skyloom 1.12.0 → 1.13.0

package/src/core/router.ts

@@ -1,124 +1,124 @@
-/**
- * Complexity router: classify a user goal into direct / single / orchestrate.
- *
- * Rules-first (no LLM), so classification stays under 1ms. The router exists
- * solely to keep simple goals from triggering Snow's full task-decomposition
- * LLM call when a single agent could answer in one shot.
- */
-
-export type Mode = 'direct' | 'single' | 'orchestrate';
-
-const MULTI_STEP_TOKENS = [
-  '先', '再', '然后', '接着', '之后', '其次', '最后',
-  '第一步', '第二步', '第三步', '步骤', '顺序', '依次', '首先',
-  'step 1', 'step 2', 'first,', 'then,', 'after that', 'finally',
-];
-
-const GREETING_TOKENS = [
-  '你好', '您好', 'hi', 'hello', 'hey', '在吗', '嗨',
-  '早上好', '晚安', '谢谢', 'thanks', 'thank you', '再见', 'bye',
-];
-
-const SINGLE_ACTION_HINTS = [
-  '解释', '什么是', '为什么', '如何', '怎么', '查询', '搜索',
-  '搜一下', '翻译', '总结', 'summarize', 'explain', 'what is', 'why', 'how do',
-];
-
-const ACTION_VERBS = [
-  '写', '帮我写', '生成', '创建', '实现', '做', '搜', '查',
-  '找', '审查', '审计', '翻译', '重构', '修改', '改', '部署',
-  '运行', '执行',
-  'write', 'create', 'generate', 'implement', 'search', 'find',
-  'review', 'translate', 'deploy', 'run',
-];
-
-const CODE_BLOCK = /```[\s\S]+?```/;
-const URL_PATTERN = /https?:\/\/\S+/;
-const PATH_PATTERN = /(?:[A-Za-z]:[\\/]|[\\/])[\w\-./\\]+/;
-const NUMBERED_LIST = /(?:^|\n)\s*(?:\d+[.)、]|[-*])\s+/gm;
-const INLINE_ENUMERATED = /\b\d+[.)、]\s*\S/g;
-
-/**
- * Decide the execution mode for a user goal.
- *
- * direct: short greeting / single factual question, no tools needed.
- * single: clear single-purpose task, one agent + tools.
- * orchestrate: multi-step plan worth decomposing into sub-tasks.
- */
-export function classify(goal: string): Mode {
-  if (!goal || !goal.trim()) return 'direct';
-
-  const text = goal.trim();
-  const lower = text.toLowerCase();
-  const length = text.length;
-
-  const hasCode = CODE_BLOCK.test(text);
-  const hasUrl = URL_PATTERN.test(text);
-  const hasPath = PATH_PATTERN.test(text);
-  const listMatches = (text.match(NUMBERED_LIST) || []).length;
-  const inlineEnumHits = (text.match(INLINE_ENUMERATED) || []).length;
-
-  const multiStepHits = MULTI_STEP_TOKENS.filter(t => lower.includes(t)).length;
-  const greetingHits = GREETING_TOKENS.filter(t => lower.includes(t)).length;
-  const singleHits = SINGLE_ACTION_HINTS.filter(t => lower.includes(t)).length;
-  const actionHits = ACTION_VERBS.filter(t => lower.includes(t)).length;
-
-  if (greetingHits >= 1 && length < 30 && multiStepHits === 0 && actionHits === 0) {
-    return 'direct';
-  }
-
-  if (multiStepHits >= 2 || listMatches >= 2 || inlineEnumHits >= 3) {
-    return 'orchestrate';
-  }
-
-  if (length > 200 && multiStepHits >= 1) {
-    return 'orchestrate';
-  }
-
-  if (hasCode && length > 150) {
-    return 'orchestrate';
-  }
-
-  // Tool-use signals push toward single, not direct
-  if (hasPath || hasUrl || actionHits >= 1) {
-    return 'single';
-  }
-
-  if (length < 50 && !hasCode) {
-    if (singleHits >= 1 || text.endsWith('?') || text.endsWith('？')) {
-      return 'direct';
-    }
-    if (multiStepHits === 0) {
-      return 'direct';
-    }
-  }
-
-  return 'single';
-}
-
-/**
- * Pick a single agent for a non-orchestrate goal, by keyword routing.
- *
- * Returns an agent name guaranteed to be in available, falling back to
- * rain (generation generalist) then to any available agent.
- */
-export function pickAgentForGoal(goal: string, available: Set<string>): string {
-  const lower = goal.toLowerCase();
-
-  // More specific buckets first
-  const buckets: Array<[string, string[]]> = [
-    ['frost', ['审查', 'review', '漏洞', '安全', '审计', 'lint', '重构建议', 'code smell']],
-    ['dew', ['部署', '运行', '执行命令', 'shell', 'deploy', 'ci', 'cd', '环境变量', '运维']],
-    ['fog', ['研究', '调研', '搜一下', '搜索', '查一下', '查资料', 'research', 'search', '调查', '找一下', '找资料']],
-    ['rain', ['写', '生成', '实现', 'create', 'generate', '写一段', '写个', '代码', '函数', '实现一个']],
-    ['fair', ['陪我', '聊天', '心情', '难过', '开心', '孤独', '倾诉', '你好', 'hi', 'hello', '嗨']],
-  ];
-
-  for (const [agent, hints] of buckets) {
-    if (!available.has(agent)) continue;
-    if (hints.some(h => lower.includes(h))) return agent;
-  }
-
-  if (available.has('rain')) return 'rain';
-  return Array.from(available)[0];
-}
+/**
+ * Complexity router: classify a user goal into direct / single / orchestrate.
+ *
+ * Rules-first (no LLM), so classification stays under 1ms. The router exists
+ * solely to keep simple goals from triggering Snow's full task-decomposition
+ * LLM call when a single agent could answer in one shot.
+ */
+
+export type Mode = 'direct' | 'single' | 'orchestrate';
+
+const MULTI_STEP_TOKENS = [
+  '先', '再', '然后', '接着', '之后', '其次', '最后',
+  '第一步', '第二步', '第三步', '步骤', '顺序', '依次', '首先',
+  'step 1', 'step 2', 'first,', 'then,', 'after that', 'finally',
+];
+
+const GREETING_TOKENS = [
+  '你好', '您好', 'hi', 'hello', 'hey', '在吗', '嗨',
+  '早上好', '晚安', '谢谢', 'thanks', 'thank you', '再见', 'bye',
+];
+
+const SINGLE_ACTION_HINTS = [
+  '解释', '什么是', '为什么', '如何', '怎么', '查询', '搜索',
+  '搜一下', '翻译', '总结', 'summarize', 'explain', 'what is', 'why', 'how do',
+];
+
+const ACTION_VERBS = [
+  '写', '帮我写', '生成', '创建', '实现', '做', '搜', '查',
+  '找', '审查', '审计', '翻译', '重构', '修改', '改', '部署',
+  '运行', '执行',
+  'write', 'create', 'generate', 'implement', 'search', 'find',
+  'review', 'translate', 'deploy', 'run',
+];
+
+const CODE_BLOCK = /```[\s\S]+?```/;
+const URL_PATTERN = /https?:\/\/\S+/;
+const PATH_PATTERN = /(?:[A-Za-z]:[\\/]|[\\/])[\w\-./\\]+/;
+const NUMBERED_LIST = /(?:^|\n)\s*(?:\d+[.)、]|[-*])\s+/gm;
+const INLINE_ENUMERATED = /\b\d+[.)、]\s*\S/g;
+
+/**
+ * Decide the execution mode for a user goal.
+ *
+ * direct: short greeting / single factual question, no tools needed.
+ * single: clear single-purpose task, one agent + tools.
+ * orchestrate: multi-step plan worth decomposing into sub-tasks.
+ */
+export function classify(goal: string): Mode {
+  if (!goal || !goal.trim()) return 'direct';
+
+  const text = goal.trim();
+  const lower = text.toLowerCase();
+  const length = text.length;
+
+  const hasCode = CODE_BLOCK.test(text);
+  const hasUrl = URL_PATTERN.test(text);
+  const hasPath = PATH_PATTERN.test(text);
+  const listMatches = (text.match(NUMBERED_LIST) || []).length;
+  const inlineEnumHits = (text.match(INLINE_ENUMERATED) || []).length;
+
+  const multiStepHits = MULTI_STEP_TOKENS.filter(t => lower.includes(t)).length;
+  const greetingHits = GREETING_TOKENS.filter(t => lower.includes(t)).length;
+  const singleHits = SINGLE_ACTION_HINTS.filter(t => lower.includes(t)).length;
+  const actionHits = ACTION_VERBS.filter(t => lower.includes(t)).length;
+
+  if (greetingHits >= 1 && length < 30 && multiStepHits === 0 && actionHits === 0) {
+    return 'direct';
+  }
+
+  if (multiStepHits >= 2 || listMatches >= 2 || inlineEnumHits >= 3) {
+    return 'orchestrate';
+  }
+
+  if (length > 200 && multiStepHits >= 1) {
+    return 'orchestrate';
+  }
+
+  if (hasCode && length > 150) {
+    return 'orchestrate';
+  }
+
+  // Tool-use signals push toward single, not direct
+  if (hasPath || hasUrl || actionHits >= 1) {
+    return 'single';
+  }
+
+  if (length < 50 && !hasCode) {
+    if (singleHits >= 1 || text.endsWith('?') || text.endsWith('？')) {
+      return 'direct';
+    }
+    if (multiStepHits === 0) {
+      return 'direct';
+    }
+  }
+
+  return 'single';
+}
+
+/**
+ * Pick a single agent for a non-orchestrate goal, by keyword routing.
+ *
+ * Returns an agent name guaranteed to be in available, falling back to
+ * rain (generation generalist) then to any available agent.
+ */
+export function pickAgentForGoal(goal: string, available: Set<string>): string {
+  const lower = goal.toLowerCase();
+
+  // More specific buckets first
+  const buckets: Array<[string, string[]]> = [
+    ['frost', ['审查', 'review', '漏洞', '安全', '审计', 'lint', '重构建议', 'code smell']],
+    ['dew', ['部署', '运行', '执行命令', 'shell', 'deploy', 'ci', 'cd', '环境变量', '运维']],
+    ['fog', ['研究', '调研', '搜一下', '搜索', '查一下', '查资料', 'research', 'search', '调查', '找一下', '找资料']],
+    ['rain', ['写', '生成', '实现', 'create', 'generate', '写一段', '写个', '代码', '函数', '实现一个']],
+    ['fair', ['陪我', '聊天', '心情', '难过', '开心', '孤独', '倾诉', '你好', 'hi', 'hello', '嗨']],
+  ];
+
+  for (const [agent, hints] of buckets) {
+    if (!available.has(agent)) continue;
+    if (hints.some(h => lower.includes(h))) return agent;
+  }
+
+  if (available.has('rain')) return 'rain';
+  return Array.from(available)[0];
+}

package/src/core/sandbox.ts

@@ -1,142 +1,142 @@
-/**
- * 沙箱隔离模块 — Shell execution sandbox with resource limits.
- *
- * All `run_bash` / `shell_exec` commands are wrapped through this module
- * to ensure: temp directory isolation, timeout enforcement, output size
- * limits, and dangerous command detection BEFORE execution.
- */
-
-import { execSync, exec } from "child_process";
-import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
-import { getLogger } from "./logger";
-import { REDLINE_PATTERNS, REDLINE_COMMANDS } from "./security";
-
-const log = getLogger("sandbox");
-
-/* ═══════════════════════════════════════
-   Configuration
-   ═══════════════════════════════════════ */
-const SANDBOX_DIR = path.join(os.homedir(), ".skyloom", "sandbox");
-const DEFAULT_TIMEOUT_MS = 30000;  // 30s max
-const MAX_OUTPUT_BYTES = 1024 * 1024; // 1MB max output
-const HARD_TIMEOUT_MS = 120000;      // 2min absolute max
-// Whitelist of safe commands that don't need sandbox
-const SAFE_COMMANDS = new Set(["echo", "pwd", "whoami", "date", "hostname", "uname", "ls", "dir", "cat", "head", "tail", "wc", "env", "printenv"]);
-
-/* ═══════════════════════════════════════
-   Sandbox lifecycle
-   ═══════════════════════════════════════ */
-function ensureSandbox(): string {
-  if (!fs.existsSync(SANDBOX_DIR)) fs.mkdirSync(SANDBOX_DIR, { recursive: true });
-  // Create named temp dir for this execution
-  const id = Date.now().toString(36) + Math.random().toString(36).slice(2, 6);
-  const dir = path.join(SANDBOX_DIR, `job_${id}`);
-  fs.mkdirSync(dir, { recursive: true });
-  return dir;
-}
-
-function cleanup(dir: string): void {
-  try { fs.rmSync(dir, { recursive: true, force: true }); } catch { /* ignore */ }
-}
-
-/* ═══════════════════════════════════════
-   Pre-execution check
-   ═══════════════════════════════════════ */
-function preflightCheck(command: string): string | null {
-  if (!command || !command.trim()) return "Empty command";
-
-  const lower = command.toLowerCase().trim();
-
-  // Red-line patterns
-  for (const pattern of REDLINE_PATTERNS) {
-    if (pattern.test(lower)) return `REDLINE: pattern '${pattern.source.slice(0, 40)}' detected`;
-  }
-  for (const forbidden of REDLINE_COMMANDS) {
-    if (lower.includes(forbidden)) return `REDLINE: forbidden command '${forbidden}'`;
-  }
-
-  // Network exfiltration attempts
-  if (/curl.*\|.*nc\s/.test(lower) || /wget.*-O.*>/.test(lower)) return "BLOCKED: potential data exfiltration";
-  if (/nc\s+\S+\s+\d+/.test(lower) && /\|/.test(lower)) return "BLOCKED: potential reverse shell";
-
-  return null;
-}
-
-/* ═══════════════════════════════════════
-   Execute in sandbox
-   ═══════════════════════════════════════ */
-export interface SandboxResult {
-  success: boolean;
-  stdout: string;
-  stderr: string;
-  exitCode: number;
-  killed: boolean;
-  durationMs: number;
-  sandboxDir: string;
-  checkFailed?: string;
-}
-
-export function runInSandbox(command: string, opts?: {
-  timeoutMs?: number;
-  cwd?: string;
-  env?: Record<string, string>;
-}): SandboxResult {
-  // Pre-flight
-  const check = preflightCheck(command);
-  if (check) {
-    return { success: false, stdout: "", stderr: check, exitCode: -1, killed: false, durationMs: 0, sandboxDir: "", checkFailed: check };
-  }
-
-  const dir = ensureSandbox();
-  const timeout = Math.min(opts?.timeoutMs ?? DEFAULT_TIMEOUT_MS, HARD_TIMEOUT_MS);
-  const t0 = Date.now();
-
-  try {
-    // For safe commands, run in-place without sandbox overhead
-    const firstWord = command.trim().split(/\s+/)[0].toLowerCase();
-    if (SAFE_COMMANDS.has(firstWord)) {
-      const result = execSync(command, { encoding: "utf-8", timeout, maxBuffer: MAX_OUTPUT_BYTES, cwd: opts?.cwd || dir, env: { ...process.env, ...(opts?.env || {}) } });
-      cleanup(dir);
-      return { success: true, stdout: result.slice(0, MAX_OUTPUT_BYTES), stderr: "", exitCode: 0, killed: false, durationMs: Date.now() - t0, sandboxDir: dir };
-    }
-
-    // Dangerous command — run in sandbox with isolation
-    const result = execSync(command, {
-      encoding: "utf-8",
-      timeout,
-      maxBuffer: MAX_OUTPUT_BYTES,
-      cwd: dir,                    // isolate to temp dir
-      env: { ...process.env, ...(opts?.env || {}), TMPDIR: dir, TEMP: dir },
-      windowsHide: true,
-    });
-
-    cleanup(dir);
-    return { success: true, stdout: result.slice(0, MAX_OUTPUT_BYTES), stderr: "", exitCode: 0, killed: false, durationMs: Date.now() - t0, sandboxDir: dir };
-
-  } catch (e: any) {
-    const durationMs = Date.now() - t0;
-    const killed = e.killed || e.signal !== undefined || durationMs >= timeout;
-    const stdout = (e.stdout || "").slice(0, MAX_OUTPUT_BYTES);
-    const stderr = (e.stderr || e.message || "").slice(0, MAX_OUTPUT_BYTES);
-    cleanup(dir);
-    return { success: false, stdout, stderr, exitCode: e.status || -1, killed, durationMs, sandboxDir: dir };
-  }
-}
-
-/* ═══════════════════════════════════════
-   Format result for display
-   ═══════════════════════════════════════ */
-export function formatSandboxResult(r: SandboxResult): string {
-  if (r.checkFailed) return `[BLOCKED] ${r.checkFailed}`;
-
-  const parts: string[] = [];
-  if (r.stdout) parts.push(r.stdout);
-  if (r.stderr) parts.push(`[stderr]\n${r.stderr}`);
-  if (r.killed) parts.push(`[killed after ${r.durationMs}ms]`);
-  if (r.exitCode !== 0) parts.push(`[exit code: ${r.exitCode}]`);
-
-  parts.push(`[sandbox: ${r.sandboxDir || "n/a"} · ${r.durationMs}ms]`);
-  return parts.join("\n");
-}
+/**
+ * 沙箱隔离模块 — Shell execution sandbox with resource limits.
+ *
+ * All `run_bash` / `shell_exec` commands are wrapped through this module
+ * to ensure: temp directory isolation, timeout enforcement, output size
+ * limits, and dangerous command detection BEFORE execution.
+ */
+
+import { execSync, exec } from "child_process";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { getLogger } from "./logger";
+import { REDLINE_PATTERNS, REDLINE_COMMANDS } from "./security";
+
+const log = getLogger("sandbox");
+
+/* ═══════════════════════════════════════
+   Configuration
+   ═══════════════════════════════════════ */
+const SANDBOX_DIR = path.join(os.homedir(), ".skyloom", "sandbox");
+const DEFAULT_TIMEOUT_MS = 30000;  // 30s max
+const MAX_OUTPUT_BYTES = 1024 * 1024; // 1MB max output
+const HARD_TIMEOUT_MS = 120000;      // 2min absolute max
+// Whitelist of safe commands that don't need sandbox
+const SAFE_COMMANDS = new Set(["echo", "pwd", "whoami", "date", "hostname", "uname", "ls", "dir", "cat", "head", "tail", "wc", "env", "printenv"]);
+
+/* ═══════════════════════════════════════
+   Sandbox lifecycle
+   ═══════════════════════════════════════ */
+function ensureSandbox(): string {
+  if (!fs.existsSync(SANDBOX_DIR)) fs.mkdirSync(SANDBOX_DIR, { recursive: true });
+  // Create named temp dir for this execution
+  const id = Date.now().toString(36) + Math.random().toString(36).slice(2, 6);
+  const dir = path.join(SANDBOX_DIR, `job_${id}`);
+  fs.mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+function cleanup(dir: string): void {
+  try { fs.rmSync(dir, { recursive: true, force: true }); } catch { /* ignore */ }
+}
+
+/* ═══════════════════════════════════════
+   Pre-execution check
+   ═══════════════════════════════════════ */
+function preflightCheck(command: string): string | null {
+  if (!command || !command.trim()) return "Empty command";
+
+  const lower = command.toLowerCase().trim();
+
+  // Red-line patterns
+  for (const pattern of REDLINE_PATTERNS) {
+    if (pattern.test(lower)) return `REDLINE: pattern '${pattern.source.slice(0, 40)}' detected`;
+  }
+  for (const forbidden of REDLINE_COMMANDS) {
+    if (lower.includes(forbidden)) return `REDLINE: forbidden command '${forbidden}'`;
+  }
+
+  // Network exfiltration attempts
+  if (/curl.*\|.*nc\s/.test(lower) || /wget.*-O.*>/.test(lower)) return "BLOCKED: potential data exfiltration";
+  if (/nc\s+\S+\s+\d+/.test(lower) && /\|/.test(lower)) return "BLOCKED: potential reverse shell";
+
+  return null;
+}
+
+/* ═══════════════════════════════════════
+   Execute in sandbox
+   ═══════════════════════════════════════ */
+export interface SandboxResult {
+  success: boolean;
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+  killed: boolean;
+  durationMs: number;
+  sandboxDir: string;
+  checkFailed?: string;
+}
+
+export function runInSandbox(command: string, opts?: {
+  timeoutMs?: number;
+  cwd?: string;
+  env?: Record<string, string>;
+}): SandboxResult {
+  // Pre-flight
+  const check = preflightCheck(command);
+  if (check) {
+    return { success: false, stdout: "", stderr: check, exitCode: -1, killed: false, durationMs: 0, sandboxDir: "", checkFailed: check };
+  }
+
+  const dir = ensureSandbox();
+  const timeout = Math.min(opts?.timeoutMs ?? DEFAULT_TIMEOUT_MS, HARD_TIMEOUT_MS);
+  const t0 = Date.now();
+
+  try {
+    // For safe commands, run in-place without sandbox overhead
+    const firstWord = command.trim().split(/\s+/)[0].toLowerCase();
+    if (SAFE_COMMANDS.has(firstWord)) {
+      const result = execSync(command, { encoding: "utf-8", timeout, maxBuffer: MAX_OUTPUT_BYTES, cwd: opts?.cwd || dir, env: { ...process.env, ...(opts?.env || {}) } });
+      cleanup(dir);
+      return { success: true, stdout: result.slice(0, MAX_OUTPUT_BYTES), stderr: "", exitCode: 0, killed: false, durationMs: Date.now() - t0, sandboxDir: dir };
+    }
+
+    // Dangerous command — run in sandbox with isolation
+    const result = execSync(command, {
+      encoding: "utf-8",
+      timeout,
+      maxBuffer: MAX_OUTPUT_BYTES,
+      cwd: dir,                    // isolate to temp dir
+      env: { ...process.env, ...(opts?.env || {}), TMPDIR: dir, TEMP: dir },
+      windowsHide: true,
+    });
+
+    cleanup(dir);
+    return { success: true, stdout: result.slice(0, MAX_OUTPUT_BYTES), stderr: "", exitCode: 0, killed: false, durationMs: Date.now() - t0, sandboxDir: dir };
+
+  } catch (e: any) {
+    const durationMs = Date.now() - t0;
+    const killed = e.killed || e.signal !== undefined || durationMs >= timeout;
+    const stdout = (e.stdout || "").slice(0, MAX_OUTPUT_BYTES);
+    const stderr = (e.stderr || e.message || "").slice(0, MAX_OUTPUT_BYTES);
+    cleanup(dir);
+    return { success: false, stdout, stderr, exitCode: e.status || -1, killed, durationMs, sandboxDir: dir };
+  }
+}
+
+/* ═══════════════════════════════════════
+   Format result for display
+   ═══════════════════════════════════════ */
+export function formatSandboxResult(r: SandboxResult): string {
+  if (r.checkFailed) return `[BLOCKED] ${r.checkFailed}`;
+
+  const parts: string[] = [];
+  if (r.stdout) parts.push(r.stdout);
+  if (r.stderr) parts.push(`[stderr]\n${r.stderr}`);
+  if (r.killed) parts.push(`[killed after ${r.durationMs}ms]`);
+  if (r.exitCode !== 0) parts.push(`[exit code: ${r.exitCode}]`);
+
+  parts.push(`[sandbox: ${r.sandboxDir || "n/a"} · ${r.durationMs}ms]`);
+  return parts.join("\n");
+}