@germanescobar/anita 0.3.0 → 0.4.0

package/README.md

@@ -200,6 +200,39 @@ Example stream:
 {"type":"run.completed","sessionId":"9e6f8a7d-7ff1-4c2c-b3d8-9c3ed5a1d4b7","status":"completed","stopReason":"end_turn","timestamp":"2026-04-09T15:00:01.000Z"}
 ```
 
+#### Approvals in `--stream-json` mode
+
+When a tool call requires approval (policy returns `ask`), the CLI emits two
+extra events around the gate so consumers can audit decisions. They fire in
+every mode — including `--auto-approve` and human TTY mode — so the stream
+shape is uniform regardless of how the answer was produced.
+
+```json
+{"type":"approval.request","id":"toolu_123","tool":"run_command","input":{"command":"npm test"},"timestamp":"…"}
+{"type":"approval.resolved","id":"toolu_123","approved":true,"reason":"user","timestamp":"…"}
+```
+
+`id` is the model's tool call id and matches the surrounding `tool.call` /
+`tool.result` lifecycle. `input` is the structured object, never a pre-rendered
+string. `reason` is one of:
+
+- `user` — the responder answered.
+- `aborted` — the run's `AbortSignal` fired while waiting.
+- `eof` — the consumer closed stdin before answering.
+- `error` — the approval callback itself threw.
+
+When stdin is a pipe, the CLI never writes a prompt to stdout or stderr. The
+consumer answers by writing a single JSON line to stdin:
+
+```json
+{"type":"approval.response","id":"toolu_123","approved":true}
+```
+
+The resolver waits silently on stdin. Mismatched `id`s, malformed JSON, and
+unknown message types are discarded (logged to stderr) so a stale response
+can't poison the run. There is exactly one approval pending at a time — the
+executor runs tool calls sequentially.
+
 Without `--stream-json`, the CLI uses the normal human-readable terminal output.
 
 When using an OpenAI-compatible backend that exposes reasoning traces, Anita will also store them in the `assistant_response` event payload as `reasoning` and emit an `assistant.reasoning` stream event.

package/dist/agent/context-builder.d.ts

@@ -1,6 +1,4 @@
 import type { ApprovalMode, PolicyContext } from "./policies.js";
-import type { ConversationItem } from "../types/conversation.js";
-import type { Message } from "../types/messages.js";
 import type { Skill } from "../skills/skills.js";
 export type NetworkAccess = "available" | "unavailable" | "unknown";
 export interface RuntimeContextOptions {
@@ -19,11 +17,10 @@ export declare class ContextBuilder {
     private runtimeContext;
     constructor(workingDirectory: string, runtimeContext?: RuntimeContextOptions);
     buildSystemPrompt(): string;
+    appendRuntimeContext(baseSystemPrompt: string): Promise<string>;
     private buildUserSystemPromptSection;
     private buildEnvironmentFooter;
     buildDynamicContext(): Promise<string>;
-    buildMessagesWithDynamicContext(messages: Message[]): Promise<Message[]>;
-    buildItemsWithDynamicContext(items: ConversationItem[]): Promise<ConversationItem[]>;
     private buildEnvironmentContext;
     private buildPolicyContext;
     private describeApprovalMode;

package/dist/agent/context-builder.js

@@ -1,7 +1,7 @@
 import { exec } from "node:child_process";
 import { formatSkillsForPrompt } from "../skills/skills.js";
 import { formatAgentInstructionsForPrompt, loadAgentInstructions, } from "./agents.js";
-const STATIC_SYSTEM_PROMPT = `You are Anita, a coding agent.
+const STATIC_SYSTEM_PROMPT = `You are Anita, an extremely capable coding agent.
 
 You have these tools available:
 - read_file: Read file contents
@@ -11,13 +11,14 @@ You have these tools available:
 - run_command: Run a shell command
 
 Instructions:
-- Use tools to explore and understand the codebase before making changes
-- Prefer rg for repository text searches when available; fall back to grep only when rg is unavailable
-- Always read a file before editing it
-- Run tests or checks after making changes when appropriate
-- Follow the instructions of the user without jumping ahead.
-- Do not print or publish secrets, credentials, tokens, private keys, environment values, or other sensitive data
-- Explain what you are doing briefly`;
+- Use tools to explore and understand the codebase before making changes.
+- Prefer rg for repository text searches when available; fall back to grep only when rg is unavailable.
+- Always read a file before editing it.
+- Run tests or checks after making changes when appropriate.
+- Do not print or publish secrets, credentials, tokens, private keys, environment values, or other sensitive data.
+- Explain what you are doing briefly.
+- Sometimes the most simple solution is the correct one. Try it first and ask the user before jumping ahead or going deeper. Don't spiral into rabbit holes.
+- Always verify, don't guess.`;
 export class ContextBuilder {
     workingDirectory;
     runtimeContext;
@@ -33,11 +34,30 @@ export class ContextBuilder {
             repositoryRoot: this.runtimeContext.agentsRepositoryRoot,
         }));
         return (STATIC_SYSTEM_PROMPT +
+            skillsSection +
             agentInstructionsSection +
             this.buildUserSystemPromptSection() +
-            skillsSection +
             this.buildEnvironmentFooter());
     }
+    /*
+     * Appends the dynamic runtime context to an already-built base system prompt.
+     *
+     * Runtime context (environment, policy, git state) belongs in the system
+     * prompt rather than as a separate user turn. Injecting it as a user message
+     * placed it adjacent to the real request, and weaker models conflated the two
+     * and treated the actual request as context.
+     *
+     * The caller passes the base prompt so it can be built once per run: rebuilding
+     * it each turn would reload AGENTS.md from disk and let a tool that writes
+     * AGENTS.md inject generated text as system instructions mid-run. Only the
+     * runtime context is refreshed here so git state stays current.
+     */
+    async appendRuntimeContext(baseSystemPrompt) {
+        const dynamicContext = await this.buildDynamicContext();
+        if (!dynamicContext)
+            return baseSystemPrompt;
+        return `${baseSystemPrompt}\n\n${dynamicContext}`;
+    }
     buildUserSystemPromptSection() {
         const systemPrompt = this.runtimeContext.systemPrompt?.trim();
         if (!systemPrompt)
@@ -63,7 +83,7 @@ export class ContextBuilder {
         const environmentContext = this.buildEnvironmentContext();
         const policyContext = this.buildPolicyContext();
         return [
-            "Runtime context for the assistant. This is not a user request:",
+            "Runtime context (current environment state, refreshed each turn; not a user request):",
             environmentContext,
             policyContext,
             gitContext,
@@ -71,31 +91,6 @@ export class ContextBuilder {
             .filter(Boolean)
             .join("\n\n");
     }
-    async buildMessagesWithDynamicContext(messages) {
-        const dynamicContext = await this.buildDynamicContext();
-        if (!dynamicContext)
-            return messages;
-        return [
-            {
-                role: "user",
-                content: [{ type: "text", text: dynamicContext }],
-            },
-            ...messages,
-        ];
-    }
-    async buildItemsWithDynamicContext(items) {
-        const dynamicContext = await this.buildDynamicContext();
-        if (!dynamicContext)
-            return items;
-        return [
-            {
-                type: "message",
-                role: "user",
-                content: dynamicContext,
-            },
-            ...items,
-        ];
-    }
     buildEnvironmentContext() {
         const shell = this.runtimeContext.shell ?? process.env.SHELL ?? "unknown";
         const approvalMode = this.runtimeContext.approvalMode ?? "prompt";

package/dist/agent/executor.d.ts

@@ -2,12 +2,31 @@ import type { ToolCall, ToolExecuteOptions, ToolResult } from "../types/tools.js
 import type { ToolRegistry } from "../tools/registry.js";
 import type { EventStore } from "../storage/event-store.js";
 import type { PolicyEngine } from "./policies.js";
-export type ApprovalCallback = (toolName: string, input: Record<string, unknown>) => Promise<boolean>;
+import type { ApprovalAnswer, ApprovalCallback, ApprovalNotifier, ApprovalRequest } from "../types/approval.js";
+export type { ApprovalAnswer, ApprovalCallback, ApprovalNotifier, ApprovalRequest, };
 export declare class Executor {
     private registry;
     private policyEngine;
     private eventStore;
     private approvalCallback;
-    constructor(registry: ToolRegistry, policyEngine: PolicyEngine, eventStore: EventStore, approvalCallback: ApprovalCallback);
+    /**
+     * Optional notifier used to emit structured `approval.request` /
+     * `approval.resolved` stream events. Kept as an injected seam so the
+     * Executor does not depend on AgentLoop or stream-json mode.
+     */
+    private approvalNotifier?;
+    constructor(registry: ToolRegistry, policyEngine: PolicyEngine, eventStore: EventStore, approvalCallback: ApprovalCallback, 
+    /**
+     * Optional notifier used to emit structured `approval.request` /
+     * `approval.resolved` stream events. Kept as an injected seam so the
+     * Executor does not depend on AgentLoop or stream-json mode.
+     */
+    approvalNotifier?: ApprovalNotifier | undefined);
+    /**
+     * Install (or replace) the approval notifier after construction. Used by
+     * `AgentLoop` to wire the executor into its own stream-json emitter without
+     * changing the public constructor order.
+     */
+    setApprovalNotifier(notifier: ApprovalNotifier | undefined): void;
     executeTool(sessionId: string, toolCall: ToolCall, options?: ToolExecuteOptions): Promise<ToolResult>;
 }

package/dist/agent/executor.js

@@ -3,11 +3,27 @@ export class Executor {
     policyEngine;
     eventStore;
     approvalCallback;
-    constructor(registry, policyEngine, eventStore, approvalCallback) {
+    approvalNotifier;
+    constructor(registry, policyEngine, eventStore, approvalCallback, 
+    /**
+     * Optional notifier used to emit structured `approval.request` /
+     * `approval.resolved` stream events. Kept as an injected seam so the
+     * Executor does not depend on AgentLoop or stream-json mode.
+     */
+    approvalNotifier) {
         this.registry = registry;
         this.policyEngine = policyEngine;
         this.eventStore = eventStore;
         this.approvalCallback = approvalCallback;
+        this.approvalNotifier = approvalNotifier;
+    }
+    /**
+     * Install (or replace) the approval notifier after construction. Used by
+     * `AgentLoop` to wire the executor into its own stream-json emitter without
+     * changing the public constructor order.
+     */
+    setApprovalNotifier(notifier) {
+        this.approvalNotifier = notifier;
     }
     async executeTool(sessionId, toolCall, options) {
         const validationError = this.registry.validateInput(toolCall.name, toolCall.input);
@@ -39,7 +55,41 @@ export class Executor {
             };
         }
         if (decision === "ask") {
-            const approved = await this.approvalCallback(toolCall.name, toolCall.input);
+            const request = {
+                toolCallId: toolCall.id,
+                toolName: toolCall.name,
+                input: toolCall.input,
+            };
+            // Emit the request before awaiting the responder so consumers see
+            // approval.request ahead of any tool.call/tool.result events for the
+            // same toolCallId.
+            this.approvalNotifier?.notifyApprovalRequest(request);
+            let answer;
+            try {
+                answer = await this.approvalCallback(request, options?.signal);
+            }
+            catch (err) {
+                this.approvalNotifier?.notifyApprovalResolved({
+                    ...request,
+                    approved: false,
+                    reason: "error",
+                    error: err instanceof Error ? err.message : String(err),
+                });
+                throw err;
+            }
+            const approved = typeof answer === "boolean" ? answer : answer.approved;
+            // Resolver may supply a reason (e.g. stdin EOF). Otherwise fall back
+            // to "aborted" when the surrounding signal is already aborted, else
+            // "user".
+            const responderReason = typeof answer === "boolean" ? undefined : answer.reason;
+            const reason = options?.signal?.aborted
+                ? "aborted"
+                : (responderReason ?? "user");
+            this.approvalNotifier?.notifyApprovalResolved({
+                ...request,
+                approved,
+                reason,
+            });
             if (!approved) {
                 return {
                     content: `Tool "${toolCall.name}" was denied by user.`,

package/dist/agent/loop.d.ts

@@ -6,6 +6,7 @@ import type { SessionState } from "../types/agent.js";
 import type { AttachmentContentBlock } from "../types/messages.js";
 import { ContextBuilder } from "./context-builder.js";
 import { Executor } from "./executor.js";
+import type { ApprovalRequest, ApprovalResolvedEvent } from "../types/approval.js";
 export declare const DEFAULT_CONTEXT_BUDGET: ContextBudgetOptions;
 export interface ContextBudgetOptions {
     compactAtRatio: number;
@@ -25,6 +26,13 @@ export declare class AgentLoop {
     private contextBudget;
     private pendingTerminalDelta;
     constructor(provider: ModelProvider, executor: Executor, contextBuilder: ContextBuilder, registry: ToolRegistry, eventStore: EventStore, sessionStore: SessionStore, streamJson?: boolean, contextBudget?: ContextBudgetOptions);
+    /**
+     * ApprovalNotifier implementation: emits structured stream events around
+     * every approval gate so consumers can correlate the request with the
+     * matching tool.call / tool.result lifecycle.
+     */
+    notifyApprovalRequest(request: ApprovalRequest): void;
+    notifyApprovalResolved(event: ApprovalResolvedEvent): void;
     run(session: SessionState, userMessage: string, attachments?: AttachmentContentBlock[], signal?: AbortSignal): Promise<void>;
     /**
      * Record a coherent cancellation: persist the session at its last consistent

package/dist/agent/loop.js

@@ -34,6 +34,36 @@ export class AgentLoop {
         this.sessionStore = sessionStore;
         this.streamJson = streamJson;
         this.contextBudget = contextBudget;
+        // Route executor approval events through this loop's stream emitter.
+        // Executor stays unaware of AgentLoop or stream-json mode via the small
+        // ApprovalNotifier seam. Tests that stub the executor may omit the
+        // setter; skip silently in that case.
+        if (typeof this.executor.setApprovalNotifier === "function") {
+            this.executor.setApprovalNotifier(this);
+        }
+    }
+    /**
+     * ApprovalNotifier implementation: emits structured stream events around
+     * every approval gate so consumers can correlate the request with the
+     * matching tool.call / tool.result lifecycle.
+     */
+    notifyApprovalRequest(request) {
+        this.emit({
+            type: "approval.request",
+            id: request.toolCallId,
+            tool: request.toolName,
+            input: request.input,
+            timestamp: new Date().toISOString(),
+        });
+    }
+    notifyApprovalResolved(event) {
+        this.emit({
+            type: "approval.resolved",
+            id: event.toolCallId,
+            approved: event.approved,
+            reason: event.reason,
+            timestamp: new Date().toISOString(),
+        });
     }
     async run(session, userMessage, attachments = [], signal) {
         try {
@@ -66,10 +96,17 @@ export class AgentLoop {
                 })),
             });
             await this.saveSession(session);
-            const systemPrompt = this.contextBuilder.buildSystemPrompt();
             const tools = this.registry.toSchemas();
+            // Build the base system prompt once per run. It loads AGENTS.md from disk,
+            // so rebuilding it each turn would let a tool that writes AGENTS.md inject
+            // freshly generated text as system instructions mid-run. Only the runtime
+            // context is refreshed per turn.
+            const baseSystemPrompt = this.contextBuilder.buildSystemPrompt();
             let finalStopReason = "max_iterations";
             let status = "max_iterations";
+            // Track the last logged system prompt so the model_request event is only
+            // written when the assembled prompt (including runtime context) changes.
+            let lastLoggedSystemPrompt;
             this.emit({
                 type: "run.started",
                 sessionId: session.id,
@@ -83,12 +120,19 @@ export class AgentLoop {
                     return;
                 }
                 const modelContextItems = await this.buildModelContextItems(session);
-                const conversationItems = await this.contextBuilder.buildItemsWithDynamicContext(modelContextItems);
+                const systemPrompt = await this.contextBuilder.appendRuntimeContext(baseSystemPrompt);
+                if (systemPrompt !== lastLoggedSystemPrompt) {
+                    await this.eventStore.append(session.id, "model_request", {
+                        systemPrompt,
+                        messageCount: modelContextItems.length,
+                    });
+                    lastLoggedSystemPrompt = systemPrompt;
+                }
                 const response = await this.getModelResponse({
                     systemPrompt,
                     sessionId: session.id,
-                    conversationItems,
-                    messages: conversationItemsToMessages(conversationItems),
+                    conversationItems: modelContextItems,
+                    messages: conversationItemsToMessages(modelContextItems),
                     tools,
                     signal,
                 });
@@ -526,6 +570,24 @@ export class AgentLoop {
                 console.log(event.isError ? chalk.red(`  ✗ ${preview}`) : chalk.gray(`  ${preview}`));
                 return;
             }
+            case "approval.request": {
+                // The readline responder in `askApprovalOn` prints the actual prompt;
+                // emitting one here would show it twice in human mode. The structured
+                // `approval.resolved` event still prints the audit decision below so
+                // the user sees the outcome of every gate.
+                this.finishPendingTerminalDelta();
+                return;
+            }
+            case "approval.resolved": {
+                this.finishPendingTerminalDelta();
+                if (event.approved) {
+                    console.log(chalk.gray("  approved"));
+                }
+                else {
+                    console.log(chalk.red(`  denied (${event.reason})`));
+                }
+                return;
+            }
         }
     }
     finishPendingTerminalDelta() {

package/dist/cli/index.d.ts

@@ -1,5 +1,53 @@
+import readline from "node:readline";
 import { Command } from "commander";
+import type { ApprovalAnswer, ApprovalRequest } from "../types/approval.js";
 import { type ModelOption, type ModelOptionsResult } from "../models/resolve.js";
 export declare function formatModelOptions(options?: readonly ModelOption[]): string;
 export declare function formatModelOptionsJson(result: ModelOptionsResult): string;
+/**
+ * Builds an approval responder suited to the current CLI mode.
+ *
+ * Selection rules (matches the issue #75 spec):
+ * - `--auto-approve` (with or without `--stream-json`): never prompts the
+ *   user. Always resolves true so the Executor emits the audit events but
+ *   the user is never interrupted.
+ * - `--stream-json` with a piped stdin (no TTY): the stdin line protocol
+ *   responder. It reads JSON lines like
+ *   `{"type":"approval.response","id":"<toolCallId>","approved":<bool>}`
+ *   from stdin and never writes a prompt to stdout/stderr.
+ * - Otherwise (no flags or `--stream-json` with a TTY stdin): the readline
+ *   prompt, identical to today's behavior.
+ */
+export declare function createApprovalResponder(options?: {
+    autoApprove?: boolean;
+    streamJson?: boolean;
+}): (request: ApprovalRequest, signal?: AbortSignal) => Promise<ApprovalAnswer>;
+export declare function askApprovalOn(streams: {
+    input: NodeJS.ReadableStream;
+    output: NodeJS.WritableStream;
+}, request: ApprovalRequest, signal?: AbortSignal, hooks?: {
+    onReadline?: (rl: readline.Interface) => void;
+}): Promise<boolean>;
+/**
+ * Stdin line protocol responder used when `--stream-json` is active and
+ * stdin is not a TTY. Reads JSON lines from stdin and resolves the pending
+ * approval when a matching response arrives. See issue #75 §4 for the
+ * protocol and the mismatch / malformed / EOF / abort cases.
+ *
+ * Invariant: at most one approval is pending at a time (Executor runs tool
+ * calls sequentially). The responder therefore buffers exactly one pending
+ * request and discards responses received while no request is in flight.
+ */
+export declare function createStdinApprovalResponder(streams: {
+    input: NodeJS.ReadableStream;
+    stderr?: NodeJS.WritableStream;
+}): ((request: ApprovalRequest, signal?: AbortSignal) => Promise<ApprovalAnswer>) & {
+    /**
+     * Detach the readline interface from stdin. The CLI calls this in a
+     * `finally` after the run completes so a long-lived orchestrator piping
+     * JSON events on stdout and approval responses on stdin does not hang.
+     * Idempotent and safe to call multiple times.
+     */
+    close(): void;
+};
 export declare function createCLI(): Command;

package/dist/cli/index.js

@@ -90,17 +90,170 @@ async function createAgentsFile(filePath, force) {
 function isAlreadyExistsError(err) {
     return err instanceof Error && "code" in err && err.code === "EEXIST";
 }
-async function askApproval(toolName, input) {
+function askApproval(request, signal) {
+    return askApprovalOn({ input: process.stdin, output: process.stdout }, request, signal);
+}
+/**
+ * Builds an approval responder suited to the current CLI mode.
+ *
+ * Selection rules (matches the issue #75 spec):
+ * - `--auto-approve` (with or without `--stream-json`): never prompts the
+ *   user. Always resolves true so the Executor emits the audit events but
+ *   the user is never interrupted.
+ * - `--stream-json` with a piped stdin (no TTY): the stdin line protocol
+ *   responder. It reads JSON lines like
+ *   `{"type":"approval.response","id":"<toolCallId>","approved":<bool>}`
+ *   from stdin and never writes a prompt to stdout/stderr.
+ * - Otherwise (no flags or `--stream-json` with a TTY stdin): the readline
+ *   prompt, identical to today's behavior.
+ */
+export function createApprovalResponder(options = {}) {
+    if (options.autoApprove) {
+        return async () => true;
+    }
+    if (options.streamJson && !process.stdin.isTTY) {
+        return createStdinApprovalResponder({
+            input: process.stdin,
+            stderr: process.stderr,
+        });
+    }
+    return askApproval;
+}
+export async function askApprovalOn(streams, request, signal, hooks) {
     const rl = readline.createInterface({
-        input: process.stdin,
-        output: process.stdout,
+        input: streams.input,
+        output: streams.output,
     });
-    const summary = toolName === "run_command" ? input.command : JSON.stringify(input);
-    const answer = await new Promise((resolve) => {
-        rl.question(chalk.yellow(`Allow ${toolName}: ${summary}? [y/n] `), resolve);
+    hooks?.onReadline?.(rl);
+    const summary = request.toolName === "run_command"
+        ? request.input.command ?? JSON.stringify(request.input)
+        : JSON.stringify(request.input);
+    return new Promise((resolve) => {
+        let settled = false;
+        const settle = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            signal?.removeEventListener("abort", onAbort);
+            rl.removeListener("SIGINT", onRlSigint);
+            rl.removeListener("close", onRlClose);
+            rl.close();
+            resolve(value);
+        };
+        const onAbort = () => settle(false);
+        // Readline captures Ctrl-C on a TTY and pauses stdin instead of letting
+        // the process-level SIGINT handler fire. Listen for the interface's own
+        // SIGINT event so a first Ctrl-C still cancels the prompt.
+        const onRlSigint = () => settle(false);
+        const onRlClose = () => settle(false);
+        if (signal?.aborted) {
+            settle(false);
+            return;
+        }
+        signal?.addEventListener("abort", onAbort, { once: true });
+        rl.on("SIGINT", onRlSigint);
+        rl.on("close", onRlClose);
+        rl.question(chalk.yellow(`Allow ${request.toolName}: ${summary}? [y/n] `), (answer) => settle(answer.toLowerCase().startsWith("y")));
     });
-    rl.close();
-    return answer.toLowerCase().startsWith("y");
+}
+/**
+ * Stdin line protocol responder used when `--stream-json` is active and
+ * stdin is not a TTY. Reads JSON lines from stdin and resolves the pending
+ * approval when a matching response arrives. See issue #75 §4 for the
+ * protocol and the mismatch / malformed / EOF / abort cases.
+ *
+ * Invariant: at most one approval is pending at a time (Executor runs tool
+ * calls sequentially). The responder therefore buffers exactly one pending
+ * request and discards responses received while no request is in flight.
+ */
+export function createStdinApprovalResponder(streams) {
+    let pending;
+    let closed = false;
+    const onLine = (line) => {
+        const trimmed = line.trim();
+        if (!trimmed)
+            return;
+        let parsed;
+        try {
+            parsed = JSON.parse(trimmed);
+        }
+        catch (err) {
+            // Malformed JSON: log to stderr, discard, do not resolve.
+            streams.stderr?.write(`anita: discarded malformed approval.response line (${err.message})\n`);
+            return;
+        }
+        if (!parsed ||
+            typeof parsed !== "object" ||
+            parsed.type !== "approval.response") {
+            return;
+        }
+        const { id, approved } = parsed;
+        if (typeof id !== "string" || typeof approved !== "boolean") {
+            streams.stderr?.write("anita: discarded approval.response with invalid id/approved\n");
+            return;
+        }
+        if (!pending) {
+            streams.stderr?.write("anita: discarded approval.response with no pending request\n");
+            return;
+        }
+        if (pending.request.toolCallId !== id) {
+            // Desync recovery: don't poison the run with a stale response.
+            streams.stderr?.write(`anita: discarded approval.response for unknown id ${id} (waiting on ${pending.request.toolCallId})\n`);
+            return;
+        }
+        const current = pending;
+        pending = undefined;
+        current.resolve(approved);
+    };
+    const onEnd = () => {
+        closed = true;
+        if (pending) {
+            const current = pending;
+            pending = undefined;
+            // EOF while a request is in flight must surface as `reason: "eof"` so
+            // consumers can distinguish "user said no" from "consumer closed the
+            // pipe mid-run" (issue #75 §4).
+            current.resolve({ approved: false, reason: "eof" });
+        }
+    };
+    const rl = readline.createInterface({ input: streams.input, crlfDelay: Infinity });
+    rl.on("line", onLine);
+    rl.on("close", onEnd);
+    // Returns a function that disposes the stdin reader. The chat command calls
+    // this from a `finally` block so a long-lived orchestrator piping JSON
+    // events on stdout and approval responses on stdin does not hang after
+    // `loop.run` returns. The responder is single-use: after close, further
+    // calls short-circuit to a structured EOF answer.
+    function close() {
+        if (closed)
+            return;
+        closed = true;
+        rl.close();
+        if (pending) {
+            const current = pending;
+            pending = undefined;
+            current.resolve({ approved: false, reason: "eof" });
+        }
+    }
+    const answer = async (request, signal) => {
+        if (closed)
+            return { approved: false, reason: "eof" };
+        return new Promise((resolve) => {
+            pending = { request, resolve };
+            const settle = (value) => {
+                if (pending && pending.request.toolCallId === request.toolCallId) {
+                    pending = undefined;
+                    resolve(value);
+                }
+            };
+            if (signal?.aborted) {
+                settle({ approved: false, reason: "eof" });
+                return;
+            }
+            signal?.addEventListener("abort", () => settle(false), { once: true });
+        });
+    };
+    return Object.assign(answer, { close });
 }
 export function createCLI() {
     const program = new Command();
@@ -217,7 +370,10 @@ export function createCLI() {
             skills,
             systemPrompt,
         });
-        const approvalFn = autoApprove ? async () => true : askApproval;
+        const approvalFn = createApprovalResponder({
+            autoApprove,
+            streamJson,
+        });
         const executor = new Executor(registry, policyEngine, eventStore, approvalFn);
         const loop = new AgentLoop(provider, executor, contextBuilder, registry, eventStore, sessionStore, streamJson);
         if (!streamJson) {
@@ -262,6 +418,14 @@ export function createCLI() {
         }
         finally {
             process.off("SIGINT", onSigint);
+            // Detach any stdin readline the responder opened so the process can
+            // exit naturally instead of waiting for stdin to close. The
+            // auto-approve and readline responders return plain async functions
+            // without a `close` method; only the stdin line-protocol responder
+            // exposes one.
+            const close = approvalFn.close;
+            if (typeof close === "function")
+                close();
         }
         if (interrupted) {
             process.exit(130);

package/dist/models/resolve.d.ts

@@ -1,5 +1,5 @@
 import type { ModelProvider } from "./provider.js";
-export declare const OLLAMA_CLOUD_MODELS: readonly ["glm-5.2", "minimax-m3", "deepseek-v4-pro", "kimi-k2.7-code"];
+export declare const OLLAMA_CLOUD_MODELS: string[];
 export type ModelOptionGroupName = "Ollama Local" | "Ollama Cloud" | "OpenRouter";
 export interface ModelOption {
     label: string;

package/dist/models/resolve.js

@@ -12,64 +12,72 @@ const DEEPSEEK_V4_PRO_CONTEXT_WINDOW_TOKENS = 1_000_000;
 const KIMI_K2_CONTEXT_WINDOW_TOKENS = 256_000;
 const MINIMAX_M3_OLLAMA_CONTEXT_WINDOW_TOKENS = 512_000;
 const MINIMAX_M3_OPENROUTER_CONTEXT_WINDOW_TOKENS = 1_000_000;
-export const OLLAMA_CLOUD_MODELS = [
-    "glm-5.2",
-    "minimax-m3",
-    "deepseek-v4-pro",
-    "kimi-k2.7-code",
+const OLLAMA_CLOUD_MODEL_SPECS = [
+    {
+        slug: "glm-5.2",
+        label: "GLM 5.2",
+        contextWindowTokens: GLM_5_2_CONTEXT_WINDOW_TOKENS,
+    },
+    {
+        slug: "minimax-m3",
+        label: "MiniMax M3",
+        contextWindowTokens: MINIMAX_M3_OLLAMA_CONTEXT_WINDOW_TOKENS,
+        capabilities: { attachments: { images: true, files: true } },
+    },
+    {
+        slug: "deepseek-v4-pro",
+        label: "DeepSeek V4 Pro",
+        contextWindowTokens: DEEPSEEK_V4_PRO_CONTEXT_WINDOW_TOKENS,
+    },
+    {
+        slug: "kimi-k2.7-code",
+        label: "Kimi K2.7 Code",
+        contextWindowTokens: KIMI_K2_CONTEXT_WINDOW_TOKENS,
+        capabilities: { attachments: { images: true, files: false } },
+    },
 ];
-const OLLAMA_CLOUD_CONTEXT_WINDOWS = {
-    "glm-5.2": GLM_5_2_CONTEXT_WINDOW_TOKENS,
-    "minimax-m3": MINIMAX_M3_OLLAMA_CONTEXT_WINDOW_TOKENS,
-    "deepseek-v4-pro": DEEPSEEK_V4_PRO_CONTEXT_WINDOW_TOKENS,
-    "kimi-k2.7-code": KIMI_K2_CONTEXT_WINDOW_TOKENS,
-};
+export const OLLAMA_CLOUD_MODELS = OLLAMA_CLOUD_MODEL_SPECS.map((spec) => spec.slug);
 export const MODEL_OPTIONS = [
     {
-        label: "GLM 4.7 Flash (local)",
+        label: "GLM 4.7 Flash",
         value: "ollama/glm-4.7-flash:latest",
         group: "Ollama Local",
         contextWindowTokens: GLM_CONTEXT_WINDOW_TOKENS,
     },
     {
-        label: "GLM 5.1 (OpenRouter)",
+        label: "GLM 5.1",
         value: "openrouter/z-ai/glm-5.1",
         group: "OpenRouter",
         contextWindowTokens: GLM_CONTEXT_WINDOW_TOKENS,
         capabilities: { attachments: { images: false, files: true } },
     },
     {
-        label: "MiniMax M3 (OpenRouter)",
+        label: "MiniMax M3",
         value: "openrouter/minimax/minimax-m3",
         group: "OpenRouter",
         contextWindowTokens: MINIMAX_M3_OPENROUTER_CONTEXT_WINDOW_TOKENS,
         capabilities: { attachments: { images: true, files: true } },
     },
     {
-        label: "DeepSeek V4 Pro (OpenRouter)",
+        label: "DeepSeek V4 Pro",
         value: "openrouter/deepseek/deepseek-v4-pro",
         group: "OpenRouter",
         contextWindowTokens: DEEPSEEK_V4_PRO_CONTEXT_WINDOW_TOKENS,
         capabilities: { attachments: { images: false, files: true } },
     },
     {
-        label: "Kimi K2.6 (OpenRouter)",
+        label: "Kimi K2.6",
         value: "openrouter/moonshotai/kimi-k2.6",
         group: "OpenRouter",
         contextWindowTokens: KIMI_K2_CONTEXT_WINDOW_TOKENS,
         capabilities: { attachments: { images: true, files: true } },
     },
-    ...OLLAMA_CLOUD_MODELS.map((model) => ({
-        label: `${model} (cloud)`,
-        value: `ollama-cloud/${model}`,
+    ...OLLAMA_CLOUD_MODEL_SPECS.map((spec) => ({
+        label: spec.label,
+        value: `ollama-cloud/${spec.slug}`,
         group: "Ollama Cloud",
-        contextWindowTokens: OLLAMA_CLOUD_CONTEXT_WINDOWS[model],
-        ...(model === "minimax-m3"
-            ? { capabilities: { attachments: { images: true, files: true } } }
-            : {}),
-        ...(model === "kimi-k2.7-code"
-            ? { capabilities: { attachments: { images: true, files: false } } }
-            : {}),
+        contextWindowTokens: spec.contextWindowTokens,
+        ...(spec.capabilities ? { capabilities: spec.capabilities } : {}),
     })),
 ];
 export function parseModelString(modelString) {
@@ -112,7 +120,7 @@ export async function discoverLocalOllamaModelOptions(fetchImpl = fetch) {
             return undefined;
         const payload = await response.json();
         return parseOllamaModelNames(payload).map((name) => ({
-            label: `${name} (local)`,
+            label: name,
             value: `ollama/${name}`,
             group: "Ollama Local",
             contextWindowTokens: UNKNOWN_MODEL_CONTEXT_WINDOW_TOKENS,

package/dist/types/approval.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Shared types for the approval seam between Executor and consumers.
+ *
+ * The `Executor` exposes a single approval callback. To make stream-json +
+ * approvals work, the callback now receives a structured request (with the
+ * model's tool call id) and a small notifier seam emits structured events
+ * around every approval gate so consumers can audit decisions.
+ */
+export interface ApprovalRequest {
+    /** The model's tool call id; matches `tool.call.id` / `tool.result.id`. */
+    toolCallId: string;
+    toolName: string;
+    input: Record<string, unknown>;
+}
+/**
+ * Reason a pending approval was settled. Echoed in `approval.resolved`.
+ *
+ * - `user`: the user/consumer answered the prompt.
+ * - `aborted`: the run's AbortSignal fired while waiting for the answer.
+ * - `eof`: the consumer closed stdin before responding (stdin line protocol).
+ * - `error`: the approval callback itself threw.
+ */
+export type ApprovalResolvedReason = "user" | "aborted" | "eof" | "error";
+/**
+ * What a resolver hands back to the executor. A plain boolean still works
+ * (treated as `{ approved: <value>, reason: "user" }`) for callers that
+ * don't care about distinguishing EOF/aborted; responders that need to
+ * signal "stdin closed mid-run" return `{ approved: false, reason: "eof" }`.
+ */
+export type ApprovalAnswer = boolean | {
+    approved: boolean;
+    reason?: "user" | "eof";
+};
+export interface ApprovalResolvedEvent {
+    toolCallId: string;
+    toolName: string;
+    approved: boolean;
+    reason: ApprovalResolvedReason;
+    /** Optional human-readable detail for the `error` reason. */
+    error?: string;
+}
+/**
+ * Resolves the pending approval request. Implementations live in the CLI
+ * (readline, stdin line protocol, or always-true under --auto-approve).
+ */
+export type ApprovalCallback = (request: ApprovalRequest, signal?: AbortSignal) => Promise<ApprovalAnswer>;
+/**
+ * Small injected seam so `Executor` can emit stream-json approval events
+ * without depending on `AgentLoop`. The CLI's `AgentLoop` implements this by
+ * calling its own `emit(...)` with `approval.request` / `approval.resolved`.
+ */
+export interface ApprovalNotifier {
+    notifyApprovalRequest(request: ApprovalRequest): void;
+    notifyApprovalResolved(event: ApprovalResolvedEvent): void;
+}

package/dist/types/approval.js

@@ -0,0 +1,9 @@
+/**
+ * Shared types for the approval seam between Executor and consumers.
+ *
+ * The `Executor` exposes a single approval callback. To make stream-json +
+ * approvals work, the callback now receives a structured request (with the
+ * model's tool call id) and a small notifier seam emits structured events
+ * around every approval gate so consumers can audit decisions.
+ */
+export {};

package/dist/types/events.d.ts

@@ -1,4 +1,4 @@
-export type EventType = "session_start" | "user_message" | "assistant_reasoning" | "assistant_response" | "conversation_compaction" | "tool_call" | "tool_result" | "policy_decision" | "error" | "run_cancelled" | "session_end" | "session_archived" | "skills_loaded";
+export type EventType = "session_start" | "user_message" | "model_request" | "assistant_reasoning" | "assistant_response" | "conversation_compaction" | "tool_call" | "tool_result" | "policy_decision" | "error" | "run_cancelled" | "session_end" | "session_archived" | "skills_loaded";
 export interface AgentEvent {
     id: string;
     sessionId: string;

package/dist/types/stream.d.ts

@@ -36,6 +36,18 @@ export type StreamEvent = {
     content: string;
     isError: boolean;
     metadata?: Record<string, ToolResultMetadata>;
+} | {
+    type: "approval.request";
+    id: string;
+    tool: string;
+    input: Record<string, unknown>;
+    timestamp: string;
+} | {
+    type: "approval.resolved";
+    id: string;
+    approved: boolean;
+    reason: "user" | "aborted" | "eof" | "error";
+    timestamp: string;
 } | {
     type: "run.completed";
     sessionId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@germanescobar/anita",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "An intelligent AI-powered coding agent that helps you write, edit, and run code with conversational access to AI models and your file system.",
   "type": "module",
   "files": [