vibecore 0.3.1__py3-none-any.whl → 0.4.0__py3-none-any.whl

vibecore/context.py

@@ -1,4 +1,5 @@
 from dataclasses import dataclass, field
+from pathlib import Path
 from typing import TYPE_CHECKING, Optional
 
 from vibecore.tools.python.manager import PythonExecutionManager
@@ -7,6 +8,7 @@ from vibecore.tools.todo.manager import TodoManager
 if TYPE_CHECKING:
     from vibecore.main import VibecoreApp
     from vibecore.mcp import MCPManager
+    from vibecore.tools.path_validator import PathValidator
 
 
 @dataclass
@@ -17,8 +19,43 @@ class VibecoreContext:
     context_fullness: float = 0.0
     mcp_manager: Optional["MCPManager"] = None
 
+    # Path confinement configuration
+    allowed_directories: list[Path] = field(default_factory=list)
+    path_validator: "PathValidator" = field(init=False)  # Always initialized, never None
+
+    def __post_init__(self):
+        """Initialize path validator with allowed directories."""
+        from vibecore.tools.path_validator import PathValidator
+
+        if not self.allowed_directories:
+            # Load from settings if not explicitly provided
+            from vibecore.settings import settings
+
+            if settings.path_confinement.enabled:
+                self.allowed_directories = settings.path_confinement.allowed_directories
+                # Add home directory if configured
+                if settings.path_confinement.allow_home:
+                    self.allowed_directories.append(Path.home())
+                # Add temp directories if configured
+                if settings.path_confinement.allow_temp:
+                    import tempfile
+
+                    temp_dir = Path(tempfile.gettempdir())
+                    if temp_dir not in self.allowed_directories:
+                        self.allowed_directories.append(temp_dir)
+            else:
+                # If path confinement is disabled, allow CWD only (but validator won't be used)
+                self.allowed_directories = [Path.cwd()]
+
+        self.path_validator = PathValidator(self.allowed_directories)
+
     def reset_state(self) -> None:
         """Reset all context state for a new session."""
         self.todo_manager = TodoManager()
         self.python_manager = PythonExecutionManager()
         self.context_fullness = 0.0
+        # Preserve allowed_directories across resets
+        # Re-initialize validator in case directories changed
+        from vibecore.tools.path_validator import PathValidator
+
+        self.path_validator = PathValidator(self.allowed_directories)

vibecore/settings.py

@@ -39,6 +39,48 @@ class SessionSettings(BaseModel):
     )
 
 
+class PathConfinementSettings(BaseModel):
+    """Configuration for path confinement."""
+
+    enabled: bool = Field(
+        default=True,
+        description="Enable path confinement for file and shell tools",
+    )
+
+    allowed_directories: list[Path] = Field(
+        default_factory=lambda: [Path.cwd()],
+        description="List of directories that tools can access",
+    )
+
+    allow_home: bool = Field(
+        default=False,
+        description="Allow access to user's home directory",
+    )
+
+    allow_temp: bool = Field(
+        default=True,
+        description="Allow access to system temp directories",
+    )
+
+    strict_mode: bool = Field(
+        default=False,
+        description="Strict mode prevents any path traversal attempts",
+    )
+
+    @field_validator("allowed_directories", mode="before")
+    @classmethod
+    def resolve_paths(cls, v: list[str | Path]) -> list[Path]:
+        """Resolve and validate directory paths."""
+        paths = []
+        for p in v:
+            path = Path(p).expanduser().resolve()
+            if not path.exists():
+                # Create directory if it doesn't exist
+                path.mkdir(parents=True, exist_ok=True)
+            paths.append(path)
+        return paths
+
+
 class MCPServerConfig(BaseModel):
     """Configuration for an MCP server."""
 
@@ -155,6 +197,12 @@ class Settings(BaseSettings):
         description="List of MCP servers to connect to",
     )
 
+    # Path confinement configuration
+    path_confinement: PathConfinementSettings = Field(
+        default_factory=PathConfinementSettings,
+        description="Path confinement configuration",
+    )
+
     rich_tool_names: list[str] = Field(
         default_factory=list,
         description="List of tools to render with RichToolMessage (temporary settings)",
@@ -207,7 +255,6 @@ class Settings(BaseSettings):
         return (
             init_settings,
             env_settings,
-            dotenv_settings,
             YamlConfigSettingsSource(settings_cls),
             file_secret_settings,
         )

vibecore/tools/file/executor.py

@@ -2,13 +2,22 @@
 
 from typing import Any
 
-from .utils import PathValidationError, format_line_with_number, validate_file_path
+from agents import RunContextWrapper
 
+from vibecore.context import VibecoreContext
+from vibecore.settings import settings
+from vibecore.tools.file.utils import PathValidationError
 
-async def read_file(file_path: str, offset: int | None = None, limit: int | None = None) -> str:
+from .utils import format_line_with_number
+
+
+async def read_file(
+    ctx: RunContextWrapper[VibecoreContext], file_path: str, offset: int | None = None, limit: int | None = None
+) -> str:
     """Read a file and return its contents in cat -n format.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         file_path: The path to the file to read
         offset: The line number to start reading from (1-based)
         limit: The maximum number of lines to read
@@ -17,8 +26,14 @@ async def read_file(file_path: str, offset: int | None = None, limit: int | None
         The file contents with line numbers, or an error message
     """
     try:
-        # Validate the file path
-        validated_path = validate_file_path(file_path)
+        # Validate the file path using context if path confinement is enabled
+        if settings.path_confinement.enabled:
+            validated_path = ctx.context.path_validator.validate_path(file_path, operation="read")
+        else:
+            # Fall back to simple validation against CWD
+            from .utils import validate_file_path
+
+            validated_path = validate_file_path(file_path)
 
         # Check if file exists
         if not validated_path.exists():
@@ -84,10 +99,13 @@ async def read_file(file_path: str, offset: int | None = None, limit: int | None
         return f"Error: Unexpected error reading file: {e}"
 
 
-async def edit_file(file_path: str, old_string: str, new_string: str, replace_all: bool = False) -> str:
+async def edit_file(
+    ctx: RunContextWrapper[VibecoreContext], file_path: str, old_string: str, new_string: str, replace_all: bool = False
+) -> str:
     """Edit a file by replacing strings.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         file_path: The path to the file to edit
         old_string: The text to replace
         new_string: The text to replace it with
@@ -97,8 +115,14 @@ async def edit_file(file_path: str, old_string: str, new_string: str, replace_al
         Success message or error message
     """
     try:
-        # Validate the file path
-        validated_path = validate_file_path(file_path)
+        # Validate the file path using context if path confinement is enabled
+        if settings.path_confinement.enabled:
+            validated_path = ctx.context.path_validator.validate_path(file_path, operation="edit")
+        else:
+            # Fall back to simple validation against CWD
+            from .utils import validate_file_path
+
+            validated_path = validate_file_path(file_path)
 
         # Check if file exists
         if not validated_path.exists():
@@ -158,10 +182,11 @@ async def edit_file(file_path: str, old_string: str, new_string: str, replace_al
         return f"Error: Unexpected error editing file: {e}"
 
 
-async def multi_edit_file(file_path: str, edits: list[dict[str, Any]]) -> str:
+async def multi_edit_file(ctx: RunContextWrapper[VibecoreContext], file_path: str, edits: list[dict[str, Any]]) -> str:
     """Edit a file by applying multiple replacements sequentially.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         file_path: The path to the file to edit
         edits: List of edit operations, each containing old_string, new_string, and optional replace_all
 
@@ -169,8 +194,14 @@ async def multi_edit_file(file_path: str, edits: list[dict[str, Any]]) -> str:
         Success message or error message
     """
     try:
-        # Validate the file path
-        validated_path = validate_file_path(file_path)
+        # Validate the file path using context if path confinement is enabled
+        if settings.path_confinement.enabled:
+            validated_path = ctx.context.path_validator.validate_path(file_path, operation="multi_edit")
+        else:
+            # Fall back to simple validation against CWD
+            from .utils import validate_file_path
+
+            validated_path = validate_file_path(file_path)
 
         # Check if file exists
         if not validated_path.exists():
@@ -239,10 +270,11 @@ async def multi_edit_file(file_path: str, edits: list[dict[str, Any]]) -> str:
         return f"Error: Unexpected error editing file: {e}"
 
 
-async def write_file(file_path: str, content: str) -> str:
+async def write_file(ctx: RunContextWrapper[VibecoreContext], file_path: str, content: str) -> str:
     """Write content to a file.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         file_path: The path to the file to write
         content: The content to write to the file
 
@@ -250,8 +282,14 @@ async def write_file(file_path: str, content: str) -> str:
         Success message or error message
     """
     try:
-        # Validate the file path
-        validated_path = validate_file_path(file_path)
+        # Validate the file path using context if path confinement is enabled
+        if settings.path_confinement.enabled:
+            validated_path = ctx.context.path_validator.validate_path(file_path, operation="write")
+        else:
+            # Fall back to simple validation against CWD
+            from .utils import validate_file_path
+
+            validated_path = validate_file_path(file_path)
 
         # Check if it's a directory
         if validated_path.exists() and validated_path.is_dir():

vibecore/tools/file/tools.py

@@ -49,7 +49,7 @@ async def read(
     Returns:
         The file contents with line numbers in cat -n format, or an error message
     """
-    return await read_file(file_path, offset, limit)
+    return await read_file(ctx, file_path, offset, limit)
 
 
 @function_tool
@@ -86,7 +86,7 @@ async def edit(
     Returns:
         Success message or error message
     """
-    return await edit_file(file_path, old_string, new_string, replace_all)
+    return await edit_file(ctx, file_path, old_string, new_string, replace_all)
 
 
 @function_tool
@@ -153,7 +153,7 @@ async def multi_edit(
     """
     # Convert EditOperation objects to dictionaries
     edit_dicts = [edit.model_dump() for edit in edits]
-    return await multi_edit_file(file_path, edit_dicts)
+    return await multi_edit_file(ctx, file_path, edit_dicts)
 
 
 @function_tool
@@ -181,4 +181,4 @@ async def write(
     Returns:
         Success message or error message
     """
-    return await write_file(file_path, content)
+    return await write_file(ctx, file_path, content)

vibecore/tools/path_validator.py

@@ -0,0 +1,251 @@
+"""Path validation module for vibecore tools.
+
+This module provides path validation functionality to confine file and shell
+operations to a configurable list of allowed directories.
+"""
+
+import shlex
+from contextlib import suppress
+from pathlib import Path
+
+from textual import log
+
+from vibecore.tools.file.utils import PathValidationError
+
+
+class PathValidator:
+    """Validates paths against a list of allowed directories."""
+
+    def __init__(self, allowed_directories: list[Path]):
+        """Initialize with list of allowed directories.
+
+        Args:
+            allowed_directories: List of directories to allow access to.
+                               Defaults to [CWD] if empty.
+        """
+        self.allowed_directories = (
+            [d.resolve() for d in allowed_directories] if allowed_directories else [Path.cwd().resolve()]
+        )
+
+    def validate_path(self, path: str | Path, operation: str = "access") -> Path:
+        """Validate a path against allowed directories.
+
+        Args:
+            path: The path to validate
+            operation: Description of the operation (for error messages)
+
+        Returns:
+            The validated absolute Path object
+
+        Raises:
+            PathValidationError: If path is outside allowed directories
+        """
+        # Convert to Path object
+        path_obj = Path(path) if isinstance(path, str) else path
+
+        # Resolve to absolute path (follows symlinks)
+        try:
+            absolute_path = path_obj.resolve()
+        except (OSError, RuntimeError) as e:
+            # Handle cases where path resolution fails
+            raise PathValidationError(f"Cannot resolve path '{path}': {e}") from e
+
+        # Check if path is under any allowed directory
+        if not self.is_path_allowed(absolute_path):
+            allowed_dirs_str = ", ".join(f"'{d}'" for d in self.allowed_directories)
+            raise PathValidationError(
+                f"Path '{absolute_path}' is outside the allowed directories. "
+                f"Access is restricted to {allowed_dirs_str} and their subdirectories."
+            )
+
+        return absolute_path
+
+    def validate_command_paths(self, command: str) -> None:
+        """Validate paths referenced in a shell command.
+
+        Args:
+            command: The shell command to validate
+
+        Raises:
+            PathValidationError: If command references paths outside allowed directories
+        """
+        # Parse the command to extract potential file paths
+        try:
+            # First, replace shell operators with spaces around them to ensure proper splitting
+            # This handles cases like "cd /path;ls" which shlex doesn't split properly
+            for op in [";", "&&", "||", "|", "&"]:
+                command = command.replace(op, f" {op} ")
+
+            # Use shlex to properly parse the command
+            tokens = shlex.split(command)
+        except ValueError as e:
+            # If shlex fails, the command might be malformed
+            raise PathValidationError(f"Cannot parse command: {e}") from e
+
+        # Commands that take path arguments
+        path_commands = {
+            "cat",
+            "ls",
+            "cd",
+            "cp",
+            "mv",
+            "rm",
+            "mkdir",
+            "rmdir",
+            "touch",
+            "chmod",
+            "chown",
+            "head",
+            "tail",
+            "less",
+            "more",
+            "grep",
+            "find",
+            "sed",
+            "awk",
+            "wc",
+            "du",
+            "df",
+            "tar",
+            "zip",
+            "unzip",
+            "vim",
+            "vi",
+            "nano",
+            "emacs",
+            "code",
+            "open",
+        }
+
+        # Check each token that might be a path
+        current_command = None
+        piped_command = False  # Track if command comes after a pipe
+        for i, token in enumerate(tokens):
+            # Skip shell operators
+            if token in ["&&", "||", ";", "|", "&", ">", ">>", "<", "2>", "&>"]:
+                if token == "|":
+                    piped_command = True
+                elif token in ["&&", "||", ";"]:
+                    piped_command = False
+                continue
+
+            # Skip flags and options
+            if token.startswith("-"):
+                continue
+
+            # Check if this is a command
+            if i == 0 or tokens[i - 1] in ["&&", "||", ";", "|"]:
+                current_command = token.split("/")[-1]  # Get base command name
+                # Don't validate grep/awk/sed arguments after pipes - they're patterns not paths
+                if piped_command and current_command in ["grep", "awk", "sed", "sort", "uniq", "wc"]:
+                    current_command = None
+                if tokens[i - 1] in ["&&", "||", ";"]:
+                    piped_command = False
+                continue
+
+            # Check for redirections
+            if i > 0 and tokens[i - 1] in [">", ">>", "<", "2>", "&>"]:
+                # This is a file path for redirection
+                self._validate_path_token(token, f"redirect to/from '{token}'")
+                continue
+
+            # Check if current command takes path arguments
+            if current_command in path_commands:
+                # Skip if it looks like an option value
+                if i > 0 and tokens[i - 1].startswith("-"):
+                    continue
+                # This might be a path argument
+                self._validate_path_token(token, f"access '{token}'")
+
+            # Check for paths in other contexts (if they look like paths)
+            elif "/" in token or token in [".", "..", "~"]:
+                # This looks like a path, validate it
+                with suppress(PathValidationError):
+                    # It might not be a path, just a string with slash
+                    # We'll be lenient here if it fails
+                    self._validate_path_token(token, f"access '{token}'")
+
+    def _validate_path_token(self, token: str, operation: str) -> None:
+        """Validate a single path token from a command.
+
+        Args:
+            token: The token that might be a path
+            operation: Description of the operation
+
+        Raises:
+            PathValidationError: If the path is not allowed
+        """
+        # Expand user home directory
+        if token.startswith("~"):
+            token = str(Path(token).expanduser())
+
+        # Skip URLs and remote paths
+        if (
+            token.startswith("http://")
+            or token.startswith("https://")
+            or token.startswith("ftp://")
+            or token.startswith("ssh://")
+            or token.startswith("git@")
+            or ":" in token.split("/")[0]
+        ):  # user@host:path
+            return
+
+        # Try to validate as a path
+        try:
+            path = Path(token)
+            # If it's a relative path, resolve it from CWD
+            if not path.is_absolute():
+                path = Path.cwd() / path
+            self.validate_path(path, operation)
+        except (ValueError, OSError):
+            # Not a valid path, skip validation
+            pass
+
+    def is_path_allowed(self, path: Path) -> bool:
+        """Check if a path is within allowed directories.
+
+        Args:
+            path: The path to check (should be absolute)
+
+        Returns:
+            True if path is allowed, False otherwise
+        """
+        # Ensure path is absolute
+        path = path.resolve()
+        log(f"Validating path: {path}")
+
+        # Check if path is under any allowed directory
+        for allowed_dir in self.allowed_directories:
+            try:
+                # Check if path is relative to allowed_dir
+                path.relative_to(allowed_dir)
+                return True
+            except ValueError:
+                # path is not relative to this allowed_dir
+                continue
+
+        return False
+
+    def _is_parent_of(self, parent: Path, child: Path) -> bool:
+        """Check if parent is a parent directory of child.
+
+        Args:
+            parent: Potential parent path
+            child: Potential child path
+
+        Returns:
+            True if parent is a parent of child
+        """
+        try:
+            child.relative_to(parent)
+            return True
+        except ValueError:
+            return False
+
+    def get_allowed_directories(self) -> list[Path]:
+        """Get the list of allowed directories.
+
+        Returns:
+            List of allowed directory paths
+        """
+        return self.allowed_directories.copy()

vibecore/tools/shell/executor.py

@@ -6,13 +6,20 @@ import re
 import subprocess
 from pathlib import Path
 
+from agents import RunContextWrapper
+
+from vibecore.context import VibecoreContext
+from vibecore.settings import settings
 from vibecore.tools.file.utils import PathValidationError, validate_file_path
 
 
-async def bash_executor(command: str, timeout: int | None = None) -> tuple[str, int]:
+async def bash_executor(
+    ctx: RunContextWrapper[VibecoreContext], command: str, timeout: int | None = None
+) -> tuple[str, int]:
     """Execute a bash command asynchronously.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         command: The bash command to execute
         timeout: Optional timeout in milliseconds (max 600000)
 
@@ -32,6 +39,13 @@ async def bash_executor(command: str, timeout: int | None = None) -> tuple[str,
     # Convert timeout to seconds
     timeout_seconds = timeout / 1000.0
 
+    # Validate command paths if path confinement is enabled
+    if settings.path_confinement.enabled:
+        try:
+            ctx.context.path_validator.validate_command_paths(command)
+        except PathValidationError as e:
+            return f"Error: {e}", 1
+
     process = None
     try:
         # Create subprocess
@@ -66,10 +80,11 @@ async def bash_executor(command: str, timeout: int | None = None) -> tuple[str,
         return f"Error executing command: {e}", 1
 
 
-async def glob_files(pattern: str, path: str | None = None) -> list[str]:
+async def glob_files(ctx: RunContextWrapper[VibecoreContext], pattern: str, path: str | None = None) -> list[str]:
     """Find files matching a glob pattern.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         pattern: The glob pattern to match
         path: Optional directory to search in (defaults to CWD)
 
@@ -78,7 +93,23 @@ async def glob_files(pattern: str, path: str | None = None) -> list[str]:
     """
     try:
         # Validate and resolve the path
-        search_path = Path.cwd() if path is None else validate_file_path(path)
+        if path is None:
+            search_path = Path.cwd()
+            # Validate CWD is in allowed directories if path confinement is enabled
+            if settings.path_confinement.enabled:
+                try:
+                    ctx.context.path_validator.validate_path(search_path, operation="glob")
+                except PathValidationError as e:
+                    return [f"Error: {e}"]
+        else:
+            # Validate the provided path
+            if settings.path_confinement.enabled:
+                try:
+                    search_path = ctx.context.path_validator.validate_path(path, operation="glob")
+                except PathValidationError as e:
+                    return [f"Error: {e}"]
+            else:
+                search_path = validate_file_path(path)
 
         # Validate path is a directory
         if not search_path.is_dir():
@@ -110,10 +141,13 @@ async def glob_files(pattern: str, path: str | None = None) -> list[str]:
         return [f"Error: {e}"]
 
 
-async def grep_files(pattern: str, path: str | None = None, include: str | None = None) -> list[str]:
+async def grep_files(
+    ctx: RunContextWrapper[VibecoreContext], pattern: str, path: str | None = None, include: str | None = None
+) -> list[str]:
     """Search file contents using regular expressions.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         pattern: The regex pattern to search for
         path: Directory to search in (defaults to CWD)
         include: File pattern to include (e.g. "*.js")
@@ -123,7 +157,23 @@ async def grep_files(pattern: str, path: str | None = None, include: str | None
     """
     try:
         # Validate and resolve the path
-        search_path = Path.cwd() if path is None else validate_file_path(path)
+        if path is None:
+            search_path = Path.cwd()
+            # Validate CWD is in allowed directories if path confinement is enabled
+            if settings.path_confinement.enabled:
+                try:
+                    ctx.context.path_validator.validate_path(search_path, operation="grep")
+                except PathValidationError as e:
+                    return [f"Error: {e}"]
+        else:
+            # Validate the provided path
+            if settings.path_confinement.enabled:
+                try:
+                    search_path = ctx.context.path_validator.validate_path(path, operation="grep")
+                except PathValidationError as e:
+                    return [f"Error: {e}"]
+            else:
+                search_path = validate_file_path(path)
 
         # Validate path is a directory
         if not search_path.is_dir():
@@ -175,10 +225,13 @@ async def grep_files(pattern: str, path: str | None = None, include: str | None
         return [f"Error: {e}"]
 
 
-async def list_directory(path: str, ignore: list[str] | None = None) -> list[str]:
+async def list_directory(
+    ctx: RunContextWrapper[VibecoreContext], path: str, ignore: list[str] | None = None
+) -> list[str]:
     """List files and directories in a given path.
 
     Args:
+        ctx: The context wrapper containing the VibecoreContext
         path: The absolute path to list
         ignore: Optional list of glob patterns to ignore
 
@@ -187,7 +240,10 @@ async def list_directory(path: str, ignore: list[str] | None = None) -> list[str
     """
     try:
         # Validate and resolve the path
-        dir_path = validate_file_path(path)
+        if settings.path_confinement.enabled:
+            dir_path = ctx.context.path_validator.validate_path(path, operation="list")
+        else:
+            dir_path = validate_file_path(path)
 
         # Validate path is a directory
         if not dir_path.is_dir():

vibecore/tools/shell/tools.py

@@ -58,7 +58,7 @@ async def bash(
     Returns:
         The command output or error message
     """
-    output, exit_code = await bash_executor(command, timeout)
+    output, exit_code = await bash_executor(ctx, command, timeout)
     if exit_code != 0:
         return f"{output}\nExit code: {exit_code}"
     return output
@@ -90,7 +90,7 @@ async def glob(
     Returns:
         List of matching file paths, one per line
     """
-    files = await glob_files(pattern, path)
+    files = await glob_files(ctx, pattern, path)
     if files and files[0].startswith("Error:"):
         return files[0]
     return "\n".join(files) if files else "No files found matching pattern"
@@ -124,7 +124,7 @@ async def grep(
     Returns:
         List of file paths containing matches, one per line
     """
-    files = await grep_files(pattern, path, include)
+    files = await grep_files(ctx, pattern, path, include)
     if files and files[0].startswith("Error:"):
         return files[0]
     return "\n".join(files) if files else "No files found containing pattern"
@@ -150,7 +150,7 @@ async def ls(
     Returns:
         List of entries in the directory, one per line
     """
-    entries = await list_directory(path, ignore)
+    entries = await list_directory(ctx, path, ignore)
     if entries and entries[0].startswith("Error:"):
         return entries[0]
     return "\n".join(entries) if entries else "Empty directory"

vibecore/widgets/messages.py

@@ -1,10 +1,11 @@
 from enum import StrEnum
 
 from textual.app import ComposeResult
+from textual.containers import Horizontal
 from textual.content import Content
 from textual.reactive import reactive
 from textual.widget import Widget
-from textual.widgets import Markdown, Static
+from textual.widgets import Button, Markdown, Static
 
 
 class MessageStatus(StrEnum):
@@ -167,6 +168,19 @@ class AgentMessage(BaseMessage):
         """Get parameters for MessageHeader."""
         return ("⏺", self.text, True)
 
+    def compose(self) -> ComposeResult:
+        """Create child widgets for the agent message."""
+        prefix, text, use_markdown = self.get_header_params()
+        with Horizontal(classes="agent-message-header"):
+            yield MessageHeader(prefix, text, status=self.status, use_markdown=use_markdown)
+            yield Button("Copy", classes="copy-button", variant="primary")
+
+    def on_button_pressed(self, event: Button.Pressed) -> None:
+        """Handle button press events."""
+        if event.button.has_class("copy-button"):
+            # Copy the markdown text to clipboard
+            self.app.copy_to_clipboard(self.text)
+
     def update(self, text: str, status: MessageStatus | None = None) -> None:
         """Update the text of the agent message."""
         self.text = text

vibecore/widgets/messages.tcss

@@ -62,6 +62,34 @@ UserMessage {
 
 AgentMessage {
     color: $text;
+
+    Horizontal.agent-message-header {
+        height: auto;
+        width: 1fr;
+        layers: main button;
+
+        .copy-button {
+            layer: button;
+            dock: right;
+            height: 1;
+            width: 8;
+            min-width: 8;
+            margin: 0;
+            padding: 0;
+            background: $secondary;
+            color: $text;
+            border: none;
+            
+            &:hover {
+                background: $secondary-lighten-1;
+            }
+            
+            &:focus {
+                background: $secondary-lighten-1;
+                text-style: bold;
+            }
+        }
+    }
 }
 
 SystemMessage {

{vibecore-0.3.1.dist-info → vibecore-0.4.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: vibecore
-Version: 0.3.1
+Version: 0.4.0
 Summary: Build your own AI-powered automation tools in the terminal with this extensible agent framework
 Project-URL: Homepage, https://github.com/serialx/vibecore
 Project-URL: Repository, https://github.com/serialx/vibecore
@@ -414,6 +414,38 @@ uv run ruff check . && uv run ruff format --check . && uv run pyright . && uv ru
 
 ## Configuration
 
+### Path Confinement (Security)
+
+vibecore includes a path confinement system that restricts file and shell operations to specified directories for enhanced security. This prevents agents from accessing sensitive system files or directories outside your project.
+
+#### Configuration Options
+
+```yaml
+# config.yaml
+path_confinement:
+  enabled: true                    # Enable/disable path confinement (default: true)
+  allowed_directories:              # List of allowed directories (default: [current working directory])
+    - /home/user/projects
+    - /tmp
+  allow_home: false                # Allow access to user's home directory (default: false)
+  allow_temp: true                 # Allow access to system temp directory (default: true)
+  strict_mode: false               # Strict validation mode (default: false)
+```
+
+Or via environment variables:
+```bash
+export VIBECORE_PATH_CONFINEMENT__ENABLED=true
+export VIBECORE_PATH_CONFINEMENT__ALLOWED_DIRECTORIES='["/home/user/projects", "/tmp"]'
+export VIBECORE_PATH_CONFINEMENT__ALLOW_HOME=false
+export VIBECORE_PATH_CONFINEMENT__ALLOW_TEMP=true
+```
+
+When enabled, the path confinement system:
+- Validates all file read/write/edit operations
+- Checks paths in shell commands before execution
+- Resolves symlinks to prevent escapes
+- Blocks access to files outside allowed directories
+
 ### Reasoning Effort
 
 - Set default via env var: `VIBECORE_REASONING_EFFORT` (minimal | low | medium | high)
@@ -475,6 +507,7 @@ vibecore is built with a modular, extensible architecture:
 
 ## Recent Updates
 
+- **Path Confinement**: New security feature to restrict file and shell operations to specified directories
 - **Reasoning View**: New ReasoningMessage widget with live reasoning summaries during streaming
 - **Context Usage Bar & CWD**: Footer shows token usage progress and current working directory
 - **Keyboard & Commands**: Ctrl+Shift+D toggles theme, Esc cancels, Ctrl+D double-press to exit, `/help` and `/clear` commands
@@ -487,7 +520,7 @@ vibecore is built with a modular, extensible architecture:
 - [x] More custom tool views (Python, Read, Todo widgets)
 - [x] Automation (vibecore -p "prompt")
 - [x] MCP (Model Context Protocol) support
-- [ ] Permission model
+- [x] Path confinement for security
 - [ ] Multi-agent system (agent-as-tools)
 - [ ] Plugin system for custom tools
 - [ ] Automated workflow

{vibecore-0.3.1.dist-info → vibecore-0.4.0.dist-info}/RECORD

@@ -1,11 +1,11 @@
 vibecore/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vibecore/cli.py,sha256=HU2cjvEDzMWlauoArUItBlTpsVAdgVuKFMLshtaqvUE,7119
-vibecore/context.py,sha256=JUVkZpmKGUSlcchrHpxu-oSO8D21GDgHT1BXDzZDTeQ,844
+vibecore/context.py,sha256=SZdWOOBKOPBRVC66Y3NohkWdxR5dbAycCHynuqhmEFo,2577
 vibecore/flow.py,sha256=ZaKzMsz4YBvgelVzJOIHnTJzMWTmvkfvudwW_hllq6U,3384
 vibecore/main.py,sha256=MIn7Mpg_xO_20c6Mju8PgY-MmVCTER9cepHd5YFbtYs,20175
 vibecore/main.tcss,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vibecore/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-vibecore/settings.py,sha256=PwivzoJ-xyJu-Mmnv4E6G_E8up4GNvvz9_j4ttj-GUw,7063
+vibecore/settings.py,sha256=0hugs44VOKB47ysmkJ1BqZnfR8-Lvm_8OmEt3VTUjak,8471
 vibecore/agents/default.py,sha256=wxeP3Hsq9MVBChyMF_sNkVHCtFFXgy5ghDIxy9eH_fQ,2287
 vibecore/agents/prompts.py,sha256=0oO9QzcytIbzgZcKJQjWD9fSRNQqBqqK5ku0fcYZZrA,324
 vibecore/agents/task.py,sha256=cdhZDzKDA8eHHNYPhogFIKBms3oVAMvYeiBB2GqYNuE,1898
@@ -34,9 +34,10 @@ vibecore/session/loader.py,sha256=vmDwzjtedFEeWhaFa6HbygjL32-bSNXM6KccQC9hyJs,68
 vibecore/session/path_utils.py,sha256=_meng4PnOR59ekPWp_WICkt8yVkokt8c6oePZvk3m-4,2544
 vibecore/tools/__init__.py,sha256=nppfKiflvkQRUotBrj9nFU0veWex1DE_YX1fg67SRlw,37
 vibecore/tools/base.py,sha256=POI1bM89qDWlQ5VfcdUFoIg_Tv5Rlrd6sQTRLj-4YmQ,658
+vibecore/tools/path_validator.py,sha256=3Dob33-A6aNy92UeFAEEQME10V_P4N6ZODf7o5H6fYU,8566
 vibecore/tools/file/__init__.py,sha256=EhdebEC6JTaiROkpItoJWK2lGEq2B5ReNL_IRqxZX5w,147
-vibecore/tools/file/executor.py,sha256=xCHaER8_WVRGSLtfSiYF8M5CNkgB26VaeUbesyD2nuU,10236
-vibecore/tools/file/tools.py,sha256=CUl9c78WioC3hkw9GD7vSR-YGJBjVnWpHaPTMdKoo5k,8325
+vibecore/tools/file/executor.py,sha256=KRwXZD_n2ypQ8m7kAz06WFgboIW8lJonOBZ_z-fZFo4,12079
+vibecore/tools/file/tools.py,sha256=qkR_IxYHaNfjWkLjiA3Y5Uvq6jXycZWvlMAYWE_cCkM,8345
 vibecore/tools/file/utils.py,sha256=0Gef8HZgq520pqYgsF8n4cL9FNtzA7nYEr8bBCZVnro,2356
 vibecore/tools/python/__init__.py,sha256=bqSKgP2pY3bArCmQxOsWFflfmASq3SybOlrmZiz9y4s,35
 vibecore/tools/python/helpers.py,sha256=y-qwCQ4aRMVUZU6F9OpjgrbzsIGn8i16idXEWR5MBNU,2918
@@ -45,8 +46,8 @@ vibecore/tools/python/tools.py,sha256=OBz9csUUk90Pq3QwHEkz49NcJhgK-3MhaCeCd-mGPO
 vibecore/tools/python/backends/__init__.py,sha256=RTfU7AzlVyDSaldfVNdKAgv4759RQAl07-UFGqc70Oo,50
 vibecore/tools/python/backends/terminal_backend.py,sha256=3PA4haJN-dyIvnudx6qfx58ThjaeT7DULnCvhacADbw,1908
 vibecore/tools/shell/__init__.py,sha256=Ias6qmBMDK29q528VtUGtCQeYD4RU_Yx73SIAJrB8No,133
-vibecore/tools/shell/executor.py,sha256=yXUkbPqLc3anlsLUB_g4yEu1A_QpzfzwsoMAqx-gplA,6933
-vibecore/tools/shell/tools.py,sha256=hpftFrv4JWn7mbYLJwpCPLROTFyj-RiAOg1hyecV0bE,6829
+vibecore/tools/shell/executor.py,sha256=9bEXHU83fXo5zCIS0ZcOeF6ZabCcE4zaNqVGLHJnPKk,9333
+vibecore/tools/shell/tools.py,sha256=EgbNP5d-MaGfy_UM451GHDLsYUJsSvspQUCvpKzbu9s,6849
 vibecore/tools/task/__init__.py,sha256=Fyw33zGiBArMnPuRMm7qwSYE6ZRPCZVbHK6eIUJDiJY,112
 vibecore/tools/task/executor.py,sha256=gRIdq0f2gjDKxnWH-b5Rbmk1H2garIs56EDYFVKfUiw,1606
 vibecore/tools/task/tools.py,sha256=m6MBOQC3Pz07TZgd3lVAHPGQu9M-Ted-YOxQvIPrGvo,2257
@@ -73,13 +74,13 @@ vibecore/widgets/expandable.py,sha256=GIcXXzVGr4BdyATphUrHZqB30DF_WgeyrccjEIf7FW
 vibecore/widgets/expandable.tcss,sha256=zmm5zDDabvXiePwwsuSGLPkxHUYunEjmwkp5XrTjxSw,1343
 vibecore/widgets/info.py,sha256=hXtsRUOE13oHbIm9FNe1GCUX_FCht28pgT9SQWeJ69I,1567
 vibecore/widgets/info.tcss,sha256=v30IqNt1two-ezIcm18ZEInKRKcRkAW-h-UH2r8QzSo,201
-vibecore/widgets/messages.py,sha256=az4fJtdk3ItSoFZBG_adRDUHdTLttIV8F23E8LOb-mg,8156
-vibecore/widgets/messages.tcss,sha256=WtBbjf5LgFkUhzhVlxJB7NMbagWladJawDizvDm7hBE,1271
+vibecore/widgets/messages.py,sha256=2m821HLKH2K0Tigt0rN5hMH3uoIEJdoVguLvPJvD16o,8849
+vibecore/widgets/messages.tcss,sha256=Dhz6X1Fkj2XN9bVGVH_hBelDF7WXNE6hHMkGQRQy1QA,1911
 vibecore/widgets/tool_message_factory.py,sha256=yrZorT4HKo5b6rWUc0dgQle7q7cvLyq8JllE772RZS0,5730
 vibecore/widgets/tool_messages.py,sha256=hJOolN3iLTAjqfotfH1elXqsdDo1r_UHjsyRVH0GAeo,29415
 vibecore/widgets/tool_messages.tcss,sha256=gdChmHClURqn_sD9GkcOGQcQVYvUUl75mLUYp85sKz8,8442
-vibecore-0.3.1.dist-info/METADATA,sha256=wCQB7NKn35T0W3onSrpV1FNX13zHzO-VEn0WqU6ZIlw,18093
-vibecore-0.3.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-vibecore-0.3.1.dist-info/entry_points.txt,sha256=i9mOKvpz07ciV_YYisxNCYZ53_Crjkn9mciiQ3aA6QM,51
-vibecore-0.3.1.dist-info/licenses/LICENSE,sha256=KXxxifvrcreHrZ4aOYgP-vA8DRHHueW389KKOeEbtjc,1069
-vibecore-0.3.1.dist-info/RECORD,,
+vibecore-0.4.0.dist-info/METADATA,sha256=4MbnR28_1JwTXNKo5ldLZiBCIhRr8-2aCNPCZVbAfwo,19550
+vibecore-0.4.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+vibecore-0.4.0.dist-info/entry_points.txt,sha256=i9mOKvpz07ciV_YYisxNCYZ53_Crjkn9mciiQ3aA6QM,51
+vibecore-0.4.0.dist-info/licenses/LICENSE,sha256=KXxxifvrcreHrZ4aOYgP-vA8DRHHueW389KKOeEbtjc,1069
+vibecore-0.4.0.dist-info/RECORD,,