@askexenow/exe-os 0.8.0

package/dist/bin/exe-agent.js

@@ -0,0 +1,1858 @@
+#!/usr/bin/env node
+
+// src/bin/exe-agent.ts
+import { createInterface } from "readline";
+import { readFileSync } from "fs";
+import path7 from "path";
+import os2 from "os";
+
+// src/runtime/external-agent-mode.ts
+var HARD_BLOCKED_TOOLS = /* @__PURE__ */ new Set([
+  "Bash",
+  "Write",
+  "Edit",
+  "Glob",
+  "Grep",
+  "Read",
+  "Agent",
+  "NotebookEdit"
+]);
+var BLOCKED_TOOL_PATTERNS = [
+  /^mcp__.*git/i,
+  /^mcp__.*exec/i,
+  /^mcp__.*shell/i,
+  /^mcp__.*process/i,
+  /^mcp__.*file/i
+];
+function checkExternalAgentPermission(toolName, config) {
+  if (HARD_BLOCKED_TOOLS.has(toolName)) {
+    return `DENIED: "${toolName}" is hard-blocked for customer-facing agents`;
+  }
+  for (const pattern of BLOCKED_TOOL_PATTERNS) {
+    if (pattern.test(toolName)) {
+      return `DENIED: "${toolName}" matches blocked pattern for customer-facing agents`;
+    }
+  }
+  if (!config.allowedTools.includes(toolName)) {
+    return `DENIED: "${toolName}" is not in the external agent tool whitelist`;
+  }
+  return null;
+}
+
+// src/runtime/permission-presets.ts
+var CMO_PRESET = {
+  defaultMode: "deny",
+  rules: [
+    { tool: "Read", decision: "allow" },
+    { tool: "Glob", decision: "allow" },
+    { tool: "Grep", decision: "allow" },
+    { tool: "Write", pattern: "exe/output/*", decision: "allow" },
+    { tool: "mcp__exe-os__*", decision: "allow" },
+    { tool: "mcp__exe-mem__*", decision: "allow" }
+  ]
+};
+var CONTENT_SPECIALIST_PRESET = {
+  ...CMO_PRESET
+};
+
+// src/runtime/permissions.ts
+function checkPermission(toolName, permissions, externalAgentConfig) {
+  if (externalAgentConfig) {
+    const denyReason = checkExternalAgentPermission(toolName, externalAgentConfig);
+    if (denyReason) {
+      return { allowed: false, mode: "deny", reason: denyReason };
+    }
+  }
+  const mode = permissions.overrides[toolName] ?? permissions.defaultMode;
+  if (mode === "auto-approve") {
+    return { allowed: true, mode };
+  }
+  if (mode === "deny") {
+    return { allowed: false, mode, reason: `Tool "${toolName}" is denied by permission policy` };
+  }
+  return { allowed: false, mode, reason: `Tool "${toolName}" requires approval` };
+}
+var EMPLOYEE_PERMISSIONS = {
+  defaultMode: "auto-approve",
+  overrides: {}
+};
+
+// src/runtime/zod-to-schema.ts
+function zodToJsonSchema(schema) {
+  if ("toJSONSchema" in schema && typeof schema.toJSONSchema === "function") {
+    return schema.toJSONSchema();
+  }
+  const def = schema._def;
+  if (!def) {
+    return { type: "object", properties: {} };
+  }
+  return extractSchema(def);
+}
+function extractSchema(def) {
+  const typeName = def.typeName;
+  switch (typeName) {
+    case "ZodObject": {
+      const shape = def.shape;
+      const properties = {};
+      const required = [];
+      if (shape) {
+        const resolved = typeof shape === "function" ? shape() : shape;
+        for (const [key, value] of Object.entries(resolved)) {
+          const fieldDef = value._def ?? value;
+          const isOptional = fieldDef.typeName === "ZodOptional";
+          if (isOptional) {
+            properties[key] = extractSchema(
+              fieldDef.innerType?._def ?? {}
+            );
+          } else {
+            properties[key] = extractSchema(fieldDef);
+            required.push(key);
+          }
+        }
+      }
+      const result = { type: "object", properties };
+      if (required.length > 0) result.required = required;
+      return result;
+    }
+    case "ZodString":
+      return { type: "string", ...def.description ? { description: String(def.description) } : {} };
+    case "ZodNumber":
+      return { type: "number", ...def.description ? { description: String(def.description) } : {} };
+    case "ZodBoolean":
+      return { type: "boolean", ...def.description ? { description: String(def.description) } : {} };
+    case "ZodArray":
+      return {
+        type: "array",
+        items: extractSchema(
+          def.type?._def ?? {}
+        )
+      };
+    case "ZodEnum":
+      return { type: "string", enum: def.values };
+    case "ZodOptional":
+      return extractSchema(
+        def.innerType?._def ?? {}
+      );
+    case "ZodDefault":
+      return extractSchema(
+        def.innerType?._def ?? {}
+      );
+    default:
+      return { type: "string" };
+  }
+}
+
+// src/runtime/tool-registry.ts
+var ToolRegistry = class {
+  tools = /* @__PURE__ */ new Map();
+  /** Register a tool */
+  register(tool) {
+    this.tools.set(tool.name, tool);
+  }
+  /** Look up a tool by name */
+  get(name) {
+    return this.tools.get(name);
+  }
+  /** List all registered tools */
+  list() {
+    return [...this.tools.values()];
+  }
+  /** List tool names */
+  names() {
+    return [...this.tools.keys()];
+  }
+  /** Convert all tools to LLM-ready NormalizedTool format */
+  toNormalizedTools() {
+    return this.list().map((tool) => ({
+      name: tool.name,
+      description: tool.description,
+      inputSchema: zodToJsonSchema(tool.inputSchema)
+    }));
+  }
+  /** Get only tools allowed by the given permission set */
+  listAllowed(permissions) {
+    return this.list().filter(
+      (tool) => checkPermission(tool.name, permissions).allowed
+    );
+  }
+  /** Convert allowed tools to NormalizedTool format */
+  toAllowedNormalizedTools(permissions) {
+    return this.listAllowed(permissions).map((tool) => ({
+      name: tool.name,
+      description: tool.description,
+      inputSchema: zodToJsonSchema(tool.inputSchema)
+    }));
+  }
+};
+function partitionTools(blocks, registry) {
+  const concurrent = [];
+  const sequential = [];
+  let hitWrite = false;
+  for (const block of blocks) {
+    if (block.type !== "tool_use") continue;
+    const tool = registry.get(block.name);
+    if (!hitWrite && tool?.isReadOnly) {
+      concurrent.push(block);
+    } else {
+      hitWrite = true;
+      sequential.push(block);
+    }
+  }
+  return { concurrent, sequential };
+}
+
+// src/runtime/compact.ts
+var KEEP_RECENT_MESSAGES = 10;
+function estimateTokens(messages) {
+  let chars = 0;
+  for (const msg of messages) {
+    if (typeof msg.content === "string") {
+      chars += msg.content.length;
+    } else {
+      for (const block of msg.content) {
+        if (block.type === "text") chars += block.text.length;
+        else if (block.type === "tool_use") chars += JSON.stringify(block.input).length + block.name.length;
+        else if (block.type === "tool_result") chars += block.content.length;
+      }
+    }
+  }
+  return Math.ceil(chars / 4);
+}
+function stripMediaBlocks(messages) {
+  return messages.map((msg) => {
+    if (typeof msg.content === "string") return msg;
+    const filtered = msg.content.filter(
+      (block) => block.type !== "tool_use" || !isMediaTool(block.name)
+    );
+    if (filtered.length === 0) {
+      return { ...msg, content: "[media content removed for compaction]" };
+    }
+    return { ...msg, content: filtered };
+  });
+}
+function isMediaTool(name) {
+  return ["upload_image", "screenshot", "render_image"].includes(name);
+}
+async function compactMessages(messages, provider, summaryModel = "claude-haiku-4-5-20251001") {
+  if (messages.length <= KEEP_RECENT_MESSAGES) {
+    return { messages, removedCount: 0 };
+  }
+  const toSummarize = messages.slice(0, -KEEP_RECENT_MESSAGES);
+  const toKeep = messages.slice(-KEEP_RECENT_MESSAGES);
+  const stripped = stripMediaBlocks(toSummarize);
+  const serialized = stripped.map((m) => {
+    const content = typeof m.content === "string" ? m.content : m.content.map((b) => {
+      if (b.type === "text") return b.text;
+      if (b.type === "tool_use") return `[tool: ${b.name}(${JSON.stringify(b.input).slice(0, 200)})]`;
+      if (b.type === "tool_result") return `[result: ${b.content.slice(0, 200)}]`;
+      return "";
+    }).join("\n");
+    return `${m.role}: ${content}`;
+  }).join("\n\n");
+  try {
+    const summary = await provider.createMessage({
+      model: summaryModel,
+      system: "Summarize this conversation concisely. Preserve: decisions made, files modified, current task status, blockers, key findings. Be specific about file paths and tool results.",
+      messages: [{ role: "user", content: serialized.slice(0, 5e4) }],
+      // Cap input
+      maxTokens: 2e3
+    });
+    const summaryText = summary.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+    return {
+      messages: [
+        { role: "user", content: `[Previous conversation summary]
+${summaryText}` },
+        { role: "assistant", content: "Understood. I have context from the summary. Continuing." },
+        ...toKeep
+      ],
+      removedCount: toSummarize.length
+    };
+  } catch {
+    return {
+      messages: [
+        { role: "user", content: "[Earlier conversation history was compacted due to context limits]" },
+        { role: "assistant", content: "Understood. Continuing with recent context." },
+        ...toKeep
+      ],
+      removedCount: toSummarize.length
+    };
+  }
+}
+
+// src/runtime/context-manager.ts
+var MODEL_CONTEXT_LIMITS = {
+  // Anthropic
+  "claude-opus-4": 2e5,
+  "claude-sonnet-4": 2e5,
+  "claude-haiku-4": 2e5,
+  // Extended context variants
+  "claude-opus-4-6[1m]": 1e6,
+  "claude-sonnet-4-6[1m]": 1e6,
+  // OpenAI
+  "gpt-4o": 128e3,
+  "gpt-4-turbo": 128e3,
+  "gpt-4": 8192,
+  "o3": 2e5,
+  "o4-mini": 2e5,
+  // Google
+  "gemini-2.0": 1e6,
+  "gemini-2.5-pro": 1e6,
+  "gemini-2.5-flash": 1e6,
+  // Local / small models
+  "llama": 8192,
+  "mistral": 32768,
+  "qwen": 32768,
+  "deepseek": 64e3
+};
+var DEFAULT_CONTEXT_LIMIT = 2e5;
+var PRESSURE_THRESHOLDS = [50, 70, 90];
+function getContextLimit(model) {
+  if (model in MODEL_CONTEXT_LIMITS) {
+    return MODEL_CONTEXT_LIMITS[model];
+  }
+  let bestMatch = "";
+  let bestLimit = DEFAULT_CONTEXT_LIMIT;
+  for (const [prefix, limit] of Object.entries(MODEL_CONTEXT_LIMITS)) {
+    if (model.startsWith(prefix) && prefix.length > bestMatch.length) {
+      bestMatch = prefix;
+      bestLimit = limit;
+    }
+  }
+  return bestLimit;
+}
+function createContextManager(model, hooks) {
+  return new ContextManager(model, hooks);
+}
+var ContextManager = class {
+  state;
+  hooks;
+  constructor(model, hooks) {
+    this.hooks = hooks;
+    this.state = {
+      inputTokens: 0,
+      outputTokens: 0,
+      estimatedTokens: 0,
+      maxTokens: getContextLimit(model),
+      thresholdsEmitted: /* @__PURE__ */ new Set(),
+      model
+    };
+  }
+  /** Get current context state (read-only snapshot) */
+  getState() {
+    return { ...this.state, thresholdsEmitted: new Set(this.state.thresholdsEmitted) };
+  }
+  /** Get current token usage (best available: API data or estimate) */
+  get usedTokens() {
+    if (this.state.inputTokens > 0) {
+      return this.state.inputTokens;
+    }
+    return this.state.estimatedTokens;
+  }
+  /** Get percent of context used */
+  get percentUsed() {
+    return Math.round(this.usedTokens / this.state.maxTokens * 100);
+  }
+  /**
+   * Update with API usage data (from LLM response).
+   * This is the most accurate source of token counts.
+   */
+  updateFromApiUsage(inputTokens, outputTokens) {
+    this.state.inputTokens = inputTokens;
+    this.state.outputTokens = outputTokens;
+  }
+  /**
+   * Update with estimated tokens from message content.
+   * Used as fallback when API doesn't report cache-aware usage.
+   */
+  updateFromMessages(messages) {
+    this.state.estimatedTokens = estimateTokens(messages);
+  }
+  /**
+   * Check context pressure and emit threshold events.
+   * Should be called after each turn.
+   */
+  async checkPressure() {
+    const percent = this.percentUsed;
+    for (const threshold of PRESSURE_THRESHOLDS) {
+      if (percent >= threshold && !this.state.thresholdsEmitted.has(threshold)) {
+        this.state.thresholdsEmitted.add(threshold);
+        const event = {
+          threshold,
+          usedTokens: this.usedTokens,
+          maxTokens: this.state.maxTokens,
+          percentUsed: percent
+        };
+        if (this.hooks.onContextPressure) {
+          try {
+            await this.hooks.onContextPressure(event);
+          } catch {
+          }
+        }
+      }
+    }
+  }
+  /** Should compaction run? (85% threshold, matching compact.ts) */
+  shouldCompact() {
+    return this.usedTokens > this.state.maxTokens * 0.85;
+  }
+  /**
+   * Pre-compaction: fire hooks and extract critical context to protect.
+   * Returns strings that must survive compaction.
+   */
+  async preCompact(messages) {
+    const protectedContext = [];
+    const memoriesToExtract = [];
+    if (this.hooks.onCompact) {
+      try {
+        await this.hooks.onCompact(messages.length, 0);
+      } catch {
+      }
+    }
+    const DECISION_PATTERNS = /\b(decided|chose|selected|fixed|resolved|implemented|created|deleted|changed|updated|configured)\b/i;
+    const FILE_PATTERNS = /(?:(?:src|lib|bin|tests?)\/[\w/.-]+\.(?:ts|js|json|md))/g;
+    for (const msg of messages) {
+      const text = typeof msg.content === "string" ? msg.content : msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+      if (text.length > 50 && DECISION_PATTERNS.test(text)) {
+        const firstSentence = text.split(/[.\n]/).find((s) => DECISION_PATTERNS.test(s));
+        if (firstSentence) {
+          memoriesToExtract.push(firstSentence.trim().slice(0, 200));
+        }
+      }
+      const files = text.match(FILE_PATTERNS);
+      if (files && files.length > 0) {
+        protectedContext.push(`Files referenced: ${[...new Set(files)].join(", ")}`);
+      }
+    }
+    return { protectedContext, memoriesToExtract };
+  }
+  /**
+   * Post-compaction: fire hooks and verify state.
+   */
+  async postCompact(removedCount, summaryLength) {
+    this.state.estimatedTokens = 0;
+    const currentPercent = this.percentUsed;
+    for (const threshold of PRESSURE_THRESHOLDS) {
+      if (currentPercent < threshold) {
+        this.state.thresholdsEmitted.delete(threshold);
+      }
+    }
+    if (this.hooks.onPostCompact) {
+      try {
+        await this.hooks.onPostCompact(removedCount, `Compacted ${removedCount} messages into ${summaryLength} chars`);
+      } catch {
+      }
+    }
+  }
+  /**
+   * Switch model mid-session (e.g., failover).
+   * Recalculates context limit.
+   */
+  switchModel(newModel) {
+    this.state.model = newModel;
+    this.state.maxTokens = getContextLimit(newModel);
+    this.state.thresholdsEmitted.clear();
+  }
+};
+
+// src/runtime/denial-tracking.ts
+var DENIAL_LIMITS = {
+  maxConsecutive: 3,
+  maxTotal: 10
+};
+function createDenialTrackingState() {
+  return {
+    consecutiveDenials: 0,
+    totalDenials: 0
+  };
+}
+function recordDenial(state) {
+  return {
+    consecutiveDenials: state.consecutiveDenials + 1,
+    totalDenials: state.totalDenials + 1
+  };
+}
+function recordSuccess(state) {
+  if (state.consecutiveDenials === 0) return state;
+  return {
+    ...state,
+    consecutiveDenials: 0
+  };
+}
+function shouldFallbackToAsk(state) {
+  return state.consecutiveDenials >= DENIAL_LIMITS.maxConsecutive || state.totalDenials >= DENIAL_LIMITS.maxTotal;
+}
+function shouldWarnDenials(state) {
+  return state.consecutiveDenials === DENIAL_LIMITS.maxConsecutive;
+}
+
+// src/runtime/agent-loop.ts
+async function* agentLoop(userMessage, history, config) {
+  const messages = [
+    ...history,
+    { role: "user", content: userMessage }
+  ];
+  const totalUsage = { inputTokens: 0, outputTokens: 0 };
+  const abortController = config.abortController ?? new AbortController();
+  const context = {
+    cwd: config.cwd,
+    agentId: config.agentId,
+    abortSignal: abortController.signal,
+    sessionState: /* @__PURE__ */ new Map()
+  };
+  const allowedTools = config.tools.toAllowedNormalizedTools(config.permissions);
+  const contextManager = createContextManager(config.model, config.hooks);
+  let denialState = createDenialTrackingState();
+  let turns = 0;
+  while (turns < config.maxTurns) {
+    turns++;
+    if (abortController.signal.aborted) {
+      yield { type: "aborted", reason: "Agent stopped by user" };
+      break;
+    }
+    if (config.maxTokenBudget && totalUsage.inputTokens + totalUsage.outputTokens >= config.maxTokenBudget) {
+      yield { type: "error", error: new Error("Token budget exceeded") };
+      break;
+    }
+    let response;
+    try {
+      response = await config.provider.createMessage({
+        model: config.model,
+        system: config.systemPrompt,
+        messages,
+        tools: allowedTools.length > 0 ? allowedTools : void 0,
+        maxTokens: 4096
+      });
+    } catch (err) {
+      const error = err instanceof Error ? err : new Error(String(err));
+      yield { type: "error", error };
+      if (config.hooks.onError) await config.hooks.onError(error, context);
+      break;
+    }
+    totalUsage.inputTokens += response.usage.inputTokens;
+    totalUsage.outputTokens += response.usage.outputTokens;
+    contextManager.updateFromApiUsage(response.usage.inputTokens, response.usage.outputTokens);
+    contextManager.updateFromMessages(messages);
+    await contextManager.checkPressure();
+    if (contextManager.shouldCompact() && messages.length > 12) {
+      const { memoriesToExtract } = await contextManager.preCompact(
+        messages.slice(0, -10)
+      );
+      if (memoriesToExtract.length > 0 && config.hooks.onNotification) {
+        await config.hooks.onNotification(
+          `Pre-compaction: extracted ${memoriesToExtract.length} key decisions to memory`
+        );
+      }
+      const compacted = await compactMessages(messages, config.provider);
+      const removedCount = compacted.removedCount;
+      if (removedCount > 0) {
+        messages.length = 0;
+        messages.push(...compacted.messages);
+        await contextManager.postCompact(removedCount, messages[0]?.content?.toString().length ?? 0);
+      }
+    }
+    for (const block of response.content) {
+      if (block.type === "text" && block.text) {
+        yield { type: "text", text: block.text };
+      }
+    }
+    messages.push({ role: "assistant", content: response.content });
+    if (response.stopReason === "end_turn" || response.stopReason === "max_tokens") {
+      yield { type: "turn_complete", turn: turns, usage: response.usage };
+      break;
+    }
+    const toolUseBlocks = response.content.filter(
+      (b) => b.type === "tool_use"
+    );
+    if (toolUseBlocks.length === 0) {
+      yield { type: "turn_complete", turn: turns, usage: response.usage };
+      break;
+    }
+    const { concurrent, sequential } = partitionTools(toolUseBlocks, config.tools);
+    const toolResults = [];
+    if (concurrent.length > 0) {
+      const concurrentResults = await Promise.all(
+        concurrent.map(
+          (block) => executeToolBlock(
+            block,
+            config,
+            context,
+            denialState
+          )
+        )
+      );
+      for (let i = 0; i < concurrent.length; i++) {
+        const block = concurrent[i];
+        const execResult = concurrentResults[i];
+        denialState = execResult.denialState;
+        yield execResult.event;
+        if (execResult.permissionEvent) yield execResult.permissionEvent;
+        yield { type: "tool_result", name: block.name, id: block.id, result: execResult.result };
+        toolResults.push({
+          type: "tool_result",
+          tool_use_id: block.id,
+          content: execResult.result.content,
+          is_error: execResult.result.isError
+        });
+      }
+    }
+    for (const block of sequential) {
+      const typedBlock = block;
+      const execResult = await executeToolBlock(typedBlock, config, context, denialState);
+      denialState = execResult.denialState;
+      yield execResult.event;
+      if (execResult.permissionEvent) yield execResult.permissionEvent;
+      yield { type: "tool_result", name: typedBlock.name, id: typedBlock.id, result: execResult.result };
+      toolResults.push({
+        type: "tool_result",
+        tool_use_id: typedBlock.id,
+        content: execResult.result.content,
+        is_error: execResult.result.isError
+      });
+    }
+    messages.push({ role: "user", content: toolResults });
+    yield { type: "turn_complete", turn: turns, usage: response.usage };
+  }
+  yield { type: "done", totalUsage, turns };
+}
+async function executeToolBlock(block, config, context, denialState) {
+  const startEvent = { type: "tool_use_start", name: block.name, id: block.id };
+  let permissionEvent;
+  const tool = config.tools.get(block.name);
+  if (!tool) {
+    return {
+      result: { content: `Unknown tool: "${block.name}"`, isError: true },
+      event: startEvent,
+      denialState
+    };
+  }
+  if (!tool.isReadOnly) {
+    if (tool.checkPermissions) {
+      try {
+        const toolPerm = await tool.checkPermissions(block.input, context);
+        if (toolPerm.behavior === "deny") {
+          denialState = recordDenial(denialState);
+          if (shouldWarnDenials(denialState)) {
+            process.stderr.write(
+              `[agent] WARNING: ${denialState.consecutiveDenials} consecutive tool denials
+`
+            );
+          }
+          return {
+            result: {
+              content: `Permission denied${toolPerm.bypassImmune ? " (safety check)" : ""}: ${toolPerm.reason ?? "blocked by tool policy"}`,
+              isError: true
+            },
+            event: { type: "tool_denied", name: block.name, id: block.id, reason: toolPerm.reason ?? "denied" },
+            denialState
+          };
+        }
+      } catch {
+        denialState = recordDenial(denialState);
+        return {
+          result: { content: "Permission check failed (fail-closed)", isError: true },
+          event: { type: "tool_denied", name: block.name, id: block.id, reason: "permission check error (fail-closed)" },
+          denialState
+        };
+      }
+    }
+    const effectivePermissions = shouldFallbackToAsk(denialState) ? { ...config.permissions, defaultMode: "ask" } : config.permissions;
+    const perm = checkPermission(block.name, effectivePermissions);
+    if (!perm.allowed) {
+      if (perm.mode === "ask" && config.permissionHandler) {
+        const inp = block.input;
+        const filePath = inp.file_path ?? inp.filePath;
+        const description = tool.description;
+        const permReq = { name: block.name, id: block.id, description, filePath };
+        const decision = await config.permissionHandler(permReq);
+        permissionEvent = { type: "permission_request", name: block.name, id: block.id, description, filePath };
+        if (decision === "allow") {
+        } else {
+          denialState = recordDenial(denialState);
+          return {
+            result: { content: `Permission denied by user`, isError: true },
+            event: { type: "tool_denied", name: block.name, id: block.id, reason: "denied by user" },
+            denialState,
+            permissionEvent: { type: "permission_request", name: block.name, id: block.id, description, filePath }
+          };
+        }
+      } else {
+        denialState = recordDenial(denialState);
+        return {
+          result: { content: `Permission denied: ${perm.reason}`, isError: true },
+          event: { type: "tool_denied", name: block.name, id: block.id, reason: perm.reason ?? "denied" },
+          denialState
+        };
+      }
+    }
+  }
+  if (context.abortSignal.aborted) {
+    return {
+      result: { content: "Interrupted by user", isError: true },
+      event: { type: "aborted", reason: "Agent stopped by user" },
+      denialState
+    };
+  }
+  if (config.hooks.beforeToolUse) {
+    const intercepted = await config.hooks.beforeToolUse(block, context);
+    if (intercepted) {
+      return { result: intercepted, event: startEvent, denialState };
+    }
+  }
+  let result;
+  try {
+    result = await tool.call(block.input, context);
+    denialState = recordSuccess(denialState);
+  } catch (err) {
+    result = {
+      content: `Tool error: ${err instanceof Error ? err.message : String(err)}`,
+      isError: true
+    };
+    if (config.hooks.onError) {
+      await config.hooks.onError(
+        err instanceof Error ? err : new Error(String(err)),
+        context
+      );
+    }
+  }
+  if (config.hooks.afterToolUse) {
+    await config.hooks.afterToolUse(block, result, context);
+  }
+  return { result, event: startEvent, denialState, permissionEvent };
+}
+
+// src/runtime/hooks.ts
+function createDefaultHooks() {
+  return {};
+}
+
+// src/runtime/stream.ts
+function createTerminalRenderer() {
+  return {
+    onText(text) {
+      process.stdout.write(text);
+    },
+    onToolStart(name, _id) {
+      process.stderr.write(`
+[tool] ${name}...
+`);
+    },
+    onToolResult(name, result, isError) {
+      if (isError) {
+        process.stderr.write(`[tool] ${name} ERROR: ${result.slice(0, 200)}
+`);
+      } else {
+        const preview = result.length > 200 ? result.slice(0, 200) + "..." : result;
+        process.stderr.write(`[tool] ${name} \u2192 ${preview}
+`);
+      }
+    },
+    onToolDenied(name, reason) {
+      process.stderr.write(`[tool] ${name} DENIED: ${reason}
+`);
+    },
+    onTurnComplete(_turn, _inputTokens, _outputTokens) {
+    },
+    onAborted(reason) {
+      process.stderr.write(`
+[aborted] ${reason}
+`);
+    },
+    onError(error) {
+      process.stderr.write(`
+[error] ${error.message}
+`);
+    },
+    onDone(inputTokens, outputTokens, turns) {
+      process.stderr.write(
+        `
+[done] ${turns} turns, ${inputTokens + outputTokens} tokens
+`
+      );
+    }
+  };
+}
+async function renderAgentEvents(events, renderer) {
+  for await (const event of events) {
+    switch (event.type) {
+      case "text":
+        renderer.onText(event.text);
+        break;
+      case "tool_use_start":
+        renderer.onToolStart(event.name, event.id);
+        break;
+      case "tool_result":
+        renderer.onToolResult(event.name, event.result.content, event.result.isError ?? false);
+        break;
+      case "tool_denied":
+        renderer.onToolDenied(event.name, event.reason);
+        break;
+      case "turn_complete":
+        renderer.onTurnComplete(event.turn, event.usage.inputTokens, event.usage.outputTokens);
+        break;
+      case "aborted":
+        renderer.onAborted(event.reason);
+        break;
+      case "error":
+        renderer.onError(event.error);
+        break;
+      case "done":
+        renderer.onDone(event.totalUsage.inputTokens, event.totalUsage.outputTokens, event.turns);
+        break;
+    }
+  }
+}
+
+// src/gateway/providers/anthropic.ts
+import Anthropic from "@anthropic-ai/sdk";
+var AnthropicProvider = class {
+  name;
+  client;
+  defaultModel;
+  constructor(name, config) {
+    this.name = name;
+    this.defaultModel = config.defaultModel ?? "claude-sonnet-4-20250514";
+    this.client = new Anthropic({
+      apiKey: config.apiKey,
+      baseURL: config.baseUrl || void 0
+    });
+  }
+  async createMessage(params) {
+    const response = await this.client.messages.create({
+      model: params.model || this.defaultModel,
+      max_tokens: params.maxTokens,
+      system: params.system,
+      messages: params.messages.map((m) => this.toAnthropicMessage(m)),
+      tools: params.tools?.map((t) => ({
+        name: t.name,
+        description: t.description,
+        input_schema: t.inputSchema
+      }))
+    });
+    return this.normalizeResponse(response);
+  }
+  async healthCheck() {
+    const start = Date.now();
+    try {
+      await this.client.messages.create({
+        model: this.defaultModel,
+        max_tokens: 1,
+        messages: [{ role: "user", content: "hi" }]
+      });
+      return { available: true, latencyMs: Date.now() - start };
+    } catch {
+      return { available: false, latencyMs: Date.now() - start };
+    }
+  }
+  toAnthropicMessage(msg) {
+    if (typeof msg.content === "string") {
+      return { role: msg.role, content: msg.content };
+    }
+    const blocks = msg.content.map((block) => {
+      if (block.type === "text") {
+        return { type: "text", text: block.text };
+      }
+      if (block.type === "tool_use") {
+        return {
+          type: "tool_use",
+          id: block.id,
+          name: block.name,
+          input: block.input
+        };
+      }
+      if (block.type === "tool_result") {
+        return {
+          type: "tool_result",
+          tool_use_id: block.tool_use_id,
+          content: block.content,
+          is_error: block.is_error
+        };
+      }
+      return { type: "text", text: "" };
+    });
+    return { role: msg.role, content: blocks };
+  }
+  normalizeResponse(response) {
+    const content = response.content.map((block) => {
+      if (block.type === "text") {
+        return { type: "text", text: block.text };
+      }
+      if (block.type === "tool_use") {
+        return {
+          type: "tool_use",
+          id: block.id,
+          name: block.name,
+          input: block.input
+        };
+      }
+      return { type: "text", text: "" };
+    });
+    const stopReason = response.stop_reason === "tool_use" ? "tool_use" : response.stop_reason === "max_tokens" ? "max_tokens" : "end_turn";
+    return {
+      content,
+      stopReason,
+      usage: {
+        inputTokens: response.usage.input_tokens,
+        outputTokens: response.usage.output_tokens
+      }
+    };
+  }
+};
+
+// src/gateway/providers/openai-compat.ts
+import OpenAI from "openai";
+import { randomUUID } from "crypto";
+var OpenAICompatProvider = class {
+  name;
+  client;
+  defaultModel;
+  constructor(name, config) {
+    this.name = name;
+    this.defaultModel = config.defaultModel ?? "gpt-4o";
+    this.client = new OpenAI({
+      apiKey: config.apiKey,
+      baseURL: config.baseUrl
+    });
+  }
+  async createMessage(params) {
+    const messages = [
+      { role: "system", content: params.system },
+      ...params.messages.flatMap((m) => this.toOpenAIMessages(m))
+    ];
+    const tools = params.tools?.map(
+      (t) => ({
+        type: "function",
+        function: {
+          name: t.name,
+          description: t.description,
+          parameters: t.inputSchema
+        }
+      })
+    );
+    const response = await this.client.chat.completions.create({
+      model: params.model || this.defaultModel,
+      max_tokens: params.maxTokens,
+      messages,
+      tools: tools?.length ? tools : void 0
+    });
+    return this.normalizeResponse(response);
+  }
+  async healthCheck() {
+    const start = Date.now();
+    try {
+      await this.client.chat.completions.create({
+        model: this.defaultModel,
+        max_tokens: 1,
+        messages: [{ role: "user", content: "hi" }]
+      });
+      return { available: true, latencyMs: Date.now() - start };
+    } catch {
+      return { available: false, latencyMs: Date.now() - start };
+    }
+  }
+  toOpenAIMessages(msg) {
+    if (typeof msg.content === "string") {
+      return [{ role: msg.role, content: msg.content }];
+    }
+    if (msg.role === "assistant") {
+      const textParts = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+      const toolCalls = msg.content.filter((b) => b.type === "tool_use").map((b) => ({
+        id: b.id,
+        type: "function",
+        function: {
+          name: b.name,
+          arguments: typeof b.input === "string" ? b.input : JSON.stringify(b.input)
+        }
+      }));
+      if (toolCalls.length > 0) {
+        return [{
+          role: "assistant",
+          content: textParts || null,
+          tool_calls: toolCalls
+        }];
+      }
+      return [{ role: "assistant", content: textParts }];
+    }
+    if (msg.role === "user") {
+      const toolResults = msg.content.filter(
+        (b) => b.type === "tool_result"
+      );
+      if (toolResults.length > 0) {
+        return toolResults.map((r) => ({
+          role: "tool",
+          tool_call_id: r.tool_use_id,
+          content: r.content
+        }));
+      }
+      const text = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+      return [{ role: "user", content: text }];
+    }
+    return [{ role: msg.role, content: "" }];
+  }
+  normalizeResponse(response) {
+    const choice = response.choices[0];
+    if (!choice) {
+      return {
+        content: [{ type: "text", text: "" }],
+        stopReason: "end_turn",
+        usage: { inputTokens: 0, outputTokens: 0 }
+      };
+    }
+    const content = [];
+    if (choice.message.content) {
+      content.push({ type: "text", text: choice.message.content });
+    }
+    if (choice.message.tool_calls) {
+      for (const call of choice.message.tool_calls) {
+        const fn = call.function;
+        if (!fn) continue;
+        let input;
+        try {
+          input = JSON.parse(fn.arguments);
+        } catch {
+          input = fn.arguments;
+        }
+        content.push({
+          type: "tool_use",
+          id: call.id ?? randomUUID(),
+          name: fn.name,
+          input
+        });
+      }
+    }
+    if (content.length === 0) {
+      content.push({ type: "text", text: "" });
+    }
+    const stopReason = choice.finish_reason === "tool_calls" ? "tool_use" : choice.finish_reason === "length" ? "max_tokens" : "end_turn";
+    return {
+      content,
+      stopReason,
+      usage: {
+        inputTokens: response.usage?.prompt_tokens ?? 0,
+        outputTokens: response.usage?.completion_tokens ?? 0
+      }
+    };
+  }
+};
+
+// src/gateway/providers/ollama.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var OllamaProvider = class {
+  name;
+  host;
+  defaultModel;
+  constructor(name, config = {}) {
+    this.name = name;
+    this.host = (config.host ?? "http://localhost:11434").replace(/\/+$/, "");
+    this.defaultModel = config.defaultModel ?? "qwen3:14b";
+  }
+  async createMessage(params) {
+    const messages = [
+      { role: "system", content: params.system }
+    ];
+    for (const msg of params.messages) {
+      if (typeof msg.content === "string") {
+        messages.push({ role: msg.role, content: msg.content });
+      } else {
+        const text = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+        messages.push({ role: msg.role, content: text });
+      }
+    }
+    const tools = params.tools?.map((t) => ({
+      type: "function",
+      function: {
+        name: t.name,
+        description: t.description,
+        parameters: t.inputSchema
+      }
+    }));
+    const body = {
+      model: params.model || this.defaultModel,
+      messages,
+      stream: false,
+      options: { num_predict: params.maxTokens }
+    };
+    if (tools?.length) body.tools = tools;
+    const res = await fetch(`${this.host}/api/chat`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      throw new Error(`Ollama API error: ${res.status} ${await res.text()}`);
+    }
+    const data = await res.json();
+    return this.normalizeResponse(data);
+  }
+  async healthCheck() {
+    const start = Date.now();
+    try {
+      const res = await fetch(`${this.host}/api/tags`, {
+        signal: AbortSignal.timeout(5e3)
+      });
+      return { available: res.ok, latencyMs: Date.now() - start };
+    } catch {
+      return { available: false };
+    }
+  }
+  normalizeResponse(data) {
+    const content = [];
+    if (data.message.content) {
+      content.push({ type: "text", text: data.message.content });
+    }
+    if (data.message.tool_calls) {
+      for (const call of data.message.tool_calls) {
+        content.push({
+          type: "tool_use",
+          id: randomUUID2(),
+          name: call.function.name,
+          input: call.function.arguments
+        });
+      }
+    }
+    if (content.length === 0) {
+      content.push({ type: "text", text: "" });
+    }
+    const hasToolUse = content.some((b) => b.type === "tool_use");
+    return {
+      content,
+      stopReason: hasToolUse ? "tool_use" : "end_turn",
+      usage: {
+        inputTokens: data.prompt_eval_count ?? 0,
+        outputTokens: data.eval_count ?? 0
+      }
+    };
+  }
+};
+
+// src/runtime/tools/bash.ts
+import { spawn } from "child_process";
+import { z } from "zod";
+
+// src/runtime/dangerous-patterns.ts
+var DANGEROUS_PATTERNS = [
+  // Destructive file operations
+  {
+    regex: /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|(-[a-zA-Z]*f[a-zA-Z]*r))\s+[/~*]/,
+    severity: "critical",
+    reason: "Recursive force delete of root, home, or wildcard path"
+  },
+  {
+    regex: /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|(-[a-zA-Z]*f[a-zA-Z]*r))\s+\./,
+    severity: "warning",
+    reason: "Recursive force delete of relative path"
+  },
+  // Destructive git operations
+  {
+    regex: /\bgit\s+push\s+--force\b/,
+    severity: "warning",
+    reason: "Force push can overwrite remote history"
+  },
+  {
+    regex: /\bgit\s+reset\s+--hard\b/,
+    severity: "warning",
+    reason: "Hard reset discards all uncommitted changes"
+  },
+  {
+    regex: /\bgit\s+clean\s+-[a-zA-Z]*f/,
+    severity: "warning",
+    reason: "Git clean force removes untracked files"
+  },
+  // Shell injection / expansion in paths
+  {
+    regex: /\$\(.*\)/,
+    severity: "warning",
+    reason: "Command substitution in shell command"
+  },
+  {
+    regex: /`[^`]+`/,
+    severity: "warning",
+    reason: "Backtick command substitution"
+  },
+  // Remote code execution
+  {
+    regex: /\bcurl\b.*\|\s*(bash|sh|zsh)\b/,
+    severity: "critical",
+    reason: "Remote code execution via curl pipe to shell"
+  },
+  {
+    regex: /\bwget\b.*\|\s*(bash|sh|zsh)\b/,
+    severity: "critical",
+    reason: "Remote code execution via wget pipe to shell"
+  },
+  // Privilege escalation
+  {
+    regex: /\bsudo\b/,
+    severity: "warning",
+    reason: "Privilege escalation via sudo"
+  },
+  {
+    regex: /\bchmod\s+777\b/,
+    severity: "warning",
+    reason: "Setting world-writable permissions"
+  },
+  // Dangerous disk operations
+  {
+    regex: /\bdd\s+.*of=\/dev\//,
+    severity: "critical",
+    reason: "Direct disk write can destroy data"
+  },
+  {
+    regex: /\bmkfs\b/,
+    severity: "critical",
+    reason: "Filesystem creation destroys existing data"
+  },
+  // Process/system manipulation
+  {
+    regex: /\bkillall\b/,
+    severity: "warning",
+    reason: "Killing all processes by name"
+  },
+  {
+    regex: /\bkill\s+-9\b/,
+    severity: "warning",
+    reason: "Force kill signal"
+  }
+];
+function checkDangerousPatterns(command) {
+  const matched = [];
+  for (const rule of DANGEROUS_PATTERNS) {
+    if (rule.regex.test(command)) {
+      matched.push({
+        pattern: rule.regex.source,
+        severity: rule.severity,
+        reason: rule.reason
+      });
+    }
+  }
+  return {
+    dangerous: matched.length > 0,
+    patterns: matched
+  };
+}
+function hasCriticalPattern(result) {
+  return result.patterns.some((p) => p.severity === "critical");
+}
+function formatDangerousPatterns(patterns) {
+  return patterns.map((p) => `[${p.severity.toUpperCase()}] ${p.reason}`).join("\n");
+}
+
+// src/runtime/tools/bash.ts
+var DEFAULT_TIMEOUT_MS = 12e4;
+var inputSchema = z.object({
+  command: z.string(),
+  timeout: z.number().optional()
+});
+var BashTool = {
+  name: "bash",
+  description: "Execute a shell command",
+  inputSchema,
+  isReadOnly: false,
+  async checkPermissions(input) {
+    const result = checkDangerousPatterns(input.command);
+    if (hasCriticalPattern(result)) {
+      return {
+        behavior: "deny",
+        reason: formatDangerousPatterns(result.patterns),
+        bypassImmune: true
+      };
+    }
+    return { behavior: "allow" };
+  },
+  async call(input, context) {
+    const timeout = input.timeout ?? DEFAULT_TIMEOUT_MS;
+    return new Promise((resolve) => {
+      const child = spawn("bash", ["-c", input.command], {
+        cwd: context.cwd,
+        timeout,
+        stdio: ["ignore", "pipe", "pipe"],
+        env: { ...process.env }
+      });
+      const stdoutChunks = [];
+      const stderrChunks = [];
+      child.stdout.on("data", (chunk) => stdoutChunks.push(chunk));
+      child.stderr.on("data", (chunk) => stderrChunks.push(chunk));
+      const onAbort = () => {
+        child.kill("SIGTERM");
+        setTimeout(() => {
+          if (!child.killed) child.kill("SIGKILL");
+        }, 1e3);
+      };
+      context.abortSignal.addEventListener("abort", onAbort, { once: true });
+      child.on("close", (code) => {
+        context.abortSignal.removeEventListener("abort", onAbort);
+        const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+        const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+        if (context.abortSignal.aborted) {
+          resolve({ content: "Command killed: agent aborted", isError: true });
+          return;
+        }
+        if (code !== 0) {
+          const output = stderr || stdout || `Exit code ${code}`;
+          resolve({ content: output, isError: true });
+          return;
+        }
+        resolve({ content: stdout || "(no output)" });
+      });
+      child.on("error", (err) => {
+        context.abortSignal.removeEventListener("abort", onAbort);
+        resolve({ content: `Spawn error: ${err.message}`, isError: true });
+      });
+    });
+  }
+};
+
+// src/runtime/tools/file-read.ts
+import fs from "fs/promises";
+import path2 from "path";
+import { z as z2 } from "zod";
+
+// src/runtime/safety-checks.ts
+import path from "path";
+import os from "os";
+var HOME = os.homedir();
+var BYPASS_IMMUNE_PATTERNS = [
+  {
+    pattern: /\/\.git\/hooks\//,
+    reason: "Git hooks can execute arbitrary code"
+  },
+  {
+    pattern: /\/\.git\/config$/,
+    reason: "Git config can set hooks and command execution"
+  },
+  {
+    pattern: (p) => p.startsWith(path.join(HOME, ".claude")),
+    reason: "Claude configuration files are protected"
+  },
+  {
+    pattern: (p) => p.startsWith(path.join(HOME, ".exe-os")),
+    reason: "exe-os configuration files are protected"
+  },
+  {
+    pattern: /\/\.env($|\.)/,
+    reason: "Environment files may contain secrets"
+  },
+  {
+    pattern: /\/(credentials|secrets|tokens)\.(json|yaml|yml|toml|ini|conf)$/i,
+    reason: "Credential files are protected"
+  },
+  {
+    pattern: /(\.pem|\.key|\.p12|\.pfx|\.jks|id_rsa|id_ed25519)$/,
+    reason: "Private key files are protected"
+  },
+  {
+    pattern: (p) => {
+      const name = path.basename(p);
+      return [".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile", ".zshenv"].includes(name);
+    },
+    reason: "Shell configuration files can execute arbitrary code on login"
+  },
+  {
+    pattern: (p) => p.startsWith("/etc/"),
+    reason: "System configuration directory is protected"
+  },
+  {
+    pattern: (p) => p.startsWith("/usr/") && !p.startsWith("/usr/local/"),
+    reason: "System binary directory is protected"
+  },
+  {
+    pattern: (p) => p === "/" || p === HOME,
+    reason: "Root and home directory direct modification is protected"
+  }
+];
+function checkPathSafety(filePath) {
+  const resolved = path.resolve(filePath);
+  for (const { pattern, reason } of BYPASS_IMMUNE_PATTERNS) {
+    const matches = typeof pattern === "function" ? pattern(resolved) : pattern.test(resolved);
+    if (matches) {
+      return { safe: false, reason, bypassImmune: true };
+    }
+  }
+  return { safe: true, bypassImmune: true };
+}
+function checkReadPathSafety(filePath) {
+  const resolved = path.resolve(filePath);
+  const credPatterns = BYPASS_IMMUNE_PATTERNS.filter(
+    (p) => typeof p.pattern !== "function" && (p.reason.includes("secrets") || p.reason.includes("Private key") || p.reason.includes("Credential"))
+  );
+  for (const { pattern, reason } of credPatterns) {
+    if (typeof pattern !== "function" && pattern.test(resolved)) {
+      return { safe: false, reason, bypassImmune: true };
+    }
+  }
+  return { safe: true, bypassImmune: true };
+}
+
+// src/runtime/tools/file-read.ts
+var inputSchema2 = z2.object({
+  file_path: z2.string(),
+  offset: z2.number().optional(),
+  limit: z2.number().optional()
+});
+var DEFAULT_LIMIT = 2e3;
+var FileReadTool = {
+  name: "file_read",
+  description: "Read a file from disk",
+  inputSchema: inputSchema2,
+  isReadOnly: true,
+  async checkPermissions(input) {
+    const safety = checkReadPathSafety(input.file_path);
+    if (!safety.safe) {
+      return {
+        behavior: "deny",
+        reason: safety.reason ?? "Read blocked by safety check",
+        bypassImmune: true
+      };
+    }
+    return { behavior: "allow" };
+  },
+  async call(input, context) {
+    const filePath = path2.isAbsolute(input.file_path) ? input.file_path : path2.resolve(context.cwd, input.file_path);
+    let stat;
+    try {
+      stat = await fs.stat(filePath);
+    } catch {
+      return { content: `File not found: ${filePath}`, isError: true };
+    }
+    if (stat.size > 0) {
+      const sample = Buffer.alloc(512);
+      const fh = await fs.open(filePath, "r");
+      try {
+        const { bytesRead } = await fh.read(sample, 0, 512, 0);
+        const slice = sample.subarray(0, bytesRead);
+        if (isBinary(slice)) {
+          return {
+            content: `Binary file (${stat.size} bytes): ${filePath}`
+          };
+        }
+      } finally {
+        await fh.close();
+      }
+    }
+    const raw = await fs.readFile(filePath, "utf-8");
+    const allLines = raw.split("\n");
+    const offset = input.offset ?? 0;
+    const limit = input.limit ?? DEFAULT_LIMIT;
+    const lines = allLines.slice(offset, offset + limit);
+    const numbered = lines.map((line, i) => `${String(offset + i + 1).padStart(6)}	${line}`).join("\n");
+    return { content: numbered };
+  }
+};
+function isBinary(buf) {
+  for (let i = 0; i < buf.length; i++) {
+    if (buf[i] === 0) return true;
+  }
+  return false;
+}
+
+// src/runtime/tools/file-edit.ts
+import fs2 from "fs/promises";
+import path3 from "path";
+import { z as z3 } from "zod";
+var inputSchema3 = z3.object({
+  file_path: z3.string(),
+  old_string: z3.string(),
+  new_string: z3.string(),
+  replace_all: z3.boolean().optional()
+});
+var FileEditTool = {
+  name: "file_edit",
+  description: "Edit a file by replacing a string",
+  inputSchema: inputSchema3,
+  isReadOnly: false,
+  async checkPermissions(input) {
+    const safety = checkPathSafety(input.file_path);
+    if (!safety.safe) {
+      return {
+        behavior: "deny",
+        reason: safety.reason ?? "Edit blocked by safety check",
+        bypassImmune: true
+      };
+    }
+    return { behavior: "allow" };
+  },
+  async call(input, context) {
+    const filePath = path3.isAbsolute(input.file_path) ? input.file_path : path3.resolve(context.cwd, input.file_path);
+    let content;
+    try {
+      content = await fs2.readFile(filePath, "utf-8");
+    } catch {
+      return { content: `File not found: ${filePath}`, isError: true };
+    }
+    const occurrences = countOccurrences(content, input.old_string);
+    if (occurrences === 0) {
+      return {
+        content: `old_string not found in ${filePath}`,
+        isError: true
+      };
+    }
+    if (occurrences > 1 && !input.replace_all) {
+      return {
+        content: `old_string appears ${occurrences} times in ${filePath}. Use replace_all: true to replace all, or provide more context to make it unique.`,
+        isError: true
+      };
+    }
+    let newContent;
+    if (input.replace_all) {
+      newContent = content.split(input.old_string).join(input.new_string);
+    } else {
+      const idx = content.indexOf(input.old_string);
+      newContent = content.slice(0, idx) + input.new_string + content.slice(idx + input.old_string.length);
+    }
+    await fs2.writeFile(filePath, newContent, "utf-8");
+    const replaced = input.replace_all ? occurrences : 1;
+    return {
+      content: `Replaced ${replaced} occurrence(s) in ${filePath}`,
+      sideEffects: { filesModified: [filePath] }
+    };
+  }
+};
+function countOccurrences(haystack, needle) {
+  let count = 0;
+  let pos = 0;
+  while (true) {
+    const idx = haystack.indexOf(needle, pos);
+    if (idx === -1) break;
+    count++;
+    pos = idx + needle.length;
+  }
+  return count;
+}
+
+// src/runtime/tools/file-write.ts
+import fs3 from "fs/promises";
+import path4 from "path";
+import { z as z4 } from "zod";
+var inputSchema4 = z4.object({
+  file_path: z4.string(),
+  content: z4.string()
+});
+var FileWriteTool = {
+  name: "file_write",
+  description: "Write content to a file (creates or overwrites)",
+  inputSchema: inputSchema4,
+  isReadOnly: false,
+  async checkPermissions(input) {
+    const safety = checkPathSafety(input.file_path);
+    if (!safety.safe) {
+      return {
+        behavior: "deny",
+        reason: safety.reason ?? "Write blocked by safety check",
+        bypassImmune: true
+      };
+    }
+    return { behavior: "allow" };
+  },
+  async call(input, context) {
+    const filePath = path4.isAbsolute(input.file_path) ? input.file_path : path4.resolve(context.cwd, input.file_path);
+    const dir = path4.dirname(filePath);
+    await fs3.mkdir(dir, { recursive: true });
+    await fs3.writeFile(filePath, input.content, "utf-8");
+    return {
+      content: `Wrote ${input.content.length} bytes to ${filePath}`,
+      sideEffects: { filesModified: [filePath] }
+    };
+  }
+};
+
+// src/runtime/tools/glob.ts
+import fs4 from "fs/promises";
+import path5 from "path";
+import { z as z5 } from "zod";
+var inputSchema5 = z5.object({
+  pattern: z5.string(),
+  path: z5.string().optional()
+});
+var GlobTool = {
+  name: "glob",
+  description: "Find files matching a glob pattern",
+  inputSchema: inputSchema5,
+  isReadOnly: true,
+  async call(input, context) {
+    const baseDir = input.path ? path5.isAbsolute(input.path) ? input.path : path5.resolve(context.cwd, input.path) : context.cwd;
+    try {
+      const entries = await walkDir(baseDir);
+      const matched = entries.filter(
+        (e) => simpleGlobMatch(path5.relative(baseDir, e.path), input.pattern)
+      );
+      matched.sort((a, b) => b.mtime - a.mtime);
+      if (matched.length === 0) {
+        return { content: "No files matched." };
+      }
+      const lines = matched.map((e) => e.path);
+      return { content: lines.join("\n") };
+    } catch (err) {
+      return {
+        content: `Glob error: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+async function walkDir(dir, maxDepth = 10) {
+  const results = [];
+  async function walk(current, depth) {
+    if (depth > maxDepth) return;
+    let entries;
+    try {
+      entries = await fs4.readdir(current, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.isDirectory() && (entry.name === "node_modules" || entry.name === ".git")) {
+        continue;
+      }
+      const fullPath = path5.join(current, entry.name);
+      if (entry.isDirectory()) {
+        await walk(fullPath, depth + 1);
+      } else {
+        try {
+          const stat = await fs4.stat(fullPath);
+          results.push({ path: fullPath, mtime: stat.mtimeMs });
+        } catch {
+        }
+      }
+    }
+  }
+  await walk(dir, 0);
+  return results;
+}
+function simpleGlobMatch(filePath, pattern) {
+  let regex = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]").replace(/\{\{GLOBSTAR\}\}/g, ".*");
+  regex = `^${regex}$`;
+  return new RegExp(regex).test(filePath);
+}
+
+// src/runtime/tools/grep.ts
+import { spawn as spawn2 } from "child_process";
+import fs5 from "fs/promises";
+import path6 from "path";
+import { z as z6 } from "zod";
+var inputSchema6 = z6.object({
+  pattern: z6.string(),
+  path: z6.string().optional(),
+  glob: z6.string().optional(),
+  include: z6.string().optional()
+});
+var GrepTool = {
+  name: "grep",
+  description: "Search file contents using regex",
+  inputSchema: inputSchema6,
+  isReadOnly: true,
+  async call(input, context) {
+    const searchPath = input.path ? path6.isAbsolute(input.path) ? input.path : path6.resolve(context.cwd, input.path) : context.cwd;
+    try {
+      const result = await runRipgrep(input, searchPath, context);
+      return result;
+    } catch {
+    }
+    try {
+      return await nodeGrep(input, searchPath);
+    } catch (err) {
+      return {
+        content: `Grep error: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+function runRipgrep(input, searchPath, context) {
+  return new Promise((resolve, reject) => {
+    const args = ["--files-with-matches", "--no-heading"];
+    if (input.glob) {
+      args.push("--glob", input.glob);
+    }
+    if (input.include) {
+      args.push("--glob", input.include);
+    }
+    args.push(input.pattern, searchPath);
+    const child = spawn2("rg", args, {
+      cwd: searchPath,
+      timeout: 3e4,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    const chunks = [];
+    child.stdout.on("data", (chunk) => chunks.push(chunk));
+    const onAbort = () => child.kill("SIGTERM");
+    context.abortSignal.addEventListener("abort", onAbort, { once: true });
+    child.on("close", (code) => {
+      context.abortSignal.removeEventListener("abort", onAbort);
+      const output = Buffer.concat(chunks).toString("utf-8").trim();
+      if (code === 1 && !output) {
+        resolve({ content: "No matches found." });
+        return;
+      }
+      if (code === 2) {
+        reject(new Error("ripgrep error"));
+        return;
+      }
+      resolve({ content: output || "No matches found." });
+    });
+    child.on("error", () => reject(new Error("rg not found")));
+  });
+}
+async function nodeGrep(input, searchPath) {
+  const regex = new RegExp(input.pattern);
+  const matches = [];
+  async function walk(dir) {
+    let entries;
+    try {
+      entries = await fs5.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.name === "node_modules" || entry.name === ".git") continue;
+      const fullPath = path6.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        await walk(fullPath);
+      } else {
+        if (input.glob || input.include) {
+          const filter = input.glob ?? input.include;
+          if (!simpleExtMatch(entry.name, filter)) continue;
+        }
+        try {
+          const content = await fs5.readFile(fullPath, "utf-8");
+          if (regex.test(content)) {
+            matches.push(fullPath);
+          }
+        } catch {
+        }
+      }
+    }
+  }
+  await walk(searchPath);
+  if (matches.length === 0) {
+    return { content: "No matches found." };
+  }
+  return { content: matches.join("\n") };
+}
+function simpleExtMatch(filename, pattern) {
+  if (pattern.startsWith("*.")) {
+    return filename.endsWith(pattern.slice(1));
+  }
+  return filename.includes(pattern.replace(/\*/g, ""));
+}
+
+// src/bin/exe-agent.ts
+function parseArgs(argv) {
+  const args = { employee: "" };
+  for (let i = 2; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--employee" && argv[i + 1]) args.employee = argv[++i];
+    else if (arg === "--model" && argv[i + 1]) args.model = argv[++i];
+    else if (arg === "--provider" && argv[i + 1]) args.provider = argv[++i];
+    else if (arg === "--api-key" && argv[i + 1]) args.apiKey = argv[++i];
+    else if (arg === "--base-url" && argv[i + 1]) args.baseUrl = argv[++i];
+    else if (!arg.startsWith("-") && !args.employee) args.employee = arg;
+  }
+  return args;
+}
+function loadEmployee(name) {
+  try {
+    const rosterPath = path7.join(os2.homedir(), ".exe-os", "exe-employees.json");
+    const roster = JSON.parse(readFileSync(rosterPath, "utf8"));
+    return roster.find((e) => e.name === name) ?? null;
+  } catch {
+    return null;
+  }
+}
+function createProvider(args) {
+  const providerType = args.provider ?? "anthropic";
+  const apiKey = args.apiKey ?? process.env.ANTHROPIC_API_KEY ?? "";
+  switch (providerType) {
+    case "anthropic":
+      return new AnthropicProvider("anthropic", {
+        apiKey,
+        baseUrl: args.baseUrl,
+        defaultModel: args.model
+      });
+    case "openai-compat":
+    case "openrouter":
+      return new OpenAICompatProvider(providerType, {
+        apiKey: args.apiKey ?? process.env.OPENROUTER_API_KEY ?? "",
+        baseUrl: args.baseUrl ?? "https://openrouter.ai/api/v1",
+        defaultModel: args.model
+      });
+    case "ollama":
+      return new OllamaProvider("ollama", {
+        host: args.baseUrl ?? "http://localhost:11434",
+        defaultModel: args.model
+      });
+    default:
+      throw new Error(`Unknown provider: ${providerType}`);
+  }
+}
+function registerBuiltinTools(registry) {
+  registry.register(BashTool);
+  registry.register(FileReadTool);
+  registry.register(FileEditTool);
+  registry.register(FileWriteTool);
+  registry.register(GlobTool);
+  registry.register(GrepTool);
+}
+async function main() {
+  const args = parseArgs(process.argv);
+  if (!args.employee) {
+    console.error("Usage: exe-agent --employee <name> [--model <model>] [--provider <provider>]");
+    process.exit(1);
+  }
+  const employee = loadEmployee(args.employee);
+  if (!employee) {
+    console.error(`Employee "${args.employee}" not found in roster.`);
+    process.exit(1);
+  }
+  const provider = createProvider(args);
+  const model = args.model ?? "claude-sonnet-4-20250514";
+  const registry = new ToolRegistry();
+  registerBuiltinTools(registry);
+  const abortController = new AbortController();
+  const shutdown = () => {
+    process.stderr.write("\n[exe-agent] Shutting down...\n");
+    abortController.abort();
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+  const config = {
+    provider,
+    model,
+    systemPrompt: employee.systemPrompt,
+    tools: registry,
+    hooks: createDefaultHooks(),
+    permissions: EMPLOYEE_PERMISSIONS,
+    maxTurns: 100,
+    cwd: process.cwd(),
+    agentId: args.employee,
+    abortController
+  };
+  const renderer = createTerminalRenderer();
+  const history = [];
+  console.error(`[exe-agent] ${args.employee} (${employee.role}) online \u2014 ${provider.name}/${model}`);
+  console.error(`[exe-agent] Tools: ${registry.names().join(", ")}`);
+  const rl = createInterface({ input: process.stdin, output: process.stderr, prompt: "> " });
+  rl.prompt();
+  rl.on("line", async (line) => {
+    const input = line.trim();
+    if (!input) {
+      rl.prompt();
+      return;
+    }
+    if (input === "/quit" || input === "/exit") {
+      rl.close();
+      return;
+    }
+    const events = agentLoop(input, history, config);
+    await renderAgentEvents(events, renderer);
+    history.push({ role: "user", content: input });
+    process.stderr.write("\n");
+    rl.prompt();
+  });
+  rl.on("close", () => {
+    console.error("[exe-agent] Session ended.");
+    process.exit(0);
+  });
+}
+main().catch((err) => {
+  console.error(`[exe-agent] Fatal: ${err instanceof Error ? err.message : String(err)}`);
+  process.exit(1);
+});