@wrongstack/core 0.264.0 → 0.265.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-bridge-D8sa1vtv.d.ts → agent-bridge-DrkBxszZ.d.ts} +1 -1
- package/dist/{agent-subagent-runner-c9DLkaas.d.ts → agent-subagent-runner-DM2pP-B6.d.ts} +113 -11
- package/dist/{brain-O1IdKPaK.d.ts → brain-BXd_61kQ.d.ts} +31 -2
- package/dist/{compactor-BBy0rCtB.d.ts → compactor-B8pOf45Y.d.ts} +1 -1
- package/dist/{config-Dz2F3H2K.d.ts → config-BMCj_XDs.d.ts} +80 -12
- package/dist/{context-BGSpZNSE.d.ts → context-MRk5PhNv.d.ts} +26 -12
- package/dist/coordination/index.d.ts +77 -21
- package/dist/coordination/index.js +557 -159
- package/dist/coordination/index.js.map +1 -1
- package/dist/{default-config-CXsDvOmP.d.ts → default-config-B0cj-Hry.d.ts} +11 -1
- package/dist/defaults/index.d.ts +28 -28
- package/dist/defaults/index.js +609 -195
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.d.ts +16 -16
- package/dist/execution/index.js +394 -155
- package/dist/execution/index.js.map +1 -1
- package/dist/execution/prompt-enhancer.d.ts +2 -2
- package/dist/execution/prompt-enhancer.js +1 -1
- package/dist/execution/prompt-enhancer.js.map +1 -1
- package/dist/extension/index.d.ts +6 -6
- package/dist/{goal-preamble-DzjFuN3p.d.ts → goal-preamble-DvHDSKSe.d.ts} +14 -10
- package/dist/{goal-store-CxWmCGbH.d.ts → goal-store-DtLMySNb.d.ts} +1 -1
- package/dist/{index-CYIQrXVF.d.ts → index-B-ch8K9C.d.ts} +8 -8
- package/dist/{index-CbLSI66_.d.ts → index-CEDeNodM.d.ts} +5 -5
- package/dist/index.d.ts +183 -52
- package/dist/index.js +1779 -673
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +6 -6
- package/dist/infrastructure/index.js +12 -8
- package/dist/infrastructure/index.js.map +1 -1
- package/dist/kernel/index.d.ts +9 -9
- package/dist/kernel/index.js +1 -1
- package/dist/kernel/index.js.map +1 -1
- package/dist/{llm-selector-DzxuZnNz.d.ts → llm-selector-C0tfTCUe.d.ts} +14 -2
- package/dist/{mcp-servers-DC4QRPUI.d.ts → mcp-servers-2x4w6Jn9.d.ts} +3 -3
- package/dist/models/index.d.ts +5 -5
- package/dist/models/index.js +74 -30
- package/dist/models/index.js.map +1 -1
- package/dist/{models-registry-B_siPxqN.d.ts → models-registry-DmJlKuNp.d.ts} +1 -1
- package/dist/{multi-agent-coordinator-CK5Jdj9K.d.ts → multi-agent-coordinator-DyCkCZnU.d.ts} +1 -1
- package/dist/{null-fleet-bus-DgvD4SCO.d.ts → null-fleet-bus-CG9QY2aP.d.ts} +6 -6
- package/dist/observability/index.d.ts +2 -2
- package/dist/{parallel-eternal-engine-bK0JQBR_.d.ts → parallel-eternal-engine-Jw9uhEoT.d.ts} +9 -9
- package/dist/{path-resolver-BPEDlN38.d.ts → path-resolver-Dy2ej-gE.d.ts} +3 -3
- package/dist/{permission-4yvGmMRB.d.ts → permission-B9SB45lp.d.ts} +1 -1
- package/dist/{permission-policy-C6XpsBOy.d.ts → permission-policy-CkjSXabK.d.ts} +2 -2
- package/dist/{pipeline-CXCeMz8J.d.ts → pipeline-DPDxH_7m.d.ts} +3 -3
- package/dist/{plan-templates-BvzRBkJc.d.ts → plan-templates-CzD9GnAU.d.ts} +32 -8
- package/dist/{provider-runner-C5aQpDWE.d.ts → provider-runner-DMa70ODu.d.ts} +3 -3
- package/dist/{retry-policy-CFhdtRzz.d.ts → retry-policy-CN0khdlj.d.ts} +1 -1
- package/dist/sdd/index.d.ts +8 -8
- package/dist/sdd/index.js +274 -93
- package/dist/sdd/index.js.map +1 -1
- package/dist/{secret-vault-CxiVLbt1.d.ts → secret-vault-B2yw84VT.d.ts} +43 -4
- package/dist/secret-vault-BAKpgFw_.d.ts +57 -0
- package/dist/security/index.d.ts +5 -5
- package/dist/security/index.js +204 -23
- package/dist/security/index.js.map +1 -1
- package/dist/{selector-gIuhRTkN.d.ts → selector-CzHh_igB.d.ts} +1 -1
- package/dist/{session-event-bridge-DkvvrpDt.d.ts → session-event-bridge-BUI6Jf-4.d.ts} +1 -1
- package/dist/{session-reader-KdfVwkKP.d.ts → session-reader-CMgdMSRP.d.ts} +1 -1
- package/dist/storage/index.d.ts +112 -15
- package/dist/storage/index.js +419 -81
- package/dist/storage/index.js.map +1 -1
- package/dist/tools/index.d.ts +2 -2
- package/dist/types/index.d.ts +21 -21
- package/dist/types/index.js +261 -53
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +3 -3
- package/dist/utils/index.js +3 -5
- package/dist/utils/index.js.map +1 -1
- package/dist/{wstack-paths-CJjEwPXn.d.ts → wstack-paths-hOpNLmvf.d.ts} +2 -0
- package/package.json +1 -1
- package/skills/api-design/SKILL.md +1 -1
- package/skills/audit-log/SKILL.md +6 -6
- package/skills/bug-hunter/SKILL.md +5 -5
- package/skills/chimera/SKILL.md +4 -4
- package/skills/docker-deploy/SKILL.md +1 -1
- package/skills/git-flow/SKILL.md +3 -3
- package/skills/multi-agent/SKILL.md +3 -3
- package/skills/node-modern/SKILL.md +1 -0
- package/skills/observability/SKILL.md +2 -2
- package/skills/output-standards/SKILL.md +51 -28
- package/skills/refactor-planner/SKILL.md +3 -3
- package/skills/security-scanner/SKILL.md +4 -3
- package/skills/tech-stack/SKILL.md +1 -2
- package/dist/secret-vault-BJDY28ev.d.ts +0 -25
package/dist/tools/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { T as Tool } from '../context-
|
|
2
|
-
import { c as MCPServerConfig, h as Config } from '../config-
|
|
1
|
+
import { T as Tool } from '../context-MRk5PhNv.js';
|
|
2
|
+
import { c as MCPServerConfig, h as Config } from '../config-BMCj_XDs.js';
|
|
3
3
|
import '../dispatcher-types.d-BBeXBQgS.js';
|
|
4
4
|
import 'node:https';
|
|
5
5
|
import 'undici';
|
package/dist/types/index.d.ts
CHANGED
|
@@ -1,34 +1,34 @@
|
|
|
1
|
-
export { A as AgentError, k as Capabilities, u as ConfigError, g as ContentBlock, C as Context, v as ContextInit, E as ERROR_CODES, w as ErrorCode, x as ErrorSeverity, y as ErrorSubsystem, F as FileSnapshot, z as FsError, I as ImageBlock, J as JSONSchema, M as Message, B as MessageRole, f as Permission, D as PluginError, P as Provider, e as ProviderError, G as ProviderErrorBody, R as Request, b as Response, p as ResumedSession, K as RiskTier, o as RunOptions, N as SddError, q as SessionData, O as SessionError, S as SessionEvent, h as SessionMetadata, i as SessionStore, r as SessionSummary, a as SessionWriter, W as StopReason, X as StreamEvent, Y as StreamHangError, n as TextBlock, Z as ThinkingBlock, s as TodoItem, T as Tool, _ as ToolCallContext, $ as ToolError, a0 as ToolFinalEvent, j as ToolProgressEvent, m as ToolResultBlock,
|
|
2
|
-
export { P as ProviderRunner, R as RunProviderOptions } from '../provider-runner-
|
|
3
|
-
export { A as AutonomyConfig, n as CONTEXT_WINDOW_MODES, h as Config, j as ConfigLoader, i as ConfigStore,
|
|
4
|
-
export { a as CompactReport, C as Compactor } from '../compactor-
|
|
5
|
-
export { a as PermissionDecision, P as PermissionPolicy, T as TrustPolicy } from '../permission-
|
|
1
|
+
export { A as AgentError, k as Capabilities, u as ConfigError, g as ContentBlock, C as Context, v as ContextInit, E as ERROR_CODES, w as ErrorCode, x as ErrorSeverity, y as ErrorSubsystem, F as FileSnapshot, z as FsError, I as ImageBlock, J as JSONSchema, M as Message, B as MessageRole, f as Permission, D as PluginError, P as Provider, e as ProviderError, G as ProviderErrorBody, R as Request, b as Response, p as ResumedSession, K as RiskTier, o as RunOptions, N as SddError, q as SessionData, O as SessionError, S as SessionEvent, h as SessionMetadata, i as SessionStore, r as SessionSummary, a as SessionWriter, W as StopReason, X as StreamEvent, Y as StreamHangError, n as TextBlock, Z as ThinkingBlock, s as TodoItem, T as Tool, _ as ToolCallContext, $ as ToolError, a0 as ToolFinalEvent, a1 as ToolIconId, j as ToolProgressEvent, m as ToolResultBlock, a2 as ToolStreamEvent, l as ToolUseBlock, U as Usage, a3 as WrongStackError, a4 as asBlocks, a5 as asText, a7 as isAgentError, a8 as isConfigError, a9 as isFsError, aa as isImageBlock, ab as isPluginError, ac as isSddError, ad as isSessionError, ae as isTextBlock, af as isThinkingBlock, ag as isToolError, ah as isToolResultBlock, ai as isToolUseBlock, aj as isWrongStackError, ak as toWrongStackError } from '../context-MRk5PhNv.js';
|
|
2
|
+
export { P as ProviderRunner, R as RunProviderOptions } from '../provider-runner-DMa70ODu.js';
|
|
3
|
+
export { A as AutonomyConfig, n as CONTEXT_WINDOW_MODES, o as CircuitBreakerRuntimeConfig, h as Config, j as ConfigLoader, i as ConfigStore, p as ContextConfig, C as ContextWindowAggressiveOn, q as ContextWindowConfigLike, r as ContextWindowMode, s as ContextWindowModeId, g as ContextWindowPolicy, t as ContextWindowThresholds, u as CustomModelDefinition, D as DEFAULT_CONTEXT_WINDOW_MODE_ID, F as FeaturesConfig, f as HookEntry, H as HookEvent, l as HookInput, e as HookMatcher, m as HookOutcome, I as InProcessHook, v as IndexingConfig, L as LaunchConfig, w as LogConfig, c as MCPServerConfig, d as ModelMatrixEntry, x as ModelsDevModel, a as ModelsDevPayload, y as ModelsDevProvider, M as ModelsRegistry, z as PluginConfig, B as ProviderApiKey, P as ProviderConfig, b as ResolvedModel, R as ResolvedProvider, E as SessionLoggingConfig, S as ShellHook, G as SyncCategory, k as SyncConfig, T as TokenSavingTier, J as ToolsConfig, W as WireFamily, K as formatContextWindowModeList, N as getContextWindowMode, O as isContextWindowModeId, Q as listContextWindowModes, U as normalizeTokenSavingTier, V as resolveContextWindowPolicy } from '../config-BMCj_XDs.js';
|
|
4
|
+
export { a as CompactReport, C as Compactor } from '../compactor-B8pOf45Y.js';
|
|
5
|
+
export { a as PermissionDecision, P as PermissionPolicy, T as TrustPolicy } from '../permission-B9SB45lp.js';
|
|
6
6
|
export { C as CheckpointInfo, R as RewindResult, a as RewindResultExtended, S as SessionRewinder } from '../session-rewinder-C9HnMkhP.js';
|
|
7
|
-
export { a as AddAttachmentInput, c as Attachment, d as AttachmentKind, e as AttachmentMeta, b as AttachmentRef, A as AttachmentStore, D as DefaultSessionReader } from '../session-reader-
|
|
8
|
-
export { D as DEFAULT_AUTONOMY_CONFIG, a as
|
|
9
|
-
export { D as DefaultSecretScrubber, a as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-vault-
|
|
7
|
+
export { a as AddAttachmentInput, c as Attachment, d as AttachmentKind, e as AttachmentMeta, b as AttachmentRef, A as AttachmentStore, D as DefaultSessionReader } from '../session-reader-CMgdMSRP.js';
|
|
8
|
+
export { D as DEFAULT_AUTONOMY_CONFIG, a as DEFAULT_CIRCUIT_BREAKER_CONFIG, b as DEFAULT_CONTEXT_CONFIG, c as DEFAULT_SESSION_LOGGING_CONFIG, d as DEFAULT_SESSION_PRUNE_DAYS, e as DEFAULT_TOOLS_CONFIG } from '../default-config-B0cj-Hry.js';
|
|
9
|
+
export { D as DefaultSecretScrubber, a as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted, b as rotateConfigKeys } from '../secret-vault-B2yw84VT.js';
|
|
10
10
|
export { D as DefaultLogger, a as DefaultLoggerOptions, L as LogFormat, n as noOpLogger } from '../logger-DmmQhf4P.js';
|
|
11
|
-
export { D as DefaultPathResolver, a as DefaultTokenCounter } from '../path-resolver-
|
|
12
|
-
export { o as MEMORY_TYPE_LABELS, p as MemoryClearedPayload, q as MemoryConsolidatedPayload, b as MemoryEntry, r as MemoryForgottenPayload, s as MemoryPriority, d as MemoryRelevanceContext, t as MemoryRememberedPayload, M as MemoryScope, c as MemoryStore, u as MemoryType, S as ScoredEntry } from '../brain-
|
|
13
|
-
import { I as IterationStage, g as ParallelIterationStage } from '../parallel-eternal-engine-
|
|
14
|
-
export { C as CompactorOptions, D as DEFAULT_RECOVERY_STRATEGIES, a as DefaultErrorHandler, b as DefaultRetryPolicy, H as HybridCompactor, R as RecoveryStrategy, T as ToolExecutor, h as buildRecoveryStrategies } from '../parallel-eternal-engine-
|
|
11
|
+
export { D as DefaultPathResolver, a as DefaultTokenCounter } from '../path-resolver-Dy2ej-gE.js';
|
|
12
|
+
export { o as MEMORY_TYPE_LABELS, p as MemoryClearedPayload, q as MemoryConsolidatedPayload, b as MemoryEntry, r as MemoryForgottenPayload, s as MemoryPriority, d as MemoryRelevanceContext, t as MemoryRememberedPayload, M as MemoryScope, c as MemoryStore, u as MemoryType, S as ScoredEntry } from '../brain-BXd_61kQ.js';
|
|
13
|
+
import { I as IterationStage, g as ParallelIterationStage } from '../parallel-eternal-engine-Jw9uhEoT.js';
|
|
14
|
+
export { C as CompactorOptions, D as DEFAULT_RECOVERY_STRATEGIES, a as DefaultErrorHandler, b as DefaultRetryPolicy, H as HybridCompactor, R as RecoveryStrategy, T as ToolExecutor, h as buildRecoveryStrategies } from '../parallel-eternal-engine-Jw9uhEoT.js';
|
|
15
15
|
export { b as SkillEntry, S as SkillLoader, a as SkillManifest } from '../skill-DGIXCtdv.js';
|
|
16
|
-
export { B as BuildContext, b as ModelCapabilities, a as Renderer, S as SystemPromptBuilder } from '../pipeline-
|
|
16
|
+
export { B as BuildContext, b as ModelCapabilities, a as Renderer, S as SystemPromptBuilder } from '../pipeline-DPDxH_7m.js';
|
|
17
17
|
export { I as InputReader, P as PromptOption } from '../input-reader-E-ffP2ee.js';
|
|
18
|
-
export {
|
|
19
|
-
export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-
|
|
18
|
+
export { K as CoordinatorEvents, C as CoordinatorStatus, D as DoneCondition, o as MCPRegistryView, r as MetricsSinkView, c as MultiAgentConfig, M as MultiAgentCoordinator, u as Plugin, P as PluginAPI, s as PluginCapabilities, t as PluginDependency, l as PluginPipelines, a1 as ProviderFactory, n as ProviderRegistryView, q as SessionWriterView, k as SlashCommand, p as SlashCommandRegistryView, e as SpawnResult, S as SubagentConfig, R as SubagentContext, U as SubagentError, V as SubagentErrorKind, W as SubagentRunContext, X as SubagentRunOutcome, d as SubagentRunner, _ as TaskDelegation, f as TaskResult, T as TaskSpec, m as ToolRegistryView } from '../agent-subagent-runner-DM2pP-B6.js';
|
|
19
|
+
export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-DmJlKuNp.js';
|
|
20
20
|
export { D as DEFAULT_MODES, b as Mode, a as ModeConfig, c as ModeManifest, M as ModeStore } from '../mode-CZlO9iU1.js';
|
|
21
|
-
export { I as InMemoryAgentBridge, a as InMemoryBridgeTransport, c as createMessage } from '../agent-bridge-
|
|
21
|
+
export { I as InMemoryAgentBridge, a as InMemoryBridgeTransport, c as createMessage } from '../agent-bridge-DrkBxszZ.js';
|
|
22
22
|
export { D as DEFAULT_SPEC_TEMPLATE, S as SpecAnalysis, a as SpecApiEndpoint, b as SpecRequirement, c as SpecSection, d as SpecSectionType, e as SpecStatus, f as SpecTemplate, g as SpecValidationResult, h as Specification } from '../spec-TBi3Jr6T.js';
|
|
23
23
|
export { C as CriticalPathResult, f as TaskAssignment, g as TaskDependency, h as TaskEdge, i as TaskFilter, d as TaskGraph, e as TaskNode, a as TaskPriority, c as TaskProgress, j as TaskSort, b as TaskStatus, T as TaskType, k as computeTaskProgress, l as findCriticalPath, t as topologicalSort } from '../task-graph-u1q9Jkyk.js';
|
|
24
24
|
export { A as AggregateHealth, a as HealthCheck, b as HealthCheckResult, H as HealthRegistry, c as HealthStatus, d as MetricLabels, e as MetricSeries, M as MetricsSink, f as MetricsSnapshot, S as Span, T as Tracer } from '../observability-D-HZN_mF.js';
|
|
25
|
-
export { S as SystemPromptContributor } from '../index-
|
|
25
|
+
export { S as SystemPromptContributor } from '../index-CEDeNodM.js';
|
|
26
26
|
import '../logger-B63L5bTg.js';
|
|
27
|
-
import '../retry-policy-
|
|
28
|
-
import '../secret-vault-
|
|
27
|
+
import '../retry-policy-CN0khdlj.js';
|
|
28
|
+
import '../secret-vault-BAKpgFw_.js';
|
|
29
29
|
import '../path-resolver-CPRj4bFY.js';
|
|
30
|
-
import '../goal-store-
|
|
31
|
-
import '../multi-agent-coordinator-
|
|
30
|
+
import '../goal-store-DtLMySNb.js';
|
|
31
|
+
import '../multi-agent-coordinator-DyCkCZnU.js';
|
|
32
32
|
import 'node:events';
|
|
33
33
|
|
|
34
34
|
/** Union of serial and parallel autonomy engine stage types (from EternalAutonomyEngine / ParallelEternalEngine). */
|
package/dist/types/index.js
CHANGED
|
@@ -280,12 +280,9 @@ function getCachedEstimate(key, compute) {
|
|
|
280
280
|
const existing = ESTIMATE_CACHE.get(key);
|
|
281
281
|
if (existing !== void 0) return existing;
|
|
282
282
|
if (ESTIMATE_CACHE.size >= ESTIMATE_CACHE_MAX_SIZE) {
|
|
283
|
-
let evicted = 0;
|
|
284
|
-
const maxEvict = Math.floor(ESTIMATE_CACHE_MAX_SIZE / 4);
|
|
285
283
|
for (const k of ESTIMATE_CACHE.keys()) {
|
|
286
|
-
if (
|
|
284
|
+
if (ESTIMATE_CACHE.size <= Math.floor(ESTIMATE_CACHE_MAX_SIZE / 2)) break;
|
|
287
285
|
ESTIMATE_CACHE.delete(k);
|
|
288
|
-
evicted++;
|
|
289
286
|
}
|
|
290
287
|
}
|
|
291
288
|
const estimate = compute(key);
|
|
@@ -998,6 +995,20 @@ function providerStatusToCode(status, type) {
|
|
|
998
995
|
return ERROR_CODES.PROVIDER_INVALID_REQUEST;
|
|
999
996
|
}
|
|
1000
997
|
|
|
998
|
+
// src/types/config.ts
|
|
999
|
+
function normalizeTokenSavingTier(val) {
|
|
1000
|
+
if (val === void 0) return "off";
|
|
1001
|
+
if (typeof val === "boolean") return val ? "medium" : "off";
|
|
1002
|
+
const validTiers = /* @__PURE__ */ new Set([
|
|
1003
|
+
"off",
|
|
1004
|
+
"minimal",
|
|
1005
|
+
"light",
|
|
1006
|
+
"medium",
|
|
1007
|
+
"aggressive"
|
|
1008
|
+
]);
|
|
1009
|
+
return validTiers.has(val) ? val : "off";
|
|
1010
|
+
}
|
|
1011
|
+
|
|
1001
1012
|
// src/types/default-config.ts
|
|
1002
1013
|
var DEFAULT_TOOLS_CONFIG = Object.freeze({
|
|
1003
1014
|
defaultExecutionStrategy: "smart",
|
|
@@ -1005,7 +1016,8 @@ var DEFAULT_TOOLS_CONFIG = Object.freeze({
|
|
|
1005
1016
|
iterationTimeoutMs: 3e5,
|
|
1006
1017
|
sessionTimeoutMs: 18e5,
|
|
1007
1018
|
perIterationOutputCapBytes: 1e5,
|
|
1008
|
-
autoExtendLimit: true
|
|
1019
|
+
autoExtendLimit: true,
|
|
1020
|
+
restrictToProjectRoot: false
|
|
1009
1021
|
});
|
|
1010
1022
|
var DEFAULT_CONTEXT_CONFIG = Object.freeze({
|
|
1011
1023
|
preserveK: 10,
|
|
@@ -1014,6 +1026,10 @@ var DEFAULT_CONTEXT_CONFIG = Object.freeze({
|
|
|
1014
1026
|
var DEFAULT_AUTONOMY_CONFIG = Object.freeze({
|
|
1015
1027
|
autoProceedDelayMs: 45e3
|
|
1016
1028
|
});
|
|
1029
|
+
var DEFAULT_CIRCUIT_BREAKER_CONFIG = Object.freeze({
|
|
1030
|
+
enabled: false,
|
|
1031
|
+
autoKillResetMs: 6e4
|
|
1032
|
+
});
|
|
1017
1033
|
var DEFAULT_SESSION_LOGGING_CONFIG = Object.freeze({
|
|
1018
1034
|
auditLevel: "standard",
|
|
1019
1035
|
sampling: {
|
|
@@ -1025,7 +1041,10 @@ var DEFAULT_SESSION_LOGGING_CONFIG = Object.freeze({
|
|
|
1025
1041
|
var DEFAULT_SESSION_PRUNE_DAYS = 30;
|
|
1026
1042
|
|
|
1027
1043
|
// src/types/secret-vault.ts
|
|
1028
|
-
var
|
|
1044
|
+
var ENCRYPTED_PREFIX_PATTERN = /^enc:v(\d+):/;
|
|
1045
|
+
function encryptedPrefixForVersion(version) {
|
|
1046
|
+
return `enc:v${version}:`;
|
|
1047
|
+
}
|
|
1029
1048
|
|
|
1030
1049
|
// src/security/secret-vault.ts
|
|
1031
1050
|
var KEY_BYTES = 32;
|
|
@@ -1033,6 +1052,8 @@ var IV_BYTES = 12;
|
|
|
1033
1052
|
var TAG_BYTES = 16;
|
|
1034
1053
|
var ALGO = "aes-256-gcm";
|
|
1035
1054
|
var KEY_FILE_MODE = 384;
|
|
1055
|
+
var KEY_FILE_MAGIC = Buffer.from("WSKV", "ascii");
|
|
1056
|
+
var VERSIONED_KEY_FILE_SIZE = KEY_FILE_MAGIC.length + 1 + KEY_BYTES;
|
|
1036
1057
|
function checkKeyFilePermissions(keyFile) {
|
|
1037
1058
|
if (process.platform === "win32") return;
|
|
1038
1059
|
try {
|
|
@@ -1055,11 +1076,17 @@ function checkKeyFilePermissions(keyFile) {
|
|
|
1055
1076
|
var DefaultSecretVault = class {
|
|
1056
1077
|
keyFile;
|
|
1057
1078
|
key;
|
|
1079
|
+
_keyVersion = 1;
|
|
1058
1080
|
constructor(opts) {
|
|
1059
1081
|
this.keyFile = opts.keyFile;
|
|
1060
1082
|
}
|
|
1083
|
+
/** Current key version. Starts at 1; incremented by rotateKey(). */
|
|
1084
|
+
get keyVersion() {
|
|
1085
|
+
if (!this.key) this.loadOrCreateKey();
|
|
1086
|
+
return this._keyVersion;
|
|
1087
|
+
}
|
|
1061
1088
|
isEncrypted(value) {
|
|
1062
|
-
return typeof value === "string" &&
|
|
1089
|
+
return typeof value === "string" && ENCRYPTED_PREFIX_PATTERN.test(value);
|
|
1063
1090
|
}
|
|
1064
1091
|
encrypt(plaintext) {
|
|
1065
1092
|
if (this.isEncrypted(plaintext)) return plaintext;
|
|
@@ -1068,11 +1095,20 @@ var DefaultSecretVault = class {
|
|
|
1068
1095
|
const cipher = createCipheriv(ALGO, key, iv);
|
|
1069
1096
|
const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
|
|
1070
1097
|
const tag = cipher.getAuthTag();
|
|
1071
|
-
|
|
1098
|
+
const prefix = encryptedPrefixForVersion(this._keyVersion);
|
|
1099
|
+
return `${prefix}${iv.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
|
|
1072
1100
|
}
|
|
1073
1101
|
decrypt(value) {
|
|
1074
1102
|
if (!this.isEncrypted(value)) return value;
|
|
1075
|
-
const
|
|
1103
|
+
const prefixMatch = value.match(ENCRYPTED_PREFIX_PATTERN);
|
|
1104
|
+
if (!prefixMatch) {
|
|
1105
|
+
throw new ConfigError({
|
|
1106
|
+
message: "SecretVault: malformed encrypted value",
|
|
1107
|
+
code: ERROR_CODES.CONFIG_PARSE_FAILED,
|
|
1108
|
+
context: { field: "encrypted_value" }
|
|
1109
|
+
});
|
|
1110
|
+
}
|
|
1111
|
+
const rest = value.slice(prefixMatch[0].length);
|
|
1076
1112
|
const parts = rest.split(":");
|
|
1077
1113
|
if (parts.length !== 3) {
|
|
1078
1114
|
throw new ConfigError({
|
|
@@ -1101,20 +1137,64 @@ var DefaultSecretVault = class {
|
|
|
1101
1137
|
const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
|
|
1102
1138
|
return pt.toString("utf8");
|
|
1103
1139
|
}
|
|
1140
|
+
/**
|
|
1141
|
+
* Generate a new encryption key, write it to disk, and increment the key version.
|
|
1142
|
+
* After rotation, encrypt() emits the new version prefix (e.g. enc:v2:).
|
|
1143
|
+
* The caller must re-encrypt existing config values (see rotateConfigKeys()).
|
|
1144
|
+
*/
|
|
1145
|
+
rotateKey() {
|
|
1146
|
+
const oldVersion = this._keyVersion;
|
|
1147
|
+
const newKey = randomBytes(KEY_BYTES);
|
|
1148
|
+
const newVersion = oldVersion + 1;
|
|
1149
|
+
const keyFileBuf = Buffer.alloc(VERSIONED_KEY_FILE_SIZE);
|
|
1150
|
+
KEY_FILE_MAGIC.copy(keyFileBuf, 0);
|
|
1151
|
+
keyFileBuf[KEY_FILE_MAGIC.length] = newVersion;
|
|
1152
|
+
newKey.copy(keyFileBuf, KEY_FILE_MAGIC.length + 1);
|
|
1153
|
+
fs2.mkdirSync(path4.dirname(this.keyFile), { recursive: true });
|
|
1154
|
+
fs2.writeFileSync(this.keyFile, keyFileBuf, { mode: 384 });
|
|
1155
|
+
checkKeyFilePermissions(this.keyFile);
|
|
1156
|
+
this.key = newKey;
|
|
1157
|
+
this._keyVersion = newVersion;
|
|
1158
|
+
return { oldVersion, newVersion };
|
|
1159
|
+
}
|
|
1104
1160
|
loadOrCreateKey() {
|
|
1105
1161
|
if (this.key) return this.key;
|
|
1106
1162
|
try {
|
|
1107
1163
|
const buf = fs2.readFileSync(this.keyFile);
|
|
1108
|
-
if (buf.length
|
|
1109
|
-
|
|
1110
|
-
|
|
1111
|
-
|
|
1112
|
-
|
|
1113
|
-
|
|
1164
|
+
if (buf.length === KEY_BYTES) {
|
|
1165
|
+
this.key = buf;
|
|
1166
|
+
this._keyVersion = 1;
|
|
1167
|
+
checkKeyFilePermissions(this.keyFile);
|
|
1168
|
+
return this.key;
|
|
1169
|
+
}
|
|
1170
|
+
if (buf.length === VERSIONED_KEY_FILE_SIZE) {
|
|
1171
|
+
const magic = buf.subarray(0, KEY_FILE_MAGIC.length);
|
|
1172
|
+
if (!magic.equals(KEY_FILE_MAGIC)) {
|
|
1173
|
+
throw new ConfigError({
|
|
1174
|
+
message: `SecretVault: key file ${this.keyFile} has invalid magic header`,
|
|
1175
|
+
code: ERROR_CODES.CONFIG_INVALID,
|
|
1176
|
+
context: { keyFile: this.keyFile }
|
|
1177
|
+
});
|
|
1178
|
+
}
|
|
1179
|
+
const version = buf[KEY_FILE_MAGIC.length];
|
|
1180
|
+
const key2 = buf.subarray(KEY_FILE_MAGIC.length + 1);
|
|
1181
|
+
if (key2.length !== KEY_BYTES) {
|
|
1182
|
+
throw new ConfigError({
|
|
1183
|
+
message: `SecretVault: key file ${this.keyFile} has wrong key size (${key2.length} bytes, expected ${KEY_BYTES})`,
|
|
1184
|
+
code: ERROR_CODES.CONFIG_INVALID,
|
|
1185
|
+
context: { keyFile: this.keyFile, expectedBytes: KEY_BYTES, actualBytes: key2.length }
|
|
1186
|
+
});
|
|
1187
|
+
}
|
|
1188
|
+
this.key = Buffer.from(key2);
|
|
1189
|
+
this._keyVersion = version;
|
|
1190
|
+
checkKeyFilePermissions(this.keyFile);
|
|
1191
|
+
return this.key;
|
|
1114
1192
|
}
|
|
1115
|
-
|
|
1116
|
-
|
|
1117
|
-
|
|
1193
|
+
throw new ConfigError({
|
|
1194
|
+
message: `SecretVault: key file ${this.keyFile} is ${buf.length} bytes (expected ${KEY_BYTES} for v1 or ${VERSIONED_KEY_FILE_SIZE} for v2+). Remove it manually to generate a new key.`,
|
|
1195
|
+
code: ERROR_CODES.CONFIG_INVALID,
|
|
1196
|
+
context: { keyFile: this.keyFile, expectedBytes: KEY_BYTES, actualBytes: buf.length }
|
|
1197
|
+
});
|
|
1118
1198
|
} catch (err) {
|
|
1119
1199
|
if (err.code !== "ENOENT") throw err;
|
|
1120
1200
|
}
|
|
@@ -1125,18 +1205,36 @@ var DefaultSecretVault = class {
|
|
|
1125
1205
|
} catch (err) {
|
|
1126
1206
|
if (err.code !== "EEXIST") throw err;
|
|
1127
1207
|
const buf = fs2.readFileSync(this.keyFile);
|
|
1128
|
-
if (buf.length
|
|
1129
|
-
|
|
1130
|
-
|
|
1131
|
-
|
|
1132
|
-
|
|
1133
|
-
|
|
1208
|
+
if (buf.length === KEY_BYTES) {
|
|
1209
|
+
this.key = buf;
|
|
1210
|
+
this._keyVersion = 1;
|
|
1211
|
+
checkKeyFilePermissions(this.keyFile);
|
|
1212
|
+
return this.key;
|
|
1213
|
+
}
|
|
1214
|
+
if (buf.length === VERSIONED_KEY_FILE_SIZE) {
|
|
1215
|
+
const magic = buf.subarray(0, KEY_FILE_MAGIC.length);
|
|
1216
|
+
if (!magic.equals(KEY_FILE_MAGIC)) {
|
|
1217
|
+
throw new ConfigError({
|
|
1218
|
+
message: `SecretVault: key file ${this.keyFile} has invalid magic header`,
|
|
1219
|
+
code: ERROR_CODES.CONFIG_INVALID,
|
|
1220
|
+
context: { keyFile: this.keyFile }
|
|
1221
|
+
});
|
|
1222
|
+
}
|
|
1223
|
+
const version = buf[KEY_FILE_MAGIC.length];
|
|
1224
|
+
const winnerKey = buf.subarray(KEY_FILE_MAGIC.length + 1);
|
|
1225
|
+
this.key = Buffer.from(winnerKey);
|
|
1226
|
+
this._keyVersion = version;
|
|
1227
|
+
checkKeyFilePermissions(this.keyFile);
|
|
1228
|
+
return this.key;
|
|
1134
1229
|
}
|
|
1135
|
-
|
|
1136
|
-
|
|
1137
|
-
|
|
1230
|
+
throw new ConfigError({
|
|
1231
|
+
message: `SecretVault: key file ${this.keyFile} is ${buf.length} bytes (expected ${KEY_BYTES} for v1 or ${VERSIONED_KEY_FILE_SIZE} for v2+). Remove it manually to generate a new key.`,
|
|
1232
|
+
code: ERROR_CODES.CONFIG_INVALID,
|
|
1233
|
+
context: { keyFile: this.keyFile, expectedBytes: KEY_BYTES, actualBytes: buf.length }
|
|
1234
|
+
});
|
|
1138
1235
|
}
|
|
1139
1236
|
this.key = key;
|
|
1237
|
+
this._keyVersion = 1;
|
|
1140
1238
|
return key;
|
|
1141
1239
|
}
|
|
1142
1240
|
};
|
|
@@ -1217,6 +1315,80 @@ async function migratePlaintextSecrets(configPath, vault, logger) {
|
|
|
1217
1315
|
);
|
|
1218
1316
|
return { migrated: counter.n, file: configPath };
|
|
1219
1317
|
}
|
|
1318
|
+
async function rotateConfigKeys(configPath, vault, logger) {
|
|
1319
|
+
const log = logger?.info ?? (() => {
|
|
1320
|
+
});
|
|
1321
|
+
const warn = logger?.warn ?? ((msg) => console.warn(msg));
|
|
1322
|
+
let raw;
|
|
1323
|
+
try {
|
|
1324
|
+
raw = await fs.readFile(configPath, "utf8");
|
|
1325
|
+
} catch {
|
|
1326
|
+
const { oldVersion: oldVersion2, newVersion: newVersion2 } = vault.rotateKey();
|
|
1327
|
+
log(`[secret-vault] Key rotated (v${oldVersion2} \u2192 v${newVersion2}) \u2014 no config file to re-encrypt`);
|
|
1328
|
+
return { rotated: 0, oldVersion: oldVersion2, newVersion: newVersion2, file: configPath };
|
|
1329
|
+
}
|
|
1330
|
+
let parsed;
|
|
1331
|
+
try {
|
|
1332
|
+
parsed = JSON.parse(raw);
|
|
1333
|
+
} catch {
|
|
1334
|
+
warn(`[secret-vault] Config file ${configPath} is not valid JSON \u2014 skipping rotation`);
|
|
1335
|
+
return { rotated: 0, oldVersion: vault.keyVersion, newVersion: vault.keyVersion, file: configPath };
|
|
1336
|
+
}
|
|
1337
|
+
const counter = { n: 0 };
|
|
1338
|
+
const decrypted = walkDecryptCount(parsed, vault, counter);
|
|
1339
|
+
if (counter.n === 0) {
|
|
1340
|
+
const { oldVersion: oldVersion2, newVersion: newVersion2 } = vault.rotateKey();
|
|
1341
|
+
log(`[secret-vault] Key rotated (v${oldVersion2} \u2192 v${newVersion2}) \u2014 no encrypted fields to re-encrypt`);
|
|
1342
|
+
return { rotated: 0, oldVersion: oldVersion2, newVersion: newVersion2, file: configPath };
|
|
1343
|
+
}
|
|
1344
|
+
const { oldVersion, newVersion } = vault.rotateKey();
|
|
1345
|
+
const reencrypted = walkReencrypt(decrypted, vault);
|
|
1346
|
+
await atomicWrite(configPath, JSON.stringify(reencrypted, null, 2), { mode: 384 });
|
|
1347
|
+
await restrictFilePermissions(configPath, { warn });
|
|
1348
|
+
log(`[secret-vault] Key rotated (v${oldVersion} \u2192 v${newVersion}) \u2014 re-encrypted ${counter.n} field(s)`);
|
|
1349
|
+
return { rotated: counter.n, oldVersion, newVersion, file: configPath };
|
|
1350
|
+
}
|
|
1351
|
+
function walkDecryptCount(node, vault, counter) {
|
|
1352
|
+
if (node === null || node === void 0) return node;
|
|
1353
|
+
if (typeof node !== "object") return node;
|
|
1354
|
+
if (Array.isArray(node)) {
|
|
1355
|
+
return node.map((item) => walkDecryptCount(item, vault, counter));
|
|
1356
|
+
}
|
|
1357
|
+
const out = /* @__PURE__ */ Object.create(null);
|
|
1358
|
+
for (const [k, v] of Object.entries(node)) {
|
|
1359
|
+
if (typeof v === "string" && vault.isEncrypted(v)) {
|
|
1360
|
+
try {
|
|
1361
|
+
out[k] = vault.decrypt(v);
|
|
1362
|
+
counter.n++;
|
|
1363
|
+
} catch {
|
|
1364
|
+
out[k] = v;
|
|
1365
|
+
}
|
|
1366
|
+
} else if (typeof v === "object" && v !== null) {
|
|
1367
|
+
out[k] = walkDecryptCount(v, vault, counter);
|
|
1368
|
+
} else {
|
|
1369
|
+
out[k] = v;
|
|
1370
|
+
}
|
|
1371
|
+
}
|
|
1372
|
+
return out;
|
|
1373
|
+
}
|
|
1374
|
+
function walkReencrypt(node, vault) {
|
|
1375
|
+
if (node === null || node === void 0) return node;
|
|
1376
|
+
if (typeof node !== "object") return node;
|
|
1377
|
+
if (Array.isArray(node)) {
|
|
1378
|
+
return node.map((item) => walkReencrypt(item, vault));
|
|
1379
|
+
}
|
|
1380
|
+
const out = /* @__PURE__ */ Object.create(null);
|
|
1381
|
+
for (const [k, v] of Object.entries(node)) {
|
|
1382
|
+
if (typeof v === "string" && isSecretField(k) && v.length > 0 && !vault.isEncrypted(v)) {
|
|
1383
|
+
out[k] = vault.encrypt(v);
|
|
1384
|
+
} else if (typeof v === "object" && v !== null) {
|
|
1385
|
+
out[k] = walkReencrypt(v, vault);
|
|
1386
|
+
} else {
|
|
1387
|
+
out[k] = v;
|
|
1388
|
+
}
|
|
1389
|
+
}
|
|
1390
|
+
return out;
|
|
1391
|
+
}
|
|
1220
1392
|
async function restrictFilePermissions(filePath, opts) {
|
|
1221
1393
|
const warn = opts?.warn ?? ((msg) => console.warn(msg));
|
|
1222
1394
|
if (process.platform === "win32") {
|
|
@@ -1567,7 +1739,11 @@ var MEMORY_TYPE_LABELS = {
|
|
|
1567
1739
|
};
|
|
1568
1740
|
|
|
1569
1741
|
// src/execution/compaction-core.ts
|
|
1742
|
+
function compactionDebugEnabled() {
|
|
1743
|
+
return process.env["NODE_ENV"] === "development" || process.env["WRONGSTACK_DEBUG"] === "1";
|
|
1744
|
+
}
|
|
1570
1745
|
function emitCompactionMetrics(event, metrics) {
|
|
1746
|
+
if (!compactionDebugEnabled()) return;
|
|
1571
1747
|
console.log(
|
|
1572
1748
|
JSON.stringify({
|
|
1573
1749
|
level: "debug",
|
|
@@ -1622,18 +1798,20 @@ function findPreserveStart(messages, preserveK) {
|
|
|
1622
1798
|
}
|
|
1623
1799
|
}
|
|
1624
1800
|
}
|
|
1625
|
-
|
|
1626
|
-
|
|
1627
|
-
|
|
1628
|
-
|
|
1629
|
-
|
|
1630
|
-
|
|
1631
|
-
|
|
1632
|
-
|
|
1633
|
-
|
|
1634
|
-
|
|
1635
|
-
|
|
1636
|
-
|
|
1801
|
+
if (compactionDebugEnabled()) {
|
|
1802
|
+
console.log(
|
|
1803
|
+
JSON.stringify({
|
|
1804
|
+
level: "debug",
|
|
1805
|
+
event: "compaction.find_preserve_start.ended",
|
|
1806
|
+
messageCount: messages.length,
|
|
1807
|
+
preserveK,
|
|
1808
|
+
preserveStart,
|
|
1809
|
+
forwardWalkIterations,
|
|
1810
|
+
forwardWalkInnerIterations,
|
|
1811
|
+
forwardWalkInnerPerOuter: forwardWalkIterations > 0 ? forwardWalkInnerIterations / forwardWalkIterations : 0
|
|
1812
|
+
})
|
|
1813
|
+
);
|
|
1814
|
+
}
|
|
1637
1815
|
return preserveStart;
|
|
1638
1816
|
}
|
|
1639
1817
|
function eliseOldToolResults(messages, opts) {
|
|
@@ -1700,7 +1878,7 @@ function eliseOldToolResults(messages, opts) {
|
|
|
1700
1878
|
changed = true;
|
|
1701
1879
|
}
|
|
1702
1880
|
fullPassInnerIterations += original.length;
|
|
1703
|
-
if (
|
|
1881
|
+
if (compactionDebugEnabled()) {
|
|
1704
1882
|
const ratio = fullPassInnerIterations / fullPassIterations;
|
|
1705
1883
|
if (ratio > 10) {
|
|
1706
1884
|
console.error(
|
|
@@ -2234,6 +2412,27 @@ var PATTERNS = [
|
|
|
2234
2412
|
{ type: "postgres_uri", regex: /postgres(?:ql)?:\/\/[^\s"'`]+/g },
|
|
2235
2413
|
{ type: "mysql_uri", regex: /mysql:\/\/[^\s"'`]+/g },
|
|
2236
2414
|
{ type: "redis_uri", regex: /redis:\/\/[^\s"'`]+/g },
|
|
2415
|
+
// AI/ML provider keys — modern LLM services with well-known prefixes
|
|
2416
|
+
{
|
|
2417
|
+
type: "huggingface_token",
|
|
2418
|
+
// HuggingFace tokens: hf_ followed by 34 alphanumeric chars
|
|
2419
|
+
regex: /(?<![A-Za-z0-9])hf_[A-Za-z0-9]{34}(?![A-Za-z0-9])/g
|
|
2420
|
+
},
|
|
2421
|
+
{
|
|
2422
|
+
type: "replicate_token",
|
|
2423
|
+
// Replicate tokens: r8_ followed by 40+ alphanumeric chars
|
|
2424
|
+
regex: /(?<![A-Za-z0-9])r8_[A-Za-z0-9]{40,}(?![A-Za-z0-9])/g
|
|
2425
|
+
},
|
|
2426
|
+
{
|
|
2427
|
+
type: "perplexity_key",
|
|
2428
|
+
// Perplexity API keys: pplx- followed by 40+ alphanumeric chars
|
|
2429
|
+
regex: /(?<![A-Za-z0-9])pplx-[A-Za-z0-9]{40,}(?![A-Za-z0-9])/g
|
|
2430
|
+
},
|
|
2431
|
+
{
|
|
2432
|
+
type: "groq_key",
|
|
2433
|
+
// Groq API keys: gsk_ followed by 40+ alphanumeric chars
|
|
2434
|
+
regex: /(?<![A-Za-z0-9])gsk_[A-Za-z0-9]{40,}(?![A-Za-z0-9])/g
|
|
2435
|
+
},
|
|
2237
2436
|
{
|
|
2238
2437
|
type: "bearer_token",
|
|
2239
2438
|
// Anchored with alternation instead of negative lookahead — avoids V8
|
|
@@ -2267,6 +2466,10 @@ function hasCredentialAnchors(text) {
|
|
|
2267
2466
|
text.includes("xox") || // Slack token (xoxa/xoxb/xoxp/xoxo/xoxs)
|
|
2268
2467
|
text.includes("Bearer ") || // Bearer token (space suffix reduces false positives)
|
|
2269
2468
|
text.includes("/bot") || // Telegram bot token (URL path pattern)
|
|
2469
|
+
text.includes("hf_") || // HuggingFace token
|
|
2470
|
+
text.includes("r8_") || // Replicate token
|
|
2471
|
+
text.includes("pplx-") || // Perplexity API key
|
|
2472
|
+
text.includes("gsk_") || // Groq API key
|
|
2270
2473
|
text.includes("_KEY=") || // High-entropy env vars: API_KEY=, SECRET_KEY=, ...
|
|
2271
2474
|
text.includes("_TOKEN=") || // ACCESS_TOKEN=, AUTH_TOKEN=, ...
|
|
2272
2475
|
text.includes("_SECRET=") || // API_SECRET=, CLIENT_SECRET=, ...
|
|
@@ -3905,6 +4108,13 @@ var Context = class {
|
|
|
3905
4108
|
projectRoot;
|
|
3906
4109
|
/** Mutable working directory — starts as `cwd`. Change via `setWorkingDir()`. */
|
|
3907
4110
|
workingDir;
|
|
4111
|
+
/**
|
|
4112
|
+
* When true, file tools (via `_util.ts`) and `setWorkingDir()` reject paths
|
|
4113
|
+
* outside `projectRoot`. When false, those boundary checks are bypassed so
|
|
4114
|
+
* tools may reach paths outside the project (still gated by permission
|
|
4115
|
+
* tiers). Mutable so `/settings` can toggle it live on the running session.
|
|
4116
|
+
*/
|
|
4117
|
+
allowOutsideProjectRoot;
|
|
3908
4118
|
model;
|
|
3909
4119
|
tools = [];
|
|
3910
4120
|
meta = {};
|
|
@@ -3918,11 +4128,6 @@ var Context = class {
|
|
|
3918
4128
|
* so storage operations can include it in `storage.*` events.
|
|
3919
4129
|
*/
|
|
3920
4130
|
traceId;
|
|
3921
|
-
/**
|
|
3922
|
-
* When true, tools can access any path on the filesystem.
|
|
3923
|
-
* When false or undefined, tools are restricted to the project root.
|
|
3924
|
-
*/
|
|
3925
|
-
allowOutsideProjectRoot;
|
|
3926
4131
|
/** Callbacks fired when `setWorkingDir()` changes the working directory. */
|
|
3927
4132
|
_onWorkingDirChanged = [];
|
|
3928
4133
|
/**
|
|
@@ -3954,12 +4159,13 @@ var Context = class {
|
|
|
3954
4159
|
this.cwd = init.cwd;
|
|
3955
4160
|
this.projectRoot = init.projectRoot;
|
|
3956
4161
|
this.workingDir = init.workingDir ?? init.cwd;
|
|
4162
|
+
this.allowOutsideProjectRoot = init.allowOutsideProjectRoot ?? false;
|
|
3957
4163
|
this.model = init.model;
|
|
3958
4164
|
this.tools = init.tools ?? [];
|
|
3959
4165
|
this.agentId = init.agentId ?? "unknown";
|
|
3960
4166
|
this.agentName = init.agentName ?? "Unknown Agent";
|
|
3961
4167
|
this.traceId = init.traceId;
|
|
3962
|
-
this.allowOutsideProjectRoot = init.allowOutsideProjectRoot ??
|
|
4168
|
+
this.allowOutsideProjectRoot = init.allowOutsideProjectRoot ?? false;
|
|
3963
4169
|
this.session.traceId = init.traceId;
|
|
3964
4170
|
}
|
|
3965
4171
|
/**
|
|
@@ -4025,12 +4231,14 @@ var Context = class {
|
|
|
4025
4231
|
*/
|
|
4026
4232
|
setWorkingDir(dir) {
|
|
4027
4233
|
const resolved = path4.isAbsolute(dir) ? path4.resolve(dir) : path4.resolve(this.projectRoot, dir);
|
|
4028
|
-
|
|
4029
|
-
|
|
4030
|
-
|
|
4031
|
-
|
|
4032
|
-
|
|
4033
|
-
|
|
4234
|
+
if (!this.allowOutsideProjectRoot) {
|
|
4235
|
+
const root = path4.resolve(this.projectRoot);
|
|
4236
|
+
const rel = path4.relative(root, resolved);
|
|
4237
|
+
if (rel.startsWith("..") || path4.isAbsolute(rel)) {
|
|
4238
|
+
throw new Error(
|
|
4239
|
+
`Working directory "${resolved}" is outside project root "${root}"`
|
|
4240
|
+
);
|
|
4241
|
+
}
|
|
4034
4242
|
}
|
|
4035
4243
|
const old = this.workingDir;
|
|
4036
4244
|
this.workingDir = resolved;
|
|
@@ -4336,6 +4544,6 @@ function renderPlainText(meta, events) {
|
|
|
4336
4544
|
return lines.join("\n");
|
|
4337
4545
|
}
|
|
4338
4546
|
|
|
4339
|
-
export { AgentError, CONTEXT_WINDOW_MODES, ConfigError, Context, DEFAULT_AUTONOMY_CONFIG, DEFAULT_CONTEXT_CONFIG, DEFAULT_CONTEXT_WINDOW_MODE_ID, DEFAULT_MODES, DEFAULT_RECOVERY_STRATEGIES, DEFAULT_SESSION_LOGGING_CONFIG, DEFAULT_SESSION_PRUNE_DAYS, DEFAULT_SPEC_TEMPLATE, DEFAULT_TOOLS_CONFIG, DefaultErrorHandler, DefaultLogger, DefaultModelsRegistry, DefaultPathResolver, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultTokenCounter, ERROR_CODES, FsError, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, MEMORY_TYPE_LABELS, PluginError, ProviderError, SddError, SessionError, StreamHangError, ToolError, ToolExecutor, WrongStackError, asBlocks, asText, buildRecoveryStrategies, classifyFamily, computeTaskProgress, createMessage, decryptConfigSecrets, encryptConfigSecrets, findCriticalPath, formatContextWindowModeList, getContextWindowMode, isAgentError, isConfigError, isContextWindowModeId, isFsError, isImageBlock, isPluginError, isSddError, isSecretField, isSessionError, isTextBlock, isThinkingBlock, isToolError, isToolResultBlock, isToolUseBlock, isWrongStackError, listContextWindowModes, migratePlaintextSecrets, noOpLogger, resolveContextWindowPolicy, rewriteConfigEncrypted, toWrongStackError, topologicalSort };
|
|
4547
|
+
export { AgentError, CONTEXT_WINDOW_MODES, ConfigError, Context, DEFAULT_AUTONOMY_CONFIG, DEFAULT_CIRCUIT_BREAKER_CONFIG, DEFAULT_CONTEXT_CONFIG, DEFAULT_CONTEXT_WINDOW_MODE_ID, DEFAULT_MODES, DEFAULT_RECOVERY_STRATEGIES, DEFAULT_SESSION_LOGGING_CONFIG, DEFAULT_SESSION_PRUNE_DAYS, DEFAULT_SPEC_TEMPLATE, DEFAULT_TOOLS_CONFIG, DefaultErrorHandler, DefaultLogger, DefaultModelsRegistry, DefaultPathResolver, DefaultRetryPolicy, DefaultSecretScrubber, DefaultSecretVault, DefaultSessionReader, DefaultTokenCounter, ERROR_CODES, FsError, HybridCompactor, InMemoryAgentBridge, InMemoryBridgeTransport, MEMORY_TYPE_LABELS, PluginError, ProviderError, SddError, SessionError, StreamHangError, ToolError, ToolExecutor, WrongStackError, asBlocks, asText, buildRecoveryStrategies, classifyFamily, computeTaskProgress, createMessage, decryptConfigSecrets, encryptConfigSecrets, findCriticalPath, formatContextWindowModeList, getContextWindowMode, isAgentError, isConfigError, isContextWindowModeId, isFsError, isImageBlock, isPluginError, isSddError, isSecretField, isSessionError, isTextBlock, isThinkingBlock, isToolError, isToolResultBlock, isToolUseBlock, isWrongStackError, listContextWindowModes, migratePlaintextSecrets, noOpLogger, normalizeTokenSavingTier, resolveContextWindowPolicy, rewriteConfigEncrypted, rotateConfigKeys, toWrongStackError, topologicalSort };
|
|
4340
4548
|
//# sourceMappingURL=index.js.map
|
|
4341
4549
|
//# sourceMappingURL=index.js.map
|