aiden-runtime 4.8.1 → 4.9.0

package/dist/core/v4/hooks/runtime/subprocessRunner.js

@@ -0,0 +1,188 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/hooks/runtime/subprocessRunner.ts — v4.9.0 Slice 12a.
+ *
+ * Spawn a hook entrypoint in a child process with a scrubbed
+ * environment, pipe JSON to stdin, capture stdout (≤64 KB) and
+ * stderr (≤16 KB), enforce a timeout via SIGKILL, parse the JSON
+ * response, and return a structured outcome envelope.
+ *
+ * `shell: false` always — no shell expansion, the manifest argv is
+ * exec'd directly. Only a curated allowlist of env vars is exported
+ * to the child; Aiden's API keys, OAuth tokens, and AIDEN_* config
+ * vars are NEVER inherited.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runHookSubprocess = runHookSubprocess;
+const node_child_process_1 = require("node:child_process");
+const node_crypto_1 = require("node:crypto");
+const STDOUT_CAP = 64 * 1024;
+const STDERR_CAP = 16 * 1024;
+/**
+ * Env keys that are SAFE to pass through to a hook subprocess. Anything
+ * not on this list is dropped. PATH is whitelisted but reset to the
+ * system PATH (no Aiden-prepended dirs). The four AIDEN_* keys are the
+ * minimal correlation identifiers the hook needs; api keys / oauth
+ * tokens / model config never reach the subprocess.
+ */
+const SAFE_ENV_KEYS = new Set([
+    'PATH', 'SystemRoot', 'COMSPEC', 'TEMP', 'TMP', 'TMPDIR',
+    'HOME', 'USERPROFILE', 'LANG', 'LC_ALL', 'LC_CTYPE', 'LC_MESSAGES',
+    // Allowed but populated by the runner, not inherited:
+    // AIDEN_HOOK_EVENT, AIDEN_HOOK_ID, AIDEN_RUN_ID,
+    // AIDEN_TRACE_ID, AIDEN_PARENT_SPAN_ID
+]);
+/**
+ * Build the env block the child sees. Whitelist-only — anything not
+ * in `SAFE_ENV_KEYS` is dropped. The 5 AIDEN_HOOK_* keys are stamped
+ * fresh from `input` (NOT read from `process.env`, so a parent-leaked
+ * AIDEN_API_KEY can never propagate).
+ */
+function buildChildEnv(input) {
+    const out = {};
+    for (const k of Object.keys(process.env)) {
+        if (SAFE_ENV_KEYS.has(k))
+            out[k] = process.env[k];
+    }
+    if (input.event)
+        out.AIDEN_HOOK_EVENT = input.event;
+    if (input.hookId)
+        out.AIDEN_HOOK_ID = input.hookId;
+    if (input.runId)
+        out.AIDEN_RUN_ID = input.runId;
+    if (input.traceId)
+        out.AIDEN_TRACE_ID = input.traceId;
+    if (input.parentSpanId)
+        out.AIDEN_PARENT_SPAN_ID = input.parentSpanId;
+    return out;
+}
+function clip(s, cap) {
+    return s.length <= cap ? s : s.slice(0, cap) + `…(${s.length - cap} bytes elided)`;
+}
+/** SHA-256 hex of a UTF-8 string. */
+function sha256(s) {
+    return (0, node_crypto_1.createHash)('sha256').update(s, 'utf8').digest('hex');
+}
+/**
+ * Execute one hook invocation. Resolves with a structured outcome —
+ * never throws. The dispatcher branches on `status` to apply the
+ * subscription's `on_error` / `on_timeout` policy.
+ */
+function runHookSubprocess(input) {
+    return new Promise((resolve) => {
+        const stdinJson = JSON.stringify(input.payload);
+        const started = Date.now();
+        const payloadHash = sha256(stdinJson);
+        let stdout = '';
+        let stderr = '';
+        let timedOut = false;
+        const child = (0, node_child_process_1.spawn)(input.argv[0], input.argv.slice(1), {
+            cwd: input.cwd,
+            env: buildChildEnv(input),
+            shell: false,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const timer = setTimeout(() => {
+            timedOut = true;
+            try {
+                child.kill('SIGKILL');
+            }
+            catch { /* noop */ }
+        }, input.timeoutMs);
+        if (typeof timer.unref === 'function')
+            timer.unref();
+        child.stdout?.on('data', (b) => {
+            if (stdout.length < STDOUT_CAP)
+                stdout += b.toString('utf8');
+        });
+        child.stderr?.on('data', (b) => {
+            if (stderr.length < STDERR_CAP)
+                stderr += b.toString('utf8');
+        });
+        child.on('error', (e) => {
+            clearTimeout(timer);
+            resolve({
+                status: 'crash',
+                exitCode: null,
+                stdoutPreview: clip(stdout, STDOUT_CAP),
+                stderrPreview: clip(stderr, STDERR_CAP),
+                elapsedMs: Date.now() - started,
+                payloadHash,
+                errorKind: 'SpawnError',
+                errorMessage: e.message,
+            });
+        });
+        child.on('exit', (code) => {
+            clearTimeout(timer);
+            const elapsed = Date.now() - started;
+            if (timedOut) {
+                resolve({
+                    status: 'timeout', exitCode: code, elapsedMs: elapsed, payloadHash,
+                    stdoutPreview: clip(stdout, STDOUT_CAP),
+                    stderrPreview: clip(stderr, STDERR_CAP),
+                    errorKind: 'HookTimeout', errorMessage: `exceeded ${input.timeoutMs}ms`,
+                });
+                return;
+            }
+            if (code !== 0) {
+                resolve({
+                    status: 'crash', exitCode: code, elapsedMs: elapsed, payloadHash,
+                    stdoutPreview: clip(stdout, STDOUT_CAP),
+                    stderrPreview: clip(stderr, STDERR_CAP),
+                    errorKind: 'NonZeroExit', errorMessage: `exit code ${code}`,
+                });
+                return;
+            }
+            // exit 0 — parse stdout as JSON.
+            const trimmed = stdout.trim();
+            if (trimmed.length === 0) {
+                // Empty stdout treated as `{}` — "no opinion".
+                resolve({
+                    status: 'ok', exitCode: code, elapsedMs: elapsed, payloadHash,
+                    response: { decision: 'none' },
+                    stdoutPreview: '', stderrPreview: clip(stderr, STDERR_CAP),
+                    responseHash: sha256(''),
+                });
+                return;
+            }
+            try {
+                const parsed = JSON.parse(trimmed);
+                resolve({
+                    status: 'ok', exitCode: code, elapsedMs: elapsed, payloadHash,
+                    response: parsed ?? { decision: 'none' },
+                    stdoutPreview: clip(stdout, STDOUT_CAP),
+                    stderrPreview: clip(stderr, STDERR_CAP),
+                    responseHash: sha256(trimmed),
+                });
+            }
+            catch (e) {
+                resolve({
+                    status: 'malformed_output', exitCode: code, elapsedMs: elapsed, payloadHash,
+                    stdoutPreview: clip(stdout, STDOUT_CAP),
+                    stderrPreview: clip(stderr, STDERR_CAP),
+                    errorKind: 'JSONParseError',
+                    errorMessage: e instanceof Error ? e.message : String(e),
+                });
+            }
+        });
+        // Write payload then close stdin.
+        try {
+            child.stdin?.write(stdinJson);
+            child.stdin?.end();
+        }
+        catch (e) {
+            clearTimeout(timer);
+            resolve({
+                status: 'crash', exitCode: null, elapsedMs: Date.now() - started, payloadHash,
+                stdoutPreview: '', stderrPreview: '',
+                errorKind: 'StdinError', errorMessage: e instanceof Error ? e.message : String(e),
+            });
+        }
+    });
+}

package/dist/core/v4/hooks/toolHookGate.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/hooks/toolHookGate.ts — v4.9.0 Slice 12a Phase 3.
+ *
+ * Bridge between the tool dispatcher and the hook subsystem. Wraps a
+ * tool call with:
+ *
+ *   1. `tool.call.pre` dispatch — if any `mandatory_policy` block
+ *      decision lands, the handler is NOT executed and a
+ *      `HookBlockedError` is thrown so the executor's catch path
+ *      surfaces it as a structured `ToolCallResult.error`.
+ *   2. Input transform — patches from `transform_input` hooks merge
+ *      into the args before the handler runs.
+ *   3. Handler execution — caller-supplied async fn.
+ *   4. `tool.call.post` dispatch — fires informational + output
+ *      transform hooks. `transform_output` patches the result.
+ *      A post-hook block is recorded in `hook_executions` but the
+ *      tool result still returns (the handler already side-effected;
+ *      block-after-the-fact would just hide that from the model).
+ *
+ * If `db` is null (e.g. the headless CLI mode without a daemon),
+ * runs the handler directly — no audit, no hooks. Keeps test paths
+ * that don't open a database fully working.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HookBlockedError = void 0;
+exports.runToolWithHooks = runToolWithHooks;
+const dispatcher_1 = require("./dispatcher");
+/**
+ * Thrown when a `mandatory_policy` hook blocks `tool.call.pre`.
+ * The tool dispatcher's outer catch maps this to a structured
+ * `ToolCallResult.error` so the model sees the rejection.
+ */
+class HookBlockedError extends Error {
+    constructor(reason, userMessage, modelMessage) {
+        super(reason);
+        this.name = 'HookBlocked';
+        this.userMessage = userMessage;
+        this.modelMessage = modelMessage;
+    }
+}
+exports.HookBlockedError = HookBlockedError;
+/**
+ * Wrap a tool handler call with pre/post hook dispatch. Returns
+ * the (possibly transformed) handler result. Throws `HookBlockedError`
+ * if a pre-hook with `mandatory_policy` decides block.
+ */
+async function runToolWithHooks(opts, runHandler) {
+    if (!opts.db) {
+        // No daemon DB → no hook subsystem. Pass-through.
+        return runHandler(opts.args);
+    }
+    const baseCtx = { ...opts.ctx, toolName: opts.toolName, toolCallId: opts.toolCallId };
+    // ── tool.call.pre ───────────────────────────────────────────────
+    const pre = await (0, dispatcher_1.dispatchHook)(opts.db, 'tool.call.pre', opts.args, baseCtx);
+    if (pre.decision === 'block') {
+        throw new HookBlockedError(pre.reason ?? 'tool call blocked by pre-hook', pre.user_message, pre.model_message);
+    }
+    const finalArgs = pre.payload;
+    // ── handler ─────────────────────────────────────────────────────
+    const result = await runHandler(finalArgs);
+    // ── tool.call.post ──────────────────────────────────────────────
+    // Wrap the output in a stable envelope so transform_output hooks
+    // have a known field name to patch. We discard the post-hook's
+    // block decision (the handler already ran — see file header).
+    const postPayload = { input: finalArgs, output: result };
+    const post = await (0, dispatcher_1.dispatchHook)(opts.db, 'tool.call.post', postPayload, baseCtx);
+    const patched = post.payload;
+    return ('output' in patched) ? patched.output : result;
+}

package/dist/core/v4/hooks/trust.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.markTrusted = markTrusted;
+exports.markRevoked = markRevoked;
+exports.markUntrusted = markUntrusted;
+function markTrusted(db, hookId) {
+    db.prepare(`UPDATE hooks SET trust_state='trusted', enabled=1, updated_at=? WHERE hook_id = ?`).run(new Date().toISOString(), hookId);
+}
+function markRevoked(db, hookId) {
+    db.prepare(`UPDATE hooks SET trust_state='revoked', enabled=0, updated_at=? WHERE hook_id = ?`).run(new Date().toISOString(), hookId);
+}
+function markUntrusted(db, hookId) {
+    db.prepare(`UPDATE hooks SET trust_state='untrusted', enabled=0, updated_at=? WHERE hook_id = ?`).run(new Date().toISOString(), hookId);
+}

package/dist/core/v4/identity/contextManager.js

@@ -0,0 +1,83 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/identity/contextManager.ts — v4.9.0 Slice 4.
+ *
+ * Thin wrapper over `node:async_hooks`' `AsyncLocalStorage` exposing
+ * three primitives:
+ *
+ *   - `runWithContext(ctx, fn)` — entry point; installs the context
+ *     for the duration of `fn` (and every awaited continuation it
+ *     spawns). Returns whatever `fn` returns. Synchronous closures
+ *     and async functions both work.
+ *
+ *   - `currentContext()` — returns the ambient context or `undefined`
+ *     when called outside any `runWithContext` frame. Cheap; safe to
+ *     call from anywhere (logger sinks, tool handlers, hooks).
+ *
+ *   - `requireContext(kind?)` — same as `currentContext()` but throws
+ *     when no context is active. Use this at boundaries that should
+ *     never run un-contexted (e.g. inside a tool handler that depends
+ *     on the runId for idempotency). The optional `kind` hint goes
+ *     into the error message for easier debugging.
+ *
+ * Slice 4 only INSTALLS the storage + primitives. It does NOT wrap
+ * existing call sites — that's later-slice work. The logger picks up
+ * `currentContext()` automatically; if you don't enter a
+ * `runWithContext` frame, you get the pre-Slice-4 log shape exactly.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runWithContext = runWithContext;
+exports.currentContext = currentContext;
+exports.requireContext = requireContext;
+const node_async_hooks_1 = require("node:async_hooks");
+const als = new node_async_hooks_1.AsyncLocalStorage();
+/**
+ * Install `ctx` as the ambient context for the synchronous and async
+ * lifetime of `fn`. Any code reached via `await` within `fn` (or via
+ * timer callbacks scheduled from inside `fn`) sees the same context.
+ *
+ * The store unwinds when `fn` completes (or throws). Use a sibling
+ * `runWithContext` call to switch contexts; `als.enterWith(...)` is
+ * deliberately NOT exposed — it leaks across boundaries and we want
+ * the scoping discipline.
+ */
+function runWithContext(ctx, fn) {
+    return als.run(ctx, fn);
+}
+/**
+ * Read the ambient context. Returns `undefined` outside a
+ * `runWithContext` frame.
+ *
+ * Never throws — by the project rule "no log formatter throws because
+ * context is missing", callers in the logging path consume the
+ * undefined and degrade gracefully.
+ */
+function currentContext() {
+    return als.getStore();
+}
+/**
+ * Read the ambient context, throwing when none is active. Use this in
+ * code paths that depend on having an id (e.g. tool dispatch for
+ * idempotency, hook firing). The `kind` argument is purely diagnostic;
+ * it shows up in the error message so you can tell which call site
+ * was un-contexted.
+ *
+ * Slice 4 does NOT add `requireContext()` to any existing call site;
+ * the function is here for future slices to opt in. The additive-only
+ * constraint is intentional — Slice 4 must not break existing call
+ * sites that have no ambient context.
+ */
+function requireContext(kind) {
+    const ctx = als.getStore();
+    if (!ctx) {
+        const where = kind ? ` (required by: ${kind})` : '';
+        throw new Error(`requireContext: no ambient ExecutionContext${where}`);
+    }
+    return ctx;
+}

package/dist/core/v4/identity/daemonId.js

@@ -0,0 +1,85 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/identity/daemonId.ts — v4.9.0 Slice 4.
+ *
+ * The `daemonId` is the *persistent* identity of an Aiden install. It
+ * survives daemon restarts, schema migrations, and crashes — only a
+ * hard reset (deleting the file) gives a new identity. Each daemon
+ * process gets a fresh `incarnationId` per boot; the pair (daemon,
+ * incarnation) is what callers correlate against.
+ *
+ * Storage: a single-line file at `<aidenRoot>/daemon/daemon_id`. The
+ * file's content is exactly the ID string (e.g. `dmn_<32-hex>\n`).
+ *
+ * Atomic write semantics: tmp + rename. SQLite-style — if the rename
+ * crashes mid-flight the prior file is untouched. We don't fsync the
+ * containing directory (Windows doesn't support directory fsync via
+ * Node, and our acceptable failure mode is "one boot might generate a
+ * new id"; the next boot picks up the persisted one).
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.daemonIdFilePath = daemonIdFilePath;
+exports.loadOrCreateDaemonId = loadOrCreateDaemonId;
+const node_fs_1 = require("node:fs");
+const node_path_1 = __importDefault(require("node:path"));
+const ids_1 = require("./ids");
+/** Filesystem path the daemon id lives at, given an aiden root. */
+function daemonIdFilePath(aidenRoot) {
+    return node_path_1.default.join(aidenRoot, 'daemon', 'daemon_id');
+}
+/**
+ * Read the persisted daemon id, or generate + write a fresh one on
+ * first boot. Returns the canonical `dmn_<hex>` string.
+ *
+ * Defensive: if the file exists but is unparseable (corrupted /
+ * truncated), we treat it as missing and write a new one. The old
+ * content is saved to `daemon_id.broken-<ts>` for postmortem.
+ */
+function loadOrCreateDaemonId(aidenRoot) {
+    const filePath = daemonIdFilePath(aidenRoot);
+    const dir = node_path_1.default.dirname(filePath);
+    if ((0, node_fs_1.existsSync)(filePath)) {
+        try {
+            const raw = (0, node_fs_1.readFileSync)(filePath, 'utf8').trim();
+            const parsed = (0, ids_1.parseId)(raw);
+            if (parsed && parsed.prefix === 'dmn') {
+                return raw;
+            }
+            // Corrupted — quarantine + fall through to regenerate.
+            try {
+                (0, node_fs_1.renameSync)(filePath, `${filePath}.broken-${Date.now()}`);
+            }
+            catch { /* best effort */ }
+        }
+        catch {
+            /* permission / IO — fall through to regenerate */
+        }
+    }
+    // Generate + persist atomically.
+    if (!(0, node_fs_1.existsSync)(dir))
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+    const id = (0, ids_1.newDaemonId)();
+    const tmp = `${filePath}.tmp-${process.pid}`;
+    (0, node_fs_1.writeFileSync)(tmp, `${id}\n`, { encoding: 'utf8', mode: 0o600 });
+    try {
+        const fd = (0, node_fs_1.openSync)(tmp, 'r+');
+        try {
+            (0, node_fs_1.fsyncSync)(fd);
+        }
+        finally {
+            (0, node_fs_1.closeSync)(fd);
+        }
+    }
+    catch { /* fsync best-effort */ }
+    (0, node_fs_1.renameSync)(tmp, filePath);
+    return id;
+}

package/dist/core/v4/identity/enforcement.js

@@ -0,0 +1,103 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/identity/enforcement.ts — v4.9.0 Slice 8.
+ *
+ * Wires the "context missing" event from Slices 6 + 7 into an
+ * observable + tunable layer. Default mode is `'warn'` — every
+ * fall-through path that today silently no-ops now logs a single
+ * warning per kind (deduplicated by a small in-process cooldown) and
+ * increments a telemetry counter. `'strict'` mode throws so a dev
+ * shaking down a new code path can find missing `runWithContext`
+ * frames; `'silent'` mode is the production knob for callers that
+ * legitimately operate outside the daemon (CLI one-shots, scripts).
+ *
+ * Read from env at module load:
+ *   AIDEN_CONTEXT_ENFORCEMENT             — default 'warn'
+ *   AIDEN_CONTEXT_ENFORCEMENT_TOOL        — per-kind override
+ *   AIDEN_CONTEXT_ENFORCEMENT_LLM
+ *   AIDEN_CONTEXT_ENFORCEMENT_HTTP_OUTBOUND
+ *   AIDEN_CONTEXT_ENFORCEMENT_SUBPROCESS
+ *   AIDEN_CONTEXT_ENFORCEMENT_MEMORY_WRITE
+ *   AIDEN_CONTEXT_ENFORCEMENT_HOOK
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ContextMissingError = void 0;
+exports.getEnforcementMode = getEnforcementMode;
+exports.getContextMissingCounter = getContextMissingCounter;
+exports.getAllContextMissingCounters = getAllContextMissingCounters;
+exports._resetContextMissingCountersForTests = _resetContextMissingCountersForTests;
+exports.reportMissingContext = reportMissingContext;
+const VALID = new Set(['strict', 'warn', 'silent']);
+function readMode(envVal, fallback) {
+    if (!envVal)
+        return fallback;
+    const v = envVal.toLowerCase();
+    return VALID.has(v) ? v : fallback;
+}
+function kindEnvKey(kind) {
+    return `AIDEN_CONTEXT_ENFORCEMENT_${kind.toUpperCase()}`;
+}
+/** Resolve the effective mode for a kind. Re-reads env per call so test envs work. */
+function getEnforcementMode(kind) {
+    const global = readMode(process.env.AIDEN_CONTEXT_ENFORCEMENT, 'warn');
+    return readMode(process.env[kindEnvKey(kind)], global);
+}
+/**
+ * Telemetry counter `context_missing_total{kind}` — incremented on
+ * every report regardless of mode. Exposed via the daemon's
+ * `/metrics` endpoint (Slice 3 + the existing telemetry surface).
+ */
+const _counters = Object.create(null);
+function getContextMissingCounter(kind) {
+    return _counters[kind] ?? 0;
+}
+function getAllContextMissingCounters() {
+    return { ..._counters };
+}
+function _resetContextMissingCountersForTests() {
+    for (const k of Object.keys(_counters))
+        delete _counters[k];
+}
+/** Warn-mode dedup so a tight loop with no context doesn't spam. */
+const _lastWarnAt = Object.create(null);
+const WARN_DEDUP_MS = 30000;
+class ContextMissingError extends Error {
+    constructor(kind, hint) {
+        super(`[context-enforcement] ${kind}: no ambient ExecutionContext` + (hint ? ` (${hint})` : ''));
+        this.name = 'ContextMissingError';
+        this.kind = kind;
+    }
+}
+exports.ContextMissingError = ContextMissingError;
+/**
+ * Record a "context missing" event. Behaviour per resolved mode:
+ *   'strict' — throws ContextMissingError
+ *   'warn'   — increments counter; logs via sinks.warn (dedup'd)
+ *   'silent' — increments counter only
+ */
+function reportMissingContext(kind, hint, sinks = {}) {
+    _counters[kind] = (_counters[kind] ?? 0) + 1;
+    const mode = getEnforcementMode(kind);
+    if (mode === 'strict') {
+        throw new ContextMissingError(kind, hint);
+    }
+    if (mode === 'warn') {
+        const now = Date.now();
+        if ((now - (_lastWarnAt[kind] ?? 0)) > WARN_DEDUP_MS) {
+            _lastWarnAt[kind] = now;
+            if (sinks.warn) {
+                try {
+                    sinks.warn(`[context-enforcement] ${kind} missing context` + (hint ? ` (${hint})` : ''));
+                }
+                catch { /* noop */ }
+            }
+        }
+    }
+    // silent: counter only.
+}