Automatic Sync: Merge changes from stable/mi to main#2315
Conversation
Replace VALID_FILE_EXTENSIONS / VALID_SPECIAL_FILE_NAMES with BLOCKED_BINARY_EXTENSIONS so the agent can read/write any text file (including extensionless ones like Dockerfile, Makefile, .gitignore) while still blocking archives, executables, office docs, images, etc. Shell sandbox now enforces the same deny-list on mutation paths. The @-mention picker keeps its own short UX allow-list, decoupled from the security gate. Also enable XML validation for .dbs data services.
Trim filePath in getReadFileKind() to keep classification consistent with validateReadableFilePath(), and update shell sandbox error message to accurately describe all mutation types (write/edit/delete/rename).
Loads a root-level AGENTS.md (CLAUDE.md / Cursor convention) as a tracked context block. Re-injected only on content drift via the existing session-context hash system, so it does not waste tokens every turn. Files over 30 KB are truncated before being shipped to the model. The block carries an explicit truncation banner so the agent knows context is missing (and can file_read the tail on demand), and a persistent in-chat warning segment tells the user. Truncation warnings fire only when the block is actually being injected, so an unchanged large file does not re-warn each turn.
- agent.ts: make `saveAgentsMdWarning` failure non-fatal. The live event still fires so the user sees the warning this turn; only the JSONL replay across reconnects is sacrificed on persistence failure. - prompt.ts: neutralize embedded `<system-reminder>` / `<user_query>` tags in user-authored AGENTS.md so they can't break out of the surrounding envelope. Replaces the angle brackets with U+27E8 / U+27E9. - prompt.ts: fix the `SessionContextBlockHashes.agentsMd` doc comment to describe what the code actually hashes (surfaced bytes + truncation metadata) instead of the old "full untruncated raw bytes" claim. - AIChatFooter.tsx: splice the warning before the optimistic streaming placeholder. Appending at the end displaced the placeholder, causing subsequent content_block / thinking_* events to land in the warning bubble instead of the assistant message. - eventToMessageConverter.ts: drop `(event as any)` cast now that `warningMessage` is a typed field on AgentEvent / ChatHistoryEvent.
Instruct agent-mode to flip pom.xml <packaging> to jar and declare synapse-core when creating a class mediator, otherwise the CApp ships without the compiled jar and deployment silently fails. Fixes wso2/product-integrator#1631
file_write and file_edit now append a <system-reminder> to the tool result whenever the touched file is a class mediator java source (src/main/java/**/*.java), telling the agent to verify root pom.xml packaging is "jar" and synapse-core is declared. The prompt-level guideline alone can be missed; a per-tool reminder makes it harder to skip. Related to wso2/product-integrator#1631
Read the project root pom.xml and skip the class mediator reminder when <packaging>jar</packaging> is already set, so the agent is not prompted to fix something that is already correct. When packaging is something else (typically the default "pom"), the reminder reports the current value to make the required change unambiguous.
Prepare for the MI 4.0.2 release
…ging Fix copilot-created class mediators not packed in CApp
- Clarify file_read offset/limit are line-based in AGENTS.md guidance - Use Math.ceil for KB rounding and improve truncation warning copy - Add aria-hidden to decorative warning icon - Dedup context_warning on panel reconnect/event replay
Mirror the POSIX shell sandbox check so the agent cannot mutate foo.jar, foo.dll, etc. via PowerShell on Windows.
Switch agent file tools to a binary deny-list
Fix trivy detected vulnerabilities
Sync latest changes from release/mi-4.0.2
Merge "micro-integrator-4.0.2" into "stable/mi"
📝 WalkthroughWalkthroughThis PR adds AGENTS.md truncation warning detection to the agent copilot system, replaces file-extension validation with a deny-list safety policy, and updates axios/tmp dependencies. The feature detects when injected project instructions are truncated, persists warnings to chat history, and displays them in the UI. File tooling and shell sandboxes now block mutations targeting binary extensions. ChangesDependency Version Updates
AGENTS.md Context Warning Feature
Binary File Deny-List Safety Policy
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
|
There was a problem hiding this comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts (1)
1263-1301:⚠️ Potential issue | 🟠 Major | ⚡ Quick winThis binary-path block misses common bare-filename mutations.
blockedBinaryMutationPathsonly checkswritePathTokens, but the current extractor does not put plain filenames likefoo.jarorlogo.pngthere for many POSIX mutations. Commands such asrm foo.jar,touch logo.png, ortruncate -s 0 app.wartherefore drop to approval instead of being hard-blocked.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts` around lines 1263 - 1301, The binary-path blocking currently only inspects writePathTokens (via blockedBinaryMutationPaths) and misses plain filenames extracted elsewhere; update the logic to also check other mutation path sources (e.g., disallowedMutationPaths and resolvedMutationPaths) for blocked binary extensions: for each candidate path or token use hasDynamicShellExpansion(path) to skip dynamic tokens and hasBlockedBinaryExtension(path.basename(path)) to detect binaries, then merge those results into blockedBinaryMutationPaths (or a unified blockedBinaryCandidates) so commands like "rm foo.jar" or "touch logo.png" are correctly hard-blocked.
🧹 Nitpick comments (1)
workspaces/mi/mi-extension/CHANGELOG.md (1)
9-9: 💤 Low valueConsider hyphenating compound adjective.
"Copilot created class mediators" should be "Copilot-created class mediators" when used as a compound adjective modifying "class mediators".
✏️ Suggested grammar fix
-Fixed: Copilot created class mediators are not getting packed in the CApp ([`#1631`](https://github.com/wso2/product-integrator/issues/1631)) +Fixed: Copilot-created class mediators are not getting packed in the CApp ([`#1631`](https://github.com/wso2/product-integrator/issues/1631))🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@workspaces/mi/mi-extension/CHANGELOG.md` at line 9, Change the phrase "Copilot created class mediators" to the hyphenated compound adjective "Copilot-created class mediators" in the CHANGELOG entry; locate the exact string "Copilot created class mediators" in the file and replace it so the adjective correctly modifies "class mediators" as "Copilot-created class mediators".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`:
- Around line 923-925: truncationFooter currently includes an explicit "Inform
the user..." directive which duplicates the runtime context_warning emitted by
agent.ts when snapshot.agentsMdTruncated is true; remove that instructional
sentence so truncationFooter (defined near AGENTS_MD_MAX_BYTES and
snapshot.agentsMdTruncated) only reports the truncation and sizes (e.g., "[file
truncated — original size: X KB, showing first Y KB]") and does not tell the
assistant to notify the user, avoiding a second truncation notice.
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts`:
- Around line 151-154: The AGENTS.md reminder currently is treated as overriding
system defaults; change the merge/apply logic so that a "<system-reminder>"
titled "Project AGENTS.md" is only allowed to augment project conventions/task
guidance and never override safety-critical system rules: in the code that
processes reminders (look for the branch handling the "Project AGENTS.md" title
or the "<system-reminder>" handler), merge AGENTS.md entries after enforcing
base safety rules, add a conflict-check that preserves safety-critical keys and
emits a warning/log when AGENTS.md attempts to change them, and ensure any
precedence comments/documentation reflect that AGENTS.md cannot relax
confirmation, privacy, or tool-use constraints.
In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`:
- Around line 902-918: The mutation path check only inspects
extractedPathTokens.mutationPathTokens so bare filenames in
extractedPathTokens.unresolvedPathLikeTokens bypass the deny-list; update the
logic that computes blockedBinaryMutationPaths to include
unresolvedPathLikeTokens as well (e.g., combine mutationPathTokens and
unresolvedPathLikeTokens before dedupe/filter), still applying
stripWrappingQuotes and hasBlockedBinaryExtension(path.win32.basename(...)) to
each token; ensure the rest of the block (setting blocked = true and pushing the
reasons message) remains using the now-combined deduped list so plain filenames
like "foo.jar" are correctly blocked.
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts`:
- Around line 73-103: The BLOCKED_BINARY_EXTENSIONS array omits the `.car`
packaged MI deployment archive, allowing reads/writes that should be blocked;
update the BLOCKED_BINARY_EXTENSIONS constant (used by hasBlockedBinaryExtension
and file tools/sandboxes) to include '.car' among the archive/compressed
extensions so `.car` files are treated as blocked binary artifacts; keep the
array as const and preserve existing comment grouping and ordering for clarity.
---
Outside diff comments:
In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.ts`:
- Around line 1263-1301: The binary-path blocking currently only inspects
writePathTokens (via blockedBinaryMutationPaths) and misses plain filenames
extracted elsewhere; update the logic to also check other mutation path sources
(e.g., disallowedMutationPaths and resolvedMutationPaths) for blocked binary
extensions: for each candidate path or token use hasDynamicShellExpansion(path)
to skip dynamic tokens and hasBlockedBinaryExtension(path.basename(path)) to
detect binaries, then merge those results into blockedBinaryMutationPaths (or a
unified blockedBinaryCandidates) so commands like "rm foo.jar" or "touch
logo.png" are correctly hard-blocked.
---
Nitpick comments:
In `@workspaces/mi/mi-extension/CHANGELOG.md`:
- Line 9: Change the phrase "Copilot created class mediators" to the hyphenated
compound adjective "Copilot-created class mediators" in the CHANGELOG entry;
locate the exact string "Copilot created class mediators" in the file and
replace it so the adjective correctly modifies "class mediators" as
"Copilot-created class mediators".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: d78287b4-e64b-45a5-9930-f9e7422df55d
⛔ Files ignored due to path filters (1)
common/config/rush/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (26)
common/config/rush/.pnpmfile.cjspackage.jsonworkspaces/api-designer/api-designer-extension/package.jsonworkspaces/ballerina/ballerina-extension/package.jsonworkspaces/choreo/choreo-extension/package.jsonworkspaces/mi/mi-core/src/rpc-types/agent-mode/types.tsworkspaces/mi/mi-extension/CHANGELOG.mdworkspaces/mi/mi-extension/package.jsonworkspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/agent.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/chat-history-manager.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/context/synapse_guide_old.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/tools/file_tools.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.tsworkspaces/mi/mi-extension/src/ai-features/agent-mode/tools/validation-utils.tsworkspaces/mi/mi-extension/src/rpc-managers/agent-mode/rpc-manager.tsworkspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatFooter.tsxworkspaces/mi/mi-visualizer/src/views/AIPanel/component/AIChatMessage.tsxworkspaces/mi/mi-visualizer/src/views/AIPanel/component/ContextWarningSegment.tsxworkspaces/mi/mi-visualizer/src/views/AIPanel/utils.tsworkspaces/mi/mi-visualizer/src/views/AIPanel/utils/eventToMessageConverter.tsworkspaces/wso2-platform/wso2-platform-extension/package.json
| const truncationFooter = snapshot.agentsMdTruncated | ||
| ? `\n\n[file truncated — original size: ${Math.round(snapshot.agentsMdOriginalSize / 1024)} KB, showing first ${Math.round(AGENTS_MD_MAX_BYTES / 1024)} KB. Inform the user that their AGENTS.md exceeds the size limit and any rules beyond this point are NOT in your context.]` | ||
| : ''; |
There was a problem hiding this comment.
Avoid a second truncation notice here.
agent.ts already emits a dedicated context_warning event whenever a truncated AGENTS.md block is injected. Keeping the “Inform the user…” directive in this footer means the runtime warning and the assistant reply can both surface the same notice in the same turn.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/prompt.ts`
around lines 923 - 925, truncationFooter currently includes an explicit "Inform
the user..." directive which duplicates the runtime context_warning emitted by
agent.ts when snapshot.agentsMdTruncated is true; remove that instructional
sentence so truncationFooter (defined near AGENTS_MD_MAX_BYTES and
snapshot.agentsMdTruncated) only reports the truncation and sizes (e.g., "[file
truncated — original size: X KB, showing first Y KB]") and does not tell the
assistant to notify the user, avoiding a second truncation notice.
| ## Project AGENTS.md | ||
| - If a \`<system-reminder>\` titled \`# Project AGENTS.md\` is present in this turn or any prior turn, treat its contents as user-authored project-level instructions that augment this system prompt and override defaults where they conflict. | ||
| - AGENTS.md content is re-sent only when it changes; an absent reminder means either no \`AGENTS.md\` exists at the project root, or its content is unchanged since the last time it was injected — assume the prior content is still in effect. | ||
| - If the reminder ends with a \`[file truncated — ...]\` notice, rules beyond the cut are NOT in your persistent context. When a user request plausibly depends on rules past the cut, read \`AGENTS.md\` on demand with ${FILE_READ_TOOL_NAME}; its \`offset\`/\`limit\` options are line-based, so use them to fetch a specific section when needed. Do not pre-fetch — only read when the task actually needs it. Also tell the user once that AGENTS.md exceeds the in-context size limit and ask them to shorten the file (or split it into multiple smaller instruction files) so the full set stays in context every turn. |
There was a problem hiding this comment.
Keep AGENTS.md below safety-critical system rules.
This now tells the model that auto-loaded workspace AGENTS.md instructions override conflicting system defaults. Because AGENTS.md is pulled from the repo automatically, that lets repository content relax confirmation, privacy, or tool-use constraints without an explicit user decision. Please scope AGENTS.md precedence to project conventions/task guidance and keep base safety rules authoritative.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/agents/main/system.ts`
around lines 151 - 154, The AGENTS.md reminder currently is treated as
overriding system defaults; change the merge/apply logic so that a
"<system-reminder>" titled "Project AGENTS.md" is only allowed to augment
project conventions/task guidance and never override safety-critical system
rules: in the code that processes reminders (look for the branch handling the
"Project AGENTS.md" title or the "<system-reminder>" handler), merge AGENTS.md
entries after enforcing base safety rules, add a conflict-check that preserves
safety-critical keys and emits a warning/log when AGENTS.md attempts to change
them, and ensure any precedence comments/documentation reflect that AGENTS.md
cannot relax confirmation, privacy, or tool-use constraints.
| // Mirror the POSIX analyzer: block mutations targeting binary file paths | ||
| // (matches the file-tool deny-list). Basename is compared case-insensitively | ||
| // via `hasBlockedBinaryExtension`. We use `path.win32.basename` to handle | ||
| // both `/` and `\` separators in PowerShell tokens. | ||
| const blockedBinaryMutationPaths = dedupe( | ||
| extractedPathTokens.mutationPathTokens.filter( | ||
| (token) => hasBlockedBinaryExtension(path.win32.basename(stripWrappingQuotes(token))) | ||
| ) | ||
| ); | ||
| if (blockedBinaryMutationPaths.length > 0) { | ||
| blocked = true; | ||
| reasons.push( | ||
| `Mutating binary file paths is blocked (write/edit/delete/rename; matches the file-tool deny-list). ` + | ||
| `Blocked path(s): ${blockedBinaryMutationPaths.join(', ')}. ` + | ||
| `Use directory-level operations (e.g. \`Remove-Item -Recurse dist\`) instead of targeting binary files by name.` | ||
| ); | ||
| } |
There was a problem hiding this comment.
Bare filenames bypass the PowerShell binary deny-list.
This check only sees mutationPathTokens, but plain filenames like foo.jar are currently classified into unresolvedPathLikeTokens instead. So Remove-Item foo.jar / Set-Content logo.png ... end up approval-gated rather than blocked, which breaks parity with the intended hard deny-list.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/shell_sandbox_powershell.ts`
around lines 902 - 918, The mutation path check only inspects
extractedPathTokens.mutationPathTokens so bare filenames in
extractedPathTokens.unresolvedPathLikeTokens bypass the deny-list; update the
logic that computes blockedBinaryMutationPaths to include
unresolvedPathLikeTokens as well (e.g., combine mutationPathTokens and
unresolvedPathLikeTokens before dedupe/filter), still applying
stripWrappingQuotes and hasBlockedBinaryExtension(path.win32.basename(...)) to
each token; ensure the rest of the block (setting blocked = true and pushing the
reasons message) remains using the now-combined deduped list so plain filenames
like "foo.jar" are correctly blocked.
| export const BLOCKED_BINARY_EXTENSIONS = [ | ||
| // Archives / compressed | ||
| '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', | ||
| // JVM compiled artifacts | ||
| '.jar', '.war', '.ear', '.class', | ||
| // Native binaries / object files | ||
| '.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb', | ||
| // Compiled Python | ||
| '.pyc', '.pyo', '.pyd', | ||
| // Office documents (binary; the agent can't meaningfully edit these as text) | ||
| '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp', | ||
| // Image formats not handled by the multimodal read path | ||
| '.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif', | ||
| // Images handled by the multimodal read path — blocked for writes only. | ||
| // file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts). | ||
| '.png', '.jpg', '.jpeg', '.gif', '.webp', | ||
| // PDF — blocked for writes only; file_read routes to the PDF multimodal path. | ||
| '.pdf', | ||
| // Audio | ||
| '.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma', | ||
| // Video | ||
| '.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v', | ||
| // Fonts | ||
| '.ttf', '.otf', '.woff', '.woff2', '.eot', | ||
| // Databases | ||
| '.db', '.sqlite', '.sqlite3', '.mdb', '.accdb', | ||
| // Installers / disk images | ||
| '.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa', | ||
| // Design assets | ||
| '.psd', '.ai', '.sketch', '.fig' | ||
| ] as const; |
There was a problem hiding this comment.
Block .car artifacts in the shared deny-list.
.car files are packaged MI deployment archives, but this list leaves them text-readable/writable. Because hasBlockedBinaryExtension is reused by the file tools and both shell sandboxes, the current policy still allows corrupting a core archive type even though this change is meant to block archives.
Proposed fix
export const BLOCKED_BINARY_EXTENSIONS = [
// Archives / compressed
- '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst',
+ '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', '.car',📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| export const BLOCKED_BINARY_EXTENSIONS = [ | |
| // Archives / compressed | |
| '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', | |
| // JVM compiled artifacts | |
| '.jar', '.war', '.ear', '.class', | |
| // Native binaries / object files | |
| '.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb', | |
| // Compiled Python | |
| '.pyc', '.pyo', '.pyd', | |
| // Office documents (binary; the agent can't meaningfully edit these as text) | |
| '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp', | |
| // Image formats not handled by the multimodal read path | |
| '.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif', | |
| // Images handled by the multimodal read path — blocked for writes only. | |
| // file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts). | |
| '.png', '.jpg', '.jpeg', '.gif', '.webp', | |
| // PDF — blocked for writes only; file_read routes to the PDF multimodal path. | |
| '.pdf', | |
| // Audio | |
| '.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma', | |
| // Video | |
| '.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v', | |
| // Fonts | |
| '.ttf', '.otf', '.woff', '.woff2', '.eot', | |
| // Databases | |
| '.db', '.sqlite', '.sqlite3', '.mdb', '.accdb', | |
| // Installers / disk images | |
| '.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa', | |
| // Design assets | |
| '.psd', '.ai', '.sketch', '.fig' | |
| ] as const; | |
| export const BLOCKED_BINARY_EXTENSIONS = [ | |
| // Archives / compressed | |
| '.zip', '.tar', '.gz', '.tgz', '.bz2', '.tbz2', '.7z', '.rar', '.xz', '.lz', '.lzma', '.zst', '.car', | |
| // JVM compiled artifacts | |
| '.jar', '.war', '.ear', '.class', | |
| // Native binaries / object files | |
| '.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.lib', '.obj', '.pdb', | |
| // Compiled Python | |
| '.pyc', '.pyo', '.pyd', | |
| // Office documents (binary; the agent can't meaningfully edit these as text) | |
| '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods', '.odp', | |
| // Image formats not handled by the multimodal read path | |
| '.bmp', '.tiff', '.tif', '.ico', '.heic', '.heif', '.avif', | |
| // Images handled by the multimodal read path — blocked for writes only. | |
| // file_read special-cases these (see READ_IMAGE_EXTENSIONS in file_tools.ts). | |
| '.png', '.jpg', '.jpeg', '.gif', '.webp', | |
| // PDF — blocked for writes only; file_read routes to the PDF multimodal path. | |
| '.pdf', | |
| // Audio | |
| '.mp3', '.wav', '.flac', '.ogg', '.aac', '.m4a', '.wma', | |
| // Video | |
| '.mp4', '.mov', '.avi', '.mkv', '.webm', '.flv', '.wmv', '.mpeg', '.mpg', '.m4v', | |
| // Fonts | |
| '.ttf', '.otf', '.woff', '.woff2', '.eot', | |
| // Databases | |
| '.db', '.sqlite', '.sqlite3', '.mdb', '.accdb', | |
| // Installers / disk images | |
| '.iso', '.dmg', '.deb', '.rpm', '.msi', '.pkg', '.apk', '.ipa', | |
| // Design assets | |
| '.psd', '.ai', '.sketch', '.fig' | |
| ] as const; |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@workspaces/mi/mi-extension/src/ai-features/agent-mode/tools/types.ts` around
lines 73 - 103, The BLOCKED_BINARY_EXTENSIONS array omits the `.car` packaged MI
deployment archive, allowing reads/writes that should be blocked; update the
BLOCKED_BINARY_EXTENSIONS constant (used by hasBlockedBinaryExtension and file
tools/sandboxes) to include '.car' among the archive/compressed extensions so
`.car` files are treated as blocked binary artifacts; keep the array as const
and preserve existing comment grouping and ordering for clarity.
This PR syncs changes from stable/mi to the main branch.
Automated PR created by GitHub Actions.
Summary by CodeRabbit
Release Notes
New Features
Bug Fixes
Chores