codebot-ai 1.5.0 → 1.6.0

package/dist/agent.d.ts

@@ -9,6 +9,7 @@ export declare class Agent {
     private model;
     private cache;
     private rateLimiter;
+    private auditLogger;
     private askPermission;
     private onMessage?;
     constructor(opts: {

package/dist/agent.js

@@ -45,6 +45,7 @@ const registry_1 = require("./providers/registry");
 const plugins_1 = require("./plugins");
 const cache_1 = require("./cache");
 const rate_limiter_1 = require("./rate-limiter");
+const audit_1 = require("./audit");
 /** Lightweight schema validation — returns error string or null if valid */
 function validateToolArgs(args, schema) {
     const props = schema.properties;
@@ -98,6 +99,7 @@ class Agent {
     model;
     cache;
     rateLimiter;
+    auditLogger;
     askPermission;
     onMessage;
     constructor(opts) {
@@ -111,6 +113,7 @@ class Agent {
         this.onMessage = opts.onMessage;
         this.cache = new cache_1.ToolCache();
         this.rateLimiter = new rate_limiter_1.RateLimiter();
+        this.auditLogger = new audit_1.AuditLogger();
         // Load plugins
         try {
             const plugins = (0, plugins_1.loadPlugins)(process.cwd());
@@ -259,6 +262,7 @@ class Agent {
                     const approved = await this.askPermission(toolName, args);
                     if (!approved) {
                         denied = true;
+                        this.auditLogger.log({ tool: toolName, action: 'deny', args, reason: 'User denied permission' });
                     }
                 }
                 prepared.push({ tc, tool, args, denied });
@@ -304,6 +308,8 @@ class Agent {
                 await this.rateLimiter.throttle(toolName);
                 try {
                     const output = await prep.tool.execute(prep.args);
+                    // Audit log: successful execution
+                    this.auditLogger.log({ tool: toolName, action: 'execute', args: prep.args, result: 'success' });
                     // Store in cache for cacheable tools
                     if (prep.tool.cacheable) {
                         const ttl = cache_1.ToolCache.TTL[toolName] || 30_000;
@@ -315,10 +321,16 @@ class Agent {
                         if (filePath)
                             this.cache.invalidate(filePath);
                     }
+                    // Audit log: check if tool returned a security block
+                    if (output.startsWith('Error: Blocked:') || output.startsWith('Error: CWD')) {
+                        this.auditLogger.log({ tool: toolName, action: 'security_block', args: prep.args, reason: output });
+                    }
                     return { content: output };
                 }
                 catch (err) {
                     const errMsg = err instanceof Error ? err.message : String(err);
+                    // Audit log: error
+                    this.auditLogger.log({ tool: toolName, action: 'error', args: prep.args, result: 'error', reason: errMsg });
                     return { content: `Error: ${errMsg}`, is_error: true };
                 }
             };

package/dist/audit.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Audit logger for CodeBot.
+ *
+ * Provides append-only JSONL logging of all security-relevant actions.
+ * Logs are stored at ~/.codebot/audit/audit-YYYY-MM-DD.jsonl
+ * Masks secrets in args before writing.
+ * NEVER throws — audit failures must not crash the agent.
+ */
+export interface AuditEntry {
+    timestamp: string;
+    sessionId: string;
+    tool: string;
+    action: 'execute' | 'deny' | 'error' | 'security_block';
+    args: Record<string, unknown>;
+    result?: string;
+    reason?: string;
+}
+export declare class AuditLogger {
+    private logDir;
+    private sessionId;
+    constructor(logDir?: string);
+    /** Get the current session ID */
+    getSessionId(): string;
+    /** Append an audit entry to the log file */
+    log(entry: Omit<AuditEntry, 'timestamp' | 'sessionId'>): void;
+    /** Read log entries, optionally filtered */
+    query(filter?: {
+        tool?: string;
+        action?: string;
+        since?: string;
+    }): AuditEntry[];
+    /** Get the path to today's log file */
+    private getLogFilePath;
+    /** Rotate log file if it exceeds MAX_LOG_SIZE */
+    private rotateIfNeeded;
+    /** Sanitize args for logging: mask secrets and truncate long values */
+    private sanitizeArgs;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.js

@@ -0,0 +1,157 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const secrets_1 = require("./secrets");
+const MAX_LOG_SIZE = 10 * 1024 * 1024; // 10MB before rotation
+const MAX_ARG_LENGTH = 500; // Truncate long arg values for logging
+class AuditLogger {
+    logDir;
+    sessionId;
+    constructor(logDir) {
+        this.logDir = logDir || path.join(os.homedir(), '.codebot', 'audit');
+        this.sessionId = `${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+        try {
+            fs.mkdirSync(this.logDir, { recursive: true });
+        }
+        catch {
+            // Can't create dir — logging will be disabled
+        }
+    }
+    /** Get the current session ID */
+    getSessionId() {
+        return this.sessionId;
+    }
+    /** Append an audit entry to the log file */
+    log(entry) {
+        try {
+            const fullEntry = {
+                timestamp: new Date().toISOString(),
+                sessionId: this.sessionId,
+                ...entry,
+                args: this.sanitizeArgs(entry.args),
+            };
+            const logFile = this.getLogFilePath();
+            const line = JSON.stringify(fullEntry) + '\n';
+            // Check if rotation is needed
+            this.rotateIfNeeded(logFile);
+            fs.appendFileSync(logFile, line, 'utf-8');
+        }
+        catch {
+            // Audit failures must NEVER crash the agent
+        }
+    }
+    /** Read log entries, optionally filtered */
+    query(filter) {
+        const entries = [];
+        try {
+            const files = fs.readdirSync(this.logDir)
+                .filter(f => f.startsWith('audit-') && f.endsWith('.jsonl'))
+                .sort();
+            for (const file of files) {
+                const content = fs.readFileSync(path.join(this.logDir, file), 'utf-8');
+                for (const line of content.split('\n')) {
+                    if (!line.trim())
+                        continue;
+                    try {
+                        const entry = JSON.parse(line);
+                        if (filter?.tool && entry.tool !== filter.tool)
+                            continue;
+                        if (filter?.action && entry.action !== filter.action)
+                            continue;
+                        if (filter?.since && entry.timestamp < filter.since)
+                            continue;
+                        entries.push(entry);
+                    }
+                    catch { /* skip malformed */ }
+                }
+            }
+        }
+        catch {
+            // Can't read logs
+        }
+        return entries;
+    }
+    /** Get the path to today's log file */
+    getLogFilePath() {
+        const date = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
+        return path.join(this.logDir, `audit-${date}.jsonl`);
+    }
+    /** Rotate log file if it exceeds MAX_LOG_SIZE */
+    rotateIfNeeded(logFile) {
+        try {
+            if (!fs.existsSync(logFile))
+                return;
+            const stat = fs.statSync(logFile);
+            if (stat.size >= MAX_LOG_SIZE) {
+                const rotated = logFile.replace('.jsonl', `-${Date.now()}.jsonl`);
+                fs.renameSync(logFile, rotated);
+            }
+        }
+        catch {
+            // Rotation failure is non-fatal
+        }
+    }
+    /** Sanitize args for logging: mask secrets and truncate long values */
+    sanitizeArgs(args) {
+        const sanitized = {};
+        for (const [key, value] of Object.entries(args)) {
+            if (typeof value === 'string') {
+                let masked = (0, secrets_1.maskSecretsInString)(value);
+                if (masked.length > MAX_ARG_LENGTH) {
+                    masked = masked.substring(0, MAX_ARG_LENGTH) + `... (${value.length} chars)`;
+                }
+                sanitized[key] = masked;
+            }
+            else if (typeof value === 'object' && value !== null) {
+                // For objects/arrays, stringify and mask
+                const str = JSON.stringify(value);
+                const masked = (0, secrets_1.maskSecretsInString)(str);
+                sanitized[key] = masked.length > MAX_ARG_LENGTH
+                    ? masked.substring(0, MAX_ARG_LENGTH) + '...'
+                    : masked;
+            }
+            else {
+                sanitized[key] = value;
+            }
+        }
+        return sanitized;
+    }
+}
+exports.AuditLogger = AuditLogger;
+//# sourceMappingURL=audit.js.map

package/dist/cli.js

@@ -44,7 +44,7 @@ const setup_1 = require("./setup");
 const banner_1 = require("./banner");
 const tools_1 = require("./tools");
 const scheduler_1 = require("./scheduler");
-const VERSION = '1.5.0';
+const VERSION = '1.6.0';
 // Session-wide token tracking
 let sessionTokens = { input: 0, output: 0, total: 0 };
 const C = {

package/dist/mcp.js

@@ -38,6 +38,37 @@ const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
+/**
+ * MCP (Model Context Protocol) client.
+ *
+ * Connects to MCP servers defined in `.codebot/mcp.json` or `~/.codebot/mcp.json`:
+ *
+ * {
+ *   "servers": [
+ *     {
+ *       "name": "my-server",
+ *       "command": "npx",
+ *       "args": ["-y", "@my/mcp-server"],
+ *       "env": {}
+ *     }
+ *   ]
+ * }
+ *
+ * Each server is launched as a subprocess communicating via JSON-RPC over stdio.
+ */
+/** Allowlist of commands that MCP servers are permitted to run */
+const ALLOWED_MCP_COMMANDS = new Set([
+    'npx', 'node', 'python', 'python3', 'deno', 'bun', 'docker', 'uvx',
+]);
+/** Safe environment variables to pass to MCP subprocesses */
+const SAFE_ENV_VARS = new Set([
+    'PATH', 'HOME', 'USER', 'SHELL', 'LANG', 'TERM', 'TMPDIR', 'TMP', 'TEMP',
+    'LC_ALL', 'LC_CTYPE', 'DISPLAY', 'XDG_RUNTIME_DIR',
+    // Node.js
+    'NODE_ENV', 'NODE_PATH',
+    // Python
+    'PYTHONPATH', 'VIRTUAL_ENV',
+]);
 class MCPConnection {
     process;
     buffer = '';
@@ -46,9 +77,25 @@ class MCPConnection {
     name;
     constructor(config) {
         this.name = config.name;
+        // Security: validate command against allowlist
+        const command = path.basename(config.command);
+        if (!ALLOWED_MCP_COMMANDS.has(command)) {
+            throw new Error(`Blocked MCP command: "${config.command}". Allowed: ${[...ALLOWED_MCP_COMMANDS].join(', ')}`);
+        }
+        // Security: build safe environment — only pass safe vars + config-defined vars
+        const safeEnv = {};
+        for (const key of SAFE_ENV_VARS) {
+            if (process.env[key]) {
+                safeEnv[key] = process.env[key];
+            }
+        }
+        // Config-defined env vars override safe defaults
+        if (config.env) {
+            Object.assign(safeEnv, config.env);
+        }
         this.process = (0, child_process_1.spawn)(config.command, config.args || [], {
             stdio: ['pipe', 'pipe', 'pipe'],
-            env: { ...process.env, ...config.env },
+            env: safeEnv,
         });
         this.process.stdout?.on('data', (chunk) => {
             this.buffer += chunk.toString();
@@ -97,7 +144,7 @@ class MCPConnection {
         await this.request('initialize', {
             protocolVersion: '2024-11-05',
             capabilities: {},
-            clientInfo: { name: 'codebot-ai', version: '1.1.0' },
+            clientInfo: { name: 'codebot-ai', version: '1.6.0' },
         });
         await this.request('notifications/initialized');
     }
@@ -121,9 +168,13 @@ class MCPConnection {
 }
 /** Create Tool wrappers from an MCP server's tools */
 function mcpToolToTool(connection, def) {
+    // Security: sanitize tool description (limit length, strip control chars)
+    const safeDescription = (def.description || '')
+        .substring(0, 500)
+        .replace(/[\x00-\x1F\x7F]/g, '');
     return {
         name: `mcp_${connection.name}_${def.name}`,
-        description: `[MCP:${connection.name}] ${def.description}`,
+        description: `[MCP:${connection.name}] ${safeDescription}`,
         permission: 'prompt',
         parameters: def.inputSchema || { type: 'object', properties: {} },
         execute: async (args) => {

package/dist/memory.d.ts

@@ -1,3 +1,7 @@
+/**
+ * Sanitize memory content by stripping lines that look like prompt injection.
+ */
+export declare function sanitizeMemory(content: string): string;
 export interface MemoryEntry {
     key: string;
     value: string;
@@ -8,6 +12,9 @@ export interface MemoryEntry {
  * Persistent memory system for CodeBot.
  * Stores project-level and global notes that survive across sessions.
  * Memory is injected into the system prompt so the model always has context.
+ *
+ * Security: content is sanitized before injection to prevent prompt injection.
+ * Size limits: 2KB per file, 10KB total.
  */
 export declare class MemoryManager {
     private projectDir;

package/dist/memory.js

@@ -34,15 +34,57 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryManager = void 0;
+exports.sanitizeMemory = sanitizeMemory;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
 const MEMORY_DIR = path.join(os.homedir(), '.codebot', 'memory');
 const GLOBAL_MEMORY = path.join(MEMORY_DIR, 'MEMORY.md');
+/** Maximum size per memory file (2KB) */
+const MAX_FILE_SIZE = 2048;
+/** Maximum total memory size across all files (10KB) */
+const MAX_TOTAL_SIZE = 10240;
+/** Patterns that indicate potential prompt injection in memory content */
+const INJECTION_PATTERNS = [
+    /^(system|assistant|user):\s/i,
+    /ignore (previous|all|above) instructions/i,
+    /you are now/i,
+    /new instructions:/i,
+    /override:/i,
+    /<\/?system>/i,
+    /\bforget (all|everything|your)\b/i,
+    /\bact as\b/i,
+    /\brole:\s*(system|admin)/i,
+    /\bpretend (you are|to be)\b/i,
+];
+/**
+ * Sanitize memory content by stripping lines that look like prompt injection.
+ */
+function sanitizeMemory(content) {
+    return content.split('\n')
+        .filter(line => !INJECTION_PATTERNS.some(p => p.test(line)))
+        .join('\n');
+}
+/**
+ * Truncate content to a maximum byte size.
+ */
+function truncateToSize(content, maxSize) {
+    if (Buffer.byteLength(content, 'utf-8') <= maxSize)
+        return content;
+    // Truncate by chars (approximation — will be close to byte limit)
+    let truncated = content;
+    while (Buffer.byteLength(truncated, 'utf-8') > maxSize - 50) { // leave room for marker
+        truncated = truncated.substring(0, Math.floor(truncated.length * 0.9));
+    }
+    return truncated.trimEnd() + '\n[truncated — exceeded size limit]';
+}
 /**
  * Persistent memory system for CodeBot.
  * Stores project-level and global notes that survive across sessions.
  * Memory is injected into the system prompt so the model always has context.
+ *
+ * Security: content is sanitized before injection to prevent prompt injection.
+ * Size limits: 2KB per file, 10KB total.
  */
 class MemoryManager {
     projectDir;
@@ -76,14 +118,16 @@ class MemoryManager {
     }
     /** Write to global memory */
     writeGlobal(content) {
-        fs.writeFileSync(GLOBAL_MEMORY, content);
+        const safe = truncateToSize(content, MAX_FILE_SIZE);
+        fs.writeFileSync(GLOBAL_MEMORY, safe);
     }
     /** Write to project memory */
     writeProject(content) {
         if (!this.projectDir)
             return;
         const memFile = path.join(this.projectDir, 'MEMORY.md');
-        fs.writeFileSync(memFile, content);
+        const safe = truncateToSize(content, MAX_FILE_SIZE);
+        fs.writeFileSync(memFile, safe);
     }
     /** Append an entry to global memory */
     appendGlobal(entry) {
@@ -114,20 +158,34 @@ class MemoryManager {
     /** Get all memory content formatted for system prompt injection */
     getContextBlock() {
         const parts = [];
+        let totalSize = 0;
         const global = this.readGlobal();
         if (global.trim()) {
-            parts.push(`## Global Memory\n${global.trim()}`);
+            const sanitized = sanitizeMemory(global.trim());
+            const truncated = truncateToSize(sanitized, MAX_FILE_SIZE);
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## Global Memory\n${truncated}`);
         }
         // Read additional global topic files
         const globalFiles = this.readDir(this.globalDir);
         for (const [name, content] of Object.entries(globalFiles)) {
             if (name === 'MEMORY.md' || !content.trim())
                 continue;
-            parts.push(`## ${name.replace('.md', '')}\n${content.trim()}`);
+            if (totalSize >= MAX_TOTAL_SIZE)
+                break;
+            const sanitized = sanitizeMemory(content.trim());
+            const remaining = MAX_TOTAL_SIZE - totalSize;
+            const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## ${name.replace('.md', '')}\n${truncated}`);
         }
         const project = this.readProject();
-        if (project.trim()) {
-            parts.push(`## Project Memory\n${project.trim()}`);
+        if (project.trim() && totalSize < MAX_TOTAL_SIZE) {
+            const sanitized = sanitizeMemory(project.trim());
+            const remaining = MAX_TOTAL_SIZE - totalSize;
+            const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+            totalSize += Buffer.byteLength(truncated, 'utf-8');
+            parts.push(`## Project Memory\n${truncated}`);
         }
         // Read additional project topic files
         if (this.projectDir) {
@@ -135,7 +193,13 @@ class MemoryManager {
             for (const [name, content] of Object.entries(projFiles)) {
                 if (name === 'MEMORY.md' || !content.trim())
                     continue;
-                parts.push(`## Project: ${name.replace('.md', '')}\n${content.trim()}`);
+                if (totalSize >= MAX_TOTAL_SIZE)
+                    break;
+                const sanitized = sanitizeMemory(content.trim());
+                const remaining = MAX_TOTAL_SIZE - totalSize;
+                const truncated = truncateToSize(sanitized, Math.min(MAX_FILE_SIZE, remaining));
+                totalSize += Buffer.byteLength(truncated, 'utf-8');
+                parts.push(`## Project: ${name.replace('.md', '')}\n${truncated}`);
             }
         }
         if (parts.length === 0)

package/dist/plugins.d.ts

@@ -1,17 +1,3 @@
 import { Tool } from './types';
-/**
- * Plugin system for CodeBot.
- *
- * Plugins are .js files in `.codebot/plugins/` (project) or `~/.codebot/plugins/` (global).
- * Each plugin exports a default function or object that implements the Tool interface:
- *
- * module.exports = {
- *   name: 'my_tool',
- *   description: 'Does something useful',
- *   permission: 'prompt',
- *   parameters: { type: 'object', properties: { ... }, required: [...] },
- *   execute: async (args) => { return 'result'; }
- * };
- */
 export declare function loadPlugins(projectRoot?: string): Tool[];
 //# sourceMappingURL=plugins.d.ts.map

package/dist/plugins.js

@@ -36,20 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadPlugins = loadPlugins;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-/**
- * Plugin system for CodeBot.
- *
- * Plugins are .js files in `.codebot/plugins/` (project) or `~/.codebot/plugins/` (global).
- * Each plugin exports a default function or object that implements the Tool interface:
- *
- * module.exports = {
- *   name: 'my_tool',
- *   description: 'Does something useful',
- *   permission: 'prompt',
- *   parameters: { type: 'object', properties: { ... }, required: [...] },
- *   execute: async (args) => { return 'result'; }
- * };
- */
+const crypto = __importStar(require("crypto"));
 function loadPlugins(projectRoot) {
     const plugins = [];
     const os = require('os');
@@ -74,6 +61,32 @@ function loadPlugins(projectRoot) {
                 continue;
             try {
                 const pluginPath = path.join(dir, entry.name);
+                // Security: verify plugin against manifest hash
+                const manifestPath = path.join(dir, 'plugin.json');
+                if (!fs.existsSync(manifestPath)) {
+                    console.error(`Plugin skipped (${entry.name}): no plugin.json manifest found. Create one with: { "name": "...", "version": "...", "hash": "sha256:..." }`);
+                    continue;
+                }
+                let manifest;
+                try {
+                    manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+                }
+                catch {
+                    console.error(`Plugin skipped (${entry.name}): invalid plugin.json manifest`);
+                    continue;
+                }
+                if (!manifest.hash || !manifest.hash.startsWith('sha256:')) {
+                    console.error(`Plugin skipped (${entry.name}): manifest missing valid sha256 hash`);
+                    continue;
+                }
+                // Compute SHA-256 of the plugin file
+                const pluginContent = fs.readFileSync(pluginPath);
+                const computedHash = 'sha256:' + crypto.createHash('sha256').update(pluginContent).digest('hex');
+                if (computedHash !== manifest.hash) {
+                    console.error(`Plugin skipped (${entry.name}): hash mismatch. Expected ${manifest.hash}, got ${computedHash}. Plugin may have been tampered with.`);
+                    continue;
+                }
+                // Hash verified — safe to load
                 // eslint-disable-next-line @typescript-eslint/no-require-imports
                 const mod = require(pluginPath);
                 const plugin = mod.default || mod;

package/dist/secrets.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Secret detection module for CodeBot.
+ *
+ * Scans content for common credential patterns (API keys, tokens, passwords).
+ * Returns matches with line numbers and masked excerpts.
+ * Used to warn before writing secrets to files — does NOT block writes.
+ */
+export interface SecretMatch {
+    type: string;
+    line: number;
+    snippet: string;
+}
+/**
+ * Scan content for secrets. Returns array of matches with line numbers and masked snippets.
+ */
+export declare function scanForSecrets(content: string): SecretMatch[];
+/**
+ * Quick check: does the content contain any secrets?
+ */
+export declare function hasSecrets(content: string): boolean;
+/**
+ * Mask secrets in an arbitrary string (e.g., for audit logging).
+ * Replaces all detected secret matches with masked versions.
+ */
+export declare function maskSecretsInString(text: string): string;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/secrets.js

@@ -0,0 +1,86 @@
+"use strict";
+/**
+ * Secret detection module for CodeBot.
+ *
+ * Scans content for common credential patterns (API keys, tokens, passwords).
+ * Returns matches with line numbers and masked excerpts.
+ * Used to warn before writing secrets to files — does NOT block writes.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanForSecrets = scanForSecrets;
+exports.hasSecrets = hasSecrets;
+exports.maskSecretsInString = maskSecretsInString;
+const SECRET_PATTERNS = [
+    { name: 'aws_access_key', pattern: /AKIA[0-9A-Z]{16}/ },
+    { name: 'aws_secret_key', pattern: /(?:aws_secret_access_key|aws_secret)\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}/ },
+    { name: 'private_key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
+    { name: 'github_token', pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
+    { name: 'github_oauth', pattern: /gho_[A-Za-z0-9_]{36,}/ },
+    { name: 'generic_api_key', pattern: /(?:api[_-]?key|apikey|secret[_-]?key)\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+    { name: 'jwt', pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_\-]+/ },
+    { name: 'password_assign', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]/i },
+    { name: 'connection_string', pattern: /(?:mongodb|postgres|postgresql|mysql|redis|amqp):\/\/[^\s]{10,}/ },
+    { name: 'slack_token', pattern: /xox[bprs]-[0-9]{10,}-[A-Za-z0-9\-]+/ },
+    { name: 'slack_webhook', pattern: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/ },
+    { name: 'generic_secret', pattern: /(?:secret|token|credential|auth_token)\s*[:=]\s*['"][^'"]{16,}['"]/i },
+    { name: 'npm_token', pattern: /\/\/registry\.npmjs\.org\/:_authToken=[^\s]+/ },
+    { name: 'sendgrid_key', pattern: /SG\.[A-Za-z0-9_\-]{22}\.[A-Za-z0-9_\-]{43}/ },
+    { name: 'stripe_key', pattern: /sk_(live|test)_[A-Za-z0-9]{24,}/ },
+];
+/**
+ * Mask a matched secret for safe display.
+ * Shows first 4 chars + **** + last 4 chars for strings >= 12 chars.
+ * For shorter strings, shows first 2 + **** + last 2.
+ */
+function maskSecret(match) {
+    if (match.length >= 12) {
+        return match.substring(0, 4) + '****' + match.substring(match.length - 4);
+    }
+    if (match.length >= 6) {
+        return match.substring(0, 2) + '****' + match.substring(match.length - 2);
+    }
+    return '****';
+}
+/**
+ * Scan content for secrets. Returns array of matches with line numbers and masked snippets.
+ */
+function scanForSecrets(content) {
+    const matches = [];
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { name, pattern } of SECRET_PATTERNS) {
+            const match = line.match(pattern);
+            if (match) {
+                matches.push({
+                    type: name,
+                    line: i + 1,
+                    snippet: maskSecret(match[0]),
+                });
+            }
+        }
+    }
+    return matches;
+}
+/**
+ * Quick check: does the content contain any secrets?
+ */
+function hasSecrets(content) {
+    for (const { pattern } of SECRET_PATTERNS) {
+        if (pattern.test(content))
+            return true;
+    }
+    return false;
+}
+/**
+ * Mask secrets in an arbitrary string (e.g., for audit logging).
+ * Replaces all detected secret matches with masked versions.
+ */
+function maskSecretsInString(text) {
+    let masked = text;
+    for (const { pattern } of SECRET_PATTERNS) {
+        masked = masked.replace(new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g')), match => maskSecret(match));
+    }
+    return masked;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/security.d.ts

@@ -0,0 +1,18 @@
+export interface PathSafetyResult {
+    safe: boolean;
+    reason?: string;
+}
+/**
+ * Check if a file path is safe for write/edit operations.
+ *
+ * Resolves symlinks, checks against blocked system paths,
+ * and verifies the path is within the project or user home.
+ */
+export declare function isPathSafe(targetPath: string, projectRoot: string): PathSafetyResult;
+/**
+ * Check if a working directory is safe for command execution.
+ *
+ * Ensures the CWD exists, is a directory, and is under the project root.
+ */
+export declare function isCwdSafe(cwd: string, projectRoot: string): PathSafetyResult;
+//# sourceMappingURL=security.d.ts.map

package/dist/security.js

@@ -0,0 +1,167 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPathSafe = isPathSafe;
+exports.isCwdSafe = isCwdSafe;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/**
+ * Path safety module for CodeBot.
+ *
+ * Prevents tools from reading/writing system-critical files and directories.
+ * Resolves symlinks to prevent bypass attacks.
+ */
+/** System-critical absolute paths that should NEVER be written to */
+const BLOCKED_ABSOLUTE_PATHS = [
+    '/etc', '/usr', '/bin', '/sbin', '/boot', '/dev', '/proc', '/sys',
+    '/var/log', '/var/run', '/lib', '/lib64',
+    // macOS system directories
+    '/System', '/Library',
+    // Windows system directories
+    'C:\\Windows', 'C:\\Program Files', 'C:\\Program Files (x86)',
+];
+/** Home-relative sensitive directories/files that should NEVER be written to */
+const BLOCKED_HOME_RELATIVE = [
+    '.ssh',
+    '.gnupg',
+    '.aws/credentials',
+    '.config/gcloud',
+    '.bashrc',
+    '.bash_profile',
+    '.zshrc',
+    '.profile',
+    '.gitconfig',
+    '.npmrc',
+];
+/**
+ * Check if a file path is safe for write/edit operations.
+ *
+ * Resolves symlinks, checks against blocked system paths,
+ * and verifies the path is within the project or user home.
+ */
+function isPathSafe(targetPath, projectRoot) {
+    try {
+        const resolved = path.resolve(targetPath);
+        // Resolve symlinks — for new files, resolve the parent directory
+        let realPath;
+        try {
+            realPath = fs.realpathSync(resolved);
+        }
+        catch {
+            // File doesn't exist yet — resolve the parent
+            const parentDir = path.dirname(resolved);
+            try {
+                const realParent = fs.realpathSync(parentDir);
+                realPath = path.join(realParent, path.basename(resolved));
+            }
+            catch {
+                // Parent doesn't exist either — use the resolved path as-is
+                realPath = resolved;
+            }
+        }
+        // Check against blocked absolute paths
+        const normalizedPath = realPath.replace(/\\/g, '/').toLowerCase();
+        for (const blocked of BLOCKED_ABSOLUTE_PATHS) {
+            const normalizedBlocked = blocked.replace(/\\/g, '/').toLowerCase();
+            if (normalizedPath === normalizedBlocked || normalizedPath.startsWith(normalizedBlocked + '/')) {
+                return { safe: false, reason: `Blocked: "${realPath}" is inside system directory "${blocked}"` };
+            }
+        }
+        // Check against home-relative sensitive paths
+        const home = os.homedir();
+        for (const relative of BLOCKED_HOME_RELATIVE) {
+            const blockedPath = path.join(home, relative);
+            const normalizedBlockedHome = blockedPath.replace(/\\/g, '/').toLowerCase();
+            if (normalizedPath === normalizedBlockedHome || normalizedPath.startsWith(normalizedBlockedHome + '/')) {
+                return { safe: false, reason: `Blocked: "${realPath}" is a sensitive file/directory (~/${relative})` };
+            }
+        }
+        // Verify path is under project root or user home
+        const normalizedProject = path.resolve(projectRoot).replace(/\\/g, '/').toLowerCase();
+        const normalizedHome = home.replace(/\\/g, '/').toLowerCase();
+        const isUnderProject = normalizedPath.startsWith(normalizedProject + '/') || normalizedPath === normalizedProject;
+        const isUnderHome = normalizedPath.startsWith(normalizedHome + '/') || normalizedPath === normalizedHome;
+        if (!isUnderProject && !isUnderHome) {
+            return { safe: false, reason: `Blocked: "${realPath}" is outside both project root and user home directory` };
+        }
+        return { safe: true };
+    }
+    catch (err) {
+        return { safe: false, reason: `Path validation error: ${err instanceof Error ? err.message : String(err)}` };
+    }
+}
+/**
+ * Check if a working directory is safe for command execution.
+ *
+ * Ensures the CWD exists, is a directory, and is under the project root.
+ */
+function isCwdSafe(cwd, projectRoot) {
+    try {
+        const resolved = path.resolve(cwd);
+        // Check it exists and is a directory
+        try {
+            const stat = fs.statSync(resolved);
+            if (!stat.isDirectory()) {
+                return { safe: false, reason: `"${resolved}" is not a directory` };
+            }
+        }
+        catch {
+            return { safe: false, reason: `Directory does not exist: "${resolved}"` };
+        }
+        // Resolve symlinks
+        let realPath;
+        try {
+            realPath = fs.realpathSync(resolved);
+        }
+        catch {
+            realPath = resolved;
+        }
+        // Verify it's under project root or user home
+        const normalizedPath = realPath.replace(/\\/g, '/').toLowerCase();
+        const normalizedProject = path.resolve(projectRoot).replace(/\\/g, '/').toLowerCase();
+        const normalizedHome = os.homedir().replace(/\\/g, '/').toLowerCase();
+        const isUnderProject = normalizedPath.startsWith(normalizedProject + '/') || normalizedPath === normalizedProject;
+        const isUnderHome = normalizedPath.startsWith(normalizedHome + '/') || normalizedPath === normalizedHome;
+        if (!isUnderProject && !isUnderHome) {
+            return { safe: false, reason: `CWD "${realPath}" is outside project root and user home directory` };
+        }
+        return { safe: true };
+    }
+    catch (err) {
+        return { safe: false, reason: `CWD validation error: ${err instanceof Error ? err.message : String(err)}` };
+    }
+}
+//# sourceMappingURL=security.js.map

package/dist/tools/batch-edit.js

@@ -36,6 +36,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.BatchEditTool = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const security_1 = require("../security");
+const secrets_1 = require("../secrets");
 class BatchEditTool {
     name = 'batch_edit';
     description = 'Apply multiple find-and-replace edits across one or more files atomically. All edits are validated before any are applied. Useful for renaming, refactoring, and coordinated multi-file changes.';
@@ -64,8 +66,10 @@ class BatchEditTool {
         if (!edits || !Array.isArray(edits) || edits.length === 0) {
             return 'Error: edits array is required and must not be empty';
         }
+        const projectRoot = process.cwd();
         // Phase 1: Validate all edits before applying any
         const errors = [];
+        const warnings = [];
         const validated = [];
         // Group edits by file so we can chain them
         const byFile = new Map();
@@ -75,6 +79,12 @@ class BatchEditTool {
                 continue;
             }
             const filePath = path.resolve(edit.path);
+            // Security: path safety check
+            const safety = (0, security_1.isPathSafe)(filePath, projectRoot);
+            if (!safety.safe) {
+                errors.push(`${safety.reason}`);
+                continue;
+            }
             if (!byFile.has(filePath))
                 byFile.set(filePath, []);
             byFile.get(filePath).push(edit);
@@ -98,6 +108,11 @@ class BatchEditTool {
                     errors.push(`String found ${count} times in ${filePath} (must be unique): "${oldStr.substring(0, 60)}${oldStr.length > 60 ? '...' : ''}"`);
                     continue;
                 }
+                // Security: secret detection on new content
+                const secrets = (0, secrets_1.scanForSecrets)(newStr);
+                if (secrets.length > 0) {
+                    warnings.push(`Secrets detected in edit for ${filePath}: ${secrets.map(s => `${s.type} (${s.snippet})`).join(', ')}`);
+                }
                 content = content.replace(oldStr, newStr);
             }
             if (content !== originalContent) {
@@ -115,7 +130,11 @@ class BatchEditTool {
         }
         const fileCount = validated.length;
         const editCount = edits.length;
-        return `Applied ${editCount} edit${editCount > 1 ? 's' : ''} across ${fileCount} file${fileCount > 1 ? 's' : ''}:\n${results.map(f => `  ✓ ${f}`).join('\n')}`;
+        let output = `Applied ${editCount} edit${editCount > 1 ? 's' : ''} across ${fileCount} file${fileCount > 1 ? 's' : ''}:\n${results.map(f => `  ✓ ${f}`).join('\n')}`;
+        if (warnings.length > 0) {
+            output += `\n\n⚠️  Security warnings:\n${warnings.map(w => `  - ${w}`).join('\n')}`;
+        }
+        return output;
     }
 }
 exports.BatchEditTool = BatchEditTool;

package/dist/tools/edit.js

@@ -37,6 +37,8 @@ exports.EditFileTool = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
+const security_1 = require("../security");
+const secrets_1 = require("../secrets");
 // Undo snapshot directory
 const UNDO_DIR = path.join(os.homedir(), '.codebot', 'undo');
 const MAX_UNDO = 50;
@@ -66,10 +68,32 @@ class EditFileTool {
         const filePath = path.resolve(args.path);
         const oldStr = String(args.old_string);
         const newStr = String(args.new_string);
-        if (!fs.existsSync(filePath)) {
+        // Security: path safety check
+        const projectRoot = process.cwd();
+        const safety = (0, security_1.isPathSafe)(filePath, projectRoot);
+        if (!safety.safe) {
+            return `Error: ${safety.reason}`;
+        }
+        // Security: resolve symlinks before reading
+        let realPath;
+        try {
+            realPath = fs.realpathSync(filePath);
+        }
+        catch {
             throw new Error(`File not found: ${filePath}`);
         }
-        const content = fs.readFileSync(filePath, 'utf-8');
+        if (!fs.existsSync(realPath)) {
+            throw new Error(`File not found: ${filePath}`);
+        }
+        // Security: secret detection on new content (warn but don't block)
+        const secrets = (0, secrets_1.scanForSecrets)(newStr);
+        let warning = '';
+        if (secrets.length > 0) {
+            warning = `\n\n⚠️  WARNING: ${secrets.length} potential secret(s) in new content:\n` +
+                secrets.map(s => `  ${s.type} — ${s.snippet}`).join('\n') +
+                '\nConsider using environment variables instead of hardcoding secrets.';
+        }
+        const content = fs.readFileSync(realPath, 'utf-8');
         const count = content.split(oldStr).length - 1;
         if (count === 0) {
             throw new Error(`String not found in ${filePath}. Make sure old_string matches exactly (including whitespace).`);
@@ -78,12 +102,12 @@ class EditFileTool {
             throw new Error(`String found ${count} times in ${filePath}. Provide more surrounding context to make it unique.`);
         }
         // Save undo snapshot
-        this.saveSnapshot(filePath, content);
+        this.saveSnapshot(realPath, content);
         const updated = content.replace(oldStr, newStr);
-        fs.writeFileSync(filePath, updated, 'utf-8');
+        fs.writeFileSync(realPath, updated, 'utf-8');
         // Generate diff preview
         const diff = this.generateDiff(oldStr, newStr, content, filePath);
-        return diff;
+        return diff + warning;
     }
     generateDiff(oldStr, newStr, content, filePath) {
         const lines = content.split('\n');

package/dist/tools/execute.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ExecuteTool = void 0;
 const child_process_1 = require("child_process");
+const security_1 = require("../security");
 const BLOCKED_PATTERNS = [
     // Destructive filesystem operations
     /rm\s+-rf\s+\//,
@@ -39,6 +40,44 @@ const BLOCKED_PATTERNS = [
     /insmod\b/,
     /rmmod\b/,
     /modprobe\s+-r/,
+    // ── v1.6.0 security hardening: evasion-resistant patterns ──
+    // Base64 decode pipes (obfuscated command execution)
+    /base64\s+(-d|--decode)\s*\|/,
+    // Hex escape sequences (obfuscation)
+    /\\x[0-9a-fA-F]{2}.*\\x[0-9a-fA-F]{2}/,
+    // Variable-based obfuscation
+    /\$\{[^}]*rm\s/,
+    /eval\s+.*\$/,
+    // Backtick-based command injection
+    /`[^`]*rm\s+-rf/,
+    // Process substitution with dangerous commands
+    /<\(.*curl/,
+    /<\(.*wget/,
+    // Python/perl inline execution of destructive commands
+    /python[23]?\s+-c\s+.*import\s+os.*remove/,
+    /perl\s+-e\s+.*unlink/,
+    // Encoded shell commands
+    /echo\s+.*\|\s*base64\s+(-d|--decode)\s*\|\s*(ba)?sh/,
+    // Crontab manipulation
+    /crontab\s+-r/,
+    // Systemctl destructive operations
+    /systemctl\s+(disable|mask|stop)\s+(sshd|firewalld|iptables)/,
+];
+/** Sensitive environment variables to strip before passing to child process */
+const FILTERED_ENV_VARS = [
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+    'GITHUB_TOKEN',
+    'GH_TOKEN',
+    'NPM_TOKEN',
+    'DATABASE_URL',
+    'OPENAI_API_KEY',
+    'ANTHROPIC_API_KEY',
+    'GOOGLE_API_KEY',
+    'STRIPE_SECRET_KEY',
+    'SENDGRID_API_KEY',
+    'SLACK_TOKEN',
+    'SLACK_BOT_TOKEN',
 ];
 class ExecuteTool {
     name = 'execute';
@@ -63,13 +102,26 @@ class ExecuteTool {
                 throw new Error(`Blocked: "${cmd}" matches a dangerous command pattern.`);
             }
         }
+        // Security: validate CWD
+        const cwd = args.cwd || process.cwd();
+        const projectRoot = process.cwd();
+        const cwdSafety = (0, security_1.isCwdSafe)(cwd, projectRoot);
+        if (!cwdSafety.safe) {
+            return `Error: ${cwdSafety.reason}`;
+        }
+        // Security: filter sensitive env vars
+        const safeEnv = { ...process.env };
+        for (const key of FILTERED_ENV_VARS) {
+            delete safeEnv[key];
+        }
         try {
             const output = (0, child_process_1.execSync)(cmd, {
-                cwd: args.cwd || process.cwd(),
+                cwd,
                 timeout: args.timeout || 30000,
                 maxBuffer: 1024 * 1024,
                 encoding: 'utf-8',
                 stdio: ['pipe', 'pipe', 'pipe'],
+                env: safeEnv,
             });
             return output || '(no output)';
         }

package/dist/tools/package-manager.js

@@ -63,6 +63,34 @@ const MANAGERS = {
         remove: 'go mod tidy', list: 'go list -m all', outdated: 'go list -m -u all', audit: 'govulncheck ./...',
     },
 };
+/**
+ * Package name validation patterns by ecosystem.
+ * Rejects names containing shell metacharacters or injection attempts.
+ */
+const SAFE_PKG_PATTERNS = {
+    // npm: @scope/pkg@version or pkg@version
+    npm: /^(@[a-z0-9\-~][a-z0-9\-._~]*\/)?[a-z0-9\-~][a-z0-9\-._~]*(@[a-z0-9^~>=<.*\-]+)?$/,
+    yarn: /^(@[a-z0-9\-~][a-z0-9\-._~]*\/)?[a-z0-9\-~][a-z0-9\-._~]*(@[a-z0-9^~>=<.*\-]+)?$/,
+    pnpm: /^(@[a-z0-9\-~][a-z0-9\-._~]*\/)?[a-z0-9\-~][a-z0-9\-._~]*(@[a-z0-9^~>=<.*\-]+)?$/,
+    // pip: allows hyphens, underscores, dots, optional version spec
+    pip: /^[a-zA-Z0-9][a-zA-Z0-9._\-]*(\[[a-zA-Z0-9,._\-]+\])?(([>=<!=~]+)[a-zA-Z0-9.*]+)?$/,
+    // cargo: lowercase alphanumeric + hyphens + underscores
+    cargo: /^[a-zA-Z][a-zA-Z0-9_\-]*(@[a-zA-Z0-9.^~>=<*\-]+)?$/,
+    // go: module paths
+    go: /^[a-zA-Z0-9][a-zA-Z0-9._\-/]*(@[a-zA-Z0-9.^~>=<*\-]+)?$/,
+};
+function isPackageNameSafe(pkgName, manager) {
+    // Split by spaces to handle multiple package args
+    const packages = pkgName.trim().split(/\s+/);
+    const pattern = SAFE_PKG_PATTERNS[manager];
+    if (!pattern)
+        return false;
+    for (const pkg of packages) {
+        if (!pattern.test(pkg))
+            return false;
+    }
+    return true;
+}
 class PackageManagerTool {
     name = 'package_manager';
     description = 'Manage dependencies. Auto-detects npm/yarn/pnpm/pip/cargo/go. Actions: install, add, remove, list, outdated, audit, detect.';
@@ -98,6 +126,10 @@ class PackageManagerTool {
                 const pkg = args.package;
                 if (!pkg)
                     return 'Error: package name is required for add';
+                // Security: validate package name
+                if (!isPackageNameSafe(pkg, mgr.name)) {
+                    return `Error: invalid package name "${pkg}". Package names must be alphanumeric with hyphens/underscores/dots only. Shell metacharacters are not allowed.`;
+                }
                 cmd = `${mgr.add} ${pkg}`;
                 break;
             }
@@ -105,6 +137,10 @@ class PackageManagerTool {
                 const pkg = args.package;
                 if (!pkg)
                     return 'Error: package name is required for remove';
+                // Security: validate package name
+                if (!isPackageNameSafe(pkg, mgr.name)) {
+                    return `Error: invalid package name "${pkg}". Package names must be alphanumeric with hyphens/underscores/dots only. Shell metacharacters are not allowed.`;
+                }
                 cmd = `${mgr.remove} ${pkg}`;
                 break;
             }

package/dist/tools/web-fetch.js

@@ -31,17 +31,19 @@ class WebFetchTool {
         // Block requests to private/internal IPs
         const hostname = parsed.hostname.toLowerCase();
         // Block localhost variants
-        if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1' || hostname === '0.0.0.0') {
+        if (hostname === 'localhost' || hostname === '::1' || hostname === '0.0.0.0') {
             return 'Blocked: requests to localhost are not allowed';
         }
         // Block cloud metadata endpoints
         if (hostname === '169.254.169.254' || hostname === 'metadata.google.internal') {
             return 'Blocked: requests to cloud metadata endpoints are not allowed';
         }
-        // Block private IP ranges (10.x, 172.16-31.x, 192.168.x)
+        // Block private IPv4 ranges
         const ipMatch = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
         if (ipMatch) {
             const [, a, b] = ipMatch.map(Number);
+            if (a === 127)
+                return 'Blocked: loopback IP range (127.x.x.x)'; // Full 127.0.0.0/8
             if (a === 10)
                 return 'Blocked: private IP range (10.x.x.x)';
             if (a === 172 && b >= 16 && b <= 31)
@@ -50,6 +52,44 @@ class WebFetchTool {
                 return 'Blocked: private IP range (192.168.x.x)';
             if (a === 0)
                 return 'Blocked: invalid IP (0.x.x.x)';
+            if (a === 169 && b === 254)
+                return 'Blocked: link-local IP (169.254.x.x)';
+        }
+        // ── v1.6.0 security hardening: IPv6 private range blocking ──
+        // Remove brackets for IPv6 addresses
+        const bare = hostname.replace(/^\[/, '').replace(/\]$/, '').toLowerCase();
+        // IPv6 loopback
+        if (bare === '::1' || bare === '0:0:0:0:0:0:0:1') {
+            return 'Blocked: IPv6 loopback (::1)';
+        }
+        // IPv6 link-local (fe80::/10)
+        if (/^fe[89ab][0-9a-f]:/i.test(bare)) {
+            return 'Blocked: IPv6 link-local address (fe80::/10)';
+        }
+        // IPv6 unique local address (fc00::/7 — includes fd00::/8)
+        if (/^f[cd][0-9a-f]{2}:/i.test(bare)) {
+            return 'Blocked: IPv6 unique local address (fc00::/7)';
+        }
+        // IPv6 multicast (ff00::/8)
+        if (/^ff[0-9a-f]{2}:/i.test(bare)) {
+            return 'Blocked: IPv6 multicast address (ff00::/8)';
+        }
+        // IPv6-mapped IPv4 addresses (::ffff:x.x.x.x)
+        const mappedMatch = bare.match(/^::ffff:(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+        if (mappedMatch) {
+            const [, a, b] = mappedMatch.map(Number);
+            if (a === 127)
+                return 'Blocked: IPv4-mapped loopback';
+            if (a === 10)
+                return 'Blocked: IPv4-mapped private IP';
+            if (a === 172 && b >= 16 && b <= 31)
+                return 'Blocked: IPv4-mapped private IP';
+            if (a === 192 && b === 168)
+                return 'Blocked: IPv4-mapped private IP';
+            if (a === 0)
+                return 'Blocked: IPv4-mapped invalid IP';
+            if (a === 169 && b === 254)
+                return 'Blocked: IPv4-mapped link-local';
         }
         return null; // URL is safe
     }

package/dist/tools/write.js

@@ -37,6 +37,8 @@ exports.WriteFileTool = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
+const security_1 = require("../security");
+const secrets_1 = require("../secrets");
 const UNDO_DIR = path.join(os.homedir(), '.codebot', 'undo');
 class WriteFileTool {
     name = 'write_file';
@@ -60,6 +62,20 @@ class WriteFileTool {
         const filePath = path.resolve(args.path);
         const content = String(args.content);
         const dir = path.dirname(filePath);
+        // Security: path safety check
+        const projectRoot = process.cwd();
+        const safety = (0, security_1.isPathSafe)(filePath, projectRoot);
+        if (!safety.safe) {
+            return `Error: ${safety.reason}`;
+        }
+        // Security: secret detection (warn but don't block)
+        const secrets = (0, secrets_1.scanForSecrets)(content);
+        let warning = '';
+        if (secrets.length > 0) {
+            warning = `\n\n⚠️  WARNING: ${secrets.length} potential secret(s) detected:\n` +
+                secrets.map(s => `  Line ${s.line}: ${s.type} — ${s.snippet}`).join('\n') +
+                '\nConsider using environment variables instead of hardcoding secrets.';
+        }
         if (!fs.existsSync(dir)) {
             fs.mkdirSync(dir, { recursive: true });
         }
@@ -74,7 +90,7 @@ class WriteFileTool {
         }
         fs.writeFileSync(filePath, content, 'utf-8');
         const lines = content.split('\n').length;
-        return `${existed ? 'Overwrote' : 'Created'} ${filePath} (${lines} lines, ${content.length} bytes)`;
+        return `${existed ? 'Overwrote' : 'Created'} ${filePath} (${lines} lines, ${content.length} bytes)${warning}`;
     }
     saveSnapshot(filePath, content) {
         try {

package/dist/types.d.ts

@@ -79,5 +79,6 @@ export interface Config {
     maxIterations: number;
     autoApprove: boolean;
     contextBudget?: number;
+    projectRoot?: string;
 }
 //# sourceMappingURL=types.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebot-ai",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "Zero-dependency autonomous AI agent. Code, browse, search, automate. Works with any LLM — Ollama, Claude, GPT, Gemini, DeepSeek, Groq, Mistral, Grok.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",