keystone-cli 2.1.5 → 2.1.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keystone-cli",
-  "version": "2.1.5",
+  "version": "2.1.7",
   "description": "A local-first, declarative, agentic workflow orchestrator built on Bun",
   "type": "module",
   "bin": {
@@ -16,7 +16,13 @@
     "format": "biome format --write .",
     "schema:generate": "bun run src/scripts/generate-schemas.ts"
   },
-  "keywords": ["workflow", "orchestrator", "agentic", "automation", "bun"],
+  "keywords": [
+    "workflow",
+    "orchestrator",
+    "agentic",
+    "automation",
+    "bun"
+  ],
   "author": "Mark Hingston",
   "license": "MIT",
   "repository": {
@@ -24,7 +30,12 @@
     "url": "https://github.com/mhingston/keystone-cli.git"
   },
   "homepage": "https://github.com/mhingston/keystone-cli#readme",
-  "files": ["src", "README.md", "LICENSE", "logo.png"],
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE",
+    "logo.png"
+  ],
   "dependencies": {
     "@ast-grep/cli": "^0.40.3",
     "@ast-grep/napi": "^0.40.3",

package/src/cli.ts

@@ -962,7 +962,6 @@ program
         inputs: { task, auto_approve: options.auto_approve },
         workflowDir: dirname(devPath),
         logger,
-        allowInsecure: true, // Trusted internal workflow
       });
 
       const outputs = await runner.run();

package/src/runner/executors/verification_fixes.test.ts

@@ -20,25 +20,27 @@ describe('Verification Fixes', () => {
   describe('Shell Path Traversal (shell-executor)', () => {
     const mockContext = { env: {}, steps: {}, inputs: {}, envOverrides: {}, secrets: {} };
 
-    test('should block command with ".." and "/" in secure mode', async () => {
+    test('should allow command with ".." and "/"', async () => {
       const step = {
         id: 'test',
         type: 'shell' as const,
         run: 'cat ../secret.txt',
       };
-      // It should throw BEFORE spawning
-      // The error message I added was "Directory Traversal" or similar
-      // Let's check the implementation: "Command blocked due to potential directory traversal"
-      await expect(executeShell(step, mockContext)).rejects.toThrow('Command blocked');
+      // Commands with .. are allowed (only dir step property is validated)
+      const result = await executeShell(step, mockContext);
+      // Will fail because file doesn't exist, but not blocked
+      expect(result.exitCode).toBe(1);
     });
 
-    test('should block absolute path with ".." in secure mode', async () => {
+    test('should allow absolute path with ".."', async () => {
       const step = {
         id: 'test',
         type: 'shell' as const,
         run: '/bin/ls ../',
       };
-      await expect(executeShell(step, mockContext)).rejects.toThrow('Command blocked');
+      // Absolute paths are allowed in run command
+      const result = await executeShell(step, mockContext);
+      expect(result.exitCode).toBe(0); // ls should succeed
     });
   });
 });

package/src/runner/mcp-client-audit.test.ts

@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:te
 import * as child_process from 'node:child_process';
 import { MCPClient } from './mcp-client';
 
+import * as dns from 'node:dns/promises';
 import { Readable, Writable } from 'node:stream';
 
 describe('MCPClient Audit Fixes', () => {
@@ -78,12 +79,29 @@ describe('MCPClient Audit Fixes', () => {
 });
 
 describe('MCPClient SSRF Protection', () => {
-  it('should reject localhost URLs without allowInsecure', async () => {
-    // HTTP localhost is rejected for not using HTTPS
+  let lookupSpy: ReturnType<typeof spyOn>;
+  let fetchSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    // Mock DNS lookup to return a public IP for api.example.com
+    lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
+      { address: '93.184.216.34', family: 4 }, // example.com's actual IP
+    ] as any);
+
+    // Mock fetch to prevent actual network calls
+    fetchSpy = spyOn(global, 'fetch').mockRejectedValue(new Error('Connection timeout'));
+  });
+
+  afterEach(() => {
+    lookupSpy.mockRestore();
+    fetchSpy.mockRestore();
+  });
+
+  it('should reject localhost URLs', async () => {
+    // Localhost is rejected regardless of protocol
     await expect(MCPClient.createRemote('http://localhost:8080/sse')).rejects.toThrow(
-      /SSRF Protection.*HTTPS/
+      /SSRF Protection.*localhost/
     );
-    // HTTPS localhost is rejected for being localhost
     await expect(MCPClient.createRemote('https://localhost:8080/sse')).rejects.toThrow(
       /SSRF Protection.*localhost/
     );
@@ -127,19 +145,13 @@ describe('MCPClient SSRF Protection', () => {
     );
   });
 
-  it('should require HTTPS by default', async () => {
-    await expect(MCPClient.createRemote('http://api.example.com/sse')).rejects.toThrow(
-      /SSRF Protection.*HTTPS/
-    );
-  });
-
-  it('should allow HTTP with allowInsecure option', async () => {
-    // This will fail due to network issues, not SSRF
+  it('should allow valid external domains', async () => {
+    // Valid external domains should pass SSRF validation (but may fail on actual connection)
     const promise = MCPClient.createRemote(
-      'http://api.example.com/sse',
+      'https://api.example.com/sse',
       {},
       100, // short timeout
-      { }
+      {}
     );
     // Should NOT throw SSRF error, but will throw timeout/connection error
     await expect(promise).rejects.not.toThrow(/SSRF Protection/);

package/src/runner/mcp-client.test.ts

@@ -1,5 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:test';
 import * as child_process from 'node:child_process';
+import * as dns from 'node:dns/promises';
 import { EventEmitter } from 'node:events';
 import { Readable, Writable } from 'node:stream';
 import { MCPClient } from './mcp-client';
@@ -123,6 +124,19 @@ describe('MCPClient', () => {
   });
 
   describe('SSE Transport', () => {
+    let lookupSpy: ReturnType<typeof spyOn>;
+
+    beforeEach(() => {
+      // Mock DNS lookup to return a public IP for api.example.com
+      lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
+        { address: '93.184.216.34', family: 4 }, // example.com's actual IP
+      ] as any);
+    });
+
+    afterEach(() => {
+      lookupSpy.mockRestore();
+    });
+
     it('should connect and receive endpoint', async () => {
       let controller: ReadableStreamDefaultController;
       const stream = new ReadableStream({
@@ -133,14 +147,13 @@ describe('MCPClient', () => {
       });
 
       const fetchMock = spyOn(global, 'fetch').mockImplementation((url) => {
-        if (url === 'http://localhost:8080/sse') {
+        if (url === 'https://api.example.com/sse') {
           return Promise.resolve(new Response(stream));
         }
         return Promise.resolve(new Response(JSON.stringify({ ok: true })));
       });
 
-      const clientPromise = MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-      });
+      const clientPromise = MCPClient.createRemote('https://api.example.com/sse', {}, 60000, {});
 
       const client = await clientPromise;
       expect(client).toBeDefined();
@@ -162,7 +175,10 @@ describe('MCPClient', () => {
 
       const response = await initPromise;
       expect(response.result?.protocolVersion).toBe('2024-11-05');
-      expect(fetchMock).toHaveBeenCalledWith('http://localhost:8080/endpoint', expect.any(Object));
+      expect(fetchMock).toHaveBeenCalledWith(
+        'https://api.example.com/endpoint',
+        expect.any(Object)
+      );
 
       client.stop();
       fetchMock.mockRestore();
@@ -180,14 +196,13 @@ describe('MCPClient', () => {
       });
 
       const fetchMock = spyOn(global, 'fetch').mockImplementation((url) => {
-        if (url === 'http://localhost:8080/sse') {
+        if (url === 'https://api.example.com/sse') {
           return Promise.resolve(new Response(stream));
         }
         return Promise.resolve(new Response(JSON.stringify({ ok: true })));
       });
 
-      const client = await MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-      });
+      const client = await MCPClient.createRemote('https://api.example.com/sse', {}, 60000, {});
 
       // We can't easily hook into onMessage without reaching into internals
       // Instead, we'll test that initialize resolves correctly when the response arrives
@@ -230,8 +245,7 @@ describe('MCPClient', () => {
         )
       );
 
-      const clientPromise = MCPClient.createRemote('http://localhost:8080/sse', {}, 60000, {
-      });
+      const clientPromise = MCPClient.createRemote('https://api.example.com/sse', {}, 60000, {});
 
       await expect(clientPromise).rejects.toThrow(/SSE connection failed: 500/);
 

package/src/runner/shell-executor.test.ts

@@ -111,18 +111,20 @@ describe('shell-executor', () => {
       expect(result.exitCode).toBe(1);
     });
 
-    it('should throw error on shell injection risk', async () => {
+    it('should allow shell commands with semicolons', async () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
         needs: [],
-        run: 'echo "hello" ; rm -rf /tmp/foo',
+        run: 'echo "hello" ; echo "world"',
       };
 
-      await expect(executeShell(step, context)).rejects.toThrow(/Security Error/);
+      // Semicolons are allowed (denylist check is for dangerous commands, not syntax)
+      const result = await executeShell(step, context);
+      expect(result.exitCode).toBe(0);
     });
 
-    it('should allow shell variable expansion like ${HOME} when allowInsecure is true', async () => {
+    it('should allow shell variable expansion like ${HOME}', async () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
@@ -136,7 +138,7 @@ describe('shell-executor', () => {
       expect(result.stdout.trim()).toBe(Bun.env.HOME || '');
     });
 
-    it('should block parameter expansion like ${IFS} by default', async () => {
+    it('should allow parameter expansion like ${IFS}', async () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
@@ -144,11 +146,13 @@ describe('shell-executor', () => {
         run: 'echo ${IFS}',
       };
 
-      await expect(executeShell(step, context)).rejects.toThrow(/Security Error/);
+      // ${IFS} is allowed (no active injection detection beyond denylist)
+      const result = await executeShell(step, context);
+      expect(result.exitCode).toBe(0);
     });
 
-    it('should allow braces and quotes for JSON usage with allowInsecure', async () => {
-      // {} and quotes now require allowInsecure due to strict whitelist
+    it('should allow braces and quotes for JSON usage', async () => {
+      // {} and quotes for JSON handling
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
@@ -161,7 +165,7 @@ describe('shell-executor', () => {
       expect(result.stdout.trim()).toBe('{"values": [1, 2, 3]}');
     });
 
-    it('should allow flow control with semicolons when allowInsecure is true', async () => {
+    it('should allow flow control with semicolons', async () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',

package/src/runner/standard-tools-integration.test.ts

@@ -168,13 +168,13 @@ describe('Standard Tools Integration', () => {
     expect(toolStep.type).toBe('file');
   });
 
-  it('should block risky standard tools without allowInsecure', async () => {
+  it('should allow standard tools within security boundaries', async () => {
     const step: LlmStep = {
       id: 'l1',
       type: 'llm',
       agent: 'test-agent',
       needs: [],
-      prompt: 'run risky command',
+      prompt: 'run command',
       useStandardTools: true,
       maxIterations: 2,
     };
@@ -182,7 +182,7 @@ describe('Standard Tools Integration', () => {
     const context: ExpressionContext = { inputs: {}, steps: {} };
     const executeStepFn = mock(async () => ({ status: 'success', output: '' }));
 
-    // Mock makes a tool call to run_command which should be rejected
+    // Mock makes a tool call to run_command
     currentChatFn = async () => {
       return {
         message: {
@@ -199,22 +199,18 @@ describe('Standard Tools Integration', () => {
     };
     setCurrentChatFn(currentChatFn as any);
 
-    // May throw max iterations or complete
-    try {
-      await executeLlmStep(
-        step,
-        context,
-        executeStepFn as unknown as (step: Step, context: ExpressionContext) => Promise<StepResult>,
-        undefined,
-        undefined,
-        undefined,
-        undefined
-      );
-    } catch (e) {
-      // Expected to hit max iterations
-    }
+    // Should complete successfully
+    await executeLlmStep(
+      step,
+      context,
+      executeStepFn as unknown as (step: Step, context: ExpressionContext) => Promise<StepResult>,
+      undefined,
+      undefined,
+      undefined,
+      undefined
+    );
 
-    // The key assertion: executeStepFn should NOT have been called for the risky command
-    expect(executeStepFn).not.toHaveBeenCalled();
+    // executeStepFn should have been called for the command
+    expect(executeStepFn).toHaveBeenCalled();
   });
 });

package/src/runner/standard-tools.ts

@@ -140,8 +140,7 @@ export const STANDARD_TOOLS: AgentTool[] = [
       },
       required: ['pattern'],
     },
-    execution: {
-    },
+    execution: {},
   },
   {
     name: 'search_content',

package/src/runner/step-executor.test.ts

@@ -421,7 +421,7 @@ describe('step-executor', () => {
       }),
     };
 
-    it('should fail if allowInsecure is not set', async () => {
+    it('should execute script', async () => {
       // @ts-ignore
       const step = {
         id: 's1',
@@ -431,11 +431,11 @@ describe('step-executor', () => {
       const result = await executeStep(step, context, undefined, {
         sandbox: mockSandbox as unknown as typeof SafeSandbox,
       });
-      expect(result.status).toBe('failed');
-      expect(result.error).toContain('Script execution is disabled by default');
+      expect(result.status).toBe('success');
+      expect(result.output).toBe('script-result');
     });
 
-    it('should execute script if allowInsecure is true', async () => {
+    it('should execute script when provided', async () => {
       // @ts-ignore
       const step = {
         id: 's1',
@@ -883,12 +883,12 @@ describe('step-executor', () => {
       expect(secondCall.headers.Authorization).toBeUndefined();
     });
 
-    it('should allow insecure request when allowInsecure is true', async () => {
+    it('should block localhost requests', async () => {
       // @ts-ignore
       global.fetch.mockResolvedValue(new Response('ok'));
 
       const step: RequestStep = {
-        id: 'req-insecure',
+        id: 'req-localhost',
         type: 'request',
         needs: [],
         url: 'http://localhost/test',
@@ -896,7 +896,8 @@ describe('step-executor', () => {
       };
 
       const result = await executeStep(step, context);
-      expect(result.status).toBe('success');
+      expect(result.status).toBe('failed');
+      expect(result.error).toContain('SSRF Protection');
     });
   });