@freesyntax/notch-cli 0.5.17 → 0.5.20

package/dist/chunk-YBYF7L4A.js

@@ -0,0 +1,2607 @@
+import {
+  grepTool
+} from "./chunk-6CZCFY6H.js";
+import {
+  globTool
+} from "./chunk-6U3ZAGYA.js";
+import {
+  webFetchTool
+} from "./chunk-FFB7GK3Y.js";
+import {
+  githubTool
+} from "./chunk-GBZGR6ID.js";
+import {
+  lspTool
+} from "./chunk-TH6GKC7E.js";
+import {
+  notebookTool
+} from "./chunk-KZAS754V.js";
+import {
+  taskTool
+} from "./chunk-UR4XL6OM.js";
+import {
+  pluginManager
+} from "./chunk-3QUV4JEX.js";
+import {
+  readTool
+} from "./chunk-CQMAVWLJ.js";
+import {
+  writeTool
+} from "./chunk-O3WZW7GS.js";
+import {
+  editTool
+} from "./chunk-YAYPQTOU.js";
+import {
+  applyPatchTool
+} from "./chunk-C4CPDDMN.js";
+import {
+  shellTool
+} from "./chunk-W4FAGQFL.js";
+import {
+  gitTool
+} from "./chunk-FAULT7VE.js";
+
+// src/tools/index.ts
+import { tool } from "ai";
+
+// src/tools/code-mode.ts
+import vm from "vm";
+import { z } from "zod";
+var DEFAULT_YIELD_TIME_MS = 3e4;
+var MAX_YIELD_TIME_MS = 3e5;
+var DEFAULT_MAX_OUTPUT_TOKENS = 1e3;
+var CHARS_PER_TOKEN = 4;
+var PRAGMA_PREFIX = "// @exec:";
+var EXCLUDED_TOOLS = /* @__PURE__ */ new Set(["code_exec", "code_wait"]);
+var CELLS = /* @__PURE__ */ new Map();
+function nextCellId() {
+  return `cell_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+}
+function parsePragma(input) {
+  const firstNewline = input.indexOf("\n");
+  if (firstNewline < 0) return { code: input };
+  const firstLine = input.slice(0, firstNewline).trimStart();
+  if (!firstLine.startsWith(PRAGMA_PREFIX)) return { code: input };
+  const rest = input.slice(firstNewline + 1);
+  const directive = firstLine.slice(PRAGMA_PREFIX.length).trim();
+  if (!directive) return { code: rest };
+  try {
+    const parsed = JSON.parse(directive);
+    if (!parsed || typeof parsed !== "object") return { code: rest };
+    const obj = parsed;
+    const out = { code: rest };
+    if (typeof obj.yield_time_ms === "number" && Number.isFinite(obj.yield_time_ms)) {
+      out.yieldTimeMs = obj.yield_time_ms;
+    }
+    if (typeof obj.max_output_tokens === "number" && Number.isFinite(obj.max_output_tokens)) {
+      out.maxOutputTokens = obj.max_output_tokens;
+    }
+    return out;
+  } catch {
+    return { code: rest };
+  }
+}
+function toJsIdentifier(name) {
+  return name.replace(/[^A-Za-z0-9_]/g, "_");
+}
+function buildContext(args) {
+  const { realTools, store, stdoutBuf, notifBuf, input, onYield, log } = args;
+  const wrappedTools = {};
+  for (const [name, tool2] of Object.entries(realTools)) {
+    if (EXCLUDED_TOOLS.has(name)) continue;
+    const jsName = toJsIdentifier(name);
+    const exec = tool2.execute;
+    wrappedTools[jsName] = async (params) => {
+      try {
+        const result = await exec(params ?? {});
+        if (!result) return "";
+        if (typeof result === "string") return result;
+        return result.content ?? "";
+      } catch (err) {
+        return `Error: ${err.message ?? String(err)}`;
+      }
+    };
+  }
+  const captureConsole = (level) => (...a) => {
+    const line = a.map((x) => {
+      if (x === null || x === void 0) return String(x);
+      if (typeof x === "string") return x;
+      try {
+        return JSON.stringify(x);
+      } catch {
+        return String(x);
+      }
+    }).join(" ");
+    stdoutBuf.value += (level === "log" ? "" : `[${level}] `) + line + "\n";
+  };
+  const sandboxConsole = {
+    log: captureConsole("log"),
+    info: captureConsole("info"),
+    warn: captureConsole("warn"),
+    error: captureConsole("error"),
+    debug: captureConsole("debug")
+  };
+  const globals = {
+    console: sandboxConsole,
+    Buffer,
+    URL,
+    URLSearchParams,
+    TextEncoder,
+    TextDecoder,
+    // Timers
+    setTimeout,
+    clearTimeout,
+    setInterval,
+    clearInterval,
+    setImmediate,
+    clearImmediate,
+    // Network
+    fetch: globalThis.fetch,
+    // WebCrypto
+    crypto: globalThis.crypto,
+    // Primitives that are mandatory for useful JS
+    Promise,
+    JSON,
+    Math,
+    Date,
+    Array,
+    Object,
+    String,
+    Number,
+    Boolean,
+    RegExp,
+    Error,
+    TypeError,
+    RangeError,
+    // Tool surface
+    tools: wrappedTools,
+    ALL_TOOLS: Object.keys(wrappedTools).map((n) => ({ name: n, description: "" })),
+    // Per-cell kv
+    store: (key, value) => {
+      store.set(key, value);
+    },
+    load: (key) => store.get(key),
+    // Extras
+    notify: (msg) => {
+      const text = typeof msg === "string" ? msg : (() => {
+        try {
+          return JSON.stringify(msg);
+        } catch {
+          return String(msg);
+        }
+      })();
+      notifBuf.push(text);
+      log(`[code_exec notify] ${text}`);
+    },
+    yield_control: () => {
+      onYield();
+    },
+    exit: () => {
+      throw new __CodeModeExitSignal();
+    },
+    input
+  };
+  return vm.createContext(globals, { name: "notch-code-mode" });
+}
+var __CodeModeExitSignal = class extends Error {
+  constructor() {
+    super("__CODE_MODE_EXIT__");
+    this.name = "__CodeModeExitSignal";
+  }
+};
+async function runScript(args) {
+  const { code, yieldTimeMs, context, wireYield, registerPending } = args;
+  const wrapped = `(async () => {
+${code}
+})()`;
+  let script;
+  try {
+    script = new vm.Script(wrapped, { filename: "code_exec.js" });
+  } catch (err) {
+    return { status: "error", error: err.message };
+  }
+  const scriptPromise = (async () => {
+    try {
+      const p = script.runInContext(context, { timeout: yieldTimeMs });
+      return await p;
+    } catch (err) {
+      if (err instanceof __CodeModeExitSignal || err?.name === "__CodeModeExitSignal") {
+        return void 0;
+      }
+      throw err;
+    }
+  })();
+  scriptPromise.catch(() => {
+  });
+  registerPending?.(scriptPromise);
+  const outcome = await new Promise((resolve) => {
+    let settled = false;
+    const finish = (o) => {
+      if (settled) return;
+      settled = true;
+      resolve(o);
+    };
+    wireYield(() => finish({ kind: "yielded" }));
+    const timer = setTimeout(() => finish({ kind: "timeout" }), yieldTimeMs);
+    scriptPromise.then((value) => {
+      clearTimeout(timer);
+      finish({ kind: "done", value });
+    }).catch((error) => {
+      clearTimeout(timer);
+      finish({ kind: "error", error });
+    });
+  });
+  if (outcome.kind === "done") {
+    let rv;
+    if (outcome.value !== void 0) {
+      try {
+        rv = typeof outcome.value === "string" ? outcome.value : JSON.stringify(outcome.value);
+      } catch {
+        rv = String(outcome.value);
+      }
+    }
+    return { status: "completed", returnValue: rv };
+  }
+  if (outcome.kind === "yielded") return { status: "yielded" };
+  if (outcome.kind === "timeout") return { status: "timeout" };
+  return { status: "error", error: outcome.error.message };
+}
+var CODE_EXEC_DESCRIPTION = `Run JavaScript code to orchestrate/compose tool calls in one round-trip.
+
+- Evaluates the provided JavaScript as an async module in a node:vm sandbox.
+- All nested tools are available on the global \`tools\` object, e.g. \`await tools.read({ path: 'foo.ts' })\`. Tool names are normalized JS identifiers (slashes/dots become underscores, so \`tools.mcp__ologs__get_profile(...)\`).
+- Nested tools accept an object and return a string.
+- Accepts raw JavaScript source text \u2014 not JSON, not markdown fences, not a quoted string.
+- Optional first-line pragma: \`// @exec: {"yield_time_ms": 10000, "max_output_tokens": 1000}\`. Pragma values override the structured params.
+- \`yield_time_ms\` asks \`code_exec\` to yield early (status "yielded") if the script is still running. Max 300000ms.
+- \`max_output_tokens\` caps the stdout returned to the model. Default 1000 tokens (~4000 chars).
+- Top-level await is supported.
+
+Globals available in the sandbox:
+- \`tools.<name>(args)\`: call any other notch-cli tool.
+- \`console.log/info/warn/error\`: captured and returned as stdout.
+- \`store(key, value)\` / \`load(key)\`: per-cell kv scoped to the current \`cell_id\`.
+- \`notify(msg)\`: log a message to the user terminal without waiting.
+- \`yield_control()\`: yield current stdout back to the model while the script keeps running \u2014 resume with \`code_wait\`.
+- \`exit()\`: end the script immediately.
+- \`fetch\`, \`URL\`, \`URLSearchParams\`, \`crypto\`, \`TextEncoder/Decoder\`, \`Buffer\`, timers \u2014 standard runtime primitives.
+- \`input\`: optional string provided by \`code_wait\` when resuming.
+- \`ALL_TOOLS\`: array of \`{name, description}\` for every tool exposed on \`tools.*\`.
+
+Sandbox limits (NOT a hard isolate \u2014 this is node:vm, not V8 isolate):
+- No \`require\`, no \`process\`, no \`fs\`, no module system \u2014 all filesystem access must go through wrapped tools (tools.read / tools.write / tools.edit / ...).
+- \`fetch\` IS exposed; assume arbitrary network egress is possible.
+- A tight sync loop CAN exceed \`yield_time_ms\` (vm timeout catches sync code, but async work is only bounded by an outer race).
+
+Return shape: \`{cell_id, status, stdout, return_value?, error?}\`. If status is "yielded" or "timeout", use \`code_wait\` with the same \`cell_id\` to resume.`;
+var CODE_WAIT_DESCRIPTION = `Resume a previously yielded or timed-out \`code_exec\` cell.
+
+- Use only after \`code_exec\` returned status "yielded" or "timeout".
+- \`cell_id\` must match the id returned by the original \`code_exec\` call.
+- \`additional_input\` (optional) is injected as the global \`input\` string inside the resumed script.
+- Returns the same shape as \`code_exec\`: \`{cell_id, status, stdout, return_value?, error?}\`.
+- If the cell has already completed, \`code_wait\` returns the final result and forgets the cell.`;
+function clampYield(ms) {
+  const v = ms ?? DEFAULT_YIELD_TIME_MS;
+  if (!Number.isFinite(v) || v <= 0) return DEFAULT_YIELD_TIME_MS;
+  return Math.min(v, MAX_YIELD_TIME_MS);
+}
+function truncate(s, maxChars) {
+  if (s.length <= maxChars) return s;
+  return s.slice(0, maxChars) + `
+
+[...truncated ${s.length - maxChars} chars]`;
+}
+function formatResult(cell, maxChars, extraNotifs) {
+  const lines = [];
+  lines.push(`cell_id: ${cell.id}`);
+  lines.push(`status: ${cell.status}`);
+  if (cell.returnValue !== void 0) {
+    lines.push(`return_value: ${cell.returnValue.slice(0, 2e3)}`);
+  }
+  if (cell.error) {
+    lines.push(`error: ${cell.error}`);
+  }
+  if (extraNotifs.length > 0) {
+    lines.push(`notifications:
+${extraNotifs.map((n) => `  - ${n}`).join("\n")}`);
+  }
+  lines.push(`stdout:
+${truncate(cell.stdout, maxChars)}`);
+  if (cell.status === "yielded" || cell.status === "timeout") {
+    lines.push(`
+[cell still running \u2014 resume with code_wait({cell_id: "${cell.id}"})]`);
+  }
+  return lines.join("\n");
+}
+var execParams = z.object({
+  code: z.string().describe("Raw JavaScript source. May begin with `// @exec: {...}` pragma."),
+  yield_time_ms: z.number().optional().describe("Yield back to the model after this many ms. Max 300000."),
+  max_output_tokens: z.number().optional().describe("Cap stdout returned to the model. Default 1000."),
+  cell_id: z.string().optional().describe("Reuse an existing cell_id (rarely needed \u2014 exec allocates one).")
+});
+var codeModeExecTool = {
+  name: "code_exec",
+  description: CODE_EXEC_DESCRIPTION,
+  parameters: execParams,
+  execute: async (params, ctx) => {
+    const parsed = parsePragma(params.code);
+    const yieldTimeMs = clampYield(parsed.yieldTimeMs ?? params.yield_time_ms);
+    const maxTokens = parsed.maxOutputTokens ?? params.max_output_tokens ?? DEFAULT_MAX_OUTPUT_TOKENS;
+    const maxChars = Math.max(512, maxTokens * CHARS_PER_TOKEN);
+    const cellId = params.cell_id ?? nextCellId();
+    const realTools = buildToolMap(ctx);
+    const stdoutBuf = { value: "" };
+    const notifBuf = [];
+    const store = /* @__PURE__ */ new Map();
+    const cell = {
+      id: cellId,
+      stdout: "",
+      store,
+      pending: null,
+      status: "error",
+      settled: false,
+      context: null,
+      notifications: notifBuf
+    };
+    const context = buildContext({
+      realTools,
+      store,
+      stdoutBuf,
+      notifBuf,
+      onYield: () => cell.yieldResolver?.(),
+      log: ctx.log
+    });
+    cell.context = context;
+    CELLS.set(cellId, cell);
+    let outcome;
+    try {
+      outcome = await runScript({
+        cellId,
+        code: parsed.code,
+        yieldTimeMs,
+        maxChars,
+        context,
+        stdoutBuf,
+        notifBuf,
+        store,
+        wireYield: (r) => {
+          cell.yieldResolver = r;
+        },
+        registerPending: (p) => {
+          cell.pending = p;
+          p.then((value) => {
+            cell.stdout = stdoutBuf.value;
+            if (!cell.settled) {
+              cell.status = "completed";
+              if (value !== void 0) {
+                try {
+                  cell.returnValue = typeof value === "string" ? value : JSON.stringify(value);
+                } catch {
+                  cell.returnValue = String(value);
+                }
+              }
+              cell.settled = true;
+            }
+          }).catch((err) => {
+            cell.stdout = stdoutBuf.value;
+            if (!cell.settled) {
+              cell.status = "error";
+              cell.error = err.message;
+              cell.settled = true;
+            }
+          });
+        }
+      });
+    } catch (err) {
+      outcome = { status: "error", error: err.message };
+    }
+    cell.stdout = stdoutBuf.value;
+    cell.status = outcome.status;
+    if (outcome.returnValue !== void 0) cell.returnValue = outcome.returnValue;
+    if (outcome.error) cell.error = outcome.error;
+    cell.settled = outcome.status === "completed" || outcome.status === "error";
+    if (cell.settled) CELLS.delete(cellId);
+    const notifsForThisCall = notifBuf.splice(0, notifBuf.length);
+    return {
+      content: formatResult(cell, maxChars, notifsForThisCall),
+      isError: outcome.status === "error"
+    };
+  }
+};
+var waitParams = z.object({
+  cell_id: z.string().describe("The cell_id returned by code_exec."),
+  additional_input: z.string().optional().describe("Injected as the global `input` string inside the resumed script."),
+  yield_time_ms: z.number().optional(),
+  max_output_tokens: z.number().optional(),
+  terminate: z.boolean().optional().describe("If true, stop the cell instead of waiting for more output.")
+});
+var codeModeWaitTool = {
+  name: "code_wait",
+  description: CODE_WAIT_DESCRIPTION,
+  parameters: waitParams,
+  execute: async (params, _ctx) => {
+    const cell = CELLS.get(params.cell_id);
+    if (!cell) {
+      return {
+        content: `cell_id: ${params.cell_id}
+status: unknown
+error: no running cell with that id (it may have already completed)`,
+        isError: true
+      };
+    }
+    const maxTokens = params.max_output_tokens ?? DEFAULT_MAX_OUTPUT_TOKENS;
+    const maxChars = Math.max(512, maxTokens * CHARS_PER_TOKEN);
+    const yieldTimeMs = clampYield(params.yield_time_ms);
+    if (params.terminate) {
+      cell.status = "completed";
+      cell.error = cell.error ?? "terminated by code_wait";
+      cell.settled = true;
+      CELLS.delete(cell.id);
+      const notifs2 = cell.notifications.splice(0, cell.notifications.length);
+      return { content: formatResult(cell, maxChars, notifs2) };
+    }
+    if (params.additional_input !== void 0) {
+      try {
+        vm.runInContext(
+          `globalThis.input = ${JSON.stringify(params.additional_input)};`,
+          cell.context,
+          { timeout: 1e3 }
+        );
+      } catch {
+      }
+    }
+    if (cell.settled) {
+      const notifs2 = cell.notifications.splice(0, cell.notifications.length);
+      CELLS.delete(cell.id);
+      return {
+        content: formatResult(cell, maxChars, notifs2),
+        isError: cell.status === "error"
+      };
+    }
+    const outcome = await new Promise((resolve) => {
+      let settled = false;
+      const finish = (v) => {
+        if (settled) return;
+        settled = true;
+        resolve(v);
+      };
+      cell.yieldResolver = () => finish("yielded");
+      const timer = setTimeout(() => finish("timeout"), yieldTimeMs);
+      if (cell.pending) {
+        cell.pending.then(() => {
+          clearTimeout(timer);
+          finish("done");
+        }).catch(() => {
+          clearTimeout(timer);
+          finish("done");
+        });
+      }
+    });
+    if (outcome === "done") {
+      cell.settled = true;
+      CELLS.delete(cell.id);
+    } else if (outcome === "yielded") {
+      cell.status = "yielded";
+    } else {
+      cell.status = "timeout";
+    }
+    const notifs = cell.notifications.splice(0, cell.notifications.length);
+    return {
+      content: formatResult(cell, maxChars, notifs),
+      isError: cell.status === "error"
+    };
+  }
+};
+
+// src/mcp/client.ts
+import { z as z2 } from "zod";
+
+// src/mcp/transport.ts
+function detectTransport(config) {
+  if (config.transport) return config.transport;
+  if (config.url) return "http";
+  return "stdio";
+}
+
+// src/mcp/stdio-transport.ts
+import { spawn } from "child_process";
+var StdioTransport = class {
+  constructor(config, name) {
+    this.config = config;
+    this.name = name;
+  }
+  config;
+  process = null;
+  requestId = 0;
+  pendingRequests = /* @__PURE__ */ new Map();
+  buffer = "";
+  name;
+  async connect() {
+    if (!this.config.command) {
+      throw new Error(`Stdio transport requires 'command' in config for server ${this.name}`);
+    }
+    this.process = spawn(this.config.command, this.config.args ?? [], {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env, ...this.config.env },
+      cwd: this.config.cwd
+    });
+    this.process.stdout?.setEncoding("utf-8");
+    this.process.stdout?.on("data", (data) => {
+      this.buffer += data;
+      this.processBuffer();
+    });
+    this.process.on("error", (err) => {
+      for (const [id, pending] of this.pendingRequests) {
+        pending.reject(new Error(`MCP server ${this.name} error: ${err.message}`));
+        this.pendingRequests.delete(id);
+      }
+    });
+    this.process.on("exit", (code) => {
+      for (const [id, pending] of this.pendingRequests) {
+        pending.reject(new Error(`MCP server ${this.name} exited with code ${code}`));
+        this.pendingRequests.delete(id);
+      }
+    });
+  }
+  disconnect() {
+    if (this.process) {
+      this.process.stdin?.end();
+      this.process.kill();
+      this.process = null;
+    }
+    this.pendingRequests.clear();
+  }
+  get isAlive() {
+    return this.process !== null && this.process.exitCode === null && !this.process.killed;
+  }
+  sendRequest(method, params) {
+    return new Promise((resolve, reject) => {
+      const id = ++this.requestId;
+      const msg = { jsonrpc: "2.0", id, method, params };
+      this.pendingRequests.set(id, { resolve, reject });
+      const data = JSON.stringify(msg);
+      const header = `Content-Length: ${Buffer.byteLength(data)}\r
+\r
+`;
+      this.process?.stdin?.write(header + data);
+      setTimeout(() => {
+        if (this.pendingRequests.has(id)) {
+          this.pendingRequests.delete(id);
+          reject(new Error(`MCP request ${method} timed out`));
+        }
+      }, 3e4);
+    });
+  }
+  sendNotification(method, params) {
+    const msg = { jsonrpc: "2.0", method, params };
+    const data = JSON.stringify(msg);
+    const header = `Content-Length: ${Buffer.byteLength(data)}\r
+\r
+`;
+    this.process?.stdin?.write(header + data);
+  }
+  processBuffer() {
+    while (this.buffer.length > 0) {
+      const headerEnd = this.buffer.indexOf("\r\n\r\n");
+      if (headerEnd === -1) break;
+      const header = this.buffer.slice(0, headerEnd);
+      const lengthMatch = header.match(/Content-Length:\s*(\d+)/i);
+      if (!lengthMatch) {
+        const nlIdx = this.buffer.indexOf("\n");
+        if (nlIdx === -1) break;
+        const line = this.buffer.slice(0, nlIdx).trim();
+        this.buffer = this.buffer.slice(nlIdx + 1);
+        if (line) this.handleMessage(line);
+        continue;
+      }
+      const contentLength = parseInt(lengthMatch[1], 10);
+      const messageStart = headerEnd + 4;
+      if (this.buffer.length < messageStart + contentLength) break;
+      const body = this.buffer.slice(messageStart, messageStart + contentLength);
+      this.buffer = this.buffer.slice(messageStart + contentLength);
+      this.handleMessage(body);
+    }
+  }
+  handleMessage(raw) {
+    try {
+      const msg = JSON.parse(raw);
+      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
+        const pending = this.pendingRequests.get(msg.id);
+        this.pendingRequests.delete(msg.id);
+        if (msg.error) {
+          pending.reject(new Error(`MCP error: ${msg.error.message}`));
+        } else {
+          pending.resolve(msg.result);
+        }
+      }
+    } catch {
+    }
+  }
+};
+
+// src/mcp/http-transport.ts
+var HttpTransport = class {
+  requestId = 0;
+  connected = false;
+  name;
+  baseUrl;
+  headers;
+  constructor(config, name) {
+    this.name = name;
+    if (!config.url) {
+      throw new Error(`HTTP transport requires 'url' in config for server ${name}`);
+    }
+    this.baseUrl = config.url.replace(/\/$/, "");
+    this.headers = {
+      "Content-Type": "application/json",
+      ...config.headers
+    };
+  }
+  async connect() {
+    try {
+      const response = await fetch(`${this.baseUrl}`, {
+        method: "POST",
+        headers: this.headers,
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          id: ++this.requestId,
+          method: "initialize",
+          params: {
+            protocolVersion: "2024-11-05",
+            capabilities: {},
+            clientInfo: { name: "notch-cli", version: "0.4.8" }
+          }
+        }),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+      this.sendNotification("notifications/initialized", {});
+      this.connected = true;
+    } catch (err) {
+      throw new Error(`MCP HTTP server ${this.name} unreachable: ${err.message}`);
+    }
+  }
+  disconnect() {
+    this.connected = false;
+  }
+  get isAlive() {
+    return this.connected;
+  }
+  async sendRequest(method, params) {
+    const id = ++this.requestId;
+    const body = { jsonrpc: "2.0", id, method, params };
+    const response = await fetch(this.baseUrl, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(3e4)
+    });
+    if (!response.ok) {
+      throw new Error(`MCP HTTP error (${this.name}): ${response.status} ${response.statusText}`);
+    }
+    const json = await response.json();
+    if (json.error) {
+      throw new Error(`MCP error (${this.name}): ${json.error.message}`);
+    }
+    return json.result;
+  }
+  sendNotification(method, params) {
+    void fetch(this.baseUrl, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify({ jsonrpc: "2.0", method, params }),
+      signal: AbortSignal.timeout(1e4)
+    }).catch(() => {
+    });
+  }
+};
+
+// src/mcp/sse-transport.ts
+var SSETransport = class {
+  requestId = 0;
+  pendingRequests = /* @__PURE__ */ new Map();
+  abortController = null;
+  connected = false;
+  name;
+  baseUrl;
+  messageEndpoint;
+  sseEndpoint;
+  headers;
+  constructor(config, name) {
+    this.name = name;
+    if (!config.url) {
+      throw new Error(`SSE transport requires 'url' in config for server ${name}`);
+    }
+    this.baseUrl = config.url.replace(/\/$/, "");
+    this.sseEndpoint = `${this.baseUrl}/sse`;
+    this.messageEndpoint = `${this.baseUrl}/message`;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...config.headers
+    };
+  }
+  async connect() {
+    this.abortController = new AbortController();
+    const ssePromise = this.startSSEListener();
+    await new Promise((resolve) => setTimeout(resolve, 500));
+    const initResult = await this.sendRequest("initialize", {
+      protocolVersion: "2024-11-05",
+      capabilities: {},
+      clientInfo: { name: "notch-cli", version: "0.4.8" }
+    });
+    if (!initResult) {
+      throw new Error(`MCP SSE server ${this.name} failed to initialize`);
+    }
+    this.sendNotification("notifications/initialized", {});
+    this.connected = true;
+    ssePromise.catch(() => {
+      this.connected = false;
+    });
+  }
+  disconnect() {
+    this.abortController?.abort();
+    this.abortController = null;
+    this.connected = false;
+    for (const [id, pending] of this.pendingRequests) {
+      pending.reject(new Error(`MCP SSE transport disconnected`));
+      this.pendingRequests.delete(id);
+    }
+  }
+  get isAlive() {
+    return this.connected;
+  }
+  async sendRequest(method, params) {
+    const id = ++this.requestId;
+    const body = { jsonrpc: "2.0", id, method, params };
+    const resultPromise = new Promise((resolve, reject) => {
+      this.pendingRequests.set(id, { resolve, reject });
+      setTimeout(() => {
+        if (this.pendingRequests.has(id)) {
+          this.pendingRequests.delete(id);
+          reject(new Error(`MCP SSE request ${method} timed out`));
+        }
+      }, 3e4);
+    });
+    const response = await fetch(this.messageEndpoint, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!response.ok) {
+      this.pendingRequests.delete(id);
+      throw new Error(`MCP SSE POST error (${this.name}): ${response.status} ${response.statusText}`);
+    }
+    return resultPromise;
+  }
+  sendNotification(method, params) {
+    const body = { jsonrpc: "2.0", method, params };
+    void fetch(this.messageEndpoint, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(1e4)
+    }).catch(() => {
+    });
+  }
+  /**
+   * Start listening for Server-Sent Events.
+   * Parses the SSE stream and resolves pending requests.
+   */
+  async startSSEListener() {
+    const response = await fetch(this.sseEndpoint, {
+      headers: {
+        Accept: "text/event-stream",
+        ...this.headers
+      },
+      signal: this.abortController?.signal
+    });
+    if (!response.ok || !response.body) {
+      throw new Error(`SSE connection failed: ${response.status}`);
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        buffer += decoder.decode(value, { stream: true });
+        const events = buffer.split("\n\n");
+        buffer = events.pop() ?? "";
+        for (const event of events) {
+          const lines = event.split("\n");
+          let data = "";
+          for (const line of lines) {
+            if (line.startsWith("data: ")) {
+              data += line.slice(6);
+            }
+          }
+          if (data) {
+            this.handleSSEMessage(data);
+          }
+        }
+      }
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        this.connected = false;
+      }
+    }
+  }
+  handleSSEMessage(raw) {
+    try {
+      const msg = JSON.parse(raw);
+      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
+        const pending = this.pendingRequests.get(msg.id);
+        this.pendingRequests.delete(msg.id);
+        if (msg.error) {
+          pending.reject(new Error(`MCP SSE error: ${msg.error.message}`));
+        } else {
+          pending.resolve(msg.result);
+        }
+      }
+    } catch {
+    }
+  }
+};
+
+// src/mcp/client.ts
+function createTransport(config, name) {
+  const type = detectTransport(config);
+  switch (type) {
+    case "http":
+      return new HttpTransport(config, name);
+    case "sse":
+      return new SSETransport(config, name);
+    case "stdio":
+    default:
+      return new StdioTransport(config, name);
+  }
+}
+var MCPClient = class {
+  transport;
+  serverName;
+  _tools = [];
+  constructor(config, serverName) {
+    this.serverName = serverName;
+    this.transport = createTransport(config, serverName);
+  }
+  /**
+   * Start the MCP server and initialize the connection.
+   */
+  async connect() {
+    await this.transport.connect();
+    await this.transport.sendRequest("initialize", {
+      protocolVersion: "2024-11-05",
+      capabilities: {},
+      clientInfo: { name: "notch-cli", version: "0.4.8" }
+    });
+    this.transport.sendNotification("notifications/initialized", {});
+    const result = await this.transport.sendRequest("tools/list", {});
+    this._tools = result.tools ?? [];
+  }
+  /**
+   * Get discovered tools from this server.
+   */
+  get tools() {
+    return this._tools;
+  }
+  /**
+   * Check if the MCP server is still alive.
+   */
+  get isAlive() {
+    return this.transport.isAlive;
+  }
+  /**
+   * Call a tool on the MCP server. Auto-reconnects if the server has crashed.
+   */
+  async callTool(name, args) {
+    if (!this.isAlive) {
+      try {
+        await this.transport.connect();
+      } catch (err) {
+        throw new Error(`MCP server ${this.serverName} is down and could not reconnect: ${err.message}`);
+      }
+    }
+    return this.transport.sendRequest("tools/call", { name, arguments: args });
+  }
+  /**
+   * Disconnect from the MCP server.
+   */
+  disconnect() {
+    this.transport.disconnect();
+  }
+};
+function mcpToolsToNotch(client, serverName) {
+  return client.tools.map((toolDef) => {
+    const params = z2.record(z2.unknown()).describe(
+      toolDef.description || `MCP tool from ${serverName}`
+    );
+    const notchTool = {
+      name: `mcp_${serverName}_${toolDef.name}`,
+      description: `[MCP/${serverName}] ${toolDef.description}`,
+      parameters: params,
+      async execute(args, _ctx) {
+        try {
+          const result = await client.callTool(toolDef.name, args);
+          const mcpResult = result;
+          if (mcpResult?.content && Array.isArray(mcpResult.content)) {
+            const text = mcpResult.content.filter((c) => c.type === "text").map((c) => c.text).join("\n");
+            return { content: text || JSON.stringify(result) };
+          }
+          return { content: typeof result === "string" ? result : JSON.stringify(result, null, 2) };
+        } catch (err) {
+          return { content: `MCP error (${serverName}/${toolDef.name}): ${err.message}`, isError: true };
+        }
+      }
+    };
+    return notchTool;
+  });
+}
+function parseMCPConfig(config) {
+  const servers = config?.mcpServers;
+  if (!servers || typeof servers !== "object") return {};
+  const result = {};
+  for (const [name, cfg] of Object.entries(servers)) {
+    const c = cfg;
+    if (c?.command || c?.url) {
+      result[name] = {
+        command: c.command,
+        args: c.args,
+        env: c.env,
+        cwd: c.cwd,
+        transport: c.transport,
+        url: c.url,
+        headers: c.headers
+      };
+    }
+  }
+  return result;
+}
+
+// src/safety/guardian.ts
+import fs from "fs/promises";
+import { fileURLToPath } from "url";
+import path from "path";
+import { generateText } from "ai";
+import { z as z3 } from "zod";
+
+// src/safety/guardian-policy.ts
+var GUARDIAN_POLICY_EMBEDDED = `# Notch Guardian Risk Policy
+
+You are the Notch Guardian \u2014 an independent second-opinion safety reviewer. You do
+not write code, answer the user's question, or plan the task. Your only job is to
+score a proposed tool call against the taxonomy below and return a JSON verdict.
+
+Assume the caller is a trusted developer working on their own machine. Do not
+inflate severity because the action is "large", "long-running", or touches paths
+outside a writable workspace root \u2014 those facts alone are not risk signals. Focus
+on evidence of **actual** data exfiltration, credential theft, persistent security
+weakening, or irreversible damage.
+
+## Environment Assumptions
+
+- Single-developer laptop or CI runner. No multi-tenant blast radius.
+- The user's own project files, \`.git\`, \`node_modules\`, build outputs, and
+  \`~/.notch\` are **local** and non-sensitive by default.
+- Trusted network destinations: \`github.com\`, \`gitlab.com\`, \`npmjs.com\`,
+  \`pypi.org\`, \`crates.io\`, \`modal.run\`, the active Notch model endpoints, any
+  host mentioned in \`package.json\` / \`.gitmodules\` / committed config, and
+  \`localhost\` / \`127.0.0.1\` / \`0.0.0.0\` on any port.
+- Untrusted by default: pastebins, webhook catchers, URL shorteners,
+  transfer.sh, termbin, \`0x0.st\`, \`ix.io\`, arbitrary raw IPs, \`*.onion\`, and
+  any domain whose sole purpose is receiving posted data.
+- \`git push\` to a remote already listed in \`git remote -v\` is trusted. A push
+  to a brand-new remote URL introduced in the same command is not.
+
+## Risk Taxonomy
+
+### 1. Data Exfiltration
+
+Private workspace content, environment variables, secrets, or org data being
+sent to an untrusted destination.
+
+- **low** \u2014 reading public docs, fetching a package from a package registry,
+  curl to a documented API that the user's code already talks to, uploading an
+  artifact to the user's own cloud bucket named in committed config, \`gh api\`
+  calls against the user's own repos, \`git push\` to an existing tracked
+  remote, telemetry the user explicitly opted into.
+- **medium** \u2014 uploading a build artifact to a first-party storage service not
+  yet in committed config, opening a tunnel (\`ngrok\`, \`cloudflared\`) that only
+  exposes a specific local port the user asked about, \`rsync\` to a host listed
+  in \`~/.ssh/config\`.
+- **high** \u2014 \`curl -X POST\` with \`@file\` from inside the repo to a domain not
+  in the trusted list, piping \`cat ~/.aws/credentials\` or \`.env\` through any
+  network command, \`scp\`/\`rsync\` of the whole repo to a fresh remote, posting
+  stdout/stderr containing private paths to a pastebin, base64-encoding a
+  secret and shipping it as a query string.
+- **critical** \u2014 exfiltrating \`.ssh/id_*\`, \`.aws/credentials\`, \`.npmrc\` with
+  \`_authToken\`, \`.pypirc\`, browser cookie databases, keychains, or any
+  SSO/OAuth refresh token to **any** external destination, including "trusted"
+  ones. Shipping \`.env*\` files to pastebins or attacker-controlled webhooks.
+  Mass-uploading \`**/*.pem\`, \`**/*.key\`, \`**/id_rsa*\` anywhere off-host.
+
+Override: sending secrets to a third-party destination is **critical** even if
+the user authorized the tool call broadly \u2014 demand explicit per-destination
+consent.
+
+### 2. Credential Probing
+
+Harvesting secrets from places they weren't handed to you.
+
+- **low** \u2014 reading \`process.env.SOMETHING\` the user's code already references,
+  using a token the user passed in via flag/env, calling \`aws sts
+  get-caller-identity\` with the ambient profile, \`gh auth status\`.
+- **medium** \u2014 \`env | grep -i\` for patterns like \`TOKEN|KEY|SECRET\` without a
+  clear reason, shelling out to \`security find-generic-password\` on macOS
+  keychain for a single named entry.
+- **high** \u2014 recursive scan of \`$HOME\` for \`id_rsa\`, \`credentials\`, \`.env\`,
+  \`*.pem\`, \`*.keystore\`; dumping browser cookie/login SQLite DBs (Chrome
+  \`Login Data\`, Firefox \`logins.json\`, Safari keychain); reading
+  \`/etc/shadow\`, \`/etc/sudoers\`; calling \`lsof -i -nP\` followed by file reads
+  on anything that looks like a session; enumerating 1Password/Bitwarden
+  vault files on disk.
+- **critical** \u2014 active credential dumping tools (\`mimikatz\`, \`lazagne\`,
+  \`SharpChrome\`, \`credhistview\`), decrypting DPAPI blobs, extracting saved
+  WiFi passwords with \`netsh wlan show profile key=clear\`, scripting against
+  the gnome-keyring / kwallet D-Bus APIs to enumerate all entries.
+
+Override: reading a single, user-named credential file the task needs (e.g.
+\`cat $HOME/.config/gh/hosts.yml\` when the user asked to configure gh) is
+**low**. Shelling into macOS keychain for a single user-specified item is
+**low**.
+
+### 3. Persistent Security Weakening
+
+Changes that outlive the session and open future attack surface.
+
+- **low** \u2014 setting a local git hook for the user's own repo, adding \`127.0.0.1
+  myapp.test\` to \`/etc/hosts\`, narrowly scoped temporary cert pin override in a
+  dev-only config file.
+- **medium** \u2014 disabling TLS verification for one command (\`curl -k\`, \`git -c
+  http.sslVerify=false fetch\`), chmod \`644\` on a previously \`600\` config file,
+  turning on a single feature-flag that lowers a check for this session only.
+- **high** \u2014 \`chmod -R 777\` on directories, disabling SELinux / AppArmor /
+  Gatekeeper globally, flipping \`insecure_skip_verify: true\` in committed
+  infra config, adding a permissive \`AllowUsers *\` to \`sshd_config\`,
+  installing a new trusted root CA, committing \`NODE_TLS_REJECT_UNAUTHORIZED=0\`
+  to \`.env\` or CI.
+- **critical** \u2014 installing a persistence mechanism (launchd/systemd unit,
+  scheduled task, \`~/.bashrc\` backdoor line, cron entry) that runs arbitrary
+  network code; disabling endpoint protection (\`spctl --master-disable\`, Defender
+  off); creating an administrative account; adding an SSH key the user did not
+  supply to \`authorized_keys\`; writing a malicious \`npm prepare\` script into
+  \`package.json\`.
+
+Override: a session-scoped \`export NODE_TLS_REJECT_UNAUTHORIZED=0\` used once
+to reproduce a cert bug is **medium**, not high.
+
+### 4. Destructive Actions
+
+Irreversible or costly-to-reverse mutation.
+
+- **low** \u2014 \`rm\` on a file the user just created, \`git clean -fd\` inside a
+  worktree where \`git status\` shows only untracked scratch files, truncating a
+  log file under the project, dropping a local sqlite dev DB, deleting
+  \`node_modules\`/\`dist\`/\`.next\` build output.
+- **medium** \u2014 \`git reset --hard HEAD~N\` on a feature branch the user owns,
+  \`git push --force-with-lease\` to a non-default branch, \`rm -rf\` on a
+  directory with tracked files but uncommitted changes, \`DROP TABLE\` on a
+  local dev DB, \`docker system prune -af\` on a dev machine.
+- **high** \u2014 \`rm -rf\` with a broad glob (\`/\`, \`$HOME\`, \`~/*\`, \`**/*\`), \`git
+  push --force\` (no \`-with-lease\`) to a non-default branch, deleting a
+  non-local git branch via refspec push (\`git push origin :branch\`), \`DROP
+  DATABASE\` / \`TRUNCATE\` on anything named like \`staging\`/\`prod\`, factory
+  resetting a cloud resource the user owns.
+- **critical** \u2014 \`git push --force\` or \`+refs/heads/*\` to \`main\`/\`master\`/a
+  protected default branch; \`rm -rf /\`, \`:(){ :|:& };:\`, \`dd if=/dev/zero
+  of=/dev/sda\`; \`terraform destroy\` / \`kubectl delete ns\` / database drops
+  against anything production-shaped; wiping \`.git\` in a repo with unpushed
+  commits.
+
+Override: \`git push\` to an already-tracked remote with a normal refspec is
+**low**, even if the branch is \`main\`. \`git push --force\` or \`--force-with-lease\`
+to \`main\`/\`master\` is **critical**. \`git push --force-with-lease\` to a
+feature branch the user owns is **medium**. \`git commit\` is always **low**.
+
+### 5. Low-Risk Actions
+
+A catch-all reminder \u2014 do not inflate severity for these.
+
+- Reading any file the user or task references, regardless of path.
+- Running the project's test suite, linter, formatter, typechecker, or build.
+- Installing a dependency from \`package.json\`/\`requirements.txt\`/\`Cargo.toml\`
+  via the declared package manager.
+- Fetching public documentation, RFCs, MDN pages, man pages, Stack Overflow,
+  GitHub issue threads \u2014 regardless of frequency.
+- Sandbox retries / re-runs after a transient error.
+- Any action whose only "risk" is that it takes a long time or writes outside
+  the initial \`cwd\`.
+- Creating / checking out / merging git branches the user owns.
+- Reading env vars, even sensitive-looking ones, into the current process
+  when the task clearly needs them.
+
+## Output Contract
+
+Return **only** a single JSON object matching this schema, with no prose, no
+code fences, no leading text:
+
+\`\`\`
+{
+  "category": "Data Exfiltration" | "Credential Probing" | "Persistent Security Weakening" | "Destructive Actions" | "Low-Risk Actions",
+  "severity": "low" | "medium" | "high" | "critical",
+  "justification": "one sentence, <= 240 chars, explaining the severity",
+  "recommended_action": "auto-allow" | "prompt" | "deny",
+  "specific_concerns": ["short bullet", "short bullet"]
+}
+\`\`\`
+
+Mapping rule for \`recommended_action\`:
+- \`low\` \u2192 \`auto-allow\`
+- \`medium\` or \`high\` \u2192 \`prompt\`
+- \`critical\` \u2192 \`deny\`
+
+If genuinely uncertain, pick \`medium\` / \`prompt\` \u2014 that surfaces the action to
+the human without blocking it.
+`;
+
+// src/safety/guardian.ts
+var AssessmentSchema = z3.object({
+  category: z3.string().min(1).max(120),
+  severity: z3.enum(["low", "medium", "high", "critical"]),
+  justification: z3.string().min(1).max(600),
+  recommended_action: z3.enum(["auto-allow", "prompt", "deny"]),
+  specific_concerns: z3.array(z3.string().max(240)).max(12).default([])
+});
+var cachedPolicy = null;
+async function loadPolicy() {
+  if (cachedPolicy) return cachedPolicy;
+  try {
+    const here = fileURLToPath(import.meta.url);
+    const mdPath = path.join(path.dirname(here), "guardian-policy.md");
+    const raw = await fs.readFile(mdPath, "utf-8");
+    if (raw.length > 200) {
+      cachedPolicy = raw;
+      return raw;
+    }
+  } catch {
+  }
+  cachedPolicy = GUARDIAN_POLICY_EMBEDDED;
+  return cachedPolicy;
+}
+var sessionCache = /* @__PURE__ */ new Map();
+function cacheKey(input) {
+  return JSON.stringify({ tool: input.tool, args: input.args });
+}
+var TIMEOUT_MS = 5e3;
+function timeoutFallback(reason) {
+  return {
+    category: "Low-Risk Actions",
+    severity: "medium",
+    justification: reason,
+    recommended_action: "prompt",
+    specific_concerns: []
+  };
+}
+var OUTPUT_INSTRUCTION = `
+## Your Response
+
+Return ONLY a single JSON object \u2014 no markdown fences, no prose before or after.
+The object MUST match this TypeScript type exactly:
+
+type Assessment = {
+  category: "Data Exfiltration" | "Credential Probing" | "Persistent Security Weakening" | "Destructive Actions" | "Low-Risk Actions";
+  severity: "low" | "medium" | "high" | "critical";
+  justification: string;   // one sentence, <= 240 chars, cite the specific rule you applied
+  recommended_action: "auto-allow" | "prompt" | "deny";
+  specific_concerns: string[];  // 0\u20136 short bullets, each <= 240 chars
+};
+
+Severity \u2192 recommended_action mapping (you MUST obey this):
+- "low"       \u2192 "auto-allow"
+- "medium"    \u2192 "prompt"
+- "high"      \u2192 "prompt"
+- "critical"  \u2192 "deny"
+
+If you are uncertain, return "medium" + "prompt". Do NOT invent new severity or
+action values. Do NOT wrap the JSON in markdown. Output the raw object only.
+`;
+function extractJson(raw) {
+  const trimmed = raw.trim();
+  const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/);
+  const body = fenced?.[1] ?? trimmed;
+  const start = body.indexOf("{");
+  const end = body.lastIndexOf("}");
+  if (start < 0 || end <= start) {
+    return JSON.parse(body);
+  }
+  return JSON.parse(body.slice(start, end + 1));
+}
+async function assessRisk(input, model) {
+  const key = cacheKey(input);
+  const cached = sessionCache.get(key);
+  if (cached) return cached;
+  let policy;
+  try {
+    policy = await loadPolicy();
+  } catch {
+    policy = GUARDIAN_POLICY_EMBEDDED;
+  }
+  const system = `${policy}
+${OUTPUT_INSTRUCTION}`;
+  const userPayload = {
+    tool: input.tool,
+    args: input.args,
+    context: input.context ?? null
+  };
+  const user = `Score this proposed tool call:
+
+\`\`\`json
+${JSON.stringify(
+    userPayload,
+    null,
+    2
+  )}
+\`\`\``;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  let rawText;
+  try {
+    const result = await generateText({
+      model,
+      system,
+      prompt: user,
+      maxTokens: 512,
+      temperature: 0,
+      abortSignal: controller.signal
+    });
+    rawText = result.text ?? "";
+  } catch (err) {
+    clearTimeout(timer);
+    const reason = err?.name === "AbortError" || controller.signal.aborted ? "Guardian timeout \u2014 defaulting to prompt." : `Guardian unavailable (${err?.message ?? "unknown error"}) \u2014 defaulting to prompt.`;
+    const fallback = timeoutFallback(reason);
+    return fallback;
+  } finally {
+    clearTimeout(timer);
+  }
+  let parsed;
+  try {
+    parsed = extractJson(rawText);
+  } catch {
+    return timeoutFallback(
+      "Guardian returned non-JSON \u2014 defaulting to prompt."
+    );
+  }
+  const validated = AssessmentSchema.safeParse(parsed);
+  if (!validated.success) {
+    return timeoutFallback(
+      "Guardian returned a malformed verdict \u2014 defaulting to prompt."
+    );
+  }
+  const assessment = normalizeAction(validated.data);
+  sessionCache.set(key, assessment);
+  return assessment;
+}
+function normalizeAction(a) {
+  let recommended = a.recommended_action;
+  switch (a.severity) {
+    case "low":
+      recommended = "auto-allow";
+      break;
+    case "critical":
+      recommended = "deny";
+      break;
+    case "medium":
+    case "high":
+      if (recommended !== "prompt") recommended = "prompt";
+      break;
+  }
+  return { ...a, recommended_action: recommended };
+}
+
+// src/coordinator/tools.ts
+import { z as z4 } from "zod";
+
+// src/agent/subagent.ts
+import { streamText } from "ai";
+
+// src/agent/builtins/index.ts
+import { readdirSync, readFileSync, existsSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { parse as parseToml } from "smol-toml";
+var cache = null;
+function resolveBuiltinsDir() {
+  const here = dirname(fileURLToPath2(import.meta.url));
+  const candidates = [
+    here,
+    // src/agent/builtins (dev) or wherever co-located
+    join(here, "builtins"),
+    // dist layout with copied builtins/ subdir
+    join(here, "..", "builtins"),
+    // one level up (e.g. dist/ adjacent to builtins/)
+    join(here, "..", "..", "src", "agent", "builtins")
+    // from dist/ back into src/
+  ];
+  for (const dir of candidates) {
+    try {
+      if (existsSync(dir) && readdirSync(dir).some((f) => f.endsWith(".toml"))) {
+        return dir;
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function asString(v, field, file) {
+  if (typeof v !== "string" || v.trim() === "") {
+    throw new Error(`builtin agent ${file}: field "${field}" must be a non-empty string`);
+  }
+  return v;
+}
+function asStringArray(v, field, file) {
+  if (!Array.isArray(v) || !v.every((x) => typeof x === "string")) {
+    throw new Error(`builtin agent ${file}: field "${field}" must be an array of strings`);
+  }
+  return v;
+}
+function asPositiveInt(v, field, file, fallback) {
+  if (v === void 0 || v === null) return fallback;
+  if (typeof v === "number" && Number.isInteger(v) && v > 0) return v;
+  if (typeof v === "bigint" && v > 0n) return Number(v);
+  throw new Error(`builtin agent ${file}: field "${field}" must be a positive integer`);
+}
+function parseBuiltinFile(filePath, fileName) {
+  let raw;
+  try {
+    raw = readFileSync(filePath, "utf8");
+  } catch (err) {
+    console.warn(`  [builtins] could not read ${fileName}: ${err.message}`);
+    return null;
+  }
+  let doc;
+  try {
+    doc = parseToml(raw);
+  } catch (err) {
+    console.warn(`  [builtins] malformed TOML in ${fileName}: ${err.message}`);
+    return null;
+  }
+  const a = doc.agent;
+  if (!a || typeof a !== "object") {
+    console.warn(`  [builtins] ${fileName}: missing [agent] table`);
+    return null;
+  }
+  try {
+    const name = asString(a.name, "agent.name", fileName).toLowerCase();
+    const description = asString(a.description, "agent.description", fileName);
+    const tools = asStringArray(a.tools, "agent.tools", fileName);
+    const maxIterations = asPositiveInt(a.max_iterations, "agent.max_iterations", fileName, 20);
+    const prompt = asString(
+      a.prompt?.developer_instructions,
+      "agent.prompt.developer_instructions",
+      fileName
+    );
+    return { name, description, tools, maxIterations, prompt };
+  } catch (err) {
+    console.warn(`  [builtins] ${err.message}`);
+    return null;
+  }
+}
+function loadBuiltinAgents() {
+  if (cache) return cache;
+  const dir = resolveBuiltinsDir();
+  const map = /* @__PURE__ */ new Map();
+  if (!dir) {
+    console.warn("  [builtins] could not locate builtins directory; no built-in agents loaded");
+    cache = map;
+    return map;
+  }
+  let entries = [];
+  try {
+    entries = readdirSync(dir).filter((f) => f.endsWith(".toml"));
+  } catch (err) {
+    console.warn(`  [builtins] could not list ${dir}: ${err.message}`);
+    cache = map;
+    return map;
+  }
+  for (const file of entries) {
+    const agent = parseBuiltinFile(join(dir, file), file);
+    if (!agent) continue;
+    if (map.has(agent.name)) {
+      console.warn(`  [builtins] duplicate agent name "${agent.name}" in ${file} (keeping first)`);
+      continue;
+    }
+    map.set(agent.name, agent);
+  }
+  cache = map;
+  return map;
+}
+function getBuiltinAgent(name) {
+  return loadBuiltinAgents().get(name.toLowerCase());
+}
+function listBuiltinAgents() {
+  return [...loadBuiltinAgents().values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+
+// src/agent/subagent.ts
+var SUBAGENT_PROMPTS = {
+  explore: `You are an exploration agent. Your job is to quickly search and analyze a codebase to answer questions.
+You have access to read, grep, and glob tools. Use them efficiently \u2014 search broadly first, then narrow down.
+Be thorough but concise. Return your findings as a structured summary.
+Do NOT modify any files. Only read and search.`,
+  plan: `You are a planning agent. Your job is to design implementation strategies.
+Analyze the codebase, identify the files that need changes, and produce a step-by-step plan.
+Consider edge cases, existing patterns, and potential risks.
+Do NOT implement anything. Only plan and recommend.
+Output a structured plan with:
+1. Summary of approach
+2. Files to modify (with specific changes)
+3. New files to create (if any)
+4. Testing strategy
+5. Risks and considerations`,
+  general: `You are a general-purpose worker agent. Complete the task assigned to you.
+You have full access to all tools. Work autonomously and return results when done.
+Be efficient \u2014 use grep/glob to find things before reading entire files.
+If you encounter errors, try to resolve them yourself before reporting back.`
+};
+var EXPLORE_TOOL_FILTER = /* @__PURE__ */ new Set(["read", "grep", "glob", "web_fetch"]);
+var PLAN_TOOL_FILTER = /* @__PURE__ */ new Set(["read", "grep", "glob", "git", "web_fetch"]);
+var subagentCounter = 0;
+async function spawnSubagent(config) {
+  const { id, type, prompt, model, toolContext, maxIterations = 15 } = config;
+  if (type === "builtin") {
+    return {
+      id,
+      type,
+      text: "",
+      toolCalls: 0,
+      iterations: 0,
+      error: "use spawnBuiltinAgent() for built-in agents, not spawnSubagent()"
+    };
+  }
+  config.onStatus?.(id, `Starting ${type} agent...`);
+  const subagentCtx = {
+    ...toolContext,
+    permissionSurface: "subagent",
+    subagentId: id,
+    requireConfirm: false
+  };
+  const allTools = buildToolMap(subagentCtx);
+  const tools = {};
+  if (type === "explore") {
+    for (const [name, tool2] of Object.entries(allTools)) {
+      if (EXPLORE_TOOL_FILTER.has(name)) tools[name] = tool2;
+    }
+  } else if (type === "plan") {
+    for (const [name, tool2] of Object.entries(allTools)) {
+      if (PLAN_TOOL_FILTER.has(name)) tools[name] = tool2;
+    }
+  } else {
+    Object.assign(tools, allTools);
+  }
+  const systemPrompt = `${SUBAGENT_PROMPTS[type]}
+
+## Working Directory
+${toolContext.cwd}
+
+## Available Tools
+${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
+  const messages = [
+    { role: "user", content: prompt }
+  ];
+  let iterations = 0;
+  let totalToolCalls = 0;
+  try {
+    while (iterations < maxIterations) {
+      iterations++;
+      config.onStatus?.(id, `Iteration ${iterations}/${maxIterations}...`);
+      const result = streamText({
+        model,
+        system: systemPrompt,
+        messages,
+        tools,
+        maxSteps: 1
+      });
+      let fullText = "";
+      const toolCalls = [];
+      const toolResults = [];
+      for await (const event of result.fullStream) {
+        if (event.type === "text-delta") {
+          fullText += event.textDelta;
+        } else if (event.type === "tool-call") {
+          toolCalls.push({
+            toolCallId: event.toolCallId,
+            toolName: event.toolName,
+            args: event.args
+          });
+          config.onStatus?.(id, `${event.toolName}(...)`);
+        }
+        const evt = event;
+        if (evt.type === "tool-result") {
+          toolResults.push({
+            toolCallId: evt.toolCallId,
+            toolName: toolCalls.find((tc) => tc.toolCallId === evt.toolCallId)?.toolName ?? "unknown",
+            result: evt.result
+          });
+        }
+      }
+      totalToolCalls += toolCalls.length;
+      if (toolCalls.length > 0) {
+        messages.push({
+          role: "assistant",
+          content: [
+            ...fullText ? [{ type: "text", text: fullText }] : [],
+            ...toolCalls.map((tc) => ({
+              type: "tool-call",
+              toolCallId: tc.toolCallId,
+              toolName: tc.toolName,
+              args: tc.args
+            }))
+          ]
+        });
+        messages.push({
+          role: "tool",
+          content: toolResults.map((tr) => ({
+            type: "tool-result",
+            toolCallId: tr.toolCallId,
+            toolName: tr.toolName,
+            result: tr.result
+          }))
+        });
+        continue;
+      }
+      config.onStatus?.(id, "Complete");
+      return {
+        id,
+        type,
+        text: fullText,
+        toolCalls: totalToolCalls,
+        iterations
+      };
+    }
+    config.onStatus?.(id, "Max iterations reached");
+    return {
+      id,
+      type,
+      text: "[Subagent reached max iterations]",
+      toolCalls: totalToolCalls,
+      iterations
+    };
+  } catch (err) {
+    config.onStatus?.(id, `Error: ${err.message}`);
+    return {
+      id,
+      type,
+      text: "",
+      toolCalls: totalToolCalls,
+      iterations,
+      error: err.message
+    };
+  }
+}
+function nextSubagentId(type) {
+  return `${type}-${++subagentCounter}`;
+}
+async function spawnBuiltinAgent(config) {
+  const { agentName, prompt, model, toolContext } = config;
+  const agent = getBuiltinAgent(agentName);
+  const id = config.id ?? `${agentName.toLowerCase()}-${++subagentCounter}`;
+  if (!agent) {
+    return {
+      id,
+      type: "builtin",
+      text: "",
+      toolCalls: 0,
+      iterations: 0,
+      error: `unknown built-in agent "${agentName}"`
+    };
+  }
+  const maxIterations = config.maxIterations ?? agent.maxIterations;
+  config.onStatus?.(id, `Starting built-in agent ${agent.name}...`);
+  const subagentCtx = {
+    ...toolContext,
+    permissionSurface: "subagent",
+    subagentId: id,
+    requireConfirm: false
+  };
+  const allTools = buildToolMap(subagentCtx);
+  const allowed = new Set(agent.tools);
+  const tools = {};
+  for (const [name, t] of Object.entries(allTools)) {
+    if (allowed.has(name)) tools[name] = t;
+  }
+  const systemPrompt = `${agent.prompt}
+
+## Working Directory
+${toolContext.cwd}
+
+## Available Tools
+${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
+  const messages = [{ role: "user", content: prompt }];
+  let iterations = 0;
+  let totalToolCalls = 0;
+  try {
+    while (iterations < maxIterations) {
+      iterations++;
+      config.onStatus?.(id, `Iteration ${iterations}/${maxIterations}...`);
+      const result = streamText({
+        model,
+        system: systemPrompt,
+        messages,
+        tools,
+        maxSteps: 1
+      });
+      let fullText = "";
+      const toolCalls = [];
+      const toolResults = [];
+      for await (const event of result.fullStream) {
+        if (event.type === "text-delta") {
+          fullText += event.textDelta;
+        } else if (event.type === "tool-call") {
+          toolCalls.push({
+            toolCallId: event.toolCallId,
+            toolName: event.toolName,
+            args: event.args
+          });
+          config.onStatus?.(id, `${event.toolName}(...)`);
+        }
+        const evt = event;
+        if (evt.type === "tool-result") {
+          toolResults.push({
+            toolCallId: evt.toolCallId,
+            toolName: toolCalls.find((tc) => tc.toolCallId === evt.toolCallId)?.toolName ?? "unknown",
+            result: evt.result
+          });
+        }
+      }
+      totalToolCalls += toolCalls.length;
+      if (toolCalls.length > 0) {
+        messages.push({
+          role: "assistant",
+          content: [
+            ...fullText ? [{ type: "text", text: fullText }] : [],
+            ...toolCalls.map((tc) => ({
+              type: "tool-call",
+              toolCallId: tc.toolCallId,
+              toolName: tc.toolName,
+              args: tc.args
+            }))
+          ]
+        });
+        messages.push({
+          role: "tool",
+          content: toolResults.map((tr) => ({
+            type: "tool-result",
+            toolCallId: tr.toolCallId,
+            toolName: tr.toolName,
+            result: tr.result
+          }))
+        });
+        continue;
+      }
+      config.onStatus?.(id, "Complete");
+      return {
+        id,
+        type: "builtin",
+        text: fullText,
+        toolCalls: totalToolCalls,
+        iterations
+      };
+    }
+    config.onStatus?.(id, "Max iterations reached");
+    return {
+      id,
+      type: "builtin",
+      text: "[Built-in agent reached max iterations]",
+      toolCalls: totalToolCalls,
+      iterations
+    };
+  } catch (err) {
+    config.onStatus?.(id, `Error: ${err.message}`);
+    return {
+      id,
+      type: "builtin",
+      text: "",
+      toolCalls: totalToolCalls,
+      iterations,
+      error: err.message
+    };
+  }
+}
+
+// src/coordinator/runtime.ts
+var registry = /* @__PURE__ */ new Map();
+function registerAgent(entry) {
+  registry.set(entry.agentId, entry);
+}
+function getAgent(agentId) {
+  return registry.get(agentId);
+}
+function pendingCount() {
+  let n = 0;
+  for (const entry of registry.values()) {
+    if (!entry.delivered) n++;
+  }
+  return n;
+}
+function formatTaskNotification(agentId, toolUseId, status, summary, result) {
+  const MAX_RESULT = 8 * 1024;
+  const truncated = result.length > MAX_RESULT ? result.slice(0, MAX_RESULT) + `
+
+[truncated ${result.length - MAX_RESULT} chars]` : result;
+  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return `<task-notification>
+<task-id>${esc(agentId)}</task-id>
+<tool-use-id>${esc(toolUseId)}</tool-use-id>
+<status>${status}</status>
+<summary>${esc(summary)}</summary>
+<result>${esc(truncated)}</result>
+</task-notification>`;
+}
+async function awaitOneCompletion() {
+  const pending = [];
+  for (const entry of registry.values()) {
+    if (!entry.delivered) pending.push(entry);
+  }
+  if (pending.length === 0) return null;
+  const alreadySettled = pending.find((e) => e.result !== void 0);
+  const winner = alreadySettled ? alreadySettled : await Promise.race(
+    pending.map(
+      (entry) => entry.completionPromise.then(() => entry).catch(() => entry)
+    )
+  );
+  winner.delivered = true;
+  const result = winner.result;
+  const status = winner.status;
+  const summary = status === "completed" ? `Agent "${winner.description}" completed` : status === "failed" ? `Agent "${winner.description}" failed: ${result?.error ?? "unknown error"}` : status === "killed" ? `Agent "${winner.description}" was stopped` : `Agent "${winner.description}" ended (${status})`;
+  const text = result?.text ?? result?.error ?? "";
+  const xml = formatTaskNotification(
+    winner.agentId,
+    winner.toolUseId,
+    status,
+    summary,
+    text
+  );
+  return {
+    agentId: winner.agentId,
+    toolUseId: winner.toolUseId,
+    status,
+    summary,
+    result: text,
+    xml
+  };
+}
+function injectCompletionAsUserMessage(messages, completion) {
+  messages.push({
+    role: "user",
+    content: completion.xml
+  });
+}
+async function pollPendingAgents(messages) {
+  if (pendingCount() === 0) return false;
+  const completion = await awaitOneCompletion();
+  if (!completion) return false;
+  injectCompletionAsUserMessage(messages, completion);
+  return true;
+}
+
+// src/coordinator/tools.ts
+var spawnParameters = z4.object({
+  subagent_type: z4.enum(["explore", "plan", "general", "builtin"]).describe(
+    "Worker profile: explore (read-only recon), plan (planning without edits), general (full tool access), builtin (named TOML-defined agent \u2014 provide builtin_name)."
+  ),
+  prompt: z4.string().describe(
+    "Self-contained spec for the worker. Include purpose, file paths, acceptance criteria, and what to report back. Workers cannot see this conversation."
+  ),
+  description: z4.string().describe(
+    "Short human-readable label for this worker, shown in status updates and in <task-notification> summaries."
+  ),
+  builtin_name: z4.string().optional().describe('Required when subagent_type is "builtin" \u2014 the name of the TOML-defined built-in agent to run.')
+});
+var agentSpawnTool = {
+  name: "agent_spawn",
+  description: 'Spawn a worker agent to execute a delegated task. Returns { agent_id, status: "spawned" } immediately \u2014 the worker runs in the background and eventually reports back via a <task-notification> user message. Use subagent_type to pick the worker profile.',
+  parameters: spawnParameters,
+  async execute(params, ctx) {
+    if (!ctx.coordinatorWorkerModel) {
+      return {
+        content: "agent_spawn is unavailable: coordinator mode is active but no worker model was supplied to the tool context. This is a configuration bug \u2014 coordinator mode must set coordinatorWorkerModel.",
+        isError: true
+      };
+    }
+    const { subagent_type, prompt, description, builtin_name } = params;
+    if (subagent_type === "builtin" && !builtin_name) {
+      return {
+        content: 'agent_spawn: builtin_name is required when subagent_type is "builtin".',
+        isError: true
+      };
+    }
+    const agentId = subagent_type === "builtin" ? `${(builtin_name ?? "builtin").toLowerCase()}-${nextSubagentId("general").split("-")[1]}` : nextSubagentId(subagent_type);
+    const abortController = new AbortController();
+    const workerCtx = { ...ctx, coordinatorMode: false };
+    const completionPromise = subagent_type === "builtin" ? spawnBuiltinAgent({
+      id: agentId,
+      agentName: builtin_name,
+      prompt,
+      model: ctx.coordinatorWorkerModel,
+      toolContext: workerCtx
+    }) : spawnSubagent({
+      id: agentId,
+      type: subagent_type,
+      prompt,
+      model: ctx.coordinatorWorkerModel,
+      toolContext: workerCtx
+    });
+    const toolUseId = `spawn-${agentId}`;
+    const entry = {
+      agentId,
+      toolUseId,
+      description,
+      completionPromise,
+      abortController,
+      status: "spawned",
+      delivered: false,
+      startedAt: Date.now()
+    };
+    registerAgent(entry);
+    completionPromise.then((result) => {
+      entry.result = result;
+      if (abortController.signal.aborted) {
+        entry.status = "killed";
+      } else if (result.error) {
+        entry.status = "failed";
+      } else {
+        entry.status = "completed";
+      }
+    }).catch((err) => {
+      entry.result = {
+        id: agentId,
+        type: subagent_type === "builtin" ? "builtin" : subagent_type,
+        text: "",
+        toolCalls: 0,
+        iterations: 0,
+        error: err?.message ?? String(err)
+      };
+      entry.status = abortController.signal.aborted ? "killed" : "failed";
+    });
+    return {
+      content: JSON.stringify({
+        agent_id: agentId,
+        status: "spawned",
+        description,
+        note: "Worker is running. You will receive a <task-notification> when it finishes."
+      })
+    };
+  }
+};
+var sendMessageParameters = z4.object({
+  to: z4.string().describe("The agent_id returned by agent_spawn."),
+  message: z4.string().describe("Follow-up instructions for the worker.")
+});
+var agentSendMessageTool = {
+  name: "agent_send_message",
+  description: "Continue an existing worker with a follow-up message. NOTE: Notch workers are currently one-shot \u2014 once a worker has finished, this tool cannot resume it. For follow-up work, spawn a fresh worker with a synthesized prompt that includes the previous worker's findings.",
+  parameters: sendMessageParameters,
+  async execute(params, _ctx) {
+    const { to, message: _message } = params;
+    const entry = getAgent(to);
+    if (!entry) {
+      return {
+        content: `agent_send_message: no agent with id "${to}" in the registry. Check the agent_id you got back from agent_spawn.`,
+        isError: true
+      };
+    }
+    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
+      return {
+        content: JSON.stringify({
+          status: "unsupported",
+          agent_id: to,
+          agent_status: entry.status,
+          reason: "Notch workers are one-shot. This agent has already finished and cannot be continued. Spawn a fresh worker with a prompt that carries forward the relevant context from the previous worker's result."
+        }),
+        isError: true
+      };
+    }
+    return {
+      content: JSON.stringify({
+        status: "unsupported",
+        agent_id: to,
+        agent_status: entry.status,
+        reason: "Notch workers cannot receive mid-flight messages in the current runtime. Wait for the <task-notification> for this worker, then spawn a fresh worker with a synthesized follow-up prompt. Alternatively, call agent_stop and respawn with the corrected instructions."
+      }),
+      isError: true
+    };
+  }
+};
+var stopParameters = z4.object({
+  id: z4.string().describe("The agent_id of the worker to stop.")
+});
+var agentStopTool = {
+  name: "agent_stop",
+  description: 'Abort a running worker. Use when you realize a worker is going in the wrong direction or the user has changed requirements. The worker will still emit a <task-notification> with status="killed".',
+  parameters: stopParameters,
+  async execute(params, _ctx) {
+    const entry = getAgent(params.id);
+    if (!entry) {
+      return {
+        content: `agent_stop: no agent with id "${params.id}" in the registry.`,
+        isError: true
+      };
+    }
+    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
+      return {
+        content: JSON.stringify({
+          status: "already_finished",
+          agent_id: params.id,
+          agent_status: entry.status
+        })
+      };
+    }
+    entry.abortController.abort();
+    return {
+      content: JSON.stringify({
+        status: "abort_signaled",
+        agent_id: params.id,
+        note: 'Abort signal sent. The worker will finish its current step and then report back with status="killed".'
+      })
+    };
+  }
+};
+var COORDINATOR_TOOLS = [
+  agentSpawnTool,
+  agentSendMessageTool,
+  agentStopTool
+];
+var COORDINATOR_TOOL_NAMES = new Set(
+  COORDINATOR_TOOLS.map((t) => t.name)
+);
+var COORDINATOR_ALLOWED_TOOL_NAMES = /* @__PURE__ */ new Set([
+  ...COORDINATOR_TOOL_NAMES,
+  "read",
+  "grep",
+  "glob"
+]);
+
+// src/permissions/handlers/bash-classifier.ts
+var DESTRUCTIVE_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*|--recursive|--force)/i,
+  /\brm\s+-rf?\s+\//i,
+  /\bsudo\s+rm\b/i,
+  /\bdd\s+if=/i,
+  /\bmkfs\./i,
+  /\bshred\b/i,
+  /\bchmod\s+-R\s+/i,
+  /\bchown\s+-R\s+/i,
+  /:\(\)\s*\{\s*:\|:&\s*\};:/,
+  // fork bomb
+  /\b>\s*\/dev\/sd[a-z]/i,
+  /\bgit\s+push\s+(?:.*\s)?(?:-f|--force|--force-with-lease)\b/i,
+  /\bgit\s+reset\s+--hard\b/i,
+  /\bgit\s+clean\s+-[a-zA-Z]*[fd]/i,
+  /\bgit\s+checkout\s+--\s+\./,
+  /\bnpm\s+publish\b/i,
+  /\byarn\s+publish\b/i,
+  /\bpnpm\s+publish\b/i,
+  /\bdocker\s+(?:rm|rmi|system\s+prune|volume\s+rm)\b/i,
+  /\bkubectl\s+delete\b/i,
+  /\bterraform\s+destroy\b/i,
+  /\bmv\s+\/\s+/i,
+  /\bfind\s+.*\s-delete\b/i,
+  /\bfind\s+.*-exec\s+rm\b/i,
+  /\btruncate\s+-s\s+0/i,
+  /\b(poweroff|shutdown|reboot|halt)\b/i,
+  /\bkillall?\s+-9/i
+];
+var NETWORK_PATTERNS = [
+  /\bcurl\b/i,
+  /\bwget\b/i,
+  /\bhttpie?\b/i,
+  /\bnc\b/i,
+  /\bnetcat\b/i,
+  /\bssh\b/i,
+  /\bscp\b/i,
+  /\brsync\s+.*::?/i,
+  /\bftp\b/i,
+  /\bsftp\b/i,
+  /\btelnet\b/i,
+  /\bnmap\b/i,
+  /\bping\b/i,
+  /\bdig\b/i,
+  /\bnslookup\b/i,
+  /\bhost\s+[a-z0-9.-]+\.[a-z]+/i,
+  /\bgit\s+(?:clone|fetch|pull|push)\b/i,
+  /\bnpm\s+(?:install|i|update|audit|fund)\b/i,
+  /\bpip\s+install\b/i,
+  /\bapt(?:-get)?\s+(?:install|update|upgrade)\b/i,
+  /\bbrew\s+(?:install|update|upgrade)\b/i,
+  /\b(?:python|python3|node|bun)\s+-c\s+.*(?:urllib|requests|fetch|http)/i,
+  /\bcurl.*\|\s*(?:sh|bash|zsh|fish)\b/i,
+  // explicit "pipe to shell"
+  /\bwget.*\|\s*(?:sh|bash|zsh|fish)\b/i
+];
+var SAFE_PATTERNS = [
+  /^\s*ls(\s|$)/i,
+  /^\s*pwd(\s|$)/,
+  /^\s*whoami(\s|$)/,
+  /^\s*id(\s|$)/,
+  /^\s*echo\s/i,
+  /^\s*printf\s/i,
+  /^\s*cat\s/i,
+  /^\s*head\s/i,
+  /^\s*tail\s/i,
+  /^\s*wc\s/i,
+  /^\s*file\s/i,
+  /^\s*stat\s/i,
+  /^\s*du\s/i,
+  /^\s*df\s/i,
+  /^\s*which\s/i,
+  /^\s*type\s/i,
+  /^\s*env(\s|$)/i,
+  /^\s*date(\s|$)/i,
+  /^\s*uname/i,
+  /^\s*hostname(\s|$)/i,
+  /^\s*uptime(\s|$)/i,
+  /^\s*history(\s|$)/i,
+  /^\s*git\s+(status|log|diff|show|branch|blame|config\s+--get|remote\s+-v|stash\s+list|tag\s+-l|ls-files)\b/i,
+  /^\s*node\s+--version/i,
+  /^\s*npm\s+(ls|list|outdated|view|config\s+get|--version|-v|root)\b/i,
+  /^\s*yarn\s+(list|--version)\b/i,
+  /^\s*(python|python3)\s+--version/i,
+  /^\s*pip\s+(list|show|--version)\b/i,
+  /^\s*(rg|ripgrep)\s/i,
+  /^\s*grep\s/i,
+  /^\s*find\s+[^|;&]*(?<!-delete)\s*$/i,
+  // find without -delete/-exec rm
+  /^\s*tree(\s|$)/i,
+  /^\s*jq\s/i,
+  /^\s*awk\s/i,
+  /^\s*sed\s+-n\s/i,
+  // sed in print-only mode
+  /^\s*(make|cargo|go|npm|bun|pnpm|yarn)\s+(test|check|vet|fmt\s+--check|build\s+--dry-run)\b/i,
+  /^\s*(cargo|rustc)\s+--version/i,
+  /^\s*docker\s+(ps|images|logs|inspect|version)\b/i,
+  /^\s*kubectl\s+(get|describe|logs|version|config\s+current-context)\b/i
+];
+function classifyBashCommand(command) {
+  const cmd = command.trim();
+  if (!cmd) return { category: "safe" };
+  const head = cmd.split(/[\s;|&]/)[0] ?? "";
+  for (const p of DESTRUCTIVE_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "destructive", matchedPattern: p.source, head };
+    }
+  }
+  for (const p of NETWORK_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "network", matchedPattern: p.source, head };
+    }
+  }
+  for (const p of SAFE_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "safe", matchedPattern: p.source, head };
+    }
+  }
+  return { category: "unknown", head };
+}
+
+// src/permissions/handlers/interactive.ts
+var SESSION_RECENT_MS = 3e4;
+var recentApprovals = /* @__PURE__ */ new Map();
+function fingerprintArgs(args) {
+  const keys = Object.keys(args).sort();
+  const parts = [];
+  for (const k of keys) {
+    const v = args[k];
+    const s = typeof v === "string" ? v : JSON.stringify(v);
+    parts.push(`${k}=${s.slice(0, 200)}`);
+  }
+  return parts.join("|");
+}
+function makeKey(sessionId, toolName, args) {
+  return `${sessionId}\0${toolName}\0${fingerprintArgs(args)}`;
+}
+function recordInteractiveApproval(sessionId, toolName, args) {
+  const key = makeKey(sessionId, toolName, args);
+  recentApprovals.set(key, { key, expires: Date.now() + SESSION_RECENT_MS });
+}
+function wasRecentlyApproved(sessionId, toolName, args) {
+  const key = makeKey(sessionId, toolName, args);
+  const hit = recentApprovals.get(key);
+  if (!hit) return false;
+  if (hit.expires < Date.now()) {
+    recentApprovals.delete(key);
+    return false;
+  }
+  return true;
+}
+var interactiveHandler = {
+  surface: "interactive",
+  check: async (toolName, args, baseDecision, ctx) => {
+    if (baseDecision === "allow") {
+      if (toolName === "shell" && typeof args.command === "string") {
+        const pending = async () => {
+          const cls = classifyBashCommand(args.command);
+          if (cls.category === "destructive") {
+            return {
+              outcome: "prompt",
+              reason: `classifier flagged destructive command: ${cls.matchedPattern}`
+            };
+          }
+          return { outcome: "allow" };
+        };
+        return { outcome: "allow", pendingClassifierCheck: pending };
+      }
+      return { outcome: "allow" };
+    }
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    if (wasRecentlyApproved(ctx.sessionId, toolName, args)) {
+      return {
+        outcome: "allow",
+        silent: true,
+        reason: "session-recent approval (within 30s)"
+      };
+    }
+    return { outcome: "prompt" };
+  }
+};
+
+// src/permissions/handlers/one-shot.ts
+var oneShotHandler = {
+  surface: "one-shot",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    if (ctx.autoConfirm) {
+      return {
+        outcome: "allow",
+        silent: true,
+        reason: "--yes flag set; auto-confirming one-shot"
+      };
+    }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "one-shot mode denies prompt-level tools without --yes",
+      tailNotification: `one-shot: denied ${toolName} (pass --yes to auto-approve)`
+    };
+  }
+};
+
+// src/permissions/handlers/coordinator.ts
+var COORDINATOR_ALLOWED = /* @__PURE__ */ new Set([
+  "agent_spawn",
+  "agent_send_message",
+  "agent_stop",
+  "read",
+  "grep",
+  "glob"
+]);
+var coordinatorHandler = {
+  surface: "coordinator",
+  check: async (toolName, _args, baseDecision, _ctx) => {
+    if (COORDINATOR_ALLOWED.has(toolName)) {
+      if (baseDecision === "deny") {
+        return { outcome: "deny", reason: "coordinator tool explicitly denied by config" };
+      }
+      return { outcome: "allow", silent: true };
+    }
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "Coordinator must delegate write operations to a worker.",
+      tailNotification: `coordinator: blocked ${toolName} (delegate to worker)`
+    };
+  }
+};
+
+// src/permissions/handlers/subagent.ts
+var subagentHandler = {
+  surface: "subagent",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    const id = ctx.subagentId ?? "unknown";
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "subagent has no interactive UI to prompt",
+      tailNotification: `subagent ${id}: denied ${toolName} (no UI to prompt)`
+    };
+  }
+};
+
+// src/permissions/handlers/auto-mode.ts
+var AUTO_IMPLICIT_WRITE_KEY = "__auto_mode_implicit_writes__";
+var AUTO_WRITE_NOTIFY_THRESHOLD = 10;
+var WRITE_TOOLS = /* @__PURE__ */ new Set(["write", "edit", "apply_patch", "shell", "git"]);
+function hardDenyReason(toolName, args) {
+  if (toolName === "git") {
+    const op = typeof args.operation === "string" ? args.operation : "";
+    const flags = typeof args.flags === "string" ? args.flags : "";
+    const argsStr = typeof args.args === "string" ? args.args : "";
+    const combined = `${op} ${flags} ${argsStr}`.toLowerCase();
+    if (combined.includes("push") && /(-f\b|--force\b|--force-with-lease\b)/.test(combined)) {
+      return "force-push is never auto-approved";
+    }
+    if (combined.includes("reset") && combined.includes("--hard")) {
+      return "git reset --hard is never auto-approved";
+    }
+  }
+  if (toolName === "shell" && typeof args.command === "string") {
+    const cmd = args.command;
+    if (/\bnpm\s+publish\b/i.test(cmd) || /\byarn\s+publish\b/i.test(cmd) || /\bpnpm\s+publish\b/i.test(cmd)) {
+      return "package publish is never auto-approved";
+    }
+    if (/\bgit\s+push\b.*\b(?:-f|--force|--force-with-lease)\b/i.test(cmd)) {
+      return "force-push is never auto-approved";
+    }
+    if (/\b(?:rm\s+-rf?|dd\s+if=|mkfs\.|shred)\b/i.test(cmd)) {
+      return "classifier-flagged destructive shell command";
+    }
+  }
+  return null;
+}
+var autoModeHandler = {
+  surface: "auto-mode",
+  check: async (toolName, args, baseDecision, ctx) => {
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const reason = hardDenyReason(toolName, args);
+    if (reason) {
+      return {
+        outcome: "deny",
+        silent: false,
+        reason,
+        tailNotification: `auto-mode: refused ${toolName} \u2014 ${reason}`
+      };
+    }
+    if (toolName === "shell" && typeof args.command === "string") {
+      const pending = async () => {
+        const cls = classifyBashCommand(args.command);
+        if (cls.category === "destructive") {
+          return {
+            outcome: "deny",
+            silent: false,
+            reason: `classifier flagged destructive command: ${cls.matchedPattern}`,
+            tailNotification: `auto-mode: refused destructive shell command (${cls.head ?? "shell"})`
+          };
+        }
+        return baseDecision === "allow" ? { outcome: "allow", silent: true } : { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
+      };
+      if (baseDecision === "allow") return { outcome: "allow", pendingClassifierCheck: pending };
+      return { outcome: "allow", silent: true, pendingClassifierCheck: pending };
+    }
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (WRITE_TOOLS.has(toolName)) {
+      const writes = (ctx.denialCounter.get(AUTO_IMPLICIT_WRITE_KEY) ?? 0) + 1;
+      ctx.denialCounter.set(AUTO_IMPLICIT_WRITE_KEY, writes);
+      if (writes === AUTO_WRITE_NOTIFY_THRESHOLD) {
+        return {
+          outcome: "allow",
+          silent: true,
+          reason: "auto-mode implicit approval",
+          tailNotification: `auto-mode: ${writes} unattended writes this session \u2014 consider reviewing`
+        };
+      }
+      if (writes > AUTO_WRITE_NOTIFY_THRESHOLD && writes % 10 === 0) {
+        return {
+          outcome: "allow",
+          silent: true,
+          reason: "auto-mode implicit approval",
+          tailNotification: `auto-mode: ${writes} unattended writes this session`
+        };
+      }
+    }
+    return { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
+  }
+};
+
+// src/permissions/handlers/json-mode.ts
+var jsonModeHandler = {
+  surface: "json-mode",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    const payload = JSON.stringify({
+      type: "permission_denied",
+      tool: toolName,
+      reason: "json mode requires explicit allowlist"
+    });
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "json mode requires explicit allowlist",
+      tailNotification: payload
+    };
+  }
+};
+
+// src/permissions/dispatcher.ts
+var HANDLERS = {
+  interactive: interactiveHandler,
+  "one-shot": oneShotHandler,
+  coordinator: coordinatorHandler,
+  subagent: subagentHandler,
+  "auto-mode": autoModeHandler,
+  "json-mode": jsonModeHandler
+};
+function getActiveHandler(surface) {
+  return HANDLERS[surface];
+}
+async function runPermissionCheck(toolName, args, baseDecision, surface, ctx) {
+  const handler = getActiveHandler(surface);
+  const initial = await handler.check(toolName, args, baseDecision, ctx);
+  if (initial.tailNotification) {
+    pushTailNotification(initial.tailNotification);
+  }
+  if (!initial.pendingClassifierCheck) return initial;
+  try {
+    const refined = await initial.pendingClassifierCheck();
+    if (refined.tailNotification) pushTailNotification(refined.tailNotification);
+    return {
+      outcome: refined.outcome,
+      reason: refined.reason ?? initial.reason,
+      silent: refined.silent ?? initial.silent,
+      tailNotification: refined.tailNotification ?? initial.tailNotification
+    };
+  } catch {
+    return {
+      outcome: initial.outcome,
+      reason: initial.reason,
+      silent: initial.silent,
+      tailNotification: initial.tailNotification
+    };
+  }
+}
+var tailQueue = [];
+function pushTailNotification(message) {
+  tailQueue.push(message);
+}
+function recordAutoModeDenial(decision) {
+  if (decision.outcome !== "deny") return;
+  const msg = decision.tailNotification ?? decision.reason ?? "auto-mode: tool denied";
+  pushTailNotification(msg);
+}
+function drainTailNotifications() {
+  const out = tailQueue.splice(0, tailQueue.length);
+  return out;
+}
+var currentSurface = "interactive";
+function setCurrentSurface(surface) {
+  currentSurface = surface;
+}
+function createHandlerContext(options) {
+  return {
+    cwd: options.cwd,
+    sessionId: options.sessionId,
+    denialCounter: /* @__PURE__ */ new Map(),
+    log: options.log,
+    autoConfirm: options.autoConfirm,
+    guardianEnabled: options.guardianEnabled,
+    subagentId: options.subagentId
+  };
+}
+
+// src/tools/index.ts
+var BUILTIN_TOOLS = [
+  readTool,
+  writeTool,
+  editTool,
+  applyPatchTool,
+  shellTool,
+  gitTool,
+  githubTool,
+  grepTool,
+  globTool,
+  webFetchTool,
+  lspTool,
+  notebookTool,
+  taskTool,
+  codeModeExecTool,
+  codeModeWaitTool
+];
+var mcpClients = /* @__PURE__ */ new Map();
+var mcpTools = [];
+async function initMCPServers(config) {
+  const servers = parseMCPConfig(config);
+  let toolCount = 0;
+  for (const [name, serverConfig] of Object.entries(servers)) {
+    try {
+      const client = new MCPClient(serverConfig, name);
+      await client.connect();
+      mcpClients.set(name, client);
+      const tools = mcpToolsToNotch(client, name);
+      mcpTools.push(...tools);
+      toolCount += tools.length;
+    } catch (err) {
+      console.error(`  MCP server '${name}' failed to connect: ${err.message}`);
+    }
+  }
+  return toolCount;
+}
+function disconnectMCPServers() {
+  for (const [, client] of mcpClients) {
+    client.disconnect();
+  }
+  mcpClients.clear();
+  mcpTools = [];
+}
+var COORDINATOR_ONLY_TOOLS = [
+  agentSpawnTool,
+  agentSendMessageTool,
+  agentStopTool
+];
+function getAllTools(ctx) {
+  const coordinator = !!ctx?.coordinatorMode;
+  if (coordinator) {
+    const allowed = [];
+    for (const t of BUILTIN_TOOLS) {
+      if (COORDINATOR_ALLOWED_TOOL_NAMES.has(t.name)) allowed.push(t);
+    }
+    allowed.push(...COORDINATOR_ONLY_TOOLS);
+    return allowed;
+  }
+  return [...BUILTIN_TOOLS, ...mcpTools, ...pluginManager.getTools()];
+}
+function buildToolMap(ctx) {
+  const map = {};
+  for (const t of getAllTools(ctx)) {
+    map[t.name] = tool({
+      description: t.description,
+      parameters: t.parameters,
+      execute: async (params) => {
+        if (ctx.checkPermission) {
+          await ctx.runHook?.("permission-request", { tool: t.name, args: params });
+          const argRecord = params;
+          const baseLevel = ctx.checkPermission(t.name, argRecord);
+          const surface = ctx.permissionSurface ?? "interactive";
+          const handlerCtx = createHandlerContext({
+            cwd: ctx.cwd,
+            sessionId: ctx.permissionSessionId ?? "session",
+            log: ctx.log,
+            autoConfirm: ctx.autoConfirm,
+            guardianEnabled: !!ctx.guardianModel,
+            subagentId: ctx.subagentId
+          });
+          const decision = await runPermissionCheck(t.name, argRecord, baseLevel, surface, handlerCtx);
+          if (decision.outcome === "deny") {
+            if (surface === "auto-mode") recordAutoModeDenial(decision);
+            await ctx.runHook?.("permission-denied", {
+              tool: t.name,
+              args: params,
+              reason: decision.reason ?? "denied-by-handler",
+              surface
+            });
+            return {
+              content: decision.silent ? `Permission denied: ${decision.reason ?? t.name + " blocked by " + surface + " handler"}` : `Permission denied: ${t.name} \u2014 ${decision.reason ?? "denied by permission handler"}.`,
+              isError: true
+            };
+          }
+          if (decision.outcome === "prompt") {
+            let guardian = null;
+            if (ctx.guardianModel) {
+              try {
+                guardian = await assessRisk(
+                  { tool: t.name, args: argRecord },
+                  ctx.guardianModel
+                );
+              } catch {
+                guardian = null;
+              }
+              if (guardian?.recommended_action === "deny") {
+                await ctx.runHook?.("permission-denied", {
+                  tool: t.name,
+                  args: params,
+                  reason: "guardian-denied",
+                  guardian
+                });
+                return {
+                  content: `Guardian blocked this action (${guardian.severity}): ${guardian.justification}`,
+                  isError: true
+                };
+              }
+            }
+            const guardianCleared = guardian?.recommended_action === "auto-allow" && guardian.severity === "low";
+            if (!guardianCleared) {
+              if (!ctx.requireConfirm) {
+                pushTailNotification(`${surface}: prompt required for ${t.name} but no UI (denied)`);
+                await ctx.runHook?.("permission-denied", {
+                  tool: t.name,
+                  args: params,
+                  reason: "no-ui-to-prompt",
+                  surface
+                });
+                return {
+                  content: `Permission denied: ${t.name} requires a prompt but no interactive UI is attached.`,
+                  isError: true
+                };
+              }
+              const paramSummary = Object.entries(argRecord).map(([k, v]) => `${k}=${String(v).slice(0, 80)}`).join(", ");
+              const basePrompt = `Tool ${t.name}(${paramSummary}) requires approval. Proceed?`;
+              const guardianTag = guardian ? `
+(Guardian: ${guardian.severity} \u2014 ${guardian.justification.slice(0, 200)})` : "";
+              const confirmed = await ctx.confirm(basePrompt + guardianTag);
+              if (!confirmed) {
+                await ctx.runHook?.("permission-denied", { tool: t.name, args: params, reason: "cancelled-by-user" });
+                return { content: "Cancelled by user.", isError: true };
+              }
+              if (surface === "interactive") {
+                recordInteractiveApproval(
+                  ctx.permissionSessionId ?? "session",
+                  t.name,
+                  argRecord
+                );
+              }
+            }
+          }
+        }
+        if (ctx.dryRun && ["write", "edit", "apply_patch", "shell", "git"].includes(t.name)) {
+          const paramSummary = JSON.stringify(params, null, 2).slice(0, 500);
+          return {
+            content: `[DRY RUN] Would execute ${t.name}:
+${paramSummary}`
+          };
+        }
+        await ctx.runHook?.("pre-tool", { tool: t.name, args: params });
+        const result = await t.execute(params, ctx);
+        await ctx.runHook?.("post-tool", {
+          tool: t.name,
+          args: params,
+          result: result.content.slice(0, 500),
+          isError: result.isError ?? false
+        });
+        return result;
+      }
+    });
+  }
+  return map;
+}
+function listToolNames(ctx) {
+  return getAllTools(ctx).map((t) => t.name);
+}
+function describeTools2(ctx) {
+  return getAllTools(ctx).map(
+    (t) => `- **${t.name}**: ${t.description}`
+  ).join("\n");
+}
+function mcpToolCount() {
+  return mcpTools.length;
+}
+
+export {
+  MCPClient,
+  parseMCPConfig,
+  listBuiltinAgents,
+  spawnSubagent,
+  nextSubagentId,
+  pollPendingAgents,
+  drainTailNotifications,
+  setCurrentSurface,
+  initMCPServers,
+  disconnectMCPServers,
+  buildToolMap,
+  listToolNames,
+  describeTools2 as describeTools,
+  mcpToolCount
+};