@bastani/atomic 0.9.0-alpha.1 → 0.9.0-alpha.3

  1. package/CHANGELOG.md +29 -0
  2. package/dist/builtin/cursor/CHANGELOG.md +6 -0
  3. package/dist/builtin/cursor/package.json +2 -2
  4. package/dist/builtin/intercom/CHANGELOG.md +6 -0
  5. package/dist/builtin/intercom/package.json +2 -2
  6. package/dist/builtin/mcp/CHANGELOG.md +6 -0
  7. package/dist/builtin/mcp/package.json +3 -3
  8. package/dist/builtin/subagents/CHANGELOG.md +6 -0
  9. package/dist/builtin/subagents/package.json +4 -4
  10. package/dist/builtin/web-access/CHANGELOG.md +6 -0
  11. package/dist/builtin/web-access/package.json +2 -2
  12. package/dist/builtin/workflows/CHANGELOG.md +19 -0
  13. package/dist/builtin/workflows/README.md +189 -122
  14. package/dist/builtin/workflows/builtin/deep-research-codebase.ts +30 -27
  15. package/dist/builtin/workflows/builtin/goal-ledger.ts +2 -0
  16. package/dist/builtin/workflows/builtin/goal-reports.ts +5 -0
  17. package/dist/builtin/workflows/builtin/goal-runner.ts +17 -20
  18. package/dist/builtin/workflows/builtin/goal-types.ts +2 -0
  19. package/dist/builtin/workflows/builtin/goal.d.ts +1 -0
  20. package/dist/builtin/workflows/builtin/goal.ts +40 -44
  21. package/dist/builtin/workflows/builtin/index.d.ts +1 -0
  22. package/dist/builtin/workflows/builtin/open-claude-design-runner.ts +16 -17
  23. package/dist/builtin/workflows/builtin/open-claude-design.d.ts +1 -0
  24. package/dist/builtin/workflows/builtin/open-claude-design.ts +42 -50
  25. package/dist/builtin/workflows/builtin/prompt-refinement.ts +102 -0
  26. package/dist/builtin/workflows/builtin/ralph-core.ts +6 -4
  27. package/dist/builtin/workflows/builtin/ralph-runner.ts +22 -24
  28. package/dist/builtin/workflows/builtin/ralph.d.ts +2 -0
  29. package/dist/builtin/workflows/builtin/ralph.ts +46 -41
  30. package/dist/builtin/workflows/package.json +2 -2
  31. package/dist/builtin/workflows/src/authoring/typebox-defaults.d.ts +41 -0
  32. package/dist/builtin/workflows/src/authoring/typebox-defaults.ts +217 -0
  33. package/dist/builtin/workflows/src/authoring/workflow.ts +184 -0
  34. package/dist/builtin/workflows/src/authoring.d.ts +14 -66
  35. package/dist/builtin/workflows/src/engine/graph-inference.ts +100 -0
  36. package/dist/builtin/workflows/src/engine/options.ts +40 -0
  37. package/dist/builtin/workflows/src/engine/primitives/chain.ts +29 -0
  38. package/dist/builtin/workflows/src/engine/primitives/exit.ts +2 -0
  39. package/dist/builtin/workflows/src/engine/primitives/parallel.ts +47 -0
  40. package/dist/builtin/workflows/src/engine/primitives/task.ts +108 -0
  41. package/dist/builtin/workflows/src/engine/primitives/ui.ts +41 -0
  42. package/dist/builtin/workflows/src/engine/primitives/workflow.ts +159 -0
  43. package/dist/builtin/workflows/src/engine/replay.ts +8 -0
  44. package/dist/builtin/workflows/src/engine/run.ts +356 -0
  45. package/dist/builtin/workflows/src/engine/runtime.ts +160 -0
  46. package/dist/builtin/workflows/src/extension/workflow-module-loader.ts +9 -3
  47. package/dist/builtin/workflows/src/extension/workflow-prompts.ts +3 -1
  48. package/dist/builtin/workflows/src/extension/workflow-schema.ts +0 -18
  49. package/dist/builtin/workflows/src/index.ts +0 -2
  50. package/dist/builtin/workflows/src/runs/background/runner.ts +6 -3
  51. package/dist/builtin/workflows/src/runs/foreground/executor-child-boundary.ts +3 -3
  52. package/dist/builtin/workflows/src/runs/foreground/executor-child-helpers.ts +4 -4
  53. package/dist/builtin/workflows/src/runs/foreground/executor-child-workflow.ts +1 -158
  54. package/dist/builtin/workflows/src/runs/foreground/executor-direct-helpers.ts +1 -1
  55. package/dist/builtin/workflows/src/runs/foreground/executor-outputs.ts +2 -2
  56. package/dist/builtin/workflows/src/runs/foreground/executor-prompt-nodes.ts +1 -1
  57. package/dist/builtin/workflows/src/runs/foreground/executor-run.ts +1 -359
  58. package/dist/builtin/workflows/src/runs/foreground/executor-scheduler.ts +1 -1
  59. package/dist/builtin/workflows/src/runs/foreground/executor-stage-call.ts +2 -5
  60. package/dist/builtin/workflows/src/runs/foreground/executor-stage-factory.ts +12 -4
  61. package/dist/builtin/workflows/src/runs/foreground/executor-stage-replay.ts +4 -3
  62. package/dist/builtin/workflows/src/runs/foreground/executor-stage-types.ts +9 -2
  63. package/dist/builtin/workflows/src/runs/foreground/executor-task-context.ts +2 -132
  64. package/dist/builtin/workflows/src/runs/foreground/executor-types.ts +2 -2
  65. package/dist/builtin/workflows/src/runs/shared/graph-inference.ts +2 -100
  66. package/dist/builtin/workflows/src/sdk-surface.ts +6 -9
  67. package/dist/builtin/workflows/src/shared/authoring-contract-stage.d.ts +9 -3
  68. package/dist/builtin/workflows/src/shared/authoring-contract-stage.ts +17 -3
  69. package/dist/builtin/workflows/src/shared/authoring-contract-ui.d.ts +3 -33
  70. package/dist/builtin/workflows/src/shared/authoring-contract-ui.ts +9 -81
  71. package/dist/builtin/workflows/src/shared/types.ts +25 -8
  72. package/dist/builtin/workflows/src/shared/workflow-authoring-types.d.ts +49 -0
  73. package/dist/builtin/workflows/src/shared/workflow-authoring-types.ts +84 -0
  74. package/dist/builtin/workflows/src/workflows/registry.ts +7 -3
  75. package/dist/core/agent-session-auto-compaction.d.ts.map +1 -1
  76. package/dist/core/agent-session-auto-compaction.js +6 -1
  77. package/dist/core/agent-session-auto-compaction.js.map +1 -1
  78. package/dist/core/agent-session-bash.d.ts.map +1 -1
  79. package/dist/core/agent-session-bash.js +0 -5
  80. package/dist/core/agent-session-bash.js.map +1 -1
  81. package/dist/core/agent-session-methods.d.ts +0 -2
  82. package/dist/core/agent-session-methods.d.ts.map +1 -1
  83. package/dist/core/agent-session-methods.js.map +1 -1
  84. package/dist/core/agent-session-services.d.ts +0 -1
  85. package/dist/core/agent-session-services.d.ts.map +1 -1
  86. package/dist/core/agent-session-services.js +0 -1
  87. package/dist/core/agent-session-services.js.map +1 -1
  88. package/dist/core/agent-session-tool-registry.d.ts.map +1 -1
  89. package/dist/core/agent-session-tool-registry.js +0 -2
  90. package/dist/core/agent-session-tool-registry.js.map +1 -1
  91. package/dist/core/agent-session-types.d.ts +0 -2
  92. package/dist/core/agent-session-types.d.ts.map +1 -1
  93. package/dist/core/agent-session-types.js.map +1 -1
  94. package/dist/core/agent-session.d.ts +0 -2
  95. package/dist/core/agent-session.d.ts.map +1 -1
  96. package/dist/core/agent-session.js +0 -1
  97. package/dist/core/agent-session.js.map +1 -1
  98. package/dist/core/atomic-guide-command.d.ts.map +1 -1
  99. package/dist/core/atomic-guide-command.js +1 -1
  100. package/dist/core/atomic-guide-command.js.map +1 -1
  101. package/dist/core/extensions/loader-core.d.ts +1 -3
  102. package/dist/core/extensions/loader-core.d.ts.map +1 -1
  103. package/dist/core/extensions/loader-core.js +13 -6
  104. package/dist/core/extensions/loader-core.js.map +1 -1
  105. package/dist/core/extensions/loader-virtual-modules.d.ts +7 -1
  106. package/dist/core/extensions/loader-virtual-modules.d.ts.map +1 -1
  107. package/dist/core/extensions/loader-virtual-modules.js +34 -2
  108. package/dist/core/extensions/loader-virtual-modules.js.map +1 -1
  109. package/dist/core/extensions/loader.d.ts +2 -1
  110. package/dist/core/extensions/loader.d.ts.map +1 -1
  111. package/dist/core/extensions/loader.js +2 -1
  112. package/dist/core/extensions/loader.js.map +1 -1
  113. package/dist/core/index.d.ts +0 -1
  114. package/dist/core/index.d.ts.map +1 -1
  115. package/dist/core/index.js +0 -1
  116. package/dist/core/index.js.map +1 -1
  117. package/dist/core/model-registry-builtins.d.ts.map +1 -1
  118. package/dist/core/model-registry-builtins.js +6 -0
  119. package/dist/core/model-registry-builtins.js.map +1 -1
  120. package/dist/core/model-registry-schemas.d.ts +65 -13
  121. package/dist/core/model-registry-schemas.d.ts.map +1 -1
  122. package/dist/core/model-registry-schemas.js +10 -0
  123. package/dist/core/model-registry-schemas.js.map +1 -1
  124. package/dist/core/resource-loader-core.d.ts +1 -0
  125. package/dist/core/resource-loader-core.d.ts.map +1 -1
  126. package/dist/core/resource-loader-core.js +2 -0
  127. package/dist/core/resource-loader-core.js.map +1 -1
  128. package/dist/core/resource-loader-extensions.d.ts.map +1 -1
  129. package/dist/core/resource-loader-extensions.js +3 -3
  130. package/dist/core/resource-loader-extensions.js.map +1 -1
  131. package/dist/core/resource-loader-internals.d.ts +1 -0
  132. package/dist/core/resource-loader-internals.d.ts.map +1 -1
  133. package/dist/core/resource-loader-internals.js.map +1 -1
  134. package/dist/core/resource-loader-reload.d.ts.map +1 -1
  135. package/dist/core/resource-loader-reload.js +6 -2
  136. package/dist/core/resource-loader-reload.js.map +1 -1
  137. package/dist/core/sdk-exports.d.ts +1 -1
  138. package/dist/core/sdk-exports.d.ts.map +1 -1
  139. package/dist/core/sdk-exports.js.map +1 -1
  140. package/dist/core/sdk-types.d.ts +0 -3
  141. package/dist/core/sdk-types.d.ts.map +1 -1
  142. package/dist/core/sdk-types.js.map +1 -1
  143. package/dist/core/sdk.d.ts.map +1 -1
  144. package/dist/core/sdk.js +0 -1
  145. package/dist/core/sdk.js.map +1 -1
  146. package/dist/core/session-manager-history.d.ts.map +1 -1
  147. package/dist/core/session-manager-history.js +2 -1
  148. package/dist/core/session-manager-history.js.map +1 -1
  149. package/dist/core/system-prompt.d.ts.map +1 -1
  150. package/dist/core/system-prompt.js +0 -1
  151. package/dist/core/system-prompt.js.map +1 -1
  152. package/dist/core/tools/bash.d.ts +0 -5
  153. package/dist/core/tools/bash.d.ts.map +1 -1
  154. package/dist/core/tools/bash.js +10 -11
  155. package/dist/core/tools/bash.js.map +1 -1
  156. package/dist/core/tools/edit-diff-preserve.d.ts +18 -0
  157. package/dist/core/tools/edit-diff-preserve.d.ts.map +1 -0
  158. package/dist/core/tools/edit-diff-preserve.js +85 -0
  159. package/dist/core/tools/edit-diff-preserve.js.map +1 -0
  160. package/dist/core/tools/edit-diff.d.ts +3 -2
  161. package/dist/core/tools/edit-diff.d.ts.map +1 -1
  162. package/dist/core/tools/edit-diff.js +15 -18
  163. package/dist/core/tools/edit-diff.js.map +1 -1
  164. package/dist/core/tools/index.d.ts +0 -1
  165. package/dist/core/tools/index.d.ts.map +1 -1
  166. package/dist/core/tools/index.js +0 -1
  167. package/dist/core/tools/index.js.map +1 -1
  168. package/dist/index.d.ts +2 -2
  169. package/dist/index.d.ts.map +1 -1
  170. package/dist/index.js +1 -1
  171. package/dist/index.js.map +1 -1
  172. package/dist/modes/interactive/components/model-selector.d.ts.map +1 -1
  173. package/dist/modes/interactive/components/model-selector.js +2 -2
  174. package/dist/modes/interactive/components/model-selector.js.map +1 -1
  175. package/dist/modes/interactive/model-search.d.ts +5 -0
  176. package/dist/modes/interactive/model-search.d.ts.map +1 -1
  177. package/dist/modes/interactive/model-search.js +9 -0
  178. package/dist/modes/interactive/model-search.js.map +1 -1
  179. package/dist/utils/shell.d.ts +1 -0
  180. package/dist/utils/shell.d.ts.map +1 -1
  181. package/dist/utils/shell.js +12 -5
  182. package/dist/utils/shell.js.map +1 -1
  183. package/docs/custom-provider.md +4 -3
  184. package/docs/models.md +3 -2
  185. package/docs/packages.md +2 -2
  186. package/docs/quickstart.md +1 -1
  187. package/docs/sdk.md +2 -40
  188. package/docs/security.md +1 -1
  189. package/docs/workflows.md +991 -176
  190. package/package.json +5 -5
  191. package/dist/builtin/workflows/src/workflows/define-workflow.ts +0 -277
  192. package/dist/core/tools/bash-policy-compile.d.ts +0 -5
  193. package/dist/core/tools/bash-policy-compile.d.ts.map +0 -1
  194. package/dist/core/tools/bash-policy-compile.js +0 -241
  195. package/dist/core/tools/bash-policy-compile.js.map +0 -1
  196. package/dist/core/tools/bash-policy-evaluate.d.ts +0 -3
  197. package/dist/core/tools/bash-policy-evaluate.d.ts.map +0 -1
  198. package/dist/core/tools/bash-policy-evaluate.js +0 -92
  199. package/dist/core/tools/bash-policy-evaluate.js.map +0 -1
  200. package/dist/core/tools/bash-policy-format.d.ts +0 -5
  201. package/dist/core/tools/bash-policy-format.d.ts.map +0 -1
  202. package/dist/core/tools/bash-policy-format.js +0 -49
  203. package/dist/core/tools/bash-policy-format.js.map +0 -1
  204. package/dist/core/tools/bash-policy-parser.d.ts +0 -4
  205. package/dist/core/tools/bash-policy-parser.d.ts.map +0 -1
  206. package/dist/core/tools/bash-policy-parser.js +0 -155
  207. package/dist/core/tools/bash-policy-parser.js.map +0 -1
  208. package/dist/core/tools/bash-policy-segment.d.ts +0 -3
  209. package/dist/core/tools/bash-policy-segment.d.ts.map +0 -1
  210. package/dist/core/tools/bash-policy-segment.js +0 -275
  211. package/dist/core/tools/bash-policy-segment.js.map +0 -1
  212. package/dist/core/tools/bash-policy-shell.d.ts +0 -11
  213. package/dist/core/tools/bash-policy-shell.d.ts.map +0 -1
  214. package/dist/core/tools/bash-policy-shell.js +0 -267
  215. package/dist/core/tools/bash-policy-shell.js.map +0 -1
  216. package/dist/core/tools/bash-policy-types.d.ts +0 -146
  217. package/dist/core/tools/bash-policy-types.d.ts.map +0 -1
  218. package/dist/core/tools/bash-policy-types.js +0 -2
  219. package/dist/core/tools/bash-policy-types.js.map +0 -1
  220. package/dist/core/tools/bash-policy.d.ts +0 -6
  221. package/dist/core/tools/bash-policy.d.ts.map +0 -1
  222. package/dist/core/tools/bash-policy.js +0 -5
  223. package/dist/core/tools/bash-policy.js.map +0 -1
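--- a/package/docs/sdk.md
+++ b/package/docs/sdk.md
@@ -539,45 +539,9 @@ const { session } = await createAgentSession({
 });
 ```
 
-#### Bash command policy
+#### Bash tool behavior
 
-`bashPolicy` narrows what the built-in `bash` tool may execute after `tools`/`excludedTools` have already decided that `bash` is exposed. It does not grant shell access by itself.
-
-```typescript
-import { createAgentSession, type BashCommandPolicy } from "@bastani/atomic";
-
-const playwrightCliOnly: BashCommandPolicy = {
-default: "deny",
-allow: [
-"which playwright-cli",
-{ prefix: "playwright-cli " },
-{ prefix: "grep " },
-{ glob: "bun test test/unit/*.test.ts" },
-{ regex: "^rg\\b" },
-],
-deny: [{ regex: "\\brm\\b" }], // deny rules win over allow rules
-// match defaults to "segments"
-};
-
-const { session } = await createAgentSession({
-tools: ["read", "bash"],
-bashPolicy: playwrightCliOnly,
-});
-```
-
-Rules match exact command strings, prefixes, command-string globs, or JavaScript regular expressions. `default` defaults to `"allow"` for backward compatibility; set `default: "deny"` for an allowlist-only shell. Omitting `bashPolicy`, passing `{}`, or passing a default-allow policy with no `allow`/`deny` rules is a compatibility no-op and does not parse the command. Empty `allow`/`deny` arrays and match-only default-allow policies are treated the same; malformed policy objects still fail closed.
-
-Glob rules match command target strings, not filesystem path segments. `*` and `?` can match `/`, so `{ glob: "playwright-cli *" }` matches `playwright-cli http://localhost:3000`, `playwright-cli docs/index.html`, and `playwright-cli ./preview/output.html`, while still matching the whole target so `echo playwright-cli docs/index.html` does not match unless the pattern includes leading wildcards. Backslash escapes the next glob character when you need a literal `*`, `?`, or bracket; inside bracket classes, escaped metacharacters such as `\-`, `\^`, `\]`, `\[`, and `\\` stay literal instead of becoming regex ranges, negation markers, class delimiters, or backslash escapes. Malformed glob bracket classes or ranges, such as `{ glob: "echo [z-a]" }`, fail closed as `invalid-policy` rather than surfacing raw regular-expression errors.
-
-Runtime policy validation is part of enforcement for JavaScript/JSON callers: a provided policy must be a non-null object with only the top-level keys `default`, `allow`, `deny`, and `match`; typoed or extra keys such as `denny` or `extra` are rejected as `invalid-policy` even when the policy otherwise looks like default-allow. `allow`/`deny` must be arrays when present, rules must be non-empty strings or one-variant objects with string values, regex flags must be strings, and invalid regexes, invalid globs, or stateful `g`/`y` flags are rejected as `invalid-policy` before shell execution.
-
-By default, `match: "segments"` parses shell separators and substitutions and requires every executable segment to pass. Separators include pipes, `&&`, `||`, `;`, background `&`, and unquoted line terminators: LF, CRLF, and bare CR are command separators rather than ordinary whitespace. Bash noclobber redirection `>|` is treated as redirection syntax rather than a pipeline separator after a command head, so `echo ok >|/tmp/out` remains one `echo` segment. For example, `playwright-cli snapshot | grep title` must satisfy both the `playwright-cli` rule and the `grep` rule, and `playwright-cli snapshot; rm -rf /` or `playwright-cli snapshot\nrm -rf /` is blocked when `rm` is denied or when `default: "deny"` has no matching allow rule. Segment mode also checks command substitutions (`$(...)`, backticks) and process substitutions (`<(...)`, `>(...)`). Syntax Atomic cannot safely segment is rejected before a shell process starts.
-
-Segment mode requires each command head to be a statically identifiable literal word. Literal names such as `grep`, `./script`, `/usr/bin/env`, `bun`, `playwright-cli`, and names containing hyphens, underscores, dots, or slashes are accepted when they contain no shell expansion syntax. Atomic conservatively rejects Bash reserved words and compound introducers (`coproc`, `if`, `for`, `while`, `case`, `{`, `}`, `!`), leading redirection syntax (`>file cmd`, `2>file cmd`, `<file cmd`, `&>file cmd`, `>|file cmd`, `<&0 cmd`, `>&2 cmd`), redirection operators attached to the command-head word (`cmd>file`, `cmd>>file`, `cmd>|file`, `cmd2>file`, `cmd>&2`, `cmd</tmp/in`), leading environment assignment words (`PATH=/tmp:$PATH playwright-cli snapshot`, `LD_PRELOAD=/tmp/x playwright-cli snapshot`, `FOO=bar`), variable or parameter-expanded heads (`$cmd`, `${cmd}`), quote- or escape-constructed heads (`r''m`, `"rm"`, `r\m`), tilde/glob/brace-expanded heads (`~/bin/rm`, `r*m`, `{rm,echo}`), and command/process substitutions or backticks embedded in the head. Substitutions in argument positions are still parsed so nested commands must also pass the policy.
-
-Use `match: "whole"` only when you intentionally want rules to match the raw command string as-is. Whole-command prefix rules can allow shell operators inside the same raw string.
-
-`AgentSession.executeBash()` applies the same session `bashPolicy` before adding any configured command prefix or invoking the execution backend.
+Atomic's built-in `bash` tool matches upstream pi: when `bash` is enabled, commands execute through the configured shell with the Atomic process permissions. Use `tools`, `excludedTools`, or `noTools` to decide whether a session exposes the `bash` tool at all. Atomic no longer provides a command-level allow/deny option for `bash`; use an operating-system/container sandbox or a custom tool/extension when you need command allowlisting or stronger isolation.
 
 #### Tools with Custom cwd
 
@@ -1284,8 +1248,6 @@ createGrepTool, createFindTool, createLsTool
 // Types
 type CreateAgentSessionOptions
 type CreateAgentSessionResult
-type BashCommandPolicy
-type BashCommandRule
 type StructuredOutputCapture
 type StructuredOutputToolOptions
 type ExtensionFactory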
package/docs/security.md CHANGED
@@ -33,7 +33,7 @@ This is intentional. Atomic is designed to operate on local source trees, invoke
33
33
 
34
34
  Project trust is only an input-loading guard. It prevents a repository from silently changing Atomic's settings or extensions before you approve it. It does not make untrusted code, untrusted prompts, or untrusted model output safe. Prompt injection from repository files, comments, documentation, context files, or build output is expected local-agent risk and cannot be reliably prevented by Atomic.
35
35
 
36
- `bashPolicy` is a command-scoping guardrail for the built-in `bash` tool, not a sandbox. It can block model-supplied commands before shell execution, including disallowed segments in pipelines, command substitutions, process substitutions, and unquoted newline-separated commands (LF, CRLF, or bare CR). In segment mode, Atomic also rejects reserved or compound shell heads such as `coproc`, `if`, `for`, `while`, `case`, `{`, `}`, and `!`; leading redirection syntax such as `>file command`, `2>file command`, `<file command`, `&>file command`, `>|file command`, `<&0 command`, or `>&2 command`; redirection operators attached to the command head such as `cmd>file`, `cmd>>file`, `cmd>|file`, `cmd2>file`, `cmd>&2`, or `cmd</tmp/in`; leading environment assignments (`PATH=... command`, `LD_PRELOAD=... command`, assignment-only segments); and non-literal command heads such as variable-expanded, quote/escape-constructed, glob/brace/tilde-expanded, or substitution-built executable names instead of trying to normalize shell syntax. Non-leading Bash noclobber redirection `>|` after a literal command head is treated as redirection syntax rather than a pipeline separator, so it stays within the current command segment. Runtime-malformed policy objects, including typoed or extra top-level keys outside `default`, `allow`, `deny`, and `match`, fail closed rather than being partially interpreted, malformed glob bracket ranges become `invalid-policy` denials instead of raw JavaScript errors, and escaped glob bracket-class metacharacters such as `\-`, `\^`, `\]`, `\[`, and `\\` stay literal. Glob rules are command-string patterns where `*` and `?` may match `/`; they scope command text, not filesystem access. Default-allow policies with no allow/deny rules intentionally preserve legacy behavior and do not parse commands unless the policy object itself is invalid. 
`bashPolicy` cannot restrict what an allowed program does after it starts, and it does not isolate files, network access, credentials, shell startup behavior, aliases/functions, or child processes. Be especially careful when allowing interpreters, shells, package managers, `curl`, `git`, `sudo`, `env`, `xargs`, or other programs that can delegate arbitrary work.
36
+ The built-in `bash` tool follows upstream pi behavior: if the tool is enabled, model-supplied commands run through the configured shell with the same permissions as the Atomic process. Atomic does not provide command-level allow/deny policy for `bash`. Use `tools`, `excludedTools`, or `noTools` to decide whether a session exposes shell access at all, and use a container, VM, remote sandbox, restricted OS account, or custom extension/tool when you need command allowlisting or stronger isolation. Be especially careful with interpreters, shells, package managers, `curl`, `git`, `sudo`, `env`, `xargs`, or other programs that can delegate arbitrary work.
37
37
 
38
38
  ## Running Untrusted or Unmonitored Work
39
39