docs: explain how to opt in to allowing the system temp directory

[yanyihan-xiaomi]

Summary

Documents how a user can opt in to allowing reads/writes under the system temp directory (/tmp), instead of enabling it by default. No code or default-behavior changes — this is README-only (a collapsible <details> block under Configuration, mirrored in README.zh.md).

中文：说明用户如何主动放行系统临时目录 /tmp 的读写，而非默认开启。不改任何代码或默认行为，仅在 README 的 Configuration 章节加一个可折叠 <details> 小节，并同步中文版。

Background — why this supersedes #1335

The earlier #1335 (closed) auto-allowed /tmp by default by injecting temp-dir globs into whitelistedDirs. Review consensus: we should not silently widen the permission posture out of the box. The permission layer is deliberately a backstop, and external-directory access is opt-in by design — changing that default for everyone is the wrong trade for a convenience win.

So the direction flipped: keep the default exactly as-is (temp-dir access still prompts via external_directory), and instead teach the user how to opt in if they decide it's worth it in their environment. The guidance lives in the README rather than the docs site (packages/web/.../permissions.mdx) because the mdx docs are largely unmaintained and the README is where users actually look.

中文：此 PR 替代已关闭的 #1335。#1335 默认放行 /tmp，review 共识是不应开箱即静默放宽权限——权限层有意作为 backstop，外部目录访问按设计就是 opt-in。因此方向反转：默认完全不变（临时目录仍会询问），改为用文档引导用户在自己认为合适时主动开启。引导放在 README 而非 mdx 文档站，因为 mdx 基本不再维护，README 才是用户实际查看处。

What the doc explains

• Default is unchanged and intentional. Reads/writes outside the working dir prompt via external_directory, temp dir included. MiMoCode does not silently widen permissions.
• Why /tmp is singled out. Most models reach for the temp dir as scratch space (quick scripts, throwaway data), so it's the external directory users most often want to allow. This matches common model behavior.
• The opt-in config, minimal form:

  { "permission": { "external_directory": { "/tmp/**": "allow" } } }

• Known risk + disclaimer. The temp dir is world-writable and shared; auto-allowing widens exposure to predictable-temp-path / symlink tricks. Stated as "known risks — use it at your own risk," recommended only for single-user controlled environments or inside a container. (Disclaimer kept to one mention, since this is a low-severity reminder-level setting, not a destructive flag.)

中文：文档说明了——默认行为不变且有意为之；为何单独提 /tmp（多数模型把它当临时空间，符合常见模型行为）；最小化的 opt-in 配置；已知风险与免责声明（临时目录共享可写，自动放行扩大攻击面，"风险自负"，仅建议单人可控环境或容器内使用）。

Why /tmp/** alone is sufficient (verified, not assumed)

A natural worry on macOS: /tmp is a symlink to /private/tmp, and os.tmpdir() resolves to /var/folders/.../T — so would a rule keyed on /tmp/** miss the real path? I traced the actual write/read path to confirm it does not:

• tool/write.ts:36-39 — the incoming file_path is only checked for path.isAbsolute / joined with the session cwd. No realpath / symlink resolution. A model writing /tmp/foo.py keeps the literal string /tmp/foo.py.
• tool/external-directory.ts:29 — on non-Windows, full = target (the literal path), and Instance.containsPath(full) decides "outside the worktree."
• project/instance.ts:121-125 — containsPath uses AppFileSystem.contains, a plain string-prefix comparison. No realpath.
• The external_directory ask then evaluates path.dirname(full) + "/*", i.e. /tmp/*, against the rule. util/wildcard.ts compiles *→.* with the dotall s flag, so a single * crosses / and /tmp/** matches arbitrarily deep paths.

Conclusion: the permission layer sees the literal /tmp/... string the model passed, before the filesystem resolves the symlink. The /private/tmp and /var/folders/... forms only arise when a tool itself passes an already-resolved path (e.g. something that calls os.tmpdir() directly), which is the uncommon case. Putting those forms in the default example would be misleading, so the doc uses just /tmp/** (which is also exactly os.tmpdir() on Linux) and omits a macOS caveat to avoid noise.

中文：在 macOS 上 /tmp 是指向 /private/tmp 的软链、os.tmpdir() 解析为 /var/folders/.../T，自然会担心 /tmp/** 是否会漏掉真实路径。我实地追踪了写/读链路确认不会：工具拿到的路径不做 realpath（write.ts:36-39），external-directory 用字面路径（:29）和纯字符串前缀比较（instance.ts:121-125），且 * 在 dotall 下可跨 /（wildcard.ts）。因此权限层看到的是模型传入的字面 /tmp/...，发生在文件系统解析软链之前。/private/tmp、/var/folders/... 只在工具自身传入已解析路径（如直接调用 os.tmpdir()）的少数情况出现。把这些写进默认示例反而误导，故默认只用 /tmp/**（Linux 上也正是 os.tmpdir()），并省去 macOS 注意事项以免增加噪音。

Scope

• README.md + README.zh.md only. No code, no default-permission change, no new dependency.

Supersedes #1335 (closed).

Co-authored-by: MiMo-Code noreply@mimo.xiaomi.com