@questionbase/deskfree 0.3.0-alpha.34 → 0.3.0-alpha.36

package/dist/index.js

@@ -8018,7 +8018,7 @@ var ORCHESTRATOR_TOOLS = {
   },
   SEND_MESSAGE: {
     name: "deskfree_send_message",
-    description: "Send a message (progress update, question, status report). Used for communication outside of task threads.",
+    description: "Send a message to the human. Keep it short \u2014 1-3 sentences. No walls of text.",
     parameters: Type.Object({
       content: Type.String({
         description: "Message content."
@@ -8046,7 +8046,7 @@ var ORCHESTRATOR_TOOLS = {
                   description: "New initiative title (max 200 chars)"
                 }),
                 content: Type.String({
-                  description: "Initiative content markdown \u2014 current state, approach, and next priorities"
+                  description: "2-3 sentences \u2014 what we're doing and why. Aspirational, not operational. No headers or formal structure."
                 })
               },
               {
@@ -8071,14 +8071,7 @@ var ORCHESTRATOR_TOOLS = {
           }),
           instructions: Type.Optional(
             Type.String({
-              description: "Detailed instructions in simple markdown (bold, lists, inline code \u2014 no # headers). Include: what to do, steps, why, what done looks like, known constraints."
-            })
-          ),
-          substeps: Type.Optional(
-            Type.Array(Type.String(), {
-              description: "DEPRECATED \u2014 put steps in the instructions field as markdown instead. This field is ignored.",
-              minItems: 1,
-              maxItems: 20
+              description: "Concise instructions in simple markdown (bold, lists, inline code \u2014 no # headers). Brief a contractor: what to do, what done looks like. Skip obvious context."
             })
           ),
           file: Type.Optional(
@@ -8169,7 +8162,7 @@ var SHARED_TOOLS = {
       ),
       summary: Type.Optional(
         Type.String({
-          description: "Brief summary of what was accomplished (max 2000 chars)"
+          description: "1-2 sentence summary of what was done and the outcome."
         })
       ),
       learnings: Type.Optional(
@@ -8181,7 +8174,7 @@ var SHARED_TOOLS = {
   },
   SEND_MESSAGE: {
     name: "deskfree_send_message",
-    description: "Send a message in the task thread (progress update, question, status report).",
+    description: "Send a message in the task thread. Keep it short \u2014 1-3 sentences. No walls of text.",
     parameters: Type.Object({
       content: Type.String({
         description: "Message content."
@@ -8209,7 +8202,7 @@ var SHARED_TOOLS = {
                   description: "New initiative title (max 200 chars)"
                 }),
                 content: Type.String({
-                  description: "Initiative content markdown \u2014 current state, approach, and next priorities"
+                  description: "2-3 sentences \u2014 what we're doing and why. Aspirational, not operational. No headers or formal structure."
                 })
               },
               {
@@ -8234,14 +8227,7 @@ var SHARED_TOOLS = {
           }),
           instructions: Type.Optional(
             Type.String({
-              description: "Detailed instructions in simple markdown (bold, lists, inline code \u2014 no # headers). Include: what to do, steps, why, what done looks like, known constraints."
-            })
-          ),
-          substeps: Type.Optional(
-            Type.Array(Type.String(), {
-              description: "DEPRECATED \u2014 put steps in the instructions field as markdown instead. This field is ignored.",
-              minItems: 1,
-              maxItems: 20
+              description: "Concise instructions in simple markdown (bold, lists, inline code \u2014 no # headers). Brief a contractor: what to do, what done looks like. Skip obvious context."
             })
           ),
           file: Type.Optional(
@@ -8314,7 +8300,14 @@ var WORKER_TOOLS = {
   UPDATE_FILE: SHARED_TOOLS.UPDATE_FILE,
   COMPLETE_TASK: SHARED_TOOLS.COMPLETE_TASK,
   SEND_MESSAGE: SHARED_TOOLS.SEND_MESSAGE,
-  PROPOSE: SHARED_TOOLS.PROPOSE
+  PROPOSE: SHARED_TOOLS.PROPOSE,
+  READ_SKILL: {
+    name: "deskfree_read_skill_section",
+    description: "Load full instructions for a skill. Use after deskfree_start_task when you need the complete skill guide beyond the critical section summary.",
+    parameters: Type.Object({
+      skillId: Type.String({ description: "Skill ID to load instructions for" })
+    })
+  }
 };
 var CHANNEL_META = {
   name: "DeskFree",
@@ -8874,25 +8867,30 @@ var deskFreePlugin = {
 var DESKFREE_AGENT_DIRECTIVE = `## DeskFree \u2014 Orchestrator
 You are the orchestrator. Your job: turn human intent into approved tasks, then dispatch work.
 
-**The core loop: propose \u2192 approve \u2192 work. Make this feel natural and fast.**
+**Main thread = short and snappy.** Keep responses to 1-3 sentences. Quick back-and-forth conversation is great \u2014 clarify, riff, brainstorm in short messages like a real chat. But if something needs deep research, multiple rounds of clarification, or a deliverable \u2014 propose a task and move the work to a thread.
+
+**The core loop: propose \u2192 approve \u2192 work.**
 
 1. **Check state** \u2192 \`deskfree_state\` \u2014 see tasks, initiatives, ways of working.
 2. **Propose** \u2192 \`deskfree_propose\` \u2014 turn requests into concrete tasks for approval.
 3. **Dispatch** \u2192 spawn a sub-agent for each approved task. Pass the taskId.
 4. **Communicate** \u2192 \`deskfree_send_message\` for updates outside task threads.
 
-**Always explain before proposing.** When a human gives you a direction:
-- First, respond in chat with your understanding and plan \u2014 what you'll do, how you'll break it down, what the deliverables will be.
-- Then call \`deskfree_propose\` with the concrete tasks. The human sees your thinking first, then the actionable proposal.
-- If the request is clear ("audit my LinkedIn profile"), a brief "Here's what I'll do:" is enough before proposing.
-- If the request is ambiguous ("I want to be a LinkedIn influencer"), explain your approach, then propose a scoping task.
-- Never call \`deskfree_propose\` as your first action \u2014 always write a message first.
+**Before proposing, qualify the request.** Figure out what kind of thing this is:
+- **One-off task** ("proofread this") \u2192 propose a task directly, no initiative needed.
+- **New aspiration** ("I want to start posting on LinkedIn") \u2192 don't rush to propose. Ask 1-2 short qualifying questions to understand the real goal. Is this about thought leadership? Lead gen? Personal brand? Then propose an initiative named after the outcome, not the activity.
+- **Task in existing initiative** \u2192 add it to the right initiative.
+- Never call \`deskfree_propose\` as your very first action \u2014 qualify first, even if briefly.
+
+**Match the human's energy.** Short message \u2192 short reply. Casual tone \u2192 casual response. Don't over-explain, don't lecture, don't pad responses.
 
 You do NOT claim tasks or do work directly. Sub-agents handle execution.
 - When a human writes in a task thread, you receive it with recent context. Use \`deskfree_reopen_task\` if it needs more work.
 - Write task instructions as rich markdown (bold, lists, inline code \u2014 no # headers). Brief a contractor who has never seen the codebase.
 - Estimate token cost per task \u2014 consider files to read, reasoning, output.
-- One initiative per proposal \u2014 make multiple calls for multiple initiatives.`;
+- One initiative per proposal \u2014 make multiple calls for multiple initiatives.
+- Initiative titles should reflect aspirations and outcomes, not activities. "AI Thought Leadership on LinkedIn" over "LinkedIn Content."
+- Initiative descriptions should be 2-3 sentences that make the human think "wow, this will enable my dreams." Reflect their ambition back to them. No headers, no phases, no formal structure. Aspirational, not operational.`;
 var DESKFREE_WORKER_DIRECTIVE = `## DeskFree Worker
 You are a worker sub-agent. Call \`deskfree_start_task\` with your taskId to claim and load context.
 Tools: deskfree_start_task, deskfree_update_file, deskfree_complete_task, deskfree_send_message, deskfree_propose.
@@ -8900,7 +8898,8 @@ Tools: deskfree_start_task, deskfree_update_file, deskfree_complete_task, deskfr
 - Save work to linked files with deskfree_update_file (incrementally).
 - Complete with deskfree_complete_task when done (summary required for outcome "done"). Include learnings if applicable.
 - If you need human input to proceed, send a message explaining what you need, then complete with outcome "review" \u2014 this marks the task as needing attention.
-- Propose follow-up tasks with deskfree_propose if you discover more work.`;
+- Propose follow-up tasks with deskfree_propose if you discover more work.
+- Keep messages and file updates concise. Write like a senior colleague giving a status update \u2014 not a report. 1-3 sentences for messages unless the human asked for detail.`;
 function getDeskFreeContext(sessionKey) {
   const isWorker = sessionKey && (sessionKey.includes(":sub:") || sessionKey.includes(":spawn:") || sessionKey.includes(":run:"));
   const directive = isWorker ? DESKFREE_WORKER_DIRECTIVE : DESKFREE_AGENT_DIRECTIVE;
@@ -8909,6 +8908,91 @@ function getDeskFreeContext(sessionKey) {
 <!-- deskfree-plugin:${PLUGIN_VERSION} -->`;
 }
 
+// src/skill-scan-hook.ts
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([".md", ".sh", ".py", ".js", ".ts"]);
+var SKILLS_DIR_PATTERN = /(?:^|\/|\\)skills\/[^/\\]+\//;
+function isSkillFile(filePath) {
+  if (!filePath || typeof filePath !== "string") return false;
+  const normalized = filePath.replace(/\\/g, "/");
+  if (!SKILLS_DIR_PATTERN.test(normalized)) return false;
+  const lastDot = normalized.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const ext = normalized.slice(lastDot).toLowerCase();
+  return SCANNABLE_EXTENSIONS.has(ext);
+}
+var WRITE_TOOL_NAMES = /* @__PURE__ */ new Set(["write", "Write"]);
+var EDIT_TOOL_NAMES = /* @__PURE__ */ new Set(["edit", "Edit"]);
+function extractPath(params) {
+  const p = params["path"] ?? params["file_path"];
+  return typeof p === "string" && p.length > 0 ? p : null;
+}
+function extractContent(toolName, params) {
+  if (WRITE_TOOL_NAMES.has(toolName)) {
+    const c = params["content"];
+    return typeof c === "string" ? c : null;
+  }
+  if (EDIT_TOOL_NAMES.has(toolName)) {
+    const c = params["newText"] ?? params["new_string"];
+    return typeof c === "string" ? c : null;
+  }
+  return null;
+}
+function formatFindings(result) {
+  return result.findings.map(
+    (f) => `  [${f.severity.toUpperCase()}] ${f.description}` + (f.line != null ? ` (line ${f.line})` : "")
+  ).join("\n");
+}
+function createSkillScanHook(scanner, log) {
+  return (event, _ctx) => {
+    const toolName = event["toolName"];
+    if (typeof toolName !== "string") return;
+    if (!WRITE_TOOL_NAMES.has(toolName) && !EDIT_TOOL_NAMES.has(toolName)) {
+      return;
+    }
+    const params = event["params"];
+    if (!params || typeof params !== "object") return;
+    const p = params;
+    const filePath = extractPath(p);
+    if (!filePath) return;
+    if (!isSkillFile(filePath)) return;
+    const content = extractContent(toolName, p);
+    if (!content || content.length === 0) return;
+    const filename = filePath.split("/").pop() ?? "unknown";
+    const inputs = [{ filename, content }];
+    let result;
+    try {
+      result = scanner(inputs);
+    } catch (err) {
+      log.warn(
+        `[skill-scan] Scanner error for ${filePath}: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return;
+    }
+    log.info(
+      `[skill-scan] ${filePath}: verdict=${result.verdict} score=${result.score} findings=${result.findings.length}`
+    );
+    if (result.verdict === "dangerous") {
+      const findings = formatFindings(result);
+      log.warn(`[skill-scan] BLOCKED write to ${filePath}:
+${findings}`);
+      return {
+        block: true,
+        blockReason: `\u{1F6AB} Security scan BLOCKED write to "${filename}" \u2014 dangerous (score: ${result.score}/100)
+
+Findings:
+${findings}
+
+Remove the dangerous patterns and retry.`
+      };
+    }
+    if (result.verdict === "suspicious") {
+      const findings = formatFindings(result);
+      log.warn(`[skill-scan] Suspicious write to ${filePath}:
+${findings}`);
+    }
+  };
+}
+
 // src/tools.ts
 function resolveAccountFromConfig(api) {
   const cfg = api.runtime.config.loadConfig();
@@ -9400,6 +9484,7 @@ function createWorkerTools(api) {
   const account = resolveAccountFromConfig(api);
   if (!account) return null;
   const client = new DeskFreeClient(account.botToken, account.apiUrl);
+  const cachedSkillContext = /* @__PURE__ */ new Map();
   return [
     {
       ...WORKER_TOOLS.START_TASK,
@@ -9410,19 +9495,21 @@ function createWorkerTools(api) {
           const result = await client.claimTask({ taskId, runnerId });
           setActiveTaskId(taskId);
           let skillInstructions = "";
+          cachedSkillContext.clear();
           if (result.skillContext?.length) {
+            for (const s of result.skillContext) {
+              cachedSkillContext.set(s.skillId, { displayName: s.displayName, instructions: s.instructions });
+            }
             skillInstructions = result.skillContext.map(
               (s) => `
-\u26A0\uFE0F SKILL: ${s.displayName}
-${s.criticalSection}
-
-${s.instructions}`
+\u26A0\uFE0F SKILL: ${s.displayName} (ID: ${s.skillId})
+${s.criticalSection}`
             ).join("\n\n---\n");
           }
           const trimmedTask = trimTaskContext(result);
           const taskJson = JSON.stringify(
             {
-              summary: `Claimed task "${result.title}" \u2014 full context loaded${result.skillContext?.length ? ` (${result.skillContext.length} skill${result.skillContext.length > 1 ? "s" : ""} active)` : ""}`,
+              summary: `Claimed task "${result.title}" \u2014 full context loaded${result.skillContext?.length ? ` (${result.skillContext.length} skill${result.skillContext.length > 1 ? "s" : ""} loaded \u2014 use deskfree_read_skill_section for full details)` : ""}`,
               mode: trimmedTask.mode ?? "work",
               nextActions: [
                 "Read the instructions and message history carefully",
@@ -9471,6 +9558,28 @@ ${s.instructions}`
     {
       ...WORKER_TOOLS.PROPOSE,
       execute: makeProposeHandler(client)
+    },
+    {
+      ...WORKER_TOOLS.READ_SKILL,
+      async execute(_id, params) {
+        try {
+          const skillId = validateStringParam(params, "skillId", true);
+          const cached = cachedSkillContext.get(skillId);
+          if (!cached) {
+            return { content: [{ type: "text", text: `Skill ${skillId} not found in current task context. Available: ${[...cachedSkillContext.keys()].join(", ") || "none"}` }] };
+          }
+          return {
+            content: [{
+              type: "text",
+              text: `## ${cached.displayName} \u2014 Full Instructions
+
+${cached.instructions}`
+            }]
+          };
+        } catch (err) {
+          return errorResult(err);
+        }
+      }
     }
   ];
 }
@@ -9582,6 +9691,35 @@ var OfflineQueue = class {
 };
 
 // src/index.ts
+function createLazyScanner(log) {
+  let resolved = false;
+  let scanFn = null;
+  const scannerPath = ["..", "..", "backend", "src", "util", "util.skillScanner"].join("/");
+  import(
+    /* @vite-ignore */
+    scannerPath
+  ).then((mod) => {
+    if (typeof mod.scanSkill === "function") {
+      scanFn = mod.scanSkill;
+      log.info("[deskfree] Skill security scanner loaded");
+    }
+    resolved = true;
+  }).catch(() => {
+    resolved = true;
+    log.warn("[deskfree] Skill scanner not available \u2014 scan hook will pass through");
+  });
+  const safeFallback = (inputs) => ({
+    verdict: "safe",
+    score: 100,
+    findings: [],
+    scannedAt: /* @__PURE__ */ new Date(),
+    filesScanned: inputs.map((i) => i.filename)
+  });
+  return (inputs) => {
+    if (!resolved || !scanFn) return safeFallback(inputs);
+    return scanFn(inputs);
+  };
+}
 var plugin = {
   id: "deskfree",
   name: "DeskFree",
@@ -9601,6 +9739,8 @@ var plugin = {
       }
       return allTools.length > 0 ? allTools : null;
     });
+    const scanner = createLazyScanner(api.logger);
+    api.on("before_tool_call", createSkillScanHook(scanner, api.logger));
     api.on("before_agent_start", (_event, ctx) => {
       return { prependContext: getDeskFreeContext(ctx.sessionKey) };
     });