
s03_permission README: example "Delete all temporary files in /tmp" is incorrect — it triggers Gate 1 (deny) not Gate 2 #365

@DAWN47

Description


Summary

The s03_permission README currently states that the example "Delete all temporary files in /tmp" (bash + rm) will trigger Gate 2 (rule matching / user approval). This is incorrect: in practice that prompt leads the agent to generate a command that matches the Gate 1 deny-list substring and is therefore hard-rejected by Gate 1. It does not reach Gate 2.

What is wrong

  • README line (s03_permission/README.md):
    "2. Delete all temporary files in /tmp (bash + rm will trigger Gate 2)"
    This asserts Gate 2 will be triggered.

Why it's incorrect

  • In s03_permission/code.py, Gate 1 uses a substring-based deny list (e.g. "rm -rf /") and Gate 2 flags any bash command containing "rm ":

    DENY_LIST = ["rm -rf /", "sudo", "shutdown", "reboot", "mkfs", "dd if=", "> /dev/sda"]
    def check_deny_list(command: str) -> str | None:
        for pattern in DENY_LIST:
            if pattern in command:
                return f"Blocked: '{pattern}' is on the deny list"
        return None
    
    PERMISSION_RULES = [
        {"tools": ["bash"],
         "check": lambda args: any(kw in args.get("command", "") for kw in ["rm ", "> /etc/", "chmod 777"]),
         "message": "Potentially destructive command"},
    ]
  • Because Gate 1 is implemented as a substring check, many rm-based cleanup commands generated by the agent end up containing the deny substring ("rm -rf /") or other deny patterns, causing Gate 1 to block them before Gate 2 runs. The observed behavior is that the example prompt is blocked by Gate 1.

Reproduction

  1. Run python s03_permission/code.py in the repository.
  2. At the prompt, send: Delete all temporary files in /tmp.
  3. Observe the generated bash command (printed by the agent) and note it is blocked by Gate 1 (deny list) instead of asking for Gate 2 user approval.

Suggested fixes

  1. Update README example text to accurately reflect observed behavior. Suggested wording (Chinese):

    • Replace the second example with:
      "2. Delete all temporary files in /tmp (this is usually hard-rejected by Gate 1; to trigger Gate 2, use a prompt such as Delete the file test.txt that explicitly operates on only a single file inside the workspace)"

    • Or more concise:
      "2. Delete all temporary files in /tmp (may be intercepted by Gate 1; to demonstrate Gate 2, use Delete the file test.txt)"

  2. (Optional, recommended) Improve deny-list matching in s03_permission/code.py to reduce false positives:

    • Parse/normalize the shell command (e.g. with a simple tokenizer) and perform token-aware or regex word-boundary checks instead of raw substring containment.
    • Example approach: split command into tokens and check for an exact path token of / after rm -rf rather than checking for the substring "rm -rf /" anywhere in the command.
  3. Add a unit/integration test demonstrating both behaviors: one test where a safe local rm triggers Gate 2 and another where a root-targeting rm triggers Gate 1.

Files to edit

  • s03_permission/README.md — update the example list and explanatory sentence
  • s03_permission/code.py — (optional) make deny-list checking more precise

Why this matters

  • The README is used by readers and learners to understand the permission pipeline. Incorrect examples cause confusion and undermine trust in the teaching material. Making deny-list detection more robust reduces accidental hard-rejections and makes the pipeline behave more deterministically for intended prompts.

Request

Please update the README to correct the example and consider the optional code improvement. If you'd like, I can open a PR that updates the README and shows a suggested code change for token-aware deny checks.
