ripperdoc 0.2.9__py3-none-any.whl → 0.3.0__py3-none-any.whl

ripperdoc/tools/bash_tool.py

@@ -41,7 +41,6 @@ from ripperdoc.utils.output_utils import (
     truncate_output,
 )
 from ripperdoc.utils.permissions.path_validation_utils import validate_shell_command_paths
-from ripperdoc.utils.permissions.shell_command_validation import validate_shell_command
 from ripperdoc.utils.permissions.tool_permission_utils import (
     evaluate_shell_command_permissions,
     is_command_read_only,
@@ -51,6 +50,7 @@ from ripperdoc.utils.sandbox_utils import create_sandbox_wrapper, is_sandbox_ava
 from ripperdoc.utils.safe_get_cwd import get_original_cwd, safe_get_cwd
 from ripperdoc.utils.shell_utils import build_shell_command, find_suitable_shell
 from ripperdoc.utils.log import get_logger
+from ripperdoc.utils.platform import IS_WINDOWS
 
 logger = get_logger()
 
@@ -341,9 +341,8 @@ build projects, run tests, and interact with the file system."""
             allow_rules,
             deny_rules,
             allowed_dirs,
-            command_injection_detected=False,
-            injection_detector=lambda cmd: validate_shell_command(cmd).behavior != "passthrough",
-            read_only_detector=lambda cmd, detector: is_command_read_only(cmd),
+            # danger_detector uses default: validate_shell_command(cmd).behavior != "passthrough"
+            # read_only_detector uses default: _is_command_read_only
         )
 
         # Background executions need an explicit confirmation even if heuristics
@@ -384,6 +383,43 @@ build projects, run tests, and interact with the file system."""
                 result=False, message="Sandbox mode requested but not available."
             )
 
+        # Validate shell_executable if provided
+        if input_data.shell_executable:
+            shell_path = Path(input_data.shell_executable)
+            # Must be an absolute path
+            if not shell_path.is_absolute():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable must be an absolute path: {input_data.shell_executable}",
+                )
+            # Must exist and be a file
+            if not shell_path.exists():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable not found: {input_data.shell_executable}",
+                )
+            if not shell_path.is_file():
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable is not a file: {input_data.shell_executable}",
+                )
+            # Must be executable
+            if not os.access(shell_path, os.X_OK):
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable is not executable: {input_data.shell_executable}",
+                )
+            # Must be in a safe system directory or match known shell patterns
+            safe_dirs = {"/bin", "/usr/bin", "/usr/local/bin", "/opt/homebrew/bin"}
+            shell_name = shell_path.name.lower()
+            known_shells = {"bash", "sh", "zsh", "fish", "dash", "ksh", "tcsh", "csh"}
+            parent_dir = str(shell_path.parent)
+            if parent_dir not in safe_dirs and shell_name not in known_shells:
+                return ValidationResult(
+                    result=False,
+                    message=f"shell_executable must be a known shell in a standard location: {input_data.shell_executable}",
+                )
+
         # Note: Path validation for sensitive directories (cd/find to /usr, /etc, etc.)
         # is now handled in check_permissions() to allow user confirmation for read-only ops.
 
@@ -396,15 +432,9 @@ build projects, run tests, and interact with the file system."""
                     result=False, message="This command cannot be run in background"
                 )
 
-        validation = validate_shell_command(input_data.command)
-        if validation.behavior == "ask":
-            # In yolo mode, allow shell metacharacters
-            if context and hasattr(context, 'yolo_mode') and context.yolo_mode \
-               and "shell metacharacters" in validation.message:
-                # Allow commands with shell metacharacters in yolo mode
-                return ValidationResult(result=True)
-            return ValidationResult(result=False, message=validation.message)
-
+        # Note: Security validation (shell metacharacters, destructive commands, etc.)
+        # is handled in check_permissions() via evaluate_shell_command_permissions().
+        # validate_input() should only perform format/parameter validation.
         return ValidationResult(result=True)
 
     def render_result_for_assistant(self, output: BashToolOutput) -> str:
@@ -568,6 +598,7 @@ build projects, run tests, and interact with the file system."""
         sandbox_requested: bool,
         start_time: float,
         input_data: BashToolInput,
+        context: Optional[ToolUseContext] = None,
     ) -> Optional[BashToolOutput]:
         """Run a command in background mode.
 
@@ -593,8 +624,50 @@ build projects, run tests, and interact with the file system."""
             if input_data.timeout is None
             else (timeout_seconds if timeout_seconds > 0 else None)
         )
+
+        completion_callbacks = None
+        queue = getattr(context, "pending_message_queue", None) if context else None
+        if queue is not None:
+
+            def _notify_completion(task: Any) -> None:
+                # Mirror status computation from background_shell._compute_status
+                if getattr(task, "killed", False):
+                    status = "killed"
+                elif getattr(task, "timed_out", False):
+                    status = "failed"
+                else:
+                    exit_code = getattr(task, "exit_code", None)
+                    status = (
+                        "running"
+                        if exit_code is None
+                        else ("completed" if exit_code == 0 else "failed")
+                    )
+                exit_code = getattr(task, "exit_code", None)
+                status_line = (
+                    f"Background bash task {getattr(task, 'id', '')} finished with status: {status}"
+                )
+                if exit_code is not None:
+                    status_line += f" (exit code {exit_code})"
+                details = [
+                    status_line,
+                    f"Command: {effective_command}",
+                    "Use BashOutput with this task id to read stdout/stderr and continue.",
+                ]
+                queue.enqueue_text(
+                    "\n".join(details),
+                    metadata={
+                        "source": "background_bash",
+                        "background_task_id": getattr(task, "id", None),
+                    },
+                )
+
+            completion_callbacks = [_notify_completion]  # type: ignore[assignment]
+
         task_id = await start_background_command(
-            final_command, timeout=bg_timeout, shell_executable=resolved_shell
+            final_command,
+            timeout=bg_timeout,
+            shell_executable=resolved_shell,
+            completion_callbacks=completion_callbacks,  # type: ignore[arg-type]
         )
 
         return BashToolOutput(
@@ -860,6 +933,7 @@ build projects, run tests, and interact with the file system."""
                     sandbox_requested,
                     start,
                     input_data,
+                    context,
                 )
                 if output:
                     yield ToolResult(
@@ -992,35 +1066,56 @@ build projects, run tests, and interact with the file system."""
         finally:
             self._current_is_read_only = previous_read_only
             if sandbox_cleanup:
-                with contextlib.suppress(Exception):
+                with contextlib.suppress(OSError, IOError, PermissionError):
                     sandbox_cleanup()
 
     async def _force_kill_process(
         self, process: asyncio.subprocess.Process, grace_seconds: float = KILL_GRACE_SECONDS
     ) -> None:
-        """Attempt to terminate a process group and avoid hanging waits."""
+        """Attempt to terminate a process group and avoid hanging waits.
+
+        Platform differences:
+        - Unix: Uses killpg with SIGTERM/SIGKILL to terminate process groups
+        - Windows: Uses process.terminate()/kill() which sends appropriate signals
+        """
         if process.returncode is not None:
             return
 
         def _terminate() -> None:
-            if hasattr(os, "killpg"):
-                os.killpg(process.pid, signal.SIGTERM)
+            if IS_WINDOWS:
+                # Windows: use process.terminate() which is cross-platform
+                process.terminate()
+            elif hasattr(os, "killpg"):
+                # Unix: terminate the entire process group
+                try:
+                    os.killpg(process.pid, signal.SIGTERM)
+                except (ProcessLookupError, PermissionError, OSError):
+                    # Fallback to single process termination
+                    process.terminate()
             else:
                 process.terminate()
 
         def _kill() -> None:
-            if hasattr(os, "killpg"):
-                os.killpg(process.pid, signal.SIGKILL)
+            if IS_WINDOWS:
+                # Windows: use process.kill() which forcefully terminates
+                process.kill()
+            elif hasattr(os, "killpg") and hasattr(signal, "SIGKILL"):
+                # Unix: forcefully kill the entire process group
+                try:
+                    os.killpg(process.pid, signal.SIGKILL)
+                except (ProcessLookupError, PermissionError, OSError):
+                    # Fallback to single process kill
+                    process.kill()
             else:
                 process.kill()
 
-        with contextlib.suppress(ProcessLookupError, PermissionError):
+        with contextlib.suppress(ProcessLookupError, PermissionError, OSError):
             _terminate()
         with contextlib.suppress(asyncio.TimeoutError):
             await asyncio.wait_for(process.wait(), timeout=grace_seconds)
             return
 
-        with contextlib.suppress(ProcessLookupError, PermissionError):
+        with contextlib.suppress(ProcessLookupError, PermissionError, OSError):
             _kill()
         with contextlib.suppress(asyncio.TimeoutError):
             await asyncio.wait_for(process.wait(), timeout=grace_seconds)

ripperdoc/tools/file_edit_tool.py

@@ -3,9 +3,11 @@
 Allows the AI to edit files by replacing text.
 """
 
+import contextlib
 import os
+import tempfile
 from pathlib import Path
-from typing import AsyncGenerator, List, Optional
+from typing import AsyncGenerator, Generator, List, Optional, TextIO
 from pydantic import BaseModel, Field
 
 from ripperdoc.core.tool import (
@@ -17,12 +19,65 @@ from ripperdoc.core.tool import (
     ValidationResult,
 )
 from ripperdoc.utils.log import get_logger
+from ripperdoc.utils.platform import HAS_FCNTL
 from ripperdoc.utils.file_watch import record_snapshot
 from ripperdoc.utils.path_ignore import check_path_for_tool
+from ripperdoc.tools.file_read_tool import detect_file_encoding
 
 logger = get_logger()
 
 
+def determine_edit_encoding(file_path: str, new_content: str) -> str:
+    """Determine encoding for editing a file.
+
+    Detects the file's current encoding and verifies the new content
+    can be encoded with it. Falls back to UTF-8 if needed.
+    """
+    detected_encoding, _ = detect_file_encoding(file_path)
+
+    if not detected_encoding:
+        return "utf-8"
+
+    # Verify new content can be encoded
+    try:
+        new_content.encode(detected_encoding)
+        return detected_encoding
+    except (UnicodeEncodeError, LookupError):
+        logger.info(
+            "New content cannot be encoded with %s, falling back to UTF-8 for %s",
+            detected_encoding,
+            file_path,
+        )
+        return "utf-8"
+
+
+@contextlib.contextmanager
+def _file_lock(file_handle: TextIO, exclusive: bool = True) -> Generator[None, None, None]:
+    """Acquire a file lock, with fallback for systems without fcntl.
+
+    Args:
+        file_handle: An open file handle to lock
+        exclusive: If True, acquire exclusive lock; otherwise shared lock
+
+    Yields:
+        None
+    """
+    if not HAS_FCNTL:
+        # On Windows or systems without fcntl, skip locking
+        yield
+        return
+
+    import fcntl
+
+    lock_type = fcntl.LOCK_EX if exclusive else fcntl.LOCK_SH
+    try:
+        fcntl.flock(file_handle.fileno(), lock_type)
+        yield
+    finally:
+        with contextlib.suppress(OSError):
+            fcntl.flock(file_handle.fileno(), fcntl.LOCK_UN)
+
+
 class FileEditToolInput(BaseModel):
     """Input schema for FileEditTool."""
 
@@ -180,62 +235,185 @@ match exactly (including whitespace and indentation)."""
     async def call(
         self, input_data: FileEditToolInput, context: ToolUseContext
     ) -> AsyncGenerator[ToolOutput, None]:
-        """Edit the file."""
+        """Edit the file with TOCTOU protection."""
+
+        abs_file_path = os.path.abspath(input_data.file_path)
+        file_state_cache = getattr(context, "file_state_cache", {})
+        file_snapshot = file_state_cache.get(abs_file_path)
+
+        # Detect file encoding before opening
+        file_encoding, _ = detect_file_encoding(abs_file_path)
+        if not file_encoding:
+            file_encoding = "utf-8"
 
         try:
-            # Read the file
-            with open(input_data.file_path, "r", encoding="utf-8") as f:
-                content = f.read()
-
-            # Check if old_string exists
-            if input_data.old_string not in content:
-                output = FileEditToolOutput(
-                    file_path=input_data.file_path,
-                    replacements_made=0,
-                    success=False,
-                    message=f"String not found in file: {input_data.file_path}",
-                )
-                yield ToolResult(
-                    data=output, result_for_assistant=self.render_result_for_assistant(output)
-                )
-                return
-
-            # Count occurrences
-            occurrence_count = content.count(input_data.old_string)
-
-            # Check for ambiguity if not replace_all
-            if not input_data.replace_all and occurrence_count > 1:
-                output = FileEditToolOutput(
-                    file_path=input_data.file_path,
-                    replacements_made=0,
-                    success=False,
-                    message=f"String appears {occurrence_count} times in file. "
-                    f"Either provide a unique string or use replace_all=true",
-                )
-                yield ToolResult(
-                    data=output, result_for_assistant=self.render_result_for_assistant(output)
-                )
-                return
-
-            # Perform replacement
-            if input_data.replace_all:
-                new_content = content.replace(input_data.old_string, input_data.new_string)
-                replacements = occurrence_count
-            else:
-                new_content = content.replace(input_data.old_string, input_data.new_string, 1)
-                replacements = 1
-
-            # Write the file
-            with open(input_data.file_path, "w", encoding="utf-8") as f:
-                f.write(new_content)
-
-            # Use absolute path to ensure consistency with validation lookup
-            abs_file_path = os.path.abspath(input_data.file_path)
+            # Open file with exclusive lock to prevent concurrent modifications
+            # Use r+ mode to get a file handle we can lock before reading
+            #
+            # TOCTOU mitigation strategy:
+            # 1. Record mtime immediately after open (pre_lock_mtime)
+            # 2. Acquire exclusive lock
+            # 3. Check mtime again after lock (post_lock_mtime)
+            # 4. If pre != post, file was modified in the window between open and lock
+            # 5. Also validate against cached snapshot timestamp
+            with open(abs_file_path, "r+", encoding=file_encoding) as f:
+                # Record mtime immediately after open, before acquiring lock
+                try:
+                    pre_lock_mtime = os.fstat(f.fileno()).st_mtime
+                except OSError:
+                    pre_lock_mtime = None
+
+                with _file_lock(f, exclusive=True):
+                    # Check mtime after acquiring lock to detect modifications
+                    # during the window between open() and lock acquisition
+                    try:
+                        post_lock_mtime = os.fstat(f.fileno()).st_mtime
+                    except OSError:
+                        post_lock_mtime = None
+
+                    # Detect modification during open->lock window
+                    if pre_lock_mtime is not None and post_lock_mtime is not None:
+                        if post_lock_mtime > pre_lock_mtime:
+                            output = FileEditToolOutput(
+                                file_path=input_data.file_path,
+                                replacements_made=0,
+                                success=False,
+                                message="File was modified while acquiring lock. Please retry.",
+                            )
+                            yield ToolResult(
+                                data=output,
+                                result_for_assistant=self.render_result_for_assistant(output),
+                            )
+                            return
+
+                    # Validate against cached snapshot timestamp
+                    if file_snapshot and post_lock_mtime is not None:
+                        if post_lock_mtime > file_snapshot.timestamp:
+                            output = FileEditToolOutput(
+                                file_path=input_data.file_path,
+                                replacements_made=0,
+                                success=False,
+                                message="File has been modified since read, either by the user "
+                                "or by a linter. Read it again before attempting to edit it.",
+                            )
+                            yield ToolResult(
+                                data=output,
+                                result_for_assistant=self.render_result_for_assistant(output),
+                            )
+                            return
+
+                    # Read content while holding the lock
+                    content = f.read()
+
+                    # Check if old_string exists
+                    if input_data.old_string not in content:
+                        output = FileEditToolOutput(
+                            file_path=input_data.file_path,
+                            replacements_made=0,
+                            success=False,
+                            message=f"String not found in file: {input_data.file_path}",
+                        )
+                        yield ToolResult(
+                            data=output,
+                            result_for_assistant=self.render_result_for_assistant(output),
+                        )
+                        return
+
+                    # Count occurrences
+                    occurrence_count = content.count(input_data.old_string)
+
+                    # Check for ambiguity if not replace_all
+                    if not input_data.replace_all and occurrence_count > 1:
+                        output = FileEditToolOutput(
+                            file_path=input_data.file_path,
+                            replacements_made=0,
+                            success=False,
+                            message=f"String appears {occurrence_count} times in file. "
+                            f"Either provide a unique string or use replace_all=true",
+                        )
+                        yield ToolResult(
+                            data=output,
+                            result_for_assistant=self.render_result_for_assistant(output),
+                        )
+                        return
+
+                    # Perform replacement
+                    if input_data.replace_all:
+                        new_content = content.replace(input_data.old_string, input_data.new_string)
+                        replacements = occurrence_count
+                    else:
+                        new_content = content.replace(
+                            input_data.old_string, input_data.new_string, 1
+                        )
+                        replacements = 1
+
+                    # Verify new content can be encoded with file's encoding
+                    # If not, fall back to UTF-8
+                    write_encoding = file_encoding
+                    try:
+                        new_content.encode(file_encoding)
+                    except (UnicodeEncodeError, LookupError):
+                        logger.info(
+                            "New content cannot be encoded with %s, using UTF-8 for %s",
+                            file_encoding,
+                            abs_file_path,
+                        )
+                        write_encoding = "utf-8"
+
+                    # Atomic write: write to temp file then rename
+                    # This ensures the file is either fully written or not at all
+                    file_dir = os.path.dirname(abs_file_path)
+                    try:
+                        # Create temp file in same directory to ensure same filesystem
+                        fd, temp_path = tempfile.mkstemp(
+                            dir=file_dir, prefix=".ripperdoc_edit_", suffix=".tmp"
+                        )
+                        try:
+                            with os.fdopen(fd, "w", encoding=write_encoding) as temp_f:
+                                temp_f.write(new_content)
+                            # Preserve original file permissions
+                            original_stat = os.fstat(f.fileno())
+                            os.chmod(temp_path, original_stat.st_mode)
+                            # Atomic replace (works on Unix, best-effort on Windows)
+                            os.replace(temp_path, abs_file_path)
+                        except Exception:
+                            # Clean up temp file on failure
+                            with contextlib.suppress(OSError):
+                                os.unlink(temp_path)
+                            raise
+                    except OSError as atomic_error:
+                        # Fallback to in-place write if atomic write fails
+                        # (e.g., cross-filesystem issues)
+                        # Re-verify file hasn't changed before fallback write (TOCTOU protection)
+                        f.seek(0)
+                        current_content = f.read()
+                        if current_content != content:
+                            output = FileEditToolOutput(
+                                file_path=input_data.file_path,
+                                replacements_made=0,
+                                success=False,
+                                message="File was modified during atomic write fallback. Please retry.",
+                            )
+                            yield ToolResult(
+                                data=output,
+                                result_for_assistant=self.render_result_for_assistant(output),
+                            )
+                            return
+                        f.seek(0)
+                        f.truncate()
+                        f.write(new_content)
+                        logger.debug(
+                            "[file_edit_tool] Atomic write failed, used fallback: %s",
+                            atomic_error,
+                        )
+
+            # Record the new snapshot after successful edit
             try:
                 record_snapshot(
                     abs_file_path,
                     new_content,
                     getattr(context, "file_state_cache", {}),
+                    encoding=write_encoding,
                 )
             except (OSError, IOError, RuntimeError) as exc:
                 logger.warning(