boxsafe 1.0.0

package/core/auth/dasktop/cred/CRED.md

@@ -0,0 +1,112 @@
+# Credenciais Linux (credLinux)
+
+Módulo para gerenciar credenciais usando o **secret-tool** do Linux (keyring nativo).
+
+## Requisitos
+
+- Linux com `secret-tool` instalado (já vem na maioria das distros)
+- Funciona em qualquer desktop environment (GNOME, KDE, XFCE, etc.)
+
+## Importação
+
+```typescript
+import { saveCredLinux, getCredLinux, deleteCredLinux } from '@memo/desktop/pass';
+```
+
+## Funções
+
+### `saveCredLinux()`
+
+Salva uma credencial no keyring do sistema.
+
+```typescript
+const success = await saveCredLinux({
+  password: 'minha-senha-secreta',
+  label: 'GitHub Token',
+  account: 'gh-token',
+  service: 'meu-app' // opcional, default: 'box-safe'
+});
+
+// Retorna: true (sucesso) | false (erro)
+```
+
+### `getCredLinux()`
+
+Recupera uma credencial salva.
+
+```typescript
+const token = await getCredLinux({
+  account: 'gh-token',
+  service: 'meu-app' // opcional, default: 'box-safe'
+});
+
+// Retorna: string (senha) | null (não encontrada)
+```
+
+### `deleteCredLinux()`
+
+Remove uma credencial do keyring.
+
+```typescript
+const deleted = await deleteCredLinux({
+  account: 'gh-token',
+  service: 'meu-app' // opcional, default: 'box-safe'
+});
+
+// Retorna: true (sucesso) | false (erro)
+```
+
+## Exemplo Completo
+
+```typescript
+// Salvar API key
+await saveCredLinux({
+  password: 'sk-xxxxxxxxxxxxx',
+  label: 'OpenAI API Key',
+  account: 'openai-key'
+});
+
+// Usar depois
+const apiKey = await getCredLinux({ account: 'openai-key' });
+if (apiKey) {
+  console.log('Key encontrada:', apiKey);
+}
+
+// Limpar quando não precisar mais
+await deleteCredLinux({ account: 'openai-key' });
+```
+
+## Parâmetros
+
+### CredentialArgs (save)
+- `password`: senha/token a salvar
+- `label`: descrição amigável (aparece na GUI do keyring)
+- `account`: identificador único da credencial
+- `service`: (opcional) nome do app/serviço (default: `box-safe`)
+
+### LookupArgs (get/delete)
+- `account`: identificador da credencial
+- `service`: (opcional) nome do app/serviço (default: `box-safe`)
+
+## Onde ficam salvos?
+
+As credenciais são criptografadas e salvas em:
+```
+~/.local/share/keyrings/
+```
+
+Você pode visualizar usando `seahorse` (GNOME) ou a GUI do seu keyring.
+
+## Logs
+
+O módulo só loga erros no console. Se algo falhar:
+- `saveCredLinux`: retorna `false`
+- `getCredLinux`: retorna `null`
+- `deleteCredLinux`: retorna `false`
+
+Tratamento de erro fica por sua conta.
+
+
+## WINDOWS
+for windows we use keytar
+

package/core/auth/dasktop/cred/credLinux.ts

@@ -0,0 +1,82 @@
+/***
+ * @fileoverview
+ * Manages credentials using Linux secret-tool
+ * @module
+ * memo/desktop/pass
+ ***/
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import { ANSI } from '@util/ANSI';
+import { Logger } from '@core/util/logger';
+
+const execAsync = promisify(exec);
+
+interface CredentialArgs {
+  password: string;
+  label: string;
+  account: string;
+  service?: string;
+}
+
+interface LookupArgs {
+  account: string;
+  service?: string;
+}
+
+const DEFAULT_SERVICE = 'box-safe';
+const logger = Logger.createModuleLogger('CredentialManager');
+
+/**
+ * Saves credential to the system keyring
+ */
+export async function setCredLinux({
+  password,
+  label,
+  account,
+  service = DEFAULT_SERVICE,
+}: CredentialArgs): Promise<boolean> {
+  try {
+    await execAsync(
+      `echo -n "${password}" | secret-tool store --label="${label}" service ${service} account ${account}`
+    );
+    return true;
+  } catch (err) {
+    logger.error(`Failed to save credential: ${err}`);
+    return false;
+  }
+}
+
+/**
+ * Retrieves credential from the keyring
+ */
+export async function getCredLinux({
+  account,
+  service = DEFAULT_SERVICE,
+}: LookupArgs): Promise<string | null> {
+  try {
+    const { stdout } = await execAsync(
+      `secret-tool lookup service ${service} account ${account}`
+    );
+    return stdout.trim();
+  } catch (err) {
+    logger.error(`Credential not found: ${account}`);
+    return null;
+  }
+}
+
+/**
+ * Deletes credential from the keyring
+ */
+export async function deleteCredLinux({
+  account,
+  service = DEFAULT_SERVICE,
+}: LookupArgs): Promise<boolean> {
+  try {
+    await execAsync(`secret-tool clear service ${service} account ${account}`);
+    return true;
+  } catch (err) {
+    logger.error(`Failed to delete credential: ${account}`);
+    return false;
+  }
+}
+

package/core/auth/dasktop/cred/credWin.ts

@@ -0,0 +1,2 @@
+
+// import keytar from 'keytar'; // use to set, get, delete credentials in windows  

package/core/config/defaults/boxsafeDefaults.ts

@@ -0,0 +1,67 @@
+// Types will be imported from loadConfig to avoid external dependencies
+
+export const DEFAULT_BOXSAFE_CONFIG = {
+  project: {
+    workspace: './',
+    testDir: './',
+    versionControl: {
+      before: false,
+      after: false,
+      generateNotes: false,
+    },
+  },
+  model: {
+    primary: {
+      provider: 'google',
+      name: 'gemini-2.5-flash',
+    },
+    fallback: [],
+    endpoint: null,
+    parameters: {},
+  },
+  smartRotation: {
+    enabled: false,
+    simple: [],
+    complex: [],
+  },
+  limits: {
+    tokens: 100000,
+    loops: 10,
+    timeout: {
+      enabled: false,
+      duration: '1h',
+      notify: true,
+    },
+  },
+  sandbox: {
+    enabled: true,
+    engine: 'docker',
+    memory: '512m',
+    cpu: 0.5,
+    network: 'none',
+  },
+  commands: {
+    setup: 'npm install',
+    run: 'echo OK',
+    test: null,
+    timeoutMs: 60_000,
+  },
+  interface: {
+    channel: 'terminal',
+    prompt: '',
+    notifications: {
+      whatsapp: false,
+      telegram: false,
+      slack: false,
+      email: false,
+    },
+  },
+  paths: {
+    generatedMarkdown: './memo/generated/codelog.md',
+    artifactOutput: './out.ts',
+  },
+  teach: {
+    urls: [],
+    files: [],
+  },
+};

package/core/config/defaults/index.ts

@@ -0,0 +1 @@
+export { DEFAULT_BOXSAFE_CONFIG } from './boxsafeDefaults';

package/core/config/loadConfig.ts

@@ -0,0 +1,133 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { DEFAULT_BOXSAFE_CONFIG } from '@core/config/defaults';
+
+// Local types to maintain core independence
+export interface BoxSafeConfig {
+  project?: {
+    workspace?: string;
+    testDir?: string;
+    versionControl?: {
+      before?: boolean;
+      after?: boolean;
+      autoPush?: boolean;
+      generateNotes?: boolean;
+    };
+  };
+  model?: {
+    primary?: {
+      provider?: string;
+      name?: string;
+    };
+    fallback?: any[];
+    endpoint?: any;
+    parameters?: Record<string, any>;
+  };
+  smartRotation?: {
+    enabled?: boolean;
+    simple?: any[];
+    complex?: any[];
+  };
+  limits?: {
+    tokens?: number;
+    loops?: number;
+    timeout?: {
+      enabled?: boolean;
+      duration?: string;
+      notify?: boolean;
+    };
+  };
+  sandbox?: {
+    enabled?: boolean;
+    engine?: string;
+    memory?: string;
+    cpu?: number;
+    network?: string;
+  };
+  commands?: {
+    setup?: string;
+    run?: string;
+    test?: string | null;
+    timeoutMs?: number;
+  };
+  interface?: {
+    channel?: string;
+    prompt?: string;
+    notifications?: {
+      whatsapp?: boolean;
+      telegram?: boolean;
+      slack?: boolean;
+      email?: boolean;
+    };
+  };
+  paths?: {
+    generatedMarkdown?: string;
+    artifactOutput?: string;
+  };
+  teach?: {
+    urls?: string[];
+    files?: string[];
+  };
+}
+
+export type NormalizedBoxSafeConfig = Omit<BoxSafeConfig, 'limits'> & {
+  limits?: Omit<NonNullable<BoxSafeConfig['limits']>, 'loops'> & {
+    loops?: number;
+  };
+};
+
+type LoadConfigResult = {
+  config: NormalizedBoxSafeConfig;
+  source: { path: string; loaded: boolean };
+};
+
+function isPlainObject(v: unknown): v is Record<string, unknown> {
+  return Boolean(v) && typeof v === 'object' && !Array.isArray(v);
+}
+
+function deepMerge<T>(base: T, override: unknown): T {
+  if (!isPlainObject(base) || !isPlainObject(override)) return (override ?? base) as T;
+
+  const out: Record<string, unknown> = { ...(base as any) };
+  for (const [k, v] of Object.entries(override)) {
+    const bv = (base as any)[k];
+    if (isPlainObject(bv) && isPlainObject(v)) out[k] = deepMerge(bv, v);
+    else out[k] = v;
+  }
+  return out as T;
+}
+
+function normalizeLoops(v: unknown, fallback: number): number {
+  if (typeof v === 'number' && Number.isFinite(v)) return v;
+  if (typeof v === 'string') {
+    const trimmed = v.trim().toLowerCase();
+    if (trimmed === 'infinity') return Number.MAX_SAFE_INTEGER;
+    const n = Number(trimmed);
+    if (Number.isFinite(n)) return n;
+  }
+  return fallback;
+}
+
+export function loadBoxSafeConfig(configPath?: string): LoadConfigResult {
+  const p = configPath ?? path.resolve(process.cwd(), 'boxsafe.config.json');
+
+  let rawConfig: unknown = null;
+  try {
+    if (fs.existsSync(p)) {
+      rawConfig = JSON.parse(fs.readFileSync(p, 'utf-8'));
+    }
+  } catch {
+    rawConfig = null;
+  }
+
+  const merged = deepMerge(DEFAULT_BOXSAFE_CONFIG, rawConfig ?? {});
+
+  const loopsFallback = typeof DEFAULT_BOXSAFE_CONFIG.limits?.loops === 'number' ? DEFAULT_BOXSAFE_CONFIG.limits.loops : 2;
+  if (!merged.limits) merged.limits = {} as any;
+  (merged.limits as any).loops = normalizeLoops((merged.limits as any).loops, loopsFallback);
+
+  return {
+    config: merged as NormalizedBoxSafeConfig,
+    source: { path: p, loaded: Boolean(rawConfig) },
+  };
+}

package/core/loop/about.md

@@ -0,0 +1,13 @@
+Execução
+  ↓
+[exit code]
+  ↓
+[stderr crítico]
+  ↓
+[contrato de saída]
+  ↓
+[testes]
+  ↓
+[verificações semânticas]
+  ↓
+✅ SUCESSO

package/core/loop/boxConfig.ts

@@ -0,0 +1,20 @@
+import { loadBoxSafeConfig } from '@core/config/loadConfig';
+import type { NormalizedBoxSafeConfig } from '@core/config/loadConfig';
+
+export function loadBoxConfig(configPath?: string): NormalizedBoxSafeConfig {
+  return loadBoxSafeConfig(configPath).config;
+}
+
+export function getVersionControlFlags(boxConfig: NormalizedBoxSafeConfig): {
+  vcBefore: boolean;
+  vcAfter: boolean;
+  vcGenerateNotes: boolean;
+  vcAutoPushConfig: boolean;
+} {
+  return {
+    vcBefore: Boolean(boxConfig.project?.versionControl?.before ?? false),
+    vcAfter: Boolean(boxConfig.project?.versionControl?.after ?? false),
+    vcGenerateNotes: Boolean(boxConfig.project?.versionControl?.generateNotes ?? false),
+    vcAutoPushConfig: Boolean(boxConfig.project?.versionControl?.autoPush ?? false),
+  };
+}

package/core/loop/buildExecCommand.ts

@@ -0,0 +1,76 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { Logger } from '@core/util/logger';
+import { ANSI } from '@util/ANSI';
+
+type AnsiLike = { Cyan: string; Yellow: string; Reset: string };
+
+type BuildExecCommandArgs = {
+  cmd: any;
+  lang: string;
+  pathOutput: string;
+};
+
+const logger = Logger.createModuleLogger('BuildExecCommand');
+
+export async function buildExecCommand({ cmd, lang, pathOutput }: BuildExecCommandArgs): Promise<any> {
+  // If caller left the default `echo OK`, automatically run the
+  // generated output file according to the requested language so the
+  // loop actually executes the produced artifact.
+  let execCmd = cmd;
+  if (typeof cmd === 'string' && cmd === 'echo OK') {
+    if (lang === 'ts') execCmd = ['tsx', [pathOutput]];
+    else if (lang === 'js') execCmd = ['node', [pathOutput]];
+    else if (lang === 'py' || lang === 'python') execCmd = ['python', [pathOutput]];
+    else if (lang === 'sh' || lang === 'bash' || lang === 'shell') execCmd = ['bash', [pathOutput]];
+    else execCmd = `${pathOutput}`;
+
+    const display = typeof execCmd === 'string' ? execCmd : Array.isArray(execCmd) ? `${execCmd[0]} ${execCmd[1].join(' ')}` : String(execCmd);
+    logger.info(`auto-executing generated file with: ${display}`);
+  }
+
+  // If executing JS: check for CommonJS usage (require) and project type=module.
+  try {
+    const isNodeExec =
+      lang === 'js' &&
+      ((typeof execCmd === 'string' && execCmd.trimStart().startsWith('node ')) ||
+        (Array.isArray(execCmd) && String(execCmd[0]) === 'node'));
+
+    if (isNodeExec) {
+      const pkgPath = path.join(process.cwd(), 'package.json');
+      let isModuleType = false;
+      try {
+        if (fs.existsSync(pkgPath)) {
+          const pkgRaw = fs.readFileSync(pkgPath, 'utf-8');
+          const pkg = JSON.parse(pkgRaw);
+          isModuleType = pkg.type === 'module';
+        }
+      } catch {
+        isModuleType = false;
+      }
+
+      const outContent = fs.readFileSync(pathOutput, 'utf-8');
+      if (isModuleType && /\brequire\s*\(/.test(outContent) && path.extname(pathOutput) === '.js') {
+        const newPath = pathOutput.replace(/\.js$/, '.cjs');
+        try {
+          await fs.promises.rename(pathOutput, newPath);
+          execCmd = ['node', [newPath]];
+          logger.info(`renamed output to ${newPath} for CommonJS compatibility`);
+          // create a minimal ESM wrapper at the original path so artifact exists
+          try {
+            const wrapper = `import { spawnSync } from 'node:child_process';\nimport path from 'node:path';\nconst target = path.join(path.dirname(new URL(import.meta.url).pathname), '${path.basename(newPath)}');\nconst res = spawnSync('node', [target], { stdio: 'inherit' });\nif (res.error) throw res.error;\nprocess.exit(res.status ?? 0);\n`;
+            await fs.promises.writeFile(pathOutput, wrapper, 'utf-8');
+          } catch {
+            // ignore
+          }
+        } catch {
+          logger.warn(`failed to rename file`);
+        }
+      }
+    }
+  } catch {
+    // non-fatal
+  }
+
+  return execCmd;
+}

package/core/loop/cmd/execode.ts

@@ -0,0 +1,121 @@
+import { spawn } from "node:child_process";
+import { mkdir, writeFile } from "node:fs/promises";
+import type { CommandRun } from "../../../types";
+import type { ExecResult } from "@core/loop/waterfall";
+import { STATES_LOGS_DIR, STATES_LOG_FILE } from "@core/paths/paths";
+
+type ExecodeOptions = {
+  timeoutMs?: number;
+  allowUnsafeShell?: boolean;
+};
+
+const DEFAULT_MAX_RUNTIME_MS = 60_000;
+
+function getEffectiveTimeoutMs(timeoutMs?: number): number {
+  const fromEnv = process.env.BOXSAFE_CMD_TIMEOUT_MS ? Number(process.env.BOXSAFE_CMD_TIMEOUT_MS) : NaN;
+  if (Number.isFinite(fromEnv) && fromEnv > 0) return fromEnv;
+  if (typeof timeoutMs === 'number' && Number.isFinite(timeoutMs) && timeoutMs > 0) return timeoutMs;
+  return DEFAULT_MAX_RUNTIME_MS;
+}
+
+function containsShellOperators(s: string): boolean {
+  return /[;&|`]|\$\(|\$\{|>>?|<\(|<|\n|\r/.test(s);
+}
+
+function isObviouslyDangerousCommand(s: string): boolean {
+  const x = s.toLowerCase();
+  return (
+    /\brm\s+-rf\b/.test(x) ||
+    /\bmkfs\b/.test(x) ||
+    /\bdd\b\s+if=/.test(x) ||
+    /\bshutdown\b/.test(x) ||
+    /\breboot\b/.test(x)
+  );
+}
+
+function shouldAllowUnsafeShell(options?: ExecodeOptions): boolean {
+  const fromEnv = process.env.BOXSAFE_ALLOW_UNSAFE_SHELL?.toLowerCase();
+  if (fromEnv === 'true' || fromEnv === '1' || fromEnv === 'yes') return true;
+  return Boolean(options?.allowUnsafeShell);
+}
+
+export async function execode(
+  command: CommandRun,
+  options?: ExecodeOptions
+): Promise<ExecResult> {
+  const maxRuntimeMs = getEffectiveTimeoutMs(options?.timeoutMs);
+  const normalized = normalizeCommand(command);
+  const { cmd, args, useShell } = normalized;
+
+  if (useShell) {
+    const allowUnsafe = shouldAllowUnsafeShell(options);
+    if (!allowUnsafe) {
+      if (containsShellOperators(cmd) || isObviouslyDangerousCommand(cmd)) {
+        const stderr = `Blocked potentially unsafe shell command: ${cmd}`;
+        await mkdir(STATES_LOGS_DIR, { recursive: true });
+        await writeFile(STATES_LOG_FILE, stderr, "utf8");
+        return { exitCode: 126, stdout: "", stderr };
+      }
+    }
+  }
+
+  await mkdir(STATES_LOGS_DIR, { recursive: true });
+
+  return new Promise<ExecResult>((resolve, reject) => {
+    const child = spawn(cmd, args, { shell: useShell });
+
+    let stdout = "";
+    let stderr = "";
+    let timedOut = false;
+
+    child.stdout?.on("data", (data) => {
+      stdout += data.toString();
+    });
+
+    child.stderr?.on("data", (data) => {
+      stderr += data.toString();
+    });
+
+    const timer = setTimeout(() => {
+      timedOut = true;
+      child.kill("SIGTERM");
+    }, maxRuntimeMs);
+
+    child.on("error", (err) => {
+      clearTimeout(timer);
+      reject(err);
+    });
+
+    child.on("close", async (code, signal) => {
+      clearTimeout(timer);
+
+      const log = [
+        `exitCode=${code ?? 0}`,
+        `signal=${signal ?? "none"}`,
+        `timedOut=${timedOut}`,
+        `stdout:`, stdout,
+        `stderr:`, stderr,
+      ].join("\n");
+
+      await writeFile(STATES_LOG_FILE, log, "utf8");
+
+      resolve({
+        exitCode: code ?? 0,
+        stdout,
+        stderr,
+      });
+    });
+  });
+}
+
+function normalizeCommand(
+  command: CommandRun
+): { cmd: string; args: string[]; useShell: boolean } {
+  if (typeof command === "string") {
+    return { cmd: command, args: [], useShell: true };
+  }
+
+  const [cmd, args] = command;
+  return { cmd, args, useShell: false };
+}
+

package/core/loop/cmd/test.js

@@ -0,0 +1,3 @@
+const { Logger } = require('@coreutil/logger');
+const logger = Logger.createModuleLogger('TestJS');
+logger.info("hello world");