poke-gate 0.2.1 → 0.3.0

package/README.md

@@ -28,6 +28,25 @@ Run Poke Gate on your Mac, then message Poke from iMessage, Telegram, or SMS to
 brew install f/tap/poke-gate
 ```
 
+**Install via npx**
+
+If you have Node.js installed, you can download and install the macOS app with a single command:
+
+```bash
+npx poke-gate download-macos
+```
+
+This downloads the latest DMG from GitHub Releases, installs the app to `/Applications`, and clears the quarantine flag automatically.
+
+**Don't have Node.js?** Install it first:
+
+```bash
+# Option 1: Homebrew
+brew install node
+
+# Option 2: Download from https://nodejs.org
+```
+
 **Manual download**
 
 Download the latest **Poke.macOS.Gate.dmg** from [Releases](https://github.com/f/poke-gate/releases), open it, and drag to Applications. Since the app is not notarized, you may need to run:
@@ -36,7 +55,9 @@ Download the latest **Poke.macOS.Gate.dmg** from [Releases](https://github.com/f
 xattr -cr /Applications/Poke\ macOS\ Gate.app
 ```
 
-**CLI** (no macOS app needed)
+**CLI only** (no macOS app needed)
+
+If you just want to run poke-gate from the terminal without the menu bar app:
 
 ```bash
 npx poke-gate
@@ -123,7 +144,9 @@ Hit **Run** in Xcode, or build from the command line:
 
 ## CLI usage
 
-If you prefer the command line over the macOS app:
+The CLI requires [Node.js](https://nodejs.org) 18 or later. If you don't have it, install via `brew install node` or download from [nodejs.org](https://nodejs.org).
+
+Start the gate:
 
 ```bash
 npx poke-gate
@@ -142,6 +165,12 @@ npx poke-gate --mode limited
 npx poke-gate --mode sandbox
 ```
 
+Install or update the macOS app:
+
+```bash
+npx poke-gate download-macos
+```
+
 Config is stored at `~/.config/poke-gate/config.json`.
 
 ## Agents
@@ -241,7 +270,7 @@ Poke Gate supports three access modes that control what your agent can do:
 
 | Mode | Description |
 |------|-------------|
-| **Full** (default) | All tools available. Risky actions (commands, file writes, screenshots) require chat approval. |
+| **Full** (default) | All tools available with no approval required. The agent can run commands, write files, and take screenshots directly. |
 | **Limited** | Read-only tools plus a curated set of safe commands (`ls`, `cat`, `grep`, `curl`, etc.). `write_file` and `take_screenshot` are disabled. |
 | **Sandbox** | Broader command support than Limited, but writes are restricted to `~/Downloads` and `/tmp` via macOS `sandbox-exec`. |
 
@@ -264,30 +293,6 @@ POKE_GATE_PERMISSION_MODE=limited npx poke-gate
 
 Only run Poke Gate on machines and networks you trust. Use `limited` or `sandbox` mode if you want tighter restrictions.
 
-## Project structure
-
-```
-clients/
-  Poke macOS Gate/       macOS menu bar app (SwiftUI)
-bin/
-  poke-gate.js           CLI entry point with --mode flag
-src/
-  app.js                 Startup: MCP server + tunnel + agent scheduler
-  agents.js              Agent discovery, scheduling, env loading, download
-  mcp-server.js          JSON-RPC MCP handler, tools, access policy, sandbox
-  permission-service.js  HMAC approval tokens, session whitelisting
-  tunnel.js              PokeTunnel wrapper
-test/
-  mcp-server-access-policy.test.js
-  mcp-server-loop-guard.test.js
-  mcp-server-sandbox-command.test.js
-  permission-service.test.js
-examples/
-  agents/
-    beeper.1h.js         Example: Beeper message digest agent
-    .env.beeper          Example env file for beeper agent
-```
-
 ## Credits
 
 - [Poke](https://poke.com) by [The Interaction Company of California](https://interaction.co)

package/bin/poke-gate.js

@@ -39,6 +39,9 @@ async function main() {
     const prompt = promptIdx !== -1 ? args.slice(promptIdx + 1).join(" ") : args.slice(2).join(" ") || null;
     const { createAgent } = await import("../src/agent-create.js");
     await createAgent(prompt);
+  } else if (args[0] === "download-macos") {
+    const { downloadMacOSApp } = await import("../src/download-macos.js");
+    await downloadMacOSApp();
   } else {
     const mode = parseMode();
     if (mode) {

package/clients/Poke macOS Gate/Poke macOS Gate/GateService.swift

@@ -91,11 +91,16 @@ class GateService: ObservableObject {
 
     @Published var status: Status = .stopped
     @Published var logs: [String] = []
+    @Published var processLogs: [String] = []
     @Published var terminalPreviews: [TerminalPreview] = []
     @Published var userName: String? = nil
     @Published var permissionMode: PermissionMode
     @Published var hasCompletedSetup: Bool
     @Published var systemPermissionStatuses: [SystemPermissionStatus] = []
+    @Published var availableUpdate: String? = nil
+    @Published var isUpdating = false
+    @Published var isCheckingForUpdate = false
+    @Published var updateCheckResult: String? = nil
 
     private var hasAutoStarted = false
     private var process: Process?
@@ -120,7 +125,9 @@ class GateService: ObservableObject {
             object: nil,
             queue: .main
         ) { [weak self] _ in
-            self?.refreshSystemPermissions()
+            Task { @MainActor in
+                self?.refreshSystemPermissions()
+            }
         }
     }
 
@@ -301,6 +308,112 @@ class GateService: ObservableObject {
         if hasAPIKey {
             start()
         }
+        checkForUpdate(silent: true)
+    }
+
+    func checkForUpdate(silent: Bool = false) {
+        let currentVersion = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "0.0.0"
+        isCheckingForUpdate = true
+        updateCheckResult = nil
+
+        Task.detached {
+            let start = ContinuousClock.now
+            var found = false
+
+            defer {
+                Task { @MainActor in
+                    self.isCheckingForUpdate = false
+                    if !found && !silent {
+                        self.updateCheckResult = "You're on the latest version."
+                    }
+                }
+            }
+
+            guard let url = URL(string: "https://registry.npmjs.org/poke-gate/latest") else { return }
+            do {
+                let (data, _) = try await URLSession.shared.data(from: url)
+                guard let json = try JSONSerialization.jsonObject(with: data) as? [String: Any],
+                      let latestVersion = json["version"] as? String else { return }
+
+                let elapsed = ContinuousClock.now - start
+                if elapsed < .seconds(1) {
+                    try await Task.sleep(for: .seconds(1) - elapsed)
+                }
+
+                if Self.isNewer(latestVersion, than: currentVersion) {
+                    found = true
+                    await MainActor.run {
+                        self.availableUpdate = latestVersion
+                        self.appendLog("Update available: v\(latestVersion) (current: v\(currentVersion))")
+                    }
+                }
+            } catch {}
+        }
+    }
+
+    private nonisolated static func isNewer(_ remote: String, than local: String) -> Bool {
+        let r = remote.split(separator: ".").compactMap { Int($0) }
+        let l = local.split(separator: ".").compactMap { Int($0) }
+        for i in 0..<max(r.count, l.count) {
+            let rv = i < r.count ? r[i] : 0
+            let lv = i < l.count ? l[i] : 0
+            if rv > lv { return true }
+            if rv < lv { return false }
+        }
+        return false
+    }
+
+    func performUpdate() {
+        guard let version = availableUpdate else { return }
+        isUpdating = true
+        appendLog("Updating to v\(version)...")
+
+        stop()
+
+        let fullPath = shellPath()
+        let npxBin = findNpx()
+
+        let proc = Process()
+        let pipe = Pipe()
+        proc.executableURL = URL(fileURLWithPath: "/bin/zsh")
+        proc.arguments = ["-c", "\(npxBin) -y poke-gate@\(version) download-macos"]
+        proc.environment = ProcessInfo.processInfo.environment.merging(
+            ["PATH": fullPath],
+            uniquingKeysWith: { _, new in new }
+        )
+        proc.standardOutput = pipe
+        proc.standardError = pipe
+        proc.currentDirectoryURL = FileManager.default.homeDirectoryForCurrentUser
+
+        let handle = pipe.fileHandleForReading
+        handle.readabilityHandler = { [weak self] fh in
+            let data = fh.availableData
+            guard !data.isEmpty, let line = String(data: data, encoding: .utf8) else { return }
+            DispatchQueue.main.async {
+                for l in line.components(separatedBy: .newlines) where !l.isEmpty {
+                    self?.appendLog(l)
+                }
+            }
+        }
+
+        proc.terminationHandler = { [weak self] proc in
+            DispatchQueue.main.async {
+                self?.isUpdating = false
+                if proc.terminationStatus == 0 {
+                    self?.appendLog("Update complete. The app will relaunch.")
+                    self?.availableUpdate = nil
+                } else {
+                    self?.appendLog("Update failed (exit \(proc.terminationStatus)).")
+                }
+            }
+        }
+
+        do {
+            try proc.run()
+        } catch {
+            isUpdating = false
+            appendLog("Failed to start update: \(error.localizedDescription)")
+        }
     }
 
     func start() {
@@ -489,11 +602,21 @@ class GateService: ObservableObject {
         outputPipe?.fileHandleForReading.readabilityHandler = nil
         process = nil
         outputPipe = nil
+        killOrphanedProcesses()
+    }
+
+    private func killOrphanedProcesses() {
+        let task = Process()
+        task.executableURL = URL(fileURLWithPath: "/usr/bin/pkill")
+        task.arguments = ["-f", "poke-gate"]
+        try? task.run()
+        task.waitUntilExit()
     }
 
     private func handleOutput(_ raw: String) {
         for line in raw.components(separatedBy: .newlines) where !line.isEmpty {
             appendLog(line)
+            appendProcessLog(line)
             parseTerminalPreviewLine(line)
 
             if line.contains("Tunnel connected") || line.contains("Ready") {
@@ -510,6 +633,15 @@ class GateService: ObservableObject {
         }
     }
 
+    private func appendProcessLog(_ line: String) {
+        let stripped = stripToolTimestamp(from: line)
+        guard !stripped.isEmpty else { return }
+        processLogs.append(stripped)
+        if processLogs.count > maxLogs {
+            processLogs.removeFirst(processLogs.count - maxLogs)
+        }
+    }
+
     private func handleTermination(exitCode: Int32) {
         appendLog("Process exited with code \(exitCode)")
         stopHealthCheck()

package/clients/Poke macOS Gate/Poke macOS Gate/Poke_macOS_GateApp.swift

@@ -111,6 +111,9 @@ struct PopoverContent: View {
             SetupView(service: service)
         } else {
             VStack(spacing: 10) {
+                if service.availableUpdate != nil {
+                    updateBanner
+                }
                 statusSection
                 recentActivitySection
                 accessModeSection
@@ -128,6 +131,37 @@ struct PopoverContent: View {
         }
     }
 
+    private var updateBanner: some View {
+        HStack(spacing: 8) {
+            Image(systemName: "arrow.down.circle.fill")
+                .foregroundStyle(.blue)
+
+            VStack(alignment: .leading, spacing: 1) {
+                Text("Update available: v\(service.availableUpdate ?? "")")
+                    .font(.caption)
+                    .fontWeight(.semibold)
+                Text("A new version of Poke Gate is ready.")
+                    .font(.caption2)
+                    .foregroundStyle(.secondary)
+            }
+
+            Spacer()
+
+            if service.isUpdating {
+                ProgressView()
+                    .controlSize(.small)
+            } else {
+                Button("Update") {
+                    service.performUpdate()
+                }
+                .controlSize(.small)
+                .buttonStyle(.borderedProminent)
+            }
+        }
+        .padding(10)
+        .macPanelStyle(.neutral, cornerRadius: 10)
+    }
+
     private var statusSection: some View {
         VStack(alignment: .leading, spacing: 6) {
             HStack(spacing: 8) {
@@ -189,9 +223,9 @@ struct PopoverContent: View {
                             .truncationMode(.tail)
                     }
                 }
-            } else if !service.logs.isEmpty {
-                ForEach(Array(service.logs.suffix(4).enumerated()), id: \.offset) { _, log in
-                    Text(log)
+            } else if !service.processLogs.isEmpty {
+                ForEach(Array(service.processLogs.suffix(4).enumerated()), id: \.offset) { _, entry in
+                    Text(entry)
                         .font(.system(size: 9, design: .monospaced))
                         .foregroundStyle(.tertiary)
                         .lineLimit(1)
@@ -303,8 +337,10 @@ struct PopoverContent: View {
         .macPanelStyle(.neutral, cornerRadius: 12)
     }
 
+    @State private var refreshRotation: Double = 0
+
     private var footerSection: some View {
-        HStack {
+        HStack(spacing: 6) {
             Button {
                 NSApp.activate(ignoringOtherApps: true)
                 openWindow(id: "about")
@@ -315,6 +351,28 @@ struct PopoverContent: View {
             }
             .buttonStyle(.plain)
 
+            Button {
+                service.checkForUpdate()
+            } label: {
+                Image(systemName: "arrow.triangle.2.circlepath")
+                    .font(.system(size: 9))
+                    .foregroundStyle(MacVisualStyle.sectionTitleColor)
+                    .rotationEffect(.degrees(refreshRotation))
+            }
+            .buttonStyle(.plain)
+            .disabled(service.isCheckingForUpdate)
+            .onChange(of: service.isCheckingForUpdate) { _, checking in
+                if checking {
+                    withAnimation(.linear(duration: 1).repeatForever(autoreverses: false)) {
+                        refreshRotation = 360
+                    }
+                } else {
+                    withAnimation(.default) {
+                        refreshRotation = 0
+                    }
+                }
+            }
+
             Spacer()
 
             Text("Not affiliated with Poke")
@@ -322,6 +380,18 @@ struct PopoverContent: View {
                 .foregroundStyle(MacVisualStyle.sectionTitleColor.opacity(0.7))
         }
         .padding(.horizontal, 6)
+        .onChange(of: service.updateCheckResult) { _, result in
+            guard let message = result else { return }
+            service.updateCheckResult = nil
+            DispatchQueue.main.async {
+                let alert = NSAlert()
+                alert.messageText = "Version Check"
+                alert.informativeText = message
+                alert.alertStyle = .informational
+                alert.addButton(withTitle: "OK")
+                alert.runModal()
+            }
+        }
     }
 
     private func sectionTitle(_ text: String) -> some View {

package/clients/Poke macOS Gate/Poke macOS Gate.xcodeproj/project.pbxproj

@@ -286,7 +286,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 15.0;
-				MARKETING_VERSION = 0.2.0;
+				MARKETING_VERSION = 0.2.2;
 				PRODUCT_BUNDLE_IDENTIFIER = "dev.fka.Poke-macOS-Gate";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
@@ -322,7 +322,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 15.0;
-				MARKETING_VERSION = 0.2.0;
+				MARKETING_VERSION = 0.2.2;
 				PRODUCT_BUNDLE_IDENTIFIER = "dev.fka.Poke-macOS-Gate";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;

package/docs/cli.md

@@ -82,6 +82,22 @@ npx poke-gate agent create --prompt "send me a daily git commit summary across a
 npx poke-gate agent create --prompt "track Spotify listening and log my music taste"
 ```
 
+## Download the macOS app
+
+```bash
+npx poke-gate download-macos
+```
+
+Downloads and installs the Poke macOS Gate app from GitHub Releases. Matches the version of the npm package being run.
+
+This command:
+1. Downloads the DMG from the matching GitHub release
+2. Mounts the DMG, copies the app to `/Applications`
+3. Clears the quarantine flag (`xattr -cr`)
+4. Launches the app
+
+The macOS app also checks for updates automatically on startup and shows a banner when a new version is available.
+
 ## Install an agent
 
 ```bash

package/docs/security.md

@@ -10,7 +10,7 @@ Poke Gate supports three access modes that control what tools your agent can use
 
 ### Full (default)
 
-All tools are available. Risky actions (`run_command`, `write_file`, `take_screenshot`) require **chat approval** — the agent must ask you in chat before executing, and you approve with a signed token.
+All tools are available with no approval required. The agent can run commands, write files, and take screenshots directly.
 
 ### Limited
 
@@ -48,13 +48,15 @@ POKE_GATE_PERMISSION_MODE=sandbox npx poke-gate
 
 ## Tool approval flow
 
-In **full** mode, risky tools (`run_command`, `write_file`, `take_screenshot`) use an HMAC-signed approval flow:
+In **limited** and **sandbox** modes, risky tools (`run_command`, `write_file`, `take_screenshot`) use an HMAC-signed approval flow:
 
 1. The agent calls the tool — Poke Gate returns `AWAITING_APPROVAL` with a signed token
 2. The agent asks you in chat to approve
 3. You approve — the agent re-calls the tool with the approval token
 4. Optionally, you can `remember_in_session` (same command) or `remember_all_risky` (all risky tools for the session)
 
+In **full** mode, all tools execute directly without approval.
+
 ## What protects you
 
 - **Authentication** — only your Poke agent (authenticated via Poke OAuth) can reach the tunnel

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "poke-gate",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Expose your machine to your Poke AI assistant via MCP tunnel",
   "type": "module",
   "bin": {

package/src/app.js

@@ -2,10 +2,23 @@ import { startMcpServer, enableLogging, getPermissionMode } from "./mcp-server.j
 import { startTunnel } from "./tunnel.js";
 import { startAgentScheduler, stopAgentScheduler } from "./agents.js";
 import { Poke, isLoggedIn, login, getToken } from "poke";
+import { execSync } from "node:child_process";
 
 const verbose = process.argv.includes("--verbose") || process.argv.includes("-v");
 enableLogging(verbose);
 
+function killExistingInstances() {
+  const myPid = process.pid;
+  try {
+    const out = execSync("pgrep -f 'poke-gate'", { encoding: "utf-8" }).trim();
+    const pids = out.split("\n").map(Number).filter((p) => p && p !== myPid);
+    for (const pid of pids) {
+      try { process.kill(pid, "SIGTERM"); } catch {}
+    }
+    if (pids.length > 0) log(`Killed ${pids.length} existing poke-gate process(es).`);
+  } catch {}
+}
+
 function log(msg) {
   const ts = new Date().toISOString().slice(11, 19);
   console.log(`[${ts}] ${msg}`);
@@ -102,6 +115,7 @@ function scheduleReconnect(mcpUrl, token) {
 }
 
 async function main() {
+  killExistingInstances();
   log("poke-gate starting...");
   log(`Access mode: ${getPermissionMode()}`);
 
@@ -132,8 +146,8 @@ function buildAccessModeMessage(mode) {
     default:
       return (
         "Access mode: Full. " +
-        "You can run any shell command, read and write files, list directories, take screenshots, and check system info. " +
-        "Risky actions (commands, file writes, screenshots) require user approval in chat before execution."
+        "You can run any shell command, read files, list directories, take screenshots, and check system info — no approval needed. " +
+        "Only destructive actions (deleting files, rm, write_file) require a one-time approval; after that, everything is auto-approved for the session."
       );
   }
 }

package/src/download-macos.js

@@ -0,0 +1,133 @@
+import https from "node:https";
+import { createWriteStream, unlinkSync, readFileSync } from "node:fs";
+import { execSync } from "node:child_process";
+import { tmpdir } from "node:os";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const APP_NAME = "Poke macOS Gate";
+const DMG_ASSET = "Poke.macOS.Gate.dmg";
+const INSTALL_PATH = `/Applications/${APP_NAME}.app`;
+const REPO = "f/poke-gate";
+
+function getPackageVersion() {
+  const pkgPath = join(dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+  const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+  return pkg.version;
+}
+
+function httpGet(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, { headers: { "User-Agent": "poke-gate" } }, (res) => {
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        return httpGet(res.headers.location).then(resolve, reject);
+      }
+      resolve(res);
+    }).on("error", reject);
+  });
+}
+
+function downloadFile(url, dest, version) {
+  return new Promise((resolve, reject) => {
+    const follow = (followUrl) => {
+      https.get(followUrl, { headers: { "User-Agent": "poke-gate" } }, (res) => {
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          return follow(res.headers.location);
+        }
+        if (res.statusCode !== 200) {
+          reject(new Error(`Download failed: HTTP ${res.statusCode}`));
+          return;
+        }
+
+        const total = parseInt(res.headers["content-length"], 10) || 0;
+        let downloaded = 0;
+        const file = createWriteStream(dest);
+
+        res.on("data", (chunk) => {
+          downloaded += chunk.length;
+          if (total > 0) {
+            const pct = Math.round((downloaded / total) * 100);
+            const dlMB = (downloaded / 1024 / 1024).toFixed(1);
+            const totalMB = (total / 1024 / 1024).toFixed(1);
+            process.stdout.write(`\rDownloading ${APP_NAME} v${version}... ${pct}% (${dlMB}/${totalMB} MB)`);
+          }
+        });
+
+        res.pipe(file);
+
+        file.on("finish", () => {
+          file.close(() => {
+            console.log("");
+            resolve();
+          });
+        });
+
+        file.on("error", (err) => {
+          file.close();
+          reject(err);
+        });
+      }).on("error", reject);
+    };
+    follow(url);
+  });
+}
+
+function run(cmd) {
+  return execSync(cmd, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+}
+
+export async function downloadMacOSApp() {
+  const version = getPackageVersion();
+  const tag = `v${version}`;
+  const dmgUrl = `https://github.com/${REPO}/releases/download/${tag}/${DMG_ASSET}`;
+
+  console.log(`Poke Gate macOS installer (${tag})`);
+  console.log("");
+
+  const res = await httpGet(`https://api.github.com/repos/${REPO}/releases/tags/${tag}`);
+  const chunks = [];
+  for await (const chunk of res) chunks.push(chunk);
+  const release = JSON.parse(Buffer.concat(chunks).toString());
+
+  if (!release.assets || !release.assets.find((a) => a.name === DMG_ASSET)) {
+    console.error(`No DMG found for ${tag}. The release may not have finished building yet.`);
+    process.exit(1);
+  }
+
+  const dmgPath = join(tmpdir(), `poke-gate-${version}.dmg`);
+
+  try {
+    await downloadFile(dmgUrl, dmgPath, version);
+
+    console.log("Mounting DMG...");
+    const mountOutput = run(`hdiutil attach "${dmgPath}" -nobrowse`);
+    const mountMatch = mountOutput.match(/\/Volumes\/.+/);
+    if (!mountMatch) {
+      throw new Error("Failed to detect mount point from hdiutil output.");
+    }
+    const mountPoint = mountMatch[0].trim();
+    const appSource = `${mountPoint}/${APP_NAME}.app`;
+
+    console.log("Stopping running instances...");
+    try { run(`pkill -f "${APP_NAME}"`); } catch {}
+    await new Promise((r) => setTimeout(r, 1000));
+
+    console.log(`Installing to ${INSTALL_PATH}...`);
+    try { run(`rm -rf "${INSTALL_PATH}"`); } catch {}
+    run(`cp -R "${appSource}" "${INSTALL_PATH}"`);
+
+    console.log("Clearing quarantine...");
+    run(`xattr -cr "${INSTALL_PATH}"`);
+
+    console.log("Unmounting DMG...");
+    try { run(`hdiutil detach "${mountPoint}" -quiet`); } catch {}
+
+    console.log("");
+    console.log(`Poke macOS Gate v${version} installed successfully.`);
+    console.log("");
+    console.log("Launching...");
+    try { run(`open "${INSTALL_PATH}"`); } catch {}
+  } finally {
+    try { unlinkSync(dmgPath); } catch {}
+  }
+}

package/src/mcp-server.js

@@ -22,6 +22,15 @@ const runCommandLoopState = new Map();
 
 const SAFE_TOOL_NAMES = new Set(["read_file", "read_image", "list_directory", "system_info", "network_speed"]);
 
+const DESTRUCTIVE_COMMAND_PATTERNS = [
+  /\brm\b/i,
+  /\brmdir\b/i,
+  /\bunlink\b/i,
+  /\bmkfs\b/i,
+  /\bdiskutil\s+erase/i,
+  />\s*\//,
+];
+
 const LIMITED_RUN_COMMANDS = new Set([
   "curl", "yt-dlp", "youtube-dl",
   "ls", "pwd", "cat", "grep", "find", "head", "tail", "wc", "sed", "awk",
@@ -270,6 +279,15 @@ function hasDangerousPattern(commandText) {
   return DANGEROUS_COMMAND_PATTERNS.some((pattern) => pattern.test(commandText));
 }
 
+function isDestructiveInFullMode(name, cleanArgs) {
+  if (name === "write_file") return true;
+  if (name === "run_command") {
+    const cmd = typeof cleanArgs.command === "string" ? cleanArgs.command : "";
+    return DESTRUCTIVE_COMMAND_PATTERNS.some((p) => p.test(cmd));
+  }
+  return false;
+}
+
 function validateRunCommandAgainstAllowlist(commandText, allowlist) {
   if (typeof commandText !== "string" || commandText.trim().length === 0) {
     return "Command is empty.";
@@ -565,7 +583,11 @@ function handleToolCall(name, args, context = {}) {
     return blocked;
   }
 
-  if (permissionService.isRisky(name)) {
+  const needsApproval = PERMISSION_MODE === "full"
+    ? isDestructiveInFullMode(name, cleanArgs)
+    : permissionService.isRisky(name);
+
+  if (needsApproval) {
     const commandText = typeof cleanArgs.command === "string" ? cleanArgs.command : "";
     const alreadyAllowed = sessionAutoApproveAllRisky.has(sessionId) ||
       (commandText && permissionService.isAllowedBySessionPattern(sessionId, commandText));
@@ -581,12 +603,15 @@ function handleToolCall(name, args, context = {}) {
         return buildApprovalResponse(name, cleanArgs, approval);
       }
 
-      if (name === "run_command" && args.remember_in_session === true && commandText) {
-        permissionService.allowPatternForSession(sessionId, commandText);
-      }
-
-      if (args.remember_all_risky === true) {
+      if (PERMISSION_MODE === "full") {
         sessionAutoApproveAllRisky.add(sessionId);
+      } else {
+        if (name === "run_command" && args.remember_in_session === true && commandText) {
+          permissionService.allowPatternForSession(sessionId, commandText);
+        }
+        if (args.remember_all_risky === true) {
+          sessionAutoApproveAllRisky.add(sessionId);
+        }
       }
     }
   }