@cardor/agent-harness-kit 1.5.2 → 1.6.2

package/dist/cli.js

@@ -67,7 +67,7 @@ function mergeClaudeSettingsJson(filePath) {
   };
   writeFileSync2(filePath, JSON.stringify(merged, null, 2) + "\n", "utf8");
 }
-var MCP_CLAUDE_PERMISSIONS = [
+var MCP_CLAUDE_PERMISSIONS_LEAD = [
   "mcp__agent-harness-kit__actions_start",
   "mcp__agent-harness-kit__actions_write",
   "mcp__agent-harness-kit__actions_complete",
@@ -76,14 +76,69 @@ var MCP_CLAUDE_PERMISSIONS = [
   "mcp__agent-harness-kit__actions_record_tool",
   "mcp__agent-harness-kit__tasks_get",
   "mcp__agent-harness-kit__tasks_claim",
+  "mcp__agent-harness-kit__tasks_add",
   "mcp__agent-harness-kit__tasks_update",
+  "mcp__agent-harness-kit__tasks_edit",
+  "mcp__agent-harness-kit__tasks_archive",
+  "mcp__agent-harness-kit__tasks_unarchive",
+  "mcp__agent-harness-kit__tasks_acceptance_get",
+  "mcp__agent-harness-kit__docs_search"
+];
+var MCP_CLAUDE_PERMISSIONS_EXPLORER = [
+  "mcp__agent-harness-kit__actions_start",
+  "mcp__agent-harness-kit__actions_write",
+  "mcp__agent-harness-kit__actions_complete",
+  "mcp__agent-harness-kit__actions_get",
+  "mcp__agent-harness-kit__actions_record_file",
+  "mcp__agent-harness-kit__actions_record_tool",
+  "mcp__agent-harness-kit__tasks_get",
+  "mcp__agent-harness-kit__tasks_claim",
+  "mcp__agent-harness-kit__tasks_acceptance_get",
+  "mcp__agent-harness-kit__docs_search"
+];
+var MCP_CLAUDE_PERMISSIONS_BUILDER = [
+  "mcp__agent-harness-kit__actions_start",
+  "mcp__agent-harness-kit__actions_write",
+  "mcp__agent-harness-kit__actions_complete",
+  "mcp__agent-harness-kit__actions_get",
+  "mcp__agent-harness-kit__actions_record_file",
+  "mcp__agent-harness-kit__actions_record_tool",
+  "mcp__agent-harness-kit__tasks_get",
+  "mcp__agent-harness-kit__tasks_claim",
   "mcp__agent-harness-kit__tasks_add",
-  "mcp__agent-harness-kit__tasks_acceptance_update",
+  "mcp__agent-harness-kit__tasks_update",
+  "mcp__agent-harness-kit__tasks_edit",
+  "mcp__agent-harness-kit__tasks_archive",
+  "mcp__agent-harness-kit__tasks_unarchive",
+  "mcp__agent-harness-kit__tasks_acceptance_get",
+  "mcp__agent-harness-kit__docs_search"
+];
+var MCP_CLAUDE_PERMISSIONS_REVIEWER = [
+  "mcp__agent-harness-kit__actions_start",
+  "mcp__agent-harness-kit__actions_write",
+  "mcp__agent-harness-kit__actions_complete",
+  "mcp__agent-harness-kit__actions_get",
+  "mcp__agent-harness-kit__actions_record_file",
+  "mcp__agent-harness-kit__actions_record_tool",
+  "mcp__agent-harness-kit__tasks_get",
+  "mcp__agent-harness-kit__tasks_claim",
+  "mcp__agent-harness-kit__tasks_add",
+  "mcp__agent-harness-kit__tasks_update",
   "mcp__agent-harness-kit__tasks_edit",
   "mcp__agent-harness-kit__tasks_archive",
   "mcp__agent-harness-kit__tasks_unarchive",
+  "mcp__agent-harness-kit__tasks_acceptance_update",
+  "mcp__agent-harness-kit__tasks_acceptance_get",
   "mcp__agent-harness-kit__docs_search"
 ];
+var MCP_CLAUDE_PERMISSIONS = [
+  .../* @__PURE__ */ new Set([
+    ...MCP_CLAUDE_PERMISSIONS_LEAD,
+    ...MCP_CLAUDE_PERMISSIONS_EXPLORER,
+    ...MCP_CLAUDE_PERMISSIONS_BUILDER,
+    ...MCP_CLAUDE_PERMISSIONS_REVIEWER
+  ])
+];
 function mergeClaudeSettingsLocalJson(filePath) {
   mkdirSync2(dirname(filePath), { recursive: true });
   let existing = {};
@@ -491,8 +546,15 @@ function agentReviewerToml(vars) {
   const { description, body } = stripFrontmatter(loadAgentTemplate("reviewer", vars));
   return toCodexToml("reviewer", description, body, "read-only");
 }
-function translateFrontmatterForClaudeCode(md, _agentName) {
-  const mcpLines = MCP_CLAUDE_PERMISSIONS.map((t) => `  - ${t}`).join("\n");
+function translateFrontmatterForClaudeCode(md, agentName) {
+  const permissionsMap = {
+    lead: MCP_CLAUDE_PERMISSIONS_LEAD,
+    explorer: MCP_CLAUDE_PERMISSIONS_EXPLORER,
+    builder: MCP_CLAUDE_PERMISSIONS_BUILDER,
+    reviewer: MCP_CLAUDE_PERMISSIONS_REVIEWER
+  };
+  const permissions = permissionsMap[agentName] ?? MCP_CLAUDE_PERMISSIONS;
+  const mcpLines = permissions.map((t) => `  - ${t}`).join("\n");
   return md.replace(/(tools:\n(?:  - (?!mcp__)[^\n]+\n)+)/, (match) => {
     const trimmed = match.trimEnd();
     return `${trimmed}
@@ -527,6 +589,32 @@ function appendGitignore(cwd2) {
 function slugify(title) {
   return title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
 }
+var AGENT_TOOLS = {
+  lead: MCP_CLAUDE_PERMISSIONS_LEAD,
+  explorer: MCP_CLAUDE_PERMISSIONS_EXPLORER,
+  builder: MCP_CLAUDE_PERMISSIONS_BUILDER,
+  reviewer: MCP_CLAUDE_PERMISSIONS_REVIEWER
+};
+async function syncAgentPermissions(cwd2) {
+  for (const [agent, tools] of Object.entries(AGENT_TOOLS)) {
+    const filePath = join3(cwd2, ".claude", "agents", `${agent}.md`);
+    if (!existsSync2(filePath)) {
+      console.log(`  ${agent}.md not found \u2014 skipping`);
+      continue;
+    }
+    const content = readFileSync3(filePath, "utf-8");
+    const toolsBlock = `tools:
+${tools.map((t) => `  - ${t}`).join("\n")}
+`;
+    const updated = content.replace(/tools:\n(?:  - [^\n]+\n)*/m, toolsBlock);
+    if (updated === content) {
+      console.log(`  ${agent}.md already in sync`);
+    } else {
+      writeFileSync3(filePath, updated, "utf-8");
+      console.log(`  ${agent}.md updated`);
+    }
+  }
+}
 
 // src/core/materializer/claude-code.ts
 var ClaudeCodeMaterializer = class {
@@ -727,6 +815,9 @@ function getMaterializer(provider) {
 // src/commands/build.ts
 async function runBuild(cwd2, opts) {
   await buildOnce(cwd2);
+  if (opts.sync) {
+    await syncAgentPermissions(cwd2);
+  }
   if (opts.watch) {
     p.log.info(`Watching agent-harness-kit.config.ts for changes...`);
     watch(cwd2, { recursive: false }, async (_, filename) => {
@@ -770,6 +861,30 @@ import { extname, join as join7 } from "path";
 import { serve } from "@hono/node-server";
 import { Hono } from "hono";
 import { WebSocketServer } from "ws";
+
+// src/core/port-utils.ts
+import { createServer } from "net";
+function isPortFree(port) {
+  return new Promise((resolve13) => {
+    const server = createServer();
+    server.once("error", () => resolve13(false));
+    server.once("listening", () => {
+      server.close(() => resolve13(true));
+    });
+    server.listen(port, "127.0.0.1");
+  });
+}
+async function findFreePort(start, maxAttempts = 10) {
+  for (let i = 0; i < maxAttempts; i++) {
+    const port = start + i;
+    if (await isPortFree(port)) return port;
+  }
+  throw new Error(
+    `Could not find a free port after ${maxAttempts} attempts (tried ${start}-${start + maxAttempts - 1}). Please free a port and try again.`
+  );
+}
+
+// src/core/dashboard-server.ts
 var MIME = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript; charset=utf-8",
@@ -790,7 +905,7 @@ function fileResponse(filePath) {
     headers: { "Content-Type": mime, "Cache-Control": "no-cache" }
   });
 }
-function startDashboardServer(db, dbPath, staticPath, port) {
+async function startDashboardServer(db, dbPath, staticPath, port) {
   const app = new Hono();
   const { tasks, actions, stats } = db;
   app.use("/api/*", async (c, next) => {
@@ -832,7 +947,10 @@ function startDashboardServer(db, dbPath, staticPath, port) {
     if (body.description !== void 0) updateParams.description = body.description;
     await db.updateTask(id, updateParams);
     if (body.acceptance !== void 0 && Array.isArray(body.acceptance)) {
-      await db.updateTaskAcceptance(id, body.acceptance.map((a) => a.trim()).filter(Boolean));
+      await db.updateTaskAcceptance(
+        id,
+        body.acceptance.map((a) => a.trim()).filter(Boolean)
+      );
     }
     const updated = await tasks.getById(id);
     const acceptance = await tasks.getAcceptance(id);
@@ -897,7 +1015,11 @@ function startDashboardServer(db, dbPath, staticPath, port) {
     }
     return fileResponse(join7(staticPath, "index.html"));
   });
-  const httpServer = serve({ fetch: app.fetch, port });
+  const resolvedPort = await findFreePort(port);
+  if (resolvedPort !== port) {
+    console.log(`Port ${port} in use, using ${resolvedPort}`);
+  }
+  const httpServer = serve({ fetch: app.fetch, port: resolvedPort });
   const wss = new WebSocketServer({ noServer: true });
   httpServer.on("upgrade", (req, socket, head) => {
     if (req.url === "/ws") {
@@ -926,7 +1048,7 @@ function startDashboardServer(db, dbPath, staticPath, port) {
     watcher = watch2(watchTarget, broadcast);
   }
   return {
-    url: `http://localhost:${port}`,
+    url: `http://localhost:${resolvedPort}`,
     close: () => {
       clearTimeout(debounce);
       watcher?.close();
@@ -1149,8 +1271,8 @@ var TaskRepository = class {
   async add(params) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     return this.driver.insert(
-      `INSERT INTO tasks (slug, title, description, status, created_at) VALUES (?, ?, ?, ?, ?)`,
-      [params.slug, params.title, params.description ?? null, params.status ?? "pending", now]
+      `INSERT INTO tasks (slug, title, description, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)`,
+      [params.slug, params.title, params.description ?? null, params.status ?? "pending", now, now]
     );
   }
   async addAcceptance(taskId, criteria) {
@@ -1175,7 +1297,7 @@ var TaskRepository = class {
     if (conditions.length > 0) {
       sql += ` WHERE ${conditions.join(" AND ")}`;
     }
-    sql += ` ORDER BY id`;
+    sql += ` ORDER BY CASE status WHEN 'pending' THEN 1 WHEN 'in_progress' THEN 2 WHEN 'blocked' THEN 3 WHEN 'done' THEN 4 ELSE 5 END, updated_at DESC`;
     return this.driver.query(sql, params);
   }
   async getAllWithAcceptanceCounts(includeArchived = false) {
@@ -1189,7 +1311,7 @@ var TaskRepository = class {
     if (!includeArchived) {
       sql += ` WHERE t.archived_at IS NULL`;
     }
-    sql += ` GROUP BY t.id ORDER BY t.id`;
+    sql += ` GROUP BY t.id ORDER BY CASE t.status WHEN 'pending' THEN 1 WHEN 'in_progress' THEN 2 WHEN 'blocked' THEN 3 WHEN 'done' THEN 4 ELSE 5 END, t.updated_at DESC`;
     return this.driver.query(sql);
   }
   async getById(id) {
@@ -1205,23 +1327,25 @@ var TaskRepository = class {
     );
   }
   async setStatus(id, status, extra) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
     if (extra?.started_at) {
       await this.driver.exec(
-        `UPDATE tasks SET status = ?, started_at = ? WHERE id = ?`,
-        [status, extra.started_at, id]
+        `UPDATE tasks SET status = ?, started_at = ?, updated_at = ? WHERE id = ?`,
+        [status, extra.started_at, now, id]
       );
     } else if (extra?.completed_at) {
       await this.driver.exec(
-        `UPDATE tasks SET status = ?, completed_at = ? WHERE id = ?`,
-        [status, extra.completed_at, id]
+        `UPDATE tasks SET status = ?, completed_at = ?, updated_at = ? WHERE id = ?`,
+        [status, extra.completed_at, now, id]
       );
     } else {
-      await this.driver.exec(`UPDATE tasks SET status = ? WHERE id = ?`, [status, id]);
+      await this.driver.exec(`UPDATE tasks SET status = ?, updated_at = ? WHERE id = ?`, [status, now, id]);
     }
   }
   async update(id, params) {
     const sets = [];
     const vals = [];
+    const now = (/* @__PURE__ */ new Date()).toISOString();
     if (params.title !== void 0) {
       sets.push("title = ?");
       vals.push(params.title);
@@ -1235,6 +1359,8 @@ var TaskRepository = class {
       vals.push(params.slug);
     }
     if (sets.length === 0) return;
+    sets.push("updated_at = ?");
+    vals.push(now);
     vals.push(id);
     await this.driver.exec(`UPDATE tasks SET ${sets.join(", ")} WHERE id = ?`, vals);
   }
@@ -1249,10 +1375,11 @@ var TaskRepository = class {
   }
   async archive(id) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    await this.driver.exec(`UPDATE tasks SET archived_at = ? WHERE id = ?`, [now, id]);
+    await this.driver.exec(`UPDATE tasks SET archived_at = ?, updated_at = ? WHERE id = ?`, [now, now, id]);
   }
   async unarchive(id) {
-    await this.driver.exec(`UPDATE tasks SET archived_at = NULL WHERE id = ?`, [id]);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    await this.driver.exec(`UPDATE tasks SET archived_at = NULL, updated_at = ? WHERE id = ?`, [now, id]);
   }
   async getArchived() {
     return this.driver.query(
@@ -1261,8 +1388,8 @@ var TaskRepository = class {
   }
   async claim(id, agent, now) {
     return this.driver.exec(
-      `UPDATE tasks SET status = 'in_progress', assigned_to = ?, started_at = ? WHERE id = ? AND status = 'pending'`,
-      [agent, now, id]
+      `UPDATE tasks SET status = 'in_progress', assigned_to = ?, started_at = ?, updated_at = ? WHERE id = ? AND status = 'pending'`,
+      [agent, now, now, id]
     );
   }
   async markAcceptanceMet(criterionId) {
@@ -1538,13 +1665,13 @@ async function openDB(config, cwd2) {
   const dbConfig = config.database;
   let driver;
   if (dbConfig.type === "postgres") {
-    const { PostgresDriver } = await import("./postgres-6BXN7ZH4.js");
+    const { PostgresDriver } = await import("./postgres-IOQE32DM.js");
     driver = new PostgresDriver(dbConfig);
   } else if (dbConfig.type === "mysql") {
-    const { MySQLDriver } = await import("./mysql-NXLYFD2H.js");
+    const { MySQLDriver } = await import("./mysql-THKQOXIS.js");
     driver = new MySQLDriver(dbConfig);
   } else {
-    const { SQLiteDriver } = await import("./sqlite-M65L55DA.js");
+    const { SQLiteDriver } = await import("./sqlite-KWYK4IJW.js");
     if (dbConfig.type !== "sqlite") {
       throw new Error("Invalid database type");
     }
@@ -1561,7 +1688,7 @@ async function runDashboard(cwd2, opts) {
   const db = await openDB(config, cwd2);
   const dbPath = config.database.type === "sqlite" ? resolve7(cwd2, config.database.path) : null;
   const staticPath = join9(__dirname2, "dashboard-dist");
-  const { url } = startDashboardServer(db, dbPath, staticPath, opts.port);
+  const { url } = await startDashboardServer(db, dbPath, staticPath, opts.port);
   console.log(pc2.green(`\u2713`) + ` Dashboard running at ${pc2.bold(pc2.cyan(url))}`);
   console.log(pc2.dim(`  WebSocket live updates enabled`));
   console.log(pc2.dim(`  Press Ctrl+C to stop`));
@@ -2226,14 +2353,56 @@ async function runReset(cwd2, opts) {
 }
 
 // src/core/mcp-server.ts
-import { readdirSync as readdirSync2, readFileSync as readFileSync6, statSync } from "fs";
-import { join as join14, resolve as resolve10 } from "path";
+import { readdirSync as readdirSync2, readFileSync as readFileSync7, statSync } from "fs";
+import { join as join15, resolve as resolve10 } from "path";
 import { Server } from "@modelcontextprotocol/sdk/server";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import {
   CallToolRequestSchema,
   ListToolsRequestSchema
 } from "@modelcontextprotocol/sdk/types.js";
+
+// src/core/permissions-check.ts
+import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
+import { join as join14 } from "path";
+var CANONICAL = {
+  lead: MCP_CLAUDE_PERMISSIONS_LEAD,
+  explorer: MCP_CLAUDE_PERMISSIONS_EXPLORER,
+  builder: MCP_CLAUDE_PERMISSIONS_BUILDER,
+  reviewer: MCP_CLAUDE_PERMISSIONS_REVIEWER
+};
+function parseToolsFromFrontmatter(content) {
+  const match = content.match(/^---\n([\s\S]*?)\n---/m);
+  if (!match) return [];
+  const fm = match[1];
+  const toolsMatch = fm.match(/^tools:\n((?:  - [^\n]+\n?)*)/m);
+  if (!toolsMatch) return [];
+  return toolsMatch[1].split("\n").map((l) => l.trim().replace(/^- /, "")).filter((l) => l.startsWith("mcp__"));
+}
+function checkPermissionsSync(cwd2) {
+  const agents = {};
+  let in_sync = true;
+  for (const agent of ["lead", "explorer", "builder", "reviewer"]) {
+    const filePath = join14(cwd2, ".claude", "agents", `${agent}.md`);
+    if (!existsSync10(filePath)) {
+      const missing2 = CANONICAL[agent];
+      agents[agent] = { ok: false, missing: missing2, extra: [] };
+      in_sync = false;
+      continue;
+    }
+    const content = readFileSync6(filePath, "utf-8");
+    const installed = parseToolsFromFrontmatter(content);
+    const canonical = CANONICAL[agent];
+    const missing = canonical.filter((t) => !installed.includes(t));
+    const extra = installed.filter((t) => !canonical.includes(t));
+    const ok2 = missing.length === 0 && extra.length === 0;
+    if (!ok2) in_sync = false;
+    agents[agent] = { ok: ok2, missing, extra };
+  }
+  return { in_sync, agents };
+}
+
+// src/core/mcp-server.ts
 var VERSION = "0.1.0";
 var TOOLS = [
   {
@@ -2375,6 +2544,17 @@ var TOOLS = [
       required: ["criterionId"]
     }
   },
+  {
+    name: "tasks.acceptance.get",
+    description: "Given a taskId, returns all acceptance criteria for that task with their id, task_id, criterion text, and met status. Use the returned id values to call tasks.acceptance_update(criterionId).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        taskId: { type: "number", description: "Task ID" }
+      },
+      required: ["taskId"]
+    }
+  },
   {
     name: "tasks.add",
     description: "Create a new task in the harness. Use this when the user describes work in natural language. Infer slug, title, description, and acceptance criteria from the conversation. Ask for missing critical info before calling.",
@@ -2446,6 +2626,11 @@ var TOOLS = [
       },
       required: ["id"]
     }
+  },
+  {
+    name: "permissions.check",
+    description: "Check whether the .claude/agents/*.md tool permission lists are in sync with the current canonical permission constants. Returns per-agent diff with missing and extra tools. Call this at session start to detect outdated agent files after an ahk upgrade.",
+    inputSchema: { type: "object", properties: {}, required: [] }
   }
 ];
 async function startMcpServer(config, cwd2) {
@@ -2460,7 +2645,7 @@ async function startMcpServer(config, cwd2) {
     const { name, arguments: args } = request.params;
     const a = args ?? {};
     try {
-      const result = await dispatch(name, a, db, docsPath);
+      const result = await dispatch(name, a, db, docsPath, cwd2);
       return result;
     } catch (err) {
       return ok(`Error: ${err instanceof Error ? err.message : String(err)}`, true);
@@ -2469,7 +2654,7 @@ async function startMcpServer(config, cwd2) {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-async function dispatch(name, args, db, docsPath) {
+async function dispatch(name, args, db, docsPath, cwd2) {
   switch (name) {
     case "actions.start": {
       const taskId = num(args, "taskId");
@@ -2551,6 +2736,11 @@ async function dispatch(name, args, db, docsPath) {
       await db.markAcceptanceMet(criterionId);
       return ok(JSON.stringify({ criterionId, met: true }));
     }
+    case "tasks.acceptance.get": {
+      const taskId = num(args, "taskId");
+      const criteria = await db.getTaskAcceptance(taskId);
+      return ok(JSON.stringify(criteria, null, 2));
+    }
     case "actions.record_tool": {
       const actionId = str(args, "actionId");
       const toolName = str(args, "toolName");
@@ -2583,6 +2773,10 @@ async function dispatch(name, args, db, docsPath) {
       const task2 = await db.unarchiveTask(id);
       return ok(JSON.stringify(task2));
     }
+    case "permissions.check": {
+      const result = checkPermissionsSync(cwd2);
+      return ok(JSON.stringify(result, null, 2));
+    }
     default:
       return ok(`Unknown tool: ${name}`, true);
   }
@@ -2595,7 +2789,7 @@ function searchDocs(docsPath, query, maxResults = 10) {
     for (const file of files) {
       if (results.length >= maxResults) break;
       try {
-        const content = readFileSync6(file, "utf8");
+        const content = readFileSync7(file, "utf8");
         const lines = content.split("\n");
         for (let i = 0; i < lines.length; i++) {
           const lower = lines[i].toLowerCase();
@@ -2616,7 +2810,7 @@ function collectMarkdownFiles(dir) {
   const files = [];
   try {
     for (const entry of readdirSync2(dir)) {
-      const full = join14(dir, entry);
+      const full = join15(dir, entry);
       const stat = statSync(full);
       if (stat.isDirectory()) {
         files.push(...collectMarkdownFiles(full));
@@ -2650,6 +2844,18 @@ async function runServe(cwd2, opts) {
   }
   process.stderr.write(`[agent-harness-kit] MCP server starting (stdio)
 `);
+  const syncResult = checkPermissionsSync(cwd2);
+  if (!syncResult.in_sync) {
+    const affected = Object.entries(syncResult.agents).filter(([, r]) => !r.ok).map(([name, r]) => {
+      const parts = [];
+      if (r.missing.length) parts.push(`missing: ${r.missing.map((t) => t.replace("mcp__agent-harness-kit__", "")).join(", ")}`);
+      if (r.extra.length) parts.push(`extra: ${r.extra.map((t) => t.replace("mcp__agent-harness-kit__", "")).join(", ")}`);
+      return `${name} (${parts.join("; ")})`;
+    }).join("\n   ");
+    process.stderr.write(`[agent-harness-kit] Agent permissions out of sync. Run: ahk build --sync
+   ${affected}
+`);
+  }
   await startMcpServer(config, cwd2);
 }
 
@@ -2728,13 +2934,13 @@ async function runStatus(cwd2, opts) {
 }
 
 // src/commands/sync.ts
-import { existsSync as existsSync10, readFileSync as readFileSync7 } from "fs";
-import { join as join15, resolve as resolve11 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync8 } from "fs";
+import { join as join16, resolve as resolve11 } from "path";
 import pc10 from "picocolors";
 async function runSync(cwd2, opts) {
   const config = await loadConfig(cwd2);
   const direction = opts.direction ?? "both";
-  const featureListPath = resolve11(join15(cwd2, config.storage.dir, "feature_list.json"));
+  const featureListPath = resolve11(join16(cwd2, config.storage.dir, "feature_list.json"));
   const db = await openDB(config, cwd2);
   try {
     if (direction === "in" || direction === "both") {
@@ -2748,13 +2954,13 @@ async function runSync(cwd2, opts) {
   }
 }
 async function syncIn(featureListPath, db, dryRun) {
-  if (!existsSync10(featureListPath)) {
+  if (!existsSync11(featureListPath)) {
     console.log(pc10.dim(`feature_list.json not found at ${featureListPath} \u2014 skipping in-sync`));
     return;
   }
   let seeds;
   try {
-    seeds = JSON.parse(readFileSync7(featureListPath, "utf8"));
+    seeds = JSON.parse(readFileSync8(featureListPath, "utf8"));
   } catch (err) {
     console.error(pc10.red(`Failed to parse feature_list.json: ${err}`));
     process.exit(1);
@@ -2839,14 +3045,14 @@ async function runTaskAdd(cwd2) {
 
 // src/commands/task/done.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync11 } from "fs";
+import { existsSync as existsSync12 } from "fs";
 import { resolve as resolve12 } from "path";
 import pc12 from "picocolors";
 async function runTaskDone(cwd2, idOrSlug) {
   const config = await loadConfig(cwd2);
   if (config.health.required) {
     const scriptPath = resolve12(cwd2, config.health.scriptPath);
-    if (existsSync11(scriptPath)) {
+    if (existsSync12(scriptPath)) {
       const result = spawnSync2("bash", [scriptPath], { cwd: cwd2, stdio: "pipe", encoding: "utf8" });
       if (result.status !== 0) {
         console.error(pc12.red("\u2717 Health check failed \u2014 cannot mark task as done."));
@@ -3019,10 +3225,10 @@ async function runTaskList(cwd2, opts) {
 
 // src/core/package-data.ts
 import { createRequire } from "module";
-import { dirname as dirname5, join as join16 } from "path";
+import { dirname as dirname5, join as join17 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 var require2 = createRequire(import.meta.url);
-var pkgPath = join16(dirname5(fileURLToPath3(import.meta.url)), "..", "package.json");
+var pkgPath = join17(dirname5(fileURLToPath3(import.meta.url)), "..", "package.json");
 var pkg = require2(pkgPath);
 
 // src/core/update-check.ts
@@ -3066,7 +3272,7 @@ program.name("ahk").description("agent-harness-kit \u2014 CLI scaffolding for mu
 program.command("init").description("Scaffold a harness interactively in the current directory").option("--name <name>", "Project name (skip prompt)").option("--provider <provider>", "AI provider: claude-code | opencode (skip prompt)").option("--docs <path>", "Docs folder path (skip prompt)").option("--tasks <adapter>", "Task adapter: local | jira | linear (skip prompt)").action(async (opts) => {
   await runInit(cwd, opts);
 });
-program.command("build").description("Regenerate AGENTS.md and provider files from agent-harness-kit.config.ts").option("--watch", "Rebuild on config changes").action(async (opts) => {
+program.command("build").description("Regenerate AGENTS.md and provider files from agent-harness-kit.config.ts").option("--watch", "Rebuild on config changes").option("--sync", "Sync tools: frontmatter in existing .claude/agents/*.md to match current permission constants").action(async (opts) => {
   await runBuild(cwd, opts);
 });
 program.command("health").description("Run health.sh and report result").action(async () => {