aiden-runtime 4.1.5 → 4.6.0

package/dist/tools/v4/browser/captchaCheck.js

@@ -57,10 +57,14 @@ exports.CAPTCHA_MARKERS = [
     'request unsuccessful',
     'reference number',
     'this website is using a security service',
-    // hCaptcha / reCAPTCHA explicit
+    // hCaptcha / reCAPTCHA / Turnstile explicit
     'hcaptcha.com',
     'recaptcha',
     'g-recaptcha',
+    // v4.3 Phase 3 — Cloudflare Turnstile (newer than Cloudflare's
+    // older "Just a moment" interstitial; uses its own widget).
+    'cf-turnstile',
+    'turnstile',
     // PerimeterX
     'press and hold',
     'human verification',

package/dist/tools/v4/executeCode.js

@@ -71,6 +71,7 @@ exports.executeCodeTool = {
     category: 'execute',
     mutates: false,
     toolset: 'execute',
+    riskTier: 'caution', // v4.4 Phase 1
     async execute(args) {
         const code = String(args.code ?? '');
         if (!code.trim()) {

package/dist/tools/v4/files/fileCopy.js

@@ -21,6 +21,7 @@ exports.fileCopyTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileCopyTool = {
     schema: {
         name: 'file_copy',
@@ -37,6 +38,42 @@ exports.fileCopyTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const fromRaw = String(args.from ?? args.source ?? '').trim();
+        const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
+        const src = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'read', ctx.cwd);
+        const dst = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        let srcExists = false;
+        try {
+            await node_fs_1.promises.stat(src.resolvedPath);
+            srcExists = true;
+        }
+        catch { /* missing */ }
+        if (!src.allowed) {
+            return {
+                tool: 'file_copy', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: src.violation.message }],
+                summary: `Refused (source): ${src.violation.code}`,
+            };
+        }
+        if (!dst.allowed) {
+            return {
+                tool: 'file_copy', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: dst.violation.message }],
+                summary: `Refused (dest): ${dst.violation.code}`,
+            };
+        }
+        return {
+            tool: 'file_copy',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'copy_path', from: src.resolvedPath, to: dst.resolvedPath, src_exists: srcExists }],
+            detectedRisks: [],
+            summary: `Would copy ${src.resolvedPath} → ${dst.resolvedPath}${srcExists ? '' : ' (source missing)'}`,
+        };
+    },
     async execute(args, ctx) {
         const fromRaw = String(args.from ?? args.source ?? '').trim();
         const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
@@ -46,8 +83,25 @@ exports.fileCopyTool = {
         if ((0, paths_1.isProtectedPath)(fromRaw) || (0, paths_1.isProtectedPath)(toRaw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const from = (0, paths_1.expandPath)(fromRaw, ctx.cwd);
-        const to = (0, paths_1.expandPath)(toRaw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (source = read, dest = write).
+        const srcPolicy = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'read', ctx.cwd);
+        if (!srcPolicy.allowed) {
+            return {
+                success: false,
+                error: srcPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(srcPolicy),
+            };
+        }
+        const dstPolicy = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        if (!dstPolicy.allowed) {
+            return {
+                success: false,
+                error: dstPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(dstPolicy),
+            };
+        }
+        const from = srcPolicy.resolvedPath;
+        const to = dstPolicy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(to), { recursive: true });
             await node_fs_1.promises.cp(from, to, { recursive: true });

package/dist/tools/v4/files/fileDelete.js

@@ -19,6 +19,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.fileDeleteTool = void 0;
 const node_fs_1 = require("node:fs");
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileDeleteTool = {
     schema: {
         name: 'file_delete',
@@ -38,6 +39,33 @@ exports.fileDeleteTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'dangerous', // v4.4 Phase 1 — irreversible filesystem mutation
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const recursive = args.recursive === true;
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'delete', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let exists = false;
+        try {
+            await node_fs_1.promises.stat(resolved);
+            exists = true;
+        }
+        catch { /* missing */ }
+        const sideEffects = policy.allowed
+            ? [{ type: 'delete_file', path: resolved, exists, recursive }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_delete',
+            args,
+            riskTier: 'dangerous',
+            sideEffects,
+            detectedRisks: policy.allowed && recursive ? ['recursive_delete'] : [],
+            summary: policy.allowed
+                ? `Would ${recursive ? 'recursively ' : ''}delete ${resolved}${exists ? '' : ' (does not exist)'}`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -45,7 +73,16 @@ exports.fileDeleteTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'delete', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         if ((0, paths_1.isFilesystemRoot)(resolved)) {
             return { success: false, error: 'Refusing to delete filesystem root' };
         }

package/dist/tools/v4/files/fileList.js

@@ -22,6 +22,7 @@ exports.fileListTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const node_os_1 = __importDefault(require("node:os"));
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 function expandPath(input, cwd) {
     const home = node_os_1.default.homedir();
     let p = input;
@@ -54,9 +55,19 @@ exports.fileListTool = {
     category: 'read',
     mutates: false,
     toolset: 'files',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         const raw = String(args.path ?? args.dir ?? ctx.cwd).trim();
-        const resolved = expandPath(raw || ctx.cwd, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw || ctx.cwd, 'read', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         try {
             const entries = await node_fs_1.promises.readdir(resolved, { withFileTypes: true });
             const items = entries.map((e) => ({

package/dist/tools/v4/files/fileMove.js

@@ -22,6 +22,7 @@ exports.fileMoveTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileMoveTool = {
     schema: {
         name: 'file_move',
@@ -38,6 +39,42 @@ exports.fileMoveTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const fromRaw = String(args.from ?? args.source ?? '').trim();
+        const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
+        const src = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'write', ctx.cwd);
+        const dst = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        let srcExists = false;
+        try {
+            await node_fs_1.promises.stat(src.resolvedPath);
+            srcExists = true;
+        }
+        catch { /* missing */ }
+        if (!src.allowed) {
+            return {
+                tool: 'file_move', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: src.violation.message }],
+                summary: `Refused (source): ${src.violation.code}`,
+            };
+        }
+        if (!dst.allowed) {
+            return {
+                tool: 'file_move', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: dst.violation.message }],
+                summary: `Refused (dest): ${dst.violation.code}`,
+            };
+        }
+        return {
+            tool: 'file_move',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'move_path', from: src.resolvedPath, to: dst.resolvedPath, src_exists: srcExists }],
+            detectedRisks: [],
+            summary: `Would move ${src.resolvedPath} → ${dst.resolvedPath}${srcExists ? '' : ' (source missing)'}`,
+        };
+    },
     async execute(args, ctx) {
         const fromRaw = String(args.from ?? args.source ?? '').trim();
         const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
@@ -47,8 +84,28 @@ exports.fileMoveTool = {
         if ((0, paths_1.isProtectedPath)(fromRaw) || (0, paths_1.isProtectedPath)(toRaw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const from = (0, paths_1.expandPath)(fromRaw, ctx.cwd);
-        const to = (0, paths_1.expandPath)(toRaw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight. Move = read source + write dest;
+        // since the source is also being deleted, this could arguably be
+        // 'delete' on source — but delete and write share the same allowlist
+        // semantics in the policy. 'read' on source matches copy's shape.
+        const srcPolicy = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'write', ctx.cwd);
+        if (!srcPolicy.allowed) {
+            return {
+                success: false,
+                error: srcPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(srcPolicy),
+            };
+        }
+        const dstPolicy = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        if (!dstPolicy.allowed) {
+            return {
+                success: false,
+                error: dstPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(dstPolicy),
+            };
+        }
+        const from = srcPolicy.resolvedPath;
+        const to = dstPolicy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(to), { recursive: true });
             try {

package/dist/tools/v4/files/filePatch.js

@@ -19,6 +19,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.filePatchTool = void 0;
 const node_fs_1 = require("node:fs");
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.filePatchTool = {
     schema: {
         name: 'file_patch',
@@ -40,6 +41,38 @@ exports.filePatchTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const find = typeof args.find === 'string' ? args.find : '';
+        const replace = typeof args.replace === 'string' ? args.replace : '';
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let matches = 0;
+        let bytesDelta = 0;
+        if (policy.allowed && find) {
+            try {
+                const txt = await node_fs_1.promises.readFile(resolved, 'utf-8');
+                matches = txt.split(find).length - 1;
+                bytesDelta = matches * (Buffer.byteLength(replace, 'utf-8') - Buffer.byteLength(find, 'utf-8'));
+            }
+            catch { /* file may not exist — surfaced as 0 matches */ }
+        }
+        const sideEffects = policy.allowed
+            ? [{ type: 'patch_file', path: resolved, matches, bytes_delta: bytesDelta }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_patch',
+            args,
+            riskTier: 'caution',
+            sideEffects,
+            detectedRisks: [],
+            summary: policy.allowed
+                ? `Would patch ${resolved} (${matches} match${matches === 1 ? '' : 'es'}, Δ ${bytesDelta} bytes)`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -47,12 +80,21 @@ exports.filePatchTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
         const find = typeof args.find === 'string' ? args.find : '';
         const replace = typeof args.replace === 'string' ? args.replace : '';
         if (!find)
             return { success: false, error: 'Empty find string' };
         const replaceAll = args.replace_all === true;
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        const resolved = policy.resolvedPath;
         try {
             const original = await node_fs_1.promises.readFile(resolved, 'utf-8');
             const occurrences = original.split(find).length - 1;

package/dist/tools/v4/files/fileRead.js

@@ -24,6 +24,7 @@ exports.fileReadTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const node_os_1 = __importDefault(require("node:os"));
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 const MAX_OUTPUT = 5000;
 const DENY_PATTERNS = [
     /[\\/]\.ssh[\\/]/i,
@@ -73,6 +74,7 @@ exports.fileReadTool = {
     category: 'read',
     mutates: false,
     toolset: 'files',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -83,7 +85,16 @@ exports.fileReadTool = {
                 error: 'Access denied: protected path (credentials/keys/.env)',
             };
         }
-        const resolved = expandPath(raw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'read', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         try {
             const content = await node_fs_1.promises.readFile(resolved, 'utf-8');
             return {

package/dist/tools/v4/files/fileWrite.js

@@ -23,6 +23,8 @@ exports.fileWriteTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
+const dryRun_1 = require("../../../core/v4/dryRun");
 exports.fileWriteTool = {
     schema: {
         name: 'file_write',
@@ -39,6 +41,35 @@ exports.fileWriteTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const content = typeof args.content === 'string' ? args.content : '';
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let prevBytes;
+        try {
+            prevBytes = (await node_fs_1.promises.stat(resolved)).size;
+        }
+        catch { /* didn't exist */ }
+        const newBytes = Buffer.byteLength(content, 'utf-8');
+        const sideEffects = policy.allowed
+            ? [prevBytes !== undefined
+                    ? { type: 'overwrite_file', path: resolved, prev_bytes: prevBytes, new_bytes: newBytes, preview: (0, dryRun_1.truncatePreview)(content) }
+                    : { type: 'create_file', path: resolved, bytes: newBytes, preview: (0, dryRun_1.truncatePreview)(content) }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_write',
+            args,
+            riskTier: 'caution',
+            sideEffects,
+            detectedRisks: [],
+            summary: policy.allowed
+                ? `Would write ${newBytes} bytes to ${resolved}`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -46,8 +77,17 @@ exports.fileWriteTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
         const content = typeof args.content === 'string' ? args.content : '';
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        const resolved = policy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(resolved), { recursive: true });
             await node_fs_1.promises.writeFile(resolved, content, 'utf-8');