refactor: Enhance tool write protection and lower Bash requirement

- Add explicit write operation protection in intelligent-tools-strategy - Require MODE=write or MODE=auto for local codebase modifications - Default all tools to read-only analysis mode - Convert all Chinese text to English for consistency - Lower Bash version requirement from 4.0 to 2.0 in Install-Claude.sh - Align with install-remote.sh requirements - Improve compatibility with older systems 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-05 01:50:27 +08:00 · 2025-10-04 00:09:17 +08:00
parent 5c66e268ec
commit 4b578285ea
2 changed files with 32 additions and 22 deletions
--- a/.claude/workflows/intelligent-tools-strategy.md
+++ b/.claude/workflows/intelligent-tools-strategy.md
@@ -18,6 +18,7 @@ type: strategic-guideline
 - **Default to tools** - Use specialized tools for most coding tasks, no matter how small
 - **Lower barriers** - Engage tools immediately when encountering any complexity
 - **Context optimization** - Based on user intent, determine whether to use `-C [directory]` parameter for focused analysis to reduce irrelevant context import
+- **⚠️ Write operation protection** - For local codebase write/modify operations, require EXPLICIT user confirmation unless user provides clear instructions containing MODE=write or MODE=auto

 ### Quick Decision Rules
 1. **Exploring/Understanding?** → Start with Gemini
@@ -33,15 +34,19 @@ type: strategic-guideline
 - **Override When Needed**: Specify custom timeout for longer operations

 ### Permission Framework
- **Gemini/Qwen Write Access**: Use `--approval-mode yolo` when tools need to create/modify files
- **Codex Write Access**: Always use `-s danger-full-access` and `--skip-git-repo-check` for development and file operations
- **Auto-approval Protocol**: Enable automatic tool approvals for autonomous workflow execution
+- **⚠️ WRITE PROTECTION**: Local codebase write/modify requires EXPLICIT user confirmation
+  - **Analysis Mode (default)**: Read-only, safe for auto-execution
+  - **Write Mode**: Requires user explicitly states MODE=write or MODE=auto in prompt
+  - **Exception**: User provides clear instructions like "modify", "create", "implement"
+- **Gemini/Qwen Write Access**: Use `--approval-mode yolo` ONLY when MODE=write explicitly specified
+- **Codex Write Access**: Use `-s danger-full-access` and `--skip-git-repo-check` ONLY when MODE=auto explicitly specified
+- **Default Behavior**: All tools default to analysis/read-only mode without explicit write permission

 ## 🎯 Universal Command Template

 ### Standard Format (REQUIRED)
 ```bash
-# Gemini Analysis (全权限)
+# Gemini Analysis (read/write capable)
 cd [directory] && ~/.claude/scripts/gemini-wrapper -p "
 PURPOSE: [clear analysis goal]
 TASK: [specific analysis task]
@@ -51,7 +56,7 @@ EXPECTED: [expected output]
 RULES: [template reference and constraints]
 "

-# Qwen Architecture Analysis (仅分析)
+# Qwen Architecture Analysis (read-only analysis)
 cd [directory] && ~/.claude/scripts/qwen-wrapper -p "
 PURPOSE: [clear architecture goal]
 TASK: [specific analysis task]
@@ -84,16 +89,18 @@ RULES: [template reference and constraints]

 The MODE field controls execution behavior and file permissions:

-**For Gemini** (全权限，可读写):
- `analysis` (default) - 分析 + 可生成文档
- `write` - 创建/修改文件（自动启用 --approval-mode yolo）
+**For Gemini**:
+- `analysis` (default) - Read-only analysis and documentation generation
+- `write` - ⚠️ Create/modify codebase files (requires explicit specification, auto-enables --approval-mode yolo)

-**For Qwen** (仅分析):
- `analysis` (default) - 仅架构分析，不生成代码
+**For Qwen**:
+- `analysis` (default) - Architecture analysis only, no code generation/modification (read-only)
+- `write` - ⚠️ Code generation (requires explicit specification, disabled by default)

 **For Codex**:
- `auto` (default) - 自主开发，全文件操作
- `write` - 测试生成和文件修改
+- `auto` - ⚠️ Autonomous development with full file operations (requires explicit specification, enables -s danger-full-access)
+- `write` - ⚠️ Test generation and file modification (requires explicit specification)
+- **Default**: No default mode, MODE must be explicitly specified

 ### Directory Context
 Tools execute in current working directory:
@@ -235,26 +242,29 @@ For every development task:

 ## 🎯 Key Features

-### Gemini (全权限)
+### Gemini
 - **Command**: `~/.claude/scripts/gemini-wrapper`
 - **Strengths**: Large context window, pattern recognition
 - **Best For**: Analysis, documentation generation, code exploration
- **Permissions**: 可读写，MODE=write 时自动启用 --approval-mode yolo
- **Default MODE**: `analysis`
+- **Permissions**: Default read-only analysis, MODE=write requires explicit specification (auto-enables --approval-mode yolo)
+- **Default MODE**: `analysis` (read-only)
+- **⚠️ Write Trigger**: Only when user explicitly requests "generate documentation", "modify code", or specifies MODE=write

-### Qwen (仅分析)
+### Qwen
 - **Command**: `~/.claude/scripts/qwen-wrapper`
 - **Strengths**: Architecture analysis, pattern recognition
 - **Best For**: System design analysis, architectural review
- **Permissions**: 仅分析，不生成代码
- **Default MODE**: `analysis`
+- **Permissions**: Architecture analysis only, no automatic code generation
+- **Default MODE**: `analysis` (read-only)
+- **⚠️ Write Trigger**: Explicitly prohibited from auto-calling write mode

 ### Codex
 - **Command**: `codex --full-auto exec`
 - **Strengths**: Autonomous development, mathematical reasoning
 - **Best For**: Implementation, testing, automation
- **Required**: `-s danger-full-access` and `--skip-git-repo-check` for development
- **Default MODE**: `auto`
+- **Permissions**: Requires explicit MODE=auto or MODE=write specification
+- **Default MODE**: No default, must be explicitly specified
+- **⚠️ Write Trigger**: Only when user explicitly requests "implement", "modify", "generate code" AND specifies MODE

 ### File Patterns
 - All files: `@{**/*}`
--- a/Install-Claude.sh
+++ b/Install-Claude.sh
@@ -87,8 +87,8 @@ function show_header() {

 function test_prerequisites() {
    # Test bash version
-    if [ "${BASH_VERSINFO[0]}" -lt 4 ]; then
-        write_color "ERROR: Bash 4.0 or higher is required" "$COLOR_ERROR"
+    if [ "${BASH_VERSINFO[0]}" -lt 2 ]; then
+        write_color "ERROR: Bash 2.0 or higher is required" "$COLOR_ERROR"
        write_color "Current version: ${BASH_VERSION}" "$COLOR_ERROR"
        return 1
    fi