Skip to content

UI upgraded to Ink with fixed positions and more UX tweaks #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jasonkneen wants to merge 1 commit into
base: main
Choose a base branch
from
Open

UI upgraded to Ink with fixed positions and more UX tweaks #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .claude/settings.local.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"permissions": {
"allow": ["Bash(bun run format:*)", "Bash(node -e:*)", "Bash(node -p:*)"],
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Restrict node -e and node -p patterns or move to ask array.

The node -e:* and node -p:* patterns are overly permissive. The -e and -p flags allow arbitrary JavaScript code execution, and the * wildcard places no constraints on what code can run. This creates a significant attack surface if Claude or an AI assistant executes these commands during development.

Recommended actions:

  1. If these commands are essential for your workflow, move them to the ask array to require user confirmation before execution.
  2. If possible, replace the wildcards with more specific patterns, e.g., node -e:console.log(*) or other restricted code patterns.
  3. Document why these broad permissions are necessary for the project.

Clarify: Is this configuration file intended only for local development, and will it be committed to the repository? If yes, consider the security implications for other developers who clone the repo.

🏁 Script executed:

#!/bin/bash
# Examine the .claude/settings.local.json file
echo "=== File content ==="
cat .claude/settings.local.json 2>/dev/null || echo "File not found"

echo ""
echo "=== Check if file is in .gitignore ==="
if [ -f .gitignore ]; then
  grep -n "settings.local.json" .gitignore || echo "Not found in .gitignore"
  grep -n "\.claude/" .gitignore || echo ".claude/ not excluded"
else
  echo ".gitignore not found"
fi

echo ""
echo "=== Check .claude directory structure ==="
find .claude -type f 2>/dev/null | head -20

echo ""
echo "=== Check for README or documentation ==="
find . -maxdepth 3 -name "*README*" -o -name "*readme*" 2>/dev/null | head -10

Length of output: 368

🏁 Script executed:

#!/bin/bash
# Check README for documentation on .claude settings
echo "=== Searching README.md for claude/settings references ==="
grep -i -n "claude\|settings\|permissions\|node -e\|node -p" ./README.md || echo "No matches found"

echo ""
echo "=== Full README.md content (first 100 lines) ==="
head -100 ./README.md

Length of output: 4361

Remove or restrict node -e:* and node -p:* patterns in version-controlled configuration.

The .claude/settings.local.json file is committed to version control and shared with all repository contributors. The patterns Bash(node -e:*) and Bash(node -p:*) allow arbitrary JavaScript code execution without restrictions, contradicting the project's stated security model ("Command whitelisting - Only safe shell commands allowed").

Required actions:

  1. Move these patterns to the ask array to require user confirmation, or remove them entirely if not essential.
  2. If these patterns are necessary, add documented justification explaining the security implications.
  3. Consider more restrictive patterns or specific use cases instead of wildcards.

The file being shared across all developers amplifies the risk surface.

🤖 Prompt for AI Agents 
In .claude/settings.local.json around line 3, the allow list currently includes
overly broad patterns "Bash(node -e:*)" and "Bash(node -p:*)" which permit
arbitrary JS execution in a version-controlled file; remove these patterns or
move them from "allow" into the "ask" array so they require user confirmation,
or replace them with narrow, specific command patterns; if you must keep them,
add a short documented justification adjacent in the file explaining the
security tradeoffs and restrict the wildcard to minimal necessary use cases.

"deny": [],
"ask": []
}
}
8 changes: 7 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,8 @@ bun run dev
### 2. Use the CLI
```bash
# Global command (after setup)
coder --interactive # Interactive mode (recommended)
coder --interactive # Ink-powered TUI (recommended)
coder --classic --interactive # Legacy prompt-based UI
coder "What files are in this project?"
coder "Create a FastAPI server with authentication"

Expand Down Expand Up @@ -146,13 +147,18 @@ coding assistance. It features a hybrid architecture where...

## 🎨 CLI Features

- **Ink TUI** – split-pane interface with streaming responses, session sidebar, and slash-command hints (default `coder --interactive`)
- **Classic Mode** – run `coder --classic --interactive` for the original prompt-based flow

### 🔧 Interactive Commands
- `/help` - Show available commands and examples
- `/clear` - Clear screen and show header
- `/session` - Start new conversation session
- `/context` - Show current work context and goals
- `/diff` - Show git diff with beautiful formatting
- `/quit` - Exit gracefully
- `!<cmd>` - Run a local shell command without the AI
- `/` - Autocomplete slash commands, `@` to browse files inline

### 🎯 Smart Features
- **Project Detection** - Auto-detects git repos, package.json, pyproject.toml
Expand Down
10 changes: 6 additions & 4 deletions agentuity.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@
# ------------------------------------------------

# The version semver range required to run this project
version: ">=0.0.148"
version: '>=0.0.148'
# The ID of the project which is automatically generated
project_id: proj_e486cfa66f59ea194efbf702bdea36cb
project_id: proj_07c920f6ef76a3be2f227d6d30c17427
# The name of the project which is editable
name: CodingAgent
name: agent-coder-new
# The description of the project which is editable
description: ""
# The development configuration for the project
Expand Down Expand Up @@ -69,5 +69,7 @@ bundler:
- src/**
# The agents that are part of this project
agents:
- id: agent_3918f7879297cf4159ea3d23b54f835b
- # The ID of the Agent which is automatically generated
id: agent_6a545da0967300ece00e2cc451546250
# The name of the Agent which is editable
name: CloudCoder
Loading