Open
49 commits
0c485e7
readonly-bash: add bash safety classifier with destructive command bl…
ofriw May 27, 2026
33b29c7
state+tui: add readonlyEnabled and readonlyNudgePending state fields …
ofriw May 27, 2026
671fe7a
readonly: add toggle, tool_call blocking, nudges, session lifecycle, …
ofriw May 27, 2026
e7b07b7
Remove dead-end '/readonly' instruction from model-facing readonly gu…
ofriw May 27, 2026
76439d3
Update readonly toggle messages and include handoff in block list des…
ofriw May 27, 2026
3c48eaa
Block handoff at tool_call layer in readonly mode
ofriw May 27, 2026
721c858
Gate /handoff command in readonly mode and apply --readonly CLI flag …
ofriw May 27, 2026
3686a5c
Add readonly-aware guidance to notebook boundary hint, watchdog nudge…
ofriw May 27, 2026
8ffc797
Rewrite bash classifier with shell-aware pipeline, code editor detect…
ofriw May 27, 2026
6540936
Add tests for readonly handoff blocking, bash classifier, context nud…
ofriw May 27, 2026
469a044
Add resolve-real-path utility and IDE config poisoning prevention
ofriw May 31, 2026
28ddffc
Add OS-level sandboxing for readonly bash on macOS (sandbox-exec) and…
ofriw May 31, 2026
0e009bd
Rewrite bash classifier with shell-aware pipeline, git allowlist, and…
ofriw May 31, 2026
27845c5
Refine config validator with case-insensitive key matching and MCP co…
ofriw May 31, 2026
58fd869
Add watchdog throttling and merge readonly nudges into context hook
ofriw May 31, 2026
4502977
Add readonly bash and config-validated write/edit tools to child spaw…
ofriw May 31, 2026
32de094
Update tests for new bash classifier, config validator, readonly chil…
ofriw May 31, 2026
e562b63
Remove standalone config-validator.ts and all references
ofriw Jun 2, 2026
fa8b893
Simplify bash guard from 3 enforcement layers to 2
ofriw Jun 2, 2026
2f5f520
Add user-friendly sandbox denial messages
ofriw Jun 2, 2026
2db1202
Remove debug logging from OS sandbox availability checks
ofriw Jun 2, 2026
d043d17
Ignore TypeScript compilation output
ofriw Jun 2, 2026
c6d0df9
Block wget without output flags to prevent unintended disk writes
ofriw Jun 2, 2026
26d3b27
Fix sed -i argument parsing for macOS empty backup extension
ofriw Jun 2, 2026
709513a
Allow bare git tag as read-only command
ofriw Jun 2, 2026
3da9806
Guard ui.notify behind hasUI check to prevent headless crash
ofriw Jun 2, 2026
0d41de0
Use type-safe tool call event handling and fix sandbox mutation path
ofriw Jun 2, 2026
64e911b
Ignore PR review artifacts in .gitignore
ofriw Jun 2, 2026
c1fad71
Remove TUI-corrupting console diagnostics
ofriw Jun 2, 2026
b3ccbe4
Share canonical temp dir outside readonly guard
ofriw Jun 2, 2026
84acc41
Allow blank readonly bash commands
ofriw Jun 2, 2026
b898b1a
Allow wget stdout output in readonly mode
ofriw Jun 2, 2026
320e0cf
Add readonly classifier edge-case tests
ofriw Jun 2, 2026
a9075c9
Fix critical rm/rmdir/unlink/mkdir mutation bypass
ofriw Jun 3, 2026
9d12a06
Fix flag-value skip for truncate/touch --no-create
ofriw Jun 3, 2026
fa34723
Fix sed -e expression values leaking as false targets
ofriw Jun 3, 2026
00d75e2
Fix package mutation false positive on 'build'
ofriw Jun 3, 2026
d739362
Resolve glob patterns and tilde expansion in temp path check
ofriw Jun 3, 2026
7e3f78c
Add type guard for malformed bash input
ofriw Jun 3, 2026
b661a13
Guard readonly toggle behind hasUI check
ofriw Jun 3, 2026
e1fdfa0
Optimize and compact context primer
ofriw Jun 3, 2026
039d200
Add AGENTS.md project instructions
ofriw Jun 3, 2026
1f703a9
Add null guards for notebook branch rehydration
ofriw Jun 3, 2026
3e00c91
Add null guards for readonly branch rehydration on session_start
ofriw Jun 3, 2026
1ebfb4f
Fix bash classifier bypasses: sudo -h, env --split-string, process su…
ofriw Jun 3, 2026
f833a36
Add sandbox functional health probes for bwrap and sandbox-exec
ofriw Jun 3, 2026
f44c31a
Switch bwrap from /bin/sh to /bin/bash
ofriw Jun 3, 2026
ba2645c
Harden sandbox profile path quoting against injection
ofriw Jun 3, 2026
420392a
Remove process.stderr.write calls that corrupt TUI rendering
ofriw Jun 4, 2026
10 changes: 10 additions & 0 deletions .gitignore
Expand Up @@ -47,6 +47,9 @@ web_modules/
# TypeScript cache
*.tsbuildinfo

# TypeScript compilation output
*.js

# Optional npm cache directory
.npm
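Review bot: the bare `*.js` pattern under "# TypeScript compilation output" matches every JavaScript file at any depth, not only compiler output, so hand-written scripts or JS config files added later will be silently left out of commits and out of review. Scope the ignore to the build output instead, for example by compiling into a dedicated output directory and ignoring that directory, or add `!` negation entries for the JavaScript files that must stay tracked. Files that are already tracked are unaffected by the new pattern, so it is worth confirming that no `.js` sources are expected in the tree.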

Expand Down Expand Up @@ -149,3 +152,10 @@ package-lock.json
.chunkhound.json
.chunkhound/
.mcp.json

# macOS
.DS_Store

# PR review artifacts
AGENT_REVIEW.md
HUMAN_REVIEW.md
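Review bot: `AGENT_REVIEW.md` and `HUMAN_REVIEW.md` are unanchored, so they are ignored in every directory, not just where the review tooling writes them. If they only ever appear at the repository root, write `/AGENT_REVIEW.md` and `/HUMAN_REVIEW.md` so a same-named file elsewhere is not hidden from `git status`. `.DS_Store` is a per-machine artifact; keeping it here is fine, though it is usually handled in each developer's global excludes file.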
5 changes: 5 additions & 0 deletions AGENTS.md
@@ -0,0 +1,5 @@
# TUI Safety

**Never use `console.debug/warn/error/log`** — writes to stdout/stderr corrupt pi's TUI ANSI rendering. Extension host runs in the same process.

Use `ctx.ui.notify()` / `setStatus()` / `setWidget()` instead. For diagnostics, remove entirely.
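Review bot: the "Never use" line names only `console.debug/warn/error/log`, but the reason it gives (writes to stdout/stderr corrupt the TUI) applies equally to `console.info`, `console.trace` and direct `process.stdout.write` / `process.stderr.write` calls, and the last commit in this series removes exactly such `process.stderr.write` calls. State the rule in terms of the streams ("never write to stdout or stderr from extension code") and list the APIs as examples. In the last line, `setStatus()` and `setWidget()` appear without the `ctx.ui.` prefix that `notify()` carries, and "For diagnostics, remove entirely" leaves no sanctioned channel for debugging output; say explicitly whether diagnostics should go through `ctx.ui.notify()`, a log file, or nowhere.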