bare-agent 0.5.0 → 0.7.0

package/README.md

@@ -60,7 +60,7 @@ Every piece works alone — take what you need, ignore the rest.
 
 | Component | What it does |
 |---|---|
-| **Loop** | Think → act → observe → repeat. Calls any LLM, executes your tools, loops until done. Throws on error by default. Returns estimated USD cost per run |
+| **Loop** | Think → act → observe → repeat. Calls any LLM, executes your tools, loops until done. Throws on error by default. Returns estimated USD cost per run. Loop-level `policy(toolName, args, ctx)` + `audit` gate every tool call (native, MCP, browsing, mobile, user-defined) through one hook — `ctx` is a per-call opaque blob for multi-tenant routing. `maxCost` cap catches runaway loops before they burn budget. Unified `loop:error` + `onError` surface every previously silent failure (audit write, callback throw, Checkpoint timeout) |
 | **Planner** | Break a goal into a step DAG via LLM. Built-in caching (`cacheTTL`) |
 | **runPlan** | Execute steps in parallel waves. Dependency-aware, failure propagation, per-step retry |
 | **Retry** | Exponential/linear backoff with jitter. Respects `err.retryable` |
@@ -71,10 +71,12 @@ Every piece works alone — take what you need, ignore the rest.
 | **Checkpoint** | Human approval gate. You provide the transport — terminal, Telegram, Slack, whatever |
 | **Scheduler** | Cron (`0 9 * * 1-5`) or relative (`2h`, `30m`). Persisted jobs survive restarts |
 | **Stream** | Structured event emitter. Pipe as JSONL, subscribe in-process, or custom transport |
-| **Errors** | Typed hierarchy — `ProviderError`, `ToolError`, `TimeoutError`, `MaxRoundsError`, `CircuitOpenError` |
+| **Errors** | Typed hierarchy — `ProviderError`, `ToolError`, `TimeoutError`, `MaxRoundsError`, `MaxCostError`, `CircuitOpenError`, `ValidationError` |
+| **Policy helpers** | `pathAllowlist`, `commandAllowlist`, `combinePolicies` — composable predicates for `Loop({ policy })`. Home expansion, deny-wins, short-circuit combinator, argv-based safe allowlists. `require('bare-agent/policy')` |
 | **Browsing** | Web navigation, clicking, typing, reading via `barebrowse` (17 tools). Two modes: library tools (inline snapshots, pass to Loop) or CLI session (disk-based snapshots, token-efficient for multi-step flows). Optional `assess` tool (privacy scan) when `wearehere` is installed |
 | **Mobile** | Android + iOS device control via `baremobile`. Same two modes: library tools (`createMobileTools` — action tools auto-return snapshots) or CLI session (`baremobile` CLI — disk-based snapshots) |
-| **MCP Bridge** | Auto-discover MCP servers from IDE configs (Claude Code, Cursor, etc.), expose as bareagent tools. Allow/deny filtering, policy functions, `systemContext` for LLM awareness. Zero deps |
+| **Shell** | Cross-platform `shell_read`, `shell_grep`, `shell_run` (argv, no shell), `shell_exec` (raw shell). Pure Node — no `grep`/`rg`/`findstr` dependency. Injection-proof `shell_run` for policy-gated use |
+| **MCP Bridge** | Auto-discover MCP servers from IDE configs (Claude Code, Cursor, etc.), expose as bareagent tools. Static allow/deny via `.mcp-bridge.json`, `systemContext` for LLM awareness. Runtime policy lives in `Loop({ policy })` — one hook for MCP + native tools alike. Zero deps |
 
 **Providers:** OpenAI-compatible (OpenAI, OpenRouter, Groq, vLLM, LM Studio), Anthropic, Ollama, CLIPipe (any CLI tool via stdin/stdout with real-time streaming), Fallback, or bring your own (one method: `generate`). All return the same shape — swap freely.
 

package/index.js

@@ -18,6 +18,7 @@ const {
   ValidationError,
   CircuitOpenError,
   MaxRoundsError,
+  MaxCostError,
 } = require('./src/errors');
 
 module.exports = {
@@ -38,4 +39,5 @@ module.exports = {
   ValidationError,
   CircuitOpenError,
   MaxRoundsError,
+  MaxCostError,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bare-agent",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "files": [
     "index.js",
     "src/",
@@ -24,7 +24,8 @@
     "./stores": "./src/stores.js",
     "./transports": "./src/transports.js",
     "./tools": "./src/tools.js",
-    "./mcp": "./src/mcp.js"
+    "./mcp": "./src/mcp.js",
+    "./policy": "./src/policy.js"
   },
   "engines": {
     "node": ">=18"

package/src/checkpoint.js

@@ -1,11 +1,24 @@
 'use strict';
 
+const { TimeoutError } = require('./errors');
+
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+
 class Checkpoint {
+  /**
+   * @param {object} options
+   * @param {Array<string>} [options.tools] - Tool names that require approval (exact match).
+   * @param {Function} [options.shouldAsk] - Custom predicate `(toolName, args) => bool` — overrides tools list if set.
+   * @param {Function} options.send - Async `(question, context) => void` to deliver the question.
+   * @param {Function} options.waitForReply - Async `(context) => string` that resolves with the user's reply.
+   * @param {number} [options.timeout=300000] - Ms to wait before auto-denying. 0 disables.
+   */
   constructor(options = {}) {
     this.tools = new Set(options.tools || []);
     this.send = options.send || null;
     this.waitForReply = options.waitForReply || null;
-    this.shouldAskFn = options.shouldAsk || null; // custom predicate override
+    this.shouldAskFn = options.shouldAsk || null;
+    this.timeout = options.timeout !== undefined ? options.timeout : DEFAULT_TIMEOUT_MS;
   }
 
   shouldAsk(toolName, args) {
@@ -14,19 +27,40 @@ class Checkpoint {
   }
 
   /**
-   * Send a question and wait for a reply.
+   * Send a question and wait for a reply. Rejects with TimeoutError if `timeout` ms elapse
+   * without a reply — the Loop catches this, auto-denies the tool call, and routes the
+   * error through loop:error + onError. No silent hangs.
    * @param {string} question - The approval question to send.
    * @param {object} [context={}] - Context passed to send and waitForReply.
    * @returns {Promise<string|null>} The user's reply, or null.
    * @throws {Error} `[Checkpoint] send and waitForReply callbacks required` — when callbacks are missing.
+   * @throws {TimeoutError} When no reply arrives within `timeout` ms.
    */
   async ask(question, context = {}) {
     if (!this.send || !this.waitForReply) {
       throw new Error('[Checkpoint] send and waitForReply callbacks required');
     }
     await this.send(question, context);
-    const reply = await this.waitForReply(context);
-    return reply ?? null;
+    const waitPromise = Promise.resolve(this.waitForReply(context));
+    if (!this.timeout || this.timeout <= 0) {
+      const reply = await waitPromise;
+      return reply ?? null;
+    }
+    let timer;
+    const timeoutPromise = new Promise((_, reject) => {
+      timer = setTimeout(
+        () => reject(new TimeoutError(`[Checkpoint] no reply within ${this.timeout}ms — auto-denied`, {
+          context: { tool: context?.tool, timeout: this.timeout },
+        })),
+        this.timeout,
+      );
+    });
+    try {
+      const reply = await Promise.race([waitPromise, timeoutPromise]);
+      return reply ?? null;
+    } finally {
+      clearTimeout(timer);
+    }
   }
 }
 

package/src/errors.js

@@ -49,6 +49,12 @@ class MaxRoundsError extends BareAgentError {
   }
 }
 
+class MaxCostError extends BareAgentError {
+  constructor(message, opts = {}) {
+    super(message || 'Loop exceeded maximum cost cap', { code: 'MAX_COST', retryable: false, ...opts });
+  }
+}
+
 module.exports = {
   BareAgentError,
   ProviderError,
@@ -57,4 +63,5 @@ module.exports = {
   ValidationError,
   CircuitOpenError,
   MaxRoundsError,
+  MaxCostError,
 };

package/src/loop.js

@@ -1,6 +1,7 @@
 'use strict';
 
-const { ToolError, MaxRoundsError } = require('./errors');
+const fs = require('node:fs');
+const { ToolError, MaxRoundsError, MaxCostError } = require('./errors');
 
 // Average pricing per 1K tokens (USD). Adjust these to match your provider's rates.
 // Last updated: 2026-03-18. Source: public provider pricing pages.
@@ -39,6 +40,8 @@ class Loop {
    * @param {object} [options.retry] - Retry instance for backoff on failures.
    * @param {object} [options.stream] - Stream instance for event emission.
    * @param {object} [options.store] - Store instance for validate() health check.
+   * @param {Function} [options.policy] - Async (toolName, args) => true|false|string. Deny returns the string (or a generic message) to the LLM as tool result.
+   * @param {string} [options.audit] - File path for JSONL audit log. Each tool call appends one line: {ts, tool, args, decision, result|reason|error, durationMs}.
    * @throws {Error} `[Loop] requires a provider` — when options.provider is missing.
    */
   constructor(options = {}) {
@@ -54,8 +57,77 @@ class Loop {
     this.onError = options.onError || null;
     this.throwOnError = options.throwOnError !== undefined ? options.throwOnError : true;
     this.store = options.store || null;
+    if (options.policy != null && typeof options.policy !== 'function') {
+      throw new Error('[Loop] options.policy must be a function (toolName, args) => true | false | string');
+    }
+    this.policy = options.policy || null;
+    this.audit = options.audit || null;
+    this.maxCost = typeof options.maxCost === 'number' && options.maxCost > 0 ? options.maxCost : null;
     this._stopped = false;
     this._history = []; // for chat() stateful mode
+    this._auditInFlight = new Set();
+  }
+
+  // Unified error emitter — every silent-ish failure path routes through here so
+  // operators see audit writes, callback throws, checkpoint timeouts, stream listener
+  // errors in one place: loop:error stream event + onError callback.
+  _reportError(source, err, extra = {}) {
+    const message = err?.message || String(err);
+    this._safeEmit({ type: 'loop:error', data: { source, error: message, ...extra } });
+    if (this.onError) {
+      try {
+        this.onError(err, { source, ...extra });
+      } catch (cbErr) {
+        console.warn(`[Loop] onError callback threw: ${cbErr.message}`);
+      }
+    }
+  }
+
+  // Swallow-proof stream emit: a throwing listener must not corrupt Loop state.
+  _safeEmit(event) {
+    if (!this.stream) return;
+    try {
+      this.stream.emit(event);
+    } catch (err) {
+      console.warn(`[Loop] stream listener threw on ${event.type}: ${err.message}`);
+      if (this.onError && event.type !== 'loop:error') {
+        try { this.onError(err, { source: 'stream', eventType: event.type }); } catch { /* swallow */ }
+      }
+    }
+  }
+
+  // Fire a user callback without letting its throw kill the loop.
+  _safeCall(name, fn, ...args) {
+    if (!fn) return;
+    try {
+      fn(...args);
+    } catch (err) {
+      this._reportError(`callback:${name}`, err);
+    }
+  }
+
+  // Append one JSONL record. Returns nothing (fire-and-forget for callers)
+  // but tracks the in-flight promise so `flush()` and the end of `run()` can await it.
+  _writeAudit(record) {
+    if (!this.audit) return;
+    let line;
+    try {
+      line = JSON.stringify(record) + '\n';
+    } catch (err) {
+      this._reportError('audit:serialize', err, { tool: record?.tool });
+      return;
+    }
+    const p = fs.promises.appendFile(this.audit, line)
+      .catch(err => this._reportError('audit:write', err, { tool: record?.tool }))
+      .finally(() => this._auditInFlight.delete(p));
+    this._auditInFlight.add(p);
+  }
+
+  // Await any in-flight audit writes. Safe to call multiple times; resolves immediately
+  // when no writes are pending. Called automatically at the end of each `run()`.
+  async flush() {
+    if (this._auditInFlight.size === 0) return;
+    await Promise.all([...this._auditInFlight]);
   }
 
   /**
@@ -71,6 +143,7 @@ class Loop {
   async run(messages, tools = [], options = {}) {
     this._stopped = false;
     const system = options.system || this.system;
+    const ctx = options.ctx || null; // per-run opaque blob forwarded to policy
     const msgs = system
       ? [{ role: 'system', content: system }, ...messages]
       : [...messages];
@@ -92,7 +165,7 @@ class Loop {
       }
     }
 
-    this.stream?.emit({ type: 'loop:start', data: { messageCount: msgs.length } });
+    this._safeEmit({ type: 'loop:start', data: { messageCount: msgs.length } });
 
     let lastUsage = { inputTokens: 0, outputTokens: 0 };
     let totalCost = 0;
@@ -105,8 +178,8 @@ class Loop {
         const generate = () => this.provider.generate(msgs, tools, options);
         result = this.retry ? await this.retry.call(generate) : await generate();
       } catch (err) {
-        this.stream?.emit({ type: 'loop:error', data: { error: err.message, round } });
-        this.onError?.(err);
+        this._reportError('provider', err, { round });
+        await this.flush();
         if (this.throwOnError) throw err;
         return { text: '', toolCalls: [], usage: lastUsage, cost: totalCost, error: err.message };
       }
@@ -116,11 +189,22 @@ class Loop {
       const roundCost = estimateCost(model, lastUsage);
       if (roundCost !== null) totalCost += roundCost;
 
+      // Cost cap — fail fast before the next round costs more money.
+      if (this.maxCost !== null && totalCost > this.maxCost) {
+        const msg = `[Loop] cost ${totalCost.toFixed(4)} exceeded cap ${this.maxCost.toFixed(4)} after round ${round + 1}`;
+        const err = new MaxCostError(msg, { context: { cost: totalCost, maxCost: this.maxCost, round } });
+        this._reportError('cost-cap', err, { cost: totalCost, maxCost: this.maxCost });
+        await this.flush();
+        if (this.throwOnError) throw err;
+        return { text: '', toolCalls: [], usage: lastUsage, cost: totalCost, error: msg };
+      }
+
       // No tool calls — LLM gave a final text response
       if (!result.toolCalls || result.toolCalls.length === 0) {
-        this.stream?.emit({ type: 'loop:text', data: { text: result.text } });
-        this.onText?.(result.text);
-        this.stream?.emit({ type: 'loop:done', data: { text: result.text, usage: lastUsage, cost: totalCost } });
+        this._safeEmit({ type: 'loop:text', data: { text: result.text } });
+        this._safeCall('onText', this.onText, result.text);
+        await this.flush();
+        this._safeEmit({ type: 'loop:done', data: { text: result.text, usage: lastUsage, cost: totalCost } });
         return { text: result.text, toolCalls: [], usage: lastUsage, cost: totalCost, error: null };
       }
 
@@ -142,45 +226,100 @@ class Loop {
         if (!tool) {
           const errMsg = `[Loop] Unknown tool: ${tc.name}`;
           msgs.push({ role: 'tool', tool_call_id: tc.id, content: errMsg });
-          this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, error: errMsg } });
+          this._safeEmit({ type: 'loop:tool_result', data: { tool: tc.name, error: errMsg } });
           continue;
         }
 
         // Checkpoint — ask for approval before executing
         if (this.checkpoint?.shouldAsk(tc.name, tc.arguments)) {
-          this.stream?.emit({ type: 'checkpoint:ask', data: { tool: tc.name, args: tc.arguments } });
-          const reply = await this.checkpoint.ask(
-            `Approve ${tc.name}(${JSON.stringify(tc.arguments)})?`,
-            { tool: tc.name, args: tc.arguments }
-          );
-          this.stream?.emit({ type: 'checkpoint:reply', data: { reply } });
+          this._safeEmit({ type: 'checkpoint:ask', data: { tool: tc.name, args: tc.arguments } });
+          let reply;
+          try {
+            reply = await this.checkpoint.ask(
+              `Approve ${tc.name}(${JSON.stringify(tc.arguments)})?`,
+              { tool: tc.name, args: tc.arguments }
+            );
+          } catch (err) {
+            // Checkpoint errors (e.g. timeout, transport failure) auto-deny and
+            // get reported via loop:error + onError. The loop never hangs silently.
+            this._reportError('checkpoint', err, { tool: tc.name });
+            msgs.push({ role: 'tool', tool_call_id: tc.id, content: `[Loop] Checkpoint failed: ${err.message}. Action auto-denied.` });
+            continue;
+          }
+          this._safeEmit({ type: 'checkpoint:reply', data: { reply } });
           if (!reply || reply.toLowerCase() === 'no' || reply.toLowerCase() === 'n') {
             msgs.push({ role: 'tool', tool_call_id: tc.id, content: 'User denied this action.' });
             continue;
           }
         }
 
-        this.stream?.emit({ type: 'loop:tool_call', data: { tool: tc.name, args: tc.arguments } });
-        this.onToolCall?.(tc.name, tc.arguments);
+        this._safeEmit({ type: 'loop:tool_call', data: { tool: tc.name, args: tc.arguments } });
+        this._safeCall('onToolCall', this.onToolCall, tc.name, tc.arguments);
+
+        // Policy check — runs before execute. Fail-safe: only verdict === true allows;
+        // anything else (false, string, undefined, object, throw) denies. A string verdict
+        // is used verbatim as the deny reason. `ctx` (opaque blob passed via
+        // loop.run(msgs, tools, { ctx })) is forwarded as the third arg for per-caller gating.
+        if (this.policy) {
+          let verdict;
+          try {
+            verdict = await this.policy(tc.name, tc.arguments, ctx);
+          } catch (err) {
+            verdict = `[Loop] policy error: ${err.message}`;
+          }
+          if (verdict !== true) {
+            const reason = typeof verdict === 'string'
+              ? verdict
+              : `[Loop] Tool "${tc.name}" denied by policy`;
+            msgs.push({ role: 'tool', tool_call_id: tc.id, content: reason });
+            this._safeEmit({ type: 'loop:tool_result', data: { tool: tc.name, denied: true, reason } });
+            this._writeAudit({
+              ts: new Date().toISOString(),
+              tool: tc.name,
+              args: tc.arguments,
+              decision: 'deny',
+              reason,
+            });
+            continue;
+          }
+        }
 
+        const startedAt = Date.now();
         try {
           const execute = () => tool.execute(tc.arguments);
           const toolResult = this.retry ? await this.retry.call(execute) : await execute();
           const content = typeof toolResult === 'string' ? toolResult : JSON.stringify(toolResult);
           msgs.push({ role: 'tool', tool_call_id: tc.id, content });
-          this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, result: content } });
+          this._safeEmit({ type: 'loop:tool_result', data: { tool: tc.name, result: content } });
+          this._writeAudit({
+            ts: new Date().toISOString(),
+            tool: tc.name,
+            args: tc.arguments,
+            decision: 'allow',
+            result: content,
+            durationMs: Date.now() - startedAt,
+          });
         } catch (err) {
           const toolErr = err instanceof ToolError ? err : new ToolError(err.message, { context: { tool: tc.name } });
           const errMsg = `[Loop] Tool error: ${toolErr.message}`;
           msgs.push({ role: 'tool', tool_call_id: tc.id, content: errMsg });
-          this.stream?.emit({ type: 'loop:tool_result', data: { tool: tc.name, error: errMsg } });
+          this._safeEmit({ type: 'loop:tool_result', data: { tool: tc.name, error: errMsg } });
+          this._writeAudit({
+            ts: new Date().toISOString(),
+            tool: tc.name,
+            args: tc.arguments,
+            decision: 'allow',
+            error: toolErr.message,
+            durationMs: Date.now() - startedAt,
+          });
         }
       }
     }
 
     // maxRounds exceeded
     const warning = `[Loop] ended after ${this.maxRounds} rounds without final response`;
-    this.stream?.emit({ type: 'loop:done', data: { text: '', warning, cost: totalCost } });
+    await this.flush();
+    this._safeEmit({ type: 'loop:done', data: { text: '', warning, cost: totalCost } });
     if (this.throwOnError) throw new MaxRoundsError(warning);
     return { text: '', toolCalls: [], usage: lastUsage, cost: totalCost, error: warning };
   }

package/src/mcp-bridge.js

@@ -194,21 +194,15 @@ function unwrapContent(content) {
 
 // --- Tool wrapping ---
 
-function wrapTools(serverName, mcpTools, rpc, policy) {
+// Runtime arg-dependent policy has moved to Loop-level (new Loop({ policy })).
+// mcp-bridge retains only the static .mcp-bridge.json allow/deny filter below —
+// that decides which tools are exposed to the Loop in the first place.
+function wrapTools(serverName, mcpTools, rpc) {
   return mcpTools.map(t => ({
     name: `${serverName}_${t.name}`,
     description: t.description || '',
     parameters: t.inputSchema || { type: 'object', properties: {} },
     execute: async (args) => {
-      if (policy) {
-        const verdict = await policy(serverName, t.name, args);
-        if (verdict === false || typeof verdict === 'string') {
-          const reason = typeof verdict === 'string'
-            ? verdict
-            : `[GOVERNANCE] Tool "${serverName}_${t.name}" is not permitted by policy. Do not retry this tool.`;
-          throw new ToolError(reason, { context: { server: serverName, tool: t.name } });
-        }
-      }
       const result = await rpc('tools/call', { name: t.name, arguments: args });
       if (result.isError) {
         throw new ToolError(unwrapContent(result.content) || 'MCP tool error', {
@@ -327,11 +321,17 @@ function buildSystemContext(servers, tools, denied) {
  * @param {string[]} [opts.configPaths] - IDE config paths for discovery.
  * @param {string[]} [opts.servers] - Limit to these server names.
  * @param {number} [opts.timeout=15000] - Per-server init timeout in ms.
- * @param {Function} [opts.policy] - Async function(serverName, toolName, args) for runtime arg-dependent checks.
  * @param {boolean} [opts.refresh=false] - Force re-discovery regardless of TTL.
  * @returns {Promise<{tools: Array, servers: string[], systemContext: string, denied: Array, close: Function}>}
  */
 async function createMCPBridge(opts = {}) {
+  if ('policy' in opts) {
+    throw new Error(
+      '[MCP Bridge] The `policy` option was removed in v0.6.0. Runtime arg-dependent policy is now Loop-level: ' +
+      'pass `policy` to `new Loop({ policy })` instead — it gates MCP tools identically to native tools. ' +
+      'The static allow/deny filter in .mcp-bridge.json is unchanged.'
+    );
+  }
   const bridgePath = opts.bridgePath || DEFAULT_BRIDGE_PATH();
   const timeout = opts.timeout || 15000;
 
@@ -411,7 +411,7 @@ async function createMCPBridge(opts = {}) {
 
       // Only wrap tools that are allowed in config
       const allowed = mcpTools.filter(t => allowedToolNames.includes(t.name));
-      const wrapped = wrapTools(name, allowed, client.rpc, opts.policy);
+      const wrapped = wrapTools(name, allowed, client.rpc);
 
       tools.push(...wrapped);
       children.push(client.child);

package/src/policy.js

@@ -0,0 +1,132 @@
+'use strict';
+
+/**
+ * Policy helpers — composable predicates for `new Loop({ policy })`.
+ *
+ * Each helper returns an async function `(toolName, args, ctx) => true | string`
+ * matching bareagent's policy contract. `true` allows; anything else denies.
+ * A string is fed verbatim to the LLM as the deny reason.
+ *
+ * Compose multiple helpers with `combinePolicies(a, b, c)` — first non-`true`
+ * verdict wins, short-circuit semantics.
+ *
+ * Zero deps. Pure Node. Cross-platform.
+ */
+
+const path = require('node:path');
+
+function expandHome(p) {
+  if (!p || typeof p !== 'string') return p;
+  if (p === '~') return process.env.HOME || process.env.USERPROFILE || '';
+  if (p.startsWith('~/') || p.startsWith('~\\')) {
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    return path.join(home, p.slice(2));
+  }
+  return p;
+}
+
+function normalize(p) {
+  try {
+    return path.resolve(expandHome(p));
+  } catch {
+    return p;
+  }
+}
+
+/**
+ * Allow/deny file-system paths used by tools like shell_read, shell_grep.
+ *
+ * Deny wins over allow. Paths containing `..` after normalization are denied
+ * unconditionally (prevents traversal bypassing the allow list).
+ *
+ * @param {object} options
+ * @param {string[]} [options.allow] - Path prefixes users may access. `~` expands.
+ * @param {string[]} [options.deny] - Path prefixes hard-denied. `~` expands.
+ * @param {string[]} [options.toolNames] - Only check these tool names. If omitted, checks any tool with an `args.path` string.
+ * @param {string} [options.argKey='path'] - Name of the args field to inspect.
+ * @returns {Function} policy predicate `(toolName, args) => true | string`
+ */
+function pathAllowlist({ allow = [], deny = [], toolNames, argKey = 'path' } = {}) {
+  const allowNorm = allow.map(normalize);
+  const denyNorm = deny.map(normalize);
+  const gatedTools = toolNames ? new Set(toolNames) : null;
+
+  return async function pathPolicy(toolName, args) {
+    if (gatedTools && !gatedTools.has(toolName)) return true;
+    const raw = args?.[argKey];
+    if (typeof raw !== 'string') return true; // nothing to check
+    const target = normalize(raw);
+
+    for (const d of denyNorm) {
+      if (target === d || target.startsWith(d + path.sep) || target.startsWith(d + '/')) {
+        return `Path denied: ${raw} is under a denied root (${d}).`;
+      }
+    }
+    if (allowNorm.length === 0) return true;
+    for (const a of allowNorm) {
+      if (target === a || target.startsWith(a + path.sep) || target.startsWith(a + '/')) {
+        return true;
+      }
+    }
+    return `Path denied: ${raw} is not under any allowed root.`;
+  };
+}
+
+/**
+ * Allow/deny commands by their base name.
+ *
+ * For `shell_run` (argv-array): inspects `args.argv[0]`. Safe — no shell in path.
+ * For `shell_exec` (raw shell): inspects `args.command.split(/\s+/)[0]` BUT this
+ * is defeatable by shell metacharacters. Prefer gating `shell_run` with this helper
+ * and denying `shell_exec` entirely, or handling shell_exec with a custom policy
+ * that parses the command string carefully.
+ *
+ * Deny wins over allow.
+ *
+ * @param {object} options
+ * @param {string[]} [options.allow] - Base command names allowed.
+ * @param {string[]} [options.deny] - Base command names denied.
+ * @param {string} [options.toolName='shell_run'] - Which tool this helper gates.
+ * @returns {Function} policy predicate `(toolName, args) => true | string`
+ */
+function commandAllowlist({ allow = [], deny = [], toolName = 'shell_run' } = {}) {
+  const allowSet = new Set(allow);
+  const denySet = new Set(deny);
+
+  return async function commandPolicy(name, args) {
+    if (name !== toolName) return true;
+    let base;
+    if (name === 'shell_run') {
+      if (!Array.isArray(args?.argv) || typeof args.argv[0] !== 'string') return true;
+      base = args.argv[0];
+    } else {
+      if (typeof args?.command !== 'string') return true;
+      base = args.command.trim().split(/\s+/)[0];
+    }
+    if (denySet.has(base)) return `Command denied: ${base} is on the denylist.`;
+    if (allowSet.size > 0 && !allowSet.has(base)) {
+      return `Command denied: ${base} is not on the allowlist.`;
+    }
+    return true;
+  };
+}
+
+/**
+ * Compose multiple policy predicates into one. First non-true verdict wins.
+ * Short-circuits on first deny — later predicates are not called.
+ *
+ * @param {...Function} policies - Any number of policy predicates.
+ * @returns {Function} combined policy predicate `(toolName, args, ctx) => true | string`
+ */
+function combinePolicies(...policies) {
+  const list = policies.filter(p => typeof p === 'function');
+  return async function combined(toolName, args, ctx) {
+    for (const p of list) {
+      const verdict = await p(toolName, args, ctx);
+      if (verdict !== true) return verdict;
+    }
+    return true;
+  };
+}
+
+module.exports = { pathAllowlist, commandAllowlist, combinePolicies };

package/src/tools.js

@@ -2,5 +2,6 @@
 
 const { createBrowsingTools } = require('../tools/browse');
 const { createMobileTools } = require('../tools/mobile');
+const { createShellTools } = require('../tools/shell');
 
-module.exports = { createBrowsingTools, createMobileTools };
+module.exports = { createBrowsingTools, createMobileTools, createShellTools };

package/tools/shell.js

@@ -0,0 +1,286 @@
+'use strict';
+
+/**
+ * Pure-Node shell tools — cross-platform (linux, macOS, Windows), no external binaries.
+ *
+ * Three primitives:
+ *   shell_read  — read a file or list a directory
+ *   shell_grep  — regex search across files (JS regex, no grep/rg/findstr)
+ *   shell_exec  — run a shell command with timeout + max buffer
+ *
+ * All three run through Loop's policy hook when wired via `new Loop({ policy })`.
+ * Library ships zero baked-in allowlist — gating is the agent author's responsibility.
+ */
+
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const { exec, execFile } = require('node:child_process');
+
+const DEFAULT_READ_MAX_BYTES = 256 * 1024;       // 256 KB
+const DEFAULT_GREP_MAX_MATCHES = 200;
+const DEFAULT_EXEC_TIMEOUT_MS = 30_000;
+const DEFAULT_EXEC_MAX_BUFFER = 1024 * 1024;     // 1 MB
+
+function expandHome(p) {
+  if (!p) return p;
+  if (p.startsWith('~/') || p === '~') {
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    return path.join(home, p.slice(1));
+  }
+  return p;
+}
+
+async function readEntry(rawPath, maxBytes) {
+  const resolved = path.resolve(expandHome(rawPath));
+  const stat = await fs.stat(resolved);
+  if (stat.isDirectory()) {
+    const entries = await fs.readdir(resolved, { withFileTypes: true });
+    const lines = entries.map(e => {
+      const kind = e.isDirectory() ? 'dir' : e.isSymbolicLink() ? 'link' : 'file';
+      return `${kind}\t${e.name}`;
+    });
+    return `dir ${resolved}\n${lines.join('\n')}`;
+  }
+  const cap = maxBytes || DEFAULT_READ_MAX_BYTES;
+  if (stat.size > cap) {
+    const fh = await fs.open(resolved, 'r');
+    try {
+      const buf = Buffer.alloc(cap);
+      await fh.read(buf, 0, cap, 0);
+      return buf.toString('utf8') + `\n\n[truncated: ${stat.size - cap} more bytes not shown]`;
+    } finally {
+      await fh.close();
+    }
+  }
+  return fs.readFile(resolved, 'utf8');
+}
+
+// Probe the first 1KB for NUL bytes to skip binary files in grep walks.
+async function isProbablyText(filePath) {
+  try {
+    const fh = await fs.open(filePath, 'r');
+    try {
+      const buf = Buffer.alloc(1024);
+      const { bytesRead } = await fh.read(buf, 0, 1024, 0);
+      for (let i = 0; i < bytesRead; i++) {
+        if (buf[i] === 0) return false;
+      }
+      return true;
+    } finally {
+      await fh.close();
+    }
+  } catch {
+    return false;
+  }
+}
+
+async function* walk(dir, recursive) {
+  let entries;
+  try {
+    entries = await fs.readdir(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (recursive) yield* walk(full, true);
+    } else if (entry.isFile()) {
+      yield full;
+    }
+  }
+}
+
+async function grepPath({ pattern, path: rawPath, recursive = true, maxMatches, flags = 'i' }) {
+  const resolved = path.resolve(expandHome(rawPath));
+  const cap = maxMatches || DEFAULT_GREP_MAX_MATCHES;
+  let re;
+  try {
+    re = new RegExp(pattern, flags);
+  } catch (err) {
+    throw new Error(`shell_grep: invalid regex — ${err.message}`);
+  }
+
+  const hits = [];
+  const stat = await fs.stat(resolved).catch(() => null);
+  if (!stat) throw new Error(`shell_grep: path not found — ${rawPath}`);
+
+  const files = [];
+  if (stat.isFile()) {
+    files.push(resolved);
+  } else if (stat.isDirectory()) {
+    for await (const f of walk(resolved, recursive)) files.push(f);
+  }
+
+  for (const file of files) {
+    if (hits.length >= cap) break;
+    if (!(await isProbablyText(file))) continue;
+    let content;
+    try {
+      content = await fs.readFile(file, 'utf8');
+    } catch {
+      continue;
+    }
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      if (hits.length >= cap) break;
+      if (re.test(lines[i])) {
+        hits.push({ file, line: i + 1, text: lines[i].slice(0, 500) });
+      }
+    }
+  }
+
+  const truncated = hits.length >= cap;
+  return { hits, truncated, fileCount: files.length };
+}
+
+function runArgv({ argv, cwd, timeout, maxBuffer, env }) {
+  if (!Array.isArray(argv) || argv.length === 0 || typeof argv[0] !== 'string') {
+    return Promise.reject(new Error('shell_run: argv must be a non-empty array of strings, starting with the command'));
+  }
+  const [file, ...args] = argv;
+  return new Promise((resolve) => {
+    execFile(
+      file,
+      args,
+      {
+        cwd: cwd ? expandHome(cwd) : undefined,
+        timeout: timeout || DEFAULT_EXEC_TIMEOUT_MS,
+        maxBuffer: maxBuffer || DEFAULT_EXEC_MAX_BUFFER,
+        env: env ? { ...process.env, ...env } : process.env,
+        windowsHide: true,
+        shell: false,
+      },
+      (err, stdout, stderr) => {
+        if (err) {
+          if (err.killed) {
+            resolve({ stdout: stdout || '', stderr: stderr || '', code: null, timedOut: true });
+            return;
+          }
+          if (err.code === 'ENOENT') {
+            resolve({ stdout: '', stderr: `shell_run: command not found: ${file}`, code: null, timedOut: false });
+            return;
+          }
+          resolve({
+            stdout: stdout || '',
+            stderr: stderr || '',
+            code: typeof err.code === 'number' ? err.code : null,
+            timedOut: false,
+          });
+          return;
+        }
+        resolve({ stdout: stdout || '', stderr: stderr || '', code: 0, timedOut: false });
+      }
+    );
+  });
+}
+
+function execCommand({ command, cwd, timeout, maxBuffer, env }) {
+  return new Promise((resolve) => {
+    exec(
+      command,
+      {
+        cwd: cwd ? expandHome(cwd) : undefined,
+        timeout: timeout || DEFAULT_EXEC_TIMEOUT_MS,
+        maxBuffer: maxBuffer || DEFAULT_EXEC_MAX_BUFFER,
+        env: env ? { ...process.env, ...env } : process.env,
+        windowsHide: true,
+      },
+      (err, stdout, stderr) => {
+        if (err) {
+          if (err.killed) {
+            resolve({ stdout: stdout || '', stderr: stderr || '', code: null, timedOut: true });
+            return;
+          }
+          resolve({
+            stdout: stdout || '',
+            stderr: stderr || '',
+            code: typeof err.code === 'number' ? err.code : null,
+            timedOut: false,
+          });
+          return;
+        }
+        resolve({ stdout: stdout || '', stderr: stderr || '', code: 0, timedOut: false });
+      }
+    );
+  });
+}
+
+/**
+ * Create the three shell tools. No options — configuration is per-call via tool args,
+ * gating is the caller's responsibility via `new Loop({ policy })`.
+ *
+ * @returns {{tools: Array}}
+ */
+function createShellTools() {
+  const tools = [
+    {
+      name: 'shell_read',
+      description: 'Read a file or list a directory. Returns file contents (truncated at 256KB) or a tab-separated directory listing.',
+      parameters: {
+        type: 'object',
+        properties: {
+          path: { type: 'string', description: 'File or directory path. ~ expands to home.' },
+          maxBytes: { type: 'integer', description: 'Optional cap for file reads (default 262144).' },
+        },
+        required: ['path'],
+      },
+      execute: async ({ path: p, maxBytes }) => readEntry(p, maxBytes),
+    },
+    {
+      name: 'shell_grep',
+      description: 'Search for a JavaScript regex pattern across files. Skips binary files. Returns matching lines with file paths and line numbers.',
+      parameters: {
+        type: 'object',
+        properties: {
+          pattern: { type: 'string', description: 'JavaScript regex (without surrounding slashes).' },
+          path: { type: 'string', description: 'File or directory to search. ~ expands to home.' },
+          recursive: { type: 'boolean', description: 'Recurse into subdirectories (default true).' },
+          maxMatches: { type: 'integer', description: 'Stop after this many hits (default 200).' },
+          flags: { type: 'string', description: 'Regex flags, e.g. "i" or "gim" (default "i").' },
+        },
+        required: ['pattern', 'path'],
+      },
+      execute: async (args) => grepPath(args),
+    },
+    {
+      name: 'shell_run',
+      description: 'Run a command with an argv array (no shell, no interpolation) and return {stdout, stderr, code, timedOut}. Use this when a policy allowlist needs to match on argv[0] — no shell metacharacter injection is possible. Default timeout 30s, max output 1MB.',
+      parameters: {
+        type: 'object',
+        properties: {
+          argv: {
+            type: 'array',
+            items: { type: 'string' },
+            description: 'Non-empty array of strings: argv[0] is the command, argv[1..] are its arguments. Spawned via child_process.execFile (shell: false).',
+          },
+          cwd: { type: 'string', description: 'Working directory. ~ expands to home.' },
+          timeout: { type: 'integer', description: 'Kill after this many ms (default 30000).' },
+          maxBuffer: { type: 'integer', description: 'Max stdout/stderr bytes (default 1048576).' },
+          env: { type: 'object', description: 'Additional env vars merged over process.env.' },
+        },
+        required: ['argv'],
+      },
+      execute: async (args) => runArgv(args),
+    },
+    {
+      name: 'shell_exec',
+      description: 'Run a raw shell command string via /bin/sh -c (or cmd.exe) and return {stdout, stderr, code, timedOut}. SECURITY: shell metacharacters (;, &&, |, `, $(), etc.) are interpreted — a naive base-command allowlist like `command.split(/\\s+/)[0]` is bypassable via "ls;rm -rf". Prefer shell_run for policy-gated use cases. Default timeout 30s, max output 1MB.',
+      parameters: {
+        type: 'object',
+        properties: {
+          command: { type: 'string', description: 'Raw shell command string. Goes through the system shell.' },
+          cwd: { type: 'string', description: 'Working directory. ~ expands to home.' },
+          timeout: { type: 'integer', description: 'Kill after this many ms (default 30000).' },
+          maxBuffer: { type: 'integer', description: 'Max stdout/stderr bytes (default 1048576).' },
+          env: { type: 'object', description: 'Additional env vars merged over process.env.' },
+        },
+        required: ['command'],
+      },
+      execute: async (args) => execCommand(args),
+    },
+  ];
+  return { tools };
+}
+
+module.exports = { createShellTools };