daemora 1.0.0

package/src/safety/GitRollback.js

@@ -0,0 +1,139 @@
+import { execSync } from "child_process";
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Git Rollback — snapshot workspace before agent file writes, enable undo.
+ *
+ * Before the first write tool (writeFile/editFile/applyPatch) in a task,
+ * creates a git stash snapshot. If the user later says "undo", the TaskRunner
+ * calls undo(taskId) to restore the snapshot.
+ *
+ * Only activates if the working directory is inside a git repository.
+ * Gracefully no-ops if git is unavailable.
+ */
+
+class GitRollback {
+  constructor() {
+    /** taskId → stash message (used to find stash later) */
+    this.snapshots = new Map();
+    /** taskId → true if we already snapshotted this task */
+    this.snapshotted = new Set();
+    this.enabled = true;
+  }
+
+  /** Check if cwd is inside a git repo. */
+  isGitRepo() {
+    try {
+      execSync("git rev-parse --git-dir", { stdio: "pipe" });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Create a snapshot before the first write in a task.
+   * Safe to call multiple times — only snapshots once per task.
+   * Returns the stash message used as a key, or null if nothing to snapshot.
+   */
+  snapshot(taskId) {
+    if (!this.enabled || !taskId) return null;
+    if (this.snapshotted.has(taskId)) return null; // already done for this task
+    if (!this.isGitRepo()) return null;
+
+    try {
+      // Check if there are any tracked changes to stash
+      const status = execSync("git status --porcelain", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+      if (!status) {
+        // No changes — mark as snapshotted so we don't keep trying
+        this.snapshotted.add(taskId);
+        return null;
+      }
+
+      const msg = `daemora-snapshot-${taskId.slice(0, 8)}-${Date.now()}`;
+      execSync(`git stash push -m "${msg}" --include-untracked`, { stdio: ["pipe", "pipe", "pipe"] });
+
+      this.snapshotted.add(taskId);
+      this.snapshots.set(taskId, msg);
+
+      console.log(`[GitRollback] Snapshot created for task ${taskId.slice(0, 8)}: "${msg}"`);
+      eventBus.emitEvent("audit:git_snapshot", { taskId, ref: msg });
+      return msg;
+    } catch (error) {
+      // Don't let rollback failures block the agent
+      console.log(`[GitRollback] Snapshot failed (non-fatal): ${error.message}`);
+      this.snapshotted.add(taskId); // Don't retry
+      return null;
+    }
+  }
+
+  /**
+   * Roll back changes for a task by popping its stash.
+   * Returns a human-readable result string.
+   */
+  undo(taskId) {
+    if (!this.isGitRepo()) return "Not a git repository — cannot undo.";
+
+    const stashMsg = this.snapshots.get(taskId);
+    if (!stashMsg) {
+      return `No snapshot found for this task. Either no files were modified, or the snapshot was already applied.`;
+    }
+
+    try {
+      // Find the stash index by message
+      const stashList = execSync("git stash list", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+      const lines = stashList.split("\n").filter(Boolean);
+      const idx = lines.findIndex((l) => l.includes(stashMsg));
+
+      if (idx === -1) {
+        this.snapshots.delete(taskId);
+        return `Snapshot not found in git stash list — it may have already been applied or cleared.`;
+      }
+
+      // First, discard any uncommitted changes from the agent's work
+      execSync("git checkout -- .", { stdio: ["pipe", "pipe", "pipe"] });
+      execSync("git clean -fd", { stdio: ["pipe", "pipe", "pipe"] });
+      // Restore the stash
+      execSync(`git stash pop stash@{${idx}}`, { stdio: ["pipe", "pipe", "pipe"] });
+
+      this.snapshots.delete(taskId);
+      this.snapshotted.delete(taskId);
+
+      console.log(`[GitRollback] Rolled back task ${taskId.slice(0, 8)} from stash@{${idx}}`);
+      eventBus.emitEvent("audit:git_rollback", { taskId, ref: stashMsg, success: true });
+      return `All agent changes for this task have been rolled back.`;
+    } catch (error) {
+      eventBus.emitEvent("audit:git_rollback", { taskId, ref: stashMsg, success: false });
+      return `Rollback failed: ${error.message}`;
+    }
+  }
+
+  /**
+   * Drop the snapshot for a completed task (cleanup).
+   * Call this when a task completes successfully and user doesn't need undo.
+   */
+  dropSnapshot(taskId) {
+    if (!this.snapshots.has(taskId)) return;
+    const stashMsg = this.snapshots.get(taskId);
+    try {
+      const stashList = execSync("git stash list", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+      const lines = stashList.split("\n").filter(Boolean);
+      const idx = lines.findIndex((l) => l.includes(stashMsg));
+      if (idx !== -1) {
+        execSync(`git stash drop stash@{${idx}}`, { stdio: ["pipe", "pipe", "pipe"] });
+        console.log(`[GitRollback] Dropped snapshot for completed task ${taskId.slice(0, 8)}`);
+      }
+    } catch {
+      // Non-fatal
+    }
+    this.snapshots.delete(taskId);
+    this.snapshotted.delete(taskId);
+  }
+
+  hasSnapshot(taskId) {
+    return this.snapshots.has(taskId);
+  }
+}
+
+const gitRollback = new GitRollback();
+export default gitRollback;

package/src/safety/HumanApproval.js

@@ -0,0 +1,156 @@
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Human Approval — pause agent and ask user before dangerous tool calls.
+ *
+ * Approval modes:
+ *   "auto"           — fully autonomous, no pauses
+ *   "dangerous-only" — pause before destructive tools (default for most tasks)
+ *   "every-tool"     — approve every single tool call
+ *
+ * Flow:
+ *   1. AgentLoop calls requestApproval(taskId, tool_name, params, channelMeta, mode)
+ *   2. HumanApproval emits "approval:request" event (channels pick this up)
+ *   3. Channel sends user a message: "Agent wants to run X. Reply approve/deny + requestId"
+ *   4. User replies → channel calls humanApproval.handleReply(text)
+ *   5. Promise resolves with true/false → AgentLoop proceeds or skips the tool
+ *
+ * Timeout: if user doesn't reply within timeoutMs, falls back to onTimeout ("deny" by default).
+ */
+
+// Tools that require approval in "dangerous-only" mode.
+// Only external/irreversible operations that affect people outside the agent:
+// - Communications (email, messages) — can't unsend
+// - Scheduling (cron) — creates recurring side effects
+// File writes, commands, browser, etc. are fully autonomous.
+const DANGEROUS_TOOLS = new Set([
+  "sendEmail",
+  "messageChannel",
+  "cron",
+]);
+
+class HumanApproval {
+  constructor() {
+    /** Map of requestId → { resolve, timer, taskId, tool_name, params } */
+    this.pending = new Map();
+    this.timeoutMs = 120_000; // 2 minutes
+    this.onTimeout = "deny";  // "deny" | "allow"
+  }
+
+  /**
+   * Check whether a tool call needs approval given the current mode.
+   */
+  needsApproval(tool_name, mode) {
+    if (!mode || mode === "auto") return false;
+    if (mode === "every-tool") return true;
+    if (mode === "dangerous-only") return DANGEROUS_TOOLS.has(tool_name);
+    return false;
+  }
+
+  /**
+   * Request approval from the user for a tool call.
+   * Returns a Promise<boolean> — true = approved, false = denied.
+   */
+  async requestApproval(taskId, tool_name, params, channelMeta) {
+    const requestId = `apr-${Date.now()}-${Math.random().toString(36).slice(2, 7)}`;
+    const paramPreview = (params || []).slice(0, 2).map((p) => String(p).slice(0, 80)).join(", ");
+
+    console.log(`[HumanApproval] Waiting for approval: ${requestId} — ${tool_name}(${paramPreview})`);
+
+    return new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        if (!this.pending.has(requestId)) return;
+        this.pending.delete(requestId);
+        const decision = this.onTimeout === "allow";
+        console.log(`[HumanApproval] Request ${requestId} timed out → ${decision ? "allowed" : "denied"}`);
+        eventBus.emitEvent("audit:approval_result", { requestId, tool_name, taskId, approved: decision, source: "timeout" });
+        resolve(decision);
+      }, this.timeoutMs);
+
+      this.pending.set(requestId, { resolve, timer, taskId, tool_name, params });
+
+      // Emit event — channels (Telegram, HTTP) pick this up and message the user
+      eventBus.emitEvent("approval:request", {
+        requestId,
+        taskId,
+        tool_name,
+        params,
+        channelMeta,
+        timeoutMs: this.timeoutMs,
+        message: this._buildMessage(requestId, tool_name, paramPreview),
+      });
+
+      eventBus.emitEvent("audit:approval_requested", { requestId, tool_name, taskId, channelMeta });
+    });
+  }
+
+  /**
+   * Approve a pending request.
+   * Returns true if the requestId was found and resolved.
+   */
+  approve(requestId, source = "user") {
+    const pending = this.pending.get(requestId);
+    if (!pending) return false;
+    clearTimeout(pending.timer);
+    this.pending.delete(requestId);
+    console.log(`[HumanApproval] APPROVED: ${requestId} by ${source}`);
+    eventBus.emitEvent("audit:approval_result", { requestId, tool_name: pending.tool_name, taskId: pending.taskId, approved: true, source });
+    pending.resolve(true);
+    return true;
+  }
+
+  /**
+   * Deny a pending request.
+   */
+  deny(requestId, source = "user") {
+    const pending = this.pending.get(requestId);
+    if (!pending) return false;
+    clearTimeout(pending.timer);
+    this.pending.delete(requestId);
+    console.log(`[HumanApproval] DENIED: ${requestId} by ${source}`);
+    eventBus.emitEvent("audit:approval_result", { requestId, tool_name: pending.tool_name, taskId: pending.taskId, approved: false, source });
+    pending.resolve(false);
+    return true;
+  }
+
+  /**
+   * Parse a free-form user reply for approval/denial.
+   * Returns true if a pending request was found and handled.
+   */
+  handleReply(text) {
+    const match = text.match(/apr-[a-z0-9]+-[a-z0-9]+/i);
+    if (!match) return false;
+    const requestId = match[0];
+    if (!this.pending.has(requestId)) return false;
+    const approved = /\b(yes|approve|allow|ok|okay|go|run|do it|confirm|✓|👍)\b/i.test(text);
+    return approved ? this.approve(requestId) : this.deny(requestId);
+  }
+
+  /** List all pending approvals. */
+  pendingList() {
+    return [...this.pending.entries()].map(([id, p]) => ({
+      requestId: id,
+      taskId: p.taskId,
+      tool_name: p.tool_name,
+    }));
+  }
+
+  _buildMessage(requestId, tool_name, paramPreview) {
+    const lines = [
+      `⚠️ Agent wants to run a tool that requires your approval:`,
+      ``,
+      `  Tool: ${tool_name}`,
+      paramPreview ? `  Args: ${paramPreview}` : null,
+      ``,
+      `Reply with:`,
+      `  ✅ approve ${requestId}`,
+      `  ❌ deny ${requestId}`,
+      ``,
+      `(Auto-${this.onTimeout}s in ${Math.round(this.timeoutMs / 1000)}s if no reply)`,
+    ].filter((l) => l !== null);
+    return lines.join("\n");
+  }
+}
+
+const humanApproval = new HumanApproval();
+export default humanApproval;

package/src/safety/InputSanitizer.js

@@ -0,0 +1,72 @@
+/**
+ * Input Sanitizer — wraps untrusted content to prevent prompt injection.
+ *
+ * All file content injected into prompts is wrapped with <untrusted-content>
+ * tags. The system prompt explicitly tells the agent to treat tagged content
+ * as DATA, not instructions.
+ */
+
+class InputSanitizer {
+  /**
+   * Wrap file content with untrusted-content tags.
+   * @param {string} content - Raw file content
+   * @param {string} source - Source description (e.g., "file: /path/to/file")
+   * @returns {string} Wrapped content
+   */
+  wrapUntrusted(content, source) {
+    if (!content) return content;
+    return `<untrusted-content source="${source}">\n${content}\n</untrusted-content>`;
+  }
+
+  /**
+   * Sanitize content that will be injected into a prompt.
+   * Removes known injection patterns.
+   */
+  sanitize(content) {
+    if (!content || typeof content !== "string") return content;
+
+    let sanitized = content;
+
+    // Remove attempts to close/override system prompt
+    sanitized = sanitized.replace(
+      /(?:system|assistant|developer)\s*:\s*/gi,
+      "[role-override-removed]: "
+    );
+
+    // Remove attempts to inject tool calls
+    sanitized = sanitized.replace(
+      /\{"type"\s*:\s*"tool_call"/g,
+      '{"type": "[injection-removed]"'
+    );
+
+    // Remove attempts to set finalResponse
+    sanitized = sanitized.replace(
+      /"finalResponse"\s*:\s*true/g,
+      '"finalResponse": "[injection-removed]"'
+    );
+
+    return sanitized;
+  }
+
+  /**
+   * Sanitize memory write content.
+   * Memory entries should be plain text facts, not code or instructions.
+   */
+  sanitizeMemoryWrite(content) {
+    if (!content) return { valid: false, reason: "Empty content" };
+
+    // Check for suspicious patterns
+    if (content.includes("```") && content.length > 500) {
+      return { valid: false, reason: "Memory entries should be plain text facts, not code blocks" };
+    }
+
+    if (content.match(/(?:ignore|forget|override|disregard)\s+(?:previous|all|system)/i)) {
+      return { valid: false, reason: "Memory entry contains suspicious override attempt" };
+    }
+
+    return { valid: true, content: content.trim() };
+  }
+}
+
+const inputSanitizer = new InputSanitizer();
+export default inputSanitizer;

package/src/safety/PermissionGuard.js

@@ -0,0 +1,83 @@
+import { config } from "../config/default.js";
+import { permissionTiers } from "../config/permissions.js";
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Permission Guard — enforces tool access based on permission tiers.
+ *
+ * 3 tiers:
+ * - minimal: read-only tools only
+ * - standard: + write/edit/sandboxed commands
+ * - full: everything including email, unsandboxed commands, agents
+ */
+class PermissionGuard {
+  constructor() {
+    this.tier = config.permissionTier;
+  }
+
+  /**
+   * Check if a tool is allowed under the current permission tier.
+   * @param {string} toolName - Name of the tool
+   * @param {object} [params] - Tool parameters (for fine-grained checks)
+   * @returns {{ allowed: boolean, reason?: string }}
+   */
+  check(toolName, params) {
+    const tierConfig = permissionTiers[this.tier];
+    if (!tierConfig) {
+      return { allowed: false, reason: `Unknown permission tier: ${this.tier}` };
+    }
+
+    // MCP tools (mcp__server__tool) are user-configured integrations.
+    // Allow them in standard and full tiers — the user explicitly set them up.
+    if (toolName.startsWith("mcp__")) {
+      if (this.tier === "minimal") {
+        eventBus.emitEvent("permission:denied", { toolName, tier: this.tier });
+        return { allowed: false, reason: `MCP tools not available in minimal permission tier.` };
+      }
+      return { allowed: true };
+    }
+
+    // Check if tool is in the allowed list
+    if (!tierConfig.allowedTools.includes(toolName) && !tierConfig.allowedTools.includes("*")) {
+      eventBus.emitEvent("permission:denied", { toolName, tier: this.tier });
+      return {
+        allowed: false,
+        reason: `Tool "${toolName}" not allowed in "${this.tier}" permission tier. Allowed: ${tierConfig.allowedTools.join(", ")}`,
+      };
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Filter a tool map to only include allowed tools.
+   */
+  filterTools(tools) {
+    const tierConfig = permissionTiers[this.tier];
+    if (!tierConfig) return tools;
+    if (tierConfig.allowedTools.includes("*")) return tools;
+
+    const filtered = {};
+    for (const [name, fn] of Object.entries(tools)) {
+      // MCP tools pass through in standard/full tier
+      if (name.startsWith("mcp__")) {
+        if (this.tier !== "minimal") filtered[name] = fn;
+        continue;
+      }
+      if (tierConfig.allowedTools.includes(name)) {
+        filtered[name] = fn;
+      }
+    }
+    return filtered;
+  }
+
+  /**
+   * Get current tier name.
+   */
+  getTier() {
+    return this.tier;
+  }
+}
+
+const permissionGuard = new PermissionGuard();
+export default permissionGuard;

package/src/safety/Sandbox.js

@@ -0,0 +1,70 @@
+import { blockedCommands } from "../config/permissions.js";
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Sandbox — command execution safety.
+ *
+ * Two modes:
+ * 1. Blocklist (default): Block known dangerous commands via regex patterns.
+ * 2. Docker (optional): Run in ephemeral container with restricted access.
+ *
+ * Blocklist catches:
+ * - rm -rf /, sudo rm, mkfs, dd if=, curl|sh, chmod 777 /, > /dev/sda
+ * - Fork bombs, shutdown/reboot, format commands
+ */
+
+class Sandbox {
+  constructor() {
+    this.mode = process.env.SANDBOX_MODE || "blocklist";
+    this.blockedCount = 0;
+  }
+
+  /**
+   * Check if a command is safe to execute.
+   * @param {string} command - The command to check
+   * @returns {{ safe: boolean, reason?: string }}
+   */
+  check(command) {
+    if (!command || typeof command !== "string") {
+      return { safe: false, reason: "Empty command" };
+    }
+
+    const cmd = command.toLowerCase().trim();
+
+    // Check against blocked patterns
+    for (const pattern of blockedCommands) {
+      if (pattern.test(cmd)) {
+        this.blockedCount++;
+        eventBus.emitEvent("sandbox:blocked", {
+          command: command.slice(0, 100),
+          pattern: pattern.toString(),
+        });
+        return {
+          safe: false,
+          reason: `Command blocked by safety sandbox: matches pattern ${pattern}`,
+        };
+      }
+    }
+
+    // Additional heuristic checks
+    if (cmd.includes(":(){ :|:& };:") || cmd.includes("fork bomb")) {
+      this.blockedCount++;
+      return { safe: false, reason: "Fork bomb detected" };
+    }
+
+    return { safe: true };
+  }
+
+  /**
+   * Get stats.
+   */
+  stats() {
+    return {
+      mode: this.mode,
+      blockedCount: this.blockedCount,
+    };
+  }
+}
+
+const sandbox = new Sandbox();
+export default sandbox;

package/src/safety/SecretScanner.js

@@ -0,0 +1,100 @@
+import eventBus from "../core/EventBus.js";
+
+/**
+ * Secret Scanner — detects and redacts sensitive data in tool I/O.
+ *
+ * Scans for: API keys, private keys, passwords, AWS keys, tokens,
+ * connection strings, .env contents.
+ */
+
+const SECRET_PATTERNS = [
+  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/g },
+  { name: "AWS Secret Key", pattern: /(?:aws_secret_access_key|secret_key)\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
+  { name: "Generic API Key", pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})['"]?/gi },
+  { name: "Generic Secret", pattern: /(?:secret|password|passwd|pwd|token)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi },
+  { name: "Private Key", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+  { name: "GitHub Token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g },
+  { name: "Slack Token", pattern: /xox[bprs]-[A-Za-z0-9\-]{10,}/g },
+  { name: "OpenAI Key", pattern: /sk-[A-Za-z0-9]{20,}/g },
+  { name: "Bearer Token", pattern: /Bearer\s+[A-Za-z0-9\-._~+\/]{20,}/g },
+  { name: "Connection String", pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]+/gi },
+  { name: "JWT", pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
+];
+
+class SecretScanner {
+  constructor() {
+    this.detectionCount = 0;
+  }
+
+  /**
+   * Scan text for secrets and return findings.
+   * @param {string} text - Text to scan
+   * @returns {{ found: boolean, secrets: Array, redacted: string }}
+   */
+  scan(text) {
+    if (!text || typeof text !== "string") {
+      return { found: false, secrets: [], redacted: text };
+    }
+
+    const secrets = [];
+    let redacted = text;
+
+    for (const { name, pattern } of SECRET_PATTERNS) {
+      // Reset regex state
+      pattern.lastIndex = 0;
+      let match;
+
+      while ((match = pattern.exec(text)) !== null) {
+        const value = match[0];
+        // Skip very short matches or common false positives
+        if (value.length < 8) continue;
+
+        secrets.push({
+          type: name,
+          value: `${value.slice(0, 4)}...${value.slice(-4)}`,
+          position: match.index,
+        });
+
+        // Redact in output
+        redacted = redacted.replace(value, `[REDACTED:${name}]`);
+      }
+    }
+
+    if (secrets.length > 0) {
+      this.detectionCount += secrets.length;
+      eventBus.emitEvent("secret:detected", {
+        count: secrets.length,
+        types: [...new Set(secrets.map((s) => s.type))],
+      });
+    }
+
+    return {
+      found: secrets.length > 0,
+      secrets,
+      redacted,
+    };
+  }
+
+  /**
+   * Scan and redact tool output before feeding back to agent.
+   */
+  redactOutput(text) {
+    const result = this.scan(text);
+    if (result.found) {
+      console.log(
+        `      [SecretScanner] Redacted ${result.secrets.length} secret(s): ${result.secrets.map((s) => s.type).join(", ")}`
+      );
+    }
+    return result.redacted;
+  }
+
+  /**
+   * Get detection stats.
+   */
+  stats() {
+    return { totalDetections: this.detectionCount };
+  }
+}
+
+const secretScanner = new SecretScanner();
+export default secretScanner;