jinzd-ai-cli 0.1.8 → 0.1.10

package/dist/index.js

@@ -69,7 +69,13 @@ var ConfigSchema = z.object({
   // 启动时自动读取并注入 system prompt，类似 Claude Code 的 CLAUDE.md 机制
   // 默认按顺序查找：AICLI.md → CLAUDE.md → .aicli/context.md
   // 设为 false 可禁用此功能
-  contextFile: z.union([z.string(), z.literal(false)]).default("auto")
+  contextFile: z.union([z.string(), z.literal(false)]).default("auto"),
+  // 插件加载开关（安全控制）
+  // 默认 false：不自动加载 ~/.aicli/plugins/ 中的插件文件。
+  // 插件以完整 Node.js 权限在主进程中执行（可读写文件、访问网络、执行命令），
+  // 必须确认插件来源可信后，再设为 true 启用。
+  // 可通过 /config 命令或直接编辑 ~/.aicli/config.json 开启。
+  allowPlugins: z.boolean().default(false)
 });
 
 // src/config/env-loader.ts
@@ -104,7 +110,7 @@ var EnvLoader = class {
 };
 
 // src/core/constants.ts
-var VERSION = "0.1.8";
+var VERSION = "0.1.10";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";
 var HISTORY_DIR_NAME = "history";
@@ -1333,7 +1339,7 @@ var SessionManager = class {
 // src/repl/repl.ts
 import * as readline from "readline";
 import { existsSync as existsSync13, readFileSync as readFileSync8 } from "fs";
-import { join as join8, resolve as resolve3, extname as extname3 } from "path";
+import { join as join8, resolve as resolve4, extname as extname3 } from "path";
 import chalk7 from "chalk";
 
 // src/repl/renderer.ts
@@ -1508,8 +1514,8 @@ var Renderer = class {
     }
     process.stdout.write("\n\n");
     if (fileStream) {
-      await new Promise((resolve4, reject) => {
-        fileStream.end((err) => err ? reject(err) : resolve4());
+      await new Promise((resolve5, reject) => {
+        fileStream.end((err) => err ? reject(err) : resolve5());
       });
       const kb = (Buffer.byteLength(fullContent, "utf-8") / 1024).toFixed(1);
       process.stdout.write(chalk.green(`  \u2705 \u5DF2\u4FDD\u5B58: ${options.saveToFile} (${kb} KB)
@@ -2134,7 +2140,7 @@ var IGNORE_ENTER_MS = 80;
 function selectFromList(prompt, items, initialIndex = 0) {
   if (items.length === 0) return Promise.resolve(null);
   const PAGE = 12;
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     let selected = Math.max(0, Math.min(initialIndex, items.length - 1));
     let windowStart = Math.max(0, selected - Math.floor(PAGE / 2));
     let lastRenderedLines = 0;
@@ -2209,7 +2215,7 @@ function selectFromList(prompt, items, initialIndex = 0) {
         process.stdout.write(chalk3.dim(`  \u2714 ${result}
 `));
       }
-      resolve4(result);
+      resolve5(result);
     };
     const handleSequence = (seq) => {
       if (seq === "\x1B") {
@@ -2273,13 +2279,13 @@ function selectFromList(prompt, items, initialIndex = 0) {
       }
     };
     if (!process.stdin.isTTY) {
-      resolve4(items[0]?.value ?? null);
+      resolve5(items[0]?.value ?? null);
       return;
     }
     try {
       process.stdin.setRawMode(true);
     } catch {
-      resolve4(items[0]?.value ?? null);
+      resolve5(items[0]?.value ?? null);
       return;
     }
     savedDataListeners = process.stdin.rawListeners("data");
@@ -2332,7 +2338,8 @@ var bashTool = {
   },
   async execute(args) {
     const command = String(args["command"] ?? "");
-    const timeout = Number(args["timeout"] ?? 3e4);
+    const MAX_TIMEOUT = 3e5;
+    const timeout = Math.min(Math.max(Number(args["timeout"] ?? 3e4), 1e3), MAX_TIMEOUT);
     const cwdArg = args["cwd"] ? String(args["cwd"]) : void 0;
     if (!command.trim()) {
       throw new Error("command is required");
@@ -2398,15 +2405,16 @@ function fixWindowsDeleteCommand(command) {
         pathValue = pathMatch[2] ?? "";
       }
       if (!pathValue) return match;
-      return `cmd /c rmdir /s /q "${pathValue}"`;
+      const safePath = pathValue.replace(/"/g, '\\"');
+      return `cmd /c rmdir /s /q "${safePath}"`;
     }
   );
 }
 function updateCwdFromCommand(command, baseCwd) {
-  const cdMatches = [...command.matchAll(/(?:^|[;&|])\s*cd\s+([^\s;&|]+)/g)];
+  const cdMatches = [...command.matchAll(/(?:^|[;&|])\s*cd\s+(['"]?)([^\s;&|'"]+)\1/g)];
   if (cdMatches.length === 0) return;
   const lastMatch = cdMatches[cdMatches.length - 1];
-  const target = lastMatch?.[1];
+  const target = lastMatch?.[2];
   if (!target || target.startsWith("$") || target === "~") return;
   try {
     const newDir = resolve2(baseCwd, target);
@@ -2418,8 +2426,28 @@ function updateCwdFromCommand(command, baseCwd) {
 }
 
 // src/tools/builtin/read-file.ts
-import { readFileSync as readFileSync4, existsSync as existsSync5 } from "fs";
-import { extname } from "path";
+import { readFileSync as readFileSync4, existsSync as existsSync5, statSync } from "fs";
+import { extname, resolve as resolve3, basename, sep } from "path";
+import { homedir as homedir2 } from "os";
+var MAX_FILE_BYTES = 10 * 1024 * 1024;
+function getSensitiveWarning(normalizedPath) {
+  const home = homedir2();
+  const p = normalizedPath.toLowerCase();
+  const base = basename(normalizedPath).toLowerCase();
+  if (normalizedPath.startsWith(home) && p.includes(".aicli") && base === "config.json") {
+    return "[\u26A0 Security Warning: This file contains API keys. Be careful not to share this content.]\n\n";
+  }
+  if (base === ".env" || base.startsWith(".env.") || base.endsWith(".env")) {
+    return "[\u26A0 Security Warning: .env files may contain secrets and credentials.]\n\n";
+  }
+  if (normalizedPath.includes(`${sep}.ssh${sep}`) && (base.startsWith("id_") || base === "identity")) {
+    return "[\u26A0 Security Warning: This may be an SSH private key.]\n\n";
+  }
+  if (base === "credentials" && p.includes(".aws")) {
+    return "[\u26A0 Security Warning: This file contains AWS credentials.]\n\n";
+  }
+  return "";
+}
 var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
   ".pdf",
   ".doc",
@@ -2490,8 +2518,20 @@ var readFileTool = {
     const filePath = String(args["path"] ?? "");
     const encoding = args["encoding"] ?? "utf-8";
     if (!filePath) throw new Error("path is required");
-    if (!existsSync5(filePath)) throw new Error(`File not found: ${filePath}`);
-    const ext = extname(filePath).toLowerCase();
+    const normalizedPath = resolve3(filePath);
+    if (!existsSync5(normalizedPath)) throw new Error(`File not found: ${filePath}`);
+    const { size } = statSync(normalizedPath);
+    if (size > MAX_FILE_BYTES) {
+      const mb = (size / 1024 / 1024).toFixed(1);
+      return `[File too large: ${filePath} (${mb} MB)]
+\u8D85\u8FC7\u5355\u6B21\u8BFB\u53D6\u4E0A\u9650 ${MAX_FILE_BYTES / 1024 / 1024} MB\u3002
+\u8BF7\u4F7F\u7528 bash \u5DE5\u5177\u5206\u6BB5\u8BFB\u53D6\uFF0C\u4F8B\u5982\uFF1A
+  head -n 100 "${normalizedPath}"   # \u8BFB\u524D 100 \u884C
+  tail -n 100 "${normalizedPath}"   # \u8BFB\u672B 100 \u884C
+  sed -n '200,300p' "${normalizedPath}"  # \u8BFB 200-300 \u884C`;
+    }
+    const sensitiveWarning = getSensitiveWarning(normalizedPath);
+    const ext = extname(normalizedPath).toLowerCase();
     if (BINARY_EXTENSIONS.has(ext)) {
       return `[Binary file: ${filePath}]
 \u6B64\u6587\u4EF6\u4E3A\u4E8C\u8FDB\u5236\u683C\u5F0F\uFF08${ext}\uFF09\uFF0C\u65E0\u6CD5\u4F5C\u4E3A\u6587\u672C\u8BFB\u53D6\u3002
@@ -2500,7 +2540,7 @@ var readFileTool = {
   2. \u4F7F\u7528 bash \u5DE5\u5177\u8C03\u7528\u5916\u90E8\u8F6C\u6362\u7A0B\u5E8F\uFF08\u5982 pdftotext\u3001pandoc \u7B49\uFF09
   3. \u82E5\u6709\u5BF9\u5E94\u7684\u7EAF\u6587\u672C\u7248\u672C\uFF08.md / .txt\uFF09\uFF0C\u8BF7\u76F4\u63A5\u8BFB\u53D6\u90A3\u4E2A\u6587\u4EF6`;
     }
-    const buf = readFileSync4(filePath);
+    const buf = readFileSync4(normalizedPath);
     if (encoding === "base64") {
       return `[File: ${filePath} | base64]
 
@@ -2513,7 +2553,7 @@ ${buf.toString("base64")}`;
     }
     const content = buf.toString(encoding);
     const lines = content.split("\n").length;
-    return `[File: ${filePath} | ${lines} lines]
+    return `${sensitiveWarning}[File: ${filePath} | ${lines} lines]
 
 ${content}`;
   }
@@ -2698,7 +2738,7 @@ function truncatePreview(str, maxLen = 80) {
 }
 
 // src/tools/builtin/list-dir.ts
-import { readdirSync as readdirSync2, statSync, existsSync as existsSync7 } from "fs";
+import { readdirSync as readdirSync2, statSync as statSync2, existsSync as existsSync7 } from "fs";
 import { join as join3 } from "path";
 var listDirTool = {
   definition: {
@@ -2754,7 +2794,7 @@ function listRecursive(basePath, indent, recursive, lines) {
       }
     } else {
       try {
-        const stat = statSync(join3(basePath, entry.name));
+        const stat = statSync2(join3(basePath, entry.name));
         const size = formatSize(stat.size);
         lines.push(`${indent}\u{1F4C4} ${entry.name}  (${size})`);
       } catch {
@@ -2770,7 +2810,7 @@ function formatSize(bytes) {
 }
 
 // src/tools/builtin/grep-files.ts
-import { readdirSync as readdirSync3, readFileSync as readFileSync6, statSync as statSync2, existsSync as existsSync8 } from "fs";
+import { readdirSync as readdirSync3, readFileSync as readFileSync6, statSync as statSync3, existsSync as existsSync8 } from "fs";
 import { join as join4, relative } from "path";
 var grepFilesTool = {
   definition: {
@@ -2831,7 +2871,7 @@ var grepFilesTool = {
       regex = new RegExp(escaped, ignoreCase ? "gi" : "g");
     }
     const results = [];
-    const stat = statSync2(rootPath);
+    const stat = statSync3(rootPath);
     if (stat.isFile()) {
       searchInFile(rootPath, rootPath, regex, contextLines, maxResults, results);
     } else {
@@ -2940,8 +2980,8 @@ function searchInFile(fullPath, displayPath, regex, contextLines, maxResults, re
 }
 
 // src/tools/builtin/glob-files.ts
-import { readdirSync as readdirSync4, statSync as statSync3, existsSync as existsSync9 } from "fs";
-import { join as join5, relative as relative2, basename } from "path";
+import { readdirSync as readdirSync4, statSync as statSync4, existsSync as existsSync9 } from "fs";
+import { join as join5, relative as relative2, basename as basename2 } from "path";
 var globFilesTool = {
   definition: {
     name: "glob_files",
@@ -3057,9 +3097,9 @@ function collectMatchingFiles(dirPath, rootPath, regex, results, maxResults) {
       collectMatchingFiles(fullPath, rootPath, regex, results, maxResults);
     } else if (entry.isFile()) {
       const relPath = relative2(rootPath, fullPath).replace(/\\/g, "/");
-      if (regex.test(relPath) || regex.test(basename(relPath))) {
+      if (regex.test(relPath) || regex.test(basename2(relPath))) {
         try {
-          const stat = statSync3(fullPath);
+          const stat = statSync4(fullPath);
           results.push({ relPath, absPath: fullPath, mtime: stat.mtimeMs });
         } catch {
           results.push({ relPath, absPath: fullPath, mtime: 0 });
@@ -3133,7 +3173,7 @@ var runInteractiveTool = {
       PYTHONDONTWRITEBYTECODE: "1"
     };
     const prefixWarnings = [argsTypeWarning, stdinTypeWarning].filter(Boolean).join("");
-    return new Promise((resolve4) => {
+    return new Promise((resolve5) => {
       const child = spawn(executable, cmdArgs.map(String), {
         cwd: process.cwd(),
         env,
@@ -3163,22 +3203,22 @@ var runInteractiveTool = {
       setTimeout(writeNextLine, 400);
       const timer = setTimeout(() => {
         child.kill();
-        resolve4(`${prefixWarnings}[Timeout after ${timeout}ms]
+        resolve5(`${prefixWarnings}[Timeout after ${timeout}ms]
 ${buildOutput(stdout, stderr)}`);
       }, timeout);
       child.on("close", (code) => {
         clearTimeout(timer);
         const output = buildOutput(stdout, stderr);
         if (code !== 0 && code !== null) {
-          resolve4(`${prefixWarnings}Exit code ${code}:
+          resolve5(`${prefixWarnings}Exit code ${code}:
 ${output}`);
         } else {
-          resolve4(`${prefixWarnings}${output || "(no output)"}`);
+          resolve5(`${prefixWarnings}${output || "(no output)"}`);
         }
       });
       child.on("error", (err) => {
         clearTimeout(timer);
-        resolve4(
+        resolve5(
           `${prefixWarnings}Failed to start process "${executable}": ${err.message}
 Hint: On Windows, use the full path to the executable, e.g.:
   C:\\Users\\Jinzd\\anaconda3\\envs\\python312\\python.exe`
@@ -3235,6 +3275,22 @@ function extractDescription(html) {
   return m ? m[1].trim() : "";
 }
 var MAX_OUTPUT = 16e3;
+function isPrivateHost(hostname) {
+  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (h === "localhost" || h === "0.0.0.0" || h === "::1") return true;
+  if (h.startsWith("fe80:")) return true;
+  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (m) {
+    const [o1, o2] = [Number(m[1]), Number(m[2])];
+    if (o1 === 127) return true;
+    if (o1 === 10) return true;
+    if (o1 === 172 && o2 >= 16 && o2 <= 31) return true;
+    if (o1 === 192 && o2 === 168) return true;
+    if (o1 === 169 && o2 === 254) return true;
+    if (o1 === 0) return true;
+  }
+  return false;
+}
 var webFetchTool = {
   definition: {
     name: "web_fetch",
@@ -3258,6 +3314,15 @@ var webFetchTool = {
     if (!url.startsWith("http://") && !url.startsWith("https://")) {
       throw new Error(`Invalid URL: "${url}". URL must start with http:// or https://`);
     }
+    try {
+      const parsedUrl = new URL(url);
+      if (isPrivateHost(parsedUrl.hostname)) {
+        throw new Error(`Blocked: "${url}" resolves to a private/internal address. web_fetch is restricted to public URLs.`);
+      }
+    } catch (e) {
+      if (e.message.startsWith("Blocked:")) throw e;
+      throw new Error(`Invalid URL: "${url}"`);
+    }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), 2e4);
     let rawHtml;
@@ -3276,6 +3341,14 @@ var webFetchTool = {
       clearTimeout(timeoutId);
       finalUrl = resp.url;
       contentType = resp.headers.get("content-type") ?? "";
+      try {
+        const finalParsed = new URL(finalUrl);
+        if (isPrivateHost(finalParsed.hostname)) {
+          throw new Error(`Blocked: redirect landed on private address "${finalUrl}".`);
+        }
+      } catch (e) {
+        if (e.message.startsWith("Blocked:")) throw e;
+      }
       if (!resp.ok) {
         throw new Error(`HTTP ${resp.status} ${resp.statusText}`);
       }
@@ -3450,10 +3523,10 @@ var streamToFileTool = {
           showProgress(false);
         }
       }
-      await new Promise((resolve4, reject) => {
+      await new Promise((resolve5, reject) => {
         writeStream.end((err) => {
           if (err) reject(err);
-          else resolve4();
+          else resolve5();
         });
       });
       process.stdout.write("\r\x1B[2K");
@@ -3505,10 +3578,17 @@ var ToolRegistry = class {
   }
   /**
    * Dynamically loads .js plugin files from pluginsDir.
+   *
+   * Security notes:
+   *   - Only loads when allowPlugins=true (must be explicitly enabled in config).
+   *   - Plugins run with FULL Node.js privileges in the main process.
+   *   - Prints a prominent warning listing every file before loading.
+   *   - Built-in tool names cannot be overridden by plugins.
+   *
    * Creates the dir if missing. Skips invalid plugins with a warning.
    * Returns the number of successfully loaded plugins.
    */
-  async loadPlugins(pluginsDir) {
+  async loadPlugins(pluginsDir, allowPlugins = false) {
     if (!existsSync10(pluginsDir)) {
       try {
         mkdirSync8(pluginsDir, { recursive: true });
@@ -3522,6 +3602,21 @@ var ToolRegistry = class {
     } catch {
       return 0;
     }
+    if (files.length === 0) return 0;
+    if (!allowPlugins) {
+      process.stderr.write(
+        `[plugins] Found ${files.length} plugin(s) in ${pluginsDir} but loading is disabled.
+  To enable, set "allowPlugins": true in ~/.aicli/config.json (or via /config).
+  \u26A0 Plugins run with full system privileges. Only enable for trusted sources.
+`
+      );
+      return 0;
+    }
+    process.stderr.write(
+      `
+[plugins] \u26A0 Loading ${files.length} plugin(s) with FULL system privileges:
+` + files.map((f) => `  + ${join6(pluginsDir, f)}`).join("\n") + "\n\n"
+    );
     let loaded = 0;
     for (const file of files) {
       try {
@@ -3541,6 +3636,8 @@ var ToolRegistry = class {
         this.register(tool);
         this.pluginToolNames.add(tool.definition.name);
         loaded++;
+        process.stderr.write(`[plugins] Loaded: ${tool.definition.name} (${file})
+`);
       } catch (err) {
         process.stderr.write(`[plugins] Failed to load ${file}: ${err.message}
 `);
@@ -3558,10 +3655,13 @@ import { existsSync as existsSync11, readFileSync as readFileSync7 } from "fs";
 function getDangerLevel(toolName, args) {
   if (toolName === "bash") {
     const cmd = String(args["command"] ?? "");
-    if (/\brm\s+(-\w*f\w*|-\w*r\w*f\w*)\b|\brmdir\b|\bformat\b|\bmkfs\b/.test(cmd)) return "destructive";
-    if (/\bRemove-Item\b|\bri\s+.*-Recurse\b|\brd\s+\/s\b|\brmdir\s+\/s\b/.test(cmd)) return "destructive";
-    if (/\bdel\s+\S/.test(cmd) && !/\bmkdir\b/.test(cmd)) return "destructive";
+    if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
+    if (/\brm\s+\S/.test(cmd)) return "destructive";
+    if (/\brmdir\b|\bformat\b|\bmkfs\b/.test(cmd)) return "destructive";
+    if (/\bRemove-Item\b.*(?:-Recurse|-Force)|\bri\s+.*-(?:Recurse|Force)\b|\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
+    if (/\bdel\s+\S/.test(cmd)) return "destructive";
     if (/\becho\b.*>>?|\btee\b|\bcp\b|\bmv\b/.test(cmd)) return "write";
+    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b/i.test(cmd)) return "write";
     return "safe";
   }
   if (toolName === "write_file") return "write";
@@ -3787,7 +3887,18 @@ var ToolExecutor = class {
       };
     }
     const dangerLevel = getDangerLevel(call.name, call.arguments);
-    if (dangerLevel === "destructive") {
+    if (dangerLevel === "write") {
+      this.printToolCall(call);
+      this.printDiffPreview(call);
+      const confirmed = await this.confirm(call, dangerLevel);
+      if (!confirmed) {
+        return {
+          callId: call.id,
+          content: "User cancelled the operation.",
+          isError: false
+        };
+      }
+    } else if (dangerLevel === "destructive") {
       const confirmed = await this.confirm(call, dangerLevel);
       if (!confirmed) {
         return {
@@ -3796,9 +3907,10 @@ var ToolExecutor = class {
           isError: false
         };
       }
+      this.printToolCall(call);
+    } else {
+      this.printToolCall(call);
     }
-    this.printToolCall(call);
-    this.printDiffPreview(call);
     try {
       const rawContent = await tool.execute(call.arguments);
       const content = truncateOutput(rawContent, call.name);
@@ -3951,14 +4063,14 @@ var ToolExecutor = class {
     rl.resume();
     process.stdout.write(color("Proceed? [y/N] (type y + Enter to confirm) "));
     this.confirming = true;
-    return new Promise((resolve4) => {
+    return new Promise((resolve5) => {
       const cleanup = (answer) => {
         rl.removeListener("line", onLine);
         this.cancelConfirmFn = null;
         rl.pause();
         rlAny.output = savedOutput;
         this.confirming = false;
-        resolve4(answer === "y");
+        resolve5(answer === "y");
       };
       const onLine = (line) => cleanup(line.trim().toLowerCase());
       this.cancelConfirmFn = () => {
@@ -4236,7 +4348,7 @@ function parseAtReferences(input2, cwd) {
   let match;
   while ((match = atPattern.exec(input2)) !== null) {
     const rawPath = match[1] ?? match[2] ?? match[3] ?? "";
-    const absPath = resolve3(cwd, rawPath);
+    const absPath = resolve4(cwd, rawPath);
     const ext = extname3(rawPath).toLowerCase();
     const mime = IMAGE_MIME[ext];
     if (!existsSync13(absPath)) {
@@ -4406,7 +4518,8 @@ ${this.activeSystemPrompt}`;
       ctx?.content ?? null,
       gitContextStr
     );
-    const pluginCount = await this.toolRegistry.loadPlugins(this.config.getPluginsDir());
+    const allowPlugins = this.config.get("allowPlugins");
+    const pluginCount = await this.toolRegistry.loadPlugins(this.config.getPluginsDir(), allowPlugins);
     const welcomeProvider = this.providers.get(this.currentProvider);
     const welcomeModelInfo = welcomeProvider?.info.models.find((m) => m.id === this.currentModel);
     this.renderer.printWelcome(this.currentProvider, this.currentModel, welcomeModelInfo?.contextWindow);
@@ -4434,7 +4547,7 @@ ${this.activeSystemPrompt}`;
       this.handleExit();
     });
     this.showPrompt();
-    await new Promise((resolve4) => {
+    await new Promise((resolve5) => {
       let processing = false;
       this.rl.on("line", async (line) => {
         if (this.toolExecutor.confirming) return;
@@ -4469,12 +4582,12 @@ ${this.activeSystemPrompt}`;
           process.stdin.resume();
           this.showPrompt();
         } else {
-          resolve4();
+          resolve5();
         }
       });
       this.rl.on("close", () => {
         if (!processing) {
-          resolve4();
+          resolve5();
         }
       });
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jinzd-ai-cli",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Cross-platform REPL-style AI CLI with multi-provider support",
   "type": "module",
   "main": "./dist/index.js",