`;
+                return ok(`${header}\n\n${formatted}`);
+            }
+            catch (e) {
+                const message = e.name === "AbortError" ? "Search timed out" : e.message;
+                return err(`Error: Find similar failed — ${message}`);
+            }
+        },
+    };
+}
+export const ALL_SEARCH_TOOL_NAMES = ["search_web", "search_find_similar"];
+/**
+ * Create Exa-powered web search tools.
+ *
+ * @param vault - Resolved vault credentials (looks for EXA_API_KEY)
+ * @param allowedTools - Optional filter
+ */
+export function createSearchTools(vault, allowedTools) {
+    const factories = {
+        search_web: () => createSearchWebTool(vault),
+        search_find_similar: () => createFindSimilarTool(vault),
+    };
+    const names = allowedTools
+        ? ALL_SEARCH_TOOL_NAMES.filter(n => allowedTools.some(a => a.toLowerCase() === n))
+        : [...ALL_SEARCH_TOOL_NAMES];
+    return names.map(n => factories[n]());
+}
+//# sourceMappingURL=search-tools.js.map

package/dist/search-tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"search-tools.js","sourceRoot":"","sources":["../src/search-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAIzC,MAAM,QAAQ,GAAG,oBAAoB,CAAC;AACtC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,eAAe,GAAG,MAAM,CAAC;AAE/B,kBAAkB;AAElB,SAAS,YAAY,CAAC,KAAqB;IACzC,+DAA+D;IAC/D,OAAO,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;AAChE,CAAC;AAED,SAAS,EAAE,CAAC,IAAY,EAAE,OAAiC,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/I,SAAS,GAAG,CAAC,IAAY,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;AAkB/G,SAAS,aAAa,CAAC,OAA0B,EAAE,WAAoB;IACrE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,cAAc,CAAC;IAEhD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1B,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,CAAC,aAAa;YAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,CAAC,MAAM;YAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,WAAW,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;YACjC,wCAAwC;YACxC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAC3E,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC;AAED,2BAA2B;AAE3B,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,yFAAyF,EAAE,CAAC;IAC9H,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,yCAAyC,mBAAmB,YAAY,EAAE,CAAC,CAAC;IACjI,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,uGAAuG,EAAE,CAAC,CAAC;IACrK,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,iFAAiF,EAAE,CAAC,CAAC;IAC5J,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,oCAAoC,EAAE,CAAC,CAAC;IAC/G,kBAAkB,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,wEAAwE,EAAE,CAAC,CAAC;IACzI,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,wGAAwG,EAAE,CAAC,CAAC;CAChK,CAAC,CAAC;AAEH,SAAS,mBAAmB,CAAC,KAAqB;IAChD,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,YAAY;QACnB,WAAW,EACT,0HAA0H;YAC1H,6EAA6E;YAC7E,gEAAgE;QAClE,UAAU,EAAE,eAAe;QAC3B,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,GAAG,CAAC,wGAAwG,CAAC,CAAC;YACvH,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,mBAAmB,EAAE,EAAE,CAAC,CAAC;YAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,IAAI,CAAC;YAErD,MAAM,IAAI,GAA4B;gBACpC,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU;gBACV,IAAI,EAAE,MAAM;aACb,CAAC;YAEF,IAAI,cAAc,EAAE,CAAC;gBACnB,IAAI,CAAC,QAAQ,GAAG;oBACd,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;oBAC7B,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE;oBAC/B,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE;iBACjC,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM;gBAAE,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;YAC/E,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM;gBAAE,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;YAC/E,IAAI,MAAM,CAAC,kBAAkB;gBAAE,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC;YACnF,IAAI,MAAM,CAAC,QAAQ;gBAAE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAErD,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;gBACtE,IAAI,MAAM;oBAAE,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBAEvE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,SAAS,EAAE;oBACjD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,WAAW,EAAE,MAAM;wBACnB,cAAc,EAAE,kBAAkB;qBACnC;oBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;oBAC1B,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,OAAO,CAAC,CAAC;gBAEtB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;oBACtD,OAAO,GAAG,CAAC,2BAA2B,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC;gBACvE,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;gBACpD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,oBAAoB,MAAM,CAAC,KAAK,GAAG,CAAC;gBAC/E,OAAO,EAAE,CAAC,GAAG,MAAM,OAAO,SAAS,EAAE,CAAC,CAAC;YACzC,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;gBACzE,OAAO,GAAG,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,oCAAoC;AAEpC,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC;IACpC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,2CAA2C,EAAE,CAAC;IAC9E,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,+BAA+B,mBAAmB,YAAY,EAAE,CAAC,CAAC;IACvH,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,+CAA+C,EAAE,CAAC,CAAC;IAC7G,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,oCAAoC,EAAE,CAAC,CAAC;CAChH,CAAC,CAAC;AAEH,SAAS,qBAAqB,CAAC,KAAqB;IAClD,OAAO;QACL,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,6GAA6G;YAC7G,8DAA8D;QAChE,UAAU,EAAE,iBAAiB;QAC7B,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,GAAG,CAAC,+EAA+E,CAAC,CAAC;YAC9F,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,mBAAmB,EAAE,EAAE,CAAC,CAAC;YAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,KAAK,CAAC;YAEtD,MAAM,IAAI,GAA4B;gBACpC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,UAAU;aACX,CAAC;YAEF,IAAI,cAAc,EAAE,CAAC;gBACnB,IAAI,CAAC,QAAQ,GAAG;oBACd,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;oBAC7B,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE;iBAChC,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM;gBAAE,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;YAE/E,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;gBACtE,IAAI,MAAM;oBAAE,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBAEvE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,cAAc,EAAE;oBACtD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,WAAW,EAAE,MAAM;wBACnB,cAAc,EAAE,kBAAkB;qBACnC;oBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;oBAC1B,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,OAAO,CAAC,CAAC;gBAEtB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;oBACtD,OAAO,GAAG,CAAC,2BAA2B,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC;gBACvE,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;gBACpD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,wBAAwB,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChF,OAAO,EAAE,CAAC,GAAG,MAAM,OAAO,SAAS,EAAE,CAAC,CAAC;YACzC,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;gBACzE,OAAO,GAAG,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAMD,MAAM,CAAC,MAAM,qBAAqB,GAA8B,CAAC,YAAY,EAAE,qBAAqB,CAAC,CAAC;AAEtG;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAqB,EACrB,YAAuB;IAEvB,MAAM,SAAS,GAAiD;QAC9D,UAAU,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,KAAK,CAAC;QAC5C,mBAAmB,EAAE,GAAG,EAAE,CAAC,qBAAqB,CAAC,KAAK,CAAC;KACxD,CAAC;IAEF,MAAM,KAAK,GAAG,YAAY;QACxB,CAAC,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;QAClF,CAAC,CAAC,CAAC,GAAG,qBAAqB,CAAC,CAAC;IAE/B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACxC,CAAC"}

package/dist/ssrf-guard.d.ts

@@ -0,0 +1,17 @@
+/**
+ * SSRF guard — blocks HTTP requests to internal/private network addresses.
+ *
+ * Prevents agents from making requests to:
+ * - localhost (127.0.0.0/8, ::1, 0.0.0.0, localhost)
+ * - RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
+ * - Link-local / cloud metadata (169.254.0.0/16, metadata.google.internal)
+ */
+/**
+ * Assert that a URL does not point to a private/internal network address.
+ * Throws an Error if the URL is blocked.
+ *
+ * @param urlString - The URL to check
+ * @throws Error with descriptive message if the URL targets an internal address
+ */
+export declare function assertUrlAllowed(urlString: string): void;
+//# sourceMappingURL=ssrf-guard.d.ts.map

package/dist/ssrf-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.d.ts","sourceRoot":"","sources":["../src/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiCH;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAsDxD"}

package/dist/ssrf-guard.js

@@ -0,0 +1,95 @@
+/**
+ * SSRF guard — blocks HTTP requests to internal/private network addresses.
+ *
+ * Prevents agents from making requests to:
+ * - localhost (127.0.0.0/8, ::1, 0.0.0.0, localhost)
+ * - RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
+ * - Link-local / cloud metadata (169.254.0.0/16, metadata.google.internal)
+ */
+/** Hostnames that are always blocked. */
+const BLOCKED_HOSTNAMES = new Set([
+    "localhost",
+    "metadata.google.internal",
+]);
+/**
+ * Parse an IPv4 address string into a 32-bit number.
+ * Returns undefined if not a valid IPv4 address.
+ */
+function parseIPv4(host) {
+    const parts = host.split(".");
+    if (parts.length !== 4)
+        return undefined;
+    let num = 0;
+    for (const part of parts) {
+        const octet = Number(part);
+        if (!Number.isInteger(octet) || octet < 0 || octet > 255)
+            return undefined;
+        num = (num << 8) | octet;
+    }
+    return num >>> 0; // unsigned 32-bit
+}
+/**
+ * Check whether an IPv4 address (as 32-bit number) falls within a CIDR range.
+ */
+function inRange(ip, base, bits) {
+    const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
+    return (ip & mask) === (base & mask);
+}
+/**
+ * Assert that a URL does not point to a private/internal network address.
+ * Throws an Error if the URL is blocked.
+ *
+ * @param urlString - The URL to check
+ * @throws Error with descriptive message if the URL targets an internal address
+ */
+export function assertUrlAllowed(urlString) {
+    let parsed;
+    try {
+        parsed = new URL(urlString);
+    }
+    catch {
+        throw new Error(`Invalid URL: ${urlString}`);
+    }
+    const hostname = parsed.hostname.toLowerCase();
+    // Strip IPv6 brackets
+    const bareHost = hostname.startsWith("[") && hostname.endsWith("]")
+        ? hostname.slice(1, -1)
+        : hostname;
+    // Block known hostnames
+    if (BLOCKED_HOSTNAMES.has(bareHost)) {
+        throw new Error(`SSRF blocked: requests to ${bareHost} are not allowed`);
+    }
+    // Block IPv6 loopback
+    if (bareHost === "::1" || bareHost === "::0" || bareHost === "0:0:0:0:0:0:0:1" || bareHost === "0:0:0:0:0:0:0:0") {
+        throw new Error(`SSRF blocked: requests to ${bareHost} are not allowed`);
+    }
+    // Block 0.0.0.0
+    if (bareHost === "0.0.0.0") {
+        throw new Error(`SSRF blocked: requests to 0.0.0.0 are not allowed`);
+    }
+    // Check IPv4 ranges
+    const ipv4 = parseIPv4(bareHost);
+    if (ipv4 !== undefined) {
+        // 127.0.0.0/8 — loopback
+        if (inRange(ipv4, 0x7f000000, 8)) {
+            throw new Error(`SSRF blocked: requests to ${bareHost} (loopback) are not allowed`);
+        }
+        // 10.0.0.0/8 — RFC1918
+        if (inRange(ipv4, 0x0a000000, 8)) {
+            throw new Error(`SSRF blocked: requests to ${bareHost} (private network) are not allowed`);
+        }
+        // 172.16.0.0/12 — RFC1918
+        if (inRange(ipv4, 0xac100000, 12)) {
+            throw new Error(`SSRF blocked: requests to ${bareHost} (private network) are not allowed`);
+        }
+        // 192.168.0.0/16 — RFC1918
+        if (inRange(ipv4, 0xc0a80000, 16)) {
+            throw new Error(`SSRF blocked: requests to ${bareHost} (private network) are not allowed`);
+        }
+        // 169.254.0.0/16 — link-local / cloud metadata
+        if (inRange(ipv4, 0xa9fe0000, 16)) {
+            throw new Error(`SSRF blocked: requests to ${bareHost} (link-local/metadata) are not allowed`);
+        }
+    }
+}
+//# sourceMappingURL=ssrf-guard.js.map

package/dist/ssrf-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../src/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,yCAAyC;AACzC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,WAAW;IACX,0BAA0B;CAC3B,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAEzC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3E,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,kBAAkB;AACtC,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,EAAU,EAAE,IAAY,EAAE,IAAY;IACrD,MAAM,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC;IACxD,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE/C,sBAAsB;IACtB,MAAM,QAAQ,GAAG,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QACjE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACvB,CAAC,CAAC,QAAQ,CAAC;IAEb,wBAAwB;IACxB,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,kBAAkB,CAAC,CAAC;IAC3E,CAAC;IAED,sBAAsB;IACtB,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,iBAAiB,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;QACjH,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,kBAAkB,CAAC,CAAC;IAC3E,CAAC;IAED,gBAAgB;IAChB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,oBAAoB;IACpB,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACjC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,yBAAyB;QACzB,IAAI,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,6BAA6B,CAAC,CAAC;QACtF,CAAC;QACD,uBAAuB;QACvB,IAAI,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,oCAAoC,CAAC,CAAC;QAC7F,CAAC;QACD,0BAA0B;QAC1B,IAAI,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,oCAAoC,CAAC,CAAC;QAC7F,CAAC;QACD,2BAA2B;QAC3B,IAAI,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,oCAAoC,CAAC,CAAC;QAC7F,CAAC;QACD,+CAA+C;QAC/C,IAAI,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,wCAAwC,CAAC,CAAC;QACjG,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Types used by tools — local definitions to avoid importing from polpo-ai root.
+ */
+/** Resolved vault credentials for an agent. */
+export interface ResolvedVault {
+    get(service: string): Record<string, string> | undefined;
+    getSmtp(): Record<string, any> | undefined;
+    getImap(): Record<string, any> | undefined;
+    getKey(service: string, key: string): string | undefined;
+    has(service: string): boolean;
+    list(): Array<{
+        service: string;
+        type: string;
+        keys: string[];
+    }>;
+}
+/** WhatsApp message store interface. Uses any for maximum compatibility. */
+export interface WhatsAppStore {
+    [method: string]: (...args: any[]) => any;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;IACzD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,SAAS,CAAC;IAC3C,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,SAAS,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACzD,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC9B,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAClE;AAED,4EAA4E;AAC5E,MAAM,WAAW,aAAa;IAC5B,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC;CAC3C"}

package/dist/types.js

@@ -0,0 +1,5 @@
+/**
+ * Types used by tools — local definitions to avoid importing from polpo-ai root.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/vault-tools.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Vault tools for agents to access their own credentials at runtime.
+ *
+ * Provides read-only access to the agent's resolved vault:
+ * - vault_get: retrieve credentials for a specific service
+ * - vault_list: list available services (keys only, values masked)
+ *
+ * The vault is pre-resolved at spawn time — ${ENV_VAR} references are already
+ * replaced with actual values. Agents can only see their own credentials.
+ */
+import type { AgentTool } from "@mariozechner/pi-agent-core";
+import type { ResolvedVault } from "./types.js";
+export declare const ALL_VAULT_TOOL_NAMES: readonly ["vault_get", "vault_list"];
+export type VaultToolName = (typeof ALL_VAULT_TOOL_NAMES)[number];
+/**
+ * Create vault tools (core — always included when vault is available).
+ * Vault tools are core tools: they are always available to every agent
+ * that has a resolved vault, regardless of allowedTools configuration.
+ */
+export declare function createVaultToolsCore(vault: ResolvedVault): AgentTool<any>[];
+/**
+ * Create vault tools for an agent, filtered by allowedTools.
+ * @deprecated Use createVaultToolsCore() — vault tools are now core tools (always available).
+ */
+export declare function createVaultTools(vault: ResolvedVault, allowedTools?: string[]): AgentTool<any>[];
+//# sourceMappingURL=vault-tools.d.ts.map

package/dist/vault-tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-tools.d.ts","sourceRoot":"","sources":["../src/vault-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAIhD,eAAO,MAAM,oBAAoB,sCAAuC,CAAC;AACzE,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAC;AA4DlE;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,aAAa,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,CAE3E;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,aAAa,EAAE,YAAY,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,CAQhG"}

package/dist/vault-tools.js

@@ -0,0 +1,86 @@
+/**
+ * Vault tools for agents to access their own credentials at runtime.
+ *
+ * Provides read-only access to the agent's resolved vault:
+ * - vault_get: retrieve credentials for a specific service
+ * - vault_list: list available services (keys only, values masked)
+ *
+ * The vault is pre-resolved at spawn time — ${ENV_VAR} references are already
+ * replaced with actual values. Agents can only see their own credentials.
+ */
+import { Type } from "@sinclair/typebox";
+// ─── Tool names ───
+export const ALL_VAULT_TOOL_NAMES = ["vault_get", "vault_list"];
+// ─── Tool: vault_get ───
+const VaultGetSchema = Type.Object({
+    service: Type.String({ description: "Service name to retrieve credentials for (e.g. 'smtp', 'openai', 'stripe')" }),
+});
+function createVaultGetTool(vault) {
+    return {
+        name: "vault_get",
+        label: "Get Vault Credentials",
+        description: "Retrieve credentials for a specific service from your vault. Returns all credential key-value pairs for the requested service. Use vault_list first to see available services.",
+        parameters: VaultGetSchema,
+        async execute(_toolCallId, params) {
+            const creds = vault.get(params.service);
+            if (!creds) {
+                return {
+                    content: [{ type: "text", text: `No vault entry found for service "${params.service}". Use vault_list to see available services.` }],
+                    details: { service: params.service, found: false },
+                };
+            }
+            const lines = Object.entries(creds).map(([key, value]) => `  ${key}: ${value}`);
+            return {
+                content: [{ type: "text", text: `Credentials for "${params.service}":\n${lines.join("\n")}` }],
+                details: { service: params.service, found: true, keys: Object.keys(creds) },
+            };
+        },
+    };
+}
+// ─── Tool: vault_list ───
+const VaultListSchema = Type.Object({});
+function createVaultListTool(vault) {
+    return {
+        name: "vault_list",
+        label: "List Vault Services",
+        description: "List all available services in your vault. Shows service names, types, and credential key names (values are not shown). Use vault_get to retrieve actual credential values.",
+        parameters: VaultListSchema,
+        async execute() {
+            const services = vault.list();
+            if (services.length === 0) {
+                return {
+                    content: [{ type: "text", text: "No vault entries configured for this agent." }],
+                    details: { count: 0, services: [] },
+                };
+            }
+            const lines = services.map(s => `  - ${s.service} (${s.type}): keys=[${s.keys.join(", ")}]`);
+            return {
+                content: [{ type: "text", text: `${services.length} vault service(s):\n${lines.join("\n")}` }],
+                details: { count: services.length, services: services.map(s => s.service) },
+            };
+        },
+    };
+}
+// ─── Factory ───
+/**
+ * Create vault tools (core — always included when vault is available).
+ * Vault tools are core tools: they are always available to every agent
+ * that has a resolved vault, regardless of allowedTools configuration.
+ */
+export function createVaultToolsCore(vault) {
+    return [createVaultGetTool(vault), createVaultListTool(vault)];
+}
+/**
+ * Create vault tools for an agent, filtered by allowedTools.
+ * @deprecated Use createVaultToolsCore() — vault tools are now core tools (always available).
+ */
+export function createVaultTools(vault, allowedTools) {
+    const tools = [];
+    const allowed = (name) => !allowedTools || allowedTools.includes(name);
+    if (allowed("vault_get"))
+        tools.push(createVaultGetTool(vault));
+    if (allowed("vault_list"))
+        tools.push(createVaultListTool(vault));
+    return tools;
+}
+//# sourceMappingURL=vault-tools.js.map

package/dist/vault-tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-tools.js","sourceRoot":"","sources":["../src/vault-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAIzC,qBAAqB;AAErB,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,WAAW,EAAE,YAAY,CAAU,CAAC;AAGzE,0BAA0B;AAE1B,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC;IACjC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,4EAA4E,EAAE,CAAC;CACpH,CAAC,CAAC;AAEH,SAAS,kBAAkB,CAAC,KAAoB;IAC9C,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,gLAAgL;QAC7L,UAAU,EAAE,cAAc;QAC1B,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,MAAM;YAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qCAAqC,MAAM,CAAC,OAAO,8CAA8C,EAAE,CAAC;oBACpI,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;iBACnD,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC;YAChF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,MAAM,CAAC,OAAO,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC9F,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,2BAA2B;AAE3B,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAExC,SAAS,mBAAmB,CAAC,KAAoB;IAC/C,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,6KAA6K;QAC1L,UAAU,EAAE,eAAe;QAC3B,KAAK,CAAC,OAAO;YACX,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,6CAA6C,EAAE,CAAC;oBAChF,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE;iBACpC,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7F,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,MAAM,uBAAuB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC9F,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,kBAAkB;AAElB;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAoB;IACvD,OAAO,CAAC,kBAAkB,CAAC,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAoB,EAAE,YAAuB;IAC5E,MAAM,KAAK,GAAqB,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,EAAE,CAAC,CAAC,YAAY,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAE/E,IAAI,OAAO,CAAC,WAAW,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,IAAI,OAAO,CAAC,YAAY,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;IAElE,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/whatsapp-tools.d.ts

@@ -0,0 +1,18 @@
+/**
+ * WhatsApp tools — agent-level tools for reading, sending, and searching
+ * WhatsApp messages via the Baileys bridge.
+ *
+ * Requires an active WhatsApp bridge connection (configured in polpo.json).
+ * Messages are stored locally in `.polpo/whatsapp.db`.
+ */
+import type { AgentTool } from "@mariozechner/pi-agent-core";
+import type { WhatsAppStore } from "./types.js";
+interface WhatsAppToolDeps {
+    store: WhatsAppStore;
+    sendMessage: (jid: string, text: string) => Promise<string | undefined>;
+}
+export type WhatsAppToolName = "whatsapp_list" | "whatsapp_read" | "whatsapp_send" | "whatsapp_search" | "whatsapp_contacts";
+export declare const ALL_WHATSAPP_TOOL_NAMES: WhatsAppToolName[];
+export declare function createWhatsAppTools(deps: WhatsAppToolDeps, allowedTools?: string[]): AgentTool<any>[];
+export {};
+//# sourceMappingURL=whatsapp-tools.d.ts.map

package/dist/whatsapp-tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"whatsapp-tools.d.ts","sourceRoot":"","sources":["../src/whatsapp-tools.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAmDhD,UAAU,gBAAgB;IACxB,KAAK,EAAE,aAAa,CAAC;IACrB,WAAW,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;CACzE;AAqKD,MAAM,MAAM,gBAAgB,GACxB,eAAe,GACf,eAAe,GACf,eAAe,GACf,iBAAiB,GACjB,mBAAmB,CAAC;AAExB,eAAO,MAAM,uBAAuB,EAAE,gBAAgB,EAMrD,CAAC;AAEF,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,gBAAgB,EACtB,YAAY,CAAC,EAAE,MAAM,EAAE,GACtB,SAAS,CAAC,GAAG,CAAC,EAAE,CAclB"}