skimpyclaw 0.3.14 → 0.4.0

package/dist/tools/definitions.js

@@ -5,7 +5,6 @@ const TOOL_NAME_MAP = {
     'Write': 'write_file',
     'Glob': 'list_directory',
     'Bash': 'bash',
-    'Browser': 'browser',
 };
 // Reverse map: internal name -> Claude Code name
 const INTERNAL_TO_CC = Object.fromEntries(Object.entries(TOOL_NAME_MAP).map(([cc, internal]) => [internal, cc]));
@@ -21,156 +20,104 @@ export function toClaudeCodeName(name) {
 export const BUILTIN_TOOL_DEFINITIONS = [
     {
         name: 'Read',
-        description: 'Read the contents of a file at the given absolute path.',
-        input_schema: {
-            type: 'object',
-            properties: {
-                file_path: { type: 'string', description: 'Absolute path to the file to read' },
-            },
-            required: ['file_path'],
-        },
+        input_schema: { type: 'object', properties: { path: {} } },
     },
     {
         name: 'Write',
-        description: 'Write content to a file. Creates parent directories if needed. Overwrites existing files.',
-        input_schema: {
-            type: 'object',
-            properties: {
-                file_path: { type: 'string', description: 'Absolute path to the file to write' },
-                content: { type: 'string', description: 'Content to write to the file' },
-            },
-            required: ['file_path', 'content'],
-        },
+        input_schema: { type: 'object', properties: { path: {}, content: {} }, required: ['path', 'content'] },
     },
     {
         name: 'Glob',
-        description: 'List files and directories at the given path. Returns name, type (file/dir), and size.',
-        input_schema: {
-            type: 'object',
-            properties: {
-                path: { type: 'string', description: 'Absolute path to the directory to list' },
-            },
-            required: ['path'],
-        },
+        input_schema: { type: 'object', properties: { pattern: {} } },
     },
     {
         name: 'Bash',
-        description: 'Execute a shell command and return stdout/stderr. Use for CLI tools like gh, icalBuddy, date, etc.',
-        input_schema: {
-            type: 'object',
-            properties: {
-                command: { type: 'string', description: 'Shell command to execute' },
-                cwd: { type: 'string', description: 'Working directory (optional)' },
-            },
-            required: ['command'],
-        },
+        input_schema: { type: 'object', properties: { cmd: {} } },
     },
 ];
-export const BROWSER_TOOL_DEFINITION = {
-    name: 'Browser',
-    description: `Control a browser via Playwright. Actions (case-insensitive):
-- open: Navigate to URL. Required: url
-- click: Click element. Required: selector
-- type: Fill input. Required: selector, text
-- select: Pick dropdown option. Required: selector, text (value)
-- hover: Hover element. Required: selector
-- scroll: Scroll page. Optional: selector (scrollIntoView), direction (up/down), amount (pixels)
-- waitFor: Wait for element/text. Required: selector OR text
-- evaluate: Run JavaScript in page. Required: script. Returns JSON result.
-- getText: Get visible text. Optional: selector (defaults to full page body text)
-- screenshot: Capture page. Optional: file_path
-- wait: Delay. Required: timeMs
-- close: Close browser`,
-    input_schema: {
-        type: 'object',
-        properties: {
-            action: { type: 'string', description: 'Action to perform (see description)' },
-            type: { type: 'string', description: 'Browser type: chromium | firefox | webkit (optional, config default)' },
-            url: { type: 'string', description: 'URL to open (open action)' },
-            selector: { type: 'string', description: 'CSS selector (click/type/waitFor/getText/scroll/select/hover)' },
-            text: { type: 'string', description: 'Text to type, wait for, or select value (type/waitFor/select)' },
-            script: { type: 'string', description: 'JavaScript code to evaluate in page (evaluate action)' },
-            direction: { type: 'string', description: 'Scroll direction: up or down (scroll action, default: down)' },
-            amount: { type: 'number', description: 'Pixels to scroll (scroll action, default: one viewport height)' },
-            file_path: { type: 'string', description: 'Absolute path to save screenshot (optional)' },
-            timeoutMs: { type: 'number', description: 'Timeout in ms (optional)' },
-            timeMs: { type: 'number', description: 'Time to wait in ms (wait action)' },
-            headless: { type: 'boolean', description: 'Override headless for open (optional)' },
-            slowMoMs: { type: 'number', description: 'Slow motion delay per action (ms) (optional)' },
-            userAgent: { type: 'string', description: 'Override user agent (optional)' },
-            viewport: {
-                type: 'object',
-                properties: {
-                    width: { type: 'number' },
-                    height: { type: 'number' },
-                },
-            },
-            // executablePath and profileDir are config-only for security (no model overrides)
-        },
-        required: ['action'],
-    },
-};
 export const FETCH_TOOL_DEFINITION = {
     name: 'Fetch',
-    description: 'Make an HTTP request and return the response. HTML is auto-converted to plain text. Use for APIs, web search (e.g. https://duckduckgo.com/html/?q=your+query), or fetching page content. Prefer over Browser for simple requests.',
-    input_schema: {
-        type: 'object',
-        properties: {
-            url: { type: 'string', description: 'URL to fetch' },
-            method: { type: 'string', description: 'HTTP method (GET, POST, PUT, DELETE, PATCH). Default: GET' },
-            headers: {
-                type: 'object',
-                description: 'Request headers (e.g. {"Authorization": "Bearer ..."})',
-                additionalProperties: { type: 'string' },
-            },
-            body: { type: 'string', description: 'Request body (for POST/PUT/PATCH)' },
-        },
-        required: ['url'],
-    },
+    input_schema: { type: 'object', properties: { url: {} } },
 };
-// Legacy export for backward compat — static list (built-ins + browser + no MCP)
-export const TOOL_DEFINITIONS = [...BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, FETCH_TOOL_DEFINITION];
+// Legacy export for backward compat — static list (built-ins + fetch + no MCP)
+export const TOOL_DEFINITIONS = [...BUILTIN_TOOL_DEFINITIONS, FETCH_TOOL_DEFINITION];
 export const CODE_WITH_AGENT_TOOL = {
     name: 'code_with_agent',
-    description: 'Delegate a coding task to a coding agent CLI (Claude Code or Codex). The agent will edit files, run commands, and return results. Always use this for code changes instead of writing code directly.',
-    input_schema: {
-        type: 'object',
-        properties: {
-            task: { type: 'string', description: 'Detailed coding task. Be specific: what to change, why, which files, expected behavior.' },
-            agent: { type: 'string', enum: ['claude', 'codex', 'kimi'], description: 'Which coding CLI to use. Omit to use configured default.' },
-            workdir: { type: 'string', description: 'Working directory (default: SkimpyClaw repo root)' },
-            model: { type: 'string', description: 'Model override (e.g. opus, gpt-5.3-codex)' },
-            max_turns: { type: 'number', description: 'Max agentic turns, Claude only (default: 30)' },
-            timeout_minutes: { type: 'number', description: 'Timeout in minutes (default: 10, max: 30)' },
-            validate: { type: 'boolean', description: 'Run build && test after completion using the auto-detected package manager (default: true)' },
-        },
-        required: ['task'],
-    },
-};
-export const CODE_WITH_TEAM_TOOL = {
-    name: 'code_with_team',
-    description: 'Decompose a complex task into subtasks and run multiple code_with_agent instances in parallel. SkimpyClaw manages coordination: decomposes the task, spawns N parallel agents, monitors progress, synthesizes results, and validates. Use for multi-file refactors, cross-layer changes, or tasks with independent subtasks.',
     input_schema: {
         type: 'object',
         properties: {
-            task: { type: 'string', description: 'Detailed task description. Be specific: what to change, why, which files, expected behavior.' },
-            team_size: { type: 'number', description: 'Number of parallel agents (2-5, default 3)' },
-            workdir: { type: 'string', description: 'Working directory or project name (default: SkimpyClaw repo root)' },
-            agent: { type: 'string', enum: ['claude', 'codex', 'kimi'], description: 'Which coding CLI to use for all team workers. Omit to use configured default.' },
-            model: { type: 'string', description: 'Model override (e.g. claude-sonnet-4-5, gpt-5.3-codex)' },
-            timeout_minutes: { type: 'number', description: 'Total timeout in minutes (default: 20, max: 60)' },
-            validate: { type: 'boolean', description: 'Run build && test after all agents complete using the auto-detected package manager (default: true)' },
+            task: { type: 'string' },
+            agent: { type: 'string' },
+            interactive: {
+                type: 'boolean',
+                description: 'If true, spawn as an interactive session. Creates a Discord thread and resumes session on follow-up messages. Discord-only; claude or codex only. Default false.',
+            },
+            effort: {
+                type: 'string',
+                enum: ['none', 'low', 'medium', 'high', 'xhigh'],
+                description: 'Optional reasoning effort for coding agents that support it.',
+            },
+            worktree: {
+                description: 'Use an isolated git worktree for this task. true forces one, false disables it, auto uses one for review/rebase-style tasks. Default auto.',
+            },
         },
         required: ['task'],
     },
 };
 export const CHECK_CODE_AGENT_TOOL = {
     name: 'check_code_agent',
-    description: 'Check status of running coding agents. Call with no args to list all, or with id to get details.',
+    input_schema: { type: 'object', properties: { id: { type: 'string' } } },
+};
+export const DELEGATE_TO_AGENT_TOOL = {
+    name: 'delegate_to_agent',
     input_schema: {
         type: 'object',
         properties: {
-            id: { type: 'string', description: 'Agent ID (e.g. ca-1). Omit to list all active agents.' },
+            alias: {
+                type: 'string',
+                description: 'Discord agent profile alias to delegate to, without @.',
+            },
+            task: {
+                type: 'string',
+                description: 'Task or question for the target agent profile.',
+            },
+            mode: {
+                type: 'string',
+                enum: ['new_thread'],
+                description: 'Delegation mode. Only new_thread is currently supported.',
+            },
+            wait: {
+                type: 'boolean',
+                description: 'If true, wait for the delegated agent response. Default false.',
+            },
         },
+        required: ['alias', 'task'],
     },
 };
+// Glob tool reference for dynamic loading
+const GLOB_TOOL = BUILTIN_TOOL_DEFINITIONS.find(t => t.name === 'Glob');
+// Write tool reference for dynamic loading
+const WRITE_TOOL = BUILTIN_TOOL_DEFINITIONS.find(t => t.name === 'Write');
+// Core tools — always sent. Extended tools added when conversation references them.
+export const CORE_TOOL_DEFINITIONS = [...BUILTIN_TOOL_DEFINITIONS.filter(t => t.name !== 'Glob' && t.name !== 'Write')];
+export const EXTENDED_TOOL_DEFINITIONS = [WRITE_TOOL, GLOB_TOOL, FETCH_TOOL_DEFINITION, CODE_WITH_AGENT_TOOL, CHECK_CODE_AGENT_TOOL, DELEGATE_TO_AGENT_TOOL];
+// Keywords that trigger inclusion of extended tools
+const TOOL_TRIGGERS = {
+    Write: ['write', 'create file', 'save', 'update file', 'fix', 'edit', 'modify', 'change'],
+    Glob: ['glob', 'list_directory', 'find files', 'directory listing'],
+    Fetch: ['fetch', 'http://', 'https://', 'curl', 'api call'],
+    code_with_agent: ['code_with_agent', 'delegate', 'subagent', 'sub-agent'],
+    check_code_agent: ['check_code_agent', 'agent status', 'agent_id'],
+    delegate_to_agent: ['delegate_to_agent', 'delegate to agent', 'call agent', 'ask agent', '@agent'],
+};
+/** Return tool defs filtered by what's been used/mentioned in conversation */
+export function getActiveToolDefs(messages) {
+    const msgStr = JSON.stringify(messages).toLowerCase();
+    const extra = [];
+    for (const t of EXTENDED_TOOL_DEFINITIONS) {
+        const triggers = TOOL_TRIGGERS[t.name] || [t.name.toLowerCase()];
+        if (triggers.some(kw => msgStr.includes(kw)))
+            extra.push(t);
+    }
+    return [...CORE_TOOL_DEFINITIONS, ...extra];
+}

package/dist/tools/execute-context.d.ts

@@ -1,8 +1,9 @@
+import type { AbortSignalLike } from '../types.js';
 export interface ExecuteToolContext {
     /** Task ID for file lock acquisition (concurrent writes) */
     lockTaskId?: string;
     /** Abort signal for cancelling long-running tool loops */
-    abortSignal?: AbortSignal;
+    abortSignal?: AbortSignalLike;
     /** Chat ID for channel routing */
     chatId?: number;
     /** Full config for agent tools */
@@ -25,8 +26,16 @@ export interface ExecuteToolContext {
     agentId?: string;
     /** True when this context is from a cron job — enables spawn tools even without a chatId */
     isCronJob?: boolean;
-    /** Sandbox configuration for containerized tool execution */
-    sandboxConfig?: import('../types.js').SandboxConfig;
-    /** Session ID for sandbox container mapping */
+    /** Session ID used as file-lock scope + interactive-session key */
     sessionId?: string;
+    /** Discord thread ID — set when command originates from a thread */
+    discordThreadId?: string;
+    /** Discord channel ID — parent channel when originating from a thread */
+    discordChannelId?: string;
+    /** True when Discord message originated from a DM (threads not supported) */
+    isDm?: boolean;
+    /** Discord agent profile alias for the current thread/profile turn */
+    threadAgentAlias?: string;
+    /** Nested agent delegation depth */
+    delegationDepth?: number;
 }

package/dist/tools/fetch-tool.js

@@ -1,6 +1,84 @@
 // Fetch tool — lightweight HTTP requests and web search without browser overhead
+import { lookup } from 'dns/promises';
+import { BlockList, isIP } from 'net';
 const MAX_RESPONSE_CHARS = 50_000;
 const TIMEOUT_MS = 30_000;
+const MAX_REDIRECTS = 5;
+const BLOCKED_HOSTNAMES = new Set([
+    'localhost',
+    'localhost.localdomain',
+    'metadata',
+    'metadata.google.internal',
+    'metadata.google.internal.',
+    'instance-data',
+]);
+const BLOCKED_HOST_SUFFIXES = ['.internal', '.local', '.lan', '.home', '.localhost'];
+const IP_BLOCKLIST = (() => {
+    const blockList = new BlockList();
+    blockList.addSubnet('0.0.0.0', 8, 'ipv4');
+    blockList.addSubnet('10.0.0.0', 8, 'ipv4');
+    blockList.addSubnet('100.64.0.0', 10, 'ipv4');
+    blockList.addSubnet('127.0.0.0', 8, 'ipv4');
+    blockList.addSubnet('169.254.0.0', 16, 'ipv4');
+    blockList.addSubnet('172.16.0.0', 12, 'ipv4');
+    blockList.addSubnet('192.0.0.0', 24, 'ipv4');
+    blockList.addSubnet('192.0.2.0', 24, 'ipv4');
+    blockList.addSubnet('192.168.0.0', 16, 'ipv4');
+    blockList.addSubnet('198.18.0.0', 15, 'ipv4');
+    blockList.addSubnet('198.51.100.0', 24, 'ipv4');
+    blockList.addSubnet('203.0.113.0', 24, 'ipv4');
+    blockList.addSubnet('224.0.0.0', 4, 'ipv4');
+    blockList.addSubnet('240.0.0.0', 4, 'ipv4');
+    blockList.addAddress('::', 'ipv6');
+    blockList.addAddress('::1', 'ipv6');
+    blockList.addSubnet('fc00::', 7, 'ipv6');
+    blockList.addSubnet('fe80::', 10, 'ipv6');
+    blockList.addSubnet('ff00::', 8, 'ipv6');
+    blockList.addSubnet('2001:db8::', 32, 'ipv6');
+    return blockList;
+})();
+function isBlockedIpAddress(address) {
+    if (address.startsWith('::ffff:')) {
+        return isBlockedIpAddress(address.slice('::ffff:'.length));
+    }
+    const family = isIP(address);
+    if (family === 4)
+        return IP_BLOCKLIST.check(address, 'ipv4');
+    if (family === 6)
+        return IP_BLOCKLIST.check(address, 'ipv6');
+    return true;
+}
+async function validateTarget(rawUrl) {
+    const parsed = new URL(rawUrl);
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+        throw new Error(`Unsupported protocol: ${parsed.protocol}`);
+    }
+    const hostname = parsed.hostname.toLowerCase().replace(/\.$/, '');
+    if (BLOCKED_HOSTNAMES.has(hostname)) {
+        throw new Error(`Blocked host: ${hostname}`);
+    }
+    if (BLOCKED_HOST_SUFFIXES.some(suffix => hostname.endsWith(suffix))) {
+        throw new Error(`Blocked internal host: ${hostname}`);
+    }
+    if (isIP(hostname) !== 0 && isBlockedIpAddress(hostname)) {
+        throw new Error(`Blocked target IP: ${hostname}`);
+    }
+    if (isIP(hostname) === 0) {
+        const resolved = await lookup(hostname, { all: true, verbatim: true });
+        if (!resolved.length) {
+            throw new Error(`Could not resolve host: ${hostname}`);
+        }
+        for (const rec of resolved) {
+            if (isBlockedIpAddress(rec.address)) {
+                throw new Error(`Blocked resolved IP for ${hostname}: ${rec.address}`);
+            }
+        }
+    }
+    return parsed;
+}
+function isRedirectStatus(status) {
+    return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
 /**
  * Strip HTML tags and decode common entities. Returns plain text.
  */
@@ -31,22 +109,40 @@ export async function executeFetch(input, _config) {
     if (!url)
         return 'Error: url is required';
     try {
-        new URL(url);
-    }
-    catch {
-        return `Error: Invalid URL: ${url}`;
-    }
-    try {
+        let target = await validateTarget(url);
         const defaultHeaders = {
             'User-Agent': 'SkimpyClaw/1.0',
         };
-        const response = await fetch(url, {
-            method: method.toUpperCase(),
-            headers: { ...defaultHeaders, ...headers },
-            body: body || undefined,
-            signal: AbortSignal.timeout(TIMEOUT_MS),
-            redirect: 'follow',
-        });
+        let requestMethod = method.toUpperCase();
+        let requestBody = body || undefined;
+        let response = null;
+        for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+            response = await fetch(target, {
+                method: requestMethod,
+                headers: { ...defaultHeaders, ...headers },
+                body: requestBody,
+                signal: AbortSignal.timeout(TIMEOUT_MS),
+                redirect: 'manual',
+            });
+            if (!isRedirectStatus(response.status)) {
+                break;
+            }
+            if (hop === MAX_REDIRECTS) {
+                return `Error: Too many redirects (>${MAX_REDIRECTS})`;
+            }
+            const location = response.headers.get('location');
+            if (!location) {
+                return `Error: Redirect response missing Location header (HTTP ${response.status})`;
+            }
+            target = await validateTarget(new URL(location, target).toString());
+            if ((response.status === 301 || response.status === 302 || response.status === 303) && requestMethod !== 'GET' && requestMethod !== 'HEAD') {
+                requestMethod = 'GET';
+                requestBody = undefined;
+            }
+        }
+        if (!response) {
+            return 'Error: Request did not produce a response';
+        }
         const status = `${response.status} ${response.statusText}`;
         const contentType = response.headers.get('content-type') || '';
         let responseBody;

package/dist/tools/file-tools.js

@@ -1,7 +1,13 @@
 import { readFileSync, writeFileSync, readdirSync, existsSync, statSync, mkdirSync } from 'fs';
 import { join, dirname } from 'path';
+import { homedir } from 'os';
 import { isPathAllowed } from './path-utils.js';
+/** Expand ~ to home directory */
+function expandTilde(p) {
+    return p.startsWith('~/') ? join(homedir(), p.slice(2)) : p;
+}
 export function executeReadFile(path, config) {
+    path = expandTilde(path);
     if (!isPathAllowed(path, config.allowedPaths)) {
         return `Error: Path not allowed. Permitted: ${config.allowedPaths.join(', ')}`;
     }
@@ -23,7 +29,7 @@ function executeWriteFile(path, content, config) {
         mkdirSync(dir, { recursive: true });
     }
     writeFileSync(path, content, 'utf-8');
-    return `Written: ${path} (${content.length} bytes)`;
+    return `OK`;
 }
 /**
  * Write with file locking when a lockTaskId is provided (concurrent context).

package/dist/tools.d.ts

@@ -1,19 +1,18 @@
 import type { ToolConfig } from './types.js';
-import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, FETCH_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL } from './tools/definitions.js';
+import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, FETCH_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CHECK_CODE_AGENT_TOOL, DELEGATE_TO_AGENT_TOOL } from './tools/definitions.js';
 import type { ExecuteToolContext } from './tools/execute-context.js';
-import { cleanupBrowser } from './tools/browser-tool.js';
-export { getActiveCodeAgents, getRecentCodeAgents, getAllCodeAgents, getCodeAgent, cancelCodeAgent, restoreCodeAgentTasks, setCodeAgentConfig, computeWaves, decomposeTask, synthesizeResults, runValidation, runCodeAgentBackground, buildCodeAgentArgs, readTeamState, parseStreamJsonForLive, } from './code-agents/index.js';
-export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, FETCH_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, cleanupBrowser, };
+export { getActiveCodeAgents, getRecentCodeAgents, getAllCodeAgents, getCodeAgent, cancelCodeAgent, restoreCodeAgentTasks, setCodeAgentConfig, runValidation, runCodeAgentBackground, buildCodeAgentArgs, parseStreamJsonForLive, } from './code-agents/index.js';
+export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, FETCH_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CHECK_CODE_AGENT_TOOL, DELEGATE_TO_AGENT_TOOL, };
 export type { ExecuteToolContext };
-export type { CodeAgentTask, DecomposedSubtask } from './code-agents/index.js';
+export type { CodeAgentTask } from './code-agents/index.js';
 export declare function discoverMcpTools(): Promise<any[]>;
 export declare function clearMcpToolCache(): void;
 /** Force-reconnect the MCP runtime (clears cached runtime and tool discovery). */
 export declare function reconnectMcp(): Promise<void>;
 /**
- * Get all available tool definitions: built-ins + browser (if enabled) + MCP (auto-discovered) + agent tools.
+ * Get all available tool definitions: built-ins + fetch + MCP (auto-discovered) + agent tools.
  * This is the primary way to get tools — replaces the static TOOL_DEFINITIONS export.
- * Pass includeAgentTools: true to include code_with_agent, code_with_team, check_code_agent.
+ * Pass includeAgentTools: true to include code_with_agent and check_code_agent.
  * Results are cached for 60s to avoid rebuilding the array on every agent turn.
  */
 export declare function getToolDefinitions(config?: ToolConfig, options?: {
@@ -22,5 +21,6 @@ export declare function getToolDefinitions(config?: ToolConfig, options?: {
     projects?: Record<string, string>;
 }): Promise<any[]>;
 export declare function clearToolDefsCache(): void;
+export declare function normalizeMcpToolArgsForExecution(server: string, tool: string, args: Record<string, any>): Record<string, any>;
 export declare function cleanupMcp(): Promise<void>;
 export declare function executeTool(name: string, input: Record<string, any>, config: ToolConfig, context?: ExecuteToolContext): Promise<string>;