natureco-cli 2.23.28 → 2.23.30

package/src/utils/approvals.js

@@ -0,0 +1,297 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const net = require('net');
+const chalk = require('chalk');
+const inquirer = require('./inquirer-wrapper');
+const { NatureCoError } = require('./errors');
+
+const APPROVALS_FILE = path.join(os.homedir(), '.natureco', 'exec-approvals.json');
+const APPROVALS_SOCKET_PATH = path.join(os.homedir(), '.natureco', 'exec-approvals.sock');
+const DEFAULT_TIMEOUT_MS = 1800000; // 30 min
+
+class ExecApprovalError extends NatureCoError {
+  constructor(message, options = {}) {
+    super(message, options);
+    this.command = options.command || null;
+  }
+}
+
+// -- Data types --
+
+/**
+ * @typedef {'deny'|'allowlist'|'full'} ExecSecurity
+ * @typedef {'off'|'on-miss'|'always'} ExecAsk
+ * @typedef {'deny'|'allowlist'|'ask'|'auto'|'full'} ExecMode
+ * @typedef {{ id?: string, pattern: string, argPattern?: string, source?: string, lastUsedAt?: string, lastUsedCommand?: string }} AllowlistEntry
+ * @typedef {{ version: 1, defaults?: { security?: ExecSecurity, ask?: ExecAsk }, agents?: Record<string, { security?: ExecSecurity, ask?: ExecAsk, allowlist?: AllowlistEntry[] }> }} ApprovalsFile
+ * @typedef {'allow-once'|'allow-always'|'deny'} ApprovalDecision
+ */
+
+function getApprovalsPath() {
+  return APPROVALS_FILE;
+}
+
+function loadApprovals() {
+  if (!fs.existsSync(APPROVALS_FILE)) {
+    return { version: 1, defaults: { security: 'full', ask: 'off' }, agents: {} };
+  }
+  try {
+    return JSON.parse(fs.readFileSync(APPROVALS_FILE, 'utf8'));
+  } catch {
+    return { version: 1, defaults: { security: 'full', ask: 'off' }, agents: {} };
+  }
+}
+
+function saveApprovals(data) {
+  const dir = path.dirname(APPROVALS_FILE);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(APPROVALS_FILE, JSON.stringify(data, null, 2), 'utf8');
+}
+
+function resolveEffectivePolicy(agentId) {
+  const file = loadApprovals();
+  const defaults = file.defaults || { security: 'full', ask: 'off' };
+  if (!agentId || !file.agents?.[agentId]) {
+    return { security: defaults.security || 'full', ask: defaults.ask || 'off', allowlist: [] };
+  }
+  const agent = file.agents[agentId];
+  return {
+    security: agent.security || defaults.security || 'full',
+    ask: agent.ask || defaults.ask || 'off',
+    allowlist: agent.allowlist || [],
+  };
+}
+
+function resolveMode(security, ask) {
+  if (security === 'deny') return 'deny';
+  if (security === 'allowlist' && ask === 'always') return 'ask';
+  if (security === 'allowlist') return 'allowlist';
+  if (security === 'full') return 'full';
+  return 'full';
+}
+
+function matchAllowlist(entries, command) {
+  if (!entries || !command) return null;
+  for (const entry of entries) {
+    try {
+      const pattern = new RegExp(entry.pattern, 'i');
+      if (pattern.test(command)) {
+        if (entry.argPattern) {
+          const argRe = new RegExp(entry.argPattern, 'i');
+          const args = command.split(/\s+/).slice(1).join(' ');
+          if (!argRe.test(args)) continue;
+        }
+        return entry;
+      }
+    } catch {}
+  }
+  return null;
+}
+
+function requiresApproval({ command, agentId, security, ask }) {
+  const policy = resolveEffectivePolicy(agentId);
+  const mode = resolveMode(security || policy.security, ask || policy.ask);
+
+  if (mode === 'deny') return { required: true, reason: 'deny' };
+  if (mode === 'full') return { required: false, reason: 'full' };
+
+  // Check allowlist
+  const match = matchAllowlist(policy.allowlist, command);
+  if (match) return { required: false, reason: 'allowlist', entry: match };
+
+  if (mode === 'allowlist') return { required: true, reason: 'not-in-allowlist' };
+  if (mode === 'ask') return { required: true, reason: 'ask' };
+
+  return { required: true, reason: 'unknown' };
+}
+
+// Built-in safe commands that never need approval
+const SAFE_COMMANDS = new Set([
+  'ls', 'cat', 'head', 'tail', 'echo', 'pwd', 'date', 'whoami',
+  'node -e', 'node -v', 'npm -v', 'git status', 'git diff', 'git log',
+]);
+
+function isSafeCommand(command) {
+  if (SAFE_COMMANDS.has(command.trim())) return true;
+  for (const safe of SAFE_COMMANDS) {
+    if (command.trim().startsWith(safe)) return true;
+  }
+  return false;
+}
+
+// Known dangerous patterns that should always warn
+const DANGEROUS_PATTERNS = [
+  /^rm\s+-rf\s+\/\s*$/,
+  /^mkfs/,
+  /^dd\s+if=.*\s+of=\/dev/,
+  /^:\(\)\s*\{.*:\(\)\s*;\s*\};/,
+  /^chmod\s+-R\s+777\s+\//,
+  /^chown\s+-R/,
+  /^>\/dev\/sda/,
+  /^\|.*sh$/,
+  /^curl.*\|.*sh$/,
+  /^wget.*\|.*sh$/,
+];
+
+function isDangerousCommand(command) {
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(command.trim())) return true;
+  }
+  return false;
+}
+
+async function requestUserApproval(command, options = {}) {
+  const { timeoutMs = DEFAULT_TIMEOUT_MS, agentId } = options;
+
+  console.log('');
+  console.log(chalk.yellow('  ⚠️  Command requires approval'));
+  console.log(chalk.gray('  ─'.repeat(30)));
+  console.log(chalk.white('  ') + command);
+  console.log(chalk.gray('  ─'.repeat(30)));
+
+  const choices = [
+    { value: 'allow-once', name: 'Allow once' },
+    { value: 'allow-always', name: 'Always allow this command' },
+    { value: 'deny', name: 'Deny' },
+  ];
+
+  // Add edit option if command is dangerous
+  if (options.isDangerous) {
+    choices.push({ value: 'edit', name: 'Edit command' });
+  }
+
+  process.stdin.resume();
+  const { decision } = await inquirer.prompt([{
+    type: 'list',
+    name: 'decision',
+    message: 'What would you like to do?',
+    choices,
+  }]);
+
+  if (decision === 'edit') {
+    const { edited } = await inquirer.prompt([{
+      type: 'input',
+      name: 'edited',
+      message: 'Edit command:',
+      default: command,
+    }]);
+    return { decision: 'allow-once', command: edited };
+  }
+
+  if (decision === 'allow-always') {
+    addAllowlistEntry(agentId, command);
+  }
+
+  return { decision, command };
+}
+
+function addAllowlistEntry(agentId, command) {
+  const file = loadApprovals();
+  if (!file.agents) file.agents = {};
+  if (!file.agents[agentId]) file.agents[agentId] = { allowlist: [] };
+
+  // Escape special regex chars in the command for pattern matching
+  const escaped = command.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const entry = {
+    id: `auto-${Date.now()}`,
+    pattern: `^${escaped}$`,
+    source: 'allow-always',
+    lastUsedAt: new Date().toISOString(),
+    lastUsedCommand: command,
+  };
+
+  file.agents[agentId].allowlist.push(entry);
+  saveApprovals(file);
+}
+
+function setSecurityPolicy(agentId, options = {}) {
+  const file = loadApprovals();
+  if (!file.agents) file.agents = {};
+  if (!file.agents[agentId]) file.agents[agentId] = {};
+
+  if (options.security) file.agents[agentId].security = options.security;
+  if (options.ask !== undefined) file.agents[agentId].ask = options.ask;
+
+  saveApprovals(file);
+}
+
+async function checkCommand(command, options = {}) {
+  const { agentId = 'default' } = options;
+
+  // Empty command
+  if (!command || !command.trim()) {
+    return { allowed: false, reason: 'empty' };
+  }
+
+  // Check if safe
+  if (isSafeCommand(command)) {
+    return { allowed: true, reason: 'safe-command' };
+  }
+
+  // Check if dangerous
+  const dangerous = isDangerousCommand(command);
+  const policy = resolveEffectivePolicy(agentId);
+  const mode = resolveMode(policy.security, policy.ask);
+
+  if (mode === 'deny') {
+    return { allowed: false, reason: 'denied-by-policy', policy };
+  }
+
+  // Check allowlist
+  const match = matchAllowlist(policy.allowlist, command);
+  if (match) {
+    return { allowed: true, reason: 'allowlist', entry: match };
+  }
+
+  if (mode === 'allowlist') {
+    return { allowed: false, reason: 'not-in-allowlist', policy };
+  }
+
+  if (mode === 'ask') {
+    const result = await requestUserApproval(command, { ...options, isDangerous: dangerous });
+    return {
+      allowed: result.decision === 'allow-once' || result.decision === 'allow-always',
+      reason: result.decision,
+      editedCommand: result.command,
+    };
+  }
+
+  // Full mode - always allow
+  return { allowed: true, reason: 'full-mode' };
+}
+
+function listAllowlist(agentId) {
+  const policy = resolveEffectivePolicy(agentId);
+  return policy.allowlist || [];
+}
+
+function removeAllowlistEntry(agentId, entryId) {
+  const file = loadApprovals();
+  if (!file.agents?.[agentId]?.allowlist) return false;
+  const before = file.agents[agentId].allowlist.length;
+  file.agents[agentId].allowlist = file.agents[agentId].allowlist.filter(e => e.id !== entryId);
+  saveApprovals(file);
+  return file.agents[agentId].allowlist.length < before;
+}
+
+module.exports = {
+  ExecApprovalError,
+  loadApprovals,
+  saveApprovals,
+  resolveEffectivePolicy,
+  resolveMode,
+  matchAllowlist,
+  requiresApproval,
+  isSafeCommand,
+  isDangerousCommand,
+  requestUserApproval,
+  addAllowlistEntry,
+  setSecurityPolicy,
+  checkCommand,
+  listAllowlist,
+  removeAllowlistEntry,
+  getApprovalsPath,
+  DANGEROUS_PATTERNS,
+  SAFE_COMMANDS,
+};

package/src/utils/background.js

@@ -1,66 +1,223 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-const BACKGROUND_TASKS_FILE = path.join(os.homedir(), '.natureco', 'background-tasks.json');
-
-function ensureBackgroundDir() {
-  const dir = path.dirname(BACKGROUND_TASKS_FILE);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
-  }
-}
-
-function loadBackgroundTasks() {
-  ensureBackgroundDir();
-  if (!fs.existsSync(BACKGROUND_TASKS_FILE)) {
-    return [];
-  }
-  try {
-    const data = fs.readFileSync(BACKGROUND_TASKS_FILE, 'utf-8');
-    return JSON.parse(data);
-  } catch {
-    return [];
-  }
-}
-
-function saveBackgroundTasks(tasks) {
-  ensureBackgroundDir();
-  fs.writeFileSync(BACKGROUND_TASKS_FILE, JSON.stringify(tasks, null, 2), 'utf-8');
-}
-
-function addBackgroundTask(task) {
-  const tasks = loadBackgroundTasks();
-  const id = Date.now().toString(36) + Math.random().toString(36).slice(2);
-  const newTask = {
-    id,
-    ...task,
-    status: 'pending',
-    createdAt: new Date().toISOString(),
-  };
-  tasks.push(newTask);
-  saveBackgroundTasks(tasks);
-  return newTask;
-}
-
-function updateBackgroundTask(id, updates) {
-  const tasks = loadBackgroundTasks();
-  const index = tasks.findIndex(t => t.id === id);
-  if (index === -1) return false;
-  tasks[index] = { ...tasks[index], ...updates };
-  saveBackgroundTasks(tasks);
-  return true;
-}
-
-function getBackgroundTask(id) {
-  const tasks = loadBackgroundTasks();
-  return tasks.find(t => t.id === id);
-}
-
-module.exports = {
-  loadBackgroundTasks,
-  saveBackgroundTasks,
-  addBackgroundTask,
-  updateBackgroundTask,
-  getBackgroundTask,
-};
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const TASKS_FILE = path.join(os.homedir(), '.natureco', 'tasks.json');
+const TASK_RETENTION_MS = 7 * 24 * 60 * 60 * 1000;
+const STALE_QUEUED_MS = 10 * 60 * 1000;
+const STALE_RUNNING_MS = 30 * 60 * 1000;
+const LOST_GRACE_MS = 5 * 60 * 1000;
+
+const TASK_STATUSES = ['queued', 'running', 'succeeded', 'failed', 'timed_out', 'cancelled', 'lost'];
+const TERMINAL_STATUSES = ['succeeded', 'failed', 'timed_out', 'cancelled', 'lost'];
+const RUNTIME_TYPES = ['cli', 'cron', 'subagent', 'acp'];
+const NOTIFY_POLICIES = ['done_only', 'state_changes', 'silent'];
+
+function ensureDir() {
+  const dir = path.dirname(TASKS_FILE);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+}
+
+function loadTasks() {
+  ensureDir();
+  if (!fs.existsSync(TASKS_FILE)) return [];
+  try {
+    return JSON.parse(fs.readFileSync(TASKS_FILE, 'utf-8'));
+  } catch {
+    return [];
+  }
+}
+
+function saveTasks(tasks) {
+  ensureDir();
+  fs.writeFileSync(TASKS_FILE, JSON.stringify(tasks, null, 2), 'utf-8');
+}
+
+function generateId() {
+  return Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
+}
+
+function nowISO() {
+  return new Date().toISOString();
+}
+
+function createTask(data) {
+  const tasks = loadTasks();
+  const task = {
+    id: generateId(),
+    status: 'queued',
+    runtime: data.runtime || 'cli',
+    message: data.message || '',
+    botName: data.botName || 'default',
+    childSessionKey: data.childSessionKey || null,
+    requesterSessionKey: data.requesterSessionKey || null,
+    runId: data.runId || null,
+    notifyPolicy: data.notifyPolicy || 'done_only',
+    createdAt: nowISO(),
+    startedAt: null,
+    endedAt: null,
+    error: null,
+    result: null,
+    cleanupAfter: null,
+    metadata: data.metadata || {},
+  };
+  tasks.push(task);
+  saveTasks(tasks);
+  return task;
+}
+
+function updateTask(id, updates) {
+  const tasks = loadTasks();
+  const idx = tasks.findIndex(t => t.id === id);
+  if (idx === -1) return null;
+
+  const now = nowISO();
+  if (updates.status === 'running' && !tasks[idx].startedAt) {
+    updates.startedAt = now;
+  }
+  if (updates.status && TERMINAL_STATUSES.includes(updates.status) && !tasks[idx].endedAt) {
+    updates.endedAt = now;
+    updates.cleanupAfter = new Date(Date.now() + TASK_RETENTION_MS).toISOString();
+  }
+
+  tasks[idx] = { ...tasks[idx], ...updates };
+  saveTasks(tasks);
+  return tasks[idx];
+}
+
+function getTask(id) {
+  const tasks = loadTasks();
+  return tasks.find(t => t.id === id) || null;
+}
+
+function getTasksBySession(sessionKey) {
+  const tasks = loadTasks();
+  return tasks.filter(t => t.requesterSessionKey === sessionKey || t.childSessionKey === sessionKey);
+}
+
+function cancelTask(id) {
+  const task = getTask(id);
+  if (!task) return null;
+  if (TERMINAL_STATUSES.includes(task.status)) return task;
+  return updateTask(id, { status: 'cancelled' });
+}
+
+function listTasks(options = {}) {
+  let tasks = loadTasks();
+
+  if (options.runtime) {
+    tasks = tasks.filter(t => t.runtime === options.runtime);
+  }
+  if (options.status) {
+    tasks = tasks.filter(t => t.status === options.status);
+  }
+  if (options.limit) {
+    tasks = tasks.slice(0, options.limit);
+  }
+
+  return tasks.sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt));
+}
+
+function auditTasks() {
+  const tasks = loadTasks();
+  const now = Date.now();
+  const findings = [];
+
+  tasks.forEach(t => {
+    const createdAt = new Date(t.createdAt).getTime();
+
+    if (t.status === 'queued' && (now - createdAt) > STALE_QUEUED_MS) {
+      findings.push({ id: t.id, severity: 'warn', code: 'stale_queued', message: `${Math.round((now - createdAt) / 1000)}s boyunca kuyrukta bekliyor` });
+    }
+
+    if (t.status === 'running' && t.startedAt) {
+      const startedAt = new Date(t.startedAt).getTime();
+      if ((now - startedAt) > STALE_RUNNING_MS) {
+        findings.push({ id: t.id, severity: 'error', code: 'stale_running', message: `${Math.round((now - startedAt) / 1000)}s boyunca çalışıyor` });
+      }
+    }
+
+    if (t.status === 'lost') {
+      const sev = t.cleanupAfter && new Date(t.cleanupAfter).getTime() > now ? 'warn' : 'error';
+      findings.push({ id: t.id, severity: sev, code: 'lost', message: `Runtime backing kayboldu` });
+    }
+
+    if (TERMINAL_STATUSES.includes(t.status) && !t.cleanupAfter) {
+      findings.push({ id: t.id, severity: 'warn', code: 'missing_cleanup', message: 'Terminal task has no cleanup timestamp' });
+    }
+
+    if (t.endedAt && t.startedAt && new Date(t.endedAt) < new Date(t.startedAt)) {
+      findings.push({ id: t.id, severity: 'warn', code: 'inconsistent_timestamps', message: 'Bitiş zamanı başlangıçtan önce' });
+    }
+  });
+
+  return findings;
+}
+
+function maintenanceTasks(dryRun = true) {
+  const tasks = loadTasks();
+  const now = Date.now();
+  const stats = { pruned: 0, reconciled: 0, cleaned: 0 };
+
+  const remaining = tasks.filter(t => {
+    if (t.cleanupAfter && new Date(t.cleanupAfter).getTime() < now) {
+      if (!dryRun) stats.pruned++;
+      return dryRun;
+    }
+
+    if (t.status === 'queued' && (now - new Date(t.createdAt).getTime()) > LOST_GRACE_MS) {
+      if (!dryRun) {
+        t.status = 'lost';
+        t.endedAt = nowISO();
+        t.cleanupAfter = new Date(now + TASK_RETENTION_MS).toISOString();
+      }
+      stats.reconciled++;
+    }
+
+    if (t.status === 'running' && t.startedAt && (now - new Date(t.startedAt).getTime()) > (STALE_RUNNING_MS + LOST_GRACE_MS)) {
+      if (!dryRun) {
+        t.status = 'lost';
+        t.endedAt = nowISO();
+        t.cleanupAfter = new Date(now + TASK_RETENTION_MS).toISOString();
+      }
+      stats.reconciled++;
+    }
+
+    if (TERMINAL_STATUSES.includes(t.status) && !t.cleanupAfter) {
+      if (!dryRun) {
+        t.cleanupAfter = new Date(now + TASK_RETENTION_MS).toISOString();
+      }
+      stats.cleaned++;
+    }
+
+    return true;
+  });
+
+  if (!dryRun) saveTasks(remaining);
+  return { ...stats, remaining: dryRun ? remaining.length : remaining.length };
+}
+
+function getTaskSummary() {
+  const tasks = loadTasks();
+  const active = tasks.filter(t => t.status === 'queued' || t.status === 'running').length;
+  const failures = tasks.filter(t => ['failed', 'timed_out', 'lost'].includes(t.status)).length;
+  const byRuntime = {};
+  RUNTIME_TYPES.forEach(r => { byRuntime[r] = tasks.filter(t => t.runtime === r).length; });
+  return { active, failures, byRuntime, total: tasks.length };
+}
+
+module.exports = {
+  createTask,
+  updateTask,
+  getTask,
+  getTasksBySession,
+  cancelTask,
+  listTasks,
+  auditTasks,
+  maintenanceTasks,
+  getTaskSummary,
+  TASK_STATUSES,
+  TERMINAL_STATUSES,
+  RUNTIME_TYPES,
+  NOTIFY_POLICIES,
+};

package/src/utils/baileys.js

@@ -0,0 +1,21 @@
+let _makeWASocket, _useMultiFileAuthState, _DisconnectReason, _fetchLatestBaileysVersion, _Browsers;
+
+function loadBaileys() {
+  if (!_makeWASocket) {
+    const baileys = require('@whiskeysockets/baileys');
+    _makeWASocket = baileys.default;
+    _useMultiFileAuthState = baileys.useMultiFileAuthState;
+    _DisconnectReason = baileys.DisconnectReason;
+    _fetchLatestBaileysVersion = baileys.fetchLatestBaileysVersion;
+    _Browsers = baileys.Browsers;
+  }
+  return {
+    makeWASocket: _makeWASocket,
+    useMultiFileAuthState: _useMultiFileAuthState,
+    DisconnectReason: _DisconnectReason,
+    fetchLatestBaileysVersion: _fetchLatestBaileysVersion,
+    Browsers: _Browsers,
+  };
+}
+
+module.exports = { loadBaileys };