bone-agent 1.4.0 → 2.0.1

package/src/utils/safe_commands.py

@@ -1,243 +0,0 @@
-"""Structured command safety system for auto-approval.
-
-Replaces the flat ALLOWED_COMMANDS whitelist with a command+subcommand
-granularity system that distinguishes read-only operations from mutations.
-
-Design principles:
-- No args = not safe (for commands with subcommand variants)
-- Gate anything that has potential to be unsafe
-- Deny-by-default: commands not in the dict require approval
-- Compound flags use longest-prefix matching
-"""
-
-import os
-import shlex
-from utils.validation import CHAINING_OPERATORS
-
-
-# ---------------------------------------------------------------------------
-# SAFE_COMMAND_RULES
-# ---------------------------------------------------------------------------
-# Maps command names to their safety profile:
-#   None  → always safe (inherently read-only, e.g., ps, pwd)
-#   set() → only safe for listed subcommands/flags
-#
-# Platform normalization strips .exe suffix and lowercases before lookup.
-
-SAFE_COMMAND_RULES: dict[str, frozenset | None] = {
-    # --- Always safe (truly read-only, no mutating subcommands) ---
-    "pwd": None,
-    "which": None,
-    "whereis": None,
-    "uname": None,
-    "hostname": None,
-    "uptime": None,
-    "date": None,
-    "cal": None,
-    "whoami": None,
-    "id": None,
-    "env": frozenset({"--version", "--help"}),
-    "printenv": frozenset({"--version", "--help"}),
-    "lscpu": None,
-    "lsblk": None,
-    "file": None,
-    "stat": None,
-    "md5sum": None,
-    "sha256sum": None,
-    "free": None,
-    "df": None,
-    "du": None,
-    "dmesg": None,
-    "ltrace": None,
-    "ps": None,
-    "pgrep": None,
-    "pidof": None,
-    "lsof": None,
-    "ping": None,
-    "nslookup": None,
-    "dig": None,
-    "ss": None,
-    "ifconfig": None,
-    "netstat": None,
-    "journalctl": None,
-    "apt-cache": None,
-    "apt-show": None,
-    "dpkg-query": None,
-
-    # --- Subcommand-gated (safe only for specific read-only operations) ---
-    "git": frozenset({
-        "status", "log", "diff", "show", "branch",
-        "remote", "tag",
-        "rev-parse", "shortlog", "describe", "symbolic-ref",
-        "reflog", "name-rev", "blame", "annotate",
-        "for-each-ref", "ls-files", "ls-tree", "ls-remote",
-    }),
-    "pip": frozenset({"show", "list", "--version", "check", "debug", "index", "inspect"}),
-    "pip3": frozenset({"show", "list", "--version", "check", "debug", "index", "inspect"}),
-    "npm": frozenset({"list", "ls", "view", "version", "outdated", "pack", "info", "doctor", "audit"}),
-    "node": frozenset({"--version"}),
-    "python": frozenset({"--version"}),
-    "python3": frozenset({"--version"}),
-    "pacman": frozenset({
-        "-Q", "-Qi", "-Ql", "-Qo", "-Qs", "-Qt",
-        "-F", "-Si", "-Ss", "-Fl", "-G",
-    }),
-    "dpkg": frozenset({"-l", "-s", "-S", "-L", "-p", "--verify", "--audit"}),
-    "rpm": frozenset({"-q", "-qa", "-qi", "-ql", "-qf", "--queryformat"}),
-    "dnf": frozenset({"list", "info", "search", "check-update", "repoquery"}),
-    "yum": frozenset({"list", "info", "search", "check-update"}),
-    "systemctl": frozenset({
-        "status", "list-units", "list-unit-files", "show",
-        "is-active", "is-enabled", "cat", "list-timers",
-        "list-sockets", "list-jobs",
-    }),
-    "service": frozenset({"--status-all"}),  # "service <name> status" handled by _is_safe_service_command
-    "ip": frozenset({"addr", "address", "link", "route", "neigh", "maddr", "rule", "netns"}),
-
-    # --- Windows equivalents ---
-    "where": None,
-    "systeminfo": None,
-    "Get-Process": None,
-    "Get-Service": None,
-    "Get-ChildItem": None,
-    "Get-Content": None,
-    "Get-Location": None,
-    "Test-Connection": None,
-    "Get-NetIPAddress": None,
-}
-
-
-# Sub-subcommand deny lists for commands where the first arg passes safety
-# but later args can be mutating. Checked AFTER first-arg matching.
-# If any token appears in the deny list, the command is rejected.
-_IP_MUTATING_VERBS = frozenset({
-    "set", "add", "delete", "replace", "flush", "change",
-})
-
-# Commands that need deep token scanning mapped to their deny sets.
-_DEEP_SCAN_RULES: dict[str, frozenset] = {
-    "ip": _IP_MUTATING_VERBS,
-}
-
-
-def _tokenize(command: str) -> list[str]:
-    """Tokenize a command string using platform-appropriate splitting."""
-    use_posix = os.name != "nt"
-    try:
-        return shlex.split(command, posix=use_posix)
-    except ValueError:
-        return command.split()
-
-
-def _normalize_command_name(name: str) -> str:
-    """Normalize a command name for lookup.
-
-    Strips .exe suffix and lowercases. Does NOT normalize PowerShell
-    cmdlet casing (case-insensitive lookup handles that).
-    """
-    if name.lower().endswith(".exe"):
-        name = name[:-4]
-    return name.lower()
-
-
-def _matches_safe_subcommand(arg: str, safe_set: frozenset) -> bool:
-    """Check if an argument matches any entry in the safe subcommand set.
-
-    Uses longest-prefix matching for flag-style arguments:
-    e.g., if '-Qi' is safe, then '-Qil' also matches.
-    For word-style subcommands (e.g., git 'status'), exact match only.
-
-    Comparison is case-insensitive.
-    """
-    arg_lower = arg.lower()
-
-    # Build lowercase version of safe_set for case-insensitive comparison
-    safe_lower = {s.lower() for s in safe_set}
-
-    # Exact match
-    if arg_lower in safe_lower:
-        return True
-
-    # Longest-prefix match for flags (arguments starting with -)
-    if arg_lower.startswith("-"):
-        # Try progressively shorter prefixes
-        for length in range(len(arg_lower) - 1, 1, -1):
-            prefix = arg_lower[:length]
-            if prefix in safe_lower:
-                return True
-
-    return False
-
-
-def is_safe_command(command: str) -> bool:
-    """Check if a command should be auto-approved (safe, read-only).
-
-    A command is auto-approved when:
-    1. It contains no chaining/redirection operators
-    2. The command name is in SAFE_COMMAND_RULES
-    3. If gated (has a set of safe subcommands), the first argument
-       matches an entry in the set
-    4. If always-safe (None), it's approved with or without args
-
-    Args:
-        command: Command string to validate
-
-    Returns:
-        bool: True if the command is safe to auto-approve
-    """
-    command = command.strip()
-    if not command:
-        return False
-
-    # Strip "powershell " prefix if present (legacy support for Windows users)
-    if command.lower().startswith("powershell "):
-        command = command[len("powershell "):].strip()
-
-    # Reject any command containing chaining/redirection operators
-    if CHAINING_OPERATORS.search(command):
-        return False
-
-    # Tokenize and get command name
-    tokens = _tokenize(command)
-    if not tokens:
-        return False
-
-    cmd_name = _normalize_command_name(tokens[0])
-
-    # Look up in rules (deny-by-default)
-    if cmd_name not in SAFE_COMMAND_RULES:
-        # Unknown command — require approval
-        return False
-
-    rule = SAFE_COMMAND_RULES[cmd_name]
-    if rule is None:
-        # Always-safe command (e.g., ps, pwd)
-        return True
-
-    if not rule:
-        # Empty frozenset — no safe subcommands defined, deny
-        return False
-
-    # Gated command — need at least one subcommand arg
-    if len(tokens) < 2:
-        return False
-
-    # Check first argument against safe subcommand set
-    first_arg = tokens[1]
-
-    # Special case: "service <name> status" — the safe subcommand is the LAST arg
-    if cmd_name == "service" and len(tokens) >= 3 and tokens[-1].lower() == "status":
-        return True
-
-    if not _matches_safe_subcommand(first_arg, rule):
-        return False
-
-    # Deep scan: for commands with known mutating sub-subcommands,
-    # reject if any remaining token matches the deny list.
-    deny_set = _DEEP_SCAN_RULES.get(cmd_name)
-    if deny_set and len(tokens) > 2:
-        for tok in tokens[2:]:
-            if tok.lower() in deny_set:
-                return False
-
-    return True

package/src/utils/settings.py

@@ -1,195 +0,0 @@
-"""Centralized configuration for bone-agent."""
-import re
-from dataclasses import dataclass, field
-from pathlib import Path
-from typing import Set
-
-# Load config from llm.config
-# Note: src/ is added to sys.path in main.py, so we can import directly
-from llm.config import _CONFIG
-
-# Styles and themes
-from pygments.styles.monokai import MonokaiStyle
-
-
-class MonokaiDarkBGStyle(MonokaiStyle):
-    """Monokai style with dark background for code highlighting."""
-    background_color = "#141414"
-
-
-_HEADING_RE = re.compile(r'^(#{1,6})\s+(.+)$', re.MULTILINE)
-
-
-def left_align_headings(text: str) -> str:
-    """Strip markdown heading markers to avoid Rich's centering."""
-    return _HEADING_RE.sub(lambda m: m.group(2), text)
-
-
-@dataclass
-class ServerSettings:
-    """Local llama-server configuration."""
-    ngl_layers: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("ngl_layers", 99))
-    ctx_size: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("ctx_size", 8192))
-    n_predict: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("n_predict", 8192))
-    rope_scale: float = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("rope_scale", 1.0))
-    threads: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("threads", 4))
-    batch_size: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("batch_size", 2048))
-    ubatch_size: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("ubatch_size", 512))
-    flash_attn: bool = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("flash_attn", True))
-    health_check_timeout_sec: int = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("health_check_timeout_sec", 120))
-    health_check_interval_sec: float = field(default_factory=lambda: _CONFIG.get("SERVER_SETTINGS", {}).get("health_check_interval_sec", 1.0))
-
-
-@dataclass
-class ToolSettings:
-    """Tool execution limits and defaults."""
-    max_tool_calls: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_tool_calls", 100))
-    command_timeout_sec: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("command_timeout_sec", 30))
-    enable_parallel_execution: bool = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("enable_parallel_execution", True))
-    max_parallel_workers: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_parallel_workers", 10))
-    max_command_output_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_command_output_lines", 100))
-    max_shell_output_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_shell_output_lines", 200))
-    max_file_preview_lines: int = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("max_file_preview_lines", 200))
-    disabled_tools: list = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("disabled_tools", []))
-    hidden_skills: list = field(default_factory=lambda: _CONFIG.get("TOOL_SETTINGS", {}).get("hidden_skills", []))
-
-@dataclass
-class FileSettings:
-    """File scanning and reading limits."""
-    max_file_bytes: int = field(default_factory=lambda: _CONFIG.get("FILE_SETTINGS", {}).get("max_file_bytes", 200_000))
-    max_total_bytes: int = field(default_factory=lambda: _CONFIG.get("FILE_SETTINGS", {}).get("max_total_bytes", 1_500_000))
-    exclude_dirs: Set[str] = None
-
-    def __post_init__(self):
-        if self.exclude_dirs is None:
-            config_exclude = _CONFIG.get("FILE_SETTINGS", {}).get("exclude_dirs")
-            if config_exclude:
-                self.exclude_dirs = set(config_exclude)
-            else:
-                self.exclude_dirs = {".git", ".venv", "llama.cpp", "bin", "__pycache__"}
-
-
-@dataclass
-class ToolCompactionSettings:
-    """Per-message tool result compaction settings."""
-    enable_per_message_compaction: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("enable_per_message_compaction", True))
-    uncompacted_tail_tokens: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("uncompacted_tail_tokens", 40_000))
-    min_tool_blocks: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("min_tool_blocks", 5))
-    compact_failed_tools: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("tool_compaction", {}).get("compact_failed_tools", True))
-
-
-@dataclass
-class SubAgentSettings:
-    """Sub-agent token limits and behavior configuration."""
-    soft_limit_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("soft_limit_tokens", 100_000))
-    hard_limit_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("hard_limit_tokens", 150_000))
-    billed_warning_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("billed_warning_tokens", 200_000))
-    billed_hard_limit_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("billed_hard_limit_tokens", 500_000))
-    enable_compaction: bool = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("enable_compaction", True))
-    compact_trigger_tokens: int = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("compact_trigger_tokens", 50_000))
-    allowed_tools: list = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("allowed_tools", ["rg", "read_file", "list_directory", "web_search"]))
-    allow_active_plugins: bool = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("allow_active_plugins", False))
-    dump_context_on_hard_limit: bool = field(default_factory=lambda: _CONFIG.get("SUB_AGENT_SETTINGS", {}).get("dump_context_on_hard_limit", True))
-
-
-# Context compaction settings
-@dataclass
-class ContextSettings:
-    """Context compaction thresholds and defaults."""
-    compact_trigger_tokens: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("compact_trigger_tokens", 100_000))
-    max_context_window: int = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("max_context_window", 200_000))
-    log_conversations: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("log_conversations", False))
-    conversations_dir: str = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("conversations_dir", "conversations"))
-    notify_auto_compaction: bool = field(default_factory=lambda: _CONFIG.get("CONTEXT_SETTINGS", {}).get("notify_auto_compaction", True))
-    tool_compaction: ToolCompactionSettings = field(default_factory=ToolCompactionSettings)
-    hard_limit_tokens: int = field(init=False, repr=False)
-
-    def __post_init__(self):
-        _ctx = _CONFIG.get("CONTEXT_SETTINGS", {})
-        if "hard_limit_tokens" in _ctx:
-            self.hard_limit_tokens = _ctx["hard_limit_tokens"]
-        else:
-            self.hard_limit_tokens = int(self.max_context_window * 0.9)
-
-
-@dataclass
-class PromptSettings:
-    """Prompt variant selection."""
-    variant: str = field(default_factory=lambda: _CONFIG.get("PROMPT_SETTINGS", {}).get("variant", "micro"))
-
-
-@dataclass
-class DreamSettings:
-    """Dream memory consolidation settings."""
-    enabled: bool = field(default_factory=lambda: _CONFIG.get("DREAM_SETTINGS", {}).get("enabled", True))
-
-
-@dataclass
-class ObsidianSettings:
-    """Obsidian vault integration settings.
-
-    Supports runtime updates via update() method for /obsidian commands.
-    """
-    vault_path: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("vault_path", ""))
-    enabled: bool = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("enabled", False))
-    exclude_folders: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("exclude_folders", ".obsidian,.trash,node_modules,.git,__pycache__"))
-    project_base: str = field(default_factory=lambda: _CONFIG.get("OBSIDIAN_SETTINGS", {}).get("project_base", "Dev"))
-
-    def update(self, **kwargs):
-        """Update settings fields at runtime.
-
-        Args:
-            **kwargs: Field names and values to update
-        """
-        from dataclasses import fields
-        valid_keys = {f.name for f in fields(self)}
-        for key, value in kwargs.items():
-            if key in valid_keys:
-                setattr(self, key, value)
-
-    def is_configured(self) -> bool:
-        """Check if Obsidian integration is configured in settings.
-
-        Returns:
-            True if enabled and vault_path is set (does NOT validate disk)
-        """
-        return self.enabled and bool(self.vault_path)
-
-    def is_active(self) -> bool:
-        """Check if Obsidian integration is fully operational.
-
-        Validates the vault path exists on disk and contains .obsidian/.
-
-        Returns:
-            True if enabled, vault_path is set, and vault is valid on disk
-        """
-        if not self.enabled or not self.vault_path:
-            return False
-        root = Path(self.vault_path).resolve()
-        if not root.is_dir():
-            return False
-        return (root / ".obsidian").is_dir()
-
-    @property
-    def exclude_folders_list(self) -> list:
-        """Return exclude_folders as a pre-parsed list of strings.
-
-        Avoids repeated str.split(",") on every rg call.
-        """
-        return [f.strip() for f in self.exclude_folders.split(",") if f.strip()]
-
-
-# Global instances
-server_settings = ServerSettings()
-tool_settings = ToolSettings()
-file_settings = FileSettings()
-context_settings = ContextSettings()
-sub_agent_settings = SubAgentSettings()
-dream_settings = DreamSettings()
-obsidian_settings = ObsidianSettings()
-prompt_settings = PromptSettings()
-# Tool execution constants
-MAX_TOOL_CALLS = tool_settings.max_tool_calls
-MAX_COMMAND_OUTPUT_LINES = tool_settings.max_command_output_lines
-MAX_SHELL_OUTPUT_LINES = tool_settings.max_shell_output_lines
-MAX_FILE_PREVIEW_LINES = tool_settings.max_file_preview_lines

package/src/utils/user_message_logger.py

@@ -1,120 +0,0 @@
-"""Lightweight user-message logger for the dream memory system.
-
-Appends one JSONL line per user message, one file per day per project.
-Always on by default — no toggle needed.
-"""
-
-import hashlib
-import json
-import logging
-from datetime import datetime, timedelta
-from pathlib import Path
-
-logger = logging.getLogger(__name__)
-
-# Base directory for daily message logs
-CONVERSATIONS_DIR = Path.home() / ".bone" / "conversations"
-RETENTION_DAYS = 7
-
-
-def _project_suffix(project_dir: Path) -> str:
-    """Generate a short suffix from a project directory path.
-
-    Format: {dirname}_{first 6 chars of SHA256(path)}
-    Avoids collisions between repos with the same folder name.
-    """
-    path_str = str(project_dir.resolve())
-    h = hashlib.sha256(path_str.encode()).hexdigest()[:6]
-    return f"{project_dir.name}_{h}"
-
-
-PROJECT_INDEX_FILE = CONVERSATIONS_DIR / ".project_index.jsonl"
-
-
-def _register_project(key: str, project_dir: Path) -> None:
-    """Append a key→path mapping to the project index if not already present."""
-    resolved = str(project_dir.resolve())
-    # Check if this key already maps to this path
-    if PROJECT_INDEX_FILE.exists():
-        with open(PROJECT_INDEX_FILE, "r", encoding="utf-8") as f:
-            for line in f:
-                try:
-                    entry = json.loads(line)
-                except json.JSONDecodeError:
-                    continue
-                if entry.get("key") == key and entry.get("path") == resolved:
-                    return  # Already indexed
-    PROJECT_INDEX_FILE.parent.mkdir(parents=True, exist_ok=True)
-    with open(PROJECT_INDEX_FILE, "a", encoding="utf-8") as f:
-        f.write(json.dumps({"key": key, "path": resolved}) + "\n")
-
-
-class UserMessageLogger:
-    """Logs user messages to daily JSONL files for later dream processing.
-
-    When a project_dir is provided, messages go to a per-project file:
-        {date}__{dirname}_{hash}.jsonl
-    Without a project_dir, messages go to the catch-all:
-        {date}.jsonl
-    """
-
-    def __init__(self, conversations_dir: Path | None = None):
-        self._dir = conversations_dir or CONVERSATIONS_DIR
-        self._dir.mkdir(parents=True, exist_ok=True)
-
-    def log_user_message(self, content: str, project_dir: Path | None = None) -> None:
-        """Append a single user message to today's JSONL file.
-
-        Args:
-            content: The user message text.
-            project_dir: Optional project root directory. If provided,
-                messages are written to a per-project file.
-
-        Opens in append mode and flushes immediately for crash safety.
-        Each message is one self-contained JSON line.
-        """
-        today = datetime.now().strftime("%Y-%m-%d")
-        if project_dir:
-            suffix = _project_suffix(project_dir)
-            _register_project(suffix, project_dir)
-            filepath = self._dir / f"{today}__{suffix}.jsonl"
-        else:
-            filepath = self._dir / f"{today}.jsonl"
-        entry = {"ts": datetime.now().isoformat(), "msg": content}
-        with open(filepath, "a", encoding="utf-8") as f:
-            f.write(json.dumps(entry, ensure_ascii=False) + "\n")
-
-    @staticmethod
-    def cleanup_old_files(directory: Path | None = None, retention_days: int = RETENTION_DAYS) -> int:
-        """Delete JSONL files older than retention_days. Returns count of files removed."""
-        target_dir = directory or CONVERSATIONS_DIR
-        if not target_dir.exists():
-            return 0
-
-        cutoff = datetime.now() - timedelta(days=retention_days)
-        removed = 0
-        surviving = set()
-        for f in target_dir.glob("*.jsonl"):
-            if f.stat().st_mtime < cutoff.timestamp():
-                f.unlink()
-                removed += 1
-                logger.debug("Removed old conversation log: %s", f.name)
-            else:
-                surviving.add(f.name)
-
-        # Prune stale entries from the project index
-        index_file = target_dir / ".project_index.jsonl"
-        if index_file.exists():
-            kept: list[str] = []
-            for line in index_file.read_text(encoding="utf-8").splitlines():
-                try:
-                    entry = json.loads(line)
-                except json.JSONDecodeError:
-                    continue
-                key = entry.get("key", "")
-                # Keep entry if any file matching its key still exists
-                if any(key in name for name in surviving):
-                    kept.append(line)
-            index_file.write_text("\n".join(kept) + ("\n" if kept else ""), encoding="utf-8")
-
-        return removed