cersei-tools 0.1.9

Tool trait, built-in tools, and permission system for the Cersei SDK
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

//! Bash tool: execute shell commands with persistent shell state.
//!
//! Uses sentinel markers to capture pwd after each command execution,
//! persisting the working directory across calls.

use super::*;
use crate::tool_primitives::process::{self as pproc, ExecOptions, Shell};
use serde::Deserialize;

/// Parse stdout to separate user output from sentinel-captured state.
/// Returns (user_visible_output, Option<new_cwd>).
fn parse_sentinel_output(stdout: &str, sentinel: &str) -> (String, Option<String>) {
    if let Some(pos) = stdout.rfind(sentinel) {
        let user_output = stdout[..pos].trim_end_matches('\n').to_string();
        let state_section = &stdout[pos + sentinel.len()..];
        let new_cwd = state_section
            .trim()
            .lines()
            .next()
            .map(|s| s.trim().to_string());
        (user_output, new_cwd)
    } else {
        // Sentinel not found (command may have failed before reaching it)
        (stdout.to_string(), None)
    }
}

pub struct BashTool;

#[async_trait]
impl Tool for BashTool {
    fn name(&self) -> &str {
        "Bash"
    }

    fn description(&self) -> &str {
        "Execute a bash command and return its output. The working directory persists between commands."
    }

    fn permission_level(&self) -> PermissionLevel {
        PermissionLevel::Execute
    }
    fn category(&self) -> ToolCategory {
        ToolCategory::Shell
    }

    fn input_schema(&self) -> Value {
        serde_json::json!({
            "type": "object",
            "properties": {
                "command": {
                    "type": "string",
                    "description": "The bash command to execute"
                },
                "timeout": {
                    "type": "integer",
                    "description": "Optional timeout in milliseconds (max 600000)"
                }
            },
            "required": ["command"]
        })
    }

    async fn execute(&self, input: Value, ctx: &ToolContext) -> ToolResult {
        #[derive(Deserialize)]
        struct Input {
            command: String,
            timeout: Option<u64>,
        }

        let input: Input = match serde_json::from_value(input) {
            Ok(i) => i,
            Err(e) => return ToolResult::error(format!("Invalid input: {}", e)),
        };

        let shell_state = session_shell_state(&ctx.session_id);
        let (cwd, env_vars) = {
            let state = shell_state.lock();
            (
                state.cwd.clone().unwrap_or_else(|| ctx.working_dir.clone()),
                state.env_vars.clone(),
            )
        };

        let timeout_ms = input.timeout.unwrap_or(120_000).min(600_000);

        // Transparent sandbox routing: if a Sandbox handle is in the tool
        // context extensions, run the command inside it instead of on the host.
        #[cfg(feature = "vms")]
        if let Some(sandbox) =
            ctx.extensions.get::<std::sync::Arc<dyn cersei_vms::Sandbox>>()
        {
            let req = cersei_vms::RunRequest::new(input.command.clone())
                .timeout(std::time::Duration::from_millis(timeout_ms));
            return match sandbox.commands().run(req).await {
                Ok(out) => {
                    if out.timed_out {
                        return ToolResult::error(format!(
                            "Command timed out after {}ms (sandbox: {})",
                            timeout_ms,
                            sandbox.id()
                        ));
                    }
                    let mut content = out.stdout;
                    if !out.stderr.is_empty() {
                        if !content.is_empty() {
                            content.push('\n');
                        }
                        content.push_str(&out.stderr);
                    }
                    if out.exit_code == 0 {
                        if content.is_empty() {
                            ToolResult::success("(Bash completed with no output)")
                        } else {
                            ToolResult::success(content)
                        }
                    } else {
                        ToolResult::error(format!("Exit code {}\n{}", out.exit_code, content))
                    }
                }
                Err(e) => ToolResult::error(format!("Sandbox exec failed: {e}")),
            };
        }

        // Wrap command with sentinel-based state capture
        // After the user's command runs, we capture pwd to persist cwd
        const SENTINEL: &str = "__ABSTRACT_STATE_7f2a9b__";
        let wrapped_command = format!(
            "cd '{}' 2>/dev/null; {} ; __abstract_exit=$?; echo '{}'; pwd; exit $__abstract_exit",
            cwd.display(),
            input.command,
            SENTINEL,
        );

        let opts = ExecOptions {
            cwd: Some(ctx.working_dir.clone()), // base cwd, actual cd is in the script
            env: env_vars,
            timeout: Some(std::time::Duration::from_millis(timeout_ms)),
            shell: Shell::Sh,
        };

        match pproc::exec(&wrapped_command, opts).await {
            Ok(output) => {
                if output.timed_out {
                    return ToolResult::error(format!("Command timed out after {}ms", timeout_ms));
                }

                // Parse sentinel-based output to extract new cwd
                let (user_output, new_cwd) = parse_sentinel_output(&output.stdout, SENTINEL);

                // Persist new cwd
                if let Some(new_dir) = new_cwd {
                    let path = PathBuf::from(&new_dir);
                    if path.exists() {
                        shell_state.lock().cwd = Some(path);
                    }
                }

                let mut content = user_output;
                if !output.stderr.is_empty() {
                    if !content.is_empty() {
                        content.push('\n');
                    }
                    content.push_str(&output.stderr);
                }

                if output.exit_code == 0 {
                    if content.is_empty() {
                        ToolResult::success("(Bash completed with no output)")
                    } else {
                        ToolResult::success(content)
                    }
                } else {
                    ToolResult::error(format!("Exit code {}\n{}", output.exit_code, content))
                }
            }
            Err(e) => ToolResult::error(format!("Failed to execute: {}", e)),
        }
    }
}