memory-journal-mcp 6.1.2 → 6.2.1

package/src/codemode/types.ts

@@ -1,228 +0,0 @@
-/**
- * memory-journal-mcp - Code Mode Types
- *
- * Type definitions for the sandboxed code execution environment.
- */
-
-import type { ToolGroup } from '../types/index.js'
-
-// =============================================================================
-// Sandbox Configuration
-// =============================================================================
-
-/**
- * Options for sandbox execution
- */
-export interface SandboxOptions {
-    /** Memory limit in MB (default: 128) */
-    memoryLimitMb?: number
-    /** Execution timeout in milliseconds (default: 30000) */
-    timeoutMs?: number
-    /** CPU time limit in milliseconds (default: 10000) */
-    cpuLimitMs?: number
-}
-
-/**
- * Options for the sandbox pool
- */
-export interface PoolOptions {
-    /** Minimum instances to keep warm (default: 2) */
-    minInstances?: number
-    /** Maximum instances in pool (default: 10) */
-    maxInstances?: number
-    /** Idle timeout before disposing instance (default: 60000ms) */
-    idleTimeoutMs?: number
-}
-
-/**
- * Default sandbox configuration
- */
-export const DEFAULT_SANDBOX_OPTIONS: Required<SandboxOptions> = {
-    memoryLimitMb: 128,
-    timeoutMs: 30000,
-    cpuLimitMs: 10000,
-}
-
-/**
- * Default pool configuration
- */
-export const DEFAULT_POOL_OPTIONS: Required<PoolOptions> = {
-    minInstances: 2,
-    maxInstances: 10,
-    idleTimeoutMs: 60000,
-}
-
-// =============================================================================
-// Execution Results
-// =============================================================================
-
-/**
- * Metrics collected during sandbox execution
- */
-export interface ExecutionMetrics {
-    /** Wall clock time in milliseconds */
-    wallTimeMs: number
-    /** CPU time consumed in milliseconds */
-    cpuTimeMs: number
-    /** Peak memory usage in MB */
-    memoryUsedMb: number
-}
-
-/**
- * Result of sandbox code execution
- */
-export interface SandboxResult {
-    /** Whether execution completed successfully */
-    success: boolean
-    /** Return value from the code (if successful) */
-    result?: unknown
-    /** Error message (if failed) */
-    error?: string | undefined
-    /** Stack trace (if failed) */
-    stack?: string | undefined
-    /** Execution metrics */
-    metrics: ExecutionMetrics
-}
-
-// =============================================================================
-// Security Configuration
-// =============================================================================
-
-/**
- * Security configuration for code validation
- */
-export interface SecurityConfig {
-    /** Maximum code length in bytes (default: 50KB) */
-    maxCodeLength: number
-    /** Maximum executions per minute per client (default: 60) */
-    maxExecutionsPerMinute: number
-    /** Maximum result size in bytes (default: 10MB) */
-    maxResultSize: number
-    /** Patterns to block in code */
-    blockedPatterns: RegExp[]
-}
-
-/**
- * Default security configuration
- */
-export const DEFAULT_SECURITY_CONFIG: SecurityConfig = {
-    maxCodeLength: 50 * 1024, // 50KB
-    maxExecutionsPerMinute: 60,
-    maxResultSize: 10 * 1024 * 1024, // 10MB
-    blockedPatterns: [
-        /\brequire\s*\(/, // No require()
-        /\bimport\s*\(/, // No dynamic import()
-        /\bprocess\./, // No process access
-        /\bglobal\./, // No global access
-        /\bglobalThis\./, // No globalThis access
-        /\beval\s*\(/, // No eval()
-        /\bFunction\s*\(/, // No Function constructor
-        /\b__proto__\b/, // No prototype pollution
-        /\bconstructor\.constructor/, // No constructor chaining
-        /\[['"]constructor['"]\]/i, // No bracket-notation constructor access
-        /\bReflect\s*\.\s*construct/i, // No Reflect.construct bypass
-        /\bchild_process/, // No child processes
-        /\bfs\./, // No filesystem
-        /\bnet\./, // No networking
-        /\bhttp\./, // No HTTP
-        /\bhttps\./, // No HTTPS
-    ],
-}
-
-/**
- * Validation result from security checks
- */
-export interface ValidationResult {
-    /** Whether the code passed validation */
-    valid: boolean
-    /** Validation errors (if any) */
-    errors: string[]
-}
-
-/**
- * Execution record for audit logging
- */
-export interface ExecutionRecord {
-    /** Unique execution ID */
-    id: string
-    /** Client identifier (for rate limiting) */
-    clientId?: string | undefined
-    /** Timestamp of execution start */
-    timestamp: Date
-    /** Code that was executed (truncated for logging) */
-    codePreview: string
-    /** Execution result */
-    result: SandboxResult
-    /** Whether code was in readonly mode */
-    readonly: boolean
-}
-
-// =============================================================================
-// API Types
-// =============================================================================
-
-/**
- * Tool group API interface — each group exposes its tools as methods
- */
-export interface GroupApi {
-    /** Tool group name */
-    readonly groupName: ToolGroup
-}
-
-/**
- * Options passed to mj_execute_code tool
- */
-export interface ExecuteCodeOptions {
-    /** JavaScript code to execute */
-    code: string
-    /** Timeout in milliseconds (max 30000) */
-    timeout?: number
-    /** Restrict to read-only operations */
-    readonly?: boolean
-}
-
-/**
- * Result returned by mj_execute_code tool
- */
-export interface ExecuteCodeResult {
-    /** Whether execution succeeded */
-    success: boolean
-    /** Return value from the code */
-    result?: unknown
-    /** Error message (if failed) */
-    error?: string
-    /** Execution metrics */
-    metrics: ExecutionMetrics
-}
-
-// =============================================================================
-// Worker RPC Types
-// =============================================================================
-
-/**
- * RPC request from worker thread to main thread.
- * Sent over the MessagePort to invoke API methods on the main thread.
- */
-export interface RpcRequest {
-    /** Unique request ID for correlating responses */
-    id: number
-    /** API group name (e.g., "core", "search") */
-    group: string
-    /** Method name within the group (e.g., "createEntry") */
-    method: string
-    /** Arguments to pass to the method */
-    args: unknown[]
-}
-
-/**
- * RPC response from main thread to worker thread.
- * Sent back over the MessagePort with the result or error.
- */
-export interface RpcResponse {
-    /** Matching request ID */
-    id: number
-    /** Return value from the method (if successful) */
-    result?: unknown
-    /** Error message (if failed) */
-    error?: string
-}

package/src/codemode/worker-sandbox.ts

@@ -1,277 +0,0 @@
-/**
- * memory-journal-mcp - Worker Sandbox (worker_threads)
- *
- * Production-grade sandboxed execution using `node:worker_threads`.
- * Provides true V8 isolate boundary with resource limits,
- * hard timeouts, and MessagePort RPC bridge.
- */
-
-import { Worker, MessageChannel, type ResourceLimits } from 'node:worker_threads'
-import * as crypto from 'node:crypto'
-import { fileURLToPath } from 'node:url'
-import * as path from 'node:path'
-import {
-    DEFAULT_SANDBOX_OPTIONS,
-    DEFAULT_POOL_OPTIONS,
-    type SandboxOptions,
-    type PoolOptions,
-    type SandboxResult,
-    type RpcRequest,
-    type RpcResponse,
-} from './types.js'
-
-// =============================================================================
-// Worker Script Path Resolution
-// =============================================================================
-
-/**
- * Resolve the worker script path relative to this module.
- * The worker-script.ts compiles to worker-script.js in the dist/ directory.
- */
-function getWorkerScriptPath(): string {
-    const currentDir = path.dirname(fileURLToPath(import.meta.url))
-    return path.join(currentDir, 'worker-script.js')
-}
-
-// =============================================================================
-// Worker Sandbox
-// =============================================================================
-
-/**
- * Worker-thread sandbox for secure code execution.
- * Each execution spawns a fresh worker for clean state.
- */
-export class WorkerSandbox {
-    private readonly options: Required<SandboxOptions>
-
-    constructor(options?: SandboxOptions) {
-        this.options = { ...DEFAULT_SANDBOX_OPTIONS, ...options }
-    }
-
-    /**
-     * Execute code in a worker thread with RPC bridge.
-     *
-     * @param code - JavaScript code to execute
-     * @param apiBindings - Map of group → method record for RPC dispatch
-     */
-    async execute(
-        code: string,
-        apiBindings: Record<string, unknown>,
-        timeoutMs?: number
-    ): Promise<SandboxResult> {
-        const effectiveTimeout = timeoutMs ?? this.options.timeoutMs
-        const startTime = performance.now()
-        const startRss = process.memoryUsage.rss()
-
-        return new Promise<SandboxResult>((resolve) => {
-            // Serialize bindings: group objects → method name arrays,
-            // top-level functions → collected under '_topLevel'
-            const methodList: Record<string, string[]> = {}
-            const topLevel: string[] = []
-
-            for (const [key, value] of Object.entries(apiBindings)) {
-                if (typeof value === 'function') {
-                    topLevel.push(key)
-                } else if (typeof value === 'object' && value !== null) {
-                    const methods: string[] = []
-                    for (const [methodName, methodValue] of Object.entries(
-                        value as Record<string, unknown>
-                    )) {
-                        if (typeof methodValue === 'function') {
-                            methods.push(methodName)
-                        }
-                    }
-                    if (methods.length > 0) {
-                        methodList[key] = methods
-                    }
-                }
-            }
-
-            if (topLevel.length > 0) {
-                methodList['_topLevel'] = topLevel
-            }
-
-            // Create MessageChannel for RPC
-            const { port1: hostPort, port2: workerPort } = new MessageChannel()
-
-            // Resource limits
-            const resourceLimits: ResourceLimits = {
-                maxOldGenerationSizeMb: this.options.memoryLimitMb,
-                maxYoungGenerationSizeMb: Math.max(8, Math.floor(this.options.memoryLimitMb / 8)),
-            }
-
-            const worker = new Worker(getWorkerScriptPath(), {
-                workerData: {
-                    code,
-                    methodList,
-                    timeoutMs: effectiveTimeout,
-                    rpcPort: workerPort,
-                },
-                transferList: [workerPort],
-                resourceLimits,
-            })
-
-            // Hard timeout — terminate worker if it runs too long
-            const timeoutHandle = setTimeout(() => {
-                worker.terminate().catch(() => {
-                    // Worker already dead
-                })
-            }, effectiveTimeout + 1000) // +1s grace for cleanup
-
-            // Handle RPC requests from the worker (via MessageChannel)
-            hostPort.on('message', (msg: RpcRequest) => {
-                void handleRpcRequest(msg, apiBindings, hostPort)
-            })
-
-            // Handle worker completion (results sent via parentPort)
-            worker.on('message', (msg: SandboxResult) => {
-                clearTimeout(timeoutHandle)
-                hostPort.close()
-
-                const endTime = performance.now()
-                const endRss = process.memoryUsage.rss()
-                const result = msg
-                result.metrics = {
-                    wallTimeMs: Math.round(endTime - startTime),
-                    cpuTimeMs: result.metrics.cpuTimeMs,
-                    memoryUsedMb: Math.round((endRss - startRss) / 1024 / 1024),
-                }
-
-                resolve(result)
-            })
-
-            // Handle worker errors and exit
-            worker.on('error', (err: Error) => {
-                clearTimeout(timeoutHandle)
-                hostPort.close()
-
-                const endTime = performance.now()
-                const endRss = process.memoryUsage.rss()
-                const errorMessage: string = err.message
-                const errorStack: string | undefined = err.stack
-                resolve({
-                    success: false,
-                    error: errorMessage,
-                    stack: errorStack,
-                    metrics: {
-                        wallTimeMs: Math.round(endTime - startTime),
-                        cpuTimeMs: 0,
-                        memoryUsedMb: Math.round((endRss - startRss) / 1024 / 1024),
-                    },
-                })
-            })
-
-            worker.on('exit', (exitCode) => {
-                clearTimeout(timeoutHandle)
-                hostPort.close()
-
-                if (exitCode !== 0) {
-                    const endTime = performance.now()
-                    const endRss = process.memoryUsage.rss()
-                    resolve({
-                        success: false,
-                        error: `Worker exited with code ${String(exitCode)} (likely timeout or OOM)`,
-                        metrics: {
-                            wallTimeMs: Math.round(endTime - startTime),
-                            cpuTimeMs: 0,
-                            memoryUsedMb: Math.round((endRss - startRss) / 1024 / 1024),
-                        },
-                    })
-                }
-            })
-        })
-    }
-}
-
-// =============================================================================
-// RPC Handler (Main Thread)
-// =============================================================================
-
-/**
- * Handle an RPC request from the worker thread.
- * Looks up the method in apiBindings and sends the response back.
- */
-async function handleRpcRequest(
-    req: RpcRequest,
-    apiBindings: Record<string, unknown>,
-    hostPort: MessagePort
-): Promise<void> {
-    const response: RpcResponse = { id: req.id }
-
-    try {
-        // _topLevel methods are direct keys on apiBindings
-        let target: unknown
-        if (req.group === '_topLevel') {
-            target = apiBindings[req.method]
-        } else {
-            const groupApi = apiBindings[req.group]
-            if (groupApi !== undefined && groupApi !== null && typeof groupApi === 'object') {
-                target = (groupApi as Record<string, unknown>)[req.method]
-            }
-        }
-
-        if (typeof target === 'function') {
-            response.result = await (target as (...args: unknown[]) => Promise<unknown>)(
-                ...req.args
-            )
-        } else {
-            response.error = `Unknown method: ${req.group}.${req.method}`
-        }
-    } catch (err) {
-        response.error = err instanceof Error ? err.message : String(err)
-    }
-
-    hostPort.postMessage(response)
-}
-
-// =============================================================================
-// Worker Sandbox Pool
-// =============================================================================
-
-/**
- * Pool of worker-thread sandboxes for concurrent execution.
- * Creates a fresh worker for every execution to guarantee clean state.
- */
-export class WorkerSandboxPool {
-    private readonly options: Required<PoolOptions>
-    private readonly sandboxOptions: SandboxOptions
-    private activeCount = 0
-
-    constructor(sandboxOptions?: SandboxOptions, poolOptions?: PoolOptions) {
-        this.sandboxOptions = sandboxOptions ?? {}
-        this.options = { ...DEFAULT_POOL_OPTIONS, ...poolOptions }
-    }
-
-    /**
-     * Execute code in a pooled worker sandbox.
-     */
-    async execute(
-        code: string,
-        apiBindings: Record<string, unknown>,
-        timeoutMs?: number
-    ): Promise<SandboxResult> {
-        if (this.activeCount >= this.options.maxInstances) {
-            return {
-                success: false,
-                error: `Sandbox pool exhausted (max ${String(this.options.maxInstances)} concurrent executions)`,
-                metrics: { wallTimeMs: 0, cpuTimeMs: 0, memoryUsedMb: 0 },
-            }
-        }
-
-        this.activeCount++
-        try {
-            const sandbox = new WorkerSandbox(this.sandboxOptions)
-            return await sandbox.execute(code, apiBindings, timeoutMs)
-        } finally {
-            this.activeCount--
-        }
-    }
-
-    /** Get the current active execution count */
-    getActiveCount(): number {
-        return this.activeCount
-    }
-
-    /** Unique pool identifier */
-    readonly poolId = crypto.randomUUID()
-}