@iinm/plain-agent 1.10.4 → 1.10.6

package/README.md

@@ -395,6 +395,8 @@ Files are loaded in the following order. Settings in later files override earlie
 ```js
 {
   "autoApproval": {
+    // Absolute paths outside the working directory to allow access to. Relative paths are ignored.
+    "allowedPaths": ["/tmp"],
     "defaultAction": "ask",
     // The maximum number of automatic approvals.
     "maxApprovals": 50,

package/config/config.predefined.json

@@ -125,6 +125,23 @@
           ]
         },
         "action": "allow"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api", "--method"]
+        },
+        "action": "ask"
+      },
+      {
+        "toolName": "exec_command",
+        "input": {
+          "command": "gh",
+          "args": ["api"]
+        },
+        "action": "deny",
+        "reason": "--method must be specified"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iinm/plain-agent",
-  "version": "1.10.4",
+  "version": "1.10.6",
   "description": "A lightweight CLI-based coding agent",
   "license": "MIT",
   "type": "module",

package/src/cli/formatter.mjs

@@ -428,6 +428,21 @@ export async function printMessage(message) {
     }
   }
 }
+/**
+ * Convert **bold** Markdown to ANSI bold terminal escape codes.
+ * Only matches when ** is preceded by whitespace or line start
+ * and followed by whitespace, line end, or punctuation — so inline
+ * code like `**bold**` is left untouched.
+ * @param {string} text
+ * @returns {string}
+ */
+export function applyInlineMarkdown(text) {
+  return text.replace(
+    /(?<=\s|^)\*\*(.+?)\*\*(?=[\s.,;:!?)〕）】」』]|$)/g,
+    (_, c) => styleText("bold", c),
+  );
+}
+
 /**
  * Format markdown table lines with aligned columns.
  * Input lines may have leading/trailing pipes.

package/src/cli/interactive.mjs

@@ -22,7 +22,7 @@ import {
 import { createInterruptTransform } from "./interruptTransform.mjs";
 import { createMuteTransform } from "./muteTransform.mjs";
 import { createPasteHandler } from "./pasteTransform.mjs";
-import { createTableDetector } from "./tableDetector.mjs";
+import { createStreamFormatter } from "./streamFormatter.mjs";
 
 const HELP_MESSAGE = [
   "Commands:",
@@ -112,21 +112,26 @@ export function startInteractiveSession({
   claudeCodePlugins,
   voiceInput,
 }) {
-  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string }} */
+  /** @type {{ turn: boolean, multiLineBuffer: string[] | null, subagentName: string, toolSpinnerIndex: number, toolSpinnerLastTime: number }} */
   const state = {
     turn: true,
     multiLineBuffer: null,
     subagentName: agentCommands.getActiveSubagent()?.name ?? "",
+    toolSpinnerIndex: 0,
+    toolSpinnerLastTime: 0,
   };
 
+  const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+  const SPINNER_INTERVAL_MS = 80;
+
   /**
    * Active voice input session, or null when not recording.
    * @type {{ session: VoiceSession, startCursor: number, transcriptLength: number } | null}
    */
   let voice = null;
 
-  // Create the table buffer instance for this session
-  const tableBuffer = createTableBuffer();
+  // Create the stream buffer instance for this session
+  const streamBuffer = createStreamBuffer();
 
   // Parse the voice toggle key once at startup so misconfiguration fails
   // loudly instead of silently falling back.
@@ -466,19 +471,44 @@ export function startInteractiveSession({
         ? styleText("cyan", `[${state.subagentName}]\n`)
         : "";
       const partialContentStr = styleText("gray", `<${partialContent.type}>`);
-      console.log(`\n${subagentPrefix}${partialContentStr}`);
+
+      if (partialContent.type === "tool_use") {
+        state.toolSpinnerIndex = 0;
+        state.toolSpinnerLastTime = Date.now();
+        process.stdout.write(
+          `\n${subagentPrefix}${partialContentStr} ${styleText("cyan", SPINNER_FRAMES[0])}`,
+        );
+      } else {
+        console.log(`\n${subagentPrefix}${partialContentStr}`);
+      }
     }
     if (partialContent.content) {
       if (partialContent.type === "tool_use") {
-        process.stdout.write(styleText("gray", partialContent.content));
+        const now = Date.now();
+        if (now - state.toolSpinnerLastTime >= SPINNER_INTERVAL_MS) {
+          state.toolSpinnerIndex =
+            (state.toolSpinnerIndex + 1) % SPINNER_FRAMES.length;
+          state.toolSpinnerLastTime = now;
+          process.stdout.write(
+            `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)} ${styleText("cyan", SPINNER_FRAMES[state.toolSpinnerIndex])}`,
+          );
+        }
       } else if (partialContent.type === "text") {
-        tableBuffer.feed(partialContent.content);
+        streamBuffer.feed(partialContent.content);
       } else {
         process.stdout.write(partialContent.content);
       }
     }
     if (partialContent.position === "stop") {
-      console.log(styleText("gray", `\n</${partialContent.type}>`));
+      if (partialContent.type === "tool_use") {
+        process.stdout.write(
+          `\r\x1b[K${styleText("gray", `<${partialContent.type}>`)}\n`,
+        );
+      } else {
+        // Flush any buffered text before printing the closing tag
+        streamBuffer.forceFlush();
+        console.log(styleText("gray", `\n</${partialContent.type}>`));
+      }
     }
   });
 
@@ -528,8 +558,8 @@ export function startInteractiveSession({
   });
 
   agentEventEmitter.on("turnEnd", async () => {
-    // Flush any remaining table buffer content
-    tableBuffer.forceFlush();
+    // Flush any remaining stream buffer content
+    streamBuffer.forceFlush();
 
     const err = notify(notifyCmd);
     if (err) {
@@ -556,21 +586,20 @@ export function startInteractiveSession({
 }
 
 /**
- * Creates a table buffer for detecting and formatting markdown tables
- * in streaming text output.
- * Thin shell: delegates pure logic to createTableDetector and handles I/O.
+ * Creates a stream buffer for formatting streaming text output.
+ * Thin shell: delegates pure logic to createStreamFormatter and handles I/O.
  */
-function createTableBuffer() {
-  const detector = createTableDetector();
+function createStreamBuffer() {
+  const formatter = createStreamFormatter();
 
   function feed(/** @type {string} */ chunk) {
-    const { output, warnings } = detector.feed(chunk);
+    const { output, warnings } = formatter.feed(chunk);
     for (const s of output) process.stdout.write(s);
     for (const w of warnings) console.error(styleText("yellow", w));
   }
 
   function forceFlush() {
-    const { output, warnings } = detector.forceFlush();
+    const { output, warnings } = formatter.forceFlush();
     for (const s of output) process.stdout.write(s);
     for (const w of warnings) console.error(styleText("yellow", w));
   }

package/src/cli/{tableDetector.mjs → streamFormatter.mjs}

@@ -1,18 +1,24 @@
-import { formatMarkdownTable } from "./formatter.mjs";
+import { applyInlineMarkdown, formatMarkdownTable } from "./formatter.mjs";
 
 /**
- * @typedef {{ output: string[], warnings: string[] }} DetectorResult
+ * @typedef {{ output: string[], warnings: string[] }} StreamFormatterResult
  */
 
 /**
- * Creates a table detector for detecting and formatting markdown tables
- * in streaming text output. This is a pure logic module with no I/O side effects.
+ * Creates a stream formatter for formatting streaming text output
+ * in a terminal. Applies **bold** Markdown styling
+ * on completed lines, and detects + formats markdown tables.
+ * This is a pure logic module with no I/O side effects.
+ *
+ * All output is deferred until line completion (\n or forceFlush),
+ * so inline Markdown patterns spanning chunk boundaries are handled
+ * correctly without special boundary-detection logic.
  *
  * @param {(lines: string[], maxWidth?: number) => string} [formatTable=formatMarkdownTable] - Table formatting function (injectable for testing)
  * @param {number} [maxWidth] - Maximum terminal display width (defaults to process.stdout.columns - 4 or 80)
- * @returns {{ feed: (chunk: string) => DetectorResult, forceFlush: () => DetectorResult }}
+ * @returns {{ feed: (chunk: string) => StreamFormatterResult, forceFlush: () => StreamFormatterResult }}
  */
-export function createTableDetector(
+export function createStreamFormatter(
   formatTable = formatMarkdownTable,
   maxWidth = process.stdout.columns ? process.stdout.columns - 4 : 80,
 ) {
@@ -25,9 +31,9 @@ export function createTableDetector(
   const MAX_TABLE_LINES = 200;
 
   /**
-   * Feed a text chunk to the detector.
+   * Feed a text chunk to the formatter.
    * @param {string} chunk
-   * @returns {DetectorResult}
+   * @returns {StreamFormatterResult}
    */
   function feed(chunk) {
     if (chunk.length === 0) return { output: [], warnings: [] };
@@ -48,19 +54,12 @@ export function createTableDetector(
       warnings.push(...result.warnings);
     }
 
-    // If not buffering a table and pendingLine has no pipe, output immediately
-    // This ensures non-table text is streamed without delay
-    if (tableLines.length === 0 && !pendingLine.includes("|")) {
-      output.push(pendingLine);
-      pendingLine = "";
-    }
-
     return { output, warnings };
   }
 
   /**
    * Force flush any pending content (call on turn end).
-   * @returns {DetectorResult}
+   * @returns {StreamFormatterResult}
    */
   function forceFlush() {
     /** @type {string[]} */
@@ -68,14 +67,11 @@ export function createTableDetector(
     /** @type {string[]} */
     const warnings = [];
 
-    // Process any remaining pending line
+    // Process any remaining pending line as a completed line
     if (pendingLine.length > 0) {
-      // If we have a table buffer, add pending line to it or output directly
-      if (tableLines.length > 0) {
-        tableLines.push(`${pendingLine}\n`);
-      } else {
-        output.push(pendingLine);
-      }
+      const result = processLine(pendingLine);
+      output.push(...result.output);
+      warnings.push(...result.warnings);
       pendingLine = "";
     }
     const flushResult = flushTable();
@@ -87,30 +83,33 @@ export function createTableDetector(
 
   /**
    * Process a complete line.
-   * @param {string} line - Line including trailing newline
-   * @returns {DetectorResult}
+   * @param {string} rawLine - Line (may or may not include trailing newline)
+   * @returns {StreamFormatterResult}
    */
-  function processLine(line) {
+  function processLine(rawLine) {
     /** @type {string[]} */
     const output = [];
     /** @type {string[]} */
     const warnings = [];
 
-    // Code block detection
-    if (line.trimStart().startsWith("```")) {
+    // Code block detection (before Markdown conversion — code blocks stay raw)
+    if (rawLine.trimStart().startsWith("```")) {
       inCodeBlock = !inCodeBlock;
       const flushResult = flushTable(); // Code block terminates any ongoing table
       output.push(...flushResult.output);
       warnings.push(...flushResult.warnings);
-      output.push(line);
+      output.push(rawLine);
       return { output, warnings };
     }
 
     if (inCodeBlock) {
-      output.push(line);
+      output.push(rawLine);
       return { output, warnings };
     }
 
+    // Apply inline Markdown styling on completed lines
+    const line = applyInlineMarkdown(rawLine);
+
     // Table start: line begins with pipe
     if (isTableStart(line)) {
       tableLines.push(line);
@@ -145,7 +144,7 @@ export function createTableDetector(
 
   /**
    * Flush table buffer with formatting.
-   * @returns {DetectorResult}
+   * @returns {StreamFormatterResult}
    */
   function flushTable() {
     if (tableLines.length === 0) return { output: [], warnings: [] };
@@ -193,7 +192,7 @@ export function createTableDetector(
 
   /**
    * Flush table buffer without formatting (for oversized tables).
-   * @returns {DetectorResult}
+   * @returns {StreamFormatterResult}
    */
   function flushTableAsIs() {
     if (tableLines.length === 0) return { output: [], warnings: [] };

package/src/config.d.ts

@@ -74,6 +74,8 @@ export type AppConfig = {
     patterns?: ToolUsePattern[];
     maxApprovals?: number;
     defaultAction?: "deny" | "ask";
+    /** Additional absolute paths to allow for auto-approval (outside working directory) */
+    allowedPaths?: string[];
   };
   sandbox?: ExecCommandSanboxConfig;
   tools?: {

package/src/config.mjs

@@ -73,6 +73,10 @@ export async function loadAppConfig(options = {}) {
         maxApprovals:
           config.autoApproval?.maxApprovals ??
           merged.autoApproval?.maxApprovals,
+        allowedPaths: [
+          ...(config.autoApproval?.allowedPaths ?? []),
+          ...(merged.autoApproval?.allowedPaths ?? []),
+        ],
       },
       sandbox: config.sandbox ?? merged.sandbox,
       tools: {

package/src/main.mjs

@@ -363,6 +363,7 @@ if (cliArgs.subcommand.type === "resume" && cliArgs.subcommand.list) {
     maxApprovals: appConfig.autoApproval?.maxApprovals || 50,
     defaultAction: appConfig.autoApproval?.defaultAction || "ask",
     patterns: appConfig.autoApproval?.patterns || [],
+    allowedPaths: appConfig.autoApproval?.allowedPaths ?? [],
     maskApprovalInput: (toolName, input) => {
       for (const tool of builtinTools) {
         if (tool.def.name === toolName && tool.maskApprovalInput) {

package/src/prompt.mjs

@@ -45,14 +45,20 @@ export function createPrompt({
     .join("\n");
 
   return `
+# Communication Style
+
+- Respond in the user's language.
+- Call the user by name, not "user".
+- Use emojis sparingly to highlight key points.
+
 # Memory Files
 
-- Create/Update memory files after creating/updating a plan, completing milestones, encountering issues, or making decisions.
-- Update existing task memory when continuing the same task.
+- Create/Update memory files when creating/updating a plan, completing milestones, encountering issues, or making decisions.
 - Ensure self-containment: The file must be standalone. A reader should fully understand the task context, logic and progress without any other references.
 - Write the memory content in the user's language.
 
 Memory files should include:
+- Project discovery status: Whether AGENTS.md has been checked
 - Task overview: What the task is, why it's being done, requirements and constraints
 - Context: Relevant documentation, source files, commands, and resources referenced
 - Progress tracking: Completed milestones with evidence, current status, and next steps
@@ -67,7 +73,8 @@ Call multiple tools at once when they don't depend on each other's results.
 ## exec_command
 
 - Use relative paths.
-- Avoid bash -c unless pipes (|) or redirection (>, <) are required.
+- Use ${projectMetadataDir}/tmp/ for temporary files.
+- Use bash -c only when pipes (|) or redirection (>, <) are required.
 
 Examples:
 - List directories or find files: fd [".", "./", "--max-depth", "3", "--type", "d", "--hidden"]
@@ -78,7 +85,7 @@ Examples:
 
 ## tmux_command
 
-- Only use when the user explicitly requests it.
+- Use only when the user explicitly requests it.
 - Create a new session with the given tmux session id.
 
 Examples:

package/src/tool.d.ts

@@ -37,6 +37,8 @@ export type ToolUseApproverConfig = {
   patterns: ToolUsePattern[];
   maxApprovals: number;
   defaultAction: "deny" | "ask";
+  /** Additional absolute paths to allow for auto-approval (outside working directory) */
+  allowedPaths?: string[];
 
   /**
    * Mask the input before auto-approval checks and recording.

package/src/toolInputValidator.mjs

@@ -9,39 +9,37 @@ import {
 } from "./env.mjs";
 import { noThrowSync } from "./utils/noThrow.mjs";
 
-// Paths that must never be auto-approvable as tool input, even when
-// git-managed. Sandbox scripts run on the host and the project config files
-// drive auto-approval policy itself, so silent in-sandbox modification of
-// either could lead to host code execution or self-granted privilege
-// escalation.
-const UNSAFE_PROJECT_PATHS = [
-  path.join(AGENT_PROJECT_METADATA_DIR, "sandbox"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.json"),
-  path.join(AGENT_PROJECT_METADATA_DIR, "config.local.json"),
+const BUILTIN_ALLOWED_PATHS = [
+  AGENT_MEMORY_DIR,
+  AGENT_TMP_DIR,
+  CLAUDE_CODE_PLUGIN_DIR,
 ];
 
 /**
  * @param {unknown} input
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInput(input) {
+export function isSafeToolInput(input, allowedPaths = []) {
   if (["number", "boolean", "undefined"].includes(typeof input)) {
     return true;
   }
 
   if (typeof input === "string") {
-    return isSafeToolInputItem(input);
+    return isSafeToolInputItem(input, allowedPaths);
   }
 
   if (Array.isArray(input)) {
-    return input.every((item) => isSafeToolInput(item));
+    return input.every((item) => isSafeToolInput(item, allowedPaths));
   }
 
   if (typeof input === "object") {
     if (input === null) {
       return true;
     }
-    return Object.values(input).every((value) => isSafeToolInput(value));
+    return Object.values(input).every((value) =>
+      isSafeToolInput(value, allowedPaths),
+    );
   }
 
   return false;
@@ -49,9 +47,10 @@ export function isSafeToolInput(input) {
 
 /**
  * @param {string} arg
+ * @param {string[]} [allowedPaths=[]] - Additional allowed paths (outside working directory)
  * @returns {boolean}
  */
-export function isSafeToolInputItem(arg) {
+export function isSafeToolInputItem(arg, allowedPaths = []) {
   const workingDir = process.cwd();
 
   // Note: An argument can be a command option (e.g., '-l').
@@ -63,29 +62,38 @@ export function isSafeToolInputItem(arg) {
     return false;
   }
 
-  // Disallow paths outside the working directory (WITHOUT EXCEPTION)
-  if (!isInsideWorkingDirectory(realPath, workingDir)) {
-    return false;
-  }
-
   // Disallow any input that contains ".." as a path segment (directory traversal)
   // Example:
   // - When write_file is allowed for ^safe-dir/.+
   // - "safe-dir/../unsafe-path" should be disallowed
+  // This check must happen before allowedPaths check for security
   if (arg.split(path.sep).includes("..")) {
     return false;
   }
 
-  // Always require approval for these, even if git-managed.
-  if (isUnsafeProjectPath(realPath)) {
+  // Built-in allowed paths (memory, tmp, claude-code-plugins) are always safe.
+  // This check must come before the .plain-agent/ block below.
+  if (isInBuiltinAllowedPath(realPath)) {
+    return true;
+  }
+
+  // Any other path under .plain-agent/ is unsafe and cannot be overridden
+  // by allowedPaths. This prevents privilege escalation via sandbox scripts
+  // or config files even when explicitly listed in allowedPaths.
+  if (isInsideProjectMetadataDir(realPath)) {
     return false;
   }
 
-  // Always allow these even if git-ignored.
-  if (isSafePath(realPath)) {
+  // User-configured allowed paths (outside working directory)
+  if (isInUserAllowedPath(realPath, allowedPaths)) {
     return true;
   }
 
+  // Disallow paths outside the working directory (not in allowedPaths)
+  if (!isInsideWorkingDirectory(realPath, workingDir)) {
+    return false;
+  }
+
   // Deny git ignored files (which may contain sensitive information or should not be accessed)
   return !isGitIgnored(realPath);
 }
@@ -153,43 +161,60 @@ function isInsideWorkingDirectory(targetPath, workingDir) {
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a built-in allowed directory
+ * (.plain-agent/{memory,tmp,claude-code-plugins}).
+ * @param {string} targetPath - Must be an absolute path.
  * @returns {boolean}
  */
-function isSafePath(targetPath) {
-  const safePaths = [AGENT_MEMORY_DIR, AGENT_TMP_DIR, CLAUDE_CODE_PLUGIN_DIR];
-
-  for (const safePath of safePaths) {
-    const safeAbsPath = path.resolve(safePath);
+function isInBuiltinAllowedPath(targetPath) {
+  for (const builtinPath of BUILTIN_ALLOWED_PATHS) {
+    const absPath = path.resolve(builtinPath);
     if (
-      targetPath === safeAbsPath ||
-      targetPath.startsWith(`${safeAbsPath}${path.sep}`)
+      targetPath === absPath ||
+      targetPath.startsWith(`${absPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
 /**
- * @param {string} targetPath
+ * Check if the path is under a user-configured allowed path.
+ * @param {string} targetPath - Must be an absolute path.
+ * @param {string[]} allowedPaths - Additional absolute paths (outside working directory)
  * @returns {boolean}
  */
-function isUnsafeProjectPath(targetPath) {
-  for (const unsafePath of UNSAFE_PROJECT_PATHS) {
-    const unsafeAbsPath = path.resolve(unsafePath);
+function isInUserAllowedPath(targetPath, allowedPaths) {
+  // User-provided paths must be absolute; relative paths are silently skipped
+  // to prevent unintended access from CWD-dependent resolution.
+  for (const allowedPath of allowedPaths) {
+    if (!path.isAbsolute(allowedPath)) {
+      continue;
+    }
     if (
-      targetPath === unsafeAbsPath ||
-      targetPath.startsWith(`${unsafeAbsPath}${path.sep}`)
+      targetPath === allowedPath ||
+      targetPath.startsWith(`${allowedPath}${path.sep}`)
     ) {
       return true;
     }
   }
-
   return false;
 }
 
+/**
+ * Check if the path is under .plain-agent/.
+ * @param {string} targetPath
+ * @returns {boolean}
+ */
+function isInsideProjectMetadataDir(targetPath) {
+  const metadataAbsPath = path.resolve(AGENT_PROJECT_METADATA_DIR);
+  return (
+    targetPath === metadataAbsPath ||
+    targetPath.startsWith(`${metadataAbsPath}${path.sep}`)
+  );
+}
+
 /**
  * @param {string} absPath
  * @returns {boolean}

package/src/toolUseApprover.mjs

@@ -15,6 +15,7 @@ export function createToolUseApprover({
   maxApprovals: max,
   defaultAction,
   maskApprovalInput,
+  allowedPaths = [],
 }) {
   const state = {
     approvalCount: 0,
@@ -64,7 +65,7 @@ export function createToolUseApprover({
 
       if (action === "allow") {
         const maskedInput = maskApprovalInput(toolUse.toolName, toolUse.input);
-        if (isSafeToolInput(maskedInput)) {
+        if (isSafeToolInput(maskedInput, allowedPaths)) {
           state.approvalCount += 1;
           return state.approvalCount <= max
             ? { action: "allow" }

package/src/tools/patchFile.mjs

@@ -31,18 +31,26 @@ Format — a single patch string may contain multiple blocks:
 >>> ${nonce} {start}:{startHash}-{end}:{endHash}
 new content
 <<< ${nonce}
+
+>>> ${nonce} {start}:{startHash}-{end}:{endHash}
+another new content
+<<< ${nonce}
+
 >>> ${nonce} {N}:{afterHash}+
-inserted content
+appended content after line N
 <<< ${nonce}
+
 >>> ${nonce} 0+
 prepended content
 <<< ${nonce}
 
+>>> ${nonce} 10:ab-15:cd
+(empty body deletes the range)
+<<< ${nonce}
+
 - The nonce "${nonce}" is constant; always use the exact value shown above.
 - Line numbers are 1-indexed and refer to the original file; "{start}-{end}" is inclusive.
 - Hashes are 2-character hex hashes of each line's full content as shown by read_file (e.g. "a3").
-- "{N}:{afterHash}+" inserts after line N; "0+" prepends (no hash needed). "{lastLine}:{hash}+" appends.
-- An empty body deletes the range.
             `.trim(),
             type: "string",
           },