@blockrun/franklin 3.5.1 → 3.6.2

package/dist/agent/bash-guard.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Bash Risk Classifier — lightweight Guardian for Franklin.
+ *
+ * Classifies bash commands into three risk levels:
+ *   safe      — read-only or standard dev commands → auto-approve
+ *   normal    — typical mutations (file writes, installs) → default ask behavior
+ *   dangerous — destructive/irreversible operations → always ask, with warning
+ *
+ * Inspired by OpenAI Codex's Guardian system, but deterministic pattern matching
+ * instead of an LLM call. Fast, predictable, zero-cost.
+ */
+export type BashRiskLevel = 'safe' | 'normal' | 'dangerous';
+export interface BashRiskResult {
+    level: BashRiskLevel;
+    reason?: string;
+}
+export declare function classifyBashRisk(command: string): BashRiskResult;

package/dist/agent/bash-guard.js

@@ -0,0 +1,158 @@
+/**
+ * Bash Risk Classifier — lightweight Guardian for Franklin.
+ *
+ * Classifies bash commands into three risk levels:
+ *   safe      — read-only or standard dev commands → auto-approve
+ *   normal    — typical mutations (file writes, installs) → default ask behavior
+ *   dangerous — destructive/irreversible operations → always ask, with warning
+ *
+ * Inspired by OpenAI Codex's Guardian system, but deterministic pattern matching
+ * instead of an LLM call. Fast, predictable, zero-cost.
+ */
+// ─── Dangerous Patterns ──────────────────────────────────────────────────
+// Checked first. If ANY pattern matches, the command is dangerous.
+const DANGEROUS_PATTERNS = [
+    // Destructive file operations
+    [/\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s+[/~]/, 'recursive delete on root/home'],
+    [/\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*f/, 'forced recursive delete'],
+    [/\brm\s+-[a-zA-Z]*f[a-zA-Z]*[rR]/, 'forced recursive delete'],
+    [/\bmkfs\b/, 'format filesystem'],
+    [/\bdd\s+.*of=/, 'raw disk write'],
+    // Git irreversible operations
+    [/\bgit\s+push\s+.*--force\b/, 'force push'],
+    [/\bgit\s+push\s+-f\b/, 'force push'],
+    [/\bgit\s+reset\s+--hard\b/, 'hard reset — discards uncommitted changes'],
+    [/\bgit\s+clean\s+-[a-zA-Z]*f/, 'git clean — deletes untracked files'],
+    [/\bgit\s+checkout\s+--\s+\./, 'discard all working changes'],
+    [/\bgit\s+branch\s+-D\b/, 'force delete branch'],
+    // Database destructive
+    [/\bDROP\s+(TABLE|DATABASE|SCHEMA)\b/i, 'drop database objects'],
+    [/\bTRUNCATE\s+TABLE\b/i, 'truncate table'],
+    // System-level danger
+    [/\bchmod\s+(-R\s+)?777\b/, 'world-writable permissions'],
+    [/\bcurl\s+.*\|\s*(sudo\s+)?(ba)?sh\b/, 'pipe URL to shell'],
+    [/\bwget\s+.*\|\s*(sudo\s+)?(ba)?sh\b/, 'pipe URL to shell'],
+    [/\bsudo\s+rm\b/, 'sudo delete'],
+    // Kill/shutdown
+    [/\bkill\s+-9\s+-1\b/, 'kill all processes'],
+    [/\bshutdown\b/, 'system shutdown'],
+    [/\breboot\b/, 'system reboot'],
+];
+// ─── Safe Commands ────────────────────────────────────────────────────────
+// If ALL segments use these commands, auto-approve.
+const SAFE_COMMANDS = new Set([
+    // Filesystem read-only
+    'ls', 'cat', 'head', 'tail', 'wc', 'du', 'df', 'file', 'stat', 'tree',
+    'find', 'grep', 'rg', 'ag', 'ack', 'which', 'whereis', 'type',
+    'echo', 'printf', 'date', 'whoami', 'hostname', 'uname', 'printenv',
+    'pwd', 'realpath', 'dirname', 'basename',
+    // Text processing (read-only when not redirecting)
+    'jq', 'yq', 'sort', 'uniq', 'cut', 'tr', 'diff', 'comm', 'less', 'more',
+    'wc', 'tee', 'xargs',
+]);
+const SAFE_GIT_SUBCOMMANDS = new Set([
+    'status', 'log', 'diff', 'show', 'branch', 'tag', 'remote',
+    'blame', 'shortlog', 'describe', 'rev-parse', 'rev-list',
+    'ls-files', 'ls-tree', 'ls-remote', 'config', 'reflog',
+]);
+const SAFE_PKG_SUBCOMMANDS = new Set([
+    'test', 'run', 'list', 'ls', 'info', 'view', 'show',
+    'outdated', 'audit', 'start', 'dev', 'serve', 'lint', 'check',
+    'why', 'explain', 'doctor',
+]);
+const SAFE_CARGO_SUBCOMMANDS = new Set([
+    'test', 'check', 'clippy', 'build', 'run', 'bench', 'doc',
+    'fmt', 'tree', 'metadata', 'verify-project',
+]);
+// ─── Classifier ──────────────────────────────────────────────────────────
+export function classifyBashRisk(command) {
+    // 1. Check dangerous patterns first (highest priority)
+    for (const [pattern, reason] of DANGEROUS_PATTERNS) {
+        if (pattern.test(command)) {
+            return { level: 'dangerous', reason };
+        }
+    }
+    // 2. Check if every segment is a known-safe command
+    const segments = command.split(/\s*(?:&&|\|\||[;|])\s*/);
+    let allSafe = true;
+    for (const segment of segments) {
+        const trimmed = segment.trim();
+        if (!trimmed)
+            continue;
+        if (!isSegmentSafe(trimmed)) {
+            allSafe = false;
+            break;
+        }
+    }
+    if (allSafe && segments.some(s => s.trim().length > 0)) {
+        return { level: 'safe' };
+    }
+    return { level: 'normal' };
+}
+function isSegmentSafe(segment) {
+    // Parse: strip env vars, extract command and args
+    const words = segment.split(/\s+/).filter(w => !w.includes('='));
+    let idx = 0;
+    let cmd = words[idx] || '';
+    // Strip harmless prefixes
+    while (['time', 'nice'].includes(cmd) && idx < words.length - 1) {
+        cmd = words[++idx] || '';
+    }
+    // sudo → not safe (even if the underlying command is safe)
+    if (cmd === 'sudo')
+        return false;
+    const baseName = cmd.split('/').pop() || cmd;
+    const argIdx = idx + 1;
+    const subCmd = words[argIdx] || '';
+    // git
+    if (baseName === 'git') {
+        return SAFE_GIT_SUBCOMMANDS.has(subCmd);
+    }
+    // npm / yarn / pnpm / bun / npx
+    if (['npm', 'npx', 'yarn', 'pnpm', 'bun'].includes(baseName)) {
+        // "npm run <script>" — safe (dev servers, linters, etc.)
+        if (subCmd === 'run')
+            return true;
+        return SAFE_PKG_SUBCOMMANDS.has(subCmd);
+    }
+    // cargo
+    if (baseName === 'cargo') {
+        return SAFE_CARGO_SUBCOMMANDS.has(subCmd);
+    }
+    // rtk (RTK wrapper — safe, it's a proxy)
+    if (baseName === 'rtk')
+        return true;
+    // Known safe base command
+    if (SAFE_COMMANDS.has(baseName)) {
+        // sed -i is not read-only
+        if (baseName === 'sed' && segment.includes(' -i'))
+            return false;
+        // Output redirection means writing — not safe
+        if (/>\s*[^&|]/.test(segment))
+            return false;
+        return true;
+    }
+    // Version/help checks are always safe
+    if (/\s+(-v|--version|-V)\s*$/.test(segment))
+        return true;
+    if (/\s+(-h|--help)\s*$/.test(segment))
+        return true;
+    // gh (GitHub CLI) read-only commands
+    if (baseName === 'gh') {
+        const ghAction = words.slice(argIdx, argIdx + 2).join(' ');
+        if (/^(pr|issue|repo|release|run)\s+(view|list|status|diff|checks|comments)/.test(ghAction))
+            return true;
+        if (subCmd === 'api')
+            return true; // gh api is read-only (GET)
+        if (subCmd === 'auth' && words[argIdx + 1] === 'status')
+            return true;
+        return false;
+    }
+    // docker/podman read-only
+    if (baseName === 'docker' || baseName === 'podman') {
+        if (['ps', 'images', 'inspect', 'logs', 'stats', 'top', 'port', 'version', 'info'].includes(subCmd))
+            return true;
+        return false;
+    }
+    return false;
+}

package/dist/agent/permissions.js

@@ -7,6 +7,31 @@ import path from 'node:path';
 import readline from 'node:readline';
 import chalk from 'chalk';
 import { BLOCKRUN_DIR } from '../config.js';
+import { classifyBashRisk } from './bash-guard.js';
+// ─── Common dev command patterns (auto-allow without prompting) ──────────
+// These are "normal" risk commands that are too common to interrupt the user.
+// Only applied when --trust flag is set (user explicitly opted into auto-mode).
+const COMMON_DEV_PATTERNS = [
+    /^npm\s+(install|i|ci|run|exec|test|start|build|lint|format|outdated|ls|list|info|view|pack)\b/,
+    /^(pnpm|yarn|bun)\s+(install|add|run|test|build|lint|exec)\b/,
+    /^pip3?\s+install\b/,
+    /^python3?\s+/,
+    /^node\s+/,
+    /^(pytest|jest|vitest|mocha)\b/,
+    /^(tsc|eslint|prettier|biome)\b/,
+    /^git\s+(add|commit|push|pull|fetch|status|diff|log|branch|checkout|switch|merge|rebase|stash|tag|remote|show)\b/,
+    /^(cat|head|tail|wc|sort|uniq|diff|file|which|whoami|hostname|uname|date|echo)\b/,
+    /^(ls|pwd|cd|mkdir|touch)\b/,
+    /^(docker|docker-compose)\s+(ps|logs|images|inspect|stats|exec|build|run|pull)\b/,
+    /^(curl|wget)\s+/,
+    /^make\b/,
+    /^cargo\s+(build|test|check|clippy|run|bench|doc|fmt)\b/,
+    /^go\s+(build|test|run|vet|fmt|mod)\b/,
+];
+function isCommonDevCommand(cmd) {
+    const trimmed = cmd.trim();
+    return COMMON_DEV_PATTERNS.some(p => p.test(trimmed));
+}
 // ─── Default Rules ─────────────────────────────────────────────────────────
 const READ_ONLY_TOOLS = new Set(['Read', 'Glob', 'Grep', 'WebSearch', 'Task', 'AskUser', 'ImageGen', 'TradingSignal', 'TradingMarket', 'SearchX']);
 const DESTRUCTIVE_TOOLS = new Set(['Write', 'Edit', 'Bash']);
@@ -61,8 +86,17 @@ export class PermissionManager {
         if (this.matchesRule(toolName, input, this.rules.allow)) {
             return { behavior: 'allow', reason: 'allowed by rule' };
         }
-        // Check explicit ask rules
+        // Check explicit ask rules — with Bash risk classification
         if (this.matchesRule(toolName, input, this.rules.ask)) {
+            // Bash Guardian: classify risk before blindly asking
+            if (toolName === 'Bash') {
+                const cmd = input.command || '';
+                const risk = classifyBashRisk(cmd);
+                if (risk.level === 'safe') {
+                    return { behavior: 'allow', reason: 'safe command' };
+                }
+                // dangerous and normal both ask, but dangerous gets a warning in describeAction
+            }
             return { behavior: 'ask' };
         }
         // Default: read-only tools are auto-allowed, others ask
@@ -179,7 +213,12 @@ export class PermissionManager {
         switch (toolName) {
             case 'Bash': {
                 const cmd = input.command || '';
-                return `Execute: ${cmd.length > 100 ? cmd.slice(0, 100) + '...' : cmd}`;
+                const preview = cmd.length > 100 ? cmd.slice(0, 100) + '...' : cmd;
+                const risk = classifyBashRisk(cmd);
+                if (risk.level === 'dangerous') {
+                    return `\x1b[31m⚠ DANGEROUS: ${risk.reason}\x1b[0m\n  │ Execute: ${preview}`;
+                }
+                return `Execute: ${preview}`;
             }
             case 'Write': {
                 const fp = input.file_path || '';

package/dist/agent/streaming-executor.js

@@ -174,6 +174,38 @@ export class StreamingExecutor {
             }
             : this.scope;
         try {
+            // Runtime input validation: check required fields and types
+            const schema = handler.spec.input_schema;
+            if (schema?.required) {
+                for (const field of schema.required) {
+                    if (invocation.input[field] === undefined || invocation.input[field] === null) {
+                        const desc = schema.properties?.[field]?.description || '';
+                        return {
+                            output: `Error: missing required parameter "${field}" for ${handler.spec.name}. ${desc}`,
+                            isError: true,
+                        };
+                    }
+                }
+            }
+            // Type coercion for common model mistakes (string↔number, string↔boolean)
+            if (schema?.properties) {
+                for (const [key, value] of Object.entries(invocation.input)) {
+                    if (value == null)
+                        continue;
+                    const prop = schema.properties[key];
+                    if (!prop?.type)
+                        continue;
+                    if (prop.type === 'number' && typeof value === 'string' && !isNaN(Number(value))) {
+                        invocation.input[key] = Number(value);
+                    }
+                    else if (prop.type === 'boolean' && typeof value === 'string') {
+                        if (value === 'true')
+                            invocation.input[key] = true;
+                        else if (value === 'false')
+                            invocation.input[key] = false;
+                    }
+                }
+            }
             let result = await handler.execute(invocation.input, progressScope);
             this.guard?.afterExecute(invocation, result);
             // Persist large results to disk with preview (inspired by Claude Code toolResultStorage)

package/dist/agent/tokens.js

@@ -180,7 +180,7 @@ const MODEL_CONTEXT_WINDOWS = {
     'xai/grok-4-0709': 131_072,
     'xai/grok-4-1-fast-reasoning': 131_072,
     // Others
-    'zai/glm-5.1': 128_000,
+    'zai/glm-5.1': 200_000,
     'moonshot/kimi-k2.5': 128_000,
     'minimax/minimax-m2.7': 128_000,
 };

package/dist/agent/types.d.ts

@@ -51,6 +51,15 @@ export interface CapabilityHandler {
 export interface CapabilityResult {
     output: string;
     isError?: boolean;
+    /** Structured diff for Edit tool — enables colored diff display in UI. */
+    diff?: {
+        file: string;
+        oldLines: string[];
+        newLines: string[];
+        count: number;
+    };
+    /** Full tool output for expandable display — separate from truncated preview. */
+    fullOutput?: string;
 }
 export interface ExecutionScope {
     workingDir: string;

package/dist/mcp/client.js

@@ -79,6 +79,42 @@ async function connectStdio(name, config) {
             concurrent: true, // MCP tools are safe to run concurrently
         });
     }
+    // Discover resources (optional — not all servers expose resources)
+    try {
+        const { resources: mcpResources } = await client.listResources();
+        for (const resource of mcpResources) {
+            const resourceToolName = `mcp__${name}__read_${resource.name.replace(/[^a-zA-Z0-9_]/g, '_')}`;
+            const resourceDesc = resource.description
+                ? `Read resource: ${resource.description}`.slice(0, 2048)
+                : `Read MCP resource "${resource.name}" from ${name}`;
+            capabilities.push({
+                spec: {
+                    name: resourceToolName,
+                    description: resourceDesc,
+                    input_schema: { type: 'object', properties: {}, required: [] },
+                },
+                execute: async () => {
+                    try {
+                        const result = await client.readResource({ uri: resource.uri });
+                        const output = result.contents
+                            ?.map(c => c.text ?? `[resource: ${c.uri}]`)
+                            ?.join('\n') || JSON.stringify(result.contents);
+                        return { output, isError: false };
+                    }
+                    catch (err) {
+                        return {
+                            output: `MCP resource error (${name}/${resource.name}): ${err.message}`,
+                            isError: true,
+                        };
+                    }
+                },
+                concurrent: true,
+            });
+        }
+    }
+    catch {
+        // Server doesn't support resources — that's fine, tools-only mode
+    }
     const connected = { name, client, transport, tools: capabilities };
     connections.set(name, connected);
     return connected;

package/dist/pricing.js

@@ -73,7 +73,7 @@ export const MODEL_PRICING = {
     'zai/glm-5': { input: 0, output: 0, perCall: 0.001 },
     'zai/glm-5.1': { input: 0, output: 0, perCall: 0.001 },
     'zai/glm-5-turbo': { input: 0, output: 0, perCall: 0.001 },
-    'zai/glm-5.1-turbo': { input: 0, output: 0, perCall: 0.001 },
+    'zai/glm-5.1-turbo': { input: 0, output: 0, perCall: 0.001 }, // client alias for zai/glm-5-turbo
 };
 /** Opus pricing for savings calculations */
 export const OPUS_PRICING = MODEL_PRICING['anthropic/claude-opus-4.6'];

package/dist/tools/bash.js

@@ -51,7 +51,26 @@ function compressOutput(command, output) {
         else if (sub === 'install')
             out = compressInstall(out);
     }
-    // 7. Always collapse excessive blank lines
+    // 7. Python — pip install, pytest, python scripts
+    else if (/^(pip|pip3)\s+install\b/.test(fullCmd)) {
+        out = compressInstall(out);
+    }
+    else if (/^(pytest|python.*-m\s+pytest)\b/.test(fullCmd)) {
+        out = compressTests(out);
+    }
+    // 8. Docker — strip layer hashes, progress bars, keep errors + summary
+    else if (/^docker\s+(build|run|pull|push|compose)\b/.test(fullCmd)) {
+        out = compressDocker(out);
+    }
+    // 9. curl/wget — strip progress bars, keep response
+    else if (/^(curl|wget)\b/.test(fullCmd)) {
+        out = compressDownload(out);
+    }
+    // 10. Make — keep errors/warnings, drop recipe lines
+    else if (cmd === 'make') {
+        out = compressBuild(out);
+    }
+    // 11. Always collapse excessive blank lines
     out = collapseBlankLines(out);
     return out;
 }
@@ -161,6 +180,42 @@ function compressBuild(out) {
     });
     return collapseBlankLines(kept.join('\n')).trim() || out.trim();
 }
+function compressDocker(out) {
+    const lines = out.split('\n');
+    const kept = lines.filter(l => {
+        const t = l.trim();
+        // Drop layer progress: "sha256:abc123: Pulling fs layer" / "Downloading [==>  ]"
+        if (/^[a-f0-9]{12}:\s*(Pull|Wait|Download|Extract|Verif|Already)/.test(t))
+            return false;
+        // Drop download/upload progress bars
+        if (/^\[[\s=>#]+\]/.test(t) || /\d+(\.\d+)?%/.test(t) && t.length < 80)
+            return false;
+        // Drop "Sending build context" progress
+        if (/^Sending build context/.test(t))
+            return false;
+        return true;
+    });
+    return collapseBlankLines(kept.join('\n')).trim() || out.trim();
+}
+function compressDownload(out) {
+    const lines = out.split('\n');
+    const kept = lines.filter(l => {
+        const t = l.trim();
+        // Drop curl progress bars: "  % Total    % Received..."
+        if (/^\s*%\s+Total/.test(t))
+            return false;
+        if (/^\s*\d+\s+\d+[kMG]?\s+\d+\s+\d+[kMG]?/.test(t) && t.length < 100)
+            return false;
+        // Drop wget progress: "2024-01-01 12:00:00 (1.23 MB/s) - saved"
+        if (/^\d{4}-\d{2}-\d{2}.*saved/.test(t))
+            return false;
+        // Drop download percentage lines
+        if (/^\s*\d+%\s/.test(t))
+            return false;
+        return true;
+    });
+    return collapseBlankLines(kept.join('\n')).trim() || out.trim();
+}
 const backgroundTasks = new Map();
 let bgTaskCounter = 0;
 /** Get a background task's result (called by the agent to check status). */

package/dist/tools/edit.js

@@ -3,7 +3,7 @@
  */
 import fs from 'node:fs';
 import path from 'node:path';
-import { partiallyReadFiles, fileReadTracker } from './read.js';
+import { partiallyReadFiles, fileReadTracker, invalidateFileCache } from './read.js';
 /**
  * Normalize curly/smart quotes to straight quotes.
  * Claude Code does this to handle API-sanitized strings and editor paste artifacts.
@@ -143,8 +143,9 @@ async function execute(input, ctx) {
             updated = content.slice(0, firstIdx) + newStr + content.slice(firstIdx + effectiveOldStr.length);
         }
         fs.writeFileSync(resolved, updated, 'utf-8');
-        // File has been modified — remove from partial-read tracking so next read is fresh
+        // File has been modified — invalidate caches so next read is fresh
         partiallyReadFiles.delete(resolved);
+        invalidateFileCache(resolved);
         // Update read tracker mtime so subsequent edits don't trigger stale-write detection
         const newStat = fs.statSync(resolved);
         fileReadTracker.set(resolved, { mtimeMs: newStat.mtimeMs, readAt: Date.now() });
@@ -172,6 +173,7 @@ async function execute(input, ctx) {
         }
         return {
             output: `Updated ${resolved} — ${matchCount} replacement${matchCount > 1 ? 's' : ''} made.${diffPreview}${partialWarning}`,
+            diff: { file: resolved, oldLines, newLines, count: matchCount },
         };
     }
     catch (err) {

package/dist/tools/read.d.ts

@@ -22,4 +22,6 @@ export declare const fileReadTracker: Map<string, {
     mtimeMs: number;
     readAt: number;
 }>;
+/** Invalidate the content cache for a file (call after Edit/Write modifies it). */
+export declare function invalidateFileCache(resolvedPath: string): void;
 export declare const readCapability: CapabilityHandler;

package/dist/tools/read.js

@@ -16,6 +16,24 @@ export const partiallyReadFiles = new Map();
  * Exported so edit.ts and write.ts can check.
  */
 export const fileReadTracker = new Map();
+/**
+ * File state cache — avoids re-reading unchanged files across turns.
+ * Stores mtime + line count for each file. If the model requests a Read
+ * and the file hasn't changed (same mtime), return a short stub instead
+ * of the full content. This saves thousands of tokens on repeated reads.
+ *
+ * Cache is invalidated when:
+ * - File mtime changes (edited externally or by Edit/Write tool)
+ * - Different offset/limit is requested (user wants a different section)
+ */
+const fileContentCache = new Map();
+function cacheKey(resolved, offset, limit) {
+    return `${offset ?? 0}:${limit ?? 2000}`;
+}
+/** Invalidate the content cache for a file (call after Edit/Write modifies it). */
+export function invalidateFileCache(resolvedPath) {
+    fileContentCache.delete(resolvedPath);
+}
 async function execute(input, ctx) {
     const { file_path: filePath, offset, limit } = input;
     if (!filePath) {
@@ -24,6 +42,14 @@ async function execute(input, ctx) {
     const resolved = path.isAbsolute(filePath) ? filePath : path.resolve(ctx.workingDir, filePath);
     try {
         const stat = fs.statSync(resolved);
+        // File state cache: if file hasn't changed and same range requested, return stub
+        const range = cacheKey(resolved, offset, limit);
+        const cached = fileContentCache.get(resolved);
+        if (cached && cached.mtimeMs === stat.mtimeMs && cached.readRange === range) {
+            return {
+                output: `File unchanged since last read (${cached.lineCount} lines). Content is already in your context — do not re-read it.`,
+            };
+        }
         if (stat.isDirectory()) {
             // Helpfully list directory contents instead of just erroring
             const entries = fs.readdirSync(resolved, { withFileTypes: true });
@@ -65,6 +91,8 @@ async function execute(input, ctx) {
         }
         // Record this read for read-before-edit/write enforcement
         fileReadTracker.set(resolved, { mtimeMs: stat.mtimeMs, readAt: Date.now() });
+        // Update file state cache (for cross-turn dedup)
+        fileContentCache.set(resolved, { mtimeMs: stat.mtimeMs, lineCount: allLines.length, readRange: range });
         // Format with line numbers (cat -n style)
         const numbered = slice.map((line, i) => `${startLine + i + 1}\t${line}`);
         let result = numbered.join('\n');

package/dist/tools/write.js

@@ -4,7 +4,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
-import { partiallyReadFiles, fileReadTracker } from './read.js';
+import { partiallyReadFiles, fileReadTracker, invalidateFileCache } from './read.js';
 function withTrailingSep(value) {
     return value.endsWith(path.sep) ? value : value + path.sep;
 }
@@ -93,6 +93,7 @@ async function execute(input, ctx) {
         fs.mkdirSync(parentDir, { recursive: true });
         fs.writeFileSync(resolved, content, 'utf-8');
         partiallyReadFiles.delete(resolved);
+        invalidateFileCache(resolved);
         // Update read tracker so subsequent edits don't trigger stale detection
         const newStat = fs.statSync(resolved);
         fileReadTracker.set(resolved, { mtimeMs: newStat.mtimeMs, readAt: Date.now() });