typeclaw 0.1.2 → 0.1.4

package/src/init/auto-upgrade.ts

@@ -0,0 +1,368 @@
+import { existsSync, readFileSync } from 'node:fs'
+import { readFile, writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+
+import { resolveScaffoldVersion } from './cli-version'
+
+const PACKAGE_FILE = 'package.json'
+const TYPECLAW = 'typeclaw'
+
+// Two semver quirks drive every branch in this module:
+//
+// 1. Pre-1.0 caret: `^0.1.0` resolves to `>=0.1.0 <0.2.0`. A CLI bump from
+//    0.1.x to 0.2.0 falls OUT of the agent's range, so we must rewrite the
+//    spec for those crossings.
+//
+// 2. `bun install` honors the lockfile: when the lockfile entry already
+//    satisfies the declared spec, `bun install` is a no-op even if a newer
+//    in-range version exists upstream. To actually upgrade an in-range dep
+//    we MUST use `bun update <pkg> --latest`. See src/init/run-bun-install.ts.
+//
+// The decision matrix anchors on the INSTALLED version (the truth), not the
+// declared range floor (a promise the agent may not yet have kept).
+
+export type AutoUpgradeOutcome =
+  | { kind: 'skipped-dev-mode' }
+  | { kind: 'skipped-no-dep' }
+  | { kind: 'skipped-non-release-spec'; declared: string }
+  | { kind: 'skipped-already-running' }
+  | { kind: 'up-to-date'; installedVersion: string }
+  | { kind: 'exact-pin-respected'; declared: string; cliVersion: string }
+  | { kind: 'spec-rewritten'; from: string; to: string; cliVersion: string }
+  | { kind: 'reinstall-needed'; from: string; to: string }
+
+export type AutoUpgradeOptions = {
+  cwd: string
+  // Test seam: lets tests simulate dev-mode (null) and arbitrary release
+  // versions without depending on the test runner's actual CLI version.
+  scaffoldVersion?: string | null
+}
+
+export async function autoUpgradeTypeclawDep(options: AutoUpgradeOptions): Promise<AutoUpgradeOutcome> {
+  const { cwd } = options
+  const scaffold = options.scaffoldVersion !== undefined ? options.scaffoldVersion : resolveScaffoldVersion()
+  if (scaffold === null) return { kind: 'skipped-dev-mode' }
+
+  const cliVersion = stripCaret(scaffold)
+  if (cliVersion === null) return { kind: 'skipped-dev-mode' }
+
+  const pkg = await readAgentPackageJson(cwd)
+  if (pkg === null) return { kind: 'skipped-no-dep' }
+
+  const declared = pkg.parsed.dependencies?.[TYPECLAW]
+  if (typeof declared !== 'string') return { kind: 'skipped-no-dep' }
+
+  const declaredKind = classifyDepSpec(declared)
+  if (declaredKind.kind === 'non-release') {
+    return { kind: 'skipped-non-release-spec', declared }
+  }
+
+  const installed = readInstalledTypeclawVersion(cwd)
+
+  // "Upgrade only, never downgrade" — anchored on the INSTALLED version
+  // (the truth), with the declared range floor used ONLY when nothing is
+  // installed yet (best proxy for "what would land if bun install ran").
+  //
+  // Anchoring on `installed` first closes the half-applied-rewrite hole:
+  // a previous start may have written ^0.2.0 to package.json but failed
+  // its install, leaving node_modules at 0.1.x. The declared floor would
+  // wrongly say "up-to-date"; the installed version correctly says "retry."
+  if (installed !== null && compareReleaseVersions(installed, cliVersion) >= 0) {
+    return { kind: 'up-to-date', installedVersion: installed }
+  }
+  if (installed === null && declaredKind.kind !== 'exact') {
+    const declaredFloor = formatTriple(declaredKind.version)
+    if (compareReleaseVersions(declaredFloor, cliVersion) >= 0) {
+      return { kind: 'up-to-date', installedVersion: declaredFloor }
+    }
+  }
+
+  if (declaredKind.kind === 'exact') {
+    const declaredVersion = formatTriple(declaredKind.version)
+    // Exact pin matches CLI but installed is stale (or missing): we still
+    // need to install. The user wrote the right spec — they just haven't
+    // materialized it yet. Return reinstall-needed; caller will run
+    // `bun update typeclaw --latest` against that exact spec.
+    if (declaredVersion === cliVersion) {
+      return { kind: 'reinstall-needed', from: installed ?? '<missing>', to: cliVersion }
+    }
+    // Exact pin diverges from CLI. User intent wins; we warn but never
+    // rewrite. If installed is ALSO ahead of CLI (e.g. exact pin 0.1.5,
+    // CLI 0.1.2), the up-to-date check above already returned.
+    return { kind: 'exact-pin-respected', declared, cliVersion }
+  }
+
+  if (!rangeSatisfies(declaredKind, cliVersion)) {
+    const newSpec = `^${cliVersion}`
+    await writeDepSpec(cwd, pkg.raw, pkg.parsed, newSpec)
+    return { kind: 'spec-rewritten', from: declared, to: newSpec, cliVersion }
+  }
+
+  // Declared range includes CLI. Three sub-cases:
+  //   - installed === null: fresh agent, nothing on disk yet. ensureDeps
+  //     will install for the missing-dep reason; nothing for us to add.
+  //   - installed > CLI but in range: we already returned up-to-date above.
+  //   - installed < CLI: force an upgrade via `bun update typeclaw --latest`.
+  if (installed === null) {
+    return { kind: 'up-to-date', installedVersion: cliVersion }
+  }
+  return { kind: 'reinstall-needed', from: installed, to: cliVersion }
+}
+
+export function outcomeForcesInstall(outcome: AutoUpgradeOutcome): boolean {
+  return outcome.kind === 'spec-rewritten' || outcome.kind === 'reinstall-needed'
+}
+
+// The version we expect to find in node_modules/typeclaw after the
+// auto-upgrade-triggered install completes. Callers use this to verify
+// the install actually moved the on-disk version (not just resolved the
+// lockfile). Returns null when no install was forced — verification is
+// skipped on no-op outcomes.
+export function expectedInstalledAfterUpgrade(outcome: AutoUpgradeOutcome): string | null {
+  if (outcome.kind === 'spec-rewritten') return outcome.cliVersion
+  if (outcome.kind === 'reinstall-needed') return outcome.to
+  return null
+}
+
+export function describeAutoUpgrade(outcome: AutoUpgradeOutcome): string {
+  switch (outcome.kind) {
+    case 'spec-rewritten':
+      return `Upgrading agent typeclaw ${outcome.from} → ${outcome.to} to match CLI`
+    case 'reinstall-needed':
+      return `Upgrading agent typeclaw ${outcome.from} → ${outcome.to} to match CLI`
+    case 'exact-pin-respected':
+      return `Agent typeclaw is exact-pinned to ${outcome.declared}; CLI is ${outcome.cliVersion}. Not upgrading (remove the exact pin to allow auto-upgrade).`
+    default:
+      return ''
+  }
+}
+
+export function readInstalledTypeclawVersionFromAgent(cwd: string): string | null {
+  return readInstalledTypeclawVersion(cwd)
+}
+
+type ParsedPackage = {
+  raw: string
+  parsed: { dependencies?: Record<string, string> } & Record<string, unknown>
+}
+
+async function readAgentPackageJson(cwd: string): Promise<ParsedPackage | null> {
+  const path = join(cwd, PACKAGE_FILE)
+  if (!existsSync(path)) return null
+  let raw: string
+  try {
+    raw = await readFile(path, 'utf8')
+  } catch {
+    return null
+  }
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(raw)
+  } catch {
+    return null
+  }
+  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null
+  return { raw, parsed: parsed as ParsedPackage['parsed'] }
+}
+
+function readInstalledTypeclawVersion(cwd: string): string | null {
+  const path = join(cwd, 'node_modules', TYPECLAW, PACKAGE_FILE)
+  if (!existsSync(path)) return null
+  let raw: string
+  try {
+    raw = readFileSync(path, 'utf8')
+  } catch {
+    return null
+  }
+  try {
+    const parsed = JSON.parse(raw) as { version?: string }
+    if (typeof parsed.version === 'string' && isReleaseVersion(parsed.version)) return parsed.version
+  } catch {}
+  return null
+}
+
+type DepSpecKind =
+  | { kind: 'exact'; version: [number, number, number]; raw: string }
+  | { kind: 'caret'; version: [number, number, number] }
+  | { kind: 'tilde'; version: [number, number, number] }
+  | { kind: 'non-release' }
+
+function classifyDepSpec(spec: string): DepSpecKind {
+  const trimmed = spec.trim()
+  const exactMatch = trimmed.match(/^=?(\d+)\.(\d+)\.(\d+)$/)
+  if (exactMatch) {
+    const [, a, b, c] = exactMatch
+    return { kind: 'exact', version: parseTriple(a!, b!, c!), raw: trimmed }
+  }
+  const caretMatch = trimmed.match(/^\^(\d+)\.(\d+)\.(\d+)$/)
+  if (caretMatch) {
+    const [, a, b, c] = caretMatch
+    return { kind: 'caret', version: parseTriple(a!, b!, c!) }
+  }
+  const tildeMatch = trimmed.match(/^~(\d+)\.(\d+)\.(\d+)$/)
+  if (tildeMatch) {
+    const [, a, b, c] = tildeMatch
+    return { kind: 'tilde', version: parseTriple(a!, b!, c!) }
+  }
+  return { kind: 'non-release' }
+}
+
+function parseTriple(a: string, b: string, c: string): [number, number, number] {
+  return [Number.parseInt(a, 10), Number.parseInt(b, 10), Number.parseInt(c, 10)]
+}
+
+function formatTriple(v: [number, number, number]): string {
+  return `${v[0]}.${v[1]}.${v[2]}`
+}
+
+// npm/bun caret+tilde semantics, narrowed to plain X.Y.Z bases:
+//   ^0.1.2 → >=0.1.2 <0.2.0   (pre-1.0 caret pins minor — the bug we fix)
+//   ^1.2.3 → >=1.2.3 <2.0.0
+//   ~0.1.2 → >=0.1.2 <0.2.0
+//   ~1.2.3 → >=1.2.3 <1.3.0
+function rangeSatisfies(range: Exclude<DepSpecKind, { kind: 'exact' | 'non-release' }>, version: string): boolean {
+  const v = parseVersion(version)
+  if (v === null) return false
+  const [base, ceiling] = rangeBounds(range)
+  return compareTriples(v, base) >= 0 && compareTriples(v, ceiling) < 0
+}
+
+function rangeBounds(
+  range: Exclude<DepSpecKind, { kind: 'exact' | 'non-release' }>,
+): [[number, number, number], [number, number, number]] {
+  const [maj, min, pat] = range.version
+  if (range.kind === 'caret') {
+    if (maj > 0)
+      return [
+        [maj, min, pat],
+        [maj + 1, 0, 0],
+      ]
+    if (min > 0)
+      return [
+        [maj, min, pat],
+        [maj, min + 1, 0],
+      ]
+    return [
+      [maj, min, pat],
+      [maj, min, pat + 1],
+    ]
+  }
+  return [
+    [maj, min, pat],
+    [maj, min + 1, 0],
+  ]
+}
+
+function parseVersion(version: string): [number, number, number] | null {
+  const m = version.match(/^(\d+)\.(\d+)\.(\d+)$/)
+  if (!m) return null
+  const [, a, b, c] = m
+  return parseTriple(a!, b!, c!)
+}
+
+function compareTriples(a: [number, number, number], b: [number, number, number]): number {
+  for (let i = 0; i < 3; i++) {
+    const ai = a[i]!
+    const bi = b[i]!
+    if (ai !== bi) return ai - bi
+  }
+  return 0
+}
+
+function compareReleaseVersions(a: string, b: string): number {
+  const av = parseVersion(a)
+  const bv = parseVersion(b)
+  if (av === null || bv === null) return 0
+  return compareTriples(av, bv)
+}
+
+function stripCaret(scaffold: string): string | null {
+  const m = scaffold.match(/^\^?(\d+\.\d+\.\d+)$/)
+  return m ? (m[1] ?? null) : null
+}
+
+function isReleaseVersion(version: string): boolean {
+  return /^\d+\.\d+\.\d+$/.test(version)
+}
+
+async function writeDepSpec(cwd: string, raw: string, parsed: ParsedPackage['parsed'], newSpec: string): Promise<void> {
+  // Scoped edit: replace the typeclaw spec ONLY inside the dependencies
+  // object. The previous implementation used `raw.replace(/"typeclaw":.../)`
+  // unscoped, which would silently rewrite devDependencies.typeclaw if it
+  // appeared before dependencies.typeclaw in the file (the original spec
+  // never moves). We slice the dependencies object's textual range, edit
+  // inside it, then splice back to preserve whitespace, key order, and
+  // trailing newline. If the slice fails (unusual JSON shape), fall back
+  // to a full JSON round-trip — formatting churn is acceptable; silently
+  // updating the wrong key is not.
+  const scoped = sliceDependenciesRange(raw, parsed)
+  if (scoped !== null) {
+    const { start, end } = scoped
+    const block = raw.slice(start, end)
+    const replaced = block.replace(
+      /("typeclaw"\s*:\s*)"[^"]+"/,
+      (_m, prefix: string) => `${prefix}${JSON.stringify(newSpec)}`,
+    )
+    if (replaced !== block) {
+      await writeFile(join(cwd, PACKAGE_FILE), `${raw.slice(0, start)}${replaced}${raw.slice(end)}`)
+      return
+    }
+  }
+  const deps = { ...parsed.dependencies, [TYPECLAW]: newSpec }
+  const next = { ...parsed, dependencies: deps }
+  const indent = detectIndent(raw)
+  await writeFile(join(cwd, PACKAGE_FILE), `${JSON.stringify(next, null, indent)}\n`)
+}
+
+// Returns the [start, end) byte range of the "dependencies" object's value
+// in `raw`, or null if it can't be located unambiguously. Uses a brace-
+// counting tokenizer that respects string literals so a `dependencies` key
+// inside a string value (e.g. inside a `description`) cannot fool it.
+function sliceDependenciesRange(raw: string, parsed: ParsedPackage['parsed']): { start: number; end: number } | null {
+  if (parsed.dependencies === undefined || parsed.dependencies === null) return null
+  const keyMatch = raw.match(/"dependencies"\s*:\s*\{/)
+  if (!keyMatch || keyMatch.index === undefined) return null
+  const startOfOpenBrace = keyMatch.index + keyMatch[0].length - 1
+  const closeBrace = findMatchingCloseBrace(raw, startOfOpenBrace)
+  if (closeBrace === null) return null
+  return { start: startOfOpenBrace, end: closeBrace + 1 }
+}
+
+function findMatchingCloseBrace(raw: string, openIndex: number): number | null {
+  let depth = 0
+  let inString = false
+  let escape = false
+  for (let i = openIndex; i < raw.length; i++) {
+    const ch = raw[i]
+    if (escape) {
+      escape = false
+      continue
+    }
+    if (inString) {
+      if (ch === '\\') escape = true
+      else if (ch === '"') inString = false
+      continue
+    }
+    if (ch === '"') {
+      inString = true
+      continue
+    }
+    if (ch === '{') depth++
+    else if (ch === '}') {
+      depth--
+      if (depth === 0) return i
+    }
+  }
+  return null
+}
+
+function detectIndent(raw: string): number | string {
+  // Default to 2 — matches `JSON.stringify(_, _, 2)` behavior and the
+  // project's existing scaffold style. Only override when we can see a
+  // clear non-2 indent on the first indented line.
+  const match = raw.match(/\n([\t ]+)\S/)
+  if (!match) return 2
+  const sample = match[1]!
+  if (sample.startsWith('\t')) return '\t'
+  return sample.length
+}

package/src/init/dockerfile.ts

@@ -89,11 +89,13 @@ export const NETWORK_BLOCK_IPV6_NETS = ['fc00::/7', 'fe80::/10', 'ff00::/8', '::
 // Renders the shell script that runs as PID 1 inside the container. Two
 // modes, picked at boot time from `$TYPECLAW_NETWORK_BLOCK_INTERNAL`:
 //
-//   off (default, blockInternal=false or env unset): no rules installed,
-//   no setpriv. Just exec `bun run typeclaw "$@"`. Identical observable
-//   behavior to the pre-feature container.
+//   off (env unset or != "1"): no rules installed, no setpriv. Just exec
+//   `bun run typeclaw "$@"`. Identical observable behavior to a container
+//   without this feature. This is the opt-out path for users who set
+//   `network.blockInternal: false` in their `typeclaw.json`.
 //
-//   on (blockInternal=true): walks IPv4 + IPv6 block lists and installs
+//   on (default, env = "1" via `network.blockInternal: true`): walks IPv4 +
+//   IPv6 block lists and installs
 //   REJECT rules in the OUTPUT chain. Loopback (`-o lo`) is ACCEPT'd first
 //   so dev-server dogfooding still works. The hostd HTTP control port on
 //   `host.docker.internal` is re-allowed at runtime — narrowly, single
@@ -130,6 +132,44 @@ export const NETWORK_BLOCK_IPV6_NETS = ['fc00::/7', 'fe80::/10', 'ff00::/8', '::
 // `set -eu` propagates rule-install failures up to PID 1 exit, which kills
 // the container. Failing closed is the right thing: an unenforced
 // blockInternal=true is worse than blockInternal=false.
+//
+// Carve-out ordering is load-bearing. iptables OUTPUT is first-match-wins,
+// and we use -A (append). So the order written into the shim is the order
+// rules will be evaluated:
+//   1. loopback ACCEPT
+//   2. hostd port ACCEPT (narrow: tcp + single dport on the host gateway)
+//   3. resolver ACCEPT (narrow: udp/tcp dport 53 to each /etc/resolv.conf
+//      nameserver) — gated on TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS=1
+//   4. user-supplied allowlist ACCEPT (wholesale: -d <cidr>) — driven by
+//      TYPECLAW_NETWORK_ALLOW comma-separated env
+//   5. RFC1918 + link-local + CGNAT + multicast + reserved REJECTs
+// A resolver at 10.0.0.2 hits (3) and ACCEPTs before (5) DROPs it.
+//
+// The resolver carve-out reads /etc/resolv.conf inside the container, NOT
+// on the host. Docker propagates the host's resolver into the container by
+// default (Docker Desktop and OrbStack rewrite it to the embedded DNS
+// proxy at 127.0.0.11; Docker on Linux copies the host's resolv.conf
+// verbatim unless --dns is passed). On Docker Desktop / OrbStack the
+// nameserver is loopback and the rule is a no-op (loopback is already
+// ACCEPT'd by rule 1). On native Linux + EC2/GCE/Azure VMs, the
+// nameserver is the VPC resolver inside RFC1918 — exactly the case this
+// carve-out targets.
+//
+// `awk '/^nameserver/{print $2}'` extracts only the IP, skipping
+// comments, `search`, `options`, and malformed lines. We don't validate
+// the IP further: a malformed nameserver line would have crashed glibc's
+// resolver long before the shim ran, so we trust resolv.conf's contents.
+// IPv6 nameservers (rare in practice, never the case on EC2/GCE/Azure)
+// are skipped by `grep -v ':'` to avoid feeding a v6 address to iptables.
+// `iptables -C` (check) is intentionally NOT used to dedupe — duplicate
+// ACCEPT rules are harmless (still first-match-wins), and the check
+// flag's exit code is hard to reason about under `set -e`.
+//
+// The user-supplied allowlist (TYPECLAW_NETWORK_ALLOW) is splat on
+// commas. Each entry is fed directly to iptables -d, which accepts both
+// bare IPs and CIDR notation. Validation already happened in config.ts at
+// parse time, so the shim trusts the env. Empty env → loop body never
+// runs, zero ACCEPT rules added.
 export function buildEntrypointShim(): string {
   const ipv4Rules = NETWORK_BLOCK_IPV4_NETS.map(
     (net) => `iptables -A OUTPUT -d ${net} -j REJECT --reject-with icmp-port-unreachable`,
@@ -160,6 +200,26 @@ if [ -n "\${hostd_port:-}" ]; then
     iptables -A OUTPUT -p tcp -d "$host_gw_ip" --dport "$hostd_port" -j ACCEPT
   fi
 fi
+
+# Resolver carve-out: parse /etc/resolv.conf nameservers and ACCEPT
+# udp+tcp dport 53 to each. Gated on TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS=1.
+if [ "\${TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS:-0}" = "1" ] && [ -r /etc/resolv.conf ]; then
+  for ns in $(awk '/^[[:space:]]*nameserver[[:space:]]+/{print $2}' /etc/resolv.conf | grep -v ':' || true); do
+    iptables -A OUTPUT -p udp -d "$ns" --dport 53 -j ACCEPT
+    iptables -A OUTPUT -p tcp -d "$ns" --dport 53 -j ACCEPT
+  done
+fi
+
+# User-supplied allowlist carve-out: comma-separated CIDRs/IPs from
+# TYPECLAW_NETWORK_ALLOW. Already validated at config-parse time.
+if [ -n "\${TYPECLAW_NETWORK_ALLOW:-}" ]; then
+  IFS=','
+  for cidr in $TYPECLAW_NETWORK_ALLOW; do
+    [ -z "$cidr" ] && continue
+    iptables -A OUTPUT -d "$cidr" -j ACCEPT
+  done
+  unset IFS
+fi
 ${ipv4Rules.join('\n')}
 
 ip6tables -A OUTPUT -o lo -j ACCEPT
@@ -264,13 +324,10 @@ ${fromAndHeavyLayers}
 
 ENV NODE_ENV=production
 
-# Pin agent-messenger's config dir into the agent's workspace/ so KakaoTalk
-# (and any future agent-messenger-backed channel) reads/writes credentials
-# inside the bind-mounted agent folder. Without this, the SDK would default
-# to /root/.config/agent-messenger inside the container, which doesn't
-# survive container restarts and isn't visible from the host. The agent
-# folder's bind-mount maps /agent → host's agent dir, so the credentials
-# end up at <agentDir>/workspace/.agent-messenger/ on the host.
+# Keep agent-messenger's fallback config dir inside workspace/ for any future
+# SDK fallback paths. TypeClaw's KakaoTalk adapter does not write there:
+# credentials live in secrets.json#channels.kakaotalk and container writes go
+# through hostd's secrets-patch RPC.
 ENV AGENT_MESSENGER_CONFIG_DIR=/agent/workspace/.agent-messenger
 
 ${customLines}ENTRYPOINT ["${TYPECLAW_ENTRYPOINT_PATH}"]
@@ -282,8 +339,18 @@ CMD ["run"]
 // layers (apt baseline, Chrome runtime libs, curl-impersonate, agent-browser,
 // Chrome for Testing) are already in that image, so the per-agent head only
 // re-runs the toggle apt install and (optionally) the gh keyring bootstrap.
-// When no toggle adds packages, the head is empty after the FROM/WORKDIR/ARG
-// trio — rebuild cost ≈ zero for users who don't change typeclaw.json#dockerfile.
+//
+// The entrypoint shim is ALSO re-emitted here, even though the base image
+// already carries it. Two reasons: (1) older base images published before
+// the shim landed (or before a shim source edit) don't have the up-to-date
+// binary at TYPECLAW_ENTRYPOINT_PATH, and the per-agent ENTRYPOINT line
+// would crash on startup with `stat: no such file or directory`. Re-emitting
+// is ~1KB of image and keeps the contract local: whatever per-agent
+// Dockerfile we emit guarantees the shim path exists, regardless of which
+// base-image vintage we FROM. (2) Edits to `buildEntrypointShim()` ship via
+// npm + `typeclaw start --build` immediately, instead of being blocked on a
+// fresh base-image release. The base image's copy is harmlessly overwritten
+// by this RUN — same path, same chmod.
 function renderVersionedHead(baseImageVersion: string, ghKeyringLayer: string, toggleAptArgs: string[]): string {
   const toggleAptLayer = toggleAptArgs.length === 0 ? '' : `${renderToggleAptInstallLayer(toggleAptArgs)}\n\n`
   return `FROM ${GHCR_BASE_IMAGE_REPO}:${baseImageVersion}
@@ -292,7 +359,9 @@ WORKDIR /agent
 
 ARG TARGETARCH
 
-${ghKeyringLayer}${toggleAptLayer}`
+${ghKeyringLayer}${toggleAptLayer}${renderEntrypointShimLayer()}
+
+`
 }
 
 // FROMs oven/bun:1-slim and rebuilds the full heavy stack inline. Used by