aiden-runtime 3.16.2 → 3.18.0

package/dist/core/permissionSystem.js

@@ -0,0 +1,239 @@
+"use strict";
+// ============================================================
+// DevOS — Permission System v1
+// Reads workspace/permissions.yaml and exposes checkShell(),
+// checkFileWrite(), checkFileRead(), checkBrowserDomain().
+//
+// Design:
+//   verdict 'allow'  — explicitly permitted, skip inner gates
+//   verdict 'deny'   — blocked, return error immediately
+//   verdict 'ask'    — needs user approval before running
+//   verdict 'defer'  — no opinion, let existing hardcoded gate decide
+//
+// Changes to permissions.yaml take effect immediately (file-watcher).
+// ============================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.permissionSystem = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const js_yaml_1 = __importDefault(require("js-yaml"));
+const minimatch_1 = __importDefault(require("minimatch"));
+// ── PermissionSystem ──────────────────────────────────────────
+class PermissionSystem {
+    constructor() {
+        this.configPath = path.join(process.cwd(), 'workspace', 'permissions.yaml');
+        this.config = this.defaults();
+        this.load();
+        this.startWatcher();
+    }
+    // ── Defaults ────────────────────────────────────────────────
+    defaults() {
+        return {
+            version: 1,
+            mode: 'ask',
+            shell: {
+                deny: [],
+                allow: [],
+            },
+            filesystem: {
+                deny_read: [],
+                deny_write: [],
+                allow_write: [],
+            },
+            browser: {
+                deny_domains: [],
+                require_approval: false,
+            },
+            audit: {
+                enabled: true,
+                log_file: 'workspace/audit.log',
+                log_level: 'deny',
+            },
+        };
+    }
+    // ── Loader ──────────────────────────────────────────────────
+    load() {
+        try {
+            if (!fs.existsSync(this.configPath))
+                return;
+            const raw = fs.readFileSync(this.configPath, 'utf-8');
+            const parsed = js_yaml_1.default.load(raw);
+            const d = this.defaults();
+            this.config = {
+                ...d,
+                ...parsed,
+                shell: { ...d.shell, ...(parsed.shell ?? {}) },
+                filesystem: { ...d.filesystem, ...(parsed.filesystem ?? {}) },
+                browser: { ...d.browser, ...(parsed.browser ?? {}) },
+                audit: { ...d.audit, ...(parsed.audit ?? {}) },
+            };
+        }
+        catch (e) {
+            console.warn('[Permissions] Failed to load permissions.yaml:', e.message);
+        }
+    }
+    reload() {
+        this.load();
+        console.log('[Permissions] Reloaded permissions.yaml');
+    }
+    // ── File watcher ────────────────────────────────────────────
+    startWatcher() {
+        try {
+            if (!fs.existsSync(path.dirname(this.configPath)))
+                return;
+            // Watch the workspace dir so we catch the file being created too
+            const watchDir = path.dirname(this.configPath);
+            this.watcher = fs.watch(watchDir, { persistent: false }, (event, filename) => {
+                if (filename && filename.includes('permissions')) {
+                    this.load();
+                    console.log('[Permissions] Auto-reloaded permissions.yaml');
+                }
+            });
+        }
+        catch { /* workspace may not exist yet */ }
+    }
+    // ── Glob helper ─────────────────────────────────────────────
+    matches(value, patterns) {
+        const normalized = value.replace(/\\/g, '/');
+        return patterns.some(p => {
+            // Simple startsWith patterns (no glob chars) — substring match for shell cmds
+            if (!p.includes('*') && !p.includes('?') && !p.includes('[')) {
+                return normalized.toLowerCase().startsWith(p.toLowerCase().replace(/\s*$/, ''));
+            }
+            return (0, minimatch_1.default)(normalized, p, { dot: true, matchBase: true, nocase: true });
+        });
+    }
+    // ── Audit ────────────────────────────────────────────────────
+    audit(action, verdict, reason) {
+        if (!this.config.audit.enabled)
+            return;
+        const level = this.config.audit.log_level;
+        if (level === 'deny' && verdict !== 'deny')
+            return;
+        if (level === 'ask' && verdict === 'allow')
+            return;
+        try {
+            const line = `${new Date().toISOString()} [${verdict.toUpperCase()}] ${action} — ${reason}\n`;
+            const logPath = path.isAbsolute(this.config.audit.log_file)
+                ? this.config.audit.log_file
+                : path.join(process.cwd(), this.config.audit.log_file);
+            fs.mkdirSync(path.dirname(logPath), { recursive: true });
+            fs.appendFileSync(logPath, line, 'utf-8');
+        }
+        catch { /* audit failures are silent */ }
+    }
+    // ── checkShell ───────────────────────────────────────────────
+    checkShell(cmd) {
+        const trimmed = cmd.trim();
+        // 1. Hard deny from config (highest priority)
+        if (this.matches(trimmed, this.config.shell.deny)) {
+            this.audit(`shell: ${trimmed.slice(0, 120)}`, 'deny', 'matches shell.deny list');
+            return { verdict: 'deny', reason: 'Blocked by permissions.yaml shell deny list.' };
+        }
+        // 2. Explicit allow from config
+        if (this.matches(trimmed, this.config.shell.allow)) {
+            this.audit(`shell: ${trimmed.slice(0, 120)}`, 'allow', 'matches shell.allow list');
+            return { verdict: 'allow' };
+        }
+        // 3. Mode-based fallthrough
+        switch (this.config.mode) {
+            case 'allow':
+                return { verdict: 'allow' };
+            case 'strict':
+                this.audit(`shell: ${trimmed.slice(0, 120)}`, 'deny', 'strict mode, not in allow list');
+                return { verdict: 'deny', reason: 'Strict mode: command not in shell.allow list.' };
+            case 'ask':
+            default:
+                // Defer to the existing hardcoded SHELL_ALLOWLIST/DENIED_COMMANDS gate
+                return { verdict: 'defer' };
+        }
+    }
+    // ── checkFileWrite ───────────────────────────────────────────
+    checkFileWrite(filePath) {
+        const norm = filePath.replace(/\\/g, '/');
+        if (this.matches(norm, this.config.filesystem.deny_write)) {
+            this.audit(`file_write: ${norm}`, 'deny', 'matches filesystem.deny_write');
+            return { verdict: 'deny', reason: 'Blocked by permissions.yaml filesystem deny_write.' };
+        }
+        // allow_write is an explicit permit (relevant in strict mode)
+        if (this.matches(norm, this.config.filesystem.allow_write)) {
+            return { verdict: 'allow' };
+        }
+        switch (this.config.mode) {
+            case 'allow':
+                return { verdict: 'allow' };
+            case 'strict':
+                this.audit(`file_write: ${norm}`, 'deny', 'strict mode, not in allow_write');
+                return { verdict: 'deny', reason: 'Strict mode: path not in filesystem.allow_write.' };
+            default:
+                // ask/unknown — write is allowed by default; existing isPathDenied() covers secrets
+                return { verdict: 'defer' };
+        }
+    }
+    // ── checkFileRead ────────────────────────────────────────────
+    checkFileRead(filePath) {
+        const norm = filePath.replace(/\\/g, '/');
+        if (this.matches(norm, this.config.filesystem.deny_read)) {
+            this.audit(`file_read: ${norm}`, 'deny', 'matches filesystem.deny_read');
+            return { verdict: 'deny', reason: 'Blocked by permissions.yaml filesystem deny_read.' };
+        }
+        return { verdict: 'defer' };
+    }
+    // ── checkBrowserDomain ───────────────────────────────────────
+    checkBrowserDomain(url) {
+        try {
+            const hostname = new URL(url).hostname;
+            if (this.matches(hostname, this.config.browser.deny_domains)) {
+                this.audit(`browser: ${hostname}`, 'deny', 'matches browser.deny_domains');
+                return { verdict: 'deny', reason: `Domain blocked by permissions.yaml: ${hostname}` };
+            }
+            if (this.config.browser.require_approval) {
+                return { verdict: 'ask', reason: 'browser.require_approval=true in permissions.yaml' };
+            }
+        }
+        catch { /* invalid URL — pass through */ }
+        return { verdict: 'defer' };
+    }
+    // ── Accessors ────────────────────────────────────────────────
+    getConfig() { return structuredClone(this.config); }
+    getMode() { return this.config.mode; }
+    getConfigPath() { return this.configPath; }
+}
+// ── Singleton ─────────────────────────────────────────────────
+exports.permissionSystem = new PermissionSystem();

package/dist/core/pluginLoader.js

@@ -0,0 +1,161 @@
+"use strict";
+// ============================================================
+// DevOS — Plugin Loader (unified flat .js format)
+// Loads workspace/plugins/*.js  (files NOT starting with _)
+//
+// This is the single plugin system for Aiden v3.17+.
+// core/pluginSystem.ts is deprecated — all new plugins use
+// the flat format with init(ctx).
+// ============================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadedFlatPlugins = exports.pluginHooks = void 0;
+exports.loadPlugins = loadPlugins;
+exports.reloadPlugins = reloadPlugins;
+exports.listFlatPlugins = listFlatPlugins;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const toolRegistry_1 = require("./toolRegistry");
+const hooks_1 = require("./hooks");
+exports.pluginHooks = {
+    preTool: [],
+    postTool: [],
+    onSessionStart: [],
+    onSessionEnd: [],
+};
+exports.loadedFlatPlugins = [];
+// ── Plugin context (passed to init / onLoad) ──────────────────
+function makeContext(pluginName) {
+    return {
+        registerTool(def) {
+            (0, toolRegistry_1.registerExternalTool)(def.name, def.execute, pluginName);
+        },
+        // Lifecycle hooks that fire around every tool call and session boundary
+        hooks: {
+            preTool(fn) { exports.pluginHooks.preTool.push(fn); },
+            postTool(fn) { exports.pluginHooks.postTool.push(fn); },
+            onSessionStart(fn) { exports.pluginHooks.onSessionStart.push(fn); },
+            onSessionEnd(fn) { exports.pluginHooks.onSessionEnd.push(fn); },
+        },
+        // Core lifecycle events: 'pre_compact' | 'session_stop' | 'after_tool_call'
+        registerHook(event, handler) {
+            (0, hooks_1.registerExternalHook)(event, handler, pluginName);
+        },
+        log(...args) {
+            console.log(`[Plugin:${pluginName}]`, ...args);
+        },
+    };
+}
+// ── Loader ────────────────────────────────────────────────────
+async function loadPlugins(pluginDir) {
+    if (!fs.existsSync(pluginDir)) {
+        fs.mkdirSync(pluginDir, { recursive: true });
+        return;
+    }
+    const entries = fs.readdirSync(pluginDir).filter(f => {
+        if (!f.endsWith('.js'))
+            return false; // .js only
+        if (f.startsWith('_'))
+            return false; // skip _example.js etc.
+        return true;
+    });
+    for (const file of entries) {
+        const fullPath = path.resolve(pluginDir, file);
+        try {
+            // Clear require cache so reload works
+            delete require.cache[require.resolve(fullPath)];
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const def = require(fullPath);
+            const name = def.name || path.basename(file, '.js');
+            const version = def.version || '0.0.0';
+            // Support both flat format (init) and legacy subdirectory format (onLoad)
+            const initFn = def.init ?? def.onLoad ?? (def.default?.init) ?? (def.default?.onLoad);
+            if (typeof initFn !== 'function') {
+                console.warn(`[PluginLoader] ${file}: no init() — skipping`);
+                continue;
+            }
+            const ctx = makeContext(name);
+            const dispose = await initFn.call(def.default ?? def, ctx);
+            exports.loadedFlatPlugins.push({
+                name,
+                version,
+                description: def.description || def.default?.description || '',
+                author: def.author || def.default?.author || '',
+                file: fullPath,
+                loadedAt: Date.now(),
+                active: true,
+                dispose: typeof dispose === 'function' ? dispose
+                    : (def.dispose ?? def.default?.onUnload ?? def.default?.dispose),
+            });
+            console.log(`[PluginLoader] Loaded: ${name} v${version} (${file})`);
+        }
+        catch (err) {
+            console.error(`[PluginLoader] Failed to load ${file}:`, err.message);
+        }
+    }
+}
+// ── Reload — dispose old plugins then reload all flat plugins ─
+async function reloadPlugins(pluginDir) {
+    // Dispose in reverse order
+    for (let i = exports.loadedFlatPlugins.length - 1; i >= 0; i--) {
+        const p = exports.loadedFlatPlugins[i];
+        if (p.dispose) {
+            try {
+                await p.dispose();
+            }
+            catch { /* ignore dispose errors */ }
+        }
+        p.active = false;
+    }
+    exports.loadedFlatPlugins.length = 0;
+    // Clear all hooks contributed by plugins
+    exports.pluginHooks.preTool.length = 0;
+    exports.pluginHooks.postTool.length = 0;
+    exports.pluginHooks.onSessionStart.length = 0;
+    exports.pluginHooks.onSessionEnd.length = 0;
+    await loadPlugins(pluginDir);
+}
+// ── Status ────────────────────────────────────────────────────
+function listFlatPlugins() {
+    return exports.loadedFlatPlugins.map(p => ({
+        name: p.name,
+        version: p.version,
+        description: p.description,
+        author: p.author,
+        file: path.basename(p.file),
+        loadedAt: p.loadedAt,
+        active: p.active,
+    }));
+}

package/dist/core/skillLoader.js

@@ -44,45 +44,27 @@ function getSkillCacheStats() {
 }
 // ── Skill injection guard ─────────────────────────────────────
 const SKILL_INJECTION_PATTERNS = [
-    // ── Original patterns ──────────────────────────────────────
+    // ── Prompt hijacking ───────────────────────────────────────
     /ignore\s+(all\s+)?(previous|above|prior)/i,
     /disregard\s+(all\s+)?(previous|above)/i,
     /you\s+are\s+now\s+/i,
     /new\s+instructions\s*:/i,
-    /override\s+system/i,
-    /curl\s+.*\|\s*bash/i,
+    /override\s+(your\s+)?(system|instructions|rules)/i,
+    /curl\s+[^\n]*\|\s*(bash|sh)\b/i,
     /ANTHROPIC_BASE_URL/i,
     /\]\s*\(\s*javascript:/i,
     // ── Role hijacking ─────────────────────────────────────────
-    /act\s+as\s+(if\s+you\s+are|a|an)\s/i,
     /pretend\s+(to\s+be|you\s+are)/i,
     /roleplay\s+as/i,
     /you\s+must\s+obey/i,
     /your\s+new\s+(role|instruction|directive)/i,
-    // ── Indirect injection (model-control tokens) ──────────────
-    /\[SYSTEM\]/i,
+    // ── Model-control tokens (LLM prompt format injection) ─────
     /\[INST\]/i,
     /<\|im_start\|>/i,
     /<\|system\|>/i,
     /<<\s*SYS\s*>>/i,
-    /###\s*instruction/i,
-    // ── Encoded / obfuscated payloads ──────────────────────────
-    /base64\s*decode/i,
-    /eval\s*\(/i,
-    /exec\s*\(/i,
-    /import\s+os/i,
-    /subprocess/i,
-    /\\x[0-9a-f]{2}/i,
-    // ── Data exfiltration ──────────────────────────────────────
-    /send\s+(to|via)\s+(http|email|webhook|api)/i,
-    /upload\s+(to|file|data)/i,
-    /curl\s+.*-d\s/i,
-    /fetch\s*\(\s*['"]http/i,
-    // ── Privilege escalation ───────────────────────────────────
-    /admin\s*(mode|access|privilege)/i,
-    /sudo\s/i,
-    /run\s+as\s+administrator/i,
-    /elevation\s+prompt/i,
+    // ── Obfuscated payloads ────────────────────────────────────
+    /\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i, // hex sequences (2+ consecutive)
 ];
 function sanitizeSkill(content, filename) {
     for (const pattern of SKILL_INJECTION_PATTERNS) {