open-agents-ai 0.187.464 → 0.187.466

package/dist/index.js

@@ -518419,6 +518419,181 @@ ${body}`;
        * Returns null when the disable knob is set or the backend is missing the
        * chatCompletion method.
        */
+      /**
+       * REG-6: Heuristic — does this shell command perform side effects, or is it
+       * purely a read? Read-only commands are safe to dedup-cache the same way
+       * file_read and list_directory are.
+       *
+       * Conservative: if any token looks like it mutates state (write redirects,
+       * piped-to-write, mutating subcommands), return false. Otherwise check that
+       * every command segment starts with a known read-only binary.
+       */
+      _isShellCommandReadOnly(rawCmd) {
+        if (!rawCmd || typeof rawCmd !== "string")
+          return false;
+        const cmd = rawCmd.trim();
+        if (cmd.length === 0 || cmd.length > 1500)
+          return false;
+        if (/(^|[^&\d])(>|>>)\s*\S/.test(cmd))
+          return false;
+        const MUTATE_BINS = [
+          "rm",
+          "mv",
+          "cp",
+          "mkdir",
+          "rmdir",
+          "chmod",
+          "chown",
+          "touch",
+          "tee",
+          "dd",
+          "truncate",
+          "ln",
+          "kill",
+          "pkill",
+          "killall",
+          "reboot",
+          "shutdown",
+          "fakeroot",
+          "sudo",
+          "nohup",
+          "setsid",
+          "make",
+          "gradle",
+          "mvn",
+          "ansible",
+          "systemd-run"
+        ];
+        const mutateBinsRe = new RegExp(`\\b(${MUTATE_BINS.join("|")})\\b`, "i");
+        if (mutateBinsRe.test(cmd))
+          return false;
+        if (/\bsed\s+(-i|--in-place)\b/.test(cmd))
+          return false;
+        if (/\bsystemctl\s+(?!status\b|show\b|is-)/i.test(cmd))
+          return false;
+        if (/\bservice\s+\S+\s+(?!status\b)/i.test(cmd))
+          return false;
+        if (/\bcrontab\s+-(e|d|r)\b/.test(cmd))
+          return false;
+        if (/\bnpm\s+(install|uninstall|update|run|test|exec|publish|init|link|unlink|version|cache\s+clean|ci|audit\s+fix)\b/i.test(cmd))
+          return false;
+        if (/\bpnpm\s+(install|update|add|remove|run|test|exec|publish|init|link|unlink|version)\b/i.test(cmd))
+          return false;
+        if (/\byarn\s+(install|add|remove|upgrade|run|test|exec|publish|init|link|unlink|version)\b/i.test(cmd))
+          return false;
+        if (/\bpip\s+(install|uninstall|wheel)\b/i.test(cmd))
+          return false;
+        if (/\bnpx\b/.test(cmd))
+          return false;
+        if (/\bcargo\s+(build|run|test|update|publish|install|uninstall|fmt|fix)\b/i.test(cmd))
+          return false;
+        if (/\bgo\s+(build|run|test|get|install)\b/i.test(cmd))
+          return false;
+        if (/\bdocker\s+(build|run|push|pull|exec|kill|stop|rm|rmi|tag)\b/i.test(cmd))
+          return false;
+        if (/\bkubectl\s+(apply|delete|create|edit|patch|scale|rollout|exec)\b/i.test(cmd))
+          return false;
+        if (/\bterraform\s+(apply|destroy|init|plan|import)\b/i.test(cmd))
+          return false;
+        const READ_ONLY_BINS = /* @__PURE__ */ new Set([
+          "cd",
+          // shell builtin: changes pwd, doesn't write — common segment leader
+          "grep",
+          "egrep",
+          "fgrep",
+          "rg",
+          "ag",
+          "cat",
+          "head",
+          "tail",
+          "less",
+          "more",
+          "ls",
+          "ll",
+          "la",
+          "find",
+          // ALLOWED only if no -delete/-exec mutating action — pre-filtered above
+          "wc",
+          "awk",
+          "gawk",
+          "sort",
+          "uniq",
+          "tr",
+          "cut",
+          "paste",
+          "join",
+          "comm",
+          "diff",
+          "cmp",
+          "echo",
+          "printf",
+          "pwd",
+          "which",
+          "type",
+          "command",
+          "node",
+          "python",
+          "python3",
+          "ruby",
+          "perl",
+          "git",
+          // git log/show/diff/status are read; but git add/commit/push/pull are writes — pre-filtered above
+          "ollama",
+          // ollama show/list are read; ollama pull/run/create are writes — pre-filtered above
+          "cargo",
+          // pre-filtered above for build/run/etc.
+          "go",
+          // pre-filtered above for build/run/etc.
+          "stat",
+          "file",
+          "du",
+          "df",
+          "date",
+          "uname",
+          "id",
+          "whoami",
+          "hostname",
+          "uptime",
+          "env",
+          "printenv",
+          "test",
+          "[",
+          "true",
+          "false",
+          "tsc",
+          "eslint",
+          "prettier",
+          // these emit but mostly read
+          "head",
+          "tail",
+          "jq",
+          "yq",
+          "xq",
+          "base64",
+          "md5sum",
+          "sha256sum",
+          "sha1sum",
+          "tldr",
+          "man",
+          "info"
+        ]);
+        if (/\bfind\b[\s\S]*?(-delete|-exec\s+(rm|mv|cp|chmod|chown|sed\s+-i)|--?ok\s+(rm|mv))/i.test(cmd))
+          return false;
+        if (/\b(node|python\d?)\b\s+-(e|c)\b[\s\S]*\b(rm|writeFileSync|unlinkSync|mkdir|process\.exit|exec|spawn|require\(\s*['"]child_process)/i.test(cmd))
+          return false;
+        const segments = cmd.split(/(?:\|\||&&|;)/).map((s2) => s2.trim()).filter(Boolean);
+        if (segments.length === 0)
+          return false;
+        for (const seg of segments) {
+          const stripped = seg.replace(/^cd\s+\S+\s*$/i, "true").replace(/^!/, "");
+          const firstTok = stripped.split(/\s+/)[0]?.replace(/^.*\//, "") || "";
+          if (!firstTok)
+            continue;
+          if (!READ_ONLY_BINS.has(firstTok))
+            return false;
+        }
+        return true;
+      }
       /**
        * REG-5: Render the recent-failures block so the agent SEES its own error
        * output before deciding what to do next. Detects same-fingerprint failure
@@ -520022,7 +520197,7 @@ ${cachedEntry2.result.slice(0, 500)}` : `[BLOCKED — the observer confirmed thi
                 this.emit({ type: "tool_result", toolName: tc.name, success: true, content: blockMsg.slice(0, 100), turn, timestamp: (/* @__PURE__ */ new Date()).toISOString() });
                 return { tc, output: blockMsg };
               }
-              const isReadLike = ![
+              const baseIsReadLike = ![
                 "file_write",
                 "file_edit",
                 "shell",
@@ -520051,6 +520226,7 @@ ${cachedEntry2.result.slice(0, 500)}` : `[BLOCKED — the observer confirmed thi
                 // tool see every call and return the cached state itself.
                 "nexus"
               ].includes(tc.name);
+              const isReadLike = baseIsReadLike || tc.name === "shell" && this._isShellCommandReadOnly(tc.arguments?.["command"] ?? tc.arguments?.["cmd"] ?? "");
               const cachedEntry = recentToolResults.get(toolFingerprint);
               if (isReadLike && cachedEntry !== void 0) {
                 this.emit({

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.464",
+  "version": "0.187.466",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "open-agents-ai",
-      "version": "0.187.464",
+      "version": "0.187.466",
       "hasInstallScript": true,
       "license": "CC-BY-NC-4.0",
       "dependencies": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.464",
+  "version": "0.187.466",
   "description": "AI coding agent powered by open-source models (Ollama/vLLM) — interactive TUI with agentic tool-calling loop",
   "type": "module",
   "main": "./dist/index.js",