verybot 0.1.3

package/dist/security/command-validator.js

@@ -0,0 +1,160 @@
+/**
+ * Command validation for bash tool security.
+ *
+ * Blocks dangerous shell syntax (quote-aware) and checks executables
+ * against safe-bin and allowlist rules.
+ */
+/** Shell tokens blocked outside of quotes. */
+const BLOCKED_CHARS = new Set(["`", ">", "<", "(", ")"]);
+/** Default read-only commands that always pass in allowlist mode. */
+export const DEFAULT_SAFE_BINS = new Set([
+    "ls",
+    "cat",
+    "head",
+    "tail",
+    "grep",
+    "rg",
+    "find",
+    "wc",
+    "sort",
+    "uniq",
+    "cut",
+    "tr",
+    "jq",
+    "date",
+    "whoami",
+    "pwd",
+    "echo",
+    "which",
+    "file",
+    "stat",
+    "du",
+    "df",
+    "uname",
+    "env",
+    "printenv",
+    "ps",
+    "curl",
+    "wget",
+]);
+/**
+ * Check for dangerous shell syntax (quote-aware).
+ *
+ * Blocks backticks, command substitution `$(...)`, redirects `> <`,
+ * and subshells `( )` when they appear outside of quotes.
+ */
+export function validateCommand(command) {
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < command.length; i++) {
+        const ch = command[i];
+        // Track quote state
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            continue;
+        }
+        if (ch === '"' && !inSingle) {
+            inDouble = !inDouble;
+            continue;
+        }
+        // Skip chars inside quotes
+        if (inSingle || inDouble)
+            continue;
+        // Check for $( command substitution
+        if (ch === "$" && i + 1 < command.length && command[i + 1] === "(") {
+            return { ok: false, reason: "command substitution $(...) is not allowed" };
+        }
+        if (BLOCKED_CHARS.has(ch)) {
+            const names = {
+                "`": "backtick execution",
+                ">": "output redirect",
+                "<": "input redirect",
+                "(": "subshell",
+                ")": "subshell",
+            };
+            return { ok: false, reason: `${names[ch] ?? ch} is not allowed` };
+        }
+    }
+    return { ok: true };
+}
+/**
+ * Extract the executable name from a command string.
+ * Handles env-prefix patterns like `VAR=val cmd` and paths like `/usr/bin/python3`.
+ */
+function extractExecutable(segment) {
+    const trimmed = segment.trim();
+    const tokens = trimmed.split(/\s+/);
+    // Skip leading env assignments (KEY=VALUE)
+    let idx = 0;
+    while (idx < tokens.length && /^[A-Za-z_]\w*=/.test(tokens[idx])) {
+        idx++;
+    }
+    const raw = tokens[idx] ?? "";
+    // Strip path: /usr/bin/python3 -> python3
+    const slashIdx = raw.lastIndexOf("/");
+    return slashIdx >= 0 ? raw.slice(slashIdx + 1) : raw;
+}
+/** Split a command into segments on `&&`, `||`, `;`, and `|`. */
+function splitSegments(command) {
+    // Split on && || ; | while respecting quotes
+    const segments = [];
+    let current = "";
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < command.length; i++) {
+        const ch = command[i];
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            current += ch;
+            continue;
+        }
+        if (ch === '"' && !inSingle) {
+            inDouble = !inDouble;
+            current += ch;
+            continue;
+        }
+        if (inSingle || inDouble) {
+            current += ch;
+            continue;
+        }
+        // Check for && or ||
+        if ((ch === "&" || ch === "|") && i + 1 < command.length && command[i + 1] === ch) {
+            segments.push(current);
+            current = "";
+            i++; // skip second char
+            continue;
+        }
+        // Check for ; or single |
+        if (ch === ";" || ch === "|") {
+            segments.push(current);
+            current = "";
+            continue;
+        }
+        current += ch;
+    }
+    if (current.trim())
+        segments.push(current);
+    return segments.filter((s) => s.trim().length > 0);
+}
+/** Check if ALL segments of a command use only safe bins. */
+function isSafeBin(command, safeBins) {
+    const segments = splitSegments(command);
+    return segments.every((seg) => safeBins.has(extractExecutable(seg)));
+}
+/** Convert a simple glob pattern to a RegExp (`*` -> `.*`). */
+function globToRegExp(pattern) {
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`);
+}
+/** Check if an executable matches any allowlist glob pattern. */
+function matchesAllowlist(executable, patterns) {
+    return patterns.some((pat) => globToRegExp(pat).test(executable));
+}
+/** Check if ALL segments of a command match the allowlist. */
+export function isAllowed(command, safeBins, allowlist) {
+    const segments = splitSegments(command);
+    return segments.every((seg) => {
+        const exe = extractExecutable(seg);
+        return safeBins.has(exe) || matchesAllowlist(exe, allowlist);
+    });
+}

package/dist/security/docker-sandbox.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Docker sandbox for bash tool execution.
+ *
+ * Commands run inside isolated Docker containers with:
+ * - Read-only root filesystem
+ * - No network access
+ * - All capabilities dropped
+ * - Resource limits (memory, pids)
+ * - Workspace mounted at /workspace (read-write)
+ *
+ * Containers are created lazily per session and reused for subsequent commands.
+ * Idle containers are pruned after a configurable timeout.
+ *
+ * If Docker is not available at startup, the sandbox polls in the background
+ * and returns an error to the user until Docker comes online.
+ */
+export interface SandboxConfig {
+    image: string;
+    memoryLimit: string;
+    pidsLimit: number;
+    idleTimeoutMs: number;
+}
+export declare class DockerSandbox {
+    private containers;
+    private config;
+    private ready;
+    constructor(config: SandboxConfig);
+    /**
+     * Execute a command in the sandbox container for the given session.
+     * Checks Docker availability on first use (and after losing connection).
+     */
+    exec(sessionKey: string, command: string): string;
+    /** Remove container for a session. */
+    cleanup(sessionKey: string): void;
+    /** Remove all containers (call on shutdown). */
+    cleanupAll(): void;
+    private getOrCreateContainer;
+    private resetIdleTimer;
+    private onIdle;
+    private removeContainer;
+    private containerName;
+    /**
+     * Distinguish Docker daemon errors (connection lost, daemon stopped) from
+     * normal command failures inside the container (non-zero exit code).
+     */
+    private isDockerError;
+    private pruneOrphans;
+}

package/dist/security/docker-sandbox.js

@@ -0,0 +1,218 @@
+/**
+ * Docker sandbox for bash tool execution.
+ *
+ * Commands run inside isolated Docker containers with:
+ * - Read-only root filesystem
+ * - No network access
+ * - All capabilities dropped
+ * - Resource limits (memory, pids)
+ * - Workspace mounted at /workspace (read-write)
+ *
+ * Containers are created lazily per session and reused for subsequent commands.
+ * Idle containers are pruned after a configurable timeout.
+ *
+ * If Docker is not available at startup, the sandbox polls in the background
+ * and returns an error to the user until Docker comes online.
+ */
+import { execFileSync } from "child_process";
+import { createHash } from "crypto";
+import { mkdirSync } from "fs";
+import { resolve } from "path";
+import { logger } from "../logger.js";
+import { SANDBOX_WORKSPACE } from "../paths.js";
+const CONTAINER_PREFIX = "verybot-sandbox";
+const LABEL = "verybot-sandbox=1";
+const EXEC_TIMEOUT = 30_000;
+const MAX_OUTPUT = 10_000;
+const MAX_ERROR = 5_000;
+/** Check if Docker is available by running `docker info`. */
+function checkDocker() {
+    try {
+        execFileSync("docker", ["info"], { stdio: "ignore", timeout: 5_000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export class DockerSandbox {
+    containers = new Map();
+    config;
+    ready = false;
+    constructor(config) {
+        this.config = config;
+        mkdirSync(resolve(SANDBOX_WORKSPACE), { recursive: true });
+        logger.info(`Docker sandbox: configured (image=${config.image}, memory=${config.memoryLimit}, ` +
+            `pids=${config.pidsLimit}, workspace=${SANDBOX_WORKSPACE}, idle=${config.idleTimeoutMs}ms)`);
+    }
+    /**
+     * Execute a command in the sandbox container for the given session.
+     * Checks Docker availability on first use (and after losing connection).
+     */
+    exec(sessionKey, command) {
+        if (!this.ready) {
+            if (!checkDocker()) {
+                return "Docker is not available. Please start Docker and try again.";
+            }
+            this.ready = true;
+            this.pruneOrphans();
+            logger.info("Docker sandbox: Docker is available, ready to execute");
+        }
+        const handle = this.getOrCreateContainer(sessionKey);
+        this.resetIdleTimer(sessionKey, handle);
+        try {
+            const output = execFileSync("docker", ["exec", handle.id, "sh", "-c", command], {
+                encoding: "utf-8",
+                timeout: EXEC_TIMEOUT,
+                maxBuffer: 1024 * 1024,
+            });
+            return output.slice(0, MAX_OUTPUT);
+        }
+        catch (err) {
+            // If docker exec itself failed (not the command inside), reset ready flag
+            // so next call re-checks Docker availability
+            if (this.isDockerError(err)) {
+                logger.warn("Docker sandbox: Docker connection lost, will re-check on next exec");
+                this.ready = false;
+                this.containers.delete(sessionKey);
+            }
+            const msg = err instanceof Error ? err.message : String(err);
+            const stderr = err.stderr ?? "";
+            return `Error: ${msg}\n${stderr}`.slice(0, MAX_ERROR);
+        }
+    }
+    /** Remove container for a session. */
+    cleanup(sessionKey) {
+        const handle = this.containers.get(sessionKey);
+        if (!handle)
+            return;
+        clearTimeout(handle.timer);
+        this.removeContainer(handle);
+        this.containers.delete(sessionKey);
+    }
+    /** Remove all containers (call on shutdown). */
+    cleanupAll() {
+        for (const [key, handle] of this.containers) {
+            clearTimeout(handle.timer);
+            this.removeContainer(handle);
+            this.containers.delete(key);
+        }
+        logger.info("Docker sandbox: all containers cleaned up");
+    }
+    getOrCreateContainer(sessionKey) {
+        const existing = this.containers.get(sessionKey);
+        if (existing)
+            return existing;
+        const name = this.containerName(sessionKey);
+        const workspaceAbs = resolve(SANDBOX_WORKSPACE);
+        // Create container
+        const createArgs = [
+            "create",
+            "--name",
+            name,
+            "--label",
+            LABEL,
+            "--read-only",
+            "--tmpfs",
+            "/tmp:rw,noexec,nosuid,size=64m",
+            "--network",
+            "none",
+            "--cap-drop",
+            "ALL",
+            "--security-opt",
+            "no-new-privileges",
+            "--memory",
+            this.config.memoryLimit,
+            "--pids-limit",
+            String(this.config.pidsLimit),
+            "-v",
+            `${workspaceAbs}:/workspace:rw`,
+            "-w",
+            "/workspace",
+            this.config.image,
+            "sleep",
+            "infinity",
+        ];
+        const id = execFileSync("docker", createArgs, {
+            encoding: "utf-8",
+            timeout: 30_000,
+        }).trim();
+        // Start container
+        execFileSync("docker", ["start", id], {
+            stdio: "ignore",
+            timeout: 10_000,
+        });
+        logger.info(`Docker sandbox: created container ${name} (${id.slice(0, 12)}) for ${sessionKey}`);
+        const handle = {
+            id,
+            name,
+            timer: setTimeout(() => this.onIdle(sessionKey), this.config.idleTimeoutMs),
+        };
+        handle.timer.unref();
+        this.containers.set(sessionKey, handle);
+        return handle;
+    }
+    resetIdleTimer(sessionKey, handle) {
+        clearTimeout(handle.timer);
+        handle.timer = setTimeout(() => this.onIdle(sessionKey), this.config.idleTimeoutMs);
+        handle.timer.unref();
+    }
+    onIdle(sessionKey) {
+        const handle = this.containers.get(sessionKey);
+        if (!handle)
+            return;
+        logger.info(`Docker sandbox: pruning idle container ${handle.name} for ${sessionKey}`);
+        this.removeContainer(handle);
+        this.containers.delete(sessionKey);
+    }
+    removeContainer(handle) {
+        try {
+            execFileSync("docker", ["rm", "-f", handle.id], {
+                stdio: "ignore",
+                timeout: 10_000,
+            });
+        }
+        catch (err) {
+            logger.warn(`Docker sandbox: failed to remove ${handle.name}: ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    containerName(sessionKey) {
+        const hash = createHash("sha256").update(sessionKey).digest("hex").slice(0, 12);
+        return `${CONTAINER_PREFIX}-${hash}`;
+    }
+    /**
+     * Distinguish Docker daemon errors (connection lost, daemon stopped) from
+     * normal command failures inside the container (non-zero exit code).
+     */
+    isDockerError(err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const stderr = err.stderr ?? "";
+        const combined = `${msg}\n${stderr}`.toLowerCase();
+        // These indicate Docker itself is unavailable, not a command failure
+        return (combined.includes("cannot connect to the docker daemon") ||
+            combined.includes("connection refused") ||
+            combined.includes("is the docker daemon running") ||
+            combined.includes("no such container") ||
+            combined.includes("is not running"));
+    }
+    pruneOrphans() {
+        try {
+            const ids = execFileSync("docker", ["ps", "-aq", "--filter", `label=${LABEL}`], { encoding: "utf-8", timeout: 5_000 }).trim();
+            if (!ids)
+                return;
+            const idList = ids.split("\n").filter(Boolean);
+            for (const id of idList) {
+                try {
+                    execFileSync("docker", ["rm", "-f", id], { stdio: "ignore", timeout: 5_000 });
+                }
+                catch {
+                    // ignore individual failures
+                }
+            }
+            logger.info(`Docker sandbox: pruned ${idList.length} orphan container(s)`);
+        }
+        catch {
+            // docker ps failed, ignore
+        }
+    }
+}

package/dist/security/env-filter.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Environment variable filtering for bash tool security.
+ *
+ * Strips dangerous env vars that could be used for code injection
+ * (LD_PRELOAD, DYLD_*, NODE_OPTIONS, etc.) before passing to child processes.
+ */
+/** Returns a copy of process.env with dangerous variables removed. */
+export declare function sanitizeEnv(): Record<string, string>;

package/dist/security/env-filter.js

@@ -0,0 +1,41 @@
+/**
+ * Environment variable filtering for bash tool security.
+ *
+ * Strips dangerous env vars that could be used for code injection
+ * (LD_PRELOAD, DYLD_*, NODE_OPTIONS, etc.) before passing to child processes.
+ */
+/** Exact env var names to strip (from Verybot's DANGEROUS_HOST_ENV_VARS). */
+const BLOCKED_VARS = new Set([
+    "LD_PRELOAD",
+    "LD_LIBRARY_PATH",
+    "LD_AUDIT",
+    "DYLD_INSERT_LIBRARIES",
+    "DYLD_LIBRARY_PATH",
+    "NODE_OPTIONS",
+    "NODE_PATH",
+    "PYTHONPATH",
+    "PYTHONHOME",
+    "RUBYLIB",
+    "PERL5LIB",
+    "BASH_ENV",
+    "ENV",
+    "GCONV_PATH",
+    "IFS",
+    "SSLKEYLOGFILE",
+]);
+/** Env var prefixes to strip (catches all DYLD_* and LD_* variants). */
+const BLOCKED_PREFIXES = ["DYLD_", "LD_"];
+/** Returns a copy of process.env with dangerous variables removed. */
+export function sanitizeEnv() {
+    const clean = {};
+    for (const [key, value] of Object.entries(process.env)) {
+        if (value === undefined)
+            continue;
+        if (BLOCKED_VARS.has(key))
+            continue;
+        if (BLOCKED_PREFIXES.some((prefix) => key.startsWith(prefix)))
+            continue;
+        clean[key] = value;
+    }
+    return clean;
+}

package/dist/skills/loader.d.ts

@@ -0,0 +1,33 @@
+import type { Tool } from "ai";
+import type { SkillEntry } from "./types.js";
+/**
+ * Manages skills with optional file watching for hot-reload.
+ * The Agent reads `systemPrompt` and `readTool` on each run,
+ * so changes are picked up automatically.
+ */
+export declare class SkillManager {
+    private _entries;
+    private _systemPrompt;
+    private _readTool;
+    private watcher;
+    private retryTimer;
+    private retryCount;
+    private stopped;
+    private dir;
+    constructor(dir: string);
+    get entries(): SkillEntry[];
+    get systemPrompt(): string;
+    get readTool(): Tool | null;
+    /** Scan the skills directory and update state. */
+    scan(): Promise<void>;
+    /** Start watching the skills directory for changes. Retries with backoff if directory is missing. */
+    startWatching(): void;
+    /** Stop the file watcher and cancel any pending retries. */
+    stopWatching(): void;
+    private attemptWatch;
+    private scheduleRetry;
+}
+/**
+ * Load skills from the given directory and start watching for changes.
+ */
+export declare function loadSkills(dir: string): Promise<SkillManager>;

package/dist/skills/loader.js

@@ -0,0 +1,132 @@
+import { watch as chokidarWatch } from "chokidar";
+import { resolve } from "path";
+import { scanSkills } from "./scanner.js";
+import { buildSkillListing } from "./prompt.js";
+import { createReadSkillTool } from "./read-tool.js";
+import { logger } from "../logger.js";
+/** Debounce delay for file watcher to avoid rapid rescans. */
+const WATCH_DEBOUNCE_MS = 500;
+/** Initial retry delay when watcher fails or directory is missing. */
+const WATCH_RETRY_BASE_MS = 2_000;
+/** Maximum retry delay (caps exponential backoff). */
+const WATCH_RETRY_MAX_MS = 60_000;
+/**
+ * Manages skills with optional file watching for hot-reload.
+ * The Agent reads `systemPrompt` and `readTool` on each run,
+ * so changes are picked up automatically.
+ */
+export class SkillManager {
+    _entries = [];
+    _systemPrompt = "";
+    _readTool = null;
+    watcher = null;
+    retryTimer = null;
+    retryCount = 0;
+    stopped = false;
+    dir;
+    constructor(dir) {
+        this.dir = resolve(dir);
+    }
+    get entries() {
+        return this._entries;
+    }
+    get systemPrompt() {
+        return this._systemPrompt;
+    }
+    get readTool() {
+        return this._readTool;
+    }
+    /** Scan the skills directory and update state. */
+    async scan() {
+        const entries = await scanSkills(this.dir);
+        this._entries = entries;
+        if (entries.length === 0) {
+            this._systemPrompt = "";
+            this._readTool = null;
+            return;
+        }
+        this._systemPrompt = buildSkillListing(entries);
+        this._readTool = createReadSkillTool(entries);
+        logger.info(`Skills loaded: ${entries.map((s) => s.name).join(", ")}`);
+    }
+    /** Start watching the skills directory for changes. Retries with backoff if directory is missing. */
+    startWatching() {
+        this.stopped = false;
+        this.attemptWatch();
+    }
+    /** Stop the file watcher and cancel any pending retries. */
+    stopWatching() {
+        this.stopped = true;
+        if (this.retryTimer) {
+            clearTimeout(this.retryTimer);
+            this.retryTimer = null;
+        }
+        this.watcher?.close();
+        this.watcher = null;
+    }
+    attemptWatch() {
+        if (this.stopped)
+            return;
+        this.watcher?.close();
+        this.watcher = null;
+        let debounceTimer = null;
+        try {
+            this.watcher = chokidarWatch(this.dir, {
+                ignoreInitial: true,
+                persistent: true,
+                depth: 2,
+            });
+        }
+        catch {
+            this.scheduleRetry();
+            return;
+        }
+        const debouncedRescan = (path) => {
+            if (debounceTimer)
+                clearTimeout(debounceTimer);
+            debounceTimer = setTimeout(() => {
+                logger.info(`Skills directory changed (${path}), rescanning...`);
+                this.scan().catch((err) => {
+                    logger.warn(`Skills rescan failed: ${err instanceof Error ? err.message : err}`);
+                });
+            }, WATCH_DEBOUNCE_MS);
+        };
+        this.watcher
+            .on("add", debouncedRescan)
+            .on("change", debouncedRescan)
+            .on("unlink", debouncedRescan)
+            .on("unlinkDir", debouncedRescan)
+            .on("error", (err) => {
+            logger.warn(`Skills watcher error: ${err instanceof Error ? err.message : err}`);
+            this.scheduleRetry();
+        });
+        this.retryCount = 0;
+        logger.info(`Watching skills directory: ${this.dir}`);
+    }
+    scheduleRetry() {
+        if (this.stopped)
+            return;
+        this.watcher?.close();
+        this.watcher = null;
+        const delay = Math.min(WATCH_RETRY_BASE_MS * 2 ** this.retryCount, WATCH_RETRY_MAX_MS);
+        this.retryCount++;
+        logger.info(`Skills watcher will retry in ${delay / 1000}s (attempt ${this.retryCount})`);
+        this.retryTimer = setTimeout(() => {
+            this.retryTimer = null;
+            this.scan()
+                .catch((err) => {
+                logger.warn(`Skills rescan on retry failed: ${err instanceof Error ? err.message : err}`);
+            })
+                .finally(() => this.attemptWatch());
+        }, delay);
+    }
+}
+/**
+ * Load skills from the given directory and start watching for changes.
+ */
+export async function loadSkills(dir) {
+    const manager = new SkillManager(dir);
+    await manager.scan();
+    manager.startWatching();
+    return manager;
+}

package/dist/skills/prompt.d.ts

@@ -0,0 +1,6 @@
+import type { SkillEntry } from "./types.js";
+/**
+ * Build a compact system prompt section listing available skills.
+ * The model uses `read_skill` to fetch full content on demand.
+ */
+export declare function buildSkillListing(skills: SkillEntry[]): string;

package/dist/skills/prompt.js

@@ -0,0 +1,17 @@
+/**
+ * Build a compact system prompt section listing available skills.
+ * The model uses `read_skill` to fetch full content on demand.
+ */
+export function buildSkillListing(skills) {
+    if (skills.length === 0)
+        return "";
+    const lines = skills.map((s) => `  - **${s.name}**: ${s.description || "(no description)"}`);
+    return `## Available Skills
+You have access to specialized skills. Use the \`read_skill\` tool to read the full instructions for a skill before applying it.
+
+<available_skills>
+${lines.join("\n")}
+</available_skills>
+
+When a user's request matches a skill, read it first, then follow its instructions.`;
+}

package/dist/skills/read-tool.d.ts

@@ -0,0 +1,7 @@
+import { type Tool } from "ai";
+import type { SkillEntry } from "./types.js";
+/**
+ * Create the read_skill tool with the given skill entries baked in.
+ * Returns the full SKILL.md content for the requested skill name.
+ */
+export declare function createReadSkillTool(skills: SkillEntry[]): Tool;