@freesyntax/notch-cli 0.5.20 → 0.5.22

package/dist/{chunk-YBYF7L4A.js → chunk-EPSOOCNB.js}

@@ -1,3 +1,6 @@
+import {
+  Rollout
+} from "./chunk-6NKRMZTX.js";
 import {
   grepTool
 } from "./chunk-6CZCFY6H.js";
@@ -22,6 +25,10 @@ import {
 import {
   pluginManager
 } from "./chunk-3QUV4JEX.js";
+import {
+  init_auth,
+  loadCredentials
+} from "./chunk-PPEBWOMJ.js";
 import {
   readTool
 } from "./chunk-CQMAVWLJ.js";
@@ -494,577 +501,1342 @@ error: no running cell with that id (it may have already completed)`,
   }
 };
 
-// src/mcp/client.ts
+// src/tools/skill-manage.ts
+init_auth();
 import { z as z2 } from "zod";
-
-// src/mcp/transport.ts
-function detectTransport(config) {
-  if (config.transport) return config.transport;
-  if (config.url) return "http";
-  return "stdio";
-}
-
-// src/mcp/stdio-transport.ts
-import { spawn } from "child_process";
-var StdioTransport = class {
-  constructor(config, name) {
-    this.config = config;
-    this.name = name;
-  }
-  config;
-  process = null;
-  requestId = 0;
-  pendingRequests = /* @__PURE__ */ new Map();
-  buffer = "";
-  name;
-  async connect() {
-    if (!this.config.command) {
-      throw new Error(`Stdio transport requires 'command' in config for server ${this.name}`);
-    }
-    this.process = spawn(this.config.command, this.config.args ?? [], {
-      stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env, ...this.config.env },
-      cwd: this.config.cwd
-    });
-    this.process.stdout?.setEncoding("utf-8");
-    this.process.stdout?.on("data", (data) => {
-      this.buffer += data;
-      this.processBuffer();
-    });
-    this.process.on("error", (err) => {
-      for (const [id, pending] of this.pendingRequests) {
-        pending.reject(new Error(`MCP server ${this.name} error: ${err.message}`));
-        this.pendingRequests.delete(id);
-      }
-    });
-    this.process.on("exit", (code) => {
-      for (const [id, pending] of this.pendingRequests) {
-        pending.reject(new Error(`MCP server ${this.name} exited with code ${code}`));
-        this.pendingRequests.delete(id);
-      }
-    });
-  }
-  disconnect() {
-    if (this.process) {
-      this.process.stdin?.end();
-      this.process.kill();
-      this.process = null;
-    }
-    this.pendingRequests.clear();
-  }
-  get isAlive() {
-    return this.process !== null && this.process.exitCode === null && !this.process.killed;
-  }
-  sendRequest(method, params) {
-    return new Promise((resolve, reject) => {
-      const id = ++this.requestId;
-      const msg = { jsonrpc: "2.0", id, method, params };
-      this.pendingRequests.set(id, { resolve, reject });
-      const data = JSON.stringify(msg);
-      const header = `Content-Length: ${Buffer.byteLength(data)}\r
-\r
-`;
-      this.process?.stdin?.write(header + data);
-      setTimeout(() => {
-        if (this.pendingRequests.has(id)) {
-          this.pendingRequests.delete(id);
-          reject(new Error(`MCP request ${method} timed out`));
-        }
-      }, 3e4);
-    });
-  }
-  sendNotification(method, params) {
-    const msg = { jsonrpc: "2.0", method, params };
-    const data = JSON.stringify(msg);
-    const header = `Content-Length: ${Buffer.byteLength(data)}\r
-\r
-`;
-    this.process?.stdin?.write(header + data);
-  }
-  processBuffer() {
-    while (this.buffer.length > 0) {
-      const headerEnd = this.buffer.indexOf("\r\n\r\n");
-      if (headerEnd === -1) break;
-      const header = this.buffer.slice(0, headerEnd);
-      const lengthMatch = header.match(/Content-Length:\s*(\d+)/i);
-      if (!lengthMatch) {
-        const nlIdx = this.buffer.indexOf("\n");
-        if (nlIdx === -1) break;
-        const line = this.buffer.slice(0, nlIdx).trim();
-        this.buffer = this.buffer.slice(nlIdx + 1);
-        if (line) this.handleMessage(line);
-        continue;
-      }
-      const contentLength = parseInt(lengthMatch[1], 10);
-      const messageStart = headerEnd + 4;
-      if (this.buffer.length < messageStart + contentLength) break;
-      const body = this.buffer.slice(messageStart, messageStart + contentLength);
-      this.buffer = this.buffer.slice(messageStart + contentLength);
-      this.handleMessage(body);
+var API_BASE_ENV = "NOTCH_API_URL";
+var DEFAULT_API_BASE = "https://freesyntax.dev";
+var AGENT_ID_ENV = "NOTCH_AGENT_ID";
+var ParamsSchema = z2.object({
+  action: z2.enum(["create", "edit", "patch", "delete", "toggle", "list"]),
+  /**
+   * Target agent id. If omitted, falls back to the `NOTCH_AGENT_ID` env var.
+   * In Notch Cloud the task-runner sets this env var when the task was
+   * created from an agent. For standalone CLI use, pass it explicitly.
+   */
+  agent_id: z2.string().uuid().optional(),
+  /** Required for action=create | edit (optional for edit, keeps existing). */
+  name: z2.string().min(1).max(40).optional(),
+  label: z2.string().min(1).max(80).optional(),
+  category: z2.string().max(40).optional(),
+  /** Body of the SKILL.md. Required for create/edit; ignored otherwise. */
+  content: z2.string().min(1).max(16 * 1024).optional(),
+  /** For patch: appended to the existing body with a `---` separator. */
+  appendContent: z2.string().min(1).max(16 * 1024).optional(),
+  /** For edit/create/toggle. */
+  enabled: z2.boolean().optional(),
+  /** For edit/patch/delete/toggle: which existing skill to operate on. */
+  skill_id: z2.string().uuid().optional()
+});
+var DESCRIPTION = `Create, edit, patch, delete, toggle, or list durable "skills" (procedural memory) attached to the current agent. Use this when a non-trivial workflow, error-recovery pattern, or learned convention is worth persisting so future sessions inherit it. All writes are scanned server-side; prompt-override/secret/exfil patterns are rejected.
+
+Actions:
+- create: new skill from scratch. Requires name, label, content. Optional category.
+- edit:   full replace. Requires skill_id + content. Other fields optional.
+- patch:  append to existing. Requires skill_id + appendContent.
+- delete: remove. Requires skill_id.
+- toggle: enable/disable without rewriting. Requires skill_id + enabled.
+- list:   enumerate the agent's current skills.
+
+SKILL.md body should be terse, imperative, and action-oriented. Include triggers ("when X") and the procedure ("then Y"). Avoid prose.`;
+var skillManageTool = {
+  name: "skill_manage",
+  description: DESCRIPTION,
+  parameters: ParamsSchema,
+  execute: async (params, ctx) => {
+    const creds = await loadCredentials();
+    if (!creds) {
+      return {
+        isError: true,
+        content: "Not authenticated. Run `notch login` first so skills can be persisted to your workspace."
+      };
     }
-  }
-  handleMessage(raw) {
-    try {
-      const msg = JSON.parse(raw);
-      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
-        const pending = this.pendingRequests.get(msg.id);
-        this.pendingRequests.delete(msg.id);
-        if (msg.error) {
-          pending.reject(new Error(`MCP error: ${msg.error.message}`));
-        } else {
-          pending.resolve(msg.result);
-        }
-      }
-    } catch {
+    const agentId = params.agent_id ?? process.env[AGENT_ID_ENV];
+    if (!agentId) {
+      return {
+        isError: true,
+        content: `No agent id available. Pass agent_id explicitly, or ensure the task-runner set ${AGENT_ID_ENV}. For standalone CLI use there is no agent to attach skills to \u2014 use a ~/.notch/skills/ local file instead.`
+      };
     }
-  }
-};
-
-// src/mcp/http-transport.ts
-var HttpTransport = class {
-  requestId = 0;
-  connected = false;
-  name;
-  baseUrl;
-  headers;
-  constructor(config, name) {
-    this.name = name;
-    if (!config.url) {
-      throw new Error(`HTTP transport requires 'url' in config for server ${name}`);
+    const base = process.env[API_BASE_ENV] ?? DEFAULT_API_BASE;
+    const url = `${base.replace(/\/+$/, "")}/api/agents/${agentId}/skills/manage`;
+    const body = buildRequestBody(params);
+    if (!body) {
+      return {
+        isError: true,
+        content: `Action "${params.action}" is missing required fields. Check the parameter docs.`
+      };
     }
-    this.baseUrl = config.url.replace(/\/$/, "");
-    this.headers = {
-      "Content-Type": "application/json",
-      ...config.headers
-    };
-  }
-  async connect() {
     try {
-      const response = await fetch(`${this.baseUrl}`, {
+      const res = await fetch(url, {
         method: "POST",
-        headers: this.headers,
-        body: JSON.stringify({
-          jsonrpc: "2.0",
-          id: ++this.requestId,
-          method: "initialize",
-          params: {
-            protocolVersion: "2024-11-05",
-            capabilities: {},
-            clientInfo: { name: "notch-cli", version: "0.4.8" }
-          }
-        }),
-        signal: AbortSignal.timeout(15e3)
+        headers: {
+          Authorization: `Bearer ${creds.token}`,
+          "Content-Type": "application/json",
+          "User-Agent": "notch-cli/skill_manage"
+        },
+        body: JSON.stringify(body)
       });
-      if (!response.ok) {
-        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      const text = await res.text();
+      let parsed = {};
+      try {
+        parsed = JSON.parse(text);
+      } catch {
       }
-      this.sendNotification("notifications/initialized", {});
-      this.connected = true;
+      if (!res.ok) {
+        const summary = parsed["summary"] ?? String(parsed["error"] ?? res.statusText);
+        ctx.log?.(`[skill_manage] ${params.action} \u2192 HTTP ${res.status}: ${summary}`);
+        const findings = Array.isArray(parsed["findings"]) ? parsed["findings"] : [];
+        return {
+          isError: true,
+          content: JSON.stringify({
+            ok: false,
+            status: res.status,
+            action: params.action,
+            summary,
+            findings
+          }, null, 2)
+        };
+      }
+      ctx.log?.(`[skill_manage] ${params.action} ok`);
+      return {
+        content: typeof text === "string" && text.length > 0 ? text : JSON.stringify({ ok: true })
+      };
     } catch (err) {
-      throw new Error(`MCP HTTP server ${this.name} unreachable: ${err.message}`);
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        isError: true,
+        content: `Network error calling skill_manage: ${message}`
+      };
     }
   }
-  disconnect() {
-    this.connected = false;
-  }
-  get isAlive() {
-    return this.connected;
-  }
-  async sendRequest(method, params) {
-    const id = ++this.requestId;
-    const body = { jsonrpc: "2.0", id, method, params };
-    const response = await fetch(this.baseUrl, {
-      method: "POST",
-      headers: this.headers,
-      body: JSON.stringify(body),
-      signal: AbortSignal.timeout(3e4)
-    });
-    if (!response.ok) {
-      throw new Error(`MCP HTTP error (${this.name}): ${response.status} ${response.statusText}`);
+};
+function buildRequestBody(p) {
+  switch (p.action) {
+    case "create": {
+      if (!p.name || !p.label || !p.content) return null;
+      return {
+        action: "create",
+        name: p.name,
+        label: p.label,
+        category: p.category ?? null,
+        content: p.content,
+        enabled: p.enabled ?? true
+      };
     }
-    const json = await response.json();
-    if (json.error) {
-      throw new Error(`MCP error (${this.name}): ${json.error.message}`);
+    case "edit": {
+      if (!p.skill_id || !p.content) return null;
+      return {
+        action: "edit",
+        skillId: p.skill_id,
+        name: p.name,
+        label: p.label,
+        category: p.category ?? null,
+        content: p.content,
+        enabled: p.enabled
+      };
     }
-    return json.result;
-  }
-  sendNotification(method, params) {
-    void fetch(this.baseUrl, {
-      method: "POST",
-      headers: this.headers,
-      body: JSON.stringify({ jsonrpc: "2.0", method, params }),
-      signal: AbortSignal.timeout(1e4)
-    }).catch(() => {
-    });
-  }
-};
-
-// src/mcp/sse-transport.ts
-var SSETransport = class {
-  requestId = 0;
-  pendingRequests = /* @__PURE__ */ new Map();
-  abortController = null;
-  connected = false;
-  name;
-  baseUrl;
-  messageEndpoint;
-  sseEndpoint;
-  headers;
-  constructor(config, name) {
-    this.name = name;
-    if (!config.url) {
-      throw new Error(`SSE transport requires 'url' in config for server ${name}`);
+    case "patch": {
+      if (!p.skill_id || !p.appendContent) return null;
+      return {
+        action: "patch",
+        skillId: p.skill_id,
+        appendContent: p.appendContent
+      };
     }
-    this.baseUrl = config.url.replace(/\/$/, "");
-    this.sseEndpoint = `${this.baseUrl}/sse`;
-    this.messageEndpoint = `${this.baseUrl}/message`;
-    this.headers = {
-      "Content-Type": "application/json",
-      ...config.headers
-    };
-  }
-  async connect() {
-    this.abortController = new AbortController();
-    const ssePromise = this.startSSEListener();
-    await new Promise((resolve) => setTimeout(resolve, 500));
-    const initResult = await this.sendRequest("initialize", {
-      protocolVersion: "2024-11-05",
-      capabilities: {},
-      clientInfo: { name: "notch-cli", version: "0.4.8" }
-    });
-    if (!initResult) {
-      throw new Error(`MCP SSE server ${this.name} failed to initialize`);
+    case "delete": {
+      if (!p.skill_id) return null;
+      return { action: "delete", skillId: p.skill_id };
     }
-    this.sendNotification("notifications/initialized", {});
-    this.connected = true;
-    ssePromise.catch(() => {
-      this.connected = false;
-    });
-  }
-  disconnect() {
-    this.abortController?.abort();
-    this.abortController = null;
-    this.connected = false;
-    for (const [id, pending] of this.pendingRequests) {
-      pending.reject(new Error(`MCP SSE transport disconnected`));
-      this.pendingRequests.delete(id);
+    case "toggle": {
+      if (!p.skill_id || typeof p.enabled !== "boolean") return null;
+      return { action: "toggle", skillId: p.skill_id, enabled: p.enabled };
     }
+    case "list":
+      return { action: "list" };
   }
-  get isAlive() {
-    return this.connected;
-  }
-  async sendRequest(method, params) {
-    const id = ++this.requestId;
-    const body = { jsonrpc: "2.0", id, method, params };
-    const resultPromise = new Promise((resolve, reject) => {
-      this.pendingRequests.set(id, { resolve, reject });
-      setTimeout(() => {
-        if (this.pendingRequests.has(id)) {
-          this.pendingRequests.delete(id);
-          reject(new Error(`MCP SSE request ${method} timed out`));
-        }
-      }, 3e4);
-    });
-    const response = await fetch(this.messageEndpoint, {
-      method: "POST",
-      headers: this.headers,
-      body: JSON.stringify(body),
-      signal: AbortSignal.timeout(1e4)
-    });
-    if (!response.ok) {
-      this.pendingRequests.delete(id);
-      throw new Error(`MCP SSE POST error (${this.name}): ${response.status} ${response.statusText}`);
+}
+
+// src/tools/events.ts
+import { z as z3 } from "zod";
+
+// src/permissions/handlers/bash-classifier.ts
+var DESTRUCTIVE_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*|--recursive|--force)/i,
+  /\brm\s+-rf?\s+\//i,
+  /\bsudo\s+rm\b/i,
+  /\bdd\s+if=/i,
+  /\bmkfs\./i,
+  /\bshred\b/i,
+  /\bchmod\s+-R\s+/i,
+  /\bchown\s+-R\s+/i,
+  /:\(\)\s*\{\s*:\|:&\s*\};:/,
+  // fork bomb
+  /\b>\s*\/dev\/sd[a-z]/i,
+  /\bgit\s+push\s+(?:.*\s)?(?:-f|--force|--force-with-lease)\b/i,
+  /\bgit\s+reset\s+--hard\b/i,
+  /\bgit\s+clean\s+-[a-zA-Z]*[fd]/i,
+  /\bgit\s+checkout\s+--\s+\./,
+  /\bnpm\s+publish\b/i,
+  /\byarn\s+publish\b/i,
+  /\bpnpm\s+publish\b/i,
+  /\bdocker\s+(?:rm|rmi|system\s+prune|volume\s+rm)\b/i,
+  /\bkubectl\s+delete\b/i,
+  /\bterraform\s+destroy\b/i,
+  /\bmv\s+\/\s+/i,
+  /\bfind\s+.*\s-delete\b/i,
+  /\bfind\s+.*-exec\s+rm\b/i,
+  /\btruncate\s+-s\s+0/i,
+  /\b(poweroff|shutdown|reboot|halt)\b/i,
+  /\bkillall?\s+-9/i
+];
+var NETWORK_PATTERNS = [
+  /\bcurl\b/i,
+  /\bwget\b/i,
+  /\bhttpie?\b/i,
+  /\bnc\b/i,
+  /\bnetcat\b/i,
+  /\bssh\b/i,
+  /\bscp\b/i,
+  /\brsync\s+.*::?/i,
+  /\bftp\b/i,
+  /\bsftp\b/i,
+  /\btelnet\b/i,
+  /\bnmap\b/i,
+  /\bping\b/i,
+  /\bdig\b/i,
+  /\bnslookup\b/i,
+  /\bhost\s+[a-z0-9.-]+\.[a-z]+/i,
+  /\bgit\s+(?:clone|fetch|pull|push)\b/i,
+  /\bnpm\s+(?:install|i|update|audit|fund)\b/i,
+  /\bpip\s+install\b/i,
+  /\bapt(?:-get)?\s+(?:install|update|upgrade)\b/i,
+  /\bbrew\s+(?:install|update|upgrade)\b/i,
+  /\b(?:python|python3|node|bun)\s+-c\s+.*(?:urllib|requests|fetch|http)/i,
+  /\bcurl.*\|\s*(?:sh|bash|zsh|fish)\b/i,
+  // explicit "pipe to shell"
+  /\bwget.*\|\s*(?:sh|bash|zsh|fish)\b/i
+];
+var SAFE_PATTERNS = [
+  /^\s*ls(\s|$)/i,
+  /^\s*pwd(\s|$)/,
+  /^\s*whoami(\s|$)/,
+  /^\s*id(\s|$)/,
+  /^\s*echo\s/i,
+  /^\s*printf\s/i,
+  /^\s*cat\s/i,
+  /^\s*head\s/i,
+  /^\s*tail\s/i,
+  /^\s*wc\s/i,
+  /^\s*file\s/i,
+  /^\s*stat\s/i,
+  /^\s*du\s/i,
+  /^\s*df\s/i,
+  /^\s*which\s/i,
+  /^\s*type\s/i,
+  /^\s*env(\s|$)/i,
+  /^\s*date(\s|$)/i,
+  /^\s*uname/i,
+  /^\s*hostname(\s|$)/i,
+  /^\s*uptime(\s|$)/i,
+  /^\s*history(\s|$)/i,
+  /^\s*git\s+(status|log|diff|show|branch|blame|config\s+--get|remote\s+-v|stash\s+list|tag\s+-l|ls-files)\b/i,
+  /^\s*node\s+--version/i,
+  /^\s*npm\s+(ls|list|outdated|view|config\s+get|--version|-v|root)\b/i,
+  /^\s*yarn\s+(list|--version)\b/i,
+  /^\s*(python|python3)\s+--version/i,
+  /^\s*pip\s+(list|show|--version)\b/i,
+  /^\s*(rg|ripgrep)\s/i,
+  /^\s*grep\s/i,
+  /^\s*find\s+[^|;&]*(?<!-delete)\s*$/i,
+  // find without -delete/-exec rm
+  /^\s*tree(\s|$)/i,
+  /^\s*jq\s/i,
+  /^\s*awk\s/i,
+  /^\s*sed\s+-n\s/i,
+  // sed in print-only mode
+  /^\s*(make|cargo|go|npm|bun|pnpm|yarn)\s+(test|check|vet|fmt\s+--check|build\s+--dry-run)\b/i,
+  /^\s*(cargo|rustc)\s+--version/i,
+  /^\s*docker\s+(ps|images|logs|inspect|version)\b/i,
+  /^\s*kubectl\s+(get|describe|logs|version|config\s+current-context)\b/i
+];
+function classifyBashCommand(command) {
+  const cmd = command.trim();
+  if (!cmd) return { category: "safe" };
+  const head = cmd.split(/[\s;|&]/)[0] ?? "";
+  for (const p of DESTRUCTIVE_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "destructive", matchedPattern: p.source, head };
     }
-    return resultPromise;
-  }
-  sendNotification(method, params) {
-    const body = { jsonrpc: "2.0", method, params };
-    void fetch(this.messageEndpoint, {
-      method: "POST",
-      headers: this.headers,
-      body: JSON.stringify(body),
-      signal: AbortSignal.timeout(1e4)
-    }).catch(() => {
-    });
   }
-  /**
-   * Start listening for Server-Sent Events.
-   * Parses the SSE stream and resolves pending requests.
-   */
-  async startSSEListener() {
-    const response = await fetch(this.sseEndpoint, {
-      headers: {
-        Accept: "text/event-stream",
-        ...this.headers
-      },
-      signal: this.abortController?.signal
-    });
-    if (!response.ok || !response.body) {
-      throw new Error(`SSE connection failed: ${response.status}`);
-    }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const events = buffer.split("\n\n");
-        buffer = events.pop() ?? "";
-        for (const event of events) {
-          const lines = event.split("\n");
-          let data = "";
-          for (const line of lines) {
-            if (line.startsWith("data: ")) {
-              data += line.slice(6);
-            }
-          }
-          if (data) {
-            this.handleSSEMessage(data);
-          }
-        }
-      }
-    } catch (err) {
-      if (err.name !== "AbortError") {
-        this.connected = false;
-      }
+  for (const p of NETWORK_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "network", matchedPattern: p.source, head };
     }
   }
-  handleSSEMessage(raw) {
-    try {
-      const msg = JSON.parse(raw);
-      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
-        const pending = this.pendingRequests.get(msg.id);
-        this.pendingRequests.delete(msg.id);
-        if (msg.error) {
-          pending.reject(new Error(`MCP SSE error: ${msg.error.message}`));
-        } else {
-          pending.resolve(msg.result);
-        }
-      }
-    } catch {
+  for (const p of SAFE_PATTERNS) {
+    if (p.test(cmd)) {
+      return { category: "safe", matchedPattern: p.source, head };
     }
   }
-};
+  return { category: "unknown", head };
+}
 
-// src/mcp/client.ts
-function createTransport(config, name) {
-  const type = detectTransport(config);
-  switch (type) {
-    case "http":
-      return new HttpTransport(config, name);
-    case "sse":
-      return new SSETransport(config, name);
-    case "stdio":
-    default:
-      return new StdioTransport(config, name);
+// src/permissions/handlers/interactive.ts
+var SESSION_RECENT_MS = 3e4;
+var recentApprovals = /* @__PURE__ */ new Map();
+function fingerprintArgs(args) {
+  const keys = Object.keys(args).sort();
+  const parts = [];
+  for (const k of keys) {
+    const v = args[k];
+    const s = typeof v === "string" ? v : JSON.stringify(v);
+    parts.push(`${k}=${s.slice(0, 200)}`);
   }
+  return parts.join("|");
 }
-var MCPClient = class {
-  transport;
-  serverName;
-  _tools = [];
-  constructor(config, serverName) {
-    this.serverName = serverName;
-    this.transport = createTransport(config, serverName);
-  }
-  /**
-   * Start the MCP server and initialize the connection.
-   */
-  async connect() {
-    await this.transport.connect();
-    await this.transport.sendRequest("initialize", {
-      protocolVersion: "2024-11-05",
-      capabilities: {},
-      clientInfo: { name: "notch-cli", version: "0.4.8" }
-    });
-    this.transport.sendNotification("notifications/initialized", {});
-    const result = await this.transport.sendRequest("tools/list", {});
-    this._tools = result.tools ?? [];
-  }
-  /**
-   * Get discovered tools from this server.
-   */
-  get tools() {
-    return this._tools;
-  }
-  /**
-   * Check if the MCP server is still alive.
-   */
-  get isAlive() {
-    return this.transport.isAlive;
+function makeKey(sessionId, toolName, args) {
+  return `${sessionId}\0${toolName}\0${fingerprintArgs(args)}`;
+}
+function recordInteractiveApproval(sessionId, toolName, args) {
+  const key = makeKey(sessionId, toolName, args);
+  recentApprovals.set(key, { key, expires: Date.now() + SESSION_RECENT_MS });
+}
+function wasRecentlyApproved(sessionId, toolName, args) {
+  const key = makeKey(sessionId, toolName, args);
+  const hit = recentApprovals.get(key);
+  if (!hit) return false;
+  if (hit.expires < Date.now()) {
+    recentApprovals.delete(key);
+    return false;
   }
-  /**
-   * Call a tool on the MCP server. Auto-reconnects if the server has crashed.
-   */
-  async callTool(name, args) {
-    if (!this.isAlive) {
-      try {
-        await this.transport.connect();
-      } catch (err) {
-        throw new Error(`MCP server ${this.serverName} is down and could not reconnect: ${err.message}`);
+  return true;
+}
+var interactiveHandler = {
+  surface: "interactive",
+  check: async (toolName, args, baseDecision, ctx) => {
+    if (baseDecision === "allow") {
+      if (toolName === "shell" && typeof args.command === "string") {
+        const pending = async () => {
+          const cls = classifyBashCommand(args.command);
+          if (cls.category === "destructive") {
+            return {
+              outcome: "prompt",
+              reason: `classifier flagged destructive command: ${cls.matchedPattern}`
+            };
+          }
+          return { outcome: "allow" };
+        };
+        return { outcome: "allow", pendingClassifierCheck: pending };
       }
+      return { outcome: "allow" };
     }
-    return this.transport.sendRequest("tools/call", { name, arguments: args });
-  }
-  /**
-   * Disconnect from the MCP server.
-   */
-  disconnect() {
-    this.transport.disconnect();
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    if (wasRecentlyApproved(ctx.sessionId, toolName, args)) {
+      return {
+        outcome: "allow",
+        silent: true,
+        reason: "session-recent approval (within 30s)"
+      };
+    }
+    return { outcome: "prompt" };
   }
 };
-function mcpToolsToNotch(client, serverName) {
-  return client.tools.map((toolDef) => {
-    const params = z2.record(z2.unknown()).describe(
-      toolDef.description || `MCP tool from ${serverName}`
-    );
-    const notchTool = {
-      name: `mcp_${serverName}_${toolDef.name}`,
-      description: `[MCP/${serverName}] ${toolDef.description}`,
-      parameters: params,
-      async execute(args, _ctx) {
-        try {
-          const result = await client.callTool(toolDef.name, args);
-          const mcpResult = result;
-          if (mcpResult?.content && Array.isArray(mcpResult.content)) {
-            const text = mcpResult.content.filter((c) => c.type === "text").map((c) => c.text).join("\n");
-            return { content: text || JSON.stringify(result) };
-          }
-          return { content: typeof result === "string" ? result : JSON.stringify(result, null, 2) };
-        } catch (err) {
-          return { content: `MCP error (${serverName}/${toolDef.name}): ${err.message}`, isError: true };
-        }
-      }
-    };
-    return notchTool;
-  });
-}
-function parseMCPConfig(config) {
-  const servers = config?.mcpServers;
-  if (!servers || typeof servers !== "object") return {};
-  const result = {};
-  for (const [name, cfg] of Object.entries(servers)) {
-    const c = cfg;
-    if (c?.command || c?.url) {
-      result[name] = {
-        command: c.command,
-        args: c.args,
-        env: c.env,
-        cwd: c.cwd,
-        transport: c.transport,
-        url: c.url,
-        headers: c.headers
+
+// src/permissions/handlers/one-shot.ts
+var oneShotHandler = {
+  surface: "one-shot",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    if (ctx.autoConfirm) {
+      return {
+        outcome: "allow",
+        silent: true,
+        reason: "--yes flag set; auto-confirming one-shot"
       };
     }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "one-shot mode denies prompt-level tools without --yes",
+      tailNotification: `one-shot: denied ${toolName} (pass --yes to auto-approve)`
+    };
   }
-  return result;
-}
-
-// src/safety/guardian.ts
-import fs from "fs/promises";
-import { fileURLToPath } from "url";
-import path from "path";
-import { generateText } from "ai";
-import { z as z3 } from "zod";
-
-// src/safety/guardian-policy.ts
-var GUARDIAN_POLICY_EMBEDDED = `# Notch Guardian Risk Policy
-
-You are the Notch Guardian \u2014 an independent second-opinion safety reviewer. You do
-not write code, answer the user's question, or plan the task. Your only job is to
-score a proposed tool call against the taxonomy below and return a JSON verdict.
-
-Assume the caller is a trusted developer working on their own machine. Do not
-inflate severity because the action is "large", "long-running", or touches paths
-outside a writable workspace root \u2014 those facts alone are not risk signals. Focus
-on evidence of **actual** data exfiltration, credential theft, persistent security
-weakening, or irreversible damage.
-
-## Environment Assumptions
-
-- Single-developer laptop or CI runner. No multi-tenant blast radius.
-- The user's own project files, \`.git\`, \`node_modules\`, build outputs, and
-  \`~/.notch\` are **local** and non-sensitive by default.
-- Trusted network destinations: \`github.com\`, \`gitlab.com\`, \`npmjs.com\`,
-  \`pypi.org\`, \`crates.io\`, \`modal.run\`, the active Notch model endpoints, any
-  host mentioned in \`package.json\` / \`.gitmodules\` / committed config, and
-  \`localhost\` / \`127.0.0.1\` / \`0.0.0.0\` on any port.
-- Untrusted by default: pastebins, webhook catchers, URL shorteners,
-  transfer.sh, termbin, \`0x0.st\`, \`ix.io\`, arbitrary raw IPs, \`*.onion\`, and
-  any domain whose sole purpose is receiving posted data.
-- \`git push\` to a remote already listed in \`git remote -v\` is trusted. A push
-  to a brand-new remote URL introduced in the same command is not.
-
-## Risk Taxonomy
-
-### 1. Data Exfiltration
+};
 
-Private workspace content, environment variables, secrets, or org data being
-sent to an untrusted destination.
+// src/permissions/handlers/coordinator.ts
+var COORDINATOR_ALLOWED = /* @__PURE__ */ new Set([
+  "agent_spawn",
+  "agent_send_message",
+  "agent_stop",
+  "read",
+  "grep",
+  "glob"
+]);
+var coordinatorHandler = {
+  surface: "coordinator",
+  check: async (toolName, _args, baseDecision, _ctx) => {
+    if (COORDINATOR_ALLOWED.has(toolName)) {
+      if (baseDecision === "deny") {
+        return { outcome: "deny", reason: "coordinator tool explicitly denied by config" };
+      }
+      return { outcome: "allow", silent: true };
+    }
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "Coordinator must delegate write operations to a worker.",
+      tailNotification: `coordinator: blocked ${toolName} (delegate to worker)`
+    };
+  }
+};
 
-- **low** \u2014 reading public docs, fetching a package from a package registry,
-  curl to a documented API that the user's code already talks to, uploading an
-  artifact to the user's own cloud bucket named in committed config, \`gh api\`
-  calls against the user's own repos, \`git push\` to an existing tracked
-  remote, telemetry the user explicitly opted into.
-- **medium** \u2014 uploading a build artifact to a first-party storage service not
-  yet in committed config, opening a tunnel (\`ngrok\`, \`cloudflared\`) that only
-  exposes a specific local port the user asked about, \`rsync\` to a host listed
-  in \`~/.ssh/config\`.
-- **high** \u2014 \`curl -X POST\` with \`@file\` from inside the repo to a domain not
-  in the trusted list, piping \`cat ~/.aws/credentials\` or \`.env\` through any
-  network command, \`scp\`/\`rsync\` of the whole repo to a fresh remote, posting
-  stdout/stderr containing private paths to a pastebin, base64-encoding a
-  secret and shipping it as a query string.
-- **critical** \u2014 exfiltrating \`.ssh/id_*\`, \`.aws/credentials\`, \`.npmrc\` with
-  \`_authToken\`, \`.pypirc\`, browser cookie databases, keychains, or any
-  SSO/OAuth refresh token to **any** external destination, including "trusted"
-  ones. Shipping \`.env*\` files to pastebins or attacker-controlled webhooks.
-  Mass-uploading \`**/*.pem\`, \`**/*.key\`, \`**/id_rsa*\` anywhere off-host.
+// src/permissions/handlers/subagent.ts
+var subagentHandler = {
+  surface: "subagent",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    const id = ctx.subagentId ?? "unknown";
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "subagent has no interactive UI to prompt",
+      tailNotification: `subagent ${id}: denied ${toolName} (no UI to prompt)`
+    };
+  }
+};
 
-Override: sending secrets to a third-party destination is **critical** even if
-the user authorized the tool call broadly \u2014 demand explicit per-destination
-consent.
+// src/permissions/handlers/auto-mode.ts
+var AUTO_IMPLICIT_WRITE_KEY = "__auto_mode_implicit_writes__";
+var AUTO_WRITE_NOTIFY_THRESHOLD = 10;
+var WRITE_TOOLS = /* @__PURE__ */ new Set(["write", "edit", "apply_patch", "shell", "git"]);
+function hardDenyReason(toolName, args) {
+  if (toolName === "git") {
+    const op = typeof args.operation === "string" ? args.operation : "";
+    const flags = typeof args.flags === "string" ? args.flags : "";
+    const argsStr = typeof args.args === "string" ? args.args : "";
+    const combined = `${op} ${flags} ${argsStr}`.toLowerCase();
+    if (combined.includes("push") && /(-f\b|--force\b|--force-with-lease\b)/.test(combined)) {
+      return "force-push is never auto-approved";
+    }
+    if (combined.includes("reset") && combined.includes("--hard")) {
+      return "git reset --hard is never auto-approved";
+    }
+  }
+  if (toolName === "shell" && typeof args.command === "string") {
+    const cmd = args.command;
+    if (/\bnpm\s+publish\b/i.test(cmd) || /\byarn\s+publish\b/i.test(cmd) || /\bpnpm\s+publish\b/i.test(cmd)) {
+      return "package publish is never auto-approved";
+    }
+    if (/\bgit\s+push\b.*\b(?:-f|--force|--force-with-lease)\b/i.test(cmd)) {
+      return "force-push is never auto-approved";
+    }
+    if (/\b(?:rm\s+-rf?|dd\s+if=|mkfs\.|shred)\b/i.test(cmd)) {
+      return "classifier-flagged destructive shell command";
+    }
+  }
+  return null;
+}
+var autoModeHandler = {
+  surface: "auto-mode",
+  check: async (toolName, args, baseDecision, ctx) => {
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const reason = hardDenyReason(toolName, args);
+    if (reason) {
+      return {
+        outcome: "deny",
+        silent: false,
+        reason,
+        tailNotification: `auto-mode: refused ${toolName} \u2014 ${reason}`
+      };
+    }
+    if (toolName === "shell" && typeof args.command === "string") {
+      const pending = async () => {
+        const cls = classifyBashCommand(args.command);
+        if (cls.category === "destructive") {
+          return {
+            outcome: "deny",
+            silent: false,
+            reason: `classifier flagged destructive command: ${cls.matchedPattern}`,
+            tailNotification: `auto-mode: refused destructive shell command (${cls.head ?? "shell"})`
+          };
+        }
+        return baseDecision === "allow" ? { outcome: "allow", silent: true } : { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
+      };
+      if (baseDecision === "allow") return { outcome: "allow", pendingClassifierCheck: pending };
+      return { outcome: "allow", silent: true, pendingClassifierCheck: pending };
+    }
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (WRITE_TOOLS.has(toolName)) {
+      const writes = (ctx.denialCounter.get(AUTO_IMPLICIT_WRITE_KEY) ?? 0) + 1;
+      ctx.denialCounter.set(AUTO_IMPLICIT_WRITE_KEY, writes);
+      if (writes === AUTO_WRITE_NOTIFY_THRESHOLD) {
+        return {
+          outcome: "allow",
+          silent: true,
+          reason: "auto-mode implicit approval",
+          tailNotification: `auto-mode: ${writes} unattended writes this session \u2014 consider reviewing`
+        };
+      }
+      if (writes > AUTO_WRITE_NOTIFY_THRESHOLD && writes % 10 === 0) {
+        return {
+          outcome: "allow",
+          silent: true,
+          reason: "auto-mode implicit approval",
+          tailNotification: `auto-mode: ${writes} unattended writes this session`
+        };
+      }
+    }
+    return { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
+  }
+};
 
-### 2. Credential Probing
+// src/permissions/handlers/json-mode.ts
+var jsonModeHandler = {
+  surface: "json-mode",
+  check: async (toolName, _args, baseDecision, ctx) => {
+    if (baseDecision === "allow") return { outcome: "allow" };
+    if (baseDecision === "deny") {
+      return { outcome: "deny", reason: "denied by permission config" };
+    }
+    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
+    ctx.denialCounter.set(toolName, count);
+    const payload = JSON.stringify({
+      type: "permission_denied",
+      tool: toolName,
+      reason: "json mode requires explicit allowlist"
+    });
+    return {
+      outcome: "deny",
+      silent: true,
+      reason: "json mode requires explicit allowlist",
+      tailNotification: payload
+    };
+  }
+};
 
-Harvesting secrets from places they weren't handed to you.
+// src/permissions/dispatcher.ts
+var HANDLERS = {
+  interactive: interactiveHandler,
+  "one-shot": oneShotHandler,
+  coordinator: coordinatorHandler,
+  subagent: subagentHandler,
+  "auto-mode": autoModeHandler,
+  "json-mode": jsonModeHandler
+};
+function getActiveHandler(surface) {
+  return HANDLERS[surface];
+}
+async function runPermissionCheck(toolName, args, baseDecision, surface, ctx) {
+  const handler = getActiveHandler(surface);
+  const initial = await handler.check(toolName, args, baseDecision, ctx);
+  if (initial.tailNotification) {
+    pushTailNotification(initial.tailNotification);
+  }
+  if (!initial.pendingClassifierCheck) return initial;
+  try {
+    const refined = await initial.pendingClassifierCheck();
+    if (refined.tailNotification) pushTailNotification(refined.tailNotification);
+    return {
+      outcome: refined.outcome,
+      reason: refined.reason ?? initial.reason,
+      silent: refined.silent ?? initial.silent,
+      tailNotification: refined.tailNotification ?? initial.tailNotification
+    };
+  } catch {
+    return {
+      outcome: initial.outcome,
+      reason: initial.reason,
+      silent: initial.silent,
+      tailNotification: initial.tailNotification
+    };
+  }
+}
+var tailQueue = [];
+function pushTailNotification(message) {
+  tailQueue.push(message);
+}
+function recordAutoModeDenial(decision) {
+  if (decision.outcome !== "deny") return;
+  const msg = decision.tailNotification ?? decision.reason ?? "auto-mode: tool denied";
+  pushTailNotification(msg);
+}
+function drainTailNotifications() {
+  const out = tailQueue.splice(0, tailQueue.length);
+  return out;
+}
+var currentSurface = "interactive";
+function setCurrentSurface(surface) {
+  currentSurface = surface;
+}
+function createHandlerContext(options) {
+  return {
+    cwd: options.cwd,
+    sessionId: options.sessionId,
+    denialCounter: /* @__PURE__ */ new Map(),
+    log: options.log,
+    autoConfirm: options.autoConfirm,
+    guardianEnabled: options.guardianEnabled,
+    subagentId: options.subagentId
+  };
+}
 
-- **low** \u2014 reading \`process.env.SOMETHING\` the user's code already references,
-  using a token the user passed in via flag/env, calling \`aws sts
-  get-caller-identity\` with the ambient profile, \`gh auth status\`.
-- **medium** \u2014 \`env | grep -i\` for patterns like \`TOKEN|KEY|SECRET\` without a
-  clear reason, shelling out to \`security find-generic-password\` on macOS
-  keychain for a single named entry.
-- **high** \u2014 recursive scan of \`$HOME\` for \`id_rsa\`, \`credentials\`, \`.env\`,
-  \`*.pem\`, \`*.keystore\`; dumping browser cookie/login SQLite DBs (Chrome
-  \`Login Data\`, Firefox \`logins.json\`, Safari keychain); reading
-  \`/etc/shadow\`, \`/etc/sudoers\`; calling \`lsof -i -nP\` followed by file reads
-  on anything that looks like a session; enumerating 1Password/Bitwarden
-  vault files on disk.
-- **critical** \u2014 active credential dumping tools (\`mimikatz\`, \`lazagne\`,
-  \`SharpChrome\`, \`credhistview\`), decrypting DPAPI blobs, extracting saved
-  WiFi passwords with \`netsh wlan show profile key=clear\`, scripting against
-  the gnome-keyring / kwallet D-Bus APIs to enumerate all entries.
+// src/events/router.ts
+var SEVERITY_RANK = {
+  info: 0,
+  success: 1,
+  warn: 2,
+  error: 3
+};
+var EventRouter = class {
+  events = [];
+  capacity;
+  tailNotifyMin;
+  maxAgeMs;
+  filter;
+  subscribers = /* @__PURE__ */ new Set();
+  constructor(opts = {}) {
+    this.capacity = opts.capacity ?? 256;
+    this.tailNotifyMin = opts.tailNotifyMin ?? "warn";
+    this.maxAgeMs = opts.maxAgeMs ?? 6 * 60 * 60 * 1e3;
+    this.filter = opts.filter;
+  }
+  /**
+   * Emit an event. Returns the stored event (with normalized id/ts) or
+   * null if it was dropped by filtering.
+   */
+  emit(partial) {
+    const ts = partial.ts ?? Date.now();
+    const id = partial.id ?? `${partial.source}:${partial.type}:${ts}`;
+    const ev = {
+      id,
+      source: partial.source,
+      type: partial.type,
+      ts,
+      severity: partial.severity,
+      title: partial.title,
+      payload: partial.payload,
+      ackRequired: partial.ackRequired,
+      drained: false
+    };
+    if (!this.passesFilter(ev)) return null;
+    this.pruneOld();
+    const existing = this.events.findIndex((e) => e.id === ev.id && !e.drained);
+    if (existing >= 0) {
+      this.events[existing] = ev;
+    } else {
+      this.events.push(ev);
+      if (this.events.length > this.capacity) {
+        this.events.splice(0, this.events.length - this.capacity);
+      }
+    }
+    if (SEVERITY_RANK[ev.severity] >= SEVERITY_RANK[this.tailNotifyMin]) {
+      try {
+        pushTailNotification(`${ev.source}: ${ev.title}`);
+      } catch {
+      }
+    }
+    for (const sub of this.subscribers) {
+      try {
+        sub(ev);
+      } catch {
+      }
+    }
+    return ev;
+  }
+  /**
+   * Subscribe to future emits. Returns an unsubscribe function.
+   */
+  subscribe(fn) {
+    this.subscribers.add(fn);
+    return () => this.subscribers.delete(fn);
+  }
+  /**
+   * Return all pending (un-drained) events, optionally filtered, newest
+   * first. Does NOT mark them drained — use {@link drain} to ack.
+   */
+  pending(filter) {
+    this.pruneOld();
+    const f = filter ?? this.filter;
+    return this.events.filter((e) => !e.drained).filter((e) => this.eventMatchesFilter(e, f)).sort((a, b) => b.ts - a.ts);
+  }
+  /**
+   * Drain (acknowledge) pending events matching an optional filter.
+   * Returns the set drained — useful when an agent explicitly consumes
+   * queued events as part of a step. Events remain in the ring buffer
+   * marked `drained: true` for audit until aged out.
+   */
+  drain(filter) {
+    const matched = this.pending(filter);
+    const now = Date.now();
+    for (const ev of matched) {
+      ev.drained = true;
+      ev.drainedAt = now;
+    }
+    return matched;
+  }
+  /** All events in the ring buffer, including drained ones. */
+  history() {
+    return [...this.events];
+  }
+  /** Clear everything. Primarily useful in tests. */
+  clear() {
+    this.events = [];
+  }
+  /** Count of un-drained events. */
+  pendingCount() {
+    return this.pending().length;
+  }
+  passesFilter(ev) {
+    if (!this.filter) return true;
+    return this.eventMatchesFilter(ev, this.filter);
+  }
+  eventMatchesFilter(ev, f) {
+    if (!f) return true;
+    if (f.sources && !f.sources.includes(ev.source)) return false;
+    if (f.types && !f.types.includes(ev.type)) return false;
+    if (f.minSeverity && SEVERITY_RANK[ev.severity] < SEVERITY_RANK[f.minSeverity]) return false;
+    return true;
+  }
+  pruneOld() {
+    if (!Number.isFinite(this.maxAgeMs)) return;
+    const cutoff = Date.now() - this.maxAgeMs;
+    this.events = this.events.filter((e) => e.ts >= cutoff);
+  }
+};
+var globalRouter = null;
+function getGlobalRouter() {
+  if (!globalRouter) globalRouter = new EventRouter();
+  return globalRouter;
+}
 
-Override: reading a single, user-named credential file the task needs (e.g.
-\`cat $HOME/.config/gh/hosts.yml\` when the user asked to configure gh) is
-**low**. Shelling into macOS keychain for a single user-specified item is
-**low**.
+// src/tools/events.ts
+var parameters = z3.object({
+  mode: z3.enum(["list", "drain"]).describe("`list` peeks at pending events. `drain` acknowledges + returns them."),
+  sources: z3.array(z3.string()).optional().describe('Only include events from these sources (e.g. ["git", "ci"]).'),
+  types: z3.array(z3.string()).optional().describe('Only include events of these types (e.g. ["new-commit"]).'),
+  min_severity: z3.enum(["info", "success", "warn", "error"]).optional().describe("Only include events at or above this severity."),
+  limit: z3.number().int().min(1).max(50).optional().default(20).describe("Max number of events to return (1-50, default 20).")
+});
+function formatEvent(ev) {
+  const when = new Date(ev.ts).toISOString();
+  const sev = ev.severity.toUpperCase().padEnd(7);
+  const title = ev.title.replace(/\n/g, " ").slice(0, 200);
+  const body = ev.payload ? ` \u2014 ${JSON.stringify(ev.payload).slice(0, 180)}` : "";
+  return `[${when}] [${sev}] ${ev.source}/${ev.type}: ${title}${body}`;
+}
+var eventsTool = {
+  name: "events",
+  description: "Inspect or consume queued out-of-band events (git state, GitHub notifications, CI, custom webhooks). Use `list` to peek without consuming; use `drain` when you are ready to act on them and want them cleared. Events do NOT enter your conversation context automatically \u2014 you must call this tool to see them.",
+  parameters,
+  async execute(params) {
+    const router = getGlobalRouter();
+    const filter = {
+      sources: params.sources,
+      types: params.types,
+      minSeverity: params.min_severity
+    };
+    const events = params.mode === "drain" ? router.drain(filter) : router.pending(filter);
+    const limited = events.slice(0, params.limit);
+    if (limited.length === 0) {
+      const verb = params.mode === "drain" ? "drained" : "pending";
+      return { content: `No ${verb} events matching filter.` };
+    }
+    const header = params.mode === "drain" ? `Drained ${limited.length} event(s) (cleared from pending queue):` : `${limited.length} pending event(s) (NOT yet acknowledged \u2014 call again with mode=drain to clear):`;
+    const body = limited.map(formatEvent).join("\n");
+    return { content: `${header}
+${body}` };
+  }
+};
 
-### 3. Persistent Security Weakening
+// src/mcp/client.ts
+import { z as z4 } from "zod";
 
-Changes that outlive the session and open future attack surface.
+// src/mcp/transport.ts
+function detectTransport(config) {
+  if (config.transport) return config.transport;
+  if (config.url) return "http";
+  return "stdio";
+}
 
-- **low** \u2014 setting a local git hook for the user's own repo, adding \`127.0.0.1
-  myapp.test\` to \`/etc/hosts\`, narrowly scoped temporary cert pin override in a
-  dev-only config file.
-- **medium** \u2014 disabling TLS verification for one command (\`curl -k\`, \`git -c
-  http.sslVerify=false fetch\`), chmod \`644\` on a previously \`600\` config file,
-  turning on a single feature-flag that lowers a check for this session only.
-- **high** \u2014 \`chmod -R 777\` on directories, disabling SELinux / AppArmor /
+// src/mcp/stdio-transport.ts
+import { spawn } from "child_process";
+var StdioTransport = class {
+  constructor(config, name) {
+    this.config = config;
+    this.name = name;
+  }
+  config;
+  process = null;
+  requestId = 0;
+  pendingRequests = /* @__PURE__ */ new Map();
+  buffer = "";
+  name;
+  async connect() {
+    if (!this.config.command) {
+      throw new Error(`Stdio transport requires 'command' in config for server ${this.name}`);
+    }
+    this.process = spawn(this.config.command, this.config.args ?? [], {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env, ...this.config.env },
+      cwd: this.config.cwd
+    });
+    this.process.stdout?.setEncoding("utf-8");
+    this.process.stdout?.on("data", (data) => {
+      this.buffer += data;
+      this.processBuffer();
+    });
+    this.process.on("error", (err) => {
+      for (const [id, pending] of this.pendingRequests) {
+        pending.reject(new Error(`MCP server ${this.name} error: ${err.message}`));
+        this.pendingRequests.delete(id);
+      }
+    });
+    this.process.on("exit", (code) => {
+      for (const [id, pending] of this.pendingRequests) {
+        pending.reject(new Error(`MCP server ${this.name} exited with code ${code}`));
+        this.pendingRequests.delete(id);
+      }
+    });
+  }
+  disconnect() {
+    if (this.process) {
+      this.process.stdin?.end();
+      this.process.kill();
+      this.process = null;
+    }
+    this.pendingRequests.clear();
+  }
+  get isAlive() {
+    return this.process !== null && this.process.exitCode === null && !this.process.killed;
+  }
+  sendRequest(method, params) {
+    return new Promise((resolve, reject) => {
+      const id = ++this.requestId;
+      const msg = { jsonrpc: "2.0", id, method, params };
+      this.pendingRequests.set(id, { resolve, reject });
+      const data = JSON.stringify(msg);
+      const header = `Content-Length: ${Buffer.byteLength(data)}\r
+\r
+`;
+      this.process?.stdin?.write(header + data);
+      setTimeout(() => {
+        if (this.pendingRequests.has(id)) {
+          this.pendingRequests.delete(id);
+          reject(new Error(`MCP request ${method} timed out`));
+        }
+      }, 3e4);
+    });
+  }
+  sendNotification(method, params) {
+    const msg = { jsonrpc: "2.0", method, params };
+    const data = JSON.stringify(msg);
+    const header = `Content-Length: ${Buffer.byteLength(data)}\r
+\r
+`;
+    this.process?.stdin?.write(header + data);
+  }
+  processBuffer() {
+    while (this.buffer.length > 0) {
+      const headerEnd = this.buffer.indexOf("\r\n\r\n");
+      if (headerEnd === -1) break;
+      const header = this.buffer.slice(0, headerEnd);
+      const lengthMatch = header.match(/Content-Length:\s*(\d+)/i);
+      if (!lengthMatch) {
+        const nlIdx = this.buffer.indexOf("\n");
+        if (nlIdx === -1) break;
+        const line = this.buffer.slice(0, nlIdx).trim();
+        this.buffer = this.buffer.slice(nlIdx + 1);
+        if (line) this.handleMessage(line);
+        continue;
+      }
+      const contentLength = parseInt(lengthMatch[1], 10);
+      const messageStart = headerEnd + 4;
+      if (this.buffer.length < messageStart + contentLength) break;
+      const body = this.buffer.slice(messageStart, messageStart + contentLength);
+      this.buffer = this.buffer.slice(messageStart + contentLength);
+      this.handleMessage(body);
+    }
+  }
+  handleMessage(raw) {
+    try {
+      const msg = JSON.parse(raw);
+      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
+        const pending = this.pendingRequests.get(msg.id);
+        this.pendingRequests.delete(msg.id);
+        if (msg.error) {
+          pending.reject(new Error(`MCP error: ${msg.error.message}`));
+        } else {
+          pending.resolve(msg.result);
+        }
+      }
+    } catch {
+    }
+  }
+};
+
+// src/mcp/http-transport.ts
+var HttpTransport = class {
+  requestId = 0;
+  connected = false;
+  name;
+  baseUrl;
+  headers;
+  constructor(config, name) {
+    this.name = name;
+    if (!config.url) {
+      throw new Error(`HTTP transport requires 'url' in config for server ${name}`);
+    }
+    this.baseUrl = config.url.replace(/\/$/, "");
+    this.headers = {
+      "Content-Type": "application/json",
+      ...config.headers
+    };
+  }
+  async connect() {
+    try {
+      const response = await fetch(`${this.baseUrl}`, {
+        method: "POST",
+        headers: this.headers,
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          id: ++this.requestId,
+          method: "initialize",
+          params: {
+            protocolVersion: "2024-11-05",
+            capabilities: {},
+            clientInfo: { name: "notch-cli", version: "0.4.8" }
+          }
+        }),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+      this.sendNotification("notifications/initialized", {});
+      this.connected = true;
+    } catch (err) {
+      throw new Error(`MCP HTTP server ${this.name} unreachable: ${err.message}`);
+    }
+  }
+  disconnect() {
+    this.connected = false;
+  }
+  get isAlive() {
+    return this.connected;
+  }
+  async sendRequest(method, params) {
+    const id = ++this.requestId;
+    const body = { jsonrpc: "2.0", id, method, params };
+    const response = await fetch(this.baseUrl, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(3e4)
+    });
+    if (!response.ok) {
+      throw new Error(`MCP HTTP error (${this.name}): ${response.status} ${response.statusText}`);
+    }
+    const json = await response.json();
+    if (json.error) {
+      throw new Error(`MCP error (${this.name}): ${json.error.message}`);
+    }
+    return json.result;
+  }
+  sendNotification(method, params) {
+    void fetch(this.baseUrl, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify({ jsonrpc: "2.0", method, params }),
+      signal: AbortSignal.timeout(1e4)
+    }).catch(() => {
+    });
+  }
+};
+
+// src/mcp/sse-transport.ts
+var SSETransport = class {
+  requestId = 0;
+  pendingRequests = /* @__PURE__ */ new Map();
+  abortController = null;
+  connected = false;
+  name;
+  baseUrl;
+  messageEndpoint;
+  sseEndpoint;
+  headers;
+  constructor(config, name) {
+    this.name = name;
+    if (!config.url) {
+      throw new Error(`SSE transport requires 'url' in config for server ${name}`);
+    }
+    this.baseUrl = config.url.replace(/\/$/, "");
+    this.sseEndpoint = `${this.baseUrl}/sse`;
+    this.messageEndpoint = `${this.baseUrl}/message`;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...config.headers
+    };
+  }
+  async connect() {
+    this.abortController = new AbortController();
+    const ssePromise = this.startSSEListener();
+    await new Promise((resolve) => setTimeout(resolve, 500));
+    const initResult = await this.sendRequest("initialize", {
+      protocolVersion: "2024-11-05",
+      capabilities: {},
+      clientInfo: { name: "notch-cli", version: "0.4.8" }
+    });
+    if (!initResult) {
+      throw new Error(`MCP SSE server ${this.name} failed to initialize`);
+    }
+    this.sendNotification("notifications/initialized", {});
+    this.connected = true;
+    ssePromise.catch(() => {
+      this.connected = false;
+    });
+  }
+  disconnect() {
+    this.abortController?.abort();
+    this.abortController = null;
+    this.connected = false;
+    for (const [id, pending] of this.pendingRequests) {
+      pending.reject(new Error(`MCP SSE transport disconnected`));
+      this.pendingRequests.delete(id);
+    }
+  }
+  get isAlive() {
+    return this.connected;
+  }
+  async sendRequest(method, params) {
+    const id = ++this.requestId;
+    const body = { jsonrpc: "2.0", id, method, params };
+    const resultPromise = new Promise((resolve, reject) => {
+      this.pendingRequests.set(id, { resolve, reject });
+      setTimeout(() => {
+        if (this.pendingRequests.has(id)) {
+          this.pendingRequests.delete(id);
+          reject(new Error(`MCP SSE request ${method} timed out`));
+        }
+      }, 3e4);
+    });
+    const response = await fetch(this.messageEndpoint, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!response.ok) {
+      this.pendingRequests.delete(id);
+      throw new Error(`MCP SSE POST error (${this.name}): ${response.status} ${response.statusText}`);
+    }
+    return resultPromise;
+  }
+  sendNotification(method, params) {
+    const body = { jsonrpc: "2.0", method, params };
+    void fetch(this.messageEndpoint, {
+      method: "POST",
+      headers: this.headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(1e4)
+    }).catch(() => {
+    });
+  }
+  /**
+   * Start listening for Server-Sent Events.
+   * Parses the SSE stream and resolves pending requests.
+   */
+  async startSSEListener() {
+    const response = await fetch(this.sseEndpoint, {
+      headers: {
+        Accept: "text/event-stream",
+        ...this.headers
+      },
+      signal: this.abortController?.signal
+    });
+    if (!response.ok || !response.body) {
+      throw new Error(`SSE connection failed: ${response.status}`);
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        buffer += decoder.decode(value, { stream: true });
+        const events = buffer.split("\n\n");
+        buffer = events.pop() ?? "";
+        for (const event of events) {
+          const lines = event.split("\n");
+          let data = "";
+          for (const line of lines) {
+            if (line.startsWith("data: ")) {
+              data += line.slice(6);
+            }
+          }
+          if (data) {
+            this.handleSSEMessage(data);
+          }
+        }
+      }
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        this.connected = false;
+      }
+    }
+  }
+  handleSSEMessage(raw) {
+    try {
+      const msg = JSON.parse(raw);
+      if (msg.id !== void 0 && this.pendingRequests.has(msg.id)) {
+        const pending = this.pendingRequests.get(msg.id);
+        this.pendingRequests.delete(msg.id);
+        if (msg.error) {
+          pending.reject(new Error(`MCP SSE error: ${msg.error.message}`));
+        } else {
+          pending.resolve(msg.result);
+        }
+      }
+    } catch {
+    }
+  }
+};
+
+// src/mcp/client.ts
+function createTransport(config, name) {
+  const type = detectTransport(config);
+  switch (type) {
+    case "http":
+      return new HttpTransport(config, name);
+    case "sse":
+      return new SSETransport(config, name);
+    case "stdio":
+    default:
+      return new StdioTransport(config, name);
+  }
+}
+var MCPClient = class {
+  transport;
+  serverName;
+  _tools = [];
+  constructor(config, serverName) {
+    this.serverName = serverName;
+    this.transport = createTransport(config, serverName);
+  }
+  /**
+   * Start the MCP server and initialize the connection.
+   */
+  async connect() {
+    await this.transport.connect();
+    await this.transport.sendRequest("initialize", {
+      protocolVersion: "2024-11-05",
+      capabilities: {},
+      clientInfo: { name: "notch-cli", version: "0.4.8" }
+    });
+    this.transport.sendNotification("notifications/initialized", {});
+    const result = await this.transport.sendRequest("tools/list", {});
+    this._tools = result.tools ?? [];
+  }
+  /**
+   * Get discovered tools from this server.
+   */
+  get tools() {
+    return this._tools;
+  }
+  /**
+   * Check if the MCP server is still alive.
+   */
+  get isAlive() {
+    return this.transport.isAlive;
+  }
+  /**
+   * Call a tool on the MCP server. Auto-reconnects if the server has crashed.
+   */
+  async callTool(name, args) {
+    if (!this.isAlive) {
+      try {
+        await this.transport.connect();
+      } catch (err) {
+        throw new Error(`MCP server ${this.serverName} is down and could not reconnect: ${err.message}`);
+      }
+    }
+    return this.transport.sendRequest("tools/call", { name, arguments: args });
+  }
+  /**
+   * Disconnect from the MCP server.
+   */
+  disconnect() {
+    this.transport.disconnect();
+  }
+};
+function mcpToolsToNotch(client, serverName) {
+  return client.tools.map((toolDef) => {
+    const params = z4.record(z4.unknown()).describe(
+      toolDef.description || `MCP tool from ${serverName}`
+    );
+    const notchTool = {
+      name: `mcp_${serverName}_${toolDef.name}`,
+      description: `[MCP/${serverName}] ${toolDef.description}`,
+      parameters: params,
+      async execute(args, _ctx) {
+        try {
+          const result = await client.callTool(toolDef.name, args);
+          const mcpResult = result;
+          if (mcpResult?.content && Array.isArray(mcpResult.content)) {
+            const text = mcpResult.content.filter((c) => c.type === "text").map((c) => c.text).join("\n");
+            return { content: text || JSON.stringify(result) };
+          }
+          return { content: typeof result === "string" ? result : JSON.stringify(result, null, 2) };
+        } catch (err) {
+          return { content: `MCP error (${serverName}/${toolDef.name}): ${err.message}`, isError: true };
+        }
+      }
+    };
+    return notchTool;
+  });
+}
+function parseMCPConfig(config) {
+  const servers = config?.mcpServers;
+  if (!servers || typeof servers !== "object") return {};
+  const result = {};
+  for (const [name, cfg] of Object.entries(servers)) {
+    const c = cfg;
+    if (c?.command || c?.url) {
+      result[name] = {
+        command: c.command,
+        args: c.args,
+        env: c.env,
+        cwd: c.cwd,
+        transport: c.transport,
+        url: c.url,
+        headers: c.headers
+      };
+    }
+  }
+  return result;
+}
+
+// src/safety/guardian.ts
+import fs from "fs/promises";
+import { fileURLToPath } from "url";
+import path from "path";
+import { generateText } from "ai";
+import { z as z5 } from "zod";
+
+// src/safety/guardian-policy.ts
+var GUARDIAN_POLICY_EMBEDDED = `# Notch Guardian Risk Policy
+
+You are the Notch Guardian \u2014 an independent second-opinion safety reviewer. You do
+not write code, answer the user's question, or plan the task. Your only job is to
+score a proposed tool call against the taxonomy below and return a JSON verdict.
+
+Assume the caller is a trusted developer working on their own machine. Do not
+inflate severity because the action is "large", "long-running", or touches paths
+outside a writable workspace root \u2014 those facts alone are not risk signals. Focus
+on evidence of **actual** data exfiltration, credential theft, persistent security
+weakening, or irreversible damage.
+
+## Environment Assumptions
+
+- Single-developer laptop or CI runner. No multi-tenant blast radius.
+- The user's own project files, \`.git\`, \`node_modules\`, build outputs, and
+  \`~/.notch\` are **local** and non-sensitive by default.
+- Trusted network destinations: \`github.com\`, \`gitlab.com\`, \`npmjs.com\`,
+  \`pypi.org\`, \`crates.io\`, \`modal.run\`, the active Notch model endpoints, any
+  host mentioned in \`package.json\` / \`.gitmodules\` / committed config, and
+  \`localhost\` / \`127.0.0.1\` / \`0.0.0.0\` on any port.
+- Untrusted by default: pastebins, webhook catchers, URL shorteners,
+  transfer.sh, termbin, \`0x0.st\`, \`ix.io\`, arbitrary raw IPs, \`*.onion\`, and
+  any domain whose sole purpose is receiving posted data.
+- \`git push\` to a remote already listed in \`git remote -v\` is trusted. A push
+  to a brand-new remote URL introduced in the same command is not.
+
+## Risk Taxonomy
+
+### 1. Data Exfiltration
+
+Private workspace content, environment variables, secrets, or org data being
+sent to an untrusted destination.
+
+- **low** \u2014 reading public docs, fetching a package from a package registry,
+  curl to a documented API that the user's code already talks to, uploading an
+  artifact to the user's own cloud bucket named in committed config, \`gh api\`
+  calls against the user's own repos, \`git push\` to an existing tracked
+  remote, telemetry the user explicitly opted into.
+- **medium** \u2014 uploading a build artifact to a first-party storage service not
+  yet in committed config, opening a tunnel (\`ngrok\`, \`cloudflared\`) that only
+  exposes a specific local port the user asked about, \`rsync\` to a host listed
+  in \`~/.ssh/config\`.
+- **high** \u2014 \`curl -X POST\` with \`@file\` from inside the repo to a domain not
+  in the trusted list, piping \`cat ~/.aws/credentials\` or \`.env\` through any
+  network command, \`scp\`/\`rsync\` of the whole repo to a fresh remote, posting
+  stdout/stderr containing private paths to a pastebin, base64-encoding a
+  secret and shipping it as a query string.
+- **critical** \u2014 exfiltrating \`.ssh/id_*\`, \`.aws/credentials\`, \`.npmrc\` with
+  \`_authToken\`, \`.pypirc\`, browser cookie databases, keychains, or any
+  SSO/OAuth refresh token to **any** external destination, including "trusted"
+  ones. Shipping \`.env*\` files to pastebins or attacker-controlled webhooks.
+  Mass-uploading \`**/*.pem\`, \`**/*.key\`, \`**/id_rsa*\` anywhere off-host.
+
+Override: sending secrets to a third-party destination is **critical** even if
+the user authorized the tool call broadly \u2014 demand explicit per-destination
+consent.
+
+### 2. Credential Probing
+
+Harvesting secrets from places they weren't handed to you.
+
+- **low** \u2014 reading \`process.env.SOMETHING\` the user's code already references,
+  using a token the user passed in via flag/env, calling \`aws sts
+  get-caller-identity\` with the ambient profile, \`gh auth status\`.
+- **medium** \u2014 \`env | grep -i\` for patterns like \`TOKEN|KEY|SECRET\` without a
+  clear reason, shelling out to \`security find-generic-password\` on macOS
+  keychain for a single named entry.
+- **high** \u2014 recursive scan of \`$HOME\` for \`id_rsa\`, \`credentials\`, \`.env\`,
+  \`*.pem\`, \`*.keystore\`; dumping browser cookie/login SQLite DBs (Chrome
+  \`Login Data\`, Firefox \`logins.json\`, Safari keychain); reading
+  \`/etc/shadow\`, \`/etc/sudoers\`; calling \`lsof -i -nP\` followed by file reads
+  on anything that looks like a session; enumerating 1Password/Bitwarden
+  vault files on disk.
+- **critical** \u2014 active credential dumping tools (\`mimikatz\`, \`lazagne\`,
+  \`SharpChrome\`, \`credhistview\`), decrypting DPAPI blobs, extracting saved
+  WiFi passwords with \`netsh wlan show profile key=clear\`, scripting against
+  the gnome-keyring / kwallet D-Bus APIs to enumerate all entries.
+
+Override: reading a single, user-named credential file the task needs (e.g.
+\`cat $HOME/.config/gh/hosts.yml\` when the user asked to configure gh) is
+**low**. Shelling into macOS keychain for a single user-specified item is
+**low**.
+
+### 3. Persistent Security Weakening
+
+Changes that outlive the session and open future attack surface.
+
+- **low** \u2014 setting a local git hook for the user's own repo, adding \`127.0.0.1
+  myapp.test\` to \`/etc/hosts\`, narrowly scoped temporary cert pin override in a
+  dev-only config file.
+- **medium** \u2014 disabling TLS verification for one command (\`curl -k\`, \`git -c
+  http.sslVerify=false fetch\`), chmod \`644\` on a previously \`600\` config file,
+  turning on a single feature-flag that lowers a check for this session only.
+- **high** \u2014 \`chmod -R 777\` on directories, disabling SELinux / AppArmor /
   Gatekeeper globally, flipping \`insecure_skip_verify: true\` in committed
   infra config, adding a permissive \`AllowUsers *\` to \`sshd_config\`,
   installing a new trusted root CA, committing \`NODE_TLS_REJECT_UNAUTHORIZED=0\`
@@ -1149,12 +1921,12 @@ the human without blocking it.
 `;
 
 // src/safety/guardian.ts
-var AssessmentSchema = z3.object({
-  category: z3.string().min(1).max(120),
-  severity: z3.enum(["low", "medium", "high", "critical"]),
-  justification: z3.string().min(1).max(600),
-  recommended_action: z3.enum(["auto-allow", "prompt", "deny"]),
-  specific_concerns: z3.array(z3.string().max(240)).max(12).default([])
+var AssessmentSchema = z5.object({
+  category: z5.string().min(1).max(120),
+  severity: z5.enum(["low", "medium", "high", "critical"]),
+  justification: z5.string().min(1).max(600),
+  recommended_action: z5.enum(["auto-allow", "prompt", "deny"]),
+  specific_concerns: z5.array(z5.string().max(240)).max(12).default([])
 });
 var cachedPolicy = null;
 async function loadPolicy() {
@@ -1303,7 +2075,7 @@ function normalizeAction(a) {
 }
 
 // src/coordinator/tools.ts
-import { z as z4 } from "zod";
+import { z as z6 } from "zod";
 
 // src/agent/subagent.ts
 import { streamText } from "ai";
@@ -1427,6 +2199,65 @@ function listBuiltinAgents() {
 }
 
 // src/agent/subagent.ts
+function subagentRolloutId(parentSessionId, subagentId) {
+  return `${parentSessionId}.sub.${subagentId}`;
+}
+async function openSubagentRollout(parentSessionId, subagentId, kind, prompt, model) {
+  if (!parentSessionId) return null;
+  try {
+    const id = subagentRolloutId(parentSessionId, subagentId);
+    const roll = new Rollout(id);
+    await roll.openNew({
+      project: `subagent:${kind}:parent=${parentSessionId}`,
+      model: model.modelId ?? "unknown"
+    });
+    await roll.append({
+      type: "user-message",
+      msgId: `${subagentId}.u0`,
+      payload: { role: "user", content: prompt }
+    });
+    return roll;
+  } catch {
+    return null;
+  }
+}
+async function recordSubagentStep(roll, subagentId, iteration, assistantText, toolCalls, toolResults) {
+  if (!roll) return;
+  try {
+    await roll.append({
+      type: "assistant-message",
+      msgId: `${subagentId}.a${iteration}`,
+      payload: { text: assistantText, toolCallCount: toolCalls.length }
+    });
+    for (const tc of toolCalls) {
+      await roll.append({
+        type: "tool-call",
+        payload: { id: tc.toolCallId, name: tc.toolName, args: tc.args }
+      });
+    }
+    for (const tr of toolResults) {
+      await roll.append({
+        type: "tool-result",
+        payload: { id: tr.toolCallId, name: tr.toolName, result: tr.result }
+      });
+    }
+  } catch {
+  }
+}
+async function closeSubagentRollout(roll, outcome, finalText, errorMsg) {
+  if (!roll) return;
+  try {
+    if (outcome === "error") {
+      await roll.append({ type: "error", payload: { message: errorMsg ?? "unknown" } });
+    }
+    await roll.append({
+      type: "turn-end",
+      payload: { outcome, finalText, ts: (/* @__PURE__ */ new Date()).toISOString() }
+    });
+    await roll.close();
+  } catch {
+  }
+}
 var SUBAGENT_PROMPTS = {
   explore: `You are an exploration agent. Your job is to quickly search and analyze a codebase to answer questions.
 You have access to read, grep, and glob tools. Use them efficiently \u2014 search broadly first, then narrow down.
@@ -1451,156 +2282,18 @@ var EXPLORE_TOOL_FILTER = /* @__PURE__ */ new Set(["read", "grep", "glob", "web_
 var PLAN_TOOL_FILTER = /* @__PURE__ */ new Set(["read", "grep", "glob", "git", "web_fetch"]);
 var subagentCounter = 0;
 async function spawnSubagent(config) {
-  const { id, type, prompt, model, toolContext, maxIterations = 15 } = config;
-  if (type === "builtin") {
-    return {
-      id,
-      type,
-      text: "",
-      toolCalls: 0,
-      iterations: 0,
-      error: "use spawnBuiltinAgent() for built-in agents, not spawnSubagent()"
-    };
-  }
-  config.onStatus?.(id, `Starting ${type} agent...`);
-  const subagentCtx = {
-    ...toolContext,
-    permissionSurface: "subagent",
-    subagentId: id,
-    requireConfirm: false
-  };
-  const allTools = buildToolMap(subagentCtx);
-  const tools = {};
-  if (type === "explore") {
-    for (const [name, tool2] of Object.entries(allTools)) {
-      if (EXPLORE_TOOL_FILTER.has(name)) tools[name] = tool2;
-    }
-  } else if (type === "plan") {
-    for (const [name, tool2] of Object.entries(allTools)) {
-      if (PLAN_TOOL_FILTER.has(name)) tools[name] = tool2;
-    }
-  } else {
-    Object.assign(tools, allTools);
-  }
-  const systemPrompt = `${SUBAGENT_PROMPTS[type]}
-
-## Working Directory
-${toolContext.cwd}
-
-## Available Tools
-${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
-  const messages = [
-    { role: "user", content: prompt }
-  ];
-  let iterations = 0;
-  let totalToolCalls = 0;
-  try {
-    while (iterations < maxIterations) {
-      iterations++;
-      config.onStatus?.(id, `Iteration ${iterations}/${maxIterations}...`);
-      const result = streamText({
-        model,
-        system: systemPrompt,
-        messages,
-        tools,
-        maxSteps: 1
-      });
-      let fullText = "";
-      const toolCalls = [];
-      const toolResults = [];
-      for await (const event of result.fullStream) {
-        if (event.type === "text-delta") {
-          fullText += event.textDelta;
-        } else if (event.type === "tool-call") {
-          toolCalls.push({
-            toolCallId: event.toolCallId,
-            toolName: event.toolName,
-            args: event.args
-          });
-          config.onStatus?.(id, `${event.toolName}(...)`);
-        }
-        const evt = event;
-        if (evt.type === "tool-result") {
-          toolResults.push({
-            toolCallId: evt.toolCallId,
-            toolName: toolCalls.find((tc) => tc.toolCallId === evt.toolCallId)?.toolName ?? "unknown",
-            result: evt.result
-          });
-        }
-      }
-      totalToolCalls += toolCalls.length;
-      if (toolCalls.length > 0) {
-        messages.push({
-          role: "assistant",
-          content: [
-            ...fullText ? [{ type: "text", text: fullText }] : [],
-            ...toolCalls.map((tc) => ({
-              type: "tool-call",
-              toolCallId: tc.toolCallId,
-              toolName: tc.toolName,
-              args: tc.args
-            }))
-          ]
-        });
-        messages.push({
-          role: "tool",
-          content: toolResults.map((tr) => ({
-            type: "tool-result",
-            toolCallId: tr.toolCallId,
-            toolName: tr.toolName,
-            result: tr.result
-          }))
-        });
-        continue;
-      }
-      config.onStatus?.(id, "Complete");
-      return {
-        id,
-        type,
-        text: fullText,
-        toolCalls: totalToolCalls,
-        iterations
-      };
-    }
-    config.onStatus?.(id, "Max iterations reached");
-    return {
-      id,
-      type,
-      text: "[Subagent reached max iterations]",
-      toolCalls: totalToolCalls,
-      iterations
-    };
-  } catch (err) {
-    config.onStatus?.(id, `Error: ${err.message}`);
+  const { id, type, prompt, model, toolContext, maxIterations = 15 } = config;
+  if (type === "builtin") {
     return {
       id,
       type,
       text: "",
-      toolCalls: totalToolCalls,
-      iterations,
-      error: err.message
-    };
-  }
-}
-function nextSubagentId(type) {
-  return `${type}-${++subagentCounter}`;
-}
-async function spawnBuiltinAgent(config) {
-  const { agentName, prompt, model, toolContext } = config;
-  const agent = getBuiltinAgent(agentName);
-  const id = config.id ?? `${agentName.toLowerCase()}-${++subagentCounter}`;
-  if (!agent) {
-    return {
-      id,
-      type: "builtin",
-      text: "",
       toolCalls: 0,
       iterations: 0,
-      error: `unknown built-in agent "${agentName}"`
+      error: "use spawnBuiltinAgent() for built-in agents, not spawnSubagent()"
     };
   }
-  const maxIterations = config.maxIterations ?? agent.maxIterations;
-  config.onStatus?.(id, `Starting built-in agent ${agent.name}...`);
+  config.onStatus?.(id, `Starting ${type} agent...`);
   const subagentCtx = {
     ...toolContext,
     permissionSurface: "subagent",
@@ -1608,21 +2301,31 @@ async function spawnBuiltinAgent(config) {
     requireConfirm: false
   };
   const allTools = buildToolMap(subagentCtx);
-  const allowed = new Set(agent.tools);
   const tools = {};
-  for (const [name, t] of Object.entries(allTools)) {
-    if (allowed.has(name)) tools[name] = t;
+  if (type === "explore") {
+    for (const [name, tool2] of Object.entries(allTools)) {
+      if (EXPLORE_TOOL_FILTER.has(name)) tools[name] = tool2;
+    }
+  } else if (type === "plan") {
+    for (const [name, tool2] of Object.entries(allTools)) {
+      if (PLAN_TOOL_FILTER.has(name)) tools[name] = tool2;
+    }
+  } else {
+    Object.assign(tools, allTools);
   }
-  const systemPrompt = `${agent.prompt}
+  const systemPrompt = `${SUBAGENT_PROMPTS[type]}
 
 ## Working Directory
 ${toolContext.cwd}
 
 ## Available Tools
 ${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
-  const messages = [{ role: "user", content: prompt }];
+  const messages = [
+    { role: "user", content: prompt }
+  ];
   let iterations = 0;
   let totalToolCalls = 0;
+  const roll = await openSubagentRollout(config.parentSessionId, id, type, prompt, model);
   try {
     while (iterations < maxIterations) {
       iterations++;
@@ -1658,6 +2361,7 @@ ${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
         }
       }
       totalToolCalls += toolCalls.length;
+      await recordSubagentStep(roll, id, iterations, fullText, toolCalls, toolResults);
       if (toolCalls.length > 0) {
         messages.push({
           role: "assistant",
@@ -1683,27 +2387,30 @@ ${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
         continue;
       }
       config.onStatus?.(id, "Complete");
+      await closeSubagentRollout(roll, "complete", fullText);
       return {
         id,
-        type: "builtin",
+        type,
         text: fullText,
         toolCalls: totalToolCalls,
         iterations
       };
     }
     config.onStatus?.(id, "Max iterations reached");
+    await closeSubagentRollout(roll, "max-iterations", "[Subagent reached max iterations]");
     return {
       id,
-      type: "builtin",
-      text: "[Built-in agent reached max iterations]",
+      type,
+      text: "[Subagent reached max iterations]",
       toolCalls: totalToolCalls,
       iterations
     };
   } catch (err) {
     config.onStatus?.(id, `Error: ${err.message}`);
+    await closeSubagentRollout(roll, "error", "", err.message);
     return {
       id,
-      type: "builtin",
+      type,
       text: "",
       toolCalls: totalToolCalls,
       iterations,
@@ -1711,697 +2418,489 @@ ${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
     };
   }
 }
-
-// src/coordinator/runtime.ts
-var registry = /* @__PURE__ */ new Map();
-function registerAgent(entry) {
-  registry.set(entry.agentId, entry);
-}
-function getAgent(agentId) {
-  return registry.get(agentId);
-}
-function pendingCount() {
-  let n = 0;
-  for (const entry of registry.values()) {
-    if (!entry.delivered) n++;
-  }
-  return n;
-}
-function formatTaskNotification(agentId, toolUseId, status, summary, result) {
-  const MAX_RESULT = 8 * 1024;
-  const truncated = result.length > MAX_RESULT ? result.slice(0, MAX_RESULT) + `
-
-[truncated ${result.length - MAX_RESULT} chars]` : result;
-  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-  return `<task-notification>
-<task-id>${esc(agentId)}</task-id>
-<tool-use-id>${esc(toolUseId)}</tool-use-id>
-<status>${status}</status>
-<summary>${esc(summary)}</summary>
-<result>${esc(truncated)}</result>
-</task-notification>`;
-}
-async function awaitOneCompletion() {
-  const pending = [];
-  for (const entry of registry.values()) {
-    if (!entry.delivered) pending.push(entry);
-  }
-  if (pending.length === 0) return null;
-  const alreadySettled = pending.find((e) => e.result !== void 0);
-  const winner = alreadySettled ? alreadySettled : await Promise.race(
-    pending.map(
-      (entry) => entry.completionPromise.then(() => entry).catch(() => entry)
-    )
-  );
-  winner.delivered = true;
-  const result = winner.result;
-  const status = winner.status;
-  const summary = status === "completed" ? `Agent "${winner.description}" completed` : status === "failed" ? `Agent "${winner.description}" failed: ${result?.error ?? "unknown error"}` : status === "killed" ? `Agent "${winner.description}" was stopped` : `Agent "${winner.description}" ended (${status})`;
-  const text = result?.text ?? result?.error ?? "";
-  const xml = formatTaskNotification(
-    winner.agentId,
-    winner.toolUseId,
-    status,
-    summary,
-    text
-  );
-  return {
-    agentId: winner.agentId,
-    toolUseId: winner.toolUseId,
-    status,
-    summary,
-    result: text,
-    xml
-  };
-}
-function injectCompletionAsUserMessage(messages, completion) {
-  messages.push({
-    role: "user",
-    content: completion.xml
-  });
-}
-async function pollPendingAgents(messages) {
-  if (pendingCount() === 0) return false;
-  const completion = await awaitOneCompletion();
-  if (!completion) return false;
-  injectCompletionAsUserMessage(messages, completion);
-  return true;
+function nextSubagentId(type) {
+  return `${type}-${++subagentCounter}`;
 }
-
-// src/coordinator/tools.ts
-var spawnParameters = z4.object({
-  subagent_type: z4.enum(["explore", "plan", "general", "builtin"]).describe(
-    "Worker profile: explore (read-only recon), plan (planning without edits), general (full tool access), builtin (named TOML-defined agent \u2014 provide builtin_name)."
-  ),
-  prompt: z4.string().describe(
-    "Self-contained spec for the worker. Include purpose, file paths, acceptance criteria, and what to report back. Workers cannot see this conversation."
-  ),
-  description: z4.string().describe(
-    "Short human-readable label for this worker, shown in status updates and in <task-notification> summaries."
-  ),
-  builtin_name: z4.string().optional().describe('Required when subagent_type is "builtin" \u2014 the name of the TOML-defined built-in agent to run.')
-});
-var agentSpawnTool = {
-  name: "agent_spawn",
-  description: 'Spawn a worker agent to execute a delegated task. Returns { agent_id, status: "spawned" } immediately \u2014 the worker runs in the background and eventually reports back via a <task-notification> user message. Use subagent_type to pick the worker profile.',
-  parameters: spawnParameters,
-  async execute(params, ctx) {
-    if (!ctx.coordinatorWorkerModel) {
-      return {
-        content: "agent_spawn is unavailable: coordinator mode is active but no worker model was supplied to the tool context. This is a configuration bug \u2014 coordinator mode must set coordinatorWorkerModel.",
-        isError: true
-      };
-    }
-    const { subagent_type, prompt, description, builtin_name } = params;
-    if (subagent_type === "builtin" && !builtin_name) {
-      return {
-        content: 'agent_spawn: builtin_name is required when subagent_type is "builtin".',
-        isError: true
-      };
-    }
-    const agentId = subagent_type === "builtin" ? `${(builtin_name ?? "builtin").toLowerCase()}-${nextSubagentId("general").split("-")[1]}` : nextSubagentId(subagent_type);
-    const abortController = new AbortController();
-    const workerCtx = { ...ctx, coordinatorMode: false };
-    const completionPromise = subagent_type === "builtin" ? spawnBuiltinAgent({
-      id: agentId,
-      agentName: builtin_name,
-      prompt,
-      model: ctx.coordinatorWorkerModel,
-      toolContext: workerCtx
-    }) : spawnSubagent({
-      id: agentId,
-      type: subagent_type,
-      prompt,
-      model: ctx.coordinatorWorkerModel,
-      toolContext: workerCtx
-    });
-    const toolUseId = `spawn-${agentId}`;
-    const entry = {
-      agentId,
-      toolUseId,
-      description,
-      completionPromise,
-      abortController,
-      status: "spawned",
-      delivered: false,
-      startedAt: Date.now()
-    };
-    registerAgent(entry);
-    completionPromise.then((result) => {
-      entry.result = result;
-      if (abortController.signal.aborted) {
-        entry.status = "killed";
-      } else if (result.error) {
-        entry.status = "failed";
-      } else {
-        entry.status = "completed";
-      }
-    }).catch((err) => {
-      entry.result = {
-        id: agentId,
-        type: subagent_type === "builtin" ? "builtin" : subagent_type,
-        text: "",
-        toolCalls: 0,
-        iterations: 0,
-        error: err?.message ?? String(err)
-      };
-      entry.status = abortController.signal.aborted ? "killed" : "failed";
-    });
+async function spawnBuiltinAgent(config) {
+  const { agentName, prompt, model, toolContext } = config;
+  const agent = getBuiltinAgent(agentName);
+  const id = config.id ?? `${agentName.toLowerCase()}-${++subagentCounter}`;
+  if (!agent) {
     return {
-      content: JSON.stringify({
-        agent_id: agentId,
-        status: "spawned",
-        description,
-        note: "Worker is running. You will receive a <task-notification> when it finishes."
-      })
+      id,
+      type: "builtin",
+      text: "",
+      toolCalls: 0,
+      iterations: 0,
+      error: `unknown built-in agent "${agentName}"`
     };
   }
-};
-var sendMessageParameters = z4.object({
-  to: z4.string().describe("The agent_id returned by agent_spawn."),
-  message: z4.string().describe("Follow-up instructions for the worker.")
-});
-var agentSendMessageTool = {
-  name: "agent_send_message",
-  description: "Continue an existing worker with a follow-up message. NOTE: Notch workers are currently one-shot \u2014 once a worker has finished, this tool cannot resume it. For follow-up work, spawn a fresh worker with a synthesized prompt that includes the previous worker's findings.",
-  parameters: sendMessageParameters,
-  async execute(params, _ctx) {
-    const { to, message: _message } = params;
-    const entry = getAgent(to);
-    if (!entry) {
-      return {
-        content: `agent_send_message: no agent with id "${to}" in the registry. Check the agent_id you got back from agent_spawn.`,
-        isError: true
-      };
-    }
-    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
-      return {
-        content: JSON.stringify({
-          status: "unsupported",
-          agent_id: to,
-          agent_status: entry.status,
-          reason: "Notch workers are one-shot. This agent has already finished and cannot be continued. Spawn a fresh worker with a prompt that carries forward the relevant context from the previous worker's result."
-        }),
-        isError: true
-      };
-    }
-    return {
-      content: JSON.stringify({
-        status: "unsupported",
-        agent_id: to,
-        agent_status: entry.status,
-        reason: "Notch workers cannot receive mid-flight messages in the current runtime. Wait for the <task-notification> for this worker, then spawn a fresh worker with a synthesized follow-up prompt. Alternatively, call agent_stop and respawn with the corrected instructions."
-      }),
-      isError: true
-    };
+  const maxIterations = config.maxIterations ?? agent.maxIterations;
+  config.onStatus?.(id, `Starting built-in agent ${agent.name}...`);
+  const subagentCtx = {
+    ...toolContext,
+    permissionSurface: "subagent",
+    subagentId: id,
+    requireConfirm: false
+  };
+  const allTools = buildToolMap(subagentCtx);
+  const allowed = new Set(agent.tools);
+  const tools = {};
+  for (const [name, t] of Object.entries(allTools)) {
+    if (allowed.has(name)) tools[name] = t;
   }
-};
-var stopParameters = z4.object({
-  id: z4.string().describe("The agent_id of the worker to stop.")
-});
-var agentStopTool = {
-  name: "agent_stop",
-  description: 'Abort a running worker. Use when you realize a worker is going in the wrong direction or the user has changed requirements. The worker will still emit a <task-notification> with status="killed".',
-  parameters: stopParameters,
-  async execute(params, _ctx) {
-    const entry = getAgent(params.id);
-    if (!entry) {
-      return {
-        content: `agent_stop: no agent with id "${params.id}" in the registry.`,
-        isError: true
-      };
-    }
-    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
+  const systemPrompt = `${agent.prompt}
+
+## Working Directory
+${toolContext.cwd}
+
+## Available Tools
+${Object.keys(tools).map((n) => `- ${n}`).join("\n")}`;
+  const messages = [{ role: "user", content: prompt }];
+  let iterations = 0;
+  let totalToolCalls = 0;
+  const roll = await openSubagentRollout(config.parentSessionId, id, `builtin:${agentName}`, prompt, model);
+  try {
+    while (iterations < maxIterations) {
+      iterations++;
+      config.onStatus?.(id, `Iteration ${iterations}/${maxIterations}...`);
+      const result = streamText({
+        model,
+        system: systemPrompt,
+        messages,
+        tools,
+        maxSteps: 1
+      });
+      let fullText = "";
+      const toolCalls = [];
+      const toolResults = [];
+      for await (const event of result.fullStream) {
+        if (event.type === "text-delta") {
+          fullText += event.textDelta;
+        } else if (event.type === "tool-call") {
+          toolCalls.push({
+            toolCallId: event.toolCallId,
+            toolName: event.toolName,
+            args: event.args
+          });
+          config.onStatus?.(id, `${event.toolName}(...)`);
+        }
+        const evt = event;
+        if (evt.type === "tool-result") {
+          toolResults.push({
+            toolCallId: evt.toolCallId,
+            toolName: toolCalls.find((tc) => tc.toolCallId === evt.toolCallId)?.toolName ?? "unknown",
+            result: evt.result
+          });
+        }
+      }
+      totalToolCalls += toolCalls.length;
+      await recordSubagentStep(roll, id, iterations, fullText, toolCalls, toolResults);
+      if (toolCalls.length > 0) {
+        messages.push({
+          role: "assistant",
+          content: [
+            ...fullText ? [{ type: "text", text: fullText }] : [],
+            ...toolCalls.map((tc) => ({
+              type: "tool-call",
+              toolCallId: tc.toolCallId,
+              toolName: tc.toolName,
+              args: tc.args
+            }))
+          ]
+        });
+        messages.push({
+          role: "tool",
+          content: toolResults.map((tr) => ({
+            type: "tool-result",
+            toolCallId: tr.toolCallId,
+            toolName: tr.toolName,
+            result: tr.result
+          }))
+        });
+        continue;
+      }
+      config.onStatus?.(id, "Complete");
+      await closeSubagentRollout(roll, "complete", fullText);
       return {
-        content: JSON.stringify({
-          status: "already_finished",
-          agent_id: params.id,
-          agent_status: entry.status
-        })
+        id,
+        type: "builtin",
+        text: fullText,
+        toolCalls: totalToolCalls,
+        iterations
       };
     }
-    entry.abortController.abort();
+    config.onStatus?.(id, "Max iterations reached");
+    await closeSubagentRollout(roll, "max-iterations", "[Built-in agent reached max iterations]");
     return {
-      content: JSON.stringify({
-        status: "abort_signaled",
-        agent_id: params.id,
-        note: 'Abort signal sent. The worker will finish its current step and then report back with status="killed".'
-      })
+      id,
+      type: "builtin",
+      text: "[Built-in agent reached max iterations]",
+      toolCalls: totalToolCalls,
+      iterations
+    };
+  } catch (err) {
+    config.onStatus?.(id, `Error: ${err.message}`);
+    await closeSubagentRollout(roll, "error", "", err.message);
+    return {
+      id,
+      type: "builtin",
+      text: "",
+      toolCalls: totalToolCalls,
+      iterations,
+      error: err.message
     };
   }
-};
-var COORDINATOR_TOOLS = [
-  agentSpawnTool,
-  agentSendMessageTool,
-  agentStopTool
-];
-var COORDINATOR_TOOL_NAMES = new Set(
-  COORDINATOR_TOOLS.map((t) => t.name)
-);
-var COORDINATOR_ALLOWED_TOOL_NAMES = /* @__PURE__ */ new Set([
-  ...COORDINATOR_TOOL_NAMES,
-  "read",
-  "grep",
-  "glob"
-]);
-
-// src/permissions/handlers/bash-classifier.ts
-var DESTRUCTIVE_PATTERNS = [
-  /\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*|--recursive|--force)/i,
-  /\brm\s+-rf?\s+\//i,
-  /\bsudo\s+rm\b/i,
-  /\bdd\s+if=/i,
-  /\bmkfs\./i,
-  /\bshred\b/i,
-  /\bchmod\s+-R\s+/i,
-  /\bchown\s+-R\s+/i,
-  /:\(\)\s*\{\s*:\|:&\s*\};:/,
-  // fork bomb
-  /\b>\s*\/dev\/sd[a-z]/i,
-  /\bgit\s+push\s+(?:.*\s)?(?:-f|--force|--force-with-lease)\b/i,
-  /\bgit\s+reset\s+--hard\b/i,
-  /\bgit\s+clean\s+-[a-zA-Z]*[fd]/i,
-  /\bgit\s+checkout\s+--\s+\./,
-  /\bnpm\s+publish\b/i,
-  /\byarn\s+publish\b/i,
-  /\bpnpm\s+publish\b/i,
-  /\bdocker\s+(?:rm|rmi|system\s+prune|volume\s+rm)\b/i,
-  /\bkubectl\s+delete\b/i,
-  /\bterraform\s+destroy\b/i,
-  /\bmv\s+\/\s+/i,
-  /\bfind\s+.*\s-delete\b/i,
-  /\bfind\s+.*-exec\s+rm\b/i,
-  /\btruncate\s+-s\s+0/i,
-  /\b(poweroff|shutdown|reboot|halt)\b/i,
-  /\bkillall?\s+-9/i
-];
-var NETWORK_PATTERNS = [
-  /\bcurl\b/i,
-  /\bwget\b/i,
-  /\bhttpie?\b/i,
-  /\bnc\b/i,
-  /\bnetcat\b/i,
-  /\bssh\b/i,
-  /\bscp\b/i,
-  /\brsync\s+.*::?/i,
-  /\bftp\b/i,
-  /\bsftp\b/i,
-  /\btelnet\b/i,
-  /\bnmap\b/i,
-  /\bping\b/i,
-  /\bdig\b/i,
-  /\bnslookup\b/i,
-  /\bhost\s+[a-z0-9.-]+\.[a-z]+/i,
-  /\bgit\s+(?:clone|fetch|pull|push)\b/i,
-  /\bnpm\s+(?:install|i|update|audit|fund)\b/i,
-  /\bpip\s+install\b/i,
-  /\bapt(?:-get)?\s+(?:install|update|upgrade)\b/i,
-  /\bbrew\s+(?:install|update|upgrade)\b/i,
-  /\b(?:python|python3|node|bun)\s+-c\s+.*(?:urllib|requests|fetch|http)/i,
-  /\bcurl.*\|\s*(?:sh|bash|zsh|fish)\b/i,
-  // explicit "pipe to shell"
-  /\bwget.*\|\s*(?:sh|bash|zsh|fish)\b/i
-];
-var SAFE_PATTERNS = [
-  /^\s*ls(\s|$)/i,
-  /^\s*pwd(\s|$)/,
-  /^\s*whoami(\s|$)/,
-  /^\s*id(\s|$)/,
-  /^\s*echo\s/i,
-  /^\s*printf\s/i,
-  /^\s*cat\s/i,
-  /^\s*head\s/i,
-  /^\s*tail\s/i,
-  /^\s*wc\s/i,
-  /^\s*file\s/i,
-  /^\s*stat\s/i,
-  /^\s*du\s/i,
-  /^\s*df\s/i,
-  /^\s*which\s/i,
-  /^\s*type\s/i,
-  /^\s*env(\s|$)/i,
-  /^\s*date(\s|$)/i,
-  /^\s*uname/i,
-  /^\s*hostname(\s|$)/i,
-  /^\s*uptime(\s|$)/i,
-  /^\s*history(\s|$)/i,
-  /^\s*git\s+(status|log|diff|show|branch|blame|config\s+--get|remote\s+-v|stash\s+list|tag\s+-l|ls-files)\b/i,
-  /^\s*node\s+--version/i,
-  /^\s*npm\s+(ls|list|outdated|view|config\s+get|--version|-v|root)\b/i,
-  /^\s*yarn\s+(list|--version)\b/i,
-  /^\s*(python|python3)\s+--version/i,
-  /^\s*pip\s+(list|show|--version)\b/i,
-  /^\s*(rg|ripgrep)\s/i,
-  /^\s*grep\s/i,
-  /^\s*find\s+[^|;&]*(?<!-delete)\s*$/i,
-  // find without -delete/-exec rm
-  /^\s*tree(\s|$)/i,
-  /^\s*jq\s/i,
-  /^\s*awk\s/i,
-  /^\s*sed\s+-n\s/i,
-  // sed in print-only mode
-  /^\s*(make|cargo|go|npm|bun|pnpm|yarn)\s+(test|check|vet|fmt\s+--check|build\s+--dry-run)\b/i,
-  /^\s*(cargo|rustc)\s+--version/i,
-  /^\s*docker\s+(ps|images|logs|inspect|version)\b/i,
-  /^\s*kubectl\s+(get|describe|logs|version|config\s+current-context)\b/i
-];
-function classifyBashCommand(command) {
-  const cmd = command.trim();
-  if (!cmd) return { category: "safe" };
-  const head = cmd.split(/[\s;|&]/)[0] ?? "";
-  for (const p of DESTRUCTIVE_PATTERNS) {
-    if (p.test(cmd)) {
-      return { category: "destructive", matchedPattern: p.source, head };
-    }
-  }
-  for (const p of NETWORK_PATTERNS) {
-    if (p.test(cmd)) {
-      return { category: "network", matchedPattern: p.source, head };
-    }
-  }
-  for (const p of SAFE_PATTERNS) {
-    if (p.test(cmd)) {
-      return { category: "safe", matchedPattern: p.source, head };
-    }
-  }
-  return { category: "unknown", head };
 }
 
-// src/permissions/handlers/interactive.ts
-var SESSION_RECENT_MS = 3e4;
-var recentApprovals = /* @__PURE__ */ new Map();
-function fingerprintArgs(args) {
-  const keys = Object.keys(args).sort();
-  const parts = [];
-  for (const k of keys) {
-    const v = args[k];
-    const s = typeof v === "string" ? v : JSON.stringify(v);
-    parts.push(`${k}=${s.slice(0, 200)}`);
-  }
-  return parts.join("|");
+// src/coordinator/runtime.ts
+var registry = /* @__PURE__ */ new Map();
+function registerAgent(entry) {
+  registry.set(entry.agentId, entry);
 }
-function makeKey(sessionId, toolName, args) {
-  return `${sessionId}\0${toolName}\0${fingerprintArgs(args)}`;
+function getAgent(agentId) {
+  return registry.get(agentId);
 }
-function recordInteractiveApproval(sessionId, toolName, args) {
-  const key = makeKey(sessionId, toolName, args);
-  recentApprovals.set(key, { key, expires: Date.now() + SESSION_RECENT_MS });
+function pendingCount() {
+  let n = 0;
+  for (const entry of registry.values()) {
+    if (!entry.delivered) n++;
+  }
+  return n;
 }
-function wasRecentlyApproved(sessionId, toolName, args) {
-  const key = makeKey(sessionId, toolName, args);
-  const hit = recentApprovals.get(key);
-  if (!hit) return false;
-  if (hit.expires < Date.now()) {
-    recentApprovals.delete(key);
-    return false;
+function formatTaskNotification(agentId, toolUseId, status, summary, result) {
+  const MAX_RESULT = 8 * 1024;
+  const truncated = result.length > MAX_RESULT ? result.slice(0, MAX_RESULT) + `
+
+[truncated ${result.length - MAX_RESULT} chars]` : result;
+  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return `<task-notification>
+<task-id>${esc(agentId)}</task-id>
+<tool-use-id>${esc(toolUseId)}</tool-use-id>
+<status>${status}</status>
+<summary>${esc(summary)}</summary>
+<result>${esc(truncated)}</result>
+</task-notification>`;
+}
+async function awaitOneCompletion() {
+  const pending = [];
+  for (const entry of registry.values()) {
+    if (!entry.delivered) pending.push(entry);
   }
+  if (pending.length === 0) return null;
+  const alreadySettled = pending.find((e) => e.result !== void 0);
+  const winner = alreadySettled ? alreadySettled : await Promise.race(
+    pending.map(
+      (entry) => entry.completionPromise.then(() => entry).catch(() => entry)
+    )
+  );
+  winner.delivered = true;
+  const result = winner.result;
+  const status = winner.status;
+  const summary = status === "completed" ? `Agent "${winner.description}" completed` : status === "failed" ? `Agent "${winner.description}" failed: ${result?.error ?? "unknown error"}` : status === "killed" ? `Agent "${winner.description}" was stopped` : `Agent "${winner.description}" ended (${status})`;
+  const text = result?.text ?? result?.error ?? "";
+  const xml = formatTaskNotification(
+    winner.agentId,
+    winner.toolUseId,
+    status,
+    summary,
+    text
+  );
+  return {
+    agentId: winner.agentId,
+    toolUseId: winner.toolUseId,
+    status,
+    summary,
+    result: text,
+    xml
+  };
+}
+function injectCompletionAsUserMessage(messages, completion) {
+  messages.push({
+    role: "user",
+    content: completion.xml
+  });
+}
+async function pollPendingAgents(messages) {
+  if (pendingCount() === 0) return false;
+  const completion = await awaitOneCompletion();
+  if (!completion) return false;
+  injectCompletionAsUserMessage(messages, completion);
   return true;
 }
-var interactiveHandler = {
-  surface: "interactive",
-  check: async (toolName, args, baseDecision, ctx) => {
-    if (baseDecision === "allow") {
-      if (toolName === "shell" && typeof args.command === "string") {
-        const pending = async () => {
-          const cls = classifyBashCommand(args.command);
-          if (cls.category === "destructive") {
-            return {
-              outcome: "prompt",
-              reason: `classifier flagged destructive command: ${cls.matchedPattern}`
-            };
-          }
-          return { outcome: "allow" };
-        };
-        return { outcome: "allow", pendingClassifierCheck: pending };
-      }
-      return { outcome: "allow" };
+
+// src/coordinator/agent-resolver.ts
+var ROLE_HINTS = [
+  {
+    name: "archimedes",
+    concepts: ["performance", "speed", "latency", "memory", "cpu", "throughput", "cost"],
+    tasks: ["optimize", "benchmark", "measure", "slow", "faster", "hot path", "profiling"],
+    strong: ["profile", "bench", "o(n", "big-o", "hotspot"]
+  },
+  {
+    name: "euclid",
+    concepts: ["proof", "invariant", "correctness", "theorem", "algorithm"],
+    tasks: ["prove", "verify", "derive", "axiom", "formal"],
+    strong: ["property test", "invariant", "induction", "lemma"]
+  },
+  {
+    name: "hypatia",
+    concepts: ["math", "formula", "statistics", "probability", "linear algebra", "numerical"],
+    tasks: ["compute", "calculate", "regression", "distribution", "matrix"],
+    strong: ["eigenvalue", "gradient", "ODE", "PDE", "markov"]
+  },
+  {
+    name: "kepler",
+    concepts: ["orbits", "pattern", "trend", "time series", "dataset"],
+    tasks: ["analyze", "pattern", "forecast", "anomaly"],
+    strong: ["time-series", "anomaly detection", "seasonality"]
+  },
+  {
+    name: "plato",
+    concepts: ["architecture", "design", "tradeoff", "principle", "philosophy"],
+    tasks: ["design", "refactor", "tradeoff", "pattern", "architect"],
+    strong: ["architectural decision", "adr", "design doc"]
+  },
+  {
+    name: "ptolemy",
+    concepts: ["map", "survey", "inventory", "catalog", "codebase", "dependency"],
+    tasks: ["survey", "map out", "enumerate", "list all", "find every"],
+    strong: ["dependency graph", "module map", "inventory"]
+  },
+  {
+    name: "pythagoras",
+    concepts: ["test", "assertion", "edge case", "spec", "contract"],
+    tasks: ["test", "write tests", "cover", "assert", "spec"],
+    strong: ["unit test", "integration test", "coverage gap"]
+  },
+  {
+    name: "awaiter",
+    concepts: ["wait", "poll", "watch", "monitor", "long-running"],
+    tasks: ["wait for", "watch the", "poll", "until"],
+    strong: ["long running", "deployment watch", "cron"]
+  }
+];
+var MIN_CONFIDENCE = 2;
+function scoreRole(description, hint) {
+  const lower = description.toLowerCase();
+  let score = 0;
+  const reasons = [];
+  for (const kw of hint.strong) {
+    if (lower.includes(kw)) {
+      score += 3;
+      reasons.push(`strong:"${kw}"`);
     }
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
+  }
+  for (const kw of hint.tasks) {
+    if (lower.includes(kw)) {
+      score += 2;
+      reasons.push(`task:"${kw}"`);
     }
-    if (wasRecentlyApproved(ctx.sessionId, toolName, args)) {
-      return {
-        outcome: "allow",
-        silent: true,
-        reason: "session-recent approval (within 30s)"
-      };
+  }
+  for (const kw of hint.concepts) {
+    if (lower.includes(kw)) {
+      score += 1;
+      reasons.push(`concept:"${kw}"`);
     }
-    return { outcome: "prompt" };
   }
-};
+  return { score, reasons };
+}
+function resolveAgent(description) {
+  const agents = listBuiltinAgents();
+  const byName = /* @__PURE__ */ new Map();
+  for (const a of agents) byName.set(a.name, a);
+  const ranked = [];
+  for (const hint of ROLE_HINTS) {
+    const agent = byName.get(hint.name);
+    if (!agent) continue;
+    const { score, reasons } = scoreRole(description, hint);
+    if (score > 0) ranked.push({ agent, score, reasons });
+  }
+  ranked.sort((a, b) => b.score - a.score);
+  const best = ranked[0] ?? null;
+  const confident = best !== null && best.score >= MIN_CONFIDENCE;
+  return { best, ranked, confident };
+}
 
-// src/permissions/handlers/one-shot.ts
-var oneShotHandler = {
-  surface: "one-shot",
-  check: async (toolName, _args, baseDecision, ctx) => {
-    if (baseDecision === "allow") return { outcome: "allow" };
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
+// src/coordinator/tools.ts
+var spawnParameters = z6.object({
+  subagent_type: z6.enum(["explore", "plan", "general", "builtin"]).describe(
+    "Worker profile: explore (read-only recon), plan (planning without edits), general (full tool access), builtin (named TOML-defined agent \u2014 provide builtin_name)."
+  ),
+  prompt: z6.string().describe(
+    "Self-contained spec for the worker. Include purpose, file paths, acceptance criteria, and what to report back. Workers cannot see this conversation."
+  ),
+  description: z6.string().describe(
+    "Short human-readable label for this worker, shown in status updates and in <task-notification> summaries."
+  ),
+  builtin_name: z6.string().optional().describe('Required when subagent_type is "builtin" \u2014 the name of the TOML-defined built-in agent to run.')
+});
+var agentSpawnTool = {
+  name: "agent_spawn",
+  description: 'Spawn a worker agent to execute a delegated task. Returns { agent_id, status: "spawned" } immediately \u2014 the worker runs in the background and eventually reports back via a <task-notification> user message. Use subagent_type to pick the worker profile.',
+  parameters: spawnParameters,
+  async execute(params, ctx) {
+    if (!ctx.coordinatorWorkerModel) {
+      return {
+        content: "agent_spawn is unavailable: coordinator mode is active but no worker model was supplied to the tool context. This is a configuration bug \u2014 coordinator mode must set coordinatorWorkerModel.",
+        isError: true
+      };
     }
-    if (ctx.autoConfirm) {
+    const { subagent_type, prompt, description, builtin_name } = params;
+    if (subagent_type === "builtin" && !builtin_name) {
+      const hint = resolveAgent(`${description}
+${prompt}`);
+      const suggestion = hint.confident ? ` Suggested: builtin_name="${hint.best.agent.name}" (matched ${hint.best.reasons.slice(0, 2).join(", ")}).` : "";
       return {
-        outcome: "allow",
-        silent: true,
-        reason: "--yes flag set; auto-confirming one-shot"
+        content: `agent_spawn: builtin_name is required when subagent_type is "builtin".${suggestion}`,
+        isError: true
       };
     }
-    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
-    ctx.denialCounter.set(toolName, count);
-    return {
-      outcome: "deny",
-      silent: true,
-      reason: "one-shot mode denies prompt-level tools without --yes",
-      tailNotification: `one-shot: denied ${toolName} (pass --yes to auto-approve)`
+    const agentId = subagent_type === "builtin" ? `${(builtin_name ?? "builtin").toLowerCase()}-${nextSubagentId("general").split("-")[1]}` : nextSubagentId(subagent_type);
+    const abortController = new AbortController();
+    const workerCtx = { ...ctx, coordinatorMode: false };
+    const completionPromise = subagent_type === "builtin" ? spawnBuiltinAgent({
+      id: agentId,
+      agentName: builtin_name,
+      prompt,
+      model: ctx.coordinatorWorkerModel,
+      toolContext: workerCtx
+    }) : spawnSubagent({
+      id: agentId,
+      type: subagent_type,
+      prompt,
+      model: ctx.coordinatorWorkerModel,
+      toolContext: workerCtx
+    });
+    const toolUseId = `spawn-${agentId}`;
+    const entry = {
+      agentId,
+      toolUseId,
+      description,
+      completionPromise,
+      abortController,
+      status: "spawned",
+      delivered: false,
+      startedAt: Date.now()
     };
-  }
-};
-
-// src/permissions/handlers/coordinator.ts
-var COORDINATOR_ALLOWED = /* @__PURE__ */ new Set([
-  "agent_spawn",
-  "agent_send_message",
-  "agent_stop",
-  "read",
-  "grep",
-  "glob"
-]);
-var coordinatorHandler = {
-  surface: "coordinator",
-  check: async (toolName, _args, baseDecision, _ctx) => {
-    if (COORDINATOR_ALLOWED.has(toolName)) {
-      if (baseDecision === "deny") {
-        return { outcome: "deny", reason: "coordinator tool explicitly denied by config" };
+    registerAgent(entry);
+    completionPromise.then((result) => {
+      entry.result = result;
+      if (abortController.signal.aborted) {
+        entry.status = "killed";
+      } else if (result.error) {
+        entry.status = "failed";
+      } else {
+        entry.status = "completed";
       }
-      return { outcome: "allow", silent: true };
-    }
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
-    }
+    }).catch((err) => {
+      entry.result = {
+        id: agentId,
+        type: subagent_type === "builtin" ? "builtin" : subagent_type,
+        text: "",
+        toolCalls: 0,
+        iterations: 0,
+        error: err?.message ?? String(err)
+      };
+      entry.status = abortController.signal.aborted ? "killed" : "failed";
+    });
     return {
-      outcome: "deny",
-      silent: true,
-      reason: "Coordinator must delegate write operations to a worker.",
-      tailNotification: `coordinator: blocked ${toolName} (delegate to worker)`
+      content: JSON.stringify({
+        agent_id: agentId,
+        status: "spawned",
+        description,
+        note: "Worker is running. You will receive a <task-notification> when it finishes."
+      })
     };
   }
 };
-
-// src/permissions/handlers/subagent.ts
-var subagentHandler = {
-  surface: "subagent",
-  check: async (toolName, _args, baseDecision, ctx) => {
-    if (baseDecision === "allow") return { outcome: "allow" };
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
+var sendMessageParameters = z6.object({
+  to: z6.string().describe("The agent_id returned by agent_spawn."),
+  message: z6.string().describe("Follow-up instructions for the worker.")
+});
+var agentSendMessageTool = {
+  name: "agent_send_message",
+  description: "Continue an existing worker with a follow-up message. NOTE: Notch workers are currently one-shot \u2014 once a worker has finished, this tool cannot resume it. For follow-up work, spawn a fresh worker with a synthesized prompt that includes the previous worker's findings.",
+  parameters: sendMessageParameters,
+  async execute(params, _ctx) {
+    const { to, message: _message } = params;
+    const entry = getAgent(to);
+    if (!entry) {
+      return {
+        content: `agent_send_message: no agent with id "${to}" in the registry. Check the agent_id you got back from agent_spawn.`,
+        isError: true
+      };
+    }
+    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
+      return {
+        content: JSON.stringify({
+          status: "unsupported",
+          agent_id: to,
+          agent_status: entry.status,
+          reason: "Notch workers are one-shot. This agent has already finished and cannot be continued. Spawn a fresh worker with a prompt that carries forward the relevant context from the previous worker's result."
+        }),
+        isError: true
+      };
     }
-    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
-    ctx.denialCounter.set(toolName, count);
-    const id = ctx.subagentId ?? "unknown";
     return {
-      outcome: "deny",
-      silent: true,
-      reason: "subagent has no interactive UI to prompt",
-      tailNotification: `subagent ${id}: denied ${toolName} (no UI to prompt)`
+      content: JSON.stringify({
+        status: "unsupported",
+        agent_id: to,
+        agent_status: entry.status,
+        reason: "Notch workers cannot receive mid-flight messages in the current runtime. Wait for the <task-notification> for this worker, then spawn a fresh worker with a synthesized follow-up prompt. Alternatively, call agent_stop and respawn with the corrected instructions."
+      }),
+      isError: true
     };
   }
 };
-
-// src/permissions/handlers/auto-mode.ts
-var AUTO_IMPLICIT_WRITE_KEY = "__auto_mode_implicit_writes__";
-var AUTO_WRITE_NOTIFY_THRESHOLD = 10;
-var WRITE_TOOLS = /* @__PURE__ */ new Set(["write", "edit", "apply_patch", "shell", "git"]);
-function hardDenyReason(toolName, args) {
-  if (toolName === "git") {
-    const op = typeof args.operation === "string" ? args.operation : "";
-    const flags = typeof args.flags === "string" ? args.flags : "";
-    const argsStr = typeof args.args === "string" ? args.args : "";
-    const combined = `${op} ${flags} ${argsStr}`.toLowerCase();
-    if (combined.includes("push") && /(-f\b|--force\b|--force-with-lease\b)/.test(combined)) {
-      return "force-push is never auto-approved";
-    }
-    if (combined.includes("reset") && combined.includes("--hard")) {
-      return "git reset --hard is never auto-approved";
-    }
-  }
-  if (toolName === "shell" && typeof args.command === "string") {
-    const cmd = args.command;
-    if (/\bnpm\s+publish\b/i.test(cmd) || /\byarn\s+publish\b/i.test(cmd) || /\bpnpm\s+publish\b/i.test(cmd)) {
-      return "package publish is never auto-approved";
-    }
-    if (/\bgit\s+push\b.*\b(?:-f|--force|--force-with-lease)\b/i.test(cmd)) {
-      return "force-push is never auto-approved";
-    }
-    if (/\b(?:rm\s+-rf?|dd\s+if=|mkfs\.|shred)\b/i.test(cmd)) {
-      return "classifier-flagged destructive shell command";
-    }
-  }
-  return null;
-}
-var autoModeHandler = {
-  surface: "auto-mode",
-  check: async (toolName, args, baseDecision, ctx) => {
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
-    }
-    const reason = hardDenyReason(toolName, args);
-    if (reason) {
+var stopParameters = z6.object({
+  id: z6.string().describe("The agent_id of the worker to stop.")
+});
+var agentStopTool = {
+  name: "agent_stop",
+  description: 'Abort a running worker. Use when you realize a worker is going in the wrong direction or the user has changed requirements. The worker will still emit a <task-notification> with status="killed".',
+  parameters: stopParameters,
+  async execute(params, _ctx) {
+    const entry = getAgent(params.id);
+    if (!entry) {
       return {
-        outcome: "deny",
-        silent: false,
-        reason,
-        tailNotification: `auto-mode: refused ${toolName} \u2014 ${reason}`
+        content: `agent_stop: no agent with id "${params.id}" in the registry.`,
+        isError: true
       };
     }
-    if (toolName === "shell" && typeof args.command === "string") {
-      const pending = async () => {
-        const cls = classifyBashCommand(args.command);
-        if (cls.category === "destructive") {
-          return {
-            outcome: "deny",
-            silent: false,
-            reason: `classifier flagged destructive command: ${cls.matchedPattern}`,
-            tailNotification: `auto-mode: refused destructive shell command (${cls.head ?? "shell"})`
-          };
-        }
-        return baseDecision === "allow" ? { outcome: "allow", silent: true } : { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
+    if (entry.status === "completed" || entry.status === "failed" || entry.status === "killed") {
+      return {
+        content: JSON.stringify({
+          status: "already_finished",
+          agent_id: params.id,
+          agent_status: entry.status
+        })
       };
-      if (baseDecision === "allow") return { outcome: "allow", pendingClassifierCheck: pending };
-      return { outcome: "allow", silent: true, pendingClassifierCheck: pending };
-    }
-    if (baseDecision === "allow") return { outcome: "allow" };
-    if (WRITE_TOOLS.has(toolName)) {
-      const writes = (ctx.denialCounter.get(AUTO_IMPLICIT_WRITE_KEY) ?? 0) + 1;
-      ctx.denialCounter.set(AUTO_IMPLICIT_WRITE_KEY, writes);
-      if (writes === AUTO_WRITE_NOTIFY_THRESHOLD) {
-        return {
-          outcome: "allow",
-          silent: true,
-          reason: "auto-mode implicit approval",
-          tailNotification: `auto-mode: ${writes} unattended writes this session \u2014 consider reviewing`
-        };
-      }
-      if (writes > AUTO_WRITE_NOTIFY_THRESHOLD && writes % 10 === 0) {
-        return {
-          outcome: "allow",
-          silent: true,
-          reason: "auto-mode implicit approval",
-          tailNotification: `auto-mode: ${writes} unattended writes this session`
-        };
-      }
-    }
-    return { outcome: "allow", silent: true, reason: "auto-mode implicit approval" };
-  }
-};
-
-// src/permissions/handlers/json-mode.ts
-var jsonModeHandler = {
-  surface: "json-mode",
-  check: async (toolName, _args, baseDecision, ctx) => {
-    if (baseDecision === "allow") return { outcome: "allow" };
-    if (baseDecision === "deny") {
-      return { outcome: "deny", reason: "denied by permission config" };
     }
-    const count = (ctx.denialCounter.get(toolName) ?? 0) + 1;
-    ctx.denialCounter.set(toolName, count);
-    const payload = JSON.stringify({
-      type: "permission_denied",
-      tool: toolName,
-      reason: "json mode requires explicit allowlist"
-    });
+    entry.abortController.abort();
     return {
-      outcome: "deny",
-      silent: true,
-      reason: "json mode requires explicit allowlist",
-      tailNotification: payload
+      content: JSON.stringify({
+        status: "abort_signaled",
+        agent_id: params.id,
+        note: 'Abort signal sent. The worker will finish its current step and then report back with status="killed".'
+      })
     };
   }
 };
-
-// src/permissions/dispatcher.ts
-var HANDLERS = {
-  interactive: interactiveHandler,
-  "one-shot": oneShotHandler,
-  coordinator: coordinatorHandler,
-  subagent: subagentHandler,
-  "auto-mode": autoModeHandler,
-  "json-mode": jsonModeHandler
-};
-function getActiveHandler(surface) {
-  return HANDLERS[surface];
-}
-async function runPermissionCheck(toolName, args, baseDecision, surface, ctx) {
-  const handler = getActiveHandler(surface);
-  const initial = await handler.check(toolName, args, baseDecision, ctx);
-  if (initial.tailNotification) {
-    pushTailNotification(initial.tailNotification);
-  }
-  if (!initial.pendingClassifierCheck) return initial;
-  try {
-    const refined = await initial.pendingClassifierCheck();
-    if (refined.tailNotification) pushTailNotification(refined.tailNotification);
-    return {
-      outcome: refined.outcome,
-      reason: refined.reason ?? initial.reason,
-      silent: refined.silent ?? initial.silent,
-      tailNotification: refined.tailNotification ?? initial.tailNotification
-    };
-  } catch {
-    return {
-      outcome: initial.outcome,
-      reason: initial.reason,
-      silent: initial.silent,
-      tailNotification: initial.tailNotification
-    };
-  }
-}
-var tailQueue = [];
-function pushTailNotification(message) {
-  tailQueue.push(message);
-}
-function recordAutoModeDenial(decision) {
-  if (decision.outcome !== "deny") return;
-  const msg = decision.tailNotification ?? decision.reason ?? "auto-mode: tool denied";
-  pushTailNotification(msg);
-}
-function drainTailNotifications() {
-  const out = tailQueue.splice(0, tailQueue.length);
-  return out;
-}
-var currentSurface = "interactive";
-function setCurrentSurface(surface) {
-  currentSurface = surface;
-}
-function createHandlerContext(options) {
-  return {
-    cwd: options.cwd,
-    sessionId: options.sessionId,
-    denialCounter: /* @__PURE__ */ new Map(),
-    log: options.log,
-    autoConfirm: options.autoConfirm,
-    guardianEnabled: options.guardianEnabled,
-    subagentId: options.subagentId
-  };
-}
+var COORDINATOR_TOOLS = [
+  agentSpawnTool,
+  agentSendMessageTool,
+  agentStopTool
+];
+var COORDINATOR_TOOL_NAMES = new Set(
+  COORDINATOR_TOOLS.map((t) => t.name)
+);
+var COORDINATOR_ALLOWED_TOOL_NAMES = /* @__PURE__ */ new Set([
+  ...COORDINATOR_TOOL_NAMES,
+  "read",
+  "grep",
+  "glob"
+]);
 
 // src/tools/index.ts
 var BUILTIN_TOOLS = [
@@ -2419,7 +2918,9 @@ var BUILTIN_TOOLS = [
   notebookTool,
   taskTool,
   codeModeExecTool,
-  codeModeWaitTool
+  codeModeWaitTool,
+  skillManageTool,
+  eventsTool
 ];
 var mcpClients = /* @__PURE__ */ new Map();
 var mcpTools = [];
@@ -2590,14 +3091,14 @@ function mcpToolCount() {
 }
 
 export {
+  drainTailNotifications,
+  setCurrentSurface,
   MCPClient,
   parseMCPConfig,
   listBuiltinAgents,
   spawnSubagent,
   nextSubagentId,
   pollPendingAgents,
-  drainTailNotifications,
-  setCurrentSurface,
   initMCPServers,
   disconnectMCPServers,
   buildToolMap,