codebot-ai 1.6.0 → 1.7.0

package/dist/cli.js

@@ -35,6 +35,8 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.main = main;
 const readline = __importStar(require("readline"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
 const agent_1 = require("./agent");
 const openai_1 = require("./providers/openai");
 const anthropic_1 = require("./providers/anthropic");
@@ -44,9 +46,10 @@ const setup_1 = require("./setup");
 const banner_1 = require("./banner");
 const tools_1 = require("./tools");
 const scheduler_1 = require("./scheduler");
-const VERSION = '1.6.0';
-// Session-wide token tracking
-let sessionTokens = { input: 0, output: 0, total: 0 };
+const audit_1 = require("./audit");
+const policy_1 = require("./policy");
+const sandbox_1 = require("./sandbox");
+const VERSION = '1.7.0';
 const C = {
     reset: '\x1b[0m',
     bold: '\x1b[1m',
@@ -86,12 +89,89 @@ async function main() {
         await (0, setup_1.runSetup)();
         return;
     }
+    // ── v1.7.0: New standalone commands ──
+    // --init-policy: Generate default policy file
+    if (args['init-policy']) {
+        const policyPath = path.join(process.cwd(), '.codebot', 'policy.json');
+        const policyDir = path.dirname(policyPath);
+        if (!fs.existsSync(policyDir))
+            fs.mkdirSync(policyDir, { recursive: true });
+        if (fs.existsSync(policyPath)) {
+            console.log(c(`Policy file already exists at ${policyPath}`, 'yellow'));
+            console.log(c('Delete it first if you want to regenerate.', 'dim'));
+        }
+        else {
+            fs.writeFileSync(policyPath, (0, policy_1.generateDefaultPolicyFile)(), 'utf-8');
+            console.log(c(`Created default policy at ${policyPath}`, 'green'));
+        }
+        return;
+    }
+    // --verify-audit: Verify audit chain integrity
+    if (args['verify-audit']) {
+        const logger = new audit_1.AuditLogger();
+        const sessionId = typeof args['verify-audit'] === 'string' ? args['verify-audit'] : undefined;
+        if (sessionId) {
+            const entries = logger.query({ sessionId });
+            if (entries.length === 0) {
+                console.log(c(`No audit entries found for session ${sessionId}`, 'yellow'));
+                return;
+            }
+            const result = audit_1.AuditLogger.verify(entries);
+            if (result.valid) {
+                console.log(c(`Audit chain valid (${result.entriesChecked} entries checked)`, 'green'));
+            }
+            else {
+                console.log(c(`Audit chain INVALID at sequence ${result.firstInvalidAt}`, 'red'));
+                console.log(c(`Reason: ${result.reason}`, 'red'));
+            }
+        }
+        else {
+            // Verify all entries from today's log
+            const entries = logger.query();
+            if (entries.length === 0) {
+                console.log(c('No audit entries found.', 'yellow'));
+                return;
+            }
+            // Group by session and verify each
+            const sessions = new Map();
+            for (const e of entries) {
+                if (!sessions.has(e.sessionId))
+                    sessions.set(e.sessionId, []);
+                sessions.get(e.sessionId).push(e);
+            }
+            let allValid = true;
+            for (const [sid, sessionEntries] of sessions) {
+                const result = audit_1.AuditLogger.verify(sessionEntries);
+                const shortId = sid.substring(0, 12);
+                if (result.valid) {
+                    console.log(c(`  ${shortId}  ${result.entriesChecked} entries  valid`, 'green'));
+                }
+                else {
+                    console.log(c(`  ${shortId}  INVALID at seq ${result.firstInvalidAt}: ${result.reason}`, 'red'));
+                    allValid = false;
+                }
+            }
+            console.log(allValid
+                ? c(`\nAll ${sessions.size} session chains verified.`, 'green')
+                : c(`\nSome chains are invalid — possible tampering detected.`, 'red'));
+        }
+        return;
+    }
+    // --sandbox-info: Show sandbox status
+    if (args['sandbox-info']) {
+        const info = (0, sandbox_1.getSandboxInfo)();
+        console.log(c('Sandbox Status:', 'bold'));
+        console.log(`  Docker: ${info.available ? c('available', 'green') : c('not available', 'yellow')}`);
+        console.log(`  Image:  ${info.image}`);
+        console.log(`  CPU:    ${info.defaults.cpus} cores max`);
+        console.log(`  Memory: ${info.defaults.memoryMb}MB max`);
+        console.log(`  Network: ${info.defaults.network ? 'enabled' : 'disabled'} by default`);
+        return;
+    }
     // First run: auto-launch setup if nothing is configured
     if ((0, setup_1.isFirstRun)() && process.stdin.isTTY && !args.message) {
         console.log(c('Welcome! No configuration found — launching setup...', 'cyan'));
         await (0, setup_1.runSetup)();
-        // If setup saved a config, continue to main flow
-        // Otherwise exit
         if ((0, setup_1.isFirstRun)())
             return;
     }
@@ -118,6 +198,7 @@ async function main() {
     const agent = new agent_1.Agent({
         provider,
         model: config.model,
+        providerName: config.provider,
         maxIterations: config.maxIterations,
         autoApprove: config.autoApprove,
         onMessage: (msg) => session.save(msg),
@@ -133,6 +214,7 @@ async function main() {
     // Non-interactive: single message from CLI args
     if (typeof args.message === 'string') {
         await runOnce(agent, args.message);
+        printSessionSummary(agent);
         return;
     }
     // Non-interactive: piped stdin
@@ -140,6 +222,7 @@ async function main() {
         const input = await readStdin();
         if (input.trim()) {
             await runOnce(agent, input.trim());
+            printSessionSummary(agent);
         }
         return;
     }
@@ -151,6 +234,22 @@ async function main() {
     // Cleanup scheduler on exit
     scheduler.stop();
 }
+/** Print session summary with tokens, cost, tool calls, files modified */
+function printSessionSummary(agent) {
+    const tracker = agent.getTokenTracker();
+    tracker.saveUsage();
+    const summary = tracker.getSummary();
+    const duration = (new Date(summary.endTime).getTime() - new Date(summary.startTime).getTime()) / 1000;
+    const mins = Math.floor(duration / 60);
+    const secs = Math.floor(duration % 60);
+    console.log(c('\n── Session Summary ──', 'dim'));
+    console.log(`  Duration:  ${mins}m ${secs}s`);
+    console.log(`  Model:     ${summary.model} via ${summary.provider}`);
+    console.log(`  Tokens:    ${summary.totalInputTokens.toLocaleString()} in / ${summary.totalOutputTokens.toLocaleString()} out (${tracker.formatCost()})`);
+    console.log(`  Requests:  ${summary.requestCount}`);
+    console.log(`  Tools:     ${summary.toolCalls} calls`);
+    console.log(`  Files:     ${summary.filesModified} modified`);
+}
 function createProvider(config) {
     if (config.provider === 'anthropic') {
         return new anthropic_1.AnthropicProvider({
@@ -159,7 +258,6 @@ function createProvider(config) {
             model: config.model,
         });
     }
-    // All other providers use OpenAI-compatible format
     return new openai_1.OpenAIProvider({
         baseUrl: config.baseUrl,
         apiKey: config.apiKey,
@@ -186,7 +284,7 @@ async function repl(agent, config, session) {
         }
         try {
             for await (const event of agent.run(input)) {
-                renderEvent(event);
+                renderEvent(event, agent);
             }
         }
         catch (err) {
@@ -197,18 +295,19 @@ async function repl(agent, config, session) {
         rl.prompt();
     });
     rl.on('close', () => {
+        printSessionSummary(agent);
         console.log(c('\nBye!', 'dim'));
         process.exit(0);
     });
 }
 async function runOnce(agent, message) {
     for await (const event of agent.run(message)) {
-        renderEvent(event);
+        renderEvent(event, agent);
     }
     console.log();
 }
 let isThinking = false;
-function renderEvent(event) {
+function renderEvent(event, agent) {
     switch (event.type) {
         case 'thinking':
             if (!isThinking) {
@@ -248,20 +347,15 @@ function renderEvent(event) {
             }
             break;
         case 'usage':
-            if (event.usage) {
-                if (event.usage.inputTokens)
-                    sessionTokens.input += event.usage.inputTokens;
-                if (event.usage.outputTokens)
-                    sessionTokens.output += event.usage.outputTokens;
-                if (event.usage.totalTokens)
-                    sessionTokens.total += event.usage.totalTokens;
+            if (event.usage && agent) {
+                const tracker = agent.getTokenTracker();
                 const parts = [];
                 if (event.usage.inputTokens)
                     parts.push(`in: ${event.usage.inputTokens}`);
                 if (event.usage.outputTokens)
                     parts.push(`out: ${event.usage.outputTokens}`);
                 if (parts.length > 0) {
-                    console.log(c(`  [${parts.join(', ')} tokens]`, 'dim'));
+                    console.log(c(`  [${parts.join(', ')} tokens | ${tracker.formatCost()}]`, 'dim'));
                 }
             }
             break;
@@ -306,7 +400,10 @@ function handleSlashCommand(input, agent, config) {
   /auto      Toggle autonomous mode
   /routines  List scheduled routines
   /undo      Undo last file edit (/undo [path])
-  /usage     Show token usage for this session
+  /usage     Show token usage & cost for this session
+  /cost      Show running cost
+  /policy    Show current security policy
+  /audit     Verify audit chain for this session
   /config    Show current config
   /quit      Exit`);
             break;
@@ -365,10 +462,41 @@ function handleSlashCommand(input, agent, config) {
             break;
         }
         case '/usage': {
-            console.log(c('\nToken Usage (this session):', 'bold'));
-            console.log(`  Input:  ${sessionTokens.input.toLocaleString()} tokens`);
-            console.log(`  Output: ${sessionTokens.output.toLocaleString()} tokens`);
-            console.log(`  Total:  ${(sessionTokens.input + sessionTokens.output).toLocaleString()} tokens`);
+            const tracker = agent.getTokenTracker();
+            const summary = tracker.getSummary();
+            console.log(c('\nSession Usage:', 'bold'));
+            console.log(`  Input:    ${summary.totalInputTokens.toLocaleString()} tokens`);
+            console.log(`  Output:   ${summary.totalOutputTokens.toLocaleString()} tokens`);
+            console.log(`  Cost:     ${tracker.formatCost()}`);
+            console.log(`  Requests: ${summary.requestCount}`);
+            console.log(`  Tools:    ${summary.toolCalls} calls`);
+            console.log(`  Files:    ${summary.filesModified} modified`);
+            break;
+        }
+        case '/cost': {
+            const tracker = agent.getTokenTracker();
+            console.log(c(`  ${tracker.formatStatusLine()}`, 'dim'));
+            break;
+        }
+        case '/policy': {
+            const policy = agent.getPolicyEnforcer().getPolicy();
+            console.log(c('\nCurrent Policy:', 'bold'));
+            console.log(JSON.stringify(policy, null, 2));
+            break;
+        }
+        case '/audit': {
+            const auditLogger = agent.getAuditLogger();
+            const result = auditLogger.verifySession();
+            if (result.entriesChecked === 0) {
+                console.log(c('No audit entries yet.', 'dim'));
+            }
+            else if (result.valid) {
+                console.log(c(`Audit chain valid (${result.entriesChecked} entries)`, 'green'));
+            }
+            else {
+                console.log(c(`Audit chain INVALID at sequence ${result.firstInvalidAt}`, 'red'));
+                console.log(c(`  ${result.reason}`, 'red'));
+            }
             break;
         }
         case '/routines': {
@@ -409,7 +537,6 @@ function showModels() {
     }
 }
 async function resolveConfig(args) {
-    // Load saved config (CLI args override saved config)
     const saved = (0, setup_1.loadConfig)();
     const model = args.model || process.env.CODEBOT_MODEL || saved.model || 'qwen2.5-coder:32b';
     const detected = (0, registry_1.detectProvider)(model);
@@ -421,7 +548,6 @@ async function resolveConfig(args) {
         maxIterations: parseInt(args['max-iterations'] || String(saved.maxIterations || 50), 10),
         autoApprove: !!args['auto-approve'] || !!args.autonomous || !!args.auto || !!saved.autoApprove,
     };
-    // Auto-resolve base URL and API key from provider
     if (!config.baseUrl || !config.apiKey) {
         const defaults = registry_1.PROVIDER_DEFAULTS[config.provider];
         if (defaults) {
@@ -431,14 +557,12 @@ async function resolveConfig(args) {
                 config.apiKey = process.env[defaults.envKey] || process.env.CODEBOT_API_KEY || '';
         }
     }
-    // Fallback: try saved config API key, then generic env vars
     if (!config.apiKey && saved.apiKey) {
         config.apiKey = saved.apiKey;
     }
     if (!config.apiKey) {
         config.apiKey = process.env.CODEBOT_API_KEY || process.env.OPENAI_API_KEY || '';
     }
-    // If still no base URL, auto-detect local provider
     if (!config.baseUrl) {
         config.baseUrl = await autoDetectProvider();
     }
@@ -494,6 +618,25 @@ function parseArgs(argv) {
             result.setup = true;
             continue;
         }
+        if (arg === '--init-policy') {
+            result['init-policy'] = true;
+            continue;
+        }
+        if (arg === '--sandbox-info') {
+            result['sandbox-info'] = true;
+            continue;
+        }
+        if (arg === '--verify-audit') {
+            const next = argv[i + 1];
+            if (next && !next.startsWith('--')) {
+                result['verify-audit'] = next;
+                i++;
+            }
+            else {
+                result['verify-audit'] = true;
+            }
+            continue;
+        }
         if (arg.startsWith('--')) {
             const key = arg.slice(2);
             const next = argv[i + 1];
@@ -540,9 +683,15 @@ ${c('Options:', 'bold')}
   --resume <id>        Resume a previous session by ID
   --continue, -c       Resume the most recent session
   --max-iterations <n> Max agent loop iterations (default: 50)
+  --sandbox <mode>     Execution sandbox: docker, host, auto (default: auto)
   -h, --help           Show this help
   -v, --version        Show version
 
+${c('Security & Policy:', 'bold')}
+  --init-policy        Generate default .codebot/policy.json
+  --verify-audit [id]  Verify audit log hash chain integrity
+  --sandbox-info       Show Docker sandbox status
+
 ${c('Supported Providers:', 'bold')}
   Local:      Ollama, LM Studio, vLLM (auto-detected)
   Anthropic:  Claude Opus/Sonnet/Haiku (ANTHROPIC_API_KEY)
@@ -560,6 +709,8 @@ ${c('Examples:', 'bold')}
   codebot --model deepseek-chat            Uses DeepSeek API
   codebot --model qwen2.5-coder:32b        Uses local Ollama
   codebot --autonomous "refactor src/"     Full auto, no prompts
+  codebot --init-policy                    Create security policy
+  codebot --verify-audit                   Check audit integrity
 
 ${c('Interactive Commands:', 'bold')}
   /help      Show commands
@@ -569,6 +720,10 @@ ${c('Interactive Commands:', 'bold')}
   /auto      Toggle autonomous mode
   /clear     Clear conversation
   /compact   Force context compaction
+  /usage     Show token usage & cost
+  /cost      Show running cost
+  /policy    Show security policy
+  /audit     Verify session audit chain
   /config    Show configuration
   /quit      Exit`);
 }

package/dist/policy.d.ts

@@ -0,0 +1,123 @@
+/**
+ * Policy Engine for CodeBot v1.7.0
+ *
+ * Loads, validates, and enforces declarative security policies.
+ * Policy files: .codebot/policy.json (project) + ~/.codebot/policy.json (global)
+ * Project policy overrides global policy where specified.
+ */
+export interface PolicyExecution {
+    sandbox?: 'docker' | 'host' | 'auto';
+    network?: boolean;
+    timeout_seconds?: number;
+    max_memory_mb?: number;
+}
+export interface PolicyFilesystem {
+    writable_paths?: string[];
+    read_only_paths?: string[];
+    denied_paths?: string[];
+    allow_outside_project?: boolean;
+}
+export interface PolicyToolPermission {
+    [toolName: string]: 'auto' | 'prompt' | 'always-ask';
+}
+export interface PolicyTools {
+    enabled?: string[];
+    disabled?: string[];
+    permissions?: PolicyToolPermission;
+}
+export interface PolicySecrets {
+    block_on_detect?: boolean;
+    scan_on_write?: boolean;
+    allowed_patterns?: string[];
+}
+export interface PolicyGit {
+    always_branch?: boolean;
+    branch_prefix?: string;
+    require_tests_before_commit?: boolean;
+    never_push_main?: boolean;
+}
+export interface PolicyMcp {
+    allowed_servers?: string[];
+    blocked_servers?: string[];
+}
+export interface PolicyLimits {
+    max_iterations?: number;
+    max_file_size_kb?: number;
+    max_files_per_operation?: number;
+    cost_limit_usd?: number;
+}
+export interface Policy {
+    version?: string;
+    execution?: PolicyExecution;
+    filesystem?: PolicyFilesystem;
+    tools?: PolicyTools;
+    secrets?: PolicySecrets;
+    git?: PolicyGit;
+    mcp?: PolicyMcp;
+    limits?: PolicyLimits;
+}
+export declare const DEFAULT_POLICY: Required<Policy>;
+/**
+ * Load and merge policies from project + global locations.
+ * Project policy overrides global where specified.
+ */
+export declare function loadPolicy(projectRoot?: string): Policy;
+export declare class PolicyEnforcer {
+    private policy;
+    private projectRoot;
+    constructor(policy?: Policy, projectRoot?: string);
+    getPolicy(): Policy;
+    /** Check if a tool is enabled by policy. Returns { allowed, reason }. */
+    isToolAllowed(toolName: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Get the permission level for a tool (policy override or null for default). */
+    getToolPermission(toolName: string): 'auto' | 'prompt' | 'always-ask' | null;
+    /** Check if a path is writable according to policy. */
+    isPathWritable(filePath: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Get sandbox mode. */
+    getSandboxMode(): 'docker' | 'host' | 'auto';
+    /** Check if network is allowed for executed commands. */
+    isNetworkAllowed(): boolean;
+    /** Get execution timeout in milliseconds. */
+    getTimeoutMs(): number;
+    /** Get max memory in MB for sandbox. */
+    getMaxMemoryMb(): number;
+    /** Check if agent should always work on a branch. */
+    shouldAlwaysBranch(): boolean;
+    /** Get branch prefix for auto-created branches. */
+    getBranchPrefix(): string;
+    /** Check if pushing to main/master is blocked. */
+    isMainPushBlocked(): boolean;
+    /** Should secrets block writes (vs just warn)? */
+    shouldBlockSecrets(): boolean;
+    /** Should scan for secrets on write? */
+    shouldScanSecrets(): boolean;
+    /** Check if an MCP server is allowed. */
+    isMcpServerAllowed(serverName: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Get max iterations for the agent loop. */
+    getMaxIterations(): number;
+    /** Get max file size in bytes for write operations. */
+    getMaxFileSizeBytes(): number;
+    /** Get cost limit in USD (0 = no limit). */
+    getCostLimitUsd(): number;
+    /**
+     * Simple glob-like pattern matching:
+     * - `*` matches any single path component
+     * - `**` matches any number of path components
+     * - `.env` matches exact filename
+     */
+    private matchesPattern;
+}
+/**
+ * Generate a default policy file content for `codebot --init-policy`.
+ */
+export declare function generateDefaultPolicyFile(): string;
+//# sourceMappingURL=policy.d.ts.map