codemini-cli 0.3.9 → 0.4.0

package/README.md

@@ -74,6 +74,11 @@ CodeMini CLI can optionally use `fff-mcp` as a faster backend for `grep`, `glob`
 | `codemini [prompt]` | Start an interactive coding session with an optional initial prompt |
 | `codemini chat [prompt]` | Chat mode — single-turn or multi-turn conversation |
 | `codemini run <task>` | Run a task non-interactively (e.g. `codemini run "fix the login bug"`) |
+| `codemini run --harness <role> <task>` | Run a task with a specific sub-agent role (e.g. `coder`, `planner`, `reviewer`) |
+| `codemini run --pipeline <task>` | Run a task through the full planning → coding → review pipeline |
+| `codemini run <task> --max-steps N` | Limit the maximum number of agent steps for a run task |
+| `codemini run <task> --model <name>` | Override the default model for a single run |
+| `codemini [prompt] --plain` | Disable TUI and use plain terminal output |
 | `codemini config set\|get\|list <key> [value]` | Manage configuration (gateway, model, shell, UI, soul, etc.) |
 | `codemini doctor` | Run environment diagnostics and validate configuration |
 | `codemini skill list\|install\|enable\|disable\|inspect\|reindex` | Manage skills — list, install, toggle, or inspect bundled/third-party skills |
@@ -88,6 +93,23 @@ Built-in souls: `default`, `professional`, `ceo`, `playful`, `anime`, `caveman`,
 codemini config set soul.preset playful
 ```
 
+### Built-in Skills
+
+Skills are reusable workflow patterns that guide how the agent approaches different types of tasks. They are loaded automatically when applicable.
+
+| Skill | Trigger | Description |
+|-------|---------|-------------|
+| **superpowers-lite** | Default for all coding work | Lightweight operating style: prefer structured tools, keep context tight, use sub-agents, verify before claiming success |
+| **brainstorm** | Multiple reasonable approaches exist | Explores options and tradeoffs before coding; asks one question at a time to resolve uncertainty |
+| **writing-plans** | Non-trivial implementation task | Creates a step-by-step plan with exact file paths, code, and verification steps before touching code |
+
+Skills are installed and managed via `codemini skill`:
+
+```bash
+codemini skill list        # List all available skills
+codemini skill inspect <name>  # Inspect a skill's details
+```
+
 ### How The Tool Model Works
 
 CodeMini CLI intentionally separates tools into two layers:
@@ -285,6 +307,11 @@ CodeMini CLI 可以可选地使用 `fff-mcp` 作为 `grep`、`glob` 和部分 `l
 | `codemini [prompt]` | 启动交互式编码会话，可附带初始提示 |
 | `codemini chat [prompt]` | 对话模式——单轮或多轮 |
 | `codemini run <task>` | 非交互式执行任务（如 `codemini run "修复登录 bug"`） |
+| `codemini run --harness <role> <task>` | 以指定 sub-agent 角色执行任务（如 `coder`、`planner`、`reviewer`） |
+| `codemini run --pipeline <task>` | 通过完整计划→编码→审查流水线执行任务 |
+| `codemini run <task> --max-steps N` | 限制单次执行的最大 agent 步数 |
+| `codemini run <task> --model <name>` | 单次执行时覆盖默认模型 |
+| `codemini [prompt] --plain` | 禁用 TUI，使用纯文本终端输出 |
 | `codemini config set\|get\|list <key> [value]` | 管理配置（网关、模型、shell、UI、soul 等） |
 | `codemini doctor` | 运行环境诊断并验证配置 |
 | `codemini skill list\|install\|enable\|disable\|inspect\|reindex` | 管理 skill——列表、安装、启用/禁用、检查 |
@@ -299,6 +326,23 @@ CodeMini CLI 支持可切换的 "soul" 人格，仅改变语气和表达风格
 codemini config set soul.preset playful
 ```
 
+### 内置 Skills
+
+Skill 是可复用的工作流模式，指导 agent 如何处理不同类型的任务。适用时会自动加载。
+
+| Skill | 触发条件 | 说明 |
+|-------|----------|------|
+| **superpowers-lite** | 所有编码工作的默认 skill | 轻量操作风格：优先结构化工具、保持上下文精简、使用 sub-agent、验证后再报告完成 |
+| **brainstorm** | 存在多种合理方案时 | 在编码前探索选项和权衡；每次只问一个问题来消除不确定性 |
+| **writing-plans** | 非平凡的实现任务 | 在动手之前创建包含精确文件路径、代码和验证步骤的分步计划 |
+
+通过 `codemini skill` 管理技能：
+
+```bash
+codemini skill list           # 列出所有可用 skill
+codemini skill inspect <name> # 查看某个 skill 的详细信息
+```
+
 ### 工具模型怎么设计
 
 CodeMini CLI 把工具分成两层：

package/deployment.md

@@ -13,13 +13,13 @@ npm pack
 Expected output:
 
 ```text
-codemini-cli-0.1.0.tgz
+codemini-cli-0.4.0.tgz
 ```
 
 If you want to verify the package contents:
 
 ```bash
-tar -tf codemini-cli-0.1.0.tgz
+tar -tf codemini-cli-0.4.0.tgz
 ```
 
 ## 2. Copy To The Target Machine
@@ -34,7 +34,7 @@ Copy the generated `.tgz` file to the Win10 machine by one of these methods:
 Recommended target path:
 
 ```powershell
-C:\temp\codemini-cli-0.1.0.tgz
+C:\temp\codemini-cli-0.4.0.tgz
 ```
 
 ## 3. Environment Requirements
@@ -42,7 +42,7 @@ C:\temp\codemini-cli-0.1.0.tgz
 Target machine requirements:
 
 - Windows 10
-- Node.js 20 or newer
+- Node.js 22 or newer
 - npm available
 - PowerShell available
 
@@ -58,7 +58,7 @@ npm -v
 Global install:
 
 ```powershell
-npm install -g C:\temp\codemini-cli-0.1.0.tgz
+npm install -g C:\temp\codemini-cli-0.4.0.tgz
 ```
 
 If global install is blocked by company policy, install in a working directory instead:
@@ -66,7 +66,7 @@ If global install is blocked by company policy, install in a working directory i
 ```powershell
 mkdir C:\temp\coder-test
 cd C:\temp\coder-test
-npm install C:\temp\codemini-cli-0.1.0.tgz
+npm install C:\temp\codemini-cli-0.4.0.tgz
 ```
 
 ## 5. Confirm Installation

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codemini-cli",
-  "version": "0.3.9",
+  "version": "0.4.0",
   "description": "Coding CLI optimized for small-model workflows and Windows PowerShell",
   "keywords": [
     "cli",
@@ -48,10 +48,12 @@
   "dependencies": {
     "@cursorless/tree-sitter-wasms": "^0.8.1",
     "cheerio": "^1.1.2",
+    "cli-truncate": "^6.0.0",
     "duck-duck-scrape": "^2.2.7",
     "ink": "^7.0.0",
     "playwright": "^1.54.2",
     "react": "^19.2.5",
+    "strip-ansi": "^7.2.0",
     "web-tree-sitter": "^0.26.8"
   },
   "license": "MIT"

package/src/core/agent-loop.js

@@ -4,6 +4,8 @@ import fs from 'node:fs/promises';
 import { BoundedCache } from './bounded-cache.js';
 import { trimInline as _trimInline, normalizePath } from './string-utils.js';
 import { captureToInbox, listInbox } from './memory-store.js';
+import { requiresApprovalEvaluation } from './command-risk.js';
+import { getToolOutputSanitizeOptions, sanitizeTextForModel } from './tool-output.js';
 
 /**
  * 安全解析 JSON 字符串。
@@ -162,7 +164,7 @@ function emptyToolResultMarker(toolName) {
 }
 
 function clipToolResult(result, maxChars = 12000) {
-  const raw = typeof result === 'string' ? result : JSON.stringify(result);
+  const raw = sanitizeTextForModel(typeof result === 'string' ? result : JSON.stringify(result));
   if (!maxChars || raw.length <= maxChars) return raw;
   return `${raw.slice(0, maxChars)}\n... [tool result truncated ${raw.length - maxChars} chars]`;
 }
@@ -170,8 +172,9 @@ function clipToolResult(result, maxChars = 12000) {
 function compactToolResult(result, toolName, args, maxChars = 12000) {
   if (result === null || result === undefined) return 'no output';
   if (typeof result === 'string') {
-    if (result.length <= maxChars) return result;
-    return `${result.slice(0, maxChars)}\n... [tool result truncated ${result.length - maxChars} chars, original: ${result.length}]`;
+    const sanitized = sanitizeTextForModel(result);
+    if (sanitized.length <= maxChars) return sanitized;
+    return `${sanitized.slice(0, maxChars)}\n... [tool result truncated ${sanitized.length - maxChars} chars, original: ${sanitized.length}]`;
   }
   if (typeof result !== 'object') return String(result);
 
@@ -387,7 +390,18 @@ function shouldAutoCaptureError(toolName, message) {
     /not found$/i,
     /already exists$/i,
     /cancelled/i,
-    /aborted/i
+    /aborted/i,
+    /blocked by (?:safe mode|policy|dangerous command)/i,
+    /exit 127/i,
+    /command not found/i,
+    /permission denied/i,
+    /args\?\s/i,
+    /Raw tool arguments/i,
+    /edit requires/i,
+    /write requires/i,
+    /requires file/i,
+    /path.*outside workspace/i,
+    /escapes workspace/i
   ];
   if (noisePatterns.some((p) => p.test(message))) return false;
   lastAutoCaptureByTool.set(toolName, now);
@@ -400,7 +414,7 @@ function fireAndForgetCapture(toolName, message, args) {
     ? `Tool: ${toolName}\nError: ${message}\nArgs: ${JSON.stringify(args).slice(0, 300)}`
     : `Tool: ${toolName}\nError: ${message}`;
   captureToInbox({
-    scope: 'global',
+    scope: 'auto',
     type: 'failure',
     summary,
     details,
@@ -421,6 +435,33 @@ async function checkAutoDreamThreshold(config) {
 
 // ─── Exported helpers ────────────────────────────────────────────────
 
+function extractFileChange(toolName, result) {
+  if (!result || typeof result !== 'object') return null;
+  const FILE_TOOLS = new Set(['edit', 'write', 'delete']);
+  if (!FILE_TOOLS.has(toolName)) return null;
+
+  /* delete */
+  if ('deleted' in result && result.deleted) {
+    return { path: String(result.path || ''), action: 'delete', linesAdded: 0, linesRemoved: 0 };
+  }
+
+  /* edit / write */
+  if ('path' in result && 'action' in result) {
+    const action = String(result.action || '');
+    const isCreate = action === 'create';
+    const added = Number(result.lines_added || 0);
+    const removed = Number(result.lines_removed || 0);
+    return {
+      path: String(result.path || ''),
+      action: isCreate ? 'create' : 'edit',
+      linesAdded: added,
+      linesRemoved: removed
+    };
+  }
+
+  return null;
+}
+
 export function summarizeToolResult(result) {
   if (result === null || result === undefined) return 'no output';
   if (typeof result === 'string') {
@@ -640,7 +681,7 @@ function blockedExplorationReason(toolName, args, state) {
   const top = topLevelPath(target);
   if (!top) return '';
 
-  if (['skills', 'souls', 'templates', '.codemini', '.codemini-project'].includes(top)) {
+  if (['skills', 'souls', 'templates', '.codemini', '.codemini-global'].includes(top)) {
     return `Skip ${top}/ for broad repository analysis unless the user explicitly asks for it. Inspect relevant source files first.`;
   }
   return '';
@@ -736,14 +777,17 @@ function formatToolDisplayName(name, args) {
 // ─── Format a single tool result using per-tool formatter or fallback ──
 
 function formatToolResult(toolResult, toolName, args, toolFormatters, toolResultMaxChars) {
+  const sanitizeOptions = getToolOutputSanitizeOptions(toolName);
   if (toolFormatters && typeof toolFormatters[toolName] === 'function') {
     const formatted = toolFormatters[toolName](toolResult, args);
     if (typeof formatted === 'string') {
-      return formatted.trim() ? formatted : emptyToolResultMarker(toolName);
+      const sanitized = sanitizeTextForModel(formatted, sanitizeOptions);
+      return sanitized.trim() ? sanitized : emptyToolResultMarker(toolName);
     }
   }
   const fallback = compactToolResult(toolResult, toolName, args, toolResultMaxChars);
-  return String(fallback || '').trim() ? fallback : emptyToolResultMarker(toolName);
+  const sanitizedFallback = sanitizeTextForModel(fallback, sanitizeOptions);
+  return String(sanitizedFallback || '').trim() ? sanitizedFallback : emptyToolResultMarker(toolName);
 }
 
 // ─── Main agent loop ────────────────────────────────────────────────
@@ -924,7 +968,11 @@ export async function runAgentLoop({
       let approved = true;
       let approvalArgs = args;
       let preflightErrorContent = '';
-      const needsApproval = toolName === 'delete' || (executionMode === 'normal' && !alwaysAllowSet.has(toolName));
+      const isSafeModeRun = toolName === 'run'
+        && config?.policy?.safe_mode !== false
+        && requiresApprovalEvaluation(args?.command || '', config?.shell?.default);
+      const needsApproval = toolName === 'delete' || isSafeModeRun
+        || (executionMode === 'normal' && !alwaysAllowSet.has(toolName));
       if (needsApproval) {
         approved = false;
         const handler = toolHandlers[toolName];
@@ -940,6 +988,31 @@ export async function runAgentLoop({
             preflightErrorContent = clipToolResult({ error: message }, toolResultMaxChars);
           }
         }
+        /* Run tool: safe mode LLM-based command evaluation */
+        if (toolName === 'run' && isSafeModeRun && !preflightErrorContent) {
+          try {
+            const { evaluateCommandWithLLM } = await import('./command-evaluator.js');
+            const evaluation = await evaluateCommandWithLLM({
+              command: args?.command || '',
+              config,
+              workspaceRoot: config?.workspaceRoot || process.cwd()
+            });
+            approvalArgs = { ...args, _risk: evaluation.risk, _evaluation: evaluation };
+            /* LLM says low-risk + allow → auto-approve, skip confirmation panel */
+            if (evaluation.risk === 'low' && evaluation.recommendation === 'allow') {
+              approvalResults.set(call.id, { approved: true, args: approvalArgs });
+              continue;
+            }
+          } catch (_) {
+            approvalArgs = { ...args, _risk: 'high', _evaluation: null };
+          }
+          if (typeof handler?.prepareApproval === 'function') {
+            try {
+              const approval = await handler.prepareApproval(approvalArgs);
+              approvalArgs = { ...approvalArgs, approval };
+            } catch (_) { /* skip */ }
+          }
+        }
         if (preflightErrorContent) {
           approvalResults.set(call.id, {
             approved: false,
@@ -954,7 +1027,8 @@ export async function runAgentLoop({
             name: toolName,
             displayName,
             arguments: approvalArgs,
-            approvalDetails: toolName === 'delete' ? approvalArgs.approval : undefined
+            approvalDetails: toolName === 'delete' ? approvalArgs.approval
+              : (toolName === 'run' ? approvalArgs.approval : undefined)
           });
           approved = Boolean(decision?.approved);
         }
@@ -1035,8 +1109,10 @@ export async function runAgentLoop({
       }
 
       const durationMs = Date.now() - startedAt;
+      /* 提取文件改动统计 */
+      const fileChange = extractFileChange(toolName, toolResult);
       if (onEvent) {
-        onEvent({ type: 'tool:end', name: displayName, id: call.id, arguments: effectiveArgs, durationMs, summary: summarizeToolResult(toolResult) });
+        onEvent({ type: 'tool:end', name: displayName, id: call.id, arguments: effectiveArgs, durationMs, summary: summarizeToolResult(toolResult), fileChange });
       }
 
       // Auto-capture non-throwing tool failures (e.g. shell non-zero exit)

package/src/core/chat-runtime.js

@@ -10,7 +10,7 @@ import {
 } from './provider/index.js';
 import { isDangerousCommand, runShellCommand } from './shell.js';
 import { getBuiltinTools } from './tools.js';
-import { listSessions, loadSession, pruneSessions, saveSession } from './session-store.js';
+import { createSession, listSessions, loadSession, pruneSessions, saveSession } from './session-store.js';
 import { getConfigValue, loadConfig, resetConfig, setConfigValue } from './config-store.js';
 import { evaluateCommandPolicy } from './command-policy.js';
 import { appendInputHistory, loadInputHistory } from './input-history-store.js';
@@ -152,10 +152,12 @@ function getCompletionCopy(language = 'zh') {
         agents: '列出/运行子代理角色',
         config: '设置/读取/列出/重置配置',
         memory: '查看/搜索/删除持久记忆',
+        dream: '整理记忆收件箱（dream consolidation）',
         history: '查看/恢复会话',
         debug: '运行时调试开关',
         retry: '重试上一条用户请求',
         stop: '中止当前回答',
+        new: '开始新会话',
         yes: '确认当前待审批计划并开始执行',
         edit: '修改当前待审批计划',
         reject: '拒绝当前待审批计划'
@@ -169,6 +171,7 @@ function getCompletionCopy(language = 'zh') {
         planCommand: '规划命令',
         agentCommand: '子代理命令',
         memoryCommand: '记忆命令',
+        dreamCommand: '记忆整理命令',
         debugCommand: '调试命令',
         keyboardDebugCommand: '键盘调试命令',
         compactCommand: '上下文压缩命令',
@@ -246,10 +249,12 @@ function getCompletionCopy(language = 'zh') {
         agents: 'run/list sub-agent roles',
         config: 'set/get/list/reset config values',
         memory: 'list/search/delete persistent memories',
+        dream: 'consolidate memory inbox (dream)',
         history: 'list/resume sessions',
         debug: 'runtime debug switches',
         retry: 'retry the last user request',
         stop: 'stop the current response',
+        new: 'start a new session',
         yes: 'approve the pending plan and start execution',
         edit: 'revise the pending plan',
         reject: 'reject the pending plan'
@@ -263,6 +268,7 @@ function getCompletionCopy(language = 'zh') {
         planCommand: 'planning command',
         agentCommand: 'sub-agent command',
         memoryCommand: 'memory command',
+        dreamCommand: 'dream consolidation command',
         debugCommand: 'debug command',
         keyboardDebugCommand: 'keyboard debug command',
         compactCommand: 'context compaction command',
@@ -1636,6 +1642,18 @@ async function writeMarkdownInProjectDir(subDir, title, body, fallbackName, sess
   return filePath;
 }
 
+async function removePlanFileIfPresent(planState) {
+  const filePath = String(planState?.filePath || '').trim();
+  if (!filePath) return;
+  try {
+    await fs.unlink(filePath);
+  } catch (error) {
+    if (error?.code !== 'ENOENT') {
+      // Best-effort cleanup: keep the main approval flow moving.
+    }
+  }
+}
+
 function buildSpecTemplate(topic) {
   return `
 # Spec: ${topic}
@@ -2777,7 +2795,7 @@ export async function createChatRuntime({
   if (initialIndex?.summary) {
     startupEvents.push({
       type: 'system_tool',
-      name: 'project_index(.codemini-project/project-map.json,.codemini-project/file-index.json)',
+      name: 'project_index(.codemini/project-map.json,.codemini/file-index.json)',
       status: 'done',
       summary: initialIndex.summary
     });
@@ -2901,7 +2919,8 @@ export async function createChatRuntime({
     '/agents',
     '/compact',
     '/debug',
-    '/retry'
+    '/retry',
+    '/new'
   ];
   const configSubcommandPriority = ['/config set', '/config get', '/config list', '/config reset'];
 
@@ -2920,10 +2939,12 @@ export async function createChatRuntime({
       { name: 'agents', description: completionCopy.commands.agents },
       { name: 'config', description: completionCopy.commands.config },
       { name: 'memory', description: completionCopy.commands.memory },
+      { name: 'dream', description: completionCopy.commands.dream },
       { name: 'history', description: completionCopy.commands.history },
       { name: 'debug', description: completionCopy.commands.debug },
       { name: 'retry', description: completionCopy.commands.retry },
-      { name: 'stop', description: completionCopy.commands.stop }
+      { name: 'stop', description: completionCopy.commands.stop },
+      { name: 'new', description: completionCopy.commands.new }
     ];
     const out = [];
     for (const cmd of commands.values()) {
@@ -2969,6 +2990,7 @@ export async function createChatRuntime({
   const planTemplates = ['/plan <goal>', '/plan auto <goal>', '/plan approve', '/plan from-spec <spec-path?>'];
   const agentTemplates = ['/agents list', '/agents run planner <task>', '/agents run coder <task>', '/agents run reviewer <task>', '/agents run tester <task>', '/agents run summarizer <task>'];
   const debugTemplates = ['/debug keys on', '/debug keys off', '/debug keys status'];
+  const dreamTemplates = ['/dream', '/dream --dry-run', '/dream --scope=project', '/dream --scope=global'];
   const compactTemplates = compactOptions.map((opt) => `/compact ${opt}`);
   const slashTemplates = [
     ...configTemplates,
@@ -2980,6 +3002,7 @@ export async function createChatRuntime({
     ...planTemplates,
     ...agentTemplates,
     ...debugTemplates,
+    ...dreamTemplates,
     ...compactTemplates,
     '/retry',
     '/status'
@@ -3046,6 +3069,7 @@ export async function createChatRuntime({
     }
     for (const template of agentTemplates) registerSuggestion(template, completionCopy.generic.agentCommand);
     for (const template of debugTemplates) registerSuggestion(template, completionCopy.generic.debugCommand);
+    for (const template of dreamTemplates) registerSuggestion(template, completionCopy.generic.dreamCommand);
     for (const template of compactTemplates) registerSuggestion(template, completionCopy.generic.compactCommand);
     registerSuggestion('/retry', completionCopy.generic.retryCommand);
     registerSuggestion('/status', completionCopy.generic.statusCommand);
@@ -3382,10 +3406,27 @@ export async function createChatRuntime({
     }
     if (parsedInput.type === 'slash') {
       if (parsedInput.command === 'exit') return { type: 'exit' };
+      if (parsedInput.command === 'new') {
+        const fresh = await createSession();
+        currentSession = fresh;
+        executionMode = config.execution?.mode || 'auto';
+        compactState.backupMessages = null;
+        setResultDir(path.join(getSessionsDir(), String(fresh.id)));
+        historyIdCache = [fresh.id, ...historyIdCache.filter((id) => id !== fresh.id)];
+        historySessionCache = [
+          { id: fresh.id, messageCount: 0 },
+          ...historySessionCache.filter((s) => s.id !== fresh.id)
+        ];
+        return {
+          type: 'system',
+          text: `New session started: ${fresh.id}`,
+          restoredMessages: []
+        };
+      }
       if (parsedInput.command === 'help') {
         return {
           type: 'system',
-          text: 'Commands: /help /exit /stop /commands /status /mode /compact /checkpoint /spec /plan /yes /edit /reject /agents /config /memory /capture /inbox /dream /history /debug /retry /<custom> !<shell>'
+          text: 'Commands: /help /exit /new /stop /commands /status /mode /compact /checkpoint /spec /plan /yes /edit /reject /agents /config /memory /capture /inbox /dream /history /debug /retry /<custom> !<shell>'
         };
       }
       if (parsedInput.command === 'status') {
@@ -3428,6 +3469,7 @@ export async function createChatRuntime({
         });
         activeSubSession = null;
         currentSession.planState = null;
+        await removePlanFileIfPresent(planState);
         executionMode = 'auto';
         await persistAssistantExchange(line, result.text || '', { includeUser: false });
         return { type: 'assistant', text: result.text, aborted: !!result.aborted };
@@ -3457,7 +3499,9 @@ export async function createChatRuntime({
         if (!hasPendingPlanApproval(currentSession)) {
           return { type: 'system', text: 'No pending plan approval.' };
         }
+        const planState = { ...currentSession.planState };
         currentSession.planState = null;
+        await removePlanFileIfPresent(planState);
         executionMode = 'auto';
         const text = 'Pending plan rejected and cleared.';
         await persistLocalExchange(line, text);
@@ -3597,6 +3641,7 @@ export async function createChatRuntime({
           });
           activeSubSession = null;
           currentSession.planState = null;
+          await removePlanFileIfPresent(planState);
           executionMode = 'auto';
           await persistAssistantExchange(line, result.text || '', { includeUser: false });
           return { type: 'assistant', text: result.text, aborted: !!result.aborted };

package/src/core/command-evaluator.js

@@ -0,0 +1,66 @@
+import { createChatCompletion } from './provider/index.js';
+
+const EVAL_TIMEOUT_MS = 15000;
+
+const SYSTEM_PROMPT = `You are a command safety evaluator for a coding assistant. Analyze the shell command and respond with valid JSON only, no markdown fences:
+{"risk":"low|medium|high","description":"what this command does in one sentence","sideEffects":"potential side effects in one sentence, or none","recommendation":"allow|deny"}
+
+Rules:
+- Read-only commands (ls, cat, git status, git diff, grep, find, etc.) are low risk and allow.
+- Commands that install/uninstall packages, modify files, push code, start servers, or have network side effects are medium or high.
+- Destructive commands (rm -rf, format, sudo, dd) are high risk and deny.
+- Consider the workspace context: the command runs in the project directory.
+- Be concise. Maximum 1 sentence per field.`;
+
+const FAIL_CLOSED_RESULT = Object.freeze({
+  risk: 'high',
+  description: '',
+  sideEffects: '',
+  recommendation: 'deny'
+});
+
+function parseEvaluation(text) {
+  try {
+    const json = JSON.parse(text);
+    const risk = String(json?.risk || '').toLowerCase();
+    const recommendation = String(json?.recommendation || '').toLowerCase();
+    return {
+      risk: ['low', 'medium', 'high'].includes(risk) ? risk : 'high',
+      description: String(json?.description || '').slice(0, 200),
+      sideEffects: String(json?.sideEffects || '').slice(0, 200),
+      recommendation: recommendation === 'allow' ? 'allow' : 'deny'
+    };
+  } catch {
+    return { ...FAIL_CLOSED_RESULT };
+  }
+}
+
+/**
+ * 用轻量 LLM 调用评估命令风险。
+ * @param {{ command: string, config: object, workspaceRoot?: string }} params
+ * @returns {Promise<{ risk: 'low'|'medium'|'high', description: string, sideEffects: string, recommendation: 'allow'|'deny' }>}
+ */
+export async function evaluateCommandWithLLM({ command, config, workspaceRoot }) {
+  const cmd = String(command || '').trim();
+  if (!cmd) return { ...FAIL_CLOSED_RESULT };
+
+  try {
+    const result = await createChatCompletion({
+      sdkProvider: config?.sdk?.provider,
+      baseUrl: config?.gateway?.base_url,
+      apiKey: config?.gateway?.api_key,
+      model: config?.model?.name,
+      messages: [
+        { role: 'system', content: SYSTEM_PROMPT },
+        { role: 'user', content: `Command: ${cmd}\nWorkspace: ${workspaceRoot || process.cwd()}` }
+      ],
+      temperature: 0,
+      timeoutMs: EVAL_TIMEOUT_MS
+    });
+
+    const text = result?.text || '';
+    return parseEvaluation(text);
+  } catch {
+    return { ...FAIL_CLOSED_RESULT };
+  }
+}

package/src/core/command-policy.js

@@ -169,8 +169,22 @@ function includesAny(haystackLower, patterns = []) {
   return patterns.some((p) => haystackLower.includes(String(p).toLowerCase()));
 }
 
+/** bash 下会被阻止的删除类命令 token */
+const BASH_DELETE_TOKENS = new Set(['rm', 'rmdir']);
+/** PowerShell 下会被阻止的删除类命令 token */
+const POWERSHELL_DELETE_TOKENS = new Set(['del', 'erase', 'rmdir', 'rd', 'remove-item', 'ri']);
+
 function suggestionForToken(token, config) {
   const shell = String(config?.shell?.default || '').toLowerCase();
+
+  /* 删除类命令：优先引导 LLM 使用 delete 工具 */
+  if (
+    (shell !== 'powershell' && BASH_DELETE_TOKENS.has(token)) ||
+    (shell === 'powershell' && POWERSHELL_DELETE_TOKENS.has(token))
+  ) {
+    return 'Use the delete tool to remove files or directories inside the workspace. Do not use shell commands for deletion.';
+  }
+
   if (token === 'find' || token === 'grep') {
     return shell === 'powershell'
       ? 'Prefer structured tools like grep, list, read, and edit first. If you need shell fallback, use allowed search and context commands such as Get-ChildItem, Select-String, Get-Content, or rg when available.'
@@ -259,3 +273,5 @@ export function evaluateCommandPolicy(command, config, workspaceRoot = process.c
 
   return { allowed: true };
 }
+
+export { collectCommandTokens, firstToken };