mini-coder 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +5 -3
  2. package/dist/mc.js +666 -438
  3. package/docs/design-decisions.md +31 -0
  4. package/docs/mini-coder.1.md +1 -1
  5. package/package.json +2 -2
package/docs/design-decisions.md ADDED
@@ -0,0 +1,31 @@
1
+ # Design Decisions
2
+
3
+ Documenting why mini-coder makes certain architectural choices — especially where we intentionally diverge from common patterns.
4
+
5
+ ## Why no tool-call permissions?
6
+
7
+ **Decision:** No approval prompts, no blacklists, no whitelists. Every tool call executes immediately.
8
+
9
+ Our inspirations (Claude Code, OpenCode) require user approval for tool calls — shell commands, file writes, etc. We intentionally skip this.
10
+
11
+ ### Permission systems provide a false sense of security
12
+
13
+ - **Shell bypasses everything.** An LLM with shell access can `curl`, `eval`, pipe through `bash`, encode payloads, or chain commands in ways no static blacklist can anticipate. Any permission scheme that allows shell but blocks specific patterns is playing whack-a-mole.
14
+ - **Blacklists and whitelists always have gaps.** Block `rm -rf /`? The model uses `find -delete`. Block `git push --force`? It uses `git push origin +main`. The surface area is unbounded.
15
+ - **Approval fatigue degrades security.** After the 20th "Allow shell command?" prompt, users auto-approve everything. The permission system trains the user to click "yes" reflexively — the opposite of its intent.
16
+
17
+ ### Permissions are cumbersome
18
+
19
+ A coding agent runs dozens of shell commands per task. Requiring approval for each one destroys the flow that makes a CLI agent useful. The whole point of mini-coder is: small, fast, stays out of the way.
20
+
21
+ ### Isolation is a separate concern
22
+
23
+ Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
24
+
25
+ ### Our approach
26
+
27
+ - The system prompt includes safety rules (no secrets, confirm destructive actions, no unauthorized reverts).
28
+ - The user can interrupt at any time with ESC (preserve context) or Ctrl+C (hard exit).
29
+ - For real isolation, run mini-coder inside a sandboxed environment.
30
+
31
+ **Summary:** Permission dialogs give the appearance of safety without the substance. Real security comes from sandboxing the environment, not gatekeeping individual tool calls. Mini-coder codes — isolating it is a job for the right tool.
package/docs/mini-coder.1.md CHANGED
@@ -80,7 +80,7 @@ _prompt_
80
80
  : Show OAuth login status.
81
81
 
82
82
  `/login` _provider_
83
- : Login via OAuth (opens browser for device flow). Currently supports `anthropic`.
83
+ : Login via OAuth (opens browser for device flow). Currently supports `anthropic` and `openai` (`openai` uses the Codex / ChatGPT Plus/Pro flow).
84
84
 
85
85
  `/logout` _provider_
86
86
  : Clear saved OAuth tokens.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mini-coder",
3
- "version": "0.2.2",
3
+ "version": "0.3.0",
4
4
  "description": "A small, fast CLI coding agent",
5
5
  "module": "src/index.ts",
6
6
  "type": "module",
@@ -31,7 +31,7 @@
31
31
  "diff": "^8.0.3",
32
32
  "yoctocolors": "^2.1.2",
33
33
  "yoctomarkdown": "^0.0.7",
34
- "yoctoselect": "0.0.2",
34
+ "yoctoselect": "0.0.3",
35
35
  "zod": "^4.3.6"
36
36
  },
37
37
  "devDependencies": {