grokcodecli 0.1.0

package/src/tools/websearch.ts

@@ -0,0 +1,219 @@
+import { ToolResult } from './registry.js';
+import chalk from 'chalk';
+
+export interface WebSearchToolParams {
+  query: string;
+  num_results?: number;
+}
+
+interface SearchResult {
+  title: string;
+  url: string;
+  snippet: string;
+}
+
+// DuckDuckGo HTML search (no API key needed)
+async function searchDuckDuckGo(query: string, numResults: number = 10): Promise<SearchResult[]> {
+  const results: SearchResult[] = [];
+
+  try {
+    // Use DuckDuckGo HTML version
+    const searchUrl = `https://html.duckduckgo.com/html/?q=${encodeURIComponent(query)}`;
+
+    const response = await fetch(searchUrl, {
+      headers: {
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+        'Accept-Language': 'en-US,en;q=0.5',
+      },
+    });
+
+    if (!response.ok) {
+      throw new Error(`Search failed: ${response.status} ${response.statusText}`);
+    }
+
+    const html = await response.text();
+
+    // Parse results from HTML
+    // DuckDuckGo HTML results are in <a class="result__a"> tags
+    const resultPattern = /<a[^>]*class="result__a"[^>]*href="([^"]*)"[^>]*>([^<]*)<\/a>/gi;
+    const snippetPattern = /<a[^>]*class="result__snippet"[^>]*>([^<]*(?:<[^>]*>[^<]*)*)<\/a>/gi;
+
+    // Alternative: Parse result blocks
+    const resultBlocks = html.split('<div class="result results_links results_links_deep web-result');
+
+    for (let i = 1; i < resultBlocks.length && results.length < numResults; i++) {
+      const block = resultBlocks[i];
+
+      // Extract URL
+      const urlMatch = block.match(/href="([^"]+)"/);
+      // Extract title
+      const titleMatch = block.match(/class="result__a"[^>]*>([^<]+)</);
+      // Extract snippet
+      const snippetMatch = block.match(/class="result__snippet"[^>]*>([^<]+)/);
+
+      if (urlMatch && titleMatch) {
+        let url = urlMatch[1];
+        // DuckDuckGo uses redirect URLs, try to extract actual URL
+        if (url.includes('uddg=')) {
+          const actualUrl = url.match(/uddg=([^&]+)/);
+          if (actualUrl) {
+            url = decodeURIComponent(actualUrl[1]);
+          }
+        }
+
+        results.push({
+          title: decodeHtmlEntities(titleMatch[1].trim()),
+          url: url,
+          snippet: snippetMatch ? decodeHtmlEntities(snippetMatch[1].trim()) : '',
+        });
+      }
+    }
+
+    // If no results found with block parsing, try simpler approach
+    if (results.length === 0) {
+      const links = html.matchAll(/<a[^>]*class="result__a"[^>]*href="([^"]*)"[^>]*>([^<]*)<\/a>/gi);
+      for (const match of links) {
+        if (results.length >= numResults) break;
+        let url = match[1];
+        if (url.includes('uddg=')) {
+          const actualUrl = url.match(/uddg=([^&]+)/);
+          if (actualUrl) {
+            url = decodeURIComponent(actualUrl[1]);
+          }
+        }
+        results.push({
+          title: decodeHtmlEntities(match[2].trim()),
+          url: url,
+          snippet: '',
+        });
+      }
+    }
+
+  } catch (error) {
+    // Fallback: try alternative search
+    return await searchWithAlternative(query, numResults);
+  }
+
+  return results;
+}
+
+// Fallback using a simple web scraping approach
+async function searchWithAlternative(query: string, numResults: number): Promise<SearchResult[]> {
+  const results: SearchResult[] = [];
+
+  try {
+    // Try using DuckDuckGo Lite
+    const searchUrl = `https://lite.duckduckgo.com/lite/?q=${encodeURIComponent(query)}`;
+
+    const response = await fetch(searchUrl, {
+      headers: {
+        'User-Agent': 'Mozilla/5.0 (compatible; GrokCode/1.0)',
+        'Accept': 'text/html',
+      },
+    });
+
+    if (!response.ok) {
+      return results;
+    }
+
+    const html = await response.text();
+
+    // Parse lite version results
+    const linkMatches = html.matchAll(/<a[^>]*rel="nofollow"[^>]*href="([^"]+)"[^>]*>([^<]+)<\/a>/gi);
+
+    for (const match of linkMatches) {
+      if (results.length >= numResults) break;
+      const url = match[1];
+      const title = match[2];
+
+      // Skip DuckDuckGo internal links
+      if (url.startsWith('/') || url.includes('duckduckgo.com')) continue;
+
+      results.push({
+        title: decodeHtmlEntities(title.trim()),
+        url: url,
+        snippet: '',
+      });
+    }
+  } catch {
+    // Return empty results if all methods fail
+  }
+
+  return results;
+}
+
+function decodeHtmlEntities(text: string): string {
+  return text
+    .replace(/&amp;/g, '&')
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>')
+    .replace(/&quot;/g, '"')
+    .replace(/&#39;/g, "'")
+    .replace(/&nbsp;/g, ' ')
+    .replace(/&#x27;/g, "'")
+    .replace(/&#x2F;/g, '/')
+    .replace(/&apos;/g, "'");
+}
+
+export async function webSearchTool(params: WebSearchToolParams): Promise<ToolResult> {
+  try {
+    const query = params.query.trim();
+    const numResults = Math.min(params.num_results ?? 10, 20);
+
+    if (!query) {
+      return {
+        success: false,
+        output: '',
+        error: 'Search query cannot be empty',
+      };
+    }
+
+    if (query.length > 500) {
+      return {
+        success: false,
+        output: '',
+        error: 'Search query too long (maximum 500 characters)',
+      };
+    }
+
+    const results = await searchDuckDuckGo(query, numResults);
+
+    if (results.length === 0) {
+      return {
+        success: true,
+        output: `${chalk.yellow('No results found for:')} "${query}"\n\nTry:\n  • Using different keywords\n  • Checking spelling\n  • Using fewer, more general terms`,
+      };
+    }
+
+    let output = `${chalk.cyan('🔍 Search Results for:')} "${query}"\n`;
+    output += `${chalk.gray(`Found ${results.length} results`)}\n\n`;
+
+    results.forEach((result, index) => {
+      output += `${chalk.bold(`${index + 1}. ${result.title}`)}\n`;
+      output += `   ${chalk.blue(result.url)}\n`;
+      if (result.snippet) {
+        output += `   ${chalk.gray(result.snippet)}\n`;
+      }
+      output += '\n';
+    });
+
+    // Add sources section like Claude Code
+    output += `${chalk.cyan('Sources:')}\n`;
+    results.forEach((result) => {
+      output += `  • [${result.title}](${result.url})\n`;
+    });
+
+    return {
+      success: true,
+      output,
+    };
+  } catch (error) {
+    const err = error as Error;
+    return {
+      success: false,
+      output: '',
+      error: `Search failed: ${err.message}`,
+    };
+  }
+}

package/src/tools/write.ts

@@ -0,0 +1,94 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import { ToolResult } from './registry.js';
+import { validatePath } from '../utils/security.js';
+import chalk from 'chalk';
+
+export interface WriteToolParams {
+  file_path: string;
+  content: string;
+}
+
+// Maximum file size to write (50MB)
+const MAX_CONTENT_SIZE = 50 * 1024 * 1024;
+
+export async function writeTool(params: WriteToolParams): Promise<ToolResult> {
+  try {
+    const filePath = path.resolve(params.file_path);
+
+    // Security validation
+    const security = validatePath(filePath);
+    if (!security.allowed) {
+      return {
+        success: false,
+        output: '',
+        error: `Security: ${security.reason}`,
+      };
+    }
+
+    // Check content size
+    if (params.content.length > MAX_CONTENT_SIZE) {
+      return {
+        success: false,
+        output: '',
+        error: `Content too large (${(params.content.length / 1024 / 1024).toFixed(1)}MB). Maximum is ${MAX_CONTENT_SIZE / 1024 / 1024}MB.`,
+      };
+    }
+
+    // Check if file exists (for backup/warning)
+    let wasExisting = false;
+    let previousSize = 0;
+    try {
+      const stats = await fs.stat(filePath);
+      wasExisting = true;
+      previousSize = stats.size;
+    } catch {
+      // File doesn't exist, that's fine
+    }
+
+    // Ensure directory exists
+    const dir = path.dirname(filePath);
+    await fs.mkdir(dir, { recursive: true });
+
+    // Write the file
+    await fs.writeFile(filePath, params.content, 'utf-8');
+
+    const lines = params.content.split('\n').length;
+    const size = params.content.length;
+
+    let output = `${chalk.green('✓')} File written: ${filePath}\n`;
+    output += `  ${chalk.gray('Lines:')} ${lines}\n`;
+    output += `  ${chalk.gray('Size:')} ${formatSize(size)}`;
+
+    if (wasExisting) {
+      const diff = size - previousSize;
+      const diffStr = diff >= 0 ? `+${formatSize(diff)}` : `-${formatSize(Math.abs(diff))}`;
+      output += ` (${diffStr} from previous)`;
+    }
+
+    // Security warning if applicable
+    if (security.severity === 'medium') {
+      output = chalk.yellow(`⚠️ ${security.suggestion}\n`) + output;
+    }
+
+    return {
+      success: true,
+      output,
+    };
+  } catch (error) {
+    const err = error as NodeJS.ErrnoException;
+    if (err.code === 'EACCES') {
+      return { success: false, output: '', error: `Permission denied: ${params.file_path}` };
+    }
+    if (err.code === 'ENOSPC') {
+      return { success: false, output: '', error: 'No space left on device' };
+    }
+    return { success: false, output: '', error: `Error writing file: ${err.message}` };
+  }
+}
+
+function formatSize(bytes: number): string {
+  if (bytes < 1024) return `${bytes}B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
+  return `${(bytes / 1024 / 1024).toFixed(1)}MB`;
+}

package/src/utils/security.ts

@@ -0,0 +1,259 @@
+/**
+ * Security Utilities
+ *
+ * Provides input validation, path traversal prevention, and security checks.
+ */
+
+import * as path from 'path';
+import * as os from 'os';
+
+// Dangerous patterns that should be flagged
+const DANGEROUS_COMMANDS = [
+  /rm\s+-rf\s+[\/~]/i,          // rm -rf with root or home
+  /rm\s+-rf\s+\*/,               // rm -rf *
+  />\s*\/dev\/sd/,               // Writing to disk devices
+  /mkfs\./,                       // Formatting filesystems
+  /dd\s+if=.*of=\/dev/,          // dd to device
+  /chmod\s+-R\s+777/,            // Recursive 777
+  /curl.*\|\s*sh/,               // Curl pipe to shell
+  /wget.*\|\s*sh/,               // Wget pipe to shell
+  /curl.*\|\s*bash/,
+  /wget.*\|\s*bash/,
+  /:(){.*};:/,                   // Fork bomb pattern
+  />\s*\/etc\//,                 // Writing to /etc
+  />\s*\/boot\//,                // Writing to /boot
+  />\s*\/proc\//,                // Writing to /proc
+  />\s*\/sys\//,                 // Writing to /sys
+];
+
+// Sensitive file patterns
+const SENSITIVE_FILES = [
+  /\.env$/,
+  /\.env\./,
+  /credentials/i,
+  /secret/i,
+  /password/i,
+  /private_key/,
+  /\.pem$/,
+  /\.key$/,
+  /id_rsa/,
+  /id_ed25519/,
+  /\.ssh\/config/,
+  /\.netrc/,
+  /\.npmrc/,
+  /\.pypirc/,
+];
+
+// Blocked paths (never allow access)
+const BLOCKED_PATHS = [
+  '/etc/passwd',
+  '/etc/shadow',
+  '/etc/sudoers',
+  '/etc/ssh/',
+  '/root/.ssh/',
+  '/proc/',
+  '/sys/',
+  '/dev/',
+];
+
+export interface SecurityCheckResult {
+  allowed: boolean;
+  reason?: string;
+  severity?: 'low' | 'medium' | 'high' | 'critical';
+  suggestion?: string;
+}
+
+/**
+ * Validate a file path for security issues
+ */
+export function validatePath(filePath: string, allowedRoots?: string[]): SecurityCheckResult {
+  // Resolve to absolute path
+  const resolved = path.resolve(filePath);
+  const normalized = path.normalize(resolved);
+
+  // Check for path traversal attempts
+  if (filePath.includes('..')) {
+    // Allow if the resolved path is still within allowed roots
+    if (allowedRoots && allowedRoots.length > 0) {
+      const isWithinRoots = allowedRoots.some(root =>
+        normalized.startsWith(path.resolve(root))
+      );
+      if (!isWithinRoots) {
+        return {
+          allowed: false,
+          reason: 'Path traversal detected - path escapes allowed directories',
+          severity: 'high',
+        };
+      }
+    }
+  }
+
+  // Check blocked paths
+  for (const blocked of BLOCKED_PATHS) {
+    if (normalized.startsWith(blocked) || normalized === blocked.slice(0, -1)) {
+      return {
+        allowed: false,
+        reason: `Access to ${blocked} is blocked for security`,
+        severity: 'critical',
+      };
+    }
+  }
+
+  // Check for sensitive files (warning only)
+  for (const pattern of SENSITIVE_FILES) {
+    if (pattern.test(normalized)) {
+      return {
+        allowed: true,  // Allow but warn
+        reason: 'This appears to be a sensitive file',
+        severity: 'medium',
+        suggestion: 'Be careful with files containing credentials or secrets',
+      };
+    }
+  }
+
+  return { allowed: true };
+}
+
+/**
+ * Validate a bash command for dangerous patterns
+ */
+export function validateCommand(command: string): SecurityCheckResult {
+  // Check for dangerous patterns
+  for (const pattern of DANGEROUS_COMMANDS) {
+    if (pattern.test(command)) {
+      return {
+        allowed: false,
+        reason: 'Command matches a dangerous pattern',
+        severity: 'critical',
+        suggestion: 'This command could cause system damage. Please review carefully.',
+      };
+    }
+  }
+
+  // Check for commands that modify critical paths
+  if (/>\s*(\/etc|\/boot|\/root|\/var\/log)/i.test(command)) {
+    return {
+      allowed: false,
+      reason: 'Writing to system directories is blocked',
+      severity: 'high',
+    };
+  }
+
+  // Check for privilege escalation
+  if (/sudo\s+-s|su\s+-|sudo\s+su/.test(command)) {
+    return {
+      allowed: true,
+      reason: 'Command requires elevated privileges',
+      severity: 'medium',
+      suggestion: 'This command will prompt for sudo password',
+    };
+  }
+
+  return { allowed: true };
+}
+
+/**
+ * Validate a URL for security issues
+ */
+export function validateUrl(url: string): SecurityCheckResult {
+  try {
+    const parsed = new URL(url);
+
+    // Only allow http/https
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+      return {
+        allowed: false,
+        reason: `Protocol ${parsed.protocol} is not allowed`,
+        severity: 'medium',
+      };
+    }
+
+    // Block localhost/internal IPs (SSRF prevention)
+    const hostname = parsed.hostname.toLowerCase();
+    const blockedHosts = ['localhost', '127.0.0.1', '0.0.0.0', '::1'];
+    const internalPatterns = [
+      /^10\./,
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+      /^192\.168\./,
+      /^169\.254\./,
+    ];
+
+    if (blockedHosts.includes(hostname)) {
+      return {
+        allowed: false,
+        reason: 'Localhost access is blocked',
+        severity: 'high',
+      };
+    }
+
+    for (const pattern of internalPatterns) {
+      if (pattern.test(hostname)) {
+        return {
+          allowed: false,
+          reason: 'Internal network access is blocked',
+          severity: 'high',
+        };
+      }
+    }
+
+    return { allowed: true };
+  } catch {
+    return {
+      allowed: false,
+      reason: 'Invalid URL format',
+      severity: 'low',
+    };
+  }
+}
+
+/**
+ * Sanitize output for display (prevent terminal escape sequences)
+ */
+export function sanitizeOutput(output: string): string {
+  // Remove potentially dangerous escape sequences but keep basic formatting
+  return output
+    // Remove cursor manipulation
+    .replace(/\x1b\[\d*[ABCDJK]/g, '')
+    // Remove window title changes
+    .replace(/\x1b\]0;[^\x07]*\x07/g, '')
+    // Remove scrolling region changes
+    .replace(/\x1b\[\d*;\d*r/g, '')
+    // Keep basic colors (safe)
+    .replace(/\x1b\[(\d+;)*\d*[mK]/g, (match) => {
+      // Only allow color codes 0-107
+      const nums = match.slice(2, -1).split(';').map(Number);
+      if (nums.every(n => n >= 0 && n <= 107)) {
+        return match;
+      }
+      return '';
+    });
+}
+
+/**
+ * Get safe environment variables (filter out sensitive ones)
+ */
+export function getSafeEnv(): Record<string, string> {
+  const sensitive = [
+    'API_KEY', 'SECRET', 'TOKEN', 'PASSWORD', 'CREDENTIAL',
+    'AWS_', 'GITHUB_TOKEN', 'NPM_TOKEN', 'PRIVATE_KEY',
+  ];
+
+  const result: Record<string, string> = {};
+
+  for (const [key, value] of Object.entries(process.env)) {
+    const isSensitive = sensitive.some(s => key.toUpperCase().includes(s));
+    if (!isSensitive && value !== undefined) {
+      result[key] = value;
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Generate a safe temporary path
+ */
+export function getSafeTempPath(filename: string): string {
+  const sanitized = filename.replace(/[^a-zA-Z0-9._-]/g, '_');
+  return path.join(os.tmpdir(), 'grokcode', sanitized);
+}