flowent 0.1.4 → 0.2.0

package/backend/src/flowent/patch.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import json
 from dataclasses import dataclass
 from pathlib import Path
+from typing import Literal
 
 
 class PatchError(RuntimeError):
@@ -16,6 +17,12 @@ class PatchChange:
     move_path: Path | None = None
 
 
+@dataclass(frozen=True)
+class PatchLine:
+    kind: Literal["context", "remove", "add"]
+    text: str
+
+
 def affected_paths(patch: str, cwd: Path) -> list[Path]:
     paths: list[Path] = []
     for line in patch.splitlines():
@@ -73,24 +80,29 @@ def parse_patch(patch: str, cwd: Path) -> list[dict[str, object]]:
                     strict=False
                 )
                 index += 1
-            chunks: list[dict[str, list[str]]] = []
-            current: dict[str, list[str]] | None = None
+            chunks: list[dict[str, list[PatchLine]]] = []
+            current: dict[str, list[PatchLine]] | None = None
             while index < len(lines) - 1 and not lines[index].startswith("*** "):
                 content_line = lines[index]
                 if content_line.startswith("@@"):
-                    current = {"remove": [], "add": []}
+                    current = {"lines": []}
                     chunks.append(current)
                 elif content_line.startswith("-"):
                     if current is None:
-                        current = {"remove": [], "add": []}
+                        current = {"lines": []}
                         chunks.append(current)
-                    current["remove"].append(content_line[1:])
+                    current["lines"].append(PatchLine("remove", content_line[1:]))
                 elif content_line.startswith("+"):
                     if current is None:
-                        current = {"remove": [], "add": []}
+                        current = {"lines": []}
                         chunks.append(current)
-                    current["add"].append(content_line[1:])
-                elif content_line.startswith(" ") or content_line == "*** End of File":
+                    current["lines"].append(PatchLine("add", content_line[1:]))
+                elif content_line.startswith(" "):
+                    if current is None:
+                        current = {"lines": []}
+                        chunks.append(current)
+                    current["lines"].append(PatchLine("context", content_line[1:]))
+                elif content_line == "*** End of File":
                     pass
                 else:
                     raise PatchError(
@@ -113,30 +125,42 @@ def parse_patch(patch: str, cwd: Path) -> list[dict[str, object]]:
     return operations
 
 
-def apply_update(original: str, chunks: list[dict[str, list[str]]]) -> str:
-    content = original
+def find_lines(haystack: list[str], needle: list[str], start: int) -> int:
+    if not needle:
+        return len(haystack)
+    last_start = len(haystack) - len(needle)
+    for index in range(start, last_start + 1):
+        if haystack[index : index + len(needle)] == needle:
+            return index
+    return -1
+
+
+def apply_update(original: str, chunks: list[dict[str, list[PatchLine]]]) -> str:
+    lines = original.splitlines()
+    trailing_newline = original.endswith("\n")
+    cursor = 0
     for chunk in chunks:
-        remove = "\n".join(chunk["remove"])
-        add = "\n".join(chunk["add"])
-        if remove:
-            candidates = [remove, remove + "\n"]
-            for candidate in candidates:
-                if candidate in content:
-                    replacement = add + (
-                        "\n" if candidate.endswith("\n") and add else ""
-                    )
-                    content = content.replace(candidate, replacement, 1)
-                    break
-            else:
-                raise PatchError("Patch context was not found.")
-        elif add:
-            content = (
-                content
-                + ("" if content.endswith("\n") or not content else "\n")
-                + add
-                + "\n"
-            )
-    return content
+        patch_lines = chunk["lines"]
+        old_lines = [
+            line.text for line in patch_lines if line.kind in {"context", "remove"}
+        ]
+        new_lines = [
+            line.text for line in patch_lines if line.kind in {"context", "add"}
+        ]
+        if not old_lines:
+            lines.extend(new_lines)
+            cursor = len(lines)
+            if new_lines:
+                trailing_newline = True
+            continue
+        match_index = find_lines(lines, old_lines, cursor)
+        if match_index == -1:
+            raise PatchError("Patch context was not found.")
+        lines[match_index : match_index + len(old_lines)] = new_lines
+        cursor = match_index + len(new_lines)
+    if not lines:
+        return ""
+    return "\n".join(lines) + ("\n" if trailing_newline else "")
 
 
 def apply_patch(patch: str, cwd: Path) -> dict[str, object]:

package/backend/src/flowent/permissions.py

@@ -2,12 +2,14 @@ from __future__ import annotations
 
 import json
 import sys
-from collections.abc import Awaitable, Callable
 from pathlib import Path
 from typing import Literal
 
-from pydantic import BaseModel, ConfigDict
-
+from flowent.approval import (
+    ApprovalReviewDecision,
+    ApprovalReviewer,
+    ApprovalReviewRequest,
+)
 from flowent.patch import affected_paths
 from flowent.sandbox import SandboxError, SandboxRunner, path_is_within
 from flowent.tools import (
@@ -22,16 +24,6 @@ from flowent.tools import (
 SANDBOX_WITH_ADDITIONAL_PERMISSIONS = "with_additional_permissions"
 
 
-class WritablePathDecision(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    decision: Literal["allow_once", "always_allow", "deny"]
-    path: Path
-
-
-WritablePathRequest = Callable[[Path, str], Awaitable[WritablePathDecision]]
-
-
 def normalize_path(path: Path | str, cwd: Path) -> Path:
     resolved = Path(path).expanduser()
     if not resolved.is_absolute():
@@ -83,6 +75,15 @@ def validate_additional_permissions(arguments: dict[str, object]) -> ToolResult
     return None
 
 
+def approval_denial_content(decision: ApprovalReviewDecision) -> str:
+    return (
+        "Automatic approval review denied this action as high risk: "
+        f"{decision.reason} The agent must not work around this denial; choose a "
+        "safer alternative or ask the user for explicit approval after explaining "
+        "the concrete risk."
+    )
+
+
 def approved_writable_roots(
     context: ToolContext, writable_paths: list[Path]
 ) -> list[Path]:
@@ -94,33 +95,51 @@ def approved_writable_roots(
     return roots
 
 
-async def request_missing_write_paths(
+async def review_missing_write_paths(
     paths: list[Path],
     context: ToolContext,
     *,
-    request_writable_path: WritablePathRequest,
+    arguments: dict[str, object],
+    action: Literal["additional_permissions", "edit"],
+    review_approval: ApprovalReviewer,
+    tool_name: str,
     writable_paths: list[Path],
-    reason: str,
-) -> tuple[list[Path], ToolResult | None]:
+) -> tuple[list[Path], ToolResult | None, dict[str, object] | None]:
     effective_paths = [
         path.expanduser().resolve(strict=False) for path in writable_paths
     ]
     approved_roots = approved_writable_roots(context, effective_paths)
-    for path in paths:
-        if path_is_within(path, approved_roots):
-            continue
-        decision = await request_writable_path(path, reason)
-        if decision.decision == "deny":
-            return effective_paths, ToolResult(
-                content=f"Permission denied for {decision.path}",
-                data={"path": str(decision.path)},
+    missing_paths = [
+        path.expanduser().resolve(strict=False)
+        for path in paths
+        if not path_is_within(path, approved_roots)
+    ]
+    if not missing_paths:
+        return effective_paths, None, None
+    review_request = ApprovalReviewRequest(
+        action=action,
+        arguments=arguments,
+        cwd=context.cwd,
+        tool_name=tool_name,
+        write_paths=missing_paths,
+    )
+    decision = await review_approval(review_request)
+    review_data = approval_result_data(review_request, decision)
+    if decision.decision == "denied":
+        return (
+            effective_paths,
+            ToolResult(
+                content=approval_denial_content(decision),
+                data=review_data,
                 ok=False,
-                title=f"Denied {decision.path}",
-            )
-        approved_path = decision.path.expanduser().resolve(strict=False)
+                title="Denied by reviewer",
+            ),
+            review_data,
+        )
+    for approved_path in missing_paths:
         effective_paths.append(approved_path)
         approved_roots.append(approved_path)
-    return effective_paths, None
+    return effective_paths, None, review_data
 
 
 async def run_tool_with_path_permissions(
@@ -128,21 +147,21 @@ async def run_tool_with_path_permissions(
     arguments: dict[str, object],
     context: ToolContext,
     *,
-    request_writable_path: WritablePathRequest,
+    review_approval: ApprovalReviewer,
     writable_paths: list[Path],
 ) -> ToolResult:
     if name == "shell_command":
         return await run_shell_command_with_permissions(
             arguments,
             context,
-            request_writable_path=request_writable_path,
+            review_approval=review_approval,
             writable_paths=writable_paths,
         )
     if name == "apply_patch":
         return await run_apply_patch_with_permissions(
             arguments,
             context,
-            request_writable_path=request_writable_path,
+            review_approval=review_approval,
             writable_paths=writable_paths,
         )
     return await run_tool_async(name, arguments, context)
@@ -152,7 +171,7 @@ async def run_shell_command_with_permissions(
     arguments: dict[str, object],
     context: ToolContext,
     *,
-    request_writable_path: WritablePathRequest,
+    review_approval: ApprovalReviewer,
     writable_paths: list[Path],
 ) -> ToolResult:
     validation_error = validate_additional_permissions(arguments)
@@ -160,41 +179,72 @@ async def run_shell_command_with_permissions(
         return validation_error
 
     declared_paths = additional_write_paths(arguments, context.cwd)
-    effective_paths, denied = await request_missing_write_paths(
+    effective_paths, denied, approval_data = await review_missing_write_paths(
         declared_paths,
         context,
-        request_writable_path=request_writable_path,
+        action="additional_permissions",
+        arguments=arguments,
+        review_approval=review_approval,
+        tool_name="shell_command",
         writable_paths=writable_paths,
-        reason="The shell command needs to write this path.",
     )
     if denied is not None:
         return denied
 
-    return await shell_command_with_writable_paths(arguments, context, effective_paths)
+    result = await shell_command_with_writable_paths(
+        arguments, context, effective_paths
+    )
+    if approval_data is not None:
+        result = tool_result_with_data(result, approval_data)
+    if result.ok or not is_likely_sandbox_denied_result(result):
+        return result
+    review_request = ApprovalReviewRequest(
+        action="sandbox_failure",
+        arguments=arguments,
+        cwd=context.cwd,
+        tool_name="shell_command",
+        tool_result=tool_failure_text(result),
+    )
+    decision = await review_approval(review_request)
+    review_data = approval_result_data(review_request, decision)
+    if decision.decision == "denied":
+        return ToolResult(
+            content=approval_denial_content(decision),
+            data={**result.data, **review_data},
+            ok=False,
+            title="Denied by reviewer",
+        )
+    retry_result = await shell_command_without_sandbox(arguments, context)
+    return tool_result_with_data(retry_result, review_data)
 
 
 async def run_apply_patch_with_permissions(
     arguments: dict[str, object],
     context: ToolContext,
     *,
-    request_writable_path: WritablePathRequest,
+    review_approval: ApprovalReviewer,
     writable_paths: list[Path],
 ) -> ToolResult:
     patch = str(arguments["patch"])
     paths = [
         writable_root_for_path(path) for path in affected_paths(patch, context.cwd)
     ]
-    effective_paths, denied = await request_missing_write_paths(
+    effective_paths, denied, approval_data = await review_missing_write_paths(
         paths,
         context,
-        request_writable_path=request_writable_path,
+        action="edit",
+        arguments=arguments,
+        review_approval=review_approval,
+        tool_name="apply_patch",
         writable_paths=writable_paths,
-        reason="The edit needs to write this path.",
     )
     if denied is not None:
         return denied
 
-    return await apply_patch_with_writable_paths(arguments, context, effective_paths)
+    result = await apply_patch_with_writable_paths(arguments, context, effective_paths)
+    if approval_data is not None:
+        result = tool_result_with_data(result, approval_data)
+    return result
 
 
 async def apply_patch_with_writable_paths(
@@ -257,3 +307,96 @@ async def shell_command_with_writable_paths(
         ok=ok,
         title=f"Ran {command}",
     )
+
+
+def is_likely_sandbox_denied_result(result: ToolResult) -> bool:
+    data = result.data
+    exit_code = int_result_field(data.get("exit_code"))
+    if exit_code == 0:
+        return False
+    output = "\n".join(
+        str(data.get(name, "") or "") for name in ["stderr", "stdout"]
+    ).lower()
+    return any(
+        keyword in output
+        for keyword in [
+            "operation not permitted",
+            "permission denied",
+            "read-only file system",
+            "seccomp",
+            "sandbox",
+            "landlock",
+            "failed to write file",
+        ]
+    )
+
+
+def int_result_field(value: object) -> int:
+    if isinstance(value, int):
+        return value
+    if isinstance(value, str):
+        try:
+            return int(value)
+        except ValueError:
+            return 0
+    return 0
+
+
+def tool_failure_text(result: ToolResult) -> str:
+    stderr = str(result.data.get("stderr", "") or "").strip()
+    stdout = str(result.data.get("stdout", "") or "").strip()
+    content = result.content.strip()
+    return "\n".join(part for part in [stderr, stdout, content] if part)
+
+
+async def shell_command_without_sandbox(
+    arguments: dict[str, object],
+    context: ToolContext,
+) -> ToolResult:
+    command = str(arguments["command"])
+    timeout_seconds = number_argument(arguments, "timeout_seconds", 30)
+    result = await SandboxRunner(cwd=context.cwd).run_unsandboxed_async(
+        ["/bin/sh", "-c", command], timeout_seconds=timeout_seconds
+    )
+    ok = result.exit_code == 0
+    content = result.stdout or result.stderr
+    return ToolResult(
+        content=content,
+        data={
+            "command": command,
+            "exit_code": result.exit_code,
+            "stderr": result.stderr,
+            "stdout": result.stdout,
+        },
+        ok=ok,
+        title=f"Ran {command}",
+    )
+
+
+def approval_result_data(
+    request: ApprovalReviewRequest,
+    decision: ApprovalReviewDecision,
+) -> dict[str, object]:
+    approval: dict[str, object] = {
+        "action": request.action,
+        "decision": decision.decision,
+        "reason": decision.reason,
+        "tool_name": request.tool_name,
+        "tool_result": request.tool_result,
+        "write_paths": [str(path) for path in request.write_paths],
+    }
+    if decision.risk_level is not None:
+        approval["risk_level"] = decision.risk_level
+    if decision.risk_score is not None:
+        approval["risk_score"] = decision.risk_score
+    if decision.evidence:
+        approval["evidence"] = [item.model_dump() for item in decision.evidence]
+    return {
+        "approval": approval,
+    }
+
+
+def tool_result_with_data(
+    result: ToolResult, extra_data: dict[str, object]
+) -> ToolResult:
+    return result.model_copy(update={"data": {**result.data, **extra_data}})

package/backend/src/flowent/sandbox.py

@@ -261,7 +261,8 @@ class SandboxRunner:
         for root in self.writable_roots:
             if root == self.cwd:
                 continue
-            root.mkdir(mode=0o700, parents=True, exist_ok=True)
+            if not root.exists():
+                root.mkdir(mode=0o700, parents=True, exist_ok=True)
             args.extend(["--bind", str(root), str(root)])
         args.extend(
             [
@@ -327,6 +328,59 @@ class SandboxRunner:
             stdout=completed.stdout[: self.output_limit],
         )
 
+    async def run_unsandboxed_async(
+        self,
+        command: list[str],
+        *,
+        env: dict[str, str] | None = None,
+        input_text: str | None = None,
+        timeout_seconds: float | None = None,
+    ) -> CommandResult:
+        process_env = build_shell_environment(env)
+        process = await asyncio.create_subprocess_exec(
+            *command,
+            cwd=self.cwd,
+            env=process_env,
+            start_new_session=True,
+            stdin=asyncio.subprocess.PIPE if input_text is not None else None,
+            stdout=asyncio.subprocess.PIPE,
+            stderr=asyncio.subprocess.PIPE,
+        )
+        try:
+            stdout, stderr = await asyncio.wait_for(
+                process.communicate(
+                    input_text.encode() if input_text is not None else None
+                ),
+                timeout=timeout_seconds or self.timeout_seconds,
+            )
+        except TimeoutError as error:
+            with suppress(ProcessLookupError):
+                os.killpg(process.pid, signal.SIGKILL)
+            stdout, stderr = await process.communicate()
+            return CommandResult(
+                command=" ".join(command),
+                exit_code=124,
+                stderr=str(error) or "Command timed out.",
+                stdout=self._text_output(stdout)[: self.output_limit],
+            )
+        except asyncio.CancelledError:
+            with suppress(ProcessLookupError):
+                os.killpg(process.pid, signal.SIGTERM)
+            try:
+                await asyncio.wait_for(process.wait(), timeout=1)
+            except TimeoutError:
+                with suppress(ProcessLookupError):
+                    os.killpg(process.pid, signal.SIGKILL)
+                await process.wait()
+            raise
+
+        return CommandResult(
+            command=" ".join(command),
+            exit_code=process.returncode or 0,
+            stderr=self._text_output(stderr)[: self.output_limit],
+            stdout=self._text_output(stdout)[: self.output_limit],
+        )
+
     async def run_async(
         self,
         command: list[str],