skyloom 1.13.6 → 1.13.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (193) hide show
  1. package/.github/workflows/ci.yml +36 -36
  2. package/README.md +220 -159
  3. package/config/providers.yaml +39 -39
  4. package/config/skills/api_integrator/SKILL.md +15 -15
  5. package/config/skills/arch_designer/SKILL.md +13 -13
  6. package/config/skills/ci_cd_manager/SKILL.md +14 -14
  7. package/config/skills/code_analysis/SKILL.md +13 -13
  8. package/config/skills/code_generator/SKILL.md +12 -12
  9. package/config/skills/code_reviewer/SKILL.md +13 -13
  10. package/config/skills/content_writer/SKILL.md +14 -14
  11. package/config/skills/data_transformer/SKILL.md +15 -15
  12. package/config/skills/document_analysis/SKILL.md +13 -13
  13. package/config/skills/emotional_companion/SKILL.md +15 -15
  14. package/config/skills/performance_checker/SKILL.md +14 -14
  15. package/config/skills/security_auditor/SKILL.md +14 -14
  16. package/config/skills/self_evolve/SKILL.md +13 -13
  17. package/config/skills/sys_operator/SKILL.md +15 -15
  18. package/config/skills/task_planner/SKILL.md +14 -14
  19. package/config/skills/web_research/SKILL.md +14 -14
  20. package/config/skills/workflow_designer/SKILL.md +13 -13
  21. package/dist/agents/dew.js +52 -52
  22. package/dist/agents/fair.js +84 -84
  23. package/dist/agents/fog.js +30 -30
  24. package/dist/agents/frost.js +32 -32
  25. package/dist/agents/rain.js +32 -32
  26. package/dist/agents/snow.js +68 -68
  27. package/dist/cli/commands_md.d.ts +41 -0
  28. package/dist/cli/commands_md.d.ts.map +1 -0
  29. package/dist/cli/commands_md.js +140 -0
  30. package/dist/cli/commands_md.js.map +1 -0
  31. package/dist/cli/input_macros.d.ts +28 -0
  32. package/dist/cli/input_macros.d.ts.map +1 -0
  33. package/dist/cli/input_macros.js +120 -0
  34. package/dist/cli/input_macros.js.map +1 -0
  35. package/dist/cli/loom.d.ts +220 -0
  36. package/dist/cli/loom.d.ts.map +1 -0
  37. package/dist/cli/loom.js +1094 -0
  38. package/dist/cli/loom.js.map +1 -0
  39. package/dist/cli/loom_chat.d.ts +20 -0
  40. package/dist/cli/loom_chat.d.ts.map +1 -0
  41. package/dist/cli/loom_chat.js +685 -0
  42. package/dist/cli/loom_chat.js.map +1 -0
  43. package/dist/cli/main.js +310 -14
  44. package/dist/cli/main.js.map +1 -1
  45. package/dist/cli/tui.d.ts.map +1 -1
  46. package/dist/cli/tui.js +7 -1
  47. package/dist/cli/tui.js.map +1 -1
  48. package/dist/core/agent.d.ts +20 -0
  49. package/dist/core/agent.d.ts.map +1 -1
  50. package/dist/core/agent.js +199 -16
  51. package/dist/core/agent.js.map +1 -1
  52. package/dist/core/factory.d.ts.map +1 -1
  53. package/dist/core/factory.js +34 -2
  54. package/dist/core/factory.js.map +1 -1
  55. package/dist/core/file_checkpoint.d.ts +57 -0
  56. package/dist/core/file_checkpoint.d.ts.map +1 -0
  57. package/dist/core/file_checkpoint.js +162 -0
  58. package/dist/core/file_checkpoint.js.map +1 -0
  59. package/dist/core/hooks.d.ts +43 -0
  60. package/dist/core/hooks.d.ts.map +1 -0
  61. package/dist/core/hooks.js +110 -0
  62. package/dist/core/hooks.js.map +1 -0
  63. package/dist/core/llm.d.ts.map +1 -1
  64. package/dist/core/llm.js +15 -9
  65. package/dist/core/llm.js.map +1 -1
  66. package/dist/core/longdoc.js +5 -5
  67. package/dist/core/mcp.d.ts +16 -0
  68. package/dist/core/mcp.d.ts.map +1 -1
  69. package/dist/core/mcp.js +55 -0
  70. package/dist/core/mcp.js.map +1 -1
  71. package/dist/core/model_config.d.ts +40 -0
  72. package/dist/core/model_config.d.ts.map +1 -0
  73. package/dist/core/model_config.js +191 -0
  74. package/dist/core/model_config.js.map +1 -0
  75. package/dist/core/skill.d.ts +7 -0
  76. package/dist/core/skill.d.ts.map +1 -1
  77. package/dist/core/skill.js +47 -0
  78. package/dist/core/skill.js.map +1 -1
  79. package/dist/core/skymd.d.ts +39 -0
  80. package/dist/core/skymd.d.ts.map +1 -0
  81. package/dist/core/skymd.js +177 -0
  82. package/dist/core/skymd.js.map +1 -0
  83. package/dist/core/tool.d.ts +12 -0
  84. package/dist/core/tool.d.ts.map +1 -1
  85. package/dist/core/tool.js +30 -0
  86. package/dist/core/tool.js.map +1 -1
  87. package/dist/core/verify.d.ts +27 -0
  88. package/dist/core/verify.d.ts.map +1 -0
  89. package/dist/core/verify.js +62 -0
  90. package/dist/core/verify.js.map +1 -0
  91. package/dist/skills/loader.d.ts +22 -2
  92. package/dist/skills/loader.d.ts.map +1 -1
  93. package/dist/skills/loader.js +45 -15
  94. package/dist/skills/loader.js.map +1 -1
  95. package/dist/tools/builtin.d.ts.map +1 -1
  96. package/dist/tools/builtin.js +13 -3
  97. package/dist/tools/builtin.js.map +1 -1
  98. package/dist/tools/model_tool.d.ts +11 -0
  99. package/dist/tools/model_tool.d.ts.map +1 -0
  100. package/dist/tools/model_tool.js +71 -0
  101. package/dist/tools/model_tool.js.map +1 -0
  102. package/dist/tools/todo.d.ts +30 -0
  103. package/dist/tools/todo.d.ts.map +1 -0
  104. package/dist/tools/todo.js +78 -0
  105. package/dist/tools/todo.js.map +1 -0
  106. package/docs/AESTHETIC_DESIGN.md +152 -144
  107. package/docs/OPTIMIZATION_PLAN.md +178 -178
  108. package/package.json +68 -68
  109. package/scripts/install.js +48 -48
  110. package/scripts/link.js +10 -10
  111. package/setup.bat +79 -79
  112. package/skill-test-ty2fOA/test.md +10 -10
  113. package/src/agents/dew.ts +70 -70
  114. package/src/agents/fair.ts +102 -102
  115. package/src/agents/fog.ts +48 -48
  116. package/src/agents/frost.ts +50 -50
  117. package/src/agents/rain.ts +50 -50
  118. package/src/agents/snow.ts +239 -239
  119. package/src/cli/commands_md.ts +112 -0
  120. package/src/cli/input_macros.ts +83 -0
  121. package/src/cli/loom.ts +982 -0
  122. package/src/cli/loom_chat.ts +598 -0
  123. package/src/cli/main.ts +255 -9
  124. package/src/cli/mode.ts +58 -58
  125. package/src/cli/tui.ts +228 -222
  126. package/src/core/agent/guard.ts +134 -134
  127. package/src/core/agent/task.ts +100 -100
  128. package/src/core/agent.ts +195 -16
  129. package/src/core/arbitrate.ts +162 -162
  130. package/src/core/catalog.ts +178 -178
  131. package/src/core/checkpoint.ts +94 -94
  132. package/src/core/estimate.ts +104 -104
  133. package/src/core/evolve.ts +191 -191
  134. package/src/core/factory.ts +31 -2
  135. package/src/core/file_checkpoint.ts +136 -0
  136. package/src/core/filter.ts +103 -103
  137. package/src/core/graph.ts +156 -156
  138. package/src/core/hooks.ts +126 -0
  139. package/src/core/icons.ts +53 -53
  140. package/src/core/index.ts +37 -37
  141. package/src/core/learn.ts +146 -146
  142. package/src/core/llm.ts +15 -9
  143. package/src/core/longdoc.ts +155 -155
  144. package/src/core/mcp.ts +48 -0
  145. package/src/core/mcp_server.ts +176 -176
  146. package/src/core/model_config.ts +157 -0
  147. package/src/core/profile.ts +255 -255
  148. package/src/core/router.ts +124 -124
  149. package/src/core/sandbox.ts +142 -142
  150. package/src/core/security.ts +243 -243
  151. package/src/core/skill.ts +42 -0
  152. package/src/core/skymd.ts +143 -0
  153. package/src/core/theme.ts +65 -65
  154. package/src/core/tool.ts +30 -0
  155. package/src/core/tool_router.ts +193 -193
  156. package/src/core/vector.ts +152 -152
  157. package/src/core/verify.ts +71 -0
  158. package/src/core/workspace.ts +150 -150
  159. package/src/plugins/loader.ts +66 -66
  160. package/src/skills/loader.ts +45 -16
  161. package/src/sql.js.d.ts +29 -29
  162. package/src/tools/builtin.ts +13 -3
  163. package/src/tools/computer.ts +269 -269
  164. package/src/tools/delegate.ts +49 -49
  165. package/src/tools/model_tool.ts +74 -0
  166. package/src/tools/todo.ts +76 -0
  167. package/src/web/tts.ts +93 -93
  168. package/tests/agent.test.ts +159 -159
  169. package/tests/agent_helpers.test.ts +48 -48
  170. package/tests/bus.test.ts +121 -121
  171. package/tests/catalog.test.ts +86 -86
  172. package/tests/checkpoint_commands.test.ts +124 -0
  173. package/tests/claude_compat.test.ts +110 -0
  174. package/tests/config.test.ts +41 -41
  175. package/tests/guard.test.ts +75 -75
  176. package/tests/icons.test.ts +45 -45
  177. package/tests/loom.test.ts +248 -0
  178. package/tests/memory.test.ts +170 -170
  179. package/tests/model_config.test.ts +109 -0
  180. package/tests/router.test.ts +86 -86
  181. package/tests/schemas.test.ts +51 -51
  182. package/tests/semantic.test.ts +83 -83
  183. package/tests/setup.ts +10 -10
  184. package/tests/skill.test.ts +172 -172
  185. package/tests/skymd.test.ts +146 -0
  186. package/tests/task.test.ts +60 -60
  187. package/tests/todo_toolstats.test.ts +94 -0
  188. package/tests/tool.test.ts +108 -108
  189. package/tests/tool_router.test.ts +71 -71
  190. package/tests/tui.test.ts +67 -67
  191. package/vitest.config.ts +17 -17
  192. package/=12 +0 -0
  193. package/=8 +0 -0
@@ -1,243 +1,243 @@
1
- /**
2
- * 安全与对齐模块 — Security & Alignment
3
- *
4
- * Danger level grading, red-line enforcement, audit trail, human-in-the-loop.
5
- * All security decisions flow through this module before tool execution.
6
- */
7
-
8
- import { getLogger } from "./logger";
9
-
10
- const log = getLogger("security");
11
-
12
- /* ── Danger levels ── */
13
- export enum DangerLevel {
14
- /** Read-only, no side effects — auto-approved */
15
- SAFE = 0,
16
- /** Minor side effects (write single file, git status) — logged */
17
- LOW = 1,
18
- /** Significant side effects (overwrite, delete, git push) — notify */
19
- MEDIUM = 2,
20
- /** Dangerous (sudo, remote deploy, mass delete) — confirm */
21
- HIGH = 3,
22
- /** Red-line — NEVER execute without human-in-the-loop */
23
- CRITICAL = 4,
24
- }
25
-
26
- /* ═══════════════════════════════════════
27
- Red-line list: operations that are NEVER auto-approved
28
- ═══════════════════════════════════════ */
29
- const REDLINE_PATTERNS = [
30
- /rm\s+-rf/, /format\s+\w:/, /dd\s+if=/,
31
- />\s*\/dev\/sd/, /mkfs\./, /:(){ :\|:& };:/,
32
- /sudo\s+rm/, /chmod\s+777\s+\//, /wget.*\|.*sh/,
33
- /curl.*\|.*bash/, /eval\s+\$/, /exec\s+\$/,
34
- /subprocess\.call.*rm/, /os\.system.*rm/,
35
- ];
36
-
37
- const REDLINE_COMMANDS = [
38
- "shutdown", "reboot", "init 0", "init 6",
39
- "del /f /s /q C:\\*", "rd /s /q C:\\",
40
- ];
41
-
42
- /* ═══════════════════════════════════════
43
- Per-tool danger level mapping
44
- ═══════════════════════════════════════ */
45
- const TOOL_DANGER_MAP: Record<string, DangerLevel> = {
46
- read_file: DangerLevel.SAFE,
47
- list_directory: DangerLevel.SAFE,
48
- tree: DangerLevel.SAFE,
49
- file_search: DangerLevel.SAFE,
50
- code_search: DangerLevel.SAFE,
51
- grep: DangerLevel.SAFE,
52
- git_status: DangerLevel.SAFE,
53
- git_diff: DangerLevel.SAFE,
54
- git_log: DangerLevel.SAFE,
55
- system_info: DangerLevel.SAFE,
56
- system_diagnose: DangerLevel.SAFE,
57
- list_processes: DangerLevel.SAFE,
58
- list_installed_apps: DangerLevel.SAFE,
59
- list_skills: DangerLevel.SAFE,
60
- recall_facts: DangerLevel.SAFE,
61
- mcp_list_servers: DangerLevel.SAFE,
62
-
63
- write_file: DangerLevel.LOW,
64
- edit_file: DangerLevel.LOW,
65
- copy_file: DangerLevel.LOW,
66
- move_file: DangerLevel.LOW,
67
- http_get: DangerLevel.LOW,
68
- fetch_page: DangerLevel.LOW,
69
- web_search: DangerLevel.LOW,
70
- remember_fact: DangerLevel.LOW,
71
- use_skill: DangerLevel.LOW,
72
- task_done: DangerLevel.LOW,
73
-
74
- delete_file: DangerLevel.MEDIUM,
75
- git_add: DangerLevel.MEDIUM,
76
- git_commit: DangerLevel.MEDIUM,
77
- git_checkout: DangerLevel.MEDIUM,
78
- http_post: DangerLevel.MEDIUM,
79
- mcp_add_server: DangerLevel.MEDIUM,
80
- mcp_remove_server: DangerLevel.MEDIUM,
81
- launch_app: DangerLevel.MEDIUM,
82
- open_path: DangerLevel.MEDIUM,
83
- browser_open: DangerLevel.MEDIUM,
84
-
85
- run_bash: DangerLevel.HIGH,
86
- shell_exec: DangerLevel.HIGH,
87
- kill_process: DangerLevel.HIGH,
88
- package_manager: DangerLevel.HIGH,
89
- service_control: DangerLevel.HIGH,
90
- delegate_to: DangerLevel.HIGH,
91
- mcp_scaffold_server: DangerLevel.HIGH,
92
- };
93
-
94
- /* ═══════════════════════════════════════
95
- Audit trail entry
96
- ═══════════════════════════════════════ */
97
- export interface AuditEntry {
98
- ts: string;
99
- agent: string;
100
- tool: string;
101
- args: Record<string, any>;
102
- dangerLevel: DangerLevel;
103
- approved: boolean;
104
- result: string;
105
- durationMs: number;
106
- traceId: string;
107
- }
108
-
109
- /* ═══════════════════════════════════════
110
- Security context — per-session security state
111
- ═══════════════════════════════════════ */
112
- export class SecurityContext {
113
- public auditLog: AuditEntry[] = [];
114
- public deniedCount = 0;
115
- public autoApprovedCount = 0;
116
- public manualApprovedCount = 0;
117
- public approvalMode: "auto" | "interactive" | "strict" = "auto";
118
-
119
- private approvalCallback: ((tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>) | null = null;
120
-
121
- constructor(opts?: { mode?: "auto" | "interactive" | "strict"; onApprove?: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean> }) {
122
- if (opts?.mode) this.approvalMode = opts.mode;
123
- if (opts?.onApprove) this.approvalCallback = opts.onApprove;
124
- }
125
-
126
- /** Get the danger level for a tool. Defaults to SAFE for unknown tools. */
127
- getDangerLevel(toolName: string): DangerLevel {
128
- return TOOL_DANGER_MAP[toolName] ?? DangerLevel.SAFE;
129
- }
130
-
131
- /** Check if arguments contain red-line patterns (critical danger). */
132
- checkRedline(toolName: string, args: Record<string, any>): string | null {
133
- if (toolName !== "run_bash" && toolName !== "shell_exec") return null;
134
- const cmd = String(args.command || args.cmd || "").toLowerCase();
135
- for (const pattern of REDLINE_PATTERNS) {
136
- if (pattern.test(cmd)) return `Red-line pattern detected: ${pattern.source.slice(0, 40)}`;
137
- }
138
- for (const forbidden of REDLINE_COMMANDS) {
139
- if (cmd.includes(forbidden)) return `Red-line command: ${forbidden}`;
140
- }
141
- return null;
142
- }
143
-
144
- /** Determine whether a tool call is permitted. Returns [approved, reason]. */
145
- async checkApproval(toolName: string, args: Record<string, any>, agentName: string): Promise<[boolean, string]> {
146
- const level = this.getDangerLevel(toolName);
147
-
148
- // Red-line check
149
- const redline = this.checkRedline(toolName, args);
150
- if (redline) {
151
- log.warn("redline_blocked", { agent: agentName, tool: toolName, reason: redline });
152
- return [false, redline];
153
- }
154
-
155
- // Safe — always allow
156
- if (level === DangerLevel.SAFE) return [true, "safe"];
157
-
158
- // Strict mode — deny all non-safe
159
- if (this.approvalMode === "strict") {
160
- return [false, `Strict mode: tool '${toolName}' (level ${level}) requires manual approval`];
161
- }
162
-
163
- // Auto mode — allow LOW, prompt for MEDIUM+, deny CRITICAL
164
- if (this.approvalMode === "auto") {
165
- if (level <= DangerLevel.LOW) return [true, "auto-low"];
166
- if (level === DangerLevel.CRITICAL) return [false, `CRITICAL tool '${toolName}' requires explicit human approval`];
167
- // MEDIUM/HIGH with auto mode => need callback
168
- if (this.approvalCallback) {
169
- const approved = await this.approvalCallback(toolName, args, level);
170
- return [approved, approved ? "user-approved" : "user-denied"];
171
- }
172
- return [true, "auto-med"]; // no callback → auto-allow but log
173
- }
174
-
175
- // Interactive mode — prompt for LOW+
176
- if (this.approvalCallback) {
177
- const approved = await this.approvalCallback(toolName, args, level);
178
- return [approved, approved ? "user-approved" : "user-denied"];
179
- }
180
- return [true, "no-callback"];
181
- }
182
-
183
- /** Record an audit entry. */
184
- recordAudit(tool: string, agent: string, args: Record<string, any>, dangerLevel: DangerLevel, approved: boolean, resultPreview: string, durationMs: number, traceId: string): void {
185
- const entry: AuditEntry = {
186
- ts: new Date().toISOString(),
187
- agent, tool, args, dangerLevel, approved,
188
- result: resultPreview.slice(0, 500),
189
- durationMs, traceId,
190
- };
191
- this.auditLog.push(entry);
192
- if (this.auditLog.length > 5000) this.auditLog.shift();
193
-
194
- if (approved) {
195
- if (dangerLevel >= DangerLevel.HIGH) this.manualApprovedCount++;
196
- else this.autoApprovedCount++;
197
- } else {
198
- this.deniedCount++;
199
- }
200
-
201
- log.info(dangerLevel >= DangerLevel.HIGH ? "dangerous_tool_executed" : "tool_executed", {
202
- tool, agent, level: dangerLevel, approved,
203
- });
204
- }
205
-
206
- /** Get summary statistics. */
207
- getStats() {
208
- return {
209
- total: this.auditLog.length,
210
- denied: this.deniedCount,
211
- autoApproved: this.autoApprovedCount,
212
- manualApproved: this.manualApprovedCount,
213
- byLevel: {
214
- safe: this.auditLog.filter(e => e.dangerLevel === DangerLevel.SAFE).length,
215
- low: this.auditLog.filter(e => e.dangerLevel === DangerLevel.LOW).length,
216
- medium: this.auditLog.filter(e => e.dangerLevel === DangerLevel.MEDIUM).length,
217
- high: this.auditLog.filter(e => e.dangerLevel === DangerLevel.HIGH).length,
218
- critical: this.auditLog.filter(e => e.dangerLevel === DangerLevel.CRITICAL).length,
219
- },
220
- lastDenied: this.auditLog.filter(e => !e.approved).slice(-5).map(e => `${e.tool}: ${e.result}`),
221
- };
222
- }
223
-
224
- /** Install approval callback for interactive mode. */
225
- setApprovalCallback(fn: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>) {
226
- this.approvalCallback = fn;
227
- }
228
- }
229
-
230
- /* ── Global security context ── */
231
- let globalSecurity: SecurityContext | null = null;
232
-
233
- export function getSecurity(): SecurityContext {
234
- if (!globalSecurity) globalSecurity = new SecurityContext();
235
- return globalSecurity;
236
- }
237
-
238
- export function resetSecurity(): void {
239
- globalSecurity = null;
240
- }
241
-
242
- /** Red-line patterns for reference (used by tools to self-check). */
243
- export { REDLINE_PATTERNS, REDLINE_COMMANDS };
1
+ /**
2
+ * 安全与对齐模块 — Security & Alignment
3
+ *
4
+ * Danger level grading, red-line enforcement, audit trail, human-in-the-loop.
5
+ * All security decisions flow through this module before tool execution.
6
+ */
7
+
8
+ import { getLogger } from "./logger";
9
+
10
+ const log = getLogger("security");
11
+
12
+ /* ── Danger levels ── */
13
+ export enum DangerLevel {
14
+ /** Read-only, no side effects — auto-approved */
15
+ SAFE = 0,
16
+ /** Minor side effects (write single file, git status) — logged */
17
+ LOW = 1,
18
+ /** Significant side effects (overwrite, delete, git push) — notify */
19
+ MEDIUM = 2,
20
+ /** Dangerous (sudo, remote deploy, mass delete) — confirm */
21
+ HIGH = 3,
22
+ /** Red-line — NEVER execute without human-in-the-loop */
23
+ CRITICAL = 4,
24
+ }
25
+
26
+ /* ═══════════════════════════════════════
27
+ Red-line list: operations that are NEVER auto-approved
28
+ ═══════════════════════════════════════ */
29
+ const REDLINE_PATTERNS = [
30
+ /rm\s+-rf/, /format\s+\w:/, /dd\s+if=/,
31
+ />\s*\/dev\/sd/, /mkfs\./, /:(){ :\|:& };:/,
32
+ /sudo\s+rm/, /chmod\s+777\s+\//, /wget.*\|.*sh/,
33
+ /curl.*\|.*bash/, /eval\s+\$/, /exec\s+\$/,
34
+ /subprocess\.call.*rm/, /os\.system.*rm/,
35
+ ];
36
+
37
+ const REDLINE_COMMANDS = [
38
+ "shutdown", "reboot", "init 0", "init 6",
39
+ "del /f /s /q C:\\*", "rd /s /q C:\\",
40
+ ];
41
+
42
+ /* ═══════════════════════════════════════
43
+ Per-tool danger level mapping
44
+ ═══════════════════════════════════════ */
45
+ const TOOL_DANGER_MAP: Record<string, DangerLevel> = {
46
+ read_file: DangerLevel.SAFE,
47
+ list_directory: DangerLevel.SAFE,
48
+ tree: DangerLevel.SAFE,
49
+ file_search: DangerLevel.SAFE,
50
+ code_search: DangerLevel.SAFE,
51
+ grep: DangerLevel.SAFE,
52
+ git_status: DangerLevel.SAFE,
53
+ git_diff: DangerLevel.SAFE,
54
+ git_log: DangerLevel.SAFE,
55
+ system_info: DangerLevel.SAFE,
56
+ system_diagnose: DangerLevel.SAFE,
57
+ list_processes: DangerLevel.SAFE,
58
+ list_installed_apps: DangerLevel.SAFE,
59
+ list_skills: DangerLevel.SAFE,
60
+ recall_facts: DangerLevel.SAFE,
61
+ mcp_list_servers: DangerLevel.SAFE,
62
+
63
+ write_file: DangerLevel.LOW,
64
+ edit_file: DangerLevel.LOW,
65
+ copy_file: DangerLevel.LOW,
66
+ move_file: DangerLevel.LOW,
67
+ http_get: DangerLevel.LOW,
68
+ fetch_page: DangerLevel.LOW,
69
+ web_search: DangerLevel.LOW,
70
+ remember_fact: DangerLevel.LOW,
71
+ use_skill: DangerLevel.LOW,
72
+ task_done: DangerLevel.LOW,
73
+
74
+ delete_file: DangerLevel.MEDIUM,
75
+ git_add: DangerLevel.MEDIUM,
76
+ git_commit: DangerLevel.MEDIUM,
77
+ git_checkout: DangerLevel.MEDIUM,
78
+ http_post: DangerLevel.MEDIUM,
79
+ mcp_add_server: DangerLevel.MEDIUM,
80
+ mcp_remove_server: DangerLevel.MEDIUM,
81
+ launch_app: DangerLevel.MEDIUM,
82
+ open_path: DangerLevel.MEDIUM,
83
+ browser_open: DangerLevel.MEDIUM,
84
+
85
+ run_bash: DangerLevel.HIGH,
86
+ shell_exec: DangerLevel.HIGH,
87
+ kill_process: DangerLevel.HIGH,
88
+ package_manager: DangerLevel.HIGH,
89
+ service_control: DangerLevel.HIGH,
90
+ delegate_to: DangerLevel.HIGH,
91
+ mcp_scaffold_server: DangerLevel.HIGH,
92
+ };
93
+
94
+ /* ═══════════════════════════════════════
95
+ Audit trail entry
96
+ ═══════════════════════════════════════ */
97
+ export interface AuditEntry {
98
+ ts: string;
99
+ agent: string;
100
+ tool: string;
101
+ args: Record<string, any>;
102
+ dangerLevel: DangerLevel;
103
+ approved: boolean;
104
+ result: string;
105
+ durationMs: number;
106
+ traceId: string;
107
+ }
108
+
109
+ /* ═══════════════════════════════════════
110
+ Security context — per-session security state
111
+ ═══════════════════════════════════════ */
112
+ export class SecurityContext {
113
+ public auditLog: AuditEntry[] = [];
114
+ public deniedCount = 0;
115
+ public autoApprovedCount = 0;
116
+ public manualApprovedCount = 0;
117
+ public approvalMode: "auto" | "interactive" | "strict" = "auto";
118
+
119
+ private approvalCallback: ((tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>) | null = null;
120
+
121
+ constructor(opts?: { mode?: "auto" | "interactive" | "strict"; onApprove?: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean> }) {
122
+ if (opts?.mode) this.approvalMode = opts.mode;
123
+ if (opts?.onApprove) this.approvalCallback = opts.onApprove;
124
+ }
125
+
126
+ /** Get the danger level for a tool. Defaults to SAFE for unknown tools. */
127
+ getDangerLevel(toolName: string): DangerLevel {
128
+ return TOOL_DANGER_MAP[toolName] ?? DangerLevel.SAFE;
129
+ }
130
+
131
+ /** Check if arguments contain red-line patterns (critical danger). */
132
+ checkRedline(toolName: string, args: Record<string, any>): string | null {
133
+ if (toolName !== "run_bash" && toolName !== "shell_exec") return null;
134
+ const cmd = String(args.command || args.cmd || "").toLowerCase();
135
+ for (const pattern of REDLINE_PATTERNS) {
136
+ if (pattern.test(cmd)) return `Red-line pattern detected: ${pattern.source.slice(0, 40)}`;
137
+ }
138
+ for (const forbidden of REDLINE_COMMANDS) {
139
+ if (cmd.includes(forbidden)) return `Red-line command: ${forbidden}`;
140
+ }
141
+ return null;
142
+ }
143
+
144
+ /** Determine whether a tool call is permitted. Returns [approved, reason]. */
145
+ async checkApproval(toolName: string, args: Record<string, any>, agentName: string): Promise<[boolean, string]> {
146
+ const level = this.getDangerLevel(toolName);
147
+
148
+ // Red-line check
149
+ const redline = this.checkRedline(toolName, args);
150
+ if (redline) {
151
+ log.warn("redline_blocked", { agent: agentName, tool: toolName, reason: redline });
152
+ return [false, redline];
153
+ }
154
+
155
+ // Safe — always allow
156
+ if (level === DangerLevel.SAFE) return [true, "safe"];
157
+
158
+ // Strict mode — deny all non-safe
159
+ if (this.approvalMode === "strict") {
160
+ return [false, `Strict mode: tool '${toolName}' (level ${level}) requires manual approval`];
161
+ }
162
+
163
+ // Auto mode — allow LOW, prompt for MEDIUM+, deny CRITICAL
164
+ if (this.approvalMode === "auto") {
165
+ if (level <= DangerLevel.LOW) return [true, "auto-low"];
166
+ if (level === DangerLevel.CRITICAL) return [false, `CRITICAL tool '${toolName}' requires explicit human approval`];
167
+ // MEDIUM/HIGH with auto mode => need callback
168
+ if (this.approvalCallback) {
169
+ const approved = await this.approvalCallback(toolName, args, level);
170
+ return [approved, approved ? "user-approved" : "user-denied"];
171
+ }
172
+ return [true, "auto-med"]; // no callback → auto-allow but log
173
+ }
174
+
175
+ // Interactive mode — prompt for LOW+
176
+ if (this.approvalCallback) {
177
+ const approved = await this.approvalCallback(toolName, args, level);
178
+ return [approved, approved ? "user-approved" : "user-denied"];
179
+ }
180
+ return [true, "no-callback"];
181
+ }
182
+
183
+ /** Record an audit entry. */
184
+ recordAudit(tool: string, agent: string, args: Record<string, any>, dangerLevel: DangerLevel, approved: boolean, resultPreview: string, durationMs: number, traceId: string): void {
185
+ const entry: AuditEntry = {
186
+ ts: new Date().toISOString(),
187
+ agent, tool, args, dangerLevel, approved,
188
+ result: resultPreview.slice(0, 500),
189
+ durationMs, traceId,
190
+ };
191
+ this.auditLog.push(entry);
192
+ if (this.auditLog.length > 5000) this.auditLog.shift();
193
+
194
+ if (approved) {
195
+ if (dangerLevel >= DangerLevel.HIGH) this.manualApprovedCount++;
196
+ else this.autoApprovedCount++;
197
+ } else {
198
+ this.deniedCount++;
199
+ }
200
+
201
+ log.info(dangerLevel >= DangerLevel.HIGH ? "dangerous_tool_executed" : "tool_executed", {
202
+ tool, agent, level: dangerLevel, approved,
203
+ });
204
+ }
205
+
206
+ /** Get summary statistics. */
207
+ getStats() {
208
+ return {
209
+ total: this.auditLog.length,
210
+ denied: this.deniedCount,
211
+ autoApproved: this.autoApprovedCount,
212
+ manualApproved: this.manualApprovedCount,
213
+ byLevel: {
214
+ safe: this.auditLog.filter(e => e.dangerLevel === DangerLevel.SAFE).length,
215
+ low: this.auditLog.filter(e => e.dangerLevel === DangerLevel.LOW).length,
216
+ medium: this.auditLog.filter(e => e.dangerLevel === DangerLevel.MEDIUM).length,
217
+ high: this.auditLog.filter(e => e.dangerLevel === DangerLevel.HIGH).length,
218
+ critical: this.auditLog.filter(e => e.dangerLevel === DangerLevel.CRITICAL).length,
219
+ },
220
+ lastDenied: this.auditLog.filter(e => !e.approved).slice(-5).map(e => `${e.tool}: ${e.result}`),
221
+ };
222
+ }
223
+
224
+ /** Install approval callback for interactive mode. */
225
+ setApprovalCallback(fn: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>) {
226
+ this.approvalCallback = fn;
227
+ }
228
+ }
229
+
230
+ /* ── Global security context ── */
231
+ let globalSecurity: SecurityContext | null = null;
232
+
233
+ export function getSecurity(): SecurityContext {
234
+ if (!globalSecurity) globalSecurity = new SecurityContext();
235
+ return globalSecurity;
236
+ }
237
+
238
+ export function resetSecurity(): void {
239
+ globalSecurity = null;
240
+ }
241
+
242
+ /** Red-line patterns for reference (used by tools to self-check). */
243
+ export { REDLINE_PATTERNS, REDLINE_COMMANDS };
package/src/core/skill.ts CHANGED
@@ -303,6 +303,48 @@ export class SkillRegistry {
303
303
  }
304
304
  }
305
305
 
306
+ /**
307
+ * Load folder-style skills: `<root>/<skill-name>/SKILL.md` (the Claude
308
+ * Code layout). Only SKILL.md is parsed — sibling files (reference.md,
309
+ * scripts/…) are the skill's resources, not separate skills. The skill's
310
+ * resourceDir is its own folder so relative references resolve.
311
+ */
312
+ loadSkillFolders(rootDir: string): Skill[] {
313
+ const loaded: Skill[] = [];
314
+ let root: string;
315
+ try {
316
+ root = path.resolve(rootDir.replace(/^~/, process.env.HOME || process.env.USERPROFILE || ''));
317
+ } catch {
318
+ return loaded;
319
+ }
320
+ if (!fs.existsSync(root)) return loaded;
321
+
322
+ let entries: string[];
323
+ try {
324
+ entries = fs.readdirSync(root);
325
+ } catch {
326
+ return loaded;
327
+ }
328
+ for (const entry of entries.sort()) {
329
+ if (entry.startsWith('.') || entry.startsWith('_')) continue;
330
+ const skillDir = path.join(root, entry);
331
+ try {
332
+ if (!fs.statSync(skillDir).isDirectory()) continue;
333
+ } catch {
334
+ continue;
335
+ }
336
+ const skillFile = path.join(skillDir, 'SKILL.md');
337
+ if (!fs.existsSync(skillFile)) continue;
338
+ const skill = Skill.fromMarkdown(skillFile);
339
+ if (skill) {
340
+ skill.resourceDir = skillDir;
341
+ this.register(skill);
342
+ loaded.push(skill);
343
+ }
344
+ }
345
+ return loaded;
346
+ }
347
+
306
348
  /**
307
349
  * Load all .md skill files from a directory (Anthropic format).
308
350
  */