@pugi/cli 0.1.0-beta.8 → 0.1.0-beta.88

package/dist/tools/verify-plan-execution.js

@@ -0,0 +1,295 @@
+/**
+ * verify_plan_execution tool — anti-fake-dispatch gate (backlog #5 P0).
+ *
+ * Gives the engine loop a way to ASSERT that a previously-stated plan's
+ * promised steps actually executed. When the model says "Step 1: read
+ * file A. Step 2: edit file B. Step 3: run tests" and then emits a
+ * "done" final text, this tool lets the engine loop verify the session's
+ * recorded tool calls and file mutations cover every requirement.
+ *
+ * If any gap is found the engine loop continues another turn so the
+ * model can either fill the gap or explicitly explain why the step was
+ * skipped. Closes the fake-dispatch failure mode documented in
+ * memory `feedback_no_fake_dispatch_promises.md`.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+export const VERIFY_PLAN_INVALID_ARGS = 'VERIFY_PLAN_INVALID_ARGS';
+export function parseVerifyPlanArgs(raw) {
+    if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
+        return `${VERIFY_PLAN_INVALID_ARGS}: arguments must be a JSON object`;
+    }
+    const obj = raw;
+    if (!Object.prototype.hasOwnProperty.call(obj, 'steps')) {
+        return `${VERIFY_PLAN_INVALID_ARGS}: steps is required`;
+    }
+    const rawSteps = obj['steps'];
+    if (!Array.isArray(rawSteps)) {
+        return `${VERIFY_PLAN_INVALID_ARGS}: steps must be an array`;
+    }
+    if (rawSteps.length > 200) {
+        return `${VERIFY_PLAN_INVALID_ARGS}: steps must have <= 200 entries`;
+    }
+    const steps = [];
+    const issues = [];
+    for (let i = 0; i < rawSteps.length; i++) {
+        const s = rawSteps[i];
+        if (typeof s !== 'object' || s === null || Array.isArray(s)) {
+            issues.push(`steps[${i}]: must be an object`);
+            continue;
+        }
+        const step = s;
+        const id = step['id'];
+        if (typeof id !== 'string' || id.trim().length === 0) {
+            issues.push(`steps[${i}].id: must be a non-empty string`);
+            continue;
+        }
+        const intent = step['intent'];
+        if (typeof intent !== 'string') {
+            issues.push(`steps[${i}].intent: must be a string`);
+            continue;
+        }
+        const toolCallsRaw = step['requiredToolCalls'];
+        let requiredToolCalls;
+        if (toolCallsRaw !== undefined && toolCallsRaw !== null) {
+            if (!Array.isArray(toolCallsRaw)) {
+                issues.push(`steps[${i}].requiredToolCalls: must be an array when present`);
+                continue;
+            }
+            requiredToolCalls = [];
+            for (let j = 0; j < toolCallsRaw.length; j++) {
+                const tc = toolCallsRaw[j];
+                if (typeof tc !== 'string' || tc.trim().length === 0) {
+                    issues.push(`steps[${i}].requiredToolCalls[${j}]: must be a non-empty string`);
+                }
+                else {
+                    requiredToolCalls.push(tc);
+                }
+            }
+        }
+        const fileChangesRaw = step['requiredFileChanges'];
+        let requiredFileChanges;
+        if (fileChangesRaw !== undefined && fileChangesRaw !== null) {
+            if (!Array.isArray(fileChangesRaw)) {
+                issues.push(`steps[${i}].requiredFileChanges: must be an array when present`);
+                continue;
+            }
+            requiredFileChanges = [];
+            for (let j = 0; j < fileChangesRaw.length; j++) {
+                const fc = fileChangesRaw[j];
+                if (typeof fc !== 'string' || fc.trim().length === 0) {
+                    issues.push(`steps[${i}].requiredFileChanges[${j}]: must be a non-empty string`);
+                }
+                else {
+                    requiredFileChanges.push(fc);
+                }
+            }
+        }
+        const built = {
+            id: id.trim(),
+            intent,
+            ...(requiredToolCalls !== undefined && requiredToolCalls.length > 0
+                ? { requiredToolCalls }
+                : {}),
+            ...(requiredFileChanges !== undefined && requiredFileChanges.length > 0
+                ? { requiredFileChanges }
+                : {}),
+        };
+        steps.push(built);
+    }
+    if (issues.length > 0) {
+        return `${VERIFY_PLAN_INVALID_ARGS}: ${issues.join('; ')}`;
+    }
+    return { steps };
+}
+export function readRelevantEvents(session) {
+    if (!session.enabled)
+        return [];
+    if (!existsSync(session.eventsPath))
+        return [];
+    const raw = readFileSync(session.eventsPath, 'utf8');
+    const events = [];
+    for (const line of raw.split('\n')) {
+        const trimmed = line.trim();
+        if (trimmed.length === 0)
+            continue;
+        let parsed;
+        try {
+            parsed = JSON.parse(trimmed);
+        }
+        catch {
+            continue;
+        }
+        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+            continue;
+        }
+        const obj = parsed;
+        if (obj['type'] === 'tool_call' && typeof obj['tool'] === 'string') {
+            events.push({ type: 'tool_call', tool: obj['tool'] });
+        }
+        else if (obj['type'] === 'file_mutation' && typeof obj['path'] === 'string') {
+            events.push({ type: 'file_mutation', path: obj['path'] });
+        }
+    }
+    return events;
+}
+export function verifyPlan(steps, events) {
+    if (steps.length === 0) {
+        return { status: 'verified', gaps: [] };
+    }
+    // Per-step consumption queues. The previous Set<string> shared across
+    // all steps allowed two steps requiring `edit` к be satisfied by a
+    // single edit call — defeating the per-step verification contract.
+    // We track per-tool counts of remaining (unconsumed) events; each step
+    // consumes one event per requiredToolCall it lists. Same approach for
+    // file mutations: each path-substring requirement consumes one matching
+    // mutation event, so two steps each requiring `foo.ts` need TWO foo.ts
+    // mutations к verify.
+    const toolCallRemaining = new Map();
+    const mutationRemaining = [];
+    for (const event of events) {
+        if (event.type === 'tool_call') {
+            toolCallRemaining.set(event.tool, (toolCallRemaining.get(event.tool) ?? 0) + 1);
+        }
+        else {
+            mutationRemaining.push(event.path);
+        }
+    }
+    const gaps = [];
+    for (const step of steps) {
+        if (step.requiredToolCalls !== undefined) {
+            for (const toolName of step.requiredToolCalls) {
+                const left = toolCallRemaining.get(toolName) ?? 0;
+                if (left <= 0) {
+                    gaps.push({
+                        stepId: step.id,
+                        intent: step.intent,
+                        missing: { kind: 'tool_call', toolName },
+                    });
+                }
+                else {
+                    toolCallRemaining.set(toolName, left - 1);
+                }
+            }
+        }
+        if (step.requiredFileChanges !== undefined) {
+            for (const pathSub of step.requiredFileChanges) {
+                const idx = mutationRemaining.findIndex((p) => pathMatches(p, pathSub));
+                if (idx === -1) {
+                    gaps.push({
+                        stepId: step.id,
+                        intent: step.intent,
+                        missing: { kind: 'file_change', pathSubstring: pathSub },
+                    });
+                }
+                else {
+                    mutationRemaining.splice(idx, 1);
+                }
+            }
+        }
+    }
+    return {
+        status: gaps.length === 0 ? 'verified' : 'gap',
+        gaps,
+    };
+}
+/**
+ * Path requirement matcher. Replaces the previous `String.includes`
+ * which falsely matched `foo.ts` against `foo.tsbackup` или `notfoo.ts`.
+ *
+ * Accepts:
+ *  - Exact match (`a/b/foo.ts` === `a/b/foo.ts`).
+ *  - Suffix match anchored on path separator (`foo.ts` matches
+ *    `a/b/foo.ts` but NOT `bar/notfoo.ts`).
+ *  - Bare basename (`foo.ts` matches mutation `foo.ts` at any depth).
+ * Path separator normalised — `\\` к `/` so Windows mutation paths
+ * still match POSIX-style requirements operators write.
+ */
+function pathMatches(mutationPath, requirement) {
+    const m = mutationPath.replace(/\\/g, '/');
+    const req = requirement.replace(/\\/g, '/');
+    if (m === req)
+        return true;
+    if (req.startsWith('/')) {
+        return m === req || m.endsWith(req);
+    }
+    return m.endsWith('/' + req);
+}
+export function verifyPlanExecution(session, steps) {
+    // Fail-CLOSED on disabled session audit. The previous vacuous-verified
+    // return turned the entire anti-fake-dispatch gate into a no-op the
+    // moment session.enabled flipped к false — an operator (or runaway
+    // model that learned к disable audit) could silently bypass every
+    // verification. The gate must surface an explicit `session_audit_disabled`
+    // gap so the engine loop forces acknowledgement instead of accepting
+    // silent success. Empty plans still trivially verify.
+    if (steps.length === 0) {
+        return { status: 'verified', gaps: [] };
+    }
+    if (!session.enabled) {
+        return {
+            status: 'gap',
+            gaps: [
+                {
+                    stepId: '__session__',
+                    intent: 'session audit must be enabled к verify plan execution',
+                    missing: { kind: 'session_audit_disabled' },
+                },
+            ],
+        };
+    }
+    const events = readRelevantEvents(session);
+    return verifyPlan(steps, events);
+}
+export function dispatchVerifyPlanExecution(session, raw) {
+    const parsed = parseVerifyPlanArgs(raw);
+    if (typeof parsed === 'string') {
+        return parsed;
+    }
+    const result = verifyPlanExecution(session, parsed.steps);
+    return JSON.stringify(result);
+}
+export const verifyPlanExecutionJsonSchema = {
+    type: 'object',
+    additionalProperties: false,
+    required: ['steps'],
+    properties: {
+        steps: {
+            type: 'array',
+            maxItems: 200,
+            description: 'Ordered list of plan steps to verify. Each step declares what tool calls ' +
+                'and file mutations must have occurred in this session for the step to be ' +
+                'considered executed. An empty array returns status=verified immediately.',
+            items: {
+                type: 'object',
+                additionalProperties: false,
+                required: ['id', 'intent'],
+                properties: {
+                    id: {
+                        type: 'string',
+                        minLength: 1,
+                        description: 'Stable opaque step identifier. Used in gap reports.',
+                    },
+                    intent: {
+                        type: 'string',
+                        description: 'Human-readable description of what the step accomplishes.',
+                    },
+                    requiredToolCalls: {
+                        type: 'array',
+                        items: { type: 'string', minLength: 1 },
+                        description: 'Tool names (e.g. "read", "write", "edit", "bash") that must appear ' +
+                            'as tool_call events in the session audit log. Each entry must match ' +
+                            'at least once. Absent or empty means no tool-call requirement.',
+                    },
+                    requiredFileChanges: {
+                        type: 'array',
+                        items: { type: 'string', minLength: 1 },
+                        description: 'File path substrings that must appear as file_mutation events. ' +
+                            'Each entry must be a substring of at least one mutated path. ' +
+                            'Absent or empty means no file-change requirement.',
+                    },
+                },
+            },
+        },
+    },
+};
+//# sourceMappingURL=verify-plan-execution.js.map

package/dist/tools/web-fetch-injection-scanner.js

@@ -0,0 +1,207 @@
+/**
+ * web_fetch injection scanner — task, P1 security follow-up.
+ *
+ * Threat model: a fetched HTTP body (HTML/text) can be authored by a
+ * hostile origin attempting prompt injection against the agent that
+ * consumes the markdown downstream. The third-party prompt-injection corpus
+ * README incident surfaced three forged `<system-reminder>` blocks in
+ * a freshly fetched README — date suppression, fake MCP tool listing,
+ * and an instruction-override block. The agents on session correctly
+ * ignored them, but that is luck, not guarantee.
+ *
+ * This scanner is the deterministic guard at the WebFetch return path.
+ * It runs BEFORE the model ever sees the body. High-severity findings
+ * trigger a defense-in-depth wrap (HTML escape + warning prepend) on
+ * top of the existing `<untrusted-content-NONCE>` sentinel. Medium/low
+ * findings are recorded but the body is passed through; the call site
+ * decides what to do with them (current policy: prepend one-line note
+ * for med, no-op for low).
+ *
+ * Pure function, no IO. Regex-driven so we ship zero new deps.
+ */
+/**
+ * Zero-width / invisible characters that have been used in prompt
+ * injection PoCs to hide instructions inside otherwise plain text.
+ * Stripped from `clean` so the model never sees the smuggled bytes.
+ *
+ * U+200B zero-width space
+ * U+200C zero-width non-joiner
+ * U+200D zero-width joiner
+ * U+2060 word joiner
+ * U+FEFF zero-width no-break space (BOM)
+ * U+180E mongolian vowel separator
+ */
+const ZERO_WIDTH_RE = /[​‌‍⁠᠎]/g;
+const HIGH_RULES = [
+    // Forged system-reminder envelopes — exactly the vector.
+    { pattern: '<system-reminder>', severity: 'high', re: /<system-reminder\b[^>]*>/i },
+    { pattern: '</system-reminder>', severity: 'high', re: /<\/system-reminder\s*>/i },
+    // Other impostor wrappers seen across published PoCs.
+    { pattern: '<important_instructions>', severity: 'high', re: /<important[_\s-]?instructions\b[^>]*>/i },
+    { pattern: '<critical_security_rules>', severity: 'high', re: /<critical[_\s-]?security[_\s-]?rules\b[^>]*>/i },
+    { pattern: '<EXTREMELY_IMPORTANT>', severity: 'high', re: /<extremely[_\s-]?important\b[^>]*>/i },
+    // Instruction-override copy with "IMPORTANT: you MUST | override | ignore previous".
+    {
+        pattern: 'IMPORTANT: instruction override',
+        severity: 'high',
+        re: /important\s*:.*?(you\s+must|override|ignore\s+previous|disregard\s+previous|ignore\s+all\s+prior)/i,
+    },
+    // Date manipulation — observed in the external prompt-injection patterns.
+    { pattern: "Today's date is now ...", severity: 'high', re: /today'?s?\s+date\s+is\s+now\b/i },
+    // Mimics the system-prompt language for tool execution semantics.
+    { pattern: 'Tools are executed in ...', severity: 'high', re: /tools?\s+are\s+executed\s+in\b/i },
+    // Embedded model-name instructions ("You are claude-opus-4-... and you must").
+    {
+        pattern: 'embedded model-name directive',
+        severity: 'high',
+        re: /\b(claude-opus-4-|claude-sonnet-4-)[a-z0-9.\-]*/i,
+    },
+    // Raw ANSI escape — only ever cursor manipulation in fetched markdown.
+    { pattern: 'ANSI escape sequence', severity: 'high', re: /\x1b\[/ },
+];
+const MED_RULES = [
+    // Skill-invocation mimicry.
+    { pattern: 'BLOCKING REQUIREMENT', severity: 'med', re: /blocking\s+requirement/i },
+    { pattern: 'you MUST invoke', severity: 'med', re: /you\s+must\s+invoke/i },
+    { pattern: 'Skill tool', severity: 'med', re: /\bskill\s+tool\b/i },
+    { pattern: 'MCP tool', severity: 'med', re: /\bmcp\s+tool\b/i },
+    // Tool-name mimicry — bare phrasing without obvious code-block
+    // context. These are common English so the rule is intentionally
+    // narrow: word-boundary + literal tool name + word "tool".
+    { pattern: 'Bash tool', severity: 'med', re: /\bbash\s+tool\b/i },
+    { pattern: 'Read tool', severity: 'med', re: /\bread\s+tool\b/i },
+    { pattern: 'Edit tool', severity: 'med', re: /\bedit\s+tool\b/i },
+];
+const LOW_RULES = [
+    { pattern: 'system prompt mention', severity: 'low', re: /\bsystem\s+prompt\b/i },
+    { pattern: 'instructions mention', severity: 'low', re: /\binstructions\b/i },
+    { pattern: 'pre-authorized mention', severity: 'low', re: /\bpre[-\s]?authori[sz]ed\b/i },
+];
+/**
+ * Detect a suspicious base64 block: >200 contiguous base64 chars on a
+ * single line. Base64 is the standard smuggling format for embedded
+ * binary blobs in prompt-injection PoCs (hidden tool definitions,
+ * obfuscated instruction sets). Below 200 chars we accept the false
+ * positives (commit hashes, JWTs, asset URLs); above 200 the signal
+ * dominates.
+ */
+const BASE64_BLOCK_RE = /[A-Za-z0-9+/]{200,}={0,2}/;
+/**
+ * HTML-escape the five characters that can break out of an element
+ * body. Mirrors `escapeForSentinelBody` in web-fetch.ts but applied
+ * selectively to flagged tags — we do NOT escape the entire body,
+ * only the high-severity matches, so the model still sees readable
+ * markdown.
+ */
+function escapeHtml(input) {
+    return input
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/**
+ * Tags that, when matched at HIGH severity, get HTML-escaped in the
+ * cleaned output. The list is intentionally narrow: any `<…>` element
+ * whose name matches one of these gets `<` and `>` swapped for
+ * entities, so a downstream consumer reads the text literally rather
+ * than parsing it as structure.
+ */
+const TAG_NAMES_TO_ESCAPE = [
+    'system-reminder',
+    'important_instructions',
+    'important-instructions',
+    'critical_security_rules',
+    'critical-security-rules',
+    'extremely_important',
+    'extremely-important',
+];
+/**
+ * Build a single regex that captures any opening/closing tag whose
+ * name is in `TAG_NAMES_TO_ESCAPE`. Used by `clean` to escape only
+ * the dangerous tags, leaving the rest of the body untouched.
+ */
+const TAG_ESCAPE_RE = new RegExp(`</?(?:${TAG_NAMES_TO_ESCAPE.join('|')})\\b[^>]*>`, 'gi');
+/**
+ * Run the rule dictionaries against a body of text and return the
+ * scrubbed clean output plus the list of findings.
+ *
+ * Line numbers are 1-indexed and reference the ORIGINAL body. The
+ * caller can rely on them to point at the same line in `clean`
+ * because the only structural changes are (1) zero-width strips and
+ * (2) HTML escaping of specific tag tokens — neither alters line
+ * counts.
+ */
+export function scanForInjection(body) {
+    if (!body)
+        return { clean: '', findings: [] };
+    const findings = [];
+    const lines = body.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i] ?? '';
+        const lineNumber = i + 1;
+        for (const rule of HIGH_RULES) {
+            if (rule.re.test(line)) {
+                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'high' });
+            }
+        }
+        for (const rule of MED_RULES) {
+            if (rule.re.test(line)) {
+                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'med' });
+            }
+        }
+        for (const rule of LOW_RULES) {
+            if (rule.re.test(line)) {
+                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'low' });
+            }
+        }
+        if (BASE64_BLOCK_RE.test(line)) {
+            findings.push({ pattern: 'long base64 block (>200 chars)', line: lineNumber, severity: 'med' });
+        }
+    }
+    // Always strip zero-width chars from the cleaned output, even when
+    // no rule explicitly flagged them. They have no legitimate use in
+    // fetched markdown content the model is meant to read.
+    let clean = body.replace(ZERO_WIDTH_RE, (match) => {
+        findings.push({
+            pattern: `zero-width char U+${match.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')}`,
+            line: 0, // multi-line; surfaced separately
+            severity: 'high',
+        });
+        return '';
+    });
+    // HTML-escape the high-severity impostor tags so a downstream parser
+    // (or another LLM) sees text, not structure.
+    clean = clean.replace(TAG_ESCAPE_RE, (match) => escapeHtml(match));
+    return { clean, findings };
+}
+/**
+ * Convenience: return the highest severity present in a findings
+ * list, or `null` if the list is empty. `high` > `med` > `low`.
+ */
+export function topSeverity(findings) {
+    if (findings.some((f) => f.severity === 'high'))
+        return 'high';
+    if (findings.some((f) => f.severity === 'med'))
+        return 'med';
+    if (findings.some((f) => f.severity === 'low'))
+        return 'low';
+    return null;
+}
+/**
+ * Render a one-line summary of high-severity findings for the safety
+ * envelope. Stable ordering: by line, then by pattern.
+ */
+export function formatHighFindings(findings) {
+    const high = findings.filter((f) => f.severity === 'high');
+    if (high.length === 0)
+        return '';
+    const sorted = [...high].sort((a, b) => {
+        if (a.line !== b.line)
+            return a.line - b.line;
+        return a.pattern.localeCompare(b.pattern);
+    });
+    return sorted.map((f) => `[${f.severity}] ${f.pattern} @ line ${f.line}`).join('; ');
+}
+//# sourceMappingURL=web-fetch-injection-scanner.js.map