@tianhai/pi-workflow-kit 0.8.2 → 0.8.3

package/README.md

@@ -13,7 +13,7 @@ brainstorm → plan → execute → finalize
 **1 extension** that enforces the rules:
 
 - During brainstorming and planning, `write` and `edit` are **hard-blocked** outside `docs/plans/`. The agent can only read code and discuss the design with you — it literally cannot modify source files.
-- `bash` is **restricted to read-only commands** — file writes, installs, git mutations, and editors are blocked. Safe commands like `grep`, `find`, `git status`, `cat`, `curl` remain available.
+- `bash` is **restricted to read-only commands** — file writes, installs, git mutations, and editors are blocked. Safe commands like `grep`, `find`, `git status`, `cat`, `curl`, `go doc`, `go list` remain available.
 
 No configuration required. Skills and extensions activate automatically after install.
 

package/docs/plans/completed/2026-04-22-go-readonly-safe-commands-implementation.md

@@ -0,0 +1,54 @@
+# Add Go read-only commands to workflow-guard safe list
+
+## Context
+
+Go toolchain read-only commands (`go doc`, `go list`, `go version`, `go env`) are blocked during brainstorm/plan phases because they're not in `SAFE_PATTERNS`. These are purely read-only with no side effects and are commonly needed during code exploration.
+
+## Tasks
+
+### 1 — Add Go safe patterns [Modifying tested code]
+
+**File:** `extensions/workflow-guard.ts`
+
+Add four entries to `SAFE_PATTERNS`, after the `git describe` entry:
+
+```ts
+/^\s*go\s+doc\b/,
+/^\s*go\s+list\b/,
+/^\s*go\s+version\b/,
+/^\s*go\s+env\b/,
+```
+
+**Verify:** run `npx vitest run tests/workflow-guard.test.ts` — all existing tests should pass.
+
+**Commit:** `feat(workflow-guard): add Go read-only commands to safe list`
+
+### 2 — Add tests for Go safe commands [New feature]
+
+**File:** `tests/workflow-guard.test.ts`
+
+Add a new `it` block inside the `describe("isSafeCommand", ...)` suite:
+
+```ts
+it("allows go read-only subcommands", () => {
+	expect(isSafeCommand("go doc go.opentelemetry.io/otel/label")).toBe(true);
+	expect(isSafeCommand("go doc go.opentelemetry.io/otel/codes 2>&1 | head -20")).toBe(true);
+	expect(isSafeCommand("go list -m -versions go.opentelemetry.io/otel 2>&1 | tr ' ' '\\n' | grep -E '^v1\\\\.(2[89]|[3-9][0-9])' | head -20")).toBe(true);
+	expect(isSafeCommand("go version")).toBe(true);
+	expect(isSafeCommand("go env GOOS GOARCH")).toBe(true);
+});
+```
+
+Also add a `go build` block test to ensure write-oriented Go commands stay blocked:
+
+```ts
+it("blocks go write subcommands", () => {
+	expect(isSafeCommand("go build ./...")).toBe(false);
+	expect(isSafeCommand("go install golang.org/x/tools/gopls@latest")).toBe(false);
+	expect(isSafeCommand("go mod tidy")).toBe(false);
+});
+```
+
+**Verify:** run `npx vitest run tests/workflow-guard.test.ts` — all tests pass.
+
+**Commit:** `test(workflow-guard): add tests for Go read-only safe commands`

package/extensions/workflow-guard.ts

@@ -110,6 +110,10 @@ const SAFE_PATTERNS = [
 	/^\s*git\s+stash\s+list\b/i,
 	/^\s*git\s+tag\s+(-l|--list)\b/i,
 	/^\s*git\s+describe\b/,
+	/^\s*go\s+doc\b/,
+	/^\s*go\s+list\b/,
+	/^\s*go\s+version\b/,
+	/^\s*go\s+env\b/,
 ];
 
 /** Split a compound command into individual sub-commands.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tianhai/pi-workflow-kit",
-  "version": "0.8.2",
+  "version": "0.8.3",
   "description": "Workflow skills and enforcement extensions for pi",
   "keywords": [
     "pi-package"
@@ -14,7 +14,7 @@
   "author": "yinloo-ola",
   "repository": {
     "type": "git",
-    "url": "https://github.com/yinloo-ola/pi-workflow-kit.git"
+    "url": "git+https://github.com/yinloo-ola/pi-workflow-kit.git"
   },
   "files": [
     "extensions/",