codebot-ai 1.7.0 → 1.8.0

package/dist/tools/edit.js

@@ -46,6 +46,10 @@ class EditFileTool {
     name = 'edit_file';
     description = 'Edit a file by replacing an exact string match with new content. The old_string must appear exactly once in the file. Shows a diff preview and creates an undo snapshot.';
     permission = 'prompt';
+    policyEnforcer;
+    constructor(policyEnforcer) {
+        this.policyEnforcer = policyEnforcer;
+    }
     parameters = {
         type: 'object',
         properties: {
@@ -74,6 +78,13 @@ class EditFileTool {
         if (!safety.safe) {
             return `Error: ${safety.reason}`;
         }
+        // Policy: filesystem restrictions (denied paths, read-only, writable scope)
+        if (this.policyEnforcer) {
+            const policyCheck = this.policyEnforcer.isPathWritable(filePath);
+            if (!policyCheck.allowed) {
+                return `Error: Blocked by policy — ${policyCheck.reason}`;
+            }
+        }
         // Security: resolve symlinks before reading
         let realPath;
         try {

package/dist/tools/git.d.ts

@@ -1,8 +1,10 @@
 import { Tool } from '../types';
+import { PolicyEnforcer } from '../policy';
 export declare class GitTool implements Tool {
     name: string;
     description: string;
     permission: Tool['permission'];
+    private policyEnforcer?;
     parameters: {
         type: string;
         properties: {
@@ -21,6 +23,9 @@ export declare class GitTool implements Tool {
         };
         required: string[];
     };
+    constructor(policyEnforcer?: PolicyEnforcer);
     execute(args: Record<string, unknown>): Promise<string>;
+    /** Get current git branch name. */
+    private getCurrentBranch;
 }
 //# sourceMappingURL=git.d.ts.map

package/dist/tools/git.js

@@ -10,6 +10,7 @@ class GitTool {
     name = 'git';
     description = 'Run git operations. Actions: status, diff, log, commit, branch, checkout, stash, push, pull, merge, blame, tag, add, reset.';
     permission = 'prompt';
+    policyEnforcer;
     parameters = {
         type: 'object',
         properties: {
@@ -19,6 +20,9 @@ class GitTool {
         },
         required: ['action'],
     };
+    constructor(policyEnforcer) {
+        this.policyEnforcer = policyEnforcer;
+    }
     async execute(args) {
         const action = args.action;
         if (!action)
@@ -36,6 +40,20 @@ class GitTool {
         if (/clean\s+-[a-z]*f/i.test(fullCmd)) {
             return 'Error: git clean -f is blocked for safety.';
         }
+        // Policy: block push to main/master when never_push_main=true
+        if (action === 'push' && this.policyEnforcer?.isMainPushBlocked()) {
+            const currentBranch = this.getCurrentBranch(cwd);
+            if (currentBranch === 'main' || currentBranch === 'master') {
+                return 'Error: Pushing to main/master is blocked by policy (git.never_push_main=true). Create a feature branch first.';
+            }
+        }
+        // Policy: block commit on main/master when always_branch=true
+        if (action === 'commit' && this.policyEnforcer?.shouldAlwaysBranch()) {
+            const currentBranch = this.getCurrentBranch(cwd);
+            if (currentBranch === 'main' || currentBranch === 'master') {
+                return 'Error: Committing to main/master is blocked by policy (git.always_branch=true). Create a feature branch first.';
+            }
+        }
         try {
             const output = (0, child_process_1.execSync)(fullCmd, {
                 cwd,
@@ -53,6 +71,19 @@ class GitTool {
             return `Exit ${e.status || 1}${stdout ? `\n${stdout}` : ''}${stderr ? `\nError: ${stderr}` : ''}`;
         }
     }
+    /** Get current git branch name. */
+    getCurrentBranch(cwd) {
+        try {
+            return (0, child_process_1.execSync)('git rev-parse --abbrev-ref HEAD', {
+                cwd,
+                encoding: 'utf-8',
+                timeout: 5000,
+            }).trim();
+        }
+        catch {
+            return '';
+        }
+    }
 }
 exports.GitTool = GitTool;
 //# sourceMappingURL=git.js.map

package/dist/tools/index.d.ts

@@ -1,8 +1,9 @@
 import { Tool, ToolSchema } from '../types';
+import { PolicyEnforcer } from '../policy';
 export { EditFileTool } from './edit';
 export declare class ToolRegistry {
     private tools;
-    constructor(projectRoot?: string);
+    constructor(projectRoot?: string, policyEnforcer?: PolicyEnforcer);
     register(tool: Tool): void;
     get(name: string): Tool | undefined;
     getSchemas(): ToolSchema[];

package/dist/tools/index.js

@@ -34,12 +34,12 @@ var edit_2 = require("./edit");
 Object.defineProperty(exports, "EditFileTool", { enumerable: true, get: function () { return edit_2.EditFileTool; } });
 class ToolRegistry {
     tools = new Map();
-    constructor(projectRoot) {
-        // Core file tools
+    constructor(projectRoot, policyEnforcer) {
+        // Core file tools — policy-enforced tools receive the enforcer
         this.register(new read_1.ReadFileTool());
-        this.register(new write_1.WriteFileTool());
-        this.register(new edit_1.EditFileTool());
-        this.register(new batch_edit_1.BatchEditTool());
+        this.register(new write_1.WriteFileTool(policyEnforcer));
+        this.register(new edit_1.EditFileTool(policyEnforcer));
+        this.register(new batch_edit_1.BatchEditTool(policyEnforcer));
         this.register(new execute_1.ExecuteTool());
         this.register(new glob_1.GlobTool());
         this.register(new grep_1.GrepTool());
@@ -51,7 +51,7 @@ class ToolRegistry {
         this.register(new browser_1.BrowserTool());
         this.register(new routine_1.RoutineTool());
         // v1.4.0 — intelligence & dev tools
-        this.register(new git_1.GitTool());
+        this.register(new git_1.GitTool(policyEnforcer));
         this.register(new code_analysis_1.CodeAnalysisTool());
         this.register(new multi_search_1.MultiSearchTool());
         this.register(new task_planner_1.TaskPlannerTool());

package/dist/tools/write.d.ts

@@ -1,8 +1,11 @@
 import { Tool } from '../types';
+import { PolicyEnforcer } from '../policy';
 export declare class WriteFileTool implements Tool {
     name: string;
     description: string;
     permission: Tool['permission'];
+    private policyEnforcer?;
+    constructor(policyEnforcer?: PolicyEnforcer);
     parameters: {
         type: string;
         properties: {

package/dist/tools/write.js

@@ -44,6 +44,10 @@ class WriteFileTool {
     name = 'write_file';
     description = 'Create a new file or overwrite an existing file with the given content. Automatically saves an undo snapshot for existing files.';
     permission = 'prompt';
+    policyEnforcer;
+    constructor(policyEnforcer) {
+        this.policyEnforcer = policyEnforcer;
+    }
     parameters = {
         type: 'object',
         properties: {
@@ -68,6 +72,13 @@ class WriteFileTool {
         if (!safety.safe) {
             return `Error: ${safety.reason}`;
         }
+        // Policy: filesystem restrictions (denied paths, read-only, writable scope)
+        if (this.policyEnforcer) {
+            const policyCheck = this.policyEnforcer.isPathWritable(filePath);
+            if (!policyCheck.allowed) {
+                return `Error: Blocked by policy — ${policyCheck.reason}`;
+            }
+        }
         // Security: secret detection (warn but don't block)
         const secrets = (0, secrets_1.scanForSecrets)(content);
         let warning = '';

package/dist/types.d.ts

@@ -33,6 +33,7 @@ export interface ProviderConfig {
 }
 export interface LLMProvider {
     name: string;
+    temperature?: number;
     chat(messages: Message[], tools?: ToolSchema[]): AsyncGenerator<StreamEvent>;
     listModels?(): Promise<string[]>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebot-ai",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "Zero-dependency autonomous AI agent. Code, browse, search, automate. Works with any LLM — Ollama, Claude, GPT, Gemini, DeepSeek, Groq, Mistral, Grok.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",