rivet-design 0.11.6 → 0.11.8

package/dist/mcp/agent-variants/WorktreeOrchestrator.js

@@ -42,7 +42,7 @@ const DESIGN_CONTEXT_VIEW_SEGMENT = 'view';
 // fast and legibly instead. Per-git-op hangs are already caught by simple-git's
 // block timeout in WorktreeManager; this is the cross-op backstop. Override via
 // env for unusually large repos.
-const DEFAULT_PROVISION_TIMEOUT_MS = 180_000;
+const DEFAULT_PROVISION_TIMEOUT_MS = 540_000;
 const PROVISION_TIMEOUT_MS = (() => {
     const raw = process.env.RIVET_VARIANTS_PROVISION_TIMEOUT_MS;
     const parsed = raw ? Number.parseInt(raw, 10) : NaN;
@@ -188,10 +188,18 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!path_1.default.isAbsolute(assetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetSourceRoot must be an absolute path, got '${assetSourceRoot}'`);
     }
-    if (!path_1.default.isAbsolute(entry.source)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must be an absolute path, got '${entry.source}'`);
-    }
-    const ext = path_1.default.extname(entry.source).toLowerCase();
+    // A relative source is resolved against the approved asset root. The
+    // agent-facing protocol requires the source to live under that root but not
+    // to be absolute, and the root path is internal to Rivet (a staged context
+    // bundle) — so a relative name such as 'avatar.glb' is the natural, safe
+    // form. Every downstream guard (symlink, extension, within-root, sensitive
+    // segments) runs against this resolved absolute path, so the resolution
+    // cannot widen what is copyable: a relative `..` escape still fails the
+    // within-root check below.
+    const absoluteSource = path_1.default.isAbsolute(entry.source)
+        ? entry.source
+        : path_1.default.resolve(assetSourceRoot, entry.source);
+    const ext = path_1.default.extname(absoluteSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(ext)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source extension '${ext || '(none)'}' is not on the allowlist (got '${entry.source}'). Only inert media/font/document assets may be copied.`);
     }
@@ -201,7 +209,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // assetPlan entry is to name a concrete file.
     let lstat;
     try {
-        lstat = fs_1.default.lstatSync(entry.source);
+        lstat = fs_1.default.lstatSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source not found on disk: ${entry.source}`);
@@ -217,7 +225,7 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     // file kind on the resolved path.
     let resolvedSource;
     try {
-        resolvedSource = fs_1.default.realpathSync(entry.source);
+        resolvedSource = fs_1.default.realpathSync(absoluteSource);
     }
     catch {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source could not be resolved: ${entry.source}`);
@@ -233,21 +241,28 @@ function copyAssetIntoWorktree(worktreePath, entry, assetSourceRoot) {
     if (!resolvedStat.isFile()) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved target must be a regular file: ${entry.source}`);
     }
-    // Symlinked parent directory defense: even though we rejected a symlink
-    // leaf and confirmed the resolved file is regular, an intermediate dir
-    // could have been a symlink that quietly forwards into a sensitive
-    // ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`). Cross-check that
-    // NEITHER the user-supplied path NOR its realpath traverses a known
-    // sensitive segment such as `.ssh`, `.aws`, `credentials`, etc. Also
-    // re-verify the extension on the resolved path so a `.glb` symlink
-    // chain cannot smuggle in a `.json` realpath.
-    if (hasSensitivePathSegment(entry.source) ||
-        hasSensitivePathSegment(resolvedSource)) {
-        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
-    }
+    // Containment is the security boundary and must be checked before any
+    // sensitive-segment scan. The approved asset root is system-chosen and
+    // trusted (a staged context bundle), and its realpath can legitimately
+    // pass through a "sensitive" segment that is NOT agent-controlled — on
+    // macOS `fs.realpathSync(os.tmpdir())` resolves to `/private/var/folders/...`,
+    // so the temp-staged root contains `private`. A symlinked intermediate dir
+    // that forwards into a sensitive ancestor (e.g. `<asset-root>/avatar -> ~/.ssh`)
+    // pushes the realpath OUTSIDE the root and is rejected here.
     if (!isPathWithinRoot(resolvedSource, resolvedAssetSourceRoot)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source must stay inside the approved asset root: ${entry.source}`);
     }
+    // Sensitive-segment defense, scoped to the agent-controlled portion BELOW
+    // the trusted root. Only this relative remainder is chosen by the agent's
+    // source plan, so a sensitive segment it introduces under the root (a real
+    // `<asset-root>/.ssh/key.glb`, or a within-root symlink that realpaths into
+    // one) is still refused, while the trusted root prefix is never scanned.
+    // `resolvedSource` is the fully symlink-resolved real path, so the scan
+    // covers what the file actually resolves to, not just its literal name.
+    const relativeResolvedSource = path_1.default.relative(resolvedAssetSourceRoot, resolvedSource);
+    if (hasSensitivePathSegment(relativeResolvedSource)) {
+        throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source traverses a sensitive directory and is refused: ${entry.source}`);
+    }
     const resolvedExt = path_1.default.extname(resolvedSource).toLowerCase();
     if (!ALLOWED_ASSET_EXTENSIONS.has(resolvedExt)) {
         throw new errors_1.AgentVariantsError('RUNTIME_VALIDATION_FAILED', `assetPlan.source resolved extension '${resolvedExt || '(none)'}' is not on the allowlist (resolved from '${entry.source}').`);
@@ -2532,7 +2547,12 @@ class AgentVariantsOrchestrator {
             overall: qa.dimensionScores?.overall ?? null,
         });
         this.emitChange();
-        return result;
+        // Carry the requeue signal + critique so the tool layer can tell the agent
+        // to re-lease and regenerate. The store result is an opaque
+        // `waiting_for_results` (the variant is pending again); on its own that is
+        // indistinguishable from a sibling still in flight, so the agent would
+        // otherwise abandon the variant and the session would stall at ready:0.
+        return { ...result, requeuedForRegeneration: true, qa };
     }
     async startVariantDevServer(args) {
         if (args.record.port !== undefined && args.record.devServerProcess) {