codebot-ai 1.4.3 → 1.6.0

package/dist/history.js

@@ -54,31 +54,57 @@ class SessionManager {
     }
     /** Append a message to the session file */
     save(message) {
-        const line = JSON.stringify({
-            ...message,
-            _ts: new Date().toISOString(),
-            _model: this.model,
-        });
-        fs.appendFileSync(this.filePath, line + '\n');
+        try {
+            const line = JSON.stringify({
+                ...message,
+                _ts: new Date().toISOString(),
+                _model: this.model,
+            });
+            fs.appendFileSync(this.filePath, line + '\n');
+        }
+        catch {
+            // Don't crash on write failure — session persistence is best-effort
+        }
     }
-    /** Save all messages (overwrite) */
+    /** Save all messages (atomic overwrite via temp file + rename) */
     saveAll(messages) {
-        const lines = messages.map(m => JSON.stringify({ ...m, _ts: new Date().toISOString(), _model: this.model }));
-        fs.writeFileSync(this.filePath, lines.join('\n') + '\n');
+        try {
+            const lines = messages.map(m => JSON.stringify({ ...m, _ts: new Date().toISOString(), _model: this.model }));
+            const tmpPath = this.filePath + '.tmp';
+            fs.writeFileSync(tmpPath, lines.join('\n') + '\n');
+            fs.renameSync(tmpPath, this.filePath);
+        }
+        catch {
+            // Don't crash — session persistence is best-effort
+        }
     }
-    /** Load messages from a session file */
+    /** Load messages from a session file (skips malformed lines) */
     load() {
         if (!fs.existsSync(this.filePath))
             return [];
-        const content = fs.readFileSync(this.filePath, 'utf-8').trim();
+        let content;
+        try {
+            content = fs.readFileSync(this.filePath, 'utf-8').trim();
+        }
+        catch {
+            return [];
+        }
         if (!content)
             return [];
-        return content.split('\n').map(line => {
-            const obj = JSON.parse(line);
-            delete obj._ts;
-            delete obj._model;
-            return obj;
-        });
+        const messages = [];
+        for (const line of content.split('\n')) {
+            try {
+                const obj = JSON.parse(line);
+                delete obj._ts;
+                delete obj._model;
+                messages.push(obj);
+            }
+            catch {
+                // Skip malformed line — don't crash the whole load
+                continue;
+            }
+        }
+        return messages;
     }
     /** List recent sessions */
     static list(limit = 10) {

package/dist/mcp.js

@@ -38,6 +38,37 @@ const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
+/**
+ * MCP (Model Context Protocol) client.
+ *
+ * Connects to MCP servers defined in `.codebot/mcp.json` or `~/.codebot/mcp.json`:
+ *
+ * {
+ *   "servers": [
+ *     {
+ *       "name": "my-server",
+ *       "command": "npx",
+ *       "args": ["-y", "@my/mcp-server"],
+ *       "env": {}
+ *     }
+ *   ]
+ * }
+ *
+ * Each server is launched as a subprocess communicating via JSON-RPC over stdio.
+ */
+/** Allowlist of commands that MCP servers are permitted to run */
+const ALLOWED_MCP_COMMANDS = new Set([
+    'npx', 'node', 'python', 'python3', 'deno', 'bun', 'docker', 'uvx',
+]);
+/** Safe environment variables to pass to MCP subprocesses */
+const SAFE_ENV_VARS = new Set([
+    'PATH', 'HOME', 'USER', 'SHELL', 'LANG', 'TERM', 'TMPDIR', 'TMP', 'TEMP',
+    'LC_ALL', 'LC_CTYPE', 'DISPLAY', 'XDG_RUNTIME_DIR',
+    // Node.js
+    'NODE_ENV', 'NODE_PATH',
+    // Python
+    'PYTHONPATH', 'VIRTUAL_ENV',
+]);
 class MCPConnection {
     process;
     buffer = '';
@@ -46,9 +77,25 @@ class MCPConnection {
     name;
     constructor(config) {
         this.name = config.name;
+        // Security: validate command against allowlist
+        const command = path.basename(config.command);
+        if (!ALLOWED_MCP_COMMANDS.has(command)) {
+            throw new Error(`Blocked MCP command: "${config.command}". Allowed: ${[...ALLOWED_MCP_COMMANDS].join(', ')}`);
+        }
+        // Security: build safe environment — only pass safe vars + config-defined vars
+        const safeEnv = {};
+        for (const key of SAFE_ENV_VARS) {
+            if (process.env[key]) {
+                safeEnv[key] = process.env[key];
+            }
+        }
+        // Config-defined env vars override safe defaults
+        if (config.env) {
+            Object.assign(safeEnv, config.env);
+        }
         this.process = (0, child_process_1.spawn)(config.command, config.args || [], {
             stdio: ['pipe', 'pipe', 'pipe'],
-            env: { ...process.env, ...config.env },
+            env: safeEnv,
         });
         this.process.stdout?.on('data', (chunk) => {
             this.buffer += chunk.toString();
@@ -97,7 +144,7 @@ class MCPConnection {
         await this.request('initialize', {
             protocolVersion: '2024-11-05',
             capabilities: {},
-            clientInfo: { name: 'codebot-ai', version: '1.1.0' },
+            clientInfo: { name: 'codebot-ai', version: '1.6.0' },
         });
         await this.request('notifications/initialized');
     }
@@ -121,9 +168,13 @@ class MCPConnection {
 }
 /** Create Tool wrappers from an MCP server's tools */
 function mcpToolToTool(connection, def) {
+    // Security: sanitize tool description (limit length, strip control chars)
+    const safeDescription = (def.description || '')
+        .substring(0, 500)
+        .replace(/[\x00-\x1F\x7F]/g, '');
     return {
         name: `mcp_${connection.name}_${def.name}`,
-        description: `[MCP:${connection.name}] ${def.description}`,
+        description: `[MCP:${connection.name}] ${safeDescription}`,
         permission: 'prompt',
         parameters: def.inputSchema || { type: 'object', properties: {} },
         execute: async (args) => {

package/dist/memory.d.ts

@@ -1,3 +1,7 @@
+/**
+ * Sanitize memory content by stripping lines that look like prompt injection.
+ */
+export declare function sanitizeMemory(content: string): string;
 export interface MemoryEntry {
     key: string;
     value: string;
@@ -8,6 +12,9 @@ export interface MemoryEntry {
  * Persistent memory system for CodeBot.
  * Stores project-level and global notes that survive across sessions.
  * Memory is injected into the system prompt so the model always has context.
+ *
+ * Security: content is sanitized before injection to prevent prompt injection.
+ * Size limits: 2KB per file, 10KB total.
  */
 export declare class MemoryManager {
     private projectDir;

package/dist/memory.js

@@ -34,15 +34,57 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryManager = void 0;
+exports.sanitizeMemory = sanitizeMemory;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
 const MEMORY_DIR = path.join(os.homedir(), '.codebot', 'memory');
 const GLOBAL_MEMORY = path.join(MEMORY_DIR, 'MEMORY.md');
+/** Maximum size per memory file (2KB) */
+const MAX_FILE_SIZE = 2048;
+/** Maximum total memory size across all files (10KB) */
+const MAX_TOTAL_SIZE = 10240;
+/** Patterns that indicate potential prompt injection in memory content */
+const INJECTION_PATTERNS = [
+    /^(system|assistant|user):\s/i,
+    /ignore (previous|all|above) instructions/i,
+    /you are now/i,
+    /new instructions:/i,
+    /override:/i,
+    /<\/?system>/i,
+    /\bforget (all|everything|your)\b/i,
+    /\bact as\b/i,
+    /\brole:\s*(system|admin)/i,
+    /\bpretend (you are|to be)\b/i,
+];
+/**
+ * Sanitize memory content by stripping lines that look like prompt injection.
+ */
+function sanitizeMemory(content) {
+    return content.split('\n')
+        .filter(line => !INJECTION_PATTERNS.some(p => p.test(line)))
+        .join('\n');
+}
+/**
+ * Truncate content to a maximum byte size.
+ */
+function truncateToSize(content, maxSize) {
+    if (Buffer.byteLength(content, 'utf-8') <= maxSize)
+        return content;
+    // Truncate by chars (approximation — will be close to byte limit)
+    let truncated = content;
+    while (Buffer.byteLength(truncated, 'utf-8') > maxSize - 50) { // leave room for marker
+        truncated = truncated.substring(0, Math.floor(truncated.length * 0.9));
+    }
+    return truncated.trimEnd() + '\n[truncated — exceeded size limit]';
+}
 /**
  * Persistent memory system for CodeBot.
  * Stores project-level and global notes that survive across sessions.
  * Memory is injected into the system prompt so the model always has context.
+ *
+ * Security: content is sanitized before injection to prevent prompt injection.
+ * Size limits: 2KB per file, 10KB total.
  */
 class MemoryManager {
     projectDir;
@@ -76,14 +118,16 @@ class MemoryManager {
     }
     /** Write to global memory */
     writeGlobal(content) {
-        fs.writeFileSync(GLOBAL_MEMORY, content);
+        const safe = truncateToSize(content, MAX_FILE_SIZE);
+        fs.writeFileSync(GLOBAL_MEMORY, safe);
     }
     /** Write to project memory */
     writeProject(content) {
         if (!this.projectDir)
             return;
         const memFile = path.join(this.projectDir, 'MEMORY.md');
-        fs.writeFileSync(memFile, content);
+        const safe = truncateToSize(content, MAX_FILE_SIZE);
+        fs.writeFileSync(memFile, safe);
     }
     /** Append an entry to global memory */
     appendGlobal(entry) {
@@ -114,20 +158,34 @@ class MemoryManager {
     /** Get all memory content formatted for system prompt injection */
     getContextBlock() {
         const parts = [];
+        let totalSize = 0;
         const global = this.readGlobal();
         if (global.trim()) {
-            parts.push(`## Global Memory\n${global.trim()}`);
+            const sanitized = sanitizeMemory(global.trim());
+            const truncated = truncateToSize(sanitized, MAX_FILE_SIZE);
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## Global Memory\n${truncated}`);
         }
         // Read additional global topic files
         const globalFiles = this.readDir(this.globalDir);
         for (const [name, content] of Object.entries(globalFiles)) {
             if (name === 'MEMORY.md' || !content.trim())
                 continue;
-            parts.push(`## ${name.replace('.md', '')}\n${content.trim()}`);
+            if (totalSize >= MAX_TOTAL_SIZE)
+                break;
+            const sanitized = sanitizeMemory(content.trim());
+            const remaining = MAX_TOTAL_SIZE - totalSize;
+            const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## ${name.replace('.md', '')}\n${truncated}`);
         }
         const project = this.readProject();
-        if (project.trim()) {
-            parts.push(`## Project Memory\n${project.trim()}`);
+        if (project.trim() && totalSize < MAX_TOTAL_SIZE) {
+            const sanitized = sanitizeMemory(project.trim());
+            const remaining = MAX_TOTAL_SIZE - totalSize;
+            const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## Project Memory\n${truncated}`);
         }
         // Read additional project topic files
         if (this.projectDir) {
@@ -135,7 +193,13 @@ class MemoryManager {
             for (const [name, content] of Object.entries(projFiles)) {
                 if (name === 'MEMORY.md' || !content.trim())
                     continue;
-                parts.push(`## Project: ${name.replace('.md', '')}\n${content.trim()}`);
+                if (totalSize >= MAX_TOTAL_SIZE)
+                    break;
+                const sanitized = sanitizeMemory(content.trim());
+                const remaining = MAX_TOTAL_SIZE - totalSize;
+                const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+                totalSize += Buffer.byteLength(truncated, 'utf-8');
+                parts.push(`## Project: ${name.replace('.md', '')}\n${truncated}`);
             }
         }
         if (parts.length === 0)

package/dist/plugins.d.ts

@@ -1,17 +1,3 @@
 import { Tool } from './types';
-/**
- * Plugin system for CodeBot.
- *
- * Plugins are .js files in `.codebot/plugins/` (project) or `~/.codebot/plugins/` (global).
- * Each plugin exports a default function or object that implements the Tool interface:
- *
- * module.exports = {
- *   name: 'my_tool',
- *   description: 'Does something useful',
- *   permission: 'prompt',
- *   parameters: { type: 'object', properties: { ... }, required: [...] },
- *   execute: async (args) => { return 'result'; }
- * };
- */
 export declare function loadPlugins(projectRoot?: string): Tool[];
 //# sourceMappingURL=plugins.d.ts.map

package/dist/plugins.js

@@ -36,20 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadPlugins = loadPlugins;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-/**
- * Plugin system for CodeBot.
- *
- * Plugins are .js files in `.codebot/plugins/` (project) or `~/.codebot/plugins/` (global).
- * Each plugin exports a default function or object that implements the Tool interface:
- *
- * module.exports = {
- *   name: 'my_tool',
- *   description: 'Does something useful',
- *   permission: 'prompt',
- *   parameters: { type: 'object', properties: { ... }, required: [...] },
- *   execute: async (args) => { return 'result'; }
- * };
- */
+const crypto = __importStar(require("crypto"));
 function loadPlugins(projectRoot) {
     const plugins = [];
     const os = require('os');
@@ -74,6 +61,32 @@ function loadPlugins(projectRoot) {
                 continue;
             try {
                 const pluginPath = path.join(dir, entry.name);
+                // Security: verify plugin against manifest hash
+                const manifestPath = path.join(dir, 'plugin.json');
+                if (!fs.existsSync(manifestPath)) {
+                    console.error(`Plugin skipped (${entry.name}): no plugin.json manifest found. Create one with: { "name": "...", "version": "...", "hash": "sha256:..." }`);
+                    continue;
+                }
+                let manifest;
+                try {
+                    manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+                }
+                catch {
+                    console.error(`Plugin skipped (${entry.name}): invalid plugin.json manifest`);
+                    continue;
+                }
+                if (!manifest.hash || !manifest.hash.startsWith('sha256:')) {
+                    console.error(`Plugin skipped (${entry.name}): manifest missing valid sha256 hash`);
+                    continue;
+                }
+                // Compute SHA-256 of the plugin file
+                const pluginContent = fs.readFileSync(pluginPath);
+                const computedHash = 'sha256:' + crypto.createHash('sha256').update(pluginContent).digest('hex');
+                if (computedHash !== manifest.hash) {
+                    console.error(`Plugin skipped (${entry.name}): hash mismatch. Expected ${manifest.hash}, got ${computedHash}. Plugin may have been tampered with.`);
+                    continue;
+                }
+                // Hash verified — safe to load
                 // eslint-disable-next-line @typescript-eslint/no-require-imports
                 const mod = require(pluginPath);
                 const plugin = mod.default || mod;

package/dist/rate-limiter.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Per-tool Rate Limiter
+ *
+ * Simple sliding-window throttle that enforces minimum intervals between
+ * calls to the same tool. Prevents hammering web services and self-DOS.
+ *
+ * @since v1.5.0
+ */
+export declare class RateLimiter {
+    private lastCall;
+    /** Minimum interval (ms) between calls per tool */
+    private limits;
+    constructor(overrides?: Record<string, number>);
+    /** Wait if needed to respect the tool's rate limit */
+    throttle(toolName: string): Promise<void>;
+    /** Get the configured limit for a tool (0 = no limit) */
+    getLimit(toolName: string): number;
+    /** Update a tool's rate limit at runtime */
+    setLimit(toolName: string, intervalMs: number): void;
+    /** Reset all tracking (useful for tests) */
+    reset(): void;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/rate-limiter.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * Per-tool Rate Limiter
+ *
+ * Simple sliding-window throttle that enforces minimum intervals between
+ * calls to the same tool. Prevents hammering web services and self-DOS.
+ *
+ * @since v1.5.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiter = void 0;
+class RateLimiter {
+    lastCall = new Map();
+    /** Minimum interval (ms) between calls per tool */
+    limits = {
+        browser: 200,
+        web_fetch: 500,
+        web_search: 1000,
+        execute: 100,
+    };
+    constructor(overrides) {
+        if (overrides) {
+            Object.assign(this.limits, overrides);
+        }
+    }
+    /** Wait if needed to respect the tool's rate limit */
+    async throttle(toolName) {
+        const limit = this.limits[toolName];
+        if (!limit)
+            return; // no limit for this tool
+        const last = this.lastCall.get(toolName) || 0;
+        const elapsed = Date.now() - last;
+        if (elapsed < limit) {
+            await new Promise(resolve => setTimeout(resolve, limit - elapsed));
+        }
+        this.lastCall.set(toolName, Date.now());
+    }
+    /** Get the configured limit for a tool (0 = no limit) */
+    getLimit(toolName) {
+        return this.limits[toolName] || 0;
+    }
+    /** Update a tool's rate limit at runtime */
+    setLimit(toolName, intervalMs) {
+        this.limits[toolName] = intervalMs;
+    }
+    /** Reset all tracking (useful for tests) */
+    reset() {
+        this.lastCall.clear();
+    }
+}
+exports.RateLimiter = RateLimiter;
+//# sourceMappingURL=rate-limiter.js.map

package/dist/secrets.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Secret detection module for CodeBot.
+ *
+ * Scans content for common credential patterns (API keys, tokens, passwords).
+ * Returns matches with line numbers and masked excerpts.
+ * Used to warn before writing secrets to files — does NOT block writes.
+ */
+export interface SecretMatch {
+    type: string;
+    line: number;
+    snippet: string;
+}
+/**
+ * Scan content for secrets. Returns array of matches with line numbers and masked snippets.
+ */
+export declare function scanForSecrets(content: string): SecretMatch[];
+/**
+ * Quick check: does the content contain any secrets?
+ */
+export declare function hasSecrets(content: string): boolean;
+/**
+ * Mask secrets in an arbitrary string (e.g., for audit logging).
+ * Replaces all detected secret matches with masked versions.
+ */
+export declare function maskSecretsInString(text: string): string;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/secrets.js

@@ -0,0 +1,86 @@
+"use strict";
+/**
+ * Secret detection module for CodeBot.
+ *
+ * Scans content for common credential patterns (API keys, tokens, passwords).
+ * Returns matches with line numbers and masked excerpts.
+ * Used to warn before writing secrets to files — does NOT block writes.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanForSecrets = scanForSecrets;
+exports.hasSecrets = hasSecrets;
+exports.maskSecretsInString = maskSecretsInString;
+const SECRET_PATTERNS = [
+    { name: 'aws_access_key', pattern: /AKIA[0-9A-Z]{16}/ },
+    { name: 'aws_secret_key', pattern: /(?:aws_secret_access_key|aws_secret)\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}/ },
+    { name: 'private_key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
+    { name: 'github_token', pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
+    { name: 'github_oauth', pattern: /gho_[A-Za-z0-9_]{36,}/ },
+    { name: 'generic_api_key', pattern: /(?:api[_-]?key|apikey|secret[_-]?key)\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+    { name: 'jwt', pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_\-]+/ },
+    { name: 'password_assign', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]/i },
+    { name: 'connection_string', pattern: /(?:mongodb|postgres|postgresql|mysql|redis|amqp):\/\/[^\s]{10,}/ },
+    { name: 'slack_token', pattern: /xox[bprs]-[0-9]{10,}-[A-Za-z0-9\-]+/ },
+    { name: 'slack_webhook', pattern: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/ },
+    { name: 'generic_secret', pattern: /(?:secret|token|credential|auth_token)\s*[:=]\s*['"][^'"]{16,}['"]/i },
+    { name: 'npm_token', pattern: /\/\/registry\.npmjs\.org\/:_authToken=[^\s]+/ },
+    { name: 'sendgrid_key', pattern: /SG\.[A-Za-z0-9_\-]{22}\.[A-Za-z0-9_\-]{43}/ },
+    { name: 'stripe_key', pattern: /sk_(live|test)_[A-Za-z0-9]{24,}/ },
+];
+/**
+ * Mask a matched secret for safe display.
+ * Shows first 4 chars + **** + last 4 chars for strings >= 12 chars.
+ * For shorter strings, shows first 2 + **** + last 2.
+ */
+function maskSecret(match) {
+    if (match.length >= 12) {
+        return match.substring(0, 4) + '****' + match.substring(match.length - 4);
+    }
+    if (match.length >= 6) {
+        return match.substring(0, 2) + '****' + match.substring(match.length - 2);
+    }
+    return '****';
+}
+/**
+ * Scan content for secrets. Returns array of matches with line numbers and masked snippets.
+ */
+function scanForSecrets(content) {
+    const matches = [];
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { name, pattern } of SECRET_PATTERNS) {
+            const match = line.match(pattern);
+            if (match) {
+                matches.push({
+                    type: name,
+                    line: i + 1,
+                    snippet: maskSecret(match[0]),
+                });
+            }
+        }
+    }
+    return matches;
+}
+/**
+ * Quick check: does the content contain any secrets?
+ */
+function hasSecrets(content) {
+    for (const { pattern } of SECRET_PATTERNS) {
+        if (pattern.test(content))
+            return true;
+    }
+    return false;
+}
+/**
+ * Mask secrets in an arbitrary string (e.g., for audit logging).
+ * Replaces all detected secret matches with masked versions.
+ */
+function maskSecretsInString(text) {
+    let masked = text;
+    for (const { pattern } of SECRET_PATTERNS) {
+        masked = masked.replace(new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g')), match => maskSecret(match));
+    }
+    return masked;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/security.d.ts

@@ -0,0 +1,18 @@
+export interface PathSafetyResult {
+    safe: boolean;
+    reason?: string;
+}
+/**
+ * Check if a file path is safe for write/edit operations.
+ *
+ * Resolves symlinks, checks against blocked system paths,
+ * and verifies the path is within the project or user home.
+ */
+export declare function isPathSafe(targetPath: string, projectRoot: string): PathSafetyResult;
+/**
+ * Check if a working directory is safe for command execution.
+ *
+ * Ensures the CWD exists, is a directory, and is under the project root.
+ */
+export declare function isCwdSafe(cwd: string, projectRoot: string): PathSafetyResult;
+//# sourceMappingURL=security.d.ts.map