npm - @kkelly-offical/kkcode - Versions diffs - 0.1.6 → 0.2.1 - Mend

@kkelly-offical/kkcode 0.1.6 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (163) hide show

package/LICENSE +674 -674
package/README.md +452 -387
package/package.json +50 -46
package/src/agent/agent.mjs +19 -2
package/src/agent/custom-agent-loader.mjs +6 -3
package/src/agent/generator.mjs +2 -2
package/src/agent/prompt/assistant.txt +12 -0
package/src/agent/prompt/bug-hunter.txt +90 -0
package/src/agent/prompt/frontend-designer.txt +58 -58
package/src/agent/prompt/guide.txt +1 -1
package/src/agent/prompt/longagent-blueprint-agent.txt +83 -83
package/src/agent/prompt/longagent-coding-agent.txt +37 -37
package/src/agent/prompt/longagent-debugging-agent.txt +46 -46
package/src/agent/prompt/longagent-preview-agent.txt +63 -63
package/src/command/custom-commands.mjs +2 -2
package/src/commands/agent.mjs +1 -1
package/src/commands/background.mjs +145 -4
package/src/commands/chat.mjs +117 -76
package/src/commands/config.mjs +148 -1
package/src/commands/doctor.mjs +30 -6
package/src/commands/init.mjs +32 -6
package/src/commands/longagent.mjs +117 -0
package/src/commands/mcp.mjs +275 -43
package/src/commands/permission.mjs +1 -1
package/src/commands/session.mjs +195 -140
package/src/commands/skill.mjs +63 -0
package/src/commands/theme.mjs +1 -1
package/src/config/defaults.mjs +280 -260
package/src/config/import-config.mjs +1 -1
package/src/config/load-config.mjs +61 -4
package/src/config/schema.mjs +591 -574
package/src/context.mjs +4 -1
package/src/core/constants.mjs +97 -91
package/src/core/types.mjs +1 -1
package/src/github/api.mjs +78 -78
package/src/github/auth.mjs +294 -286
package/src/github/flow.mjs +298 -298
package/src/github/workspace.mjs +225 -212
package/src/index.mjs +84 -82
package/src/knowledge/frontend-aesthetics.txt +38 -38
package/src/mcp/client-http.mjs +139 -141
package/src/mcp/client-sse.mjs +297 -288
package/src/mcp/client-stdio.mjs +534 -533
package/src/mcp/constants.mjs +2 -2
package/src/mcp/registry.mjs +498 -479
package/src/mcp/stdio-framing.mjs +135 -133
package/src/mcp/tool-result.mjs +24 -24
package/src/observability/edit-diagnostics.mjs +449 -0
package/src/observability/index.mjs +42 -42
package/src/observability/metrics.mjs +165 -137
package/src/observability/tracer.mjs +137 -137
package/src/onboarding.mjs +209 -0
package/src/orchestration/background-manager.mjs +567 -372
package/src/orchestration/background-worker.mjs +419 -305
package/src/orchestration/interruption-reason.mjs +21 -0
package/src/orchestration/longagent-manager.mjs +197 -171
package/src/orchestration/stage-scheduler.mjs +733 -728
package/src/orchestration/subagent-router.mjs +7 -1
package/src/orchestration/task-scheduler.mjs +219 -7
package/src/permission/engine.mjs +1 -1
package/src/permission/exec-policy.mjs +370 -370
package/src/permission/file-edit-policy.mjs +108 -0
package/src/permission/prompt.mjs +1 -1
package/src/permission/rules.mjs +116 -7
package/src/plugin/builtin-hooks/post-edit-format.mjs +2 -1
package/src/plugin/builtin-hooks/post-edit-typecheck.mjs +104 -40
package/src/plugin/hook-bus.mjs +19 -5
package/src/plugin/manifest-loader.mjs +222 -0
package/src/provider/anthropic.mjs +396 -390
package/src/provider/ollama.mjs +7 -1
package/src/provider/openai.mjs +382 -340
package/src/provider/retry-policy.mjs +74 -68
package/src/provider/router.mjs +242 -241
package/src/provider/sse.mjs +104 -104
package/src/provider/wizard.mjs +556 -0
package/src/repl/capability-facade.mjs +30 -0
package/src/repl/command-surface.mjs +23 -0
package/src/repl/controller-entry.mjs +40 -0
package/src/repl/core-shell.mjs +208 -0
package/src/repl/dialog-router.mjs +87 -0
package/src/repl/input-engine.mjs +76 -0
package/src/repl/keymap.mjs +7 -0
package/src/repl/operator-surface.mjs +15 -0
package/src/repl/permission-flow.mjs +49 -0
package/src/repl/runtime-facade.mjs +36 -0
package/src/repl/slash-router.mjs +62 -0
package/src/repl/state-store.mjs +29 -0
package/src/repl/turn-controller.mjs +58 -0
package/src/repl/verification.mjs +23 -0
package/src/repl.mjs +3368 -2929
package/src/rules/load-rules.mjs +3 -3
package/src/runtime.mjs +1 -1
package/src/session/agent-transaction.mjs +86 -0
package/src/session/checkpoint.mjs +302 -302
package/src/session/compaction.mjs +36 -14
package/src/session/engine.mjs +417 -227
package/src/session/longagent-4stage.mjs +467 -460
package/src/session/longagent-hybrid.mjs +1344 -1081
package/src/session/longagent-plan.mjs +376 -365
package/src/session/longagent-project-memory.mjs +53 -53
package/src/session/longagent-scaffold.mjs +291 -291
package/src/session/longagent-task-bus.mjs +138 -54
package/src/session/longagent-utils.mjs +828 -472
package/src/session/longagent.mjs +911 -884
package/src/session/loop.mjs +1005 -905
package/src/session/prompt/agent.txt +25 -0
package/src/session/prompt/anthropic.txt +150 -150
package/src/session/prompt/beast.txt +1 -1
package/src/session/prompt/plan.txt +28 -6
package/src/session/prompt/qwen.txt +46 -46
package/src/session/recovery.mjs +21 -0
package/src/session/rollback.mjs +197 -0
package/src/session/routing-observability.mjs +72 -0
package/src/session/runtime-state.mjs +47 -0
package/src/session/store.mjs +523 -510
package/src/session/system-prompt.mjs +56 -8
package/src/session/task-validator.mjs +267 -267
package/src/session/usability-gates.mjs +2 -2
package/src/skill/builtin/commit.mjs +64 -64
package/src/skill/builtin/design.mjs +76 -76
package/src/skill/generator.mjs +18 -2
package/src/skill/registry.mjs +642 -390
package/src/storage/audit-store.mjs +18 -11
package/src/storage/event-log.mjs +7 -1
package/src/storage/ghost-commit-store.mjs +243 -245
package/src/storage/paths.mjs +13 -0
package/src/theme/default-theme.mjs +1 -1
package/src/theme/markdown.mjs +4 -0
package/src/theme/schema.mjs +1 -1
package/src/theme/status-bar.mjs +162 -158
package/src/tool/audit-wrapper.mjs +18 -2
package/src/tool/edit-transaction.mjs +23 -0
package/src/tool/executor.mjs +26 -1
package/src/tool/file-read-state.mjs +65 -0
package/src/tool/git-auto.mjs +526 -526
package/src/tool/git-full-auto.mjs +487 -478
package/src/tool/mutation-guard.mjs +54 -0
package/src/tool/prompt/edit.txt +3 -3
package/src/tool/prompt/multiedit.txt +1 -0
package/src/tool/prompt/notebookedit.txt +2 -1
package/src/tool/prompt/patch.txt +25 -24
package/src/tool/prompt/read.txt +3 -3
package/src/tool/prompt/sysinfo.txt +29 -0
package/src/tool/prompt/task.txt +66 -4
package/src/tool/prompt/write.txt +2 -2
package/src/tool/question-prompt.mjs +17 -4
package/src/tool/registry.mjs +1701 -1343
package/src/tool/task-tool.mjs +14 -6
package/src/ui/activity-renderer.mjs +667 -664
package/src/ui/repl-background-panel.mjs +7 -0
package/src/ui/repl-capability-panel.mjs +9 -0
package/src/ui/repl-dashboard.mjs +54 -4
package/src/ui/repl-help.mjs +110 -0
package/src/ui/repl-operator-panel.mjs +12 -0
package/src/ui/repl-route-feedback.mjs +35 -0
package/src/ui/repl-status-view.mjs +76 -0
package/src/ui/repl-task-panel.mjs +5 -0
package/src/ui/repl-transcript-panel.mjs +56 -0
package/src/ui/repl-turn-summary.mjs +135 -0
package/src/usage/pricing.mjs +122 -121
package/src/usage/usage-meter.mjs +1 -0
package/src/util/git.mjs +562 -519
package/src/util/template.mjs +6 -1

package/src/permission/exec-policy.mjs CHANGED Viewed

@@ -1,370 +1,370 @@
-/**
- * 执行策略 (Execution Policy)
- *
- * 定义 AI Agent 执行命令的安全规则。
- * 参考 Codex 的设计理念：
- * - AI 可以修改文件（通过 patch）
- * - AI 可以查看 Git 状态
- * - AI 不能执行某些危险操作（如 git commit, git push）
- *
- * 安全原则：
- * 1. 最小权限原则 - AI 只拥有完成任务必需的最小权限
- * 2. 用户保留控制权 - 关键操作（commit/push）必须由用户手动执行
- * 3. 透明可审计 - 所有策略决策都有明确的原因
- */
-/**
- * 决策类型
- */
-export const Decision = {
-  ALLOW: "allow",       // 允许执行
-  FORBID: "forbid",     // 禁止执行
-  WARN: "warn",         // 警告但允许（记录日志）
-  CONFIRM: "confirm"    // 需要用户确认
-}
-/**
- * 规则匹配器
- */
-function createMatcher(pattern) {
-  if (typeof pattern === "string") {
-    return (cmd) => cmd.includes(pattern)
-  }
-  if (pattern instanceof RegExp) {
-    return (cmd) => pattern.test(cmd)
-  }
-  if (Array.isArray(pattern)) {
-    // RegExp 数组：任一匹配即命中
-    if (pattern[0] instanceof RegExp) {
-      return (cmd) => pattern.some(re => re.test(cmd))
-    }
-    // 字符串数组：按顺序包含所有元素（用于匹配 git commit）
-    return (cmd) => {
-      const parts = cmd.toLowerCase().split(/\s+/)
-      let patternIdx = 0
-      for (const part of parts) {
-        if (patternIdx < pattern.length && part === pattern[patternIdx].toLowerCase()) {
-          patternIdx++
-        }
-      }
-      return patternIdx === pattern.length
-    }
-  }
-  return () => false
-}
-/**
- * 执行策略规则
- */
-const DEFAULT_RULES = [
-  // =========================================================================
-  // 高危操作 - 禁止
-  // =========================================================================
-  {
-    name: "forbid_git_commit",
-    pattern: ["git", "commit"],
-    decision: Decision.FORBID,
-    reason: "AI cannot directly create git commits. Use git_snapshot to create temporary snapshots instead. Users must manually run 'git commit' to finalize changes.",
-    category: "git_safety"
-  },
-  {
-    name: "forbid_git_push",
-    pattern: ["git", "push"],
-    decision: Decision.FORBID,
-    reason: "AI cannot push to remote repositories. Users must manually review and push changes.",
-    category: "git_safety"
-  },
-  {
-    name: "forbid_git_force_push",
-    pattern: [/git\s+push\s+.*--force/, /git\s+push\s+.*-f\b/],
-    decision: Decision.FORBID,
-    reason: "Force push is extremely dangerous and can overwrite remote history. Never allowed for AI.",
-    category: "git_safety"
-  },
-  {
-    name: "forbid_git_reset_hard",
-    pattern: ["git", "reset", "--hard"],
-    decision: Decision.FORBID,
-    reason: "Hard reset destroys uncommitted changes. Use git_restore with a snapshot ID instead.",
-    category: "git_safety"
-  },
-  {
-    name: "forbid_git_clean_fd",
-    pattern: [/git\s+clean\s+.*-f/, /git\s+clean\s+.*-d/],
-    decision: Decision.FORBID,
-    reason: "git clean -f/-d deletes untracked files and directories. Dangerous operation.",
-    category: "git_safety"
-  },
-  // =========================================================================
-  // 文件系统危险操作 - 禁止
-  // =========================================================================
-  {
-    name: "forbid_rm_rf",
-    pattern: [/rm\s+-rf?\s+\//, /rm\s+.*\*\s+.*\/\.\.?/],
-    decision: Decision.FORBID,
-    reason: "Dangerous file deletion pattern detected. Cannot delete system directories or use wildcards with relative path traversals.",
-    category: "fs_safety"
-  },
-  {
-    name: "forbid_dd_disk",
-    pattern: [/dd\s+.*of=\/dev\//],
-    decision: Decision.FORBID,
-    reason: "Direct disk write operations are forbidden.",
-    category: "fs_safety"
-  },
-  {
-    name: "forbid_mkfs",
-    pattern: ["mkfs"],
-    decision: Decision.FORBID,
-    reason: "Filesystem formatting operations are forbidden.",
-    category: "fs_safety"
-  },
-  // =========================================================================
-  // 网络危险操作 - 禁止
-  // =========================================================================
-  {
-    name: "forbid_curl_pipe_sh",
-    pattern: [/curl\s+.*\|\s*(ba)?sh/, /wget\s+.*\|\s*(ba)?sh/],
-    decision: Decision.FORBID,
-    reason: "Piping curl/wget output directly to shell is dangerous and can execute arbitrary code.",
-    category: "network_safety"
-  },
-  // =========================================================================
-  // 权限提升操作 - 需要确认
-  // =========================================================================
-  {
-    name: "confirm_sudo",
-    pattern: ["sudo"],
-    decision: Decision.CONFIRM,
-    reason: "Command requires elevated privileges. Please confirm this is necessary.",
-    category: "privilege"
-  },
-  {
-    name: "confirm_chmod_777",
-    pattern: [/chmod\s+.*777/],
-    decision: Decision.WARN,
-    reason: "777 permissions grant full access to everyone. Consider using more restrictive permissions.",
-    category: "privilege"
-  },
-  // =========================================================================
-  // Git 信息查看 - 允许
-  // =========================================================================
-  {
-    name: "allow_git_status",
-    pattern: ["git", "status"],
-    decision: Decision.ALLOW,
-    reason: "Reading git status is safe and necessary.",
-    category: "git_read"
-  },
-  {
-    name: "allow_git_log",
-    pattern: ["git", "log"],
-    decision: Decision.ALLOW,
-    reason: "Reading git history is safe.",
-    category: "git_read"
-  },
-  {
-    name: "allow_git_diff",
-    pattern: ["git", "diff"],
-    decision: Decision.ALLOW,
-    reason: "Reading git diff is safe.",
-    category: "git_read"
-  },
-  {
-    name: "allow_git_show",
-    pattern: ["git", "show"],
-    decision: Decision.ALLOW,
-    reason: "Reading commit details is safe.",
-    category: "git_read"
-  }
-]
-/**
- * 执行策略评估结果
- */
-export class PolicyResult {
-  constructor(decision, rule, reason, category) {
-    this.decision = decision
-    this.rule = rule
-    this.reason = reason
-    this.category = category
-  }
-  isAllowed() {
-    return this.decision === Decision.ALLOW
-  }
-  isForbidden() {
-    return this.decision === Decision.FORBID
-  }
-  needsConfirmation() {
-    return this.decision === Decision.CONFIRM
-  }
-}
-/**
- * 评估命令是否符合执行策略
- *
- * @param {string} command - 要评估的命令
- * @param {Object} options - 选项
- * @param {boolean} [options.strict=false] - 严格模式（默认禁止任何未明确允许的操作）
- * @param {Array} [options.customRules=[]] - 自定义规则
- * @returns {PolicyResult}
- */
-export function evaluateCommand(command, options = {}) {
-  const { strict = false, customRules = [] } = options
-  const rules = [...customRules, ...DEFAULT_RULES]
-  const normalizedCmd = String(command || "").trim()
-  for (const rule of rules) {
-    const matcher = createMatcher(rule.pattern)
-    if (matcher(normalizedCmd)) {
-      return new PolicyResult(
-        rule.decision,
-        rule.name,
-        rule.reason,
-        rule.category
-      )
-    }
-  }
-  // 严格模式：未匹配任何规则则禁止
-  if (strict) {
-    return new PolicyResult(
-      Decision.FORBID,
-      "strict_mode",
-      "Command not in allowlist (strict mode)",
-      "strict"
-    )
-  }
-  // 默认允许
-  return new PolicyResult(
-    Decision.ALLOW,
-    "default",
-    "No policy rules matched, allowing by default",
-    "default"
-  )
-}
-/**
- * 检查 bash 工具调用是否被允许
- *
- * @param {string} command - 命令
- * @param {Object} config - 配置
- * @returns {{allowed: boolean, reason?: string, warning?: string}}
- */
-export function checkBashAllowed(command, config = {}) {
-  // 全自动化模式检查
-  const fullAuto = config.git_auto?.full_auto === true
-  const allowDangerous = config.git_auto?.allow_dangerous_ops === true
-  // 检查是否配置了全局禁止 git commit/push
-  // 全自动化模式下，如果 auto_commit/auto_push 启用，则允许
-  const autoCommit = fullAuto && config.git_auto?.auto_commit === true
-  const autoPush = fullAuto && config.git_auto?.auto_push === true
-  if (!autoCommit && config.git_auto?.forbid_commit !== false) {
-    const commitPattern = /^git\s+commit\b/i
-    if (commitPattern.test(command)) {
-      return {
-        allowed: false,
-        reason: "git commit is forbidden for AI. Use git_snapshot to create temporary snapshots, then manually commit when satisfied. Or enable git_auto.full_auto and git_auto.auto_commit for automatic commits."
-      }
-    }
-  }
-  if (!autoPush && config.git_auto?.forbid_push !== false) {
-    const pushPattern = /^git\s+push\b/i
-    if (pushPattern.test(command)) {
-      return {
-        allowed: false,
-        reason: "git push is forbidden for AI. Users must manually review and push changes. Or enable git_auto.full_auto and git_auto.auto_push for automatic pushes."
-      }
-    }
-  }
-  // 执行完整策略评估
-  const result = evaluateCommand(command)
-  if (result.isForbidden()) {
-    // 全自动化模式下，仅 git_safety 类别的危险操作可被允许
-    if (fullAuto && allowDangerous && result.category === "git_safety") {
-      return {
-        allowed: true,
-        warning: `Dangerous git operation allowed in full-auto mode: ${result.reason}`
-      }
-    }
-    // 其他 forbidden 类别（fs_safety, network_safety 等）始终禁止
-    return {
-      allowed: false,
-      reason: result.reason
-    }
-  }
-  return { allowed: true }
-}
-/**
- * 获取当前执行策略模式
- *
- * @param {Object} config - 配置
- * @returns {{mode: string, restrictions: string[]}}
- */
-export function getPolicyMode(config = {}) {
-  if (config.git_auto?.full_auto === true) {
-    const restrictions = []
-    if (config.git_auto?.auto_commit !== true) restrictions.push("no_auto_commit")
-    if (config.git_auto?.auto_push !== true) restrictions.push("no_auto_push")
-    if (config.git_auto?.allow_dangerous_ops !== true) restrictions.push("no_dangerous_ops")
-    return {
-      mode: "full_auto",
-      restrictions: restrictions.length > 0 ? restrictions : ["none"]
-    }
-  }
-  return {
-    mode: "safe",
-    restrictions: ["no_commit", "no_push", "no_dangerous_ops"]
-  }
-}
-/**
- * 检查是否为全自动化模式
- */
-export function isFullAutoMode(config = {}) {
-  return config.git_auto?.full_auto === true
-}
-/**
- * 获取所有禁止的规则（用于文档）
- */
-export function getForbiddenRules() {
-  return DEFAULT_RULES
-    .filter(r => r.decision === Decision.FORBID)
-    .map(r => ({
-      name: r.name,
-      pattern: Array.isArray(r.pattern) ? r.pattern.join(" ") : r.pattern.toString(),
-      reason: r.reason
-    }))
-}
-/**
- * 检查是否为 Git 相关操作
- */
-export function isGitCommand(command) {
-  return /^git\s+/i.test(String(command || ""))
-}
+/**
+ * 执行策略 (Execution Policy)
+ *
+ * 定义 AI Agent 执行命令的安全规则。
+ * 参考 Codex 的设计理念：
+ * - AI 可以修改文件（通过 patch）
+ * - AI 可以查看 Git 状态
+ * - AI 不能执行某些危险操作（如 git commit, git push）
+ *
+ * 安全原则：
+ * 1. 最小权限原则 - AI 只拥有完成任务必需的最小权限
+ * 2. 用户保留控制权 - 关键操作（commit/push）必须由用户手动执行
+ * 3. 透明可审计 - 所有策略决策都有明确的原因
+ */
+/**
+ * 决策类型
+ */
+export const Decision = {
+  ALLOW: "allow",       // 允许执行
+  FORBID: "forbid",     // 禁止执行
+  WARN: "warn",         // 警告但允许（记录日志）
+  CONFIRM: "confirm"    // 需要用户确认
+}
+/**
+ * 规则匹配器
+ */
+function createMatcher(pattern) {
+  if (typeof pattern === "string") {
+    return (cmd) => cmd.includes(pattern)
+  }
+  if (pattern instanceof RegExp) {
+    return (cmd) => pattern.test(cmd)
+  }
+  if (Array.isArray(pattern)) {
+    // RegExp 数组：任一匹配即命中
+    if (pattern[0] instanceof RegExp) {
+      return (cmd) => pattern.some(re => re.test(cmd))
+    }
+    // 字符串数组：按顺序包含所有元素（用于匹配 git commit）
+    return (cmd) => {
+      const parts = cmd.toLowerCase().split(/\s+/)
+      let patternIdx = 0
+      for (const part of parts) {
+        if (patternIdx < pattern.length && part === pattern[patternIdx].toLowerCase()) {
+          patternIdx++
+        }
+      }
+      return patternIdx === pattern.length
+    }
+  }
+  return () => false
+}
+/**
+ * 执行策略规则
+ */
+const DEFAULT_RULES = [
+  // =========================================================================
+  // 高危操作 - 禁止
+  // =========================================================================
+  {
+    name: "forbid_git_commit",
+    pattern: ["git", "commit"],
+    decision: Decision.FORBID,
+    reason: "AI cannot directly create git commits. Use git_snapshot to create temporary snapshots instead. Users must manually run 'git commit' to finalize changes.",
+    category: "git_safety"
+  },
+  {
+    name: "forbid_git_push",
+    pattern: ["git", "push"],
+    decision: Decision.FORBID,
+    reason: "AI cannot push to remote repositories. Users must manually review and push changes.",
+    category: "git_safety"
+  },
+  {
+    name: "forbid_git_force_push",
+    pattern: [/git\s+push\s+.*--force/, /git\s+push\s+.*-f\b/],
+    decision: Decision.FORBID,
+    reason: "Force push is extremely dangerous and can overwrite remote history. Never allowed for AI.",
+    category: "git_safety"
+  },
+  {
+    name: "forbid_git_reset_hard",
+    pattern: ["git", "reset", "--hard"],
+    decision: Decision.FORBID,
+    reason: "Hard reset destroys uncommitted changes. Use git_restore with a snapshot ID instead.",
+    category: "git_safety"
+  },
+  {
+    name: "forbid_git_clean_fd",
+    pattern: [/git\s+clean\s+.*-f/, /git\s+clean\s+.*-d/],
+    decision: Decision.FORBID,
+    reason: "git clean -f/-d deletes untracked files and directories. Dangerous operation.",
+    category: "git_safety"
+  },
+  // =========================================================================
+  // 文件系统危险操作 - 禁止
+  // =========================================================================
+  {
+    name: "forbid_rm_rf",
+    pattern: [/rm\s+-rf?\s+\//, /rm\s+.*\*\s+.*\/\.\.?/],
+    decision: Decision.FORBID,
+    reason: "Dangerous file deletion pattern detected. Cannot delete system directories or use wildcards with relative path traversals.",
+    category: "fs_safety"
+  },
+  {
+    name: "forbid_dd_disk",
+    pattern: [/dd\s+.*of=\/dev\//],
+    decision: Decision.FORBID,
+    reason: "Direct disk write operations are forbidden.",
+    category: "fs_safety"
+  },
+  {
+    name: "forbid_mkfs",
+    pattern: ["mkfs"],
+    decision: Decision.FORBID,
+    reason: "Filesystem formatting operations are forbidden.",
+    category: "fs_safety"
+  },
+  // =========================================================================
+  // 网络危险操作 - 禁止
+  // =========================================================================
+  {
+    name: "forbid_curl_pipe_sh",
+    pattern: [/curl\s+.*\|\s*(ba)?sh/, /wget\s+.*\|\s*(ba)?sh/],
+    decision: Decision.FORBID,
+    reason: "Piping curl/wget output directly to shell is dangerous and can execute arbitrary code.",
+    category: "network_safety"
+  },
+  // =========================================================================
+  // 权限提升操作 - 需要确认
+  // =========================================================================
+  {
+    name: "confirm_sudo",
+    pattern: ["sudo"],
+    decision: Decision.CONFIRM,
+    reason: "Command requires elevated privileges. Please confirm this is necessary.",
+    category: "privilege"
+  },
+  {
+    name: "confirm_chmod_777",
+    pattern: [/chmod\s+.*777/],
+    decision: Decision.WARN,
+    reason: "777 permissions grant full access to everyone. Consider using more restrictive permissions.",
+    category: "privilege"
+  },
+  // =========================================================================
+  // Git 信息查看 - 允许
+  // =========================================================================
+  {
+    name: "allow_git_status",
+    pattern: ["git", "status"],
+    decision: Decision.ALLOW,
+    reason: "Reading git status is safe and necessary.",
+    category: "git_read"
+  },
+  {
+    name: "allow_git_log",
+    pattern: ["git", "log"],
+    decision: Decision.ALLOW,
+    reason: "Reading git history is safe.",
+    category: "git_read"
+  },
+  {
+    name: "allow_git_diff",
+    pattern: ["git", "diff"],
+    decision: Decision.ALLOW,
+    reason: "Reading git diff is safe.",
+    category: "git_read"
+  },
+  {
+    name: "allow_git_show",
+    pattern: ["git", "show"],
+    decision: Decision.ALLOW,
+    reason: "Reading commit details is safe.",
+    category: "git_read"
+  }
+]
+/**
+ * 执行策略评估结果
+ */
+export class PolicyResult {
+  constructor(decision, rule, reason, category) {
+    this.decision = decision
+    this.rule = rule
+    this.reason = reason
+    this.category = category
+  }
+  isAllowed() {
+    return this.decision === Decision.ALLOW
+  }
+  isForbidden() {
+    return this.decision === Decision.FORBID
+  }
+  needsConfirmation() {
+    return this.decision === Decision.CONFIRM
+  }
+}
+/**
+ * 评估命令是否符合执行策略
+ *
+ * @param {string} command - 要评估的命令
+ * @param {Object} options - 选项
+ * @param {boolean} [options.strict=false] - 严格模式（默认禁止任何未明确允许的操作）
+ * @param {Array} [options.customRules=[]] - 自定义规则
+ * @returns {PolicyResult}
+ */
+export function evaluateCommand(command, options = {}) {
+  const { strict = false, customRules = [] } = options
+  const rules = [...customRules, ...DEFAULT_RULES]
+  const normalizedCmd = String(command || "").trim()
+  for (const rule of rules) {
+    const matcher = createMatcher(rule.pattern)
+    if (matcher(normalizedCmd)) {
+      return new PolicyResult(
+        rule.decision,
+        rule.name,
+        rule.reason,
+        rule.category
+      )
+    }
+  }
+  // 严格模式：未匹配任何规则则禁止
+  if (strict) {
+    return new PolicyResult(
+      Decision.FORBID,
+      "strict_mode",
+      "Command not in allowlist (strict mode)",
+      "strict"
+    )
+  }
+  // 默认允许
+  return new PolicyResult(
+    Decision.ALLOW,
+    "default",
+    "No policy rules matched, allowing by default",
+    "default"
+  )
+}
+/**
+ * 检查 bash 工具调用是否被允许
+ *
+ * @param {string} command - 命令
+ * @param {Object} config - 配置
+ * @returns {{allowed: boolean, reason?: string, warning?: string}}
+ */
+export function checkBashAllowed(command, config = {}) {
+  // 全自动化模式检查
+  const fullAuto = config.git_auto?.full_auto === true
+  const allowDangerous = config.git_auto?.allow_dangerous_ops === true
+  // 检查是否配置了全局禁止 git commit/push
+  // 全自动化模式下，如果 auto_commit/auto_push 启用，则允许
+  const autoCommit = fullAuto && config.git_auto?.auto_commit === true
+  const autoPush = fullAuto && config.git_auto?.auto_push === true
+  if (!autoCommit && config.git_auto?.forbid_commit !== false) {
+    const commitPattern = /^git\s+commit\b/i
+    if (commitPattern.test(command)) {
+      return {
+        allowed: false,
+        reason: "git commit is forbidden for AI. Use git_snapshot to create temporary snapshots, then manually commit when satisfied. Or enable git_auto.full_auto and git_auto.auto_commit for automatic commits."
+      }
+    }
+  }
+  if (!autoPush && config.git_auto?.forbid_push !== false) {
+    const pushPattern = /^git\s+push\b/i
+    if (pushPattern.test(command)) {
+      return {
+        allowed: false,
+        reason: "git push is forbidden for AI. Users must manually review and push changes. Or enable git_auto.full_auto and git_auto.auto_push for automatic pushes."
+      }
+    }
+  }
+  // 执行完整策略评估
+  const result = evaluateCommand(command)
+  if (result.isForbidden()) {
+    // 全自动化模式下，仅 git_safety 类别的危险操作可被允许
+    if (fullAuto && allowDangerous && result.category === "git_safety") {
+      return {
+        allowed: true,
+        warning: `Dangerous git operation allowed in full-auto mode: ${result.reason}`
+      }
+    }
+    // 其他 forbidden 类别（fs_safety, network_safety 等）始终禁止
+    return {
+      allowed: false,
+      reason: result.reason
+    }
+  }
+  return { allowed: true }
+}
+/**
+ * 获取当前执行策略模式
+ *
+ * @param {Object} config - 配置
+ * @returns {{mode: string, restrictions: string[]}}
+ */
+export function getPolicyMode(config = {}) {
+  if (config.git_auto?.full_auto === true) {
+    const restrictions = []
+    if (config.git_auto?.auto_commit !== true) restrictions.push("no_auto_commit")
+    if (config.git_auto?.auto_push !== true) restrictions.push("no_auto_push")
+    if (config.git_auto?.allow_dangerous_ops !== true) restrictions.push("no_dangerous_ops")
+    return {
+      mode: "full_auto",
+      restrictions: restrictions.length > 0 ? restrictions : ["none"]
+    }
+  }
+  return {
+    mode: "safe",
+    restrictions: ["no_commit", "no_push", "no_dangerous_ops"]
+  }
+}
+/**
+ * 检查是否为全自动化模式
+ */
+export function isFullAutoMode(config = {}) {
+  return config.git_auto?.full_auto === true
+}
+/**
+ * 获取所有禁止的规则（用于文档）
+ */
+export function getForbiddenRules() {
+  return DEFAULT_RULES
+    .filter(r => r.decision === Decision.FORBID)
+    .map(r => ({
+      name: r.name,
+      pattern: Array.isArray(r.pattern) ? r.pattern.join(" ") : r.pattern.toString(),
+      reason: r.reason
+    }))
+}
+/**
+ * 检查是否为 Git 相关操作
+ */
+export function isGitCommand(command) {
+  return /^git\s+/i.test(String(command || ""))
+}