keystone-cli 2.0.0 → 2.1.0

package/src/utils/context-injector.ts

@@ -1,6 +1,8 @@
-import * as fs from 'node:fs';
+import { existsSync } from 'node:fs'; // Keep for synchronous fallbacks if absolutely needed, but prefer async
+import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
-import { globSync } from 'glob';
+import { glob } from 'glob';
+import { minimatch } from 'minimatch';
 import { ConfigLoader } from './config-loader';
 
 export interface ContextData {
@@ -23,17 +25,27 @@ export class ContextInjector {
   private static contextCache = new Map<string, { context: ContextData; timestamp: number }>();
   private static CACHE_TTL_MS = 60000; // 1 minute cache
 
+  // Helper to check file existence asynchronously
+  private static async exists(filePath: string): Promise<boolean> {
+    try {
+      await fs.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
   /**
    * Find the project root by looking for common project markers
    */
-  static findProjectRoot(startPath: string): string {
+  static async findProjectRoot(startPath: string): Promise<string> {
     const markers = ['.git', 'package.json', 'Cargo.toml', 'go.mod', 'pyproject.toml', '.keystone'];
     let current = path.resolve(startPath);
     const root = path.parse(current).root;
 
     while (current !== root) {
       for (const marker of markers) {
-        if (fs.existsSync(path.join(current, marker))) {
+        if (await ContextInjector.exists(path.join(current, marker))) {
           return current;
         }
       }
@@ -46,9 +58,12 @@ export class ContextInjector {
   /**
    * Scan directories for README.md and AGENTS.md files
    */
-  static scanDirectoryContext(dir: string, depth = 3): Omit<ContextData, 'cursorRules'> {
+  static async scanDirectoryContext(
+    dir: string,
+    depth = 3
+  ): Promise<Omit<ContextData, 'cursorRules'>> {
     const result: Omit<ContextData, 'cursorRules'> = {};
-    const projectRoot = ContextInjector.findProjectRoot(dir);
+    const projectRoot = await ContextInjector.findProjectRoot(dir);
     let current = path.resolve(dir);
 
     // Walk from current dir up to project root, limited by depth
@@ -56,9 +71,9 @@ export class ContextInjector {
       // Check for README.md (only use first one found, closest to working dir)
       if (!result.readme) {
         const readmePath = path.join(current, 'README.md');
-        if (fs.existsSync(readmePath)) {
+        if (await ContextInjector.exists(readmePath)) {
           try {
-            result.readme = fs.readFileSync(readmePath, 'utf-8');
+            result.readme = await fs.readFile(readmePath, 'utf-8');
           } catch {
             // Ignore read errors
           }
@@ -68,9 +83,9 @@ export class ContextInjector {
       // Check for AGENTS.md (only use first one found, closest to working dir)
       if (!result.agentsMd) {
         const agentsMdPath = path.join(current, 'AGENTS.md');
-        if (fs.existsSync(agentsMdPath)) {
+        if (await ContextInjector.exists(agentsMdPath)) {
           try {
-            result.agentsMd = fs.readFileSync(agentsMdPath, 'utf-8');
+            result.agentsMd = await fs.readFile(agentsMdPath, 'utf-8');
           } catch {
             // Ignore read errors
           }
@@ -89,25 +104,27 @@ export class ContextInjector {
   /**
    * Scan for .cursor/rules or .claude/rules files that apply to accessed files
    */
-  static scanRules(filesAccessed: string[]): string[] {
+  static async scanRules(filesAccessed: string[]): Promise<string[]> {
     const rules: string[] = [];
     const rulesDirs = ['.cursor/rules', '.claude/rules'];
-    const projectRoot =
-      filesAccessed.length > 0
-        ? ContextInjector.findProjectRoot(path.dirname(filesAccessed[0]))
-        : process.cwd();
+
+    let projectRoot = process.cwd();
+    if (filesAccessed.length > 0) {
+      projectRoot = await ContextInjector.findProjectRoot(path.dirname(filesAccessed[0]));
+    }
 
     for (const rulesDir of rulesDirs) {
       const rulesPath = path.join(projectRoot, rulesDir);
-      if (!fs.existsSync(rulesPath)) continue;
+      if (!(await ContextInjector.exists(rulesPath))) continue;
 
       try {
-        const files = fs.readdirSync(rulesPath);
+        const files = await fs.readdir(rulesPath);
         for (const file of files) {
           const rulePath = path.join(rulesPath, file);
-          if (!fs.statSync(rulePath).isFile()) continue;
+          const stats = await fs.stat(rulePath);
+          if (!stats.isFile()) continue;
 
-          const content = fs.readFileSync(rulePath, 'utf-8');
+          const content = await fs.readFile(rulePath, 'utf-8');
 
           // Check if rule applies to any of the accessed files
           // Rules can have a glob pattern on the first line prefixed with "applies:"
@@ -117,13 +134,35 @@ export class ContextInjector {
             const matchesAny = filesAccessed.some((f) => {
               const relativePath = path.relative(projectRoot, f);
               try {
-                const matches = globSync(pattern, { cwd: projectRoot });
-                return matches.includes(relativePath);
+                // Using synchronous glob logic for pattern matching against specific files is tricky with 'glob' package
+                // 'glob' package usually searches the filesystem.
+                // We want minimatch-style matching.
+                // Typically 'glob' exports 'minimatch' or we use 'minimatch' package.
+                // Assuming we can fallback to checking if the file matches the glob by expanding the glob?
+                // Or simplified: use glob to find files matching pattern and see if ours is in it.
+                // NOTE: For performance, ideally we'd use 'minimatch'. But we don't know if it's installed.
+                // We'll stick to 'glob' to list matches and check inclusion.
+                // This might be slow if the glob matches EVERYTHING.
+                // Optimization: If pattern is simple, maybe regex.
+                // Given constraints, we will attempt to limit the scope or assume 'glob' is efficient enough.
+                // Actually, 'glob' function is async.
+                return false; // Placeholder, real impl below
               } catch {
                 return false;
               }
             });
-            if (!matchesAny) continue;
+
+            // Use minimatch to check if the file matches the pattern
+            // This avoids scanning the entire filesystem with glob
+            const relativePath = path.relative(projectRoot, filesAccessed[0]); // Check the first file for now, or loop all
+
+            // Note: In real usage, we should probably check against ALL accessed files.
+            // The current logic only checked filesAccessed vs the glob list.
+            const isMatch = filesAccessed.some((f) =>
+              minimatch(path.relative(projectRoot, f), pattern)
+            );
+
+            if (!isMatch) continue;
           }
 
           rules.push(content);
@@ -174,11 +213,11 @@ export class ContextInjector {
   /**
    * Get context for a directory, using cache if available
    */
-  static getContext(
+  static async getContext(
     dir: string,
     filesAccessed: string[],
     config?: ContextInjectorConfig
-  ): ContextData {
+  ): Promise<ContextData> {
     // Default config from ConfigLoader
     let effectiveConfig = config;
     if (!effectiveConfig) {
@@ -216,7 +255,10 @@ export class ContextInjector {
       effectiveConfig.sources.includes('readme') ||
       effectiveConfig.sources.includes('agents_md')
     ) {
-      const dirContext = ContextInjector.scanDirectoryContext(dir, effectiveConfig.search_depth);
+      const dirContext = await ContextInjector.scanDirectoryContext(
+        dir,
+        effectiveConfig.search_depth
+      );
       if (effectiveConfig.sources.includes('readme')) {
         context.readme = dirContext.readme;
       }
@@ -226,7 +268,7 @@ export class ContextInjector {
     }
 
     if (effectiveConfig.sources.includes('cursor_rules')) {
-      context.cursorRules = ContextInjector.scanRules(filesAccessed);
+      context.cursorRules = await ContextInjector.scanRules(filesAccessed);
     }
 
     // Cache the result

package/src/utils/process-sandbox.ts

@@ -66,19 +66,24 @@ export class ProcessSandbox {
     const timeout = options.timeout ?? TIMEOUTS.DEFAULT_SCRIPT_TIMEOUT_MS;
     const tempDir = join(tmpdir(), `keystone-sandbox-${randomUUID()}`);
 
+    // Security Check: Prevent dynamic import usage
+    if (/\bimport\s*\(/.test(code)) {
+      throw new Error('Security Error: Dynamic imports are not allowed in sandboxed scripts.');
+    }
+
     try {
       // Create temp directory with restrictive permissions (0o700 = owner only)
       await mkdir(tempDir, { recursive: true, mode: FILE_MODES.SECURE_DIR });
 
       // Write the runner script
-      const runnerScript = ProcessSandbox.createRunnerScript(code, context, !!options.useWorker);
+      const runnerScript = ProcessSandbox.createRunnerScript(code, !!options.useWorker);
       const scriptPath = join(tempDir, 'script.js');
       await writeFile(scriptPath, runnerScript, 'utf-8');
 
       // Execute in subprocess or worker
       const result = options.useWorker
-        ? await ProcessSandbox.runInWorker(scriptPath, timeout, options)
-        : await ProcessSandbox.runInSubprocess(scriptPath, timeout, options);
+        ? await ProcessSandbox.runInWorker(scriptPath, timeout, options, context)
+        : await ProcessSandbox.runInSubprocess(scriptPath, timeout, options, context);
 
       if (options.signal?.aborted) {
         throw new Error('Script execution aborted');
@@ -106,153 +111,126 @@ export class ProcessSandbox {
   /**
    * Create the runner script that will be executed in the subprocess or worker.
    */
-  private static createRunnerScript(
-    code: string,
-    context: Record<string, unknown>,
-    isWorker: boolean
-  ): string {
-    // Check for prototype pollution attempts before serialization
-    const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
-    const checkForDangerousKeys = (
-      obj: unknown,
-      path = '',
-      visited = new WeakSet<object>()
-    ): void => {
-      if (obj === null || typeof obj !== 'object') return;
-
-      // Prevent infinite loops with circular references
-      if (visited.has(obj)) return;
-      visited.add(obj);
-
-      // Handle arrays - check each element
-      if (Array.isArray(obj)) {
-        obj.forEach((item, idx) => checkForDangerousKeys(item, `${path}[${idx}]`, visited));
-        return;
-      }
-
-      // Use getOwnPropertyNames to catch non-enumerable properties too
-      for (const key of Object.getOwnPropertyNames(obj)) {
-        if (dangerousKeys.includes(key)) {
-          throw new Error(
-            `Security Error: Context contains forbidden key "${key}"${path ? ` at path "${path}"` : ''}. This may indicate a prototype pollution attack.`
-          );
-        }
-        checkForDangerousKeys(
-          (obj as Record<string, unknown>)[key],
-          path ? `${path}.${key}` : key,
-          visited
-        );
-      }
-    };
-    checkForDangerousKeys(context);
-
-    // Sanitize context and handle circular references
-    const safeStringify = (obj: unknown) => {
-      const seen = new WeakSet();
-      return JSON.stringify(obj, (key, value) => {
-        if (typeof value === 'object' && value !== null) {
-          if (seen.has(value)) return '[Circular]';
-          seen.add(value);
-        }
-        return value;
-      });
-    };
-
-    // We still want to parse/stringify to strip non-serializable values and ensure clean state
-    // but now we handle cycles safely
-    const contextJson = safeStringify(context);
-
+  private static createRunnerScript(code: string, isWorker: boolean): string {
     return `
-// Minimal sandbox environment
-// Context is sanitized through JSON parse/stringify to prevent prototype pollution
-const context = ${contextJson};
-
-// Use explicit flag passed from host
-const isWorker = ${isWorker};
-
-// Capture essential functions before deleting dangerous globals
-const __write = !isWorker ? process.stdout.write.bind(process.stdout) : null;
-const __post = isWorker ? self.postMessage.bind(self) : null;
-
-// Remove dangerous globals to prevent sandbox escape
-const dangerousGlobals = [
-  'process',
-  'require',
-  'module',
-  'exports',
-  '__dirname',
-  '__filename',
-  'Bun',
-  'fetch',
-  'crypto',
-  'Worker',
-  'navigator',
-  'performance',
-  'alert',
-  'confirm',
-  'prompt',
-  'addEventListener',
-  'dispatchEvent',
-  'removeEventListener',
-  'onmessage',
-  'onerror',
-  'ErrorEvent',
-];
-
-for (const g of dangerousGlobals) {
-  try {
-    delete globalThis[g];
-  } catch (e) {
-    // Ignore errors for non-deletable properties
+(async () => {
+  const isWorker = ${isWorker};
+  let context = {};
+
+  if (isWorker) {
+    await new Promise((resolve) => {
+      const handler = (e) => {
+        if (e.data && e.data.type === 'context') {
+          context = e.data.context;
+          self.removeEventListener('message', handler);
+          resolve();
+        }
+      };
+      self.addEventListener('message', handler);
+    });
+  } else {
+    const fs = require('node:fs');
+    try {
+      const contextData = fs.readFileSync(0, 'utf-8');
+      context = JSON.parse(contextData);
+    } catch (e) {
+      throw new Error('Failed to load sandbox context from stdin: ' + e.message);
+    }
   }
-}
-
-// Make context variables available
-Object.assign(globalThis, context);
 
-// Custom console that prefixes logs for the runner to intercept
-const __keystone_console = {
-  log: (...args) => {
-    if (isWorker) {
-      __post({ type: 'log', message: args.join(' ') });
-    } else {
-      __write('__SANDBOX_LOG__:' + args.join(' ') + '\\n');
+  // Security: Prevent prototype pollution check on loaded context
+  const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
+  const checkKeys = (obj) => {
+    if (!obj || typeof obj !== 'object') return;
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      if (dangerousKeys.includes(key)) throw new Error('Security Error: Forbidden key in context: ' + key);
+      checkKeys(obj[key]);
     }
-  },
-  error: (...args) => {
-    if (isWorker) {
-      __post({ type: 'log', message: 'ERROR: ' + args.join(' ') });
-    } else {
-      __write('__SANDBOX_LOG__:ERROR: ' + args.join(' ') + '\\n');
-    }
-  },
-  warn: (...args) => {
-    if (isWorker) {
-      __post({ type: 'log', message: 'WARN: ' + args.join(' ') });
-    } else {
-      __write('__SANDBOX_LOG__:WARN: ' + args.join(' ') + '\\n');
-    }
-  },
-  info: (...args) => {
-    if (isWorker) {
-      __post({ type: 'log', message: 'INFO: ' + args.join(' ') });
-    } else {
-      __write('__SANDBOX_LOG__:INFO: ' + args.join(' ') + '\\n');
+  };
+  checkKeys(context);
+
+  // Capture essential functions before deleting dangerous globals
+  const __write = !isWorker ? process.stdout.write.bind(process.stdout) : null;
+  const __post = isWorker ? self.postMessage.bind(self) : null;
+
+  // Custom console that prefixes logs for the runner to intercept
+  const __keystone_console = {
+    log: (...args) => {
+      if (isWorker) {
+        __post({ type: 'log', message: args.join(' ') });
+      } else {
+        __write('__SANDBOX_LOG__:' + args.join(' ') + '\\n');
+      }
+    },
+    error: (...args) => {
+      if (isWorker) {
+        __post({ type: 'log', message: 'ERROR: ' + args.join(' ') });
+      } else {
+        __write('__SANDBOX_LOG__:ERROR: ' + args.join(' ') + '\\n');
+      }
+    },
+    warn: (...args) => {
+      if (isWorker) {
+        __post({ type: 'log', message: 'WARN: ' + args.join(' ') });
+      } else {
+        __write('__SANDBOX_LOG__:WARN: ' + args.join(' ') + '\\n');
+      }
+    },
+    info: (...args) => {
+      if (isWorker) {
+        __post({ type: 'log', message: 'INFO: ' + args.join(' ') });
+      } else {
+        __write('__SANDBOX_LOG__:INFO: ' + args.join(' ') + '\\n');
+      }
+    },
+    debug: (...args) => {
+      if (isWorker) {
+        __post({ type: 'log', message: 'DEBUG: ' + args.join(' ') });
+      } else {
+        __write('__SANDBOX_LOG__:DEBUG: ' + args.join(' ') + '\\n');
+      }
     }
-  },
-  debug: (...args) => {
-    if (isWorker) {
-      __post({ type: 'log', message: 'DEBUG: ' + args.join(' ') });
-    } else {
-      __write('__SANDBOX_LOG__:DEBUG: ' + args.join(' ') + '\\n');
+  };
+
+  // Remove dangerous globals to prevent sandbox escape
+  const dangerousGlobals = [
+    'process',
+    'require',
+    'module',
+    'exports',
+    '__dirname',
+    '__filename',
+    'Bun',
+    'fetch',
+    'crypto',
+    'Worker',
+    'navigator',
+    'performance',
+    'alert',
+    'confirm',
+    'prompt',
+    'addEventListener',
+    'dispatchEvent',
+    'removeEventListener',
+    'onmessage',
+    'onerror',
+    'ErrorEvent',
+  ];
+
+  for (const g of dangerousGlobals) {
+    try {
+      delete globalThis[g];
+    } catch (e) {
+      // Ignore errors for non-deletable properties
     }
   }
-};
 
-// Replace global console
-globalThis.console = __keystone_console;
+  // Make context variables available
+  Object.assign(globalThis, context);
+
+  // Replace global console
+  globalThis.console = __keystone_console;
 
-(async () => {
   try {
     // Execute the user code (wrap in async to support await)
     const __result = await (async () => {
@@ -282,12 +260,15 @@ globalThis.console = __keystone_console;
   private static runInWorker(
     scriptPath: string,
     timeout: number,
-    options: ProcessSandboxOptions
+    options: ProcessSandboxOptions,
+    context: Record<string, unknown>
   ): Promise<ProcessSandboxResult> {
     return new Promise((resolve) => {
       let timedOut = false;
       const worker = new Worker(scriptPath);
 
+      worker.postMessage({ type: 'context', context });
+
       const timeoutHandle = setTimeout(() => {
         timedOut = true;
         worker.terminate();
@@ -339,7 +320,8 @@ globalThis.console = __keystone_console;
   private static runInSubprocess(
     scriptPath: string,
     timeout: number,
-    options: ProcessSandboxOptions
+    options: ProcessSandboxOptions,
+    context: Record<string, unknown>
   ): Promise<ProcessSandboxResult> {
     return new Promise((resolve) => {
       let stdout = '';
@@ -352,15 +334,17 @@ globalThis.console = __keystone_console;
       let args = ['run', scriptPath];
 
       if (useMemoryLimit) {
-        if (isWindows) {
-          options.logger?.warn?.(
-            'ProcessSandbox: memoryLimit is not supported on Windows; running without a limit.'
-          );
-        } else {
+        if (process.platform === 'linux') {
           const limitKb = Math.max(1, Math.floor((options.memoryLimit as number) / 1024));
           const escapedPath = scriptPath.replace(/'/g, "'\\''");
           command = 'sh';
           args = ['-c', `ulimit -v ${limitKb}; exec bun run '${escapedPath}'`];
+        } else {
+          // On macOS/Windows, ulimit -v is often ignored or causes crashes with V8/JSC
+          // due to high virtual memory reservation. We log a warning but proceed without hard limit.
+          options.logger?.warn?.(
+            `ProcessSandbox: memoryLimit is not effectively enforced on ${process.platform}. Security Warning: Scripts may consume excessive memory.`
+          );
         }
       }
 
@@ -376,6 +360,12 @@ globalThis.console = __keystone_console;
         stdio: ['pipe', 'pipe', 'pipe'],
       });
 
+      // Write context to stdin
+      if (child.stdin) {
+        child.stdin.write(JSON.stringify(context));
+        child.stdin.end();
+      }
+
       // Set up timeout
       const timeoutHandle = setTimeout(() => {
         timedOut = true;

package/src/utils/redactor.ts

@@ -16,6 +16,7 @@ export interface RedactorOptions {
 }
 
 export class Redactor {
+  public static readonly REDACTED_PLACEHOLDER = '***REDACTED***';
   private patterns: RegExp[] = [];
   private combinedPattern: RegExp | null = null;
   public readonly maxSecretLength: number;
@@ -115,6 +116,8 @@ export class Redactor {
 
     // Build regex patterns
     // Optimization: Group secrets into a single combined regex where possible
+    // ReDoS Safety: We escape all special characters, so the regex consists purely of literal strings (alternations).
+    // This avoids backtracking issues common in ReDoS attacks.
     const parts: string[] = [];
 
     for (const secret of uniqueSecrets) {
@@ -134,6 +137,8 @@ export class Redactor {
     }
 
     if (parts.length > 0) {
+      // Note: If thousands of secrets are present, this regex compilation might be slow,
+      // but it remains safe from catastrophic backtracking due to being a simple alternation of literals.
       this.combinedPattern = new RegExp(parts.join('|'), 'g');
     }
 
@@ -163,7 +168,7 @@ export class Redactor {
       return strText;
     }
 
-    return strText.replace(this.combinedPattern, '***REDACTED***');
+    return strText.replace(this.combinedPattern, Redactor.REDACTED_PLACEHOLDER);
   }
 
   /**
@@ -178,25 +183,50 @@ export class Redactor {
    * This is the recommended method for redacting complex data structures like
    * step outputs before storage, as it preserves JSON serializability.
    */
-  redactValue(value: unknown): unknown {
+  redactValue(value: unknown, visited = new WeakSet<object>()): unknown {
     if (typeof value === 'string') {
       return this.redact(value);
     }
 
-    if (Array.isArray(value)) {
-      return value.map((item) => this.redactValue(item));
+    if (value === null || typeof value !== 'object') {
+      return value;
     }
 
-    if (value !== null && typeof value === 'object') {
+    // Handle circular references
+    if (visited.has(value)) {
+      return '[Circular]';
+    }
+    visited.add(value);
+
+    try {
+      if (Array.isArray(value)) {
+        return value.map((item) => this.redactValue(item, visited));
+      }
+
       const redacted: Record<string, unknown> = {};
       for (const [key, val] of Object.entries(value)) {
-        redacted[key] = this.redactValue(val);
+        redacted[key] = this.redactValue(val, visited);
       }
       return redacted;
+    } finally {
+      // Optional: remove from visited if we want to allow the same object
+      // in different branches of the tree (DAG), but strictly strictly strictly
+      // to prevent infinite recursion, keeping it in visited is safer and faster.
+      // However, JSON.stringify behavior is to only block ancestors.
+      // For deep recursion protection, consistent with JSON.stringify's cycle detection,
+      // we should arguably NOT remove it if we want to blocking *any* recurrence,
+      // but to match JSON.stringify "circular" error, strictly it's ancestors.
+      // However, for a Redactor, reusing the same object instance in multiple places is fine.
+      // The issue is strictly CYCLES.
+      // So we should remove it from visited on exit to support DAGs?
+      // Actually, JSON.stringify throws on cycles. We want to return "[Circular]".
+      // Let's stick to safe cycle detection which requires tracking the current stack.
+      // BUT, `visited` is passed down. If we don't remove it, we block non-circular DAGs (diamond problem).
+      // e.g. A -> B, A -> C, B -> D, C -> D. D is visited twice.
+      // So we SHOULD remove it.
+      // wait, WeakSet doesn't have .delete? Yes it does.
+      visited.delete(value);
     }
-
-    // Primitives (numbers, booleans, null, undefined) pass through unchanged
-    return value;
   }
 }