skimpyclaw 0.1.8 → 0.2.0

package/dist/tools/bash-path-validation.js

@@ -0,0 +1,130 @@
+// Bash argument path validation — extracts file paths from command tokens
+// and validates them against the allowedPaths list.
+import { resolve } from 'path';
+import { homedir } from 'os';
+import { getCommandSegments, getSegmentCommandIndex, getExecutableName, } from '../exec-approval.js';
+import { isPathAllowed } from './path-utils.js';
+// --- Path-like token detection ---
+/**
+ * Returns true if a shell token looks like a file/directory path.
+ * Matches: /foo, ./foo, ../foo, ~/foo
+ * Does NOT match: flags (-f, --file), bare words (foo), URLs (https://...)
+ */
+export function isPathLikeToken(token) {
+    const t = token.trim();
+    if (!t || t === '-' || t === '--')
+        return false;
+    // Absolute path
+    if (t.startsWith('/'))
+        return true;
+    // Relative paths
+    if (t.startsWith('./') || t.startsWith('../') || t === '.' || t === '..')
+        return true;
+    // Home-relative path
+    if (t.startsWith('~/') || t === '~')
+        return true;
+    return false;
+}
+// --- Interpreter script target extraction ---
+const INTERPRETERS = new Set([
+    'python', 'python3', 'python3.11', 'python3.12', 'python3.13',
+    'node', 'deno', 'bun',
+    'perl', 'ruby', 'php', 'lua',
+    'bash', 'sh', 'zsh', 'fish',
+]);
+/** Flags that consume the next argument (so it's not a script path). */
+const INTERPRETER_FLAGS_WITH_VALUE = new Set([
+    '-c', '-e', '-m', '-W', '-X', '-O',
+    '--eval', '--execute', '--require',
+]);
+/** Flags that mean "read from stdin" or "inline code follows" — stop looking for script path. */
+const INTERPRETER_INLINE_FLAGS = new Set([
+    '-c', '-e', '--eval', '--execute', '-r', '-Command',
+]);
+/**
+ * For an interpreter command segment, extract the script file path if present.
+ * Returns null if the command uses inline execution (-c, -e) or reads from stdin.
+ */
+export function extractScriptTarget(segment) {
+    const cmdIdx = getSegmentCommandIndex(segment);
+    if (cmdIdx >= segment.length)
+        return null;
+    const cmd = getExecutableName(segment[cmdIdx]);
+    if (!INTERPRETERS.has(cmd))
+        return null;
+    const args = segment.slice(cmdIdx + 1);
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        // Inline execution — no script file to validate
+        if (INTERPRETER_INLINE_FLAGS.has(arg))
+            return null;
+        // Flag that consumes next arg — skip both
+        if (INTERPRETER_FLAGS_WITH_VALUE.has(arg)) {
+            i++;
+            continue;
+        }
+        // Skip other flags (single or double dash)
+        if (arg.startsWith('-'))
+            continue;
+        // First non-flag argument is the script path
+        return arg;
+    }
+    return null;
+}
+// --- Path extraction from full command ---
+/**
+ * Extract all file-path-like tokens from a shell command.
+ * Handles piped/chained commands. Resolves ~ and relative paths using cwd.
+ * Also extracts script targets from interpreter commands.
+ */
+export function extractPathsFromCommand(command, cwd) {
+    const segments = getCommandSegments(command);
+    const paths = [];
+    const baseCwd = cwd || process.cwd();
+    for (const segment of segments) {
+        const cmdIdx = getSegmentCommandIndex(segment);
+        // Check for interpreter script target
+        const scriptTarget = extractScriptTarget(segment);
+        if (scriptTarget) {
+            paths.push(resolvePath(scriptTarget, baseCwd));
+        }
+        // Check all non-command tokens for path-like values
+        for (let i = cmdIdx + 1; i < segment.length; i++) {
+            const token = segment[i];
+            if (isPathLikeToken(token)) {
+                paths.push(resolvePath(token, baseCwd));
+            }
+        }
+    }
+    // Deduplicate
+    return [...new Set(paths)];
+}
+/**
+ * Resolve a token to an absolute path, expanding ~ and relative paths.
+ */
+function resolvePath(token, cwd) {
+    if (token.startsWith('~/') || token === '~') {
+        return resolve(homedir(), token.slice(2) || '.');
+    }
+    return resolve(cwd, token);
+}
+// --- Validation ---
+/**
+ * Validate that all file paths in a bash command are within allowedPaths.
+ * Returns null if all paths are valid, or an error message string if any are outside.
+ */
+export function validateBashPaths(command, cwd, allowedPaths) {
+    // If no allowedPaths configured, skip validation (permissive mode)
+    if (!allowedPaths || allowedPaths.length === 0)
+        return null;
+    const paths = extractPathsFromCommand(command, cwd);
+    const blocked = [];
+    for (const p of paths) {
+        if (!isPathAllowed(p, allowedPaths)) {
+            blocked.push(p);
+        }
+    }
+    if (blocked.length === 0)
+        return null;
+    return `Error: Command references paths outside allowed directories: ${blocked.join(', ')}`;
+}

package/dist/tools/bash-tool.js

@@ -2,6 +2,23 @@ import { exec } from 'child_process';
 import { isBashCommandSafe } from '../security.js';
 import { classifyCommandRisk, requiresApproval, createApprovalRequest, waitForApproval, } from '../exec-approval.js';
 import { isPathAllowed } from './path-utils.js';
+import { validateBashPaths } from './bash-path-validation.js';
+/** Env var name patterns that should never be exposed to model-executed commands. */
+const SENSITIVE_ENV_PATTERNS = [
+    /api.?key/i, /token/i, /secret/i, /password/i, /credential/i,
+    /^ANTHROPIC_/i, /^OPENAI_/i, /^CLAUDE/i, /^CODEX_/i, /^MINIMAX_/i,
+    /^KIMI_/i, /^TOGETHER_/i, /^GROQ_/i, /^OPENROUTER_/i,
+];
+/** Create a sanitized copy of process.env with secrets stripped. */
+function sanitizeEnv() {
+    const env = { ...process.env };
+    for (const key of Object.keys(env)) {
+        if (SENSITIVE_ENV_PATTERNS.some(p => p.test(key))) {
+            delete env[key];
+        }
+    }
+    return env;
+}
 export async function executeBash(command, cwd, config, context) {
     // Hard block: existing safety filter (always enforced)
     if (!isBashCommandSafe(command)) {
@@ -10,6 +27,11 @@ export async function executeBash(command, cwd, config, context) {
     if (cwd && !isPathAllowed(cwd, config.allowedPaths)) {
         return Promise.resolve('Error: Working directory not in allowed paths.');
     }
+    // Validate file paths referenced in command arguments
+    const pathError = validateBashPaths(command, cwd, config.allowedPaths);
+    if (pathError) {
+        return Promise.resolve(pathError);
+    }
     // Exec approval gate: classify risk and check if approval is needed
     const approvalConfig = config.execApproval;
     if (approvalConfig?.enabled !== false) {
@@ -44,7 +66,7 @@ export async function executeBash(command, cwd, config, context) {
         exec(command, {
             cwd: cwd || undefined,
             timeout,
-            env: { ...process.env },
+            env: sanitizeEnv(),
             maxBuffer: 5 * 1024 * 1024,
         }, (error, stdout, stderr) => {
             if (error) {

package/dist/tools/definitions.d.ts

@@ -328,13 +328,6 @@ export declare const SPAWN_SUBAGENT_TOOL: {
                 type: string;
                 description: string;
             };
-            allowedPaths: {
-                type: string;
-                items: {
-                    type: string;
-                };
-                description: string;
-            };
         };
         required: string[];
     };

package/dist/tools/definitions.js

@@ -126,11 +126,6 @@ export const SPAWN_SUBAGENT_TOOL = {
             },
             model: { type: 'string', description: 'Optional model override (e.g. claude-opus, claude-think)' },
             label: { type: 'string', description: 'Short label for status display (e.g. "write tests", "check logs")' },
-            allowedPaths: {
-                type: 'array',
-                items: { type: 'string' },
-                description: 'Additional file paths the subagent can access beyond defaults',
-            },
         },
         required: ['task', 'type'],
     },

package/dist/tools/execute-context.d.ts

@@ -23,4 +23,8 @@ export interface ExecuteToolContext {
     trigger?: string;
     /** Agent ID for usage tracking */
     agentId?: string;
+    /** Sandbox configuration for containerized tool execution */
+    sandboxConfig?: import('../types.js').SandboxConfig;
+    /** Session ID for sandbox container mapping */
+    sessionId?: string;
 }

package/dist/tools/path-utils.js

@@ -1,8 +1,22 @@
 import { resolve, sep } from 'path';
+import { realpathSync } from 'fs';
+/**
+ * Resolve a path to its real location, following symlinks.
+ * Falls back to path.resolve() if the path doesn't exist yet (e.g. for writes).
+ */
+function safeRealpath(filePath) {
+    try {
+        return realpathSync(filePath);
+    }
+    catch {
+        // Path doesn't exist yet — resolve logically (normalizes .. but can't follow symlinks)
+        return resolve(filePath);
+    }
+}
 export function isPathAllowed(filePath, allowedPaths) {
-    const resolved = resolve(filePath);
+    const resolved = safeRealpath(filePath);
     return allowedPaths.some((allowed) => {
-        const allowedRoot = resolve(allowed);
+        const allowedRoot = safeRealpath(allowed);
         return resolved === allowedRoot || resolved.startsWith(`${allowedRoot}${sep}`);
     });
 }

package/dist/tools.js

@@ -6,6 +6,8 @@ import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER
 import { executeReadFile, executeWriteFileLocked, executeListDirectory } from './tools/file-tools.js';
 import { executeBash } from './tools/bash-tool.js';
 import { executeBrowser, cleanupBrowser } from './tools/browser-tool.js';
+import { ensureContainer, SANDBOX_DEFAULTS, translatePath, validateMountPaths } from './sandbox/index.js';
+import { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob } from './sandbox/index.js';
 // Re-export from code-agents module for backward compatibility
 export { 
 // Registry functions
@@ -240,7 +242,23 @@ async function executeWebSearch(query) {
 export async function executeTool(name, input, config, context) {
     try {
         // Route MCP tools BEFORE normalization to preserve server/tool name casing
+        // NOTE: MCP servers run as external processes with full host access.
+        // We validate path-like arguments as a best-effort check, but MCP servers
+        // are a trusted boundary — only configure servers you trust.
         if (name.startsWith('mcp__')) {
+            if (config.allowedPaths?.length) {
+                const { isPathAllowed } = await import('./tools/path-utils.js');
+                for (const [key, value] of Object.entries(input)) {
+                    if (typeof value === 'string' && (value.startsWith('/') || value.startsWith('~/') || value.startsWith('./'))) {
+                        const { resolve } = await import('path');
+                        const { homedir } = await import('os');
+                        const resolved = value.startsWith('~/') ? resolve(homedir(), value.slice(2)) : resolve(value);
+                        if (!isPathAllowed(resolved, config.allowedPaths)) {
+                            return `Error: MCP tool argument "${key}" references path outside allowed directories: ${value}`;
+                        }
+                    }
+                }
+            }
             return await executeMcpToolGeneric(name, input);
         }
         // Route spawn_subagent
@@ -264,6 +282,69 @@ export async function executeTool(name, input, config, context) {
         }
         // Map Claude Code names to internal names for built-in tools
         const normalized = fromClaudeCodeName(name).toLowerCase().replace(/-/g, '_');
+        // --- Sandbox routing ---
+        const sandboxCfg = context?.sandboxConfig;
+        if (sandboxCfg?.enabled) {
+            const SANDBOXED_TOOLS = new Set(['bash', 'read_file', 'write_file', 'list_directory', 'glob']);
+            // macOS-only commands that must run on the host (not available in Linux containers)
+            const MACOS_HOST_COMMANDS = new Set([
+                'osascript', 'open', 'say', 'pbcopy', 'pbpaste', 'defaults',
+                'icalBuddy', 'shortcuts', 'caffeinate', 'networksetup', 'launchctl',
+                'security', 'xattr', 'ditto', 'hdiutil', 'diskutil', 'sw_vers',
+            ]);
+            const needsHost = normalized === 'bash' && input.command &&
+                MACOS_HOST_COMMANDS.has(input.command.trim().split(/[\s;|&]/)[0]);
+            if (SANDBOXED_TOOLS.has(normalized) && !needsHost) {
+                const sessionId = context?.sessionId || context?.chatId?.toString() || 'default';
+                const merged = { ...SANDBOX_DEFAULTS, ...sandboxCfg };
+                const containerName = await ensureContainer(sessionId, merged, config.allowedPaths);
+                const mounts = validateMountPaths(config.allowedPaths);
+                const tp = (p) => translatePath(p, mounts);
+                // Translate host paths in bash commands so they resolve inside the container
+                const translateBashPaths = (cmd) => {
+                    let translated = cmd;
+                    // Sort mounts by host path length descending to match most specific first
+                    const sorted = [...mounts].sort((a, b) => b.host.length - a.host.length);
+                    for (const mount of sorted) {
+                        translated = translated.replaceAll(mount.host, mount.container);
+                    }
+                    // Also translate ~ and $HOME references to /workspace/config
+                    const home = homedir();
+                    const homeMounts = sorted.filter(m => m.host.startsWith(home));
+                    for (const mount of homeMounts) {
+                        const tildeForm = '~' + mount.host.slice(home.length);
+                        translated = translated.replaceAll(tildeForm, mount.container);
+                        const envForm = '$HOME' + mount.host.slice(home.length);
+                        translated = translated.replaceAll(envForm, mount.container);
+                    }
+                    return translated;
+                };
+                // Reverse-translate container paths back to host paths in file content.
+                // Prevents the agent from writing /workspace/... paths into config files.
+                const reverseTranslatePaths = (content) => {
+                    let reversed = content;
+                    const sorted = [...mounts].sort((a, b) => b.container.length - a.container.length);
+                    for (const mount of sorted) {
+                        reversed = reversed.replaceAll(mount.container, mount.host);
+                    }
+                    return reversed;
+                };
+                switch (normalized) {
+                    case 'bash':
+                        return await sandboxBash(containerName, translateBashPaths(input.command), input.cwd ? tp(input.cwd) : undefined, config.bashTimeout);
+                    case 'read_file':
+                        return await sandboxReadFile(containerName, tp(input.file_path || input.path));
+                    case 'write_file':
+                        return await sandboxWriteFile(containerName, tp(input.file_path || input.path), reverseTranslatePaths(input.content));
+                    case 'list_directory':
+                        return await sandboxListDir(containerName, tp(input.path));
+                    case 'glob':
+                        return await sandboxGlob(containerName, tp(input.base || input.path || '/workspace'), input.pattern || '*');
+                    default:
+                        break; // fall through
+                }
+            }
+        }
         switch (normalized) {
             case '$web_search':
             case 'web_search':
@@ -300,7 +381,8 @@ async function executeSpawnSubagent(input, context) {
     const type = input.type;
     const model = input.model;
     const label = input.label;
-    const allowedPaths = input.allowedPaths;
+    // NOTE: allowedPaths deliberately NOT accepted from model input (security — prevents path escalation).
+    // Subagents inherit their preset's allowedPaths from config.
     if (!task || !type) {
         return 'Error: task and type are required';
     }
@@ -308,7 +390,7 @@ async function executeSpawnSubagent(input, context) {
         return `Error: Invalid type "${type}". Must be coding or research.`;
     }
     try {
-        const subagentTask = dispatchSubagent(type, task, context.chatId, context.fullConfig, model, context.history, { label, allowedPaths });
+        const subagentTask = dispatchSubagent(type, task, context.chatId, context.fullConfig, model, context.history, { label });
         const labelStr = label ? ` "${label}"` : '';
         return JSON.stringify({
             status: 'accepted',

package/dist/types.d.ts

@@ -79,6 +79,7 @@ export interface Config {
     /** Named project paths. Keys are short names (e.g. "skimpyclaw"), values are absolute paths.
      *  Project paths are automatically added to tool allowedPaths and available to code_with_agent by name. */
     projects?: Record<string, string>;
+    sandbox?: SandboxConfig;
 }
 export interface AgentConfig {
     identity: {
@@ -134,6 +135,15 @@ export interface CronPayload {
     tools?: ToolConfig;
     sendAsVoice?: boolean;
 }
+export interface SandboxConfig {
+    enabled: boolean;
+    runtime?: 'container' | 'docker';
+    image?: string;
+    cpus?: number;
+    memory?: string;
+    network?: string;
+    idleTimeoutMs?: number;
+}
 export interface ToolConfig {
     enabled: boolean;
     allowedPaths: string[];

package/dist/voice.js

@@ -191,7 +191,8 @@ function getSTTProvider(config) {
         if (!provider)
             return false;
         // macOS voice provider is TTS-only and must never be used for transcription.
-        if (name === 'macos')
+        const normalizedName = name.trim().toLowerCase();
+        if (normalizedName === 'macos')
             return false;
         return Boolean(provider.stt || provider.apiKey);
     };
@@ -275,6 +276,9 @@ export async function transcribeAudio(audioPath, config) {
     // No local whisper — try API provider directly
     const sttProvider = getSTTProvider(config);
     if (!sttProvider) {
+        if (config.providers?.macos) {
+            throw new Error('No voice transcription provider configured. "macos" is TTS-only. Install local whisper or configure an API STT provider (e.g. openai.stt).');
+        }
         throw new Error('No voice transcription available. Install whisper (pip install openai-whisper) or configure an API provider.');
     }
     return transcribeWithAPI(audioPath, sttProvider.name, sttProvider.provider);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skimpyclaw",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "Lightweight personal AI assistant with Telegram and Discord integration",
   "type": "module",
   "main": "dist/index.js",