cli4ai 1.0.2 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cli4ai",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "The package manager for AI CLI tools - cli4ai.com",
   "type": "module",
   "bin": {

package/src/cli.ts

@@ -94,6 +94,8 @@ export function createProgram(): Command {
     .command('run <package> [command] [args...]')
     .description('Run a tool command')
     .option('-e, --env <vars...>', 'Environment variables (KEY=value)')
+    .option('--scope <level>', 'Permission scope: read, write, or full (default: full)')
+    .option('--sandbox', 'Run in sandboxed environment with restricted file system access')
     // Allow passing tool flags through (e.g. `cli4ai run chrome screenshot --full-page`)
     .allowUnknownOption(true)
     .addHelpText('after', `
@@ -101,10 +103,18 @@ export function createProgram(): Command {
 Examples:
   cli4ai run github trending
   cli4ai run chrome screenshot https://example.com --full-page
+  cli4ai run github list-issues --scope read
+  cli4ai run untrusted-pkg process --sandbox
 
 Pass-through:
   Use "--" to pass flags that would otherwise be parsed by cli4ai:
   cli4ai run <pkg> <cmd> -- --help
+
+Security:
+  --scope read    Only allow read operations (no mutations)
+  --scope write   Allow write operations
+  --scope full    Full access (default)
+  --sandbox       Restrict file system access to temp directories
 `)
     .action(withErrorHandling(runCommand));
 

package/src/commands/add.ts

@@ -16,9 +16,8 @@ import {
   LOCAL_PACKAGES_DIR,
   loadConfig
 } from '../core/config.js';
-import { lockPackage, computeDirectoryIntegrity, type LockedPackage } from '../core/lockfile.js';
+import { lockPackage, type LockedPackage } from '../core/lockfile.js';
 import { linkPackageDirect, isBinInPath, getPathInstructions } from '../core/link.js';
-import { getRegistryIntegrity, verifyPackageIntegrity } from '../core/registry.js';
 
 interface AddOptions {
   local?: boolean;
@@ -417,27 +416,6 @@ export async function addCommand(packages: string[], options: AddOptions): Promi
         await installNpmDependencies(result.path, plan.manifest.dependencies);
       }
 
-      // SECURITY: Verify integrity against registry
-      let integrity: string | undefined;
-      try {
-        const verification = await verifyPackageIntegrity(result.name, result.path);
-        integrity = verification.actual;
-
-        if (verification.expected) {
-          if (verification.valid) {
-            log(`  integrity: ${integrity.slice(0, 20)}... ✓`);
-          } else {
-            log(`  ⚠️  Integrity mismatch!`);
-            log(`     Expected: ${verification.expected.slice(0, 30)}...`);
-            log(`     Actual:   ${verification.actual.slice(0, 30)}...`);
-          }
-        } else {
-          log(`  integrity: ${integrity.slice(0, 20)}...`);
-        }
-      } catch (err) {
-        log(`  warning: could not compute integrity hash`);
-      }
-
       // Link to PATH for global installs
       if (options.global) {
         result.binPath = linkPackageDirect(plan.manifest, result.path);
@@ -449,8 +427,7 @@ export async function addCommand(packages: string[], options: AddOptions): Promi
         const lockedPkg: LockedPackage = {
           name: result.name,
           version: result.version,
-          resolved: result.source === 'local' ? result.path : result.path,
-          integrity
+          resolved: result.source === 'local' ? result.path : result.path
         };
         lockPackage(projectDir, lockedPkg);
       }

package/src/commands/run.ts

@@ -3,10 +3,12 @@
  */
 
 import { outputError } from '../lib/cli.js';
-import { executeTool, ExecuteToolError } from '../core/execute.js';
+import { executeTool, ExecuteToolError, type ScopeLevel } from '../core/execute.js';
 
 interface RunOptions {
   env?: string[];
+  scope?: string;
+  sandbox?: boolean;
 }
 
 export async function runCommand(
@@ -26,6 +28,19 @@ export async function runCommand(
     }
   }
 
+  // Validate scope option
+  let scope: ScopeLevel = 'full';
+  if (options.scope) {
+    const validScopes: ScopeLevel[] = ['read', 'write', 'full'];
+    if (!validScopes.includes(options.scope as ScopeLevel)) {
+      outputError('INVALID_INPUT', `Invalid scope: ${options.scope}`, {
+        validScopes,
+        hint: 'Use --scope read, --scope write, or --scope full'
+      });
+    }
+    scope = options.scope as ScopeLevel;
+  }
+
   try {
     const result = await executeTool({
       packageName,
@@ -33,7 +48,9 @@ export async function runCommand(
       args,
       cwd: process.cwd(),
       env: extraEnv,
-      capture: 'inherit'
+      capture: 'inherit',
+      scope,
+      sandbox: options.sandbox ?? false
     });
     process.exitCode = result.exitCode;
     return;

package/src/core/config.ts

@@ -104,6 +104,12 @@ export interface Config {
     port: number;
   };
 
+  // Audit logging configuration
+  audit: {
+    /** Enable audit logging for MCP tool calls */
+    enabled: boolean;
+  };
+
   // Telemetry (future)
   telemetry: boolean;
 }
@@ -128,6 +134,9 @@ export const DEFAULT_CONFIG: Config = {
     transport: 'stdio',
     port: 3100
   },
+  audit: {
+    enabled: true
+  },
   telemetry: false
 };
 
@@ -197,6 +206,12 @@ function deepMerge(target: Config, source: Partial<Config>): Config {
       port: source.mcp.port ?? target.mcp.port
     };
   }
+  // Deep merge audit config
+  if (source.audit !== undefined) {
+    result.audit = {
+      enabled: source.audit.enabled ?? target.audit.enabled
+    };
+  }
 
   return result;
 }

package/src/core/execute.ts

@@ -15,7 +15,6 @@ import { log } from '../lib/cli.js';
 import { findPackage } from './config.js';
 import { loadManifest, type Manifest } from './manifest.js';
 import { getSecret } from './secrets.js';
-import { checkPackageIntegrity } from './lockfile.js';
 
 /**
  * Expand ~ to home directory in paths
@@ -32,6 +31,14 @@ function expandTilde(path: string): string {
 
 export type ExecuteCaptureMode = 'inherit' | 'pipe';
 
+/**
+ * Permission scope levels for tool execution
+ * - read: Only allow read operations (no mutations)
+ * - write: Allow write operations but no destructive actions
+ * - full: Full access (default)
+ */
+export type ScopeLevel = 'read' | 'write' | 'full';
+
 export interface ExecuteToolOptions {
   packageName: string;
   command?: string;
@@ -42,6 +49,10 @@ export interface ExecuteToolOptions {
   capture: ExecuteCaptureMode;
   timeoutMs?: number;
   teeStderr?: boolean;
+  /** Permission scope for the tool */
+  scope?: ScopeLevel;
+  /** Run in sandboxed environment with restricted file system access */
+  sandbox?: boolean;
 }
 
 export interface ExecuteToolResult {
@@ -349,6 +360,39 @@ function buildRuntimeCommand(entryPath: string, cmdArgs: string[]): { execCmd: s
   return { execCmd: 'node', execArgs: [entryPath, ...cmdArgs], runtime: 'node' };
 }
 
+/**
+ * Build security environment variables for scope and sandbox restrictions
+ */
+function buildSecurityEnv(
+  scope: ScopeLevel,
+  sandbox: boolean,
+  cwd: string
+): Record<string, string> {
+  const env: Record<string, string> = {};
+
+  // Set scope environment variable for tools to respect
+  env.CLI4AI_SCOPE = scope;
+
+  // Sandbox restrictions
+  if (sandbox) {
+    env.CLI4AI_SANDBOX = '1';
+
+    // Restrict file system access to temp directories and package directory
+    // Tools should check these env vars and restrict their operations
+    const tmpDir = process.env.TMPDIR || process.env.TMP || process.env.TEMP || '/tmp';
+    env.CLI4AI_SANDBOX_ALLOWED_PATHS = [
+      tmpDir,
+      cwd,  // Allow access to current working directory
+    ].join(':');
+
+    // Restrict network access in sandbox mode
+    // Tools should check this and limit network operations
+    env.CLI4AI_SANDBOX_NETWORK = 'restricted';
+  }
+
+  return env;
+}
+
 async function ensureRuntimeAvailable(): Promise<void> {
   if (!commandExists('node')) {
     log('⚠️  Node.js is required to run this tool\n');
@@ -389,27 +433,6 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
 
   const manifest = loadManifest(pkg.path);
 
-  const integrityCheck = checkPackageIntegrity(invocationDir, options.packageName, pkg.path);
-  if (!integrityCheck.valid) {
-    log(`\n⚠️  SECURITY WARNING: Package integrity check failed for ${options.packageName}`);
-    if (integrityCheck.error) log(`   ${integrityCheck.error}`);
-    if (integrityCheck.expected && integrityCheck.actual) {
-      log(`   Expected: ${integrityCheck.expected.slice(0, 30)}...`);
-      log(`   Actual:   ${integrityCheck.actual.slice(0, 30)}...`);
-    }
-    log(`\n   The package may have been tampered with or modified since installation.`);
-    log(`   To fix: reinstall with "cli4ai remove ${options.packageName} && cli4ai add ${options.packageName}"\n`);
-
-    const shouldContinue = await confirm('Continue anyway? (NOT RECOMMENDED)');
-    if (!shouldContinue) {
-      throw new ExecuteToolError('INTEGRITY_ERROR', 'Package integrity verification failed', {
-        package: options.packageName,
-        hint: `Reinstall the package with: cli4ai remove ${options.packageName} && cli4ai add ${options.packageName}`
-      });
-    }
-    log('');
-  }
-
   await ensureRuntimeAvailable();
 
   await checkPeerDependencies(pkg.path);
@@ -431,6 +454,19 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
 
   const teeStderr = options.teeStderr ?? true;
 
+  // Build security environment for scope and sandbox
+  const scope = options.scope ?? 'full';
+  const sandbox = options.sandbox ?? false;
+  const securityEnv = buildSecurityEnv(scope, sandbox, invocationDir);
+
+  // Log security restrictions if active
+  if (scope !== 'full' || sandbox) {
+    const restrictions: string[] = [];
+    if (scope !== 'full') restrictions.push(`scope=${scope}`);
+    if (sandbox) restrictions.push('sandbox=enabled');
+    log(`🔒 Security: ${restrictions.join(', ')}`);
+  }
+
   if (options.capture === 'inherit') {
     const proc = spawn(execCmd, execArgs, {
       stdio: 'inherit',
@@ -443,6 +479,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
         C4AI_PACKAGE_NAME: pkg.name,
         C4AI_ENTRY: entryPath,
         ...secretsEnv,
+        ...securityEnv,
         ...(options.env ?? {})
       }
     });
@@ -475,6 +512,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
       C4AI_PACKAGE_NAME: pkg.name,
       C4AI_ENTRY: entryPath,
       ...secretsEnv,
+      ...securityEnv,
       ...(options.env ?? {})
     }
   });

package/src/core/lockfile.ts

@@ -3,14 +3,10 @@
  *
  * Tracks installed packages with exact versions and sources
  * for reproducible installations.
- *
- * SECURITY: Includes SRI (Subresource Integrity) hash verification
- * to detect tampered packages.
  */
 
-import { readFileSync, writeFileSync, renameSync, existsSync, readdirSync, statSync } from 'fs';
-import { resolve, join, relative } from 'path';
-import { createHash } from 'crypto';
+import { readFileSync, writeFileSync, renameSync, existsSync } from 'fs';
+import { resolve } from 'path';
 
 // ═══════════════════════════════════════════════════════════════════════════
 // TYPES
@@ -36,125 +32,6 @@ export interface Lockfile {
 export const LOCKFILE_NAME = 'cli4ai.lock';
 export const LOCKFILE_VERSION = 1;
 
-// ═══════════════════════════════════════════════════════════════════════════
-// INTEGRITY HASHING (SRI - Subresource Integrity)
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Compute SHA-512 hash of a file and return SRI format string
- */
-export function computeFileIntegrity(filePath: string): string {
-  const content = readFileSync(filePath);
-  const hash = createHash('sha512').update(content).digest('base64');
-  return `sha512-${hash}`;
-}
-
-/**
- * Compute SHA-512 hash of a directory's contents (deterministic).
- * Hashes all files in sorted order to produce a reproducible hash.
- */
-export function computeDirectoryIntegrity(dirPath: string): string {
-  const hash = createHash('sha512');
-  const files: string[] = [];
-
-  // Recursively collect all files
-  function collectFiles(dir: string): void {
-    const entries = readdirSync(dir, { withFileTypes: true });
-    for (const entry of entries) {
-      // Skip node_modules and hidden directories
-      if (entry.name === 'node_modules' || entry.name.startsWith('.')) continue;
-
-      const fullPath = join(dir, entry.name);
-      if (entry.isDirectory()) {
-        collectFiles(fullPath);
-      } else if (entry.isFile()) {
-        files.push(fullPath);
-      }
-    }
-  }
-
-  collectFiles(dirPath);
-
-  // Sort files for deterministic ordering
-  files.sort();
-
-  // Hash each file's relative path and content
-  for (const filePath of files) {
-    const relativePath = relative(dirPath, filePath);
-    const content = readFileSync(filePath);
-
-    // Include path in hash for structural integrity
-    hash.update(relativePath);
-    hash.update(content);
-  }
-
-  return `sha512-${hash.digest('base64')}`;
-}
-
-/**
- * Verify a package's integrity against stored hash
- */
-export function verifyIntegrity(dirPath: string, expectedIntegrity: string): boolean {
-  if (!expectedIntegrity) return true; // No integrity check if not stored
-
-  try {
-    const actualIntegrity = computeDirectoryIntegrity(dirPath);
-    return actualIntegrity === expectedIntegrity;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Result of integrity verification
- */
-export interface IntegrityCheckResult {
-  valid: boolean;
-  expected?: string;
-  actual?: string;
-  error?: string;
-}
-
-/**
- * Check integrity of a locked package
- */
-export function checkPackageIntegrity(
-  projectDir: string,
-  packageName: string,
-  packagePath: string
-): IntegrityCheckResult {
-  const locked = getLockedPackage(projectDir, packageName);
-
-  if (!locked) {
-    return { valid: true }; // No lock entry, can't verify
-  }
-
-  if (!locked.integrity) {
-    return { valid: true }; // No integrity hash stored
-  }
-
-  try {
-    const actualIntegrity = computeDirectoryIntegrity(packagePath);
-
-    if (actualIntegrity === locked.integrity) {
-      return { valid: true, expected: locked.integrity, actual: actualIntegrity };
-    }
-
-    return {
-      valid: false,
-      expected: locked.integrity,
-      actual: actualIntegrity,
-      error: 'Integrity mismatch - package may have been tampered with'
-    };
-  } catch (err) {
-    return {
-      valid: false,
-      expected: locked.integrity,
-      error: `Failed to compute integrity: ${err instanceof Error ? err.message : String(err)}`
-    };
-  }
-}
-
 // ═══════════════════════════════════════════════════════════════════════════
 // FUNCTIONS
 // ═══════════════════════════════════════════════════════════════════════════

package/src/mcp/server.ts

@@ -17,6 +17,7 @@ import { homedir } from 'os';
 import { type Manifest } from '../core/manifest.js';
 import { manifestToMcpTools, type McpTool } from './adapter.js';
 import { getSecret } from '../core/secrets.js';
+import { loadConfig } from '../core/config.js';
 
 // ═══════════════════════════════════════════════════════════════════════════
 // SECURITY: Audit logging and rate limiting
@@ -33,6 +34,7 @@ interface RateLimitEntry {
 
 /**
  * Audit log an MCP tool call for security tracking
+ * Can be disabled via `cli4ai config set audit.enabled false`
  */
 function auditLog(
   packageName: string,
@@ -42,6 +44,12 @@ function auditLog(
   errorMessage?: string
 ): void {
   try {
+    // Check if audit logging is enabled
+    const config = loadConfig();
+    if (!config.audit?.enabled) {
+      return;
+    }
+
     if (!existsSync(AUDIT_LOG_DIR)) {
       mkdirSync(AUDIT_LOG_DIR, { recursive: true });
     }