npm - kimiflare - Versions diffs - 0.9.2 → 0.10.0 - Mend

kimiflare 0.9.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -489,21 +489,209 @@ function nextMode(m) {
 function isBlockedInPlanMode(toolName) {
   return MUTATING_TOOLS.has(toolName);
 }
+function tokenizeCommand(command) {
+  const tokens = [];
+  let current = "";
+  let inQuote = null;
+  for (const ch of command) {
+    if (inQuote) {
+      if (ch === inQuote) {
+        inQuote = null;
+      } else {
+        current += ch;
+      }
+    } else if (ch === '"' || ch === "'") {
+      inQuote = ch;
+    } else if (/\s/.test(ch)) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function isReadOnlyBash(command) {
+  const trimmed = command.trim();
+  if (!trimmed) return false;
+  if (DANGEROUS_PATTERNS.test(trimmed)) return false;
+  const tokens = tokenizeCommand(trimmed);
+  if (tokens.length === 0) return false;
+  const first = tokens[0];
+  let cmdIndex = 0;
+  if (first === "cd" && tokens.length >= 3 && tokens[1] && tokens[2] === "&&") {
+    cmdIndex = 3;
+  }
+  const cmd = tokens[cmdIndex];
+  if (!cmd) return false;
+  const args = tokens.slice(cmdIndex + 1);
+  if (cmd === "git") {
+    const sub = args[0] ?? "";
+    const allowed = GIT_READONLY_SUBCOMMANDS[sub];
+    if (allowed === void 0) return false;
+    if (allowed === true) return true;
+    switch (sub) {
+      case "branch":
+        return !args.some((a) => /^-[dDmMcC]/.test(a));
+      case "stash":
+        return args[1] === "list";
+      case "remote":
+        return args[1] === "-v" || args[1] === "--verbose" || args.length === 1;
+      case "tag":
+        return args[1] === "-l" || args[1] === "--list" || args.length === 1;
+      case "config":
+        return args[1] === "--list" || args[1]?.startsWith("--get") === true || args.length === 1;
+      default:
+        return false;
+    }
+  }
+  const argCheck = COMMANDS_NEEDING_ARG_CHECK[cmd];
+  if (argCheck) {
+    return argCheck(args);
+  }
+  return READONLY_COMMANDS.has(cmd);
+}
 function systemPromptForMode(m) {
   if (m === "plan") {
-    return "\n\nPLAN MODE is active. The user wants you to investigate and produce a plan WITHOUT making any changes. Do not call write, edit, or bash. Only use read/glob/grep/web-fetch. At the end, present a concise plan (bullets, files to change, approach). The user will review and then exit plan mode to execute.";
+    return "\n\nPLAN MODE is active. The user wants you to investigate and produce a plan WITHOUT making any changes. Do not call write, edit, or mutating bash commands. You may use read-only bash commands (e.g., git log, git diff, ls, cat) along with read/glob/grep/web-fetch. At the end, present a concise plan (bullets, files to change, approach). The user will review and then exit plan mode to execute.";
   }
   if (m === "auto") {
     return "\n\nAUTO MODE is active. The user has opted into autonomous execution \u2014 every tool call will be auto-approved. Work efficiently, but do not take irreversible destructive actions (rm -rf, git push --force, dropping tables, etc.) without pausing to describe them in chat first. Prefer smaller reversible steps.";
   }
   return "";
 }
-var MODES, MUTATING_TOOLS;
+var MODES, MUTATING_TOOLS, DANGEROUS_PATTERNS, GIT_READONLY_SUBCOMMANDS, READONLY_COMMANDS, COMMANDS_NEEDING_ARG_CHECK;
 var init_mode = __esm({
   "src/mode.ts"() {
     "use strict";
     MODES = ["edit", "plan", "auto"];
     MUTATING_TOOLS = /* @__PURE__ */ new Set(["write", "edit", "bash"]);
+    DANGEROUS_PATTERNS = /[<>|;&`$]|\$\(|\$\{|&&|\|\||\b&\s*$/;
+    GIT_READONLY_SUBCOMMANDS = {
+      log: true,
+      diff: true,
+      status: true,
+      show: true,
+      blame: true,
+      describe: true,
+      "rev-parse": true,
+      "ls-files": true,
+      reflog: true,
+      shortlog: true,
+      whatchanged: true,
+      grep: true,
+      branch: false,
+      // needs check: block -d/-D/-m/-M/-c/-C
+      stash: false,
+      // needs check: only allow "list"
+      remote: false,
+      // needs check: only allow -v
+      tag: false,
+      // needs check: only allow -l
+      config: false
+      // needs check: only allow --list/--get
+    };
+    READONLY_COMMANDS = /* @__PURE__ */ new Set([
+      // File system
+      "ls",
+      "cat",
+      "head",
+      "tail",
+      "pwd",
+      "echo",
+      "file",
+      "stat",
+      "readlink",
+      "realpath",
+      "dirname",
+      "basename",
+      "wc",
+      "sort",
+      "uniq",
+      "diff",
+      "cmp",
+      // Search
+      "grep",
+      "rg",
+      "ag",
+      "fd",
+      // System info
+      "ps",
+      "df",
+      "du",
+      "env",
+      "printenv",
+      "which",
+      "whereis",
+      "uname",
+      "hostname",
+      "uptime",
+      "free",
+      "date",
+      "id",
+      "whoami",
+      "groups",
+      // Dev tools (version/info only)
+      "node",
+      "npx",
+      "python3",
+      "ruby",
+      "perl",
+      // Utilities
+      "jq",
+      "yq",
+      "awk",
+      "cut",
+      "tr",
+      "base64",
+      "sha256sum",
+      "md5sum",
+      "shasum",
+      "hexdump",
+      "xxd",
+      "strings",
+      "less",
+      "more",
+      "man",
+      "clear",
+      "history",
+      // Archive inspection
+      "zipinfo",
+      // Network
+      "ping",
+      "netstat",
+      "ss",
+      "lsof"
+    ]);
+    COMMANDS_NEEDING_ARG_CHECK = {
+      find: (args) => !args.some((a) => a === "-delete" || a === "-exec"),
+      sed: (args) => !args.some((a) => a === "-i" || a.startsWith("-i")),
+      tar: (args) => args[0] === "-tf" || args[0] === "--list",
+      unzip: (args) => args[0] === "-l",
+      curl: (args) => !args.some((a) => a === "-o" || a === "-O" || a === "-d" || a === "--data" || a.startsWith("-X")),
+      wget: (args) => !args.some((a) => a === "-O" || a === "--output-document" || a.startsWith("--post")),
+      npm: (args) => ["list", "view", "config"].includes(args[0] ?? "") && !(args[0] === "config" && args[1] && !args[1].startsWith("get") && args[1] !== "list"),
+      tsc: (args) => args.every(
+        (a) => ["--noEmit", "--version", "--showConfig", "--help", "-h", "--init"].includes(a)
+      ),
+      eslint: (args) => args.every(
+        (a) => ["--version", "--print-config", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      prettier: (args) => args.every(
+        (a) => ["--version", "--check", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      jest: (args) => args.every(
+        (a) => ["--version", "--listTests", "--showConfig", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      vitest: (args) => args.every(
+        (a) => ["--version", "--help", "-h"].includes(a) || !a.startsWith("-")
+      ),
+      go: (args) => ["version", "env", "list", "mod"].includes(args[0] ?? "") && !(args[0] === "mod" && args[1] && !["graph", "download", "why", "verify"].includes(args[1])),
+      cargo: (args) => ["--version", "-V", "check", "test", "metadata"].includes(args[0] ?? "") && !(args[0] === "test" && args.includes("--no-run") === false)
+    };
   }
 });
@@ -3711,7 +3899,26 @@ function App({ initialCfg, initialUpdateResult }) {
             setUsage(u);
           },
           askPermission: (req) => new Promise((resolve2) => {
-            if (modeRef.current === "auto") return resolve2("allow");
+            if (modeRef.current === "auto") {
+              resolve2("allow");
+              return;
+            }
+            if (modeRef.current === "plan" && isBlockedInPlanMode(req.tool.name)) {
+              if (req.tool.name === "bash" && typeof req.args.command === "string" && isReadOnlyBash(req.args.command)) {
+                resolve2("allow");
+                return;
+              }
+              setEvents((e) => [
+                ...e,
+                {
+                  kind: "info",
+                  key: mkKey(),
+                  text: `plan mode blocked ${req.tool.name}; exit plan mode to execute`
+                }
+              ]);
+              resolve2("deny");
+              return;
+            }
             setPerm({ tool: req.tool, args: req.args, resolve: resolve2 });
           })
         }
@@ -4106,6 +4313,10 @@ use: /thinking low | medium | high`
                 return;
               }
               if (modeRef.current === "plan" && isBlockedInPlanMode(req.tool.name)) {
+                if (req.tool.name === "bash" && typeof req.args.command === "string" && isReadOnlyBash(req.args.command)) {
+                  resolve2("allow");
+                  return;
+                }
                 setEvents((e) => [
                   ...e,
                   {