@puukis/core 0.1.0

package/dist/server/index.js

@@ -0,0 +1,389 @@
+import { createServer } from 'node:http';
+import { WebSocketServer, WebSocket } from 'ws';
+import { spawnSync } from 'node:child_process';
+import path from 'node:path';
+import { promises as fs } from 'node:fs';
+import { Gateway } from '../gateway/index.js';
+import { normalizeWebMessage, BaseChannel } from '../pipeline/index.js';
+import { allBuiltinTools } from '../tools/index.js';
+import 'dotenv/config';
+/**
+ * WebSocket Channel adapter
+ */
+class WebSocketChannel extends BaseChannel {
+    type = 'web';
+    ws;
+    sessionId;
+    pendingConfirmation = null;
+    constructor(ws, sessionId) {
+        super();
+        this.ws = ws;
+        this.sessionId = sessionId;
+    }
+    async send(content) {
+        this.ws.send(JSON.stringify({
+            type: 'message',
+            sessionId: this.sessionId,
+            content,
+        }));
+    }
+    async sendStream(stream) {
+        for await (const chunk of stream) {
+            this.ws.send(JSON.stringify({
+                type: 'chunk',
+                sessionId: this.sessionId,
+                content: chunk,
+            }));
+        }
+        this.ws.send(JSON.stringify({
+            type: 'stream_end',
+            sessionId: this.sessionId,
+        }));
+    }
+    async requestConfirmation(prompt) {
+        return new Promise((resolve) => {
+            this.pendingConfirmation = resolve;
+            this.ws.send(JSON.stringify({
+                type: 'confirm_request',
+                sessionId: this.sessionId,
+                prompt,
+            }));
+            // Timeout after 60 seconds
+            setTimeout(() => {
+                if (this.pendingConfirmation) {
+                    this.pendingConfirmation(false);
+                    this.pendingConfirmation = null;
+                }
+            }, 60000);
+        });
+    }
+    handleConfirmResponse(confirmed) {
+        if (this.pendingConfirmation) {
+            this.pendingConfirmation(confirmed);
+            this.pendingConfirmation = null;
+        }
+    }
+}
+/**
+ * Start the WebSocket server
+ */
+export function startWebServer(config, options = {}) {
+    const gateway = Gateway.getInstance(config);
+    const staticAssetsDir = options.staticAssetsDir;
+    // Register all built-in tools
+    for (const tool of allBuiltinTools) {
+        gateway.toolExecutor.registerTool(tool);
+    }
+    const server = createServer((req, res) => {
+        // CORS headers
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+        if (req.method === 'OPTIONS') {
+            res.writeHead(204);
+            res.end();
+            return;
+        }
+        const url = new URL(req.url ?? '/', 'http://localhost');
+        // Simple REST endpoints
+        if (url.pathname === '/api/status') {
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({
+                status: 'ok',
+                mode: gateway.getSecurityMode(),
+                spicyEnabled: config.security.spicyModeEnabled,
+                llm: gateway.getLLMState(),
+            }));
+            return;
+        }
+        if (staticAssetsDir && req.method && ['GET', 'HEAD'].includes(req.method)) {
+            void serveStaticAsset(res, staticAssetsDir, url.pathname, req.method === 'HEAD');
+            return;
+        }
+        res.writeHead(404);
+        res.end('Not Found');
+    });
+    const wss = new WebSocketServer({ server });
+    const channels = new Map();
+    wss.on('connection', (ws) => {
+        const sessionId = crypto.randomUUID();
+        const channel = new WebSocketChannel(ws, sessionId);
+        channels.set(sessionId, channel);
+        const llmState = gateway.getLLMState();
+        console.log(`Client connected: ${sessionId}`);
+        // Send initial state
+        ws.send(JSON.stringify({
+            type: 'connected',
+            sessionId,
+            mode: gateway.getSecurityMode(),
+            spicyEnabled: config.security.spicyModeEnabled,
+            llm: llmState,
+        }));
+        void sendModels(ws, gateway, llmState.provider);
+        ws.on('message', async (data) => {
+            try {
+                const msg = JSON.parse(data.toString());
+                switch (msg.type) {
+                    case 'message': {
+                        const content = msg.content?.trim();
+                        if (!content)
+                            return;
+                        const normalized = normalizeWebMessage(sessionId, 'web-user', content, channel);
+                        // Send acknowledgment
+                        ws.send(JSON.stringify({ type: 'message_received', sessionId }));
+                        await gateway.processMessage(normalized);
+                        break;
+                    }
+                    case 'confirm_response': {
+                        channel.handleConfirmResponse(msg.confirmed ?? false);
+                        break;
+                    }
+                    case 'set_mode': {
+                        if (msg.mode) {
+                            try {
+                                gateway.setSecurityMode(msg.mode);
+                                ws.send(JSON.stringify({
+                                    type: 'mode_changed',
+                                    mode: msg.mode,
+                                }));
+                            }
+                            catch (error) {
+                                ws.send(JSON.stringify({
+                                    type: 'error',
+                                    error: error instanceof Error ? error.message : 'Failed to change mode',
+                                }));
+                            }
+                        }
+                        break;
+                    }
+                    case 'clear_session': {
+                        gateway.clearSession(`web:${sessionId}`);
+                        ws.send(JSON.stringify({ type: 'session_cleared', sessionId }));
+                        break;
+                    }
+                    case 'get_models': {
+                        await sendModels(ws, gateway, msg.provider ?? gateway.getLLMState().provider);
+                        break;
+                    }
+                    case 'set_model': {
+                        const provider = msg.provider ?? gateway.getLLMState().provider;
+                        const model = msg.model?.trim();
+                        const reasoningEffort = provider === 'openai-codex'
+                            ? normalizeCodexReasoningEffort(msg.reasoningEffort)
+                            : undefined;
+                        if (!model) {
+                            ws.send(JSON.stringify({
+                                type: 'error',
+                                error: 'Model is required',
+                            }));
+                            break;
+                        }
+                        if (provider === 'openai-codex' && typeof msg.reasoningEffort === 'string' && !reasoningEffort) {
+                            ws.send(JSON.stringify({
+                                type: 'error',
+                                error: 'Invalid reasoning effort. Expected low, medium, high, or xhigh.',
+                            }));
+                            break;
+                        }
+                        if (provider === 'openai-codex' && !isCodexInstalled()) {
+                            ws.send(JSON.stringify({
+                                type: 'codex_install_required',
+                                provider,
+                                message: 'Codex CLI is not installed. Run `keygate onboard --auth-choice openai-codex`.',
+                            }));
+                            break;
+                        }
+                        try {
+                            await gateway.setLLMSelection(provider, model, reasoningEffort);
+                            const state = gateway.getLLMState();
+                            ws.send(JSON.stringify({
+                                type: 'model_changed',
+                                llm: state,
+                            }));
+                            await sendModels(ws, gateway, state.provider);
+                        }
+                        catch (error) {
+                            ws.send(JSON.stringify({
+                                type: 'error',
+                                error: error instanceof Error ? error.message : 'Failed to switch model',
+                            }));
+                        }
+                        break;
+                    }
+                }
+            }
+            catch (error) {
+                console.error('WebSocket message error:', error);
+                ws.send(JSON.stringify({
+                    type: 'error',
+                    error: 'Invalid message format',
+                }));
+            }
+        });
+        ws.on('close', () => {
+            console.log(`Client disconnected: ${sessionId}`);
+            channels.delete(sessionId);
+        });
+    });
+    // Forward gateway events to all connected clients
+    gateway.on('tool:start', (event) => {
+        broadcast(wss, { type: 'tool_start', ...event });
+    });
+    gateway.on('tool:end', (event) => {
+        broadcast(wss, { type: 'tool_end', ...event });
+    });
+    gateway.on('mode:changed', (event) => {
+        broadcast(wss, { type: 'mode_changed', ...event });
+    });
+    gateway.on('provider:event', (event) => {
+        broadcast(wss, { type: 'provider_event', ...event });
+    });
+    server.listen(config.server.port, () => {
+        console.log(`🌐 Keygate Web Server running on http://localhost:${config.server.port}`);
+        if (options.onListening) {
+            void Promise.resolve(options.onListening()).catch((error) => {
+                console.error('Startup hook failed:', error);
+            });
+        }
+    });
+}
+function broadcast(wss, data) {
+    const msg = JSON.stringify(data);
+    wss.clients.forEach((client) => {
+        if (client.readyState === WebSocket.OPEN) {
+            client.send(msg);
+        }
+    });
+}
+export { WebSocketChannel };
+async function sendModels(ws, gateway, provider) {
+    try {
+        const models = await gateway.listAvailableModels(provider);
+        ws.send(JSON.stringify({
+            type: 'models',
+            provider,
+            models,
+        }));
+    }
+    catch (error) {
+        ws.send(JSON.stringify({
+            type: 'models',
+            provider,
+            models: [],
+            error: error instanceof Error ? error.message : 'Failed to fetch models',
+        }));
+    }
+}
+function isCodexInstalled() {
+    const result = spawnSync('codex', ['--version'], {
+        stdio: 'pipe',
+    });
+    return result.status === 0;
+}
+function normalizeCodexReasoningEffort(value) {
+    if (typeof value !== 'string') {
+        return undefined;
+    }
+    const normalized = value.trim().toLowerCase();
+    switch (normalized) {
+        case 'low':
+        case 'medium':
+        case 'high':
+            return normalized;
+        case 'xhigh':
+        case 'extra-high':
+        case 'extra_high':
+        case 'extra high':
+            return 'xhigh';
+        default:
+            return undefined;
+    }
+}
+async function serveStaticAsset(res, staticAssetsDir, requestPath, headOnly) {
+    const normalizedPath = sanitizePathname(requestPath);
+    const resolvedAssetsDir = path.resolve(staticAssetsDir);
+    const tryPaths = normalizedPath === '/'
+        ? [path.join(resolvedAssetsDir, 'index.html')]
+        : [path.join(resolvedAssetsDir, normalizedPath.slice(1))];
+    // SPA fallback for routes without extension.
+    if (!path.extname(normalizedPath)) {
+        tryPaths.push(path.join(resolvedAssetsDir, 'index.html'));
+    }
+    for (const filePath of tryPaths) {
+        const resolved = path.resolve(filePath);
+        if (!resolved.startsWith(resolvedAssetsDir + path.sep) && resolved !== path.join(resolvedAssetsDir, 'index.html')) {
+            continue;
+        }
+        try {
+            const stats = await fs.stat(resolved);
+            if (!stats.isFile()) {
+                continue;
+            }
+            const contentType = getContentType(resolved);
+            res.writeHead(200, {
+                'Content-Type': contentType,
+                'Cache-Control': getCacheControl(resolved),
+            });
+            if (headOnly) {
+                res.end();
+                return;
+            }
+            const content = await fs.readFile(resolved);
+            res.end(content);
+            return;
+        }
+        catch {
+            // Try next path candidate.
+        }
+    }
+    res.writeHead(404);
+    res.end('Not Found');
+}
+function sanitizePathname(input) {
+    const decoded = decodeURIComponent(input);
+    const normalized = path.posix.normalize(decoded);
+    if (!normalized.startsWith('/')) {
+        return `/${normalized}`;
+    }
+    return normalized;
+}
+function getContentType(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    switch (ext) {
+        case '.html':
+            return 'text/html; charset=utf-8';
+        case '.js':
+            return 'application/javascript; charset=utf-8';
+        case '.mjs':
+            return 'application/javascript; charset=utf-8';
+        case '.css':
+            return 'text/css; charset=utf-8';
+        case '.json':
+            return 'application/json; charset=utf-8';
+        case '.svg':
+            return 'image/svg+xml';
+        case '.png':
+            return 'image/png';
+        case '.jpg':
+        case '.jpeg':
+            return 'image/jpeg';
+        case '.gif':
+            return 'image/gif';
+        case '.webp':
+            return 'image/webp';
+        case '.ico':
+            return 'image/x-icon';
+        case '.txt':
+            return 'text/plain; charset=utf-8';
+        default:
+            return 'application/octet-stream';
+    }
+}
+function getCacheControl(filePath) {
+    const base = path.basename(filePath);
+    if (base === 'index.html') {
+        return 'no-cache';
+    }
+    return 'public, max-age=31536000, immutable';
+}
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,OAAO,eAAe,CAAC;AAkBvB;;GAEG;AACH,MAAM,gBAAiB,SAAQ,WAAW;IACxC,IAAI,GAAG,KAAc,CAAC;IACd,EAAE,CAAY;IACd,SAAS,CAAS;IAClB,mBAAmB,GAA0C,IAAI,CAAC;IAE1E,YAAY,EAAa,EAAE,SAAiB;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe;QACxB,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1B,IAAI,EAAE,SAAS;YACf,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,OAAO;SACR,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAA6B;QAC5C,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YACjC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC1B,IAAI,EAAE,OAAO;gBACb,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC,CAAC;QACN,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1B,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,MAAc;QACtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC;YACnC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC1B,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,MAAM;aACP,CAAC,CAAC,CAAC;YAEJ,2BAA2B;YAC3B,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBAC7B,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;oBAChC,IAAI,CAAC,mBAAmB,GAAG,IAAI,CAAC;gBAClC,CAAC;YACH,CAAC,EAAE,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,qBAAqB,CAAC,SAAkB;QACtC,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC7B,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACpC,IAAI,CAAC,mBAAmB,GAAG,IAAI,CAAC;QAClC,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAqB,EAAE,UAAiC,EAAE;IACvF,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IAEhD,8BAA8B;IAC9B,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,OAAO,CAAC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,eAAe;QACf,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAClD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,oBAAoB,CAAC,CAAC;QACpE,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QAExD,wBAAwB;QACxB,IAAI,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;YACnC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;gBACrB,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,OAAO,CAAC,eAAe,EAAE;gBAC/B,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,gBAAgB;gBAC9C,GAAG,EAAE,OAAO,CAAC,WAAW,EAAE;aAC3B,CAAC,CAAC,CAAC;YACJ,OAAO;QACT,CAAC;QAED,IAAI,eAAe,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1E,KAAK,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;YACjF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA4B,CAAC;IAErD,GAAG,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,EAAE,EAAE,EAAE;QAC1B,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;QACpD,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAEvC,OAAO,CAAC,GAAG,CAAC,qBAAqB,SAAS,EAAE,CAAC,CAAC;QAE9C,qBAAqB;QACrB,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACrB,IAAI,EAAE,WAAW;YACjB,SAAS;YACT,IAAI,EAAE,OAAO,CAAC,eAAe,EAAE;YAC/B,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,gBAAgB;YAC9C,GAAG,EAAE,QAAQ;SACd,CAAC,CAAC,CAAC;QAEJ,KAAK,UAAU,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEhD,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;YAC9B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAc,CAAC;gBAErD,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;oBACjB,KAAK,SAAS,CAAC,CAAC,CAAC;wBACf,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;wBACpC,IAAI,CAAC,OAAO;4BAAE,OAAO;wBAErB,MAAM,UAAU,GAAG,mBAAmB,CACpC,SAAS,EACT,UAAU,EACV,OAAO,EACP,OAAO,CACR,CAAC;wBAEF,sBAAsB;wBACtB,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;wBAEjE,MAAM,OAAO,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;wBACzC,MAAM;oBACR,CAAC;oBAED,KAAK,kBAAkB,CAAC,CAAC,CAAC;wBACxB,OAAO,CAAC,qBAAqB,CAAC,GAAG,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;wBACtD,MAAM;oBACR,CAAC;oBAED,KAAK,UAAU,CAAC,CAAC,CAAC;wBAChB,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;4BACb,IAAI,CAAC;gCACH,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gCAClC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;oCACrB,IAAI,EAAE,cAAc;oCACpB,IAAI,EAAE,GAAG,CAAC,IAAI;iCACf,CAAC,CAAC,CAAC;4BACN,CAAC;4BAAC,OAAO,KAAK,EAAE,CAAC;gCACf,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;oCACrB,IAAI,EAAE,OAAO;oCACb,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;iCACxE,CAAC,CAAC,CAAC;4BACN,CAAC;wBACH,CAAC;wBACD,MAAM;oBACR,CAAC;oBAED,KAAK,eAAe,CAAC,CAAC,CAAC;wBACrB,OAAO,CAAC,YAAY,CAAC,OAAO,SAAS,EAAE,CAAC,CAAC;wBACzC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;wBAChE,MAAM;oBACR,CAAC;oBAED,KAAK,YAAY,CAAC,CAAC,CAAC;wBAClB,MAAM,UAAU,CAAC,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC;wBAC9E,MAAM;oBACR,CAAC;oBAED,KAAK,WAAW,CAAC,CAAC,CAAC;wBACjB,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC;wBAChE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;wBAChC,MAAM,eAAe,GAAG,QAAQ,KAAK,cAAc;4BACjD,CAAC,CAAC,6BAA6B,CAAC,GAAG,CAAC,eAAe,CAAC;4BACpD,CAAC,CAAC,SAAS,CAAC;wBAEd,IAAI,CAAC,KAAK,EAAE,CAAC;4BACX,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gCACrB,IAAI,EAAE,OAAO;gCACb,KAAK,EAAE,mBAAmB;6BAC3B,CAAC,CAAC,CAAC;4BACJ,MAAM;wBACR,CAAC;wBAED,IAAI,QAAQ,KAAK,cAAc,IAAI,OAAO,GAAG,CAAC,eAAe,KAAK,QAAQ,IAAI,CAAC,eAAe,EAAE,CAAC;4BAC/F,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gCACrB,IAAI,EAAE,OAAO;gCACb,KAAK,EAAE,iEAAiE;6BACzE,CAAC,CAAC,CAAC;4BACJ,MAAM;wBACR,CAAC;wBAED,IAAI,QAAQ,KAAK,cAAc,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;4BACvD,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gCACrB,IAAI,EAAE,wBAAwB;gCAC9B,QAAQ;gCACR,OAAO,EAAE,+EAA+E;6BACzF,CAAC,CAAC,CAAC;4BACJ,MAAM;wBACR,CAAC;wBAED,IAAI,CAAC;4BACH,MAAM,OAAO,CAAC,eAAe,CAAC,QAAQ,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;4BAChE,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;4BACpC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gCACrB,IAAI,EAAE,eAAe;gCACrB,GAAG,EAAE,KAAK;6BACX,CAAC,CAAC,CAAC;4BACJ,MAAM,UAAU,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;wBAChD,CAAC;wBAAC,OAAO,KAAK,EAAE,CAAC;4BACf,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gCACrB,IAAI,EAAE,OAAO;gCACb,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB;6BACzE,CAAC,CAAC,CAAC;wBACN,CAAC;wBACD,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;gBACjD,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;oBACrB,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,wBAAwB;iBAChC,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,OAAO,CAAC,GAAG,CAAC,wBAAwB,SAAS,EAAE,CAAC,CAAC;YACjD,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kDAAkD;IAClD,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACjC,SAAS,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;QAC/B,SAAS,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC,KAAK,EAAE,EAAE;QACnC,SAAS,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,KAAK,EAAE,EAAE;QACrC,SAAS,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,qDAAqD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAEvF,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,KAAK,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC1D,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAAC,GAAoB,EAAE,IAAY;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACjC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;QAC7B,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAE5B,KAAK,UAAU,UAAU,CACvB,EAAa,EACb,OAAgB,EAChB,QAA0C;IAE1C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC3D,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACrB,IAAI,EAAE,QAAQ;YACd,QAAQ;YACR,MAAM;SACP,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACrB,IAAI,EAAE,QAAQ;YACd,QAAQ;YACR,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB;SACzE,CAAC,CAAC,CAAC;IACN,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE;QAC/C,KAAK,EAAE,MAAM;KACd,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,6BAA6B,CAAC,KAAc;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE9C,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,KAAK,CAAC;QACX,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM;YACT,OAAO,UAAU,CAAC;QACpB,KAAK,OAAO,CAAC;QACb,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,OAAO,CAAC;QACjB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,GAAuC,EACvC,eAAuB,EACvB,WAAmB,EACnB,QAAiB;IAEjB,MAAM,cAAc,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAG,cAAc,KAAK,GAAG;QACrC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5D,6CAA6C;IAC7C,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAY,CAAC,EAAE,CAAC;YAClH,SAAS;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC7C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjB,cAAc,EAAE,WAAW;gBAC3B,eAAe,EAAE,eAAe,CAAC,QAAQ,CAAC;aAC3C,CAAC,CAAC;YAEH,IAAI,QAAQ,EAAE,CAAC;gBACb,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5C,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACjB,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,2BAA2B;QAC7B,CAAC;IACH,CAAC;IAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,UAAU,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO;YACV,OAAO,0BAA0B,CAAC;QACpC,KAAK,KAAK;YACR,OAAO,uCAAuC,CAAC;QACjD,KAAK,MAAM;YACT,OAAO,uCAAuC,CAAC;QACjD,KAAK,MAAM;YACT,OAAO,yBAAyB,CAAC;QACnC,KAAK,OAAO;YACV,OAAO,iCAAiC,CAAC;QAC3C,KAAK,MAAM;YACT,OAAO,eAAe,CAAC;QACzB,KAAK,MAAM;YACT,OAAO,WAAW,CAAC;QACrB,KAAK,MAAM,CAAC;QACZ,KAAK,OAAO;YACV,OAAO,YAAY,CAAC;QACtB,KAAK,MAAM;YACT,OAAO,WAAW,CAAC;QACrB,KAAK,OAAO;YACV,OAAO,YAAY,CAAC;QACtB,KAAK,MAAM;YACT,OAAO,cAAc,CAAC;QACxB,KAAK,MAAM;YACT,OAAO,2BAA2B,CAAC;QACrC;YACE,OAAO,0BAA0B,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,qCAAqC,CAAC;AAC/C,CAAC"}

package/dist/tools/ToolExecutor.d.ts

@@ -0,0 +1,68 @@
+import type { SecurityMode, Tool, ToolCall, ToolResult, Channel } from '../types.js';
+import type { Gateway } from '../gateway/Gateway.js';
+/**
+ * ToolExecutor - Mode-switching security middleware
+ *
+ * Safe Mode:
+ * - Path jail to workspace directory
+ * - Command allowlist (git, ls, npm, cat, node)
+ * - Human-in-the-loop confirmation for write/execute
+ *
+ * Spicy Mode:
+ * - Full host access
+ * - Unrestricted shell
+ * - Autonomous execution
+ */
+export declare class ToolExecutor {
+    private mode;
+    private workspacePath;
+    private allowedBinaries;
+    private toolRegistry;
+    private gateway;
+    constructor(mode: SecurityMode, workspacePath: string, allowedBinaries: string[], gateway: Gateway);
+    /**
+     * Register a tool
+     */
+    registerTool(tool: Tool): void;
+    /**
+     * Get all registered tool definitions (for LLM)
+     */
+    getToolDefinitions(): Tool[];
+    /**
+     * Set security mode
+     */
+    setMode(mode: SecurityMode): void;
+    /**
+     * Execute a tool call with security checks
+     */
+    execute(call: ToolCall, channel: Channel): Promise<ToolResult>;
+    /**
+     * Apply safety checks for Safe Mode
+     */
+    private applySafetyChecks;
+    /**
+     * Assert that a path is within the workspace (jail)
+     */
+    private assertPathInWorkspace;
+    /**
+     * Assert that a command uses an allowed binary
+     */
+    private assertBinaryAllowed;
+    /**
+     * Request human confirmation for a tool call
+     */
+    private requestConfirmation;
+    /**
+     * Expand ~ to home directory
+     */
+    private expandPath;
+    /**
+     * Get the resolved workspace path
+     */
+    getWorkspacePath(): string;
+    /**
+     * Get current mode
+     */
+    getMode(): SecurityMode;
+}
+//# sourceMappingURL=ToolExecutor.d.ts.map

package/dist/tools/ToolExecutor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ToolExecutor.d.ts","sourceRoot":"","sources":["../../src/tools/ToolExecutor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,YAAY,EACZ,IAAI,EACJ,QAAQ,EACR,UAAU,EACV,OAAO,EACR,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAErD;;;;;;;;;;;;GAYG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,IAAI,CAAe;IAC3B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,eAAe,CAAc;IACrC,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,OAAO,CAAU;gBAGvB,IAAI,EAAE,YAAY,EAClB,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,EAAE,EACzB,OAAO,EAAE,OAAO;IAQlB;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI;IAI9B;;OAEG;IACH,kBAAkB,IAAI,IAAI,EAAE;IAI5B;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,YAAY,GAAG,IAAI;IAIjC;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC;IAqDpE;;OAEG;YACW,iBAAiB;IA8B/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAY7B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoB3B;;OAEG;YACW,mBAAmB;IAQjC;;OAEG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,gBAAgB,IAAI,MAAM;IAI1B;;OAEG;IACH,OAAO,IAAI,YAAY;CAGxB"}

package/dist/tools/ToolExecutor.js

@@ -0,0 +1,177 @@
+import * as path from 'node:path';
+import * as os from 'node:os';
+/**
+ * ToolExecutor - Mode-switching security middleware
+ *
+ * Safe Mode:
+ * - Path jail to workspace directory
+ * - Command allowlist (git, ls, npm, cat, node)
+ * - Human-in-the-loop confirmation for write/execute
+ *
+ * Spicy Mode:
+ * - Full host access
+ * - Unrestricted shell
+ * - Autonomous execution
+ */
+export class ToolExecutor {
+    mode;
+    workspacePath;
+    allowedBinaries;
+    toolRegistry = new Map();
+    gateway;
+    constructor(mode, workspacePath, allowedBinaries, gateway) {
+        this.mode = mode;
+        this.workspacePath = this.expandPath(workspacePath);
+        this.allowedBinaries = new Set(allowedBinaries);
+        this.gateway = gateway;
+    }
+    /**
+     * Register a tool
+     */
+    registerTool(tool) {
+        this.toolRegistry.set(tool.name, tool);
+    }
+    /**
+     * Get all registered tool definitions (for LLM)
+     */
+    getToolDefinitions() {
+        return Array.from(this.toolRegistry.values());
+    }
+    /**
+     * Set security mode
+     */
+    setMode(mode) {
+        this.mode = mode;
+    }
+    /**
+     * Execute a tool call with security checks
+     */
+    async execute(call, channel) {
+        const tool = this.toolRegistry.get(call.name);
+        if (!tool) {
+            return {
+                success: false,
+                output: '',
+                error: `Unknown tool: ${call.name}`,
+            };
+        }
+        // Emit tool:start event
+        this.gateway.emit('tool:start', {
+            sessionId: 'current', // TODO: Pass session context
+            tool: call.name,
+            args: call.arguments,
+        });
+        try {
+            // Apply security checks in Safe Mode
+            if (this.mode === 'safe') {
+                await this.applySafetyChecks(tool, call, channel);
+            }
+            // Execute the tool
+            const result = await tool.handler(call.arguments);
+            // Emit tool:end event
+            this.gateway.emit('tool:end', {
+                sessionId: 'current',
+                tool: call.name,
+                result,
+            });
+            return result;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            const result = {
+                success: false,
+                output: '',
+                error: errorMessage,
+            };
+            this.gateway.emit('tool:end', {
+                sessionId: 'current',
+                tool: call.name,
+                result,
+            });
+            return result;
+        }
+    }
+    /**
+     * Apply safety checks for Safe Mode
+     */
+    async applySafetyChecks(tool, call, channel) {
+        // Path validation for filesystem tools
+        if (tool.type === 'filesystem') {
+            const targetPath = call.arguments['path'];
+            if (targetPath) {
+                this.assertPathInWorkspace(targetPath);
+            }
+        }
+        // Command validation for shell tools
+        if (tool.type === 'shell') {
+            const command = call.arguments['command'];
+            if (command) {
+                this.assertBinaryAllowed(command);
+            }
+        }
+        // Human-in-the-loop confirmation for dangerous operations
+        if (tool.requiresConfirmation) {
+            const confirmed = await this.requestConfirmation(call, channel);
+            if (!confirmed) {
+                throw new Error('Action cancelled by user');
+            }
+        }
+    }
+    /**
+     * Assert that a path is within the workspace (jail)
+     */
+    assertPathInWorkspace(targetPath) {
+        const resolvedPath = path.resolve(this.workspacePath, targetPath);
+        const normalizedWorkspace = path.normalize(this.workspacePath);
+        if (!resolvedPath.startsWith(normalizedWorkspace)) {
+            throw new Error(`Access denied: Path "${targetPath}" is outside the workspace. ` +
+                `Only paths within "${this.workspacePath}" are allowed in Safe Mode.`);
+        }
+    }
+    /**
+     * Assert that a command uses an allowed binary
+     */
+    assertBinaryAllowed(command) {
+        // Extract the binary name from the command
+        const parts = command.trim().split(/\s+/);
+        const binary = parts[0];
+        if (!binary) {
+            throw new Error('Empty command');
+        }
+        // Handle absolute paths
+        const binaryName = path.basename(binary);
+        if (!this.allowedBinaries.has(binaryName)) {
+            throw new Error(`Access denied: Binary "${binaryName}" is not in the allowlist. ` +
+                `Allowed binaries: ${Array.from(this.allowedBinaries).join(', ')}`);
+        }
+    }
+    /**
+     * Request human confirmation for a tool call
+     */
+    async requestConfirmation(call, channel) {
+        const prompt = `🔐 Confirm action:\n\`${call.name}(${JSON.stringify(call.arguments)})\`\n\nProceed? [Y/n]`;
+        return channel.requestConfirmation(prompt);
+    }
+    /**
+     * Expand ~ to home directory
+     */
+    expandPath(inputPath) {
+        if (inputPath.startsWith('~')) {
+            return path.join(os.homedir(), inputPath.slice(1));
+        }
+        return inputPath;
+    }
+    /**
+     * Get the resolved workspace path
+     */
+    getWorkspacePath() {
+        return this.workspacePath;
+    }
+    /**
+     * Get current mode
+     */
+    getMode() {
+        return this.mode;
+    }
+}
+//# sourceMappingURL=ToolExecutor.js.map

package/dist/tools/ToolExecutor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ToolExecutor.js","sourceRoot":"","sources":["../../src/tools/ToolExecutor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAU9B;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,YAAY;IACf,IAAI,CAAe;IACnB,aAAa,CAAS;IACtB,eAAe,CAAc;IAC7B,YAAY,GAAG,IAAI,GAAG,EAAgB,CAAC;IACvC,OAAO,CAAU;IAEzB,YACE,IAAkB,EAClB,aAAqB,EACrB,eAAyB,EACzB,OAAgB;QAEhB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAU;QACrB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAkB;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,IAAc,EAAE,OAAgB;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE9C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,iBAAiB,IAAI,CAAC,IAAI,EAAE;aACpC,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE;YAC9B,SAAS,EAAE,SAAS,EAAE,6BAA6B;YACnD,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,SAAS;SACrB,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,qCAAqC;YACrC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBACzB,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YACpD,CAAC;YAED,mBAAmB;YACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAElD,sBAAsB;YACtB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE;gBAC5B,SAAS,EAAE,SAAS;gBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM;aACP,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,MAAM,MAAM,GAAe;gBACzB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,YAAY;aACpB,CAAC;YAEF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE;gBAC5B,SAAS,EAAE,SAAS;gBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM;aACP,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,IAAU,EACV,IAAc,EACd,OAAgB;QAEhB,uCAAuC;QACvC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAuB,CAAC;YAChE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAuB,CAAC;YAChE,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAChE,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,qBAAqB,CAAC,UAAkB;QAC9C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAE/D,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,wBAAwB,UAAU,8BAA8B;gBAChE,sBAAsB,IAAI,CAAC,aAAa,6BAA6B,CACtE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,OAAe;QACzC,2CAA2C;QAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAExB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QAED,wBAAwB;QACxB,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEzC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CACb,0BAA0B,UAAU,6BAA6B;gBACjE,qBAAqB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,mBAAmB,CAC/B,IAAc,EACd,OAAgB;QAEhB,MAAM,MAAM,GAAG,yBAAyB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,uBAAuB,CAAC;QAC3G,OAAO,OAAO,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,SAAiB;QAClC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF"}