Hybrid Research Rig v0.1.3 — ensemble bot, Baritone pathfinding, vision, HUD, security hardening#714
Closed
Z0mb13V1 wants to merge 7 commits intomindcraft-bots:developfrom
Closed
Hybrid Research Rig v0.1.3 — ensemble bot, Baritone pathfinding, vision, HUD, security hardening#714Z0mb13V1 wants to merge 7 commits intomindcraft-bots:developfrom
Z0mb13V1 wants to merge 7 commits intomindcraft-bots:developfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR brings in the “Hybrid Research Rig v0.1.3” feature set: multi-model ensemble decision-making, Baritone-based pathfinding, vision/HUD support, remote MindServer mode, and broad security + resilience hardening across agent lifecycle, messaging, and persistence.
Changes:
- Add an ensemble model pipeline (panel + heuristic arbiter + optional LLM judge) with logging and ChromaDB-backed experience retrieval.
- Replace/extend navigation and vision subsystems (Baritone integration, safer async camera/viewer loading) and strengthen agent process resilience + persistence (atomic writes, restart backoff).
- Security hardening across input validation, rate limiting, key loading precedence, sandbox notes, and safer TTS execution.
Reviewed changes
Copilot reviewed 133 out of 134 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| tasks/human_evaluation.js | Minor lint/unused-var adjustments for task runner script. |
| tasks/construction_tasks/get_blueprint.js | Minor lint/format fixes in blueprint generation helper. |
| tasks/dragon/diamond_pickaxe.json | New dragon progression task chunk config. |
| tasks/dragon/nether_portal.json | New dragon progression task chunk config. |
| tasks/dragon/blaze_rods.json | New dragon progression task chunk config. |
| tasks/dragon/ender_pearls.json | New dragon progression task chunk config. |
| tasks/dragon/stronghold.json | New dragon progression task chunk config. |
| tasks/dragon/ender_dragon.json | New dragon progression task chunk config. |
| tasks/dragon/full_run.json | New “full run” dragon progression task config. |
| start.ps1 | Add Windows launcher for starting both bots via Docker Compose profiles. |
| src/utils/usage_tracker.js | New usage/cost tracking with periodic autosave + RPM/TPM snapshot. |
| src/utils/rate_limiter.js | New in-memory rate limiter with cleanup interval + destroy hook. |
| src/utils/message_validator.js | New Discord/Minecraft message + username validation/sanitization helpers. |
| src/utils/mcdata.js | Switch auto-eat loader style; load Baritone; configure ashfinder defaults on spawn. |
| src/utils/keys.js | Prefer env vars over keys.json; sanitize loaded keys; warn on legacy usage. |
| src/utils/examples.js | Minor lint/format adjustments. |
| src/process/init_agent.js | Add remote MindServer connection mode; add global exception/rejection handlers. |
| src/process/agent_process.js | Support remote agent mode; improve restart/backoff behavior; use process.execPath. |
| src/models/vllm.js | Refactor vLLM client; retries; usage capture; basic <think> stripping; add vision wrapper. |
| src/models/qwen.js | Remove unused hasKey import. |
| src/models/openrouter.js | Remove unused hasKey import; embed stub arg rename. |
| src/models/ollama.js | Add usage capture; replace fetch usage with http/https request; Ollama-native vision formatting. |
| src/models/novita.js | Embed stub arg rename. |
| src/models/mercury.js | Remove unused hasKey import. |
| src/models/huggingface.js | Embed stub arg rename. |
| src/models/grok.js | Add usage capture; null-safe separator replacement; embed stub arg rename. |
| src/models/gpt.js | Minor lint-variable renaming inside OpenAI provider. |
| src/models/glhf.js | Normalize line endings/formatting; embed stub arg rename. |
| src/models/gemini.js | Capture usage metadata; adjust generateContent config shape; embed return compatibility. |
| src/models/deepseek.js | Remove unused hasKey import; embed stub arg rename. |
| src/models/claude.js | Embed stub arg rename. |
| src/models/cerebras.js | Stop-seq arg rename; embed stub arg rename. |
| src/models/_model_map.js | Guard against null/undefined model profile selection. |
| src/mindcraft/mindcraft.js | Add remote agent creation (writes settings file, spawns remote-connected agent process). |
| src/ensemble/panel.js | New panel fan-out with per-model timeout and proposal parsing. |
| src/ensemble/arbiter.js | New heuristic scoring + majority bonus + latency penalty + confidence calculation. |
| src/ensemble/judge.js | New LLM-as-judge fallback for low-confidence heuristic outcomes. |
| src/ensemble/logger.js | New decision log writer with trimming + basic stats. |
| src/ensemble/feedback.js | New ChromaDB feedback collector for “similar situations” memory injection + outcome updates. |
| src/ensemble/controller.js | New EnsembleModel drop-in implementing phased decision pipeline + usage aggregation. |
| src/agent/vision/vision_interpreter.js | Switch to async camera import with graceful fallback on missing native deps/WebGL. |
| src/agent/vision/camera.js | Fix viewer init ordering; add readiness flag + destroy method; improve error handling. |
| src/agent/vision/browser_viewer.js | Lazy-load prismarine-viewer; bind host; degrade gracefully when module missing. |
| src/agent/tasks/tasks.js | Minor linting/format; small control-flow cleanup. |
| src/agent/tasks/cooking_tasks.js | Minor linting/format; rename unused locals. |
| src/agent/speak.js | Replace shell-based TTS with spawn arg arrays/stdin to mitigate injection; async queue handling. |
| src/agent/self_prompter.js | Minor formatting/semicolons/log statements. |
| src/agent/npc/item_goal.js | Minor lint/semicolons; ignore unused tuple element. |
| src/agent/npc/controller.js | Harden construction JSON loading (resolved dir + path traversal guard); minor lint. |
| src/agent/npc/build_goal.js | Remove unused mcdata import. |
| src/agent/mindserver_proxy.js | Add remote registration flow; connection timeout; ignore unnamed/broadcast restart events; add usage RPC. |
| src/agent/memory_bank.js | Minor semicolon fixes. |
| src/agent/library/world.js | Switch clear-path checks to Baritone generatePath; remove pathfinder dependency. |
| src/agent/library/skill_library.js | Improve embedding-model error logging; minor lint. |
| src/agent/library/lockdown.js | Clarify unsafeEval rationale; minor export formatting. |
| src/agent/library/index.js | Add dragon_runner docs to skill doc generation. |
| src/agent/library/full_state.js | Include resumeName + selfPrompter state in full state snapshot. |
| src/agent/learnings.js | New persistent “learnings” store with atomic write + stats/summary helpers. |
| src/agent/history.js | Atomic writes; sanitize stale “broken gathering” beliefs; guard corrupted/empty files; persist learnings. |
| src/agent/conversation.js | Make endConversation/endAllConversations async; await scheduling; minor semicolons. |
| src/agent/connection_handler.js | Allow empty catch blocks; minor lint. |
| src/agent/commands/queries.js | Minor formatting; string escape fix; add semicolons. |
| src/agent/commands/index.js | Track blocked commands; regex semicolon; minor error message formatting. |
| src/agent/coder.js | Use sync template reads; add optional code execution timeout; fix missing-skills check; minor logging fixes. |
| src/agent/action_manager.js | Add stuck/loop detection and collect-fail heuristics; adjust stop behavior; improve error-stack logging. |
| settings.js | Add deepSanitize for SETTINGS_JSON; update defaults for hybrid rig use (vision, prompts, profiles, etc.). |
| services/viaproxy/README.md | Formatting and list cleanup. |
| profiles/vllm.json | Add mode scaffolding + local URL changes. |
| profiles/qwen.json | Add mode scaffolding + hybrid/local variants. |
| profiles/mistral.json | Add mode scaffolding + hybrid/local variants. |
| profiles/mercury.json | Add mode scaffolding + hybrid/local variants. |
| profiles/llama.json | Add mode scaffolding + hybrid/local variants. |
| profiles/grok.json | Update identity/prompting; add mode scaffolding. |
| profiles/gpt.json | Update default OpenAI model; add mode scaffolding. |
| profiles/gemini.json | Update identity/prompting; add mode scaffolding; embedding selection. |
| profiles/deepseek.json | Add mode scaffolding + hybrid/local variants. |
| profiles/claude_thinker.json | Add mode scaffolding + hybrid/local variants. |
| profiles/claude.json | Add mode scaffolding + prompt changes. |
| profiles/andy-4.json | Add mode scaffolding + hybrid/local variants. |
| profiles/andy-4-reasoning.json | Add mode scaffolding + prompt tweaks. |
| profiles/tasks/crafting_profile.json | Add TODO header + formatting. |
| profiles/tasks/cooking_profile.json | Add TODO header + formatting. |
| profiles/tasks/construction_profile.json | Add TODO header + formatting. |
| profiles/ensemble.json | New ensemble-bot profile wiring panel/judge/arbiter settings. |
| profiles/dragon-slayer.json | New autonomous dragon progression profile with strict rules/examples. |
| profiles/cloud-persistent.json | New cloud “persistent” ensemble profile for remote 24/7 operation. |
| profiles/freeguy.json | Add mode scaffolding + hybrid/local variants. |
| profiles/azure.json | Add mode scaffolding + hybrid/local variants. |
| profiles/defaults/_default.json | Tighten prompting; include learnings/wiki; adjust defaults (cooldown/night_bed). |
| profiles/defaults/survival.json | Add TODO header; enable auto_eat/panic_defense. |
| profiles/defaults/assistant.json | Add TODO header. |
| profiles/defaults/creative.json | Add TODO header. |
| profiles/defaults/god_mode.json | Add TODO header. |
| patches/prismarine-viewer+1.33.0.patch | Patch viewer entity handling to avoid crashes on unknown bones/entities. |
| patches/@miner-org+mineflayer-baritone+4.5.0.patch | Patch baritone movement to guard missing “above” block. |
| package.json | Bump version; add deps (baritone, chromadb, discord.js); add lint/husky/lint-staged; overrides hardening. |
| main.js | Safer JSON parsing; env-var parsing robustness; remote MindServer mode; profile existence checks. |
| keys.example.json | Add Discord bot token key placeholder. |
| eslint.config.js | Update globals and rule severities; add overrides for bot/action code. |
| data/minecraft_wiki.json | Add curated wiki/recipe/mob/item reference data file. |
| bots/lintTemplate.js | Prefix unused imports to avoid lint noise. |
| bots/execTemplate.js | Minor formatting fix. |
| aws/user-data.sh | New EC2 bootstrap for Docker + AWS CLI + base tooling. |
| aws/backup.sh | New S3 backup script (world + selected bot memory files). |
| aws/restore.sh | New S3 restore script with safe stop/start of services. |
| aws/teardown.sh | New AWS teardown script for infra cleanup. |
| aws/env-toggle.sh | New helper to toggle AWS vs local environment usage. |
| aws/setup-ollama-proxy.sh | New host-level socat proxy setup for Ollama via Tailscale. |
| aws/s3-policy.json | New S3 bucket policy template (TLS-only + role-scoped access). |
| Dockerfile | Improve caching (copy patches); run npm test; drop root privileges in image. |
| Tasks.Dockerfile | Rework tasks image to Node 22 slim + Java 21 + AWS CLI; add non-root user. |
| FAQ.md | Formatting and minor content cleanup. |
| CLAUDE.md | New repository guide for Claude Code. |
| .husky/pre-commit | Add pre-commit hook to run lint-staged. |
| .gitignore | Add env/secret/AWS/minecraft-data ignores. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+29
to
+36
| # ── Application code ─────────────────────────────────────────────────────── | ||
| WORKDIR /mindcraft | ||
| COPY ./server_data.zip /mindcraft | ||
| RUN unzip server_data.zip | ||
| RUN git clone --depth 1 https://github.com/mindcraft-bots/mindcraft.git . | ||
|
|
||
| RUN npm install | ||
| COPY ./server_data.zip /mindcraft/ | ||
| RUN unzip -q server_data.zip && rm server_data.zip | ||
|
|
||
| RUN npm ci --omit=dev |
There was a problem hiding this comment.
This image clones https://github.com/mindcraft-bots/mindcraft.git during build, which makes the container depend on external HEAD and can drift from the code in this repository/PR (and breaks reproducibility/offline builds). Consider using COPY . . (or COPY package*.json + npm ci + COPY . .) so the image builds the checked-in source instead of pulling a different repo version.
src/mindcraft/mindcraft.js
Outdated
Comment on lines
+99
to
+103
| const settingsPath = `/tmp/mindcraft_${agent_name}_settings.json`; | ||
| writeFileSync(settingsPath, JSON.stringify(settings)); | ||
|
|
||
| const agentProcess = new AgentProcess(agent_name, null, remoteUrl, settingsPath); | ||
| agentProcess.start(settings.load_memory || false, settings.init_message || null, agentIndex); |
There was a problem hiding this comment.
createRemoteAgent writes a settings file to /tmp/mindcraft_${agent_name}_settings.json using the profile-provided agent_name verbatim. If a profile name contains path separators or .., this can write outside /tmp (and also collide with other agents). Consider sanitizing agent_name (e.g., allow only [A-Za-z0-9_-], or wrap with path.basename), and/or generate the filename with a random suffix (mkdtemp/UUID) to avoid collisions.
Comment on lines
+240
to
243
| async endAllConversations() { | ||
| for (const sender in this.convos) { | ||
| this.endConversation(sender); | ||
| } |
There was a problem hiding this comment.
endAllConversations() is now async, but it doesn't await the per-sender endConversation(sender) calls. This can race with _resumeSelfPrompter() and leave monitor/self-prompter state inconsistent. Update the loop to await each call (or collect promises and await Promise.all).
Comment on lines
+410
to
+414
| // Temporarily disable break/place to test clear-path feasibility | ||
| const prevBreak = bot.ashfinder.config.breakBlocks; | ||
| const prevPlace = bot.ashfinder.config.placeBlocks; | ||
| bot.ashfinder.config.breakBlocks = false; | ||
| bot.ashfinder.config.placeBlocks = false; |
There was a problem hiding this comment.
isClearPath() assumes bot.ashfinder is always present and initialized; accessing bot.ashfinder.config will throw if the Baritone plugin failed to load, is disabled, or the bot isn't fully spawned yet. Add a guard (e.g., return false when !bot.ashfinder?.config), or fall back to the previous mineflayer-pathfinder implementation when Baritone isn't available.
Comment on lines
26
to
36
| export function blacklistCommands(commands) { | ||
| const unblockable = ['!stop', '!stats', '!inventory', '!goal']; | ||
| for (let command_name of commands) { | ||
| if (unblockable.includes(command_name)){ | ||
| console.warn(`Command ${command_name} is unblockable`); | ||
| continue; | ||
| } | ||
| blockedCommands.add(command_name); | ||
| delete commandMap[command_name]; | ||
| delete commandList.find(command => command.name === command_name); | ||
| } |
There was a problem hiding this comment.
blacklistCommands() tries to remove an entry from commandList via delete commandList.find(...), but delete on the found object does nothing to the array (and find() doesn't return an index). This means blacklisted commands may still appear when iterating commandList elsewhere. Use findIndex + splice, or rebuild commandList/commandMap from a filtered list.
Comment on lines
9
to
+31
| if (allow_vision) { | ||
| this.camera = new Camera(agent.bot, this.fp); | ||
| import("./camera.js").then(({ Camera }) => { | ||
| try { | ||
| this.camera = new Camera(agent.bot, this.fp); | ||
| this.camera.on('error', (err) => { | ||
| console.warn(`[Vision] Camera async init failed: ${err.message}`); | ||
| console.warn('[Vision] Vision disabled — bots will continue without screenshot capability.'); | ||
| this.allow_vision = false; | ||
| if (this.camera) this.camera.destroy(); | ||
| this.camera = null; | ||
| }); | ||
| } catch (err) { | ||
| console.warn(`[Vision] Camera init failed (WebGL not available): ${err.message}`); | ||
| console.warn('[Vision] Vision disabled — bots will continue without screenshot capability.'); | ||
| this.allow_vision = false; | ||
| this.camera = null; | ||
| } | ||
| }).catch((err) => { | ||
| console.warn(`[Vision] Failed to load camera module: ${err.message}`); | ||
| console.warn('[Vision] Vision disabled — prismarine-viewer/canvas not available.'); | ||
| this.allow_vision = false; | ||
| this.camera = null; | ||
| }); |
There was a problem hiding this comment.
The camera is now initialized asynchronously via dynamic import(), but allow_vision remains true during that async window and this.camera may be undefined when lookAtPlayer() / lookAtPosition() call this.camera.capture(). This can throw at runtime. Consider setting this.camera = null up front and gating on this.camera?.ready (or awaiting a ready promise) before attempting captures, otherwise return a clear "camera not ready" message.
Comment on lines
+19
to
+41
| globals: { | ||
| ...globals.node, | ||
| ...globals.browser, | ||
| // Custom globals for Minecraft bot code | ||
| skills: "readonly", | ||
| log: "readonly", | ||
| world: "readonly", | ||
| bot: "readonly", | ||
| agent: "readonly", | ||
| Vec3: "readonly", | ||
| newAction: "readonly", | ||
| nearbyEntities: "readonly", | ||
| assert: "readonly", | ||
| chat_model_profile: "readonly", | ||
| result: "readonly", | ||
| Compartment: "readonly", | ||
| res: "writable", | ||
| id: "readonly", | ||
| cleanEmb: "readonly", | ||
| text: "readonly", | ||
| meta: "readonly", | ||
| sendRequest: "readonly", | ||
| }, |
There was a problem hiding this comment.
eslint.config.js declares a number of ordinary identifiers as globals (id, text, meta, result, etc.). These don't look like true runtime globals and will hide real no-undef bugs across the codebase. Prefer scoping these globals to the specific generated bot/action files that need them (via a files override), or remove them and fix the underlying undefined-variable usage.
Tasks.Dockerfile
Outdated
| WORKDIR /mindcraft | ||
| COPY ./server_data.zip /mindcraft | ||
| RUN unzip server_data.zip | ||
| RUN git clone --depth 1 https://github.com/mindcraft-bots/mindcraft.git . |
There was a problem hiding this comment.
This Dockerfile step pulls and executes arbitrary code from the unpinned third‑party GitHub repository mindcraft-bots/mindcraft at build time, which is a supply-chain risk. If the upstream repo or the network path is ever compromised, an attacker could inject malicious code into the container image and gain access to any AWS credentials or other secrets used by tasks run in this image. Pin this dependency to a specific immutable identifier (e.g., a commit SHA or release tarball) and, where possible, verify its integrity via checksum or signature instead of cloning the moving default branch.
Z0mb13V1
force-pushed
the
pr/hybrid-rig-v0.1.3
branch
from
e482dbc to
76f10a7
Compare
Z0mb13V1
added a commit
to Z0mb13V1/mindcraft
that referenced
this pull request
Mar 1, 2026
src/agent/commands/index.js - blacklistCommands: fix delete-on-find bug — delete commandList.find(...) did nothing to the array; replace with findIndex + splice so blacklisted commands are actually removed from commandList (not just commandMap) Tasks.Dockerfile - Replace 'git clone --depth 1 mindcraft-bots/mindcraft' with 'COPY . .' Fixes: broken reproducibility (upstream HEAD drift), offline CI failure, supply-chain risk (arbitrary code fetched at image build time) eslint.config.js - Scope action-code-only globals (newAction, nearbyEntities, assert, result, id, cleanEmb, text, meta) to the action-code files override block instead of declaring them globally, preventing them from masking real no-undef bugs - Keep Compartment, res, sendRequest, chat_model_profile as true globals since they are used in real source files (lockdown.js, item_goal.js, novita.js, prompter.js) src/agent/coder.js (follow-up to security commit) - Spread skills/world into plain objects before Object.freeze() to satisfy ESLint no-import-assign on namespace imports; security property preserved Already fixed in earlier RCs (no change needed): - mindcraft.js: agent_name sanitized with path.basename + regex (RC30) - conversation.js: endAllConversations awaits endConversation (RC30) - world.js: isClearPath guards bot.ashfinder?.config (RC30) - vision_interpreter.js: lookAtPlayer/lookAtPosition guard !this.camera
Z0mb13V1
added a commit
to Z0mb13V1/mindcraft
that referenced
this pull request
Mar 1, 2026
src/agent/commands/index.js - blacklistCommands: fix delete-on-find bug — delete commandList.find(...) did nothing to the array; replace with findIndex + splice so blacklisted commands are actually removed from commandList (not just commandMap) Tasks.Dockerfile - Replace 'git clone --depth 1 mindcraft-bots/mindcraft' with 'COPY . .' Fixes: broken reproducibility (upstream HEAD drift), offline CI failure, supply-chain risk (arbitrary code fetched at image build time) eslint.config.js - Scope action-code-only globals (newAction, nearbyEntities, assert, result, id, cleanEmb, text, meta) to the action-code files override block instead of declaring them globally, preventing them from masking real no-undef bugs - Keep Compartment, res, sendRequest, chat_model_profile as true globals since they are used in real source files (lockdown.js, item_goal.js, novita.js, prompter.js) src/agent/coder.js (follow-up to security commit) - Spread skills/world into plain objects before Object.freeze() to satisfy ESLint no-import-assign on namespace imports; security property preserved Already fixed in earlier RCs (no change needed): - mindcraft.js: agent_name sanitized with path.basename + regex (RC30) - conversation.js: endAllConversations awaits endConversation (RC30) - world.js: isClearPath guards bot.ashfinder?.config (RC30) - vision_interpreter.js: lookAtPlayer/lookAtPosition guard !this.camera
…DB memory
Adds the 3-phase ensemble pipeline used by CloudGrok:
- panel.js: queries 4 Grok models in parallel (60s timeout)
- arbiter.js: heuristic scoring (length, completeness, action quality, latency);
escalates to judge when top-2 within 0.08 margin
- judge.js: LLM-as-judge (grok-4) picks best response; 30s timeout with fallback
- feedback.js: ChromaDB vector memory (3072-dim Gemini embeddings); retrieves
similar past decisions (similarity > 0.6) and injects as [PAST EXPERIENCE]
- logger.js: writes every decision to bots/{BotName}/ensemble_log.json
- controller.js: EnsembleModel class — drop-in replacement for any single model
Integration: profile.model = 'ensemble' routes through EnsembleModel, which
implements the same sendRequest() interface as all other model providers.
…tone pathfinding Ender Dragon automation (dragon_runner.js + dragon_progress.js): - 6 gameplay chunks: getDiamondPickaxe, buildNetherPortal, collectBlazeRods, collectEnderPearls, locateStronghold, defeatEnderDragon - Persistent state (dragon_progress.json) with atomic writes and corruption recovery - 5 retries per chunk with exponential backoff; death recovery returns to drop coords - !beatMinecraft / !dragonProgression commands (120-180 min timeout) Baritone A* pathfinding (RC25+): - Custom A* pathfinder replacing mineflayer-pathfinder; distance-adaptive timeouts - Ghost block handling for Paper servers (re-fetch block after nav) - isClearPath() with Baritone integration; null-guard on isWalkable for respawn Skills RC13-RC29 (skills.js + world.js): - RC13: safeToBreak filter fix for tree logs - RC14-17: multi-hop smart explore (200-block relocation), water avoidance, wider collect range - RC18-20: resilient collectBlock — retry on combat, exclude failed positions - RC22: Aikar GC flags; RC23: bypass bot.collectBlock.collect() for Paper - RC24: timeout-protected dig (goToPosition 15s, dig 10s, pickup 8s) - RC26: prefer doors over block-breaking; stale dig fix (re-fetch after nav) - RC27: 9 runtime bug fixes from log review
Vision system (src/agent/vision/): - Dynamic import() for camera module with graceful fallback if WebGL unavailable - Xvfb + Mesa software rendering in Docker (LIBGL_ALWAYS_SOFTWARE=1) - 2-second delay after Xvfb start for WebGL context initialization - Patched prismarine-viewer: entity bone parent null check, unknown entity suppression - Per-bot vision model support (grok-2-vision-1212 for CloudGrok) HUD overlay (mindserver.js + public/index.html): - Gaming-style web dashboard at :8080 - Per-bot panels: runtime tracker, current goal, action display, scrollable command log - Live bot camera feeds via protocol-aware viewer iframes - Toolbar with bot controls; responsive CSS Discord bot (discord-bot.js): - Direct bot chat via Discord channels - Admin commands: !start, !stop, !restart with group-based control - Auto-fix monitor: watches bot-output events for errors, suggests fixes - Role-based access (DISCORD_ADMIN_IDS), usage tracking (!usage [agent|all]) - Path traversal guard + command injection detection on all user input - MindServer integration: live agent status display Windows launcher (start.ps1): one-command start/stop/detach for all bot profiles
…ctions, key loading New security modules: - message_validator.js: injection detection (shell commands, backticks, pipe-to-shell), character sanitization, and length limits for Discord/Minecraft chat - rate_limiter.js: sliding-window per-user limiter with automatic stale entry cleanup - usage_tracker.js: token usage tracking with cost estimation for active providers Existing file hardening: - keys.js: environment variables always override keys.json; added .env support - speak.js: TTS sanitization to prevent command injection in text-to-speech - commands/index.js: isCommandBlocked() check against per-profile blocked_actions array; settings.js deepSanitize() strips __proto__, constructor, prototype from SETTINGS_JSON
…Grafana monitoring Docker / Compose: - docker-compose.aws.yml: production config with LiteLLM proxy (:4000), ChromaDB, Tailscale sidecar, ENFORCE_SECURE_PROFILE=FALSE for mineflayer chat - docker-compose.yml: dev compose with Ollama host routing, port 19565 (was 25565) - Dockerfile: non-root user, Xvfb/Mesa for vision, memory 1536M→2560M - Tasks.Dockerfile: separate image for task evaluation runner - .dockerignore: exclude bot logs, node_modules, world saves from build context AWS scripts (aws/): - ec2-go.sh: one-command deploy (pull/rebuild/restart); IMDSv2 support, auto-detects local vs remote execution - setup.sh: full EC2 provisioning — Docker, Tailscale, ChromaDB, environment setup - deploy.sh: rsync-based deployment with SSM secret pulling - ec2-deploy.sh: self-contained bootstrap for EC2 browser SSH - env-toggle.sh: switch between cloud/local/hybrid environment configs - backup.sh / restore.sh: S3 world backup and restore - setup-ollama-proxy.sh: socat systemd service for Tailscale→Ollama routing Observability: - prometheus-aws.yml: Prometheus scrape config for EC2 deployment - grafana-provisioning/: dashboards, datasources, and alerting rules Security: - whitelist.json: pre-built offline UUIDs (avoids Playerdb crash for ONLINE_MODE=FALSE) - .env.example / keys.example.json: API key templates - .husky/pre-commit: ESLint zero-warning gate on every commit Patches: - prismarine-viewer: entity bone parent null check, unknown entity suppression
…ation, ESLint, and CI/CD New profiles: - ensemble.json: all-Grok 4-panel (grok-4, grok-4-fast-non-reasoning, grok-4-1-fast-non-reasoning, grok-code-fast-1); judge: grok-4 (30s) - cloud-persistent.json: grok-4 single-model cloud bot - dragon-slayer.json: sweaterdog/andy-4:q8_0 via Ollama; autonomous dragon speedrun - local-research.json: sweaterdog/andy-4 for research and exploration - All existing profiles updated: blocked_actions, conversation_examples, wiki references Core agent improvements: - agent.js: death handler + respawn recovery, post-respawn grace period (5s), human-player priority, max-command cap at 15, empty init_message support - action_manager.js: action deadlock detection, cancelResume(), error propagation - modes.js: night bed mode, door navigation, anti-team-kill guards, food panic fix - history.js / learnings.js: atomic writes (.tmp + rename), EBADF retry with backoff - conversation.js: inter-bot messaging protocol; Grok_En alias system - memory_bank.js, self_prompter.js, coder.js, connection_handler.js: various fixes - agent_process.js: 3 quick-exit retries with increasing delay Model providers (src/models/): - prompter.js: \, \, \, \, \ placeholder injection - grok.js: updated for grok-4 / grok-4-fast-non-reasoning API surface - ollama.js: fix http.request (avoid headers timeout), num_ctx/num_gpu params - All other providers: price table updates, API compatibility fixes Data / wiki: - data/minecraft_wiki.json: Minecraft wiki data for \ prompt injection Configuration and tooling: - settings.js: deepSanitize() prototype-pollution guard, SETTINGS_JSON env override, allow_vision config, port 19565 (was 25565) - main.js: multi-profile startup cleanup - package.json: updated deps + patch-package postinstall - eslint.config.js: flat config migration; zero-warning enforcement - CLAUDE.md: AI assistant guidance for codebase navigation - FAQ.md, README.md: updated for v0.1.3 Hybrid Research Rig
Z0mb13V1
force-pushed
the
pr/hybrid-rig-v0.1.3
branch
from
3404c87 to
88213bc
Compare
Author
|
Replaced by a fresh PR to clear edit history. All content is identical — see the new PR for a clean description. |
This was referenced Mar 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
3/3/2026
PR #716 consolidated everything from #710, #714, #717, and #718.
This PR was superseded by #716.