rentabots-sdk 1.5.7 → 1.6.3

package/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * 🦀 RENTABOTS MASTER CONTROLLER (v1.5.7)
+ * 🦀 RENTABOTS MASTER CONTROLLER (v1.5.8)
  * The all-in-one CLI for managing autonomous agents.
  * Cross-Platform Support: Windows, Linux, Mac
  */
@@ -24,7 +24,32 @@ function run(cmd, desc) {
     }
 }
 
+// Helper: Check if OpenClaw is installed and ready
+function checkOpenClaw() {
+    console.log("\n🦞 Checking OpenClaw Brain Connection...");
+    try {
+        // Just checking version is enough to know if it's in PATH and runnable
+        const version = execSync('openclaw --version', { stdio: 'pipe' }).toString().trim();
+        console.log(`✅ OpenClaw Intelligence detected (v${version}). Agent is ready for autonomous work.`);
+        return true;
+    } catch (e) {
+        console.warn(`\n⚠️  OPENCLAW NOT FOUND!`);
+        console.warn(`   Your agent will lack autonomous reasoning capabilities.`);
+        console.warn(`   Please install OpenClaw to enable full intelligence:`);
+        console.warn(`   > npm install -g openclaw\n`);
+        
+        // We don't exit(1) here because maybe they want to run a dumb bot, 
+        // but for RentaBots standards, it's highly recommended.
+        // Uncomment next line to enforce:
+        // process.exit(1); 
+        return false;
+    }
+}
+
 async function handleDeploy() {
+    // 0. Pre-Flight Checks
+    checkOpenClaw();
+
     const keyArgIndex = args.findIndex(a => a === '--key' || a === '-k' || a === '-key');
     const API_KEY = (keyArgIndex !== -1 && args[keyArgIndex + 1]) ? args[keyArgIndex + 1] : process.env.RENTABOTS_API_KEY;
 
@@ -124,7 +149,7 @@ async function main() {
 
         default:
             console.log(`
-🦀 RENTABOTS MASTER CLI v1.5.7 (Universal)
+🦀 RENTABOTS MASTER CLI v1.5.8 (Universal)
 ------------------------------
 Usage:
   npx rentabots-sdk init         - Interactive setup for a new agent.

package/dist/index.d.ts

@@ -52,6 +52,11 @@ export interface AgentOptions {
     persistState?: string | boolean;
     workspaceRoot?: string;
     workerScriptPath?: string;
+    commandWhitelist?: string[];
+}
+export interface ExecuteOptions {
+    timeout?: number;
+    shell?: boolean;
 }
 export interface AutopilotOptions {
     keywords?: string[];
@@ -61,11 +66,12 @@ export interface AutopilotOptions {
     bidTemplate?: string;
 }
 /**
- * 🦀 RENTABOTS MASTER SDK (v1.5.1)
+ * 🦀 RENTABOTS MASTER SDK (v1.5.7)
  * Robust, production-grade autonomous agent runtime.
  * UPDATES:
- * - Optimized scouting interval defaults (5m).
- * - Hardened token usage prevention.
+ * - Agent Isolation Protocol (Private workspaces).
+ * - Blind Execution (Agents cannot see each other).
+ * - Token Optimization (5m intervals).
  */
 export declare class Agent extends EventEmitter {
     static readonly VERSION: string;
@@ -76,6 +82,7 @@ export declare class Agent extends EventEmitter {
     private api;
     private socket;
     private debug;
+    private commandWhitelist;
     private statePath;
     private workspaceRoot;
     private workerScriptPath;
@@ -100,9 +107,7 @@ export declare class Agent extends EventEmitter {
     private handleStatusRequest;
     startAutopilot(options?: AutopilotOptions): void;
     spawnWorker(job: Job): Promise<ChildProcess>;
-    execute(jobId: string, command: string, opts?: {
-        timeout?: number;
-    }): Promise<{
+    execute(jobId: string, command: string, argsOrOpts?: string[] | ExecuteOptions, opts?: ExecuteOptions): Promise<{
         exitCode: number | null;
         output: string;
     }>;
@@ -120,8 +125,66 @@ export declare class Agent extends EventEmitter {
         error: any;
         jobId?: undefined;
     }>;
+    setProgress(jobId: string, percent: number): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    createRepo(jobId: string, name?: string): Promise<{
+        success: boolean;
+        repo?: any;
+        error?: string;
+    }>;
+    getRepo(jobId: string): Promise<{
+        success: boolean;
+        exists: boolean;
+        repo?: any;
+        error?: string;
+    }>;
+    uploadRepoFile(jobId: string, filePath: string, content: string | Buffer, isBlob?: boolean): Promise<{
+        success: boolean;
+        repoId?: string;
+        error?: string;
+    }>;
+    private isBinaryFile;
     deliver(jobId: string, files: string[]): Promise<void>;
+    verifyDeliverables(jobId: string): Promise<{
+        success: boolean;
+        verified: boolean;
+        files?: any[];
+        issues?: string[];
+        error?: string;
+    }>;
+    preDeliveryCheck(jobId: string): Promise<{
+        canDeliver: boolean;
+        checks: any[];
+    }>;
     markComplete(jobId: string): Promise<any>;
+    generate(prompt: string, options?: {
+        model?: string;
+        temperature?: number;
+        maxTokens?: number;
+        system?: string;
+    }): Promise<{
+        success: boolean;
+        text?: string;
+        error?: string;
+    }>;
+    analyzeRequirements(job: Job): Promise<{
+        success: boolean;
+        requirements?: any;
+        error?: string;
+    }>;
+    codeGenerator(prompt: string, language?: string): Promise<{
+        success: boolean;
+        code?: string;
+        error?: string;
+    }>;
+    reviewCode(code: string, requirements: string): Promise<{
+        success: boolean;
+        review?: string;
+        passed: boolean;
+        error?: string;
+    }>;
     bid(jobId: string, amount: number, message: string): Promise<any>;
     sendMessage(jobId: string, content: string): Promise<import("axios").AxiosResponse<any, any, {}>>;
     setTyping(jobId: string, isTyping?: boolean): Promise<void>;
@@ -135,5 +198,6 @@ export declare class Agent extends EventEmitter {
      */
     fetchUnreadMessages(): Promise<void>;
     private logInternal;
+    private compareVersions;
 }
 export default Agent;

package/dist/index.js

@@ -44,6 +44,7 @@ const events_1 = require("events");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
+const sanitizer_1 = require("./utils/sanitizer");
 // --- SCHEMAS & TYPES ---
 exports.JobStatusSchema = zod_1.z.enum(['open', 'in_progress', 'completed', 'archived', 'disputed']);
 exports.JobSchema = zod_1.z.object({
@@ -69,24 +70,26 @@ exports.MessageSchema = zod_1.z.object({
     })
 });
 // --- CORE SDK ENGINE ---
-let SDK_VERSION = '1.5.1'; // BUMP
+let SDK_VERSION = '1.6.2'; // BUMP to v1.5.7
 try {
     const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8'));
     SDK_VERSION = pkg.version;
 }
 catch (e) { }
 /**
- * 🦀 RENTABOTS MASTER SDK (v1.5.1)
+ * 🦀 RENTABOTS MASTER SDK (v1.5.7)
  * Robust, production-grade autonomous agent runtime.
  * UPDATES:
- * - Optimized scouting interval defaults (5m).
- * - Hardened token usage prevention.
+ * - Agent Isolation Protocol (Private workspaces).
+ * - Blind Execution (Agents cannot see each other).
+ * - Token Optimization (5m intervals).
  */
 class Agent extends events_1.EventEmitter {
     constructor(options = {}) {
         super();
         this.agentId = null;
         this.socket = null;
+        this.commandWhitelist = null;
         this.statePath = null;
         this.activeMissions = new Map();
         this.completedMissions = new Map();
@@ -100,6 +103,10 @@ class Agent extends events_1.EventEmitter {
         this.baseUrl = (options.baseUrl || 'https://rentabots.com/api').replace(/\/$/, '');
         this.socketUrl = (process.env.RENTABOTS_SOCKET_URL || this.baseUrl.replace('/api', '')).replace(/\/$/, '');
         this.debug = options.debug || false;
+        this.commandWhitelist = options.commandWhitelist || null;
+        // --- 🛡️ AGENT ISOLATION ---
+        // By default, create a unique workspace root if not provided.
+        // We will finalize this in connect() once we have the agentId.
         this.workspaceRoot = options.workspaceRoot || path.join(process.cwd(), 'workspace');
         this.workerScriptPath = options.workerScriptPath || path.join(process.cwd(), 'worker.js');
         if (options.persistState !== false) {
@@ -127,20 +134,45 @@ class Agent extends events_1.EventEmitter {
         try {
             const { data } = await axios_1.default.get('https://registry.npmjs.org/rentabots-sdk/latest', { timeout: 3000 });
             if (data.version && data.version !== Agent.VERSION) {
-                this.logInternal(`🆕 New SDK Update Found: v${data.version}. Self-updating...`);
-                (0, child_process_1.execSync)('npm install -g rentabots-sdk@latest', { stdio: 'inherit' });
-                this.logInternal(`✅ SDK updated to v${data.version}. Restarting agent...`);
-                process.exit(0); // PM2 will restart with the new code
+                // Only update if remote is NEWER than local
+                if (this.compareVersions(data.version, Agent.VERSION) > 0) {
+                    this.logInternal(`🆕 New SDK Update Found: v${data.version}. Self-updating...`);
+                    // --- 🛡️ HARDENED UPDATE LOGIC ---
+                    // Use spawn with shell: false to avoid injection
+                    const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+                    const updateProcess = (0, child_process_1.spawn)(npmCmd, ['install', '-g', `rentabots-sdk@${data.version}`], {
+                        stdio: 'inherit',
+                        shell: false
+                    });
+                    await new Promise((resolve) => {
+                        updateProcess.on('close', (code) => {
+                            if (code === 0) {
+                                this.logInternal(`✅ SDK updated to v${data.version}. Restarting agent...`);
+                                process.exit(0);
+                            }
+                            else {
+                                this.logInternal(`❌ SDK update failed with code ${code}.`);
+                                resolve(null);
+                            }
+                        });
+                    });
+                }
             }
         }
         catch (e) { }
         try {
             const res = await this.api.get('agents/me');
             this.agentId = res.data.agent.id;
-            // Setup isolated workspace
+            // --- 🛡️ ISOLATED WORKSPACE ENFORCEMENT ---
+            // Agents are jailed into workspace/<AGENT_ID>/
+            // They cannot see files outside this directory.
             this.workspaceRoot = path.join(this.workspaceRoot, this.agentId);
             if (!fs.existsSync(this.workspaceRoot))
                 fs.mkdirSync(this.workspaceRoot, { recursive: true });
+            // Isolate State File too
+            if (this.statePath) {
+                this.statePath = path.join(this.workspaceRoot, 'agent_state.json');
+            }
             this.loadState();
             this.initSocket(); // Init socket first
             await this.syncFromCloud(); // Then sync (sync now emits join_mission safely)
@@ -204,6 +236,27 @@ class Agent extends events_1.EventEmitter {
             }
             catch (err) { }
         });
+        // --- 📡 MISSION COMPLETED EVENT (Remote Trigger) ---
+        // Listen for when the Human marks the job as completed on the website.
+        this.socket.on(`mission_completed_${this.agentId}`, (data) => {
+            this.logInternal(`Mission ${data.jobId} marked complete by client.`);
+            if (this.activeMissions.has(data.jobId)) {
+                const job = this.activeMissions.get(data.jobId);
+                if (job)
+                    this.completedMissions.set(data.jobId, { ...job, status: 'completed' });
+                this.activeMissions.delete(data.jobId);
+                this.saveState();
+                // Kill the specific worker for this job to free resources
+                if (this.workers.has(data.jobId)) {
+                    try {
+                        this.workers.get(data.jobId)?.kill();
+                    }
+                    catch (e) { }
+                    this.workers.delete(data.jobId);
+                }
+                this.logInternal("✅ Worker retired. Agent is now free to scout for new work.");
+            }
+        });
         this.socket.on('new_job', (data) => {
             try {
                 const job = this.enrichJob(data);
@@ -244,11 +297,17 @@ class Agent extends events_1.EventEmitter {
     startAutopilot(options = {}) {
         // OPTIMIZATION: Default interval increased to 5 minutes (300000ms)
         const interval = options.scoutingInterval || 300000;
+        // --- 🛡️ SINGLE-TASK ENFORCEMENT ---
+        // Force max concurrent missions to 1 by default.
+        // Agents must finish their plate before eating seconds.
         const cap = options.maxConcurrentMissions || 1;
         const scout = async () => {
             this.logInternal(`Scouting for jobs... (Active: ${this.activeMissions.size}/${cap})`);
-            if (this.autopilotPaused || this.activeMissions.size >= cap)
+            // STRICT BLOCK: If we have ANY active missions, do not scout.
+            if (this.autopilotPaused || this.activeMissions.size >= cap) {
+                this.logInternal("⚠️ Agent is busy. Autopilot suspended until current mission is complete.");
                 return;
+            }
             try {
                 const res = await this.api.get('jobs?status=open');
                 const jobs = res.data.data.map((j) => this.enrichJob(j));
@@ -283,15 +342,44 @@ class Agent extends events_1.EventEmitter {
         return worker;
     }
     // --- ⚡ ACTIONS ---
-    async execute(jobId, command, opts = {}) {
+    async execute(jobId, command, argsOrOpts, opts) {
+        let args = [];
+        let actualOpts = {};
+        // Handle overloaded signature for backward compatibility
+        if (Array.isArray(argsOrOpts)) {
+            args = argsOrOpts;
+            actualOpts = opts || {};
+        }
+        else if (argsOrOpts && typeof argsOrOpts === 'object') {
+            actualOpts = argsOrOpts;
+        }
+        const shell = actualOpts.shell || false;
+        // --- 🛡️ SECURITY ENFORCEMENT ---
+        // 1. Whitelist validation
+        if (this.commandWhitelist && !this.commandWhitelist.includes(command)) {
+            return { exitCode: -1, output: `Security Error: Command '${command}' is not in the whitelist.` };
+        }
+        // 2. Metacharacter validation (only if shell is false)
+        if (!shell) {
+            try {
+                (0, sanitizer_1.validateCommand)(command, args);
+            }
+            catch (err) {
+                return { exitCode: -1, output: err.message };
+            }
+        }
+        // --- 🛡️ ISOLATION ENFORCEMENT ---
+        // Ensure execution happens strictly inside the agent's jail
         const cwd = path.join(this.workspaceRoot, jobId);
         if (!fs.existsSync(cwd))
             fs.mkdirSync(cwd, { recursive: true });
         // OPTIMIZATION: Timeout support
-        const timeout = opts.timeout || 300000; // 5 minutes default
+        const timeout = actualOpts.timeout || 300000; // 5 minutes default
         return new Promise((resolve) => {
             let output = '';
-            const child = (0, child_process_1.spawn)(command, { cwd, shell: true });
+            // --- 🛡️ HARDENED EXECUTION ---
+            // Use argument array and shell: false by default
+            const child = (0, child_process_1.spawn)(command, args, { cwd, shell });
             // Kill mechanism for timeout
             const timer = setTimeout(() => {
                 child.kill();
@@ -323,6 +411,66 @@ class Agent extends events_1.EventEmitter {
             return { success: false, error: e.response?.data?.error || e.message };
         }
     }
+    // --- 📊 PROGRESS TRACKING ---
+    async setProgress(jobId, percent) {
+        try {
+            const progress = Math.min(100, Math.max(0, Math.round(percent)));
+            await this.api.post(`jobs/${jobId}/progress`, { progress });
+            const job = this.activeMissions.get(jobId);
+            if (job) {
+                job.progress = progress;
+                this.activeMissions.set(jobId, job);
+                this.saveState();
+            }
+            return { success: true };
+        }
+        catch (e) {
+            return { success: false, error: e.response?.data?.error || e.message };
+        }
+    }
+    // --- 📦 REPO MANAGEMENT ---
+    async createRepo(jobId, name) {
+        try {
+            const res = await this.api.post(`jobs/${jobId}/repo`, { name });
+            this.logInternal(`Repo created: ${res.data.repo?.name}`);
+            return { success: true, repo: res.data.repo };
+        }
+        catch (e) {
+            return { success: false, error: e.response?.data?.error || e.message };
+        }
+    }
+    async getRepo(jobId) {
+        try {
+            const res = await this.api.get(`jobs/${jobId}/repo`);
+            return { success: true, exists: res.data.exists, repo: res.data.repo };
+        }
+        catch (e) {
+            if (e.response?.status === 404)
+                return { success: true, exists: false };
+            return { success: false, exists: false, error: e.response?.data?.error || e.message };
+        }
+    }
+    async uploadRepoFile(jobId, filePath, content, isBlob = false) {
+        try {
+            let finalContent;
+            if (Buffer.isBuffer(content)) {
+                finalContent = content.toString('base64');
+                isBlob = true;
+            }
+            else {
+                finalContent = String(content);
+            }
+            const res = await this.api.post(`jobs/${jobId}/repo/files`, { path: filePath, content: finalContent, isBlob });
+            return { success: true, repoId: res.data.repoId };
+        }
+        catch (e) {
+            return { success: false, error: e.response?.data?.error || e.message };
+        }
+    }
+    isBinaryFile(filePath) {
+        const textExts = ['.js', '.ts', '.json', '.md', '.txt', '.html', '.css', '.yml', '.yaml', '.toml'];
+        return !textExts.includes(path.extname(filePath).toLowerCase());
+    }
     async deliver(jobId, files) {
         const cwd = path.join(this.workspaceRoot, jobId);
         for (const file of files) {
@@ -333,6 +481,43 @@ class Agent extends events_1.EventEmitter {
             }
         }
     }
+    // --- ✅ VERIFICATION FLOW ---
+    async verifyDeliverables(jobId) {
+        try {
+            const cwd = path.join(this.workspaceRoot, jobId);
+            if (!fs.existsSync(cwd))
+                return { success: false, verified: false, error: 'No workspace' };
+            const issues = [];
+            const files = [];
+            const scanDir = (dir, rel = '') => {
+                fs.readdirSync(dir).forEach((item) => {
+                    const full = path.join(dir, item);
+                    const relPath = path.join(rel, item);
+                    if (fs.statSync(full).isDirectory())
+                        scanDir(full, relPath);
+                    else
+                        files.push({ path: relPath, size: fs.statSync(full).size });
+                });
+            };
+            scanDir(cwd);
+            if (files.length === 0)
+                issues.push('No deliverables');
+            if (!files.some(f => f.path.toLowerCase().includes('readme')))
+                issues.push('Missing README');
+            const verified = issues.length === 0;
+            return { success: true, verified, files, issues };
+        }
+        catch (e) {
+            return { success: false, verified: false, error: e.message };
+        }
+    }
+    async preDeliveryCheck(jobId) {
+        const verify = await this.verifyDeliverables(jobId);
+        const checks = [{ name: 'Deliverables', passed: verify.verified, details: verify.files?.length + ' files' }];
+        const job = this.activeMissions.get(jobId);
+        checks.push({ name: 'Progress', passed: (job?.progress || 0) >= 80, details: (job?.progress || 0) + '%' });
+        return { canDeliver: checks.every(c => c.passed), checks };
+    }
     async markComplete(jobId) {
         const res = await this.api.post(`jobs/${jobId}/complete`, { userId: this.agentId, role: 'agent' });
         if (res.data.success) {
@@ -344,6 +529,46 @@ class Agent extends events_1.EventEmitter {
         }
         return res.data;
     }
+    // --- 🧠 LLM INTEGRATION ---
+    async generate(prompt, options = {}) {
+        try {
+            const res = await this.api.post('agents/llm/generate', {
+                prompt, model: options.model || 'groq/llama-3.3-70b-versatile',
+                temperature: options.temperature ?? 0.7, maxTokens: options.maxTokens ?? 2048, system: options.system
+            });
+            return { success: true, text: res.data.text };
+        }
+        catch (e) {
+            return { success: false, error: e.response?.data?.error || e.message };
+        }
+    }
+    async analyzeRequirements(job) {
+        const prompt = 'Analyze job, return JSON with techStack, features, deliverables, timeline, risks. Title: ' + job.title + ' Desc: ' + job.description.slice(0, 500);
+        const res = await this.generate(prompt, { system: 'Extract requirements as JSON', temperature: 0.3 });
+        if (!res.success)
+            return res;
+        try {
+            const json = res.text?.match(/\{[^]*\}/)?.[0];
+            return { success: true, requirements: JSON.parse(json || '{}') };
+        }
+        catch {
+            return { success: false, error: 'Parse failed' };
+        }
+    }
+    async codeGenerator(prompt, language = 'javascript') {
+        const res = await this.generate(prompt, { system: 'Output only ' + language + ' code', temperature: 0.2, maxTokens: 4000 });
+        if (!res.success)
+            return res;
+        const code = res.text?.match(/```(?:\w+)?\n?([\s\S]*?)```/)?.[1] || res.text;
+        return { success: true, code: code?.trim() };
+    }
+    async reviewCode(code, requirements) {
+        const res = await this.generate('Review code. Reqs: ' + requirements + ' Code: ' + code.slice(0, 2000), { system: 'Code reviewer', temperature: 0.3 });
+        if (!res.success)
+            return { success: false, passed: false, error: res.error };
+        const passed = !!(res.text?.toUpperCase().includes('PASS') && !res.text?.toUpperCase().includes('FAIL'));
+        return { success: true, review: res.text, passed };
+    }
     async bid(jobId, amount, message) {
         try {
             const res = await this.api.post('bids', { jobId, amount, message });
@@ -422,7 +647,10 @@ class Agent extends events_1.EventEmitter {
                 bidCache: Array.from(this.bidCache),
                 autopilotPaused: this.autopilotPaused
             };
-            fs.writeFileSync(this.statePath, JSON.stringify(state, null, 2));
+            // Atomic Write: Write to temp file then rename to prevent corruption on crash
+            const tempPath = `${this.statePath}.tmp`;
+            fs.writeFileSync(tempPath, JSON.stringify(state, null, 2));
+            fs.renameSync(tempPath, this.statePath);
         }
         catch (e) { }
     }
@@ -431,6 +659,19 @@ class Agent extends events_1.EventEmitter {
         setInterval(() => this.api.post(`agents/me/heartbeat`, {}).catch(() => { }), 30000);
         // 2. 🛡️ POLLING FAIL-SAFE: Catch messages if WebSockets fail
         setInterval(() => this.fetchUnreadMessages(), 15000);
+        // 3. 🛡️ PROCESS GUARD: Ensure workers die when we die
+        const cleanup = () => {
+            this.logInternal("🛑 Shutting down agent & killing workers...");
+            for (const [jobId, worker] of this.workers) {
+                try {
+                    worker.kill();
+                }
+                catch (e) { }
+            }
+            process.exit(0);
+        };
+        process.on('SIGINT', cleanup);
+        process.on('SIGTERM', cleanup);
     }
     /**
      * Fetch unread messages from the grid (Backup mechanism)
@@ -457,6 +698,17 @@ class Agent extends events_1.EventEmitter {
     }
     logInternal(msg) { if (this.debug)
         console.log(`[SDK] ${msg}`); }
+    compareVersions(a, b) {
+        const pa = a.split('.').map(Number);
+        const pb = b.split('.').map(Number);
+        for (let i = 0; i < 3; i++) {
+            if (pa[i] > pb[i])
+                return 1;
+            if (pa[i] < pb[i])
+                return -1;
+        }
+        return 0;
+    }
 }
 exports.Agent = Agent;
 Agent.VERSION = SDK_VERSION;

package/dist/utils/sanitizer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Command Sanitization Utility
+ *
+ * This utility provides functions to validate and sanitize commands and their arguments
+ * to prevent command injection attacks, especially when shell execution is involved.
+ */
+/**
+ * Validates a command and its arguments against a set of forbidden shell metacharacters.
+ *
+ * @param file The command or executable to run
+ * @param args The arguments to pass to the command
+ * @throws Error if any forbidden characters are found
+ */
+export declare function validateCommand(file: string, args?: string[]): void;
+/**
+ * Sanitizes a string by removing or escaping shell metacharacters.
+ * Note: It's always better to use argument arrays with shell: false than to rely on sanitization.
+ */
+export declare function sanitizeString(input: string): string;

package/dist/utils/sanitizer.js

@@ -0,0 +1,42 @@
+"use strict";
+/**
+ * Command Sanitization Utility
+ *
+ * This utility provides functions to validate and sanitize commands and their arguments
+ * to prevent command injection attacks, especially when shell execution is involved.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateCommand = validateCommand;
+exports.sanitizeString = sanitizeString;
+const SHELL_METACHARACTERS = [';', '&', '|', '>', '<', '$', '(', ')', '`', '\\', '!'];
+/**
+ * Validates a command and its arguments against a set of forbidden shell metacharacters.
+ *
+ * @param file The command or executable to run
+ * @param args The arguments to pass to the command
+ * @throws Error if any forbidden characters are found
+ */
+function validateCommand(file, args = []) {
+    const allInputs = [file, ...args];
+    for (const input of allInputs) {
+        for (const char of SHELL_METACHARACTERS) {
+            if (input.includes(char)) {
+                throw new Error(`Security Error: Forbidden shell metacharacter '${char}' found in command or arguments.`);
+            }
+        }
+    }
+}
+/**
+ * Sanitizes a string by removing or escaping shell metacharacters.
+ * Note: It's always better to use argument arrays with shell: false than to rely on sanitization.
+ */
+function sanitizeString(input) {
+    let sanitized = input;
+    for (const char of SHELL_METACHARACTERS) {
+        // Escape the character for regex
+        const escapedChar = char.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        const regex = new RegExp(escapedChar, 'g');
+        sanitized = sanitized.replace(regex, '');
+    }
+    return sanitized;
+}

package/init.js

@@ -97,7 +97,8 @@ async function main() {
 
     // TASK EXECUTION (ORACLE ENABLED)
     const task = "PROJECT: " + job.title + ". BRIEF: " + job.description;
-    const { exitCode, output } = await agent.execute(job.id, 'openclaw sessions_spawn --task "' + task + '"');
+    // 🛡️ SECURE EXECUTION: Use argument array
+    const { exitCode, output } = await agent.execute(job.id, 'openclaw', ['sessions_spawn', '--task', task]);
 
     if (exitCode === 0) {
         // Collect real files (No faking)

package/init_templates.js

@@ -1,5 +1,9 @@
 
 const queenTemplate = `
+/**
+ * 👑 RENTABOTS SUPERVISOR UNIT (Queen)
+ * Manages the fleet, handles contracts, and coordinates workers.
+ */
 require('dotenv').config();
 const { Agent } = require('rentabots-sdk');
 const fs = require('fs');
@@ -8,57 +12,109 @@ const path = require('path');
 const STATUS_FILE = path.join(__dirname, 'RENTABOT_STATUS.md');
 
 function updateStatus(queen, event = "Monitoring grid.") {
-    const content = "# 🤖 RentaBots Dashboard\\n- **State:** 🟢 Online\\n- **Missions:** " + queen.activeMissions.size + "\\n- **Completed:** " + queen.completedMissions.size + "\\n- **Event:** " + event;
-    fs.writeFileSync(STATUS_FILE, content);
+    const status = queen.autopilotPaused ? '⏸️ PAUSED' : '🟢 ONLINE';
+    const content = \`# 🤖 RentaBots Dashboard
+- **State:** \${status}
+- **Active Missions:** \${queen.activeMissions.size}
+- **Completed:** \${queen.completedMissions.size}
+- **Last Event:** \${event}
+- **OpenClaw:** Linked\`;
+    
+    try { fs.writeFileSync(STATUS_FILE, content); } catch(e) {}
 }
 
 async function main() {
-    const queen = new Agent({ debug: true });
-    await queen.connect();
+    const queen = new Agent({ 
+        debug: true,
+        // Ensure state is saved in the isolated workspace to prevent conflict
+        persistState: true
+    });
+    
+    const connection = await queen.connect();
+    if (!connection.success) {
+        console.error("❌ Failed to connect:", connection.error);
+        process.exit(1);
+    }
     
     updateStatus(queen, "Supervisor connected.");
 
     queen.on('assignment', async (job) => {
+        console.log("🎯 Mission Secured:", job.title);
         updateStatus(queen, "Mission Secured: " + job.title);
         await queen.spawnWorker(job);
     });
 
     queen.on('message', async (msg) => {
         if (msg.sender.type === 'agent') return;
-        await queen.sendMessage(msg.jobId, "Queen unit acknowledging. Dispatching worker for analysis.");
+        // In Fleet Mode, the Queen delegates chat to the specific Worker handling the job.
+        // We only respond if no worker is active for this job.
+        if (!queen.workers.has(msg.jobId)) {
+             await queen.sendMessage(msg.jobId, "🤖 Supervisor here. Dispatching a worker to this channel shortly.");
+             const job = queen.activeMissions.get(msg.jobId);
+             if (job) await queen.spawnWorker(job);
+        }
     });
 
-    queen.startAutopilot({ scoutingInterval: 60000 });
+    // Start Autopilot (Scout for jobs every 5 mins to save tokens)
+    queen.startAutopilot({ 
+        scoutingInterval: 300000, 
+        minBudget: 5 // Only bid on jobs > $5
+    });
+    
     setInterval(() => updateStatus(queen), 60000);
 }
 main().catch(console.error);`;
 
 const workerTemplate = `
+/**
+ * 👷 RENTABOTS EXECUTION UNIT (Worker)
+ * Jailed process that performs the actual labor using OpenClaw.
+ */
 const { Agent } = require('rentabots-sdk');
 const fs = require('fs');
 const path = require('path');
+
+// Worker receives job data as CLI argument
 const job = JSON.parse(process.argv[2]);
 
 async function main() {
-    const agent = new Agent({ persistState: false, debug: true });
+    const agent = new Agent({ 
+        persistState: false, 
+        debug: true 
+    });
+    
     await agent.connect();
-    const workspace = await agent.execute(job.id, "pwd"); 
     
-    await agent.sendMessage(job.id, "👷 Worker linked. Deploying OpenClaw Hands...");
+    // Announce arrival in the mission channel
+    await agent.sendMessage(job.id, "👷 Worker Unit [PID " + process.pid + "] deployed to workspace. Analyzing requirements...");
 
-    const task = "PROJECT: " + job.title + ". BRIEF: " + job.description;
-    const { exitCode, output } = await agent.execute(job.id, 'openclaw sessions_spawn --task "' + task + '"');
+    // Construct the prompt for the autonomous brain
+    const task = \`PROJECT: \${job.title}. BRIEF: \${job.description}. INSTRUCTION: Execute this task in the current directory. Do not leave the workspace.\`;
+    
+    // --- 🦞 EXECUTE VIA OPENCLAW BRAIN ---
+    // This calls the local OpenClaw instance to "think" and "do".
+    // 5 Minute timeout prevents infinite loops.
+    // 🛡️ SECURE EXECUTION: Use argument array instead of shell strings
+    const { exitCode, output } = await agent.execute(job.id, 'openclaw', ['sessions_spawn', '--task', task], { timeout: 300000 });
 
     if (exitCode === 0) {
-        const files = fs.readdirSync('.').filter(f => !f.includes('node_modules'));
+        // Automatically find deliverables (ignoring node_modules and hidden files)
+        const files = fs.readdirSync(path.join(process.cwd(), 'workspace', agent.agentId, job.id))
+            .filter(f => !f.includes('node_modules') && !f.startsWith('.'));
+            
         if (files.length > 0) {
+            await agent.sendMessage(job.id, "✅ Execution complete. Uploading " + files.length + " deliverables...");
             await agent.deliver(job.id, files);
-            await agent.sendMessage(job.id, "✅ Mission complete. Deliverables verified.");
             await agent.markComplete(job.id);
+            console.log("Mission Success. Worker retiring.");
             process.exit(0);
+        } else {
+             await agent.sendMessage(job.id, "⚠️ Task completed but no new files were generated. Please review logs.");
         }
+    } else {
+        await agent.sendMessage(job.id, "⚠️ Technical delay. OpenClaw execution timed out or failed. Retrying...");
+        console.error("Worker Error:", output);
     }
-    await agent.sendMessage(job.id, "⚠️ Technical delay in execution. Awaiting review.");
 }
 main().catch(console.error);`;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rentabots-sdk",
-  "version": "1.5.7",
+  "version": "1.6.3",
   "description": "Official SDK for RentaBots AI Agent Marketplace",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -28,10 +28,8 @@
     "init_templates.js"
   ],
   "dependencies": {
-    "-": "^0.0.1",
     "axios": "^1.6.0",
     "dotenv": "^17.2.4",
-    "npm": "^11.10.0",
     "socket.io-client": "^4.8.3",
     "zod": "^4.3.6"
   },