@posthog/agent 2.3.403 → 2.3.418

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@posthog/agent",
-  "version": "2.3.403",
+  "version": "2.3.418",
   "repository": "https://github.com/PostHog/code",
   "description": "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   "exports": {
@@ -102,8 +102,8 @@
     "tsx": "^4.20.6",
     "typescript": "^5.5.0",
     "vitest": "^2.1.8",
-    "@posthog/enricher": "1.0.0",
     "@posthog/shared": "1.0.0",
+    "@posthog/enricher": "1.0.0",
     "@posthog/git": "1.0.0"
   },
   "dependencies": {

package/src/adapters/claude/claude-agent.ts

@@ -1026,6 +1026,19 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
         configOptions: this.session.configOptions,
       },
     });
+
+    // Notify the agent-server so its cached permissionMode stays in sync.
+    // Without this, cloud sessions that change mode via plan approval or
+    // setSessionMode use a stale mode for relay decisions.
+    if (configId === "mode") {
+      await this.client.sessionUpdate({
+        sessionId: this.sessionId,
+        update: {
+          sessionUpdate: "current_mode_update",
+          currentModeId: value,
+        },
+      });
+    }
   }
 
   private async applySessionMode(modeId: string): Promise<void> {
@@ -1322,6 +1335,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
         logger: this.logger,
         updateConfigOption: (configId: string, value: string) =>
           this.updateConfigOption(configId, value),
+        applySessionMode: (modeId: string) => this.applySessionMode(modeId),
         allowedDomains,
       });
   }

package/src/adapters/claude/permissions/permission-handlers.ts

@@ -56,6 +56,7 @@ interface ToolHandlerContext {
   fileContentCache: { [key: string]: string };
   logger: Logger;
   updateConfigOption: (configId: string, value: string) => Promise<void>;
+  applySessionMode: (modeId: string) => Promise<void>;
   allowedDomains?: string[];
 }
 
@@ -167,8 +168,6 @@ async function applyPlanApproval(
   context: ToolHandlerContext,
   updatedInput: Record<string, unknown>,
 ): Promise<ToolPermissionResult> {
-  const { session } = context;
-
   if (
     response.outcome?.outcome === "selected" &&
     (response.outcome.optionId === "auto" ||
@@ -176,16 +175,7 @@ async function applyPlanApproval(
       response.outcome.optionId === "acceptEdits" ||
       response.outcome.optionId === "bypassPermissions")
   ) {
-    session.permissionMode = response.outcome
-      .optionId as typeof session.permissionMode;
-    await session.query.setPermissionMode(response.outcome.optionId);
-    await context.client.sessionUpdate({
-      sessionId: context.sessionId,
-      update: {
-        sessionUpdate: "current_mode_update",
-        currentModeId: response.outcome.optionId,
-      },
-    });
+    await context.applySessionMode(response.outcome.optionId);
     await context.updateConfigOption("mode", response.outcome.optionId);
 
     return {
@@ -215,10 +205,9 @@ async function applyPlanApproval(
 async function handleEnterPlanModeTool(
   context: ToolHandlerContext,
 ): Promise<ToolPermissionResult> {
-  const { session, toolInput } = context;
+  const { toolInput } = context;
 
-  session.permissionMode = "plan";
-  await session.query.setPermissionMode("plan");
+  await context.applySessionMode("plan");
   await context.updateConfigOption("mode", "plan");
 
   return {

package/src/adapters/claude/permissions/permission-options.ts

@@ -1,5 +1,5 @@
 import type { PermissionUpdate } from "@anthropic-ai/claude-agent-sdk";
-import { IS_ROOT } from "../../../utils/common";
+import { ALLOW_BYPASS } from "../../../utils/common";
 import { BASH_TOOLS, READ_TOOLS, SEARCH_TOOLS, WRITE_TOOLS } from "../tools";
 
 export interface PermissionOption {
@@ -92,8 +92,6 @@ export function buildPermissionOptions(
   return permissionOptions("Yes, always allow");
 }
 
-const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
-
 export function buildExitPlanModePermissionOptions(): PermissionOption[] {
   const options: PermissionOption[] = [];
 

package/src/adapters/claude/session/options.ts

@@ -317,7 +317,7 @@ export function buildSessionOptions(params: BuildOptionsParams): Options {
     stderr: (err) => params.logger.error(err),
     cwd: params.cwd,
     includePartialMessages: true,
-    allowDangerouslySkipPermissions: !IS_ROOT,
+    allowDangerouslySkipPermissions: !IS_ROOT || !!process.env.IS_SANDBOX,
     permissionMode: params.permissionMode,
     canUseTool: params.canUseTool,
     executable: "node",

package/src/adapters/codex/codex-agent.ts

@@ -667,6 +667,20 @@ export class CodexAcpAgent extends BaseAcpAgent {
     if (response.configOptions) {
       this.sessionState.configOptions = response.configOptions;
     }
+    if (params.configId === "mode" && typeof params.value === "string") {
+      // Signal the mode change to agent-server so its session.permissionMode
+      // cache (used by shouldRelayPermissionToClient) stays in sync with the
+      // real Codex mode. Claude emits the same signal from its equivalent
+      // handler; without it, the agent-server's relay decisions for cloud
+      // runs would use a stale mode and silently auto-approve tool calls.
+      await this.client.sessionUpdate({
+        sessionId: this.sessionId,
+        update: {
+          sessionUpdate: "current_mode_update",
+          currentModeId: params.value,
+        },
+      });
+    }
     return response;
   }
 

package/src/execution-mode.ts

@@ -1,4 +1,4 @@
-import { IS_ROOT } from "./utils/common";
+import { ALLOW_BYPASS } from "./utils/common";
 
 export interface ModeInfo {
   id: string;
@@ -6,9 +6,6 @@ export interface ModeInfo {
   description: string;
 }
 
-// Helper constant that can easily be toggled for env/feature flag/etc
-const ALLOW_BYPASS = !IS_ROOT;
-
 const availableModes: ModeInfo[] = [
   {
     id: "default",
@@ -58,9 +55,9 @@ export function isCodeExecutionMode(mode: string): mode is CodeExecutionMode {
 }
 
 export function getAvailableModes(): ModeInfo[] {
-  return IS_ROOT
-    ? availableModes.filter((m) => m.id !== "bypassPermissions")
-    : availableModes;
+  return ALLOW_BYPASS
+    ? availableModes
+    : availableModes.filter((m) => m.id !== "bypassPermissions");
 }
 
 // --- Codex-native modes ---
@@ -98,7 +95,7 @@ if (ALLOW_BYPASS) {
 }
 
 export function getAvailableCodexModes(): ModeInfo[] {
-  return IS_ROOT
-    ? codexModes.filter((m) => m.id !== "full-access")
-    : codexModes;
+  return ALLOW_BYPASS
+    ? codexModes
+    : codexModes.filter((m) => m.id !== "full-access");
 }

package/src/server/agent-server.ts

@@ -48,6 +48,7 @@ import { resourceLink } from "../utils/acp-content";
 import { AsyncMutex } from "../utils/async-mutex";
 import { getLlmGatewayUrl } from "../utils/gateway";
 import { Logger } from "../utils/logger";
+import { logAgentshRuntimeInfo } from "./agentsh-runtime";
 import {
   normalizeCloudPromptContent,
   promptBlocksToText,
@@ -297,7 +298,7 @@ export class AgentServer {
   }
 
   private shouldRelayPermissionToClient(mode: PermissionMode): boolean {
-    return mode === "default" || mode === "auto";
+    return mode === "default" || mode === "auto" || mode === "read-only";
   }
 
   private createApp(): Hono {
@@ -954,6 +955,7 @@ export class AgentServer {
     this.logger.debug(
       `Agent version: ${this.config.version ?? packageJson.version}`,
     );
+    await logAgentshRuntimeInfo(this.logger);
     this.logger.debug(`Initial permission mode: ${initialPermissionMode}`);
 
     // Signal in_progress so the UI can start polling for updates

package/src/server/agentsh-runtime.test.ts

@@ -0,0 +1,107 @@
+import { describe, expect, it, vi } from "vitest";
+import {
+  logAgentshRuntimeInfo,
+  resolveAgentshRuntimeInfo,
+} from "./agentsh-runtime";
+
+describe("agentsh runtime detection", () => {
+  it("returns null when no agentsh session marker exists", async () => {
+    const getVersion = vi.fn();
+    const result = await resolveAgentshRuntimeInfo({
+      readSessionId: async () => {
+        const error = new Error("missing") as NodeJS.ErrnoException;
+        error.code = "ENOENT";
+        throw error;
+      },
+      getVersion,
+    });
+
+    expect(result).toBeNull();
+    expect(getVersion).not.toHaveBeenCalled();
+  });
+
+  it("rethrows unexpected session marker read errors", async () => {
+    const error = new Error("permission denied") as NodeJS.ErrnoException;
+    error.code = "EACCES";
+
+    await expect(
+      resolveAgentshRuntimeInfo({
+        readSessionId: async () => {
+          throw error;
+        },
+      }),
+    ).rejects.toBe(error);
+  });
+
+  it.each([
+    {
+      name: "returns the agentsh session id and version",
+      getVersion: async () => ({
+        stdout: "agentsh version 0.16.7\n",
+        stderr: "",
+      }),
+      expected: {
+        sessionId: "session-123",
+        version: "agentsh version 0.16.7",
+      },
+    },
+    {
+      name: "keeps the agentsh signal when version lookup fails",
+      getVersion: async () => {
+        throw new Error("agentsh not found");
+      },
+      expected: {
+        sessionId: "session-123",
+        version: null,
+        versionLookupError: "agentsh not found",
+      },
+    },
+  ])("$name", async ({ getVersion, expected }) => {
+    const result = await resolveAgentshRuntimeInfo({
+      readSessionId: async () => "session-123\n",
+      getVersion,
+    });
+
+    expect(result).toEqual(expected);
+  });
+
+  it("logs session id and version details", async () => {
+    const logger = { debug: vi.fn() };
+
+    await logAgentshRuntimeInfo(logger, {
+      readSessionId: async () => "session-123\n",
+      getVersion: async () => ({
+        stdout: "agentsh version 0.16.7\n",
+        stderr: "",
+      }),
+    });
+
+    expect(logger.debug).toHaveBeenCalledWith(
+      "Agentsh session ID: session-123",
+    );
+    expect(logger.debug).toHaveBeenCalledWith(
+      "Agentsh hardening version: agentsh version 0.16.7",
+    );
+  });
+
+  it("logs version lookup failures", async () => {
+    const logger = { debug: vi.fn() };
+
+    await logAgentshRuntimeInfo(logger, {
+      readSessionId: async () => "session-123\n",
+      getVersion: async () => {
+        throw new Error("agentsh not found");
+      },
+    });
+
+    expect(logger.debug).toHaveBeenCalledWith(
+      "Agentsh session ID: session-123",
+    );
+    expect(logger.debug).toHaveBeenCalledWith(
+      "Agentsh hardening version: unknown",
+    );
+    expect(logger.debug).toHaveBeenCalledWith(
+      "Agentsh version lookup failed: agentsh not found",
+    );
+  });
+});

package/src/server/agentsh-runtime.ts

@@ -0,0 +1,97 @@
+import { execFile } from "node:child_process";
+import { readFile } from "node:fs/promises";
+import { promisify } from "node:util";
+import type { Logger } from "../utils/logger";
+
+export const AGENTSH_SESSION_ID_FILE = "/tmp/agentsh-session-id";
+
+const execFileAsync = promisify(execFile);
+
+interface AgentshVersionOutput {
+  stdout: string;
+  stderr: string;
+}
+
+interface ResolveAgentshRuntimeInfoOptions {
+  sessionIdPath?: string;
+  readSessionId?: (path: string) => Promise<string>;
+  getVersion?: () => Promise<AgentshVersionOutput>;
+}
+
+export interface AgentshRuntimeInfo {
+  sessionId: string;
+  version: string | null;
+  versionLookupError?: string;
+}
+
+function errorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : String(error);
+}
+
+function parseAgentshVersion(output: AgentshVersionOutput): string | null {
+  const version = `${output.stdout}\n${output.stderr}`
+    .split("\n")
+    .map((line) => line.trim())
+    .find(Boolean);
+  return version ?? null;
+}
+
+async function getAgentshVersion(): Promise<AgentshVersionOutput> {
+  const { stdout, stderr } = await execFileAsync("agentsh", ["--version"], {
+    timeout: 5_000,
+  });
+  return { stdout, stderr };
+}
+
+export async function resolveAgentshRuntimeInfo({
+  sessionIdPath = AGENTSH_SESSION_ID_FILE,
+  readSessionId = async (path: string) => readFile(path, "utf8"),
+  getVersion = getAgentshVersion,
+}: ResolveAgentshRuntimeInfoOptions = {}): Promise<AgentshRuntimeInfo | null> {
+  let sessionId: string;
+  try {
+    sessionId = (await readSessionId(sessionIdPath)).trim();
+  } catch (error) {
+    const code = (error as NodeJS.ErrnoException).code;
+    if (code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+
+  if (!sessionId) {
+    return null;
+  }
+
+  try {
+    const output = await getVersion();
+    return {
+      sessionId,
+      version: parseAgentshVersion(output),
+    };
+  } catch (error) {
+    return {
+      sessionId,
+      version: null,
+      versionLookupError: errorMessage(error),
+    };
+  }
+}
+
+export async function logAgentshRuntimeInfo(
+  logger: Pick<Logger, "debug">,
+  options?: ResolveAgentshRuntimeInfoOptions,
+): Promise<void> {
+  const agentsh = await resolveAgentshRuntimeInfo(options);
+  if (!agentsh) {
+    return;
+  }
+
+  logger.debug(`Agentsh session ID: ${agentsh.sessionId}`);
+  logger.debug(`Agentsh hardening version: ${agentsh.version ?? "unknown"}`);
+  if (agentsh.versionLookupError) {
+    logger.debug(
+      `Agentsh version lookup failed: ${agentsh.versionLookupError}`,
+    );
+  }
+}

package/src/utils/common.ts

@@ -23,6 +23,8 @@ export const IS_ROOT =
   typeof process !== "undefined" &&
   (process.geteuid?.() ?? process.getuid?.()) === 0;
 
+export const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
+
 export function unreachable(value: never, logger: Logger): void {
   let valueAsString: string;
   try {