skimpyclaw 0.1.9 → 0.2.0

package/dist/doctor/checks.js

@@ -341,6 +341,53 @@ export async function checkSkimpyclawDirWritable() {
         return fail(name, category, `Directory not writable: ${base}`, 'Fix permissions for ~/.skimpyclaw.');
     }
 }
+export async function checkSandboxAvailable(config) {
+    const name = 'sandbox_available';
+    const category = 'runtime';
+    if (!config.sandbox?.enabled) {
+        return ok(name, category, 'Sandbox disabled');
+    }
+    // Determine which runtime to check
+    const explicit = config.sandbox.runtime;
+    let rt = null;
+    if (explicit) {
+        const check = spawnSync(explicit, ['--version'], { encoding: 'utf-8' });
+        if (check.status !== 0) {
+            return fail(name, category, `${explicit} CLI not found`, `Install ${explicit} or change sandbox.runtime in config.`);
+        }
+        rt = explicit;
+    }
+    else {
+        // Auto-detect: prefer container, fall back to docker
+        const containerCheck = spawnSync('container', ['--version'], { encoding: 'utf-8' });
+        if (containerCheck.status === 0) {
+            rt = 'container';
+        }
+        else {
+            const dockerCheck = spawnSync('docker', ['--version'], { encoding: 'utf-8' });
+            if (dockerCheck.status === 0) {
+                rt = 'docker';
+            }
+        }
+        if (!rt) {
+            return fail(name, category, 'No container runtime found', 'Install Apple Containers or Docker, or disable sandbox in config.');
+        }
+    }
+    // For Apple Containers, check system is running
+    if (rt === 'container') {
+        const systemCheck = spawnSync('container', ['system', 'status'], { encoding: 'utf-8' });
+        if (systemCheck.status !== 0) {
+            return fail(name, category, 'Container system not running', 'Run "container system start" to start the container runtime.');
+        }
+    }
+    // Check if sandbox image exists
+    const image = config.sandbox.image || 'skimpyclaw-sandbox';
+    const imageCheck = spawnSync(rt, ['image', 'inspect', image], { encoding: 'utf-8' });
+    if (imageCheck.status !== 0) {
+        return fail(name, category, `Sandbox image "${image}" not found`, `Build it: ${rt} build -t ${image} sandbox/`);
+    }
+    return ok(name, category, `Runtime: ${rt}, image "${image}" available`);
+}
 export async function checkPortAvailability(port) {
     const name = 'gateway_port_available';
     const category = 'runtime';

package/dist/doctor/runner.js

@@ -1,5 +1,5 @@
 import { loadConfig } from '../config.js';
-import { checkNodeVersion, checkPackageManagerAvailable, checkTypeScriptCompile, checkConfigExistsAndValidJson, checkRequiredEnvVars, checkEnvVarPatterns, checkAllowedPathsWritable, checkProviderAuth, checkTelegramToken, checkDiscordToken, checkBrowserBinaryIfEnabled, checkVoiceDependencies, checkMcpConfig, checkGatewayHostBindable, checkSkimpyclawDirWritable, checkPortAvailability, } from './checks.js';
+import { checkNodeVersion, checkPackageManagerAvailable, checkTypeScriptCompile, checkConfigExistsAndValidJson, checkRequiredEnvVars, checkEnvVarPatterns, checkAllowedPathsWritable, checkProviderAuth, checkTelegramToken, checkDiscordToken, checkBrowserBinaryIfEnabled, checkVoiceDependencies, checkMcpConfig, checkGatewayHostBindable, checkSkimpyclawDirWritable, checkPortAvailability, checkSandboxAvailable, } from './checks.js';
 export function computeExitCode(report) {
     if (report.checks.some((check) => !check.ok && check.fatal)) {
         return 2;
@@ -104,6 +104,7 @@ export async function runDoctor() {
     checks.push(await runSafe('gateway_host_bindable', 'runtime', () => checkGatewayHostBindable(config.gateway.host ?? '127.0.0.1')));
     checks.push(await runSafe('skimpyclaw_dirs_writable', 'runtime', () => checkSkimpyclawDirWritable()));
     checks.push(await runSafe('gateway_port_available', 'runtime', () => checkPortAvailability(config.gateway.port)));
+    checks.push(await runSafe('sandbox_available', 'runtime', () => checkSandboxAvailable(config)));
     const report = buildReport(startedAt, checks);
     return { report, exitCode: report.exitCode };
 }

package/dist/exec-approval.d.ts

@@ -3,6 +3,10 @@ export interface RiskClassification {
     tier: RiskTier;
     reason: string;
 }
+export declare function tokenizeShellCommand(command: string): string[];
+export declare function getCommandSegments(command: string): string[][];
+export declare function getSegmentCommandIndex(segment: string[]): number;
+export declare function getExecutableName(token: string): string;
 /**
  * Classify the risk tier of a shell command.
  * Returns the highest-tier match found.

package/dist/exec-approval.js

@@ -1,7 +1,7 @@
 // Exec Approval Gate — risk classification and pending approval registry for Bash commands
 import { randomUUID } from 'crypto';
 import { EventEmitter } from 'events';
-function tokenizeShellCommand(command) {
+export function tokenizeShellCommand(command) {
     const tokens = [];
     let current = '';
     let quote = null;
@@ -71,7 +71,7 @@ function tokenizeShellCommand(command) {
 function isCommandSeparator(token) {
     return token === '&&' || token === '||' || token === '|' || token === ';';
 }
-function getCommandSegments(command) {
+export function getCommandSegments(command) {
     const tokens = tokenizeShellCommand(command);
     const segments = [];
     let start = 0;
@@ -135,14 +135,14 @@ function isGitForcePushSegment(segment) {
     }
     return false;
 }
-function getSegmentCommandIndex(segment) {
+export function getSegmentCommandIndex(segment) {
     let idx = 0;
     while (idx < segment.length && segment[idx].includes('=') && !segment[idx].startsWith('-')) {
         idx++;
     }
     return idx;
 }
-function getExecutableName(token) {
+export function getExecutableName(token) {
     const normalized = token.toLowerCase();
     const slash = normalized.lastIndexOf('/');
     return slash >= 0 ? normalized.slice(slash + 1) : normalized;

package/dist/gateway.js

@@ -3,6 +3,7 @@ import Fastify from 'fastify';
 import { existsSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { join } from 'path';
+import { timingSafeEqual } from 'crypto';
 import { runAgentTurn } from './agent.js';
 import { getCronJobs, runCronJob } from './cron.js';
 import { registerDashboardAPI } from './api.js';
@@ -32,6 +33,15 @@ export async function createGateway(cfg) {
             level: 'info',
         },
     });
+    // Block cross-origin requests — deny all CORS preflight and tag responses
+    fastify.addHook('onRequest', async (request, reply) => {
+        if (request.method === 'OPTIONS') {
+            return reply.code(403).send({ error: 'CORS not allowed' });
+        }
+    });
+    fastify.addHook('onSend', async (_request, reply) => {
+        reply.header('Access-Control-Allow-Origin', 'null'); // deny all origins
+    });
     // Health check
     fastify.get('/health', async () => {
         return { status: 'ok', uptime: Date.now() - startTime.getTime() };
@@ -96,10 +106,31 @@ export async function createGateway(cfg) {
     fastify.post('/reload', async () => {
         return { status: 'ok', note: 'Restart required for config changes' };
     });
-    // Ensure dashboard token exists and print it
+    // Ensure dashboard token exists
     const dashboardToken = ensureDashboardToken(config);
-    console.log(`[dashboard] Access token: ${dashboardToken}`);
     console.log(`[dashboard] URL: http://localhost:${config.gateway.port}/dashboard`);
+    // Auth guard for gateway write endpoints (same token as dashboard)
+    const PROTECTED_ROUTES = new Set(['/message', '/model', '/reload']);
+    fastify.addHook('onRequest', async (request, reply) => {
+        const url = request.url;
+        // Protect write endpoints + cron trigger
+        if (!PROTECTED_ROUTES.has(url) && !url.startsWith('/cron/'))
+            return;
+        if (request.method === 'GET')
+            return; // GET /health, GET /status are fine
+        if (!dashboardToken)
+            return; // No token configured, allow access
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            return reply.code(401).send({ error: 'Unauthorized: Bearer token required' });
+        }
+        const provided = authHeader.slice(7);
+        const tokenBuf = Buffer.from(dashboardToken, 'utf8');
+        const providedBuf = Buffer.from(provided, 'utf8');
+        if (tokenBuf.length !== providedBuf.length || !timingSafeEqual(tokenBuf, providedBuf)) {
+            return reply.code(401).send({ error: 'Unauthorized: Invalid token' });
+        }
+    });
     // Register dashboard API routes (includes auth hook)
     registerDashboardAPI(fastify, config);
     // Register dashboard frontend (framework app)

package/dist/heartbeat.js

@@ -6,6 +6,7 @@
 import { join } from 'path';
 import { homedir } from 'os';
 import { runAgentTurn } from './agent.js';
+import { pruneIdle, SANDBOX_DEFAULTS } from './sandbox/index.js';
 import { getActiveChannelId, isActiveChannelSilenced, sendActiveChannelProactiveMessage, } from './channels.js';
 let heartbeatTimer = null;
 let running = false;
@@ -78,6 +79,8 @@ export function stopHeartbeat() {
     }
 }
 export async function runHeartbeatCheck(config) {
+    // Prune idle sandbox containers
+    pruneIdle(config.sandbox?.idleTimeoutMs ?? SANDBOX_DEFAULTS.idleTimeoutMs ?? 3_600_000).catch(() => { });
     if (running) {
         console.log('[heartbeat] Skipping — previous check still running');
         return 'Skipped — previous check still running';

package/dist/providers/openai.js

@@ -33,7 +33,7 @@ function recordOpenAIUsage(params) {
     let inputTokens = typeof usage?.prompt_tokens === 'number'
         ? usage.prompt_tokens
         : (typeof usage?.input_tokens === 'number' ? usage.input_tokens : 0);
-    let outputTokens = typeof usage?.completion_tokens === 'number'
+    const outputTokens = typeof usage?.completion_tokens === 'number'
         ? usage.completion_tokens
         : (typeof usage?.output_tokens === 'number' ? usage.output_tokens : 0);
     // Some OpenAI-compatible providers only return total_tokens.

package/dist/sandbox/bridge.d.ts

@@ -0,0 +1,5 @@
+export declare function sandboxBash(containerName: string, command: string, cwd?: string, timeout?: number): Promise<string>;
+export declare function sandboxReadFile(containerName: string, path: string): Promise<string>;
+export declare function sandboxWriteFile(containerName: string, path: string, content: string): Promise<string>;
+export declare function sandboxListDir(containerName: string, path: string): Promise<string>;
+export declare function sandboxGlob(containerName: string, base: string, pattern: string): Promise<string>;

package/dist/sandbox/bridge.js

@@ -0,0 +1,63 @@
+import { execInContainer } from './runtime.js';
+const MAX_BASH_OUTPUT = 50 * 1024; // 50KB
+const MAX_READ_OUTPUT = 100 * 1024; // 100KB
+function truncate(s, maxBytes) {
+    if (Buffer.byteLength(s) <= maxBytes)
+        return s;
+    const truncated = Buffer.from(s).subarray(0, maxBytes).toString('utf-8');
+    return truncated + '\n... (output truncated)';
+}
+/**
+ * Shell-escape a string for use inside sh -c '...'
+ * NOTE: execInContainer already wraps in sh -c, so callers pass
+ * args as individual tokens. The runtime joins them with spaces
+ * and does basic single-quote escaping. For bash commands we pass
+ * the whole command as a single arg string.
+ */
+function shellEscape(s) {
+    return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+export async function sandboxBash(containerName, command, cwd, timeout) {
+    // Pass the full command as a single string so sh -c runs it verbatim
+    const shellCmd = cwd
+        ? `cd ${shellEscape(cwd)} && ${command}`
+        : command;
+    const result = await execInContainer(containerName, [shellCmd], { timeout: timeout ?? 30_000 });
+    let output = [result.stdout, result.stderr].filter(Boolean).join('\n');
+    output = truncate(output, MAX_BASH_OUTPUT);
+    if (result.exitCode !== 0) {
+        output += `\n[exit code: ${result.exitCode}]`;
+    }
+    return output || '(no output)';
+}
+export async function sandboxReadFile(containerName, path) {
+    // Pass as a single command string to avoid double-escaping
+    const result = await execInContainer(containerName, [`cat -- ${shellEscape(path)}`]);
+    if (result.exitCode !== 0) {
+        throw new Error(`Failed to read ${path}: ${result.stderr}`);
+    }
+    return truncate(result.stdout, MAX_READ_OUTPUT);
+}
+export async function sandboxWriteFile(containerName, path, content) {
+    // mkdir -p for parent dir, then write via stdin
+    const result = await execInContainer(containerName, [`mkdir -p $(dirname ${shellEscape(path)}) && cat > ${shellEscape(path)}`], { stdin: content });
+    if (result.exitCode !== 0) {
+        throw new Error(`Failed to write ${path}: ${result.stderr}`);
+    }
+    const bytes = Buffer.byteLength(content);
+    return `Written: ${path} (${bytes} bytes)`;
+}
+export async function sandboxListDir(containerName, path) {
+    const result = await execInContainer(containerName, [`ls -la ${shellEscape(path)}`]);
+    if (result.exitCode !== 0) {
+        throw new Error(`Failed to list ${path}: ${result.stderr}`);
+    }
+    return result.stdout;
+}
+export async function sandboxGlob(containerName, base, pattern) {
+    const result = await execInContainer(containerName, [`find ${shellEscape(base)} -name ${shellEscape(pattern)} -maxdepth 10 -type f`]);
+    if (result.exitCode !== 0) {
+        throw new Error(`Failed to glob ${base}/${pattern}: ${result.stderr}`);
+    }
+    return result.stdout;
+}

package/dist/sandbox/index.d.ts

@@ -0,0 +1,5 @@
+export { createContainer, execInContainer, removeContainer, isContainerRunning, cleanupOrphans, setRuntime, getRuntime, resetRuntime } from './runtime.js';
+export type { ContainerOpts, ExecOpts, ExecResult } from './runtime.js';
+export { ensureContainer, releaseContainer, pruneIdle, releaseAll, SANDBOX_DEFAULTS } from './manager.js';
+export { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob } from './bridge.js';
+export { validateMountPaths, isBlockedPath, translatePath } from './mount-security.js';

package/dist/sandbox/index.js

@@ -0,0 +1,4 @@
+export { createContainer, execInContainer, removeContainer, isContainerRunning, cleanupOrphans, setRuntime, getRuntime, resetRuntime } from './runtime.js';
+export { ensureContainer, releaseContainer, pruneIdle, releaseAll, SANDBOX_DEFAULTS } from './manager.js';
+export { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob } from './bridge.js';
+export { validateMountPaths, isBlockedPath, translatePath } from './mount-security.js';

package/dist/sandbox/manager.d.ts

@@ -0,0 +1,7 @@
+import type { SandboxConfig } from '../types.js';
+export declare const SANDBOX_DEFAULTS: SandboxConfig;
+export declare function ensureContainer(sessionId: string, config: SandboxConfig, allowedPaths: string[]): Promise<string>;
+export declare function releaseContainer(sessionId: string): Promise<void>;
+export declare function pruneIdle(maxIdleMs: number): Promise<number>;
+export declare function releaseAll(): Promise<void>;
+export declare function resetForTesting(): void;

package/dist/sandbox/manager.js

@@ -0,0 +1,89 @@
+import { createContainer, removeContainer, isContainerRunning } from './runtime.js';
+import { validateMountPaths } from './mount-security.js';
+export const SANDBOX_DEFAULTS = {
+    enabled: false,
+    image: 'skimpyclaw-sandbox',
+    cpus: 2,
+    memory: '2G',
+    network: 'bridge',
+    idleTimeoutMs: 3_600_000,
+};
+const activeContainers = new Map();
+export async function ensureContainer(sessionId, config, allowedPaths) {
+    const name = `skimpyclaw-sbx-${sessionId}`;
+    const existing = activeContainers.get(sessionId);
+    if (existing) {
+        const running = await isContainerRunning(existing.name);
+        if (running) {
+            existing.lastUsed = Date.now();
+            return existing.name;
+        }
+        // Container died — remove from map, recreate
+        activeContainers.delete(sessionId);
+    }
+    // Process restarts clear in-memory state; adopt or clean an existing named
+    // container so a duplicate-name create does not fail.
+    const alreadyRunning = await isContainerRunning(name);
+    if (alreadyRunning) {
+        activeContainers.set(sessionId, {
+            name,
+            sessionId,
+            lastUsed: Date.now(),
+        });
+        return name;
+    }
+    // Best effort cleanup for stopped or half-created containers with same name.
+    await removeContainer(name);
+    const mounts = validateMountPaths(allowedPaths);
+    const uid = process.getuid?.() ?? 501;
+    const gid = process.getgid?.() ?? 20;
+    const merged = { ...SANDBOX_DEFAULTS, ...config };
+    const opts = {
+        image: merged.image,
+        cpus: merged.cpus,
+        memory: merged.memory,
+        network: merged.network,
+        mounts: mounts.map((m) => ({
+            host: m.host,
+            container: m.container,
+            readOnly: m.readOnly,
+        })),
+        user: `${uid}:${gid}`,
+    };
+    await createContainer(name, opts);
+    activeContainers.set(sessionId, {
+        name,
+        sessionId,
+        lastUsed: Date.now(),
+    });
+    return name;
+}
+export async function releaseContainer(sessionId) {
+    const entry = activeContainers.get(sessionId);
+    if (!entry)
+        return;
+    activeContainers.delete(sessionId);
+    await removeContainer(entry.name);
+}
+export async function pruneIdle(maxIdleMs) {
+    const now = Date.now();
+    let pruned = 0;
+    for (const [sessionId, entry] of activeContainers) {
+        if (now - entry.lastUsed > maxIdleMs) {
+            activeContainers.delete(sessionId);
+            await removeContainer(entry.name);
+            pruned++;
+        }
+    }
+    return pruned;
+}
+export async function releaseAll() {
+    const entries = Array.from(activeContainers.values());
+    activeContainers.clear();
+    for (const entry of entries) {
+        await removeContainer(entry.name);
+    }
+}
+export function resetForTesting() {
+    activeContainers.clear();
+}

package/dist/sandbox/mount-security.d.ts

@@ -0,0 +1,12 @@
+export interface MountSpec {
+    host: string;
+    container: string;
+    readOnly: boolean;
+}
+export declare function isBlockedPath(resolvedPath: string): boolean;
+export declare function validateMountPaths(allowedPaths: string[]): MountSpec[];
+/**
+ * Translate a host path to its container equivalent using mount specs.
+ * Returns the original path if no mount matches (will likely fail inside container).
+ */
+export declare function translatePath(hostPath: string, mounts: MountSpec[]): string;

package/dist/sandbox/mount-security.js

@@ -0,0 +1,118 @@
+import { realpathSync, existsSync } from 'fs';
+import { resolve, basename } from 'path';
+import { homedir } from 'os';
+const BLOCKED_PATTERNS = [
+    '.ssh',
+    '.gnupg',
+    '.gpg',
+    '.aws',
+    '.azure',
+    '.gcloud',
+    'credentials',
+    '.env',
+    '.npmrc',
+    '.pypirc',
+    '.docker/config.json',
+    '.kube',
+];
+export function isBlockedPath(resolvedPath) {
+    const segments = resolvedPath.split('/');
+    for (const segment of segments) {
+        if (BLOCKED_PATTERNS.includes(segment)) {
+            return true;
+        }
+    }
+    // Also check for compound patterns like .docker/config.json
+    for (const pattern of BLOCKED_PATTERNS) {
+        if (pattern.includes('/') && resolvedPath.includes(pattern)) {
+            return true;
+        }
+    }
+    return false;
+}
+export function validateMountPaths(allowedPaths) {
+    const home = homedir();
+    const mounts = [];
+    const usedBaseNames = new Map();
+    for (const rawPath of allowedPaths) {
+        const expanded = rawPath.startsWith('~')
+            ? resolve(home, rawPath.slice(2))
+            : resolve(rawPath);
+        let resolved;
+        try {
+            if (!existsSync(expanded)) {
+                continue; // Skip missing paths
+            }
+            resolved = realpathSync(expanded);
+        }
+        catch {
+            continue; // Skip paths that can't be resolved
+        }
+        if (isBlockedPath(resolved)) {
+            throw new Error(`Blocked path: ${resolved} matches security exclusion pattern`);
+        }
+        let base = basename(resolved);
+        const count = usedBaseNames.get(base) ?? 0;
+        usedBaseNames.set(base, count + 1);
+        if (count > 0) {
+            base = `${base}_${count}`;
+        }
+        mounts.push({
+            host: resolved,
+            container: `/workspace/${base}`,
+            readOnly: false,
+        });
+    }
+    // Always add ~/.skimpyclaw at /workspace/config
+    const skimpyclawDir = resolve(home, '.skimpyclaw');
+    if (existsSync(skimpyclawDir)) {
+        const resolved = realpathSync(skimpyclawDir);
+        // Only add if not already included
+        if (!mounts.some((m) => m.host === resolved)) {
+            mounts.push({
+                host: resolved,
+                container: '/workspace/config',
+                readOnly: false,
+            });
+        }
+    }
+    return mounts;
+}
+/**
+ * Translate a host path to its container equivalent using mount specs.
+ * Returns the original path if no mount matches (will likely fail inside container).
+ */
+export function translatePath(hostPath, mounts) {
+    const candidates = getPathCandidates(hostPath);
+    // Sort by host path length descending so we match the most specific mount first
+    const sorted = [...mounts].sort((a, b) => b.host.length - a.host.length);
+    for (const candidate of candidates) {
+        for (const mount of sorted) {
+            if (candidate === mount.host || candidate.startsWith(mount.host + '/')) {
+                const relative = candidate.slice(mount.host.length);
+                return mount.container + relative;
+            }
+        }
+    }
+    return hostPath;
+}
+function getPathCandidates(hostPath) {
+    const set = new Set();
+    const resolved = resolve(hostPath);
+    set.add(resolved);
+    try {
+        set.add(realpathSync(resolved));
+    }
+    catch {
+        // Path may not exist yet (e.g. write targets); keep resolved form.
+    }
+    for (const p of Array.from(set)) {
+        if (p.startsWith('/Users/')) {
+            set.add(`/System/Volumes/Data${p}`);
+        }
+        else if (p.startsWith('/System/Volumes/Data/Users/')) {
+            set.add(p.replace('/System/Volumes/Data', ''));
+        }
+    }
+    return Array.from(set);
+}

package/dist/sandbox/runtime.d.ts

@@ -0,0 +1,33 @@
+export interface ContainerOpts {
+    image: string;
+    cpus?: number;
+    memory?: string;
+    network?: string;
+    mounts?: Array<{
+        host: string;
+        container: string;
+        readOnly?: boolean;
+    }>;
+    user?: string;
+}
+export interface ExecOpts {
+    stdin?: string;
+    timeout?: number;
+    env?: Record<string, string>;
+}
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+/** Set the container runtime binary ('container' or 'docker'). */
+export declare function setRuntime(runtime: 'container' | 'docker'): void;
+/** Get the container runtime binary, auto-detecting if not explicitly set. */
+export declare function getRuntime(): string;
+/** Reset runtime detection (for testing). */
+export declare function resetRuntime(): void;
+export declare function createContainer(name: string, opts: ContainerOpts): Promise<void>;
+export declare function execInContainer(name: string, args: string[], opts?: ExecOpts): Promise<ExecResult>;
+export declare function removeContainer(name: string): Promise<void>;
+export declare function isContainerRunning(name: string): Promise<boolean>;
+export declare function cleanupOrphans(): Promise<number>;