klaude-code 1.2.6__py3-none-any.whl

klaude_code/core/tool/shell/command_safety.py

@@ -0,0 +1,363 @@
+import os
+import re
+import shlex
+
+
+class SafetyCheckResult:
+    """Result of a safety check with detailed error information."""
+
+    def __init__(self, is_safe: bool, error_msg: str = ""):
+        self.is_safe = is_safe
+        self.error_msg = error_msg
+
+
+def _is_valid_sed_n_arg(s: str | None) -> bool:
+    if not s:
+        return False
+    # Matches: Np or M,Np where M,N are positive integers
+    return bool(re.fullmatch(r"\d+(,\d+)?p", s))
+
+
+def _is_safe_awk_program(program: str) -> SafetyCheckResult:
+    lowered = program.lower()
+
+    if "`" in program:
+        return SafetyCheckResult(False, "awk: backticks not allowed in program")
+    if "$(" in program:
+        return SafetyCheckResult(False, "awk: command substitution not allowed in program")
+    if "|&" in program:
+        return SafetyCheckResult(False, "awk: background pipeline not allowed in program")
+
+    if "system(" in lowered:
+        return SafetyCheckResult(False, "awk: system() call not allowed in program")
+
+    if re.search(r"(?<![|&>])\bprint\s*\|", program, re.IGNORECASE):
+        return SafetyCheckResult(False, "awk: piping output to external command not allowed")
+    if re.search(r"\bprintf\s*\|", program, re.IGNORECASE):
+        return SafetyCheckResult(False, "awk: piping output to external command not allowed")
+
+    return SafetyCheckResult(True)
+
+
+def _is_safe_awk_argv(argv: list[str]) -> SafetyCheckResult:
+    if len(argv) < 2:
+        return SafetyCheckResult(False, "awk: Missing program")
+
+    program: str | None = None
+
+    i = 1
+    while i < len(argv):
+        arg = argv[i]
+
+        if arg in {"-f", "--file", "--source"} or arg.startswith("-f"):
+            return SafetyCheckResult(False, "awk: -f/--file not allowed")
+
+        if arg in {"-e", "--exec"}:
+            if i + 1 >= len(argv):
+                return SafetyCheckResult(False, "awk: Missing program for -e")
+            script = argv[i + 1]
+            program_check = _is_safe_awk_program(script)
+            if not program_check.is_safe:
+                return program_check
+            if program is None:
+                program = script
+            i += 2
+            continue
+
+        if arg.startswith("-"):
+            i += 1
+            continue
+
+        if program is None:
+            program_check = _is_safe_awk_program(arg)
+            if not program_check.is_safe:
+                return program_check
+            program = arg
+        i += 1
+
+    if program is None:
+        return SafetyCheckResult(False, "awk: Missing program")
+
+    return SafetyCheckResult(True)
+
+
+def _is_safe_rm_argv(argv: list[str]) -> SafetyCheckResult:
+    """Check safety of rm command arguments."""
+    # Enforce strict safety rules for rm operands
+    # - Forbid absolute paths, tildes, wildcards (*?[), and trailing '/'
+    # - Resolve each operand with realpath and ensure it stays under CWD
+    # - If -r/-R/-rf/-fr present: only allow relative paths whose targets
+    #   exist and are not symbolic links
+
+    cwd = os.getcwd()
+    workspace_root = os.path.realpath(cwd)
+
+    recursive = False
+    end_of_opts = False
+    operands: list[str] = []
+
+    for arg in argv[1:]:
+        if not end_of_opts and arg == "--":
+            end_of_opts = True
+            continue
+
+        if not end_of_opts and arg.startswith("-") and arg != "-":
+            # Parse short or long options
+            if arg.startswith("--"):
+                # Recognize common long options
+                if arg == "--recursive":
+                    recursive = True
+                # Other long options are ignored for safety purposes
+                continue
+            # Combined short options like -rf
+            for ch in arg[1:]:
+                if ch in ("r", "R"):
+                    recursive = True
+            continue
+
+        # Operand (path)
+        operands.append(arg)
+
+    # Reject dangerous operand patterns
+    wildcard_chars = {"*", "?", "["}
+
+    for op in operands:
+        # Disallow absolute paths
+        if os.path.isabs(op):
+            return SafetyCheckResult(False, f"rm: Absolute path not allowed: '{op}'")
+        # Disallow tildes
+        if op.startswith("~") or "/~/" in op or "~/" in op:
+            return SafetyCheckResult(False, f"rm: Tilde expansion not allowed: '{op}'")
+        # Disallow wildcards
+        if any(c in op for c in wildcard_chars):
+            return SafetyCheckResult(False, f"rm: Wildcards not allowed: '{op}'")
+        # Disallow trailing slash (avoid whole-dir deletes)
+        if op.endswith("/"):
+            return SafetyCheckResult(False, f"rm: Trailing slash not allowed: '{op}'")
+
+        # Resolve and ensure stays within workspace_root
+        op_abs = os.path.realpath(os.path.join(cwd, op))
+        try:
+            if os.path.commonpath([op_abs, workspace_root]) != workspace_root:
+                return SafetyCheckResult(False, f"rm: Path escapes workspace: '{op}' -> '{op_abs}'")
+        except Exception as e:
+            # Different drives or resolution errors
+            return SafetyCheckResult(False, f"rm: Path resolution failed for '{op}': {e}")
+
+        if recursive:
+            # For recursive deletion, require operand exists and is not a symlink
+            op_lpath = os.path.join(cwd, op)
+            if not os.path.exists(op_lpath):
+                return SafetyCheckResult(False, f"rm -r: Target does not exist: '{op}'")
+            if os.path.islink(op_lpath):
+                return SafetyCheckResult(False, f"rm -r: Cannot delete symlink recursively: '{op}'")
+
+    # If no operands provided, allow (harmless, will fail at runtime)
+    return SafetyCheckResult(True)
+
+
+def _is_safe_trash_argv(argv: list[str]) -> SafetyCheckResult:
+    """Check safety of trash command arguments."""
+    # Apply similar safety rules as rm but slightly more permissive
+    # - Forbid absolute paths, tildes, wildcards (*?[), and trailing '/'
+    # - Resolve each operand with realpath and ensure it stays under CWD
+    # - Unlike rm, allow symlinks since trash is less destructive
+
+    cwd = os.getcwd()
+    workspace_root = os.path.realpath(cwd)
+
+    end_of_opts = False
+    operands: list[str] = []
+
+    for arg in argv[1:]:
+        if not end_of_opts and arg == "--":
+            end_of_opts = True
+            continue
+
+        if not end_of_opts and arg.startswith("-") and arg != "-":
+            # Skip options for trash command
+            continue
+
+        # Operand (path)
+        operands.append(arg)
+
+    # Reject dangerous operand patterns
+    wildcard_chars = {"*", "?", "["}
+
+    for op in operands:
+        # Disallow absolute paths
+        if os.path.isabs(op):
+            return SafetyCheckResult(False, f"trash: Absolute path not allowed: '{op}'")
+        # Disallow tildes
+        if op.startswith("~") or "/~/" in op or "~/" in op:
+            return SafetyCheckResult(False, f"trash: Tilde expansion not allowed: '{op}'")
+        # Disallow wildcards
+        if any(c in op for c in wildcard_chars):
+            return SafetyCheckResult(False, f"trash: Wildcards not allowed: '{op}'")
+        # Disallow trailing slash (avoid whole-dir operations)
+        if op.endswith("/"):
+            return SafetyCheckResult(False, f"trash: Trailing slash not allowed: '{op}'")
+
+        # Resolve and ensure stays within workspace_root
+        op_abs = os.path.realpath(os.path.join(cwd, op))
+        try:
+            if os.path.commonpath([op_abs, workspace_root]) != workspace_root:
+                return SafetyCheckResult(False, f"trash: Path escapes workspace: '{op}' -> '{op_abs}'")
+        except Exception as e:
+            # Different drives or resolution errors
+            return SafetyCheckResult(False, f"trash: Path resolution failed for '{op}': {e}")
+
+    # If no operands provided, allow (harmless, will fail at runtime)
+    return SafetyCheckResult(True)
+
+
+def _is_safe_argv(argv: list[str]) -> SafetyCheckResult:
+    if not argv:
+        return SafetyCheckResult(False, "Empty command")
+
+    cmd0 = argv[0]
+
+    # if _has_shell_redirection(argv):
+    #     return SafetyCheckResult(False, "Shell redirection and pipelines are not allowed in single commands")
+
+    # Special handling for rm to prevent dangerous operations
+    if cmd0 == "rm":
+        return _is_safe_rm_argv(argv)
+
+    # Special handling for trash to prevent dangerous operations
+    if cmd0 == "trash":
+        return _is_safe_trash_argv(argv)
+
+    if cmd0 == "find":
+        unsafe_opts = {
+            "-exec": "command execution",
+            "-execdir": "command execution",
+            "-ok": "interactive command execution",
+            "-okdir": "interactive command execution",
+            "-delete": "file deletion",
+            "-fls": "file output",
+            "-fprint": "file output",
+            "-fprint0": "file output",
+            "-fprintf": "formatted file output",
+        }
+        for arg in argv[1:]:
+            if arg in unsafe_opts:
+                return SafetyCheckResult(False, f"find: {unsafe_opts[arg]} option '{arg}' not allowed")
+        return SafetyCheckResult(True)
+
+    if cmd0 == "git":
+        sub = argv[1] if len(argv) > 1 else None
+        if not sub:
+            return SafetyCheckResult(False, "git: Missing subcommand")
+
+        # Allow most local git operations, but block remote operations
+        allowed_git_cmds = {
+            "add",
+            "branch",
+            "checkout",
+            "commit",
+            "config",
+            "diff",
+            "fetch",
+            "init",
+            "log",
+            "merge",
+            "mv",
+            "rebase",
+            "reset",
+            "restore",
+            "revert",
+            "rm",
+            "show",
+            "stash",
+            "status",
+            "switch",
+            "tag",
+            "clone",
+            "worktree",
+        }
+        # Block remote operations
+        blocked_git_cmds = {"push", "pull", "remote"}
+
+        if sub in blocked_git_cmds:
+            return SafetyCheckResult(False, f"git: Remote operation '{sub}' not allowed")
+        if sub not in allowed_git_cmds:
+            return SafetyCheckResult(False, f"git: Subcommand '{sub}' not in allow list")
+        return SafetyCheckResult(True)
+
+    # Build tools and linters - allow all subcommands
+    if cmd0 in {
+        "cargo",
+        "uv",
+        "go",
+        "ruff",
+        "pyright",
+        "make",
+        "isort",
+        "npm",
+        "pnpm",
+        "bun",
+    }:
+        return SafetyCheckResult(True)
+
+    if cmd0 == "sed":
+        # Allow sed -n patterns (line printing)
+        if len(argv) >= 3 and argv[1] == "-n" and _is_valid_sed_n_arg(argv[2]):
+            return SafetyCheckResult(True)
+        # Allow simple text replacement: sed 's/old/new/g' file
+        # or sed -i 's/old/new/g' file for in-place editing
+        if len(argv) >= 3:
+            # Find the sed script argument (usually starts with 's/')
+            for arg in argv[1:]:
+                if arg.startswith("s/") or arg.startswith("s|"):
+                    # Basic safety check: no command execution in replacement
+                    if ";" in arg:
+                        return SafetyCheckResult(False, f"sed: Command separator ';' not allowed in '{arg}'")
+                    if "`" in arg:
+                        return SafetyCheckResult(False, f"sed: Backticks not allowed in '{arg}'")
+                    if "$(" in arg:
+                        return SafetyCheckResult(False, f"sed: Command substitution not allowed in '{arg}'")
+                    return SafetyCheckResult(True)
+        return SafetyCheckResult(
+            False,
+            "sed: Only text replacement (s/old/new/) or line printing (-n 'Np') is allowed",
+        )
+
+    if cmd0 == "awk":
+        return _is_safe_awk_argv(argv)
+
+    # Default allow when command is not explicitly restricted
+    return SafetyCheckResult(True)
+
+
+def is_safe_command(command: str) -> SafetyCheckResult:
+    """Determine if a command is safe enough to run.
+
+    The check is intentionally lightweight: it blocks only a small set of
+    obviously dangerous patterns (rm/trash/git remotes, unsafe sed/awk,
+    find -exec/-delete, etc.) and otherwise lets the real shell surface
+    syntax errors (for example, unmatched quotes in complex multiline
+    scripts).
+    """
+
+    # Try to parse into an argv-style list first. If this fails (e.g. due
+    # to unterminated quotes in a complex heredoc), treat the command as
+    # safe here and let bash itself perform syntax checking instead of
+    # blocking execution pre-emptively.
+    try:
+        argv = shlex.split(command, posix=True)
+    except ValueError:
+        # If we cannot reliably parse the command (e.g. due to unterminated
+        # quotes in a complex heredoc), treat it as safe here and let the
+        # real shell surface any syntax errors instead of blocking execution
+        # pre-emptively.
+        return SafetyCheckResult(True)
+
+    # All further safety checks are done directly on the parsed argv via
+    # _is_safe_argv. We intentionally avoid trying to re-interpret complex
+    # shell sequences here and rely on the real shell to handle syntax.
+
+    if not argv:
+        return SafetyCheckResult(False, "Empty command")
+
+    return _is_safe_argv(argv)

klaude_code/core/tool/sub_agent_tool.py

@@ -0,0 +1,83 @@
+"""Generic sub-agent tool implementation.
+
+This module provides a single tool class that can handle all sub-agent invocations
+based on their SubAgentProfile configuration.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import json
+from typing import TYPE_CHECKING, ClassVar
+
+from klaude_code.core.tool.tool_abc import ToolABC
+from klaude_code.core.tool.tool_context import current_run_subtask_callback
+from klaude_code.protocol import llm_param, model
+
+if TYPE_CHECKING:
+    from klaude_code.protocol.sub_agent import SubAgentProfile
+
+
+class SubAgentTool(ToolABC):
+    """Generic tool implementation for all sub-agents.
+
+    Each sub-agent type gets its own dynamically generated subclass with the
+    appropriate profile attached as a class variable.
+    """
+
+    _profile: ClassVar[SubAgentProfile]
+
+    @classmethod
+    def for_profile(cls, profile: SubAgentProfile) -> type[SubAgentTool]:
+        """Create a tool class for a specific sub-agent profile."""
+        return type(
+            f"{profile.name}Tool",
+            (SubAgentTool,),
+            {"_profile": profile},
+        )
+
+    @classmethod
+    def schema(cls) -> llm_param.ToolSchema:
+        profile = cls._profile
+        return llm_param.ToolSchema(
+            name=profile.name,
+            type="function",
+            description=profile.description,
+            parameters=profile.parameters,
+        )
+
+    @classmethod
+    async def call(cls, arguments: str) -> model.ToolResultItem:
+        profile = cls._profile
+
+        try:
+            args = json.loads(arguments)
+        except json.JSONDecodeError as e:
+            return model.ToolResultItem(status="error", output=f"Invalid JSON arguments: {e}")
+
+        runner = current_run_subtask_callback.get()
+        if runner is None:
+            return model.ToolResultItem(status="error", output="No subtask runner available in this context")
+
+        # Build the prompt using the profile's prompt builder
+        prompt = profile.prompt_builder(args)
+        description = args.get("description", "")
+
+        try:
+            result = await runner(
+                model.SubAgentState(
+                    sub_agent_type=profile.name,
+                    sub_agent_desc=description,
+                    sub_agent_prompt=prompt,
+                )
+            )
+        except asyncio.CancelledError:
+            raise
+        except Exception as e:
+            return model.ToolResultItem(status="error", output=f"Failed to run subtask: {e}")
+
+        return model.ToolResultItem(
+            status="success" if not result.error else "error",
+            output=result.task_result or "",
+            ui_extra=model.ToolResultUIExtra(type=model.ToolResultUIExtraType.SESSION_ID, session_id=result.session_id),
+        )

klaude_code/core/tool/todo/todo_write_tool.md

@@ -0,0 +1,182 @@
+Use this tool to create and manage a structured task list for your current coding session. This helps you track progress, organize complex tasks, and demonstrate thoroughness to the user.
+It also helps the user understand the progress of the task and overall progress of their requests.
+
+#### When to Use This Tool
+Use this tool proactively in these scenarios:
+
+1. Complex multi-step tasks - When a task requires 3 or more distinct steps or actions
+2. Non-trivial and complex tasks - Tasks that require careful planning or multiple operations
+3. User explicitly requests todo list - When the user directly asks you to use the todo list
+4. User provides multiple tasks - When users provide a list of things to be done (numbered or comma-separated)
+5. After receiving new instructions - Immediately capture user requirements as todos
+6. When you start working on a task - Mark it as in_progress BEFORE beginning work. Ideally you should only have one todo as in_progress at a time
+7. After completing a task - Mark it as completed and add any new follow-up tasks discovered during implementation
+
+#### When NOT to Use This Tool
+
+Skip using this tool when:
+1. There is only a single, straightforward task
+2. The task is trivial and tracking it provides no organizational benefit
+3. The task can be completed in less than 3 trivial steps
+4. The task is purely conversational or informational
+
+NOTE that you should not use this tool if there is only one trivial task to do. In this case you are better off just doing the task directly.
+
+#### Examples of When to Use the Todo List
+
+<example>
+User: I want to add a dark mode toggle to the application settings. Make sure you run the tests and build when you're done!
+Assistant: I'll help add a dark mode toggle to your application settings. Let me create a todo list to track this implementation.
+*Creates todo list with the following items:*
+1. Creating dark mode toggle component in Settings page
+2. Adding dark mode state management (context/store)
+3. Implementing CSS-in-JS styles for dark theme
+4. Updating existing components to support theme switching
+5. Running tests and build process, addressing any failures or errors that occur
+*Begins working on the first task*
+
+<reasoning>
+The assistant used the todo list because:
+1. Adding dark mode is a multi-step feature requiring UI, state management, and styling changes
+2. The user explicitly requested tests and build be run afterward
+3. The assistant inferred that tests and build need to pass by adding "Ensure tests and build succeed" as the final task
+</reasoning>
+</example>
+
+<example>
+User: Help me rename the function getCwd to getCurrentWorkingDirectory across my project
+Assistant: Let me first search through your codebase to find all occurrences of 'getCwd'.
+*Uses grep or search tools to locate all instances of getCwd in the codebase*
+Assistant: I've found 15 instances of 'getCwd' across 8 different files. Let me create a todo list to track these changes.
+*Creates todo list with specific items for each file that needs updating*
+
+<reasoning>
+The assistant used the todo list because:
+1. First, the assistant searched to understand the scope of the task
+2. Upon finding multiple occurrences across different files, it determined this was a complex task with multiple steps
+3. The todo list helps ensure every instance is tracked and updated systematically
+4. This approach prevents missing any occurrences and maintains code consistency
+</reasoning>
+</example>
+
+
+<example>
+User: I need to implement these features for my e-commerce site: user registration, product catalog, shopping cart, and checkout flow.
+Assistant: I'll help implement these features. First, let's add all the features to the todo list.
+*Creates a todo list breaking down each feature into specific tasks based on the project architecture*
+Assistant: Let's start with user registration. This will involve creating database models, API endpoints, and frontend forms that integrate with your existing authentication system.
+
+<reasoning>
+The assistant used the todo list because:
+1. The user provided multiple complex features to implement in a comma separated list
+2. The todo list helps organize these large features into manageable tasks
+3. This approach allows for tracking progress across the entire implementation
+</reasoning>
+</example>
+
+<example>
+User: Can you help optimize my React application? It's rendering slowly and has performance issues.</user>
+Assistant: I'll help optimize your React application. First, let me examine your codebase to identify potential performance bottlenecks.
+*Reviews component structure, render patterns, state management, and data fetching*
+Assistant: After analyzing your codebase, I've identified several performance issues. Let me create a todo list to track our optimization efforts.
+*Creates todo list with items like: 1) Implementing memoization for expensive calculations in ProductList, 2) Adding virtualization for long lists in Dashboard, 3) Optimizing image loading in Gallery component, 4) Fixing state update loops in ShoppingCart, 5) Reviewing bundle size and implementing code splitting*
+Let's start by implementing memoization for the expensive calculations in your ProductList component.</assistant>
+
+<reasoning>
+The assistant used the todo list because:
+1. First, the assistant examined the codebase to identify specific performance issues
+2. Based on this analysis, it identified multiple optimization opportunities
+3. Performance optimization is a non-trivial task requiring multiple steps
+4. The todo list helps methodically track improvements across different components
+5. This systematic approach ensures all performance bottlenecks are addressed
+</reasoning>
+</example>
+
+#### Examples of When NOT to Use the Todo List
+
+<example>
+User: How do I print 'Hello World' in Python?
+Assistant: In Python, you can print "Hello World" with this simple code:
+
+python
+print("Hello World")
+
+This will output the text "Hello World" to the console when executed.</assistant>
+
+<reasoning>
+The assistant did not use the todo list because this is a single, trivial task that can be completed in one step. There's no need to track multiple tasks or steps for such a straightforward request.
+</reasoning>
+</example>
+
+<example>
+User: What does the git status command do?
+Assistant: The git status command shows the current state of your working directory and staging area. It displays which changes have been staged, which haven't, and which files aren't being tracked by Git. This is a fundamental command for understanding the current state of your repository before making commits.
+
+<reasoning>
+The assistant did not use the todo list because this is an informational request with no actual coding task to complete. The user is simply asking for an explanation, not for the assistant to perform multiple steps or tasks.
+</reasoning>
+</example>
+
+<example>
+User: Can you add a comment to the calculateTotal function to explain what it does?
+Assistant: Sure, let me add a comment to the calculateTotal function to explain what it does.
+* Uses the Edit tool to add a comment to the calculateTotal function *
+
+<reasoning>
+The assistant did not use the todo list because this is a single, straightforward task confined to one location in the code. Adding a comment doesn't require tracking multiple steps or systematic organization.
+</reasoning>
+</example>
+
+<example>
+User: Run npm install for me and tell me what happens.
+Assistant: I'll run the npm install command for you.
+
+*Executes: npm install*
+
+The command completed successfully. Here's the output:
+[Output of npm install command]
+
+All dependencies have been installed according to your package.json file.
+
+<reasoning>
+The assistant did not use the todo list because this is a single command execution with immediate results. There are no multiple steps to track or organize, making the todo list unnecessary for this straightforward task.
+</reasoning>
+</example>
+
+#### Task States and Management
+
+1. **Task States**: Use these states to track progress:
+   - pending: Task not yet started
+   - in_progress: Currently working on (limit to ONE task at a time)
+   - completed: Task finished successfully
+
+   **IMPORTANT**: Task descriptions must have two forms:
+   - content: The imperative form describing what needs to be done (e.g., "Run tests", "Build the project")
+   - activeForm: The present continuous form shown during execution (e.g., "Running tests", "Building the project")
+
+2. **Task Management**:
+   - Update task status in real-time as you work
+   - Mark tasks complete IMMEDIATELY after finishing (don't batch completions)
+   - Exactly ONE task must be in_progress at any time (not less, not more)
+   - Complete current tasks before starting new ones
+   - Remove tasks that are no longer relevant from the list entirely
+
+3. **Task Completion Requirements**:
+   - ONLY mark a task as completed when you have FULLY accomplished it
+   - If you encounter errors, blockers, or cannot finish, keep the task as in_progress
+   - When blocked, create a new task describing what needs to be resolved
+   - Never mark a task as completed if:
+     - Tests are failing
+     - Implementation is partial
+     - You encountered unresolved errors
+     - You couldn't find necessary files or dependencies
+
+4. **Task Breakdown**:
+   - Create specific, actionable items
+   - Break complex tasks into smaller, manageable steps
+   - Use clear, descriptive task names
+   - Always provide both forms:
+     - content: "Fix authentication bug"
+     - activeForm: "Fixing authentication bug"
+
+When in doubt, use this tool. Being proactive with task management demonstrates attentiveness and ensures you complete all requirements successfully.