@calliopelabs/cli 0.8.20 → 2.0.2

package/dist/tools.js

@@ -7,10 +7,13 @@ import { spawn } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as sandbox from './sandbox.js';
-import { getAgtermTools, isAgtermTool, executeAgtermTool } from './agterm/index.js';
-import { validatePath as scopeValidatePath } from './scope.js';
+import * as nativeSandbox from './sandbox-native.js';
+import { getAgtermTools, isAgtermTool, executeAgtermTool } from './agents/index.js';
+import { validatePath as scopeValidatePath, isInScope } from './scope.js';
 import { getPluginTools, isPluginTool, executePluginTool } from './plugins.js';
 import config from './config.js';
+import { applySkin, applyPalette, listSkins, listPalettes } from './hud/api.js';
+import { listCompanions } from './companions.js';
 /**
  * Available tools for the agent
  */
@@ -92,6 +95,52 @@ export const TOOLS = [
             required: ['thought'],
         },
     },
+    {
+        name: 'ask_question',
+        description: 'Ask the user a clarifying question. Use in plan mode to gather requirements before finalizing a plan. Can present multiple choice options or ask freeform questions.',
+        parameters: {
+            type: 'object',
+            properties: {
+                question: {
+                    type: 'string',
+                    description: 'The question to ask the user',
+                },
+                options: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'Optional list of choices. If provided, displayed as numbered options. Omit for freeform questions.',
+                },
+                context: {
+                    type: 'string',
+                    description: 'Optional context explaining why this question matters for the plan',
+                },
+            },
+            required: ['question'],
+        },
+    },
+    {
+        name: 'create_plan',
+        description: 'Create a structured execution plan for a complex task. Use this when a task requires multiple steps. The plan will be shown to the user for approval before execution begins. Available in all modes including plan mode.',
+        parameters: {
+            type: 'object',
+            properties: {
+                title: {
+                    type: 'string',
+                    description: 'Brief title for the plan',
+                },
+                steps: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'Ordered list of steps to execute',
+                },
+                reasoning: {
+                    type: 'string',
+                    description: 'Brief explanation of the approach',
+                },
+            },
+            required: ['title', 'steps'],
+        },
+    },
     {
         name: 'execute_code',
         description: 'Execute code in a sandboxed environment. Supports Python, Node.js, and shell scripts.',
@@ -148,6 +197,63 @@ export const TOOLS = [
             required: ['operation'],
         },
     },
+    {
+        name: 'configure',
+        description: `Read, set, or list Calliope configuration options. Use this when the user asks to change settings, switch themes, providers, models, companions, or any preference through natural conversation. Always use action "list" first if you need to show available options.
+
+CONFIGURABLE SETTINGS:
+- defaultProvider: AI provider (anthropic, google, openai, together, openrouter, groq, fireworks, mistral, ollama, ai21, huggingface, litellm, bedrock, auto)
+- defaultModel: Model name string (provider-specific, e.g. "claude-sonnet-4-20250514", "gemini-2.0-flash", "gpt-4o")
+- persona: Agent persona style (calliope, muse, minimal)
+- maxIterations: Max agent loop iterations (0 = unlimited)
+- maxIterationTime: Max seconds per iteration (0 = no limit, default: 600)
+- fancyOutput: Enable rich formatting (true/false)
+- autoSaveHistory: Auto-save session history (true/false)
+- autoUpgrade: Check for updates on startup (true/false)
+- collapseTools: Auto-collapse tool output (true/false)
+- collapseThinking: Auto-collapse think blocks (true/false)
+- toolDisplayLimit: Show last N tools expanded (0 = all)
+- layout: UI layout (classic, response-top, response-bottom, split, zen, focus, dashboard, minimal)
+- density: Display density (normal, compact)
+- activeSkin: Terminal skin/theme name (use action "list" category "skins" to see options)
+- activePalette: Color palette name (use action "list" category "palettes" to see options)
+- activeCompanion: AI companion personality (use action "list" category "companions" to see options)
+- companionIntensity: Companion personality level (professional, immersive)
+- useEmojis: Show emojis in UI (true/false)
+- diffStyle: Diff display format (inline, unified, side-by-side)
+- borderStyle: UI border style (rounded, sharp, double, ascii, none)
+- bannerStyle: Startup banner (full, compact, none)
+- circuitBreakersEnabled: Safety circuit breakers (true/false)
+- sandboxMode: Code execution sandbox (auto, native, docker, off)
+- smartRoutingEnabled: Dynamic model routing (true/false)
+- smartRoutingCostSensitivity: Cost vs quality (0-1, 0=best quality, 1=cheapest)
+- recordSessions: Record session audit logs (true/false)
+- recordingRetentionDays: Auto-delete old recordings after N days (0 = keep forever)`,
+        parameters: {
+            type: 'object',
+            properties: {
+                action: {
+                    type: 'string',
+                    description: 'Action to perform: "get" reads a setting, "set" changes a setting, "list" shows available options for a category',
+                    enum: ['get', 'set', 'list'],
+                },
+                key: {
+                    type: 'string',
+                    description: 'Config key name (for get/set actions)',
+                },
+                value: {
+                    type: 'string',
+                    description: 'New value to set (for set action). Use "true"/"false" for booleans, numbers as strings.',
+                },
+                category: {
+                    type: 'string',
+                    description: 'Category to list options for (for list action): skins, palettes, companions, providers, layouts, all',
+                    enum: ['skins', 'palettes', 'companions', 'providers', 'layouts', 'all'],
+                },
+            },
+            required: ['action'],
+        },
+    },
     {
         name: 'mermaid',
         description: 'Generate a Mermaid diagram. The output can be rendered as a visual graph.',
@@ -174,11 +280,11 @@ export const TOOLS = [
 ];
 /**
  * Get all available tools
- * Includes agterm tools when agtermEnabled is true
+ * Includes agent tools when agentEnabled is true
  */
-export function getTools(agtermEnabled = false) {
+export function getTools(agentEnabled = false) {
     const pluginTools = getPluginTools();
-    if (agtermEnabled) {
+    if (agentEnabled) {
         return [...TOOLS, ...getAgtermTools(), ...pluginTools];
     }
     return [...TOOLS, ...pluginTools];
@@ -187,30 +293,28 @@ export function getTools(agtermEnabled = false) {
  * Validate path is within allowed directory (prevent path traversal)
  */
 function validatePath(filePath, cwd) {
-    // Primary validation via scope manager
-    const validated = scopeValidatePath(filePath, cwd);
-    // Secondary validation: ensure path doesn't escape allowed directories
-    const resolved = path.resolve(cwd, validated);
-    const normalizedCwd = path.resolve(cwd);
-    // Check for path traversal attempts
-    if (validated.includes('..')) {
-        // Ensure the resolved path is still within cwd or an allowed scope
-        if (!resolved.startsWith(normalizedCwd) && !resolved.startsWith('/tmp')) {
+    // Check raw input for null bytes before any resolution (path injection attack)
+    if (filePath.includes('\0')) {
+        throw new Error(`Invalid path: contains null bytes`);
+    }
+    // Check raw input for path traversal attempts before resolution
+    if (filePath.includes('..')) {
+        const resolved = path.resolve(cwd, filePath);
+        const normalizedCwd = path.resolve(cwd);
+        if (!resolved.startsWith(normalizedCwd + path.sep) && resolved !== normalizedCwd && !resolved.startsWith('/tmp/') && resolved !== '/tmp') {
             throw new Error(`Path traversal detected: ${filePath} resolves outside allowed scope`);
         }
     }
-    // Check for null bytes (path injection attack)
-    if (validated.includes('\0')) {
-        throw new Error(`Invalid path: contains null bytes`);
-    }
+    // Primary validation via scope manager
+    const validated = scopeValidatePath(filePath, cwd);
     return validated;
 }
 /**
  * Execute a tool call
  */
-export async function executeTool(toolCall, cwd, timeout = 60000) {
+export async function executeTool(toolCall, cwd, timeout = 60000, onOutput) {
     const { id, name, arguments: args } = toolCall;
-    // Handle agterm tools
+    // Handle agent tools
     if (isAgtermTool(name)) {
         return executeAgtermTool(toolCall, cwd);
     }
@@ -225,7 +329,7 @@ export async function executeTool(toolCall, cwd, timeout = 60000) {
                 if (typeof args.command !== 'string') {
                     return { toolCallId: id, result: 'Error: command must be a string', isError: true };
                 }
-                result = await executeShell(args.command, cwd, timeout);
+                result = await executeShell(args.command, cwd, timeout, onOutput);
                 break;
             }
             case 'read_file': {
@@ -258,6 +362,39 @@ export async function executeTool(toolCall, cwd, timeout = 60000) {
                 result = 'Thought recorded.';
                 break;
             }
+            case 'ask_question': {
+                if (typeof args.question !== 'string') {
+                    return { toolCallId: id, result: 'Error: question must be a string', isError: true };
+                }
+                // The actual question display is handled by the UI layer (agent.ts)
+                // This just returns a placeholder that gets replaced with the user's answer
+                const options = Array.isArray(args.options) ? args.options : undefined;
+                const contextNote = typeof args.context === 'string' ? args.context : undefined;
+                let questionDisplay = args.question;
+                if (contextNote)
+                    questionDisplay += `\n  Context: ${contextNote}`;
+                if (options)
+                    questionDisplay += '\n' + options.map((o, i) => `  ${i + 1}. ${o}`).join('\n');
+                result = `QUESTION:${questionDisplay}`;
+                break;
+            }
+            case 'create_plan': {
+                if (typeof args.title !== 'string') {
+                    return { toolCallId: id, result: 'Error: title must be a string', isError: true };
+                }
+                if (!Array.isArray(args.steps) || args.steps.length === 0) {
+                    return { toolCallId: id, result: 'Error: steps must be a non-empty array of strings', isError: true };
+                }
+                const planTitle = args.title;
+                const planSteps = args.steps;
+                const planReasoning = typeof args.reasoning === 'string' ? args.reasoning : undefined;
+                let planDisplay = `PLAN:${planTitle}\n`;
+                if (planReasoning)
+                    planDisplay += `Approach: ${planReasoning}\n`;
+                planDisplay += '\n' + planSteps.map((s, i) => `  ${i + 1}. [ ] ${s}`).join('\n');
+                result = planDisplay;
+                break;
+            }
             case 'execute_code': {
                 if (typeof args.language !== 'string' || !['python', 'node', 'bash'].includes(args.language)) {
                     return { toolCallId: id, result: 'Error: language must be python, node, or bash', isError: true };
@@ -286,6 +423,134 @@ export async function executeTool(toolCall, cwd, timeout = 60000) {
                 result = await executeGit(args.operation, gitArgs, cwd);
                 break;
             }
+            case 'configure': {
+                const action = args.action;
+                if (!action || !['get', 'set', 'list'].includes(action)) {
+                    return { toolCallId: id, result: 'Error: action must be "get", "set", or "list"', isError: true };
+                }
+                if (action === 'list') {
+                    const category = args.category || 'all';
+                    const sections = [];
+                    if (category === 'skins' || category === 'all') {
+                        const skins = listSkins();
+                        const current = config.get('activeSkin');
+                        sections.push('SKINS (activeSkin):\n' + skins.map(s => `  ${s.name === current ? '→ ' : '  '}${s.name} - ${s.description}`).join('\n'));
+                    }
+                    if (category === 'palettes' || category === 'all') {
+                        const palettes = listPalettes();
+                        const current = config.get('activePalette');
+                        sections.push('PALETTES (activePalette):\n' + palettes.map(p => `  ${p.name === current ? '→ ' : '  '}${p.name} - ${p.description}`).join('\n'));
+                    }
+                    if (category === 'companions' || category === 'all') {
+                        const companions = listCompanions();
+                        const current = config.get('activeCompanion');
+                        sections.push('COMPANIONS (activeCompanion):\n' + companions.map(c => `  ${c.name === current ? '→ ' : '  '}${c.name} - ${c.description}`).join('\n'));
+                    }
+                    if (category === 'providers' || category === 'all') {
+                        const providers = ['anthropic', 'google', 'openai', 'together', 'openrouter', 'groq', 'fireworks', 'mistral', 'ollama', 'ai21', 'huggingface', 'litellm', 'bedrock', 'auto'];
+                        const current = config.get('defaultProvider');
+                        sections.push('PROVIDERS (defaultProvider):\n' + providers.map(p => `  ${p === current ? '→ ' : '  '}${p}`).join('\n'));
+                    }
+                    if (category === 'layouts' || category === 'all') {
+                        const layouts = ['classic', 'response-top', 'response-bottom', 'split', 'zen', 'focus', 'dashboard', 'minimal'];
+                        const current = config.get('layout');
+                        sections.push('LAYOUTS (layout):\n' + layouts.map(l => `  ${l === current ? '→ ' : '  '}${l}`).join('\n'));
+                    }
+                    if (category === 'all') {
+                        // Also show current key settings
+                        const currentSettings = [
+                            `density: ${config.get('density')}`,
+                            `companionIntensity: ${config.get('companionIntensity')}`,
+                            `useEmojis: ${config.get('useEmojis')}`,
+                            `diffStyle: ${config.get('diffStyle')}`,
+                            `borderStyle: ${config.get('borderStyle')}`,
+                            `bannerStyle: ${config.get('bannerStyle')}`,
+                            `sandboxMode: ${config.get('sandboxMode')}`,
+                            `smartRoutingEnabled: ${config.get('smartRoutingEnabled')}`,
+                            `defaultModel: ${config.get('defaultModel') || '(auto)'}`,
+                        ];
+                        sections.push('CURRENT SETTINGS:\n' + currentSettings.map(s => `  ${s}`).join('\n'));
+                    }
+                    result = sections.join('\n\n');
+                    break;
+                }
+                if (action === 'get') {
+                    const key = args.key;
+                    if (!key) {
+                        return { toolCallId: id, result: 'Error: key is required for get action', isError: true };
+                    }
+                    const val = config.get(key);
+                    result = `${key} = ${JSON.stringify(val)}`;
+                    break;
+                }
+                // action === 'set'
+                const key = args.key;
+                const rawValue = args.value;
+                if (!key) {
+                    return { toolCallId: id, result: 'Error: key is required for set action', isError: true };
+                }
+                if (rawValue === undefined || rawValue === null) {
+                    return { toolCallId: id, result: 'Error: value is required for set action', isError: true };
+                }
+                // Only allow setting safe keys through conversation (allowlist)
+                const SAFE_CONFIG_KEYS = new Set([
+                    'defaultProvider', 'defaultModel', 'persona', 'maxIterations', 'maxIterationTime',
+                    'fancyOutput', 'autoSaveHistory', 'autoUpgrade',
+                    'collapseTools', 'collapseThinking', 'toolDisplayLimit',
+                    'layout', 'density',
+                    'activeSkin', 'activePalette', 'activeCompanion', 'activeThemePack',
+                    'companionIntensity', 'useEmojis', 'diffStyle', 'borderStyle', 'bannerStyle',
+                    'circuitBreakersEnabled', 'sandboxMode',
+                    'smartRoutingEnabled', 'smartRoutingCostSensitivity',
+                    'recordSessions', 'recordingRetentionDays',
+                    'awsRegion', 'awsProfile',
+                ]);
+                if (!SAFE_CONFIG_KEYS.has(key)) {
+                    return { toolCallId: id, result: `Error: "${key}" cannot be set through conversation. Use /keys command, environment variables, or edit the config file directly.`, isError: true };
+                }
+                // Parse the value to the correct type
+                let parsedValue = rawValue;
+                if (rawValue === 'true')
+                    parsedValue = true;
+                else if (rawValue === 'false')
+                    parsedValue = false;
+                else if (/^\d+(\.\d+)?$/.test(rawValue))
+                    parsedValue = Number(rawValue);
+                try {
+                    // Special handling for HUD settings that need apply functions
+                    if (key === 'activeSkin') {
+                        const success = applySkin(rawValue);
+                        if (!success) {
+                            return { toolCallId: id, result: `Error: skin "${rawValue}" not found. Use action "list" category "skins" to see available skins.`, isError: true };
+                        }
+                        result = `Skin changed to "${rawValue}"`;
+                        break;
+                    }
+                    if (key === 'activePalette') {
+                        const success = applyPalette(rawValue);
+                        if (!success) {
+                            return { toolCallId: id, result: `Error: palette "${rawValue}" not found. Use action "list" category "palettes" to see available palettes.`, isError: true };
+                        }
+                        result = `Palette changed to "${rawValue}"`;
+                        break;
+                    }
+                    if (key === 'activeCompanion') {
+                        if (!listCompanions().some(c => c.name === rawValue)) {
+                            return { toolCallId: id, result: `Error: companion "${rawValue}" not found. Use action "list" category "companions" to see available companions.`, isError: true };
+                        }
+                        config.set('activeCompanion', rawValue);
+                        result = `Companion changed to "${rawValue}"`;
+                        break;
+                    }
+                    // Generic config set
+                    config.set(key, parsedValue);
+                    result = `Set ${key} = ${JSON.stringify(parsedValue)}`;
+                }
+                catch (err) {
+                    return { toolCallId: id, result: `Error setting ${key}: ${err instanceof Error ? err.message : String(err)}`, isError: true };
+                }
+                break;
+            }
             case 'mermaid': {
                 const diagramType = typeof args.type === 'string' ? args.type : 'flowchart';
                 if (typeof args.content !== 'string') {
@@ -298,17 +563,207 @@ export async function executeTool(toolCall, cwd, timeout = 60000) {
             default:
                 return { toolCallId: id, result: `Unknown tool: ${name}`, isError: true };
         }
-        return { toolCallId: id, result };
+        // Generate human-friendly display summary for large results (#25)
+        const lines = result.split('\n');
+        let displayResult;
+        if (lines.length > 10) {
+            const preview = lines.slice(0, 5).join('\n');
+            displayResult = `${preview}\n... (${lines.length - 5} more lines)`;
+        }
+        return { toolCallId: id, result, displayResult };
     }
     catch (error) {
         const msg = error instanceof Error ? error.message : String(error);
         return { toolCallId: id, result: `Error: ${msg}`, isError: true };
     }
 }
+/**
+ * Commands that are blocked outright (not just flagged as risky).
+ * These are destructive system-level commands that should never be run by an agent.
+ *
+ * Patterns are tested against the normalized command (see normalizeCommand())
+ * to defeat common bypass techniques like quoting, env prefixes, and subshells.
+ */
+const BLOCKED_COMMANDS = [
+    /^sudo\s/,
+    /^su\s/,
+    /^rm\s+-rf\s+\//, // rm -rf /
+    /^rm\s+-fr\s+\//,
+    /^rm\s+-rf\s+~/, // rm -rf ~
+    /^rm\s+-fr\s+~/,
+    /^dd\s+.*of=\/dev\//, // dd to block devices
+    /^mkfs/,
+    /^fdisk/,
+    /^parted/,
+    /^format/,
+    />\s*\/dev\//, // redirect to devices
+    /^chmod\s+-R\s+777/,
+    /^curl.*\|\s*(sh|bash)/, // pipe to shell
+    /^wget.*\|\s*(sh|bash)/,
+    /\|\s*sh(\s|;|$)/, // pipe to sh (anywhere, not just end)
+    /\|\s*bash(\s|;|$)/, // pipe to bash (anywhere, not just end)
+    /\|\s*zsh(\s|;|$)/, // pipe to zsh
+    /bash\s+<\(/, // process substitution: bash <(...)
+    /sh\s+<\(/, // process substitution: sh <(...)
+    /zsh\s+<\(/, // process substitution: zsh <(...)
+];
+/**
+ * Normalize a shell command to defeat common blocklist bypass techniques (#60).
+ *
+ * Handles:
+ * - Leading env-var assignments: \`VAR=1 sudo ...\` -> \`sudo ...\`
+ * - Subshell wrapping: \`(sudo rm ...)\` -> \`sudo rm ...\`
+ * - Quote insertion: \`'su'do\` or \`"su"do\` -> \`sudo\`
+ * - Backslash escaping: \`su\do\` -> \`sudo\`
+ *
+ * The result is used only for blocklist matching; the original command is still
+ * passed to the shell for execution.
+ */
+function normalizeCommand(command) {
+    let cmd = command.trim();
+    // Strip leading subshell / group wrappers: ( ... ), { ... }
+    while ((cmd.startsWith('(') && cmd.endsWith(')')) ||
+        (cmd.startsWith('{') && cmd.endsWith('}'))) {
+        cmd = cmd.slice(1, -1).trim();
+    }
+    // Strip leading env-var assignments: FOO=bar BAZ="qux" command ...
+    cmd = cmd.replace(/^(\s*[A-Za-z_][A-Za-z0-9_]*=\S*\s+)+/, '');
+    // Remove inserted quotes that break up words: 'su'do -> sudo, "su"do -> sudo
+    cmd = cmd.replace(/['"]/g, '');
+    // Remove backslash escapes: su\do -> sudo
+    cmd = cmd.replace(/\\(.)/g, '$1');
+    return cmd.trim();
+}
+/**
+ * Check a command (and all sub-commands separated by ; or &&/||) against
+ * the blocklist. Returns the matching pattern source string, or null if allowed.
+ */
+function matchesBlocklist(command) {
+    // Split on command separators to check each sub-command
+    const subCommands = command.split(/\s*(?:;|&&|\|\|)\s*/);
+    for (const sub of subCommands) {
+        const normalized = normalizeCommand(sub);
+        for (const pattern of BLOCKED_COMMANDS) {
+            if (pattern.test(normalized)) {
+                return pattern.source;
+            }
+        }
+    }
+    // Also test the full normalized command (for patterns that span separators, like pipes)
+    const fullNormalized = normalizeCommand(command);
+    for (const pattern of BLOCKED_COMMANDS) {
+        if (pattern.test(fullNormalized)) {
+            return pattern.source;
+        }
+    }
+    return null;
+}
+/**
+ * Extract file paths from a shell command for scope validation (#63).
+ *
+ * Looks for common file-access commands (cat, cp, mv, head, tail, etc.) and
+ * extracts the path arguments. Only absolute paths and paths starting with ~/
+ * are extracted, since relative paths are within the cwd which is already in scope.
+ *
+ * Returns an array of extracted paths (may be empty).
+ */
+function extractFilePathsFromCommand(command) {
+    const paths = [];
+    // Commands that read or write files, followed by path arguments
+    const fileCommands = [
+        'cat', 'head', 'tail', 'less', 'more', 'cp', 'mv', 'rm',
+        'tee', 'touch', 'chmod', 'chown', 'ln', 'readlink',
+        'source', '\\.',
+    ];
+    const cmdPattern = new RegExp('(?:^|[;&|]\\s*)(?:' + fileCommands.join('|') + ')\\s+' +
+        '(?:-[^\\s]*\\s+)*' +
+        '((?:\\/|~\\/)[^\\s;|&>]+)', 'g');
+    let match;
+    while ((match = cmdPattern.exec(command)) !== null) {
+        let p = match[1];
+        if (p.startsWith('~/')) {
+            p = path.join(process.env.HOME || '/tmp', p.slice(2));
+        }
+        p = p.replace(/['"]+$/, '');
+        paths.push(p);
+    }
+    // Also catch redirection targets: > /path, >> /path
+    const redirectPattern = />{1,2}\s*((?:\/|~\/)[^\s;|&]+)/g;
+    while ((match = redirectPattern.exec(command)) !== null) {
+        let p = match[1];
+        if (p.startsWith('~/')) {
+            p = path.join(process.env.HOME || '/tmp', p.slice(2));
+        }
+        p = p.replace(/['"]+$/, '');
+        paths.push(p);
+    }
+    return paths;
+}
+/**
+ * Validate that a shell command does not access files outside scope (#63).
+ * Returns an error message if a path violation is found, or null if ok.
+ */
+function validateShellPaths(command, cwd) {
+    const extractedPaths = extractFilePathsFromCommand(command);
+    for (const p of extractedPaths) {
+        const allowed = isInScope(p, cwd);
+        if (!allowed) {
+            return 'Shell command blocked: "' + p + '" is outside allowed scope. Use /add-dir to expand scope.';
+        }
+    }
+    return null;
+}
+/**
+ * Determine whether to use native sandboxing for shell commands based on config.
+ *
+ * sandboxMode values:
+ *  - 'auto':   use native sandbox when available, otherwise run unsandboxed
+ *  - 'native': require native sandbox (fail if unavailable)
+ *  - 'docker': defer to Docker sandbox (handled elsewhere)
+ *  - 'off':    no sandboxing
+ */
+function shouldUseNativeSandbox() {
+    const mode = config.get('sandboxMode') || 'auto';
+    if (mode === 'off' || mode === 'docker')
+        return 'skip';
+    if (mode === 'native')
+        return 'require';
+    // 'auto': use if available
+    return nativeSandbox.isNativeSandboxAvailable() ? 'use' : 'skip';
+}
 /**
  * Execute a shell command
  */
-async function executeShell(command, cwd, timeout) {
+async function executeShell(command, cwd, timeout, onOutput) {
+    // Check against blocked command patterns using normalized matching (#60)
+    const blocked = matchesBlocklist(command);
+    if (blocked) {
+        return `Error: Command blocked for safety. Pattern "${blocked}" is not allowed.`;
+    }
+    // Check file paths in shell commands against scope (#63)
+    const scopeError = validateShellPaths(command, cwd);
+    if (scopeError) {
+        return `Error: ${scopeError}`;
+    }
+    // Check if native sandbox should be used
+    const sandboxDecision = shouldUseNativeSandbox();
+    if (sandboxDecision === 'require' && !nativeSandbox.isNativeSandboxAvailable()) {
+        return 'Error: Native sandbox required (sandboxMode=native) but not available on this platform.';
+    }
+    if (sandboxDecision === 'use' || sandboxDecision === 'require') {
+        const result = await nativeSandbox.executeInNativeSandbox(command, cwd, {
+            timeout,
+            networkEnabled: true,
+        });
+        // Shell tool output is transparent — same format as unsandboxed execution
+        let output = result.stdout + (result.stderr ? `\nstderr: ${result.stderr}` : '');
+        if (result.exitCode !== 0) {
+            return `Exit code ${result.exitCode}\n${output}`;
+        }
+        return output || '(no output)';
+    }
+    // Fallback: unsandboxed execution
+    const MAX_OUTPUT_SIZE = 50000; // 50K chars max output
     return new Promise((resolve, reject) => {
         const proc = spawn('bash', ['-c', command], {
             cwd,
@@ -317,11 +772,30 @@ async function executeShell(command, cwd, timeout) {
         });
         let stdout = '';
         let stderr = '';
+        let truncated = false;
         proc.stdout.on('data', (data) => {
-            stdout += data.toString();
+            const chunk = data.toString();
+            if (onOutput)
+                onOutput(chunk);
+            if (!truncated) {
+                stdout += chunk;
+                if (stdout.length > MAX_OUTPUT_SIZE) {
+                    stdout = stdout.slice(0, MAX_OUTPUT_SIZE);
+                    truncated = true;
+                }
+            }
         });
         proc.stderr.on('data', (data) => {
-            stderr += data.toString();
+            const chunk = data.toString();
+            if (onOutput)
+                onOutput(chunk);
+            if (!truncated) {
+                stderr += chunk;
+                if (stderr.length > MAX_OUTPUT_SIZE) {
+                    stderr = stderr.slice(0, MAX_OUTPUT_SIZE);
+                    truncated = true;
+                }
+            }
         });
         const timer = setTimeout(() => {
             proc.kill('SIGTERM');
@@ -329,7 +803,10 @@ async function executeShell(command, cwd, timeout) {
         }, timeout);
         proc.on('close', (code) => {
             clearTimeout(timer);
-            const output = stdout + (stderr ? `\nstderr: ${stderr}` : '');
+            let output = stdout + (stderr ? `\nstderr: ${stderr}` : '');
+            if (truncated) {
+                output += '\n\n[Output truncated at 50K chars. Use head/tail/grep to filter.]';
+            }
             if (code !== 0) {
                 resolve(`Exit code ${code}\n${output}`);
             }
@@ -446,6 +923,16 @@ async function writeFile(filePath, content, cwd) {
             // Ignore errors reading old content
         }
     }
+    // Auto-checkpoint before overwriting existing files (#20)
+    if (!isNewFile && oldContent) {
+        try {
+            const { createCheckpoint } = require('./checkpoint.js');
+            createCheckpoint(absPath, oldContent);
+        }
+        catch {
+            // Checkpoint module not available or failed - continue with write
+        }
+    }
     fs.writeFileSync(absPath, content);
     // Generate diff output
     if (isNewFile) {
@@ -519,29 +1006,84 @@ function listFilesRecursive(dir, prefix, depth) {
     return lines.join('\n');
 }
 /**
- * Execute code in a sandboxed environment
+ * Execute code in a sandboxed environment.
+ *
+ * Sandbox selection order based on sandboxMode config:
+ *  - 'docker': Docker only (existing behaviour)
+ *  - 'native': native OS sandbox only
+ *  - 'auto':   Docker first, then native sandbox, then unsandboxed
+ *  - 'off':    no sandboxing
  */
 async function executeCode(language, code, cwd, timeout) {
-    // Map language names to sandbox language types
+    const mode = config.get('sandboxMode') || 'auto';
     const sandboxLang = language === 'node' ? 'node' : language;
-    // Try sandboxed execution first (using Docker if available)
-    const result = await sandbox.execute(sandboxLang, code, {
-        timeout,
-        mountWorkdir: true,
-        readOnly: false,
-    });
-    const sandboxIndicator = result.sandboxed ? '🔒 [sandboxed]' : '⚠️ [unsandboxed]';
-    const statusIndicator = result.success ? '✓' : '✗';
-    let output = `${sandboxIndicator} ${statusIndicator} [${language}]\n`;
-    if (result.stdout) {
-        output += `Output:\n${result.stdout}\n`;
+    // Determine execution strategy
+    const useDocker = mode === 'docker' || (mode === 'auto' && sandbox.isDockerAvailable());
+    const useNative = mode === 'native' || (mode === 'auto' && !sandbox.isDockerAvailable() && nativeSandbox.isNativeSandboxAvailable());
+    if (useDocker) {
+        // Docker sandbox path (existing behaviour)
+        const result = await sandbox.execute(sandboxLang, code, {
+            timeout,
+            mountWorkdir: true,
+            readOnly: true,
+        }, cwd);
+        const sandboxIndicator = result.sandboxed ? '[sandboxed:docker]' : '[unsandboxed]';
+        const statusIndicator = result.success ? 'ok' : 'err';
+        let output = `${sandboxIndicator} ${statusIndicator} [${language}]\n`;
+        if (result.stdout)
+            output += `Output:\n${result.stdout}\n`;
+        if (result.stderr)
+            output += `Errors:\n${result.stderr}\n`;
+        if (!result.success && !result.stdout && !result.stderr)
+            output += `Exit code: ${result.exitCode}\n`;
+        output += `Duration: ${result.duration}ms`;
+        return output;
     }
-    if (result.stderr) {
-        output += `Errors:\n${result.stderr}\n`;
+    if (useNative) {
+        // Native OS sandbox path — write code to temp file and execute
+        const fs = await import('fs');
+        const os = await import('os');
+        const pathMod = await import('path');
+        const tempDir = fs.mkdtempSync(pathMod.join(os.tmpdir(), 'calliope-native-'));
+        const ext = language === 'python' ? 'py' : language === 'node' ? 'js' : 'sh';
+        const codePath = pathMod.join(tempDir, `code.${ext}`);
+        fs.writeFileSync(codePath, code);
+        const cmd = language === 'python' ? `python3 "${codePath}"`
+            : language === 'node' ? `node "${codePath}"`
+                : `bash "${codePath}"`;
+        const startTime = Date.now();
+        const result = await nativeSandbox.executeInNativeSandbox(cmd, cwd, {
+            timeout,
+            readOnlyPaths: [tempDir],
+        });
+        // Cleanup temp
+        try {
+            fs.rmSync(tempDir, { recursive: true });
+        }
+        catch { /* ignore */ }
+        const duration = Date.now() - startTime;
+        const sandboxIndicator = result.sandboxed ? `[sandboxed:${result.backend}]` : '[unsandboxed]';
+        const statusIndicator = result.exitCode === 0 ? 'ok' : 'err';
+        let output = `${sandboxIndicator} ${statusIndicator} [${language}]\n`;
+        if (result.stdout)
+            output += `Output:\n${result.stdout}\n`;
+        if (result.stderr)
+            output += `Errors:\n${result.stderr}\n`;
+        if (result.exitCode !== 0 && !result.stdout && !result.stderr)
+            output += `Exit code: ${result.exitCode}\n`;
+        output += `Duration: ${duration}ms`;
+        return output;
     }
-    if (!result.success && !result.stdout && !result.stderr) {
+    // Unsandboxed fallback (mode === 'off' or nothing available)
+    const result = await sandbox.executeUnsafe(sandboxLang, code, timeout);
+    const statusIndicator = result.success ? 'ok' : 'err';
+    let output = `[unsandboxed] ${statusIndicator} [${language}]\n`;
+    if (result.stdout)
+        output += `Output:\n${result.stdout}\n`;
+    if (result.stderr)
+        output += `Errors:\n${result.stderr}\n`;
+    if (!result.success && !result.stdout && !result.stderr)
         output += `Exit code: ${result.exitCode}\n`;
-    }
     output += `Duration: ${result.duration}ms`;
     return output;
 }
@@ -610,8 +1152,8 @@ async function executeGit(operation, args, cwd) {
     if (!allowedOps.includes(operation)) {
         return `Error: Unknown git operation: ${operation}. Allowed: ${allowedOps.join(', ')}`;
     }
-    // Sanitize args to prevent command injection
-    const safeArgs = args.replace(/[;&|`$]/g, '');
+    // Sanitize args to prevent command injection via shell metacharacters
+    const safeArgs = args.replace(/[;&|`$(){}!#\n\r]/g, '');
     let command;
     switch (operation) {
         case 'status':