pascal-agent 0.3.0__py3-none-any.whl

pascal/sandbox.py

@@ -0,0 +1,287 @@
+"""Sandbox -- isolated command execution.
+
+Docker (if available) → RestrictedSandbox (fallback).
+Ported from Dorothy2. Zero framework dependencies.
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+import re
+import shlex
+import subprocess
+import tempfile
+import time
+from dataclasses import dataclass
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+_MAX_OUTPUT = 10_000
+
+# Env vars to strip in restricted/delegate mode
+_STRIPPED_ENV_KEYS = {
+    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
+    "GOOGLE_APPLICATION_CREDENTIALS", "AZURE_CLIENT_SECRET",
+    "DATABASE_URL", "DB_PASSWORD", "OPENAI_API_KEY",
+    "ANTHROPIC_API_KEY", "GITHUB_TOKEN", "NPM_TOKEN",
+    "DOCKER_HOST", "KUBECONFIG",
+}
+
+
+@dataclass
+class SandboxResult:
+    ok: bool
+    stdout: str = ""
+    stderr: str = ""
+    return_code: int = -1
+    elapsed_ms: float = 0.0
+    sandbox_type: str = ""
+    error: str = ""
+
+    @property
+    def status(self) -> str:
+        if self.error and "timeout" in self.error.lower():
+            return "unknown"
+        return "ok" if self.ok else "error"
+
+    @property
+    def output(self) -> str:
+        return (self.stdout + self.stderr)[:2000]
+
+
+class DockerSandbox:
+    """Run commands in Docker with --rm, --read-only, --network none, resource limits."""
+
+    def __init__(self, image: str = "python:3.12-slim", workspace: str = ""):
+        self._image = image
+        self._workspace = workspace
+        self._available: bool | None = None
+
+    def is_available(self) -> bool:
+        if self._available is not None:
+            return self._available
+        try:
+            r = subprocess.run(["docker", "info"], capture_output=True, timeout=5)
+            self._available = r.returncode == 0
+        except Exception:
+            self._available = False
+        return self._available
+
+    def execute(self, command: str, *, timeout: int = 60, allow_network: bool = False) -> SandboxResult:
+        t0 = time.time()
+        cmd = [
+            "docker", "run", "--rm",
+            "--memory", "512m", "--cpus", "1.0", "--pids-limit", "64",
+            "--read-only", "--tmpfs", "/tmp:size=100m",
+        ]
+        if not allow_network:
+            cmd += ["--network", "none"]
+        if self._workspace and os.path.isdir(self._workspace):
+            cmd += ["-v", f"{os.path.realpath(self._workspace)}:/workspace", "-w", "/workspace"]
+        cmd += [self._image, "sh", "-c", command]
+
+        try:
+            result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout,
+                                     encoding="utf-8", errors="replace")
+        except subprocess.TimeoutExpired:
+            return SandboxResult(ok=False, elapsed_ms=(time.time() - t0) * 1000,
+                                 sandbox_type="docker", error=f"Timeout ({timeout}s)")
+        except Exception as e:
+            return SandboxResult(ok=False, elapsed_ms=(time.time() - t0) * 1000,
+                                 sandbox_type="docker", error=f"Docker error: {e}")
+
+        stdout, stderr = _truncate(result.stdout or ""), _truncate(result.stderr or "")
+        return SandboxResult(
+            ok=result.returncode == 0, stdout=stdout, stderr=stderr,
+            return_code=result.returncode, elapsed_ms=(time.time() - t0) * 1000,
+            sandbox_type="docker",
+        )
+
+
+# Patterns that indicate shell features requiring sh -c wrapping
+_SHELL_FEATURES = re.compile(r"[|><;`$&]|\b&&\b|\b\|\|\b")
+# Windows shell built-ins that need cmd /c
+_WIN_BUILTINS = re.compile(r"^\s*(?:start|dir|copy|move|del|type|cls|set|title|assoc|ftype)\b", re.I)
+
+
+def _needs_shell(command: str) -> bool:
+    """Return True if the command uses shell features or Windows built-ins."""
+    if _SHELL_FEATURES.search(command):
+        return True
+    if os.name == "nt" and _WIN_BUILTINS.search(command):
+        return True
+    return False
+
+
+def _check_paths_in_command(command: str, workspace: str) -> str | None:
+    """Check for paths outside workspace, symlinks, and relative traversal."""
+    if not workspace:
+        return None
+    # Block symlink/junction/hardlink creation
+    if re.search(r'\bln\b\s+.*-s', command):
+        return "Symlink creation is not allowed in restricted sandbox"
+    if re.search(r'\bmklink\b', command, re.I):
+        return "mklink is not allowed in restricted sandbox"
+    if re.search(r'New-Item.*SymbolicLink', command, re.I):
+        return "Symlink creation is not allowed in restricted sandbox"
+    # Block relative traversal patterns
+    if re.search(r'\.\.[/\\]', command):
+        return "Relative path traversal (../) is not allowed in restricted sandbox"
+    ws = Path(workspace).resolve()
+    # Find absolute paths: unquoted, single-quoted, and double-quoted
+    # Pattern 1: unquoted paths (original)
+    # Pattern 2: paths inside quotes (new — catches python -c "open('/etc/passwd')")
+    path_patterns = [
+        r'(?:^|\s)(/[\w./-]+|[a-zA-Z]:\\[\w.\\ /-]+)',           # unquoted
+        r"""['"](/[\w./ -]+|[a-zA-Z]:\\[\w.\\ /-]+)['"]""",       # quoted
+    ]
+    for pattern in path_patterns:
+        for match in re.finditer(pattern, command):
+            path_str = match.group(1) if match.lastindex else match.group().strip()
+            try:
+                resolved = Path(path_str).resolve()
+                if not (resolved == ws or resolved.is_relative_to(ws)):
+                    return f"Path '{path_str}' is outside workspace '{ws}'"
+            except (OSError, ValueError):
+                continue
+    return None
+
+
+# Track temp directories created by make_safe_env for cleanup
+_sandbox_temp_dirs: list[str] = []
+_SANDBOX_TEMP_MAX = 50  # trigger cleanup when this many accumulate
+
+
+def make_safe_env() -> tuple[dict[str, str], str]:
+    """Create a stripped env dict + temp HOME. Shared by sandbox and delegate.
+
+    Temp directories are tracked and cleaned up periodically via cleanup_sandbox_temps().
+    """
+    safe_env = {}
+    for k, v in os.environ.items():
+        if k.upper() in _STRIPPED_ENV_KEYS:
+            continue
+        k_up = k.upper()
+        if any(pat in k_up for pat in ("SECRET", "TOKEN", "PASSWORD", "CREDENTIAL", "PRIVATE_KEY")):
+            continue
+        safe_env[k] = v
+    tmp_home = tempfile.mkdtemp(prefix="pascal_sandbox_")
+    _sandbox_temp_dirs.append(tmp_home)
+    # Proactive cleanup: remove old temp dirs when too many accumulate
+    if len(_sandbox_temp_dirs) > _SANDBOX_TEMP_MAX:
+        cleanup_sandbox_temps(keep_last=5)
+    safe_env["HOME"] = tmp_home
+    safe_env["TMPDIR"] = tmp_home
+    # Windows: also override user profile and temp directories
+    if os.name == "nt":
+        safe_env["USERPROFILE"] = tmp_home
+        safe_env["TEMP"] = tmp_home
+        safe_env["TMP"] = tmp_home
+        safe_env["APPDATA"] = os.path.join(tmp_home, "AppData", "Roaming")
+        safe_env["LOCALAPPDATA"] = os.path.join(tmp_home, "AppData", "Local")
+    return safe_env, tmp_home
+
+
+def cleanup_sandbox_temps(keep_last: int = 0) -> int:
+    """Remove tracked sandbox temp directories. Returns count removed."""
+    import shutil
+    removed = 0
+    to_remove = _sandbox_temp_dirs[:-keep_last] if keep_last else list(_sandbox_temp_dirs)
+    for tmp_dir in to_remove:
+        try:
+            if os.path.isdir(tmp_dir):
+                shutil.rmtree(tmp_dir, ignore_errors=True)
+                removed += 1
+        except Exception:
+            pass
+        if tmp_dir in _sandbox_temp_dirs:
+            _sandbox_temp_dirs.remove(tmp_dir)
+    return removed
+
+
+class RestrictedSandbox:
+    """Subprocess with stripped env vars, workspace boundary, temp HOME."""
+
+    def __init__(self, workspace: str = ""):
+        self._workspace = workspace
+
+    def execute(self, command: str, *, timeout: int = 60) -> SandboxResult:
+        t0 = time.time()
+        cwd = self._workspace if self._workspace and os.path.isdir(self._workspace) else None
+
+        # Path boundary check: block absolute paths outside workspace
+        path_err = _check_paths_in_command(command, self._workspace)
+        if path_err:
+            return SandboxResult(ok=False, elapsed_ms=0, sandbox_type="restricted",
+                                 error=path_err)
+
+        safe_env, tmp_home = make_safe_env()
+
+        # shell=False by default; wrap with shell when needed
+        if _needs_shell(command):
+            cmd: list[str] | str = ["cmd", "/c", command] if os.name == "nt" else ["sh", "-c", command]
+        else:
+            try:
+                cmd = shlex.split(command)
+            except ValueError:
+                # Malformed command -- fall back to platform-appropriate shell
+                cmd = ["cmd", "/c", command] if os.name == "nt" else ["sh", "-c", command]
+
+        try:
+            result = subprocess.run(
+                cmd, shell=False, capture_output=True, text=True,
+                timeout=timeout, cwd=cwd, env=safe_env,
+                encoding="utf-8", errors="replace",
+            )
+        except subprocess.TimeoutExpired:
+            return SandboxResult(ok=False, elapsed_ms=(time.time() - t0) * 1000,
+                                 sandbox_type="restricted", error=f"Timeout ({timeout}s)")
+        except FileNotFoundError as e:
+            return SandboxResult(ok=False, elapsed_ms=(time.time() - t0) * 1000,
+                                 sandbox_type="restricted", error=f"Command not found: {e}")
+        except Exception as e:
+            return SandboxResult(ok=False, elapsed_ms=(time.time() - t0) * 1000,
+                                 sandbox_type="restricted", error=f"Execution error: {e}")
+        finally:
+            # Clean up this invocation's temp dir immediately
+            import shutil as _shutil
+            try:
+                if os.path.isdir(tmp_home):
+                    _shutil.rmtree(tmp_home, ignore_errors=True)
+                if tmp_home in _sandbox_temp_dirs:
+                    _sandbox_temp_dirs.remove(tmp_home)
+            except Exception:
+                pass
+
+        stdout, stderr = _truncate(result.stdout or ""), _truncate(result.stderr or "")
+        return SandboxResult(
+            ok=result.returncode == 0, stdout=stdout, stderr=stderr,
+            return_code=result.returncode, elapsed_ms=(time.time() - t0) * 1000,
+            sandbox_type="restricted",
+        )
+
+
+class SandboxManager:
+    """Auto-selects Docker if available, falls back to Restricted."""
+
+    def __init__(self, workspace: str = "", prefer_docker: bool = True):
+        self._docker = DockerSandbox(workspace=workspace)
+        self._restricted = RestrictedSandbox(workspace=workspace)
+        self._prefer_docker = prefer_docker
+
+    def run(self, command: str, *, timeout: int = 60, allow_network: bool = False) -> SandboxResult:
+        if self._prefer_docker and self._docker.is_available():
+            result = self._docker.execute(command, timeout=timeout, allow_network=allow_network)
+            if not result.ok and "Docker" in result.error:
+                return self._restricted.execute(command, timeout=timeout)
+            return result
+        return self._restricted.execute(command, timeout=timeout)
+
+
+
+def _truncate(text: str) -> str:
+    if len(text) <= _MAX_OUTPUT:
+        return text
+    return text[:_MAX_OUTPUT] + f"\n... [truncated, {len(text)} chars total]"

pascal/scheduler.py

@@ -0,0 +1,243 @@
+"""Scheduler -- bounded tick for periodic checks. Not a daemon.
+
+Usage:
+  pascal --tick                              # manual
+  */5 * * * * pascal --tick                  # cron
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import urllib.error
+import urllib.request
+from datetime import datetime, timedelta, timezone
+from typing import Any, Callable
+
+from pascal.state import PascalStore
+
+logger = logging.getLogger(__name__)
+
+
+def _cron_field_matches(field: str, value: int) -> bool:
+    """Match a single cron field against a value. Supports *, integers, and */N step."""
+    if field == "*":
+        return True
+    if field.startswith("*/"):
+        try:
+            step = int(field[2:])
+            return step > 0 and value % step == 0
+        except (ValueError, TypeError):
+            return False
+    try:
+        return int(field) == value
+    except (ValueError, TypeError):
+        return False
+
+
+def _cron_matches(cron_expr: str, dt: datetime) -> bool:
+    """Simple cron matching: 'minute hour day month weekday'.
+    Supports *, integers, and */N step. Weekday: 0=Monday ... 6=Sunday."""
+    try:
+        parts = cron_expr.strip().split()
+        if len(parts) != 5:
+            return False
+        checks = [
+            (parts[0], dt.minute),
+            (parts[1], dt.hour),
+            (parts[2], dt.day),
+            (parts[3], dt.month),
+            (parts[4], dt.weekday()),
+        ]
+        return all(_cron_field_matches(field, value) for field, value in checks)
+    except (ValueError, TypeError):
+        return False
+
+
+def _send_webhook(url: str, text: str) -> bool:
+    """Send a message via webhook (Slack or Discord)."""
+    if not url:
+        return False
+    payload = json.dumps(
+        {"text": text} if "slack" in url else {"content": text[:2000], "username": "Pascal"}
+    ).encode("utf-8")
+    req = urllib.request.Request(
+        url, data=payload,
+        headers={"Content-Type": "application/json"}, method="POST",
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            return resp.status in (200, 204)
+    except (urllib.error.URLError, OSError) as exc:
+        logger.warning("Webhook send failed: %s", exc)
+        return False
+
+
+class Scheduler:
+    def __init__(self, store: PascalStore, emit: Callable[[str], None] | None = None):
+        self.store = store
+        self._emit = emit or print
+        self._slack_url = os.environ.get("PASCAL_SLACK_WEBHOOK", "")
+        self._discord_url = os.environ.get("PASCAL_DISCORD_WEBHOOK", "")
+
+    def tick(self) -> dict[str, Any]:
+        """One bounded tick. Returns summary."""
+        overdue = self._check_overdue()
+        stale = self._check_stale()
+        expired = self.store.cleanup_expired_context()
+        archived = 0  # memory decay disabled until access_count tracking is re-enabled
+        pending = self._count_pending_notifications()
+        evolved = self._evolve()
+
+        for item in overdue:
+            promised = ""
+            if item.get("promised_to"):
+                try:
+                    names = json.loads(item["promised_to"])
+                    promised = f"\nPromised to: {', '.join(names)}"
+                except (json.JSONDecodeError, TypeError):
+                    pass
+            msg = f"Overdue: {item['goal']}\nDue: {item['due_at']}{promised}"
+            self._broadcast(msg)
+
+        for item in stale:
+            self._broadcast(f"Stale ({item['status']}): {item['goal']}")
+
+        due_routines = self._check_routines()
+
+        return {
+            "overdue": len(overdue),
+            "stale": len(stale),
+            "expired_context": expired,
+            "archived_memories": archived,
+            "pending_notifications": pending,
+            "due_routines": due_routines,
+            "evolved": evolved,
+        }
+
+    def _broadcast(self, message: str) -> None:
+        """Send to CLI + any configured webhooks."""
+        self._emit(message)
+        if self._slack_url:
+            _send_webhook(self._slack_url, message)
+        if self._discord_url:
+            _send_webhook(self._discord_url, message)
+
+    def _check_overdue(self) -> list[dict[str, Any]]:
+        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+        rows = self.store.connection.execute(
+            "SELECT id, goal, status, due_at, promised_to FROM tasks "
+            "WHERE due_at IS NOT NULL AND due_at < ? AND status NOT IN ('done', 'failed') "
+            "ORDER BY due_at ASC", (now,),
+        ).fetchall()
+        return [dict(r) for r in rows]
+
+    def _check_stale(self, days: int = 3) -> list[dict[str, Any]]:
+        cutoff = (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+        rows = self.store.connection.execute(
+            "SELECT id, goal, status, updated_at FROM tasks "
+            "WHERE status IN ('active', 'paused') "
+            "AND updated_at < ?", (cutoff,),
+        ).fetchall()
+        return [dict(r) for r in rows]
+
+    def _count_pending_notifications(self) -> int:
+        row = self.store.connection.execute(
+            "SELECT COUNT(*) FROM notifications WHERE status = 'pending'"
+        ).fetchone()
+        return row[0] if row else 0
+
+    def _check_routines(self) -> int:
+        """Check context for due routines, create notifications for them."""
+        routines = self.store.get_context("routines")
+        if not routines or not isinstance(routines, list):
+            return 0
+        now = datetime.now(timezone.utc)
+        dedup_prefix = now.strftime("%Y%m%d%H")
+        fired = 0
+        for r in routines:
+            name = r.get("name", "")
+            cron = r.get("cron", "")
+            goal = r.get("task_goal", "")
+            if not cron or not goal:
+                continue
+            if not _cron_matches(cron, now):
+                continue
+            idem_key = f"routine:{name}:{dedup_prefix}"
+            existing = self.store.connection.execute(
+                "SELECT id FROM notifications WHERE metadata LIKE ? AND status != 'dismissed'",
+                (f'%{idem_key}%',),
+            ).fetchone()
+            if existing:
+                continue
+            self.store.push_notification(
+                source="routine",
+                message=f"[Routine: {name}] {goal}",
+                priority="normal",
+                metadata={"routine_name": name, "idem_key": idem_key},
+            )
+            fired += 1
+        return fired
+
+    # ── Self-Evolution (scorecard → strategy adjustment, zero LLM calls) ──
+
+    _EVOLVE_WINDOW = 20  # recent actions to analyze
+    _EVOLVE_MIN_ACTIONS = 5  # minimum actions before evolving
+
+    def _evolve(self) -> dict[str, Any]:
+        """Compute scorecard from recent history and adjust strategy. No LLM calls."""
+        rows = self.store.connection.execute(
+            "SELECT action_status FROM history ORDER BY created_at DESC LIMIT ?",
+            (self._EVOLVE_WINDOW,),
+        ).fetchall()
+        total = len(rows)
+        if total < self._EVOLVE_MIN_ACTIONS:
+            return {}
+
+        ok = sum(1 for r in rows if r["action_status"] == "ok")
+        errors = sum(1 for r in rows if r["action_status"] == "error")
+        unknown = sum(1 for r in rows if r["action_status"] == "unknown")
+        success_rate = ok / total
+        failure_rate = errors / total
+
+        scorecard = {
+            "total": total, "ok": ok, "errors": errors, "unknown": unknown,
+            "success_rate": round(success_rate, 2),
+            "failure_rate": round(failure_rate, 2),
+        }
+
+        # Strategy adjustment
+        strategy = "balanced"
+        if total >= 10 and failure_rate >= 0.4:
+            strategy = "careful"
+        elif total >= 10 and success_rate >= 0.9 and errors == 0:
+            strategy = "fast"
+
+        prev = self.store.get_context("evolution_strategy")
+        if prev != strategy:
+            self.store.set_context("evolution_strategy", strategy)
+            self.store.set_context("evolution_scorecard", scorecard)
+            self._emit(f"Evolution: strategy → {strategy} (success={success_rate:.0%}, fail={failure_rate:.0%})")
+
+        return {"strategy": strategy, "scorecard": scorecard}
+
+    def _archive_stale_memories(self, max_age_days: int = 90, min_access: int = 0) -> int:
+        """Delete memories not accessed in max_age_days with low access count."""
+        cutoff = (datetime.now(timezone.utc) - timedelta(days=max_age_days)).strftime(
+            "%Y-%m-%dT%H:%M:%S.%fZ"
+        )
+        # Collect rows to delete so we can clean up FTS5 index too
+        rows = self.store.connection.execute(
+            "SELECT id FROM memories WHERE access_count <= ? "
+            "AND (last_accessed IS NULL OR last_accessed < ?) "
+            "AND created_at < ?",
+            (min_access, cutoff, cutoff),
+        ).fetchall()
+        count = 0
+        for row in rows:
+            self.store.delete_memory(row["id"])
+            count += 1
+        if count > 0:
+            self._emit(f"Archived {count} stale memories (>{max_age_days}d, access={min_access})")
+        return count