codebot-ai 1.6.0 → 1.8.0

package/dist/agent.d.ts

@@ -1,4 +1,7 @@
 import { Message, AgentEvent, LLMProvider } from './types';
+import { AuditLogger } from './audit';
+import { PolicyEnforcer } from './policy';
+import { TokenTracker } from './telemetry';
 export declare class Agent {
     private provider;
     private tools;
@@ -10,11 +13,15 @@ export declare class Agent {
     private cache;
     private rateLimiter;
     private auditLogger;
+    private policyEnforcer;
+    private tokenTracker;
+    private branchCreated;
     private askPermission;
     private onMessage?;
     constructor(opts: {
         provider: LLMProvider;
         model: string;
+        providerName?: string;
         maxIterations?: number;
         autoApprove?: boolean;
         askPermission?: (tool: string, args: Record<string, unknown>) => Promise<boolean>;
@@ -31,6 +38,12 @@ export declare class Agent {
         after: number;
     };
     getMessages(): Message[];
+    /** Get the token tracker for session summary / CLI display */
+    getTokenTracker(): TokenTracker;
+    /** Get the policy enforcer for inspection */
+    getPolicyEnforcer(): PolicyEnforcer;
+    /** Get the audit logger for verification */
+    getAuditLogger(): AuditLogger;
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:
@@ -42,6 +55,15 @@ export declare class Agent {
      * or session resume corruption.
      */
     private repairToolCallMessages;
+    /**
+     * Auto-create a feature branch when always_branch is enabled and on main/master.
+     * Called before the first write/edit operation. Fail-open: if branching fails, continue.
+     */
+    private ensureBranch;
+    /** Sanitize user message into a branch-safe slug. */
+    private sanitizeSlug;
+    /** Check capability-based restrictions before tool execution. Returns reason string or null. */
+    private checkToolCapabilities;
     private buildSystemPrompt;
 }
 //# sourceMappingURL=agent.d.ts.map

package/dist/agent.js

@@ -46,6 +46,8 @@ const plugins_1 = require("./plugins");
 const cache_1 = require("./cache");
 const rate_limiter_1 = require("./rate-limiter");
 const audit_1 = require("./audit");
+const policy_1 = require("./policy");
+const telemetry_1 = require("./telemetry");
 /** Lightweight schema validation — returns error string or null if valid */
 function validateToolArgs(args, schema) {
     const props = schema.properties;
@@ -100,20 +102,31 @@ class Agent {
     cache;
     rateLimiter;
     auditLogger;
+    policyEnforcer;
+    tokenTracker;
+    branchCreated = false;
     askPermission;
     onMessage;
     constructor(opts) {
         this.provider = opts.provider;
         this.model = opts.model;
-        this.tools = new tools_1.ToolRegistry(process.cwd());
+        // Load policy FIRST — tools need it for filesystem/git enforcement
+        this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(process.cwd()), process.cwd());
+        this.tools = new tools_1.ToolRegistry(process.cwd(), this.policyEnforcer);
         this.context = new manager_1.ContextManager(opts.model, opts.provider);
-        this.maxIterations = opts.maxIterations || 25;
+        // Use policy-defined max iterations as default, CLI overrides
+        this.maxIterations = opts.maxIterations || this.policyEnforcer.getMaxIterations();
         this.autoApprove = opts.autoApprove || false;
         this.askPermission = opts.askPermission || defaultAskPermission;
         this.onMessage = opts.onMessage;
         this.cache = new cache_1.ToolCache();
         this.rateLimiter = new rate_limiter_1.RateLimiter();
         this.auditLogger = new audit_1.AuditLogger();
+        // Token & cost tracking
+        this.tokenTracker = new telemetry_1.TokenTracker(opts.model, opts.providerName || 'unknown');
+        const costLimit = this.policyEnforcer.getCostLimitUsd();
+        if (costLimit > 0)
+            this.tokenTracker.setCostLimit(costLimit);
         // Load plugins
         try {
             const plugins = (0, plugins_1.loadPlugins)(process.cwd());
@@ -180,6 +193,10 @@ class Agent {
                             }
                             break;
                         case 'usage':
+                            // Track tokens and cost
+                            if (event.usage) {
+                                this.tokenTracker.recordUsage(event.usage.inputTokens || 0, event.usage.outputTokens || 0);
+                            }
                             yield { type: 'usage', usage: event.usage };
                             break;
                         case 'error':
@@ -231,6 +248,11 @@ class Agent {
                 yield { type: 'done' };
                 return;
             }
+            // Cost budget check: stop if over limit
+            if (this.tokenTracker.isOverBudget()) {
+                yield { type: 'error', error: `Cost limit exceeded ($${this.tokenTracker.getTotalCost().toFixed(4)} / $${this.policyEnforcer.getCostLimitUsd().toFixed(2)}). Stopping.` };
+                return;
+            }
             const prepared = [];
             for (const tc of toolCalls) {
                 const toolName = tc.function.name;
@@ -239,6 +261,13 @@ class Agent {
                     prepared.push({ tc, tool: null, args: {}, denied: false, error: `Error: Unknown tool "${toolName}"` });
                     continue;
                 }
+                // Policy check: is this tool allowed?
+                const policyCheck = this.policyEnforcer.isToolAllowed(toolName);
+                if (!policyCheck.allowed) {
+                    this.auditLogger.log({ tool: toolName, action: 'policy_block', args: {}, reason: policyCheck.reason });
+                    prepared.push({ tc, tool, args: {}, denied: false, error: `Error: ${policyCheck.reason}` });
+                    continue;
+                }
                 let args;
                 try {
                     args = JSON.parse(tc.function.arguments);
@@ -254,9 +283,11 @@ class Agent {
                     continue;
                 }
                 yield { type: 'tool_call', toolCall: { name: toolName, args } };
-                // Permission check (sequential — needs user interaction)
-                const needsPermission = tool.permission === 'always-ask' ||
-                    (tool.permission === 'prompt' && !this.autoApprove);
+                // Permission check: policy override > tool default
+                const policyPermission = this.policyEnforcer.getToolPermission(toolName);
+                const effectivePermission = policyPermission || tool.permission;
+                const needsPermission = effectivePermission === 'always-ask' ||
+                    (effectivePermission === 'prompt' && !this.autoApprove);
                 let denied = false;
                 if (needsPermission) {
                     const approved = await this.askPermission(toolName, args);
@@ -296,6 +327,19 @@ class Agent {
             // Helper to execute a single tool with cache + rate limiting
             const executeTool = async (prep) => {
                 const toolName = prep.tc.function.name;
+                // Auto-branch on first write/edit when always_branch is enabled (v1.8.0)
+                if (toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') {
+                    const branchName = await this.ensureBranch();
+                    if (branchName) {
+                        this.auditLogger.log({ tool: 'git', action: 'execute', args: { branch: branchName }, result: 'auto-branch' });
+                    }
+                }
+                // Capability check: fine-grained resource restrictions (v1.8.0)
+                const capBlock = this.checkToolCapabilities(toolName, prep.args);
+                if (capBlock) {
+                    this.auditLogger.log({ tool: toolName, action: 'capability_block', args: prep.args, reason: capBlock });
+                    return { content: `Error: ${capBlock}`, is_error: true };
+                }
                 // Check cache first
                 if (prep.tool.cacheable) {
                     const cacheKey = cache_1.ToolCache.key(toolName, prep.args);
@@ -310,6 +354,11 @@ class Agent {
                     const output = await prep.tool.execute(prep.args);
                     // Audit log: successful execution
                     this.auditLogger.log({ tool: toolName, action: 'execute', args: prep.args, result: 'success' });
+                    // Telemetry: track tool calls and file modifications
+                    this.tokenTracker.recordToolCall();
+                    if ((toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') && prep.args.path) {
+                        this.tokenTracker.recordFileModified(prep.args.path);
+                    }
                     // Store in cache for cacheable tools
                     if (prep.tool.cacheable) {
                         const ttl = cache_1.ToolCache.TTL[toolName] || 30_000;
@@ -387,6 +436,18 @@ class Agent {
     getMessages() {
         return [...this.messages];
     }
+    /** Get the token tracker for session summary / CLI display */
+    getTokenTracker() {
+        return this.tokenTracker;
+    }
+    /** Get the policy enforcer for inspection */
+    getPolicyEnforcer() {
+        return this.policyEnforcer;
+    }
+    /** Get the audit logger for verification */
+    getAuditLogger() {
+        return this.auditLogger;
+    }
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:
@@ -454,6 +515,78 @@ class Agent {
             }
         }
     }
+    /**
+     * Auto-create a feature branch when always_branch is enabled and on main/master.
+     * Called before the first write/edit operation. Fail-open: if branching fails, continue.
+     */
+    async ensureBranch() {
+        if (this.branchCreated)
+            return null;
+        if (!this.policyEnforcer.shouldAlwaysBranch())
+            return null;
+        try {
+            const { execSync } = require('child_process');
+            const cwd = process.cwd();
+            const currentBranch = execSync('git rev-parse --abbrev-ref HEAD', {
+                cwd, encoding: 'utf-8', timeout: 5000,
+            }).trim();
+            if (currentBranch !== 'main' && currentBranch !== 'master') {
+                this.branchCreated = true;
+                return null; // Already on a feature branch
+            }
+            // Generate branch name from first user message
+            const firstUserMsg = this.messages.find(m => m.role === 'user');
+            const prefix = this.policyEnforcer.getBranchPrefix();
+            const timestamp = new Date().toISOString().replace(/[:.]/g, '-').substring(0, 19);
+            const slug = this.sanitizeSlug(firstUserMsg?.content || 'task');
+            const branchName = `${prefix}${timestamp}-${slug}`;
+            execSync(`git checkout -b "${branchName}"`, {
+                cwd, encoding: 'utf-8', timeout: 10000,
+            });
+            this.branchCreated = true;
+            return branchName;
+        }
+        catch {
+            // Don't block the operation if branching fails (not in a git repo, etc.)
+            this.branchCreated = true; // Don't retry
+            return null;
+        }
+    }
+    /** Sanitize user message into a branch-safe slug. */
+    sanitizeSlug(message) {
+        return message
+            .toLowerCase()
+            .replace(/[^a-z0-9\s-]/g, '')
+            .replace(/\s+/g, '-')
+            .substring(0, 30)
+            .replace(/-+$/, '') || 'task';
+    }
+    /** Check capability-based restrictions before tool execution. Returns reason string or null. */
+    checkToolCapabilities(toolName, args) {
+        // fs_write check for write/edit tools
+        if ((toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') && args.path) {
+            const check = this.policyEnforcer.checkCapability(toolName, 'fs_write', args.path);
+            if (!check.allowed)
+                return check.reason || 'Capability blocked';
+        }
+        // shell_commands check for execute tool
+        if (toolName === 'execute' && args.command) {
+            const check = this.policyEnforcer.checkCapability(toolName, 'shell_commands', args.command);
+            if (!check.allowed)
+                return check.reason || 'Capability blocked';
+        }
+        // net_access check for web tools
+        if ((toolName === 'web_fetch' || toolName === 'http_client') && args.url) {
+            try {
+                const domain = new URL(args.url).hostname;
+                const check = this.policyEnforcer.checkCapability(toolName, 'net_access', domain);
+                if (!check.allowed)
+                    return check.reason || 'Capability blocked';
+            }
+            catch { /* invalid URL handled by the tool itself */ }
+        }
+        return null;
+    }
     buildSystemPrompt(supportsTools) {
         let repoMap = '';
         try {

package/dist/audit.d.ts

@@ -1,39 +1,61 @@
 /**
- * Audit logger for CodeBot.
+ * Audit logger for CodeBot v1.7.0
  *
  * Provides append-only JSONL logging of all security-relevant actions.
  * Logs are stored at ~/.codebot/audit/audit-YYYY-MM-DD.jsonl
- * Masks secrets in args before writing.
+ *
+ * v1.7.0: Hash-chained entries for tamper detection.
+ * Each entry includes a SHA-256 hash of (prevHash + entry content).
+ * Verification walks the chain and detects any modifications.
+ *
  * NEVER throws — audit failures must not crash the agent.
  */
 export interface AuditEntry {
     timestamp: string;
     sessionId: string;
+    sequence: number;
     tool: string;
-    action: 'execute' | 'deny' | 'error' | 'security_block';
+    action: 'execute' | 'deny' | 'error' | 'security_block' | 'policy_block' | 'capability_block';
     args: Record<string, unknown>;
     result?: string;
     reason?: string;
+    prevHash: string;
+    hash: string;
+}
+/** Result of verifying an audit chain */
+export interface VerifyResult {
+    valid: boolean;
+    entriesChecked: number;
+    firstInvalidAt?: number;
+    reason?: string;
 }
 export declare class AuditLogger {
     private logDir;
     private sessionId;
+    private sequence;
+    private prevHash;
     constructor(logDir?: string);
-    /** Get the current session ID */
     getSessionId(): string;
-    /** Append an audit entry to the log file */
-    log(entry: Omit<AuditEntry, 'timestamp' | 'sessionId'>): void;
+    /** Append a hash-chained audit entry to the log file */
+    log(entry: Omit<AuditEntry, 'timestamp' | 'sessionId' | 'sequence' | 'prevHash' | 'hash'>): void;
     /** Read log entries, optionally filtered */
     query(filter?: {
         tool?: string;
         action?: string;
         since?: string;
+        sessionId?: string;
     }): AuditEntry[];
-    /** Get the path to today's log file */
+    /**
+     * Verify the hash chain integrity of audit entries.
+     * Walks through entries for a given session and checks each hash.
+     */
+    static verify(entries: AuditEntry[]): VerifyResult;
+    /**
+     * Verify all entries for a given session.
+     */
+    verifySession(sessionId?: string): VerifyResult;
     private getLogFilePath;
-    /** Rotate log file if it exceeds MAX_LOG_SIZE */
     private rotateIfNeeded;
-    /** Sanitize args for logging: mask secrets and truncate long values */
     private sanitizeArgs;
 }
 //# sourceMappingURL=audit.d.ts.map

package/dist/audit.js

@@ -37,12 +37,16 @@ exports.AuditLogger = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
+const crypto = __importStar(require("crypto"));
 const secrets_1 = require("./secrets");
 const MAX_LOG_SIZE = 10 * 1024 * 1024; // 10MB before rotation
-const MAX_ARG_LENGTH = 500; // Truncate long arg values for logging
+const MAX_ARG_LENGTH = 500;
+const GENESIS_HASH = 'genesis';
 class AuditLogger {
     logDir;
     sessionId;
+    sequence = 0;
+    prevHash = GENESIS_HASH;
     constructor(logDir) {
         this.logDir = logDir || path.join(os.homedir(), '.codebot', 'audit');
         this.sessionId = `${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
@@ -53,22 +57,32 @@ class AuditLogger {
             // Can't create dir — logging will be disabled
         }
     }
-    /** Get the current session ID */
     getSessionId() {
         return this.sessionId;
     }
-    /** Append an audit entry to the log file */
+    /** Append a hash-chained audit entry to the log file */
     log(entry) {
         try {
-            const fullEntry = {
+            this.sequence++;
+            // Build entry without hash first (hash is computed over the other fields)
+            const partial = {
                 timestamp: new Date().toISOString(),
                 sessionId: this.sessionId,
-                ...entry,
+                sequence: this.sequence,
+                tool: entry.tool,
+                action: entry.action,
                 args: this.sanitizeArgs(entry.args),
+                result: entry.result,
+                reason: entry.reason,
+                prevHash: this.prevHash,
             };
+            // Compute hash: SHA-256 of (prevHash + JSON of partial entry)
+            const hashInput = this.prevHash + JSON.stringify(partial);
+            const hash = crypto.createHash('sha256').update(hashInput).digest('hex');
+            const fullEntry = { ...partial, hash };
+            this.prevHash = hash;
             const logFile = this.getLogFilePath();
             const line = JSON.stringify(fullEntry) + '\n';
-            // Check if rotation is needed
             this.rotateIfNeeded(logFile);
             fs.appendFileSync(logFile, line, 'utf-8');
         }
@@ -96,6 +110,8 @@ class AuditLogger {
                             continue;
                         if (filter?.since && entry.timestamp < filter.since)
                             continue;
+                        if (filter?.sessionId && entry.sessionId !== filter.sessionId)
+                            continue;
                         entries.push(entry);
                     }
                     catch { /* skip malformed */ }
@@ -107,12 +123,72 @@ class AuditLogger {
         }
         return entries;
     }
-    /** Get the path to today's log file */
+    /**
+     * Verify the hash chain integrity of audit entries.
+     * Walks through entries for a given session and checks each hash.
+     */
+    static verify(entries) {
+        if (entries.length === 0) {
+            return { valid: true, entriesChecked: 0 };
+        }
+        // Sort by sequence
+        const sorted = [...entries].sort((a, b) => a.sequence - b.sequence);
+        for (let i = 0; i < sorted.length; i++) {
+            const entry = sorted[i];
+            // Check sequence continuity
+            if (i === 0 && entry.prevHash !== GENESIS_HASH) {
+                // First entry should reference genesis (unless it's a continuation)
+                // Allow non-genesis for continuation of previous sessions
+            }
+            // Recompute hash
+            const partial = {
+                timestamp: entry.timestamp,
+                sessionId: entry.sessionId,
+                sequence: entry.sequence,
+                tool: entry.tool,
+                action: entry.action,
+                args: entry.args,
+                result: entry.result,
+                reason: entry.reason,
+                prevHash: entry.prevHash,
+            };
+            const hashInput = entry.prevHash + JSON.stringify(partial);
+            const expectedHash = crypto.createHash('sha256').update(hashInput).digest('hex');
+            if (entry.hash !== expectedHash) {
+                return {
+                    valid: false,
+                    entriesChecked: i + 1,
+                    firstInvalidAt: entry.sequence,
+                    reason: `Hash mismatch at sequence ${entry.sequence}: expected ${expectedHash.substring(0, 16)}..., got ${entry.hash.substring(0, 16)}...`,
+                };
+            }
+            // Check chain continuity (sequence i+1 should reference sequence i's hash)
+            if (i < sorted.length - 1) {
+                const next = sorted[i + 1];
+                if (next.prevHash !== entry.hash) {
+                    return {
+                        valid: false,
+                        entriesChecked: i + 2,
+                        firstInvalidAt: next.sequence,
+                        reason: `Chain break at sequence ${next.sequence}: prevHash doesn't match previous entry's hash`,
+                    };
+                }
+            }
+        }
+        return { valid: true, entriesChecked: sorted.length };
+    }
+    /**
+     * Verify all entries for a given session.
+     */
+    verifySession(sessionId) {
+        const sid = sessionId || this.sessionId;
+        const entries = this.query({ sessionId: sid });
+        return AuditLogger.verify(entries);
+    }
     getLogFilePath() {
-        const date = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
+        const date = new Date().toISOString().split('T')[0];
         return path.join(this.logDir, `audit-${date}.jsonl`);
     }
-    /** Rotate log file if it exceeds MAX_LOG_SIZE */
     rotateIfNeeded(logFile) {
         try {
             if (!fs.existsSync(logFile))
@@ -127,7 +203,6 @@ class AuditLogger {
             // Rotation failure is non-fatal
         }
     }
-    /** Sanitize args for logging: mask secrets and truncate long values */
     sanitizeArgs(args) {
         const sanitized = {};
         for (const [key, value] of Object.entries(args)) {
@@ -139,7 +214,6 @@ class AuditLogger {
                 sanitized[key] = masked;
             }
             else if (typeof value === 'object' && value !== null) {
-                // For objects/arrays, stringify and mask
                 const str = JSON.stringify(value);
                 const masked = (0, secrets_1.maskSecretsInString)(str);
                 sanitized[key] = masked.length > MAX_ARG_LENGTH

package/dist/capabilities.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Capability-Based Tool Permissions for CodeBot v1.8.0
+ *
+ * Fine-grained, per-tool resource restrictions.
+ * Configured via .codebot/policy.json → tools.capabilities.
+ *
+ * Example:
+ * {
+ *   "execute": {
+ *     "shell_commands": ["npm", "node", "git", "tsc"],
+ *     "max_output_kb": 500
+ *   },
+ *   "write_file": {
+ *     "fs_write": ["./src/**", "./tests/**"]
+ *   }
+ * }
+ */
+export interface ToolCapabilities {
+    fs_read?: string[];
+    fs_write?: string[];
+    net_access?: string[];
+    shell_commands?: string[];
+    max_output_kb?: number;
+}
+export type CapabilityConfig = Record<string, ToolCapabilities>;
+export declare class CapabilityChecker {
+    private capabilities;
+    private projectRoot;
+    constructor(capabilities: CapabilityConfig, projectRoot: string);
+    /** Get capabilities for a tool. undefined = no restrictions. */
+    getToolCapabilities(toolName: string): ToolCapabilities | undefined;
+    /** Check if a specific capability is allowed. */
+    checkCapability(toolName: string, capabilityType: keyof ToolCapabilities, value: string | number): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Check if a path matches any of the allowed glob patterns. */
+    private checkGlobs;
+    /** Check if a domain is in the allowed list. */
+    private checkDomain;
+    /** Check if a command starts with an allowed prefix. */
+    private checkCommandPrefix;
+    /** Check if output size is within the cap. */
+    private checkOutputSize;
+    /** Simple glob matching (** = any depth, * = one segment). */
+    private matchGlob;
+}
+//# sourceMappingURL=capabilities.d.ts.map