kimiflare 0.9.1 → 0.10.0

package/dist/index.js

@@ -172,7 +172,7 @@ function isRetryable(err, attempt) {
 async function* runKimi(opts2) {
   const url = `https://api.cloudflare.com/client/v4/accounts/${opts2.accountId}/ai/run/${opts2.model}`;
   const body = {
-    messages: opts2.messages,
+    messages: sanitizeMessagesForApi(opts2.messages),
     ...opts2.tools && opts2.tools.length ? { tools: opts2.tools, tool_choice: "auto", parallel_tool_calls: true } : {},
     stream: true,
     temperature: opts2.temperature ?? 0.2,
@@ -294,6 +294,30 @@ async function* parseStream(body, signal) {
   }
   yield { type: "done", finishReason, usage: lastUsage };
 }
+function sanitizeMessagesForApi(messages) {
+  return messages.map((m) => {
+    if (!m.tool_calls || m.tool_calls.length === 0) return m;
+    return {
+      ...m,
+      tool_calls: m.tool_calls.map((tc) => ({
+        ...tc,
+        function: {
+          name: tc.function.name,
+          arguments: validateJsonArguments(tc.function.arguments)
+        }
+      }))
+    };
+  });
+}
+function validateJsonArguments(raw) {
+  if (!raw || !raw.trim()) return "{}";
+  try {
+    JSON.parse(raw);
+    return raw;
+  } catch {
+    return "{}";
+  }
+}
 function extractCloudflareError(parsed) {
   if (!parsed || typeof parsed !== "object") return null;
   const cf = parsed;
@@ -387,10 +411,11 @@ async function runAgentTurn(opts2) {
           opts2.callbacks.onToolCallArgs?.(ev.index, ev.argsDelta);
           break;
         case "tool_call_complete": {
+          const safeArgs = validateToolArguments(ev.arguments);
           const call = {
             id: ev.id,
             type: "function",
-            function: { name: ev.name, arguments: ev.arguments }
+            function: { name: ev.name, arguments: safeArgs }
           };
           toolCalls.push(call);
           opts2.callbacks.onToolCallFinalized?.(call);
@@ -438,6 +463,15 @@ async function runAgentTurn(opts2) {
   }
   throw new Error(`kimiflare: tool iteration limit reached (${opts2.maxToolIterations ?? 50})`);
 }
+function validateToolArguments(raw) {
+  if (!raw || !raw.trim()) return "{}";
+  try {
+    JSON.parse(raw);
+    return raw;
+  } catch {
+    return "{}";
+  }
+}
 var init_loop = __esm({
   "src/agent/loop.ts"() {
     "use strict";
@@ -455,21 +489,209 @@ function nextMode(m) {
 function isBlockedInPlanMode(toolName) {
   return MUTATING_TOOLS.has(toolName);
 }
+function tokenizeCommand(command) {
+  const tokens = [];
+  let current = "";
+  let inQuote = null;
+  for (const ch of command) {
+    if (inQuote) {
+      if (ch === inQuote) {
+        inQuote = null;
+      } else {
+        current += ch;
+      }
+    } else if (ch === '"' || ch === "'") {
+      inQuote = ch;
+    } else if (/\s/.test(ch)) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function isReadOnlyBash(command) {
+  const trimmed = command.trim();
+  if (!trimmed) return false;
+  if (DANGEROUS_PATTERNS.test(trimmed)) return false;
+  const tokens = tokenizeCommand(trimmed);
+  if (tokens.length === 0) return false;
+  const first = tokens[0];
+  let cmdIndex = 0;
+  if (first === "cd" && tokens.length >= 3 && tokens[1] && tokens[2] === "&&") {
+    cmdIndex = 3;
+  }
+  const cmd = tokens[cmdIndex];
+  if (!cmd) return false;
+  const args = tokens.slice(cmdIndex + 1);
+  if (cmd === "git") {
+    const sub = args[0] ?? "";
+    const allowed = GIT_READONLY_SUBCOMMANDS[sub];
+    if (allowed === void 0) return false;
+    if (allowed === true) return true;
+    switch (sub) {
+      case "branch":
+        return !args.some((a) => /^-[dDmMcC]/.test(a));
+      case "stash":
+        return args[1] === "list";
+      case "remote":
+        return args[1] === "-v" || args[1] === "--verbose" || args.length === 1;
+      case "tag":
+        return args[1] === "-l" || args[1] === "--list" || args.length === 1;
+      case "config":
+        return args[1] === "--list" || args[1]?.startsWith("--get") === true || args.length === 1;
+      default:
+        return false;
+    }
+  }
+  const argCheck = COMMANDS_NEEDING_ARG_CHECK[cmd];
+  if (argCheck) {
+    return argCheck(args);
+  }
+  return READONLY_COMMANDS.has(cmd);
+}
 function systemPromptForMode(m) {
   if (m === "plan") {
-    return "\n\nPLAN MODE is active. The user wants you to investigate and produce a plan WITHOUT making any changes. Do not call write, edit, or bash. Only use read/glob/grep/web-fetch. At the end, present a concise plan (bullets, files to change, approach). The user will review and then exit plan mode to execute.";
+    return "\n\nPLAN MODE is active. The user wants you to investigate and produce a plan WITHOUT making any changes. Do not call write, edit, or mutating bash commands. You may use read-only bash commands (e.g., git log, git diff, ls, cat) along with read/glob/grep/web-fetch. At the end, present a concise plan (bullets, files to change, approach). The user will review and then exit plan mode to execute.";
   }
   if (m === "auto") {
     return "\n\nAUTO MODE is active. The user has opted into autonomous execution \u2014 every tool call will be auto-approved. Work efficiently, but do not take irreversible destructive actions (rm -rf, git push --force, dropping tables, etc.) without pausing to describe them in chat first. Prefer smaller reversible steps.";
   }
   return "";
 }
-var MODES, MUTATING_TOOLS;
+var MODES, MUTATING_TOOLS, DANGEROUS_PATTERNS, GIT_READONLY_SUBCOMMANDS, READONLY_COMMANDS, COMMANDS_NEEDING_ARG_CHECK;
 var init_mode = __esm({
   "src/mode.ts"() {
     "use strict";
     MODES = ["edit", "plan", "auto"];
     MUTATING_TOOLS = /* @__PURE__ */ new Set(["write", "edit", "bash"]);
+    DANGEROUS_PATTERNS = /[<>|;&`$]|\$\(|\$\{|&&|\|\||\b&\s*$/;
+    GIT_READONLY_SUBCOMMANDS = {
+      log: true,
+      diff: true,
+      status: true,
+      show: true,
+      blame: true,
+      describe: true,
+      "rev-parse": true,
+      "ls-files": true,
+      reflog: true,
+      shortlog: true,
+      whatchanged: true,
+      grep: true,
+      branch: false,
+      // needs check: block -d/-D/-m/-M/-c/-C
+      stash: false,
+      // needs check: only allow "list"
+      remote: false,
+      // needs check: only allow -v
+      tag: false,
+      // needs check: only allow -l
+      config: false
+      // needs check: only allow --list/--get
+    };
+    READONLY_COMMANDS = /* @__PURE__ */ new Set([
+      // File system
+      "ls",
+      "cat",
+      "head",
+      "tail",
+      "pwd",
+      "echo",
+      "file",
+      "stat",
+      "readlink",
+      "realpath",
+      "dirname",
+      "basename",
+      "wc",
+      "sort",
+      "uniq",
+      "diff",
+      "cmp",
+      // Search
+      "grep",
+      "rg",
+      "ag",
+      "fd",
+      // System info
+      "ps",
+      "df",
+      "du",
+      "env",
+      "printenv",
+      "which",
+      "whereis",
+      "uname",
+      "hostname",
+      "uptime",
+      "free",
+      "date",
+      "id",
+      "whoami",
+      "groups",
+      // Dev tools (version/info only)
+      "node",
+      "npx",
+      "python3",
+      "ruby",
+      "perl",
+      // Utilities
+      "jq",
+      "yq",
+      "awk",
+      "cut",
+      "tr",
+      "base64",
+      "sha256sum",
+      "md5sum",
+      "shasum",
+      "hexdump",
+      "xxd",
+      "strings",
+      "less",
+      "more",
+      "man",
+      "clear",
+      "history",
+      // Archive inspection
+      "zipinfo",
+      // Network
+      "ping",
+      "netstat",
+      "ss",
+      "lsof"
+    ]);
+    COMMANDS_NEEDING_ARG_CHECK = {
+      find: (args) => !args.some((a) => a === "-delete" || a === "-exec"),
+      sed: (args) => !args.some((a) => a === "-i" || a.startsWith("-i")),
+      tar: (args) => args[0] === "-tf" || args[0] === "--list",
+      unzip: (args) => args[0] === "-l",
+      curl: (args) => !args.some((a) => a === "-o" || a === "-O" || a === "-d" || a === "--data" || a.startsWith("-X")),
+      wget: (args) => !args.some((a) => a === "-O" || a === "--output-document" || a.startsWith("--post")),
+      npm: (args) => ["list", "view", "config"].includes(args[0] ?? "") && !(args[0] === "config" && args[1] && !args[1].startsWith("get") && args[1] !== "list"),
+      tsc: (args) => args.every(
+        (a) => ["--noEmit", "--version", "--showConfig", "--help", "-h", "--init"].includes(a)
+      ),
+      eslint: (args) => args.every(
+        (a) => ["--version", "--print-config", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      prettier: (args) => args.every(
+        (a) => ["--version", "--check", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      jest: (args) => args.every(
+        (a) => ["--version", "--listTests", "--showConfig", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      vitest: (args) => args.every(
+        (a) => ["--version", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      go: (args) => ["version", "env", "list", "mod"].includes(args[0] ?? "") && !(args[0] === "mod" && args[1] && !["graph", "download", "why", "verify"].includes(args[1])),
+      cargo: (args) => ["--version", "-V", "check", "test", "metadata"].includes(args[0] ?? "") && !(args[0] === "test" && args.includes("--no-run") === false)
+    };
   }
 });
 
@@ -3677,7 +3899,26 @@ function App({ initialCfg, initialUpdateResult }) {
             setUsage(u);
           },
           askPermission: (req) => new Promise((resolve2) => {
-            if (modeRef.current === "auto") return resolve2("allow");
+            if (modeRef.current === "auto") {
+              resolve2("allow");
+              return;
+            }
+            if (modeRef.current === "plan" && isBlockedInPlanMode(req.tool.name)) {
+              if (req.tool.name === "bash" && typeof req.args.command === "string" && isReadOnlyBash(req.args.command)) {
+                resolve2("allow");
+                return;
+              }
+              setEvents((e) => [
+                ...e,
+                {
+                  kind: "info",
+                  key: mkKey(),
+                  text: `plan mode blocked ${req.tool.name}; exit plan mode to execute`
+                }
+              ]);
+              resolve2("deny");
+              return;
+            }
             setPerm({ tool: req.tool, args: req.args, resolve: resolve2 });
           })
         }
@@ -4072,6 +4313,10 @@ use: /thinking low | medium | high`
                 return;
               }
               if (modeRef.current === "plan" && isBlockedInPlanMode(req.tool.name)) {
+                if (req.tool.name === "bash" && typeof req.args.command === "string" && isReadOnlyBash(req.args.command)) {
+                  resolve2("allow");
+                  return;
+                }
                 setEvents((e) => [
                   ...e,
                   {
@@ -4092,10 +4337,23 @@ use: /thinking low | medium | high`
         if (e.name === "AbortError") {
           setEvents((es) => [...es, { kind: "info", key: mkKey(), text: "(aborted)" }]);
         } else {
-          setEvents((es) => [
-            ...es,
-            { kind: "error", key: mkKey(), text: e.message ?? String(e) }
-          ]);
+          const isInvalidJson400 = e instanceof KimiApiError && e.httpStatus === 400 && e.message.includes("invalid escaped character");
+          if (isInvalidJson400) {
+            messagesRef.current.pop();
+            setEvents((es) => [
+              ...es,
+              {
+                kind: "error",
+                key: mkKey(),
+                text: "API rejected request (invalid JSON in conversation history). Retrying may work; run /clear to reset if it persists."
+              }
+            ]);
+          } else {
+            setEvents((es) => [
+              ...es,
+              { kind: "error", key: mkKey(), text: e.message ?? String(e) }
+            ]);
+          }
         }
       } finally {
         setBusy(false);
@@ -4273,6 +4531,7 @@ var init_app = __esm({
     init_compact();
     init_executor();
     init_messages();
+    init_errors();
     init_chat();
     init_status();
     init_permission();