salmon-loop 0.2.13 → 0.2.16

package/dist/core/tools/parallel/scheduler.js

@@ -1,3 +1,4 @@
+import { isRecoverableToolInputErrorCode } from '../recoverable-tool-errors.js';
 import { IsolationManager } from './isolation.js';
 import { resolveArgsWithResults } from './resolve-args.js';
 import { processResource, repoResource } from './resource-helpers.js';
@@ -20,6 +21,25 @@ export class ParallelScheduler {
         node.spec = spec;
         return spec;
     }
+    normalizeArgsForSpec(spec, args) {
+        if (!spec.inputSchema || typeof spec.inputSchema.safeParse !== 'function')
+            return args;
+        const parsed = spec.inputSchema.safeParse(args);
+        return parsed.success ? parsed.data : args;
+    }
+    shouldFallbackFromComputeResources(spec, args, error) {
+        const parsed = spec.inputSchema.safeParse(args);
+        if (parsed.success)
+            return false;
+        const issueCode = parsed.error.issues[0]?.code;
+        if (issueCode === 'invalid_type' || issueCode === 'invalid_union' || issueCode === 'custom') {
+            return true;
+        }
+        const errorCode = typeof error === 'object' && error !== null && 'code' in error
+            ? error.code
+            : undefined;
+        return isRecoverableToolInputErrorCode(errorCode);
+    }
     deriveDefaultResources(spec, ctx) {
         const writeEffects = new Set(['fs_write', 'git_write', 'snapshot_mutate']);
         const hasWrite = spec.sideEffects.some((effect) => writeEffects.has(effect));
@@ -163,13 +183,14 @@ export class ParallelScheduler {
                 }
                 // 1. Resolve Arguments
                 const resolvedArgs = resolveArgsWithResults(node.args, nodeResults);
+                const normalizedArgs = this.normalizeArgsForSpec(spec, resolvedArgs);
                 // 1.5 Deferred authorization preflight (avoid holding locks while waiting for user)
                 const preflight = typeof this.router.preflightDeferredAuthorization === 'function'
                     ? await this.router.preflightDeferredAuthorization({
                         id: nodeId,
                         phase: baseCtx.phase || 'execute',
                         toolName: node.toolName,
-                        args: resolvedArgs,
+                        args: normalizedArgs,
                         ctx: baseCtx,
                     })
                     : null;
@@ -205,8 +226,18 @@ export class ParallelScheduler {
                 }
                 // 2. Compute Resources (JIT)
                 const resources = node.resources ??
-                    spec.computeResources?.(resolvedArgs, baseCtx) ??
-                    this.deriveDefaultResources(spec, baseCtx);
+                    (() => {
+                        try {
+                            return (spec.computeResources?.(normalizedArgs, baseCtx) ??
+                                this.deriveDefaultResources(spec, baseCtx));
+                        }
+                        catch (error) {
+                            if (!this.shouldFallbackFromComputeResources(spec, normalizedArgs, error)) {
+                                throw error;
+                            }
+                            return this.deriveDefaultResources(spec, baseCtx);
+                        }
+                    })();
                 node.resources = resources;
                 // 3. Acquire Locks
                 const mode = lane === 'read' ? 'read' : 'write';
@@ -221,7 +252,7 @@ export class ParallelScheduler {
                         id: nodeId,
                         phase: baseCtx.phase || 'execute',
                         toolName: node.toolName,
-                        args: resolvedArgs,
+                        args: normalizedArgs,
                         ctx: isolatedEnv
                             ? { ...baseCtx, env: { ...baseCtx.env, ...isolatedEnv.env } }
                             : baseCtx,

package/dist/core/tools/permissions/permission-rules.js

@@ -1,6 +1,7 @@
 import { text } from '../../../locales/index.js';
 import { normalizeDiff, validateDiff } from '../../patch/diff.js';
 import { ArtifactStore } from '../../sub-agent/artifacts/store.js';
+import { normalizeRepoRelativePath } from '../../utils/path.js';
 const DEFAULT_TOOL_ALIASES = {
     bash: 'Bash',
     read: 'Read',
@@ -15,7 +16,7 @@ const ALIAS_TOOL_TO_INTERNAL_TOOL_NAMES = {
     Bash: ['shell.exec', 'test.run'],
     Read: ['fs.read', 'code.read', 'git.cat', 'artifact.read'],
     Edit: ['proposal.apply'],
-    LS: ['fs.list', 'git.status'],
+    LS: ['fs.list', 'fs.list_directory', 'fs.list_files', 'git.status'],
     Grep: ['code.search'],
     Glob: ['code.search'],
     WebFetch: [],
@@ -182,14 +183,6 @@ function compileBashMatcher(specifier) {
     };
     return { kind: 'pattern', rawSpecifier: specifier, matches, isExactMatch };
 }
-function normalizeRepoRelativePath(input) {
-    const raw = String(input ?? '')
-        .replace(/\\/g, '/')
-        .trim();
-    const withoutDot = raw.replace(/^\.\//, '');
-    const withoutLeadingSlash = withoutDot.replace(/^\/+/, '');
-    return withoutLeadingSlash.replace(/\/{2,}/g, '/');
-}
 function compilePathMatcher(specifier) {
     const spec = normalizeRepoRelativePath(String(specifier ?? '').trim());
     if (!spec || spec === '*') {
@@ -243,6 +236,8 @@ function compileRule(effect, parsed) {
         tool === 'code.read' ||
         tool === 'git.cat' ||
         tool === 'fs.list' ||
+        tool === 'fs.list_directory' ||
+        tool === 'fs.list_files' ||
         tool === 'artifact.read' ||
         asAlias === 'Read' ||
         asAlias === 'LS';
@@ -335,7 +330,7 @@ function extractPrimaryPathArg(toolName, args) {
         return typeof obj.file === 'string' ? obj.file : undefined;
     if (toolName === 'git.cat')
         return typeof obj.file === 'string' ? obj.file : undefined;
-    if (toolName === 'fs.list')
+    if (toolName === 'fs.list' || toolName === 'fs.list_directory' || toolName === 'fs.list_files')
         return typeof obj.path === 'string' ? obj.path : undefined;
     return undefined;
 }

package/dist/core/tools/policy.js

@@ -1,3 +1,4 @@
+import { resolveExecutionProfile } from '../runtime/execution-profile.js';
 import { Phase } from '../types/runtime.js';
 export class ToolPolicy {
     /**
@@ -15,6 +16,10 @@ export class ToolPolicy {
         const hasRuntimeWrite = spec.sideEffects.includes('runtime_write');
         const hasProcess = spec.sideEffects.includes('process');
         const hasNetwork = spec.sideEffects.includes('network');
+        const profile = ctx.flowMode ? resolveExecutionProfile(ctx.flowMode) : undefined;
+        const autopilotDirect = phase === Phase.AUTOPILOT &&
+            profile?.mode === 'autopilot' &&
+            profile.failurePolicy === 'preserve';
         // 3. APPLY phase is strictly for patch application, NO tool calls allowed
         if (phase === Phase.APPLY) {
             return {
@@ -32,7 +37,7 @@ export class ToolPolicy {
         }
         // 5. Worktree Requirement for Side Effects
         // Any repo-mutating tool or process/network execution MUST have a worktree.
-        if ((hasRepoWrite || hasProcess || hasNetwork) && !ctx.worktreeRoot) {
+        if ((hasRepoWrite || hasProcess || hasNetwork) && !ctx.worktreeRoot && !autopilotDirect) {
             return {
                 allowed: false,
                 denyReason: `Tool ${spec.name} has side effects [${spec.sideEffects.join(',')}] and requires worktree isolation`,

package/dist/core/tools/recoverable-tool-errors.js

@@ -0,0 +1,10 @@
+export const RECOVERABLE_TOOL_INPUT_ERROR_CODES = [
+    'INVALID_INPUT',
+    'INVALID_TOOL_ARGUMENTS_JSON',
+    'MALFORMED_TOOL_CALL',
+];
+const RECOVERABLE_TOOL_INPUT_ERROR_CODE_SET = new Set(RECOVERABLE_TOOL_INPUT_ERROR_CODES);
+export function isRecoverableToolInputErrorCode(code) {
+    return typeof code === 'string' && RECOVERABLE_TOOL_INPUT_ERROR_CODE_SET.has(code);
+}
+//# sourceMappingURL=recoverable-tool-errors.js.map

package/dist/core/tools/router.js

@@ -185,7 +185,7 @@ export class ToolRouter {
             }
             // 5. Budget Gating & Execution: Concurrency control, timeout, and execution
             const rawOutput = await this.budget.runWithGuards({
-                timeoutMs: LIMITS.defaultToolTimeoutMs,
+                timeoutMs: spec.defaultTimeoutMs ?? LIMITS.defaultToolTimeoutMs,
                 maxOutputBytes: LIMITS.maxToolOutputBytes,
                 phase: normalizedEnvelope.phase,
                 toolName: spec.name,
@@ -303,7 +303,7 @@ export class ToolRouter {
         if (permissionDecision.kind === 'allow') {
             return { kind: 'ready' };
         }
-        const cacheKey = this.buildAuthorizationKey(normalizedEnvelope);
+        const cacheKey = this.buildAuthorizationKey(normalizedEnvelope, spec);
         if (this.isAuthorizationCached(cacheKey)) {
             return { kind: 'ready' };
         }
@@ -370,8 +370,24 @@ export class ToolRouter {
             },
         };
     }
-    buildAuthorizationKey(envelope) {
-        return `${envelope.toolName}:${envelope.phase}`;
+    buildAuthorizationKey(envelope, spec) {
+        const base = `${envelope.toolName}:${envelope.phase}`;
+        if (this.isHighRiskTool(spec)) {
+            const argsHash = this.hashArgs(envelope.args);
+            return argsHash ? `${base}:${argsHash}` : base;
+        }
+        // Low-risk (read-only) tools use toolName:phase only — a single approval
+        // covers all argument variations since these tools have no dangerous side effects.
+        return base;
+    }
+    /**
+     * Determines whether a tool is high-risk based on its declared side effects.
+     * High-risk tools (process, fs_write, network) require stricter authorization
+     * cache scoping — see {@link buildAuthorizationKey}.
+     */
+    isHighRiskTool(spec) {
+        const HIGH_RISK_EFFECTS = ['process', 'fs_write', 'network'];
+        return (spec.sideEffects ?? []).some((e) => HIGH_RISK_EFFECTS.includes(e));
     }
     isAuthorizationCached(key) {
         const entry = this.authorizationCache.get(key);
@@ -401,6 +417,8 @@ export class ToolRouter {
             return undefined;
         try {
             const raw = JSON.stringify(args);
+            // Full SHA-256 hex digest (64 chars / 256-bit) for authorization cache keys.
+            // Truncation to 16 hex was insufficient collision resistance for security use.
             return crypto.createHash('sha256').update(raw).digest('hex');
         }
         catch {
@@ -410,7 +428,7 @@ export class ToolRouter {
     async authorizeToolCall(envelope, spec) {
         if (!this.authorization)
             return { kind: 'allow' };
-        const cacheKey = this.buildAuthorizationKey(envelope);
+        const cacheKey = this.buildAuthorizationKey(envelope, spec);
         if (this.isAuthorizationCached(cacheKey)) {
             this.audit.onAuthorization({
                 callId: envelope.id,
@@ -486,7 +504,7 @@ export class ToolRouter {
         }
         if (decision.outcome === 'allow_session' || decision.outcome === 'allow') {
             const expiresAt = typeof decision.ttlMs === 'number' ? Date.now() + decision.ttlMs : undefined;
-            const cacheKey = this.buildAuthorizationKey(envelope);
+            const cacheKey = this.buildAuthorizationKey(envelope, spec);
             this.authorizationCache.set(cacheKey, { expiresAt });
         }
         return { kind: 'allow' };