@semalt-ai/code 1.8.4 → 1.19.0

package/lib/ui/web-activity.js

@@ -0,0 +1,218 @@
+'use strict';
+
+// Web-activity process summary (Task W.3, Part 1).
+//
+// A web task runs `web_search` (find candidate pages) then targeted `http_get`
+// (read the relevant ones). By default each operation printed its own tool line
+// (one "tool · web_search" / "net · GET …" row per call), which reads as a noisy
+// list rather than one coherent process. This module collapses a run of
+// consecutive web operations into a SINGLE compact process-summary line —
+//
+//     ✓ web · search "коррупционные скандалы…" · 2 queries · 3 sources read · 1 blocked
+//
+// — while `--debug` keeps the full per-operation lines (in debug mode chat-turn.js
+// bypasses this collapser and renders each op the normal way).
+//
+// Display only: the audit log still records every individual operation (that
+// happens in the executors, untouched here), and NON-web tools render exactly as
+// before. Scope: `web_search` + `http_get`. `download` is a file-save, not a page
+// read for the search→fetch flow, so it keeps its own line.
+
+const { UI_THEME, UI_ICONS } = require('./theme');
+const { RST, DIM } = require('./ansi');
+const { formatDuration } = require('./format');
+
+// The tools collapsed into the web-activity summary.
+const WEB_TOOLS = new Set(['web_search', 'http_get']);
+
+function isWebTool(tag) { return WEB_TOOLS.has(tag); }
+
+function _truncate(text, max) {
+  const s = String(text == null ? '' : text).replace(/\s+/g, ' ').trim();
+  if (s.length <= max) return s;
+  return s.slice(0, Math.max(0, max - 1)) + '…';
+}
+
+// Whether a finished web op counts as a success. A `web_search` is ok unless the
+// executor flagged an error (backend down). An `http_get` is ok only when it both
+// avoided a transport error (timeout/DNS — surfaced as `op.error`) AND the server
+// answered < 400: a 403/406 is a real "blocked" even though the fetch itself
+// completed and returned a status code.
+function opSucceeded(op) {
+  if (!op) return false;
+  if (op.error) return false;
+  if (op.tag === 'http_get' && typeof op.status === 'number' && op.status >= 400) return false;
+  return true;
+}
+
+// Pure: fold the recorded op list into the counts the summary needs.
+function aggregateWebOps(ops) {
+  const state = {
+    searchCount: 0, searchFailed: 0, queries: [],
+    fetchCount: 0, fetchOk: 0, fetchFailed: 0,
+  };
+  for (const op of (ops || [])) {
+    if (!op) continue;
+    const ok = opSucceeded(op);
+    if (op.tag === 'web_search') {
+      state.searchCount += 1;
+      if (!ok) state.searchFailed += 1;
+      if (op.query) state.queries.push(op.query);
+    } else if (op.tag === 'http_get') {
+      state.fetchCount += 1;
+      if (ok) state.fetchOk += 1; else state.fetchFailed += 1;
+    }
+  }
+  return state;
+}
+
+// Pure: the plain-text segments of the summary (no ANSI). Each segment is tagged
+// with a `kind` so the styled renderer can colour failures distinctly. Exposed
+// for tests and reused by the styled renderer. Failures (a blocked source / a
+// failed search) are ALWAYS represented so the compact view never silently drops
+// a source that didn't load.
+function webSummarySegments(state) {
+  const segs = [];
+  if (state.searchCount > 0) {
+    const q = state.queries[0] ? `"${_truncate(state.queries[0], 48)}"` : '';
+    segs.push({ kind: 'lead', text: `search ${q}`.trim() });
+    if (state.searchCount > 1) segs.push({ kind: 'count', text: `${state.searchCount} queries` });
+    if (state.searchFailed > 0) {
+      segs.push({ kind: 'fail', text: `${state.searchFailed} search${state.searchFailed === 1 ? '' : 'es'} failed` });
+    }
+  }
+  if (state.fetchCount > 0) {
+    segs.push({ kind: state.searchCount > 0 ? 'count' : 'lead', text: `${state.fetchOk} ${state.fetchOk === 1 ? 'source' : 'sources'} read` });
+    if (state.fetchFailed > 0) segs.push({ kind: 'fail', text: `${state.fetchFailed} blocked` });
+  }
+  if (segs.length === 0) segs.push({ kind: 'lead', text: 'web' });
+  return segs;
+}
+
+// Plain-text one-liner (no ANSI). The text the tests assert on.
+function webSummaryText(state) {
+  return webSummarySegments(state).map((s) => s.text).join(' · ');
+}
+
+// Styled, chrome-consistent line for the writer's activity region / scrollback.
+// Mirrors formatToolLine's "<glyph> <category> · <segments…>" layout so the
+// summary reads as a peer of the other tool lines, not a foreign widget.
+function formatWebSummaryLine(state, opts) {
+  const { pending = false, durationMs = 0 } = opts || {};
+  const glyph = pending ? UI_ICONS.pending : UI_ICONS.success;
+  const glyphColor = pending ? UI_THEME.muted : UI_THEME.success;
+  const cat = 'web'.padEnd(5);
+  const catColor = (UI_THEME.categories && UI_THEME.categories.web) || UI_THEME.accent;
+  const sep = ` ${DIM}·${RST} `;
+
+  const out = [`  ${glyphColor}${glyph}${RST} ${catColor}${cat}${RST}`];
+  for (const seg of webSummarySegments(state)) {
+    let color = UI_THEME.subtle;
+    if (seg.kind === 'lead') color = UI_THEME.default;
+    else if (seg.kind === 'fail') color = UI_THEME.warning;
+    out.push(`${color}${seg.text}${RST}`);
+  }
+  if (pending) out.push(`${UI_THEME.muted}${formatDuration(durationMs)}…${RST}`);
+  return out.join(sep);
+}
+
+// Batch renderer / policy seam (used by tests, and documents the runtime split):
+//   debug   → one full per-operation tool line per op (nothing hidden), built
+//             with the SAME formatToolLine the runtime uses.
+//   default → a single collapsed summary line.
+function renderWebActivity(ops, opts) {
+  const { debug = false, formatToolLine } = opts || {};
+  if (debug) {
+    return (ops || []).map((op) => formatToolLine({
+      status: opSucceeded(op) ? 'success' : 'failure',
+      tag: op.tag,
+      arg: op.query || op.url || '',
+      attrs: op.tag === 'web_search' ? { query: op.query } : { url: op.url },
+      durationMs: op.durationMs,
+      meta: op.tag === 'http_get' ? { status_code: op.status, bytes: op.bytes } : null,
+      error: op.error ? { message: String(op.error) } : null,
+    }));
+  }
+  return [formatWebSummaryLine(aggregateWebOps(ops), { pending: false })];
+}
+
+// Stateful runtime collapser. Owns one writer "activity" entry per group of
+// consecutive web ops, updating it in place as ops complete and committing a
+// single final summary line to scrollback on flush(). Tools run sequentially in
+// the agent loop, so at most one group is ever open and there is no concurrency.
+function createWebActivityTracker(deps) {
+  const { writerModule } = deps || {};
+  let groupId = null;
+  let seq = 0;
+  let ended = [];
+  let current = null; // the in-flight op, shown in the pending line before it ends
+
+  function _render(durationMs) {
+    const state = aggregateWebOps(current ? ended.concat([current]) : ended);
+    return formatWebSummaryLine(state, { pending: true, durationMs });
+  }
+
+  function _refresh() {
+    if (groupId === null) return;
+    writerModule.updateActivity(groupId, (elapsedMs) => _render(elapsedMs));
+  }
+
+  return {
+    isWeb: isWebTool,
+    isOpen() { return groupId !== null; },
+
+    start(tag, input) {
+      current = {
+        tag,
+        query: tag === 'web_search' ? input : undefined,
+        url: tag === 'http_get' ? input : undefined,
+      };
+      if (groupId === null) {
+        groupId = `web-${seq++}`;
+        writerModule.startActivity(groupId, (elapsedMs) => _render(elapsedMs));
+      } else {
+        _refresh();
+      }
+    },
+
+    end(tag, result, durationMs, toolCtx) {
+      const meta = toolCtx && toolCtx.meta;
+      const attrs = toolCtx && toolCtx.attrs;
+      ended.push({
+        tag,
+        durationMs,
+        query: (attrs && attrs.query) || (current && current.query),
+        url: (attrs && attrs.url) || (current && current.url),
+        status: meta && typeof meta.status_code === 'number' ? meta.status_code : undefined,
+        bytes: meta && typeof meta.bytes === 'number' ? meta.bytes : undefined,
+        error: toolCtx && toolCtx.error ? (toolCtx.error.message || String(toolCtx.error)) : undefined,
+      });
+      current = null;
+      _refresh();
+    },
+
+    // Commit the collapsed summary for the current group to scrollback and reset.
+    // A no-op when no group is open.
+    flush() {
+      if (groupId === null) return;
+      const id = groupId;
+      const line = formatWebSummaryLine(aggregateWebOps(ended), { pending: false });
+      groupId = null;
+      ended = [];
+      current = null;
+      writerModule.endActivity(id, line);
+    },
+  };
+}
+
+module.exports = {
+  WEB_TOOLS,
+  isWebTool,
+  opSucceeded,
+  aggregateWebOps,
+  webSummarySegments,
+  webSummaryText,
+  formatWebSummaryLine,
+  renderWebActivity,
+  createWebActivityTracker,
+};

package/lib/ui/writer.js

@@ -29,6 +29,7 @@
 // can't interleave with another task's writes.
 
 const { stripAnsi, termWidth, truncateVisible } = require('./utils');
+const dbg = require('../debug');
 
 let _queue = Promise.resolve();
 let _liveLines = [];
@@ -228,16 +229,13 @@ function setLive(lines, caret) {
     // The input row's visible position is relative to the bottom of the
     // viewport; it stays still only while the live region keeps a stable
     // height. If a code path sneaks in a different-height setLive call the
-    // input jumps one row. Log under DEBUG_TUI so future drift is visible
-    // without leaking into the TUI itself.
-    if (process.env.DEBUG_TUI &&
-        _previousLiveLineCount !== undefined &&
+    // input jumps one row. Log to the debug file (extended trace) so future
+    // drift is visible without leaking into the TUI itself.
+    if (_previousLiveLineCount !== undefined &&
         _previousLiveLineCount !== _liveLines.length) {
-      try {
-        process.stderr.write(
-          `live region height changed: ${_previousLiveLineCount} → ${_liveLines.length}\n`
-        );
-      } catch {}
+      dbg.logExtended(
+        `[writer] live region height changed: ${_previousLiveLineCount} → ${_liveLines.length}`
+      );
     }
     _previousLiveLineCount = _liveLines.length;
     _writeSync(_HIDE + eraseSeq + _drawLiveSeq() + _positionCaretSeq() + _caretShowSeq());

package/lib/verify.js

@@ -0,0 +1,229 @@
+'use strict';
+
+// ---------------------------------------------------------------------------
+// Self-verification (Task 4.2)
+// ---------------------------------------------------------------------------
+//
+// When the agent declares a task done, optionally run a configured verification
+// command (e.g. `npm test`, `cargo check`) and feed the result back into the
+// loop. Configured under `config.verify`:
+//
+//   "verify": {
+//     "mode": "advisory" | "enforcing",   // default advisory
+//     "command": "npm test",              // empty → feature is a no-op
+//     "timeout_ms": 120000,
+//     "expected_exit_code": 0,
+//     "max_attempts": 3
+//   }
+//
+// Two modes (orchestration lives in lib/agent.js — this module only RUNS the
+// command and reports the outcome):
+//   * advisory (default): run once when the agent finishes; feed the result into
+//     context as information. The turn ends regardless of pass/fail — advisory
+//     NEVER blocks.
+//   * enforcing: verify must pass before "done" is accepted. A failing verify
+//     returns the agent to the loop with the fenced result; after `max_attempts`
+//     failures the loop terminates with stopReason `verify_failed` — a precise
+//     bound distinct from (and far below) the coarse iteration cap.
+//
+// Load-bearing properties (mirror lib/hooks.js — verify is shell, treat it like
+// a hook):
+//   * Success is EXIT-CODE based — exit == expected_exit_code is a pass. stdout
+//     is never parsed for success patterns (avoids brittleness).
+//   * Deny-list FIRST — the verify command passes through the Phase 0 deny-list
+//     (lib/deny.js) before running; a hit is refused (never run) and reported as
+//     a non-passing verify.
+//   * OS sandbox — after the deny-list, the verify command is wrapped by the SAME
+//     OS sandbox as every other shell call (Pre-Task 5.0a, resolveSandboxedSpawn),
+//     with the identical fail-safe fallback (failIfUnavailable hard error / human
+//     approval / refuse). A refusal is reported as a non-passing verify — never a
+//     silent unsandboxed run.
+//   * Project-layer (.semalt/config.json) verify.command is QUARANTINED before it
+//     reaches the runner (loadVerifyLayers, consumed by lib/config.js): a cloned
+//     repo cannot introduce an executable verify command. User verify is trusted.
+//   * Timeout — a hung verify must not hang the agent. On timeout the command is
+//     killed and the result is a (non-passing) verify, never an exception.
+//   * Untrusted output — the command output (a failing test name could carry an
+//     injection) is fenced in the same <<<UNTRUSTED_EXTERNAL_CONTENT>>> delimiter
+//     as hook/MCP/http_get output before it ever enters the model's context.
+//   * Contained — a spawn failure is reported as a non-passing verify, never a
+//     crash.
+
+const { spawnSync } = require('child_process');
+const { checkShellDenylist } = require('./deny');
+const { wrapUntrusted } = require('./hooks');
+const { resolveSandboxedSpawn } = require('./sandbox');
+const { DEFAULT_VERIFY_TIMEOUT_MS, DEFAULT_VERIFY_MAX_ATTEMPTS } = require('./constants');
+
+const VERIFY_MODES = ['advisory', 'enforcing'];
+const MAX_VERIFY_OUTPUT_BYTES = 1024 * 1024;
+
+// Validate + canonicalize the `config.verify` section. Pure; consumed by
+// lib/config.js normalizeConfig. Unknown/invalid fields fall back to defaults so
+// a malformed config can never produce an unbounded or mode-confused verify.
+function normalizeVerify(raw) {
+  const out = {
+    mode: 'advisory',
+    command: '',
+    timeout_ms: DEFAULT_VERIFY_TIMEOUT_MS,
+    expected_exit_code: 0,
+    max_attempts: DEFAULT_VERIFY_MAX_ATTEMPTS,
+  };
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) return out;
+  if (raw.mode === 'enforcing') out.mode = 'enforcing';
+  if (typeof raw.command === 'string' && raw.command.trim()) out.command = raw.command.trim();
+  if (Number.isInteger(raw.timeout_ms) && raw.timeout_ms > 0) out.timeout_ms = raw.timeout_ms;
+  if (Number.isInteger(raw.expected_exit_code) && raw.expected_exit_code >= 0) {
+    out.expected_exit_code = raw.expected_exit_code;
+  }
+  if (Number.isInteger(raw.max_attempts) && raw.max_attempts > 0) out.max_attempts = raw.max_attempts;
+  return out;
+}
+
+// Build the verify runner. `getConfig` supplies the live config (read per-run so
+// a config change takes effect immediately). `spawn` and `log` are injectable for
+// tests. Returns:
+//   {
+//     config()  → the normalized verify config (for the orchestrator),
+//     run(opts) → { skipped, ran, passed, mode, command, exitCode,
+//                   expectedExitCode, timedOut, denied, maxAttempts,
+//                   output, fenced }
+//   }
+// run() NEVER throws for an ordinary failure — a nonzero exit, timeout, deny-list
+// hit, or spawn failure are all reported as a non-passing result. `opts.noVerify`
+// (the --no-verify flag) short-circuits to a skipped result, as does an empty
+// command.
+function createVerifyRunner({ getConfig, spawn = spawnSync, log, onUnsandboxed = null, sandbox } = {}) {
+  const warn = typeof log === 'function' ? log : () => {};
+  // OS-sandbox resolver shared with agentExecShell / hooks (Pre-Task 5.0a).
+  // Injectable for tests; otherwise resolveSandboxedSpawn reading the live config
+  // + the human-typed CLI flags. `onUnsandboxed` (human approval) is threaded from
+  // the executor owner so an unavailable sandbox can be approved interactively;
+  // with no approver it refuses (reported as a non-passing verify).
+  const sandboxResolve = typeof sandbox === 'function'
+    ? sandbox
+    : (command) => resolveSandboxedSpawn({ command, getConfig, onUnsandboxed });
+
+  function config() {
+    let cfg = {};
+    try { cfg = (getConfig ? getConfig() : {}) || {}; } catch { cfg = {}; }
+    return normalizeVerify(cfg.verify);
+  }
+
+  async function run({ noVerify = false } = {}) {
+    const v = config();
+    const base = {
+      skipped: false,
+      ran: false,
+      passed: false,
+      mode: v.mode,
+      command: v.command,
+      exitCode: null,
+      expectedExitCode: v.expected_exit_code,
+      timedOut: false,
+      denied: null,
+      maxAttempts: v.max_attempts,
+      output: '',
+      fenced: '',
+    };
+
+    // --no-verify (one-off skip) or no command configured → feature is a no-op.
+    if (noVerify || !v.command) return { ...base, skipped: true };
+
+    // Deny-list FIRST — verify is shell and must not be able to run a destructive
+    // command any more than the agent can. A hit is refused (never run) and
+    // reported as a non-passing verify (it cannot pass).
+    const denied = checkShellDenylist(v.command);
+    if (denied) {
+      warn(`Verify command blocked by deny-list (${denied.label}); not run: ${v.command}`);
+      const output = `Verify command was refused by the deny-list (${denied.label}) and did not run — treated as a failed verification.`;
+      return { ...base, ran: false, passed: false, denied: denied.label, output, fenced: wrapUntrusted(output, '[verify]') };
+    }
+
+    // OS sandbox (Pre-Task 5.0a). After the deny-list, route the verify command
+    // through the SAME shared shim as agentExecShell so it runs jailed. A refusal
+    // (failIfUnavailable, or no/declined human approval) is reported as a
+    // non-passing verify — never a silent unsandboxed run.
+    let resolution;
+    try {
+      resolution = await sandboxResolve(v.command);
+    } catch (err) {
+      warn(`Verify command sandbox resolution failed: ${err.message}`);
+      const output = `Verify command sandbox resolution failed: ${err.message} — treated as a failed verification.`;
+      return { ...base, ran: false, passed: false, output, fenced: wrapUntrusted(output, '[verify]') };
+    }
+    if (!resolution.run) {
+      warn(`Verify command not run — ${resolution.message}`);
+      return { ...base, ran: false, passed: false, output: resolution.message, fenced: wrapUntrusted(resolution.message, '[verify]') };
+    }
+
+    const spawnOpts = {
+      timeout: v.timeout_ms,
+      encoding: 'utf8',
+      env: { ...process.env, SEMALT_VERIFY: '1' },
+      maxBuffer: MAX_VERIFY_OUTPUT_BYTES,
+    };
+    let proc;
+    try {
+      proc = resolution.useShell
+        ? spawn(resolution.file, { shell: true, ...spawnOpts })
+        : spawn(resolution.file, resolution.args, spawnOpts);
+    } catch (err) {
+      // A spawn that throws (rare) must never crash the loop.
+      warn(`Verify command failed to spawn: ${err.message}`);
+      const output = `Verify command failed to spawn: ${err.message} — treated as a failed verification.`;
+      return { ...base, ran: false, passed: false, output, fenced: wrapUntrusted(output, '[verify]') };
+    }
+
+    const timedOut = !!(proc.error && (proc.error.code === 'ETIMEDOUT' || proc.signal === 'SIGTERM'));
+    const exitCode = (typeof proc.status === 'number') ? proc.status : -1;
+    const stdout = (proc.stdout != null ? String(proc.stdout) : '').trim();
+    const stderr = (proc.stderr != null ? String(proc.stderr) : '').trim();
+    const combined = [stdout, stderr].filter(Boolean).join('\n');
+
+    // Timeout: a hung verify is killed and treated as a failed verification —
+    // it never blocks indefinitely.
+    if (timedOut) {
+      warn(`Verify command timed out after ${v.timeout_ms}ms: ${v.command}`);
+      const output = `Verification timed out after ${v.timeout_ms}ms running \`${v.command}\` — treated as a failed verification.`
+        + (combined ? `\n${combined}` : '');
+      return { ...base, ran: true, passed: false, timedOut: true, exitCode: null, output, fenced: wrapUntrusted(output, '[verify output]') };
+    }
+
+    // Success is exit-code based — never parse stdout for success patterns.
+    const passed = exitCode === v.expected_exit_code;
+    const header = passed
+      ? `Verification PASSED — \`${v.command}\` exited ${exitCode} (expected ${v.expected_exit_code}).`
+      : `Verification FAILED — \`${v.command}\` exited ${exitCode} (expected ${v.expected_exit_code}).`;
+    const output = combined ? `${header}\n${combined}` : header;
+    return { ...base, ran: true, passed, exitCode, output, fenced: wrapUntrusted(output, '[verify output]') };
+  }
+
+  return { run, config };
+}
+
+// Resolve the effective verify config from the user and project layers,
+// QUARANTINING a project-introduced verify.command (executable, host-privileged).
+// Mirrors loadRuleLayers / loadHookLayers: a project (.semalt/config.json,
+// attacker-controllable in a cloned repo) can NEVER introduce or change the
+// command that the verify step runs. The effective verify is the USER layer's,
+// full stop — project verify settings are ignored. The two layers are read
+// SEPARATELY (raw config objects, NOT the shallow-merged view); that separation
+// is the security boundary. Returns { verify, quarantinedCommand }.
+function loadVerifyLayers(userVerify, projectVerify) {
+  const user = normalizeVerify(userVerify);
+  const project = normalizeVerify(projectVerify);
+  // A project command that the user did not already declare is the dangerous
+  // case — quarantine it. (An identical command is the user's own, no-op.)
+  const quarantinedCommand = (project.command && project.command !== user.command)
+    ? project.command
+    : null;
+  return { verify: user, quarantinedCommand };
+}
+
+module.exports = {
+  VERIFY_MODES,
+  normalizeVerify,
+  loadVerifyLayers,
+  createVerifyRunner,
+};