moflo 4.8.57 → 4.8.59

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.8.57",
+  "version": "4.8.59",
   "description": "MoFlo — AI agent orchestration for Claude Code. Forked from ruflo/claude-flow with patches applied to source, plus feature-level orchestration.",
   "main": "dist/index.js",
   "type": "module",
@@ -111,7 +111,7 @@
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.19.37",
     "eslint": "^8.0.0",
-    "moflo": "^4.8.56",
+    "moflo": "^4.8.58",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"

package/src/modules/cli/dist/src/config/moflo-config.js

@@ -78,7 +78,7 @@ const DEFAULT_CONFIG = {
         helpers: true,
     },
     sandbox: {
-        enabled: true,
+        enabled: false,
         tier: 'auto',
     },
     epic: {
@@ -359,7 +359,7 @@ auto_update:
 # OS-level sandbox for spell bash steps
 # Denylist always runs regardless of this setting
 sandbox:
-  enabled: true                  # false to disable OS sandbox (keeps denylist)
+  enabled: false                 # true to enable OS sandbox (denylist runs either way)
   tier: auto                     # auto | denylist-only | full
                                  # auto = best available, graceful fallback
                                  # denylist-only = skip OS sandbox

package/src/modules/cli/dist/src/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.8.57';
+export const VERSION = '4.8.59';
 //# sourceMappingURL=version.js.map

package/src/modules/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moflo/cli",
-  "version": "4.8.57",
+  "version": "4.8.59",
   "type": "module",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",

package/src/modules/spells/dist/commands/bash-command.js

@@ -146,10 +146,14 @@ export const bashCommand = {
                 const projectRoot = context.variables.projectRoot || process.cwd();
                 const caps = context.effectiveCaps ?? [];
                 if (tool === 'sandbox-exec') {
-                    sandboxWrap = wrapWithSandboxExec(command, caps, projectRoot);
+                    sandboxWrap = wrapWithSandboxExec(command, caps, projectRoot, {
+                        permissionLevel: context.permissionLevel,
+                    });
                 }
                 else if (tool === 'bwrap') {
-                    sandboxWrap = wrapWithBwrap(command, caps, projectRoot);
+                    sandboxWrap = wrapWithBwrap(command, caps, projectRoot, {
+                        permissionLevel: context.permissionLevel,
+                    });
                 }
             }
             catch (err) {

package/src/modules/spells/dist/core/bwrap-sandbox.js

@@ -9,7 +9,44 @@
  *
  * @see https://github.com/eric-cielo/moflo/issues/411
  */
+import { homedir } from 'node:os';
+import { posix } from 'node:path';
 import { resolveScopePath } from './sandbox-utils.js';
+/**
+ * Home-directory paths that common CLI tools need writable to persist state.
+ * These are bound via `--bind-try` so missing entries are silently skipped.
+ *
+ * Rationale: `elevated`/`autonomous` steps routinely spawn tools like `claude`,
+ * `gh`, `git`, and `npm` that write config/credentials/cache under $HOME. A
+ * pure `--ro-bind / /` makes those tools fail with EROFS. We narrow the bind
+ * set to well-known config paths so the sandbox still protects system dirs
+ * (/etc, /usr, /var) and the rest of $HOME.
+ */
+const TOOL_HOME_PATHS = [
+    // Claude Code
+    '.claude',
+    '.claude.json',
+    // GitHub CLI
+    '.config/gh',
+    // git
+    '.gitconfig',
+    '.git-credentials',
+    // npm
+    '.npmrc',
+    '.npm',
+    // Shared XDG locations
+    '.config',
+    '.cache',
+    '.local/share',
+    '.local/state',
+];
+/**
+ * Permission levels that spawn arbitrary CLI tools and therefore need tool
+ * home paths bound writable.
+ */
+function needsToolHomeAccess(level) {
+    return level === 'elevated' || level === 'autonomous';
+}
 /**
  * Build bwrap CLI arguments from step capabilities.
  *
@@ -20,8 +57,12 @@ import { resolveScopePath } from './sandbox-utils.js';
  *   - fs:write scoped  -> --bind (read-write) for each scope path
  *   - fs:write unscoped -> --bind (read-write) for projectRoot
  *   - net              -> omit --unshare-net
+ *
+ * When `options.permissionLevel` is `elevated` or `autonomous`, also bind a
+ * narrow allowlist of CLI-tool home paths writable via `--bind-try` so that
+ * spawned subcommands (claude, gh, git, npm) can persist their state.
  */
-export function buildBwrapArgs(command, capabilities, projectRoot) {
+export function buildBwrapArgs(command, capabilities, projectRoot, options = {}) {
     const args = [];
     // ── Root filesystem (read-only by default) ──────────────────────────
     args.push('--ro-bind', '/', '/');
@@ -32,16 +73,35 @@ export function buildBwrapArgs(command, capabilities, projectRoot) {
     args.push('--tmpfs', '/tmp');
     // ── fs:write — grant read-write bind mounts ─────────────────────────
     const fsWrite = capabilities.find(c => c.type === 'fs:write');
+    const writableScopes = new Set();
     if (fsWrite) {
         if (fsWrite.scope && fsWrite.scope.length > 0) {
             for (const scopePath of fsWrite.scope) {
                 const resolved = resolveScopePath(scopePath, projectRoot);
                 args.push('--bind', resolved, resolved);
+                writableScopes.add(resolved);
             }
         }
         else {
             // Unscoped fs:write -> writable project root
             args.push('--bind', projectRoot, projectRoot);
+            writableScopes.add(projectRoot);
+        }
+    }
+    // ── Tool home paths (elevated/autonomous only) ──────────────────────
+    // Bind well-known CLI-tool config/cache paths writable so spawned
+    // subcommands (claude, gh, git, npm) can persist their state. Uses
+    // --bind-try so missing paths are ignored instead of erroring.
+    if (needsToolHomeAccess(options.permissionLevel)) {
+        const home = options.homeDir ?? homedir();
+        if (home) {
+            for (const rel of TOOL_HOME_PATHS) {
+                const resolved = posix.join(home, rel);
+                if (writableScopes.has(resolved))
+                    continue;
+                args.push('--bind-try', resolved, resolved);
+                writableScopes.add(resolved);
+            }
         }
     }
     // ── fs:read scoped — explicit read-only bind mounts ─────────────────
@@ -50,9 +110,8 @@ export function buildBwrapArgs(command, capabilities, projectRoot) {
     if (fsRead && fsRead.scope && fsRead.scope.length > 0) {
         for (const scopePath of fsRead.scope) {
             const resolved = resolveScopePath(scopePath, projectRoot);
-            // Only add if not already covered by an fs:write --bind for same path
-            const alreadyWritable = fsWrite?.scope?.some(wp => resolveScopePath(wp, projectRoot) === resolved);
-            if (!alreadyWritable) {
+            // Only add if not already covered by a writable bind for same path
+            if (!writableScopes.has(resolved)) {
                 args.push('--ro-bind', resolved, resolved);
             }
         }
@@ -77,8 +136,8 @@ export function buildBwrapArgs(command, capabilities, projectRoot) {
  * Unlike sandbox-exec, bwrap uses CLI args only — no temp files are created,
  * so `cleanup()` is a no-op.
  */
-export function wrapWithBwrap(command, capabilities, projectRoot) {
-    const args = buildBwrapArgs(command, capabilities, projectRoot);
+export function wrapWithBwrap(command, capabilities, projectRoot, options = {}) {
+    const args = buildBwrapArgs(command, capabilities, projectRoot, options);
     return {
         bin: 'bwrap',
         args,

package/src/modules/spells/dist/core/platform-sandbox.js

@@ -15,7 +15,7 @@ import { execSync } from 'node:child_process';
 import { existsSync } from 'node:fs';
 import { platform } from 'node:os';
 export const DEFAULT_SANDBOX_CONFIG = {
-    enabled: true,
+    enabled: false,
     tier: 'auto',
 };
 // ============================================================================

package/src/modules/spells/dist/core/sandbox-profile.js

@@ -7,10 +7,42 @@
  * @see https://github.com/eric-cielo/moflo/issues/410
  */
 import { writeFileSync, unlinkSync } from 'node:fs';
-import { join } from 'node:path';
-import { tmpdir } from 'node:os';
+import { join, posix } from 'node:path';
+import { tmpdir, homedir } from 'node:os';
 import { randomBytes } from 'node:crypto';
 import { resolveScopePath } from './sandbox-utils.js';
+/**
+ * Home-directory paths that common CLI tools need writable to persist state.
+ * Rationale matches the Linux bwrap wrapper: `elevated`/`autonomous` steps
+ * spawn tools (claude, gh, git, npm) that write under $HOME; a pure
+ * deny-default profile makes those tools fail. System dirs (/etc, /usr,
+ * /private/var/root, etc.) remain denied.
+ */
+const TOOL_HOME_PATHS = [
+    // Claude Code (dotfile + Application Support on macOS)
+    '.claude',
+    '.claude.json',
+    'Library/Application Support/Claude',
+    'Library/Application Support/claude-cli-nodejs',
+    'Library/Caches/Claude',
+    'Library/Preferences',
+    // GitHub CLI
+    '.config/gh',
+    // git
+    '.gitconfig',
+    '.git-credentials',
+    // npm
+    '.npmrc',
+    '.npm',
+    // Shared XDG locations
+    '.config',
+    '.cache',
+    '.local/share',
+    '.local/state',
+];
+function needsToolHomeAccess(level) {
+    return level === 'elevated' || level === 'autonomous';
+}
 // ============================================================================
 // Profile Generation
 // ============================================================================
@@ -28,7 +60,7 @@ import { resolveScopePath } from './sandbox-utils.js';
  *   - net capability → allow network*
  *   - No net capability → network denied (default deny covers it)
  */
-export function generateSandboxProfile(capabilities, projectRoot) {
+export function generateSandboxProfile(capabilities, projectRoot, options = {}) {
     const lines = [
         '(version 1)',
         '(deny default)',
@@ -85,6 +117,23 @@ export function generateSandboxProfile(capabilities, projectRoot) {
             lines.push(`(allow file-write* (subpath "${escapeSbPath(projectRoot)}"))`);
         }
     }
+    // ── Tool home paths (elevated/autonomous only) ──────────────────────
+    // Allow writes to well-known CLI-tool home paths so spawned subcommands
+    // (claude, gh, git, npm) can persist config/credentials/cache. Uses
+    // `(subpath ...)` so non-existent paths are simply unmatched — no error.
+    if (needsToolHomeAccess(options.permissionLevel)) {
+        const home = options.homeDir ?? homedir();
+        if (home) {
+            lines.push('');
+            lines.push('; Tool home paths (elevated)');
+            for (const rel of TOOL_HOME_PATHS) {
+                // sandbox-exec is macOS-only → always POSIX paths
+                const resolved = posix.join(home, rel);
+                lines.push(`(allow file-read* (subpath "${escapeSbPath(resolved)}"))`);
+                lines.push(`(allow file-write* (subpath "${escapeSbPath(resolved)}"))`);
+            }
+        }
+    }
     // ── net ──────────────────────────────────────────────────────────────
     const hasNet = capabilities.some(c => c.type === 'net');
     if (hasNet) {
@@ -104,8 +153,8 @@ export function generateSandboxProfile(capabilities, projectRoot) {
  * Writes a temporary `.sb` profile and returns the sandbox-exec invocation.
  * The caller MUST call `cleanup()` after the process exits.
  */
-export function wrapWithSandboxExec(command, capabilities, projectRoot) {
-    const profile = generateSandboxProfile(capabilities, projectRoot);
+export function wrapWithSandboxExec(command, capabilities, projectRoot, options = {}) {
+    const profile = generateSandboxProfile(capabilities, projectRoot, options);
     const profilePath = join(tmpdir(), `moflo-sandbox-${randomBytes(8).toString('hex')}.sb`);
     writeFileSync(profilePath, profile, 'utf8');
     return {