npm - @themoltnet/pi-extension - Versions diffs - 0.16.0 → 0.16.1 - Mend

@themoltnet/pi-extension 0.16.0 → 0.16.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -126,6 +126,16 @@ the base snapshot is used (Alpine + git + gh + MoltNet CLI + agent user).
     "GOPATH": "/home/agent/go",
     "GOROOT": "/usr/lib/go"
   },
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" }
+    ]
+  },
   "resources": {
     "cpus": 2,
     "memory": "6G"
@@ -183,6 +193,45 @@ Environment variable overrides applied to the guest VM. Use this to fix host
 env pollution (e.g. `GOROOT` from mise/asdf pointing at a macOS path leaking
 into the Linux guest).
+### `hostExec`
+Host-side escape hatch policy for `moltnet_host_exec`. The executable must
+still be in the built-in host-exec allowlist (`git`, `gh`, `moltnet`); this
+setting only controls whether the per-call UI approval dialog is skipped.
+`autoApprove: true` skips the dialog for every allowed host command. Use that
+only on isolated hosts or disposable machines.
+For local daemon runs, prefer rule-based approval:
+```json
+{
+  "hostExec": {
+    "autoApprove": [
+      {
+        "argsExcludes": ["--mirror", "--all"],
+        "argsPrefix": ["push"],
+        "executable": "git"
+      },
+      { "argsPrefix": ["pr", "create"], "executable": "gh" },
+      { "argsPrefix": ["pr", "view"], "executable": "gh" }
+    ]
+  }
+}
+```
+Each rule matches an exact executable plus optional argument constraints:
+| Field          | Description                                                 |
+| -------------- | ----------------------------------------------------------- |
+| `executable`   | Exact executable name                                       |
+| `argsPrefix`   | Ordered argument prefix; later flags/args are still allowed |
+| `argsContains` | Tokens that must appear anywhere in the args                |
+| `argsExcludes` | Tokens that block auto-approval when present                |
+If a rule only sets `executable`, all argument lists for that executable are
+auto-approved after the built-in executable allowlist check.
 ## Base snapshot
 Every snapshot includes:

package/dist/index.d.ts CHANGED Viewed

@@ -271,6 +271,12 @@ export declare interface ExecutePiTaskOptions {
      * Default `3`. Set to `0` to disable. Closes part of #1094.
      */
     maxBashTimeouts?: number;
+    /**
+     * Skip per-call UI approval for matching `moltnet_host_exec` commands.
+     * Keep false/undefined for interactive consumers. `true` skips every dialog
+     * after HOST_EXEC_ALLOWED; an array limits auto-approval to matching rules.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
 }
 /**
@@ -285,6 +291,19 @@ export declare function findMainWorktree(): string;
  */
 export declare const HOST_EXEC_DEFAULT_BASE_ENV: ReadonlySet<string>;
+declare type HostExecAutoApproveConfig = boolean | readonly HostExecAutoApproveRule[];
+declare interface HostExecAutoApproveRule {
+    /** Exact executable name. Must still pass HOST_EXEC_ALLOWED. */
+    executable: string;
+    /** Optional ordered argument prefix; flags after the prefix are allowed. */
+    argsPrefix?: readonly string[];
+    /** Optional unordered argument tokens that must appear somewhere. */
+    argsContains?: readonly string[];
+    /** Optional argument tokens that prevent auto-approval when present. */
+    argsExcludes?: readonly string[];
+}
 export declare interface InjectedTaskContext {
     /** Refs that were delivered, in declared order, for audit. */
     injected: ContextRef[];
@@ -363,6 +382,19 @@ declare interface MoltNetToolsConfig {
      * Defaults to HOST_EXEC_DEFAULT_BASE_ENV when omitted.
      */
     hostExecBaseEnv?: ReadonlySet<string>;
+    /**
+     * When true, `moltnet_host_exec` skips the per-call UI approval dialog.
+     * Intended for non-interactive daemon automation only; interactive
+     * consumers should keep the default false behavior.
+     */
+    autoApproveHostExec?: boolean;
+    /**
+     * Host-exec auto-approval policy. `true` skips all dialogs after the
+     * executable allowlist check. An array skips only commands matching one of
+     * the supplied executable/argument rules. Omitted/false preserves the
+     * interactive approval flow.
+     */
+    hostExecAutoApprove?: HostExecAutoApproveConfig;
     /**
      * Active-task context, populated by the agent-daemon path. When set,
      * `moltnet_create_entry` enforces `diaryId === taskContext.diaryId` and
@@ -419,6 +451,19 @@ export declare interface SandboxConfig {
     };
     /** Environment variable overrides for the guest VM (applied on top of defaults). */
     env?: Record<string, string>;
+    /** Host-side escape hatch policy. Applies only to `moltnet_host_exec`. */
+    hostExec?: {
+        /**
+         * `true` auto-approves every allowed executable. An array auto-approves
+         * only commands matching one of the executable/argument rules.
+         */
+        autoApprove?: boolean | {
+            executable: string;
+            argsPrefix?: string[];
+            argsContains?: string[];
+            argsExcludes?: string[];
+        }[];
+    };
     /** VM resource allocation. */
     resources?: {
         /** Memory size in qemu syntax (default '1G'). */

package/dist/index.js CHANGED Viewed

@@ -7274,6 +7274,7 @@ function renderPhase6Markdown(pack) {
 * These tools run on the host (not in the VM) via the MoltNet SDK,
 * so agent credentials never touch the VM filesystem.
 */
+var DIARY_TAG_MAX_LENGTH = 128;
 /**
 * Baseline env keys forwarded to host-exec child processes.
 * Callers can extend this set at sandbox startup via `MoltNetToolsConfig.hostExecBaseEnv`.
@@ -7302,6 +7303,19 @@ function ensureConnected(config) {
 		teamId: config.getTeamId() ?? ""
 	};
 }
+function hostExecMatchesAutoApproveRule(params, rule) {
+	if (params.executable !== rule.executable) return false;
+	if (rule.argsExcludes?.some((arg) => params.args.includes(arg))) return false;
+	if (rule.argsPrefix && !rule.argsPrefix.every((arg, index) => params.args[index] === arg)) return false;
+	if (rule.argsContains && !rule.argsContains.every((arg) => params.args.includes(arg))) return false;
+	return true;
+}
+function shouldAutoApproveHostExec(params, config) {
+	const policy = config.autoApproveHostExec === true ? true : config.hostExecAutoApprove ?? false;
+	if (policy === true) return true;
+	if (!Array.isArray(policy)) return false;
+	return policy.some((rule) => hostExecMatchesAutoApproveRule(params, rule));
+}
 /**
 * Expand the `taskFilter` shorthand on the diary list/search tools into
 * the matching `task:*` provenance tags emitted by `moltnet_create_entry`
@@ -7520,14 +7534,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max entries to return (default 10)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags filter — entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Tags to exclude — entry must have NONE of these. Max 20.",
 				maxItems: 20
@@ -7620,14 +7634,14 @@ function createMoltNetTools(config) {
 			limit: Type.Optional(Type.Number({ description: "Max results (default 5)" })),
 			tags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have ALL listed tags (AND). Max 20.",
 				maxItems: 20
 			})),
 			excludeTags: Type.Optional(Type.Array(Type.String({
 				minLength: 1,
-				maxLength: 50
+				maxLength: DIARY_TAG_MAX_LENGTH
 			}), {
 				description: "Entry must have NONE of these tags. Max 20.",
 				maxItems: 20
@@ -7813,7 +7827,7 @@ function createMoltNetTools(config) {
 			}),
 			async execute(_id, params, _signal, _onUpdate, ctx) {
 				if (!HOST_EXEC_ALLOWED.has(params.executable)) throw new Error(`host_exec: '${params.executable}' is not in the allowed list (${[...HOST_EXEC_ALLOWED].join(", ")}). Extend HOST_EXEC_ALLOWED only after explicit security review.`);
-				if (ctx?.ui) {
+				if (ctx?.ui && !shouldAutoApproveHostExec(params, config)) {
 					const cmdDisplay = [params.executable, ...params.args].join(" ");
 					if (!await ctx.ui.confirm("Allow host command?", `The agent wants to run on your machine:\n\n  ${cmdDisplay}\n\nAllow?`)) throw new Error(`host_exec: user declined approval for: ${cmdDisplay}`);
 				}
@@ -15366,6 +15380,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 				clearSessionErrors: () => {},
 				getHostCwd: () => mountPath,
 				hostExecBaseEnv: new Set([...HOST_EXEC_DEFAULT_BASE_ENV, ...Object.keys(managed.credentials.agentEnv)]),
+				hostExecAutoApprove: opts.hostExecAutoApprove ?? opts.sandboxConfig?.hostExec?.autoApprove ?? false,
 				getTaskContext: () => ({
 					taskId: task.id,
 					taskType: task.taskType,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/pi-extension",
-  "version": "0.16.0",
+  "version": "0.16.1",
   "type": "module",
   "description": "MoltNet pi extension — sandboxed tool execution in Gondolin VMs with MoltNet identity and persistent memory",
   "license": "MIT",