chore: switch default permission to allow and improve deny error messages

Made-with: Cursor

Author: ysyneu

cmd/main.go

@@ -175,8 +175,7 @@ func runRunner() error {
 		"workspace", cfg.WorkspaceRoot,
 	)
 
-	// Create permission checker with default deny-all policy
-	checker := permission.NewChecker(map[string]string{"*": "deny"})
+	checker := permission.NewChecker(map[string]string{"*": "allow"})
 
 	// Create workspace
 	wspace, err := workspace.New(cfg.WorkspaceRoot, checker)

permission/permission.go

@@ -136,12 +136,25 @@ func (c *Checker) evaluateRules(command string) (Action, string) {
 	return action, pattern
 }
 
-// denyError creates an appropriate error message for denied commands.
+// denyError creates an error message that lists denied patterns so callers
+// (especially LLM agents) know which commands are blocked and stop retrying.
 func (c *Checker) denyError(matchedPattern, command string) error {
-	if matchedPattern == "" {
-		return fmt.Errorf("command denied (no matching allow rule): %s", command)
+	denied := c.deniedPatterns()
+	if len(denied) == 0 {
+		return fmt.Errorf("command denied: %s", command)
 	}
-	return fmt.Errorf("command denied by rule '%s': %s", matchedPattern, command)
+	return fmt.Errorf("command denied: %s. Blocked command patterns: [%s]",
+		command, strings.Join(denied, ", "))
+}
+
+func (c *Checker) deniedPatterns() []string {
+	var patterns []string
+	for _, r := range c.rules {
+		if r.Action == ActionDeny {
+			patterns = append(patterns, r.Pattern)
+		}
+	}
+	return patterns
 }
 
 // matchPattern checks if a command matches a glob pattern.
@@ -163,10 +176,10 @@ func (c *Checker) IsAllowed(command string) bool {
 	return c.Check(command) == nil
 }
 
-// DefaultRules returns a set of safe default rules.
+// DefaultRules returns a set of default rules that trust model capabilities.
 func DefaultRules() map[string]string {
 	return map[string]string{
-		"*": "deny", // Deny all by default
+		"*": "allow",
 	}
 }
 

permission/permission_test.go

@@ -171,10 +171,10 @@ func TestDefaultRules(t *testing.T) {
 	rules := DefaultRules()
 	checker := NewChecker(rules)
 
-	// All commands should be denied by default
-	assert.False(t, checker.IsAllowed("ls"))
-	assert.False(t, checker.IsAllowed("cat /etc/passwd"))
-	assert.False(t, checker.IsAllowed("rm -rf /"))
+	// All commands should be allowed by default
+	assert.True(t, checker.IsAllowed("ls"))
+	assert.True(t, checker.IsAllowed("cat /etc/passwd"))
+	assert.True(t, checker.IsAllowed("rm -rf /"))
 }
 
 func TestSafeReadOnlyRules(t *testing.T) {

workspace/large_output.go

@@ -18,9 +18,7 @@ const (
 	// DefaultPreviewLines is the number of lines shown in the preview
 	DefaultPreviewLines = 20
 	// OutputsDir is the directory name for storing large outputs
-	OutputsDir = ".work/outputs"
-	// WorkDir is the base working directory
-	WorkDir = ".work"
+	OutputsDir = ".outputs"
 )
 
 // LargeOutputConfig holds configuration for large output handling.
@@ -105,13 +103,13 @@ func (p *LargeOutputProcessor) Process(ctx context.Context, content string, pref
 	}, nil
 }
 
-// ShouldSkipForWorkDir checks if large output processing should be skipped
-// for commands operating on .work/ directory to avoid circular processing.
-func ShouldSkipForWorkDir(command string) bool {
+// ShouldSkipForOutputsDir checks if large output processing should be skipped
+// for commands operating on .outputs/ directory to avoid circular processing.
+func ShouldSkipForOutputsDir(command string) bool {
 	readCommands := []string{"cat ", "head ", "tail ", "less ", "more ", "bat "}
 	for _, cmd := range readCommands {
 		if strings.Contains(command, cmd) {
-			if strings.Contains(command, WorkDir+"/") || strings.Contains(command, WorkDir+"\\") {
+			if strings.Contains(command, OutputsDir+"/") || strings.Contains(command, OutputsDir+"\\") {
 				return true
 			}
 		}

workspace/workspace.go

@@ -363,8 +363,8 @@ func (w *Workspace) Bash(ctx context.Context, args *protocol.BashArgs) (*protoco
 		return result, err
 	}
 
-	// Skip large output processing for .work/ directory reads
-	if ShouldSkipForWorkDir(args.Command) {
+	// Skip large output processing for .outputs/ directory reads
+	if ShouldSkipForOutputsDir(args.Command) {
 		result.TotalSize = int64(len(result.Stdout))
 		return result, nil
 	}

ws/client.go

@@ -31,11 +31,14 @@ const (
 	pongWait = 60 * time.Second
 
 	// Maximum reconnect attempts
-	maxReconnectAttempts = 10
+	maxReconnectAttempts = 30
 
-	// Initial reconnect delay
+	// Initial reconnect delay (used for first few attempts)
 	initialReconnectDelay = 1 * time.Second
 
+	// Fast retry attempts before switching to exponential backoff
+	fastRetryAttempts = 15
+
 	// Maximum reconnect delay
 	maxReconnectDelay = 5 * time.Minute
 )
@@ -217,10 +220,16 @@ func (c *Client) RunWithReconnect(ctx context.Context) error {
 			case <-time.After(delay):
 			}
 
-			// Exponential backoff
-			delay *= 2
-			if delay > maxReconnectDelay {
-				delay = maxReconnectDelay
+			// Fast retry phase: use fixed delay for first few attempts
+			// This helps quickly detect when server comes back online after restart
+			if attempt < fastRetryAttempts {
+				delay = initialReconnectDelay
+			} else {
+				// Exponential backoff after fast retry phase
+				delay *= 2
+				if delay > maxReconnectDelay {
+					delay = maxReconnectDelay
+				}
 			}
 			continue
 		}