refactor(pi-extension): remove bash regex gating, use prompt-based guidance

Delete DESTRUCTIVE_PATTERNS and isDestructiveCommand() from utils.ts.
Remove bash interception from tool_call handler. Bash is now unrestricted
during planning — the system prompt guides the agent not to run destructive
commands. Write/edit file restrictions to the plan file remain enforced.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: backnotprop

apps/pi-extension/README.md

@@ -104,7 +104,7 @@ The extension manages a state machine: **idle** → **planning** → **executing
 
 During **planning**:
 - All tools from other extensions remain available
-- Bash blocks destructive commands (rm, git push, npm install, etc.) but allows read-only and web fetching (curl, wget)
+- Bash is unrestricted — the agent is guided by the system prompt not to run destructive commands
 - Writes and edits restricted to the plan file only
 
 During **executing**:

apps/pi-extension/index.ts

@@ -10,7 +10,7 @@
  * - /plannotator command or Ctrl+Alt+P to toggle
  * - --plan flag to start in planning mode
  * - --plan-file flag to customize the plan file path
- * - Bash restricted (destructive commands blocked) during planning
+ * - Bash unrestricted during planning (prompt-guided)
  * - Write restricted to plan file only during planning
  * - exit_plan_mode tool with browser-based visual approval
  * - [DONE:n] markers for execution progress tracking
@@ -26,7 +26,7 @@ import type { AssistantMessage, TextContent } from "@mariozechner/pi-ai";
 import { Type } from "@mariozechner/pi-ai";
 import type { ExtensionAPI, ExtensionContext } from "@mariozechner/pi-coding-agent";
 import { Key } from "@mariozechner/pi-tui";
-import { isDestructiveCommand, markCompletedSteps, parseChecklist, type ChecklistItem } from "./utils.js";
+import { markCompletedSteps, parseChecklist, type ChecklistItem } from "./utils.js";
 import {
   startPlanReviewServer,
   startReviewServer,
@@ -76,7 +76,7 @@ export default function plannotator(pi: ExtensionAPI): void {
   // ── Flags ────────────────────────────────────────────────────────────
 
   pi.registerFlag("plan", {
-    description: "Start in plan mode (read-only exploration)",
+    description: "Start in plan mode (restricted exploration and planning)",
     type: "boolean",
     default: false,
   });
@@ -451,20 +451,10 @@ export default function plannotator(pi: ExtensionAPI): void {
 
   // ── Event Handlers ───────────────────────────────────────────────────
 
-  // Gate writes and bash during planning
+  // Gate writes during planning
   pi.on("tool_call", async (event, ctx) => {
     if (phase !== "planning") return;
 
-    if (event.toolName === "bash") {
-      const command = event.input.command as string;
-      if (isDestructiveCommand(command)) {
-        return {
-          block: true,
-          reason: `Plannotator: destructive command blocked during planning.\nCommand: ${command}`,
-        };
-      }
-    }
-
     if (event.toolName === "write") {
       const targetPath = resolve(ctx.cwd, event.input.path as string);
       const allowedPath = resolvePlanPath(ctx.cwd);
@@ -497,7 +487,9 @@ export default function plannotator(pi: ExtensionAPI): void {
           content: `[PLANNOTATOR - PLANNING PHASE]
 You are in plan mode. You MUST NOT make any changes to the codebase — no edits, no commits, no installs, no destructive commands. The ONLY file you may write to or edit is the plan file: ${planFilePath}.
 
-Available tools: read, bash (destructive commands are blocked; curl/wget for web fetching is allowed), grep, find, ls, write (${planFilePath} only), edit (${planFilePath} only), exit_plan_mode
+Available tools: read, bash, grep, find, ls, write (${planFilePath} only), edit (${planFilePath} only), exit_plan_mode
+
+Do not run destructive bash commands (rm, git push, npm install, etc.) — focus on reading and exploring the codebase. Web fetching (curl, wget) is fine.
 
 ## Iterative Planning Workflow
 

apps/pi-extension/utils.ts

@@ -1,41 +1,10 @@
 /**
  * Plannotator Pi extension utilities.
  *
- * Inlined versions of bash safety checks and checklist parsing.
+ * Checklist parsing and progress tracking helpers.
  * (No access to pi-mono's plan-mode/utils at runtime.)
  */
 
-// ── Bash Safety ──────────────────────────────────────────────────────────
-
-const DESTRUCTIVE_PATTERNS = [
-  /\brm\b/i, /\brmdir\b/i, /\bmv\b/i, /\bcp\b/i, /\bmkdir\b/i,
-  /\btouch\b/i, /\bchmod\b/i, /\bchown\b/i, /\bchgrp\b/i, /\bln\b/i,
-  /\btee\b/i, /\btruncate\b/i, /\bdd\b/i, /\bshred\b/i,
-  /(^|[^<])>(?!>)/, />>/,
-  /\bnpm\s+(install|uninstall|update|ci|link|publish)/i,
-  /\byarn\s+(add|remove|install|publish)/i,
-  /\bpnpm\s+(add|remove|install|publish)/i,
-  /\bpip\s+(install|uninstall)/i,
-  /\bapt(-get)?\s+(install|remove|purge|update|upgrade)/i,
-  /\bbrew\s+(install|uninstall|upgrade)/i,
-  /\bgit\s+(add|commit|push|pull|merge|rebase|reset|checkout|branch\s+-[dD]|stash|cherry-pick|revert|tag|init|clone)/i,
-  /\bsudo\b/i, /\bsu\b/i, /\bkill\b/i, /\bpkill\b/i, /\bkillall\b/i,
-  /\breboot\b/i, /\bshutdown\b/i,
-  /\bsystemctl\s+(start|stop|restart|enable|disable)/i,
-  /\bservice\s+\S+\s+(start|stop|restart)/i,
-  /\b(vim?|nano|emacs|code|subl)\b/i,
-];
-
-export function isDestructiveCommand(command: string): boolean {
-  // Strip safe fd redirects so `curl ... 2>/dev/null` and `2>&1` pass
-  const normalized = command
-    .replace(/\s+\d*>\s*\/dev\/null/g, "")
-    .replace(/\s+\d*>&\d+/g, "")
-    .replace(/\s+&>\s*\/dev\/null/g, "");
-
-  return DESTRUCTIVE_PATTERNS.some((p) => p.test(normalized));
-}
-
 // ── Checklist Parsing ────────────────────────────────────────────────────
 
 export interface ChecklistItem {