@antonbabenko/deliberation-mcp 3.5.2 → 3.5.4

package/dist/index.js

@@ -1591,16 +1591,17 @@ var require_antigravity = __commonJS({
         },
         async ask(req) {
           const started = Date.now();
+          const includeDirs = (req.files || []).filter((f) => f.dir).map((f) => f.dir);
           const args = bridge.buildAgyArgs({
             prompt: req.prompt,
             model,
             sandbox: "read-only",
             developerInstructions: req.developerInstructions,
-            includeDirs: (req.files || []).filter((f) => f.dir).map((f) => f.dir)
+            includeDirs
           });
           try {
-            const out = await bridge.runGemini(args, req.cwd, req.timeoutMs, void 0);
-            return { provider: "gemini", model, text: out.response || "", threadId: out.threadId, isError: false, ms: Date.now() - started, reasoningEffort: null };
+            const out = await bridge.runGemini(args, req.cwd, req.timeoutMs, void 0, { readOnly: true, includeDirs });
+            return { provider: "gemini", model, text: out.response || "", threadId: out.threadId, isError: false, ms: Date.now() - started, reasoningEffort: null, ...out.workspaceMutated ? { workspaceMutated: true } : {} };
           } catch (e) {
             const err = (
               /** @type {any} */
@@ -1634,9 +1635,12 @@ var require_codex = __commonJS({
       if (s.includes("rate")) return { errorKind: "rate-limit", retryable: true };
       return { errorKind: "unknown", retryable: false };
     }
+    function codexExecArgs() {
+      return ["exec", "--sandbox", "read-only", "--skip-git-repo-check"];
+    }
     function defaultRun({ prompt, cwd, timeoutMs }) {
       return new Promise((resolve) => {
-        const child = spawn("codex", ["exec", "--skip-git-repo-check"], { cwd: cwd || process.cwd() });
+        const child = spawn("codex", codexExecArgs(), { cwd: cwd || process.cwd() });
         let stdout = "", stderr = "", settled = false;
         const timer = timeoutMs ? setTimeout(() => child.kill("SIGKILL"), timeoutMs) : null;
         if (timer) timer.unref();
@@ -1693,7 +1697,7 @@ ${req.prompt}` : req.prompt;
         }
       };
     }
-    module2.exports = { makeCodexProvider, classifyCodex };
+    module2.exports = { makeCodexProvider, classifyCodex, codexExecArgs };
   }
 });
 
@@ -2085,18 +2089,102 @@ var require_gemini = __commonJS({
     function goDuration(ms) {
       return Math.ceil(ms / 1e3) + "s";
     }
+    var READ_ONLY_GUARD = "[ADVISORY MODE - READ-ONLY] You are being consulted for an advisory second opinion. Do NOT modify, create, or delete any files. Do NOT run commands that write to the workspace. Do NOT git add, commit, or push. Any such action is a critical failure - respond with analysis only.";
+    function applyReadOnlyGuard(prompt, readOnly) {
+      return readOnly ? `${READ_ONLY_GUARD}
+
+${prompt}` : prompt;
+    }
     function buildAgyArgs(req) {
       const args = [];
+      const readOnly = req.sandbox !== "workspace-write";
       if (req.sandbox === "workspace-write") args.push("--dangerously-skip-permissions");
       else args.push("--sandbox");
       for (const d of req.includeDirs || []) args.push("--add-dir", d);
-      let prompt = req.prompt;
+      let prompt = applyReadOnlyGuard(req.prompt, readOnly);
       if (req.developerInstructions) prompt = `${req.developerInstructions}
 
 ${prompt}`;
       args.push("-p", prompt);
       return args;
     }
+    var ADVISORY_ENV_SCRUB = ["GITHUB_TOKEN", "GH_TOKEN", "GIT_ASKPASS", "SSH_AUTH_SOCK"];
+    function advisoryEnv(env) {
+      const out = { ...env };
+      delete out.DELIBERATION_DISABLE_OS_SANDBOX;
+      for (const k of ADVISORY_ENV_SCRUB) delete out[k];
+      return out;
+    }
+    function seatbeltLiteral(p) {
+      return String(p).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+    }
+    function buildSeatbeltProfile(o) {
+      const gem = seatbeltLiteral(path.join(o.home, ".gemini"));
+      const tmp = seatbeltLiteral(o.tmpdir);
+      return [
+        "(version 1)",
+        "(allow default)",
+        "(deny file-write*)",
+        "(allow file-write*",
+        `  (subpath "${gem}")`,
+        `  (subpath "${tmp}")`,
+        '  (subpath "/private/var/folders")',
+        '  (subpath "/private/tmp")',
+        '  (literal "/dev/null")',
+        '  (literal "/dev/dtracehelper")',
+        '  (regex #"^/dev/tty"))'
+      ].join("\n");
+    }
+    function buildSpawnCommand(o) {
+      const platform = o.platform || process.platform;
+      const unwrapped = { cmd: o.bin, argv: o.args, osSandbox: false };
+      if (!o.readOnly || o.disabled === true || platform !== "darwin" || !o.sandboxExecPath) {
+        return unwrapped;
+      }
+      const profile = buildSeatbeltProfile({ home: o.home, tmpdir: o.tmpdir });
+      return { cmd: o.sandboxExecPath, argv: ["-p", profile, o.bin, ...o.args], osSandbox: true };
+    }
+    function resolveSandboxExecPath() {
+      try {
+        fs.accessSync("/usr/bin/sandbox-exec", fs.constants.X_OK);
+        return "/usr/bin/sandbox-exec";
+      } catch (_) {
+        return null;
+      }
+    }
+    function captureGitState(cwd) {
+      const opts = { cwd, encoding: "utf8", timeout: 1e4, stdio: ["ignore", "pipe", "ignore"] };
+      try {
+        const head = execFileSync("git", ["rev-parse", "HEAD"], opts).trim();
+        const status = execFileSync("git", ["status", "--porcelain"], opts);
+        return { head, status };
+      } catch (_) {
+        return null;
+      }
+    }
+    function diffGitState(pre, post) {
+      if (!pre || !post) return false;
+      return pre.head !== post.head || pre.status !== post.status;
+    }
+    function captureRoots(dirs) {
+      const seen = /* @__PURE__ */ new Set();
+      const states = [];
+      for (const d of dirs) {
+        if (!d || seen.has(d)) continue;
+        seen.add(d);
+        states.push([d, captureGitState(d)]);
+      }
+      return states;
+    }
+    function rootsMutated(preStates) {
+      for (const [dir, pre] of preStates) {
+        if (diffGitState(pre, captureGitState(dir))) return true;
+      }
+      return false;
+    }
+    function workspaceMutationWarning(dir) {
+      return "WORKSPACE MUTATION DETECTED\nThis advisory (read-only) run changed the workspace at " + dir + " (git HEAD and/or working-tree status changed during the run). Review `git status` / `git log` before continuing - nothing was auto-reverted, and the result below should be treated as tainted.\n---\n";
+    }
     function sendResponse(id, result) {
       process.stdout.write(JSON.stringify({
         jsonrpc: "2.0",
@@ -2150,11 +2238,13 @@ ${prompt}`;
         return null;
       }
     }
-    async function runGemini(args, cwd, timeoutMs, recoveryGraceMs) {
+    async function runGemini(args, cwd, timeoutMs, recoveryGraceMs, opts = {}) {
       return new Promise((resolve, reject) => {
         const t = typeof timeoutMs === "number" && timeoutMs > 0 ? timeoutMs : DEFAULT_TIMEOUT_MS;
         const effCwd = cwd || process.cwd();
         const spawnStartMs = Date.now();
+        const readOnly = opts.readOnly === true;
+        const preRoots = readOnly ? captureRoots([effCwd, ...opts.includeDirs || []]) : [];
         const disableRecovery = process.env.GEMINI_DISABLE_TIMEOUT_RECOVERY === "1";
         const grace = disableRecovery ? 0 : typeof recoveryGraceMs === "number" && recoveryGraceMs >= 0 ? recoveryGraceMs : DEFAULT_RECOVERY_GRACE_MS;
         let killed = false;
@@ -2165,8 +2255,27 @@ ${prompt}`;
         const head = ptIdx >= 0 ? args.slice(0, ptIdx) : args;
         const tail = ptIdx >= 0 ? args.slice(ptIdx) : [];
         const agyArgs = [...head, "--print-timeout", goDuration(t + grace + 3e4), ...tail];
-        const agyProcess = spawn(AGY_BIN, agyArgs, {
-          env: process.env,
+        const spawnPlan = buildSpawnCommand({
+          bin: AGY_BIN,
+          args: agyArgs,
+          readOnly,
+          platform: process.platform,
+          home: os.homedir(),
+          tmpdir: (() => {
+            try {
+              return fs.realpathSync(os.tmpdir());
+            } catch (_) {
+              return os.tmpdir();
+            }
+          })(),
+          sandboxExecPath: readOnly ? resolveSandboxExecPath() : null,
+          disabled: process.env.DELIBERATION_DISABLE_OS_SANDBOX === "1"
+        });
+        if (spawnPlan.osSandbox) {
+          process.stderr.write("[deliberation] agy read-only run wrapped in sandbox-exec (workspace writes denied)\n");
+        }
+        const agyProcess = spawn(spawnPlan.cmd, spawnPlan.argv, {
+          env: readOnly ? advisoryEnv(process.env) : process.env,
           shell: false,
           cwd: effCwd,
           // agy -p (print mode) waits for stdin EOF before returning; if the stdin
@@ -2274,7 +2383,9 @@ ${prompt}`;
               process.stderr.write(
                 "[deliberation] recovered agy answer via stdout drain after soft timeout (" + Math.round((Date.now() - spawnStartMs) / 1e3) + "s)\n"
               );
-              return resolve({ response: out, threadId: resolveConversationId(effCwd) || "unknown", recovered: true });
+              const mutated = readOnly && rootsMutated(preRoots);
+              const text = mutated ? workspaceMutationWarning(effCwd) + out : out;
+              return resolve({ response: text, threadId: resolveConversationId(effCwd) || "unknown", recovered: true, ...mutated ? { workspaceMutated: true } : {} });
             }
             return finishTimeout();
           }
@@ -2287,7 +2398,9 @@ ${prompt}`;
                 "[deliberation] no conversation id found for cwd " + effCwd + '; returning threadId:"unknown" (resume will be unavailable)\n'
               );
             }
-            return resolve({ response: out, threadId: threadId || "unknown" });
+            const mutated = readOnly && rootsMutated(preRoots);
+            const text = mutated ? workspaceMutationWarning(effCwd) + out : out;
+            return resolve({ response: text, threadId: threadId || "unknown", ...mutated ? { workspaceMutated: true } : {} });
           }
           let message;
           if (trimmedErr) message = trimmedErr;
@@ -2454,19 +2567,27 @@ ${prompt}`;
               return;
             }
             agyArgs.push("--conversation", threadId2, ...sandboxFlags, ...addDirFlags);
-            agyArgs.push("-p", args.prompt);
+            agyArgs.push("-p", applyReadOnlyGuard(args.prompt, args.sandbox !== "workspace-write"));
           } else {
             if (shouldRespond) sendError(id, -32601, `Tool not found: ${name}`);
             return;
           }
           const timeoutMs = typeof args.timeout === "number" && args.timeout > 0 ? args.timeout : DEFAULT_TIMEOUT_MS;
           const recoveryGraceMs = typeof args["recovery-grace"] === "number" && args["recovery-grace"] >= 0 ? args["recovery-grace"] : DEFAULT_RECOVERY_GRACE_MS;
-          const { response, threadId, recovered } = await runGemini(agyArgs, args.cwd, timeoutMs, recoveryGraceMs);
+          const readOnly = args.sandbox !== "workspace-write";
+          const { response, threadId, recovered, workspaceMutated } = await runGemini(
+            agyArgs,
+            args.cwd,
+            timeoutMs,
+            recoveryGraceMs,
+            { readOnly, includeDirs: args["include-directories"] || [] }
+          );
           if (shouldRespond) {
             sendResponse(id, {
               content: [{ type: "text", text: response }],
               threadId,
-              ...recovered ? { recovered: true } : {}
+              ...recovered ? { recovered: true } : {},
+              ...workspaceMutated ? { workspaceMutated: true } : {}
             });
           }
         } catch (e) {
@@ -2532,6 +2653,12 @@ ${prompt}`;
       module2.exports.stdoutIsError = stdoutIsError;
       module2.exports.runGemini = runGemini;
       module2.exports.buildAgyArgs = buildAgyArgs;
+      module2.exports.READ_ONLY_GUARD = READ_ONLY_GUARD;
+      module2.exports.applyReadOnlyGuard = applyReadOnlyGuard;
+      module2.exports.advisoryEnv = advisoryEnv;
+      module2.exports.buildSeatbeltProfile = buildSeatbeltProfile;
+      module2.exports.buildSpawnCommand = buildSpawnCommand;
+      module2.exports.diffGitState = diffGitState;
     }
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@antonbabenko/deliberation-mcp",
-  "version": "3.5.2",
+  "version": "3.5.4",
   "description": "Deliberation for Claude Code and any MCP host - GPT, Gemini, Grok, and OpenRouter expert subagents.",
   "mcpName": "io.github.antonbabenko/deliberation",
   "repository": { "type": "git", "url": "git+https://github.com/antonbabenko/deliberation.git", "directory": "server/mcp" },