@poncho-ai/harness 0.34.1 → 0.36.0

package/src/config.ts

@@ -1,12 +1,13 @@
 import { access } from "node:fs/promises";
 import { resolve } from "node:path";
 import { createJiti } from "jiti";
+import type { JsonSchema } from "@poncho-ai/sdk";
 import type { MemoryConfig } from "./memory.js";
 import type { McpConfig } from "./mcp.js";
 import type { StateConfig } from "./state.js";
 
 export interface StorageConfig {
-  provider?: "local" | "memory" | "redis" | "upstash" | "dynamodb";
+  provider?: "local" | "memory" | "sqlite" | "postgresql" | "redis" | "upstash" | "dynamodb";
   urlEnv?: string;
   tokenEnv?: string;
   table?: string;
@@ -21,6 +22,10 @@ export interface StorageConfig {
     enabled?: boolean;
     maxRecallConversations?: number;
   };
+  limits?: {
+    maxFileSize?: number;
+    maxTotalStorage?: number;
+  };
 }
 
 export interface UploadsConfig {
@@ -68,6 +73,97 @@ export interface MessagingChannelConfig {
   allowedUserIds?: number[];
 }
 
+export interface IsolateBinding {
+  description: string;
+  inputSchema: JsonSchema;
+  handler: (input: Record<string, unknown>) => Promise<unknown> | unknown;
+}
+
+/**
+ * Network access configuration for the bash sandbox (curl, wget).
+ * Network access is disabled by default — you must explicitly allow URLs.
+ */
+export interface NetworkConfig {
+  /**
+   * List of allowed URL prefixes. Each entry must be a full origin (scheme + host),
+   * optionally followed by a path prefix.
+   *
+   * Examples:
+   * - `"https://api.example.com"` — allows all paths on this origin
+   * - `"https://api.example.com/v1/"` — allows only paths starting with /v1/
+   *
+   * Entries can be plain strings or objects with header transforms for credentials brokering:
+   * ```
+   * { url: "https://api.example.com", transform: [{ headers: { "Authorization": "Bearer ..." } }] }
+   * ```
+   */
+  allowedUrls?: (string | { url: string; transform?: { headers: Record<string, string> }[] })[];
+  /** Allowed HTTP methods. Defaults to `["GET", "HEAD"]`. */
+  allowedMethods?: ("GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "PATCH" | "OPTIONS")[];
+  /** Bypass the allow-list and permit all URLs and methods. Only use in trusted environments. */
+  dangerouslyAllowAll?: boolean;
+  /** Maximum number of redirects to follow. Default: 20. */
+  maxRedirects?: number;
+  /** Request timeout in milliseconds. Default: 30000. */
+  timeoutMs?: number;
+  /** Maximum response body size in bytes. Default: 10MB. */
+  maxResponseSize?: number;
+  /** Reject URLs resolving to private/loopback IPs (SSRF protection). Default: false. */
+  denyPrivateRanges?: boolean;
+}
+
+export interface BashExecutionLimits {
+  /** Maximum function call/recursion depth. Default: 100. */
+  maxCallDepth?: number;
+  /** Maximum number of commands to execute. Default: 10000. */
+  maxCommandCount?: number;
+  /** Maximum loop iterations for while/for/until. Default: 10000. */
+  maxLoopIterations?: number;
+  /** Maximum total output size (stdout + stderr) in bytes. Default: 10MB. */
+  maxOutputSize?: number;
+  /** Maximum string length in bytes. Default: 10MB. */
+  maxStringLength?: number;
+  /** Maximum array elements. Default: 100000. */
+  maxArrayElements?: number;
+}
+
+export interface BashConfig {
+  /**
+   * Whitelist of allowed commands. When set, only these commands are available.
+   * Omit to allow all built-in commands.
+   *
+   * @example ["cat", "grep", "jq", "echo", "ls", "head", "tail", "wc", "sort"]
+   */
+  commands?: string[];
+  /** Execution limits to prevent runaway scripts. */
+  executionLimits?: BashExecutionLimits;
+  /** Enable python3/python commands in the sandbox. Default: false. */
+  python?: boolean;
+  /** Enable js-exec/node commands via QuickJS in the sandbox. Default: false. */
+  javascript?: boolean;
+  /** Environment variables injected into every bash session. */
+  env?: Record<string, string>;
+}
+
+export interface IsolateConfig {
+  /** V8 isolate memory limit in MB. Default: 128 */
+  memoryLimit?: number;
+  /** Execution timeout in ms. Default: 10000 */
+  timeLimit?: number;
+  /** Max combined stdout+stderr in bytes. Default: 65536 */
+  outputLimit?: number;
+  /** Max code input size in bytes. Default: 102400 (100KB) */
+  codeLimit?: number;
+  /** npm packages to bundle and make available via require() */
+  libraries?: string[];
+  /** External API access */
+  apis?: {
+    fetch?: { allowedDomains: string[] };
+  };
+  /** Builder-defined custom bindings injected into the isolate */
+  bindings?: Record<string, IsolateBinding>;
+}
+
 export interface PonchoConfig extends McpConfig {
   harness?: string;
   messaging?: MessagingChannelConfig[];
@@ -134,8 +230,23 @@ export interface PonchoConfig extends McpConfig {
     /** Cron expression controlling how often the reminder poll runs (local and serverless). Default: every 10 minutes. */
     pollSchedule?: string;
   };
+  /**
+   * Declare env var names that tenants can self-manage via the web UI or API.
+   * Key = env var name, value = human-readable label shown in the settings panel.
+   * Example: { LINEAR_API_KEY: "Linear API Key", STRIPE_KEY: "Stripe Secret Key" }
+   */
+  tenantSecrets?: Record<string, string>;
   /** Set to `false` to disable the built-in web UI (headless / API-only mode). */
   webUi?: false;
+  /** Enable sandboxed V8 isolate code execution. */
+  isolate?: IsolateConfig;
+  /**
+   * Network access for sandboxed tools (bash curl/wget, isolate fetch).
+   * Disabled by default — you must explicitly allow URLs.
+   */
+  network?: NetworkConfig;
+  /** Bash sandbox configuration. */
+  bash?: BashConfig;
   /** Enable browser automation tools. Set `true` for defaults, or provide config. */
   browser?:
     | boolean