wolverine-ai 1.0.0

package/src/security/rate-limiter.js

@@ -0,0 +1,152 @@
+/**
+ * Rate Limiter — prevents error explosion from draining API budget.
+ *
+ * Uses a sliding window + token bucket approach:
+ * - Tracks API calls in a rolling time window
+ * - Enforces max calls per window
+ * - Enforces minimum gap between calls
+ * - Detects error loops (same error repeating) and backs off exponentially
+ */
+class RateLimiter {
+  constructor(options = {}) {
+    // Max API calls within the rolling window
+    this.maxCallsPerWindow = options.maxCallsPerWindow || 10;
+    // Window size in ms (default: 10 minutes)
+    this.windowMs = options.windowMs || 10 * 60 * 1000;
+    // Minimum gap between calls in ms (default: 5 seconds)
+    this.minGapMs = options.minGapMs || 5000;
+    // Max cost per hour in estimated tokens (rough budget protection)
+    this.maxTokensPerHour = options.maxTokensPerHour || 100000;
+
+    // Internal state
+    this._callLog = [];          // timestamps of recent calls
+    this._tokenLog = [];         // { timestamp, tokens } for budget tracking
+    this._errorSignatures = {};  // signature -> { count, lastSeen, backoffMs }
+    this._lastCallTime = 0;
+  }
+
+  /**
+   * Check if a call is allowed. Returns { allowed, reason, waitMs }.
+   * If not allowed, waitMs indicates how long to wait before retrying.
+   */
+  check(errorSignature) {
+    const now = Date.now();
+    this._pruneOldEntries(now);
+
+    // 1. Minimum gap between calls
+    const sinceLast = now - this._lastCallTime;
+    if (sinceLast < this.minGapMs) {
+      const waitMs = this.minGapMs - sinceLast;
+      return { allowed: false, reason: `Rate limit: minimum ${this.minGapMs}ms gap between calls. Wait ${waitMs}ms.`, waitMs };
+    }
+
+    // 2. Sliding window limit
+    if (this._callLog.length >= this.maxCallsPerWindow) {
+      const oldestInWindow = this._callLog[0];
+      const waitMs = oldestInWindow + this.windowMs - now;
+      return { allowed: false, reason: `Rate limit: ${this.maxCallsPerWindow} calls per ${this.windowMs / 1000}s window exceeded.`, waitMs };
+    }
+
+    // 3. Hourly token budget
+    const hourAgo = now - 3600000;
+    const recentTokens = this._tokenLog
+      .filter(e => e.timestamp > hourAgo)
+      .reduce((sum, e) => sum + e.tokens, 0);
+    if (recentTokens >= this.maxTokensPerHour) {
+      return { allowed: false, reason: `Budget limit: estimated ${recentTokens} tokens used in the last hour (max: ${this.maxTokensPerHour}).`, waitMs: 60000 };
+    }
+
+    // 4. Error loop detection — same error repeating gets exponential backoff
+    if (errorSignature) {
+      const sig = this._errorSignatures[errorSignature];
+      if (sig && sig.count >= 2) {
+        const timeSinceLast = now - sig.lastSeen;
+        if (timeSinceLast < sig.backoffMs) {
+          const waitMs = sig.backoffMs - timeSinceLast;
+          return {
+            allowed: false,
+            reason: `Error loop detected: same error seen ${sig.count} times. Backing off ${sig.backoffMs / 1000}s.`,
+            waitMs,
+          };
+        }
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Record a call was made. Call this after a successful API request.
+   */
+  record(errorSignature, estimatedTokens = 3000) {
+    const now = Date.now();
+    this._callLog.push(now);
+    this._tokenLog.push({ timestamp: now, tokens: estimatedTokens });
+    this._lastCallTime = now;
+
+    // Track error signature for loop detection
+    if (errorSignature) {
+      if (!this._errorSignatures[errorSignature]) {
+        this._errorSignatures[errorSignature] = { count: 0, lastSeen: 0, backoffMs: 5000 };
+      }
+      const sig = this._errorSignatures[errorSignature];
+      sig.count++;
+      sig.lastSeen = now;
+      // Exponential backoff: 5s, 10s, 20s, 40s, 80s... capped at 5 min
+      sig.backoffMs = Math.min(5000 * Math.pow(2, sig.count - 1), 300000);
+    }
+  }
+
+  /**
+   * Clear the error signature tracker (call after a successful fix that doesn't recur).
+   */
+  clearSignature(errorSignature) {
+    delete this._errorSignatures[errorSignature];
+  }
+
+  /**
+   * Generate a stable signature for an error (for loop detection).
+   */
+  static signature(errorMessage, filePath) {
+    // Strip line numbers and paths to create a stable key
+    const normalized = (errorMessage || "")
+      .replace(/:\d+:\d+/g, "")
+      .replace(/\(.+\)/g, "")
+      .trim();
+    return `${filePath || "unknown"}::${normalized}`;
+  }
+
+  /**
+   * Get current state for debugging/logging.
+   */
+  getStats() {
+    const now = Date.now();
+    this._pruneOldEntries(now);
+    return {
+      callsInWindow: this._callLog.length,
+      maxCallsPerWindow: this.maxCallsPerWindow,
+      trackedErrorSignatures: Object.keys(this._errorSignatures).length,
+      estimatedTokensLastHour: this._tokenLog
+        .filter(e => e.timestamp > now - 3600000)
+        .reduce((sum, e) => sum + e.tokens, 0),
+    };
+  }
+
+  _pruneOldEntries(now) {
+    const windowStart = now - this.windowMs;
+    this._callLog = this._callLog.filter(t => t > windowStart);
+
+    const hourAgo = now - 3600000;
+    this._tokenLog = this._tokenLog.filter(e => e.timestamp > hourAgo);
+
+    // Clean stale error signatures (not seen in 30 min)
+    const staleThreshold = now - 30 * 60 * 1000;
+    for (const key of Object.keys(this._errorSignatures)) {
+      if (this._errorSignatures[key].lastSeen < staleThreshold) {
+        delete this._errorSignatures[key];
+      }
+    }
+  }
+}
+
+module.exports = { RateLimiter };

package/src/security/sandbox.js

@@ -0,0 +1,128 @@
+const path = require("path");
+const fs = require("fs");
+
+/**
+ * File Sandbox — restricts all file operations to the project directory.
+ *
+ * Every file read/write in wolverine passes through this gate.
+ * Rejects path traversal, symlink escapes, and out-of-bounds access.
+ */
+class Sandbox {
+  constructor(rootDir) {
+    this.rootDir = path.resolve(rootDir);
+  }
+
+  /**
+   * Resolve and validate a file path. Throws if the path escapes the sandbox.
+   * Returns the resolved absolute path.
+   */
+  resolve(filePath) {
+    // Resolve relative to sandbox root
+    const resolved = path.isAbsolute(filePath)
+      ? path.resolve(filePath)
+      : path.resolve(this.rootDir, filePath);
+
+    // Normalize separators for consistent comparison
+    const normalizedResolved = resolved.replace(/\\/g, "/").toLowerCase();
+    const normalizedRoot = this.rootDir.replace(/\\/g, "/").toLowerCase();
+
+    if (!normalizedResolved.startsWith(normalizedRoot + "/") && normalizedResolved !== normalizedRoot) {
+      throw new SandboxViolationError(
+        `Path "${filePath}" resolves to "${resolved}" which is outside the sandbox root "${this.rootDir}"`
+      );
+    }
+
+    // Check for symlink escape
+    if (fs.existsSync(resolved)) {
+      const real = fs.realpathSync(resolved);
+      const normalizedReal = real.replace(/\\/g, "/").toLowerCase();
+      if (!normalizedReal.startsWith(normalizedRoot + "/") && normalizedReal !== normalizedRoot) {
+        throw new SandboxViolationError(
+          `Path "${filePath}" is a symlink that escapes the sandbox (real path: "${real}")`
+        );
+      }
+    }
+
+    return resolved;
+  }
+
+  /**
+   * Read a file within the sandbox.
+   */
+  readFile(filePath) {
+    const resolved = this.resolve(filePath);
+    return fs.readFileSync(resolved, "utf-8");
+  }
+
+  /**
+   * Write a file within the sandbox.
+   */
+  writeFile(filePath, content) {
+    const resolved = this.resolve(filePath);
+    fs.writeFileSync(resolved, content, "utf-8");
+    return resolved;
+  }
+
+  /**
+   * Check if a file exists within the sandbox.
+   */
+  exists(filePath) {
+    try {
+      const resolved = this.resolve(filePath);
+      return fs.existsSync(resolved);
+    } catch (e) {
+      if (e instanceof SandboxViolationError) return false;
+      throw e;
+    }
+  }
+
+  /**
+   * Copy a file within the sandbox.
+   */
+  copyFile(src, dest) {
+    const resolvedSrc = this.resolve(src);
+    const resolvedDest = this.resolve(dest);
+    fs.copyFileSync(resolvedSrc, resolvedDest);
+    return resolvedDest;
+  }
+
+  /**
+   * Delete a file within the sandbox.
+   */
+  unlinkFile(filePath) {
+    const resolved = this.resolve(filePath);
+    if (fs.existsSync(resolved)) {
+      fs.unlinkSync(resolved);
+    }
+  }
+
+  /**
+   * Validate a set of AI-proposed changes — all file paths must be in sandbox.
+   * Returns { valid: boolean, violations: string[] }
+   */
+  validateChanges(changes) {
+    const violations = [];
+    for (const change of changes) {
+      try {
+        this.resolve(change.file);
+      } catch (e) {
+        if (e instanceof SandboxViolationError) {
+          violations.push(e.message);
+        } else {
+          throw e;
+        }
+      }
+    }
+    return { valid: violations.length === 0, violations };
+  }
+}
+
+class SandboxViolationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SandboxViolationError";
+    this.code = "SANDBOX_VIOLATION";
+  }
+}
+
+module.exports = { Sandbox, SandboxViolationError };

package/src/security/secret-redactor.js

@@ -0,0 +1,217 @@
+const fs = require("fs");
+const path = require("path");
+const chalk = require("chalk");
+
+/**
+ * Secret Redactor — prevents secrets from leaking to AI, brain, logs, or dashboard.
+ *
+ * On init, reads .env.local / .env to build a map of secret values → env key names.
+ * Then every string that passes through redact() gets values replaced with
+ * `process.env.KEY_NAME` so the AI knows which secret is referenced without
+ * seeing the actual value.
+ *
+ * Also detects common secret patterns (API keys, tokens, connection strings)
+ * that might not be in .env files.
+ *
+ * This runs as a gate on EVERY outbound path:
+ * - Before AI calls (error messages, source code, stack traces)
+ * - Before brain memory storage
+ * - Before event logger persistence
+ * - Before dashboard SSE broadcast
+ * - Before agent tool results
+ */
+
+// Patterns that look like secrets even if we don't know them from .env
+const SECRET_PATTERNS = [
+  // API keys
+  { pattern: /sk-[a-zA-Z0-9_-]{20,}/g, label: "[REDACTED_API_KEY]" },
+  { pattern: /sk-proj-[a-zA-Z0-9_-]{20,}/g, label: "[REDACTED_OPENAI_KEY]" },
+  { pattern: /ghp_[a-zA-Z0-9]{36,}/g, label: "[REDACTED_GITHUB_TOKEN]" },
+  { pattern: /gho_[a-zA-Z0-9]{36,}/g, label: "[REDACTED_GITHUB_OAUTH]" },
+  { pattern: /xoxb-[a-zA-Z0-9-]+/g, label: "[REDACTED_SLACK_TOKEN]" },
+  { pattern: /xoxp-[a-zA-Z0-9-]+/g, label: "[REDACTED_SLACK_TOKEN]" },
+  // AWS
+  { pattern: /AKIA[0-9A-Z]{16}/g, label: "[REDACTED_AWS_KEY]" },
+  // Connection strings
+  { pattern: /(?:mongodb|postgres|mysql|redis|amqp):\/\/[^\s"'`]+/gi, label: "[REDACTED_CONNECTION_STRING]" },
+  // Bearer tokens
+  { pattern: /Bearer\s+[a-zA-Z0-9._-]{20,}/g, label: "Bearer [REDACTED_TOKEN]" },
+  // Generic long hex/base64 secrets (32+ chars of hex or base64)
+  { pattern: /(?:password|secret|token|key|credential|auth)['"`]?\s*[:=]\s*['"`]([a-zA-Z0-9+/=_-]{32,})['"`]/gi, label: null }, // handled specially
+  // JWT tokens
+  { pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, label: "[REDACTED_JWT]" },
+];
+
+class SecretRedactor {
+  constructor(projectRoot) {
+    this.projectRoot = path.resolve(projectRoot);
+    // Map: secret value → env key name (sorted longest first for greedy matching)
+    this._secretMap = [];
+    // Set of raw secret values for fast detection
+    this._secretValues = new Set();
+
+    this._loadEnvSecrets();
+  }
+
+  /**
+   * Redact all secrets from a string.
+   * Replaces actual secret values with `process.env.KEY_NAME`.
+   * Also catches pattern-based secrets not in .env.
+   *
+   * @param {string} text - Any string that might contain secrets
+   * @returns {string} - Redacted string
+   */
+  redact(text) {
+    if (!text || typeof text !== "string") return text;
+
+    let result = text;
+
+    // 1. Replace known env secret values with their key names (longest first)
+    for (const { value, key } of this._secretMap) {
+      if (result.includes(value)) {
+        result = result.split(value).join(`process.env.${key}`);
+      }
+    }
+
+    // 2. Apply pattern-based redaction for secrets we don't know about
+    for (const { pattern, label } of SECRET_PATTERNS) {
+      if (label) {
+        result = result.replace(pattern, label);
+      } else {
+        // Special handling for key=value patterns — replace just the value part
+        result = result.replace(pattern, (match, capturedValue) => {
+          if (capturedValue && capturedValue.length >= 32) {
+            return match.replace(capturedValue, "[REDACTED_SECRET]");
+          }
+          return match;
+        });
+      }
+    }
+
+    return result;
+  }
+
+  /**
+   * Redact secrets from a structured object (deep).
+   * Walks all string values in objects/arrays.
+   */
+  redactObject(obj) {
+    if (typeof obj === "string") return this.redact(obj);
+    if (Array.isArray(obj)) return obj.map(item => this.redactObject(item));
+    if (obj && typeof obj === "object") {
+      const result = {};
+      for (const [key, val] of Object.entries(obj)) {
+        result[key] = this.redactObject(val);
+      }
+      return result;
+    }
+    return obj;
+  }
+
+  /**
+   * Check if a string contains any known secrets. Fast check.
+   */
+  containsSecrets(text) {
+    if (!text) return false;
+    for (const { value } of this._secretMap) {
+      if (text.includes(value)) return true;
+    }
+    return false;
+  }
+
+  /**
+   * Reload secrets (call if .env files change).
+   */
+  reload() {
+    this._secretMap = [];
+    this._secretValues.clear();
+    this._loadEnvSecrets();
+  }
+
+  /**
+   * Get stats for logging.
+   */
+  getStats() {
+    return {
+      trackedSecrets: this._secretMap.length,
+      envFiles: this._envFilesLoaded || 0,
+    };
+  }
+
+  // -- Private --
+
+  _loadEnvSecrets() {
+    const envFiles = [".env.local", ".env", ".env.production", ".env.development"];
+    let filesLoaded = 0;
+
+    for (const envFile of envFiles) {
+      const filePath = path.join(this.projectRoot, envFile);
+      if (!fs.existsSync(filePath)) continue;
+
+      filesLoaded++;
+      const content = fs.readFileSync(filePath, "utf-8");
+      const lines = content.split("\n");
+
+      for (const line of lines) {
+        // Skip comments and empty lines
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+
+        const eqIndex = trimmed.indexOf("=");
+        if (eqIndex === -1) continue;
+
+        const key = trimmed.slice(0, eqIndex).trim();
+        const value = trimmed.slice(eqIndex + 1).trim()
+          // Remove surrounding quotes
+          .replace(/^['"]|['"]$/g, "");
+
+        // Only track values that look like secrets (long enough, not just a port number)
+        if (value.length >= 8 && !this._isNonSecret(key, value)) {
+          this._secretMap.push({ key, value });
+          this._secretValues.add(value);
+        }
+      }
+    }
+
+    // Also add current process.env values for known secret keys
+    const knownSecretKeys = [
+      "OPENAI_API_KEY", "DATABASE_URL", "REDIS_URL", "JWT_SECRET",
+      "SESSION_SECRET", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN",
+      "SLACK_TOKEN", "STRIPE_SECRET_KEY", "SENDGRID_API_KEY",
+    ];
+
+    for (const key of knownSecretKeys) {
+      const value = process.env[key];
+      if (value && value.length >= 8 && !this._secretValues.has(value)) {
+        this._secretMap.push({ key, value });
+        this._secretValues.add(value);
+      }
+    }
+
+    // Sort longest values first for greedy replacement
+    this._secretMap.sort((a, b) => b.value.length - a.value.length);
+    this._envFilesLoaded = filesLoaded;
+  }
+
+  /**
+   * Heuristic: is this key/value pair NOT a secret?
+   * Avoids redacting things like PORT=6969 or NODE_ENV=production.
+   */
+  _isNonSecret(key, value) {
+    const nonSecretKeys = /^(PORT|HOST|NODE_ENV|DEBUG|LOG_LEVEL|TZ|LANG|PATH|HOME|USER|SHELL|TERM|HOSTNAME)$/i;
+    if (nonSecretKeys.test(key)) return true;
+
+    // Model names aren't secrets
+    if (key.endsWith("_MODEL")) return true;
+
+    // Pure numbers aren't secrets
+    if (/^\d+$/.test(value)) return true;
+
+    // Short common values
+    if (["true", "false", "development", "production", "staging", "test", "localhost"].includes(value.toLowerCase())) return true;
+
+    return false;
+  }
+}
+
+module.exports = { SecretRedactor };

package/src/skills/skill-registry.js

@@ -0,0 +1,129 @@
+const fs = require("fs");
+const path = require("path");
+const chalk = require("chalk");
+
+/**
+ * Skill Registry — discovers skills and injects relevant ones into agent context.
+ *
+ * claw-code pattern:
+ * 1. On startup, scan all skills and build a token-searchable index
+ * 2. Before any AI call, match the user's command/error against skills
+ * 3. Inject matched skill context into the prompt (not the AI — the prompt)
+ *
+ * Skills are JS modules in src/skills/ that export:
+ * - name: string
+ * - description: string
+ * - keywords: string[] — tokens for matching
+ * - usage: string — code example to inject into agent prompts
+ * - middleware?: function — Express middleware to mount
+ */
+
+class SkillRegistry {
+  constructor(options = {}) {
+    this.skillsDir = options.skillsDir || path.join(__dirname);
+    this._skills = [];
+    this._loaded = false;
+  }
+
+  /**
+   * Discover and load all skills from the skills directory.
+   */
+  load() {
+    if (!fs.existsSync(this.skillsDir)) return;
+
+    const files = fs.readdirSync(this.skillsDir).filter(f =>
+      f.endsWith(".js") && f !== "skill-registry.js"
+    );
+
+    for (const file of files) {
+      try {
+        const mod = require(path.join(this.skillsDir, file));
+        const skill = {
+          file,
+          name: mod.SKILL_NAME || file.replace(".js", ""),
+          description: mod.SKILL_DESCRIPTION || "",
+          keywords: mod.SKILL_KEYWORDS || [],
+          usage: mod.SKILL_USAGE || "",
+          hasMiddleware: typeof mod.sqlGuard === "function" || typeof mod.middleware === "function",
+        };
+        this._skills.push(skill);
+      } catch (err) {
+        console.log(chalk.yellow(`  ⚠️ Skill load error (${file}): ${err.message}`));
+      }
+    }
+
+    this._loaded = true;
+    if (this._skills.length > 0) {
+      console.log(chalk.gray(`  🔧 Skills: ${this._skills.map(s => s.name).join(", ")}`));
+    }
+  }
+
+  /**
+   * Match skills to a command/error using token scoring.
+   * claw-code pattern: tokenize → score against name/description/keywords → return top matches.
+   *
+   * @param {string} text — user command or error message
+   * @param {number} limit — max skills to return
+   * @returns {Array<{ name, description, usage, score }>}
+   */
+  match(text, limit = 3) {
+    if (!text || this._skills.length === 0) return [];
+
+    const tokens = text.toLowerCase()
+      .replace(/[^a-z0-9\s]/g, " ")
+      .split(/\s+/)
+      .filter(t => t.length > 2);
+
+    const scored = this._skills.map(skill => {
+      const haystacks = [
+        skill.name.toLowerCase(),
+        skill.description.toLowerCase(),
+        ...skill.keywords.map(k => k.toLowerCase()),
+      ].join(" ");
+
+      let score = 0;
+      for (const token of tokens) {
+        if (haystacks.includes(token)) score++;
+      }
+
+      return { ...skill, score };
+    });
+
+    return scored
+      .filter(s => s.score > 0)
+      .sort((a, b) => b.score - a.score)
+      .slice(0, limit);
+  }
+
+  /**
+   * Build context string for matched skills — inject into AI prompt.
+   * claw-code pattern: pre-enrich the prompt with tool availability.
+   */
+  buildContext(text) {
+    const matches = this.match(text);
+    if (matches.length === 0) return "";
+
+    const parts = ["\n## Available Skills"];
+    for (const skill of matches) {
+      parts.push(`### ${skill.name}`);
+      if (skill.description) parts.push(skill.description);
+      if (skill.usage) parts.push("```js\n" + skill.usage + "\n```");
+    }
+
+    return parts.join("\n");
+  }
+
+  /**
+   * Get all skills for dashboard display.
+   */
+  getAll() {
+    return this._skills.map(s => ({
+      name: s.name,
+      description: s.description,
+      keywords: s.keywords,
+      hasMiddleware: s.hasMiddleware,
+    }));
+  }
+}
+
+module.exports = { SkillRegistry };