keystone-cli 0.5.1 → 0.6.1

package/src/runner/step-executor.test.ts

@@ -1,6 +1,19 @@
-import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, mock } from 'bun:test';
+import {
+  afterAll,
+  afterEach,
+  beforeAll,
+  beforeEach,
+  describe,
+  expect,
+  it,
+  mock,
+  spyOn,
+} from 'bun:test';
+import * as dns from 'node:dns/promises';
 import { mkdirSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
 import { join } from 'node:path';
+import type { MemoryDb } from '../db/memory-db';
 import type { ExpressionContext } from '../expression/evaluator';
 import type {
   FileStep,
@@ -10,6 +23,8 @@ import type {
   SleepStep,
   WorkflowStep,
 } from '../parser/schema';
+import type { SafeSandbox } from '../utils/sandbox';
+import type { getAdapter } from './llm-adapter';
 import { executeStep } from './step-executor';
 
 // Mock executeLlmStep
@@ -187,6 +202,224 @@ describe('step-executor', () => {
       expect(result.status).toBe('failed');
       expect(result.error).toContain('Unknown file operation');
     });
+
+    it('should allow file paths outside cwd when allowOutsideCwd is true', async () => {
+      const outsidePath = join(tmpdir(), `keystone-test-${Date.now()}.txt`);
+
+      const writeStep: FileStep = {
+        id: 'w-outside',
+        type: 'file',
+        needs: [],
+        op: 'write',
+        path: outsidePath,
+        content: 'outside',
+        allowOutsideCwd: true,
+      };
+
+      try {
+        const writeResult = await executeStep(writeStep, context);
+        expect(writeResult.status).toBe('success');
+
+        const content = await Bun.file(outsidePath).text();
+        expect(content).toBe('outside');
+      } finally {
+        try {
+          rmSync(outsidePath);
+        } catch (e) {
+          // Ignore cleanup errors
+        }
+      }
+    });
+
+    it('should block path traversal outside cwd by default', async () => {
+      const outsidePath = join(process.cwd(), '..', 'outside.txt');
+      const step: FileStep = {
+        id: 'f1',
+        type: 'file',
+        needs: [],
+        op: 'read',
+        path: outsidePath,
+      };
+
+      const result = await executeStep(step, context);
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('Access denied');
+    });
+
+    it('should block path traversal with .. inside path resolving outside', async () => {
+      const outsidePath = 'foo/../../passwd';
+      const step: FileStep = {
+        id: 'f1',
+        type: 'file',
+        needs: [],
+        op: 'read',
+        path: outsidePath,
+      };
+
+      const result = await executeStep(step, context);
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('Access denied');
+    });
+  });
+
+  describe('script', () => {
+    const mockSandbox = {
+      execute: mock((code) => {
+        if (code === 'fail') throw new Error('Script failed');
+        return Promise.resolve('script-result');
+      }),
+    };
+
+    it('should fail if allowInsecure is not set', async () => {
+      // @ts-ignore
+      const step = {
+        id: 's1',
+        type: 'script',
+        run: 'console.log("hello")',
+      };
+      const result = await executeStep(step, context, undefined, {
+        sandbox: mockSandbox as unknown as typeof SafeSandbox,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('Script execution is disabled by default');
+    });
+
+    it('should execute script if allowInsecure is true', async () => {
+      // @ts-ignore
+      const step = {
+        id: 's1',
+        type: 'script',
+        run: 'console.log("hello")',
+        allowInsecure: true,
+      };
+      const result = await executeStep(step, context, undefined, {
+        sandbox: mockSandbox as unknown as typeof SafeSandbox,
+      });
+      expect(result.status).toBe('success');
+      expect(result.output).toBe('script-result');
+    });
+
+    it('should handle script failure', async () => {
+      // @ts-ignore
+      const step = {
+        id: 's1',
+        type: 'script',
+        run: 'fail',
+        allowInsecure: true,
+      };
+      const result = await executeStep(step, context, undefined, {
+        sandbox: mockSandbox as unknown as typeof SafeSandbox,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toBe('Script failed');
+    });
+  });
+
+  describe('memory', () => {
+    const mockMemoryDb = {
+      store: mock(() => Promise.resolve('mem-id')),
+      search: mock(() => Promise.resolve([{ content: 'found', similarity: 0.9 }])),
+    };
+
+    const mockGetAdapter = mock((model) => {
+      if (model === 'no-embed') return { adapter: {}, resolvedModel: model };
+      return {
+        adapter: {
+          embed: mock((text) => Promise.resolve([0.1, 0.2, 0.3])),
+        },
+        resolvedModel: model,
+      };
+    });
+
+    it('should fail if memoryDb is not provided', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'store', text: 'foo' };
+      const result = await executeStep(step, context, undefined, {
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toBe('Memory database not initialized');
+    });
+
+    it('should fail if adapter does not support embedding', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'store', text: 'foo', model: 'no-embed' };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('does not support embeddings');
+    });
+
+    it('should store memory', async () => {
+      // @ts-ignore
+      const step = {
+        id: 'm1',
+        type: 'memory',
+        op: 'store',
+        text: 'foo',
+        metadata: { source: 'test' },
+      };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('success');
+      expect(result.output).toEqual({ id: 'mem-id', status: 'stored' });
+      expect(mockMemoryDb.store).toHaveBeenCalledWith('foo', [0.1, 0.2, 0.3], { source: 'test' });
+    });
+
+    it('should search memory', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'search', query: 'foo', limit: 5 };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('success');
+      expect(result.output).toEqual([{ content: 'found', similarity: 0.9 }]);
+      expect(mockMemoryDb.search).toHaveBeenCalledWith([0.1, 0.2, 0.3], 5);
+    });
+
+    it('should fail store if text is missing', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'store' };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toBe('Text is required for memory store operation');
+    });
+
+    it('should fail search if query is missing', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'search' };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toBe('Query is required for memory search operation');
+    });
+
+    it('should fail for unknown memory operation', async () => {
+      // @ts-ignore
+      const step = { id: 'm1', type: 'memory', op: 'unknown', text: 'foo' };
+      // @ts-ignore
+      const result = await executeStep(step, context, undefined, {
+        memoryDb: mockMemoryDb as unknown as MemoryDb,
+        getAdapter: mockGetAdapter as unknown as typeof getAdapter,
+      });
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('Unknown memory operation');
+    });
   });
 
   describe('sleep', () => {
@@ -207,14 +440,19 @@ describe('step-executor', () => {
 
   describe('request', () => {
     const originalFetch = global.fetch;
+    let lookupSpy: ReturnType<typeof spyOn>;
 
     beforeEach(() => {
       // @ts-ignore
       global.fetch = mock();
+      lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
+        { address: '93.184.216.34', family: 4 },
+      ] as unknown as Awaited<ReturnType<typeof dns.lookup>>);
     });
 
     afterEach(() => {
       global.fetch = originalFetch;
+      lookupSpy.mockRestore();
     });
 
     it('should perform an HTTP request', async () => {
@@ -472,7 +710,7 @@ describe('step-executor', () => {
       );
 
       // @ts-ignore
-      const result = await executeStep(step, context, undefined, executeWorkflowFn);
+      const result = await executeStep(step, context, undefined, { executeWorkflowFn });
       expect(result.status).toBe('success');
       expect(result.output).toBe('child-output');
       expect(executeWorkflowFn).toHaveBeenCalled();

package/src/runner/step-executor.ts

@@ -1,9 +1,11 @@
+import type { MemoryDb } from '../db/memory-db.ts';
 import type { ExpressionContext } from '../expression/evaluator.ts';
 import { ExpressionEvaluator } from '../expression/evaluator.ts';
 // Removed synchronous file I/O imports - using Bun's async file API instead
 import type {
   FileStep,
   HumanStep,
+  MemoryStep,
   RequestStep,
   ScriptStep,
   ShellStep,
@@ -11,12 +13,17 @@ import type {
   Step,
   WorkflowStep,
 } from '../parser/schema.ts';
+import { ConsoleLogger, type Logger } from '../utils/logger.ts';
+import { getAdapter } from './llm-adapter.ts';
 import { detectShellInjectionRisk, executeShell } from './shell-executor.ts';
-import type { Logger } from './workflow-runner.ts';
 
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
 import * as readline from 'node:readline/promises';
 import { SafeSandbox } from '../utils/sandbox.ts';
 import { executeLlmStep } from './llm-executor.ts';
+import { validateRemoteUrl } from './mcp-client.ts';
 import type { MCPManager } from './mcp-manager.ts';
 
 export class WorkflowSuspendedError extends Error {
@@ -41,18 +48,39 @@ export interface StepResult {
   };
 }
 
+/**
+ * Execute a single step based on its type
+ */
+export interface StepExecutorOptions {
+  executeWorkflowFn?: (step: WorkflowStep, context: ExpressionContext) => Promise<StepResult>;
+  mcpManager?: MCPManager;
+  memoryDb?: MemoryDb;
+  workflowDir?: string;
+  dryRun?: boolean;
+  // Dependency injection for testing
+  getAdapter?: typeof getAdapter;
+  sandbox?: typeof SafeSandbox;
+}
+
 /**
  * Execute a single step based on its type
  */
 export async function executeStep(
   step: Step,
   context: ExpressionContext,
-  logger: Logger = console,
-  executeWorkflowFn?: (step: WorkflowStep, context: ExpressionContext) => Promise<StepResult>,
-  mcpManager?: MCPManager,
-  workflowDir?: string,
-  dryRun?: boolean
+  logger: Logger = new ConsoleLogger(),
+  options: StepExecutorOptions = {}
 ): Promise<StepResult> {
+  const {
+    executeWorkflowFn,
+    mcpManager,
+    memoryDb,
+    workflowDir,
+    dryRun,
+    getAdapter: injectedGetAdapter,
+    sandbox: injectedSandbox,
+  } = options;
+
   try {
     let result: StepResult;
     switch (step.type) {
@@ -75,12 +103,15 @@ export async function executeStep(
         result = await executeLlmStep(
           step,
           context,
-          (s, c) => executeStep(s, c, logger, executeWorkflowFn, mcpManager, workflowDir, dryRun),
+          (s, c) => executeStep(s, c, logger, options),
           logger,
           mcpManager,
           workflowDir
         );
         break;
+      case 'memory':
+        result = await executeMemoryStep(step, context, logger, memoryDb, injectedGetAdapter);
+        break;
       case 'workflow':
         if (!executeWorkflowFn) {
           throw new Error('Workflow executor not provided');
@@ -88,7 +119,7 @@ export async function executeStep(
         result = await executeWorkflowFn(step, context);
         break;
       case 'script':
-        result = await executeScriptStep(step, context, logger);
+        result = await executeScriptStep(step, context, logger, injectedSandbox);
         break;
       default:
         throw new Error(`Unknown step type: ${(step as Step).type}`);
@@ -150,44 +181,10 @@ async function executeShellStep(
   const command = ExpressionEvaluator.evaluateString(step.run, context);
   const isRisky = detectShellInjectionRisk(command);
 
-  if (isRisky) {
-    // Check if we have a resume approval
-    const stepInputs = context.inputs
-      ? (context.inputs as Record<string, unknown>)[step.id]
-      : undefined;
-    if (
-      stepInputs &&
-      typeof stepInputs === 'object' &&
-      '__approved' in stepInputs &&
-      stepInputs.__approved === true
-    ) {
-      // Already approved, proceed
-    } else {
-      const message = `Potentially risky shell command detected: ${command}`;
-
-      if (!process.stdin.isTTY) {
-        return {
-          output: null,
-          status: 'suspended',
-          error: `APPROVAL_REQUIRED: ${message}`,
-        };
-      }
-
-      const rl = readline.createInterface({
-        input: process.stdin,
-        output: process.stdout,
-      });
-
-      try {
-        logger.warn(`\n⚠️  ${message}`);
-        const answer = (await rl.question('Do you want to execute this command? (y/N): ')).trim();
-        if (answer.toLowerCase() !== 'y' && answer.toLowerCase() !== 'yes') {
-          throw new Error('Command execution denied by user');
-        }
-      } finally {
-        rl.close();
-      }
-    }
+  if (isRisky && !step.allowInsecure) {
+    throw new Error(
+      `Security Error: Command contains shell metacharacters that may indicate injection risk.\n   Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}\n   To execute this command, set 'allowInsecure: true' on the step definition.`
+    );
   }
 
   const result = await executeShell(step, context, logger);
@@ -227,22 +224,62 @@ async function executeFileStep(
   _logger: Logger,
   dryRun?: boolean
 ): Promise<StepResult> {
-  const path = ExpressionEvaluator.evaluateString(step.path, context);
+  const rawPath = ExpressionEvaluator.evaluateString(step.path, context);
+
+  // Security: Prevent path traversal
+  const cwd = process.cwd();
+  const resolvedPath = path.resolve(cwd, rawPath);
+  const realCwd = fs.realpathSync(cwd);
+  const isWithin = (target: string) => {
+    const relativePath = path.relative(realCwd, target);
+    return !(relativePath.startsWith('..') || path.isAbsolute(relativePath));
+  };
+  const getExistingAncestorRealPath = (start: string) => {
+    let current = start;
+    while (!fs.existsSync(current)) {
+      const parent = path.dirname(current);
+      if (parent === current) {
+        break;
+      }
+      current = parent;
+    }
+    if (!fs.existsSync(current)) {
+      return realCwd;
+    }
+    return fs.realpathSync(current);
+  };
+
+  if (!step.allowOutsideCwd) {
+    if (fs.existsSync(resolvedPath)) {
+      const realTarget = fs.realpathSync(resolvedPath);
+      if (!isWithin(realTarget)) {
+        throw new Error(`Access denied: Path '${rawPath}' resolves outside the working directory.`);
+      }
+    } else {
+      const realParent = getExistingAncestorRealPath(path.dirname(resolvedPath));
+      if (!isWithin(realParent)) {
+        throw new Error(`Access denied: Path '${rawPath}' resolves outside the working directory.`);
+      }
+    }
+  }
+
+  // Use resolved path for operations
+  const targetPath = resolvedPath;
 
   if (dryRun && step.op !== 'read') {
     const opVerb = step.op === 'write' ? 'write to' : 'append to';
-    _logger.log(`[DRY RUN] Would ${opVerb} file: ${path}`);
+    _logger.log(`[DRY RUN] Would ${opVerb} file: ${targetPath}`);
     return {
-      output: { path, bytes: 0 },
+      output: { path: targetPath, bytes: 0 },
       status: 'success',
     };
   }
 
   switch (step.op) {
     case 'read': {
-      const file = Bun.file(path);
+      const file = Bun.file(targetPath);
       if (!(await file.exists())) {
-        throw new Error(`File not found: ${path}`);
+        throw new Error(`File not found: ${targetPath}`);
       }
       const content = await file.text();
       return {
@@ -258,14 +295,14 @@ async function executeFileStep(
       const content = ExpressionEvaluator.evaluateString(step.content, context);
 
       // Ensure parent directory exists
-      const fs = await import('node:fs/promises');
-      const pathModule = await import('node:path');
-      const dir = pathModule.dirname(path);
-      await fs.mkdir(dir, { recursive: true });
+      const dir = path.dirname(targetPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
 
-      const bytes = await Bun.write(path, content);
+      await Bun.write(targetPath, content);
       return {
-        output: { path, bytes },
+        output: { path: targetPath, bytes: content.length },
         status: 'success',
       };
     }
@@ -277,16 +314,15 @@ async function executeFileStep(
       const content = ExpressionEvaluator.evaluateString(step.content, context);
 
       // Ensure parent directory exists
-      const fs = await import('node:fs/promises');
-      const pathModule = await import('node:path');
-      const dir = pathModule.dirname(path);
-      await fs.mkdir(dir, { recursive: true });
+      const dir = path.dirname(targetPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
 
-      // Use Node.js fs for efficient append operation
-      await fs.appendFile(path, content, 'utf-8');
+      fs.appendFileSync(targetPath, content);
 
       return {
-        output: { path, bytes: content.length },
+        output: { path: targetPath, bytes: content.length },
         status: 'success',
       };
     }
@@ -306,6 +342,9 @@ async function executeRequestStep(
 ): Promise<StepResult> {
   const url = ExpressionEvaluator.evaluateString(step.url, context);
 
+  // Validate URL to prevent SSRF
+  await validateRemoteUrl(url);
+
   // Evaluate headers
   const headers: Record<string, string> = {};
   if (step.headers) {
@@ -363,7 +402,7 @@ async function executeRequestStep(
     output: {
       status: response.status,
       statusText: response.statusText,
-      headers: Object.fromEntries(response.headers.entries()),
+      headers: Object.fromEntries(response.headers as unknown as Iterable<[string, string]>),
       data: responseData,
     },
     status: response.ok ? 'success' : 'failed',
@@ -483,10 +522,18 @@ async function executeSleepStep(
 async function executeScriptStep(
   step: ScriptStep,
   context: ExpressionContext,
-  _logger: Logger
+  _logger: Logger,
+  sandbox = SafeSandbox
 ): Promise<StepResult> {
   try {
-    const result = await SafeSandbox.execute(
+    if (!step.allowInsecure) {
+      throw new Error(
+        'Script execution is disabled by default because Bun uses an insecure VM sandbox. ' +
+          "Set 'allowInsecure: true' on the script step to run it anyway."
+      );
+    }
+
+    const result = await sandbox.execute(
       step.run,
       {
         inputs: context.inputs,
@@ -495,7 +542,7 @@ async function executeScriptStep(
         env: context.env,
       },
       {
-        allowInsecureFallback: step.allowInsecure,
+        timeout: step.timeout,
       }
     );
 
@@ -511,3 +558,71 @@ async function executeScriptStep(
     };
   }
 }
+
+/**
+ * Execute a memory operation (search or store)
+ */
+async function executeMemoryStep(
+  step: MemoryStep,
+  context: ExpressionContext,
+  logger: Logger,
+  memoryDb?: MemoryDb,
+  getAdapterFn = getAdapter
+): Promise<StepResult> {
+  if (!memoryDb) {
+    throw new Error('Memory database not initialized');
+  }
+
+  try {
+    const { adapter, resolvedModel } = getAdapterFn(step.model || 'local');
+    if (!adapter.embed) {
+      throw new Error(`Provider for model ${step.model || 'local'} does not support embeddings`);
+    }
+
+    if (step.op === 'store') {
+      const text = step.text ? ExpressionEvaluator.evaluateString(step.text, context) : '';
+      if (!text) {
+        throw new Error('Text is required for memory store operation');
+      }
+
+      logger.log(
+        `  💾 Storing in memory: ${text.substring(0, 50)}${text.length > 50 ? '...' : ''}`
+      );
+      const embedding = await adapter.embed(text, resolvedModel);
+      const metadata = step.metadata
+        ? // biome-ignore lint/suspicious/noExplicitAny: metadata typing
+          (ExpressionEvaluator.evaluateObject(step.metadata, context) as Record<string, any>)
+        : {};
+
+      const id = await memoryDb.store(text, embedding, metadata);
+      return {
+        output: { id, status: 'stored' },
+        status: 'success',
+      };
+    }
+
+    if (step.op === 'search') {
+      const query = step.query ? ExpressionEvaluator.evaluateString(step.query, context) : '';
+      if (!query) {
+        throw new Error('Query is required for memory search operation');
+      }
+
+      logger.log(`  🔍 Recalling memory: "${query}"`);
+      const embedding = await adapter.embed(query, resolvedModel);
+      const results = await memoryDb.search(embedding, step.limit);
+
+      return {
+        output: results,
+        status: 'success',
+      };
+    }
+
+    throw new Error(`Unknown memory operation: ${step.op}`);
+  } catch (error) {
+    return {
+      output: null,
+      status: 'failed',
+      error: error instanceof Error ? error.message : String(error),
+    };
+  }
+}