@probelabs/probe 0.6.0-rc255 → 0.6.0-rc257

package/src/agent/bashPermissions.js

@@ -79,9 +79,19 @@ function matchesAnyPattern(parsedCommand, patterns) {
 export class BashPermissionChecker {
   /**
    * Create a permission checker
+   *
+   * Priority order (highest to lowest):
+   *   1. Custom deny  — always blocks (user explicitly blocked it)
+   *   2. Custom allow — overrides default deny (user explicitly allowed it)
+   *   3. Default deny — blocks by default
+   *   4. Allow list   — allows recognized safe commands
+   *
+   * This means `--bash-allow "git:push"` overrides the default deny for git:push
+   * without requiring `--no-default-bash-deny`.
+   *
    * @param {Object} config - Configuration options
-   * @param {string[]} [config.allow] - Additional allow patterns
-   * @param {string[]} [config.deny] - Additional deny patterns
+   * @param {string[]} [config.allow] - Additional allow patterns (override default deny)
+   * @param {string[]} [config.deny] - Additional deny patterns (always win)
    * @param {boolean} [config.disableDefaultAllow] - Disable default allow list
    * @param {boolean} [config.disableDefaultDeny] - Disable default deny list
    * @param {boolean} [config.debug] - Enable debug logging
@@ -90,38 +100,19 @@ export class BashPermissionChecker {
   constructor(config = {}) {
     this.debug = config.debug || false;
     this.tracer = config.tracer || null;
-    
-    // Build allow patterns
-    this.allowPatterns = [];
-    if (!config.disableDefaultAllow) {
-      this.allowPatterns.push(...DEFAULT_ALLOW_PATTERNS);
-      if (this.debug) {
-        console.log(`[BashPermissions] Added ${DEFAULT_ALLOW_PATTERNS.length} default allow patterns`);
-      }
-    }
-    if (config.allow && Array.isArray(config.allow)) {
-      this.allowPatterns.push(...config.allow);
-      if (this.debug) {
-        console.log(`[BashPermissions] Added ${config.allow.length} custom allow patterns:`, config.allow);
-      }
-    }
 
-    // Build deny patterns
-    this.denyPatterns = [];
-    if (!config.disableDefaultDeny) {
-      this.denyPatterns.push(...DEFAULT_DENY_PATTERNS);
-      if (this.debug) {
-        console.log(`[BashPermissions] Added ${DEFAULT_DENY_PATTERNS.length} default deny patterns`);
-      }
-    }
-    if (config.deny && Array.isArray(config.deny)) {
-      this.denyPatterns.push(...config.deny);
-      if (this.debug) {
-        console.log(`[BashPermissions] Added ${config.deny.length} custom deny patterns:`, config.deny);
-      }
-    }
+    // Separate default and custom patterns for priority-based resolution
+    this.defaultAllowPatterns = config.disableDefaultAllow ? [] : [...DEFAULT_ALLOW_PATTERNS];
+    this.customAllowPatterns = (config.allow && Array.isArray(config.allow)) ? [...config.allow] : [];
+    this.allowPatterns = [...this.defaultAllowPatterns, ...this.customAllowPatterns];
+
+    this.defaultDenyPatterns = config.disableDefaultDeny ? [] : [...DEFAULT_DENY_PATTERNS];
+    this.customDenyPatterns = (config.deny && Array.isArray(config.deny)) ? [...config.deny] : [];
+    this.denyPatterns = [...this.defaultDenyPatterns, ...this.customDenyPatterns];
 
     if (this.debug) {
+      console.log(`[BashPermissions] Default allow: ${this.defaultAllowPatterns.length}, Custom allow: ${this.customAllowPatterns.length}`);
+      console.log(`[BashPermissions] Default deny: ${this.defaultDenyPatterns.length}, Custom deny: ${this.customDenyPatterns.length}`);
       console.log(`[BashPermissions] Total patterns - Allow: ${this.allowPatterns.length}, Deny: ${this.denyPatterns.length}`);
     }
 
@@ -129,8 +120,8 @@ export class BashPermissionChecker {
     this.recordBashEvent('permissions.initialized', {
       allowPatternCount: this.allowPatterns.length,
       denyPatternCount: this.denyPatterns.length,
-      hasCustomAllowPatterns: !!(config.allow && config.allow.length > 0),
-      hasCustomDenyPatterns: !!(config.deny && config.deny.length > 0),
+      hasCustomAllowPatterns: this.customAllowPatterns.length > 0,
+      hasCustomDenyPatterns: this.customDenyPatterns.length > 0,
       disableDefaultAllow: !!config.disableDefaultAllow,
       disableDefaultDeny: !!config.disableDefaultDeny
     });
@@ -212,9 +203,18 @@ export class BashPermissionChecker {
       console.log(`[BashPermissions] Parsed: ${parsed.command} with args: [${parsed.args.join(', ')}]`);
     }
 
-    // Check deny patterns first (deny takes precedence)
-    if (matchesAnyPattern(parsed, this.denyPatterns)) {
-      const matchedPatterns = this.denyPatterns.filter(pattern => matchesPattern(parsed, pattern));
+    // Priority-based permission check:
+    // 1. Custom deny always wins
+    // 2. Custom allow overrides default deny
+    // 3. Default deny blocks
+    // 4. Allow list permits
+
+    // Step 1: Custom deny always wins
+    if (matchesAnyPattern(parsed, this.customDenyPatterns)) {
+      const matchedPatterns = this.customDenyPatterns.filter(pattern => matchesPattern(parsed, pattern));
+      if (this.debug) {
+        console.log(`[BashPermissions] DENIED - matches custom deny pattern: ${matchedPatterns[0]}`);
+      }
       const result = {
         allowed: false,
         reason: `Command matches deny pattern: ${matchedPatterns[0]}`,
@@ -227,12 +227,40 @@ export class BashPermissionChecker {
         parsedCommand: parsed.command,
         reason: 'matches_deny_pattern',
         matchedPattern: matchedPatterns[0],
-        isComplex: false
+        isComplex: false,
+        isCustomDeny: true
       });
       return result;
     }
 
-    // Check allow patterns
+    // Step 2: Custom allow overrides default deny
+    const matchesCustomAllow = matchesAnyPattern(parsed, this.customAllowPatterns);
+
+    // Step 3: Default deny (skipped if custom allow matches)
+    if (!matchesCustomAllow && matchesAnyPattern(parsed, this.defaultDenyPatterns)) {
+      const matchedPatterns = this.defaultDenyPatterns.filter(pattern => matchesPattern(parsed, pattern));
+      if (this.debug) {
+        console.log(`[BashPermissions] DENIED - matches default deny pattern: ${matchedPatterns[0]}`);
+      }
+      const result = {
+        allowed: false,
+        reason: `Command matches deny pattern: ${matchedPatterns[0]}`,
+        command: command,
+        parsed: parsed,
+        matchedPatterns: matchedPatterns
+      };
+      this.recordBashEvent('permission.denied', {
+        command,
+        parsedCommand: parsed.command,
+        reason: 'matches_deny_pattern',
+        matchedPattern: matchedPatterns[0],
+        isComplex: false,
+        isCustomDeny: false
+      });
+      return result;
+    }
+
+    // Step 4: Check allow patterns
     if (this.allowPatterns.length > 0) {
       if (!matchesAnyPattern(parsed, this.allowPatterns)) {
         const result = {
@@ -256,17 +284,23 @@ export class BashPermissionChecker {
       allowed: true,
       command: command,
       parsed: parsed,
-      isComplex: false
+      isComplex: false,
+      overriddenDeny: matchesCustomAllow && matchesAnyPattern(parsed, this.defaultDenyPatterns)
     };
 
     if (this.debug) {
-      console.log(`[BashPermissions] ALLOWED - command passed all checks`);
+      if (result.overriddenDeny) {
+        console.log(`[BashPermissions] ALLOWED - custom allow overrides default deny`);
+      } else {
+        console.log(`[BashPermissions] ALLOWED - command passed all checks`);
+      }
     }
 
     this.recordBashEvent('permission.allowed', {
       command,
       parsedCommand: parsed.command,
-      isComplex: false
+      isComplex: false,
+      overriddenDeny: result.overriddenDeny || false
     });
 
     return result;
@@ -477,10 +511,25 @@ export class BashPermissionChecker {
           break;
         }
 
-        // Check against deny patterns
-        if (matchesAnyPattern(parsed, this.denyPatterns)) {
+        // Check using same priority logic as simple commands:
+        // 1. Custom deny always wins
+        if (matchesAnyPattern(parsed, this.customDenyPatterns)) {
+          if (this.debug) {
+            console.log(`[BashPermissions] Component "${component}" matches custom deny pattern`);
+          }
+          allAllowed = false;
+          deniedComponent = component;
+          deniedReason = 'Component matches deny pattern';
+          break;
+        }
+
+        // 2. Custom allow overrides default deny
+        const componentMatchesCustomAllow = matchesAnyPattern(parsed, this.customAllowPatterns);
+
+        // 3. Default deny (skipped if custom allow matches)
+        if (!componentMatchesCustomAllow && matchesAnyPattern(parsed, this.defaultDenyPatterns)) {
           if (this.debug) {
-            console.log(`[BashPermissions] Component "${component}" matches deny pattern`);
+            console.log(`[BashPermissions] Component "${component}" matches default deny pattern`);
           }
           allAllowed = false;
           deniedComponent = component;
@@ -488,7 +537,7 @@ export class BashPermissionChecker {
           break;
         }
 
-        // Check against allow patterns
+        // 4. Check allow patterns
         if (!matchesAnyPattern(parsed, this.allowPatterns)) {
           if (this.debug) {
             console.log(`[BashPermissions] Component "${component}" not in allow list`);
@@ -567,6 +616,10 @@ export class BashPermissionChecker {
     return {
       allowPatterns: this.allowPatterns.length,
       denyPatterns: this.denyPatterns.length,
+      customAllowPatterns: this.customAllowPatterns.length,
+      customDenyPatterns: this.customDenyPatterns.length,
+      defaultAllowPatterns: this.defaultAllowPatterns.length,
+      defaultDenyPatterns: this.defaultDenyPatterns.length,
       totalPatterns: this.allowPatterns.length + this.denyPatterns.length
     };
   }

package/src/agent/index.js

@@ -623,9 +623,9 @@ class ProbeAgentMcpServer {
                 // Retry once with correction prompt
                 const correctionPrompt = createJsonCorrectionPrompt(result, schema, validation.error);
                 try {
-                  result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true });
+                  result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 });
                   result = cleanSchemaResponse(result);
-                  
+
                   // Validate again after correction
                   const finalValidation = validateJsonResponse(result);
                   if (!finalValidation.isValid && args.debug) {
@@ -971,11 +971,11 @@ async function main() {
             try {
               if (appTracer) {
                 result = await appTracer.withSpan('agent.json_correction',
-                  () => agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true }),
+                  () => agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 }),
                   { 'original_error': validation.error }
                 );
               } else {
-                result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true });
+                result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 });
               }
               result = cleanSchemaResponse(result);
               

package/src/agent/mcp/xmlBridge.js

@@ -6,6 +6,7 @@
 import { MCPClientManager } from './client.js';
 import { loadMCPConfiguration } from './config.js';
 import { processXmlWithThinkingAndRecovery } from '../xmlParsingUtils.js';
+import { unescapeXmlEntities } from '../../tools/common.js';
 
 /**
  * Convert MCP tool to XML definition format
@@ -111,7 +112,7 @@ export function parseXmlMcpToolCall(xmlString, mcpToolNames = []) {
       let match;
       while ((match = paramPattern.exec(content)) !== null) {
         const [, paramName, paramValue] = match;
-        params[paramName] = paramValue.trim();
+        params[paramName] = unescapeXmlEntities(paramValue.trim());
       }
     }
 
@@ -393,7 +394,7 @@ function parseNativeXmlTool(xmlString, toolName) {
     const [, paramName, paramValue] = match;
     // Skip if this is the params tag itself (MCP format)
     if (paramName !== 'params') {
-      params[paramName] = paramValue.trim();
+      params[paramName] = unescapeXmlEntities(paramValue.trim());
     }
   }
 

package/src/agent/schemaUtils.js

@@ -603,6 +603,17 @@ export function validateJsonResponse(response, options = {}) {
       }
     }
 
+    // Quick recovery: try to extract a valid JSON prefix before returning error.
+    // This handles the common case where AI returns valid JSON followed by markdown content,
+    // e.g., "Unexpected non-whitespace character after JSON at position 477" (issue #447).
+    const prefixResult = tryExtractValidJsonPrefix(responseToValidate, { schema, debug });
+    if (prefixResult && prefixResult.isValid) {
+      if (debug) {
+        console.log(`[DEBUG] JSON validation: Recovered valid JSON prefix (${prefixResult.extracted.length} chars) from response with trailing content`);
+      }
+      return { isValid: true, parsed: prefixResult.parsed };
+    }
+
     // Create enhanced error message with context snippet
     let enhancedError = error.message;
     let errorContext = null;
@@ -667,6 +678,122 @@ ${pointer} here`;
   }
 }
 
+/**
+ * Try to extract a valid JSON prefix from a string that has trailing non-JSON content.
+ * This handles the common case where an AI returns valid JSON followed by markdown text.
+ *
+ * Uses bracket-matching to find the end of the first complete JSON object/array,
+ * then validates the prefix with JSON.parse(). Optionally validates against a schema.
+ *
+ * @param {string} response - The full response string
+ * @param {Object} [options] - Options
+ * @param {Object|string} [options.schema] - JSON schema to validate against
+ * @param {boolean} [options.debug=false] - Enable debug logging
+ * @returns {Object|null} - {isValid: true, parsed: Object, extracted: string} or null if no valid prefix found
+ */
+export function tryExtractValidJsonPrefix(response, options = {}) {
+  const { schema = null, debug = false } = options;
+
+  if (!response || typeof response !== 'string') {
+    return null;
+  }
+
+  const trimmed = response.trim();
+  if (trimmed.length === 0) {
+    return null;
+  }
+
+  // Must start with { or [
+  const firstChar = trimmed[0];
+  if (firstChar !== '{' && firstChar !== '[') {
+    return null;
+  }
+
+  // First, check if the full string already parses - no need to extract prefix
+  try {
+    JSON.parse(trimmed);
+    return null; // Full string is valid JSON, no extraction needed
+  } catch {
+    // Expected - continue with prefix extraction
+  }
+
+  // Find the end of the first complete JSON object/array using bracket matching
+  const openChar = firstChar;
+  const closeChar = openChar === '{' ? '}' : ']';
+  let depth = 0;
+  let inString = false;
+  let escapeNext = false;
+  let endPos = -1;
+
+  for (let i = 0; i < trimmed.length; i++) {
+    const char = trimmed[i];
+
+    if (escapeNext) {
+      escapeNext = false;
+      continue;
+    }
+
+    if (char === '\\' && inString) {
+      escapeNext = true;
+      continue;
+    }
+
+    if (char === '"') {
+      inString = !inString;
+      continue;
+    }
+
+    if (inString) {
+      continue;
+    }
+
+    if (char === openChar) {
+      depth++;
+    } else if (char === closeChar) {
+      depth--;
+      if (depth === 0) {
+        endPos = i + 1;
+        break;
+      }
+    }
+  }
+
+  if (endPos <= 0 || endPos >= trimmed.length) {
+    return null; // No complete JSON found, or JSON spans the entire string
+  }
+
+  // Check that there's actual non-whitespace trailing content
+  const remainder = trimmed.substring(endPos).trim();
+  if (remainder.length === 0) {
+    return null; // Only whitespace after JSON, no trailing content issue
+  }
+
+  // Try to parse the prefix
+  const prefix = trimmed.substring(0, endPos);
+  try {
+    const parsed = JSON.parse(prefix);
+
+    if (debug) {
+      console.log(`[DEBUG] tryExtractValidJsonPrefix: Extracted valid JSON prefix (${prefix.length} chars), stripped trailing content (${remainder.length} chars)`);
+    }
+
+    // If schema provided, validate against it
+    if (schema) {
+      const schemaValidation = validateJsonResponse(prefix, { debug, schema });
+      if (!schemaValidation.isValid) {
+        if (debug) {
+          console.log(`[DEBUG] tryExtractValidJsonPrefix: Prefix is valid JSON but fails schema validation: ${schemaValidation.error}`);
+        }
+        return null;
+      }
+    }
+
+    return { isValid: true, parsed, extracted: prefix };
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Validate that the cleaned response is valid XML if expected
  * @param {string} response - Cleaned response

package/src/tools/bash.js

@@ -146,8 +146,8 @@ Common reasons:
 2. The command is not in the allow list (not a recognized safe command)
 
 If you believe this command should be allowed, you can:
-- Use the --bash-allow option to add specific patterns
-- Use the --no-default-bash-deny flag to remove default restrictions (not recommended)
+- Use the --bash-allow option to add specific patterns (overrides default deny list)
+  Example: --bash-allow "git:push" allows git push while keeping all other deny rules
 
 For code exploration, try these safe alternatives:
 - ls, cat, head, tail for file operations

package/src/tools/common.js

@@ -521,6 +521,23 @@ function getValidParamsForTool(toolName) {
 	return [];
 }
 
+/**
+ * Unescape standard XML entities in a string value.
+ * Order matters: & must be decoded LAST to avoid double-decoding
+ * (e.g., &amp;lt; should become &lt;, not <).
+ * @param {string} str - The string to unescape
+ * @returns {string} The unescaped string
+ */
+export function unescapeXmlEntities(str) {
+	if (typeof str !== 'string') return str;
+	return str
+		.replace(/&lt;/g, '<')
+		.replace(/&gt;/g, '>')
+		.replace(/&quot;/g, '"')
+		.replace(/&apos;/g, "'")
+		.replace(/&amp;/g, '&');
+}
+
 // Simple XML parser helper - safer string-based approach
 export function parseXmlToolCall(xmlString, validTools = DEFAULT_VALID_TOOLS) {
 	// Find the tool that appears EARLIEST in the string
@@ -609,10 +626,10 @@ export function parseXmlToolCall(xmlString, validTools = DEFAULT_VALID_TOOLS) {
 			paramCloseIndex = nextTagIndex;
 		}
 
-		let paramValue = innerContent.substring(
+		let paramValue = unescapeXmlEntities(innerContent.substring(
 			paramOpenIndex + paramOpenTag.length,
 			paramCloseIndex
-		).trim();
+		).trim());
 
 		// Basic type inference (can be improved)
 		if (paramValue.toLowerCase() === 'true') {
@@ -633,7 +650,7 @@ export function parseXmlToolCall(xmlString, validTools = DEFAULT_VALID_TOOLS) {
 
 	// Special handling for attempt_completion - use entire inner content as result
 	if (toolName === 'attempt_completion') {
-		params['result'] = innerContent.trim();
+		params['result'] = unescapeXmlEntities(innerContent.trim());
 		// Remove command parameter if it was parsed by generic logic above (legacy compatibility)
 		if (params.command) {
 			delete params.command;