@agent-sh/harness-bash 0.2.0

package/dist/index.js

@@ -0,0 +1,951 @@
+import path4 from 'path';
+import { toolError, defaultNodeOperations, matchesAnyPattern, isInsideAnyRoot } from '@agent-sh/harness-core';
+import { spawn } from 'child_process';
+import { mkdirSync, writeFileSync, appendFileSync, createWriteStream, existsSync, statSync, readFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { randomUUID } from 'crypto';
+import * as v from 'valibot';
+
+// src/bash.ts
+
+// src/constants.ts
+var DEFAULT_INACTIVITY_TIMEOUT_MS = 6e4;
+var DEFAULT_WALLCLOCK_BACKSTOP_MS = 3e5;
+var MAX_COMMAND_LENGTH = 16384;
+var MAX_OUTPUT_BYTES_INLINE = 30720;
+var MAX_OUTPUT_BYTES_FILE = 10 * 1024 * 1024;
+var BACKGROUND_MAX_JOBS = 16;
+var KILL_GRACE_MS = 5e3;
+var SENSITIVE_ENV_PREFIXES = [
+  "AWS_",
+  "BEDROCK_",
+  "GITHUB_TOKEN",
+  "GH_TOKEN",
+  "OPENAI_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "GOOGLE_API_KEY",
+  "GEMINI_API_KEY",
+  "NPM_TOKEN",
+  "DOCKERHUB_TOKEN",
+  "SLACK_",
+  "STRIPE_"
+];
+function createLocalBashExecutor(opts) {
+  const bashPath = opts?.bashPath ?? "/bin/bash";
+  const logDir = opts?.logDir ?? path4.join(tmpdir(), "agent-sh-bash-logs");
+  mkdirSync(logDir, { recursive: true });
+  const jobs = /* @__PURE__ */ new Map();
+  async function runForeground2(input) {
+    const child = spawn(bashPath, ["-c", input.command], {
+      cwd: input.cwd,
+      env: { ...input.env },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    child.stdout.on("data", (chunk) => input.onStdout(chunk));
+    child.stderr.on("data", (chunk) => input.onStderr(chunk));
+    let killedBySignal = false;
+    const onAbort = () => {
+      killedBySignal = true;
+      try {
+        child.kill("SIGTERM");
+        setTimeout(() => {
+          if (child.exitCode === null) child.kill("SIGKILL");
+        }, KILL_GRACE_MS).unref();
+      } catch {
+      }
+    };
+    if (input.signal.aborted) {
+      onAbort();
+    } else {
+      input.signal.addEventListener("abort", onAbort, { once: true });
+    }
+    return new Promise((resolve) => {
+      child.on("close", (code, signal) => {
+        input.signal.removeEventListener("abort", onAbort);
+        resolve({
+          exitCode: code,
+          killed: killedBySignal,
+          signal: signal ?? null
+        });
+      });
+      child.on("error", () => {
+        input.signal.removeEventListener("abort", onAbort);
+        resolve({ exitCode: null, killed: killedBySignal, signal: null });
+      });
+    });
+  }
+  async function spawnBackground(args) {
+    const jobId = randomUUID();
+    const outPath = path4.join(logDir, `${jobId}.out`);
+    const errPath = path4.join(logDir, `${jobId}.err`);
+    const outStream = createWriteStream(outPath, { flags: "w" });
+    const errStream = createWriteStream(errPath, { flags: "w" });
+    const child = spawn(bashPath, ["-c", args.command], {
+      cwd: args.cwd,
+      env: { ...args.env },
+      stdio: ["ignore", "pipe", "pipe"],
+      detached: false
+    });
+    child.stdout.pipe(outStream);
+    child.stderr.pipe(errStream);
+    const job = {
+      id: jobId,
+      outPath,
+      errPath,
+      running: true,
+      exitCode: null,
+      killed: false,
+      proc: child
+    };
+    jobs.set(jobId, job);
+    child.on("close", (code) => {
+      job.running = false;
+      job.exitCode = code;
+      job.proc = null;
+    });
+    child.on("error", () => {
+      job.running = false;
+      job.proc = null;
+    });
+    return { jobId };
+  }
+  async function readBackground(jobId, opts2) {
+    const job = jobs.get(jobId);
+    if (!job) {
+      throw new Error(`Unknown job_id: ${jobId}`);
+    }
+    const since = opts2.since_byte ?? 0;
+    const limit = opts2.head_limit ?? 30720;
+    const stdout = readSlice(job.outPath, since, limit);
+    const stderr = readSlice(job.errPath, since, limit);
+    return {
+      stdout: stdout.text,
+      stderr: stderr.text,
+      running: job.running,
+      exitCode: job.exitCode,
+      totalBytesStdout: stdout.totalBytes,
+      totalBytesStderr: stderr.totalBytes
+    };
+  }
+  async function killBackground(jobId, signal = "SIGTERM") {
+    const job = jobs.get(jobId);
+    if (!job || !job.proc) return;
+    job.killed = true;
+    try {
+      job.proc.kill(signal);
+      if (signal === "SIGTERM") {
+        setTimeout(() => {
+          if (job.running && job.proc) {
+            try {
+              job.proc.kill("SIGKILL");
+            } catch {
+            }
+          }
+        }, KILL_GRACE_MS).unref();
+      }
+    } catch {
+    }
+  }
+  async function closeSession() {
+    for (const job of jobs.values()) {
+      if (job.running && job.proc) {
+        try {
+          job.proc.kill("SIGTERM");
+        } catch {
+        }
+      }
+    }
+  }
+  return {
+    run: runForeground2,
+    spawnBackground,
+    readBackground,
+    killBackground,
+    closeSession
+  };
+}
+function readSlice(filePath, since, limit) {
+  if (!existsSync(filePath)) return { text: "", totalBytes: 0 };
+  const totalBytes = statSync(filePath).size;
+  if (since >= totalBytes) return { text: "", totalBytes };
+  const end = Math.min(since + limit, totalBytes);
+  const buf = readFileSync(filePath).subarray(since, end);
+  return { text: buf.toString("utf8"), totalBytes };
+}
+async function resolveCwd(ops, session, requested) {
+  const base = requested ?? session.logicalCwd?.value ?? session.cwd;
+  const absolute = path4.isAbsolute(base) ? base : path4.resolve(session.cwd, base);
+  try {
+    return await ops.realpath(absolute);
+  } catch {
+    return absolute;
+  }
+}
+async function fenceBash(session, resolvedCwd) {
+  const { permissions } = session;
+  const isSensitive = matchesAnyPattern(
+    resolvedCwd,
+    permissions.sensitivePatterns
+  );
+  const insideWorkspace = isInsideAnyRoot(resolvedCwd, permissions.roots);
+  if (isSensitive && permissions.hook === void 0) {
+    return toolError(
+      "SENSITIVE",
+      `Refusing to run bash in sensitive path: ${resolvedCwd}`,
+      { meta: { path: resolvedCwd } }
+    );
+  }
+  if (!insideWorkspace && permissions.bypassWorkspaceGuard !== true && permissions.hook === void 0) {
+    return toolError(
+      "OUTSIDE_WORKSPACE",
+      `cwd is outside all configured workspace roots: ${resolvedCwd}`,
+      { meta: { path: resolvedCwd, roots: permissions.roots } }
+    );
+  }
+  return void 0;
+}
+async function askPermission(session, args) {
+  const { permissions } = session;
+  const commandHead = args.command.trimStart().split(/\s+/)[0] ?? "";
+  const alwaysPatterns = commandHead ? [`Bash(${commandHead}:*)`] : ["Bash(*)"];
+  if (permissions.hook === void 0) {
+    if (permissions.unsafeAllowBashWithoutHook === true) {
+      return { decision: "allow" };
+    }
+    return {
+      decision: "deny",
+      reason: "bash tool has no permission hook configured; refusing to run untrusted commands. Wire a hook or set session.permissions.unsafeAllowBashWithoutHook for test fixtures."
+    };
+  }
+  const decision = await permissions.hook({
+    tool: "bash",
+    path: args.cwd,
+    action: "read",
+    always_patterns: alwaysPatterns,
+    metadata: {
+      command: args.command,
+      cwd: args.cwd,
+      background: args.background,
+      timeout_ms: args.timeoutMs,
+      env_keys: args.envKeys,
+      network_required: null
+    }
+  });
+  if (decision === "deny") {
+    return {
+      decision: "deny",
+      reason: `Command blocked by permission policy. Pattern hint: ${alwaysPatterns.join(", ")}`
+    };
+  }
+  if (decision === "allow" || decision === "allow_once") {
+    return { decision };
+  }
+  return {
+    decision: "deny",
+    reason: "Permission hook returned 'ask' but bash runs in autonomous mode. Configure the hook to return allow or deny."
+  };
+}
+function resolveOps(session) {
+  return session.ops ?? defaultNodeOperations();
+}
+var HeadTailBuffer = class {
+  constructor(maxInline, maxFile, kind, spillDir) {
+    this.maxInline = maxInline;
+    this.maxFile = maxFile;
+    this.kind = kind;
+    this.spillDir = spillDir;
+  }
+  maxInline;
+  maxFile;
+  kind;
+  spillDir;
+  chunks = [];
+  totalBytes = 0;
+  byteCap = false;
+  spilled = false;
+  spillPath = null;
+  spillBytes = [];
+  write(chunk) {
+    this.totalBytes += chunk.byteLength;
+    if (this.totalBytes <= this.maxInline) {
+      this.chunks.push(chunk);
+      return;
+    }
+    if (!this.spilled) {
+      this.spilled = true;
+      this.byteCap = true;
+      this.spillPath = path4.join(
+        this.spillDir,
+        `${randomUUID()}.${this.kind}`
+      );
+      for (const c of this.chunks) this.appendSpill(c);
+    }
+    this.appendSpill(chunk);
+    this.spillBytes.push(chunk.byteLength);
+  }
+  appendSpill(chunk) {
+    if (this.spillPath === null) return;
+    if (!this.spillInit) {
+      mkdirSync(this.spillDir, { recursive: true });
+      writeFileSync(this.spillPath, "");
+      this.spillInit = true;
+    }
+    if (this.fileBytesWritten + chunk.byteLength > this.maxFile) {
+      return;
+    }
+    appendFileSync(this.spillPath, Buffer.from(chunk));
+    this.fileBytesWritten += chunk.byteLength;
+  }
+  spillInit = false;
+  fileBytesWritten = 0;
+  /**
+   * Return the inline render:
+   *   - If not capped: the full buffered text.
+   *   - If capped: head (first maxInline/2 bytes) + marker + tail
+   *     (last maxInline/2 bytes) approximation. We approximate the tail
+   *     by decoding only the tail window (maxInline/2 bytes from the spill
+   *     file) because the stream is write-once and we dropped the middle.
+   *
+   * The actual implementation is simpler: we keep only the head inline
+   * (first maxInline bytes, never overwritten) and emit a marker that
+   * points at the log path. Head-only is a deliberate simplification
+   * versus spec's head+tail — it matches OpenCode's default, and we
+   * rely on Read(path) to see the tail. Spec §4 head+tail is a v2
+   * improvement once we prove the file-path recovery path.
+   */
+  render() {
+    if (!this.spilled) {
+      const combined = Buffer.concat(this.chunks.map((c) => Buffer.from(c)));
+      return {
+        text: combined.toString("utf8"),
+        byteCap: false,
+        logPath: null
+      };
+    }
+    const head = Buffer.concat(
+      this.chunks.map((c) => Buffer.from(c)),
+      this.maxInline
+    ).toString("utf8");
+    const marker = `
+... (stream exceeded ${this.maxInline} bytes; full log at ${this.spillPath}) ...`;
+    return {
+      text: head + marker,
+      byteCap: true,
+      logPath: this.spillPath
+    };
+  }
+  bytesTotal() {
+    return this.totalBytes;
+  }
+  wasCapped() {
+    return this.byteCap;
+  }
+};
+function defaultSpillDir() {
+  return path4.join(tmpdir(), "agent-sh-bash-spill");
+}
+function formatResultText(args) {
+  const header = `<command>${args.command}</command>`;
+  const exitLine = `<exit_code>${args.exitCode}</exit_code>`;
+  const stdoutBlock = `<stdout>
+${args.stdout}
+</stdout>`;
+  const stderrBlock = `<stderr>
+${args.stderr}
+</stderr>`;
+  const hint = args.byteCap ? `(Output capped. Full log: ${args.logPath}. Read it with pagination if you need the middle.)` : args.kind === "ok" ? `(Command completed in ${args.durationMs}ms. exit=0.)` : `(Command exited nonzero in ${args.durationMs}ms. Exit code: ${args.exitCode}.)`;
+  return [header, exitLine, stdoutBlock, stderrBlock, hint].join("\n");
+}
+function formatTimeoutText(args) {
+  const header = `<command>${args.command}</command>`;
+  const stdoutBlock = `<stdout>
+${args.stdout}
+</stdout>`;
+  const stderrBlock = `<stderr>
+${args.stderr}
+</stderr>`;
+  const logHint = args.logPath ? ` Full log: ${args.logPath}.` : "";
+  const hint = `(Command hit ${args.reason} after ${args.durationMs}ms. ${args.partialBytes} bytes captured. Kill signal: SIGTERM then SIGKILL.${logHint} If the command is long-running, retry with background: true.)`;
+  return [header, stdoutBlock, stderrBlock, hint].join("\n");
+}
+function formatBackgroundStartedText(args) {
+  return [
+    `<command>${args.command}</command>`,
+    `<job_id>${args.jobId}</job_id>`,
+    `(Background job started. Poll output with bash_output(job_id). Kill with bash_kill(job_id).)`
+  ].join("\n");
+}
+function formatBashOutputText(args) {
+  const next = args.sinceByte + args.returnedBytes;
+  return [
+    `<job_id>${args.jobId}</job_id>`,
+    `<running>${args.running}</running>`,
+    `<exit_code>${args.exitCode === null ? "null" : args.exitCode}</exit_code>`,
+    `<stdout>
+${args.stdout}
+</stdout>`,
+    `<stderr>
+${args.stderr}
+</stderr>`,
+    `(Showing bytes ${args.sinceByte}-${next} of ${args.totalBytes}. Next since_byte: ${next}. Job running: ${args.running}.)`
+  ].join("\n");
+}
+function formatBashKillText(args) {
+  return `<job_id>${args.jobId}</job_id>
+(${args.signal} sent. Poll bash_output to confirm termination.)`;
+}
+var BashParamsSchema = v.strictObject({
+  command: v.pipe(
+    v.string(),
+    v.minLength(1, "command is required"),
+    v.maxLength(
+      MAX_COMMAND_LENGTH,
+      `command exceeds ${MAX_COMMAND_LENGTH} bytes`
+    )
+  ),
+  cwd: v.optional(v.pipe(v.string(), v.minLength(1, "cwd must not be empty"))),
+  timeout_ms: v.optional(
+    v.pipe(
+      v.number(),
+      v.integer(),
+      v.minValue(100, "timeout_ms must be >= 100 ms")
+    )
+  ),
+  description: v.optional(v.string()),
+  background: v.optional(v.boolean()),
+  env: v.optional(v.record(v.string(), v.string()))
+});
+var BashOutputParamsSchema = v.strictObject({
+  job_id: v.pipe(v.string(), v.minLength(1, "job_id is required")),
+  since_byte: v.optional(
+    v.pipe(v.number(), v.integer(), v.minValue(0, "since_byte must be >= 0"))
+  ),
+  head_limit: v.optional(
+    v.pipe(v.number(), v.integer(), v.minValue(1, "head_limit must be >= 1"))
+  )
+});
+var BashKillParamsSchema = v.strictObject({
+  job_id: v.pipe(v.string(), v.minLength(1, "job_id is required")),
+  signal: v.optional(v.picklist(["SIGTERM", "SIGKILL"]))
+});
+var KNOWN_PARAM_ALIASES = {
+  cmd: "unknown parameter 'cmd'. Use 'command' instead.",
+  shell_command: "unknown parameter 'shell_command'. Use 'command' instead.",
+  script: "unknown parameter 'script'. Use 'command' instead.",
+  run: "unknown parameter 'run'. Use 'command' instead.",
+  directory: "unknown parameter 'directory'. Use 'cwd' instead.",
+  dir: "unknown parameter 'dir'. Use 'cwd' instead.",
+  path: "unknown parameter 'path'. Use 'cwd' instead.",
+  working_directory: "unknown parameter 'working_directory'. Use 'cwd' instead.",
+  timeout: "unknown parameter 'timeout'. Use 'timeout_ms' instead (milliseconds, not seconds). For 30s pass timeout_ms: 30000.",
+  time_limit: "unknown parameter 'time_limit'. Use 'timeout_ms' instead (milliseconds).",
+  timeout_seconds: "unknown parameter 'timeout_seconds'. Use 'timeout_ms' instead (multiply by 1000).",
+  env_vars: "unknown parameter 'env_vars'. Use 'env' instead.",
+  environment: "unknown parameter 'environment'. Use 'env' instead.",
+  lang: `unknown parameter 'lang'. Bash runs shell commands; invoke other languages via the command itself (e.g. 'python -c "..."', 'node -e "..."').`,
+  language: `unknown parameter 'language'. Invoke other languages via the command (e.g. 'python -c "..."', 'node -e "..."').`,
+  interpreter: `unknown parameter 'interpreter'. Invoke the interpreter inside the command itself (e.g. 'python -c "..."').`,
+  runtime: `unknown parameter 'runtime'. Invoke the runtime inside the command itself (e.g. 'node -e "..."').`,
+  stdin: `unknown parameter 'stdin'. Interactive stdin is not supported in v1. Pipe data into the command instead (e.g. 'echo "y" | npm init').`,
+  input: "unknown parameter 'input'. Interactive input is not supported in v1. Make the command non-interactive with flags like --yes.",
+  sandbox: "unknown parameter 'sandbox'. Sandboxing is configured on the session, not per-call.",
+  sandbox_mode: "unknown parameter 'sandbox_mode'. Sandboxing is configured on the session, not per-call.",
+  permissions: "unknown parameter 'permissions'. The permission hook is configured on the session.",
+  network: "unknown parameter 'network'. Network access is configured on the session / executor adapter.",
+  network_access: "unknown parameter 'network_access'. Network access is configured on the session / executor adapter.",
+  shell: "unknown parameter 'shell'. Shell binary is configured on the session.",
+  shell_binary: "unknown parameter 'shell_binary'. Shell binary is configured on the session."
+};
+function checkAliases(input) {
+  if (input === null || typeof input !== "object") return [];
+  const hints = [];
+  for (const key of Object.keys(input)) {
+    const hint = KNOWN_PARAM_ALIASES[key];
+    if (hint) hints.push(hint);
+  }
+  return hints;
+}
+function makeAliasIssues(messages) {
+  return messages.map(
+    (m) => ({
+      kind: "validation",
+      type: "custom",
+      input: void 0,
+      expected: null,
+      received: "unknown",
+      message: m
+    })
+  );
+}
+function safeParseBashParams(input) {
+  const aliases = checkAliases(input);
+  if (aliases.length > 0) {
+    return { ok: false, issues: makeAliasIssues(aliases) };
+  }
+  const result = v.safeParse(BashParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+function safeParseBashOutputParams(input) {
+  const result = v.safeParse(BashOutputParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+function safeParseBashKillParams(input) {
+  const result = v.safeParse(BashKillParamsSchema, input);
+  if (result.success) return { ok: true, value: result.output };
+  return { ok: false, issues: result.issues };
+}
+var BASH_TOOL_NAME = "bash";
+var BASH_TOOL_DESCRIPTION = `Run a single shell command in a bash subprocess. Output is captured and returned with the exit code.
+
+Usage:
+- 'cd' carries over to subsequent calls if it stays inside the workspace; otherwise the cwd is reset. Environment variables do NOT persist across calls \u2014 set them inline (FOO=bar some-cmd) or via 'env'.
+- For non-shell code, use language one-liners: 'python -c "print(2+2)"', 'node -e "console.log(2+2)"', 'deno eval "console.log(2+2)"'. For multi-line scripts, write a temp file with the write tool and invoke the interpreter on it.
+- Long-running processes (servers, watchers) MUST use background: true. The tool returns a job_id; poll output with bash_output(job_id). Do not leave a foreground command running past the 5-minute wall-clock backstop.
+- No interactive commands. Anything that needs stdin (pagers, Y/n prompts, REPLs, 'git commit' without -m) will hang until the inactivity timeout. Use flags to make commands non-interactive (--yes, -y, --no-pager) or pipe 'echo "y" |' in front.
+- Inactivity timeout resets on any output; default 60000 ms. Override with timeout_ms. Wall-clock backstop is 5 minutes for foreground calls.
+- Prefer this tool over other ways of running shell commands. For filename search prefer 'glob'; for content search prefer 'grep'.`;
+var bashToolDefinition = {
+  name: BASH_TOOL_NAME,
+  description: BASH_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      command: {
+        type: "string",
+        description: "The shell command to run (single string, interpreted by bash -c)."
+      },
+      cwd: {
+        type: "string",
+        description: "Absolute working directory. Defaults to the session cwd plus any carried-over cd. Must be inside the workspace."
+      },
+      timeout_ms: {
+        type: "integer",
+        minimum: 100,
+        description: "Inactivity timeout in milliseconds. Any output resets the clock. Default 60000 (60 s). Wall-clock backstop is 5 minutes regardless."
+      },
+      description: {
+        type: "string",
+        description: "One-line human-readable 'why' (optional, for traces)."
+      },
+      background: {
+        type: "boolean",
+        description: "Run as a background job. Returns a job_id; poll output with bash_output. Use for servers, watchers, long-running builds."
+      },
+      env: {
+        type: "object",
+        additionalProperties: { type: "string" },
+        description: "Environment variables merged on top of the session env. Keys with sensitive prefixes (AWS_*, GITHUB_TOKEN, etc.) are rejected."
+      }
+    },
+    required: ["command"],
+    additionalProperties: false
+  }
+};
+var BASH_OUTPUT_TOOL_NAME = "bash_output";
+var BASH_OUTPUT_TOOL_DESCRIPTION = `Poll a backgrounded bash job's output since a given byte offset.
+
+Returns stdout and stderr slices plus whether the job is still running and its exit code if finished. Use 'since_byte' from the previous call to paginate through a long-running job's output without re-fetching already-seen bytes.`;
+var bashOutputToolDefinition = {
+  name: BASH_OUTPUT_TOOL_NAME,
+  description: BASH_OUTPUT_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      job_id: {
+        type: "string",
+        description: "The job_id returned by a previous bash call with background: true."
+      },
+      since_byte: {
+        type: "integer",
+        minimum: 0,
+        description: "Start of the requested slice per stream, in bytes. Defaults to 0. Use next_since_byte from a previous output call to resume."
+      },
+      head_limit: {
+        type: "integer",
+        minimum: 1,
+        description: "Max bytes per stream (default 30720 / 30 KB)."
+      }
+    },
+    required: ["job_id"],
+    additionalProperties: false
+  }
+};
+var BASH_KILL_TOOL_NAME = "bash_kill";
+var BASH_KILL_TOOL_DESCRIPTION = `Send a termination signal to a backgrounded bash job.
+
+Defaults to SIGTERM (graceful). Use SIGKILL for an unresponsive job. The job's next bash_output call will report running: false.`;
+var bashKillToolDefinition = {
+  name: BASH_KILL_TOOL_NAME,
+  description: BASH_KILL_TOOL_DESCRIPTION,
+  inputSchema: {
+    type: "object",
+    properties: {
+      job_id: {
+        type: "string",
+        description: "The job_id returned by a previous bash call with background: true."
+      },
+      signal: {
+        type: "string",
+        enum: ["SIGTERM", "SIGKILL"],
+        description: "Signal to send. Default SIGTERM."
+      }
+    },
+    required: ["job_id"],
+    additionalProperties: false
+  }
+};
+
+// src/bash.ts
+var jobCountBySession = /* @__PURE__ */ new WeakMap();
+function incJobCount(session) {
+  jobCountBySession.set(session, (jobCountBySession.get(session) ?? 0) + 1);
+}
+function jobCount(session) {
+  return jobCountBySession.get(session) ?? 0;
+}
+function err(error) {
+  return { kind: "error", error };
+}
+function resolveExecutor(session) {
+  if (session.executor) return session.executor;
+  if (session.permissions.unsafeAllowBashWithoutHook !== true) ;
+  return createLocalBashExecutor();
+}
+function detectTopLevelCd(command) {
+  const trimmed = command.trim();
+  if (trimmed.length === 0) return null;
+  const match = trimmed.match(/^cd\s+([^\s&|;`$()]+)$/);
+  if (!match) return null;
+  const arg = match[1];
+  if (arg === void 0) return null;
+  if (arg.startsWith('"') && arg.endsWith('"') || arg.startsWith("'") && arg.endsWith("'")) {
+    return arg.slice(1, -1);
+  }
+  return arg;
+}
+function checkEnv(env) {
+  for (const key of Object.keys(env)) {
+    for (const prefix of SENSITIVE_ENV_PREFIXES) {
+      if (key === prefix || prefix.endsWith("_") && key.startsWith(prefix)) {
+        return `env may not set sensitive-prefix variable '${key}' (prefix '${prefix}').`;
+      }
+    }
+  }
+  return null;
+}
+function byteLength(s) {
+  return Buffer.byteLength(s, "utf8");
+}
+async function bash(input, session) {
+  const parsed = safeParseBashParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(toolError("INVALID_PARAM", messages, { cause: parsed.issues }));
+  }
+  const params = parsed.value;
+  if (params.background === true && params.timeout_ms !== void 0) {
+    return err(
+      toolError(
+        "INVALID_PARAM",
+        "timeout_ms does not apply to background jobs; they have their own lifecycle (bash_kill). Drop timeout_ms or set background: false."
+      )
+    );
+  }
+  const envParam = params.env ?? {};
+  const envError = checkEnv(envParam);
+  if (envError) {
+    return err(toolError("INVALID_PARAM", envError));
+  }
+  const ops = resolveOps(session);
+  const resolvedCwd = await resolveCwd(ops, session, params.cwd);
+  const fenceError = await fenceBash(session, resolvedCwd);
+  if (fenceError) return err(fenceError);
+  const stat = await ops.stat(resolvedCwd).catch(() => void 0);
+  if (!stat) {
+    return err(
+      toolError("NOT_FOUND", `cwd does not exist: ${resolvedCwd}`, {
+        meta: { cwd: resolvedCwd }
+      })
+    );
+  }
+  if (stat.type !== "directory") {
+    return err(
+      toolError(
+        "IO_ERROR",
+        `cwd is not a directory: ${resolvedCwd}`,
+        { meta: { cwd: resolvedCwd } }
+      )
+    );
+  }
+  const effectiveTimeout = params.timeout_ms ?? session.defaultInactivityTimeoutMs ?? DEFAULT_INACTIVITY_TIMEOUT_MS;
+  const decision = await askPermission(session, {
+    command: params.command,
+    cwd: resolvedCwd,
+    background: params.background ?? false,
+    timeoutMs: effectiveTimeout,
+    envKeys: Object.keys(envParam)
+  });
+  if (decision.decision === "deny") {
+    const echo = params.command.length > 200 ? params.command.slice(0, 200) + "..." : params.command;
+    return err(
+      toolError(
+        "PERMISSION_DENIED",
+        `${decision.reason}
+Command: ${echo}`,
+        { meta: { command: params.command, cwd: resolvedCwd } }
+      )
+    );
+  }
+  const execEnv = {
+    ...session.env ?? process.env,
+    ...envParam
+  };
+  for (const [k, v2] of Object.entries(execEnv)) {
+    if (v2 === void 0) delete execEnv[k];
+  }
+  const executor = resolveExecutor(session);
+  if (params.background === true) {
+    return runBackground(
+      session,
+      executor,
+      params.command,
+      resolvedCwd,
+      execEnv
+    );
+  }
+  return runForeground(
+    session,
+    executor,
+    params.command,
+    resolvedCwd,
+    execEnv,
+    effectiveTimeout
+  );
+}
+async function runBackground(session, executor, command, cwd, env) {
+  if (!executor.spawnBackground) {
+    return err(
+      toolError(
+        "INVALID_PARAM",
+        "background: true is not supported by this executor adapter."
+      )
+    );
+  }
+  const maxJobs = session.maxBackgroundJobs ?? BACKGROUND_MAX_JOBS;
+  if (jobCount(session) >= maxJobs) {
+    return err(
+      toolError(
+        "IO_ERROR",
+        `Background job limit reached (${maxJobs}). Kill an existing job first with bash_kill.`
+      )
+    );
+  }
+  const { jobId } = await executor.spawnBackground({ command, cwd, env });
+  incJobCount(session);
+  return {
+    kind: "background_started",
+    output: formatBackgroundStartedText({ command, jobId }),
+    jobId
+  };
+}
+async function runForeground(session, executor, command, cwd, env, inactivityTimeoutMs) {
+  const wallclockMs = session.wallclockBackstopMs ?? DEFAULT_WALLCLOCK_BACKSTOP_MS;
+  const maxInline = session.maxOutputBytesInline ?? MAX_OUTPUT_BYTES_INLINE;
+  const maxFile = session.maxOutputBytesFile ?? MAX_OUTPUT_BYTES_FILE;
+  const spillDir = defaultSpillDir();
+  const stdoutBuf = new HeadTailBuffer(maxInline, maxFile, "out", spillDir);
+  const stderrBuf = new HeadTailBuffer(maxInline, maxFile, "err", spillDir);
+  const controller = new AbortController();
+  const abortOnOuter = () => controller.abort();
+  if (session.signal) {
+    if (session.signal.aborted) controller.abort();
+    else session.signal.addEventListener("abort", abortOnOuter, { once: true });
+  }
+  let timedOut = null;
+  let inactivityTimer = null;
+  const resetInactivity = () => {
+    if (inactivityTimer) clearTimeout(inactivityTimer);
+    inactivityTimer = setTimeout(() => {
+      timedOut = "inactivity timeout";
+      controller.abort();
+    }, inactivityTimeoutMs);
+  };
+  resetInactivity();
+  const wallclockTimer = setTimeout(() => {
+    timedOut = "wall-clock backstop";
+    controller.abort();
+  }, wallclockMs);
+  const start = Date.now();
+  let result;
+  try {
+    result = await executor.run({
+      command,
+      cwd,
+      env,
+      signal: controller.signal,
+      onStdout: (chunk) => {
+        stdoutBuf.write(chunk);
+        resetInactivity();
+      },
+      onStderr: (chunk) => {
+        stderrBuf.write(chunk);
+        resetInactivity();
+      }
+    });
+  } finally {
+    if (inactivityTimer) clearTimeout(inactivityTimer);
+    clearTimeout(wallclockTimer);
+    if (session.signal) {
+      session.signal.removeEventListener("abort", abortOnOuter);
+    }
+  }
+  const durationMs = Date.now() - start;
+  const stdoutRender = stdoutBuf.render();
+  const stderrRender = stderrBuf.render();
+  if (timedOut !== null) {
+    const logPath2 = stdoutRender.logPath ?? stderrRender.logPath;
+    return {
+      kind: "timeout",
+      output: formatTimeoutText({
+        command,
+        stdout: stdoutRender.text,
+        stderr: stderrRender.text,
+        reason: timedOut,
+        durationMs,
+        partialBytes: stdoutBuf.bytesTotal() + stderrBuf.bytesTotal(),
+        logPath: logPath2
+      }),
+      stdout: stdoutRender.text,
+      stderr: stderrRender.text,
+      reason: timedOut,
+      durationMs,
+      ...logPath2 ? { logPath: logPath2 } : {}
+    };
+  }
+  const exitCode = result.exitCode ?? -1;
+  const kind = exitCode === 0 ? "ok" : "nonzero_exit";
+  const logPath = stdoutRender.logPath ?? stderrRender.logPath;
+  const byteCap = stdoutRender.byteCap || stderrRender.byteCap;
+  return {
+    kind,
+    output: formatResultText({
+      command,
+      exitCode,
+      stdout: stdoutRender.text,
+      stderr: stderrRender.text,
+      durationMs,
+      byteCap,
+      logPath,
+      kind
+    }),
+    exitCode,
+    stdout: stdoutRender.text,
+    stderr: stderrRender.text,
+    durationMs,
+    ...logPath ? { logPath } : {},
+    byteCap
+  };
+}
+async function bashOutput(input, session) {
+  const parsed = safeParseBashOutputParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(toolError("INVALID_PARAM", messages));
+  }
+  const executor = session.executor ?? createLocalBashExecutor();
+  if (!executor.readBackground) {
+    return err(
+      toolError(
+        "INVALID_PARAM",
+        "bash_output is not supported by this executor adapter."
+      )
+    );
+  }
+  try {
+    const read = await executor.readBackground(parsed.value.job_id, {
+      ...parsed.value.since_byte !== void 0 ? { since_byte: parsed.value.since_byte } : {},
+      ...parsed.value.head_limit !== void 0 ? { head_limit: parsed.value.head_limit } : {}
+    });
+    const sinceByte = parsed.value.since_byte ?? 0;
+    const returnedBytes = byteLength(read.stdout) + byteLength(read.stderr);
+    const totalBytes = read.totalBytesStdout + read.totalBytesStderr;
+    return {
+      kind: "output",
+      output: formatBashOutputText({
+        jobId: parsed.value.job_id,
+        running: read.running,
+        exitCode: read.exitCode,
+        stdout: read.stdout,
+        stderr: read.stderr,
+        sinceByte,
+        returnedBytes,
+        totalBytes
+      }),
+      running: read.running,
+      exitCode: read.exitCode,
+      stdout: read.stdout,
+      stderr: read.stderr,
+      totalBytesStdout: read.totalBytesStdout,
+      totalBytesStderr: read.totalBytesStderr,
+      nextSinceByte: sinceByte + returnedBytes
+    };
+  } catch (e) {
+    return err(
+      toolError(
+        "NOT_FOUND",
+        e.message || `Unknown job_id: ${parsed.value.job_id}`
+      )
+    );
+  }
+}
+async function bashKill(input, session) {
+  const parsed = safeParseBashKillParams(input);
+  if (!parsed.ok) {
+    const messages = parsed.issues.map((i) => i.message).join("; ");
+    return err(toolError("INVALID_PARAM", messages));
+  }
+  const executor = session.executor ?? createLocalBashExecutor();
+  if (!executor.killBackground) {
+    return err(
+      toolError(
+        "INVALID_PARAM",
+        "bash_kill is not supported by this executor adapter."
+      )
+    );
+  }
+  const signal = parsed.value.signal ?? "SIGTERM";
+  await executor.killBackground(parsed.value.job_id, signal);
+  return {
+    kind: "killed",
+    output: formatBashKillText({ jobId: parsed.value.job_id, signal }),
+    jobId: parsed.value.job_id,
+    signal
+  };
+}
+function applyCwdCarry(session, command, exitCode) {
+  if (exitCode !== 0) {
+    return { changed: false, newCwd: null, escaped: false };
+  }
+  const target = detectTopLevelCd(command);
+  if (target === null) {
+    return { changed: false, newCwd: null, escaped: false };
+  }
+  const base = session.logicalCwd?.value ?? session.cwd;
+  const resolved = path4.isAbsolute(target) ? path4.resolve(target) : path4.resolve(base, target);
+  const inside = session.permissions.roots.some(
+    (r) => resolved === r || resolved.startsWith(r + path4.sep)
+  );
+  if (!inside && session.permissions.bypassWorkspaceGuard !== true) {
+    return { changed: false, newCwd: resolved, escaped: true };
+  }
+  if (session.logicalCwd) {
+    session.logicalCwd.value = resolved;
+  }
+  return { changed: true, newCwd: resolved, escaped: false };
+}
+
+export { BACKGROUND_MAX_JOBS, BASH_KILL_TOOL_DESCRIPTION, BASH_KILL_TOOL_NAME, BASH_OUTPUT_TOOL_DESCRIPTION, BASH_OUTPUT_TOOL_NAME, BASH_TOOL_DESCRIPTION, BASH_TOOL_NAME, BashKillParamsSchema, BashOutputParamsSchema, BashParamsSchema, DEFAULT_INACTIVITY_TIMEOUT_MS, DEFAULT_WALLCLOCK_BACKSTOP_MS, HeadTailBuffer, MAX_COMMAND_LENGTH, MAX_OUTPUT_BYTES_FILE, MAX_OUTPUT_BYTES_INLINE, SENSITIVE_ENV_PREFIXES, applyCwdCarry, bash, bashKill, bashKillToolDefinition, bashOutput, bashOutputToolDefinition, bashToolDefinition, createLocalBashExecutor, detectTopLevelCd, formatBackgroundStartedText, formatBashKillText, formatBashOutputText, formatResultText, formatTimeoutText, safeParseBashKillParams, safeParseBashOutputParams, safeParseBashParams };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map