@burtson-labs/bandit-stealth-cli 1.7.183 → 1.7.184

package/dist/cli.js

@@ -1009,6 +1009,10 @@ Content-Type: ${y||"(unknown)"}
 
 ${F}`,isError:!f.ok}}catch(f){return{output:`Fetch failed: ${f instanceof Error?f.message:String(f)}`,isError:!0}}}}}t(mbr,"buildWebFetchTool");function gbr(a){return a.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi,"").replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi,"").replace(/<[^>]+>/g," ").replace(/&nbsp;/g," ").replace(/&amp;/g,"&").replace(/&lt;/g,"<").replace(/&gt;/g,">").replace(/&quot;/g,'"').replace(/\s+/g," ").trim()}t(gbr,"stripHtml")});var Z_t=Ot(vZ=>{"use strict";Object.defineProperty(vZ,"__esModule",{value:!0});vZ.buildTaskTool=hbr;vZ.buildCheckTaskTool=ybr;vZ.buildListTasksTool=vbr;var J_t=YV();function W_t(a){return a.replace(/```bandit-reasoning\b[\s\S]*?```/gi,"").replace(/```bandit-reasoning\b[\s\S]*$/i,"").replace(/<think\b[\s\S]*?<\/think\s*>/gi,"").replace(/<think\b[\s\S]*$/i,"").trim()}t(W_t,"sanitizeSubagentSynopsis");var V_t=`You are a focused subagent spawned to accomplish a single well-defined goal. You have access to the same tools as the parent agent (read, write, search, run_command, skill tools, etc.) EXCEPT you cannot spawn further subagents.
 
+CRITICAL \u2014 read these BEFORE thinking:
+- **ACT, DON'T NARRATE.** Your FIRST iteration MUST emit a tool call. Do NOT sit in reasoning thinking through the whole problem before acting \u2014 that pattern produces zero iterations and a "stalled in reasoning" failure. The goal needs information you don't have yet, so the way to make progress is to call a tool. Pick the most obvious starting tool (\`list_files\`, \`read_file\`, \`search_code\`) and emit it RIGHT NOW.
+- **NEVER write the literal text \`<tool_call>\` or \`</tool_call>\` in your prose, reasoning, or explanations.** These are protocol tokens. Emitting them anywhere except as a real tool invocation breaks Ollama's qwen tool-call parser and the entire request returns 500 \u2014 taking the whole subagent down with it. Same rule for \`<tool_result>\`, \`<think>\`, and any other angle-bracket protocol token: only emit them in their actual structural role, never as prose text describing tool calls.
+
 Rules:
 - Stay strictly on the goal. Do NOT start adjacent work, refactors, or "while I'm here" cleanups.
 - When the goal is achieved, STOP and return a concise synopsis. No preamble.
@@ -1346,7 +1350,7 @@ ${(()=>{let Z=`Bandit insights \u2014 ${new Date(s).toISOString().slice(0,10)}`,
     <h1>You're signed in.</h1>
     <p>Bandit picked up your session. You can close this tab and return to your terminal.</p>
   </div>
-</body></html>`;t(fSr,"startLoopbackListener");t(_Sr,"openBrowser");t(dSr,"buildDefaultDeviceLabel");t(pSr,"runOAuthSignIn")});var Mue=Ot((S6r,mSr)=>{mSr.exports={name:"@burtson-labs/bandit-stealth-cli",version:"1.7.183",description:"Bandit \u2014 a local-first AI coding agent for your terminal. Same runtime as the Bandit Stealth VS Code / Cursor extension.",keywords:["ai","agent","cli","coding-agent","llm","ollama","local-first","bandit","burtson-labs","terminal","repl","developer-tools"],homepage:"https://burtson.ai",bugs:{email:"team@burtson.ai"},license:"MIT",author:{name:"Burtson Labs",email:"team@burtson.ai",url:"https://burtson.ai"},bin:{bandit:"./dist/cli.js"},main:"dist/cli.js",files:["dist/cli.js","README.md","LICENSE"],engines:{node:">=20"},publishConfig:{access:"public"},scripts:{typecheck:"tsc -p tsconfig.json --noEmit",build:"node build.mjs","build:publish":"node build.mjs --publish",dev:"node build.mjs --watch",start:"node dist/cli.js",smoke:"node build.mjs && node dist/__smoke__/smoke.js",integration:"node build.mjs && node dist/__integration__/ollama.js",eval:"node build.mjs && node dist/__eval__/eval.js",benchmark:"node build.mjs && node dist/__eval__/benchmark.js","gen-logo":"node scripts/gen-logo.mjs","preview-banner":"node scripts/preview-banner.mjs",clean:"rm -rf dist",prepack:"node scripts/prepack.mjs",postpack:"node scripts/postpack.mjs",prepublishOnly:"pnpm run clean && pnpm run typecheck && pnpm run build:publish"},dependencies:{"pdf-parse":"^2.4.5"},devDependencies:{"@burtson-labs/agent-core":"workspace:*","@burtson-labs/host-kit":"workspace:*","@burtson-labs/stealth-core-runtime":"workspace:*","@types/node":"^20.11.0","@types/pdf-parse":"^1.1.5","@types/pngjs":"^6.0.5",esbuild:"^0.28.0",pngjs:"^7.0.0",typescript:"^5.4.0"}}});var HSr={};module.exports=Tet(HSr);var Cm=Tu(require("fs")),Rue=Tu(require("os")),Yp=Tu(require("path")),S9=Tu(require("readline")),jue=Tu(require("child_process")),Qp=Tu(YV()),Iy=Tu(hOe());var QF=Tu(require("fs")),yOe=Tu(require("os")),D6=Tu(require("path")),dZ=Tu(require("child_process"));function Sb(a){return a==="~"?yOe.homedir():a.startsWith("~/")?D6.join(yOe.homedir(),a.slice(2)):a}t(Sb,"expandHome");var p9=16*1024,_Z=32*1024,Qft=1e4,e1r=3e4,vOe=200,bOe=new Set(["node_modules",".git","dist","build","out",".next",".turbo","coverage","target","__pycache__",".venv","venv"]);function t1r(a){let s=t(_=>{let f=_.match(/^(.*?)\{([^}]+)\}(.*)$/);if(!f)return[_];let[,y,k,P]=f;return k.split(",").map(F=>`${y}${F.trim()}${P}`)},"braceExpand"),c=a.match(/^([^*{}]+?)\/\*\*\/(.+)$/);if(c){let[,_,f]=c;return{includes:s(f),subDir:_}}return{includes:s(a),subDir:""}}t(t1r,"expandGlobForGrep");var eM=class{constructor(s,c,_={}){this.workspaceRoot=s;this.languageAdapters=c;this.options=_;this._readFiles=new Set;this.customRepoRoots=_.customRepoRoots&&_.customRepoRoots.length>0?_.customRepoRoots:void 0}static{t(this,"CliToolExecutionContext")}markFileRead(s){this._readFiles.add(Sb(s))}hasFileBeenRead(s){return this._readFiles.has(Sb(s))}async readFile(s){return QF.promises.readFile(Sb(s),"utf-8")}async writeFile(s,c){let _=Sb(s);if(this.options.approveWrite&&!await this.options.approveWrite(_,c))throw new Error(`Write to ${_} rejected by user`);await QF.promises.mkdir(D6.dirname(_),{recursive:!0}),await QF.promises.writeFile(_,c,"utf-8")}async listFiles(s,c){let _=Sb(c??this.workspaceRoot),f=r1r(s),y=[];return await e_t(_,_,f,y),y.slice(0,vOe).sort()}async listDirectoryEntries(s){let c=Sb(s),_=await QF.promises.readdir(c,{withFileTypes:!0}),f=[];for(let y of _){if(y.name.startsWith("."))continue;let k=y.isDirectory();if(y.isSymbolicLink())try{k=(await QF.promises.stat(D6.join(c,y.name))).isDirectory()}catch{k=!1}f.push(k?`${y.name}/`:y.name)}return f.sort()}async searchCode(s,c,_){let f=Sb(c??this.workspaceRoot);return this.runRipgrep(s,f,_).catch(()=>this.runGrep(s,f,_))}async runCommand(s,c,_){let f=c.map(Sb),y=_?Sb(_):this.workspaceRoot,k={...process.env};if((s.split(/[\\/]/).pop()??s)==="gh")for(let F of["GITHUB_TOKEN","GH_TOKEN"]){let L=k[F];typeof L=="string"&&L.trim()===""&&delete k[F]}return new Promise(F=>{let L="",U="",Z=dZ.spawn(s,f,{cwd:y,shell:process.platform==="win32",env:k}),J=setTimeout(()=>{Z.kill("SIGTERM"),F({stdout:L.slice(0,_Z),stderr:U+`
+</body></html>`;t(fSr,"startLoopbackListener");t(_Sr,"openBrowser");t(dSr,"buildDefaultDeviceLabel");t(pSr,"runOAuthSignIn")});var Mue=Ot((S6r,mSr)=>{mSr.exports={name:"@burtson-labs/bandit-stealth-cli",version:"1.7.184",description:"Bandit \u2014 a local-first AI coding agent for your terminal. Same runtime as the Bandit Stealth VS Code / Cursor extension.",keywords:["ai","agent","cli","coding-agent","llm","ollama","local-first","bandit","burtson-labs","terminal","repl","developer-tools"],homepage:"https://burtson.ai",bugs:{email:"team@burtson.ai"},license:"MIT",author:{name:"Burtson Labs",email:"team@burtson.ai",url:"https://burtson.ai"},bin:{bandit:"./dist/cli.js"},main:"dist/cli.js",files:["dist/cli.js","README.md","LICENSE"],engines:{node:">=20"},publishConfig:{access:"public"},scripts:{typecheck:"tsc -p tsconfig.json --noEmit",build:"node build.mjs","build:publish":"node build.mjs --publish",dev:"node build.mjs --watch",start:"node dist/cli.js",smoke:"node build.mjs && node dist/__smoke__/smoke.js",integration:"node build.mjs && node dist/__integration__/ollama.js",eval:"node build.mjs && node dist/__eval__/eval.js",benchmark:"node build.mjs && node dist/__eval__/benchmark.js","gen-logo":"node scripts/gen-logo.mjs","preview-banner":"node scripts/preview-banner.mjs",clean:"rm -rf dist",prepack:"node scripts/prepack.mjs",postpack:"node scripts/postpack.mjs",prepublishOnly:"pnpm run clean && pnpm run typecheck && pnpm run build:publish"},dependencies:{"pdf-parse":"^2.4.5"},devDependencies:{"@burtson-labs/agent-core":"workspace:*","@burtson-labs/host-kit":"workspace:*","@burtson-labs/stealth-core-runtime":"workspace:*","@types/node":"^20.11.0","@types/pdf-parse":"^1.1.5","@types/pngjs":"^6.0.5",esbuild:"^0.28.0",pngjs:"^7.0.0",typescript:"^5.4.0"}}});var HSr={};module.exports=Tet(HSr);var Cm=Tu(require("fs")),Rue=Tu(require("os")),Yp=Tu(require("path")),S9=Tu(require("readline")),jue=Tu(require("child_process")),Qp=Tu(YV()),Iy=Tu(hOe());var QF=Tu(require("fs")),yOe=Tu(require("os")),D6=Tu(require("path")),dZ=Tu(require("child_process"));function Sb(a){return a==="~"?yOe.homedir():a.startsWith("~/")?D6.join(yOe.homedir(),a.slice(2)):a}t(Sb,"expandHome");var p9=16*1024,_Z=32*1024,Qft=1e4,e1r=3e4,vOe=200,bOe=new Set(["node_modules",".git","dist","build","out",".next",".turbo","coverage","target","__pycache__",".venv","venv"]);function t1r(a){let s=t(_=>{let f=_.match(/^(.*?)\{([^}]+)\}(.*)$/);if(!f)return[_];let[,y,k,P]=f;return k.split(",").map(F=>`${y}${F.trim()}${P}`)},"braceExpand"),c=a.match(/^([^*{}]+?)\/\*\*\/(.+)$/);if(c){let[,_,f]=c;return{includes:s(f),subDir:_}}return{includes:s(a),subDir:""}}t(t1r,"expandGlobForGrep");var eM=class{constructor(s,c,_={}){this.workspaceRoot=s;this.languageAdapters=c;this.options=_;this._readFiles=new Set;this.customRepoRoots=_.customRepoRoots&&_.customRepoRoots.length>0?_.customRepoRoots:void 0}static{t(this,"CliToolExecutionContext")}markFileRead(s){this._readFiles.add(Sb(s))}hasFileBeenRead(s){return this._readFiles.has(Sb(s))}async readFile(s){return QF.promises.readFile(Sb(s),"utf-8")}async writeFile(s,c){let _=Sb(s);if(this.options.approveWrite&&!await this.options.approveWrite(_,c))throw new Error(`Write to ${_} rejected by user`);await QF.promises.mkdir(D6.dirname(_),{recursive:!0}),await QF.promises.writeFile(_,c,"utf-8")}async listFiles(s,c){let _=Sb(c??this.workspaceRoot),f=r1r(s),y=[];return await e_t(_,_,f,y),y.slice(0,vOe).sort()}async listDirectoryEntries(s){let c=Sb(s),_=await QF.promises.readdir(c,{withFileTypes:!0}),f=[];for(let y of _){if(y.name.startsWith("."))continue;let k=y.isDirectory();if(y.isSymbolicLink())try{k=(await QF.promises.stat(D6.join(c,y.name))).isDirectory()}catch{k=!1}f.push(k?`${y.name}/`:y.name)}return f.sort()}async searchCode(s,c,_){let f=Sb(c??this.workspaceRoot);return this.runRipgrep(s,f,_).catch(()=>this.runGrep(s,f,_))}async runCommand(s,c,_){let f=c.map(Sb),y=_?Sb(_):this.workspaceRoot,k={...process.env};if((s.split(/[\\/]/).pop()??s)==="gh")for(let F of["GITHUB_TOKEN","GH_TOKEN"]){let L=k[F];typeof L=="string"&&L.trim()===""&&delete k[F]}return new Promise(F=>{let L="",U="",Z=dZ.spawn(s,f,{cwd:y,shell:process.platform==="win32",env:k}),J=setTimeout(()=>{Z.kill("SIGTERM"),F({stdout:L.slice(0,_Z),stderr:U+`
 [process timed out]`,exitCode:124})},e1r),ve=process.stdout.isTTY===!0,he=t((Te,pt)=>{if(!ve)return;(pt?process.stderr:process.stdout).write("\r\x1B[2K\x1B[2m"+Te+"\x1B[0m")},"writeLive");Z.stdout?.on("data",Te=>{let pt=Te.toString();L+=pt,he(pt,!1),L.length>_Z&&Z.kill("SIGTERM")}),Z.stderr?.on("data",Te=>{let pt=Te.toString();U+=pt,he(pt,!0)}),Z.on("close",Te=>{clearTimeout(J);let pt=L.slice(0,_Z);if(Te===0&&/Operation cancelled/i.test(pt)&&/(create-vite|create-react-app|create-next|create-svelte|create-astro|create-remix|@clack)/i.test(`${s} ${f.join(" ")} ${pt}`)){let bt=[s,...f].join(" ");F({stdout:pt,stderr:`Interactive scaffolder detected \u2014 \`${s}\` aborted with "Operation cancelled" because Bandit captures stdout/stderr (no TTY on stdin) and modern scaffolders refuse to start without one. Tell the user to run this directly in their shell: \`!${bt}\`. The \`!\`-prefix runs through their terminal with real stdin, so the scaffolder's prompts work. After they finish, you can pick up from the resulting filesystem state. Do NOT retry the same command \u2014 it will loop forever.`,exitCode:1});return}F({stdout:pt,stderr:U.slice(0,4*1024),exitCode:Te??0})}),Z.on("error",Te=>{if(clearTimeout(J),Te.code==="ENOENT"){F({stdout:"",stderr:`spawn ${s} ENOENT \u2014 '${s}' not found on PATH. Verify the tool is installed (\`which ${s}\` in a fresh terminal). If you use nvm/asdf/volta, your shim PATH may not be inherited; relaunching this CLI from the same terminal session that has \`${s}\` on PATH usually fixes it.`,exitCode:127});return}F({stdout:"",stderr:Te.message,exitCode:1})})})}async watchCommand(s,c,_,f){let y=c.map(Sb),k=_?Sb(_):this.workspaceRoot;return new Promise(P=>{let F="",L="",U=!1,Z=!1,J=dZ.spawn(s,y,{cwd:k,shell:process.platform==="win32",env:{...process.env}}),ve=t(gt=>{Z||(Z=!0,P({stdout:F.slice(0,_Z),stderr:L.slice(0,4*1024),exitCode:gt,endedEarly:U}))},"finish"),he=setTimeout(()=>{try{J.kill("SIGTERM")}catch{}let gt=setTimeout(()=>{try{J.kill("SIGKILL")}catch{}ve(null)},1e3);J.once("close",bt=>{clearTimeout(gt),ve(typeof bt=="number"?bt:null)})},f),Te=process.stdout.isTTY===!0,pt=t((gt,bt)=>{if(!Te)return;(bt?process.stderr:process.stdout).write("\r\x1B[2K\x1B[2m"+gt+"\x1B[0m")},"writeLive");J.stdout?.on("data",gt=>{let bt=gt.toString();if(F+=bt,pt(bt,!1),F.length>_Z)try{J.kill("SIGTERM")}catch{}}),J.stderr?.on("data",gt=>{let bt=gt.toString();L+=bt,pt(bt,!0)}),J.on("close",gt=>{Z||(clearTimeout(he),U=!0,ve(typeof gt=="number"?gt:null))}),J.on("error",gt=>{Z||(clearTimeout(he),U=!0,L+=gt.message,ve(1))})})}runRipgrep(s,c,_){return new Promise((f,y)=>{let k=["--color=never","--line-number","--max-count=25","--max-filesize=1M",...[...bOe].map(U=>["--glob",`!${U}`]).flat()];_&&k.push("--glob",_),k.push(s,c);let P="",F=dZ.spawn("rg",k,{shell:!1}),L=setTimeout(()=>{F.kill("SIGTERM"),f(P.slice(0,p9))},Qft);F.stdout?.on("data",U=>{P+=U.toString(),P.length>p9&&F.kill("SIGTERM")}),F.on("close",U=>{clearTimeout(L),U!=null&&U>=2&&P.length===0?y(new Error(`rg exited with code ${U}`)):f(P.slice(0,p9))}),F.on("error",y)})}runGrep(s,c,_){return new Promise((f,y)=>{let k=[...bOe].map(he=>["--exclude-dir",he]).flat(),P=_?t1r(_):{includes:[],subDir:""},F=P.includes.flatMap(he=>["--include",he]),L=P.subDir?`${c}/${P.subDir}`:c,U=["-rn","-E","--color=never",...k,...F,s,L],Z="",J=dZ.spawn("grep",U,{shell:!1}),ve=setTimeout(()=>{J.kill("SIGTERM"),f(Z.slice(0,p9))},Qft);J.stdout?.on("data",he=>{Z+=he.toString(),Z.length>p9&&J.kill("SIGTERM")}),J.on("close",he=>{clearTimeout(ve),he!=null&&he>=2&&Z.length===0?y(new Error(`grep exited with code ${he}`)):f(Z.slice(0,p9))}),J.on("error",y)})}};function r1r(a){let s=n1r(a);return c=>s.test(c.replace(/\\/g,"/"))}t(r1r,"compileGlob");function n1r(a){let s="^";for(let c=0;c<a.length;c++){let _=a[c];if(_==="*")a[c+1]==="*"?(s+=".*",c++,a[c+1]==="/"&&c++):s+="[^/]*";else if(_==="?")s+="[^/]";else if(_==="{"){let f=a.indexOf("}",c);if(f===-1){s+="\\{";continue}let y=a.slice(c+1,f).split(",").map(i1r).join("|");s+=`(?:${y})`,c=f}else/[.+^$()|\\]/.test(_)?s+="\\"+_:s+=_}return s+="$",new RegExp(s)}t(n1r,"globToRegex");function i1r(a){return a.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")}t(i1r,"escapeRegex");async function e_t(a,s,c,_){if(_.length>=vOe)return;let f;try{f=await QF.promises.readdir(a,{withFileTypes:!0})}catch{return}for(let y of f){if(_.length>=vOe)return;if(bOe.has(y.name))continue;let k=D6.join(a,y.name),P=D6.relative(s,k);y.isDirectory()?await e_t(k,s,c,_):y.isFile()&&c(P)&&_.push(k)}}t(e_t,"walk");var r_t=Tu(require("child_process")),lE=Tu(require("fs")),n_t=Tu(require("os")),SOe=Tu(require("path")),i_t=Tu(require("crypto"));function TOe(){let a=i_t.randomBytes(4).toString("hex");return SOe.join(n_t.tmpdir(),`bandit-paste-${Date.now()}-${a}.png`)}t(TOe,"freshTempPath");function pue(a,s,c={}){try{let _=r_t.spawnSync(a,s,{...c,encoding:void 0});return{stdout:Buffer.isBuffer(_.stdout)?_.stdout:Buffer.from(_.stdout??""),code:_.status}}catch{return{stdout:Buffer.alloc(0),code:null}}}t(pue,"tryExec");async function mue(){return process.platform==="darwin"?a1r():process.platform==="linux"?s1r():process.platform==="win32"?o1r():null}t(mue,"readClipboardImage");function a1r(){let a=TOe(),s=`set pngData to (the clipboard as \xABclass PNGf\xBB)
 set outFile to (open for access (POSIX file "${a}") with write permission)
 write pngData to outFile

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@burtson-labs/bandit-stealth-cli",
-  "version": "1.7.183",
+  "version": "1.7.184",
   "description": "Bandit — a local-first AI coding agent for your terminal. Same runtime as the Bandit Stealth VS Code / Cursor extension.",
   "keywords": [
     "ai",