Skip to content

Automatic Sync: Merge changes from stable/mi to main#2315

Open
choreo-cicd wants to merge 21 commits into
mainfrom
sync/main-stable/mi-1780318066
Open

Automatic Sync: Merge changes from stable/mi to main#2315
choreo-cicd wants to merge 21 commits into
mainfrom
sync/main-stable/mi-1780318066

Conversation

@choreo-cicd

@choreo-cicd choreo-cicd commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

This PR syncs changes from stable/mi to the main branch.

Automated PR created by GitHub Actions.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for AGENTS.md project instruction files
    • Added context warnings when content is truncated
  • Bug Fixes

    • Fixed Copilot mediator packing
    • Fixed Copilot database creation and XML output
    • Fixed AGENTS.md support
  • Chores

    • Updated dependencies: axios (1.16.0), tmp (0.2.6)

IsuruMaduranga and others added 21 commits May 27, 2026 00:25
Replace VALID_FILE_EXTENSIONS / VALID_SPECIAL_FILE_NAMES with
BLOCKED_BINARY_EXTENSIONS so the agent can read/write any text file
(including extensionless ones like Dockerfile, Makefile, .gitignore)
while still blocking archives, executables, office docs, images, etc.
Shell sandbox now enforces the same deny-list on mutation paths. The
@-mention picker keeps its own short UX allow-list, decoupled from
the security gate. Also enable XML validation for .dbs data services.
Trim filePath in getReadFileKind() to keep classification consistent with
validateReadableFilePath(), and update shell sandbox error message to
accurately describe all mutation types (write/edit/delete/rename).
Loads a root-level AGENTS.md (CLAUDE.md / Cursor convention) as a tracked
context block. Re-injected only on content drift via the existing
session-context hash system, so it does not waste tokens every turn.

Files over 30 KB are truncated before being shipped to the model. The
block carries an explicit truncation banner so the agent knows context is
missing (and can file_read the tail on demand), and a persistent in-chat
warning segment tells the user. Truncation warnings fire only when the
block is actually being injected, so an unchanged large file does not
re-warn each turn.
- agent.ts: make `saveAgentsMdWarning` failure non-fatal. The live event
  still fires so the user sees the warning this turn; only the JSONL
  replay across reconnects is sacrificed on persistence failure.
- prompt.ts: neutralize embedded `<system-reminder>` / `<user_query>`
  tags in user-authored AGENTS.md so they can't break out of the
  surrounding envelope. Replaces the angle brackets with U+27E8 / U+27E9.
- prompt.ts: fix the `SessionContextBlockHashes.agentsMd` doc comment to
  describe what the code actually hashes (surfaced bytes + truncation
  metadata) instead of the old "full untruncated raw bytes" claim.
- AIChatFooter.tsx: splice the warning before the optimistic streaming
  placeholder. Appending at the end displaced the placeholder, causing
  subsequent content_block / thinking_* events to land in the warning
  bubble instead of the assistant message.
- eventToMessageConverter.ts: drop `(event as any)` cast now that
  `warningMessage` is a typed field on AgentEvent / ChatHistoryEvent.
Instruct agent-mode to flip pom.xml <packaging> to jar and declare
synapse-core when creating a class mediator, otherwise the CApp ships
without the compiled jar and deployment silently fails.

Fixes wso2/product-integrator#1631
file_write and file_edit now append a <system-reminder> to the tool
result whenever the touched file is a class mediator java source
(src/main/java/**/*.java), telling the agent to verify root pom.xml
packaging is "jar" and synapse-core is declared. The prompt-level
guideline alone can be missed; a per-tool reminder makes it harder
to skip.

Related to wso2/product-integrator#1631
Read the project root pom.xml and skip the class mediator reminder
when <packaging>jar</packaging> is already set, so the agent is not
prompted to fix something that is already correct. When packaging is
something else (typically the default "pom"), the reminder reports
the current value to make the required change unambiguous.
…ging

Fix copilot-created class mediators not packed in CApp
- Clarify file_read offset/limit are line-based in AGENTS.md guidance
- Use Math.ceil for KB rounding and improve truncation warning copy
- Add aria-hidden to decorative warning icon
- Dedup context_warning on panel reconnect/event replay
Mirror the POSIX shell sandbox check so the agent cannot mutate
foo.jar, foo.dll, etc. via PowerShell on Windows.
Switch agent file tools to a binary deny-list
Fix trivy detected vulnerabilities
Sync latest changes from release/mi-4.0.2
Merge "micro-integrator-4.0.2" into "stable/mi"
@choreo-cicd choreo-cicd requested review from gigara and hevayo as code owners June 1, 2026 12:47
@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds AGENTS.md truncation warning detection to the agent copilot system, replaces file-extension validation with a deny-list safety policy, and updates axios/tmp dependencies. The feature detects when injected project instructions are truncated, persists warnings to chat history, and displays them in the UI. File tooling and shell sandboxes now block mutations targeting binary extensions.

Changes

Dependency Version Updates

Layer / File(s) Summary
PNPM hook overrides
common/config/rush/.pnpmfile.cjs, package.json
axios 1.15.2 → 1.16.0 and tmp 0.2.4 → 0.2.6 pinned in pnpm readPackage hook and root pnpm.overrides.
Workspace package.json versions
workspaces/*/package.json, workspaces/mi/mi-extension/package.json, workspaces/mi/mi-extension/CHANGELOG.md
axios bumped to 1.16.0 across extension workspaces; mi-extension version updated to 4.0.2 with axios/tmp bumps and changelog entry.

AGENTS.md Context Warning Feature

Layer / File(s) Summary
RPC event and state types
workspaces/mi/mi-core/src/rpc-types/agent-mode/types.ts
Add context_warning event type and warningMessage field to AgentEvent and ChatHistoryEvent; add agentsMd hash field to SessionContextBlocksState for persistence.
Prompt template, snapshot building, and truncation
workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts
Define AGENTS_MD_MAX_BYTES constant; extend BlockInjectionStatuses, SessionContextSnapshot, and SessionContextBlockHashes with agentsMd fields; implement readAgentsMd to read and truncate project AGENTS.md; implement buildAgentsMdBlockText with envelope-tag neutralization; inject rendered block into PROMPT_TEMPLATE via system-reminder wrapper.
Agent execution warning flow
workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/agent.ts
Track agentsMd block state changes and drift; emit context_warning event with warning message when AGENTS.md is truncated during injection; persist warning to chat history with non-fatal error handling.
System prompt AGENTS.md guidance
workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts
Import FILE_READ_TOOL_NAME and document "Project AGENTS.md" agent behavior including override semantics, re-send rules, and on-demand read handling for truncated reminders.
Chat history persistence and conversion
workspaces/mi/mi-extension/src/ai-features/agent-mode/chat-history-manager.ts
Extend SessionContextBlocksState with agentsMd; add context_warning journal entry type and warningMessage field; implement saveAgentsMdWarning method; add includeContextWarningEntry option to getMessages; update convertToEventFormat to emit context_warning UI events.
UI event conversion and warning components
workspaces/mi/mi-visualizer/src/views/AIPanel/component/ContextWarningSegment.tsx, AIChatFooter.tsx, AIChatMessage.tsx, utils.ts, utils/eventToMessageConverter.ts
Add ContextWarningSegment component for styled warning display; extend AIChatFooter to handle context_warning events with deduplication; update message rendering and content segmentation to recognize <agents-md-warning> blocks; convert events to standalone warning messages.

Binary File Deny-List Safety Policy

Layer / File(s) Summary
Binary blocklist definition and helper
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts
Add BLOCKED_BINARY_EXTENSIONS constant and hasBlockedBinaryExtension helper function; remove VALID_FILE_EXTENSIONS and VALID_SPECIAL_FILE_NAMES exports.
File tool validation and class mediator reminders
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/file_tools.ts
Switch to binary deny-list for read/write kind determination; update error messages to reflect deny-list approach; add isClassMediatorPath and buildClassMediatorPomReminder helpers to emit conditional system-reminder for class mediator Java sources when pom.xml packaging is not jar.
Shell command mutation blocking
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts, shell_sandbox_powershell.ts
Detect and block shell mutations targeting binary file paths using deny-list; add detailed denial reasons guiding users to directory-level operations.
RPC manager mention allow-list
workspaces/mi/mi-extension/src/rpc-managers/agent-mode/rpc-manager.ts
Replace imported valid-extension constants with local MENTIONABLE_FILE_EXTENSIONS and MENTIONABLE_SPECIAL_FILE_NAMES allow-lists; update isMentionableFile logic and cache initialization; enable includeContextWarningEntry when loading chat history.
XML file validation extension
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/validation-utils.ts
Update validateXmlFile to accept both .xml and .dbs extensions for Synapse data service files.

🐰 A rabbit hops through the code, leaves no trail
With warnings for truncated AGENTS at scale,
Binary files now blocked by deny-list's nail,
Dependencies patched—no security fail! 🔐

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • wso2/vscode-extensions#2300: Adds core AGENTS.md support feature that this PR refines with truncation warnings and context-warning events.
  • wso2/vscode-extensions#2311: Updates the same tmp dependency version (0.2.40.2.6) in pnpm configuration.
  • wso2/vscode-extensions#2291: Implements the binary file deny-list policy changes (hasBlockedBinaryExtension, file_tools.ts, shell_sandbox.ts) that this PR extends.

Suggested reviewers

  • hevayo
  • gigara
  • IsuruMaduranga
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is minimal and does not follow the provided template structure, missing all required sections like Purpose, Goals, Approach, Release notes, and other critical documentation elements. Fill in the template sections with: Purpose (context warning and AGENTS.md support, class mediator handling, dependency updates), Goals, Approach, Release notes, and other applicable sections to document this significant merge.
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Automatic Sync: Merge changes from stable/mi to main' is directly related to the PR's primary purpose of syncing changes between branches, though it lacks specifics about the substantial feature and fix content.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sync/main-stable/mi-1780318066
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch sync/main-stable/mi-1780318066

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@CLAassistant

CLAassistant commented Jun 1, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ ChinthakaJ98
✅ IsuruMaduranga
❌ choreo-cicd
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts (1)

1263-1301: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This binary-path block misses common bare-filename mutations.

blockedBinaryMutationPaths only checks writePathTokens, but the current extractor does not put plain filenames like foo.jar or logo.png there for many POSIX mutations. Commands such as rm foo.jar, touch logo.png, or truncate -s 0 app.war therefore drop to approval instead of being hard-blocked.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts`
around lines 1263 - 1301, The binary-path blocking currently only inspects
writePathTokens (via blockedBinaryMutationPaths) and misses plain filenames
extracted elsewhere; update the logic to also check other mutation path sources
(e.g., disallowedMutationPaths and resolvedMutationPaths) for blocked binary
extensions: for each candidate path or token use hasDynamicShellExpansion(path)
to skip dynamic tokens and hasBlockedBinaryExtension(path.basename(path)) to
detect binaries, then merge those results into blockedBinaryMutationPaths (or a
unified blockedBinaryCandidates) so commands like "rm foo.jar" or "touch
logo.png" are correctly hard-blocked.
🧹 Nitpick comments (1)
workspaces/mi/mi-extension/CHANGELOG.md (1)

9-9: 💤 Low value

Consider hyphenating compound adjective.

"Copilot created class mediators" should be "Copilot-created class mediators" when used as a compound adjective modifying "class mediators".

✏️ Suggested grammar fix
-Fixed: Copilot created class mediators are not getting packed in the CApp ([`#1631`](https://github.com/wso2/product-integrator/issues/1631))
+Fixed: Copilot-created class mediators are not getting packed in the CApp ([`#1631`](https://github.com/wso2/product-integrator/issues/1631))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/CHANGELOG.md` at line 9, Change the phrase
"Copilot created class mediators" to the hyphenated compound adjective
"Copilot-created class mediators" in the CHANGELOG entry; locate the exact
string "Copilot created class mediators" in the file and replace it so the
adjective correctly modifies "class mediators" as "Copilot-created class
mediators".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`:
- Around line 923-925: truncationFooter currently includes an explicit "Inform
the user..." directive which duplicates the runtime context_warning emitted by
agent.ts when snapshot.agentsMdTruncated is true; remove that instructional
sentence so truncationFooter (defined near AGENTS_MD_MAX_BYTES and
snapshot.agentsMdTruncated) only reports the truncation and sizes (e.g., "[file
truncated — original size: X KB, showing first Y KB]") and does not tell the
assistant to notify the user, avoiding a second truncation notice.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts`:
- Around line 151-154: The AGENTS.md reminder currently is treated as overriding
system defaults; change the merge/apply logic so that a "<system-reminder>"
titled "Project AGENTS.md" is only allowed to augment project conventions/task
guidance and never override safety-critical system rules: in the code that
processes reminders (look for the branch handling the "Project AGENTS.md" title
or the "<system-reminder>" handler), merge AGENTS.md entries after enforcing
base safety rules, add a conflict-check that preserves safety-critical keys and
emits a warning/log when AGENTS.md attempts to change them, and ensure any
precedence comments/documentation reflect that AGENTS.md cannot relax
confirmation, privacy, or tool-use constraints.

In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`:
- Around line 902-918: The mutation path check only inspects
extractedPathTokens.mutationPathTokens so bare filenames in
extractedPathTokens.unresolvedPathLikeTokens bypass the deny-list; update the
logic that computes blockedBinaryMutationPaths to include
unresolvedPathLikeTokens as well (e.g., combine mutationPathTokens and
unresolvedPathLikeTokens before dedupe/filter), still applying
stripWrappingQuotes and hasBlockedBinaryExtension(path.win32.basename(...)) to
each token; ensure the rest of the block (setting blocked = true and pushing the
reasons message) remains using the now-combined deduped list so plain filenames
like "foo.jar" are correctly blocked.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts`:
- Around line 73-103: The BLOCKED_BINARY_EXTENSIONS array omits the `.car`
packaged MI deployment archive, allowing reads/writes that should be blocked;
update the BLOCKED_BINARY_EXTENSIONS constant (used by hasBlockedBinaryExtension
and file tools/sandboxes) to include '.car' among the archive/compressed
extensions so `.car` files are treated as blocked binary artifacts; keep the
array as const and preserve existing comment grouping and ordering for clarity.

---

Outside diff comments:
In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts`:
- Around line 1263-1301: The binary-path blocking currently only inspects
writePathTokens (via blockedBinaryMutationPaths) and misses plain filenames
extracted elsewhere; update the logic to also check other mutation path sources
(e.g., disallowedMutationPaths and resolvedMutationPaths) for blocked binary
extensions: for each candidate path or token use hasDynamicShellExpansion(path)
to skip dynamic tokens and hasBlockedBinaryExtension(path.basename(path)) to
detect binaries, then merge those results into blockedBinaryMutationPaths (or a
unified blockedBinaryCandidates) so commands like "rm foo.jar" or "touch
logo.png" are correctly hard-blocked.

---

Nitpick comments:
In `@workspaces/mi/mi-extension/CHANGELOG.md`:
- Line 9: Change the phrase "Copilot created class mediators" to the hyphenated
compound adjective "Copilot-created class mediators" in the CHANGELOG entry;
locate the exact string "Copilot created class mediators" in the file and
replace it so the adjective correctly modifies "class mediators" as
"Copilot-created class mediators".
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d78287b4-e64b-45a5-9930-f9e7422df55d

📥 Commits

Reviewing files that changed from the base of the PR and between c35aa4d and a15c9bd.

⛔ Files ignored due to path filters (1)
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (26)
  • common/config/rush/.pnpmfile.cjs
  • package.json
  • workspaces/api-designer/api-designer-extension/package.json
  • workspaces/ballerina/ballerina-extension/package.json
  • workspaces/choreo/choreo-extension/package.json
  • workspaces/mi/mi-core/src/rpc-types/agent-mode/types.ts
  • workspaces/mi/mi-extension/CHANGELOG.md
  • workspaces/mi/mi-extension/package.json
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/agent.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/chat-history-manager.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide_old.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/file_tools.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts
  • workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/validation-utils.ts
  • workspaces/mi/mi-extension/src/rpc-managers/agent-mode/rpc-manager.ts
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatFooter.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatMessage.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/component/ContextWarningSegment.tsx
  • workspaces/mi/mi-visualizer/src/views/AIPanel/utils.ts
  • workspaces/mi/mi-visualizer/src/views/AIPanel/utils/eventToMessageConverter.ts
  • workspaces/wso2-platform/wso2-platform-extension/package.json

Comment on lines +923 to +925
const truncationFooter = snapshot.agentsMdTruncated
? `\n\n[file truncated — original size: ${Math.round(snapshot.agentsMdOriginalSize / 1024)} KB, showing first ${Math.round(AGENTS_MD_MAX_BYTES / 1024)} KB. Inform the user that their AGENTS.md exceeds the size limit and any rules beyond this point are NOT in your context.]`
: '';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid a second truncation notice here.

agent.ts already emits a dedicated context_warning event whenever a truncated AGENTS.md block is injected. Keeping the “Inform the user…” directive in this footer means the runtime warning and the assistant reply can both surface the same notice in the same turn.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`
around lines 923 - 925, truncationFooter currently includes an explicit "Inform
the user..." directive which duplicates the runtime context_warning emitted by
agent.ts when snapshot.agentsMdTruncated is true; remove that instructional
sentence so truncationFooter (defined near AGENTS_MD_MAX_BYTES and
snapshot.agentsMdTruncated) only reports the truncation and sizes (e.g., "[file
truncated — original size: X KB, showing first Y KB]") and does not tell the
assistant to notify the user, avoiding a second truncation notice.

Comment on lines +151 to +154
## Project AGENTS.md
- If a \`<system-reminder>\` titled \`# Project AGENTS.md\` is present in this turn or any prior turn, treat its contents as user-authored project-level instructions that augment this system prompt and override defaults where they conflict.
- AGENTS.md content is re-sent only when it changes; an absent reminder means either no \`AGENTS.md\` exists at the project root, or its content is unchanged since the last time it was injected — assume the prior content is still in effect.
- If the reminder ends with a \`[file truncated — ...]\` notice, rules beyond the cut are NOT in your persistent context. When a user request plausibly depends on rules past the cut, read \`AGENTS.md\` on demand with ${FILE_READ_TOOL_NAME}; its \`offset\`/\`limit\` options are line-based, so use them to fetch a specific section when needed. Do not pre-fetch — only read when the task actually needs it. Also tell the user once that AGENTS.md exceeds the in-context size limit and ask them to shorten the file (or split it into multiple smaller instruction files) so the full set stays in context every turn.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep AGENTS.md below safety-critical system rules.

This now tells the model that auto-loaded workspace AGENTS.md instructions override conflicting system defaults. Because AGENTS.md is pulled from the repo automatically, that lets repository content relax confirmation, privacy, or tool-use constraints without an explicit user decision. Please scope AGENTS.md precedence to project conventions/task guidance and keep base safety rules authoritative.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts`
around lines 151 - 154, The AGENTS.md reminder currently is treated as
overriding system defaults; change the merge/apply logic so that a
"<system-reminder>" titled "Project AGENTS.md" is only allowed to augment
project conventions/task guidance and never override safety-critical system
rules: in the code that processes reminders (look for the branch handling the
"Project AGENTS.md" title or the "<system-reminder>" handler), merge AGENTS.md
entries after enforcing base safety rules, add a conflict-check that preserves
safety-critical keys and emits a warning/log when AGENTS.md attempts to change
them, and ensure any precedence comments/documentation reflect that AGENTS.md
cannot relax confirmation, privacy, or tool-use constraints.

Comment on lines +902 to +918
// Mirror the POSIX analyzer: block mutations targeting binary file paths
// (matches the file-tool deny-list). Basename is compared case-insensitively
// via `hasBlockedBinaryExtension`. We use `path.win32.basename` to handle
// both `/` and `\` separators in PowerShell tokens.
const blockedBinaryMutationPaths = dedupe(
extractedPathTokens.mutationPathTokens.filter(
(token) => hasBlockedBinaryExtension(path.win32.basename(stripWrappingQuotes(token)))
)
);
if (blockedBinaryMutationPaths.length > 0) {
blocked = true;
reasons.push(
`Mutating binary file paths is blocked (write/edit/delete/rename; matches the file-tool deny-list). ` +
`Blocked path(s): ${blockedBinaryMutationPaths.join(', ')}. ` +
`Use directory-level operations (e.g. \`Remove-Item -Recurse dist\`) instead of targeting binary files by name.`
);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Bare filenames bypass the PowerShell binary deny-list.

This check only sees mutationPathTokens, but plain filenames like foo.jar are currently classified into unresolvedPathLikeTokens instead. So Remove-Item foo.jar / Set-Content logo.png ... end up approval-gated rather than blocked, which breaks parity with the intended hard deny-list.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`
around lines 902 - 918, The mutation path check only inspects
extractedPathTokens.mutationPathTokens so bare filenames in
extractedPathTokens.unresolvedPathLikeTokens bypass the deny-list; update the
logic that computes blockedBinaryMutationPaths to include
unresolvedPathLikeTokens as well (e.g., combine mutationPathTokens and
unresolvedPathLikeTokens before dedupe/filter), still applying
stripWrappingQuotes and hasBlockedBinaryExtension(path.win32.basename(...)) to
each token; ensure the rest of the block (setting blocked = true and pushing the
reasons message) remains using the now-combined deduped list so plain filenames
like "foo.jar" are correctly blocked.

Comment on lines +73 to +103
export const BLOCKED_BINARY_EXTENSIONS = [
// Archives / compressed
'.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst',
// JVM compiled artifacts
'.jar', '.war', '.ear', '.class',
// Native binaries / object files
'.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb',
// Compiled Python
'.pyc', '.pyo', '.pyd',
// Office documents (binary; the agent can't meaningfully edit these as text)
'.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp',
// Image formats not handled by the multimodal read path
'.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif',
// Images handled by the multimodal read path — blocked for writes only.
// file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts).
'.png', '.jpg', '.jpeg', '.gif', '.webp',
// PDF — blocked for writes only; file_read routes to the PDF multimodal path.
'.pdf',
// Audio
'.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma',
// Video
'.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v',
// Fonts
'.ttf', '.otf', '.woff', '.woff2', '.eot',
// Databases
'.db', '.sqlite', '.sqlite3', '.mdb', '.accdb',
// Installers / disk images
'.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa',
// Design assets
'.psd', '.ai', '.sketch', '.fig'
] as const;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Block .car artifacts in the shared deny-list.

.car files are packaged MI deployment archives, but this list leaves them text-readable/writable. Because hasBlockedBinaryExtension is reused by the file tools and both shell sandboxes, the current policy still allows corrupting a core archive type even though this change is meant to block archives.

Proposed fix
 export const BLOCKED_BINARY_EXTENSIONS = [
     // Archives / compressed
-    '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst',
+    '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', '.car',
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export const BLOCKED_BINARY_EXTENSIONS = [
// Archives / compressed
'.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst',
// JVM compiled artifacts
'.jar', '.war', '.ear', '.class',
// Native binaries / object files
'.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb',
// Compiled Python
'.pyc', '.pyo', '.pyd',
// Office documents (binary; the agent can't meaningfully edit these as text)
'.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp',
// Image formats not handled by the multimodal read path
'.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif',
// Images handled by the multimodal read path — blocked for writes only.
// file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts).
'.png', '.jpg', '.jpeg', '.gif', '.webp',
// PDF — blocked for writes only; file_read routes to the PDF multimodal path.
'.pdf',
// Audio
'.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma',
// Video
'.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v',
// Fonts
'.ttf', '.otf', '.woff', '.woff2', '.eot',
// Databases
'.db', '.sqlite', '.sqlite3', '.mdb', '.accdb',
// Installers / disk images
'.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa',
// Design assets
'.psd', '.ai', '.sketch', '.fig'
] as const;
export const BLOCKED_BINARY_EXTENSIONS = [
// Archives / compressed
'.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', '.car',
// JVM compiled artifacts
'.jar', '.war', '.ear', '.class',
// Native binaries / object files
'.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb',
// Compiled Python
'.pyc', '.pyo', '.pyd',
// Office documents (binary; the agent can't meaningfully edit these as text)
'.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp',
// Image formats not handled by the multimodal read path
'.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif',
// Images handled by the multimodal read path — blocked for writes only.
// file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts).
'.png', '.jpg', '.jpeg', '.gif', '.webp',
// PDF — blocked for writes only; file_read routes to the PDF multimodal path.
'.pdf',
// Audio
'.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma',
// Video
'.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v',
// Fonts
'.ttf', '.otf', '.woff', '.woff2', '.eot',
// Databases
'.db', '.sqlite', '.sqlite3', '.mdb', '.accdb',
// Installers / disk images
'.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa',
// Design assets
'.psd', '.ai', '.sketch', '.fig'
] as const;
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts` around
lines 73 - 103, The BLOCKED_BINARY_EXTENSIONS array omits the `.car` packaged MI
deployment archive, allowing reads/writes that should be blocked; update the
BLOCKED_BINARY_EXTENSIONS constant (used by hasBlockedBinaryExtension and file
tools/sandboxes) to include '.car' among the archive/compressed extensions so
`.car` files are treated as blocked binary artifacts; keep the array as const
and preserve existing comment grouping and ordering for clarity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants