@gajae-code/coding-agent 0.5.4 → 0.6.1

package/src/sdk.ts

@@ -47,6 +47,7 @@ import {
 import { loadPromptTemplates as loadPromptTemplatesInternal, type PromptTemplate } from "./config/prompt-templates";
 import { Settings, type SkillsSettings } from "./config/settings";
 import { CursorExecHandlers } from "./cursor";
+import type { BashRestrictionProfile } from "./tools/bash-allowed-prefixes";
 import "./discovery";
 import { resolveConfigValue } from "./config/resolve-config-value";
 import { getEmbeddedDefaultGjcSkills } from "./defaults/gjc-defaults";
@@ -310,6 +311,12 @@ export interface CreateAgentSessionOptions {
 	agentDisplayName?: string;
 	/** Optional restricted bash command prefixes for read-only role agents. */
 	bashAllowedPrefixes?: string[];
+	/** Restriction policy paired with bashAllowedPrefixes. */
+	bashRestrictionProfile?: BashRestrictionProfile;
+	/** Optional per-session restriction for goal tool operations. */
+	goalToolAllowedOps?: readonly ("create" | "get" | "complete" | "resume" | "drop" | "pause")[];
+	/** Optional per-session allowlist for tools exposed through search_tool_bm25. */
+	discoverableToolAllowedNames?: readonly string[];
 	/** Optional shared agent registry for IRC routing. Default: AgentRegistry.global(). */
 	agentRegistry?: AgentRegistry;
 	/** Parent task ID prefix for nested artifact naming (e.g., "6-Extensions") */
@@ -619,6 +626,7 @@ function customToolToDefinition(tool: CustomTool): ToolDefinition {
 		label: tool.label,
 		description: tool.description,
 		parameters: tool.parameters,
+		concurrency: tool.concurrency,
 		hidden: tool.hidden,
 		deferrable: tool.deferrable,
 		mcpServerName: tool.mcpServerName,
@@ -1219,6 +1227,9 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			},
 			getAgentId: () => resolvedAgentId,
 			bashAllowedPrefixes: options.bashAllowedPrefixes,
+			bashRestrictionProfile: options.bashRestrictionProfile,
+			goalToolAllowedOps: options.goalToolAllowedOps,
+			discoverableToolAllowedNames: options.discoverableToolAllowedNames,
 			getToolByName: name => session?.getToolByName(name),
 			agentRegistry,
 			getSessionSpawns: () => options.spawns ?? "*",
@@ -2028,6 +2039,7 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			rebuildSystemPrompt,
 			reloadSshTool,
 			requestedToolNames: requestedToolNameSet,
+			discoverableToolAllowedNames: options.discoverableToolAllowedNames,
 			getMcpServerInstructions: mcpManager
 				? () => {
 						const raw = mcpManager.getServerInstructions();

package/src/session/agent-session.ts

@@ -388,6 +388,8 @@ export interface AgentSessionConfig {
 	/** Rebuild the SSH tool from current capability discovery results. */
 	reloadSshTool?: () => Promise<AgentTool | null>;
 	requestedToolNames?: ReadonlySet<string>;
+	/** Optional per-session allowlist for tools exposed through search_tool_bm25. */
+	discoverableToolAllowedNames?: readonly string[];
 	/**
 	 * Optional accessor for live MCP server instructions. Read by the session's
 	 * `rebuildSystemPrompt`-skip optimization to detect server-side instruction
@@ -944,6 +946,7 @@ export class AgentSession {
 	// Bash execution state
 	#bashAbortControllers = new Set<AbortController>();
 	#pendingBashMessages: BashExecutionMessage[] = [];
+	#foregroundBashBackgroundRequestHandler: (() => void) | undefined;
 
 	// Python execution state
 	#evalAbortControllers = new Set<AbortController>();
@@ -1016,6 +1019,7 @@ export class AgentSession {
 	// Generic tool discovery (covers built-in + MCP + extension when tools.discoveryMode === "all")
 	#discoverableToolSearchIndex: DiscoverableToolSearchIndex | null = null;
 	#selectedDiscoveredToolNames = new Set<string>();
+	#discoverableToolAllowedNames: ReadonlySet<string> | undefined;
 	#rpcHostToolNames = new Set<string>();
 	#gjcSubskillToolNames = new Set<string>();
 	#gjcSubskillToolSignature: string | undefined;
@@ -1224,6 +1228,9 @@ export class AgentSession {
 		this.#reloadSshTool = config.reloadSshTool;
 		this.#baseSystemPrompt = this.agent.state.systemPrompt;
 		this.#mcpDiscoveryEnabled = config.mcpDiscoveryEnabled ?? false;
+		this.#discoverableToolAllowedNames = config.discoverableToolAllowedNames
+			? new Set(config.discoverableToolAllowedNames.map(name => name.toLowerCase()))
+			: undefined;
 		this.#setDiscoverableMCPTools(this.#collectDiscoverableMCPToolsFromRegistry());
 		this.#selectedMCPToolNames = new Set(config.initialSelectedMCPToolNames ?? []);
 		this.#defaultSelectedMCPServerNames = new Set(config.defaultSelectedMCPServerNames ?? []);
@@ -3429,6 +3436,42 @@ export class AgentSession {
 		return this.#toolRegistry.get(name);
 	}
 
+	/**
+	 * Register a UI/control-plane request handler for a currently foregrounded
+	 * managed bash execution. This is intentionally narrower than generic
+	 * process/job control: unsupported tool types simply do not register a
+	 * handler, so Ctrl+B-style folding fails closed instead of aborting or
+	 * shell-suspending arbitrary work.
+	 */
+	registerForegroundBashBackgroundRequestHandler(handler: () => void): () => void {
+		this.#foregroundBashBackgroundRequestHandler = handler;
+		return () => {
+			if (this.#foregroundBashBackgroundRequestHandler === handler) {
+				this.#foregroundBashBackgroundRequestHandler = undefined;
+			}
+		};
+	}
+
+	/**
+	 * Returns whether a managed foreground bash call is currently backgroundable.
+	 * UI key handlers use this to avoid consuming normal editor shortcuts when
+	 * no fold target exists.
+	 */
+	hasForegroundBashBackgroundRequestHandler(): boolean {
+		return this.#foregroundBashBackgroundRequestHandler !== undefined;
+	}
+
+	/**
+	 * Ask the active managed foreground bash call to return as a background job.
+	 * Returns false when no supported foreground tool is currently backgroundable.
+	 */
+	requestForegroundBashBackground(): boolean {
+		const handler = this.#foregroundBashBackgroundRequestHandler;
+		if (!handler) return false;
+		handler();
+		return true;
+	}
+
 	/**
 	 * Get all configured tool names (built-in via --tools or default, plus custom tools).
 	 */
@@ -3553,6 +3596,7 @@ export class AgentSession {
 		for (const tool of this.#toolRegistry.values()) {
 			if (tool.loadMode !== "discoverable") continue;
 			if (activeNames.has(tool.name)) continue;
+			if (this.#discoverableToolAllowedNames && !this.#discoverableToolAllowedNames.has(tool.name)) continue;
 			const collected = collectDiscoverableTools([tool], { source: "builtin" });
 			result.push(...collected);
 		}
@@ -3599,6 +3643,7 @@ export class AgentSession {
 			const currentActiveNames = new Set(this.getActiveToolNames());
 			const newlyAdded: string[] = [];
 			for (const name of nonMcpNames) {
+				if (this.#discoverableToolAllowedNames && !this.#discoverableToolAllowedNames.has(name)) continue;
 				if (this.#toolRegistry.has(name) && !currentActiveNames.has(name)) {
 					newlyAdded.push(name);
 					this.#selectedDiscoveredToolNames.add(name);
@@ -5804,9 +5849,9 @@ export class AgentSession {
 		);
 		this.settings.getStorage()?.recordModelUsage(`${model.provider}/${model.id}`);
 
-		// Re-apply thinking for the newly selected model. Prefer the model's
-		// configured defaultLevel; otherwise preserve the current level.
-		this.setThinkingLevel(model.thinking?.defaultLevel ?? this.thinkingLevel);
+		// Apply the explicitly selected thinking level when the selector supplies one;
+		// otherwise prefer the model's configured defaultLevel, then preserve the current level.
+		this.setThinkingLevel(options?.thinkingLevel ?? model.thinking?.defaultLevel ?? this.thinkingLevel);
 		await this.#syncEditToolModeAfterModelChange(previousEditMode);
 	}
 

package/src/slash-commands/builtin-registry.ts

@@ -449,6 +449,23 @@ const BUILTIN_SLASH_COMMAND_REGISTRY: ReadonlyArray<SlashCommandSpec> = [
 			runtime.ctx.editor.setText("");
 		},
 	},
+	{
+		name: "copy",
+		description: "Copy last response as markdown",
+		// Public `/copy` is strict zero-argument, but `allowArgs` lets the
+		// TUI dispatcher route `/copy <arg>` here so it can be rejected locally
+		// instead of falling through as a model prompt.
+		allowArgs: true,
+		handleTui: (command, runtime) => {
+			if (command.args.trim().length > 0) {
+				runtime.ctx.showError("Usage: /copy");
+				runtime.ctx.editor.setText("");
+				return;
+			}
+			runtime.ctx.handleCopyCommand(undefined);
+			runtime.ctx.editor.setText("");
+		},
+	},
 	{
 		name: "dump",
 		description: "Copy session transcript to clipboard",

package/src/tools/bash-allowed-prefixes.ts

@@ -3,11 +3,18 @@ export interface BashAllowedPrefixesCheck {
 	reason?: string;
 }
 
+export type BashRestrictionProfile = "workflow" | "read-only";
+
+export interface BashRestrictionOptions {
+	profile?: BashRestrictionProfile;
+}
+
 const SHELL_CONTROL_CHARS = new Set([";", "|", "&", "<", ">", "(", ")"]);
 const UNSAFE_UNQUOTED_EXPANSION_CHARS = new Set(["$", "*", "?", "[", "]", "{", "}", "~"]);
 const STATE_FLAGS_WITH_VALUES = new Set(["--input", "--mode", "--session-id", "--thread-id", "--turn-id", "--to"]);
 const STATE_ACTIONS = new Set(["read", "write", "clear", "contract", "handoff"]);
 const ALLOWED_STATE_ACTIONS = new Set(["read", "write", "contract"]);
+const READ_ONLY_COMMANDS = new Set(["grep", "rg", "tree", "ls", "pwd", "wc", "du", "file", "stat"]);
 
 function parseShellWords(command: string): { words: string[]; reason?: string } {
 	const words: string[] = [];
@@ -118,6 +125,59 @@ function parseStateAction(words: readonly string[]): string | undefined {
 	return third ? undefined : second;
 }
 
+function optionWords(words: readonly string[]): string[] {
+	const options: string[] = [];
+	for (const word of words.slice(1)) {
+		if (word === "--") break;
+		options.push(word);
+	}
+	return options;
+}
+
+function isLongOption(word: string, option: string): boolean {
+	return word === option || word.startsWith(`${option}=`);
+}
+
+function hasShortOption(word: string, option: string): boolean {
+	return word.startsWith("-") && !word.startsWith("--") && word.slice(1).includes(option);
+}
+function shellQuote(value: string): string {
+	return `'${value.replace(/'/g, `'"'"'`)}'`;
+}
+
+function resolvedExternalCommand(command: string): string | undefined {
+	return Bun.which(command) ?? undefined;
+}
+
+function validateReadOnlyCommand(words: readonly string[]): BashAllowedPrefixesCheck {
+	const command = words[0];
+	if (!command || !READ_ONLY_COMMANDS.has(command)) {
+		return { allowed: false, reason: "read-only bash only allows approved inspection commands" };
+	}
+
+	const options = optionWords(words);
+	if (command === "rg") {
+		for (const option of options) {
+			if (isLongOption(option, "--pre") || isLongOption(option, "--pre-glob")) {
+				return { allowed: false, reason: "read-only bash does not allow ripgrep preprocessors" };
+			}
+			if (isLongOption(option, "--search-zip") || hasShortOption(option, "z")) {
+				return { allowed: false, reason: "read-only bash does not allow ripgrep compressed-file subprocesses" };
+			}
+		}
+	}
+
+	if (command === "tree") {
+		for (const option of options) {
+			if (isLongOption(option, "--output") || hasShortOption(option, "o")) {
+				return { allowed: false, reason: "read-only bash does not allow tree output-file writes" };
+			}
+		}
+	}
+
+	return { allowed: true };
+}
+
 function validateMatchedGjcCommand(words: readonly string[]): BashAllowedPrefixesCheck {
 	if (words[0] !== "gjc") return { allowed: true };
 
@@ -145,9 +205,29 @@ function validateMatchedGjcCommand(words: readonly string[]): BashAllowedPrefixe
 	return { allowed: true };
 }
 
+function commandAllowedPrefixesReason(normalizedPrefixes: readonly string[], options: BashRestrictionOptions): string {
+	const prefixList = normalizedPrefixes.join(", ");
+	return options.profile === "read-only"
+		? `read-only bash only allows commands starting with: ${prefixList}`
+		: `restricted role-agent bash only allows commands starting with: ${prefixList}`;
+}
+
+export function normalizeReadOnlyBashCommand(command: string): string | undefined {
+	const parsed = parseShellWords(command.trim());
+	if (parsed.reason || parsed.words.length === 0) return undefined;
+	const validation = validateReadOnlyCommand(parsed.words);
+	if (!validation.allowed) return undefined;
+	const [head, ...rest] = parsed.words;
+	if (!head) return undefined;
+	const resolvedHead = resolvedExternalCommand(head);
+	if (!resolvedHead) return undefined;
+	return [shellQuote(resolvedHead), ...rest.map(shellQuote)].join(" ");
+}
+
 export function checkBashAllowedPrefixes(
 	command: string,
 	allowedPrefixes: readonly string[] | undefined,
+	options: BashRestrictionOptions = {},
 ): BashAllowedPrefixesCheck {
 	const normalizedPrefixes = allowedPrefixes?.map(prefix => prefix.trim()).filter(Boolean) ?? [];
 	if (normalizedPrefixes.length === 0) return { allowed: true };
@@ -161,9 +241,12 @@ export function checkBashAllowedPrefixes(
 	if (!matched) {
 		return {
 			allowed: false,
-			reason: `restricted role-agent bash only allows commands starting with: ${normalizedPrefixes.join(", ")}`,
+			reason: commandAllowedPrefixesReason(normalizedPrefixes, options),
 		};
 	}
 
+	if (options.profile === "read-only") {
+		return validateReadOnlyCommand(parsed.words);
+	}
 	return validateMatchedGjcCommand(parsed.words);
 }

package/src/tools/bash.ts

@@ -19,7 +19,7 @@ import { renderStatusLine } from "../tui";
 import { CachedOutputBlock } from "../tui/output-block";
 import { getSixelLineMask } from "../utils/sixel";
 import type { ToolSession } from ".";
-import { checkBashAllowedPrefixes } from "./bash-allowed-prefixes";
+import { checkBashAllowedPrefixes, normalizeReadOnlyBashCommand } from "./bash-allowed-prefixes";
 import { applyBashFixups } from "./bash-command-fixup";
 import { type BashInteractiveResult, runInteractiveBashPty } from "./bash-interactive";
 import { checkBashInterception } from "./bash-interceptor";
@@ -36,6 +36,12 @@ export const BASH_DEFAULT_PREVIEW_LINES = 10;
 
 const BASH_ENV_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
 const DEFAULT_AUTO_BACKGROUND_THRESHOLD_MS = 60_000;
+const READ_ONLY_BASH_ENV: Record<string, string> = {
+	GREP_OPTIONS: "",
+	GREP_COLOR: "",
+	GREP_COLORS: "",
+	RIPGREP_CONFIG_PATH: "",
+};
 
 export async function saveBashOriginalArtifactForTests(
 	session: ToolSession,
@@ -261,6 +267,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 			hasSearch: this.session.settings.get("search.enabled"),
 			hasFind: this.session.settings.get("find.enabled"),
 			restrictedAllowedPrefixes: this.session.bashAllowedPrefixes,
+			restrictionProfile: this.session.bashRestrictionProfile,
 		});
 	}
 
@@ -363,6 +370,12 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 		const label = options.command.length > 120 ? `${options.command.slice(0, 117)}...` : options.command;
 		let latestText = "";
 		let backgrounded = options.startBackgrounded;
+		const runningDetails = (jobId: string): Record<string, unknown> | undefined =>
+			backgrounded ? { async: { state: "running", jobId, type: "bash" } } : undefined;
+		const completedDetails = (jobId: string): Record<string, unknown> | undefined =>
+			backgrounded ? { async: { state: "completed", jobId, type: "bash" } } : undefined;
+		const failedDetails = (jobId: string): Record<string, unknown> | undefined =>
+			backgrounded ? { async: { state: "failed", jobId, type: "bash" } } : undefined;
 		const completion = Promise.withResolvers<ManagedBashJobCompletion>();
 
 		const jobId = manager.register(
@@ -381,10 +394,12 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 						artifactPath,
 						artifactId,
 						oneShot: true,
+						ignoreShellPrefix: this.session.bashRestrictionProfile === "read-only",
+						disableShellSnapshot: this.session.bashRestrictionProfile === "read-only",
 						onChunk: chunk => {
 							tailBuffer.append(chunk);
 							latestText = tailBuffer.text();
-							void reportProgress(latestText, { async: { state: "running", jobId, type: "bash" } });
+							void reportProgress(latestText, runningDetails(jobId));
 						},
 						onRawChunk: chunk => {
 							// Forward the unthrottled sanitized chunk to the async-job
@@ -402,13 +417,13 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 					const finalText = this.#extractTextResult(finalResult);
 					latestText = finalText;
 					completion.resolve({ kind: "completed", result: finalResult });
-					await reportProgress(finalText, { async: { state: "completed", jobId, type: "bash" } });
+					await reportProgress(finalText, completedDetails(jobId));
 					return finalText;
 				} catch (error) {
 					const message = error instanceof Error ? error.message : String(error);
 					latestText = message;
 					completion.resolve({ kind: "failed", error });
-					await reportProgress(message, { async: { state: "failed", jobId, type: "bash" } });
+					await reportProgress(message, failedDetails(jobId));
 					throw error;
 				}
 			},
@@ -439,6 +454,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 		job: ManagedBashJobHandle,
 		thresholdMs: number,
 		signal?: AbortSignal,
+		backgroundRequest?: Promise<void>,
 	): Promise<ManagedBashJobCompletion | { kind: "running" } | { kind: "aborted" }> {
 		if (signal?.aborted) {
 			return { kind: "aborted" };
@@ -448,6 +464,9 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 			job.completion,
 			Bun.sleep(thresholdMs).then(() => ({ kind: "running" as const })),
 		];
+		if (backgroundRequest) {
+			waiters.push(backgroundRequest.then(() => ({ kind: "running" as const })));
+		}
 
 		if (!signal) {
 			return await Promise.race(waiters);
@@ -510,23 +529,37 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 
 		const rawCommand = input.command;
 		const allowedPrefixes = this.session.bashAllowedPrefixes;
+		if (
+			(this.session.bashRestrictionProfile === "read-only" || (allowedPrefixes && allowedPrefixes.length > 0)) &&
+			env &&
+			Object.keys(env).length > 0
+		) {
+			const mode = this.session.bashRestrictionProfile === "read-only" ? "Read-only" : "Restricted role-agent";
+			throw new ToolError(`${mode} bash does not allow per-command env overrides.`);
+		}
 		if (allowedPrefixes && allowedPrefixes.length > 0) {
-			if (env && Object.keys(env).length > 0) {
-				throw new ToolError("Restricted role-agent bash does not allow per-command env overrides.");
-			}
 			const commandsToCheck = rawCommand === command ? [command] : [rawCommand, command];
 			for (const commandToCheck of commandsToCheck) {
-				const allowlist = checkBashAllowedPrefixes(commandToCheck, allowedPrefixes);
+				const allowlist = checkBashAllowedPrefixes(commandToCheck, allowedPrefixes, {
+					profile: this.session.bashRestrictionProfile,
+				});
 				if (!allowlist.allowed) {
 					throw new ToolError(allowlist.reason ?? "Command blocked by restricted role-agent bash allowlist.");
 				}
 			}
 		}
+		if (this.session.bashRestrictionProfile === "read-only") {
+			const normalizedReadOnlyCommand = normalizeReadOnlyBashCommand(command);
+			if (!normalizedReadOnlyCommand) {
+				throw new ToolError("Read-only bash command could not be normalized safely.");
+			}
+			command = normalizedReadOnlyCommand;
+		}
 
 		// Check both the original command and the cwd-normalized command so
 		// leading `cd ... &&` wrappers do not hide either shell-navigation rules
 		// or the dedicated-tool command that follows the directory change.
-		if (this.session.settings.get("bashInterceptor.enabled")) {
+		if (this.session.bashRestrictionProfile !== "read-only" && this.session.settings.get("bashInterceptor.enabled")) {
 			const rules = this.session.settings.getBashInterceptorRules();
 			const commandsToCheck = rawCommand === command ? [command] : [rawCommand, command];
 			for (const commandToCheck of commandsToCheck) {
@@ -545,7 +578,10 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 				getSessionId: this.session.getSessionId,
 			},
 		};
-		command = await expandInternalUrls(command, { ...internalUrlOptions, ensureLocalParentDirs: true });
+		command = await expandInternalUrls(command, {
+			...internalUrlOptions,
+			ensureLocalParentDirs: this.session.bashRestrictionProfile !== "read-only",
+		});
 		const sessionFile = this.session.getSessionFile?.() ?? null;
 		const expandedEnv = env
 			? Object.fromEntries(
@@ -568,6 +604,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 				cwd: this.session.cwd,
 			}),
 			...expandedEnv,
+			...(this.session.bashRestrictionProfile === "read-only" ? READ_ONLY_BASH_ENV : {}),
 			...(allowedPrefixes && allowedPrefixes.length > 0 ? { [GJC_RESTRICTED_ROLE_AGENT_BASH_ENV]: "1" } : {}),
 		};
 
@@ -682,6 +719,8 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 						artifactPath,
 						artifactId,
 						oneShot: true,
+						ignoreShellPrefix: this.session.bashRestrictionProfile === "read-only",
+						disableShellSnapshot: this.session.bashRestrictionProfile === "read-only",
 						onChunk: chunk => {
 							tailBuffer.append(chunk);
 							void reportProgress(tailBuffer.text(), {
@@ -729,6 +768,10 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 		if (asyncRequested && !this.#asyncEnabled) {
 			throw new ToolError("Async bash execution is disabled. Enable async.enabled to use async mode.");
 		}
+		if (this.session.bashRestrictionProfile === "read-only" && pty) {
+			throw new ToolError("Read-only bash does not allow PTY mode.");
+		}
+
 		const prepared = await this.#prepareBashExecution(
 			{ command: rawCommand, env: rawEnv, timeout: rawTimeout, cwd },
 			ctx,
@@ -787,7 +830,22 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 					notices: pendingNotices,
 				});
 			}
-			const waitResult = await this.#waitForManagedBashJob(job, autoBackgroundWaitMs, signal);
+			const backgroundRequest = Promise.withResolvers<void>();
+			const unregisterBackgroundRequest = this.session.registerForegroundBashBackgroundRequestHandler?.(() => {
+				job.setBackgrounded(true);
+				backgroundRequest.resolve();
+			});
+			let waitResult: ManagedBashJobCompletion | { kind: "running" } | { kind: "aborted" };
+			try {
+				waitResult = await this.#waitForManagedBashJob(
+					job,
+					autoBackgroundWaitMs,
+					signal,
+					backgroundRequest.promise,
+				);
+			} finally {
+				unregisterBackgroundRequest?.();
+			}
 			if (waitResult.kind === "completed") {
 				autoBgManager.acknowledgeDeliveries([job.jobId]);
 				return waitResult.result;
@@ -810,7 +868,8 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 
 		// Route through the client terminal when the client advertises the terminal capability.
 		// Skip when pty=true (PTY needs the local terminal UI).
-		const clientBridge = this.session.getClientBridge?.();
+		const clientBridge =
+			this.session.bashRestrictionProfile === "read-only" ? undefined : this.session.getClientBridge?.();
 		if (clientBridge?.capabilities.terminal && clientBridge.createTerminal && !pty) {
 			const handle = await clientBridge.createTerminal({
 				command,
@@ -983,7 +1042,12 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 		// Allocate artifact for truncated output storage
 		const { path: artifactPath, id: artifactId } = (await this.session.allocateOutputArtifact?.("bash")) ?? {};
 
-		const interactiveUi = canUseInteractiveBashPty(pty, ctx) ? ctx?.ui : undefined;
+		const interactiveUi =
+			this.session.bashRestrictionProfile === "read-only"
+				? undefined
+				: canUseInteractiveBashPty(pty, ctx)
+					? ctx?.ui
+					: undefined;
 		const result: BashResult | BashInteractiveResult = interactiveUi
 			? await runInteractiveBashPty(interactiveUi, {
 					command,
@@ -997,6 +1061,7 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 			: await executeBash(command, {
 					cwd: commandCwd,
 					sessionKey: this.session.getSessionId?.() ?? undefined,
+					oneShot: this.session.bashRestrictionProfile === "read-only",
 					timeout: timeoutMs,
 					signal,
 					env: resolvedEnv,
@@ -1004,6 +1069,8 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 					artifactId,
 					onChunk: streamTailUpdates(tailBuffer, onUpdate),
 					onMinimizedSave: originalText => saveBashOriginalArtifactForTests(this.session, originalText),
+					ignoreShellPrefix: this.session.bashRestrictionProfile === "read-only",
+					disableShellSnapshot: this.session.bashRestrictionProfile === "read-only",
 				});
 		if (result.cancelled) {
 			if (signal?.aborted) {

package/src/tools/browser/attach.ts

@@ -1,4 +1,5 @@
 import * as net from "node:net";
+import * as path from "node:path";
 import { Process, ProcessStatus } from "@gajae-code/natives";
 import type { Browser, Page } from "puppeteer-core";
 import { ToolError, throwIfAborted } from "../tool-errors";
@@ -62,6 +63,17 @@ export async function waitForCdp(cdpUrl: string, timeoutMs: number, signal?: Abo
  * accepts both `--flag=value` and `--flag value`). Returns null if absent or
  * malformed.
  */
+export function findCdpPortInArgsForTest(args: string[]): number | null {
+	return findCdpPortInArgs(args);
+}
+export function findCdpAddressInArgsForTest(args: readonly string[]): string | null {
+	return findCdpAddressInArgs(args);
+}
+
+export function isSafeCdpAddressForTest(address: string | null): boolean {
+	return isSafeCdpAddress(address);
+}
+
 function findCdpPortInArgs(args: string[]): number | null {
 	for (const arg of args) {
 		const m = /^--remote-debugging-port=(\d+)$/.exec(arg);
@@ -79,6 +91,41 @@ function findCdpPortInArgs(args: string[]): number | null {
 	return null;
 }
 
+function findArgValue(args: readonly string[], name: string): string | null {
+	const prefix = `${name}=`;
+	for (const arg of args) {
+		if (arg.startsWith(prefix)) return arg.slice(prefix.length);
+	}
+	for (let i = 0; i < args.length - 1; i++) {
+		if (args[i] === name) return args[i + 1] ?? null;
+	}
+	return null;
+}
+
+function normalizeProfilePath(input: string): string {
+	return path.resolve(input);
+}
+
+export function argsMatchChromeProfileForTest(
+	args: readonly string[],
+	profile: { userDataDir: string; profileDirectory: string },
+): boolean {
+	return argsMatchChromeProfile(args, profile);
+}
+
+function argsMatchChromeProfile(
+	args: readonly string[],
+	profile: { userDataDir: string; profileDirectory: string },
+): boolean {
+	const userDataDir = findArgValue(args, "--user-data-dir");
+	const profileDirectory = findArgValue(args, "--profile-directory") ?? "Default";
+	return (
+		userDataDir !== null &&
+		normalizeProfilePath(userDataDir) === normalizeProfilePath(profile.userDataDir) &&
+		profileDirectory === profile.profileDirectory
+	);
+}
+
 /** One-shot probe: returns true when `/json/version` answers 200 within the timeout. */
 async function probeCdpAt(port: number, signal?: AbortSignal): Promise<boolean> {
 	const probeTimeout = AbortSignal.timeout(1500);
@@ -93,10 +140,26 @@ async function probeCdpAt(port: number, signal?: AbortSignal): Promise<boolean>
 }
 
 /**
- * If any running instance of `exe` was launched with `--remote-debugging-port`
- * and that endpoint actually answers, return it so attach can reuse it instead
- * of killing and respawning. Idempotent re-attaches are the common case.
+ * Chromium binds remote debugging to loopback by default when no address is
+ * provided. Reuse only loopback CDP listeners; a matching profile launched with
+ * --remote-debugging-address=0.0.0.0, ::, or any LAN/public address is unsafe.
  */
+function findCdpAddressInArgs(args: readonly string[]): string | null {
+	return findArgValue(args, "--remote-debugging-address");
+}
+
+function isSafeCdpAddress(address: string | null): boolean {
+	if (address === null || address.trim() === "") return true;
+	const normalized = address.trim().toLowerCase();
+	return normalized === "127.0.0.1" || normalized === "localhost" || normalized === "::1" || normalized === "[::1]";
+}
+
+function unsafeCdpAddressReason(address: string): string {
+	return `Refusing to reuse Chrome profile CDP endpoint because --remote-debugging-address=${JSON.stringify(
+		address,
+	)} is not a loopback-only address. Restart Chrome with --remote-debugging-address=127.0.0.1 or omit the address flag.`;
+}
+
 export async function findReusableCdp(
 	exe: string,
 	signal?: AbortSignal,
@@ -111,6 +174,8 @@ export async function findReusableCdp(
 		}
 		const port = findCdpPortInArgs(args);
 		if (port === null) continue;
+		const address = findCdpAddressInArgs(args);
+		if (!isSafeCdpAddress(address)) continue;
 		if (await probeCdpAt(port, signal)) {
 			return { cdpUrl: `http://127.0.0.1:${port}`, pid: proc.pid };
 		}
@@ -118,6 +183,41 @@ export async function findReusableCdp(
 	return null;
 }
 
+export interface RunningChromeProfile {
+	pid: number;
+	cdpUrl: string | null;
+	unsafeCdpReason?: string;
+}
+
+export async function findRunningChromeProfile(
+	exe: string,
+	profile: { userDataDir: string; profileDirectory: string },
+	signal?: AbortSignal,
+): Promise<RunningChromeProfile | null> {
+	const candidates = Process.fromPath(exe).filter(p => p.status() === ProcessStatus.Running);
+	for (const proc of candidates) {
+		let args: string[];
+		try {
+			args = proc.args();
+		} catch {
+			continue;
+		}
+		if (!argsMatchChromeProfile(args, profile)) continue;
+		const port = findCdpPortInArgs(args);
+		if (port !== null) {
+			const address = findCdpAddressInArgs(args);
+			if (!isSafeCdpAddress(address)) {
+				return { pid: proc.pid, cdpUrl: null, unsafeCdpReason: unsafeCdpAddressReason(address ?? "") };
+			}
+			if (await probeCdpAt(port, signal)) {
+				return { pid: proc.pid, cdpUrl: `http://127.0.0.1:${port}` };
+			}
+		}
+		return { pid: proc.pid, cdpUrl: null };
+	}
+	return null;
+}
+
 /**
  * Pick the best page target on an attached browser. Without a matcher, prefer
  * a page that doesn't look like a helper window (devtools, request handler,