@iinm/plain-agent 1.10.4 → 1.10.5

package/README.md

@@ -395,6 +395,8 @@ Files are loaded in the following order. Settings in later files override earlie
 ```js
 {
   "autoApproval": {
+    // Absolute paths outside the working directory to allow access to. Relative paths are ignored.
+    "allowedPaths": ["/tmp"],
     "defaultAction": "ask",
     // The maximum number of automatic approvals.
     "maxApprovals": 50,

package/config/config.predefined.json

@@ -125,6 +125,23 @@
           ]
         },
         "action": "allow"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api", "--method"]
+        },
+        "action": "ask"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api"]
+        },
+        "action": "deny",
+        "reason": "--method must be specified"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iinm/plain-agent",
-  "version": "1.10.4",
+  "version": "1.10.5",
   "description": "A lightweight CLI-based coding agent",
   "license": "MIT",
   "type": "module",

package/src/cli/interactive.mjs

@@ -112,13 +112,18 @@ export function startInteractiveSession({
   claudeCodePlugins,
   voiceInput,
 }) {
-  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string }} */
+  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string, toolSpinnerIndex: number, toolSpinnerLastTime: number }} */
   const state = {
     turn: true,
     multiLineBuffer: null,
     subagentName: agentCommands.getActiveSubagent()?.name ?? "",
+    toolSpinnerIndex: 0,
+    toolSpinnerLastTime: 0,
   };
 
+  const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+  const SPINNER_INTERVAL_MS = 80;
+
   /**
    * Active voice input session, or null when not recording.
    * @type {{ session: VoiceSession, startCursor: number, transcriptLength: number } | null}
@@ -466,11 +471,28 @@ export function startInteractiveSession({
         ? styleText("cyan", `[${state.subagentName}]\n`)
         : "";
       const partialContentStr = styleText("gray", `<${partialContent.type}>`);
-      console.log(`\n${subagentPrefix}${partialContentStr}`);
+
+      if (partialContent.type === "tool_use") {
+        state.toolSpinnerIndex = 0;
+        state.toolSpinnerLastTime = Date.now();
+        process.stdout.write(
+          `\n${subagentPrefix}${partialContentStr} ${styleText("cyan", SPINNER_FRAMES[0])}`,
+        );
+      } else {
+        console.log(`\n${subagentPrefix}${partialContentStr}`);
+      }
     }
     if (partialContent.content) {
       if (partialContent.type === "tool_use") {
-        process.stdout.write(styleText("gray", partialContent.content));
+        const now = Date.now();
+        if (now - state.toolSpinnerLastTime >= SPINNER_INTERVAL_MS) {
+          state.toolSpinnerIndex =
+            (state.toolSpinnerIndex + 1) % SPINNER_FRAMES.length;
+          state.toolSpinnerLastTime = now;
+          process.stdout.write(
+            `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)} ${styleText("cyan", SPINNER_FRAMES[state.toolSpinnerIndex])}`,
+          );
+        }
       } else if (partialContent.type === "text") {
         tableBuffer.feed(partialContent.content);
       } else {
@@ -478,7 +500,13 @@ export function startInteractiveSession({
       }
     }
     if (partialContent.position === "stop") {
-      console.log(styleText("gray", `\n</${partialContent.type}>`));
+      if (partialContent.type === "tool_use") {
+        process.stdout.write(
+          `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)} ${styleText("green", "✓")}\n`,
+        );
+      } else {
+        console.log(styleText("gray", `\n</${partialContent.type}>`));
+      }
     }
   });
 

package/src/config.d.ts

@@ -74,6 +74,8 @@ export type AppConfig = {
     patterns?: ToolUsePattern[];
     maxApprovals?: number;
     defaultAction?: "deny" | "ask";
+    /** Additional absolute paths to allow for auto-approval (outside working directory) */
+    allowedPaths?: string[];
   };
   sandbox?: ExecCommandSanboxConfig;
   tools?: {

package/src/config.mjs

@@ -73,6 +73,10 @@ export async function loadAppConfig(options = {}) {
         maxApprovals:
           config.autoApproval?.maxApprovals ??
           merged.autoApproval?.maxApprovals,
+        allowedPaths: [
+          ...(config.autoApproval?.allowedPaths ?? []),
+          ...(merged.autoApproval?.allowedPaths ?? []),
+        ],
       },
       sandbox: config.sandbox ?? merged.sandbox,
       tools: {

package/src/main.mjs

@@ -363,6 +363,7 @@ if (cliArgs.subcommand.type === "resume" && cliArgs.subcommand.list) {
     maxApprovals: appConfig.autoApproval?.maxApprovals || 50,
     defaultAction: appConfig.autoApproval?.defaultAction || "ask",
     patterns: appConfig.autoApproval?.patterns || [],
+    allowedPaths: appConfig.autoApproval?.allowedPaths ?? [],
     maskApprovalInput: (toolName, input) => {
       for (const tool of builtinTools) {
         if (tool.def.name === toolName && tool.maskApprovalInput) {

package/src/prompt.mjs

@@ -45,14 +45,20 @@ export function createPrompt({
     .join("\n");
 
   return `
+# Communication Style
+
+- Respond in the user's language.
+- Call the user by name, not "user".
+- Use emojis sparingly to highlight key points.
+
 # Memory Files
 
-- Create/Update memory files after creating/updating a plan, completing milestones, encountering issues, or making decisions.
-- Update existing task memory when continuing the same task.
+- Create/Update memory files when creating/updating a plan, completing milestones, encountering issues, or making decisions.
 - Ensure self-containment: The file must be standalone. A reader should fully understand the task context, logic and progress without any other references.
 - Write the memory content in the user's language.
 
 Memory files should include:
+- Project discovery status: Whether AGENTS.md has been checked
 - Task overview: What the task is, why it's being done, requirements and constraints
 - Context: Relevant documentation, source files, commands, and resources referenced
 - Progress tracking: Completed milestones with evidence, current status, and next steps
@@ -67,7 +73,8 @@ Call multiple tools at once when they don't depend on each other's results.
 ## exec_command
 
 - Use relative paths.
-- Avoid bash -c unless pipes (|) or redirection (>, <) are required.
+- Use ${projectMetadataDir}/tmp/ for temporary files.
+- Use bash -c only when pipes (|) or redirection (>, <) are required.
 
 Examples:
 - List directories or find files: fd [".", "./", "--max-depth", "3", "--type", "d", "--hidden"]
@@ -78,7 +85,7 @@ Examples:
 
 ## tmux_command
 
-- Only use when the user explicitly requests it.
+- Use only when the user explicitly requests it.
 - Create a new session with the given tmux session id.
 
 Examples:

package/src/tool.d.ts

@@ -37,6 +37,8 @@ export type ToolUseApproverConfig = {
   patterns: ToolUsePattern[];
   maxApprovals: number;
   defaultAction: "deny" | "ask";
+  /** Additional absolute paths to allow for auto-approval (outside working directory) */
+  allowedPaths?: string[];
 
   /**
    * Mask the input before auto-approval checks and recording.

package/src/toolInputValidator.mjs

@@ -9,39 +9,37 @@ import {
 } from "./env.mjs";
 import { noThrowSync } from "./utils/noThrow.mjs";
 
-// Paths that must never be auto-approvable as tool input, even when
-// git-managed. Sandbox scripts run on the host and the project config files
-// drive auto-approval policy itself, so silent in-sandbox modification of
-// either could lead to host code execution or self-granted privilege
-// escalation.
-const UNSAFE_PROJECT_PATHS = [
-  path.join(AGENT_PROJECT_METADATA_DIR, "sandbox"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.json"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.local.json"),
+const BUILTIN_ALLOWED_PATHS = [
+  AGENT_MEMORY_DIR,
+  AGENT_TMP_DIR,
+  CLAUDE_CODE_PLUGIN_DIR,
 ];
 
 /**
  * @param {unknown} input
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInput(input) {
+export function isSafeToolInput(input, allowedPaths = []) {
   if (["number", "boolean", "undefined"].includes(typeof input)) {
     return true;
   }
 
   if (typeof input === "string") {
-    return isSafeToolInputItem(input);
+    return isSafeToolInputItem(input, allowedPaths);
   }
 
   if (Array.isArray(input)) {
-    return input.every((item) => isSafeToolInput(item));
+    return input.every((item) => isSafeToolInput(item, allowedPaths));
   }
 
   if (typeof input === "object") {
     if (input === null) {
       return true;
     }
-    return Object.values(input).every((value) => isSafeToolInput(value));
+    return Object.values(input).every((value) =>
+      isSafeToolInput(value, allowedPaths),
+    );
   }
 
   return false;
@@ -49,9 +47,10 @@ export function isSafeToolInput(input) {
 
 /**
  * @param {string} arg
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInputItem(arg) {
+export function isSafeToolInputItem(arg, allowedPaths = []) {
   const workingDir = process.cwd();
 
   // Note: An argument can be a command option (e.g., '-l').
@@ -63,29 +62,38 @@ export function isSafeToolInputItem(arg) {
     return false;
   }
 
-  // Disallow paths outside the working directory (WITHOUT EXCEPTION)
-  if (!isInsideWorkingDirectory(realPath, workingDir)) {
-    return false;
-  }
-
   // Disallow any input that contains ".." as a path segment (directory traversal)
   // Example:
   // - When write_file is allowed for ^safe-dir/.+
   // - "safe-dir/../unsafe-path" should be disallowed
+  // This check must happen before allowedPaths check for security
   if (arg.split(path.sep).includes("..")) {
     return false;
   }
 
-  // Always require approval for these, even if git-managed.
-  if (isUnsafeProjectPath(realPath)) {
+  // Built-in allowed paths (memory, tmp, claude-code-plugins) are always safe.
+  // This check must come before the .plain-agent/ block below.
+  if (isInBuiltinAllowedPath(realPath)) {
+    return true;
+  }
+
+  // Any other path under .plain-agent/ is unsafe and cannot be overridden
+  // by allowedPaths. This prevents privilege escalation via sandbox scripts
+  // or config files even when explicitly listed in allowedPaths.
+  if (isInsideProjectMetadataDir(realPath)) {
     return false;
   }
 
-  // Always allow these even if git-ignored.
-  if (isSafePath(realPath)) {
+  // User-configured allowed paths (outside working directory)
+  if (isInUserAllowedPath(realPath, allowedPaths)) {
     return true;
   }
 
+  // Disallow paths outside the working directory (not in allowedPaths)
+  if (!isInsideWorkingDirectory(realPath, workingDir)) {
+    return false;
+  }
+
   // Deny git ignored files (which may contain sensitive information or should not be accessed)
   return !isGitIgnored(realPath);
 }
@@ -153,43 +161,60 @@ function isInsideWorkingDirectory(targetPath, workingDir) {
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a built-in allowed directory
+ * (.plain-agent/{memory,tmp,claude-code-plugins}).
+ * @param {string} targetPath - Must be an absolute path.
  * @returns {boolean}
  */
-function isSafePath(targetPath) {
-  const safePaths = [AGENT_MEMORY_DIR, AGENT_TMP_DIR, CLAUDE_CODE_PLUGIN_DIR];
-
-  for (const safePath of safePaths) {
-    const safeAbsPath = path.resolve(safePath);
+function isInBuiltinAllowedPath(targetPath) {
+  for (const builtinPath of BUILTIN_ALLOWED_PATHS) {
+    const absPath = path.resolve(builtinPath);
     if (
-      targetPath === safeAbsPath ||
-      targetPath.startsWith(`${safeAbsPath}${path.sep}`)
+      targetPath === absPath ||
+      targetPath.startsWith(`${absPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a user-configured allowed path.
+ * @param {string} targetPath - Must be an absolute path.
+ * @param {string[]} allowedPaths - Additional absolute paths (outside working directory)
  * @returns {boolean}
  */
-function isUnsafeProjectPath(targetPath) {
-  for (const unsafePath of UNSAFE_PROJECT_PATHS) {
-    const unsafeAbsPath = path.resolve(unsafePath);
+function isInUserAllowedPath(targetPath, allowedPaths) {
+  // User-provided paths must be absolute; relative paths are silently skipped
+  // to prevent unintended access from CWD-dependent resolution.
+  for (const allowedPath of allowedPaths) {
+    if (!path.isAbsolute(allowedPath)) {
+      continue;
+    }
     if (
-      targetPath === unsafeAbsPath ||
-      targetPath.startsWith(`${unsafeAbsPath}${path.sep}`)
+      targetPath === allowedPath ||
+      targetPath.startsWith(`${allowedPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
+/**
+ * Check if the path is under .plain-agent/.
+ * @param {string} targetPath
+ * @returns {boolean}
+ */
+function isInsideProjectMetadataDir(targetPath) {
+  const metadataAbsPath = path.resolve(AGENT_PROJECT_METADATA_DIR);
+  return (
+    targetPath === metadataAbsPath ||
+    targetPath.startsWith(`${metadataAbsPath}${path.sep}`)
+  );
+}
+
 /**
  * @param {string} absPath
  * @returns {boolean}

package/src/toolUseApprover.mjs

@@ -15,6 +15,7 @@ export function createToolUseApprover({
   maxApprovals: max,
   defaultAction,
   maskApprovalInput,
+  allowedPaths = [],
 }) {
   const state = {
     approvalCount: 0,
@@ -64,7 +65,7 @@ export function createToolUseApprover({
 
       if (action === "allow") {
         const maskedInput = maskApprovalInput(toolUse.toolName, toolUse.input);
-        if (isSafeToolInput(maskedInput)) {
+        if (isSafeToolInput(maskedInput, allowedPaths)) {
           state.approvalCount += 1;
           return state.approvalCount <= max
             ? { action: "allow" }

package/src/tools/patchFile.mjs

@@ -31,18 +31,26 @@ Format — a single patch string may contain multiple blocks:
 >>> ${nonce} {start}:{startHash}-{end}:{endHash}
 new content
 <<< ${nonce}
+
+>>> ${nonce} {start}:{startHash}-{end}:{endHash}
+another new content
+<<< ${nonce}
+
 >>> ${nonce} {N}:{afterHash}+
-inserted content
+appended content after line N
 <<< ${nonce}
+
 >>> ${nonce} 0+
 prepended content
 <<< ${nonce}
 
+>>> ${nonce} 10:ab-15:cd
+(empty body deletes the range)
+<<< ${nonce}
+
 - The nonce "${nonce}" is constant; always use the exact value shown above.
 - Line numbers are 1-indexed and refer to the original file; "{start}-{end}" is inclusive.
 - Hashes are 2-character hex hashes of each line's full content as shown by read_file (e.g. "a3").
-- "{N}:{afterHash}+" inserts after line N; "0+" prepends (no hash needed). "{lastLine}:{hash}+" appends.
-- An empty body deletes the range.
             `.trim(),
             type: "string",
           },