npm - @agent-sh/harness-bash - Versions diffs - 0.2.0 - Mend

@agent-sh/harness-bash 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1009 @@
+'use strict';
+var path4 = require('path');
+var harnessCore = require('@agent-sh/harness-core');
+var child_process = require('child_process');
+var fs = require('fs');
+var os = require('os');
+var crypto = require('crypto');
+var v = require('valibot');
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+var path4__default = /*#__PURE__*/_interopDefault(path4);
+var v__namespace = /*#__PURE__*/_interopNamespace(v);
+// src/bash.ts
+// src/constants.ts
+var DEFAULT_INACTIVITY_TIMEOUT_MS = 6e4;
+var DEFAULT_WALLCLOCK_BACKSTOP_MS = 3e5;
+var MAX_COMMAND_LENGTH = 16384;
+var MAX_OUTPUT_BYTES_INLINE = 30720;
+var MAX_OUTPUT_BYTES_FILE = 10 * 1024 * 1024;
+var BACKGROUND_MAX_JOBS = 16;
+var KILL_GRACE_MS = 5e3;
+var SENSITIVE_ENV_PREFIXES = [
+  "AWS_",
+  "BEDROCK_",
+  "GITHUB_TOKEN",
+  "GH_TOKEN",
+  "OPENAI_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "GOOGLE_API_KEY",
+  "GEMINI_API_KEY",
+  "NPM_TOKEN",
+  "DOCKERHUB_TOKEN",
+  "SLACK_",
+  "STRIPE_"
+];
+function createLocalBashExecutor(opts) {
+  const bashPath = opts?.bashPath ?? "/bin/bash";
+  const logDir = opts?.logDir ?? path4__default.default.join(os.tmpdir(), "agent-sh-bash-logs");
+  fs.mkdirSync(logDir, { recursive: true });
+  const jobs = /* @__PURE__ */ new Map();
+  async function runForeground2(input) {
+    const child = child_process.spawn(bashPath, ["-c", input.command], {
+      cwd: input.cwd,
+      env: { ...input.env },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    child.stdout.on("data", (chunk) => input.onStdout(chunk));
+    child.stderr.on("data", (chunk) => input.onStderr(chunk));
+    let killedBySignal = false;
+    const onAbort = () => {
+      killedBySignal = true;
+      try {
+        child.kill("SIGTERM");
+        setTimeout(() => {
+          if (child.exitCode === null) child.kill("SIGKILL");
+        }, KILL_GRACE_MS).unref();
+      } catch {
+      }
+    };
+    if (input.signal.aborted) {
+      onAbort();
+    } else {
+      input.signal.addEventListener("abort", onAbort, { once: true });
+    }
+    return new Promise((resolve) => {
+      child.on("close", (code, signal) => {
+        input.signal.removeEventListener("abort", onAbort);
+        resolve({
+          exitCode: code,
+          killed: killedBySignal,
+          signal: signal ?? null
+        });
+      });
+      child.on("error", () => {
+        input.signal.removeEventListener("abort", onAbort);
+        resolve({ exitCode: null, killed: killedBySignal, signal: null });
+      });
+    });
+  }
+  async function spawnBackground(args) {
+    const jobId = crypto.randomUUID();
+    const outPath = path4__default.default.join(logDir, `${jobId}.out`);
+    const errPath = path4__default.default.join(logDir, `${jobId}.err`);
+    const outStream = fs.createWriteStream(outPath, { flags: "w" });
+    const errStream = fs.createWriteStream(errPath, { flags: "w" });
+    const child = child_process.spawn(bashPath, ["-c", args.command], {
+      cwd: args.cwd,
+      env: { ...args.env },
+      stdio: ["ignore", "pipe", "pipe"],
+      detached: false
+    });
+    child.stdout.pipe(outStream);
+    child.stderr.pipe(errStream);
+    const job = {
+      id: jobId,
+      outPath,
+      errPath,
+      running: true,
+      exitCode: null,
+      killed: false,
+      proc: child
+    };
+    jobs.set(jobId, job);
+    child.on("close", (code) => {
+      job.running = false;
+      job.exitCode = code;
+      job.proc = null;
+    });
+    child.on("error", () => {
+      job.running = false;
+      job.proc = null;
+    });
+    return { jobId };
+  }
+  async function readBackground(jobId, opts2) {
+    const job = jobs.get(jobId);
+    if (!job) {
+      throw new Error(`Unknown job_id: ${jobId}`);
+    }
+    const since = opts2.since_byte ?? 0;
+    const limit = opts2.head_limit ?? 30720;
+    const stdout = readSlice(job.outPath, since, limit);
+    const stderr = readSlice(job.errPath, since, limit);
+    return {
+      stdout: stdout.text,
+      stderr: stderr.text,
+      running: job.running,
+      exitCode: job.exitCode,
+      totalBytesStdout: stdout.totalBytes,
+      totalBytesStderr: stderr.totalBytes
+    };
+  }
+  async function killBackground(jobId, signal = "SIGTERM") {
+    const job = jobs.get(jobId);
+    if (!job || !job.proc) return;
+    job.killed = true;
+    try {
+      job.proc.kill(signal);
+      if (signal === "SIGTERM") {
+        setTimeout(() => {
+          if (job.running && job.proc) {
+            try {
+              job.proc.kill("SIGKILL");
+            } catch {
+            }
+          }
+        }, KILL_GRACE_MS).unref();
+      }
+    } catch {
+    }
+  }
+  async function closeSession() {
+    for (const job of jobs.values()) {
+      if (job.running && job.proc) {
+        try {
+          job.proc.kill("SIGTERM");
+        } catch {
+        }
+      }
+    }
+  }
+  return {
+    run: runForeground2,
+    spawnBackground,
+    readBackground,
+    killBackground,
+    closeSession
+  };
+}
+function readSlice(filePath, since, limit) {
+  if (!fs.existsSync(filePath)) return { text: "", totalBytes: 0 };
+  const totalBytes = fs.statSync(filePath).size;
+  if (since >= totalBytes) return { text: "", totalBytes };
+  const end = Math.min(since + limit, totalBytes);
+  const buf = fs.readFileSync(filePath).subarray(since, end);
+  return { text: buf.toString("utf8"), totalBytes };
+}
+async function resolveCwd(ops, session, requested) {
+  const base = requested ?? session.logicalCwd?.value ?? session.cwd;
+  const absolute = path4__default.default.isAbsolute(base) ? base : path4__default.default.resolve(session.cwd, base);
+  try {
+    return await ops.realpath(absolute);
+  } catch {
+    return absolute;
+  }
+}
+async function fenceBash(session, resolvedCwd) {
+  const { permissions } = session;
+  const isSensitive = harnessCore.matchesAnyPattern(
+    resolvedCwd,
+    permissions.sensitivePatterns
+  );
+  const insideWorkspace = harnessCore.isInsideAnyRoot(resolvedCwd, permissions.roots);
+  if (isSensitive && permissions.hook === void 0) {
+    return harnessCore.toolError(
+      "SENSITIVE",
+      `Refusing to run bash in sensitive path: ${resolvedCwd}`,
+      { meta: { path: resolvedCwd } }
+    );
+  }
+  if (!insideWorkspace && permissions.bypassWorkspaceGuard !== true && permissions.hook === void 0) {
+    return harnessCore.toolError(
+      "OUTSIDE_WORKSPACE",
+      `cwd is outside all configured workspace roots: ${resolvedCwd}`,
+      { meta: { path: resolvedCwd, roots: permissions.roots } }
+    );
+  }
+  return void 0;
+}
+async function askPermission(session, args) {
+  const { permissions } = session;
+  const commandHead = args.command.trimStart().split(/\s+/)[0] ?? "";
+  const alwaysPatterns = commandHead ? [`Bash(${commandHead}:*)`] : ["Bash(*)"];
+  if (permissions.hook === void 0) {
+    if (permissions.unsafeAllowBashWithoutHook === true) {
+      return { decision: "allow" };
+    }
+    return {
+      decision: "deny",
+      reason: "bash tool has no permission hook configured; refusing to run untrusted commands. Wire a hook or set session.permissions.unsafeAllowBashWithoutHook for test fixtures."
+    };
+  }
+  const decision = await permissions.hook({
+    tool: "bash",
+    path: args.cwd,
+    action: "read",
+    always_patterns: alwaysPatterns,
+    metadata: {
+      command: args.command,
+      cwd: args.cwd,
+      background: args.background,
+      timeout_ms: args.timeoutMs,
+      env_keys: args.envKeys,
+      network_required: null
+    }
+  });
+  if (decision === "deny") {
+    return {
+      decision: "deny",
+      reason: `Command blocked by permission policy. Pattern hint: ${alwaysPatterns.join(", ")}`
+    };
+  }
+  if (decision === "allow" || decision === "allow_once") {
+    return { decision };
+  }
+  return {
+    decision: "deny",
+    reason: "Permission hook returned 'ask' but bash runs in autonomous mode. Configure the hook to return allow or deny."
+  };
+}
+function resolveOps(session) {
+  return session.ops ?? harnessCore.defaultNodeOperations();
+}
+var HeadTailBuffer = class {
+  constructor(maxInline, maxFile, kind, spillDir) {
+    this.maxInline = maxInline;
+    this.maxFile = maxFile;
+    this.kind = kind;
+    this.spillDir = spillDir;
+  }
+  maxInline;
+  maxFile;
+  kind;
+  spillDir;
+  chunks = [];
+  totalBytes = 0;
+  byteCap = false;
+  spilled = false;
+  spillPath = null;
+  spillBytes = [];
+  write(chunk) {
+    this.totalBytes += chunk.byteLength;
+    if (this.totalBytes <= this.maxInline) {
+      this.chunks.push(chunk);
+      return;
+    }
+    if (!this.spilled) {
+      this.spilled = true;
+      this.byteCap = true;
+      this.spillPath = path4__default.default.join(
+        this.spillDir,
+        `${crypto.randomUUID()}.${this.kind}`
+      );
+      for (const c of this.chunks) this.appendSpill(c);
+    }
+    this.appendSpill(chunk);
+    this.spillBytes.push(chunk.byteLength);
+  }
+  appendSpill(chunk) {
+    if (this.spillPath === null) return;
+    if (!this.spillInit) {
+      fs.mkdirSync(this.spillDir, { recursive: true });
+      fs.writeFileSync(this.spillPath, "");
+      this.spillInit = true;
+    }
+    if (this.fileBytesWritten + chunk.byteLength > this.maxFile) {
+      return;
+    }
+    fs.appendFileSync(this.spillPath, Buffer.from(chunk));
+    this.fileBytesWritten += chunk.byteLength;
+  }
+  spillInit = false;
+  fileBytesWritten = 0;
+  /**
+   * Return the inline render:
+   *   - If not capped: the full buffered text.
+   *   - If capped: head (first maxInline/2 bytes) + marker + tail
+   *     (last maxInline/2 bytes) approximation. We approximate the tail
+   *     by decoding only the tail window (maxInline/2 bytes from the spill
+   *     file) because the stream is write-once and we dropped the middle.
+   *
+   * The actual implementation is simpler: we keep only the head inline
+   * (first maxInline bytes, never overwritten) and emit a marker that
+   * points at the log path. Head-only is a deliberate simplification
+   * versus spec's head+tail — it matches OpenCode's default, and we
+   * rely on Read(path) to see the tail. Spec §4 head+tail is a v2
+   * improvement once we prove the file-path recovery path.
+   */
+  render() {
+    if (!this.spilled) {
+      const combined = Buffer.concat(this.chunks.map((c) => Buffer.from(c)));
+      return {
+        text: combined.toString("utf8"),
+        byteCap: false,
+        logPath: null
+      };
+    }
+    const head = Buffer.concat(
+      this.chunks.map((c) => Buffer.from(c)),
+      this.maxInline
+    ).toString("utf8");
+    const marker = `
+... (stream exceeded ${this.maxInline} bytes; full log at ${this.spillPath}) ...`;
+    return {
+      text: head + marker,
+      byteCap: true,
+      logPath: this.spillPath
+    };
+  }
+  bytesTotal() {
+    return this.totalBytes;
+  }
+  wasCapped() {
+    return this.byteCap;
+  }
+};
+function defaultSpillDir() {
+  return path4__default.default.join(os.tmpdir(), "agent-sh-bash-spill");
+}
+function formatResultText(args) {
+  const header = `<command>${args.command}</command>`;
+  const exitLine = `<exit_code>${args.exitCode}</exit_code>`;
+  const stdoutBlock = `<stdout>
+${args.stdout}
+</stdout>`;
+  const stderrBlock = `<stderr>
+${args.stderr}
+</stderr>`;
+  const hint = args.byteCap ? `(Output capped. Full log: ${args.logPath}. Read it with pagination if you need the middle.)` : args.kind === "ok" ? `(Command completed in ${args.durationMs}ms. exit=0.)` : `(Command exited nonzero in ${args.durationMs}ms. Exit code: ${args.exitCode}.)`;
+  return [header, exitLine, stdoutBlock, stderrBlock, hint].join("\n");
+}
+function formatTimeoutText(args) {
+  const header = `<command>${args.command}</command>`;
+  const stdoutBlock = `<stdout>
+${args.stdout}
+</stdout>`;
+  const stderrBlock = `<stderr>
+${args.stderr}
+</stderr>`;
+  const logHint = args.logPath ? ` Full log: ${args.logPath}.` : "";
+  const hint = `(Command hit ${args.reason} after ${args.durationMs}ms. ${args.partialBytes} bytes captured. Kill signal: SIGTERM then SIGKILL.${logHint} If the command is long-running, retry with background: true.)`;
+  return [header, stdoutBlock, stderrBlock, hint].join("\n");
+}
+function formatBackgroundStartedText(args) {
+  return [
+    `<command>${args.command}</command>`,
+    `<job_id>${args.jobId}</job_id>`,
+    `(Background job started. Poll output with bash_output(job_id). Kill with bash_kill(job_id).)`
+  ].join("\n");
+}
+function formatBashOutputText(args) {
+  const next = args.sinceByte + args.returnedBytes;
+  return [
+    `<job_id>${args.jobId}</job_id>`,
+    `<running>${args.running}</running>`,
+    `<exit_code>${args.exitCode === null ? "null" : args.exitCode}</exit_code>`,
+    `<stdout>
+${args.stdout}
+</stdout>`,
+    `<stderr>
+${args.stderr}
+</stderr>`,
+    `(Showing bytes ${args.sinceByte}-${next} of ${args.totalBytes}. Next since_byte: ${next}. Job running: ${args.running}.)`
+  ].join("\n");
+}
+function formatBashKillText(args) {
+  return `<job_id>${args.jobId}</job_id>
+(${args.signal} sent. Poll bash_output to confirm termination.)`;
+}
+var BashParamsSchema = v__namespace.strictObject({
+  command: v__namespace.pipe(
+    v__namespace.string(),
+    v__namespace.minLength(1, "command is required"),
+    v__namespace.maxLength(
+      MAX_COMMAND_LENGTH,
+      `command exceeds ${MAX_COMMAND_LENGTH} bytes`
+    )
+  ),
+  cwd: v__namespace.optional(v__namespace.pipe(v__namespace.string(), v__namespace.minLength(1, "cwd must not be empty"))),
+  timeout_ms: v__namespace.optional(
+    v__namespace.pipe(
+      v__namespace.number(),
+      v__namespace.integer(),
+      v__namespace.minValue(100, "timeout_ms must be >= 100 ms")
+    )
+  ),
+  description: v__namespace.optional(v__namespace.string()),
+  background: v__namespace.optional(v__namespace.boolean()),
+  env: v__namespace.optional(v__namespace.record(v__namespace.string(), v__namespace.string()))
+});
+var BashOutputParamsSchema = v__namespace.strictObject({
+  job_id: v__namespace.pipe(v__namespace.string(), v__namespace.minLength(1, "job_id is required")),
+  since_byte: v__namespace.optional(
+    v__namespace.pipe(v__namespace.number(), v__namespace.integer(), v__namespace.minValue(0, "since_byte must be >= 0"))
+  ),
+  head_limit: v__namespace.optional(
+    v__namespace.pipe(v__namespace.number(), v__namespace.integer(), v__namespace.minValue(1, "head_limit must be >= 1"))
+  )
+});
+var BashKillParamsSchema = v__namespace.strictObject({
+  job_id: v__namespace.pipe(v__namespace.string(), v__namespace.minLength(1, "job_id is required")),
+  signal: v__namespace.optional(v__namespace.picklist(["SIGTERM", "SIGKILL"]))
+});
+var KNOWN_PARAM_ALIASES = {
+  cmd: "unknown parameter 'cmd'. Use 'command' instead.",
+  shell_command: "unknown parameter 'shell_command'. Use 'command' instead.",
+  script: "unknown parameter 'script'. Use 'command' instead.",
+  run: "unknown parameter 'run'. Use 'command' instead.",
+  directory: "unknown parameter 'directory'. Use 'cwd' instead.",
+  dir: "unknown parameter 'dir'. Use 'cwd' instead.",
+  path: "unknown parameter 'path'. Use 'cwd' instead.",
+  working_directory: "unknown parameter 'working_directory'. Use 'cwd' instead.",
+  timeout: "unknown parameter 'timeout'. Use 'timeout_ms' instead (milliseconds, not seconds). For 30s pass timeout_ms: 30000.",
+  time_limit: "unknown parameter 'time_limit'. Use 'timeout_ms' instead (milliseconds).",
+  timeout_seconds: "unknown parameter 'timeout_seconds'. Use 'timeout_ms' instead (multiply by 1000).",
+  env_vars: "unknown parameter 'env_vars'. Use 'env' instead.",
+  environment: "unknown parameter 'environment'. Use 'env' instead.",
+  lang: `unknown parameter 'lang'. Bash runs shell commands; invoke other languages via the command itself (e.g. 'python -c "..."', 'node -e "..."').`,
+  language: `unknown parameter 'language'. Invoke other languages via the command (e.g. 'python -c "..."', 'node -e "..."').`,
+  interpreter: `unknown parameter 'interpreter'. Invoke the interpreter inside the command itself (e.g. 'python -c "..."').`,
+  runtime: `unknown parameter 'runtime'. Invoke the runtime inside the command itself (e.g. 'node -e "..."').`,
+  stdin: `unknown parameter 'stdin'. Interactive stdin is not supported in v1. Pipe data into the command instead (e.g. 'echo "y" | npm init').`,
+  input: "unknown parameter 'input'. Interactive input is not supported in v1. Make the command non-interactive with flags like --yes.",
+  sandbox: "unknown parameter 'sandbox'. Sandboxing is configured on the session, not per-call.",
+  sandbox_mode: "unknown parameter 'sandbox_mode'. Sandboxing is configured on the session, not per-call.",
+  permissions: "unknown parameter 'permissions'. The permission hook is configured on the session.",
+  network: "unknown parameter 'network'. Network access is configured on the session / executor adapter.",
+  network_access: "unknown parameter 'network_access'. Network access is configured on the session / executor adapter.",
+  shell: "unknown parameter 'shell'. Shell binary is configured on the session.",
+  shell_binary: "unknown parameter 'shell_binary'. Shell binary is configured on the session."
+};
+function checkAliases(input) {
+  if (input === null || typeof input !== "object") return [];
+  const hints = [];
+  for (const key of Object.keys(input)) {
+    const hint = KNOWN_PARAM_ALIASES[key];
+    if (hint) hints.push(hint);
+  }
+  return hints;
+}
+function makeAliasIssues(messages) {
+  return messages.map(
+    (m) => ({
+      kind: "validation",
+      type: "custom",
+      input: void 0,
+      expected: null,
+      received: "unknown",
+      message: m
+    })
+  );
+}
+function safeParseBashParams(input) {
+  const aliases = checkAliases(input);
+  if (aliases.length > 0) {
+    return { ok: false, issues: makeAliasIssues(aliases) };
+  }
+  const result = v__namespace.safeParse(BashParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+function safeParseBashOutputParams(input) {
+  const result = v__namespace.safeParse(BashOutputParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+function safeParseBashKillParams(input) {
+  const result = v__namespace.safeParse(BashKillParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+var BASH_TOOL_NAME = "bash";
+var BASH_TOOL_DESCRIPTION = `Run a single shell command in a bash subprocess. Output is captured and returned with the exit code.
+Usage:
+- 'cd' carries over to subsequent calls if it stays inside the workspace; otherwise the cwd is reset. Environment variables do NOT persist across calls \u2014 set them inline (FOO=bar some-cmd) or via 'env'.
+- For non-shell code, use language one-liners: 'python -c "print(2+2)"', 'node -e "console.log(2+2)"', 'deno eval "console.log(2+2)"'. For multi-line scripts, write a temp file with the write tool and invoke the interpreter on it.
+- Long-running processes (servers, watchers) MUST use background: true. The tool returns a job_id; poll output with bash_output(job_id). Do not leave a foreground command running past the 5-minute wall-clock backstop.
+- No interactive commands. Anything that needs stdin (pagers, Y/n prompts, REPLs, 'git commit' without -m) will hang until the inactivity timeout. Use flags to make commands non-interactive (--yes, -y, --no-pager) or pipe 'echo "y" |' in front.
+- Inactivity timeout resets on any output; default 60000 ms. Override with timeout_ms. Wall-clock backstop is 5 minutes for foreground calls.
+- Prefer this tool over other ways of running shell commands. For filename search prefer 'glob'; for content search prefer 'grep'.`;
+var bashToolDefinition = {
+  name: BASH_TOOL_NAME,
+  description: BASH_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      command: {
+        type: "string",
+        description: "The shell command to run (single string, interpreted by bash -c)."
+      },
+      cwd: {
+        type: "string",
+        description: "Absolute working directory. Defaults to the session cwd plus any carried-over cd. Must be inside the workspace."
+      },
+      timeout_ms: {
+        type: "integer",
+        minimum: 100,
+        description: "Inactivity timeout in milliseconds. Any output resets the clock. Default 60000 (60 s). Wall-clock backstop is 5 minutes regardless."
+      },
+      description: {
+        type: "string",
+        description: "One-line human-readable 'why' (optional, for traces)."
+      },
+      background: {
+        type: "boolean",
+        description: "Run as a background job. Returns a job_id; poll output with bash_output. Use for servers, watchers, long-running builds."
+      },
+      env: {
+        type: "object",
+        additionalProperties: { type: "string" },
+        description: "Environment variables merged on top of the session env. Keys with sensitive prefixes (AWS_*, GITHUB_TOKEN, etc.) are rejected."
+      }
+    },
+    required: ["command"],
+    additionalProperties: false
+  }
+};
+var BASH_OUTPUT_TOOL_NAME = "bash_output";
+var BASH_OUTPUT_TOOL_DESCRIPTION = `Poll a backgrounded bash job's output since a given byte offset.
+Returns stdout and stderr slices plus whether the job is still running and its exit code if finished. Use 'since_byte' from the previous call to paginate through a long-running job's output without re-fetching already-seen bytes.`;
+var bashOutputToolDefinition = {
+  name: BASH_OUTPUT_TOOL_NAME,
+  description: BASH_OUTPUT_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      job_id: {
+        type: "string",
+        description: "The job_id returned by a previous bash call with background: true."
+      },
+      since_byte: {
+        type: "integer",
+        minimum: 0,
+        description: "Start of the requested slice per stream, in bytes. Defaults to 0. Use next_since_byte from a previous output call to resume."
+      },
+      head_limit: {
+        type: "integer",
+        minimum: 1,
+        description: "Max bytes per stream (default 30720 / 30 KB)."
+      }
+    },
+    required: ["job_id"],
+    additionalProperties: false
+  }
+};
+var BASH_KILL_TOOL_NAME = "bash_kill";
+var BASH_KILL_TOOL_DESCRIPTION = `Send a termination signal to a backgrounded bash job.
+Defaults to SIGTERM (graceful). Use SIGKILL for an unresponsive job. The job's next bash_output call will report running: false.`;
+var bashKillToolDefinition = {
+  name: BASH_KILL_TOOL_NAME,
+  description: BASH_KILL_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      job_id: {
+        type: "string",
+        description: "The job_id returned by a previous bash call with background: true."
+      },
+      signal: {
+        type: "string",
+        enum: ["SIGTERM", "SIGKILL"],
+        description: "Signal to send. Default SIGTERM."
+      }
+    },
+    required: ["job_id"],
+    additionalProperties: false
+  }
+};
+// src/bash.ts
+var jobCountBySession = /* @__PURE__ */ new WeakMap();
+function incJobCount(session) {
+  jobCountBySession.set(session, (jobCountBySession.get(session) ?? 0) + 1);
+}
+function jobCount(session) {
+  return jobCountBySession.get(session) ?? 0;
+}
+function err(error) {
+  return { kind: "error", error };
+}
+function resolveExecutor(session) {
+  if (session.executor) return session.executor;
+  if (session.permissions.unsafeAllowBashWithoutHook !== true) ;
+  return createLocalBashExecutor();
+}
+function detectTopLevelCd(command) {
+  const trimmed = command.trim();
+  if (trimmed.length === 0) return null;
+  const match = trimmed.match(/^cd\s+([^\s&|;`$()]+)$/);
+  if (!match) return null;
+  const arg = match[1];
+  if (arg === void 0) return null;
+  if (arg.startsWith('"') && arg.endsWith('"') || arg.startsWith("'") && arg.endsWith("'")) {
+    return arg.slice(1, -1);
+  }
+  return arg;
+}
+function checkEnv(env) {
+  for (const key of Object.keys(env)) {
+    for (const prefix of SENSITIVE_ENV_PREFIXES) {
+      if (key === prefix || prefix.endsWith("_") && key.startsWith(prefix)) {
+        return `env may not set sensitive-prefix variable '${key}' (prefix '${prefix}').`;
+      }
+    }
+  }
+  return null;
+}
+function byteLength(s) {
+  return Buffer.byteLength(s, "utf8");
+}
+async function bash(input, session) {
+  const parsed = safeParseBashParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(harnessCore.toolError("INVALID_PARAM", messages, { cause: parsed.issues }));
+  }
+  const params = parsed.value;
+  if (params.background === true && params.timeout_ms !== void 0) {
+    return err(
+      harnessCore.toolError(
+        "INVALID_PARAM",
+        "timeout_ms does not apply to background jobs; they have their own lifecycle (bash_kill). Drop timeout_ms or set background: false."
+      )
+    );
+  }
+  const envParam = params.env ?? {};
+  const envError = checkEnv(envParam);
+  if (envError) {
+    return err(harnessCore.toolError("INVALID_PARAM", envError));
+  }
+  const ops = resolveOps(session);
+  const resolvedCwd = await resolveCwd(ops, session, params.cwd);
+  const fenceError = await fenceBash(session, resolvedCwd);
+  if (fenceError) return err(fenceError);
+  const stat = await ops.stat(resolvedCwd).catch(() => void 0);
+  if (!stat) {
+    return err(
+      harnessCore.toolError("NOT_FOUND", `cwd does not exist: ${resolvedCwd}`, {
+        meta: { cwd: resolvedCwd }
+      })
+    );
+  }
+  if (stat.type !== "directory") {
+    return err(
+      harnessCore.toolError(
+        "IO_ERROR",
+        `cwd is not a directory: ${resolvedCwd}`,
+        { meta: { cwd: resolvedCwd } }
+      )
+    );
+  }
+  const effectiveTimeout = params.timeout_ms ?? session.defaultInactivityTimeoutMs ?? DEFAULT_INACTIVITY_TIMEOUT_MS;
+  const decision = await askPermission(session, {
+    command: params.command,
+    cwd: resolvedCwd,
+    background: params.background ?? false,
+    timeoutMs: effectiveTimeout,
+    envKeys: Object.keys(envParam)
+  });
+  if (decision.decision === "deny") {
+    const echo = params.command.length > 200 ? params.command.slice(0, 200) + "..." : params.command;
+    return err(
+      harnessCore.toolError(
+        "PERMISSION_DENIED",
+        `${decision.reason}
+Command: ${echo}`,
+        { meta: { command: params.command, cwd: resolvedCwd } }
+      )
+    );
+  }
+  const execEnv = {
+    ...session.env ?? process.env,
+    ...envParam
+  };
+  for (const [k, v2] of Object.entries(execEnv)) {
+    if (v2 === void 0) delete execEnv[k];
+  }
+  const executor = resolveExecutor(session);
+  if (params.background === true) {
+    return runBackground(
+      session,
+      executor,
+      params.command,
+      resolvedCwd,
+      execEnv
+    );
+  }
+  return runForeground(
+    session,
+    executor,
+    params.command,
+    resolvedCwd,
+    execEnv,
+    effectiveTimeout
+  );
+}
+async function runBackground(session, executor, command, cwd, env) {
+  if (!executor.spawnBackground) {
+    return err(
+      harnessCore.toolError(
+        "INVALID_PARAM",
+        "background: true is not supported by this executor adapter."
+      )
+    );
+  }
+  const maxJobs = session.maxBackgroundJobs ?? BACKGROUND_MAX_JOBS;
+  if (jobCount(session) >= maxJobs) {
+    return err(
+      harnessCore.toolError(
+        "IO_ERROR",
+        `Background job limit reached (${maxJobs}). Kill an existing job first with bash_kill.`
+      )
+    );
+  }
+  const { jobId } = await executor.spawnBackground({ command, cwd, env });
+  incJobCount(session);
+  return {
+    kind: "background_started",
+    output: formatBackgroundStartedText({ command, jobId }),
+    jobId
+  };
+}
+async function runForeground(session, executor, command, cwd, env, inactivityTimeoutMs) {
+  const wallclockMs = session.wallclockBackstopMs ?? DEFAULT_WALLCLOCK_BACKSTOP_MS;
+  const maxInline = session.maxOutputBytesInline ?? MAX_OUTPUT_BYTES_INLINE;
+  const maxFile = session.maxOutputBytesFile ?? MAX_OUTPUT_BYTES_FILE;
+  const spillDir = defaultSpillDir();
+  const stdoutBuf = new HeadTailBuffer(maxInline, maxFile, "out", spillDir);
+  const stderrBuf = new HeadTailBuffer(maxInline, maxFile, "err", spillDir);
+  const controller = new AbortController();
+  const abortOnOuter = () => controller.abort();
+  if (session.signal) {
+    if (session.signal.aborted) controller.abort();
+    else session.signal.addEventListener("abort", abortOnOuter, { once: true });
+  }
+  let timedOut = null;
+  let inactivityTimer = null;
+  const resetInactivity = () => {
+    if (inactivityTimer) clearTimeout(inactivityTimer);
+    inactivityTimer = setTimeout(() => {
+      timedOut = "inactivity timeout";
+      controller.abort();
+    }, inactivityTimeoutMs);
+  };
+  resetInactivity();
+  const wallclockTimer = setTimeout(() => {
+    timedOut = "wall-clock backstop";
+    controller.abort();
+  }, wallclockMs);
+  const start = Date.now();
+  let result;
+  try {
+    result = await executor.run({
+      command,
+      cwd,
+      env,
+      signal: controller.signal,
+      onStdout: (chunk) => {
+        stdoutBuf.write(chunk);
+        resetInactivity();
+      },
+      onStderr: (chunk) => {
+        stderrBuf.write(chunk);
+        resetInactivity();
+      }
+    });
+  } finally {
+    if (inactivityTimer) clearTimeout(inactivityTimer);
+    clearTimeout(wallclockTimer);
+    if (session.signal) {
+      session.signal.removeEventListener("abort", abortOnOuter);
+    }
+  }
+  const durationMs = Date.now() - start;
+  const stdoutRender = stdoutBuf.render();
+  const stderrRender = stderrBuf.render();
+  if (timedOut !== null) {
+    const logPath2 = stdoutRender.logPath ?? stderrRender.logPath;
+    return {
+      kind: "timeout",
+      output: formatTimeoutText({
+        command,
+        stdout: stdoutRender.text,
+        stderr: stderrRender.text,
+        reason: timedOut,
+        durationMs,
+        partialBytes: stdoutBuf.bytesTotal() + stderrBuf.bytesTotal(),
+        logPath: logPath2
+      }),
+      stdout: stdoutRender.text,
+      stderr: stderrRender.text,
+      reason: timedOut,
+      durationMs,
+      ...logPath2 ? { logPath: logPath2 } : {}
+    };
+  }
+  const exitCode = result.exitCode ?? -1;
+  const kind = exitCode === 0 ? "ok" : "nonzero_exit";
+  const logPath = stdoutRender.logPath ?? stderrRender.logPath;
+  const byteCap = stdoutRender.byteCap || stderrRender.byteCap;
+  return {
+    kind,
+    output: formatResultText({
+      command,
+      exitCode,
+      stdout: stdoutRender.text,
+      stderr: stderrRender.text,
+      durationMs,
+      byteCap,
+      logPath,
+      kind
+    }),
+    exitCode,
+    stdout: stdoutRender.text,
+    stderr: stderrRender.text,
+    durationMs,
+    ...logPath ? { logPath } : {},
+    byteCap
+  };
+}
+async function bashOutput(input, session) {
+  const parsed = safeParseBashOutputParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(harnessCore.toolError("INVALID_PARAM", messages));
+  }
+  const executor = session.executor ?? createLocalBashExecutor();
+  if (!executor.readBackground) {
+    return err(
+      harnessCore.toolError(
+        "INVALID_PARAM",
+        "bash_output is not supported by this executor adapter."
+      )
+    );
+  }
+  try {
+    const read = await executor.readBackground(parsed.value.job_id, {
+      ...parsed.value.since_byte !== void 0 ? { since_byte: parsed.value.since_byte } : {},
+      ...parsed.value.head_limit !== void 0 ? { head_limit: parsed.value.head_limit } : {}
+    });
+    const sinceByte = parsed.value.since_byte ?? 0;
+    const returnedBytes = byteLength(read.stdout) + byteLength(read.stderr);
+    const totalBytes = read.totalBytesStdout + read.totalBytesStderr;
+    return {
+      kind: "output",
+      output: formatBashOutputText({
+        jobId: parsed.value.job_id,
+        running: read.running,
+        exitCode: read.exitCode,
+        stdout: read.stdout,
+        stderr: read.stderr,
+        sinceByte,
+        returnedBytes,
+        totalBytes
+      }),
+      running: read.running,
+      exitCode: read.exitCode,
+      stdout: read.stdout,
+      stderr: read.stderr,
+      totalBytesStdout: read.totalBytesStdout,
+      totalBytesStderr: read.totalBytesStderr,
+      nextSinceByte: sinceByte + returnedBytes
+    };
+  } catch (e) {
+    return err(
+      harnessCore.toolError(
+        "NOT_FOUND",
+        e.message || `Unknown job_id: ${parsed.value.job_id}`
+      )
+    );
+  }
+}
+async function bashKill(input, session) {
+  const parsed = safeParseBashKillParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(harnessCore.toolError("INVALID_PARAM", messages));
+  }
+  const executor = session.executor ?? createLocalBashExecutor();
+  if (!executor.killBackground) {
+    return err(
+      harnessCore.toolError(
+        "INVALID_PARAM",
+        "bash_kill is not supported by this executor adapter."
+      )
+    );
+  }
+  const signal = parsed.value.signal ?? "SIGTERM";
+  await executor.killBackground(parsed.value.job_id, signal);
+  return {
+    kind: "killed",
+    output: formatBashKillText({ jobId: parsed.value.job_id, signal }),
+    jobId: parsed.value.job_id,
+    signal
+  };
+}
+function applyCwdCarry(session, command, exitCode) {
+  if (exitCode !== 0) {
+    return { changed: false, newCwd: null, escaped: false };
+  }
+  const target = detectTopLevelCd(command);
+  if (target === null) {
+    return { changed: false, newCwd: null, escaped: false };
+  }
+  const base = session.logicalCwd?.value ?? session.cwd;
+  const resolved = path4__default.default.isAbsolute(target) ? path4__default.default.resolve(target) : path4__default.default.resolve(base, target);
+  const inside = session.permissions.roots.some(
+    (r) => resolved === r || resolved.startsWith(r + path4__default.default.sep)
+  );
+  if (!inside && session.permissions.bypassWorkspaceGuard !== true) {
+    return { changed: false, newCwd: resolved, escaped: true };
+  }
+  if (session.logicalCwd) {
+    session.logicalCwd.value = resolved;
+  }
+  return { changed: true, newCwd: resolved, escaped: false };
+}
+exports.BACKGROUND_MAX_JOBS = BACKGROUND_MAX_JOBS;
+exports.BASH_KILL_TOOL_DESCRIPTION = BASH_KILL_TOOL_DESCRIPTION;
+exports.BASH_KILL_TOOL_NAME = BASH_KILL_TOOL_NAME;
+exports.BASH_OUTPUT_TOOL_DESCRIPTION = BASH_OUTPUT_TOOL_DESCRIPTION;
+exports.BASH_OUTPUT_TOOL_NAME = BASH_OUTPUT_TOOL_NAME;
+exports.BASH_TOOL_DESCRIPTION = BASH_TOOL_DESCRIPTION;
+exports.BASH_TOOL_NAME = BASH_TOOL_NAME;
+exports.BashKillParamsSchema = BashKillParamsSchema;
+exports.BashOutputParamsSchema = BashOutputParamsSchema;
+exports.BashParamsSchema = BashParamsSchema;
+exports.DEFAULT_INACTIVITY_TIMEOUT_MS = DEFAULT_INACTIVITY_TIMEOUT_MS;
+exports.DEFAULT_WALLCLOCK_BACKSTOP_MS = DEFAULT_WALLCLOCK_BACKSTOP_MS;
+exports.HeadTailBuffer = HeadTailBuffer;
+exports.MAX_COMMAND_LENGTH = MAX_COMMAND_LENGTH;
+exports.MAX_OUTPUT_BYTES_FILE = MAX_OUTPUT_BYTES_FILE;
+exports.MAX_OUTPUT_BYTES_INLINE = MAX_OUTPUT_BYTES_INLINE;
+exports.SENSITIVE_ENV_PREFIXES = SENSITIVE_ENV_PREFIXES;
+exports.applyCwdCarry = applyCwdCarry;
+exports.bash = bash;
+exports.bashKill = bashKill;
+exports.bashKillToolDefinition = bashKillToolDefinition;
+exports.bashOutput = bashOutput;
+exports.bashOutputToolDefinition = bashOutputToolDefinition;
+exports.bashToolDefinition = bashToolDefinition;
+exports.createLocalBashExecutor = createLocalBashExecutor;
+exports.detectTopLevelCd = detectTopLevelCd;
+exports.formatBackgroundStartedText = formatBackgroundStartedText;
+exports.formatBashKillText = formatBashKillText;
+exports.formatBashOutputText = formatBashOutputText;
+exports.formatResultText = formatResultText;
+exports.formatTimeoutText = formatTimeoutText;
+exports.safeParseBashKillParams = safeParseBashKillParams;
+exports.safeParseBashOutputParams = safeParseBashOutputParams;
+exports.safeParseBashParams = safeParseBashParams;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map