@askexenow/exe-os 0.8.1 → 0.8.3

package/dist/bin/exe-agent.js

@@ -1,2016 +0,0 @@
-#!/usr/bin/env node
-
-// src/bin/exe-agent.ts
-import { createInterface } from "readline";
-import { readFileSync } from "fs";
-import path7 from "path";
-import os2 from "os";
-
-// src/runtime/external-agent-mode.ts
-var HARD_BLOCKED_TOOLS = /* @__PURE__ */ new Set([
-  "Bash",
-  "Write",
-  "Edit",
-  "Glob",
-  "Grep",
-  "Read",
-  "Agent",
-  "NotebookEdit"
-]);
-var BLOCKED_TOOL_PATTERNS = [
-  /^mcp__.*git/i,
-  /^mcp__.*exec/i,
-  /^mcp__.*shell/i,
-  /^mcp__.*process/i,
-  /^mcp__.*file/i
-];
-function checkExternalAgentPermission(toolName, config) {
-  if (HARD_BLOCKED_TOOLS.has(toolName)) {
-    return `DENIED: "${toolName}" is hard-blocked for customer-facing agents`;
-  }
-  for (const pattern of BLOCKED_TOOL_PATTERNS) {
-    if (pattern.test(toolName)) {
-      return `DENIED: "${toolName}" matches blocked pattern for customer-facing agents`;
-    }
-  }
-  if (!config.allowedTools.includes(toolName)) {
-    return `DENIED: "${toolName}" is not in the external agent tool whitelist`;
-  }
-  return null;
-}
-
-// src/runtime/permission-presets.ts
-var CMO_PRESET = {
-  defaultMode: "deny",
-  rules: [
-    { tool: "Read", decision: "allow" },
-    { tool: "Glob", decision: "allow" },
-    { tool: "Grep", decision: "allow" },
-    { tool: "Write", pattern: "exe/output/*", decision: "allow" },
-    { tool: "mcp__exe-os__*", decision: "allow" },
-    { tool: "mcp__exe-mem__*", decision: "allow" }
-  ]
-};
-var CONTENT_SPECIALIST_PRESET = {
-  ...CMO_PRESET
-};
-
-// src/runtime/permissions.ts
-function checkPermission(toolName, permissions, externalAgentConfig) {
-  if (externalAgentConfig) {
-    const denyReason = checkExternalAgentPermission(toolName, externalAgentConfig);
-    if (denyReason) {
-      return { allowed: false, mode: "deny", reason: denyReason };
-    }
-  }
-  const mode = permissions.overrides[toolName] ?? permissions.defaultMode;
-  if (mode === "auto-approve") {
-    return { allowed: true, mode };
-  }
-  if (mode === "deny") {
-    return { allowed: false, mode, reason: `Tool "${toolName}" is denied by permission policy` };
-  }
-  return { allowed: false, mode, reason: `Tool "${toolName}" requires approval` };
-}
-var EMPLOYEE_PERMISSIONS = {
-  defaultMode: "auto-approve",
-  overrides: {}
-};
-
-// src/runtime/zod-to-schema.ts
-function zodToJsonSchema(schema) {
-  if ("toJSONSchema" in schema && typeof schema.toJSONSchema === "function") {
-    return schema.toJSONSchema();
-  }
-  const def = schema._def;
-  if (!def) {
-    return { type: "object", properties: {} };
-  }
-  return extractSchema(def);
-}
-function extractSchema(def) {
-  const typeName = def.typeName;
-  switch (typeName) {
-    case "ZodObject": {
-      const shape = def.shape;
-      const properties = {};
-      const required = [];
-      if (shape) {
-        const resolved = typeof shape === "function" ? shape() : shape;
-        for (const [key, value] of Object.entries(resolved)) {
-          const fieldDef = value._def ?? value;
-          const isOptional = fieldDef.typeName === "ZodOptional";
-          if (isOptional) {
-            properties[key] = extractSchema(
-              fieldDef.innerType?._def ?? {}
-            );
-          } else {
-            properties[key] = extractSchema(fieldDef);
-            required.push(key);
-          }
-        }
-      }
-      const result = { type: "object", properties };
-      if (required.length > 0) result.required = required;
-      return result;
-    }
-    case "ZodString":
-      return { type: "string", ...def.description ? { description: String(def.description) } : {} };
-    case "ZodNumber":
-      return { type: "number", ...def.description ? { description: String(def.description) } : {} };
-    case "ZodBoolean":
-      return { type: "boolean", ...def.description ? { description: String(def.description) } : {} };
-    case "ZodArray":
-      return {
-        type: "array",
-        items: extractSchema(
-          def.type?._def ?? {}
-        )
-      };
-    case "ZodEnum":
-      return { type: "string", enum: def.values };
-    case "ZodOptional":
-      return extractSchema(
-        def.innerType?._def ?? {}
-      );
-    case "ZodDefault":
-      return extractSchema(
-        def.innerType?._def ?? {}
-      );
-    default:
-      return { type: "string" };
-  }
-}
-
-// src/runtime/tool-registry.ts
-var ToolRegistry = class {
-  tools = /* @__PURE__ */ new Map();
-  /** Register a tool */
-  register(tool) {
-    this.tools.set(tool.name, tool);
-  }
-  /** Look up a tool by name */
-  get(name) {
-    return this.tools.get(name);
-  }
-  /** List all registered tools */
-  list() {
-    return [...this.tools.values()];
-  }
-  /** List tool names */
-  names() {
-    return [...this.tools.keys()];
-  }
-  /** Convert all tools to LLM-ready NormalizedTool format */
-  toNormalizedTools() {
-    return this.list().map((tool) => ({
-      name: tool.name,
-      description: tool.description,
-      inputSchema: zodToJsonSchema(tool.inputSchema)
-    }));
-  }
-  /** Get only tools allowed by the given permission set */
-  listAllowed(permissions) {
-    return this.list().filter(
-      (tool) => checkPermission(tool.name, permissions).allowed
-    );
-  }
-  /** Convert allowed tools to NormalizedTool format */
-  toAllowedNormalizedTools(permissions) {
-    return this.listAllowed(permissions).map((tool) => ({
-      name: tool.name,
-      description: tool.description,
-      inputSchema: zodToJsonSchema(tool.inputSchema)
-    }));
-  }
-};
-function partitionTools(blocks, registry) {
-  const concurrent = [];
-  const sequential = [];
-  let hitWrite = false;
-  for (const block of blocks) {
-    if (block.type !== "tool_use") continue;
-    const tool = registry.get(block.name);
-    if (!hitWrite && tool?.isReadOnly) {
-      concurrent.push(block);
-    } else {
-      hitWrite = true;
-      sequential.push(block);
-    }
-  }
-  return { concurrent, sequential };
-}
-
-// src/runtime/compact.ts
-var KEEP_RECENT_MESSAGES = 10;
-function estimateTokens(messages) {
-  let chars = 0;
-  for (const msg of messages) {
-    if (typeof msg.content === "string") {
-      chars += msg.content.length;
-    } else {
-      for (const block of msg.content) {
-        if (block.type === "text") chars += block.text.length;
-        else if (block.type === "tool_use") chars += JSON.stringify(block.input).length + block.name.length;
-        else if (block.type === "tool_result") chars += block.content.length;
-      }
-    }
-  }
-  return Math.ceil(chars / 4);
-}
-function stripMediaBlocks(messages) {
-  return messages.map((msg) => {
-    if (typeof msg.content === "string") return msg;
-    const filtered = msg.content.filter(
-      (block) => block.type !== "tool_use" || !isMediaTool(block.name)
-    );
-    if (filtered.length === 0) {
-      return { ...msg, content: "[media content removed for compaction]" };
-    }
-    return { ...msg, content: filtered };
-  });
-}
-function isMediaTool(name) {
-  return ["upload_image", "screenshot", "render_image"].includes(name);
-}
-async function compactMessages(messages, provider, summaryModel = "claude-haiku-4-5-20251001") {
-  if (messages.length <= KEEP_RECENT_MESSAGES) {
-    return { messages, removedCount: 0 };
-  }
-  const toSummarize = messages.slice(0, -KEEP_RECENT_MESSAGES);
-  const toKeep = messages.slice(-KEEP_RECENT_MESSAGES);
-  const stripped = stripMediaBlocks(toSummarize);
-  const serialized = stripped.map((m) => {
-    const content = typeof m.content === "string" ? m.content : m.content.map((b) => {
-      if (b.type === "text") return b.text;
-      if (b.type === "tool_use") return `[tool: ${b.name}(${JSON.stringify(b.input).slice(0, 200)})]`;
-      if (b.type === "tool_result") return `[result: ${b.content.slice(0, 200)}]`;
-      return "";
-    }).join("\n");
-    return `${m.role}: ${content}`;
-  }).join("\n\n");
-  try {
-    const summary = await provider.createMessage({
-      model: summaryModel,
-      system: "Summarize this conversation concisely. Preserve: decisions made, files modified, current task status, blockers, key findings. Be specific about file paths and tool results.",
-      messages: [{ role: "user", content: serialized.slice(0, 5e4) }],
-      // Cap input
-      maxTokens: 2e3
-    });
-    const summaryText = summary.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
-    return {
-      messages: [
-        { role: "user", content: `[Previous conversation summary]
-${summaryText}` },
-        { role: "assistant", content: "Understood. I have context from the summary. Continuing." },
-        ...toKeep
-      ],
-      removedCount: toSummarize.length
-    };
-  } catch {
-    return {
-      messages: [
-        { role: "user", content: "[Earlier conversation history was compacted due to context limits]" },
-        { role: "assistant", content: "Understood. Continuing with recent context." },
-        ...toKeep
-      ],
-      removedCount: toSummarize.length
-    };
-  }
-}
-
-// src/runtime/context-manager.ts
-var MODEL_CONTEXT_LIMITS = {
-  // Anthropic
-  "claude-opus-4": 2e5,
-  "claude-sonnet-4": 2e5,
-  "claude-haiku-4": 2e5,
-  // Extended context variants
-  "claude-opus-4-6[1m]": 1e6,
-  "claude-sonnet-4-6[1m]": 1e6,
-  // OpenAI
-  "gpt-4o": 128e3,
-  "gpt-4-turbo": 128e3,
-  "gpt-4": 8192,
-  "o3": 2e5,
-  "o4-mini": 2e5,
-  // Google
-  "gemini-2.0": 1e6,
-  "gemini-2.5-pro": 1e6,
-  "gemini-2.5-flash": 1e6,
-  // Local / small models
-  "llama": 8192,
-  "mistral": 32768,
-  "qwen": 32768,
-  "deepseek": 64e3
-};
-var DEFAULT_CONTEXT_LIMIT = 2e5;
-var PRESSURE_THRESHOLDS = [50, 70, 90];
-function getContextLimit(model) {
-  if (model in MODEL_CONTEXT_LIMITS) {
-    return MODEL_CONTEXT_LIMITS[model];
-  }
-  let bestMatch = "";
-  let bestLimit = DEFAULT_CONTEXT_LIMIT;
-  for (const [prefix, limit] of Object.entries(MODEL_CONTEXT_LIMITS)) {
-    if (model.startsWith(prefix) && prefix.length > bestMatch.length) {
-      bestMatch = prefix;
-      bestLimit = limit;
-    }
-  }
-  return bestLimit;
-}
-function createContextManager(model, hooks) {
-  return new ContextManager(model, hooks);
-}
-var ContextManager = class {
-  state;
-  hooks;
-  constructor(model, hooks) {
-    this.hooks = hooks;
-    this.state = {
-      inputTokens: 0,
-      outputTokens: 0,
-      estimatedTokens: 0,
-      maxTokens: getContextLimit(model),
-      thresholdsEmitted: /* @__PURE__ */ new Set(),
-      model
-    };
-  }
-  /** Get current context state (read-only snapshot) */
-  getState() {
-    return { ...this.state, thresholdsEmitted: new Set(this.state.thresholdsEmitted) };
-  }
-  /** Get current token usage (best available: API data or estimate) */
-  get usedTokens() {
-    if (this.state.inputTokens > 0) {
-      return this.state.inputTokens;
-    }
-    return this.state.estimatedTokens;
-  }
-  /** Get percent of context used */
-  get percentUsed() {
-    return Math.round(this.usedTokens / this.state.maxTokens * 100);
-  }
-  /**
-   * Update with API usage data (from LLM response).
-   * This is the most accurate source of token counts.
-   */
-  updateFromApiUsage(inputTokens, outputTokens) {
-    this.state.inputTokens = inputTokens;
-    this.state.outputTokens = outputTokens;
-  }
-  /**
-   * Update with estimated tokens from message content.
-   * Used as fallback when API doesn't report cache-aware usage.
-   */
-  updateFromMessages(messages) {
-    this.state.estimatedTokens = estimateTokens(messages);
-  }
-  /**
-   * Check context pressure and emit threshold events.
-   * Should be called after each turn.
-   */
-  async checkPressure() {
-    const percent = this.percentUsed;
-    for (const threshold of PRESSURE_THRESHOLDS) {
-      if (percent >= threshold && !this.state.thresholdsEmitted.has(threshold)) {
-        this.state.thresholdsEmitted.add(threshold);
-        const event = {
-          threshold,
-          usedTokens: this.usedTokens,
-          maxTokens: this.state.maxTokens,
-          percentUsed: percent
-        };
-        if (this.hooks.onContextPressure) {
-          try {
-            await this.hooks.onContextPressure(event);
-          } catch {
-          }
-        }
-      }
-    }
-  }
-  /** Should compaction run? (85% threshold, matching compact.ts) */
-  shouldCompact() {
-    return this.usedTokens > this.state.maxTokens * 0.85;
-  }
-  /**
-   * Pre-compaction: fire hooks and extract critical context to protect.
-   * Returns strings that must survive compaction.
-   */
-  async preCompact(messages) {
-    const protectedContext = [];
-    const memoriesToExtract = [];
-    if (this.hooks.onCompact) {
-      try {
-        await this.hooks.onCompact(messages.length, 0);
-      } catch {
-      }
-    }
-    const DECISION_PATTERNS = /\b(decided|chose|selected|fixed|resolved|implemented|created|deleted|changed|updated|configured)\b/i;
-    const FILE_PATTERNS = /(?:(?:src|lib|bin|tests?)\/[\w/.-]+\.(?:ts|js|json|md))/g;
-    for (const msg of messages) {
-      const text = typeof msg.content === "string" ? msg.content : msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
-      if (text.length > 50 && DECISION_PATTERNS.test(text)) {
-        const firstSentence = text.split(/[.\n]/).find((s) => DECISION_PATTERNS.test(s));
-        if (firstSentence) {
-          memoriesToExtract.push(firstSentence.trim().slice(0, 200));
-        }
-      }
-      const files = text.match(FILE_PATTERNS);
-      if (files && files.length > 0) {
-        protectedContext.push(`Files referenced: ${[...new Set(files)].join(", ")}`);
-      }
-    }
-    return { protectedContext, memoriesToExtract };
-  }
-  /**
-   * Post-compaction: fire hooks and verify state.
-   */
-  async postCompact(removedCount, summaryLength) {
-    this.state.estimatedTokens = 0;
-    const currentPercent = this.percentUsed;
-    for (const threshold of PRESSURE_THRESHOLDS) {
-      if (currentPercent < threshold) {
-        this.state.thresholdsEmitted.delete(threshold);
-      }
-    }
-    if (this.hooks.onPostCompact) {
-      try {
-        await this.hooks.onPostCompact(removedCount, `Compacted ${removedCount} messages into ${summaryLength} chars`);
-      } catch {
-      }
-    }
-  }
-  /**
-   * Switch model mid-session (e.g., failover).
-   * Recalculates context limit.
-   */
-  switchModel(newModel) {
-    this.state.model = newModel;
-    this.state.maxTokens = getContextLimit(newModel);
-    this.state.thresholdsEmitted.clear();
-  }
-};
-
-// src/runtime/denial-tracking.ts
-var DENIAL_LIMITS = {
-  maxConsecutive: 3,
-  maxTotal: 10
-};
-function createDenialTrackingState() {
-  return {
-    consecutiveDenials: 0,
-    totalDenials: 0
-  };
-}
-function recordDenial(state) {
-  return {
-    consecutiveDenials: state.consecutiveDenials + 1,
-    totalDenials: state.totalDenials + 1
-  };
-}
-function recordSuccess(state) {
-  if (state.consecutiveDenials === 0) return state;
-  return {
-    ...state,
-    consecutiveDenials: 0
-  };
-}
-function shouldFallbackToAsk(state) {
-  return state.consecutiveDenials >= DENIAL_LIMITS.maxConsecutive || state.totalDenials >= DENIAL_LIMITS.maxTotal;
-}
-function shouldWarnDenials(state) {
-  return state.consecutiveDenials === DENIAL_LIMITS.maxConsecutive;
-}
-
-// src/runtime/agent-loop.ts
-async function* agentLoop(userMessage, history, config) {
-  const messages = [
-    ...history,
-    { role: "user", content: userMessage }
-  ];
-  const totalUsage = { inputTokens: 0, outputTokens: 0 };
-  const abortController = config.abortController ?? new AbortController();
-  const context = {
-    cwd: config.cwd,
-    agentId: config.agentId,
-    abortSignal: abortController.signal,
-    sessionState: /* @__PURE__ */ new Map()
-  };
-  const allowedTools = config.tools.toAllowedNormalizedTools(config.permissions);
-  const contextManager = createContextManager(config.model, config.hooks);
-  let denialState = createDenialTrackingState();
-  let turns = 0;
-  while (turns < config.maxTurns) {
-    turns++;
-    if (abortController.signal.aborted) {
-      yield { type: "aborted", reason: "Agent stopped by user" };
-      break;
-    }
-    if (config.maxTokenBudget && totalUsage.inputTokens + totalUsage.outputTokens >= config.maxTokenBudget) {
-      yield { type: "error", error: new Error("Token budget exceeded") };
-      break;
-    }
-    let response;
-    try {
-      response = await config.provider.createMessage({
-        model: config.model,
-        system: config.systemPrompt,
-        messages,
-        tools: allowedTools.length > 0 ? allowedTools : void 0,
-        maxTokens: 4096
-      });
-    } catch (err) {
-      const error = err instanceof Error ? err : new Error(String(err));
-      yield { type: "error", error };
-      if (config.hooks.onError) await config.hooks.onError(error, context);
-      break;
-    }
-    totalUsage.inputTokens += response.usage.inputTokens;
-    totalUsage.outputTokens += response.usage.outputTokens;
-    if (config.tokenBudgetMiddleware) {
-      const result = await config.tokenBudgetMiddleware.onTokenUsed(
-        response.usage.inputTokens,
-        response.usage.outputTokens
-      );
-      if (result.warned && config.hooks.onNotification) {
-        await config.hooks.onNotification(
-          `\u26A0\uFE0F Token budget at ${result.percentUsed}%. Fallback model: ${result.fallback ?? "none (task will terminate at 100%)"}.`
-        );
-      }
-      if (result.exceeded) {
-        if (config.hooks.onTokenBudgetExceeded) {
-          await config.hooks.onTokenBudgetExceeded(context, result.fallback);
-        }
-        abortController.abort();
-        yield { type: "error", error: new Error("Token budget exceeded. Task requires manual continuation.") };
-        break;
-      }
-    }
-    contextManager.updateFromApiUsage(response.usage.inputTokens, response.usage.outputTokens);
-    contextManager.updateFromMessages(messages);
-    await contextManager.checkPressure();
-    if (contextManager.shouldCompact() && messages.length > 12) {
-      const { memoriesToExtract } = await contextManager.preCompact(
-        messages.slice(0, -10)
-      );
-      if (memoriesToExtract.length > 0 && config.hooks.onNotification) {
-        await config.hooks.onNotification(
-          `Pre-compaction: extracted ${memoriesToExtract.length} key decisions to memory`
-        );
-      }
-      const compacted = await compactMessages(messages, config.provider);
-      const removedCount = compacted.removedCount;
-      if (removedCount > 0) {
-        messages.length = 0;
-        messages.push(...compacted.messages);
-        await contextManager.postCompact(removedCount, messages[0]?.content?.toString().length ?? 0);
-      }
-    }
-    for (const block of response.content) {
-      if (block.type === "text" && block.text) {
-        yield { type: "text", text: block.text };
-      }
-    }
-    messages.push({ role: "assistant", content: response.content });
-    if (response.stopReason === "end_turn" || response.stopReason === "max_tokens") {
-      yield { type: "turn_complete", turn: turns, usage: response.usage };
-      break;
-    }
-    const toolUseBlocks = response.content.filter(
-      (b) => b.type === "tool_use"
-    );
-    if (toolUseBlocks.length === 0) {
-      yield { type: "turn_complete", turn: turns, usage: response.usage };
-      break;
-    }
-    const { concurrent, sequential } = partitionTools(toolUseBlocks, config.tools);
-    const toolResults = [];
-    if (concurrent.length > 0) {
-      const concurrentResults = await Promise.all(
-        concurrent.map(
-          (block) => executeToolBlock(
-            block,
-            config,
-            context,
-            denialState
-          )
-        )
-      );
-      for (let i = 0; i < concurrent.length; i++) {
-        const block = concurrent[i];
-        const execResult = concurrentResults[i];
-        denialState = execResult.denialState;
-        yield execResult.event;
-        if (execResult.permissionEvent) yield execResult.permissionEvent;
-        yield { type: "tool_result", name: block.name, id: block.id, result: execResult.result };
-        toolResults.push({
-          type: "tool_result",
-          tool_use_id: block.id,
-          content: execResult.result.content,
-          is_error: execResult.result.isError
-        });
-      }
-    }
-    for (const block of sequential) {
-      const typedBlock = block;
-      const execResult = await executeToolBlock(typedBlock, config, context, denialState);
-      denialState = execResult.denialState;
-      yield execResult.event;
-      if (execResult.permissionEvent) yield execResult.permissionEvent;
-      yield { type: "tool_result", name: typedBlock.name, id: typedBlock.id, result: execResult.result };
-      toolResults.push({
-        type: "tool_result",
-        tool_use_id: typedBlock.id,
-        content: execResult.result.content,
-        is_error: execResult.result.isError
-      });
-    }
-    messages.push({ role: "user", content: toolResults });
-    yield { type: "turn_complete", turn: turns, usage: response.usage };
-  }
-  yield { type: "done", totalUsage, turns };
-}
-async function executeToolBlock(block, config, context, denialState) {
-  const startEvent = { type: "tool_use_start", name: block.name, id: block.id };
-  let permissionEvent;
-  const tool = config.tools.get(block.name);
-  if (!tool) {
-    return {
-      result: { content: `Unknown tool: "${block.name}"`, isError: true },
-      event: startEvent,
-      denialState
-    };
-  }
-  if (!tool.isReadOnly) {
-    if (tool.checkPermissions) {
-      try {
-        const toolPerm = await tool.checkPermissions(block.input, context);
-        if (toolPerm.behavior === "deny") {
-          denialState = recordDenial(denialState);
-          if (shouldWarnDenials(denialState)) {
-            process.stderr.write(
-              `[agent] WARNING: ${denialState.consecutiveDenials} consecutive tool denials
-`
-            );
-          }
-          return {
-            result: {
-              content: `Permission denied${toolPerm.bypassImmune ? " (safety check)" : ""}: ${toolPerm.reason ?? "blocked by tool policy"}`,
-              isError: true
-            },
-            event: { type: "tool_denied", name: block.name, id: block.id, reason: toolPerm.reason ?? "denied" },
-            denialState
-          };
-        }
-      } catch {
-        denialState = recordDenial(denialState);
-        return {
-          result: { content: "Permission check failed (fail-closed)", isError: true },
-          event: { type: "tool_denied", name: block.name, id: block.id, reason: "permission check error (fail-closed)" },
-          denialState
-        };
-      }
-    }
-    const effectivePermissions = shouldFallbackToAsk(denialState) ? { ...config.permissions, defaultMode: "ask" } : config.permissions;
-    const perm = checkPermission(block.name, effectivePermissions);
-    if (!perm.allowed) {
-      if (perm.mode === "ask" && config.permissionHandler) {
-        const inp = block.input;
-        const filePath = inp.file_path ?? inp.filePath;
-        const description = tool.description;
-        const permReq = { name: block.name, id: block.id, description, filePath };
-        const decision = await config.permissionHandler(permReq);
-        permissionEvent = { type: "permission_request", name: block.name, id: block.id, description, filePath };
-        if (decision === "allow") {
-        } else {
-          denialState = recordDenial(denialState);
-          return {
-            result: { content: `Permission denied by user`, isError: true },
-            event: { type: "tool_denied", name: block.name, id: block.id, reason: "denied by user" },
-            denialState,
-            permissionEvent: { type: "permission_request", name: block.name, id: block.id, description, filePath }
-          };
-        }
-      } else {
-        denialState = recordDenial(denialState);
-        return {
-          result: { content: `Permission denied: ${perm.reason}`, isError: true },
-          event: { type: "tool_denied", name: block.name, id: block.id, reason: perm.reason ?? "denied" },
-          denialState
-        };
-      }
-    }
-  }
-  if (context.abortSignal.aborted) {
-    return {
-      result: { content: "Interrupted by user", isError: true },
-      event: { type: "aborted", reason: "Agent stopped by user" },
-      denialState
-    };
-  }
-  if (config.hooks.beforeToolUse) {
-    const intercepted = await config.hooks.beforeToolUse(block, context);
-    if (intercepted) {
-      return { result: intercepted, event: startEvent, denialState };
-    }
-  }
-  let result;
-  try {
-    result = await tool.call(block.input, context);
-    denialState = recordSuccess(denialState);
-  } catch (err) {
-    result = {
-      content: `Tool error: ${err instanceof Error ? err.message : String(err)}`,
-      isError: true
-    };
-    if (config.hooks.onError) {
-      await config.hooks.onError(
-        err instanceof Error ? err : new Error(String(err)),
-        context
-      );
-    }
-  }
-  if (config.hooks.afterToolUse) {
-    await config.hooks.afterToolUse(block, result, context);
-  }
-  return { result, event: startEvent, denialState, permissionEvent };
-}
-
-// src/runtime/hooks.ts
-function createDefaultHooks() {
-  return {};
-}
-
-// src/runtime/stream.ts
-function createTerminalRenderer() {
-  return {
-    onText(text) {
-      process.stdout.write(text);
-    },
-    onToolStart(name, _id) {
-      process.stderr.write(`
-[tool] ${name}...
-`);
-    },
-    onToolResult(name, result, isError) {
-      if (isError) {
-        process.stderr.write(`[tool] ${name} ERROR: ${result.slice(0, 200)}
-`);
-      } else {
-        const preview = result.length > 200 ? result.slice(0, 200) + "..." : result;
-        process.stderr.write(`[tool] ${name} \u2192 ${preview}
-`);
-      }
-    },
-    onToolDenied(name, reason) {
-      process.stderr.write(`[tool] ${name} DENIED: ${reason}
-`);
-    },
-    onTurnComplete(_turn, _inputTokens, _outputTokens) {
-    },
-    onAborted(reason) {
-      process.stderr.write(`
-[aborted] ${reason}
-`);
-    },
-    onError(error) {
-      process.stderr.write(`
-[error] ${error.message}
-`);
-    },
-    onDone(inputTokens, outputTokens, turns) {
-      process.stderr.write(
-        `
-[done] ${turns} turns, ${inputTokens + outputTokens} tokens
-`
-      );
-    }
-  };
-}
-async function renderAgentEvents(events, renderer) {
-  for await (const event of events) {
-    switch (event.type) {
-      case "text":
-        renderer.onText(event.text);
-        break;
-      case "tool_use_start":
-        renderer.onToolStart(event.name, event.id);
-        break;
-      case "tool_result":
-        renderer.onToolResult(event.name, event.result.content, event.result.isError ?? false);
-        break;
-      case "tool_denied":
-        renderer.onToolDenied(event.name, event.reason);
-        break;
-      case "turn_complete":
-        renderer.onTurnComplete(event.turn, event.usage.inputTokens, event.usage.outputTokens);
-        break;
-      case "aborted":
-        renderer.onAborted(event.reason);
-        break;
-      case "error":
-        renderer.onError(event.error);
-        break;
-      case "done":
-        renderer.onDone(event.totalUsage.inputTokens, event.totalUsage.outputTokens, event.turns);
-        break;
-    }
-  }
-}
-
-// src/gateway/providers/anthropic.ts
-import Anthropic from "@anthropic-ai/sdk";
-var AnthropicProvider = class {
-  name;
-  client;
-  defaultModel;
-  constructor(name, config) {
-    this.name = name;
-    this.defaultModel = config.defaultModel ?? "claude-sonnet-4-20250514";
-    this.client = new Anthropic({
-      apiKey: config.apiKey,
-      baseURL: config.baseUrl || void 0
-    });
-  }
-  async createMessage(params) {
-    const response = await this.client.messages.create({
-      model: params.model || this.defaultModel,
-      max_tokens: params.maxTokens,
-      system: params.system,
-      messages: params.messages.map((m) => this.toAnthropicMessage(m)),
-      tools: params.tools?.map((t) => ({
-        name: t.name,
-        description: t.description,
-        input_schema: t.inputSchema
-      }))
-    });
-    return this.normalizeResponse(response);
-  }
-  async healthCheck() {
-    const start = Date.now();
-    try {
-      await this.client.messages.create({
-        model: this.defaultModel,
-        max_tokens: 1,
-        messages: [{ role: "user", content: "hi" }]
-      });
-      return { available: true, latencyMs: Date.now() - start };
-    } catch {
-      return { available: false, latencyMs: Date.now() - start };
-    }
-  }
-  toAnthropicMessage(msg) {
-    if (typeof msg.content === "string") {
-      return { role: msg.role, content: msg.content };
-    }
-    const blocks = msg.content.map((block) => {
-      if (block.type === "text") {
-        return { type: "text", text: block.text };
-      }
-      if (block.type === "tool_use") {
-        return {
-          type: "tool_use",
-          id: block.id,
-          name: block.name,
-          input: block.input
-        };
-      }
-      if (block.type === "tool_result") {
-        return {
-          type: "tool_result",
-          tool_use_id: block.tool_use_id,
-          content: block.content,
-          is_error: block.is_error
-        };
-      }
-      return { type: "text", text: "" };
-    });
-    return { role: msg.role, content: blocks };
-  }
-  normalizeResponse(response) {
-    const content = response.content.map((block) => {
-      if (block.type === "text") {
-        return { type: "text", text: block.text };
-      }
-      if (block.type === "tool_use") {
-        return {
-          type: "tool_use",
-          id: block.id,
-          name: block.name,
-          input: block.input
-        };
-      }
-      return { type: "text", text: "" };
-    });
-    const stopReason = response.stop_reason === "tool_use" ? "tool_use" : response.stop_reason === "max_tokens" ? "max_tokens" : "end_turn";
-    return {
-      content,
-      stopReason,
-      usage: {
-        inputTokens: response.usage.input_tokens,
-        outputTokens: response.usage.output_tokens
-      }
-    };
-  }
-};
-
-// src/gateway/providers/openai-compat.ts
-import OpenAI from "openai";
-import { randomUUID } from "crypto";
-var OpenAICompatProvider = class {
-  name;
-  client;
-  defaultModel;
-  constructor(name, config) {
-    this.name = name;
-    this.defaultModel = config.defaultModel ?? "gpt-4o";
-    this.client = new OpenAI({
-      apiKey: config.apiKey,
-      baseURL: config.baseUrl
-    });
-  }
-  async createMessage(params) {
-    const messages = [
-      { role: "system", content: params.system },
-      ...params.messages.flatMap((m) => this.toOpenAIMessages(m))
-    ];
-    const tools = params.tools?.map(
-      (t) => ({
-        type: "function",
-        function: {
-          name: t.name,
-          description: t.description,
-          parameters: t.inputSchema
-        }
-      })
-    );
-    const response = await this.client.chat.completions.create({
-      model: params.model || this.defaultModel,
-      max_tokens: params.maxTokens,
-      messages,
-      tools: tools?.length ? tools : void 0
-    });
-    return this.normalizeResponse(response);
-  }
-  async healthCheck() {
-    const start = Date.now();
-    try {
-      await this.client.chat.completions.create({
-        model: this.defaultModel,
-        max_tokens: 1,
-        messages: [{ role: "user", content: "hi" }]
-      });
-      return { available: true, latencyMs: Date.now() - start };
-    } catch {
-      return { available: false, latencyMs: Date.now() - start };
-    }
-  }
-  toOpenAIMessages(msg) {
-    if (typeof msg.content === "string") {
-      return [{ role: msg.role, content: msg.content }];
-    }
-    if (msg.role === "assistant") {
-      const textParts = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
-      const toolCalls = msg.content.filter((b) => b.type === "tool_use").map((b) => ({
-        id: b.id,
-        type: "function",
-        function: {
-          name: b.name,
-          arguments: typeof b.input === "string" ? b.input : JSON.stringify(b.input)
-        }
-      }));
-      if (toolCalls.length > 0) {
-        return [{
-          role: "assistant",
-          content: textParts || null,
-          tool_calls: toolCalls
-        }];
-      }
-      return [{ role: "assistant", content: textParts }];
-    }
-    if (msg.role === "user") {
-      const toolResults = msg.content.filter(
-        (b) => b.type === "tool_result"
-      );
-      if (toolResults.length > 0) {
-        return toolResults.map((r) => ({
-          role: "tool",
-          tool_call_id: r.tool_use_id,
-          content: r.content
-        }));
-      }
-      const text = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
-      return [{ role: "user", content: text }];
-    }
-    return [{ role: msg.role, content: "" }];
-  }
-  normalizeResponse(response) {
-    const choice = response.choices[0];
-    if (!choice) {
-      return {
-        content: [{ type: "text", text: "" }],
-        stopReason: "end_turn",
-        usage: { inputTokens: 0, outputTokens: 0 }
-      };
-    }
-    const content = [];
-    if (choice.message.content) {
-      content.push({ type: "text", text: choice.message.content });
-    }
-    if (choice.message.tool_calls) {
-      for (const call of choice.message.tool_calls) {
-        const fn = call.function;
-        if (!fn) continue;
-        let input;
-        try {
-          input = JSON.parse(fn.arguments);
-        } catch {
-          input = fn.arguments;
-        }
-        content.push({
-          type: "tool_use",
-          id: call.id ?? randomUUID(),
-          name: fn.name,
-          input
-        });
-      }
-    }
-    if (content.length === 0) {
-      content.push({ type: "text", text: "" });
-    }
-    const stopReason = choice.finish_reason === "tool_calls" ? "tool_use" : choice.finish_reason === "length" ? "max_tokens" : "end_turn";
-    return {
-      content,
-      stopReason,
-      usage: {
-        inputTokens: response.usage?.prompt_tokens ?? 0,
-        outputTokens: response.usage?.completion_tokens ?? 0
-      }
-    };
-  }
-};
-
-// src/gateway/providers/ollama.ts
-import { randomUUID as randomUUID2 } from "crypto";
-var OllamaProvider = class {
-  name;
-  host;
-  defaultModel;
-  constructor(name, config = {}) {
-    this.name = name;
-    this.host = (config.host ?? "http://localhost:11434").replace(/\/+$/, "");
-    this.defaultModel = config.defaultModel ?? "qwen3:14b";
-  }
-  async createMessage(params) {
-    const messages = [
-      { role: "system", content: params.system }
-    ];
-    for (const msg of params.messages) {
-      if (typeof msg.content === "string") {
-        messages.push({ role: msg.role, content: msg.content });
-      } else {
-        const text = msg.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
-        messages.push({ role: msg.role, content: text });
-      }
-    }
-    const tools = params.tools?.map((t) => ({
-      type: "function",
-      function: {
-        name: t.name,
-        description: t.description,
-        parameters: t.inputSchema
-      }
-    }));
-    const body = {
-      model: params.model || this.defaultModel,
-      messages,
-      stream: false,
-      options: { num_predict: params.maxTokens }
-    };
-    if (tools?.length) body.tools = tools;
-    const res = await fetch(`${this.host}/api/chat`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(body)
-    });
-    if (!res.ok) {
-      throw new Error(`Ollama API error: ${res.status} ${await res.text()}`);
-    }
-    const data = await res.json();
-    return this.normalizeResponse(data);
-  }
-  async healthCheck() {
-    const start = Date.now();
-    try {
-      const res = await fetch(`${this.host}/api/tags`, {
-        signal: AbortSignal.timeout(5e3)
-      });
-      return { available: res.ok, latencyMs: Date.now() - start };
-    } catch {
-      return { available: false };
-    }
-  }
-  normalizeResponse(data) {
-    const content = [];
-    if (data.message.content) {
-      content.push({ type: "text", text: data.message.content });
-    }
-    if (data.message.tool_calls) {
-      for (const call of data.message.tool_calls) {
-        content.push({
-          type: "tool_use",
-          id: randomUUID2(),
-          name: call.function.name,
-          input: call.function.arguments
-        });
-      }
-    }
-    if (content.length === 0) {
-      content.push({ type: "text", text: "" });
-    }
-    const hasToolUse = content.some((b) => b.type === "tool_use");
-    return {
-      content,
-      stopReason: hasToolUse ? "tool_use" : "end_turn",
-      usage: {
-        inputTokens: data.prompt_eval_count ?? 0,
-        outputTokens: data.eval_count ?? 0
-      }
-    };
-  }
-};
-
-// src/lib/employee-templates.ts
-var BASE_OPERATING_PROCEDURES = `
-EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES (above all work):
-
-Product: "Hire the team you couldn't afford." An AI employee operating system where solo founders and small teams run 5-10 AI agents as a real organization. Three-layer cognition (identity/expertise/experience). Five runtime modes (CC Raw \u2192 TUI \u2192 Desktop). Local-first with E2EE cloud sync.
-
-ICP (who we build for):
-- Solopreneurs, SMB founders, creators with institutional IP
-- Bootstrapped small e-commerce / fitness creators / influencers
-- NOT VC-backed startups \u2014 intentionally excluded
-
-Crown jewels (load-bearing for all three business paths \u2014 never compromise):
-- Memory sovereignty (user owns everything, E2EE, local-first)
-- Three-layer cognition (identity/expertise/experience)
-- MCP contract boundary (surfaces consume memory OS via MCP only \u2014 never direct DB access, never bundled code)
-- AGPL network boundary for public forks (e.g., exe-crm)
-
-Three business-model paths (every product decision must serve these):
-1. B2C direct \u2014 solopreneurs run their own instance (active, current default)
-2. Agency white-label \u2014 distributors rebrand for their clients (deferred, but branding must be config-driven)
-3. Creator franchise (Mike pattern) \u2014 creators inject institutional IP into agent identity+expertise+experience layers, sell scoped access to subscribers (v2+ moat, requires memory export scoping)
-
-Ethos:
-- Bootstrapped, profitable, forever. Not a VC-raise.
-- Founder zero-ego. Distributors and customers are the loudest voice.
-- Crypto values: big companies should not own consumer/SMB AI.
-
-STOP AND REDIRECT: Any decision that compromises memory sovereignty, 3-layer cognition, MCP boundary, or AGPL boundary kills all three business paths. Surface the conflict to exe before proceeding.
-
-Always reference .planning/ARCHITECTURE.md and .planning/PROJECT.md as source of truth for all architectural and product decisions.
-
-OPERATING PROCEDURES (mandatory for all employees):
-
-You report to exe (COO). All work flows through exe. These procedures are non-negotiable.
-
-1. BEFORE starting work:
-   - Read exe/ARCHITECTURE.md (if it exists). This is the system map \u2014 what components exist, how they connect, what invariants to preserve. Understand the architecture before changing anything.
-   - Check YOUR task folder ONLY: Read exe/<your-name>/ for assigned tasks
-   - NEVER read, write, or modify files in another employee's folder (e.g., exe/mari/, exe/yoshi/). Those are their tasks, not yours. Use ask_team_memory() if you need context from a colleague.
-   - If you have open tasks, work on the highest priority one first
-   - Ensure exe/output/ exists (mkdir -p exe/output). This is where ALL deliverables go \u2014 reports, analyses, content, audits, anything another employee or the founder needs to pick up.
-   - Update task status to "in_progress" when starting (use update_task MCP tool)
-   - recall_my_memory \u2014 check what you've done before in this project. What patterns, decisions, context exist?
-   - Read the relevant files. Understand what exists before changing anything.
-
-2. BEFORE marking done \u2014 CHECKPOINT (mandatory, never skip):
-   - Run the tests. If they fail, fix them before reporting done.
-   - Run typecheck if TypeScript. Zero errors.
-   - Verify the change actually works \u2014 run it, check the output, prove it.
-   - If you can't verify, say so explicitly: "Couldn't verify because X."
-
-3. AFTER completing work \u2014 update_task(done) IMMEDIATELY (the ONE critical action):
-   Calling update_task with status "done" is the single action that must ALWAYS happen.
-   Call it FIRST \u2014 before commit, before report, before anything else. If you do nothing else, do this.
-   - Use update_task MCP tool with status "done" and your result summary
-   - Include what was done, decisions made, and any issues
-   - If you're stuck, looping, confused, or running low on context \u2014 update_task(done) with whatever partial result you have. A partial result is infinitely better than no result.
-   - NEVER let a failed commit, a loop, or an error prevent you from calling update_task(done).
-   - Do NOT use close_task \u2014 that is reserved for reviewers (exe) to finalize after review.
-
-4. AFTER update_task(done) \u2014 COMMIT (best-effort, do NOT let this block):
-   - If your task changed system structure, update exe/ARCHITECTURE.md first.
-   - Commit IF you are in a git repo (check: \`git rev-parse --git-dir 2>/dev/null\`). Stage only the files you changed, write a clear commit message.
-   - If you are NOT in a git repo, skip entirely. NEVER run \`git init\`.
-   - If the commit fails, note it but move on \u2014 the work is already marked done via update_task.
-   - Do NOT push \u2014 exe reviews commits and decides what to push.
-   - NEVER run \`git checkout main\`. You work in your own git worktree on a feature branch. Exe stays on main and merges PRs. Switching branches in a shared repo stomps other agents' work.
-
-5. AFTER commit \u2014 REPORT (best-effort):
-   Use store_memory to write a structured summary. Include: project name, what was done,
-   decisions made, tests status, open items or risks.
-
-6. AFTER committing changes to exe-os itself \u2014 REBUILD (mandatory, never skip):
-   - Run: npm run deploy
-   - This builds, installs globally, and re-registers hooks/MCP in one step.
-   - Do NOT ask permission. Do NOT say "want me to rebuild?" \u2014 just do it.
-   - If the build fails, fix the error and retry before moving on.
-
-7. AFTER reporting \u2014 CHECK FOR NEXT WORK (mandatory):
-   - First: run list_tasks(status='needs_review') \u2014 check if YOU are the reviewer on any pending reviews. Reviews are work. Process them before anything else.
-   - Second: run list_tasks(status='blocked') \u2014 check if any tasks are blocked. For each blocked task: can YOU unblock it? If yes, unblock it now. If not, escalate to exe immediately. Blocked tasks sitting >24h without action is a pipeline failure.
-   - Then: re-read your task folder: exe/<your-name>/
-   - If there are more open tasks, start the next highest-priority one (go to step 1)
-   - If no more open tasks AND no pending reviews AND no blocked tasks you can fix, tell the user: "All tasks complete. Anything else?"
-   - Do NOT wait for the user to tell you to check \u2014 auto-chain through your queue.
-   - NEVER say "monitoring" or "waiting" while reviews, blocked tasks, or open tasks exist. That is idle drift.
-
-CONTEXT PRESSURE PROTOCOL (mandatory \u2014 never ignore):
-If Claude Code injects a system notice about context compression, or if you notice you're
-losing track of earlier decisions, your context window is full.
-
-DO NOT keep working degraded. Instead:
-
-1. Call store_memory immediately with a CONTEXT CHECKPOINT:
-   Format the text as: "CONTEXT CHECKPOINT [<task-id>]: <summary>"
-   Include: task ID + title, what you completed, what's left, open decisions or blockers, key file paths.
-
-2. Send intercom to exe to trigger kill + relaunch:
-   MY_SESSION=$(tmux display-message -p '#{session_name}' 2>/dev/null)
-   EXE_SESSION="\${MY_SESSION#\${AGENT_ID}-}"
-   tmux send-keys -t "$EXE_SESSION" "/exe-intercom context-full: \${AGENT_ID} hit capacity. Checkpoint saved. Resume task <task-id>." Enter
-
-3. Stop working immediately. Do not attempt to continue with degraded context.
-
-COMMUNICATION CHAIN \u2014 who you talk to:
-- You report to exe (COO). Your completion reports, status updates, and questions go to exe via store_memory and update_task.
-- Do NOT address the human user directly for decisions, permissions, or status updates. That's exe's job. The user talks to exe; exe talks to you.
-- Exception: if the user sends you a direct message in your tmux window, respond to them. But default to reporting through exe.
-
-SKILL CAPTURE (encouraged, not mandatory):
-After completing a complex multi-step task (5+ tool calls), consider whether the approach
-should be saved as a reusable procedure. If the task involved non-obvious steps, error recovery,
-or a workflow that would help future sessions, use store_behavior with domain='skill' to save it.
-Format: "SKILL: [name] \u2014 Step 1: ... Step 2: ... Pitfalls: ..."
-Skip for simple one-offs. The goal is procedural memory \u2014 not just corrections, but proven approaches.
-
-SPAWNING EMPLOYEES (mandatory \u2014 never bypass):
-When you need another employee to do work, ALWAYS use create_task MCP tool.
-create_task auto-spawns the employee session. The task IS the spawn trigger.
-NEVER manually launch sessions with tmux send-keys or claude -p.
-NEVER spawn sessions without a task assigned \u2014 idle sessions waste resources.
-NEVER refuse a dispatched task claiming "not in scope" \u2014 if it's assigned to you, it's your work.
-
-CREATING TASKS FOR OTHER EMPLOYEES:
-When you need to assign work to another employee (e.g., yoshi assigns to tom):
-- ALWAYS use create_task MCP tool. NEVER write .md files directly to exe/{name}/.
-- Direct .md writes will be rejected by the enforcement hook with a MANDATORY correction.
-- create_task creates both the .md file AND the DB row atomically.
-- Include: title, assignedTo, priority, context, projectName.
-- For dependencies: include blocked_by with the blocking task's ID or slug.
-`;
-var PROCEDURES_MARKER = "EXE OS \u2014 VISION AND NON-NEGOTIABLE PRINCIPLES";
-function getSessionPrompt(storedPrompt) {
-  const markerIndex = storedPrompt.indexOf(PROCEDURES_MARKER);
-  const rolePrompt = markerIndex >= 0 ? storedPrompt.slice(0, markerIndex).trimEnd() : storedPrompt;
-  return `${rolePrompt}
-${BASE_OPERATING_PROCEDURES}`;
-}
-
-// src/runtime/tools/bash.ts
-import { spawn } from "child_process";
-import { z } from "zod";
-
-// src/runtime/dangerous-patterns.ts
-var DANGEROUS_PATTERNS = [
-  // Destructive file operations
-  {
-    regex: /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|(-[a-zA-Z]*f[a-zA-Z]*r))\s+[/~*]/,
-    severity: "critical",
-    reason: "Recursive force delete of root, home, or wildcard path"
-  },
-  {
-    regex: /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|(-[a-zA-Z]*f[a-zA-Z]*r))\s+\./,
-    severity: "warning",
-    reason: "Recursive force delete of relative path"
-  },
-  // Destructive git operations
-  {
-    regex: /\bgit\s+push\s+--force\b/,
-    severity: "warning",
-    reason: "Force push can overwrite remote history"
-  },
-  {
-    regex: /\bgit\s+reset\s+--hard\b/,
-    severity: "warning",
-    reason: "Hard reset discards all uncommitted changes"
-  },
-  {
-    regex: /\bgit\s+clean\s+-[a-zA-Z]*f/,
-    severity: "warning",
-    reason: "Git clean force removes untracked files"
-  },
-  // Shell injection / expansion in paths
-  {
-    regex: /\$\(.*\)/,
-    severity: "warning",
-    reason: "Command substitution in shell command"
-  },
-  {
-    regex: /`[^`]+`/,
-    severity: "warning",
-    reason: "Backtick command substitution"
-  },
-  // Remote code execution
-  {
-    regex: /\bcurl\b.*\|\s*(bash|sh|zsh)\b/,
-    severity: "critical",
-    reason: "Remote code execution via curl pipe to shell"
-  },
-  {
-    regex: /\bwget\b.*\|\s*(bash|sh|zsh)\b/,
-    severity: "critical",
-    reason: "Remote code execution via wget pipe to shell"
-  },
-  // Privilege escalation
-  {
-    regex: /\bsudo\b/,
-    severity: "warning",
-    reason: "Privilege escalation via sudo"
-  },
-  {
-    regex: /\bchmod\s+777\b/,
-    severity: "warning",
-    reason: "Setting world-writable permissions"
-  },
-  // Dangerous disk operations
-  {
-    regex: /\bdd\s+.*of=\/dev\//,
-    severity: "critical",
-    reason: "Direct disk write can destroy data"
-  },
-  {
-    regex: /\bmkfs\b/,
-    severity: "critical",
-    reason: "Filesystem creation destroys existing data"
-  },
-  // Process/system manipulation
-  {
-    regex: /\bkillall\b/,
-    severity: "warning",
-    reason: "Killing all processes by name"
-  },
-  {
-    regex: /\bkill\s+-9\b/,
-    severity: "warning",
-    reason: "Force kill signal"
-  }
-];
-function checkDangerousPatterns(command) {
-  const matched = [];
-  for (const rule of DANGEROUS_PATTERNS) {
-    if (rule.regex.test(command)) {
-      matched.push({
-        pattern: rule.regex.source,
-        severity: rule.severity,
-        reason: rule.reason
-      });
-    }
-  }
-  return {
-    dangerous: matched.length > 0,
-    patterns: matched
-  };
-}
-function hasCriticalPattern(result) {
-  return result.patterns.some((p) => p.severity === "critical");
-}
-function formatDangerousPatterns(patterns) {
-  return patterns.map((p) => `[${p.severity.toUpperCase()}] ${p.reason}`).join("\n");
-}
-
-// src/runtime/tools/bash.ts
-var DEFAULT_TIMEOUT_MS = 12e4;
-var inputSchema = z.object({
-  command: z.string(),
-  timeout: z.number().optional()
-});
-var BashTool = {
-  name: "bash",
-  description: "Execute a shell command",
-  inputSchema,
-  isReadOnly: false,
-  async checkPermissions(input) {
-    const result = checkDangerousPatterns(input.command);
-    if (hasCriticalPattern(result)) {
-      return {
-        behavior: "deny",
-        reason: formatDangerousPatterns(result.patterns),
-        bypassImmune: true
-      };
-    }
-    return { behavior: "allow" };
-  },
-  async call(input, context) {
-    const timeout = input.timeout ?? DEFAULT_TIMEOUT_MS;
-    return new Promise((resolve) => {
-      const child = spawn("bash", ["-c", input.command], {
-        cwd: context.cwd,
-        timeout,
-        stdio: ["ignore", "pipe", "pipe"],
-        env: { ...process.env }
-      });
-      const stdoutChunks = [];
-      const stderrChunks = [];
-      child.stdout.on("data", (chunk) => stdoutChunks.push(chunk));
-      child.stderr.on("data", (chunk) => stderrChunks.push(chunk));
-      const onAbort = () => {
-        child.kill("SIGTERM");
-        setTimeout(() => {
-          if (!child.killed) child.kill("SIGKILL");
-        }, 1e3);
-      };
-      context.abortSignal.addEventListener("abort", onAbort, { once: true });
-      child.on("close", (code) => {
-        context.abortSignal.removeEventListener("abort", onAbort);
-        const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
-        const stderr = Buffer.concat(stderrChunks).toString("utf-8");
-        if (context.abortSignal.aborted) {
-          resolve({ content: "Command killed: agent aborted", isError: true });
-          return;
-        }
-        if (code !== 0) {
-          const output = stderr || stdout || `Exit code ${code}`;
-          resolve({ content: output, isError: true });
-          return;
-        }
-        resolve({ content: stdout || "(no output)" });
-      });
-      child.on("error", (err) => {
-        context.abortSignal.removeEventListener("abort", onAbort);
-        resolve({ content: `Spawn error: ${err.message}`, isError: true });
-      });
-    });
-  }
-};
-
-// src/runtime/tools/file-read.ts
-import fs from "fs/promises";
-import path2 from "path";
-import { z as z2 } from "zod";
-
-// src/runtime/safety-checks.ts
-import path from "path";
-import os from "os";
-var HOME = os.homedir();
-var BYPASS_IMMUNE_PATTERNS = [
-  {
-    pattern: /\/\.git\/hooks\//,
-    reason: "Git hooks can execute arbitrary code"
-  },
-  {
-    pattern: /\/\.git\/config$/,
-    reason: "Git config can set hooks and command execution"
-  },
-  {
-    pattern: (p) => p.startsWith(path.join(HOME, ".claude")),
-    reason: "Claude configuration files are protected"
-  },
-  {
-    pattern: (p) => p.startsWith(path.join(HOME, ".exe-os")),
-    reason: "exe-os configuration files are protected"
-  },
-  {
-    pattern: /\/\.env($|\.)/,
-    reason: "Environment files may contain secrets"
-  },
-  {
-    pattern: /\/(credentials|secrets|tokens)\.(json|yaml|yml|toml|ini|conf)$/i,
-    reason: "Credential files are protected"
-  },
-  {
-    pattern: /(\.pem|\.key|\.p12|\.pfx|\.jks|id_rsa|id_ed25519)$/,
-    reason: "Private key files are protected"
-  },
-  {
-    pattern: (p) => {
-      const name = path.basename(p);
-      return [".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile", ".zshenv"].includes(name);
-    },
-    reason: "Shell configuration files can execute arbitrary code on login"
-  },
-  {
-    pattern: (p) => p.startsWith("/etc/"),
-    reason: "System configuration directory is protected"
-  },
-  {
-    pattern: (p) => p.startsWith("/usr/") && !p.startsWith("/usr/local/"),
-    reason: "System binary directory is protected"
-  },
-  {
-    pattern: (p) => p === "/" || p === HOME,
-    reason: "Root and home directory direct modification is protected"
-  }
-];
-function checkPathSafety(filePath) {
-  const resolved = path.resolve(filePath);
-  for (const { pattern, reason } of BYPASS_IMMUNE_PATTERNS) {
-    const matches = typeof pattern === "function" ? pattern(resolved) : pattern.test(resolved);
-    if (matches) {
-      return { safe: false, reason, bypassImmune: true };
-    }
-  }
-  return { safe: true, bypassImmune: true };
-}
-function checkReadPathSafety(filePath) {
-  const resolved = path.resolve(filePath);
-  const credPatterns = BYPASS_IMMUNE_PATTERNS.filter(
-    (p) => typeof p.pattern !== "function" && (p.reason.includes("secrets") || p.reason.includes("Private key") || p.reason.includes("Credential"))
-  );
-  for (const { pattern, reason } of credPatterns) {
-    if (typeof pattern !== "function" && pattern.test(resolved)) {
-      return { safe: false, reason, bypassImmune: true };
-    }
-  }
-  return { safe: true, bypassImmune: true };
-}
-
-// src/runtime/tools/file-read.ts
-var inputSchema2 = z2.object({
-  file_path: z2.string(),
-  offset: z2.number().optional(),
-  limit: z2.number().optional()
-});
-var DEFAULT_LIMIT = 2e3;
-var FileReadTool = {
-  name: "file_read",
-  description: "Read a file from disk",
-  inputSchema: inputSchema2,
-  isReadOnly: true,
-  async checkPermissions(input) {
-    const safety = checkReadPathSafety(input.file_path);
-    if (!safety.safe) {
-      return {
-        behavior: "deny",
-        reason: safety.reason ?? "Read blocked by safety check",
-        bypassImmune: true
-      };
-    }
-    return { behavior: "allow" };
-  },
-  async call(input, context) {
-    const filePath = path2.isAbsolute(input.file_path) ? input.file_path : path2.resolve(context.cwd, input.file_path);
-    let stat;
-    try {
-      stat = await fs.stat(filePath);
-    } catch {
-      return { content: `File not found: ${filePath}`, isError: true };
-    }
-    if (stat.size > 0) {
-      const sample = Buffer.alloc(512);
-      const fh = await fs.open(filePath, "r");
-      try {
-        const { bytesRead } = await fh.read(sample, 0, 512, 0);
-        const slice = sample.subarray(0, bytesRead);
-        if (isBinary(slice)) {
-          return {
-            content: `Binary file (${stat.size} bytes): ${filePath}`
-          };
-        }
-      } finally {
-        await fh.close();
-      }
-    }
-    const raw = await fs.readFile(filePath, "utf-8");
-    const allLines = raw.split("\n");
-    const offset = input.offset ?? 0;
-    const limit = input.limit ?? DEFAULT_LIMIT;
-    const lines = allLines.slice(offset, offset + limit);
-    const numbered = lines.map((line, i) => `${String(offset + i + 1).padStart(6)}	${line}`).join("\n");
-    return { content: numbered };
-  }
-};
-function isBinary(buf) {
-  for (let i = 0; i < buf.length; i++) {
-    if (buf[i] === 0) return true;
-  }
-  return false;
-}
-
-// src/runtime/tools/file-edit.ts
-import fs2 from "fs/promises";
-import path3 from "path";
-import { z as z3 } from "zod";
-var inputSchema3 = z3.object({
-  file_path: z3.string(),
-  old_string: z3.string(),
-  new_string: z3.string(),
-  replace_all: z3.boolean().optional()
-});
-var FileEditTool = {
-  name: "file_edit",
-  description: "Edit a file by replacing a string",
-  inputSchema: inputSchema3,
-  isReadOnly: false,
-  async checkPermissions(input) {
-    const safety = checkPathSafety(input.file_path);
-    if (!safety.safe) {
-      return {
-        behavior: "deny",
-        reason: safety.reason ?? "Edit blocked by safety check",
-        bypassImmune: true
-      };
-    }
-    return { behavior: "allow" };
-  },
-  async call(input, context) {
-    const filePath = path3.isAbsolute(input.file_path) ? input.file_path : path3.resolve(context.cwd, input.file_path);
-    let content;
-    try {
-      content = await fs2.readFile(filePath, "utf-8");
-    } catch {
-      return { content: `File not found: ${filePath}`, isError: true };
-    }
-    const occurrences = countOccurrences(content, input.old_string);
-    if (occurrences === 0) {
-      return {
-        content: `old_string not found in ${filePath}`,
-        isError: true
-      };
-    }
-    if (occurrences > 1 && !input.replace_all) {
-      return {
-        content: `old_string appears ${occurrences} times in ${filePath}. Use replace_all: true to replace all, or provide more context to make it unique.`,
-        isError: true
-      };
-    }
-    let newContent;
-    if (input.replace_all) {
-      newContent = content.split(input.old_string).join(input.new_string);
-    } else {
-      const idx = content.indexOf(input.old_string);
-      newContent = content.slice(0, idx) + input.new_string + content.slice(idx + input.old_string.length);
-    }
-    await fs2.writeFile(filePath, newContent, "utf-8");
-    const replaced = input.replace_all ? occurrences : 1;
-    return {
-      content: `Replaced ${replaced} occurrence(s) in ${filePath}`,
-      sideEffects: { filesModified: [filePath] }
-    };
-  }
-};
-function countOccurrences(haystack, needle) {
-  let count = 0;
-  let pos = 0;
-  while (true) {
-    const idx = haystack.indexOf(needle, pos);
-    if (idx === -1) break;
-    count++;
-    pos = idx + needle.length;
-  }
-  return count;
-}
-
-// src/runtime/tools/file-write.ts
-import fs3 from "fs/promises";
-import path4 from "path";
-import { z as z4 } from "zod";
-var inputSchema4 = z4.object({
-  file_path: z4.string(),
-  content: z4.string()
-});
-var FileWriteTool = {
-  name: "file_write",
-  description: "Write content to a file (creates or overwrites)",
-  inputSchema: inputSchema4,
-  isReadOnly: false,
-  async checkPermissions(input) {
-    const safety = checkPathSafety(input.file_path);
-    if (!safety.safe) {
-      return {
-        behavior: "deny",
-        reason: safety.reason ?? "Write blocked by safety check",
-        bypassImmune: true
-      };
-    }
-    return { behavior: "allow" };
-  },
-  async call(input, context) {
-    const filePath = path4.isAbsolute(input.file_path) ? input.file_path : path4.resolve(context.cwd, input.file_path);
-    const dir = path4.dirname(filePath);
-    await fs3.mkdir(dir, { recursive: true });
-    await fs3.writeFile(filePath, input.content, "utf-8");
-    return {
-      content: `Wrote ${input.content.length} bytes to ${filePath}`,
-      sideEffects: { filesModified: [filePath] }
-    };
-  }
-};
-
-// src/runtime/tools/glob.ts
-import fs4 from "fs/promises";
-import path5 from "path";
-import { z as z5 } from "zod";
-var inputSchema5 = z5.object({
-  pattern: z5.string(),
-  path: z5.string().optional()
-});
-var GlobTool = {
-  name: "glob",
-  description: "Find files matching a glob pattern",
-  inputSchema: inputSchema5,
-  isReadOnly: true,
-  async call(input, context) {
-    const baseDir = input.path ? path5.isAbsolute(input.path) ? input.path : path5.resolve(context.cwd, input.path) : context.cwd;
-    try {
-      const entries = await walkDir(baseDir);
-      const matched = entries.filter(
-        (e) => simpleGlobMatch(path5.relative(baseDir, e.path), input.pattern)
-      );
-      matched.sort((a, b) => b.mtime - a.mtime);
-      if (matched.length === 0) {
-        return { content: "No files matched." };
-      }
-      const lines = matched.map((e) => e.path);
-      return { content: lines.join("\n") };
-    } catch (err) {
-      return {
-        content: `Glob error: ${err instanceof Error ? err.message : String(err)}`,
-        isError: true
-      };
-    }
-  }
-};
-async function walkDir(dir, maxDepth = 10) {
-  const results = [];
-  async function walk(current, depth) {
-    if (depth > maxDepth) return;
-    let entries;
-    try {
-      entries = await fs4.readdir(current, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    for (const entry of entries) {
-      if (entry.isDirectory() && (entry.name === "node_modules" || entry.name === ".git")) {
-        continue;
-      }
-      const fullPath = path5.join(current, entry.name);
-      if (entry.isDirectory()) {
-        await walk(fullPath, depth + 1);
-      } else {
-        try {
-          const stat = await fs4.stat(fullPath);
-          results.push({ path: fullPath, mtime: stat.mtimeMs });
-        } catch {
-        }
-      }
-    }
-  }
-  await walk(dir, 0);
-  return results;
-}
-function simpleGlobMatch(filePath, pattern) {
-  let regex = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]").replace(/\{\{GLOBSTAR\}\}/g, ".*");
-  regex = `^${regex}$`;
-  return new RegExp(regex).test(filePath);
-}
-
-// src/runtime/tools/grep.ts
-import { spawn as spawn2 } from "child_process";
-import fs5 from "fs/promises";
-import path6 from "path";
-import { z as z6 } from "zod";
-var inputSchema6 = z6.object({
-  pattern: z6.string(),
-  path: z6.string().optional(),
-  glob: z6.string().optional(),
-  include: z6.string().optional()
-});
-var GrepTool = {
-  name: "grep",
-  description: "Search file contents using regex",
-  inputSchema: inputSchema6,
-  isReadOnly: true,
-  async call(input, context) {
-    const searchPath = input.path ? path6.isAbsolute(input.path) ? input.path : path6.resolve(context.cwd, input.path) : context.cwd;
-    try {
-      const result = await runRipgrep(input, searchPath, context);
-      return result;
-    } catch {
-    }
-    try {
-      return await nodeGrep(input, searchPath);
-    } catch (err) {
-      return {
-        content: `Grep error: ${err instanceof Error ? err.message : String(err)}`,
-        isError: true
-      };
-    }
-  }
-};
-function runRipgrep(input, searchPath, context) {
-  return new Promise((resolve, reject) => {
-    const args = ["--files-with-matches", "--no-heading"];
-    if (input.glob) {
-      args.push("--glob", input.glob);
-    }
-    if (input.include) {
-      args.push("--glob", input.include);
-    }
-    args.push(input.pattern, searchPath);
-    const child = spawn2("rg", args, {
-      cwd: searchPath,
-      timeout: 3e4,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    const chunks = [];
-    child.stdout.on("data", (chunk) => chunks.push(chunk));
-    const onAbort = () => child.kill("SIGTERM");
-    context.abortSignal.addEventListener("abort", onAbort, { once: true });
-    child.on("close", (code) => {
-      context.abortSignal.removeEventListener("abort", onAbort);
-      const output = Buffer.concat(chunks).toString("utf-8").trim();
-      if (code === 1 && !output) {
-        resolve({ content: "No matches found." });
-        return;
-      }
-      if (code === 2) {
-        reject(new Error("ripgrep error"));
-        return;
-      }
-      resolve({ content: output || "No matches found." });
-    });
-    child.on("error", () => reject(new Error("rg not found")));
-  });
-}
-async function nodeGrep(input, searchPath) {
-  const regex = new RegExp(input.pattern);
-  const matches = [];
-  async function walk(dir) {
-    let entries;
-    try {
-      entries = await fs5.readdir(dir, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    for (const entry of entries) {
-      if (entry.name === "node_modules" || entry.name === ".git") continue;
-      const fullPath = path6.join(dir, entry.name);
-      if (entry.isDirectory()) {
-        await walk(fullPath);
-      } else {
-        if (input.glob || input.include) {
-          const filter = input.glob ?? input.include;
-          if (!simpleExtMatch(entry.name, filter)) continue;
-        }
-        try {
-          const content = await fs5.readFile(fullPath, "utf-8");
-          if (regex.test(content)) {
-            matches.push(fullPath);
-          }
-        } catch {
-        }
-      }
-    }
-  }
-  await walk(searchPath);
-  if (matches.length === 0) {
-    return { content: "No matches found." };
-  }
-  return { content: matches.join("\n") };
-}
-function simpleExtMatch(filename, pattern) {
-  if (pattern.startsWith("*.")) {
-    return filename.endsWith(pattern.slice(1));
-  }
-  return filename.includes(pattern.replace(/\*/g, ""));
-}
-
-// src/bin/exe-agent.ts
-function parseArgs(argv) {
-  const args = { employee: "" };
-  for (let i = 2; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg === "--employee" && argv[i + 1]) args.employee = argv[++i];
-    else if (arg === "--model" && argv[i + 1]) args.model = argv[++i];
-    else if (arg === "--provider" && argv[i + 1]) args.provider = argv[++i];
-    else if (arg === "--api-key" && argv[i + 1]) args.apiKey = argv[++i];
-    else if (arg === "--base-url" && argv[i + 1]) args.baseUrl = argv[++i];
-    else if (!arg.startsWith("-") && !args.employee) args.employee = arg;
-  }
-  return args;
-}
-function loadEmployee(name) {
-  try {
-    const rosterPath = path7.join(os2.homedir(), ".exe-os", "exe-employees.json");
-    const roster = JSON.parse(readFileSync(rosterPath, "utf8"));
-    return roster.find((e) => e.name === name) ?? null;
-  } catch {
-    return null;
-  }
-}
-function createProvider(args) {
-  const providerType = args.provider ?? "anthropic";
-  const apiKey = args.apiKey ?? process.env.ANTHROPIC_API_KEY ?? "";
-  switch (providerType) {
-    case "anthropic":
-      return new AnthropicProvider("anthropic", {
-        apiKey,
-        baseUrl: args.baseUrl,
-        defaultModel: args.model
-      });
-    case "openai-compat":
-    case "openrouter":
-      return new OpenAICompatProvider(providerType, {
-        apiKey: args.apiKey ?? process.env.OPENROUTER_API_KEY ?? "",
-        baseUrl: args.baseUrl ?? "https://openrouter.ai/api/v1",
-        defaultModel: args.model
-      });
-    case "ollama":
-      return new OllamaProvider("ollama", {
-        host: args.baseUrl ?? "http://localhost:11434",
-        defaultModel: args.model
-      });
-    default:
-      throw new Error(`Unknown provider: ${providerType}`);
-  }
-}
-function registerBuiltinTools(registry) {
-  registry.register(BashTool);
-  registry.register(FileReadTool);
-  registry.register(FileEditTool);
-  registry.register(FileWriteTool);
-  registry.register(GlobTool);
-  registry.register(GrepTool);
-}
-async function main() {
-  const args = parseArgs(process.argv);
-  if (!args.employee) {
-    console.error("Usage: exe-agent --employee <name> [--model <model>] [--provider <provider>]");
-    process.exit(1);
-  }
-  const employee = loadEmployee(args.employee);
-  if (!employee) {
-    console.error(`Employee "${args.employee}" not found in roster.`);
-    process.exit(1);
-  }
-  const provider = createProvider(args);
-  const model = args.model ?? "claude-sonnet-4-20250514";
-  const registry = new ToolRegistry();
-  registerBuiltinTools(registry);
-  const abortController = new AbortController();
-  const shutdown = () => {
-    process.stderr.write("\n[exe-agent] Shutting down...\n");
-    abortController.abort();
-  };
-  process.on("SIGINT", shutdown);
-  process.on("SIGTERM", shutdown);
-  const config = {
-    provider,
-    model,
-    systemPrompt: getSessionPrompt(employee.systemPrompt),
-    tools: registry,
-    hooks: createDefaultHooks(),
-    permissions: EMPLOYEE_PERMISSIONS,
-    maxTurns: 100,
-    cwd: process.cwd(),
-    agentId: args.employee,
-    abortController
-  };
-  const renderer = createTerminalRenderer();
-  const history = [];
-  console.error(`[exe-agent] ${args.employee} (${employee.role}) online \u2014 ${provider.name}/${model}`);
-  console.error(`[exe-agent] Tools: ${registry.names().join(", ")}`);
-  const rl = createInterface({ input: process.stdin, output: process.stderr, prompt: "> " });
-  rl.prompt();
-  rl.on("line", async (line) => {
-    const input = line.trim();
-    if (!input) {
-      rl.prompt();
-      return;
-    }
-    if (input === "/quit" || input === "/exit") {
-      rl.close();
-      return;
-    }
-    const events = agentLoop(input, history, config);
-    await renderAgentEvents(events, renderer);
-    history.push({ role: "user", content: input });
-    process.stderr.write("\n");
-    rl.prompt();
-  });
-  rl.on("close", () => {
-    console.error("[exe-agent] Session ended.");
-    process.exit(0);
-  });
-}
-main().catch((err) => {
-  console.error(`[exe-agent] Fatal: ${err instanceof Error ? err.message : String(err)}`);
-  process.exit(1);
-});