fix: auto-allow safe read-only commands in acceptEdits mode (#341)
* fix: auto-allow safe read-only commands in acceptEdits mode In acceptEdits mode, read-only commands like grep, cat, ls, find, head, tail were still prompting for approval. This created unnecessary friction since these commands cannot modify or delete files. Add safe read-only commands to ACCEPT_EDITS_ALLOWED_COMMANDS: grep, cat, ls, find, head, tail, echo, pwd, wc, sort, uniq, diff These are all read-only — they cannot cause data loss or modify the filesystem. Auto-allowing them reduces approval fatigue in acceptEdits mode without introducing any safety risk. Write commands (rm, rmdir, mv, cp, sed, mkdir, touch) are unchanged. The dangerous path guard for rm/rmdir remains in place. Fixes #251. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(bash): block unsafe acceptEdits auto-allow Keep the new read-only acceptEdits commands behind the existing read-only validator and block shell redirection based on the original command text. This prevents commands like echo > file and find -delete from being silently auto-approved while preserving safe read-only commands. Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
KRATOS
GitHub
44
src/tools/BashTool/modeValidation.test.ts
Normal file
44
src/tools/BashTool/modeValidation.test.ts
Normal file
@@ -0,0 +1,44 @@
|
||||
import { expect, test } from 'bun:test'
|
||||
import { getEmptyToolPermissionContext } from '../../Tool.js'
|
||||
import { checkPermissionMode } from './modeValidation.js'
|
||||
|
||||
const acceptEditsContext = {
|
||||
...getEmptyToolPermissionContext(),
|
||||
mode: 'acceptEdits' as const,
|
||||
}
|
||||
|
||||
test('acceptEdits does not auto-allow read commands with output redirection', () => {
|
||||
const result = checkPermissionMode(
|
||||
{ command: 'echo hello > output.txt' } as never,
|
||||
acceptEditsContext,
|
||||
)
|
||||
|
||||
expect(result.behavior).toBe('passthrough')
|
||||
})
|
||||
|
||||
test('acceptEdits does not auto-allow mutating find invocations', () => {
|
||||
const result = checkPermissionMode(
|
||||
{ command: 'find . -delete' } as never,
|
||||
acceptEditsContext,
|
||||
)
|
||||
|
||||
expect(result.behavior).toBe('passthrough')
|
||||
})
|
||||
|
||||
test('acceptEdits still auto-allows safe read-only commands', () => {
|
||||
const result = checkPermissionMode(
|
||||
{ command: 'grep foo package.json' } as never,
|
||||
acceptEditsContext,
|
||||
)
|
||||
|
||||
expect(result.behavior).toBe('allow')
|
||||
})
|
||||
|
||||
test('acceptEdits still blocks dangerous rm paths even in auto-allow mode', () => {
|
||||
const result = checkPermissionMode(
|
||||
{ command: 'rm -rf ~' } as never,
|
||||
acceptEditsContext,
|
||||
)
|
||||
|
||||
expect(result.behavior).toBe('ask')
|
||||
})
|
||||
Reference in New Issue
Block a user