fix: restrict bash in plan mode #314

Open
WqyJh wants to merge 7 commits into main from mirror/pr-505

@WqyJh (Owner) commented Jun 15, 2026

Issue for this PR

Closes XiaomiMiMo#475

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Plan mode is documented as read-only, but the built-in plan agent did not set bash permissions, so bash inherited the default allow behavior. That left commands like mkdir, touch, and shell redirects able to modify the workspace.

This PR makes plan-mode bash default to deny and explicitly allows common read-only exploration commands: pwd, ls, cat, grep, rg, find, git status, git diff, git log, git show, Get-ChildItem, and Get-Content. User-defined permission overrides still flow through the existing config merge path.

How did you verify your code works?

Passed locally:

  • bun test test/agent/agent.test.ts -t "plan agent" --timeout 30000
  • bun test test/tool/bash.test.ts -t "matches redirects in permission pattern" --timeout 30000
  • bun test test/tool/bash.test.ts -t "always pattern has space before wildcard" --timeout 30000
  • git diff --check

Local limitation:

  • bun typecheck currently fails before reaching this change with src/storage/db.node.ts(1,30): error TS2307: Cannot find module 'node:sqlite' or its corresponding type declarations.

Screenshots / recordings

No UI change.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

Mirrored from XiaomiMiMo/MiMo-Code#505 — original author @cnYui.
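
A sketch of the default-deny policy the description above outlines, added here as an illustration and not taken from the PR or the MiMo-Code code base. `evaluatePlanBash`, `READ_ONLY`, `SHELL_META` and `FIND_WRITE_FLAGS` are hypothetical names, and refusing shell metacharacters and the write-capable `find` flags are assumptions of this example, not behaviour confirmed by the page.

```typescript
// Added illustration; not MiMo-Code's implementation. All names are hypothetical.
type Action = "allow" | "deny";

// Read-only commands listed in the PR description. Multi-word entries are prefixes.
const READ_ONLY: string[] = [
  "pwd", "ls", "cat", "grep", "rg", "find",
  "git status", "git diff", "git log", "git show",
  "Get-ChildItem", "Get-Content",
];

// Assumption: redirects, pipes, chaining, backgrounding and command substitution
// are refused before the allowlist is consulted, because "cat a > b" still starts
// with an allowed command. This is conservative: quoted metacharacters are refused too.
const SHELL_META = /[><|;&`\n]|\$\(/;

// Assumption: find is an exploration tool that can also write or execute,
// so these flags are refused. The list is not exhaustive.
const FIND_WRITE_FLAGS: string[] = [
  "-delete", "-exec", "-execdir", "-ok", "-okdir",
  "-fprint", "-fprint0", "-fprintf", "-fls",
];

function evaluatePlanBash(command: string): Action {
  const cmd = command.trim();
  if (cmd === "" || SHELL_META.test(cmd)) return "deny";

  const words = cmd.split(/\s+/);
  // Whole-word prefix match, so "lsblk" does not ride on the "ls" entry.
  const matched = READ_ONLY.filter((entry) =>
    entry.split(" ").every((part, i) => words[i] === part),
  )[0];

  if (matched === undefined) return "deny"; // default: deny anything not listed
  if (matched === "find" && words.some((w) => FIND_WRITE_FLAGS.indexOf(w) !== -1)) {
    return "deny";
  }
  return "allow";
}

// Constructed sample commands, evaluated when the file is run directly.
for (const c of ["ls -la src", "git diff HEAD~1", "mkdir build", "cat a.txt > b.txt"]) {
  console.log(`${evaluatePlanBash(c).padEnd(5)} ${c}`);
}
```
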

Development

Successfully merging this pull request may close these issues.

BUG Plan mode allows filesystem modifications via Bash tool