codebot-ai 1.9.0 → 2.0.0

package/README.md

@@ -4,7 +4,7 @@
 [![license](https://img.shields.io/npm/l/codebot-ai.svg)](https://github.com/zanderone1980/codebot-ai/blob/main/LICENSE)
 [![node](https://img.shields.io/node/v/codebot-ai.svg)](https://nodejs.org)
 
-**Zero-dependency autonomous AI agent.** Works with any LLM — local or cloud. Code, browse the web, run commands, search, automate routines, and more.
+**Zero-dependency autonomous AI coding agent with enterprise security.** Works with any LLM — local or cloud. Code, browse the web, run commands, search, automate routines, and more. Includes VS Code extension, GitHub Action, policy engine, risk scoring, and hash-chained audit trail.
 
 Built by [Ascendral Software Development & Innovation](https://github.com/AscendralSoftware).
 
@@ -22,6 +22,27 @@ That's it. The setup wizard launches on first run — pick your model, paste an
 npx codebot-ai
 ```
 
+### VS Code Extension
+
+Install from the VS Code Marketplace: search for **CodeBot AI**, or:
+
+```bash
+code --install-extension codebot-ai-vscode-2.0.0.vsix
+```
+
+Features: sidebar chat panel, inline diff preview, status bar (tokens, cost, risk level), and full theme integration.
+
+### GitHub Action
+
+```yaml
+- uses: zanderone1980/codebot-ai/actions/codebot@v2
+  with:
+    task: review    # or: fix, scan
+    api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+Tasks: `review` (PR code review), `fix` (auto-fix CI failures), `scan` (security scan with SARIF upload).
+
 ## What Can It Do?
 
 - **Write & edit code** — reads your codebase, makes targeted edits, runs tests
@@ -101,6 +122,8 @@ echo "explain this error" | codebot            # Pipe mode
 /usage      Show token usage for this session
 /clear      Clear conversation
 /compact    Force context compaction
+/metrics    Show session metrics (token counts, latency, costs)
+/risk       Show risk assessment history
 /config     Show configuration
 /quit       Exit
 ```
@@ -217,16 +240,31 @@ Connect external tool servers via [Model Context Protocol](https://modelcontextp
 
 MCP tools appear automatically with the `mcp_<server>_<tool>` prefix.
 
+## Security
+
+CodeBot v2.0.0 is built with security as a core architectural principle:
+
+- **Policy engine** — declarative JSON policies control tool access, filesystem scope, and execution limits
+- **Risk scoring** — every tool call receives a 0-100 risk score based on 6 weighted factors
+- **Secret detection** — scans for AWS keys, GitHub tokens, JWTs, private keys before writing
+- **Sandbox execution** — Docker-based sandboxing with network, CPU, and memory limits
+- **Audit trail** — hash-chained JSONL log with `--verify-audit` integrity check
+- **SARIF export** — `--export-audit sarif` for GitHub Code Scanning integration
+- **SSRF protection** — blocks localhost, private IPs, cloud metadata endpoints
+- **Path safety** — blocks writes to system directories, detects path traversal
+
+See [SECURITY.md](SECURITY.md) and [docs/HARDENING.md](docs/HARDENING.md) for the full security model.
+
 ## Stability
 
-CodeBot v1.3.0 is hardened for continuous operation:
+CodeBot is hardened for continuous operation:
 
 - **Automatic retry** — network errors, rate limits (429), and server errors (5xx) retry with exponential backoff
 - **Stream recovery** — if the LLM connection drops mid-response, the agent loop retries on the next iteration
 - **Context compaction** — when the conversation exceeds the model's context window, messages are intelligently summarized
 - **Process resilience** — unhandled exceptions and rejections are caught, logged, and the REPL keeps running
 - **Routine timeouts** — scheduled tasks are capped at 5 minutes to prevent the scheduler from hanging
-- **99 tests** — comprehensive suite covering error recovery, retry logic, tool execution, and edge cases
+- **483 tests** — comprehensive suite covering core agent, security, extension, and action
 
 ## Programmatic API
 
@@ -245,6 +283,7 @@ const agent = new Agent({
   provider,
   model: 'claude-sonnet-4-6',
   autoApprove: true,
+  projectRoot: '/path/to/project', // optional, defaults to cwd
 });
 
 for await (const event of agent.run('list all TypeScript files')) {

package/dist/agent.d.ts

@@ -19,6 +19,7 @@ export declare class Agent {
     private tokenTracker;
     private metricsCollector;
     private riskScorer;
+    private projectRoot;
     private branchCreated;
     private askPermission;
     private onMessage?;
@@ -28,6 +29,7 @@ export declare class Agent {
         providerName?: string;
         maxIterations?: number;
         autoApprove?: boolean;
+        projectRoot?: string;
         askPermission?: (tool: string, args: Record<string, unknown>) => Promise<boolean>;
         onMessage?: (message: Message) => void;
     });

package/dist/agent.js

@@ -108,15 +108,17 @@ class Agent {
     tokenTracker;
     metricsCollector;
     riskScorer;
+    projectRoot;
     branchCreated = false;
     askPermission;
     onMessage;
     constructor(opts) {
         this.provider = opts.provider;
         this.model = opts.model;
+        this.projectRoot = opts.projectRoot || process.cwd();
         // Load policy FIRST — tools need it for filesystem/git enforcement
-        this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(process.cwd()), process.cwd());
-        this.tools = new tools_1.ToolRegistry(process.cwd(), this.policyEnforcer);
+        this.policyEnforcer = new policy_1.PolicyEnforcer((0, policy_1.loadPolicy)(this.projectRoot), this.projectRoot);
+        this.tools = new tools_1.ToolRegistry(this.projectRoot, this.policyEnforcer);
         this.context = new manager_1.ContextManager(opts.model, opts.provider);
         // Use policy-defined max iterations as default, CLI overrides
         this.maxIterations = opts.maxIterations || this.policyEnforcer.getMaxIterations();
@@ -135,7 +137,7 @@ class Agent {
             this.tokenTracker.setCostLimit(costLimit);
         // Load plugins
         try {
-            const plugins = (0, plugins_1.loadPlugins)(process.cwd());
+            const plugins = (0, plugins_1.loadPlugins)(this.projectRoot);
             for (const plugin of plugins) {
                 this.tools.register(plugin);
             }
@@ -569,9 +571,8 @@ class Agent {
             return null;
         try {
             const { execSync } = require('child_process');
-            const cwd = process.cwd();
             const currentBranch = execSync('git rev-parse --abbrev-ref HEAD', {
-                cwd, encoding: 'utf-8', timeout: 5000,
+                cwd: this.projectRoot, encoding: 'utf-8', timeout: 5000,
             }).trim();
             if (currentBranch !== 'main' && currentBranch !== 'master') {
                 this.branchCreated = true;
@@ -584,7 +585,7 @@ class Agent {
             const slug = this.sanitizeSlug(firstUserMsg?.content || 'task');
             const branchName = `${prefix}${timestamp}-${slug}`;
             execSync(`git checkout -b "${branchName}"`, {
-                cwd, encoding: 'utf-8', timeout: 10000,
+                cwd: this.projectRoot, encoding: 'utf-8', timeout: 10000,
             });
             this.branchCreated = true;
             return branchName;
@@ -633,7 +634,7 @@ class Agent {
     buildSystemPrompt(supportsTools) {
         let repoMap = '';
         try {
-            repoMap = (0, repo_map_1.buildRepoMap)(process.cwd());
+            repoMap = (0, repo_map_1.buildRepoMap)(this.projectRoot);
         }
         catch {
             repoMap = 'Project structure: (unable to scan)';
@@ -641,7 +642,7 @@ class Agent {
         // Load persistent memory
         let memoryBlock = '';
         try {
-            const memory = new memory_1.MemoryManager(process.cwd());
+            const memory = new memory_1.MemoryManager(this.projectRoot);
             memoryBlock = memory.getContextBlock();
         }
         catch {

package/dist/cli.js

@@ -52,7 +52,7 @@ const sandbox_1 = require("./sandbox");
 const replay_1 = require("./replay");
 const risk_1 = require("./risk");
 const sarif_1 = require("./sarif");
-const VERSION = '1.9.0';
+const VERSION = '2.0.0';
 const C = {
     reset: '\x1b[0m',
     bold: '\x1b[1m',

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+export declare const VERSION = "2.0.0";
 export { Agent } from './agent';
 export { OpenAIProvider } from './providers/openai';
 export { AnthropicProvider } from './providers/anthropic';

package/dist/index.js

@@ -14,7 +14,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sarifToString = exports.exportSarif = exports.RiskScorer = exports.MetricsCollector = exports.listReplayableSessions = exports.compareOutputs = exports.loadSessionForReplay = exports.ReplayProvider = exports.verifyMessages = exports.verifyMessage = exports.signMessage = exports.deriveSessionKey = exports.CapabilityChecker = exports.detectProvider = exports.getModelInfo = exports.PROVIDER_DEFAULTS = exports.MODEL_REGISTRY = exports.loadMCPTools = exports.loadPlugins = exports.parseToolCalls = exports.MemoryManager = exports.SessionManager = exports.buildRepoMap = exports.ContextManager = exports.ToolRegistry = exports.AnthropicProvider = exports.OpenAIProvider = exports.Agent = void 0;
+exports.sarifToString = exports.exportSarif = exports.RiskScorer = exports.MetricsCollector = exports.listReplayableSessions = exports.compareOutputs = exports.loadSessionForReplay = exports.ReplayProvider = exports.verifyMessages = exports.verifyMessage = exports.signMessage = exports.deriveSessionKey = exports.CapabilityChecker = exports.detectProvider = exports.getModelInfo = exports.PROVIDER_DEFAULTS = exports.MODEL_REGISTRY = exports.loadMCPTools = exports.loadPlugins = exports.parseToolCalls = exports.MemoryManager = exports.SessionManager = exports.buildRepoMap = exports.ContextManager = exports.ToolRegistry = exports.AnthropicProvider = exports.OpenAIProvider = exports.Agent = exports.VERSION = void 0;
+exports.VERSION = '2.0.0';
 var agent_1 = require("./agent");
 Object.defineProperty(exports, "Agent", { enumerable: true, get: function () { return agent_1.Agent; } });
 var openai_1 = require("./providers/openai");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebot-ai",
-  "version": "1.9.0",
+  "version": "2.0.0",
   "description": "Zero-dependency autonomous AI agent. Code, browse, search, automate. Works with any LLM — Ollama, Claude, GPT, Gemini, DeepSeek, Groq, Mistral, Grok.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",