skyloom 1.14.5 → 1.14.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/cli/loom.d.ts +2 -0
  2. package/dist/cli/loom.d.ts.map +1 -1
  3. package/dist/cli/loom.js +76 -7
  4. package/dist/cli/loom.js.map +1 -1
  5. package/dist/cli/main.js +12 -3
  6. package/dist/cli/main.js.map +1 -1
  7. package/dist/core/agent/guard.js +4 -4
  8. package/dist/core/agent/guard.js.map +1 -1
  9. package/dist/core/agent.d.ts.map +1 -1
  10. package/dist/core/agent.js +12 -9
  11. package/dist/core/agent.js.map +1 -1
  12. package/dist/core/agent_helpers.d.ts +2 -2
  13. package/dist/core/agent_helpers.d.ts.map +1 -1
  14. package/dist/core/agent_helpers.js +7 -4
  15. package/dist/core/agent_helpers.js.map +1 -1
  16. package/dist/core/config.d.ts.map +1 -1
  17. package/dist/core/config.js +8 -2
  18. package/dist/core/config.js.map +1 -1
  19. package/dist/core/memory.d.ts.map +1 -1
  20. package/dist/core/memory.js +12 -2
  21. package/dist/core/memory.js.map +1 -1
  22. package/dist/core/model_config.d.ts.map +1 -1
  23. package/dist/core/model_config.js +7 -2
  24. package/dist/core/model_config.js.map +1 -1
  25. package/dist/plugins/loader.d.ts +7 -0
  26. package/dist/plugins/loader.d.ts.map +1 -1
  27. package/dist/plugins/loader.js +27 -0
  28. package/dist/plugins/loader.js.map +1 -1
  29. package/dist/tools/builtin.d.ts +6 -0
  30. package/dist/tools/builtin.d.ts.map +1 -1
  31. package/dist/tools/builtin.js +160 -17
  32. package/dist/tools/builtin.js.map +1 -1
  33. package/dist/tools/computer.d.ts.map +1 -1
  34. package/dist/tools/computer.js +18 -7
  35. package/dist/tools/computer.js.map +1 -1
  36. package/dist/web/server.d.ts.map +1 -1
  37. package/dist/web/server.js +35 -2
  38. package/dist/web/server.js.map +1 -1
  39. package/package.json +1 -1
  40. package/src/cli/loom.ts +66 -7
  41. package/src/cli/main.ts +6 -3
  42. package/src/core/agent/guard.ts +4 -4
  43. package/src/core/agent.ts +12 -8
  44. package/src/core/agent_helpers.ts +7 -4
  45. package/src/core/config.ts +5 -2
  46. package/src/core/memory.ts +9 -2
  47. package/src/core/model_config.ts +4 -2
  48. package/src/plugins/loader.ts +91 -66
  49. package/src/tools/builtin.ts +119 -16
  50. package/src/tools/computer.ts +279 -269
  51. package/src/web/server.ts +35 -2
  52. package/tests/fence_plugin.test.ts +52 -0
  53. package/tests/loom.test.ts +89 -0
  54. package/tests/ssrf.test.ts +38 -0
  55. package/tsconfig.json +1 -0
@@ -1,269 +1,279 @@
1
- /**
2
- * Computer-operation tools — cross-platform OS control for Skyloom.
3
- *
4
- * Launch apps, open files/URLs, inspect and diagnose the system, manage
5
- * processes and services, and install/uninstall software.
6
- */
7
-
8
- import { execSync, spawn } from 'child_process';
9
- import * as os from 'os';
10
- import * as fs from 'fs';
11
- import * as path from 'path';
12
- import type { ToolRegistry, ToolDefinition } from '../core/tool';
13
-
14
- const MAX_OUT = 8000;
15
-
16
- function truncate(text: string, limit = MAX_OUT): string {
17
- if (text.length <= limit) return text;
18
- return text.slice(0, limit) + `\n…(truncated, ${text.length - limit} more chars)`;
19
- }
20
-
21
- /**
22
- * Register computer-operation tools into the given registry.
23
- */
24
- export function registerComputerTools(registry: ToolRegistry): void {
25
- const platform = os.platform();
26
-
27
- // ── Launch App ──
28
- registry.register({
29
- name: 'launch_app',
30
- description: 'Launch a desktop application by name or path.',
31
- parameters: [
32
- { name: 'name', type: 'string', description: 'Application name or path', required: true },
33
- ],
34
- handler: async (params) => {
35
- const name = String(params.name || '').trim();
36
- if (!name) return 'Error: app name is required';
37
-
38
- try {
39
- if (platform === 'win32') {
40
- execSync(`start "" "${name}"`, { timeout: 10000 });
41
- return `Launched ${name}`;
42
- } else if (platform === 'darwin') {
43
- execSync(`open -a "${name.replace(/"/g, '\\"')}"`, { timeout: 10000 });
44
- return `Launched ${name}`;
45
- } else {
46
- // Linux - try xdg-open or direct exec
47
- try {
48
- execSync(`${name} &`, { timeout: 5000, shell: true as any });
49
- } catch {
50
- execSync(`xdg-open "${name}" 2>/dev/null || ${name}`, { timeout: 5000, shell: true as any });
51
- }
52
- return `Launched ${name}`;
53
- }
54
- } catch (e: any) {
55
- return `Error launching ${name}: ${e.message || e}`;
56
- }
57
- },
58
- });
59
-
60
- // ── Open Path ──
61
- registry.register({
62
- name: 'open_path',
63
- description: 'Open a file or folder in the default application.',
64
- parameters: [
65
- { name: 'target', type: 'string', description: 'File or folder path', required: true },
66
- ],
67
- handler: async (params) => {
68
- const target = String(params.target || '').trim();
69
- if (!target) return 'Error: target is required';
70
- const resolved = path.resolve(target);
71
- if (!fs.existsSync(resolved)) return `Error: path not found: ${resolved}`;
72
-
73
- try {
74
- if (platform === 'win32') {
75
- execSync(`explorer "${resolved}"`, { timeout: 5000 });
76
- } else if (platform === 'darwin') {
77
- execSync(`open "${resolved}"`, { timeout: 5000 });
78
- } else {
79
- execSync(`xdg-open "${resolved}"`, { timeout: 5000 });
80
- }
81
- return `Opened ${resolved}`;
82
- } catch (e: any) {
83
- return `Error opening ${resolved}: ${e.message || e}`;
84
- }
85
- },
86
- });
87
-
88
- // ── Browser Open ──
89
- registry.register({
90
- name: 'browser_open',
91
- description: 'Open a URL in the default web browser.',
92
- parameters: [
93
- { name: 'url', type: 'string', description: 'URL to open', required: true },
94
- ],
95
- handler: async (params) => {
96
- const url = String(params.url || '').trim();
97
- if (!url) return 'Error: url is required';
98
- try {
99
- if (platform === 'win32') {
100
- execSync(`start "" "${url}"`, { timeout: 10000 });
101
- } else if (platform === 'darwin') {
102
- execSync(`open "${url}"`, { timeout: 10000 });
103
- } else {
104
- execSync(`xdg-open "${url}"`, { timeout: 10000 });
105
- }
106
- return `Opened ${url} in browser`;
107
- } catch (e: any) {
108
- return `Error opening browser: ${e.message || e}`;
109
- }
110
- },
111
- });
112
-
113
- // ── System Info ──
114
- registry.register({
115
- name: 'system_info',
116
- description: 'Get system information (OS, CPU, memory, disk).',
117
- parameters: [],
118
- handler: async () => {
119
- const lines = [
120
- `OS: ${os.type()} ${os.release()}`,
121
- `Hostname: ${os.hostname()}`,
122
- `Platform: ${os.platform()} ${os.arch()}`,
123
- `CPUs: ${os.cpus().length} × ${os.cpus()[0]?.model || 'unknown'}`,
124
- `Memory: ${(os.totalmem() / 1024 / 1024 / 1024).toFixed(1)} GB total, ${(os.freemem() / 1024 / 1024 / 1024).toFixed(1)} GB free`,
125
- `Uptime: ${(os.uptime() / 3600).toFixed(1)} hours`,
126
- `Loadavg: ${os.loadavg().map(n => n.toFixed(2)).join(', ')}`,
127
- `User: ${os.userInfo().username}`,
128
- `Home: ${os.homedir()}`,
129
- `Temp: ${os.tmpdir()}`,
130
- ];
131
- return lines.join('\n');
132
- },
133
- });
134
-
135
- // ── List Processes ──
136
- registry.register({
137
- name: 'list_processes',
138
- description: 'List running processes.',
139
- parameters: [],
140
- handler: async () => {
141
- try {
142
- if (platform === 'win32') {
143
- const out = execSync('tasklist /FO CSV /NH', { encoding: 'utf-8', timeout: 10000 });
144
- return truncate(out, MAX_OUT);
145
- } else {
146
- const out = execSync('ps aux --no-headers 2>/dev/null || ps aux', { encoding: 'utf-8', timeout: 10000 });
147
- return truncate(out, MAX_OUT);
148
- }
149
- } catch (e: any) {
150
- return `Error listing processes: ${e.message || e}`;
151
- }
152
- },
153
- });
154
-
155
- // ── Kill Process ──
156
- registry.register({
157
- name: 'kill_process',
158
- description: 'Kill a process by PID or name.',
159
- parameters: [
160
- { name: 'target', type: 'string', description: 'PID number or process name', required: true },
161
- ],
162
- handler: async (params) => {
163
- const target = String(params.target || '').trim();
164
- if (!target) return 'Error: target is required';
165
-
166
- try {
167
- if (/^\d+$/.test(target)) {
168
- process.kill(parseInt(target), 'SIGTERM');
169
- return `Killed process ${target}`;
170
- } else {
171
- if (platform === 'win32') {
172
- execSync(`taskkill /F /IM "${target}" /T`, { timeout: 10000 });
173
- } else {
174
- execSync(`pkill -f "${target}"`, { timeout: 10000 });
175
- }
176
- return `Killed process ${target}`;
177
- }
178
- } catch (e: any) {
179
- return `Error killing ${target}: ${e.message || e}`;
180
- }
181
- },
182
- dangerous: true,
183
- });
184
-
185
- // ── Package Manager ──
186
- registry.register({
187
- name: 'package_manager',
188
- description: 'Install, uninstall, or upgrade software packages.',
189
- parameters: [
190
- { name: 'action', type: 'string', description: 'Action: install, uninstall, upgrade, search', required: true },
191
- { name: 'name', type: 'string', description: 'Package name', required: true },
192
- ],
193
- handler: async (params) => {
194
- const action = String(params.action || '').trim().toLowerCase();
195
- const name = String(params.name || '').trim();
196
- if (!action || !name) return 'Error: action and name are required';
197
-
198
- // Auto-detect package manager
199
- let pm: string;
200
- const has = (cmd: string) => {
201
- try { execSync(`${cmd} --version`, { stdio: 'ignore' }); return true; }
202
- catch { return false; }
203
- };
204
-
205
- if (platform === 'win32') {
206
- if (has('winget')) pm = 'winget';
207
- else if (has('scoop')) pm = 'scoop';
208
- else if (has('choco')) pm = 'choco';
209
- else return 'No package manager found (winget/scoop/choco)';
210
- } else if (platform === 'darwin') {
211
- pm = has('brew') ? 'brew' : 'No package manager found';
212
- } else {
213
- if (has('apt')) pm = 'apt';
214
- else if (has('dnf')) pm = 'dnf';
215
- else if (has('pacman')) pm = 'pacman';
216
- else return 'No package manager found (apt/dnf/pacman)';
217
- }
218
-
219
- const commands: Record<string, Record<string, string>> = {
220
- winget: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
221
- scoop: { install: 'install', uninstall: 'uninstall', upgrade: 'update', search: 'search' },
222
- choco: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
223
- brew: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
224
- apt: { install: 'install -y', uninstall: 'remove -y', upgrade: 'upgrade -y', search: 'search' },
225
- dnf: { install: 'install -y', uninstall: 'remove -y', upgrade: 'upgrade -y', search: 'search' },
226
- pacman: { install: '-S --noconfirm', uninstall: '-R --noconfirm', upgrade: '-Syu --noconfirm', search: '-Ss' },
227
- };
228
-
229
- const cmdMap = commands[pm];
230
- if (!cmdMap || !cmdMap[action]) return `Unsupported action '${action}' for ${pm}`;
231
-
232
- try {
233
- const out = execSync(`${pm} ${cmdMap[action]} "${name}"`, { encoding: 'utf-8', timeout: 120000 });
234
- return truncate(out, MAX_OUT);
235
- } catch (e: any) {
236
- return `Error: ${e.message || e}`;
237
- }
238
- },
239
- dangerous: true,
240
- });
241
-
242
- // ── Service Control ──
243
- registry.register({
244
- name: 'service_control',
245
- description: 'Start, stop, restart, or check status of a system service.',
246
- parameters: [
247
- { name: 'action', type: 'string', description: 'Action: start, stop, restart, status', required: true },
248
- { name: 'name', type: 'string', description: 'Service name', required: true },
249
- ],
250
- handler: async (params) => {
251
- const action = String(params.action || '').trim().toLowerCase();
252
- const name = String(params.name || '').trim();
253
- if (!action || !name) return 'Error: action and name are required';
254
-
255
- try {
256
- if (platform === 'win32') {
257
- const out = execSync(`sc ${action} "${name}"`, { encoding: 'utf-8', timeout: 30000 });
258
- return truncate(out, MAX_OUT);
259
- } else {
260
- const out = execSync(`systemctl ${action} "${name}" 2>/dev/null || service "${name}" ${action}`, { encoding: 'utf-8', timeout: 30000 });
261
- return truncate(out, MAX_OUT);
262
- }
263
- } catch (e: any) {
264
- return `Error: ${e.message || e}`;
265
- }
266
- },
267
- dangerous: true,
268
- });
269
- }
1
+ /**
2
+ * Computer-operation tools — cross-platform OS control for Skyloom.
3
+ *
4
+ * Launch apps, open files/URLs, inspect and diagnose the system, manage
5
+ * processes and services, and install/uninstall software.
6
+ */
7
+
8
+ import { execSync, execFileSync, spawn } from 'child_process';
9
+ import * as os from 'os';
10
+ import * as fs from 'fs';
11
+ import * as path from 'path';
12
+ import type { ToolRegistry, ToolDefinition } from '../core/tool';
13
+
14
+ const MAX_OUT = 8000;
15
+
16
+ function truncate(text: string, limit = MAX_OUT): string {
17
+ if (text.length <= limit) return text;
18
+ return text.slice(0, limit) + `\n…(truncated, ${text.length - limit} more chars)`;
19
+ }
20
+
21
+ /**
22
+ * Register computer-operation tools into the given registry.
23
+ */
24
+ export function registerComputerTools(registry: ToolRegistry): void {
25
+ const platform = os.platform();
26
+
27
+ // ── Launch App ──
28
+ registry.register({
29
+ name: 'launch_app',
30
+ description: 'Launch a desktop application by name or path.',
31
+ parameters: [
32
+ { name: 'name', type: 'string', description: 'Application name or path', required: true },
33
+ ],
34
+ handler: async (params) => {
35
+ const name = String(params.name || '').trim();
36
+ if (!name) return 'Error: app name is required';
37
+
38
+ try {
39
+ if (platform === 'win32') {
40
+ execSync(`start "" "${name}"`, { timeout: 10000 });
41
+ return `Launched ${name}`;
42
+ } else if (platform === 'darwin') {
43
+ execSync(`open -a "${name.replace(/"/g, '\\"')}"`, { timeout: 10000 });
44
+ return `Launched ${name}`;
45
+ } else {
46
+ // Linux - try xdg-open or direct exec
47
+ try {
48
+ execSync(`${name} &`, { timeout: 5000, shell: true as any });
49
+ } catch {
50
+ execSync(`xdg-open "${name}" 2>/dev/null || ${name}`, { timeout: 5000, shell: true as any });
51
+ }
52
+ return `Launched ${name}`;
53
+ }
54
+ } catch (e: any) {
55
+ return `Error launching ${name}: ${e.message || e}`;
56
+ }
57
+ },
58
+ });
59
+
60
+ // ── Open Path ──
61
+ registry.register({
62
+ name: 'open_path',
63
+ description: 'Open a file or folder in the default application.',
64
+ parameters: [
65
+ { name: 'target', type: 'string', description: 'File or folder path', required: true },
66
+ ],
67
+ handler: async (params) => {
68
+ const target = String(params.target || '').trim();
69
+ if (!target) return 'Error: target is required';
70
+ const resolved = path.resolve(target);
71
+ if (!fs.existsSync(resolved)) return `Error: path not found: ${resolved}`;
72
+
73
+ try {
74
+ if (platform === 'win32') {
75
+ execSync(`explorer "${resolved}"`, { timeout: 5000 });
76
+ } else if (platform === 'darwin') {
77
+ execSync(`open "${resolved}"`, { timeout: 5000 });
78
+ } else {
79
+ execSync(`xdg-open "${resolved}"`, { timeout: 5000 });
80
+ }
81
+ return `Opened ${resolved}`;
82
+ } catch (e: any) {
83
+ return `Error opening ${resolved}: ${e.message || e}`;
84
+ }
85
+ },
86
+ });
87
+
88
+ // ── Browser Open ──
89
+ registry.register({
90
+ name: 'browser_open',
91
+ description: 'Open a URL in the default web browser.',
92
+ parameters: [
93
+ { name: 'url', type: 'string', description: 'URL to open', required: true },
94
+ ],
95
+ handler: async (params) => {
96
+ const url = String(params.url || '').trim();
97
+ if (!url) return 'Error: url is required';
98
+ try {
99
+ if (platform === 'win32') {
100
+ execSync(`start "" "${url}"`, { timeout: 10000 });
101
+ } else if (platform === 'darwin') {
102
+ execSync(`open "${url}"`, { timeout: 10000 });
103
+ } else {
104
+ execSync(`xdg-open "${url}"`, { timeout: 10000 });
105
+ }
106
+ return `Opened ${url} in browser`;
107
+ } catch (e: any) {
108
+ return `Error opening browser: ${e.message || e}`;
109
+ }
110
+ },
111
+ });
112
+
113
+ // ── System Info ──
114
+ registry.register({
115
+ name: 'system_info',
116
+ description: 'Get system information (OS, CPU, memory, disk).',
117
+ parameters: [],
118
+ handler: async () => {
119
+ const lines = [
120
+ `OS: ${os.type()} ${os.release()}`,
121
+ `Hostname: ${os.hostname()}`,
122
+ `Platform: ${os.platform()} ${os.arch()}`,
123
+ `CPUs: ${os.cpus().length} × ${os.cpus()[0]?.model || 'unknown'}`,
124
+ `Memory: ${(os.totalmem() / 1024 / 1024 / 1024).toFixed(1)} GB total, ${(os.freemem() / 1024 / 1024 / 1024).toFixed(1)} GB free`,
125
+ `Uptime: ${(os.uptime() / 3600).toFixed(1)} hours`,
126
+ `Loadavg: ${os.loadavg().map(n => n.toFixed(2)).join(', ')}`,
127
+ `User: ${os.userInfo().username}`,
128
+ `Home: ${os.homedir()}`,
129
+ `Temp: ${os.tmpdir()}`,
130
+ ];
131
+ return lines.join('\n');
132
+ },
133
+ });
134
+
135
+ // ── List Processes ──
136
+ registry.register({
137
+ name: 'list_processes',
138
+ description: 'List running processes.',
139
+ parameters: [],
140
+ handler: async () => {
141
+ try {
142
+ if (platform === 'win32') {
143
+ const out = execSync('tasklist /FO CSV /NH', { encoding: 'utf-8', timeout: 10000 });
144
+ return truncate(out, MAX_OUT);
145
+ } else {
146
+ const out = execSync('ps aux --no-headers 2>/dev/null || ps aux', { encoding: 'utf-8', timeout: 10000 });
147
+ return truncate(out, MAX_OUT);
148
+ }
149
+ } catch (e: any) {
150
+ return `Error listing processes: ${e.message || e}`;
151
+ }
152
+ },
153
+ });
154
+
155
+ // ── Kill Process ──
156
+ registry.register({
157
+ name: 'kill_process',
158
+ description: 'Kill a process by PID or name.',
159
+ parameters: [
160
+ { name: 'target', type: 'string', description: 'PID number or process name', required: true },
161
+ ],
162
+ handler: async (params) => {
163
+ const target = String(params.target || '').trim();
164
+ if (!target) return 'Error: target is required';
165
+
166
+ try {
167
+ if (/^\d+$/.test(target)) {
168
+ process.kill(parseInt(target), 'SIGTERM');
169
+ return `Killed process ${target}`;
170
+ } else {
171
+ if (platform === 'win32') {
172
+ execFileSync('taskkill', ['/F', '/IM', target, '/T'], { timeout: 10000 });
173
+ } else {
174
+ execFileSync('pkill', ['-f', target], { timeout: 10000 });
175
+ }
176
+ return `Killed process ${target}`;
177
+ }
178
+ } catch (e: any) {
179
+ return `Error killing ${target}: ${e.message || e}`;
180
+ }
181
+ },
182
+ dangerous: true,
183
+ });
184
+
185
+ // ── Package Manager ──
186
+ registry.register({
187
+ name: 'package_manager',
188
+ description: 'Install, uninstall, or upgrade software packages.',
189
+ parameters: [
190
+ { name: 'action', type: 'string', description: 'Action: install, uninstall, upgrade, search', required: true },
191
+ { name: 'name', type: 'string', description: 'Package name', required: true },
192
+ ],
193
+ handler: async (params) => {
194
+ const action = String(params.action || '').trim().toLowerCase();
195
+ const name = String(params.name || '').trim();
196
+ if (!action || !name) return 'Error: action and name are required';
197
+
198
+ // Auto-detect package manager
199
+ let pm: string;
200
+ const has = (cmd: string) => {
201
+ try { execFileSync(cmd, ['--version'], { stdio: 'ignore' }); return true; }
202
+ catch { return false; }
203
+ };
204
+
205
+ if (platform === 'win32') {
206
+ if (has('winget')) pm = 'winget';
207
+ else if (has('scoop')) pm = 'scoop';
208
+ else if (has('choco')) pm = 'choco';
209
+ else return 'No package manager found (winget/scoop/choco)';
210
+ } else if (platform === 'darwin') {
211
+ pm = has('brew') ? 'brew' : 'No package manager found';
212
+ } else {
213
+ if (has('apt')) pm = 'apt';
214
+ else if (has('dnf')) pm = 'dnf';
215
+ else if (has('pacman')) pm = 'pacman';
216
+ else return 'No package manager found (apt/dnf/pacman)';
217
+ }
218
+
219
+ const commands: Record<string, Record<string, string>> = {
220
+ winget: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
221
+ scoop: { install: 'install', uninstall: 'uninstall', upgrade: 'update', search: 'search' },
222
+ choco: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
223
+ brew: { install: 'install', uninstall: 'uninstall', upgrade: 'upgrade', search: 'search' },
224
+ apt: { install: 'install -y', uninstall: 'remove -y', upgrade: 'upgrade -y', search: 'search' },
225
+ dnf: { install: 'install -y', uninstall: 'remove -y', upgrade: 'upgrade -y', search: 'search' },
226
+ pacman: { install: '-S --noconfirm', uninstall: '-R --noconfirm', upgrade: '-Syu --noconfirm', search: '-Ss' },
227
+ };
228
+
229
+ const cmdMap = commands[pm];
230
+ if (!cmdMap || !cmdMap[action]) return `Unsupported action '${action}' for ${pm}`;
231
+
232
+ try {
233
+ // cmdMap entries may carry flags (e.g. 'install -y', '-S --noconfirm');
234
+ // split them into argv so the package name stays a single argument with
235
+ // no shell interpretation.
236
+ const pmArgs = cmdMap[action].split(/\s+/).filter(Boolean);
237
+ const out = execFileSync(pm, [...pmArgs, name], { encoding: 'utf-8', timeout: 120000 });
238
+ return truncate(out, MAX_OUT);
239
+ } catch (e: any) {
240
+ return `Error: ${e.message || e}`;
241
+ }
242
+ },
243
+ dangerous: true,
244
+ });
245
+
246
+ // ── Service Control ──
247
+ registry.register({
248
+ name: 'service_control',
249
+ description: 'Start, stop, restart, or check status of a system service.',
250
+ parameters: [
251
+ { name: 'action', type: 'string', description: 'Action: start, stop, restart, status', required: true },
252
+ { name: 'name', type: 'string', description: 'Service name', required: true },
253
+ ],
254
+ handler: async (params) => {
255
+ const action = String(params.action || '').trim().toLowerCase();
256
+ const name = String(params.name || '').trim();
257
+ if (!action || !name) return 'Error: action and name are required';
258
+
259
+ const allowed = ['start', 'stop', 'restart', 'status'];
260
+ if (!allowed.includes(action)) return `Unsupported action '${action}' (use: ${allowed.join('/')})`;
261
+ try {
262
+ if (platform === 'win32') {
263
+ const out = execFileSync('sc', [action, name], { encoding: 'utf-8', timeout: 30000 });
264
+ return truncate(out, MAX_OUT);
265
+ }
266
+ try {
267
+ const out = execFileSync('systemctl', [action, name], { encoding: 'utf-8', timeout: 30000 });
268
+ return truncate(out, MAX_OUT);
269
+ } catch {
270
+ const out = execFileSync('service', [name, action], { encoding: 'utf-8', timeout: 30000 });
271
+ return truncate(out, MAX_OUT);
272
+ }
273
+ } catch (e: any) {
274
+ return `Error: ${e.message || e}`;
275
+ }
276
+ },
277
+ dangerous: true,
278
+ });
279
+ }
package/src/web/server.ts CHANGED
@@ -72,8 +72,35 @@ const PIGMENTS: Record<string, {
72
72
  export async function startWebServer(port: number = 3000): Promise<void> {
73
73
  const ctx = createSystemContext();
74
74
 
75
+ // Bind to loopback by default: the chat API drives the agent (and its tools)
76
+ // with no authentication, so it must not be exposed to the network unless the
77
+ // operator explicitly opts in via SKYLOOM_WEB_HOST=0.0.0.0.
78
+ const host = process.env.SKYLOOM_WEB_HOST || "127.0.0.1";
79
+ const loopbackOnly = host === "127.0.0.1" || host === "localhost" || host === "::1";
80
+
81
+ // Reject cross-origin / rebound Host headers when bound to loopback. Without
82
+ // this, a malicious web page could POST to http://localhost:<port>/api/chat
83
+ // from the victim's browser and execute agent tools (CORS does not block the
84
+ // side effect, only the response read).
85
+ const hostAllowed = (h: string | undefined): boolean => {
86
+ if (!loopbackOnly) return true;
87
+ const name = (h || "").split(":")[0].toLowerCase();
88
+ return name === "localhost" || name === "127.0.0.1" || name === "[::1]" || name === "::1" || name === "";
89
+ };
90
+
75
91
  const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
76
- res.setHeader("Access-Control-Allow-Origin", "*");
92
+ if (!hostAllowed(req.headers.host)) {
93
+ res.writeHead(403, { "Content-Type": "application/json" }).end(JSON.stringify({ error: "Forbidden host" }));
94
+ return;
95
+ }
96
+ // Same-origin only when loopback-bound (no wildcard CORS that would invite
97
+ // cross-site requests to a credential-less, tool-executing endpoint).
98
+ if (loopbackOnly) {
99
+ res.setHeader("Access-Control-Allow-Origin", `http://${req.headers.host || `localhost:${port}`}`);
100
+ res.setHeader("Vary", "Origin");
101
+ } else {
102
+ res.setHeader("Access-Control-Allow-Origin", "*");
103
+ }
77
104
  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
78
105
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
79
106
  if (req.method === "OPTIONS") { res.writeHead(204); res.end(); return; }
@@ -87,7 +114,13 @@ export async function startWebServer(port: number = 3000): Promise<void> {
87
114
  } catch (e) { res.writeHead(500, { "Content-Type": "application/json" }).end(JSON.stringify({ error: String(e) })); }
88
115
  });
89
116
 
90
- return new Promise((resolve) => { server.listen(port, () => { console.log(`\n 水墨气象台 · Skyloom\n http://localhost:${port}\n`); resolve(); }); });
117
+ return new Promise((resolve) => {
118
+ server.listen(port, host, () => {
119
+ const shown = loopbackOnly ? "localhost" : host;
120
+ console.log(`\n 水墨气象台 · Skyloom\n http://${shown}:${port}${loopbackOnly ? " (仅本机 · 设 SKYLOOM_WEB_HOST=0.0.0.0 可对外开放)" : " ⚠ 已对外开放 · 无鉴权"}\n`);
121
+ resolve();
122
+ });
123
+ });
91
124
  }
92
125
 
93
126
  async function handleChat(req: IncomingMessage, res: ServerResponse, ctx: ReturnType<typeof createSystemContext>) {
@@ -0,0 +1,52 @@
1
+ import { describe, it, expect, afterEach } from "vitest";
2
+ import * as path from "path";
3
+ import * as os from "os";
4
+ import { fenceCheck, fenceRoot } from "../src/tools/builtin";
5
+ import { isSafePluginPath } from "../src/plugins/loader";
6
+
7
+ describe("workspace fence (opt-in)", () => {
8
+ afterEach(() => {
9
+ delete process.env.SKYLOOM_WORKSPACE_FENCE;
10
+ delete process.env.SKYLOOM_WORKSPACE_ROOT;
11
+ });
12
+
13
+ it("is disabled by default (no env)", () => {
14
+ expect(fenceRoot()).toBeNull();
15
+ expect(fenceCheck("/etc/passwd")).toBeNull();
16
+ });
17
+
18
+ it("confines paths to the root when enabled", () => {
19
+ const root = path.join(os.tmpdir(), "sky-fence-root");
20
+ process.env.SKYLOOM_WORKSPACE_FENCE = "1";
21
+ process.env.SKYLOOM_WORKSPACE_ROOT = root;
22
+ expect(fenceCheck(path.join(root, "a", "b.txt"))).toBeNull();
23
+ expect(fenceCheck(root)).toBeNull();
24
+ expect(fenceCheck("/etc/passwd")).toMatch(/路径越界/);
25
+ // sibling prefix must not slip past (root vs root-evil)
26
+ expect(fenceCheck(root + "-evil/x")).toMatch(/路径越界/);
27
+ // traversal out
28
+ expect(fenceCheck(path.join(root, "..", "secret"))).toMatch(/路径越界/);
29
+ });
30
+ });
31
+
32
+ describe("plugin path safety", () => {
33
+ it("allows owner-only paths, rejects world/group-writable (POSIX)", () => {
34
+ if (process.platform === "win32") return; // bits not meaningful on Windows
35
+ const fs = require("fs");
36
+ const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sky-plugin-"));
37
+ const safe = path.join(dir, "safe.js"); fs.writeFileSync(safe, "", { mode: 0o644 }); fs.chmodSync(safe, 0o644);
38
+ const unsafe = path.join(dir, "unsafe.js"); fs.writeFileSync(unsafe, ""); fs.chmodSync(unsafe, 0o666);
39
+ expect(isSafePluginPath(safe)).toBe(true);
40
+ expect(isSafePluginPath(unsafe)).toBe(false);
41
+ });
42
+
43
+ it("honors the unsafe opt-out", () => {
44
+ if (process.platform === "win32") return;
45
+ const fs = require("fs");
46
+ const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sky-plugin2-"));
47
+ const unsafe = path.join(dir, "x.js"); fs.writeFileSync(unsafe, ""); fs.chmodSync(unsafe, 0o666);
48
+ process.env.SKYLOOM_ALLOW_UNSAFE_PLUGINS = "1";
49
+ try { expect(isSafePluginPath(unsafe)).toBe(true); }
50
+ finally { delete process.env.SKYLOOM_ALLOW_UNSAFE_PLUGINS; }
51
+ });
52
+ });