dominds 1.15.3 → 1.15.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -133,6 +133,9 @@ Notes:
|
|
|
133
133
|
- For `team_mgmt`, that explicit allowlist is `.minds/**` (including `.minds/memory/**`) so the
|
|
134
134
|
team manager can repair accidental corruptions made by other tools (even though `.minds/memory/**`
|
|
135
135
|
already has dedicated `personal_memory` / `team_memory` tools for normal use).
|
|
136
|
+
- Conversely, the denial of `.minds/**` / `*.tsk/**` for general file tools is a **built-in hard runtime
|
|
137
|
+
rule**, not a standard deny stanza you should keep repeating in `team.yaml`. Only additional
|
|
138
|
+
business-specific constraints belong in explicit `no_read_dirs` / `no_write_dirs`.
|
|
136
139
|
- Require explicit `.minds/...` paths and validate them; do not support “implicitly scoped” paths
|
|
137
140
|
like `team.yaml`.
|
|
138
141
|
|
|
@@ -444,19 +447,14 @@ member_defaults:
|
|
|
444
447
|
toolsets:
|
|
445
448
|
- ws_read
|
|
446
449
|
- personal_memory
|
|
447
|
-
# Default posture: deny `.minds/` edits for normal members.
|
|
448
|
-
# (Team management should be done via `team_mgmt` tools, not general file tools.)
|
|
449
|
-
no_read_dirs:
|
|
450
|
-
- .minds/team.yaml
|
|
451
|
-
- .minds/llm.yaml
|
|
452
|
-
- .minds/mcp.yaml
|
|
453
|
-
- .minds/team/**
|
|
454
|
-
no_write_dirs:
|
|
455
|
-
- .minds/**
|
|
456
450
|
|
|
457
451
|
default_responder: fuxi
|
|
458
452
|
|
|
459
453
|
members:
|
|
454
|
+
|
|
455
|
+
Note: in the normal-member example above, do **not** add `no_read_dirs` / `no_write_dirs` merely to
|
|
456
|
+
restate that `.minds/**` is blocked. That boundary is already enforced by the runtime for general
|
|
457
|
+
file tools; explicit deny entries should be reserved for extra constraints beyond the built-ins.
|
|
460
458
|
# Example visible teammate (recommended): define at least one non-hidden responder for daily work.
|
|
461
459
|
dev:
|
|
462
460
|
name: Dev
|
|
@@ -110,6 +110,7 @@
|
|
|
110
110
|
- 拒绝规范化后解析到 `.minds/` 之外的任何路径
|
|
111
111
|
- 优先使用显式白名单而非" rtws 中的任何内容"
|
|
112
112
|
- 对于 `team_mgmt`,该显式白名单是 `.minds/**`(包括 `.minds/memory/**`),以便团队管理者可以修复其他工具造成的意外损坏(即使 `.minds/memory/**` 已有专用的 `personal_memory` / `team_memory` 工具供正常使用)
|
|
113
|
+
- 反过来,普通通用文件工具对 `.minds/**` / `*.tsk/**` 的拒绝是**系统内置硬约束**,不是需要在 `team.yaml` 里重复书写的常规 deny 项。只有额外业务约束才需要显式写入 `no_read_dirs` / `no_write_dirs`
|
|
113
114
|
- 需要显式的 `.minds/...` 路径并验证它们;不支持像 `team.yaml` 这样的"隐式作用域"路径
|
|
114
115
|
|
|
115
116
|
### 为什么需要专用工具集(而不是仅 `read_dirs` / `write_dirs`)?
|
|
@@ -383,19 +384,12 @@ member_defaults:
|
|
|
383
384
|
toolsets:
|
|
384
385
|
- ws_read
|
|
385
386
|
- personal_memory
|
|
386
|
-
# 默认姿态:拒绝普通成员的 `.minds/` 编辑
|
|
387
|
-
#(团队管理应通过 `team_mgmt` 工具完成,而非通用文件工具)
|
|
388
|
-
no_read_dirs:
|
|
389
|
-
- .minds/team.yaml
|
|
390
|
-
- .minds/llm.yaml
|
|
391
|
-
- .minds/mcp.yaml
|
|
392
|
-
- .minds/team/**
|
|
393
|
-
no_write_dirs:
|
|
394
|
-
- .minds/**
|
|
395
387
|
|
|
396
388
|
default_responder: fuxi
|
|
397
389
|
|
|
398
390
|
members:
|
|
391
|
+
|
|
392
|
+
说明:上面的普通成员默认示例**不要**再额外写 `no_read_dirs` / `no_write_dirs` 去重复声明 `.minds/**` 拒绝。那是运行时内置边界,不是常规样板;只有要表达超出内置边界的额外 deny 规则时,才应显式写这些字段。
|
|
399
393
|
# 示例显在成员(推荐):至少定义一个非隐藏的响应者用于日常工作
|
|
400
394
|
dev:
|
|
401
395
|
name: Dev
|
package/dist/tools/team_mgmt.js
CHANGED
|
@@ -3147,8 +3147,6 @@ function renderTeamManual(language) {
|
|
|
3147
3147
|
' - ws_read\n' +
|
|
3148
3148
|
' - ws_mod\n' +
|
|
3149
3149
|
(windowsHost ? '' : ' - codex_style_tools\n') +
|
|
3150
|
-
" no_read_dirs: ['.minds/**']\n" +
|
|
3151
|
-
" no_write_dirs: ['.minds/**']\n" +
|
|
3152
3150
|
' qa_guard:\n' +
|
|
3153
3151
|
' name: QA Guard\n' +
|
|
3154
3152
|
' gofor:\n' +
|
|
@@ -3209,8 +3207,6 @@ function renderTeamManual(language) {
|
|
|
3209
3207
|
' - ws_read\n' +
|
|
3210
3208
|
' - ws_mod\n' +
|
|
3211
3209
|
(windowsHost ? '' : ' - codex_style_tools\n') +
|
|
3212
|
-
" no_read_dirs: ['.minds/**']\n" +
|
|
3213
|
-
" no_write_dirs: ['.minds/**']\n" +
|
|
3214
3210
|
'```\n');
|
|
3215
3211
|
}
|
|
3216
3212
|
async function renderMcpManual(language) {
|
|
@@ -3389,6 +3385,8 @@ function renderPermissionsManual(language) {
|
|
|
3389
3385
|
'示例:`.minds/**` 会匹配 `.minds/team.yaml`、`.minds/team/<id>/persona.zh.md` 等;常用于限制普通成员访问 minds 资产。',
|
|
3390
3386
|
'`*.tsk/` 是封装差遣牒:只能用函数工具 `change_mind` 维护。任何通用文件工具都无法访问该目录树(硬编码无条件拒绝)。',
|
|
3391
3387
|
'`.minds/**` 是 rtws(运行时工作区)的“团队配置/记忆/资产”目录:任何通用文件工具都无法访问(硬编码无条件拒绝)。只有专用的 `.minds/` 工具集(例如 `team_mgmt`)可访问它。',
|
|
3388
|
+
'因此,**不要**为了“重申系统内置限制”而在 `team.yaml` 里机械地添加 `no_read_dirs: [".minds/**"]` / `no_write_dirs: [".minds/**"]`(或出于同类目的添加 `*.tsk/**` deny)。这类条目不增加任何真实约束,只会制造样板噪音,并误导团队管理智能体以为它们是常规必填项。',
|
|
3389
|
+
'原则:`team.yaml` 里的权限字段只写**额外**业务约束;系统内置的硬边界由运行时自己保证,不需要也不应重复书写。',
|
|
3392
3390
|
'说明:如果你在 `team.yaml` 的 allow-list(`read_dirs`/`write_dirs`)里写了 `.minds/**` 或 `*.tsk/**` 试图绕过限制,运行时会忽略并上报 err 级别问题。',
|
|
3393
3391
|
]) +
|
|
3394
3392
|
fmtCodeBlock('yaml', [
|
|
@@ -3397,8 +3395,6 @@ function renderPermissionsManual(language) {
|
|
|
3397
3395
|
' coder:',
|
|
3398
3396
|
' read_dirs: ["dominds/**"]',
|
|
3399
3397
|
' write_dirs: ["dominds/**"]',
|
|
3400
|
-
' no_read_dirs: [".minds/**"]',
|
|
3401
|
-
' no_write_dirs: [".minds/**"]',
|
|
3402
3398
|
]));
|
|
3403
3399
|
}
|
|
3404
3400
|
return (fmtHeader('Permissions (Directory + Extension)') +
|
|
@@ -3415,6 +3411,8 @@ function renderPermissionsManual(language) {
|
|
|
3415
3411
|
'Example: `.minds/**` matches `.minds/team.yaml` and `.minds/team/<id>/persona.*.md`; commonly used to restrict normal members from minds assets.',
|
|
3416
3412
|
'`*.tsk/` is an encapsulated Taskdoc: it must be maintained via the function tool `change_mind` only. It is hard-denied for all general file tools.',
|
|
3417
3413
|
'`.minds/**` stores rtws (runtime workspace) team config/memory/assets: it is hard-denied for all general file tools. Only dedicated `.minds/`-scoped toolsets (e.g. `team_mgmt`) may access it.',
|
|
3414
|
+
'Therefore, do **not** mechanically restate that built-in hard deny in `team.yaml` with `no_read_dirs: [".minds/**"]` / `no_write_dirs: [".minds/**"]` (or similar `*.tsk/**` deny lines). Those entries add no real constraint, only boilerplate noise, and they incorrectly teach team managers that such lines are standard required practice.',
|
|
3415
|
+
'Rule of thumb: permission fields in `team.yaml` should describe only **additional** business-specific constraints. Built-in hard boundaries are enforced by the runtime and should not be redundantly copied into member config.',
|
|
3418
3416
|
'Note: If you try to whitelist `.minds/**` or `*.tsk/**` via `read_dirs`/`write_dirs`, the runtime ignores it and reports an error-level Problem.',
|
|
3419
3417
|
]) +
|
|
3420
3418
|
fmtCodeBlock('yaml', [
|
|
@@ -3423,8 +3421,6 @@ function renderPermissionsManual(language) {
|
|
|
3423
3421
|
' coder:',
|
|
3424
3422
|
' read_dirs: ["dominds/**"]',
|
|
3425
3423
|
' write_dirs: ["dominds/**"]',
|
|
3426
|
-
' no_read_dirs: [".minds/**"]',
|
|
3427
|
-
' no_write_dirs: [".minds/**"]',
|
|
3428
3424
|
]));
|
|
3429
3425
|
}
|
|
3430
3426
|
function renderMindsManual(language) {
|