@iinm/plain-agent 1.8.9 → 1.8.11

package/README.md

@@ -322,9 +322,13 @@ Files are loaded in the following order. Settings in later files override earlie
   └── .plain-agent/
         ├── (3) config.json        # Project-specific configuration
         ├── (4) config.local.json  # Project-specific local configuration (including secrets)
-        ├── memory/                  # Task-specific memory files
+        ├── memory/                  # Task-specific memory files (auto-approvable)
+        ├── tmp/                     # Agent scratch space (auto-approvable)
+        ├── claude-code-plugins/     # Cached Claude Code plugins
         ├── prompts/                 # Project-specific prompts
-        └── agents/                  # Project-specific agent roles
+        ├── agents/                  # Project-specific agent roles
+        ├── sandbox/                 # Sandbox runner scripts (run.sh, Dockerfile); always require approval
+        └── setup.sh                 # Initial setup script
 ```
 
 ### Example

package/config/agents.predefined/sandbox-configurator.md

@@ -75,8 +75,19 @@ Generate `.plain-agent/sandbox/run.sh`. Use the following Node.js example as the
 
 set -eu -o pipefail
 
+# Mount .plain-agent/ as read-only over the writable project root, then
+# re-overlay only memory/ and tmp/ as writable scratch space.
+working_dir=$(pwd)
+metadata_dir="$working_dir/.plain-agent"
+mkdir -p \
+  "$metadata_dir/memory" \
+  "$metadata_dir/tmp"
+
 options=(
   --allow-write
+  --mount-readonly "$metadata_dir:$metadata_dir"
+  --mount-writable "$metadata_dir/memory:$metadata_dir/memory"
+  --mount-writable "$metadata_dir/tmp:$metadata_dir/tmp"
   --volume plain-sandbox--global--home-npm:/home/sandbox/.npm
   --volume node_modules
 )

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iinm/plain-agent",
-  "version": "1.8.9",
+  "version": "1.8.11",
   "description": "A lightweight CLI-based coding agent",
   "license": "MIT",
   "type": "module",

package/src/toolInputValidator.mjs

@@ -3,11 +3,23 @@ import fs from "node:fs";
 import path from "node:path";
 import {
   AGENT_MEMORY_DIR,
+  AGENT_PROJECT_METADATA_DIR,
   AGENT_TMP_DIR,
   CLAUDE_CODE_PLUGIN_DIR,
 } from "./env.mjs";
 import { noThrowSync } from "./utils/noThrow.mjs";
 
+// Paths that must never be auto-approvable as tool input, even when
+// git-managed. Sandbox scripts run on the host and the project config files
+// drive auto-approval policy itself, so silent in-sandbox modification of
+// either could lead to host code execution or self-granted privilege
+// escalation.
+const UNSAFE_PROJECT_PATHS = [
+  path.join(AGENT_PROJECT_METADATA_DIR, "sandbox"),
+  path.join(AGENT_PROJECT_METADATA_DIR, "config.json"),
+  path.join(AGENT_PROJECT_METADATA_DIR, "config.local.json"),
+];
+
 /**
  * @param {unknown} input
  * @returns {boolean}
@@ -64,7 +76,12 @@ export function isSafeToolInputItem(arg) {
     return false;
   }
 
-  // Allow safe path even if git-ignored.
+  // Always require approval for these, even if git-managed.
+  if (isUnsafeProjectPath(realPath)) {
+    return false;
+  }
+
+  // Always allow these even if git-ignored.
   if (isSafePath(realPath)) {
     return true;
   }
@@ -155,6 +172,24 @@ function isSafePath(targetPath) {
   return false;
 }
 
+/**
+ * @param {string} targetPath
+ * @returns {boolean}
+ */
+function isUnsafeProjectPath(targetPath) {
+  for (const unsafePath of UNSAFE_PROJECT_PATHS) {
+    const unsafeAbsPath = path.resolve(unsafePath);
+    if (
+      targetPath === unsafeAbsPath ||
+      targetPath.startsWith(`${unsafeAbsPath}${path.sep}`)
+    ) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /**
  * @param {string} absPath
  * @returns {boolean}