@doingdev/opencode-claude-manager-plugin 0.1.51 → 0.1.53

package/README.md

@@ -81,7 +81,7 @@ If you are testing locally, point OpenCode at the local package or plugin file u
 
 - `approval_policy` — view the current tool approval policy.
 - `approval_decisions` — view recent tool approval decisions.
-- `approval_update` — add/remove rules, change default action, or enable/disable approval.
+- `approval_update` — add/remove rules, enable/disable approval, or clear decision history. Policy uses a **deny-list**: tools not matching any rule are **allowed**; use explicit **deny** rules to block. `defaultAction` is always `allow` (cannot be set to deny).
 
 ## Agent hierarchy
 

package/dist/claude/tool-approval-manager.js

@@ -3,6 +3,13 @@ import path from 'node:path';
 import { isFileNotFoundError, writeJsonAtomically } from '../util/fs-helpers.js';
 const DEFAULT_MAX_DECISIONS = 500;
 const INPUT_PREVIEW_MAX = 300;
+function normalizePolicy(policy) {
+    return {
+        ...policy,
+        rules: [...policy.rules],
+        defaultAction: 'allow',
+    };
+}
 function getDefaultRules() {
     return [
         // Safe read-only tools
@@ -125,12 +132,12 @@ export class ToolApprovalManager {
     maxDecisions;
     persistPath;
     constructor(policy, maxDecisions, persistPath) {
-        this.policy = {
+        this.policy = normalizePolicy({
             rules: policy?.rules ?? getDefaultRules(),
-            defaultAction: policy?.defaultAction ?? 'allow',
+            defaultAction: 'allow',
             defaultDenyMessage: policy?.defaultDenyMessage ?? 'Tool call denied by approval policy.',
             enabled: policy?.enabled ?? true,
-        };
+        });
         this.maxDecisions = maxDecisions ?? DEFAULT_MAX_DECISIONS;
         this.persistPath = persistPath ?? null;
     }
@@ -141,12 +148,12 @@ export class ToolApprovalManager {
         try {
             const content = await fs.readFile(this.persistPath, 'utf8');
             const loaded = JSON.parse(content);
-            this.policy = {
+            this.policy = normalizePolicy({
                 rules: loaded.rules ?? getDefaultRules(),
-                defaultAction: loaded.defaultAction ?? 'allow',
+                defaultAction: 'allow',
                 defaultDenyMessage: loaded.defaultDenyMessage ?? 'Tool call denied by approval policy.',
                 enabled: loaded.enabled ?? true,
-            };
+            });
         }
         catch (error) {
             if (!isFileNotFoundError(error)) {
@@ -167,7 +174,7 @@ export class ToolApprovalManager {
         }
         const inputJson = safeJsonStringify(input);
         const matchedRule = this.findMatchingRule(toolName, inputJson);
-        const action = matchedRule?.action ?? this.policy.defaultAction;
+        const action = matchedRule?.action ?? 'allow';
         const denyMessage = action === 'deny'
             ? (matchedRule?.denyMessage ?? this.policy.defaultDenyMessage ?? 'Denied by policy.')
             : undefined;
@@ -201,7 +208,7 @@ export class ToolApprovalManager {
         return { ...this.policy, rules: [...this.policy.rules] };
     }
     async setPolicy(policy) {
-        this.policy = { ...policy, rules: [...policy.rules] };
+        this.policy = normalizePolicy(policy);
         await this.persistPolicy();
     }
     async addRule(rule, position) {
@@ -223,7 +230,10 @@ export class ToolApprovalManager {
         return true;
     }
     async setDefaultAction(action) {
-        this.policy.defaultAction = action;
+        if (action === 'deny') {
+            throw new Error('defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.');
+        }
+        this.policy = normalizePolicy(this.policy);
         await this.persistPolicy();
     }
     async setEnabled(enabled) {

package/dist/plugin/claude-manager.plugin.js

@@ -289,7 +289,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                 },
             }),
             approval_update: tool({
-                description: 'Update the tool approval policy. Add or remove rules, change the default action, enable or disable approvals, or clear decision history.',
+                description: 'Update the tool approval policy. Add or remove rules, enable or disable approvals, or clear decision history. Unmatched tools are always allowed; block only with explicit deny rules (defaultAction cannot be set to deny).',
                 args: {
                     action: tool.schema.enum([
                         'addRule',
@@ -336,6 +336,11 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         if (!args.defaultAction) {
                             return JSON.stringify({ error: 'setDefault requires defaultAction' });
                         }
+                        if (args.defaultAction === 'deny') {
+                            return JSON.stringify({
+                                error: 'defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.',
+                            });
+                        }
                         await services.approvalManager.setDefaultAction(args.defaultAction);
                     }
                     else if (args.action === 'setEnabled') {

package/dist/prompts/registry.js

@@ -5,13 +5,22 @@ export const managerPromptRegistry = {
         'Every prompt you send to an engineer costs time and tokens. Make each one count.',
         '',
         'Understand first:',
-        '- Ask questions. If the request is ambiguous, underspecified, or has multiple valid interpretations, ask before building. Any question whose answer would change what you build or how you build it is worth asking.',
-        '- Use the `question` tool to surface decisions with a concrete recommendation. Prefer one precise question over many vague ones.',
+        '- Before asking the user anything, extract what you can from the user message, codebase (read/grep/glob/codesearch), prior engineer results, and `websearch`/`webfetch` when relevant.',
+        '- Ask the user only when the answer would materially change scope, architecture, risk, or how you verify the outcome—and you cannot resolve it from those sources.',
+        '- Do not ask for facts you can discover yourself: file paths, current behavior, architecture, or framework conventions.',
+        '- Before using `question`, silently check: is it in the user message? answerable from code or transcripts? from web? If still blocked, is this a real decision or only uncertainty tolerance?',
         '- Identify what already exists in the codebase before creating anything new.',
         '- Think about what could go wrong and address it upfront.',
         '- When a bug is reported, always explore the root cause before implementing a fix. No fix without investigation. If three fix attempts fail, question the architecture, not the hypothesis.',
         '',
+        'Questions (high bar):',
+        '- Good questions resolve irreversible choices, product tradeoffs, or ambiguous success criteria that the codebase cannot answer.',
+        '- Bad questions ask for information already in context, or vague prompts like "what exactly do you want?" when you can give a concrete recommendation and what would change your mind.',
+        '- Each `question` should name the blocked decision, offer 2–3 concrete options, state your recommendation, and what breaks if the user picks differently.',
+        '- Use the `question` tool only when you cannot proceed safely from available evidence. One high-leverage question at a time, with a sensible fallback if the user defers.',
+        '',
         'Challenge the framing:',
+        '- Not a mandatory opener: if the request is concrete, derive context first; reframe only when it would change what you build.',
         '- Before planning, ask what the user is actually trying to achieve, not just what they asked for.',
         '- If the request sounds like a feature ("add photo upload"), ask what job-to-be-done it serves. The real feature might be larger or different.',
         '- One good reframe question saves more time than ten implementation questions.',
@@ -44,6 +53,7 @@ export const managerPromptRegistry = {
         '- Do not edit files or run bash directly. Engineers do the hands-on work.',
         '- Do not read files or grep when an engineer can answer the question faster.',
         '- Communicate proactively. If the plan changes or you discover something unexpected, tell the user.',
+        '- Ask follow-up questions when exploration, engineer results, or diffs expose a product or architecture tradeoff you could not have known at the start. Prefer that timing over opening with speculative clarifiers.',
     ].join('\n'),
     engineerAgentPrompt: [
         "You are a named engineer on the CTO's team.",

package/dist/src/claude/tool-approval-manager.js

@@ -3,6 +3,13 @@ import path from 'node:path';
 import { isFileNotFoundError, writeJsonAtomically } from '../util/fs-helpers.js';
 const DEFAULT_MAX_DECISIONS = 500;
 const INPUT_PREVIEW_MAX = 300;
+function normalizePolicy(policy) {
+    return {
+        ...policy,
+        rules: [...policy.rules],
+        defaultAction: 'allow',
+    };
+}
 function getDefaultRules() {
     return [
         // Safe read-only tools
@@ -125,12 +132,12 @@ export class ToolApprovalManager {
     maxDecisions;
     persistPath;
     constructor(policy, maxDecisions, persistPath) {
-        this.policy = {
+        this.policy = normalizePolicy({
             rules: policy?.rules ?? getDefaultRules(),
-            defaultAction: policy?.defaultAction ?? 'allow',
+            defaultAction: 'allow',
             defaultDenyMessage: policy?.defaultDenyMessage ?? 'Tool call denied by approval policy.',
             enabled: policy?.enabled ?? true,
-        };
+        });
         this.maxDecisions = maxDecisions ?? DEFAULT_MAX_DECISIONS;
         this.persistPath = persistPath ?? null;
     }
@@ -141,12 +148,12 @@ export class ToolApprovalManager {
         try {
             const content = await fs.readFile(this.persistPath, 'utf8');
             const loaded = JSON.parse(content);
-            this.policy = {
+            this.policy = normalizePolicy({
                 rules: loaded.rules ?? getDefaultRules(),
-                defaultAction: loaded.defaultAction ?? 'allow',
+                defaultAction: 'allow',
                 defaultDenyMessage: loaded.defaultDenyMessage ?? 'Tool call denied by approval policy.',
                 enabled: loaded.enabled ?? true,
-            };
+            });
         }
         catch (error) {
             if (!isFileNotFoundError(error)) {
@@ -167,7 +174,7 @@ export class ToolApprovalManager {
         }
         const inputJson = safeJsonStringify(input);
         const matchedRule = this.findMatchingRule(toolName, inputJson);
-        const action = matchedRule?.action ?? this.policy.defaultAction;
+        const action = matchedRule?.action ?? 'allow';
         const denyMessage = action === 'deny'
             ? (matchedRule?.denyMessage ?? this.policy.defaultDenyMessage ?? 'Denied by policy.')
             : undefined;
@@ -201,7 +208,7 @@ export class ToolApprovalManager {
         return { ...this.policy, rules: [...this.policy.rules] };
     }
     async setPolicy(policy) {
-        this.policy = { ...policy, rules: [...policy.rules] };
+        this.policy = normalizePolicy(policy);
         await this.persistPolicy();
     }
     async addRule(rule, position) {
@@ -223,7 +230,10 @@ export class ToolApprovalManager {
         return true;
     }
     async setDefaultAction(action) {
-        this.policy.defaultAction = action;
+        if (action === 'deny') {
+            throw new Error('defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.');
+        }
+        this.policy = normalizePolicy(this.policy);
         await this.persistPolicy();
     }
     async setEnabled(enabled) {

package/dist/src/plugin/claude-manager.plugin.js

@@ -289,7 +289,7 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                 },
             }),
             approval_update: tool({
-                description: 'Update the tool approval policy. Add or remove rules, change the default action, enable or disable approvals, or clear decision history.',
+                description: 'Update the tool approval policy. Add or remove rules, enable or disable approvals, or clear decision history. Unmatched tools are always allowed; block only with explicit deny rules (defaultAction cannot be set to deny).',
                 args: {
                     action: tool.schema.enum([
                         'addRule',
@@ -336,6 +336,11 @@ export const ClaudeManagerPlugin = async ({ worktree }) => {
                         if (!args.defaultAction) {
                             return JSON.stringify({ error: 'setDefault requires defaultAction' });
                         }
+                        if (args.defaultAction === 'deny') {
+                            return JSON.stringify({
+                                error: 'defaultAction cannot be deny; unmatched tools are always allowed. Add explicit deny rules instead.',
+                            });
+                        }
                         await services.approvalManager.setDefaultAction(args.defaultAction);
                     }
                     else if (args.action === 'setEnabled') {

package/dist/src/prompts/registry.js

@@ -5,13 +5,22 @@ export const managerPromptRegistry = {
         'Every prompt you send to an engineer costs time and tokens. Make each one count.',
         '',
         'Understand first:',
-        '- Ask questions. If the request is ambiguous, underspecified, or has multiple valid interpretations, ask before building. Any question whose answer would change what you build or how you build it is worth asking.',
-        '- Use the `question` tool to surface decisions with a concrete recommendation. Prefer one precise question over many vague ones.',
+        '- Before asking the user anything, extract what you can from the user message, codebase (read/grep/glob/codesearch), prior engineer results, and `websearch`/`webfetch` when relevant.',
+        '- Ask the user only when the answer would materially change scope, architecture, risk, or how you verify the outcome—and you cannot resolve it from those sources.',
+        '- Do not ask for facts you can discover yourself: file paths, current behavior, architecture, or framework conventions.',
+        '- Before using `question`, silently check: is it in the user message? answerable from code or transcripts? from web? If still blocked, is this a real decision or only uncertainty tolerance?',
         '- Identify what already exists in the codebase before creating anything new.',
         '- Think about what could go wrong and address it upfront.',
         '- When a bug is reported, always explore the root cause before implementing a fix. No fix without investigation. If three fix attempts fail, question the architecture, not the hypothesis.',
         '',
+        'Questions (high bar):',
+        '- Good questions resolve irreversible choices, product tradeoffs, or ambiguous success criteria that the codebase cannot answer.',
+        '- Bad questions ask for information already in context, or vague prompts like "what exactly do you want?" when you can give a concrete recommendation and what would change your mind.',
+        '- Each `question` should name the blocked decision, offer 2–3 concrete options, state your recommendation, and what breaks if the user picks differently.',
+        '- Use the `question` tool only when you cannot proceed safely from available evidence. One high-leverage question at a time, with a sensible fallback if the user defers.',
+        '',
         'Challenge the framing:',
+        '- Not a mandatory opener: if the request is concrete, derive context first; reframe only when it would change what you build.',
         '- Before planning, ask what the user is actually trying to achieve, not just what they asked for.',
         '- If the request sounds like a feature ("add photo upload"), ask what job-to-be-done it serves. The real feature might be larger or different.',
         '- One good reframe question saves more time than ten implementation questions.',
@@ -44,6 +53,7 @@ export const managerPromptRegistry = {
         '- Do not edit files or run bash directly. Engineers do the hands-on work.',
         '- Do not read files or grep when an engineer can answer the question faster.',
         '- Communicate proactively. If the plan changes or you discover something unexpected, tell the user.',
+        '- Ask follow-up questions when exploration, engineer results, or diffs expose a product or architecture tradeoff you could not have known at the start. Prefer that timing over opening with speculative clarifiers.',
     ].join('\n'),
     engineerAgentPrompt: [
         "You are a named engineer on the CTO's team.",

package/dist/src/types/contracts.d.ts

@@ -186,7 +186,11 @@ export interface ToolApprovalRule {
 }
 export interface ToolApprovalPolicy {
     rules: ToolApprovalRule[];
-    defaultAction: 'allow' | 'deny';
+    /**
+     * Always `allow`: tools that do not match any rule are allowed.
+     * Blocking is done only with explicit `deny` rules (deny-list contract).
+     */
+    defaultAction: 'allow';
     defaultDenyMessage?: string;
     enabled: boolean;
 }

package/dist/test/tool-approval-manager.test.js

@@ -73,13 +73,12 @@ describe('ToolApprovalManager', () => {
             const result = manager.evaluate('Bash', { command: 'rm -rf /' });
             expect(result).toEqual({ behavior: 'allow' });
         });
-        it('uses default action when no rule matches', () => {
+        it('allows tools when no rule matches (deny-list contract)', () => {
             const manager = new ToolApprovalManager({
                 rules: [],
-                defaultAction: 'deny',
             });
             const result = manager.evaluate('SomeUnknownTool', {});
-            expect(result.behavior).toBe('deny');
+            expect(result.behavior).toBe('allow');
         });
         it('first matching rule wins', () => {
             const manager = new ToolApprovalManager({
@@ -175,24 +174,22 @@ describe('ToolApprovalManager', () => {
             const manager = new ToolApprovalManager();
             expect(await manager.removeRule('nonexistent')).toBe(false);
         });
-        it('setPolicy replaces entire policy', async () => {
+        it('setPolicy replaces entire policy and normalizes defaultAction to allow', async () => {
             const manager = new ToolApprovalManager();
             await manager.setPolicy({
                 rules: [{ id: 'only', toolPattern: '*', action: 'deny' }],
-                defaultAction: 'deny',
+                defaultAction: 'allow',
                 enabled: true,
             });
             expect(manager.getPolicy().rules).toHaveLength(1);
-            expect(manager.getPolicy().defaultAction).toBe('deny');
+            expect(manager.getPolicy().defaultAction).toBe('allow');
         });
-        it('setDefaultAction changes the fallback', async () => {
+        it('setDefaultAction rejects deny', async () => {
             const manager = new ToolApprovalManager({
                 rules: [],
                 enabled: true,
-                defaultAction: 'allow',
             });
-            await manager.setDefaultAction('deny');
-            expect(manager.evaluate('Unknown', {}).behavior).toBe('deny');
+            await expect(manager.setDefaultAction('deny')).rejects.toThrow(/defaultAction cannot be deny/);
         });
         it('setEnabled toggles the manager', async () => {
             const manager = new ToolApprovalManager({
@@ -205,7 +202,6 @@ describe('ToolApprovalManager', () => {
                     },
                 ],
                 enabled: true,
-                defaultAction: 'deny',
             });
             expect(manager.evaluate('Read', {}).behavior).toBe('deny');
             await manager.setEnabled(false);

package/dist/types/contracts.d.ts

@@ -186,7 +186,11 @@ export interface ToolApprovalRule {
 }
 export interface ToolApprovalPolicy {
     rules: ToolApprovalRule[];
-    defaultAction: 'allow' | 'deny';
+    /**
+     * Always `allow`: tools that do not match any rule are allowed.
+     * Blocking is done only with explicit `deny` rules (deny-list contract).
+     */
+    defaultAction: 'allow';
     defaultDenyMessage?: string;
     enabled: boolean;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doingdev/opencode-claude-manager-plugin",
-  "version": "0.1.51",
+  "version": "0.1.53",
   "description": "OpenCode plugin that orchestrates Claude Code sessions.",
   "keywords": [
     "opencode",