skimpyclaw 0.1.9 → 0.2.0

package/dist/tools/bash-tool.js

@@ -2,6 +2,23 @@ import { exec } from 'child_process';
 import { isBashCommandSafe } from '../security.js';
 import { classifyCommandRisk, requiresApproval, createApprovalRequest, waitForApproval, } from '../exec-approval.js';
 import { isPathAllowed } from './path-utils.js';
+import { validateBashPaths } from './bash-path-validation.js';
+/** Env var name patterns that should never be exposed to model-executed commands. */
+const SENSITIVE_ENV_PATTERNS = [
+    /api.?key/i, /token/i, /secret/i, /password/i, /credential/i,
+    /^ANTHROPIC_/i, /^OPENAI_/i, /^CLAUDE/i, /^CODEX_/i, /^MINIMAX_/i,
+    /^KIMI_/i, /^TOGETHER_/i, /^GROQ_/i, /^OPENROUTER_/i,
+];
+/** Create a sanitized copy of process.env with secrets stripped. */
+function sanitizeEnv() {
+    const env = { ...process.env };
+    for (const key of Object.keys(env)) {
+        if (SENSITIVE_ENV_PATTERNS.some(p => p.test(key))) {
+            delete env[key];
+        }
+    }
+    return env;
+}
 export async function executeBash(command, cwd, config, context) {
     // Hard block: existing safety filter (always enforced)
     if (!isBashCommandSafe(command)) {
@@ -10,6 +27,11 @@ export async function executeBash(command, cwd, config, context) {
     if (cwd && !isPathAllowed(cwd, config.allowedPaths)) {
         return Promise.resolve('Error: Working directory not in allowed paths.');
     }
+    // Validate file paths referenced in command arguments
+    const pathError = validateBashPaths(command, cwd, config.allowedPaths);
+    if (pathError) {
+        return Promise.resolve(pathError);
+    }
     // Exec approval gate: classify risk and check if approval is needed
     const approvalConfig = config.execApproval;
     if (approvalConfig?.enabled !== false) {
@@ -44,7 +66,7 @@ export async function executeBash(command, cwd, config, context) {
         exec(command, {
             cwd: cwd || undefined,
             timeout,
-            env: { ...process.env },
+            env: sanitizeEnv(),
             maxBuffer: 5 * 1024 * 1024,
         }, (error, stdout, stderr) => {
             if (error) {

package/dist/tools/definitions.d.ts

@@ -328,13 +328,6 @@ export declare const SPAWN_SUBAGENT_TOOL: {
                 type: string;
                 description: string;
             };
-            allowedPaths: {
-                type: string;
-                items: {
-                    type: string;
-                };
-                description: string;
-            };
         };
         required: string[];
     };

package/dist/tools/definitions.js

@@ -126,11 +126,6 @@ export const SPAWN_SUBAGENT_TOOL = {
             },
             model: { type: 'string', description: 'Optional model override (e.g. claude-opus, claude-think)' },
             label: { type: 'string', description: 'Short label for status display (e.g. "write tests", "check logs")' },
-            allowedPaths: {
-                type: 'array',
-                items: { type: 'string' },
-                description: 'Additional file paths the subagent can access beyond defaults',
-            },
         },
         required: ['task', 'type'],
     },

package/dist/tools/execute-context.d.ts

@@ -23,4 +23,8 @@ export interface ExecuteToolContext {
     trigger?: string;
     /** Agent ID for usage tracking */
     agentId?: string;
+    /** Sandbox configuration for containerized tool execution */
+    sandboxConfig?: import('../types.js').SandboxConfig;
+    /** Session ID for sandbox container mapping */
+    sessionId?: string;
 }

package/dist/tools/path-utils.js

@@ -1,8 +1,22 @@
 import { resolve, sep } from 'path';
+import { realpathSync } from 'fs';
+/**
+ * Resolve a path to its real location, following symlinks.
+ * Falls back to path.resolve() if the path doesn't exist yet (e.g. for writes).
+ */
+function safeRealpath(filePath) {
+    try {
+        return realpathSync(filePath);
+    }
+    catch {
+        // Path doesn't exist yet — resolve logically (normalizes .. but can't follow symlinks)
+        return resolve(filePath);
+    }
+}
 export function isPathAllowed(filePath, allowedPaths) {
-    const resolved = resolve(filePath);
+    const resolved = safeRealpath(filePath);
     return allowedPaths.some((allowed) => {
-        const allowedRoot = resolve(allowed);
+        const allowedRoot = safeRealpath(allowed);
         return resolved === allowedRoot || resolved.startsWith(`${allowedRoot}${sep}`);
     });
 }

package/dist/tools.js

@@ -6,6 +6,8 @@ import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER
 import { executeReadFile, executeWriteFileLocked, executeListDirectory } from './tools/file-tools.js';
 import { executeBash } from './tools/bash-tool.js';
 import { executeBrowser, cleanupBrowser } from './tools/browser-tool.js';
+import { ensureContainer, SANDBOX_DEFAULTS, translatePath, validateMountPaths } from './sandbox/index.js';
+import { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob } from './sandbox/index.js';
 // Re-export from code-agents module for backward compatibility
 export { 
 // Registry functions
@@ -240,7 +242,23 @@ async function executeWebSearch(query) {
 export async function executeTool(name, input, config, context) {
     try {
         // Route MCP tools BEFORE normalization to preserve server/tool name casing
+        // NOTE: MCP servers run as external processes with full host access.
+        // We validate path-like arguments as a best-effort check, but MCP servers
+        // are a trusted boundary — only configure servers you trust.
         if (name.startsWith('mcp__')) {
+            if (config.allowedPaths?.length) {
+                const { isPathAllowed } = await import('./tools/path-utils.js');
+                for (const [key, value] of Object.entries(input)) {
+                    if (typeof value === 'string' && (value.startsWith('/') || value.startsWith('~/') || value.startsWith('./'))) {
+                        const { resolve } = await import('path');
+                        const { homedir } = await import('os');
+                        const resolved = value.startsWith('~/') ? resolve(homedir(), value.slice(2)) : resolve(value);
+                        if (!isPathAllowed(resolved, config.allowedPaths)) {
+                            return `Error: MCP tool argument "${key}" references path outside allowed directories: ${value}`;
+                        }
+                    }
+                }
+            }
             return await executeMcpToolGeneric(name, input);
         }
         // Route spawn_subagent
@@ -264,6 +282,69 @@ export async function executeTool(name, input, config, context) {
         }
         // Map Claude Code names to internal names for built-in tools
         const normalized = fromClaudeCodeName(name).toLowerCase().replace(/-/g, '_');
+        // --- Sandbox routing ---
+        const sandboxCfg = context?.sandboxConfig;
+        if (sandboxCfg?.enabled) {
+            const SANDBOXED_TOOLS = new Set(['bash', 'read_file', 'write_file', 'list_directory', 'glob']);
+            // macOS-only commands that must run on the host (not available in Linux containers)
+            const MACOS_HOST_COMMANDS = new Set([
+                'osascript', 'open', 'say', 'pbcopy', 'pbpaste', 'defaults',
+                'icalBuddy', 'shortcuts', 'caffeinate', 'networksetup', 'launchctl',
+                'security', 'xattr', 'ditto', 'hdiutil', 'diskutil', 'sw_vers',
+            ]);
+            const needsHost = normalized === 'bash' && input.command &&
+                MACOS_HOST_COMMANDS.has(input.command.trim().split(/[\s;|&]/)[0]);
+            if (SANDBOXED_TOOLS.has(normalized) && !needsHost) {
+                const sessionId = context?.sessionId || context?.chatId?.toString() || 'default';
+                const merged = { ...SANDBOX_DEFAULTS, ...sandboxCfg };
+                const containerName = await ensureContainer(sessionId, merged, config.allowedPaths);
+                const mounts = validateMountPaths(config.allowedPaths);
+                const tp = (p) => translatePath(p, mounts);
+                // Translate host paths in bash commands so they resolve inside the container
+                const translateBashPaths = (cmd) => {
+                    let translated = cmd;
+                    // Sort mounts by host path length descending to match most specific first
+                    const sorted = [...mounts].sort((a, b) => b.host.length - a.host.length);
+                    for (const mount of sorted) {
+                        translated = translated.replaceAll(mount.host, mount.container);
+                    }
+                    // Also translate ~ and $HOME references to /workspace/config
+                    const home = homedir();
+                    const homeMounts = sorted.filter(m => m.host.startsWith(home));
+                    for (const mount of homeMounts) {
+                        const tildeForm = '~' + mount.host.slice(home.length);
+                        translated = translated.replaceAll(tildeForm, mount.container);
+                        const envForm = '$HOME' + mount.host.slice(home.length);
+                        translated = translated.replaceAll(envForm, mount.container);
+                    }
+                    return translated;
+                };
+                // Reverse-translate container paths back to host paths in file content.
+                // Prevents the agent from writing /workspace/... paths into config files.
+                const reverseTranslatePaths = (content) => {
+                    let reversed = content;
+                    const sorted = [...mounts].sort((a, b) => b.container.length - a.container.length);
+                    for (const mount of sorted) {
+                        reversed = reversed.replaceAll(mount.container, mount.host);
+                    }
+                    return reversed;
+                };
+                switch (normalized) {
+                    case 'bash':
+                        return await sandboxBash(containerName, translateBashPaths(input.command), input.cwd ? tp(input.cwd) : undefined, config.bashTimeout);
+                    case 'read_file':
+                        return await sandboxReadFile(containerName, tp(input.file_path || input.path));
+                    case 'write_file':
+                        return await sandboxWriteFile(containerName, tp(input.file_path || input.path), reverseTranslatePaths(input.content));
+                    case 'list_directory':
+                        return await sandboxListDir(containerName, tp(input.path));
+                    case 'glob':
+                        return await sandboxGlob(containerName, tp(input.base || input.path || '/workspace'), input.pattern || '*');
+                    default:
+                        break; // fall through
+                }
+            }
+        }
         switch (normalized) {
             case '$web_search':
             case 'web_search':
@@ -300,7 +381,8 @@ async function executeSpawnSubagent(input, context) {
     const type = input.type;
     const model = input.model;
     const label = input.label;
-    const allowedPaths = input.allowedPaths;
+    // NOTE: allowedPaths deliberately NOT accepted from model input (security — prevents path escalation).
+    // Subagents inherit their preset's allowedPaths from config.
     if (!task || !type) {
         return 'Error: task and type are required';
     }
@@ -308,7 +390,7 @@ async function executeSpawnSubagent(input, context) {
         return `Error: Invalid type "${type}". Must be coding or research.`;
     }
     try {
-        const subagentTask = dispatchSubagent(type, task, context.chatId, context.fullConfig, model, context.history, { label, allowedPaths });
+        const subagentTask = dispatchSubagent(type, task, context.chatId, context.fullConfig, model, context.history, { label });
         const labelStr = label ? ` "${label}"` : '';
         return JSON.stringify({
             status: 'accepted',

package/dist/types.d.ts

@@ -79,6 +79,7 @@ export interface Config {
     /** Named project paths. Keys are short names (e.g. "skimpyclaw"), values are absolute paths.
      *  Project paths are automatically added to tool allowedPaths and available to code_with_agent by name. */
     projects?: Record<string, string>;
+    sandbox?: SandboxConfig;
 }
 export interface AgentConfig {
     identity: {
@@ -134,6 +135,15 @@ export interface CronPayload {
     tools?: ToolConfig;
     sendAsVoice?: boolean;
 }
+export interface SandboxConfig {
+    enabled: boolean;
+    runtime?: 'container' | 'docker';
+    image?: string;
+    cpus?: number;
+    memory?: string;
+    network?: string;
+    idleTimeoutMs?: number;
+}
 export interface ToolConfig {
     enabled: boolean;
     allowedPaths: string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skimpyclaw",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "Lightweight personal AI assistant with Telegram and Discord integration",
   "type": "module",
   "main": "dist/index.js",