npm - @qlucent/fishi-core - Versions diffs - 0.6.0 → 0.7.0 - Mend

@qlucent/fishi-core 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -568,6 +568,62 @@ declare function getAgentSummary(projectDir: string): Record<string, {
     filesChanged: number;
 }>;
+type SandboxMode = 'docker' | 'process';
+interface SandboxConfig {
+    mode: SandboxMode;
+    dockerAvailable: boolean;
+}
+interface SandboxPolicy {
+    networkAllow: string[];
+    envPassthrough: string[];
+    timeout: number;
+    memory: string;
+    cpus: number;
+}
+interface SandboxRunResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+    timedOut: boolean;
+}
+/**
+ * Detect if Docker is installed and running.
+ */
+declare function detectDocker(): boolean;
+/**
+ * Read sandbox config from .fishi/fishi.yaml
+ */
+declare function readSandboxConfig(projectDir: string): SandboxConfig;
+/**
+ * Read sandbox policy from .fishi/sandbox-policy.yaml, or return defaults.
+ */
+declare function readSandboxPolicy(projectDir: string): SandboxPolicy;
+/**
+ * Build a restricted env object for process mode.
+ * Strips all env vars except explicitly allowed ones + essentials.
+ */
+declare function buildSandboxEnv(policy: SandboxPolicy): Record<string, string>;
+/**
+ * Run a command in process-mode sandbox.
+ */
+declare function runInProcessSandbox(command: string, args: string[], worktreePath: string, policy: SandboxPolicy): SandboxRunResult;
+/**
+ * Run a command in Docker sandbox.
+ */
+declare function runInDockerSandbox(command: string, args: string[], worktreePath: string, policy: SandboxPolicy, options?: {
+    nodeModulesPath?: string;
+}): SandboxRunResult;
+/**
+ * Run a command in the configured sandbox mode.
+ */
+declare function runInSandbox(command: string, args: string[], worktreePath: string, projectDir: string, options?: {
+    nodeModulesPath?: string;
+}): SandboxRunResult;
+declare function getSandboxPolicyTemplate(): string;
+declare function getDockerfileTemplate(): string;
 declare function getDashboardHtml(): string;
-export { type AgentDefinition, type AgentRole, type AgentTemplate, type BackupManifest, type BrownfieldAnalysisData, type ClaudeMdOptions, type CommandTemplate, type ConflictCategory, type ConflictMap, type ConflictResolution, type CostMode, type DetectionCheck, type DetectionResult, type DynamicAgent, type DynamicAgentConfig, type ExecutionConfig, type FileConflict, type FileResolutionMap, type FishiConfig, type FishiYamlOptions, type GateConfig, type GateStatus, type GitConfig, type HookTemplate, type InitOptions, type McpConfig, type McpServerConfig, type ModelRoutingConfig, type ModelTier, type MonitorEvent, type MonitorState, type MonitorSummary, type ProjectConfig, type ProjectType, type ProjectYamlOptions, type ScaffoldOptions, type ScaffoldResult, type SkillTemplate, type StateConfig, type TaskStatus, type TaskboardConfig, type TemplateContext, architectAgentTemplate, backendAgentTemplate, createBackup, detectConflicts, devLeadTemplate, devopsAgentTemplate, docsAgentTemplate, emitEvent, frontendAgentTemplate, fullstackAgentTemplate, generateScaffold, getAdaptiveTaskGraphSkill, getAgentCompleteHook, getAgentFactoryTemplate, getAgentRegistryTemplate, getAgentSummary, getApiDesignSkill, getAutoCheckpointHook, getBoardCommand, getBrainstormingSkill, getBrownfieldAnalysisSkill, getBrownfieldDiscoverySkill, getClaudeMdTemplate, getCodeGenSkill, getCoordinatorFactoryTemplate, getDashboardHtml, getDebuggingSkill, getDeploymentSkill, getDocCheckerScript, getDocumentationSkill, getFishiYamlTemplate, getGateCommand, getGateManagerScript, getGitignoreAdditions, getInitCommand, getLearningsManagerScript, getMasterOrchestratorTemplate, getMcpJsonTemplate, getMemoryManagerScript, getModelRoutingReference, getMonitorEmitterScript, getPhaseRunnerScript, getPostEditHook, getPrdCommand, getPrdSkill, getProjectYamlTemplate, getResetCommand, getResumeCommand, getSafetyCheckHook, getSessionStartHook, getSettingsJsonTemplate, getSprintCommand, getStatusCommand, getTaskboardOpsSkill, getTaskboardUpdateHook, getTestingSkill, getTodoManagerScript, getValidateScaffoldScript, getWorktreeManagerScript, getWorktreeSetupHook, marketingAgentTemplate, mergeClaudeMd, mergeClaudeMdTop, mergeGitignore, mergeMcpJson, mergeSettingsJson, opsLeadTemplate, planningAgentTemplate, planningLeadTemplate, qualityLeadTemplate, readMonitorState, researchAgentTemplate, securityAgentTemplate, testingAgentTemplate, uiuxAgentTemplate, writingAgentTemplate };
+export { type AgentDefinition, type AgentRole, type AgentTemplate, type BackupManifest, type BrownfieldAnalysisData, type ClaudeMdOptions, type CommandTemplate, type ConflictCategory, type ConflictMap, type ConflictResolution, type CostMode, type DetectionCheck, type DetectionResult, type DynamicAgent, type DynamicAgentConfig, type ExecutionConfig, type FileConflict, type FileResolutionMap, type FishiConfig, type FishiYamlOptions, type GateConfig, type GateStatus, type GitConfig, type HookTemplate, type InitOptions, type McpConfig, type McpServerConfig, type ModelRoutingConfig, type ModelTier, type MonitorEvent, type MonitorState, type MonitorSummary, type ProjectConfig, type ProjectType, type ProjectYamlOptions, type SandboxConfig, type SandboxMode, type SandboxPolicy, type SandboxRunResult, type ScaffoldOptions, type ScaffoldResult, type SkillTemplate, type StateConfig, type TaskStatus, type TaskboardConfig, type TemplateContext, architectAgentTemplate, backendAgentTemplate, buildSandboxEnv, createBackup, detectConflicts, detectDocker, devLeadTemplate, devopsAgentTemplate, docsAgentTemplate, emitEvent, frontendAgentTemplate, fullstackAgentTemplate, generateScaffold, getAdaptiveTaskGraphSkill, getAgentCompleteHook, getAgentFactoryTemplate, getAgentRegistryTemplate, getAgentSummary, getApiDesignSkill, getAutoCheckpointHook, getBoardCommand, getBrainstormingSkill, getBrownfieldAnalysisSkill, getBrownfieldDiscoverySkill, getClaudeMdTemplate, getCodeGenSkill, getCoordinatorFactoryTemplate, getDashboardHtml, getDebuggingSkill, getDeploymentSkill, getDocCheckerScript, getDockerfileTemplate, getDocumentationSkill, getFishiYamlTemplate, getGateCommand, getGateManagerScript, getGitignoreAdditions, getInitCommand, getLearningsManagerScript, getMasterOrchestratorTemplate, getMcpJsonTemplate, getMemoryManagerScript, getModelRoutingReference, getMonitorEmitterScript, getPhaseRunnerScript, getPostEditHook, getPrdCommand, getPrdSkill, getProjectYamlTemplate, getResetCommand, getResumeCommand, getSafetyCheckHook, getSandboxPolicyTemplate, getSessionStartHook, getSettingsJsonTemplate, getSprintCommand, getStatusCommand, getTaskboardOpsSkill, getTaskboardUpdateHook, getTestingSkill, getTodoManagerScript, getValidateScaffoldScript, getWorktreeManagerScript, getWorktreeSetupHook, marketingAgentTemplate, mergeClaudeMd, mergeClaudeMdTop, mergeGitignore, mergeMcpJson, mergeSettingsJson, opsLeadTemplate, planningAgentTemplate, planningLeadTemplate, qualityLeadTemplate, readMonitorState, readSandboxConfig, readSandboxPolicy, researchAgentTemplate, runInDockerSandbox, runInProcessSandbox, runInSandbox, securityAgentTemplate, testingAgentTemplate, uiuxAgentTemplate, writingAgentTemplate };

package/dist/index.js CHANGED Viewed

@@ -11111,7 +11111,7 @@ async function createBackup(targetDir, conflictingFiles) {
       manifestFiles.push({ path: relPath, size: stat.size });
     }
   }
-  const fishiVersion = "0.6.0";
+  const fishiVersion = "0.7.0";
   const manifest = {
     timestamp: now.toISOString(),
     fishi_version: fishiVersion,
@@ -11218,6 +11218,204 @@ function getAgentSummary(projectDir) {
   return agents;
 }
+// src/generators/sandbox.ts
+import { execSync, execFileSync } from "child_process";
+import { existsSync as existsSync5, readFileSync as readFileSync2 } from "fs";
+import { join as join5 } from "path";
+var DEFAULT_POLICY = {
+  networkAllow: ["registry.npmjs.org", "localhost", "127.0.0.1"],
+  envPassthrough: [],
+  timeout: 600,
+  // 10 minutes
+  memory: "2g",
+  cpus: 2
+};
+function detectDocker() {
+  try {
+    execSync("docker info", { stdio: "pipe", timeout: 5e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function readSandboxConfig(projectDir) {
+  const yamlPath = join5(projectDir, ".fishi", "fishi.yaml");
+  if (!existsSync5(yamlPath)) {
+    return { mode: "process", dockerAvailable: false };
+  }
+  const content = readFileSync2(yamlPath, "utf-8");
+  const modeMatch = content.match(/^\s*mode:\s*(docker|process)/m);
+  const dockerMatch = content.match(/^\s*docker_available:\s*(true|false)/m);
+  return {
+    mode: modeMatch?.[1] || "process",
+    dockerAvailable: dockerMatch?.[1] === "true"
+  };
+}
+function readSandboxPolicy(projectDir) {
+  const policyPath = join5(projectDir, ".fishi", "sandbox-policy.yaml");
+  if (!existsSync5(policyPath)) return { ...DEFAULT_POLICY };
+  const content = readFileSync2(policyPath, "utf-8");
+  const networkAllow = extractYamlList(content, "network_allow") || DEFAULT_POLICY.networkAllow;
+  const envPassthrough = extractYamlList(content, "env_passthrough") || DEFAULT_POLICY.envPassthrough;
+  const timeoutMatch = content.match(/^\s*timeout:\s*(\d+)/m);
+  const memoryMatch = content.match(/^\s*memory:\s*["']?(\S+?)["']?\s*$/m);
+  const cpusMatch = content.match(/^\s*cpus:\s*(\d+)/m);
+  return {
+    networkAllow,
+    envPassthrough,
+    timeout: timeoutMatch ? parseInt(timeoutMatch[1], 10) : DEFAULT_POLICY.timeout,
+    memory: memoryMatch?.[1] || DEFAULT_POLICY.memory,
+    cpus: cpusMatch ? parseInt(cpusMatch[1], 10) : DEFAULT_POLICY.cpus
+  };
+}
+function extractYamlList(content, key) {
+  const regex = new RegExp(`^\\s*${key}:\\s*\\n((?:\\s+-\\s*.+\\n?)*)`, "m");
+  const match = content.match(regex);
+  if (!match) return null;
+  return match[1].split("\n").map((line) => {
+    const m = line.match(/^\s*-\s*["']?(.+?)["']?\s*$/);
+    return m ? m[1] : "";
+  }).filter(Boolean);
+}
+function buildSandboxEnv(policy) {
+  const env = {
+    PATH: process.env.PATH || "",
+    HOME: process.env.HOME || process.env.USERPROFILE || "",
+    NODE_ENV: "development",
+    FISHI_SANDBOX: "true"
+  };
+  for (const key of policy.envPassthrough) {
+    if (process.env[key]) {
+      env[key] = process.env[key];
+    }
+  }
+  return env;
+}
+function runInProcessSandbox(command, args, worktreePath, policy) {
+  const env = buildSandboxEnv(policy);
+  try {
+    const stdout = execFileSync(command, args, {
+      cwd: worktreePath,
+      encoding: "utf-8",
+      timeout: policy.timeout * 1e3,
+      env,
+      stdio: "pipe",
+      maxBuffer: 10 * 1024 * 1024
+      // 10MB
+    });
+    return { stdout, stderr: "", exitCode: 0, timedOut: false };
+  } catch (e) {
+    if (e.killed || e.signal === "SIGTERM") {
+      return { stdout: e.stdout || "", stderr: e.stderr || "", exitCode: 1, timedOut: true };
+    }
+    return {
+      stdout: e.stdout || "",
+      stderr: e.stderr || "",
+      exitCode: e.status ?? 1,
+      timedOut: false
+    };
+  }
+}
+function runInDockerSandbox(command, args, worktreePath, policy, options = {}) {
+  const dockerArgs = [
+    "run",
+    "--rm",
+    "--workdir",
+    "/workspace",
+    "-v",
+    `${worktreePath}:/workspace`
+  ];
+  if (options.nodeModulesPath && existsSync5(options.nodeModulesPath)) {
+    dockerArgs.push("-v", `${options.nodeModulesPath}:/workspace/node_modules:ro`);
+  }
+  dockerArgs.push("--memory", policy.memory);
+  dockerArgs.push("--cpus", String(policy.cpus));
+  dockerArgs.push("-e", "FISHI_SANDBOX=true");
+  dockerArgs.push("-e", "NODE_ENV=development");
+  for (const key of policy.envPassthrough) {
+    if (process.env[key]) {
+      dockerArgs.push("-e", `${key}=${process.env[key]}`);
+    }
+  }
+  dockerArgs.push("--network", "host");
+  dockerArgs.push("fishi-sandbox:latest", command, ...args);
+  try {
+    const stdout = execFileSync("docker", dockerArgs, {
+      encoding: "utf-8",
+      timeout: policy.timeout * 1e3,
+      stdio: "pipe",
+      maxBuffer: 10 * 1024 * 1024
+    });
+    return { stdout, stderr: "", exitCode: 0, timedOut: false };
+  } catch (e) {
+    if (e.killed || e.signal === "SIGTERM") {
+      return { stdout: e.stdout || "", stderr: e.stderr || "", exitCode: 1, timedOut: true };
+    }
+    return {
+      stdout: e.stdout || "",
+      stderr: e.stderr || "",
+      exitCode: e.status ?? 1,
+      timedOut: false
+    };
+  }
+}
+function runInSandbox(command, args, worktreePath, projectDir, options = {}) {
+  const config = readSandboxConfig(projectDir);
+  const policy = readSandboxPolicy(projectDir);
+  if (config.mode === "docker" && config.dockerAvailable) {
+    return runInDockerSandbox(command, args, worktreePath, policy, options);
+  }
+  return runInProcessSandbox(command, args, worktreePath, policy);
+}
+// src/templates/configs/sandbox-policy.ts
+function getSandboxPolicyTemplate() {
+  return `# FISHI Sandbox Policy
+# Controls what agents can access inside their sandboxed worktrees
+# Network domains agents are allowed to reach
+network_allow:
+  - registry.npmjs.org
+  - localhost
+  - 127.0.0.1
+# Environment variables passed into the sandbox
+# Add secrets your agents need (e.g., DATABASE_URL, API_KEY)
+env_passthrough: []
+# Maximum time (seconds) a single agent command can run
+timeout: 600
+# Docker resource limits (only applies in docker mode)
+memory: "2g"
+cpus: 2
+`;
+}
+// src/templates/docker/Dockerfile.ts
+function getDockerfileTemplate() {
+  return `# FISHI Sandbox Runtime
+# Minimal Node.js image for agent execution
+FROM node:22-slim
+# Install git and common build tools
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    git \\
+    ca-certificates \\
+    && rm -rf /var/lib/apt/lists/*
+# Set working directory
+WORKDIR /workspace
+# Non-root user for additional safety
+RUN groupadd -r fishi && useradd -r -g fishi -m fishi
+USER fishi
+# Default command
+CMD ["node"]
+`;
+}
 // src/templates/dashboard/index-html.ts
 function getDashboardHtml() {
   return `<!DOCTYPE html>
@@ -11564,8 +11762,10 @@ function getDashboardHtml() {
 export {
   architectAgentTemplate,
   backendAgentTemplate,
+  buildSandboxEnv,
   createBackup,
   detectConflicts,
+  detectDocker,
   devLeadTemplate,
   devopsAgentTemplate,
   docsAgentTemplate,
@@ -11591,6 +11791,7 @@ export {
   getDebuggingSkill,
   getDeploymentSkill,
   getDocCheckerScript,
+  getDockerfileTemplate,
   getDocumentationSkill,
   getFishiYamlTemplate,
   getGateCommand,
@@ -11611,6 +11812,7 @@ export {
   getResetCommand,
   getResumeCommand,
   getSafetyCheckHook,
+  getSandboxPolicyTemplate,
   getSessionStartHook,
   getSettingsJsonTemplate,
   getSprintCommand,
@@ -11633,7 +11835,12 @@ export {
   planningLeadTemplate,
   qualityLeadTemplate,
   readMonitorState,
+  readSandboxConfig,
+  readSandboxPolicy,
   researchAgentTemplate,
+  runInDockerSandbox,
+  runInProcessSandbox,
+  runInSandbox,
   securityAgentTemplate,
   testingAgentTemplate,
   uiuxAgentTemplate,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@qlucent/fishi-core",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Shared templates, types, and generators for the FISHI framework",
   "license": "MIT",
   "type": "module",