comisai 1.0.19 → 1.0.23
- package/dist/cli-entry.js +0 -0
- package/node_modules/@comis/agent/dist/context-engine/context-engine.js +43 -2
- package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +51 -0
- package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +110 -0
- package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.d.ts +54 -0
- package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.js +145 -0
- package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +17 -0
- package/node_modules/@comis/agent/dist/executor/error-classifier.d.ts +11 -1
- package/node_modules/@comis/agent/dist/executor/error-classifier.js +13 -0
- package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +1 -0
- package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +55 -0
- package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +106 -5
- package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +1 -0
- package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
- package/node_modules/@comis/agent/dist/executor/pi-executor.js +30 -3
- package/node_modules/@comis/agent/dist/executor/replay-drift-detector.d.ts +85 -0
- package/node_modules/@comis/agent/dist/executor/replay-drift-detector.js +92 -0
- package/node_modules/@comis/agent/dist/executor/signature-block-scrubber.d.ts +34 -0
- package/node_modules/@comis/agent/dist/executor/signature-block-scrubber.js +69 -0
- package/node_modules/@comis/agent/dist/executor/signed-replay-detector.d.ts +39 -0
- package/node_modules/@comis/agent/dist/executor/signed-replay-detector.js +72 -0
- package/node_modules/@comis/agent/package.json +1 -1
- package/node_modules/@comis/channels/package.json +1 -1
- package/node_modules/@comis/cli/dist/cli.js +0 -0
- package/node_modules/@comis/cli/package.json +1 -1
- package/node_modules/@comis/core/dist/config/git-manager.js +10 -4
- package/node_modules/@comis/core/dist/config/index.d.ts +1 -0
- package/node_modules/@comis/core/dist/config/index.js +2 -0
- package/node_modules/@comis/core/dist/config/managed-sections.d.ts +67 -0
- package/node_modules/@comis/core/dist/config/managed-sections.js +124 -0
- package/node_modules/@comis/core/dist/config/schema-agent.d.ts +28 -10
- package/node_modules/@comis/core/dist/config/schema-agent.js +6 -0
- package/node_modules/@comis/core/dist/config/schema-gateway.d.ts +2 -2
- package/node_modules/@comis/core/dist/config/schema.d.ts +65 -64
- package/node_modules/@comis/core/dist/event-bus/events-messaging.d.ts +16 -0
- package/node_modules/@comis/core/dist/exports/config.d.ts +1 -1
- package/node_modules/@comis/core/dist/exports/config.js +1 -1
- package/node_modules/@comis/core/package.json +1 -1
- package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/init-skill.py +0 -0
- package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/validate-skill.py +0 -0
- package/node_modules/@comis/daemon/dist/daemon.js +11 -4
- package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +20 -7
- package/node_modules/@comis/daemon/dist/rpc/session-handlers.js +27 -1
- package/node_modules/@comis/daemon/dist/wiring/setup-gateway.d.ts +22 -0
- package/node_modules/@comis/daemon/dist/wiring/setup-gateway.js +34 -8
- package/node_modules/@comis/daemon/dist/wiring/setup-tools.js +14 -1
- package/node_modules/@comis/daemon/package.json +1 -1
- package/node_modules/@comis/gateway/package.json +1 -1
- package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +2 -2
- package/node_modules/@comis/infra/package.json +1 -1
- package/node_modules/@comis/memory/package.json +1 -1
- package/node_modules/@comis/scheduler/package.json +1 -1
- package/node_modules/@comis/shared/package.json +1 -1
- package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +23 -8
- package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.d.ts +1 -1
- package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +18 -14
- package/node_modules/@comis/skills/dist/builtin/platform/unified-session-tool.js +1 -1
- package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.d.ts +1 -0
- package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +78 -5
- package/node_modules/@comis/skills/package.json +1 -1
- package/node_modules/@comis/web/package.json +1 -1
- package/package.json +24 -26
- package/node_modules/@comis/agent/dist/provider/response/strip-minimax-xml.d.ts +0 -9
- package/node_modules/@comis/agent/dist/provider/response/strip-minimax-xml.js +0 -17
- package/node_modules/@comis/agent/dist/provider/response/strip-model-tokens.d.ts +0 -13
- package/node_modules/@comis/agent/dist/provider/response/strip-model-tokens.js +0 -19
- package/node_modules/@comis/agent/dist/provider/response/strip-tool-text.d.ts +0 -11
- package/node_modules/@comis/agent/dist/provider/response/strip-tool-text.js +0 -32
- package/node_modules/@comis/agent/dist/safety/follow-through-detector.d.ts +0 -46
- package/node_modules/@comis/agent/dist/safety/follow-through-detector.js +0 -76
- package/node_modules/@comis/agent/dist/safety/post-compaction-safety.d.ts +0 -30
- package/node_modules/@comis/agent/dist/safety/post-compaction-safety.js +0 -51
- package/node_modules/@comis/agent/dist/safety/schema-normalizer.d.ts +0 -37
- package/node_modules/@comis/agent/dist/safety/schema-normalizer.js +0 -137
- package/node_modules/@comis/agent/dist/safety/schema-pruning.d.ts +0 -50
- package/node_modules/@comis/agent/dist/safety/schema-pruning.js +0 -112
- package/node_modules/@comis/agent/dist/safety/tool-image-sanitizer.d.ts +0 -43
- package/node_modules/@comis/agent/dist/safety/tool-image-sanitizer.js +0 -96
- package/node_modules/@comis/agent/dist/safety/tool-sanitizer.d.ts +0 -44
- package/node_modules/@comis/agent/dist/safety/tool-sanitizer.js +0 -94
- package/node_modules/@comis/channels/dist/shared/thinking-tag-filter.d.ts +0 -28
- package/node_modules/@comis/channels/dist/shared/thinking-tag-filter.js +0 -206
- package/node_modules/@comis/cli/dist/wizard/config-writer.d.ts +0 -25
- package/node_modules/@comis/cli/dist/wizard/config-writer.js +0 -144
- package/node_modules/@comis/cli/dist/wizard/flow-types.d.ts +0 -48
- package/node_modules/@comis/cli/dist/wizard/flow-types.js +0 -70
- package/node_modules/@comis/cli/dist/wizard/manual-flow.d.ts +0 -21
- package/node_modules/@comis/cli/dist/wizard/manual-flow.js +0 -345
- package/node_modules/@comis/cli/dist/wizard/quickstart-flow.d.ts +0 -21
- package/node_modules/@comis/cli/dist/wizard/quickstart-flow.js +0 -116
- package/node_modules/@comis/core/dist/config/schema-agent-model.d.ts +0 -135
- package/node_modules/@comis/core/dist/config/schema-agent-model.js +0 -114
- package/node_modules/@comis/core/dist/config/schema-agent-session.d.ts +0 -177
- package/node_modules/@comis/core/dist/config/schema-agent-session.js +0 -116
- package/node_modules/@comis/core/dist/config/schema-context-engine.d.ts +0 -92
- package/node_modules/@comis/core/dist/config/schema-context-engine.js +0 -92
- package/node_modules/@comis/core/dist/config/schema-context-guard.d.ts +0 -34
- package/node_modules/@comis/core/dist/config/schema-context-guard.js +0 -32
- package/node_modules/@comis/core/dist/config/schema-delivery-mirror.d.ts +0 -27
- package/node_modules/@comis/core/dist/config/schema-delivery-mirror.js +0 -26
- package/node_modules/@comis/core/dist/config/schema-delivery-queue.d.ts +0 -31
- package/node_modules/@comis/core/dist/config/schema-delivery-queue.js +0 -30
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.d.ts +0 -41
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.js +0 -31
- package/node_modules/@comis/core/dist/config/schema-monitoring.d.ts +0 -105
- package/node_modules/@comis/core/dist/config/schema-monitoring.js +0 -67
- package/node_modules/@comis/core/dist/ports/media-ports.d.ts +0 -278
- package/node_modules/@comis/core/dist/ports/media-ports.js +0 -1
- package/node_modules/@comis/core/dist/security/input-guard.d.ts +0 -46
- package/node_modules/@comis/core/dist/security/input-guard.js +0 -166
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.d.ts +0 -38
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.js +0 -94
- package/node_modules/@comis/daemon/dist/observability/delivery-context.d.ts +0 -37
- package/node_modules/@comis/daemon/dist/observability/delivery-context.js +0 -1
- package/node_modules/@comis/daemon/dist/observability/log-level-manager.d.ts +0 -23
- package/node_modules/@comis/daemon/dist/observability/log-level-manager.js +0 -34
- package/node_modules/@comis/daemon/dist/observability/log-transport.d.ts +0 -44
- package/node_modules/@comis/daemon/dist/observability/log-transport.js +0 -74
- package/node_modules/@comis/daemon/dist/observability/obs-write-buffer.d.ts +0 -53
- package/node_modules/@comis/daemon/dist/observability/obs-write-buffer.js +0 -68
- package/node_modules/@comis/daemon/dist/observability/types.d.ts +0 -6
- package/node_modules/@comis/daemon/dist/observability/types.js +0 -1
- package/node_modules/@comis/daemon/dist/wiring/seed-bundled-skills.d.ts +0 -41
- package/node_modules/@comis/daemon/dist/wiring/seed-bundled-skills.js +0 -84
- package/node_modules/@comis/daemon/dist/wiring/setup-delivery-mirror.d.ts +0 -24
- package/node_modules/@comis/daemon/dist/wiring/setup-delivery-mirror.js +0 -88
- package/node_modules/@comis/daemon/dist/wiring/setup-delivery-queue.d.ts +0 -31
- package/node_modules/@comis/daemon/dist/wiring/setup-delivery-queue.js +0 -132
- package/node_modules/@comis/daemon/dist/wiring/setup-monitoring.d.ts +0 -38
- package/node_modules/@comis/daemon/dist/wiring/setup-monitoring.js +0 -100
- package/node_modules/@comis/daemon/dist/wiring/setup-rpc-bridge.d.ts +0 -34
- package/node_modules/@comis/daemon/dist/wiring/setup-rpc-bridge.js +0 -52
- package/node_modules/@comis/daemon/dist/wiring/setup-task-extraction.d.ts +0 -41
- package/node_modules/@comis/daemon/dist/wiring/setup-task-extraction.js +0 -86
- package/node_modules/@comis/memory/dist/embedding-cache.d.ts +0 -36
- package/node_modules/@comis/memory/dist/embedding-cache.js +0 -94
- package/node_modules/@comis/skills/dist/bridge/tool-output-schemas.d.ts +0 -17
- package/node_modules/@comis/skills/dist/bridge/tool-output-schemas.js +0 -125
- package/node_modules/@comis/skills/dist/bridge/tool-parallelism-metadata.d.ts +0 -14
- package/node_modules/@comis/skills/dist/bridge/tool-parallelism-metadata.js +0 -92
- package/node_modules/@comis/skills/dist/bridge/tool-result-caps.d.ts +0 -14
- package/node_modules/@comis/skills/dist/bridge/tool-result-caps.js +0 -36
- package/node_modules/@comis/skills/dist/bridge/tool-search-hints.d.ts +0 -15
- package/node_modules/@comis/skills/dist/bridge/tool-search-hints.js +0 -68
- package/node_modules/@comis/skills/dist/bridge/tool-validators.d.ts +0 -11
- package/node_modules/@comis/skills/dist/bridge/tool-validators.js +0 -105
- package/node_modules/@comis/skills/dist/builtin/file/find-sort-wrapper.d.ts +0 -22
- package/node_modules/@comis/skills/dist/builtin/file/find-sort-wrapper.js +0 -95
- package/node_modules/@comis/skills/dist/builtin/file/grep-output-mode-wrapper.d.ts +0 -24
- package/node_modules/@comis/skills/dist/builtin/file/grep-output-mode-wrapper.js +0 -167
- package/node_modules/@comis/skills/dist/builtin/task-plan-tool.d.ts +0 -25
- package/node_modules/@comis/skills/dist/builtin/task-plan-tool.js +0 -67
- package/node_modules/@comis/skills/dist/integrations/mcp-tool-bridge.d.ts +0 -75
- package/node_modules/@comis/skills/dist/integrations/mcp-tool-bridge.js +0 -235
|
@@ -281,6 +281,22 @@ export interface MessagingEvents {
|
|
|
281
281
|
escalatedMaxTokens: number;
|
|
282
282
|
timestamp: number;
|
|
283
283
|
};
|
|
284
|
+
/** Signed-replay self-heal fired: provider rejected stored signed thinking /
|
|
285
|
+
* reasoning state on the latest assistant turn (Anthropic `cannot be
|
|
286
|
+
* modified`, Gemini `thought_signature mismatch`, OpenAI Responses
|
|
287
|
+
* `reasoning_item not found`, OpenAI Completions `reasoning_id expired`,
|
|
288
|
+
* Mistral `encrypted_content verification failed`, etc.). The runner in
|
|
289
|
+
* `executor-prompt-runner.ts` scrubbed signed thinking state from the
|
|
290
|
+
* in-memory message array and re-entered the model retry chain. `succeeded`
|
|
291
|
+
* reports whether the retry produced a non-empty response. */
|
|
292
|
+
"execution:signed_replay_recovered": {
|
|
293
|
+
agentId: string;
|
|
294
|
+
sessionKey: string;
|
|
295
|
+
blocksRemoved: number;
|
|
296
|
+
thoughtSignaturesStripped: number;
|
|
297
|
+
succeeded: boolean;
|
|
298
|
+
timestamp: number;
|
|
299
|
+
};
|
|
284
300
|
/** Failed announcement persisted to dead-letter queue */
|
|
285
301
|
"announcement:dead_lettered": {
|
|
286
302
|
runId: string;
|
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, 
EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
|
|
1
|
+
export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, 
EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, MANAGED_SECTIONS, getManagedSectionRedirect, formatRedirectHint, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
|
|
2
2
|
export type { AppConfig, AgentConfig, BudgetConfig, CircuitBreakerConfig, DmScopeConfig, ElevatedReplyConfig, ModelRoutes, PruningConfig, HeartbeatConfig, HeartbeatTarget, PerAgentConfig, PerAgentCronConfig, PerAgentHeartbeatConfig, PerAgentSchedulerConfig, RagConfig, ResetPolicyOverride, RoutingBinding, RoutingConfig, SessionResetPolicyConfig, TracingConfig, ChannelConfig, ChannelEntry, ChannelHealthCheckConfig, AckReactionConfig, MemoryConfig, CompactionConfig, RetentionConfig, SecurityConfig, PermissionConfig, ActionConfirmationConfig, AgentToAgentConfig, SkillsConfig, DaemonConfig, LoggingConfig, TracingDefaults, ConfigWebhook, SchedulerConfig, GatewayConfig, GatewayTlsConfig, GatewayToken, GatewayRateLimit, IntegrationsConfig, BraveSearchConfig, McpServerEntry, McpConfig, TranscriptionConfig, TtsConfig, TtsAutoMode, ElevenLabsVoiceSettings, TtsOutputFormat, ImageAnalysisConfig, VisionScopeRule, VisionConfig, LinkUnderstandingConfig, MediaConfig, FileExtractionConfig, AutoReplyRule, AutoReplyConfig, MonitoringConfig, DiskMonitorConfig, ResourceMonitorConfig, SystemdMonitorConfig, SecurityUpdateMonitorConfig, GitMonitorConfig, PluginsConfig, PluginEntry, QueueConfig, PerChannelQueueConfig, QueueMode, OverflowPolicy, OverflowConfig, DebounceBufferConfig, FollowupConfig, PriorityLaneConfig, LaneAssignmentConfig, StreamingConfig, PerChannelStreamingConfig, TypingMode, ChunkMode, DeliveryMirrorConfig, DeliveryQueueConfig, DeliveryTimingConfig, DeliveryTimingMode, CoalescerConfig, AutoReplyEngineConfig, GroupActivationMode, SendPolicyConfig, SendPolicyRule, SendAction, EnvelopeConfig, RetryConfig, WebhooksConfig, WebhookMappingConfig, AgentSecretsConfig, SecretsConfig, ConfigError, ConfigErrorCode, FieldMetadata, PartialValidationResult, ConfigGitManager, GitCommitMetadata, HistoryEntry, GitManagerDeps, ExecGitFn, EnvValueWarning, LifecycleReactionsConfig, LifecycleReactionsTimingConfig, SenderTrustDisplayConfig, DocumentationConfig, DocumentationLink, 
ImageGenerationConfig, NotificationConfig, VerbosityConfig, VerbosityLevel, VerbosityOverride, ContextEngineConfig, BackgroundTasksConfig, MemoryReviewConfig, UserModel, ModelCost, OperationModelEntry, OperationModels, ModelOperationType, } from "../config/index.js";
|
|
@@ -1,3 +1,3 @@
|
|
|
1
1
|
// SPDX-License-Identifier: Apache-2.0
|
|
2
2
|
// @comis/core exports — Config (layered configuration with Zod validation)
|
|
3
|
-
export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, 
EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
|
|
3
|
+
export { AppConfigSchema, AgentConfigSchema, AgentsMapSchema, BudgetConfigSchema, CircuitBreakerConfigSchema, DmScopeConfigSchema, ElevatedReplyConfigSchema, ModelRoutesSchema, HeartbeatConfigSchema, HeartbeatTargetSchema, PerAgentConfigSchema, PerAgentCronConfigSchema, PerAgentHeartbeatConfigSchema, PerAgentSchedulerConfigSchema, PruningConfigSchema, RagConfigSchema, ResetPolicyOverrideSchema, RoutingBindingSchema, RoutingConfigSchema, SessionResetPolicySchema, TracingConfigSchema, ChannelConfigSchema, ChannelEntrySchema, ChannelHealthCheckSchema, MemoryConfigSchema, CompactionConfigSchema, RetentionConfigSchema, SecurityConfigSchema, PermissionConfigSchema, ActionConfirmationConfigSchema, AgentToAgentConfigSchema, SkillsConfigSchema, DaemonConfigSchema, LoggingConfigSchema, TracingDefaultsSchema, ConfigWebhookSchema, SchedulerConfigSchema, GatewayConfigSchema, GatewayTlsConfigSchema, GatewayTokenSchema, GatewayRateLimitSchema, IntegrationsConfigSchema, BraveSearchConfigSchema, McpServerEntrySchema, McpConfigSchema, TranscriptionConfigSchema, TtsConfigSchema, TtsAutoModeSchema, ElevenLabsVoiceSettingsSchema, TtsOutputFormatSchema, ImageAnalysisConfigSchema, VisionScopeRuleSchema, VisionConfigSchema, LinkUnderstandingConfigSchema, MediaConfigSchema, DOCUMENT_MIME_WHITELIST, FileExtractionConfigSchema, AutoReplyRuleSchema, AutoReplyConfigSchema, MonitoringConfigSchema, PluginsConfigSchema, PluginEntrySchema, QueueConfigSchema, QueueModeSchema, OverflowPolicySchema, PerChannelQueueConfigSchema, OverflowConfigSchema, DebounceBufferConfigSchema, FollowupConfigSchema, PriorityLaneConfigSchema, LaneAssignmentConfigSchema, StreamingConfigSchema, PerChannelStreamingConfigSchema, TypingModeSchema, ChunkModeSchema, DeliveryMirrorConfigSchema, DeliveryQueueConfigSchema, DeliveryTimingConfigSchema, DeliveryTimingModeSchema, CoalescerConfigSchema, AutoReplyEngineConfigSchema, GroupActivationModeSchema, SendPolicyConfigSchema, SendPolicyRuleSchema, SendActionSchema, 
EnvelopeConfigSchema, RetryConfigSchema, WebhooksConfigSchema, WebhookMappingConfigSchema, WebhookMappingMatchSchema, AgentSecretsConfigSchema, SecretsConfigSchema, DocumentationConfigSchema, DocumentationLinkSchema, ImageGenerationConfigSchema, NotificationConfigSchema, VerbosityConfigSchema, VerbosityLevelSchema, VerbosityOverrideSchema, ContextEngineConfigSchema, BackgroundTasksConfigSchema, MemoryReviewConfigSchema, UserModelSchema, ModelCostSchema, OperationModelEntrySchema, OperationModelsSchema, substituteEnvVars, warnSuspiciousEnvValues, loadConfigFile, validateConfig, deepMerge, mergeLayered, loadLayered, IMMUTABLE_CONFIG_PREFIXES, MUTABLE_CONFIG_OVERRIDES, isImmutableConfigPath, matchesOverridePattern, getMutableOverridesForSection, MANAGED_SECTIONS, getManagedSectionRedirect, formatRedirectHint, getConfigSchema, getConfigSections, getFieldMetadata, validatePartial, createConfigGitManager, checkApprovalsConfig, } from "../config/index.js";
|
|
File without changes
|
|
File without changes
|
|
@@ -182,13 +182,20 @@ export async function main(overrides = {}) {
|
|
|
182
182
|
// better-sqlite3 'bindings' module fails fast with a clear repair hint
|
|
183
183
|
// instead of cascading into a systemd restart loop.
|
|
184
184
|
await _preflightDoctor(exitFn);
|
|
185
|
-
// 0.
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
//
|
|
185
|
+
// 0. Resolve data directory, then load secrets from <dataDir>/.env.
|
|
186
|
+
// The env file always lives alongside the data dir, so it follows
|
|
187
|
+
// COMIS_DATA_DIR — set to /data inside the Docker container (matches
|
|
188
|
+
// the compose mount of ${COMIS_ENV_FILE:-~/.comis/.env}:/data/.env:ro),
|
|
189
|
+
// unset on bare-metal so it falls back to ~/.comis/.env. This is what
|
|
190
|
+
// makes the legacy "credentials in a flat .env file" workflow the
|
|
191
|
+
// default for both deployment modes; secrets.db is opt-in via
|
|
192
|
+
// SECRETS_MASTER_KEY.
|
|
189
193
|
// eslint-disable-next-line no-restricted-syntax -- process.env access needed before SecretManager is initialized
|
|
190
194
|
const dataDir = process.env["COMIS_DATA_DIR"]
|
|
191
195
|
?? safePath(os.homedir(), ".comis");
|
|
196
|
+
const envPath = safePath(dataDir, ".env");
|
|
197
|
+
loadEnvFile(envPath);
|
|
198
|
+
// 0.5. Decrypt secrets, merge with env, scrub process.env
|
|
192
199
|
// Scan and correct permissions on known sensitive files
|
|
193
200
|
const permissionCorrections = hardenDataDirPermissions(dataDir);
|
|
194
201
|
const secretsBootResult = _setupSecrets({
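Review bot: `loadEnvFile(envPath)` runs before `hardenDataDirPermissions(dataDir)`, so the secrets file is read with whatever mode it had on disk, and the hunk does not show whether the hardening pass covers `.env` at all. `dataDir` is taken directly from `COMIS_DATA_DIR`, so the location of the loaded `.env` is only as trustworthy as the process environment. I would either move the load below the hardening call or have the loader warn or refuse on a group- or world-accessible file; with the read-only Docker mount, check-and-warn is probably the only workable form. The `// 0.5.` comment now sits above the permission scan, not above the `_setupSecrets` call it describes. `main` continues outside this hunk.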
|
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
* Extracted from daemon.ts rpcCallInner switch block
|
|
9
9
|
* @module
|
|
10
10
|
*/
|
|
11
|
-
import { isImmutableConfigPath, getConfigSchema, getConfigSections, deepMerge, AppConfigSchema, redactConfigSecrets, warnSuspiciousEnvValues, } from "@comis/core";
|
|
11
|
+
import { isImmutableConfigPath, getConfigSchema, getConfigSections, deepMerge, AppConfigSchema, redactConfigSecrets, warnSuspiciousEnvValues, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
|
|
12
12
|
import { suppressError } from "@comis/shared";
|
|
13
13
|
import { stringify as yamlStringify } from "yaml";
|
|
14
14
|
import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync } from "node:fs";
|
|
@@ -406,10 +406,18 @@ export function createConfigHandlers(deps) {
|
|
|
406
406
|
const coercedValue = coerceConfigValue(value, subSchema);
|
|
407
407
|
const ctx = params._context;
|
|
408
408
|
try {
|
|
409
|
-
// Check immutable paths
|
|
409
|
+
// Check immutable paths.
|
|
410
|
+
// Backstop for direct-RPC clients (web UI, CLI). The gateway tool
|
|
411
|
+
// pre-flight and bridge metadata validator catch this earlier for
|
|
412
|
+
// LLM tool calls -- this path is reached when those layers are
|
|
413
|
+
// bypassed. Emit the same redirect hint so all clients see
|
|
414
|
+
// identical, model-agnostic recovery instructions (quick-260425-t40).
|
|
410
415
|
if (isImmutableConfigPath(section, key)) {
|
|
411
|
-
|
|
412
|
-
|
|
416
|
+
const redirect = getManagedSectionRedirect(section, key);
|
|
417
|
+
const suffix = redirect
|
|
418
|
+
? ` ${formatRedirectHint(redirect)}`
|
|
419
|
+
: " This setting requires manual operator intervention via config files.";
|
|
420
|
+
throw new Error(`Config path "${key ? `${section}.${key}` : section}" is immutable and cannot be modified at runtime.${suffix}`);
|
|
413
421
|
}
|
|
414
422
|
// Build patch object (use coerced value for the actual data, keep original for audit)
|
|
415
423
|
let patch;
|
|
@@ -582,10 +590,15 @@ export function createConfigHandlers(deps) {
|
|
|
582
590
|
if (!(section in deps.container.config)) {
|
|
583
591
|
throw new Error(`Unknown config section: "${section}". Valid sections: ${getConfigSections().join(", ")}.`);
|
|
584
592
|
}
|
|
585
|
-
// Check immutable paths -- entire section is being replaced
|
|
593
|
+
// Check immutable paths -- entire section is being replaced.
|
|
594
|
+
// Backstop for direct-RPC clients; LLM tool calls hit the same redirect
|
|
595
|
+
// earlier via gateway-tool / bridge validator (quick-260425-t40).
|
|
586
596
|
if (isImmutableConfigPath(section)) {
|
|
587
|
-
|
|
588
|
-
|
|
597
|
+
const redirect = getManagedSectionRedirect(section);
|
|
598
|
+
const suffix = redirect
|
|
599
|
+
? ` ${formatRedirectHint(redirect)}`
|
|
600
|
+
: " This section requires manual operator intervention via config files.";
|
|
601
|
+
throw new Error(`Config section "${section}" is immutable and cannot be replaced at runtime.${suffix}`);
|
|
589
602
|
}
|
|
590
603
|
// Build replacement: replace the section entirely (NOT deep merge)
|
|
591
604
|
const currentConfig = structuredClone(deps.container.config);
|
|
@@ -181,6 +181,28 @@ function loadJsonlSession(filePath) {
|
|
|
181
181
|
}
|
|
182
182
|
}
|
|
183
183
|
// ---------------------------------------------------------------------------
|
|
184
|
+
// Helpers
|
|
185
|
+
// ---------------------------------------------------------------------------
|
|
186
|
+
/**
|
|
187
|
+
* Collect available session keys from all sources (SQLite, JSONL, workspace)
|
|
188
|
+
* for inclusion in "session not found" error messages.
|
|
189
|
+
*/
|
|
190
|
+
function collectAvailableSessionKeys(deps) {
|
|
191
|
+
const keys = [];
|
|
192
|
+
for (const s of deps.sessionStore.listDetailed()) {
|
|
193
|
+
keys.push(s.sessionKey);
|
|
194
|
+
}
|
|
195
|
+
if (deps.defaultWorkspaceDir) {
|
|
196
|
+
const existing = new Set(keys);
|
|
197
|
+
for (const ws of scanWorkspaceSessions(deps.defaultWorkspaceDir)) {
|
|
198
|
+
if (!existing.has(ws.sessionKey)) {
|
|
199
|
+
keys.push(ws.sessionKey);
|
|
200
|
+
}
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
return keys;
|
|
204
|
+
}
|
|
205
|
+
// ---------------------------------------------------------------------------
|
|
184
206
|
// Factory
|
|
185
207
|
// ---------------------------------------------------------------------------
|
|
186
208
|
/**
|
|
@@ -428,7 +450,11 @@ export function createSessionHandlers(deps) {
|
|
|
428
450
|
}
|
|
429
451
|
}
|
|
430
452
|
if (!data) {
|
|
431
|
-
|
|
453
|
+
const available = collectAvailableSessionKeys(deps);
|
|
454
|
+
const hint = available.length > 0
|
|
455
|
+
? `. Available session keys: ${available.join(", ")}`
|
|
456
|
+
: ". Use action 'list' to discover available session keys";
|
|
457
|
+
throw new Error(`Session not found: ${sessionKey}${hint}`);
|
|
432
458
|
}
|
|
433
459
|
// Parse session key for metadata
|
|
434
460
|
const parsed = parseFormattedSessionKey(sessionKey);
|
|
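Review bot: The new "Session not found" error (new-side lines 453-457) joins every key returned by `collectAvailableSessionKeys(deps)` into the message, with no filter on the caller's tenant or trust level and no cap on the number of keys. The tool schema elsewhere in this diff documents the key format as `{tenantId}:{filename}`, so a caller who supplies a wrong key is handed identifiers for every stored session; whether this handler is already limited to admin callers is not visible in the hunk. I would drop the list and keep only the pointer, `const hint = ". Use action 'list' to discover available session keys";`, so enumeration goes through whatever access checks the list action applies. The helper's docstring also names SQLite and JSONL sources, while its body reads only `deps.sessionStore.listDetailed()` and `scanWorkspaceSessions(...)`. The enclosing handler starts and ends outside the hunk.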
@@ -14,6 +14,28 @@ import type { MemoryApi, SqliteMemoryAdapter, createEmbeddingQueue, createSessio
|
|
|
14
14
|
import type { RpcCall } from "@comis/skills";
|
|
15
15
|
import { createGatewayServer, WsConnectionManager, type GatewayServerHandle } from "@comis/gateway";
|
|
16
16
|
import type { RpcDispatchDeps } from "../rpc/rpc-dispatch.js";
|
|
17
|
+
/**
|
|
18
|
+
* Build the structured log fields for the gateway "Agent execution requested"
|
|
19
|
+
* INFO line. Replaces the previous behavior of logging the first 200 chars
|
|
20
|
+
* of the raw user message, which violated AGENTS.md §2.2 (no message bodies
|
|
21
|
+
* in logs at any level). Emits message length plus a short SHA-256 prefix
|
|
22
|
+
* for correlation, never the body itself.
|
|
23
|
+
*
|
|
24
|
+
* @param input.agentId Resolved agent ID (already trust-derived).
|
|
25
|
+
* @param input.message Raw user message (may be empty / undefined).
|
|
26
|
+
* @param input.connectionId Optional WebSocket connection ID.
|
|
27
|
+
* @returns Object suitable for `logger.info(obj, "Agent execution requested")`.
|
|
28
|
+
*/
|
|
29
|
+
export declare function buildExecutionRequestedLogFields(input: {
|
|
30
|
+
agentId: string;
|
|
31
|
+
message: string | undefined;
|
|
32
|
+
connectionId: string | undefined;
|
|
33
|
+
}): {
|
|
34
|
+
agentId: string;
|
|
35
|
+
messageLen: number;
|
|
36
|
+
messageHash?: string;
|
|
37
|
+
connectionId?: string;
|
|
38
|
+
};
|
|
17
39
|
/** All services produced by the RPC bridge setup phase. */
|
|
18
40
|
export interface RpcBridgeResult {
|
|
19
41
|
/** The rpcCall function usable immediately (delegates to inner dispatch once wired). */
|
|
@@ -15,10 +15,39 @@ import { suppressError } from "@comis/shared";
|
|
|
15
15
|
import { readFileSync, existsSync } from "node:fs";
|
|
16
16
|
import { parseSlashCommand, createCommandHandler, createGreetingGenerator, } from "@comis/agent";
|
|
17
17
|
import { createDynamicMethodRouter, createRpcAdapters, createTokenStore, WsConnectionManager, } from "@comis/gateway";
|
|
18
|
-
import { randomUUID } from "node:crypto";
|
|
18
|
+
import { createHash, randomUUID } from "node:crypto";
|
|
19
19
|
import { dirname, join, resolve } from "node:path";
|
|
20
20
|
import { fileURLToPath } from "node:url";
|
|
21
21
|
import { createRpcDispatch, classifyRpcError } from "../rpc/rpc-dispatch.js";
|
|
22
|
+
// ===========================================================================
|
|
23
|
+
// Execution-request log redaction helper
|
|
24
|
+
// ===========================================================================
|
|
25
|
+
/**
|
|
26
|
+
* Build the structured log fields for the gateway "Agent execution requested"
|
|
27
|
+
* INFO line. Replaces the previous behavior of logging the first 200 chars
|
|
28
|
+
* of the raw user message, which violated AGENTS.md §2.2 (no message bodies
|
|
29
|
+
* in logs at any level). Emits message length plus a short SHA-256 prefix
|
|
30
|
+
* for correlation, never the body itself.
|
|
31
|
+
*
|
|
32
|
+
* @param input.agentId Resolved agent ID (already trust-derived).
|
|
33
|
+
* @param input.message Raw user message (may be empty / undefined).
|
|
34
|
+
* @param input.connectionId Optional WebSocket connection ID.
|
|
35
|
+
* @returns Object suitable for `logger.info(obj, "Agent execution requested")`.
|
|
36
|
+
*/
|
|
37
|
+
export function buildExecutionRequestedLogFields(input) {
|
|
38
|
+
const raw = input.message ?? "";
|
|
39
|
+
const fields = {
|
|
40
|
+
agentId: input.agentId,
|
|
41
|
+
messageLen: raw.length,
|
|
42
|
+
};
|
|
43
|
+
if (raw.length > 0) {
|
|
44
|
+
fields.messageHash = createHash("sha256").update(raw).digest("hex").slice(0, 12);
|
|
45
|
+
}
|
|
46
|
+
if (input.connectionId !== undefined) {
|
|
47
|
+
fields.connectionId = input.connectionId;
|
|
48
|
+
}
|
|
49
|
+
return fields;
|
|
50
|
+
}
|
|
22
51
|
/**
|
|
23
52
|
* Create the rpcCall wrapper and deferred dispatch mechanism.
|
|
24
53
|
* The returned rpcCall can be passed to setupTools immediately. After
|
|
@@ -296,14 +325,11 @@ export async function setupGateway(deps) {
|
|
|
296
325
|
// Admin scope or wildcard -> admin trust; otherwise -> user trust (fail-closed).
|
|
297
326
|
const trustLevel = deriveTrustLevel(params.scopes);
|
|
298
327
|
gatewayLogger.debug({ scopes: params.scopes, trustLevel, agentId: execAgentId }, "Trust level derived from token scopes");
|
|
299
|
-
|
|
300
|
-
const truncated = rawMsg.length > 200;
|
|
301
|
-
gatewayLogger.info({
|
|
328
|
+
gatewayLogger.info(buildExecutionRequestedLogFields({
|
|
302
329
|
agentId: execAgentId,
|
|
303
|
-
message:
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
}, "Agent execution requested");
|
|
330
|
+
message: params.message,
|
|
331
|
+
connectionId,
|
|
332
|
+
}), "Agent execution requested");
|
|
307
333
|
// Link understanding preprocessing: enrich message text with fetched URL content
|
|
308
334
|
const enrichedText = await preprocessMessageText(params.message);
|
|
309
335
|
const msg = {
|
|
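Review bot: `buildExecutionRequestedLogFields` logs an unkeyed, truncated SHA-256 of the message (`createHash("sha256").update(raw).digest("hex").slice(0, 12)`), which is the same for the same text in every deployment. Logged next to `messageLen`, it lets anyone with log access confirm a guess of a short or predictable message such as a one-word reply or a PIN. If the value is only needed for correlation, a keyed digest keeps that property: `fields.messageHash = createHmac("sha256", logHashKey).update(raw).digest("hex").slice(0, 12);`, where `logHashKey` is a placeholder for a per-deployment secret and `createHmac` is added to the `node:crypto` import. The 12-hex prefix is 48 bits, so the docstring should describe it as a correlation aid rather than a unique identifier, and could state that `messageLen` counts UTF-16 code units (`raw.length`).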
@@ -28,6 +28,11 @@ export function setupTools(deps) {
|
|
|
28
28
|
const { rpcCall, agents, defaultAgentId, workspaceDirs, defaultWorkspaceDir, dataDir, secretManager, platformSecretNames, eventBus, skillsLogger, linkRunner, approvalGate, subprocessEnv, credentialMappingStore, onSuspiciousContent, mcpClientManager, sandboxProvider, sessionTrackerRegistry, } = deps;
|
|
29
29
|
/** Per-agent ProcessRegistry instances for background process lifecycle management. */
|
|
30
30
|
const processRegistries = new Map();
|
|
31
|
+
/** Agents we've already logged the no-sandbox WARN for. Per-agent assembly
|
|
32
|
+
* runs on every session/heartbeat/cron tick; without this guard the WARN
|
|
33
|
+
* repeats on every LLM call even though the underlying state is fixed at
|
|
34
|
+
* daemon startup (detectSandboxProvider runs once). */
|
|
35
|
+
const warnedNoSandboxAgents = new Set();
|
|
31
36
|
function getOrCreateRegistry(agentId) {
|
|
32
37
|
let registry = processRegistries.get(agentId);
|
|
33
38
|
if (!registry) {
|
|
@@ -238,7 +243,15 @@ export function setupTools(deps) {
|
|
|
238
243
|
}
|
|
239
244
|
: undefined;
|
|
240
245
|
if (!sandboxCfg && skillsConfig.execSandbox.enabled === "always") {
|
|
241
|
-
|
|
246
|
+
if (warnedNoSandboxAgents.has(agentId)) {
|
|
247
|
+
// Already warned for this agent at WARN level — drop to DEBUG so
|
|
248
|
+
// every per-call assembly doesn't re-log the same fact.
|
|
249
|
+
skillsLogger.debug({ agentId }, "Exec tool running without OS sandbox (already warned at startup; per-call DEBUG)");
|
|
250
|
+
}
|
|
251
|
+
else {
|
|
252
|
+
skillsLogger.warn({ agentId, hint: "Sandbox enabled in config but no provider available -- exec tool will run without OS sandbox", errorKind: "config" }, "Exec tool running without OS sandbox");
|
|
253
|
+
warnedNoSandboxAgents.add(agentId);
|
|
254
|
+
}
|
|
242
255
|
}
|
|
243
256
|
// Exec tool -- always instantiated; builtinTools ceiling applied after profile filtering
|
|
244
257
|
{
|
|
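Review bot: With `skillsConfig.execSandbox.enabled === "always"` and no `sandboxCfg`, the new branch (new-side lines 246-254) still only logs, and after the first WARN per agent every later occurrence is demoted to DEBUG, so a long-running daemon keeps a single WARN-level record that exec is running without an OS sandbox. The context comment that follows says the exec tool is always instantiated; whether execution is refused elsewhere when the setting is "always" is not visible in this hunk. If it is not, this is a fail-open on a setting whose name promises enforcement, and I would either not register exec for that agent or surface the state through a channel monitoring can alert on, rather than rely on one log line. The DEBUG text says "already warned at startup", but the WARN is emitted on the first assembly for that agent, so `"already warned for this agent"` would be accurate. `setupTools` continues outside the hunk.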
@@ -119,10 +119,10 @@ export interface LogFields {
|
|
|
119
119
|
closeReason: string;
|
|
120
120
|
/** Semantic categorization of the WebSocket close code (e.g., "normal", "abnormal", "no-status"). */
|
|
121
121
|
closeType: string;
|
|
122
|
-
/** Whether the logged message text was truncated from the original. */
|
|
123
|
-
messageTruncated: boolean;
|
|
124
122
|
/** Input message character length. */
|
|
125
123
|
messageLen: number;
|
|
124
|
+
/** First 12 hex chars of SHA-256 of input message; omitted when empty. Stable per content. */
|
|
125
|
+
messageHash: string;
|
|
126
126
|
/** Output response character length. */
|
|
127
127
|
responseLen: number;
|
|
128
128
|
/** Flat input token count for easy aggregation. */
|
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
*
|
|
12
12
|
* @module
|
|
13
13
|
*/
|
|
14
|
-
import { registerToolMetadata, isImmutableConfigPath, getMutableOverridesForSection } from "@comis/core";
|
|
14
|
+
import { registerToolMetadata, isImmutableConfigPath, getMutableOverridesForSection, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
|
|
15
15
|
import { validateExecCommand } from "../builtin/exec-security.js";
|
|
16
16
|
import { GATEWAY_ACTIONS } from "../builtin/platform/gateway-tool.js";
|
|
17
17
|
export function registerAllToolMetadata() {
|
|
@@ -149,25 +149,40 @@ export function registerAllToolMetadata() {
|
|
|
149
149
|
return undefined;
|
|
150
150
|
},
|
|
151
151
|
});
|
|
152
|
-
// Gateway tool -- action enum + immutable path rejection for patch.
|
|
152
|
+
// Gateway tool -- action enum + immutable path rejection for patch and apply.
|
|
153
153
|
// Whitelist is derived from the tool's exported GATEWAY_ACTIONS tuple so
|
|
154
154
|
// bridge + handler cannot drift (quick-260420-iv2 regression fix).
|
|
155
|
+
// When the rejected section has a dedicated *_manage tool, the message
|
|
156
|
+
// includes a parameter-correct redirect via formatRedirectHint() so any
|
|
157
|
+
// LLM (Opus/Sonnet/Haiku, GPT-5, Gemini, Mistral, etc.) can self-recover
|
|
158
|
+
// without model-specific prompting (quick-260425-t40).
|
|
155
159
|
registerToolMetadata("gateway", {
|
|
156
160
|
validateInput: (params) => {
|
|
157
161
|
const action = typeof params.action === "string" ? params.action : undefined;
|
|
158
162
|
if (!action || !GATEWAY_ACTIONS.includes(action)) {
|
|
159
163
|
return `Invalid action: "${action ?? ""}". Valid: ${GATEWAY_ACTIONS.join(", ")}`;
|
|
160
164
|
}
|
|
161
|
-
|
|
165
|
+
const section = typeof params.section === "string" ? params.section : undefined;
|
|
166
|
+
// Only check immutability for mutating actions (reads must succeed on immutable paths).
|
|
162
167
|
if (action === "patch") {
|
|
163
|
-
const section = typeof params.section === "string" ? params.section : undefined;
|
|
164
168
|
const key = typeof params.key === "string" ? params.key : undefined;
|
|
165
169
|
if (section && isImmutableConfigPath(section, key)) {
|
|
166
170
|
const mutablePaths = getMutableOverridesForSection(section, key);
|
|
167
|
-
const
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
+
const redirect = getManagedSectionRedirect(section, key);
|
|
172
|
+
const fullPath = `${section}${key ? "." + key : ""}`;
|
|
173
|
+
const suffix = redirect
|
|
174
|
+
? ` ${formatRedirectHint(redirect, mutablePaths)}`
|
|
175
|
+
: mutablePaths.length > 0
|
|
176
|
+
? ` Patchable: ${mutablePaths.join(", ")}.`
|
|
177
|
+
: "";
|
|
178
|
+
return `Cannot patch immutable config path: ${fullPath}.${suffix}`;
|
|
179
|
+
}
|
|
180
|
+
}
|
|
181
|
+
if (action === "apply") {
|
|
182
|
+
if (section && isImmutableConfigPath(section)) {
|
|
183
|
+
const redirect = getManagedSectionRedirect(section);
|
|
184
|
+
const suffix = redirect ? ` ${formatRedirectHint(redirect)}` : "";
|
|
185
|
+
return `Cannot apply to immutable config section: ${section}.${suffix}`;
|
|
171
186
|
}
|
|
172
187
|
}
|
|
173
188
|
return undefined;
|
|
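Review bot: The comment at new-side line 166 says immutability is checked for mutating actions, but `validateInput` checks only `patch` and `apply`, while `GATEWAY_ACTIONS` (declared in the gateway-tool typings in this diff) also lists `rollback`, `env_set` and `restart`. Whether `rollback` can restore an earlier value of an immutable section is not visible here; if it can, this pre-flight would not stop it and the handler-side check would be the only guard. I would either extend the check or make the comment exact, e.g. `// Only patch and apply are pre-checked here; rollback and env_set are not -- TODO confirm the handlers enforce immutability.` The `validateInput` body ends outside the hunk.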
@@ -21,7 +21,7 @@ import type { RpcCall } from "./cron-tool.js";
|
|
|
21
21
|
export declare const GATEWAY_ACTIONS: readonly ["read", "patch", "apply", "restart", "schema", "status", "history", "diff", "rollback", "env_set", "env_list"];
|
|
22
22
|
export type GatewayAction = typeof GATEWAY_ACTIONS[number];
|
|
23
23
|
declare const GatewayToolParams: import("@sinclair/typebox").TObject<{
|
|
24
|
-
action: import("@sinclair/typebox").TUnion<import("@sinclair/typebox").TLiteral<"status" | "read" | "patch" | "
|
|
24
|
+
action: import("@sinclair/typebox").TUnion<import("@sinclair/typebox").TLiteral<"status" | "read" | "patch" | "diff" | "apply" | "restart" | "schema" | "history" | "rollback" | "env_set" | "env_list">[]>;
|
|
25
25
|
section: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
|
|
26
26
|
key: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
|
|
27
27
|
value: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnknown>;
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* @module
|
|
11
11
|
*/
|
|
12
12
|
import { Type } from "@sinclair/typebox";
|
|
13
|
-
import { tryGetContext, isImmutableConfigPath, MUTABLE_CONFIG_OVERRIDES, matchesOverridePattern, getMutableOverridesForSection } from "@comis/core";
|
|
13
|
+
import { tryGetContext, isImmutableConfigPath, MUTABLE_CONFIG_OVERRIDES, matchesOverridePattern, getMutableOverridesForSection, getManagedSectionRedirect, formatRedirectHint, } from "@comis/core";
|
|
14
14
|
import { readStringParam, throwToolError, createActionGate, } from "./tool-helpers.js";
|
|
15
15
|
import { createMultiActionDispatchTool } from "./messaging-factory.js";
|
|
16
16
|
// ---------------------------------------------------------------------------
|
|
@@ -123,19 +123,18 @@ export function createGatewayTool(rpcCall) {
|
|
|
123
123
|
case "patch": {
|
|
124
124
|
const section = readStringParam(p, "section");
|
|
125
125
|
const key = readStringParam(p, "key");
|
|
126
|
-
// Pre-gate immutability check: reject before asking for confirmation
|
|
126
|
+
// Pre-gate immutability check: reject before asking for confirmation.
|
|
127
|
+
// When the section has a dedicated *_manage tool, redirect there with
|
|
128
|
+
// a parameter-correct example call so the LLM can self-recover without
|
|
129
|
+
// needing model-specific prompting.
|
|
127
130
|
if (isImmutableConfigPath(section, key)) {
|
|
128
131
|
const mutablePaths = getMutableOverridesForSection(section, key);
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
}
|
|
136
|
-
else {
|
|
137
|
-
hint = "This section has no runtime-patchable paths.";
|
|
138
|
-
}
|
|
132
|
+
const redirect = getManagedSectionRedirect(section, key);
|
|
133
|
+
const hint = redirect
|
|
134
|
+
? formatRedirectHint(redirect, mutablePaths)
|
|
135
|
+
: mutablePaths.length > 0
|
|
136
|
+
? `Patchable paths under "${section}": ${mutablePaths.join(", ")}.`
|
|
137
|
+
: "This section has no runtime-patchable paths and no dedicated management tool.";
|
|
139
138
|
throwToolError("permission_denied", `Cannot patch immutable config path: ${section}.${key}.`, { hint });
|
|
140
139
|
}
|
|
141
140
|
// Skip confirmation gate for known mutable override paths (no round-trip needed)
|
|
@@ -183,9 +182,14 @@ export function createGatewayTool(rpcCall) {
|
|
|
183
182
|
}
|
|
184
183
|
case "apply": {
|
|
185
184
|
const section = readStringParam(p, "section");
|
|
186
|
-
// Pre-gate immutability check: reject before asking for confirmation
|
|
185
|
+
// Pre-gate immutability check: reject before asking for confirmation.
|
|
186
|
+
// Redirect to the dedicated *_manage tool when one exists for this section.
|
|
187
187
|
if (isImmutableConfigPath(section)) {
|
|
188
|
-
|
|
188
|
+
const redirect = getManagedSectionRedirect(section);
|
|
189
|
+
const hint = redirect
|
|
190
|
+
? formatRedirectHint(redirect)
|
|
191
|
+
: "Security-sensitive sections cannot be replaced at runtime.";
|
|
192
|
+
throwToolError("permission_denied", `Cannot apply to immutable config section: ${section}.`, { hint });
|
|
189
193
|
}
|
|
190
194
|
const gate = applyGate(p);
|
|
191
195
|
if (gate.requiresConfirmation) {
|
|
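Review bot: The `patch` rejection (new-side line 138) still formats the path as `${section}.${key}`, while the validator and the daemon handler in this same diff both handle a missing key. If `readStringParam(p, "key")` can return `undefined`, which is not visible here, the message would end in `.undefined`; computing `const fullPath = key ? section + "." + key : section;` and using it in the message would match the other two layers. The three layers also build their fallback text separately and with different wording, although the daemon-side comment says all clients see identical instructions. One shared helper next to `formatRedirectHint` would stop them drifting. The `case "patch"` and `case "apply"` bodies continue outside their hunks.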
@@ -36,7 +36,7 @@ const UnifiedSessionParams = Type.Object({
|
|
|
36
36
|
], { description: "Filter by message role: 'all' (default), 'user', 'assistant', 'tool' (action: search)" })),
|
|
37
37
|
summarize: Type.Optional(Type.Boolean({ description: "Summarize matched sessions using LLM (default: true when query provided) (action: search)" })),
|
|
38
38
|
// history params
|
|
39
|
-
session_key: Type.Optional(Type.String({ description: "
|
|
39
|
+
session_key: Type.Optional(Type.String({ description: "Session key for action: history. Use action 'list' first to discover available keys. Format: {tenantId}:{filename}, e.g. 'default:678314278~peer~678314278'" })),
|
|
40
40
|
offset: Type.Optional(Type.Integer({ description: "Pagination offset (default: 0) (action: history)" })),
|
|
41
41
|
// shared params
|
|
42
42
|
limit: Type.Optional(Type.Integer({ description: "Maximum results to return (action: search default 10 max 30, action: history default 20)" })),
|
|
@@ -10,6 +10,7 @@
|
|
|
10
10
|
import type { SandboxProvider } from "./types.js";
|
|
11
11
|
/** Minimal logger interface for sandbox detection. */
|
|
12
12
|
export interface DetectLogger {
|
|
13
|
+
info(obj: Record<string, unknown>, msg: string): void;
|
|
13
14
|
warn(obj: Record<string, unknown>, msg: string): void;
|
|
14
15
|
}
|
|
15
16
|
/**
|