ai-agent 0.88.0

Idiomatic agent sdk inspired by the claude code source leak
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

// Source: /data/home/swei/claudecode/openclaudecode/src/memdir/teamMemPaths.ts
//! Team memory paths and validation
//!
//! Provides team memory path resolution with security checks for path traversal
//! and symlink attacks.

use crate::memdir::paths::{get_auto_mem_path, is_auto_memory_enabled};
use std::path::{Path, PathBuf};

/// Error thrown when a path validation detects a traversal or injection attempt.
#[derive(Debug, Clone)]
pub struct PathTraversalError {
    message: String,
}

impl std::fmt::Display for PathTraversalError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", self.message)
    }
}

impl std::error::Error for PathTraversalError {}

impl PathTraversalError {
    pub fn new(message: &str) -> Self {
        Self {
            message: message.to_string(),
        }
    }
}

/// Sanitize a file path key by rejecting dangerous patterns.
/// Checks for null bytes, URL-encoded traversals, and other injection vectors.
/// Returns the sanitized string or throws PathTraversalError.
fn sanitize_path_key(key: &str) -> Result<String, PathTraversalError> {
    // Null bytes can truncate paths in C-based syscalls
    if key.contains('\0') {
        return Err(PathTraversalError::new(&format!(
            "Null byte in path key: \"{}\"",
            key
        )));
    }

    // URL-encoded traversals (e.g. %2e%2e%2f = ../)
    // Simple check: decode percent-encoded sequences if possible
    let mut has_url_encoded_traversal = false;
    let key_lower = key.to_lowercase();
    // Check for common URL-encoded patterns
    if key_lower.contains("%2e%2e") || key_lower.contains("%2e/") || key_lower.contains("/%2e%2e") {
        has_url_encoded_traversal = true;
    }

    if has_url_encoded_traversal {
        return Err(PathTraversalError::new(&format!(
            "URL-encoded traversal in path key: \"{}\"",
            key
        )));
    }

    // Reject backslashes (Windows path separator used as traversal vector)
    if key.contains('\\') {
        return Err(PathTraversalError::new(&format!(
            "Backslash in path key: \"{}\"",
            key
        )));
    }

    // Reject absolute paths
    if key.starts_with('/') {
        return Err(PathTraversalError::new(&format!(
            "Absolute path key: \"{}\"",
            key
        )));
    }

    Ok(key.to_string())
}

/// Whether team memory features are enabled.
/// Team memory is a subdirectory of auto memory, so it requires auto memory
/// to be enabled. This keeps all team-memory consumers (prompt, content
/// injection, sync watcher, file detection) consistent when auto memory is
/// disabled via env var or settings.
pub fn is_team_memory_enabled() -> bool {
    if !is_auto_memory_enabled() {
        return false;
    }

    // TODO: integrate with growthbook feature flags
    // getFeatureValue_CACHED_MAY_BE_STALE('tengu_herring_clock', false)
    false
}

/// Returns the team memory path: <memoryBase>/projects/<sanitized-project-root>/memory/team/
/// Lives as a subdirectory of the auto-memory directory, scoped per-project.
pub fn get_team_mem_path() -> PathBuf {
    let auto_mem = get_auto_mem_path();
    let team_path = auto_mem.join("team");
    let path_str = team_path.to_string_lossy().to_string();

    // Ensure trailing separator and NFC normalization
    let sep = std::path::MAIN_SEPARATOR;
    if !path_str.ends_with(sep) {
        format!("{}{}", path_str, sep).into()
    } else {
        team_path
    }
}

/// Returns the team memory entrypoint: <memoryBase>/projects/<sanitized-project-root>/memory/team/MEMORY.md
/// Lives as a subdirectory of the auto-memory directory, scoped per-project.
pub fn get_team_mem_entypoint() -> PathBuf {
    get_team_mem_path().join("MEMORY.md")
}

/// Check if a resolved absolute path is within the team memory directory.
/// Uses path.resolve() to convert relative paths and eliminate traversal segments.
/// Does NOT resolve symlinks — for write validation use validate_team_mem_write_path()
/// or validate_team_mem_key() which include symlink resolution.
pub fn is_team_mem_path(file_path: &Path) -> bool {
    // SECURITY: resolve() converts to absolute and eliminates .. segments,
    // preventing path traversal attacks (e.g. "team/../../etc/passwd")
    let resolved_path = std::fs::canonicalize(file_path).unwrap_or_else(|_| {
        // If canonicalize fails, fall back to resolving manually
        if file_path.is_absolute() {
            file_path.to_path_buf()
        } else {
            std::env::current_dir()
                .map(|c| c.join(file_path))
                .unwrap_or_else(|_| file_path.to_path_buf())
        }
    });

    let team_dir = get_team_mem_path();
    let team_dir_str = team_dir.to_string_lossy();

    resolved_path.to_string_lossy().starts_with(&*team_dir_str)
}

/// Validate that an absolute file path is safe for writing to the team memory directory.
/// Returns the resolved absolute path if valid.
/// Throws PathTraversalError if the path contains injection vectors, escapes the
/// directory via .. segments, or escapes via a symlink.
pub fn validate_team_mem_write_path(file_path: &Path) -> Result<PathBuf, PathTraversalError> {
    let path_str = file_path.to_string_lossy();
    if path_str.contains('\0') {
        return Err(PathTraversalError::new(&format!(
            "Null byte in path: \"{}\"",
            file_path.display()
        )));
    }

    // First pass: normalize .. segments and check string-level containment.
    // This is a fast rejection for obvious traversal attempts before we touch
    // the filesystem.
    let resolved_path = std::fs::canonicalize(file_path).unwrap_or_else(|_| {
        if file_path.is_absolute() {
            file_path.to_path_buf()
        } else {
            std::env::current_dir()
                .map(|c| c.join(file_path))
                .unwrap_or_else(|_| file_path.to_path_buf())
        }
    });

    let team_dir = get_team_mem_path();
    let team_dir_str = team_dir.to_string_lossy();

    // Prefix attack protection: teamDir already ends with sep (from getTeamMemPath),
    // so "team-evil/" won't match "team/"
    if !resolved_path.to_string_lossy().starts_with(&*team_dir_str) {
        return Err(PathTraversalError::new(&format!(
            "Path escapes team memory directory: \"{}\"",
            file_path.display()
        )));
    }

    // TODO: Second pass - resolve symlinks on the deepest existing ancestor
    // and verify the real path is still within the real team dir.

    Ok(resolved_path)
}

/// Validate a relative path key from the server against the team memory directory.
/// Sanitizes the key, joins with the team dir, resolves symlinks on the deepest
/// existing ancestor, and verifies containment against the real team dir.
/// Returns the resolved absolute path.
/// Throws PathTraversalError if the key is malicious.
pub fn validate_team_mem_key(relative_key: &str) -> Result<PathBuf, PathTraversalError> {
    sanitize_path_key(relative_key)?;

    let team_dir = get_team_mem_path();
    let full_path = team_dir.join(relative_key);

    // First pass: normalize .. segments and check string-level containment.
    let resolved_path = std::fs::canonicalize(&full_path).unwrap_or_else(|_| full_path.clone());

    let team_dir_str = team_dir.to_string_lossy();
    if !resolved_path.to_string_lossy().starts_with(&*team_dir_str) {
        return Err(PathTraversalError::new(&format!(
            "Key escapes team memory directory: \"{}\"",
            relative_key
        )));
    }

    // TODO: Second pass - resolve symlinks and verify real containment.

    Ok(resolved_path)
}

/// Check if a file path is within the team memory directory
/// and team memory is enabled.
pub fn is_team_mem_file(file_path: &Path) -> bool {
    is_team_memory_enabled() && is_team_mem_path(file_path)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_sanitize_path_key_valid() {
        assert!(sanitize_path_key("valid_name.md").is_ok());
        assert!(sanitize_path_key("subdir/test.md").is_ok());
    }

    #[test]
    fn test_sanitize_path_key_null_byte() {
        let result = sanitize_path_key("test\0.md");
        assert!(result.is_err());
    }

    #[test]
    fn test_sanitize_path_key_absolute() {
        let result = sanitize_path_key("/etc/passwd");
        assert!(result.is_err());
    }

    #[test]
    fn test_sanitize_path_key_backslash() {
        let result = sanitize_path_key("test\\md");
        assert!(result.is_err());
    }

    #[test]
    fn test_is_team_memory_enabled_when_auto_disabled() {
        // This test depends on environment, just verify the function runs
        let _ = is_team_memory_enabled();
    }
}