@yeyuan98/opencode-bioresearcher-plugin 1.5.1 → 1.5.2-alpha.2

package/dist/skills/long-table-summary/SKILL.md

@@ -1,19 +1,19 @@
 ---
 name: long-table-summary
 description: Batch-process large tables using parallel subagents for summarization
-allowedTools:
-  - Bash
-  - Read
-  - Write
-  - Question
-  - Task
-  - tableListSheets
-  - tableGetSheetPreview
-  - tableGetHeaders
-  - tableGetRange
-  - jsonValidate
-  - jsonInfer
----
+allowedTools:
+  - Bash
+  - Read
+  - Write
+  - Question
+  - Task
+  - tableListSheets
+  - tableGetSheetPreview
+  - tableGetHeaders
+  - tableGetRange
+  - jsonValidate
+  - jsonInfer
+---
 
 # Long Table Summary
 
@@ -112,70 +112,70 @@ If user selects "Yes, I want to modify":
 - Update the JSON accordingly
 - Repeat the approval question
 
-Continue until user explicitly confirms that the instruction JSON is correct.
-
-### Step 6.5: Generate Output JSON Schema
-
-Generate a JSON Schema that defines the exact output structure. All fields are required.
-
-**Default value for unavailable data:** Use `"NA"` (string) for any field where data cannot be extracted.
-
-**Construct example output:**
-
-1. Start with the base structure:
-```json
-{
-  "batch_number": 1,
-  "row_count": 30,
-  "summaries": [
-    {
-      "row_number": 2
-    }
-  ]
-}
-```
-
-2. Add each user-specified field with an example value (use `"NA"` if the field might be empty):
-
-For example, if user provided:
-```json
-{
-  "species": "Species classification: Tier1/Tier2/NA",
-  "topic": "Main topic: Oncology/Immunology/Other"
-}
-```
-
-Construct the example output:
-```json
-{
-  "batch_number": 1,
-  "row_count": 30,
-  "summaries": [
-    {
-      "row_number": 2,
-      "species": "Tier1",
-      "topic": "Oncology"
-    }
-  ]
-}
-```
-
-**Generate schema with strict mode:**
-
-```typescript
-jsonInfer data='<example_output_json>' strict=true
-```
-
-**Save the returned schema to:**
-
-```bash
-Write file: .long-table-summary/{topic}/schema.json
-Content: <schema_from_jsonInfer>
-```
-
-This schema file will be used by all subagents to validate their outputs before writing.
-
-### Step 7: Autogenerate Topic Name
+Continue until user explicitly confirms that the instruction JSON is correct.
+
+### Step 6.5: Generate Output JSON Schema
+
+Generate a JSON Schema that defines the exact output structure. All fields are required.
+
+**Default value for unavailable data:** Use `"NA"` (string) for any field where data cannot be extracted.
+
+**Construct example output:**
+
+1. Start with the base structure:
+```json
+{
+  "batch_number": 1,
+  "row_count": 30,
+  "summaries": [
+    {
+      "row_number": 2
+    }
+  ]
+}
+```
+
+2. Add each user-specified field with an example value (use `"NA"` if the field might be empty):
+
+For example, if user provided:
+```json
+{
+  "species": "Species classification: Tier1/Tier2/NA",
+  "topic": "Main topic: Oncology/Immunology/Other"
+}
+```
+
+Construct the example output:
+```json
+{
+  "batch_number": 1,
+  "row_count": 30,
+  "summaries": [
+    {
+      "row_number": 2,
+      "species": "Tier1",
+      "topic": "Oncology"
+    }
+  ]
+}
+```
+
+**Generate schema with strict mode:**
+
+```typescript
+jsonInfer data='<example_output_json>' strict=true
+```
+
+**Save the returned schema to:**
+
+```bash
+Write file: .long-table-summary/{topic}/schema.json
+Content: <schema_from_jsonInfer>
+```
+
+This schema file will be used by all subagents to validate their outputs before writing.
+
+### Step 7: Autogenerate Topic Name
 
 Generate the topic name by combining:
 - Base filename (without extension)
@@ -216,77 +216,77 @@ Example for 90 rows with 30 per batch:
 
 **Note:** Row 1 is the header, data starts at row 2.
 
-### Step 10: Create Subagent Prompt Template
-
-Create a template with `{placeholder}` format (single braces):
-
-```markdown
-# Batch Data Summarization Task
-
-## Input File
-- Path: `{file_path}`
-- Sheet: `{sheet_name}`
-
-## Row Range
-- Batch: {batch_number}
-- Rows: {row_start} to {row_end}
-
-## Summarization Instructions
-
-For each row, extract these fields:
-
-{instructions_json}
-
-**Default for unavailable data:** If a field cannot be extracted, use `"NA"` as the value.
-
-## Output Structure
-
-```json
-{
-  "batch_number": {batch_number},
-  "row_count": <number_of_rows_in_this_batch>,
-  "summaries": [
-    {
-      "row_number": <row_number>,
-      "<field_1>": "<value_or_NA>",
-      "<field_2>": "<value_or_NA>"
-    }
-  ]
-}
-```
-
-## Output Schema
-
-Your output must conform to this schema: `{schema_path}`
-
-All fields are required. Use `"NA"` for unavailable values.
-
-## Mandatory Workflow
-
-**Step 1:** Read rows using `tableGetRange`:
-```typescript
-tableGetRange file_path="{file_path}" sheet_name="{sheet_name}" range="A{row_start}:Z{row_end}"
-```
-
-**Step 2:** Build JSON in memory with all required fields
-
-**Step 3:** Validate BEFORE writing:
-```typescript
-jsonValidate data='<your_complete_json>' schema="{schema_path}"
-```
-
-**Step 4:** Check result:
-- If `valid: true` → Go to Step 5
-- If `valid: false` → Fix errors listed in `errors` array, return to Step 3
-
-**Step 5:** Write validated JSON to `{output_file}`
-
-Output file should contain ONLY the JSON object (no markdown, no extra text).
-
-## Output Path
-`{output_file}`
-```
-```
+### Step 10: Create Subagent Prompt Template
+
+Create a template with `{placeholder}` format (single braces):
+
+```markdown
+# Batch Data Summarization Task
+
+## Input File
+- Path: `{file_path}`
+- Sheet: `{sheet_name}`
+
+## Row Range
+- Batch: {batch_number}
+- Rows: {row_start} to {row_end}
+
+## Summarization Instructions
+
+For each row, extract these fields:
+
+{instructions_json}
+
+**Default for unavailable data:** If a field cannot be extracted, use `"NA"` as the value.
+
+## Output Structure
+
+```json
+{
+  "batch_number": {batch_number},
+  "row_count": <number_of_rows_in_this_batch>,
+  "summaries": [
+    {
+      "row_number": <row_number>,
+      "<field_1>": "<value_or_NA>",
+      "<field_2>": "<value_or_NA>"
+    }
+  ]
+}
+```
+
+## Output Schema
+
+Your output must conform to this schema: `{schema_path}`
+
+All fields are required. Use `"NA"` for unavailable values.
+
+## Mandatory Workflow
+
+**Step 1:** Read rows using `tableGetRange`:
+```typescript
+tableGetRange file_path="{file_path}" sheet_name="{sheet_name}" range="A{row_start}:Z{row_end}"
+```
+
+**Step 2:** Build JSON in memory with all required fields
+
+**Step 3:** Validate BEFORE writing:
+```typescript
+jsonValidate data='<your_complete_json>' schema="{schema_path}"
+```
+
+**Step 4:** Check result:
+- If `valid: true` → Go to Step 5
+- If `valid: false` → Fix errors listed in `errors` array, return to Step 3
+
+**Step 5:** Write validated JSON to `{output_file}`
+
+Output file should contain ONLY the JSON object (no markdown, no extra text).
+
+## Output Path
+`{output_file}`
+```
+```
 
 ### Step 11: Create Directory Structure
 
@@ -305,33 +305,33 @@ Use `generate_prompts.py`:
 
 **Before Step 13 and Step 17:** Extract the full path to the skill directory from the `<skill_files>` section in the skill tool output. Use this path as `<skill_path>` in the commands below.
 
-**Unix-like shells:**
-```bash
-uv run python <skill_path>/generate_prompts.py \
-  --template .long-table-summary/{topic}/subagent_template.md \
-  --output-dir .long-table-summary/{topic}/prompts \
-  --num-batches {num_batches} \
-  --sheet-name "{sheet_name}" \
-  --file-path "{input_file}" \
-  --start-row 2 \
-  --batch-size {batch_size} \
-  --instructions '{instructions_json}' \
-  --schema-path ".long-table-summary/{topic}/schema.json"
-```
-
-**For Windows cmd.exe:**
-```bash
-uv.exe run python <skill_path>\generate_prompts.py ^
-  --template .long-table-summary\{topic}\subagent_template.md ^
-  --output-dir .long-table-summary\{topic}\prompts ^
-  --num-batches {num_batches} ^
-  --sheet-name "{sheet_name}" ^
-  --file-path "{input_file}" ^
-  --start-row 2 ^
-  --batch-size {batch_size} ^
-  --instructions "{instructions_json}" ^
-  --schema-path ".long-table-summary\{topic}\schema.json"
-```
+**Unix-like shells:**
+```bash
+uv run python <skill_path>/generate_prompts.py \
+  --template .long-table-summary/{topic}/subagent_template.md \
+  --output-dir .long-table-summary/{topic}/prompts \
+  --num-batches {num_batches} \
+  --sheet-name "{sheet_name}" \
+  --file-path "{input_file}" \
+  --start-row 2 \
+  --batch-size {batch_size} \
+  --instructions '{instructions_json}' \
+  --schema-path ".long-table-summary/{topic}/schema.json"
+```
+
+**For Windows cmd.exe:**
+```bash
+uv.exe run python <skill_path>\generate_prompts.py ^
+  --template .long-table-summary\{topic}\subagent_template.md ^
+  --output-dir .long-table-summary\{topic}\prompts ^
+  --num-batches {num_batches} ^
+  --sheet-name "{sheet_name}" ^
+  --file-path "{input_file}" ^
+  --start-row 2 ^
+  --batch-size {batch_size} ^
+  --instructions "{instructions_json}" ^
+  --schema-path ".long-table-summary\{topic}\schema.json"
+```
 
 **Note:** The `{instructions_json}` is the user-confirmed JSON from Step 6.
 
@@ -374,31 +374,31 @@ For example:
 
 Do NOT inspect individual subagent outputs midway.
 
-### Step 16: Check for Missing Outputs
-
-After all batches are done, check for missing outputs:
-
-```bash
-ls .long-table-summary/{topic}/outputs/
-```
-
-Missing files indicate subagent failure. If any are missing:
-
-1. Ask user using the `question` tool:
-   - "{number} batches failed. Retry failed batches or proceed with available outputs?"
-
-2. **Options:**
-   - "Retry failed batches"
-   - "Proceed with available outputs"
-
-3. **If user selects "Retry":**
-   - Re-launch subagent with same prompt file for each failed batch
-
-4. **If user selects "Proceed":**
-   - Continue to Step 17 with available outputs
-
-Note: Since subagents validate their outputs before writing, existing files should contain valid JSON.
-
+### Step 16: Check for Missing Outputs
+
+After all batches are done, check for missing outputs:
+
+```bash
+ls .long-table-summary/{topic}/outputs/
+```
+
+Missing files indicate subagent failure. If any are missing:
+
+1. Ask user using the `question` tool:
+   - "{number} batches failed. Retry failed batches or proceed with available outputs?"
+
+2. **Options:**
+   - "Retry failed batches"
+   - "Proceed with available outputs"
+
+3. **If user selects "Retry":**
+   - Re-launch subagent with same prompt file for each failed batch
+
+4. **If user selects "Proceed":**
+   - Continue to Step 17 with available outputs
+
+Note: Since subagents validate their outputs before writing, existing files should contain valid JSON.
+
 
 ### Step 17: Combine All JSON Outputs
 
@@ -444,30 +444,30 @@ Provide user with:
 
 ## Python Scripts
 
-### Script 1: `generate_prompts.py`
-
-**Arguments:**
-- `--template`: Path to subagent_template.md
-- `--output-dir`: Directory for generated prompts
-- `--num-batches`: Total number of batches
-- `--sheet-name`: Sheet name
-- `--file-path`: Full path to the input table file
-- `--start-row`: Starting data row (default: 2)
-- `--batch-size`: Rows per batch (default: 30)
-- `--instructions`: User-confirmed JSON with summarization fields
-- `--schema-path`: Path to output JSON Schema file (required)
-- `--dry-run`: Validate without creating files (optional)
-- `--verbose`: Enable verbose output for debugging (optional)
-
-**Placeholders to replace:**
-- `{file_path}` → Absolute input file path
-- `{sheet_name}` → Sheet name
-- `{batch_number}` → Batch number (001, 002, etc.)
-- `{row_start}` → Start row
-- `{row_end}` → End row
-- `{output_file}` → Output file path
-- `{instructions_json}` → User's JSON instruction (properly escaped for markdown code block)
-- `{schema_path}` → Path to output JSON Schema file
+### Script 1: `generate_prompts.py`
+
+**Arguments:**
+- `--template`: Path to subagent_template.md
+- `--output-dir`: Directory for generated prompts
+- `--num-batches`: Total number of batches
+- `--sheet-name`: Sheet name
+- `--file-path`: Full path to the input table file
+- `--start-row`: Starting data row (default: 2)
+- `--batch-size`: Rows per batch (default: 30)
+- `--instructions`: User-confirmed JSON with summarization fields
+- `--schema-path`: Path to output JSON Schema file (required)
+- `--dry-run`: Validate without creating files (optional)
+- `--verbose`: Enable verbose output for debugging (optional)
+
+**Placeholders to replace:**
+- `{file_path}` → Absolute input file path
+- `{sheet_name}` → Sheet name
+- `{batch_number}` → Batch number (001, 002, etc.)
+- `{row_start}` → Start row
+- `{row_end}` → End row
+- `{output_file}` → Output file path
+- `{instructions_json}` → User's JSON instruction (properly escaped for markdown code block)
+- `{schema_path}` → Path to output JSON Schema file
 
 ### Script 2: `combine_outputs.py`
 

package/dist/tools/sandbox/bash-parser.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Bash Command Path Parser
+ *
+ * Extracts potential file paths from bash commands for sandbox validation.
+ * Uses heuristics to identify path-like strings.
+ */
+import type { BashPathExtractionResult } from './types';
+/**
+ * Extract potential file paths from a bash command string.
+ */
+export declare function extractPathsFromBashCommand(command: string): BashPathExtractionResult;
+/**
+ * Extract ALL arguments from file operation commands.
+ * Includes variables ($VAR), command substitutions ($(cmd)), etc.
+ * These will be expanded and validated before command execution.
+ */
+export declare function extractAllPathArgs(command: string): string[];

package/dist/tools/sandbox/bash-parser.js

@@ -0,0 +1,166 @@
+/**
+ * Bash Command Path Parser
+ *
+ * Extracts potential file paths from bash commands for sandbox validation.
+ * Uses heuristics to identify path-like strings.
+ */
+import { isAbsolutePath, looksLikePath } from './validator';
+/**
+ * Regular expressions for extracting paths from bash commands.
+ */
+const PATH_PATTERNS = {
+    // Double-quoted strings
+    doubleQuoted: /"([^"]+)"/g,
+    // Single-quoted strings
+    singleQuoted: /'([^']+)'/g,
+    // Common file operation commands with their path arguments
+    fileCommands: /\b(?:cat|head|tail|less|more|rm|cp|mv|touch|mkdir|rmdir|ls|find|chmod|chown|ln|tar|unzip|zip|gzip|gunzip)\s+((?:-[a-zA-Z]+\s+)*)([^\s;|&><(){}]+)/gi,
+    // Input/output redirection
+    redirection: /(?:<|>|>>|2>|&>|&>>)\s*([^\s;|&]+)/g,
+    // Python/Node script execution
+    scriptExecution: /\b(?:python|python3|node|uv\s+run\s+python)\s+((?:-[a-zA-Z]+\s+)*)([^\s;|&]+\.py(?:[^\s;|&]*)?)/gi,
+    // Source/dot command
+    sourceCommand: /(?:^|\s)(?:source|\.)\s+([^\s;|&]+)/g,
+    // Here-document markers (skip these)
+    heredoc: /<<\s*['"]?(\w+)['"]?/g,
+};
+/**
+ * Extract potential file paths from a bash command string.
+ */
+export function extractPathsFromBashCommand(command) {
+    const paths = new Set();
+    const absolutePaths = new Set();
+    // Track heredoc markers to exclude them
+    const heredocMarkers = new Set();
+    let match;
+    // Find heredoc markers first
+    while ((match = PATH_PATTERNS.heredoc.exec(command)) !== null) {
+        heredocMarkers.add(match[1]);
+    }
+    // Extract from double-quoted strings
+    PATH_PATTERNS.doubleQuoted.lastIndex = 0;
+    while ((match = PATH_PATTERNS.doubleQuoted.exec(command)) !== null) {
+        const content = match[1];
+        if (content && !heredocMarkers.has(content) && looksLikePath(content)) {
+            paths.add(content);
+            if (isAbsolutePath(content)) {
+                absolutePaths.add(content);
+            }
+        }
+    }
+    // Extract from single-quoted strings
+    PATH_PATTERNS.singleQuoted.lastIndex = 0;
+    while ((match = PATH_PATTERNS.singleQuoted.exec(command)) !== null) {
+        const content = match[1];
+        if (content && !heredocMarkers.has(content) && looksLikePath(content)) {
+            paths.add(content);
+            if (isAbsolutePath(content)) {
+                absolutePaths.add(content);
+            }
+        }
+    }
+    // Extract from file operation commands
+    PATH_PATTERNS.fileCommands.lastIndex = 0;
+    while ((match = PATH_PATTERNS.fileCommands.exec(command)) !== null) {
+        // match[2] is the path after any flags
+        const filePath = match[2];
+        if (filePath && looksLikePath(filePath)) {
+            paths.add(filePath);
+            if (isAbsolutePath(filePath)) {
+                absolutePaths.add(filePath);
+            }
+        }
+    }
+    // Extract from redirections
+    PATH_PATTERNS.redirection.lastIndex = 0;
+    while ((match = PATH_PATTERNS.redirection.exec(command)) !== null) {
+        const filePath = match[1];
+        if (filePath && looksLikePath(filePath)) {
+            paths.add(filePath);
+            if (isAbsolutePath(filePath)) {
+                absolutePaths.add(filePath);
+            }
+        }
+    }
+    // Extract from script execution
+    PATH_PATTERNS.scriptExecution.lastIndex = 0;
+    while ((match = PATH_PATTERNS.scriptExecution.exec(command)) !== null) {
+        // match[2] is the script path after any flags
+        const scriptPath = match[2];
+        if (scriptPath && looksLikePath(scriptPath)) {
+            paths.add(scriptPath);
+            if (isAbsolutePath(scriptPath)) {
+                absolutePaths.add(scriptPath);
+            }
+        }
+    }
+    // Extract from source commands
+    PATH_PATTERNS.sourceCommand.lastIndex = 0;
+    while ((match = PATH_PATTERNS.sourceCommand.exec(command)) !== null) {
+        const sourcePath = match[1];
+        if (sourcePath && looksLikePath(sourcePath)) {
+            paths.add(sourcePath);
+            if (isAbsolutePath(sourcePath)) {
+                absolutePaths.add(sourcePath);
+            }
+        }
+    }
+    return {
+        paths: Array.from(paths),
+        hasAbsolutePath: absolutePaths.size > 0,
+        absolutePaths: Array.from(absolutePaths)
+    };
+}
+/**
+ * Extract ALL arguments from file operation commands.
+ * Includes variables ($VAR), command substitutions ($(cmd)), etc.
+ * These will be expanded and validated before command execution.
+ */
+export function extractAllPathArgs(command) {
+    const args = new Set();
+    // File commands that take path arguments
+    const fileCommands = [
+        'cat', 'head', 'tail', 'less', 'more', 'rm', 'cp', 'mv',
+        'touch', 'mkdir', 'rmdir', 'ls', 'find', 'chmod', 'chown',
+        'ln', 'tar', 'unzip', 'zip', 'gzip', 'gunzip', 'dd',
+        'sh', 'bash', 'python', 'python3', 'node'
+    ];
+    // Pattern to find command names
+    const cmdPattern = new RegExp(`\\b(${fileCommands.join('|')})\\b`, 'gi');
+    // Find all command occurrences
+    let cmdMatch;
+    const commandPositions = [];
+    while ((cmdMatch = cmdPattern.exec(command)) !== null) {
+        commandPositions.push({
+            cmd: cmdMatch[1].toLowerCase(),
+            index: cmdMatch.index
+        });
+    }
+    // For each command, extract all following arguments until next command or shell operator
+    for (const { cmd, index } of commandPositions) {
+        // Get the substring after the command
+        const afterCmd = command.substring(index + cmd.length);
+        // Split by shell operators and whitespace to get individual arguments
+        // This is a simplified approach - doesn't handle quotes perfectly but catches most cases
+        const parts = afterCmd.split(/[\s;|&><]+/).filter(p => p.length > 0);
+        for (const part of parts) {
+            // Skip flags (start with -)
+            if (part.startsWith('-'))
+                continue;
+            // Stop if we hit another command
+            if (fileCommands.includes(part.toLowerCase()))
+                break;
+            // This looks like a path argument
+            args.add(part);
+        }
+    }
+    // Extract redirection targets: > file, < file, >> file, 2> file
+    // Allow { } ( } for consistency
+    const redirPattern = /(?:<|>|>>|2>|&>|&>>)\s*([^\s;|&><]+)/g;
+    let match;
+    while ((match = redirPattern.exec(command)) !== null) {
+        if (match[1])
+            args.add(match[1]);
+    }
+    return Array.from(args);
+}

package/dist/tools/sandbox/escape-scenarios.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Real-World Escape Scenario Tests
+ *
+ * Tests the actual escape vectors discovered during security analysis
+ * to verify they are properly blocked by the sandbox.
+ */
+export {};