bare-agent 0.4.3 → 0.6.2

package/README.md

@@ -60,7 +60,7 @@ Every piece works alone — take what you need, ignore the rest.
 
 | Component | What it does |
 |---|---|
-| **Loop** | Think → act → observe → repeat. Calls any LLM, executes your tools, loops until done. Throws on error by default. Returns estimated USD cost per run |
+| **Loop** | Think → act → observe → repeat. Calls any LLM, executes your tools, loops until done. Throws on error by default. Returns estimated USD cost per run. Loop-level `policy` + `audit` gate every tool call (native, MCP, browsing, mobile, user-defined) through one hook, JSONL audit to disk |
 | **Planner** | Break a goal into a step DAG via LLM. Built-in caching (`cacheTTL`) |
 | **runPlan** | Execute steps in parallel waves. Dependency-aware, failure propagation, per-step retry |
 | **Retry** | Exponential/linear backoff with jitter. Respects `err.retryable` |
@@ -74,6 +74,8 @@ Every piece works alone — take what you need, ignore the rest.
 | **Errors** | Typed hierarchy — `ProviderError`, `ToolError`, `TimeoutError`, `MaxRoundsError`, `CircuitOpenError` |
 | **Browsing** | Web navigation, clicking, typing, reading via `barebrowse` (17 tools). Two modes: library tools (inline snapshots, pass to Loop) or CLI session (disk-based snapshots, token-efficient for multi-step flows). Optional `assess` tool (privacy scan) when `wearehere` is installed |
 | **Mobile** | Android + iOS device control via `baremobile`. Same two modes: library tools (`createMobileTools` — action tools auto-return snapshots) or CLI session (`baremobile` CLI — disk-based snapshots) |
+| **Shell** | Cross-platform `shell_read`, `shell_grep`, `shell_run` (argv, no shell), `shell_exec` (raw shell). Pure Node — no `grep`/`rg`/`findstr` dependency. Injection-proof `shell_run` for policy-gated use |
+| **MCP Bridge** | Auto-discover MCP servers from IDE configs (Claude Code, Cursor, etc.), expose as bareagent tools. Static allow/deny via `.mcp-bridge.json`, `systemContext` for LLM awareness. Runtime policy lives in `Loop({ policy })` — one hook for MCP + native tools alike. Zero deps |
 
 **Providers:** OpenAI-compatible (OpenAI, OpenRouter, Groq, vLLM, LM Studio), Anthropic, Ollama, CLIPipe (any CLI tool via stdin/stdout with real-time streaming), Fallback, or bring your own (one method: `generate`). All return the same shape — swap freely.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bare-agent",
-  "version": "0.4.3",
+  "version": "0.6.2",
   "files": [
     "index.js",
     "src/",
@@ -23,7 +23,8 @@
     "./providers": "./src/providers.js",
     "./stores": "./src/stores.js",
     "./transports": "./src/transports.js",
-    "./tools": "./src/tools.js"
+    "./tools": "./src/tools.js",
+    "./mcp": "./src/mcp.js"
   },
   "engines": {
     "node": ">=18"

package/src/loop.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const fs = require('node:fs');
 const { ToolError, MaxRoundsError } = require('./errors');
 
 // Average pricing per 1K tokens (USD). Adjust these to match your provider's rates.
@@ -39,6 +40,8 @@ class Loop {
    * @param {object} [options.retry] - Retry instance for backoff on failures.
    * @param {object} [options.stream] - Stream instance for event emission.
    * @param {object} [options.store] - Store instance for validate() health check.
+   * @param {Function} [options.policy] - Async (toolName, args) => true|false|string. Deny returns the string (or a generic message) to the LLM as tool result.
+   * @param {string} [options.audit] - File path for JSONL audit log. Each tool call appends one line: {ts, tool, args, decision, result|reason|error, durationMs}.
    * @throws {Error} `[Loop] requires a provider` — when options.provider is missing.
    */
   constructor(options = {}) {
@@ -54,8 +57,38 @@ class Loop {
     this.onError = options.onError || null;
     this.throwOnError = options.throwOnError !== undefined ? options.throwOnError : true;
     this.store = options.store || null;
+    if (options.policy != null && typeof options.policy !== 'function') {
+      throw new Error('[Loop] options.policy must be a function (toolName, args) => true | false | string');
+    }
+    this.policy = options.policy || null;
+    this.audit = options.audit || null;
     this._stopped = false;
     this._history = []; // for chat() stateful mode
+    this._auditInFlight = new Set();
+  }
+
+  // Append one JSONL record. Returns nothing (fire-and-forget for callers)
+  // but tracks the in-flight promise so `flush()` and the end of `run()` can await it.
+  _writeAudit(record) {
+    if (!this.audit) return;
+    let line;
+    try {
+      line = JSON.stringify(record) + '\n';
+    } catch (err) {
+      console.warn(`[Loop] audit serialize failed: ${err.message}`);
+      return;
+    }
+    const p = fs.promises.appendFile(this.audit, line)
+      .catch(err => console.warn(`[Loop] audit write failed: ${err.message}`))
+      .finally(() => this._auditInFlight.delete(p));
+    this._auditInFlight.add(p);
+  }
+
+  // Await any in-flight audit writes. Safe to call multiple times; resolves immediately
+  // when no writes are pending. Called automatically at the end of each `run()`.
+  async flush() {
+    if (this._auditInFlight.size === 0) return;
+    await Promise.all([...this._auditInFlight]);
   }
 
   /**
@@ -107,6 +140,7 @@ class Loop {
       } catch (err) {
         this.stream?.emit({ type: 'loop:error', data: { error: err.message, round } });
         this.onError?.(err);
+        await this.flush();
         if (this.throwOnError) throw err;
         return { text: '', toolCalls: [], usage: lastUsage, cost: totalCost, error: err.message };
       }
@@ -120,6 +154,7 @@ class Loop {
       if (!result.toolCalls || result.toolCalls.length === 0) {
         this.stream?.emit({ type: 'loop:text', data: { text: result.text } });
         this.onText?.(result.text);
+        await this.flush();
         this.stream?.emit({ type: 'loop:done', data: { text: result.text, usage: lastUsage, cost: totalCost } });
         return { text: result.text, toolCalls: [], usage: lastUsage, cost: totalCost, error: null };
       }
@@ -163,23 +198,68 @@ class Loop {
         this.stream?.emit({ type: 'loop:tool_call', data: { tool: tc.name, args: tc.arguments } });
         this.onToolCall?.(tc.name, tc.arguments);
 
+        // Policy check — runs before execute. Fail-safe: only verdict === true allows;
+        // anything else (false, string, undefined, object, throw) denies. A string verdict
+        // is used verbatim as the deny reason.
+        if (this.policy) {
+          let verdict;
+          try {
+            verdict = await this.policy(tc.name, tc.arguments);
+          } catch (err) {
+            verdict = `[Loop] policy error: ${err.message}`;
+          }
+          if (verdict !== true) {
+            const reason = typeof verdict === 'string'
+              ? verdict
+              : `[Loop] Tool "${tc.name}" denied by policy`;
+            msgs.push({ role: 'tool', tool_call_id: tc.id, content: reason });
+            this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, denied: true, reason } });
+            this._writeAudit({
+              ts: new Date().toISOString(),
+              tool: tc.name,
+              args: tc.arguments,
+              decision: 'deny',
+              reason,
+            });
+            continue;
+          }
+        }
+
+        const startedAt = Date.now();
         try {
           const execute = () => tool.execute(tc.arguments);
           const toolResult = this.retry ? await this.retry.call(execute) : await execute();
           const content = typeof toolResult === 'string' ? toolResult : JSON.stringify(toolResult);
           msgs.push({ role: 'tool', tool_call_id: tc.id, content });
           this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, result: content } });
+          this._writeAudit({
+            ts: new Date().toISOString(),
+            tool: tc.name,
+            args: tc.arguments,
+            decision: 'allow',
+            result: content,
+            durationMs: Date.now() - startedAt,
+          });
         } catch (err) {
           const toolErr = err instanceof ToolError ? err : new ToolError(err.message, { context: { tool: tc.name } });
           const errMsg = `[Loop] Tool error: ${toolErr.message}`;
           msgs.push({ role: 'tool', tool_call_id: tc.id, content: errMsg });
           this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, error: errMsg } });
+          this._writeAudit({
+            ts: new Date().toISOString(),
+            tool: tc.name,
+            args: tc.arguments,
+            decision: 'allow',
+            error: toolErr.message,
+            durationMs: Date.now() - startedAt,
+          });
         }
       }
     }
 
     // maxRounds exceeded
     const warning = `[Loop] ended after ${this.maxRounds} rounds without final response`;
+    await this.flush();
     this.stream?.emit({ type: 'loop:done', data: { text: '', warning, cost: totalCost } });
     if (this.throwOnError) throw new MaxRoundsError(warning);
     return { text: '', toolCalls: [], usage: lastUsage, cost: totalCost, error: warning };

package/src/mcp-bridge.js

@@ -0,0 +1,450 @@
+'use strict';
+
+const { spawn } = require('node:child_process');
+const { readFileSync, writeFileSync, existsSync } = require('node:fs');
+const { join } = require('node:path');
+const { homedir } = require('node:os');
+const { ToolError } = require('./errors');
+
+// --- Config discovery (from IDE configs) ---
+
+const DEFAULT_CONFIG_PATHS = [
+  () => join(process.cwd(), '.mcp.json'),                              // project
+  () => join(homedir(), '.mcp.json'),                                  // home
+  () => join(homedir(), '.claude', 'mcp_servers.json'),                // Claude Code
+  () => join(homedir(), '.config', 'Claude', 'claude_desktop_config.json'), // Claude Desktop
+  () => join(homedir(), '.cursor', 'mcp.json'),                        // Cursor
+];
+
+function discoverServers(configPaths) {
+  const paths = configPaths || DEFAULT_CONFIG_PATHS.map(fn => fn());
+  const servers = new Map();
+
+  for (const p of paths) {
+    let raw;
+    try { raw = readFileSync(p, 'utf8'); } catch { continue; }
+    let parsed;
+    try { parsed = JSON.parse(raw); } catch { continue; }
+
+    const entries = parsed.mcpServers || {};
+    for (const [name, def] of Object.entries(entries)) {
+      if (!servers.has(name)) servers.set(name, def);
+    }
+  }
+
+  return servers;
+}
+
+// --- Bridge config file (.mcp-bridge.json) ---
+
+const DEFAULT_BRIDGE_PATH = () => join(process.cwd(), '.mcp-bridge.json');
+const DEFAULT_TTL = '24h';
+
+function parseTTL(ttl) {
+  const match = (ttl || DEFAULT_TTL).match(/^(\d+)(s|m|h|d)$/);
+  if (!match) return 24 * 60 * 60 * 1000;
+  const n = parseInt(match[1]);
+  const unit = { s: 1000, m: 60000, h: 3600000, d: 86400000 }[match[2]];
+  return n * unit;
+}
+
+function readBridgeConfig(filePath) {
+  try {
+    return JSON.parse(readFileSync(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeBridgeConfig(filePath, config) {
+  writeFileSync(filePath, JSON.stringify(config, null, 2) + '\n');
+}
+
+function isExpired(config) {
+  if (!config || !config.discovered) return true;
+  const ttlMs = parseTTL(config.ttl);
+  return Date.now() - new Date(config.discovered).getTime() > ttlMs;
+}
+
+/**
+ * Merge fresh discovery into existing config.
+ * - New servers: added with all tools "allow"
+ * - Removed servers: removed from config
+ * - New tools on existing server: added as "allow"
+ * - Removed tools on existing server: removed from config
+ * - Existing tools: user's allow/deny preserved
+ */
+function mergeBridgeConfig(existing, discovered, freshTools) {
+  const merged = {
+    discovered: new Date().toISOString(),
+    ttl: existing?.ttl || DEFAULT_TTL,
+    servers: {},
+  };
+
+  for (const [name, def] of discovered) {
+    const serverTools = freshTools.get(name) || [];
+    const existingServer = existing?.servers?.[name];
+    const existingTools = existingServer?.tools || {};
+
+    const tools = {};
+    for (const t of serverTools) {
+      tools[t.name] = existingTools[t.name] || 'allow';
+    }
+
+    merged.servers[name] = {
+      command: def.command,
+      args: def.args || [],
+      ...(def.env && { env: def.env }),
+      ...(def.cwd && { cwd: def.cwd }),
+      tools,
+    };
+  }
+
+  return merged;
+}
+
+// --- Env resolution ---
+
+function resolveEnv(env) {
+  if (!env) return {};
+  const resolved = {};
+  for (const [k, v] of Object.entries(env)) {
+    resolved[k] = typeof v === 'string'
+      ? v.replace(/\$\{(\w+)\}/g, (_, name) => process.env[name] || '')
+      : v;
+  }
+  return resolved;
+}
+
+// --- JSON-RPC stdio client ---
+
+function createRpcClient(name, def) {
+  const { command, args = [], env, cwd } = def;
+  const mergedEnv = { ...process.env, ...resolveEnv(env) };
+
+  const child = spawn(command, args, {
+    stdio: ['pipe', 'pipe', 'pipe'],
+    env: mergedEnv,
+    ...(cwd && { cwd }),
+  });
+
+  const pending = new Map();
+  let nextId = 1;
+  let buffer = '';
+
+  child.stdout.setEncoding('utf8');
+  child.stdout.on('data', (chunk) => {
+    buffer += chunk;
+    let idx;
+    while ((idx = buffer.indexOf('\n')) !== -1) {
+      const line = buffer.slice(0, idx).trim();
+      buffer = buffer.slice(idx + 1);
+      if (!line) continue;
+      let msg;
+      try { msg = JSON.parse(line); } catch { continue; }
+      if (!msg.id) continue;
+      const p = pending.get(msg.id);
+      if (!p) continue;
+      pending.delete(msg.id);
+      if (msg.error) {
+        p.reject(new ToolError(`MCP server "${name}": ${msg.error.message}`, {
+          context: { code: msg.error.code },
+        }));
+      } else {
+        p.resolve(msg.result);
+      }
+    }
+  });
+
+  let stderrBuf = '';
+  child.stderr?.setEncoding('utf8');
+  child.stderr?.on('data', (chunk) => { stderrBuf += chunk; });
+
+  child.on('close', (code) => {
+    for (const [id, { reject }] of pending) {
+      reject(new ToolError(`MCP server "${name}" exited (code ${code}). stderr: ${stderrBuf.slice(-500)}`));
+    }
+    pending.clear();
+  });
+
+  function rpc(method, params = {}) {
+    const id = nextId++;
+    return new Promise((resolve, reject) => {
+      pending.set(id, { resolve, reject });
+      const msg = JSON.stringify({ jsonrpc: '2.0', id, method, params }) + '\n';
+      child.stdin.write(msg);
+    });
+  }
+
+  function notify(method, params = {}) {
+    const msg = JSON.stringify({ jsonrpc: '2.0', method, params }) + '\n';
+    child.stdin.write(msg);
+  }
+
+  return { rpc, notify, child, get stderr() { return stderrBuf; } };
+}
+
+// --- Content unwrapping ---
+
+function unwrapContent(content) {
+  if (!Array.isArray(content) || content.length === 0) return '';
+  if (content.length === 1 && content[0].type === 'text') return content[0].text;
+  return content;
+}
+
+// --- Tool wrapping ---
+
+// Runtime arg-dependent policy has moved to Loop-level (new Loop({ policy })).
+// mcp-bridge retains only the static .mcp-bridge.json allow/deny filter below —
+// that decides which tools are exposed to the Loop in the first place.
+function wrapTools(serverName, mcpTools, rpc) {
+  return mcpTools.map(t => ({
+    name: `${serverName}_${t.name}`,
+    description: t.description || '',
+    parameters: t.inputSchema || { type: 'object', properties: {} },
+    execute: async (args) => {
+      const result = await rpc('tools/call', { name: t.name, arguments: args });
+      if (result.isError) {
+        throw new ToolError(unwrapContent(result.content) || 'MCP tool error', {
+          context: { server: serverName, tool: t.name },
+        });
+      }
+      return unwrapContent(result.content);
+    },
+  }));
+}
+
+// --- Server lifecycle ---
+
+async function killServer(child) {
+  if (child.exitCode !== null) return;
+
+  child.stdin?.destroy();
+  child.stdout?.destroy();
+  child.stderr?.destroy();
+
+  await new Promise(resolve => {
+    const onClose = () => resolve();
+    child.once('close', onClose);
+    setTimeout(() => {
+      child.removeListener('close', onClose);
+      resolve();
+    }, 700);
+  });
+
+  if (child.exitCode === null) {
+    child.kill('SIGTERM');
+    await new Promise(resolve => {
+      const onClose = () => resolve();
+      child.once('close', onClose);
+      setTimeout(() => {
+        child.removeListener('close', onClose);
+        resolve();
+      }, 700);
+    });
+  }
+
+  if (child.exitCode === null) {
+    child.kill('SIGKILL');
+  }
+
+  child.unref();
+}
+
+// --- Connect + list tools from a server ---
+
+async function connectAndListTools(name, def, timeout = 15000) {
+  const client = createRpcClient(name, def);
+
+  const init = client.rpc('initialize', {
+    protocolVersion: '2024-11-05',
+    capabilities: {},
+    clientInfo: { name: 'bare-agent', version: '0.5.0' },
+  });
+
+  const timer = new Promise((_, reject) =>
+    setTimeout(() => reject(new ToolError(`MCP server "${name}" init timed out after ${timeout}ms`)), timeout)
+  );
+
+  await Promise.race([init, timer]);
+  client.notify('notifications/initialized');
+
+  const { tools: mcpTools } = await client.rpc('tools/list');
+
+  return { mcpTools, client };
+}
+
+// --- System context for LLM ---
+
+function buildSystemContext(servers, tools, denied) {
+  const lines = [];
+  lines.push(`MCP Bridge: ${tools.length} tools available from ${servers.length} server(s): ${servers.join(', ')}.`);
+
+  const byServer = {};
+  for (const t of tools) {
+    const parts = t.name.split('_');
+    const server = parts[0];
+    (byServer[server] = byServer[server] || []).push(t.name.replace(`${server}_`, ''));
+  }
+  for (const [server, toolNames] of Object.entries(byServer)) {
+    lines.push(`  ${server}: ${toolNames.join(', ')}`);
+  }
+
+  if (denied.length > 0) {
+    lines.push(`Restricted tools (${denied.length}, not available to you):`);
+    for (const d of denied) {
+      lines.push(`  - ${d.server}_${d.tool}: ${d.description.slice(0, 80)} [denied]`);
+    }
+    lines.push('If you need a restricted tool, explain what you need and why to the user.');
+  }
+
+  const governance = denied.length > 0 ? 'filtered' : 'open (all tools exposed)';
+  lines.push(`Governance: ${governance}.`);
+
+  if (denied.length === 0) {
+    lines.push('To restrict tools, edit .mcp-bridge.json and set tools to "deny".');
+  }
+
+  return lines.join('\n');
+}
+
+// --- Main entry point ---
+
+/**
+ * Create an MCP bridge. On first run, discovers MCP servers from IDE configs,
+ * connects, lists tools, and writes .mcp-bridge.json with all tools set to "allow".
+ * On subsequent runs, reads .mcp-bridge.json and respects allow/deny per tool.
+ * Re-discovers when TTL expires (default: 24h).
+ *
+ * @param {object} [opts]
+ * @param {string} [opts.bridgePath] - Path to .mcp-bridge.json. Default: .mcp-bridge.json in cwd.
+ * @param {string[]} [opts.configPaths] - IDE config paths for discovery.
+ * @param {string[]} [opts.servers] - Limit to these server names.
+ * @param {number} [opts.timeout=15000] - Per-server init timeout in ms.
+ * @param {boolean} [opts.refresh=false] - Force re-discovery regardless of TTL.
+ * @returns {Promise<{tools: Array, servers: string[], systemContext: string, denied: Array, close: Function}>}
+ */
+async function createMCPBridge(opts = {}) {
+  if ('policy' in opts) {
+    throw new Error(
+      '[MCP Bridge] The `policy` option was removed in v0.6.0. Runtime arg-dependent policy is now Loop-level: ' +
+      'pass `policy` to `new Loop({ policy })` instead — it gates MCP tools identically to native tools. ' +
+      'The static allow/deny filter in .mcp-bridge.json is unchanged.'
+    );
+  }
+  const bridgePath = opts.bridgePath || DEFAULT_BRIDGE_PATH();
+  const timeout = opts.timeout || 15000;
+
+  let config = readBridgeConfig(bridgePath);
+  const needsRefresh = opts.refresh || !config || isExpired(config);
+
+  if (needsRefresh) {
+    // Discover from IDE configs
+    const discovered = discoverServers(opts.configPaths);
+    if (discovered.size === 0 && !config) {
+      return { tools: [], servers: [], systemContext: '', denied: [], close: async () => {} };
+    }
+
+    // Connect to all discovered servers and list their tools
+    const freshTools = new Map();
+    const connectResults = new Map();
+    const errors = [];
+
+    const toDiscover = opts.servers
+      ? [...discovered.entries()].filter(([n]) => opts.servers.includes(n))
+      : [...discovered.entries()];
+
+    await Promise.all(toDiscover.map(async ([name, def]) => {
+      try {
+        const result = await connectAndListTools(name, def, timeout);
+        freshTools.set(name, result.mcpTools);
+        connectResults.set(name, result.client);
+      } catch (err) {
+        errors.push({ server: name, error: err.message });
+      }
+    }));
+
+    if (errors.length > 0) {
+      console.warn('[MCP Bridge] Some servers failed to connect:', errors);
+    }
+
+    // Merge with existing config (preserves user's allow/deny)
+    config = mergeBridgeConfig(config, new Map(toDiscover), freshTools);
+
+    // Write the config file
+    writeBridgeConfig(bridgePath, config);
+    console.log(`[MCP Bridge] Wrote ${bridgePath}`);
+
+    // Close the discovery connections — we'll reconnect below using the config
+    for (const client of connectResults.values()) {
+      await killServer(client.child);
+    }
+  }
+
+  // Filter to requested servers
+  const serverNames = opts.servers
+    ? opts.servers.filter(n => config.servers[n])
+    : Object.keys(config.servers);
+
+  if (serverNames.length === 0) {
+    return { tools: [], servers: [], systemContext: '', denied: [], close: async () => {} };
+  }
+
+  // Connect to servers and wrap only allowed tools
+  const tools = [];
+  const children = [];
+  const connected = [];
+  const denied = [];
+  const errors = [];
+
+  await Promise.all(serverNames.map(async (name) => {
+    const serverConf = config.servers[name];
+    const allowedToolNames = Object.entries(serverConf.tools)
+      .filter(([, perm]) => perm === 'allow')
+      .map(([t]) => t);
+    const deniedToolNames = Object.entries(serverConf.tools)
+      .filter(([, perm]) => perm !== 'allow')
+      .map(([t]) => t);
+
+    try {
+      const { mcpTools, client } = await connectAndListTools(name, serverConf, timeout);
+
+      // Only wrap tools that are allowed in config
+      const allowed = mcpTools.filter(t => allowedToolNames.includes(t.name));
+      const wrapped = wrapTools(name, allowed, client.rpc);
+
+      tools.push(...wrapped);
+      children.push(client.child);
+      connected.push(name);
+
+      // Track denied tools with descriptions from the server
+      for (const t of mcpTools) {
+        if (deniedToolNames.includes(t.name)) {
+          denied.push({ server: name, tool: t.name, description: t.description || '' });
+        }
+      }
+    } catch (err) {
+      errors.push({ server: name, error: err.message });
+    }
+  }));
+
+  if (errors.length > 0) {
+    console.warn('[MCP Bridge] Some servers failed to connect:', errors);
+  }
+
+  const systemContext = buildSystemContext(connected, tools, denied);
+  if (connected.length > 0) console.log(systemContext);
+
+  return {
+    tools,
+    servers: connected,
+    denied,
+    systemContext,
+    errors,
+    close: async () => {
+      await Promise.all(children.map(killServer));
+    },
+  };
+}
+
+module.exports = { createMCPBridge, discoverServers };

package/src/mcp.js

@@ -0,0 +1,5 @@
+'use strict';
+
+const { createMCPBridge, discoverServers } = require('./mcp-bridge');
+
+module.exports = { createMCPBridge, discoverServers };

package/src/tools.js

@@ -2,5 +2,6 @@
 
 const { createBrowsingTools } = require('../tools/browse');
 const { createMobileTools } = require('../tools/mobile');
+const { createShellTools } = require('../tools/shell');
 
-module.exports = { createBrowsingTools, createMobileTools };
+module.exports = { createBrowsingTools, createMobileTools, createShellTools };

package/tools/shell.js

@@ -0,0 +1,286 @@
+'use strict';
+
+/**
+ * Pure-Node shell tools — cross-platform (linux, macOS, Windows), no external binaries.
+ *
+ * Three primitives:
+ *   shell_read  — read a file or list a directory
+ *   shell_grep  — regex search across files (JS regex, no grep/rg/findstr)
+ *   shell_exec  — run a shell command with timeout + max buffer
+ *
+ * All three run through Loop's policy hook when wired via `new Loop({ policy })`.
+ * Library ships zero baked-in allowlist — gating is the agent author's responsibility.
+ */
+
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const { exec, execFile } = require('node:child_process');
+
+const DEFAULT_READ_MAX_BYTES = 256 * 1024;       // 256 KB
+const DEFAULT_GREP_MAX_MATCHES = 200;
+const DEFAULT_EXEC_TIMEOUT_MS = 30_000;
+const DEFAULT_EXEC_MAX_BUFFER = 1024 * 1024;     // 1 MB
+
+function expandHome(p) {
+  if (!p) return p;
+  if (p.startsWith('~/') || p === '~') {
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    return path.join(home, p.slice(1));
+  }
+  return p;
+}
+
+async function readEntry(rawPath, maxBytes) {
+  const resolved = path.resolve(expandHome(rawPath));
+  const stat = await fs.stat(resolved);
+  if (stat.isDirectory()) {
+    const entries = await fs.readdir(resolved, { withFileTypes: true });
+    const lines = entries.map(e => {
+      const kind = e.isDirectory() ? 'dir' : e.isSymbolicLink() ? 'link' : 'file';
+      return `${kind}\t${e.name}`;
+    });
+    return `dir ${resolved}\n${lines.join('\n')}`;
+  }
+  const cap = maxBytes || DEFAULT_READ_MAX_BYTES;
+  if (stat.size > cap) {
+    const fh = await fs.open(resolved, 'r');
+    try {
+      const buf = Buffer.alloc(cap);
+      await fh.read(buf, 0, cap, 0);
+      return buf.toString('utf8') + `\n\n[truncated: ${stat.size - cap} more bytes not shown]`;
+    } finally {
+      await fh.close();
+    }
+  }
+  return fs.readFile(resolved, 'utf8');
+}
+
+// Probe the first 1KB for NUL bytes to skip binary files in grep walks.
+async function isProbablyText(filePath) {
+  try {
+    const fh = await fs.open(filePath, 'r');
+    try {
+      const buf = Buffer.alloc(1024);
+      const { bytesRead } = await fh.read(buf, 0, 1024, 0);
+      for (let i = 0; i < bytesRead; i++) {
+        if (buf[i] === 0) return false;
+      }
+      return true;
+    } finally {
+      await fh.close();
+    }
+  } catch {
+    return false;
+  }
+}
+
+async function* walk(dir, recursive) {
+  let entries;
+  try {
+    entries = await fs.readdir(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (recursive) yield* walk(full, true);
+    } else if (entry.isFile()) {
+      yield full;
+    }
+  }
+}
+
+async function grepPath({ pattern, path: rawPath, recursive = true, maxMatches, flags = 'i' }) {
+  const resolved = path.resolve(expandHome(rawPath));
+  const cap = maxMatches || DEFAULT_GREP_MAX_MATCHES;
+  let re;
+  try {
+    re = new RegExp(pattern, flags);
+  } catch (err) {
+    throw new Error(`shell_grep: invalid regex — ${err.message}`);
+  }
+
+  const hits = [];
+  const stat = await fs.stat(resolved).catch(() => null);
+  if (!stat) throw new Error(`shell_grep: path not found — ${rawPath}`);
+
+  const files = [];
+  if (stat.isFile()) {
+    files.push(resolved);
+  } else if (stat.isDirectory()) {
+    for await (const f of walk(resolved, recursive)) files.push(f);
+  }
+
+  for (const file of files) {
+    if (hits.length >= cap) break;
+    if (!(await isProbablyText(file))) continue;
+    let content;
+    try {
+      content = await fs.readFile(file, 'utf8');
+    } catch {
+      continue;
+    }
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      if (hits.length >= cap) break;
+      if (re.test(lines[i])) {
+        hits.push({ file, line: i + 1, text: lines[i].slice(0, 500) });
+      }
+    }
+  }
+
+  const truncated = hits.length >= cap;
+  return { hits, truncated, fileCount: files.length };
+}
+
+function runArgv({ argv, cwd, timeout, maxBuffer, env }) {
+  if (!Array.isArray(argv) || argv.length === 0 || typeof argv[0] !== 'string') {
+    return Promise.reject(new Error('shell_run: argv must be a non-empty array of strings, starting with the command'));
+  }
+  const [file, ...args] = argv;
+  return new Promise((resolve) => {
+    execFile(
+      file,
+      args,
+      {
+        cwd: cwd ? expandHome(cwd) : undefined,
+        timeout: timeout || DEFAULT_EXEC_TIMEOUT_MS,
+        maxBuffer: maxBuffer || DEFAULT_EXEC_MAX_BUFFER,
+        env: env ? { ...process.env, ...env } : process.env,
+        windowsHide: true,
+        shell: false,
+      },
+      (err, stdout, stderr) => {
+        if (err) {
+          if (err.killed) {
+            resolve({ stdout: stdout || '', stderr: stderr || '', code: null, timedOut: true });
+            return;
+          }
+          if (err.code === 'ENOENT') {
+            resolve({ stdout: '', stderr: `shell_run: command not found: ${file}`, code: null, timedOut: false });
+            return;
+          }
+          resolve({
+            stdout: stdout || '',
+            stderr: stderr || '',
+            code: typeof err.code === 'number' ? err.code : null,
+            timedOut: false,
+          });
+          return;
+        }
+        resolve({ stdout: stdout || '', stderr: stderr || '', code: 0, timedOut: false });
+      }
+    );
+  });
+}
+
+function execCommand({ command, cwd, timeout, maxBuffer, env }) {
+  return new Promise((resolve) => {
+    exec(
+      command,
+      {
+        cwd: cwd ? expandHome(cwd) : undefined,
+        timeout: timeout || DEFAULT_EXEC_TIMEOUT_MS,
+        maxBuffer: maxBuffer || DEFAULT_EXEC_MAX_BUFFER,
+        env: env ? { ...process.env, ...env } : process.env,
+        windowsHide: true,
+      },
+      (err, stdout, stderr) => {
+        if (err) {
+          if (err.killed) {
+            resolve({ stdout: stdout || '', stderr: stderr || '', code: null, timedOut: true });
+            return;
+          }
+          resolve({
+            stdout: stdout || '',
+            stderr: stderr || '',
+            code: typeof err.code === 'number' ? err.code : null,
+            timedOut: false,
+          });
+          return;
+        }
+        resolve({ stdout: stdout || '', stderr: stderr || '', code: 0, timedOut: false });
+      }
+    );
+  });
+}
+
+/**
+ * Create the three shell tools. No options — configuration is per-call via tool args,
+ * gating is the caller's responsibility via `new Loop({ policy })`.
+ *
+ * @returns {{tools: Array}}
+ */
+function createShellTools() {
+  const tools = [
+    {
+      name: 'shell_read',
+      description: 'Read a file or list a directory. Returns file contents (truncated at 256KB) or a tab-separated directory listing.',
+      parameters: {
+        type: 'object',
+        properties: {
+          path: { type: 'string', description: 'File or directory path. ~ expands to home.' },
+          maxBytes: { type: 'integer', description: 'Optional cap for file reads (default 262144).' },
+        },
+        required: ['path'],
+      },
+      execute: async ({ path: p, maxBytes }) => readEntry(p, maxBytes),
+    },
+    {
+      name: 'shell_grep',
+      description: 'Search for a JavaScript regex pattern across files. Skips binary files. Returns matching lines with file paths and line numbers.',
+      parameters: {
+        type: 'object',
+        properties: {
+          pattern: { type: 'string', description: 'JavaScript regex (without surrounding slashes).' },
+          path: { type: 'string', description: 'File or directory to search. ~ expands to home.' },
+          recursive: { type: 'boolean', description: 'Recurse into subdirectories (default true).' },
+          maxMatches: { type: 'integer', description: 'Stop after this many hits (default 200).' },
+          flags: { type: 'string', description: 'Regex flags, e.g. "i" or "gim" (default "i").' },
+        },
+        required: ['pattern', 'path'],
+      },
+      execute: async (args) => grepPath(args),
+    },
+    {
+      name: 'shell_run',
+      description: 'Run a command with an argv array (no shell, no interpolation) and return {stdout, stderr, code, timedOut}. Use this when a policy allowlist needs to match on argv[0] — no shell metacharacter injection is possible. Default timeout 30s, max output 1MB.',
+      parameters: {
+        type: 'object',
+        properties: {
+          argv: {
+            type: 'array',
+            items: { type: 'string' },
+            description: 'Non-empty array of strings: argv[0] is the command, argv[1..] are its arguments. Spawned via child_process.execFile (shell: false).',
+          },
+          cwd: { type: 'string', description: 'Working directory. ~ expands to home.' },
+          timeout: { type: 'integer', description: 'Kill after this many ms (default 30000).' },
+          maxBuffer: { type: 'integer', description: 'Max stdout/stderr bytes (default 1048576).' },
+          env: { type: 'object', description: 'Additional env vars merged over process.env.' },
+        },
+        required: ['argv'],
+      },
+      execute: async (args) => runArgv(args),
+    },
+    {
+      name: 'shell_exec',
+      description: 'Run a raw shell command string via /bin/sh -c (or cmd.exe) and return {stdout, stderr, code, timedOut}. SECURITY: shell metacharacters (;, &&, |, `, $(), etc.) are interpreted — a naive base-command allowlist like `command.split(/\\s+/)[0]` is bypassable via "ls;rm -rf". Prefer shell_run for policy-gated use cases. Default timeout 30s, max output 1MB.',
+      parameters: {
+        type: 'object',
+        properties: {
+          command: { type: 'string', description: 'Raw shell command string. Goes through the system shell.' },
+          cwd: { type: 'string', description: 'Working directory. ~ expands to home.' },
+          timeout: { type: 'integer', description: 'Kill after this many ms (default 30000).' },
+          maxBuffer: { type: 'integer', description: 'Max stdout/stderr bytes (default 1048576).' },
+          env: { type: 'object', description: 'Additional env vars merged over process.env.' },
+        },
+        required: ['command'],
+      },
+      execute: async (args) => execCommand(args),
+    },
+  ];
+  return { tools };
+}
+
+module.exports = { createShellTools };