Upd0611

cli/fs.py

@@ -1,68 +1,12 @@
 import os
-import re
 from collections.abc import Iterator
 from typing import Any
 
 from fsspec.implementations.local import LocalFileSystem, stringify_path
 
+from contractor.tools.fs.globmatch import glob_to_regex
 from contractor.utils.formatting import norm_unicode
-
-
-def _translate_glob_segment(seg: str) -> str:
-    """Translate one glob path segment to regex, never crossing ``/``."""
-    out: list[str] = []
-    i, n = 0, len(seg)
-    while i < n:
-        c = seg[i]
-        if c == "*":
-            out.append("[^/]*")
-        elif c == "?":
-            out.append("[^/]")
-        elif c == "[":
-            j = i + 1
-            if j < n and seg[j] == "!":
-                j += 1
-            if j < n and seg[j] == "]":
-                j += 1
-            while j < n and seg[j] != "]":
-                j += 1
-            if j >= n:  # no closing bracket: treat '[' literally
-                out.append(re.escape(c))
-            else:
-                inner = seg[i + 1 : j]
-                if inner.startswith("!"):
-                    inner = "^" + inner[1:]
-                out.append("[" + inner + "]")
-                i = j + 1
-                continue
-        else:
-            out.append(re.escape(c))
-        i += 1
-    return "".join(out)
-
-
-def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
-    """
-    Compile a glob pattern into a path-aware regex with Python-like semantics:
-    ``*``/``?``/``[...]`` match within a single path segment, while ``**``
-    matches any number of segments (including zero). Matches relative paths
-    without a leading ``/``.
-    """
-    segments = pattern.split("/")
-    parts: list[str] = []
-    last = len(segments) - 1
-    for idx, seg in enumerate(segments):
-        if seg == "**":
-            if idx == last:
-                parts.append(".*")  # trailing ** matches anything, any depth
-            else:
-                parts.append("(?:[^/]*/)*")  # **/ matches zero or more segments
-                continue  # the separator is baked into the group above
-        else:
-            parts.append(_translate_glob_segment(seg))
-        if idx != last:
-            parts.append("/")
-    return re.compile("(?s:" + "".join(parts) + r")\Z")
+from contractor.utils.settings import get_settings
 
 
 class RootedLocalFileSystem(LocalFileSystem):
@@ -130,7 +74,11 @@ def _strip_protocol(self, path: str) -> str:
         resolved = os.path.realpath(candidate)
 
         if self._is_within_sandbox(resolved):
-            return candidate
+            # Return the *resolved* path — the exact path that was validated —
+            # so the later open()/stat() cannot re-resolve a symlink component
+            # swapped in after this check (check-then-use TOCTOU). In-sandbox
+            # symlinks still work: they resolve to their (validated) target.
+            return resolved
 
         return self._blocked_path
 
@@ -164,6 +112,11 @@ def walk(
             # Prune symlinked directories so os.walk never descends into them.
             dirs[:] = [d for d in dirs if self._is_safe_entry(current_root, d)]
 
+            # Hide symlinked files too (same policy as ls/glob): their content
+            # is already unreadable through the sandbox, so leaking the names
+            # would only disclose the existence of out-of-sandbox targets.
+            files = [f for f in files if self._is_safe_entry(current_root, f)]
+
             yield self._to_virtual(real_root), dirs, files
 
     def ls(
@@ -201,17 +154,35 @@ def glob(self, pattern: str, **kwargs: Any) -> list[str]:
 
         Returns virtual paths such as ``/file.txt`` or ``/dir/inner.txt``.
         """
+        matches, _truncated = self.glob_scanned(pattern)
+        return matches
+
+    def glob_scanned(
+        self, pattern: str, max_files: int | None = None
+    ) -> tuple[list[str], bool]:
+        """``glob`` plus a truncation flag.
+
+        The tree walk is hard-bounded at *max_files* scanned files (default:
+        ``Settings.fs_max_files_per_walk``) so a glob over a huge repo cannot
+        run away. The flag is ``True`` when the ceiling was hit, i.e. the
+        match list may be incomplete.
+        """
         if not pattern:
-            return []
+            return [], False
 
         pattern = norm_unicode(pattern.lstrip("/")) or ""
 
         # Reject obvious traversal attempts.
         if ".." in pattern.split("/"):
-            return []
+            return [], False
+
+        if max_files is None:
+            max_files = get_settings().fs_max_files_per_walk
 
-        regex = _glob_to_regex(pattern)
+        regex = glob_to_regex(pattern)
         matches: set[str] = set()
+        scanned = 0
+        truncated = False
 
         # Always walk the full tree: a non-recursive pattern like ``sub/*.py``
         # still needs to descend into ``sub``. The regex is path-aware, so a
@@ -225,6 +196,11 @@ def glob(self, pattern: str, **kwargs: Any) -> list[str]:
                 rel_root = ""
 
             for name in files:
+                if scanned >= max_files:
+                    truncated = True
+                    break
+                scanned += 1
+
                 normalized_name = norm_unicode(name) or name
                 host_path = os.path.join(host_root, normalized_name)
 
@@ -239,4 +215,7 @@ def glob(self, pattern: str, **kwargs: Any) -> list[str]:
                 if regex.match(rel_path):
                     matches.add("/" + rel_path)
 
-        return sorted(matches)
+            if truncated:
+                break
+
+        return sorted(matches), truncated

cli/main.py

@@ -67,7 +67,15 @@ def _project_artifacts_dir(base: Path, project_path: Path) -> Path:
     "opentelemetry",
 )
 
-_UI_STOP_EVENTS = frozenset({"run_finished", "task_failed", "workflow_finished"})
+# Only the single, truly-terminal workflow event stops the live UI. Both
+# ``run_finished`` (per TaskRunner.run(), fired once per finding in multi-run
+# workflows) and ``task_failed`` (per-finding failure that the workflow catches
+# and continues past) happen mid-workflow — stopping on them froze the UI and,
+# because the handler returned early, suppressed every later event from both the
+# live render and the print fallback. ``workflow_finished`` is emitted exactly
+# once in ``Workflow.run()``'s finally block (even on abort), so it is the only
+# safe place to tear the renderer down.
+_UI_STOP_EVENTS = frozenset({"workflow_finished"})
 
 # High-volume / non-user-facing events. Persisted to metrics.jsonl when they
 # match, but never forwarded to the live UI (they would just flood it).
@@ -201,7 +209,13 @@ async def async_main(
         checkpoint_path=checkpoint_path,
     )
 
-    runner = workflow_cls(ctx)
+    try:
+        runner = workflow_cls(ctx)
+    except ValueError as exc:
+        # Some workflows (e.g. ExploitabilityWorkflow without a target URL)
+        # validate their context in __init__. Surface that as a clean CLI
+        # error instead of an uncaught traceback.
+        raise click.UsageError(str(exc)) from exc
     handler = _build_event_handler(output_dir, workflow, enable_ui=enable_ui)
 
     with observability.run_context(

cli/metrics.py

@@ -59,6 +59,8 @@ def _event_to_record(event: TaskRunnerEvent) -> dict[str, Any]:
         "task_name": getattr(event, "task_name", None),
         "task_id": getattr(event, "task_id", None),
     }
+    # Intentional: setdefault means payload keys that shadow envelope keys
+    # ("type", "task_name", ...) are dropped — the envelope always wins.
     for key, value in payload_dict.items():
         record.setdefault(key, value)
     return record

contractor/agents/exploitability_agent/agent.py

@@ -9,7 +9,7 @@
 
 from contractor.agents.worker_factory import build_worker
 from contractor.callbacks import default_tool
-from contractor.callbacks.adapter import CallbackAdapter
+from contractor.callbacks.adapter import chain_after_model_callback
 from contractor.callbacks.guardrails import MandatoryToolCallback
 from contractor.tools.caido import caido_tools
 from contractor.tools.code import attach_graph_tools_if_local, code_tools
@@ -18,6 +18,8 @@
 from contractor.tools.memory import MemoryFormat, memory_tools
 from contractor.tools.podman import code_exec_tools
 from contractor.tools.vuln import (
+    READ_ONLY_VULN_TOOL_NAMES,
+    VERDICT_TOOL_NAMES,
     VerifiedFindingFormat,
     VulnerabilityReportFormat,
     verification_tools,
@@ -27,12 +29,6 @@
 
 EXPLOIT_PROMPT: Final[str] = load_prompt("exploitability_agent")
 
-_READ_ONLY_VULN_TOOL_NAMES: frozenset[str] = frozenset(
-    {"get_vulnerability", "list_vulnerabilities"}
-)
-
-_VERDICT_TOOL_NAMES: list[str] = ["submit_verdict", "report_verification"]
-
 _ELIDE_TOOLS: list[str] = [
     "read_file", "grep", "glob", "list_symbols",
     "http_request", "http_read_body",
@@ -112,7 +108,7 @@ def build_exploitability_agent(
             name=src_ns,
             fmt=VulnerabilityReportFormat(_format=_format),
         )
-        if t.__name__ in _READ_ONLY_VULN_TOOL_NAMES
+        if t.__name__ in READ_ONLY_VULN_TOOL_NAMES
     ]
 
     verif_tools = verification_tools(
@@ -150,28 +146,9 @@ def build_exploitability_agent(
         elide_keep_last_n=elide_keep_last_n,
     )
 
-    mandatory_cb = MandatoryToolCallback(tool_names=_VERDICT_TOOL_NAMES, max_nudges=3)
-    adapter = CallbackAdapter(agent_name=name)
-    adapter.register(mandatory_cb)
-    extra_callbacks = adapter()
-    if "after_model_callback" in extra_callbacks:
-        existing = agent.after_model_callback
-        new_cb = extra_callbacks["after_model_callback"]
-        if existing is not None:
-            original = existing
-            def _chain(callback_context, llm_response, _orig=original, _new=new_cb):
-                result = _orig(
-                    callback_context=callback_context,
-                    llm_response=llm_response,
-                )
-                if result is not None:
-                    return result
-                return _new(
-                    callback_context=callback_context,
-                    llm_response=llm_response,
-                )
-            agent.after_model_callback = _chain
-        else:
-            agent.after_model_callback = new_cb
+    chain_after_model_callback(
+        agent,
+        MandatoryToolCallback(tool_names=list(VERDICT_TOOL_NAMES), max_nudges=3),
+    )
 
     return agent

contractor/agents/http_agent/agent.py

@@ -14,7 +14,14 @@
 HTTP_PROMPT: Final[str] = load_prompt("http_agent")
 
 _SUMMARIZATION_BULLETS: Final[str] = (
-    "You have reached context limit. Summarize your progress and call report tool."
+    "You have reached the context limit. Summarize your progress:\n"
+    "1. Subtask objective as you understand it\n"
+    "2. Requests issued so far (method + URL) and the key responses observed\n"
+    "3. Findings worth keeping — persist them to memory before stopping\n"
+    "4. Open questions or blockers\n"
+    "5. Smallest concrete next step to resume the flow\n"
+    "Then return the structured result. Include only claims supported by "
+    "tool output; mark anything inferred as such.\n"
 )
 
 def build_http_agent(

contractor/agents/likec4_builder_agent/prompts/v3.md

@@ -179,7 +179,7 @@ Inbound entry points:
 - In the relationship title, name the specific vulnerability if present:
     "POST /notes/search (unauthenticated, SQL injection via q param)"
     "GET /admin/users (no RBAC — any auth user can access)"
-    "DELETE /notes/{id} (no ownership check)"
+    "DELETE /notes/{note-id} (no ownership check)"
 
 Outbound calls:
 - Protocol, transport (TLS?), credential type in the title: