codebot-ai 1.7.0 → 1.9.0

package/dist/agent.d.ts

@@ -2,6 +2,8 @@ import { Message, AgentEvent, LLMProvider } from './types';
 import { AuditLogger } from './audit';
 import { PolicyEnforcer } from './policy';
 import { TokenTracker } from './telemetry';
+import { MetricsCollector } from './metrics';
+import { RiskScorer } from './risk';
 export declare class Agent {
     private provider;
     private tools;
@@ -15,6 +17,9 @@ export declare class Agent {
     private auditLogger;
     private policyEnforcer;
     private tokenTracker;
+    private metricsCollector;
+    private riskScorer;
+    private branchCreated;
     private askPermission;
     private onMessage?;
     constructor(opts: {
@@ -43,6 +48,10 @@ export declare class Agent {
     getPolicyEnforcer(): PolicyEnforcer;
     /** Get the audit logger for verification */
     getAuditLogger(): AuditLogger;
+    /** Get the metrics collector for session metrics */
+    getMetrics(): MetricsCollector;
+    /** Get the risk scorer for risk assessment history */
+    getRiskScorer(): RiskScorer;
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:
@@ -54,6 +63,15 @@ export declare class Agent {
      * or session resume corruption.
      */
     private repairToolCallMessages;
+    /**
+     * Auto-create a feature branch when always_branch is enabled and on main/master.
+     * Called before the first write/edit operation. Fail-open: if branching fails, continue.
+     */
+    private ensureBranch;
+    /** Sanitize user message into a branch-safe slug. */
+    private sanitizeSlug;
+    /** Check capability-based restrictions before tool execution. Returns reason string or null. */
+    private checkToolCapabilities;
     private buildSystemPrompt;
 }
 //# sourceMappingURL=agent.d.ts.map

package/dist/agent.js

@@ -48,6 +48,8 @@ const rate_limiter_1 = require("./rate-limiter");
 const audit_1 = require("./audit");
 const policy_1 = require("./policy");
 const telemetry_1 = require("./telemetry");
+const metrics_1 = require("./metrics");
+const risk_1 = require("./risk");
 /** Lightweight schema validation — returns error string or null if valid */
 function validateToolArgs(args, schema) {
     const props = schema.properties;
@@ -104,15 +106,18 @@ class Agent {
     auditLogger;
     policyEnforcer;
     tokenTracker;
+    metricsCollector;
+    riskScorer;
+    branchCreated = false;
     askPermission;
     onMessage;
     constructor(opts) {
         this.provider = opts.provider;
         this.model = opts.model;
-        this.tools = new tools_1.ToolRegistry(process.cwd());
-        this.context = new manager_1.ContextManager(opts.model, opts.provider);
-        // Load policy
+        // Load policy FIRST — tools need it for filesystem/git enforcement
         this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(process.cwd()), process.cwd());
+        this.tools = new tools_1.ToolRegistry(process.cwd(), this.policyEnforcer);
+        this.context = new manager_1.ContextManager(opts.model, opts.provider);
         // Use policy-defined max iterations as default, CLI overrides
         this.maxIterations = opts.maxIterations || this.policyEnforcer.getMaxIterations();
         this.autoApprove = opts.autoApprove || false;
@@ -123,6 +128,8 @@ class Agent {
         this.auditLogger = new audit_1.AuditLogger();
         // Token & cost tracking
         this.tokenTracker = new telemetry_1.TokenTracker(opts.model, opts.providerName || 'unknown');
+        this.metricsCollector = new metrics_1.MetricsCollector();
+        this.riskScorer = new risk_1.RiskScorer();
         const costLimit = this.policyEnforcer.getCostLimitUsd();
         if (costLimit > 0)
             this.tokenTracker.setCostLimit(costLimit);
@@ -195,6 +202,9 @@ class Agent {
                             // Track tokens and cost
                             if (event.usage) {
                                 this.tokenTracker.recordUsage(event.usage.inputTokens || 0, event.usage.outputTokens || 0);
+                                this.metricsCollector.increment('llm_requests_total');
+                                this.metricsCollector.increment('llm_tokens_total', { direction: 'input' }, event.usage.inputTokens || 0);
+                                this.metricsCollector.increment('llm_tokens_total', { direction: 'output' }, event.usage.outputTokens || 0);
                             }
                             yield { type: 'usage', usage: event.usage };
                             break;
@@ -281,10 +291,17 @@ class Agent {
                     prepared.push({ tc, tool, args, denied: false, error: `Error: ${validationError} for ${toolName}` });
                     continue;
                 }
-                yield { type: 'tool_call', toolCall: { name: toolName, args } };
-                // Permission check: policy override > tool default
+                // Compute risk score before execution
                 const policyPermission = this.policyEnforcer.getToolPermission(toolName);
                 const effectivePermission = policyPermission || tool.permission;
+                const riskAssessment = this.riskScorer.assess(toolName, args, effectivePermission);
+                yield { type: 'tool_call', toolCall: { name: toolName, args }, risk: { score: riskAssessment.score, level: riskAssessment.level } };
+                // Log risk breakdown for high-risk calls
+                if (riskAssessment.score > 50) {
+                    const breakdown = riskAssessment.factors.map(f => `${f.name}=${f.rawScore}`).join(', ');
+                    this.auditLogger.log({ tool: toolName, action: 'execute', args, result: `risk:${riskAssessment.score}`, reason: breakdown });
+                }
+                // Permission check: policy override > tool default
                 const needsPermission = effectivePermission === 'always-ask' ||
                     (effectivePermission === 'prompt' && !this.autoApprove);
                 let denied = false;
@@ -293,6 +310,7 @@ class Agent {
                     if (!approved) {
                         denied = true;
                         this.auditLogger.log({ tool: toolName, action: 'deny', args, reason: 'User denied permission' });
+                        this.metricsCollector.increment('permission_denials_total', { tool: toolName });
                     }
                 }
                 prepared.push({ tc, tool, args, denied });
@@ -323,27 +341,53 @@ class Agent {
                     parallelBatch.push(item);
                 }
             }
-            // Helper to execute a single tool with cache + rate limiting
+            // Helper to execute a single tool with cache + rate limiting + metrics
             const executeTool = async (prep) => {
                 const toolName = prep.tc.function.name;
+                const toolStartTime = Date.now();
+                // Auto-branch on first write/edit when always_branch is enabled (v1.8.0)
+                if (toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') {
+                    const branchName = await this.ensureBranch();
+                    if (branchName) {
+                        this.auditLogger.log({ tool: 'git', action: 'execute', args: { branch: branchName }, result: 'auto-branch' });
+                    }
+                }
+                // Capability check: fine-grained resource restrictions (v1.8.0)
+                const capBlock = this.checkToolCapabilities(toolName, prep.args);
+                if (capBlock) {
+                    this.auditLogger.log({ tool: toolName, action: 'capability_block', args: prep.args, reason: capBlock });
+                    this.metricsCollector.increment('security_blocks_total', { tool: toolName, type: 'capability' });
+                    return { content: `Error: ${capBlock}`, is_error: true };
+                }
                 // Check cache first
                 if (prep.tool.cacheable) {
                     const cacheKey = cache_1.ToolCache.key(toolName, prep.args);
                     const cached = this.cache.get(cacheKey);
                     if (cached !== null) {
+                        this.metricsCollector.increment('cache_hits_total', { tool: toolName });
                         return { content: cached };
                     }
+                    this.metricsCollector.increment('cache_misses_total', { tool: toolName });
                 }
                 // Rate limit
                 await this.rateLimiter.throttle(toolName);
                 try {
                     const output = await prep.tool.execute(prep.args);
+                    // Record tool latency
+                    const latencyMs = Date.now() - toolStartTime;
+                    this.metricsCollector.observe('tool_latency_seconds', latencyMs / 1000, { tool: toolName });
+                    this.metricsCollector.increment('tool_calls_total', { tool: toolName });
                     // Audit log: successful execution
                     this.auditLogger.log({ tool: toolName, action: 'execute', args: prep.args, result: 'success' });
                     // Telemetry: track tool calls and file modifications
                     this.tokenTracker.recordToolCall();
                     if ((toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') && prep.args.path) {
                         this.tokenTracker.recordFileModified(prep.args.path);
+                        this.metricsCollector.increment('files_written_total', { tool: toolName });
+                    }
+                    // Track commands executed
+                    if (toolName === 'execute') {
+                        this.metricsCollector.increment('commands_executed_total');
                     }
                     // Store in cache for cacheable tools
                     if (prep.tool.cacheable) {
@@ -359,11 +403,16 @@ class Agent {
                     // Audit log: check if tool returned a security block
                     if (output.startsWith('Error: Blocked:') || output.startsWith('Error: CWD')) {
                         this.auditLogger.log({ tool: toolName, action: 'security_block', args: prep.args, reason: output });
+                        this.metricsCollector.increment('security_blocks_total', { tool: toolName, type: 'security' });
                     }
                     return { content: output };
                 }
                 catch (err) {
                     const errMsg = err instanceof Error ? err.message : String(err);
+                    // Record latency even on error
+                    const latencyMs = Date.now() - toolStartTime;
+                    this.metricsCollector.observe('tool_latency_seconds', latencyMs / 1000, { tool: toolName });
+                    this.metricsCollector.increment('errors_total', { tool: toolName });
                     // Audit log: error
                     this.auditLogger.log({ tool: toolName, action: 'error', args: prep.args, result: 'error', reason: errMsg });
                     return { content: `Error: ${errMsg}`, is_error: true };
@@ -434,6 +483,14 @@ class Agent {
     getAuditLogger() {
         return this.auditLogger;
     }
+    /** Get the metrics collector for session metrics */
+    getMetrics() {
+        return this.metricsCollector;
+    }
+    /** Get the risk scorer for risk assessment history */
+    getRiskScorer() {
+        return this.riskScorer;
+    }
     /**
      * Validate and repair message history to prevent OpenAI 400 errors.
      * Handles three types of corruption:
@@ -501,6 +558,78 @@ class Agent {
             }
         }
     }
+    /**
+     * Auto-create a feature branch when always_branch is enabled and on main/master.
+     * Called before the first write/edit operation. Fail-open: if branching fails, continue.
+     */
+    async ensureBranch() {
+        if (this.branchCreated)
+            return null;
+        if (!this.policyEnforcer.shouldAlwaysBranch())
+            return null;
+        try {
+            const { execSync } = require('child_process');
+            const cwd = process.cwd();
+            const currentBranch = execSync('git rev-parse --abbrev-ref HEAD', {
+                cwd, encoding: 'utf-8', timeout: 5000,
+            }).trim();
+            if (currentBranch !== 'main' && currentBranch !== 'master') {
+                this.branchCreated = true;
+                return null; // Already on a feature branch
+            }
+            // Generate branch name from first user message
+            const firstUserMsg = this.messages.find(m => m.role === 'user');
+            const prefix = this.policyEnforcer.getBranchPrefix();
+            const timestamp = new Date().toISOString().replace(/[:.]/g, '-').substring(0, 19);
+            const slug = this.sanitizeSlug(firstUserMsg?.content || 'task');
+            const branchName = `${prefix}${timestamp}-${slug}`;
+            execSync(`git checkout -b "${branchName}"`, {
+                cwd, encoding: 'utf-8', timeout: 10000,
+            });
+            this.branchCreated = true;
+            return branchName;
+        }
+        catch {
+            // Don't block the operation if branching fails (not in a git repo, etc.)
+            this.branchCreated = true; // Don't retry
+            return null;
+        }
+    }
+    /** Sanitize user message into a branch-safe slug. */
+    sanitizeSlug(message) {
+        return message
+            .toLowerCase()
+            .replace(/[^a-z0-9\s-]/g, '')
+            .replace(/\s+/g, '-')
+            .substring(0, 30)
+            .replace(/-+$/, '') || 'task';
+    }
+    /** Check capability-based restrictions before tool execution. Returns reason string or null. */
+    checkToolCapabilities(toolName, args) {
+        // fs_write check for write/edit tools
+        if ((toolName === 'write_file' || toolName === 'edit_file' || toolName === 'batch_edit') && args.path) {
+            const check = this.policyEnforcer.checkCapability(toolName, 'fs_write', args.path);
+            if (!check.allowed)
+                return check.reason || 'Capability blocked';
+        }
+        // shell_commands check for execute tool
+        if (toolName === 'execute' && args.command) {
+            const check = this.policyEnforcer.checkCapability(toolName, 'shell_commands', args.command);
+            if (!check.allowed)
+                return check.reason || 'Capability blocked';
+        }
+        // net_access check for web tools
+        if ((toolName === 'web_fetch' || toolName === 'http_client') && args.url) {
+            try {
+                const domain = new URL(args.url).hostname;
+                const check = this.policyEnforcer.checkCapability(toolName, 'net_access', domain);
+                if (!check.allowed)
+                    return check.reason || 'Capability blocked';
+            }
+            catch { /* invalid URL handled by the tool itself */ }
+        }
+        return null;
+    }
     buildSystemPrompt(supportsTools) {
         let repoMap = '';
         try {

package/dist/audit.d.ts

@@ -15,7 +15,7 @@ export interface AuditEntry {
     sessionId: string;
     sequence: number;
     tool: string;
-    action: 'execute' | 'deny' | 'error' | 'security_block' | 'policy_block';
+    action: 'execute' | 'deny' | 'error' | 'security_block' | 'policy_block' | 'capability_block';
     args: Record<string, unknown>;
     result?: string;
     reason?: string;

package/dist/capabilities.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Capability-Based Tool Permissions for CodeBot v1.8.0
+ *
+ * Fine-grained, per-tool resource restrictions.
+ * Configured via .codebot/policy.json → tools.capabilities.
+ *
+ * Example:
+ * {
+ *   "execute": {
+ *     "shell_commands": ["npm", "node", "git", "tsc"],
+ *     "max_output_kb": 500
+ *   },
+ *   "write_file": {
+ *     "fs_write": ["./src/**", "./tests/**"]
+ *   }
+ * }
+ */
+export interface ToolCapabilities {
+    fs_read?: string[];
+    fs_write?: string[];
+    net_access?: string[];
+    shell_commands?: string[];
+    max_output_kb?: number;
+}
+export type CapabilityConfig = Record<string, ToolCapabilities>;
+export declare class CapabilityChecker {
+    private capabilities;
+    private projectRoot;
+    constructor(capabilities: CapabilityConfig, projectRoot: string);
+    /** Get capabilities for a tool. undefined = no restrictions. */
+    getToolCapabilities(toolName: string): ToolCapabilities | undefined;
+    /** Check if a specific capability is allowed. */
+    checkCapability(toolName: string, capabilityType: keyof ToolCapabilities, value: string | number): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Check if a path matches any of the allowed glob patterns. */
+    private checkGlobs;
+    /** Check if a domain is in the allowed list. */
+    private checkDomain;
+    /** Check if a command starts with an allowed prefix. */
+    private checkCommandPrefix;
+    /** Check if output size is within the cap. */
+    private checkOutputSize;
+    /** Simple glob matching (** = any depth, * = one segment). */
+    private matchGlob;
+}
+//# sourceMappingURL=capabilities.d.ts.map

package/dist/capabilities.js

@@ -0,0 +1,187 @@
+"use strict";
+/**
+ * Capability-Based Tool Permissions for CodeBot v1.8.0
+ *
+ * Fine-grained, per-tool resource restrictions.
+ * Configured via .codebot/policy.json → tools.capabilities.
+ *
+ * Example:
+ * {
+ *   "execute": {
+ *     "shell_commands": ["npm", "node", "git", "tsc"],
+ *     "max_output_kb": 500
+ *   },
+ *   "write_file": {
+ *     "fs_write": ["./src/**", "./tests/**"]
+ *   }
+ * }
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CapabilityChecker = void 0;
+const path = __importStar(require("path"));
+// ── Capability Checker ──
+class CapabilityChecker {
+    capabilities;
+    projectRoot;
+    constructor(capabilities, projectRoot) {
+        this.capabilities = capabilities;
+        this.projectRoot = projectRoot;
+    }
+    /** Get capabilities for a tool. undefined = no restrictions. */
+    getToolCapabilities(toolName) {
+        return this.capabilities[toolName];
+    }
+    /** Check if a specific capability is allowed. */
+    checkCapability(toolName, capabilityType, value) {
+        const caps = this.capabilities[toolName];
+        if (!caps)
+            return { allowed: true }; // No caps defined = unrestricted
+        switch (capabilityType) {
+            case 'fs_read':
+                return this.checkGlobs(caps.fs_read, value, 'fs_read', toolName);
+            case 'fs_write':
+                return this.checkGlobs(caps.fs_write, value, 'fs_write', toolName);
+            case 'net_access':
+                return this.checkDomain(caps.net_access, value, toolName);
+            case 'shell_commands':
+                return this.checkCommandPrefix(caps.shell_commands, value, toolName);
+            case 'max_output_kb':
+                return this.checkOutputSize(caps.max_output_kb, value, toolName);
+            default:
+                return { allowed: true };
+        }
+    }
+    /** Check if a path matches any of the allowed glob patterns. */
+    checkGlobs(patterns, filePath, capName, toolName) {
+        if (!patterns || patterns.length === 0)
+            return { allowed: true };
+        const resolved = path.resolve(filePath);
+        const relative = path.relative(this.projectRoot, resolved);
+        // Don't restrict paths outside the project (those are handled by security.ts)
+        if (relative.startsWith('..'))
+            return { allowed: true };
+        for (const pattern of patterns) {
+            if (this.matchGlob(relative, pattern)) {
+                return { allowed: true };
+            }
+        }
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" ${capName} capability blocks "${relative}" (allowed: ${patterns.join(', ')})`,
+        };
+    }
+    /** Check if a domain is in the allowed list. */
+    checkDomain(allowed, domain, toolName) {
+        if (allowed === undefined)
+            return { allowed: true }; // undefined = unrestricted
+        if (allowed.length === 0) {
+            // Empty array = no network access allowed
+            return {
+                allowed: false,
+                reason: `Tool "${toolName}" has no allowed network domains`,
+            };
+        }
+        if (allowed.includes('*'))
+            return { allowed: true };
+        const normalizedDomain = domain.toLowerCase();
+        for (const d of allowed) {
+            const nd = d.toLowerCase();
+            if (normalizedDomain === nd)
+                return { allowed: true };
+            if (normalizedDomain.endsWith('.' + nd))
+                return { allowed: true };
+        }
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" cannot access domain "${domain}" (allowed: ${allowed.join(', ')})`,
+        };
+    }
+    /** Check if a command starts with an allowed prefix. */
+    checkCommandPrefix(allowed, command, toolName) {
+        if (!allowed || allowed.length === 0)
+            return { allowed: true };
+        const cmd = command.trim();
+        for (const prefix of allowed) {
+            if (cmd === prefix || cmd.startsWith(prefix + ' ')) {
+                return { allowed: true };
+            }
+        }
+        // Extract first word for the error message
+        const firstWord = cmd.split(/\s+/)[0] || cmd.substring(0, 30);
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" cannot run "${firstWord}" (allowed commands: ${allowed.join(', ')})`,
+        };
+    }
+    /** Check if output size is within the cap. */
+    checkOutputSize(maxKb, actualKb, toolName) {
+        if (maxKb === undefined || maxKb <= 0)
+            return { allowed: true };
+        if (actualKb <= maxKb)
+            return { allowed: true };
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" output ${actualKb}KB exceeds cap of ${maxKb}KB`,
+        };
+    }
+    /** Simple glob matching (** = any depth, * = one segment). */
+    matchGlob(relativePath, pattern) {
+        const cleanPattern = pattern.replace(/^\.\//, '');
+        const cleanPath = relativePath.replace(/^\.\//, '');
+        // Exact match
+        if (cleanPath === cleanPattern)
+            return true;
+        // Prefix match (directory)
+        if (cleanPath.startsWith(cleanPattern + '/'))
+            return true;
+        if (cleanPath.startsWith(cleanPattern + path.sep))
+            return true;
+        // Glob expansion
+        if (pattern.includes('*')) {
+            const regex = new RegExp('^' +
+                cleanPattern
+                    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+                    .replace(/\*\*/g, '<<GLOBSTAR>>')
+                    .replace(/\*/g, '[^/]*')
+                    .replace(/<<GLOBSTAR>>/g, '.*') +
+                '$');
+            return regex.test(cleanPath);
+        }
+        return false;
+    }
+}
+exports.CapabilityChecker = CapabilityChecker;
+//# sourceMappingURL=capabilities.js.map