Harden dirac CLI defaults

bglusman · bglusman · commit c6e1c10dd2dd · 2026-05-12T09:06:20.000-04:00
diff --git a/crates/calciforge/examples/config.toml b/crates/calciforge/examples/config.toml
@@ -97,14 +97,14 @@ primary_channels = ["telegram"]
 id = "dirac"
 kind = "dirac-cli"
 command = "dirac"
-args = ["--yolo", "--json"]
+args = ["--json"]
 timeout_ms = 600000
 
 [agents.registry]
 display_name = "Dirac CLI"
 description = "Dirac coding agent via the official dirac-cli"
 specialties = ["coding", "refactoring", "token-efficiency"]
-access = ["filesystem", "git", "shell"]
+access = ["filesystem", "git"]
 primary_channels = ["telegram"]
 
 # OpenCode via ACP (stdio transport)
diff --git a/crates/calciforge/src/adapters/dirac_cli.rs b/crates/calciforge/src/adapters/dirac_cli.rs
@@ -1,8 +1,9 @@
 //! Dirac CLI adapter.
 //!
 //! This adapter dispatches messages through `dirac` in scripted mode.
-//! Default invocation uses `--yolo --json` with a fixed argv prompt and writes
+//! Default invocation uses JSON output with a fixed argv prompt and writes
 //! the user task on stdin, avoiding prompt leakage through process listings.
+//! Operators who want approval-bypass modes must opt in explicitly in config.
 
 use std::collections::HashMap;
 use std::process::Stdio;
@@ -157,7 +158,7 @@ impl DiracCliAdapter {
 }
 
 fn default_dirac_args() -> Vec<String> {
-    vec!["--yolo".to_string(), "--json".to_string()]
+    vec!["--json".to_string()]
 }
 
 #[async_trait]
@@ -239,10 +240,10 @@ mod tests {
     use super::*;
 
     #[test]
-    fn defaults_append_prompt_when_no_placeholder() {
+    fn defaults_do_not_bypass_dirac_approvals() {
         let a = DiracCliAdapter::new(None, None, None, None, None);
         let args = a.build_args();
-        assert!(args.contains(&"--yolo".to_string()));
+        assert!(!args.contains(&"--yolo".to_string()));
         assert!(args.contains(&"--json".to_string()));
         assert_eq!(args.last().map(String::as_str), Some(STDIN_TASK_PROMPT));
     }
diff --git a/crates/calciforge/src/adapters/mod.rs b/crates/calciforge/src/adapters/mod.rs
@@ -360,7 +360,7 @@ pub fn agent_supports_model_override(agent: &AgentConfig) -> bool {
 /// | `artifact-cli`     | subprocess stdin + artifact dir | ❌ one-shot | n/a |
 /// | `codex-cli`        | `codex exec`        | ✅ `resume` path    | n/a |
 /// | `claude-cli`       | `claude --print`    | ✅ `--session-id`   | n/a |
-/// | `dirac-cli`        | `dirac --yolo --json` | ❌ one-shot       | n/a |
+/// | `dirac-cli`        | `dirac --json` | ❌ one-shot       | n/a |
 /// | `kimi-cli`         | `kimi --quiet`      | ✅ `--session`      | n/a |
 /// | `ironclaw`         | HTTP + SSE events   | ✅ server-side      | n/a |
 /// | `acp`              | SACP stdio          | ✅ persistent proc  | n/a |
diff --git a/docs/agent-adapters.md b/docs/agent-adapters.md
@@ -49,7 +49,7 @@ Adapter lifecycle labels:
 | OpenAI-compatible endpoint | `openai-compat` | Plain `/v1/chat/completions` target for Calciforge's model gateway, local test gateways, or compatible model APIs. Set `allow_model_override = true` only when this endpoint should accept Calciforge `!model` selections. |
 | Artifact-producing CLI | `kind = "artifact-cli"` | Prototype path for tools such as npcsh media workflows. Calciforge sends the task on stdin, exposes `{artifact_dir}` and `CALCIFORGE_ARTIFACT_DIR`, validates produced files, and returns a text fallback that names attachments without exposing local paths. Telegram and Matrix already use the richer internal envelope; native media upload can be added channel by channel. |
 | opencode | `acpx` or generic CLI | Model-agnostic terminal agent with a mature CLI/TUI surface. Prefer ACP when available. |
-| Dirac | `kind = "dirac-cli"` | Good scriptable fit. The adapter uses `--yolo --json`, sends the user task on stdin, ignores internal JSON event spam, and returns the final `completion_result`. |
+| Dirac | `kind = "dirac-cli"` | Good scriptable fit. The adapter defaults to `--json`, sends the user task on stdin, ignores internal JSON event spam, and returns the final `completion_result`. Approval-bypass flags such as `--yolo` require an explicit operator opt-in. |
 | Kimi Code CLI | `kind = "kimi-cli"` or generic ACP | Use `kimi-cli` for print-mode CLI dispatch with `--session` and explicit `--thinking` / `--no-thinking` args. Use generic ACP for `kimi acp` when Calciforge should talk to Kimi's native agent protocol. |
 | AgentSwift | Not supported directly | Interesting iOS-specific workflow, but current public shape is a SwiftUI app that drives Claude plus `xcodebuildmcp`/`openspec`, not a stable CLI adapter surface. Revisit if it exposes a noninteractive JSON/ACP/HTTP protocol. |
 
@@ -229,25 +229,27 @@ Operational guidance:
 Dirac is attractive for Calciforge because its CLI is scriptable:
 
 ```sh
-dirac --yolo --json --timeout 120 --cwd /path/to/project \
+dirac --json --timeout 120 --cwd /path/to/project \
   "Fix the failing test and summarize the result."
 ```
 
 Local smoke testing found:
 
 - `dirac --json` can complete a non-edit task and emit a final
   `completion_result`.
-- `dirac --yolo --json` can perform a simple edit, run `npm test`, and return a
-  concise final answer.
-- Non-yolo scripted runs can stop at approval prompts, which is unsuitable for
-  unattended Calciforge dispatch.
+- Approval-bypass flags such as `--yolo` can perform edits and run commands
+  without interactive approval, so Calciforge does not enable them by default.
+- Non-yolo scripted runs can stop at approval prompts; operators should pair
+  Dirac agents with trusted identities and constrained workspaces rather than
+  making approval bypass the default.
 - JSON output includes repeated internal `api_req_started` events for the same
   request. The Calciforge adapter intentionally ignores those and only returns
   final assistant events.
 
 Operational guidance:
 
-- Keep `--yolo` limited to trusted identities and workspaces.
+- Only add approval-bypass flags such as `--yolo` for trusted identities and
+  workspaces after accepting the local command execution risk.
 - Set `timeout_ms` generously for real coding tasks; the adapter still kills the
   child process if it exceeds Calciforge's timeout.
 - Prefer prompt-on-stdin configuration. Avoid putting sensitive request text in
diff --git a/scripts/install.sh b/scripts/install.sh
@@ -424,7 +424,7 @@ CONFIGURE_ONLY=false
 NODES_ONLY=false
 AGENTS_ONLY=false
 NODES_FILE=""
-AGENTS="claude,opencode,openclaw,zeroclaw,ironclaw,hermes,dirac"
+AGENTS="claude,opencode,openclaw,zeroclaw,ironclaw,hermes"
 
 while [[ $# -gt 0 ]]; do
     case "$1" in
@@ -1947,6 +1947,7 @@ if agent_enabled dirac; then
     if command -v dirac &>/dev/null; then
         ok "dirac CLI installed"
         warn "Authenticate once before first use: dirac auth"
+        warn "Dirac is opt-in for installation; avoid approval-bypass flags such as --yolo unless you accept local command execution risk."
     fi
 fi
 
