npm - nemoris - Versions diffs - 0.1.0 - Mend

nemoris 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (223) hide show

package/.env.example +49 -0
package/LICENSE +21 -0
package/README.md +209 -0
package/SECURITY.md +119 -0
package/bin/nemoris +46 -0
package/config/agents/agent.toml.example +28 -0
package/config/agents/default.toml +22 -0
package/config/agents/orchestrator.toml +18 -0
package/config/delivery.toml +73 -0
package/config/embeddings.toml +5 -0
package/config/identity/default-purpose.md +1 -0
package/config/identity/default-soul.md +3 -0
package/config/identity/orchestrator-purpose.md +1 -0
package/config/identity/orchestrator-soul.md +1 -0
package/config/improvement-targets.toml +15 -0
package/config/jobs/heartbeat-check.toml +30 -0
package/config/jobs/memory-rollup.toml +46 -0
package/config/jobs/workspace-health.toml +63 -0
package/config/mcp.toml +16 -0
package/config/output-contracts.toml +17 -0
package/config/peers.toml +32 -0
package/config/peers.toml.example +32 -0
package/config/policies/memory-default.toml +10 -0
package/config/policies/memory-heartbeat.toml +5 -0
package/config/policies/memory-ops.toml +10 -0
package/config/policies/tools-heartbeat-minimal.toml +8 -0
package/config/policies/tools-interactive-safe.toml +8 -0
package/config/policies/tools-ops-bounded.toml +8 -0
package/config/policies/tools-orchestrator.toml +7 -0
package/config/providers/anthropic.toml +15 -0
package/config/providers/ollama.toml +5 -0
package/config/providers/openai-codex.toml +9 -0
package/config/providers/openrouter.toml +5 -0
package/config/router.toml +22 -0
package/config/runtime.toml +114 -0
package/config/skills/self-improvement.toml +15 -0
package/config/skills/telegram-onboarding-spec.md +240 -0
package/config/skills/workspace-monitor.toml +15 -0
package/config/task-router.toml +42 -0
package/install.sh +50 -0
package/package.json +90 -0
package/src/auth/auth-profiles.js +169 -0
package/src/auth/openai-codex-oauth.js +285 -0
package/src/battle.js +449 -0
package/src/cli/help.js +265 -0
package/src/cli/output-filter.js +49 -0
package/src/cli/runtime-control.js +704 -0
package/src/cli-main.js +2763 -0
package/src/cli.js +78 -0
package/src/config/loader.js +332 -0
package/src/config/schema-validator.js +214 -0
package/src/config/toml-lite.js +8 -0
package/src/daemon/action-handlers.js +71 -0
package/src/daemon/healing-tick.js +87 -0
package/src/daemon/health-probes.js +90 -0
package/src/daemon/notifier.js +57 -0
package/src/daemon/nurse.js +218 -0
package/src/daemon/repair-log.js +106 -0
package/src/daemon/rule-staging.js +90 -0
package/src/daemon/rules.js +29 -0
package/src/daemon/telegram-commands.js +54 -0
package/src/daemon/updater.js +85 -0
package/src/jobs/job-runner.js +78 -0
package/src/mcp/consumer.js +129 -0
package/src/memory/active-recall.js +171 -0
package/src/memory/backend-manager.js +97 -0
package/src/memory/backends/file-backend.js +38 -0
package/src/memory/backends/qmd-backend.js +219 -0
package/src/memory/embedding-guards.js +24 -0
package/src/memory/embedding-index.js +118 -0
package/src/memory/embedding-service.js +179 -0
package/src/memory/file-index.js +177 -0
package/src/memory/memory-signature.js +5 -0
package/src/memory/memory-store.js +648 -0
package/src/memory/retrieval-planner.js +66 -0
package/src/memory/scoring.js +145 -0
package/src/memory/simhash.js +78 -0
package/src/memory/sqlite-active-store.js +824 -0
package/src/memory/write-policy.js +36 -0
package/src/onboarding/aliases.js +33 -0
package/src/onboarding/auth/api-key.js +224 -0
package/src/onboarding/auth/ollama-detect.js +42 -0
package/src/onboarding/clack-prompter.js +77 -0
package/src/onboarding/doctor.js +530 -0
package/src/onboarding/lock.js +42 -0
package/src/onboarding/model-catalog.js +344 -0
package/src/onboarding/phases/auth.js +589 -0
package/src/onboarding/phases/build.js +130 -0
package/src/onboarding/phases/choose.js +82 -0
package/src/onboarding/phases/detect.js +98 -0
package/src/onboarding/phases/hatch.js +216 -0
package/src/onboarding/phases/identity.js +79 -0
package/src/onboarding/phases/ollama.js +345 -0
package/src/onboarding/phases/scaffold.js +99 -0
package/src/onboarding/phases/telegram.js +377 -0
package/src/onboarding/phases/validate.js +204 -0
package/src/onboarding/phases/verify.js +206 -0
package/src/onboarding/platform.js +482 -0
package/src/onboarding/status-bar.js +95 -0
package/src/onboarding/templates.js +794 -0
package/src/onboarding/toml-writer.js +38 -0
package/src/onboarding/tui.js +250 -0
package/src/onboarding/uninstall.js +153 -0
package/src/onboarding/wizard.js +499 -0
package/src/providers/anthropic.js +168 -0
package/src/providers/base.js +247 -0
package/src/providers/circuit-breaker.js +136 -0
package/src/providers/ollama.js +163 -0
package/src/providers/openai-codex.js +149 -0
package/src/providers/openrouter.js +136 -0
package/src/providers/registry.js +36 -0
package/src/providers/router.js +16 -0
package/src/runtime/bootstrap-cache.js +47 -0
package/src/runtime/capabilities-prompt.js +25 -0
package/src/runtime/completion-ping.js +99 -0
package/src/runtime/config-validator.js +121 -0
package/src/runtime/context-ledger.js +360 -0
package/src/runtime/cutover-readiness.js +42 -0
package/src/runtime/daemon.js +729 -0
package/src/runtime/delivery-ack.js +195 -0
package/src/runtime/delivery-adapters/local-file.js +41 -0
package/src/runtime/delivery-adapters/openclaw-cli.js +94 -0
package/src/runtime/delivery-adapters/openclaw-peer.js +98 -0
package/src/runtime/delivery-adapters/shadow.js +13 -0
package/src/runtime/delivery-adapters/standalone-http.js +98 -0
package/src/runtime/delivery-adapters/telegram.js +104 -0
package/src/runtime/delivery-adapters/tui.js +128 -0
package/src/runtime/delivery-manager.js +807 -0
package/src/runtime/delivery-store.js +168 -0
package/src/runtime/dependency-health.js +118 -0
package/src/runtime/envelope.js +114 -0
package/src/runtime/evaluation.js +1089 -0
package/src/runtime/exec-approvals.js +216 -0
package/src/runtime/executor.js +500 -0
package/src/runtime/failure-ping.js +67 -0
package/src/runtime/flows.js +83 -0
package/src/runtime/guards.js +45 -0
package/src/runtime/handoff.js +51 -0
package/src/runtime/identity-cache.js +28 -0
package/src/runtime/improvement-engine.js +109 -0
package/src/runtime/improvement-harness.js +581 -0
package/src/runtime/input-sanitiser.js +72 -0
package/src/runtime/interaction-contract.js +347 -0
package/src/runtime/lane-readiness.js +226 -0
package/src/runtime/migration.js +323 -0
package/src/runtime/model-resolution.js +78 -0
package/src/runtime/network.js +64 -0
package/src/runtime/notification-store.js +97 -0
package/src/runtime/notifier.js +256 -0
package/src/runtime/orchestrator.js +53 -0
package/src/runtime/orphan-reaper.js +41 -0
package/src/runtime/output-contract-schema.js +139 -0
package/src/runtime/output-contract-validator.js +439 -0
package/src/runtime/peer-readiness.js +69 -0
package/src/runtime/peer-registry.js +133 -0
package/src/runtime/pilot-status.js +108 -0
package/src/runtime/prompt-builder.js +261 -0
package/src/runtime/provider-attempt.js +582 -0
package/src/runtime/report-fallback.js +71 -0
package/src/runtime/result-normalizer.js +183 -0
package/src/runtime/retention.js +74 -0
package/src/runtime/review.js +244 -0
package/src/runtime/route-job.js +15 -0
package/src/runtime/run-store.js +38 -0
package/src/runtime/schedule.js +88 -0
package/src/runtime/scheduler-state.js +434 -0
package/src/runtime/scheduler.js +656 -0
package/src/runtime/session-compactor.js +182 -0
package/src/runtime/session-search.js +155 -0
package/src/runtime/slack-inbound.js +249 -0
package/src/runtime/ssrf.js +102 -0
package/src/runtime/status-aggregator.js +330 -0
package/src/runtime/task-contract.js +140 -0
package/src/runtime/task-packet.js +107 -0
package/src/runtime/task-router.js +140 -0
package/src/runtime/telegram-inbound.js +1565 -0
package/src/runtime/token-counter.js +134 -0
package/src/runtime/token-estimator.js +59 -0
package/src/runtime/tool-loop.js +200 -0
package/src/runtime/transport-server.js +311 -0
package/src/runtime/tui-server.js +411 -0
package/src/runtime/ulid.js +44 -0
package/src/security/ssrf-check.js +197 -0
package/src/setup.js +369 -0
package/src/shadow/bridge.js +303 -0
package/src/skills/loader.js +84 -0
package/src/tools/catalog.json +49 -0
package/src/tools/cli-delegate.js +44 -0
package/src/tools/mcp-client.js +106 -0
package/src/tools/micro/cancel-task.js +6 -0
package/src/tools/micro/complete-task.js +6 -0
package/src/tools/micro/fail-task.js +6 -0
package/src/tools/micro/http-fetch.js +74 -0
package/src/tools/micro/index.js +36 -0
package/src/tools/micro/lcm-recall.js +60 -0
package/src/tools/micro/list-dir.js +17 -0
package/src/tools/micro/list-skills.js +46 -0
package/src/tools/micro/load-skill.js +38 -0
package/src/tools/micro/memory-search.js +45 -0
package/src/tools/micro/read-file.js +11 -0
package/src/tools/micro/session-search.js +54 -0
package/src/tools/micro/shell-exec.js +43 -0
package/src/tools/micro/trigger-job.js +79 -0
package/src/tools/micro/web-search.js +58 -0
package/src/tools/micro/workspace-paths.js +39 -0
package/src/tools/micro/write-file.js +14 -0
package/src/tools/micro/write-memory.js +41 -0
package/src/tools/registry.js +348 -0
package/src/tools/tool-result-contract.js +36 -0
package/src/tui/chat.js +835 -0
package/src/tui/renderer.js +175 -0
package/src/tui/socket-client.js +217 -0
package/src/utils/canonical-json.js +29 -0
package/src/utils/compaction.js +30 -0
package/src/utils/env-loader.js +5 -0
package/src/utils/errors.js +80 -0
package/src/utils/fs.js +101 -0
package/src/utils/ids.js +5 -0
package/src/utils/model-context-limits.js +30 -0
package/src/utils/token-budget.js +74 -0
package/src/utils/usage-cost.js +25 -0
package/src/utils/usage-metrics.js +14 -0
package/vendor/smol-toml-1.5.2.tgz +0 -0

package/src/runtime/exec-approvals.js ADDED Viewed

@@ -0,0 +1,216 @@
+import crypto from "node:crypto";
+/**
+ * ExecApprovalGate — pauses dangerous tool calls and requires
+ * Telegram approval before they proceed.
+ *
+ * Opt-in per agent via `exec_approvals = true` in agent config.
+ */
+const DANGEROUS_TOOLS = new Set(["shell_exec", "write_file"]);
+const DANGEROUS_HTTP_METHODS = new Set(["POST", "PUT", "DELETE", "PATCH"]);
+const LOG_CAP = 1000;
+function getExecApprovalSettings(agentConfig) {
+  const config = agentConfig?.execApprovals ?? agentConfig?.exec_approvals ?? false;
+  if (!config) {
+    return { enabled: false, allowTools: new Set() };
+  }
+  if (config === true) {
+    return { enabled: true, allowTools: new Set() };
+  }
+  const allowTools = config.allowTools
+    || config.allow_tools
+    || config.allowedTools
+    || config.allowed_tools
+    || [];
+  return {
+    enabled: config.enabled !== false,
+    allowTools: new Set((Array.isArray(allowTools) ? allowTools : []).map((toolName) => String(toolName)))
+  };
+}
+export class ExecApprovalGate {
+  /**
+   * @param {object} opts
+   * @param {function} opts.sendFn — async (text) => void, sends a Telegram message
+   * @param {number}   [opts.timeoutMs=300000] — auto-deny timeout (5 min default)
+   */
+  constructor({ sendFn, timeoutMs = 300_000 }) {
+    this._sendFn = sendFn;
+    this._timeoutMs = timeoutMs;
+    /** @type {Map<string, { resolve: Function, timer: ReturnType<typeof setTimeout>, toolName: string, toolInput: any, jobId: string, agentId: string, createdAt: string }>} */
+    this._pending = new Map();
+    /** @type {Array<object>} */
+    this._log = [];
+  }
+  /**
+   * Check whether a tool call requires human approval.
+   * @param {string} toolName
+   * @param {object} toolInput
+   * @param {object} agentConfig — parsed agent TOML
+   * @returns {boolean}
+   */
+  requiresApproval(toolName, toolInput, agentConfig) {
+    const settings = getExecApprovalSettings(agentConfig);
+    if (!settings.enabled) return false;
+    if (settings.allowTools.has(toolName)) return false;
+    if (DANGEROUS_TOOLS.has(toolName)) return true;
+    if (toolName === "http_fetch") {
+      const method = (toolInput?.method || "GET").toUpperCase();
+      return DANGEROUS_HTTP_METHODS.has(method);
+    }
+    if (toolName.startsWith("mcp:")) return true;
+    return false;
+  }
+  /**
+   * Request human approval for a tool call.
+   * Sends a Telegram message and returns a promise that resolves
+   * when /exec_approve or /exec_deny is called (or times out).
+   *
+   * @param {object} opts
+   * @param {string} opts.toolName
+   * @param {object} opts.toolInput
+   * @param {string} opts.jobId
+   * @param {string} opts.agentId
+   * @returns {Promise<{ approved: boolean, approvedBy?: string }>}
+   */
+  requestApproval({ toolName, toolInput, jobId, agentId, skipNotify = false }) {
+    const approvalId = crypto.randomUUID();
+    const approvalPromise = new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        if (this._pending.has(approvalId)) {
+          this._pending.delete(approvalId);
+          this._logDecision({
+            approvalId,
+            toolName,
+            action: "auto_deny",
+            approved: false,
+            approvedBy: "timeout",
+            timestamp: new Date().toISOString(),
+          });
+          if (!skipNotify) {
+            this._sendFn(`Approval ${approvalId} auto-denied (timed out after ${this._timeoutMs / 1000}s).`).catch(() => {});
+          }
+          resolve({ approved: false });
+        }
+      }, this._timeoutMs);
+      timer.unref?.();
+      this._pending.set(approvalId, {
+        resolve,
+        timer,
+        toolName,
+        toolInput,
+        jobId,
+        agentId,
+        createdAt: new Date().toISOString(),
+      });
+      // Build detail string for the message
+      let detail = "";
+      if (toolName === "shell_exec") {
+        detail = `Command: ${toolInput?.command || JSON.stringify(toolInput)}`;
+      } else if (toolName === "write_file") {
+        detail = `Path: ${toolInput?.path || toolInput?.file_path || JSON.stringify(toolInput)}`;
+      } else if (toolName === "http_fetch") {
+        detail = `${toolInput?.method || "?"} ${toolInput?.url || "?"}`;
+      } else {
+        detail = JSON.stringify(toolInput || {}).slice(0, 200);
+      }
+      const msg = [
+        `\u{1F512} Approval needed`,
+        ``,
+        `Tool: ${toolName}`,
+        `${detail}`,
+        `Requester: interactive turn (job #${jobId})`,
+        ``,
+        `Reply /exec_approve ${approvalId} or /exec_deny ${approvalId}`,
+        `Auto-denied in ${Math.floor(this._timeoutMs / 60000)} minutes if no response.`,
+      ].join("\n");
+      if (!skipNotify) {
+        this._sendFn(msg).catch(() => {});
+      }
+    });
+    approvalPromise.approvalId = approvalId;
+    return approvalPromise;
+  }
+  /**
+   * Resolve a pending approval.
+   * @param {string} approvalId
+   * @param {boolean} approved
+   * @param {string} [approvedBy]
+   * @returns {boolean} — true if the approval was found and resolved
+   */
+  resolve(approvalId, approved, approvedBy) {
+    const entry = this._pending.get(approvalId);
+    if (!entry) return false;
+    clearTimeout(entry.timer);
+    this._pending.delete(approvalId);
+    this._logDecision({
+      approvalId,
+      toolName: entry.toolName,
+      action: approved ? "approved" : "denied",
+      approved,
+      approvedBy: approvedBy || "unknown",
+      timestamp: new Date().toISOString(),
+    });
+    entry.resolve({ approved, approvedBy });
+    return true;
+  }
+  /**
+   * Get all pending approvals for status display.
+   * @returns {Array<{ approvalId: string, toolName: string, toolInput: any, jobId: string, agentId: string, createdAt: string }>}
+   */
+  getPending() {
+    const results = [];
+    for (const [approvalId, entry] of this._pending) {
+      results.push({
+        approvalId,
+        toolName: entry.toolName,
+        toolInput: entry.toolInput,
+        jobId: entry.jobId,
+        agentId: entry.agentId,
+        createdAt: entry.createdAt,
+      });
+    }
+    return results;
+  }
+  /**
+   * Append a decision to the in-memory audit log (capped at LOG_CAP).
+   * @param {object} decision
+   */
+  _logDecision(decision) {
+    this._log.push(decision);
+    if (this._log.length > LOG_CAP) {
+      this._log = this._log.slice(this._log.length - LOG_CAP);
+    }
+  }
+  /**
+   * Return the full decision log (for debugging / admin).
+   * @returns {Array<object>}
+   */
+  getLog() {
+    return this._log;
+  }
+}