@iinm/plain-agent 1.10.3 → 1.10.5

package/README.md

@@ -395,6 +395,8 @@ Files are loaded in the following order. Settings in later files override earlie
 ```js
 {
   "autoApproval": {
+    // Absolute paths outside the working directory to allow access to. Relative paths are ignored.
+    "allowedPaths": ["/tmp"],
     "defaultAction": "ask",
     // The maximum number of automatic approvals.
     "maxApprovals": 50,

package/config/config.predefined.json

@@ -125,6 +125,23 @@
           ]
         },
         "action": "allow"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api", "--method"]
+        },
+        "action": "ask"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api"]
+        },
+        "action": "deny",
+        "reason": "--method must be specified"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iinm/plain-agent",
-  "version": "1.10.3",
+  "version": "1.10.5",
   "description": "A lightweight CLI-based coding agent",
   "license": "MIT",
   "type": "module",
@@ -19,6 +19,7 @@
     "config",
     "src/**/*.mjs",
     "src/**/*.d.ts",
+    "src/**/*.json",
     "!src/**/*.test.mjs",
     "!src/**/*.test.*.mjs",
     "!src/**/*.playground.mjs",

package/src/cli/eastAsianWideRanges.json

@@ -0,0 +1,124 @@
+[
+  [4352, 4447],
+  [8986, 8987],
+  [9001, 9002],
+  [9193, 9196],
+  [9200, 9200],
+  [9203, 9203],
+  [9725, 9726],
+  [9748, 9749],
+  [9776, 9783],
+  [9800, 9811],
+  [9855, 9855],
+  [9866, 9871],
+  [9875, 9875],
+  [9889, 9889],
+  [9898, 9899],
+  [9917, 9918],
+  [9924, 9925],
+  [9934, 9934],
+  [9940, 9940],
+  [9962, 9962],
+  [9970, 9971],
+  [9973, 9973],
+  [9978, 9978],
+  [9981, 9981],
+  [9989, 9989],
+  [9994, 9995],
+  [10024, 10024],
+  [10060, 10060],
+  [10062, 10062],
+  [10067, 10069],
+  [10071, 10071],
+  [10133, 10135],
+  [10160, 10160],
+  [10175, 10175],
+  [11035, 11036],
+  [11088, 11088],
+  [11093, 11093],
+  [11904, 11929],
+  [11931, 12019],
+  [12032, 12245],
+  [12272, 12350],
+  [12353, 12438],
+  [12441, 12543],
+  [12549, 12591],
+  [12593, 12686],
+  [12688, 12773],
+  [12783, 12830],
+  [12832, 12871],
+  [12880, 42124],
+  [42128, 42182],
+  [43360, 43388],
+  [44032, 55203],
+  [63744, 64255],
+  [65040, 65049],
+  [65072, 65106],
+  [65108, 65126],
+  [65128, 65131],
+  [65281, 65376],
+  [65504, 65510],
+  [94176, 94180],
+  [94192, 94193],
+  [94208, 100343],
+  [100352, 101589],
+  [101631, 101640],
+  [110576, 110579],
+  [110581, 110587],
+  [110589, 110590],
+  [110592, 110882],
+  [110898, 110898],
+  [110928, 110930],
+  [110933, 110933],
+  [110948, 110951],
+  [110960, 111355],
+  [119552, 119638],
+  [119648, 119670],
+  [126980, 126980],
+  [127183, 127183],
+  [127374, 127374],
+  [127377, 127386],
+  [127488, 127490],
+  [127504, 127547],
+  [127552, 127560],
+  [127568, 127569],
+  [127584, 127589],
+  [127744, 127776],
+  [127789, 127797],
+  [127799, 127868],
+  [127870, 127891],
+  [127904, 127946],
+  [127951, 127955],
+  [127968, 127984],
+  [127988, 127988],
+  [127992, 128062],
+  [128064, 128064],
+  [128066, 128252],
+  [128255, 128317],
+  [128331, 128334],
+  [128336, 128359],
+  [128378, 128378],
+  [128405, 128406],
+  [128420, 128420],
+  [128507, 128591],
+  [128640, 128709],
+  [128716, 128716],
+  [128720, 128722],
+  [128725, 128727],
+  [128732, 128735],
+  [128747, 128748],
+  [128756, 128764],
+  [128992, 129003],
+  [129008, 129008],
+  [129292, 129338],
+  [129340, 129349],
+  [129351, 129535],
+  [129648, 129660],
+  [129664, 129673],
+  [129679, 129734],
+  [129742, 129756],
+  [129759, 129769],
+  [129776, 129784],
+  [131072, 196605],
+  [196608, 262141]
+]

package/src/cli/formatter.mjs

@@ -640,110 +640,32 @@ function wrapCell(text, width) {
   return lines;
 }
 
+/**
+ * Sorted, merged [start, end] ranges of Unicode code points with
+ * East_Asian_Width property "W" (Wide) or "F" (Fullwidth).
+ *
+ * Generated by: node scripts/fetchEastAsianWideRanges.mjs
+ * Source: https://www.unicode.org/Public/16.0.0/ucd/EastAsianWidth.txt
+ */
+import WIDE_RANGES from "./eastAsianWideRanges.json" with { type: "json" };
+
 /**
  * Check if a Unicode code point is a wide (double-width) character.
- * Extracted from charDisplayWidth for reuse in wrapCell.
+ * Uses binary search over the sorted WIDE_RANGES for efficiency.
  * @param {number} code
  * @returns {boolean}
  */
 function isWideChar(code) {
-  return (
-    (code >= 0x1100 && code <= 0x115f) ||
-    (code >= 0x2e80 && code <= 0xa4cf) ||
-    (code >= 0xac00 && code <= 0xd7a3) ||
-    (code >= 0xf900 && code <= 0xfaff) ||
-    (code >= 0xfe10 && code <= 0xfe19) ||
-    (code >= 0xfe30 && code <= 0xfe6f) ||
-    (code >= 0xff00 && code <= 0xff60) ||
-    (code >= 0xffe0 && code <= 0xffe6) ||
-    (code >= 0x2614 && code <= 0x2615) ||
-    (code >= 0x2630 && code <= 0x2637) ||
-    (code >= 0x2648 && code <= 0x2653) ||
-    code === 0x267f ||
-    (code >= 0x268a && code <= 0x268f) ||
-    code === 0x2693 ||
-    code === 0x26a1 ||
-    (code >= 0x26aa && code <= 0x26ab) ||
-    (code >= 0x26bd && code <= 0x26be) ||
-    (code >= 0x26c4 && code <= 0x26c5) ||
-    code === 0x26ce ||
-    code === 0x26d4 ||
-    code === 0x26ea ||
-    (code >= 0x26f2 && code <= 0x26f3) ||
-    code === 0x26f5 ||
-    code === 0x26fa ||
-    code === 0x26fd ||
-    code === 0x2705 ||
-    (code >= 0x270a && code <= 0x270b) ||
-    code === 0x2728 ||
-    code === 0x274c ||
-    code === 0x274e ||
-    (code >= 0x2753 && code <= 0x2755) ||
-    code === 0x2757 ||
-    (code >= 0x2795 && code <= 0x2797) ||
-    code === 0x27b0 ||
-    code === 0x27bf ||
-    (code >= 0x2b1b && code <= 0x2b1c) ||
-    code === 0x2b50 ||
-    code === 0x2b55 ||
-    (code >= 0x231a && code <= 0x231b) ||
-    code === 0x2329 ||
-    code === 0x232a ||
-    (code >= 0x23e9 && code <= 0x23ec) ||
-    code === 0x23f0 ||
-    code === 0x23f3 ||
-    code === 0x1f004 ||
-    code === 0x1f0cf ||
-    code === 0x1f18e ||
-    (code >= 0x1f191 && code <= 0x1f19a) ||
-    (code >= 0x1f200 && code <= 0x1f202) ||
-    (code >= 0x1f210 && code <= 0x1f23b) ||
-    (code >= 0x1f240 && code <= 0x1f248) ||
-    (code >= 0x1f250 && code <= 0x1f251) ||
-    (code >= 0x1f260 && code <= 0x1f265) ||
-    (code >= 0x1f300 && code <= 0x1f320) ||
-    (code >= 0x1f32d && code <= 0x1f335) ||
-    (code >= 0x1f337 && code <= 0x1f37c) ||
-    (code >= 0x1f37e && code <= 0x1f393) ||
-    (code >= 0x1f3a0 && code <= 0x1f3ca) ||
-    (code >= 0x1f3cf && code <= 0x1f3d3) ||
-    (code >= 0x1f3e0 && code <= 0x1f3f0) ||
-    code === 0x1f3f4 ||
-    (code >= 0x1f3f8 && code <= 0x1f3fa) ||
-    (code >= 0x1f3fb && code <= 0x1f3ff) ||
-    (code >= 0x1f400 && code <= 0x1f43e) ||
-    code === 0x1f440 ||
-    (code >= 0x1f442 && code <= 0x1f4fc) ||
-    (code >= 0x1f4ff && code <= 0x1f53d) ||
-    (code >= 0x1f54b && code <= 0x1f54e) ||
-    (code >= 0x1f550 && code <= 0x1f567) ||
-    code === 0x1f57a ||
-    (code >= 0x1f595 && code <= 0x1f596) ||
-    code === 0x1f5a4 ||
-    (code >= 0x1f5fb && code <= 0x1f5ff) ||
-    (code >= 0x1f600 && code <= 0x1f64f) ||
-    (code >= 0x1f680 && code <= 0x1f6c5) ||
-    code === 0x1f6cc ||
-    (code >= 0x1f6d0 && code <= 0x1f6d2) ||
-    (code >= 0x1f6d5 && code <= 0x1f6d8) ||
-    (code >= 0x1f6dc && code <= 0x1f6df) ||
-    (code >= 0x1f6eb && code <= 0x1f6ec) ||
-    (code >= 0x1f6f4 && code <= 0x1f6fc) ||
-    (code >= 0x1f7e0 && code <= 0x1f7eb) ||
-    code === 0x1f7f0 ||
-    (code >= 0x1f90c && code <= 0x1f93a) ||
-    (code >= 0x1f93c && code <= 0x1f945) ||
-    (code >= 0x1f947 && code <= 0x1f9ff) ||
-    (code >= 0x1fa70 && code <= 0x1fa7c) ||
-    (code >= 0x1fa80 && code <= 0x1fa8a) ||
-    (code >= 0x1fa8e && code <= 0x1fac6) ||
-    code === 0x1fac8 ||
-    (code >= 0x1facd && code <= 0x1fadc) ||
-    (code >= 0x1fadf && code <= 0x1faea) ||
-    (code >= 0x1faef && code <= 0x1faf8) ||
-    (code >= 0x20000 && code <= 0x2fffd) ||
-    (code >= 0x30000 && code <= 0x3fffd)
-  );
+  let lo = 0;
+  let hi = WIDE_RANGES.length - 1;
+  while (lo <= hi) {
+    const mid = (lo + hi) >>> 1;
+    const [start, end] = WIDE_RANGES[mid];
+    if (code < start) hi = mid - 1;
+    else if (code > end) lo = mid + 1;
+    else return true;
+  }
+  return false;
 }
 
 /**

package/src/cli/interactive.mjs

@@ -112,13 +112,18 @@ export function startInteractiveSession({
   claudeCodePlugins,
   voiceInput,
 }) {
-  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string }} */
+  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string, toolSpinnerIndex: number, toolSpinnerLastTime: number }} */
   const state = {
     turn: true,
     multiLineBuffer: null,
     subagentName: agentCommands.getActiveSubagent()?.name ?? "",
+    toolSpinnerIndex: 0,
+    toolSpinnerLastTime: 0,
   };
 
+  const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+  const SPINNER_INTERVAL_MS = 80;
+
   /**
    * Active voice input session, or null when not recording.
    * @type {{ session: VoiceSession, startCursor: number, transcriptLength: number } | null}
@@ -466,11 +471,28 @@ export function startInteractiveSession({
         ? styleText("cyan", `[${state.subagentName}]\n`)
         : "";
       const partialContentStr = styleText("gray", `<${partialContent.type}>`);
-      console.log(`\n${subagentPrefix}${partialContentStr}`);
+
+      if (partialContent.type === "tool_use") {
+        state.toolSpinnerIndex = 0;
+        state.toolSpinnerLastTime = Date.now();
+        process.stdout.write(
+          `\n${subagentPrefix}${partialContentStr} ${styleText("cyan", SPINNER_FRAMES[0])}`,
+        );
+      } else {
+        console.log(`\n${subagentPrefix}${partialContentStr}`);
+      }
     }
     if (partialContent.content) {
       if (partialContent.type === "tool_use") {
-        process.stdout.write(styleText("gray", partialContent.content));
+        const now = Date.now();
+        if (now - state.toolSpinnerLastTime >= SPINNER_INTERVAL_MS) {
+          state.toolSpinnerIndex =
+            (state.toolSpinnerIndex + 1) % SPINNER_FRAMES.length;
+          state.toolSpinnerLastTime = now;
+          process.stdout.write(
+            `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)} ${styleText("cyan", SPINNER_FRAMES[state.toolSpinnerIndex])}`,
+          );
+        }
       } else if (partialContent.type === "text") {
         tableBuffer.feed(partialContent.content);
       } else {
@@ -478,7 +500,13 @@ export function startInteractiveSession({
       }
     }
     if (partialContent.position === "stop") {
-      console.log(styleText("gray", `\n</${partialContent.type}>`));
+      if (partialContent.type === "tool_use") {
+        process.stdout.write(
+          `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)} ${styleText("green", "✓")}\n`,
+        );
+      } else {
+        console.log(styleText("gray", `\n</${partialContent.type}>`));
+      }
     }
   });
 

package/src/config.d.ts

@@ -74,6 +74,8 @@ export type AppConfig = {
     patterns?: ToolUsePattern[];
     maxApprovals?: number;
     defaultAction?: "deny" | "ask";
+    /** Additional absolute paths to allow for auto-approval (outside working directory) */
+    allowedPaths?: string[];
   };
   sandbox?: ExecCommandSanboxConfig;
   tools?: {

package/src/config.mjs

@@ -73,6 +73,10 @@ export async function loadAppConfig(options = {}) {
         maxApprovals:
           config.autoApproval?.maxApprovals ??
           merged.autoApproval?.maxApprovals,
+        allowedPaths: [
+          ...(config.autoApproval?.allowedPaths ?? []),
+          ...(merged.autoApproval?.allowedPaths ?? []),
+        ],
       },
       sandbox: config.sandbox ?? merged.sandbox,
       tools: {

package/src/main.mjs

@@ -363,6 +363,7 @@ if (cliArgs.subcommand.type === "resume" && cliArgs.subcommand.list) {
     maxApprovals: appConfig.autoApproval?.maxApprovals || 50,
     defaultAction: appConfig.autoApproval?.defaultAction || "ask",
     patterns: appConfig.autoApproval?.patterns || [],
+    allowedPaths: appConfig.autoApproval?.allowedPaths ?? [],
     maskApprovalInput: (toolName, input) => {
       for (const tool of builtinTools) {
         if (tool.def.name === toolName && tool.maskApprovalInput) {

package/src/prompt.mjs

@@ -45,14 +45,20 @@ export function createPrompt({
     .join("\n");
 
   return `
+# Communication Style
+
+- Respond in the user's language.
+- Call the user by name, not "user".
+- Use emojis sparingly to highlight key points.
+
 # Memory Files
 
-- Create/Update memory files after creating/updating a plan, completing milestones, encountering issues, or making decisions.
-- Update existing task memory when continuing the same task.
+- Create/Update memory files when creating/updating a plan, completing milestones, encountering issues, or making decisions.
 - Ensure self-containment: The file must be standalone. A reader should fully understand the task context, logic and progress without any other references.
 - Write the memory content in the user's language.
 
 Memory files should include:
+- Project discovery status: Whether AGENTS.md has been checked
 - Task overview: What the task is, why it's being done, requirements and constraints
 - Context: Relevant documentation, source files, commands, and resources referenced
 - Progress tracking: Completed milestones with evidence, current status, and next steps
@@ -67,7 +73,8 @@ Call multiple tools at once when they don't depend on each other's results.
 ## exec_command
 
 - Use relative paths.
-- Avoid bash -c unless pipes (|) or redirection (>, <) are required.
+- Use ${projectMetadataDir}/tmp/ for temporary files.
+- Use bash -c only when pipes (|) or redirection (>, <) are required.
 
 Examples:
 - List directories or find files: fd [".", "./", "--max-depth", "3", "--type", "d", "--hidden"]
@@ -78,7 +85,7 @@ Examples:
 
 ## tmux_command
 
-- Only use when the user explicitly requests it.
+- Use only when the user explicitly requests it.
 - Create a new session with the given tmux session id.
 
 Examples:

package/src/tool.d.ts

@@ -37,6 +37,8 @@ export type ToolUseApproverConfig = {
   patterns: ToolUsePattern[];
   maxApprovals: number;
   defaultAction: "deny" | "ask";
+  /** Additional absolute paths to allow for auto-approval (outside working directory) */
+  allowedPaths?: string[];
 
   /**
    * Mask the input before auto-approval checks and recording.

package/src/toolInputValidator.mjs

@@ -9,39 +9,37 @@ import {
 } from "./env.mjs";
 import { noThrowSync } from "./utils/noThrow.mjs";
 
-// Paths that must never be auto-approvable as tool input, even when
-// git-managed. Sandbox scripts run on the host and the project config files
-// drive auto-approval policy itself, so silent in-sandbox modification of
-// either could lead to host code execution or self-granted privilege
-// escalation.
-const UNSAFE_PROJECT_PATHS = [
-  path.join(AGENT_PROJECT_METADATA_DIR, "sandbox"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.json"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.local.json"),
+const BUILTIN_ALLOWED_PATHS = [
+  AGENT_MEMORY_DIR,
+  AGENT_TMP_DIR,
+  CLAUDE_CODE_PLUGIN_DIR,
 ];
 
 /**
  * @param {unknown} input
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInput(input) {
+export function isSafeToolInput(input, allowedPaths = []) {
   if (["number", "boolean", "undefined"].includes(typeof input)) {
     return true;
   }
 
   if (typeof input === "string") {
-    return isSafeToolInputItem(input);
+    return isSafeToolInputItem(input, allowedPaths);
   }
 
   if (Array.isArray(input)) {
-    return input.every((item) => isSafeToolInput(item));
+    return input.every((item) => isSafeToolInput(item, allowedPaths));
   }
 
   if (typeof input === "object") {
     if (input === null) {
       return true;
     }
-    return Object.values(input).every((value) => isSafeToolInput(value));
+    return Object.values(input).every((value) =>
+      isSafeToolInput(value, allowedPaths),
+    );
   }
 
   return false;
@@ -49,9 +47,10 @@ export function isSafeToolInput(input) {
 
 /**
  * @param {string} arg
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInputItem(arg) {
+export function isSafeToolInputItem(arg, allowedPaths = []) {
   const workingDir = process.cwd();
 
   // Note: An argument can be a command option (e.g., '-l').
@@ -63,29 +62,38 @@ export function isSafeToolInputItem(arg) {
     return false;
   }
 
-  // Disallow paths outside the working directory (WITHOUT EXCEPTION)
-  if (!isInsideWorkingDirectory(realPath, workingDir)) {
-    return false;
-  }
-
   // Disallow any input that contains ".." as a path segment (directory traversal)
   // Example:
   // - When write_file is allowed for ^safe-dir/.+
   // - "safe-dir/../unsafe-path" should be disallowed
+  // This check must happen before allowedPaths check for security
   if (arg.split(path.sep).includes("..")) {
     return false;
   }
 
-  // Always require approval for these, even if git-managed.
-  if (isUnsafeProjectPath(realPath)) {
+  // Built-in allowed paths (memory, tmp, claude-code-plugins) are always safe.
+  // This check must come before the .plain-agent/ block below.
+  if (isInBuiltinAllowedPath(realPath)) {
+    return true;
+  }
+
+  // Any other path under .plain-agent/ is unsafe and cannot be overridden
+  // by allowedPaths. This prevents privilege escalation via sandbox scripts
+  // or config files even when explicitly listed in allowedPaths.
+  if (isInsideProjectMetadataDir(realPath)) {
     return false;
   }
 
-  // Always allow these even if git-ignored.
-  if (isSafePath(realPath)) {
+  // User-configured allowed paths (outside working directory)
+  if (isInUserAllowedPath(realPath, allowedPaths)) {
     return true;
   }
 
+  // Disallow paths outside the working directory (not in allowedPaths)
+  if (!isInsideWorkingDirectory(realPath, workingDir)) {
+    return false;
+  }
+
   // Deny git ignored files (which may contain sensitive information or should not be accessed)
   return !isGitIgnored(realPath);
 }
@@ -153,43 +161,60 @@ function isInsideWorkingDirectory(targetPath, workingDir) {
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a built-in allowed directory
+ * (.plain-agent/{memory,tmp,claude-code-plugins}).
+ * @param {string} targetPath - Must be an absolute path.
  * @returns {boolean}
  */
-function isSafePath(targetPath) {
-  const safePaths = [AGENT_MEMORY_DIR, AGENT_TMP_DIR, CLAUDE_CODE_PLUGIN_DIR];
-
-  for (const safePath of safePaths) {
-    const safeAbsPath = path.resolve(safePath);
+function isInBuiltinAllowedPath(targetPath) {
+  for (const builtinPath of BUILTIN_ALLOWED_PATHS) {
+    const absPath = path.resolve(builtinPath);
     if (
-      targetPath === safeAbsPath ||
-      targetPath.startsWith(`${safeAbsPath}${path.sep}`)
+      targetPath === absPath ||
+      targetPath.startsWith(`${absPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a user-configured allowed path.
+ * @param {string} targetPath - Must be an absolute path.
+ * @param {string[]} allowedPaths - Additional absolute paths (outside working directory)
  * @returns {boolean}
  */
-function isUnsafeProjectPath(targetPath) {
-  for (const unsafePath of UNSAFE_PROJECT_PATHS) {
-    const unsafeAbsPath = path.resolve(unsafePath);
+function isInUserAllowedPath(targetPath, allowedPaths) {
+  // User-provided paths must be absolute; relative paths are silently skipped
+  // to prevent unintended access from CWD-dependent resolution.
+  for (const allowedPath of allowedPaths) {
+    if (!path.isAbsolute(allowedPath)) {
+      continue;
+    }
     if (
-      targetPath === unsafeAbsPath ||
-      targetPath.startsWith(`${unsafeAbsPath}${path.sep}`)
+      targetPath === allowedPath ||
+      targetPath.startsWith(`${allowedPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
+/**
+ * Check if the path is under .plain-agent/.
+ * @param {string} targetPath
+ * @returns {boolean}
+ */
+function isInsideProjectMetadataDir(targetPath) {
+  const metadataAbsPath = path.resolve(AGENT_PROJECT_METADATA_DIR);
+  return (
+    targetPath === metadataAbsPath ||
+    targetPath.startsWith(`${metadataAbsPath}${path.sep}`)
+  );
+}
+
 /**
  * @param {string} absPath
  * @returns {boolean}

package/src/toolUseApprover.mjs

@@ -15,6 +15,7 @@ export function createToolUseApprover({
   maxApprovals: max,
   defaultAction,
   maskApprovalInput,
+  allowedPaths = [],
 }) {
   const state = {
     approvalCount: 0,
@@ -64,7 +65,7 @@ export function createToolUseApprover({
 
       if (action === "allow") {
         const maskedInput = maskApprovalInput(toolUse.toolName, toolUse.input);
-        if (isSafeToolInput(maskedInput)) {
+        if (isSafeToolInput(maskedInput, allowedPaths)) {
           state.approvalCount += 1;
           return state.approvalCount <= max
             ? { action: "allow" }

package/src/tools/patchFile.mjs

@@ -31,18 +31,26 @@ Format — a single patch string may contain multiple blocks:
 >>> ${nonce} {start}:{startHash}-{end}:{endHash}
 new content
 <<< ${nonce}
+
+>>> ${nonce} {start}:{startHash}-{end}:{endHash}
+another new content
+<<< ${nonce}
+
 >>> ${nonce} {N}:{afterHash}+
-inserted content
+appended content after line N
 <<< ${nonce}
+
 >>> ${nonce} 0+
 prepended content
 <<< ${nonce}
 
+>>> ${nonce} 10:ab-15:cd
+(empty body deletes the range)
+<<< ${nonce}
+
 - The nonce "${nonce}" is constant; always use the exact value shown above.
 - Line numbers are 1-indexed and refer to the original file; "{start}-{end}" is inclusive.
 - Hashes are 2-character hex hashes of each line's full content as shown by read_file (e.g. "a3").
-- "{N}:{afterHash}+" inserts after line N; "0+" prepends (no hash needed). "{lastLine}:{hash}+" appends.
-- An empty body deletes the range.
             `.trim(),
             type: "string",
           },