icopilot 2.2.0

package/dist/providers/local-model.js

@@ -0,0 +1,121 @@
+import OpenAI from 'openai';
+const DEFAULT_API_KEY = 'air-gapped-local';
+export const LOCAL_PROVIDER_DEFAULTS = {
+    ollama: {
+        baseUrl: 'http://127.0.0.1:11434/v1',
+        model: 'llama3.2',
+    },
+    vllm: {
+        baseUrl: 'http://127.0.0.1:8000/v1',
+        model: 'local-model',
+    },
+    lmstudio: {
+        baseUrl: 'http://127.0.0.1:1234/v1',
+        model: 'local-model',
+    },
+    custom: {
+        baseUrl: 'http://127.0.0.1:8000/v1',
+        model: 'local-model',
+    },
+};
+export function isLocalProviderName(value) {
+    return value === 'ollama' || value === 'vllm' || value === 'lmstudio' || value === 'custom';
+}
+export function resolveLocalModelConfig(provider, overrides = {}) {
+    const defaults = LOCAL_PROVIDER_DEFAULTS[provider];
+    return {
+        provider,
+        baseUrl: normalizeBaseUrl(overrides.baseUrl ?? defaults.baseUrl),
+        model: overrides.model?.trim() || defaults.model,
+        apiKey: overrides.apiKey?.trim() || undefined,
+    };
+}
+export class LocalModelProvider {
+    current = null;
+    currentKey = '';
+    currentClient = null;
+    configure(config) {
+        const normalized = resolveLocalModelConfig(config.provider, config);
+        const nextKey = JSON.stringify(normalized);
+        if (!this.currentClient || this.currentKey !== nextKey) {
+            this.currentClient = new OpenAI({
+                apiKey: normalized.apiKey || DEFAULT_API_KEY,
+                baseURL: normalized.baseUrl,
+            });
+            this.currentKey = nextKey;
+        }
+        this.current = normalized;
+        return normalized;
+    }
+    getConfig() {
+        return this.current ? { ...this.current } : null;
+    }
+    getClient() {
+        if (!this.current) {
+            throw new Error('Local model provider is not configured.');
+        }
+        if (!this.currentClient) {
+            this.configure(this.current);
+        }
+        return this.currentClient;
+    }
+    async isAvailable() {
+        try {
+            if ((await this.listModels()).length > 0) {
+                return true;
+            }
+            const cfg = this.requireConfig();
+            const response = await fetch(stripV1Suffix(cfg.baseUrl), { method: 'GET' });
+            return response.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async listModels() {
+        const cfg = this.requireConfig();
+        try {
+            const response = await this.getClient().models.list();
+            const ids = response.data
+                .map((item) => item.id)
+                .filter((id) => typeof id === 'string' && id.trim().length > 0);
+            if (ids.length > 0) {
+                return [...new Set(ids)].sort((a, b) => a.localeCompare(b));
+            }
+        }
+        catch {
+            // fall through to provider-specific probing
+        }
+        if (cfg.provider === 'ollama') {
+            try {
+                const response = await fetch(`${stripV1Suffix(cfg.baseUrl)}/api/tags`);
+                if (response.ok) {
+                    const payload = (await response.json());
+                    const ids = (payload.models ?? [])
+                        .map((entry) => entry.name)
+                        .filter((name) => typeof name === 'string' && name.trim().length > 0);
+                    if (ids.length > 0) {
+                        return [...new Set(ids)].sort((a, b) => a.localeCompare(b));
+                    }
+                }
+            }
+            catch {
+                // ignore and fall through
+            }
+        }
+        return [];
+    }
+    requireConfig() {
+        if (!this.current) {
+            throw new Error('Local model provider is not configured.');
+        }
+        return this.current;
+    }
+}
+export const localModelProvider = new LocalModelProvider();
+function normalizeBaseUrl(value) {
+    return value.trim().replace(/\/+$/, '');
+}
+function stripV1Suffix(value) {
+    return normalizeBaseUrl(value).replace(/\/v1$/i, '');
+}

package/dist/routing/profiles.js

@@ -0,0 +1,44 @@
+const gpt4oMini = 'gpt-4o-mini';
+const gpt4o = 'gpt-4o';
+export const PROFILES = {
+    cheap: {
+        plan: gpt4oMini,
+        chat: gpt4oMini,
+        edit: gpt4oMini,
+        review: gpt4oMini,
+        commit: gpt4oMini,
+        summarize: gpt4oMini,
+    },
+    balanced: {
+        plan: gpt4oMini,
+        chat: gpt4oMini,
+        edit: gpt4o,
+        review: gpt4o,
+        commit: gpt4oMini,
+        summarize: gpt4oMini,
+    },
+    strong: {
+        plan: gpt4oMini,
+        chat: gpt4o,
+        edit: gpt4o,
+        review: gpt4o,
+        commit: gpt4o,
+        summarize: gpt4oMini,
+    },
+    fixed: {
+        plan: '',
+        chat: '',
+        edit: '',
+        review: '',
+        commit: '',
+        summarize: '',
+    },
+};
+export function profileFor(name) {
+    return PROFILES[toProfile(name) ?? 'balanced'];
+}
+export function toProfile(name) {
+    return name === 'cheap' || name === 'balanced' || name === 'strong' || name === 'fixed'
+        ? name
+        : undefined;
+}

package/dist/routing/router.js

@@ -0,0 +1,18 @@
+import { PROFILES, toProfile } from './profiles.js';
+const envProfile = toProfile(process.env.ICOPILOT_ROUTING);
+const routingState = { profile: envProfile || 'fixed' };
+export function setProfile(name) {
+    const profile = toProfile(name);
+    if (!profile) {
+        throw new Error(`Unknown routing profile: ${name}`);
+    }
+    routingState.profile = profile;
+}
+export function getProfile() {
+    return routingState.profile;
+}
+export function pickModel(sessionDefault, task) {
+    const profile = routingState.profile;
+    const routed = PROFILES[profile]?.[task];
+    return profile === 'fixed' || !routed ? sessionDefault : routed;
+}

package/dist/sandbox/container.js

@@ -0,0 +1,151 @@
+import path from 'node:path';
+import { exec } from 'node:child_process';
+const DEFAULT_IMAGE = process.env.ICOPILOT_SANDBOX_IMAGE?.trim() || 'node:20-alpine';
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_WORKDIR = '/workspace';
+const SANDBOX_LABEL = 'icopilot.sandbox=1';
+const MAX_BUFFER = 10 * 1024 * 1024;
+export class ContainerSandbox {
+    projectRoot;
+    containers = new Map();
+    constructor(projectRoot = process.cwd()) {
+        this.projectRoot = path.resolve(projectRoot);
+    }
+    getDefaultImage() {
+        return DEFAULT_IMAGE;
+    }
+    async isDockerAvailable() {
+        try {
+            const result = await this.runDocker(['docker', 'version', '--format', '{{.Server.Version}}']);
+            return result.code === 0 && result.stdout.trim().length > 0;
+        }
+        catch {
+            return false;
+        }
+    }
+    async create(config) {
+        const normalized = this.normalizeConfig(config);
+        const args = [
+            'docker',
+            'run',
+            '-d',
+            '--rm',
+            '--init',
+            '--label',
+            SANDBOX_LABEL,
+            '--workdir',
+            normalized.workDir,
+        ];
+        for (const mount of normalized.mounts) {
+            const mode = mount.readonly ? 'ro' : 'rw';
+            args.push('-v', `${path.resolve(mount.source)}:${mount.target}:${mode}`);
+        }
+        for (const [key, value] of Object.entries(normalized.env)) {
+            args.push('-e', `${key}=${value}`);
+        }
+        if (normalized.memory) {
+            args.push('--memory', normalized.memory);
+        }
+        if (typeof normalized.cpus === 'number' &&
+            Number.isFinite(normalized.cpus) &&
+            normalized.cpus > 0) {
+            args.push('--cpus', String(normalized.cpus));
+        }
+        args.push(normalized.image, 'sh', '-lc', 'trap exit TERM INT; while :; do sleep 1000; done');
+        const result = await this.runDocker(args, normalized.timeout);
+        const containerId = result.stdout.trim();
+        if (!containerId) {
+            throw new Error(result.stderr.trim() || 'docker did not return a container id');
+        }
+        this.containers.set(containerId, normalized);
+        return containerId;
+    }
+    async exec(containerId, command) {
+        const normalizedId = containerId.trim();
+        if (!normalizedId) {
+            throw new Error('container id is required');
+        }
+        const knownConfig = this.containers.get(normalizedId);
+        return this.runDocker(['docker', 'exec', normalizedId, 'sh', '-lc', command], knownConfig?.timeout);
+    }
+    async destroy(containerId) {
+        const normalizedId = containerId.trim();
+        if (!normalizedId) {
+            return;
+        }
+        try {
+            await this.runDocker(['docker', 'rm', '-f', normalizedId]);
+        }
+        finally {
+            this.containers.delete(normalizedId);
+        }
+    }
+    async listRunning() {
+        const result = await this.runDocker([
+            'docker',
+            'ps',
+            '--filter',
+            `label=${SANDBOX_LABEL}`,
+            '--format',
+            '{{.ID}}\t{{.Image}}\t{{.Status}}\t{{.Names}}',
+        ]);
+        return result.stdout
+            .split(/\r?\n/u)
+            .map((line) => line.trim())
+            .filter(Boolean)
+            .map((line) => {
+            const [id = '', image = '', status = '', name = ''] = line.split('\t');
+            return { id, image, status, name };
+        });
+    }
+    normalizeConfig(config) {
+        const workDir = config.workDir?.trim() || DEFAULT_WORKDIR;
+        const mounts = [...(config.mounts || [])];
+        const hasProjectMount = mounts.some((mount) => path.resolve(mount.source) === this.projectRoot || mount.target === workDir);
+        if (!hasProjectMount) {
+            mounts.unshift({
+                source: this.projectRoot,
+                target: workDir,
+                readonly: true,
+            });
+        }
+        return {
+            ...config,
+            image: config.image?.trim() || this.getDefaultImage(),
+            workDir,
+            mounts,
+            env: { ...(config.env || {}) },
+            timeout: config.timeout ?? DEFAULT_TIMEOUT_MS,
+        };
+    }
+    async runDocker(args, timeout = DEFAULT_TIMEOUT_MS) {
+        const command = args.map((arg) => quoteForShell(arg)).join(' ');
+        return new Promise((resolve, reject) => {
+            exec(command, {
+                timeout,
+                maxBuffer: MAX_BUFFER,
+                shell: process.platform === 'win32' ? 'powershell.exe' : '/bin/sh',
+            }, (error, stdout, stderr) => {
+                const code = typeof error?.code === 'number'
+                    ? Number(error.code)
+                    : 0;
+                const outcome = { stdout, stderr, code };
+                if (error && code === 0) {
+                    reject(error);
+                    return;
+                }
+                if (error) {
+                    reject(Object.assign(new Error(stderr.trim() || error.message), outcome));
+                    return;
+                }
+                resolve(outcome);
+            });
+        });
+    }
+}
+function quoteForShell(value) {
+    if (process.platform === 'win32') {
+        return `'${value.replace(/'/g, "''")}'`;
+    }
+    return `'${value.replace(/'/g, `'\\''`)}'`;
+}

package/dist/security/audit.js

@@ -0,0 +1,237 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import crypto from 'node:crypto';
+const DEFAULT_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000;
+export function auditLogPath() {
+    return process.env.ICOPILOT_AUDIT_PATH || path.join(os.homedir(), '.icopilot', 'audit.log');
+}
+export class AuditLogger {
+    filePath;
+    constructor(filePath = auditLogPath()) {
+        this.filePath = filePath;
+    }
+    log(entry) {
+        const normalized = normalizeEntry(entry);
+        fs.mkdirSync(path.dirname(this.filePath), { recursive: true });
+        fs.appendFileSync(this.filePath, `${JSON.stringify(normalized)}\n`, 'utf8');
+        return normalized;
+    }
+    query(filter = {}) {
+        return this.readEntries().filter((entry) => matchesFilter(entry, filter));
+    }
+    getRecent(n = 20) {
+        const limit = normalizeLimit(n, 20);
+        return this.readEntries().slice(-limit).reverse();
+    }
+    export(targetPath, format = 'jsonl') {
+        const resolvedFormat = normalizeFormat(format, targetPath);
+        const resolvedPath = path.resolve(targetPath || defaultExportPath(resolvedFormat));
+        const entries = this.readEntries();
+        const body = resolvedFormat === 'json'
+            ? `${JSON.stringify(entries, null, 2)}\n`
+            : entries.map((entry) => JSON.stringify(entry)).join('\n') + (entries.length ? '\n' : '');
+        fs.mkdirSync(path.dirname(resolvedPath), { recursive: true });
+        fs.writeFileSync(resolvedPath, body, 'utf8');
+        return resolvedPath;
+    }
+    rotate(maxAge = DEFAULT_MAX_AGE_MS) {
+        const entries = this.readEntries();
+        if (entries.length === 0)
+            return 0;
+        const cutoff = Date.now() - normalizeMaxAge(maxAge);
+        const kept = entries.filter((entry) => {
+            const timestamp = Date.parse(entry.timestamp);
+            return Number.isFinite(timestamp) && timestamp >= cutoff;
+        });
+        const removed = entries.length - kept.length;
+        if (removed === 0)
+            return 0;
+        fs.mkdirSync(path.dirname(this.filePath), { recursive: true });
+        const nextBody = kept.map((entry) => JSON.stringify(entry)).join('\n');
+        fs.writeFileSync(this.filePath, nextBody ? `${nextBody}\n` : '', 'utf8');
+        return removed;
+    }
+    getStats() {
+        const entries = this.readEntries();
+        const byAction = {};
+        const byTool = {};
+        let success = 0;
+        let failure = 0;
+        let denied = 0;
+        let durationTotal = 0;
+        let durationCount = 0;
+        for (const entry of entries) {
+            increment(byAction, entry.action);
+            if (entry.tool)
+                increment(byTool, entry.tool);
+            if (entry.result === 'success')
+                success += 1;
+            else if (entry.result === 'failure')
+                failure += 1;
+            else
+                denied += 1;
+            if (typeof entry.duration === 'number' &&
+                Number.isFinite(entry.duration) &&
+                entry.duration >= 0) {
+                durationTotal += entry.duration;
+                durationCount += 1;
+            }
+        }
+        return {
+            total: entries.length,
+            success,
+            failure,
+            denied,
+            firstEntry: entries[0]?.timestamp,
+            lastEntry: entries[entries.length - 1]?.timestamp,
+            avgDuration: durationCount ? Math.round(durationTotal / durationCount) : undefined,
+            byAction,
+            byTool,
+        };
+    }
+    readEntries() {
+        if (!fs.existsSync(this.filePath))
+            return [];
+        const raw = fs.readFileSync(this.filePath, 'utf8');
+        return raw
+            .split(/\r?\n/u)
+            .map((line) => line.trim())
+            .filter((line) => line.length > 0)
+            .flatMap((line) => {
+            try {
+                return [normalizeStoredEntry(JSON.parse(line))];
+            }
+            catch {
+                return [];
+            }
+        });
+    }
+}
+function normalizeEntry(entry) {
+    return {
+        id: typeof entry.id === 'string' && entry.id.trim().length > 0 ? entry.id : crypto.randomUUID(),
+        timestamp: normalizeTimestamp(entry.timestamp),
+        action: String(entry.action || 'tool.execute').trim() || 'tool.execute',
+        tool: normalizeOptionalString(entry.tool),
+        command: normalizeOptionalString(entry.command),
+        args: sanitizeArgs(entry.args),
+        result: normalizeResult(entry.result),
+        user: normalizeOptionalString(entry.user) || defaultUser(),
+        duration: normalizeDuration(entry.duration),
+        details: normalizeOptionalString(entry.details),
+    };
+}
+function normalizeStoredEntry(entry) {
+    const source = (entry && typeof entry === 'object' ? entry : {});
+    return normalizeEntry({
+        id: source.id,
+        timestamp: source.timestamp,
+        action: typeof source.action === 'string' ? source.action : 'tool.execute',
+        tool: source.tool,
+        command: source.command,
+        args: source.args,
+        result: normalizeResult(source.result),
+        user: source.user,
+        duration: source.duration,
+        details: source.details,
+    });
+}
+function normalizeTimestamp(value) {
+    if (value instanceof Date && !Number.isNaN(value.getTime()))
+        return value.toISOString();
+    if (typeof value === 'string') {
+        const parsed = Date.parse(value);
+        if (Number.isFinite(parsed))
+            return new Date(parsed).toISOString();
+    }
+    return new Date().toISOString();
+}
+function normalizeResult(value) {
+    return value === 'success' || value === 'failure' || value === 'denied' ? value : 'failure';
+}
+function normalizeDuration(value) {
+    return typeof value === 'number' && Number.isFinite(value) && value >= 0
+        ? Math.round(value)
+        : undefined;
+}
+function normalizeOptionalString(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function defaultUser() {
+    return normalizeOptionalString(process.env.ICOPILOT_AUDIT_USER || process.env.USERNAME || process.env.USER);
+}
+function sanitizeArgs(value, depth = 0) {
+    if (value === undefined || value === null)
+        return value;
+    if (depth >= 4)
+        return '[truncated depth]';
+    if (typeof value === 'string') {
+        return value.length > 4000
+            ? `${value.slice(0, 4000)}…[truncated ${value.length - 4000} chars]`
+            : value;
+    }
+    if (typeof value === 'number' || typeof value === 'boolean')
+        return value;
+    if (Array.isArray(value)) {
+        return value.slice(0, 50).map((item) => sanitizeArgs(item, depth + 1));
+    }
+    if (typeof value === 'object') {
+        return Object.fromEntries(Object.entries(value)
+            .slice(0, 50)
+            .map(([key, item]) => [key, sanitizeArgs(item, depth + 1)]));
+    }
+    return String(value);
+}
+function matchesFilter(entry, filter) {
+    const from = toTimestamp(filter.from);
+    const to = toTimestamp(filter.to);
+    const entryTime = Date.parse(entry.timestamp);
+    if (from !== undefined && (!Number.isFinite(entryTime) || entryTime < from))
+        return false;
+    if (to !== undefined && (!Number.isFinite(entryTime) || entryTime > to))
+        return false;
+    if (filter.result && entry.result !== filter.result)
+        return false;
+    if (filter.action && entry.action.toLowerCase() !== filter.action.toLowerCase())
+        return false;
+    if (filter.tool && (entry.tool || '').toLowerCase() !== filter.tool.toLowerCase())
+        return false;
+    return true;
+}
+function toTimestamp(value) {
+    if (value instanceof Date)
+        return value.getTime();
+    if (typeof value === 'string') {
+        const parsed = Date.parse(value);
+        return Number.isFinite(parsed) ? parsed : undefined;
+    }
+    return undefined;
+}
+function normalizeLimit(value, fallback) {
+    if (!Number.isFinite(value) || value <= 0)
+        return fallback;
+    return Math.max(1, Math.floor(value));
+}
+function normalizeMaxAge(value) {
+    if (!Number.isFinite(value) || value <= 0)
+        return DEFAULT_MAX_AGE_MS;
+    return Math.floor(value);
+}
+function normalizeFormat(format, targetPath) {
+    if (targetPath?.toLowerCase().endsWith('.json'))
+        return 'json';
+    return format === 'json' ? 'json' : 'jsonl';
+}
+function defaultExportPath(format) {
+    const stamp = new Date().toISOString().replace(/[:.]/gu, '-');
+    return path.join(process.cwd(), `icopilot-audit-${stamp}.${format === 'json' ? 'json' : 'log'}`);
+}
+function increment(target, key) {
+    if (!key)
+        return;
+    target[key] = (target[key] || 0) + 1;
+}