npm - rivet-design - Versions diffs - 0.11.6 → 0.11.7 - Mend

rivet-design 0.11.6 → 0.11.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/mcp/agent-variants/WorktreeOrchestrator.js CHANGED Viewed

@@ -42,7 +42,7 @@ const DESIGN_CONTEXT_VIEW_SEGMENT = 'view';
 // fast and legibly instead. Per-git-op hangs are already caught by simple-git's
 // block timeout in WorktreeManager; this is the cross-op backstop. Override via
 // env for unusually large repos.
-const DEFAULT_PROVISION_TIMEOUT_MS = 180_000;
+const DEFAULT_PROVISION_TIMEOUT_MS = 540_000;
 const PROVISION_TIMEOUT_MS = (() => {
     const raw = process.env.RIVET_VARIANTS_PROVISION_TIMEOUT_MS;
     const parsed = raw ? Number.parseInt(raw, 10) : NaN;
@@ -188,10 +188,18 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!path_1.default.isAbsolute(assetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetSourceRoot must be an absolute path, got '${assetSourceRoot}'`);
     }
-    if (!path_1.default.isAbsolute(entry.source)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must be an absolute path, got '${entry.source}'`);
-    }
-    const ext = path_1.default.extname(entry.source).toLowerCase();
+    // A relative source is resolved against the approved asset root. The
+    // agent-facing protocol requires the source to live under that root but not
+    // to be absolute, and the root path is internal to Rivet (a staged context
+    // bundle) — so a relative name such as 'avatar.glb' is the natural, safe
+    // form. Every downstream guard (symlink, extension, within-root, sensitive
+    // segments) runs against this resolved absolute path, so the resolution
+    // cannot widen what is copyable: a relative `..` escape still fails the
+    // within-root check below.
+    const absoluteSource = path_1.default.isAbsolute(entry.source)
+        ? entry.source
+        : path_1.default.resolve(assetSourceRoot, entry.source);
+    const ext = path_1.default.extname(absoluteSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(ext)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source extension '${ext || '(none)'}' is not on the allowlist (got '${entry.source}'). Only inert media/font/document assets may be copied.`);
     }
@@ -201,7 +209,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // assetPlan entry is to name a concrete file.
     let lstat;
     try {
-        lstat = fs_1.default.lstatSync(entry.source);
+        lstat = fs_1.default.lstatSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source not found on disk: ${entry.source}`);
@@ -217,7 +225,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // file kind on the resolved path.
     let resolvedSource;
     try {
-        resolvedSource = fs_1.default.realpathSync(entry.source);
+        resolvedSource = fs_1.default.realpathSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source could not be resolved: ${entry.source}`);
@@ -233,21 +241,28 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!resolvedStat.isFile()) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved target must be a regular file: ${entry.source}`);
     }
-    // Symlinked parent directory defense: even though we rejected a symlink
-    // leaf and confirmed the resolved file is regular, an intermediate dir
-    // could have been a symlink that quietly forwards into a sensitive
-    // ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`). Cross-check that
-    // NEITHER the user-supplied path NOR its realpath traverses a known
-    // sensitive segment such as `.ssh`, `.aws`, `credentials`, etc. Also
-    // re-verify the extension on the resolved path so a `.glb` symlink
-    // chain cannot smuggle in a `.json` realpath.
-    if (hasSensitivePathSegment(entry.source) ||
-        hasSensitivePathSegment(resolvedSource)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
-    }
+    // Containment is the security boundary and must be checked before any
+    // sensitive-segment scan. The approved asset root is system-chosen and
+    // trusted (a staged context bundle), and its realpath can legitimately
+    // pass through a "sensitive" segment that is NOT agent-controlled — on
+    // macOS `fs.realpathSync(os.tmpdir())` resolves to `/private/var/folders/...`,
+    // so the temp-staged root contains `private`. A symlinked intermediate dir
+    // that forwards into a sensitive ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`)
+    // pushes the realpath OUTSIDE the root and is rejected here.
     if (!isPathWithinRoot(resolvedSource, resolvedAssetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must stay inside the approved asset root: ${entry.source}`);
     }
+    // Sensitive-segment defense, scoped to the agent-controlled portion BELOW
+    // the trusted root. Only this relative remainder is chosen by the agent's
+    // source plan, so a sensitive segment it introduces under the root (a real
+    // `<asset-root>/.ssh/key.glb`, or a within-root symlink that realpaths into
+    // one) is still refused, while the trusted root prefix is never scanned.
+    // `resolvedSource` is the fully symlink-resolved real path, so the scan
+    // covers what the file actually resolves to, not just its literal name.
+    const relativeResolvedSource = path_1.default.relative(resolvedAssetSourceRoot, resolvedSource);
+    if (hasSensitivePathSegment(relativeResolvedSource)) {
+        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
+    }
     const resolvedExt = path_1.default.extname(resolvedSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(resolvedExt)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved extension '${resolvedExt || '(none)'}' is not on the allowlist (resolved from '${entry.source}').`);
@@ -2532,7 +2547,12 @@ class AgentVariantsOrchestrator {
             overall: qa.dimensionScores?.overall ?? null,
         });
         this.emitChange();
-        return result;
+        // Carry the requeue signal + critique so the tool layer can tell the agent
+        // to re-lease and regenerate. The store result is an opaque
+        // `waiting_for_results` (the variant is pending again); on its own that is
+        // indistinguishable from a sibling still in flight, so the agent would
+        // otherwise abandon the variant and the session would stall at ready:0.
+        return { ...result, requeuedForRegeneration: true, qa };
     }
     async startVariantDevServer(args) {
         if (args.record.port !== undefined && args.record.devServerProcess) {