npm - @iinm/plain-agent - Versions diffs - 1.8.10 → 1.8.11 - Mend

@iinm/plain-agent 1.8.10 → 1.8.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +4 -6
package/config/agents.predefined/sandbox-configurator.md +2 -6
package/package.json +1 -1
package/src/toolInputValidator.mjs +31 -15

package/README.md CHANGED Viewed

@@ -322,17 +322,15 @@ Files are loaded in the following order. Settings in later files override earlie
   └── .plain-agent/
         ├── (3) config.json        # Project-specific configuration
         ├── (4) config.local.json  # Project-specific local configuration (including secrets)
-        ├── memory/                  # Task-specific memory files (auto-approvable, writable in sandbox)
-        ├── tmp/                     # Agent scratch space (auto-approvable, writable in sandbox)
-        ├── claude-code-plugins/     # Cached Claude Code plugins (auto-approvable, writable in sandbox)
+        ├── memory/                  # Task-specific memory files (auto-approvable)
+        ├── tmp/                     # Agent scratch space (auto-approvable)
+        ├── claude-code-plugins/     # Cached Claude Code plugins
         ├── prompts/                 # Project-specific prompts
         ├── agents/                  # Project-specific agent roles
-        ├── sandbox/                 # Sandbox runner scripts (run.sh, Dockerfile)
+        ├── sandbox/                 # Sandbox runner scripts (run.sh, Dockerfile); always require approval
         └── setup.sh                 # Initial setup script
 ```
-Within `.plain-agent/`, only `memory/`, `tmp/`, and `claude-code-plugins/` are auto-approvable as tool input; everything else is executed on the host or changes agent behavior, so writes/reads require explicit approval. The sandbox runner mounts `.plain-agent/` read-only and re-overlays those three scratch directories as writable.
 ### Example
 <details>

package/config/agents.predefined/sandbox-configurator.md CHANGED Viewed

@@ -76,22 +76,18 @@ Generate `.plain-agent/sandbox/run.sh`. Use the following Node.js example as the
 set -eu -o pipefail
 # Mount .plain-agent/ as read-only over the writable project root, then
-# re-overlay the agent's scratch directories as writable. This prevents
-# in-sandbox modification of host-executed scripts (sandbox/run.sh,
-# setup.sh) and agent config (config.json, prompts/, agents/, ...).
+# re-overlay only memory/ and tmp/ as writable scratch space.
 working_dir=$(pwd)
 metadata_dir="$working_dir/.plain-agent"
 mkdir -p \
   "$metadata_dir/memory" \
-  "$metadata_dir/tmp" \
-  "$metadata_dir/claude-code-plugins"
+  "$metadata_dir/tmp"
 options=(
   --allow-write
   --mount-readonly "$metadata_dir:$metadata_dir"
   --mount-writable "$metadata_dir/memory:$metadata_dir/memory"
   --mount-writable "$metadata_dir/tmp:$metadata_dir/tmp"
-  --mount-writable "$metadata_dir/claude-code-plugins:$metadata_dir/claude-code-plugins"
   --volume plain-sandbox--global--home-npm:/home/sandbox/.npm
   --volume node_modules
 )

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@iinm/plain-agent",
-  "version": "1.8.10",
+  "version": "1.8.11",
   "description": "A lightweight CLI-based coding agent",
   "license": "MIT",
   "type": "module",

package/src/toolInputValidator.mjs CHANGED Viewed

@@ -9,6 +9,17 @@ import {
 } from "./env.mjs";
 import { noThrowSync } from "./utils/noThrow.mjs";
+// Paths that must never be auto-approvable as tool input, even when
+// git-managed. Sandbox scripts run on the host and the project config files
+// drive auto-approval policy itself, so silent in-sandbox modification of
+// either could lead to host code execution or self-granted privilege
+// escalation.
+const UNSAFE_PROJECT_PATHS = [
+  path.join(AGENT_PROJECT_METADATA_DIR, "sandbox"),
+  path.join(AGENT_PROJECT_METADATA_DIR, "config.json"),
+  path.join(AGENT_PROJECT_METADATA_DIR, "config.local.json"),
+];
 /**
  * @param {unknown} input
  * @returns {boolean}
@@ -65,15 +76,14 @@ export function isSafeToolInputItem(arg) {
     return false;
   }
-  // Inside the agent metadata directory, only the agent's known scratch
-  // directories (memory, tmp, claude-code-plugins) are auto-approvable
-  // (and that exception applies even when those subdirectories are
-  // git-ignored). Other entries (sandbox/, setup.sh, config.json,
-  // prompts/, agents/, ...) are executed on the host or change agent
-  // behavior across sessions, so tool uses targeting them must require
-  // explicit approval even if the file is git-managed.
-  if (isInsideAgentMetadataDir(realPath)) {
-    return isSafePath(realPath);
+  // Always require approval for these, even if git-managed.
+  if (isUnsafeProjectPath(realPath)) {
+    return false;
+  }
+  // Always allow these even if git-ignored.
+  if (isSafePath(realPath)) {
+    return true;
   }
   // Deny git ignored files (which may contain sensitive information or should not be accessed)
@@ -166,12 +176,18 @@ function isSafePath(targetPath) {
  * @param {string} targetPath
  * @returns {boolean}
  */
-function isInsideAgentMetadataDir(targetPath) {
-  const metadataAbsPath = path.resolve(AGENT_PROJECT_METADATA_DIR);
-  return (
-    targetPath === metadataAbsPath ||
-    targetPath.startsWith(`${metadataAbsPath}${path.sep}`)
-  );
+function isUnsafeProjectPath(targetPath) {
+  for (const unsafePath of UNSAFE_PROJECT_PATHS) {
+    const unsafeAbsPath = path.resolve(unsafePath);
+    if (
+      targetPath === unsafeAbsPath ||
+      targetPath.startsWith(`${unsafeAbsPath}${path.sep}`)
+    ) {
+      return true;
+    }
+  }
+  return false;
 }
 /**