@leviyuan/lodestar 0.2.7 → 0.2.9

package/src/claude-process.ts

@@ -59,6 +59,15 @@ export interface ClaudeResultMeta {
   duration_ms: number | null
   num_turns: number | null
   usage: ClaudeUsage | null
+  /** SDK `result.subtype` — `success` on natural end_turn,
+   * `error_max_turns` if --max-turns was reached, `error_during_execution`
+   * for API-side failures (rate limit / 5xx / context overflow / refusal).
+   * Session.wireProc uses this to drive auto-retry + suppress phone push
+   * on aborted turns. */
+  subtype: string | null
+  /** Mirror of `subtype !== 'success'`; cached so callers don't have to
+   * re-derive it from the (open-ended) subtype string. */
+  is_error: boolean
 }
 
 export interface HookCallbackRequest {
@@ -92,13 +101,18 @@ export class ClaudeProcess extends EventEmitter {
    * turn" stats even while idle. */
   lastResult: ClaudeResultMeta = {
     cost_usd: null, duration_ms: null, num_turns: null, usage: null,
+    subtype: null, is_error: false,
   }
   /** Context-window capacity of the model that ran the latest turn —
    * lifted from `result.modelUsage[model].contextWindow` so we don't
-   * have to hardcode `[1m]` vs stock variants. 200K is the safe
-   * default if no result has landed yet (e.g. between spawn and the
-   * first turn close). */
-  lastContextWindow: number = 200_000
+   * have to hardcode `[1m]` vs stock variants. `null` until the first
+   * `result` event lands (spawn → first turn close gap). Callers that
+   * render a percentage MUST treat null as "unknown" and drop the %
+   * rather than substituting a default — past life of this field was a
+   * 200K constant default which made fresh-spawn `hi` panels lie about
+   * the limit on this project's opus-4-7[1m] (1M) pin. (no_fallbacks
+   * rule applies: surface absence, don't fabricate.) */
+  lastContextWindow: number | null = null
 
   constructor(opts: SpawnOpts) {
     super()
@@ -242,11 +256,19 @@ export class ClaudeProcess extends EventEmitter {
       return
     }
     if (type === 'result') {
+      const subtype = typeof msg.subtype === 'string' ? msg.subtype : null
       this.lastResult = {
         cost_usd: typeof msg.total_cost_usd === 'number' ? msg.total_cost_usd : null,
         duration_ms: typeof msg.duration_ms === 'number' ? msg.duration_ms : null,
         num_turns: typeof msg.num_turns === 'number' ? msg.num_turns : null,
         usage: msg.usage ?? null,
+        subtype,
+        // Trust the SDK's own bool when present; otherwise derive from
+        // subtype so a future error_* variant we haven't seen still flags
+        // as error.
+        is_error: typeof msg.is_error === 'boolean'
+          ? msg.is_error
+          : (subtype !== null && subtype !== 'success'),
       }
       // modelUsage maps "<model id>" → { contextWindow, maxOutputTokens, … }.
       // For mixed-model runs the SDK reports one entry per model used in

package/src/config.ts

@@ -1,6 +1,6 @@
 /**
  * Read config.toml — minimal hand-rolled parser sufficient for the
- * two-section, scalar-value-only schema we expect:
+ * three-section, scalar-value-only schema we expect:
  *
  *   [feishu]
  *   app_id = "cli_..."
@@ -9,6 +9,10 @@
  *   [runtime]
  *   projects_root = "~/"      # optional, defaults to $HOME
  *
+ *   [notify]                  # all optional
+ *   bind = "127.0.0.1"        # default 127.0.0.1 (loopback only)
+ *   port = 9876               # default 9876
+ *
  * Loaded synchronously at import time; downstream modules read the
  * exported `config` object directly.
  */
@@ -25,6 +29,10 @@ export interface LodestarConfig {
   runtime: {
     projects_root: string
   }
+  notify: {
+    bind: string
+    port: number
+  }
 }
 
 function expandTilde(v: string): string {
@@ -74,9 +82,16 @@ function loadConfig(): LodestarConfig {
     throw new Error(`lodestar: ${CONFIG_FILE} is missing [feishu].app_id / [feishu].app_secret`)
   }
   const projectsRoot = expandTilde(t.runtime?.projects_root ?? homedir())
+  const notifyBind = t.notify?.bind ?? '127.0.0.1'
+  const notifyPortRaw = t.notify?.port ?? '9876'
+  const notifyPort = Number.parseInt(notifyPortRaw, 10)
+  if (!Number.isFinite(notifyPort) || notifyPort <= 0 || notifyPort > 65535) {
+    throw new Error(`lodestar: [notify].port must be 1..65535, got "${notifyPortRaw}"`)
+  }
   return {
     feishu: { app_id: appId, app_secret: appSecret },
     runtime: { projects_root: projectsRoot },
+    notify: { bind: notifyBind, port: notifyPort },
   }
 }
 

package/src/feishu.ts

@@ -9,7 +9,7 @@
 import * as lark from '@larksuiteoapi/node-sdk'
 import { execSync } from 'node:child_process'
 import { randomUUID } from 'node:crypto'
-import { existsSync, mkdirSync, readFileSync, realpathSync, statSync, unlinkSync, writeFileSync } from 'node:fs'
+import { existsSync, mkdirSync, readFileSync, statSync, unlinkSync, writeFileSync } from 'node:fs'
 import { homedir } from 'node:os'
 import { basename, extname, join } from 'node:path'
 import { config } from './config'
@@ -359,31 +359,6 @@ function looksLikeImage(filePath: string): boolean {
   return IMAGE_EXTS.has(extname(filePath).toLowerCase())
 }
 
-/** Defense against prompt-injection-driven exfiltration via the
- * [[send: /path]] marker.  The resolved (symlink-followed) real path
- * must sit inside one of the explicitly-trusted roots.  Anything
- * outside — `/etc/*`, `~/.ssh`, `~/.config/lodestar/config.toml`,
- * `~/.claude.json`, the user's home dotfiles — is rejected, even if a
- * symlink in an allowed root points to it.
- *
- * Returns [realPath, ''] on accept, [null, reason] on reject. */
-function gateOutboundPath(rawPath: string, allowedRoots: string[]): [string | null, string] {
-  let real: string
-  try { real = realpathSync(rawPath) }
-  catch (e) { return [null, `realpath failed: ${e instanceof Error ? e.message : e}`] }
-  for (const root of allowedRoots) {
-    if (!root) continue
-    if (real === root) return [real, '']
-    const prefix = root.endsWith('/') ? root : root + '/'
-    if (real.startsWith(prefix)) return [real, '']
-    // Special-case the `/tmp/lodestar-` namespace: caller can pass
-    // the bare prefix without a trailing slash to mean "any tmp file
-    // whose basename starts with lodestar-".
-    if (root.endsWith('-') && real.startsWith(root)) return [real, '']
-  }
-  return [null, `not inside any allowed root (real=${real})`]
-}
-
 async function uploadImageMultipart(filePath: string): Promise<string | null> {
   const token = await getTenantToken()
   const file = Bun.file(filePath)
@@ -453,49 +428,41 @@ export async function sendFile(chatId: string, fileKey: string): Promise<string
 }
 
 /** Upload a local file and post it as an image or file message in the
- * chat.  Type is inferred from extension.  The path MUST resolve inside
- * one of `allowedRoots` (defense against prompt-injection-driven
- * exfiltration via the `[[send: /path]]` marker — see isPathAllowed).
- * Returns true on success.  All failures (missing file, oversize,
- * outside allowed roots, upload reject, send reject) log and surface
- * an inline error message in the chat so the user knows. */
-export async function uploadAndSend(chatId: string, filePath: string, allowedRoots: string[]): Promise<boolean> {
-  const [realPath, reason] = gateOutboundPath(filePath, allowedRoots)
-  if (!realPath) {
-    log(`feishu: uploadAndSend REJECTED ${filePath}: ${reason}`)
-    await sendText(chatId, `❌ 出站文件被拒绝（路径不在允许范围）: ${filePath}`)
-    return false
-  }
+ * chat.  Type is inferred from extension.  Returns true on success.
+ * All failures (missing file, oversize, upload reject, send reject)
+ * log and surface an inline error message in the chat so the user
+ * knows. */
+export async function uploadAndSend(chatId: string, filePath: string): Promise<boolean> {
   try {
-    const stats = statSync(realPath)
+    const stats = statSync(filePath)
     if (!stats.isFile()) {
       await sendText(chatId, `❌ 出站文件: 路径不是文件 — ${filePath}`)
       return false
     }
     if (stats.size > MAX_UPLOAD_BYTES) {
-      await sendText(chatId, `❌ 出站文件: ${basename(realPath)} 超过 30 MB (${(stats.size / 1024 / 1024).toFixed(1)} MB)`)
+      await sendText(chatId, `❌ 出站文件: ${basename(filePath)} 超过 30 MB (${(stats.size / 1024 / 1024).toFixed(1)} MB)`)
       return false
     }
   } catch (e) {
     await sendText(chatId, `❌ 出站文件: 无法读取 ${filePath} (${e})`)
     return false
   }
-  const isImage = looksLikeImage(realPath)
+  const isImage = looksLikeImage(filePath)
   try {
     if (isImage) {
-      const key = await uploadImageMultipart(realPath)
-      if (!key) { await sendText(chatId, `❌ 出站图片上传失败: ${basename(realPath)}`); return false }
+      const key = await uploadImageMultipart(filePath)
+      if (!key) { await sendText(chatId, `❌ 出站图片上传失败: ${basename(filePath)}`); return false }
       const msgId = await sendImage(chatId, key)
       return msgId != null
     } else {
-      const key = await uploadFileMultipart(realPath)
-      if (!key) { await sendText(chatId, `❌ 出站文件上传失败: ${basename(realPath)}`); return false }
+      const key = await uploadFileMultipart(filePath)
+      if (!key) { await sendText(chatId, `❌ 出站文件上传失败: ${basename(filePath)}`); return false }
       const msgId = await sendFile(chatId, key)
       return msgId != null
     }
   } catch (e) {
     log(`feishu: uploadAndSend ${filePath} failed: ${e}`)
-    await sendText(chatId, `❌ 出站文件异常: ${basename(realPath)} — ${e}`)
+    await sendText(chatId, `❌ 出站文件异常: ${basename(filePath)} — ${e}`)
     return false
   }
 }

package/src/notify.ts

@@ -0,0 +1,132 @@
+/**
+ * Outbound notification HTTP endpoint — any local process can POST a
+ * markdown message + project name and it lands in the matching Feishu
+ * group as a one-shot interactive card (non-streaming).
+ *
+ * Default bind: 127.0.0.1:9876. No auth — the daemon trusts loopback
+ * on the assumption that anything able to hit this port is already
+ * owner-equivalent (same security tier as the bot's stdin and the
+ * debug.sock). Do NOT bind 0.0.0.0 without adding your own front-end
+ * auth.
+ *
+ *   POST /notify
+ *     Content-Type: application/json
+ *     { "project": "feishu",
+ *       "text":    "**build done** 12 files",
+ *       "title":   "build",                    // optional, default = project
+ *       "level":   "info" | "warn" | "error"   // optional, default "info"
+ *     }
+ *   → 200 { ok: true, chat_id, message_id }
+ *   → 400 bad/empty json or missing field
+ *   → 404 project not bound to any Feishu group
+ *   → 502 feishu sendCard failed (network / API rejection)
+ *
+ *   GET / → plain-text help (so a `curl` from the shell reports a
+ *           live server instead of 404).
+ *
+ * "project" must match a Feishu group name that the daemon already
+ * has a chat_id binding for — usually established by sending any
+ * message in that group at least once after the daemon started. Run
+ * `bun scripts/test-inject.ts "hi"` from the project root if you
+ * need to seed the binding without leaving the keyboard.
+ */
+
+import { log } from './log'
+import * as feishu from './feishu'
+
+type Level = 'info' | 'warn' | 'error'
+const VALID_LEVELS: ReadonlySet<Level> = new Set(['info', 'warn', 'error'])
+
+function notifyCard(opts: { title: string; text: string; level: Level }): object {
+  const template = opts.level === 'error' ? 'red'
+    : opts.level === 'warn' ? 'yellow'
+    : 'blue'
+  const emoji = opts.level === 'error' ? '❌'
+    : opts.level === 'warn' ? '⚠️'
+    : '🔔'
+  const d = new Date()
+  const hhmm = `${String(d.getHours()).padStart(2, '0')}:${String(d.getMinutes()).padStart(2, '0')}`
+  return {
+    schema: '2.0',
+    config: {},
+    header: {
+      title: { tag: 'plain_text', content: `${emoji} ${opts.title}` },
+      template,
+    },
+    body: {
+      elements: [
+        { tag: 'markdown', content: opts.text || '_（空消息）_' },
+        { tag: 'hr' },
+        { tag: 'markdown', content: `<font color='grey'>via notify · ${hhmm}</font>` },
+      ],
+    },
+  }
+}
+
+export interface NotifyOptions {
+  bind: string
+  port: number
+}
+
+export function startNotifyServer(opts: NotifyOptions): void {
+  try {
+    Bun.serve({
+      hostname: opts.bind,
+      port: opts.port,
+      fetch: async (req: Request) => {
+        const url = new URL(req.url)
+        if (req.method === 'GET' && url.pathname === '/') {
+          return new Response(
+            'lodestar notify\n' +
+            'POST /notify  body={project,text,title?,level?}\n' +
+            'levels: info|warn|error (default info)\n',
+            { headers: { 'content-type': 'text/plain; charset=utf-8' } },
+          )
+        }
+        if (req.method !== 'POST' || url.pathname !== '/notify') {
+          return new Response('use POST /notify', { status: 405 })
+        }
+
+        let body: any = {}
+        try { body = await req.json() } catch {
+          return new Response('bad json', { status: 400 })
+        }
+        const project = String(body.project ?? '').trim()
+        const text = String(body.text ?? '')
+        const titleRaw = String(body.title ?? '').trim()
+        const levelRaw = String(body.level ?? 'info').toLowerCase()
+        if (!project) return new Response('missing "project"', { status: 400 })
+        if (!text)    return new Response('missing "text"', { status: 400 })
+
+        const level: Level = (VALID_LEVELS.has(levelRaw as Level) ? levelRaw : 'info') as Level
+        const title = titleRaw || project
+
+        const sessionName = feishu.sanitizeSessionName(project)
+        const chatId = feishu.chatIdForSession(sessionName)
+        if (!chatId) {
+          log(`notify: project "${project}" (sanitized "${sessionName}") has no chat binding → 404`)
+          return new Response(
+            `project "${project}" not bound — send any message in that Feishu group at least once after the daemon started, then retry`,
+            { status: 404 },
+          )
+        }
+
+        const card = notifyCard({ title, text, level })
+        const messageId = await feishu.sendCard(chatId, card)
+        if (!messageId) {
+          log(`notify: sendCard failed → 502 (project="${project}" chat=${chatId.slice(0, 8)}…)`)
+          return new Response('feishu sendCard failed (see daemon log)', { status: 502 })
+        }
+        log(`notify: → ${project} (${chatId.slice(0, 8)}…) level=${level} bytes=${text.length} msg=${messageId}`)
+        return Response.json({ ok: true, chat_id: chatId, message_id: messageId })
+      },
+      error: (err: Error) => {
+        log(`notify: handler crash: ${err.message}`)
+        return new Response('internal error', { status: 500 })
+      },
+    })
+    log(`notify: HTTP listening at http://${opts.bind}:${opts.port}/notify`)
+  } catch (e) {
+    log(`notify: server bind failed (${opts.bind}:${opts.port}): ${e}`)
+  }
+}

package/src/session-ask.ts

@@ -0,0 +1,165 @@
+/**
+ * AskUserQuestion flow split out of session.ts. The SDK routes
+ * AskUserQuestion through can_use_tool even under bypass mode, so the
+ * "answered" state lives across two SDK control messages — option
+ * clicks/custom text land via Feishu callbacks first, then
+ * can_use_tool arrives and we finalize with `updatedInput.answers`.
+ */
+
+import type { Session } from './session'
+import * as cardkit from './cardkit'
+import * as cards from './cards'
+import { log } from './log'
+
+/** True iff there's at least one open AskUserQuestion awaiting an
+ * answer in this session. `daemon.handleMessage` uses this to
+ * decide whether an inbound chat message should be a custom answer
+ * (routed to onAskMessageAnswer) instead of opening a new turn. */
+export function hasPendingAsk(s: Session): boolean {
+  return s.pendingAsks.size > 0
+}
+
+/** Funnel an arbitrary chat message into the *current* question
+ * of the oldest pending ask as a `customText` answer. Multi-
+ * question semantics: from the user's perspective, the chat
+ * input always answers whatever question is on screen right now
+ * (`pending.currentIdx`), and a new question slides in after. */
+export async function onAskMessageAnswer(s: Session, text: string, user: string): Promise<void> {
+  const firstEntry = s.pendingAsks.entries().next()
+  if (firstEntry.done) {
+    log(`session "${s.sessionName}": onAskMessageAnswer with no pending — falling back to onUserMessage`)
+    await s.onUserMessage(text)
+    return
+  }
+  const [toolUseId, pending] = firstEntry.value
+  if (pending.currentIdx === undefined) {
+    log(`session "${s.sessionName}": pending ask ${toolUseId} already terminal — ignoring message`)
+    return
+  }
+  await onAskCustomAnswer(s, toolUseId, pending.currentIdx, text, user)
+}
+
+/** Click handler for an option button. The click must target the
+ * question currently on screen (`pending.currentIdx`); a stale
+ * click (e.g. user clicked an older render before it swapped in
+ * the next question) is logged and dropped — better than double-
+ * answering. */
+export async function onAskAnswer(
+  s: Session,
+  toolUseId: string,
+  questionIdx: number,
+  optionIdx: number,
+  user: string,
+): Promise<void> {
+  const pending = s.pendingAsks.get(toolUseId)
+  if (!pending) { log(`session "${s.sessionName}": stray ask answer for ${toolUseId}`); return }
+  if (questionIdx !== pending.currentIdx) {
+    log(`session "${s.sessionName}": stale ask click q=${questionIdx} current=${pending.currentIdx}`)
+    return
+  }
+  advanceAsk(s, toolUseId, { optionIdx, user })
+}
+
+/** Custom-text branch. Same staleness rule as onAskAnswer; empty
+ * input is silently ignored (panel stays pending). */
+export async function onAskCustomAnswer(
+  s: Session,
+  toolUseId: string,
+  questionIdx: number,
+  customText: string,
+  user: string,
+): Promise<void> {
+  const pending = s.pendingAsks.get(toolUseId)
+  if (!pending) { log(`session "${s.sessionName}": stray ask custom for ${toolUseId}`); return }
+  const trimmed = (customText ?? '').trim()
+  if (!trimmed) { log(`session "${s.sessionName}": empty custom answer, ignoring`); return }
+  if (questionIdx !== pending.currentIdx) {
+    log(`session "${s.sessionName}": stale ask custom q=${questionIdx} current=${pending.currentIdx}`)
+    return
+  }
+  advanceAsk(s, toolUseId, { customText: trimmed, user })
+}
+
+/** Record an answer for the current question, advance the state
+ * machine, repaint. If every question is now answered, finalize
+ * (or defer the finalize until can_use_tool lands — the race is
+ * handled by renderPermission). */
+export function advanceAsk(
+  s: Session,
+  toolUseId: string,
+  answer: { optionIdx?: number; customText?: string; user: string },
+): void {
+  const pending = s.pendingAsks.get(toolUseId)
+  if (!pending || pending.currentIdx === undefined) return
+  const cur = pending.currentIdx
+  const q = pending.questions[cur]
+  if (!q) { log(`session "${s.sessionName}": advanceAsk currentIdx=${cur} out of range`); return }
+  // Resolve the literal answer value — custom text wins if both set.
+  let value: string
+  if (answer.customText !== undefined) {
+    value = answer.customText
+  } else if (answer.optionIdx !== undefined) {
+    const opt = q.options?.[answer.optionIdx]
+    if (!opt) { log(`session "${s.sessionName}": advanceAsk option ${answer.optionIdx} out of range`); return }
+    value = opt.label
+  } else {
+    log(`session "${s.sessionName}": advanceAsk with neither customText nor optionIdx`)
+    return
+  }
+  pending.answers[q.question] = value
+  pending.answered.set(cur, {
+    optionIdx: answer.optionIdx,
+    customText: answer.customText,
+    user: answer.user,
+  })
+  // Next unanswered idx — linear from cur+1. Implementation
+  // always moves forward; we don't currently let users revisit a
+  // previous question (would need richer UI affordance for that).
+  const total = pending.questions.length
+  let nextIdx: number | undefined = undefined
+  for (let i = cur + 1; i < total; i++) {
+    if (!pending.answered.has(i)) { nextIdx = i; break }
+  }
+  pending.currentIdx = nextIdx
+
+  const turn = s.currentTurn
+  const meta = turn?.toolByUseId.get(toolUseId)
+  if (turn && meta) {
+    const el = cards.askUserQuestionElement(
+      meta.i, toolUseId, pending.questions,
+      nextIdx === undefined ? '✅' : '🤔',
+      { currentIdx: nextIdx, answered: pending.answered },
+    )
+    void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
+  }
+
+  if (nextIdx === undefined) {
+    // All done. Finalize iff we have the permission request id;
+    // otherwise renderPermission will pick it up when it arrives.
+    if (pending.requestId) finalizeAsk(s, toolUseId)
+    else log(`session "${s.sessionName}": ask ${toolUseId} all answered, waiting for can_use_tool`)
+  }
+}
+
+/** Settle a fully-answered AskUserQuestion: emit the SDK allow
+ * with the full `answers` record folded into `updatedInput`,
+ * drop bookkeeping, restore status. The terminal panel paint was
+ * already done by the final advanceAsk; this is just protocol. */
+export function finalizeAsk(s: Session, toolUseId: string): void {
+  const pending = s.pendingAsks.get(toolUseId)
+  if (!pending || !pending.requestId) return
+  const meta = s.currentTurn?.toolByUseId.get(toolUseId)
+  const originalInput = meta?.input ?? {}
+  s.proc?.sendPermissionResponse(pending.requestId, 'allow', {
+    updatedInput: { ...originalInput, answers: pending.answers },
+  })
+  s.pendingPermissions.delete(pending.requestId)
+  if (meta) {
+    meta.output = JSON.stringify({ answers: pending.answers })
+    meta.isError = false
+  }
+  s.pendingAsks.delete(toolUseId)
+  if (s.pendingPermissions.size === 0 && s.status === 'awaiting_permission') {
+    s.status = 'working'
+  }
+}

package/src/session-permission.ts

@@ -0,0 +1,136 @@
+/**
+ * Permission flow split out of session.ts. The daemon merges the
+ * permission ask into the existing tool element in the current turn
+ * card — one continuous timeline: ⏳ pending → 🔐 awaiting approval
+ * (with buttons) → ⏳ allowed / ❌ denied → ✅ with output. No
+ * floating orange card.
+ */
+
+import type { Session } from './session'
+import type { CanUseToolRequest } from './claude-process'
+import * as cardkit from './cardkit'
+import * as cards from './cards'
+import * as feishu from './feishu'
+import { log } from './log'
+import { isTaskWorkflow, todosArray } from './session-tools'
+import { finalizeAsk } from './session-ask'
+
+export async function onPermissionDecision(
+  s: Session,
+  requestId: string,
+  decision: 'allow' | 'allow_always' | 'deny',
+  user: string,
+): Promise<void> {
+  const pending = s.pendingPermissions.get(requestId)
+  if (!pending) { log(`session "${s.sessionName}": stray permission ${requestId}`); return }
+  s.pendingPermissions.delete(requestId)
+
+  // Update the tool element in the main turn card in place — the
+  // permission decision lives on the same row as the tool call.
+  const turn = s.currentTurn
+  const meta = turn?.toolByUseId.get(pending.toolUseId)
+  if (turn && meta) {
+    const todos = isTaskWorkflow(meta.name) ? todosArray(s) : undefined
+    if (decision === 'deny') {
+      const el = cards.toolCallElement(meta.i, meta.name, meta.input, `🚫 已拒绝 by ${user || '匿名'}`, '❌', undefined, todos)
+      void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
+    } else {
+      const label = decision === 'allow_always' ? '始终允许' : '已允许'
+      meta.resolvedNote = `✅ **${label}** by ${user || '匿名'}`
+      const el = cards.toolCallElement(meta.i, meta.name, meta.input, null, '⏳', meta.resolvedNote, todos)
+      void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
+    }
+  }
+
+  const claudeDecision = decision === 'deny' ? 'deny' : 'allow'
+  s.proc?.sendPermissionResponse(requestId, claudeDecision)
+
+  if (decision === 'allow_always') {
+    s.proc?.sendSetPermissionMode('acceptEdits')
+  }
+
+  if (s.pendingPermissions.size === 0 && s.status === 'awaiting_permission') {
+    s.status = 'working'
+  }
+}
+
+/** Merge the permission ask into the existing tool element in the
+ * current turn card. The user sees one continuous timeline: ⏳ pending
+ * → 🔐 awaiting approval (with buttons) → ⏳ allowed / ❌ denied → ✅
+ * with output. No floating orange card.
+ *
+ * `tool_use` is emitted as part of the assistant message and lands on
+ * our `addTool` handler BEFORE the SDK's `can_use_tool` control_request
+ * arrives — so by the time we get here, `toolByUseId` already has the
+ * entry we need to replace.
+ *
+ * Edge cases (no current turn / missing tool_use_id / unknown id) are
+ * surfaced loudly and auto-denied. We don't fall back to a standalone
+ * card — per the project's no-fallbacks rule, hidden anomalies are
+ * worse than visible deny errors. */
+export function renderPermission(s: Session, req: CanUseToolRequest): void {
+  const turn = s.currentTurn
+  if (!turn) {
+    log(`session "${s.sessionName}": can_use_tool with no current turn — auto-deny req=${req.request_id}`)
+    s.proc?.sendPermissionResponse(req.request_id, 'deny', { denyMessage: 'no active turn' })
+    return
+  }
+  const toolUseId = req.tool_use_id
+  if (!toolUseId) {
+    log(`session "${s.sessionName}": can_use_tool without tool_use_id — auto-deny req=${req.request_id}`)
+    s.proc?.sendPermissionResponse(req.request_id, 'deny', { denyMessage: 'no tool_use_id' })
+    return
+  }
+  const meta = turn.toolByUseId.get(toolUseId)
+  if (!meta) {
+    log(`session "${s.sessionName}": can_use_tool for unknown tool_use_id=${toolUseId} — auto-deny req=${req.request_id}`)
+    s.proc?.sendPermissionResponse(req.request_id, 'deny', { denyMessage: 'unknown tool_use_id' })
+    return
+  }
+  // AskUserQuestion: SDK routes it through can_use_tool even under
+  // bypass. The PAYLOAD of "user has answered" is the permission
+  // response itself — specifically `updatedInput.answers`. So we
+  // CANNOT auto-allow here (that's the v0.1.2 bug: SDK got an empty
+  // answers map and immediately synthesised a "User has answered
+  // your questions: ." tool_result). Park the requestId on the
+  // pendingAsk record and wait for the user to click an option;
+  // onAskAnswer will then send allow + updatedInput.answers in one
+  // shot. If the user already clicked between addTool and now —
+  // the deferredAnswer slot — settle immediately.
+  if (meta.name === 'AskUserQuestion') {
+    const ask = s.pendingAsks.get(toolUseId)
+    if (!ask) {
+      log(`session "${s.sessionName}": AskUserQuestion ${toolUseId} missing pendingAsk — deny`)
+      s.proc?.sendPermissionResponse(req.request_id, 'deny', { denyMessage: 'no pending ask' })
+      return
+    }
+    ask.requestId = req.request_id
+    s.pendingPermissions.set(req.request_id, { toolUseId })
+    // Fast-clicker race: the user may have answered every question
+    // while we were still waiting for can_use_tool to arrive. If so,
+    // advanceAsk parked the all-done state and we drain it now.
+    if (ask.currentIdx === undefined) finalizeAsk(s, toolUseId)
+    return
+  }
+  s.status = 'awaiting_permission'
+  s.pendingPermissions.set(req.request_id, { toolUseId })
+  const el = cards.toolCallPermissionElement(meta.i, meta.name, meta.input, req.request_id)
+  void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
+  // Phone push — Claude is blocked until the user approves/denies.
+  // Set summary to "🔐 等审批: <tool>(<input summary>)" so the lock-
+  // screen notification shows which tool needs approval.
+  if (turn.userOpenId && turn.messageId) {
+    const inputSummary = cards.summarizeToolInput(meta.name, meta.input)
+    const tail = inputSummary && inputSummary.length > 30
+      ? inputSummary.slice(0, 30) + '…'
+      : inputSummary
+    const summary = tail
+      ? `🔐 等审批: ${meta.name} · ${tail}`
+      : `🔐 等审批: ${meta.name}`
+    void (async () => {
+      cardkit.cancelSummary(turn.cardId)
+      await cardkit.patchSettings(turn.cardId, { config: { summary: { content: summary } } })
+      await feishu.urgentApp(turn.messageId, [turn.userOpenId])
+    })()
+  }
+}