agent.libx.js 0.94.12 → 0.94.14

package/README.md

@@ -103,7 +103,7 @@ agentx -c "keep going"      # continue the most recent session
 agentx --resume <id> "…"    # resume a specific session
 ```
 
-- **Filesystem + Shell** — by default the CLI has **full real-filesystem access like Claude Code** (root `/` is the machine root, the launch dir is the working dir, absolute host paths and above-cwd reach both work) with a **real `/bin/sh`** (`Shell` tool) so the agent can run git, bun, node, curl, and any installed binary. Secrets (`.env`, `.ssh`, keys, `.git`) stay hidden by the jail; env secrets are scrubbed from the child shell. `--sandbox` instead operates over an in-memory copy of the working dir with a VFS-only `bash` — the real disk is never touched. `--boddb <dir>` runs over a **persistent database workspace** (a bod-db store at `<dir>` — `meta.db` tree + `files/` bytes) that survives across runs while the real disk stays untouched; DB-native by default, or add `--seed` to hydrate it from cwd on the first run. `--no-shell` forces the VFS bash in disk mode. (`/sandbox` shows the active mode.)
+- **Filesystem + Shell** — by default the CLI has **full real-filesystem access like Claude Code** (root `/` is the machine root, the launch dir is the working dir, absolute host paths and above-cwd reach both work) with a **real `/bin/sh`** (`Shell` tool) so the agent can run git, bun, node, curl, and any installed binary. Secrets (`.env`, `.ssh`, keys, `.git`) stay hidden by the jail; env secrets are scrubbed from the child shell. `--sandbox` instead operates over an in-memory copy of the working dir with a VFS-only `bash` — the real disk is never touched. `--boddb <dir>` runs over a **persistent database workspace** (a bod-db store at `<dir>` — `meta.db` tree + `files/` bytes) that survives across runs while the real disk stays untouched; DB-native by default, or add `--seed` to hydrate it from cwd on the first run. `--no-shell` forces the VFS bash in disk mode. `--harden` OS-sandboxes the real shell (macOS `sandbox-exec` / Linux `bwrap`): writes confined to cwd+tmp, outbound network blocked (`--harden-net` keeps network); commands fail closed when no wrapper exists. (`/sandbox` shows the active mode.)
 - **Sessions** — every conversation persists to `./.agent/sessions/<id>.json`; `--continue`/`--resume` (and `/sessions`, `/resume`) pick it back up, *with memory across turns* — a REPL turn sees the previous one. A global symlink index at `~/.agent/sessions/` enables cross-project lookup: `--resume 090715-myproject` resolves from any directory, and `/sessions all` lists every project's sessions in one picker.
 - **Diffs** — every `Edit`/`Write`/`MultiEdit` renders a colorized `+/-` diff (TTY-gated; plain when piped).
 - **Slash commands** — `/help /tools /model /compact /memory /clear /sessions /resume /commands /init`; `/compact <focus>` preserves matching lines from the folded span; `/memory` opens the memory index in `$EDITOR`; user-defined `./.agent/commands/<name>.md` are invokable directly as `/<name>` (the same registry the model's `SlashCommand` tool uses).

package/dist/cli.d.ts

@@ -90,6 +90,8 @@ interface Args {
     print?: boolean;
     debug?: boolean;
     scratch?: boolean;
+    harden?: boolean;
+    hardenNet?: boolean;
 }
 declare function parseArgs(argv: string[]): Args;
 /** Synthetic task-event user messages ("[task t2 completed] <multi-KB worker dump>") aren't real user

package/dist/cli.js

@@ -1388,7 +1388,67 @@ var init_JailedFilesystem = __esm({
   }
 });
 
+// src/shell.sandbox.ts
+function writable(cwd, o, tmpDir) {
+  const set = /* @__PURE__ */ new Set([cwd, "/tmp", "/private/tmp", "/private/var/folders", "/dev", ...tmpDir ? [tmpDir] : [], ...o.writePaths]);
+  return [...set];
+}
+function seatbeltProfile(cwd, o, tmpDir) {
+  const allows = writable(cwd, o, tmpDir).map((p) => `(subpath ${sbQuote(p)})`).join(" ");
+  return [
+    "(version 1)",
+    "(allow default)",
+    ...o.network ? [] : ["(deny network*)"],
+    "(deny file-write*)",
+    `(allow file-write* ${allows})`
+  ].join("\n");
+}
+function sandboxArgv(command, cwd, opts = {}, platform2 = process.platform, tmpDir) {
+  const o = { ...new OsSandboxOptions(), ...opts };
+  if (platform2 === "darwin") {
+    return { bin: "/usr/bin/sandbox-exec", args: ["-p", seatbeltProfile(cwd, o, tmpDir), "/bin/sh", "-c", command] };
+  }
+  if (platform2 === "linux") {
+    const binds = writable(cwd, o, tmpDir).filter((p) => p !== "/dev" && !p.startsWith("/private")).flatMap((p) => ["--bind-try", p, p]);
+    return {
+      bin: "bwrap",
+      args: ["--ro-bind", "/", "/", ...binds, "--dev", "/dev", "--proc", "/proc", "--die-with-parent", ...o.network ? [] : ["--unshare-net"], "/bin/sh", "-c", command]
+    };
+  }
+  return null;
+}
+async function findSandboxWrapper(platform2 = process.platform) {
+  const { existsSync: existsSync9 } = await import("fs");
+  if (platform2 === "darwin") return existsSync9("/usr/bin/sandbox-exec") ? "/usr/bin/sandbox-exec" : null;
+  if (platform2 === "linux") {
+    for (const dir of (process.env.PATH ?? "/usr/bin:/bin").split(":")) if (dir && existsSync9(`${dir}/bwrap`)) return `${dir}/bwrap`;
+    return null;
+  }
+  return null;
+}
+var OsSandboxOptions, sbQuote;
+var init_shell_sandbox = __esm({
+  "src/shell.sandbox.ts"() {
+    "use strict";
+    OsSandboxOptions = class {
+      /** Allow outbound network. Default OFF (Tier-1: no network unless granted). */
+      network = false;
+      /** Extra absolute paths writable beyond cwd + tmp (e.g. a build cache). */
+      writePaths = [];
+    };
+    sbQuote = (p) => `"${p.replace(/(["\\])/g, "\\$1")}"`;
+  }
+});
+
 // src/tools.shell.ts
+async function spawnArgvFor(command, cwd, osSandbox) {
+  if (!osSandbox) return { bin: "/bin/sh", args: ["-c", command] };
+  const opts = osSandbox === true ? {} : osSandbox;
+  const wrapper = await findSandboxWrapper();
+  const wrapped = wrapper ? sandboxArgv(command, cwd, opts, process.platform, process.env.TMPDIR) : null;
+  if (!wrapped) throw new Error(`OS sandbox requested but no wrapper available on ${process.platform} (need sandbox-exec or bwrap)`);
+  return wrapped;
+}
 function childEnv(opts) {
   const base = {};
   const redact = opts.redactEnv !== false;
@@ -1421,6 +1481,14 @@ function makeRealShellTool(options) {
         return `Started background job ${id}. Poll output with ShellOutput({id:"${id}"}), check ShellStatus({id:"${id}"}), stop with ShellKill({id:"${id}"}).`;
       }
       const spawn3 = options.spawn ?? await nodeSpawn();
+      let argv = { bin: "/bin/sh", args: ["-c", cmd] };
+      if (options.osSandbox) {
+        try {
+          argv = await spawnArgvFor(cmd, options.cwd, options.osSandbox);
+        } catch (e) {
+          return `[exit 1] ${e?.message ?? e}`;
+        }
+      }
       const ctl = new AbortController();
       const onAbort = () => ctl.abort();
       if (ctx.signal) {
@@ -1455,7 +1523,7 @@ function makeRealShellTool(options) {
           };
           let proc;
           try {
-            proc = spawn3("/bin/sh", ["-c", cmd], { cwd: options.cwd, env: childEnv(options), signal: ctl.signal });
+            proc = spawn3(argv.bin, argv.args, { cwd: options.cwd, env: childEnv(options), signal: ctl.signal });
           } catch (e) {
             return finish(`[exit 1] failed to spawn shell: ${e?.message ?? e}`);
           }
@@ -1541,6 +1609,7 @@ var init_tools_shell = __esm({
     init_tools();
     init_redact();
     init_logging();
+    init_shell_sandbox();
     log12 = forComponent("shell");
     clean = (s) => truncateOutput(redactSecrets(s.replace(/\n+$/, "")));
     SECRET_ENV_RE = /(_API_KEY|_TOKEN|_SECRET|_PASSWORD|_PRIVATE_KEY|^AWS_|^GITHUB_TOKEN$|^OPENAI_|^ANTHROPIC_|^GOOGLE_|^GEMINI_|^GROQ_|^NPM_TOKEN$)/i;
@@ -1562,7 +1631,8 @@ var init_tools_shell = __esm({
         };
         try {
           const spawn3 = this.cfg.spawn ?? await nodeSpawn();
-          const proc = spawn3("/bin/sh", ["-c", command], { cwd: this.cfg.cwd, env: childEnv(this.cfg) });
+          const argv = this.cfg.osSandbox ? await spawnArgvFor(command, this.cfg.cwd, this.cfg.osSandbox) : { bin: "/bin/sh", args: ["-c", command] };
+          const proc = spawn3(argv.bin, argv.args, { cwd: this.cfg.cwd, env: childEnv(this.cfg) });
           job.proc = proc;
           proc.stdout?.on("data", append);
           proc.stderr?.on("data", append);
@@ -6082,8 +6152,8 @@ Reference files in them by their mount path (the left side).`;
   let realShell = [];
   const useRealShell = o.realShell ?? !virtual;
   if (useRealShell && !virtual) {
-    const jobs = new ShellJobRegistry({ cwd, killOnExit: true });
-    realShell = [makeRealShellTool({ cwd, registry: jobs }), ...makeShellJobTools(jobs)];
+    const jobs = new ShellJobRegistry({ cwd, killOnExit: true, osSandbox: o.osSandbox });
+    realShell = [makeRealShellTool({ cwd, registry: jobs, osSandbox: o.osSandbox }), ...makeShellJobTools(jobs)];
   }
   const scratchDir = o.scratch ? o.scratchDir ?? (virtual ? `${cwd}/.agent/scratch` : `${tmpdir()}/agentx-scratch-${process.pid}`) : void 0;
   const scratch = scratchDir ? new Scratch(fs, { dir: scratchDir }) : void 0;
@@ -8592,7 +8662,11 @@ function parseArgs(argv) {
     else if (x === "--seed") a.seed = true;
     else if (x === "--shell") a.shell = true;
     else if (x === "--no-shell") a.shell = false;
-    else if (x === "--subagents") a.subagents = true;
+    else if (x === "--harden") a.harden = true;
+    else if (x === "--harden-net") {
+      a.harden = true;
+      a.hardenNet = true;
+    } else if (x === "--subagents") a.subagents = true;
     else if (x === "--duplex") a.duplex = true;
     else if (x === "--conversational" || x === "--convo" || x === "--voice") {
       a.voice = true;
@@ -8647,6 +8721,8 @@ Flags:
                        surviving across runs \u2014 real disk is NEVER modified (DB-native; add --seed below)
   --seed               with --boddb: hydrate the store from cwd on the first run (empty DB) only
   --shell              force real /bin/sh on (default in disk mode); --no-shell to use VFS bash only
+  --harden             OS-sandbox the real shell (sandbox-exec/bwrap): writes confined to cwd+tmp,
+                       outbound network blocked; --harden-net keeps network allowed
   --plan               plan mode: edits blocked until you approve a plan
   --ask                confirm each mutating tool (bash/Shell/Write/Edit/\u2026)
   --yes, -y            auto-approve mutating tools (no prompts) \u2014 for trusted/unattended runs
@@ -9167,6 +9243,7 @@ function optsFor(args, ai, cfg = {}, extraTools = []) {
     seed: args.seed,
     realShell: args.shell,
     // undefined → core.ts defaults (on for disk, off for sandbox/boddb)
+    osSandbox: args.harden ? { network: !!args.hardenNet } : void 0,
     scratch: args.scratch,
     appendSystemPrompt: args.appendSystemPrompt,
     addDirs: args.addDirs,
@@ -9202,6 +9279,8 @@ async function makeAgent(args, ai, cfg, extraTools = []) {
   else if (args.boddb) err(dim(`  \u229D boddb: files live in a database at ${args.boddb}${args.seed ? " (seeded from cwd on first run)" : ""} \u2014 the real disk will not be modified
 `));
   else if (args.shell === false) err(dim("  \u2296 --no-shell: VFS bash only (no real /bin/sh)\n"));
+  if (args.harden && !virtual) err(dim(`  \u26E8 hardened shell: writes confined to cwd+tmp${args.hardenNet ? "" : ", network blocked"} (sandbox-exec/bwrap)
+`));
   const agent = await buildAgent(optsFor(args, ai, cfg, extraTools));
   const display = displayHooks(agent.options.fs);
   agent.options.hooks = cfg.hooks ? composeHooks(display, hooksFromConfig(cfg.hooks)) : display;