little-coder 1.2.1 → 1.3.0

package/.pi/extensions/permission-gate/index.ts

@@ -21,6 +21,10 @@ const BUILTIN_SAFE_PREFIXES: readonly string[] = [
   "pip show", "pip list", "npm list", "cargo metadata",
   "df ", "du ", "free ", "top -bn", "ps ",
   "curl -I", "curl --head",
+  // Routine filesystem scaffolding. Trailing space = word boundary, so
+  // "cp " matches "cp a b" but not "cpufetch". rm stays off the list by
+  // design; use LITTLE_CODER_BASH_ALLOW=rm if a deployment needs it.
+  "cp ", "mv ", "mkdir ", "touch ",
 ];
 
 // Trailing whitespace is meaningful — it acts as a word boundary in startsWith

package/.pi/extensions/permission-gate/permission.test.ts

@@ -9,10 +9,22 @@ describe("isSafeBash", () => {
     expect(isSafeBash("grep -r pattern .")).toBe(true);
     expect(isSafeBash("rg pattern src/")).toBe(true);
   });
+  it("allows routine filesystem scaffolding (cp/mv/mkdir/touch)", () => {
+    expect(isSafeBash("cp a b")).toBe(true);
+    expect(isSafeBash("mv old new")).toBe(true);
+    expect(isSafeBash("mkdir -p sub/dir")).toBe(true);
+    expect(isSafeBash("touch foo.md")).toBe(true);
+  });
+  it("preserves trailing-whitespace word boundary on fs prefixes", () => {
+    // Without the trailing space, "cp" would match "cpufetch". With it, these stay blocked.
+    expect(isSafeBash("cpufetch")).toBe(false);
+    expect(isSafeBash("mvtool")).toBe(false);
+    expect(isSafeBash("mkdiroops")).toBe(false);
+    expect(isSafeBash("touchscreen")).toBe(false);
+  });
   it("blocks non-whitelisted commands", () => {
     expect(isSafeBash("rm -rf /")).toBe(false);
     expect(isSafeBash("npm install foo")).toBe(false);
-    expect(isSafeBash("cp a b")).toBe(false);
     expect(isSafeBash("sudo anything")).toBe(false);
   });
   it("handles leading whitespace", () => {

package/.pi/extensions/write-guard/index.ts

@@ -1,7 +1,40 @@
 import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
 import { Type } from "@sinclair/typebox";
 import { existsSync, mkdirSync, writeFileSync } from "node:fs";
-import { dirname } from "node:path";
+import { dirname, isAbsolute, join } from "node:path";
+
+/**
+ * Resolve the Write tool's `file_path` argument to a concrete on-disk path.
+ *
+ * Two deterministic rewrites:
+ *
+ * 1. `"/<single-segment>"` (e.g. `/foo.md`) → `<cwd>/<single-segment>`.
+ *    Background: the model has been seen to anchor at filesystem root when
+ *    given an "Absolute file path" schema and no obvious directory context.
+ *    Genuine system-path writes always include at least one intermediate
+ *    directory (`/etc/X`, `/tmp/Y/Z`), so a root + bare filename is almost
+ *    always a mistake. Rewriting to cwd matches user intent and avoids
+ *    accidentally writing to `/`.
+ *
+ * 2. Bare filename / relative path (no leading slash) → resolved against cwd.
+ *    Node's `fs` APIs already do this implicitly, but resolving here makes
+ *    the success message report the real absolute path that was written.
+ *
+ * Anything else (absolute path with at least one intermediate directory) is
+ * left untouched.
+ */
+export function normalizeWritePath(
+  filePath: string,
+  cwd: string = process.cwd(),
+): { path: string; rewrittenFrom?: string } {
+  if (/^\/[^/]+$/.test(filePath)) {
+    return { path: join(cwd, filePath.slice(1)), rewrittenFrom: filePath };
+  }
+  if (!isAbsolute(filePath)) {
+    return { path: join(cwd, filePath) };
+  }
+  return { path: filePath };
+}
 
 // Port of tools.py::_write. Preserves the exact Edit-recipe error string so
 // the model recovers to Edit on its next turn. The whitepaper's benchmark
@@ -12,18 +45,24 @@ export default function (pi: ExtensionAPI) {
     name: "write",
     label: "Write",
     description:
-      "Create a NEW file with the given content. Refuses if the file already exists — use edit to modify existing files. Parent directories are created automatically.",
+      "Create a NEW file with the given content. Refuses if the file already exists — use edit to modify existing files. " +
+      "Parent directories are created automatically. " +
+      "Pass either a path relative to the working directory (e.g. `notes/plan.md`) or a full absolute path. " +
+      "A bare filename like `foo.md` resolves to <cwd>/foo.md. " +
+      "A path of the form `/<filename>` with no intermediate directories is treated as cwd-relative " +
+      "(use `/etc/hosts` etc. if you really mean the filesystem root).",
     parameters: Type.Object({
-      file_path: Type.String({ description: "Absolute file path" }),
+      file_path: Type.String({ description: "File path (relative to cwd, or absolute)" }),
       content: Type.String({ description: "Full file content" }),
     }),
     async execute(_id, { file_path, content }) {
-      if (existsSync(file_path)) {
+      const { path: resolved, rewrittenFrom } = normalizeWritePath(file_path);
+      if (existsSync(resolved)) {
         const recipe =
-          `Error: Write refused — ${file_path} already exists.\n` +
+          `Error: Write refused — ${resolved} already exists.\n` +
           `\n` +
           `Write is only for creating NEW files. To change an existing file, use Edit:\n` +
-          `  {"name": "Edit", "input": {"file_path": "${file_path}", ` +
+          `  {"name": "Edit", "input": {"file_path": "${resolved}", ` +
           `"old_string": "<exact text currently in the file>", ` +
           `"new_string": "<replacement text>"}}\n` +
           `\n` +
@@ -41,12 +80,15 @@ export default function (pi: ExtensionAPI) {
       }
 
       try {
-        mkdirSync(dirname(file_path), { recursive: true });
-        writeFileSync(file_path, content, { encoding: "utf-8" });
+        mkdirSync(dirname(resolved), { recursive: true });
+        writeFileSync(resolved, content, { encoding: "utf-8" });
         const lc = content.split("\n").length - (content.endsWith("\n") ? 1 : 0) +
           (content.length > 0 && !content.endsWith("\n") ? 1 : 0);
+        const suffix = rewrittenFrom
+          ? ` (rewrote ${rewrittenFrom} → cwd; root-path single-segment write redirected)`
+          : "";
         return {
-          content: [{ type: "text", text: `Created ${file_path} (${lc} lines)` }],
+          content: [{ type: "text", text: `Created ${resolved} (${lc} lines)${suffix}` }],
           details: {},
         };
       } catch (e) {

package/.pi/extensions/write-guard/write-guard.test.ts

@@ -0,0 +1,51 @@
+import { describe, it, expect } from "vitest";
+import { normalizeWritePath } from "./index.ts";
+
+describe("normalizeWritePath", () => {
+  const cwd = "/home/me/proj";
+
+  it("rewrites /<bare-filename> to <cwd>/<bare-filename>", () => {
+    // The model anchoring at filesystem root is the bug we're fixing.
+    expect(normalizeWritePath("/foo.md", cwd)).toEqual({
+      path: "/home/me/proj/foo.md",
+      rewrittenFrom: "/foo.md",
+    });
+    expect(normalizeWritePath("/person.md", cwd)).toEqual({
+      path: "/home/me/proj/person.md",
+      rewrittenFrom: "/person.md",
+    });
+  });
+
+  it("resolves bare filenames against cwd (no rewrite flag — already cwd-relative)", () => {
+    expect(normalizeWritePath("foo.md", cwd)).toEqual({
+      path: "/home/me/proj/foo.md",
+    });
+  });
+
+  it("resolves nested relative paths against cwd", () => {
+    expect(normalizeWritePath("sub/foo.md", cwd)).toEqual({
+      path: "/home/me/proj/sub/foo.md",
+    });
+    expect(normalizeWritePath("a/b/c.md", cwd)).toEqual({
+      path: "/home/me/proj/a/b/c.md",
+    });
+  });
+
+  it("leaves genuine absolute paths alone (path has an intermediate directory)", () => {
+    // /etc/hosts has an intermediate directory, so it's a legitimate
+    // absolute path. We don't rewrite it.
+    expect(normalizeWritePath("/etc/hosts", cwd)).toEqual({
+      path: "/etc/hosts",
+    });
+    expect(normalizeWritePath("/tmp/foo.log", cwd)).toEqual({
+      path: "/tmp/foo.log",
+    });
+  });
+
+  it("leaves deep absolute paths in cwd untouched", () => {
+    // Model handing back its own cwd-prefixed path: unchanged.
+    expect(normalizeWritePath("/home/me/proj/notes/plan.md", cwd)).toEqual({
+      path: "/home/me/proj/notes/plan.md",
+    });
+  });
+});

package/CHANGELOG.md

@@ -2,6 +2,25 @@
 
 All notable changes to little-coder are documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and little-coder's public interface (CLI, providers, tools, skills) follows semver starting at `v0.0.1` post-rename.
 
+## [v1.3.0] — 2026-05-16
+
+First functional release of Phase 2 (iterative improvement on real-world coding tasks). Three concrete sharp edges that surfaced while actually using the Mac → Linux LAN setup, plus a quality-of-life cleanup on the pi update banner. Minor version bump because three of the four changes are new behavior, all backwards-compatible.
+
+### Added
+- **`cp`, `mv`, `mkdir`, `touch` are now on the built-in bash whitelist.** The permission-gate's `BUILTIN_SAFE_PREFIXES` previously covered only read-only inspection (`ls`, `cat`, `git log`, `find`, `grep`, …), so the model couldn't move or copy a file it just created without flipping `LITTLE_CODER_PERMISSION_MODE=accept-all`. These four were the most common false-positive blocks on day-to-day editing work. Trailing-whitespace word-boundary convention preserved — `cp ` allows `cp a b` but not `cpufetch`. `rm` and `sudo` stay off the list by design; per-deployment escape hatch is still `LITTLE_CODER_BASH_ALLOW`. New positive + negative-boundary assertions in `.pi/extensions/permission-gate/permission.test.ts`.
+- **Image input on `llamacpp/qwen3.6-35b-a3b`.** `models.json` now declares `input: ["text", "image"]` for this entry, so pi's TUI no longer rejects clipboard / drag-and-drop screenshots. Pi already ships the full image-conversion / resize / OpenAI-format encoding stack (`@mariozechner/pi-coding-agent/dist/utils/{clipboard-image,image-resize,image-convert,mime}.js`); the gate was purely the capability flag on the model. README's *Option A — llama.cpp* now folds the vision projector into the canonical setup: an extra `hf download unsloth/Qwen3.6-35B-A3B-GGUF mmproj-F16.gguf` line and `--mmproj ~/models/mmproj-F16.gguf` on the `llama-server` command. Skip both lines if you want a text-only deployment.
+
+### Fixed
+- **Write tool no longer writes to filesystem root when the model emits `/<filename>`.** Previously the tool's schema described `file_path` as *"Absolute file path"*, so models that had no obvious working-directory context dutifully wrote `/person.md` — landing the file at the filesystem root instead of under cwd. `.pi/extensions/write-guard/index.ts` now runs a deterministic `normalizeWritePath()` before any filesystem call: a path matching `/^\/[^/]+$/` (root + single segment, no intermediate dirs) is rewritten to `<cwd>/<segment>` and the success message says so explicitly; bare filenames / relative paths are resolved against cwd up-front so the returned path is absolute; genuine system writes (`/etc/X`, `/tmp/Y/Z`) are passed through untouched. Tool description updated to give the model the right mental model. New unit-test module `.pi/extensions/write-guard/write-guard.test.ts` covers the five distinct path shapes.
+
+### Changed
+- **Pi's "Update Available" banner is suppressed by default.** `bin/little-coder.mjs` now defaults `PI_SKIP_VERSION_CHECK=1` unless you've explicitly set it. little-coder bundles `@mariozechner/pi-coding-agent` as an internal dependency pinned per release, so the in-session nag about updating pi was telling users to do something they shouldn't (and couldn't usefully) do — `npm install -g @mariozechner/pi-coding-agent@latest` doesn't affect the bundled copy. Opt back in with `PI_SKIP_VERSION_CHECK=0` if you want the banner. (The broader `PI_OFFLINE=1` is still your hammer for killing pi's other startup network calls — package-update check, tool auto-fetch, install telemetry.)
+
+### Notes for upgraders
+- No CLI flag, settings.json, or skill-pack breaks. Existing `LITTLE_CODER_BASH_ALLOW` overrides continue to compose on top of the (now-wider) built-in list. Existing `models.json` user-override files for the llamacpp provider continue to work unchanged; if you'd hand-rolled an override entry for `qwen3.6-35b-a3b` you'll keep its old `input` value until you redeclare it. Tool descriptions changed on Write, which the model sees as a system-prompt diff — no API surface change for you.
+
+---
+
 ## [v1.2.1] — 2026-05-16
 
 Docs-only release marking two milestones: **Terminal-Bench 2.0 leaderboard acceptance** and the **end of the Phase 1 benchmark baseline**. No CLI, settings, or skill-pack changes — the env-var path for remote inference (`LLAMACPP_BASE_URL` / `OLLAMA_BASE_URL` / `LMSTUDIO_BASE_URL` pointing at a non-loopback host) has worked since v1.1.0 / v1.2.0, but it was undocumented for the LAN-server case until now.

package/README.md

@@ -81,16 +81,21 @@ git clone https://github.com/ggml-org/llama.cpp && cd llama.cpp
 cmake -B build -DGGML_CUDA=ON -DCMAKE_CUDA_ARCHITECTURES=120 -DLLAMA_CURL=ON
 cmake --build build --config Release -j
 
-# Fetch a GGUF
+# Fetch the model GGUF and the matching vision projector.
+# The mmproj (~900 MB) is what lets the model see attached screenshots.
 pip install -U "huggingface_hub[cli]"
 hf download unsloth/Qwen3.6-35B-A3B-GGUF Qwen3.6-35B-A3B-UD-Q4_K_M.gguf --local-dir ~/models
+hf download unsloth/Qwen3.6-35B-A3B-GGUF mmproj-F16.gguf            --local-dir ~/models
 
 # Serve it (MoE trick: experts in RAM, attention on GPU → 22 GB model on 8 GB VRAM)
 build/bin/llama-server -m ~/models/Qwen3.6-35B-A3B-UD-Q4_K_M.gguf \
+   --mmproj ~/models/mmproj-F16.gguf \
    --host 127.0.0.1 --port 8888 --jinja \
    -c 16384 -ngl 99 --n-cpu-moe 999 --flash-attn on
 ```
 
+If you only need text and want to skip the projector download, drop the second `hf download` line and the `--mmproj` flag — little-coder still works text-only, but the TUI's image attachment will be rejected by the server with a 4xx.
+
 **Option B — Ollama** (simpler, but slower on MoE):
 
 ```bash
@@ -186,7 +191,7 @@ Then verify with `little-coder --list-models` — you should see your overridden
 
 ## Permissions
 
-little-coder gates `Bash` tool calls against a built-in safe-prefix whitelist (`ls`, `cat`, `git log/status/diff`, `find`, `grep`, etc.) before pi's own confirmation flow ever sees them.
+little-coder gates `Bash` tool calls against a built-in safe-prefix whitelist (`ls`, `cat`, `head`, `tail`, `git log/status/diff`, `find`, `grep`, `cp`, `mv`, `mkdir`, `touch`, etc.) before pi's own confirmation flow ever sees them. `rm` and `sudo` are intentionally not on the list — add them via `LITTLE_CODER_BASH_ALLOW` per deployment if you really need them.
 
 Two env vars control the gate:
 
@@ -247,8 +252,14 @@ That spans short coding exercises (Polyglot), interactive shell-bound tasks (Ter
 
 **`ECONNREFUSED 127.0.0.1:8888`** — llama.cpp isn't running. Start `llama-server` first, or switch `--model` to an Ollama/cloud ID.
 
+**LAN client times out (no `RST`, just hangs)** — the inference box's firewall is dropping the SYN. The usual cause is `ufw` with a default-deny policy that allow-lists only SSH / a few dev ports. From the server: `sudo ufw status verbose` to confirm; `sudo ufw allow from <your-lan-subnet>/24 to any port 8888 proto tcp` to fix (scoped to the LAN so you're not exposing the box). Docker-published ports bypass `ufw` via `PREROUTING` NAT, which is why a Docker container can be reachable while a plain `llama-server` on the same host isn't.
+
+**Image attachment is accepted but the request returns 4xx** — your llama-server is running without a vision projector. Re-launch it with `--mmproj ~/models/mmproj-F16.gguf` (or another mmproj variant from the same GGUF repo). The `--list-models` `images` column reflects what the client *will attempt to send*, not what the server can answer; the projector is what gives the model eyes.
+
 **No API key env var warning** — pi expects *some* key even for local providers. Export `LLAMACPP_API_KEY=noop` (or `OLLAMA_API_KEY=noop`) before launching.
 
+**No pi "Update Available" banner** — that's intentional. little-coder defaults `PI_SKIP_VERSION_CHECK=1` so the bundled pi runtime doesn't nag about updating itself; little-coder pins pi to a known-good version per release. If you actually want the banner back, `export PI_SKIP_VERSION_CHECK=0` before launching.
+
 **Extension load failures on startup** — run `little-coder --list-models --verbose`; extension errors surface there. If the install looks corrupt: `npm uninstall -g little-coder && npm install -g little-coder`.
 
 **Node version too old** — little-coder needs Node ≥ 20.6.0. Check with `node --version`. Easiest fix: `nvm install 20 && nvm use 20`.

package/bin/little-coder.mjs

@@ -87,7 +87,18 @@ const piArgs = [
   ...userArgs,
 ];
 
-// ---- 7. Spawn pi in the user's cwd ----
+// ---- 7. Suppress pi's own version-banner by default ----
+// pi is an internal dependency here; users install `little-coder` and shouldn't
+// see in-session nags about updating the underlying coding-agent package.
+// PI_SKIP_VERSION_CHECK is the surgical pi switch (interactive-mode.js:525)
+// that gates the "Update Available" banner without touching pi's other
+// network-dependent startup paths. Honor an explicit user value (set to "0" or
+// anything else to re-enable the banner; PI_OFFLINE=1 also re-overrides).
+if (process.env.PI_SKIP_VERSION_CHECK === undefined) {
+  process.env.PI_SKIP_VERSION_CHECK = "1";
+}
+
+// ---- 8. Spawn pi in the user's cwd ----
 const [spawnCmd, spawnArgs] = isWindows
   ? ["cmd.exe", ["/c", piBin, ...piArgs]]
   : [piBin, piArgs];

package/models.json

@@ -18,7 +18,7 @@
           "id": "qwen3.6-35b-a3b",
           "name": "Qwen3.6-35B-A3B (MoE, local llama.cpp)",
           "reasoning": true,
-          "input": ["text"],
+          "input": ["text", "image"],
           "contextWindow": 32768,
           "maxTokens": 4096,
           "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "little-coder",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "A pi-based coding agent optimized for small local language models. Reproduces the whitepaper's scaffold-model-fit adaptations as pi extensions.",
   "homepage": "https://github.com/itayinbarr/little-coder",
   "repository": {