npm - @corbat-tech/coco - Versions diffs - 1.1.0 → 1.2.2 - Mend

@corbat-tech/coco 1.1.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { homedir } from 'os';
 import * as path20 from 'path';
 import path20__default, { join, dirname, basename } from 'path';
 import * as fs19 from 'fs';
-import fs19__default, { readFileSync, existsSync, constants } from 'fs';
+import fs19__default, { readFileSync, constants } from 'fs';
 import * as fs22 from 'fs/promises';
 import fs22__default, { writeFile, access, readFile, mkdir, readdir, rm } from 'fs/promises';
 import { Command } from 'commander';
@@ -21,6 +21,7 @@ import * as http from 'http';
 import { execFile, exec, execSync, execFileSync, spawn } from 'child_process';
 import { promisify } from 'util';
 import { GoogleGenerativeAI, FunctionCallingMode } from '@google/generative-ai';
+import stringWidth from 'string-width';
 import ansiEscapes3 from 'ansi-escapes';
 import * as readline from 'readline';
 import { execa } from 'execa';
@@ -279,8 +280,8 @@ __export(trust_store_exports, {
   saveTrustStore: () => saveTrustStore,
   updateLastAccessed: () => updateLastAccessed
 });
-async function ensureDir(path37) {
-  await mkdir(dirname(path37), { recursive: true });
+async function ensureDir(path36) {
+  await mkdir(dirname(path36), { recursive: true });
 }
 async function loadTrustStore(storePath = TRUST_STORE_PATH) {
   try {
@@ -358,8 +359,8 @@ function canPerformOperation(store, projectPath, operation) {
   };
   return permissions[level]?.includes(operation) ?? false;
 }
-function normalizePath(path37) {
-  return join(path37);
+function normalizePath(path36) {
+  return join(path36);
 }
 function createTrustStore(storePath = TRUST_STORE_PATH) {
   let store = null;
@@ -609,8 +610,8 @@ Generated by Corbat-Coco v0.1.0
 // src/cli/commands/init.ts
 function registerInitCommand(program2) {
-  program2.command("init").description("Initialize a new Corbat-Coco project").argument("[path]", "Project directory path", ".").option("-t, --template <template>", "Project template to use").option("-y, --yes", "Skip prompts and use defaults").option("--skip-discovery", "Skip the discovery phase (use existing spec)").action(async (path37, options) => {
-    await runInit(path37, options);
+  program2.command("init").description("Initialize a new Corbat-Coco project").argument("[path]", "Project directory path", ".").option("-t, --template <template>", "Project template to use").option("-y, --yes", "Skip prompts and use defaults").option("--skip-discovery", "Skip the discovery phase (use existing spec)").action(async (path36, options) => {
+    await runInit(path36, options);
   });
 }
 async function runInit(projectPath, options) {
@@ -689,18 +690,18 @@ async function gatherProjectInfo() {
     language
   };
 }
-function getDefaultProjectInfo(path37) {
-  const name = path37 === "." ? "my-project" : path37.split("/").pop() || "my-project";
+function getDefaultProjectInfo(path36) {
+  const name = path36 === "." ? "my-project" : path36.split("/").pop() || "my-project";
   return {
     name,
     description: "",
     language: "typescript"
   };
 }
-async function checkExistingProject(path37) {
+async function checkExistingProject(path36) {
   try {
     const fs39 = await import('fs/promises');
-    await fs39.access(`${path37}/.coco`);
+    await fs39.access(`${path36}/.coco`);
     return true;
   } catch {
     return false;
@@ -724,9 +725,6 @@ var QualityConfigSchema = z.object({
 }).refine((data) => data.minIterations <= data.maxIterations, {
   message: "minIterations must be <= maxIterations",
   path: ["minIterations"]
-}).refine((data) => data.convergenceThreshold < data.minScore, {
-  message: "convergenceThreshold must be < minScore",
-  path: ["convergenceThreshold"]
 });
 var PersistenceConfigSchema = z.object({
   checkpointInterval: z.number().min(6e4).default(3e5),
@@ -1072,7 +1070,17 @@ function deepMergeConfig(base, override) {
     project: { ...base.project, ...override.project },
     provider: { ...base.provider, ...override.provider },
     quality: { ...base.quality, ...override.quality },
-    persistence: { ...base.persistence, ...override.persistence }
+    persistence: { ...base.persistence, ...override.persistence },
+    // Merge optional sections only if present in either base or override
+    ...base.stack || override.stack ? { stack: { ...base.stack, ...override.stack } } : {},
+    ...base.integrations || override.integrations ? {
+      integrations: {
+        ...base.integrations,
+        ...override.integrations
+      }
+    } : {},
+    ...base.mcp || override.mcp ? { mcp: { ...base.mcp, ...override.mcp } } : {},
+    ...base.tools || override.tools ? { tools: { ...base.tools, ...override.tools } } : {}
   };
 }
 function getProjectConfigPath() {
@@ -4778,6 +4786,9 @@ var AnthropicProvider = class {
             try {
               currentToolCall.input = currentToolInputJson ? JSON.parse(currentToolInputJson) : {};
             } catch {
+              console.warn(
+                `[Anthropic] Failed to parse tool call arguments: ${currentToolInputJson?.slice(0, 100)}`
+              );
               currentToolCall.input = {};
             }
             yield {
@@ -5310,6 +5321,9 @@ var OpenAIProvider = class {
           try {
             input = builder.arguments ? JSON.parse(builder.arguments) : {};
           } catch {
+            console.warn(
+              `[OpenAI] Failed to parse tool call arguments: ${builder.arguments?.slice(0, 100)}`
+            );
           }
           yield {
             type: "tool_use_end",
@@ -5598,7 +5612,16 @@ var OpenAIProvider = class {
     ).map((tc) => ({
       id: tc.id,
       name: tc.function.name,
-      input: JSON.parse(tc.function.arguments || "{}")
+      input: (() => {
+        try {
+          return JSON.parse(tc.function.arguments || "{}");
+        } catch {
+          console.warn(
+            `[OpenAI] Failed to parse tool call arguments: ${tc.function.arguments?.slice(0, 100)}`
+          );
+          return {};
+        }
+      })()
     }));
   }
   /**
@@ -7246,7 +7269,10 @@ var GeminiProvider = class {
           for (const part of candidate.content.parts) {
             if ("functionCall" in part && part.functionCall) {
               const funcCall = part.functionCall;
-              const callKey = `${funcCall.name}-${JSON.stringify(funcCall.args)}`;
+              const sortedArgs = funcCall.args ? Object.keys(funcCall.args).sort().map(
+                (k) => `${k}:${JSON.stringify(funcCall.args[k])}`
+              ).join(",") : "";
+              const callKey = `${funcCall.name}-${sortedArgs}`;
               if (!emittedToolCalls.has(callKey)) {
                 emittedToolCalls.add(callKey);
                 const toolCall = {
@@ -7278,9 +7304,18 @@ var GeminiProvider = class {
   }
   /**
    * Count tokens (approximate)
+   *
+   * Gemini uses a SentencePiece tokenizer. The average ratio varies:
+   * - English text: ~4 characters per token
+   * - Code: ~3.2 characters per token
+   * - Mixed content: ~3.5 characters per token
+   *
+   * Using 3.5 as the default provides a better estimate for typical
+   * coding agent workloads which mix code and natural language.
    */
   countTokens(text9) {
-    return Math.ceil(text9.length / 4);
+    if (!text9) return 0;
+    return Math.ceil(text9.length / 3.5);
   }
   /**
    * Get context window size
@@ -7614,20 +7649,20 @@ async function createCliPhaseContext(projectPath, _onUserInput) {
     },
     tools: {
       file: {
-        async read(path37) {
+        async read(path36) {
           const fs39 = await import('fs/promises');
-          return fs39.readFile(path37, "utf-8");
+          return fs39.readFile(path36, "utf-8");
         },
-        async write(path37, content) {
+        async write(path36, content) {
           const fs39 = await import('fs/promises');
           const nodePath = await import('path');
-          await fs39.mkdir(nodePath.dirname(path37), { recursive: true });
-          await fs39.writeFile(path37, content, "utf-8");
+          await fs39.mkdir(nodePath.dirname(path36), { recursive: true });
+          await fs39.writeFile(path36, content, "utf-8");
         },
-        async exists(path37) {
+        async exists(path36) {
           const fs39 = await import('fs/promises');
           try {
-            await fs39.access(path37);
+            await fs39.access(path36);
             return true;
           } catch {
             return false;
@@ -7980,10 +8015,10 @@ function getPhaseStatusForPhase(phase) {
 }
 async function loadProjectState(cwd, config) {
   const fs39 = await import('fs/promises');
-  const path37 = await import('path');
-  const statePath = path37.join(cwd, ".coco", "state.json");
-  const backlogPath = path37.join(cwd, ".coco", "planning", "backlog.json");
-  const checkpointDir = path37.join(cwd, ".coco", "checkpoints");
+  const path36 = await import('path');
+  const statePath = path36.join(cwd, ".coco", "state.json");
+  const backlogPath = path36.join(cwd, ".coco", "planning", "backlog.json");
+  const checkpointDir = path36.join(cwd, ".coco", "checkpoints");
   let currentPhase = "idle";
   let metrics;
   let sprint;
@@ -8698,8 +8733,8 @@ async function saveConfig(config) {
   await fs39.mkdir(".coco", { recursive: true });
   await fs39.writeFile(".coco/config.json", JSON.stringify(config, null, 2));
 }
-function getNestedValue(obj, path37) {
-  const keys = path37.split(".");
+function getNestedValue(obj, path36) {
+  const keys = path36.split(".");
   let current = obj;
   for (const key of keys) {
     if (current === null || current === void 0 || typeof current !== "object") {
@@ -8709,8 +8744,8 @@ function getNestedValue(obj, path37) {
   }
   return current;
 }
-function setNestedValue(obj, path37, value) {
-  const keys = path37.split(".");
+function setNestedValue(obj, path36, value) {
+  const keys = path36.split(".");
   let current = obj;
   for (let i = 0; i < keys.length - 1; i++) {
     const key = keys[i];
@@ -8931,8 +8966,8 @@ var MCPRegistryImpl = class {
   /**
    * Ensure directory exists
    */
-  async ensureDir(path37) {
-    await mkdir(dirname(path37), { recursive: true });
+  async ensureDir(path36) {
+    await mkdir(dirname(path36), { recursive: true });
   }
 };
 function createMCPRegistry(registryPath) {
@@ -9451,9 +9486,9 @@ function createEmptyMemoryContext() {
     errors: []
   };
 }
-function createMissingMemoryFile(path37, level) {
+function createMissingMemoryFile(path36, level) {
   return {
-    path: path37,
+    path: path36,
     level,
     content: "",
     sections: [],
@@ -9658,7 +9693,9 @@ async function saveTrustSettings(settings) {
     await fs22__default.mkdir(TRUST_SETTINGS_DIR, { recursive: true });
     settings.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
     await fs22__default.writeFile(TRUST_SETTINGS_FILE, JSON.stringify(settings, null, 2), "utf-8");
-  } catch {
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.warn(`[Trust] Failed to save trust settings: ${msg}`);
   }
 }
 async function loadTrustedTools(projectPath) {
@@ -12142,8 +12179,8 @@ async function listTrustedProjects2(trustStore) {
   p9.log.message("");
   for (const project of projects) {
     const level = project.approvalLevel.toUpperCase().padEnd(5);
-    const path37 = project.path.length > 50 ? "..." + project.path.slice(-47) : project.path;
-    p9.log.message(`  [${level}] ${path37}`);
+    const path36 = project.path.length > 50 ? "..." + project.path.slice(-47) : project.path;
+    p9.log.message(`  [${level}] ${path36}`);
     p9.log.message(`      Last accessed: ${new Date(project.lastAccessed).toLocaleString()}`);
   }
   p9.log.message("");
@@ -13403,8 +13440,8 @@ function displayRewindResult(result) {
     const fileName = filePath.split("/").pop() ?? filePath;
     console.log(`${chalk12.green(String.fromCodePoint(10003))} Restored: ${fileName}`);
   }
-  for (const { path: path37, error } of result.filesFailed) {
-    const fileName = path37.split("/").pop() ?? path37;
+  for (const { path: path36, error } of result.filesFailed) {
+    const fileName = path36.split("/").pop() ?? path36;
     console.log(`${chalk12.red(String.fromCodePoint(10007))} Failed: ${fileName} (${error})`);
   }
   if (result.conversationRestored) {
@@ -14369,7 +14406,11 @@ function flushLineBuffer() {
   }
   if (inCodeBlock && codeBlockLines.length > 0) {
     stopStreamingIndicator();
-    renderCodeBlock(codeBlockLang, codeBlockLines);
+    try {
+      renderCodeBlock(codeBlockLang, codeBlockLines);
+    } finally {
+      stopStreamingIndicator();
+    }
     inCodeBlock = false;
     codeBlockLang = "";
     codeBlockLines = [];
@@ -14725,6 +14766,7 @@ function formatInlineMarkdown(text9) {
   return text9;
 }
 function wrapText(text9, maxWidth) {
+  if (maxWidth <= 0) return [text9];
   const plainText = stripAnsi(text9);
   if (plainText.length <= maxWidth) {
     return [text9];
@@ -14732,14 +14774,37 @@ function wrapText(text9, maxWidth) {
   const lines = [];
   let remaining = text9;
   while (stripAnsi(remaining).length > maxWidth) {
-    let breakPoint = maxWidth;
     const plain = stripAnsi(remaining);
+    let breakPoint = maxWidth;
     const lastSpace = plain.lastIndexOf(" ", maxWidth);
     if (lastSpace > maxWidth * 0.5) {
       breakPoint = lastSpace;
     }
-    lines.push(remaining.slice(0, breakPoint));
-    remaining = remaining.slice(breakPoint).trimStart();
+    const ansiRegex = /\x1b\[[0-9;]*m/g;
+    let match;
+    const ansiPositions = [];
+    ansiRegex.lastIndex = 0;
+    while ((match = ansiRegex.exec(remaining)) !== null) {
+      ansiPositions.push({ start: match.index, end: match.index + match[0].length });
+    }
+    let rawPos = 0;
+    let visualPos = 0;
+    let ansiIdx = 0;
+    while (visualPos < breakPoint && rawPos < remaining.length) {
+      while (ansiIdx < ansiPositions.length && ansiPositions[ansiIdx].start === rawPos) {
+        rawPos = ansiPositions[ansiIdx].end;
+        ansiIdx++;
+      }
+      if (rawPos >= remaining.length) break;
+      rawPos++;
+      visualPos++;
+    }
+    while (ansiIdx < ansiPositions.length && ansiPositions[ansiIdx].start === rawPos) {
+      rawPos = ansiPositions[ansiIdx].end;
+      ansiIdx++;
+    }
+    lines.push(remaining.slice(0, rawPos));
+    remaining = remaining.slice(rawPos).trimStart();
   }
   if (remaining) {
     lines.push(remaining);
@@ -14809,8 +14874,8 @@ function formatToolSummary(toolName, input) {
       return String(input.path || ".");
     case "search_files": {
       const pattern = String(input.pattern || "");
-      const path37 = input.path ? ` in ${input.path}` : "";
-      return `"${pattern}"${path37}`;
+      const path36 = input.path ? ` in ${input.path}` : "";
+      return `"${pattern}"${path36}`;
     }
     case "bash_exec": {
       const cmd = String(input.command || "");
@@ -16188,6 +16253,9 @@ function createInputHandler(_session) {
   let historyIndex = -1;
   let tempLine = "";
   let lastMenuLines = 0;
+  let lastCursorRow = 0;
+  let lastContentRows = 1;
+  let isFirstRender = true;
   let isPasting = false;
   let pasteBuffer = "";
   let isReadingClipboard = false;
@@ -16219,11 +16287,13 @@ function createInputHandler(_session) {
   function render() {
     const termCols = process.stdout.columns || 80;
     const prompt = getPrompt();
-    const totalVisualLen = prompt.visualLen + currentLine.length;
-    const wrappedLines = Math.max(0, Math.ceil(totalVisualLen / termCols) - 1);
-    if (wrappedLines > 0) {
-      process.stdout.write(ansiEscapes3.cursorUp(wrappedLines));
+    if (!isFirstRender) {
+      const linesToGoUp = lastCursorRow + 1;
+      if (linesToGoUp > 0) {
+        process.stdout.write(ansiEscapes3.cursorUp(linesToGoUp));
+      }
     }
+    isFirstRender = false;
     process.stdout.write("\r" + ansiEscapes3.eraseDown);
     const separator = chalk12.dim("\u2500".repeat(termCols));
     let output = separator + "\n";
@@ -16236,7 +16306,12 @@ function createInputHandler(_session) {
         output += chalk12.dim.gray(ghost);
       }
     }
+    const totalContentLen = prompt.visualLen + currentLine.length;
+    const contentRows = totalContentLen === 0 ? 1 : Math.ceil(totalContentLen / termCols);
+    const contentExactFill = totalContentLen > 0 && totalContentLen % termCols === 0;
+    output += (contentExactFill ? "" : "\n") + separator;
     const showMenu = completions.length > 0 && currentLine.startsWith("/") && currentLine.length >= 1;
+    let extraLinesBelow = 0;
     if (showMenu) {
       const cols = getColumnCount();
       const maxVisibleItems = MAX_ROWS * cols;
@@ -16255,9 +16330,11 @@ function createInputHandler(_session) {
         output += "\n";
         output += chalk12.dim(`  \u2191 ${startIndex} more above`);
         lastMenuLines++;
+        extraLinesBelow++;
       }
       for (let row = 0; row < rowCount; row++) {
         output += "\n";
+        extraLinesBelow++;
         for (let col = 0; col < cols; col++) {
           const itemIndex = row * cols + col;
           if (itemIndex >= visibleItems.length) break;
@@ -16276,22 +16353,22 @@ function createInputHandler(_session) {
         output += "\n";
         output += chalk12.dim(`  \u2193 ${completions.length - endIndex} more below`);
         lastMenuLines++;
+        extraLinesBelow++;
       }
-      for (let i = 0; i < BOTTOM_MARGIN; i++) {
-        output += "\n";
-      }
-      output += ansiEscapes3.cursorUp(lastMenuLines + BOTTOM_MARGIN + 1);
     } else {
       lastMenuLines = 0;
-      for (let i = 0; i < BOTTOM_MARGIN; i++) {
-        output += "\n";
-      }
-      output += ansiEscapes3.cursorUp(BOTTOM_MARGIN + 1);
     }
+    for (let i = 0; i < BOTTOM_MARGIN; i++) {
+      output += "\n";
+      extraLinesBelow++;
+    }
+    const totalUp = extraLinesBelow + 1 + contentRows;
+    output += ansiEscapes3.cursorUp(totalUp);
     output += ansiEscapes3.cursorDown(1);
     const cursorAbsolutePos = prompt.visualLen + cursorPos;
-    const finalLine = Math.floor(cursorAbsolutePos / termCols);
-    const finalCol = cursorAbsolutePos % termCols;
+    const onExactBoundary = cursorAbsolutePos > 0 && cursorAbsolutePos % termCols === 0;
+    const finalLine = onExactBoundary ? cursorAbsolutePos / termCols - 1 : Math.floor(cursorAbsolutePos / termCols);
+    const finalCol = onExactBoundary ? 0 : cursorAbsolutePos % termCols;
     output += "\r";
     if (finalLine > 0) {
       output += ansiEscapes3.cursorDown(finalLine);
@@ -16299,10 +16376,16 @@ function createInputHandler(_session) {
     if (finalCol > 0) {
       output += ansiEscapes3.cursorForward(finalCol);
     }
+    lastCursorRow = finalLine;
+    lastContentRows = contentRows;
     process.stdout.write(output);
   }
   function clearMenu() {
-    process.stdout.write(ansiEscapes3.eraseDown);
+    const rowsDown = lastContentRows - lastCursorRow + 1;
+    if (rowsDown > 0) {
+      process.stdout.write(ansiEscapes3.cursorDown(rowsDown));
+    }
+    process.stdout.write("\r" + ansiEscapes3.eraseDown);
     lastMenuLines = 0;
   }
   function insertTextAtCursor(text9) {
@@ -16325,15 +16408,21 @@ function createInputHandler(_session) {
         historyIndex = -1;
         tempLine = "";
         lastMenuLines = 0;
+        lastCursorRow = 0;
+        lastContentRows = 1;
+        isFirstRender = true;
         render();
         if (process.stdin.isTTY) {
           process.stdin.setRawMode(true);
         }
         process.stdin.resume();
         process.stdout.write("\x1B[?2004h");
+        const onResize = () => render();
+        process.stdout.on("resize", onResize);
         const cleanup = () => {
           process.stdout.write("\x1B[?2004l");
           process.stdin.removeListener("data", onData);
+          process.stdout.removeListener("resize", onResize);
           if (process.stdin.isTTY) {
             process.stdin.setRawMode(false);
           }
@@ -16463,9 +16552,7 @@ function createInputHandler(_session) {
               currentLine = completions[selectedCompletion].cmd;
             }
             cleanup();
-            const termWidth = process.stdout.columns || 80;
             console.log();
-            console.log(chalk12.dim("\u2500".repeat(termWidth)));
             const result = currentLine.trim();
             if (result) {
               sessionHistory.push(result);
@@ -17504,7 +17591,8 @@ async function promptEditCommand(originalCommand) {
   console.log();
   console.log(chalk12.dim("  Edit command (or press Enter to cancel):"));
   console.log(chalk12.cyan(`  Current: ${originalCommand}`));
-  if (process.stdin.isTTY && process.stdin.isRaw) {
+  const wasRaw = process.stdin.isTTY ? process.stdin.isRaw : false;
+  if (process.stdin.isTTY && wasRaw) {
     process.stdin.setRawMode(false);
   }
   const rl = readline2.createInterface({
@@ -17517,6 +17605,9 @@ async function promptEditCommand(originalCommand) {
     return trimmed || null;
   } finally {
     rl.close();
+    if (process.stdin.isTTY && wasRaw) {
+      process.stdin.setRawMode(true);
+    }
   }
 }
 async function confirmToolExecution(toolCall) {
@@ -20228,10 +20319,10 @@ var CoverageAnalyzer = class {
       join(this.projectPath, ".coverage", "coverage-summary.json"),
       join(this.projectPath, "coverage", "lcov-report", "coverage-summary.json")
     ];
-    for (const path37 of possiblePaths) {
+    for (const path36 of possiblePaths) {
       try {
-        await access(path37, constants.R_OK);
-        const content = await readFile(path37, "utf-8");
+        await access(path36, constants.R_OK);
+        const content = await readFile(path36, "utf-8");
         const report = JSON.parse(content);
         return parseCoverageSummary(report);
       } catch {
@@ -22452,17 +22543,17 @@ var QualityEvaluator = class {
       maintainabilityResult
     ] = await Promise.all([
       this.coverageAnalyzer.analyze().catch(() => null),
-      this.securityScanner.scan(fileContents),
-      this.complexityAnalyzer.analyze(targetFiles),
-      this.duplicationAnalyzer.analyze(targetFiles),
+      this.securityScanner.scan(fileContents).catch(() => ({ score: 0, vulnerabilities: [] })),
+      this.complexityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0, files: [] })),
+      this.duplicationAnalyzer.analyze(targetFiles).catch(() => ({ score: 0, percentage: 0 })),
       this.correctnessAnalyzer.analyze().catch(() => ({ score: 0 })),
       this.completenessAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
       this.robustnessAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
       this.testQualityAnalyzer.analyze().catch(() => ({ score: 0 })),
       this.documentationAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
-      this.styleAnalyzer.analyze().catch(() => ({ score: 50 })),
-      this.readabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 50 })),
-      this.maintainabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 50 }))
+      this.styleAnalyzer.analyze().catch(() => ({ score: 0 })),
+      this.readabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
+      this.maintainabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 }))
     ]);
     const dimensions = {
       testCoverage: coverageResult?.lines.percentage ?? 0,
@@ -22976,7 +23067,17 @@ Examples:
         regexPattern = `\\b${pattern}\\b`;
       }
       const flags = caseSensitive ? "g" : "gi";
-      const regex = new RegExp(regexPattern, flags);
+      let regex;
+      try {
+        regex = new RegExp(regexPattern, flags);
+      } catch {
+        throw new ToolError(`Invalid regex pattern: ${pattern}`, { tool: "grep" });
+      }
+      if (/(\.\*|\.\+|\[.*\][*+])\s*(\.\*|\.\+|\[.*\][*+])/.test(regexPattern)) {
+        throw new ToolError(`Regex pattern rejected: nested quantifiers may cause slow matching`, {
+          tool: "grep"
+        });
+      }
       const stats = await fs22__default.stat(targetPath);
       let filesToSearch;
       if (stats.isFile()) {
@@ -24114,9 +24215,11 @@ function parseDiff(raw) {
 function parseFileBlock(lines, start) {
   const diffLine = lines[start];
   let i = start + 1;
-  const pathMatch = diffLine.match(/^diff --git a\/(.+?) b\/(.+)$/);
-  const oldPath = pathMatch?.[1] ?? "";
-  const newPath = pathMatch?.[2] ?? oldPath;
+  const gitPrefix = "diff --git a/";
+  const pathPart = diffLine.slice(gitPrefix.length);
+  const lastBSlash = pathPart.lastIndexOf(" b/");
+  const oldPath = lastBSlash >= 0 ? pathPart.slice(0, lastBSlash) : pathPart;
+  const newPath = lastBSlash >= 0 ? pathPart.slice(lastBSlash + 3) : oldPath;
   let fileType = "modified";
   while (i < lines.length && !lines[i].startsWith("diff --git ")) {
     const current = lines[i];
@@ -24262,7 +24365,7 @@ function renderDiff(diff, options) {
 function renderFileBlock(file, opts) {
   const { maxWidth, showLineNumbers, compact } = opts;
   const lang = detectLanguage(file.path);
-  const contentWidth = maxWidth - 4;
+  const contentWidth = Math.max(1, maxWidth - 4);
   const typeLabel = file.type === "modified" ? "modified" : file.type === "added" ? "new file" : file.type === "deleted" ? "deleted" : `renamed from ${file.oldPath}`;
   const statsLabel = ` +${file.additions} -${file.deletions}`;
   const title = ` ${file.path} (${typeLabel}${statsLabel}) `;
@@ -24309,12 +24412,8 @@ function renderFileBlock(file, opts) {
 }
 function formatLineNo(line, show) {
   if (!show) return "";
-  if (line.type === "add") {
-    return chalk12.dim(`${String(line.newLineNo ?? "").padStart(4)} `);
-  } else if (line.type === "delete") {
-    return chalk12.dim(`${String(line.oldLineNo ?? "").padStart(4)} `);
-  }
-  return chalk12.dim(`${String(line.newLineNo ?? "").padStart(4)} `);
+  const lineNo = line.type === "delete" ? line.oldLineNo : line.newLineNo;
+  return chalk12.dim(`${String(lineNo ?? "").padStart(5)} `);
 }
 function getChangedLines(diff) {
   const result = /* @__PURE__ */ new Map();
@@ -24405,9 +24504,9 @@ Examples:
   }
 });
 var diffTools = [showDiffTool];
-async function fileExists(path37) {
+async function fileExists(path36) {
   try {
-    await access(path37);
+    await access(path36);
     return true;
   } catch {
     return false;
@@ -26471,6 +26570,13 @@ Examples:
     const startTime = performance.now();
     const effectivePrompt = prompt ?? "Describe this image in detail. If it's code or a UI, identify the key elements.";
     const absPath = path31.resolve(filePath);
+    const cwd = process.cwd();
+    if (!absPath.startsWith(cwd + path31.sep) && absPath !== cwd) {
+      throw new ToolError(
+        `Path traversal denied: '${filePath}' resolves outside the project directory`,
+        { tool: "read_image" }
+      );
+    }
     const ext = path31.extname(absPath).toLowerCase();
     if (!SUPPORTED_FORMATS.has(ext)) {
       throw new ToolError(
@@ -28531,24 +28637,6 @@ var pc = chalk12;
 });
 // src/cli/repl/index.ts
-function visualWidth(str) {
-  const stripped = str.replace(/\x1b\[[0-9;]*m/g, "");
-  let width = 0;
-  for (const char of stripped) {
-    const cp = char.codePointAt(0) || 0;
-    if (cp > 128512 || cp >= 9728 && cp <= 10175 || cp >= 127744 && cp <= 129750 || cp >= 129280 && cp <= 129535 || cp >= 9986 && cp <= 10160 || cp >= 65024 && cp <= 65039 || cp === 8205) {
-      width += 2;
-    } else if (
-      // CJK Unified Ideographs and other wide characters
-      cp >= 4352 && cp <= 4447 || cp >= 11904 && cp <= 12350 || cp >= 12352 && cp <= 13247 || cp >= 19968 && cp <= 40959 || cp >= 63744 && cp <= 64255 || cp >= 65072 && cp <= 65135 || cp >= 65281 && cp <= 65376 || cp >= 65504 && cp <= 65510
-    ) {
-      width += 2;
-    } else {
-      width += 1;
-    }
-  }
-  return width;
-}
 async function startRepl(options = {}) {
   const projectPath = options.projectPath ?? process.cwd();
   const session = createSession(projectPath, options.config);
@@ -28598,6 +28686,17 @@ async function startRepl(options = {}) {
   const inputHandler = createInputHandler();
   const intentRecognizer = createIntentRecognizer();
   await printWelcome(session);
+  const cleanupTerminal = () => {
+    process.stdout.write("\x1B[?2004l");
+    if (process.stdin.isTTY && process.stdin.isRaw) {
+      process.stdin.setRawMode(false);
+    }
+  };
+  process.on("exit", cleanupTerminal);
+  process.on("SIGTERM", () => {
+    cleanupTerminal();
+    process.exit(0);
+  });
   while (true) {
     const input = await inputHandler.prompt();
     if (input === null && !hasPendingImage()) {
@@ -28677,6 +28776,14 @@ async function startRepl(options = {}) {
         activeSpinner.start();
       }
     };
+    const abortController = new AbortController();
+    let wasAborted = false;
+    const sigintHandler = () => {
+      wasAborted = true;
+      abortController.abort();
+      clearSpinner();
+      renderInfo("\nOperation cancelled");
+    };
     try {
       if (typeof agentMessage === "string" && !isCocoMode() && !wasHintShown() && looksLikeFeatureRequest(agentMessage)) {
         markHintShown();
@@ -28689,14 +28796,6 @@ async function startRepl(options = {}) {
         session.config.agent.systemPrompt = originalSystemPrompt + "\n" + getCocoModeSystemPrompt();
       }
       inputHandler.pause();
-      const abortController = new AbortController();
-      let wasAborted = false;
-      const sigintHandler = () => {
-        wasAborted = true;
-        abortController.abort();
-        clearSpinner();
-        renderInfo("\nOperation cancelled");
-      };
       process.once("SIGINT", sigintHandler);
       const result = await executeAgentTurn(session, agentMessage, provider, toolRegistry, {
         onStream: renderStreamChunk,
@@ -28785,6 +28884,7 @@ async function startRepl(options = {}) {
       console.log();
     } catch (error) {
       clearSpinner();
+      process.off("SIGINT", sigintHandler);
       if (error instanceof Error && error.name === "AbortError") {
         continue;
       }
@@ -28815,40 +28915,30 @@ async function startRepl(options = {}) {
   inputHandler.close();
 }
 async function printWelcome(session) {
-  const providerType = session.config.provider.type;
-  const model = session.config.provider.model || "default";
-  const isReturningUser = existsSync(path20__default.join(session.projectPath, ".coco"));
-  if (isReturningUser) {
-    const versionStr = chalk12.dim(`v${VERSION}`);
-    const providerStr = chalk12.dim(`${providerType}/${model}`);
-    console.log(
-      `
-  \u{1F965} Coco ${versionStr} ${chalk12.dim("\u2502")} ${providerStr} ${chalk12.dim("\u2502")} ${chalk12.yellow("/help")}
-`
-    );
-    return;
-  }
   const trustStore = createTrustStore();
   await trustStore.init();
   const trustLevel = trustStore.getLevel(session.projectPath);
   const boxWidth = 41;
-  const innerWidth = boxWidth - 4;
-  const titleContent = "\u{1F965} CORBAT-COCO";
+  const innerWidth = boxWidth - 2;
   const versionText = `v${VERSION}`;
-  const titleContentVisualWidth = visualWidth(titleContent);
-  const versionVisualWidth = visualWidth(versionText);
-  const titlePadding = innerWidth - titleContentVisualWidth - versionVisualWidth;
   const subtitleText = "open source \u2022 corbat.tech";
-  const subtitleVisualWidth = visualWidth(subtitleText);
-  const subtitlePadding = innerWidth - subtitleVisualWidth;
+  const boxLine = (content) => {
+    const pad = Math.max(0, innerWidth - stringWidth(content));
+    return chalk12.magenta("\u2502") + content + " ".repeat(pad) + chalk12.magenta("\u2502");
+  };
+  const titleLeftRaw = " COCO";
+  const titleRightRaw = versionText + " ";
+  const titleLeftStyled = " " + chalk12.bold.white("COCO");
+  const titleGap = Math.max(1, innerWidth - stringWidth(titleLeftRaw) - stringWidth(titleRightRaw));
+  const titleContent = titleLeftStyled + " ".repeat(titleGap) + chalk12.dim(titleRightRaw);
+  const taglineText = "code that converges to quality";
+  const taglineContent = " " + chalk12.magenta(taglineText) + " ";
+  const subtitleContent = " " + chalk12.dim(subtitleText) + " ";
   console.log();
   console.log(chalk12.magenta("  \u256D" + "\u2500".repeat(boxWidth - 2) + "\u256E"));
-  console.log(
-    chalk12.magenta("  \u2502 ") + "\u{1F965} " + chalk12.bold.white("CORBAT-COCO") + " ".repeat(Math.max(0, titlePadding)) + chalk12.dim(versionText) + chalk12.magenta(" \u2502")
-  );
-  console.log(
-    chalk12.magenta("  \u2502 ") + chalk12.dim(subtitleText) + " ".repeat(Math.max(0, subtitlePadding)) + chalk12.magenta(" \u2502")
-  );
+  console.log("  " + boxLine(titleContent));
+  console.log("  " + boxLine(taglineContent));
+  console.log("  " + boxLine(subtitleContent));
   console.log(chalk12.magenta("  \u2570" + "\u2500".repeat(boxWidth - 2) + "\u256F"));
   const updateInfo = await checkForUpdates();
   if (updateInfo) {
@@ -28889,7 +28979,7 @@ async function checkProjectTrust(projectPath) {
     return true;
   }
   console.log();
-  console.log(chalk12.cyan.bold("  \u{1F965} Corbat-Coco") + chalk12.dim(` v${VERSION}`));
+  console.log(chalk12.cyan.bold("  \u{1F965} Coco") + chalk12.dim(` v${VERSION}`));
   console.log(chalk12.dim(`  \u{1F4C1} ${projectPath}`));
   console.log();
   console.log(chalk12.yellow("  \u26A0 First time accessing this directory"));