cli4ai 1.0.3 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cli4ai",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "The package manager for AI CLI tools - cli4ai.com",
   "type": "module",
   "bin": {

package/src/cli.ts

@@ -94,6 +94,8 @@ export function createProgram(): Command {
     .command('run <package> [command] [args...]')
     .description('Run a tool command')
     .option('-e, --env <vars...>', 'Environment variables (KEY=value)')
+    .option('--scope <level>', 'Permission scope: read, write, or full (default: full)')
+    .option('--sandbox', 'Run in sandboxed environment with restricted file system access')
     // Allow passing tool flags through (e.g. `cli4ai run chrome screenshot --full-page`)
     .allowUnknownOption(true)
     .addHelpText('after', `
@@ -101,10 +103,18 @@ export function createProgram(): Command {
 Examples:
   cli4ai run github trending
   cli4ai run chrome screenshot https://example.com --full-page
+  cli4ai run github list-issues --scope read
+  cli4ai run untrusted-pkg process --sandbox
 
 Pass-through:
   Use "--" to pass flags that would otherwise be parsed by cli4ai:
   cli4ai run <pkg> <cmd> -- --help
+
+Security:
+  --scope read    Only allow read operations (no mutations)
+  --scope write   Allow write operations
+  --scope full    Full access (default)
+  --sandbox       Restrict file system access to temp directories
 `)
     .action(withErrorHandling(runCommand));
 

package/src/commands/run.ts

@@ -3,10 +3,12 @@
  */
 
 import { outputError } from '../lib/cli.js';
-import { executeTool, ExecuteToolError } from '../core/execute.js';
+import { executeTool, ExecuteToolError, type ScopeLevel } from '../core/execute.js';
 
 interface RunOptions {
   env?: string[];
+  scope?: string;
+  sandbox?: boolean;
 }
 
 export async function runCommand(
@@ -26,6 +28,19 @@ export async function runCommand(
     }
   }
 
+  // Validate scope option
+  let scope: ScopeLevel = 'full';
+  if (options.scope) {
+    const validScopes: ScopeLevel[] = ['read', 'write', 'full'];
+    if (!validScopes.includes(options.scope as ScopeLevel)) {
+      outputError('INVALID_INPUT', `Invalid scope: ${options.scope}`, {
+        validScopes,
+        hint: 'Use --scope read, --scope write, or --scope full'
+      });
+    }
+    scope = options.scope as ScopeLevel;
+  }
+
   try {
     const result = await executeTool({
       packageName,
@@ -33,7 +48,9 @@ export async function runCommand(
       args,
       cwd: process.cwd(),
       env: extraEnv,
-      capture: 'inherit'
+      capture: 'inherit',
+      scope,
+      sandbox: options.sandbox ?? false
     });
     process.exitCode = result.exitCode;
     return;

package/src/core/config.ts

@@ -104,6 +104,12 @@ export interface Config {
     port: number;
   };
 
+  // Audit logging configuration
+  audit: {
+    /** Enable audit logging for MCP tool calls */
+    enabled: boolean;
+  };
+
   // Telemetry (future)
   telemetry: boolean;
 }
@@ -128,6 +134,9 @@ export const DEFAULT_CONFIG: Config = {
     transport: 'stdio',
     port: 3100
   },
+  audit: {
+    enabled: true
+  },
   telemetry: false
 };
 
@@ -197,6 +206,12 @@ function deepMerge(target: Config, source: Partial<Config>): Config {
       port: source.mcp.port ?? target.mcp.port
     };
   }
+  // Deep merge audit config
+  if (source.audit !== undefined) {
+    result.audit = {
+      enabled: source.audit.enabled ?? target.audit.enabled
+    };
+  }
 
   return result;
 }

package/src/core/execute.ts

@@ -31,6 +31,14 @@ function expandTilde(path: string): string {
 
 export type ExecuteCaptureMode = 'inherit' | 'pipe';
 
+/**
+ * Permission scope levels for tool execution
+ * - read: Only allow read operations (no mutations)
+ * - write: Allow write operations but no destructive actions
+ * - full: Full access (default)
+ */
+export type ScopeLevel = 'read' | 'write' | 'full';
+
 export interface ExecuteToolOptions {
   packageName: string;
   command?: string;
@@ -41,6 +49,10 @@ export interface ExecuteToolOptions {
   capture: ExecuteCaptureMode;
   timeoutMs?: number;
   teeStderr?: boolean;
+  /** Permission scope for the tool */
+  scope?: ScopeLevel;
+  /** Run in sandboxed environment with restricted file system access */
+  sandbox?: boolean;
 }
 
 export interface ExecuteToolResult {
@@ -348,6 +360,39 @@ function buildRuntimeCommand(entryPath: string, cmdArgs: string[]): { execCmd: s
   return { execCmd: 'node', execArgs: [entryPath, ...cmdArgs], runtime: 'node' };
 }
 
+/**
+ * Build security environment variables for scope and sandbox restrictions
+ */
+function buildSecurityEnv(
+  scope: ScopeLevel,
+  sandbox: boolean,
+  cwd: string
+): Record<string, string> {
+  const env: Record<string, string> = {};
+
+  // Set scope environment variable for tools to respect
+  env.CLI4AI_SCOPE = scope;
+
+  // Sandbox restrictions
+  if (sandbox) {
+    env.CLI4AI_SANDBOX = '1';
+
+    // Restrict file system access to temp directories and package directory
+    // Tools should check these env vars and restrict their operations
+    const tmpDir = process.env.TMPDIR || process.env.TMP || process.env.TEMP || '/tmp';
+    env.CLI4AI_SANDBOX_ALLOWED_PATHS = [
+      tmpDir,
+      cwd,  // Allow access to current working directory
+    ].join(':');
+
+    // Restrict network access in sandbox mode
+    // Tools should check this and limit network operations
+    env.CLI4AI_SANDBOX_NETWORK = 'restricted';
+  }
+
+  return env;
+}
+
 async function ensureRuntimeAvailable(): Promise<void> {
   if (!commandExists('node')) {
     log('⚠️  Node.js is required to run this tool\n');
@@ -409,6 +454,19 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
 
   const teeStderr = options.teeStderr ?? true;
 
+  // Build security environment for scope and sandbox
+  const scope = options.scope ?? 'full';
+  const sandbox = options.sandbox ?? false;
+  const securityEnv = buildSecurityEnv(scope, sandbox, invocationDir);
+
+  // Log security restrictions if active
+  if (scope !== 'full' || sandbox) {
+    const restrictions: string[] = [];
+    if (scope !== 'full') restrictions.push(`scope=${scope}`);
+    if (sandbox) restrictions.push('sandbox=enabled');
+    log(`🔒 Security: ${restrictions.join(', ')}`);
+  }
+
   if (options.capture === 'inherit') {
     const proc = spawn(execCmd, execArgs, {
       stdio: 'inherit',
@@ -421,6 +479,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
         C4AI_PACKAGE_NAME: pkg.name,
         C4AI_ENTRY: entryPath,
         ...secretsEnv,
+        ...securityEnv,
         ...(options.env ?? {})
       }
     });
@@ -453,6 +512,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
       C4AI_PACKAGE_NAME: pkg.name,
       C4AI_ENTRY: entryPath,
       ...secretsEnv,
+      ...securityEnv,
       ...(options.env ?? {})
     }
   });

package/src/mcp/server.ts

@@ -17,6 +17,7 @@ import { homedir } from 'os';
 import { type Manifest } from '../core/manifest.js';
 import { manifestToMcpTools, type McpTool } from './adapter.js';
 import { getSecret } from '../core/secrets.js';
+import { loadConfig } from '../core/config.js';
 
 // ═══════════════════════════════════════════════════════════════════════════
 // SECURITY: Audit logging and rate limiting
@@ -33,6 +34,7 @@ interface RateLimitEntry {
 
 /**
  * Audit log an MCP tool call for security tracking
+ * Can be disabled via `cli4ai config set audit.enabled false`
  */
 function auditLog(
   packageName: string,
@@ -42,6 +44,12 @@ function auditLog(
   errorMessage?: string
 ): void {
   try {
+    // Check if audit logging is enabled
+    const config = loadConfig();
+    if (!config.audit?.enabled) {
+      return;
+    }
+
     if (!existsSync(AUDIT_LOG_DIR)) {
       mkdirSync(AUDIT_LOG_DIR, { recursive: true });
     }