@backendkit-labs/agent-core 0.20.1 → 0.21.0

package/dist/engine/AgentEngine.js

@@ -1,59 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AgentEngine = void 0;
-const fs_1 = require("fs");
-const path_1 = require("path");
-const atomic_write_1 = require("../shared/utils/atomic-write");
+const ApprovalGate_1 = require("./ApprovalGate");
+const AuditLogger_1 = require("./AuditLogger");
+const HistoryManager_1 = require("./HistoryManager");
+const MCPRegistrar_1 = require("./MCPRegistrar");
 const DelegationBus_1 = require("../delegation/DelegationBus");
 const SessionMemory_1 = require("../memory/SessionMemory");
 const activator_1 = require("../skills/activator");
 const WorkflowRunner_1 = require("../workflow/WorkflowRunner");
 const IterationManager_1 = require("./IterationManager");
 const qa_orchestrator_1 = require("./qa-orchestrator");
-/**
- * Remove messages that would cause a 400 from any OpenAI-compatible provider:
- * - `tool` messages that are not part of an active assistant→tool chain
- * - `assistant` messages that declare tool_calls but have no following tool results
- *   (only stripped when the next non-tool message is NOT another turn of the same chain)
- *
- * Walking forward: we track whether we're "inside" a tool_calls chain.
- * A chain starts with assistant(tool_calls) and ends once all IDs have a result.
- * Any `tool` result that arrives outside an open chain is dropped.
- */
-function sanitizeMessages(messages) {
-    const out = [];
-    // IDs still waiting for a tool result in the current chain
-    let pendingIds = new Set();
-    for (const msg of messages) {
-        if (msg.role === 'assistant') {
-            // A new assistant message closes any previous chain (even if incomplete)
-            // and optionally opens a new one.
-            pendingIds = new Set();
-            if (msg.tool_calls?.length) {
-                for (const tc of msg.tool_calls) {
-                    if (tc.id)
-                        pendingIds.add(tc.id);
-                }
-            }
-            out.push(msg);
-        }
-        else if (msg.role === 'tool') {
-            if (pendingIds.size === 0) {
-                // Orphaned tool result — no open chain. Drop it.
-                continue;
-            }
-            if (msg.tool_call_id)
-                pendingIds.delete(msg.tool_call_id);
-            out.push(msg);
-        }
-        else {
-            // user / system — close any open chain
-            pendingIds = new Set();
-            out.push(msg);
-        }
-    }
-    return out;
-}
 const MAX_INPUT_BYTES = 100_000; // Fix #17: 100 KB hard cap on user input
 const ASK_AGENT_TOOL = {
     name: 'ask_agent',
@@ -76,70 +33,54 @@ class AgentEngine {
     memory;
     bus;
     skillActivator = new activator_1.SkillActivator();
+    history;
+    auditLogger;
     currentAgentId;
-    messages = [];
     aborted = false;
     abortController = null;
     allSkills;
     iterationManager;
     activeSkillAddition = '';
     yamlSkillsLoaded = false;
-    mcpInitialized = false;
-    mcpInitAttempts = 0;
-    mcpRegisteredServers = new Set();
-    mcpTriggers = new Map(); // agentId → triggers
-    mcpToolTriggers = new Map(); // keyword → {agentId, tool}
-    approvalDisabled = false; // set to true after 'approve_all'
+    mcpRegistrar;
+    approvalGate;
     pendingContextLoad = null;
-    static WRITE_TOOLS = new Set(['write_file', 'edit_file', 'run_command']);
-    /** Tracks what each MCP server blocked/assigned so it can be fully reverted on disconnect. */
-    mcpAgentBlocks = new Map();
-    /**
-     * Commands that always require user approval regardless of iteration mode or
-     * approvalDisabled flag. These are irreversible or high-blast-radius operations:
-     * installing new packages, removing packages, running destructive npm scripts.
-     */
-    static ALWAYS_ASK_PATTERNS = [
-        /^\s*npm\s+(install|i|add)\s+[^-]/i, // npm install <pkg> — new package install
-        /^\s*npm\s+uninstall\b/i, // npm uninstall
-        /^\s*yarn\s+add\s+[^-]/i, // yarn add <pkg>
-        /^\s*pnpm\s+add\s+[^-]/i, // pnpm add <pkg>
-        /^\s*pip\s+install\b/i, // pip install
-        /^\s*pip3\s+install\b/i,
-    ];
     agentsLoaded = false;
+    agentsLoadedPromise = null;
     memoryContextBlock = '';
+    /** Serializes concurrent run() calls — shared mutable state is not reentrant-safe. */
+    runMutex = Promise.resolve();
     constructor(opts) {
         this.opts = opts;
         this.memory = opts.sessionMemory ?? new SessionMemory_1.SessionMemory();
         this.currentAgentId = opts.defaultAgentId;
         this.allSkills = opts.skills ?? [];
+        this.history = new HistoryManager_1.HistoryManager({
+            historyPath: opts.historyPath,
+            maxContextMessages: opts.maxContextMessages,
+        });
+        this.auditLogger = new AuditLogger_1.AuditLogger(opts.auditLog);
+        this.mcpRegistrar = new MCPRegistrar_1.MCPRegistrar({
+            mcpManager: opts.mcpManager,
+            tools: opts.tools,
+            agents: opts.agents,
+            transport: opts.transport,
+        });
+        this.approvalGate = new ApprovalGate_1.ApprovalGate({
+            onToolApproval: opts.onToolApproval,
+            transport: opts.transport,
+        });
         this.iterationManager = new IterationManager_1.IterationManager({
             mode: opts.iterationMode ?? 'interactive',
             maxIterations: opts.maxIterations ?? 100,
             onLimitReached: opts.onIterationLimit,
             onStep: opts.onStep,
         });
-        if (opts.auditLog) {
-            try {
-                (0, fs_1.mkdirSync)((0, path_1.dirname)(opts.auditLog), { recursive: true });
-            }
-            catch { }
-        }
-        if (opts.historyPath && (0, fs_1.existsSync)(opts.historyPath)) {
-            try {
-                const raw = JSON.parse((0, fs_1.readFileSync)(opts.historyPath, 'utf-8'));
-                this.messages = raw.filter(m => m.role !== 'system');
-            }
-            catch { /* corrupt or missing — start fresh */ }
-        }
         this.bus = new DelegationBus_1.DelegationBus({
             maxParallel: opts.maxParallelAgents ?? 6,
             agents: opts.agents,
-            tools: opts.tools,
             transport: opts.transport,
-            workingDir: opts.workingDir,
-            runAgent: (id, question, context) => this.runAgentInternal(id, question, context),
+            runAgent: (id, question, context, depth, buf) => this.runAgentInternal(id, question, context, depth, buf),
         });
     }
     /** Access the observability manager when configured via createBaseEngine({ observability }). */
@@ -179,7 +120,7 @@ class AgentEngine {
      * without requiring a full engine restart.
      */
     injectContext(message) {
-        this.messages.push({ role: 'user', content: message });
+        this.history.inject(message);
     }
     /**
      * Returns a partial CommandContext pre-wired to this engine instance.
@@ -193,7 +134,11 @@ class AgentEngine {
      */
     getCommandBindings() {
         return {
-            onCwdChange: (cwd) => this.updateWorkingDir(cwd),
+            onCwdChange: (cwd, contextMessage) => {
+                this.updateWorkingDir(cwd);
+                if (contextMessage)
+                    this.injectContext(contextMessage);
+            },
             injectContext: (message) => this.injectContext(message),
             setIterationMode: (mode) => this.setIterationMode(mode),
             getIterationMode: () => this.getIterationMode(),
@@ -245,6 +190,21 @@ class AgentEngine {
         return this.opts.providers.resolve(profile.provider, this.opts.defaultProvider);
     }
     async run(input) {
+        // Serialize concurrent calls — messages, currentAgentId, and other fields are
+        // shared mutable state that is not safe for concurrent access.
+        let release;
+        const slot = new Promise(r => { release = r; });
+        const prev = this.runMutex;
+        this.runMutex = prev.then(() => slot);
+        await prev;
+        try {
+            await this._run(input);
+        }
+        finally {
+            release();
+        }
+    }
+    async _run(input) {
         if (this.pendingContextLoad)
             await this.pendingContextLoad;
         this.aborted = false;
@@ -258,27 +218,27 @@ class AgentEngine {
             this.opts.transport.emit({ type: 'done' });
             return;
         }
-        await this.ensureMCPInitialized();
+        await this.mcpRegistrar.ensureInitialized();
         await this.ensureAgentsLoaded();
         // Direct MCP routing: bypass general when input matches a configured trigger
-        const mcpRoute = this.findMCPRoute(input);
+        const mcpRoute = this.mcpRegistrar.findRoute(input);
         if (mcpRoute) {
             if (mcpRoute.tool) {
-                // Tool trigger: call the MCP tool directly — no intermediate LLM
+                // Tool trigger: call the MCP tool directly — no intermediate LLM.
+                // Route through executeToolCall so auth checks and onToolApproval gate apply.
                 const toolName = `mcp__${mcpRoute.agentId}__${mcpRoute.tool}`;
                 const toolDef = this.opts.tools.get(toolName);
                 if (toolDef) {
                     const required = toolDef.parameters.required;
                     const firstParam = required?.[0] ?? 'input';
-                    const ctx = this.buildContext();
-                    const profile = this.opts.agents.get(mcpRoute.agentId);
+                    const mcpProfile = this.opts.agents.get(mcpRoute.agentId) ?? this.getCurrentProfile();
                     this.opts.transport.emit({
                         type: 'block_start',
                         agent_id: mcpRoute.agentId,
-                        agent_name: profile?.name ?? mcpRoute.agentId,
-                        agent_icon: profile?.icon ?? '◎',
+                        agent_name: mcpProfile.name ?? mcpRoute.agentId,
+                        agent_icon: mcpProfile.icon ?? '◎',
                     });
-                    const result = await toolDef.execute({ [firstParam]: input }, ctx);
+                    const result = await this.executeToolCall({ name: toolName, args: JSON.stringify({ [firstParam]: input }) }, mcpProfile);
                     this.opts.transport.emit({ type: 'token', content: result, agent_id: mcpRoute.agentId });
                     this.opts.transport.emit({ type: 'block_end', status: 'ok', agent_id: mcpRoute.agentId });
                     this.opts.transport.emit({ type: 'done' });
@@ -316,7 +276,7 @@ class AgentEngine {
         if (this.opts.orchestrator) {
             orchestrationResult = await this.opts.orchestrator.orchestrate(input).catch(() => undefined);
         }
-        this.messages.push({ role: 'user', content: input });
+        this.history.push({ role: 'user', content: input });
         await this.runLoop(profile, orchestrationResult);
         this.saveHistory();
         this.opts.transport.emit({ type: 'done' });
@@ -324,12 +284,12 @@ class AgentEngine {
     async runWorkflow(defOrBuilder, opts = {}) {
         if (this.pendingContextLoad)
             await this.pendingContextLoad;
-        await this.ensureMCPInitialized();
+        await this.mcpRegistrar.ensureInitialized();
         await this.ensureAgentsLoaded();
         const def = 'build' in defOrBuilder ? defOrBuilder.build() : defOrBuilder;
         const runner = new WorkflowRunner_1.WorkflowRunner(def, {
             ...opts,
-            runAgent: (agentId, input, context) => this.runAgentInternal(agentId, input, context),
+            runAgent: (agentId, input, context) => this.runAgentInternal(agentId, input, context, 0),
             transport: this.opts.transport,
         });
         return runner.run();
@@ -349,59 +309,39 @@ class AgentEngine {
     }
     /** Delete persisted history file and reset in-memory conversation. */
     clearHistory() {
-        this.messages = [];
-        if (!this.opts.historyPath)
-            return;
-        try {
-            (0, atomic_write_1.atomicWriteSync)(this.opts.historyPath, '[]');
-        }
-        catch { /* non-fatal */ }
+        this.history.clear();
     }
-    /** Serialize current conversation to disk (called automatically after each run). */
     saveHistory() {
-        if (!this.opts.historyPath)
-            return;
-        const cap = this.opts.maxContextMessages ?? 100;
-        const toSave = this.messages.filter(m => m.role !== 'system').slice(-cap);
-        try {
-            (0, fs_1.mkdirSync)((0, path_1.dirname)(this.opts.historyPath), { recursive: true });
-            (0, atomic_write_1.atomicWriteSync)(this.opts.historyPath, JSON.stringify(toSave, null, 2));
-        }
-        catch { /* non-fatal — history loss is preferable to a crash */ }
+        this.history.save();
     }
-    /**
-     * Trim conversation history to maxContextMessages by dropping oldest messages
-     * at a user-turn boundary. Preserves all assistant↔tool pairs intact.
-     */
     trimHistory() {
         const max = this.opts.maxContextMessages;
-        if (!max || this.messages.length <= max)
+        if (!max)
             return;
-        // Walk forward from the target offset to find the next 'user' message.
-        // Cutting there avoids orphaning assistant tool_calls / tool results.
-        const target = this.messages.length - max;
-        let cutAt = target;
-        while (cutAt < this.messages.length && this.messages[cutAt].role !== 'user') {
-            cutAt++;
-        }
-        if (cutAt > 0 && cutAt < this.messages.length) {
-            this.messages = this.messages.slice(cutAt);
+        const dropped = this.history.trim(max);
+        if (dropped > 0) {
             this.opts.transport.emit({
                 type: 'system',
                 level: 'warn',
-                text: `[ContextWindow] Dropped ${cutAt} messages — history capped at ${max} (maxContextMessages)`,
+                text: `[ContextWindow] Dropped ${dropped} messages — history capped at ${max} (maxContextMessages)`,
             });
         }
     }
     async ensureAgentsLoaded() {
         if (this.agentsLoaded || !this.opts.loadAgents)
             return;
-        this.agentsLoaded = true; // set early to prevent concurrent double-loads
+        // Cache the promise so concurrent run() calls wait for the same load,
+        // rather than the early-flag pattern that let callers proceed unguarded.
+        if (this.agentsLoadedPromise)
+            return this.agentsLoadedPromise;
+        this.agentsLoadedPromise = this._loadAgentsOnce();
+        return this.agentsLoadedPromise;
+    }
+    async _loadAgentsOnce() {
         try {
             const discovered = await this.opts.loadAgents();
             for (const agent of discovered)
                 this.opts.agents.upsert(agent);
-            // If the current default agent still isn't registered, fall back to first available
             if (!this.opts.agents.has(this.currentAgentId)) {
                 const all = this.opts.agents.getAll();
                 if (all.length > 0)
@@ -414,175 +354,10 @@ class AgentEngine {
                 text: `[AgentDiscovery] Failed to load agents: ${err.message}`,
             });
         }
-    }
-    async ensureMCPInitialized() {
-        if (!this.opts.mcpManager)
-            return;
-        try {
-            if (!this.mcpInitialized) {
-                await this.opts.mcpManager.initialize();
-                this.mcpInitialized = true;
-            }
-            else {
-                // Subsequent runs: retry only servers that are still offline — bounded by their own counter
-                const offline = this.opts.mcpManager.getConfiguredNames()
-                    .filter(n => !this.mcpRegisteredServers.has(n));
-                if (offline.length > 0 && this.mcpInitAttempts < 3) {
-                    this.mcpInitAttempts++;
-                    await this.opts.mcpManager.reconnectFailed();
-                }
-            }
-        }
-        catch (err) {
-            this.opts.transport.emit({
-                type: 'system', level: 'warn',
-                text: `MCP initialization error: ${err.message}`,
-            });
-        }
-        // Always register any server that is now connected but not yet registered as agent.
-        // This runs regardless of the retry counter so late-starting servers get picked up.
-        for (const { name, toolCount } of this.opts.mcpManager.getServerInfo()) {
-            if (toolCount > 0 && !this.mcpRegisteredServers.has(name)) {
-                const tools = this.opts.mcpManager.getServerTools(name);
-                const config = this.opts.mcpManager.getConfig(name);
-                this.registerMCPAgent(config, tools);
-                this.mcpRegisteredServers.add(name);
-            }
-        }
-        // Warn about servers still offline (only while retries remain)
-        const stillOffline = this.opts.mcpManager.getConfiguredNames()
-            .filter(n => !this.mcpRegisteredServers.has(n));
-        if (stillOffline.length > 0) {
-            const retriesLeft = 3 - this.mcpInitAttempts;
-            const suffix = retriesLeft > 0
-                ? `Retrying on next message (${retriesLeft} attempts left).`
-                : `No more automatic retries — call engine.getMCPManager()?.reconnectFailed() to retry manually.`;
-            this.opts.transport.emit({
-                type: 'system', level: 'warn',
-                text: `MCP agents offline: ${stillOffline.join(', ')} — start their servers to enable them. ${suffix}`,
-            });
+        finally {
+            this.agentsLoaded = true;
         }
     }
-    registerMCPAgent(config, tools) {
-        // safeName mirrors the sanitization done by MCPClientManager.wrapTool() so that
-        // tool lookup `mcp__${safeName}__${tool}` always resolves correctly.
-        const safeName = config.name.replace(/[^a-zA-Z0-9_-]/g, '_');
-        // Register tools in the ToolRegistry — skip already-registered ones
-        // (safe for reconnection scenarios; mcpRegisteredServers normally prevents duplicates)
-        for (const tool of tools) {
-            if (!this.opts.tools.has(tool.name)) {
-                this.opts.tools.register(tool);
-            }
-        }
-        // toolTriggers work in both modes — direct keyword → tool execution, zero LLM hops
-        if (config.toolTriggers) {
-            for (const [keyword, tool] of Object.entries(config.toolTriggers)) {
-                this.mcpToolTriggers.set(keyword.toLowerCase(), { agentId: safeName, tool });
-            }
-        }
-        const mode = config.mode ?? 'tools';
-        if (mode === 'tools') {
-            this.registerMCPToolPack(config, tools, safeName);
-        }
-        else {
-            this.registerMCPAgentWrapper(config, tools, safeName);
-        }
-    }
-    /**
-     * mode='tools' (default): assigns MCP tools directly to local agent allowedTools.
-     * Also applies blocksCommands to those agents while the server is connected —
-     * forcing them to use the MCP tools instead of equivalent shell commands.
-     * Both tool assignments and command blocks are tracked so they can be
-     * fully reverted when the server disconnects via unregisterMCPServer().
-     */
-    registerMCPToolPack(config, tools, safeName) {
-        const toolNames = tools.map(t => t.name);
-        const blocksCommands = config.blocksCommands ?? [];
-        // Resolve target agents: explicit assignTo list, or all registered agents
-        const assignTo = config.assignTo?.filter(id => id !== '*') ?? [];
-        const targets = assignTo.length > 0
-            ? assignTo
-            : this.opts.agents.getAll().map(a => a.id);
-        const blockRecord = [];
-        for (const agentId of targets) {
-            const agent = this.opts.agents.get(agentId);
-            if (!agent) {
-                this.opts.transport.emit({
-                    type: 'system', level: 'warn',
-                    text: `[MCP:${config.name}] assignTo agent "${agentId}" not found — skipped.`,
-                });
-                continue;
-            }
-            this.opts.agents.upsert({
-                ...agent,
-                allowedTools: [...new Set([...agent.allowedTools, ...toolNames])],
-                blockedCommands: [...new Set([...(agent.blockedCommands ?? []), ...blocksCommands])],
-            });
-            blockRecord.push({ agentId, toolNames, blockedCmds: blocksCommands });
-        }
-        this.mcpAgentBlocks.set(safeName, blockRecord);
-        if (config.triggers?.length) {
-            this.opts.transport.emit({
-                type: 'system', level: 'warn',
-                text: `[MCP:${config.name}] 'triggers' is ignored in mode='tools'. Use 'toolTriggers' for direct keyword routing.`,
-            });
-        }
-        const shortNames = tools.map(t => t.name.split('__')[2] ?? t.name).join(', ');
-        const agentList = targets.join(', ') || 'all agents';
-        const blockedLabel = blocksCommands.length ? `  blocked: [${blocksCommands.join(', ')}]` : '';
-        this.opts.transport.emit({
-            type: 'system', level: 'info',
-            text: `[MCP:${config.name}] tools [${shortNames}] assigned to: ${agentList}${blockedLabel}`,
-        });
-    }
-    /**
-     * mode='agent': wraps the MCP server as a delegatable agent in the roster.
-     * Use only when the remote service has its own reasoning layer or its output
-     * is so large it needs a dedicated summarization turn.
-     */
-    registerMCPAgentWrapper(config, tools, safeName) {
-        const toolList = tools
-            .map(t => {
-            const shortName = t.name.split('__')[2] ?? t.name;
-            const desc = t.description.replace(/^\[MCP:[^\]]+\]\s*/, '').slice(0, 80);
-            return `- ${shortName}: ${desc}`;
-        })
-            .join('\n');
-        const enrichedDesc = tools
-            .map(t => {
-            const shortName = t.name.split('__')[2] ?? t.name;
-            const desc = t.description.replace(/^\[MCP:[^\]]+\]\s*/, '').slice(0, 70);
-            return `${shortName}: ${desc}`;
-        })
-            .join(' | ');
-        this.opts.agents.upsert({
-            id: safeName,
-            name: config.agentName ?? toTitleCase(config.name),
-            icon: config.icon ?? '◎',
-            description: config.agentDescription ?? `External specialist — ${enrichedDesc}`,
-            systemPrompt: `You are a specialized remote agent: ${config.name}.\n` +
-                `Use ONLY your available tools to answer the request. ` +
-                `Do NOT use run_command, read_file, or other local tools.\n\n` +
-                `Your tools:\n${toolList}`,
-            allowedTools: tools.map(t => t.name),
-            source: 'mcp',
-        });
-        if (config.triggers?.length) {
-            this.mcpTriggers.set(safeName, config.triggers);
-        }
-    }
-    findMCPRoute(input) {
-        const lower = input.toLowerCase();
-        for (const [keyword, route] of this.mcpToolTriggers) {
-            if (lower.includes(keyword))
-                return route;
-        }
-        for (const [agentId, triggers] of this.mcpTriggers) {
-            if (triggers.some(t => lower.includes(t.toLowerCase())))
-                return { agentId };
-        }
-        return undefined;
-    }
     switchAgent(agentId) {
         if (!this.opts.agents.has(agentId))
             throw new Error(`Agent "${agentId}" not found`);
@@ -697,7 +472,7 @@ class AgentEngine {
         if (explicit)
             parts.push(explicit);
         if (trimmed)
-            parts.push(`## Análisis del orquestador\n${trimmed}`);
+            parts.push(`## Orchestrator Analysis\n${trimmed}`);
         return parts.join('\n\n');
     }
     async runLoop(profile, orchestrationResult) {
@@ -717,7 +492,7 @@ class AgentEngine {
             this.trimHistory();
             const systemMsg = { role: 'system', content: this.buildSystemPrompt(currentProfile, orchestrationResult) };
             const tools = this.getToolsForAgent(currentProfile);
-            const safeHistory = sanitizeMessages(this.messages);
+            const safeHistory = this.history.sanitized();
             let streamBuffer = '';
             const askAgentCalls = [];
             const otherCalls = [];
@@ -760,7 +535,7 @@ class AgentEngine {
                 break;
             if (!finalMessage)
                 break;
-            this.messages.push(finalMessage);
+            this.history.push(finalMessage);
             const toolResults = [];
             // ── ask_agent: parallel if 2+ calls ──────────────────────────────
             if (askAgentCalls.length > 0) {
@@ -776,6 +551,7 @@ class AgentEngine {
                         agentId: c.agentId,
                         question: c.question,
                         context: this.buildSubAgentContext(c.context, streamBuffer),
+                        fromAgentId: currentProfile.id,
                     }));
                     const results = validCalls.length >= 2
                         ? await this.bus.runParallel(requests)
@@ -794,7 +570,7 @@ class AgentEngine {
                 if (this.aborted)
                     break;
                 iterManager.recordToolCall();
-                const result = await this.executeToolCall(call, currentProfile);
+                const result = await this.executeToolCall(call, currentProfile, 0);
                 toolResults.push({ role: 'tool', tool_call_id: call.id, content: result });
             }
             // ── QA orchestration: runs when response is final (no tool calls) ─
@@ -806,7 +582,7 @@ class AgentEngine {
                     orchestrator: this.opts.orchestrator,
                     qaService: this.opts.qaService,
                     allAgents: this.opts.agents.getAll(),
-                    messages: this.messages,
+                    messages: this.history.getAll(),
                     effectiveAgentId: currentProfile.id,
                     defaultAgentId: this.opts.defaultAgentId,
                     qaAgentId,
@@ -834,11 +610,11 @@ class AgentEngine {
             }
             if (toolResults.length === 0)
                 break;
-            this.messages.push(...toolResults);
+            this.history.pushAll(toolResults);
         }
         this.opts.transport.emit({ type: 'block_end', status: 'ok', agent_id: profile.id });
     }
-    async runAgentInternal(agentId, question, context) {
+    async runAgentInternal(agentId, question, context, depth = 0, outputBuffer) {
         const profile = this.opts.agents.get(agentId);
         if (!profile)
             throw new Error(`Agent "${agentId}" not registered`);
@@ -848,28 +624,38 @@ class AgentEngine {
         // without requiring the orchestrator to manually copy it into context.
         let historySlice = [];
         const maxCtxMsgs = this.opts.subAgentContextMessages;
-        if (maxCtxMsgs && maxCtxMsgs > 0 && this.messages.length > 0) {
-            historySlice = this.messages.slice(-maxCtxMsgs);
+        const allMessages = this.history.getAll();
+        if (maxCtxMsgs && maxCtxMsgs > 0 && allMessages.length > 0) {
+            historySlice = allMessages.slice(-maxCtxMsgs);
             // Trim to the first user-turn boundary to avoid orphaning tool results.
             const firstUser = historySlice.findIndex(m => m.role === 'user');
             if (firstUser > 0)
                 historySlice = historySlice.slice(firstUser);
             else if (firstUser < 0)
                 historySlice = [];
-            // Sanitize: drop any tool messages whose assistant(tool_calls) was cut off
-            historySlice = sanitizeMessages(historySlice);
+            historySlice = (0, HistoryManager_1.sanitizeMessages)(historySlice);
         }
         const messages = [
             { role: 'system', content: this.buildSystemPrompt(profile) },
             ...historySlice,
-            { role: 'user', content: context ? `${question}\n\nContexto:\n${context}` : question },
+            { role: 'user', content: context ? `${question}\n\nContext:\n${context}` : question },
         ];
         let finalContent = '';
         let totalInputTokens = 0;
         let totalOutputTokens = 0;
-        const maxIter = 30;
+        const maxIter = this.opts.maxIterations ?? 100;
         let iter = 0;
-        this.opts.transport.emit({ type: 'block_start', agent_id: profile.id, agent_name: profile.name, agent_icon: profile.icon });
+        // When running in parallel (outputBuffer provided), route output events to the
+        // buffer instead of the real transport. The caller flushes the buffer atomically
+        // after the agent finishes, preventing interleaved output from parallel agents.
+        // tool_approval_request always bypasses buffering — it needs an immediate response.
+        const emit = (event) => {
+            if (outputBuffer)
+                outputBuffer.push(event);
+            else
+                this.opts.transport.emit(event);
+        };
+        emit({ type: 'block_start', agent_id: profile.id, agent_name: profile.name, agent_icon: profile.icon });
         while (iter < maxIter) {
             iter++;
             let streamContent = '';
@@ -879,12 +665,12 @@ class AgentEngine {
                 onChunk: (delta) => {
                     streamContent += delta;
                     if (!profile.suppressDefaultOutput) {
-                        this.opts.transport.emit({ type: 'token', content: delta, agent_id: profile.id });
+                        emit({ type: 'token', content: delta, agent_id: profile.id });
                     }
                 },
                 onToolCall: (name, args, id) => {
                     if (!profile.suppressDefaultOutput) {
-                        this.opts.transport.emit({ type: 'tool_call', name, args_preview: args.slice(0, 200) });
+                        emit({ type: 'tool_call', name, args_preview: args.slice(0, 200) });
                     }
                     toolCalls.push({ id, name, args });
                 },
@@ -893,7 +679,7 @@ class AgentEngine {
                 onMetrics: (inputTokens, outputTokens) => {
                     totalInputTokens += inputTokens;
                     totalOutputTokens += outputTokens;
-                    this.opts.transport.emit({ type: 'metrics', input_tokens: inputTokens, output_tokens: outputTokens });
+                    emit({ type: 'metrics', input_tokens: inputTokens, output_tokens: outputTokens });
                 },
                 model: profile.model,
             });
@@ -906,12 +692,12 @@ class AgentEngine {
                 break;
             const toolResults = [];
             for (const call of toolCalls) {
-                const result = await this.executeToolCall(call, profile);
+                const result = await this.executeToolCall(call, profile, depth, emit);
                 toolResults.push({ role: 'tool', tool_call_id: call.id, content: result });
             }
             messages.push(...toolResults);
         }
-        this.opts.transport.emit({ type: 'block_end', status: 'ok', agent_id: profile.id });
+        emit({ type: 'block_end', status: 'ok', agent_id: profile.id });
         return { agentId, content: finalContent, inputTokens: totalInputTokens, outputTokens: totalOutputTokens, elapsedMs: Date.now() - start };
     }
     /**
@@ -919,87 +705,47 @@ class AgentEngine {
      * runAgentInternal (sub-agents via ask_agent).
      * Handles: allowedTools authorization → onToolApproval gate → execute → audit → transport.
      */
-    async executeToolCall(call, profile) {
+    async executeToolCall(call, profile, depth = 0, emit) {
+        const emitEvent = emit ?? ((e) => this.opts.transport.emit(e));
         const callStart = Date.now();
         const toolDef = this.opts.tools.get(call.name);
         let result;
+        let success;
         if (!toolDef) {
             result = `Tool "${call.name}" not found`;
+            success = false;
         }
         else if (!profile.allowedTools.includes(call.name) &&
             (profile.allowedTools.length > 0 || (profile.delegatesTo && profile.delegatesTo.length > 0))) {
             result = `Tool "${call.name}" is not authorized for agent "${profile.id}". ` +
                 `Use ask_agent to delegate to a specialist.`;
-        }
-        else if (this.opts.onToolApproval && this.requiresAlwaysAsk(call)) {
-            // High-blast-radius operations (npm install, pip install, etc.) always
-            // require approval — cannot be bypassed by approve_all or auto mode.
-            const preview = call.args.slice(0, 200);
-            this.opts.transport.emit({
-                type: 'tool_approval_request',
-                tool_name: call.name,
-                agent_id: profile.id,
-                args_preview: preview,
-            });
-            const decision = await this.opts.onToolApproval(call.name, profile.id, preview);
-            result = decision === 'reject'
-                ? `Tool call "${call.name}" was rejected by the user.`
-                : await this.runToolDef(call, toolDef, profile.id);
-        }
-        else if (!this.approvalDisabled &&
-            this.opts.onToolApproval &&
-            AgentEngine.WRITE_TOOLS.has(call.name)) {
-            const preview = call.args.slice(0, 200);
-            this.opts.transport.emit({
-                type: 'tool_approval_request',
-                tool_name: call.name,
-                agent_id: profile.id,
-                args_preview: preview,
-            });
-            const decision = await this.opts.onToolApproval(call.name, profile.id, preview);
-            if (decision === 'approve_all')
-                this.approvalDisabled = true;
-            result = decision === 'reject'
-                ? `Tool call "${call.name}" was rejected by the user.`
-                : await this.runToolDef(call, toolDef, profile.id);
+            success = false;
         }
         else {
-            result = await this.runToolDef(call, toolDef, profile.id);
+            const gateDecision = await this.approvalGate.check(call, profile.id);
+            if (gateDecision === 'rejected') {
+                result = `Tool call "${call.name}" was rejected by the user.`;
+                success = false;
+            }
+            else {
+                ({ result, success } = await this.runToolDef(call, toolDef, profile.id, depth));
+            }
         }
-        const success = !result.startsWith('Error:');
-        this.writeAuditRecord(profile.id, call.name, call.args, success, Date.now() - callStart);
+        await this.auditLogger.log({ agentId: profile.id, tool: call.name, inputPreview: call.args, success, durationMs: Date.now() - callStart, sessionId: this.opts.sessionId });
         // Strip ANSI before slicing to avoid partial escape sequences in the preview
         // eslint-disable-next-line no-control-regex
         const cleanPreview = result.replace(/\x1b\[[0-9;?]*[A-Za-z]/g, '');
-        this.opts.transport.emit({ type: 'tool_result', name: call.name, success, preview: cleanPreview.slice(0, 120) });
+        emitEvent({ type: 'tool_result', name: call.name, success, preview: cleanPreview.slice(0, 120) });
         return result;
     }
-    async runToolDef(call, toolDef, agentId) {
-        const ctx = this.buildContext(agentId);
+    async runToolDef(call, toolDef, agentId, depth = 0) {
+        const ctx = this.buildContext(agentId, depth);
         try {
             const args = JSON.parse(call.args);
-            return await toolDef.execute(args, ctx);
+            return { result: await toolDef.execute(args, ctx), success: true };
         }
         catch (err) {
-            return `Error: ${err instanceof Error ? err.message : String(err)}`;
-        }
-    }
-    /**
-     * Returns true when a tool call matches a high-blast-radius pattern that
-     * always requires explicit approval — cannot be bypassed by approve_all or
-     * auto iteration mode.
-     */
-    requiresAlwaysAsk(call) {
-        if (call.name !== 'run_command')
-            return false;
-        try {
-            const { command } = JSON.parse(call.args);
-            if (!command)
-                return false;
-            return AgentEngine.ALWAYS_ASK_PATTERNS.some(re => re.test(command));
-        }
-        catch {
-            return false;
+            return { result: `Error: ${err instanceof Error ? err.message : String(err)}`, success: false };
         }
     }
     /**
@@ -1012,56 +758,13 @@ class AgentEngine {
      * For mode='tools' servers, agents fall back to shell commands automatically.
      */
     unregisterMCPServer(serverName) {
-        const safeName = serverName.replace(/[^a-zA-Z0-9_-]/g, '_');
-        // Revert tool assignments and command blocks on affected agents
-        const records = this.mcpAgentBlocks.get(safeName) ?? [];
-        for (const { agentId, toolNames, blockedCmds } of records) {
-            const agent = this.opts.agents.get(agentId);
-            if (agent) {
-                this.opts.agents.upsert({
-                    ...agent,
-                    allowedTools: agent.allowedTools.filter(t => !toolNames.includes(t)),
-                    blockedCommands: (agent.blockedCommands ?? []).filter(c => !blockedCmds.includes(c)),
-                });
-            }
-            for (const toolName of toolNames) {
-                this.opts.tools.unregister(toolName);
-            }
-        }
-        this.mcpAgentBlocks.delete(safeName);
-        // Remove wrapper agent if mode='agent'
-        this.opts.agents.delete(safeName);
-        // Clean up routing tables
-        this.mcpTriggers.delete(safeName);
-        for (const [keyword, route] of this.mcpToolTriggers) {
-            if (route.agentId === safeName)
-                this.mcpToolTriggers.delete(keyword);
-        }
-        this.mcpRegisteredServers.delete(serverName);
-        this.opts.transport.emit({
-            type: 'system', level: 'info',
-            text: `[MCP:${serverName}] unregistered — tools removed, commands unblocked.`,
-        });
+        this.mcpRegistrar.unregisterServer(serverName);
     }
     /** Disable approval gate for the rest of this session (approve_all). */
-    disableToolApproval() { this.approvalDisabled = true; }
+    disableToolApproval() { this.approvalGate.disable(); }
     /** Re-enable approval gate (e.g. after /iteration manual). */
-    enableToolApproval() { this.approvalDisabled = false; }
-    writeAuditRecord(agentId, tool, inputPreview, success, durationMs) {
-        if (!this.opts.auditLog)
-            return;
-        const line = JSON.stringify({
-            ts: new Date().toISOString(),
-            session: this.opts.sessionId ?? 'default',
-            agent: agentId,
-            tool,
-            input: inputPreview.slice(0, 200),
-            success,
-            durationMs,
-        });
-        (0, fs_1.appendFileSync)(this.opts.auditLog, line + '\n');
-    }
-    buildContext(agentId) {
+    enableToolApproval() { this.approvalGate.enable(); }
+    buildContext(agentId, depth = 0) {
         const id = agentId ?? this.currentAgentId;
         const profile = this.opts.agents.get(id);
         const storeRoot = this.opts.store?.projectDir;
@@ -1079,14 +782,14 @@ class AgentEngine {
             ...(additionalRoots.length ? { additionalRoots } : {}),
             ...(profile?.blockedCommands?.length ? { blockedCommands: profile.blockedCommands } : {}),
             askAgent: async (agentId, question, context) => {
-                const result = await this.bus.runSingle({ agentId, question, context });
+                const result = await this.bus.runSingle({ agentId, question, context, fromAgentId: id, depth: depth + 1 });
                 return result.content;
             },
             emitCompacting: (phase, label) => {
                 this.opts.transport.emit({ type: 'compacting', phase, label });
             },
             llmCall: async (prompt) => {
-                const profile = this.opts.agents.get(this.currentAgentId);
+                const profile = this.opts.agents.get(id);
                 if (!profile)
                     return '';
                 const provider = this.getProviderForProfile(profile);
@@ -1103,9 +806,4 @@ class AgentEngine {
     }
 }
 exports.AgentEngine = AgentEngine;
-function toTitleCase(s) {
-    return s
-        .replace(/[-_](.)/g, (_, c) => ' ' + c.toUpperCase())
-        .replace(/^(.)/, (c) => c.toUpperCase());
-}
 //# sourceMappingURL=AgentEngine.js.map