magi-ai 0.1.0

package/dist/src/utils/sanitize.js

@@ -0,0 +1,186 @@
+/**
+ * Prompt injection sanitization utilities for MAGI system.
+ *
+ * Detects and neutralizes 9 categories of prompt injection / control character
+ * abuse before embedding user-supplied content into LLM prompts.
+ */
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const MAX_LENGTH = 5_000;
+const TRUNCATED_REPEAT_LENGTH = 20;
+// ---------------------------------------------------------------------------
+// Pattern definitions
+// ---------------------------------------------------------------------------
+/**
+ * Control characters excluding \t (\x09), \n (\x0A), \r (\x0D).
+ * Matches: \x00-\x08, \x0B, \x0C, \x0E-\x1F, \x7F
+ */
+const CONTROL_CHARS_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+/** Explicit null byte pattern (also caught by CONTROL_CHARS_RE). */
+const NULL_BYTE_RE = /\x00/g;
+/**
+ * Unicode bidirectional override and isolate characters.
+ * LRM, RLM, LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI
+ */
+const UNICODE_DIRECTION_RE = /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;
+/**
+ * Markdown link injection: only matches links with suspicious schemes.
+ * Captures the full `[text](url)` where url starts with javascript:, data:,
+ * vbscript:, or file:.
+ */
+const SUSPICIOUS_LINK_RE = /\[([^\]]*)\]\(((?:javascript|data|vbscript|file):\/?\/?[^)]*)\)/gi;
+/**
+ * Dangerous HTML tags: script, iframe, img with onerror, svg with onload.
+ * Case-insensitive, handles self-closing and content between tags.
+ */
+const HTML_SCRIPT_RE = /<script\b[^>]*>(?:[^<]|<(?!\/script\s*>))*<\/script\s*>/gi;
+const HTML_IFRAME_RE = /<iframe\b[^>]*>(?:[^<]|<(?!\/iframe\s*>))*<\/iframe\s*>/gi;
+const HTML_IMG_ONERROR_RE = /<img\b[^>]*\bonerror\b[^>]*\/?>/gi;
+const HTML_SVG_ONLOAD_RE = /<svg\b[^>]*\bonload\b[^>]*>(?:[^<]|<(?!\/svg\s*>))*<\/svg\s*>/gi;
+/** Catch self-closing script/iframe tags that the paired regexes miss. */
+const HTML_SCRIPT_SELF_RE = /<script\b[^>]*\/\s*>/gi;
+const HTML_IFRAME_SELF_RE = /<iframe\b[^>]*\/\s*>/gi;
+/**
+ * Prompt delimiter injection: sequences of `-`, `=`, or `*` that are 10+
+ * characters long, used to forge fake section boundaries.
+ */
+const LONG_DELIMITER_RE = /[-]{10,}|[=]{10,}|[*]{10,}/g;
+/**
+ * Role / prompt injection markers used by various LLM APIs.
+ */
+const ROLE_INJECTION_PATTERNS = [
+    /\n\n(?:Human|Assistant|System):/g,
+    /<\|(?:im_start|im_end|system|user|assistant)\|>/gi,
+    /\[INST\]/gi,
+    /\[\/INST\]/gi,
+    /<<SYS>>/gi,
+    /<<\/SYS>>/gi,
+];
+/**
+ * Excessive repetition: any single character repeated 100+ times.
+ */
+const EXCESSIVE_REPEAT_RE = /(.)\1{99,}/g;
+// ---------------------------------------------------------------------------
+// Core sanitization
+// ---------------------------------------------------------------------------
+export function sanitizeForPromptEmbedding(input) {
+    const warnings = [];
+    const originalLength = input.length;
+    let text = input;
+    // 1 & 2. Null bytes + control characters (null is subset, but we report
+    //         separately for clarity).
+    if (NULL_BYTE_RE.test(text)) {
+        warnings.push('null_bytes_stripped');
+    }
+    // Reset lastIndex after .test() for global regexes.
+    NULL_BYTE_RE.lastIndex = 0;
+    if (CONTROL_CHARS_RE.test(text)) {
+        if (!warnings.includes('null_bytes_stripped')) {
+            // Only add generic warning when the control chars are *not* just nulls.
+            warnings.push('control_characters_stripped');
+        }
+        else {
+            // Check whether there are control chars *other than* null bytes.
+            CONTROL_CHARS_RE.lastIndex = 0;
+            const withoutNulls = text.replace(NULL_BYTE_RE, '');
+            if (CONTROL_CHARS_RE.test(withoutNulls)) {
+                warnings.push('control_characters_stripped');
+            }
+        }
+    }
+    CONTROL_CHARS_RE.lastIndex = 0;
+    text = text.replace(CONTROL_CHARS_RE, '');
+    // 3. Unicode direction overrides
+    if (UNICODE_DIRECTION_RE.test(text)) {
+        warnings.push('unicode_direction_overrides_stripped');
+    }
+    UNICODE_DIRECTION_RE.lastIndex = 0;
+    text = text.replace(UNICODE_DIRECTION_RE, '');
+    // 4. Suspicious markdown links
+    SUSPICIOUS_LINK_RE.lastIndex = 0;
+    if (SUSPICIOUS_LINK_RE.test(text)) {
+        warnings.push('suspicious_markdown_links_escaped');
+    }
+    SUSPICIOUS_LINK_RE.lastIndex = 0;
+    text = text.replace(SUSPICIOUS_LINK_RE, (_match, linkText, url) => `\\[${linkText}\\](${url})`);
+    // 5. Dangerous HTML tags
+    let htmlStripped = false;
+    for (const re of [
+        HTML_SCRIPT_RE,
+        HTML_IFRAME_RE,
+        HTML_IMG_ONERROR_RE,
+        HTML_SVG_ONLOAD_RE,
+        HTML_SCRIPT_SELF_RE,
+        HTML_IFRAME_SELF_RE,
+    ]) {
+        re.lastIndex = 0;
+        if (re.test(text)) {
+            htmlStripped = true;
+        }
+        re.lastIndex = 0;
+        text = text.replace(re, '');
+    }
+    if (htmlStripped) {
+        warnings.push('html_tags_removed');
+    }
+    // 6. Long delimiter sequences
+    LONG_DELIMITER_RE.lastIndex = 0;
+    if (LONG_DELIMITER_RE.test(text)) {
+        warnings.push('long_delimiters_escaped');
+    }
+    LONG_DELIMITER_RE.lastIndex = 0;
+    text = text.replace(LONG_DELIMITER_RE, (match) => `\\${match.slice(0, 3)}`);
+    // 7. Role / prompt injection markers
+    let roleInjectionDetected = false;
+    for (const re of ROLE_INJECTION_PATTERNS) {
+        re.lastIndex = 0;
+        if (re.test(text)) {
+            roleInjectionDetected = true;
+        }
+        re.lastIndex = 0;
+        text = text.replace(re, (match) => {
+            // Neutralize the marker so the original token cannot be reconstructed.
+            const neutralized = match.trim().replace(/[<>|[\]]/g, '_');
+            return `[BLOCKED:${neutralized}]`;
+        });
+    }
+    if (roleInjectionDetected) {
+        warnings.push('prompt_role_injection_escaped');
+    }
+    // 8. Excessive repetition
+    EXCESSIVE_REPEAT_RE.lastIndex = 0;
+    if (EXCESSIVE_REPEAT_RE.test(text)) {
+        warnings.push('excessive_repetition_truncated');
+    }
+    EXCESSIVE_REPEAT_RE.lastIndex = 0;
+    text = text.replace(EXCESSIVE_REPEAT_RE, (match) => match.slice(0, TRUNCATED_REPEAT_LENGTH));
+    // 9. Length limit
+    const truncated = text.length > MAX_LENGTH;
+    if (truncated) {
+        text = text.slice(0, MAX_LENGTH);
+        warnings.push('length_truncated');
+    }
+    return {
+        sanitized: text,
+        warnings,
+        originalLength,
+        truncated,
+    };
+}
+// ---------------------------------------------------------------------------
+// Quote for embedding
+// ---------------------------------------------------------------------------
+export function quoteForEmbedding(input, label) {
+    const result = sanitizeForPromptEmbedding(input);
+    const effectiveLabel = label ?? 'User Input';
+    const lines = [];
+    if (result.warnings.length > 0) {
+        lines.push(`> WARNING: Content was sanitized (${result.warnings.length} issues detected)`);
+    }
+    lines.push(`> **[${effectiveLabel}]**`);
+    for (const line of result.sanitized.split('\n')) {
+        lines.push(`> ${line}`);
+    }
+    return lines.join('\n');
+}

package/dist/src/utils/semaphore.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Counting semaphore for limiting concurrent access to a shared resource.
+ *
+ * Used by the orchestrator to cap the number of parallel CLI invocations
+ * so that system resources (CPU, file handles, network) are not exhausted.
+ */
+export declare class Semaphore {
+    private readonly maxConcurrency;
+    private _activeCount;
+    private _waitQueue;
+    constructor(maxConcurrency: number);
+    /** Acquire a slot. Resolves immediately when a slot is available, otherwise waits. */
+    acquire(): Promise<void>;
+    /** Release a slot. Wakes the next waiter if any. */
+    release(): void;
+    /** Run a function with automatic acquire/release. */
+    run<T>(fn: () => Promise<T>): Promise<T>;
+    /** Number of currently active tasks. */
+    get activeCount(): number;
+    /** Number of tasks waiting for a slot. */
+    get waitingCount(): number;
+}

package/dist/src/utils/semaphore.js

@@ -0,0 +1,57 @@
+/**
+ * Counting semaphore for limiting concurrent access to a shared resource.
+ *
+ * Used by the orchestrator to cap the number of parallel CLI invocations
+ * so that system resources (CPU, file handles, network) are not exhausted.
+ */
+export class Semaphore {
+    maxConcurrency;
+    _activeCount = 0;
+    _waitQueue = [];
+    constructor(maxConcurrency) {
+        this.maxConcurrency = maxConcurrency;
+        if (maxConcurrency < 1 || !Number.isInteger(maxConcurrency)) {
+            throw new Error(`Semaphore maxConcurrency must be a positive integer, got: ${maxConcurrency}`);
+        }
+    }
+    /** Acquire a slot. Resolves immediately when a slot is available, otherwise waits. */
+    async acquire() {
+        if (this._activeCount < this.maxConcurrency) {
+            this._activeCount++;
+            return;
+        }
+        return new Promise((resolve) => {
+            this._waitQueue.push(resolve);
+        });
+    }
+    /** Release a slot. Wakes the next waiter if any. */
+    release() {
+        if (this._waitQueue.length > 0) {
+            // Hand the slot directly to the next waiter without decrementing.
+            const next = this._waitQueue.shift();
+            // _activeCount stays the same — ownership transfers to the waiter.
+            next();
+        }
+        else {
+            this._activeCount--;
+        }
+    }
+    /** Run a function with automatic acquire/release. */
+    async run(fn) {
+        await this.acquire();
+        try {
+            return await fn();
+        }
+        finally {
+            this.release();
+        }
+    }
+    /** Number of currently active tasks. */
+    get activeCount() {
+        return this._activeCount;
+    }
+    /** Number of tasks waiting for a slot. */
+    get waitingCount() {
+        return this._waitQueue.length;
+    }
+}

package/dist/src/utils/shutdown.d.ts

@@ -0,0 +1,6 @@
+import type { ChildProcess } from 'node:child_process';
+export declare function registerProcess(proc: ChildProcess): void;
+/** Register a cleanup callback to run on SIGINT/SIGTERM (e.g., TUI terminal restore).
+ *  Returns a deregistration function to prevent memory leaks in long-running sessions. */
+export declare function registerCleanup(fn: () => void): () => void;
+export declare function setupGracefulShutdown(): void;

package/dist/src/utils/shutdown.js

@@ -0,0 +1,51 @@
+const activeProcesses = new Set();
+const cleanupCallbacks = [];
+export function registerProcess(proc) {
+    activeProcesses.add(proc);
+    proc.on('close', () => activeProcesses.delete(proc));
+    proc.on('error', () => activeProcesses.delete(proc));
+}
+/** Register a cleanup callback to run on SIGINT/SIGTERM (e.g., TUI terminal restore).
+ *  Returns a deregistration function to prevent memory leaks in long-running sessions. */
+export function registerCleanup(fn) {
+    cleanupCallbacks.push(fn);
+    return () => {
+        const idx = cleanupCallbacks.indexOf(fn);
+        if (idx !== -1)
+            cleanupCallbacks.splice(idx, 1);
+    };
+}
+let installed = false;
+export function setupGracefulShutdown() {
+    if (installed)
+        return;
+    installed = true;
+    const handler = () => {
+        // Snapshot to avoid splice-during-iteration when callbacks deregister themselves
+        const callbacks = [...cleanupCallbacks];
+        for (const cb of callbacks) {
+            try {
+                cb();
+            }
+            catch { /* intentional: cleanup callbacks must not throw during shutdown */ }
+        }
+        for (const proc of activeProcesses) {
+            proc.kill('SIGTERM');
+        }
+        // If no active child processes, exit after one tick to allow pending I/O to flush
+        if (activeProcesses.size === 0) {
+            setImmediate(() => process.exit(0));
+            return;
+        }
+        // Grace period then force kill
+        setTimeout(() => {
+            for (const proc of activeProcesses) {
+                if (!proc.killed)
+                    proc.kill('SIGKILL');
+            }
+            process.exit(1);
+        }, 5_000).unref();
+    };
+    process.on('SIGINT', handler);
+    process.on('SIGTERM', handler);
+}

package/dist/src/utils/tty.d.ts

@@ -0,0 +1,5 @@
+/**
+ * TTY detection utility for output mode selection.
+ */
+export type OutputMode = 'interactive' | 'ci' | 'pipe';
+export declare function detectOutputMode(): OutputMode;

package/dist/src/utils/tty.js

@@ -0,0 +1,7 @@
+export function detectOutputMode() {
+    if (!process.stdout.isTTY)
+        return 'pipe';
+    if (process.env['CI'] === 'true' || process.env['CI'] === '1')
+        return 'ci';
+    return 'interactive';
+}

package/package.json

@@ -0,0 +1,82 @@
+{
+  "name": "magi-ai",
+  "version": "0.1.0",
+  "description": "MAGI System - Multi-AI CLI Deliberation Framework (Evangelion-inspired, unofficial fan-made)",
+  "type": "module",
+  "main": "./dist/src/index.js",
+  "types": "./dist/src/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/src/index.d.ts",
+        "default": "./dist/src/index.js"
+      }
+    }
+  },
+  "bin": {
+    "magi": "./dist/bin/magi.js",
+    "magi-mcp": "./dist/bin/magi-mcp.js"
+  },
+  "files": [
+    "dist/",
+    "!dist/test/",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:e2e": "MAGI_E2E=1 vitest run test/e2e",
+    "lint": "eslint src/",
+    "prebuild": "rm -r dist 2>/dev/null || true",
+    "build": "tsc && chmod +x dist/bin/magi.js dist/bin/magi-mcp.js",
+    "start": "npx tsx bin/magi.ts",
+    "benchmark": "npx tsx bin/magi-benchmark.ts",
+    "coverage": "vitest run --coverage",
+    "prepublishOnly": "npm run build && npm test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ryu-tada/MAGI-system.git"
+  },
+  "keywords": [
+    "ai",
+    "multi-agent",
+    "consensus",
+    "deliberation",
+    "cli",
+    "claude",
+    "codex",
+    "gemini",
+    "mcp",
+    "code-review",
+    "evangelion",
+    "tui",
+    "terminal-ui",
+    "multi-model",
+    "nerv",
+    "model-context-protocol",
+    "ai-orchestration"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "chalk": "^5.4.0",
+    "commander": "^13.0.0",
+    "zod": "^3.24.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/node": "^22.0.0",
+    "@vitest/coverage-v8": "^3.2.4",
+    "eslint": "^10.0.2",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.56.1",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "license": "MIT"
+}