@agenticmail/claudecode 0.1.7 → 0.1.8

package/dist/{chunk-3ZBSRXAK.js → chunk-5HUEJNT5.js}

@@ -2,7 +2,7 @@ import {
   listAccounts,
   renderPersonaBody,
   resolveConfig
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/persona-loader.ts
 import { existsSync, readFileSync } from "fs";
@@ -82,25 +82,25 @@ async function runWorker(query, persona, userPrompt, agent, mcpServerName, mcpCo
         env: mcpEnv
       }
     },
-    // Restrict to MCP tools only — workers should never reach for
-    // Bash / Read / Edit / etc. Listing them avoids accidental leakage.
-    allowedTools: [
-      `mcp__${mcpServerName}__whoami`,
-      `mcp__${mcpServerName}__list_inbox`,
-      `mcp__${mcpServerName}__read_email`,
-      `mcp__${mcpServerName}__send_email`,
-      `mcp__${mcpServerName}__reply_email`,
-      `mcp__${mcpServerName}__search_emails`,
-      `mcp__${mcpServerName}__list_agents`,
-      `mcp__${mcpServerName}__message_agent`,
-      `mcp__${mcpServerName}__call_agent`,
-      `mcp__${mcpServerName}__wait_for_email`,
-      `mcp__${mcpServerName}__check_tasks`,
-      `mcp__${mcpServerName}__claim_task`,
-      `mcp__${mcpServerName}__submit_result`,
-      `mcp__${mcpServerName}__request_tools`,
-      `mcp__${mcpServerName}__invoke`
-    ],
+    // No `allowedTools` restriction.
+    //
+    // Earlier versions of the dispatcher locked workers to MCP-only tools
+    // ("you operate an email account, not a developer environment"). That
+    // was the wrong design: AgenticMail agents are real Claude Code
+    // subagents running under the host's OAuth, and the work humans
+    // delegate to them (write code, run tests, do research, edit files)
+    // demands the full native toolset (Read, Write, Edit, Bash, Glob,
+    // Grep, WebFetch, WebSearch, NotebookEdit, …). Restricting them
+    // turned "Zephyr implements the game" into "Zephyr emails source
+    // code as plaintext and the human has to copy-paste it" — which
+    // defeats the point of having agents in the first place.
+    //
+    // Omitting allowedTools lets the SDK fall through to its defaults
+    // (all built-in tools + every tool exposed by the MCP servers we
+    // declare above). Outbound mail is still guarded by AgenticMail's
+    // own outbound guard (HIGH-severity sends held for owner approval)
+    // and the worker is sandboxed by Claude Code's permission system
+    // just like any other subagent.
     permissionMode: "bypassPermissions",
     abortController: abortSignal ? wrapSignal(abortSignal) : void 0
   };
@@ -172,8 +172,14 @@ function newMailPrompt(agent, event) {
     `   When in doubt, stay silent \u2014 over-replying creates noise. Better to let`,
     `   the right teammate take the turn than to step on theirs.`,
     ``,
-    `5. **If it's your turn \u2014 reply-all so the whole thread sees it.**`,
-    `   reply_email({ uid: ${uid ?? "<uid>"}, replyAll: true, text: "...", _account: "${agent.name}" })`,
+    `5. **If it's your turn \u2014 do the actual work, THEN reply-all about it.**`,
+    `   You have full native tools: Read, Write, Edit, Bash, Glob, Grep, WebFetch,`,
+    `   WebSearch, NotebookEdit, etc. If the task is "implement X", write the file`,
+    `   with Write or Edit and verify with Bash \u2014 do NOT paste source code into an`,
+    `   email body and call it shipped. The thread is for COORDINATION ("done,`,
+    `   see ./foo.py, runs with \`python3 foo.py\`"); the filesystem is for`,
+    `   DELIVERABLES. Then:`,
+    `     reply_email({ uid: ${uid ?? "<uid>"}, replyAll: true, text: "...", _account: "${agent.name}" })`,
     `   Sign with your name. Be substantive but concise. If you are handing off`,
     `   to the next teammate, name them explicitly in your reply ("Orion \u2014 over to you, please \u2026").`,
     ``,

package/dist/{chunk-XGBVWZ3M.js → chunk-JVDPUO35.js}

@@ -7,7 +7,7 @@ import {
   deleteAccount,
   getAccountByName,
   resolveConfig
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/uninstall.ts
 import { existsSync, readdirSync, readFileSync, unlinkSync } from "fs";

package/dist/{chunk-YWSO3QOQ.js → chunk-M5HV2M67.js}

@@ -121,30 +121,6 @@ function resolveConfig(opts = {}) {
 }
 
 // src/subagent-template.ts
-var ESSENTIAL_TOOL_NAMES = [
-  "whoami",
-  "list_inbox",
-  "read_email",
-  "send_email",
-  "reply_email",
-  "search_emails",
-  "list_agents",
-  "message_agent",
-  // call_agent is the one-shot RPC primitive — sync request, sync answer.
-  // For multi-step coordination use the thread pattern (send_email with
-  // CC + reply_email with replyAll) instead.
-  "call_agent",
-  // wait_for_email is the thread-coordination primitive: block until a
-  // specific reply lands in your inbox (filter by from / subject /
-  // inReplyTo / participants). Essential for delegate-then-wait flows;
-  // making subagents discover it via request_tools would be a usability
-  // disaster for the most common coordination pattern.
-  "wait_for_email",
-  "check_tasks",
-  // Meta-tools — these unlock the other ~50 tools on demand.
-  "request_tools",
-  "invoke"
-];
 var MANAGED_BY_MARKER = "@agenticmail/claudecode";
 function yamlQuote(s) {
   const cleaned = s.replace(/[\r\n]+/g, " ").replace(/\s+/g, " ").trim();
@@ -182,14 +158,15 @@ function renderPersonaBody(input) {
     "",
     "## Operating instructions",
     "",
-    `You start every session with a small **pre-loaded** set of MCP tools (the ones listed in your frontmatter). Everything else AgenticMail offers \u2014 signatures, drafts, templates, SMS, bulk mail ops, folders, scheduling, spam tools, setup wizards, account admin \u2014 is reachable through the two **meta-tools** that are always pre-loaded:`,
+    `You have access to TWO complementary toolsets:`,
     "",
-    `- \`${tool("request_tools")}\` \u2014 Returns a text catalogue of unloaded tools. Use with \`query="signature"\` to filter, or \`sets=["sms", "mail_extras"]\` to scope to specific categories.`,
-    `- \`${tool("invoke")}\` \u2014 Calls any AgenticMail tool by name with structured args. Example: \`${tool("invoke")}({ tool: "manage_signatures", args: { action: "create", name: "default", body: "\u2014\\n${agent.name}" }, _account: "${agent.name}" })\`.`,
+    `1. **AgenticMail MCP tools** (\`${tool("*")}\`) \u2014 your mailbox, contacts, tasks, signatures, drafts, SMS, agent coordination. The full ~62-tool surface; the most common ones (\`${tool("list_inbox")}\`, \`${tool("send_email")}\`, \`${tool("reply_email")}\`, \`${tool("search_emails")}\`, \`${tool("call_agent")}\`, \`${tool("wait_for_email")}\`, \u2026) are pre-loaded. Anything else is reachable via the meta-tools \`${tool("request_tools")}\` (discover) + \`${tool("invoke")}\` (call by name).`,
     "",
-    `**On EVERY tool call you make \u2014 pre-loaded OR via \`invoke\` \u2014 you MUST pass \`_account: "${agent.name}"\`.** This tells the MCP server to authenticate as you, not as the integration's bridge identity. Without it, you'd be reading the bridge's empty inbox instead of your own, sending mail from the wrong address, and bypassing your owner's expectation that the agent named "${agent.name}" did the work.`,
+    `2. **Native Claude Code tools** \u2014 Read, Write, Edit, Bash, Glob, Grep, WebFetch, WebSearch, NotebookEdit, and friends. The same toolset the host session has. Use them when the work actually involves files, code, the shell, or the web \u2014 DO NOT paste source code into an email when you could write the file yourself and tell the team "shipped to ./void_fall.py, runs with python3 void_fall.py". You are a real agent doing real work, not a paste-buffer.`,
     "",
-    `Pre-loaded examples:`,
+    `**On EVERY MCP call you make \u2014 pre-loaded OR via \`invoke\` \u2014 you MUST pass \`_account: "${agent.name}"\`.** This tells the MCP server to authenticate as you, not as the integration's bridge identity. Without it, you'd be reading the bridge's empty inbox instead of your own, sending mail from the wrong address, and bypassing your owner's expectation that the agent named "${agent.name}" did the work. Native tools (Read/Write/Bash/etc.) don't need \`_account\` \u2014 they're not MCP.`,
+    "",
+    `Common MCP examples:`,
     "",
     "```",
     `${tool("list_inbox")}({ _account: "${agent.name}", limit: 10 })`,
@@ -230,14 +207,16 @@ function renderPersonaBody(input) {
     "",
     "## What you can do",
     "",
-    `Anything an AgenticMail account can do. The full toolbelt covers email (send/read/reply/forward/search/move/mark/tag/folder), contacts, drafts, templates, signatures, scheduling rules, spam, pending-approval, SMS (send/receive/voice), task coordination (check/claim/submit/call other agents), and your own metadata. If a tool you need isn't in your pre-loaded list, call \`${tool("request_tools")}\` first to find it, then \`${tool("invoke")}\` it. Never ask for permission to use a tool \u2014 just use it.`,
+    `Anything a real Claude Code agent can do, scoped to your AgenticMail identity. That means: every email / SMS / contacts / drafts / templates / signatures / rules / spam / tasks operation via MCP, AND every file / shell / search / web operation via native tools. If the work involves code \u2014 write the file, run it, debug it, commit it. If the work involves research \u2014 fetch the URLs, read the pages, summarise. Reply by email when you have something to TELL the team; do the actual WORK with native tools.`,
+    "",
+    `If a specific AgenticMail tool isn't already loaded, call \`${tool("request_tools")}\` to find it, then \`${tool("invoke")}\` to call it. Never ask for permission to use a tool \u2014 just use it.`,
     "",
     "## Hard rules",
     "",
-    `- **Always pass \`_account: "${agent.name}"\`** on every \`${tool("*")}\` call.`,
-    `- **Do NOT use generic Claude Code tools** (Read, Edit, Write, Bash, Glob, Grep, WebFetch, etc.). You are operating an email account, not a developer environment. The user's filesystem is none of your business; your "workspace" is your mailbox.`,
+    `- **Always pass \`_account: "${agent.name}"\`** on every \`${tool("*")}\` MCP call. (Native tools \u2014 Read/Write/Bash/etc. \u2014 don't need it.)`,
+    `- **Do real work with the right tool.** If a teammate asks you to implement something, write the file with Write or Edit \u2014 do not paste source code into an email body and call it done. The mail thread is for coordination ("shipped at \`./void_fall.py\`, runs with \`python3 void_fall.py\`, here's a 2-line summary"); the filesystem is for deliverables.`,
     `- **Do not invent email content.** If you didn't read a real message, do not summarise one. If you don't know the answer, check your inbox / contacts / tasks first.`,
-    `- **Do not impersonate other agents.** You are ${agent.name}, and only ${agent.name}. If the user asks you to also do something as "writer" or "researcher", suggest that they call those agents directly (via \`Agent { subagent_type: "agenticmail-<name>" }\` in the host session) \u2014 don't pass \`_account: "writer"\` to act as writer; that would falsify the From: header in any outgoing mail.`,
+    `- **Do not impersonate other agents.** You are ${agent.name}, and only ${agent.name}. If the user asks you to also do something as "writer" or "researcher", suggest that they call those agents directly \u2014 don't pass \`_account: "writer"\` to act as writer; that would falsify the From: header in any outgoing mail.`,
     `- **Respect outbound guard.** If a send is blocked by the AgenticMail outbound guard, tell the user in plain English \u2014 recipient, subject, the specific warnings \u2014 and ask them to approve. Do NOT rewrite the email to evade detection.`,
     "",
     "## Output style",
@@ -247,15 +226,12 @@ function renderPersonaBody(input) {
   ].filter((line) => line !== void 0).join("\n");
 }
 function renderSubagentMarkdown(input) {
-  const { name, agent, mcpServerName } = input;
-  const tool = (n) => `mcp__${mcpServerName}__${n}`;
+  const { name, agent } = input;
   const description = describeAgent(agent);
-  const allowedTools = ESSENTIAL_TOOL_NAMES.map((n) => tool(n)).join(", ");
   const frontmatter = [
     "---",
     `name: ${name}`,
     `description: ${yamlQuote(description)}`,
-    `tools: ${allowedTools}`,
     `model: inherit`,
     `# managed-by: ${MANAGED_BY_MARKER}`,
     `# agenticmail-agent-id: ${agent.id}`,

package/dist/{chunk-WP2ELPRM.js → chunk-V5LH4BNZ.js}

@@ -9,7 +9,7 @@ import {
   listAccounts,
   renderSubagentMarkdown,
   resolveConfig
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/install.ts
 import { existsSync, mkdirSync, readdirSync, writeFileSync, readFileSync, unlinkSync } from "fs";

package/dist/{chunk-UC63VEBP.js → chunk-VYBBCFP5.js}

@@ -7,7 +7,7 @@ import {
   MANAGED_BY_MARKER,
   getAccountByName,
   resolveConfig
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/status.ts
 import { existsSync, readFileSync, readdirSync } from "fs";

package/dist/{chunk-N43A7EQB.js → chunk-XHDRGX46.js}

@@ -1,15 +1,15 @@
 import {
   install
-} from "./chunk-WP2ELPRM.js";
+} from "./chunk-V5LH4BNZ.js";
 import {
   status
-} from "./chunk-UC63VEBP.js";
+} from "./chunk-VYBBCFP5.js";
 import {
   uninstall
-} from "./chunk-XGBVWZ3M.js";
+} from "./chunk-JVDPUO35.js";
 import {
   AgenticMailApiError
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/http-routes.ts
 import { Router } from "express";

package/dist/cli.js

@@ -1,17 +1,17 @@
 #!/usr/bin/env node
 import {
   install
-} from "./chunk-WP2ELPRM.js";
+} from "./chunk-V5LH4BNZ.js";
 import {
   status
-} from "./chunk-UC63VEBP.js";
+} from "./chunk-VYBBCFP5.js";
 import {
   uninstall
-} from "./chunk-XGBVWZ3M.js";
+} from "./chunk-JVDPUO35.js";
 import "./chunk-US5FT2UB.js";
 import {
   AgenticMailApiError
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 
 // src/cli.ts
 var GREEN = (s) => `\x1B[32m${s}\x1B[0m`;

package/dist/dispatcher-bin.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import {
   Dispatcher
-} from "./chunk-3ZBSRXAK.js";
-import "./chunk-YWSO3QOQ.js";
+} from "./chunk-5HUEJNT5.js";
+import "./chunk-M5HV2M67.js";
 
 // src/dispatcher-bin.ts
 async function main() {

package/dist/dispatcher.js

@@ -1,7 +1,7 @@
 import {
   Dispatcher
-} from "./chunk-3ZBSRXAK.js";
-import "./chunk-YWSO3QOQ.js";
+} from "./chunk-5HUEJNT5.js";
+import "./chunk-M5HV2M67.js";
 export {
   Dispatcher
 };

package/dist/http-routes.js

@@ -1,11 +1,11 @@
 import {
   createIntegrationRoutes
-} from "./chunk-N43A7EQB.js";
-import "./chunk-WP2ELPRM.js";
-import "./chunk-UC63VEBP.js";
-import "./chunk-XGBVWZ3M.js";
+} from "./chunk-XHDRGX46.js";
+import "./chunk-V5LH4BNZ.js";
+import "./chunk-VYBBCFP5.js";
+import "./chunk-JVDPUO35.js";
 import "./chunk-US5FT2UB.js";
-import "./chunk-YWSO3QOQ.js";
+import "./chunk-M5HV2M67.js";
 export {
   createIntegrationRoutes
 };

package/dist/index.js

@@ -1,19 +1,19 @@
 import {
   Dispatcher,
   loadPersonaForAgent
-} from "./chunk-3ZBSRXAK.js";
+} from "./chunk-5HUEJNT5.js";
 import {
   createIntegrationRoutes
-} from "./chunk-N43A7EQB.js";
+} from "./chunk-XHDRGX46.js";
 import {
   install
-} from "./chunk-WP2ELPRM.js";
+} from "./chunk-V5LH4BNZ.js";
 import {
   status
-} from "./chunk-UC63VEBP.js";
+} from "./chunk-VYBBCFP5.js";
 import {
   uninstall
-} from "./chunk-XGBVWZ3M.js";
+} from "./chunk-JVDPUO35.js";
 import "./chunk-US5FT2UB.js";
 import {
   AgenticMailApiError,
@@ -26,7 +26,7 @@ import {
   renderPersonaBody,
   renderSubagentMarkdown,
   resolveConfig
-} from "./chunk-YWSO3QOQ.js";
+} from "./chunk-M5HV2M67.js";
 export {
   AgenticMailApiError,
   Dispatcher,

package/dist/install.js

@@ -1,9 +1,9 @@
 import {
   install,
   selectExposableAgents
-} from "./chunk-WP2ELPRM.js";
+} from "./chunk-V5LH4BNZ.js";
 import "./chunk-US5FT2UB.js";
-import "./chunk-YWSO3QOQ.js";
+import "./chunk-M5HV2M67.js";
 export {
   install,
   selectExposableAgents

package/dist/status.js

@@ -1,8 +1,8 @@
 import {
   status
-} from "./chunk-UC63VEBP.js";
+} from "./chunk-VYBBCFP5.js";
 import "./chunk-US5FT2UB.js";
-import "./chunk-YWSO3QOQ.js";
+import "./chunk-M5HV2M67.js";
 export {
   status
 };

package/dist/uninstall.js

@@ -1,8 +1,8 @@
 import {
   uninstall
-} from "./chunk-XGBVWZ3M.js";
+} from "./chunk-JVDPUO35.js";
 import "./chunk-US5FT2UB.js";
-import "./chunk-YWSO3QOQ.js";
+import "./chunk-M5HV2M67.js";
 export {
   uninstall
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/claudecode",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Claude Code integration for AgenticMail — surfaces every AgenticMail agent as a native Claude Code subagent so any Claude Code session can delegate to them with the Agent tool",
   "type": "module",
   "main": "dist/index.js",