cowork-harness 0.1.0

package/dist/hostloop/provenance.js

@@ -0,0 +1,110 @@
+/**
+ * #30 — web_fetch URL provenance. Faithful port of Cowork's per-session `webFetchAllowedUrls` set
+ * + URL extractors (binary-verified, app.asar 1.12603.1):
+ *   - normalize:  `zG(A){ new URL(A); http/https only; hash=""; strip one trailing slash; → .href }`
+ *   - extract:    `Ien` over gen=/https?:\/\/…/ , len=/www\.…/ , uen=/bare domain.tld/, each ZHA-trimmed
+ *   - membership: `set.has(zG(url))` (exact, normalized)
+ *
+ * The harness has no WebSearch tool, so the WebSearch-result seed path (`Een`) is N/A; we seed from
+ * user-turn text and tool-result text — the faithful subset for this harness (see the plan).
+ */
+/** Port of `zG`: parse + http/https-only + drop fragment + strip one trailing slash → normalized href. */
+export function normalizeUrl(raw) {
+    let u;
+    try {
+        u = new URL(raw);
+    }
+    catch {
+        return null;
+    }
+    if (u.protocol !== "http:" && u.protocol !== "https:")
+        return null;
+    u.hash = "";
+    if (u.pathname !== "/" && u.pathname.endsWith("/"))
+        u.pathname = u.pathname.slice(0, -1);
+    return u.href;
+}
+const GEN = /https?:\/\/[^\s<>"'`]+/g; // full URLs
+const LEN = /www\.[^\s<>"'`]+/g; // www.-prefixed bare hosts
+// bare `domain.tld(/path)?` at a token boundary (conservative port of `uen`)
+const UEN = /(?<![\w@.])(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(?:\/[^\s<>"'`]*)?/g;
+const TRAIL = new Set([".", ",", ";", ":", "!", "?", "'", '"', "`"]);
+const CLOSERS = { ")": "(", "]": "[", "}": "{" };
+/** Port of `ZHA`: strip trailing punctuation; drop an unbalanced trailing closing bracket. */
+function trimMatch(m) {
+    let e = m.length;
+    while (e > 0) {
+        const ch = m[e - 1];
+        if (TRAIL.has(ch)) {
+            e--;
+            continue;
+        }
+        const open = CLOSERS[ch];
+        if (open) {
+            const seg = m.slice(0, e);
+            const closes = seg.split(ch).length - 1;
+            const opens = seg.split(open).length - 1;
+            if (closes > opens) {
+                e--;
+                continue;
+            }
+        }
+        break;
+    }
+    return m.slice(0, e);
+}
+/** Port of `Ien`: extract+normalize all URL-shaped tokens from free text. */
+export function extractUrls(text) {
+    const out = [];
+    const push = (s) => {
+        if (s)
+            out.push(s);
+    };
+    for (const m of text.matchAll(GEN))
+        push(normalizeUrl(trimMatch(m[0])));
+    for (const m of text.matchAll(LEN))
+        push(normalizeUrl(`https://${trimMatch(m[0])}`));
+    for (const m of text.matchAll(UEN))
+        push(normalizeUrl(`https://${trimMatch(m[0])}`));
+    return out;
+}
+/** Per-session provenance set (mirrors Cowork's `session.webFetchAllowedUrls`). */
+export class ProvenanceTracker {
+    seen = new Set();
+    /** Membership on the normalized URL (the `set.has(zG(url))` check). */
+    has(url) {
+        const n = normalizeUrl(url);
+        return n !== null && this.seen.has(n);
+    }
+    /** Add the normalized URL (after approval, or when seeded). */
+    add(url) {
+        const n = normalizeUrl(url);
+        if (n)
+            this.seen.add(n);
+    }
+    /** Seed from user-turn / tool-result text; returns how many NEW URLs were added. */
+    seedFromText(text) {
+        let added = 0;
+        for (const u of extractUrls(text)) {
+            if (!this.seen.has(u)) {
+                this.seen.add(u);
+                added++;
+            }
+        }
+        return added;
+    }
+    /** Tool results are seeded the same way (the harness has no structured WebSearch results). */
+    seedFromToolResult(text) {
+        return this.seedFromText(text);
+    }
+    /** Serialize for session persistence (mirrors Cowork's save/load), if ever needed. */
+    snapshot() {
+        return [...this.seen];
+    }
+    static restore(urls) {
+        const t = new ProvenanceTracker();
+        for (const u of urls)
+            t.add(u);
+        return t;
+    }
+}

package/dist/hostloop/workspace-handler.js

@@ -0,0 +1,226 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { compile } from "../egress/proxy.js";
+const pexec = promisify(execFile);
+const MAX_REDIRECTS = 5; // Cowork's RZe redirect cap (Path B re-checks U1t per hop)
+/** Port of Cowork's `XwA`: is the host a local / private / link-local address (SSRF backstop)? */
+export function isLocalOrPrivate(host) {
+    const h = host.toLowerCase().replace(/^\[|\]$/g, "");
+    if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local"))
+        return true;
+    if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd"))
+        return true; // IPv6 loopback/ULA/link-local
+    const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+    if (m) {
+        const a = Number(m[1]);
+        const b = Number(m[2]);
+        if (a === 0 || a === 127 || a === 10)
+            return true; // this-host / loopback / private
+        if (a === 192 && b === 168)
+            return true; // private
+        if (a === 172 && b >= 16 && b <= 31)
+            return true; // private
+        if (a === 169 && b === 254)
+            return true; // link-local (incl. cloud metadata 169.254.169.254)
+    }
+    return false;
+}
+/** Port of Cowork's `U1t` (Path B domain gate): scheme + private-address + the egress domain allowlist
+ *  (the SAME `wen()`/`compile()` matcher the container egress uses). Returns a deny reason, or null = allow. */
+export function u1t(u, allow, matcher) {
+    if (u.protocol !== "http:" && u.protocol !== "https:")
+        return `URL scheme "${u.protocol}" is not allowed. Use http or https.`;
+    if (isLocalOrPrivate(u.hostname))
+        return `Host "${u.hostname}" is a local or private address.`;
+    if (!allow.length)
+        return "No network allowlist is configured for this session. The web_fetch tool is disabled.";
+    if (!matcher(u.hostname))
+        return `Web fetch was not allowed: ${u.hostname} is not in the session web-fetch allowlist. Ask to add this domain.`;
+    return null;
+}
+const defaultRawFetch = async (url) => {
+    const r = await fetch(url, { redirect: "manual", signal: AbortSignal.timeout(30000) });
+    return { status: r.status, location: r.headers.get("location") ?? undefined, text: () => r.text() };
+};
+const BASH_DESC = "Run a shell command in the session's isolated Linux workspace. Your connected folders are mounted under {{mnt}}/ — the Shell access section of your system prompt lists the exact path for each folder. Each bash call is independent (no cwd/env carryover). Use absolute paths.";
+const FETCH_DESC = "Fetch a URL from the session network (subject to the egress allowlist). web_fetch can only retrieve URLs that appeared in a user message or a prior result.";
+export function makeWorkspaceHandler(containerName, vmMnt, runner = "docker", webFetchAllow = ["*"], onEgress, provenanceRef, // #30: Run fills this before the stream starts
+rawFetch = defaultRawFetch) {
+    // Per-handler (per-spawn) latch for the provenance-unenforced warning — was module-level, which
+    // silenced the gap after the first run in a long-lived process. Each fresh handler warns once.
+    const provWarned = { value: false };
+    const tools = [
+        {
+            name: "bash",
+            description: BASH_DESC.replace("{{mnt}}", vmMnt),
+            inputSchema: { type: "object", properties: { command: { type: "string" }, timeout_ms: { type: "number" } }, required: ["command"] },
+        },
+        {
+            name: "web_fetch",
+            description: FETCH_DESC,
+            inputSchema: { type: "object", properties: { url: { type: "string" } }, required: ["url"] },
+        },
+    ];
+    return async (server, jr) => {
+        const method = jr.method;
+        if (method === "initialize")
+            return {
+                result: {
+                    protocolVersion: (jr.params && jr.params.protocolVersion) || "2025-06-18",
+                    capabilities: { tools: {} },
+                    serverInfo: { name: "workspace", version: "1.0.0" },
+                },
+            };
+        if (method === "tools/list")
+            return { result: { tools } };
+        if (method === "tools/call") {
+            const name = jr.params?.name;
+            const a = jr.params?.arguments ?? {};
+            if (name === "bash")
+                return { result: await execInContainer(runner, containerName, vmMnt, String(a.command ?? ""), clampTimeout(a.timeout_ms)) };
+            if (name === "web_fetch")
+                return {
+                    result: await fetchViaHost(String(a.url ?? ""), webFetchAllow, onEgress, provenanceRef?.current, provWarned, rawFetch),
+                };
+            return { error: { code: -32602, message: `unknown tool: ${name}` } };
+        }
+        return { result: {} }; // ping / notifications
+    };
+}
+function textResult(text, isError = false) {
+    const r = { content: [{ type: "text", text }] };
+    if (isError)
+        r.isError = true;
+    return r;
+}
+// #29: clamp a model-requested bash timeout into a sane range. Guards NaN/negative/missing → the
+// 120s default; floors at 1s and caps at 10min. This is INFERRED-parity for the bash tool — Cowork's
+// binary-verified timeout_ms honoring is for web_fetch, not bash — but the bash inputSchema advertises
+// timeout_ms, so we honor it rather than silently ignoring the requested value.
+export function clampTimeout(ms) {
+    return Math.min(Math.max(Number(ms) || 120000, 1000), 600000);
+}
+async function execInContainer(runner, container, cwd, command, timeoutMs = 120000) {
+    if (!command)
+        return textResult("error: missing 'command'", true);
+    // Async (execFile, not spawnSync) so the awaited MCP handler yields the event loop while the subprocess
+    // runs — a slow `docker exec` no longer blocks all protocol I/O. Each call independent (fresh sh).
+    try {
+        const { stdout, stderr } = await pexec(runner, ["exec", "-w", cwd, container, "sh", "-c", command], {
+            encoding: "utf8",
+            timeout: timeoutMs, // #29: honor the model-requested timeout_ms (clamped at the call site)
+            maxBuffer: 8 * 1024 * 1024,
+        });
+        const out = (stdout ?? "") + (stderr ?? "");
+        return textResult(out.length ? out : "(no output)");
+    }
+    catch (e) {
+        const out = (e.stdout ?? "") + (e.stderr ?? "");
+        return textResult(`[exit ${e.code ?? 1}]\n${out}`, true);
+    }
+}
+// Cowork routes web_fetch through the HOST API (gate 1978029737 `coworkWebFetchViaApi:true` →
+// `POST /api/organizations/<org>/cowork/web_fetch`), NOT the container egress path that `bash` uses
+// (binary-verified 2026-06-13, app.asar 1.12603.1). It is gated by a SEPARATE web-fetch hostname
+// allowlist (`getWebFetchAllowedUrls`, `*` = unrestricted) plus a URL-provenance rule (#30). We mirror
+// that: fetch host-side (so a reachable URL is not falsely egress-denied), gated by both.
+/** Path A per-hop gate: scheme + private-address only — NO hostname allowlist (Path A is decoupled
+ *  from the egress domain list per SPEC §6; the provenance set gates the initial URL). The SSRF
+ *  backstop still applies on every hop so an approved/redirected URL can't reach `file://` or a
+ *  private/metadata host (#43/#44). */
+function schemePrivateGate(u) {
+    if (u.protocol !== "http:" && u.protocol !== "https:")
+        return `URL scheme "${u.protocol}" is not allowed. Use http or https.`;
+    if (isLocalOrPrivate(u.hostname))
+        return `Host "${u.hostname}" is a local or private address.`;
+    return null;
+}
+/**
+ * Follow redirects manually (cap MAX_REDIRECTS), re-running `gate` on EVERY hop. A redirect to a
+ * gate-blocked host (private address, bad scheme, or off-allowlist on Path B) is refused — the SSRF
+ * protection that `curl -L` lacked. Emits one egress allow/deny on the terminal decision. Shared by
+ * both web_fetch paths; the gate is the only difference (Path A: scheme+private; Path B: full u1t).
+ */
+async function followWithRedirects(startUrl, rawFetch, gate, onEgress) {
+    let cur;
+    try {
+        cur = new URL(startUrl);
+    }
+    catch {
+        return textResult("web_fetch failed: invalid URL", true);
+    }
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        const blocked = gate(cur);
+        if (blocked) {
+            onEgress?.({ host: cur.hostname, decision: "deny" });
+            return textResult(hop === 0 ? blocked : `Redirect to ${cur.href} blocked: ${blocked}`, true);
+        }
+        let resp;
+        try {
+            resp = await rawFetch(cur.href);
+        }
+        catch (e) {
+            return textResult(`Fetch failed: ${e?.message ?? String(e)}`, true);
+        }
+        if (resp.status >= 300 && resp.status < 400) {
+            if (!resp.location)
+                return textResult(`Redirect ${resp.status} from ${cur.href} had no Location header.`, true);
+            try {
+                cur = new URL(resp.location, cur);
+            }
+            catch {
+                return textResult(`Redirect to an invalid URL: ${resp.location}`, true);
+            }
+            continue; // re-check the gate on the new host
+        }
+        onEgress?.({ host: cur.hostname, decision: "allow" });
+        return textResult((await resp.text()).slice(0, 200000));
+    }
+    return textResult(`web_fetch failed: too many redirects (> ${MAX_REDIRECTS}).`, true);
+}
+async function fetchViaHost(url, allow, onEgress, prov, warned, rawFetch = defaultRawFetch) {
+    if (!url)
+        return textResult("error: missing 'url'", true);
+    let host;
+    try {
+        host = new URL(url).hostname;
+    }
+    catch {
+        return textResult("web_fetch failed: invalid URL", true);
+    }
+    // Two paths (binary-verified G1t/U1t, app.asar 1.12603.1), selected by whether provenance is engaged:
+    //  • PATH A (prov present ⇒ coworkWebFetchViaApi on): the exact-URL provenance SET is the ONLY gate —
+    //    NO hostname allowlist. A miss → the per-domain approval (coworkWebFetchPrompt) via the Decider.
+    //  • PATH B (prov absent ⇒ gate off): the fall-through hostname allowlist (the egress domain list).
+    if (prov) {
+        if (prov.permissiveMode)
+            prov.markAllowed(url); // `cre` bypass: pre-add, skip the check
+        if (!prov.isAllowed(url)) {
+            if (prov.requestApproval && prov.promptGateOn) {
+                if (await prov.requestApproval(host, url))
+                    prov.markAllowed(url);
+                else {
+                    onEgress?.({ host, decision: "deny" });
+                    return textResult("Web fetch was not allowed.", true);
+                }
+            }
+            else {
+                onEgress?.({ host, decision: "deny" });
+                return textResult("URL not in provenance set. web_fetch can only retrieve URLs that appeared in a user message " +
+                    "or a prior web_fetch result. Ask the user to include the URL in a message first.", true);
+            }
+        }
+        // Provenance satisfied. Cowork fetches server-side (host API); the hostname allowlist does NOT apply
+        // here (decoupled from egress — the #30 conflation). But scheme + private-address ARE enforced per
+        // hop (#43/#44): follow redirects manually instead of `curl -L`, blocking file:// / SSRF targets.
+        return followWithRedirects(url, rawFetch, schemePrivateGate, onEgress);
+    }
+    // PATH B (provenance not enforced — coworkWebFetchViaApi off). Faithful port of U1t re-checked on EVERY
+    // redirect hop (a redirect to a denied or private host is blocked — the SSRF false-green `curl -L` had).
+    if (warned && !warned.value) {
+        warned.value = true;
+        process.stderr.write("::warning:: web_fetch provenance is NOT enforced (fidelity gap vs Cowork)\n");
+    }
+    const matcher = compile(allow);
+    return followWithRedirects(url, rawFetch, (u) => u1t(u, allow, matcher), onEgress);
+}

package/dist/loop-decision.js

@@ -0,0 +1,62 @@
+/**
+ * #30 — read a GrowthBook gate sub-flag (e.g. `coworkWebFetchPrompt`) from the baseline's
+ * provenance.gates. Handles BOTH shapes: the committed prose string ("on(force) coworkWebFetchPrompt=true …")
+ * and a #39-decoded structured entry ({on, source, value:{coworkWebFetchPrompt:true}}). CRITICAL: the
+ * baseline key is prefixed ("coworkRuntimeConfig:1978029737") — try the prefixed key, then bare id
+ * (mirrors decideLoopFromBaseline's `gates["hostLoop:…"] ?? gates["…"]`). A missing gate ⇒ false.
+ */
+export function readGateFlag(baseline, id, flag) {
+    const gates = baseline.provenance?.gates ?? {};
+    let entry = gates[id];
+    if (entry === undefined) {
+        for (const k of Object.keys(gates)) {
+            if (k.endsWith(":" + id)) {
+                entry = gates[k];
+                break;
+            }
+        }
+    }
+    if (entry == null)
+        return false;
+    if (typeof entry === "string")
+        return new RegExp(`\\b${flag}=true\\b`).test(entry);
+    if (typeof entry === "object") {
+        const v = entry.value;
+        if (v && typeof v === "object")
+            return v[flag] === true;
+        return entry[flag] === true;
+    }
+    return false;
+}
+export function decideLoop(inputs) {
+    if (inputs.requireFullVmSandbox === true)
+        return "vm"; // HeA()
+    if (inputs.forceDisableHostLoop === true)
+        return "vm"; // iX()
+    if (inputs.devForceHostLoop === true)
+        return "host"; // dev override
+    return inputs.gateHostLoopOn ? "host" : "vm"; // cPt()
+}
+/** Derive loop inputs from the baseline's synced gate state + env, then decide. */
+export function decideLoopFromBaseline(baseline, over = {}) {
+    const p = baseline;
+    const gates = p.provenance?.gates ?? {};
+    const gateRaw = gates["hostLoop:1143815894"] ?? gates["1143815894"];
+    // Gate value may be a synced structured entry ({on,source,value}, post-#39), an authored prose
+    // string ("on(force) …"), or absent. Read `.on` for objects (a bare `!!obj` would be true even for
+    // an OFF gate); the on/true/force test for strings.
+    const gateHostLoopOn = gateRaw && typeof gateRaw === "object"
+        ? !!gateRaw.on
+        : typeof gateRaw === "string"
+            ? /on|true|force/i.test(gateRaw)
+            : !!gateRaw;
+    return decideLoop({
+        // BUG FIX: a locked-down-org baseline (requireFullVmSandbox:true) must force VM-loop — this was
+        // previously ignored, so such a baseline would wrongly run host-loop.
+        requireFullVmSandbox: p.requireFullVmSandbox === true,
+        forceDisableHostLoop: p.forceDisableHostLoop === true,
+        gateHostLoopOn,
+        devForceHostLoop: process.env.CLAUDE_FORCE_HOST_LOOP === "1",
+        ...over,
+    });
+}

package/dist/prompt.js

@@ -0,0 +1,43 @@
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+const BASELINES_DIR = join(fileURLToPath(new URL("..", import.meta.url)), "baselines");
+export function renderPrompts(baseline, session, sessionId) {
+    const spawn = baseline.spawn;
+    if (!spawn)
+        return {};
+    const sessionRoot = `/sessions/${sessionId}`;
+    const mntRoot = `${sessionRoot}/mnt`;
+    const firstFolder = session.folders[0]?.to ?? (session.folders[0]?.from ? basenameish(session.folders[0].from) : undefined);
+    const workspaceFolder = firstFolder ? `${mntRoot}/.projects/${firstFolder}` : `${mntRoot}/outputs`;
+    const tokens = {
+        "{{cwd}}": sessionRoot,
+        "{{skillsDir}}": `${mntRoot}/.claude`,
+        "{{workspaceFolder}}": workspaceFolder,
+        "{{folderSelected}}": firstFolder ? "true" : "false",
+        "{{modelName}}": session.model ?? "Claude",
+    };
+    const subst = (s) => Object.entries(tokens).reduce((acc, [k, v]) => acc.split(k).join(v), s);
+    const read = (rel) => {
+        if (!rel)
+            return undefined; // no asset configured — not a drift, just absent
+        const p = join(BASELINES_DIR, rel);
+        if (!existsSync(p)) {
+            // #35: a baseline that REFERENCES a prompt asset which is absent must not silently degrade — the
+            // run would proceed without key Cowork framing. Warn loudly, consistent with the host-loop path (#34).
+            process.stderr.write(`::warning:: [prompt] referenced asset not found: ${p} — running WITHOUT this prompt section (fidelity gap)\n`);
+            return undefined;
+        }
+        return subst(stripComments(readFileSync(p, "utf8"))).trim();
+    };
+    return {
+        systemPromptAppend: read(spawn.promptTemplate),
+        subagentAppend: read(spawn.subagentAppend),
+    };
+}
+function stripComments(s) {
+    return s.replace(/<!--[\s\S]*?-->/g, "");
+}
+function basenameish(p) {
+    return p.replace(/\/+$/, "").split("/").pop() ?? p;
+}