@drisp/cli 0.4.5 → 0.4.7

package/dist/chunk-2OJ3GGIP.js

@@ -0,0 +1,104 @@
+// src/infra/daemon/logFile.ts
+import fs from "fs";
+import path from "path";
+var DEFAULT_MAX_BYTES = 5 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 5;
+function openDaemonLog(logPath, options = {}) {
+  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
+  const maxFiles = options.maxFiles ?? DEFAULT_MAX_FILES;
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  fs.mkdirSync(path.dirname(logPath), { recursive: true, mode: 448 });
+  let fd = fs.openSync(logPath, "a", 384);
+  if (process.platform !== "win32") {
+    try {
+      fs.chmodSync(logPath, 384);
+    } catch {
+    }
+  }
+  function rotate() {
+    try {
+      fs.closeSync(fd);
+    } catch {
+    }
+    for (let i = maxFiles - 1; i >= 1; i -= 1) {
+      const src = `${logPath}.${i}`;
+      const dst = `${logPath}.${i + 1}`;
+      try {
+        fs.renameSync(src, dst);
+      } catch (err) {
+        if (err.code !== "ENOENT") {
+        }
+      }
+    }
+    try {
+      fs.renameSync(logPath, `${logPath}.1`);
+    } catch (err) {
+      if (err.code !== "ENOENT") {
+      }
+    }
+    fd = fs.openSync(logPath, "a", 384);
+    if (process.platform !== "win32") {
+      try {
+        fs.chmodSync(logPath, 384);
+      } catch {
+      }
+    }
+  }
+  function write(level, message) {
+    const line = `${now().toISOString()} ${level.toUpperCase()} ${redactSecrets(message)}
+`;
+    const buf = Buffer.from(line, "utf-8");
+    let stat = null;
+    try {
+      stat = fs.fstatSync(fd);
+    } catch {
+    }
+    if (stat && stat.size + buf.length > maxBytes) {
+      rotate();
+    }
+    try {
+      fs.writeSync(fd, buf);
+    } catch {
+      try {
+        fs.closeSync(fd);
+      } catch {
+      }
+      try {
+        fd = fs.openSync(logPath, "a", 384);
+        fs.writeSync(fd, buf);
+      } catch {
+      }
+    }
+  }
+  function close() {
+    try {
+      fs.closeSync(fd);
+    } catch {
+    }
+  }
+  return { write, close, path: logPath };
+}
+var SECRET_PATTERNS = [
+  [/Bearer\s+[A-Za-z0-9._\-+/=]+/g, "Bearer ***"],
+  [
+    /(["']?(?:access|refresh)_?token["']?\s*[:=]\s*)["']?[A-Za-z0-9._\-+/=]+/gi,
+    '$1"***"'
+  ],
+  [/(Sec-WebSocket-Protocol:\s*)\S+/gi, "$1***"],
+  [
+    /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}/g,
+    "***.***.***"
+  ]
+];
+function redactSecrets(message) {
+  let out = message;
+  for (const [pattern, replacement] of SECRET_PATTERNS) {
+    out = out.replace(pattern, replacement);
+  }
+  return out;
+}
+
+export {
+  openDaemonLog
+};
+//# sourceMappingURL=chunk-2OJ3GGIP.js.map

package/dist/{chunk-5VK2ZMVV.js → chunk-A54HGVML.js}

@@ -934,6 +934,31 @@ function hasProjectWorkflow(projectDir) {
   return hasActiveWorkflow(projectConfigPath(projectDir));
 }
 
+// src/infra/plugins/mcpOptions.ts
+import fs6 from "fs";
+import path5 from "path";
+function collectMcpServersWithOptions(pluginDirs) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const dir of pluginDirs) {
+    const mcpPath = path5.join(dir, ".mcp.json");
+    if (!fs6.existsSync(mcpPath)) {
+      continue;
+    }
+    const config = JSON.parse(fs6.readFileSync(mcpPath, "utf-8"));
+    for (const [serverName, serverConfig] of Object.entries(
+      config.mcpServers ?? {}
+    )) {
+      if (seen.has(serverName) || !Array.isArray(serverConfig.options) || serverConfig.options.length === 0) {
+        continue;
+      }
+      seen.add(serverName);
+      result.push({ serverName, options: serverConfig.options });
+    }
+  }
+  return result;
+}
+
 // src/core/workflows/types.ts
 function pluginSpecRef(spec) {
   return typeof spec === "string" ? spec : spec.ref;
@@ -1027,17 +1052,17 @@ function refreshPinnedWorkflowPlugins(workflow) {
 }
 
 // src/core/workflows/registry.ts
-import fs9 from "fs";
+import fs10 from "fs";
 import os5 from "os";
-import path7 from "path";
+import path8 from "path";
 
 // src/core/workflows/builtins/index.ts
-import fs7 from "fs";
+import fs8 from "fs";
 import os4 from "os";
-import path5 from "path";
+import path6 from "path";
 
 // src/core/workflows/loopManager.ts
-import fs6 from "fs";
+import fs7 from "fs";
 
 // src/core/workflows/templateVars.ts
 function substituteVariables(text, ctx) {
@@ -1068,7 +1093,7 @@ function createLoopManager(trackerPath, config) {
   const blockedMarker = config.blockedMarker ?? DEFAULT_BLOCKED_MARKER;
   function readTracker() {
     try {
-      return fs6.readFileSync(trackerPath, "utf-8");
+      return fs7.readFileSync(trackerPath, "utf-8");
     } catch {
       return "";
     }
@@ -1180,17 +1205,17 @@ If you are blocked and cannot make further progress:
 3. Explain what needs to happen to unblock the task whenever possible
 `;
 function ensureSystemPromptFile() {
-  const dir = path5.join(
+  const dir = path6.join(
     os4.homedir(),
     ".config",
     "athena",
     "builtins",
     "default"
   );
-  const filePath = path5.join(dir, "system_prompt.md");
-  if (!fs7.existsSync(filePath) || fs7.readFileSync(filePath, "utf-8") !== SYSTEM_PROMPT) {
-    fs7.mkdirSync(dir, { recursive: true });
-    fs7.writeFileSync(filePath, SYSTEM_PROMPT, "utf-8");
+  const filePath = path6.join(dir, "system_prompt.md");
+  if (!fs8.existsSync(filePath) || fs8.readFileSync(filePath, "utf-8") !== SYSTEM_PROMPT) {
+    fs8.mkdirSync(dir, { recursive: true });
+    fs8.writeFileSync(filePath, SYSTEM_PROMPT, "utf-8");
   }
   return filePath;
 }
@@ -1217,19 +1242,19 @@ function listBuiltinWorkflows() {
 }
 
 // src/core/workflows/sourceMetadata.ts
-import fs8 from "fs";
-import path6 from "path";
+import fs9 from "fs";
+import path7 from "path";
 function legacyLocalToNew(legacyPath, legacyRepoDir) {
   const repoDir = legacyRepoDir ?? findMarketplaceRepoDir(legacyPath);
   if (!repoDir) {
     return { kind: "filesystem", path: legacyPath };
   }
   try {
-    const canonicalRepoDir = fs8.realpathSync(repoDir);
+    const canonicalRepoDir = fs9.realpathSync(repoDir);
     const listings = listMarketplaceWorkflowsFromRepo(canonicalRepoDir);
-    const absolutePath = fs8.realpathSync(legacyPath);
+    const absolutePath = fs9.realpathSync(legacyPath);
     const match = listings.find(
-      (l) => fs8.realpathSync(l.workflowPath) === absolutePath
+      (l) => fs9.realpathSync(l.workflowPath) === absolutePath
     );
     if (match) {
       return {
@@ -1244,11 +1269,11 @@ function legacyLocalToNew(legacyPath, legacyRepoDir) {
   return { kind: "filesystem", path: legacyPath };
 }
 function readWorkflowSourceMetadata(workflowDir) {
-  const sourceFile = path6.join(workflowDir, "source.json");
-  if (!fs8.existsSync(sourceFile)) return void 0;
+  const sourceFile = path7.join(workflowDir, "source.json");
+  if (!fs9.existsSync(sourceFile)) return void 0;
   let raw;
   try {
-    raw = JSON.parse(fs8.readFileSync(sourceFile, "utf-8"));
+    raw = JSON.parse(fs9.readFileSync(sourceFile, "utf-8"));
   } catch {
     throw new Error(`Invalid source.json: ${sourceFile} is not valid JSON`);
   }
@@ -1290,9 +1315,9 @@ function readWorkflowSourceMetadata(workflowDir) {
   throw new Error(`Invalid source.json: ${sourceFile} kind is not supported`);
 }
 function writeWorkflowSourceMetadata(workflowDir, metadata) {
-  fs8.mkdirSync(workflowDir, { recursive: true });
-  fs8.writeFileSync(
-    path6.join(workflowDir, "source.json"),
+  fs9.mkdirSync(workflowDir, { recursive: true });
+  fs9.writeFileSync(
+    path7.join(workflowDir, "source.json"),
     JSON.stringify({ v: 2, ...metadata }),
     "utf-8"
   );
@@ -1300,19 +1325,19 @@ function writeWorkflowSourceMetadata(workflowDir, metadata) {
 
 // src/core/workflows/registry.ts
 function registryDir() {
-  return path7.join(os5.homedir(), ".config", "athena", "workflows");
+  return path8.join(os5.homedir(), ".config", "athena", "workflows");
 }
 function ensurePathWithinRoot(rootDir, targetPath, label) {
-  const relative = path7.relative(rootDir, targetPath);
-  if (relative === "" || !relative.startsWith("..") && !path7.isAbsolute(relative)) {
+  const relative = path8.relative(rootDir, targetPath);
+  if (relative === "" || !relative.startsWith("..") && !path8.isAbsolute(relative)) {
     return;
   }
   throw new Error(`${label} resolves outside the workflow root: ${targetPath}`);
 }
 function resolveWorkflow(name) {
-  const workflowDir = path7.join(registryDir(), name);
-  const workflowPath = path7.join(workflowDir, "workflow.json");
-  if (!fs9.existsSync(workflowPath)) {
+  const workflowDir = path8.join(registryDir(), name);
+  const workflowPath = path8.join(workflowDir, "workflow.json");
+  if (!fs10.existsSync(workflowPath)) {
     const builtin = resolveBuiltinWorkflow(name);
     if (builtin) {
       return builtin;
@@ -1322,7 +1347,7 @@ function resolveWorkflow(name) {
     );
   }
   const source = readWorkflowSourceMetadata(workflowDir);
-  const raw = JSON.parse(fs9.readFileSync(workflowPath, "utf-8"));
+  const raw = JSON.parse(fs10.readFileSync(workflowPath, "utf-8"));
   if (!Array.isArray(raw["plugins"])) {
     throw new Error(
       `Invalid workflow.json: "plugins" must be an array (got ${typeof raw["plugins"]})`
@@ -1362,15 +1387,15 @@ function resolveWorkflow(name) {
     );
   }
   const workflowFile = raw["workflowFile"];
-  if (typeof workflowFile === "string" && !path7.isAbsolute(workflowFile)) {
-    const workflowFilePath = path7.resolve(workflowDir, workflowFile);
-    if (!fs9.existsSync(workflowFilePath)) {
+  if (typeof workflowFile === "string" && !path8.isAbsolute(workflowFile)) {
+    const workflowFilePath = path8.resolve(workflowDir, workflowFile);
+    if (!fs10.existsSync(workflowFilePath)) {
       throw new Error(
         `Invalid workflow.json: workflowFile "${workflowFile}" not found at ${workflowFilePath}`
       );
     }
     raw["workflowFile"] = workflowFilePath;
-  } else if (typeof workflowFile === "string" && !fs9.existsSync(workflowFile)) {
+  } else if (typeof workflowFile === "string" && !fs10.existsSync(workflowFile)) {
     throw new Error(
       `Invalid workflow.json: workflowFile "${workflowFile}" not found`
     );
@@ -1381,29 +1406,29 @@ function resolveWorkflow(name) {
   };
 }
 function readWorkflowSource(sourcePath) {
-  const content = fs9.readFileSync(sourcePath, "utf-8");
+  const content = fs10.readFileSync(sourcePath, "utf-8");
   return { content, workflow: JSON.parse(content) };
 }
 function copyWorkflowFiles(sourcePath, destDir) {
   const { content, workflow } = readWorkflowSource(sourcePath);
-  const absoluteSourcePath = path7.resolve(sourcePath);
-  const sourceDir = path7.dirname(absoluteSourcePath);
-  const absoluteDestDir = path7.resolve(destDir);
-  fs9.mkdirSync(absoluteDestDir, { recursive: true });
-  fs9.writeFileSync(
-    path7.join(absoluteDestDir, "workflow.json"),
+  const absoluteSourcePath = path8.resolve(sourcePath);
+  const sourceDir = path8.dirname(absoluteSourcePath);
+  const absoluteDestDir = path8.resolve(destDir);
+  fs10.mkdirSync(absoluteDestDir, { recursive: true });
+  fs10.writeFileSync(
+    path8.join(absoluteDestDir, "workflow.json"),
     content,
     "utf-8"
   );
   const copyRelativeAsset = (assetPath) => {
-    if (!assetPath || path7.isAbsolute(assetPath)) return;
-    const sourceAssetPath = path7.resolve(sourceDir, assetPath);
+    if (!assetPath || path8.isAbsolute(assetPath)) return;
+    const sourceAssetPath = path8.resolve(sourceDir, assetPath);
     ensurePathWithinRoot(sourceDir, sourceAssetPath, "Workflow asset");
-    if (!fs9.existsSync(sourceAssetPath)) return;
-    const destAssetPath = path7.resolve(absoluteDestDir, assetPath);
+    if (!fs10.existsSync(sourceAssetPath)) return;
+    const destAssetPath = path8.resolve(absoluteDestDir, assetPath);
     ensurePathWithinRoot(absoluteDestDir, destAssetPath, "Workflow asset");
-    fs9.mkdirSync(path7.dirname(destAssetPath), { recursive: true });
-    fs9.copyFileSync(sourceAssetPath, destAssetPath);
+    fs10.mkdirSync(path8.dirname(destAssetPath), { recursive: true });
+    fs10.copyFileSync(sourceAssetPath, destAssetPath);
   };
   const rawWorkflow = workflow;
   const promptAsset = rawWorkflow["workflowFile"];
@@ -1440,7 +1465,7 @@ function installWorkflowFromSource(source, name) {
       'Workflow has no "name" field. Provide --name to specify one.'
     );
   }
-  const destDir = path7.join(registryDir(), workflowName);
+  const destDir = path8.join(registryDir(), workflowName);
   copyWorkflowFiles(source.workflowPath, destDir);
   const metadata = toStoredMetadata(source);
   writeWorkflowSourceMetadata(destDir, metadata);
@@ -1482,7 +1507,7 @@ function reResolveFromMetadata(metadata) {
   return { kind: "filesystem", workflowPath: metadata.path };
 }
 function updateWorkflow(name) {
-  const workflowDir = path7.join(registryDir(), name);
+  const workflowDir = path8.join(registryDir(), name);
   const metadata = readWorkflowSourceMetadata(workflowDir);
   if (!metadata) {
     throw new Error(
@@ -1496,8 +1521,8 @@ function updateWorkflow(name) {
 }
 function listWorkflows() {
   const dir = registryDir();
-  const installed = fs9.existsSync(dir) ? fs9.readdirSync(dir, { withFileTypes: true }).filter(
-    (entry) => entry.isDirectory() && fs9.existsSync(path7.join(dir, entry.name, "workflow.json"))
+  const installed = fs10.existsSync(dir) ? fs10.readdirSync(dir, { withFileTypes: true }).filter(
+    (entry) => entry.isDirectory() && fs10.existsSync(path8.join(dir, entry.name, "workflow.json"))
   ).map((entry) => entry.name) : [];
   const builtins = listBuiltinWorkflows().filter(
     (name) => !installed.includes(name)
@@ -1505,11 +1530,11 @@ function listWorkflows() {
   return [...builtins, ...installed];
 }
 function removeWorkflow(name) {
-  const dir = path7.join(registryDir(), name);
-  if (!fs9.existsSync(dir)) {
+  const dir = path8.join(registryDir(), name);
+  if (!fs10.existsSync(dir)) {
     throw new Error(`Workflow "${name}" not found.`);
   }
-  fs9.rmSync(dir, { recursive: true, force: true });
+  fs10.rmSync(dir, { recursive: true, force: true });
 }
 
 // src/core/workflows/applyWorkflow.ts
@@ -1543,8 +1568,8 @@ function compileWorkflowPlan(input) {
 }
 
 // src/core/workflows/sessionPlan.ts
-import fs10 from "fs";
-import path8 from "path";
+import fs11 from "fs";
+import path9 from "path";
 
 // src/core/workflows/stateMachine.md
 var stateMachine_default = "# Stateless Session Protocol\n\nYou run in a stateless loop. Each session is a fresh process with no memory of prior sessions. **The tracker file is your only continuity** \u2014 read it, work, write it. Assume interruption: the runner may kill a long session, your context may collapse under tool output, you may hit token limits mid-task. Anything not in the tracker is gone.\n\n## First action, every session\n\n1. Read the tracker at the configured path (default: `.athena/<session_id>/tracker.md`). The runner provides the session ID \u2014 do not invent one.\n2. If the tracker contains `<!-- TRACKER_SKELETON -->` \u2192 this is session 1, run [**Orient**](#orient-session-1).\n3. Otherwise \u2192 this is a continuation, run [**Execute**](#execute-session-2) from where the tracker says, not from the start of the flow.\n\nReading first prevents two failure modes that waste whole sessions: redoing work already done, or contradicting decisions a prior session made.\n\n## Tracker contract\n\nThe tracker must always answer four questions:\n\n1. What are we trying to accomplish?\n2. What has been done?\n3. What's left?\n4. What should the next session do first?\n\nA future session has no other context. If something isn't here, it doesn't exist. Section headings may vary by workflow, but these four answers must be explicit and easy to find.\n\n### Terminal markers\n\nDefault markers (workflows may override \u2014 use the markers configured for the active workflow):\n\n- `<!-- WORKFLOW_COMPLETE -->` \u2014 all work done and verified\n- `<!-- WORKFLOW_BLOCKED -->` or `<!-- WORKFLOW_BLOCKED: reason -->` \u2014 cannot proceed without external intervention\n\nRules:\n\n- Only the last non-empty line of the tracker is authoritative. Marker-like text in notes, examples, or quoted instructions earlier in the file is ignored.\n- The runner trusts markers unconditionally. A premature marker ends the loop with no automatic recovery \u2014 write one only when its criteria are fully met.\n- Include a concrete reason after `WORKFLOW_BLOCKED:` whenever possible; the bare form is still valid.\n\n## Phases\n\n### Orient (session 1)\n\n1. **Replace the skeleton immediately**, before any domain work. Even a three-line tracker (goal + \"orienting\") protects you if the session dies during setup.\n2. Run the workflow's orientation steps. These vary by domain \u2014 a test-writing workflow explores the product in a browser; a migration workflow audits the schema. The workflow defines what orientation means.\n3. Refine the tracker into a granular plan. Each task a concrete, verifiable unit of work, including verification steps (running checks, reviewing output) \u2014 not just implementation. Vague tasks (\"write tests\") cannot be meaningfully resumed by a future session that has no idea what they mean here.\n4. Record concrete observations \u2014 what you actually saw, not what you assumed. Wrong assumptions burn entire future sessions on rework.\n5. **Single-turn requests still go through this phase.** If the entire request is satisfied in one turn, write a minimal tracker (what was asked, what was done, the outcome) and append `<!-- WORKFLOW_COMPLETE -->`. Leaving the skeleton in place causes the runner to classify the session as a failure.\n\n### Execute (session 2+)\n\n- Work from where the tracker says, in the workflow's prescribed sequence. Not every session covers every step.\n- If the workflow defines a skill table, **load the relevant skill before each activity**. Skills carry the implementation detail (scaffolding steps, locator rules, anti-patterns, code templates) that this protocol intentionally doesn't repeat.\n- Delegate heavy exploration or generation to subagents via the Task tool. Pass file paths, conventions, and concrete output expectations; tell them which skill to load. Respect the workflow's **delegation constraints** \u2014 some operations must run in the main agent because their output is proof, or because the main agent needs to interpret results in context.\n- Run quality gates in order. Do not skip \u2014 they exist because skipping cascades into rework. On a failing verdict, address the issues and re-run before proceeding. Respect the workflow's **retry limits**: repeated failure usually signals a deeper issue another retry won't fix.\n\n### End\n\n1. Tracker reflects all progress, discoveries, and blockers.\n2. Tracker says clearly what the next session should do first.\n3. If all work is verified: append the completion marker.\n4. If an unrecoverable blocker prevents progress: append the blocked marker, with a reason if you have one.\n\n## When to write the tracker\n\nWrite on **concrete triggers**, not on a vague sense of \"meaningful progress.\" The right cadence sits between every-tool-call (noisy log, wastes tokens) and end-of-session (everything lost if you die mid-task).\n\n- **Discrete unit done** \u2014 file written, fix applied, test run, gate passed. Reflect the new reality before starting the next unit.\n- **Insight learned** \u2014 API quirk, config field that turned out to matter, dead end ruled out, decision between two approaches. Insights are tracker-worthy even when no code changed; rediscovering them costs the next session a full re-exploration. The tracker is a knowledge ledger, not just a task log.\n- **About to do something risky or long-running** \u2014 subagent dispatch, long build, flaky external call, large refactor. Write _first_, then act. If the operation kills your session, only what's on disk survives.\n- **Plan changed** \u2014 task resequenced, new task surfaced, planned task no longer needed. Stale plans poison continuation sessions.\n- **You haven't written in a while** \u2014 if you can't remember the last update, you've gone too long. A short defensive update (\"doing X, last completed Y, next is Z\") beats nothing.\n\nEach update covers: what changed (work or knowledge), what's now next, and any caveat the next session needs. Don't transcribe tool calls \u2014 the tracker is a contract with your future self, not a replay log.\n\nThe cost of one extra tracker update is a few tokens. The cost of dying without one is a whole wasted session. Bias toward writing.\n\n## Task UI projection\n\nThe tracker is the durable source of truth. Your harness's task tools are a session-scoped UI projection of the same plan, shown to the user in their CLI widget. They do not survive process exit.\n\n{{TASK_TOOL_INSTRUCTIONS}}\n\n- **Session 1, after orientation:** project the tracker's task plan into the task tools.\n- **Session 2+, after reading the tracker:** recreate the projection from the tracker; do not assume task IDs from prior sessions still exist.\n- **During work:** update both \u2014 the task tools for immediate UI feedback, the tracker for persistence \u2014 in the same working phase.\n\n## Session bounding\n\nEach fresh session starts with a clean context window and a compact tracker \u2014 effectively self-compaction. As you work, context fills with tool outputs and intermediate state. The longer you run, the more attention is spread across tokens that are no longer relevant, degrading precision on the work that matters now.\n\nWork a bounded chunk per session. Ending early and letting the next session pick up from a clean tracker is almost always better than pushing through with a heavy context. Natural checkpoints:\n\n- After a quality gate\n- After crossing multiple phases (explored \u2192 planned \u2192 wrote specs) \u2014 stop before pushing into the next\n- When your context is visibly heavy with tool output from earlier work\n\n## Quick reference\n\n- [ ] Read the tracker before doing anything else\n- [ ] Replace the skeleton immediately, even for single-turn requests\n- [ ] Update on concrete triggers \u2014 unit done, insight learned, risky op pending, plan changed\n- [ ] Project the tracker plan into task tools at session start; keep both in sync as work lands\n- [ ] Load the workflow's skill before each activity\n- [ ] Run quality gates in order; respect delegation constraints and retry limits\n- [ ] Write the completion marker only when all work is verified\n- [ ] Checkpoint and end before context goes stale\n";
@@ -1587,10 +1612,10 @@ function readWorkflowOverride(projectDir, workflow, sessionId, trackerPath, harn
   if (!workflow?.workflowFile) {
     return { workflowOverride: void 0, warnings: [] };
   }
-  const resolvedPath = path8.isAbsolute(workflow.workflowFile) ? workflow.workflowFile : path8.resolve(projectDir, workflow.workflowFile);
+  const resolvedPath = path9.isAbsolute(workflow.workflowFile) ? workflow.workflowFile : path9.resolve(projectDir, workflow.workflowFile);
   let workflowContent;
   try {
-    workflowContent = fs10.readFileSync(resolvedPath, "utf-8");
+    workflowContent = fs11.readFileSync(resolvedPath, "utf-8");
   } catch {
     return {
       workflowOverride: void 0,
@@ -1604,9 +1629,9 @@ function readWorkflowOverride(projectDir, workflow, sessionId, trackerPath, harn
     sessionId,
     trackerPath: trackerPath ?? void 0
   });
-  const workflowDir = path8.dirname(resolvedPath);
-  const composedPath = path8.join(workflowDir, ".composed-system-prompt.md");
-  fs10.writeFileSync(composedPath, composed, "utf-8");
+  const workflowDir = path9.dirname(resolvedPath);
+  const composedPath = path9.join(workflowDir, ".composed-system-prompt.md");
+  fs11.writeFileSync(composedPath, composed, "utf-8");
   return {
     workflowOverride: {
       appendSystemPromptFile: composedPath,
@@ -1633,7 +1658,7 @@ function resolveTrackerPath(input) {
     return null;
   }
   const promptPath = input.sessionId ? rawPath.replaceAll("{sessionId}", input.sessionId) : rawPath;
-  const absolutePath = path8.isAbsolute(promptPath) ? promptPath : path8.resolve(input.projectDir, promptPath);
+  const absolutePath = path9.isAbsolute(promptPath) ? promptPath : path9.resolve(input.projectDir, promptPath);
   return {
     absolutePath,
     promptPath
@@ -1679,7 +1704,7 @@ function shouldContinueWorkflowRun(state) {
     return null;
   }
   const loopState = loopManager.getState();
-  if (!fs10.existsSync(loopManager.trackerPath)) {
+  if (!fs11.existsSync(loopManager.trackerPath)) {
     cleanupWorkflowRun(state);
     return {
       reason: "missing_tracker",
@@ -1725,8 +1750,8 @@ import { useCallback, useEffect, useRef, useState } from "react";
 
 // src/core/workflows/workflowRunner.ts
 import crypto from "crypto";
-import fs11 from "fs";
-import path9 from "path";
+import fs12 from "fs";
+import path10 from "path";
 var NULL_TOKENS = {
   input: null,
   output: null,
@@ -1783,9 +1808,9 @@ function mergeTokens(base, next) {
   };
 }
 function defaultCreateTracker(trackerPath, content) {
-  fs11.mkdirSync(path9.dirname(trackerPath), { recursive: true });
+  fs12.mkdirSync(path10.dirname(trackerPath), { recursive: true });
   try {
-    fs11.writeFileSync(trackerPath, content, { encoding: "utf-8", flag: "wx" });
+    fs12.writeFileSync(trackerPath, content, { encoding: "utf-8", flag: "wx" });
   } catch (e) {
     if (e.code !== "EEXIST") throw e;
   }
@@ -1898,7 +1923,8 @@ function createWorkflowRunner(input) {
           } else if (loopStop.reason === "max_iterations") {
             status = "exhausted";
           } else if (loopStop.reason === "skeleton_not_replaced") {
-            status = "completed";
+            status = "failed";
+            stopReason = "tracker skeleton was never replaced \u2014 Claude did not bootstrap the tracker";
           } else {
             status = "failed";
             stopReason = `Loop stopped: ${loopStop.reason}`;
@@ -2041,31 +2067,6 @@ function useWorkflowSessionController(base, input) {
   };
 }
 
-// src/infra/plugins/mcpOptions.ts
-import fs12 from "fs";
-import path10 from "path";
-function collectMcpServersWithOptions(pluginDirs) {
-  const result = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const dir of pluginDirs) {
-    const mcpPath = path10.join(dir, ".mcp.json");
-    if (!fs12.existsSync(mcpPath)) {
-      continue;
-    }
-    const config = JSON.parse(fs12.readFileSync(mcpPath, "utf-8"));
-    for (const [serverName, serverConfig] of Object.entries(
-      config.mcpServers ?? {}
-    )) {
-      if (seen.has(serverName) || !Array.isArray(serverConfig.options) || serverConfig.options.length === 0) {
-        continue;
-      }
-      seen.add(serverName);
-      result.push({ serverName, options: serverConfig.options });
-    }
-  }
-  return result;
-}
-
 export {
   createWorkflowRunner,
   useWorkflowSessionController,
@@ -2084,6 +2085,7 @@ export {
   writeGlobalConfig,
   writeProjectConfig,
   hasProjectWorkflow,
+  collectMcpServersWithOptions,
   installWorkflowPlugins,
   resolveWorkflowPlugins,
   listBuiltinWorkflows,
@@ -2092,7 +2094,6 @@ export {
   updateWorkflow,
   listWorkflows,
   removeWorkflow,
-  compileWorkflowPlan,
-  collectMcpServersWithOptions
+  compileWorkflowPlan
 };
-//# sourceMappingURL=chunk-5VK2ZMVV.js.map
+//# sourceMappingURL=chunk-A54HGVML.js.map

package/dist/chunk-D4W7RB25.js

@@ -0,0 +1,76 @@
+import {
+  isLoopbackHost
+} from "./chunk-WRHKXH5M.js";
+
+// src/gateway/auth.ts
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+var TOKEN_BYTES = 32;
+function loadOrCreateToken(tokenPath) {
+  try {
+    const buf = fs.readFileSync(tokenPath);
+    const text = buf.toString("utf-8").trim();
+    if (text.length >= 16) return text;
+  } catch (err) {
+    const code = err.code;
+    if (code !== "ENOENT") throw err;
+  }
+  return writeNewToken(tokenPath);
+}
+function rotateGatewayToken(tokenPath) {
+  return writeNewToken(tokenPath);
+}
+function writeNewToken(tokenPath) {
+  const dir = path.dirname(tokenPath);
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  const token = crypto.randomBytes(TOKEN_BYTES).toString("base64url");
+  const tmpPath = `${tokenPath}.tmp-${process.pid}-${crypto.randomBytes(4).toString("hex")}`;
+  fs.writeFileSync(tmpPath, token + "\n", { mode: 384 });
+  try {
+    fs.renameSync(tmpPath, tokenPath);
+  } catch (err) {
+    try {
+      fs.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  if (process.platform !== "win32") {
+    fs.chmodSync(dir, 448);
+    fs.chmodSync(tokenPath, 384);
+  }
+  return token;
+}
+function timingSafeTokenEqual(a, b) {
+  const ab = Buffer.from(a, "utf-8");
+  const bb = Buffer.from(b, "utf-8");
+  if (ab.length !== bb.length) {
+    const filler = Buffer.alloc(Math.max(ab.length, bb.length));
+    crypto.timingSafeEqual(filler, filler);
+    return false;
+  }
+  return crypto.timingSafeEqual(ab, bb);
+}
+function requireTokenForBind(spec, token) {
+  if (spec.kind === "uds" || isLoopbackHost(spec.host)) return;
+  if (!token || token.length < 16) {
+    throw new Error(
+      `gateway: refusing to bind ${spec.host}:${spec.port} without token configured`
+    );
+  }
+  if (spec.tls) return;
+  if (!spec.insecure) {
+    throw new Error(
+      `gateway: refusing to bind ${spec.host}:${spec.port} without TLS; pass --tls-cert/--tls-key, or --insecure only for trusted reverse-proxy/tunnel deployments`
+    );
+  }
+}
+
+export {
+  loadOrCreateToken,
+  rotateGatewayToken,
+  timingSafeTokenEqual,
+  requireTokenForBind
+};
+//# sourceMappingURL=chunk-D4W7RB25.js.map