refactor: delegate filesystem enforcement to sandbox extension (#17)

* refactor(plan-ask): delegate filesystem enforcement to sandbox extension

* feat(status-bar): add sandbox status display on line 3

* docs: update changelog

Author: kostyay

CHANGELOG.md

@@ -30,7 +30,13 @@ All notable changes to agent-stuff are documented here.
 
 
 
-## feat/terminal-progress-indicator
+
+
+## refactor/delegate-filesystem-enforcement
+
+This refactor consolidates filesystem enforcement into a dedicated event-driven architecture (#17). The plan-ask extension now delegates read-only command filtering to the sandbox extension via a shared `readonly` event on `pi.events`, eliminating ~100 lines of duplicated destructive-command pattern matching and reducing the plan-ask module's responsibility to tool restrictions and system prompts only. The sandbox extension listens for readonly state changes and dynamically reconfigures its filesystem allowlist, with an acknowledgment mechanism that warns users if the sandbox extension isn't loaded. Additionally, the status bar now displays sandbox state on a dedicated line 3, surfacing sandbox and readonly modes to users in real-time.
+
+## [1.0.5](https://github.com/kostyay/agent-stuff/pull/16) - 2026-03-03
 
 Introduces a terminal progress indicator extension using OSC 9;4 escape sequences (#16), providing visual feedback in the terminal tab/titlebar with an indeterminate pulse while the agent is working. The indicator automatically clears when the agent finishes or waits for user input, with graceful cleanup on process exit to prevent stuck indicators. Supports multiple terminal emulators including Ghostty, iTerm2, WezTerm, Windows Terminal, and ConEmu, enhancing the user experience during long-running agent operations without requiring explicit status polling.
 

pi-extensions/plan-ask.ts

@@ -16,6 +16,10 @@
  * - **Plan** — Read-only. Agent explores, asks clarifying questions, builds a plan.
  *   On completion, offers save/execute/refine options.
  *
+ * Filesystem enforcement is delegated to the sandbox extension via the
+ * shared `readonly` event on `pi.events`. This extension only manages
+ * tool restrictions (removing edit/write) and system prompts.
+ *
  * Depends on kbrainstorm extension for the ask_question tool.
  */
 
@@ -38,104 +42,6 @@ interface ModeState {
 	originalTools: string[];
 }
 
-// ── Safe command filter ──────────────────────────────────────────────────
-
-const DESTRUCTIVE_PATTERNS: RegExp[] = [
-	/\brm\b/i,
-	/\brmdir\b/i,
-	/\bmv\b/i,
-	/\bcp\b/i,
-	/\bmkdir\b/i,
-	/\btouch\b/i,
-	/\bchmod\b/i,
-	/\bchown\b/i,
-	/\bchgrp\b/i,
-	/\bln\b/i,
-	/\btee\b/i,
-	/\btruncate\b/i,
-	/\bdd\b/i,
-	/\bshred\b/i,
-	/(^|[^<])>(?!>)/,
-	/>>/,
-	/\bnpm\s+(install|uninstall|update|ci|link|publish)/i,
-	/\byarn\s+(add|remove|install|publish)/i,
-	/\bpnpm\s+(add|remove|install|publish)/i,
-	/\bpip\s+(install|uninstall)/i,
-	/\bapt(-get)?\s+(install|remove|purge|update|upgrade)/i,
-	/\bbrew\s+(install|uninstall|upgrade)/i,
-	/\bgit\s+(add|commit|push|pull|merge|rebase|reset|checkout|branch\s+-[dD]|stash|cherry-pick|revert|tag|init|clone)/i,
-	/\bsudo\b/i,
-	/\bsu\b/i,
-	/\bkill\b/i,
-	/\bpkill\b/i,
-	/\bkillall\b/i,
-	/\breboot\b/i,
-	/\bshutdown\b/i,
-	/\bsystemctl\s+(start|stop|restart|enable|disable)/i,
-	/\bservice\s+\S+\s+(start|stop|restart)/i,
-	/\b(vim?|nano|emacs|code|subl)\b/i,
-];
-
-const SAFE_PATTERNS: RegExp[] = [
-	/^\s*cat\b/,
-	/^\s*head\b/,
-	/^\s*tail\b/,
-	/^\s*less\b/,
-	/^\s*more\b/,
-	/^\s*grep\b/,
-	/^\s*find\b/,
-	/^\s*ls\b/,
-	/^\s*pwd\b/,
-	/^\s*echo\b/,
-	/^\s*printf\b/,
-	/^\s*wc\b/,
-	/^\s*sort\b/,
-	/^\s*uniq\b/,
-	/^\s*diff\b/,
-	/^\s*file\b/,
-	/^\s*stat\b/,
-	/^\s*du\b/,
-	/^\s*df\b/,
-	/^\s*tree\b/,
-	/^\s*which\b/,
-	/^\s*whereis\b/,
-	/^\s*type\b/,
-	/^\s*env\b/,
-	/^\s*printenv\b/,
-	/^\s*uname\b/,
-	/^\s*whoami\b/,
-	/^\s*id\b/,
-	/^\s*date\b/,
-	/^\s*cal\b/,
-	/^\s*uptime\b/,
-	/^\s*ps\b/,
-	/^\s*top\b/,
-	/^\s*htop\b/,
-	/^\s*free\b/,
-	/^\s*git\s+(status|log|diff|show|branch|remote|config\s+--get)/i,
-	/^\s*git\s+ls-/i,
-	/^\s*npm\s+(list|ls|view|info|search|outdated|audit)/i,
-	/^\s*yarn\s+(list|info|why|audit)/i,
-	/^\s*node\s+--version/i,
-	/^\s*python\s+--version/i,
-	/^\s*curl\s/i,
-	/^\s*wget\s+-O\s*-/i,
-	/^\s*jq\b/,
-	/^\s*sed\s+-n/i,
-	/^\s*awk\b/,
-	/^\s*rg\b/,
-	/^\s*fd\b/,
-	/^\s*bat\b/,
-	/^\s*exa\b/,
-];
-
-/** Check whether a bash command is safe for read-only modes. */
-function isSafeCommand(command: string): boolean {
-	const isDestructive = DESTRUCTIVE_PATTERNS.some((p) => p.test(command));
-	const isSafe = SAFE_PATTERNS.some((p) => p.test(command));
-	return !isDestructive && isSafe;
-}
-
 // ── Helpers ──────────────────────────────────────────────────────────────
 
 function isAssistantMessage(m: AgentMessage): m is AssistantMessage {
@@ -273,6 +179,23 @@ export default function planAskExtension(pi: ExtensionAPI) {
 		ctx.ui.setStatus("plan-mode", ctx.ui.theme.fg(display.color, `${display.icon} ${display.label}`));
 	}
 
+	/**
+	 * Emit a `readonly` event on the shared event bus.
+	 * Includes an `ack` callback — if no listener calls it (sandbox not loaded),
+	 * warns the user that filesystem writes are not enforced.
+	 */
+	function emitReadonly(enabled: boolean, ctx: ExtensionContext): void {
+		let acknowledged = false;
+		pi.events.emit("readonly", { enabled, ack: () => { acknowledged = true; } });
+		if (enabled && !acknowledged) {
+			ctx.ui.notify(
+				"⚠️ Sandbox extension not loaded — readonly filesystem enforcement is inactive. " +
+				"Only tool restrictions (no edit/write) are in effect.",
+				"warning",
+			);
+		}
+	}
+
 	function setMode(newMode: Mode, ctx: ExtensionContext): void {
 		if (newMode === mode) return;
 
@@ -286,8 +209,10 @@ export default function planAskExtension(pi: ExtensionAPI) {
 			modePrompt = "";
 			pi.setActiveTools(originalTools.length > 0 ? originalTools : DEFAULT_AGENT_TOOLS);
 			originalTools = [];
+			emitReadonly(false, ctx);
 		} else {
 			pi.setActiveTools(RESTRICTED_TOOLS);
+			emitReadonly(true, ctx);
 		}
 
 		updateStatus(ctx);
@@ -381,20 +306,6 @@ export default function planAskExtension(pi: ExtensionAPI) {
 		};
 	});
 
-	// ── Block unsafe bash in restricted modes ────────────────────────
-
-	pi.on("tool_call", async (event) => {
-		if (mode === AGENT || event.toolName !== "bash") return;
-
-		const command = event.input.command as string;
-		if (!isSafeCommand(command)) {
-			return {
-				block: true,
-				reason: `${MODE_DISPLAY[mode].label} mode: command blocked (not in read-only allowlist).\nCommand: ${command}`,
-			};
-		}
-	});
-
 	// ── Filter mode-specific context messages ────────────────────────
 
 	pi.on("context", async (event) => {
@@ -491,6 +402,7 @@ export default function planAskExtension(pi: ExtensionAPI) {
 
 			if (mode !== AGENT) {
 				pi.setActiveTools(RESTRICTED_TOOLS);
+				emitReadonly(true, ctx);
 			}
 		}
 

pi-extensions/sandbox/index.ts

@@ -204,12 +204,21 @@ function killTree(child: ReturnType<typeof spawn>) {
 // Status helpers
 // ---------------------------------------------------------------------------
 
-function updateStatus(ctx: ExtensionContext, config: SandboxConfig, active: boolean) {
+function updateStatus(ctx: ExtensionContext, config: SandboxConfig, active: boolean, readonly = false) {
 	if (!active) {
 		ctx.ui.setStatus("sandbox", ctx.ui.theme.fg("warning", "🔓 Sandbox OFF"));
 		return;
 	}
 
+	if (readonly) {
+		ctx.ui.setStatus(
+			"sandbox",
+			ctx.ui.theme.fg("accent", "🔒 Sandbox") +
+				ctx.ui.theme.fg("warning", " [READONLY]"),
+		);
+		return;
+	}
+
 	const domains = config.network?.allowedDomains?.length ?? 0;
 	const writePaths = config.filesystem?.allowWrite?.length ?? 0;
 	const denyRead = config.filesystem?.denyRead?.length ?? 0;
@@ -265,6 +274,10 @@ export default function sandboxExtension(pi: ExtensionAPI) {
 	// and /sandbox on|off. Checked synchronously by user_bash.
 	let sandboxActive = false;
 
+	// Readonly mode state — set by plan-ask extension via pi.events.
+	let readonlyActive = false;
+	let lastCtx: ExtensionContext | null = null;
+
 	// Sandbox readiness — awaited by the bash tool to avoid races.
 	// Resolves to true when sandbox is active, false otherwise.
 	let sandboxReady: Promise<boolean> = Promise.resolve(false);
@@ -337,6 +350,7 @@ export default function sandboxExtension(pi: ExtensionAPI) {
 
 	// ---- Initialize sandbox on session start ----
 	pi.on("session_start", async (_event, ctx) => {
+		lastCtx = ctx;
 		const noSandbox = pi.getFlag("no-sandbox") as boolean;
 
 		if (noSandbox) {
@@ -366,8 +380,51 @@ export default function sandboxExtension(pi: ExtensionAPI) {
 		await sandboxReady;
 	});
 
+	// ---- Readonly mode (emitted by plan-ask extension) ----
+	pi.events.on("readonly", (data: unknown) => {
+		const { enabled, ack } = data as { enabled: boolean; ack: () => void };
+
+		if (!sandboxActive || !lastCtx) return;
+
+		ack();
+
+		if (enabled === readonlyActive) return;
+		readonlyActive = enabled;
+
+		const ctx = lastCtx;
+		const config = loadConfig(ctx.cwd);
+
+		if (enabled) {
+			const readonlyConfig: SandboxConfig = {
+				...config,
+				filesystem: {
+					...config.filesystem,
+					allowWrite: [],
+				},
+			};
+			sandboxReady = activateSandbox(readonlyConfig, ctx).then((ok) => {
+				if (ok) {
+					updateStatus(ctx, readonlyConfig, true, true);
+					ctx.ui.notify("🔒 Sandbox: filesystem set to read-only", "info");
+				}
+				return ok;
+			});
+		} else {
+			sandboxReady = activateSandbox(config, ctx).then((ok) => {
+				if (ok) {
+					updateStatus(ctx, config, true, false);
+					ctx.ui.notify("🔓 Sandbox: filesystem writes restored", "info");
+				}
+				return ok;
+			});
+			readonlyActive = false;
+		}
+	});
+
 	// ---- Cleanup ----
 	pi.on("session_shutdown", async (_event, ctx) => {
+		readonlyActive = false;
+		lastCtx = null;
 		await deactivateSandbox(ctx);
 	});
 

pi-extensions/status-bar.ts

@@ -3,6 +3,7 @@
  *
  * Line 1: [profile badge] + status icon + model + context meter (left), tokens in/out/cache + cost (right)
  * Line 2: cwd (branch ±dirty +add,-del ✨new📝mod🗑del⚡unstaged) on left, tool tally + turn on right
+ * Line 3: sandbox status (shown only when sandbox extension is active)
  *
  * When PI_CODING_AGENT_DIR is set to a non-default path, a colored profile badge
  * is shown at the start of line 1. The badge background color is deterministically
@@ -254,9 +255,13 @@ export default function statusBarExtension(pi: ExtensionAPI) {
 						theme.fg("dim", " ");
 
 					const statuses = footerData.getExtensionStatuses();
+					const sandboxStatus = statuses.get("sandbox");
+					const otherStatuses = [...statuses.entries()]
+						.filter(([key]) => key !== "sandbox")
+						.map(([, val]) => val);
 					let l1Mid = "";
-					if (statuses.size > 0) {
-						l1Mid = " " + [...statuses.values()].join(theme.fg("dim", " · "));
+					if (otherStatuses.length > 0) {
+						l1Mid = " " + otherStatuses.join(theme.fg("dim", " · "));
 					}
 
 					const pad1 = " ".repeat(
@@ -339,7 +344,14 @@ export default function statusBarExtension(pi: ExtensionAPI) {
 					);
 					const line2 = truncateToWidth(l2Left + pad2 + l2Right, width, "");
 
-					return [line1, line2];
+					if (!sandboxStatus) return [line1, line2];
+
+					// --- Line 3: sandbox status (left-aligned) ---
+					const l3Left = " " + sandboxStatus;
+					const pad3 = " ".repeat(Math.max(1, width - visibleWidth(l3Left)));
+					const line3 = truncateToWidth(l3Left + pad3, width, "");
+
+					return [line1, line2, line3];
 				},
 			};
 		});