calvyn-code 0.14.5 → 0.14.6

package/cli.py

@@ -23,15 +23,17 @@ except ModuleNotFoundError:
     # means UTF-8 stdio setup is skipped on Windows; POSIX is unaffected.
     pass
 
-import logging
-import os
-import shutil
-import sys
-import json
-import re
-import concurrent.futures
-import base64
-import atexit
+import logging
+import os
+import shutil
+import sys
+import json
+import re
+import concurrent.futures
+import base64
+import hashlib
+import secrets
+import atexit
 import errno
 import tempfile
 import time
@@ -2452,7 +2454,7 @@ def _parse_skills_argument(skills: str | list[str] | tuple[str, ...] | None) ->
     return parsed
 
 
-def save_config_value(key_path: str, value: any) -> bool:
+def save_config_value(key_path: str, value: any) -> bool:
     """
     Save a value to the active config file at the specified key path.
     
@@ -2488,9 +2490,50 @@ def save_config_value(key_path: str, value: any) -> bool:
             pass
         
         return True
-    except Exception as e:
-        logger.error("Failed to save config: %s", e)
-        return False
+    except Exception as e:
+        logger.error("Failed to save config: %s", e)
+        return False
+
+
+def _ensure_dev_access_gate() -> None:
+    """Require a one-time dev access code and persist the approval."""
+    try:
+        cfg = load_cli_config() or {}
+        security_cfg = cfg.get("security", {}) if isinstance(cfg, dict) else {}
+        if not isinstance(security_cfg, dict):
+            security_cfg = {}
+        if not security_cfg.get("dev_access_required", True):
+            return
+        if security_cfg.get("dev_access_granted", False):
+            return
+
+        access_code_hash = str(security_cfg.get("dev_access_code_hash") or "").strip().lower()
+        generated_code = ""
+        if not access_code_hash:
+            generated_code = f"CALVYN-{secrets.token_hex(3).upper()}-{secrets.token_hex(3).upper()}"
+            access_code_hash = hashlib.sha256(generated_code.encode("utf-8")).hexdigest()
+            save_config_value("security.dev_access_code_hash", access_code_hash)
+
+        print()
+        print("╔══════════════════════════════════════════════════════════════════════════════╗")
+        print("║                           CALVYN DEV АВТОРИЗАЦИЯ                           ║")
+        print("╠══════════════════════════════════════════════════════════════════════════════╣")
+        print("║ Доступ к режиму разработки защищен одноразовым кодом.                      ║")
+        if generated_code:
+            print("║ Новый секретный код сгенерирован и сохранен в виде хэша.                   ║")
+            print(f"║ Код для первого входа: {generated_code:<42}║")
+        else:
+            print("║ Код уже сохранен в системе. Введите секретный ключ для разблокировки.      ║")
+        print("╚══════════════════════════════════════════════════════════════════════════════╝")
+        entered = input("Код доступа: ").strip()
+        entered_hash = hashlib.sha256(entered.encode("utf-8")).hexdigest()
+        if entered_hash != access_code_hash:
+            raise SystemExit("Неверный код доступа.")
+        save_config_value("security.dev_access_granted", True)
+    except SystemExit:
+        raise
+    except Exception as exc:
+        print(f"⚠ Dev-доступ не проверен: {exc}")
 
 
 
@@ -13925,13 +13968,15 @@ def main(
     # This enables interactive sudo password prompts with timeout
     os.environ["HERMES_INTERACTIVE"] = "1"
     
-    # Handle gateway mode (messaging + cron)
-    if gateway:
-        import asyncio
-        from gateway.run import start_gateway
-        print("Starting Hermes Gateway (messaging platforms)...")
-        asyncio.run(start_gateway())
-        return
+    # Handle gateway mode (messaging + cron)
+    if gateway:
+        import asyncio
+        from gateway.run import start_gateway
+        print("Starting Hermes Gateway (messaging platforms)...")
+        asyncio.run(start_gateway())
+        return
+
+    _ensure_dev_access_gate()
 
     # Skip worktree for list commands (they exit immediately)
     if not list_tools and not list_toolsets:

package/hermes_cli/__init__.py

@@ -14,7 +14,7 @@ Provides subcommands for:
 import os
 import sys
 
-__version__ = "0.14.1"
+__version__ = "0.1.0"
 __release_date__ = "2026.5.16"
 
 

package/hermes_cli/config.py

@@ -473,7 +473,7 @@ DEFAULT_CONFIG = {
     "providers": {},
     "fallback_providers": [],
     "credential_pool_strategies": {},
-    "toolsets": ["hermes-cli"],
+    "toolsets": ["hermes-cli", "web", "browser"],
     "agent": {
         "max_turns": 90,
         # Inactivity timeout for gateway agent execution (seconds).
@@ -650,10 +650,11 @@ DEFAULT_CONFIG = {
         "allow_private_urls": False,  # Allow navigating to private/internal IPs (localhost, 192.168.x.x, etc.)
         # Browser engine for local mode.  Passed as ``--engine <value>`` to
         # agent-browser v0.25.3+.
-        # "auto"       — use Chrome (default, don't pass --engine at all)
-        # "lightpanda" — use Lightpanda (1.3-5.8x faster navigation, no screenshots)
-        # "chrome"     — explicitly request Chrome
-        # Also settable via AGENT_BROWSER_ENGINE env var.
+        # "auto"       - use Chrome (default, don't pass --engine at all)
+        # "lightpanda" - use Lightpanda (1.3-5.8x faster navigation, no screenshots)
+        # "chrome"     - explicitly request Chrome
+        # "puppeteer"  - route local browser execution through Puppeteer Chrome
+        # Also settable via AGENT_BROWSER_ENGINE env var.
         "engine": "auto",
         "auto_local_for_private_urls": True,  # When a cloud provider is set, auto-spawn local Chromium for LAN/localhost URLs instead of sending them to the cloud
         "cdp_url": "",  # Optional persistent CDP endpoint for attaching to an existing Chromium/Chrome
@@ -1395,18 +1396,21 @@ DEFAULT_CONFIG = {
     "personalities": {},
 
     # Pre-exec security scanning via tirith
-    "security": {
-        "allow_private_urls": False,  # Allow requests to private/internal IPs (for OpenWrt, proxies, VPNs)
-        "redact_secrets": True,
-        "tirith_enabled": True,
-        "tirith_path": "tirith",
-        "tirith_timeout": 5,
-        "tirith_fail_open": True,
-        "website_blocklist": {
-            "enabled": False,
-            "domains": [],
-            "shared_files": [],
-        },
+    "security": {
+        "allow_private_urls": False,  # Allow requests to private/internal IPs (for OpenWrt, proxies, VPNs)
+        "redact_secrets": True,
+        "tirith_enabled": True,
+        "tirith_path": "tirith",
+        "tirith_timeout": 5,
+        "tirith_fail_open": True,
+        "dev_access_required": True,
+        "dev_access_code_hash": "",
+        "dev_access_granted": False,
+        "website_blocklist": {
+            "enabled": False,
+            "domains": [],
+            "shared_files": [],
+        },
         # Acknowledged supply-chain security advisories. Each entry is the
         # ID of an advisory the user has read and acted on (uninstalled the
         # compromised package, rotated credentials). Acked advisories no

package/hermes_cli/doctor.py

@@ -1214,12 +1214,12 @@ def run_doctor(args):
                         if sys.platform == "win32":
                             check_info(
                                 f"Install with: cd {PROJECT_ROOT} && "
-                                "npx playwright install chromium"
+                            "npx playwright install chromium && npm install puppeteer"
                             )
                         else:
                             check_info(
                                 f"Install with: cd {PROJECT_ROOT} && "
-                                "npx playwright install --with-deps chromium"
+                            "npx playwright install --with-deps chromium && npm install puppeteer"
                             )
     elif _is_termux():
         check_info("Node.js not found (browser tools are optional in the tested Termux path)")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "calvyn-code",
-  "version": "0.14.5",
+  "version": "0.14.6",
   "description": "Calvyn Code — AI агент с инструментами, мессенджерами и локальным CLI",
   "bin": {
     "calvyn": "./bin/calvyn.js",
@@ -33,7 +33,8 @@
   },
   "dependencies": {
     "@askjo/camofox-browser": "^1.5.2",
-    "agent-browser": "^0.26.0"
+    "agent-browser": "^0.26.0",
+    "puppeteer": "^25.0.2"
   },
   "overrides": {
     "lodash": "4.18.1"

package/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "calvyn-code"
-version = "0.14.2"
+version = "0.1.0"
 description = "The self-improving AI agent — creates skills from experience, improves them during use, and runs anywhere"
 readme = "README.md"
 requires-python = ">=3.11"

package/tools/browser_tool.py

@@ -520,15 +520,15 @@ _auto_local_for_private_urls_resolved = False
 _cached_auto_local_for_private_urls: bool = True
 
 
-def _get_browser_engine() -> str:
-    """Return the configured browser engine (``auto``, ``lightpanda``, or ``chrome``).
+def _get_browser_engine() -> str:
+    """Return the configured browser engine (``auto``, ``lightpanda``, ``chrome``, or ``puppeteer``).
 
     Reads ``config["browser"]["engine"]`` once and caches the result.
     Falls back to the ``AGENT_BROWSER_ENGINE`` env var, then ``auto``.
 
     ``auto`` means: don't pass ``--engine`` at all (agent-browser defaults to
-    Chrome).  ``lightpanda`` or ``chrome`` are forwarded as
-    ``--engine <value>`` to agent-browser v0.25.3+.
+    Chrome).  ``lightpanda``, ``chrome``, or ``puppeteer`` are forwarded as
+    ``--engine <value>`` to agent-browser v0.25.3+.
 
     Lightpanda is 1.3-5.8x faster on navigation but has no graphical
     renderer (no screenshots).
@@ -556,8 +556,10 @@ def _get_browser_engine() -> str:
         if env_val:
             _cached_browser_engine = env_val
 
-    # Validate: agent-browser only accepts "chrome" and "lightpanda".
-    _VALID_ENGINES = {"auto", "lightpanda", "chrome"}
+    # Validate against the engines we intentionally expose in Calvyn.
+    # ``puppeteer`` currently maps to the Chrome local path while the Node
+    # dependency is managed explicitly in package.json for npm installs.
+    _VALID_ENGINES = {"auto", "lightpanda", "chrome", "puppeteer"}
     if _cached_browser_engine not in _VALID_ENGINES:
         logger.warning(
             "Unknown browser engine %r (valid: %s), falling back to 'auto'",
@@ -565,7 +567,10 @@ def _get_browser_engine() -> str:
         )
         _cached_browser_engine = "auto"
 
-    return _cached_browser_engine
+    if _cached_browser_engine == "puppeteer":
+        return "chrome"
+
+    return _cached_browser_engine
 
 
 def _should_inject_engine(engine: str) -> bool: