feat(context): enhance agent ledger and monitor functionality

- Improved `get_agent_ledger` method in `ledger.py` by adding validation
  for `agent_id` to raise a `ValueError` if it is empty.
- Updated `_get_output_path` in `monitor.py` to include detailed path
  sanitization steps and added checks to prevent path traversal attacks.
- Refined agent name sanitation and fallback techniques to ensure unique
  naming.
- Incremented version number to `1.5.114` in `pyproject.toml` and
  `uv.lock`.

Author: MervinPraison

src/praisonai-agents/praisonaiagents/context/ledger.py

@@ -291,7 +291,20 @@ def __init__(self):
         self._shared_tokens: int = 0  # Tokens shared across agents
 
     def get_agent_ledger(self, agent_id: str) -> ContextLedgerManager:
-        """Get or create ledger for an agent."""
+        """Get or create ledger for an agent.
+        
+        Args:
+            agent_id: Unique identifier for the agent.
+            
+        Returns:
+            ContextLedgerManager for this agent.
+            
+        Raises:
+            ValueError: If agent_id is empty or contains only whitespace.
+        """
+        if not agent_id or not agent_id.strip():
+            raise ValueError("agent_id must be a non-empty string")
+        
         if agent_id not in self._agents:
             self._agents[agent_id] = ContextLedgerManager(agent_id)
         return self._agents[agent_id]

src/praisonai-agents/praisonaiagents/context/monitor.py

@@ -514,18 +514,41 @@ def snapshot(
         return str(output_path)
 
     def _get_output_path(self, agent_name: str = "") -> Path:
-        """Get output path, optionally per-agent."""
+        """Get output path, optionally per-agent.
+        
+        Security: Agent names are sanitized to prevent path traversal.
+        """
         if not self.multi_agent_files or not agent_name:
             return self.path
 
         # Create per-agent path
         stem = self.path.stem
         suffix = self.path.suffix or (".json" if self.format == "json" else ".txt")
 
-        # Sanitize agent name
-        safe_name = re.sub(r'[^\w\-]', '_', agent_name.lower())
-        
-        return self.path.parent / f"{stem}_{safe_name}{suffix}"
+        # Sanitize agent name:
+        # 1. Strip any path separators first (defence in depth)
+        safe_name = agent_name.replace('/', '_').replace('\\', '_')
+        # 2. Collapse to safe chars only
+        safe_name = re.sub(r'[^\w\-]', '_', safe_name.lower())
+        # 3. Enforce length limit to prevent filesystem issues
+        safe_name = safe_name[:64] if safe_name else 'unknown'
+        # 4. Strip leading/trailing underscores / dots  
+        safe_name = safe_name.strip('_.')
+        if not safe_name:
+            safe_name = 'unknown'
+        
+        result = self.path.parent / f"{stem}_{safe_name}{suffix}"
+        
+        # Verify the resolved path stays within the expected parent dir
+        resolved = result.resolve()
+        parent_resolved = self.path.parent.resolve()
+        if not str(resolved).startswith(str(parent_resolved) + '/') and resolved.parent != parent_resolved:
+            # Fallback to a safe hash-based name
+            import hashlib
+            hash_name = hashlib.sha256(agent_name.encode()).hexdigest()[:16]
+            result = self.path.parent / f"{stem}_{hash_name}{suffix}"
+        
+        return result
 
     def _get_warnings(
         self,

src/praisonai-agents/praisonaiagents/tools/python_tools.py

@@ -143,7 +143,15 @@ def safe_execute():
         blocked_attrs = {{
             '__subclasses__', '__bases__', '__mro__', '__globals__',
             '__code__', '__class__', '__dict__', '__builtins__',
-            '__import__', '__loader__', '__spec__'
+            '__import__', '__loader__', '__spec__', '__init_subclass__',
+            '__set_name__', '__reduce__', '__reduce_ex__',
+            '__traceback__', '__qualname__', '__module__',
+            '__wrapped__', '__closure__', '__annotations__',
+            # Frame/code object introspection
+            'gi_frame', 'gi_code', 'cr_frame', 'cr_code',
+            'ag_frame', 'ag_code', 'tb_frame', 'tb_next',
+            'f_globals', 'f_locals', 'f_builtins', 'f_code',
+            'co_consts', 'co_names',
         }}
         
         for node in ast.walk(tree):
@@ -162,7 +170,9 @@ def safe_execute():
                     "success": False
                 }}
             if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
-                if node.func.id in ('exec', 'eval', 'compile', '__import__', 'open'):
+                if node.func.id in ('exec', 'eval', 'compile', '__import__',
+                                     'open', 'input', 'breakpoint',
+                                     'setattr', 'delattr', 'dir'):
                     return {{
                         "result": None,
                         "stdout": "",

src/praisonai-agents/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "praisonaiagents"
-version = "1.5.113"
+version = "1.5.114"
 description = "Praison AI agents for completing complex tasks with Self Reflection Agents"
 readme = "README.md"
 requires-python = ">=3.10"

src/praisonai-agents/uv.lock

@@ -4,6 +4,7 @@
  */
 
 import { AgentFlow, Task, TaskConfig } from './index';
+import * as path from 'path';
 
 export interface YAMLWorkflowDefinition {
   name: string;
@@ -39,8 +40,9 @@ export interface ParsedWorkflow {
  * Parse YAML string into workflow definition
  */
 export function parseYAMLWorkflow(yamlContent: string): YAMLWorkflowDefinition {
-  // Simple YAML parser for workflow definitions
-  // For production, use js-yaml package
+  // SECURITY: If migrating to js-yaml, you MUST use:
+  //   yaml.load(content, { schema: yaml.JSON_SCHEMA })
+  // Never use yaml.load() with DEFAULT_SCHEMA — it enables arbitrary JS execution.
   const lines = yamlContent.split('\n');
   const result: YAMLWorkflowDefinition = {
     name: '',
@@ -82,7 +84,15 @@ export function parseYAMLWorkflow(yamlContent: string): YAMLWorkflowDefinition {
         type: 'agent'
       };
     } else if (currentStep) {
-      // Step properties
+      // Step properties — whitelist allowed keys to prevent injection
+      const ALLOWED_STEP_KEYS = new Set([
+        'type', 'agent', 'tool', 'input', 'output', 'condition',
+        'onError', 'maxRetries', 'timeout', 'loopCondition', 'maxIterations',
+      ]);
+      if (!ALLOWED_STEP_KEYS.has(key)) {
+        // Ignore unknown keys — do not allow arbitrary property injection
+        continue;
+      }
       if (key === 'type') currentStep.type = value as any;
       else if (key === 'agent') currentStep.agent = value;
       else if (key === 'tool') currentStep.tool = value;
@@ -265,9 +275,33 @@ function parseValue(value: string): any {
 export async function loadWorkflowFromFile(
   filePath: string,
   agents: Record<string, any> = {},
-  tools: Record<string, any> = {}
+  tools: Record<string, any> = {},
+  options: { basePath?: string; maxFileSizeBytes?: number } = {}
 ): Promise<ParsedWorkflow> {
   const fs = await import('fs/promises');
+
+  // SECURITY: Prevent path traversal
+  const normalizedPath = path.normalize(filePath);
+  if (normalizedPath.includes('..')) {
+    throw new Error('Path traversal detected: ".." is not allowed in file paths');
+  }
+
+  // If basePath is specified, ensure resolvedPath stays within it
+  if (options.basePath) {
+    const resolvedBase = path.resolve(options.basePath);
+    const resolvedFile = path.resolve(options.basePath, normalizedPath);
+    if (!resolvedFile.startsWith(resolvedBase + path.sep) && resolvedFile !== resolvedBase) {
+      throw new Error(`File path must be within base directory: ${options.basePath}`);
+    }
+  }
+
+  // SECURITY: Enforce file size limit (default 1 MB)
+  const maxSize = options.maxFileSizeBytes ?? 1_048_576;
+  const stat = await fs.stat(filePath);
+  if (stat.size > maxSize) {
+    throw new Error(`File too large: ${stat.size} bytes exceeds limit of ${maxSize} bytes`);
+  }
+
   const content = await fs.readFile(filePath, 'utf-8');
   const definition = parseYAMLWorkflow(content);
   return createWorkflowFromYAML(definition, agents, tools);

src/praisonai-ts/src/workflows/yaml-parser.ts

@@ -15,9 +15,70 @@
     from .code_intelligence import CodeIntelligenceRouter
     from .action_orchestrator import ActionOrchestrator
 
+import os
+import re
+
 logger = logging.getLogger(__name__)
 
 
+def _sanitize_filepath(filepath: str, workspace: str = None) -> str:
+    """Validate and sanitize a filepath against injection attacks.
+    
+    Raises ValueError if the path is unsafe.
+    """
+    # Reject null bytes (common injection technique)
+    if '\x00' in filepath:
+        raise ValueError("Null bytes are not allowed in file paths")
+    
+    # Reject obvious shell meta-characters in file names
+    if any(ch in filepath for ch in ('|', ';', '`', '$', '&', '\n', '\r')):
+        raise ValueError(f"Unsafe characters in filepath: {filepath!r}")
+    
+    # Normalize and reject path traversal
+    normalized = os.path.normpath(filepath)
+    if '..' in normalized.split(os.sep):
+        raise ValueError(f"Path traversal detected in: {filepath!r}")
+    
+    # If we have a workspace, ensure the resolved path stays within it
+    if workspace:
+        resolved = os.path.realpath(os.path.join(workspace, normalized))
+        ws_resolved = os.path.realpath(workspace)
+        if not resolved.startswith(ws_resolved + os.sep) and resolved != ws_resolved:
+            raise ValueError(
+                f"Path {filepath!r} resolves outside workspace {workspace!r}"
+            )
+    
+    return normalized
+
+
+def _sanitize_command(command: str) -> str:
+    """Basic command sanitization — reject common injection vectors.
+    
+    The command still goes through ACP approval flow, but this prevents
+    the most egregious prompt-injection-to-shell-injection chains.
+    
+    Raises ValueError if dangerous patterns are detected.
+    """
+    if '\x00' in command:
+        raise ValueError("Null bytes are not allowed in commands")
+    
+    # Reject command chaining operators that indicate injection
+    DANGEROUS_PATTERNS = [
+        '$(', '`',      # Command substitution
+        '&&', '||',     # Command chaining  
+        '>>', '> ',     # Output redirection
+        '| ',           # Pipe
+    ]
+    for pattern in DANGEROUS_PATTERNS:
+        if pattern in command:
+            raise ValueError(
+                f"Potentially unsafe command pattern detected: {pattern!r} "
+                f"in command: {command!r}. Use separate commands instead."
+            )
+    
+    return command
+
+
 def create_agent_centric_tools(
     runtime: "InteractiveRuntime",
     router: "CodeIntelligenceRouter" = None,
@@ -77,8 +138,17 @@ def acp_create_file(filepath: str, content: str) -> str:
             JSON string with result including plan status and verification
         """
         async def _create():
+            # Validate filepath
+            try:
+                safe_path = _sanitize_filepath(
+                    filepath, 
+                    workspace=getattr(runtime.config, 'workspace', None)
+                )
+            except ValueError as e:
+                return json.dumps({"success": False, "error": str(e)})
+            
             # Build a detailed prompt for the orchestrator
-            prompt = f"create file {filepath}"
+            prompt = f"create file {safe_path}"
 
             # Create plan
             result = await orchestrator.create_plan(prompt)
@@ -141,7 +211,15 @@ def acp_edit_file(filepath: str, new_content: str) -> str:
             JSON string with result including plan status
         """
         async def _edit():
-            prompt = f"edit file {filepath}"
+            try:
+                safe_path = _sanitize_filepath(
+                    filepath,
+                    workspace=getattr(runtime.config, 'workspace', None)
+                )
+            except ValueError as e:
+                return json.dumps({"success": False, "error": str(e)})
+            
+            prompt = f"edit file {safe_path}"
 
             result = await orchestrator.create_plan(prompt)
             if not result.success:
@@ -189,7 +267,15 @@ def acp_delete_file(filepath: str) -> str:
             JSON string with result
         """
         async def _delete():
-            prompt = f"delete file {filepath}"
+            try:
+                safe_path = _sanitize_filepath(
+                    filepath,
+                    workspace=getattr(runtime.config, 'workspace', None)
+                )
+            except ValueError as e:
+                return json.dumps({"success": False, "error": str(e)})
+            
+            prompt = f"delete file {safe_path}"
 
             result = await orchestrator.create_plan(prompt)
             if not result.success:
@@ -234,7 +320,12 @@ def acp_execute_command(command: str, cwd: str = None) -> str:
             JSON string with command output
         """
         async def _execute():
-            prompt = f"run command: {command}"
+            try:
+                safe_cmd = _sanitize_command(command)
+            except ValueError as e:
+                return json.dumps({"success": False, "error": str(e)})
+            
+            prompt = f"run command: {safe_cmd}"
 
             result = await orchestrator.create_plan(prompt)
             if not result.success:
@@ -414,10 +505,16 @@ def read_file(filepath: str) -> str:
             if not path.is_absolute():
                 path = Path(runtime.config.workspace) / filepath
 
-            if not path.exists():
+            # SECURITY: Ensure resolved path stays within workspace
+            resolved = path.resolve()
+            ws_resolved = Path(runtime.config.workspace).resolve()
+            if not str(resolved).startswith(str(ws_resolved) + os.sep) and resolved != ws_resolved:
+                return json.dumps({"error": f"Path escapes workspace: {filepath}"})
+            
+            if not resolved.exists():
                 return json.dumps({"error": f"File not found: {filepath}"})
 
-            content = path.read_text()
+            content = resolved.read_text()
 
             # Track in trace if enabled
             if runtime._trace:
@@ -451,7 +548,13 @@ def list_files(directory: str = ".", pattern: str = "*") -> str:
             if not path.is_absolute():
                 path = Path(runtime.config.workspace) / directory
 
-            if not path.exists():
+            # SECURITY: Ensure resolved path stays within workspace
+            resolved = path.resolve()
+            ws_resolved = Path(runtime.config.workspace).resolve()
+            if not str(resolved).startswith(str(ws_resolved) + os.sep) and resolved != ws_resolved:
+                return json.dumps({"error": f"Directory escapes workspace: {directory}"})
+            
+            if not resolved.exists():
                 return json.dumps({"error": f"Directory not found: {directory}"})
 
             files = []