let mng ask read the source code#827
Draft
evgunter wants to merge 6 commits intomng/headless-claudefrom
Draft
Conversation
… headless-claude) Re-implements the source access and web access features on top of the headless-claude branch which replaced SubprocessClaudeBackend with HeadlessClaudeBackend. Changes: - Add _find_mng_source_directory to locate the mng source tree - Add _build_source_access_context to enrich the system prompt with source code directory information - Add _build_web_access_context for GitHub repository access context - Configure headless claude agent with Read/Glob/Grep tools (and optionally WebFetch) instead of empty tool list - Add --allowedTools and --permission-mode dontAsk to agent args - Add --allow-web CLI flag - Extract _run_ask_query for system prompt assembly and dispatch https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
evgunter
changed the title
…missionsAgentMixin - Path-scope Read, Glob, Grep tools to the mng source directory via --allowedTools "Read(//path/**)" syntax, preventing the ask agent from reading arbitrary files on the machine. - When source directory is not found (installed package), these tools are omitted entirely rather than granted unrestricted access. - Extract _build_read_only_tools_and_permissions() to build both the --tools CSV and --allowedTools args in one place. - Rename NoPermissionsAgentMixin -> SafePermissionsAgentMixin to accurately reflect that these agents may have permissions, but they are safe enough to skip user confirmation. https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
Previously the function walked up to parents[3] and checked for imbue/mng/, which incorrectly matched site-packages/ when mng was installed as a package (scoping the agent to all of site-packages). Now distinguishes source checkouts (pyproject.toml present) from installed packages. For source checkouts, returns the project root (includes docs/). For installed packages, returns the imbue/ directory (scopes to just the mng source). Also fixes _build_source_access_context to compute the mng package path relative to whichever root was returned, avoiding doubled imbue/imbue/mng paths. https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
Instead of scoping Read/Glob/Grep to just the mng project root, discover all sibling libraries under libs/ that have pyproject.toml and an imbue/ directory. This includes mng plugins (mng_opencode, mng_schedule, etc.) and dependency libraries (imbue_common, concurrency_group, etc.). For installed packages (non-editable), all packages merge under a single imbue/ directory in site-packages, so a single scope suffices. Each discovered directory gets its own --allowedTools scope entries. Adds test_find_source_checkout_directories_includes_all_monorepo_libs which verifies that every libs/ package with pyproject.toml and imbue/ is discovered, ensuring new packages are automatically included. https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
…irectories Replace _find_source_checkout_directories filesystem scan with a hard-coded _MONOREPO_PACKAGE_DIRS tuple that lists the dir_name of every publishable package. This is validated by a sync test against scripts/utils.py PACKAGES. https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
Installs mng and all published plugins from PyPI into a temporary venv, then verifies the directory layout is correctly detected as an installed (non-source-checkout) environment with all packages under site-packages/imbue/. https://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
mng askread-only access to the mng source code via Read, Glob, and Grep tools (previously it had no tools at all), so it can look up implementation details when answering questions--allow-webflag that additionally enables WebFetch restricted togithub.comandraw.githubusercontent.com, for reading issues/PRs/docs from the repo_run_ask_queryso the source-access and web-access context sections are composed in one placeDetails
The headless claude agent previously ran with
--tools ""(no tools). This changes it to:--tools "Read,Glob,Grep"with--allowedTools Read,Glob,Grepand--permission-mode dontAsk--allow-web: additionally includesWebFetchin the tool list, restricted to GitHub domains via--allowedTools "WebFetch(domain:github.com)"and--allowedTools "WebFetch(domain:raw.githubusercontent.com)"The system prompt is enriched with the on-disk source tree location (auto-detected by walking up from
ask.py) and, when--allow-webis set, a note about the available GitHub access.Test plan
_find_mng_source_directoryfinds the source tree and returns None when not in the tree_build_source_access_contextincludes/omits docs directory based on existence_build_web_access_contextincludes GitHub info_run_ask_querycomposes source context always, web context only when enabled--allow-webCLI flag is acceptedhttps://claude.ai/code/session_01P6ioKexZAqMkD4vv16BxXi