kernelbot 1.0.33 → 1.0.34

package/src/tools/os.js

@@ -2,12 +2,24 @@ import { exec } from 'child_process';
 import { readFileSync, writeFileSync, mkdirSync, readdirSync, statSync } from 'fs';
 import { dirname, resolve, join } from 'path';
 import { homedir } from 'os';
+import { getLogger } from '../utils/logger.js';
 
+/**
+ * Expand a file path, resolving `~` to the user's home directory.
+ * @param {string} p - The path to expand.
+ * @returns {string} The resolved absolute path.
+ */
 function expandPath(p) {
   if (p.startsWith('~')) return join(homedir(), p.slice(1));
   return resolve(p);
 }
 
+/**
+ * Check whether a file path falls within any blocked path defined in config.
+ * @param {string} filePath - The path to check.
+ * @param {object} config - The bot configuration object.
+ * @returns {boolean} True if the path is blocked.
+ */
 function isBlocked(filePath, config) {
   const expanded = expandPath(filePath);
   const blockedPaths = config.security?.blocked_paths || [];
@@ -94,14 +106,25 @@ export const definitions = [
   },
 ];
 
-function listRecursive(dirPath, base = '') {
+/** Maximum recursion depth for directory listing to prevent stack overflow. */
+const MAX_RECURSIVE_DEPTH = 10;
+
+/**
+ * Recursively list all files and directories under a given path.
+ * @param {string} dirPath - Absolute path to the directory to list.
+ * @param {string} [base=''] - Relative path prefix for nested entries.
+ * @param {number} [depth=0] - Current recursion depth (internal).
+ * @returns {Array<{name: string, type: string}>} Flat array of entries.
+ */
+function listRecursive(dirPath, base = '', depth = 0) {
+  if (depth >= MAX_RECURSIVE_DEPTH) return [];
   const entries = [];
   for (const entry of readdirSync(dirPath, { withFileTypes: true })) {
     const rel = base ? `${base}/${entry.name}` : entry.name;
     const type = entry.isDirectory() ? 'directory' : 'file';
     entries.push({ name: rel, type });
     if (entry.isDirectory()) {
-      entries.push(...listRecursive(join(dirPath, entry.name), rel));
+      entries.push(...listRecursive(join(dirPath, entry.name), rel, depth + 1));
     }
   }
   return entries;
@@ -109,6 +132,7 @@ function listRecursive(dirPath, base = '') {
 
 export const handlers = {
   execute_command: async (params, context) => {
+    const logger = getLogger();
     const { command, timeout_seconds = 30 } = params;
     const { config } = context;
     const blockedPaths = config.security?.blocked_paths || [];
@@ -117,10 +141,13 @@ export const handlers = {
     for (const bp of blockedPaths) {
       const expanded = expandPath(bp);
       if (command.includes(expanded)) {
+        logger.warn(`execute_command blocked: command references restricted path ${bp}`);
         return { error: `Blocked: command references restricted path ${bp}` };
       }
     }
 
+    logger.debug(`execute_command: ${command.slice(0, 120)}`);
+
     return new Promise((res) => {
       let abortHandler = null;
 
@@ -164,8 +191,10 @@ export const handlers = {
   },
 
   read_file: async (params, context) => {
+    const logger = getLogger();
     const { path: filePath, max_lines } = params;
     if (isBlocked(filePath, context.config)) {
+      logger.warn(`read_file blocked: access to ${filePath} is restricted`);
       return { error: `Blocked: access to ${filePath} is restricted` };
     }
 
@@ -184,8 +213,10 @@ export const handlers = {
   },
 
   write_file: async (params, context) => {
+    const logger = getLogger();
     const { path: filePath, content } = params;
     if (isBlocked(filePath, context.config)) {
+      logger.warn(`write_file blocked: access to ${filePath} is restricted`);
       return { error: `Blocked: access to ${filePath} is restricted` };
     }
 
@@ -193,15 +224,19 @@ export const handlers = {
       const expanded = expandPath(filePath);
       mkdirSync(dirname(expanded), { recursive: true });
       writeFileSync(expanded, content, 'utf-8');
+      logger.debug(`write_file: wrote ${content.length} bytes to ${expanded}`);
       return { success: true, path: expanded };
     } catch (err) {
+      logger.error(`write_file error for ${filePath}: ${err.message}`);
       return { error: err.message };
     }
   },
 
   list_directory: async (params, context) => {
+    const logger = getLogger();
     const { path: dirPath, recursive = false } = params;
     if (isBlocked(dirPath, context.config)) {
+      logger.warn(`list_directory blocked: access to ${dirPath} is restricted`);
       return { error: `Blocked: access to ${dirPath} is restricted` };
     }
 

package/src/tools/process.js

@@ -1,13 +1,4 @@
-import { exec } from 'child_process';
-
-function run(cmd, timeout = 10000) {
-  return new Promise((resolve) => {
-    exec(cmd, { timeout }, (error, stdout, stderr) => {
-      if (error) return resolve({ error: stderr || error.message });
-      resolve({ output: stdout.trim() });
-    });
-  });
-}
+import { shellRun as run, shellEscape } from '../utils/shell.js';
 
 export const definitions = [
   {
@@ -52,22 +43,24 @@ export const definitions = [
 export const handlers = {
   process_list: async (params) => {
     const filter = params.filter;
-    const cmd = filter ? `ps aux | head -1 && ps aux | grep -i "${filter}" | grep -v grep` : 'ps aux';
+    const cmd = filter ? `ps aux | head -1 && ps aux | grep -i ${shellEscape(filter)} | grep -v grep` : 'ps aux';
     return await run(cmd);
   },
 
   kill_process: async (params) => {
     if (params.pid) {
-      return await run(`kill ${params.pid}`);
+      const pid = parseInt(params.pid, 10);
+      if (!Number.isFinite(pid) || pid <= 0) return { error: 'Invalid PID' };
+      return await run(`kill ${pid}`);
     }
     if (params.name) {
-      return await run(`pkill -f "${params.name}"`);
+      return await run(`pkill -f ${shellEscape(params.name)}`);
     }
     return { error: 'Provide either pid or name' };
   },
 
   service_control: async (params) => {
     const { service, action } = params;
-    return await run(`systemctl ${action} ${service}`);
+    return await run(`systemctl ${shellEscape(action)} ${shellEscape(service)}`);
   },
 };

package/src/utils/config.js

@@ -270,6 +270,65 @@ export function saveClaudeCodeAuth(config, mode, value) {
   // mode === 'system' — no credentials to save
 }
 
+/**
+ * Full interactive flow: change orchestrator model + optionally enter API key.
+ */
+export async function changeOrchestratorModel(config, rl) {
+  const { createProvider } = await import('../providers/index.js');
+  const { providerKey, modelId } = await promptProviderSelection(rl);
+
+  const providerDef = PROVIDERS[providerKey];
+
+  // Resolve API key
+  const envKey = providerDef.envKey;
+  let apiKey = process.env[envKey];
+  if (!apiKey) {
+    const key = await ask(rl, chalk.cyan(`\n  ${providerDef.name} API key (${envKey}): `));
+    if (!key.trim()) {
+      console.log(chalk.yellow('\n  No API key provided. Orchestrator not changed.\n'));
+      return config;
+    }
+    apiKey = key.trim();
+  }
+
+  // Validate the new provider before saving anything
+  console.log(chalk.dim(`\n  Verifying ${providerDef.name} / ${modelId}...`));
+  const testConfig = {
+    brain: {
+      provider: providerKey,
+      model: modelId,
+      max_tokens: config.orchestrator.max_tokens,
+      temperature: config.orchestrator.temperature,
+      api_key: apiKey,
+    },
+  };
+  try {
+    const testProvider = createProvider(testConfig);
+    await testProvider.ping();
+  } catch (err) {
+    console.log(chalk.red(`\n  ✖ Verification failed: ${err.message}`));
+    console.log(chalk.yellow(`  Orchestrator not changed. Keeping current model.\n`));
+    return config;
+  }
+
+  // Validation passed — save everything
+  const savedPath = saveOrchestratorToYaml(providerKey, modelId);
+  console.log(chalk.dim(`  Saved to ${savedPath}`));
+
+  config.orchestrator.provider = providerKey;
+  config.orchestrator.model = modelId;
+  config.orchestrator.api_key = apiKey;
+
+  // Save the key if it was newly entered
+  if (!process.env[envKey]) {
+    saveCredential(config, envKey, apiKey);
+    console.log(chalk.dim('  API key saved.\n'));
+  }
+
+  console.log(chalk.green(`  ✔ Orchestrator switched to ${providerDef.name} / ${modelId}\n`));
+  return config;
+}
+
 /**
  * Full interactive flow: change brain model + optionally enter API key.
  */

package/src/utils/shell.js

@@ -0,0 +1,31 @@
+import { exec } from 'child_process';
+
+/**
+ * Escape a string for safe use as a shell argument.
+ * Wraps the value in single quotes and escapes any embedded single quotes.
+ *
+ * @param {string} arg - The value to escape
+ * @returns {string} Shell-safe quoted string
+ */
+export function shellEscape(arg) {
+  if (arg === undefined || arg === null) return "''";
+  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
+}
+
+/**
+ * Run a shell command and return { output } on success or { error } on failure.
+ * Resolves (never rejects) so callers can handle errors via the result object.
+ *
+ * @param {string} cmd - The shell command to execute
+ * @param {number} [timeout=10000] - Max execution time in milliseconds
+ * @param {{ maxBuffer?: number }} [opts] - Optional exec options
+ * @returns {Promise<{ output: string } | { error: string }>}
+ */
+export function shellRun(cmd, timeout = 10000, opts = {}) {
+  return new Promise((resolve) => {
+    exec(cmd, { timeout, maxBuffer: opts.maxBuffer, ...opts }, (error, stdout, stderr) => {
+      if (error) return resolve({ error: stderr || error.message });
+      resolve({ output: stdout.trim() });
+    });
+  });
+}

package/src/utils/truncate.js

@@ -0,0 +1,42 @@
+/**
+ * Shared tool-result truncation logic.
+ * Used by both OrchestratorAgent and WorkerAgent to cap tool outputs
+ * before feeding them back into the LLM context window.
+ */
+
+const MAX_RESULT_LENGTH = 3000;
+
+const LARGE_FIELDS = [
+  'stdout', 'stderr', 'content', 'diff', 'output',
+  'body', 'html', 'text', 'log', 'logs',
+];
+
+/**
+ * Truncate a serialized tool result to fit within the context budget.
+ *
+ * Strategy:
+ *   1. If JSON.stringify(result) fits, return it as-is.
+ *   2. Otherwise, trim known large string fields to 500 chars each and retry.
+ *   3. If still too large, hard-slice the serialized string.
+ *
+ * @param {string} _name - Tool name (reserved for future per-tool limits)
+ * @param {any} result - Raw tool result object
+ * @returns {string} JSON string, guaranteed ≤ MAX_RESULT_LENGTH (+tail note)
+ */
+export function truncateToolResult(_name, result) {
+  let str = JSON.stringify(result);
+  if (str.length <= MAX_RESULT_LENGTH) return str;
+
+  if (result && typeof result === 'object') {
+    const truncated = { ...result };
+    for (const field of LARGE_FIELDS) {
+      if (typeof truncated[field] === 'string' && truncated[field].length > 500) {
+        truncated[field] = truncated[field].slice(0, 500) + `\n... [truncated ${truncated[field].length - 500} chars]`;
+      }
+    }
+    str = JSON.stringify(truncated);
+    if (str.length <= MAX_RESULT_LENGTH) return str;
+  }
+
+  return str.slice(0, MAX_RESULT_LENGTH) + `\n... [truncated, total ${str.length} chars]`;
+}

package/src/worker.js

@@ -5,9 +5,7 @@ import { getMissingCredential } from './utils/config.js';
 import { getWorkerPrompt } from './prompts/workers.js';
 import { getUnifiedSkillById } from './skills/custom.js';
 import { getLogger } from './utils/logger.js';
-
-const MAX_RESULT_LENGTH = 3000;
-const LARGE_FIELDS = ['stdout', 'stderr', 'content', 'diff', 'output', 'body', 'html', 'text', 'log', 'logs'];
+import { truncateToolResult } from './utils/truncate.js';
 
 /**
  * WorkerAgent — runs a scoped agent loop in the background.
@@ -371,21 +369,7 @@ export class WorkerAgent {
   }
 
   _truncateResult(name, result) {
-    let str = JSON.stringify(result);
-    if (str.length <= MAX_RESULT_LENGTH) return str;
-
-    if (result && typeof result === 'object') {
-      const truncated = { ...result };
-      for (const field of LARGE_FIELDS) {
-        if (typeof truncated[field] === 'string' && truncated[field].length > 500) {
-          truncated[field] = truncated[field].slice(0, 500) + `\n... [truncated ${truncated[field].length - 500} chars]`;
-        }
-      }
-      str = JSON.stringify(truncated);
-      if (str.length <= MAX_RESULT_LENGTH) return str;
-    }
-
-    return str.slice(0, MAX_RESULT_LENGTH) + `\n... [truncated, total ${str.length} chars]`;
+    return truncateToolResult(name, result);
   }
 
   _formatToolSummary(name, input) {