miladyai 2.0.0-alpha.27

package/dist/config/zod-schema.session.js

@@ -0,0 +1,73 @@
+import { GroupChatSchema, InboundDebounceSchema, MessagePolicySchema, NativeCommandsSettingSchema, QueueSchema, TtsConfigSchema } from "./zod-schema.core.js";
+import { z } from "zod";
+
+//#region src/config/zod-schema.session.ts
+const SessionResetConfigSchema = z.object({
+	mode: z.union([z.literal("daily"), z.literal("idle")]).optional(),
+	atHour: z.number().int().min(0).max(23).optional(),
+	idleMinutes: z.number().int().positive().optional()
+}).strict();
+const SessionSendPolicySchema = MessagePolicySchema;
+const SessionSchema = z.object({
+	scope: z.union([z.literal("per-sender"), z.literal("global")]).optional(),
+	dmScope: z.union([
+		z.literal("main"),
+		z.literal("per-peer"),
+		z.literal("per-channel-peer"),
+		z.literal("per-account-channel-peer")
+	]).optional(),
+	identityLinks: z.record(z.string(), z.array(z.string())).optional(),
+	resetTriggers: z.array(z.string()).optional(),
+	idleMinutes: z.number().int().positive().optional(),
+	reset: SessionResetConfigSchema.optional(),
+	resetByType: z.object({
+		dm: SessionResetConfigSchema.optional(),
+		group: SessionResetConfigSchema.optional(),
+		thread: SessionResetConfigSchema.optional()
+	}).strict().optional(),
+	resetByChannel: z.record(z.string(), SessionResetConfigSchema).optional(),
+	store: z.string().optional(),
+	typingIntervalSeconds: z.number().int().positive().optional(),
+	typingMode: z.union([
+		z.literal("never"),
+		z.literal("instant"),
+		z.literal("thinking"),
+		z.literal("message")
+	]).optional(),
+	mainKey: z.string().optional(),
+	sendPolicy: SessionSendPolicySchema.optional(),
+	agentToAgent: z.object({ maxPingPongTurns: z.number().int().min(0).max(5).optional() }).strict().optional()
+}).strict().optional();
+const MessagesSchema = z.object({
+	messagePrefix: z.string().optional(),
+	responsePrefix: z.string().optional(),
+	groupChat: GroupChatSchema,
+	queue: QueueSchema,
+	inbound: InboundDebounceSchema,
+	ackReaction: z.string().optional(),
+	ackReactionScope: z.enum([
+		"group-mentions",
+		"group-all",
+		"direct",
+		"all"
+	]).optional(),
+	removeAckAfterReply: z.boolean().optional(),
+	tts: TtsConfigSchema
+}).strict().optional();
+const CommandsSchema = z.object({
+	native: NativeCommandsSettingSchema.optional().default("auto"),
+	nativeSkills: NativeCommandsSettingSchema.optional().default("auto"),
+	text: z.boolean().optional(),
+	bash: z.boolean().optional(),
+	bashForegroundMs: z.number().int().min(0).max(3e4).optional(),
+	config: z.boolean().optional(),
+	debug: z.boolean().optional(),
+	restart: z.boolean().optional(),
+	useAccessGroups: z.boolean().optional()
+}).strict().optional().default({
+	native: "auto",
+	nativeSkills: "auto"
+});
+
+//#endregion
+export { CommandsSchema, MessagesSchema, SessionSchema, SessionSendPolicySchema };

package/dist/core-plugins.js

@@ -0,0 +1,37 @@
+//#region src/runtime/core-plugins.ts
+/**
+* Core plugin package lists shared by runtime startup and the API server.
+*
+* Keeping this in a standalone module avoids a circular dependency between
+* `api/server.ts` and `runtime/eliza.ts`.
+*/
+/** Core plugins that should always be loaded. */
+const CORE_PLUGINS = [
+	"@elizaos/plugin-sql",
+	"@elizaos/plugin-local-embedding",
+	"@elizaos/plugin-secrets-manager",
+	"@elizaos/plugin-form",
+	"@elizaos/plugin-knowledge",
+	"@elizaos/plugin-rolodex",
+	"@elizaos/plugin-trajectory-logger",
+	"@elizaos/plugin-agent-orchestrator",
+	"@elizaos/plugin-cron",
+	"@elizaos/plugin-shell",
+	"@elizaos/plugin-plugin-manager",
+	"@elizaos/plugin-agent-skills",
+	"@elizaos/plugin-pdf"
+];
+/**
+* Plugins that can be enabled from the admin panel.
+* Not loaded by default — kept separate due to packaging or spec issues.
+*/
+const OPTIONAL_CORE_PLUGINS = [
+	"@elizaos/plugin-cua",
+	"@elizaos/plugin-obsidian",
+	"@elizaos/plugin-code",
+	"@elizaos/plugin-repoprompt",
+	"@milaidy/plugin-claude-code-workbench"
+];
+
+//#endregion
+export { CORE_PLUGINS, OPTIONAL_CORE_PLUGINS };

package/dist/custom-actions.js

@@ -0,0 +1,250 @@
+import { loadMiladyConfig } from "./config/config.js";
+import { isBlockedPrivateOrLinkLocalIp, normalizeHostLike } from "./security/network-policy.js";
+import { lookup } from "node:dns/promises";
+import net from "node:net";
+
+//#region src/runtime/custom-actions.ts
+/**
+* Custom Actions runtime loader.
+*
+* Converts `CustomActionDef[]` from config into ElizaOS `Action[]` objects
+* so the agent can use them in conversations.
+*
+* @module runtime/custom-actions
+*/
+/** Cached runtime reference for hot-registration of new actions. */
+let _runtime = null;
+/**
+* Store the runtime reference so we can hot-register actions later.
+* Called once from plugin.init().
+*/
+function setCustomActionsRuntime(runtime) {
+	_runtime = runtime;
+}
+/**
+* Hot-register a CustomActionDef into the running agent.
+* Returns the ElizaOS Action that was registered, or null if no runtime.
+*/
+function registerCustomActionLive(def) {
+	if (!_runtime) return null;
+	const action = defToAction(def);
+	_runtime.registerAction(action);
+	return action;
+}
+/** API port for shell handler requests. */
+const API_PORT = process.env.API_PORT || process.env.SERVER_PORT || "2138";
+/** Valid handler types that we actually support. */
+const VALID_HANDLER_TYPES = new Set([
+	"http",
+	"shell",
+	"code"
+]);
+let vmRunner = null;
+function resolveFetchInputUrl(input) {
+	if (typeof input === "string") return input;
+	if (input instanceof URL) return input.toString();
+	if (typeof Request !== "undefined" && input instanceof Request) return input.url;
+	return null;
+}
+async function safeCodeFetch(input, init) {
+	const url = resolveFetchInputUrl(input);
+	if (!url || await isBlockedUrl(url)) throw new Error("Blocked: cannot make requests to internal network addresses");
+	const response = await fetch(input, {
+		...init,
+		redirect: "manual"
+	});
+	if (response.status >= 300 && response.status < 400) throw new Error("Blocked: redirects are not allowed for code custom actions");
+	return response;
+}
+async function runCodeHandler(code, params) {
+	if (typeof process === "undefined" || !process.versions?.node) throw new Error("Code actions are only supported in Node runtimes.");
+	if (!vmRunner) vmRunner = await import("node:vm");
+	const script = `(async () => { ${code} })();`;
+	const context = {
+		params,
+		fetch: safeCodeFetch
+	};
+	return await vmRunner.runInNewContext(`"use strict"; ${script}`, context, {
+		filename: "milady-custom-action",
+		timeout: 3e4
+	});
+}
+/**
+* Shell-escape a value so it can be safely interpolated into a shell command.
+* Wraps in single quotes and escapes any embedded single quotes.
+*/
+function shellEscape(value) {
+	return `'${value.replace(/'/g, "'\\''")}'`;
+}
+function isBlockedIp(ip) {
+	return isBlockedPrivateOrLinkLocalIp(ip);
+}
+/**
+* Check whether a URL targets a private/internal network (SSRF guard).
+* Blocks loopback, link-local, and RFC-1918 ranges except our own API.
+* Resolves hostnames to concrete IPs to prevent DNS-alias bypasses.
+*/
+async function isBlockedUrl(url) {
+	try {
+		const parsed = new URL(url);
+		const hostname = normalizeHostLike(parsed.hostname);
+		if ((hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") && parsed.port === String(API_PORT)) return false;
+		if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "0.0.0.0" || hostname.endsWith(".local") || hostname === "[::1]" || hostname === "metadata.google.internal" || hostname === "169.254.169.254") return true;
+		if (net.isIP(hostname)) return isBlockedIp(hostname);
+		const records = await lookup(hostname, { all: true });
+		const addresses = Array.isArray(records) ? records : [records];
+		for (const entry of addresses) if (isBlockedIp(entry.address)) return true;
+		return false;
+	} catch {
+		return true;
+	}
+}
+/**
+* Build an async handler function from a CustomActionHandler definition.
+*/
+function buildHandler(handler, paramDefs) {
+	if (!VALID_HANDLER_TYPES.has(handler.type)) return async () => ({
+		ok: false,
+		output: `Unsupported handler type: ${handler.type}`
+	});
+	switch (handler.type) {
+		case "http": return async (params) => {
+			let url = handler.url;
+			let body = handler.bodyTemplate ?? "";
+			const headers = { ...handler.headers };
+			for (const p of paramDefs) {
+				const value = params[p.name] ?? "";
+				url = url.replaceAll(`{{${p.name}}}`, encodeURIComponent(value));
+				body = body.replaceAll(`{{${p.name}}}`, value);
+			}
+			if (await isBlockedUrl(url)) return {
+				ok: false,
+				output: "Blocked: cannot make requests to internal network addresses"
+			};
+			if (!headers["Content-Type"] && body) headers["Content-Type"] = "application/json";
+			const fetchOpts = {
+				method: handler.method || "GET",
+				headers,
+				redirect: "manual"
+			};
+			if (body && handler.method !== "GET" && handler.method !== "HEAD") fetchOpts.body = body;
+			const response = await fetch(url, fetchOpts);
+			if (response.status >= 300 && response.status < 400) return {
+				ok: false,
+				output: "Blocked: redirects are not allowed for HTTP custom actions"
+			};
+			const text = await response.text();
+			return {
+				ok: response.ok,
+				output: text.slice(0, 4e3)
+			};
+		};
+		case "shell": return async (params) => {
+			let command = handler.command;
+			for (const p of paramDefs) {
+				const value = params[p.name] ?? "";
+				command = command.replaceAll(`{{${p.name}}}`, shellEscape(value));
+			}
+			const response = await fetch(`http://localhost:${API_PORT}/api/terminal/run`, {
+				method: "POST",
+				headers: (() => {
+					const headers = { "Content-Type": "application/json" };
+					const token = process.env.MILADY_API_TOKEN?.trim();
+					if (token) headers.Authorization = /^Bearer\s+/i.test(token) ? token : `Bearer ${token}`;
+					return headers;
+				})(),
+				body: JSON.stringify({
+					command,
+					clientId: "runtime-shell-action"
+				})
+			});
+			if (!response.ok) return {
+				ok: false,
+				output: `Terminal request failed: HTTP ${response.status}`
+			};
+			return {
+				ok: true,
+				output: `Executed: ${command}`
+			};
+		};
+		case "code": return async (params) => {
+			const result = await runCodeHandler(handler.code, params);
+			return {
+				ok: true,
+				output: (result !== void 0 ? String(result) : "Done").slice(0, 4e3)
+			};
+		};
+		default: return async () => ({
+			ok: false,
+			output: "Unknown handler type"
+		});
+	}
+}
+/**
+* Convert a single CustomActionDef into an ElizaOS Action.
+*/
+function defToAction(def) {
+	const handler = buildHandler(def.handler, def.parameters);
+	return {
+		name: def.name,
+		similes: def.similes ?? [],
+		description: def.description,
+		validate: async () => true,
+		handler: async (_runtime, _message, _state, options) => {
+			try {
+				const opts = options;
+				const params = {};
+				for (const p of def.parameters) {
+					const value = opts?.parameters?.[p.name];
+					if (typeof value === "string") params[p.name] = value;
+					else if (value !== void 0 && value !== null) params[p.name] = String(value);
+					else if (p.required) return {
+						text: `Missing required parameter: ${p.name}`,
+						success: false
+					};
+				}
+				const result = await handler(params);
+				return {
+					text: result.output,
+					success: result.ok,
+					data: {
+						actionId: def.id,
+						params
+					}
+				};
+			} catch (err) {
+				return {
+					text: `Action failed: ${err instanceof Error ? err.message : String(err)}`,
+					success: false
+				};
+			}
+		},
+		parameters: def.parameters.map((p) => ({
+			name: p.name,
+			description: p.description,
+			required: p.required,
+			schema: { type: "string" }
+		}))
+	};
+}
+/**
+* Load custom actions from config and convert them to ElizaOS Action objects.
+* Only returns enabled actions.
+*/
+function loadCustomActions() {
+	try {
+		return (loadMiladyConfig().customActions ?? []).filter((d) => d.enabled).map(defToAction);
+	} catch {
+		return [];
+	}
+}
+/**
+* Build a temporary handler for testing a custom action definition.
+* Used by the test endpoint to execute an action with sample params.
+*/
+function buildTestHandler(def) {
+	return buildHandler(def.handler, def.parameters);
+}
+
+//#endregion
+export { buildTestHandler, loadCustomActions, registerCustomActionLive, setCustomActionsRuntime };