kernelbot 1.0.38 → 1.0.40

package/src/skills/loader.js

@@ -0,0 +1,382 @@
+/**
+ * Skills loader — parses markdown skill files with YAML frontmatter.
+ * Replaces catalog.js as the primary skill source.
+ * Uses js-yaml (already a dependency) instead of gray-matter.
+ */
+
+import { readFileSync, writeFileSync, readdirSync, existsSync, mkdirSync, unlinkSync, renameSync } from 'fs';
+import { join, basename, extname } from 'path';
+import { homedir } from 'os';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+import yaml from 'js-yaml';
+import { getLogger as _getLogger } from '../utils/logger.js';
+
+/** Safe logger that falls back to console if logger not initialized. */
+function getLogger() {
+  try {
+    return _getLogger();
+  } catch {
+    return console;
+  }
+}
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const BUILTIN_DIR = join(__dirname, '..', '..', 'skills');
+const CUSTOM_DIR = join(homedir(), '.kernelbot', 'skills');
+
+/** Category metadata for display purposes. */
+export const SKILL_CATEGORIES = {
+  engineering: { name: 'Engineering', emoji: '⚙️' },
+  design: { name: 'Design', emoji: '🎨' },
+  marketing: { name: 'Marketing', emoji: '📣' },
+  business: { name: 'Business', emoji: '💼' },
+  writing: { name: 'Writing', emoji: '✍️' },
+  data: { name: 'Data & AI', emoji: '📊' },
+  finance: { name: 'Finance', emoji: '💰' },
+  legal: { name: 'Legal', emoji: '⚖️' },
+  education: { name: 'Education', emoji: '📚' },
+  healthcare: { name: 'Healthcare', emoji: '🏥' },
+  creative: { name: 'Creative', emoji: '🎬' },
+};
+
+/** In-memory cache. Map<id, Skill> */
+let skillCache = null;
+
+/**
+ * Parse a markdown file with YAML frontmatter.
+ * Returns { data: {frontmatter}, body: string } or null on failure.
+ */
+function parseFrontmatter(content) {
+  const trimmed = content.trim();
+  if (!trimmed.startsWith('---')) return null;
+
+  const endIdx = trimmed.indexOf('---', 3);
+  if (endIdx === -1) return null;
+
+  const yamlStr = trimmed.slice(3, endIdx).trim();
+  const body = trimmed.slice(endIdx + 3).trim();
+
+  try {
+    const data = yaml.load(yamlStr) || {};
+    return { data, body };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Load a single .md skill file into a Skill object.
+ * @returns {object|null} Skill object or null if invalid
+ */
+function loadSkillFile(filePath) {
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const parsed = parseFrontmatter(content);
+    if (!parsed) return null;
+
+    const { data, body } = parsed;
+    if (!data.id || !data.name) return null;
+
+    return {
+      id: data.id,
+      name: data.name,
+      emoji: data.emoji || '🛠️',
+      category: data.category || 'custom',
+      description: data.description || '',
+      worker_affinity: data.worker_affinity || null,
+      tags: data.tags || [],
+      body, // raw markdown body = the full prompt
+      filePath,
+      isCustom: filePath.startsWith(CUSTOM_DIR),
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Scan a directory recursively for .md files and load them as skills.
+ * @returns {Map<string, object>} Map of id → skill
+ */
+function scanDirectory(dir) {
+  const results = new Map();
+  if (!existsSync(dir)) return results;
+
+  function walk(current) {
+    const entries = readdirSync(current, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join(current, entry.name);
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile() && extname(entry.name) === '.md') {
+        const skill = loadSkillFile(fullPath);
+        if (skill) {
+          results.set(skill.id, skill);
+        }
+      }
+    }
+  }
+
+  walk(dir);
+  return results;
+}
+
+/**
+ * Load all skills from built-in and custom directories.
+ * Custom skills override built-in skills with the same ID.
+ * @param {boolean} force - Force reload even if cached
+ * @returns {Map<string, object>} Map of id → skill
+ */
+export function loadAllSkills(force = false) {
+  if (skillCache && !force) return skillCache;
+
+  const logger = getLogger();
+  skillCache = new Map();
+
+  // Load built-in skills first
+  const builtins = scanDirectory(BUILTIN_DIR);
+  for (const [id, skill] of builtins) {
+    skillCache.set(id, skill);
+  }
+
+  // Load custom skills (override built-ins with same ID)
+  const customs = scanDirectory(CUSTOM_DIR);
+  for (const [id, skill] of customs) {
+    skillCache.set(id, skill);
+  }
+
+  logger.debug(`Skills loaded: ${builtins.size} built-in, ${customs.size} custom, ${skillCache.size} total`);
+  return skillCache;
+}
+
+/** Get a skill by ID. Custom-first lookup (custom dir overrides built-in). */
+export function getSkillById(id) {
+  const skills = loadAllSkills();
+  return skills.get(id) || null;
+}
+
+/** Return all skills in a given category. */
+export function getSkillsByCategory(categoryKey) {
+  const skills = loadAllSkills();
+  return [...skills.values()].filter(s => s.category === categoryKey);
+}
+
+/** Return an array of { key, name, emoji, count } for all categories that have skills. */
+export function getCategoryList() {
+  const skills = loadAllSkills();
+  const counts = new Map();
+
+  for (const skill of skills.values()) {
+    counts.set(skill.category, (counts.get(skill.category) || 0) + 1);
+  }
+
+  const result = [];
+  // Built-in categories first (in defined order)
+  for (const [key, cat] of Object.entries(SKILL_CATEGORIES)) {
+    const count = counts.get(key) || 0;
+    if (count > 0) {
+      result.push({ key, name: cat.name, emoji: cat.emoji, count });
+    }
+  }
+
+  // Custom category if any custom skills exist
+  const customSkills = [...skills.values()].filter(s => s.isCustom && s.category === 'custom');
+  if (customSkills.length > 0 && !result.find(r => r.key === 'custom')) {
+    result.push({ key: 'custom', name: 'Custom', emoji: '🛠️', count: customSkills.length });
+  }
+
+  return result;
+}
+
+/**
+ * Build a combined prompt string from multiple skill IDs.
+ * Each skill gets a header and its full body.
+ * @param {string[]} skillIds - Array of skill IDs
+ * @param {number} charBudget - Max characters (default ~16000 ≈ 4000 tokens)
+ * @returns {string|null} Combined prompt or null if no valid skills
+ */
+export function buildSkillPrompt(skillIds, charBudget = 16000) {
+  if (!skillIds || skillIds.length === 0) return null;
+
+  const skills = loadAllSkills();
+  const sections = [];
+
+  for (const id of skillIds) {
+    const skill = skills.get(id);
+    if (!skill) continue;
+    sections.push(`### Skill: ${skill.emoji} ${skill.name}\n${skill.body}`);
+  }
+
+  if (sections.length === 0) return null;
+
+  let combined = sections.join('\n\n');
+
+  // Truncate from end if over budget
+  if (combined.length > charBudget) {
+    combined = combined.slice(0, charBudget) + '\n\n[...truncated due to token budget]';
+  }
+
+  return combined;
+}
+
+/**
+ * Filter skill IDs by worker affinity.
+ * Skills with null worker_affinity pass through (available to all workers).
+ * @param {string[]} skillIds - All active skill IDs
+ * @param {string} workerType - The worker type (coding, browser, system, etc.)
+ * @returns {string[]} Filtered skill IDs
+ */
+export function filterSkillsForWorker(skillIds, workerType) {
+  if (!skillIds || skillIds.length === 0) return [];
+
+  const skills = loadAllSkills();
+  return skillIds.filter(id => {
+    const skill = skills.get(id);
+    if (!skill) return false;
+    // null affinity = available to all workers
+    if (!skill.worker_affinity) return true;
+    return skill.worker_affinity.includes(workerType);
+  });
+}
+
+/**
+ * Save a custom skill as a .md file.
+ * @param {{ name: string, emoji?: string, category?: string, body: string, description?: string }} opts
+ * @returns {object} The saved skill object
+ */
+export function saveCustomSkill({ name, emoji, category, body, description }) {
+  mkdirSync(CUSTOM_DIR, { recursive: true });
+
+  const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+  let id = `custom_${slug}`;
+
+  // Check for collision
+  const existing = loadAllSkills();
+  if (existing.has(id)) {
+    let n = 2;
+    while (existing.has(`${id}-${n}`)) n++;
+    id = `${id}-${n}`;
+  }
+
+  const frontmatter = {
+    id,
+    name,
+    emoji: emoji || '🛠️',
+    category: category || 'custom',
+    description: description || `Custom skill: ${name}`,
+  };
+
+  const yamlStr = yaml.dump(frontmatter, { lineWidth: -1 }).trim();
+  const content = `---\n${yamlStr}\n---\n\n${body}`;
+
+  const filePath = join(CUSTOM_DIR, `${id}.md`);
+  writeFileSync(filePath, content, 'utf-8');
+
+  // Invalidate cache
+  skillCache = null;
+
+  return loadSkillFile(filePath);
+}
+
+/**
+ * Delete a custom skill by ID.
+ * @returns {boolean} true if found and deleted
+ */
+export function deleteCustomSkill(id) {
+  const skill = getSkillById(id);
+  if (!skill || !skill.isCustom) return false;
+
+  try {
+    unlinkSync(skill.filePath);
+    skillCache = null; // invalidate cache
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/** Get all custom skills. */
+export function getCustomSkills() {
+  const skills = loadAllSkills();
+  return [...skills.values()].filter(s => s.isCustom);
+}
+
+/**
+ * Migrate old custom_skills.json to .md files.
+ * Called once on startup if the old file exists.
+ */
+export function migrateOldCustomSkills() {
+  const oldFile = join(homedir(), '.kernelbot', 'custom_skills.json');
+  if (!existsSync(oldFile)) return;
+
+  const logger = getLogger();
+  try {
+    const raw = readFileSync(oldFile, 'utf-8');
+    const oldSkills = JSON.parse(raw);
+    if (!Array.isArray(oldSkills) || oldSkills.length === 0) return;
+
+    mkdirSync(CUSTOM_DIR, { recursive: true });
+    let migrated = 0;
+
+    for (const old of oldSkills) {
+      if (!old.name || !old.systemPrompt) continue;
+
+      const slug = old.id || old.name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+      const id = slug.startsWith('custom_') ? slug : `custom_${slug}`;
+      const filePath = join(CUSTOM_DIR, `${id}.md`);
+
+      // Don't overwrite if already migrated
+      if (existsSync(filePath)) continue;
+
+      const frontmatter = {
+        id,
+        name: old.name,
+        emoji: old.emoji || '🛠️',
+        category: 'custom',
+        description: old.description || `Custom skill: ${old.name}`,
+      };
+
+      const yamlStr = yaml.dump(frontmatter, { lineWidth: -1 }).trim();
+      const content = `---\n${yamlStr}\n---\n\n${old.systemPrompt}`;
+      writeFileSync(filePath, content, 'utf-8');
+      migrated++;
+    }
+
+    if (migrated > 0) {
+      logger.info(`Migrated ${migrated} custom skills from JSON to .md files`);
+    }
+
+    // Rename old file to mark as migrated
+    renameSync(oldFile, oldFile + '.bak');
+    logger.info('Renamed custom_skills.json to custom_skills.json.bak');
+  } catch (err) {
+    logger.warn(`Failed to migrate old custom skills: ${err.message}`);
+  }
+}
+
+// ── Backward-compatible aliases ──────────────────────────────────────────
+// These maintain the same API surface that custom.js exported,
+// so existing imports keep working during the transition.
+
+/** Unified skill lookup (same as getSkillById — customs already override). */
+export const getUnifiedSkillById = getSkillById;
+
+/** Unified category list (same as getCategoryList — already includes custom). */
+export const getUnifiedCategoryList = getCategoryList;
+
+/** Unified skills by category (same as getSkillsByCategory). */
+export const getUnifiedSkillsByCategory = getSkillsByCategory;
+
+/** Backward-compat: load custom skills from disk (now a no-op, auto-loaded). */
+export function loadCustomSkills() {
+  loadAllSkills();
+}
+
+/**
+ * Backward-compat: add a custom skill.
+ * @param {{ name: string, systemPrompt: string, description?: string }} opts
+ */
+export function addCustomSkill({ name, systemPrompt, description }) {
+  return saveCustomSkill({ name, body: systemPrompt, description });
+}

package/src/swarm/worker-registry.js

@@ -24,7 +24,7 @@ export const WORKER_TYPES = {
     emoji: '🖥️',
     categories: ['core', 'process', 'monitor', 'network'],
     description: 'OS operations, monitoring, network',
-    timeout: 600,    // 10 minutes
+    timeout: 86400,  // 24 hours
   },
   devops: {
     label: 'DevOps Worker',
@@ -38,7 +38,7 @@ export const WORKER_TYPES = {
     emoji: '🔍',
     categories: ['browser', 'core'],
     description: 'Deep web research and analysis',
-    timeout: 600,    // 10 minutes
+    timeout: 86400,  // 24 hours
   },
   social: {
     label: 'Social Worker',

package/src/tools/browser.js

@@ -665,9 +665,16 @@ async function handleInteract(params, context) {
 
   for (const action of params.actions) {
     if (action.type === 'evaluate' && action.script) {
-      const blocked = /fetch\s*\(|XMLHttpRequest|window\.location\s*=|document\.cookie|localStorage|sessionStorage/i;
-      if (blocked.test(action.script)) {
-        return { error: 'Script contains blocked patterns (network requests, cookie access, storage access, or redirects)' };
+      // Block dangerous APIs using both direct access and bracket notation bypass patterns
+      const blocked = /fetch\s*\(|XMLHttpRequest|document\.cookie|localStorage|sessionStorage/i;
+      // Also detect bracket notation bypasses like window['location'], globalThis['fetch']
+      const bracketBypass = /\[\s*['"`](location|cookie|fetch|XMLHttpRequest|localStorage|sessionStorage|eval|Function)['"`]\s*\]/i;
+      // Block window.location assignment (direct or bracket)
+      const locationAssign = /window\s*(\.\s*location\s*=|\[\s*['"`]location['"`]\s*\]\s*=)/i;
+      // Block eval and Function constructor
+      const evalPattern = /\beval\s*\(|\bnew\s+Function\s*\(/i;
+      if (blocked.test(action.script) || bracketBypass.test(action.script) || locationAssign.test(action.script) || evalPattern.test(action.script)) {
+        return { error: 'Script contains blocked patterns (network requests, cookie access, storage access, eval, or redirects)' };
       }
     }
   }

package/src/tools/coding.js

@@ -34,6 +34,10 @@ export const definitions = [
           type: 'number',
           description: 'Max turns for Claude Code (optional, default from config)',
         },
+        timeout_seconds: {
+          type: 'number',
+          description: 'Override timeout in seconds for this invocation (optional, default from config)',
+        },
       },
       required: ['working_directory', 'prompt'],
     },
@@ -46,6 +50,17 @@ export const handlers = {
     const onUpdate = context.onUpdate || null;
     const dir = resolve(params.working_directory);
 
+    // Validate working_directory against blocked paths
+    const blockedPaths = context.config?.security?.blocked_paths || [];
+    for (const bp of blockedPaths) {
+      const expandedBp = resolve(bp.startsWith('~') ? bp.replace('~', process.env.HOME || '') : bp);
+      if (dir.startsWith(expandedBp) || dir === expandedBp) {
+        const msg = `Blocked: working directory is within restricted path ${bp}`;
+        logger.warn(`spawn_claude_code: ${msg}`);
+        return { error: msg };
+      }
+    }
+
     // Validate directory exists
     if (!existsSync(dir)) {
       const msg = `Directory not found: ${dir}`;
@@ -60,6 +75,7 @@ export const handlers = {
         workingDirectory: dir,
         prompt: params.prompt,
         maxTurns: params.max_turns,
+        timeoutMs: params.timeout_seconds ? params.timeout_seconds * 1000 : undefined,
         onOutput: onUpdate,
         signal: context.signal || null,
       });

package/src/tools/docker.js

@@ -94,6 +94,19 @@ export const handlers = {
   docker_compose: async (params) => {
     const logger = getLogger();
     const dir = params.project_dir ? `-f ${shellEscape(params.project_dir + '/docker-compose.yml')}` : '';
+
+    // Sanitize action: only allow known compose subcommands and safe flags
+    const ALLOWED_ACTIONS = ['up', 'down', 'build', 'logs', 'ps', 'restart', 'stop', 'start', 'pull', 'config', 'exec', 'run', 'top', 'images'];
+    const actionParts = params.action.trim().split(/\s+/);
+    const subcommand = actionParts[0];
+    if (!ALLOWED_ACTIONS.includes(subcommand)) {
+      return { error: `Invalid compose action: "${subcommand}". Allowed: ${ALLOWED_ACTIONS.join(', ')}` };
+    }
+    // Reject shell metacharacters in the action string to prevent injection
+    if (/[;&|`$(){}]/.test(params.action)) {
+      return { error: 'Invalid characters in compose action' };
+    }
+
     logger.debug(`docker_compose: ${params.action}`);
     const result = await run(`docker compose ${dir} ${params.action}`, 120000);
     if (result.error) logger.error(`docker_compose '${params.action}' failed: ${result.error}`);

package/src/tools/git.js

@@ -10,22 +10,29 @@ function getWorkspaceDir(config) {
   return dir;
 }
 
-function injectToken(url, config) {
+/**
+ * Get the auth header value for GitHub HTTPS operations.
+ * Uses extraheader instead of embedding credentials in the URL,
+ * preventing token leaks in git remote -v, error messages, and process listings.
+ */
+function getGitAuthEnv(config) {
   const token = config.github?.token || process.env.GITHUB_TOKEN;
-  if (!token) return url;
+  if (!token) return null;
+  const base64 = Buffer.from(`x-access-token:${token}`).toString('base64');
+  return `AUTHORIZATION: basic ${base64}`;
+}
 
-  // Inject token into HTTPS GitHub URLs for auth-free push/pull
-  try {
-    const parsed = new URL(url);
-    if (parsed.hostname === 'github.com' && parsed.protocol === 'https:') {
-      parsed.username = token;
-      parsed.password = 'x-oauth-basic';
-      return parsed.toString();
-    }
-  } catch {
-    // Not a parseable URL (e.g. org/repo shorthand before expansion)
+/**
+ * Configure a simple-git instance with auth via extraheader (not URL embedding).
+ */
+function configureGitAuth(git, config) {
+  const authHeader = getGitAuthEnv(config);
+  if (authHeader) {
+    git.env('GIT_CONFIG_COUNT', '1');
+    git.env('GIT_CONFIG_KEY_0', 'http.extraheader');
+    git.env('GIT_CONFIG_VALUE_0', authHeader);
   }
-  return url;
+  return git;
 }
 
 export const definitions = [
@@ -107,15 +114,19 @@ export const handlers = {
       url = `https://github.com/${repo}.git`;
     }
 
-    // Inject GitHub token for authenticated clone (enables push later)
-    const authUrl = injectToken(url, context.config);
-
     const repoName = dest || repo.split('/').pop().replace('.git', '');
+    // Prevent path traversal — dest must not escape workspace directory
+    if (repoName.includes('..') || repoName.startsWith('/')) {
+      return { error: 'Invalid destination: path traversal is not allowed' };
+    }
     const targetDir = join(workspaceDir, repoName);
+    if (!targetDir.startsWith(workspaceDir)) {
+      return { error: 'Invalid destination: path escapes workspace directory' };
+    }
 
     try {
-      const git = simpleGit();
-      await git.clone(authUrl, targetDir);
+      const git = configureGitAuth(simpleGit(), context.config);
+      await git.clone(url, targetDir);
       return { success: true, path: targetDir };
     } catch (err) {
       getLogger().error(`git_clone failed for ${params.repo}: ${err.message}`);
@@ -155,17 +166,8 @@ export const handlers = {
   git_push: async (params, context) => {
     const { dir, force = false } = params;
     try {
-      const git = simpleGit(dir);
-
-      // Ensure remote URL has auth token for push
-      const remotes = await git.getRemotes(true);
-      const origin = remotes.find((r) => r.name === 'origin');
-      if (origin) {
-        const authUrl = injectToken(origin.refs.push || origin.refs.fetch, context.config);
-        if (authUrl !== (origin.refs.push || origin.refs.fetch)) {
-          await git.remote(['set-url', 'origin', authUrl]);
-        }
-      }
+      // Use extraheader auth instead of modifying remote URLs
+      const git = configureGitAuth(simpleGit(dir), context.config);
 
       const branch = (await git.branchLocal()).current;
       const options = ['-u'];

package/src/tools/jira.js

@@ -186,7 +186,11 @@ export const handlers = {
       const client = getJiraClient(context.config);
       const assignee = params.assignee || 'currentUser()';
       const maxResults = params.max_results || 20;
-      const jql = `assignee = ${assignee} ORDER BY updated DESC`;
+      // Sanitize assignee to prevent JQL injection — allow currentUser() or quote the value
+      const safeAssignee = assignee === 'currentUser()'
+        ? 'currentUser()'
+        : `"${assignee.replace(/["\\]/g, '')}"`;
+      const jql = `assignee = ${safeAssignee} ORDER BY updated DESC`;
 
       const { data } = await client.get('/search', {
         params: {
@@ -215,7 +219,12 @@ export const handlers = {
     try {
       const client = getJiraClient(context.config);
       const maxResults = params.max_results || 20;
-      const jql = `project = ${params.project_key} ORDER BY updated DESC`;
+      // Sanitize project_key to prevent JQL injection — only allow alphanumeric and underscore
+      const safeProjectKey = params.project_key.replace(/[^a-zA-Z0-9_]/g, '');
+      if (safeProjectKey !== params.project_key) {
+        return { error: `Invalid project key: "${params.project_key}". Only alphanumeric characters and underscores are allowed.` };
+      }
+      const jql = `project = "${safeProjectKey}" ORDER BY updated DESC`;
 
       const { data } = await client.get('/search', {
         params: {

package/src/tools/monitor.js

@@ -75,7 +75,15 @@ export const handlers = {
       return await run(`journalctl -n ${finalLines}${filterArg} --no-pager`);
     }
 
-    // Reading a log file
+    // Reading a log file — restrict to known safe directories
+    const { resolve: resolvePath } = await import('path');
+    const resolvedSource = resolvePath(source);
+    const ALLOWED_LOG_DIRS = ['/var/log', process.cwd(), process.env.HOME || ''];
+    const isAllowed = ALLOWED_LOG_DIRS.some(dir => dir && resolvedSource.startsWith(dir));
+    if (!isAllowed) {
+      return { error: `Blocked: log source must be within /var/log, the project directory, or home directory` };
+    }
+
     const filterCmd = filter ? ` | grep -i ${shellEscape(filter)}` : '';
     return await run(`tail -n ${finalLines} ${shellEscape(source)}${filterCmd}`);
   },

package/src/tools/network.js

@@ -37,6 +37,25 @@ export const definitions = [
   },
 ];
 
+// SSRF protection: block requests to internal/cloud metadata addresses
+const BLOCKED_HOSTS = [
+  /^127\./,
+  /^10\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  /^169\.254\./,       // AWS/cloud metadata endpoint
+  /^0\./,
+  /^localhost$/i,
+  /^metadata\.google\.internal$/i,
+  /^\[::1\]$/,
+  /^\[fd/i,            // IPv6 private
+  /^\[fe80:/i,         // IPv6 link-local
+];
+
+function isBlockedHost(host) {
+  return BLOCKED_HOSTS.some(pattern => pattern.test(host));
+}
+
 export const handlers = {
   check_port: async (params) => {
     const logger = getLogger();
@@ -44,6 +63,11 @@ export const handlers = {
     const port = parseInt(params.port, 10);
     if (!Number.isFinite(port) || port <= 0 || port > 65535) return { error: 'Invalid port number' };
 
+    // SSRF protection: block internal network probing
+    if (host !== 'localhost' && isBlockedHost(host)) {
+      return { error: 'Blocked: cannot probe internal or cloud metadata addresses' };
+    }
+
     logger.debug(`check_port: checking ${host}:${port}`);
     // Use nc (netcat) for port check — works on both macOS and Linux
     const result = await run(`nc -z -w 3 ${shellEscape(host)} ${port} 2>&1 && echo "OPEN" || echo "CLOSED"`, 5000);
@@ -60,6 +84,16 @@ export const handlers = {
   curl_url: async (params) => {
     const { url, method = 'GET', headers, body } = params;
 
+    // SSRF protection: block requests to internal networks and cloud metadata
+    try {
+      const parsed = new URL(url);
+      if (isBlockedHost(parsed.hostname)) {
+        return { error: 'Blocked: cannot access internal or cloud metadata addresses' };
+      }
+    } catch {
+      return { error: 'Invalid URL' };
+    }
+
     let cmd = `curl -s -w "\\n---HTTP_STATUS:%{http_code}" -X ${shellEscape(method)}`;
 
     if (headers) {

package/src/tools/orchestrator-tools.js

@@ -770,7 +770,8 @@ export async function executeOrchestratorTool(name, input, context) {
       if (!conversationManager) return { error: 'Conversation system not available.' };
 
       const { query, chat_id } = input;
-      const targetChatId = chat_id || chatId;
+      // Prevent cross-chat history access — only allow searching own chat
+      const targetChatId = chatId;
       logger.info(`[search_conversations] Searching chat ${targetChatId} for: "${query}"`);
 
       const history = conversationManager.getHistory(targetChatId);