ripperdoc 0.2.8__py3-none-any.whl → 0.2.10__py3-none-any.whl

ripperdoc/tools/bash_tool.py

@@ -41,7 +41,6 @@ from ripperdoc.utils.output_utils import (
     truncate_output,
 )
 from ripperdoc.utils.permissions.path_validation_utils import validate_shell_command_paths
-from ripperdoc.utils.permissions.shell_command_validation import validate_shell_command
 from ripperdoc.utils.permissions.tool_permission_utils import (
     evaluate_shell_command_permissions,
     is_command_read_only,
@@ -150,7 +149,7 @@ build projects, run tests, and interact with the file system."""
             ),
         ]
 
-    async def prompt(self, safe_mode: bool = False) -> str:
+    async def prompt(self, yolo_mode: bool = False) -> str:
         sandbox_available = is_sandbox_available()
         try:
             current_shell = find_suitable_shell()
@@ -341,9 +340,8 @@ build projects, run tests, and interact with the file system."""
             allow_rules,
             deny_rules,
             allowed_dirs,
-            command_injection_detected=False,
-            injection_detector=lambda cmd: validate_shell_command(cmd).behavior != "passthrough",
-            read_only_detector=lambda cmd, detector: is_command_read_only(cmd),
+            # danger_detector uses default: validate_shell_command(cmd).behavior != "passthrough"
+            # read_only_detector uses default: _is_command_read_only
         )
 
         # Background executions need an explicit confirmation even if heuristics
@@ -384,6 +382,43 @@ build projects, run tests, and interact with the file system."""
                 result=False, message="Sandbox mode requested but not available."
             )
 
+        # Validate shell_executable if provided
+        if input_data.shell_executable:
+            shell_path = Path(input_data.shell_executable)
+            # Must be an absolute path
+            if not shell_path.is_absolute():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable must be an absolute path: {input_data.shell_executable}",
+                )
+            # Must exist and be a file
+            if not shell_path.exists():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable not found: {input_data.shell_executable}",
+                )
+            if not shell_path.is_file():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable is not a file: {input_data.shell_executable}",
+                )
+            # Must be executable
+            if not os.access(shell_path, os.X_OK):
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable is not executable: {input_data.shell_executable}",
+                )
+            # Must be in a safe system directory or match known shell patterns
+            safe_dirs = {"/bin", "/usr/bin", "/usr/local/bin", "/opt/homebrew/bin"}
+            shell_name = shell_path.name.lower()
+            known_shells = {"bash", "sh", "zsh", "fish", "dash", "ksh", "tcsh", "csh"}
+            parent_dir = str(shell_path.parent)
+            if parent_dir not in safe_dirs and shell_name not in known_shells:
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable must be a known shell in a standard location: {input_data.shell_executable}",
+                )
+
         # Note: Path validation for sensitive directories (cd/find to /usr, /etc, etc.)
         # is now handled in check_permissions() to allow user confirmation for read-only ops.
 
@@ -396,10 +431,9 @@ build projects, run tests, and interact with the file system."""
                     result=False, message="This command cannot be run in background"
                 )
 
-        validation = validate_shell_command(input_data.command)
-        if validation.behavior == "ask":
-            return ValidationResult(result=False, message=validation.message)
-
+        # Note: Security validation (shell metacharacters, destructive commands, etc.)
+        # is handled in check_permissions() via evaluate_shell_command_permissions().
+        # validate_input() should only perform format/parameter validation.
         return ValidationResult(result=True)
 
     def render_result_for_assistant(self, output: BashToolOutput) -> str:
@@ -505,9 +539,7 @@ build projects, run tests, and interact with the file system."""
 
         return command, False
 
-    def _create_error_output(
-        self, command: str, stderr: str, sandbox: bool
-    ) -> BashToolOutput:
+    def _create_error_output(self, command: str, stderr: str, sandbox: bool) -> BashToolOutput:
         """Create a standardized error output."""
         return BashToolOutput(
             stdout="",
@@ -531,9 +563,13 @@ build projects, run tests, and interact with the file system."""
             return command, None, None
 
         if not is_sandbox_available():
-            return None, self._create_error_output(
-                command, "Sandbox mode requested but not available on this system", True
-            ), None
+            return (
+                None,
+                self._create_error_output(
+                    command, "Sandbox mode requested but not available on this system", True
+                ),
+                None,
+            )
 
         try:
             wrapper = create_sandbox_wrapper(command)
@@ -541,12 +577,15 @@ build projects, run tests, and interact with the file system."""
         except (OSError, RuntimeError, ValueError) as exc:
             logger.warning(
                 "[bash_tool] Failed to enable sandbox: %s: %s",
-                type(exc).__name__, exc,
+                type(exc).__name__,
+                exc,
                 extra={"command": command},
             )
-            return None, self._create_error_output(
-                command, f"Failed to enable sandbox: {exc}", True
-            ), None
+            return (
+                None,
+                self._create_error_output(command, f"Failed to enable sandbox: {exc}", True),
+                None,
+            )
 
     async def _run_background_command(
         self,
@@ -570,7 +609,8 @@ build projects, run tests, and interact with the file system."""
             # pragma: no cover - defensive import
             logger.warning(
                 "[bash_tool] Failed to import background shell runner: %s: %s",
-                type(e).__name__, e,
+                type(e).__name__,
+                e,
                 extra={"command": effective_command},
             )
             return self._create_error_output(
@@ -696,9 +736,7 @@ build projects, run tests, and interact with the file system."""
         # Store results in a way that the caller can access
         self._last_execution_result = (stdout_lines, stderr_lines, timed_out)
 
-    async def _drain_stream(
-        self, stream: Optional[asyncio.StreamReader], sink: list[str]
-    ) -> None:
+    async def _drain_stream(self, stream: Optional[asyncio.StreamReader], sink: list[str]) -> None:
         """Drain any remaining data from a stream."""
         if not stream:
             return
@@ -969,7 +1007,8 @@ build projects, run tests, and interact with the file system."""
                 raise  # Re-raise cancellation
             logger.warning(
                 "[bash_tool] Error executing command: %s: %s",
-                type(e).__name__, e,
+                type(e).__name__,
+                e,
                 extra={"command": effective_command},
             )
             error_output = self._create_error_output(

ripperdoc/tools/dynamic_mcp_tool.py

@@ -74,7 +74,8 @@ def _annotation_flag(tool_info: Any, key: str) -> bool:
         except (AttributeError, TypeError, KeyError) as exc:
             logger.debug(
                 "[mcp_tools] Failed to read annotation flag: %s: %s",
-                type(exc).__name__, exc,
+                type(exc).__name__,
+                exc,
             )
             return False
     return False
@@ -204,7 +205,7 @@ class DynamicMcpTool(Tool[BaseModel, McpToolCallOutput]):
     def input_schema(self) -> type[BaseModel]:
         return self._input_model
 
-    async def prompt(self, _safe_mode: bool = False) -> str:
+    async def prompt(self, _yolo_mode: bool = False) -> str:
         return await self.description()
 
     def is_read_only(self) -> bool:
@@ -321,7 +322,14 @@ class DynamicMcpTool(Tool[BaseModel, McpToolCallOutput]):
                 data=annotated_output,
                 result_for_assistant=final_text,
             )
-        except (OSError, RuntimeError, ConnectionError, ValueError, KeyError, TypeError) as exc:  # pragma: no cover - runtime errors
+        except (
+            OSError,
+            RuntimeError,
+            ConnectionError,
+            ValueError,
+            KeyError,
+            TypeError,
+        ) as exc:  # pragma: no cover - runtime errors
             output = McpToolCallOutput(
                 server=self.server_name,
                 tool=self.tool_info.name,
@@ -333,7 +341,8 @@ class DynamicMcpTool(Tool[BaseModel, McpToolCallOutput]):
             )
             logger.warning(
                 "Error calling MCP tool: %s: %s",
-                type(exc).__name__, exc,
+                type(exc).__name__,
+                exc,
                 extra={
                     "server": self.server_name,
                     "tool": self.tool_info.name,
@@ -381,10 +390,16 @@ def load_dynamic_mcp_tools_sync(project_path: Optional[Path] = None) -> List[Dyn
 
     try:
         return asyncio.run(_load_and_keep())
-    except (OSError, RuntimeError, ConnectionError, ValueError) as exc:  # pragma: no cover - SDK/runtime failures
+    except (
+        OSError,
+        RuntimeError,
+        ConnectionError,
+        ValueError,
+    ) as exc:  # pragma: no cover - SDK/runtime failures
         logger.warning(
             "Failed to initialize MCP runtime for dynamic tools (sync): %s: %s",
-            type(exc).__name__, exc,
+            type(exc).__name__,
+            exc,
         )
         return []
 
@@ -393,10 +408,16 @@ async def load_dynamic_mcp_tools_async(project_path: Optional[Path] = None) -> L
     """Async loader for MCP tools when already in an event loop."""
     try:
         runtime = await ensure_mcp_runtime(project_path)
-    except (OSError, RuntimeError, ConnectionError, ValueError) as exc:  # pragma: no cover - SDK/runtime failures
+    except (
+        OSError,
+        RuntimeError,
+        ConnectionError,
+        ValueError,
+    ) as exc:  # pragma: no cover - SDK/runtime failures
         logger.warning(
             "Failed to initialize MCP runtime for dynamic tools (async): %s: %s",
-            type(exc).__name__, exc,
+            type(exc).__name__,
+            exc,
         )
         return []
     return _build_dynamic_mcp_tools(runtime)

ripperdoc/tools/enter_plan_mode_tool.py

@@ -151,7 +151,7 @@ class EnterPlanModeTool(Tool[EnterPlanModeToolInput, EnterPlanModeToolOutput]):
     def input_schema(self) -> type[EnterPlanModeToolInput]:
         return EnterPlanModeToolInput
 
-    async def prompt(self, safe_mode: bool = False) -> str:  # noqa: ARG002
+    async def prompt(self, yolo_mode: bool = False) -> str:  # noqa: ARG002
         return ENTER_PLAN_MODE_PROMPT
 
     def user_facing_name(self) -> str:

ripperdoc/tools/exit_plan_mode_tool.py

@@ -84,7 +84,7 @@ class ExitPlanModeTool(Tool[ExitPlanModeToolInput, ExitPlanModeToolOutput]):
     def input_schema(self) -> type[ExitPlanModeToolInput]:
         return ExitPlanModeToolInput
 
-    async def prompt(self, safe_mode: bool = False) -> str:  # noqa: ARG002
+    async def prompt(self, yolo_mode: bool = False) -> str:  # noqa: ARG002
         return EXIT_PLAN_MODE_PROMPT
 
     def user_facing_name(self) -> str:

ripperdoc/tools/file_edit_tool.py

@@ -3,9 +3,11 @@
 Allows the AI to edit files by replacing text.
 """
 
+import contextlib
 import os
+import tempfile
 from pathlib import Path
-from typing import AsyncGenerator, List, Optional
+from typing import AsyncGenerator, Generator, List, Optional, TextIO
 from pydantic import BaseModel, Field
 
 from ripperdoc.core.tool import (
@@ -20,9 +22,42 @@ from ripperdoc.utils.log import get_logger
 from ripperdoc.utils.file_watch import record_snapshot
 from ripperdoc.utils.path_ignore import check_path_for_tool
 
+# Import fcntl for file locking on Unix systems
+try:
+    import fcntl
+
+    HAS_FCNTL = True
+except ImportError:
+    HAS_FCNTL = False
+
 logger = get_logger()
 
 
+@contextlib.contextmanager
+def _file_lock(file_handle: TextIO, exclusive: bool = True) -> Generator[None, None, None]:
+    """Acquire a file lock, with fallback for systems without fcntl.
+
+    Args:
+        file_handle: An open file handle to lock
+        exclusive: If True, acquire exclusive lock; otherwise shared lock
+
+    Yields:
+        None
+    """
+    if not HAS_FCNTL:
+        # On Windows or systems without fcntl, skip locking
+        yield
+        return
+
+    lock_type = fcntl.LOCK_EX if exclusive else fcntl.LOCK_SH
+    try:
+        fcntl.flock(file_handle.fileno(), lock_type)
+        yield
+    finally:
+        with contextlib.suppress(OSError):
+            fcntl.flock(file_handle.fileno(), fcntl.LOCK_UN)
+
+
 class FileEditToolInput(BaseModel):
     """Input schema for FileEditTool."""
 
@@ -84,7 +119,7 @@ match exactly (including whitespace and indentation)."""
             ),
         ]
 
-    async def prompt(self, safe_mode: bool = False) -> str:
+    async def prompt(self, yolo_mode: bool = False) -> str:
         return (
             "Performs exact string replacements in files.\n\n"
             "Usage:\n"
@@ -159,7 +194,9 @@ match exactly (including whitespace and indentation)."""
 
         # Check if path is ignored (warning for edit operations)
         file_path_obj = Path(file_path)
-        should_proceed, warning_msg = check_path_for_tool(file_path_obj, tool_name="Edit", warn_only=True)
+        should_proceed, warning_msg = check_path_for_tool(
+            file_path_obj, tool_name="Edit", warn_only=True
+        )
         if warning_msg:
             logger.warning("[file_edit_tool] %s", warning_msg)
 
@@ -178,57 +215,131 @@ match exactly (including whitespace and indentation)."""
     async def call(
         self, input_data: FileEditToolInput, context: ToolUseContext
     ) -> AsyncGenerator[ToolOutput, None]:
-        """Edit the file."""
+        """Edit the file with TOCTOU protection."""
+
+        abs_file_path = os.path.abspath(input_data.file_path)
+        file_state_cache = getattr(context, "file_state_cache", {})
+        file_snapshot = file_state_cache.get(abs_file_path)
 
         try:
-            # Read the file
-            with open(input_data.file_path, "r", encoding="utf-8") as f:
-                content = f.read()
-
-            # Check if old_string exists
-            if input_data.old_string not in content:
-                output = FileEditToolOutput(
-                    file_path=input_data.file_path,
-                    replacements_made=0,
-                    success=False,
-                    message=f"String not found in file: {input_data.file_path}",
-                )
-                yield ToolResult(
-                    data=output, result_for_assistant=self.render_result_for_assistant(output)
-                )
-                return
-
-            # Count occurrences
-            occurrence_count = content.count(input_data.old_string)
-
-            # Check for ambiguity if not replace_all
-            if not input_data.replace_all and occurrence_count > 1:
-                output = FileEditToolOutput(
-                    file_path=input_data.file_path,
-                    replacements_made=0,
-                    success=False,
-                    message=f"String appears {occurrence_count} times in file. "
-                    f"Either provide a unique string or use replace_all=true",
-                )
-                yield ToolResult(
-                    data=output, result_for_assistant=self.render_result_for_assistant(output)
-                )
-                return
-
-            # Perform replacement
-            if input_data.replace_all:
-                new_content = content.replace(input_data.old_string, input_data.new_string)
-                replacements = occurrence_count
-            else:
-                new_content = content.replace(input_data.old_string, input_data.new_string, 1)
-                replacements = 1
-
-            # Write the file
-            with open(input_data.file_path, "w", encoding="utf-8") as f:
-                f.write(new_content)
-
-            # Use absolute path to ensure consistency with validation lookup
-            abs_file_path = os.path.abspath(input_data.file_path)
+            # Open file with exclusive lock to prevent concurrent modifications
+            # Use r+ mode to get a file handle we can lock before reading
+            with open(abs_file_path, "r+", encoding="utf-8") as f:
+                with _file_lock(f, exclusive=True):
+                    # Re-check mtime AFTER acquiring lock to close TOCTOU window
+                    # This is the key fix: validate mtime while holding the lock
+                    if file_snapshot:
+                        try:
+                            current_mtime = os.fstat(f.fileno()).st_mtime
+                            if current_mtime > file_snapshot.timestamp:
+                                output = FileEditToolOutput(
+                                    file_path=input_data.file_path,
+                                    replacements_made=0,
+                                    success=False,
+                                    message="File has been modified since read, either by the user "
+                                    "or by a linter. Read it again before attempting to edit it.",
+                                )
+                                yield ToolResult(
+                                    data=output,
+                                    result_for_assistant=self.render_result_for_assistant(output),
+                                )
+                                return
+                        except OSError:
+                            pass  # fstat failed, proceed anyway
+
+                    # Read content while holding the lock
+                    content = f.read()
+
+                    # Check if old_string exists
+                    if input_data.old_string not in content:
+                        output = FileEditToolOutput(
+                            file_path=input_data.file_path,
+                            replacements_made=0,
+                            success=False,
+                            message=f"String not found in file: {input_data.file_path}",
+                        )
+                        yield ToolResult(
+                            data=output,
+                            result_for_assistant=self.render_result_for_assistant(output),
+                        )
+                        return
+
+                    # Count occurrences
+                    occurrence_count = content.count(input_data.old_string)
+
+                    # Check for ambiguity if not replace_all
+                    if not input_data.replace_all and occurrence_count > 1:
+                        output = FileEditToolOutput(
+                            file_path=input_data.file_path,
+                            replacements_made=0,
+                            success=False,
+                            message=f"String appears {occurrence_count} times in file. "
+                            f"Either provide a unique string or use replace_all=true",
+                        )
+                        yield ToolResult(
+                            data=output,
+                            result_for_assistant=self.render_result_for_assistant(output),
+                        )
+                        return
+
+                    # Perform replacement
+                    if input_data.replace_all:
+                        new_content = content.replace(input_data.old_string, input_data.new_string)
+                        replacements = occurrence_count
+                    else:
+                        new_content = content.replace(
+                            input_data.old_string, input_data.new_string, 1
+                        )
+                        replacements = 1
+
+                    # Atomic write: write to temp file then rename
+                    # This ensures the file is either fully written or not at all
+                    file_dir = os.path.dirname(abs_file_path)
+                    try:
+                        # Create temp file in same directory to ensure same filesystem
+                        fd, temp_path = tempfile.mkstemp(
+                            dir=file_dir, prefix=".ripperdoc_edit_", suffix=".tmp"
+                        )
+                        try:
+                            with os.fdopen(fd, "w", encoding="utf-8") as temp_f:
+                                temp_f.write(new_content)
+                            # Preserve original file permissions
+                            original_stat = os.fstat(f.fileno())
+                            os.chmod(temp_path, original_stat.st_mode)
+                            # Atomic replace (works on Unix, best-effort on Windows)
+                            os.replace(temp_path, abs_file_path)
+                        except Exception:
+                            # Clean up temp file on failure
+                            with contextlib.suppress(OSError):
+                                os.unlink(temp_path)
+                            raise
+                    except OSError as atomic_error:
+                        # Fallback to in-place write if atomic write fails
+                        # (e.g., cross-filesystem issues)
+                        # Re-verify file hasn't changed before fallback write (TOCTOU protection)
+                        f.seek(0)
+                        current_content = f.read()
+                        if current_content != content:
+                            output = FileEditToolOutput(
+                                file_path=input_data.file_path,
+                                replacements_made=0,
+                                success=False,
+                                message="File was modified during atomic write fallback. Please retry.",
+                            )
+                            yield ToolResult(
+                                data=output,
+                                result_for_assistant=self.render_result_for_assistant(output),
+                            )
+                            return
+                        f.seek(0)
+                        f.truncate()
+                        f.write(new_content)
+                        logger.debug(
+                            "[file_edit_tool] Atomic write failed, used fallback: %s",
+                            atomic_error,
+                        )
+
+            # Record the new snapshot after successful edit
             try:
                 record_snapshot(
                     abs_file_path,
@@ -238,7 +349,8 @@ match exactly (including whitespace and indentation)."""
             except (OSError, IOError, RuntimeError) as exc:
                 logger.warning(
                     "[file_edit_tool] Failed to record file snapshot: %s: %s",
-                    type(exc).__name__, exc,
+                    type(exc).__name__,
+                    exc,
                     extra={"file_path": abs_file_path},
                 )
 
@@ -330,7 +442,8 @@ match exactly (including whitespace and indentation)."""
         except (OSError, IOError, PermissionError, UnicodeDecodeError, ValueError) as e:
             logger.warning(
                 "[file_edit_tool] Error editing file: %s: %s",
-                type(e).__name__, e,
+                type(e).__name__,
+                e,
                 extra={"file_path": input_data.file_path},
             )
             error_output = FileEditToolOutput(

ripperdoc/tools/file_read_tool.py

@@ -22,6 +22,10 @@ from ripperdoc.utils.path_ignore import check_path_for_tool
 
 logger = get_logger()
 
+# Maximum file size to read (default 50MB, configurable via env)
+MAX_FILE_SIZE_MB = float(os.getenv("RIPPERDOC_MAX_READ_FILE_SIZE_MB", "50"))
+MAX_FILE_SIZE_BYTES = int(MAX_FILE_SIZE_MB * 1024 * 1024)
+
 
 class FileReadToolInput(BaseModel):
     """Input schema for FileReadTool."""
@@ -70,7 +74,7 @@ and limit to read only a portion of the file."""
             ),
         ]
 
-    async def prompt(self, safe_mode: bool = False) -> str:
+    async def prompt(self, yolo_mode: bool = False) -> str:
         return (
             "Read a file from the local filesystem.\n\n"
             "Usage:\n"
@@ -106,7 +110,9 @@ and limit to read only a portion of the file."""
 
         # Check if path is ignored (warning only for read operations)
         file_path = Path(input_data.file_path)
-        should_proceed, warning_msg = check_path_for_tool(file_path, tool_name="Read", warn_only=True)
+        should_proceed, warning_msg = check_path_for_tool(
+            file_path, tool_name="Read", warn_only=True
+        )
         if warning_msg:
             logger.info("[file_read_tool] %s", warning_msg)
 
@@ -138,6 +144,22 @@ and limit to read only a portion of the file."""
         """Read the file."""
 
         try:
+            # Check file size before reading to prevent memory exhaustion
+            file_size = os.path.getsize(input_data.file_path)
+            if file_size > MAX_FILE_SIZE_BYTES:
+                error_output = FileReadToolOutput(
+                    content=f"File too large to read: {file_size / (1024*1024):.1f}MB exceeds limit of {MAX_FILE_SIZE_MB}MB. Use offset and limit parameters to read portions.",
+                    file_path=input_data.file_path,
+                    line_count=0,
+                    offset=0,
+                    limit=None,
+                )
+                yield ToolResult(
+                    data=error_output,
+                    result_for_assistant=f"Error: File {input_data.file_path} is too large ({file_size / (1024*1024):.1f}MB). Maximum size is {MAX_FILE_SIZE_MB}MB. Use offset and limit to read portions.",
+                )
+                return
+
             with open(input_data.file_path, "r", encoding="utf-8", errors="replace") as f:
                 lines = f.readlines()
 
@@ -166,7 +188,8 @@ and limit to read only a portion of the file."""
             except (OSError, IOError, RuntimeError) as exc:
                 logger.warning(
                     "[file_read_tool] Failed to record file snapshot: %s: %s",
-                    type(exc).__name__, exc,
+                    type(exc).__name__,
+                    exc,
                     extra={"file_path": input_data.file_path},
                 )
 
@@ -185,7 +208,8 @@ and limit to read only a portion of the file."""
         except (OSError, IOError, UnicodeDecodeError, ValueError) as e:
             logger.warning(
                 "[file_read_tool] Error reading file: %s: %s",
-                type(e).__name__, e,
+                type(e).__name__,
+                e,
                 extra={"file_path": input_data.file_path},
             )
             # Create an error output