rivet-design 0.11.5 → 0.11.7

package/dist/mcp/agent-variants/WorktreeOrchestrator.js

@@ -42,7 +42,7 @@ const DESIGN_CONTEXT_VIEW_SEGMENT = 'view';
 // fast and legibly instead. Per-git-op hangs are already caught by simple-git's
 // block timeout in WorktreeManager; this is the cross-op backstop. Override via
 // env for unusually large repos.
-const DEFAULT_PROVISION_TIMEOUT_MS = 180_000;
+const DEFAULT_PROVISION_TIMEOUT_MS = 540_000;
 const PROVISION_TIMEOUT_MS = (() => {
     const raw = process.env.RIVET_VARIANTS_PROVISION_TIMEOUT_MS;
     const parsed = raw ? Number.parseInt(raw, 10) : NaN;
@@ -188,10 +188,18 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!path_1.default.isAbsolute(assetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetSourceRoot must be an absolute path, got '${assetSourceRoot}'`);
     }
-    if (!path_1.default.isAbsolute(entry.source)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must be an absolute path, got '${entry.source}'`);
-    }
-    const ext = path_1.default.extname(entry.source).toLowerCase();
+    // A relative source is resolved against the approved asset root. The
+    // agent-facing protocol requires the source to live under that root but not
+    // to be absolute, and the root path is internal to Rivet (a staged context
+    // bundle) — so a relative name such as 'avatar.glb' is the natural, safe
+    // form. Every downstream guard (symlink, extension, within-root, sensitive
+    // segments) runs against this resolved absolute path, so the resolution
+    // cannot widen what is copyable: a relative `..` escape still fails the
+    // within-root check below.
+    const absoluteSource = path_1.default.isAbsolute(entry.source)
+        ? entry.source
+        : path_1.default.resolve(assetSourceRoot, entry.source);
+    const ext = path_1.default.extname(absoluteSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(ext)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source extension '${ext || '(none)'}' is not on the allowlist (got '${entry.source}'). Only inert media/font/document assets may be copied.`);
     }
@@ -201,7 +209,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // assetPlan entry is to name a concrete file.
     let lstat;
     try {
-        lstat = fs_1.default.lstatSync(entry.source);
+        lstat = fs_1.default.lstatSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source not found on disk: ${entry.source}`);
@@ -217,7 +225,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // file kind on the resolved path.
     let resolvedSource;
     try {
-        resolvedSource = fs_1.default.realpathSync(entry.source);
+        resolvedSource = fs_1.default.realpathSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source could not be resolved: ${entry.source}`);
@@ -233,21 +241,28 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!resolvedStat.isFile()) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved target must be a regular file: ${entry.source}`);
     }
-    // Symlinked parent directory defense: even though we rejected a symlink
-    // leaf and confirmed the resolved file is regular, an intermediate dir
-    // could have been a symlink that quietly forwards into a sensitive
-    // ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`). Cross-check that
-    // NEITHER the user-supplied path NOR its realpath traverses a known
-    // sensitive segment such as `.ssh`, `.aws`, `credentials`, etc. Also
-    // re-verify the extension on the resolved path so a `.glb` symlink
-    // chain cannot smuggle in a `.json` realpath.
-    if (hasSensitivePathSegment(entry.source) ||
-        hasSensitivePathSegment(resolvedSource)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
-    }
+    // Containment is the security boundary and must be checked before any
+    // sensitive-segment scan. The approved asset root is system-chosen and
+    // trusted (a staged context bundle), and its realpath can legitimately
+    // pass through a "sensitive" segment that is NOT agent-controlled — on
+    // macOS `fs.realpathSync(os.tmpdir())` resolves to `/private/var/folders/...`,
+    // so the temp-staged root contains `private`. A symlinked intermediate dir
+    // that forwards into a sensitive ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`)
+    // pushes the realpath OUTSIDE the root and is rejected here.
     if (!isPathWithinRoot(resolvedSource, resolvedAssetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must stay inside the approved asset root: ${entry.source}`);
     }
+    // Sensitive-segment defense, scoped to the agent-controlled portion BELOW
+    // the trusted root. Only this relative remainder is chosen by the agent's
+    // source plan, so a sensitive segment it introduces under the root (a real
+    // `<asset-root>/.ssh/key.glb`, or a within-root symlink that realpaths into
+    // one) is still refused, while the trusted root prefix is never scanned.
+    // `resolvedSource` is the fully symlink-resolved real path, so the scan
+    // covers what the file actually resolves to, not just its literal name.
+    const relativeResolvedSource = path_1.default.relative(resolvedAssetSourceRoot, resolvedSource);
+    if (hasSensitivePathSegment(relativeResolvedSource)) {
+        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
+    }
     const resolvedExt = path_1.default.extname(resolvedSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(resolvedExt)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved extension '${resolvedExt || '(none)'}' is not on the allowlist (resolved from '${entry.source}').`);
@@ -913,49 +928,16 @@ class AgentVariantsOrchestrator {
             return undefined;
         if (!requestedPath || requestedPath.length === 0)
             return undefined;
-        // Express has already URL-decoded `req.params.assetPath` for us — calling
-        // decodeURIComponent again would mangle filenames that legitimately
-        // contain `%` (e.g. `100%25.png` on disk → `100%.png` after the second
-        // pass, 404). Use the path as Express delivered it.
-        //
-        // `record.assetBase` is already a realpath'd, within-workspace directory
-        // (see `resolveStaticPreviewAssetBase`). Resolve the requested target
-        // through `realpathSync` too — without this, an attacker who manages to
-        // plant a symlink under the base (e.g. via a follow-up Write tool call)
-        // could pivot outside the sandbox.
-        const target = path_1.default.resolve(record.assetBase, '.' + path_1.default.sep + requestedPath);
-        if (target !== record.assetBase &&
-            !target.startsWith(record.assetBase + path_1.default.sep)) {
-            return undefined;
-        }
-        let realTarget;
-        try {
-            realTarget = fs_1.default.realpathSync(target);
-        }
-        catch {
-            return undefined;
-        }
-        if (realTarget !== record.assetBase &&
-            !realTarget.startsWith(record.assetBase + path_1.default.sep)) {
-            return undefined;
-        }
-        try {
-            const stat = fs_1.default.statSync(realTarget);
-            if (!stat.isFile())
-                return undefined;
-            // Hardlinks aren't dereferenced by `realpath` — they ARE the file from
-            // a path-resolution perspective, so the realpath check above can't
-            // detect them. An agent could `ln /path/to/.env assetBase/x.glb`
-            // (hardlink, not symlink) and the resolver would happily serve the
-            // secret. Reject anything with multiple links — legitimate
-            // agent-generated assets always have nlink === 1.
-            if (stat.nlink !== 1)
-                return undefined;
-            return realTarget;
-        }
-        catch {
-            return undefined;
-        }
+        // Resolve against the variant's own directory first so any asset the agent
+        // actually wrote/modified wins. Only when the worktree clone lacks the file
+        // do we fall back to the host project root — that recovers git-ignored or
+        // binary assets the worktree provisioning couldn't carry over, which the
+        // original preview already serves (see `assetFallbackBase`). Both roots are
+        // held to the identical traversal/realpath/hardlink sandbox.
+        return (resolveAssetWithinBase(record.assetBase, requestedPath) ??
+            (record.assetFallbackBase
+                ? resolveAssetWithinBase(record.assetFallbackBase, requestedPath)
+                : undefined));
     }
     getStaticPreviewByBriefId(sessionId, briefId) {
         const resources = this.resources.get(sessionId);
@@ -2565,7 +2547,12 @@ class AgentVariantsOrchestrator {
             overall: qa.dimensionScores?.overall ?? null,
         });
         this.emitChange();
-        return result;
+        // Carry the requeue signal + critique so the tool layer can tell the agent
+        // to re-lease and regenerate. The store result is an opaque
+        // `waiting_for_results` (the variant is pending again); on its own that is
+        // indistinguishable from a sibling still in flight, so the agent would
+        // otherwise abandon the variant and the session would stall at ready:0.
+        return { ...result, requeuedForRegeneration: true, qa };
     }
     async startVariantDevServer(args) {
         if (args.record.port !== undefined && args.record.devServerProcess) {
@@ -2992,6 +2979,22 @@ class AgentVariantsOrchestrator {
             // sandbox symlink-normalization is skipped.
             dir = projectCwd;
         }
+        // Host project root, used as a read-only fallback for assets the worktree
+        // clone is missing (git-ignored or binary files that `git worktree add` +
+        // text-patch + untracked-copy can't carry). Without this the original
+        // preview shows such an asset while the variant 404s. Realpath'd so the
+        // sandbox containment check in `resolveAssetWithinBase` lines up.
+        let assetFallbackBase;
+        try {
+            const hostRealRoot = fs_1.default.realpathSync(env.projectPath);
+            // Skip the fallback if it would collapse onto the worktree root (can't
+            // happen in practice, but keeps the two roots genuinely distinct).
+            if (hostRealRoot !== dir)
+                assetFallbackBase = hostRealRoot;
+        }
+        catch {
+            // No host root resolvable — serve worktree assets only.
+        }
         resources.staticPreviews.set(workItemId, {
             workItemId,
             briefId: input.briefId,
@@ -2999,6 +3002,7 @@ class AgentVariantsOrchestrator {
             // Existing-mode static projects are real multi-file sites — assume
             // sibling assets so the preview route resolves relative URLs.
             hasAssets: true,
+            ...(assetFallbackBase ? { assetFallbackBase } : {}),
         });
         log.info(`Variant ${workItemId} served as a static preview (existing/static, no dev server; root ${projectCwd})`);
         return true;
@@ -3840,6 +3844,50 @@ function isStrictlyInside(child, parent) {
     const p = path_1.default.resolve(parent);
     return c !== p && c.startsWith(p + path_1.default.sep);
 }
+/**
+ * Resolve `requestedPath` to an absolute, sandboxed file under `base`, or
+ * `undefined` if it escapes the base, doesn't exist, isn't a regular file, or
+ * is a hardlink. Shared by `resolveStaticPreviewAssetPath` across the variant's
+ * own directory and the host-root fallback so both get identical containment.
+ *
+ * `base` is expected to be realpath'd by the caller. The requested target is
+ * realpath'd here too — without it, a symlink planted under the base (e.g. via
+ * a follow-up Write tool call) could pivot outside the sandbox. `requestedPath`
+ * is used as Express delivered it (already URL-decoded); decoding again would
+ * mangle filenames that legitimately contain `%` (e.g. `100%25.png` on disk).
+ */
+function resolveAssetWithinBase(base, requestedPath) {
+    const target = path_1.default.resolve(base, '.' + path_1.default.sep + requestedPath);
+    if (target !== base && !target.startsWith(base + path_1.default.sep)) {
+        return undefined;
+    }
+    let realTarget;
+    try {
+        realTarget = fs_1.default.realpathSync(target);
+    }
+    catch {
+        return undefined;
+    }
+    if (realTarget !== base && !realTarget.startsWith(base + path_1.default.sep)) {
+        return undefined;
+    }
+    try {
+        const stat = fs_1.default.statSync(realTarget);
+        if (!stat.isFile())
+            return undefined;
+        // Hardlinks aren't dereferenced by `realpath` — they ARE the file from a
+        // path-resolution perspective, so the realpath check above can't detect
+        // them. An agent could `ln /path/to/.env base/x.glb` (hardlink, not
+        // symlink) and the resolver would happily serve the secret. Reject
+        // anything with multiple links — legitimate assets always have nlink === 1.
+        if (stat.nlink !== 1)
+            return undefined;
+        return realTarget;
+    }
+    catch {
+        return undefined;
+    }
+}
 /**
  * Sandbox the agent's `output.assetBase` to a path inside the session
  * workspace. Accepts either an absolute path (used as-is after the