careervivid 1.12.45 → 1.12.46

package/dist/agent/instructions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"instructions.d.ts","sourceRoot":"","sources":["../../src/agent/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,eAAO,MAAM,aAAa,QAalB,CAAC;AAMT,eAAO,MAAM,cAAc,QAcnB,CAAC;AAMT,eAAO,MAAM,cAAc,QAgBnB,CAAC;AAMT,eAAO,MAAM,kBAAkB,QAwCvB,CAAC;AAMT,eAAO,MAAM,YAAY,QA2CjB,CAAC;AAMT,eAAO,MAAM,iBAAiB,QAiBtB,CAAC;AAOT;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE;IACzC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,GAAG,MAAM,CAkCT"}
+{"version":3,"file":"instructions.d.ts","sourceRoot":"","sources":["../../src/agent/instructions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,eAAO,MAAM,aAAa,QAalB,CAAC;AAMT,eAAO,MAAM,cAAc,QAcnB,CAAC;AAMT,eAAO,MAAM,cAAc,QAqCnB,CAAC;AAMT,eAAO,MAAM,kBAAkB,QAwCvB,CAAC;AAMT,eAAO,MAAM,YAAY,QA2CjB,CAAC;AAMT,eAAO,MAAM,iBAAiB,QAiBtB,CAAC;AAOT;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE;IACzC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,GAAG,MAAM,CAkCT"}

package/dist/agent/instructions.js

@@ -51,11 +51,32 @@ export const CODING_SECTION = `
 
 You have access to file I/O, shell execution, and codebase search tools.
 
+### ⚠️ File Access Scope (STRICT — do not bypass)
+
+You operate with least-privilege file access. This is enforced at the tool level and cannot be overridden.
+
+**READ access** is limited to:
+- \`career-vivid/\` — your job tracker data, résumé drafts, and career pipeline files
+- \`cli/\` — the CLI source code (your own code)
+- \`tmp/\` or \`/tmp/\` — temporary scratch files
+
+**WRITE access** is limited to:
+- \`career-vivid/\` — ONLY the career data directory you own
+- \`tmp/\` or \`/tmp/\` — temporary scratch files
+
+**NEVER attempt to read or write:**
+- \`src/\` — web app source code (React, components, pages)
+- \`functions/\` — Firebase Cloud Functions source
+- \`next-app/\` — Next.js application source
+- Any file outside your allowed prefixes
+
+If a task requires modifying web app code (\`src/\`, \`functions/\`, etc.), tell the user to make that change in their editor. Your role is career data management, not application development.
+
 ### Workflow
 1. Read relevant files first (read_file). Never overwrite blindly.
 2. Emit a short "Plan:" describing files you will touch and the approach.
-3. Write code using write_file or patch_file.
-4. Verify with run_command (tsc --noEmit, npm test, etc.).
+3. Write data using write_file or patch_file (career-vivid/ only).
+4. Verify with run_command (read-only commands like cat, ls, grep).
 5. Fix errors and loop until clean; summarise all changes made.
 
 ### Code Quality
@@ -82,7 +103,7 @@ export const JOBS_TOOLS_SECTION = `
 - **openings_apply**   — Mark a specific opening as Applied (requires explicit date).
 
 ### CSV Pipeline Tracker (tracker_*)
-These tools read/write jobs.csv — the local career-ops pipeline spreadsheet.
+These tools read/write jobs.csv — the local career-vivid pipeline spreadsheet.
 - **tracker_list_jobs**      — Show the pipeline (supports tier/status filters and sort_by).
 - **tracker_add_job**        — Add a new company to the tracker.
 - **tracker_update_job**     — Update any field on a job entry (status, scores, notes, follow-up).

package/dist/agent/tools/coding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"coding.d.ts","sourceRoot":"","sources":["../../../src/agent/tools/coding.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAkDlC,iBAAS,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAG3C;AAMD,eAAO,MAAM,YAAY,EAAE,IAqC1B,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,IA0B3B,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,IA+C3B,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,IA8C/B,CAAC;AAMF,eAAO,MAAM,eAAe,EAAE,IA8C7B,CAAC;AAMF,eAAO,MAAM,cAAc,EAAE,IAmD5B,CAAC;AAEF,iEAAiE;AACjE,wBAAgB,yBAAyB,IAAI,IAAI,CAQhD;AAMD,eAAO,MAAM,eAAe,EAAE,IAkD7B,CAAC;AAMF,wDAAwD;AACxD,eAAO,MAAM,gBAAgB,EAAE,IAAI,EAQlC,CAAC;AAEF,OAAO,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"coding.d.ts","sourceRoot":"","sources":["../../../src/agent/tools/coding.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAyGlC,iBAAS,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAG3C;AAMD,eAAO,MAAM,YAAY,EAAE,IAqC1B,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,IA0B3B,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,IA+C3B,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,IA8C/B,CAAC;AAMF,eAAO,MAAM,eAAe,EAAE,IA8C7B,CAAC;AAMF,eAAO,MAAM,cAAc,EAAE,IAmD5B,CAAC;AAEF,iEAAiE;AACjE,wBAAgB,yBAAyB,IAAI,IAAI,CAQhD;AAMD,eAAO,MAAM,eAAe,EAAE,IAkD7B,CAAC;AAMF,wDAAwD;AACxD,eAAO,MAAM,gBAAgB,EAAE,IAAI,EAQlC,CAAC;AAEF,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/agent/tools/coding.js

@@ -1,8 +1,53 @@
 import { execSync } from 'child_process';
 import { existsSync, readFileSync, writeFileSync, readdirSync, statSync, mkdirSync } from 'fs';
-import { resolve, dirname, relative, join } from 'path';
+import { resolve, dirname, relative, join, normalize } from 'path';
 import { Type } from '@google/genai';
 // ============================================================================
+// Path-based Access Control (Least Privilege)
+// ============================================================================
+/**
+ * Directories the agent is ALLOWED to READ.
+ * These are relative to the repo root (process.cwd()) or absolute paths the agent owns.
+ */
+const READ_ALLOWED_PREFIXES = [
+    // Agent's own data & config
+    'career-vivid/', // job tracker CSV, résumé drafts, career data
+    'cli/', // CLI source — agent may read its own code
+    // Scratch / temporary outputs produced by the agent
+    'tmp/',
+    '/tmp/',
+    // User's home config file is read by loadConfig() — not by read_file tool
+];
+/**
+ * Directories the agent is ALLOWED to WRITE.
+ * This is intentionally much narrower than the read list.
+ * Source code (src/, functions/, next-app/) is completely off-limits.
+ */
+const WRITE_ALLOWED_PREFIXES = [
+    'career-vivid/', // job tracker CSV, résumé drafts — the only structured data the agent owns
+    'tmp/',
+    '/tmp/',
+];
+/**
+ * Resolve a raw path argument and check it against an allowlist.
+ * @throws if the resolved path falls outside every allowed prefix.
+ */
+function guardPath(rawPath, allowedPrefixes, mode) {
+    const cwd = process.cwd();
+    const absPath = normalize(resolve(rawPath));
+    const allowed = allowedPrefixes.some(prefix => {
+        const fullPrefix = prefix.startsWith('/') ? normalize(prefix) : normalize(join(cwd, prefix));
+        return absPath.startsWith(fullPrefix);
+    });
+    if (!allowed) {
+        const rel = relative(cwd, absPath);
+        throw new Error(`⛔ Access denied: ${mode} access to "${rel}" is not permitted.\n` +
+            `The agent can only ${mode} files inside: ${allowedPrefixes.join(', ')}\n` +
+            `To access this file, use your editor or the CareerVivid web app.`);
+    }
+    return absPath;
+}
+// ============================================================================
 // Safe list for run_command (no confirmation required)
 // ============================================================================
 const SAFE_COMMAND_PREFIXES = [
@@ -77,7 +122,7 @@ export const readFileTool = {
         required: ['path'],
     },
     execute: async (args) => {
-        const absPath = resolve(args.path);
+        const absPath = guardPath(args.path, READ_ALLOWED_PREFIXES, 'read');
         if (!existsSync(absPath)) {
             throw new Error(`File not found: ${absPath}`);
         }
@@ -114,7 +159,7 @@ export const writeFileTool = {
         required: ['path', 'content'],
     },
     execute: async (args) => {
-        const absPath = resolve(args.path);
+        const absPath = guardPath(args.path, WRITE_ALLOWED_PREFIXES, 'write');
         mkdirSync(dirname(absPath), { recursive: true });
         writeFileSync(absPath, args.content, 'utf-8');
         const lines = args.content.split('\n').length;
@@ -151,7 +196,7 @@ export const patchFileTool = {
         required: ['path', 'start_line', 'end_line', 'new_content'],
     },
     execute: async (args) => {
-        const absPath = resolve(args.path);
+        const absPath = guardPath(args.path, WRITE_ALLOWED_PREFIXES, 'write');
         if (!existsSync(absPath))
             throw new Error(`File not found: ${absPath}`);
         const lines = readFileSync(absPath, 'utf-8').split('\n');

package/dist/agent/tools/jobOpenings.js

@@ -45,9 +45,9 @@ function getJobsCsvPath() {
     const __dirpath = dirname(__filename);
     // 1. Check dev repo locations (for local development)
     const devCandidates = [
-        resolve(__dirpath, "../../../../career-ops/data/jobs.csv"),
-        resolve(__dirpath, "../../../../../career-ops/data/jobs.csv"),
-        resolve(process.cwd(), "career-ops/data/jobs.csv"),
+        resolve(__dirpath, "../../../../career-vivid/data/jobs.csv"),
+        resolve(__dirpath, "../../../../../career-vivid/data/jobs.csv"),
+        resolve(process.cwd(), "career-vivid/data/jobs.csv"),
     ];
     for (const p of devCandidates) {
         if (existsSync(p))
@@ -61,9 +61,9 @@ function getOpeningsPath() {
     const __dirpath = dirname(__filename);
     // Mirror next to jobs.csv
     const devCandidates = [
-        resolve(__dirpath, "../../../../career-ops/data/job_openings.csv"),
-        resolve(__dirpath, "../../../../../career-ops/data/job_openings.csv"),
-        resolve(process.cwd(), "career-ops/data/job_openings.csv"),
+        resolve(__dirpath, "../../../../career-vivid/data/job_openings.csv"),
+        resolve(__dirpath, "../../../../../career-vivid/data/job_openings.csv"),
+        resolve(process.cwd(), "career-vivid/data/job_openings.csv"),
     ];
     for (const p of devCandidates) {
         if (existsSync(p))

package/dist/agent/tools/local-tracker.js

@@ -102,9 +102,9 @@ function getCsvPath() {
     const __dirname = dirname(__filename);
     // 1. Check dev repo locations first (for existing users/contributors)
     const devCandidates = [
-        resolve(__dirname, "../../../../career-ops/data/jobs.csv"),
-        resolve(__dirname, "../../../../../career-ops/data/jobs.csv"),
-        resolve(process.cwd(), "career-ops/data/jobs.csv"),
+        resolve(__dirname, "../../../../career-vivid/data/jobs.csv"),
+        resolve(__dirname, "../../../../../career-vivid/data/jobs.csv"),
+        resolve(process.cwd(), "career-vivid/data/jobs.csv"),
     ];
     for (const p of devCandidates) {
         if (existsSync(p))

package/dist/eval/runner.js

@@ -63,9 +63,9 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 function findJobsCsvPath() {
     const candidates = [
-        resolve(__dirname, "../../../../career-ops/data/jobs.csv"),
-        resolve(__dirname, "../../../../../career-ops/data/jobs.csv"),
-        resolve(process.cwd(), "career-ops/data/jobs.csv"),
+        resolve(__dirname, "../../../../career-vivid/data/jobs.csv"),
+        resolve(__dirname, "../../../../../career-vivid/data/jobs.csv"),
+        resolve(process.cwd(), "career-vivid/data/jobs.csv"),
     ];
     return candidates.find(existsSync) ?? null;
 }

package/dist/eval/storage/CsvDataLogger.d.ts

@@ -4,7 +4,7 @@
  * Writes one row per EvalResult to a dated CSV file at:
  *   <outputDir>/results-YYYY-MM-DD.csv
  *
- * Default output directory: career-ops/eval/
+ * Default output directory: career-vivid/eval/
  *
  * Features:
  *   - Append-safe: if the file already exists from an earlier run today, new
@@ -18,7 +18,7 @@ import type { EvalResult, RunSummary } from "../types.js";
 export interface CsvDataLoggerOptions {
     /**
      * Directory to write CSV files into.
-     * Defaults to <repo_root>/career-ops/eval/
+     * Defaults to <repo_root>/career-vivid/eval/
      */
     outputDir?: string;
 }

package/dist/eval/storage/CsvDataLogger.js

@@ -4,7 +4,7 @@
  * Writes one row per EvalResult to a dated CSV file at:
  *   <outputDir>/results-YYYY-MM-DD.csv
  *
- * Default output directory: career-ops/eval/
+ * Default output directory: career-vivid/eval/
  *
  * Features:
  *   - Append-safe: if the file already exists from an earlier run today, new
@@ -61,17 +61,17 @@ function defaultOutputDir() {
     const __dirname = dirname(__filename);
     // From dist/eval/storage/ or src/eval/storage/, go up 4 levels to repo root
     const candidates = [
-        resolve(__dirname, "../../../../career-ops/eval"),
-        resolve(__dirname, "../../../../../career-ops/eval"),
-        resolve(process.cwd(), "career-ops/eval"),
+        resolve(__dirname, "../../../../career-vivid/eval"),
+        resolve(__dirname, "../../../../../career-vivid/eval"),
+        resolve(process.cwd(), "career-vivid/eval"),
     ];
     // Return the first parent that exists, or the cwd-relative fallback
     for (const c of candidates) {
-        // We only care if the career-ops dir exists — create eval/ inside it
+        // We only care if the career-vivid dir exists — create eval/ inside it
         if (existsSync(resolve(c, "..")))
             return c;
     }
-    return resolve(process.cwd(), "career-ops/eval");
+    return resolve(process.cwd(), "career-vivid/eval");
 }
 /** Format date as YYYY-MM-DD in local time. */
 function todayStr() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "careervivid",
-  "version": "1.12.45",
+  "version": "1.12.46",
   "description": "Official CLI for CareerVivid — publish articles, diagrams, and portfolio updates from your terminal or AI agent",
   "type": "module",
   "bin": {