@semalt-ai/code 1.8.5 → 1.19.0

package/lib/config.js

@@ -4,7 +4,11 @@ const fs = require('fs');
 const path = require('path');
 const { URL } = require('url');
 
-const { CONFIG_PATH, DEFAULT_CONFIG } = require('./constants');
+const { CONFIG_PATH, DEFAULT_CONFIG, DEFAULT_MAX_ITERATIONS, DEFAULT_WEB_MAX_CONTENT_TOKENS, DEFAULT_USER_AGENT, DEFAULT_MCP_MAX_RESULT_TOKENS, DEFAULT_SUBAGENT_MAX_RESULT_TOKENS } = require('./constants');
+const { normalizeHooks, loadHookLayers } = require('./hooks');
+const { normalizeVerify, loadVerifyLayers } = require('./verify');
+const { normalizeCheckpoints } = require('./checkpoints');
+const { normalizeSandbox } = require('./sandbox');
 
 let _apiKeyAnyWarned = false;
 const _LOCAL_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]', '::1']);
@@ -12,6 +16,13 @@ const _LOCAL_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]', '::1']);
 function _maybeWarnApiKeyAny(cfg) {
   if (_apiKeyAnyWarned) return;
   if (cfg.api_key !== 'any') return;
+  // A real key from SEMALT_API_KEY or the OS keychain overrides config.api_key,
+  // so the 'any' placeholder here is harmless — don't warn in that case.
+  try {
+    const { apiKeySource } = require('./secrets');
+    const src = apiKeySource(cfg);
+    if (src === 'env' || src === 'keychain') return;
+  } catch {}
   let host = '';
   try {
     host = new URL(cfg.api_base).hostname;
@@ -27,6 +38,25 @@ function _maybeWarnApiKeyAny(cfg) {
   );
 }
 
+// Canonicalize a raw max_iterations value (from config or a flag layer) to the
+// stored form: a positive integer, or 0 for "unlimited". Invalid input falls
+// back to the default. Kept JSON-serializable — Infinity is never stored.
+function normalizeMaxIterations(raw) {
+  if (raw === 'unlimited') return 0;
+  const n = typeof raw === 'number' ? raw : parseInt(raw, 10);
+  if (n === 0) return 0;
+  if (Number.isInteger(n) && n > 0) return n;
+  return DEFAULT_MAX_ITERATIONS;
+}
+
+// Convert a normalized config max_iterations value into the numeric cap the
+// agent loop consumes. The 0 sentinel maps to Infinity (deliberately unbounded);
+// a positive integer is the cap; anything unexpected falls back to the default.
+function resolveMaxIterations(value) {
+  const n = normalizeMaxIterations(value);
+  return n === 0 ? Infinity : n;
+}
+
 function normalizeConfig(cfg = {}) {
   const merged = { ...DEFAULT_CONFIG, ...cfg };
   // Ensure every DEFAULT_CONFIG key is present without overwriting existing values
@@ -56,6 +86,103 @@ function normalizeConfig(cfg = {}) {
     ? cfg.dashboard_model_id
     : null;
   merged.repair_malformed_tool_xml = cfg.repair_malformed_tool_xml === true;
+  // Max agent-loop iterations per turn (Pre-Task 4.0a). Canonical form is a
+  // number: a positive integer caps the loop; 0 is the "unlimited" sentinel
+  // (config.json cannot store Infinity). Accept 'unlimited'/'0' strings and
+  // numeric strings; anything else (negative, fractional, garbage) falls back to
+  // the documented default.
+  merged.max_iterations = normalizeMaxIterations(cfg.max_iterations);
+  // Proxy intent (Task 2.2): carried through as strings; sourced from the env
+  // config layer (HTTPS_PROXY/HTTP_PROXY). '' means none.
+  merged.https_proxy = typeof merged.https_proxy === 'string' ? merged.https_proxy : '';
+  merged.http_proxy = typeof merged.http_proxy === 'string' ? merged.http_proxy : '';
+  // Cost price overrides (Task 2.6): a plain object map of model → { input, output }.
+  merged.pricing = (cfg.pricing && typeof cfg.pricing === 'object' && !Array.isArray(cfg.pricing))
+    ? cfg.pricing
+    : {};
+  // Multimodal image input (Task 5.4). `image_max_bytes` is a positive integer
+  // byte cap (raw bytes, pre-base64); anything invalid falls back to the default.
+  // `image_format` forces the provider content-part shape; only 'anthropic' /
+  // 'openai' are honored, else '' (heuristic selection).
+  merged.image_max_bytes = (Number.isInteger(cfg.image_max_bytes) && cfg.image_max_bytes > 0)
+    ? cfg.image_max_bytes
+    : DEFAULT_CONFIG.image_max_bytes;
+  merged.image_format = (cfg.image_format === 'anthropic' || cfg.image_format === 'openai')
+    ? cfg.image_format
+    : '';
+  // Task 2.7 payload flags.
+  merged.prompt_caching = cfg.prompt_caching === true;
+  merged.reasoning_effort_force = cfg.reasoning_effort_force === true;
+  merged.reasoning_effort = ['minimal', 'low', 'medium', 'high'].includes(cfg.reasoning_effort)
+    ? cfg.reasoning_effort
+    : '';
+  // MCP config scaffold (Task 3.2). Always normalized to an object with a
+  // `servers` object map, so Task 3.3 can read `cfg.mcp.servers` unconditionally.
+  const mcpIn = (cfg.mcp && typeof cfg.mcp === 'object' && !Array.isArray(cfg.mcp)) ? cfg.mcp : {};
+  // max_result_tokens (Task W.8): the STRICTER token cap applied to an MCP tool
+  // result before it enters context (third-party / untrusted). A positive integer
+  // wins; anything else falls back to the default.
+  let _mcpResultTok = parseInt(mcpIn.max_result_tokens, 10);
+  if (!Number.isInteger(_mcpResultTok) || _mcpResultTok < 1) _mcpResultTok = DEFAULT_MCP_MAX_RESULT_TOKENS;
+  merged.mcp = {
+    servers: (mcpIn.servers && typeof mcpIn.servers === 'object' && !Array.isArray(mcpIn.servers))
+      ? mcpIn.servers
+      : {},
+    max_result_tokens: _mcpResultTok,
+  };
+  // Lifecycle hooks (Task 3.4). Always normalized to a map with one array per
+  // known event, so dispatch in lib/agent.js / lib/hooks.js can read
+  // cfg.hooks[event] unconditionally. Empty by default.
+  merged.hooks = normalizeHooks(cfg.hooks);
+  // Subagents (Task 3.6). Always normalized to an object carrying the bounded
+  // parallel-execution cap, so lib/subagents.js can read it unconditionally.
+  const subIn = (cfg.subagents && typeof cfg.subagents === 'object' && !Array.isArray(cfg.subagents)) ? cfg.subagents : {};
+  let _maxConc = parseInt(subIn.max_concurrency, 10);
+  if (!Number.isInteger(_maxConc) || _maxConc < 1) _maxConc = 3;
+  if (_maxConc > 16) _maxConc = 16;
+  // max_result_tokens (Task W.8): the GENEROUS token cap on a subagent's final
+  // text before it enters the parent context (our own child's synthesized answer
+  // — a safety net against a verbose child, strictly larger than the MCP cap).
+  let _subResultTok = parseInt(subIn.max_result_tokens, 10);
+  if (!Number.isInteger(_subResultTok) || _subResultTok < 1) _subResultTok = DEFAULT_SUBAGENT_MAX_RESULT_TOKENS;
+  merged.subagents = { max_concurrency: _maxConc, max_result_tokens: _subResultTok };
+  // Per-pattern permission rules (Task 4.1). Normalized to a shape-only
+  // `{ rules: [...] }` here — the security-critical per-LAYER validation and
+  // compilation lives in lib/permission-rules.js (loadRuleLayers), which reads
+  // the user/project files independently so the project layer can only narrow.
+  const permIn = (cfg.permissions && typeof cfg.permissions === 'object' && !Array.isArray(cfg.permissions)) ? cfg.permissions : {};
+  merged.permissions = { rules: Array.isArray(permIn.rules) ? permIn.rules : [] };
+  // Self-verification (Task 4.2). Always normalized to a complete verify spec so
+  // lib/verify.js / lib/agent.js can read cfg.verify unconditionally. Empty
+  // command by default → the feature is a no-op until the user configures one.
+  merged.verify = normalizeVerify(cfg.verify);
+  // Checkpoints & rewind (Task 4.3). Always normalized to a complete spec so
+  // lib/checkpoints.js can read cfg.checkpoints unconditionally. Enabled by
+  // default; bounded by a per-file size cap and a per-session retention cap.
+  merged.checkpoints = normalizeCheckpoints(cfg.checkpoints);
+  // OS sandbox (Task 4.4). Always normalized so lib/sandbox.js / lib/tools.js can
+  // read cfg.sandbox unconditionally. `auto` by default; `off` is a human-only
+  // opt-out (no model-reachable path can set it — config files are human-edited).
+  merged.sandbox = normalizeSandbox(cfg.sandbox);
+  // Web-fetch pipeline (Task W.1). Always normalized so http_get can read
+  // cfg.web unconditionally. `summarize` defaults ON (the big token win); only
+  // an explicit `false` opts out. `summary_model` is a trimmed string ('' →
+  // current model). `max_content_tokens` is a sane positive integer (clamped),
+  // the cap on extracted content fed to the summarizer / context.
+  const webIn = (cfg.web && typeof cfg.web === 'object' && !Array.isArray(cfg.web)) ? cfg.web : {};
+  let _webMaxTok = parseInt(webIn.max_content_tokens, 10);
+  if (!Number.isInteger(_webMaxTok) || _webMaxTok < 256) _webMaxTok = DEFAULT_WEB_MAX_CONTENT_TOKENS;
+  if (_webMaxTok > 200000) _webMaxTok = 200000;
+  merged.web = {
+    summarize: webIn.summarize === false ? false : true,
+    summary_model: typeof webIn.summary_model === 'string' ? webIn.summary_model.trim() : '',
+    max_content_tokens: _webMaxTok,
+    // User-Agent for http_get/download (Task W.3 Part 2). A trimmed operator
+    // override; empty/missing → the fixed DEFAULT_USER_AGENT. Human-only — the
+    // agent has no way to set it (no UA parameter in the tool spec).
+    user_agent: typeof webIn.user_agent === 'string' && webIn.user_agent.trim()
+      ? webIn.user_agent.trim() : DEFAULT_USER_AGENT,
+  };
   merged.models = Array.isArray(cfg.models)
     ? cfg.models
         .filter((entry) => entry &&
@@ -79,22 +206,188 @@ function normalizeConfig(cfg = {}) {
           // native_tools defaults to true; only explicit false/0/"false"/"0" opts out.
           const nt = entry.native_tools;
           normalized.native_tools = !(nt === false || nt === 0 || nt === '0' || nt === 'false');
+          // Multimodal image input (Task 5.4). `vision` (only when an explicit
+          // boolean) marks the profile vision-capable or text-only; a text-only
+          // profile makes an image attach fail LOUD rather than silently drop.
+          // `image_format` forces this profile's provider content-part shape.
+          if (typeof entry.vision === 'boolean') normalized.vision = entry.vision;
+          if (entry.image_format === 'anthropic' || entry.image_format === 'openai') {
+            normalized.image_format = entry.image_format;
+          }
           return normalized;
         })
     : [];
   return merged;
 }
 
-function loadConfig() {
+// ---------------------------------------------------------------------------
+// Layered configuration (Task 2.2)
+// ---------------------------------------------------------------------------
+//
+// Precedence, lowest to highest:
+//   1. user config    ~/.semalt-ai/config.json
+//   2. project config .semalt/config.json (nearest, found by walking up to the
+//                     repo root from the current working directory)
+//   3. environment    SEMALT_API_BASE, SEMALT_MODEL, HTTPS_PROXY/HTTP_PROXY
+//   4. CLI flags      --api-base, --api-key, --dashboard-url, --default-model
+//
+// The merge itself is a pure function (mergeConfigLayers) so each combination is
+// unit-testable. API-key sourcing is intentionally NOT part of this merge — it
+// stays in lib/secrets.js (SEMALT_API_KEY env → OS keychain → config.api_key),
+// preserving the Phase 0 precedence.
+
+// Raw read of the user config file (or null). Ensures the config dir exists so
+// first-run save paths keep working.
+function readUserConfig() {
   fs.mkdirSync(path.dirname(CONFIG_PATH), { recursive: true });
-  let cfg;
-  if (fs.existsSync(CONFIG_PATH)) {
-    try {
-      const data = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'));
-      cfg = normalizeConfig(data);
-    } catch {}
+  if (!fs.existsSync(CONFIG_PATH)) return null;
+  try { return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8')); } catch { return null; }
+}
+
+// The user-file layer ONLY (no project/env/flags overlay). Persistence is based
+// on this so transient overrides are never written back to config.json.
+function loadUserConfig() {
+  return normalizeConfig(readUserConfig() || {});
+}
+
+// Walk up from startDir looking for .semalt/config.json. Bounded by the repo
+// root: the directory holding .git is the last one checked. Returns the path of
+// the nearest project config, or null.
+function findProjectConfigPath(startDir) {
+  let dir = startDir;
+  while (true) {
+    const candidate = path.join(dir, '.semalt', 'config.json');
+    try { if (fs.existsSync(candidate)) return candidate; } catch {}
+    let atRepoRoot = false;
+    try { atRepoRoot = fs.existsSync(path.join(dir, '.git')); } catch {}
+    if (atRepoRoot) break;
+    const parent = path.dirname(dir);
+    if (parent === dir) break; // filesystem root
+    dir = parent;
+  }
+  return null;
+}
+
+function loadProjectConfig(startDir) {
+  const p = findProjectConfigPath(startDir);
+  if (!p) return null;
+  try { return JSON.parse(fs.readFileSync(p, 'utf8')); } catch { return null; }
+}
+
+// Environment → partial config layer. Pure: takes the env object. SEMALT_API_KEY
+// is deliberately absent (owned by secrets.js).
+function envConfigLayer(env = process.env) {
+  const layer = {};
+  if (typeof env.SEMALT_API_BASE === 'string' && env.SEMALT_API_BASE.trim()) {
+    layer.api_base = env.SEMALT_API_BASE.trim();
+  }
+  if (typeof env.SEMALT_MODEL === 'string' && env.SEMALT_MODEL.trim()) {
+    layer.default_model = env.SEMALT_MODEL.trim();
+  }
+  const httpsProxy = env.HTTPS_PROXY || env.https_proxy;
+  const httpProxy = env.HTTP_PROXY || env.http_proxy;
+  if (typeof httpsProxy === 'string' && httpsProxy.trim()) layer.https_proxy = httpsProxy.trim();
+  if (typeof httpProxy === 'string' && httpProxy.trim()) layer.http_proxy = httpProxy.trim();
+  return layer;
+}
+
+// CLI flags → partial config layer. Pure: takes argv (the args after the
+// subcommand). Only config-bearing flags are mapped; everything else is ignored.
+function flagsConfigLayer(argv = []) {
+  const layer = {};
+  const MAP = {
+    '--api-base': 'api_base',
+    '--api-key': 'api_key',
+    '--dashboard-url': 'dashboard_url',
+    '--default-model': 'default_model',
+    '--reasoning-effort': 'reasoning_effort', // Task 2.7
+    '--max-iterations': 'max_iterations', // Pre-Task 4.0a
+  };
+  const BOOL = {
+    '--prompt-caching': 'prompt_caching', // Task 2.7
+  };
+  for (let i = 0; i < argv.length; i++) {
+    if (BOOL[argv[i]]) { layer[BOOL[argv[i]]] = true; continue; }
+    const key = MAP[argv[i]];
+    if (!key) continue;
+    const val = argv[i + 1];
+    if (val === undefined || val.startsWith('-')) continue;
+    layer[key] = val;
+    i++;
+  }
+  return layer;
+}
+
+// Pure precedence engine: shallow-merge the given partial layers (lowest first),
+// skipping nullish layers and undefined values, then normalize. Exported and
+// unit-tested across every layer combination.
+function mergeConfigLayers(layers) {
+  const merged = {};
+  for (const layer of layers || []) {
+    if (!layer || typeof layer !== 'object') continue;
+    for (const [k, v] of Object.entries(layer)) {
+      if (v === undefined) continue;
+      merged[k] = v;
+    }
+  }
+  return normalizeConfig(merged);
+}
+
+// Pure: given the merged config a caller wants to persist, the previous merged
+// view, and the current user-file object, return the object to write to the user
+// config file. Only keys the caller actually CHANGED (vs the previous merged
+// view) are layered onto the user file — so env/project/flag overrides merely
+// carried along in `next` are never baked into config.json.
+function userLayerForPersist(next, prevMerged, userFile) {
+  const out = { ...(userFile || {}) };
+  const prev = prevMerged || {};
+  for (const k of Object.keys(next || {})) {
+    if (JSON.stringify(next[k]) !== JSON.stringify(prev[k])) out[k] = next[k];
+  }
+  return out;
+}
+
+// SECURITY (Pre-Task 5.0a): hooks/verify are EXECUTABLE surfaces, and a project
+// .semalt/config.json is attacker-controllable in a cloned repo. The shallow
+// merge above lets a project layer introduce a command-type hook or a
+// verify.command that would then run with host privileges. Mirroring how
+// permission rules are loaded (loadRuleLayers reads the layers SEPARATELY so the
+// project layer can only narrow), we re-resolve hooks/verify from the RAW user
+// and project layers and quarantine project-introduced executables — keeping
+// project PROMPT hooks (text injection only, already untrusted). The warning
+// fires once so the user knows a project executable was ignored.
+let _quarantineWarned = false;
+function applyExecutableQuarantine(cfg, userRaw, projectRaw) {
+  const hookLayers = loadHookLayers(userRaw && userRaw.hooks, projectRaw && projectRaw.hooks);
+  cfg.hooks = hookLayers.hooks;
+  const verifyLayers = loadVerifyLayers(userRaw && userRaw.verify, projectRaw && projectRaw.verify);
+  cfg.verify = verifyLayers.verify;
+  if (!_quarantineWarned && (hookLayers.quarantined.length || verifyLayers.quarantinedCommand)) {
+    _quarantineWarned = true;
+    for (const q of hookLayers.quarantined) {
+      // audit: allowed — pre-UI startup warning, fires once before the TUI initialises.
+      process.stderr.write(`⚠ Ignored project-layer ${q.event} command hook (executable hooks from .semalt/config.json are quarantined): ${q.command}\n`);
+    }
+    if (verifyLayers.quarantinedCommand) {
+      process.stderr.write(`⚠ Ignored project-layer verify.command (quarantined; executable verify from .semalt/config.json is not honored): ${verifyLayers.quarantinedCommand}\n`);
+    }
   }
-  if (!cfg) cfg = normalizeConfig();
+  return cfg;
+}
+
+// The merged runtime config. `argv` defaults to the process args after the node
+// binary + script; callers that already parsed args may pass the relevant slice.
+function loadConfig(argv) {
+  const flagsArgv = Array.isArray(argv) ? argv : process.argv.slice(2);
+  const userRaw = readUserConfig();
+  const projectRaw = loadProjectConfig(process.cwd());
+  const cfg = mergeConfigLayers([
+    userRaw,
+    projectRaw,
+    envConfigLayer(process.env),
+    flagsConfigLayer(flagsArgv),
+  ]);
+  applyExecutableQuarantine(cfg, userRaw, projectRaw);
   _maybeWarnApiKeyAny(cfg);
   return cfg;
 }
@@ -105,7 +398,9 @@ function saveConfig(cfg) {
 }
 
 function configSet(key, value) {
-  const cfg = loadConfig();
+  // Operate on the USER file only — never the merged view — so a `config set`
+  // never bakes a project/env/flag override into config.json.
+  const cfg = loadUserConfig();
   cfg[key] = value;
   saveConfig(cfg);
   return cfg;
@@ -129,9 +424,26 @@ function configShow(systemPromptOverride = null) {
   const cfg = loadConfig();
   const lines = ['Config:'];
   for (const [key, val] of Object.entries(cfg)) {
-    const display = REDACTED_KEYS.has(key) && val ? '****' : JSON.stringify(val);
+    let display;
+    if (REDACTED_KEYS.has(key) && val) {
+      display = '****';
+    } else if (key === 'models' && Array.isArray(val)) {
+      // Per-profile api_key values are secrets too — redact them before display.
+      display = JSON.stringify(val.map((m) => (
+        m && typeof m === 'object' && 'api_key' in m ? { ...m, api_key: m.api_key ? '****' : m.api_key } : m
+      )));
+    } else {
+      display = JSON.stringify(val);
+    }
     lines.push(`  ${key}: ${display}`);
   }
+  // Surface WHERE the active API key resolves from (env / keychain / config /
+  // none) without ever printing the key itself. Keys from env/keychain are not
+  // stored in config.json, so this is the only signal the user gets.
+  try {
+    const { apiKeySource } = require('./secrets');
+    lines.push(`  api_key_source: ${apiKeySource(cfg)}`);
+  } catch {}
   if (systemPromptOverride) {
     lines.push(`  system_prompt: [override from ${systemPromptOverride}]`);
   } else {
@@ -146,6 +458,16 @@ module.exports = {
   configShow,
   isNativeToolsActive,
   loadConfig,
+  loadUserConfig,
   normalizeConfig,
+  resolveMaxIterations,
   saveConfig,
+  // Layered-config building blocks (Task 2.2) — pure and individually testable.
+  mergeConfigLayers,
+  envConfigLayer,
+  flagsConfigLayer,
+  findProjectConfigPath,
+  loadProjectConfig,
+  readUserConfig,
+  userLayerForPersist,
 };